Linux.Siggen.7162

Technical Information

Malicious functions:

Launches itself as a daemon

Substitutes application name for:

e28081

Kills the following processes:

kthreadd
rcu_gp
rcu_par_gp
kworker/0:0H
kworker/u2:0
mm_percpu_wq
rcu_tasks_rude_
rcu_tasks_trace
ksoftirqd/0
rcu_sched
migration/0
kworker/0:1
cpuhp/0
kdevtmpfs
netns
kauditd
khungtaskd
oom_reaper
writeback
kcompactd0
ksmd
khugepaged
kintegrityd
kblockd
blkcg_punt_bio
edac-poller
devfreq_wq
kworker/0:1H
kswapd0
kthrotld
acpi_thermal_pm
ipv6_addrconf
kworker/u2:1
kworker/u2:2
kstrp
zswap-shrink
kworker/u3:0
kworker/0:2
ata_sff
scsi_eh_0
scsi_tmf_0
scsi_eh_1
scsi_tmf_1
jbd2/sda1-8
ext4-rsv-conver
ttm_swap
kworker/u2:3
kworker/0:0
9bc2fd2a

Network activity:

Awaits incoming connections on ports:

127.0.0.1:33337

Establishes connection:

8.#.8.8:53
45.###.232.208:33335

Attacks using a special dictionary (brute-force technique) via the Telnet protocol.

DNS ASK:

ro##me.xyz

Sends data to the following servers:

45.###.232.208:33335
6.#.#20.153:23
15#.##1.182.212:23
14#.##.159.244:23
80.###.103.24:23
24#.##0.251.69:23
93.##6.44.64:23
33.##.72.1:23
21#.##.198.230:23
93.##.75.185:23
21#.##9.101.206:23
14.##.192.87:23
19#.##.131.165:23
20#.##0.245.154:23
32.###.56.199:23
20#.##9.209.27:23
17#.##.245.30:23
11#.##.253.154:23
15.##4.45.24:23
19#.##3.14.131:23
91.###.102.226:23
20#.##.190.160:23
15#.##8.225.153:23
22#.##6.250.12:23
69.###.100.124:23
21#.##1.17.41:23
15#.##.121.56:23
12.###.121.128:23
19#.##.181.86:23
15#.##1.0.161:23
82.###.205.238:23
17#.##.133.220:23
24#.##0.170.188:23
21#.##.158.129:23
73.###.37.155:23
13#.##7.194.79:23
19#.##3.139.181:23
23#.##6.186.166:23
30.##.222.47:23
19#.##5.161.92:23
59.###.113.123:23
23#.#.28.108:23
10#.##.81.130:23
12#.##8.236.170:23
25#.##.246.85:23
23#.##.183.83:23
10#.##8.130.140:23
14#.##.195.50:23
60.##.115.189:23
12#.#5.67.51:23
14#.##7.207.15:23
18#.##.131.194:23
22.###.96.148:23
11#.##.140.180:23
42.##.245.249:23
20#.##.128.211:23
11#.##8.162.123:23
14#.##1.230.178:23
43.###.29.195:23
10#.##8.234.47:23
16#.##.37.117:23
14#.##4.119.178:23
82.##0.98.33:23
80.##.139.152:23
22#.##5.135.159:23
83.###.160.32:23
18#.##1.69.245:23
16#.##7.116.133:23
40.###.97.177:23
20#.#05.75.6:23
48.##.143.171:23
16.##.37.231:23
37.#.22.19:23
25#.##.215.186:23
19#.#5.18.98:23
30.##.41.1:23
42.##.45.234:23
11#.##9.146.207:23
35.###.55.189:23
27.##.81.142:23
77.###.246.183:23
37.##.166.78:23
24#.##6.172.116:23
59.###.245.49:23
82.##.173.211:23
67.##.81.61:23
15#.#9.7.85:23
97.##.72.179:23
21#.##2.130.117:23
20#.##6.177.124:23
19#.##2.191.27:23
19.##.26.179:23
40.###.195.235:23
23#.##.141.27:23
45.##.19.212:23
16#.##.131.30:23
13#.##9.143.251:23
13#.##4.100.120:23
22.##.208.136:23
19#.##8.34.145:23
95.#.238.79:23
29.##.156.188:23
12#.#.33.50:23
12#.##5.219.129:23
10#.##6.27.99:23
10#.##0.153.158:23
64.###.16.210:23
19#.#01.94.3:23
24#.##9.50.12:23
40.###.173.134:23
73.##.95.124:23
86.##.96.118:23
21#.##.136.82:23
39.##.199.16:23
46.###.16.227:23
25.##.6.19:23
18#.##.130.15:23
22#.##.137.183:23
77.##.245.36:23
17#.##1.41.52:23
22#.##2.41.164:23
10#.##0.224.94:23
18#.##.229.126:23
70.###.46.101:23
15#.##.108.204:23
19#.#8.98.80:23
65.##.248.145:23
32.##.177.195:23
12#.##8.252.131:23
95.###.221.150:23
10#.##.222.11:23
56.###.30.145:23
16#.##3.182.155:23
59.##.138.196:23
25#.##8.69.30:23
3.##.15.237:23
93.##.9.173:23
37.##.24.174:23
59.##.95.77:23
23#.##2.17.73:23
23#.##.125.75:23
19#.##3.121.225:23
68.###.148.108:23
13#.##.185.226:23
22#.##8.82.158:23
72.##.103.211:23
22#.##.232.199:23
18#.#6.67.75:23
16#.##6.12.224:23
15.###.218.221:23
13#.##0.159.131:23
82.##4.37.76:23
17#.##7.31.177:23
15.##.158.206:23
16#.##.235.45:23
17#.##.139.188:23
22#.##5.186.233:23
42.###.148.242:23
22#.##2.162.7:23
69.###.184.69:23
63.#.85.17:23
57.##4.5.179:23
50.##.120.228:23

Receives data from the following servers:

45.###.232.208:33335

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement