6545e8e023044d43ba0a7763f955acf5618fc05bcc9893480b25b64f665b874f

Analysis

max time kernel
153s
max time network
131s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22/12/2023, 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd4b7ea2befd29781f5a1d0e2dd203fb
Size

2KB
MD5

cd4b7ea2befd29781f5a1d0e2dd203fb
SHA1

9e86227bf456a34312646cf0edb56f9f179c8799
SHA256

6545e8e023044d43ba0a7763f955acf5618fc05bcc9893480b25b64f665b874f
SHA512

dbc9cfad7f232a2822e448cf2bc075d5d6b3fd82754d8c162bca2f0d9efa65801a38163359d9956733cc3f50b8c3510a8ba7b75324840326ce4a47c7f0a837d8

Score

3^/10

Malware Config

Signatures

Reads runtime system information 1 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	mkdir

Writes file to tmp directory 17 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/cccpqgmw.s	cc
File opened for modification	/tmp/foo/capdrop.so	ld
File opened for modification	/tmp/cckGIO4G.s	cc
File opened for modification	/tmp/ccrhiucY.o	as
File opened for modification	/tmp/cc5uPvu1.o	collect2
File opened for modification	/tmp/foo/sush.c	cd4b7ea2befd29781f5a1d0e2dd203fb
File opened for modification	/tmp/cc5Cb9gK.c	collect2
File opened for modification	/tmp/ccw5YDVz.le	collect2
File opened for modification	/tmp/foo/capdrop.c	cd4b7ea2befd29781f5a1d0e2dd203fb
File opened for modification	/tmp/cckGIO4G.s	cc1
File opened for modification	/tmp/ccR5hqof.res	cc
File opened for modification	/tmp/foo/script	cd4b7ea2befd29781f5a1d0e2dd203fb
File opened for modification	/tmp/cccpqgmw.s	cc1
File opened for modification	/tmp/ccrhiucY.o	cc
File opened for modification	/tmp/ccLZO0Hi.ld	collect2
File opened for modification	/tmp/foo/sush	ld
File opened for modification	/tmp/foo/sm.cf	cd4b7ea2befd29781f5a1d0e2dd203fb

/tmp/cd4b7ea2befd29781f5a1d0e2dd203fb
/tmp/cd4b7ea2befd29781f5a1d0e2dd203fb
1⤵
- Writes file to tmp directory
PID:1530
- /bin/mkdir
  mkdir -p /tmp/foo
  2⤵
  - Reads runtime system information
  PID:1531
- /bin/cat
  cat
  2⤵
  PID:1532
- /usr/bin/cc
  cc capdrop.c -c -o capdrop.o
  2⤵
  - Writes file to tmp directory
  PID:1533
- - /usr/lib/gcc/x86_64-linux-gnu/7/cc1
    /usr/lib/gcc/x86_64-linux-gnu/7/cc1 -quiet -imultiarch x86_64-linux-gnu capdrop.c -quiet -dumpbase capdrop.c "-mtune=generic" "-march=x86-64" -auxbase-strip capdrop.o -fstack-protector-strong -Wformat -Wformat-security -o /tmp/cccpqgmw.s
    3⤵
    - Writes file to tmp directory
    PID:1534
- /usr/bin/ld
  ld -shared capdrop.o -o capdrop.so
  2⤵
  - Writes file to tmp directory
  PID:1538
- /bin/cat
  cat
  2⤵
  PID:1539
- /usr/bin/cc
  cc sush.c -o /tmp/foo/sush
  2⤵
  - Writes file to tmp directory
  PID:1540
- - /usr/lib/gcc/x86_64-linux-gnu/7/cc1
    /usr/lib/gcc/x86_64-linux-gnu/7/cc1 -quiet -imultiarch x86_64-linux-gnu sush.c -quiet -dumpbase sush.c "-mtune=generic" "-march=x86-64" -auxbase sush -fstack-protector-strong -Wformat -Wformat-security -o /tmp/cckGIO4G.s
    3⤵
    - Writes file to tmp directory
    PID:1541
- - /usr/local/sbin/as
    as --64 -o /tmp/ccrhiucY.o /tmp/cckGIO4G.s
    3⤵
    PID:1542
- - /usr/local/bin/as
    as --64 -o /tmp/ccrhiucY.o /tmp/cckGIO4G.s
    3⤵
    PID:1542
- - /usr/sbin/as
    as --64 -o /tmp/ccrhiucY.o /tmp/cckGIO4G.s
    3⤵
    PID:1542
- - /usr/bin/as
    as --64 -o /tmp/ccrhiucY.o /tmp/cckGIO4G.s
    3⤵
    - Writes file to tmp directory
    PID:1542
- - /usr/lib/gcc/x86_64-linux-gnu/7/collect2
    /usr/lib/gcc/x86_64-linux-gnu/7/collect2 -plugin /usr/lib/gcc/x86_64-linux-gnu/7/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccR5hqof.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" --build-id --eh-frame-hdr -m elf_x86_64 "--hash-style=gnu" --as-needed -dynamic-linker /lib64/ld-linux-x86-64.so.2 -pie -z now -z relro -o /tmp/foo/sush /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/Scrt1.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/7 -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/7/../../.. /tmp/ccrhiucY.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o
    3⤵
    - Writes file to tmp directory
    PID:1543
  - - /usr/bin/ld
      /usr/bin/ld -plugin /usr/lib/gcc/x86_64-linux-gnu/7/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccR5hqof.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" --build-id --eh-frame-hdr -m elf_x86_64 "--hash-style=gnu" --as-needed -dynamic-linker /lib64/ld-linux-x86-64.so.2 -pie -z now -z relro -o /tmp/foo/sush /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/Scrt1.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/7 -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/7/../../.. /tmp/ccrhiucY.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o
      4⤵
      Writes file to tmp directory
      PID:1544
- /bin/cat
  cat
  2⤵
  PID:1545
- /bin/cat
  cat
  2⤵
  PID:1546
- /bin/true
  /bin/true
  2⤵
  PID:1547
- /bin/sleep
  sleep 1
  2⤵
  PID:1548
- /bin/sleep
  sleep 1
  2⤵
  PID:1549
- /bin/sleep
  sleep 1
  2⤵
  PID:1550
- /bin/sleep
  sleep 1
  2⤵
  PID:1551
- /bin/sleep
  sleep 1
  2⤵
  PID:1552
- /bin/sleep
  sleep 1
  2⤵
  PID:1553
- /bin/sleep
  sleep 1
  2⤵
  PID:1554
- /bin/sleep
  sleep 1
  2⤵
  PID:1555
- /bin/sleep
  sleep 1
  2⤵
  PID:1556
- /bin/sleep
  sleep 1
  2⤵
  PID:1557
- /bin/sleep
  sleep 1
  2⤵
  PID:1558
- /bin/sleep
  sleep 1
  2⤵
  PID:1559
- /bin/sleep
  sleep 1
  2⤵
  PID:1560
- /bin/sleep
  sleep 1
  2⤵
  PID:1561
- /bin/sleep
  sleep 1
  2⤵
  PID:1562
- /bin/sleep
  sleep 1
  2⤵
  PID:1563
- /bin/sleep
  sleep 1
  2⤵
  PID:1564
- /bin/sleep
  sleep 1
  2⤵
  PID:1565
- /bin/sleep
  sleep 1
  2⤵
  PID:1566
- /bin/sleep
  sleep 1
  2⤵
  PID:1567
- /bin/sleep
  sleep 1
  2⤵
  PID:1568
- /bin/sleep
  sleep 1
  2⤵
  PID:1569
- /bin/sleep
  sleep 1
  2⤵
  PID:1570
- /bin/sleep
  sleep 1
  2⤵
  PID:1571
- /bin/sleep
  sleep 1
  2⤵
  PID:1572
- /bin/sleep
  sleep 1
  2⤵
  PID:1573
- /bin/sleep
  sleep 1
  2⤵
  PID:1576
- /bin/sleep
  sleep 1
  2⤵
  PID:1577
- /bin/sleep
  sleep 1
  2⤵
  PID:1578
- /bin/sleep
  sleep 1
  2⤵
  PID:1579
- /bin/sleep
  sleep 1
  2⤵
  PID:1580
- /bin/sleep
  sleep 1
  2⤵
  PID:1581
- /bin/sleep
  sleep 1
  2⤵
  PID:1582
- /bin/sleep
  sleep 1
  2⤵
  PID:1583
- /bin/sleep
  sleep 1
  2⤵
  PID:1584
- /bin/sleep
  sleep 1
  2⤵
  PID:1585
- /bin/sleep
  sleep 1
  2⤵
  PID:1586
- /bin/sleep
  sleep 1
  2⤵
  PID:1587
- /bin/sleep
  sleep 1
  2⤵
  PID:1588
- /bin/sleep
  sleep 1
  2⤵
  PID:1589
- /bin/sleep
  sleep 1
  2⤵
  PID:1590
- /bin/sleep
  sleep 1
  2⤵
  PID:1591
- /bin/sleep
  sleep 1
  2⤵
  PID:1592
- /bin/sleep
  sleep 1
  2⤵
  PID:1593
- /bin/sleep
  sleep 1
  2⤵
  PID:1594
- /bin/sleep
  sleep 1
  2⤵
  PID:1595
- /bin/sleep
  sleep 1
  2⤵
  PID:1596
- /bin/sleep
  sleep 1
  2⤵
  PID:1597
- /bin/sleep
  sleep 1
  2⤵
  PID:1598
- /bin/sleep
  sleep 1
  2⤵
  PID:1599
- /bin/sleep
  sleep 1
  2⤵
  PID:1600
- /bin/sleep
  sleep 1
  2⤵
  PID:1601
- /bin/sleep
  sleep 1
  2⤵
  PID:1602
- /bin/sleep
  sleep 1
  2⤵
  PID:1603
- /bin/sleep
  sleep 1
  2⤵
  PID:1604
- /bin/sleep
  sleep 1
  2⤵
  PID:1605
- /bin/sleep
  sleep 1
  2⤵
  PID:1606
- /bin/sleep
  sleep 1
  2⤵
  PID:1607
- /bin/sleep
  sleep 1
  2⤵
  PID:1608
- /bin/sleep
  sleep 1
  2⤵
  PID:1609
- /bin/sleep
  sleep 1
  2⤵
  PID:1610
- /bin/sleep
  sleep 1
  2⤵
  PID:1611
- /bin/sleep
  sleep 1
  2⤵
  PID:1612
- /bin/sleep
  sleep 1
  2⤵
  PID:1613
- /bin/sleep
  sleep 1
  2⤵
  PID:1614
- /bin/sleep
  sleep 1
  2⤵
  PID:1615
- /bin/sleep
  sleep 1
  2⤵
  PID:1616
- /bin/sleep
  sleep 1
  2⤵
  PID:1617
- /bin/sleep
  sleep 1
  2⤵
  PID:1618
- /bin/sleep
  sleep 1
  2⤵
  PID:1619
- /bin/sleep
  sleep 1
  2⤵
  PID:1620
- /bin/sleep
  sleep 1
  2⤵
  PID:1621
- /bin/sleep
  sleep 1
  2⤵
  PID:1622
- /bin/sleep
  sleep 1
  2⤵
  PID:1623
- /bin/sleep
  sleep 1
  2⤵
  PID:1624
- /bin/sleep
  sleep 1
  2⤵
  PID:1625
- /bin/sleep
  sleep 1
  2⤵
  PID:1626
- /bin/sleep
  sleep 1
  2⤵
  PID:1627
- /bin/sleep
  sleep 1
  2⤵
  PID:1628
- /bin/sleep
  sleep 1
  2⤵
  PID:1629
- /bin/sleep
  sleep 1
  2⤵
  PID:1630
- /bin/sleep
  sleep 1
  2⤵
  PID:1631
- /bin/sleep
  sleep 1
  2⤵
  PID:1632
- /bin/sleep
  sleep 1
  2⤵
  PID:1633
- /bin/sleep
  sleep 1
  2⤵
  PID:1634
- /bin/sleep
  sleep 1
  2⤵
  PID:1635
- /bin/sleep
  sleep 1
  2⤵
  PID:1636
- /bin/sleep
  sleep 1
  2⤵
  PID:1637
- /bin/sleep
  sleep 1
  2⤵
  PID:1638
- /bin/sleep
  sleep 1
  2⤵
  PID:1639
- /bin/sleep
  sleep 1
  2⤵
  PID:1640
- /bin/sleep
  sleep 1
  2⤵
  PID:1641
- /bin/sleep
  sleep 1
  2⤵
  PID:1642
- /bin/sleep
  sleep 1
  2⤵
  PID:1643
- /bin/sleep
  sleep 1
  2⤵
  PID:1644
- /bin/sleep
  sleep 1
  2⤵
  PID:1645
- /bin/sleep
  sleep 1
  2⤵
  PID:1646
- /bin/sleep
  sleep 1
  2⤵
  PID:1647
- /bin/sleep
  sleep 1
  2⤵
  PID:1648
- /bin/sleep
  sleep 1
  2⤵
  PID:1649
- /bin/sleep
  sleep 1
  2⤵
  PID:1650
- /bin/sleep
  sleep 1
  2⤵
  PID:1651
- /bin/sleep
  sleep 1
  2⤵
  PID:1652
- /bin/sleep
  sleep 1
  2⤵
  PID:1653
- /bin/sleep
  sleep 1
  2⤵
  PID:1654
- /bin/sleep
  sleep 1
  2⤵
  PID:1655
- /bin/sleep
  sleep 1
  2⤵
  PID:1656
- /bin/sleep
  sleep 1
  2⤵
  PID:1657
- /bin/sleep
  sleep 1
  2⤵
  PID:1658
- /bin/sleep
  sleep 1
  2⤵
  PID:1659
- /bin/sleep
  sleep 1
  2⤵
  PID:1660
- /bin/sleep
  sleep 1
  2⤵
  PID:1661
- /bin/sleep
  sleep 1
  2⤵
  PID:1662
- /bin/sleep
  sleep 1
  2⤵
  PID:1663
- /bin/sleep
  sleep 1
  2⤵
  PID:1664
- /bin/sleep
  sleep 1
  2⤵
  PID:1665
- /bin/sleep
  sleep 1
  2⤵
  PID:1666
- /bin/sleep
  sleep 1
  2⤵
  PID:1667
- /bin/sleep
  sleep 1
  2⤵
  PID:1668
- /bin/sleep
  sleep 1
  2⤵
  PID:1669
- /bin/sleep
  sleep 1
  2⤵
  PID:1670
- /bin/sleep
  sleep 1
  2⤵
  PID:1671
- /bin/sleep
  sleep 1
  2⤵
  PID:1672
- /bin/sleep
  sleep 1
  2⤵
  PID:1673
- /bin/sleep
  sleep 1
  2⤵
  PID:1674
- /bin/sleep
  sleep 1
  2⤵
  PID:1675
- /bin/sleep
  sleep 1
  2⤵
  PID:1676
- /bin/sleep
  sleep 1
  2⤵
  PID:1677
- /bin/sleep
  sleep 1
  2⤵
  PID:1678
- /bin/sleep
  sleep 1
  2⤵
  PID:1679
- /bin/sleep
  sleep 1
  2⤵
  PID:1680
- /bin/sleep
  sleep 1
  2⤵
  PID:1681
- /bin/sleep
  sleep 1
  2⤵
  PID:1682
- /bin/sleep
  sleep 1
  2⤵
  PID:1683
- /bin/sleep
  sleep 1
  2⤵
  PID:1684
- /bin/sleep
  sleep 1
  2⤵
  PID:1685
- /bin/sleep
  sleep 1
  2⤵
  PID:1686
- /bin/sleep
  sleep 1
  2⤵
  PID:1687
- /bin/sleep
  sleep 1
  2⤵
  PID:1688
- /bin/sleep
  sleep 1
  2⤵
  PID:1689
- /bin/sleep
  sleep 1
  2⤵
  PID:1690
- /bin/sleep
  sleep 1
  2⤵
  PID:1691
- /bin/sleep
  sleep 1
  2⤵
  PID:1692
- /bin/sleep
  sleep 1
  2⤵
  PID:1693
- /bin/sleep
  sleep 1
  2⤵
  PID:1694
- /bin/sleep
  sleep 1
  2⤵
  PID:1695
- /bin/sleep
  sleep 1
  2⤵
  PID:1696
- /bin/sleep
  sleep 1
  2⤵
  PID:1697

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/cccpqgmw.s

Filesize
19B

MD5
76351e1ee9582b4e9498936394df11f8

SHA1
ba2c7f742e9e1453f32f1e8b2ede2ba8804d934b

SHA256
c61bcc43ed426f31cfe251b0578541aeb9c6867f8f0e29614f7368184e5a620f

SHA512
f8f95a79efbe1e76b8ff2be44a289094c04b60721be3c591995eee06377ba192f72d04a5d710e2c6eb64672a3e3426c49e55457ae8bc85547e0c8f924333614d

Download Submit
/tmp/cckGIO4G.s

Filesize
593B

MD5
10f2df0e02604789dbd190d56534c1b9

SHA1
78a70a6e092e11d6bc82425bd05daf6b5626eaa8

SHA256
e933d290c909a20368ecb0ccf28db466212e87aefe8e4e03f5414c03acfd6692

SHA512
2eacfb6395ef97cab7e82901ef9cdeff7277707f15d2453200357e251cd6688f6c6781d30cc55be7dfccd7e89ab6bd598bf33aa54fe22ec87e97772693619789

Download Submit
/tmp/ccrhiucY.o

Filesize
1KB

MD5
4465d45126f3e03d711ebbc7b2653894

SHA1
d39ac56f566f8b521e63a49dc749c978f3712f7e

SHA256
8f7b7babf3e0e500f4f09795fd35be2db9189f49f4c851634c7daa556c7a4ea9

SHA512
c3a96cd876c958a8840a7fecb2f1edd98009fdd4762a78df340fde77a4192c96139034f655428b705c26f7dcdfbf9792df9390e4d89cdb087aaa1535003880a6

Download Submit
/tmp/foo/capdrop.c

Filesize
517B

MD5
2c075ee35675e81f440e30a3392c4c3c

SHA1
2108017266ef36c1cf8ec699c76e5393514a9069

SHA256
f88eedff81acd5d90169f8fdd89de021e54f8ca224c3a9786bddc5a1bb1a2a7d

SHA512
69bcdb6370be4ec76cc91de2f702ef14f40003d2c1952dd12e679bf06abdef3339b99fcd61aa27fb10693ab41d50db507eb9e9c527ca9be3ddc95ce8a0e9d111

Download Submit
/tmp/foo/script

Filesize
81B

MD5
c107f1b458aa71247230253dd83d2de0

SHA1
cd6b6c83e279bb0fe9d49c54dbd393b7ef0e66c8

SHA256
6b18702b489c61c4baae1d03fb9072ac6522cdc256529ea8de6403c2ebc2e7c3

SHA512
8b709f8c4fb1151c79e3acac22f37b4be48953d93799dc69778cbe73433c9608d74b1715771a22188af2375cb31e9509413f02b9171d20e93769f2007a301cb0

Download Submit
/tmp/foo/sm.cf

Filesize
210B

MD5
cf174b44cdff414654f55cc443b9a74c

SHA1
f1c2d099d72326d7c1402e9a693ac833b87da3b9

SHA256
12d387e9de678b5ca7f011738d6eecc7b0979ec0860573f02c460c3ef785afa5

SHA512
80a1c62422fe1708fc700d3516f23a771ccf69601b9d86ab0618ae908fd1656944775b3affcc2f9f38d1c93be5c28b340f6c4f3f92257a9a75e9cd768a1d7645

Download Submit
/tmp/foo/sush

Filesize
8KB

MD5
5c083f66185f33bf9d40e1d66c3f1d0c

SHA1
1aea232c2fa8914f176650bb57c721c9a46f3b03

SHA256
a15df927407818eb2450fee5325d2f9f60707ecad45bcaa08bb9b08b13d52855

SHA512
7e114659d3578bfc66586b245ef61f951cd0c6f8a5bf854d7eb10da4d7476616b6d45ed8eea18580492fdf131697d254d6510725796be4fa8235d7c7045cc074

Download Submit
/tmp/foo/sush.c

Filesize
87B

MD5
b5d3f05969df6ed90056c6afecda51e3

SHA1
56a75abe7f7f717aff43fc99413f6c78c8ea2c1c

SHA256
05158bb2d287705bbf335b5b80482d053dae8804a7a920ce8ef128562471834a

SHA512
b988dd13b5499cccdfd82fbf7548c4bcc9996fe640c2fa075e8cfcf3054863b8217cad5a137cbb9fa8db14e48dbd3fc84cdb4f486ca6e8db9389ea7a6d6fa1ea

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads