Technical Information
Malicious functions:
Removes itself
Launches itself as a daemon
Substitutes application name for:
- v47igqwsom80mcawiw3t4l00
Performs operations with the file system:
Creates or modifies files:
- <SAMPLE_FULL_PATH>
Network activity:
Awaits incoming connections on ports:
- 127.0.0.1:21065
Establishes connection:
- 8.#.8.8:53
- 45.##.24.152:33943
Attacks using a special dictionary (brute-force technique) via the Telnet protocol.
Connects to the following servers over the IRC protocol:
- Server: 20#.#87.95.65; Command: USER1
- Server: 20#.#87.95.65; Command: \n
- Server: 20#.#87.95.65; Command: 0937795500
- Server: 20#.#87.95.65; Command: enable
- Server: 20#.#87.95.65; Command: development
- Server: 20#.#87.95.65; Command: system
- Server: 20#.#87.95.65; Command: shell
- Server: 20#.#87.95.65; Command: sh
- Server: 20#.#87.95.65; Command: runshellcmd
- Server: 20#.#87.95.65; Command: linuxshell
- Server: 20#.#87.95.65; Command: start start-shell
- Server: 20#.#87.95.65; Command: start-shell
- Server: 20#.#87.95.65; Command: ping ; sh
- Server: 20#.#87.95.65; Command: busybox DNXFCOW
- Server: 20#.#87.95.65; Command: /bin/busybox DNXFCOW
DNS ASK:
- tm#.#yberium.cc
Sends data to the following servers:
- 45.##.24.152:33943
Receives data from the following servers:
- 45.##.24.152:33943
