4861dc86e0eef13b546d4a6e69e1f9ada2a81ee13bf4c2a4f55f381e6c4a2c72

Analysis

max time kernel
6s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
25-11-2024 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

platforms/QNX/local/1479.sh
Size

644B
MD5

f2273bf88664e68857f46681317c9cc7
SHA1

1ee20de6c758683652740ff8cce2281461a53893
SHA256

710313d9fb5b811740f47cd8256de2ec1fa8dc8eb266532718382f5af867c8ca
SHA512

4706f1e79dea89c043ad835e19ace01e24464c59946f1b767b014d7c2c33d8c3ce10c2e05e844d1fea4df255024ea23ea292f81170339ea238c58ec669aa2c9a

Score

3^/10

Malware Config

Signatures

Writes file to tmp directory 11 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/cchEL6C3.s	cc
File opened for modification	/tmp/ccRy3s7l.o	cc
File opened for modification	/tmp/ccrNpgxa.c	collect2
File opened for modification	/tmp/ccqhXhHd.o	collect2
File opened for modification	/tmp/platforms/QNX/local/phfontphf	ld
File opened for modification	/tmp/platforms/QNX/local/phfontphf.c	1479.sh
File opened for modification	/tmp/cchEL6C3.s	cc1
File opened for modification	/tmp/ccRy3s7l.o	as
File opened for modification	/tmp/ccjrKL3g.res	cc
File opened for modification	/tmp/ccpbkjHk.ld	collect2
File opened for modification	/tmp/ccQtAgop.le	collect2

/tmp/platforms/QNX/local/1479.sh
/tmp/platforms/QNX/local/1479.sh
1⤵
- Writes file to tmp directory
PID:740
- /bin/cat
  cat
  2⤵
  PID:742
- /usr/bin/make
  make phfontphf
  2⤵
  PID:743
- - /usr/local/sbin/cc
    cc phfontphf.c -o phfontphf
    3⤵
    PID:749
- - /usr/local/bin/cc
    cc phfontphf.c -o phfontphf
    3⤵
    PID:749
- - /usr/sbin/cc
    cc phfontphf.c -o phfontphf
    3⤵
    PID:749
- - /usr/bin/cc
    cc phfontphf.c -o phfontphf
    3⤵
    - Writes file to tmp directory
    PID:749
  - - /usr/lib/gcc/arm-linux-gnueabihf/6/cc1
      /usr/lib/gcc/arm-linux-gnueabihf/6/cc1 -quiet -imultilib . -imultiarch arm-linux-gnueabihf phfontphf.c -quiet -dumpbase phfontphf.c "-march=armv7-a" "-mfloat-abi=hard" "-mfpu=vfpv3-d16" -mthumb "-mtls-dialect=gnu" -auxbase phfontphf -o /tmp/cchEL6C3.s
      4⤵
      Writes file to tmp directory
      PID:751
  - - /usr/local/sbin/as
      as "-march=armv7-a" "-mfloat-abi=hard" "-mfpu=vfpv3-d16" "-meabi=5" -o /tmp/ccRy3s7l.o /tmp/cchEL6C3.s
      4⤵
      PID:758
  - - /usr/local/bin/as
      as "-march=armv7-a" "-mfloat-abi=hard" "-mfpu=vfpv3-d16" "-meabi=5" -o /tmp/ccRy3s7l.o /tmp/cchEL6C3.s
      4⤵
      PID:758
  - - /usr/sbin/as
      as "-march=armv7-a" "-mfloat-abi=hard" "-mfpu=vfpv3-d16" "-meabi=5" -o /tmp/ccRy3s7l.o /tmp/cchEL6C3.s
      4⤵
      PID:758
  - - /usr/bin/as
      as "-march=armv7-a" "-mfloat-abi=hard" "-mfpu=vfpv3-d16" "-meabi=5" -o /tmp/ccRy3s7l.o /tmp/cchEL6C3.s
      4⤵
      Writes file to tmp directory
      PID:758
  - - /usr/lib/gcc/arm-linux-gnueabihf/6/collect2
      /usr/lib/gcc/arm-linux-gnueabihf/6/collect2 -plugin /usr/lib/gcc/arm-linux-gnueabihf/6/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/arm-linux-gnueabihf/6/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccjrKL3g.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "--sysroot=/" --build-id --eh-frame-hdr -dynamic-linker /lib/ld-linux-armhf.so.3 -X "--hash-style=gnu" -m armelf_linux_eabi -pie -o phfontphf /usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf/Scrt1.o /usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf/crti.o /usr/lib/gcc/arm-linux-gnueabihf/6/crtbeginS.o -L/usr/lib/gcc/arm-linux-gnueabihf/6 -L/usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf -L/usr/lib/gcc/arm-linux-gnueabihf/6/../../.. -L/lib/arm-linux-gnueabihf -L/usr/lib/arm-linux-gnueabihf /tmp/ccRy3s7l.o -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s --no-as-needed /usr/lib/gcc/arm-linux-gnueabihf/6/crtendS.o /usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf/crtn.o
      4⤵
      Writes file to tmp directory
      PID:761
    - - /usr/bin/ld
        
        /usr/bin/ld -plugin /usr/lib/gcc/arm-linux-gnueabihf/6/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/arm-linux-gnueabihf/6/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccjrKL3g.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "--sysroot=/" --build-id --eh-frame-hdr -dynamic-linker /lib/ld-linux-armhf.so.3 -X "--hash-style=gnu" -m armelf_linux_eabi -pie -o phfontphf /usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf/Scrt1.o /usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf/crti.o /usr/lib/gcc/arm-linux-gnueabihf/6/crtbeginS.o -L/usr/lib/gcc/arm-linux-gnueabihf/6 -L/usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf -L/usr/lib/gcc/arm-linux-gnueabihf/6/../../.. -L/lib/arm-linux-gnueabihf -L/usr/lib/arm-linux-gnueabihf /tmp/ccRy3s7l.o -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s --no-as-needed /usr/lib/gcc/arm-linux-gnueabihf/6/crtendS.o /usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf/crtn.o
        5⤵
        Writes file to tmp directory
        
        PID:763
- /bin/ln
  ln -s /usr/photon/bin/phfont ./phfont
  2⤵
  PID:768
- /tmp/platforms/QNX/local/phfont
  ./phfont
  2⤵
  PID:770
- /bin/rm
  rm phfont phfontphf phfontphf.c
  2⤵
  PID:771

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/ccRy3s7l.o

Filesize
1KB

MD5
bd745335b7e6839e4658f7d4324f5f10

SHA1
04039d68d37b176e30d0a8130a568dfca6584bdd

SHA256
d9201ceafd311d1f88e8e5387be5984dfa08c0470f7f53845948009069258697

SHA512
71d9040c020d3932f059cd045f00b6f056bfb72ce6fd7e8876dcbce656fbfdb5bb613f5e66eadf5ad4adc17b9cb43d639357bc7d2a0253bbeec020d0a3cf017a

Download Submit
/tmp/cchEL6C3.s

Filesize
928B

MD5
58a400aa6331341c7404d01dc2672c6e

SHA1
b7415e623bf813ece75a24ade16bbc5a6d81a7b1

SHA256
f24ec4684a16ae8033805e83b2c27e952d648b9530c41114d81f1208b51af406

SHA512
ee0fdfa1f05726297b80328dab6669ed2ea3aea9c61612466240429f2db0957c149cc59072e00722c1374f72018b90196c9d5eaed9e893d914ac1c2f9473fff0

Download Submit
/tmp/platforms/QNX/local/phfontphf

Filesize
8KB

MD5
d752b4f721d32af93946387e431a8aa4

SHA1
d43b6837e075b0bf031d9707114a53a65e16b61a

SHA256
319fb0a51ca30a4cbd2609d71267524e035345133515743ea4955b2b530fe342

SHA512
04c00c6edc5006aa887ef5b005becfa98c079040df38e380496b8df39e83bca8e04967d2724c3143fb208380f1a1b5cde10f200489f3fac5fb294211ebc8b25d

Download Submit
/tmp/platforms/QNX/local/phfontphf.c

Filesize
128B

MD5
21bbe0b519bf442c3afdf1ac622e0637

SHA1
4d068ce6feba9e3fb2c27408c94bff2637ca22ec

SHA256
0d8d3adeed3013b55b9cd8e3ac5cbad673ce4aa214e2cd44c15dc4f2a6fdec36

SHA512
e476b1c6d6f7a2c3aab88733daae032f86d4bc9ca6b0b5e535875682579a14ac276cd8aadee5bc62a6426bf69a44d12f6b954d1bae9cc8e821108422af8b5fd4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads