kaiten | 20e6d42c34c5d986e83f834df3bb475a1df49acdb4e6fa332a86a45b423ff850

General

Target

e466d2f7b23f6d62b309989f1828d734
Size

62KB
MD5

e466d2f7b23f6d62b309989f1828d734
SHA1

c0dbfca2caf98c99d48e8c99bb306ec32d084001
SHA256

20e6d42c34c5d986e83f834df3bb475a1df49acdb4e6fa332a86a45b423ff850
SHA512

cf8a727c514273379a78798e439239baacfde459a9d0d64619a712e8959336b2a747f4912b918ef9415ebcddf280ca6598564f5fa59a00a420957b99762c6dd2
SSDEEP

768:vYPjLmGo1TW7QXgdRv4r5J8+/DBW1DR/Whzeq5TflWsL3JgGlzDpYuR1JQHRkAg3:AvmG8i7Qwn4lJTC9YjlWq1VGu2RW

Score

10^/10

kaiten botnet

Malware Config

Signatures

Detects Kaiten/Tsunami Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/716-1-0x00400000-0x0045fbf4-memory.dmp	family_kaiten2

Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
botnet kaiten
Writes DNS configuration 1 TTPs 1 IoCs
Writes data to DNS resolver config file.

Dynamic Resolution
T1568

Processes:

description ioc

File opened for modification /etc/resolv.conf
Enumerates running processes
Discovers information about currently running processes on the system

description	ioc
File opened for modification	/etc/resolv.conf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

killallkillallkillallkillallkillallkillallkillallkillallkillall

description	ioc	process
File opened for reading	/proc/142/stat	killall
File opened for reading	/proc/776/stat	killall
File opened for reading	/proc/142/stat	killall
File opened for reading	/proc/105/stat	killall
File opened for reading	/proc/76/stat	killall
File opened for reading	/proc/333/stat	killall
File opened for reading	/proc/12/stat	killall
File opened for reading	/proc/2/stat	killall
File opened for reading	/proc/709/stat	killall
File opened for reading	/proc/150/stat	killall
File opened for reading	/proc/74/stat	killall
File opened for reading	/proc/333/stat	killall
File opened for reading	/proc/703/stat	killall
File opened for reading	/proc/22/stat	killall
File opened for reading	/proc/513/stat	killall
File opened for reading	/proc/82/stat	killall
File opened for reading	/proc/330/stat	killall
File opened for reading	/proc/150/stat	killall
File opened for reading	/proc/37/stat	killall
File opened for reading	/proc/16/stat	killall
File opened for reading	/proc/20/stat	killall
File opened for reading	/proc/4/stat	killall
File opened for reading	/proc/105/stat	killall
File opened for reading	/proc/513/stat	killall
File opened for reading	/proc/709/cmdline	killall
File opened for reading	/proc/514/stat	killall
File opened for reading	/proc/6/stat	killall
File opened for reading	/proc/69/stat	killall
File opened for reading	/proc/2/stat	killall
File opened for reading	/proc/703/stat	killall
File opened for reading	/proc/7/stat	killall
File opened for reading	/proc/716/stat	killall
File opened for reading	/proc/16/stat	killall
File opened for reading	/proc/716/cmdline	killall
File opened for reading	/proc/769/stat	killall
File opened for reading	/proc/76/stat	killall
File opened for reading	/proc/37/stat	killall
File opened for reading	/proc/362/stat	killall
File opened for reading	/proc/1/stat	killall
File opened for reading	/proc/20/stat	killall
File opened for reading	/proc/12/stat	killall
File opened for reading	/proc/78/stat	killall
File opened for reading	/proc/241/stat	killall
File opened for reading	/proc/241/stat	killall
File opened for reading	/proc/706/stat	killall
File opened for reading	/proc/716/cmdline	killall
File opened for reading	/proc/716/stat	killall
File opened for reading	/proc/4/stat	killall
File opened for reading	/proc/385/stat	killall
File opened for reading	/proc/716/cmdline	killall
File opened for reading	/proc/706/stat	killall
File opened for reading	/proc/4/stat	killall
File opened for reading	/proc/18/stat	killall
File opened for reading	/proc/37/stat	killall
File opened for reading	/proc/6/stat	killall
File opened for reading	/proc/115/stat	killall
File opened for reading	/proc/15/stat	killall
File opened for reading	/proc/333/stat	killall
File opened for reading	/proc/703/stat	killall
File opened for reading	/proc/17/stat	killall
File opened for reading	/proc/330/stat	killall
File opened for reading	/proc/2/stat	killall
File opened for reading	/proc/11/stat	killall
File opened for reading	/proc/700/cmdline	killall

/tmp/e466d2f7b23f6d62b309989f1828d734
/tmp/e466d2f7b23f6d62b309989f1828d734
1⤵
PID:716

/bin/sh
sh -c "rm -rf /var/run/wgsh > /dev/null 2>&1 &"
2⤵
PID:718

/bin/sh
sh -c "rm -rf /var/run/bbsh > /dev/null 2>&1 &"
2⤵
PID:722

/bin/sh
sh -c "rm -rf /var/run/tty0 > /dev/null 2>&1 &"
2⤵
PID:725

/bin/sh
sh -c "rm -rf /var/run/tty2 > /dev/null 2>&1 &"
2⤵
PID:730

/bin/sh
sh -c "rm -rf /var/run/tty3 > /dev/null 2>&1 &"
2⤵
PID:733

/bin/sh
sh -c "rm -rf /var/run/tty4 > /dev/null 2>&1 &"
2⤵
PID:736

/bin/sh
sh -c "rm -rf /var/run/tty5 > /dev/null 2>&1 &"
2⤵
PID:738

/bin/sh
sh -c "rm -rf /var/run/tty6 > /dev/null 2>&1 &"
2⤵
PID:741

/bin/sh
sh -c "rm -rf /tmp/tty0 > /dev/null 2>&1 &"
2⤵
PID:743

/bin/sh
sh -c "rm -rf /tmp/tty2 > /dev/null 2>&1 &"
2⤵
PID:745

/bin/sh
sh -c "rm -rf /tmp/tty3 > /dev/null 2>&1 &"
2⤵
PID:747

/bin/sh
sh -c "rm -rf /tmp/tty4 > /dev/null 2>&1 &"
2⤵
PID:749

/bin/sh
sh -c "rm -rf /tmp/tty5 > /dev/null 2>&1 &"
2⤵
PID:752

/bin/sh
sh -c "rm -rf /tmp/tty6 > /dev/null 2>&1 &"
2⤵
PID:754

/bin/sh
sh -c "rm -rf /var/run/pty > /dev/null 2>&1 &"
2⤵
PID:756

/bin/sh
sh -c "killall -9 arm > /dev/null 2>&1 &"
2⤵
PID:759

/bin/sh
sh -c "killall -9 mips > /dev/null 2>&1 &"
2⤵
PID:761

/bin/sh
sh -c "killall -9 mipsel > /dev/null 2>&1 &"
2⤵
PID:763

/bin/sh
sh -c "killall -9 powerpc > /dev/null 2>&1 &"
2⤵
PID:765

/bin/sh
sh -c "killall -9 ppc > /dev/null 2>&1 &"
2⤵
PID:767

/bin/sh
sh -c "killall -9 daemon.armv4l.mod > /dev/null 2>&1 &"
2⤵
PID:770

/bin/sh
sh -c "killall -9 daemon.i686.mod > /dev/null 2>&1 &"
2⤵
PID:772

/bin/sh
sh -c "killall -9 daemon.mips.mod > /dev/null 2>&1 &"
2⤵
PID:775

/bin/sh
sh -c "killall -9 daemon.mipsel.mod > /dev/null 2>&1 &"
2⤵
PID:777

/bin/sh
sh -c "kill -9 `cat /tmp/.xs/*.pid` > /dev/null 2>&1 &"
2⤵
PID:780

/bin/sh
sh -c "rm -rf /tmp/.xs/* > /dev/null 2>&1 &"
2⤵
PID:782

/bin/sh
sh -c "sleep 432000 && reboot &"
2⤵
PID:785

/bin/sh
sh -c "echo \"nameserver 8.8.8.8\" > /etc/resolv.conf &"
2⤵
PID:787

/bin/sh
sh -c "chmod 700 /tmp/e466d2f7b23f6d62b309989f1828d734 > /dev/null 2>&1 &"
2⤵
PID:790

/bin/sh
sh -c "touch -acmr /bin/ls /tmp/e466d2f7b23f6d62b309989f1828d734"
2⤵
PID:792

/usr/bin/touch
touch -acmr /bin/ls /tmp/e466d2f7b23f6d62b309989f1828d734
3⤵
PID:794

/bin/sh
sh -c "(crontab -l | grep -v \"/tmp/e466d2f7b23f6d62b309989f1828d734\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x001804289383) > /dev/null 2>&1"
2⤵
PID:795

/bin/sh
sh -c "echo \"* * * * * /tmp/e466d2f7b23f6d62b309989f1828d734 > /dev/null 2>&1 &\" >> /var/run/.x001804289383"
2⤵
PID:801

/bin/rm
rm -rf /var/run/wgsh
1⤵
PID:721

/bin/rm
rm -rf /var/run/bbsh
1⤵
PID:724

/bin/rm
rm -rf /var/run/tty0
1⤵
PID:729

/bin/rm
rm -rf /var/run/tty2
1⤵
PID:732

/bin/rm
rm -rf /var/run/tty3
1⤵
PID:735

/bin/rm
rm -rf /var/run/tty4
1⤵
PID:737

/bin/rm
rm -rf /var/run/tty5
1⤵
PID:740

/bin/rm
rm -rf /var/run/tty6
1⤵
PID:742

/bin/rm
rm -rf /tmp/tty0
1⤵
PID:744

/bin/rm
rm -rf /tmp/tty2
1⤵
PID:746

/bin/rm
rm -rf /tmp/tty3
1⤵
PID:748

/bin/rm
rm -rf /tmp/tty4
1⤵
PID:751

/bin/rm
rm -rf /tmp/tty5
1⤵
PID:753

/bin/rm
rm -rf /tmp/tty6
1⤵
PID:755

/bin/rm
rm -rf /var/run/pty
1⤵
PID:758

/usr/bin/killall
killall -9 arm
1⤵
- Reads runtime system information
PID:760

/usr/bin/killall
killall -9 mips
1⤵
- Reads runtime system information
PID:762

/usr/bin/killall
killall -9 mipsel
1⤵
- Reads runtime system information
PID:764

/usr/bin/killall
killall -9 powerpc
1⤵
- Reads runtime system information
PID:766

/usr/bin/killall
killall -9 ppc
1⤵
- Reads runtime system information
PID:769

/usr/bin/killall
killall -9 daemon.armv4l.mod
1⤵
- Reads runtime system information
PID:771

/usr/bin/killall
killall -9 daemon.i686.mod
1⤵
- Reads runtime system information
PID:774

/usr/bin/killall
killall -9 daemon.mips.mod
1⤵
- Reads runtime system information
PID:776

/usr/bin/killall
killall -9 daemon.mipsel.mod
1⤵
- Reads runtime system information
PID:779

/bin/cat
cat "/tmp/.xs/*.pid"
1⤵
PID:783

/bin/rm
rm -rf "/tmp/.xs/*"
1⤵
PID:784

/bin/sleep
sleep 432000
1⤵
PID:788

/bin/chmod
chmod 700 /tmp/e466d2f7b23f6d62b309989f1828d734
1⤵
PID:791

/usr/bin/crontab
crontab -l
1⤵
PID:797

/bin/grep
grep -v /tmp/e466d2f7b23f6d62b309989f1828d734
1⤵
PID:798

/bin/grep
grep -v "no cron"
1⤵
PID:799

/bin/grep
grep -v lesshts/run.sh
1⤵
PID:800

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Dynamic Resolution

1

T1568

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/run/.x001804289383
Filesize
67B

MD5
abb9aad8eaee670b33ff743c093cf1de

SHA1
4e5142d3380f97db66a3ed55ed90402d20c4ce54

SHA256
d5594e9b0ea0c80b3403b31c5c9314060bb94959a8ff251bb0d51d24f14c1421

SHA512
477f39d6b97b46e433382d157c8f901abd843fec2e77842f1a427b4f29859a3cfd1fb5c2439d991e81bfe10cbf4a44196094bddbfa271e33d50f1a537be200c2

Download Submit
memory/716-1-0x00400000-0x0045fbf4-memory.dmp

Download

Analysis

Sharing