kaiten | b8e0d51884523ed4a8e79246faafff4a8c2f4070bec0cd9e526be36d9b0d4c0d

Analysis

max time kernel
152s
max time network
155s
platform
debian-9_armhf
resource
debian9-armhf-20231215-en
resource tags

arch:armhfimage:debian9-armhf-20231215-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
19-12-2023 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

121719543d8d5e1dda976200c619f82d
Size

576KB
MD5

121719543d8d5e1dda976200c619f82d
SHA1

ebdbdda19e76931a2f6154da160d1a6b597533e0
SHA256

b8e0d51884523ed4a8e79246faafff4a8c2f4070bec0cd9e526be36d9b0d4c0d
SHA512

81135dce29498d56c5110759a9712316af25e4992a9ce33ff2b86637aa011f50e231a9ac4fa146dab113ac011851c799a493909f263abb26467687436b2e11ec
SSDEEP

12288:gl7H+P4WdRE8+GEWQTQfeiUklkFeXfSYbMa9vJesJeGtq0iVv0Eun5PxLO:Y7H+gWEThEUklk8tbMatgWpCVv0EL

Score

10^/10

kaiten botnet persistence

Malware Config

Signatures

Detects Kaiten/Tsunami Payload 1 IoCs

resource	yara_rule
behavioral1/memory/683-1-0x00008000-0x001bb7e0-memory.dmp	family_kaiten2

Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
botnet kaiten

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.olXI6Y	crontab

Reads runtime system information 4 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/version	121719543d8d5e1dda976200c619f82d
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/1/cmdline	121719543d8d5e1dda976200c619f82d

/tmp/121719543d8d5e1dda976200c619f82d
/tmp/121719543d8d5e1dda976200c619f82d
1⤵
- Reads runtime system information
PID:683
- /bin/sh
  sh -c "chmod 700 /tmp/121719543d8d5e1dda976200c619f82d > /dev/null 2>&1 &"
  2⤵
  PID:689
- /bin/sh
  sh -c "touch -acmr /bin/ls /tmp/121719543d8d5e1dda976200c619f82d"
  2⤵
  PID:691
- - /usr/bin/touch
    touch -acmr /bin/ls /tmp/121719543d8d5e1dda976200c619f82d
    3⤵
    PID:692
- /bin/sh
  sh -c "(crontab -l | grep -v \"/tmp/121719543d8d5e1dda976200c619f82d\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x00846930886) > /dev/null 2>&1"
  2⤵
  PID:694
- /bin/sh
  sh -c "echo \"* * * * * /tmp/121719543d8d5e1dda976200c619f82d > /dev/null 2>&1 &\" >> /var/run/.x00846930886"
  2⤵
  PID:702
- /bin/sh
  sh -c "crontab /var/run/.x00846930886"
  2⤵
  PID:703
- - /usr/bin/crontab
    crontab /var/run/.x00846930886
    3⤵
    - Creates/modifies Cron job
    - Reads runtime system information
    PID:704
- /bin/sh
  sh -c "rm -rf /var/run/.x00846930886"
  2⤵
  PID:706
- - /bin/rm
    rm -rf /var/run/.x00846930886
    3⤵
    PID:707
- /bin/sh
  sh -c "cat /etc/inittab | grep -v \"/tmp/121719543d8d5e1dda976200c619f82d\" > /etc/inittab2"
  2⤵
  PID:708
- - /bin/cat
    cat /etc/inittab
    3⤵
    PID:710
- - /bin/grep
    grep -v /tmp/121719543d8d5e1dda976200c619f82d
    3⤵
    PID:711
- /bin/sh
  sh -c "echo \"0:2345:respawn:/tmp/121719543d8d5e1dda976200c619f82d\" >> /etc/inittab2"
  2⤵
  PID:712
- /bin/sh
  sh -c "cat /etc/inittab2 > /etc/inittab"
  2⤵
  PID:713
- - /bin/cat
    cat /etc/inittab2
    3⤵
    PID:714
- /bin/sh
  sh -c "rm -rf /etc/inittab2"
  2⤵
  PID:715
- - /bin/rm
    rm -rf /etc/inittab2
    3⤵
    PID:716
- /bin/sh
  sh -c "touch -acmr /bin/ls /etc/inittab"
  2⤵
  PID:717
- - /usr/bin/touch
    touch -acmr /bin/ls /etc/inittab
    3⤵
    PID:718
- /bin/sh
  sh -c "/bin/uname -n"
  2⤵
  PID:719
- - /bin/uname
    /bin/uname -n
    3⤵
    PID:720
- /bin/sh
  sh -c "/bin/uname -n"
  2⤵
  PID:721
- - /bin/uname
    /bin/uname -n
    3⤵
    PID:722
- /bin/sh
  sh -c "/bin/uname -n"
  2⤵
  PID:723
- - /bin/uname
    /bin/uname -n
    3⤵
    PID:724

/bin/chmod
chmod 700 /tmp/121719543d8d5e1dda976200c619f82d
1⤵
PID:690

/usr/bin/crontab
crontab -l
1⤵
- Reads runtime system information
PID:696

/bin/grep
grep -v /tmp/121719543d8d5e1dda976200c619f82d
1⤵
PID:697

/bin/grep
grep -v "no cron"
1⤵
PID:698

/bin/grep
grep -v lesshts/run.sh
1⤵
PID:699

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/inittab2

Filesize
53B

MD5
2b493238a7273657a88690771ce555b4

SHA1
75ab0688836baf3f7f80b7871db2e81847ba348e

SHA256
42574fe00b655bcf13301bcb2879cc67163094e25ce4fc0369cf7080cc14ce39

SHA512
4c3a123f68e278787d947e01e8cbbb96429ed793cdb067565fbfd783fe4f35d1ffa74920948fea01b273bf6798e5f25f2671986eb67499804e9c8099b48a56d8

Download Submit
/run/.x00846930886

Filesize
67B

MD5
753a965847b04998a76c170c5b324995

SHA1
822b82d36cd8e5e97264a9e0cd20332828432758

SHA256
94163432631c54e43f92118b9f8edc32e3782fda1be011891259a65b972a1f65

SHA512
f05cce0eb97564090bd032f883e4cca6c8991d3372d74e9973a8cfc5242d2942a3b4e355a1b8bf979fdef38e893767ec0d3a0a08a8b1635d7d9dd01818dfbf31

Download Submit
/var/spool/cron/crontabs/tmp.olXI6Y

Filesize
263B

MD5
c1d79e11afca609a2d69ca16a4e32d4a

SHA1
c1352ea0cdaf2e66a8e68a782681cffe3cbde628

SHA256
89105693b4c503c39d518ba2e488bc469cd3d2d9f27bb5a84e7e1ecb6524797c

SHA512
66d79e79d7cafcf271d3d2139c3e274e085194c5b637ddab6c3c19a87c5b98bb266fc85f2cc5e658a725fe8c0444e1da6210bac16c28bc8626c27155062dea57

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads