Technical Information
Malicious functions:
Substitutes application name for:
- sshd
Modifies firewall settings:
- iptables -I INPUT -p tcp --destination-port 22 -j DROP
- iptables -I INPUT -p tcp --destination-port 23 -j DROP
- iptables -I INPUT -p tcp --destination-port 2323 -j DROP
- iptables -I OUTPUT -p tcp --source-port 22 -j DROP
- iptables -I OUTPUT -p tcp --source-port 23 -j DROP
- iptables -I OUTPUT -p tcp --source-port 2323 -j DROP
- iptables -I INPUT -p udp --destination-port 63812 -j ACCEPT
- iptables -I OUTPUT -p udp --source-port 63812 -j ACCEPT
- iptables -I PREROUTING -t nat -p udp --destination-port 63812 -j ACCEPT
- iptables -I POSTROUTING -t nat -p udp --source-port 63812 -j ACCEPT
- iptables -I INPUT -p tcp --destination-port 54455 -j ACCEPT
- iptables -I PREROUTING -t nat -p tcp --destination-port 54455 -j ACCEPT
- iptables -I POSTROUTING -t nat -p tcp --source-port 54455 -j ACCEPT
Launches processes:
- sh -c echo 3 > /proc/sys/vm/drop_caches
- sh -c iptables -I INPUT -p tcp --destination-port 22 -j DROP
- sh -c iptables -I INPUT -p tcp --destination-port 23 -j DROP
- sh -c iptables -I INPUT -p tcp --destination-port 2323 -j DROP
- sh -c iptables -I OUTPUT -p tcp --source-port 22 -j DROP
- sh -c iptables -I OUTPUT -p tcp --source-port 23 -j DROP
- sh -c iptables -I OUTPUT -p tcp --source-port 2323 -j DROP
- sh -c iptables -I INPUT -p udp --destination-port 63812 -j ACCEPT
- sh -c iptables -I OUTPUT -p udp --source-port 63812 -j ACCEPT
- sh -c iptables -I PREROUTING -t nat -p udp --destination-port 63812 -j ACCEPT
- sh -c iptables -I POSTROUTING -t nat -p udp --source-port 63812 -j ACCEPT
- sh -c iptables -I INPUT -p tcp --destination-port 54455 -j ACCEPT
- sh -c iptables -I OUTPUT -p tcp --source-port 54455 -j ACCEPT
- sh -c iptables -I PREROUTING -t nat -p tcp --destination-port 54455 -j ACCEPT
- sh -c iptables -I POSTROUTING -t nat -p tcp --source-port 54455 -j ACCEPT
Performs operations with the file system:
Creates or modifies files:
- /proc/self/oom_score_adj
- /proc/705/oom_score_adj
- /proc/sys/vm/drop_caches
- /root/config
- /config
Network activity:
Awaits incoming connections on ports:
- 127.0.0.1:14737
- 0.0.0.0:63812
- 0.0.0.0:54455
Establishes connection:
- [:##]:63812
- 127.0.0.1:63812
- <LOCAL_DNS_SERVER>
- 8.#.8.8:123
- 19#.##8.1.1:8088
- 19#.#68.3.1:123
- 19#.##8.1.1:1234
- 20#.##2.186.8:8443
- 13#.##.224.167:81
- 16#.###.217.207:49152
- 38.###.240.189:80
- 13#.###.252.111:8080
- 12#.##3.127.1:80
- 36.###.112.93:8080
- 97.##7.93.29:80
- 64.###.183.125:7574
- 17#.#.13.217:8080
- 48.##.50.151:80
- 18#.##0.35.55:8443
- 10#.##.133.243:80
- 45.#.133.40:80
- 10#.##.46.150:7574
- 13#.##.213.134:80
- 59.##.67.215:8080
- 30.###.43.30:7574
- 52.##.157.190:80
- 47.###.245.153:80
- 19#.##0.117.14:81
- 8.###.129.223:52869
- 11#.###.215.223:8080
- 11#.###.156.154:8080
- 21#.##5.44.44:7574
- 22.##0.72.74:80
- 11#.##2.249.36:8080
- 76.##.169.92:8080
- 28.##.103.59:8080
- 13#.##0.70.7:8080
- 12#.###.126.159:8080
- 84.##.167.96:49152
- 18#.##5.98.17:52869
- 89.###.144.228:5555
- 21#.##1.40.204:8080
- 59.###.162.208:5555
- 4.###.169.251:8080
- 16#.##.32.9:8080
- 10#.##.114.147:5555
- 24.###.51.252:49152
- 5.###.52.218:8080
- 84.###.50.89:8080
- 64.##.62.27:8443
- 65.##.207.135:49152
- 21#.##2.44.95:37215
- 16.##.121.91:37215
- 60.##.143.204:7574
- 20.###.26.143:8080
- 41.###.224.231:5555
- 17#.##4.168.143:80
- 22.##.246.178:80
- 86.###.224.92:8443
- 55.##.40.119:8080
- 15#.##3.56.147:8080
- 20.##.153.87:49152
- 11#.##3.141.3:80
- 90.###.123.246:7574
- 6.##.#11.38:37215
- 40.##.237.196:8080
- 56.###.183.112:7574
- 18.###.189.254:8080
- 11#.#.48.114:80
- 15#.##1.134.47:81
- 89.##.220.191:8080
- 18#.##.188.25:5555
- 10#.##.7.181:8443
- 14#.##7.248.54:8080
- 85.###.110.40:49152
- 14#.##.184.157:80
- 85.###.112.15:80
- 11#.##9.208.176:81
- 62.###.150.158:7574
- 96.##.117.129:8443
- 13#.##5.68.72:80
- 16#.##9.69.97:7574
- 31.##.80.90:8080
- 18#.###.194.104:37215
- 19#.###.201.132:8443
- 23.###.4.61:52869
- 20#.###.139.87:52869
- 62.###.173.118:8080
- 25.###.2.192:5555
- 27.#.#7.190:5555
- 14#.#.190.200:80
- 90.###.65.114:80
- 20#.##.129.40:8080
- 21#.###.208.47:52869
- 13#.###.211.26:52869
- 11#.##0.104.87:8080
- 56.###.3.96:8443
- 18#.##.132.253:81
- 15.###.148.15:8080
- 48.###.154.46:49152
- 18#.##.89.121:80
- 13#.##0.87.169:80
- 76.##.44.176:81
- 37.###.221.26:5555
- 39.###.207.216:8080
- 19#.###.206.247:8080
- 60.###.161.251:8080
- 21#.#53.30.7:80
- 15#.###.106.38:37215
- 39.###.191.237:80
- 26.###.216.229:81
- 86.##.143.46:80
- 43.###.151.136:8080
- 21#.###.180.102:8080
- 82.###.142.246:80
- 21#.##0.178.33:80
- 21#.##4.57.40:8080
- 25.##.52.90:7574
- 16#.##7.94.213:80
- 15#.##6.58.33:80
- 16#.##8.167.12:8080
- 12#.##8.134.106:80
- 85.###.183.103:8080
- 41.###.225.234:8080
- 22.###.139.225:49152
- 16#.##4.33.175:80
- 71.###.90.197:80
- 49.##.191.39:5555
- 17#.##2.61.87:80
- 66.###.153.189:49152
- 13#.##.164.145:52869
- 15#.##.81.28:5555
- 16#.##.56.7:7574
- 46.###.173.114:49152
- 53.#.44.174:80
- 13#.##0.159.133:81
- 10#.#.183.121:8080
- 20#.##6.140.28:8080
- 77.##.20.54:52869
- 55.###.241.187:37215
- 15#.###.236.61:52869
- 17#.##0.59.0:8080
- 40.##.77.182:80
- 11#.###.106.224:5555
- 40.###.56.189:80
- 81.###.216.98:37215
- 23.##.13.81:5555
- 16#.##.191.126:7574
- 53.##.153.41:8080
- 27.###.119.231:8080
- 79.###.249.88:8080
- 14#.##.220.131:80
- 20#.##.178.183:8080
- 21#.##9.110.122:80
- 17#.##.5.51:37215
- 60.##.76.132:1023
- 65.###.90.132:23
- 20#.##.90.132:23
- 18#.##.76.132:23
- 16#.##1.199.98:23
- 19#.#3.72.53:23
- 15#.#5.67.98:23
- 15#.##.76.132:23
- 23.##.184.218:23
- 48.###.237.214:23
- 96.##3.91.40:23
DNS ASK:
- dh#.###nsmissionbt.com
- ro####.bittorrent.com
- ro####.utorrent.com
- bt#####er.debian.org
Sends data to the following servers:
- 87.##.162.88:6881
- 21#.##9.33.59:6881
- 67.###.246.10:6881
- 82.###.103.244:6881
- 13#.##9.18.159:6881
- 50.#.#7.12:51413
- 19#.###.249.218:13131
- 21#.##6.79.205:7135
- 20#.#.114.116:59840
- 17#.##4.189.96:6881
- 10#.###.177.69:50321
- 83.###.191.131:6881
- 81.##.116.110:6881
- 94.###.87.187:38321
- 5.###.108.149:6881
- 62.###.139.196:55111
- 11#.###.61.172:16001
- 96.##.219.131:1434
- 10#.##3.181.1:40945
- 78.###.51.42:61143
- 77.##.2.36:7425
- 82.##.80.165:6882
- 17#.##3.48.84:62298
- 76.###.27.227:21275
- 10#.##.133.113:57609
- 46.##.179.97:4459
- 91.###.156.19:63055
- 91.###.221.187:51413
- 17#.##2.205.4:6908
- 98.###.172.176:51413
- 18#.###.108.62:24874
- 73.###.116.248:35650
- 15#.##.216.209:1235
- 95.###.174.73:63141
- 46.###.13.230:1274
- 14#.###.158.56:51413
- 11#.##.223.223:6889
- 5.##.#26.241:49197
- 10#.##.183.149:4676
- 12#.##.239.143:6881
- 93.###.200.200:51413
- 37.##.41.6:51413
- 77.##.180.163:51413
- 62.###.62.182:555
- 1.###.148.100:7480
- 91.###.121.216:6881
- 18#.##.190.131:27049
- 92.###.219.26:53001
- 14#.##7.79.86:16043
- 71.###.81.140:52411
- 16#.##2.89.234:6881
- 21#.###.19.188:28577
- 90.###.173.240:64692
- 17#.###.128.58:51413
- 5.###.183.129:46942
- 2.###.8.37:61259
- 94.##.46.53:27862
- 95.##.51.237:43768
- 10#.##3.91.93:47800
- 11#.##7.76.162:6889
- 79.###.73.100:44434
- 94.###.121.144:39916
