Technical Information
Malicious functions:
Substitutes application name for:
- bhash-loadblk
- bhash-obfuscation
- bhash-net
- bhash-dnsseed
- bhash-addcon
- bhash-msghand
- bhash-opencon
- bhash-dumpaddr
- bhash-stakemint
- bhash-wallet
- bhash-miner
Performs operations with the file system:
Creates folders:
- /root/.bhash
- /root/.bhash/backups
- /root/.bhash/database
- /root/.bhash/blocks
- /root/.bhash/blocks/index
- /root/.bhash/chainstate
Creates or modifies files:
- /root/.bhash/bhash.conf
- /root/.bhash/masternode.conf
- /root/.bhash/.lock
- /root/.bhash/bhashd.pid
- /root/.bhash/debug.log
- /root/.bhash/db.log
- /root/.bhash/blocks/index/LOG
- /root/.bhash/blocks/index/LOCK
- /root/.bhash/blocks/index/MANIFEST-000001
- /root/.bhash/blocks/index/000001.dbtmp
- /root/.bhash/blocks/index/000003.log
- /root/.bhash/blocks/index/MANIFEST-000002
- /root/.bhash/blocks/index/000002.dbtmp
- /root/.bhash/chainstate/LOG
- /root/.bhash/chainstate/LOCK
- /root/.bhash/chainstate/MANIFEST-000001
- /root/.bhash/chainstate/000001.dbtmp
- /root/.bhash/chainstate/000003.log
- /root/.bhash/chainstate/MANIFEST-000002
- /root/.bhash/chainstate/000002.dbtmp
- /root/.bhash/blocks/blk00000.dat
- /root/.bhash/blocks/rev00000.dat
- /root/.bhash/database/log.0000000001
- /root/.bhash/__db.80000001.585c7aa2
- /root/.bhash/wallet.dat
Deletes files:
- /root/.bhash/blocks/index/MANIFEST-000001"
- /root/.bhash/chainstate/MANIFEST-000001"
Network activity:
Awaits incoming connections on ports:
- 127.0.0.1:17654
- 0.0.0.0:17652
Establishes connection:
- <LOCAL_DNS_SERVER>
- 51.##.37.145:0
- 45.##.15.228:0
- 51.##.58.146:0
- 51.##.37.145:17652
DNS ASK:
- bh######ed1.coinseed.online
- co###eed.online
- bh######ed2.coinseed.online
Sends data to the following servers:
- 51.##.37.145:17652
Receives data from the following servers:
- 51.##.37.145:17652
Other:
Collects CPU information
