kaiten | a12bde3cc7f15db10dad98fb07c2aed5134fb34c711736547603f574c528185f

Analysis

max time kernel
141s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2023 11:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fallofwindows.exe
Size

370KB
MD5

7f13152a4e20b2fac49a0bea102b6122
SHA1

5d46374164fcda53764237436f796a85a7f1b1d5
SHA256

a12bde3cc7f15db10dad98fb07c2aed5134fb34c711736547603f574c528185f
SHA512

5fcf2f4f90b3f6d7cccce53a477980383b8caf28c9a67fa3b1f553b0b5b5c187c001dfb126f4d65edeea92bfcf39a7297c8424c87472670386ed37fbeaad649a
SSDEEP

6144:f+6zEHbvCEXlRk/O0zfHWaBsdWTE8oBN2FkSel3F7SWelTD9Tb+XG+Uypqn2TlY:DEHbvCEVR6BzfvB7oBNYel3F7JeldTbi

Score

10^/10

kaiten botnet

Malware Config

Signatures

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/files/0x000600000002305b-6.dat	disable_win_def
behavioral2/memory/2256-13-0x0000000000400000-0x00000000005B3000-memory.dmp	disable_win_def

Detects Kaiten/Tsunami Payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000600000002305b-6.dat	family_kaiten2

Detects Kaiten/Tsunami payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000600000002305b-6.dat	family_kaiten

Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
botnet kaiten

Executes dropped EXE 1 IoCs

pid	Process
3396	RSOD.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 968	2256	fallofwindows.exe	85
PID 2256 wrote to memory of 968	2256	fallofwindows.exe	85
PID 2256 wrote to memory of 968	2256	fallofwindows.exe	85
PID 968 wrote to memory of 3396	968	cmd.exe	87
PID 968 wrote to memory of 3396	968	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\fallofwindows.exe
"C:\Users\Admin\AppData\Local\Temp\fallofwindows.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DDFC.tmp\AIMING~1.BAT""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Users\Admin\AppData\Local\Temp\RSOD.exe
    RSOD.exe
    3⤵
    - Executes dropped EXE
    PID:3396

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DDFC.tmp\AIMING~1.BAT

Filesize
1.6MB

MD5
f64530ab5a6f0abc0c7107e813158c1f

SHA1
4bf402bffad762db235ea9fb6f19d8af75cabd6c

SHA256
3421122c2d2b532f14f5f1881d03092ff2fc49adac44b72bbec69740a01f4748

SHA512
82721d327bd8024e11ec4b4557c4bb63bd38df06e6ef9b8007d0c83fdfa625bdcdedc6eede7ef8fa63d83cd0df624958210feb30a9a8acc9b98c82826555581a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RSOD.exe

Filesize
11KB

MD5
2cd94e786a624bf706e3d74f86f1352c

SHA1
a199fa3dc341e5d8a508a6b87ebde2d7949ade86

SHA256
ebcecd72b8bb18ed52787b47bdaabbe4a9cee534b1498b7da8243fff39a685c9

SHA512
cb44edf11e6d253ecda97d85363acbb80da4ac552bc2ea4176765c81de872f5bb70a91082a7235551aacedddc9a4f361cbe1df87ee348199c1c7ab8593399b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\RSOD.exe

Filesize
11KB

MD5
2cd94e786a624bf706e3d74f86f1352c

SHA1
a199fa3dc341e5d8a508a6b87ebde2d7949ade86

SHA256
ebcecd72b8bb18ed52787b47bdaabbe4a9cee534b1498b7da8243fff39a685c9

SHA512
cb44edf11e6d253ecda97d85363acbb80da4ac552bc2ea4176765c81de872f5bb70a91082a7235551aacedddc9a4f361cbe1df87ee348199c1c7ab8593399b29

Download Submit
memory/2256-0-0x0000000000400000-0x00000000005B3000-memory.dmp

Filesize
1.7MB

Download
memory/2256-1-0x0000000000400000-0x00000000005B3000-memory.dmp

Filesize
1.7MB

Download
memory/2256-13-0x0000000000400000-0x00000000005B3000-memory.dmp

Filesize
1.7MB

Download
memory/3396-10-0x0000000000490000-0x000000000049A000-memory.dmp

Filesize
40KB

Download
memory/3396-11-0x00007FF88AC30000-0x00007FF88B6F1000-memory.dmp

Filesize
10.8MB

Download
memory/3396-12-0x000000001B200000-0x000000001B210000-memory.dmp

Filesize
64KB

Download
memory/3396-15-0x00007FF88AC30000-0x00007FF88B6F1000-memory.dmp

Filesize
10.8MB

Download
memory/3396-16-0x000000001B200000-0x000000001B210000-memory.dmp

Filesize
64KB

Download