Technical Information
Malicious functions:
Launches itself as a daemon
Substitutes application name for:
- [btest]
Launches processes:
- bash -c cp -rp /bin/* /ram/_bin/
- cp -rp /bin/bash /bin/bunzip2 /bin/busybox /bin/bzcat /bin/bzcmp /bin/bzdiff /bin/bzegrep /bin/bzexe /bin/bzfgrep /bin/bzgrep /bin/bzip2 /bin/bzip2recover /bin/bzless /bin/bzmore /bin/cat /bin/cfgmtd /bin/chacl /bin/chgrp /bin/chmod /bin/chown /bin/cp /bin/cpio /bin/dash /bin/date /bin/dd /bin/df /bin/dir /bin/dmesg /bin/dnsdomainname /bin/domainname /bin/echo /bin/egrep /bin/false /bin/fgrep /bin/findmnt /bin/fuser /bin/getfacl /bin/grep /bin/gunzip /bin/gzexe /bin/gzip /bin/hostname /bin/ip /bin/journalctl /bin/kill /bin/kmod /bin/less /bin/lessecho /bin/lessfile /bin/lesskey /bin/lesspipe /bin/ln /bin/login /bin/loginctl /bin/ls /bin/lsblk /bin/lsmod /bin/machinectl /bin/mkdir /bin/mknod /bin/mktemp /bin/more /bin/mount /bin/mountpoint /bin/mt /bin/mt-gnu[rkmodule] [[btest]][PPID:0x215] [bash][PID:0x216] do_filp_open. Filename: \"/bin/cp\
Kills the following processes:
- systemd-logind
- dbus-daemon
Performs operations with the file system:
Creates or modifies files:
- /ram/pckg/fix/flash/rw/store/bfd/iface
- /ram/pckg/fix/flash/rw/store/bgconf/general
- /ram/pckg/fix/flash/rw/store/bridge-vlans
- /ram/pckg/fix/flash/rw/store/bridgeports
- /ram/pckg/fix/flash/rw/store/bserv
- /ram/pckg/fix/flash/rw/store/ccenv
- /ram/pckg/fix/flash/rw/store/cchst2
- /ram/pckg/fix/flash/rw/store/ccusq
- /ram/pckg/fix/flash/rw/store/cerm
- /ram/pckg/fix/flash/rw/store/cert/ca
- /ram/pckg/fix/flash/rw/store/cert/ca_issued
- /ram/pckg/fix/flash/rw/store/cert/scep_client
- /ram/pckg/fix/flash/rw/store/cert/template
- /ram/pckg/fix/flash/rw/store/cloud
- /ram/pckg/fix/flash/rw/store/cmanifacecfg
- /ram/pckg/fix/flash/rw/store/command/speclogin
- /ram/pckg/fix/flash/rw/store/detnet-settings
- /ram/pckg/fix/flash/rw/store/dhcp/client
- /ram/pckg/fix/flash/rw/store/dhcp/client_options
- /ram/pckg/fix/flash/rw/store/dhcp/duid
- /ram/pckg/fix/flash/rw/store/dhcp/server/config
- /ram/pckg/fix/flash/rw/store/dhcp/server/lease
- /ram/pckg/fix/flash/rw/store/dhcp/server/server
- /ram/pckg/fix/flash/rw/store/dhcp/server/subnet
- /ram/pckg/fix/flash/rw/store/echosave
- /ram/pckg/fix/flash/rw/store/graphing/store/ifaces
- /ram/pckg/fix/flash/rw/store/graphing/store/queues
- /ram/pckg/fix/flash/rw/store/group
- /ram/pckg/fix/flash/rw/store/hotspot/main
- /ram/pckg/fix/flash/rw/store/hotspot/profile
- /ram/pckg/fix/flash/rw/store/hotspot/srvprof
- /ram/pckg/fix/flash/rw/store/hotspot/user
- /ram/pckg/fix/flash/rw/store/hotspot/walled-garden
- /ram/pckg/fix/flash/rw/store/hotspot/wgip
- /ram/pckg/fix/flash/rw/store/ippool
- /ram/pckg/fix/flash/rw/store/ipsec/modecfg
- /ram/pckg/fix/flash/rw/store/ipsec/peer
- /ram/pckg/fix/flash/rw/store/ipsec/policy
- /ram/pckg/fix/flash/rw/store/ipsec/policy_group
- /ram/pckg/fix/flash/rw/store/ipsec/sainfo
- /ram/pckg/fix/flash/rw/store/lcdtouch
- /ram/pckg/fix/flash/rw/store/lcdtouch-interface
- /ram/pckg/fix/flash/rw/store/lcdtouch-pages
- /ram/pckg/fix/flash/rw/store/lcdtouch-slide6
- /ram/pckg/fix/flash/rw/store/leds
- /ram/pckg/fix/flash/rw/store/log-actions
- /ram/pckg/fix/flash/rw/store/log-rules
- /ram/pckg/fix/flash/rw/store/mactel
- /ram/pckg/fix/flash/rw/store/mactel-settings
- /ram/pckg/fix/flash/rw/store/mpls/filterin
- /ram/pckg/fix/flash/rw/store/mpls/filterout
- /ram/pckg/fix/flash/rw/store/mpls/ifcfg
- /ram/pckg/fix/flash/rw/store/mproxy
- /ram/pckg/fix/flash/rw/store/mproxy-settings
- /ram/pckg/fix/flash/rw/store/net/address-list
- /ram/pckg/fix/flash/rw/store/net/address-list6
- /ram/pckg/fix/flash/rw/store/net/addrs
- /ram/pckg/fix/flash/rw/store/net/apn
- /ram/pckg/fix/flash/rw/store/net/ctmodule
- /ram/pckg/fix/flash/rw/store/net/devices
- /ram/pckg/fix/flash/rw/store/net/devlist
- /ram/pckg/fix/flash/rw/store/net/devlist-member
- /ram/pckg/fix/flash/rw/store/net/ebt-filter
- /ram/pckg/fix/flash/rw/store/net/ebt-nat
- /ram/pckg/fix/flash/rw/store/net/ipt-filter
- /ram/pckg/fix/flash/rw/store/net/ipt-mangle
- /ram/pckg/fix/flash/rw/store/net/ipt-nat
- /ram/pckg/fix/flash/rw/store/net/ipt-raw
- /ram/pckg/fix/flash/rw/store/net/ipt6-filter
- /ram/pckg/fix/flash/rw/store/net/ipt6-mangle
- /ram/pckg/fix/flash/rw/store/net/ipt6-raw
- /ram/pckg/fix/flash/rw/store/net/layer7protos
- /ram/pckg/fix/flash/rw/store/net/music/policy
- /ram/pckg/fix/flash/rw/store/net/music/port-isolation
- /ram/pckg/fix/flash/rw/store/net/music/port-leakage
- /ram/pckg/fix/flash/rw/store/net/music/vlan-egress-trans
- /ram/pckg/fix/flash/rw/store/net/music/vlan-ingress-trans
- /ram/pckg/fix/flash/rw/store/net/queuetypes
- /ram/pckg/fix/flash/rw/store/net/raw
- /ram/pckg/fix/flash/rw/store/net/routes
- /ram/pckg/fix/flash/rw/store/net/simplequeues
- /ram/pckg/fix/flash/rw/store/net/switch-acl-entries
- /ram/pckg/fix/flash/rw/store/net/switch-config
- /ram/pckg/fix/flash/rw/store/net/switch-ports
- /ram/pckg/fix/flash/rw/store/net/switch-vlans
- /ram/pckg/fix/flash/rw/store/ospfconf/area
- /ram/pckg/fix/flash/rw/store/ospfconf/gen
- /ram/pckg/fix/flash/rw/store/ospfv3/area
- /ram/pckg/fix/flash/rw/store/ospfv3/gen
- /ram/pckg/fix/flash/rw/store/ovpn/server
- /ram/pckg/fix/flash/rw/store/port_lock
- /ram/pckg/fix/flash/rw/store/ppp/aaa
- /ram/pckg/fix/flash/rw/store/ppp/epoch
- /ram/pckg/fix/flash/rw/store/ppp/profile
- /ram/pckg/fix/flash/rw/store/pptp/server
- /ram/pckg/fix/flash/rw/store/radius
- /ram/pckg/fix/flash/rw/store/radvd/iface
- /ram/pckg/fix/flash/rw/store/resolver/config
- /ram/pckg/fix/flash/rw/store/resolver/static
- /ram/pckg/fix/flash/rw/store/rip/ripkey
- /ram/pckg/fix/flash/rw/store/romonport
- /ram/pckg/fix/flash/rw/store/routing/filter
- /ram/pckg/fix/flash/rw/store/routing/plists
- /ram/pckg/fix/flash/rw/store/routing/rule
- /ram/pckg/fix/flash/rw/store/rps
- /ram/pckg/fix/flash/rw/store/scheduler
- /ram/pckg/fix/flash/rw/store/scripts
- /ram/pckg/fix/flash/rw/store/serial-login
- /ram/pckg/fix/flash/rw/store/sermgr
- /ram/pckg/fix/flash/rw/store/smbshares
- /ram/pckg/fix/flash/rw/store/smbusers
- /ram/pckg/fix/flash/rw/store/sms-config
- /ram/pckg/fix/flash/rw/store/sniffer
- /ram/pckg/fix/flash/rw/store/snmp-communities
- /ram/pckg/fix/flash/rw/store/snmpd
- /ram/pckg/fix/flash/rw/store/ssh-forwarding
- /ram/pckg/fix/flash/rw/store/ssh-keys
- /ram/pckg/fix/flash/rw/store/ssh-private-keys
- /ram/pckg/fix/flash/rw/store/ssh/ssh_host_dsa_key
- /ram/pckg/fix/flash/rw/store/ssh/ssh_host_rsa_key
- /ram/pckg/fix/flash/rw/store/system
- /ram/pckg/fix/flash/rw/store/tftp
- /ram/pckg/fix/flash/rw/store/um4
- /ram/pckg/fix/flash/rw/store/unicl/client
- /ram/pckg/fix/flash/rw/store/unicl/module
- /ram/pckg/fix/flash/rw/store/upgrader
- /ram/pckg/fix/flash/rw/store/upnp
- /ram/pckg/fix/flash/rw/store/upnpm
- /ram/pckg/fix/flash/rw/store/usb
- /ram/pckg/fix/flash/rw/store/user
- /ram/pckg/fix/flash/rw/store/user/webprefs/kengz
- /ram/pckg/fix/flash/rw/store/vm
- /ram/pckg/fix/flash/rw/store/vmifaces
- /ram/pckg/fix/flash/rw/store/wireless
- /ram/pckg/fix/flash/rw/store/wirelessccl
- /ram/pckg/fix/flash/rw/store/wirelessch
- /ram/pckg/fix/flash/rw/store/wirelessprofile
- /ram/pckg/fix/flash/rw/store/wirelesssniffer
- /ram/pckg/fix/flash/rw/store/wlcacl
- /ram/pckg/fix/flash/rw/store/wlccfgrule
- /ram/pckg/fix/flash/rw/store/wproxy/access
- /ram/pckg/fix/flash/rw/store/wproxy/cache
- /ram/pckg/fix/flash/rw/store/wproxy/config
- /ram/pckg/fix/flash/rw/store/wproxy/direct
- /ram/pckg/fix/flash/rw/store/www/socks/acl
- /ram/pckg/fix/flash/rw/store/www/socks/config
Network activity:
Awaits incoming connections on ports:
- 0.0.0.0:2000
Establishes connection:
- 8.#.8.8:53
HTTP GET requests:
- cl####outer.online/
Sends data to the following servers:
- 13#.##2.230.77:2000
Other:
Collects RAM information
