Malware Analysis Report

2024-11-13 17:34

Sample ID 220314-gm2nmaffbr
Target 0abc01de8962867957bca89f6bd4c10e
SHA256 46389c117c5f41b60e10f965b3674b3b77189b504b0aeb5c2da67adf55a7129f
Tags
kaiten persistence suricata
score
10/10

Analysis Overview

score
10/10

SHA256

46389c117c5f41b60e10f965b3674b3b77189b504b0aeb5c2da67adf55a7129f

Threat Level: Known bad

The file 0abc01de8962867957bca89f6bd4c10e was found to be: Known bad.

Malicious Activity Summary

kaiten persistence suricata

Identified Kaiten Bot

Kaiten family

suricata: ET MALWARE ELF/Muhstik Botnet CnC Activity

Writes file to system bin folder

Writes DNS configuration

Modifies rc script

Write file to user bin folder

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-14 05:56

Signatures

Identified Kaiten Bot

Description Indicator Process Target
N/A N/A N/A N/A

Kaiten family

kaiten

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-14 05:56

Reported

2022-03-14 05:59

Platform

debian9-armhf-en-20211208

Max time kernel

8255s

Max time network

190s

Command Line

[./0abc01de8962867957bca89f6bd4c10e]

Signatures

suricata: ET MALWARE ELF/Muhstik Botnet CnC Activity

suricata

Writes file to system bin folder

Description Indicator Process Target
/bin/crontab /bin/crontab N/A N/A
/bin/nvram /bin/nvram N/A N/A
/bin/uname /bin/uname N/A N/A

Writes DNS configuration

Description Indicator Process Target
/etc/resolv.conf /etc/resolv.conf N/A N/A

Modifies rc script

persistence
Description Indicator Process Target
/etc/rc.local /etc/rc.local ./0abc01de8962867957bca89f6bd4c10e N/A

Write file to user bin folder

Description Indicator Process Target
/usr/bin/crontab /usr/bin/crontab N/A N/A
/usr/sbin/nvram /usr/sbin/nvram N/A N/A

Reads runtime system information

Description Indicator Process Target
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /bin/cp N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /bin/cp N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /bin/cp N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /bin/cp N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A

Writes file to tmp directory

Description Indicator Process Target
/tmp/0abc01de8962867957bca89f6bd4c10e /tmp/0abc01de8962867957bca89f6bd4c10e /bin/cp N/A
/tmp/.bawtz /tmp/.bawtz ./0abc01de8962867957bca89f6bd4c10e N/A
/tmp/0abc01de8962867957bca89f6bd4c10e /tmp/0abc01de8962867957bca89f6bd4c10e /bin/cp N/A
/tmp/0abc01de8962867957bca89f6bd4c10e /tmp/0abc01de8962867957bca89f6bd4c10e /bin/cp N/A
/tmp/0abc01de8962867957bca89f6bd4c10e /tmp/0abc01de8962867957bca89f6bd4c10e /bin/cp N/A

Processes

./0abc01de8962867957bca89f6bd4c10e

[./0abc01de8962867957bca89f6bd4c10e]

/bin/sh

[sh -c pidof -x strace > /dev/null]

/bin/pidof

[pidof -x strace]

/bin/sh

[sh -c pidof -x tcpdump > /dev/null]

/bin/pidof

[pidof -x tcpdump]

/bin/sh

[sh -c crontab -r]

/bin/sh

[sh -c cat /etc/inittab | grep -v "/tmp/0abc01de8962867957bca89f6bd4c10e" > /etc/inittab2]

/bin/sh

[sh -c crontab -l | grep /tmp/0abc01de8962867957bca89f6bd4c10e | grep -v "no cron" || (crontab -l ; echo "* * * * * /tmp/0abc01de8962867957bca89f6bd4c10e > /dev/null 2>&1 &") | crontab -]

/usr/bin/crontab

[crontab -r]

/usr/bin/crontab

[crontab -l]

/bin/cat

[cat /etc/inittab]

/bin/grep

[grep /tmp/0abc01de8962867957bca89f6bd4c10e]

/bin/grep

[grep -v no cron]

/bin/grep

[grep -v /tmp/0abc01de8962867957bca89f6bd4c10e]

/bin/sh

[sh -c echo "0:2345:respawn:/tmp/0abc01de8962867957bca89f6bd4c10e" >> /etc/inittab2]

/usr/bin/crontab

[crontab -l]

/usr/bin/crontab

[crontab -]

/bin/sh

[sh -c cat /etc/inittab2 > /etc/inittab]

/bin/cat

[cat /etc/inittab2]

/bin/sh

[sh -c rm -rf /etc/inittab2]

/bin/rm

[rm -rf /etc/inittab2]

/bin/sh

[sh -c touch -acmr /bin/ls /etc/inittab]

/usr/bin/touch

[touch -acmr /bin/ls /etc/inittab]

/bin/sh

[sh -c cp -f /tmp/0abc01de8962867957bca89f6bd4c10e /dev/shm/0abc01de8962867957bca89f6bd4c10e]

/bin/sh

[sh -c /bin/uname -n]

/bin/cp

[cp -f /tmp/0abc01de8962867957bca89f6bd4c10e /dev/shm/0abc01de8962867957bca89f6bd4c10e]

/bin/uname

[/bin/uname -n]

/bin/sh

[sh -c crontab -l | grep /dev/shm/0abc01de8962867957bca89f6bd4c10e | grep -v "no cron" || (crontab -l ; echo "* * * * * /dev/shm/0abc01de8962867957bca89f6bd4c10e > /dev/null 2>&1 &") | crontab -]

/bin/sh

[sh -c cat /etc/inittab | grep -v "/dev/shm/0abc01de8962867957bca89f6bd4c10e" > /etc/inittab2]

/bin/cat

[cat /etc/inittab]

/usr/bin/crontab

[crontab -l]

/bin/grep

[grep -v /dev/shm/0abc01de8962867957bca89f6bd4c10e]

/bin/grep

[grep /dev/shm/0abc01de8962867957bca89f6bd4c10e]

/bin/grep

[grep -v no cron]

/bin/sh

[sh -c echo "0:2345:respawn:/dev/shm/0abc01de8962867957bca89f6bd4c10e" >> /etc/inittab2]

/usr/bin/crontab

[crontab -l]

/usr/bin/crontab

[crontab -]

/bin/sh

[sh -c cat /etc/inittab2 > /etc/inittab]

/bin/cat

[cat /etc/inittab2]

/bin/sh

[sh -c rm -rf /etc/inittab2]

/bin/rm

[rm -rf /etc/inittab2]

/bin/sh

[sh -c touch -acmr /bin/ls /etc/inittab]

/usr/bin/touch

[touch -acmr /bin/ls /etc/inittab]

/bin/sh

[sh -c cp -f /tmp/0abc01de8962867957bca89f6bd4c10e /var/tmp/0abc01de8962867957bca89f6bd4c10e]

/bin/cp

[cp -f /tmp/0abc01de8962867957bca89f6bd4c10e /var/tmp/0abc01de8962867957bca89f6bd4c10e]

/bin/sh

[sh -c cat /etc/inittab | grep -v "/var/tmp/0abc01de8962867957bca89f6bd4c10e" > /etc/inittab2]

/bin/sh

[sh -c crontab -l | grep /var/tmp/0abc01de8962867957bca89f6bd4c10e | grep -v "no cron" || (crontab -l ; echo "* * * * * /var/tmp/0abc01de8962867957bca89f6bd4c10e > /dev/null 2>&1 &") | crontab -]

/bin/cat

[cat /etc/inittab]

/bin/grep

[grep -v /var/tmp/0abc01de8962867957bca89f6bd4c10e]

/usr/bin/crontab

[crontab -l]

/bin/grep

[grep /var/tmp/0abc01de8962867957bca89f6bd4c10e]

/bin/grep

[grep -v no cron]

/bin/sh

[sh -c echo "0:2345:respawn:/var/tmp/0abc01de8962867957bca89f6bd4c10e" >> /etc/inittab2]

/bin/sh

[sh -c cat /etc/inittab2 > /etc/inittab]

/usr/bin/crontab

[crontab -]

/usr/bin/crontab

[crontab -l]

/bin/cat

[cat /etc/inittab2]

/bin/sh

[sh -c rm -rf /etc/inittab2]

/bin/rm

[rm -rf /etc/inittab2]

/bin/sh

[sh -c touch -acmr /bin/ls /etc/inittab]

/usr/bin/touch

[touch -acmr /bin/ls /etc/inittab]

/bin/sh

[sh -c cp -f /tmp/0abc01de8962867957bca89f6bd4c10e /var/lock/0abc01de8962867957bca89f6bd4c10e]

/bin/cp

[cp -f /tmp/0abc01de8962867957bca89f6bd4c10e /var/lock/0abc01de8962867957bca89f6bd4c10e]

/bin/sh

[sh -c crontab -l | grep /var/lock/0abc01de8962867957bca89f6bd4c10e | grep -v "no cron" || (crontab -l ; echo "* * * * * /var/lock/0abc01de8962867957bca89f6bd4c10e > /dev/null 2>&1 &") | crontab -]

/bin/sh

[sh -c cat /etc/inittab | grep -v "/var/lock/0abc01de8962867957bca89f6bd4c10e" > /etc/inittab2]

/usr/bin/crontab

[crontab -l]

/bin/cat

[cat /etc/inittab]

/bin/grep

[grep -v /var/lock/0abc01de8962867957bca89f6bd4c10e]

/bin/grep

[grep /var/lock/0abc01de8962867957bca89f6bd4c10e]

/bin/grep

[grep -v no cron]

/bin/sh

[sh -c echo "0:2345:respawn:/var/lock/0abc01de8962867957bca89f6bd4c10e" >> /etc/inittab2]

/usr/bin/crontab

[crontab -l]

/usr/bin/crontab

[crontab -]

/bin/sh

[sh -c cat /etc/inittab2 > /etc/inittab]

/bin/cat

[cat /etc/inittab2]

/bin/sh

[sh -c rm -rf /etc/inittab2]

/bin/rm

[rm -rf /etc/inittab2]

/bin/sh

[sh -c touch -acmr /bin/ls /etc/inittab]

/usr/bin/touch

[touch -acmr /bin/ls /etc/inittab]

/bin/sh

[sh -c cp -f /tmp/0abc01de8962867957bca89f6bd4c10e /var/run/0abc01de8962867957bca89f6bd4c10e]

/bin/cp

[cp -f /tmp/0abc01de8962867957bca89f6bd4c10e /var/run/0abc01de8962867957bca89f6bd4c10e]

/bin/sh

[sh -c crontab -l | grep /var/run/0abc01de8962867957bca89f6bd4c10e | grep -v "no cron" || (crontab -l ; echo "* * * * * /var/run/0abc01de8962867957bca89f6bd4c10e > /dev/null 2>&1 &") | crontab -]

/bin/sh

[sh -c cat /etc/inittab | grep -v "/var/run/0abc01de8962867957bca89f6bd4c10e" > /etc/inittab2]

/bin/cat

[cat /etc/inittab]

/bin/grep

[grep -v /var/run/0abc01de8962867957bca89f6bd4c10e]

/usr/bin/crontab

[crontab -l]

/bin/grep

[grep /var/run/0abc01de8962867957bca89f6bd4c10e]

/bin/grep

[grep -v no cron]

/bin/sh

[sh -c echo "0:2345:respawn:/var/run/0abc01de8962867957bca89f6bd4c10e" >> /etc/inittab2]

/usr/bin/crontab

[crontab -l]

/usr/bin/crontab

[crontab -]

/bin/sh

[sh -c cat /etc/inittab2 > /etc/inittab]

/bin/cat

[cat /etc/inittab2]

/bin/sh

[sh -c rm -rf /etc/inittab2]

/bin/rm

[rm -rf /etc/inittab2]

/bin/sh

[sh -c touch -acmr /bin/ls /etc/inittab]

/usr/bin/touch

[touch -acmr /bin/ls /etc/inittab]

Network


Files

N/A