10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199

General

Target

10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199
Size

1.0MB
MD5

9966d5db77f247070fcac9590a3fde80
SHA1

ec0fdb1333443a7c0442dd279626bf8d58eb8cbb
SHA256

10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199
SHA512

e6a468cdfd9f720b217069f0dddc012b8549a834862d287ea101914503a048f644085c16b534b2b7418686b792a9ee0cb1e32977751d648d57ed0241bed17131
SSDEEP

24576:L8TklemVE3JnQaQAcA+xk3ZeRXP1qjStp/vtq6bUn5V:2IemVE6aQyTpexwyVOn5V

Score

7^/10

persistence

Malware Config

Signatures

Modifies init.d 1 TTPs 2 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

rmrm

description ioc process

/etc/init.d/IptabLex /etc/init.d/IptabLex rm
/etc/init.d/IptabLes /etc/init.d/IptabLes rm

description	ioc	process
/etc/init.d/IptabLex	/etc/init.d/IptabLex	rm
/etc/init.d/IptabLes	/etc/init.d/IptabLes	rm

Modifies rc script 1 TTPs 22 IoCs

Adding/modifying system rc scripts is a common persistence mechanism.

persistence

Boot or Logon Autostart Execution

T1547

Processes:

rmrmrmrmrmrmrmrmrmrmrmrmrmrm

description	ioc
/etc/rc5.d/S55IptabLes	/etc/rc5.d/S55IptabLes
/etc/rc4.d/*IptabLex	/etc/rc4.d/*IptabLex	rm
/etc/rc1.d/*IptabLex	/etc/rc1.d/*IptabLex	rm
/etc/rc2.d/*IptabLex	/etc/rc2.d/*IptabLex	rm
/etc/rc6.d/*IptabLex	/etc/rc6.d/*IptabLex	rm
/etc/rc3.d/*IptabLes	/etc/rc3.d/*IptabLes	rm
/etc/rc2.d/S55IptabLes	/etc/rc2.d/S55IptabLes
/etc/rc6.d/*IptabLes	/etc/rc6.d/*IptabLes	rm
/etc/rc3.d/*IptabLex	/etc/rc3.d/*IptabLex	rm
/etc/rc0.d/*IptabLex	/etc/rc0.d/*IptabLex	rm
/etc/rc4.d/*IptabLes	/etc/rc4.d/*IptabLes	rm
/etc/rc2.d/*IptabLes	/etc/rc2.d/*IptabLes	rm
/etc/rc0.d/*IptabLes	/etc/rc0.d/*IptabLes	rm
/etc/rc5.d/*IptabLes	/etc/rc5.d/*IptabLes	rm
/etc/rc3.d/S55IptabLex	/etc/rc3.d/S55IptabLex
/etc/rc4.d/S55IptabLex	/etc/rc4.d/S55IptabLex
/etc/rc5.d/S55IptabLex	/etc/rc5.d/S55IptabLex
/etc/rc5.d/*IptabLex	/etc/rc5.d/*IptabLex	rm
/etc/rc1.d/*IptabLes	/etc/rc1.d/*IptabLes	rm
/etc/rc2.d/S55IptabLex	/etc/rc2.d/S55IptabLex
/etc/rc3.d/S55IptabLes	/etc/rc3.d/S55IptabLes
/etc/rc4.d/S55IptabLes	/etc/rc4.d/S55IptabLes

Reads CPU attributes 1 TTPs 32 IoCs

System Information Discovery

T1082

Processes:

pspspspspspspspspspspspspskillpspspspspspspspskillpspskillpskillkillkillkillkill

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

pspspspspspspspspspspspspspspskillps

description	ioc	process
/proc/169/status	/proc/169/status	ps
/proc/82/stat	/proc/82/stat	ps
/proc/604/stat	/proc/604/stat	ps
/proc/647/stat	/proc/647/stat	ps
/proc/83/stat	/proc/83/stat	ps
/proc/30/cmdline	/proc/30/cmdline	ps
/proc/171/stat	/proc/171/stat	ps
/proc/382/stat	/proc/382/stat	ps
/proc/600/status	/proc/600/status	ps
/proc/16/status	/proc/16/status	ps
/proc/170/stat	/proc/170/stat	ps
/proc/12/stat	/proc/12/stat	ps
/proc/262/stat	/proc/262/stat	ps
/proc/262/stat	/proc/262/stat	ps
/proc/424/status	/proc/424/status	ps
/proc/173/stat	/proc/173/stat	ps
/proc/169/status	/proc/169/status	ps
/proc/98/stat	/proc/98/stat	ps
/proc/604/status	/proc/604/status	ps
/proc/21/status	/proc/21/status	ps
/proc/27/cmdline	/proc/27/cmdline	ps
/proc/25/stat	/proc/25/stat	ps
/proc/602/cmdline	/proc/602/cmdline	ps
/proc/604/status	/proc/604/status	ps
/proc/175/status	/proc/175/status	ps
/proc/167/stat	/proc/167/stat	ps
/proc/12/status	/proc/12/status	ps
/proc/79/cmdline	/proc/79/cmdline	ps
/proc/180/status	/proc/180/status	ps
/proc/202/cmdline	/proc/202/cmdline	ps
/proc/78/status	/proc/78/status	ps
/proc/591/cmdline	/proc/591/cmdline	ps
/proc/19/status	/proc/19/status	ps
/proc/78/status	/proc/78/status	ps
/proc/178/status	/proc/178/status	ps
/proc/250/stat	/proc/250/stat	ps
/proc/409/stat	/proc/409/stat	ps
/proc/36/stat	/proc/36/stat	ps
/proc/350/stat	/proc/350/stat	ps
/proc/sys/kernel/osrelease	/proc/sys/kernel/osrelease	kill
/proc/602/cmdline	/proc/602/cmdline	ps
/proc/13/stat	/proc/13/stat	ps
/proc/168/status	/proc/168/status	ps
/proc/3/stat	/proc/3/stat	ps
/proc/389/status	/proc/389/status	ps
/proc/422/stat	/proc/422/stat	ps
/proc/35/status	/proc/35/status	ps
/proc/350/stat	/proc/350/stat	ps
/proc/668/cmdline	/proc/668/cmdline	ps
/proc/203/stat	/proc/203/stat	ps
/proc/352/stat	/proc/352/stat	ps
/proc/16/stat	/proc/16/stat	ps
/proc/202/stat	/proc/202/stat	ps
/proc/12/status	/proc/12/status	ps
/proc/178/status	/proc/178/status	ps
/proc/168/stat	/proc/168/stat	ps
/proc/168/status	/proc/168/status	ps
/proc/175/status	/proc/175/status	ps
/proc/620/status	/proc/620/status	ps
/proc/409/status	/proc/409/status	ps
/proc/366/stat	/proc/366/stat	ps
/proc/382/status	/proc/382/status	ps
/proc/sys/kernel/pid_max	/proc/sys/kernel/pid_max	ps
/proc/163/status	/proc/163/status	ps

Writes file to tmp directory 6 IoCs

Malware often drops required files in the /tmp directory.

Processes:

rmcpcprmrmrm

description	ioc	process
/tmp/IptabLes	/tmp/IptabLes	rm
/tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199BCfWrED	/tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199BCfWrED	cp
/tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199	/tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199	cp
/tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199BCfWrED	/tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199BCfWrED	rm
/tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199	/tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199	rm
/tmp/IptabLex	/tmp/IptabLex	rm

/tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199
/tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199
1⤵
PID:593

/bin/sh
sh -c /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199BCfWrED
2⤵
PID:594

/tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199BCfWrED
/tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199BCfWrED
3⤵
PID:595

/bin/sh
sh -c "/delallmykkks>/dev/null"
1⤵
PID:602

/delallmykkks
/delallmykkks
2⤵
PID:604

/bin/grep
grep .IptabLex
3⤵
PID:608

/bin/ps
ps -f -C .IptabLex
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:607

/usr/bin/awk
awk "{print \$3}"
3⤵
PID:610

/usr/bin/xargs
xargs /delallmykkks 2
3⤵
PID:613

/delallmykkks
/delallmykkks 2
4⤵
PID:616

/bin/grep
grep .IptabLex
3⤵
PID:621

/bin/ps
ps -f -C .IptabLex
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:620

/usr/bin/awk
awk "{print \$3}"
3⤵
PID:622

/usr/bin/xargs
xargs /delallmykkks 2
3⤵
PID:624

/delallmykkks
/delallmykkks 2
4⤵
PID:630

/bin/ps
ps -f -C .IptabLex
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:632

/bin/grep
grep .IptabLex
3⤵
PID:635

/usr/bin/awk
awk "{print \$2}"
3⤵
PID:637

/usr/bin/xargs
xargs /delallmykkks 2
3⤵
PID:639

/delallmykkks
/delallmykkks 2
4⤵
PID:640

/bin/grep
grep .IptabLex
3⤵
PID:644

/bin/ps
ps -f -C .IptabLex
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:642

/usr/bin/awk
awk "{print \$2}"
3⤵
PID:646

/usr/bin/xargs
xargs /delallmykkks 2
3⤵
PID:648

/delallmykkks
/delallmykkks 2
4⤵
PID:650

/bin/ps
ps -axu
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:652

/bin/grep
grep .IptabLex
3⤵
PID:654

/usr/bin/awk
awk "{print \$2}"
3⤵
PID:656

/usr/bin/xargs
xargs kill -9
3⤵
PID:658

/usr/local/sbin/kill
kill -9 654
4⤵
PID:661

/usr/local/bin/kill
kill -9 654
4⤵
PID:661

/usr/sbin/kill
kill -9 654
4⤵
PID:661

/usr/bin/kill
kill -9 654
4⤵
PID:661

/sbin/kill
kill -9 654
4⤵
PID:661

/bin/kill
kill -9 654
4⤵
- Reads CPU attributes
PID:661

/bin/ps
ps -axu
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:663

/bin/grep
grep .IptabLex
3⤵
PID:664

/usr/bin/awk
awk "{print \$2}"
3⤵
PID:667

/usr/bin/xargs
xargs kill -9
3⤵
PID:669

/usr/local/sbin/kill
kill -9 664
4⤵
PID:670

/usr/local/bin/kill
kill -9 664
4⤵
PID:670

/usr/sbin/kill
kill -9 664
4⤵
PID:670

/usr/bin/kill
kill -9 664
4⤵
PID:670

/sbin/kill
kill -9 664
4⤵
PID:670

/bin/kill
kill -9 664
4⤵
- Reads CPU attributes
PID:670

/usr/bin/xargs
xargs kill -9
3⤵
PID:673

/usr/local/sbin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:676

/usr/local/bin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:676

/usr/sbin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:676

/usr/bin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:676

/sbin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:676

/bin/kill
kill -9 PID TTY TIME CMD
4⤵
- Reads CPU attributes
PID:676

/bin/ps
ps -C .IptabLex
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:672

/bin/ps
ps -C .IptabLex
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:678

/usr/bin/xargs
xargs kill -9
3⤵
PID:679

/usr/local/sbin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:683

/usr/local/bin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:683

/usr/sbin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:683

/usr/bin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:683

/sbin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:683

/bin/kill
kill -9 PID TTY TIME CMD
4⤵
- Reads CPU attributes
- Reads runtime system information
PID:683

/usr/bin/xargs
xargs rm -f
3⤵
PID:686

/usr/local/sbin/rm
rm -f
4⤵
PID:689

/usr/local/bin/rm
rm -f
4⤵
PID:689

/usr/sbin/rm
rm -f
4⤵
PID:689

/usr/bin/rm
rm -f
4⤵
PID:689

/sbin/rm
rm -f
4⤵
PID:689

/bin/rm
rm -f
4⤵
PID:689

/bin/ps
ps find / -name "*ptabLex"
3⤵
- Reads CPU attributes
PID:685

/bin/ps
ps find / -name .IptabLex
3⤵
- Reads CPU attributes
PID:690

/usr/bin/xargs
xargs rm -f
3⤵
PID:691

/usr/local/sbin/rm
rm -f
4⤵
PID:693

/usr/local/bin/rm
rm -f
4⤵
PID:693

/usr/sbin/rm
rm -f
4⤵
PID:693

/usr/bin/rm
rm -f
4⤵
PID:693

/sbin/rm
rm -f
4⤵
PID:693

/bin/rm
rm -f
4⤵
PID:693

/usr/bin/xargs
xargs rm -f
3⤵
PID:697

/usr/local/sbin/rm
rm -f
4⤵
PID:699

/usr/local/bin/rm
rm -f
4⤵
PID:699

/usr/sbin/rm
rm -f
4⤵
PID:699

/usr/bin/rm
rm -f
4⤵
PID:699

/sbin/rm
rm -f
4⤵
PID:699

/bin/rm
rm -f
4⤵
PID:699

/bin/ps
ps find / -name "*ptabLex"
3⤵
- Reads CPU attributes
PID:696

/bin/ps
ps find / -name .IptabLex
3⤵
- Reads CPU attributes
PID:702

/usr/bin/xargs
xargs rm -f
3⤵
PID:703

/usr/local/sbin/rm
rm -f
4⤵
PID:705

/usr/local/bin/rm
rm -f
4⤵
PID:705

/usr/sbin/rm
rm -f
4⤵
PID:705

/usr/bin/rm
rm -f
4⤵
PID:705

/sbin/rm
rm -f
4⤵
PID:705

/bin/rm
rm -f
4⤵
PID:705

/bin/rm
rm -f /boot/.stabip
3⤵
PID:707

/bin/rm
rm -f /boot/.IptabLex
3⤵
PID:709

/bin/rm
rm -f /etc/rc.d/init.d/IptabLex
3⤵
PID:710

/bin/rm
rm -f /boot/IptabLex
3⤵
PID:711

/bin/rm
rm -f /tmp/IptabLex
3⤵
- Writes file to tmp directory
PID:713

/bin/rm
rm -f /usr/IptabLex
3⤵
PID:714

/bin/rm
rm -f /usr/.IptabLex
3⤵
PID:717

/bin/rm
rm -f "/etc/rc.d/rc4.d/*IptabLex"
3⤵
PID:719

/bin/rm
rm -f "/etc/rc.d/rc1.d/*IptabLex"
3⤵
PID:720

/bin/rm
rm -f "/etc/rc.d/rc2.d/*IptabLex"
3⤵
PID:722

/bin/rm
rm -f "/etc/rc.d/rc3.d/*IptabLex"
3⤵
PID:724

/bin/rm
rm -f "/etc/rc.d/rc0.d/*IptabLex"
3⤵
PID:726

/bin/rm
rm -f "/etc/rc.d/rc5.d/*IptabLex"
3⤵
PID:728

/bin/rm
rm -f "/etc/rc.d/rc6.d/*IptabLex"
3⤵
PID:730

/bin/rm
rm -f /etc/init.d/IptabLex
3⤵
- Modifies init.d
PID:731

/bin/rm
rm -f "/etc/rc4.d/*IptabLex"
3⤵
- Modifies rc script
PID:733

/bin/rm
rm -f "/etc/rc1.d/*IptabLex"
3⤵
- Modifies rc script
PID:735

/bin/rm
rm -f "/etc/rc2.d/*IptabLex"
3⤵
- Modifies rc script
PID:737

/bin/rm
rm -f "/etc/rc3.d/*IptabLex"
3⤵
- Modifies rc script
PID:739

/bin/rm
rm -f "/etc/rc0.d/*IptabLex"
3⤵
- Modifies rc script
PID:741

/bin/rm
rm -f "/etc/rc5.d/*IptabLex"
3⤵
- Modifies rc script
PID:743

/bin/rm
rm -f "/etc/rc6.d/*IptabLex"
3⤵
- Modifies rc script
PID:746

/bin/rm
rm -rf /delallmykkks
3⤵
PID:747

/bin/sh
sh -c "/delallmykkk>/dev/null"
1⤵
PID:606

/delallmykkk
/delallmykkk
2⤵
PID:609

/bin/ps
ps -f -C .IptabLes
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:611

/bin/grep
grep .IptabLes
3⤵
PID:612

/usr/bin/awk
awk "{print \$3}"
3⤵
PID:614

/usr/bin/xargs
xargs /delallmykkk 2
3⤵
PID:615

/delallmykkk
/delallmykkk 2
4⤵
PID:617

/bin/ps
ps -f -C .IptabLes
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:618

/bin/grep
grep .IptabLes
3⤵
PID:619

/usr/bin/awk
awk "{print \$3}"
3⤵
PID:623

/usr/bin/xargs
xargs /delallmykkk 2
3⤵
PID:625

/delallmykkk
/delallmykkk 2
4⤵
PID:631

/bin/grep
grep .IptabLes
3⤵
PID:634

/bin/ps
ps -f -C .IptabLes
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:633

/usr/bin/awk
awk "{print \$2}"
3⤵
PID:636

/usr/bin/xargs
xargs /delallmykkk 2
3⤵
PID:638

/delallmykkk
/delallmykkk 2
4⤵
PID:641

/bin/ps
ps -f -C .IptabLes
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:643

/usr/bin/awk
awk "{print \$2}"
3⤵
PID:647

/bin/grep
grep .IptabLes
3⤵
PID:645

/usr/bin/xargs
xargs /delallmykkk 2
3⤵
PID:649

/delallmykkk
/delallmykkk 2
4⤵
PID:651

/bin/ps
ps -axu
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:653

/bin/grep
grep .IptabLes
3⤵
PID:655

/usr/bin/awk
awk "{print \$2}"
3⤵
PID:657

/usr/bin/xargs
xargs kill -9
3⤵
PID:659

/usr/local/sbin/kill
kill -9 655
4⤵
PID:660

/usr/local/bin/kill
kill -9 655
4⤵
PID:660

/usr/sbin/kill
kill -9 655
4⤵
PID:660

/usr/bin/kill
kill -9 655
4⤵
PID:660

/sbin/kill
kill -9 655
4⤵
PID:660

/bin/kill
kill -9 655
4⤵
- Reads CPU attributes
PID:660

/bin/grep
grep .IptabLes
3⤵
PID:665

/bin/ps
ps -axu
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:662

/usr/bin/awk
awk "{print \$2}"
3⤵
PID:666

/usr/bin/xargs
xargs kill -9
3⤵
PID:668

/usr/local/sbin/kill
kill -9 665
4⤵
PID:671

/usr/local/bin/kill
kill -9 665
4⤵
PID:671

/usr/sbin/kill
kill -9 665
4⤵
PID:671

/usr/bin/kill
kill -9 665
4⤵
PID:671

/sbin/kill
kill -9 665
4⤵
PID:671

/bin/kill
kill -9 665
4⤵
- Reads CPU attributes
PID:671

/usr/bin/xargs
xargs kill -9
3⤵
PID:675

/usr/local/sbin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:677

/usr/local/bin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:677

/usr/sbin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:677

/usr/bin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:677

/sbin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:677

/bin/kill
kill -9 PID TTY TIME CMD
4⤵
- Reads CPU attributes
PID:677

/bin/ps
ps -C .IptabLes
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:674

/bin/grep
grep .IptabLes
3⤵
PID:681

/bin/ps
ps -C .IptabLes
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:680

/usr/bin/xargs
xargs kill -9
3⤵
PID:682

/usr/local/sbin/kill
kill -9
4⤵
PID:684

/usr/local/bin/kill
kill -9
4⤵
PID:684

/usr/sbin/kill
kill -9
4⤵
PID:684

/usr/bin/kill
kill -9
4⤵
PID:684

/sbin/kill
kill -9
4⤵
PID:684

/bin/kill
kill -9
4⤵
- Reads CPU attributes
PID:684

/usr/bin/xargs
xargs rm -f
3⤵
PID:688

/usr/local/sbin/rm
rm -f
4⤵
PID:692

/usr/local/bin/rm
rm -f
4⤵
PID:692

/usr/sbin/rm
rm -f
4⤵
PID:692

/usr/bin/rm
rm -f
4⤵
PID:692

/sbin/rm
rm -f
4⤵
PID:692

/bin/rm
rm -f
4⤵
PID:692

/bin/ps
ps find / -name "*ptabLes"
3⤵
- Reads CPU attributes
PID:687

/bin/ps
ps find / -name .IptabLes
3⤵
- Reads CPU attributes
PID:694

/usr/bin/xargs
xargs rm -f
3⤵
PID:695

/usr/local/sbin/rm
rm -f
4⤵
PID:698

/usr/local/bin/rm
rm -f
4⤵
PID:698

/usr/sbin/rm
rm -f
4⤵
PID:698

/usr/bin/rm
rm -f
4⤵
PID:698

/sbin/rm
rm -f
4⤵
PID:698

/bin/rm
rm -f
4⤵
PID:698

/bin/ps
ps find / -name "*ptabLes"
3⤵
- Reads CPU attributes
PID:700

/usr/bin/xargs
xargs rm -f
3⤵
PID:701

/usr/local/sbin/rm
rm -f
4⤵
PID:704

/usr/local/bin/rm
rm -f
4⤵
PID:704

/usr/sbin/rm
rm -f
4⤵
PID:704

/usr/bin/rm
rm -f
4⤵
PID:704

/sbin/rm
rm -f
4⤵
PID:704

/bin/rm
rm -f
4⤵
PID:704

/bin/ps
ps find / -name .IptabLes
3⤵
- Reads CPU attributes
PID:706

/usr/bin/xargs
xargs rm -f
3⤵
PID:708

/usr/local/sbin/rm
rm -f
4⤵
PID:712

/usr/local/bin/rm
rm -f
4⤵
PID:712

/usr/sbin/rm
rm -f
4⤵
PID:712

/usr/bin/rm
rm -f
4⤵
PID:712

/sbin/rm
rm -f
4⤵
PID:712

/bin/rm
rm -f
4⤵
PID:712

/bin/rm
rm -f /boot/.stabip
3⤵
PID:715

/bin/rm
rm -f /boot/.IptabLes
3⤵
PID:716

/bin/rm
rm -f /etc/rc.d/init.d/IptabLes
3⤵
PID:718

/bin/rm
rm -f /boot/IptabLes
3⤵
PID:721

/bin/rm
rm -f /tmp/IptabLes
3⤵
- Writes file to tmp directory
PID:723

/bin/rm
rm -f /usr/IptabLes
3⤵
PID:725

/bin/rm
rm -f /usr/.IptabLes
3⤵
PID:727

/bin/rm
rm -f "/etc/rc.d/rc4.d/*IptabLes"
3⤵
PID:729

/bin/rm
rm -f "/etc/rc.d/rc1.d/*IptabLes"
3⤵
PID:732

/bin/rm
rm -f "/etc/rc.d/rc2.d/*IptabLes"
3⤵
PID:734

/bin/rm
rm -f "/etc/rc.d/rc3.d/*IptabLes"
3⤵
PID:736

/bin/rm
rm -f "/etc/rc.d/rc0.d/*IptabLes"
3⤵
PID:738

/bin/rm
rm -f "/etc/rc.d/rc5.d/*IptabLes"
3⤵
PID:740

/bin/rm
rm -f "/etc/rc.d/rc6.d/*IptabLes"
3⤵
PID:742

/bin/rm
rm -f /etc/init.d/IptabLes
3⤵
- Modifies init.d
PID:744

/bin/rm
rm -f "/etc/rc4.d/*IptabLes"
3⤵
- Modifies rc script
PID:745

/bin/rm
rm -f "/etc/rc1.d/*IptabLes"
3⤵
- Modifies rc script
PID:748

/bin/rm
rm -f "/etc/rc2.d/*IptabLes"
3⤵
- Modifies rc script
PID:750

/bin/rm
rm -f "/etc/rc3.d/*IptabLes"
3⤵
- Modifies rc script
PID:752

/bin/rm
rm -f "/etc/rc0.d/*IptabLes"
3⤵
- Modifies rc script
PID:753

/bin/rm
rm -f "/etc/rc5.d/*IptabLes"
3⤵
- Modifies rc script
PID:755

/bin/rm
rm -f "/etc/rc6.d/*IptabLes"
3⤵
- Modifies rc script
PID:757

/bin/rm
rm -rf /delallmykkk
3⤵
PID:759

/bin/sh
sh -c "nohup cp /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199BCfWrED /boot/.IptabLex>/dev/null"
1⤵
PID:749

/usr/bin/nohup
nohup cp /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199BCfWrED /boot/.IptabLex
2⤵
PID:751

/usr/local/sbin/cp
cp /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199BCfWrED /boot/.IptabLex
2⤵
PID:751

/usr/local/bin/cp
cp /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199BCfWrED /boot/.IptabLex
2⤵
PID:751

/usr/sbin/cp
cp /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199BCfWrED /boot/.IptabLex
2⤵
PID:751

/usr/bin/cp
cp /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199BCfWrED /boot/.IptabLex
2⤵
PID:751

/sbin/cp
cp /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199BCfWrED /boot/.IptabLex
2⤵
PID:751

/bin/cp
cp /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199BCfWrED /boot/.IptabLex
2⤵
- Writes file to tmp directory
PID:751

/bin/sh
sh -c /etc/rc2.d/S55IptabLex
1⤵
PID:754

/etc/rc2.d/S55IptabLex
/etc/rc2.d/S55IptabLex
2⤵
PID:756

/bin/sh
sh -c /etc/rc3.d/S55IptabLex
1⤵
PID:758

/etc/rc3.d/S55IptabLex
/etc/rc3.d/S55IptabLex
2⤵
PID:760

/bin/sh
sh -c /etc/rc4.d/S55IptabLex
1⤵
PID:761

/etc/rc4.d/S55IptabLex
/etc/rc4.d/S55IptabLex
2⤵
PID:763

/bin/sh
sh -c "nohup cp /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199 /boot/.IptabLes>/dev/null"
1⤵
PID:762

/usr/bin/nohup
nohup cp /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199 /boot/.IptabLes
2⤵
PID:764

/usr/local/sbin/cp
cp /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199 /boot/.IptabLes
2⤵
PID:764

/usr/local/bin/cp
cp /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199 /boot/.IptabLes
2⤵
PID:764

/usr/sbin/cp
cp /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199 /boot/.IptabLes
2⤵
PID:764

/usr/bin/cp
cp /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199 /boot/.IptabLes
2⤵
PID:764

/sbin/cp
cp /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199 /boot/.IptabLes
2⤵
PID:764

/bin/cp
cp /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199 /boot/.IptabLes
2⤵
- Writes file to tmp directory
PID:764

/bin/sh
sh -c /etc/rc5.d/S55IptabLex
1⤵
PID:765

/etc/rc5.d/S55IptabLex
/etc/rc5.d/S55IptabLex
2⤵
PID:766

/bin/sh
sh -c /boot/IptabLex
1⤵
PID:767

/boot/IptabLex
/boot/IptabLex
2⤵
PID:768

/boot/.IptabLex
/boot/.IptabLex
3⤵
PID:771

/bin/sh
sh -c /etc/rc2.d/S55IptabLes
1⤵
PID:769

/etc/rc2.d/S55IptabLes
/etc/rc2.d/S55IptabLes
2⤵
PID:770

/bin/sh
sh -c /etc/rc3.d/S55IptabLes
1⤵
PID:772

/etc/rc3.d/S55IptabLes
/etc/rc3.d/S55IptabLes
2⤵
PID:773

/bin/sh
sh -c "nohup sh /delxxaazzx>/dev/null&"
1⤵
PID:775

/usr/bin/nohup
nohup sh /delxxaazzx
2⤵
PID:780

/usr/local/sbin/sh
sh /delxxaazzx
2⤵
PID:780

/usr/local/bin/sh
sh /delxxaazzx
2⤵
PID:780

/usr/sbin/sh
sh /delxxaazzx
2⤵
PID:780

/usr/bin/sh
sh /delxxaazzx
2⤵
PID:780

/sbin/sh
sh /delxxaazzx
2⤵
PID:780

/bin/sh
sh /delxxaazzx
2⤵
PID:780

/bin/sleep
sleep 3
3⤵
PID:783

/bin/sleep
sleep 1
3⤵
PID:797

/bin/rm
rm -f /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199BCfWrED
3⤵
- Writes file to tmp directory
PID:799

/bin/rm
rm -rf /delxxaazzx
3⤵
PID:800

/bin/sh
sh -c /etc/rc4.d/S55IptabLes
1⤵
PID:781

/etc/rc4.d/S55IptabLes
/etc/rc4.d/S55IptabLes
2⤵
PID:782

/bin/sh
sh -c /etc/rc5.d/S55IptabLes
1⤵
PID:784

/etc/rc5.d/S55IptabLes
/etc/rc5.d/S55IptabLes
2⤵
PID:785

/bin/sh
sh -c /boot/IptabLes
1⤵
PID:786

/boot/IptabLes
/boot/IptabLes
2⤵
PID:787

/boot/.IptabLes
/boot/.IptabLes
3⤵
PID:788

/bin/sh
sh -c "nohup sh /delxxaazz>/dev/null&"
1⤵
PID:790

/usr/bin/nohup
nohup sh /delxxaazz
2⤵
PID:795

/usr/local/sbin/sh
sh /delxxaazz
2⤵
PID:795

/usr/local/bin/sh
sh /delxxaazz
2⤵
PID:795

/usr/sbin/sh
sh /delxxaazz
2⤵
PID:795

/usr/bin/sh
sh /delxxaazz
2⤵
PID:795

/sbin/sh
sh /delxxaazz
2⤵
PID:795

/bin/sh
sh /delxxaazz
2⤵
PID:795

/bin/sleep
sleep 3
3⤵
PID:796

/bin/sleep
sleep 1
3⤵
PID:798

/bin/rm
rm -f /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199
3⤵
- Writes file to tmp directory
PID:801

/bin/rm
rm -rf /delxxaazz
3⤵
PID:802

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

description	ioc	process
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	kill
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	kill
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	kill
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	kill
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	kill
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	kill
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	kill
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	kill

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads