Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- /etc/cron.d/root
- /var/spool/cron/crontabs/root
- /etc/init.d/sshservice
- /etc/init.d/.depend.boot
- /etc/init.d/.depend.start
- /etc/init.d/.depend.stop
Creates or modifies the following symlinks:
- /etc/rc0.d/K01sshservice
- /etc/rc1.d/K01sshservice
- /etc/rc2.d/S01sshservice
- /etc/rc3.d/S01sshservice
- /etc/rc4.d/S01sshservice
- /etc/rc5.d/S01sshservice
- /etc/rc6.d/K01sshservice
Malicious functions:
Launches itself as a daemon
Manages services:
- systemctl enable sshservice.service
- /usr/sbin/update-rc.d sshservice defaults
- systemctl daemon-reload
- /usr/sbin/update-rc.d sshservice enable
Launches processes:
- <SAMPLE_FULL_PATH> [mds]
- <SAMPLE_FULL_PATH> [kdevtmpfds]
- /bin/sh -c export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/local/bin:/usr/sbin;chkconfig --add sshservice
- /bin/sh -c export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/local/bin:/usr/sbin;systemctl enable sshservice.service;systemctl reload sshservice.service
- /sbin/insserv sshservice
Performs operations with the file system:
Modifies file access rights:
- /etc/cron.d/root
- /var/spool/cron/root
- /var/spool/cron/crontabs/root
Creates symlinks:
- /etc/systemd/system/multi-user.target.wants/sshservice.service
Creates or modifies files:
- /usr/local/sbin/<SAMPLE>
- /var/spool/cron/root
- /usr/lib/systemd/system/sshservice.service
- /lib/systemd/system/sshservice.service
- /etc/systemd/system/sshservice.service
Network activity:
Awaits incoming connections on ports:
- 127.0.0.1:61131
Establishes connection:
- <LOCAL_DNS_SERVER>
- 127.0.0.1:61131
- 21#.#39.36.21:9
- 21#.#39.38.21:9
- 21#.#39.32.21:9
- 21#.#39.34.21:9
- 95.##1.0.0:6379
- 95.###.0.35:8080
- 95.##1.0.0:8161
- 95.##1.0.1:6379
- 95.##1.0.1:8161
- 95.##1.0.1:8080
- 95.##1.0.2:6379
- 95.##1.0.2:8161
- 95.##1.0.2:8080
- 95.##1.0.3:6379
- 95.##1.0.3:8161
- 95.##1.0.3:8080
- 95.##1.0.4:6379
- 95.##1.0.4:8161
- 95.##1.0.4:8080
- 95.##1.0.5:6379
- 95.##1.0.5:8161
- 95.##1.0.5:8080
- 95.##1.0.6:6379
- 95.##1.0.6:8161
- 95.##1.0.6:8080
- 95.##1.0.0:8080
- 95.##1.0.7:6379
- 95.##1.0.7:8161
- 95.##1.0.7:8080
- 95.##1.0.8:6379
- 95.##1.0.8:8161
- 95.##1.0.8:8080
- 95.##1.0.9:6379
- 95.##1.0.9:8161
- 95.##1.0.9:8080
- 95.###.0.10:6379
- 95.###.0.10:8161
- 95.###.0.10:8080
- 95.###.0.11:6379
- 95.###.0.11:8161
- 95.###.0.11:8080
- 95.###.0.12:6379
- 95.###.0.12:8161
- 95.###.0.12:8080
- 95.###.0.13:6379
- 95.###.0.13:8161
- 95.###.0.13:8080
- 95.###.0.14:6379
- 95.###.0.14:8161
- 95.###.0.14:8080
- 95.###.0.15:6379
- 95.###.0.15:8161
- 95.###.0.15:8080
- 95.###.0.16:6379
- 95.###.0.16:8161
- 95.###.0.16:8080
- 95.###.0.17:6379
- 95.###.0.17:8161
- 95.###.0.17:8080
- 95.###.0.18:6379
- 95.###.0.18:8161
- 95.###.0.18:8080
- 95.###.0.19:6379
- 95.###.0.19:8161
- 95.###.0.19:8080
- 95.###.0.20:6379
- 95.###.0.20:8161
- 95.###.0.20:8080
- 95.###.0.21:6379
- 95.###.0.21:8161
- 95.###.0.21:8080
- 95.###.0.22:6379
- 95.###.0.22:8161
- 95.###.0.22:8080
- 95.###.0.23:6379
- 95.###.0.23:8161
- 95.###.0.23:8080
- 95.###.0.24:6379
- 95.###.0.24:8161
- 95.###.0.24:8080
- 95.###.0.25:6379
- 95.###.0.25:8161
- 95.###.0.25:8080
- 95.###.0.26:6379
- 95.###.0.26:8161
- 95.###.0.26:8080
- 95.###.0.27:6379
- 95.###.0.27:8161
- 95.###.0.28:6379
- 95.###.0.28:8161
- 95.###.0.28:8080
- 95.###.0.27:8080
- 95.###.0.29:6379
- 95.###.0.29:8161
- 95.###.0.29:8080
- 95.###.0.30:6379
- 95.###.0.30:8161
- 95.###.0.30:8080
- 95.###.0.31:6379
- 95.###.0.31:8161
- 95.###.0.31:8080
- 95.###.0.32:6379
- 95.###.0.32:8161
- 95.###.0.33:6379
- 95.###.0.33:8161
- 95.###.0.33:8080
- 95.###.0.34:6379
- 95.###.0.34:8161
- 95.###.0.32:8080
- 95.###.0.34:8080
- 95.###.0.35:6379
- 95.###.0.35:8161
- 95.###.0.36:6379
- 95.###.0.36:8161
- 95.###.0.36:8080
- 95.###.0.37:6379
- 95.###.0.37:8161
- 95.###.0.37:8080
- 95.###.0.38:6379
- 95.###.0.38:8161
- 95.###.0.38:8080
- 95.###.0.39:6379
- 95.###.0.39:8161
- 95.###.0.39:8080
- 95.###.0.40:6379
- 95.###.0.40:8161
- 95.###.0.40:8080
- 95.###.0.41:6379
- 95.###.0.41:8161
- 95.###.0.41:8080
- 95.###.0.42:6379
- 95.###.0.42:8161
- 95.###.0.42:8080
- 95.###.0.43:6379
- 95.###.0.43:8161
- 95.###.0.43:8080
- 95.###.0.44:6379
- 95.###.0.44:8161
- 95.###.0.44:8080
- 95.###.0.45:6379
- 95.###.0.45:8161
- 95.###.0.45:8080
- 95.###.0.46:6379
- 95.###.0.46:8161
- 95.###.0.46:8080
- 95.###.0.47:6379
- 95.###.0.47:8161
- 95.###.0.47:8080
- 95.###.0.48:6379
- 95.###.0.48:8161
- 95.###.0.48:8080
- 95.###.0.49:6379
- 95.###.0.49:8161
- 95.###.0.49:8080
- 95.###.0.50:6379
- 95.###.0.50:8161
- 95.###.0.50:8080
- 95.###.0.51:6379
- 95.###.0.51:8161
- 95.###.0.51:8080
- 95.###.0.52:6379
- 95.###.0.52:8161
- 95.###.0.52:8080
- 95.###.0.53:6379
- 95.###.0.53:8161
- 95.###.0.53:8080
- 95.###.0.54:6379
- 95.###.0.54:8161
- 95.###.0.54:8080
- 95.###.0.55:6379
- 95.###.0.55:8161
- 95.###.0.55:8080
- 95.###.0.56:6379
- 95.###.0.56:8161
- 95.###.0.56:8080
- 95.###.0.57:6379
- 95.###.0.57:8161
- 95.###.0.57:8080
- 95.###.0.58:6379
- 95.###.0.58:8161
- 95.###.0.58:8080
- 95.###.0.59:6379
- 95.###.0.59:8161
- 95.###.0.60:6379
- 95.###.0.59:8080
- 95.###.0.60:8161
- 95.###.0.61:6379
- 95.###.0.61:8161
- 95.###.0.60:8080
- 95.###.0.61:8080
- 95.###.0.62:6379
- 95.###.0.62:8161
- 95.###.0.62:8080
- 95.###.0.63:6379
- 95.###.0.63:8161
- 95.###.0.63:8080
- 95.###.0.64:6379
- 95.###.0.64:8161
- 95.###.0.64:8080
- 95.###.0.65:6379
- 95.###.0.65:8161
- 95.###.0.65:8080
- 95.###.0.66:6379
- 95.###.0.66:8161
- 95.###.0.66:8080
- 95.###.0.67:6379
- 95.###.0.67:8161
- 95.###.0.67:8080
- 95.###.0.68:6379
- 95.###.0.68:8161
- 95.###.0.68:8080
- 95.###.0.69:6379
- 95.###.0.69:8161
- 95.###.0.69:8080
- 95.###.0.70:6379
- 95.###.0.70:8161
- 95.###.0.70:8080
- 95.###.0.71:6379
- 95.###.0.71:8161
- 95.###.0.71:8080
- 95.###.0.72:6379
- 95.###.0.72:8161
- 95.###.0.170:8161
- 95.###.0.137:8161
- 95.###.0.137:8080
- 95.###.0.138:6379
- 95.###.0.72:8080
- 95.###.0.138:8161
- 95.###.0.138:8080
- 95.###.0.139:6379
- 95.###.0.139:8161
- 95.###.0.139:8080
- 95.###.0.140:6379
- 95.###.0.140:8161
- 95.###.0.140:8080
- 95.###.0.141:6379
- 95.###.0.141:8161
- 95.###.0.141:8080
- 95.###.0.142:6379
- 95.###.0.142:8080
- 95.###.0.142:8161
- 95.###.0.143:6379
- 95.###.0.143:8161
- 95.###.0.143:8080
- 95.###.0.144:6379
- 95.###.0.144:8161
- 95.###.0.144:8080
- 95.###.0.145:6379
- 95.###.0.145:8161
- 95.###.0.145:8080
- 95.###.0.146:6379
- 95.###.0.146:8161
- 95.###.0.146:8080
- 95.###.0.147:6379
- 95.###.0.147:8080
- 95.###.0.148:6379
- 95.###.0.148:8161
- 95.###.0.148:8080
- 95.###.0.149:6379
- 95.###.0.149:8161
- 95.###.0.149:8080
- 95.###.0.147:8161
- 95.###.0.150:6379
- 95.###.0.150:8161
- 95.###.0.150:8080
- 95.###.0.151:8161
- 95.###.0.73:6379
- 95.###.0.151:8080
- 95.###.0.152:8161
- 95.###.0.151:6379
- 95.###.0.152:8080
- 95.###.0.153:6379
- 95.###.0.153:8161
- 95.###.0.153:8080
- 95.###.0.152:6379
- 95.###.0.154:6379
- 95.###.0.154:8161
- 95.###.0.154:8080
- 95.###.0.155:6379
- 95.###.0.155:8161
- 95.###.0.155:8080
- 95.###.0.156:6379
- 95.###.0.156:8161
- 95.###.0.156:8080
- 95.###.0.157:6379
- 95.###.0.157:8161
- 95.###.0.157:8080
- 95.###.0.158:6379
- 95.###.0.158:8161
- 95.###.0.158:8080
- 95.###.0.159:6379
- 95.###.0.159:8161
- 95.###.0.159:8080
- 95.###.0.160:6379
- 95.###.0.160:8161
- 95.###.0.160:8080
- 95.###.0.161:8161
- 95.###.0.162:6379
- 95.###.0.162:8161
- 95.###.0.162:8080
- 95.###.0.163:6379
- 95.###.0.163:8161
- 95.###.0.163:8080
- 95.###.0.164:6379
- 95.###.0.164:8161
- 95.###.0.164:8080
- 95.###.0.165:6379
- 95.###.0.165:8161
- 95.###.0.165:8080
- 95.###.0.166:6379
- 95.###.0.166:8161
- 95.###.0.73:8161
Attacks using a special dictionary (brute-force technique) via the SSH protocol
HTTP GET requests:
- if###fig.me/
DNS ASK:
- cr##.#######bety6vifaxsi9vovnc9jjay2l.com
- if##nfig.me
