Malware Analysis Report

2024-12-01 00:44

Sample ID 220217-1zjhcsfac2
Target 25f299887ea827b2905e714136912771951cd76f05f8078319af8f81c1c5fe7e
SHA256 25f299887ea827b2905e714136912771951cd76f05f8078319af8f81c1c5fe7e
Tags
kaiten
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

25f299887ea827b2905e714136912771951cd76f05f8078319af8f81c1c5fe7e

Threat Level: Known bad

The file 25f299887ea827b2905e714136912771951cd76f05f8078319af8f81c1c5fe7e was found to be: Known bad.

Malicious Activity Summary

kaiten

Identified Kaiten Bot

Kaiten family

Deletes system logs

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-17 22:05

Signatures

Identified Kaiten Bot

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Kaiten family

kaiten

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-17 22:05

Reported

2022-02-18 01:31

Platform

ubuntu1804-amd64-en-20211208

Max time kernel

0s

Max time network

152s

Command Line

[./25f299887ea827b2905e714136912771951cd76f05f8078319af8f81c1c5fe7e]

Signatures

Deletes system logs

Description      Indicator        Process          Target
/var/log/syslog  /var/log/syslog  /bin/rm          N/A
/var/log/syslog  /var/log/syslog  /usr/bin/touch   N/A
/var/log/syslog  /var/log/syslog  /usr/bin/chattr  N/A

Processes

./25f299887ea827b2905e714136912771951cd76f05f8078319af8f81c1c5fe7e

[./25f299887ea827b2905e714136912771951cd76f05f8078319af8f81c1c5fe7e]

/bin/sh

[sh -c rm -rf /var/log/syslog;touch /var/log/syslog;chmod 0000 /var/log/syslog;chattr +isa /var/log/syslog;]

/bin/rm

[rm -rf /var/log/syslog]

/usr/bin/touch

[touch /var/log/syslog]

/bin/chmod

[chmod 0000 /var/log/syslog]

/usr/bin/chattr

[chattr +isa /var/log/syslog]
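The process tree above is a complete anti-forensic chain rather than a single "delete": the sample removes /var/log/syslog, recreates it empty, strips every permission bit with chmod 0000 (which stops the unprivileged syslog daemon writing to it) and then sets +i (immutable), +a (append-only) and +s via chattr, so that even root cannot truncate, rename or delete the file again until the attributes are cleared. Note that the signature table only attributes the finding to rm, touch and chattr; the chmod step is visible only in the process list. The following Python is an added example, not part of the sandbox report: it re-derives the finding from the process command lines (unwrapping the `sh -c` script), goes slightly beyond the report's own signature by also flagging chmod 0000 and `chattr +i/+a` on any /var/log path, and parses `lsattr -d` output to tell an incident responder whether a log file on a live host has been locked this way and what has to be undone first. The sample command lines and the lsattr line are constructed from this report; the 0640 restore mode is an assumption (the Ubuntu default for /var/log/syslog).

```python
"""Added example: detect the syslog-tampering chain from process command lines
and recognise the locked-down log file it leaves behind on a host."""
import re
import shlex
import subprocess

# Constructed from the behavioral1 process list in this report. The sandbox
# prints the `sh -c` script without its quoting, so it arrives as one line.
SAMPLE_CMDLINES = [
    "./25f299887ea827b2905e714136912771951cd76f05f8078319af8f81c1c5fe7e",
    "sh -c rm -rf /var/log/syslog;touch /var/log/syslog;"
    "chmod 0000 /var/log/syslog;chattr +isa /var/log/syslog;",
    "rm -rf /var/log/syslog",
    "touch /var/log/syslog",
    "chmod 0000 /var/log/syslog",
    "chattr +isa /var/log/syslog",
]

LOG_PATH = re.compile(r"^/var/log(/|$)")
SEPARATORS = re.compile(r"\s*(?:;|&&|\|\|)\s*")   # enough for this sample; no pipes/subshells


def simple_commands(cmdline):
    """Yield argv for each simple command, unwrapping `sh -c <script>`."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:            # unbalanced quotes: fall back to a plain split
        argv = cmdline.split()
    shell = argv[0].rsplit("/", 1)[-1] if argv else ""
    if len(argv) >= 3 and shell in ("sh", "bash", "dash") and argv[1] == "-c":
        # Re-join because the unquoted script was split on whitespace above.
        for piece in SEPARATORS.split(" ".join(argv[2:])):
            if piece:
                yield piece.split()
    elif argv:
        yield argv


def classify(argv):
    """Return (technique, target) if this simple command tampers with a log file."""
    prog, args = argv[0].rsplit("/", 1)[-1], argv[1:]
    targets = [a for a in args if LOG_PATH.match(a)]
    if not targets:
        return None
    if prog in ("rm", "unlink", "shred", "truncate"):
        return ("delete or wipe log file", targets[0])
    if prog == "chmod" and re.fullmatch(r"0*0", args[0]):
        return ("remove all permissions from log file", targets[0])
    if prog == "chattr" and args[0].startswith("+") and set(args[0][1:]) & set("ia"):
        return ("lock log file with immutable/append-only attribute", targets[0])
    return None                   # touch, cat, tail ... on a log are normal


def detect_log_tampering(cmdlines):
    """One finding per tampering command; the shell and its children both count."""
    findings = []
    for cmdline in cmdlines:
        for argv in simple_commands(cmdline):
            hit = classify(argv)
            if hit:
                findings.append({"command": " ".join(argv),
                                 "technique": hit[0], "target": hit[1]})
    return findings


# --- host side: what the chain leaves behind ------------------------------
# Constructed `lsattr -d /var/log/syslog` output for the post-infection state.
# Flag positions differ between e2fsprogs versions, but every position is
# either its letter or '-', so membership tests on the flag string are safe.
SAMPLE_LSATTR = "s---ia-------e------- /var/log/syslog"


def parse_lsattr(line):
    """Parse one `lsattr -d` line into (set of flag letters, path)."""
    flags, _, path = line.strip().partition(" ")
    return set(flags) - {"-"}, path.strip()


def locked_log_file(line):
    """True if i or a is set: writes, truncation, rename and unlink will fail."""
    flags, _ = parse_lsattr(line)
    return bool(flags & {"i", "a"})


def recovery_commands(line, mode="0640"):
    """Commands to run, in order, before the log file can be repaired.
    mode 0640 is an assumption (Ubuntu default for /var/log/syslog)."""
    flags, path = parse_lsattr(line)
    undo = "".join(f for f in "ias" if f in flags)
    cmds = [f"chattr -{undo} {shlex.quote(path)}"] if undo else []
    cmds.append(f"chmod {mode} {shlex.quote(path)}")
    return cmds


def check_host(path="/var/log/syslog"):
    """Live check: run lsattr and return (locked?, recovery commands)."""
    out = subprocess.run(["lsattr", "-d", path], capture_output=True,
                         text=True, check=True).stdout
    line = out.splitlines()[0]
    return locked_log_file(line), recovery_commands(line)


if __name__ == "__main__":
    for f in detect_log_tampering(SAMPLE_CMDLINES):
        print(f"{f['technique']:<55} {f['command']}")
    print(locked_log_file(SAMPLE_LSATTR), recovery_commands(SAMPLE_LSATTR))
```

Running the detector over the constructed command lines yields six findings (rm, chmod and chattr once from the `sh -c` script and once each from the child processes), all targeting /var/log/syslog; `touch`, `chattr -i` and `rm` outside /var/log are not flagged. On a host that matches `SAMPLE_LSATTR`, `recovery_commands` returns `chattr -ias /var/log/syslog` followed by `chmod 0640 /var/log/syslog`; the chattr step must come first, because with +i set even a root shell cannot change the mode or replace the file.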

Network

Country  Destination         Domain  Proto
BR       200.156.100.119:80  (none)  tcp

(15 connections recorded during the 152 s network window, all to this single destination; no domain was resolved)

Files

N/A