Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- /etc/init.d/network
Malicious functions:
Launches itself as a daemon
Launches processes:
- /proc/self/fd/3 #
- /bin/sh -c
- id
- rm -rf /tmp/444
- id -u
- grep .mxain /etc/init.d/network
- sed -r /# IPv6 hook [(]pre IPv4 start[)]/a \/var\/tmp\/.mxain /etc/init.d/network
- cat /tmp/444
- getconf LONG_BIT
- rm -rf /tmp/.cdr
- sh /tmp/.974
- rm -rf /tmp/.974
- rm -rf /etc/.wav
- chmod +x /tmp/.cdr
- /tmp/.cdr
- chmod +x /etc/.wav
- /etc/.wav
Performs operations with the file system:
Creates symlinks:
- /memfd:libcrypto.so.1.0.0
- /memfd:libssl.so.1.0.0
- /memfd:libpython2.7.so.1.0
- /memfd:_locale
- /memfd:strop
- /memfd:_ctypes
- /memfd:_struct
- /memfd:select
- /memfd:fcntl
- /memfd:binascii
- /memfd:cStringIO
- /memfd:_io
- /memfd:math
- /memfd:_hashlib
- /memfd:_random
- /memfd:_collections
- /memfd:operator
- /memfd:itertools
- /memfd:_heapq
- /memfd:time
- /memfd:_socket
- /memfd:_functools
- /memfd:_ssl
- /memfd:zlib
Creates or modifies files:
- /memfd:libc.so.6 (deleted)
- /var/tmp/.crypto
- /tmp/444
- /tmp/.974
Deletes files:
- /dev/shm/memfd:libcrypto.so.1.0.0
- /dev/shm/memfd:libssl.so.1.0.0
- /dev/shm/memfd:libpython2.7.so.1.0
- /dev/shm/memfd:_locale
- /dev/shm/memfd:strop
- /dev/shm/memfd:_ctypes
- /dev/shm/memfd:_struct
- /dev/shm/memfd:select
- /dev/shm/memfd:fcntl
- /dev/shm/memfd:binascii
- /dev/shm/memfd:cStringIO
- /dev/shm/memfd:_io
- /dev/shm/memfd:math
- /dev/shm/memfd:_hashlib
- /dev/shm/memfd:_random
- /dev/shm/memfd:_collections
- /dev/shm/memfd:operator
- /dev/shm/memfd:itertools
- /dev/shm/memfd:_heapq
- /dev/shm/memfd:time
- /dev/shm/memfd:_socket
- /dev/shm/memfd:_functools
- /dev/shm/memfd:_ssl
- /dev/shm/memfd:zlib
- /tmp/444
- /tmp/.cdr
- /tmp/.974
- /etc/.wav
Network activity:
Sends data to the following servers:
- 10#.##0.130.205:80
Other:
Collects RAM information
