Technical Information
Malicious functions:
Launches itself as a daemon
Substitutes application name for:
- fiLXOBqH2wHU
Network activity:
Awaits incoming connections on ports:
- 0.0.0.0:23
- 0.0.0.0:22
- 0.0.0.0:443
- 0.0.0.0:81
- 0.0.0.0:8080
Establishes connection:
- 8.#.8.8:53
- 20#.##1.57.143:722
Attacks using a special dictionary (brute-force technique) via the Telnet protocol.
Sends data to the following servers:
- 20#.##1.57.143:722
- 5.##.22.205:23
- 40.##.235.38:23
- 21#.##7.69.119:23
- 37.#.203.34:23
- 23.###.193.29:23
- 13.##.60.63:23
- 18#.#2.119.9:23
- 54.##.95.80:23
- 14#.##.26.118:23
- 19#.##5.24.185:23
- 34.###.230.144:23
- 20#.##3.99.71:23
- 18#.#2.85.77:23
- 52.##.82.50:23
- 11#.##.128.13:23
- 14#.##4.2.177:23
- 21#.##9.31.106:23
- 15#.##9.40.169:23
- 14#.##.214.22:23
- 19#.##0.47.83:23
- 15#.##.131.205:23
- 13#.##9.207.249:23
- 86.##.81.22:23
- 11#.##4.109.183:23
- 11#.##1.71.55:23
- 20#.#.185.248:23
- 20#.#.161.165:23
- 20#.#4.0.189:23
- 60.###.243.18:23
- 17#.##.195.92:23
- 1.##.241.38:23
- 75.###.104.210:23
- 50.##.10.229:23
- 40.###.244.175:23
- 11#.##.16.147:23
- 11#.##2.197.72:23
- 22#.##0.133.1:23
- 11#.#6.56.83:23
- 17#.##2.228.2:23
- 20#.##6.37.231:23
- 51.###.29.132:23
- 69.###.154.194:23
- 43.##1.11.64:23
- 53.###.52.201:23
- 20#.##.129.239:23
- 74.##.45.98:23
- 44.##.224.48:23
- 11#.#8.28.9:23
- 81.###.209.148:23
- 15#.##2.75.145:23
- 11#.##9.84.255:23
- 21#.##5.7.145:23
- 20.##.85.74:23
- 22#.##9.203.45:23
- 1.###.8.13:23
- 14#.##9.163.134:23
- 19#.#6.26.72:23
- 22#.##5.50.133:23
- 98.###.59.201:23
- 13#.##5.190.89:23
- 22#.##7.204.7:23
- 19#.#.137.32:23
- 34.##.183.157:23
- 13#.##8.17.244:23
- 63.###.174.139:23
- 11#.##.126.65:23
- 44.###.196.182:23
- 15#.##6.169.165:23
- 16#.##7.111.3:23
- 19#.##.197.94:23
- 13#.##8.235.250:23
Receives data from the following servers:
- 20#.##1.57.143:722
