Linux.Mokes
First posted on 22 January 2016.
Source: Symantec
Aliases :
There are no other names known for Linux.Mokes.
Explanation :
The Trojan requires GLIBC library version 2.14 or greater to be installed.
When the Trojan is executed, it copies itself to one of the following paths:
$path/.mozilla/firefox/profiled
$path/.dropbox/DropboxCache
The Trojan may install itself in the following location so that it persists even after reboot:
$HOME/.config/autostart/[RANDOM NAME].desktop
The Trojan may connect to one of the following locations using ports 80 and 443:
[http://]188.165.218.177/v[REMOVED]
[http://]kurgen3211a.com/v[REMOVED]
The Trojan takes screenshots at regular intervals and saves them to the following location:
/tmp/ss[RANDOM NUMBERS]-[TIME STAMP].sst
The Trojan may check the temporary folder and upload every file based on the following filters:
ss*.sst
kk*.kkt
aa*.aat
dd*.ddt
The Trojan may download and run an uninstaller from the following location:
/tmp/ccXXXXXX.exe
Last update 22 January 2016
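
A host check built from the indicators listed above, added here as an example and not part of the Symantec write-up: it reports capture files staged in the temporary folder, copies at either drop path, and autostart entries whose Exec= line points at a drop path. The function name scan and the treatment of $path as any directory under the user's home are assumptions.

```python
import fnmatch
import os
import re

# Indicators copied from the write-up; "$path" is not defined there, so the
# drop locations are matched as path suffixes anywhere under the home directory.
UPLOAD_FILTERS = ("ss*.sst", "kk*.kkt", "aa*.aat", "dd*.ddt")
DROP_SUFFIXES = ("/.mozilla/firefox/profiled", "/.dropbox/DropboxCache")
EXEC_RE = re.compile(
    r"(?:%s)(?=[\"'\s]|$)" % "|".join(re.escape(s) for s in DROP_SUFFIXES))


def scan(home, tmp="/tmp"):
    """Return sorted (indicator, path) leads for an analyst to review."""
    hits = []
    # 1. Capture files staged in the temporary folder before upload.
    if os.path.isdir(tmp):
        for name in os.listdir(tmp):
            if any(fnmatch.fnmatchcase(name, f) for f in UPLOAD_FILTERS):
                hits.append(("staged-file", os.path.join(tmp, name)))
    # 2. Copies of the binary at either drop location.
    for root, _dirs, files in os.walk(home):
        for name in files:
            full = os.path.join(root, name)
            if full.endswith(DROP_SUFFIXES):
                hits.append(("dropped-copy", full))
    # 3. Autostart entries: the file name is random, so inspect Exec= instead.
    autostart = os.path.join(home, ".config", "autostart")
    if os.path.isdir(autostart):
        for name in os.listdir(autostart):
            if not name.endswith(".desktop"):
                continue
            path = os.path.join(autostart, name)
            with open(path, errors="replace") as fh:
                execs = [l[5:].strip() for l in fh if l.startswith("Exec=")]
            if any(EXEC_RE.search(e) for e in execs):
                hits.append(("autostart-entry", path))
    return sorted(hits)


if __name__ == "__main__":
    for indicator, path in scan(os.path.expanduser("~")):
        print(f"{indicator}\t{path}")
```

Each hit is a lead to review, since the filename filters are short and an unrelated file in the temporary folder can match them.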