Analysis

  • max time kernel
    5s
  • max time network
    130s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20231215-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu1804-amd64-20231215-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
  • submitted
    21-12-2023 20:40

General

  • Target

    xiang/1.sh

  • Size

    404B

  • MD5

    fa4f1798d03844cc950c5c0ff1ed71a7

  • SHA1

    7b7bb83c614603989d91a77ac0405d4000a0fa75

  • SHA256

    a5b0146024e8974f15f29c835f5d2d272a199846fa04963bb05d7e0bd14620ff

  • SHA512

    e94e75ade995e3ed08e1fcff6a830dbb28e512091d72af14bbf19ae6b6a33381130bda2c9b38050e61fc9dcf82e25ba06fb8d8f15edd4edeb1a7c1a675a8139e

Score
3/10

Malware Config

Signatures

  • Reads runtime system information (3 IoCs)

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory (11 IoCs)

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/xiang/1.sh
    /tmp/xiang/1.sh
    1⤵
    • Writes file to tmp directory
    PID:1526
    • /bin/rm
      rm -r -f /tmp/exploit
      2⤵
        PID:1527
      • /bin/mkdir
        mkdir /tmp/exploit
        2⤵
        • Reads runtime system information
        PID:1528
      • /bin/ln
        ln /bin/ping /tmp/exploit/target
        2⤵
          PID:1529
        • /bin/ls
          ls -l /proc/1526/fd/3
          2⤵
          • Reads runtime system information
          PID:1530
        • /bin/rm
          rm -rf /tmp/exploit
          2⤵
            PID:1531
          • /bin/ls
            ls -l /proc/1526/fd/3
            2⤵
            • Reads runtime system information
            PID:1532
          • /bin/cat
            cat
            2⤵
              PID:1533
            • /usr/bin/gcc
              gcc -w -fPIC -shared -o /tmp/exploit program.c
              2⤵
              • Writes file to tmp directory
              PID:1534
              • /usr/lib/gcc/x86_64-linux-gnu/7/cc1
                /usr/lib/gcc/x86_64-linux-gnu/7/cc1 -quiet -imultiarch x86_64-linux-gnu program.c -quiet -dumpbase program.c "-mtune=generic" "-march=x86-64" -auxbase program -w -fPIC -fstack-protector-strong -Wformat -Wformat-security -o /tmp/cc9AzpRK.s
                3⤵
                • Writes file to tmp directory
                PID:1535
              • /usr/local/sbin/as
                as -W --64 -o /tmp/ccSsXwp4.o /tmp/cc9AzpRK.s
                3⤵
                  PID:1539
                • /usr/local/bin/as
                  as -W --64 -o /tmp/ccSsXwp4.o /tmp/cc9AzpRK.s
                  3⤵
                    PID:1539
                  • /usr/sbin/as
                    as -W --64 -o /tmp/ccSsXwp4.o /tmp/cc9AzpRK.s
                    3⤵
                      PID:1539
                    • /usr/bin/as
                      as -W --64 -o /tmp/ccSsXwp4.o /tmp/cc9AzpRK.s
                      3⤵
                      • Writes file to tmp directory
                      PID:1539
                    • /usr/lib/gcc/x86_64-linux-gnu/7/collect2
                      /usr/lib/gcc/x86_64-linux-gnu/7/collect2 -plugin /usr/lib/gcc/x86_64-linux-gnu/7/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccyILn4n.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" --build-id --eh-frame-hdr -m elf_x86_64 "--hash-style=gnu" --as-needed -shared -z relro -o /tmp/exploit /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/7 -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/7/../../.. /tmp/ccSsXwp4.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o
                      3⤵
                      • Writes file to tmp directory
                      PID:1540
                      • /usr/bin/ld
                        /usr/bin/ld -plugin /usr/lib/gcc/x86_64-linux-gnu/7/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccyILn4n.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" --build-id --eh-frame-hdr -m elf_x86_64 "--hash-style=gnu" --as-needed -shared -z relro -o /tmp/exploit /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/7 -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/7/../../.. /tmp/ccSsXwp4.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o
                        4⤵
                        • Writes file to tmp directory
                        PID:1541
                • /proc/self/fd/3
                  /proc/self/fd/3
                  1⤵
                    PID:1526

                  Network

                  MITRE ATT&CK Matrix


                  Downloads

                  • /tmp/cc9AzpRK.s

                    Filesize

                    563B

                    MD5

                    3d69cabe808fc30bba811c249ba63028

                    SHA1

                    844331d5ea6720fef8888657d2fef631a5fe72ba

                    SHA256

                    82a2d9deca3d1a24c6ebf733c6e2049516b74aaf0612ef8144f77b4aef66b1c3

                    SHA512

                    6e3d31a370ead6c2f16dca938b1a4830c28700fc3e94bd62248e4fc39530bd296c5457116b3addeb74bebe76911601fd57aee26d82260143a42297c153cb64bf

                  • /tmp/ccSsXwp4.o

                    Filesize

                    1KB

                    MD5

                    05d032666f9241f0a722758c2443d99c

                    SHA1

                    e7179ee3a095d27daa0155ea03bf87381c550177

                    SHA256

                    748b24084b1f44d05d78e6ccdb1ae67715fe977ff61250864d04205a91e66f9d

                    SHA512

                    b561bbf3e10d0fb5efd3af507122c7b93f71090e5858aeba7e51f09c6663f11bbc927fe791c6a6a69ffa9c4c57fa072fd451885db4da9c8ade490db4f8bc2dee

                  • /tmp/exploit

                    Filesize

                    7KB

                    MD5

                    711082790e8039aec3c8cc8b6bf9de7c

                    SHA1

                    96543b27af51646cd8249c07b4fe3f353210055d

                    SHA256

                    42fa32d036cd2abfabc9de7d09e916e55dbf934702f81464d9cb9225ed591272

                    SHA512

                    cc144f0974599e14c5acc6fdd0f147e2bb8f51b6e68bb8b426cefd336d791f26ae4903ac75b7aa0742e5733cfc2c531365697523492f08bc6b45fca40c334c0a