Analysis
-
max time kernel
0s -
max time network
154s -
platform
linux_amd64 -
resource
ubuntu1804-amd64-en-20211208 -
submitted
17-02-2022 19:13
General
-
Target
960cb322998f273c7c30ea05f58284a5bf749dc32240d1ecbe533b091148a44a
-
Size
1.1MB
-
MD5
fba111160d27811f538ffcee8eb0c1b7
-
SHA1
629f9828d8f88197e528a49390f478aecdcd1f08
-
SHA256
960cb322998f273c7c30ea05f58284a5bf749dc32240d1ecbe533b091148a44a
-
SHA512
43aef2b5ec18cf13757b5ed79f667f5b941d298687215fdf482456be77e093812e91be2471031c88688b88c56d9afee73641d472a404d90d856cadcc66009fe0
Score
7/10
Malware Config
Signatures
-
Modifies init.d 1 TTPs 2 IoCs
Adds/modifies system service, likely for persistence.
-
Modifies rc script 1 TTPs 22 IoCs
Adding/modifying system rc scripts is a common persistence mechanism.
-
Reads CPU attributes 1 TTPs 24 IoCs
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
Writes file to tmp directory 6 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
./960cb322998f273c7c30ea05f58284a5bf749dc32240d1ecbe533b091148a44a./960cb322998f273c7c30ea05f58284a5bf749dc32240d1ecbe533b091148a44a1⤵
-
/bin/shsh -c /tmp/960cb322998f273c7c30ea05f58284a5bf749dc32240d1ecbe533b091148a44aBCfWrED2⤵
-
/tmp/960cb322998f273c7c30ea05f58284a5bf749dc32240d1ecbe533b091148a44aBCfWrED/tmp/960cb322998f273c7c30ea05f58284a5bf749dc32240d1ecbe533b091148a44aBCfWrED3⤵
-
/bin/shsh -c "/delallmykkks>/dev/null"1⤵
-
/delallmykkks/delallmykkks2⤵
-
/usr/bin/awkawk "{print \$3}"3⤵
-
/bin/psps -f -C .IptabLex3⤵
- Reads CPU attributes
- Reads runtime system information
-
/usr/bin/xargsxargs /delallmykkks 23⤵
-
/delallmykkks/delallmykkks 24⤵
-
/bin/grepgrep .IptabLex3⤵
-
/bin/grepgrep .IptabLex3⤵
-
/bin/psps -f -C .IptabLex3⤵
- Reads CPU attributes
- Reads runtime system information
-
/usr/bin/awkawk "{print \$3}"3⤵
-
/usr/bin/xargsxargs /delallmykkks 23⤵
-
/delallmykkks/delallmykkks 24⤵
-
/bin/grepgrep .IptabLex3⤵
-
/bin/psps -f -C .IptabLex3⤵
- Reads CPU attributes
- Reads runtime system information
-
/usr/bin/awkawk "{print \$2}"3⤵
-
/usr/bin/xargsxargs /delallmykkks 23⤵
-
/delallmykkks/delallmykkks 24⤵
-
/bin/grepgrep .IptabLex3⤵
-
/bin/psps -f -C .IptabLex3⤵
- Reads CPU attributes
- Reads runtime system information
-
/usr/bin/xargsxargs /delallmykkks 23⤵
-
/delallmykkks/delallmykkks 24⤵
-
/usr/bin/awkawk "{print \$2}"3⤵
-
/bin/grepgrep .IptabLex3⤵
-
/bin/psps -axu3⤵
- Reads CPU attributes
- Reads runtime system information
-
/usr/bin/awkawk "{print \$2}"3⤵
-
/usr/bin/xargsxargs kill -93⤵
-
/usr/local/sbin/killkill -9 6314⤵
-
/usr/local/bin/killkill -9 6314⤵
-
/usr/sbin/killkill -9 6314⤵
-
/usr/bin/killkill -9 6314⤵
-
/sbin/killkill -9 6314⤵
-
/bin/killkill -9 6314⤵
- Reads CPU attributes
-
/bin/psps -axu3⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/grepgrep .IptabLex3⤵
-
/usr/bin/awkawk "{print \$2}"3⤵
-
/usr/bin/xargsxargs kill -93⤵
-
/usr/local/sbin/killkill -9 6414⤵
-
/usr/local/bin/killkill -9 6414⤵
-
/usr/sbin/killkill -9 6414⤵
-
/usr/bin/killkill -9 6414⤵
-
/sbin/killkill -9 6414⤵
-
/bin/killkill -9 6414⤵
- Reads CPU attributes
-
/usr/bin/xargsxargs kill -93⤵
-
/usr/local/sbin/killkill -9 PID TTY TIME CMD4⤵
-
/usr/local/bin/killkill -9 PID TTY TIME CMD4⤵
-
/usr/sbin/killkill -9 PID TTY TIME CMD4⤵
-
/usr/bin/killkill -9 PID TTY TIME CMD4⤵
-
/sbin/killkill -9 PID TTY TIME CMD4⤵
-
/bin/killkill -9 PID TTY TIME CMD4⤵
- Reads CPU attributes
-
/bin/psps -C .IptabLex3⤵
- Reads CPU attributes
- Reads runtime system information
-
/usr/bin/xargsxargs kill -93⤵
-
/usr/local/sbin/killkill -9 PID TTY TIME CMD4⤵
-
/usr/local/bin/killkill -9 PID TTY TIME CMD4⤵
-
/usr/sbin/killkill -9 PID TTY TIME CMD4⤵
-
/usr/bin/killkill -9 PID TTY TIME CMD4⤵
-
/sbin/killkill -9 PID TTY TIME CMD4⤵
-
/bin/killkill -9 PID TTY TIME CMD4⤵
- Reads CPU attributes
-
/bin/psps -C .IptabLex3⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/rmrm -f /boot/.stabip3⤵
-
/bin/rmrm -f /boot/.IptabLex3⤵
-
/bin/rmrm -f /etc/rc.d/init.d/IptabLex3⤵
-
/bin/rmrm -f /boot/IptabLex3⤵
-
/bin/rmrm -f /tmp/IptabLex3⤵
- Writes file to tmp directory
-
/bin/rmrm -f /usr/IptabLex3⤵
-
/bin/rmrm -f /usr/.IptabLex3⤵
-
/bin/rmrm -f /boot/.IptabLex3⤵
-
/bin/rmrm -f /.IptabLex3⤵
-
/bin/rmrm -f /boot/IptabLex3⤵
-
/bin/rmrm -f /IptabLex3⤵
-
/bin/rmrm -f "/etc/rc.d/rc4.d/*IptabLex"3⤵
-
/bin/rmrm -f "/etc/rc.d/rc1.d/*IptabLex"3⤵
-
/bin/rmrm -f "/etc/rc.d/rc2.d/*IptabLex"3⤵
-
/bin/rmrm -f "/etc/rc.d/rc3.d/*IptabLex"3⤵
-
/bin/rmrm -f "/etc/rc.d/rc0.d/*IptabLex"3⤵
-
/bin/rmrm -f "/etc/rc.d/rc5.d/*IptabLex"3⤵
-
/bin/rmrm -f "/etc/rc.d/rc6.d/*IptabLex"3⤵
-
/bin/rmrm -f /etc/init.d/IptabLex3⤵
- Modifies init.d
-
/bin/rmrm -f "/etc/rc4.d/*IptabLex"3⤵
- Modifies rc script
-
/bin/rmrm -f "/etc/rc1.d/*IptabLex"3⤵
- Modifies rc script
-
/bin/rmrm -f "/etc/rc2.d/*IptabLex"3⤵
- Modifies rc script
-
/bin/rmrm -f "/etc/rc3.d/*IptabLex"3⤵
- Modifies rc script
-
/bin/rmrm -f "/etc/rc0.d/*IptabLex"3⤵
- Modifies rc script
-
/bin/rmrm -f "/etc/rc5.d/*IptabLex"3⤵
- Modifies rc script
-
/bin/rmrm -f "/etc/rc6.d/*IptabLex"3⤵
- Modifies rc script
-
/bin/rmrm -rf /delallmykkks3⤵
-
/bin/shsh -c "/delallmykkk>/dev/null"1⤵
-
/delallmykkk/delallmykkk2⤵
-
/bin/psps -f -C .IptabLes3⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/grepgrep .IptabLes3⤵
-
/usr/bin/awkawk "{print \$3}"3⤵
-
/usr/bin/xargsxargs /delallmykkk 23⤵
-
/delallmykkk/delallmykkk 24⤵
-
/bin/psps -f -C .IptabLes3⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/grepgrep .IptabLes3⤵
-
/usr/bin/awkawk "{print \$3}"3⤵
-
/usr/bin/xargsxargs /delallmykkk 23⤵
-
/delallmykkk/delallmykkk 24⤵
-
/bin/psps -f -C .IptabLes3⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/grepgrep .IptabLes3⤵
-
/usr/bin/xargsxargs /delallmykkk 23⤵
-
/delallmykkk/delallmykkk 24⤵
-
/usr/bin/awkawk "{print \$2}"3⤵
-
/bin/psps -f -C .IptabLes3⤵
- Reads CPU attributes
- Reads runtime system information
-
/usr/bin/awkawk "{print \$2}"3⤵
-
/bin/grepgrep .IptabLes3⤵
-
/usr/bin/xargsxargs /delallmykkk 23⤵
-
/delallmykkk/delallmykkk 24⤵
-
/bin/grepgrep .IptabLes3⤵
-
/bin/psps -axu3⤵
- Reads CPU attributes
- Reads runtime system information
-
/usr/bin/awkawk "{print \$2}"3⤵
-
/usr/bin/xargsxargs kill -93⤵
-
/usr/local/sbin/killkill -9 6344⤵
-
/usr/local/bin/killkill -9 6344⤵
-
/usr/sbin/killkill -9 6344⤵
-
/usr/bin/killkill -9 6344⤵
-
/sbin/killkill -9 6344⤵
-
/bin/killkill -9 6344⤵
- Reads CPU attributes
-
/bin/grepgrep .IptabLes3⤵
-
/usr/bin/awkawk "{print \$2}"3⤵
-
/usr/bin/xargsxargs kill -93⤵
-
/usr/local/sbin/killkill -9 6444⤵
-
/usr/local/bin/killkill -9 6444⤵
-
/usr/sbin/killkill -9 6444⤵
-
/usr/bin/killkill -9 6444⤵
-
/sbin/killkill -9 6444⤵
-
/bin/killkill -9 6444⤵
- Reads CPU attributes
-
/bin/psps -axu3⤵
- Reads CPU attributes
- Reads runtime system information
-
/usr/bin/xargsxargs kill -93⤵
-
/usr/local/sbin/killkill -9 PID TTY TIME CMD4⤵
-
/usr/local/bin/killkill -9 PID TTY TIME CMD4⤵
-
/usr/sbin/killkill -9 PID TTY TIME CMD4⤵
-
/usr/bin/killkill -9 PID TTY TIME CMD4⤵
-
/sbin/killkill -9 PID TTY TIME CMD4⤵
-
/bin/killkill -9 PID TTY TIME CMD4⤵
- Reads CPU attributes
-
/bin/psps -C .IptabLes3⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/grepgrep .IptabLes3⤵
-
/bin/psps -C .IptabLes3⤵
- Reads CPU attributes
- Reads runtime system information
-
/usr/bin/xargsxargs kill -93⤵
-
/usr/local/sbin/killkill -94⤵
-
/usr/local/bin/killkill -94⤵
-
/usr/sbin/killkill -94⤵
-
/usr/bin/killkill -94⤵
-
/sbin/killkill -94⤵
-
/bin/killkill -94⤵
- Reads CPU attributes
-
/bin/rmrm -f /boot/.stabip3⤵
-
/bin/rmrm -f /boot/.IptabLes3⤵
-
/bin/rmrm -f /etc/rc.d/init.d/IptabLes3⤵
-
/bin/rmrm -f /boot/IptabLes3⤵
-
/bin/rmrm -f /tmp/IptabLes3⤵
- Writes file to tmp directory
-
/bin/rmrm -f /usr/IptabLes3⤵
-
/bin/rmrm -f /usr/.IptabLes3⤵
-
/bin/rmrm -f /boot/.IptabLes3⤵
-
/bin/rmrm -f /.IptabLes3⤵
-
/bin/rmrm -f /boot/IptabLes3⤵
-
/bin/rmrm -f /IptabLes3⤵
-
/bin/rmrm -f "/etc/rc.d/rc4.d/*IptabLes"3⤵
-
/bin/rmrm -f "/etc/rc.d/rc1.d/*IptabLes"3⤵
-
/bin/rmrm -f "/etc/rc.d/rc2.d/*IptabLes"3⤵
-
/bin/rmrm -f "/etc/rc.d/rc3.d/*IptabLes"3⤵
-
/bin/rmrm -f "/etc/rc.d/rc0.d/*IptabLes"3⤵
-
/bin/rmrm -f "/etc/rc.d/rc5.d/*IptabLes"3⤵
-
/bin/rmrm -f "/etc/rc.d/rc6.d/*IptabLes"3⤵
-
/bin/rmrm -f /etc/init.d/IptabLes3⤵
- Modifies init.d
-
/bin/rmrm -f "/etc/rc4.d/*IptabLes"3⤵
- Modifies rc script
-
/bin/rmrm -f "/etc/rc1.d/*IptabLes"3⤵
- Modifies rc script
-
/bin/rmrm -f "/etc/rc2.d/*IptabLes"3⤵
- Modifies rc script
-
/bin/rmrm -f "/etc/rc3.d/*IptabLes"3⤵
- Modifies rc script
-
/bin/rmrm -f "/etc/rc0.d/*IptabLes"3⤵
- Modifies rc script
-
/bin/rmrm -f "/etc/rc5.d/*IptabLes"3⤵
- Modifies rc script
-
/bin/rmrm -f "/etc/rc6.d/*IptabLes"3⤵
- Modifies rc script
-
/bin/rmrm -rf /delallmykkk3⤵
-
/bin/shsh -c "cp /tmp/960cb322998f273c7c30ea05f58284a5bf749dc32240d1ecbe533b091148a44a /boot/.IptabLes>/dev/null"1⤵
-
/bin/cpcp /tmp/960cb322998f273c7c30ea05f58284a5bf749dc32240d1ecbe533b091148a44a /boot/.IptabLes2⤵
- Writes file to tmp directory
-
/bin/shsh -c "cp /tmp/960cb322998f273c7c30ea05f58284a5bf749dc32240d1ecbe533b091148a44aBCfWrED /boot/.IptabLex>/dev/null"1⤵
-
/bin/cpcp /tmp/960cb322998f273c7c30ea05f58284a5bf749dc32240d1ecbe533b091148a44aBCfWrED /boot/.IptabLex2⤵
- Writes file to tmp directory
-
/bin/shsh -c /etc/rc2.d/S55IptabLes1⤵
-
/etc/rc2.d/S55IptabLes/etc/rc2.d/S55IptabLes2⤵
-
/bin/shsh -c /etc/rc2.d/S55IptabLex1⤵
-
/etc/rc2.d/S55IptabLex/etc/rc2.d/S55IptabLex2⤵
-
/bin/shsh -c /etc/rc3.d/S55IptabLex1⤵
-
/etc/rc3.d/S55IptabLex/etc/rc3.d/S55IptabLex2⤵
-
/bin/shsh -c /etc/rc3.d/S55IptabLes1⤵
-
/etc/rc3.d/S55IptabLes/etc/rc3.d/S55IptabLes2⤵
-
/bin/shsh -c /etc/rc4.d/S55IptabLex1⤵
-
/etc/rc4.d/S55IptabLex/etc/rc4.d/S55IptabLex2⤵
-
/bin/shsh -c /etc/rc4.d/S55IptabLes1⤵
-
/etc/rc4.d/S55IptabLes/etc/rc4.d/S55IptabLes2⤵
-
/bin/shsh -c /etc/rc5.d/S55IptabLex1⤵
-
/etc/rc5.d/S55IptabLex/etc/rc5.d/S55IptabLex2⤵
-
/bin/shsh -c /etc/rc5.d/S55IptabLes1⤵
-
/etc/rc5.d/S55IptabLes/etc/rc5.d/S55IptabLes2⤵
-
/bin/shsh -c /boot/IptabLex1⤵
-
/boot/IptabLex/boot/IptabLex2⤵
-
/boot/.IptabLex/boot/.IptabLex3⤵
-
/bin/shsh -c /boot/IptabLes1⤵
-
/boot/IptabLes/boot/IptabLes2⤵
-
/boot/.IptabLes/boot/.IptabLes3⤵
-
/bin/shsh -c "sh /delxxaazzx"1⤵
-
/bin/shsh /delxxaazzx2⤵
-
/bin/sleepsleep 33⤵
-
/bin/sleepsleep 13⤵
-
/bin/rmrm -f /tmp/960cb322998f273c7c30ea05f58284a5bf749dc32240d1ecbe533b091148a44aBCfWrED3⤵
- Writes file to tmp directory
-
/bin/rmrm -rf /delxxaazzx3⤵
-
/bin/shsh -c "sh /delxxaazz"1⤵
-
/bin/shsh /delxxaazz2⤵
-
/bin/sleepsleep 33⤵
-
/bin/sleepsleep 13⤵
-
/bin/rmrm -f /tmp/960cb322998f273c7c30ea05f58284a5bf749dc32240d1ecbe533b091148a44a3⤵
- Writes file to tmp directory
-
/bin/rmrm -rf /delxxaazz3⤵