Technical Information
Malicious functions:
Launches itself as a daemon
Substitutes application name for:
- /bin/busybox
Launches processes:
- /bin/sh -c rm -rf bin/busybox && mkdir bin; >bin/busybox && mv <SAMPLE_FULL_PATH> bin/busybox; chmod 777 bin/busybox
- rm -rf bin/busybox
- mkdir bin
- mv <SAMPLE_FULL_PATH> bin/busybox
- chmod 777 bin/busybox
Performs operations with the file system:
Modifies file access rights:
- /root/bin/busybox
Creates folders:
- /root/bin
Creates or modifies files:
- /root/bin/busybox
- <SAMPLE_FULL_PATH>
Deletes files:
- /root/bin/busybox
Network activity:
Awaits incoming connections on ports:
- 127.0.0.1:1124
Establishes connection:
- 8.#.8.8:53
- 0.0.0.0:0
Attacks using a special dictionary (brute-force technique) via the Telnet protocol.
DNS ASK:
- ar###cboatz.cz
Sends data to the following servers:
- 11#.##9.38.193:23
- 16#.##.242.136:23
- 50.#.212.197:23
- 91.##.248.199:23
- 95.###.223.104:23
- 46.##.10.189:23
- 22#.##.41.226:23
- 15#.##1.6.255:23
- 19#.##9.122.168:23
