Trojan.SH.HADGLIDER.C
Publish Date: 05 Mai 2020
Plattform:
Linux
Risikobewertung (gesamt):
Schadenspotenzial::
Verteilungspotenzial::
reportedInfection:
live casino online L?sungen:
Niedrig
Mittel
Hoch
Kritisch
Malware-Typ:
Trojan
Zerstrerisch?:
Nein
Verschlsselt?:
In the wild::
Ja
?berblick
Infektionsweg: Aus dem Internet heruntergeladen
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Technische Details
Dateigr??e: 31,043 bytes
Dateityp: Other
Speicherresiden: Nein
Erste Muster erhalten am: 04 Mai 2020
Schadteil: Connects to URLs/IPs, Downloads files
?bertragungsdetails
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
Schleust die folgenden Dateien ein:
- proc/sys/kernel/nmi_watchdog
- /etc/sysctl.conf
Andere Details
Es macht Folgendes:
- Deletes the following user accounts:
- phishl00t
- aport
- openssl
- cokkokotre1
- akay
- vfinder
- Stops and disable the following services:
- cp.syshealt service
- watchdogd.service
- aliyun-service
- apparmor
- aliyun.service
- Terminates processes that contain the following strings:
- /usr/bin/nhcm
- kinsing
- kdevtmpfsi
- sysupdata
- sysguerd
- /bin/./xmrig
- "docker-cache"
- "donate-level"
- httpy
- pippip
- networkservics
- kswapd0
- "redis2"
- "sysupdate"
- "networkservice"
- "sysguard"
- "update.sh"
- "kswap_svc"
- "masscan"
- "hping3"
- /usr/sbin/agentty
- aliyun-service
- ':3333'
- ':5555'
- 'kworker -c\'
- 'log_'
- 'systemten'
- 'netns'
- 'voltuned'
- 'darwin'
- '/tmp/dl'
- '/tmp/pprt'
- '/tmp/ppol'
- '/tmp/65ccE*'
- '/tmp/jmx*'
- '/tmp/2Ne80*'
- 'IOFoqIgyC0zmf2UR'
- '45.76.122.92'
- '51.38.191.178'
- '51.15.56.161'
- '86s.jpg'
- 'aGTSGJJp'
- 'nMrfmnRa'
- 'PuNY5tm2'
- 'I0r8Jyyt'
- 'AgdgACUD'
- 'uiZvwxG8'
- 'hahwNEdB'
- 'BtwXn5qH'
- '3XEzey2T'
- 't2tKrCSZ'
- 'HD7fcBgg'
- 'zXcDajSs'
- '3lmigMo'
- 'AkMK4A2'
- 'AJ2AkKe'
- 'HiPxCJRS'
- 'http_0xCC030'
- 'http_0xCC031'
- 'http_0xCC032'
- 'http_0xCC033'
- "C4iLM4L"
- 'aziplcr72qjhzvin'
- '/boot/vmlinuz'
- "i4b503a52cc5"
- "dgqtrcst23rtdi3ldqk322j2"
- "2g0uv7npuhrlatd"
- "nqscheduler"
- "rkebbwgqpl4npmm"
- "2fhtu70teuhtoh78jc5s"
- "0kwti6ut420t"
- "44ct7udt0patws3agkdfqnjm"
- "\[^"
- "rsync"
- "watchd0g"
- "158.69.133.18:8220"
- "/tmp/java"
- 'gitee.com'
- '/tmp/java'
- '104.248.4.162'
- '89.35.39.78'
- '/dev/shm/z3.sh'
- 'kthrotlds'
- 'ksoftirqds'
- 'netdns'
- 'watchdogs'
- "sync_supers"
- "cpuset"
- '/tmp/l.sh'
- '/tmp/zmcat'
- 'hahwNEdB'
- 'CnzFVPLF'
- 'CvKzzZLs'
- 'aziplcr72qjhzvin'
- '/tmp/udevd'
- 'KCBjdXJsIC1vIC0gaHR0cDovLzg5LjIyMS41Mi4xMjIvcy5zaCApIHwgYmFzaCA'
- 'Y3VybCAtcyBodHRwOi8vMTA3LjE3NC40Ny4xNTYvbXIuc2ggfCBiYXNoIC1zaAo'
- 'sustse'
- 'sustse3'
- 'mr.sh'
- 'mr.sh'
- '2mr.sh'
- '2mr.sh'
- 'cr5.sh'
- 'cr5.sh'
- 'logo9.jpg'
- 'logo9.jpg'
- 'j2.conf'
- 'luk-cpu'
- 'luk-cpu'
- 'ficov'
- 'ficov'
- 'he.sh'
- 'he.sh'
- 'miner.sh'
- 'miner.sh'
- 'nullcrew'
- 'nullcrew'
- '107.174.47.156'
- '83.220.169.247'
- '51.38.203.146'
- '144.217.45.45'
- '107.174.47.181'
- '176.31.6.16'
- "mine.moneropool.com"
- "pool.t00ls.ru"
- "xmr.crypto-pool.fr:8080"
- "xmr.crypto-pool.fr:3333"
- "zhuabcn@yahoo.com"
- "monerohash.com"
- "/tmp/a7b104c270"
- "xmr.crypto-pool.fr:6666"
- "xmr.crypto-pool.fr:7777"
- "xmr.crypto-pool.fr:443"
- "stratum.f2pool.com:8888"
- "xmrpool.eu"
- monerohash
- L2Jpbi9iYXN
- xzpauectgr
- slxfbkmxtd
- mixtape
- addnj
- 200.68.17.196
- IyEvYmluL3NoCgpzUG
- KHdnZXQgLXFPLSBodHRw
- FEQ3eSp8omko5nx9e97hQ39NS3NMo6rxVQS3
- Y3VybCAxOTEuMTAxLjE4MC43Ni9saW4udHh0IHxzaAo
- mwyumwdbpq.conf
- honvbsasbf.conf
- mqdsflm.cf
- stratum
- lower.sh
- ./ppp
- cryptonight
- ./seervceaess
- ./servceaess
- ./servceas
- ./servcesa
- ./vsp
- ./jvs
- ./pvv
- ./vpp
- ./pces
- ./rspce
- ./haveged
- ./jiba
- ./watchbog
- ./A7mA5gb
- kacpi_svc
- kswap_svc
- kauditd_svc
- kpsmoused_svc
- kseriod_svc
- kthreadd_svc
- ksoftirqd_svc
- kintegrityd_svc
- jawa
- oracle.jpg
- 45cToD1FzkjAxHRBhYKKLg5utMGEN
- 188.209.49.54
- 181.214.87.241
- etnkFgkKMumdqhrqxZ6729U7bY8pzRjYzGbXa5sDQ
- 47TdedDgSXjZtJguKmYqha4sSrTvoPXnrYQEq2Lbj
- etnkP9UjR55j9TKyiiXWiRELxTS51FjU9e1UapXyK
- servim
- kblockd_svc
- native_svc
- ynn
- 65ccEJ7
- jmxx
- 2Ne80nA
- sysstats
- systemxlv
- watchbog
- OIcJi1m
- biosetjenkins
- Loopback
- apaceha
- cryptonight
- stratum
- mixnerdx
- performedl
- JnKihGjn
- irqba2anc1
- irqba5xnc1
- irqbnc1
- ir29xc1
- conns
- irqbalance
- crypto-pool
- XJnRj
- mgwsl
- pythno
- jweri
- lx26
- NXLAi
- BI5zj
- askdljlqw
- minerd
- minergate
- Guard.sh
- ysaydh
- bonns
- donns
- kxjd
- Duck.sh
- bonn.sh
- conn.sh
- kworker34
- kw.sh
- pro.sh
- polkitd
- acpid
- icb5o
- nopxi
- irqbalanc1
- minerd
- i586
- gddr
- mstxmr
- ddg.2011
- wnTKYg
- deamon
- disk_genius
- sourplum
- polkitd
- nanoWatch
- zigw
- devtool
- devtools
- systemctI
- watchbog
- cryptonight
- sustes
- xmrig
- xmrig-cpu
- 121.42.151.137
- sysguard
- networkservice
- sysupdate
- init12.cfg
- nginxk
- tmp/wc.conf
- xmrig-notls
- xmr-stak
- suppoie
- zer0day.ru
- dbus-daemon--system
- nullcrew
- systemctI
- kworkerds
- init10.cfg
- /wl.conf
- crond64
- sustse
- vmlinuz
- exin
- apachiii
- "pocosow"
- "gakeaws"
- "azulu"
- "auto"
- "xmr"
- "mine"
- "monero"
- "slowhttp"
- "bash.shell"
- "entrypoint.sh"
- "/var/sbin/bash"
- Deletes the following directories:
- /var/log/syslog
- /usr/bin/watchdogd
- /usr/bin/xmrigMiner
- /var/tmp
- /var/tmp/*
- /tmp/.*
- /tmp/*
- /root/kinsing
- /tmp/kinsing
- /etc/kinsing
- /root/kdevtmpfsi
- /tmp/kdevtmpfsi
- /etc/kdevtmpfsi
- /bin/./xmrig
- /etc/cron.d/COVID19*
- /etc/cron.d/SARScov2*
- /etc/cron.hourly/COVID19*
- /etc/cron.hourly/SARScov2*
- /var/spool/cron/COVID19*
- /var/spool/cron/SARScov2*
- /var/spool/cron/crontabs/SARScov2*
- /var/spool/cron/crontabs/COVID19*
- /usr/daemon.json
- /tmp/addres*
- /tmp/walle*
- /tmp/keys
- /usr/bin/config.json
- /usr/bin/exin
- /tmp/wc.conf
- /tmp/log_rot
- /tmp/apachiii
- /tmp/sustse
- /tmp/php
- /tmp/p2.conf
- /tmp/pprt
- /tmp/ppol
- /tmp/javax/config.sh
- /tmp/javax/sshd2
- /tmp/.profile
- /tmp/1.so
- /tmp/kworkerds
- /tmp/kworkerds3
- /tmp/kworkerdssx
- /tmp/xd.json
- /tmp/syslogd
- /tmp/syslogdb
- /tmp/65ccEJ7
- /tmp/jmxx
- /tmp/2Ne80nA
- /tmp/dl
- /tmp/ddg
- /tmp/systemxlv
- /tmp/systemctI
- /tmp/.abc
- /tmp/osw.hb
- /tmp/.tmpleve
- /tmp/.tmpnewzz
- /tmp/.java
- /tmp/.omed
- /tmp/.tmpc
- /tmp/.tmpleve
- /tmp/.tmpnewzz
- /tmp/gates.lod
- /tmp/conf.n
- /tmp/update.sh
- /tmp/devtool
- /tmp/devtools
- /tmp/fs
- /tmp/.rod
- /tmp/.rod.tgz
- /tmp/.rod.tgz.1
- /tmp/.rod.tgz.2
- /tmp/.mer
- /tmp/.mer.tgz
- /tmp/.mer.tgz.1
- /tmp/.hod
- /tmp/.hod.tgz
- /tmp/.hod.tgz.1
- /tmp/84Onmce
- /tmp/C4iLM4L
- /tmp/lilpip
- /tmp/3lmigMo
- /tmp/am8jmBP
- /tmp/tmp.txt
- /tmp/baby
- /tmp/.lib
- /tmp/systemd
- /tmp/lib.tar.gz
- /tmp/baby
- /tmp/java
- /tmp/j2.conf
- /tmp/.mynews1234
- /tmp/a3e12d
- /tmp/.pt
- /tmp/.pt.tgz
- /tmp/.pt.tgz.1
- /tmp/go
- /tmp/java
- /tmp/j2.conf
- /tmp/.tmpnewasss
- /tmp/java
- /tmp/go.sh
- /tmp/go2.sh
- /tmp/khugepageds
- /tmp/.censusqqqqqqqqq
- /tmp/.kerberods
- /tmp/kerberods
- /tmp/seasame
- /tmp/touch
- /tmp/.p
- /tmp/runtime2.sh
- /tmp/runtime.sh
- /dev/shm/z3.sh
- /dev/shm/z2.sh
- /dev/shm/.scr
- /dev/shm/.kerberods
- /etc/ld.so.preload
- /usr/local/lib/libioset.so
- /etc/ld.so.preload
- /usr/local/lib/libioset.so
- /tmp/watchdogs
- /etc/cron.d/tomcat
- /etc/rc.d/init.d/watchdogs
- /usr/sbin/watchdogs
- /tmp/kthrotlds
- /etc/rc.d/init.d/kthrotlds
- /tmp/.sysbabyuuuuu12
- /tmp/logo9.jpg
- /tmp/miner.sh
- /tmp/nullcrew
- /tmp/proc
- /tmp/2.sh
- /opt/atlassian/confluence/bin/1.sh
- /opt/atlassian/confluence/bin/1.sh.1
- /opt/atlassian/confluence/bin/1.sh.2
- /opt/atlassian/confluence/bin/1.sh.3
- /opt/atlassian/confluence/bin/3.sh
- /opt/atlassian/confluence/bin/3.sh.1
- /opt/atlassian/confluence/bin/3.sh.2
- /opt/atlassian/confluence/bin/3.sh.3
- /var/tmp/f41
- /var/tmp/2.sh
- /var/tmp/config.json
- /var/tmp/xmrig
- /var/tmp/1.so
- /var/tmp/kworkerds3
- /var/tmp/kworkerdssx
- /var/tmp/kworkerds
- /var/tmp/wc.conf
- /var/tmp/nadezhda.
- /var/tmp/nadezhda.arm
- /var/tmp/nadezhda.arm.1
- /var/tmp/nadezhda.arm.2
- /var/tmp/nadezhda.x86_64
- /var/tmp/nadezhda.x86_64.1
- /var/tmp/nadezhda.x86_64.2
- /var/tmp/sustse3
- /var/tmp/sustse
- /var/tmp/moneroocean/
- /var/tmp/devtool
- /var/tmp/devtools
- /var/tmp/play.sh
- /var/tmp/systemctI
- /var/tmp/update.sh
- /var/tmp/.java
- /var/tmp/1.sh
- /var/tmp/conf.n
- /var/tmp/lib
- /var/tmp/.lib
- /tmp/config.json
- /tmp/lok
- "pocosow"
- "gakeaws"
- "buster-slim"
- "hello-"
- "azulu"
- "registry"
- "xmr"
- "auto"
- "mine"
- "monero"
- "slowhttp"
- aegis
- Yun
- /usr/local/aegis
- Terminates the following connections:
- 185.71.65.238
- 140.82.52.87
- 46.243.253.15
- 176.31.6.16
- 108.174.197.76
- 192.236.161.6
- :443
- :23
- :443
- :143
- :2222
- :3333
- :3389
- :4444
- :5555
- :6666
- :6665
- :6667
- :7777
- :8444
- :3347
- :14444
- :14433
- :13531
L?sungen
Mindestversion der Scan Engine: 9.850
Erste VSAPI Pattern-Datei: 15.850.01
Erste VSAPI Pattern ver?ffentlicht am: 05 Mai 2020
VSAPI OPR Pattern-Version: 15.851.00
VSAPI OPR Pattern ver?ffentlicht am: 06 Mai 2020
Durchsuchen Sie Ihren Computer mit Ihrem live casino online Produkt, und l?schen Sie Dateien, die als Trojan.SH.HADGLIDER.C entdeckt werden. Falls die entdeckten Dateien bereits von Ihrem live casino online Produkt ges?ubert, gel?scht oder in Quarant?ne verschoben wurden, sind keine weiteren Schritte erforderlich. Dateien in Quarant?ne k?nnen einfach gel?scht werden. Auf dieser finden Sie weitere Informationen.
Nehmen Sie an unserer Umfrage teil