Technical Information
Malicious functions:
Launches itself as a daemon
Launches processes:
- sh -c pkill -9 902i13 || busybox pkill -9 902i13
- pkill -9 902i13
- busybox pkill -9 902i13
- sh -c pkill -9 BzSxLxBxeY || busybox pkill -9 BzSxLxBxeY
- pkill -9 BzSxLxBxeY
- busybox pkill -9 BzSxLxBxeY
- sh -c pkill -9 HOHO-LUGO7 || busybox pkill -9 HOHO-LUGO7
- pkill -9 HOHO-LUGO7
- busybox pkill -9 HOHO-LUGO7
- sh -c pkill -9 HOHO-U79OL || busybox pkill -9 HOHO-U79OL
- pkill -9 HOHO-U79OL
- busybox pkill -9 HOHO-U79OL
- sh -c pkill -9 JuYfouyf87 || busybox pkill -9 JuYfouyf87
- pkill -9 JuYfouyf87
- busybox pkill -9 JuYfouyf87
- sh -c pkill -9 NiGGeR69xd || busybox pkill -9 NiGGeR69xd
- pkill -9 NiGGeR69xd
- busybox pkill -9 NiGGeR69xd
- sh -c pkill -9 SO190Ij1X || busybox pkill -9 SO190Ij1X
- pkill -9 SO190Ij1X
- busybox pkill -9 SO190Ij1X
- sh -c pkill -9 LOLKIKEEEDDE || busybox pkill -9 LOLKIKEEEDDE
- pkill -9 LOLKIKEEEDDE
- busybox pkill -9 LOLKIKEEEDDE
- sh -c pkill -9 ekjheory98e || busybox pkill -9 ekjheory98e
- pkill -9 ekjheory98e
- busybox pkill -9 ekjheory98e
- sh -c pkill -9 scansh4 || busybox pkill -9 scansh4
- pkill -9 scansh4
- busybox pkill -9 scansh4
- sh -c pkill -9 MDMA || busybox pkill -9 MDMA
- pkill -9 MDMA
- busybox pkill -9 MDMA
- sh -c pkill -9 fdevalvex || busybox pkill -9 fdevalvex
- pkill -9 fdevalvex
- busybox pkill -9 fdevalvex
- sh -c pkill -9 scanspc || busybox pkill -9 scanspc
- pkill -9 scanspc
- busybox pkill -9 scanspc
- sh -c pkill -9 MELTEDNINJAREALZ || busybox pkill -9 MELTEDNINJAREALZ
- pkill -9 MELTEDNINJAREALZ
- busybox pkill -9 MELTEDNINJAREALZ
- sh -c pkill -9 flexsonskids || busybox pkill -9 flexsonskids
- pkill -9 flexsonskids
- busybox pkill -9 flexsonskids
- sh -c pkill -9 scanx86 || busybox pkill -9 scanx86
- pkill -9 scanx86
- busybox pkill -9 scanx86
- sh -c pkill -9 MISAKI-U79OL || busybox pkill -9 MISAKI-U79OL
- pkill -9 MISAKI-U79OL
- busybox pkill -9 MISAKI-U79OL
- sh -c pkill -9 foAxi102kxe || busybox pkill -9 foAxi102kxe
Network activity:
Attacks using a special dictionary (brute-force technique) via the Telnet protocol.
Connects to the following servers over the IRC protocol:
- Server: 91.##7.189.21; Command: NICK [TNG|x86_64]O8DYsTgL\nUSER O8DYsTgL localhost localhost :O8DYsTgL\n
- Server: 91.##7.189.21; Command: PONG :4066124176\n
- Server: 91.##7.189.21; Command: MODE O8DYsTgL -xi\n
- Server: 91.##7.189.21; Command: JOIN #Tanagra :picard\n
- Server: 91.##7.189.21; Command: WHO O8DYsTgL\n
Other:
Collects CPU information
