d4baf12e31a5a697b83bdd052d0dc86d2acc3fc3f8ed356234ee1c3d6d068b21

Analysis

max time kernel
6s
max time network
132s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22-12-2023 03:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

run.sh
Size

69B
MD5

679dda55ba172ca10fb02353776552f1
SHA1

a49999b708d209040562070cc131b9a17a392d3d
SHA256

328e7447b1e592312e022b97484e4f540c99ac57684a05dd17e81a2930618ee2
SHA512

b24a15922d1c8c71bb6335cb9464a73c0ffda8c8fef70b0cbeadc743f87960d8a4a536c6af41c3773750541bd5eced616a099966326c68cd14eb9523ca77fe9b

Score

3^/10

Malware Config

Signatures

Writes file to tmp directory 14 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/cctSy35U.s	cc1
File opened for modification	/tmp/ccvH47oz.ld	collect2
File opened for modification	/tmp/ccvWGIPZ.le	collect2
File opened for modification	/tmp/run	ld
File opened for modification	/tmp/ccsHqdaN.o	as
File opened for modification	/tmp/ccLPM1gm.o	gcc
File opened for modification	/tmp/ccLPM1gm.o	as
File opened for modification	/tmp/ccgV9cxd.res	gcc
File opened for modification	/tmp/ccFnILzI.c	collect2
File opened for modification	/tmp/cctSy35U.s	gcc
File opened for modification	/tmp/ccXflmZ8.o	collect2
File opened for modification	/tmp/ccsT8c0m.s	gcc
File opened for modification	/tmp/ccsT8c0m.s	cc1
File opened for modification	/tmp/ccsHqdaN.o	gcc

/tmp/run.sh
/tmp/run.sh
1⤵
PID:1539
- /usr/bin/gcc
  gcc -o run run.c
  2⤵
  - Writes file to tmp directory
  PID:1540
- - /usr/lib/gcc/x86_64-linux-gnu/7/cc1
    /usr/lib/gcc/x86_64-linux-gnu/7/cc1 -quiet -imultiarch x86_64-linux-gnu run.c -quiet -dumpbase run.c "-mtune=generic" "-march=x86-64" -auxbase run -fstack-protector-strong -Wformat -Wformat-security -o /tmp/ccsT8c0m.s
    3⤵
    - Writes file to tmp directory
    PID:1541
- - /usr/local/sbin/as
    as --64 -o /tmp/ccsHqdaN.o /tmp/ccsT8c0m.s
    3⤵
    PID:1542
- - /usr/local/bin/as
    as --64 -o /tmp/ccsHqdaN.o /tmp/ccsT8c0m.s
    3⤵
    PID:1542
- - /usr/sbin/as
    as --64 -o /tmp/ccsHqdaN.o /tmp/ccsT8c0m.s
    3⤵
    PID:1542
- - /usr/bin/as
    as --64 -o /tmp/ccsHqdaN.o /tmp/ccsT8c0m.s
    3⤵
    - Writes file to tmp directory
    PID:1542
- - /usr/lib/gcc/x86_64-linux-gnu/7/collect2
    /usr/lib/gcc/x86_64-linux-gnu/7/collect2 -plugin /usr/lib/gcc/x86_64-linux-gnu/7/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccgV9cxd.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" --build-id --eh-frame-hdr -m elf_x86_64 "--hash-style=gnu" --as-needed -dynamic-linker /lib64/ld-linux-x86-64.so.2 -pie -z now -z relro -o run /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/Scrt1.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/7 -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/7/../../.. /tmp/ccsHqdaN.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o
    3⤵
    - Writes file to tmp directory
    PID:1546
  - - /usr/bin/ld
      /usr/bin/ld -plugin /usr/lib/gcc/x86_64-linux-gnu/7/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccgV9cxd.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" --build-id --eh-frame-hdr -m elf_x86_64 "--hash-style=gnu" --as-needed -dynamic-linker /lib64/ld-linux-x86-64.so.2 -pie -z now -z relro -o run /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/Scrt1.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/7 -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/7/../../.. /tmp/ccsHqdaN.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o
      4⤵
      Writes file to tmp directory
      PID:1547
- /usr/bin/gcc
  gcc -o exploit exploit.c
  2⤵
  - Writes file to tmp directory
  PID:1548
- - /usr/lib/gcc/x86_64-linux-gnu/7/cc1
    /usr/lib/gcc/x86_64-linux-gnu/7/cc1 -quiet -imultiarch x86_64-linux-gnu exploit.c -quiet -dumpbase exploit.c "-mtune=generic" "-march=x86-64" -auxbase exploit -fstack-protector-strong -Wformat -Wformat-security -o /tmp/cctSy35U.s
    3⤵
    - Writes file to tmp directory
    PID:1549
- - /usr/local/sbin/as
    as --64 -o /tmp/ccLPM1gm.o /tmp/cctSy35U.s
    3⤵
    PID:1550
- - /usr/local/bin/as
    as --64 -o /tmp/ccLPM1gm.o /tmp/cctSy35U.s
    3⤵
    PID:1550
- - /usr/sbin/as
    as --64 -o /tmp/ccLPM1gm.o /tmp/cctSy35U.s
    3⤵
    PID:1550
- - /usr/bin/as
    as --64 -o /tmp/ccLPM1gm.o /tmp/cctSy35U.s
    3⤵
    - Writes file to tmp directory
    PID:1550

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/ccsHqdaN.o

Filesize
1KB

MD5
9823661785cdebafeed1b82c200fece7

SHA1
11de3644839d6ab731f248aaa7ed77890b3d359e

SHA256
6d296c65cc44f0439e160a96f353206aa066856d943189e4e8324b571f1413b2

SHA512
483e4a2cba9e090d7ffde5e18bb3fa58421b10df48c669d759ad742ae648ea154d8e68ea709d281d1a7603a28a09c792ca9f9dd93bff799d1640a06e696533fe

Download Submit
/tmp/ccsT8c0m.s

Filesize
861B

MD5
40eaf2a556f7c19b0f5d9509a0d1050a

SHA1
e9de1124e57a9e36c8cbe6aa610ac4daa9c083f0

SHA256
407a77fe447b11d47a92cca04f695d22132844fbdb816ac1e4fd754d709cac2a

SHA512
0143bbec5624d3f47b01361182c211e29c193c41b62fe7e112a03e0d09ef131c036cc7ac14ab0f631c65b3b329ee3967e50b33950ad7426a6485ce6b33162b54

Download Submit
/tmp/cctSy35U.s

Filesize
5KB

MD5
f9b4c50d3ca80419b287fa733826f8ac

SHA1
398f44edbc0693ab5455c26c5c2267d4548d2de5

SHA256
e9ef1b9c693daa066f147c19afa306e78a73bbabeb5dd789756ff36b85ea9143

SHA512
427a6842783a40a8ae35ecc2ef67c3548ac719a294979ac9e431b06e5575bce895744ab8d1a3036ecc7dcde045f496e51fce9ec02b3e5c41f70ba9ae74726aa7

Download Submit
/tmp/run

Filesize
8KB

MD5
81eaf1c238e9154d91ded5890e7562bc

SHA1
c94ed6170f320c95fd472b71d158862d6ab4d434

SHA256
5de6eaf6f1b622d49c680479ebfeaf0997d1a91158835121f7f4e7c7525084b7

SHA512
de06189e11055f454886c583f4f04c22856e98a74b7ce24a3262caad84670a0ab5ada4c4ea4662faf181228ff668a5e24f94af705d496c1656ad8d6a47f6e2f1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads