4861dc86e0eef13b546d4a6e69e1f9ada2a81ee13bf4c2a4f55f381e6c4a2c72

Analysis

max time kernel
3s
platform
debian-9_mipsel
resource
debian9-mipsel-20240729-en
resource tags

arch:mipselimage:debian9-mipsel-20240729-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
25/11/2024, 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

platforms/QNX/local/1479.sh
Size

644B
MD5

f2273bf88664e68857f46681317c9cc7
SHA1

1ee20de6c758683652740ff8cce2281461a53893
SHA256

710313d9fb5b811740f47cd8256de2ec1fa8dc8eb266532718382f5af867c8ca
SHA512

4706f1e79dea89c043ad835e19ace01e24464c59946f1b767b014d7c2c33d8c3ce10c2e05e844d1fea4df255024ea23ea292f81170339ea238c58ec669aa2c9a

Score

3^/10

discovery

Malware Config

Signatures

System Network Configuration Discovery 1 TTPs 4 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
757	as
757	as
757	as
757	as

Writes file to tmp directory 11 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/ccwnon0A.s	cc1
File opened for modification	/tmp/ccIe1bcd.res	cc
File opened for modification	/tmp/cc0eo6of.c	collect2
File opened for modification	/tmp/cc63BmLk.o	collect2
File opened for modification	/tmp/ccekbp2p.ld	collect2
File opened for modification	/tmp/platforms/QNX/local/phfontphf.c	1479.sh
File opened for modification	/tmp/ccwnon0A.s	cc
File opened for modification	/tmp/ccRHM1ig.o	cc
File opened for modification	/tmp/ccRHM1ig.o	as
File opened for modification	/tmp/ccoVAZju.le	collect2
File opened for modification	/tmp/platforms/QNX/local/phfontphf	ld

/tmp/platforms/QNX/local/1479.sh
/tmp/platforms/QNX/local/1479.sh
1⤵
- Writes file to tmp directory
PID:741
- /bin/cat
  cat
  2⤵
  PID:742
- /usr/bin/make
  make phfontphf
  2⤵
  PID:744
- - /usr/local/sbin/cc
    cc phfontphf.c -o phfontphf
    3⤵
    PID:750
- - /usr/local/bin/cc
    cc phfontphf.c -o phfontphf
    3⤵
    PID:750
- - /usr/sbin/cc
    cc phfontphf.c -o phfontphf
    3⤵
    PID:750
- - /usr/bin/cc
    cc phfontphf.c -o phfontphf
    3⤵
    - Writes file to tmp directory
    PID:750
  - - /usr/lib/gcc/mipsel-linux-gnu/6/cc1
      /usr/lib/gcc/mipsel-linux-gnu/6/cc1 -quiet -imultiarch mipsel-linux-gnu phfontphf.c -mel -quiet -dumpbase phfontphf.c "-march=mips32r2" -mfpxx -mllsc -mno-lxc1-sxc1 -mno-madd4 -mips32r2 "-mabi=32" -auxbase phfontphf -o /tmp/ccwnon0A.s
      4⤵
      Writes file to tmp directory
      PID:751
  - - /usr/local/sbin/as
      as -EL -mips32r2 -O1 -no-mdebug "-mabi=32" "-march=mips32r2" -mfpxx -KPIC -o /tmp/ccRHM1ig.o /tmp/ccwnon0A.s
      4⤵
      System Network Configuration Discovery
      PID:757
  - - /usr/local/bin/as
      as -EL -mips32r2 -O1 -no-mdebug "-mabi=32" "-march=mips32r2" -mfpxx -KPIC -o /tmp/ccRHM1ig.o /tmp/ccwnon0A.s
      4⤵
      System Network Configuration Discovery
      PID:757
  - - /usr/sbin/as
      as -EL -mips32r2 -O1 -no-mdebug "-mabi=32" "-march=mips32r2" -mfpxx -KPIC -o /tmp/ccRHM1ig.o /tmp/ccwnon0A.s
      4⤵
      System Network Configuration Discovery
      PID:757
  - - /usr/bin/as
      as -EL -mips32r2 -O1 -no-mdebug "-mabi=32" "-march=mips32r2" -mfpxx -KPIC -o /tmp/ccRHM1ig.o /tmp/ccwnon0A.s
      4⤵
      System Network Configuration Discovery
      Writes file to tmp directory
      PID:757
  - - /usr/lib/gcc/mipsel-linux-gnu/6/collect2
      /usr/lib/gcc/mipsel-linux-gnu/6/collect2 -plugin /usr/lib/gcc/mipsel-linux-gnu/6/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/mipsel-linux-gnu/6/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccIe1bcd.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "--sysroot=/" --build-id --eh-frame-hdr -EL -mips32r2 -dynamic-linker /lib/ld.so.1 -melf32ltsmip -pie -o phfontphf /usr/lib/gcc/mipsel-linux-gnu/6/../../../mipsel-linux-gnu/Scrt1.o /usr/lib/gcc/mipsel-linux-gnu/6/../../../mipsel-linux-gnu/crti.o /usr/lib/gcc/mipsel-linux-gnu/6/crtbeginS.o -L/usr/lib/gcc/mipsel-linux-gnu/6 -L/usr/lib/gcc/mipsel-linux-gnu/6/../../../mipsel-linux-gnu -L/usr/lib/gcc/mipsel-linux-gnu/6/../../../../lib -L/lib/mipsel-linux-gnu -L/lib/../lib -L/usr/lib/mipsel-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/mipsel-linux-gnu/6/../../.. /tmp/ccRHM1ig.o -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s --no-as-needed /usr/lib/gcc/mipsel-linux-gnu/6/crtendS.o /usr/lib/gcc/mipsel-linux-gnu/6/../../../mipsel-linux-gnu/crtn.o
      4⤵
      Writes file to tmp directory
      PID:759
    - - /usr/bin/ld
        
        /usr/bin/ld -plugin /usr/lib/gcc/mipsel-linux-gnu/6/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/mipsel-linux-gnu/6/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccIe1bcd.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "--sysroot=/" --build-id --eh-frame-hdr -EL -mips32r2 -dynamic-linker /lib/ld.so.1 -melf32ltsmip -pie -o phfontphf /usr/lib/gcc/mipsel-linux-gnu/6/../../../mipsel-linux-gnu/Scrt1.o /usr/lib/gcc/mipsel-linux-gnu/6/../../../mipsel-linux-gnu/crti.o /usr/lib/gcc/mipsel-linux-gnu/6/crtbeginS.o -L/usr/lib/gcc/mipsel-linux-gnu/6 -L/usr/lib/gcc/mipsel-linux-gnu/6/../../../mipsel-linux-gnu -L/usr/lib/gcc/mipsel-linux-gnu/6/../../../../lib -L/lib/mipsel-linux-gnu -L/lib/../lib -L/usr/lib/mipsel-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/mipsel-linux-gnu/6/../../.. /tmp/ccRHM1ig.o -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s --no-as-needed /usr/lib/gcc/mipsel-linux-gnu/6/crtendS.o /usr/lib/gcc/mipsel-linux-gnu/6/../../../mipsel-linux-gnu/crtn.o
        5⤵
        Writes file to tmp directory
        
        PID:760
- /bin/ln
  ln -s /usr/photon/bin/phfont ./phfont
  2⤵
  PID:766
- /tmp/platforms/QNX/local/phfont
  ./phfont
  2⤵
  PID:768
- /bin/rm
  rm phfont phfontphf phfontphf.c
  2⤵
  PID:769

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/ccRHM1ig.o

Filesize
1KB

MD5
b889792c8a008481bf82512f892eca9d

SHA1
25aa7d8ba8b5608989bef53bb4ee74973e876b1a

SHA256
303191eea35ee666c482245dff5a9f79f37dcb6ba45ef8780b7c11b62341bef2

SHA512
96a22ec1c0e60abd6b108cd852127c7a10e5d15586e6a5191c9a85dde6a663605f1f1c4d23d155b52e0b28adfbe8f05433285a134b35bb87cb303eb8c79c0590

Download Submit
/tmp/ccwnon0A.s

Filesize
1KB

MD5
baa43a16cd4a2fe7c0f1549e4ea47203

SHA1
d6ebaed1fd48af48e55382e91cdf77d338262a76

SHA256
474bed2b1a537053a3ccecb2a8f89ed49b23ec5d82725daebd4904960d8594d4

SHA512
42792bdf80e1f96061595f9c7a10c65669b729cec52961b1e427498135e70b83f8eaf74779f6ec05f3dbd35e0cd6b926c293e8e17047ee5968f34dcf2e1fe6dd

Download Submit
/tmp/platforms/QNX/local/phfontphf

Filesize
6KB

MD5
5e3d9c82f7482079277cd271cfce38fc

SHA1
8e21da627168f64e94ae17dc53c53f84048ab016

SHA256
c8da3fea613a29db2353bcd5ac19cfb9c11a26b49456f456c645c72e15bf7577

SHA512
0686e81d05b7010113585ee1ab8210741a6093ef8b20dcd0bfbc5ad31fad239dca1cad9bebe9e4389926a7b269a85715f0fd9e3e9d5e2dc1374aa343b27581e0

Download Submit
/tmp/platforms/QNX/local/phfontphf.c

Filesize
128B

MD5
21bbe0b519bf442c3afdf1ac622e0637

SHA1
4d068ce6feba9e3fb2c27408c94bff2637ca22ec

SHA256
0d8d3adeed3013b55b9cd8e3ac5cbad673ce4aa214e2cd44c15dc4f2a6fdec36

SHA512
e476b1c6d6f7a2c3aab88733daae032f86d4bc9ca6b0b5e535875682579a14ac276cd8aadee5bc62a6426bf69a44d12f6b954d1bae9cc8e821108422af8b5fd4

Download Submit