Overview

overview

10

Static

static

7

b5a6bca187...97e478

debian-9-armhf

10

Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20231215-en
  • resource tags

    arch:armhfimage:debian9-armhf-20231215-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    20-12-2023 13:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b5a6bca187a6a82ded6276494697e478

  • Size

    49KB

  • MD5

    b5a6bca187a6a82ded6276494697e478

  • SHA1

    44540202c8712e4b7730999c7e12f8ae274c465d

  • SHA256

    dc2e1628ee9f18b3a8740bd36bc1f6aa5e3c506822ec5bbac306a8f3d2140145

  • SHA512

    9132cc1416f0933d1195e19cc9c2e924be6d0d0e3a909dd7d07e8d107b9ba0cc5ba21c578d66cb65ba0d396b534d4b39f5e006f8348a9c0a3aeb4b96a0680d2c

  • SSDEEP

    768:uy0RsOlDx5GBbhzcapESDl/oWsynfuAxt74NIboblfO5vIawuZGq3UIVPfeRpO+t:kD0mapESDl/zfghJmIa7pVPUOm

Score
10/10
kaitenbotnet

Malware Config

Signatures

  • Detects Kaiten/Tsunami Payload 1 IoCs
  • Detects Kaiten/Tsunami payload 1 IoCs
  • Kaiten/Tsunami

    Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.

    botnetkaiten
  • Reads system network configuration 1 TTPs 1 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 1 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/b5a6bca187a6a82ded6276494697e478
    /tmp/b5a6bca187a6a82ded6276494697e478
    1⤵
    • Reads runtime system information
    PID:648
    • /bin/sh
      sh -c "IPT=/sbin/iptables;\$IPT -N TN;\$IPT -A TN -s -j ACCEPT;\$IPT -A TN -p tcp -m tcp --dport 23 -j REJECT;\$IPT -I INPUT -j TN;\$IPT-save; echo 'nameserver 4.2.2.2' > /tmp/resolv.conf;echo 'namserver 208.67.222.222' >> /tmp/resolv.conf"
      2⤵
      • Writes file to tmp directory
      PID:651
      • /sbin/iptables
        /sbin/iptables -N TN
        3⤵
          PID:653
        • /sbin/iptables
          /sbin/iptables -A TN -s -j ACCEPT
          3⤵
            PID:659
          • /sbin/iptables
            /sbin/iptables -A TN -p tcp -m tcp --dport 23 -j REJECT
            3⤵
              PID:661
            • /sbin/iptables
              /sbin/iptables -I INPUT -j TN
              3⤵
                PID:669
              • /sbin/iptables-save
                /sbin/iptables-save
                3⤵
                • Reads system network configuration
                PID:671

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • /tmp/resolv.conf
            Filesize

            19B

            MD5

            18e0d4be7ee318c312d30ed75f39224a

            SHA1

            b9dc9465cf5b3df703210bc0a9c3a9cf99a0a9da

            SHA256

            ccf6e60942eb1621dc5c14f36e531f15ddab87cd011b0330055b638437969038

            SHA512

            50d8b06a918649fd3d3b9ddb4e9a5488584adc3fd17c32ed897283bdd96d38f77e51e7bf3580e9ec826aba09112cfcf220a6a989cae1f65e0876787fccd7b7f3

            Download Submit

          • /tmp/resolv.conf
            Filesize

            44B

            MD5

            51a49244ffd6b878ded13f8ca99ec374

            SHA1

            e1b011254290e401e3e033691ac003fb5eb4744e

            SHA256

            b8b3e8e7ef159fac65286258082f832c227e982512ff9457b7d166e91b77ce98

            SHA512

            202ecd188cb234b6d21e6a4c895fc1420ec445bea436a9cba0986fc82979df6d2f3afca57542e2944f5df9b380d61ede54e6782cd3baee0f07a1df41b59a10c1

            Download Submit