iptablez | 960cb322998f273c7c30ea05f58284a5bf749dc32240d1ecbe533b091148a44a

Analysis

max time kernel
152s
max time network
157s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22-12-2023 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fba111160d27811f538ffcee8eb0c1b7
Size

1.1MB
MD5

fba111160d27811f538ffcee8eb0c1b7
SHA1

629f9828d8f88197e528a49390f478aecdcd1f08
SHA256

960cb322998f273c7c30ea05f58284a5bf749dc32240d1ecbe533b091148a44a
SHA512

43aef2b5ec18cf13757b5ed79f667f5b941d298687215fdf482456be77e093812e91be2471031c88688b88c56d9afee73641d472a404d90d856cadcc66009fe0
SSDEEP

24576:y4mC8Hn1lEI0D8vzV7KDSSOH3DHAAKDiyAVcnFtzAblnvV:rx8Hn1lPvzQRGfx4rAnvV

Score

10^/10

iptablez backdoor

Malware Config

Signatures

Detected IptabLes/IptabLez backdoor 2 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_iptablez
behavioral1/files/fstream-6.dat	family_iptablez

IptabLes/IptabLez Backdoor
Linux RAT/backdoor which has been around since 2014.
backdoor iptablez

Executes dropped EXE 15 IoCs

ioc	pid	Process
/tmp/fba111160d27811f538ffcee8eb0c1b7BCfWrED	1541	fba111160d27811f538ffcee8eb0c1b7BCfWrED
/delallmykkks	1552	delallmykkks
/delallmykkk	1553	delallmykkk
/delallmykkks	1562	delallmykkks
/delallmykkk	1563	delallmykkk
/delallmykkk	1572	delallmykkk
/delallmykkks	1573	delallmykkks
/delallmykkks	1583	delallmykkks
/delallmykkk	1582	delallmykkk
/delallmykkk	1595	delallmykkk
/delallmykkks	1594	delallmykkks
/boot/IptabLex	1699	IptabLex
/boot/.IptabLex	1702	.IptabLex
/boot/IptabLes	1716	IptabLes
/boot/.IptabLes	1717	.IptabLes

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 24 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/89/cmdline	ps
File opened for reading	/proc/1123/status	ps
File opened for reading	/proc/1161/stat	ps
File opened for reading	/proc/1339/stat	ps
File opened for reading	/proc/83/status	ps
File opened for reading	/proc/1156/stat	ps
File opened for reading	/proc/1575/status	ps
File opened for reading	/proc/31/stat	ps
File opened for reading	/proc/159/cmdline	ps
File opened for reading	/proc/1119/status	ps
File opened for reading	/proc/1177/stat	ps
File opened for reading	/proc/157/stat	ps
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/20/status	ps
File opened for reading	/proc/1599/stat	ps
File opened for reading	/proc/644/cmdline	ps
File opened for reading	/proc/1531/status	ps
File opened for reading	/proc/128/cmdline	ps
File opened for reading	/proc/self/stat	ps
File opened for reading	/proc/79/status	ps
File opened for reading	/proc/115/cmdline	ps
File opened for reading	/proc/24/status	ps
File opened for reading	/proc/1271/cmdline	ps
File opened for reading	/proc/20/stat	ps
File opened for reading	/proc/1510/cmdline	ps
File opened for reading	/proc/78/status	ps
File opened for reading	/proc/81/stat	ps
File opened for reading	/proc/1556/status	ps
File opened for reading	/proc/128/status	ps
File opened for reading	/proc/83/cmdline	ps
File opened for reading	/proc/89/stat	ps
File opened for reading	/proc/159/stat	ps
File opened for reading	/proc/923/stat	ps
File opened for reading	/proc/956/status	ps
File opened for reading	/proc/1090/cmdline	ps
File opened for reading	/proc/1115/cmdline	ps
File opened for reading	/proc/1553/status	ps
File opened for reading	/proc/24/stat	ps
File opened for reading	/proc/7/status	ps
File opened for reading	/proc/1552/status	ps
File opened for reading	/proc/13/stat	ps
File opened for reading	/proc/163/stat	ps
File opened for reading	/proc/1464/status	ps
File opened for reading	/proc/590/stat	ps
File opened for reading	/proc/11/cmdline	ps
File opened for reading	/proc/84/stat	ps
File opened for reading	/proc/3/stat	ps
File opened for reading	/proc/11/stat	ps
File opened for reading	/proc/1006/status	ps
File opened for reading	/proc/1510/status	ps
File opened for reading	/proc/1533/status	ps
File opened for reading	/proc/865/status	ps
File opened for reading	/proc/1127/cmdline	ps
File opened for reading	/proc/1339/status	ps
File opened for reading	/proc/27/status	ps
File opened for reading	/proc/1141/status	ps
File opened for reading	/proc/1246/stat	ps
File opened for reading	/proc/18/status	ps
File opened for reading	/proc/11/cmdline	ps
File opened for reading	/proc/27/status	ps
File opened for reading	/proc/156/status	ps
File opened for reading	/proc/1146/cmdline	ps
File opened for reading	/proc/1115/cmdline	ps
File opened for reading	/proc/478/status	ps

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/fba111160d27811f538ffcee8eb0c1b7BCfWrED	fba111160d27811f538ffcee8eb0c1b7

/tmp/fba111160d27811f538ffcee8eb0c1b7
/tmp/fba111160d27811f538ffcee8eb0c1b7
1⤵
- Writes file to tmp directory
PID:1535
- /bin/sh
  sh -c /tmp/fba111160d27811f538ffcee8eb0c1b7BCfWrED
  2⤵
  PID:1536
- - /tmp/fba111160d27811f538ffcee8eb0c1b7BCfWrED
    /tmp/fba111160d27811f538ffcee8eb0c1b7BCfWrED
    3⤵
    - Executes dropped EXE
    PID:1541

/bin/sh
sh -c "/delallmykkks>/dev/null"
1⤵
PID:1548
- /delallmykkks
  /delallmykkks
  2⤵
  - Executes dropped EXE
  PID:1552
- - /bin/ps
    ps -f -C .IptabLex
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1554
- - /bin/grep
    grep .IptabLex
    3⤵
    PID:1555
- - /usr/bin/awk
    awk "{print \$3}"
    3⤵
    PID:1557
- - /usr/bin/xargs
    xargs /delallmykkks 2
    3⤵
    PID:1560
  - - /delallmykkks
      /delallmykkks 2
      4⤵
      Executes dropped EXE
      PID:1562
- - /usr/bin/xargs
    xargs /delallmykkks 2
    3⤵
    PID:1568
  - - /delallmykkks
      /delallmykkks 2
      4⤵
      Executes dropped EXE
      PID:1573
- - /usr/bin/awk
    awk "{print \$3}"
    3⤵
    PID:1567
- - /bin/grep
    grep .IptabLex
    3⤵
    PID:1566
- - /bin/ps
    ps -f -C .IptabLex
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1564
- - /usr/bin/xargs
    xargs /delallmykkks 2
    3⤵
    PID:1580
  - - /delallmykkks
      /delallmykkks 2
      4⤵
      Executes dropped EXE
      PID:1583
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1578
- - /bin/grep
    grep .IptabLex
    3⤵
    PID:1577
- - /bin/ps
    ps -f -C .IptabLex
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1575
- - /bin/ps
    ps -f -C .IptabLex
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1585
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1590
- - /bin/grep
    grep .IptabLex
    3⤵
    PID:1586
- - /usr/bin/xargs
    xargs /delallmykkks 2
    3⤵
    PID:1593
  - - /delallmykkks
      /delallmykkks 2
      4⤵
      Executes dropped EXE
      PID:1594
- - /bin/grep
    grep .IptabLex
    3⤵
    PID:1599
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1601
- - /bin/ps
    ps -axu
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1597
- - /usr/bin/xargs
    xargs kill -9
    3⤵
    PID:1602
  - - /usr/local/sbin/kill
      kill -9 1599
      4⤵
      PID:1604
  - - /usr/local/bin/kill
      kill -9 1599
      4⤵
      PID:1604
  - - /usr/sbin/kill
      kill -9 1599
      4⤵
      PID:1604
  - - /usr/bin/kill
      kill -9 1599
      4⤵
      PID:1604
  - - /sbin/kill
      kill -9 1599
      4⤵
      PID:1604
  - - /bin/kill
      kill -9 1599
      4⤵
      Reads CPU attributes
      PID:1604
- - /bin/grep
    grep .IptabLex
    3⤵
    PID:1608
- - /bin/ps
    ps -axu
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1606
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1610
- - /usr/bin/xargs
    xargs kill -9
    3⤵
    PID:1612
  - - /usr/local/sbin/kill
      kill -9 1608
      4⤵
      PID:1615
  - - /usr/local/bin/kill
      kill -9 1608
      4⤵
      PID:1615
  - - /usr/sbin/kill
      kill -9 1608
      4⤵
      PID:1615
  - - /usr/bin/kill
      kill -9 1608
      4⤵
      PID:1615
  - - /sbin/kill
      kill -9 1608
      4⤵
      PID:1615
  - - /bin/kill
      kill -9 1608
      4⤵
      Reads CPU attributes
      PID:1615
- - /usr/bin/xargs
    xargs kill -9
    3⤵
    PID:1620
  - - /usr/local/sbin/kill
      kill -9 PID TTY TIME CMD
      4⤵
      PID:1622
  - - /usr/local/bin/kill
      kill -9 PID TTY TIME CMD
      4⤵
      PID:1622
  - - /usr/sbin/kill
      kill -9 PID TTY TIME CMD
      4⤵
      PID:1622
  - - /usr/bin/kill
      kill -9 PID TTY TIME CMD
      4⤵
      PID:1622
  - - /sbin/kill
      kill -9 PID TTY TIME CMD
      4⤵
      PID:1622
  - - /bin/kill
      kill -9 PID TTY TIME CMD
      4⤵
      Reads CPU attributes
      PID:1622
- - /bin/ps
    ps -C .IptabLex
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1619
- - /bin/ps
    ps -C .IptabLex
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1626
- - /usr/bin/xargs
    xargs kill -9
    3⤵
    PID:1627
  - - /usr/local/sbin/kill
      kill -9 PID TTY TIME CMD
      4⤵
      PID:1628
  - - /usr/local/bin/kill
      kill -9 PID TTY TIME CMD
      4⤵
      PID:1628
  - - /usr/sbin/kill
      kill -9 PID TTY TIME CMD
      4⤵
      PID:1628
  - - /usr/bin/kill
      kill -9 PID TTY TIME CMD
      4⤵
      PID:1628
  - - /sbin/kill
      kill -9 PID TTY TIME CMD
      4⤵
      PID:1628
  - - /bin/kill
      kill -9 PID TTY TIME CMD
      4⤵
      Reads CPU attributes
      PID:1628
- - /bin/rm
    rm -f /boot/.stabip
    3⤵
    PID:1630
- - /bin/rm
    rm -f /boot/.IptabLex
    3⤵
    PID:1633
- - /bin/rm
    rm -f /etc/rc.d/init.d/IptabLex
    3⤵
    PID:1635
- - /bin/rm
    rm -f /boot/IptabLex
    3⤵
    PID:1637
- - /bin/rm
    rm -f /tmp/IptabLex
    3⤵
    PID:1639
- - /bin/rm
    rm -f /usr/IptabLex
    3⤵
    PID:1641
- - /bin/rm
    rm -f /usr/.IptabLex
    3⤵
    PID:1643
- - /bin/rm
    rm -f /boot/.IptabLex
    3⤵
    PID:1645
- - /bin/rm
    rm -f /.IptabLex
    3⤵
    PID:1647
- - /bin/rm
    rm -f /boot/IptabLex
    3⤵
    PID:1649
- - /bin/rm
    rm -f /IptabLex
    3⤵
    PID:1651
- - /bin/rm
    rm -f "/etc/rc.d/rc4.d/*IptabLex"
    3⤵
    PID:1653
- - /bin/rm
    rm -f "/etc/rc.d/rc1.d/*IptabLex"
    3⤵
    PID:1655
- - /bin/rm
    rm -f "/etc/rc.d/rc2.d/*IptabLex"
    3⤵
    PID:1657
- - /bin/rm
    rm -f "/etc/rc.d/rc3.d/*IptabLex"
    3⤵
    PID:1659
- - /bin/rm
    rm -f "/etc/rc.d/rc0.d/*IptabLex"
    3⤵
    PID:1661
- - /bin/rm
    rm -f "/etc/rc.d/rc5.d/*IptabLex"
    3⤵
    PID:1662
- - /bin/rm
    rm -f "/etc/rc.d/rc6.d/*IptabLex"
    3⤵
    PID:1663
- - /bin/rm
    rm -f /etc/init.d/IptabLex
    3⤵
    PID:1664
- - /bin/rm
    rm -f "/etc/rc4.d/*IptabLex"
    3⤵
    PID:1665
- - /bin/rm
    rm -f "/etc/rc1.d/*IptabLex"
    3⤵
    PID:1666
- - /bin/rm
    rm -f "/etc/rc2.d/*IptabLex"
    3⤵
    PID:1668
- - /bin/rm
    rm -f "/etc/rc3.d/*IptabLex"
    3⤵
    PID:1670
- - /bin/rm
    rm -f "/etc/rc0.d/*IptabLex"
    3⤵
    PID:1672
- - /bin/rm
    rm -f "/etc/rc5.d/*IptabLex"
    3⤵
    PID:1674
- - /bin/rm
    rm -f "/etc/rc6.d/*IptabLex"
    3⤵
    PID:1676
- - /bin/rm
    rm -rf /delallmykkks
    3⤵
    PID:1678

/bin/sh
sh -c "/delallmykkk>/dev/null"
1⤵
PID:1551
- /delallmykkk
  /delallmykkk
  2⤵
  - Executes dropped EXE
  PID:1553
- - /bin/ps
    ps -f -C .IptabLes
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1556
- - /bin/grep
    grep .IptabLes
    3⤵
    PID:1558
- - /usr/bin/awk
    awk "{print \$3}"
    3⤵
    PID:1559
- - /usr/bin/xargs
    xargs /delallmykkk 2
    3⤵
    PID:1561
  - - /delallmykkk
      /delallmykkk 2
      4⤵
      Executes dropped EXE
      PID:1563
- - /bin/grep
    grep .IptabLes
    3⤵
    PID:1569
- - /bin/ps
    ps -f -C .IptabLes
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1565
- - /usr/bin/awk
    awk "{print \$3}"
    3⤵
    PID:1570
- - /usr/bin/xargs
    xargs /delallmykkk 2
    3⤵
    PID:1571
  - - /delallmykkk
      /delallmykkk 2
      4⤵
      Executes dropped EXE
      PID:1572
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1579
- - /bin/grep
    grep .IptabLes
    3⤵
    PID:1576
- - /usr/bin/xargs
    xargs /delallmykkk 2
    3⤵
    PID:1581
  - - /delallmykkk
      /delallmykkk 2
      4⤵
      Executes dropped EXE
      PID:1582
- - /bin/ps
    ps -f -C .IptabLes
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1574
- - /bin/ps
    ps -f -C .IptabLes
    3⤵
    - Reads CPU attributes
    PID:1584
- - /bin/grep
    grep .IptabLes
    3⤵
    PID:1587
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1591
- - /usr/bin/xargs
    xargs /delallmykkk 2
    3⤵
    - Reads runtime system information
    PID:1592
  - - /delallmykkk
      /delallmykkk 2
      4⤵
      Executes dropped EXE
      PID:1595
- - /bin/grep
    grep .IptabLes
    3⤵
    PID:1598
- - /bin/ps
    ps -axu
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1596
- - /usr/bin/xargs
    xargs kill -9
    3⤵
    PID:1603
  - - /usr/local/sbin/kill
      kill -9 1598
      4⤵
      PID:1605
  - - /usr/local/bin/kill
      kill -9 1598
      4⤵
      PID:1605
  - - /usr/sbin/kill
      kill -9 1598
      4⤵
      PID:1605
  - - /usr/bin/kill
      kill -9 1598
      4⤵
      PID:1605
  - - /sbin/kill
      kill -9 1598
      4⤵
      PID:1605
  - - /bin/kill
      kill -9 1598
      4⤵
      Reads CPU attributes
      PID:1605
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1600
- - /bin/grep
    grep .IptabLes
    3⤵
    PID:1609
- - /bin/ps
    ps -axu
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1607
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1611
- - /usr/bin/xargs
    xargs kill -9
    3⤵
    PID:1613
  - - /usr/local/sbin/kill
      kill -9 1609
      4⤵
      PID:1616
  - - /usr/local/bin/kill
      kill -9 1609
      4⤵
      PID:1616
  - - /usr/sbin/kill
      kill -9 1609
      4⤵
      PID:1616
  - - /usr/bin/kill
      kill -9 1609
      4⤵
      PID:1616
  - - /sbin/kill
      kill -9 1609
      4⤵
      PID:1616
  - - /bin/kill
      kill -9 1609
      4⤵
      Reads CPU attributes
      PID:1616
- - /usr/bin/xargs
    xargs kill -9
    3⤵
    PID:1618
  - - /usr/local/sbin/kill
      kill -9 PID TTY TIME CMD
      4⤵
      PID:1621
  - - /usr/local/bin/kill
      kill -9 PID TTY TIME CMD
      4⤵
      PID:1621
  - - /usr/sbin/kill
      kill -9 PID TTY TIME CMD
      4⤵
      PID:1621
  - - /usr/bin/kill
      kill -9 PID TTY TIME CMD
      4⤵
      PID:1621
  - - /sbin/kill
      kill -9 PID TTY TIME CMD
      4⤵
      PID:1621
  - - /bin/kill
      kill -9 PID TTY TIME CMD
      4⤵
      Reads CPU attributes
      PID:1621
- - /bin/ps
    ps -C .IptabLes
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1617
- - /bin/ps
    ps -C .IptabLes
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1623
- - /bin/grep
    grep .IptabLes
    3⤵
    PID:1624
- - /usr/bin/xargs
    xargs kill -9
    3⤵
    PID:1625
  - - /usr/local/sbin/kill
      kill -9
      4⤵
      PID:1629
  - - /usr/local/bin/kill
      kill -9
      4⤵
      PID:1629
  - - /usr/sbin/kill
      kill -9
      4⤵
      PID:1629
  - - /usr/bin/kill
      kill -9
      4⤵
      PID:1629
  - - /sbin/kill
      kill -9
      4⤵
      PID:1629
  - - /bin/kill
      kill -9
      4⤵
      Reads CPU attributes
      PID:1629
- - /bin/rm
    rm -f /boot/.stabip
    3⤵
    PID:1631
- - /bin/rm
    rm -f /boot/.IptabLes
    3⤵
    PID:1632
- - /bin/rm
    rm -f /etc/rc.d/init.d/IptabLes
    3⤵
    PID:1634
- - /bin/rm
    rm -f /boot/IptabLes
    3⤵
    PID:1636
- - /bin/rm
    rm -f /tmp/IptabLes
    3⤵
    PID:1638
- - /bin/rm
    rm -f /usr/IptabLes
    3⤵
    PID:1640
- - /bin/rm
    rm -f /usr/.IptabLes
    3⤵
    PID:1642
- - /bin/rm
    rm -f /boot/.IptabLes
    3⤵
    PID:1644
- - /bin/rm
    rm -f /.IptabLes
    3⤵
    PID:1646
- - /bin/rm
    rm -f /boot/IptabLes
    3⤵
    PID:1648
- - /bin/rm
    rm -f /IptabLes
    3⤵
    PID:1650
- - /bin/rm
    rm -f "/etc/rc.d/rc4.d/*IptabLes"
    3⤵
    PID:1652
- - /bin/rm
    rm -f "/etc/rc.d/rc1.d/*IptabLes"
    3⤵
    PID:1654
- - /bin/rm
    rm -f "/etc/rc.d/rc2.d/*IptabLes"
    3⤵
    PID:1656
- - /bin/rm
    rm -f "/etc/rc.d/rc3.d/*IptabLes"
    3⤵
    PID:1658
- - /bin/rm
    rm -f "/etc/rc.d/rc0.d/*IptabLes"
    3⤵
    PID:1660
- - /bin/rm
    rm -f "/etc/rc.d/rc5.d/*IptabLes"
    3⤵
    PID:1667
- - /bin/rm
    rm -f "/etc/rc.d/rc6.d/*IptabLes"
    3⤵
    PID:1669
- - /bin/rm
    rm -f /etc/init.d/IptabLes
    3⤵
    PID:1671
- - /bin/rm
    rm -f "/etc/rc4.d/*IptabLes"
    3⤵
    PID:1673
- - /bin/rm
    rm -f "/etc/rc1.d/*IptabLes"
    3⤵
    PID:1675
- - /bin/rm
    rm -f "/etc/rc2.d/*IptabLes"
    3⤵
    PID:1677
- - /bin/rm
    rm -f "/etc/rc3.d/*IptabLes"
    3⤵
    PID:1679
- - /bin/rm
    rm -f "/etc/rc0.d/*IptabLes"
    3⤵
    PID:1681
- - /bin/rm
    rm -f "/etc/rc5.d/*IptabLes"
    3⤵
    PID:1683
- - /bin/rm
    rm -f "/etc/rc6.d/*IptabLes"
    3⤵
    PID:1684
- - /bin/rm
    rm -rf /delallmykkk
    3⤵
    PID:1685

/bin/sh
sh -c "cp /tmp/fba111160d27811f538ffcee8eb0c1b7BCfWrED /boot/.IptabLex>/dev/null"
1⤵
PID:1680
- /bin/cp
  cp /tmp/fba111160d27811f538ffcee8eb0c1b7BCfWrED /boot/.IptabLex
  2⤵
  PID:1682

/bin/sh
sh -c /etc/rc2.d/S55IptabLex
1⤵
PID:1686
- /etc/rc2.d/S55IptabLex
  /etc/rc2.d/S55IptabLex
  2⤵
  PID:1689

/bin/sh
sh -c "cp /tmp/fba111160d27811f538ffcee8eb0c1b7 /boot/.IptabLes>/dev/null"
1⤵
PID:1687
- /bin/cp
  cp /tmp/fba111160d27811f538ffcee8eb0c1b7 /boot/.IptabLes
  2⤵
  PID:1688

/bin/sh
sh -c /etc/rc3.d/S55IptabLex
1⤵
PID:1690
- /etc/rc3.d/S55IptabLex
  /etc/rc3.d/S55IptabLex
  2⤵
  PID:1691

/bin/sh
sh -c /etc/rc4.d/S55IptabLex
1⤵
PID:1692
- /etc/rc4.d/S55IptabLex
  /etc/rc4.d/S55IptabLex
  2⤵
  PID:1693

/bin/sh
sh -c /etc/rc5.d/S55IptabLex
1⤵
PID:1694
- /etc/rc5.d/S55IptabLex
  /etc/rc5.d/S55IptabLex
  2⤵
  PID:1695

/bin/sh
sh -c /etc/rc2.d/S55IptabLes
1⤵
PID:1696
- /etc/rc2.d/S55IptabLes
  /etc/rc2.d/S55IptabLes
  2⤵
  PID:1697

/bin/sh
sh -c /boot/IptabLex
1⤵
PID:1698
- /boot/IptabLex
  /boot/IptabLex
  2⤵
  - Executes dropped EXE
  PID:1699
- - /boot/.IptabLex
    /boot/.IptabLex
    3⤵
    - Executes dropped EXE
    PID:1702

/bin/sh
sh -c /etc/rc3.d/S55IptabLes
1⤵
PID:1700
- /etc/rc3.d/S55IptabLes
  /etc/rc3.d/S55IptabLes
  2⤵
  PID:1701

/bin/sh
sh -c /etc/rc4.d/S55IptabLes
1⤵
PID:1704
- /etc/rc4.d/S55IptabLes
  /etc/rc4.d/S55IptabLes
  2⤵
  PID:1705

/bin/sh
sh -c "sh /delxxaazzx"
1⤵
PID:1706
- /bin/sh
  sh /delxxaazzx
  2⤵
  PID:1712
- - /bin/sleep
    sleep 3
    3⤵
    PID:1714
- - /bin/sleep
    sleep 1
    3⤵
    PID:1727
- - /bin/rm
    rm -f /tmp/fba111160d27811f538ffcee8eb0c1b7BCfWrED
    3⤵
    PID:1729
- - /bin/rm
    rm -rf /delxxaazzx
    3⤵
    PID:1730

/bin/sh
sh -c /etc/rc5.d/S55IptabLes
1⤵
PID:1710
- /etc/rc5.d/S55IptabLes
  /etc/rc5.d/S55IptabLes
  2⤵
  PID:1713

/bin/sh
sh -c /boot/IptabLes
1⤵
PID:1715
- /boot/IptabLes
  /boot/IptabLes
  2⤵
  - Executes dropped EXE
  PID:1716
- - /boot/.IptabLes
    /boot/.IptabLes
    3⤵
    - Executes dropped EXE
    PID:1717

/bin/sh
sh -c "sh /delxxaazz"
1⤵
PID:1719
- /bin/sh
  sh /delxxaazz
  2⤵
  PID:1724
- - /bin/sleep
    sleep 3
    3⤵
    PID:1725
- - /bin/sleep
    sleep 1
    3⤵
    PID:1728
- - /bin/rm
    rm -f /tmp/fba111160d27811f538ffcee8eb0c1b7
    3⤵
    PID:1731
- - /bin/rm
    rm -rf /delxxaazz
    3⤵
    PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/.mylisthbSx.pid

Filesize
5B

MD5
15da7c0c5e1f91431957e8727df99cb8

SHA1
333bf5cc1d5add4a057a70cfa69b419d70f0b008

SHA256
8c83a86578103b0f8c4d6603cfeac6b7274e0b733405171d8d305f8b712fc21d

SHA512
5611f5592d672a798c7063ac74b2231478dbfd7d6f5d9e084d05577657b1156c9dd0f49b69bacbe8f851c6d2c6d828237eec2da9ac976adf52c9e5f1b4693f95

Download Submit
/.mylisthbx.pid

Filesize
5B

MD5
c46048618c4509693663790663709736

SHA1
1b99615eac10fdebccd980fb77228635fa5d50fd

SHA256
c7022cdbb0f0327a164870b5d653fe289d25f94ed5b70e8ba306206de7f902ca

SHA512
da928baf22466f6586795a63bd18bcf476c9ad446e3464393248e9449aaa0520db48c82a14883d2b33790823b9ca5956aa9d123daa95516eb0624e9ce8f464aa

Download Submit
/.mylisthbx.pid

Filesize
5B

MD5
3abfbde1a332ec1c20a0148a8320b47d

SHA1
b15467692b69e37f48748505cec91a84c37697dd

SHA256
aa3daae38a61c5ad4079a238869a662dfb662cb59aa3489c1fdc740c923df96f

SHA512
34818b5569203d2c76fedb8b5db7213d55f36ac84f754488e2a9768e0818a072bbe05f0544c398da3dead67f88d8ff012040cbac4c7da29086fd16fc2773fbc4

Download Submit
/.mylisthbx.pid

Filesize
5B

MD5
063efaec7294b8d61cc49e9bcda34486

SHA1
f7c74245084407a72eccd2d97a1fd8a2ab909803

SHA256
80122bea4522dce2f76358d334e845350bb91ba964641260d8851860347336d4

SHA512
5b961b359305ad346948a933320377a89e1985b14dd64c1e4578dcdfd02aa3f795118f991f9b82a29cdb9dc8a8835803e9d6cb62a0857a59669ff1f6386ca5f1

Download Submit
/boot/.IptabLes

Filesize
1.1MB

MD5
fba111160d27811f538ffcee8eb0c1b7

SHA1
629f9828d8f88197e528a49390f478aecdcd1f08

SHA256
960cb322998f273c7c30ea05f58284a5bf749dc32240d1ecbe533b091148a44a

SHA512
43aef2b5ec18cf13757b5ed79f667f5b941d298687215fdf482456be77e093812e91be2471031c88688b88c56d9afee73641d472a404d90d856cadcc66009fe0

Download Submit
/boot/IptabLes

Filesize
33B

MD5
83ed46dc4887fda860c6a43f11c34877

SHA1
76505b08bae1a79ef5b194df6230d8a0dd406146

SHA256
a654d6c11d5af3247a32622f3b4ed15ee84f9f421ac229fb4554276ba89762f3

SHA512
a19776d13d5e0fc67e33a4b12e58617d77224e5313b4c4d81886ea4d32ee93e2fbf2209a85f2dae5515338536281f6ee0080113adc241d979df17f3acef57920

Download Submit
/boot/IptabLex

Filesize
33B

MD5
f87babea4da49278448a7cfc90378881

SHA1
6894fb87a61fa12616d676232573bcc6a97337cf

SHA256
c76e5acffa83340ec7ee66fbf876bf0be9939b9c741f9db013451ff83139ad70

SHA512
4c5d834f67d9af90a8d9cb6fa5296a02184ef4abdde220d1d96c1705f39ce91822a58a800bb4f54bd2322658871a3e3f8cb135a3c147d7bdfd6b5fe972568514

Download Submit
/delallmykkk

Filesize
1KB

MD5
df756e2bf74136a76dd788949975ee3d

SHA1
d8e10d9d697aa370d301ac35836e9f8cf4183a68

SHA256
4ffae94610d8bbcf0bab5cee6a6c6730fdaeb39d773754eb55be9bb7872be2ce

SHA512
015c37c6e61c49a81d8914dc699e0adb2bc126b5e927d08e806112460afafde5da4290804910616f0e0133605cc69aee285b0c7ff404cc648a4a9435d15ab8d7

Download Submit
/delallmykkks

Filesize
1KB

MD5
61e68867137b82e069a7fa3c309bc8ce

SHA1
06c346be7c6ad4788e94c6da02923bad095af6b1

SHA256
58c6f370de862a4cebc1932c11fc72eb3476be00d8e334b56a8e35e93a5aaca8

SHA512
d7bb6be53ee14e18196aa71658f9bae21761360cbba3896c619082fbbc38c687ba317ad1d329fc0ec3ca46da6369aaaf3f32d39ff77be9aa8fae1fc4cbbdde77

Download Submit
/delxxaazz

Filesize
94B

MD5
936d9b7c1df1482eaca0d1e563d8a3fc

SHA1
d2db9ad3145e6f563e6f6bc26e9186cdaef75b48

SHA256
d88eeba626a857c827ed54e335222a067edbd92e2a4c5af290924fcd06f86c7c

SHA512
6252bfa8d5371f837b7c9a65278d7e51f7812c46b3d9a5a5541d133b495f6c9d9b438187496e6e80422c55a6012cd3d0b531ca0bbd8c2e989739911ffc7fa01c

Download Submit
/delxxaazzx

Filesize
101B

MD5
ec9ec317ca666eb5dc63646caf33f0a2

SHA1
34d635517c218823abaee9f888db68551b69be4e

SHA256
ff0f3cde6123f933a49c2067a660591b5e61b0e5a567074b9238f97bd8eecfe8

SHA512
e4e76395a4d98c3d6f7b0fc27a396d8d0959511a2a587bf99ffe914b460cebdaa076c208bb1e0254fb9946971008105c893c84e450b7afbc13a287d3f56ed9ae

Download Submit
/tmp/fba111160d27811f538ffcee8eb0c1b7BCfWrED

Filesize
705KB

MD5
df9ff33c5af9a2b2e78921a772f3d53e

SHA1
7f1bd2f2b8ccf3fe672b54b4577ffd0216d308d6

SHA256
4f95771522487a6b887011ad7ef5d33c70415347ec9d7ec7559652bd95857bb1

SHA512
ff3e037e3f1ca4d31baa5e58556f12499caefb9754d1cccd9c7ed9846824d822f8017efe16d24a3e4cd0016a72d650aa8d1d51f47bdc31783dcb8404d0089f1d

Download Submit