Analysis Overview
SHA256
46389c117c5f41b60e10f965b3674b3b77189b504b0aeb5c2da67adf55a7129f
Threat Level: Known bad
The file 0abc01de8962867957bca89f6bd4c10e was found to be: Known bad.
Malicious Activity Summary
Identified Kaiten Bot
Kaiten family
suricata: ET MALWARE ELF/Muhstik Botnet CnC Activity
Writes file to system bin folder
Writes DNS configuration
Modifies rc script
Write file to user bin folder
Reads runtime system information
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-14 05:56
Signatures
Identified Kaiten Bot
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Kaiten family
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-14 05:56
Reported
2022-03-14 05:59
Platform
debian9-armhf-en-20211208
Max time kernel
8255s
Max time network
190s
Command Line
Signatures
suricata: ET MALWARE ELF/Muhstik Botnet CnC Activity
Writes file to system bin folder
| Description | Indicator | Process | Target |
| /bin/crontab | /bin/crontab | N/A | N/A |
| /bin/nvram | /bin/nvram | N/A | N/A |
| /bin/uname | /bin/uname | N/A | N/A |
Writes DNS configuration
| Description | Indicator | Process | Target |
| /etc/resolv.conf | /etc/resolv.conf | N/A | N/A |
Modifies rc script
| Description | Indicator | Process | Target |
| /etc/rc.local | /etc/rc.local | ./0abc01de8962867957bca89f6bd4c10e | N/A |
Write file to user bin folder
| Description | Indicator | Process | Target |
| /usr/bin/crontab | /usr/bin/crontab | N/A | N/A |
| /usr/sbin/nvram | /usr/sbin/nvram | N/A | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| /proc/filesystems | /proc/filesystems | /usr/bin/crontab | N/A |
| /proc/filesystems | /proc/filesystems | /bin/cp | N/A |
| /proc/filesystems | /proc/filesystems | /usr/bin/crontab | N/A |
| /proc/filesystems | /proc/filesystems | /bin/cp | N/A |
| /proc/filesystems | /proc/filesystems | /usr/bin/crontab | N/A |
| /proc/filesystems | /proc/filesystems | /usr/bin/crontab | N/A |
| /proc/filesystems | /proc/filesystems | /usr/bin/crontab | N/A |
| /proc/filesystems | /proc/filesystems | /usr/bin/crontab | N/A |
| /proc/filesystems | /proc/filesystems | /usr/bin/crontab | N/A |
| /proc/filesystems | /proc/filesystems | /usr/bin/crontab | N/A |
| /proc/filesystems | /proc/filesystems | /bin/cp | N/A |
| /proc/filesystems | /proc/filesystems | /usr/bin/crontab | N/A |
| /proc/filesystems | /proc/filesystems | /bin/cp | N/A |
| /proc/filesystems | /proc/filesystems | /usr/bin/crontab | N/A |
| /proc/filesystems | /proc/filesystems | /usr/bin/crontab | N/A |
| /proc/filesystems | /proc/filesystems | /usr/bin/crontab | N/A |
| /proc/filesystems | /proc/filesystems | /usr/bin/crontab | N/A |
| /proc/filesystems | /proc/filesystems | /usr/bin/crontab | N/A |
| /proc/filesystems | /proc/filesystems | /usr/bin/crontab | N/A |
| /proc/filesystems | /proc/filesystems | /usr/bin/crontab | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| /tmp/0abc01de8962867957bca89f6bd4c10e | /tmp/0abc01de8962867957bca89f6bd4c10e | /bin/cp | N/A |
| /tmp/.bawtz | /tmp/.bawtz | ./0abc01de8962867957bca89f6bd4c10e | N/A |
| /tmp/0abc01de8962867957bca89f6bd4c10e | /tmp/0abc01de8962867957bca89f6bd4c10e | /bin/cp | N/A |
| /tmp/0abc01de8962867957bca89f6bd4c10e | /tmp/0abc01de8962867957bca89f6bd4c10e | /bin/cp | N/A |
| /tmp/0abc01de8962867957bca89f6bd4c10e | /tmp/0abc01de8962867957bca89f6bd4c10e | /bin/cp | N/A |
Processes
./0abc01de8962867957bca89f6bd4c10e
[./0abc01de8962867957bca89f6bd4c10e]
/bin/sh
[sh -c pidof -x strace > /dev/null]
/bin/pidof
[pidof -x strace]
/bin/sh
[sh -c pidof -x tcpdump > /dev/null]
/bin/pidof
[pidof -x tcpdump]
/bin/sh
[sh -c crontab -r]
/bin/sh
[sh -c cat /etc/inittab | grep -v "/tmp/0abc01de8962867957bca89f6bd4c10e" > /etc/inittab2]
/bin/sh
[sh -c crontab -l | grep /tmp/0abc01de8962867957bca89f6bd4c10e | grep -v "no cron" || (crontab -l ; echo "* * * * * /tmp/0abc01de8962867957bca89f6bd4c10e > /dev/null 2>&1 &") | crontab -]
/usr/bin/crontab
[crontab -r]
/usr/bin/crontab
[crontab -l]
/bin/cat
[cat /etc/inittab]
/bin/grep
[grep /tmp/0abc01de8962867957bca89f6bd4c10e]
/bin/grep
[grep -v no cron]
/bin/grep
[grep -v /tmp/0abc01de8962867957bca89f6bd4c10e]
/bin/sh
[sh -c echo "0:2345:respawn:/tmp/0abc01de8962867957bca89f6bd4c10e" >> /etc/inittab2]
/usr/bin/crontab
[crontab -l]
/usr/bin/crontab
[crontab -]
/bin/sh
[sh -c cat /etc/inittab2 > /etc/inittab]
/bin/cat
[cat /etc/inittab2]
/bin/sh
[sh -c rm -rf /etc/inittab2]
/bin/rm
[rm -rf /etc/inittab2]
/bin/sh
[sh -c touch -acmr /bin/ls /etc/inittab]
/usr/bin/touch
[touch -acmr /bin/ls /etc/inittab]
/bin/sh
[sh -c cp -f /tmp/0abc01de8962867957bca89f6bd4c10e /dev/shm/0abc01de8962867957bca89f6bd4c10e]
/bin/sh
[sh -c /bin/uname -n]
/bin/cp
[cp -f /tmp/0abc01de8962867957bca89f6bd4c10e /dev/shm/0abc01de8962867957bca89f6bd4c10e]
/bin/uname
[/bin/uname -n]
/bin/sh
[sh -c crontab -l | grep /dev/shm/0abc01de8962867957bca89f6bd4c10e | grep -v "no cron" || (crontab -l ; echo "* * * * * /dev/shm/0abc01de8962867957bca89f6bd4c10e > /dev/null 2>&1 &") | crontab -]
/bin/sh
[sh -c cat /etc/inittab | grep -v "/dev/shm/0abc01de8962867957bca89f6bd4c10e" > /etc/inittab2]
/bin/cat
[cat /etc/inittab]
/usr/bin/crontab
[crontab -l]
/bin/grep
[grep -v /dev/shm/0abc01de8962867957bca89f6bd4c10e]
/bin/grep
[grep /dev/shm/0abc01de8962867957bca89f6bd4c10e]
/bin/grep
[grep -v no cron]
/bin/sh
[sh -c echo "0:2345:respawn:/dev/shm/0abc01de8962867957bca89f6bd4c10e" >> /etc/inittab2]
/usr/bin/crontab
[crontab -l]
/usr/bin/crontab
[crontab -]
/bin/sh
[sh -c cat /etc/inittab2 > /etc/inittab]
/bin/cat
[cat /etc/inittab2]
/bin/sh
[sh -c rm -rf /etc/inittab2]
/bin/rm
[rm -rf /etc/inittab2]
/bin/sh
[sh -c touch -acmr /bin/ls /etc/inittab]
/usr/bin/touch
[touch -acmr /bin/ls /etc/inittab]
/bin/sh
[sh -c cp -f /tmp/0abc01de8962867957bca89f6bd4c10e /var/tmp/0abc01de8962867957bca89f6bd4c10e]
/bin/cp
[cp -f /tmp/0abc01de8962867957bca89f6bd4c10e /var/tmp/0abc01de8962867957bca89f6bd4c10e]
/bin/sh
[sh -c cat /etc/inittab | grep -v "/var/tmp/0abc01de8962867957bca89f6bd4c10e" > /etc/inittab2]
/bin/sh
[sh -c crontab -l | grep /var/tmp/0abc01de8962867957bca89f6bd4c10e | grep -v "no cron" || (crontab -l ; echo "* * * * * /var/tmp/0abc01de8962867957bca89f6bd4c10e > /dev/null 2>&1 &") | crontab -]
/bin/cat
[cat /etc/inittab]
/bin/grep
[grep -v /var/tmp/0abc01de8962867957bca89f6bd4c10e]
/usr/bin/crontab
[crontab -l]
/bin/grep
[grep /var/tmp/0abc01de8962867957bca89f6bd4c10e]
/bin/grep
[grep -v no cron]
/bin/sh
[sh -c echo "0:2345:respawn:/var/tmp/0abc01de8962867957bca89f6bd4c10e" >> /etc/inittab2]
/bin/sh
[sh -c cat /etc/inittab2 > /etc/inittab]
/usr/bin/crontab
[crontab -]
/usr/bin/crontab
[crontab -l]
/bin/cat
[cat /etc/inittab2]
/bin/sh
[sh -c rm -rf /etc/inittab2]
/bin/rm
[rm -rf /etc/inittab2]
/bin/sh
[sh -c touch -acmr /bin/ls /etc/inittab]
/usr/bin/touch
[touch -acmr /bin/ls /etc/inittab]
/bin/sh
[sh -c cp -f /tmp/0abc01de8962867957bca89f6bd4c10e /var/lock/0abc01de8962867957bca89f6bd4c10e]
/bin/cp
[cp -f /tmp/0abc01de8962867957bca89f6bd4c10e /var/lock/0abc01de8962867957bca89f6bd4c10e]
/bin/sh
[sh -c crontab -l | grep /var/lock/0abc01de8962867957bca89f6bd4c10e | grep -v "no cron" || (crontab -l ; echo "* * * * * /var/lock/0abc01de8962867957bca89f6bd4c10e > /dev/null 2>&1 &") | crontab -]
/bin/sh
[sh -c cat /etc/inittab | grep -v "/var/lock/0abc01de8962867957bca89f6bd4c10e" > /etc/inittab2]
/usr/bin/crontab
[crontab -l]
/bin/cat
[cat /etc/inittab]
/bin/grep
[grep -v /var/lock/0abc01de8962867957bca89f6bd4c10e]
/bin/grep
[grep /var/lock/0abc01de8962867957bca89f6bd4c10e]
/bin/grep
[grep -v no cron]
/bin/sh
[sh -c echo "0:2345:respawn:/var/lock/0abc01de8962867957bca89f6bd4c10e" >> /etc/inittab2]
/usr/bin/crontab
[crontab -l]
/usr/bin/crontab
[crontab -]
/bin/sh
[sh -c cat /etc/inittab2 > /etc/inittab]
/bin/cat
[cat /etc/inittab2]
/bin/sh
[sh -c rm -rf /etc/inittab2]
/bin/rm
[rm -rf /etc/inittab2]
/bin/sh
[sh -c touch -acmr /bin/ls /etc/inittab]
/usr/bin/touch
[touch -acmr /bin/ls /etc/inittab]
/bin/sh
[sh -c cp -f /tmp/0abc01de8962867957bca89f6bd4c10e /var/run/0abc01de8962867957bca89f6bd4c10e]
/bin/cp
[cp -f /tmp/0abc01de8962867957bca89f6bd4c10e /var/run/0abc01de8962867957bca89f6bd4c10e]
/bin/sh
[sh -c crontab -l | grep /var/run/0abc01de8962867957bca89f6bd4c10e | grep -v "no cron" || (crontab -l ; echo "* * * * * /var/run/0abc01de8962867957bca89f6bd4c10e > /dev/null 2>&1 &") | crontab -]
/bin/sh
[sh -c cat /etc/inittab | grep -v "/var/run/0abc01de8962867957bca89f6bd4c10e" > /etc/inittab2]
/bin/cat
[cat /etc/inittab]
/bin/grep
[grep -v /var/run/0abc01de8962867957bca89f6bd4c10e]
/usr/bin/crontab
[crontab -l]
/bin/grep
[grep /var/run/0abc01de8962867957bca89f6bd4c10e]
/bin/grep
[grep -v no cron]
/bin/sh
[sh -c echo "0:2345:respawn:/var/run/0abc01de8962867957bca89f6bd4c10e" >> /etc/inittab2]
/usr/bin/crontab
[crontab -l]
/usr/bin/crontab
[crontab -]
/bin/sh
[sh -c cat /etc/inittab2 > /etc/inittab]
/bin/cat
[cat /etc/inittab2]
/bin/sh
[sh -c rm -rf /etc/inittab2]
/bin/rm
[rm -rf /etc/inittab2]
/bin/sh
[sh -c touch -acmr /bin/ls /etc/inittab]
/usr/bin/touch
[touch -acmr /bin/ls /etc/inittab]
Network
| Country | Destination | Domain | Proto |
| NL | 67.209.115.148:8080 | tcp | |
| SG | 156.67.218.115:8080 | tcp | |
| SG | 156.67.218.115:8080 | tcp | |
| SG | 141.136.47.97:8080 | tcp | |
| SG | 156.67.218.115:8080 | tcp | |
| SG | 156.67.218.115:8080 | tcp | |
| US | 144.172.71.162:8080 | tcp | |
| SG | 156.67.218.115:8080 | tcp | |
| NL | 67.209.115.148:8080 | tcp | |
| US | 85.120.225.141:8080 | tcp | |
| SG | 141.136.47.97:8080 | tcp | |
| SG | 156.67.218.115:8080 | tcp | |
| SG | 194.59.165.52:8080 | tcp | |
| SG | 156.67.218.115:8080 | tcp | |
| NL | 67.209.115.148:8080 | tcp | |
| SG | 156.67.218.115:8080 | tcp | |
| NL | 67.209.115.148:8080 | tcp | |
| US | 144.172.71.162:8080 | tcp | |
| SG | 185.201.8.176:8080 | tcp | |
| US | 85.120.225.141:8080 | tcp | |
| SG | 185.201.8.176:8080 | tcp | |
| NL | 67.209.115.148:8080 | tcp | |
| US | 144.172.71.162:8080 | tcp | |
| NL | 67.209.115.148:8080 | tcp | |
| SG | 156.67.218.115:8080 | tcp | |
| SG | 156.67.218.115:8080 | tcp | |
| SG | 156.67.218.115:8080 | tcp | |
| US | 144.172.71.162:8080 | tcp | |
| GB | 178.159.3.213:8080 | tcp | |
| RO | 89.33.194.89:8080 | tcp | |
| SG | 141.136.47.97:8080 | tcp | |
| SG | 156.67.218.115:8080 | tcp | |
| SG | 185.201.8.176:8080 | tcp | |
| SG | 156.67.218.115:8080 | tcp | |
| SG | 156.67.218.115:8080 | tcp | |
| SG | 156.67.218.115:8080 | tcp | |
| SG | 156.67.218.115:8080 | tcp | |
| SG | 194.59.165.52:8080 | tcp | |
| SG | 37.44.244.106:8080 | tcp | |
| SG | 156.67.218.115:8080 | tcp | |
| SG | 156.67.218.115:8080 | tcp | |
| RO | 89.33.194.89:8080 | tcp | |
| SG | 194.59.165.52:8080 | tcp | |
| SG | 194.59.165.52:8080 | tcp | |
| SG | 156.67.218.115:8080 | tcp | |
| US | 85.120.225.141:8080 | tcp | |
| SG | 156.67.218.115:8080 | tcp | |
| GB | 178.159.3.213:8080 | tcp | |
| SG | 156.67.218.115:8080 | tcp | |
| SG | 141.136.47.97:8080 | tcp | |
| SG | 194.59.165.52:8080 | tcp | |
| SG | 156.67.218.115:8080 | tcp | |
| SG | 141.136.47.97:8080 | tcp | |
| SG | 37.44.244.106:8080 | tcp | |
| SG | 156.67.218.115:8080 | tcp | |
| SG | 156.67.218.115:8080 | tcp | |
| SG | 156.67.218.115:8080 | tcp | |
| SG | 156.67.218.115:8080 | tcp | |
| SG | 156.67.218.115:8080 | tcp | |
| SG | 156.67.218.115:8080 | tcp | |
| SG | 194.59.165.52:8080 | tcp | |
| SG | 185.201.8.176:8080 | tcp | |
| SG | 156.67.218.115:8080 | tcp | |
| SG | 194.59.165.52:8080 | tcp | |
| SG | 156.67.218.115:8080 | tcp | |
| SG | 141.136.47.97:8080 | tcp | |
| SG | 156.67.218.115:8080 | tcp | |
| SG | 141.136.47.97:8080 | tcp | |
| GB | 178.159.3.213:8080 | tcp | |
| SG | 37.44.244.106:8080 | tcp | |
| SG | 194.59.165.52:8080 | tcp | |
| SG | 194.59.165.52:8080 | tcp | |
| SG | 156.67.218.115:8080 | tcp | |
| SG | 37.44.244.106:8080 | tcp | |
| SG | 185.201.8.176:8080 | tcp | |
| SG | 156.67.218.115:8080 | tcp | |
| SG | 37.44.244.106:8080 | tcp | |
| SG | 37.44.244.106:8080 | tcp | |
| SG | 141.136.47.97:8080 | tcp | |
| SG | 156.67.218.115:8080 | tcp | |
| SG | 37.44.244.106:8080 | tcp | |
| SG | 141.136.47.97:8080 | tcp | |
| GB | 178.159.3.213:8080 | tcp | |
| SG | 185.201.8.176:8080 | tcp | |
| SG | 141.136.47.97:8080 | tcp | |
| SG | 156.67.218.115:8080 | tcp | |
| RO | 89.33.194.89:8080 | tcp | |
| SG | 156.67.218.115:8080 | tcp | |
| US | 144.172.71.162:8080 | tcp | |
| NL | 67.209.115.148:8080 | tcp |