Technical Information
Malicious functions:
Launches itself as a daemon
Substitutes application name for:
- sic1eec0sxas
Network activity:
Awaits incoming connections on ports:
- 127.0.0.1:3132
Establishes connection:
- 8.#.8.8:53
- 1.#.0.1:53
- 87.###.37.65:1024
- 87.###.37.65:7685
- 43.###.36.208:26
- 15#.##4.131.137:26
- 11#.##7.113.124:26
- 16#.##6.58.221:26
- 19#.##5.197.9:26
- 19#.##3.241.51:26
- 15#.##7.190.211:26
- 16#.##.120.138:9000
- 10#.##.179.154:26
- 14#.##1.66.148:26
- 37.###.171.3:9001
- 16#.##4.236.0:26
- 17#.#5.64.20:26
- 19#.##2.217.112:26
- 21#.##8.95.52:26
- 19#.##5.7.253:26
- 45.##.80.99:9001
- 18#.##0.17.224:26
- 19#.##0.83.224:9001
- 45.##.13.12:9001
- 3.###.238.107:9000
- 15#.##0.79.162:9001
- 15#.##1.74.138:9001
- 14#.##.187.187:9000
- 16#.##.181.20:26
- 70.##.246.120:26
- 19#.#9.20.96:26
- 11#.##8.41.113:26
Attacks using a special dictionary (brute-force technique) via the Telnet protocol.
Attacks using a special dictionary (brute-force technique) via an undefined protocol.
DNS ASK:
- oh####.#aiseyourdongers.pw
- oh#####.raiseyourdongers.pw
Sends data to the following servers:
- 87.###.37.65:1024
- 87.###.37.65:7685
- 43.###.36.208:26
- 11#.##8.16.144:26
- 14.##.127.164:26
- 22#.###.122.121:9000
- 23#.##5.39.109:26
- 24#.##.149.172:26
- 14#.#.30.52:26
- 16#.##6.58.221:26
- 19#.##2.217.112:26
- 70.##.246.120:26
- 19#.#9.20.96:26
Receives data from the following servers:
- 87.###.37.65:7685
- 16#.##6.58.221:26
- 19#.##3.241.51:26
- 14#.##1.66.148:26
- 16#.##4.236.0:26
- 19#.##2.217.112:26
- 19#.##5.7.253:26
- 87.###.37.65:1024
- 15#.##1.74.138:9001
- 70.##.246.120:26
- 19#.#9.20.96:26
- 11#.##8.41.113:26
