kaiten | 9d5036d204e6598fd4c4ac93688c9acdec3d6a1e4d14018ec16db955f3ee8b24

Analysis

max time kernel
12s
max time network
10s
platform
debian-9_mips
resource
debian9-mipsbe-20231215-en
resource tags

arch:mipsimage:debian9-mipsbe-20231215-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
20/12/2023, 05:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ai.sh
Size

831B
MD5

b1a64a7afeda8fc66076eae49bdb6267
SHA1

0d840e800c0dac1d51f8a243056e94ed385c3a98
SHA256

9d5036d204e6598fd4c4ac93688c9acdec3d6a1e4d14018ec16db955f3ee8b24
SHA512

619c55b6f6d222c8a831a441205b75359976d9d80ba01734640d81b96a32e2b263448e16be8d3dad9afb1c78ebcd717cbc8dbefe134fc593f079a931140c67fa

Score

10^/10

kaiten xmrig botnet miner persistence

Malware Config

Signatures

Detects Kaiten/Tsunami Payload 1 IoCs

resource	yara_rule
behavioral3/files/fstream-6.dat	family_kaiten2

Detects Kaiten/Tsunami payload 1 IoCs

resource	yara_rule
behavioral3/files/fstream-6.dat	family_kaiten

Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
botnet kaiten

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral3/files/fstream-10.dat	family_xmrig
behavioral3/files/fstream-10.dat	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Executes dropped EXE 4 IoCs

ioc	pid	Process
/var/tmp/.22/start	745	start
/var/tmp/.22/hide	747	hide
/var/tmp/.22/create	749	create
/var/tmp/.22/auto	757	auto

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.VWLgsm	crontab

Reads runtime system information 4 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	tar
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/filesystems	crontab

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/sh-thd.y2EVHf	ai.sh

/tmp/ai.sh
/tmp/ai.sh
1⤵
- Writes file to tmp directory
PID:711
- /bin/grep
  grep EST
  2⤵
  PID:723
- /bin/grep
  grep 94.241.140.177
  2⤵
  PID:724
- /bin/grep
  grep 80
  2⤵
  PID:725
- /bin/mkdir
  mkdir -p /var/tmp/.22
  2⤵
  - Reads runtime system information
  PID:729
- /bin/tar
  tar -xf xm.jpg
  2⤵
  - Reads runtime system information
  PID:739
- - /usr/local/sbin/gzip
    gzip -d
    3⤵
    PID:740
- - /usr/local/bin/gzip
    gzip -d
    3⤵
    PID:740
- - /usr/sbin/gzip
    gzip -d
    3⤵
    PID:740
- - /usr/bin/gzip
    gzip -d
    3⤵
    PID:740
- - /sbin/gzip
    gzip -d
    3⤵
    PID:740
- - /bin/gzip
    gzip -d
    3⤵
    PID:740
- /bin/chmod
  chmod +x start
  2⤵
  PID:744
- /var/tmp/.22/start
  ./start
  2⤵
  - Executes dropped EXE
  PID:745
- - /bin/uname
    uname -m
    3⤵
    PID:746
- - /var/tmp/.22/hide
    ./hide
    3⤵
    - Executes dropped EXE
    PID:747
- - /var/tmp/.22/create
    ./create
    3⤵
    - Executes dropped EXE
    PID:749
  - - /bin/cat
      cat auto
      4⤵
      PID:751
  - - /usr/bin/crontab
      crontab cronjobs
      4⤵
      Creates/modifies Cron job
      Reads runtime system information
      PID:752
  - - /bin/rm
      rm -f cronjobs
      4⤵
      PID:753
  - - /usr/bin/crontab
      crontab -l
      4⤵
      Reads runtime system information
      PID:754
  - - /bin/chmod
      chmod u+x auto init.d
      4⤵
      PID:755
  - - /bin/sh
      sh -c "./auto > /dev/null 2>&1 &"
      4⤵
      PID:756
  - - /bin/rm
      rm -f aarch64 x86_64 hide.c init.c start create
      4⤵
      PID:758

/usr/bin/base64
base64 -d
1⤵
PID:720

/bin/cat
cat
1⤵
PID:736

/var/tmp/.22/auto
./auto
1⤵
- Executes dropped EXE
PID:757
- /var/tmp/.22/init.d
  /var/tmp/.22/init.d
  2⤵
  PID:759

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/sh-thd.y2EVHf

Filesize
34B

MD5
d73b6cacb30d623ccbb82cb8b3489476

SHA1
83a9395088a8885f45dfb4de5dc509aa74bb5164

SHA256
1a6177c310e4ddd1526252e4fcecfa3c78a440760f4adae90e4b2d60ad3000c5

SHA512
94e1949188ff086eec6dbc72dc01967f5c952928399db92656d65dc30f767e188f1a43f9558ffcf0fffaf38a522b335e6509228330780a97f09432c1b50f5941

Download Submit
/var/spool/cron/crontabs/tmp.VWLgsm

Filesize
266B

MD5
453ec25f76738a92ac2cf448d45b5448

SHA1
fbc4f6d350d9006b06900769c7dfea8037f4f40e

SHA256
1d56b02dada86e1bdfb2c29e2adaae05a2a065e1185cb32caed8611c7bfe99f8

SHA512
fdfbe6599ffb72125da0eb2c2b49459a3c8bb23046c40f1ee3be1aec3f2d87f651dcdb0b37b72d398ddeca21ee88d072356db1e4b6aa3a417b116a1c7402961b

Download Submit
/var/tmp/.22/auto

Filesize
237B

MD5
31dd8df9646ec4ba759bb9bab05d50d2

SHA1
56d64851b676586beaab6b385e270855815e95bd

SHA256
5b1574e562a37087c472f214870d022e7ca80de38a601f6b16893cc2a398071f

SHA512
ae95c5016b6ccbd94a0700801bd31f113e366a1f54460a1c102f694a52d703fde19242a8bd886a854494b679793344ae123d1cd9086e97254122e8bd51d5ffb0

Download Submit
/var/tmp/.22/create

Filesize
669B

MD5
18d2b80638dc8ed90e86c7caf316fe43

SHA1
887f50f37a7e57abd113153becd5d8e36a780b19

SHA256
d6a88499031026e3216ac733dd5b6365d597fa91599d33ec10a65cbb72e229b8

SHA512
1ab557c50377097f1b4f59bacea66de1b569ea8e341d47155919d2996157f71e078e3a4b474ef005c7320e4eb46199fdda01dcffe5df6973778059466c0f2cec

Download Submit
/var/tmp/.22/hide

Filesize
17KB

MD5
0bb4618c041fdb18c2e115b65bc5401f

SHA1
d9d039df279c4cdcceba347630a5fbdd296fca22

SHA256
3f1e584ca9393a3f635d8a8573e5b7f863df0dc092911de03bffc2d4ab4f8b53

SHA512
7dfc744f8aa5d571db704a56d6f5d5bda4b1889b1829a1cdbcc0272d059dc9fa1d2055e56c47ffb39851f175bbde41a6b137a1175cb7ad06eb64c601302538cf

Download Submit
/var/tmp/.22/init

Filesize
41KB

MD5
3d7964550b662754985bae37e0ee427b

SHA1
3de28ccabe03f53cc4f534c96337ece4878d7a0e

SHA256
03fab42e0825e6c35b803a125d63191dcf819f48bc9152180379b6c598632075

SHA512
75849f318fa46c8415fac9bded6b0bcecc2762cbb3b2c63d0d27794bfaaf8803fff3b67919758a2b7d534f30ea0a4010e828615a09d64f562820e111b00ea7c3

Download Submit
/var/tmp/.22/mining

Filesize
355B

MD5
8674ce902ffedf49ae4be47baabcc2c0

SHA1
441ecd5d3a928125e10a0b6b19f7eed31cfd4476

SHA256
8f93a7dd12dbd84749cb5cf675cd8371bd732655a8d048f269d8e88e8136e2e3

SHA512
8428b05454cc9a6ccc3ddea862d9f38b6f10f542ebf6f784b2f7027a985f1adc9bf7c69d3306b6d4d1896af9ec8e7fe1e1d9291c60652c46d7e5126a2d2e3380

Download Submit
/var/tmp/.22/mkcfg

Filesize
2KB

MD5
b586844bb52809b9dd6c5982347e27e0

SHA1
1aa9693db7bd01099d3022c5d697b601a938e205

SHA256
a86693407c7ec7a73e1f0e39ae7727f8bdbbc690cbaedeb3817f04cb9f87a57c

SHA512
2a3c4031b987178e8b93ced37794d2b2803ffb595b431f05b25793fd4874d8059d9499b8c00ca5abeb7524bba3c4d23a3a5cf2091a811c79224803f7a5f440f0

Download Submit
/var/tmp/.22/start

Filesize
176B

MD5
fe2ac6ae76a359f127213790c460496f

SHA1
df036a0088e1f418cb6e618fae06cf6282e79452

SHA256
0f1e5ab87d39835c6c28f242e68f7855a57813ef8e3e07091eee4f4d4f7ef78d

SHA512
8e41371af2cca37fff463fa1fff44db1cb462c8bf65f93f0ba0779adcfb4c812e411baf00bd67a2e7c92ddb27d65894bb18e205d6ca0e588c81219ba1b272889

Download Submit
/var/tmp/.22/x86_64

Filesize
3.8MB

MD5
bffed784b8e2d3f33a4fd10ce78f49e4

SHA1
ae0e4e06594ac8f81614e17f4bd527ee184919d4

SHA256
0f05779c210e21675f4ee6f8c99c8b24dcdeb4ac54db447ced7b0680d434d9c8

SHA512
ee028da377fd607c3e8aaacfc5e75c70a06cfba15140aaefea94391c95959e5d9cbd56c28e9522701f62a9f78909b1ae859280442f870b1a28b23e22f191caf9

Download Submit
/var/tmp/.22/xm.jpg

Filesize
2.7MB

MD5
36b3bf20d0c4d023aaa9617d29540f34

SHA1
bc802f646e40de028d10b6025feefe35b9395948

SHA256
714fc0ab79da19245fa0f3c0bb736960d72feef69401004e004890d2e4131101

SHA512
613008c05cdbb891586fdfa054a0559aa31079a61766d14bdb13d24e704d0d69fc5906a3c5e9f1e119883e9339f757760ff2ed663bb155637124788ada15a10c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads