Trojan.SH.KAIJI.A

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Other System Modifications

This Trojan deletes the following files:

• /etc/id.services.conf
• /etc/32679
• /tmp/.img

Process Termination

This Trojan terminates the following processes if found running in the affected system's memory:

• process with PID 32679

Download Routine

This Trojan connects to the following website(s) to download and execute a malicious file:

• http://{BLOCKED}.{BLOCKED}.160.189/linux_arm
• http://{BLOCKED}.{BLOCKED}.18.221:808/808/linux_arm
• http://{BLOCKED}.{BLOCKED}.18.221:808/808/linux_amd64;

HOSTS File Modification

This Trojan modifies the system's HOSTS files to redirect users once the following Web site(s) are accessed:

• 9.9.9.9 www.{BLOCKED}6.com
• 9.9.9.9 www.{BLOCKED}rver.xyz
• 9.9.9.9 www.{BLOCKED}ot.xyz
• 9.9.9.9 www.{BLOCKED}1.com

Other Details

This Trojan deletes the following files to remove its traces in the system:

• Adds the following process to delete its traces:
  • rm -rf linux*;
  • rm -rf *.sh;
  • history -c;
  • cd /usr/bin; rm -rf whoami yes x86_64 perl touch apt* du head find last du stat who whami wget curl;
  • cd /bin/; rm -rf mv ps sleep touch ss mkdir dd cat chmod dir ip su sed ping* ls cp login sh sed rm rmdir gzip echo date ls dir pwd rm tar sh hostname dir cat bash; history -c;