Technical Information
Malicious functions:
Launches processes:
- <SAMPLE_FULL_PATH>
- route -n
- xdg-open http://127.0.0.1:8384/
- dbus-send --print-reply --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager
- xprop -root _DT_SAVE_MODE
- grep = \\"xfce4\\"$
- grep -i ^xfce_desktop_window
- xprop -root
- uname
- grep -q ^file://
- egrep -q ^[[:alpha:]+\.\-]+:
- grep -E -q ^[[:alpha:]+\.\-]+:
- www-browser http://127.0.0.1:8384/
- gunzip
- gzip -d
Performs operations with the file system:
Creates folders:
- /root/.config
- /root/.config/syncthing
- /root/.config/syncthing/index-v0.14.0.db
- /root/Sync
- /root/Sync/.stfolder
- /root/.w3m
Creates or modifies files:
- /root/.config/syncthing/cert.pem
- /root/.config/syncthing/key.pem
- /root/.config/syncthing/.syncthing.tmp.237038084
- /root/.config/syncthing/index-v0.14.0.db/LOCK
- /root/.config/syncthing/index-v0.14.0.db/LOG
- /root/.config/syncthing/index-v0.14.0.db/MANIFEST-000000
- /root/.config/syncthing/index-v0.14.0.db/CURRENT.0
- /root/.config/syncthing/index-v0.14.0.db/000001.log
- /root/.config/syncthing/https-cert.pem
- /root/.config/syncthing/https-key.pem
- /root/.config/syncthing/.syncthing.tmp.954994579
- /root/.config/syncthing/.syncthing.tmp.228126166
- /root/.w3m/w3mtmp713-0.gz
Deletes files:
- /root/.config/syncthing/.syncthing.tmp.237038084"
- /root/.config/syncthing/.syncthing.tmp.954994579"
- /root/.config/syncthing/.syncthing.tmp.228126166"
- /root/.w3m/w3mtmp713-0.gz"
Network activity:
Awaits incoming connections on ports:
- 127.0.0.1:8384
- 0.0.0.0:21027
Establishes connection:
- <LOCAL_DNS_SERVER>
- 45.##.230.38:443
- 46.###.130.230:443
- [2########:800:10::182:a001]:443
- [2#######0:0:d0::d9:d001]:443
- 51.##.92.95:9
- 51.##.215.88:9
- 51.##.92.95:443
- 12#.##9.95.124:443
- [2######8:4400:2200::c39]:9
- [2######8:4700:2000::515]:9
- [2#######:4400:2200::c39]:443
- [2#######:4700:2000::515]:443
- <LOCAL_DNS_SERVER>51
- 15#.#.77.158:22067
- 18#.##.171.192:443
- 70.##.233.222:22067
- 16#.##6.157.114:443
- 37.###.191.245:22067
- 17#.##0.8.190:22067
- 16#.###.182.254:22067
- 94.###.105.96:443
- 16#.###.24.229:22067
- 69.##.201.138:22067
- 11#.###.44.148:17607
- 12#.###.219.85:22067
- 10#.###.218.29:22067
- 46.###.18.182:22067
- 21#.##.253.154:22067
- 14#.##.71.91:22067
- 10#.##0.56.60:443
- 21#.##.221.154:8080
- 17#.##.221.151:22067
- 85.##.76.192:22067
- 10#.##1.30.17:8080
- 16#.##2.179.61:8443
- 86.###.112.13:22067
- 19#.###.196.10:22067
- 21#.###.53.178:22067
- 10#.##3.225.93:443
- 46.##.48.180:22067
- 13#.###.96.164:22067
- 10#.###.199.119:22067
- 14#.###.234.88:22067
- 36.###.1.232:22067
- 86.###.110.238:22067
- 21#.##.158.110:22067
- 5.#.#6.38:22067
- 21#.###.205.247:22067
- 51.##.56.101:22067
- 90.##.66.100:22067
- 89.##.74.106:80
- 83.##.2.250:22067
- 21#.###.171.119:22067
- 19#.##.175.39:22067
- 77.##.145.221:22067
- 10#.##0.6.122:8080
- [2#######0:3:d0::18d6:8001]:9
- 46.###.130.230:9
- 94.###.67.138:22067
- 21#.###.217.18:22067
- 94.###.98.21:22067
- 17#.##.181.189:22067
- 93.###.117.241:443
- 18#.##.167.63:22067
- 18#.###.228.140:22067
- 31.###.45.3:22067
- 19#.###.110.10:22067
- 10#.###.154.59:22067
- 45.##.172.54:22067
- 10#.###.145.187:22067
- 19#.###.49.122:22067
- 91.###.229.68:22067
- 94.###.44.20:22067
- 37.###.9.77:22067
- 82.###.10.247:15552
- 18#.###.143.60:22067
- 14#.###.52.153:22067
- 18#.###.156.211:22067
- 80.###.192.102:22067
- 83.###.51.14:443
- 37.###.57.69:22067
- 10#.##.183.249:22067
- 94.##.122.162:443
- 78.##.248.86:443
- 19#.##.138.11:13272
- 64.###.224.30:443
- 20#.###.135.76:22067
- 51.###.75.9:22067
- 15#.##3.30.69:443
- 69.###.114.223:22067
- 16#.##.232.119:22067
- 31.##.30.188:22067
- 92.###.95.0:22067
- 88.##.175.206:22067
- 65.##.142.180:22067
- 83.###.144.57:22067
- 77.##.78.148:22067
- 95.##.90.44:22067
- 99.###.129.99:22067
- 13#.##.36.151:22067
- 89.###.130.244:22067
- 85.###.216.244:22067
- 21#.##.26.243:443
- 24.##.153.158:22067
- 20#.###.146.36:22067
- 13#.##.43.68:22067
- 89.##.39.108:22067
- 21#.###.231.216:22067
- 15#.##.170.183:22067
- 21#.##.15.128:22067
- 17#.##.187.139:22067
- 86.###.65.13:22067
- 16#.###.132.71:22067
- 19#.###.147.150:22067
- 94.###.57.172:443
- 90.###.93.175:48662
- 46.#.#0.132:22067
- 46.##.250.207:993
- 5.###.179.192:22067
- 78.###.42.155:443
- 21#.###.140.233:22067
- 22#.##1.38.55:8067
- 16#.###.160.227:22067
- 16#.##.83.235:22067
- 19#.##9.226.6:443
- 79.###.32.223:22067
HTTP GET requests:
- 127.0.0.1:8384/
DNS ASK:
- st##.ekiga.net
- re####.syncthing.net
- di#######-v4-2.syncthing.net
- di#######-v4-3.syncthing.net
- di#######-v4-4.syncthing.net
- di#######-v6-2.syncthing.net
- di#######-v6-3.syncthing.net
- di#######-v6-4.syncthing.net
- up#####s.syncthing.net
Sends data to the following servers:
- 19#.###.200.255:21027
- [f####:8384]:21027
- 23#.###.255.250:1900
- [:######217.10.68.152]:3478
- <LOCAL_DNS_SERVER>51
- 51.##.92.95:443
- 46.###.130.230:443
- 45.##.230.38:443
- 12#.##9.95.124:443
- [:#######17.116.122.137]:3479
- 127.0.0.1:43609
- 86.###.65.13:22067
Receives data from the following servers:
- <LOCAL_DNS_SERVER>51
- 51.##.92.95:443
- 46.###.130.230:443
- 45.##.230.38:443
- 12#.##9.95.124:443
- 127.0.0.1:43609
- 86.###.65.13:22067
Other:
Collects RAM information
Collects information about network activity
