Malware Analysis Report

2024-12-01 00:52

Sample ID 220121-28w1gscee4
Target b913222cb8f75d2198dc3837ae46006c3e82ac739a97676c07575774ae279ffb
SHA256 b913222cb8f75d2198dc3837ae46006c3e82ac739a97676c07575774ae279ffb
Tags
kaiten persistence
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis Overview

score
10/10

SHA256

b913222cb8f75d2198dc3837ae46006c3e82ac739a97676c07575774ae279ffb

Threat Level: Known bad

The file b913222cb8f75d2198dc3837ae46006c3e82ac739a97676c07575774ae279ffb was found to be: Known bad.

Malicious Activity Summary

kaiten persistence

Kaiten family

Identified Kaiten Bot

Modifies rc script

Reads CPU attributes

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported  2022-01-21 23:15

Signatures

Identified Kaiten Bot
  (static match; no indicator, process or target recorded)

Kaiten family
  kaiten

Analysis: behavioral1

Detonation Overview

Submitted         2022-01-21 23:15
Reported          2022-01-22 00:08
Platform          debian9-armhf-en-20211208
Max time kernel   0s
Max time network  158s

Command Line

[./b913222cb8f75d2198dc3837ae46006c3e82ac739a97676c07575774ae279ffb]

Signatures

Modifies rc script (persistence)

Indicator            Process  Target
/etc/rc.d/rc.local   N/A      N/A

The bot gains persistence by modifying the rc.local init script so that it is
relaunched at boot. The report does not record which process performed the
write or what was written. Note the path: /etc/rc.d/rc.local is the Red Hat
and Slackware location, and Debian 9 (the detonation platform) does not ship an
/etc/rc.d directory at all, so on such a host the mere existence of this file
is an indicator. When triaging a real device, check /etc/rc.local as well,
since the sandbox signature only names the rc.d path.
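A responder's check for this signature, as an added example (code written for this write-up, not produced by the sandbox and not the bot's own code): it audits both rc.local paths for anything that is not a shebang, a comment or a bare `exit 0`, which is all a stock Debian rc.local contains. The sample file below is constructed and its appended command is a placeholder, because the report does not show what the sample actually wrote.

```python
"""Audit rc.local-style init scripts for non-default entries.

Added example for this report, not part of the sandbox output.  A stock
Debian /etc/rc.local holds only a shebang, comments and `exit 0`, so any
other line is worth a look.  Debian does not ship /etc/rc.d/rc.local at
all, so on a Debian host its mere presence is already a finding.
"""
import os
import re

RC_PATHS = ("/etc/rc.local", "/etc/rc.d/rc.local")

# Constructed sample: a stock Debian rc.local with one appended command.
# The command is a placeholder; the report only says the file was modified.
SAMPLE_RC_LOCAL = """#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
/tmp/bot_placeholder >/dev/null 2>&1 &
exit 0
"""

# Constructed clean file for comparison.
CLEAN_RC_LOCAL = "#!/bin/sh -e\n# nothing here\nexit 0\n"


def suspicious_rc_lines(text):
    """Return (line_number, line) for every line that is neither blank,
    a comment/shebang, nor a bare `exit 0`."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.fullmatch(r"exit\s+0", line):
            continue
        findings.append((n, line))
    return findings


def audit_rc_files(paths=RC_PATHS, exists=os.path.exists, read=None):
    """Check each candidate rc.local path.

    Returns {path: status} where status is the string "absent" or the list
    of suspicious lines (an empty list means present but clean).  `exists`
    and `read` are injectable so the logic can be run against a fake
    filesystem instead of the real one.
    """
    if read is None:
        def read(p):
            with open(p, encoding="utf-8", errors="replace") as fh:
                return fh.read()
    report = {}
    for p in paths:
        if not exists(p):
            report[p] = "absent"
            continue
        report[p] = suspicious_rc_lines(read(p))
    return report


if __name__ == "__main__":
    # On a real host this reads the actual files; anything other than
    # "absent" or [] deserves attention, and on Debian a present
    # /etc/rc.d/rc.local is notable even if it looks clean.
    for path, status in audit_rc_files().items():
        print(path, status)
```

The `exists`/`read` hooks exist only so the check can be exercised offline; run without arguments it inspects the live system.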

Reads CPU attributes

Indicator                        Process         Events
/sys/devices/system/cpu/online   /usr/bin/pkill  30

All 30 reads are made by /usr/bin/pkill, one per pkill invocation in the
process list below, and are a start-up side effect of the tool (it counts the
online CPUs). They are not reconnaissance by the bot itself. In the original
listing the Description column repeated the Indicator and Target was N/A for
every row; the 30 identical rows are collapsed into the count above.

Reads runtime system information

Indicator                    Process         Events
/proc/<pid>/status           /usr/bin/pkill  32
/proc/<pid>/cmdline          /usr/bin/pkill  29
/proc/sys/kernel/osrelease   /usr/bin/pkill  1
/proc/filesystems            /usr/bin/pkill  2

pids whose status was read:  2, 5, 9, 10, 11, 15, 18, 19, 20, 21, 25, 28, 74,
                             131, 164, 225, 228, 230, 285, 301, 307, 348, 353,
                             414, 415, 434
pids whose cmdline was read: 1, 3, 4, 6, 7, 8, 11, 13, 14, 17, 19, 41, 43, 95,
                             132, 144, 154, 225, 228, 230, 276, 301, 375, 400

Again every read is by pkill, which walks /proc to compare each process's
name against its pattern; the same pid appearing more than once is the same
process being seen by successive pkill runs. The original listing had 64 rows
with exact duplicates, Description equal to Indicator and Target N/A
throughout; they are collapsed into the counts above.

Processes

The sample launches 30 one-line shell wrappers in turn, each of the form
`sh -c "pkill -9 <pattern> || busybox pkill -9 <pattern>"`: pkill is tried
first and busybox's pkill runs only if pkill exits non-zero, which for pkill
means "no process matched". The patterns are architecture names (arm, mips64,
x86_64, ...) and bot or dropper names (mirai.*, dlr.*mips, jackmy*, hackmy*,
b1 to b8), the usual file names of competing Mirai-style bots, so the sample is
clearing rivals off the device. pkill matches each pattern as an unanchored
regex against process names, so `pkill -9 arm`, for instance, also kills any
unrelated process whose name contains "arm".

Processes grouped by the wrapper that launched them (path, then command line
in brackets):

./b913222cb8f75d2198dc3837ae46006c3e82ac739a97676c07575774ae279ffb
  [./b913222cb8f75d2198dc3837ae46006c3e82ac739a97676c07575774ae279ffb]

/bin/sh           [sh -c pkill -9 mirai.* || busybox pkill -9 mirai.*]
  /usr/bin/pkill  [pkill -9 mirai.*]
  /bin/busybox    [busybox pkill -9 mirai.*]

/bin/sh           [sh -c pkill -9 dlr.*mips || busybox pkill -9 dlr.*mips]
  /usr/bin/pkill  [pkill -9 dlr.*mips]
  /bin/busybox    [busybox pkill -9 dlr.*mips]

/bin/sh           [sh -c pkill -9 mips64 || busybox pkill -9 mips64]
  /usr/bin/pkill  [pkill -9 mips64]
  /bin/busybox    [busybox pkill -9 mips64]

/bin/sh           [sh -c pkill -9 mipsel || busybox pkill -9 mipsel]
  /usr/bin/pkill  [pkill -9 mipsel]
  /bin/busybox    [busybox pkill -9 mipsel]

/bin/sh           [sh -c pkill -9 sh2eb || busybox pkill -9 sh2eb]
  /usr/bin/pkill  [pkill -9 sh2eb]
  /bin/busybox    [busybox pkill -9 sh2eb]

/bin/sh           [sh -c pkill -9 sh2elf || busybox pkill -9 sh2elf]
  /usr/bin/pkill  [pkill -9 sh2elf]
  /bin/busybox    [busybox pkill -9 sh2elf]

/bin/sh           [sh -c pkill -9 sh4 || busybox pkill -9 sh4]
  /usr/bin/pkill  [pkill -9 sh4]
  /bin/busybox    [busybox pkill -9 sh4]

/bin/sh           [sh -c pkill -9 x86 || busybox pkill -9 x86]
  /usr/bin/pkill  [pkill -9 x86]
  /bin/busybox    [busybox pkill -9 x86]

/bin/sh           [sh -c pkill -9 arm || busybox pkill -9 arm]
  /usr/bin/pkill  [pkill -9 arm]
  /bin/busybox    [busybox pkill -9 arm]

/bin/sh           [sh -c pkill -9 armv5 || busybox pkill -9 armv5]
  /usr/bin/pkill  [pkill -9 armv5]
  /bin/busybox    [busybox pkill -9 armv5]

/bin/sh           [sh -c pkill -9 armv4tl || busybox pkill -9 armv4tl]
  /usr/bin/pkill  [pkill -9 armv4tl]
  /bin/busybox    [busybox pkill -9 armv4tl]

/bin/sh           [sh -c pkill -9 armv4 || busybox pkill -9 armv4]
  /usr/bin/pkill  [pkill -9 armv4]
  /bin/busybox    [busybox pkill -9 armv4]

/bin/sh           [sh -c pkill -9 armv6 || busybox pkill -9 armv6]
  /usr/bin/pkill  [pkill -9 armv6]
  /bin/busybox    [busybox pkill -9 armv6]

/bin/sh           [sh -c pkill -9 i686 || busybox pkill -9 i686]
  /usr/bin/pkill  [pkill -9 i686]
  /bin/busybox    [busybox pkill -9 i686]

/bin/sh           [sh -c pkill -9 powerpc || busybox pkill -9 powerpc]
  /usr/bin/pkill  [pkill -9 powerpc]
  /bin/busybox    [busybox pkill -9 powerpc]

/bin/sh           [sh -c pkill -9 powerpc440fp || busybox pkill -9 powerpc440fp]
  /usr/bin/pkill  [pkill -9 powerpc440fp]
  /bin/busybox    [busybox pkill -9 powerpc440fp]

/bin/sh           [sh -c pkill -9 i586 || busybox pkill -9 i586]
  /usr/bin/pkill  [pkill -9 i586]
  /bin/busybox    [busybox pkill -9 i586]

/bin/sh           [sh -c pkill -9 m68k || busybox pkill -9 m68k]
  /usr/bin/pkill  [pkill -9 m68k]
  /bin/busybox    [busybox pkill -9 m68k]

/bin/sh           [sh -c pkill -9 sparc || busybox pkill -9 sparc]
  /usr/bin/pkill  [pkill -9 sparc]
  /bin/busybox    [busybox pkill -9 sparc]

/bin/sh           [sh -c pkill -9 x86_64 || busybox pkill -9 x86_64]
  /usr/bin/pkill  [pkill -9 x86_64]
  /bin/busybox    [busybox pkill -9 x86_64]

/bin/sh           [sh -c pkill -9 jackmy* || busybox pkill -9 jackmy*]
  /usr/bin/pkill  [pkill -9 jackmy*]
  /bin/busybox    [busybox pkill -9 jackmy*]

/bin/sh           [sh -c pkill -9 hackmy* || busybox pkill -9 hackmy*]
  /usr/bin/pkill  [pkill -9 hackmy*]
  /bin/busybox    [busybox pkill -9 hackmy*]

/bin/sh           [sh -c pkill -9 b1 || busybox pkill -9 b1]
  /usr/bin/pkill  [pkill -9 b1]
  /bin/busybox    [busybox pkill -9 b1]

/bin/sh           [sh -c pkill -9 b2 || busybox pkill -9 b2]
  /usr/bin/pkill  [pkill -9 b2]
  /bin/busybox    [busybox pkill -9 b2]

/bin/sh           [sh -c pkill -9 b3 || busybox pkill -9 b3]
  /usr/bin/pkill  [pkill -9 b3]
  /bin/busybox    [busybox pkill -9 b3]

/bin/sh           [sh -c pkill -9 b4 || busybox pkill -9 b4]
  /usr/bin/pkill  [pkill -9 b4]
  /bin/busybox    [busybox pkill -9 b4]

/bin/sh           [sh -c pkill -9 b5 || busybox pkill -9 b5]
  /usr/bin/pkill  [pkill -9 b5]
  /bin/busybox    [busybox pkill -9 b5]

/bin/sh           [sh -c pkill -9 b6 || busybox pkill -9 b6]
  /usr/bin/pkill  [pkill -9 b6]
  /bin/busybox    [busybox pkill -9 b6]

/bin/sh           [sh -c pkill -9 b7 || busybox pkill -9 b7]
  /usr/bin/pkill  [pkill -9 b7]
  /bin/busybox    [busybox pkill -9 b7]

/bin/sh           [sh -c pkill -9 b8 || busybox pkill -9 b8]
  /usr/bin/pkill  [pkill -9 b8]

The b8 wrapper is the only one without a busybox fallback, so `pkill -9 b8`
exited 0: it matched a process. The sample's own process name (the executable
basename truncated to 15 characters, b913222cb8f75d2) contains "b8", and no
other pattern in the list matches it. The most plausible reading is that the
bot killed itself at this step, which would also explain why the process list
ends here. The report does not state this explicitly, so treat it as an
inference, and one that would not hold if the bot had renamed its own process,
of which there is no sign in this run.
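To make the kill list and the self-kill observation reproducible, here is an added example (written for this write-up; it is neither sandbox output nor the bot's code). It rebuilds the 30 wrapper command lines exactly as recorded above, extracts the pkill patterns, and emulates pkill's matching rule: an unanchored regex tested against each process's comm name, which the kernel sets to the executable basename truncated to 15 characters. Python's `re` agrees with POSIX ERE for patterns this simple. The sample path is from the report; the other process names are constructed, and the benign `sh -c ls` line is constructed to show that the extractor ignores unrelated shell wrappers.

```python
"""Recover the competitor-kill list from the process tree and emulate
pkill's name matching against it.

Added example for this report, not part of the sandbox output.
"""
import re

# Path exactly as the sandbox launched the sample (from the Command Line
# section of the report).
SAMPLE_PATH = "./b913222cb8f75d2198dc3837ae46006c3e82ac739a97676c07575774ae279ffb"

# The 30 patterns in the order they appear in the Processes section.
OBSERVED_PATTERNS = [
    "mirai.*", "dlr.*mips", "mips64", "mipsel", "sh2eb", "sh2elf", "sh4",
    "x86", "arm", "armv5", "armv4tl", "armv4", "armv6", "i686", "powerpc",
    "powerpc440fp", "i586", "m68k", "sparc", "x86_64", "jackmy*", "hackmy*",
    "b1", "b2", "b3", "b4", "b5", "b6", "b7", "b8",
]

# Wrapper command lines rebuilt in the form the sandbox recorded them, plus
# one constructed benign `sh -c` line that the extractor must not pick up.
OBSERVED_CMDLINES = [
    f"sh -c pkill -9 {p} || busybox pkill -9 {p}" for p in OBSERVED_PATTERNS
] + ["sh -c ls -la /tmp"]

# The idiom used by every kill wrapper: the same pattern for pkill and for
# the busybox fallback, separated by `||`.
KILL_IDIOM = re.compile(
    r"^sh -c pkill -9 (?P<pat>\S+) \|\| busybox pkill -9 (?P=pat)$"
)


def extract_kill_targets(cmdlines):
    """Patterns from lines that use the pkill / busybox-pkill idiom, in order.
    Lines of any other shape are ignored."""
    out = []
    for line in cmdlines:
        m = KILL_IDIOM.match(line)
        if m:
            out.append(m.group("pat"))
    return out


def comm_name(exe_path):
    """What /proc/<pid>/comm holds for a process started from exe_path:
    the basename cut to TASK_COMM_LEN - 1 = 15 bytes.  pkill without -f
    matches against this field, not the full command line."""
    return exe_path.rsplit("/", 1)[-1][:15]


def matching_patterns(patterns, comm):
    """Patterns that `pkill <pat>` would match for a process with this comm
    name (unanchored regex search, like procps pkill without -x)."""
    return [p for p in patterns if re.search(p, comm)]


def kill_matrix(patterns, comms):
    """For each comm name, the patterns that hit it (empty list = survives)."""
    return {c: matching_patterns(patterns, c) for c in comms}


if __name__ == "__main__":
    targets = extract_kill_targets(OBSERVED_CMDLINES)
    # Constructed process names: the sample itself, two Mirai-style names of
    # the kind the list is aimed at, and two unrelated daemons.
    comms = [comm_name(SAMPLE_PATH), "mirai.arm7", "dlr.mips", "sshd", "alarmd"]
    for comm, hits in kill_matrix(targets, comms).items():
        verdict = "killed by " + ", ".join(hits) if hits else "survives"
        print(f"{comm:16} {verdict}")
```

Two things the output makes concrete: only the `b8` pattern hits the sample's own comm name, which is what the missing busybox fallback for b8 in the list above suggests, and a broad pattern such as `arm` takes out any process whose name merely contains those letters (the constructed `alarmd`), so a bot of this kind also does collateral damage to the host it has infected.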

Network

All observed connections go directly to IP addresses on TCP port 6667, the
default IRC port; no DNS resolution was recorded, which is why the Domain
column is empty. That fits the Kaiten classification above, since Kaiten bots
are controlled from an IRC channel. The three endpoints are the sample's
candidate C2 servers as of the 2022-01-21 detonation and should be treated as
historical indicators. Repeated connections to the same endpoint are collapsed
into the count below.

Country  Destination          Domain  Proto  Connections
CN       106.52.68.18:6667    -       tcp    3
CN       212.64.67.230:6667   -       tcp    1
HK       154.92.16.67:6667    -       tcp    2

Files

N/A: no dropped or written files were recorded for this run. The "Modifies rc
script" signature above nonetheless fired on /etc/rc.d/rc.local, so an empty
Files section should not be read as "no filesystem changes".