Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- /var/spool/cron/crontabs/root
Malicious functions:
Launches itself as a daemon
Substitutes application name for:
- /usr/bin/vi
Manages services:
- ['/bin/systemctl', 'enable', 'bot']
Launches processes:
- (crontab -l 2>/dev/null; echo \x22@reboot /bin/bash -c \x27<SAMPLE_FULL_PATH>\x27\x22) | crontab -
- crontab -l
- crontab -
- /bin/systemctl enable bot
Kills the following processes:
- <SAMPLE>
Performs operations with the file system:
Modifies file access rights:
- /var/spool/cron/crontabs/tmp.OXJy7E
Creates or modifies files:
- /dev/full
- /var/spool/cron/crontabs/tmp.OXJy7E
- /usr/lib/systemd/system/bot.service
Changes time of creation/access/modification of files:
- /var/spool/cron/crontabs
Network activity:
Awaits incoming connections on ports:
- 1.#.#.127:4161
- 0.0.0.0:4161
Establishes connection:
- 8.#.8.8:53
- 0.0.0.0:4161
- 1.#.1.1:53
- 14#.##.7.49:1290
DNS ASK:
- ex###cam.pro
Sends data to the following servers:
- 10#.###.69.113:37215
- 13#.##.227.85:37215
- 10#.###.174.230:37215
- 94.###.36.168:37215
- 15#.##9.50.43:37215
- 12#.##.85.179:37215
- 13#.###.119.103:37215
- 18#.###.149.192:37215
- 15#.##7.58.12:37215
- 10#.##.17.7:37215
- 37.##.140.3:37215
- 15#.##4.36.95:37215
- 94.###.214.12:37215
- 45.###.10.229:37215
- 22#.##3.96.2:37215
- 19#.##9.26.22:37215
- 15#.###.194.155:37215
- 12#.##.152.111:37215
- 94.##.233.141:37215
- 16#.##.48.2:37215
- 10#.###.147.209:37215
- 22#.###.48.214:37215
- 41.###.52.197:37215
- 45.##.31.152:37215
- 15#.###.206.128:37215
- 41.###.228.194:37215
- 41.###.78.42:37215
- 31.##.216.134:37215
- 15#.##.110.150:37215
- 15#.##.222.133:37215
- 37.###.224.18:37215
- 17#.###.193.99:37215
- 12#.###.216.137:37215
- 94.###.10.30:37215
- 18#.##.89.250:37215
- 94.##.182.23:37215
- 12#.###.90.178:37215
- 41.##.146.66:37215
- 12#.###.242.63:37215
- 31.###.188.33:37215
- 31.###.31.87:37215
- 15#.##.241.214:37215
- 19#.##1.52.38:37215
- 19#.###.226.171:37215
- 20.###.104.148:37215
- 31.#.#71.23:37215
- 10#.###.77.102:37215
- 45.###.151.111:37215
- 13#.##.0.193:37215
- 37.###.195.194:37215
- 12#.###.29.198:37215
- 46.###.183.6:37215
- 13#.##.140.222:37215
- 18#.##.62.103:37215
- 15#.##.0.87:37215
- 12#.##.174.250:37215
- 94.###.57.98:37215
- 12#.###.71.162:37215
- 19#.##.18.6:37215
- 22#.##.12.234:37215
- 19#.###.241.176:37215
- 12#.###.132.166:37215
- 10#.###.249.88:37215
- 10#.###.126.246:37215
- 12#.###.56.164:37215
- 16#.##.194.106:37215
- 12#.##.44.82:37215
- 14#.##.14.237:37215
- 15#.##.92.71:37215
- 18#.##.150.216:37215
- 15#.###.204.41:37215
- 12#.###.220.143:37215
- 22#.###.156.176:37215
- 12#.##.119.175:37215
- 18#.##2.39.59:37215
- 37.###.214.121:37215
- 13#.##.20.6:37215
- 18#.###.196.15:37215
- 10#.##.127.244:37215
- 19#.###.65.236:37215
- 13#.###.28.245:37215
- 10#.###.110.56:37215
- 31.##.83.249:37215
- 13#.##.103.200:37215
- 19#.###.44.202:37215
- 12#.#.145.56:37215
- 45.###.127.68:37215
- 31.###.73.105:37215
- 16#.###.15.110:37215
- 45.###.3.164:37215
- 13#.##.126.32:37215
- 12#.##8.59.90:37215
- 19#.##5.55.15:37215
- 22#.##.71.62:37215
- 31.###.254.245:37215
- 22#.###.184.129:37215
- 31.#.#91.178:37215
- 15#.##.170.25:37215
- 19#.###.147.129:37215
- 15#.##.72.42:37215
- 19#.##4.7.10:37215
- 94.###.171.45:37215
- 10#.##.68.86:37215
- 18#.###.123.177:37215
- 31.###.179.169:37215
- 31.##.224.184:37215
- 37.###.225.166:37215
- 13#.###.118.209:37215
- 19#.##.211.30:37215
- 16#.###.142.144:37215
- 12#.###.205.145:37215
- 31.###.98.51:37215
- 15#.###.137.117:37215
- 94.###.14.107:37215
- 12#.###.202.84:37215
- 45.###.240.76:37215
- 12#.##.185.216:37215
- 15#.##.212.138:37215
- 12#.###.236.81:37215
- 18#.##.131.140:37215
- 22#.##.164.81:37215
- 18#.###.163.229:37215
- 19#.###.188.211:37215
- 15#.##2.95.18:37215
- 37.###.91.103:37215
- 15#.##1.52.74:37215
- 37.##.180.217:37215
- 15#.##.207.124:37215
- 18#.##5.8.54:37215
- 15#.##.196.19:37215
- 89.###.31.74:37215
- 12#.###.119.194:37215
- 19#.###.250.154:37215
- 14#.##.7.49:1290
Receives data from the following servers:
- 14#.##.7.49:1290
