Analysis

  • max time kernel
    0s
  • max time network
    154s
  • platform
    linux_mips
  • resource
    debian9-mipsbe-en-20211208
  • resource tags

    arch:mips image:debian9-mipsbe-en-20211208 kernel:4.9.0-13-4kc-malta locale:en-us os:debian-9-mips system
  • submitted
    27-11-2022 12:57

General

  • Target

    xiang/1.sh

  • Size

    404B

  • MD5

    fa4f1798d03844cc950c5c0ff1ed71a7

  • SHA1

    7b7bb83c614603989d91a77ac0405d4000a0fa75

  • SHA256

    a5b0146024e8974f15f29c835f5d2d272a199846fa04963bb05d7e0bd14620ff

  • SHA512

    e94e75ade995e3ed08e1fcff6a830dbb28e512091d72af14bbf19ae6b6a33381130bda2c9b38050e61fc9dcf82e25ba06fb8d8f15edd4edeb1a7c1a675a8139e

Score
5/10

Malware Config

Signatures

  • Reads runtime system information 3 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 16 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/xiang/1.sh
    /tmp/xiang/1.sh
    1⤵
    • Writes file to tmp directory
    PID:320
    • /bin/rm
      rm -r -f /tmp/exploit
      2⤵
      • Writes file to tmp directory
      PID:321
    • /bin/mkdir
      mkdir /tmp/exploit
      2⤵
      • Reads runtime system information
      PID:322
    • /bin/ln
      ln /bin/ping /tmp/exploit/target
      2⤵
        PID:323
      • /bin/ls
        ls -l /proc/320/fd/3
        2⤵
        • Reads runtime system information
        PID:325
      • /bin/rm
        rm -rf /tmp/exploit
        2⤵
        • Writes file to tmp directory
        PID:329
      • /bin/ls
        ls -l /proc/320/fd/3
        2⤵
        • Reads runtime system information
        PID:330
      • /bin/cat
        cat
        2⤵
          PID:331
        • /usr/bin/gcc
          gcc -w -fPIC -shared -o /tmp/exploit program.c
          2⤵
          • Writes file to tmp directory
          PID:332
          • /usr/lib/gcc/mips-linux-gnu/6/cc1
            /usr/lib/gcc/mips-linux-gnu/6/cc1 -quiet -imultiarch mips-linux-gnu program.c -meb -quiet -dumpbase program.c "-march=mips32r2" -mfpxx -mllsc -mno-lxc1-sxc1 -mips32r2 "-mabi=32" -auxbase program -w -fPIC -o /tmp/ccEAm5cM.s
            3⤵
            • Writes file to tmp directory
            PID:333
          • /usr/bin/as
            as -W -EB -mips32r2 -O1 -no-mdebug "-mabi=32" "-march=mips32r2" -mfpxx -KPIC -o /tmp/ccZfhUBv.o /tmp/ccEAm5cM.s
            3⤵
            • Writes file to tmp directory
            PID:334
          • /usr/lib/gcc/mips-linux-gnu/6/collect2
            /usr/lib/gcc/mips-linux-gnu/6/collect2 -plugin /usr/lib/gcc/mips-linux-gnu/6/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/mips-linux-gnu/6/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccATKl8x.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "--sysroot=/" --build-id --eh-frame-hdr -EB -mips32r2 -shared -melf32btsmip -o /tmp/exploit /usr/lib/gcc/mips-linux-gnu/6/../../../mips-linux-gnu/crti.o /usr/lib/gcc/mips-linux-gnu/6/crtbeginS.o -L/usr/lib/gcc/mips-linux-gnu/6 -L/usr/lib/gcc/mips-linux-gnu/6/../../../mips-linux-gnu -L/usr/lib/gcc/mips-linux-gnu/6/../../../../lib -L/lib/mips-linux-gnu -L/lib/../lib -L/usr/lib/mips-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/mips-linux-gnu/6/../../.. /tmp/ccZfhUBv.o -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s --no-as-needed /usr/lib/gcc/mips-linux-gnu/6/crtendS.o /usr/lib/gcc/mips-linux-gnu/6/../../../mips-linux-gnu/crtn.o
            3⤵
            • Writes file to tmp directory
            PID:335
            • /usr/bin/ld
              /usr/bin/ld -plugin /usr/lib/gcc/mips-linux-gnu/6/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/mips-linux-gnu/6/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccATKl8x.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "--sysroot=/" --build-id --eh-frame-hdr -EB -mips32r2 -shared -melf32btsmip -o /tmp/exploit /usr/lib/gcc/mips-linux-gnu/6/../../../mips-linux-gnu/crti.o /usr/lib/gcc/mips-linux-gnu/6/crtbeginS.o -L/usr/lib/gcc/mips-linux-gnu/6 -L/usr/lib/gcc/mips-linux-gnu/6/../../../mips-linux-gnu -L/usr/lib/gcc/mips-linux-gnu/6/../../../../lib -L/lib/mips-linux-gnu -L/lib/../lib -L/usr/lib/mips-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/mips-linux-gnu/6/../../.. /tmp/ccZfhUBv.o -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s --no-as-needed /usr/lib/gcc/mips-linux-gnu/6/crtendS.o /usr/lib/gcc/mips-linux-gnu/6/../../../mips-linux-gnu/crtn.o
              4⤵
              • Writes file to tmp directory
              PID:336
      • /usr/local/sbin/as
        as -W -EB -mips32r2 -O1 -no-mdebug "-mabi=32" "-march=mips32r2" -mfpxx -KPIC -o /tmp/ccZfhUBv.o /tmp/ccEAm5cM.s
        1⤵
          PID:334
        • /usr/local/bin/as
          as -W -EB -mips32r2 -O1 -no-mdebug "-mabi=32" "-march=mips32r2" -mfpxx -KPIC -o /tmp/ccZfhUBv.o /tmp/ccEAm5cM.s
          1⤵
            PID:334
          • /usr/sbin/as
            as -W -EB -mips32r2 -O1 -no-mdebug "-mabi=32" "-march=mips32r2" -mfpxx -KPIC -o /tmp/ccZfhUBv.o /tmp/ccEAm5cM.s
            1⤵
              PID:334
            • /proc/self/fd/3
              /proc/self/fd/3
              1⤵
                PID:320

              Network

              MITRE ATT&CK Matrix
