6545e8e023044d43ba0a7763f955acf5618fc05bcc9893480b25b64f665b874f

Analysis

max time kernel
150s
platform
debian-9_armhf
resource
debian9-armhf-20231222-en
resource tags

arch:armhfimage:debian9-armhf-20231222-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
22/12/2023, 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd4b7ea2befd29781f5a1d0e2dd203fb
Size

2KB
MD5

cd4b7ea2befd29781f5a1d0e2dd203fb
SHA1

9e86227bf456a34312646cf0edb56f9f179c8799
SHA256

6545e8e023044d43ba0a7763f955acf5618fc05bcc9893480b25b64f665b874f
SHA512

dbc9cfad7f232a2822e448cf2bc075d5d6b3fd82754d8c162bca2f0d9efa65801a38163359d9956733cc3f50b8c3510a8ba7b75324840326ce4a47c7f0a837d8

Score

3^/10

Malware Config

Signatures

Reads runtime system information 1 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	mkdir

Writes file to tmp directory 17 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/ccYjsisf.o	collect2
File opened for modification	/tmp/ccIv9Kfi.ld	collect2
File opened for modification	/tmp/ccGXqPxi.s	cc
File opened for modification	/tmp/foo/capdrop.so	ld
File opened for modification	/tmp/cc6ZQW3e.o	cc
File opened for modification	/tmp/foo/script	cd4b7ea2befd29781f5a1d0e2dd203fb
File opened for modification	/tmp/foo/sm.cf	cd4b7ea2befd29781f5a1d0e2dd203fb
File opened for modification	/tmp/ccIOncol.s	cc
File opened for modification	/tmp/ccIFTp7o.le	collect2
File opened for modification	/tmp/foo/sush	ld
File opened for modification	/tmp/ccOc0yGc.c	collect2
File opened for modification	/tmp/foo/capdrop.c	cd4b7ea2befd29781f5a1d0e2dd203fb
File opened for modification	/tmp/ccGXqPxi.s	cc1
File opened for modification	/tmp/foo/sush.c	cd4b7ea2befd29781f5a1d0e2dd203fb
File opened for modification	/tmp/ccIOncol.s	cc1
File opened for modification	/tmp/cc6ZQW3e.o	as
File opened for modification	/tmp/ccUCzXln.res	cc

/tmp/cd4b7ea2befd29781f5a1d0e2dd203fb
/tmp/cd4b7ea2befd29781f5a1d0e2dd203fb
1⤵
- Writes file to tmp directory
PID:682
- /bin/mkdir
  mkdir -p /tmp/foo
  2⤵
  - Reads runtime system information
  PID:684
- /bin/cat
  cat
  2⤵
  PID:685
- /usr/bin/cc
  cc capdrop.c -c -o capdrop.o
  2⤵
  - Writes file to tmp directory
  PID:687
- - /usr/lib/gcc/arm-linux-gnueabihf/6/cc1
    /usr/lib/gcc/arm-linux-gnueabihf/6/cc1 -quiet -imultilib . -imultiarch arm-linux-gnueabihf capdrop.c -quiet -dumpbase capdrop.c "-march=armv7-a" "-mfloat-abi=hard" "-mfpu=vfpv3-d16" -mthumb "-mtls-dialect=gnu" -auxbase-strip capdrop.o -o /tmp/ccGXqPxi.s
    3⤵
    - Writes file to tmp directory
    PID:693
- /usr/bin/ld
  ld -shared capdrop.o -o capdrop.so
  2⤵
  - Writes file to tmp directory
  PID:698
- /bin/cat
  cat
  2⤵
  PID:699
- /usr/bin/cc
  cc sush.c -o /tmp/foo/sush
  2⤵
  - Writes file to tmp directory
  PID:700
- - /usr/lib/gcc/arm-linux-gnueabihf/6/cc1
    /usr/lib/gcc/arm-linux-gnueabihf/6/cc1 -quiet -imultilib . -imultiarch arm-linux-gnueabihf sush.c -quiet -dumpbase sush.c "-march=armv7-a" "-mfloat-abi=hard" "-mfpu=vfpv3-d16" -mthumb "-mtls-dialect=gnu" -auxbase sush -o /tmp/ccIOncol.s
    3⤵
    - Writes file to tmp directory
    PID:701
- - /usr/local/sbin/as
    as "-march=armv7-a" "-mfloat-abi=hard" "-mfpu=vfpv3-d16" "-meabi=5" -o /tmp/cc6ZQW3e.o /tmp/ccIOncol.s
    3⤵
    PID:702
- - /usr/local/bin/as
    as "-march=armv7-a" "-mfloat-abi=hard" "-mfpu=vfpv3-d16" "-meabi=5" -o /tmp/cc6ZQW3e.o /tmp/ccIOncol.s
    3⤵
    PID:702
- - /usr/sbin/as
    as "-march=armv7-a" "-mfloat-abi=hard" "-mfpu=vfpv3-d16" "-meabi=5" -o /tmp/cc6ZQW3e.o /tmp/ccIOncol.s
    3⤵
    PID:702
- - /usr/bin/as
    as "-march=armv7-a" "-mfloat-abi=hard" "-mfpu=vfpv3-d16" "-meabi=5" -o /tmp/cc6ZQW3e.o /tmp/ccIOncol.s
    3⤵
    - Writes file to tmp directory
    PID:702
- - /usr/lib/gcc/arm-linux-gnueabihf/6/collect2
    /usr/lib/gcc/arm-linux-gnueabihf/6/collect2 -plugin /usr/lib/gcc/arm-linux-gnueabihf/6/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/arm-linux-gnueabihf/6/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccUCzXln.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "--sysroot=/" --build-id --eh-frame-hdr -dynamic-linker /lib/ld-linux-armhf.so.3 -X "--hash-style=gnu" -m armelf_linux_eabi -pie -o /tmp/foo/sush /usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf/Scrt1.o /usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf/crti.o /usr/lib/gcc/arm-linux-gnueabihf/6/crtbeginS.o -L/usr/lib/gcc/arm-linux-gnueabihf/6 -L/usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf -L/usr/lib/gcc/arm-linux-gnueabihf/6/../../.. -L/lib/arm-linux-gnueabihf -L/usr/lib/arm-linux-gnueabihf /tmp/cc6ZQW3e.o -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s --no-as-needed /usr/lib/gcc/arm-linux-gnueabihf/6/crtendS.o /usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf/crtn.o
    3⤵
    - Writes file to tmp directory
    PID:703
  - - /usr/bin/ld
      /usr/bin/ld -plugin /usr/lib/gcc/arm-linux-gnueabihf/6/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/arm-linux-gnueabihf/6/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccUCzXln.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "--sysroot=/" --build-id --eh-frame-hdr -dynamic-linker /lib/ld-linux-armhf.so.3 -X "--hash-style=gnu" -m armelf_linux_eabi -pie -o /tmp/foo/sush /usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf/Scrt1.o /usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf/crti.o /usr/lib/gcc/arm-linux-gnueabihf/6/crtbeginS.o -L/usr/lib/gcc/arm-linux-gnueabihf/6 -L/usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf -L/usr/lib/gcc/arm-linux-gnueabihf/6/../../.. -L/lib/arm-linux-gnueabihf -L/usr/lib/arm-linux-gnueabihf /tmp/cc6ZQW3e.o -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s --no-as-needed /usr/lib/gcc/arm-linux-gnueabihf/6/crtendS.o /usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf/crtn.o
      4⤵
      Writes file to tmp directory
      PID:704
- /bin/cat
  cat
  2⤵
  PID:707
- /bin/cat
  cat
  2⤵
  PID:708
- /bin/true
  /bin/true
  2⤵
  PID:710
- /bin/sleep
  sleep 1
  2⤵
  PID:712
- /bin/sleep
  sleep 1
  2⤵
  PID:731
- /bin/sleep
  sleep 1
  2⤵
  PID:754
- /bin/sleep
  sleep 1
  2⤵
  PID:758
- /bin/sleep
  sleep 1
  2⤵
  PID:779
- /bin/sleep
  sleep 1
  2⤵
  PID:788
- /bin/sleep
  sleep 1
  2⤵
  PID:789
- /bin/sleep
  sleep 1
  2⤵
  PID:790
- /bin/sleep
  sleep 1
  2⤵
  PID:791
- /bin/sleep
  sleep 1
  2⤵
  PID:792
- /bin/sleep
  sleep 1
  2⤵
  PID:793
- /bin/sleep
  sleep 1
  2⤵
  PID:794
- /bin/sleep
  sleep 1
  2⤵
  PID:795
- /bin/sleep
  sleep 1
  2⤵
  PID:798
- /bin/sleep
  sleep 1
  2⤵
  PID:799
- /bin/sleep
  sleep 1
  2⤵
  PID:800
- /bin/sleep
  sleep 1
  2⤵
  PID:801
- /bin/sleep
  sleep 1
  2⤵
  PID:802
- /bin/sleep
  sleep 1
  2⤵
  PID:803
- /bin/sleep
  sleep 1
  2⤵
  PID:804
- /bin/sleep
  sleep 1
  2⤵
  PID:805
- /bin/sleep
  sleep 1
  2⤵
  PID:806
- /bin/sleep
  sleep 1
  2⤵
  PID:807
- /bin/sleep
  sleep 1
  2⤵
  PID:810
- /bin/sleep
  sleep 1
  2⤵
  PID:811
- /bin/sleep
  sleep 1
  2⤵
  PID:815
- /bin/sleep
  sleep 1
  2⤵
  PID:816
- /bin/sleep
  sleep 1
  2⤵
  PID:817
- /bin/sleep
  sleep 1
  2⤵
  PID:818
- /bin/sleep
  sleep 1
  2⤵
  PID:819
- /bin/sleep
  sleep 1
  2⤵
  PID:820
- /bin/sleep
  sleep 1
  2⤵
  PID:821
- /bin/sleep
  sleep 1
  2⤵
  PID:822
- /bin/sleep
  sleep 1
  2⤵
  PID:825
- /bin/sleep
  sleep 1
  2⤵
  PID:826
- /bin/sleep
  sleep 1
  2⤵
  PID:827
- /bin/sleep
  sleep 1
  2⤵
  PID:828
- /bin/sleep
  sleep 1
  2⤵
  PID:829
- /bin/sleep
  sleep 1
  2⤵
  PID:830
- /bin/sleep
  sleep 1
  2⤵
  PID:831
- /bin/sleep
  sleep 1
  2⤵
  PID:832
- /bin/sleep
  sleep 1
  2⤵
  PID:833
- /bin/sleep
  sleep 1
  2⤵
  PID:834
- /bin/sleep
  sleep 1
  2⤵
  PID:837
- /bin/sleep
  sleep 1
  2⤵
  PID:838
- /bin/sleep
  sleep 1
  2⤵
  PID:839
- /bin/sleep
  sleep 1
  2⤵
  PID:840
- /bin/sleep
  sleep 1
  2⤵
  PID:841
- /bin/sleep
  sleep 1
  2⤵
  PID:842
- /bin/sleep
  sleep 1
  2⤵
  PID:843
- /bin/sleep
  sleep 1
  2⤵
  PID:844
- /bin/sleep
  sleep 1
  2⤵
  PID:845
- /bin/sleep
  sleep 1
  2⤵
  PID:846
- /bin/sleep
  sleep 1
  2⤵
  PID:849
- /bin/sleep
  sleep 1
  2⤵
  PID:850
- /bin/sleep
  sleep 1
  2⤵
  PID:851
- /bin/sleep
  sleep 1
  2⤵
  PID:852
- /bin/sleep
  sleep 1
  2⤵
  PID:853
- /bin/sleep
  sleep 1
  2⤵
  PID:854
- /bin/sleep
  sleep 1
  2⤵
  PID:855
- /bin/sleep
  sleep 1
  2⤵
  PID:856
- /bin/sleep
  sleep 1
  2⤵
  PID:857
- /bin/sleep
  sleep 1
  2⤵
  PID:858
- /bin/sleep
  sleep 1
  2⤵
  PID:861
- /bin/sleep
  sleep 1
  2⤵
  PID:862
- /bin/sleep
  sleep 1
  2⤵
  PID:863
- /bin/sleep
  sleep 1
  2⤵
  PID:864
- /bin/sleep
  sleep 1
  2⤵
  PID:865
- /bin/sleep
  sleep 1
  2⤵
  PID:866
- /bin/sleep
  sleep 1
  2⤵
  PID:867
- /bin/sleep
  sleep 1
  2⤵
  PID:868
- /bin/sleep
  sleep 1
  2⤵
  PID:869
- /bin/sleep
  sleep 1
  2⤵
  PID:870
- /bin/sleep
  sleep 1
  2⤵
  PID:873
- /bin/sleep
  sleep 1
  2⤵
  PID:874
- /bin/sleep
  sleep 1
  2⤵
  PID:875
- /bin/sleep
  sleep 1
  2⤵
  PID:876
- /bin/sleep
  sleep 1
  2⤵
  PID:877
- /bin/sleep
  sleep 1
  2⤵
  PID:878
- /bin/sleep
  sleep 1
  2⤵
  PID:879
- /bin/sleep
  sleep 1
  2⤵
  PID:880
- /bin/sleep
  sleep 1
  2⤵
  PID:881
- /bin/sleep
  sleep 1
  2⤵
  PID:882
- /bin/sleep
  sleep 1
  2⤵
  PID:885
- /bin/sleep
  sleep 1
  2⤵
  PID:886
- /bin/sleep
  sleep 1
  2⤵
  PID:887
- /bin/sleep
  sleep 1
  2⤵
  PID:888
- /bin/sleep
  sleep 1
  2⤵
  PID:889
- /bin/sleep
  sleep 1
  2⤵
  PID:890
- /bin/sleep
  sleep 1
  2⤵
  PID:891
- /bin/sleep
  sleep 1
  2⤵
  PID:892
- /bin/sleep
  sleep 1
  2⤵
  PID:893
- /bin/sleep
  sleep 1
  2⤵
  PID:894
- /bin/sleep
  sleep 1
  2⤵
  PID:897
- /bin/sleep
  sleep 1
  2⤵
  PID:898
- /bin/sleep
  sleep 1
  2⤵
  PID:899
- /bin/sleep
  sleep 1
  2⤵
  PID:900
- /bin/sleep
  sleep 1
  2⤵
  PID:901
- /bin/sleep
  sleep 1
  2⤵
  PID:902
- /bin/sleep
  sleep 1
  2⤵
  PID:903
- /bin/sleep
  sleep 1
  2⤵
  PID:904
- /bin/sleep
  sleep 1
  2⤵
  PID:905
- /bin/sleep
  sleep 1
  2⤵
  PID:906
- /bin/sleep
  sleep 1
  2⤵
  PID:909
- /bin/sleep
  sleep 1
  2⤵
  PID:910
- /bin/sleep
  sleep 1
  2⤵
  PID:911
- /bin/sleep
  sleep 1
  2⤵
  PID:912
- /bin/sleep
  sleep 1
  2⤵
  PID:913
- /bin/sleep
  sleep 1
  2⤵
  PID:914
- /bin/sleep
  sleep 1
  2⤵
  PID:915
- /bin/sleep
  sleep 1
  2⤵
  PID:916
- /bin/sleep
  sleep 1
  2⤵
  PID:917
- /bin/sleep
  sleep 1
  2⤵
  PID:918
- /bin/sleep
  sleep 1
  2⤵
  PID:921
- /bin/sleep
  sleep 1
  2⤵
  PID:922
- /bin/sleep
  sleep 1
  2⤵
  PID:923
- /bin/sleep
  sleep 1
  2⤵
  PID:924
- /bin/sleep
  sleep 1
  2⤵
  PID:925
- /bin/sleep
  sleep 1
  2⤵
  PID:926
- /bin/sleep
  sleep 1
  2⤵
  PID:927
- /bin/sleep
  sleep 1
  2⤵
  PID:928
- /bin/sleep
  sleep 1
  2⤵
  PID:929
- /bin/sleep
  sleep 1
  2⤵
  PID:930
- /bin/sleep
  sleep 1
  2⤵
  PID:933
- /bin/sleep
  sleep 1
  2⤵
  PID:934
- /bin/sleep
  sleep 1
  2⤵
  PID:935
- /bin/sleep
  sleep 1
  2⤵
  PID:936
- /bin/sleep
  sleep 1
  2⤵
  PID:937
- /bin/sleep
  sleep 1
  2⤵
  PID:938
- /bin/sleep
  sleep 1
  2⤵
  PID:939
- /bin/sleep
  sleep 1
  2⤵
  PID:940
- /bin/sleep
  sleep 1
  2⤵
  PID:941
- /bin/sleep
  sleep 1
  2⤵
  PID:942
- /bin/sleep
  sleep 1
  2⤵
  PID:945
- /bin/sleep
  sleep 1
  2⤵
  PID:946
- /bin/sleep
  sleep 1
  2⤵
  PID:947
- /bin/sleep
  sleep 1
  2⤵
  PID:948
- /bin/sleep
  sleep 1
  2⤵
  PID:949
- /bin/sleep
  sleep 1
  2⤵
  PID:950
- /bin/sleep
  sleep 1
  2⤵
  PID:951
- /bin/sleep
  sleep 1
  2⤵
  PID:952
- /bin/sleep
  sleep 1
  2⤵
  PID:953
- /bin/sleep
  sleep 1
  2⤵
  PID:954

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/cc6ZQW3e.o

Filesize
1KB

MD5
e65fff5ebc9f01a2539f9b657048d224

SHA1
6f38d08b46828e989781f9b91d4ccd6513ece280

SHA256
5e8136d8291b59bb8d5ccb23eabbaa2e1038587c5193b72ebf3c7a1b8406d216

SHA512
8e578f06bbc03da2acca5b29f1e56c6b261753ce8553f7af89560086b824fc23bc458fb5ecc8708bfc4133e9f5d262de4b66d4613c7bd460f79e5138e292dd29

Download Submit
/tmp/ccGXqPxi.s

Filesize
264B

MD5
d3a9c70a79b5c9d3f4e5e07b4d7c35f4

SHA1
abb2bd83c06bb7bc6a929eb5cb0eb446ae86e598

SHA256
68c7de9c2401493c470ea14babea91362c3d540364a016be4f0976fa2fc37d6f

SHA512
afaa9f13c2e103818d4890449e26b71a07703f1b81a8b2dc2d96d1e9a3f6bd7430a38ce023b57bae92b33b1b096d08767ca69d17b87ba35821bb1739e9bf1526

Download Submit
/tmp/ccIOncol.s

Filesize
973B

MD5
77a1ec5e91211462dc9d647b6fcee073

SHA1
6570a9a2091ce21f0456b41b57a1f8c2d0bc8659

SHA256
04c90a20c5bfdbce58cbe66705d5da50d508d6464a59cfb9c32b9eb12c8c6e0f

SHA512
3e757b5cc9a7d0df06068ecc2730e61bece4f43d193ccffdb3a7a94b8ac7652f92e3b80f4d6f6be4fbd3fcf38b6313312d6516636c3f46c8a8389baae166133f

Download Submit
/tmp/foo/script

Filesize
81B

MD5
c107f1b458aa71247230253dd83d2de0

SHA1
cd6b6c83e279bb0fe9d49c54dbd393b7ef0e66c8

SHA256
6b18702b489c61c4baae1d03fb9072ac6522cdc256529ea8de6403c2ebc2e7c3

SHA512
8b709f8c4fb1151c79e3acac22f37b4be48953d93799dc69778cbe73433c9608d74b1715771a22188af2375cb31e9509413f02b9171d20e93769f2007a301cb0

Download Submit
/tmp/foo/sm.cf

Filesize
210B

MD5
cf174b44cdff414654f55cc443b9a74c

SHA1
f1c2d099d72326d7c1402e9a693ac833b87da3b9

SHA256
12d387e9de678b5ca7f011738d6eecc7b0979ec0860573f02c460c3ef785afa5

SHA512
80a1c62422fe1708fc700d3516f23a771ccf69601b9d86ab0618ae908fd1656944775b3affcc2f9f38d1c93be5c28b340f6c4f3f92257a9a75e9cd768a1d7645

Download Submit
/tmp/foo/sush

Filesize
8KB

MD5
7f6acf55e71bdfbbcde27e59ba417621

SHA1
cea149cbf41eaabb70ecc9358f08f229ea41d45a

SHA256
3b4e6d7bc0670d6011a9c644704b3e17e34b77a30e5353ba199446ec20a0e779

SHA512
2ff88b35f1f29db855b918dc56f5a34f90fe51ad08a8cc2bd828b1ab8a5b7051e567e16e8cf35c7e44854017beab74027269cb82c52956d1a206a8c4ab7034cc

Download Submit
/tmp/foo/sush.c

Filesize
87B

MD5
b5d3f05969df6ed90056c6afecda51e3

SHA1
56a75abe7f7f717aff43fc99413f6c78c8ea2c1c

SHA256
05158bb2d287705bbf335b5b80482d053dae8804a7a920ce8ef128562471834a

SHA512
b988dd13b5499cccdfd82fbf7548c4bcc9996fe640c2fa075e8cfcf3054863b8217cad5a137cbb9fa8db14e48dbd3fc84cdb4f486ca6e8db9389ea7a6d6fa1ea

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads