Malware Analysis Report

2024-11-13 17:34

Sample ID 220314-cb5tpabgf3
Target 97717ad2ff60ac257a5f66634fe06544
SHA256 95d1fca8bea30d9629fdf05e6ba0fc6195eb0a86f99ea021b17cb8823db9d78b
Tags
kaiten persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

95d1fca8bea30d9629fdf05e6ba0fc6195eb0a86f99ea021b17cb8823db9d78b

Threat Level: Known bad

The file 97717ad2ff60ac257a5f66634fe06544 was found to be: Known bad.

Malicious Activity Summary

kaiten persistence

Identified Kaiten Bot

Kaiten family

Writes file to system bin folder

Writes DNS configuration

Modifies hosts file

Modifies rc script

Writes file to user bin folder

Writes file to tmp directory

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-14 01:55

Signatures

Identified Kaiten Bot

Description Indicator Process Target
N/A N/A N/A N/A

Kaiten family

kaiten

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-14 01:55

Reported

2022-03-14 01:57

Platform

debian9-mipsel-en-20211208

Max time kernel

0s

Max time network

121s

Command Line

[./97717ad2ff60ac257a5f66634fe06544]

Signatures

Writes file to system bin folder

Description Indicator Process Target
/bin/crontab /bin/crontab N/A N/A
/bin/nvram /bin/nvram N/A N/A
/bin/uname /bin/uname N/A N/A

Modifies hosts file

Description Indicator Process Target
/etc/hosts /etc/hosts N/A N/A

Writes DNS configuration

Description Indicator Process Target
/etc/resolv.conf /etc/resolv.conf N/A N/A

Modifies rc script

persistence
Description Indicator Process Target
/etc/rc.local /etc/rc.local ./97717ad2ff60ac257a5f66634fe06544 N/A

Writes file to user bin folder

Description Indicator Process Target
/usr/bin/crontab /usr/bin/crontab N/A N/A
/usr/sbin/nvram /usr/sbin/nvram N/A N/A

Reads runtime system information

Description Indicator Process Target
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /bin/cp N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /bin/cp N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /bin/cp N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /bin/cp N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A

Writes file to tmp directory

Description Indicator Process Target
/tmp/97717ad2ff60ac257a5f66634fe06544 /tmp/97717ad2ff60ac257a5f66634fe06544 /bin/cp N/A
/tmp/97717ad2ff60ac257a5f66634fe06544 /tmp/97717ad2ff60ac257a5f66634fe06544 /bin/cp N/A
/tmp/.bawtz /tmp/.bawtz ./97717ad2ff60ac257a5f66634fe06544 N/A
/tmp/97717ad2ff60ac257a5f66634fe06544 /tmp/97717ad2ff60ac257a5f66634fe06544 /bin/cp N/A
/tmp/97717ad2ff60ac257a5f66634fe06544 /tmp/97717ad2ff60ac257a5f66634fe06544 /bin/cp N/A

Processes

./97717ad2ff60ac257a5f66634fe06544

[./97717ad2ff60ac257a5f66634fe06544]

/bin/sh

[sh -c pidof -x strace > /dev/null]

/bin/pidof

[pidof -x strace]

/bin/sh

[sh -c pidof -x tcpdump > /dev/null]

/bin/pidof

[pidof -x tcpdump]

/bin/sh

[sh -c cat /etc/inittab | grep -v "/tmp/97717ad2ff60ac257a5f66634fe06544" > /etc/inittab2]

/bin/sh

[sh -c crontab -r]

/bin/sh

[sh -c crontab -l | grep /tmp/97717ad2ff60ac257a5f66634fe06544 | grep -v "no cron" || (crontab -l ; echo "* * * * * /tmp/97717ad2ff60ac257a5f66634fe06544 > /dev/null 2>&1 &") | crontab -]

/usr/bin/crontab

[crontab -r]

/bin/cat

[cat /etc/inittab]

/bin/grep

[grep -v /tmp/97717ad2ff60ac257a5f66634fe06544]

/usr/bin/crontab

[crontab -l]

/bin/grep

[grep /tmp/97717ad2ff60ac257a5f66634fe06544]

/bin/grep

[grep -v no cron]

/bin/sh

[sh -c echo "0:2345:respawn:/tmp/97717ad2ff60ac257a5f66634fe06544" >> /etc/inittab2]

/usr/bin/crontab

[crontab -]

/usr/bin/crontab

[crontab -l]

/bin/sh

[sh -c cat /etc/inittab2 > /etc/inittab]

/bin/cat

[cat /etc/inittab2]

/bin/sh

[sh -c rm -rf /etc/inittab2]

/bin/rm

[rm -rf /etc/inittab2]

/bin/sh

[sh -c touch -acmr /bin/ls /etc/inittab]

/usr/bin/touch

[touch -acmr /bin/ls /etc/inittab]

/bin/sh

[sh -c cp -f /tmp/97717ad2ff60ac257a5f66634fe06544 /dev/shm/97717ad2ff60ac257a5f66634fe06544]

/bin/sh

[sh -c /bin/uname -n]

/bin/uname

[/bin/uname -n]

/bin/cp

[cp -f /tmp/97717ad2ff60ac257a5f66634fe06544 /dev/shm/97717ad2ff60ac257a5f66634fe06544]

/bin/sh

[sh -c cat /etc/inittab | grep -v "/dev/shm/97717ad2ff60ac257a5f66634fe06544" > /etc/inittab2]

/bin/sh

[sh -c crontab -l | grep /dev/shm/97717ad2ff60ac257a5f66634fe06544 | grep -v "no cron" || (crontab -l ; echo "* * * * * /dev/shm/97717ad2ff60ac257a5f66634fe06544 > /dev/null 2>&1 &") | crontab -]

/usr/bin/crontab

[crontab -l]

/bin/cat

[cat /etc/inittab]

/bin/grep

[grep -v /dev/shm/97717ad2ff60ac257a5f66634fe06544]

/bin/grep

[grep /dev/shm/97717ad2ff60ac257a5f66634fe06544]

/bin/grep

[grep -v no cron]

/bin/sh

[sh -c echo "0:2345:respawn:/dev/shm/97717ad2ff60ac257a5f66634fe06544" >> /etc/inittab2]

/usr/bin/crontab

[crontab -l]

/usr/bin/crontab

[crontab -]

/bin/sh

[sh -c cat /etc/inittab2 > /etc/inittab]

/bin/cat

[cat /etc/inittab2]

/bin/sh

[sh -c rm -rf /etc/inittab2]

/bin/rm

[rm -rf /etc/inittab2]

/bin/sh

[sh -c touch -acmr /bin/ls /etc/inittab]

/usr/bin/touch

[touch -acmr /bin/ls /etc/inittab]

/bin/sh

[sh -c cp -f /tmp/97717ad2ff60ac257a5f66634fe06544 /var/tmp/97717ad2ff60ac257a5f66634fe06544]

/bin/cp

[cp -f /tmp/97717ad2ff60ac257a5f66634fe06544 /var/tmp/97717ad2ff60ac257a5f66634fe06544]

/bin/sh

[sh -c cat /etc/inittab | grep -v "/var/tmp/97717ad2ff60ac257a5f66634fe06544" > /etc/inittab2]

/bin/sh

[sh -c crontab -l | grep /var/tmp/97717ad2ff60ac257a5f66634fe06544 | grep -v "no cron" || (crontab -l ; echo "* * * * * /var/tmp/97717ad2ff60ac257a5f66634fe06544 > /dev/null 2>&1 &") | crontab -]

/bin/grep

[grep -v /var/tmp/97717ad2ff60ac257a5f66634fe06544]

/bin/grep

[grep -v no cron]

/bin/cat

[cat /etc/inittab]

/usr/bin/crontab

[crontab -l]

/bin/grep

[grep /var/tmp/97717ad2ff60ac257a5f66634fe06544]

/bin/sh

[sh -c echo "0:2345:respawn:/var/tmp/97717ad2ff60ac257a5f66634fe06544" >> /etc/inittab2]

/usr/bin/crontab

[crontab -]

/usr/bin/crontab

[crontab -l]

/bin/sh

[sh -c cat /etc/inittab2 > /etc/inittab]

/bin/cat

[cat /etc/inittab2]

/bin/sh

[sh -c rm -rf /etc/inittab2]

/bin/rm

[rm -rf /etc/inittab2]

/bin/sh

[sh -c touch -acmr /bin/ls /etc/inittab]

/usr/bin/touch

[touch -acmr /bin/ls /etc/inittab]

/bin/sh

[sh -c cp -f /tmp/97717ad2ff60ac257a5f66634fe06544 /var/lock/97717ad2ff60ac257a5f66634fe06544]

/bin/cp

[cp -f /tmp/97717ad2ff60ac257a5f66634fe06544 /var/lock/97717ad2ff60ac257a5f66634fe06544]

/bin/sh

[sh -c cat /etc/inittab | grep -v "/var/lock/97717ad2ff60ac257a5f66634fe06544" > /etc/inittab2]

/bin/sh

[sh -c crontab -l | grep /var/lock/97717ad2ff60ac257a5f66634fe06544 | grep -v "no cron" || (crontab -l ; echo "* * * * * /var/lock/97717ad2ff60ac257a5f66634fe06544 > /dev/null 2>&1 &") | crontab -]

/bin/grep

[grep -v no cron]

/bin/grep

[grep /var/lock/97717ad2ff60ac257a5f66634fe06544]

/bin/grep

[grep -v /var/lock/97717ad2ff60ac257a5f66634fe06544]

/bin/cat

[cat /etc/inittab]

/usr/bin/crontab

[crontab -l]

/bin/sh

[sh -c echo "0:2345:respawn:/var/lock/97717ad2ff60ac257a5f66634fe06544" >> /etc/inittab2]

/usr/bin/crontab

[crontab -]

/usr/bin/crontab

[crontab -l]

/bin/sh

[sh -c cat /etc/inittab2 > /etc/inittab]

/bin/cat

[cat /etc/inittab2]

/bin/sh

[sh -c rm -rf /etc/inittab2]

/bin/rm

[rm -rf /etc/inittab2]

/bin/sh

[sh -c touch -acmr /bin/ls /etc/inittab]

/usr/bin/touch

[touch -acmr /bin/ls /etc/inittab]

/bin/sh

[sh -c cp -f /tmp/97717ad2ff60ac257a5f66634fe06544 /var/run/97717ad2ff60ac257a5f66634fe06544]

/bin/cp

[cp -f /tmp/97717ad2ff60ac257a5f66634fe06544 /var/run/97717ad2ff60ac257a5f66634fe06544]

/bin/sh

[sh -c cat /etc/inittab | grep -v "/var/run/97717ad2ff60ac257a5f66634fe06544" > /etc/inittab2]

/bin/sh

[sh -c crontab -l | grep /var/run/97717ad2ff60ac257a5f66634fe06544 | grep -v "no cron" || (crontab -l ; echo "* * * * * /var/run/97717ad2ff60ac257a5f66634fe06544 > /dev/null 2>&1 &") | crontab -]

/bin/cat

[cat /etc/inittab]

/bin/grep

[grep -v /var/run/97717ad2ff60ac257a5f66634fe06544]

/usr/bin/crontab

[crontab -l]

/bin/grep

[grep /var/run/97717ad2ff60ac257a5f66634fe06544]

/bin/grep

[grep -v no cron]

/bin/sh

[sh -c echo "0:2345:respawn:/var/run/97717ad2ff60ac257a5f66634fe06544" >> /etc/inittab2]

/bin/sh

[sh -c cat /etc/inittab2 > /etc/inittab]

/usr/bin/crontab

[crontab -]

/usr/bin/crontab

[crontab -l]

/bin/cat

[cat /etc/inittab2]

/bin/sh

[sh -c rm -rf /etc/inittab2]

/bin/rm

[rm -rf /etc/inittab2]

/bin/sh

[sh -c touch -acmr /bin/ls /etc/inittab]

/usr/bin/touch

[touch -acmr /bin/ls /etc/inittab]

Network

Country  Destination          Domain                       Proto
SG       185.201.8.176:8080                                tcp
SG       185.201.8.176:8080                                tcp
SG       141.136.47.97:8080                                tcp
RO       89.33.194.89:8080                                 tcp
SG       156.67.218.115:8080                               tcp
SG       156.67.218.115:8080                               tcp
SG       156.67.218.115:8080                               tcp
SG       141.136.47.97:8080                                tcp
RO       89.33.194.89:8080                                 tcp
SG       156.67.218.115:8080                               tcp
SG       185.201.8.176:8080                                tcp
SG       156.67.218.115:8080                               tcp
SG       156.67.218.115:8080                               tcp
US       1.1.1.1:53           oiii.deutschland-zahlung.eu  udp
SG       185.201.8.176:8080                                tcp
SG       156.67.218.115:8080                               tcp
SG       156.67.218.115:8080                               tcp
SG       156.67.218.115:8080                               tcp
SG       156.67.218.115:8080                               tcp
SG       156.67.218.115:8080                               tcp
SG       194.59.165.52:8080                                tcp
SG       185.201.8.176:8080                                tcp
GB       178.159.3.213:8080                                tcp
GB       178.159.3.213:8080                                tcp
US       85.120.225.141:8080                               tcp
SG       37.44.244.106:8080                                tcp

Files

N/A