Техническая информация
Для обеспечения автоматического запуска и распространения:
Создает или модифицирует следующие файлы:
- /var/spool/cron/crontabs/root
Вредоносные функции:
Самоудаляется
Запускает себя в качестве демона
Запускает процессы:
- crontab -l | grep -v \x27/var/tmp/systemd-private-f0fd406c1a484a80879a20681d9207ef-systemd-timesyncd.service-rlMSmi/DUdbXseC\x27 | crontab -
- grep -v /var/tmp/systemd-private-f0fd406c1a484a80879a20681d9207ef-systemd-timesyncd.service-rlMSmi/BcFmPPvD
- crontab -l | { cat; echo \x27*/2 * * * * /var/tmp/systemd-private-f0fd406c1a484a80879a20681d9207ef-systemd-timesyncd.service-rlMSmi/DUdbXseC\x27; } | crontab -
- lRHiNBUt
- crontab -l | grep -v \x27/var/tmp/systemd-private-f0fd406c1a484a80879a20681d9207ef-systemd-timesyncd.service-rlMSmi/BcFmPPvD\x27 | crontab -
- grep -v <SAMPLE_FULL_PATH>
- grep -v /var/tmp/7xA4xjMe
- crontab -l | grep -v \x27/root/7NYl0Ckn\x27 | crontab -
- 7xA4xjMe
- grep -v /var/tmp/NovRtBLN
- crontab -l | { cat; echo \x27*/2 * * * * /var/tmp/7xA4xjMe\x27; } | crontab -
- cat
- crontab -l | { cat; echo \x27*/2 * * * * /var/tmp/NovRtBLN\x27; } | crontab -
- crontab -l | grep -v \x27/var/tmp/systemd-private-f0fd406c1a484a80879a20681d9207ef-systemd-timesyncd.service-rlMSmi/xVX1EO6x\x27 | crontab -
- crontab -
- grep -v /var/tmp/systemd-private-f0fd406c1a484a80879a20681d9207ef-systemd-timesyncd.service-rlMSmi/lRHiNBUt
- crontab -l | { cat; echo \x27*/2 * * * * <SAMPLE_FULL_PATH>\x27; } | crontab -
- crontab -l
- DUdbXseC
- NovRtBLN
- xVX1EO6x
- crontab -l | { cat; echo \x27*/2 * * * * /root/7NYl0Ckn\x27; } | crontab -
- grep -v /var/tmp/systemd-private-f0fd406c1a484a80879a20681d9207ef-systemd-timesyncd.service-rlMSmi/xVX1EO6x
- grep -v /var/tmp/systemd-private-f0fd406c1a484a80879a20681d9207ef-systemd-timesyncd.service-rlMSmi/DUdbXseC
- w2GctkaEk70R1
- crontab -l | grep -v \x27/var/tmp/NovRtBLN\x27 | crontab -
- crontab -l | { cat; echo \x27*/2 * * * * /var/tmp/systemd-private-f0fd406c1a484a80879a20681d9207ef-systemd-timesyncd.service-rlMSmi/lRHiNBUt\x27; } | crontab -
- grep -v /root/7NYl0Ckn
- BcFmPPvD
- crontab -l | grep -v \x27/var/tmp/systemd-private-f0fd406c1a484a80879a20681d9207ef-systemd-timesyncd.service-rlMSmi/lRHiNBUt\x27 | crontab -
- crontab -l | grep -v \x27/var/tmp/7xA4xjMe\x27 | crontab -
- crontab -l | { cat; echo \x27*/2 * * * * /var/tmp/systemd-private-f0fd406c1a484a80879a20681d9207ef-systemd-timesyncd.service-rlMSmi/BcFmPPvD\x27; } | crontab -
- crontab -l | grep -v \x27<SAMPLE_FULL_PATH>\x27 | crontab -
- 7NYl0Ckn
- daemon
- uhLdjZ0X
- crontab -l | { cat; echo \x27*/2 * * * * /var/tmp/systemd-private-f0fd406c1a484a80879a20681d9207ef-systemd-timesyncd.service-rlMSmi/xVX1EO6x\x27; } | crontab -
Выполняет операции с файловой системой:
Модифицирует права доступа к файлам:
- /var/spool/cron/crontabs/tmp.s5ME4U
- /tmp/.ICE-unix/w2GctkaEk70R1
- /var/spool/cron/crontabs/tmp.TbeLWS
- /var/tmp/7xA4xjMe
- /var/spool/cron/crontabs/tmp.QqYiZf
- /var/spool/cron/crontabs/tmp.uja1Dz
- /var/spool/cron/crontabs/tmp.zZsRN3
- /var/spool/cron/crontabs/tmp.DkzkGt
- /var/spool/cron/crontabs/tmp.h20QRQ
- /var/tmp/systemd-private-f0fd406c1a484a80879a20681d9207ef-systemd-timesyncd.service-rlMSmi/BcFmPPvD
- /var/spool/cron/crontabs/tmp.WliaOZ
- /var/spool/cron/crontabs/tmp.k378Dk
- /var/spool/cron/crontabs/tmp.SjDoJJ
- /var/spool/cron/crontabs/tmp.QHX3x1
- /var/tmp/systemd-private-f0fd406c1a484a80879a20681d9207ef-systemd-timesyncd.service-rlMSmi/DUdbXseC
- /var/spool/cron/crontabs/tmp.DPCHrm
- /var/spool/cron/crontabs/tmp.LSI2xF
- /var/spool/cron/crontabs/tmp.OCJU5d
- /var/spool/cron/crontabs/tmp.BJAVuB
- /root/7NYl0Ckn
- /var/spool/cron/crontabs/tmp.8BLzL4
- /var/spool/cron/crontabs/tmp.iUdkFg
- /var/spool/cron/crontabs/tmp.GYXHwX
- /var/spool/cron/crontabs/tmp.99kK6g
- /var/tmp/systemd-private-f0fd406c1a484a80879a20681d9207ef-systemd-timesyncd.service-rlMSmi/xVX1EO6x
- /var/spool/cron/crontabs/tmp.xWkK9X
- /var/spool/cron/crontabs/tmp.kjoLg8
- /var/spool/cron/crontabs/tmp.YYtx0Q
- /var/spool/cron/crontabs/tmp.PKaiLa
- /var/tmp/NovRtBLN
- /var/spool/cron/crontabs/tmp.mvCfpq
- /var/spool/cron/crontabs/tmp.4chWKF
- /var/spool/cron/crontabs/tmp.PCZha9
- /var/spool/cron/crontabs/tmp.WitVTp
- /var/spool/cron/crontabs/tmp.irjoLR
- /var/tmp/systemd-private-f0fd406c1a484a80879a20681d9207ef-systemd-timesyncd.service-rlMSmi/lRHiNBUt
- /var/spool/cron/crontabs/tmp.jjHQW0
- /root/daemon
- /var/spool/cron/crontabs/tmp.msgCon
- /var/spool/cron/crontabs/tmp.2RS6yb
- /root/uhLdjZ0X
- /var/spool/cron/crontabs/tmp.NSh0qj
Создает или модифицирует файлы:
- /var/spool/cron/crontabs/tmp.s5ME4U
- /tmp/.ICE-unix/w2GctkaEk70R1
- /var/spool/cron/crontabs/tmp.TbeLWS
- /var/tmp/7xA4xjMe
- /var/tmp/systemd-private-f0fd406c1a484a80879a20681d9207ef-systemd-timesyncd.service-rlMSmi/db.data
- /var/spool/cron/crontabs/tmp.QqYiZf
- /var/spool/cron/crontabs/tmp.uja1Dz
- /var/spool/cron/crontabs/tmp.zZsRN3
- /root/config.json
- /var/spool/cron/crontabs/tmp.DkzkGt
- /var/spool/cron/crontabs/tmp.h20QRQ
- /var/tmp/systemd-private-f0fd406c1a484a80879a20681d9207ef-systemd-timesyncd.service-rlMSmi/BcFmPPvD
- /var/spool/cron/crontabs/tmp.k378Dk
- /var/spool/cron/crontabs/tmp.WliaOZ
- /var/spool/cron/crontabs/tmp.SjDoJJ
- /var/spool/cron/crontabs/tmp.QHX3x1
- /var/tmp/systemd-private-f0fd406c1a484a80879a20681d9207ef-systemd-timesyncd.service-rlMSmi/DUdbXseC
- /var/spool/cron/crontabs/tmp.DPCHrm
- /var/spool/cron/crontabs/tmp.LSI2xF
- /var/spool/cron/crontabs/tmp.OCJU5d
- /var/spool/cron/crontabs/tmp.BJAVuB
- /root/7NYl0Ckn
- /var/spool/cron/crontabs/tmp.8BLzL4
- /var/spool/cron/crontabs/tmp.iUdkFg
- /var/spool/cron/crontabs/tmp.GYXHwX
- /var/spool/cron/crontabs/tmp.99kK6g
- /var/tmp/systemd-private-f0fd406c1a484a80879a20681d9207ef-systemd-timesyncd.service-rlMSmi/xVX1EO6x
- /var/spool/cron/crontabs/tmp.xWkK9X
- /var/spool/cron/crontabs/tmp.kjoLg8
- /var/spool/cron/crontabs/tmp.YYtx0Q
- /var/spool/cron/crontabs/tmp.PKaiLa
- /var/tmp/NovRtBLN
- /var/spool/cron/crontabs/tmp.mvCfpq
- /var/spool/cron/crontabs/tmp.4chWKF
- /var/spool/cron/crontabs/tmp.PCZha9
- /var/spool/cron/crontabs/tmp.WitVTp
- /var/spool/cron/crontabs/tmp.irjoLR
- /var/tmp/systemd-private-f0fd406c1a484a80879a20681d9207ef-systemd-timesyncd.service-rlMSmi/lRHiNBUt
- /var/spool/cron/crontabs/tmp.jjHQW0
- /root/daemon
- /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages
- /var/spool/cron/crontabs/tmp.msgCon
- /var/spool/cron/crontabs/tmp.2RS6yb
- /root/uhLdjZ0X
- /var/spool/cron/crontabs/tmp.NSh0qj
Удаляет файлы:
- /var/tmp/7xA4xjMe
- /var/tmp/systemd-private-f0fd406c1a484a80879a20681d9207ef-systemd-timesyncd.service-rlMSmi/BcFmPPvD
- /var/tmp/systemd-private-f0fd406c1a484a80879a20681d9207ef-systemd-timesyncd.service-rlMSmi/DUdbXseC
- /root/7NYl0Ckn
- /var/tmp/systemd-private-f0fd406c1a484a80879a20681d9207ef-systemd-timesyncd.service-rlMSmi/xVX1EO6x
- /var/tmp/NovRtBLN
Изменяет время создания/доступа/модификации файлов:
- /var/spool/cron/crontabs
Сетевая активность:
Устанавливает соединение:
- 127.0.0.1:44444
- [:##]:44444
- 127.0.0.1:44443
- [:##]:44443
- 67.###.135.145:8000
- 19#.###.194.180:8000
- 1.#.#.1:8080
- 91.###.18.60:8000
Посылает данные следующим серверам:
- 67.###.135.145:8000
- 1.#.#.1:8080
- 91.###.18.60:8000
Получает данные от следующих серверов:
- 67.###.135.145:8000
- 1.#.#.1:8080
- 91.###.18.60:8000
Прочее:
Собирает информацию о CPU
Собирает информацию об оперативной памяти
