Technical Information
Malicious functions:
Launches itself as a daemon
Substitutes application name for:
- e28081
Kills the following processes:
- kthreadd
- rcu_gp
- rcu_par_gp
- kworker/0:0
- kworker/0:0H
- kworker/u2:0
- mm_percpu_wq
- rcu_tasks_rude_
- rcu_tasks_trace
- ksoftirqd/0
- rcu_sched
- migration/0
- cpuhp/0
- kdevtmpfs
- netns
- kauditd
- khungtaskd
- oom_reaper
- writeback
- kcompactd0
- ksmd
- kintegrityd
- kblockd
- blkcg_punt_bio
- ata_sff
- devfreq_wq
- kworker/0:1H
- kswapd0
- kthrotld
- ipv6_addrconf
- kworker/u2:2
- kstrp
- zswap-shrink
- kworker/u3:0
- scsi_eh_0
- scsi_tmf_0
- scsi_eh_1
- scsi_tmf_1
- kworker/0:2
- kworker/0:3
- jbd2/sda1-8
- ext4-rsv-conver
- kworker/u2:1
- 9bc2fd2a
Network activity:
Awaits incoming connections on ports:
- 127.0.0.1:33337
Establishes connection:
- 8.#.8.8:53
- 45.###.232.208:33335
Attacks using a special dictionary (brute-force technique) via the Telnet protocol.
DNS ASK:
- ro##me.xyz
Sends data to the following servers:
- 45.###.232.208:33335
- 15#.##4.136.198:23
- 19#.##1.39.152:23
- 16#.##7.199.126:23
- 30.###.192.121:23
- 68.##.188.62:23
- 23#.##8.73.44:23
- 16#.##.218.51:23
- 70.###.103.33:23
- 22#.##5.138.231:23
- 18#.##.220.147:23
- 22#.##3.117.87:23
- 61.##.54.66:23
- 10#.##4.167.82:23
- 19#.##1.180.153:23
- 71.##.126.182:23
- 15#.##9.75.165:23
- 27.###.41.225:23
- 17#.##.192.224:23
- 24#.##.95.134:23
- 83.##.235.53:23
- 76.##.208.102:23
- 21#.##7.28.170:23
- 15#.##4.206.72:23
- 75.###.187.218:23
- 22.###.121.145:23
- 13#.##.62.159:23
- 25#.#1.6.0:23
- 20#.##6.101.24:23
- 20#.##.218.63:23
- 88.###.108.96:23
- 15#.##1.49.13:23
- 15#.##7.175.196:23
- 10#.##1.14.58:23
- 52.##9.68.5:23
- 23#.#5.72.40:23
- 53.##.72.198:23
- 12#.##5.62.95:23
- 16#.##.246.44:23
- 30.###.181.23:23
- 22#.##.153.89:23
- 20#.##.223.75:23
- 57.##6.84.13:23
- 15#.##.100.183:23
- 94.##5.52.73:23
- 69.###.214.199:23
- 23#.##8.195.196:23
- 68.##.162.197:23
- 99.###.248.210:23
- 13#.##1.77.37:23
- 31.##.54.237:23
- 22#.##.254.102:23
- 17#.#1.81.57:23
- 18#.##2.88.142:23
- 15#.##3.65.50:23
- 47.###.200.175:23
- 14#.##4.154.233:23
- 12#.##.153.100:23
- 2.###.105.179:23
- 94.###.213.236:23
- 18#.##9.235.150:23
- 19#.##8.38.221:23
- 82.##1.31.42:23
- 37.##.162.28:23
- 18#.##6.83.243:23
- 11#.##.170.82:23
- 94.##8.43.16:23
- 18#.##.248.190:23
- 39.##.247.23:23
- 14#.#9.240.5:23
- 61.###.136.43:23
- 25#.##1.223.20:23
- 49.##.58.201:23
- 18#.##8.30.240:23
- 73.###.176.169:23
- 45.#.57.79:23
- 13#.##0.14.65:23
- 23#.##0.145.174:23
- 16#.##.104.169:23
- 45.###.130.187:23
- 22#.#65.88.3:23
- 83.##.77.177:23
- 22#.##.97.154:23
- 96.##1.97.76:23
- 11.##1.11.73:23
- 18#.##1.233.78:23
- 4.###.204.112:23
- 19#.##4.141.24:23
- 21#.##.213.222:23
- 22#.##.111.47:23
- 24#.##1.3.153:23
- 21#.##5.223.156:23
- 15#.##5.238.114:23
- 11#.##6.29.49:23
- 24#.##7.33.104:23
- 43.###.94.216:23
- 90.##1.7.164:23
- 79.###.118.232:23
- 3.###.176.180:23
- 22#.##0.175.91:23
- 51.#.122.19:23
- 20#.##.174.89:23
- 24#.##5.23.187:23
- 14#.##0.109.151:23
- 80.###.225.227:23
- 17#.##7.253.245:23
- 1.##.208.65:23
- 13#.##2.191.174:23
- 20#.##5.239.90:23
- 21#.##.100.70:23
- 22#.##.17.250:23
- 52.###.13.249:23
- 18#.##3.127.150:23
- 18#.#.173.202:23
- 19#.##2.147.141:23
- 20#.##2.254.52:23
- 51.###.131.219:23
- 84.##.31.164:23
- 35.##1.197.5:23
- 14#.##9.173.68:23
- 64.###.95.141:23
- 41.###.29.123:23
- 17#.##2.178.39:23
- 21#.##0.109.223:23
- 42.##.239.150:23
- 61.###.61.217:23
- 65.###.238.236:23
- 20#.##0.11.27:23
- 17.###.21.135:23
Receives data from the following servers:
- 45.###.232.208:33335
