Coinminer.SH.MALXMR.ATNP

Finalización del proceso

Finaliza los procesos siguientes si detecta que se ejecutan en la memoria del sistema afectado:

• processes with the following strings in its command:
  
  • {BLOCKED}.moneropool.com
  • {BLOCKED}.t00ls.ru
  • {BLOCKED}.crypto-pool.fr:8080
  • {BLOCKED}.crypto-pool.fr:3333
  • {BLOCKED}bcn@yahoo.com
  • {BLOCKED}hash.com
  • /tmp/a7b104c270
  • {BLOCKED}.crypto-pool.fr:6666
  • {BLOCKED}.crypto-pool.fr:7777
  • {BLOCKED}.crypto-pool.fr:443
  • {BLOCKED}.f2pool.com:8888
  • {BLOCKED}ool.eu
  • xiaoyao
  • xiaoxue
  • stratum
• processes with process name:
  
  • jenkins
  • {digit numbers} -c
  • biosetjenkins
  • Loopback
  • apaceha
  • cryptonight
  • stratum
  • mixnerdx
  • performedl
  • JnKihGjn
  • irqba2anc1
  • irqba5xnc1
  • irqbnc1
  • ir29xc1
  • conns
  • irqbalance
  • crypto-pool
  • minexmr
  • XJnRj
  • mgwsl
  • pythno
  • jweri
  • lx26
  • NXLAi
  • BI5zj
  • askdljlqw
  • minerd
  • minergate
  • Guard.sh
  • ysaydh
  • bonns
  • donns
  • kxjd
  • Duck.sh
  • bonn.sh
  • conn.sh
  • kworker34
  • kw.sh
  • pro.sh
  • polkitd
  • acpid
  • icb5o
  • nopxi
  • irqbalanc1
  • minerd
  • i586
  • gddr
  • mstxmr
  • ddg.2011
  • wnTKYg
  • deamon
  • disk_genius
  • sourplum
  • polkitd
  • nanoWatch
  • zigw
• processes found in /tmp or with more than 40% cpu usage and does not contain any of the following in its command line:
  
  • devtool
  • update.sh
  • systemctI

Rutina de descarga

Accede a los siguientes sitios Web para descargar archivos:

• http://{BLOCKED}.{BLOCKED}.70.143:8506/IOFoqIgyC0zmf2UR/config.json

Guarda los archivos que descarga con los nombres siguientes:

• /etc/config.json or /tmp/config.json -> config for Coinminer.Linux.MALXMR.UWEIS
• /etc/devtool or /tmp/devtool -> detected as Coinminer.Linux.MALXMR.UWEIS
• /etc/systemctI or /tmp/systemctI -> detected as Trojan.Linux.GOSCAN.AA