iptablez | 1c714527787cb354ebba0eeb1657fb054be765838e8c845d13c488480a872e23

Analysis

max time kernel
145s
max time network
154s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240508-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
26/05/2024, 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

/getsetup.hb
Size

1.0MB
MD5

9966d5db77f247070fcac9590a3fde80
SHA1

ec0fdb1333443a7c0442dd279626bf8d58eb8cbb
SHA256

10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199
SHA512

e6a468cdfd9f720b217069f0dddc012b8549a834862d287ea101914503a048f644085c16b534b2b7418686b792a9ee0cb1e32977751d648d57ed0241bed17131
SSDEEP

24576:L8TklemVE3JnQaQAcA+xk3ZeRXP1qjStp/vtq6bUn5V:2IemVE6aQyTpexwyVOn5V

Score

10^/10

iptablez backdoor

Malware Config

Signatures

Detected IptabLes/IptabLez backdoor 2 IoCs

resource	yara_rule
behavioral10/files/fstream-3.dat	family_iptablez
behavioral10/files/fstream-4.dat	family_iptablez

IptabLes/IptabLez Backdoor
Linux RAT/backdoor which has been around since 2014.
backdoor iptablez

Executes dropped EXE 14 IoCs

ioc	pid	Process
/delallmykkks	1432	delallmykkks
/delallmykkk	1441	delallmykkk
/delallmykkk	1449	delallmykkk
/delallmykkks	1450	delallmykkks
/delallmykkk	1460	delallmykkk
/delallmykkks	1459	delallmykkks
/delallmykkks	1470	delallmykkks
/delallmykkk	1469	delallmykkk
/delallmykkk	1479	delallmykkk
/delallmykkks	1480	delallmykkks
/boot/IptabLex	1606	IptabLex
/boot/IptabLes	1607	IptabLes
/boot/.IptabLex	1608	.IptabLex
/boot/.IptabLes	1610	.IptabLes

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 32 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/89/stat	ps
File opened for reading	/proc/160/status	ps
File opened for reading	/proc/78/status	ps
File opened for reading	/proc/488/stat	ps
File opened for reading	/proc/1040/status	ps
File opened for reading	/proc/1147/stat	ps
File opened for reading	/proc/1472/status	ps
File opened for reading	/proc/1087/status	ps
File opened for reading	/proc/807/status	ps
File opened for reading	/proc/813/stat	ps
File opened for reading	/proc/1452/cmdline	ps
File opened for reading	/proc/1089/cmdline	ps
File opened for reading	/proc/813/stat	ps
File opened for reading	/proc/1031/status	ps
File opened for reading	/proc/681/cmdline	ps
File opened for reading	/proc/1364/stat	ps
File opened for reading	/proc/171/status	ps
File opened for reading	/proc/177/stat	ps
File opened for reading	/proc/1096/stat	ps
File opened for reading	/proc/10/stat	ps
File opened for reading	/proc/1107/stat	ps
File opened for reading	/proc/1080/status	ps
File opened for reading	/proc/119/status	ps
File opened for reading	/proc/312/stat	ps
File opened for reading	/proc/693/stat	ps
File opened for reading	/proc/76/cmdline	ps
File opened for reading	/proc/1411/cmdline	ps
File opened for reading	/proc/1080/stat	ps
File opened for reading	/proc/17/status	ps
File opened for reading	/proc/176/status	ps
File opened for reading	/proc/1340/cmdline	ps
File opened for reading	/proc/1044/stat	ps
File opened for reading	/proc/168/stat	ps
File opened for reading	/proc/119/stat	ps
File opened for reading	/proc/85/status	ps
File opened for reading	/proc/574/stat	ps
File opened for reading	/proc/1462/status	ps
File opened for reading	/proc/1088/status	ps
File opened for reading	/proc/5/stat	ps
File opened for reading	/proc/1362/status	ps
File opened for reading	/proc/self/stat	ps
File opened for reading	/proc/77/cmdline	ps
File opened for reading	/proc/1451/stat	ps
File opened for reading	/proc/272/cmdline	ps
File opened for reading	/proc/1026/cmdline	ps
File opened for reading	/proc/1475/stat	ps
File opened for reading	/proc/1078/cmdline	ps
File opened for reading	/proc/807/status	ps
File opened for reading	/proc/5/stat	ps
File opened for reading	/proc/506/status	ps
File opened for reading	/proc/1432/status	ps
File opened for reading	/proc/681/stat	ps
File opened for reading	/proc/1031/status	ps
File opened for reading	/proc/1096/status	ps
File opened for reading	/proc/956/status	ps
File opened for reading	/proc/1147/cmdline	ps
File opened for reading	/proc/20/status	ps
File opened for reading	/proc/23/status	ps
File opened for reading	/proc/805/stat	ps
File opened for reading	/proc/1453/status	ps
File opened for reading	/proc/272/stat	ps
File opened for reading	/proc/10/cmdline	ps
File opened for reading	/proc/569/cmdline	ps
File opened for reading	/proc/588/stat	ps

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp//getsetup.hbBCfWrED	getsetup.hb

/tmp//getsetup.hb
"/tmp//getsetup.hb"
1⤵
- Writes file to tmp directory
PID:1417
- /bin/sh
  sh -c "/tmp//getsetup.hbBCfWrED"
  2⤵
  PID:1424
- - /tmp//getsetup.hbBCfWrED
    "/tmp//getsetup.hbBCfWrED"
    3⤵
    PID:1425
  - - /bin/sh
      sh -c "/delallmykkks>/dev/null"
      4⤵
      PID:1431
    - - /delallmykkks
        
        /delallmykkks
        5⤵
        Executes dropped EXE
        
        PID:1432
      - /usr/bin/grep
        
        grep .IptabLex
        6⤵
        
        PID:1434
      - /usr/bin/ps
        
        ps -f -C .IptabLex
        6⤵
        Reads CPU attributes
        Reads runtime system information
        
        PID:1433
      - /usr/bin/awk
        
        awk "{print \$3}"
        6⤵
        
        PID:1435
      - /usr/bin/xargs
        
        xargs /delallmykkks 2
        6⤵
        
        PID:1436
        
        /delallmykkks
        
        /delallmykkks 2
        7⤵
        Executes dropped EXE
        
        PID:1450
      - /usr/bin/xargs
        
        xargs /delallmykkks 2
        6⤵
        
        PID:1458
        
        /delallmykkks
        
        /delallmykkks 2
        7⤵
        Executes dropped EXE
        
        PID:1459
      - /usr/bin/awk
        
        awk "{print \$3}"
        6⤵
        
        PID:1457
      - /usr/bin/grep
        
        grep .IptabLex
        6⤵
        
        PID:1456
      - /usr/bin/ps
        
        ps -f -C .IptabLex
        6⤵
        Reads CPU attributes
        Reads runtime system information
        
        PID:1455
      - /usr/bin/xargs
        
        xargs /delallmykkks 2
        6⤵
        
        PID:1464
        
        /delallmykkks
        
        /delallmykkks 2
        7⤵
        Executes dropped EXE
        
        PID:1470
      - /usr/bin/awk
        
        awk "{print \$2}"
        6⤵
        
        PID:1463
      - /usr/bin/grep
        
        grep .IptabLex
        6⤵
        
        PID:1462
      - /usr/bin/ps
        
        ps -f -C .IptabLex
        6⤵
        Reads CPU attributes
        Reads runtime system information
        
        PID:1461
      - /usr/bin/xargs
        
        xargs /delallmykkks 2
        6⤵
        
        PID:1478
        
        /delallmykkks
        
        /delallmykkks 2
        7⤵
        Executes dropped EXE
        
        PID:1480
      - /usr/bin/awk
        
        awk "{print \$2}"
        6⤵
        
        PID:1477
      - /usr/bin/grep
        
        grep .IptabLex
        6⤵
        
        PID:1476
      - /usr/bin/ps
        
        ps -f -C .IptabLex
        6⤵
        Reads CPU attributes
        Reads runtime system information
        
        PID:1475
      - /usr/bin/xargs
        
        xargs kill -9
        6⤵
        
        PID:1484
        
        /usr/local/sbin/kill
        
        kill -9 1482
        7⤵
        
        PID:1490
        
        /usr/local/bin/kill
        
        kill -9 1482
        7⤵
        
        PID:1490
        
        /usr/sbin/kill
        
        kill -9 1482
        7⤵
        
        PID:1490
        
        /usr/bin/kill
        
        kill -9 1482
        7⤵
        Reads CPU attributes
        
        PID:1490
      - /usr/bin/awk
        
        awk "{print \$2}"
        6⤵
        
        PID:1483
      - /usr/bin/grep
        
        grep .IptabLex
        6⤵
        
        PID:1482
      - /usr/bin/ps
        
        ps -axu
        6⤵
        Reads CPU attributes
        Reads runtime system information
        
        PID:1481
      - /usr/bin/xargs
        
        xargs kill -9
        6⤵
        
        PID:1496
        
        /usr/local/sbin/kill
        
        kill -9 1492
        7⤵
        
        PID:1499
        
        /usr/local/bin/kill
        
        kill -9 1492
        7⤵
        
        PID:1499
        
        /usr/sbin/kill
        
        kill -9 1492
        7⤵
        
        PID:1499
        
        /usr/bin/kill
        
        kill -9 1492
        7⤵
        Reads CPU attributes
        
        PID:1499
      - /usr/bin/awk
        
        awk "{print \$2}"
        6⤵
        
        PID:1494
      - /usr/bin/grep
        
        grep .IptabLex
        6⤵
        
        PID:1492
      - /usr/bin/ps
        
        ps -axu
        6⤵
        Reads CPU attributes
        Reads runtime system information
        
        PID:1491
      - /usr/bin/xargs
        
        xargs kill -9
        6⤵
        
        PID:1504
        
        /usr/local/sbin/kill
        
        kill -9 PID TTY TIME CMD
        7⤵
        
        PID:1505
        
        /usr/local/bin/kill
        
        kill -9 PID TTY TIME CMD
        7⤵
        
        PID:1505
        
        /usr/sbin/kill
        
        kill -9 PID TTY TIME CMD
        7⤵
        
        PID:1505
        
        /usr/bin/kill
        
        kill -9 PID TTY TIME CMD
        7⤵
        Reads CPU attributes
        
        PID:1505
      - /usr/bin/ps
        
        ps -C .IptabLex
        6⤵
        Reads CPU attributes
        Reads runtime system information
        
        PID:1503
      - /usr/bin/xargs
        
        xargs kill -9
        6⤵
        
        PID:1511
        
        /usr/local/sbin/kill
        
        kill -9 PID TTY TIME CMD
        7⤵
        
        PID:1512
        
        /usr/local/bin/kill
        
        kill -9 PID TTY TIME CMD
        7⤵
        
        PID:1512
        
        /usr/sbin/kill
        
        kill -9 PID TTY TIME CMD
        7⤵
        
        PID:1512
        
        /usr/bin/kill
        
        kill -9 PID TTY TIME CMD
        7⤵
        Reads CPU attributes
        
        PID:1512
      - /usr/bin/ps
        
        ps -C .IptabLex
        6⤵
        Reads CPU attributes
        Reads runtime system information
        
        PID:1509
      - /usr/bin/xargs
        
        xargs rm -f
        6⤵
        
        PID:1515
        
        /usr/local/sbin/rm
        
        rm -f
        7⤵
        
        PID:1518
        
        /usr/local/bin/rm
        
        rm -f
        7⤵
        
        PID:1518
        
        /usr/sbin/rm
        
        rm -f
        7⤵
        
        PID:1518
        
        /usr/bin/rm
        
        rm -f
        7⤵
        
        PID:1518
      - /usr/bin/ps
        
        ps find / -name "*ptabLex"
        6⤵
        Reads CPU attributes
        
        PID:1514
      - /usr/bin/xargs
        
        xargs rm -f
        6⤵
        
        PID:1522
        
        /usr/local/sbin/rm
        
        rm -f
        7⤵
        
        PID:1525
        
        /usr/local/bin/rm
        
        rm -f
        7⤵
        
        PID:1525
        
        /usr/sbin/rm
        
        rm -f
        7⤵
        
        PID:1525
        
        /usr/bin/rm
        
        rm -f
        7⤵
        
        PID:1525
      - /usr/bin/ps
        
        ps find / -name .IptabLex
        6⤵
        Reads CPU attributes
        
        PID:1521
      - /usr/bin/xargs
        
        xargs rm -f
        6⤵
        
        PID:1528
        
        /usr/local/sbin/rm
        
        rm -f
        7⤵
        
        PID:1531
        
        /usr/local/bin/rm
        
        rm -f
        7⤵
        
        PID:1531
        
        /usr/sbin/rm
        
        rm -f
        7⤵
        
        PID:1531
        
        /usr/bin/rm
        
        rm -f
        7⤵
        
        PID:1531
      - /usr/bin/ps
        
        ps find / -name "*ptabLex"
        6⤵
        Reads CPU attributes
        
        PID:1527
      - /usr/bin/xargs
        
        xargs rm -f
        6⤵
        
        PID:1535
        
        /usr/local/sbin/rm
        
        rm -f
        7⤵
        
        PID:1536
        
        /usr/local/bin/rm
        
        rm -f
        7⤵
        
        PID:1536
        
        /usr/sbin/rm
        
        rm -f
        7⤵
        
        PID:1536
        
        /usr/bin/rm
        
        rm -f
        7⤵
        
        PID:1536
      - /usr/bin/ps
        
        ps find / -name .IptabLex
        6⤵
        Reads CPU attributes
        
        PID:1533
      - /usr/bin/rm
        
        rm -f /boot/.stabip
        6⤵
        
        PID:1538
      - /usr/bin/rm
        
        rm -f /boot/.IptabLex
        6⤵
        
        PID:1541
      - /usr/bin/rm
        
        rm -f /etc/rc.d/init.d/IptabLex
        6⤵
        
        PID:1543
      - /usr/bin/rm
        
        rm -f /boot/IptabLex
        6⤵
        
        PID:1545
      - /usr/bin/rm
        
        rm -f /tmp/IptabLex
        6⤵
        
        PID:1546
      - /usr/bin/rm
        
        rm -f /usr/IptabLex
        6⤵
        
        PID:1548
      - /usr/bin/rm
        
        rm -f /usr/.IptabLex
        6⤵
        
        PID:1551
      - /usr/bin/rm
        
        rm -f "/etc/rc.d/rc4.d/*IptabLex"
        6⤵
        
        PID:1553
      - /usr/bin/rm
        
        rm -f "/etc/rc.d/rc1.d/*IptabLex"
        6⤵
        
        PID:1555
      - /usr/bin/rm
        
        rm -f "/etc/rc.d/rc2.d/*IptabLex"
        6⤵
        
        PID:1556
      - /usr/bin/rm
        
        rm -f "/etc/rc.d/rc3.d/*IptabLex"
        6⤵
        
        PID:1559
      - /usr/bin/rm
        
        rm -f "/etc/rc.d/rc0.d/*IptabLex"
        6⤵
        
        PID:1560
      - /usr/bin/rm
        
        rm -f "/etc/rc.d/rc5.d/*IptabLex"
        6⤵
        
        PID:1562
      - /usr/bin/rm
        
        rm -f "/etc/rc.d/rc6.d/*IptabLex"
        6⤵
        
        PID:1565
      - /usr/bin/rm
        
        rm -f /etc/init.d/IptabLex
        6⤵
        
        PID:1566
      - /usr/bin/rm
        
        rm -f "/etc/rc4.d/*IptabLex"
        6⤵
        
        PID:1568
      - /usr/bin/rm
        
        rm -f "/etc/rc1.d/*IptabLex"
        6⤵
        
        PID:1571
      - /usr/bin/rm
        
        rm -f "/etc/rc2.d/*IptabLex"
        6⤵
        
        PID:1572
      - /usr/bin/rm
        
        rm -f "/etc/rc3.d/*IptabLex"
        6⤵
        
        PID:1575
      - /usr/bin/rm
        
        rm -f "/etc/rc0.d/*IptabLex"
        6⤵
        
        PID:1577
      - /usr/bin/rm
        
        rm -f "/etc/rc5.d/*IptabLex"
        6⤵
        
        PID:1578
      - /usr/bin/rm
        
        rm -f "/etc/rc6.d/*IptabLex"
        6⤵
        
        PID:1580
      - /usr/bin/rm
        
        rm -rf /delallmykkks
        6⤵
        
        PID:1583
  - - /bin/sh
      sh -c "nohup cp /tmp//getsetup.hbBCfWrED /boot/.IptabLex>/dev/null"
      4⤵
      PID:1585
    - - /usr/bin/nohup
        
        nohup cp "/tmp//getsetup.hbBCfWrED" /boot/.IptabLex
        5⤵
        
        PID:1587
    - - /usr/local/sbin/cp
        
        cp "/tmp//getsetup.hbBCfWrED" /boot/.IptabLex
        5⤵
        
        PID:1587
    - - /usr/local/bin/cp
        
        cp "/tmp//getsetup.hbBCfWrED" /boot/.IptabLex
        5⤵
        
        PID:1587
    - - /usr/sbin/cp
        
        cp "/tmp//getsetup.hbBCfWrED" /boot/.IptabLex
        5⤵
        
        PID:1587
    - - /usr/bin/cp
        
        cp "/tmp//getsetup.hbBCfWrED" /boot/.IptabLex
        5⤵
        
        PID:1587
  - - /bin/sh
      sh -c /etc/rc2.d/S55IptabLex
      4⤵
      PID:1588
    - - /etc/rc2.d/S55IptabLex
        
        /etc/rc2.d/S55IptabLex
        5⤵
        
        PID:1590
  - - /bin/sh
      sh -c /etc/rc3.d/S55IptabLex
      4⤵
      PID:1591
    - - /etc/rc3.d/S55IptabLex
        
        /etc/rc3.d/S55IptabLex
        5⤵
        
        PID:1593
  - - /bin/sh
      sh -c /etc/rc4.d/S55IptabLex
      4⤵
      PID:1595
    - - /etc/rc4.d/S55IptabLex
        
        /etc/rc4.d/S55IptabLex
        5⤵
        
        PID:1598
  - - /bin/sh
      sh -c /etc/rc5.d/S55IptabLex
      4⤵
      PID:1599
    - - /etc/rc5.d/S55IptabLex
        
        /etc/rc5.d/S55IptabLex
        5⤵
        
        PID:1602
  - - /bin/sh
      sh -c /boot/IptabLex
      4⤵
      PID:1603
    - - /boot/IptabLex
        
        /boot/IptabLex
        5⤵
        Executes dropped EXE
        
        PID:1606
      - /boot/.IptabLex
        
        /boot/.IptabLex
        6⤵
        Executes dropped EXE
        
        PID:1608
  - - /bin/sh
      sh -c "nohup sh /delxxaazzx>/dev/null&"
      4⤵
      PID:1612
- /bin/sh
  sh -c "/delallmykkk>/dev/null"
  2⤵
  PID:1440
- - /delallmykkk
    /delallmykkk
    3⤵
    - Executes dropped EXE
    PID:1441
  - - /usr/bin/grep
      grep .IptabLes
      4⤵
      PID:1443
  - - /usr/bin/awk
      awk "{print \$3}"
      4⤵
      PID:1444
  - - /usr/bin/xargs
      xargs /delallmykkk 2
      4⤵
      PID:1445
    - - /delallmykkk
        
        /delallmykkk 2
        5⤵
        Executes dropped EXE
        
        PID:1449
  - - /usr/bin/ps
      ps -f -C .IptabLes
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1442
  - - /usr/bin/xargs
      xargs /delallmykkk 2
      4⤵
      PID:1454
    - - /delallmykkk
        
        /delallmykkk 2
        5⤵
        Executes dropped EXE
        
        PID:1460
  - - /usr/bin/awk
      awk "{print \$3}"
      4⤵
      PID:1453
  - - /usr/bin/grep
      grep .IptabLes
      4⤵
      PID:1452
  - - /usr/bin/ps
      ps -f -C .IptabLes
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1451
  - - /usr/bin/xargs
      xargs /delallmykkk 2
      4⤵
      PID:1468
    - - /delallmykkk
        
        /delallmykkk 2
        5⤵
        Executes dropped EXE
        
        PID:1469
  - - /usr/bin/awk
      awk "{print \$2}"
      4⤵
      PID:1467
  - - /usr/bin/grep
      grep .IptabLes
      4⤵
      PID:1466
  - - /usr/bin/ps
      ps -f -C .IptabLes
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1465
  - - /usr/bin/xargs
      xargs /delallmykkk 2
      4⤵
      PID:1474
    - - /delallmykkk
        
        /delallmykkk 2
        5⤵
        Executes dropped EXE
        
        PID:1479
  - - /usr/bin/awk
      awk "{print \$2}"
      4⤵
      PID:1473
  - - /usr/bin/grep
      grep .IptabLes
      4⤵
      PID:1472
  - - /usr/bin/ps
      ps -f -C .IptabLes
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1471
  - - /usr/bin/xargs
      xargs kill -9
      4⤵
      PID:1488
    - - /usr/local/sbin/kill
        
        kill -9 1486
        5⤵
        
        PID:1489
    - - /usr/local/bin/kill
        
        kill -9 1486
        5⤵
        
        PID:1489
    - - /usr/sbin/kill
        
        kill -9 1486
        5⤵
        
        PID:1489
    - - /usr/bin/kill
        
        kill -9 1486
        5⤵
        Reads CPU attributes
        
        PID:1489
  - - /usr/bin/awk
      awk "{print \$2}"
      4⤵
      PID:1487
  - - /usr/bin/grep
      grep .IptabLes
      4⤵
      PID:1486
  - - /usr/bin/ps
      ps -axu
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1485
  - - /usr/bin/xargs
      xargs kill -9
      4⤵
      PID:1498
    - - /usr/local/sbin/kill
        
        kill -9 1495
        5⤵
        
        PID:1500
    - - /usr/local/bin/kill
        
        kill -9 1495
        5⤵
        
        PID:1500
    - - /usr/sbin/kill
        
        kill -9 1495
        5⤵
        
        PID:1500
    - - /usr/bin/kill
        
        kill -9 1495
        5⤵
        Reads CPU attributes
        
        PID:1500
  - - /usr/bin/awk
      awk "{print \$2}"
      4⤵
      PID:1497
  - - /usr/bin/grep
      grep .IptabLes
      4⤵
      PID:1495
  - - /usr/bin/ps
      ps -axu
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1493
  - - /usr/bin/xargs
      xargs kill -9
      4⤵
      PID:1502
    - - /usr/local/sbin/kill
        
        kill -9 PID TTY TIME CMD
        5⤵
        
        PID:1506
    - - /usr/local/bin/kill
        
        kill -9 PID TTY TIME CMD
        5⤵
        
        PID:1506
    - - /usr/sbin/kill
        
        kill -9 PID TTY TIME CMD
        5⤵
        
        PID:1506
    - - /usr/bin/kill
        
        kill -9 PID TTY TIME CMD
        5⤵
        Reads CPU attributes
        
        PID:1506
  - - /usr/bin/ps
      ps -C .IptabLes
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1501
  - - /usr/bin/xargs
      xargs kill -9
      4⤵
      PID:1510
    - - /usr/local/sbin/kill
        
        kill -9
        5⤵
        
        PID:1513
    - - /usr/local/bin/kill
        
        kill -9
        5⤵
        
        PID:1513
    - - /usr/sbin/kill
        
        kill -9
        5⤵
        
        PID:1513
    - - /usr/bin/kill
        
        kill -9
        5⤵
        Reads CPU attributes
        
        PID:1513
  - - /usr/bin/grep
      grep .IptabLes
      4⤵
      PID:1508
  - - /usr/bin/ps
      ps -C .IptabLes
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1507
  - - /usr/bin/xargs
      xargs rm -f
      4⤵
      PID:1517
    - - /usr/local/sbin/rm
        
        rm -f
        5⤵
        
        PID:1519
    - - /usr/local/bin/rm
        
        rm -f
        5⤵
        
        PID:1519
    - - /usr/sbin/rm
        
        rm -f
        5⤵
        
        PID:1519
    - - /usr/bin/rm
        
        rm -f
        5⤵
        
        PID:1519
  - - /usr/bin/ps
      ps find / -name "*ptabLes"
      4⤵
      Reads CPU attributes
      PID:1516
  - - /usr/bin/xargs
      xargs rm -f
      4⤵
      PID:1523
    - - /usr/local/sbin/rm
        
        rm -f
        5⤵
        
        PID:1524
    - - /usr/local/bin/rm
        
        rm -f
        5⤵
        
        PID:1524
    - - /usr/sbin/rm
        
        rm -f
        5⤵
        
        PID:1524
    - - /usr/bin/rm
        
        rm -f
        5⤵
        
        PID:1524
  - - /usr/bin/ps
      ps find / -name .IptabLes
      4⤵
      Reads CPU attributes
      PID:1520
  - - /usr/bin/xargs
      xargs rm -f
      4⤵
      PID:1529
    - - /usr/local/sbin/rm
        
        rm -f
        5⤵
        
        PID:1530
    - - /usr/local/bin/rm
        
        rm -f
        5⤵
        
        PID:1530
    - - /usr/sbin/rm
        
        rm -f
        5⤵
        
        PID:1530
    - - /usr/bin/rm
        
        rm -f
        5⤵
        
        PID:1530
  - - /usr/bin/ps
      ps find / -name "*ptabLes"
      4⤵
      Reads CPU attributes
      PID:1526
  - - /usr/bin/xargs
      xargs rm -f
      4⤵
      PID:1534
    - - /usr/local/sbin/rm
        
        rm -f
        5⤵
        
        PID:1537
    - - /usr/local/bin/rm
        
        rm -f
        5⤵
        
        PID:1537
    - - /usr/sbin/rm
        
        rm -f
        5⤵
        
        PID:1537
    - - /usr/bin/rm
        
        rm -f
        5⤵
        
        PID:1537
  - - /usr/bin/ps
      ps find / -name .IptabLes
      4⤵
      Reads CPU attributes
      PID:1532
  - - /usr/bin/rm
      rm -f /boot/.stabip
      4⤵
      PID:1539
  - - /usr/bin/rm
      rm -f /boot/.IptabLes
      4⤵
      PID:1540
  - - /usr/bin/rm
      rm -f /etc/rc.d/init.d/IptabLes
      4⤵
      PID:1542
  - - /usr/bin/rm
      rm -f /boot/IptabLes
      4⤵
      PID:1544
  - - /usr/bin/rm
      rm -f /tmp/IptabLes
      4⤵
      PID:1547
  - - /usr/bin/rm
      rm -f /usr/IptabLes
      4⤵
      PID:1549
  - - /usr/bin/rm
      rm -f /usr/.IptabLes
      4⤵
      PID:1550
  - - /usr/bin/rm
      rm -f "/etc/rc.d/rc4.d/*IptabLes"
      4⤵
      PID:1552
  - - /usr/bin/rm
      rm -f "/etc/rc.d/rc1.d/*IptabLes"
      4⤵
      PID:1554
  - - /usr/bin/rm
      rm -f "/etc/rc.d/rc2.d/*IptabLes"
      4⤵
      PID:1557
  - - /usr/bin/rm
      rm -f "/etc/rc.d/rc3.d/*IptabLes"
      4⤵
      PID:1558
  - - /usr/bin/rm
      rm -f "/etc/rc.d/rc0.d/*IptabLes"
      4⤵
      PID:1561
  - - /usr/bin/rm
      rm -f "/etc/rc.d/rc5.d/*IptabLes"
      4⤵
      PID:1563
  - - /usr/bin/rm
      rm -f "/etc/rc.d/rc6.d/*IptabLes"
      4⤵
      PID:1564
  - - /usr/bin/rm
      rm -f /etc/init.d/IptabLes
      4⤵
      PID:1567
  - - /usr/bin/rm
      rm -f "/etc/rc4.d/*IptabLes"
      4⤵
      PID:1569
  - - /usr/bin/rm
      rm -f "/etc/rc1.d/*IptabLes"
      4⤵
      PID:1570
  - - /usr/bin/rm
      rm -f "/etc/rc2.d/*IptabLes"
      4⤵
      PID:1573
  - - /usr/bin/rm
      rm -f "/etc/rc3.d/*IptabLes"
      4⤵
      PID:1574
  - - /usr/bin/rm
      rm -f "/etc/rc0.d/*IptabLes"
      4⤵
      PID:1576
  - - /usr/bin/rm
      rm -f "/etc/rc5.d/*IptabLes"
      4⤵
      PID:1579
  - - /usr/bin/rm
      rm -f "/etc/rc6.d/*IptabLes"
      4⤵
      PID:1581
  - - /usr/bin/rm
      rm -rf /delallmykkk
      4⤵
      PID:1582
- /bin/sh
  sh -c "nohup cp /tmp//getsetup.hb /boot/.IptabLes>/dev/null"
  2⤵
  PID:1584
- - /usr/bin/nohup
    nohup cp "/tmp//getsetup.hb" /boot/.IptabLes
    3⤵
    PID:1586
- - /usr/local/sbin/cp
    cp "/tmp//getsetup.hb" /boot/.IptabLes
    3⤵
    PID:1586
- - /usr/local/bin/cp
    cp "/tmp//getsetup.hb" /boot/.IptabLes
    3⤵
    PID:1586
- - /usr/sbin/cp
    cp "/tmp//getsetup.hb" /boot/.IptabLes
    3⤵
    PID:1586
- - /usr/bin/cp
    cp "/tmp//getsetup.hb" /boot/.IptabLes
    3⤵
    PID:1586
- /bin/sh
  sh -c /etc/rc2.d/S55IptabLes
  2⤵
  PID:1589
- - /etc/rc2.d/S55IptabLes
    /etc/rc2.d/S55IptabLes
    3⤵
    PID:1592
- /bin/sh
  sh -c /etc/rc3.d/S55IptabLes
  2⤵
  PID:1594
- - /etc/rc3.d/S55IptabLes
    /etc/rc3.d/S55IptabLes
    3⤵
    PID:1596
- /bin/sh
  sh -c /etc/rc4.d/S55IptabLes
  2⤵
  PID:1597
- - /etc/rc4.d/S55IptabLes
    /etc/rc4.d/S55IptabLes
    3⤵
    PID:1600
- /bin/sh
  sh -c /etc/rc5.d/S55IptabLes
  2⤵
  PID:1601
- - /etc/rc5.d/S55IptabLes
    /etc/rc5.d/S55IptabLes
    3⤵
    PID:1604
- /bin/sh
  sh -c /boot/IptabLes
  2⤵
  PID:1605
- - /boot/IptabLes
    /boot/IptabLes
    3⤵
    - Executes dropped EXE
    PID:1607
  - - /boot/.IptabLes
      /boot/.IptabLes
      4⤵
      Executes dropped EXE
      PID:1610
- /bin/sh
  sh -c "nohup sh /delxxaazz>/dev/null&"
  2⤵
  PID:1618

/usr/bin/nohup
nohup sh /delxxaazzx
1⤵
PID:1617

/usr/local/sbin/sh
sh /delxxaazzx
1⤵
PID:1617

/usr/local/bin/sh
sh /delxxaazzx
1⤵
PID:1617

/usr/sbin/sh
sh /delxxaazzx
1⤵
PID:1617

/usr/bin/sh
sh /delxxaazzx
1⤵
PID:1617
- /usr/bin/sleep
  sleep 3
  2⤵
  PID:1624
- /usr/bin/sleep
  sleep 1
  2⤵
  PID:1663
- /usr/bin/rm
  rm -f "/tmp//getsetup.hbBCfWrED"
  2⤵
  PID:1664
- /usr/bin/rm
  rm -rf /delxxaazzx
  2⤵
  PID:1667

/usr/bin/nohup
nohup sh /delxxaazz
1⤵
PID:1623

/usr/local/sbin/sh
sh /delxxaazz
1⤵
PID:1623

/usr/local/bin/sh
sh /delxxaazz
1⤵
PID:1623

/usr/sbin/sh
sh /delxxaazz
1⤵
PID:1623

/usr/bin/sh
sh /delxxaazz
1⤵
PID:1623
- /usr/bin/sleep
  sleep 3
  2⤵
  PID:1625
- /usr/bin/sleep
  sleep 1
  2⤵
  PID:1662
- /usr/bin/rm
  rm -f "/tmp//getsetup.hb"
  2⤵
  PID:1665
- /usr/bin/rm
  rm -rf /delxxaazz
  2⤵
  PID:1666

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/.mylisthbSx.pid

Filesize
5B

MD5
8ca90246f736b3d0818e71327009a021

SHA1
657bb9913aa89cf487cfe429d602128a7e387204

SHA256
c6c64942180268c8706d16898737e97147aff160748bf887c9b3c3d272c9816b

SHA512
bea2087c1bd74a31c2c9622dd5342648aeb900f186ad75bcf2baf8dd680ec2b0cca8baad72e4cef5d8b8e1b75a2c0606481ab9ce97814e575c0801c118c0367f

Download Submit
/.mylisthbx.pid

Filesize
5B

MD5
42dcd029ef0d9372784039054e5f635c

SHA1
0c65a947a29c79b7dc06d5d6fa4188523315ea10

SHA256
d4ed4919e6c216d8cca64df42702c993922850aeb8a50a98b5706f82d0f79f33

SHA512
e25b035df55747415d81db21ef85e6012bb1701307b3d968b5479262657448de4b1b85fc4a96e2e8a382fc4877306b4ccadaac3cebc2fab80a5fb404129ab4cc

Download Submit
/.mylisthbx.pid

Filesize
5B

MD5
8e9ae8b65c03cdfa69da7c6fe8389acc

SHA1
8bda52c6fae962e108cb6e94831c3ff91baaab95

SHA256
41981270c48723906828aac464fb928d35d03a0a4228e6326a014e8cb82244dd

SHA512
c8dd170e971409201a0ebd770a979b6d50b50326676520852f5252ceb94d4b2ea1e1c9d8bdd7c1aca4ecf56a97bec02fef130e6894d289c70df83e2006139c0a

Download Submit
/.mylisthbx.pid

Filesize
5B

MD5
aa3160fc141b0f0b0666a3589323ec27

SHA1
97bf70a62495fdde7afa66be99408b2683317b32

SHA256
b082f7f3adc6c439254e3f5233bbc4c207e0146600ba529687eb90c23293863d

SHA512
91362d316e355fda04790d23f5e4ea6da81926c667c1c7fb61b9dd885001eecaa4ebdd521845836bfb2d77917decfd5f0d64ae592463e1718b3d1d1f9b4fb967

Download Submit
/boot/.IptabLes

Filesize
1.0MB

MD5
9966d5db77f247070fcac9590a3fde80

SHA1
ec0fdb1333443a7c0442dd279626bf8d58eb8cbb

SHA256
10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199

SHA512
e6a468cdfd9f720b217069f0dddc012b8549a834862d287ea101914503a048f644085c16b534b2b7418686b792a9ee0cb1e32977751d648d57ed0241bed17131

Download Submit
/boot/.IptabLex

Filesize
705KB

MD5
7b6ecf8e0740258188a3b3ad1c9fe050

SHA1
9054f186567fe7cfcb1197a903c8873e48c42385

SHA256
1f5e9a31d677e3d2f1beefd1dc01c9bf492e2e3b9eb4d61903b2d9cd5c1a1f43

SHA512
476e0e3b78f7eafca818ee2b17f77f83991e175182ba1a9aeea1a73f25588dbb4cd45202c492fa4b621b5a50a3af42e2c8ec2478c203c6a5df08d2cb3e5689b2

Download Submit
/boot/IptabLes

Filesize
33B

MD5
83ed46dc4887fda860c6a43f11c34877

SHA1
76505b08bae1a79ef5b194df6230d8a0dd406146

SHA256
a654d6c11d5af3247a32622f3b4ed15ee84f9f421ac229fb4554276ba89762f3

SHA512
a19776d13d5e0fc67e33a4b12e58617d77224e5313b4c4d81886ea4d32ee93e2fbf2209a85f2dae5515338536281f6ee0080113adc241d979df17f3acef57920

Download Submit
/boot/IptabLex

Filesize
33B

MD5
f87babea4da49278448a7cfc90378881

SHA1
6894fb87a61fa12616d676232573bcc6a97337cf

SHA256
c76e5acffa83340ec7ee66fbf876bf0be9939b9c741f9db013451ff83139ad70

SHA512
4c5d834f67d9af90a8d9cb6fa5296a02184ef4abdde220d1d96c1705f39ce91822a58a800bb4f54bd2322658871a3e3f8cb135a3c147d7bdfd6b5fe972568514

Download Submit
/delallmykkk

Filesize
1KB

MD5
d42637b86ca7c28cf8f149693a725c1a

SHA1
e0fa8c025eb03ab6c23c2095f2cb3ea85aed4c52

SHA256
0eb4b7f646bbd2a08fa342654c4d27285d7851bf53309e407de6273baba398c9

SHA512
0ff790803c531db3a243f497772a6e76a78dc73d12f687e43e5760a43b1bf10798d4496b12e46bd1cee89d8e29dafa294555a912451db0ba90218e61245c5261

Download Submit
/delallmykkks

Filesize
1KB

MD5
8da57205d718f385e3878220b55635e4

SHA1
28c2bab19d21e8712819f257c81cc80189147e2f

SHA256
8cdd7e6196522a770304eb9a0c8dfa47a72f4d9c9abac7cd3c559782e05275a6

SHA512
bdb138f44ca919e99915e113f7d4274c869e0cf743766bc969cd0f89e789363f446cfbf207b68f48e569323092cec5510a4a7fb319f88e0fda00a2dd0be59582

Download Submit
/delxxaazz

Filesize
80B

MD5
d72b8800ee99f3cc99e9391648466c41

SHA1
79ff5c09affb5f176b9a5b9277b1c35d0ea86355

SHA256
f568e874ef0c6792de48ce6a2bae0ff892944574f135c9a2789dae6ff6c3b63b

SHA512
d9acc4190ecef03082019a5a3441b38f8d99af9d5f082bfc2c972c534e930062f8b084bb25d780f9c42de849099e0d4a6455c886f6f4a812acedb2e529dfd934

Download Submit
/delxxaazzx

Filesize
87B

MD5
8460ebb0c42b026d731c8e10ab1eab54

SHA1
90d2a60d20f9170935731db1b92ea8a38b62a39e

SHA256
13090d6af02c83078dc9dce84883b08df4b2aba4042e769efb17d7d1497d47ec

SHA512
dd64ca60b87fe659af9ed95ec8c6ca5f621c80a4c2b347629203bb83f0924dddf9e7ff32fc7660523a5130a0ece8a0817f1b471ba641351b0aa7eb72971b0785

Download Submit