Analysis
-
max time kernel
0s -
max time network
102s -
platform
linux_amd64 -
resource
ubuntu1804-amd64-en-20211208 -
resource tags
arch:amd64, arch:i386, image:ubuntu1804-amd64-en-20211208, kernel:4.15.0-161-generic, locale:en-us, os:ubuntu-18.04-amd64, system -
submitted
27-11-2022 12:57
Static task
static1
Behavioral task
behavioral1
Sample
a5b0146024e8974f15f29c835f5d2d272a199846fa04963bb05d7e0bd14620ff
Resource
ubuntu1804-amd64-en-20211208
Behavioral task
behavioral2
Sample
a5b0146024e8974f15f29c835f5d2d272a199846fa04963bb05d7e0bd14620ff
Resource
debian9-armhf-20221111-en
Behavioral task
behavioral3
Sample
a5b0146024e8974f15f29c835f5d2d272a199846fa04963bb05d7e0bd14620ff
Resource
debian9-mipsbe-en-20211208
Behavioral task
behavioral4
Sample
a5b0146024e8974f15f29c835f5d2d272a199846fa04963bb05d7e0bd14620ff
Resource
debian9-mipsel-20221111-en
General
-
Target
a5b0146024e8974f15f29c835f5d2d272a199846fa04963bb05d7e0bd14620ff
-
Size
404B
-
MD5
fa4f1798d03844cc950c5c0ff1ed71a7
-
SHA1
7b7bb83c614603989d91a77ac0405d4000a0fa75
-
SHA256
a5b0146024e8974f15f29c835f5d2d272a199846fa04963bb05d7e0bd14620ff
-
SHA512
e94e75ade995e3ed08e1fcff6a830dbb28e512091d72af14bbf19ae6b6a33381130bda2c9b38050e61fc9dcf82e25ba06fb8d8f15edd4edeb1a7c1a675a8139e
Malware Config
Signatures
-
Reads runtime system information 3 IoCs
Reads data from /proc virtual filesystem.
Processes:
mkdir, ls, ls
description | ioc | process
/proc/filesystems | /proc/filesystems | mkdir
/proc/filesystems | /proc/filesystems | ls
/proc/filesystems | /proc/filesystems | ls -
Writes file to tmp directory 17 IoCs
Malware often drops required files in the /tmp directory.
Processes:
a5b0146024e8974f15f29c835f5d2d272a199846fa04963bb05d7e0bd14620ff, as, gcc, collect2, ld, rm, rm, cc1
description | ioc | process
/tmp/a5b0146024e8974f15f29c835f5d2d272a199846fa04963bb05d7e0bd14620ff | /tmp/a5b0146024e8974f15f29c835f5d2d272a199846fa04963bb05d7e0bd14620ff | a5b0146024e8974f15f29c835f5d2d272a199846fa04963bb05d7e0bd14620ff
/tmp/cc6MvESB.o | /tmp/cc6MvESB.o | as
/tmp/ccdVZ7rs.s | /tmp/ccdVZ7rs.s | as
/tmp/ccPda4lL.res | /tmp/ccPda4lL.res | gcc
/tmp/ccK6VZb4.le | /tmp/ccK6VZb4.le | collect2
/tmp/cc6MvESB.o | /tmp/cc6MvESB.o | ld
/tmp/exploit/target | /tmp/exploit/target | a5b0146024e8974f15f29c835f5d2d272a199846fa04963bb05d7e0bd14620ff
/tmp/exploit | /tmp/exploit | rm
/tmp/exploit/target | /tmp/exploit/target | rm
/tmp/cc6MvESB.o | /tmp/cc6MvESB.o | gcc
/tmp/ccYNrvJB.c | /tmp/ccYNrvJB.c | collect2
/tmp/ccuYBPHU.ld | /tmp/ccuYBPHU.ld | collect2
/tmp/exploit | /tmp/exploit | rm
/tmp/ccdVZ7rs.s | /tmp/ccdVZ7rs.s | cc1
/tmp/cc0JrFdL.o | /tmp/cc0JrFdL.o | collect2
/tmp/exploit | /tmp/exploit | ld
/tmp/ccdVZ7rs.s | /tmp/ccdVZ7rs.s | gcc
Processes
-
/tmp/a5b0146024e8974f15f29c835f5d2d272a199846fa04963bb05d7e0bd14620ff — /tmp/a5b0146024e8974f15f29c835f5d2d272a199846fa04963bb05d7e0bd14620ff 1⤵
- Writes file to tmp directory
-
/bin/rm — rm -r -f /tmp/exploit 2⤵
- Writes file to tmp directory
-
/bin/mkdir — mkdir /tmp/exploit 2⤵
- Reads runtime system information
-
/bin/ln — ln /bin/ping /tmp/exploit/target 2⤵
-
/bin/ls — ls -l /proc/571/fd/3 2⤵
- Reads runtime system information
-
/bin/rm — rm -rf /tmp/exploit 2⤵
- Writes file to tmp directory
-
/bin/ls — ls -l /proc/571/fd/3 2⤵
- Reads runtime system information
-
/bin/cat — cat 2⤵
-
/usr/bin/gcc — gcc -w -fPIC -shared -o /tmp/exploit program.c 2⤵
- Writes file to tmp directory
-
/usr/lib/gcc/x86_64-linux-gnu/7/cc1 — /usr/lib/gcc/x86_64-linux-gnu/7/cc1 -quiet -imultiarch x86_64-linux-gnu program.c -quiet -dumpbase program.c "-mtune=generic" "-march=x86-64" -auxbase program -w -fPIC -fstack-protector-strong -Wformat -Wformat-security -o /tmp/ccdVZ7rs.s 1⤵
- Writes file to tmp directory
-
/usr/local/sbin/as — as -W --64 -o /tmp/cc6MvESB.o /tmp/ccdVZ7rs.s 1⤵
-
/usr/local/bin/as — as -W --64 -o /tmp/cc6MvESB.o /tmp/ccdVZ7rs.s 1⤵
-
/usr/sbin/as — as -W --64 -o /tmp/cc6MvESB.o /tmp/ccdVZ7rs.s 1⤵
-
/usr/bin/as — as -W --64 -o /tmp/cc6MvESB.o /tmp/ccdVZ7rs.s 1⤵
- Writes file to tmp directory
-
/usr/lib/gcc/x86_64-linux-gnu/7/collect2/usr/lib/gcc/x86_64-linux-gnu/7/collect2 -plugin /usr/lib/gcc/x86_64-linux-gnu/7/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccPda4lL.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" --build-id --eh-frame-hdr -m elf_x86_64 "--hash-style=gnu" --as-needed -shared -z relro -o /tmp/exploit /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/7 -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/7/../../.. /tmp/cc6MvESB.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o1⤵
- Writes file to tmp directory
-
/usr/bin/ld/usr/bin/ld -plugin /usr/lib/gcc/x86_64-linux-gnu/7/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccPda4lL.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" --build-id --eh-frame-hdr -m elf_x86_64 "--hash-style=gnu" --as-needed -shared -z relro -o /tmp/exploit /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/7 -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/7/../../.. /tmp/cc6MvESB.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o1⤵
- Writes file to tmp directory
-
/proc/self/fd/3 — /proc/self/fd/3 1⤵