iptablez | 12954da8d252fdb02bc2293a11804c701bc7e1ecd01fd4feb79d40300dd0e578

Analysis

max time kernel
146s
max time network
150s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231222-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231222-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22-12-2023 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

/getsetup.hb
Size

1.0MB
MD5

9966d5db77f247070fcac9590a3fde80
SHA1

ec0fdb1333443a7c0442dd279626bf8d58eb8cbb
SHA256

10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199
SHA512

e6a468cdfd9f720b217069f0dddc012b8549a834862d287ea101914503a048f644085c16b534b2b7418686b792a9ee0cb1e32977751d648d57ed0241bed17131
SSDEEP

24576:L8TklemVE3JnQaQAcA+xk3ZeRXP1qjStp/vtq6bUn5V:2IemVE6aQyTpexwyVOn5V

Score

10^/10

iptablez backdoor

Malware Config

Signatures

Detected IptabLes/IptabLez backdoor 2 IoCs

Processes:

resource	yara_rule
/boot/.IptabLex	family_iptablez
/boot/.IptabLes	family_iptablez

IptabLes/IptabLez Backdoor
Linux RAT/backdoor which has been around since 2014.
backdoor iptablez

Executes dropped EXE 14 IoCs

Processes:

delallmykkksdelallmykkkdelallmykkksdelallmykkkdelallmykkkdelallmykkksdelallmykkkdelallmykkksdelallmykkkdelallmykkksIptabLex.IptabLexIptabLes.IptabLes

ioc	pid	process
/delallmykkks	1565	delallmykkks
/delallmykkk	1570	delallmykkk
/delallmykkks	1577	delallmykkks
/delallmykkk	1578	delallmykkk
/delallmykkk	1587	delallmykkk
/delallmykkks	1588	delallmykkks
/delallmykkk	1597	delallmykkk
/delallmykkks	1598	delallmykkks
/delallmykkk	1607	delallmykkk
/delallmykkks	1608	delallmykkks
/boot/IptabLex	1733	IptabLex
/boot/.IptabLex	1736	.IptabLex
/boot/IptabLes	1747	IptabLes
/boot/.IptabLes	1748	.IptabLes

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 32 IoCs

System Information Discovery

T1082

Processes:

killpspspspspspspskillkillpspspspspspspspspspskillkillkillpspspspskillkillpspsps

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

pspspspspspspspspspspspspspspspsps

description	ioc	process
File opened for reading	/proc/78/status	ps
File opened for reading	/proc/78/status	ps
File opened for reading	/proc/334/cmdline	ps
File opened for reading	/proc/629/cmdline	ps
File opened for reading	/proc/629/status	ps
File opened for reading	/proc/1148/status	ps
File opened for reading	/proc/446/status	ps
File opened for reading	/proc/1643/stat	ps
File opened for reading	/proc/855/cmdline	ps
File opened for reading	/proc/3/cmdline	ps
File opened for reading	/proc/1456/stat	ps
File opened for reading	/proc/576/stat	ps
File opened for reading	/proc/597/stat	ps
File opened for reading	/proc/1163/stat	ps
File opened for reading	/proc/uptime	ps
File opened for reading	/proc/115/cmdline	ps
File opened for reading	/proc/1140/status	ps
File opened for reading	/proc/self/stat	ps
File opened for reading	/proc/452/stat	ps
File opened for reading	/proc/198/stat	ps
File opened for reading	/proc/1275/cmdline	ps
File opened for reading	/proc/20/status	ps
File opened for reading	/proc/29/cmdline	ps
File opened for reading	/proc/16/stat	ps
File opened for reading	/proc/650/cmdline	ps
File opened for reading	/proc/12/status	ps
File opened for reading	/proc/1081/stat	ps
File opened for reading	/proc/1114/status	ps
File opened for reading	/proc/977/cmdline	ps
File opened for reading	/proc/32/status	ps
File opened for reading	/proc/483/stat	ps
File opened for reading	/proc/21/status	ps
File opened for reading	/proc/115/cmdline	ps
File opened for reading	/proc/1291/status	ps
File opened for reading	/proc/855/cmdline	ps
File opened for reading	/proc/1298/stat	ps
File opened for reading	/proc/26/status	ps
File opened for reading	/proc/488/stat	ps
File opened for reading	/proc/158/stat	ps
File opened for reading	/proc/246/cmdline	ps
File opened for reading	/proc/334/cmdline	ps
File opened for reading	/proc/449/stat	ps
File opened for reading	/proc/169/cmdline	ps
File opened for reading	/proc/1126/cmdline	ps
File opened for reading	/proc/1275/stat	ps
File opened for reading	/proc/440/stat	ps
File opened for reading	/proc/sys/kernel/osrelease	ps
File opened for reading	/proc/506/status	ps
File opened for reading	/proc/643/stat	ps
File opened for reading	/proc/449/stat	ps
File opened for reading	/proc/977/status	ps
File opened for reading	/proc/13/stat	ps
File opened for reading	/proc/1150/cmdline	ps
File opened for reading	/proc/1101/status	ps
File opened for reading	/proc/17/cmdline	ps
File opened for reading	/proc/576/cmdline	ps
File opened for reading	/proc/507/stat	ps
File opened for reading	/proc/1456/stat	ps
File opened for reading	/proc/83/cmdline	ps
File opened for reading	/proc/855/status	ps
File opened for reading	/proc/89/cmdline	ps
File opened for reading	/proc/1634/stat	ps
File opened for reading	/proc/20/stat	ps
File opened for reading	/proc/1049/cmdline	ps

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

getsetup.hb

description ioc process

File opened for modification /tmp//getsetup.hbBCfWrED getsetup.hb

description	ioc	process
File opened for modification	/tmp//getsetup.hbBCfWrED	getsetup.hb

/tmp//getsetup.hb
"/tmp//getsetup.hb"
1⤵
- Writes file to tmp directory
PID:1554

/bin/sh
sh -c "/tmp//getsetup.hbBCfWrED"
2⤵
PID:1555

/tmp//getsetup.hbBCfWrED
"/tmp//getsetup.hbBCfWrED"
3⤵
PID:1556

/bin/sh
sh -c "/delallmykkks>/dev/null"
1⤵
PID:1564

/delallmykkks
/delallmykkks
2⤵
- Executes dropped EXE
PID:1565

/bin/ps
ps -f -C .IptabLex
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1568

/bin/grep
grep .IptabLex
3⤵
PID:1569

/usr/bin/awk
awk "{print \$3}"
3⤵
PID:1573

/usr/bin/xargs
xargs /delallmykkks 2
3⤵
PID:1575

/delallmykkks
/delallmykkks 2
4⤵
- Executes dropped EXE
PID:1577

/bin/ps
ps -f -C .IptabLex
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1579

/bin/grep
grep .IptabLex
3⤵
PID:1581

/usr/bin/awk
awk "{print \$3}"
3⤵
PID:1583

/usr/bin/xargs
xargs /delallmykkks 2
3⤵
PID:1586

/delallmykkks
/delallmykkks 2
4⤵
- Executes dropped EXE
PID:1588

/usr/bin/xargs
xargs /delallmykkks 2
3⤵
PID:1596

/delallmykkks
/delallmykkks 2
4⤵
- Executes dropped EXE
PID:1598

/usr/bin/awk
awk "{print \$2}"
3⤵
PID:1595

/bin/grep
grep .IptabLex
3⤵
PID:1594

/bin/ps
ps -f -C .IptabLex
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1592

/usr/bin/xargs
xargs /delallmykkks 2
3⤵
PID:1606

/delallmykkks
/delallmykkks 2
4⤵
- Executes dropped EXE
PID:1608

/usr/bin/awk
awk "{print \$2}"
3⤵
PID:1605

/bin/grep
grep .IptabLex
3⤵
PID:1604

/bin/ps
ps -f -C .IptabLex
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1603

/bin/ps
ps -axu
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1612

/bin/grep
grep .IptabLex
3⤵
PID:1613

/usr/bin/awk
awk "{print \$2}"
3⤵
PID:1615

/usr/bin/xargs
xargs kill -9
3⤵
PID:1616

/usr/local/sbin/kill
kill -9 1613
4⤵
PID:1622

/usr/local/bin/kill
kill -9 1613
4⤵
PID:1622

/usr/sbin/kill
kill -9 1613
4⤵
PID:1622

/usr/bin/kill
kill -9 1613
4⤵
PID:1622

/sbin/kill
kill -9 1613
4⤵
PID:1622

/bin/kill
kill -9 1613
4⤵
- Reads CPU attributes
PID:1622

/usr/bin/xargs
xargs kill -9
3⤵
PID:1626

/usr/local/sbin/kill
kill -9 1624
4⤵
PID:1630

/usr/local/bin/kill
kill -9 1624
4⤵
PID:1630

/usr/sbin/kill
kill -9 1624
4⤵
PID:1630

/usr/bin/kill
kill -9 1624
4⤵
PID:1630

/sbin/kill
kill -9 1624
4⤵
PID:1630

/bin/kill
kill -9 1624
4⤵
- Reads CPU attributes
PID:1630

/usr/bin/awk
awk "{print \$2}"
3⤵
PID:1625

/bin/grep
grep .IptabLex
3⤵
PID:1624

/bin/ps
ps -axu
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1623

/usr/bin/xargs
xargs kill -9
3⤵
PID:1632

/usr/local/sbin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:1638

/usr/local/bin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:1638

/usr/sbin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:1638

/usr/bin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:1638

/sbin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:1638

/bin/kill
kill -9 PID TTY TIME CMD
4⤵
- Reads CPU attributes
PID:1638

/bin/ps
ps -C .IptabLex
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1631

/usr/bin/xargs
xargs kill -9
3⤵
PID:1643

/usr/local/sbin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:1646

/usr/local/bin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:1646

/usr/sbin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:1646

/usr/bin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:1646

/sbin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:1646

/bin/kill
kill -9 PID TTY TIME CMD
4⤵
- Reads CPU attributes
PID:1646

/bin/ps
ps -C .IptabLex
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1642

/usr/bin/xargs
xargs rm -f
3⤵
PID:1650

/usr/local/sbin/rm
rm -f
4⤵
PID:1651

/usr/local/bin/rm
rm -f
4⤵
PID:1651

/usr/sbin/rm
rm -f
4⤵
PID:1651

/usr/bin/rm
rm -f
4⤵
PID:1651

/sbin/rm
rm -f
4⤵
PID:1651

/bin/rm
rm -f
4⤵
PID:1651

/bin/ps
ps find / -name "*ptabLex"
3⤵
- Reads CPU attributes
PID:1649

/usr/bin/xargs
xargs rm -f
3⤵
PID:1653

/usr/local/sbin/rm
rm -f
4⤵
PID:1656

/usr/local/bin/rm
rm -f
4⤵
PID:1656

/usr/sbin/rm
rm -f
4⤵
PID:1656

/usr/bin/rm
rm -f
4⤵
PID:1656

/sbin/rm
rm -f
4⤵
PID:1656

/bin/rm
rm -f
4⤵
PID:1656

/bin/ps
ps find / -name .IptabLex
3⤵
- Reads CPU attributes
PID:1652

/usr/bin/xargs
xargs rm -f
3⤵
PID:1658

/usr/local/sbin/rm
rm -f
4⤵
PID:1662

/usr/local/bin/rm
rm -f
4⤵
PID:1662

/usr/sbin/rm
rm -f
4⤵
PID:1662

/usr/bin/rm
rm -f
4⤵
PID:1662

/sbin/rm
rm -f
4⤵
PID:1662

/bin/rm
rm -f
4⤵
PID:1662

/bin/ps
ps find / -name "*ptabLex"
3⤵
- Reads CPU attributes
PID:1657

/usr/bin/xargs
xargs rm -f
3⤵
PID:1664

/usr/local/sbin/rm
rm -f
4⤵
PID:1668

/usr/local/bin/rm
rm -f
4⤵
PID:1668

/usr/sbin/rm
rm -f
4⤵
PID:1668

/usr/bin/rm
rm -f
4⤵
PID:1668

/sbin/rm
rm -f
4⤵
PID:1668

/bin/rm
rm -f
4⤵
PID:1668

/bin/ps
ps find / -name .IptabLex
3⤵
- Reads CPU attributes
PID:1663

/bin/rm
rm -f /boot/.stabip
3⤵
PID:1669

/bin/rm
rm -f /boot/.IptabLex
3⤵
PID:1671

/bin/rm
rm -f /etc/rc.d/init.d/IptabLex
3⤵
PID:1672

/bin/rm
rm -f /boot/IptabLex
3⤵
PID:1676

/bin/rm
rm -f /tmp/IptabLex
3⤵
PID:1677

/bin/rm
rm -f /usr/IptabLex
3⤵
PID:1678

/bin/rm
rm -f /usr/.IptabLex
3⤵
PID:1680

/bin/rm
rm -f "/etc/rc.d/rc4.d/*IptabLex"
3⤵
PID:1682

/bin/rm
rm -f "/etc/rc.d/rc1.d/*IptabLex"
3⤵
PID:1684

/bin/rm
rm -f "/etc/rc.d/rc2.d/*IptabLex"
3⤵
PID:1687

/bin/rm
rm -f "/etc/rc.d/rc3.d/*IptabLex"
3⤵
PID:1689

/bin/rm
rm -f "/etc/rc.d/rc0.d/*IptabLex"
3⤵
PID:1691

/bin/rm
rm -f "/etc/rc.d/rc5.d/*IptabLex"
3⤵
PID:1692

/bin/rm
rm -f "/etc/rc.d/rc6.d/*IptabLex"
3⤵
PID:1694

/bin/rm
rm -f /etc/init.d/IptabLex
3⤵
PID:1697

/bin/rm
rm -f "/etc/rc4.d/*IptabLex"
3⤵
PID:1701

/bin/rm
rm -f "/etc/rc1.d/*IptabLex"
3⤵
PID:1703

/bin/rm
rm -f "/etc/rc2.d/*IptabLex"
3⤵
PID:1705

/bin/rm
rm -f "/etc/rc3.d/*IptabLex"
3⤵
PID:1706

/bin/rm
rm -f "/etc/rc0.d/*IptabLex"
3⤵
PID:1708

/bin/rm
rm -f "/etc/rc5.d/*IptabLex"
3⤵
PID:1710

/bin/rm
rm -f "/etc/rc6.d/*IptabLex"
3⤵
PID:1713

/bin/rm
rm -rf /delallmykkks
3⤵
PID:1715

/bin/sh
sh -c "/delallmykkk>/dev/null"
1⤵
PID:1567

/delallmykkk
/delallmykkk
2⤵
- Executes dropped EXE
PID:1570

/bin/ps
ps -f -C .IptabLes
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1571

/bin/grep
grep .IptabLes
3⤵
PID:1572

/usr/bin/awk
awk "{print \$3}"
3⤵
PID:1574

/usr/bin/xargs
xargs /delallmykkk 2
3⤵
PID:1576

/delallmykkk
/delallmykkk 2
4⤵
- Executes dropped EXE
PID:1578

/bin/ps
ps -f -C .IptabLes
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1580

/bin/grep
grep .IptabLes
3⤵
PID:1582

/usr/bin/awk
awk "{print \$3}"
3⤵
PID:1584

/usr/bin/xargs
xargs /delallmykkk 2
3⤵
PID:1585

/delallmykkk
/delallmykkk 2
4⤵
- Executes dropped EXE
PID:1587

/usr/bin/awk
awk "{print \$2}"
3⤵
PID:1591

/bin/grep
grep .IptabLes
3⤵
PID:1590

/usr/bin/xargs
xargs /delallmykkk 2
3⤵
PID:1593

/delallmykkk
/delallmykkk 2
4⤵
- Executes dropped EXE
PID:1597

/bin/ps
ps -f -C .IptabLes
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1589

/usr/bin/xargs
xargs /delallmykkk 2
3⤵
PID:1602

/delallmykkk
/delallmykkk 2
4⤵
- Executes dropped EXE
PID:1607

/usr/bin/awk
awk "{print \$2}"
3⤵
PID:1601

/bin/grep
grep .IptabLes
3⤵
PID:1600

/bin/ps
ps -f -C .IptabLes
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1599

/usr/bin/awk
awk "{print \$2}"
3⤵
PID:1611

/usr/bin/xargs
xargs kill -9
3⤵
PID:1614

/usr/local/sbin/kill
kill -9 1610
4⤵
PID:1617

/usr/local/bin/kill
kill -9 1610
4⤵
PID:1617

/usr/sbin/kill
kill -9 1610
4⤵
PID:1617

/usr/bin/kill
kill -9 1610
4⤵
PID:1617

/sbin/kill
kill -9 1610
4⤵
PID:1617

/bin/kill
kill -9 1610
4⤵
- Reads CPU attributes
PID:1617

/bin/grep
grep .IptabLes
3⤵
PID:1610

/bin/ps
ps -axu
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1609

/usr/bin/xargs
xargs kill -9
3⤵
PID:1621

/usr/local/sbin/kill
kill -9 1619
4⤵
PID:1627

/usr/local/bin/kill
kill -9 1619
4⤵
PID:1627

/usr/sbin/kill
kill -9 1619
4⤵
PID:1627

/usr/bin/kill
kill -9 1619
4⤵
PID:1627

/sbin/kill
kill -9 1619
4⤵
PID:1627

/bin/kill
kill -9 1619
4⤵
- Reads CPU attributes
PID:1627

/usr/bin/awk
awk "{print \$2}"
3⤵
PID:1620

/bin/grep
grep .IptabLes
3⤵
PID:1619

/bin/ps
ps -axu
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1618

/usr/bin/xargs
xargs kill -9
3⤵
PID:1629

/usr/local/sbin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:1633

/usr/local/bin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:1633

/usr/sbin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:1633

/usr/bin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:1633

/sbin/kill
kill -9 PID TTY TIME CMD
4⤵
PID:1633

/bin/kill
kill -9 PID TTY TIME CMD
4⤵
- Reads CPU attributes
PID:1633

/bin/ps
ps -C .IptabLes
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1628

/usr/bin/xargs
xargs kill -9
3⤵
PID:1637

/usr/local/sbin/kill
kill -9
4⤵
PID:1644

/usr/local/bin/kill
kill -9
4⤵
PID:1644

/usr/sbin/kill
kill -9
4⤵
PID:1644

/usr/bin/kill
kill -9
4⤵
PID:1644

/sbin/kill
kill -9
4⤵
PID:1644

/bin/kill
kill -9
4⤵
- Reads CPU attributes
PID:1644

/bin/grep
grep .IptabLes
3⤵
PID:1636

/bin/ps
ps -C .IptabLes
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1635

/bin/ps
ps find / -name "*ptabLes"
3⤵
- Reads CPU attributes
PID:1645

/usr/bin/xargs
xargs rm -f
3⤵
PID:1647

/usr/local/sbin/rm
rm -f
4⤵
PID:1648

/usr/local/bin/rm
rm -f
4⤵
PID:1648

/usr/sbin/rm
rm -f
4⤵
PID:1648

/usr/bin/rm
rm -f
4⤵
PID:1648

/sbin/rm
rm -f
4⤵
PID:1648

/bin/rm
rm -f
4⤵
PID:1648

/bin/ps
ps find / -name .IptabLes
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1654

/usr/bin/xargs
xargs rm -f
3⤵
PID:1655

/usr/local/sbin/rm
rm -f
4⤵
PID:1659

/usr/local/bin/rm
rm -f
4⤵
PID:1659

/usr/sbin/rm
rm -f
4⤵
PID:1659

/usr/bin/rm
rm -f
4⤵
PID:1659

/sbin/rm
rm -f
4⤵
PID:1659

/bin/rm
rm -f
4⤵
PID:1659

/usr/bin/xargs
xargs rm -f
3⤵
PID:1661

/usr/local/sbin/rm
rm -f
4⤵
PID:1665

/usr/local/bin/rm
rm -f
4⤵
PID:1665

/usr/sbin/rm
rm -f
4⤵
PID:1665

/usr/bin/rm
rm -f
4⤵
PID:1665

/sbin/rm
rm -f
4⤵
PID:1665

/bin/rm
rm -f
4⤵
PID:1665

/bin/ps
ps find / -name "*ptabLes"
3⤵
- Reads CPU attributes
PID:1660

/usr/bin/xargs
xargs rm -f
3⤵
PID:1667

/usr/local/sbin/rm
rm -f
4⤵
PID:1670

/usr/local/bin/rm
rm -f
4⤵
PID:1670

/usr/sbin/rm
rm -f
4⤵
PID:1670

/usr/bin/rm
rm -f
4⤵
PID:1670

/sbin/rm
rm -f
4⤵
PID:1670

/bin/rm
rm -f
4⤵
PID:1670

/bin/ps
ps find / -name .IptabLes
3⤵
- Reads CPU attributes
PID:1666

/bin/rm
rm -f /boot/.stabip
3⤵
PID:1673

/bin/rm
rm -f /boot/.IptabLes
3⤵
PID:1674

/bin/rm
rm -f /etc/rc.d/init.d/IptabLes
3⤵
PID:1675

/bin/rm
rm -f /boot/IptabLes
3⤵
PID:1679

/bin/rm
rm -f /tmp/IptabLes
3⤵
PID:1681

/bin/rm
rm -f /usr/IptabLes
3⤵
PID:1683

/bin/rm
rm -f /usr/.IptabLes
3⤵
PID:1685

/bin/rm
rm -f "/etc/rc.d/rc4.d/*IptabLes"
3⤵
PID:1686

/bin/rm
rm -f "/etc/rc.d/rc1.d/*IptabLes"
3⤵
PID:1688

/bin/rm
rm -f "/etc/rc.d/rc2.d/*IptabLes"
3⤵
PID:1690

/bin/rm
rm -f "/etc/rc.d/rc3.d/*IptabLes"
3⤵
PID:1693

/bin/rm
rm -f "/etc/rc.d/rc0.d/*IptabLes"
3⤵
PID:1695

/bin/rm
rm -f "/etc/rc.d/rc5.d/*IptabLes"
3⤵
PID:1696

/bin/rm
rm -f "/etc/rc.d/rc6.d/*IptabLes"
3⤵
PID:1698

/bin/rm
rm -f /etc/init.d/IptabLes
3⤵
PID:1699

/bin/rm
rm -f "/etc/rc4.d/*IptabLes"
3⤵
PID:1700

/bin/rm
rm -f "/etc/rc1.d/*IptabLes"
3⤵
PID:1702

/bin/rm
rm -f "/etc/rc2.d/*IptabLes"
3⤵
PID:1704

/bin/rm
rm -f "/etc/rc3.d/*IptabLes"
3⤵
PID:1707

/bin/rm
rm -f "/etc/rc0.d/*IptabLes"
3⤵
PID:1709

/bin/rm
rm -f "/etc/rc5.d/*IptabLes"
3⤵
PID:1711

/bin/rm
rm -f "/etc/rc6.d/*IptabLes"
3⤵
PID:1712

/bin/rm
rm -rf /delallmykkk
3⤵
PID:1714

/bin/sh
sh -c "nohup cp /tmp//getsetup.hb /boot/.IptabLes>/dev/null"
1⤵
PID:1716

/usr/bin/nohup
nohup cp "/tmp//getsetup.hb" /boot/.IptabLes
2⤵
PID:1718

/usr/local/sbin/cp
cp "/tmp//getsetup.hb" /boot/.IptabLes
2⤵
PID:1718

/usr/local/bin/cp
cp "/tmp//getsetup.hb" /boot/.IptabLes
2⤵
PID:1718

/usr/sbin/cp
cp "/tmp//getsetup.hb" /boot/.IptabLes
2⤵
PID:1718

/usr/bin/cp
cp "/tmp//getsetup.hb" /boot/.IptabLes
2⤵
PID:1718

/sbin/cp
cp "/tmp//getsetup.hb" /boot/.IptabLes
2⤵
PID:1718

/bin/cp
cp "/tmp//getsetup.hb" /boot/.IptabLes
2⤵
PID:1718

/bin/sh
sh -c "nohup cp /tmp//getsetup.hbBCfWrED /boot/.IptabLex>/dev/null"
1⤵
PID:1717

/usr/bin/nohup
nohup cp "/tmp//getsetup.hbBCfWrED" /boot/.IptabLex
2⤵
PID:1719

/usr/local/sbin/cp
cp "/tmp//getsetup.hbBCfWrED" /boot/.IptabLex
2⤵
PID:1719

/usr/local/bin/cp
cp "/tmp//getsetup.hbBCfWrED" /boot/.IptabLex
2⤵
PID:1719

/usr/sbin/cp
cp "/tmp//getsetup.hbBCfWrED" /boot/.IptabLex
2⤵
PID:1719

/usr/bin/cp
cp "/tmp//getsetup.hbBCfWrED" /boot/.IptabLex
2⤵
PID:1719

/sbin/cp
cp "/tmp//getsetup.hbBCfWrED" /boot/.IptabLex
2⤵
PID:1719

/bin/cp
cp "/tmp//getsetup.hbBCfWrED" /boot/.IptabLex
2⤵
PID:1719

/bin/sh
sh -c /etc/rc2.d/S55IptabLex
1⤵
PID:1720

/etc/rc2.d/S55IptabLex
/etc/rc2.d/S55IptabLex
2⤵
PID:1721

/bin/sh
sh -c /etc/rc3.d/S55IptabLex
1⤵
PID:1722

/etc/rc3.d/S55IptabLex
/etc/rc3.d/S55IptabLex
2⤵
PID:1723

/bin/sh
sh -c /etc/rc2.d/S55IptabLes
1⤵
PID:1724

/etc/rc2.d/S55IptabLes
/etc/rc2.d/S55IptabLes
2⤵
PID:1725

/bin/sh
sh -c /etc/rc4.d/S55IptabLex
1⤵
PID:1726

/etc/rc4.d/S55IptabLex
/etc/rc4.d/S55IptabLex
2⤵
PID:1727

/bin/sh
sh -c /etc/rc5.d/S55IptabLex
1⤵
PID:1728

/etc/rc5.d/S55IptabLex
/etc/rc5.d/S55IptabLex
2⤵
PID:1729

/bin/sh
sh -c /etc/rc3.d/S55IptabLes
1⤵
PID:1730

/etc/rc3.d/S55IptabLes
/etc/rc3.d/S55IptabLes
2⤵
PID:1731

/bin/sh
sh -c /boot/IptabLex
1⤵
PID:1732

/boot/IptabLex
/boot/IptabLex
2⤵
- Executes dropped EXE
PID:1733

/boot/.IptabLex
/boot/.IptabLex
3⤵
- Executes dropped EXE
PID:1736

/bin/sh
sh -c /etc/rc4.d/S55IptabLes
1⤵
PID:1734

/etc/rc4.d/S55IptabLes
/etc/rc4.d/S55IptabLes
2⤵
PID:1735

/bin/sh
sh -c /etc/rc5.d/S55IptabLes
1⤵
PID:1738

/etc/rc5.d/S55IptabLes
/etc/rc5.d/S55IptabLes
2⤵
PID:1739

/bin/sh
sh -c "nohup sh /delxxaazzx>/dev/null&"
1⤵
PID:1744

/usr/bin/nohup
nohup sh /delxxaazzx
1⤵
PID:1746

/bin/sh
sh -c /boot/IptabLes
1⤵
PID:1745

/boot/IptabLes
/boot/IptabLes
2⤵
- Executes dropped EXE
PID:1747

/boot/.IptabLes
/boot/.IptabLes
3⤵
- Executes dropped EXE
PID:1748

/usr/local/sbin/sh
sh /delxxaazzx
1⤵
PID:1746

/usr/local/bin/sh
sh /delxxaazzx
1⤵
PID:1746

/usr/sbin/sh
sh /delxxaazzx
1⤵
PID:1746

/usr/bin/sh
sh /delxxaazzx
1⤵
PID:1746

/sbin/sh
sh /delxxaazzx
1⤵
PID:1746

/bin/sh
sh /delxxaazzx
1⤵
PID:1746

/bin/sleep
sleep 3
2⤵
PID:1749

/bin/sleep
sleep 1
2⤵
PID:1767

/bin/rm
rm -f "/tmp//getsetup.hbBCfWrED"
2⤵
PID:1770

/bin/rm
rm -rf /delxxaazzx
2⤵
PID:1771

/bin/sh
sh -c "nohup sh /delxxaazz>/dev/null&"
1⤵
PID:1751

/usr/bin/nohup
nohup sh /delxxaazz
1⤵
PID:1756

/usr/local/sbin/sh
sh /delxxaazz
1⤵
PID:1756

/usr/local/bin/sh
sh /delxxaazz
1⤵
PID:1756

/usr/sbin/sh
sh /delxxaazz
1⤵
PID:1756

/usr/bin/sh
sh /delxxaazz
1⤵
PID:1756

/sbin/sh
sh /delxxaazz
1⤵
PID:1756

/bin/sh
sh /delxxaazz
1⤵
PID:1756

/bin/sleep
sleep 3
2⤵
PID:1757

/bin/sleep
sleep 1
2⤵
PID:1768

/bin/rm
rm -f "/tmp//getsetup.hb"
2⤵
PID:1772

/bin/rm
rm -rf /delxxaazz
2⤵
PID:1773

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/.mylisthbSx.pid

Filesize
5B

MD5
6c6560fccce36a901b700e2153971c65

SHA1
b193e3eb79733e481147628c8de46a47974fb521

SHA256
3b5d2e49bcb616343dfa11a18422dd8d180ec2af8af3b50f430740b74c391831

SHA512
b0ff19c52aa326d56ecbf2a649602dc93c7d8c470d03abacd4521aada5b71a32b435097fa39116bd3b412e77e583ff5cc3ed7d57c055772e6686c926de5ea561

Download Submit
/.mylisthbx.pid

Filesize
5B

MD5
8ff2b15c72e424864272a68fd398db39

SHA1
8b83b96649e2f6fc54eb3ea9781e23125003769c

SHA256
ee88a51a4ac5a6fb45835607a0863b3b20080127945bb58fdd1343ffc6d2ed72

SHA512
0a00f95b9677d0163b7cfa69c682b18d7df03c90e3f497b04999000952a2f4a68488899c7e3e74e244de60e0f2f559098601cd3f311e3b32041a221533536478

Download Submit
/.mylisthbx.pid

Filesize
5B

MD5
1b5cabbd8776b23b85a7175f067a4832

SHA1
384d92edb7fee5bdbfc9094cd01f504eeb2c9dbb

SHA256
e6ab851c4c882f348791900309c8b2ba6c7c0812cc94226e2339767f0edf70a4

SHA512
ab521fa46a4ab5cc4d71691047e7666f33a72f8e5001fb2749257dee757d70cb762fb6011dfb80e1a2de62d02d2fb559b2847e7c262d4f616895236f578c8592

Download Submit
/boot/.IptabLes

Filesize
1.0MB

MD5
9966d5db77f247070fcac9590a3fde80

SHA1
ec0fdb1333443a7c0442dd279626bf8d58eb8cbb

SHA256
10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199

SHA512
e6a468cdfd9f720b217069f0dddc012b8549a834862d287ea101914503a048f644085c16b534b2b7418686b792a9ee0cb1e32977751d648d57ed0241bed17131

Download Submit
/boot/.IptabLex

Filesize
705KB

MD5
7b6ecf8e0740258188a3b3ad1c9fe050

SHA1
9054f186567fe7cfcb1197a903c8873e48c42385

SHA256
1f5e9a31d677e3d2f1beefd1dc01c9bf492e2e3b9eb4d61903b2d9cd5c1a1f43

SHA512
476e0e3b78f7eafca818ee2b17f77f83991e175182ba1a9aeea1a73f25588dbb4cd45202c492fa4b621b5a50a3af42e2c8ec2478c203c6a5df08d2cb3e5689b2

Download Submit
/boot/IptabLes

Filesize
33B

MD5
83ed46dc4887fda860c6a43f11c34877

SHA1
76505b08bae1a79ef5b194df6230d8a0dd406146

SHA256
a654d6c11d5af3247a32622f3b4ed15ee84f9f421ac229fb4554276ba89762f3

SHA512
a19776d13d5e0fc67e33a4b12e58617d77224e5313b4c4d81886ea4d32ee93e2fbf2209a85f2dae5515338536281f6ee0080113adc241d979df17f3acef57920

Download Submit
/boot/IptabLex

Filesize
33B

MD5
f87babea4da49278448a7cfc90378881

SHA1
6894fb87a61fa12616d676232573bcc6a97337cf

SHA256
c76e5acffa83340ec7ee66fbf876bf0be9939b9c741f9db013451ff83139ad70

SHA512
4c5d834f67d9af90a8d9cb6fa5296a02184ef4abdde220d1d96c1705f39ce91822a58a800bb4f54bd2322658871a3e3f8cb135a3c147d7bdfd6b5fe972568514

Download Submit
/delallmykkk

Filesize
1KB

MD5
d42637b86ca7c28cf8f149693a725c1a

SHA1
e0fa8c025eb03ab6c23c2095f2cb3ea85aed4c52

SHA256
0eb4b7f646bbd2a08fa342654c4d27285d7851bf53309e407de6273baba398c9

SHA512
0ff790803c531db3a243f497772a6e76a78dc73d12f687e43e5760a43b1bf10798d4496b12e46bd1cee89d8e29dafa294555a912451db0ba90218e61245c5261

Download Submit
/delallmykkks

Filesize
1KB

MD5
8da57205d718f385e3878220b55635e4

SHA1
28c2bab19d21e8712819f257c81cc80189147e2f

SHA256
8cdd7e6196522a770304eb9a0c8dfa47a72f4d9c9abac7cd3c559782e05275a6

SHA512
bdb138f44ca919e99915e113f7d4274c869e0cf743766bc969cd0f89e789363f446cfbf207b68f48e569323092cec5510a4a7fb319f88e0fda00a2dd0be59582

Download Submit
/delxxaazz

Filesize
80B

MD5
037a7b0df0be7b9a0c11275580062292

SHA1
37b092f24077aa7e44fcd06188245d3baa167b7b

SHA256
33728b8568a27cc7720075e98bcfb7cf29f54f1f6fa9c8b13d4cbffa0eb3d07d

SHA512
6ea9d5ea73d77d548a992a444ac643293a4343892904ff52b30a80362912e7d4e5530d97ec79f9a952858ab6c4a00a56f6c669869db0988d16221d3123934b17

Download Submit
/delxxaazzx

Filesize
87B

MD5
249a7deb0ac2109806e8d36b4fdd2d3d

SHA1
0cac756a5f5fcc1a581472638fe8fca4a94f3acf

SHA256
3cd82375331934dde2bf25a783fe6789bf09d72faa0bc63dea6087563a3f7e05

SHA512
ff5f00c126e889040e14684ec9f4ba3b27bbc4eb2c40e537c58840b65fa196177959e710b6faff76e00e339bcb7475f3112eb1b8f63b52f3c5b897de2f2abb2d

Download Submit