"It looks for a value of #Dogecoins sent out from an attacker-controlled 'hardcoded wallet address.'

The first 12 hex characters from a SHA256 digest of this value will serve as the C2 domain address hosted on DynDNS"...

https://www.bleepingcomputer.com/news/security/sneaky-doki-linux-malware-infiltrates-docker-cloud-instances/