Malware Analysis Report

2024-12-01 00:46

Sample ID 220121-2tc9tscbdj
Target f4ff89b7994bda48548c58f6be117a547c3b38a91b62f4986c9377e6b37bef83
SHA256 f4ff89b7994bda48548c58f6be117a547c3b38a91b62f4986c9377e6b37bef83
Tags: kaiten, persistence
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

f4ff89b7994bda48548c58f6be117a547c3b38a91b62f4986c9377e6b37bef83

Threat Level: Known bad

The file f4ff89b7994bda48548c58f6be117a547c3b38a91b62f4986c9377e6b37bef83 was found to be: Known bad.

Malicious Activity Summary

kaiten persistence

Identified Kaiten Bot

Kaiten family

Modifies rc script

Reads CPU attributes

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-21 22:52

Signatures

Identified Kaiten Bot

Description Indicator Process Target
N/A N/A N/A N/A

Kaiten family

kaiten

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-21 22:52

Reported

2022-01-21 23:19

Platform

ubuntu1804-amd64-en-20211208

Max time kernel

0s

Max time network

96s

Command Line

[./f4ff89b7994bda48548c58f6be117a547c3b38a91b62f4986c9377e6b37bef83]

Signatures

Modifies rc script

persistence
Description Indicator Process Target
/etc/rc.d/rc.local /etc/rc.d/rc.local N/A N/A

Reads CPU attributes

Description Indicator Process Target
/sys/devices/system/cpu/online /sys/devices/system/cpu/online /usr/bin/pkill N/A

Reads runtime system information


Processes

./f4ff89b7994bda48548c58f6be117a547c3b38a91b62f4986c9377e6b37bef83

[./f4ff89b7994bda48548c58f6be117a547c3b38a91b62f4986c9377e6b37bef83]

/bin/sh

[sh -c pkill -9 mirai.* || busybox pkill -9 mirai.*]

/usr/bin/pkill

[pkill -9 mirai.*]

/bin/busybox

[busybox pkill -9 mirai.*]

/bin/sh

[sh -c pkill -9 dlr.*mips || busybox pkill -9 dlr.*mips]

/usr/bin/pkill

[pkill -9 dlr.*mips]

/bin/busybox

[busybox pkill -9 dlr.*mips]

/bin/sh

[sh -c pkill -9 mips64 || busybox pkill -9 mips64]

/usr/bin/pkill

[pkill -9 mips64]

/bin/busybox

[busybox pkill -9 mips64]

/bin/sh

[sh -c pkill -9 mipsel || busybox pkill -9 mipsel]

/usr/bin/pkill

[pkill -9 mipsel]

/bin/busybox

[busybox pkill -9 mipsel]

/bin/sh

[sh -c pkill -9 sh2eb || busybox pkill -9 sh2eb]

/usr/bin/pkill

[pkill -9 sh2eb]

/bin/busybox

[busybox pkill -9 sh2eb]

/bin/sh

[sh -c pkill -9 sh2elf || busybox pkill -9 sh2elf]

/usr/bin/pkill

[pkill -9 sh2elf]

/bin/busybox

[busybox pkill -9 sh2elf]

/bin/sh

[sh -c pkill -9 sh4 || busybox pkill -9 sh4]

/usr/bin/pkill

[pkill -9 sh4]

/bin/busybox

[busybox pkill -9 sh4]

/bin/sh

[sh -c pkill -9 x86 || busybox pkill -9 x86]

/usr/bin/pkill

[pkill -9 x86]

/bin/busybox

[busybox pkill -9 x86]

/bin/sh

[sh -c pkill -9 arm || busybox pkill -9 arm]

/usr/bin/pkill

[pkill -9 arm]

/bin/busybox

[busybox pkill -9 arm]

/bin/sh

[sh -c pkill -9 armv5 || busybox pkill -9 armv5]

/usr/bin/pkill

[pkill -9 armv5]

/bin/busybox

[busybox pkill -9 armv5]

/bin/sh

[sh -c pkill -9 armv4tl || busybox pkill -9 armv4tl]

/usr/bin/pkill

[pkill -9 armv4tl]

/bin/busybox

[busybox pkill -9 armv4tl]

/bin/sh

[sh -c pkill -9 armv4 || busybox pkill -9 armv4]

/usr/bin/pkill

[pkill -9 armv4]

/bin/busybox

[busybox pkill -9 armv4]

/bin/sh

[sh -c pkill -9 armv6 || busybox pkill -9 armv6]

/usr/bin/pkill

[pkill -9 armv6]

/bin/busybox

[busybox pkill -9 armv6]

/bin/sh

[sh -c pkill -9 i686 || busybox pkill -9 i686]

/usr/bin/pkill

[pkill -9 i686]

/bin/busybox

[busybox pkill -9 i686]

/bin/sh

[sh -c pkill -9 powerpc || busybox pkill -9 powerpc]

/usr/bin/pkill

[pkill -9 powerpc]

/bin/busybox

[busybox pkill -9 powerpc]

/bin/sh

[sh -c pkill -9 powerpc440fp || busybox pkill -9 powerpc440fp]

/usr/bin/pkill

[pkill -9 powerpc440fp]

/bin/busybox

[busybox pkill -9 powerpc440fp]

/bin/sh

[sh -c pkill -9 i586 || busybox pkill -9 i586]

/usr/bin/pkill

[pkill -9 i586]

/bin/busybox

[busybox pkill -9 i586]

/bin/sh

[sh -c pkill -9 m68k || busybox pkill -9 m68k]

/usr/bin/pkill

[pkill -9 m68k]

/bin/busybox

[busybox pkill -9 m68k]

/bin/sh

[sh -c pkill -9 sparc || busybox pkill -9 sparc]

/usr/bin/pkill

[pkill -9 sparc]

/bin/busybox

[busybox pkill -9 sparc]

/bin/sh

[sh -c pkill -9 x86_64 || busybox pkill -9 x86_64]

/usr/bin/pkill

[pkill -9 x86_64]

/bin/busybox

[busybox pkill -9 x86_64]

/bin/sh

[sh -c pkill -9 jackmy* || busybox pkill -9 jackmy*]

/usr/bin/pkill

[pkill -9 jackmy*]

/bin/busybox

[busybox pkill -9 jackmy*]

/bin/sh

[sh -c pkill -9 hackmy* || busybox pkill -9 hackmy*]

/usr/bin/pkill

[pkill -9 hackmy*]

/bin/busybox

[busybox pkill -9 hackmy*]

/bin/sh

[sh -c pkill -9 b1 || busybox pkill -9 b1]

/usr/bin/pkill

[pkill -9 b1]

/bin/busybox

[busybox pkill -9 b1]

/bin/sh

[sh -c pkill -9 b2 || busybox pkill -9 b2]

/usr/bin/pkill

[pkill -9 b2]

/bin/busybox

[busybox pkill -9 b2]

/bin/sh

[sh -c pkill -9 b3 || busybox pkill -9 b3]

/usr/bin/pkill

[pkill -9 b3]

/bin/busybox

[busybox pkill -9 b3]

/bin/sh

[sh -c pkill -9 b4 || busybox pkill -9 b4]

/usr/bin/pkill

[pkill -9 b4]

/bin/busybox

[busybox pkill -9 b4]

/bin/sh

[sh -c pkill -9 b5 || busybox pkill -9 b5]

/usr/bin/pkill

[pkill -9 b5]

/bin/busybox

[busybox pkill -9 b5]

/bin/sh

[sh -c pkill -9 b6 || busybox pkill -9 b6]

/usr/bin/pkill

[pkill -9 b6]

/bin/busybox

[busybox pkill -9 b6]

/bin/sh

[sh -c pkill -9 b7 || busybox pkill -9 b7]

/usr/bin/pkill

[pkill -9 b7]

Network

Country Destination Domain Proto
CN 106.52.68.18:6667 N/A tcp
CN 106.52.68.18:6667 N/A tcp
CN 106.52.68.18:6667 N/A tcp

Files

N/A