c9a76da2ccce153eb7421493ae8c0b03ab5104fadb7656dc291fc388af5dc6f2

General

Target

wunderbar_emporium/wunderbar_emporium.sh
Size

1KB
MD5

a4bd78f8b9f69b508daca4268dcc66ce
SHA1

02d29ddb69616a0d3d4cf4348f51d3f81f147e67
SHA256

64206f3f7d6c962fb9bf49b161e636d8be4bedde1a11d2a0164006aa25748a7e
SHA512

60ba980e3cd14c0dc71f0b34b8f79cca1d2349569832a526d5b052a78baa3ceec36e6b312876251b019b3371e898d175ba0b8c7e32f8ae9a140fdb9bffa6e3c6

Score

5^/10

Malware Config

Signatures

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

killallmvmvcat

description	ioc	process
/proc/83/stat	/proc/83/stat	killall
/proc/155/stat	/proc/155/stat	killall
/proc/168/stat	/proc/168/stat	killall
/proc/85/stat	/proc/85/stat	killall
/proc/157/stat	/proc/157/stat	killall
/proc/159/stat	/proc/159/stat	killall
/proc/345/stat	/proc/345/stat	killall
/proc/588/stat	/proc/588/stat	killall
/proc/590/cmdline	/proc/590/cmdline	killall
/proc/3/stat	/proc/3/stat	killall
/proc/12/stat	/proc/12/stat	killall
/proc/195/stat	/proc/195/stat	killall
/proc/20/stat	/proc/20/stat	killall
/proc/78/stat	/proc/78/stat	killall
/proc/253/stat	/proc/253/stat	killall
/proc/1/stat	/proc/1/stat	killall
/proc/16/stat	/proc/16/stat	killall
/proc/19/stat	/proc/19/stat	killall
/proc/318/stat	/proc/318/stat	killall
/proc/7/stat	/proc/7/stat	killall
/proc/115/stat	/proc/115/stat	killall
/proc/170/stat	/proc/170/stat	killall
/proc/10/stat	/proc/10/stat	killall
/proc/25/stat	/proc/25/stat	killall
/proc/365/stat	/proc/365/stat	killall
/proc/15/cmdline	/proc/15/cmdline	killall
/proc/23/stat	/proc/23/stat	killall
/proc/32/stat	/proc/32/stat	killall
/proc/318/cmdline	/proc/318/cmdline	killall
/proc/351/stat	/proc/351/stat	killall
/proc/filesystems	/proc/filesystems	mv
/proc/84/stat	/proc/84/stat	killall
/proc/171/stat	/proc/171/stat	killall
/proc/227/cmdline	/proc/227/cmdline	killall
/proc/5/stat	/proc/5/stat	killall
/proc/15/stat	/proc/15/stat	killall
/proc/29/stat	/proc/29/stat	killall
/proc/18/stat	/proc/18/stat	killall
/proc/36/stat	/proc/36/stat	killall
/proc/156/stat	/proc/156/stat	killall
/proc/filesystems	/proc/filesystems	killall
/proc/320/stat	/proc/320/stat	killall
/proc/351/cmdline	/proc/351/cmdline	killall
/proc/565/cmdline	/proc/565/cmdline	killall
/proc/340/stat	/proc/340/stat	killall
/proc/429/stat	/proc/429/stat	killall
/proc/filesystems	/proc/filesystems	mv
/proc/158/stat	/proc/158/stat	killall
/proc/165/stat	/proc/165/stat	killall
/proc/371/stat	/proc/371/stat	killall
/proc/79/stat	/proc/79/stat	killall
/proc/80/stat	/proc/80/stat	killall
/proc/79/cmdline	/proc/79/cmdline	killall
/proc/89/stat	/proc/89/stat	killall
/proc/167/stat	/proc/167/stat	killall
/proc/34/stat	/proc/34/stat	killall
/proc/8/stat	/proc/8/stat	killall
/proc/24/stat	/proc/24/stat	killall
/proc/sys/vm/mmap_min_addr	/proc/sys/vm/mmap_min_addr	cat
/proc/9/stat	/proc/9/stat	killall
/proc/409/stat	/proc/409/stat	killall
/proc/426/stat	/proc/426/stat	killall
/proc/357/stat	/proc/357/stat	killall
/proc/194/stat	/proc/194/stat	killall

Writes file to tmp directory 23 IoCs

Malware often drops required files in the /tmp directory.

Processes:

ccascccc1collect2collect2ldwunderbar_emporium.shldascc1

description	ioc	process
/tmp/ccINdTmf.o	/tmp/ccINdTmf.o	cc
/tmp/ccINdTmf.o	/tmp/ccINdTmf.o	as
/tmp/cccTA0Zv.s	/tmp/cccTA0Zv.s	cc
/tmp/cccTA0Zv.s	/tmp/cccTA0Zv.s	cc1
/tmp/ccAYS2H0.o	/tmp/ccAYS2H0.o	collect2
/tmp/ccTjqwoD.c	/tmp/ccTjqwoD.c	collect2
/tmp/ccJO1hPY.o	/tmp/ccJO1hPY.o	collect2
/tmp/ccLTGLVR.o	/tmp/ccLTGLVR.o	cc
/tmp/ccsnfsKE.c	/tmp/ccsnfsKE.c	collect2
/tmp/ccEtHDFm.ld	/tmp/ccEtHDFm.ld	collect2
/tmp/ccuFFeDI.le	/tmp/ccuFFeDI.le	collect2
/tmp/ccLTGLVR.o	/tmp/ccLTGLVR.o	ld
/tmp/wunderbar_emporium/wunderbar_emporium.sh	/tmp/wunderbar_emporium/wunderbar_emporium.sh	wunderbar_emporium.sh
/tmp/ccs63KSf.s	/tmp/ccs63KSf.s	cc
/tmp/ccbkaRGF.le	/tmp/ccbkaRGF.le	collect2
/tmp/ccINdTmf.o	/tmp/ccINdTmf.o	ld
/tmp/cccTA0Zv.s	/tmp/cccTA0Zv.s	as
/tmp/ccs63KSf.s	/tmp/ccs63KSf.s	cc1
/tmp/ccs63KSf.s	/tmp/ccs63KSf.s	as
/tmp/ccC6Lgjz.res	/tmp/ccC6Lgjz.res	cc
/tmp/ccCHn4fk.ld	/tmp/ccCHn4fk.ld	collect2
/tmp/ccLTGLVR.o	/tmp/ccLTGLVR.o	as
/tmp/ccQSXWSd.res	/tmp/ccQSXWSd.res	cc

/tmp/wunderbar_emporium/wunderbar_emporium.sh
/tmp/wunderbar_emporium/wunderbar_emporium.sh
1⤵
- Writes file to tmp directory
PID:590

/bin/sed
sed "s/\\/home\\/spender/\\/tmp\\/wunderbar_emporium/g" pwnkernel.c
2⤵
PID:594

/bin/mv
mv pwnkernel.c pwnkernel2.c
2⤵
PID:595

/bin/mv
mv pwnkernel1.c pwnkernel.c
2⤵
- Reads runtime system information
PID:596

/usr/bin/killall
killall -9 pulseaudio
2⤵
- Reads runtime system information
PID:597

/bin/uname
uname -p
2⤵
PID:598

/bin/cat
cat /proc/sys/vm/mmap_min_addr
2⤵
- Reads runtime system information
PID:599

/usr/bin/cc
cc -fno-stack-protector -fPIC -m64 -shared -o exploit.so exploit.c
2⤵
- Writes file to tmp directory
PID:600

/usr/bin/cc
cc -m64 -o pwnkernel pwnkernel.c
2⤵
- Writes file to tmp directory
PID:610

./pwnkernel
./pwnkernel
2⤵
PID:615

/bin/mv
mv -f pwnkernel2.c pwnkernel.c
2⤵
- Reads runtime system information
PID:616

/bin/sed
sed "s/\\//\\\\\\//g"
1⤵
PID:593

/usr/lib/gcc/x86_64-linux-gnu/7/cc1
/usr/lib/gcc/x86_64-linux-gnu/7/cc1 -quiet -imultiarch x86_64-linux-gnu exploit.c -quiet -dumpbase exploit.c -m64 "-mtune=generic" "-march=x86-64" -auxbase exploit -fno-stack-protector -fPIC -Wformat -Wformat-security -o /tmp/ccs63KSf.s
1⤵
- Writes file to tmp directory
PID:601

/usr/local/sbin/as
as --64 -o /tmp/ccINdTmf.o /tmp/ccs63KSf.s
1⤵
PID:607

/usr/local/bin/as
as --64 -o /tmp/ccINdTmf.o /tmp/ccs63KSf.s
1⤵
PID:607

/usr/sbin/as
as --64 -o /tmp/ccINdTmf.o /tmp/ccs63KSf.s
1⤵
PID:607

/usr/bin/as
as --64 -o /tmp/ccINdTmf.o /tmp/ccs63KSf.s
1⤵
- Writes file to tmp directory
PID:607

/usr/lib/gcc/x86_64-linux-gnu/7/collect2
/usr/lib/gcc/x86_64-linux-gnu/7/collect2 -plugin /usr/lib/gcc/x86_64-linux-gnu/7/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccC6Lgjz.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" --build-id --eh-frame-hdr -m elf_x86_64 "--hash-style=gnu" --as-needed -shared -z relro -o exploit.so /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/7 -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/7/../../.. /tmp/ccINdTmf.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o
1⤵
- Writes file to tmp directory
PID:608

/usr/bin/ld
/usr/bin/ld -plugin /usr/lib/gcc/x86_64-linux-gnu/7/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccC6Lgjz.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" --build-id --eh-frame-hdr -m elf_x86_64 "--hash-style=gnu" --as-needed -shared -z relro -o exploit.so /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/7 -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/7/../../.. /tmp/ccINdTmf.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o
1⤵
- Writes file to tmp directory
PID:609

/usr/lib/gcc/x86_64-linux-gnu/7/cc1
/usr/lib/gcc/x86_64-linux-gnu/7/cc1 -quiet -imultiarch x86_64-linux-gnu pwnkernel.c -quiet -dumpbase pwnkernel.c -m64 "-mtune=generic" "-march=x86-64" -auxbase pwnkernel -fstack-protector-strong -Wformat -Wformat-security -o /tmp/cccTA0Zv.s
1⤵
- Writes file to tmp directory
PID:611

/usr/local/sbin/as
as --64 -o /tmp/ccLTGLVR.o /tmp/cccTA0Zv.s
1⤵
PID:612

/usr/local/bin/as
as --64 -o /tmp/ccLTGLVR.o /tmp/cccTA0Zv.s
1⤵
PID:612

/usr/sbin/as
as --64 -o /tmp/ccLTGLVR.o /tmp/cccTA0Zv.s
1⤵
PID:612

/usr/bin/as
as --64 -o /tmp/ccLTGLVR.o /tmp/cccTA0Zv.s
1⤵
- Writes file to tmp directory
PID:612

/usr/lib/gcc/x86_64-linux-gnu/7/collect2
/usr/lib/gcc/x86_64-linux-gnu/7/collect2 -plugin /usr/lib/gcc/x86_64-linux-gnu/7/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccQSXWSd.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" --build-id --eh-frame-hdr -m elf_x86_64 "--hash-style=gnu" --as-needed -dynamic-linker /lib64/ld-linux-x86-64.so.2 -pie -z now -z relro -o pwnkernel /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/Scrt1.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/7 -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/7/../../.. /tmp/ccLTGLVR.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o
1⤵
- Writes file to tmp directory
PID:613

/usr/bin/ld
/usr/bin/ld -plugin /usr/lib/gcc/x86_64-linux-gnu/7/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccQSXWSd.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" --build-id --eh-frame-hdr -m elf_x86_64 "--hash-style=gnu" --as-needed -dynamic-linker /lib64/ld-linux-x86-64.so.2 -pie -z now -z relro -o pwnkernel /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/Scrt1.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/7 -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/7/../../.. /tmp/ccLTGLVR.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o
1⤵
- Writes file to tmp directory
PID:614

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads