Technical Information
Malicious functions:
Removes itself
Launches itself as a daemon
Substitutes application name for:
- -bash
Performs operations with the file system:
Creates or modifies files:
- /tmp/.X1-lock
Network activity:
Establishes connection:
- 24.#.0.1:8500
- 24.#.0.2:8500
- 24.#.0.3:8500
- 24.#.0.4:8500
- 24.#.0.5:8500
- 24.#.0.6:8500
- 24.#.0.7:8500
- 24.#.0.8:8500
- 24.#.0.9:8500
- 24.#.0.10:8500
- 24.#.0.11:8500
- 24.#.0.12:8500
- 24.#.0.13:8500
- 24.#.0.14:8500
- 24.#.0.15:8500
- 24.#.0.16:8500
- 24.#.0.17:8500
- 24.#.0.18:8500
- 24.#.0.19:8500
- 24.#.0.20:8500
- 24.#.0.21:8500
- 24.#.0.22:8500
- 24.#.0.23:8500
- 24.#.0.24:8500
- 24.#.0.25:8500
- 24.#.0.26:8500
- 24.#.0.27:8500
- 24.#.0.28:8500
- 24.#.0.29:8500
- 24.#.0.30:8500
- 24.#.0.31:8500
- 24.#.0.32:8500
- 24.#.0.33:8500
- 24.#.0.34:8500
- 24.#.0.35:8500
- 24.#.0.36:8500
- 24.#.0.37:8500
- 24.#.0.39:8500
- 24.#.0.40:8500
- 24.#.0.41:8500
- 24.#.0.42:8500
- 24.#.0.43:8500
- 24.#.0.44:8500
- 24.#.0.45:8500
- 24.#.0.46:8500
- 24.#.0.47:8500
- 24.#.0.48:8500
- 24.#.0.49:8500
- 24.#.0.50:8500
- 24.#.0.51:8500
- 24.#.0.52:8500
- 24.#.0.53:8500
- 24.#.0.54:8500
- 24.#.0.55:8500
- 24.#.0.56:8500
- 24.#.0.57:8500
- 24.#.0.58:8500
- 24.#.0.59:8500
- 24.#.0.60:8500
- 24.#.0.61:8500
- 24.#.0.62:8500
- 24.#.0.63:8500
- 24.#.0.64:8500
- 24.#.0.65:8500
- 24.#.0.66:8500
- 24.#.0.67:8500
- 24.#.0.68:8500
- 24.#.0.69:8500
- 24.#.0.70:8500
- 24.#.0.71:8500
- 24.#.0.72:8500
- 24.#.0.73:8500
- 24.#.0.74:8500
- 24.#.0.75:8500
- 24.#.0.76:8500
- 24.#.0.77:8500
- 24.#.0.78:8500
- 24.#.0.79:8500
- 24.#.0.80:8500
- 24.#.0.81:8500
- 24.#.0.82:8500
- 24.#.0.83:8500
- 24.#.0.84:8500
- 24.#.0.85:8500
- 24.#.0.86:8500
- 24.#.0.87:8500
- 24.#.0.88:8500
- 24.#.0.89:8500
- 24.#.0.90:8500
- 24.#.0.91:8500
- 24.#.0.92:8500
- 24.#.0.93:8500
- 24.#.0.94:8500
- 24.#.0.95:8500
- 24.#.0.96:8500
- 24.#.0.97:8500
- 24.#.0.98:8500
- 24.#.0.99:8500
- 24.#.0.100:8500
- 24.#.0.101:8500
HTTP GET requests:
- http://##.#.#.38/v1/agent/self
