iptablez | 1c714527787cb354ebba0eeb1657fb054be765838e8c845d13c488480a872e23

Analysis

max time kernel
143s
max time network
148s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
26-05-2024 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

/getsetup.hb
Size

1.0MB
MD5

9966d5db77f247070fcac9590a3fde80
SHA1

ec0fdb1333443a7c0442dd279626bf8d58eb8cbb
SHA256

10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199
SHA512

e6a468cdfd9f720b217069f0dddc012b8549a834862d287ea101914503a048f644085c16b534b2b7418686b792a9ee0cb1e32977751d648d57ed0241bed17131
SSDEEP

24576:L8TklemVE3JnQaQAcA+xk3ZeRXP1qjStp/vtq6bUn5V:2IemVE6aQyTpexwyVOn5V

Score

10^/10

iptablez backdoor

Malware Config

Signatures

Detected IptabLes/IptabLez backdoor 2 IoCs

Processes:

resource	yara_rule
/boot/.IptabLex	family_iptablez
/boot/.IptabLes	family_iptablez

IptabLes/IptabLez Backdoor
Linux RAT/backdoor which has been around since 2014.
backdoor iptablez

Executes dropped EXE 14 IoCs

Processes:

delallmykkksdelallmykkkdelallmykkksdelallmykkkdelallmykkksdelallmykkkdelallmykkksdelallmykkkdelallmykkkdelallmykkksIptabLex.IptabLexIptabLes.IptabLes

ioc	pid	process
/delallmykkks	1502	delallmykkks
/delallmykkk	1508	delallmykkk
/delallmykkks	1513	delallmykkks
/delallmykkk	1514	delallmykkk
/delallmykkks	1524	delallmykkks
/delallmykkk	1523	delallmykkk
/delallmykkks	1534	delallmykkks
/delallmykkk	1533	delallmykkk
/delallmykkk	1544	delallmykkk
/delallmykkks	1543	delallmykkks
/boot/IptabLex	1671	IptabLex
/boot/.IptabLex	1673	.IptabLex
/boot/IptabLes	1676	IptabLes
/boot/.IptabLes	1682	.IptabLes

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 32 IoCs

System Information Discovery

T1082

Processes:

pskillpspskillpspspspspspspspskillpskillpspskillkillpspspspskillpskillpspspspsps

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

pspspspspspspspspspspspskillpspspsps

description	ioc	process
File opened for reading	/proc/888/cmdline	ps
File opened for reading	/proc/163/cmdline	ps
File opened for reading	/proc/1536/status	ps
File opened for reading	/proc/3/stat	ps
File opened for reading	/proc/30/cmdline	ps
File opened for reading	/proc/679/status	ps
File opened for reading	/proc/407/cmdline	ps
File opened for reading	/proc/167/cmdline	ps
File opened for reading	/proc/28/status	ps
File opened for reading	/proc/1021/status	ps
File opened for reading	/proc/79/cmdline	ps
File opened for reading	/proc/167/status	ps
File opened for reading	/proc/536/cmdline	ps
File opened for reading	/proc/1174/cmdline	ps
File opened for reading	/proc/1542/stat	ps
File opened for reading	/proc/1123/cmdline	ps
File opened for reading	/proc/550/stat	ps
File opened for reading	/proc/81/status	ps
File opened for reading	/proc/1331/cmdline	ps
File opened for reading	/proc/85/stat	ps
File opened for reading	/proc/29/cmdline	ps
File opened for reading	/proc/30/cmdline	ps
File opened for reading	/proc/sys/kernel/pid_max	ps
File opened for reading	/proc/1276/stat	ps
File opened for reading	/proc/1102/stat	ps
File opened for reading	/proc/1102/cmdline	ps
File opened for reading	/proc/sys/kernel/osrelease	kill
File opened for reading	/proc/729/status	ps
File opened for reading	/proc/32/cmdline	ps
File opened for reading	/proc/1177/status	ps
File opened for reading	/proc/1485/cmdline	ps
File opened for reading	/proc/472/stat	ps
File opened for reading	/proc/1532/cmdline	ps
File opened for reading	/proc/1007/status	ps
File opened for reading	/proc/1289/status	ps
File opened for reading	/proc/1136/cmdline	ps
File opened for reading	/proc/240/status	ps
File opened for reading	/proc/939/status	ps
File opened for reading	/proc/1463/stat	ps
File opened for reading	/proc/1508/stat	ps
File opened for reading	/proc/729/stat	ps
File opened for reading	/proc/1078/stat	ps
File opened for reading	/proc/198/status	ps
File opened for reading	/proc/98/cmdline	ps
File opened for reading	/proc/82/status	ps
File opened for reading	/proc/1485/status	ps
File opened for reading	/proc/34/stat	ps
File opened for reading	/proc/169/cmdline	ps
File opened for reading	/proc/718/cmdline	ps
File opened for reading	/proc/611/status	ps
File opened for reading	/proc/1064/status	ps
File opened for reading	/proc/1276/status	ps
File opened for reading	/proc/888/stat	ps
File opened for reading	/proc/1106/stat	ps
File opened for reading	/proc/1115/status	ps
File opened for reading	/proc/172/status	ps
File opened for reading	/proc/1276/status	ps
File opened for reading	/proc/1/status	ps
File opened for reading	/proc/198/stat	ps
File opened for reading	/proc/27/cmdline	ps
File opened for reading	/proc/519/stat	ps
File opened for reading	/proc/98/stat	ps
File opened for reading	/proc/1160/status	ps
File opened for reading	/proc/1160/status	ps

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

getsetup.hb

description ioc process

File opened for modification /tmp//getsetup.hbBCfWrED getsetup.hb

description	ioc	process
File opened for modification	/tmp//getsetup.hbBCfWrED	getsetup.hb

/tmp//getsetup.hb
"/tmp//getsetup.hb"
1⤵
- Writes file to tmp directory
PID:1490

/bin/sh
sh -c "/tmp//getsetup.hbBCfWrED"
2⤵
PID:1491

/tmp//getsetup.hbBCfWrED
"/tmp//getsetup.hbBCfWrED"
3⤵
PID:1492

/bin/sh
sh -c "/delallmykkks>/dev/null"
4⤵
PID:1501

/delallmykkks
/delallmykkks
5⤵
- Executes dropped EXE
PID:1502

/bin/grep
grep .IptabLex
6⤵
PID:1504

/usr/bin/awk
awk "{print \$3}"
6⤵
PID:1505

/usr/bin/xargs
xargs /delallmykkks 2
6⤵
PID:1506

/delallmykkks
/delallmykkks 2
7⤵
- Executes dropped EXE
PID:1513

/bin/ps
ps -f -C .IptabLex
6⤵
- Reads CPU attributes
- Reads runtime system information
PID:1503

/usr/bin/xargs
xargs /delallmykkks 2
6⤵
PID:1518

/delallmykkks
/delallmykkks 2
7⤵
- Executes dropped EXE
PID:1524

/usr/bin/awk
awk "{print \$3}"
6⤵
PID:1517

/bin/grep
grep .IptabLex
6⤵
PID:1516

/bin/ps
ps -f -C .IptabLex
6⤵
- Reads CPU attributes
- Reads runtime system information
PID:1515

/usr/bin/xargs
xargs /delallmykkks 2
6⤵
PID:1531

/delallmykkks
/delallmykkks 2
7⤵
- Executes dropped EXE
PID:1534

/usr/bin/awk
awk "{print \$2}"
6⤵
PID:1529

/bin/grep
grep .IptabLex
6⤵
PID:1527

/bin/ps
ps -f -C .IptabLex
6⤵
- Reads CPU attributes
- Reads runtime system information
PID:1526

/usr/bin/xargs
xargs /delallmykkks 2
6⤵
PID:1542

/delallmykkks
/delallmykkks 2
7⤵
- Executes dropped EXE
PID:1543

/usr/bin/awk
awk "{print \$2}"
6⤵
PID:1541

/bin/grep
grep .IptabLex
6⤵
PID:1540

/bin/ps
ps -f -C .IptabLex
6⤵
- Reads CPU attributes
- Reads runtime system information
PID:1538

/usr/bin/xargs
xargs kill -9
6⤵
PID:1550

/usr/local/sbin/kill
kill -9 1547
7⤵
PID:1553

/usr/local/bin/kill
kill -9 1547
7⤵
PID:1553

/usr/sbin/kill
kill -9 1547
7⤵
PID:1553

/usr/bin/kill
kill -9 1547
7⤵
PID:1553

/sbin/kill
kill -9 1547
7⤵
PID:1553

/bin/kill
kill -9 1547
7⤵
- Reads CPU attributes
- Reads runtime system information
PID:1553

/usr/bin/awk
awk "{print \$2}"
6⤵
PID:1549

/bin/grep
grep .IptabLex
6⤵
PID:1547

/bin/ps
ps -axu
6⤵
- Reads CPU attributes
- Reads runtime system information
PID:1545

/usr/bin/xargs
xargs kill -9
6⤵
PID:1562

/usr/local/sbin/kill
kill -9 1558
7⤵
PID:1564

/usr/local/bin/kill
kill -9 1558
7⤵
PID:1564

/usr/sbin/kill
kill -9 1558
7⤵
PID:1564

/usr/bin/kill
kill -9 1558
7⤵
PID:1564

/sbin/kill
kill -9 1558
7⤵
PID:1564

/bin/kill
kill -9 1558
7⤵
- Reads CPU attributes
PID:1564

/usr/bin/awk
awk "{print \$2}"
6⤵
PID:1561

/bin/grep
grep .IptabLex
6⤵
PID:1558

/bin/ps
ps -axu
6⤵
- Reads CPU attributes
- Reads runtime system information
PID:1557

/usr/bin/xargs
xargs kill -9
6⤵
PID:1567

/usr/local/sbin/kill
kill -9 PID TTY TIME CMD
7⤵
PID:1569

/usr/local/bin/kill
kill -9 PID TTY TIME CMD
7⤵
PID:1569

/usr/sbin/kill
kill -9 PID TTY TIME CMD
7⤵
PID:1569

/usr/bin/kill
kill -9 PID TTY TIME CMD
7⤵
PID:1569

/sbin/kill
kill -9 PID TTY TIME CMD
7⤵
PID:1569

/bin/kill
kill -9 PID TTY TIME CMD
7⤵
- Reads CPU attributes
PID:1569

/bin/ps
ps -C .IptabLex
6⤵
- Reads CPU attributes
- Reads runtime system information
PID:1565

/usr/bin/xargs
xargs kill -9
6⤵
PID:1573

/usr/local/sbin/kill
kill -9 PID TTY TIME CMD
7⤵
PID:1576

/usr/local/bin/kill
kill -9 PID TTY TIME CMD
7⤵
PID:1576

/usr/sbin/kill
kill -9 PID TTY TIME CMD
7⤵
PID:1576

/usr/bin/kill
kill -9 PID TTY TIME CMD
7⤵
PID:1576

/sbin/kill
kill -9 PID TTY TIME CMD
7⤵
PID:1576

/bin/kill
kill -9 PID TTY TIME CMD
7⤵
- Reads CPU attributes
PID:1576

/bin/ps
ps -C .IptabLex
6⤵
- Reads CPU attributes
- Reads runtime system information
PID:1571

/usr/bin/xargs
xargs rm -f
6⤵
PID:1581

/usr/local/sbin/rm
rm -f
7⤵
PID:1582

/usr/local/bin/rm
rm -f
7⤵
PID:1582

/usr/sbin/rm
rm -f
7⤵
PID:1582

/usr/bin/rm
rm -f
7⤵
PID:1582

/sbin/rm
rm -f
7⤵
PID:1582

/bin/rm
rm -f
7⤵
PID:1582

/bin/ps
ps find / -name "*ptabLex"
6⤵
- Reads CPU attributes
PID:1579

/usr/bin/xargs
xargs rm -f
6⤵
PID:1586

/usr/local/sbin/rm
rm -f
7⤵
PID:1589

/usr/local/bin/rm
rm -f
7⤵
PID:1589

/usr/sbin/rm
rm -f
7⤵
PID:1589

/usr/bin/rm
rm -f
7⤵
PID:1589

/sbin/rm
rm -f
7⤵
PID:1589

/bin/rm
rm -f
7⤵
PID:1589

/bin/ps
ps find / -name .IptabLex
6⤵
- Reads CPU attributes
PID:1585

/usr/bin/xargs
xargs rm -f
6⤵
PID:1593

/usr/local/sbin/rm
rm -f
7⤵
PID:1597

/usr/local/bin/rm
rm -f
7⤵
PID:1597

/usr/sbin/rm
rm -f
7⤵
PID:1597

/usr/bin/rm
rm -f
7⤵
PID:1597

/sbin/rm
rm -f
7⤵
PID:1597

/bin/rm
rm -f
7⤵
PID:1597

/bin/ps
ps find / -name "*ptabLex"
6⤵
- Reads CPU attributes
PID:1591

/usr/bin/xargs
xargs rm -f
6⤵
PID:1602

/usr/local/sbin/rm
rm -f
7⤵
PID:1604

/usr/local/bin/rm
rm -f
7⤵
PID:1604

/usr/sbin/rm
rm -f
7⤵
PID:1604

/usr/bin/rm
rm -f
7⤵
PID:1604

/sbin/rm
rm -f
7⤵
PID:1604

/bin/rm
rm -f
7⤵
PID:1604

/bin/ps
ps find / -name .IptabLex
6⤵
- Reads CPU attributes
PID:1600

/bin/rm
rm -f /boot/.stabip
6⤵
PID:1606

/bin/rm
rm -f /boot/.IptabLex
6⤵
PID:1608

/bin/rm
rm -f /etc/rc.d/init.d/IptabLex
6⤵
PID:1610

/bin/rm
rm -f /boot/IptabLex
6⤵
PID:1611

/bin/rm
rm -f /tmp/IptabLex
6⤵
PID:1614

/bin/rm
rm -f /usr/IptabLex
6⤵
PID:1616

/bin/rm
rm -f /usr/.IptabLex
6⤵
PID:1618

/bin/rm
rm -f "/etc/rc.d/rc4.d/*IptabLex"
6⤵
PID:1619

/bin/rm
rm -f "/etc/rc.d/rc1.d/*IptabLex"
6⤵
PID:1622

/bin/rm
rm -f "/etc/rc.d/rc2.d/*IptabLex"
6⤵
PID:1624

/bin/rm
rm -f "/etc/rc.d/rc3.d/*IptabLex"
6⤵
PID:1626

/bin/rm
rm -f "/etc/rc.d/rc0.d/*IptabLex"
6⤵
PID:1628

/bin/rm
rm -f "/etc/rc.d/rc5.d/*IptabLex"
6⤵
PID:1629

/bin/rm
rm -f "/etc/rc.d/rc6.d/*IptabLex"
6⤵
PID:1632

/bin/rm
rm -f /etc/init.d/IptabLex
6⤵
PID:1633

/bin/rm
rm -f "/etc/rc4.d/*IptabLex"
6⤵
PID:1635

/bin/rm
rm -f "/etc/rc1.d/*IptabLex"
6⤵
PID:1638

/bin/rm
rm -f "/etc/rc2.d/*IptabLex"
6⤵
PID:1639

/bin/rm
rm -f "/etc/rc3.d/*IptabLex"
6⤵
PID:1641

/bin/rm
rm -f "/etc/rc0.d/*IptabLex"
6⤵
PID:1643

/bin/rm
rm -f "/etc/rc5.d/*IptabLex"
6⤵
PID:1646

/bin/rm
rm -f "/etc/rc6.d/*IptabLex"
6⤵
PID:1648

/bin/rm
rm -rf /delallmykkks
6⤵
PID:1650

/bin/sh
sh -c "nohup cp /tmp//getsetup.hbBCfWrED /boot/.IptabLex>/dev/null"
4⤵
PID:1652

/usr/bin/nohup
nohup cp "/tmp//getsetup.hbBCfWrED" /boot/.IptabLex
5⤵
PID:1653

/usr/local/sbin/cp
cp "/tmp//getsetup.hbBCfWrED" /boot/.IptabLex
5⤵
PID:1653

/usr/local/bin/cp
cp "/tmp//getsetup.hbBCfWrED" /boot/.IptabLex
5⤵
PID:1653

/usr/sbin/cp
cp "/tmp//getsetup.hbBCfWrED" /boot/.IptabLex
5⤵
PID:1653

/usr/bin/cp
cp "/tmp//getsetup.hbBCfWrED" /boot/.IptabLex
5⤵
PID:1653

/sbin/cp
cp "/tmp//getsetup.hbBCfWrED" /boot/.IptabLex
5⤵
PID:1653

/bin/cp
cp "/tmp//getsetup.hbBCfWrED" /boot/.IptabLex
5⤵
PID:1653

/bin/sh
sh -c /etc/rc2.d/S55IptabLex
4⤵
PID:1655

/etc/rc2.d/S55IptabLex
/etc/rc2.d/S55IptabLex
5⤵
PID:1656

/bin/sh
sh -c /etc/rc3.d/S55IptabLex
4⤵
PID:1657

/etc/rc3.d/S55IptabLex
/etc/rc3.d/S55IptabLex
5⤵
PID:1659

/bin/sh
sh -c /etc/rc4.d/S55IptabLex
4⤵
PID:1660

/etc/rc4.d/S55IptabLex
/etc/rc4.d/S55IptabLex
5⤵
PID:1663

/bin/sh
sh -c /etc/rc5.d/S55IptabLex
4⤵
PID:1664

/etc/rc5.d/S55IptabLex
/etc/rc5.d/S55IptabLex
5⤵
PID:1667

/bin/sh
sh -c /boot/IptabLex
4⤵
PID:1668

/boot/IptabLex
/boot/IptabLex
5⤵
- Executes dropped EXE
PID:1671

/boot/.IptabLex
/boot/.IptabLex
6⤵
- Executes dropped EXE
PID:1673

/bin/sh
sh -c "nohup sh /delxxaazzx>/dev/null&"
4⤵
PID:1677

/bin/sh
sh -c "/delallmykkk>/dev/null"
2⤵
PID:1507

/delallmykkk
/delallmykkk
3⤵
- Executes dropped EXE
PID:1508

/usr/bin/awk
awk "{print \$3}"
4⤵
PID:1511

/bin/grep
grep .IptabLes
4⤵
PID:1510

/usr/bin/xargs
xargs /delallmykkk 2
4⤵
PID:1512

/delallmykkk
/delallmykkk 2
5⤵
- Executes dropped EXE
PID:1514

/bin/ps
ps -f -C .IptabLes
4⤵
- Reads CPU attributes
- Reads runtime system information
PID:1509

/usr/bin/xargs
xargs /delallmykkk 2
4⤵
PID:1522

/delallmykkk
/delallmykkk 2
5⤵
- Executes dropped EXE
PID:1523

/usr/bin/awk
awk "{print \$3}"
4⤵
PID:1521

/bin/grep
grep .IptabLes
4⤵
PID:1520

/bin/ps
ps -f -C .IptabLes
4⤵
- Reads CPU attributes
- Reads runtime system information
PID:1519

/usr/bin/xargs
xargs /delallmykkk 2
4⤵
PID:1532

/delallmykkk
/delallmykkk 2
5⤵
- Executes dropped EXE
PID:1533

/usr/bin/awk
awk "{print \$2}"
4⤵
PID:1530

/bin/grep
grep .IptabLes
4⤵
PID:1528

/bin/ps
ps -f -C .IptabLes
4⤵
- Reads CPU attributes
- Reads runtime system information
PID:1525

/usr/bin/xargs
xargs /delallmykkk 2
4⤵
PID:1539

/delallmykkk
/delallmykkk 2
5⤵
- Executes dropped EXE
PID:1544

/usr/bin/awk
awk "{print \$2}"
4⤵
PID:1537

/bin/grep
grep .IptabLes
4⤵
PID:1536

/bin/ps
ps -f -C .IptabLes
4⤵
- Reads CPU attributes
- Reads runtime system information
PID:1535

/usr/bin/xargs
xargs kill -9
4⤵
PID:1552

/usr/local/sbin/kill
kill -9 1548
5⤵
PID:1554

/usr/local/bin/kill
kill -9 1548
5⤵
PID:1554

/usr/sbin/kill
kill -9 1548
5⤵
PID:1554

/usr/bin/kill
kill -9 1548
5⤵
PID:1554

/sbin/kill
kill -9 1548
5⤵
PID:1554

/bin/kill
kill -9 1548
5⤵
- Reads CPU attributes
PID:1554

/usr/bin/awk
awk "{print \$2}"
4⤵
PID:1551

/bin/grep
grep .IptabLes
4⤵
PID:1548

/bin/ps
ps -axu
4⤵
- Reads CPU attributes
- Reads runtime system information
PID:1546

/usr/bin/xargs
xargs kill -9
4⤵
PID:1560

/usr/local/sbin/kill
kill -9 1556
5⤵
PID:1563

/usr/local/bin/kill
kill -9 1556
5⤵
PID:1563

/usr/sbin/kill
kill -9 1556
5⤵
PID:1563

/usr/bin/kill
kill -9 1556
5⤵
PID:1563

/sbin/kill
kill -9 1556
5⤵
PID:1563

/bin/kill
kill -9 1556
5⤵
- Reads CPU attributes
PID:1563

/usr/bin/awk
awk "{print \$2}"
4⤵
PID:1559

/bin/grep
grep .IptabLes
4⤵
PID:1556

/bin/ps
ps -axu
4⤵
- Reads CPU attributes
- Reads runtime system information
PID:1555

/usr/bin/xargs
xargs kill -9
4⤵
PID:1568

/usr/local/sbin/kill
kill -9 PID TTY TIME CMD
5⤵
PID:1570

/usr/local/bin/kill
kill -9 PID TTY TIME CMD
5⤵
PID:1570

/usr/sbin/kill
kill -9 PID TTY TIME CMD
5⤵
PID:1570

/usr/bin/kill
kill -9 PID TTY TIME CMD
5⤵
PID:1570

/sbin/kill
kill -9 PID TTY TIME CMD
5⤵
PID:1570

/bin/kill
kill -9 PID TTY TIME CMD
5⤵
- Reads CPU attributes
PID:1570

/bin/ps
ps -C .IptabLes
4⤵
- Reads CPU attributes
- Reads runtime system information
PID:1566

/usr/bin/xargs
xargs kill -9
4⤵
PID:1575

/usr/local/sbin/kill
kill -9
5⤵
PID:1577

/usr/local/bin/kill
kill -9
5⤵
PID:1577

/usr/sbin/kill
kill -9
5⤵
PID:1577

/usr/bin/kill
kill -9
5⤵
PID:1577

/sbin/kill
kill -9
5⤵
PID:1577

/bin/kill
kill -9
5⤵
- Reads CPU attributes
PID:1577

/bin/grep
grep .IptabLes
4⤵
PID:1574

/bin/ps
ps -C .IptabLes
4⤵
- Reads CPU attributes
- Reads runtime system information
PID:1572

/usr/bin/xargs
xargs rm -f
4⤵
PID:1580

/usr/local/sbin/rm
rm -f
5⤵
PID:1583

/usr/local/bin/rm
rm -f
5⤵
PID:1583

/usr/sbin/rm
rm -f
5⤵
PID:1583

/usr/bin/rm
rm -f
5⤵
PID:1583

/sbin/rm
rm -f
5⤵
PID:1583

/bin/rm
rm -f
5⤵
PID:1583

/bin/ps
ps find / -name "*ptabLes"
4⤵
- Reads CPU attributes
PID:1578

/usr/bin/xargs
xargs rm -f
4⤵
PID:1587

/usr/local/sbin/rm
rm -f
5⤵
PID:1588

/usr/local/bin/rm
rm -f
5⤵
PID:1588

/usr/sbin/rm
rm -f
5⤵
PID:1588

/usr/bin/rm
rm -f
5⤵
PID:1588

/sbin/rm
rm -f
5⤵
PID:1588

/bin/rm
rm -f
5⤵
PID:1588

/bin/ps
ps find / -name .IptabLes
4⤵
- Reads CPU attributes
PID:1584

/usr/bin/xargs
xargs rm -f
4⤵
PID:1592

/usr/local/sbin/rm
rm -f
5⤵
PID:1598

/usr/local/bin/rm
rm -f
5⤵
PID:1598

/usr/sbin/rm
rm -f
5⤵
PID:1598

/usr/bin/rm
rm -f
5⤵
PID:1598

/sbin/rm
rm -f
5⤵
PID:1598

/bin/rm
rm -f
5⤵
PID:1598

/bin/ps
ps find / -name "*ptabLes"
4⤵
- Reads CPU attributes
PID:1590

/usr/bin/xargs
xargs rm -f
4⤵
PID:1601

/usr/local/sbin/rm
rm -f
5⤵
PID:1603

/usr/local/bin/rm
rm -f
5⤵
PID:1603

/usr/sbin/rm
rm -f
5⤵
PID:1603

/usr/bin/rm
rm -f
5⤵
PID:1603

/sbin/rm
rm -f
5⤵
PID:1603

/bin/rm
rm -f
5⤵
PID:1603

/bin/ps
ps find / -name .IptabLes
4⤵
- Reads CPU attributes
PID:1599

/bin/rm
rm -f /boot/.stabip
4⤵
PID:1605

/bin/rm
rm -f /boot/.IptabLes
4⤵
PID:1607

/bin/rm
rm -f /etc/rc.d/init.d/IptabLes
4⤵
PID:1609

/bin/rm
rm -f /boot/IptabLes
4⤵
PID:1612

/bin/rm
rm -f /tmp/IptabLes
4⤵
PID:1613

/bin/rm
rm -f /usr/IptabLes
4⤵
PID:1615

/bin/rm
rm -f /usr/.IptabLes
4⤵
PID:1617

/bin/rm
rm -f "/etc/rc.d/rc4.d/*IptabLes"
4⤵
PID:1620

/bin/rm
rm -f "/etc/rc.d/rc1.d/*IptabLes"
4⤵
PID:1621

/bin/rm
rm -f "/etc/rc.d/rc2.d/*IptabLes"
4⤵
PID:1623

/bin/rm
rm -f "/etc/rc.d/rc3.d/*IptabLes"
4⤵
PID:1625

/bin/rm
rm -f "/etc/rc.d/rc0.d/*IptabLes"
4⤵
PID:1627

/bin/rm
rm -f "/etc/rc.d/rc5.d/*IptabLes"
4⤵
PID:1630

/bin/rm
rm -f "/etc/rc.d/rc6.d/*IptabLes"
4⤵
PID:1631

/bin/rm
rm -f /etc/init.d/IptabLes
4⤵
PID:1634

/bin/rm
rm -f "/etc/rc4.d/*IptabLes"
4⤵
PID:1636

/bin/rm
rm -f "/etc/rc1.d/*IptabLes"
4⤵
PID:1637

/bin/rm
rm -f "/etc/rc2.d/*IptabLes"
4⤵
PID:1640

/bin/rm
rm -f "/etc/rc3.d/*IptabLes"
4⤵
PID:1642

/bin/rm
rm -f "/etc/rc0.d/*IptabLes"
4⤵
PID:1644

/bin/rm
rm -f "/etc/rc5.d/*IptabLes"
4⤵
PID:1645

/bin/rm
rm -f "/etc/rc6.d/*IptabLes"
4⤵
PID:1647

/bin/rm
rm -rf /delallmykkk
4⤵
PID:1649

/bin/sh
sh -c "nohup cp /tmp//getsetup.hb /boot/.IptabLes>/dev/null"
2⤵
PID:1651

/usr/bin/nohup
nohup cp "/tmp//getsetup.hb" /boot/.IptabLes
3⤵
PID:1654

/usr/local/sbin/cp
cp "/tmp//getsetup.hb" /boot/.IptabLes
3⤵
PID:1654

/usr/local/bin/cp
cp "/tmp//getsetup.hb" /boot/.IptabLes
3⤵
PID:1654

/usr/sbin/cp
cp "/tmp//getsetup.hb" /boot/.IptabLes
3⤵
PID:1654

/usr/bin/cp
cp "/tmp//getsetup.hb" /boot/.IptabLes
3⤵
PID:1654

/sbin/cp
cp "/tmp//getsetup.hb" /boot/.IptabLes
3⤵
PID:1654

/bin/cp
cp "/tmp//getsetup.hb" /boot/.IptabLes
3⤵
PID:1654

/bin/sh
sh -c /etc/rc2.d/S55IptabLes
2⤵
PID:1658

/etc/rc2.d/S55IptabLes
/etc/rc2.d/S55IptabLes
3⤵
PID:1661

/bin/sh
sh -c /etc/rc3.d/S55IptabLes
2⤵
PID:1662

/etc/rc3.d/S55IptabLes
/etc/rc3.d/S55IptabLes
3⤵
PID:1665

/bin/sh
sh -c /etc/rc4.d/S55IptabLes
2⤵
PID:1666

/etc/rc4.d/S55IptabLes
/etc/rc4.d/S55IptabLes
3⤵
PID:1669

/bin/sh
sh -c /etc/rc5.d/S55IptabLes
2⤵
PID:1670

/etc/rc5.d/S55IptabLes
/etc/rc5.d/S55IptabLes
3⤵
PID:1672

/bin/sh
sh -c /boot/IptabLes
2⤵
PID:1674

/boot/IptabLes
/boot/IptabLes
3⤵
- Executes dropped EXE
PID:1676

/boot/.IptabLes
/boot/.IptabLes
4⤵
- Executes dropped EXE
PID:1682

/bin/sh
sh -c "nohup sh /delxxaazz>/dev/null&"
2⤵
PID:1685

/usr/bin/nohup
nohup sh /delxxaazzx
1⤵
PID:1683

/usr/local/sbin/sh
sh /delxxaazzx
1⤵
PID:1683

/usr/local/bin/sh
sh /delxxaazzx
1⤵
PID:1683

/usr/sbin/sh
sh /delxxaazzx
1⤵
PID:1683

/usr/bin/sh
sh /delxxaazzx
1⤵
PID:1683

/sbin/sh
sh /delxxaazzx
1⤵
PID:1683

/bin/sh
sh /delxxaazzx
1⤵
PID:1683

/bin/sleep
sleep 3
2⤵
PID:1691

/bin/sleep
sleep 1
2⤵
PID:1693

/bin/rm
rm -f "/tmp//getsetup.hbBCfWrED"
2⤵
PID:1695

/bin/rm
rm -rf /delxxaazzx
2⤵
PID:1698

/usr/bin/nohup
nohup sh /delxxaazz
1⤵
PID:1690

/usr/local/sbin/sh
sh /delxxaazz
1⤵
PID:1690

/usr/local/bin/sh
sh /delxxaazz
1⤵
PID:1690

/usr/sbin/sh
sh /delxxaazz
1⤵
PID:1690

/usr/bin/sh
sh /delxxaazz
1⤵
PID:1690

/sbin/sh
sh /delxxaazz
1⤵
PID:1690

/bin/sh
sh /delxxaazz
1⤵
PID:1690

/bin/sleep
sleep 3
2⤵
PID:1692

/bin/sleep
sleep 1
2⤵
PID:1694

/bin/rm
rm -f "/tmp//getsetup.hb"
2⤵
PID:1696

/bin/rm
rm -rf /delxxaazz
2⤵
PID:1697

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/.mylisthbSx.pid
Filesize
5B

MD5
61d8b769a9fea3b4399a1e690dcb7856

SHA1
7a71ba1f5b8ac8944c0ea4dd13c9f4687ca3268e

SHA256
912ccd78675a5869b484f3e01039be65541bca95d69264e9aa1d6119d356c783

SHA512
b0d082c7a09557cce07f5c2c84b1ea13bbe275a749663f8bfb7fda61bea3bbc07ceb0b544ee935d6d6cb8070ae7f27c12ffcdd53fb473cd0c66295a9013439e3

Download Submit
/.mylisthbx.pid
Filesize
5B

MD5
bb6d77407dcf9f0dcf2efb9184efe72c

SHA1
f92f165f311645fe10434abe282c11fc46417840

SHA256
ffb93f9ff83dd02a2854b26c80228ac8c6be09daf0e38c5dd7c60e0fd55e0a26

SHA512
cfc01ba0f93800e2da8cf205a5735ff1c848fecd4e73b546301af3872b397bfb57f82910f0f96e39be0611aaa760082bb26a1b5f3d8a952138c86b265378852e

Download Submit
/.mylisthbx.pid
Filesize
5B

MD5
74db11e795254beae492317ec719f027

SHA1
c6f167968eea5e57f49a0b4b9a11ebf34c125dd1

SHA256
f4ce42e1725b38f36d960b8f86a3158410fd9a36941dcd087000c0050b78e888

SHA512
051911803ad6b1456124deff5bcdb94c037bb6784e4523c8237f79891c89a91750488900b13de703c7f2a0278b1608dc572d831636d05af7376ce804c0b38ab4

Download Submit
/.mylisthbx.pid
Filesize
5B

MD5
616fd8401ccf0b3d979176cbe9022d1f

SHA1
b216e308c9281dff09194552f74a10fda2bb6f29

SHA256
624b0f8a3abfda9780294f6e4931572597c22c49454c8d902383b46860a6fbb7

SHA512
d2419505d3163799d20581177227f340e595c5e4ab872671941a9417690d3156354db50b3629c548726c51f74223ccadc581e3564cf83752db027549d49ccd7d

Download Submit
/boot/.IptabLes
Filesize
1.0MB

MD5
9966d5db77f247070fcac9590a3fde80

SHA1
ec0fdb1333443a7c0442dd279626bf8d58eb8cbb

SHA256
10edad7999da34e37a866beadf2bb2c1952e071c93cb8708e79ee45c90a06199

SHA512
e6a468cdfd9f720b217069f0dddc012b8549a834862d287ea101914503a048f644085c16b534b2b7418686b792a9ee0cb1e32977751d648d57ed0241bed17131

Download Submit
/boot/.IptabLex
Filesize
705KB

MD5
7b6ecf8e0740258188a3b3ad1c9fe050

SHA1
9054f186567fe7cfcb1197a903c8873e48c42385

SHA256
1f5e9a31d677e3d2f1beefd1dc01c9bf492e2e3b9eb4d61903b2d9cd5c1a1f43

SHA512
476e0e3b78f7eafca818ee2b17f77f83991e175182ba1a9aeea1a73f25588dbb4cd45202c492fa4b621b5a50a3af42e2c8ec2478c203c6a5df08d2cb3e5689b2

Download Submit
/boot/IptabLes
Filesize
33B

MD5
83ed46dc4887fda860c6a43f11c34877

SHA1
76505b08bae1a79ef5b194df6230d8a0dd406146

SHA256
a654d6c11d5af3247a32622f3b4ed15ee84f9f421ac229fb4554276ba89762f3

SHA512
a19776d13d5e0fc67e33a4b12e58617d77224e5313b4c4d81886ea4d32ee93e2fbf2209a85f2dae5515338536281f6ee0080113adc241d979df17f3acef57920

Download Submit
/boot/IptabLex
Filesize
33B

MD5
f87babea4da49278448a7cfc90378881

SHA1
6894fb87a61fa12616d676232573bcc6a97337cf

SHA256
c76e5acffa83340ec7ee66fbf876bf0be9939b9c741f9db013451ff83139ad70

SHA512
4c5d834f67d9af90a8d9cb6fa5296a02184ef4abdde220d1d96c1705f39ce91822a58a800bb4f54bd2322658871a3e3f8cb135a3c147d7bdfd6b5fe972568514

Download Submit
/delallmykkk
Filesize
1KB

MD5
d42637b86ca7c28cf8f149693a725c1a

SHA1
e0fa8c025eb03ab6c23c2095f2cb3ea85aed4c52

SHA256
0eb4b7f646bbd2a08fa342654c4d27285d7851bf53309e407de6273baba398c9

SHA512
0ff790803c531db3a243f497772a6e76a78dc73d12f687e43e5760a43b1bf10798d4496b12e46bd1cee89d8e29dafa294555a912451db0ba90218e61245c5261

Download Submit
/delallmykkks
Filesize
1KB

MD5
8da57205d718f385e3878220b55635e4

SHA1
28c2bab19d21e8712819f257c81cc80189147e2f

SHA256
8cdd7e6196522a770304eb9a0c8dfa47a72f4d9c9abac7cd3c559782e05275a6

SHA512
bdb138f44ca919e99915e113f7d4274c869e0cf743766bc969cd0f89e789363f446cfbf207b68f48e569323092cec5510a4a7fb319f88e0fda00a2dd0be59582

Download Submit
/delxxaazz
Filesize
80B

MD5
dfb8b876e12f910f0382f96b63838638

SHA1
fb67cbe7ddba7b9f02142c07051b0e817b258298

SHA256
a39c3902de341e7f2f30ea31e50bf519946b7371fb388fad904f864e64053c19

SHA512
ffc6afa79958bebf39e8fb32a6fc7e8caf8e4a8dd1f3c2d2c7cce4ede679577e512cca31f8ccec96758ead6d4e450b45e30a66db9b5556facd73005a62dda9bd

Download Submit
/delxxaazzx
Filesize
87B

MD5
1fb64ae714b75f80e2a80e1354f84ec8

SHA1
8d50b138db6fd57cf312dce7012e82631c44a873

SHA256
dff810fb917b02e805aae293b0bb880c84c49d84aa3a9d02426ef904f379a692

SHA512
3a6a1aaeb8232be78f4a136b8edb6009bef4c6132b7c3264f262bce9347e3e3d395f5c185303597f344941d0901b4cbb2fdcb35e4410d7485121385dfb0a5251

Download Submit