Linux.Siggen.7545
Added to the Dr.Web virus database:
2024-05-28
Virus description added:
2024-05-28
Technical Information
Malicious functions:
Removes itself
Launches itself as a daemon
Substitutes application name for:
7riwLmB7y3DiU6M
xcEl44q70Ud1iIT
5b4T60skXqG03JO
Launches processes:
/usr/sbin/xtables-nft-multi iptables -I INPUT -p tcp --syn -s 10.0.0.0/8 -j ACCEPT
iptables -D INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT -p tcp --syn -s 192.0.0.0/8 -j ACCEPT
rm -rf /var/tmp/x
iptables -D INPUT -p tcp --syn -s 10.0.0.0/8 -j ACCEPT
/usr/sbin/xtables-nft-multi iptables -I INPUT -p tcp --syn -s 127.0.0.0/8 -j ACCEPT
killall tftp
iptables -D INPUT -p tcp --syn -s 127.0.0.0/8 -j ACCEPT
rm -rf /var/tmp/v
rm -rf /var/tmp/a
iptables -I INPUT -p tcp --syn -j DROP
iptables -D INPUT -p tcp --syn -j DROP
iptables -I INPUT -p tcp --syn -s 172.16.0.0/12 -j ACCEPT
iptables -D INPUT -p tcp --syn -s 172.16.0.0/12 -j ACCEPT
/usr/sbin/xtables-nft-multi iptables -I INPUT -p tcp --syn -j DROP
rm -rf /var/tmp/i
/usr/sbin/xtables-nft-multi iptables -D INPUT -p tcp --syn -j DROP
iptables -D INPUT -p tcp --syn -s 100.64.0.0/10 -j ACCEPT
rm -rf /var/tmp/l
/usr/sbin/xtables-nft-multi iptables -I INPUT -p tcp --syn -s 192.0.0.0/8 -j ACCEPT
rm -rf /var/tmp/b
iptables -I INPUT -p tcp --syn -s 10.0.0.0/8 -j ACCEPT
killall ipping
/usr/sbin/xtables-nft-multi iptables -D INPUT -p tcp --syn -s 172.16.0.0/12 -j ACCEPT
/usr/sbin/xtables-nft-multi iptables -D INPUT -p tcp --syn -s 127.0.0.0/8 -j ACCEPT
/usr/sbin/xtables-nft-multi iptables -I INPUT -p tcp --syn -s 100.64.0.0/10 -j ACCEPT
/usr/sbin/xtables-nft-multi iptables -D INPUT -p tcp --syn -s 10.0.0.0/8 -j ACCEPT
iptables -I INPUT -p tcp --syn -s 100.64.0.0/10 -j ACCEPT
/usr/sbin/xtables-nft-multi iptables -D INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
/usr/sbin/xtables-nft-multi iptables -I INPUT -p tcp --syn -s 172.16.0.0/12 -j ACCEPT
/usr/sbin/xtables-nft-multi iptables -D INPUT -p tcp --syn -s 100.64.0.0/10 -j ACCEPT
/usr/sbin/xtables-nft-multi iptables -D INPUT -p tcp --syn -s 192.0.0.0/8 -j ACCEPT
iptables -D INPUT -p tcp --syn -s 192.0.0.0/8 -j ACCEPT
rm -rf /var/tmp/z
iptables -I INPUT -p tcp --syn -s 127.0.0.0/8 -j ACCEPT
Kills the following processes:
Performs operations with the file system:
Modifies file access rights:
Creates or modifies files:
<SAMPLE_FULL_PATH>
/dev/watchdog
Mounts file systems:
Network activity:
Awaits incoming connections on ports:
127.0.0.1:65524
127.0.0.1:65525
Establishes connection:
Sends data to the following servers:
Receives data from the following servers: