Analysis

  • max time kernel
    0s
  • max time network
    152s
  • platform
    linux_mipsel
  • resource
    debian9-mipsel-en-20211208
  • resource tags

    arch:mipsel image:debian9-mipsel-en-20211208 kernel:4.9.0-13-4kc-malta locale:en-us os:debian-9-mipsel system
  • submitted
    27-11-2022 18:08

General

  • Target

    wunderbar_emporium/wunderbar_emporium.sh

  • Size

    1KB

  • MD5

    a4bd78f8b9f69b508daca4268dcc66ce

  • SHA1

    02d29ddb69616a0d3d4cf4348f51d3f81f147e67

  • SHA256

    64206f3f7d6c962fb9bf49b161e636d8be4bedde1a11d2a0164006aa25748a7e

  • SHA512

    60ba980e3cd14c0dc71f0b34b8f79cca1d2349569832a526d5b052a78baa3ceec36e6b312876251b019b3371e898d175ba0b8c7e32f8ae9a140fdb9bffa6e3c6

Score
5/10

Malware Config

Signatures

  • Reads runtime system information 6 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 17 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/wunderbar_emporium/wunderbar_emporium.sh
    /tmp/wunderbar_emporium/wunderbar_emporium.sh
    1⤵
    • Writes file to tmp directory
    PID:327
    • /bin/sed
      sed "s/\\/home\\/spender/\\/tmp\\/wunderbar_emporium/g" pwnkernel.c
      2⤵
      • Reads runtime system information
      PID:333
    • /bin/mv
      mv pwnkernel.c pwnkernel2.c
      2⤵
      • Reads runtime system information
      PID:337
    • /bin/mv
      mv pwnkernel1.c pwnkernel.c
      2⤵
      • Reads runtime system information
      PID:338
    • /bin/uname
      uname -p
      2⤵
        PID:339
      • /bin/cat
        cat /proc/sys/vm/mmap_min_addr
        2⤵
        • Reads runtime system information
        PID:340
      • /usr/bin/cc
        cc -fno-stack-protector -fPIC -shared -o exploit.so exploit.c
        2⤵
        • Writes file to tmp directory
        PID:341
        • /usr/lib/gcc/mipsel-linux-gnu/6/cc1
          /usr/lib/gcc/mipsel-linux-gnu/6/cc1 -quiet -imultiarch mipsel-linux-gnu exploit.c -mel -quiet -dumpbase exploit.c "-march=mips32r2" -mfpxx -mllsc -mno-lxc1-sxc1 -mno-madd4 -mips32r2 "-mabi=32" -auxbase exploit -fno-stack-protector -fPIC -o /tmp/ccKhe62S.s
          3⤵
          • Writes file to tmp directory
          PID:342
        • /usr/bin/as
          as -EL -mips32r2 -O1 -no-mdebug "-mabi=32" "-march=mips32r2" -mfpxx -KPIC -o /tmp/ccD1klR2.o /tmp/ccKhe62S.s
          3⤵
          • Writes file to tmp directory
          PID:343
      • /usr/bin/cc
        cc -o pwnkernel pwnkernel.c
        2⤵
        • Writes file to tmp directory
        PID:344
        • /usr/lib/gcc/mipsel-linux-gnu/6/cc1
          /usr/lib/gcc/mipsel-linux-gnu/6/cc1 -quiet -imultiarch mipsel-linux-gnu pwnkernel.c -mel -quiet -dumpbase pwnkernel.c "-march=mips32r2" -mfpxx -mllsc -mno-lxc1-sxc1 -mno-madd4 -mips32r2 "-mabi=32" -auxbase pwnkernel -o /tmp/ccTqHYnN.s
          3⤵
          • Writes file to tmp directory
          PID:345
        • /usr/bin/as
          as -EL -mips32r2 -O1 -no-mdebug "-mabi=32" "-march=mips32r2" -mfpxx -KPIC -o /tmp/ccZgj1wF.o /tmp/ccTqHYnN.s
          3⤵
          • Writes file to tmp directory
          PID:346
        • /usr/lib/gcc/mipsel-linux-gnu/6/collect2
          /usr/lib/gcc/mipsel-linux-gnu/6/collect2 -plugin /usr/lib/gcc/mipsel-linux-gnu/6/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/mipsel-linux-gnu/6/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccqHME8F.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "--sysroot=/" --build-id --eh-frame-hdr -EL -mips32r2 -dynamic-linker /lib/ld.so.1 -melf32ltsmip -pie -o pwnkernel /usr/lib/gcc/mipsel-linux-gnu/6/../../../mipsel-linux-gnu/Scrt1.o /usr/lib/gcc/mipsel-linux-gnu/6/../../../mipsel-linux-gnu/crti.o /usr/lib/gcc/mipsel-linux-gnu/6/crtbeginS.o -L/usr/lib/gcc/mipsel-linux-gnu/6 -L/usr/lib/gcc/mipsel-linux-gnu/6/../../../mipsel-linux-gnu -L/usr/lib/gcc/mipsel-linux-gnu/6/../../../../lib -L/lib/mipsel-linux-gnu -L/lib/../lib -L/usr/lib/mipsel-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/mipsel-linux-gnu/6/../../.. /tmp/ccZgj1wF.o -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s --no-as-needed /usr/lib/gcc/mipsel-linux-gnu/6/crtendS.o /usr/lib/gcc/mipsel-linux-gnu/6/../../../mipsel-linux-gnu/crtn.o
          3⤵
          • Writes file to tmp directory
          PID:347
          • /usr/bin/ld
            /usr/bin/ld -plugin /usr/lib/gcc/mipsel-linux-gnu/6/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/mipsel-linux-gnu/6/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccqHME8F.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "--sysroot=/" --build-id --eh-frame-hdr -EL -mips32r2 -dynamic-linker /lib/ld.so.1 -melf32ltsmip -pie -o pwnkernel /usr/lib/gcc/mipsel-linux-gnu/6/../../../mipsel-linux-gnu/Scrt1.o /usr/lib/gcc/mipsel-linux-gnu/6/../../../mipsel-linux-gnu/crti.o /usr/lib/gcc/mipsel-linux-gnu/6/crtbeginS.o -L/usr/lib/gcc/mipsel-linux-gnu/6 -L/usr/lib/gcc/mipsel-linux-gnu/6/../../../mipsel-linux-gnu -L/usr/lib/gcc/mipsel-linux-gnu/6/../../../../lib -L/lib/mipsel-linux-gnu -L/lib/../lib -L/usr/lib/mipsel-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/mipsel-linux-gnu/6/../../.. /tmp/ccZgj1wF.o -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s --no-as-needed /usr/lib/gcc/mipsel-linux-gnu/6/crtendS.o /usr/lib/gcc/mipsel-linux-gnu/6/../../../mipsel-linux-gnu/crtn.o
            4⤵
            • Writes file to tmp directory
            PID:348
      • ./pwnkernel
        ./pwnkernel
        2⤵
          PID:349
        • /bin/mv
          mv -f pwnkernel2.c pwnkernel.c
          2⤵
          • Reads runtime system information
          PID:350
      • /bin/sed
        sed "s/\\//\\\\\\//g"
        1⤵
        • Reads runtime system information
        PID:331
      • /usr/local/sbin/as
        as -EL -mips32r2 -O1 -no-mdebug "-mabi=32" "-march=mips32r2" -mfpxx -KPIC -o /tmp/ccD1klR2.o /tmp/ccKhe62S.s
        1⤵
          PID:343
        • /usr/local/bin/as
          as -EL -mips32r2 -O1 -no-mdebug "-mabi=32" "-march=mips32r2" -mfpxx -KPIC -o /tmp/ccD1klR2.o /tmp/ccKhe62S.s
          1⤵
            PID:343
          • /usr/sbin/as
            as -EL -mips32r2 -O1 -no-mdebug "-mabi=32" "-march=mips32r2" -mfpxx -KPIC -o /tmp/ccD1klR2.o /tmp/ccKhe62S.s
            1⤵
              PID:343
            • /usr/local/sbin/as
              as -EL -mips32r2 -O1 -no-mdebug "-mabi=32" "-march=mips32r2" -mfpxx -KPIC -o /tmp/ccZgj1wF.o /tmp/ccTqHYnN.s
              1⤵
                PID:346
              • /usr/local/bin/as
                as -EL -mips32r2 -O1 -no-mdebug "-mabi=32" "-march=mips32r2" -mfpxx -KPIC -o /tmp/ccZgj1wF.o /tmp/ccTqHYnN.s
                1⤵
                  PID:346
                • /usr/sbin/as
                  as -EL -mips32r2 -O1 -no-mdebug "-mabi=32" "-march=mips32r2" -mfpxx -KPIC -o /tmp/ccZgj1wF.o /tmp/ccTqHYnN.s
                  1⤵
                    PID:346

                  Network

                  MITRE ATT&CK Matrix
