Malware Analysis Report

2024-12-01 00:47

Sample ID 220125-yvemhaecd6
Target ns3.jpg
SHA256 112a47e9cba424b909318c559c12efddefe03d5f4839957e965e7b1746eab813
Tags: kaiten, persistence
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256: 112a47e9cba424b909318c559c12efddefe03d5f4839957e965e7b1746eab813

Threat Level: Likely malicious

The file ns3.jpg was found to be likely malicious. Despite the .jpg extension it is not an image: the behavioral run launches it directly as ./ns3.jpg on an Ubuntu 18.04 guest, and static analysis identifies it as a Kaiten (also known as Tsunami) IRC bot. The image extension is a disguise and should be treated as a masquerading indicator in its own right.

Malicious Activity Summary

kaiten persistence

Identified Kaiten Bot

Kaiten family

Modifies hosts file

Writes DNS configuration

Modifies rc script

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-01-25 20:06

Signatures

Identified Kaiten Bot

Description Indicator Process Target
N/A N/A N/A N/A

The static signature fires on the sample itself and records no per-row indicator; the family attribution is the whole finding.

Kaiten family

kaiten

Analysis: behavioral1

Detonation Overview

Submitted: 2022-01-25 20:06
Reported: 2022-01-25 20:08
Platform: ubuntu1804-amd64-en-20211208
Max time kernel: 4159s
Max time network: 153s

Command Line

[./ns3.jpg]

Signatures

Modifies hosts file

Description Indicator Process Target
/etc/hosts /etc/hosts N/A N/A

Writes DNS configuration

Description Indicator Process Target
/etc/resolv.conf /etc/resolv.conf N/A N/A

Modifies rc script (persistence)

Description Indicator Process Target
/etc/rc.d/rc.local /etc/rc.d/rc.local ./ns3.jpg N/A

The bot writes to /etc/rc.d/rc.local, the classic Kaiten way of being relaunched at boot. Note the path: Ubuntu and other Debian-derived systems have no /etc/rc.d directory and run /etc/rc.local instead, so on the ubuntu1804 analysis image this write creates a file that no init script ever executes. On RHEL-family or Slackware hosts, where /etc/rc.d/rc.local is the real rc script, the same write gives working persistence (on systemd hosts only if the file is executable so that rc-local.service is generated). Check both paths when hunting for this family.
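The three host-side indicators above (rc script, /etc/hosts, /etc/resolv.conf) are cheap to check on a live or imaged Linux host. The following is an added example, not part of the sandbox report and not the sandbox's own logic: it takes a snapshot of those files as a path-to-contents mapping and flags rc.local lines that launch something from a staging directory or with an image extension, /etc/hosts pins for the report's C2 hostnames, and resolvers that are not on an expected list. The sample file contents and the EXPECTED_NAMESERVERS list are constructed assumptions; the report only shows which files were written, not what was written to them.

```python
import hashlib
import ipaddress
import re
from typing import Dict, List, Set

# SHA256 of the analysed sample, copied from the report header.
KNOWN_SAMPLE_SHA256 = "112a47e9cba424b909318c559c12efddefe03d5f4839957e965e7b1746eab813"

# C2 hostnames from the report's Network table.
IOC_DOMAINS: Set[str] = {"irc.siutao.tk", "irc.tung-shu.cf"}

# Assumption: the resolvers a managed host is expected to list in /etc/resolv.conf.
EXPECTED_NAMESERVERS: Set[str] = {"10.0.0.53"}

# Files an init script has no business executing: image/document extensions
# (the sample is named ns3.jpg) or anything living in a world-writable staging dir.
NON_EXEC_EXT = re.compile(r"\.(jpe?g|png|gif|pdf|txt|mp[34])$", re.IGNORECASE)
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def suspicious_rc_local_lines(text: str) -> List[str]:
    """Return rc.local command lines that reference a staged or mis-typed executable."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "exit 0":
            continue
        for token in line.split():
            if token.startswith(STAGING_DIRS) or NON_EXEC_EXT.search(token):
                hits.append(line)
                break
    return hits


def hosts_overrides(text: str, watch: Set[str]) -> Dict[str, str]:
    """Map every watched hostname pinned in /etc/hosts to the address it is pinned to."""
    pinned = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            if name.lower() in watch:
                pinned[name.lower()] = fields[0]
    return pinned


def unexpected_nameservers(text: str, expected: Set[str]) -> List[str]:
    """Return nameserver entries in resolv.conf that are not on the expected list."""
    found = []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                ipaddress.ip_address(fields[1])
            except ValueError:
                continue  # malformed entry, not a usable resolver
            if fields[1] not in expected:
                found.append(fields[1])
    return found


def matches_known_sample(data: bytes) -> bool:
    """True if the bytes hash to the sample analysed in this report."""
    return hashlib.sha256(data).hexdigest() == KNOWN_SAMPLE_SHA256


def triage(files: Dict[str, str]) -> Dict[str, object]:
    """Run every check over a {path: contents} snapshot of a host."""
    rc_hits: List[str] = []
    # Kaiten's target path and the Debian/Ubuntu path, since either may be in use.
    for path in ("/etc/rc.d/rc.local", "/etc/rc.local"):
        rc_hits += suspicious_rc_local_lines(files.get(path, ""))
    return {
        "rc_local": rc_hits,
        "hosts": hosts_overrides(files.get("/etc/hosts", ""), IOC_DOMAINS),
        "nameservers": unexpected_nameservers(files.get("/etc/resolv.conf", ""), EXPECTED_NAMESERVERS),
    }


# Constructed snapshot modelled on the report's three indicators; the real
# contents written by the sample are not in the report.
SAMPLE_HOST = {
    "/etc/rc.d/rc.local": "#!/bin/sh -e\n# constructed: relaunch the dropped bot at boot\n/tmp/ns3.jpg &\nexit 0\n",
    "/etc/hosts": "127.0.0.1 localhost\n45.64.130.149 irc.siutao.tk  # constructed pin to the observed C2 address\n",
    "/etc/resolv.conf": "nameserver 1.1.1.1\n",  # constructed: resolver swapped away from the expected one
}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_HOST).items():
        print(f"{key}: {value}")
```

Run it against a real host by reading the four paths into the mapping; an empty result for every key means none of the report's host artifacts are present, not that the host is clean, since the bot may have been launched from a different path or the rc script may have been cleaned up.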

Processes

./ns3.jpg

[./ns3.jpg]

Network

Country Destination Domain Proto Connections
US 1.1.1.1:53 irc.siutao.tk udp 1
SG 45.64.130.149:20 irc.siutao.tk tcp 3
US 1.1.1.1:53 irc.tung-shu.cf udp 1
N/A 172.16.70.55:20 irc.tung-shu.cf tcp 19

Notes on the traffic: the two 1.1.1.1:53 rows are the DNS lookups for the C2 hostnames; the TCP rows are the bot's repeated attempts to reach its IRC server (3 connects to the first address, 19 to the second, within a 153-second network capture). Both servers are contacted on TCP port 20, conventionally the FTP data port, so an IRC client talking on port 20 with no accompanying port-21 control session is itself a usable network indicator. 172.16.70.55 is an RFC 1918 private address, which is why its Country is N/A; the report does not say whether irc.tung-shu.cf genuinely resolved to that address at analysis time or whether the sandbox redirected it, so treat the two hostnames and 45.64.130.149 as the external indicators and the private address as sandbox-specific.
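The network pattern above (lookups for the C2 hostnames, a C2 name resolving to a private address, and repeated TCP connects on port 20 that are not FTP) can be turned into detection logic over a connection log. The following is an added example written for this report, not the sandbox's code: it parses a constructed whitespace-separated log (timestamps set inside the report's analysis window; 203.0.113.x addresses are documentation-range stand-ins for benign traffic) and raises alerts for IOC hostnames, connections to IOC addresses learned from DNS answers, private-range resolutions, port-20 traffic with no preceding port-21 session to the same host, and repeated connects to one endpoint. BEACON_THRESHOLD and the log format are assumptions.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, NamedTuple

# Indicators from the report's Network table.
IOC_DOMAINS = {"irc.siutao.tk", "irc.tung-shu.cf"}
IOC_IPS = {"45.64.130.149"}

# Assumption: this many connects to one endpoint inside one capture is worth an alert.
BEACON_THRESHOLD = 3

# Explicit RFC 1918 ranges; ipaddress.is_private also covers documentation ranges, which we do not want.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Event(NamedTuple):
    ts: float
    src: str
    dst: str
    dport: int
    proto: str
    query: str   # DNS query name, "" for non-DNS events
    answer: str  # resolved address, "" if none


def _field(s: str) -> str:
    return "" if s == "-" else s


def parse_log(text: str) -> List[Event]:
    """Parse 'ts src dst dport proto query answer' lines; '-' means not applicable."""
    events = []
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        f = raw.split()
        if len(f) != 7:
            continue
        events.append(Event(float(f[0]), f[1], f[2], int(f[3]), f[4], _field(f[5]), _field(f[6])))
    return events


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def detect(events: List[Event]) -> List[Dict[str, str]]:
    """Return one alert dict per suspicious observation, in log order."""
    alerts: List[Dict[str, str]] = []
    ioc_ips = set(IOC_IPS)
    name_for: Dict[str, str] = {}   # address -> hostname, learned from DNS answers
    ftp_control_seen = set()        # hosts that had a port-21 session, so port 20 is plausibly FTP data
    connects: Counter = Counter()
    for e in events:
        if e.proto == "udp" and e.dport == 53 and e.query:
            if e.answer:
                name_for[e.answer] = e.query
            if e.query in IOC_DOMAINS:
                alerts.append({"reason": "ioc_domain", "dst": e.dst, "detail": e.query})
                if e.answer:
                    ioc_ips.add(e.answer)  # the C2 address, wherever it resolved this time
            if e.answer and is_rfc1918(e.answer):
                alerts.append({"reason": "private_resolution", "dst": e.answer, "detail": e.query})
            continue
        if e.proto == "tcp" and e.dport == 21:
            ftp_control_seen.add(e.dst)
        if e.dst in ioc_ips:
            alerts.append({"reason": "ioc_ip", "dst": e.dst, "detail": name_for.get(e.dst, "")})
        if e.proto == "tcp" and e.dport == 20 and e.dst not in ftp_control_seen:
            alerts.append({"reason": "port20_without_ftp_control", "dst": e.dst, "detail": name_for.get(e.dst, "")})
        connects[(e.dst, e.dport)] += 1
    for (dst, dport), n in connects.items():
        if n >= BEACON_THRESHOLD:
            alerts.append({"reason": "repeated_connects", "dst": f"{dst}:{dport}", "detail": str(n)})
    return alerts


def summarize(alerts: List[Dict[str, str]]) -> Dict[str, int]:
    """Count alerts per reason."""
    return dict(Counter(a["reason"] for a in alerts))


# Constructed log modelled on the report's Network table, plus benign HTTPS and a
# legitimate FTP control+data pair that must not fire the port-20 rule.
SAMPLE_LOG = """\
# ts src dst dport proto query answer
1643141160.0 10.0.0.5 1.1.1.1 53 udp irc.siutao.tk 45.64.130.149
1643141160.2 10.0.0.5 45.64.130.149 20 tcp - -
1643141165.2 10.0.0.5 45.64.130.149 20 tcp - -
1643141170.2 10.0.0.5 45.64.130.149 20 tcp - -
1643141175.0 10.0.0.5 1.1.1.1 53 udp irc.tung-shu.cf 172.16.70.55
1643141175.3 10.0.0.5 172.16.70.55 20 tcp - -
1643141180.3 10.0.0.5 172.16.70.55 20 tcp - -
1643141185.3 10.0.0.5 172.16.70.55 20 tcp - -
1643141190.3 10.0.0.5 172.16.70.55 20 tcp - -
1643141200.0 10.0.0.5 1.1.1.1 53 udp mirror.example.net 203.0.113.9
1643141201.0 10.0.0.5 203.0.113.9 443 tcp - -
1643141210.0 10.0.0.5 203.0.113.20 21 tcp - -
1643141211.0 10.0.0.5 203.0.113.20 20 tcp - -
"""

if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

The ioc_ip rule deliberately learns the C2 address from the DNS answer rather than hard-coding 172.16.70.55, since that private address is almost certainly specific to the sandbox run; the hostname is the durable indicator.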

Files

N/A