Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.pJ1K70qGTX /tmp/tmp.vhUMLtHevr /tmp/tmp.ctklcOzlGq

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.pJ1K70qGTX /tmp/tmp.vhUMLtHevr /tmp/tmp.ctklcOzlGq

/tmp/boatnet.sh4.elf

URLs

Name

Malicious

http://5.181.159.16/wget.sh;

unknown

Details

Name:	http://5.181.159.16/wget.sh;
TargetID:	16
From Memory:	true
Current Path:	/tmp/boatnet.sh4.elf
Source:	boatnet.sh4.elf

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http://5.181.159.16/idk/home.arm7;chmod

unknown

http://5.181.159.16/w.sh;

unknown

Details

Name:	http://5.181.159.16/w.sh;
TargetID:	16
From Memory:	true
Current Path:	/tmp/boatnet.sh4.elf
Source:	boatnet.sh4.elf

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http://5.181.159.16/c.sh;

unknown

Details

Name:	http://5.181.159.16/c.sh;
TargetID:	16
From Memory:	true
Current Path:	/tmp/boatnet.sh4.elf
Source:	boatnet.sh4.elf

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http://schemas.xmlsoap.org/soap/encoding/

unknown

Details

Name:	http://schemas.xmlsoap.org/soap/encoding/
TargetID:	16
From Memory:	true
Current Path:	/tmp/boatnet.sh4.elf
Source:	boatnet.sh4.elf
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http://5.181.159.16/idk/home.mips

unknown

http://5.181.159.16/idk/home.mips;

unknown

http://5.181.159.16/idk/home.x86

unknown

http://schemas.xmlsoap.org/soap/envelope/

unknown

Details

Name:	http://schemas.xmlsoap.org/soap/envelope/
TargetID:	16
From Memory:	true
Current Path:	/tmp/boatnet.sh4.elf
Source:	boatnet.sh4.elf
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.24

Details

Name:	daisy.ubuntu.com
IP:	162.213.35.24
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

Memdumps

Base Address

Regiontype

Protect

Malicious

7f69e0417000

page execute read

7f6a68179000

page read and write

55a35992e000

page read and write

7f6a6791e000

page read and write

7f69e0428000

page read and write

7f6a67681000

page read and write

55a35b94b000

page read and write

55a359936000

page read and write

7f6a60021000

page read and write

7f6a60000000

page read and write

7ffeca4c6000

page execute read

7f6a67ce0000

page read and write

55a359718000

page execute read

55a35b934000

page execute and read and write

7f6a6768f000

page read and write

7ffeca41b000

page read and write

55a35cc19000

page read and write

7f6a68181000

page read and write

7f6a68050000

page read and write

7f6a66e7e000

page read and write

7f6a67d05000

page read and write

7f6a681c6000

page read and write

7f69e0429000

page read and write

There are 13 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
boatnet.sh4.elf

Processes

URLs

Domains

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportboatnet.sh4.elf

Processes

URLs

Domains

Memdumps

IOC Report
boatnet.sh4.elf