kaiten | d2e2fd9bcb3ba0416e9f057c3b09c8470d51634fc6ab0414611ba27ac7e98e2d

Analysis

max time kernel
4s
max time network
152s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22-12-2023 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

inst
Size

732B
MD5

56a30205ea23a457ff2af18a76cd521c
SHA1

a2007725d6a3e6b2a1b6dfed6a9a735ac66a7606
SHA256

d1469b9971ed7346f21104b2044feb538a5206e55bdbc60b641c9d8ca11ab851
SHA512

7f44fbe568895c25fc63577aad7c5b1208226a42949e71a770b10a7f780ebe431d69182600fe190da6444554b29397168e6b51b815b1161febe5b8fe7269073b

Score

10^/10

kaiten botnet persistence

Malware Config

Signatures

Detects Kaiten/Tsunami Payload 3 IoCs

Processes:

resource	yara_rule
/tmp/ccQOg1wx.s	family_kaiten2
/tmp/ccSiCVfO.o	family_kaiten2
/tmp/httpds	family_kaiten2

Detects Kaiten/Tsunami payload 2 IoCs

Processes:

resource	yara_rule
/tmp/ccSiCVfO.o	family_kaiten
/tmp/httpds	family_kaiten

Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
botnet kaiten
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.s9Ulkq crontab

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.s9Ulkq	crontab

Reads runtime system information 3 IoCs

Reads data from /proc virtual filesystem.

Processes:

idmkdircp

description	ioc	process
File opened for reading	/proc/filesystems	id
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp

Writes file to tmp directory 12 IoCs

Malware often drops required files in the /tmp directory.

Processes:

ldinstcc1ascollect2gcc

description	ioc	process
File opened for modification	/tmp/httpds	ld
File opened for modification	/tmp/saveds
File opened for modification	/tmp/saveds	inst
File opened for modification	/tmp/ccQOg1wx.s	cc1
File opened for modification	/tmp/ccSiCVfO.o	as
File opened for modification	/tmp/cc9JymCb.o	collect2
File opened for modification	/tmp/ccTNFzws.ld	collect2
File opened for modification	/tmp/ccQOg1wx.s	gcc
File opened for modification	/tmp/ccSiCVfO.o	gcc
File opened for modification	/tmp/ccAej164.res	gcc
File opened for modification	/tmp/ccyJ2CIU.c	collect2
File opened for modification	/tmp/cc46K3qJ.le	collect2

/tmp/inst
/tmp/inst
1⤵
- Writes file to tmp directory
PID:1536
- /usr/bin/id
  id -u
  2⤵
  - Reads runtime system information
  PID:1537
- /bin/mkdir
  mkdir /etc/-lib
  2⤵
  - Reads runtime system information
  PID:1538
- /bin/chmod
  chmod u+x /etc/-lib/httpd
  2⤵
  PID:1539
- /usr/bin/chattr
  chattr +ais /etc/-lib/httpd
  2⤵
  PID:1540
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1541
- /bin/grep
  grep -vi /etc/-lib/httpd
  2⤵
  PID:1542
- /usr/bin/crontab
  crontab saveds
  2⤵
  - Creates/modifies Cron job
  PID:1543
- /bin/rm
  rm -rf saveds
  2⤵
  PID:1544
- /usr/bin/gcc
  gcc httpds.c -o httpds
  2⤵
  - Writes file to tmp directory
  PID:1545
- - /usr/lib/gcc/x86_64-linux-gnu/7/cc1
    /usr/lib/gcc/x86_64-linux-gnu/7/cc1 -quiet -imultiarch x86_64-linux-gnu httpds.c -quiet -dumpbase httpds.c "-mtune=generic" "-march=x86-64" -auxbase httpds -fstack-protector-strong -Wformat -Wformat-security -o /tmp/ccQOg1wx.s
    3⤵
    - Writes file to tmp directory
    PID:1546
- - /usr/local/sbin/as
    as --64 -o /tmp/ccSiCVfO.o /tmp/ccQOg1wx.s
    3⤵
    PID:1550
- - /usr/local/bin/as
    as --64 -o /tmp/ccSiCVfO.o /tmp/ccQOg1wx.s
    3⤵
    PID:1550
- - /usr/sbin/as
    as --64 -o /tmp/ccSiCVfO.o /tmp/ccQOg1wx.s
    3⤵
    PID:1550
- - /usr/bin/as
    as --64 -o /tmp/ccSiCVfO.o /tmp/ccQOg1wx.s
    3⤵
    - Writes file to tmp directory
    PID:1550
- - /usr/lib/gcc/x86_64-linux-gnu/7/collect2
    /usr/lib/gcc/x86_64-linux-gnu/7/collect2 -plugin /usr/lib/gcc/x86_64-linux-gnu/7/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccAej164.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" --build-id --eh-frame-hdr -m elf_x86_64 "--hash-style=gnu" --as-needed -dynamic-linker /lib64/ld-linux-x86-64.so.2 -pie -z now -z relro -o httpds /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/Scrt1.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/7 -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/7/../../.. /tmp/ccSiCVfO.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o
    3⤵
    - Writes file to tmp directory
    PID:1551
  - - /usr/bin/ld
      /usr/bin/ld -plugin /usr/lib/gcc/x86_64-linux-gnu/7/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccAej164.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" --build-id --eh-frame-hdr -m elf_x86_64 "--hash-style=gnu" --as-needed -dynamic-linker /lib64/ld-linux-x86-64.so.2 -pie -z now -z relro -o httpds /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/Scrt1.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/7 -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/7/../../.. /tmp/ccSiCVfO.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o
      4⤵
      Writes file to tmp directory
      PID:1552
- /bin/cp
  cp httpds /etc/-lib/
  2⤵
  - Reads runtime system information
  PID:1553
- /bin/chmod
  chmod u+x /etc/-lib/httpds
  2⤵
  PID:1554
- /usr/bin/chattr
  chattr +ais /etc/-lib/httpds
  2⤵
  PID:1555
- /bin/rm
  rm -rf ./httpds ./httpds.c ./inst
  2⤵
  PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/-lib/httpd

Filesize
163B

MD5
f74bebdcbf28f62cbca5043ccd4e3771

SHA1
398f13629a640ec98b2f3ee67cdc22b3eb5b487b

SHA256
cef7615f1d3fa6421a00ec39346bcca19c9cd3d777153e982c9237b46c9ddbaa

SHA512
de6b896fdc40bff0c2f3557490719ba4c0bf100d7ac15769a9afbf8bbf2dbcbb791c7b261a4e5bd8c9dc89a7b222d78d2abe1c8236e8adf663a95f28efd22b68

Download Submit
/tmp/ccQOg1wx.s

Filesize
84KB

MD5
9a7c4dc4c2f591b6206816229c8d693d

SHA1
ec800faa0b97527f8841c9244f9c456f6f4f80bc

SHA256
7dac63eae5b8c9e6752afcb633830b98474653cab891563c75c6b8165f195d7b

SHA512
005af043a75a05b2e818259211008bb132b61b069aea5ec6b599bea172c6b52279c3e894dbf5c002497d24c8e6351d5ddee6c7213be5420babc478b0eef96402

Download Submit
/tmp/ccSiCVfO.o

Filesize
42KB

MD5
a4f80fb371948507e6083b2d7e17283d

SHA1
cb83c6a69c48c2ee26a1d6c13082ac33d6739dda

SHA256
72af7d462331bcd87eb85c210d42f7110a1dae36f269bac162d56a9d999f7d5a

SHA512
3c3e7fc232d7e9dda7dc04e9485550d3417b300de85d368337e512439eebf9db41a23427818d8069d5d61d4e4417755fc9558f3fdc61db0f8c12cd4307c0d6c2

Download Submit
/tmp/httpds

Filesize
40KB

MD5
3c8a941508a10861c1bfbdf9dc94ffd0

SHA1
fafba12d7d1246ff62040be9377466baaf4709bc

SHA256
8f2880164a1810cc3ad2bbe9cff3fdf65f3751f33d4a955576f7fa60c280b238

SHA512
b4048ae39d4e631f2f681ac8441a351f670fcf9872335684131c1e2ddfab8c19e366641a6d6fba1f67d544e0d5f317b97fa80d1fd369445e9801ddba83869d88

Download Submit
/tmp/saveds

Filesize
42B

MD5
6c8eb055c0fd33626d89304ea6591bd0

SHA1
d51eb12a8891939217e1e867ba114ddfe940b9ed

SHA256
4212867a0307d9fcc05f966ae12f5280bb2b6f70c39b2d533663ad76a1c5aaf8

SHA512
a9d702ccb477fe1ddda484a05bf0150025e979855c03b200e4d62048d23780f256595917767071a62e961e9a926875724031a411597f2d788798d58bd9f78321

Download Submit
/var/spool/cron/crontabs/tmp.s9Ulkq

Filesize
222B

MD5
d0faab5eaa348c1b316325178dd50fd2

SHA1
619456862136654671c49484e14bc9c32ab41bc6

SHA256
78e2afda962ed29c8b11278ea3d435dbb5f785eec4f6ce9e5076566223db6f60

SHA512
40d37cdac6a3933bacbb6ea33488bc9bcba0fb4a17028ccccb20a877985d9c037b07137b7e18ad80d824fe2d44fe2ef3363ab036e19b8adafe21ca8fa12ccc21

Download Submit