Technical Information
Malicious functions:
Launches itself as a daemon
Launches processes:
- sh
- mkdir -p /etc/config/runone
- cp -a /etc/config/runone/.S99utelnetd.sh.bak /etc/config/runone/.S99utelnetd.sh
- cp /etc/config/runone/.S99utelnetd.sh.bak /etc/config/runone/.S99utelnetd.sh
- chmod 755 /etc/config/runone/.S99utelnetd.sh
- busybox --list
- dirname /
- grep -F ab*c
- date +%s
- whoami
- uname -m
- readlink /share/homes
- readlink /share/Public
- readlink /share/Download
- readlink /share/Multimedia
- readlink /share/Web
- readlink /share/Recordings
- tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz
- sed -n :s;/^[ ]*\[share_def][ ]*$/{:x;n;/^[ ]*\[.*][ ]*$/bs;s/[ ]*defvolmp[ ]*=[ ]*\(.*\)/\1/p;tq;bx;:q;q}
- sed h;s/[^=]*\(=\{
- mount
- sed -n s/.*\(\/share\/[^ /]\+\) .*/\1/gp
- head -n 1
- nslookup qnap.com
- mkdir /var/lock/.qpkgd.lck
- mkdir -p /mnt/HDA_ROOT/.system/.qpkg
- cat
- chmod 755 /mnt/HDA_ROOT/.system/.qpkg/qpkgd
- dd if=/dev/urandom bs=1 count=1
- date -d @1557611231 +%m%d%H%M%Y.%S
- mkdir /var/lock/.ctime.lck
- date -d @1571140104 +%m%d%H%M%Y.%S
- date 051200472019.11
- touch /mnt/HDA_ROOT/.system/.qpkg/qpkgd
- stat -c %#03a /mnt/HDA_ROOT/.system/.qpkg/qpkgd
- stat -c %a /mnt/HDA_ROOT/.system/.qpkg/qpkgd
- chmod 0755 /mnt/HDA_ROOT/.system/.qpkg/qpkgd
- chattr +ai /mnt/HDA_ROOT/.system/.qpkg/qpkgd
- date 101514482019.24
- date +%Y
- rm -rf /var/lock/.ctime.lck
- stat -c %Y /mnt/HDA_ROOT/.system/.qpkg/qpkgd
- rm -rf /var/lock/.qpkgd.lck
- pidof -s crond
- pidof crond
- ps
- sed -n s/^[ ]*\([0-9]\{
- /mnt/HDA_ROOT/.system/.qpkg/qpkgd
- grep -F
- rm -f .tmp.*
- mktemp ./.tmp.XXXXXX
- sed y/ABCDEFGHIJKLMNOPQRSTUVWXYZ-+\//abcdefghijklmnopqrstuvwxyzabc/;s/=//g
- openssl dgst -sha1 -binary
- openssl base64
- rm -f ./.tmp.1Ihs4x
Performs operations with the file system:
Modifies file access rights:
- /mnt/HDA_ROOT/.system/.qpkg/qpkgd
Creates folders:
- /etc/config
- /etc/config/runone
- /.qpkgd.lck
- /mnt/HDA_ROOT
- /mnt/HDA_ROOT/.system
- /mnt/HDA_ROOT/.system/.qpkg
- /.ctime.lck
Creates or modifies files:
- /var/lock/.qpkgd.lck/.pid
- /run/lock/.qpkgd.lck/.pid
- /mnt/HDA_ROOT/.system/.qpkg/qpkgd
- /var/lock/.ctime.lck/.pid
- /run/lock/.ctime.lck/.pid
- /mnt/HDA_ROOT/.system/.qpkg/.rsakey
- /mnt/HDA_ROOT/.system/.qpkg/.tmp.1Ihs4x
Deletes files:
- /mnt/HDA_ROOT/.system/.pid
- /mnt/HDA_ROOT/.system/.qpkg/.tmp.*
- /mnt/HDA_ROOT/.system/.qpkg/.tmp.1Ihs4x
Network activity:
DNS ASK:
- qn##.com
Other:
Collects CPU information
Collects RAM information
