59e9a55a03b24accd71f8503e2e24fa7d430ec758c8baebb21a0887dcc2d43c1

General

Target

59e9a55a03b24accd71f8503e2e24fa7d430ec758c8baebb21a0887dcc2d43c1
Size

699KB
MD5

a3a70a53a5d4e4a4ef24c0f7e0757490
SHA1

94efef21f765a4c6af2219760fb374b786006308
SHA256

59e9a55a03b24accd71f8503e2e24fa7d430ec758c8baebb21a0887dcc2d43c1
SHA512

85634593967a3932a3df5e2525b844194d6cbae15a662dbfc626e1f51c542f9f1e1058659ff13578f96a3057c4efb15471af968226aedcb0b289953f53310682

Score

7^/10

persistence

Malware Config

Signatures

Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

rm

description ioc process

/etc/init.d/IptabLes /etc/init.d/IptabLes rm

description	ioc	process
/etc/init.d/IptabLes	/etc/init.d/IptabLes	rm

Modifies rc script 1 TTPs 11 IoCs

Adding/modifying system rc scripts is a common persistence mechanism.

persistence

Boot or Logon Autostart Execution

T1547

Processes:

rmrmrmrmrmrmrm

description	ioc	process
/etc/rc6.d/*IptabLes	/etc/rc6.d/*IptabLes	rm
/etc/rc2.d/S55IptabLes	/etc/rc2.d/S55IptabLes
/etc/rc5.d/S55IptabLes	/etc/rc5.d/S55IptabLes
/etc/rc3.d/*IptabLes	/etc/rc3.d/*IptabLes	rm
/etc/rc0.d/*IptabLes	/etc/rc0.d/*IptabLes	rm
/etc/rc5.d/*IptabLes	/etc/rc5.d/*IptabLes	rm
/etc/rc3.d/S55IptabLes	/etc/rc3.d/S55IptabLes
/etc/rc4.d/S55IptabLes	/etc/rc4.d/S55IptabLes
/etc/rc4.d/*IptabLes	/etc/rc4.d/*IptabLes	rm
/etc/rc1.d/*IptabLes	/etc/rc1.d/*IptabLes	rm
/etc/rc2.d/*IptabLes	/etc/rc2.d/*IptabLes	rm

Reads CPU attributes 1 TTPs 10 IoCs

System Information Discovery

T1082

Processes:

pskillpskillpspspspskillkill

description	ioc	process
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	kill
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	kill
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	kill
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	kill

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

pspspsps

description	ioc	process
/proc/5/status	/proc/5/status	ps
/proc/157/status	/proc/157/status	ps
/proc/165/stat	/proc/165/stat	ps
/proc/193/status	/proc/193/status	ps
/proc/17/status	/proc/17/status	ps
/proc/592/stat	/proc/592/stat	ps
/proc/31/status	/proc/31/status	ps
/proc/18/status	/proc/18/status	ps
/proc/161/status	/proc/161/status	ps
/proc/418/status	/proc/418/status	ps
/proc/23/status	/proc/23/status	ps
/proc/129/status	/proc/129/status	ps
/proc/369/cmdline	/proc/369/cmdline	ps
/proc/98/status	/proc/98/status	ps
/proc/20/status	/proc/20/status	ps
/proc/583/stat	/proc/583/stat	ps
/proc/159/stat	/proc/159/stat	ps
/proc/418/stat	/proc/418/stat	ps
/proc/363/status	/proc/363/status	ps
/proc/34/status	/proc/34/status	ps
/proc/2/stat	/proc/2/stat	ps
/proc/14/stat	/proc/14/stat	ps
/proc/286/status	/proc/286/status	ps
/proc/82/stat	/proc/82/stat	ps
/proc/11/status	/proc/11/status	ps
/proc/17/status	/proc/17/status	ps
/proc/153/stat	/proc/153/stat	ps
/proc/13/cmdline	/proc/13/cmdline	ps
/proc/168/cmdline	/proc/168/cmdline	ps
/proc/9/status	/proc/9/status	ps
/proc/252/cmdline	/proc/252/cmdline	ps
/proc/24/status	/proc/24/status	ps
/proc/158/stat	/proc/158/stat	ps
/proc/meminfo	/proc/meminfo	ps
/proc/1/cmdline	/proc/1/cmdline	ps
/proc/29/cmdline	/proc/29/cmdline	ps
/proc/159/stat	/proc/159/stat	ps
/proc/155/stat	/proc/155/stat	ps
/proc/4/status	/proc/4/status	ps
/proc/83/stat	/proc/83/stat	ps
/proc/167/stat	/proc/167/stat	ps
/proc/82/cmdline	/proc/82/cmdline	ps
/proc/34/status	/proc/34/status	ps
/proc/30/cmdline	/proc/30/cmdline	ps
/proc/363/status	/proc/363/status	ps
/proc/192/status	/proc/192/status	ps
/proc/7/stat	/proc/7/stat	ps
/proc/14/status	/proc/14/status	ps
/proc/uptime	/proc/uptime	ps
/proc/591/stat	/proc/591/stat	ps
/proc/36/stat	/proc/36/stat	ps
/proc/98/status	/proc/98/status	ps
/proc/157/stat	/proc/157/stat	ps
/proc/586/cmdline	/proc/586/cmdline	ps
/proc/192/cmdline	/proc/192/cmdline	ps
/proc/80/status	/proc/80/status	ps
/proc/352/cmdline	/proc/352/cmdline	ps
/proc/583/stat	/proc/583/stat	ps
/proc/115/stat	/proc/115/stat	ps
/proc/352/stat	/proc/352/stat	ps
/proc/167/stat	/proc/167/stat	ps
/proc/9/status	/proc/9/status	ps
/proc/10/status	/proc/10/status	ps
/proc/157/status	/proc/157/status	ps

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

Processes:

rmcprm

description	ioc	process
/tmp/IptabLes	/tmp/IptabLes	rm
/tmp/59e9a55a03b24accd71f8503e2e24fa7d430ec758c8baebb21a0887dcc2d43c1	/tmp/59e9a55a03b24accd71f8503e2e24fa7d430ec758c8baebb21a0887dcc2d43c1	cp
/tmp/59e9a55a03b24accd71f8503e2e24fa7d430ec758c8baebb21a0887dcc2d43c1	/tmp/59e9a55a03b24accd71f8503e2e24fa7d430ec758c8baebb21a0887dcc2d43c1	rm

./59e9a55a03b24accd71f8503e2e24fa7d430ec758c8baebb21a0887dcc2d43c1
./59e9a55a03b24accd71f8503e2e24fa7d430ec758c8baebb21a0887dcc2d43c1
1⤵
PID:577

/bin/sh
sh -c "nohup sh /delallmykkk>/dev/null"
1⤵
PID:582

/usr/bin/nohup
nohup sh /delallmykkk
2⤵
PID:583

/usr/local/sbin/sh
sh /delallmykkk
2⤵
PID:583

/usr/local/bin/sh
sh /delallmykkk
2⤵
PID:583

/usr/sbin/sh
sh /delallmykkk
2⤵
PID:583

/usr/bin/sh
sh /delallmykkk
2⤵
PID:583

/sbin/sh
sh /delallmykkk
2⤵
PID:583

/bin/sh
sh /delallmykkk
2⤵
PID:583

/bin/grep
grep .IptabLes
3⤵
PID:585

/bin/ps
ps -axu
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:584

/usr/bin/awk
awk "{print \$2}"
3⤵
PID:586

/usr/bin/xargs
xargs kill -9
3⤵
PID:587

/usr/local/sbin/kill
kill -9 585
4⤵
PID:588

/usr/local/bin/kill
kill -9 585
4⤵
PID:588

/usr/sbin/kill
kill -9 585
4⤵
PID:588

/usr/bin/kill
kill -9 585
4⤵
PID:588

/sbin/kill
kill -9 585
4⤵
PID:588

/bin/kill
kill -9 585
4⤵
- Reads CPU attributes
PID:588

/bin/ps
ps -axu
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:589

/bin/grep
grep .IptabLes
3⤵
PID:590

/usr/bin/xargs
xargs kill -9
3⤵
PID:592

/usr/local/sbin/kill
kill -9 590
4⤵
PID:593

/usr/local/bin/kill
kill -9 590
4⤵
PID:593

/usr/sbin/kill
kill -9 590
4⤵
PID:593

/usr/bin/kill
kill -9 590
4⤵
PID:593

/sbin/kill
kill -9 590
4⤵
PID:593

/bin/kill
kill -9 590
4⤵
- Reads CPU attributes
PID:593

/usr/bin/awk
awk "{print \$2}"
3⤵
PID:591

/bin/ps
ps -C .IptabLes
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:594

/usr/bin/xargs
xargs kill -9
3⤵
PID:595

/usr/local/sbin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:596

/usr/local/bin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:596

/usr/sbin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:596

/usr/bin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:596

/sbin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:596

/bin/kill
kill -9 PID TTY TIME CMD
4⤵
- Reads CPU attributes
PID:596

/bin/ps
ps -C .IptabLes
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:597

/usr/bin/xargs
xargs kill -9
3⤵
PID:598

/usr/local/sbin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:599

/usr/local/bin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:599

/usr/sbin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:599

/usr/bin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:599

/sbin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:599

/bin/kill
kill -9 PID TTY TIME CMD
4⤵
- Reads CPU attributes
PID:599

/bin/ps
ps find / -name "*ptabLes"
3⤵
- Reads CPU attributes
PID:604

/usr/bin/xargs
xargs rm -f
3⤵
PID:605

/usr/local/sbin/rm
rm -f
4⤵
PID:606

/usr/local/bin/rm
rm -f
4⤵
PID:606

/usr/sbin/rm
rm -f
4⤵
PID:606

/usr/bin/rm
rm -f
4⤵
PID:606

/sbin/rm
rm -f
4⤵
PID:606

/bin/rm
rm -f
4⤵
PID:606

/bin/ps
ps find / -name .IptabLes
3⤵
- Reads CPU attributes
PID:607

/usr/bin/xargs
xargs rm -f
3⤵
PID:608

/usr/local/sbin/rm
rm -f
4⤵
PID:609

/usr/local/bin/rm
rm -f
4⤵
PID:609

/usr/sbin/rm
rm -f
4⤵
PID:609

/usr/bin/rm
rm -f
4⤵
PID:609

/sbin/rm
rm -f
4⤵
PID:609

/bin/rm
rm -f
4⤵
PID:609

/bin/rm
rm -f /boot/.stabip
3⤵
PID:610

/bin/rm
rm -f /boot/.IptabLes
3⤵
PID:611

/bin/rm
rm -f /etc/rc.d/init.d/IptabLes
3⤵
PID:612

/bin/rm
rm -f /boot/IptabLes
3⤵
PID:613

/bin/rm
rm -f /tmp/IptabLes
3⤵
- Writes file to tmp directory
PID:614

/bin/rm
rm -f /usr/.IptabLes
3⤵
PID:615

/bin/rm
rm -f "/etc/rc.d/rc4.d/*IptabLes"
3⤵
PID:616

/bin/rm
rm -f "/etc/rc.d/rc1.d/*IptabLes"
3⤵
PID:617

/bin/rm
rm -f "/etc/rc.d/rc2.d/*IptabLes"
3⤵
PID:618

/bin/rm
rm -f "/etc/rc.d/rc3.d/*IptabLes"
3⤵
PID:619

/bin/rm
rm -f "/etc/rc.d/rc0.d/*IptabLes"
3⤵
PID:620

/bin/rm
rm -f "/etc/rc.d/rc5.d/*IptabLes"
3⤵
PID:621

/bin/rm
rm -f "/etc/rc.d/rc6.d/*IptabLes"
3⤵
PID:622

/bin/rm
rm -f /etc/init.d/IptabLes
3⤵
- Modifies init.d
PID:623

/bin/rm
rm -f "/etc/rc4.d/*IptabLes"
3⤵
- Modifies rc script
PID:624

/bin/rm
rm -f "/etc/rc1.d/*IptabLes"
3⤵
- Modifies rc script
PID:625

/bin/rm
rm -f "/etc/rc2.d/*IptabLes"
3⤵
- Modifies rc script
PID:626

/bin/rm
rm -f "/etc/rc3.d/*IptabLes"
3⤵
- Modifies rc script
PID:627

/bin/rm
rm -f "/etc/rc0.d/*IptabLes"
3⤵
- Modifies rc script
PID:628

/bin/rm
rm -f "/etc/rc5.d/*IptabLes"
3⤵
- Modifies rc script
PID:629

/bin/rm
rm -f "/etc/rc6.d/*IptabLes"
3⤵
- Modifies rc script
PID:630

/bin/rm
rm -rf /delallmykkk
3⤵
PID:631

/bin/sh
sh -c "nohup cp /tmp/59e9a55a03b24accd71f8503e2e24fa7d430ec758c8baebb21a0887dcc2d43c1 /boot/.IptabLes>/dev/null"
1⤵
PID:632

/usr/bin/nohup
nohup cp /tmp/59e9a55a03b24accd71f8503e2e24fa7d430ec758c8baebb21a0887dcc2d43c1 /boot/.IptabLes
2⤵
PID:633

/usr/local/sbin/cp
cp /tmp/59e9a55a03b24accd71f8503e2e24fa7d430ec758c8baebb21a0887dcc2d43c1 /boot/.IptabLes
2⤵
PID:633

/usr/local/bin/cp
cp /tmp/59e9a55a03b24accd71f8503e2e24fa7d430ec758c8baebb21a0887dcc2d43c1 /boot/.IptabLes
2⤵
PID:633

/usr/sbin/cp
cp /tmp/59e9a55a03b24accd71f8503e2e24fa7d430ec758c8baebb21a0887dcc2d43c1 /boot/.IptabLes
2⤵
PID:633

/usr/bin/cp
cp /tmp/59e9a55a03b24accd71f8503e2e24fa7d430ec758c8baebb21a0887dcc2d43c1 /boot/.IptabLes
2⤵
PID:633

/sbin/cp
cp /tmp/59e9a55a03b24accd71f8503e2e24fa7d430ec758c8baebb21a0887dcc2d43c1 /boot/.IptabLes
2⤵
PID:633

/bin/cp
cp /tmp/59e9a55a03b24accd71f8503e2e24fa7d430ec758c8baebb21a0887dcc2d43c1 /boot/.IptabLes
2⤵
- Writes file to tmp directory
PID:633

/bin/sh
sh -c "nohup chmod 777 /boot/.IptabLes>/dev/null"
1⤵
PID:634

/usr/bin/nohup
nohup chmod 777 /boot/.IptabLes
2⤵
PID:635

/usr/local/sbin/chmod
chmod 777 /boot/.IptabLes
2⤵
PID:635

/usr/local/bin/chmod
chmod 777 /boot/.IptabLes
2⤵
PID:635

/usr/sbin/chmod
chmod 777 /boot/.IptabLes
2⤵
PID:635

/usr/bin/chmod
chmod 777 /boot/.IptabLes
2⤵
PID:635

/sbin/chmod
chmod 777 /boot/.IptabLes
2⤵
PID:635

/bin/chmod
chmod 777 /boot/.IptabLes
2⤵
PID:635

/bin/sh
sh -c "nohup chmod 777 /boot/IptabLes>/dev/null"
1⤵
PID:636

/usr/bin/nohup
nohup chmod 777 /boot/IptabLes
2⤵
PID:637

/usr/local/sbin/chmod
chmod 777 /boot/IptabLes
2⤵
PID:637

/usr/local/bin/chmod
chmod 777 /boot/IptabLes
2⤵
PID:637

/usr/sbin/chmod
chmod 777 /boot/IptabLes
2⤵
PID:637

/usr/bin/chmod
chmod 777 /boot/IptabLes
2⤵
PID:637

/sbin/chmod
chmod 777 /boot/IptabLes
2⤵
PID:637

/bin/chmod
chmod 777 /boot/IptabLes
2⤵
PID:637

/bin/sh
sh -c /etc/rc2.d/S55IptabLes
1⤵
PID:638

/etc/rc2.d/S55IptabLes
/etc/rc2.d/S55IptabLes
2⤵
PID:639

/bin/sh
sh -c /etc/rc3.d/S55IptabLes
1⤵
PID:640

/etc/rc3.d/S55IptabLes
/etc/rc3.d/S55IptabLes
2⤵
PID:641

/bin/sh
sh -c /etc/rc4.d/S55IptabLes
1⤵
PID:642

/etc/rc4.d/S55IptabLes
/etc/rc4.d/S55IptabLes
2⤵
PID:643

/bin/sh
sh -c /etc/rc5.d/S55IptabLes
1⤵
PID:644

/etc/rc5.d/S55IptabLes
/etc/rc5.d/S55IptabLes
2⤵
PID:645

/bin/sh
sh -c "/boot/IptabLes xxxx xxx"
1⤵
PID:646

/boot/IptabLes
/boot/IptabLes xxxx xxx
2⤵
PID:647

/boot/.IptabLes
/boot/.IptabLes
3⤵
PID:648

/bin/sh
sh -c "nohup sh /delxxaazz>/dev/null&"
1⤵
PID:650

/usr/bin/nohup
nohup sh /delxxaazz
2⤵
PID:655

/usr/local/sbin/sh
sh /delxxaazz
2⤵
PID:655

/usr/local/bin/sh
sh /delxxaazz
2⤵
PID:655

/usr/sbin/sh
sh /delxxaazz
2⤵
PID:655

/usr/bin/sh
sh /delxxaazz
2⤵
PID:655

/sbin/sh
sh /delxxaazz
2⤵
PID:655

/bin/sh
sh /delxxaazz
2⤵
PID:655

/bin/sleep
sleep 3
3⤵
PID:656

/bin/sleep
sleep 1
3⤵
PID:657

/bin/rm
rm -f /tmp/59e9a55a03b24accd71f8503e2e24fa7d430ec758c8baebb21a0887dcc2d43c1
3⤵
- Writes file to tmp directory
PID:658

/bin/rm
rm -rf /delxxaazz
3⤵
PID:659

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads