kaiten | d2e2fd9bcb3ba0416e9f057c3b09c8470d51634fc6ab0414611ba27ac7e98e2d

General

Target

inst
Size

732B
MD5

56a30205ea23a457ff2af18a76cd521c
SHA1

a2007725d6a3e6b2a1b6dfed6a9a735ac66a7606
SHA256

d1469b9971ed7346f21104b2044feb538a5206e55bdbc60b641c9d8ca11ab851
SHA512

7f44fbe568895c25fc63577aad7c5b1208226a42949e71a770b10a7f780ebe431d69182600fe190da6444554b29397168e6b51b815b1161febe5b8fe7269073b

Score

10^/10

kaiten botnet persistence

Malware Config

Signatures

Detects Kaiten/Tsunami Payload 3 IoCs

Processes:

resource	yara_rule
/tmp/ccQOg1wx.s	family_kaiten2
/tmp/ccSiCVfO.o	family_kaiten2
/tmp/httpds	family_kaiten2

Detects Kaiten/Tsunami payload 2 IoCs

Processes:

resource	yara_rule
/tmp/ccSiCVfO.o	family_kaiten
/tmp/httpds	family_kaiten

Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
botnet kaiten
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.s9Ulkq crontab

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.s9Ulkq	crontab

Reads runtime system information 3 IoCs

Reads data from /proc virtual filesystem.

Processes:

idmkdircp

description	ioc	process
File opened for reading	/proc/filesystems	id
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp

Writes file to tmp directory 12 IoCs

Malware often drops required files in the /tmp directory.

Processes:

ldinstcc1ascollect2gcc

description	ioc	process
File opened for modification	/tmp/httpds	ld
File opened for modification	/tmp/saveds
File opened for modification	/tmp/saveds	inst
File opened for modification	/tmp/ccQOg1wx.s	cc1
File opened for modification	/tmp/ccSiCVfO.o	as
File opened for modification	/tmp/cc9JymCb.o	collect2
File opened for modification	/tmp/ccTNFzws.ld	collect2
File opened for modification	/tmp/ccQOg1wx.s	gcc
File opened for modification	/tmp/ccSiCVfO.o	gcc
File opened for modification	/tmp/ccAej164.res	gcc
File opened for modification	/tmp/ccyJ2CIU.c	collect2
File opened for modification	/tmp/cc46K3qJ.le	collect2

/tmp/inst
/tmp/inst
1⤵
- Writes file to tmp directory
PID:1536

/usr/bin/id
id -u
2⤵
- Reads runtime system information
PID:1537

/bin/mkdir
mkdir /etc/-lib
2⤵
- Reads runtime system information
PID:1538

/bin/chmod
chmod u+x /etc/-lib/httpd
2⤵
PID:1539

/usr/bin/chattr
chattr +ais /etc/-lib/httpd
2⤵
PID:1540

/usr/bin/crontab
crontab -l
2⤵
PID:1541

/bin/grep
grep -vi /etc/-lib/httpd
2⤵
PID:1542

/usr/bin/crontab
crontab saveds
2⤵
- Creates/modifies Cron job
PID:1543

/bin/rm
rm -rf saveds
2⤵
PID:1544

/usr/bin/gcc
gcc httpds.c -o httpds
2⤵
- Writes file to tmp directory
PID:1545

/usr/lib/gcc/x86_64-linux-gnu/7/cc1
/usr/lib/gcc/x86_64-linux-gnu/7/cc1 -quiet -imultiarch x86_64-linux-gnu httpds.c -quiet -dumpbase httpds.c "-mtune=generic" "-march=x86-64" -auxbase httpds -fstack-protector-strong -Wformat -Wformat-security -o /tmp/ccQOg1wx.s
3⤵
- Writes file to tmp directory
PID:1546

/usr/local/sbin/as
as --64 -o /tmp/ccSiCVfO.o /tmp/ccQOg1wx.s
3⤵
PID:1550

/usr/local/bin/as
as --64 -o /tmp/ccSiCVfO.o /tmp/ccQOg1wx.s
3⤵
PID:1550

/usr/sbin/as
as --64 -o /tmp/ccSiCVfO.o /tmp/ccQOg1wx.s
3⤵
PID:1550

/usr/bin/as
as --64 -o /tmp/ccSiCVfO.o /tmp/ccQOg1wx.s
3⤵
- Writes file to tmp directory
PID:1550

/usr/lib/gcc/x86_64-linux-gnu/7/collect2
/usr/lib/gcc/x86_64-linux-gnu/7/collect2 -plugin /usr/lib/gcc/x86_64-linux-gnu/7/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccAej164.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" --build-id --eh-frame-hdr -m elf_x86_64 "--hash-style=gnu" --as-needed -dynamic-linker /lib64/ld-linux-x86-64.so.2 -pie -z now -z relro -o httpds /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/Scrt1.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/7 -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/7/../../.. /tmp/ccSiCVfO.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o
3⤵
- Writes file to tmp directory
PID:1551

/usr/bin/ld
/usr/bin/ld -plugin /usr/lib/gcc/x86_64-linux-gnu/7/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccAej164.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" --build-id --eh-frame-hdr -m elf_x86_64 "--hash-style=gnu" --as-needed -dynamic-linker /lib64/ld-linux-x86-64.so.2 -pie -z now -z relro -o httpds /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/Scrt1.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/7 -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/7/../../.. /tmp/ccSiCVfO.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o
4⤵
- Writes file to tmp directory
PID:1552

/bin/cp
cp httpds /etc/-lib/
2⤵
- Reads runtime system information
PID:1553

/bin/chmod
chmod u+x /etc/-lib/httpds
2⤵
PID:1554

/usr/bin/chattr
chattr +ais /etc/-lib/httpds
2⤵
PID:1555

/bin/rm
rm -rf ./httpds ./httpds.c ./inst
2⤵
PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/-lib/httpd
Filesize
163B

MD5
f74bebdcbf28f62cbca5043ccd4e3771

SHA1
398f13629a640ec98b2f3ee67cdc22b3eb5b487b

SHA256
cef7615f1d3fa6421a00ec39346bcca19c9cd3d777153e982c9237b46c9ddbaa

SHA512
de6b896fdc40bff0c2f3557490719ba4c0bf100d7ac15769a9afbf8bbf2dbcbb791c7b261a4e5bd8c9dc89a7b222d78d2abe1c8236e8adf663a95f28efd22b68

Download Submit
/tmp/ccQOg1wx.s
Filesize
84KB

MD5
9a7c4dc4c2f591b6206816229c8d693d

SHA1
ec800faa0b97527f8841c9244f9c456f6f4f80bc

SHA256
7dac63eae5b8c9e6752afcb633830b98474653cab891563c75c6b8165f195d7b

SHA512
005af043a75a05b2e818259211008bb132b61b069aea5ec6b599bea172c6b52279c3e894dbf5c002497d24c8e6351d5ddee6c7213be5420babc478b0eef96402

Download Submit
/tmp/ccSiCVfO.o
Filesize
42KB

MD5
a4f80fb371948507e6083b2d7e17283d

SHA1
cb83c6a69c48c2ee26a1d6c13082ac33d6739dda

SHA256
72af7d462331bcd87eb85c210d42f7110a1dae36f269bac162d56a9d999f7d5a

SHA512
3c3e7fc232d7e9dda7dc04e9485550d3417b300de85d368337e512439eebf9db41a23427818d8069d5d61d4e4417755fc9558f3fdc61db0f8c12cd4307c0d6c2

Download Submit
/tmp/httpds
Filesize
40KB

MD5
3c8a941508a10861c1bfbdf9dc94ffd0

SHA1
fafba12d7d1246ff62040be9377466baaf4709bc

SHA256
8f2880164a1810cc3ad2bbe9cff3fdf65f3751f33d4a955576f7fa60c280b238

SHA512
b4048ae39d4e631f2f681ac8441a351f670fcf9872335684131c1e2ddfab8c19e366641a6d6fba1f67d544e0d5f317b97fa80d1fd369445e9801ddba83869d88

Download Submit
/tmp/saveds
Filesize
42B

MD5
6c8eb055c0fd33626d89304ea6591bd0

SHA1
d51eb12a8891939217e1e867ba114ddfe940b9ed

SHA256
4212867a0307d9fcc05f966ae12f5280bb2b6f70c39b2d533663ad76a1c5aaf8

SHA512
a9d702ccb477fe1ddda484a05bf0150025e979855c03b200e4d62048d23780f256595917767071a62e961e9a926875724031a411597f2d788798d58bd9f78321

Download Submit
/var/spool/cron/crontabs/tmp.s9Ulkq
Filesize
222B

MD5
d0faab5eaa348c1b316325178dd50fd2

SHA1
619456862136654671c49484e14bc9c32ab41bc6

SHA256
78e2afda962ed29c8b11278ea3d435dbb5f785eec4f6ce9e5076566223db6f60

SHA512
40d37cdac6a3933bacbb6ea33488bc9bcba0fb4a17028ccccb20a877985d9c037b07137b7e18ad80d824fe2d44fe2ef3363ab036e19b8adafe21ca8fa12ccc21

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads