Malware Analysis Report

2024-11-13 17:34

Sample ID 220219-hs3csaaafq
Target ca21a60bf8ffb7414a9e52a2e1574b0f15797e5e32ca196bf093b2cf7c2b0a49
SHA256 ca21a60bf8ffb7414a9e52a2e1574b0f15797e5e32ca196bf093b2cf7c2b0a49
Tags
kaiten
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ca21a60bf8ffb7414a9e52a2e1574b0f15797e5e32ca196bf093b2cf7c2b0a49

Threat Level: Known bad

The file ca21a60bf8ffb7414a9e52a2e1574b0f15797e5e32ca196bf093b2cf7c2b0a49 was found to be: Known bad.

Malicious Activity Summary

kaiten

Identified Kaiten Bot

Kaiten family

Deletes system logs

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-19 07:00

Signatures

Identified Kaiten Bot

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Kaiten family

kaiten

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-19 07:00

Reported

2022-02-19 12:30

Platform

ubuntu1804-amd64-en-20211208

Max time kernel

6291s

Max time network

154s

Command Line

[./ca21a60bf8ffb7414a9e52a2e1574b0f15797e5e32ca196bf093b2cf7c2b0a49]

Signatures

Deletes system logs

Description       Indicator         Process           Target
/var/log/syslog   /var/log/syslog   /bin/rm           N/A
/var/log/syslog   /var/log/syslog   /usr/bin/touch    N/A
/var/log/syslog   /var/log/syslog   /usr/bin/chattr   N/A

Processes

./ca21a60bf8ffb7414a9e52a2e1574b0f15797e5e32ca196bf093b2cf7c2b0a49

[./ca21a60bf8ffb7414a9e52a2e1574b0f15797e5e32ca196bf093b2cf7c2b0a49]

/bin/sh

[sh -c rm -rf /var/log/syslog;touch /var/log/syslog;chmod 0000 /var/log/syslog;chattr +isa /var/log/syslog;]

/bin/rm

[rm -rf /var/log/syslog]

/usr/bin/touch

[touch /var/log/syslog]

/bin/chmod

[chmod 0000 /var/log/syslog]

/usr/bin/chattr

[chattr +isa /var/log/syslog]

Network

Country   Destination       Domain   Proto
BR        200.20.10.72:80            tcp
BR        200.20.10.72:80            tcp
BR        200.20.10.72:80            tcp
BR        200.20.10.72:80            tcp
BR        200.20.10.72:80            tcp
BR        200.20.10.72:80            tcp
BR        200.20.10.72:80            tcp
BR        200.20.10.72:80            tcp
BR        200.20.10.72:80            tcp
BR        200.20.10.72:80            tcp
BR        200.20.10.72:80            tcp
BR        200.20.10.72:80            tcp
BR        200.20.10.72:80            tcp
BR        200.20.10.72:80            tcp
BR        200.20.10.72:80            tcp
BR        200.20.10.72:80            tcp

Files

N/A