Technical Information
Malicious functions:
Launches itself as a daemon
Modifies firewall settings:
- iptables -I INPUT -p tcp --dport 22 -j DROP
- iptables -I INPUT -p tcp --dport 23 -j DROP
- iptables -I OUTPUT -p tcp --sport 22 -j DROP
- iptables -I OUTPUT -p tcp --sport 23 -j DROP
- iptables -I INPUT -p udp --dport 8083 -j ACCEPT
- iptables -I OUTPUT -p udp --sport 8083 -j ACCEPT
- iptables -I PREROUTING -t nat -p udp --dport 8083 -j ACCEPT
Launches processes:
- sh -c echo 3 > /proc/sys/vm/drop_caches
- sh -c iptables -I INPUT -p tcp --dport 22 -j DROP
- sh -c iptables -I INPUT -p tcp --dport 23 -j DROP
- sh -c iptables -I OUTPUT -p tcp --sport 22 -j DROP
- sh -c iptables -I OUTPUT -p tcp --sport 23 -j DROP
- sh -c iptables -I INPUT -p udp --dport 8083 -j ACCEPT
- sh -c iptables -I OUTPUT -p udp --sport 8083 -j ACCEPT
- sh -c iptables -I PREROUTING -t nat -p udp --dport 8083 -j ACCEPT
Performs operations with the file system:
Creates or modifies files:
- /tmp/xrun.pid
- /proc/sys/vm/drop_caches
Network activity:
Awaits incoming connections on ports:
- 0.0.0.0:8083
Establishes connection:
- [:##]:8083
- 127.0.0.1:8083
