Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- /var/spool/cron/crontabs/root
Malicious functions:
Launches itself as a daemon
Launches processes:
- sh -c (crontab -l | grep -v \"/<SAMPLE>\" | grep -v \"no cron\" > /var/run/.x001804289383) > /dev/null 2>&1
- crontab -l
- grep -v /<SAMPLE>
- grep -v no cron
- sh -c crontab /var/run/.x001804289383
- crontab /var/run/.x001804289383
- sh -c /bin/uname -n
- /bin/uname -n
Performs operations with the file system:
Modifies file access rights:
- <SAMPLE_FULL_PATH>
- /var/tmp/<SAMPLE>
- /run/<SAMPLE>
- /run/lock/<SAMPLE>
- /dev/shm/<SAMPLE>
- /tmp/<SAMPLE>
- /var/spool/cron/crontabs/tmp.SPKrLK
Creates or modifies files:
- /var/run/.x001804289383
- <SAMPLE_FULL_PATH>
- /run/.x001804289383
- /var/tmp/<SAMPLE>
- /var/run/<SAMPLE>
- /run/<SAMPLE>
- /var/lock/<SAMPLE>
- /run/lock/<SAMPLE>
- /dev/shm/<SAMPLE>
- /tmp/<SAMPLE>
- /var/spool/cron/crontabs/tmp.SPKrLK
Deletes files:
- /var/run/.x001804289383
Network activity:
Awaits incoming connections on ports:
- 127.0.0.1:61100
Connects to the following servers over the IRC protocol:
- Server: 45.##.87.147; Command: NICK TT|0|986185|box-i386\nUSER TT localhost localhost :1.0\n
Other:
Collects OS information
