Analysis

  • max time kernel
    0s
  • max time network
    134s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20221111-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu1804-amd64-20221111-en, kernel:4.15.0-161-generic, locale:en-us, os:ubuntu-18.04-amd64, system
  • submitted
    24/11/2022, 03:12

General

  • Target

    fac37c893ca025ceadfade88af1fbc68826de71488be75f703af5a43eea4ef46

  • Size

    280B

  • MD5

    ffbe082703fd28730ccf804c76e7e04c

  • SHA1

    14d68ce4221d8ad00d5f351ded4b66a331b92ced

  • SHA256

    fac37c893ca025ceadfade88af1fbc68826de71488be75f703af5a43eea4ef46

  • SHA512

    e350aa02c42514216d5e1bf5684c15379d6cdc64861e931373fd6a204058a89f61758e661e107900e4697fda24a23a011b6ecb166d754c3ebcdad2b9e3369f47

Score
5/10

Malware Config

Signatures

  • Reads runtime system information 3 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 17 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/fac37c893ca025ceadfade88af1fbc68826de71488be75f703af5a43eea4ef46
    /tmp/fac37c893ca025ceadfade88af1fbc68826de71488be75f703af5a43eea4ef46
    1⤵
    • Writes file to tmp directory
    PID:615
    • /bin/rm
      rm -rf /tmp/x
      2⤵
      • Writes file to tmp directory
      PID:616
    • /bin/mkdir
      mkdir /tmp/x
      2⤵
      • Reads runtime system information
      PID:617
    • /bin/ln
      ln /bin/mount /tmp/x/t
      2⤵
        PID:618
      • /bin/cat
        cat
        2⤵
          PID:619
        • /bin/rm
          rm -rf /tmp/x
          2⤵
          • Writes file to tmp directory
          PID:620
        • /usr/bin/gcc
          gcc -w -fPIC -shared -o /tmp/x pl.c
          2⤵
          • Writes file to tmp directory
          PID:621
      • /usr/lib/gcc/x86_64-linux-gnu/7/cc1
        /usr/lib/gcc/x86_64-linux-gnu/7/cc1 -quiet -imultiarch x86_64-linux-gnu pl.c -quiet -dumpbase pl.c "-mtune=generic" "-march=x86-64" -auxbase pl -w -fPIC -fstack-protector-strong -Wformat -Wformat-security -o /tmp/ccEAHdIa.s
        1⤵
        • Writes file to tmp directory
        PID:622
      • /usr/local/sbin/as
        as -W --64 -o /tmp/ccRckPa8.o /tmp/ccEAHdIa.s
        1⤵
          PID:623
        • /usr/local/bin/as
          as -W --64 -o /tmp/ccRckPa8.o /tmp/ccEAHdIa.s
          1⤵
            PID:623
          • /usr/sbin/as
            as -W --64 -o /tmp/ccRckPa8.o /tmp/ccEAHdIa.s
            1⤵
              PID:623
            • /usr/bin/as
              as -W --64 -o /tmp/ccRckPa8.o /tmp/ccEAHdIa.s
              1⤵
              • Writes file to tmp directory
              PID:623
            • /usr/lib/gcc/x86_64-linux-gnu/7/collect2
              /usr/lib/gcc/x86_64-linux-gnu/7/collect2 -plugin /usr/lib/gcc/x86_64-linux-gnu/7/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccJu7FHg.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" --build-id --eh-frame-hdr -m elf_x86_64 "--hash-style=gnu" --as-needed -shared -z relro -o /tmp/x /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/7 -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/7/../../.. /tmp/ccRckPa8.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o
              1⤵
              • Writes file to tmp directory
              PID:628
            • /usr/bin/ld
              /usr/bin/ld -plugin /usr/lib/gcc/x86_64-linux-gnu/7/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccJu7FHg.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" --build-id --eh-frame-hdr -m elf_x86_64 "--hash-style=gnu" --as-needed -shared -z relro -o /tmp/x /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/7 -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/7/../../.. /tmp/ccRckPa8.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o
              1⤵
              • Writes file to tmp directory
              PID:629
            • /proc/self/fd/3
              /proc/self/fd/3
              1⤵
              • Reads runtime system information
              PID:615

            Network

            MITRE ATT&CK Matrix
