Technical Information
Malicious functions:
Launches itself as a daemon
Modifies firewall settings:
- iptables -F
Launches processes:
- sh -c grep -c ^processor /proc/cpuinfo
- grep -c ^processor /proc/cpuinfo
- sh -c free -mt|grep \"Total:\"|awk '{print $2}'|head -n1
- free -mt
- grep Total:
- awk {print $2}
- head -n1
- sh -c if [ -f /usr/bin/yum ]; then cat /etc/system-release|head -n1; elif [ -f /usr/bin/apt-get ]; then lsb_release -d|awk '{$1= \"\"; print $0}'|head -n1;fi
- lsb_release -d
- awk {$1= \"\"; print $0}
- sh -c if [ -f /usr/bin/yum ]; then printf \"Centos/Rhel Based\"; elif [ -f /usr/bin/apt-get ]; then printf \"Debian/Ubuntu Based\";fi
- sh -c rm -rf /tmp/* /var/tmp/* /tmp/.* /var/tmp/.*
- rm -rf /tmp/* /var/tmp/* /tmp/. /tmp/.. /tmp/.ICE-unix /tmp/.Test-unix /tmp/.X11-unix /tmp/.XIM-unix /tmp/.font-unix /var/tmp/. /var/tmp/..
- sh -c rm -rf /var/log/wtmp
- rm -rf /var/log/wtmp
- sh -c rm -rf /bin/netstat
- rm -rf /bin/netstat
- sh -c iptables -F
Performs operations with the file system:
Creates or modifies files:
- /etc/resolv.conf
Deletes files:
- /tmp/*
- /var/tmp/*
- /var/log/wtmp
- /bin/netstat
Network activity:
Establishes connection:
- 8.#.8.8:53
- 18#.###.39.107:17769
Sends data to the following servers:
- 18#.###.39.107:17769
Receives data from the following servers:
- 18#.###.39.107:17769
Other:
Collects CPU information
Collects RAM information
