4861dc86e0eef13b546d4a6e69e1f9ada2a81ee13bf4c2a4f55f381e6c4a2c72

Analysis

max time kernel
3s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
25-11-2024 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

platforms/aix/local/4232.sh
Size

635B
MD5

a3546946df48b2c8403d47b61e0c329f
SHA1

6f631ee5481c1d31041b72a4fb8dbca1788419c0
SHA256

6dd9464a2091f42438f09c9aa668fa0133837ec281e576db9778a23b0cb9018f
SHA512

0b83d1409ecfd3013dbe652b8d5b15a52602096e1fd71701c2d64179dbddb8eccc50002fc76acb759f57e173431e2a16a2b5f12dbce768017ccf6f826afac7c3

Score

3^/10

Malware Config

Signatures

Writes file to tmp directory 11 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/platforms/aix/local/piolib.c	4232.sh
File opened for modification	/tmp/ccAiZEKz.res	gcc
File opened for modification	/tmp/cckMloed.c	collect2
File opened for modification	/tmp/ccw18ZXf.o	collect2
File opened for modification	/tmp/ccWM1UYm.le	collect2
File opened for modification	/tmp/platforms/aix/local/piolib	ld
File opened for modification	/tmp/ccokx9Wa.s	gcc
File opened for modification	/tmp/ccokx9Wa.s	cc1
File opened for modification	/tmp/cceNVXXD.o	gcc
File opened for modification	/tmp/cceNVXXD.o	as
File opened for modification	/tmp/ccavcQkh.ld	collect2

/tmp/platforms/aix/local/4232.sh
/tmp/platforms/aix/local/4232.sh
1⤵
- Writes file to tmp directory
PID:719
- /bin/cat
  cat
  2⤵
  PID:721
- /usr/bin/gcc
  gcc piolib.c -o piolib -shared -fPIC
  2⤵
  - Writes file to tmp directory
  PID:723
- - /usr/lib/gcc/arm-linux-gnueabihf/6/cc1
    /usr/lib/gcc/arm-linux-gnueabihf/6/cc1 -quiet -imultilib . -imultiarch arm-linux-gnueabihf piolib.c -quiet -dumpbase piolib.c "-march=armv7-a" "-mfloat-abi=hard" "-mfpu=vfpv3-d16" -mthumb "-mtls-dialect=gnu" -auxbase piolib -fPIC -o /tmp/ccokx9Wa.s
    3⤵
    - Writes file to tmp directory
    PID:728
- - /usr/local/sbin/as
    as "-march=armv7-a" "-mfloat-abi=hard" "-mfpu=vfpv3-d16" "-meabi=5" -o /tmp/cceNVXXD.o /tmp/ccokx9Wa.s
    3⤵
    PID:738
- - /usr/local/bin/as
    as "-march=armv7-a" "-mfloat-abi=hard" "-mfpu=vfpv3-d16" "-meabi=5" -o /tmp/cceNVXXD.o /tmp/ccokx9Wa.s
    3⤵
    PID:738
- - /usr/sbin/as
    as "-march=armv7-a" "-mfloat-abi=hard" "-mfpu=vfpv3-d16" "-meabi=5" -o /tmp/cceNVXXD.o /tmp/ccokx9Wa.s
    3⤵
    PID:738
- - /usr/bin/as
    as "-march=armv7-a" "-mfloat-abi=hard" "-mfpu=vfpv3-d16" "-meabi=5" -o /tmp/cceNVXXD.o /tmp/ccokx9Wa.s
    3⤵
    - Writes file to tmp directory
    PID:738
- - /usr/lib/gcc/arm-linux-gnueabihf/6/collect2
    /usr/lib/gcc/arm-linux-gnueabihf/6/collect2 -plugin /usr/lib/gcc/arm-linux-gnueabihf/6/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/arm-linux-gnueabihf/6/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccAiZEKz.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "--sysroot=/" --build-id --eh-frame-hdr -shared -X "--hash-style=gnu" -m armelf_linux_eabi -o piolib /usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf/crti.o /usr/lib/gcc/arm-linux-gnueabihf/6/crtbeginS.o -L/usr/lib/gcc/arm-linux-gnueabihf/6 -L/usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf -L/usr/lib/gcc/arm-linux-gnueabihf/6/../../.. -L/lib/arm-linux-gnueabihf -L/usr/lib/arm-linux-gnueabihf /tmp/cceNVXXD.o -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s --no-as-needed /usr/lib/gcc/arm-linux-gnueabihf/6/crtendS.o /usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf/crtn.o
    3⤵
    - Writes file to tmp directory
    PID:741
  - - /usr/bin/ld
      /usr/bin/ld -plugin /usr/lib/gcc/arm-linux-gnueabihf/6/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/arm-linux-gnueabihf/6/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccAiZEKz.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "--sysroot=/" --build-id --eh-frame-hdr -shared -X "--hash-style=gnu" -m armelf_linux_eabi -o piolib /usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf/crti.o /usr/lib/gcc/arm-linux-gnueabihf/6/crtbeginS.o -L/usr/lib/gcc/arm-linux-gnueabihf/6 -L/usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf -L/usr/lib/gcc/arm-linux-gnueabihf/6/../../.. -L/lib/arm-linux-gnueabihf -L/usr/lib/arm-linux-gnueabihf /tmp/cceNVXXD.o -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s --no-as-needed /usr/lib/gcc/arm-linux-gnueabihf/6/crtendS.o /usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf/crtn.o
      4⤵
      Writes file to tmp directory
      PID:744
- /usr/lpd/pio/etc/pioout
  /usr/lpd/pio/etc/pioout -R ./piolib
  2⤵
  PID:749
- /bin/rm
  rm -f piolib.c piolib
  2⤵
  PID:750

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/cceNVXXD.o

Filesize
1KB

MD5
d66e4286c2d83efeffe1ba47af7d6082

SHA1
57abcc9c90e670825337ec59bc3d6ecdbbdb498b

SHA256
187abcf1274c792e9652712abffc98db79118bf7457800439e8e6819c5b4b116

SHA512
9b6045840c6df63c37c10f110b616e40342ace01e61c19f4e91e0c038eb0be2a90d7bbeeedbbec48afeae6bfceafcb808855e22f68684f20248ac778eabe4119

Download Submit
/tmp/ccokx9Wa.s

Filesize
1KB

MD5
2de72ab9eb1fbe07f0604d13c4a8defc

SHA1
d683ffbdd34d130ec4e80ad017547d143b3c7e0a

SHA256
26665764a96ab92b680b86cfd3d76e7557d61ff32c3fea843164a2b483723776

SHA512
3b2bda76604ff6dc7006506349977eccc0b49358571982be81068f39d4c66ade84f5ce157651ae6288e35d71b9a65e306b6cde1c42a247b487ca17227dafd8c8

Download Submit
/tmp/platforms/aix/local/piolib

Filesize
7KB

MD5
66ce74e6f0ee069c3103779d72a9f397

SHA1
3772a648565860f56ed83177a5d39dcc3d84ed75

SHA256
b7717bb8d5287c18894038457b5ff300ad3b273df7e09bf8840d045147271856

SHA512
071f9d3b30cabd2834480ee8744dcb5166a02add7c704f0367fc415e437c82887155c934215a4dac0505caf87f56c88f936327995de618ae2cd7fb227b8207a2

Download Submit
/tmp/platforms/aix/local/piolib.c

Filesize
273B

MD5
7d7d2ea6cde42ce582f464e4436246b9

SHA1
e902c4c205bff6e4e03506159d35891d68edbd62

SHA256
dee8d23345dc1b1f2ab6c126a3aa9d03800164e90d8f0823be48296ba6bce036

SHA512
8539d0ca0b56e8cbcf1d3a2e71db0b9aec4ff949dc9bae54657ecc87e94eeea3eee5d9b442c4c670142c6cd1fb48c568cab65dcf4f31ff4bab4ab2e60844f4d2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads