Technical Information
Malicious functions:
Launches itself as a daemon
Substitutes application name for:
- e28081
Kills the following processes:
- systemd
- kthreadd
- ksoftirqd/0
- kworker/0:0H
- kworker/u2:0
- watchdog/0
- khelper
- kdevtmpfs
- netns
- khungtaskd
- writeback
- ksmd
- crypto
- kintegrityd
- bioset
- kblockd
- ata_sff
- kworker/0:1
- kswapd0
- fsnotify_mark
- kthrotld
- scsi_eh_0
- scsi_tmf_0
- scsi_eh_1
- scsi_tmf_1
- ipv6_addrconf
- deferwq
- kworker/u2:2
- kworker/0:1H
- jbd2/sda3-8
- ext4-rsv-conver
- kauditd
- kworker/0:3
- systemd-journal
- systemd-udevd
- ttm_swap
- rpciod
- nfsiod
- systemd-logind
- kworker/0:0
- kworker/0:2
- dhclient
- 9bc2fd2a
Network activity:
Awaits incoming connections on ports:
- 127.0.0.1:33337
Establishes connection:
- 8.#.8.8:53
- 45.###.232.208:33335
Attacks using a special dictionary (brute-force technique) via the Telnet protocol.
DNS ASK:
- ro##me.xyz
Sends data to the following servers:
- 45.###.232.208:33335
- 21#.##0.86.42:23
- 20#.##1.205.245:23
- 25#.##7.90.116:23
- 98.###.186.61:23
- 74.###.153.14:23
- 95.###.230.160:23
- 82.###.226.190:23
- 13#.##6.211.147:23
- 13#.##.117.75:23
- 18.##.108.198:23
- 17#.##5.121.89:23
- 22#.##6.54.136:23
- 18#.##6.20.224:23
- 5.##.25.97:23
- 70.###.201.24:23
- 30.###.79.198:23
- 85.###.153.92:23
- 11#.##4.231.204:23
- 38.###.200.135:23
- 6.##.111.7:23
- 24.###.141.175:23
- 16#.##3.69.131:23
- 10#.##.81.110:23
- 15#.##.136.145:23
- 12#.##.74.204:23
- 99.###.167.104:23
- 61.##.229.216:23
- 13#.##0.54.57:23
- 22#.#6.2.89:23
- 37.##6.95.17:23
- 17#.##4.225.14:23
- 11#.##.127.250:23
- 24#.#.85.217:23
- 20#.##.53.167:23
- 19#.##5.180.171:23
- 11#.#7.5.122:23
- 92.##4.0.134:23
- 50.##.194.116:23
- 13#.##.134.203:23
- 23#.##3.92.200:23
- 15#.##0.73.142:23
- 32.##.119.181:23
- 20.###.52.132:23
- 20#.##2.77.49:23
- 16#.##5.71.240:23
- 13#.##.132.128:23
- 22#.##.219.173:23
- 22#.##8.215.47:23
- 50.###.63.123:23
- 92.##.169.11:23
- 35.##.195.171:23
- 11#.#.148.90:23
- 17#.##2.77.57:23
- 21#.##6.195.45:23
- 11#.##.137.66:23
- 23.###.181.223:23
- 4.##.251.61:23
- 68.#.222.79:23
- 22#.##5.201.108:23
- 85.##.157.4:23
- 14#.##7.242.17:23
- 81.###.147.46:23
- 5.##.1.79:23
- 98.###.238.20:23
- 19#.##.197.67:23
- 28.###.232.210:23
- 14#.##.240.142:23
- 19#.##.188.80:23
- 13#.#4.71.56:23
- 19#.##8.206.136:23
- 13#.#.44.131:23
- 16#.##.166.173:23
- 19#.##.227.52:23
- 21#.##5.31.112:23
- 14#.##.63.136:23
- 72.###.150.174:23
- 25#.#0.60.6:23
- 19#.##2.212.154:23
- 18#.##6.62.255:23
- 19#.##.212.123:23
- 15#.##5.79.198:23
- 14#.##.107.25:23
- 79.###.146.131:23
- 14.###.213.71:23
- 12#.#0.53.48:23
- 24#.##2.159.139:23
- 10#.##6.92.108:23
- 99.###.45.111:23
- 15#.##.111.60:23
- 11#.##2.198.39:23
- 23#.##4.184.6:23
- 19#.##.110.46:23
- 20#.##9.183.130:23
- 22.##.14.56:23
- 16#.##6.98.145:23
- 15#.##1.83.118:23
- 21#.##2.254.117:23
- 20#.#12.1.6:23
- 11.##.240.28:23
- 37.###.209.83:23
- 13#.##.254.159:23
- 19#.##.141.198:23
- 23#.##6.87.240:23
- 11#.##.27.233:23
- 42.##.215.185:23
- 21#.##.110.60:23
- 16.###.233.146:23
- 12#.##8.117.108:23
- 31.###.181.90:23
- 22#.##1.10.225:23
- 21#.##2.131.209:23
- 25#.##8.25.44:23
- 39.##.199.58:23
- 22#.##.57.142:23
- 71.###.104.142:23
- 36.###.133.133:23
- 22#.##3.16.233:23
- 11#.##5.151.108:23
- 11#.##.78.161:23
- 18#.##7.94.126:23
- 11#.#77.99.0:23
- 19#.#6.84.62:23
- 10#.##.196.76:23
- 20#.##.103.151:23
- 23#.##7.250.36:23
- 24#.#.14.193:23
- 14#.##8.99.181:23
- 14#.##0.69.187:23
Receives data from the following servers:
- 45.###.232.208:33335
