64206f3f7d6c962fb9bf49b161e636d8be4bedde1a11d2a0164006aa25748a7e

Analysis

max time kernel
0s
max time network
103s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
27/11/2022, 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64206f3f7d6c962fb9bf49b161e636d8be4bedde1a11d2a0164006aa25748a7e
Size

1KB
MD5

a4bd78f8b9f69b508daca4268dcc66ce
SHA1

02d29ddb69616a0d3d4cf4348f51d3f81f147e67
SHA256

64206f3f7d6c962fb9bf49b161e636d8be4bedde1a11d2a0164006aa25748a7e
SHA512

60ba980e3cd14c0dc71f0b34b8f79cca1d2349569832a526d5b052a78baa3ceec36e6b312876251b019b3371e898d175ba0b8c7e32f8ae9a140fdb9bffa6e3c6

Score

5^/10

Malware Config

Signatures

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/4/stat	/proc/4/stat	killall
/proc/8/stat	/proc/8/stat	killall
/proc/89/stat	/proc/89/stat	killall
/proc/83/stat	/proc/83/stat	killall
/proc/339/cmdline	/proc/339/cmdline	killall
/proc/filesystems	/proc/filesystems	mv
/proc/3/stat	/proc/3/stat	killall
/proc/341/stat	/proc/341/stat	killall
/proc/15/stat	/proc/15/stat	killall
/proc/35/stat	/proc/35/stat	killall
/proc/36/stat	/proc/36/stat	killall
/proc/153/stat	/proc/153/stat	killall
/proc/162/stat	/proc/162/stat	killall
/proc/167/stat	/proc/167/stat	killall
/proc/332/stat	/proc/332/stat	killall
/proc/81/stat	/proc/81/stat	killall
/proc/161/stat	/proc/161/stat	killall
/proc/289/cmdline	/proc/289/cmdline	killall
/proc/1/stat	/proc/1/stat	killall
/proc/10/stat	/proc/10/stat	killall
/proc/11/stat	/proc/11/stat	killall
/proc/15/cmdline	/proc/15/cmdline	killall
/proc/5/stat	/proc/5/stat	killall
/proc/13/stat	/proc/13/stat	killall
/proc/193/cmdline	/proc/193/cmdline	killall
/proc/576/stat	/proc/576/stat	killall
/proc/32/stat	/proc/32/stat	killall
/proc/223/cmdline	/proc/223/cmdline	killall
/proc/363/stat	/proc/363/stat	killall
/proc/447/stat	/proc/447/stat	killall
/proc/filesystems	/proc/filesystems	sed
/proc/25/stat	/proc/25/stat	killall
/proc/193/stat	/proc/193/stat	killall
/proc/21/stat	/proc/21/stat	killall
/proc/22/stat	/proc/22/stat	killall
/proc/29/stat	/proc/29/stat	killall
/proc/251/stat	/proc/251/stat	killall
/proc/347/stat	/proc/347/stat	killall
/proc/6/stat	/proc/6/stat	killall
/proc/79/stat	/proc/79/stat	killall
/proc/filesystems	/proc/filesystems	mv
/proc/24/stat	/proc/24/stat	killall
/proc/115/cmdline	/proc/115/cmdline	killall
/proc/filesystems	/proc/filesystems	mv
/proc/98/stat	/proc/98/stat	killall
/proc/158/stat	/proc/158/stat	killall
/proc/356/stat	/proc/356/stat	killall
/proc/78/stat	/proc/78/stat	killall
/proc/458/stat	/proc/458/stat	killall
/proc/12/stat	/proc/12/stat	killall
/proc/36/cmdline	/proc/36/cmdline	killall
/proc/286/stat	/proc/286/stat	killall
/proc/129/stat	/proc/129/stat	killall
/proc/192/stat	/proc/192/stat	killall
/proc/416/stat	/proc/416/stat	killall
/proc/576/cmdline	/proc/576/cmdline	killall
/proc/18/stat	/proc/18/stat	killall
/proc/28/stat	/proc/28/stat	killall
/proc/82/stat	/proc/82/stat	killall
/proc/169/stat	/proc/169/stat	killall
/proc/163/stat	/proc/163/stat	killall
/proc/17/stat	/proc/17/stat	killall
/proc/80/stat	/proc/80/stat	killall
/proc/157/stat	/proc/157/stat	killall

Writes file to tmp directory 12 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
/tmp/64206f3f7d6c962fb9bf49b161e636d8be4bedde1a11d2a0164006aa25748a7e	/tmp/64206f3f7d6c962fb9bf49b161e636d8be4bedde1a11d2a0164006aa25748a7e	64206f3f7d6c962fb9bf49b161e636d8be4bedde1a11d2a0164006aa25748a7e
/tmp/cc67hxbv.s	/tmp/cc67hxbv.s	cc1
/tmp/ccN1BIdD.o	/tmp/ccN1BIdD.o	cc
/tmp/ccTxrBxI.c	/tmp/ccTxrBxI.c	collect2
/tmp/ccxurWKY.ld	/tmp/ccxurWKY.ld	collect2
/tmp/ccN1BIdD.o	/tmp/ccN1BIdD.o	ld
/tmp/cc67hxbv.s	/tmp/cc67hxbv.s	cc
/tmp/ccN1BIdD.o	/tmp/ccN1BIdD.o	as
/tmp/cc67hxbv.s	/tmp/cc67hxbv.s	as
/tmp/cc2NA9iL.res	/tmp/cc2NA9iL.res	cc
/tmp/cchnQgEQ.o	/tmp/cchnQgEQ.o	collect2
/tmp/ccpfeCR6.le	/tmp/ccpfeCR6.le	collect2

/tmp/64206f3f7d6c962fb9bf49b161e636d8be4bedde1a11d2a0164006aa25748a7e
/tmp/64206f3f7d6c962fb9bf49b161e636d8be4bedde1a11d2a0164006aa25748a7e
1⤵
- Writes file to tmp directory
PID:576
- /bin/sed
  sed "s/\\/home\\/spender/\\/tmp/g" pwnkernel.c
  2⤵
  - Reads runtime system information
  PID:580
- /bin/mv
  mv pwnkernel.c pwnkernel2.c
  2⤵
  - Reads runtime system information
  PID:581
- /bin/mv
  mv pwnkernel1.c pwnkernel.c
  2⤵
  - Reads runtime system information
  PID:582
- /usr/bin/killall
  killall -9 pulseaudio
  2⤵
  - Reads runtime system information
  PID:583
- /bin/uname
  uname -p
  2⤵
  PID:584
- /bin/cat
  cat /proc/sys/vm/mmap_min_addr
  2⤵
  PID:585
- /usr/bin/cc
  cc -fno-stack-protector -fPIC -m64 -shared -o exploit.so exploit.c
  2⤵
  PID:586
- /usr/bin/cc
  cc -m64 -o pwnkernel pwnkernel.c
  2⤵
  - Writes file to tmp directory
  PID:587
- ./pwnkernel
  ./pwnkernel
  2⤵
  PID:596
- /bin/mv
  mv -f pwnkernel2.c pwnkernel.c
  2⤵
  - Reads runtime system information
  PID:597

/bin/sed
sed "s/\\//\\\\\\//g"
1⤵
PID:579

/usr/lib/gcc/x86_64-linux-gnu/7/cc1
/usr/lib/gcc/x86_64-linux-gnu/7/cc1 -quiet -imultiarch x86_64-linux-gnu pwnkernel.c -quiet -dumpbase pwnkernel.c -m64 "-mtune=generic" "-march=x86-64" -auxbase pwnkernel -fstack-protector-strong -Wformat -Wformat-security -o /tmp/cc67hxbv.s
1⤵
- Writes file to tmp directory
PID:588

/usr/local/sbin/as
as --64 -o /tmp/ccN1BIdD.o /tmp/cc67hxbv.s
1⤵
PID:589

/usr/local/bin/as
as --64 -o /tmp/ccN1BIdD.o /tmp/cc67hxbv.s
1⤵
PID:589

/usr/sbin/as
as --64 -o /tmp/ccN1BIdD.o /tmp/cc67hxbv.s
1⤵
PID:589

/usr/bin/as
as --64 -o /tmp/ccN1BIdD.o /tmp/cc67hxbv.s
1⤵
- Writes file to tmp directory
PID:589

/usr/lib/gcc/x86_64-linux-gnu/7/collect2
/usr/lib/gcc/x86_64-linux-gnu/7/collect2 -plugin /usr/lib/gcc/x86_64-linux-gnu/7/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper" "-plugin-opt=-fresolution=/tmp/cc2NA9iL.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" --build-id --eh-frame-hdr -m elf_x86_64 "--hash-style=gnu" --as-needed -dynamic-linker /lib64/ld-linux-x86-64.so.2 -pie -z now -z relro -o pwnkernel /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/Scrt1.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/7 -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/7/../../.. /tmp/ccN1BIdD.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o
1⤵
- Writes file to tmp directory
PID:590

/usr/bin/ld
/usr/bin/ld -plugin /usr/lib/gcc/x86_64-linux-gnu/7/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper" "-plugin-opt=-fresolution=/tmp/cc2NA9iL.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" --build-id --eh-frame-hdr -m elf_x86_64 "--hash-style=gnu" --as-needed -dynamic-linker /lib64/ld-linux-x86-64.so.2 -pie -z now -z relro -o pwnkernel /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/Scrt1.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/7 -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/7/../../.. /tmp/ccN1BIdD.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o
1⤵
- Writes file to tmp directory
PID:591

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads