Analysis
- max time kernel: 145s
- max time network: 154s
- platform: ubuntu-20.04_amd64
- resource: ubuntu2004-amd64-20240508-en
- resource tags: arch:amd64, arch:i386, image:ubuntu2004-amd64-20240508-en, kernel:5.4.0-169-generic, locale:en-us, os:ubuntu-20.04-amd64, system
- submitted: 26-05-2024 20:34
Behavioral tasks
- behavioral1: sample /Client.exe, resource ubuntu1804-amd64-20240508-en
- behavioral2: sample /Client.exe, resource ubuntu2004-amd64-20240508-en
- behavioral3: sample /Client.exe, resource ubuntu2204-amd64-20240522.1-en
- behavioral4: sample /Client.exe, resource ubuntu2404-amd64-20240523-en
- behavioral5: sample /getsetup.exe, resource ubuntu1804-amd64-20240508-en
- behavioral6: sample /getsetup.exe, resource ubuntu2004-amd64-20240508-en
- behavioral7: sample /getsetup.exe, resource ubuntu2204-amd64-20240522.1-en
- behavioral8: sample /getsetup.exe, resource ubuntu2404-amd64-20240523-en
- behavioral9: sample /getsetup.hb, resource ubuntu1804-amd64-20240508-en
- behavioral10: sample /getsetup.hb, resource ubuntu2004-amd64-20240508-en
- behavioral11: sample /getsetup.hb, resource ubuntu2204-amd64-20240522.1-en
- behavioral12: sample /getsetup.hb, resource ubuntu2404-amd64-20240523-en
- behavioral13: sample /ƶ_C.exe, resource ubuntu1804-amd64-20240508-en
- behavioral14: sample /ƶ_C.exe, resource ubuntu2004-amd64-20240508-en
- behavioral15: sample /ƶ_C.exe, resource ubuntu2204-amd64-20240522.1-en
- behavioral16: sample /ƶ_C.exe, resource ubuntu2404-amd64-20240523-en
General
- Target: /getsetup.hb
- Size: 1.0MB
- MD5: 9966d5db77f247070fcac9590a3fde80
- SHA1: ec0fdb1333443a7c0442dd279626bf8d58eb8cbb
- SHA256: 10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199
- SHA512: e6a468cdfd9f720b217069f0dddc012b8549a834862d287ea101914503a048f644085c16b534b2b7418686b792a9ee0cb1e32977751d648d57ed0241bed17131
- SSDEEP: 24576:L8TklemVE3JnQaQAcA+xk3ZeRXP1qjStp/vtq6bUn5V:2IemVE6aQyTpexwyVOn5V
Malware Config
Signatures
- Detected IptabLes/IptabLez backdoor (2 IoCs)
  resource / yara_rule:
  /boot/.IptabLex: family_iptablez
  /boot/.IptabLes: family_iptablez
- Executes dropped EXE (14 IoCs)
  ioc / pid / process:
  /delallmykkks  1432  delallmykkks
  /delallmykkk  1441  delallmykkk
  /delallmykkk  1449  delallmykkk
  /delallmykkks  1450  delallmykkks
  /delallmykkk  1460  delallmykkk
  /delallmykkks  1459  delallmykkks
  /delallmykkks  1470  delallmykkks
  /delallmykkk  1469  delallmykkk
  /delallmykkk  1479  delallmykkk
  /delallmykkks  1480  delallmykkks
  /boot/IptabLex  1606  IptabLex
  /boot/IptabLes  1607  IptabLes
  /boot/.IptabLex  1608  .IptabLex
  /boot/.IptabLes  1610  .IptabLes
- Enumerates running processes
  Discovers information about currently running processes on the system.
- Reads CPU attributes (1 TTP, 32 IoCs)
  description / ioc / process:
  File opened for reading  /sys/devices/system/cpu/online  (32 entries, all the same path; processes ps and kill)
- Reads runtime system information (64 IoCs)
  Reads data from the /proc virtual filesystem.
- Writes file to tmp directory (1 IoC)
  Malware often drops required files in the /tmp directory.
  description / ioc / process:
  File opened for modification  /tmp//getsetup.hbBCfWrED  getsetup.hb
Processes
(indented by process-tree depth; each entry gives the executable path, then the command line as recorded)
- /tmp//getsetup.hb: "/tmp//getsetup.hb"
  signatures: Writes file to tmp directory
  - /bin/sh: sh -c "/tmp//getsetup.hbBCfWrED"
    - /tmp//getsetup.hbBCfWrED: "/tmp//getsetup.hbBCfWrED"
      - /bin/sh: sh -c "/delallmykkks>/dev/null"
        - /delallmykkks: /delallmykkks
          signatures: Executes dropped EXE
          - /usr/bin/grep: grep .IptabLex
          - /usr/bin/ps: ps -f -C .IptabLex
            signatures: Reads CPU attributes; Reads runtime system information
          - /usr/bin/awk: awk "{print \$3}"
          - /usr/bin/xargs: xargs /delallmykkks 2
            - /delallmykkks: /delallmykkks 2
              signatures: Executes dropped EXE
          - /usr/bin/xargs: xargs /delallmykkks 2
            - /delallmykkks: /delallmykkks 2
              signatures: Executes dropped EXE
          - /usr/bin/awk: awk "{print \$3}"
          - /usr/bin/grep: grep .IptabLex
          - /usr/bin/ps: ps -f -C .IptabLex
            signatures: Reads CPU attributes; Reads runtime system information
          - /usr/bin/xargs: xargs /delallmykkks 2
            - /delallmykkks: /delallmykkks 2
              signatures: Executes dropped EXE
          - /usr/bin/awk: awk "{print \$2}"
          - /usr/bin/grep: grep .IptabLex
          - /usr/bin/ps: ps -f -C .IptabLex
            signatures: Reads CPU attributes; Reads runtime system information
          - /usr/bin/xargs: xargs /delallmykkks 2
            - /delallmykkks: /delallmykkks 2
              signatures: Executes dropped EXE
          - /usr/bin/awk: awk "{print \$2}"
          - /usr/bin/grep: grep .IptabLex
          - /usr/bin/ps: ps -f -C .IptabLex
            signatures: Reads CPU attributes; Reads runtime system information
          - /usr/bin/xargs: xargs kill -9
            - /usr/local/sbin/kill: kill -9 1482
            - /usr/local/bin/kill: kill -9 1482
            - /usr/sbin/kill: kill -9 1482
            - /usr/bin/kill: kill -9 1482
              signatures: Reads CPU attributes
          - /usr/bin/awk: awk "{print \$2}"
          - /usr/bin/grep: grep .IptabLex
          - /usr/bin/ps: ps -axu
            signatures: Reads CPU attributes; Reads runtime system information
          - /usr/bin/xargs: xargs kill -9
            - /usr/local/sbin/kill: kill -9 1492
            - /usr/local/bin/kill: kill -9 1492
            - /usr/sbin/kill: kill -9 1492
            - /usr/bin/kill: kill -9 1492
              signatures: Reads CPU attributes
          - /usr/bin/awk: awk "{print \$2}"
          - /usr/bin/grep: grep .IptabLex
          - /usr/bin/ps: ps -axu
            signatures: Reads CPU attributes; Reads runtime system information
          - /usr/bin/xargs: xargs kill -9
            - /usr/local/sbin/kill: kill -9 PID TTY TIME CMD
            - /usr/local/bin/kill: kill -9 PID TTY TIME CMD
            - /usr/sbin/kill: kill -9 PID TTY TIME CMD
            - /usr/bin/kill: kill -9 PID TTY TIME CMD
              signatures: Reads CPU attributes
          - /usr/bin/ps: ps -C .IptabLex
            signatures: Reads CPU attributes; Reads runtime system information
          - /usr/bin/xargs: xargs kill -9
            - /usr/local/sbin/kill: kill -9 PID TTY TIME CMD
            - /usr/local/bin/kill: kill -9 PID TTY TIME CMD
            - /usr/sbin/kill: kill -9 PID TTY TIME CMD
            - /usr/bin/kill: kill -9 PID TTY TIME CMD
              signatures: Reads CPU attributes
          - /usr/bin/ps: ps -C .IptabLex
            signatures: Reads CPU attributes; Reads runtime system information
          - /usr/bin/xargs: xargs rm -f
            - /usr/local/sbin/rm: rm -f
            - /usr/local/bin/rm: rm -f
            - /usr/sbin/rm: rm -f
            - /usr/bin/rm: rm -f
          - /usr/bin/ps: ps find / -name "*ptabLex"
            signatures: Reads CPU attributes
          - /usr/bin/xargs: xargs rm -f
            - /usr/local/sbin/rm: rm -f
            - /usr/local/bin/rm: rm -f
            - /usr/sbin/rm: rm -f
            - /usr/bin/rm: rm -f
          - /usr/bin/ps: ps find / -name .IptabLex
            signatures: Reads CPU attributes
          - /usr/bin/xargs: xargs rm -f
            - /usr/local/sbin/rm: rm -f
            - /usr/local/bin/rm: rm -f
            - /usr/sbin/rm: rm -f
            - /usr/bin/rm: rm -f
          - /usr/bin/ps: ps find / -name "*ptabLex"
            signatures: Reads CPU attributes
          - /usr/bin/xargs: xargs rm -f
            - /usr/local/sbin/rm: rm -f
            - /usr/local/bin/rm: rm -f
            - /usr/sbin/rm: rm -f
            - /usr/bin/rm: rm -f
          - /usr/bin/ps: ps find / -name .IptabLex
            signatures: Reads CPU attributes
          - /usr/bin/rm: rm -f /boot/.stabip
          - /usr/bin/rm: rm -f /boot/.IptabLex
          - /usr/bin/rm: rm -f /etc/rc.d/init.d/IptabLex
          - /usr/bin/rm: rm -f /boot/IptabLex
          - /usr/bin/rm: rm -f /tmp/IptabLex
          - /usr/bin/rm: rm -f /usr/IptabLex
          - /usr/bin/rm: rm -f /usr/.IptabLex
          - /usr/bin/rm: rm -f "/etc/rc.d/rc4.d/*IptabLex"
          - /usr/bin/rm: rm -f "/etc/rc.d/rc1.d/*IptabLex"
          - /usr/bin/rm: rm -f "/etc/rc.d/rc2.d/*IptabLex"
          - /usr/bin/rm: rm -f "/etc/rc.d/rc3.d/*IptabLex"
          - /usr/bin/rm: rm -f "/etc/rc.d/rc0.d/*IptabLex"
          - /usr/bin/rm: rm -f "/etc/rc.d/rc5.d/*IptabLex"
          - /usr/bin/rm: rm -f "/etc/rc.d/rc6.d/*IptabLex"
          - /usr/bin/rm: rm -f /etc/init.d/IptabLex
          - /usr/bin/rm: rm -f "/etc/rc4.d/*IptabLex"
          - /usr/bin/rm: rm -f "/etc/rc1.d/*IptabLex"
          - /usr/bin/rm: rm -f "/etc/rc2.d/*IptabLex"
          - /usr/bin/rm: rm -f "/etc/rc3.d/*IptabLex"
          - /usr/bin/rm: rm -f "/etc/rc0.d/*IptabLex"
          - /usr/bin/rm: rm -f "/etc/rc5.d/*IptabLex"
          - /usr/bin/rm: rm -f "/etc/rc6.d/*IptabLex"
          - /usr/bin/rm: rm -rf /delallmykkks
      - /bin/sh: sh -c "nohup cp /tmp//getsetup.hbBCfWrED /boot/.IptabLex>/dev/null"
        - /usr/bin/nohup: nohup cp "/tmp//getsetup.hbBCfWrED" /boot/.IptabLex
        - /usr/local/sbin/cp: cp "/tmp//getsetup.hbBCfWrED" /boot/.IptabLex
        - /usr/local/bin/cp: cp "/tmp//getsetup.hbBCfWrED" /boot/.IptabLex
        - /usr/sbin/cp: cp "/tmp//getsetup.hbBCfWrED" /boot/.IptabLex
        - /usr/bin/cp: cp "/tmp//getsetup.hbBCfWrED" /boot/.IptabLex
      - /bin/sh: sh -c /etc/rc2.d/S55IptabLex
        - /etc/rc2.d/S55IptabLex: /etc/rc2.d/S55IptabLex
      - /bin/sh: sh -c /etc/rc3.d/S55IptabLex
        - /etc/rc3.d/S55IptabLex: /etc/rc3.d/S55IptabLex
      - /bin/sh: sh -c /etc/rc4.d/S55IptabLex
        - /etc/rc4.d/S55IptabLex: /etc/rc4.d/S55IptabLex
      - /bin/sh: sh -c /etc/rc5.d/S55IptabLex
        - /etc/rc5.d/S55IptabLex: /etc/rc5.d/S55IptabLex
      - /bin/sh: sh -c /boot/IptabLex
        - /boot/IptabLex: /boot/IptabLex
          signatures: Executes dropped EXE
          - /boot/.IptabLex: /boot/.IptabLex
            signatures: Executes dropped EXE
      - /bin/sh: sh -c "nohup sh /delxxaazzx>/dev/null&"
  - /bin/sh: sh -c "/delallmykkk>/dev/null"
    - /delallmykkk: /delallmykkk
      signatures: Executes dropped EXE
      - /usr/bin/grep: grep .IptabLes
      - /usr/bin/awk: awk "{print \$3}"
      - /usr/bin/xargs: xargs /delallmykkk 2
        - /delallmykkk: /delallmykkk 2
          signatures: Executes dropped EXE
      - /usr/bin/ps: ps -f -C .IptabLes
        signatures: Reads CPU attributes; Reads runtime system information
      - /usr/bin/xargs: xargs /delallmykkk 2
        - /delallmykkk: /delallmykkk 2
          signatures: Executes dropped EXE
      - /usr/bin/awk: awk "{print \$3}"
      - /usr/bin/grep: grep .IptabLes
      - /usr/bin/ps: ps -f -C .IptabLes
        signatures: Reads CPU attributes; Reads runtime system information
      - /usr/bin/xargs: xargs /delallmykkk 2
        - /delallmykkk: /delallmykkk 2
          signatures: Executes dropped EXE
      - /usr/bin/awk: awk "{print \$2}"
      - /usr/bin/grep: grep .IptabLes
      - /usr/bin/ps: ps -f -C .IptabLes
        signatures: Reads CPU attributes; Reads runtime system information
      - /usr/bin/xargs: xargs /delallmykkk 2
        - /delallmykkk: /delallmykkk 2
          signatures: Executes dropped EXE
      - /usr/bin/awk: awk "{print \$2}"
      - /usr/bin/grep: grep .IptabLes
      - /usr/bin/ps: ps -f -C .IptabLes
        signatures: Reads CPU attributes; Reads runtime system information
      - /usr/bin/xargs: xargs kill -9
        - /usr/local/sbin/kill: kill -9 1486
        - /usr/local/bin/kill: kill -9 1486
        - /usr/sbin/kill: kill -9 1486
        - /usr/bin/kill: kill -9 1486
          signatures: Reads CPU attributes
      - /usr/bin/awk: awk "{print \$2}"
      - /usr/bin/grep: grep .IptabLes
      - /usr/bin/ps: ps -axu
        signatures: Reads CPU attributes; Reads runtime system information
      - /usr/bin/xargs: xargs kill -9
        - /usr/local/sbin/kill: kill -9 1495
        - /usr/local/bin/kill: kill -9 1495
        - /usr/sbin/kill: kill -9 1495
        - /usr/bin/kill: kill -9 1495
          signatures: Reads CPU attributes
      - /usr/bin/awk: awk "{print \$2}"
      - /usr/bin/grep: grep .IptabLes
      - /usr/bin/ps: ps -axu
        signatures: Reads CPU attributes; Reads runtime system information
      - /usr/bin/xargs: xargs kill -9
        - /usr/local/sbin/kill: kill -9 PID TTY TIME CMD
        - /usr/local/bin/kill: kill -9 PID TTY TIME CMD
        - /usr/sbin/kill: kill -9 PID TTY TIME CMD
        - /usr/bin/kill: kill -9 PID TTY TIME CMD
          signatures: Reads CPU attributes
      - /usr/bin/ps: ps -C .IptabLes
        signatures: Reads CPU attributes; Reads runtime system information
      - /usr/bin/xargs: xargs kill -9
        - /usr/local/sbin/kill: kill -9
        - /usr/local/bin/kill: kill -9
        - /usr/sbin/kill: kill -9
        - /usr/bin/kill: kill -9
          signatures: Reads CPU attributes
      - /usr/bin/grep: grep .IptabLes
      - /usr/bin/ps: ps -C .IptabLes
        signatures: Reads CPU attributes; Reads runtime system information
      - /usr/bin/xargs: xargs rm -f
        - /usr/local/sbin/rm: rm -f
        - /usr/local/bin/rm: rm -f
        - /usr/sbin/rm: rm -f
        - /usr/bin/rm: rm -f
      - /usr/bin/ps: ps find / -name "*ptabLes"
        signatures: Reads CPU attributes
      - /usr/bin/xargs: xargs rm -f
        - /usr/local/sbin/rm: rm -f
        - /usr/local/bin/rm: rm -f
        - /usr/sbin/rm: rm -f
        - /usr/bin/rm: rm -f
      - /usr/bin/ps: ps find / -name .IptabLes
        signatures: Reads CPU attributes
      - /usr/bin/xargs: xargs rm -f
        - /usr/local/sbin/rm: rm -f
        - /usr/local/bin/rm: rm -f
        - /usr/sbin/rm: rm -f
        - /usr/bin/rm: rm -f
      - /usr/bin/ps: ps find / -name "*ptabLes"
        signatures: Reads CPU attributes
      - /usr/bin/xargs: xargs rm -f
        - /usr/local/sbin/rm: rm -f
        - /usr/local/bin/rm: rm -f
        - /usr/sbin/rm: rm -f
        - /usr/bin/rm: rm -f
      - /usr/bin/ps: ps find / -name .IptabLes
        signatures: Reads CPU attributes
      - /usr/bin/rm: rm -f /boot/.stabip
      - /usr/bin/rm: rm -f /boot/.IptabLes
      - /usr/bin/rm: rm -f /etc/rc.d/init.d/IptabLes
      - /usr/bin/rm: rm -f /boot/IptabLes
      - /usr/bin/rm: rm -f /tmp/IptabLes
      - /usr/bin/rm: rm -f /usr/IptabLes
      - /usr/bin/rm: rm -f /usr/.IptabLes
      - /usr/bin/rm: rm -f "/etc/rc.d/rc4.d/*IptabLes"
      - /usr/bin/rm: rm -f "/etc/rc.d/rc1.d/*IptabLes"
      - /usr/bin/rm: rm -f "/etc/rc.d/rc2.d/*IptabLes"
      - /usr/bin/rm: rm -f "/etc/rc.d/rc3.d/*IptabLes"
      - /usr/bin/rm: rm -f "/etc/rc.d/rc0.d/*IptabLes"
      - /usr/bin/rm: rm -f "/etc/rc.d/rc5.d/*IptabLes"
      - /usr/bin/rm: rm -f "/etc/rc.d/rc6.d/*IptabLes"
      - /usr/bin/rm: rm -f /etc/init.d/IptabLes
      - /usr/bin/rm: rm -f "/etc/rc4.d/*IptabLes"
      - /usr/bin/rm: rm -f "/etc/rc1.d/*IptabLes"
      - /usr/bin/rm: rm -f "/etc/rc2.d/*IptabLes"
      - /usr/bin/rm: rm -f "/etc/rc3.d/*IptabLes"
      - /usr/bin/rm: rm -f "/etc/rc0.d/*IptabLes"
      - /usr/bin/rm: rm -f "/etc/rc5.d/*IptabLes"
      - /usr/bin/rm: rm -f "/etc/rc6.d/*IptabLes"
      - /usr/bin/rm: rm -rf /delallmykkk
  - /bin/sh: sh -c "nohup cp /tmp//getsetup.hb /boot/.IptabLes>/dev/null"
    - /usr/bin/nohup: nohup cp "/tmp//getsetup.hb" /boot/.IptabLes
    - /usr/local/sbin/cp: cp "/tmp//getsetup.hb" /boot/.IptabLes
    - /usr/local/bin/cp: cp "/tmp//getsetup.hb" /boot/.IptabLes
    - /usr/sbin/cp: cp "/tmp//getsetup.hb" /boot/.IptabLes
    - /usr/bin/cp: cp "/tmp//getsetup.hb" /boot/.IptabLes
  - /bin/sh: sh -c /etc/rc2.d/S55IptabLes
    - /etc/rc2.d/S55IptabLes: /etc/rc2.d/S55IptabLes
  - /bin/sh: sh -c /etc/rc3.d/S55IptabLes
    - /etc/rc3.d/S55IptabLes: /etc/rc3.d/S55IptabLes
  - /bin/sh: sh -c /etc/rc4.d/S55IptabLes
    - /etc/rc4.d/S55IptabLes: /etc/rc4.d/S55IptabLes
  - /bin/sh: sh -c /etc/rc5.d/S55IptabLes
    - /etc/rc5.d/S55IptabLes: /etc/rc5.d/S55IptabLes
  - /bin/sh: sh -c /boot/IptabLes
    - /boot/IptabLes: /boot/IptabLes
      signatures: Executes dropped EXE
      - /boot/.IptabLes: /boot/.IptabLes
        signatures: Executes dropped EXE
  - /bin/sh: sh -c "nohup sh /delxxaazz>/dev/null&"
- /usr/bin/nohup: nohup sh /delxxaazzx
- /usr/local/sbin/sh: sh /delxxaazzx
- /usr/local/bin/sh: sh /delxxaazzx
- /usr/sbin/sh: sh /delxxaazzx
- /usr/bin/sh: sh /delxxaazzx
  - /usr/bin/sleep: sleep 3
  - /usr/bin/sleep: sleep 1
  - /usr/bin/rm: rm -f "/tmp//getsetup.hbBCfWrED"
  - /usr/bin/rm: rm -rf /delxxaazzx
- /usr/bin/nohup: nohup sh /delxxaazz
- /usr/local/sbin/sh: sh /delxxaazz
- /usr/local/bin/sh: sh /delxxaazz
- /usr/sbin/sh: sh /delxxaazz
- /usr/bin/sh: sh /delxxaazz
  - /usr/bin/sleep: sleep 3
  - /usr/bin/sleep: sleep 1
  - /usr/bin/rm: rm -f "/tmp//getsetup.hb"
  - /usr/bin/rm: rm -rf /delxxaazz
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- /.mylisthbSx.pid
  Filesize: 5B
  MD5: 8ca90246f736b3d0818e71327009a021
  SHA1: 657bb9913aa89cf487cfe429d602128a7e387204
  SHA256: c6c64942180268c8706d16898737e97147aff160748bf887c9b3c3d272c9816b
  SHA512: bea2087c1bd74a31c2c9622dd5342648aeb900f186ad75bcf2baf8dd680ec2b0cca8baad72e4cef5d8b8e1b75a2c0606481ab9ce97814e575c0801c118c0367f
- /.mylisthbx.pid
  Filesize: 5B
  MD5: 42dcd029ef0d9372784039054e5f635c
  SHA1: 0c65a947a29c79b7dc06d5d6fa4188523315ea10
  SHA256: d4ed4919e6c216d8cca64df42702c993922850aeb8a50a98b5706f82d0f79f33
  SHA512: e25b035df55747415d81db21ef85e6012bb1701307b3d968b5479262657448de4b1b85fc4a96e2e8a382fc4877306b4ccadaac3cebc2fab80a5fb404129ab4cc
- /.mylisthbx.pid
  Filesize: 5B
  MD5: 8e9ae8b65c03cdfa69da7c6fe8389acc
  SHA1: 8bda52c6fae962e108cb6e94831c3ff91baaab95
  SHA256: 41981270c48723906828aac464fb928d35d03a0a4228e6326a014e8cb82244dd
  SHA512: c8dd170e971409201a0ebd770a979b6d50b50326676520852f5252ceb94d4b2ea1e1c9d8bdd7c1aca4ecf56a97bec02fef130e6894d289c70df83e2006139c0a
- /.mylisthbx.pid
  Filesize: 5B
  MD5: aa3160fc141b0f0b0666a3589323ec27
  SHA1: 97bf70a62495fdde7afa66be99408b2683317b32
  SHA256: b082f7f3adc6c439254e3f5233bbc4c207e0146600ba529687eb90c23293863d
  SHA512: 91362d316e355fda04790d23f5e4ea6da81926c667c1c7fb61b9dd885001eecaa4ebdd521845836bfb2d77917decfd5f0d64ae592463e1718b3d1d1f9b4fb967
- /boot/.IptabLes
  Filesize: 1.0MB
  MD5: 9966d5db77f247070fcac9590a3fde80
  SHA1: ec0fdb1333443a7c0442dd279626bf8d58eb8cbb
  SHA256: 10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199
  SHA512: e6a468cdfd9f720b217069f0dddc012b8549a834862d287ea101914503a048f644085c16b534b2b7418686b792a9ee0cb1e32977751d648d57ed0241bed17131
- /boot/.IptabLex
  Filesize: 705KB
  MD5: 7b6ecf8e0740258188a3b3ad1c9fe050
  SHA1: 9054f186567fe7cfcb1197a903c8873e48c42385
  SHA256: 1f5e9a31d677e3d2f1beefd1dc01c9bf492e2e3b9eb4d61903b2d9cd5c1a1f43
  SHA512: 476e0e3b78f7eafca818ee2b17f77f83991e175182ba1a9aeea1a73f25588dbb4cd45202c492fa4b621b5a50a3af42e2c8ec2478c203c6a5df08d2cb3e5689b2
- /boot/IptabLes
  Filesize: 33B
  MD5: 83ed46dc4887fda860c6a43f11c34877
  SHA1: 76505b08bae1a79ef5b194df6230d8a0dd406146
  SHA256: a654d6c11d5af3247a32622f3b4ed15ee84f9f421ac229fb4554276ba89762f3
  SHA512: a19776d13d5e0fc67e33a4b12e58617d77224e5313b4c4d81886ea4d32ee93e2fbf2209a85f2dae5515338536281f6ee0080113adc241d979df17f3acef57920
- /boot/IptabLex
  Filesize: 33B
  MD5: f87babea4da49278448a7cfc90378881
  SHA1: 6894fb87a61fa12616d676232573bcc6a97337cf
  SHA256: c76e5acffa83340ec7ee66fbf876bf0be9939b9c741f9db013451ff83139ad70
  SHA512: 4c5d834f67d9af90a8d9cb6fa5296a02184ef4abdde220d1d96c1705f39ce91822a58a800bb4f54bd2322658871a3e3f8cb135a3c147d7bdfd6b5fe972568514
- /delallmykkk
  Filesize: 1KB
  MD5: d42637b86ca7c28cf8f149693a725c1a
  SHA1: e0fa8c025eb03ab6c23c2095f2cb3ea85aed4c52
  SHA256: 0eb4b7f646bbd2a08fa342654c4d27285d7851bf53309e407de6273baba398c9
  SHA512: 0ff790803c531db3a243f497772a6e76a78dc73d12f687e43e5760a43b1bf10798d4496b12e46bd1cee89d8e29dafa294555a912451db0ba90218e61245c5261
- /delallmykkks
  Filesize: 1KB
  MD5: 8da57205d718f385e3878220b55635e4
  SHA1: 28c2bab19d21e8712819f257c81cc80189147e2f
  SHA256: 8cdd7e6196522a770304eb9a0c8dfa47a72f4d9c9abac7cd3c559782e05275a6
  SHA512: bdb138f44ca919e99915e113f7d4274c869e0cf743766bc969cd0f89e789363f446cfbf207b68f48e569323092cec5510a4a7fb319f88e0fda00a2dd0be59582
- /delxxaazz
  Filesize: 80B
  MD5: d72b8800ee99f3cc99e9391648466c41
  SHA1: 79ff5c09affb5f176b9a5b9277b1c35d0ea86355
  SHA256: f568e874ef0c6792de48ce6a2bae0ff892944574f135c9a2789dae6ff6c3b63b
  SHA512: d9acc4190ecef03082019a5a3441b38f8d99af9d5f082bfc2c972c534e930062f8b084bb25d780f9c42de849099e0d4a6455c886f6f4a812acedb2e529dfd934
- /delxxaazzx
  Filesize: 87B
  MD5: 8460ebb0c42b026d731c8e10ab1eab54
  SHA1: 90d2a60d20f9170935731db1b92ea8a38b62a39e
  SHA256: 13090d6af02c83078dc9dce84883b08df4b2aba4042e769efb17d7d1497d47ec
  SHA512: dd64ca60b87fe659af9ed95ec8c6ca5f621c80a4c2b347629203bb83f0924dddf9e7ff32fc7660523a5130a0ece8a0817f1b471ba641351b0aa7eb72971b0785