General

  • Target

    ohshit.sh

  • Size

    2KB

  • Sample

    241125-1fwnkstrel

  • MD5

    81eee2b1d28af46c8e9190b0c20fce28

  • SHA1

    8025e6d6f83b129d6c7a11a684d5d6f54d160333

  • SHA256

    b86582605641a45410c0811cec9d1d19deb98bb5c4f5cd27caa06949e2ec7e30

  • SHA512

    359baa5371f4f8cbd4c3caf9cb1b02624b22d8cadd63722c2a9db673e73df55f6f75988e988911ee731e3b30b5a1c22207cd9a8aebb933c38bab17f9a1f8df45

Malware Config

Targets

    • Target

      ohshit.sh

    • Size

      2KB

    • MD5

      81eee2b1d28af46c8e9190b0c20fce28

    • SHA1

      8025e6d6f83b129d6c7a11a684d5d6f54d160333

    • SHA256

      b86582605641a45410c0811cec9d1d19deb98bb5c4f5cd27caa06949e2ec7e30

    • SHA512

      359baa5371f4f8cbd4c3caf9cb1b02624b22d8cadd63722c2a9db673e73df55f6f75988e988911ee731e3b30b5a1c22207cd9a8aebb933c38bab17f9a1f8df45

    • Detected Echobot

    • Echobot

      An updated variant of Mirai which infects a wide range of IoT devices to form a botnet.

    • Echobot family

    • Mirai

      Mirai is a prevalent Linux malware infecting exposed network devices.

    • Mirai family

    • Contacts a large (131682) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • File and Directory Permissions Modification

      Adversaries may modify file or directory permissions to evade defenses.

    • Executes dropped EXE

    • Modifies Watchdog functionality

      Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    • Enumerates active TCP sockets

      Gets active TCP sockets from /proc virtual filesystem.

    • Enumerates running processes

      Discovers information about currently running processes on the system

MITRE ATT&CK Enterprise v15

Tasks