Analysis

  • max time kernel
    10s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20231215-en
  • resource tags

    arch:armhf, image:debian9-armhf-20231215-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
  • submitted
    21-12-2023 20:40

General

  • Target

    xiang/1.sh

  • Size

    404B

  • MD5

    fa4f1798d03844cc950c5c0ff1ed71a7

  • SHA1

    7b7bb83c614603989d91a77ac0405d4000a0fa75

  • SHA256

    a5b0146024e8974f15f29c835f5d2d272a199846fa04963bb05d7e0bd14620ff

  • SHA512

    e94e75ade995e3ed08e1fcff6a830dbb28e512091d72af14bbf19ae6b6a33381130bda2c9b38050e61fc9dcf82e25ba06fb8d8f15edd4edeb1a7c1a675a8139e

Score
3/10

Malware Config

Signatures

  • Reads runtime system information 3 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 11 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/xiang/1.sh
    /tmp/xiang/1.sh
    1⤵
    • Writes file to tmp directory
    PID:656
    • /bin/rm
      rm -r -f /tmp/exploit
      2⤵
        PID:659
      • /bin/mkdir
        mkdir /tmp/exploit
        2⤵
        • Reads runtime system information
        PID:660
      • /bin/ln
        ln /bin/ping /tmp/exploit/target
        2⤵
          PID:662
        • /bin/ls
          ls -l /proc/656/fd/3
          2⤵
          • Reads runtime system information
          PID:666
        • /bin/rm
          rm -rf /tmp/exploit
          2⤵
            PID:667
          • /bin/ls
            ls -l /proc/656/fd/3
            2⤵
            • Reads runtime system information
            PID:668
          • /bin/cat
            cat
            2⤵
              PID:669
            • /usr/bin/gcc
              gcc -w -fPIC -shared -o /tmp/exploit program.c
              2⤵
              • Writes file to tmp directory
              PID:670
              • /usr/lib/gcc/arm-linux-gnueabihf/6/cc1
                /usr/lib/gcc/arm-linux-gnueabihf/6/cc1 -quiet -imultilib . -imultiarch arm-linux-gnueabihf program.c -quiet -dumpbase program.c "-march=armv7-a" "-mfloat-abi=hard" "-mfpu=vfpv3-d16" -mthumb "-mtls-dialect=gnu" -auxbase program -w -fPIC -o /tmp/ccFUgwTB.s
                3⤵
                • Writes file to tmp directory
                PID:671
              • /usr/local/sbin/as
                as -W "-march=armv7-a" "-mfloat-abi=hard" "-mfpu=vfpv3-d16" "-meabi=5" -o /tmp/ccoJxy7L.o /tmp/ccFUgwTB.s
                3⤵
                  PID:674
                • /usr/local/bin/as
                  as -W "-march=armv7-a" "-mfloat-abi=hard" "-mfpu=vfpv3-d16" "-meabi=5" -o /tmp/ccoJxy7L.o /tmp/ccFUgwTB.s
                  3⤵
                    PID:674
                  • /usr/sbin/as
                    as -W "-march=armv7-a" "-mfloat-abi=hard" "-mfpu=vfpv3-d16" "-meabi=5" -o /tmp/ccoJxy7L.o /tmp/ccFUgwTB.s
                    3⤵
                      PID:674
                    • /usr/bin/as
                      as -W "-march=armv7-a" "-mfloat-abi=hard" "-mfpu=vfpv3-d16" "-meabi=5" -o /tmp/ccoJxy7L.o /tmp/ccFUgwTB.s
                      3⤵
                      • Writes file to tmp directory
                      PID:674
                    • /usr/lib/gcc/arm-linux-gnueabihf/6/collect2
                      /usr/lib/gcc/arm-linux-gnueabihf/6/collect2 -plugin /usr/lib/gcc/arm-linux-gnueabihf/6/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/arm-linux-gnueabihf/6/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccnopmiw.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "--sysroot=/" --build-id --eh-frame-hdr -shared -X "--hash-style=gnu" -m armelf_linux_eabi -o /tmp/exploit /usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf/crti.o /usr/lib/gcc/arm-linux-gnueabihf/6/crtbeginS.o -L/usr/lib/gcc/arm-linux-gnueabihf/6 -L/usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf -L/usr/lib/gcc/arm-linux-gnueabihf/6/../../.. -L/lib/arm-linux-gnueabihf -L/usr/lib/arm-linux-gnueabihf /tmp/ccoJxy7L.o -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s --no-as-needed /usr/lib/gcc/arm-linux-gnueabihf/6/crtendS.o /usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf/crtn.o
                      3⤵
                      • Writes file to tmp directory
                      PID:675
                      • /usr/bin/ld
                        /usr/bin/ld -plugin /usr/lib/gcc/arm-linux-gnueabihf/6/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/arm-linux-gnueabihf/6/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccnopmiw.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "--sysroot=/" --build-id --eh-frame-hdr -shared -X "--hash-style=gnu" -m armelf_linux_eabi -o /tmp/exploit /usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf/crti.o /usr/lib/gcc/arm-linux-gnueabihf/6/crtbeginS.o -L/usr/lib/gcc/arm-linux-gnueabihf/6 -L/usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf -L/usr/lib/gcc/arm-linux-gnueabihf/6/../../.. -L/lib/arm-linux-gnueabihf -L/usr/lib/arm-linux-gnueabihf /tmp/ccoJxy7L.o -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s --no-as-needed /usr/lib/gcc/arm-linux-gnueabihf/6/crtendS.o /usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf/crtn.o
                        4⤵
                        • Writes file to tmp directory
                        PID:678
                • /proc/self/fd/3
                  /proc/self/fd/3
                  1⤵
                    PID:656

                  Network

                  MITRE ATT&CK Matrix


                  Downloads

                  • /tmp/ccFUgwTB.s

                    Filesize

                    863B

                    MD5

                    f5c0aa63abaffec1b80dc89a20bdc480

                    SHA1

                    d155fb2fc8df183feb772bd93700a6364afdc757

                    SHA256

                    aacd7f1f969de5e875f4e6bca3e69879452567d408263712b62ff7b23fb8aeca

                    SHA512

                    da31ce55d683c3753dd18314acabe79f7d855e6d8e3957e4976c3c9516ce7d85160f4d05af977790e32680c7476e29019974d473ca407908609fb0610524ea99

                  • /tmp/ccoJxy7L.o

                    Filesize

                    1KB

                    MD5

                    b54980081b2bd4ddbc64846cada68a5d

                    SHA1

                    77608e3eff7c01f9142a1d314440ffd0cdc57eaa

                    SHA256

                    293bd6ddcd0891b994d85417092a0c4e8132c5dda2db40068bd10d1f87a4e63c

                    SHA512

                    0890121b8da93f7e7a3755d9d51a58de3156e5caaa974df2830aa004c35a807a18890e6af89e9ae2695c8c3f541ea4f1a0d3dd91e75f6e96349c5cc63b0269f1

                  • /tmp/exploit

                    Filesize

                    7KB

                    MD5

                    5fca6723c2d5e7252733961a6af4e06d

                    SHA1

                    83eee1e066a23b43258725916df1a144db4091d7

                    SHA256

                    f7636ee4ef918df82e45448843728720a07f9c10dd6d215c0c7a5e98b6487ce9

                    SHA512

                    8f798f152987444fbee12007a8e7ac478147d3d2c158314346841fd71af0b1e2ce93a35e5f5762ec70adf3198b63f5b428ebd4c159ff63ad8ba84ceec5d5a448