Analysis Overview
SHA256
b39c5d868deb2e37254830f475b644223123049e2ca08db1db3ff229943b901a
Threat Level: Known bad
The file b39c5d868deb2e37254830f475b644223123049e2ca08db1db3ff229943b901a was found to be: Known bad.
Malicious Activity Summary
Identified Kaiten Bot
Kaiten family
Modifies rc script
Reads CPU attributes
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-21 23:17
Signatures
Identified Kaiten Bot
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Kaiten family
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-21 23:17
Reported
2022-01-22 00:13
Platform
debian9-mipsbe-en-20211208
Max time kernel
0s
Max time network
153s
Command Line
Signatures
Modifies rc script
| Description | Indicator | Process | Target |
| /etc/rc.d/rc.local | /etc/rc.d/rc.local | N/A | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
| /sys/devices/system/cpu/online | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| /proc/4/status | /proc/4/status | /usr/bin/pkill | N/A |
| /proc/216/cmdline | /proc/216/cmdline | /usr/bin/pkill | N/A |
| /proc/337/status | /proc/337/status | /usr/bin/pkill | N/A |
| /proc/227/status | /proc/227/status | /usr/bin/pkill | N/A |
| /proc/75/cmdline | /proc/75/cmdline | /usr/bin/pkill | N/A |
| /proc/10/status | /proc/10/status | /usr/bin/pkill | N/A |
| /proc/234/cmdline | /proc/234/cmdline | /usr/bin/pkill | N/A |
| /proc/302/status | /proc/302/status | /usr/bin/pkill | N/A |
| /proc/77/cmdline | /proc/77/cmdline | /usr/bin/pkill | N/A |
| /proc/139/cmdline | /proc/139/cmdline | /usr/bin/pkill | N/A |
| /proc/13/status | /proc/13/status | /usr/bin/pkill | N/A |
| /proc/filesystems | /proc/filesystems | /usr/bin/pkill | N/A |
| /proc/2/cmdline | /proc/2/cmdline | /usr/bin/pkill | N/A |
| /proc/18/status | /proc/18/status | /usr/bin/pkill | N/A |
| /proc/332/status | /proc/332/status | /usr/bin/pkill | N/A |
| /proc/13/cmdline | /proc/13/cmdline | /usr/bin/pkill | N/A |
| /proc/8/status | /proc/8/status | /usr/bin/pkill | N/A |
| /proc/17/status | /proc/17/status | /usr/bin/pkill | N/A |
| /proc/332/cmdline | /proc/332/cmdline | /usr/bin/pkill | N/A |
| /proc/139/status | /proc/139/status | /usr/bin/pkill | N/A |
| /proc/82/cmdline | /proc/82/cmdline | /usr/bin/pkill | N/A |
| /proc/78/cmdline | /proc/78/cmdline | /usr/bin/pkill | N/A |
| /proc/74/status | /proc/74/status | /usr/bin/pkill | N/A |
| /proc/337/cmdline | /proc/337/cmdline | /usr/bin/pkill | N/A |
| /proc/342/cmdline | /proc/342/cmdline | /usr/bin/pkill | N/A |
| /proc/12/status | /proc/12/status | /usr/bin/pkill | N/A |
| /proc/294/cmdline | /proc/294/cmdline | /usr/bin/pkill | N/A |
| /proc/16/status | /proc/16/status | /usr/bin/pkill | N/A |
| /proc/114/status | /proc/114/status | /usr/bin/pkill | N/A |
| /proc/254/status | /proc/254/status | /usr/bin/pkill | N/A |
| /proc/289/cmdline | /proc/289/cmdline | /usr/bin/pkill | N/A |
| /proc/286/status | /proc/286/status | /usr/bin/pkill | N/A |
| /proc/77/status | /proc/77/status | /usr/bin/pkill | N/A |
| /proc/409/cmdline | /proc/409/cmdline | /usr/bin/pkill | N/A |
| /proc/71/status | /proc/71/status | /usr/bin/pkill | N/A |
| /proc/20/cmdline | /proc/20/cmdline | /usr/bin/pkill | N/A |
| /proc/73/status | /proc/73/status | /usr/bin/pkill | N/A |
| /proc/11/status | /proc/11/status | /usr/bin/pkill | N/A |
| /proc/19/status | /proc/19/status | /usr/bin/pkill | N/A |
| /proc/18/cmdline | /proc/18/cmdline | /usr/bin/pkill | N/A |
| /proc/17/cmdline | /proc/17/cmdline | /usr/bin/pkill | N/A |
| /proc/370/cmdline | /proc/370/cmdline | /usr/bin/pkill | N/A |
| /proc/333/status | /proc/333/status | /usr/bin/pkill | N/A |
| /proc/384/cmdline | /proc/384/cmdline | /usr/bin/pkill | N/A |
| /proc/334/cmdline | /proc/334/cmdline | /usr/bin/pkill | N/A |
| /proc/399/status | /proc/399/status | /usr/bin/pkill | N/A |
| /proc/105/status | /proc/105/status | /usr/bin/pkill | N/A |
Processes
./b39c5d868deb2e37254830f475b644223123049e2ca08db1db3ff229943b901a
[./b39c5d868deb2e37254830f475b644223123049e2ca08db1db3ff229943b901a]
/bin/sh
[sh -c pkill -9 mirai.* || busybox pkill -9 mirai.*]
/usr/bin/pkill
[pkill -9 mirai.*]
/bin/busybox
[busybox pkill -9 mirai.*]
/bin/sh
[sh -c pkill -9 dlr.*mips || busybox pkill -9 dlr.*mips]
/usr/bin/pkill
[pkill -9 dlr.*mips]
/bin/busybox
[busybox pkill -9 dlr.*mips]
/bin/sh
[sh -c pkill -9 mips64 || busybox pkill -9 mips64]
/usr/bin/pkill
[pkill -9 mips64]
/bin/busybox
[busybox pkill -9 mips64]
/bin/sh
[sh -c pkill -9 mipsel || busybox pkill -9 mipsel]
/usr/bin/pkill
[pkill -9 mipsel]
/bin/busybox
[busybox pkill -9 mipsel]
/bin/sh
[sh -c pkill -9 sh2eb || busybox pkill -9 sh2eb]
/usr/bin/pkill
[pkill -9 sh2eb]
/bin/busybox
[busybox pkill -9 sh2eb]
/bin/sh
[sh -c pkill -9 sh2elf || busybox pkill -9 sh2elf]
/usr/bin/pkill
[pkill -9 sh2elf]
/bin/busybox
[busybox pkill -9 sh2elf]
/bin/sh
[sh -c pkill -9 sh4 || busybox pkill -9 sh4]
/usr/bin/pkill
[pkill -9 sh4]
/bin/busybox
[busybox pkill -9 sh4]
/bin/sh
[sh -c pkill -9 x86 || busybox pkill -9 x86]
/usr/bin/pkill
[pkill -9 x86]
/bin/busybox
[busybox pkill -9 x86]
/bin/sh
[sh -c pkill -9 arm || busybox pkill -9 arm]
/usr/bin/pkill
[pkill -9 arm]
/bin/busybox
[busybox pkill -9 arm]
/bin/sh
[sh -c pkill -9 armv5 || busybox pkill -9 armv5]
/usr/bin/pkill
[pkill -9 armv5]
/bin/busybox
[busybox pkill -9 armv5]
/bin/sh
[sh -c pkill -9 armv4tl || busybox pkill -9 armv4tl]
/usr/bin/pkill
[pkill -9 armv4tl]
/bin/busybox
[busybox pkill -9 armv4tl]
/bin/sh
[sh -c pkill -9 armv4 || busybox pkill -9 armv4]
/usr/bin/pkill
[pkill -9 armv4]
/bin/busybox
[busybox pkill -9 armv4]
/bin/sh
[sh -c pkill -9 armv6 || busybox pkill -9 armv6]
/usr/bin/pkill
[pkill -9 armv6]
/bin/busybox
[busybox pkill -9 armv6]
/bin/sh
[sh -c pkill -9 i686 || busybox pkill -9 i686]
/usr/bin/pkill
[pkill -9 i686]
/bin/busybox
[busybox pkill -9 i686]
/bin/sh
[sh -c pkill -9 powerpc || busybox pkill -9 powerpc]
/usr/bin/pkill
[pkill -9 powerpc]
/bin/busybox
[busybox pkill -9 powerpc]
/bin/sh
[sh -c pkill -9 powerpc440fp || busybox pkill -9 powerpc440fp]
/usr/bin/pkill
[pkill -9 powerpc440fp]
/bin/busybox
[busybox pkill -9 powerpc440fp]
/bin/sh
[sh -c pkill -9 i586 || busybox pkill -9 i586]
/usr/bin/pkill
[pkill -9 i586]
/bin/busybox
[busybox pkill -9 i586]
/bin/sh
[sh -c pkill -9 m68k || busybox pkill -9 m68k]
/usr/bin/pkill
[pkill -9 m68k]
/bin/busybox
[busybox pkill -9 m68k]
/bin/sh
[sh -c pkill -9 sparc || busybox pkill -9 sparc]
/usr/bin/pkill
[pkill -9 sparc]
/bin/busybox
[busybox pkill -9 sparc]
/bin/sh
[sh -c pkill -9 x86_64 || busybox pkill -9 x86_64]
/usr/bin/pkill
[pkill -9 x86_64]
/bin/busybox
[busybox pkill -9 x86_64]
/bin/sh
[sh -c pkill -9 jackmy* || busybox pkill -9 jackmy*]
/usr/bin/pkill
[pkill -9 jackmy*]
/bin/busybox
[busybox pkill -9 jackmy*]
/bin/sh
[sh -c pkill -9 hackmy* || busybox pkill -9 hackmy*]
/usr/bin/pkill
[pkill -9 hackmy*]
/bin/busybox
[busybox pkill -9 hackmy*]
/bin/sh
[sh -c pkill -9 b1 || busybox pkill -9 b1]
/usr/bin/pkill
[pkill -9 b1]
/bin/busybox
[busybox pkill -9 b1]
/bin/sh
[sh -c pkill -9 b2 || busybox pkill -9 b2]
/usr/bin/pkill
[pkill -9 b2]
Network
| Country | Destination | Domain | Proto |
| CN | 106.53.200.20:6667 | | tcp |
| CN | 212.64.67.230:6667 | | tcp |
| CN | 106.52.68.18:6667 | | tcp |
| HK | 154.92.16.67:6667 | | tcp |
| KR | 121.163.241.77:23 | | tcp |