Analysis Overview
SHA256
7d3855bb09f2f6111d6c71e06e1e6b06dd47b1dade49af0235b220966c2f5be3
Threat Level: Known bad
The file pty3pejnyxxb was found to be: Known bad.
Malicious Activity Summary
Identified Kaiten Bot
Kaiten family
suricata: ET MALWARE ELF/Muhstik Botnet CnC Activity
Writes file to system bin folder
Modifies hosts file
Writes DNS configuration
Writes file to user bin folder
Modifies rc script
Reads runtime system information
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-04-25 23:53
Signatures
Identified Kaiten Bot
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Kaiten family
Analysis: behavioral1
Detonation Overview
Submitted
2022-04-25 23:53
Reported
2022-04-26 00:01
Platform
ubuntu1804-amd64-en-20211208
Max time kernel
11949s
Max time network
156s
Command Line
Signatures
suricata: ET MALWARE ELF/Muhstik Botnet CnC Activity
Writes file to system bin folder
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| /bin/uname | /bin/uname | N/A | N/A |
| /bin/crontab | /bin/crontab | N/A | N/A |
| /bin/nvram | /bin/nvram | N/A | N/A |
Modifies hosts file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| /etc/hosts | /etc/hosts | N/A | N/A |
Writes DNS configuration
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| /etc/resolv.conf | /etc/resolv.conf | N/A | N/A |
Modifies rc script
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| /etc/rc.local | /etc/rc.local | ./pty3pejnyxxb | N/A |
Writes file to user bin folder
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| /usr/bin/crontab | /usr/bin/crontab | N/A | N/A |
| /usr/sbin/nvram | /usr/sbin/nvram | N/A | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| /proc/filesystems | /proc/filesystems | /bin/cp | N/A |
| /proc/filesystems | /proc/filesystems | /bin/cp | N/A |
| /proc/filesystems | /proc/filesystems | /bin/cp | N/A |
| /proc/filesystems | /proc/filesystems | /bin/cp | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| /tmp/pty3pejnyxxb | /tmp/pty3pejnyxxb | /bin/cp | N/A |
| /tmp/pty3pejnyxxb | /tmp/pty3pejnyxxb | /bin/cp | N/A |
| /tmp/pty3pejnyxxb | /tmp/pty3pejnyxxb | /bin/cp | N/A |
| /tmp/pty3pejnyxxb | /tmp/pty3pejnyxxb | /bin/cp | N/A |
| /tmp/.bawtz | /tmp/.bawtz | ./pty3pejnyxxb | N/A |
Processes
./pty3pejnyxxb
[./pty3pejnyxxb]
/bin/sh
[sh -c pidof -x strace > /dev/null]
/bin/pidof
[pidof -x strace]
/bin/sh
[sh -c pidof -x tcpdump > /dev/null]
/bin/pidof
[pidof -x tcpdump]
/bin/sh
[sh -c cat /etc/inittab | grep -v "/tmp/pty3pejnyxxb" > /etc/inittab2]
/bin/sh
[sh -c crontab -l | grep /tmp/pty3pejnyxxb | grep -v "no cron" || (crontab -l ; echo "* * * * * /tmp/pty3pejnyxxb > /dev/null 2>&1 &") | crontab -]
/bin/sh
[sh -c crontab -r]
/bin/cat
[cat /etc/inittab]
/usr/bin/crontab
[crontab -r]
/bin/grep
[grep -v /tmp/pty3pejnyxxb]
/usr/bin/crontab
[crontab -l]
/bin/grep
[grep /tmp/pty3pejnyxxb]
/bin/grep
[grep -v no cron]
/bin/sh
[sh -c echo "0:2345:respawn:/tmp/pty3pejnyxxb" >> /etc/inittab2]
/usr/bin/crontab
[crontab -]
/bin/sh
[sh -c cat /etc/inittab2 > /etc/inittab]
/usr/bin/crontab
[crontab -l]
/bin/cat
[cat /etc/inittab2]
/bin/sh
[sh -c rm -rf /etc/inittab2]
/bin/rm
[rm -rf /etc/inittab2]
/bin/sh
[sh -c touch -acmr /bin/ls /etc/inittab]
/usr/bin/touch
[touch -acmr /bin/ls /etc/inittab]
/bin/sh
[sh -c /bin/uname -n]
/bin/sh
[sh -c cp -f /tmp/pty3pejnyxxb /dev/shm/pty3pejnyxxb]
/bin/uname
[/bin/uname -n]
/bin/cp
[cp -f /tmp/pty3pejnyxxb /dev/shm/pty3pejnyxxb]
/bin/sh
[sh -c cat /etc/inittab | grep -v "/dev/shm/pty3pejnyxxb" > /etc/inittab2]
/bin/sh
[sh -c crontab -l | grep /dev/shm/pty3pejnyxxb | grep -v "no cron" || (crontab -l ; echo "* * * * * /dev/shm/pty3pejnyxxb > /dev/null 2>&1 &") | crontab -]
/usr/bin/crontab
[crontab -l]
/bin/cat
[cat /etc/inittab]
/bin/grep
[grep /dev/shm/pty3pejnyxxb]
/bin/grep
[grep -v /dev/shm/pty3pejnyxxb]
/bin/grep
[grep -v no cron]
/bin/sh
[sh -c echo "0:2345:respawn:/dev/shm/pty3pejnyxxb" >> /etc/inittab2]
/usr/bin/crontab
[crontab -]
/bin/sh
[sh -c cat /etc/inittab2 > /etc/inittab]
/usr/bin/crontab
[crontab -l]
/bin/cat
[cat /etc/inittab2]
/bin/sh
[sh -c rm -rf /etc/inittab2]
/bin/rm
[rm -rf /etc/inittab2]
/bin/sh
[sh -c touch -acmr /bin/ls /etc/inittab]
/usr/bin/touch
[touch -acmr /bin/ls /etc/inittab]
/bin/sh
[sh -c cp -f /tmp/pty3pejnyxxb /var/tmp/pty3pejnyxxb]
/bin/cp
[cp -f /tmp/pty3pejnyxxb /var/tmp/pty3pejnyxxb]
/bin/sh
[sh -c cat /etc/inittab | grep -v "/var/tmp/pty3pejnyxxb" > /etc/inittab2]
/bin/sh
[sh -c crontab -l | grep /var/tmp/pty3pejnyxxb | grep -v "no cron" || (crontab -l ; echo "* * * * * /var/tmp/pty3pejnyxxb > /dev/null 2>&1 &") | crontab -]
/bin/cat
[cat /etc/inittab]
/bin/grep
[grep -v /var/tmp/pty3pejnyxxb]
/usr/bin/crontab
[crontab -l]
/bin/grep
[grep /var/tmp/pty3pejnyxxb]
/bin/sh
[sh -c echo "0:2345:respawn:/var/tmp/pty3pejnyxxb" >> /etc/inittab2]
/bin/grep
[grep -v no cron]
/bin/sh
[sh -c cat /etc/inittab2 > /etc/inittab]
/usr/bin/crontab
[crontab -]
/bin/cat
[cat /etc/inittab2]
/usr/bin/crontab
[crontab -l]
/bin/sh
[sh -c rm -rf /etc/inittab2]
/bin/rm
[rm -rf /etc/inittab2]
/bin/sh
[sh -c touch -acmr /bin/ls /etc/inittab]
/usr/bin/touch
[touch -acmr /bin/ls /etc/inittab]
/bin/sh
[sh -c cp -f /tmp/pty3pejnyxxb /var/lock/pty3pejnyxxb]
/bin/cp
[cp -f /tmp/pty3pejnyxxb /var/lock/pty3pejnyxxb]
/bin/sh
[sh -c cat /etc/inittab | grep -v "/var/lock/pty3pejnyxxb" > /etc/inittab2]
/bin/sh
[sh -c crontab -l | grep /var/lock/pty3pejnyxxb | grep -v "no cron" || (crontab -l ; echo "* * * * * /var/lock/pty3pejnyxxb > /dev/null 2>&1 &") | crontab -]
/bin/cat
[cat /etc/inittab]
/bin/grep
[grep -v /var/lock/pty3pejnyxxb]
/usr/bin/crontab
[crontab -l]
/bin/grep
[grep /var/lock/pty3pejnyxxb]
/bin/sh
[sh -c echo "0:2345:respawn:/var/lock/pty3pejnyxxb" >> /etc/inittab2]
/bin/grep
[grep -v no cron]
/bin/sh
[sh -c cat /etc/inittab2 > /etc/inittab]
/usr/bin/crontab
[crontab -]
/usr/bin/crontab
[crontab -l]
/bin/cat
[cat /etc/inittab2]
/bin/sh
[sh -c rm -rf /etc/inittab2]
/bin/rm
[rm -rf /etc/inittab2]
/bin/sh
[sh -c touch -acmr /bin/ls /etc/inittab]
/usr/bin/touch
[touch -acmr /bin/ls /etc/inittab]
/bin/sh
[sh -c cp -f /tmp/pty3pejnyxxb /var/run/pty3pejnyxxb]
/bin/cp
[cp -f /tmp/pty3pejnyxxb /var/run/pty3pejnyxxb]
/bin/sh
[sh -c cat /etc/inittab | grep -v "/var/run/pty3pejnyxxb" > /etc/inittab2]
/bin/sh
[sh -c crontab -l | grep /var/run/pty3pejnyxxb | grep -v "no cron" || (crontab -l ; echo "* * * * * /var/run/pty3pejnyxxb > /dev/null 2>&1 &") | crontab -]
/bin/cat
[cat /etc/inittab]
/usr/bin/crontab
[crontab -l]
/bin/grep
[grep -v /var/run/pty3pejnyxxb]
/bin/grep
[grep /var/run/pty3pejnyxxb]
/bin/grep
[grep -v no cron]
/bin/sh
[sh -c echo "0:2345:respawn:/var/run/pty3pejnyxxb" >> /etc/inittab2]
/bin/sh
[sh -c cat /etc/inittab2 > /etc/inittab]
/usr/bin/crontab
[crontab -]
/bin/cat
[cat /etc/inittab2]
/usr/bin/crontab
[crontab -l]
/bin/sh
[sh -c rm -rf /etc/inittab2]
/bin/rm
[rm -rf /etc/inittab2]
/bin/sh
[sh -c touch -acmr /bin/ls /etc/inittab]
/usr/bin/touch
[touch -acmr /bin/ls /etc/inittab]
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| RO | 89.33.194.89:8080 | | tcp |
| GB | 178.159.3.213:8080 | | tcp |
| SG | 185.201.8.176:8080 | | tcp |
| SG | 37.44.244.106:8080 | | tcp |
| US | 85.120.225.141:8080 | | tcp |
| SG | 156.67.218.115:8080 | | tcp |
| SG | 194.59.165.52:8080 | | tcp |
| SG | 37.44.244.106:8080 | | tcp |
| US | 144.172.71.162:8080 | | tcp |
| SG | 37.44.244.106:8080 | | tcp |
| SG | 185.201.8.176:8080 | | tcp |
| RO | 89.33.194.89:8080 | | tcp |
| US | 144.172.71.162:8080 | | tcp |
| US | 1.1.1.1:53 | oiii.deutschland-zahlung.eu | udp |
| US | 144.172.71.162:8080 | | tcp |
| US | 144.172.71.162:8080 | | tcp |
| US | 144.172.71.162:8080 | | tcp |
| SG | 156.67.218.115:8080 | | tcp |
| SG | 156.67.218.115:8080 | | tcp |
| RU | 195.70.197.29:8080 | | tcp |
| SG | 156.67.218.115:8080 | | tcp |
| US | 85.120.225.141:8080 | | tcp |
| SG | 156.67.218.115:8080 | | tcp |
| NL | 67.209.115.148:8080 | | tcp |
| SG | 141.136.47.97:8080 | | tcp |
| US | 85.120.225.141:8080 | | tcp |
| SG | 156.67.218.115:8080 | | tcp |
| SG | 156.67.218.115:8080 | | tcp |
| SG | 156.67.218.115:8080 | | tcp |
| SG | 156.67.218.115:8080 | | tcp |
| US | 144.172.71.162:8080 | | tcp |
| SG | 156.67.218.115:8080 | | tcp |
| SG | 185.201.8.176:8080 | | tcp |
| RO | 89.33.194.89:8080 | | tcp |
| SG | 156.67.218.115:8080 | | tcp |