Technical Information
Malicious functions:
Launches itself as a daemon
Substitutes application name for:
- e28081
Kills the following processes:
- systemd
- kthreadd
- ksoftirqd/0
- kworker/0:0
- kworker/0:0H
- watchdog/0
- khelper
- kdevtmpfs
- netns
- khungtaskd
- writeback
- ksmd
- crypto
- kintegrityd
- bioset
- kblockd
- kswapd0
- fsnotify_mark
- kthrotld
- ipv6_addrconf
- deferwq
- kworker/u2:1
- kpsmoused
- scsi_eh_0
- scsi_tmf_0
- kworker/0:1H
- kworker/u2:2
- jbd2/sda1-8
- ext4-rsv-conver
- kauditd
- kworker/0:3
- systemd-journal
- systemd-udevd
- rpciod
- nfsiod
- systemd-logind
- kworker/0:1
- dhclient
- lockfile-touch
- kworker/0:2
- 9bc2fd2a
Network activity:
Awaits incoming connections on ports:
- 127.0.0.1:33337
Establishes connection:
- 8.#.8.8:53
- 45.###.232.208:33335
Attacks using a special dictionary (brute-force technique) via the Telnet protocol.
DNS ASK:
- ro##me.xyz
Sends data to the following servers:
- 45.###.232.208:33335
- 22#.##.194.81:23
- 22.##6.26.81:23
- 48.##.48.234:23
- 12#.##.150.84:23
- 15#.##2.123.81:23
- 11#.##2.187.76:23
- 20#.##.225.97:23
- 21#.##9.237.155:23
- 23#.##1.215.147:23
- 85.##1.77.67:23
- 24#.##.112.135:23
- 17#.##4.120.41:23
- 19#.##6.50.13:23
- 21#.##.156.81:23
- 13#.##7.9.146:23
- 5.###.212.106:23
Receives data from the following servers:
- 45.###.232.208:33335
