kaiten | a12bde3cc7f15db10dad98fb07c2aed5134fb34c711736547603f574c528185f

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2023 03:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fallofwindows.exe
Size

370KB
MD5

7f13152a4e20b2fac49a0bea102b6122
SHA1

5d46374164fcda53764237436f796a85a7f1b1d5
SHA256

a12bde3cc7f15db10dad98fb07c2aed5134fb34c711736547603f574c528185f
SHA512

5fcf2f4f90b3f6d7cccce53a477980383b8caf28c9a67fa3b1f553b0b5b5c187c001dfb126f4d65edeea92bfcf39a7297c8424c87472670386ed37fbeaad649a
SSDEEP

6144:f+6zEHbvCEXlRk/O0zfHWaBsdWTE8oBN2FkSel3F7SWelTD9Tb+XG+Uypqn2TlY:DEHbvCEVR6BzfvB7oBNYel3F7JeldTbi

Score

10^/10

kaiten botnet

Malware Config

Signatures

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\97EA.tmp\AIMING~1.BAT	disable_win_def
behavioral2/memory/4504-7-0x0000000000400000-0x00000000005B3000-memory.dmp	disable_win_def

Detects Kaiten/Tsunami Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\97EA.tmp\AIMING~1.BAT	family_kaiten2
behavioral2/memory/4504-7-0x0000000000400000-0x00000000005B3000-memory.dmp	family_kaiten2

Detects Kaiten/Tsunami payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\97EA.tmp\AIMING~1.BAT	family_kaiten
behavioral2/memory/4504-7-0x0000000000400000-0x00000000005B3000-memory.dmp	family_kaiten

Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
botnet kaiten
Executes dropped EXE 1 IoCs

Processes:

RSOD.exe

pid process

1444 RSOD.exe

pid	process
1444	RSOD.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

fallofwindows.execmd.exe

description	pid	process	target process
PID 4504 wrote to memory of 316	4504	fallofwindows.exe	cmd.exe
PID 4504 wrote to memory of 316	4504	fallofwindows.exe	cmd.exe
PID 4504 wrote to memory of 316	4504	fallofwindows.exe	cmd.exe
PID 316 wrote to memory of 1444	316	cmd.exe	RSOD.exe
PID 316 wrote to memory of 1444	316	cmd.exe	RSOD.exe

C:\Users\Admin\AppData\Local\Temp\fallofwindows.exe
"C:\Users\Admin\AppData\Local\Temp\fallofwindows.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\97EA.tmp\AIMING~1.BAT""
2⤵
- Suspicious use of WriteProcessMemory
PID:316

C:\Users\Admin\AppData\Local\Temp\RSOD.exe
RSOD.exe
3⤵
- Executes dropped EXE
PID:1444

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\97EA.tmp\AIMING~1.BAT
Filesize
1.6MB

MD5
f64530ab5a6f0abc0c7107e813158c1f

SHA1
4bf402bffad762db235ea9fb6f19d8af75cabd6c

SHA256
3421122c2d2b532f14f5f1881d03092ff2fc49adac44b72bbec69740a01f4748

SHA512
82721d327bd8024e11ec4b4557c4bb63bd38df06e6ef9b8007d0c83fdfa625bdcdedc6eede7ef8fa63d83cd0df624958210feb30a9a8acc9b98c82826555581a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RSOD.exe
Filesize
11KB

MD5
2cd94e786a624bf706e3d74f86f1352c

SHA1
a199fa3dc341e5d8a508a6b87ebde2d7949ade86

SHA256
ebcecd72b8bb18ed52787b47bdaabbe4a9cee534b1498b7da8243fff39a685c9

SHA512
cb44edf11e6d253ecda97d85363acbb80da4ac552bc2ea4176765c81de872f5bb70a91082a7235551aacedddc9a4f361cbe1df87ee348199c1c7ab8593399b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\RSOD.exe
Filesize
11KB

MD5
2cd94e786a624bf706e3d74f86f1352c

SHA1
a199fa3dc341e5d8a508a6b87ebde2d7949ade86

SHA256
ebcecd72b8bb18ed52787b47bdaabbe4a9cee534b1498b7da8243fff39a685c9

SHA512
cb44edf11e6d253ecda97d85363acbb80da4ac552bc2ea4176765c81de872f5bb70a91082a7235551aacedddc9a4f361cbe1df87ee348199c1c7ab8593399b29

Download Submit
memory/1444-13-0x0000000000D60000-0x0000000000D6A000-memory.dmp

Filesize
40KB

Download
memory/1444-14-0x00007FF9B3270000-0x00007FF9B3D31000-memory.dmp

Filesize
10.8MB

Download
memory/1444-16-0x000000001BA90000-0x000000001BAA0000-memory.dmp

Filesize
64KB

Download
memory/1444-17-0x00007FF9B3270000-0x00007FF9B3D31000-memory.dmp

Filesize
10.8MB

Download
memory/1444-19-0x000000001BA90000-0x000000001BAA0000-memory.dmp

Filesize
64KB

Download
memory/4504-0-0x0000000000400000-0x00000000005B3000-memory.dmp

Filesize
1.7MB

Download
memory/4504-1-0x0000000000400000-0x00000000005B3000-memory.dmp

Filesize
1.7MB

Download
memory/4504-7-0x0000000000400000-0x00000000005B3000-memory.dmp

Filesize
1.7MB

Download