Technical Information
Malicious functions:
Launches itself as a daemon
Launches processes:
- sh -c rm -f /usr/bin/pamdicks 1> /dev/null 2>&1
- rm -f /usr/bin/pamdicks
- sh -c rm -f /usr/bin/pamdicks.org 1> /dev/null 2>&1
- rm -f /usr/bin/pamdicks.org
- sh -c rm -f /usr/bin/pamdicks.org1 1> /dev/null 2>&1
- rm -f /usr/bin/pamdicks.org1
- sh -c rm -f /usr/bin/pamdicks.org2 1> /dev/null 2>&1
- rm -f /usr/bin/pamdicks.org2
- sh -c rm -rf /tmp/up 1> /dev/null 2>&1
- rm -rf /tmp/up
- sh -c rm -rf /var/lib//up 1> /dev/null 2>&1
- rm -rf /var/lib//up
- sh -c /usr/bin/pamdicks
- /usr/bin/pamdicks
- sh -c rm -f /etc/hosts.old
- rm -f /etc/hosts.old
- sh -c echo > /var/log/messages
Performs operations with the file system:
Modifies file access rights:
- /usr/bin/pamdicks
- /usr/bin/pamdicks.org
- /usr/bin/pamdicks.org1
- /usr/bin/pamdicks.org2
Creates or modifies files:
- /usr/bin/pamdicks
- /usr/bin/pamdicks.org
- /usr/bin/pamdicks.org1
- /usr/bin/pamdicks.org2
- /etc/hosts
- /lib/x86_64-linux-gnu/security/pam_unix.so
- /var/run/bioset
- /run/bioset
- /var/log/messages
Deletes files:
- /usr/bin/pamdicks
- /usr/bin/pamdicks.org
- /usr/bin/pamdicks.org1
- /usr/bin/pamdicks.org2
- /tmp/up
- /var/lib//up
- /etc/hosts.old
Network activity:
Establishes connection:
- <LOCAL_DNS_SERVER>
- 13#.##.68.221:7042
DNS ASK:
- po##.##uminerpool.com
- st#####-asia.rplant.xyz
Sends data to the following servers:
- 13#.##.68.221:7042
Receives data from the following servers:
- 13#.##.68.221:7042
