Technical Information
Malicious functions:
Launches itself as a daemon
Gets access to SSH keys
- /root/.ssh/authorized_keys
Launches processes:
- /usr/bin/getconf CLK_TCK
- <SAMPLE_FULL_PATH>
- /usr/bin/lsb_release
- dpkg-query -f ${Version} ${Provides
- /sbin/sysctl -n kernel.random.boot_id
- sh -c uptime
- sh -c whoami
- sh -c ps auxf
- uptime
- whoami
- ps auxf
Performs operations with the file system:
Creates folders:
- /tmp/.ddg
- /root/.ssh
Creates or modifies files:
- /tmp/.ddg/3001.lock
Network activity:
Establishes connection:
- 10#.##1.232.44:8000
- 10#.##.151.237:8000
- 10#.###.242.196:8000
- 127.0.0.1:8000
- 10#.##7.3.227:8000
- 10#.###.143.126:8000
- 11#.##.125.150:8000
- 11#.##.252.210:8000
- 11#.##9.42.117:8000
- 11#.##6.115.88:8000
- 11#.##.226.241:8000
- 11#.##.77.98:8000
- 12#.##.144.36:8000
- 12#.##.76.100:8000
- 12#.##.221.92:8000
- 12#.##.81.73:8000
- 13.###.99.28:8000
- 13#.##9.61.237:8000
- 14#.##.106.215:8000
- 15#.#.64.243:8000
- 17#.##7.29.78:8000
- 18#.###.158.234:8000
- 20#.##1.169.98:8000
- 20#.###.172.162:8000
- 21#.##.151.65:8000
- 23.##.98.54:8000
- 47.##.218.199:8000
HTTP POST requests:
- 10#.###.151.191:8000/slave
- 16#.###.157.157:8000/slave
- 18#.###.158.233:8000/slave
- 21#.###.40.228:8000/slave
Other:
Collects OS information
Collects CPU information
Collects RAM information
Collects information about network activity
