960cb322998f273c7c30ea05f58284a5bf749dc32240d1ecbe533b091148a44a

General

Target

960cb322998f273c7c30ea05f58284a5bf749dc32240d1ecbe533b091148a44a
Size

1.1MB
MD5

fba111160d27811f538ffcee8eb0c1b7
SHA1

629f9828d8f88197e528a49390f478aecdcd1f08
SHA256

960cb322998f273c7c30ea05f58284a5bf749dc32240d1ecbe533b091148a44a
SHA512

43aef2b5ec18cf13757b5ed79f667f5b941d298687215fdf482456be77e093812e91be2471031c88688b88c56d9afee73641d472a404d90d856cadcc66009fe0

Score

7^/10

persistence

Malware Config

Signatures

Modifies init.d 1 TTPs 2 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

rmrm

description ioc process

/etc/init.d/IptabLex /etc/init.d/IptabLex rm
/etc/init.d/IptabLes /etc/init.d/IptabLes rm

description	ioc	process
/etc/init.d/IptabLex	/etc/init.d/IptabLex	rm
/etc/init.d/IptabLes	/etc/init.d/IptabLes	rm

Modifies rc script 1 TTPs 22 IoCs

Adding/modifying system rc scripts is a common persistence mechanism.

persistence

Boot or Logon Autostart Execution

T1547

Processes:

rmrmrmrmrmrmrmrmrmrmrmrmrmrm

description	ioc
/etc/rc5.d/S55IptabLes	/etc/rc5.d/S55IptabLes
/etc/rc2.d/*IptabLex	/etc/rc2.d/*IptabLex	rm
/etc/rc3.d/*IptabLex	/etc/rc3.d/*IptabLex	rm
/etc/rc5.d/*IptabLex	/etc/rc5.d/*IptabLex	rm
/etc/rc2.d/S55IptabLex	/etc/rc2.d/S55IptabLex
/etc/rc5.d/S55IptabLex	/etc/rc5.d/S55IptabLex
/etc/rc4.d/S55IptabLex	/etc/rc4.d/S55IptabLex
/etc/rc4.d/*IptabLex	/etc/rc4.d/*IptabLex	rm
/etc/rc4.d/*IptabLes	/etc/rc4.d/*IptabLes	rm
/etc/rc0.d/*IptabLex	/etc/rc0.d/*IptabLex	rm
/etc/rc6.d/*IptabLes	/etc/rc6.d/*IptabLes	rm
/etc/rc3.d/S55IptabLes	/etc/rc3.d/S55IptabLes
/etc/rc5.d/*IptabLes	/etc/rc5.d/*IptabLes	rm
/etc/rc6.d/*IptabLex	/etc/rc6.d/*IptabLex	rm
/etc/rc2.d/S55IptabLes	/etc/rc2.d/S55IptabLes
/etc/rc1.d/*IptabLex	/etc/rc1.d/*IptabLex	rm
/etc/rc1.d/*IptabLes	/etc/rc1.d/*IptabLes	rm
/etc/rc2.d/*IptabLes	/etc/rc2.d/*IptabLes	rm
/etc/rc3.d/*IptabLes	/etc/rc3.d/*IptabLes	rm
/etc/rc0.d/*IptabLes	/etc/rc0.d/*IptabLes	rm
/etc/rc3.d/S55IptabLex	/etc/rc3.d/S55IptabLex
/etc/rc4.d/S55IptabLes	/etc/rc4.d/S55IptabLes

Reads CPU attributes 1 TTPs 24 IoCs

System Information Discovery

T1082

Processes:

pspspskillpskillpspskillpspskillpskillpspspspskillkillkillpspsps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

pspspspspspspspspspspspspspspsps

description	ioc	process
/proc/165/status	/proc/165/status	ps
/proc/157/stat	/proc/157/stat	ps
/proc/155/stat	/proc/155/stat	ps
/proc/19/status	/proc/19/status	ps
/proc/1/cmdline	/proc/1/cmdline	ps
/proc/83/stat	/proc/83/stat	ps
/proc/309/stat	/proc/309/stat	ps
/proc/12/stat	/proc/12/stat	ps
/proc/127/stat	/proc/127/stat	ps
/proc/612/cmdline	/proc/612/cmdline	ps
/proc/27/status	/proc/27/status	ps
/proc/17/status	/proc/17/status	ps
/proc/18/stat	/proc/18/stat	ps
/proc/10/stat	/proc/10/stat	ps
/proc/16/cmdline	/proc/16/cmdline	ps
/proc/26/cmdline	/proc/26/cmdline	ps
/proc/158/cmdline	/proc/158/cmdline	ps
/proc/332/stat	/proc/332/stat	ps
/proc/584/status	/proc/584/status	ps
/proc/643/cmdline	/proc/643/cmdline	ps
/proc/156/status	/proc/156/status	ps
/proc/7/cmdline	/proc/7/cmdline	ps
/proc/8/status	/proc/8/status	ps
/proc/332/cmdline	/proc/332/cmdline	ps
/proc/584/stat	/proc/584/stat	ps
/proc/89/status	/proc/89/status	ps
/proc/160/stat	/proc/160/stat	ps
/proc/98/cmdline	/proc/98/cmdline	ps
/proc/154/cmdline	/proc/154/cmdline	ps
/proc/161/cmdline	/proc/161/cmdline	ps
/proc/98/cmdline	/proc/98/cmdline	ps
/proc/334/cmdline	/proc/334/cmdline	ps
/proc/81/stat	/proc/81/stat	ps
/proc/604/cmdline	/proc/604/cmdline	ps
/proc/156/stat	/proc/156/stat	ps
/proc/12/cmdline	/proc/12/cmdline	ps
/proc/24/stat	/proc/24/stat	ps
/proc/36/stat	/proc/36/stat	ps
/proc/578/status	/proc/578/status	ps
/proc/170/stat	/proc/170/stat	ps
/proc/6/cmdline	/proc/6/cmdline	ps
/proc/18/stat	/proc/18/stat	ps
/proc/332/stat	/proc/332/stat	ps
/proc/32/status	/proc/32/status	ps
/proc/634/stat	/proc/634/stat	ps
/proc/422/cmdline	/proc/422/cmdline	ps
/proc/115/status	/proc/115/status	ps
/proc/164/cmdline	/proc/164/cmdline	ps
/proc/160/cmdline	/proc/160/cmdline	ps
/proc/156/cmdline	/proc/156/cmdline	ps
/proc/24/cmdline	/proc/24/cmdline	ps
/proc/599/status	/proc/599/status	ps
/proc/636/stat	/proc/636/stat	ps
/proc/7/cmdline	/proc/7/cmdline	ps
/proc/85/stat	/proc/85/stat	ps
/proc/10/stat	/proc/10/stat	ps
/proc/350/cmdline	/proc/350/cmdline	ps
/proc/17/status	/proc/17/status	ps
/proc/32/cmdline	/proc/32/cmdline	ps
/proc/17/stat	/proc/17/stat	ps
/proc/160/cmdline	/proc/160/cmdline	ps
/proc/155/status	/proc/155/status	ps
/proc/252/status	/proc/252/status	ps
/proc/193/stat	/proc/193/stat	ps

Writes file to tmp directory 6 IoCs

Malware often drops required files in the /tmp directory.

Processes:

cpcprmrmrmrm

description	ioc	process
/tmp/960cb322998f273c7c30ea05f58284a5bf749dc32240d1ecbe533b091148a44a	/tmp/960cb322998f273c7c30ea05f58284a5bf749dc32240d1ecbe533b091148a44a	cp
/tmp/960cb322998f273c7c30ea05f58284a5bf749dc32240d1ecbe533b091148a44aBCfWrED	/tmp/960cb322998f273c7c30ea05f58284a5bf749dc32240d1ecbe533b091148a44aBCfWrED	cp
/tmp/960cb322998f273c7c30ea05f58284a5bf749dc32240d1ecbe533b091148a44a	/tmp/960cb322998f273c7c30ea05f58284a5bf749dc32240d1ecbe533b091148a44a	rm
/tmp/960cb322998f273c7c30ea05f58284a5bf749dc32240d1ecbe533b091148a44aBCfWrED	/tmp/960cb322998f273c7c30ea05f58284a5bf749dc32240d1ecbe533b091148a44aBCfWrED	rm
/tmp/IptabLex	/tmp/IptabLex	rm
/tmp/IptabLes	/tmp/IptabLes	rm

./960cb322998f273c7c30ea05f58284a5bf749dc32240d1ecbe533b091148a44a
./960cb322998f273c7c30ea05f58284a5bf749dc32240d1ecbe533b091148a44a
1⤵
PID:571

/bin/sh
sh -c /tmp/960cb322998f273c7c30ea05f58284a5bf749dc32240d1ecbe533b091148a44aBCfWrED
2⤵
PID:572

/tmp/960cb322998f273c7c30ea05f58284a5bf749dc32240d1ecbe533b091148a44aBCfWrED
/tmp/960cb322998f273c7c30ea05f58284a5bf749dc32240d1ecbe533b091148a44aBCfWrED
3⤵
PID:573

/bin/sh
sh -c "/delallmykkks>/dev/null"
1⤵
PID:580

/delallmykkks
/delallmykkks
2⤵
PID:581

/usr/bin/awk
awk "{print \$3}"
3⤵
PID:589

/bin/ps
ps -f -C .IptabLex
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:586

/usr/bin/xargs
xargs /delallmykkks 2
3⤵
PID:592

/delallmykkks
/delallmykkks 2
4⤵
PID:594

/bin/grep
grep .IptabLex
3⤵
PID:588

/bin/grep
grep .IptabLex
3⤵
PID:599

/bin/ps
ps -f -C .IptabLex
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:596

/usr/bin/awk
awk "{print \$3}"
3⤵
PID:600

/usr/bin/xargs
xargs /delallmykkks 2
3⤵
PID:602

/delallmykkks
/delallmykkks 2
4⤵
PID:609

/bin/grep
grep .IptabLex
3⤵
PID:612

/bin/ps
ps -f -C .IptabLex
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:610

/usr/bin/awk
awk "{print \$2}"
3⤵
PID:614

/usr/bin/xargs
xargs /delallmykkks 2
3⤵
PID:616

/delallmykkks
/delallmykkks 2
4⤵
PID:618

/bin/grep
grep .IptabLex
3⤵
PID:622

/bin/ps
ps -f -C .IptabLex
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:620

/usr/bin/xargs
xargs /delallmykkks 2
3⤵
PID:626

/delallmykkks
/delallmykkks 2
4⤵
PID:628

/usr/bin/awk
awk "{print \$2}"
3⤵
PID:624

/bin/grep
grep .IptabLex
3⤵
PID:631

/bin/ps
ps -axu
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:630

/usr/bin/awk
awk "{print \$2}"
3⤵
PID:633

/usr/bin/xargs
xargs kill -9
3⤵
PID:635

/usr/local/sbin/kill
kill -9 631
4⤵
PID:638

/usr/local/bin/kill
kill -9 631
4⤵
PID:638

/usr/sbin/kill
kill -9 631
4⤵
PID:638

/usr/bin/kill
kill -9 631
4⤵
PID:638

/sbin/kill
kill -9 631
4⤵
PID:638

/bin/kill
kill -9 631
4⤵
- Reads CPU attributes
PID:638

/bin/ps
ps -axu
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:640

/bin/grep
grep .IptabLex
3⤵
PID:641

/usr/bin/awk
awk "{print \$2}"
3⤵
PID:643

/usr/bin/xargs
xargs kill -9
3⤵
PID:647

/usr/local/sbin/kill
kill -9 641
4⤵
PID:649

/usr/local/bin/kill
kill -9 641
4⤵
PID:649

/usr/sbin/kill
kill -9 641
4⤵
PID:649

/usr/bin/kill
kill -9 641
4⤵
PID:649

/sbin/kill
kill -9 641
4⤵
PID:649

/bin/kill
kill -9 641
4⤵
- Reads CPU attributes
PID:649

/usr/bin/xargs
xargs kill -9
3⤵
PID:652

/usr/local/sbin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:654

/usr/local/bin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:654

/usr/sbin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:654

/usr/bin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:654

/sbin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:654

/bin/kill
kill -9 PID TTY TIME CMD
4⤵
- Reads CPU attributes
PID:654

/bin/ps
ps -C .IptabLex
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:650

/usr/bin/xargs
xargs kill -9
3⤵
PID:658

/usr/local/sbin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:661

/usr/local/bin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:661

/usr/sbin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:661

/usr/bin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:661

/sbin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:661

/bin/kill
kill -9 PID TTY TIME CMD
4⤵
- Reads CPU attributes
PID:661

/bin/ps
ps -C .IptabLex
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:657

/bin/rm
rm -f /boot/.stabip
3⤵
PID:663

/bin/rm
rm -f /boot/.IptabLex
3⤵
PID:664

/bin/rm
rm -f /etc/rc.d/init.d/IptabLex
3⤵
PID:666

/bin/rm
rm -f /boot/IptabLex
3⤵
PID:668

/bin/rm
rm -f /tmp/IptabLex
3⤵
- Writes file to tmp directory
PID:670

/bin/rm
rm -f /usr/IptabLex
3⤵
PID:672

/bin/rm
rm -f /usr/.IptabLex
3⤵
PID:674

/bin/rm
rm -f /boot/.IptabLex
3⤵
PID:676

/bin/rm
rm -f /.IptabLex
3⤵
PID:679

/bin/rm
rm -f /boot/IptabLex
3⤵
PID:681

/bin/rm
rm -f /IptabLex
3⤵
PID:683

/bin/rm
rm -f "/etc/rc.d/rc4.d/*IptabLex"
3⤵
PID:685

/bin/rm
rm -f "/etc/rc.d/rc1.d/*IptabLex"
3⤵
PID:687

/bin/rm
rm -f "/etc/rc.d/rc2.d/*IptabLex"
3⤵
PID:689

/bin/rm
rm -f "/etc/rc.d/rc3.d/*IptabLex"
3⤵
PID:691

/bin/rm
rm -f "/etc/rc.d/rc0.d/*IptabLex"
3⤵
PID:693

/bin/rm
rm -f "/etc/rc.d/rc5.d/*IptabLex"
3⤵
PID:695

/bin/rm
rm -f "/etc/rc.d/rc6.d/*IptabLex"
3⤵
PID:697

/bin/rm
rm -f /etc/init.d/IptabLex
3⤵
- Modifies init.d
PID:699

/bin/rm
rm -f "/etc/rc4.d/*IptabLex"
3⤵
- Modifies rc script
PID:702

/bin/rm
rm -f "/etc/rc1.d/*IptabLex"
3⤵
- Modifies rc script
PID:703

/bin/rm
rm -f "/etc/rc2.d/*IptabLex"
3⤵
- Modifies rc script
PID:705

/bin/rm
rm -f "/etc/rc3.d/*IptabLex"
3⤵
- Modifies rc script
PID:707

/bin/rm
rm -f "/etc/rc0.d/*IptabLex"
3⤵
- Modifies rc script
PID:709

/bin/rm
rm -f "/etc/rc5.d/*IptabLex"
3⤵
- Modifies rc script
PID:711

/bin/rm
rm -f "/etc/rc6.d/*IptabLex"
3⤵
- Modifies rc script
PID:713

/bin/rm
rm -rf /delallmykkks
3⤵
PID:715

/bin/sh
sh -c "/delallmykkk>/dev/null"
1⤵
PID:584

/delallmykkk
/delallmykkk
2⤵
PID:585

/bin/ps
ps -f -C .IptabLes
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:587

/bin/grep
grep .IptabLes
3⤵
PID:590

/usr/bin/awk
awk "{print \$3}"
3⤵
PID:591

/usr/bin/xargs
xargs /delallmykkk 2
3⤵
PID:593

/delallmykkk
/delallmykkk 2
4⤵
PID:595

/bin/ps
ps -f -C .IptabLes
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:597

/bin/grep
grep .IptabLes
3⤵
PID:598

/usr/bin/awk
awk "{print \$3}"
3⤵
PID:601

/usr/bin/xargs
xargs /delallmykkk 2
3⤵
PID:603

/delallmykkk
/delallmykkk 2
4⤵
PID:608

/bin/ps
ps -f -C .IptabLes
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:611

/bin/grep
grep .IptabLes
3⤵
PID:613

/usr/bin/xargs
xargs /delallmykkk 2
3⤵
PID:617

/delallmykkk
/delallmykkk 2
4⤵
PID:619

/usr/bin/awk
awk "{print \$2}"
3⤵
PID:615

/bin/ps
ps -f -C .IptabLes
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:621

/usr/bin/awk
awk "{print \$2}"
3⤵
PID:625

/bin/grep
grep .IptabLes
3⤵
PID:623

/usr/bin/xargs
xargs /delallmykkk 2
3⤵
PID:627

/delallmykkk
/delallmykkk 2
4⤵
PID:629

/bin/grep
grep .IptabLes
3⤵
PID:634

/bin/ps
ps -axu
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:632

/usr/bin/awk
awk "{print \$2}"
3⤵
PID:636

/usr/bin/xargs
xargs kill -9
3⤵
PID:637

/usr/local/sbin/kill
kill -9 634
4⤵
PID:639

/usr/local/bin/kill
kill -9 634
4⤵
PID:639

/usr/sbin/kill
kill -9 634
4⤵
PID:639

/usr/bin/kill
kill -9 634
4⤵
PID:639

/sbin/kill
kill -9 634
4⤵
PID:639

/bin/kill
kill -9 634
4⤵
- Reads CPU attributes
PID:639

/bin/grep
grep .IptabLes
3⤵
PID:644

/usr/bin/awk
awk "{print \$2}"
3⤵
PID:645

/usr/bin/xargs
xargs kill -9
3⤵
PID:646

/usr/local/sbin/kill
kill -9 644
4⤵
PID:648

/usr/local/bin/kill
kill -9 644
4⤵
PID:648

/usr/sbin/kill
kill -9 644
4⤵
PID:648

/usr/bin/kill
kill -9 644
4⤵
PID:648

/sbin/kill
kill -9 644
4⤵
PID:648

/bin/kill
kill -9 644
4⤵
- Reads CPU attributes
PID:648

/bin/ps
ps -axu
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:642

/usr/bin/xargs
xargs kill -9
3⤵
PID:653

/usr/local/sbin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:655

/usr/local/bin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:655

/usr/sbin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:655

/usr/bin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:655

/sbin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:655

/bin/kill
kill -9 PID TTY TIME CMD
4⤵
- Reads CPU attributes
PID:655

/bin/ps
ps -C .IptabLes
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:651

/bin/grep
grep .IptabLes
3⤵
PID:659

/bin/ps
ps -C .IptabLes
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:656

/usr/bin/xargs
xargs kill -9
3⤵
PID:660

/usr/local/sbin/kill
kill -9
4⤵
PID:662

/usr/local/bin/kill
kill -9
4⤵
PID:662

/usr/sbin/kill
kill -9
4⤵
PID:662

/usr/bin/kill
kill -9
4⤵
PID:662

/sbin/kill
kill -9
4⤵
PID:662

/bin/kill
kill -9
4⤵
- Reads CPU attributes
PID:662

/bin/rm
rm -f /boot/.stabip
3⤵
PID:665

/bin/rm
rm -f /boot/.IptabLes
3⤵
PID:667

/bin/rm
rm -f /etc/rc.d/init.d/IptabLes
3⤵
PID:669

/bin/rm
rm -f /boot/IptabLes
3⤵
PID:671

/bin/rm
rm -f /tmp/IptabLes
3⤵
- Writes file to tmp directory
PID:673

/bin/rm
rm -f /usr/IptabLes
3⤵
PID:675

/bin/rm
rm -f /usr/.IptabLes
3⤵
PID:677

/bin/rm
rm -f /boot/.IptabLes
3⤵
PID:678

/bin/rm
rm -f /.IptabLes
3⤵
PID:680

/bin/rm
rm -f /boot/IptabLes
3⤵
PID:682

/bin/rm
rm -f /IptabLes
3⤵
PID:684

/bin/rm
rm -f "/etc/rc.d/rc4.d/*IptabLes"
3⤵
PID:686

/bin/rm
rm -f "/etc/rc.d/rc1.d/*IptabLes"
3⤵
PID:688

/bin/rm
rm -f "/etc/rc.d/rc2.d/*IptabLes"
3⤵
PID:690

/bin/rm
rm -f "/etc/rc.d/rc3.d/*IptabLes"
3⤵
PID:692

/bin/rm
rm -f "/etc/rc.d/rc0.d/*IptabLes"
3⤵
PID:694

/bin/rm
rm -f "/etc/rc.d/rc5.d/*IptabLes"
3⤵
PID:696

/bin/rm
rm -f "/etc/rc.d/rc6.d/*IptabLes"
3⤵
PID:698

/bin/rm
rm -f /etc/init.d/IptabLes
3⤵
- Modifies init.d
PID:700

/bin/rm
rm -f "/etc/rc4.d/*IptabLes"
3⤵
- Modifies rc script
PID:701

/bin/rm
rm -f "/etc/rc1.d/*IptabLes"
3⤵
- Modifies rc script
PID:704

/bin/rm
rm -f "/etc/rc2.d/*IptabLes"
3⤵
- Modifies rc script
PID:706

/bin/rm
rm -f "/etc/rc3.d/*IptabLes"
3⤵
- Modifies rc script
PID:708

/bin/rm
rm -f "/etc/rc0.d/*IptabLes"
3⤵
- Modifies rc script
PID:710

/bin/rm
rm -f "/etc/rc5.d/*IptabLes"
3⤵
- Modifies rc script
PID:712

/bin/rm
rm -f "/etc/rc6.d/*IptabLes"
3⤵
- Modifies rc script
PID:714

/bin/rm
rm -rf /delallmykkk
3⤵
PID:716

/bin/sh
sh -c "cp /tmp/960cb322998f273c7c30ea05f58284a5bf749dc32240d1ecbe533b091148a44a /boot/.IptabLes>/dev/null"
1⤵
PID:718

/bin/cp
cp /tmp/960cb322998f273c7c30ea05f58284a5bf749dc32240d1ecbe533b091148a44a /boot/.IptabLes
2⤵
- Writes file to tmp directory
PID:719

/bin/sh
sh -c "cp /tmp/960cb322998f273c7c30ea05f58284a5bf749dc32240d1ecbe533b091148a44aBCfWrED /boot/.IptabLex>/dev/null"
1⤵
PID:717

/bin/cp
cp /tmp/960cb322998f273c7c30ea05f58284a5bf749dc32240d1ecbe533b091148a44aBCfWrED /boot/.IptabLex
2⤵
- Writes file to tmp directory
PID:720

/bin/sh
sh -c /etc/rc2.d/S55IptabLes
1⤵
PID:721

/etc/rc2.d/S55IptabLes
/etc/rc2.d/S55IptabLes
2⤵
PID:722

/bin/sh
sh -c /etc/rc2.d/S55IptabLex
1⤵
PID:723

/etc/rc2.d/S55IptabLex
/etc/rc2.d/S55IptabLex
2⤵
PID:724

/bin/sh
sh -c /etc/rc3.d/S55IptabLex
1⤵
PID:725

/etc/rc3.d/S55IptabLex
/etc/rc3.d/S55IptabLex
2⤵
PID:726

/bin/sh
sh -c /etc/rc3.d/S55IptabLes
1⤵
PID:727

/etc/rc3.d/S55IptabLes
/etc/rc3.d/S55IptabLes
2⤵
PID:728

/bin/sh
sh -c /etc/rc4.d/S55IptabLex
1⤵
PID:729

/etc/rc4.d/S55IptabLex
/etc/rc4.d/S55IptabLex
2⤵
PID:730

/bin/sh
sh -c /etc/rc4.d/S55IptabLes
1⤵
PID:731

/etc/rc4.d/S55IptabLes
/etc/rc4.d/S55IptabLes
2⤵
PID:733

/bin/sh
sh -c /etc/rc5.d/S55IptabLex
1⤵
PID:732

/etc/rc5.d/S55IptabLex
/etc/rc5.d/S55IptabLex
2⤵
PID:734

/bin/sh
sh -c /etc/rc5.d/S55IptabLes
1⤵
PID:735

/etc/rc5.d/S55IptabLes
/etc/rc5.d/S55IptabLes
2⤵
PID:737

/bin/sh
sh -c /boot/IptabLex
1⤵
PID:736

/boot/IptabLex
/boot/IptabLex
2⤵
PID:738

/boot/.IptabLex
/boot/.IptabLex
3⤵
PID:741

/bin/sh
sh -c /boot/IptabLes
1⤵
PID:739

/boot/IptabLes
/boot/IptabLes
2⤵
PID:740

/boot/.IptabLes
/boot/.IptabLes
3⤵
PID:742

/bin/sh
sh -c "sh /delxxaazzx"
1⤵
PID:744

/bin/sh
sh /delxxaazzx
2⤵
PID:750

/bin/sleep
sleep 3
3⤵
PID:757

/bin/sleep
sleep 1
3⤵
PID:759

/bin/rm
rm -f /tmp/960cb322998f273c7c30ea05f58284a5bf749dc32240d1ecbe533b091148a44aBCfWrED
3⤵
- Writes file to tmp directory
PID:761

/bin/rm
rm -rf /delxxaazzx
3⤵
PID:764

/bin/sh
sh -c "sh /delxxaazz"
1⤵
PID:751

/bin/sh
sh /delxxaazz
2⤵
PID:756

/bin/sleep
sleep 3
3⤵
PID:758

/bin/sleep
sleep 1
3⤵
PID:760

/bin/rm
rm -f /tmp/960cb322998f273c7c30ea05f58284a5bf749dc32240d1ecbe533b091148a44a
3⤵
- Writes file to tmp directory
PID:762

/bin/rm
rm -rf /delxxaazz
3⤵
PID:763

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

description	ioc	process
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	kill
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	kill
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	kill
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	kill
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	kill
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	kill
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	kill
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	kill
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads