Technical Information
Malicious functions:
Removes itself
Launches itself as a daemon
Substitutes application name for:
- 2kmscgmqetockvisa5bv
Network activity:
Awaits incoming connections on ports:
- 19#.##8.218.50:3467
Establishes connection:
- 8.#.8.8:53
- 5.###.227.140:4321
- 5.###.227.140:7685
Attacks using a special dictionary (brute-force technique) via the Telnet protocol.
Sends data to the following servers:
- 5.###.227.140:4321
- 5.###.227.140:7685
- 0.0.0.0:0
- 21.###.88.199:23
- 16.##.71.134:23
- 12#.##6.93.13:23
- 65.##.152.101:23
- 11#.##.110.22:23
- 22#.##.64.177:23
- 19#.##.160.156:23
- 24.##.245.27:23
- 14#.##.37.249:23
- 23#.#9.83.23:23
- 13#.##2.192.30:23
- 19.###.215.228:23
- 20#.##.101.181:23
- 11#.##4.22.107:23
- 16#.##8.90.245:23
- 15#.##9.72.140:23
- 23#.##2.162.218:23
- 43.###.182.95:23
- 21#.##7.140.157:23
- 21#.#8.31.27:23
- 19#.##9.173.89:23
- 22#.##.202.85:23
- 24#.#5.4.3:23
- 16#.##8.226.62:23
- 13#.#1.6.75:23
- 31.###.250.55:23
- 19#.##.255.204:23
- 20#.##0.189.219:23
- 73.###.90.190:23
- 20#.##5.165.131:23
- 21#.##6.88.71:23
- 18#.##5.120.95:23
- 16#.##.12.135:23
- 17#.##1.20.119:23
- 18#.##.193.113:23
- 21#.##2.143.71:23
- 25#.##0.234.242:23
- 98.###.141.203:23
- 12#.##5.249.117:23
- 14#.##5.197.184:23
- 11#.##4.142.78:23
- 21#.##1.40.122:23
- 24#.##6.67.92:23
- 18#.#.191.104:23
Receives data from the following servers:
- 5.###.227.140:7685
- 5.###.227.140:4321
