10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199

Analysis

max time kernel
30423s
max time network
154s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
25/11/2022, 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199
Size

1.0MB
MD5

9966d5db77f247070fcac9590a3fde80
SHA1

ec0fdb1333443a7c0442dd279626bf8d58eb8cbb
SHA256

10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199
SHA512

e6a468cdfd9f720b217069f0dddc012b8549a834862d287ea101914503a048f644085c16b534b2b7418686b792a9ee0cb1e32977751d648d57ed0241bed17131
SSDEEP

24576:L8TklemVE3JnQaQAcA+xk3ZeRXP1qjStp/vtq6bUn5V:2IemVE6aQyTpexwyVOn5V

Score

7^/10

persistence

Malware Config

Signatures

Modifies init.d 1 TTPs 2 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc	Process
/etc/init.d/IptabLex	/etc/init.d/IptabLex	rm
/etc/init.d/IptabLes	/etc/init.d/IptabLes	rm

Modifies rc script 1 TTPs 22 IoCs

Adding/modifying system rc scripts is a common persistence mechanism.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc	Process
/etc/rc5.d/S55IptabLes	/etc/rc5.d/S55IptabLes	Process not Found
/etc/rc4.d/*IptabLex	/etc/rc4.d/*IptabLex	rm
/etc/rc1.d/*IptabLex	/etc/rc1.d/*IptabLex	rm
/etc/rc2.d/*IptabLex	/etc/rc2.d/*IptabLex	rm
/etc/rc6.d/*IptabLex	/etc/rc6.d/*IptabLex	rm
/etc/rc3.d/*IptabLes	/etc/rc3.d/*IptabLes	rm
/etc/rc2.d/S55IptabLes	/etc/rc2.d/S55IptabLes	Process not Found
/etc/rc6.d/*IptabLes	/etc/rc6.d/*IptabLes	rm
/etc/rc3.d/*IptabLex	/etc/rc3.d/*IptabLex	rm
/etc/rc0.d/*IptabLex	/etc/rc0.d/*IptabLex	rm
/etc/rc4.d/*IptabLes	/etc/rc4.d/*IptabLes	rm
/etc/rc2.d/*IptabLes	/etc/rc2.d/*IptabLes	rm
/etc/rc0.d/*IptabLes	/etc/rc0.d/*IptabLes	rm
/etc/rc5.d/*IptabLes	/etc/rc5.d/*IptabLes	rm
/etc/rc3.d/S55IptabLex	/etc/rc3.d/S55IptabLex	Process not Found
/etc/rc4.d/S55IptabLex	/etc/rc4.d/S55IptabLex	Process not Found
/etc/rc5.d/S55IptabLex	/etc/rc5.d/S55IptabLex	Process not Found
/etc/rc5.d/*IptabLex	/etc/rc5.d/*IptabLex	rm
/etc/rc1.d/*IptabLes	/etc/rc1.d/*IptabLes	rm
/etc/rc2.d/S55IptabLex	/etc/rc2.d/S55IptabLex	Process not Found
/etc/rc3.d/S55IptabLes	/etc/rc3.d/S55IptabLes	Process not Found
/etc/rc4.d/S55IptabLes	/etc/rc4.d/S55IptabLes	Process not Found

Reads CPU attributes 1 TTPs 32 IoCs

System Information Discovery

T1082

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/169/status	/proc/169/status	ps
/proc/82/stat	/proc/82/stat	ps
/proc/604/stat	/proc/604/stat	ps
/proc/647/stat	/proc/647/stat	ps
/proc/83/stat	/proc/83/stat	ps
/proc/30/cmdline	/proc/30/cmdline	ps
/proc/171/stat	/proc/171/stat	ps
/proc/382/stat	/proc/382/stat	ps
/proc/600/status	/proc/600/status	ps
/proc/16/status	/proc/16/status	ps
/proc/170/stat	/proc/170/stat	ps
/proc/12/stat	/proc/12/stat	ps
/proc/262/stat	/proc/262/stat	ps
/proc/262/stat	/proc/262/stat	ps
/proc/424/status	/proc/424/status	ps
/proc/173/stat	/proc/173/stat	ps
/proc/169/status	/proc/169/status	ps
/proc/98/stat	/proc/98/stat	ps
/proc/604/status	/proc/604/status	ps
/proc/21/status	/proc/21/status	ps
/proc/27/cmdline	/proc/27/cmdline	ps
/proc/25/stat	/proc/25/stat	ps
/proc/602/cmdline	/proc/602/cmdline	ps
/proc/604/status	/proc/604/status	ps
/proc/175/status	/proc/175/status	ps
/proc/167/stat	/proc/167/stat	ps
/proc/12/status	/proc/12/status	ps
/proc/79/cmdline	/proc/79/cmdline	ps
/proc/180/status	/proc/180/status	ps
/proc/202/cmdline	/proc/202/cmdline	ps
/proc/78/status	/proc/78/status	ps
/proc/591/cmdline	/proc/591/cmdline	ps
/proc/19/status	/proc/19/status	ps
/proc/78/status	/proc/78/status	ps
/proc/178/status	/proc/178/status	ps
/proc/250/stat	/proc/250/stat	ps
/proc/409/stat	/proc/409/stat	ps
/proc/36/stat	/proc/36/stat	ps
/proc/350/stat	/proc/350/stat	ps
/proc/sys/kernel/osrelease	/proc/sys/kernel/osrelease	kill
/proc/602/cmdline	/proc/602/cmdline	ps
/proc/13/stat	/proc/13/stat	ps
/proc/168/status	/proc/168/status	ps
/proc/3/stat	/proc/3/stat	ps
/proc/389/status	/proc/389/status	ps
/proc/422/stat	/proc/422/stat	ps
/proc/35/status	/proc/35/status	ps
/proc/350/stat	/proc/350/stat	ps
/proc/668/cmdline	/proc/668/cmdline	ps
/proc/203/stat	/proc/203/stat	ps
/proc/352/stat	/proc/352/stat	ps
/proc/16/stat	/proc/16/stat	ps
/proc/202/stat	/proc/202/stat	ps
/proc/12/status	/proc/12/status	ps
/proc/178/status	/proc/178/status	ps
/proc/168/stat	/proc/168/stat	ps
/proc/168/status	/proc/168/status	ps
/proc/175/status	/proc/175/status	ps
/proc/620/status	/proc/620/status	ps
/proc/409/status	/proc/409/status	ps
/proc/366/stat	/proc/366/stat	ps
/proc/382/status	/proc/382/status	ps
/proc/sys/kernel/pid_max	/proc/sys/kernel/pid_max	ps
/proc/163/status	/proc/163/status	ps

Writes file to tmp directory 6 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
/tmp/IptabLes	/tmp/IptabLes	rm
/tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199BCfWrED	/tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199BCfWrED	cp
/tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199	/tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199	cp
/tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199BCfWrED	/tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199BCfWrED	rm
/tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199	/tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199	rm
/tmp/IptabLex	/tmp/IptabLex	rm

/tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199
/tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199
1⤵
PID:593
- /bin/sh
  sh -c /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199BCfWrED
  2⤵
  PID:594
- - /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199BCfWrED
    /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199BCfWrED
    3⤵
    PID:595

/bin/sh
sh -c "/delallmykkks>/dev/null"
1⤵
PID:602
- /delallmykkks
  /delallmykkks
  2⤵
  PID:604
- - /bin/grep
    grep .IptabLex
    3⤵
    PID:608
- - /bin/ps
    ps -f -C .IptabLex
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:607
- - /usr/bin/awk
    awk "{print \$3}"
    3⤵
    PID:610
- - /usr/bin/xargs
    xargs /delallmykkks 2
    3⤵
    PID:613
  - - /delallmykkks
      /delallmykkks 2
      4⤵
      PID:616
- - /bin/grep
    grep .IptabLex
    3⤵
    PID:621
- - /bin/ps
    ps -f -C .IptabLex
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:620
- - /usr/bin/awk
    awk "{print \$3}"
    3⤵
    PID:622
- - /usr/bin/xargs
    xargs /delallmykkks 2
    3⤵
    PID:624
  - - /delallmykkks
      /delallmykkks 2
      4⤵
      PID:630
- - /bin/ps
    ps -f -C .IptabLex
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:632
- - /bin/grep
    grep .IptabLex
    3⤵
    PID:635
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:637
- - /usr/bin/xargs
    xargs /delallmykkks 2
    3⤵
    PID:639
  - - /delallmykkks
      /delallmykkks 2
      4⤵
      PID:640
- - /bin/grep
    grep .IptabLex
    3⤵
    PID:644
- - /bin/ps
    ps -f -C .IptabLex
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:642
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:646
- - /usr/bin/xargs
    xargs /delallmykkks 2
    3⤵
    PID:648
  - - /delallmykkks
      /delallmykkks 2
      4⤵
      PID:650
- - /bin/ps
    ps -axu
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:652
- - /bin/grep
    grep .IptabLex
    3⤵
    PID:654
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:656
- - /usr/bin/xargs
    xargs kill -9
    3⤵
    PID:658
  - - /usr/local/sbin/kill
      kill -9 654
      4⤵
      PID:661
  - - /usr/local/bin/kill
      kill -9 654
      4⤵
      PID:661
  - - /usr/sbin/kill
      kill -9 654
      4⤵
      PID:661
  - - /usr/bin/kill
      kill -9 654
      4⤵
      PID:661
  - - /sbin/kill
      kill -9 654
      4⤵
      PID:661
  - - /bin/kill
      kill -9 654
      4⤵
      Reads CPU attributes
      PID:661
- - /bin/ps
    ps -axu
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:663
- - /bin/grep
    grep .IptabLex
    3⤵
    PID:664
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:667
- - /usr/bin/xargs
    xargs kill -9
    3⤵
    PID:669
  - - /usr/local/sbin/kill
      kill -9 664
      4⤵
      PID:670
  - - /usr/local/bin/kill
      kill -9 664
      4⤵
      PID:670
  - - /usr/sbin/kill
      kill -9 664
      4⤵
      PID:670
  - - /usr/bin/kill
      kill -9 664
      4⤵
      PID:670
  - - /sbin/kill
      kill -9 664
      4⤵
      PID:670
  - - /bin/kill
      kill -9 664
      4⤵
      Reads CPU attributes
      PID:670
- - /usr/bin/xargs
    xargs kill -9
    3⤵
    PID:673
  - - /usr/local/sbin/kill
      kill -9 PID TTY TIME CMD
      4⤵
      PID:676
  - - /usr/local/bin/kill
      kill -9 PID TTY TIME CMD
      4⤵
      PID:676
  - - /usr/sbin/kill
      kill -9 PID TTY TIME CMD
      4⤵
      PID:676
  - - /usr/bin/kill
      kill -9 PID TTY TIME CMD
      4⤵
      PID:676
  - - /sbin/kill
      kill -9 PID TTY TIME CMD
      4⤵
      PID:676
  - - /bin/kill
      kill -9 PID TTY TIME CMD
      4⤵
      Reads CPU attributes
      PID:676
- - /bin/ps
    ps -C .IptabLex
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:672
- - /bin/ps
    ps -C .IptabLex
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:678
- - /usr/bin/xargs
    xargs kill -9
    3⤵
    PID:679
  - - /usr/local/sbin/kill
      kill -9 PID TTY TIME CMD
      4⤵
      PID:683
  - - /usr/local/bin/kill
      kill -9 PID TTY TIME CMD
      4⤵
      PID:683
  - - /usr/sbin/kill
      kill -9 PID TTY TIME CMD
      4⤵
      PID:683
  - - /usr/bin/kill
      kill -9 PID TTY TIME CMD
      4⤵
      PID:683
  - - /sbin/kill
      kill -9 PID TTY TIME CMD
      4⤵
      PID:683
  - - /bin/kill
      kill -9 PID TTY TIME CMD
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:683
- - /usr/bin/xargs
    xargs rm -f
    3⤵
    PID:686
  - - /usr/local/sbin/rm
      rm -f
      4⤵
      PID:689
  - - /usr/local/bin/rm
      rm -f
      4⤵
      PID:689
  - - /usr/sbin/rm
      rm -f
      4⤵
      PID:689
  - - /usr/bin/rm
      rm -f
      4⤵
      PID:689
  - - /sbin/rm
      rm -f
      4⤵
      PID:689
  - - /bin/rm
      rm -f
      4⤵
      PID:689
- - /bin/ps
    ps find / -name "*ptabLex"
    3⤵
    - Reads CPU attributes
    PID:685
- - /bin/ps
    ps find / -name .IptabLex
    3⤵
    - Reads CPU attributes
    PID:690
- - /usr/bin/xargs
    xargs rm -f
    3⤵
    PID:691
  - - /usr/local/sbin/rm
      rm -f
      4⤵
      PID:693
  - - /usr/local/bin/rm
      rm -f
      4⤵
      PID:693
  - - /usr/sbin/rm
      rm -f
      4⤵
      PID:693
  - - /usr/bin/rm
      rm -f
      4⤵
      PID:693
  - - /sbin/rm
      rm -f
      4⤵
      PID:693
  - - /bin/rm
      rm -f
      4⤵
      PID:693
- - /usr/bin/xargs
    xargs rm -f
    3⤵
    PID:697
  - - /usr/local/sbin/rm
      rm -f
      4⤵
      PID:699
  - - /usr/local/bin/rm
      rm -f
      4⤵
      PID:699
  - - /usr/sbin/rm
      rm -f
      4⤵
      PID:699
  - - /usr/bin/rm
      rm -f
      4⤵
      PID:699
  - - /sbin/rm
      rm -f
      4⤵
      PID:699
  - - /bin/rm
      rm -f
      4⤵
      PID:699
- - /bin/ps
    ps find / -name "*ptabLex"
    3⤵
    - Reads CPU attributes
    PID:696
- - /bin/ps
    ps find / -name .IptabLex
    3⤵
    - Reads CPU attributes
    PID:702
- - /usr/bin/xargs
    xargs rm -f
    3⤵
    PID:703
  - - /usr/local/sbin/rm
      rm -f
      4⤵
      PID:705
  - - /usr/local/bin/rm
      rm -f
      4⤵
      PID:705
  - - /usr/sbin/rm
      rm -f
      4⤵
      PID:705
  - - /usr/bin/rm
      rm -f
      4⤵
      PID:705
  - - /sbin/rm
      rm -f
      4⤵
      PID:705
  - - /bin/rm
      rm -f
      4⤵
      PID:705
- - /bin/rm
    rm -f /boot/.stabip
    3⤵
    PID:707
- - /bin/rm
    rm -f /boot/.IptabLex
    3⤵
    PID:709
- - /bin/rm
    rm -f /etc/rc.d/init.d/IptabLex
    3⤵
    PID:710
- - /bin/rm
    rm -f /boot/IptabLex
    3⤵
    PID:711
- - /bin/rm
    rm -f /tmp/IptabLex
    3⤵
    - Writes file to tmp directory
    PID:713
- - /bin/rm
    rm -f /usr/IptabLex
    3⤵
    PID:714
- - /bin/rm
    rm -f /usr/.IptabLex
    3⤵
    PID:717
- - /bin/rm
    rm -f "/etc/rc.d/rc4.d/*IptabLex"
    3⤵
    PID:719
- - /bin/rm
    rm -f "/etc/rc.d/rc1.d/*IptabLex"
    3⤵
    PID:720
- - /bin/rm
    rm -f "/etc/rc.d/rc2.d/*IptabLex"
    3⤵
    PID:722
- - /bin/rm
    rm -f "/etc/rc.d/rc3.d/*IptabLex"
    3⤵
    PID:724
- - /bin/rm
    rm -f "/etc/rc.d/rc0.d/*IptabLex"
    3⤵
    PID:726
- - /bin/rm
    rm -f "/etc/rc.d/rc5.d/*IptabLex"
    3⤵
    PID:728
- - /bin/rm
    rm -f "/etc/rc.d/rc6.d/*IptabLex"
    3⤵
    PID:730
- - /bin/rm
    rm -f /etc/init.d/IptabLex
    3⤵
    - Modifies init.d
    PID:731
- - /bin/rm
    rm -f "/etc/rc4.d/*IptabLex"
    3⤵
    - Modifies rc script
    PID:733
- - /bin/rm
    rm -f "/etc/rc1.d/*IptabLex"
    3⤵
    - Modifies rc script
    PID:735
- - /bin/rm
    rm -f "/etc/rc2.d/*IptabLex"
    3⤵
    - Modifies rc script
    PID:737
- - /bin/rm
    rm -f "/etc/rc3.d/*IptabLex"
    3⤵
    - Modifies rc script
    PID:739
- - /bin/rm
    rm -f "/etc/rc0.d/*IptabLex"
    3⤵
    - Modifies rc script
    PID:741
- - /bin/rm
    rm -f "/etc/rc5.d/*IptabLex"
    3⤵
    - Modifies rc script
    PID:743
- - /bin/rm
    rm -f "/etc/rc6.d/*IptabLex"
    3⤵
    - Modifies rc script
    PID:746
- - /bin/rm
    rm -rf /delallmykkks
    3⤵
    PID:747

/bin/sh
sh -c "/delallmykkk>/dev/null"
1⤵
PID:606
- /delallmykkk
  /delallmykkk
  2⤵
  PID:609
- - /bin/ps
    ps -f -C .IptabLes
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:611
- - /bin/grep
    grep .IptabLes
    3⤵
    PID:612
- - /usr/bin/awk
    awk "{print \$3}"
    3⤵
    PID:614
- - /usr/bin/xargs
    xargs /delallmykkk 2
    3⤵
    PID:615
  - - /delallmykkk
      /delallmykkk 2
      4⤵
      PID:617
- - /bin/ps
    ps -f -C .IptabLes
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:618
- - /bin/grep
    grep .IptabLes
    3⤵
    PID:619
- - /usr/bin/awk
    awk "{print \$3}"
    3⤵
    PID:623
- - /usr/bin/xargs
    xargs /delallmykkk 2
    3⤵
    PID:625
  - - /delallmykkk
      /delallmykkk 2
      4⤵
      PID:631
- - /bin/grep
    grep .IptabLes
    3⤵
    PID:634
- - /bin/ps
    ps -f -C .IptabLes
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:633
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:636
- - /usr/bin/xargs
    xargs /delallmykkk 2
    3⤵
    PID:638
  - - /delallmykkk
      /delallmykkk 2
      4⤵
      PID:641
- - /bin/ps
    ps -f -C .IptabLes
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:643
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:647
- - /bin/grep
    grep .IptabLes
    3⤵
    PID:645
- - /usr/bin/xargs
    xargs /delallmykkk 2
    3⤵
    PID:649
  - - /delallmykkk
      /delallmykkk 2
      4⤵
      PID:651
- - /bin/ps
    ps -axu
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:653
- - /bin/grep
    grep .IptabLes
    3⤵
    PID:655
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:657
- - /usr/bin/xargs
    xargs kill -9
    3⤵
    PID:659
  - - /usr/local/sbin/kill
      kill -9 655
      4⤵
      PID:660
  - - /usr/local/bin/kill
      kill -9 655
      4⤵
      PID:660
  - - /usr/sbin/kill
      kill -9 655
      4⤵
      PID:660
  - - /usr/bin/kill
      kill -9 655
      4⤵
      PID:660
  - - /sbin/kill
      kill -9 655
      4⤵
      PID:660
  - - /bin/kill
      kill -9 655
      4⤵
      Reads CPU attributes
      PID:660
- - /bin/grep
    grep .IptabLes
    3⤵
    PID:665
- - /bin/ps
    ps -axu
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:662
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:666
- - /usr/bin/xargs
    xargs kill -9
    3⤵
    PID:668
  - - /usr/local/sbin/kill
      kill -9 665
      4⤵
      PID:671
  - - /usr/local/bin/kill
      kill -9 665
      4⤵
      PID:671
  - - /usr/sbin/kill
      kill -9 665
      4⤵
      PID:671
  - - /usr/bin/kill
      kill -9 665
      4⤵
      PID:671
  - - /sbin/kill
      kill -9 665
      4⤵
      PID:671
  - - /bin/kill
      kill -9 665
      4⤵
      Reads CPU attributes
      PID:671
- - /usr/bin/xargs
    xargs kill -9
    3⤵
    PID:675
  - - /usr/local/sbin/kill
      kill -9 PID TTY TIME CMD
      4⤵
      PID:677
  - - /usr/local/bin/kill
      kill -9 PID TTY TIME CMD
      4⤵
      PID:677
  - - /usr/sbin/kill
      kill -9 PID TTY TIME CMD
      4⤵
      PID:677
  - - /usr/bin/kill
      kill -9 PID TTY TIME CMD
      4⤵
      PID:677
  - - /sbin/kill
      kill -9 PID TTY TIME CMD
      4⤵
      PID:677
  - - /bin/kill
      kill -9 PID TTY TIME CMD
      4⤵
      Reads CPU attributes
      PID:677
- - /bin/ps
    ps -C .IptabLes
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:674
- - /bin/grep
    grep .IptabLes
    3⤵
    PID:681
- - /bin/ps
    ps -C .IptabLes
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:680
- - /usr/bin/xargs
    xargs kill -9
    3⤵
    PID:682
  - - /usr/local/sbin/kill
      kill -9
      4⤵
      PID:684
  - - /usr/local/bin/kill
      kill -9
      4⤵
      PID:684
  - - /usr/sbin/kill
      kill -9
      4⤵
      PID:684
  - - /usr/bin/kill
      kill -9
      4⤵
      PID:684
  - - /sbin/kill
      kill -9
      4⤵
      PID:684
  - - /bin/kill
      kill -9
      4⤵
      Reads CPU attributes
      PID:684
- - /usr/bin/xargs
    xargs rm -f
    3⤵
    PID:688
  - - /usr/local/sbin/rm
      rm -f
      4⤵
      PID:692
  - - /usr/local/bin/rm
      rm -f
      4⤵
      PID:692
  - - /usr/sbin/rm
      rm -f
      4⤵
      PID:692
  - - /usr/bin/rm
      rm -f
      4⤵
      PID:692
  - - /sbin/rm
      rm -f
      4⤵
      PID:692
  - - /bin/rm
      rm -f
      4⤵
      PID:692
- - /bin/ps
    ps find / -name "*ptabLes"
    3⤵
    - Reads CPU attributes
    PID:687
- - /bin/ps
    ps find / -name .IptabLes
    3⤵
    - Reads CPU attributes
    PID:694
- - /usr/bin/xargs
    xargs rm -f
    3⤵
    PID:695
  - - /usr/local/sbin/rm
      rm -f
      4⤵
      PID:698
  - - /usr/local/bin/rm
      rm -f
      4⤵
      PID:698
  - - /usr/sbin/rm
      rm -f
      4⤵
      PID:698
  - - /usr/bin/rm
      rm -f
      4⤵
      PID:698
  - - /sbin/rm
      rm -f
      4⤵
      PID:698
  - - /bin/rm
      rm -f
      4⤵
      PID:698
- - /bin/ps
    ps find / -name "*ptabLes"
    3⤵
    - Reads CPU attributes
    PID:700
- - /usr/bin/xargs
    xargs rm -f
    3⤵
    PID:701
  - - /usr/local/sbin/rm
      rm -f
      4⤵
      PID:704
  - - /usr/local/bin/rm
      rm -f
      4⤵
      PID:704
  - - /usr/sbin/rm
      rm -f
      4⤵
      PID:704
  - - /usr/bin/rm
      rm -f
      4⤵
      PID:704
  - - /sbin/rm
      rm -f
      4⤵
      PID:704
  - - /bin/rm
      rm -f
      4⤵
      PID:704
- - /bin/ps
    ps find / -name .IptabLes
    3⤵
    - Reads CPU attributes
    PID:706
- - /usr/bin/xargs
    xargs rm -f
    3⤵
    PID:708
  - - /usr/local/sbin/rm
      rm -f
      4⤵
      PID:712
  - - /usr/local/bin/rm
      rm -f
      4⤵
      PID:712
  - - /usr/sbin/rm
      rm -f
      4⤵
      PID:712
  - - /usr/bin/rm
      rm -f
      4⤵
      PID:712
  - - /sbin/rm
      rm -f
      4⤵
      PID:712
  - - /bin/rm
      rm -f
      4⤵
      PID:712
- - /bin/rm
    rm -f /boot/.stabip
    3⤵
    PID:715
- - /bin/rm
    rm -f /boot/.IptabLes
    3⤵
    PID:716
- - /bin/rm
    rm -f /etc/rc.d/init.d/IptabLes
    3⤵
    PID:718
- - /bin/rm
    rm -f /boot/IptabLes
    3⤵
    PID:721
- - /bin/rm
    rm -f /tmp/IptabLes
    3⤵
    - Writes file to tmp directory
    PID:723
- - /bin/rm
    rm -f /usr/IptabLes
    3⤵
    PID:725
- - /bin/rm
    rm -f /usr/.IptabLes
    3⤵
    PID:727
- - /bin/rm
    rm -f "/etc/rc.d/rc4.d/*IptabLes"
    3⤵
    PID:729
- - /bin/rm
    rm -f "/etc/rc.d/rc1.d/*IptabLes"
    3⤵
    PID:732
- - /bin/rm
    rm -f "/etc/rc.d/rc2.d/*IptabLes"
    3⤵
    PID:734
- - /bin/rm
    rm -f "/etc/rc.d/rc3.d/*IptabLes"
    3⤵
    PID:736
- - /bin/rm
    rm -f "/etc/rc.d/rc0.d/*IptabLes"
    3⤵
    PID:738
- - /bin/rm
    rm -f "/etc/rc.d/rc5.d/*IptabLes"
    3⤵
    PID:740
- - /bin/rm
    rm -f "/etc/rc.d/rc6.d/*IptabLes"
    3⤵
    PID:742
- - /bin/rm
    rm -f /etc/init.d/IptabLes
    3⤵
    - Modifies init.d
    PID:744
- - /bin/rm
    rm -f "/etc/rc4.d/*IptabLes"
    3⤵
    - Modifies rc script
    PID:745
- - /bin/rm
    rm -f "/etc/rc1.d/*IptabLes"
    3⤵
    - Modifies rc script
    PID:748
- - /bin/rm
    rm -f "/etc/rc2.d/*IptabLes"
    3⤵
    - Modifies rc script
    PID:750
- - /bin/rm
    rm -f "/etc/rc3.d/*IptabLes"
    3⤵
    - Modifies rc script
    PID:752
- - /bin/rm
    rm -f "/etc/rc0.d/*IptabLes"
    3⤵
    - Modifies rc script
    PID:753
- - /bin/rm
    rm -f "/etc/rc5.d/*IptabLes"
    3⤵
    - Modifies rc script
    PID:755
- - /bin/rm
    rm -f "/etc/rc6.d/*IptabLes"
    3⤵
    - Modifies rc script
    PID:757
- - /bin/rm
    rm -rf /delallmykkk
    3⤵
    PID:759

/bin/sh
sh -c "nohup cp /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199BCfWrED /boot/.IptabLex>/dev/null"
1⤵
PID:749
- /usr/bin/nohup
  nohup cp /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199BCfWrED /boot/.IptabLex
  2⤵
  PID:751
- /usr/local/sbin/cp
  cp /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199BCfWrED /boot/.IptabLex
  2⤵
  PID:751
- /usr/local/bin/cp
  cp /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199BCfWrED /boot/.IptabLex
  2⤵
  PID:751
- /usr/sbin/cp
  cp /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199BCfWrED /boot/.IptabLex
  2⤵
  PID:751
- /usr/bin/cp
  cp /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199BCfWrED /boot/.IptabLex
  2⤵
  PID:751
- /sbin/cp
  cp /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199BCfWrED /boot/.IptabLex
  2⤵
  PID:751
- /bin/cp
  cp /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199BCfWrED /boot/.IptabLex
  2⤵
  - Writes file to tmp directory
  PID:751

/bin/sh
sh -c /etc/rc2.d/S55IptabLex
1⤵
PID:754
- /etc/rc2.d/S55IptabLex
  /etc/rc2.d/S55IptabLex
  2⤵
  PID:756

/bin/sh
sh -c /etc/rc3.d/S55IptabLex
1⤵
PID:758
- /etc/rc3.d/S55IptabLex
  /etc/rc3.d/S55IptabLex
  2⤵
  PID:760

/bin/sh
sh -c /etc/rc4.d/S55IptabLex
1⤵
PID:761
- /etc/rc4.d/S55IptabLex
  /etc/rc4.d/S55IptabLex
  2⤵
  PID:763

/bin/sh
sh -c "nohup cp /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199 /boot/.IptabLes>/dev/null"
1⤵
PID:762
- /usr/bin/nohup
  nohup cp /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199 /boot/.IptabLes
  2⤵
  PID:764
- /usr/local/sbin/cp
  cp /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199 /boot/.IptabLes
  2⤵
  PID:764
- /usr/local/bin/cp
  cp /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199 /boot/.IptabLes
  2⤵
  PID:764
- /usr/sbin/cp
  cp /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199 /boot/.IptabLes
  2⤵
  PID:764
- /usr/bin/cp
  cp /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199 /boot/.IptabLes
  2⤵
  PID:764
- /sbin/cp
  cp /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199 /boot/.IptabLes
  2⤵
  PID:764
- /bin/cp
  cp /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199 /boot/.IptabLes
  2⤵
  - Writes file to tmp directory
  PID:764

/bin/sh
sh -c /etc/rc5.d/S55IptabLex
1⤵
PID:765
- /etc/rc5.d/S55IptabLex
  /etc/rc5.d/S55IptabLex
  2⤵
  PID:766

/bin/sh
sh -c /boot/IptabLex
1⤵
PID:767
- /boot/IptabLex
  /boot/IptabLex
  2⤵
  PID:768
- - /boot/.IptabLex
    /boot/.IptabLex
    3⤵
    PID:771

/bin/sh
sh -c /etc/rc2.d/S55IptabLes
1⤵
PID:769
- /etc/rc2.d/S55IptabLes
  /etc/rc2.d/S55IptabLes
  2⤵
  PID:770

/bin/sh
sh -c /etc/rc3.d/S55IptabLes
1⤵
PID:772
- /etc/rc3.d/S55IptabLes
  /etc/rc3.d/S55IptabLes
  2⤵
  PID:773

/bin/sh
sh -c "nohup sh /delxxaazzx>/dev/null&"
1⤵
PID:775
- /usr/bin/nohup
  nohup sh /delxxaazzx
  2⤵
  PID:780
- /usr/local/sbin/sh
  sh /delxxaazzx
  2⤵
  PID:780
- /usr/local/bin/sh
  sh /delxxaazzx
  2⤵
  PID:780
- /usr/sbin/sh
  sh /delxxaazzx
  2⤵
  PID:780
- /usr/bin/sh
  sh /delxxaazzx
  2⤵
  PID:780
- /sbin/sh
  sh /delxxaazzx
  2⤵
  PID:780
- /bin/sh
  sh /delxxaazzx
  2⤵
  PID:780
- - /bin/sleep
    sleep 3
    3⤵
    PID:783
- - /bin/sleep
    sleep 1
    3⤵
    PID:797
- - /bin/rm
    rm -f /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199BCfWrED
    3⤵
    - Writes file to tmp directory
    PID:799
- - /bin/rm
    rm -rf /delxxaazzx
    3⤵
    PID:800

/bin/sh
sh -c /etc/rc4.d/S55IptabLes
1⤵
PID:781
- /etc/rc4.d/S55IptabLes
  /etc/rc4.d/S55IptabLes
  2⤵
  PID:782

/bin/sh
sh -c /etc/rc5.d/S55IptabLes
1⤵
PID:784
- /etc/rc5.d/S55IptabLes
  /etc/rc5.d/S55IptabLes
  2⤵
  PID:785

/bin/sh
sh -c /boot/IptabLes
1⤵
PID:786
- /boot/IptabLes
  /boot/IptabLes
  2⤵
  PID:787
- - /boot/.IptabLes
    /boot/.IptabLes
    3⤵
    PID:788

/bin/sh
sh -c "nohup sh /delxxaazz>/dev/null&"
1⤵
PID:790
- /usr/bin/nohup
  nohup sh /delxxaazz
  2⤵
  PID:795
- /usr/local/sbin/sh
  sh /delxxaazz
  2⤵
  PID:795
- /usr/local/bin/sh
  sh /delxxaazz
  2⤵
  PID:795
- /usr/sbin/sh
  sh /delxxaazz
  2⤵
  PID:795
- /usr/bin/sh
  sh /delxxaazz
  2⤵
  PID:795
- /sbin/sh
  sh /delxxaazz
  2⤵
  PID:795
- /bin/sh
  sh /delxxaazz
  2⤵
  PID:795
- - /bin/sleep
    sleep 3
    3⤵
    PID:796
- - /bin/sleep
    sleep 1
    3⤵
    PID:798
- - /bin/rm
    rm -f /tmp/10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199
    3⤵
    - Writes file to tmp directory
    PID:801
- - /bin/rm
    rm -rf /delxxaazz
    3⤵
    PID:802

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

description	ioc	Process
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	kill
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	kill
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	kill
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	kill
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	kill
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	kill
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	kill
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	kill

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads