Analysis

  • max time kernel
    0s
  • max time network
    159s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20221111-en
  • resource tags

    arch:armhf image:debian9-armhf-20221111-en kernel:4.9.0-13-armmp-lpae locale:en-us os:debian-9-armhf system
  • submitted
    27-11-2022 12:57

General

  • Target

    xiang/1.sh

  • Size

    404B

  • MD5

    fa4f1798d03844cc950c5c0ff1ed71a7

  • SHA1

    7b7bb83c614603989d91a77ac0405d4000a0fa75

  • SHA256

    a5b0146024e8974f15f29c835f5d2d272a199846fa04963bb05d7e0bd14620ff

  • SHA512

    e94e75ade995e3ed08e1fcff6a830dbb28e512091d72af14bbf19ae6b6a33381130bda2c9b38050e61fc9dcf82e25ba06fb8d8f15edd4edeb1a7c1a675a8139e

Score
5/10

Malware Config

Signatures

  • Reads runtime system information 3 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 16 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/xiang/1.sh
    /tmp/xiang/1.sh
    1⤵
    • Writes file to tmp directory
    PID:367
    • /bin/rm
      rm -r -f /tmp/exploit
      2⤵
      • Writes file to tmp directory
      PID:368
    • /bin/mkdir
      mkdir /tmp/exploit
      2⤵
      • Reads runtime system information
      PID:369
    • /bin/ln
      ln /bin/ping /tmp/exploit/target
      2⤵
        PID:370
      • /bin/ls
        ls -l /proc/367/fd/3
        2⤵
        • Reads runtime system information
        PID:374
      • /bin/rm
        rm -rf /tmp/exploit
        2⤵
        • Writes file to tmp directory
        PID:377
      • /bin/ls
        ls -l /proc/367/fd/3
        2⤵
        • Reads runtime system information
        PID:379
      • /bin/cat
        cat
        2⤵
          PID:380
        • /usr/bin/gcc
          gcc -w -fPIC -shared -o /tmp/exploit program.c
          2⤵
          • Writes file to tmp directory
          PID:381
      • /usr/lib/gcc/arm-linux-gnueabihf/6/cc1
        /usr/lib/gcc/arm-linux-gnueabihf/6/cc1 -quiet -imultilib . -imultiarch arm-linux-gnueabihf program.c -quiet -dumpbase program.c "-march=armv7-a" "-mfloat-abi=hard" "-mfpu=vfpv3-d16" -mthumb "-mtls-dialect=gnu" -auxbase program -w -fPIC -o /tmp/ccWXIm51.s
        1⤵
        • Writes file to tmp directory
        PID:382
      • /usr/local/sbin/as
        as -W "-march=armv7-a" "-mfloat-abi=hard" "-mfpu=vfpv3-d16" "-meabi=5" -o /tmp/ccFy6enC.o /tmp/ccWXIm51.s
        1⤵
          PID:383
        • /usr/local/bin/as
          as -W "-march=armv7-a" "-mfloat-abi=hard" "-mfpu=vfpv3-d16" "-meabi=5" -o /tmp/ccFy6enC.o /tmp/ccWXIm51.s
          1⤵
            PID:383
          • /usr/sbin/as
            as -W "-march=armv7-a" "-mfloat-abi=hard" "-mfpu=vfpv3-d16" "-meabi=5" -o /tmp/ccFy6enC.o /tmp/ccWXIm51.s
            1⤵
              PID:383
            • /usr/bin/as
              as -W "-march=armv7-a" "-mfloat-abi=hard" "-mfpu=vfpv3-d16" "-meabi=5" -o /tmp/ccFy6enC.o /tmp/ccWXIm51.s
              1⤵
              • Writes file to tmp directory
              PID:383
            • /usr/lib/gcc/arm-linux-gnueabihf/6/collect2
              /usr/lib/gcc/arm-linux-gnueabihf/6/collect2 -plugin /usr/lib/gcc/arm-linux-gnueabihf/6/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/arm-linux-gnueabihf/6/lto-wrapper" "-plugin-opt=-fresolution=/tmp/cc6JxRzt.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "--sysroot=/" --build-id --eh-frame-hdr -shared -X "--hash-style=gnu" -m armelf_linux_eabi -o /tmp/exploit /usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf/crti.o /usr/lib/gcc/arm-linux-gnueabihf/6/crtbeginS.o -L/usr/lib/gcc/arm-linux-gnueabihf/6 -L/usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf -L/usr/lib/gcc/arm-linux-gnueabihf/6/../../.. -L/lib/arm-linux-gnueabihf -L/usr/lib/arm-linux-gnueabihf /tmp/ccFy6enC.o -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s --no-as-needed /usr/lib/gcc/arm-linux-gnueabihf/6/crtendS.o /usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf/crtn.o
              1⤵
              • Writes file to tmp directory
              PID:384
            • /usr/bin/ld
              /usr/bin/ld -plugin /usr/lib/gcc/arm-linux-gnueabihf/6/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/arm-linux-gnueabihf/6/lto-wrapper" "-plugin-opt=-fresolution=/tmp/cc6JxRzt.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "--sysroot=/" --build-id --eh-frame-hdr -shared -X "--hash-style=gnu" -m armelf_linux_eabi -o /tmp/exploit /usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf/crti.o /usr/lib/gcc/arm-linux-gnueabihf/6/crtbeginS.o -L/usr/lib/gcc/arm-linux-gnueabihf/6 -L/usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf -L/usr/lib/gcc/arm-linux-gnueabihf/6/../../.. -L/lib/arm-linux-gnueabihf -L/usr/lib/arm-linux-gnueabihf /tmp/ccFy6enC.o -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s --no-as-needed /usr/lib/gcc/arm-linux-gnueabihf/6/crtendS.o /usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf/crtn.o
              1⤵
              • Writes file to tmp directory
              PID:385
            • /proc/self/fd/3
              /proc/self/fd/3
              1⤵
                PID:367

              Network

              MITRE ATT&CK Matrix


              Downloads