kaiten | 20e6d42c34c5d986e83f834df3bb475a1df49acdb4e6fa332a86a45b423ff850

Analysis

max time kernel
9s
platform
debian-9_mips
resource
debian9-mipsbe-20231215-en
resource tags

arch:mipsimage:debian9-mipsbe-20231215-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
20-12-2023 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e466d2f7b23f6d62b309989f1828d734
Size

62KB
MD5

e466d2f7b23f6d62b309989f1828d734
SHA1

c0dbfca2caf98c99d48e8c99bb306ec32d084001
SHA256

20e6d42c34c5d986e83f834df3bb475a1df49acdb4e6fa332a86a45b423ff850
SHA512

cf8a727c514273379a78798e439239baacfde459a9d0d64619a712e8959336b2a747f4912b918ef9415ebcddf280ca6598564f5fa59a00a420957b99762c6dd2
SSDEEP

768:vYPjLmGo1TW7QXgdRv4r5J8+/DBW1DR/Whzeq5TflWsL3JgGlzDpYuR1JQHRkAg3:AvmG8i7Qwn4lJTC9YjlWq1VGu2RW

Score

10^/10

kaiten botnet

Malware Config

Signatures

Detects Kaiten/Tsunami Payload 1 IoCs

resource	yara_rule
behavioral1/memory/716-1-0x00400000-0x0045fbf4-memory.dmp	family_kaiten2

Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
botnet kaiten

Writes DNS configuration 1 TTPs 1 IoCs

Writes data to DNS resolver config file.

Dynamic Resolution

T1568

description	ioc
File opened for modification	/etc/resolv.conf

Enumerates running processes
Discovers information about currently running processes on the system

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/142/stat	killall
File opened for reading	/proc/776/stat	killall
File opened for reading	/proc/142/stat	killall
File opened for reading	/proc/105/stat	killall
File opened for reading	/proc/76/stat	killall
File opened for reading	/proc/333/stat	killall
File opened for reading	/proc/12/stat	killall
File opened for reading	/proc/2/stat	killall
File opened for reading	/proc/709/stat	killall
File opened for reading	/proc/150/stat	killall
File opened for reading	/proc/74/stat	killall
File opened for reading	/proc/333/stat	killall
File opened for reading	/proc/703/stat	killall
File opened for reading	/proc/22/stat	killall
File opened for reading	/proc/513/stat	killall
File opened for reading	/proc/82/stat	killall
File opened for reading	/proc/330/stat	killall
File opened for reading	/proc/150/stat	killall
File opened for reading	/proc/37/stat	killall
File opened for reading	/proc/16/stat	killall
File opened for reading	/proc/20/stat	killall
File opened for reading	/proc/4/stat	killall
File opened for reading	/proc/105/stat	killall
File opened for reading	/proc/513/stat	killall
File opened for reading	/proc/709/cmdline	killall
File opened for reading	/proc/514/stat	killall
File opened for reading	/proc/6/stat	killall
File opened for reading	/proc/69/stat	killall
File opened for reading	/proc/2/stat	killall
File opened for reading	/proc/703/stat	killall
File opened for reading	/proc/7/stat	killall
File opened for reading	/proc/716/stat	killall
File opened for reading	/proc/16/stat	killall
File opened for reading	/proc/716/cmdline	killall
File opened for reading	/proc/769/stat	killall
File opened for reading	/proc/76/stat	killall
File opened for reading	/proc/37/stat	killall
File opened for reading	/proc/362/stat	killall
File opened for reading	/proc/1/stat	killall
File opened for reading	/proc/20/stat	killall
File opened for reading	/proc/12/stat	killall
File opened for reading	/proc/78/stat	killall
File opened for reading	/proc/241/stat	killall
File opened for reading	/proc/241/stat	killall
File opened for reading	/proc/706/stat	killall
File opened for reading	/proc/716/cmdline	killall
File opened for reading	/proc/716/stat	killall
File opened for reading	/proc/4/stat	killall
File opened for reading	/proc/385/stat	killall
File opened for reading	/proc/716/cmdline	killall
File opened for reading	/proc/706/stat	killall
File opened for reading	/proc/4/stat	killall
File opened for reading	/proc/18/stat	killall
File opened for reading	/proc/37/stat	killall
File opened for reading	/proc/6/stat	killall
File opened for reading	/proc/115/stat	killall
File opened for reading	/proc/15/stat	killall
File opened for reading	/proc/333/stat	killall
File opened for reading	/proc/703/stat	killall
File opened for reading	/proc/17/stat	killall
File opened for reading	/proc/330/stat	killall
File opened for reading	/proc/2/stat	killall
File opened for reading	/proc/11/stat	killall
File opened for reading	/proc/700/cmdline	killall

/tmp/e466d2f7b23f6d62b309989f1828d734
/tmp/e466d2f7b23f6d62b309989f1828d734
1⤵
PID:716
- /bin/sh
  sh -c "rm -rf /var/run/wgsh > /dev/null 2>&1 &"
  2⤵
  PID:718
- /bin/sh
  sh -c "rm -rf /var/run/bbsh > /dev/null 2>&1 &"
  2⤵
  PID:722
- /bin/sh
  sh -c "rm -rf /var/run/tty0 > /dev/null 2>&1 &"
  2⤵
  PID:725
- /bin/sh
  sh -c "rm -rf /var/run/tty2 > /dev/null 2>&1 &"
  2⤵
  PID:730
- /bin/sh
  sh -c "rm -rf /var/run/tty3 > /dev/null 2>&1 &"
  2⤵
  PID:733
- /bin/sh
  sh -c "rm -rf /var/run/tty4 > /dev/null 2>&1 &"
  2⤵
  PID:736
- /bin/sh
  sh -c "rm -rf /var/run/tty5 > /dev/null 2>&1 &"
  2⤵
  PID:738
- /bin/sh
  sh -c "rm -rf /var/run/tty6 > /dev/null 2>&1 &"
  2⤵
  PID:741
- /bin/sh
  sh -c "rm -rf /tmp/tty0 > /dev/null 2>&1 &"
  2⤵
  PID:743
- /bin/sh
  sh -c "rm -rf /tmp/tty2 > /dev/null 2>&1 &"
  2⤵
  PID:745
- /bin/sh
  sh -c "rm -rf /tmp/tty3 > /dev/null 2>&1 &"
  2⤵
  PID:747
- /bin/sh
  sh -c "rm -rf /tmp/tty4 > /dev/null 2>&1 &"
  2⤵
  PID:749
- /bin/sh
  sh -c "rm -rf /tmp/tty5 > /dev/null 2>&1 &"
  2⤵
  PID:752
- /bin/sh
  sh -c "rm -rf /tmp/tty6 > /dev/null 2>&1 &"
  2⤵
  PID:754
- /bin/sh
  sh -c "rm -rf /var/run/pty > /dev/null 2>&1 &"
  2⤵
  PID:756
- /bin/sh
  sh -c "killall -9 arm > /dev/null 2>&1 &"
  2⤵
  PID:759
- /bin/sh
  sh -c "killall -9 mips > /dev/null 2>&1 &"
  2⤵
  PID:761
- /bin/sh
  sh -c "killall -9 mipsel > /dev/null 2>&1 &"
  2⤵
  PID:763
- /bin/sh
  sh -c "killall -9 powerpc > /dev/null 2>&1 &"
  2⤵
  PID:765
- /bin/sh
  sh -c "killall -9 ppc > /dev/null 2>&1 &"
  2⤵
  PID:767
- /bin/sh
  sh -c "killall -9 daemon.armv4l.mod > /dev/null 2>&1 &"
  2⤵
  PID:770
- /bin/sh
  sh -c "killall -9 daemon.i686.mod > /dev/null 2>&1 &"
  2⤵
  PID:772
- /bin/sh
  sh -c "killall -9 daemon.mips.mod > /dev/null 2>&1 &"
  2⤵
  PID:775
- /bin/sh
  sh -c "killall -9 daemon.mipsel.mod > /dev/null 2>&1 &"
  2⤵
  PID:777
- /bin/sh
  sh -c "kill -9 `cat /tmp/.xs/*.pid` > /dev/null 2>&1 &"
  2⤵
  PID:780
- /bin/sh
  sh -c "rm -rf /tmp/.xs/* > /dev/null 2>&1 &"
  2⤵
  PID:782
- /bin/sh
  sh -c "sleep 432000 && reboot &"
  2⤵
  PID:785
- /bin/sh
  sh -c "echo \"nameserver 8.8.8.8\" > /etc/resolv.conf &"
  2⤵
  PID:787
- /bin/sh
  sh -c "chmod 700 /tmp/e466d2f7b23f6d62b309989f1828d734 > /dev/null 2>&1 &"
  2⤵
  PID:790
- /bin/sh
  sh -c "touch -acmr /bin/ls /tmp/e466d2f7b23f6d62b309989f1828d734"
  2⤵
  PID:792
- - /usr/bin/touch
    touch -acmr /bin/ls /tmp/e466d2f7b23f6d62b309989f1828d734
    3⤵
    PID:794
- /bin/sh
  sh -c "(crontab -l | grep -v \"/tmp/e466d2f7b23f6d62b309989f1828d734\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x001804289383) > /dev/null 2>&1"
  2⤵
  PID:795
- /bin/sh
  sh -c "echo \"* * * * * /tmp/e466d2f7b23f6d62b309989f1828d734 > /dev/null 2>&1 &\" >> /var/run/.x001804289383"
  2⤵
  PID:801

/bin/rm
rm -rf /var/run/wgsh
1⤵
PID:721

/bin/rm
rm -rf /var/run/bbsh
1⤵
PID:724

/bin/rm
rm -rf /var/run/tty0
1⤵
PID:729

/bin/rm
rm -rf /var/run/tty2
1⤵
PID:732

/bin/rm
rm -rf /var/run/tty3
1⤵
PID:735

/bin/rm
rm -rf /var/run/tty4
1⤵
PID:737

/bin/rm
rm -rf /var/run/tty5
1⤵
PID:740

/bin/rm
rm -rf /var/run/tty6
1⤵
PID:742

/bin/rm
rm -rf /tmp/tty0
1⤵
PID:744

/bin/rm
rm -rf /tmp/tty2
1⤵
PID:746

/bin/rm
rm -rf /tmp/tty3
1⤵
PID:748

/bin/rm
rm -rf /tmp/tty4
1⤵
PID:751

/bin/rm
rm -rf /tmp/tty5
1⤵
PID:753

/bin/rm
rm -rf /tmp/tty6
1⤵
PID:755

/bin/rm
rm -rf /var/run/pty
1⤵
PID:758

/usr/bin/killall
killall -9 arm
1⤵
- Reads runtime system information
PID:760

/usr/bin/killall
killall -9 mips
1⤵
- Reads runtime system information
PID:762

/usr/bin/killall
killall -9 mipsel
1⤵
- Reads runtime system information
PID:764

/usr/bin/killall
killall -9 powerpc
1⤵
- Reads runtime system information
PID:766

/usr/bin/killall
killall -9 ppc
1⤵
- Reads runtime system information
PID:769

/usr/bin/killall
killall -9 daemon.armv4l.mod
1⤵
- Reads runtime system information
PID:771

/usr/bin/killall
killall -9 daemon.i686.mod
1⤵
- Reads runtime system information
PID:774

/usr/bin/killall
killall -9 daemon.mips.mod
1⤵
- Reads runtime system information
PID:776

/usr/bin/killall
killall -9 daemon.mipsel.mod
1⤵
- Reads runtime system information
PID:779

/bin/cat
cat "/tmp/.xs/*.pid"
1⤵
PID:783

/bin/rm
rm -rf "/tmp/.xs/*"
1⤵
PID:784

/bin/sleep
sleep 432000
1⤵
PID:788

/bin/chmod
chmod 700 /tmp/e466d2f7b23f6d62b309989f1828d734
1⤵
PID:791

/usr/bin/crontab
crontab -l
1⤵
PID:797

/bin/grep
grep -v /tmp/e466d2f7b23f6d62b309989f1828d734
1⤵
PID:798

/bin/grep
grep -v "no cron"
1⤵
PID:799

/bin/grep
grep -v lesshts/run.sh
1⤵
PID:800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Dynamic Resolution

T1568

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/run/.x001804289383

Filesize
67B

MD5
abb9aad8eaee670b33ff743c093cf1de

SHA1
4e5142d3380f97db66a3ed55ed90402d20c4ce54

SHA256
d5594e9b0ea0c80b3403b31c5c9314060bb94959a8ff251bb0d51d24f14c1421

SHA512
477f39d6b97b46e433382d157c8f901abd843fec2e77842f1a427b4f29859a3cfd1fb5c2439d991e81bfe10cbf4a44196094bddbfa271e33d50f1a537be200c2

Download Submit