Overview

overview

5

Static

static

a5b0146024...4620ff

ubuntu-18.04-amd64

5

a5b0146024...4620ff

debian-9-armhf

5

a5b0146024...4620ff

debian-9-mips

5

a5b0146024...4620ff

debian-9-mipsel

5

Analysis

  • max time kernel
    0s
  • max time network
    102s
  • platform
    linux_amd64
  • resource
    ubuntu1804-amd64-en-20211208
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    27-11-2022 12:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a5b0146024e8974f15f29c835f5d2d272a199846fa04963bb05d7e0bd14620ff

  • Size

    404B

  • MD5

    fa4f1798d03844cc950c5c0ff1ed71a7

  • SHA1

    7b7bb83c614603989d91a77ac0405d4000a0fa75

  • SHA256

    a5b0146024e8974f15f29c835f5d2d272a199846fa04963bb05d7e0bd14620ff

  • SHA512

    e94e75ade995e3ed08e1fcff6a830dbb28e512091d72af14bbf19ae6b6a33381130bda2c9b38050e61fc9dcf82e25ba06fb8d8f15edd4edeb1a7c1a675a8139e

Score
5/10

Malware Config

Signatures

  • Reads runtime system information 3 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 17 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/a5b0146024e8974f15f29c835f5d2d272a199846fa04963bb05d7e0bd14620ff
    /tmp/a5b0146024e8974f15f29c835f5d2d272a199846fa04963bb05d7e0bd14620ff
    1⤵
    • Writes file to tmp directory
    PID:571
    • /bin/rm
      rm -r -f /tmp/exploit
      2⤵
      • Writes file to tmp directory
      PID:572
    • /bin/mkdir
      mkdir /tmp/exploit
      2⤵
      • Reads runtime system information
      PID:573
    • /bin/ln
      ln /bin/ping /tmp/exploit/target
      2⤵
        PID:574
      • /bin/ls
        ls -l /proc/571/fd/3
        2⤵
        • Reads runtime system information
        PID:575
      • /bin/rm
        rm -rf /tmp/exploit
        2⤵
        • Writes file to tmp directory
        PID:576
      • /bin/ls
        ls -l /proc/571/fd/3
        2⤵
        • Reads runtime system information
        PID:577
      • /bin/cat
        cat
        2⤵
          PID:578
        • /usr/bin/gcc
          gcc -w -fPIC -shared -o /tmp/exploit program.c
          2⤵
          • Writes file to tmp directory
          PID:579
      • /usr/lib/gcc/x86_64-linux-gnu/7/cc1
        /usr/lib/gcc/x86_64-linux-gnu/7/cc1 -quiet -imultiarch x86_64-linux-gnu program.c -quiet -dumpbase program.c "-mtune=generic" "-march=x86-64" -auxbase program -w -fPIC -fstack-protector-strong -Wformat -Wformat-security -o /tmp/ccdVZ7rs.s
        1⤵
        • Writes file to tmp directory
        PID:580
      • /usr/local/sbin/as
        as -W --64 -o /tmp/cc6MvESB.o /tmp/ccdVZ7rs.s
        1⤵
          PID:581
        • /usr/local/bin/as
          as -W --64 -o /tmp/cc6MvESB.o /tmp/ccdVZ7rs.s
          1⤵
            PID:581
          • /usr/sbin/as
            as -W --64 -o /tmp/cc6MvESB.o /tmp/ccdVZ7rs.s
            1⤵
              PID:581
            • /usr/bin/as
              as -W --64 -o /tmp/cc6MvESB.o /tmp/ccdVZ7rs.s
              1⤵
              • Writes file to tmp directory
              PID:581
            • /usr/lib/gcc/x86_64-linux-gnu/7/collect2
              /usr/lib/gcc/x86_64-linux-gnu/7/collect2 -plugin /usr/lib/gcc/x86_64-linux-gnu/7/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccPda4lL.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" --build-id --eh-frame-hdr -m elf_x86_64 "--hash-style=gnu" --as-needed -shared -z relro -o /tmp/exploit /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/7 -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/7/../../.. /tmp/cc6MvESB.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o
              1⤵
              • Writes file to tmp directory
              PID:582
            • /usr/bin/ld
              /usr/bin/ld -plugin /usr/lib/gcc/x86_64-linux-gnu/7/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccPda4lL.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" --build-id --eh-frame-hdr -m elf_x86_64 "--hash-style=gnu" --as-needed -shared -z relro -o /tmp/exploit /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/7 -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/7/../../.. /tmp/cc6MvESB.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o
              1⤵
              • Writes file to tmp directory
              PID:583
            • /proc/self/fd/3
              /proc/self/fd/3
              1⤵
                PID:571

              Network

              MITRE ATT&CK Matrix

              Replay Monitor

              Loading Replay Monitor...

              Downloads