Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- /etc/inittab
- /var/spool/cron/crontabs/root
- /etc/rc.local
Malicious functions:
Substitutes application name for:
- l7dws18qi461cuhqba653vju
Modifies router settings:
- /bin/nvram
Launches processes:
- sh -c cat /etc/inittab | grep -v \"<SAMPLE_FULL_PATH>\" > /etc/inittab2
- sh -c crontab -r
- sh -c crontab -l | grep <SAMPLE_FULL_PATH> | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * <SAMPLE_FULL_PATH> > /dev/null 2>&1 &\") | crontab - > /dev/null 2>&1 &
- crontab -r
- cat /etc/inittab
- grep <SAMPLE_FULL_PATH>
- grep -v <SAMPLE_FULL_PATH>
- crontab -l
- grep -v no cron
- sh -c echo \"0:2345:respawn:<SAMPLE_FULL_PATH>\" >> /etc/inittab2
- sh -c cat /etc/inittab2 > /etc/inittab
- crontab -
- cat /etc/inittab2
- sh -c rm -rf /etc/inittab2
- rm -rf /etc/inittab2
- sh -c touch -acmr /bin/ls /etc/inittab
- touch -acmr /bin/ls /etc/inittab
- sh -c cp -f <SAMPLE_FULL_PATH> /dev/shm/<SAMPLE>
- sh -c /bin/uname -n
- sh -c nvram get router_name
- cp -f <SAMPLE_FULL_PATH> /dev/shm/<SAMPLE>
- /bin/uname -n
- sh -c cat /etc/inittab | grep -v \"/dev/shm/<SAMPLE>\" > /etc/inittab2
- sh -c crontab -l | grep /dev/shm/<SAMPLE> | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /dev/shm/<SAMPLE> > /dev/null 2>&1 &\") | crontab - > /dev/null 2>&1 &
- grep -v /dev/shm/<SAMPLE>
- grep /dev/shm/<SAMPLE>
- sh -c echo \"0:2345:respawn:/dev/shm/<SAMPLE>\" >> /etc/inittab2
- sh -c cp -f <SAMPLE_FULL_PATH> /var/tmp/<SAMPLE>
- cp -f <SAMPLE_FULL_PATH> /var/tmp/<SAMPLE>
- sh -c cat /etc/inittab | grep -v \"/var/tmp/<SAMPLE>\" > /etc/inittab2
- sh -c crontab -l | grep /var/tmp/<SAMPLE> | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/tmp/<SAMPLE> > /dev/null 2>&1 &\") | crontab - > /dev/null 2>&1 &
- grep /var/tmp/<SAMPLE>
- grep -v /var/tmp/<SAMPLE>
Performs operations with the file system:
Modifies file access rights:
- /var/spool/cron/crontabs/tmp.BxqqDJ
- /var/spool/cron/crontabs/tmp.5D6fq4
Creates or modifies files:
- /tmp/.bawtz
- /etc/inittab2
- /var/spool/cron/crontabs/tmp.BxqqDJ
- /dev/shm/<SAMPLE>
- /var/spool/cron/crontabs/tmp.5D6fq4
- /var/tmp/<SAMPLE>
Deletes files:
- /etc/inittab2
Locks files:
- /tmp/.bawtz
Network activity:
Awaits incoming connections on ports:
- 127.0.0.1:59000
Connects to the following servers over the IRC protocol:
- Server: 51.##0.8.207; Command: NICK A5|e|0|2696672|unknown\nUSER muhstik localhost localhost :muhstik-11052018\n
- Server: 51.##0.8.207; Command: PONG :683FD55F\n
- Server: 51.##0.8.207; Command: MODE A5|e|0|2696672|unknown -xi\n
- Server: 51.##0.8.207; Command: JOIN #ssh :8974\n
- Server: 51.##0.8.207; Command: WHO A5|e|0|2696672|unknown\n
