Analysis

  • max time kernel
    18s
  • max time network
    153s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20231215-en
  • resource tags

    arch:armhf
    image:debian9-armhf-20231215-en
    kernel:4.9.0-13-armmp-lpae
    locale:en-us
    os:debian-9-armhf
    system
  • submitted
    22-12-2023 01:51

General

  • Target

    inst

  • Size

    732B

  • MD5

    56a30205ea23a457ff2af18a76cd521c

  • SHA1

    a2007725d6a3e6b2a1b6dfed6a9a735ac66a7606

  • SHA256

    d1469b9971ed7346f21104b2044feb538a5206e55bdbc60b641c9d8ca11ab851

  • SHA512

    7f44fbe568895c25fc63577aad7c5b1208226a42949e71a770b10a7f780ebe431d69182600fe190da6444554b29397168e6b51b815b1161febe5b8fe7269073b

Malware Config

Signatures

  • Detects Kaiten/Tsunami Payload 2 IoCs
  • Detects Kaiten/Tsunami payload 2 IoCs
  • Kaiten/Tsunami

    Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Reads runtime system information 5 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 12 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/inst
    /tmp/inst
    1⤵
    • Writes file to tmp directory
    PID:652
    • /usr/bin/id
      id -u
      2⤵
      • Reads runtime system information
      PID:654
    • /bin/mkdir
      mkdir /etc/-lib
      2⤵
      • Reads runtime system information
      PID:656
    • /bin/chmod
      chmod u+x /etc/-lib/httpd
      2⤵
      PID:660
    • /usr/bin/chattr
      chattr +ais /etc/-lib/httpd
      2⤵
      PID:661
    • /usr/bin/crontab
      crontab -l
      2⤵
      • Reads runtime system information
      PID:663
    • /bin/grep
      grep -vi /etc/-lib/httpd
      2⤵
      PID:664
    • /usr/bin/crontab
      crontab saveds
      2⤵
      • Creates/modifies Cron job
      • Reads runtime system information
      PID:665
    • /bin/rm
      rm -rf saveds
      2⤵
      PID:667
    • /usr/bin/gcc
      gcc httpds.c -o httpds
      2⤵
      • Writes file to tmp directory
      PID:668
      • /usr/lib/gcc/arm-linux-gnueabihf/6/cc1
        /usr/lib/gcc/arm-linux-gnueabihf/6/cc1 -quiet -imultilib . -imultiarch arm-linux-gnueabihf httpds.c -quiet -dumpbase httpds.c "-march=armv7-a" "-mfloat-abi=hard" "-mfpu=vfpv3-d16" -mthumb "-mtls-dialect=gnu" -auxbase httpds -o /tmp/cc1AP7RC.s
        3⤵
        • Writes file to tmp directory
        PID:669
      • /usr/local/sbin/as
        as "-march=armv7-a" "-mfloat-abi=hard" "-mfpu=vfpv3-d16" "-meabi=5" -o /tmp/ccNBWgRA.o /tmp/cc1AP7RC.s
        3⤵
        PID:694
      • /usr/local/bin/as
        as "-march=armv7-a" "-mfloat-abi=hard" "-mfpu=vfpv3-d16" "-meabi=5" -o /tmp/ccNBWgRA.o /tmp/cc1AP7RC.s
        3⤵
        PID:694
      • /usr/sbin/as
        as "-march=armv7-a" "-mfloat-abi=hard" "-mfpu=vfpv3-d16" "-meabi=5" -o /tmp/ccNBWgRA.o /tmp/cc1AP7RC.s
        3⤵
        PID:694
      • /usr/bin/as
        as "-march=armv7-a" "-mfloat-abi=hard" "-mfpu=vfpv3-d16" "-meabi=5" -o /tmp/ccNBWgRA.o /tmp/cc1AP7RC.s
        3⤵
        • Writes file to tmp directory
        PID:694
      • /usr/lib/gcc/arm-linux-gnueabihf/6/collect2
        /usr/lib/gcc/arm-linux-gnueabihf/6/collect2 -plugin /usr/lib/gcc/arm-linux-gnueabihf/6/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/arm-linux-gnueabihf/6/lto-wrapper" "-plugin-opt=-fresolution=/tmp/cccc6Ivg.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "--sysroot=/" --build-id --eh-frame-hdr -dynamic-linker /lib/ld-linux-armhf.so.3 -X "--hash-style=gnu" -m armelf_linux_eabi -pie -o httpds /usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf/Scrt1.o /usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf/crti.o /usr/lib/gcc/arm-linux-gnueabihf/6/crtbeginS.o -L/usr/lib/gcc/arm-linux-gnueabihf/6 -L/usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf -L/usr/lib/gcc/arm-linux-gnueabihf/6/../../.. -L/lib/arm-linux-gnueabihf -L/usr/lib/arm-linux-gnueabihf /tmp/ccNBWgRA.o -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s --no-as-needed /usr/lib/gcc/arm-linux-gnueabihf/6/crtendS.o /usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf/crtn.o
        3⤵
        • Writes file to tmp directory
        PID:699
        • /usr/bin/ld
          /usr/bin/ld -plugin /usr/lib/gcc/arm-linux-gnueabihf/6/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/arm-linux-gnueabihf/6/lto-wrapper" "-plugin-opt=-fresolution=/tmp/cccc6Ivg.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "--sysroot=/" --build-id --eh-frame-hdr -dynamic-linker /lib/ld-linux-armhf.so.3 -X "--hash-style=gnu" -m armelf_linux_eabi -pie -o httpds /usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf/Scrt1.o /usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf/crti.o /usr/lib/gcc/arm-linux-gnueabihf/6/crtbeginS.o -L/usr/lib/gcc/arm-linux-gnueabihf/6 -L/usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf -L/usr/lib/gcc/arm-linux-gnueabihf/6/../../.. -L/lib/arm-linux-gnueabihf -L/usr/lib/arm-linux-gnueabihf /tmp/ccNBWgRA.o -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s --no-as-needed /usr/lib/gcc/arm-linux-gnueabihf/6/crtendS.o /usr/lib/gcc/arm-linux-gnueabihf/6/../../../arm-linux-gnueabihf/crtn.o
          4⤵
          • Writes file to tmp directory
          PID:701
    • /bin/cp
      cp httpds /etc/-lib/
      2⤵
      • Reads runtime system information
      PID:708
    • /bin/chmod
      chmod u+x /etc/-lib/httpds
      2⤵
      PID:710
    • /usr/bin/chattr
      chattr +ais /etc/-lib/httpds
      2⤵
      PID:713
    • /bin/rm
      rm -rf ./httpds ./httpds.c ./inst
      2⤵
      PID:715

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /etc/-lib/httpd
    Filesize: 163B
    MD5: f74bebdcbf28f62cbca5043ccd4e3771
    SHA1: 398f13629a640ec98b2f3ee67cdc22b3eb5b487b
    SHA256: cef7615f1d3fa6421a00ec39346bcca19c9cd3d777153e982c9237b46c9ddbaa
    SHA512: de6b896fdc40bff0c2f3557490719ba4c0bf100d7ac15769a9afbf8bbf2dbcbb791c7b261a4e5bd8c9dc89a7b222d78d2abe1c8236e8adf663a95f28efd22b68

  • /tmp/ccNBWgRA.o
    Filesize: 26KB
    MD5: aaf224f1cd45e046dec0e5f70f34ddb7
    SHA1: 7b0015193802d65f74c79e417fb12e117a4bc4f5
    SHA256: 19a48171c424f6000e94d044db38f721b496a7065039059260be96ddb1343df3
    SHA512: 3129a17e2e9d6709e16235f6fdf5691059be13b9e2ed3e6a4cf2f4bf9fc79cbe0b586747fbf3e12101ef0699b0eec7fc82fc67d169102bbcc0ab2b6ba06fe9c7

  • /tmp/httpds
    Filesize: 33KB
    MD5: deb79f679defeef1c345b6935f49429d
    SHA1: 14ed47e2b35e79cfe82ecd39efd75d7fa3ad9c08
    SHA256: db8092228103c45b4577d6b1448e38235a7c8511b6459ee5141d0064fdce5fcc
    SHA512: 901c2254cb8d5a7695962e70af1b34d61ec78414fd9883ec3041de763e3202cfc7ef4c66946169f57ea64e0e6ea340945a12bb976aaeaba5cd4f48db8ffaf762

  • /tmp/saveds
    Filesize: 42B
    MD5: 6c8eb055c0fd33626d89304ea6591bd0
    SHA1: d51eb12a8891939217e1e867ba114ddfe940b9ed
    SHA256: 4212867a0307d9fcc05f966ae12f5280bb2b6f70c39b2d533663ad76a1c5aaf8
    SHA512: a9d702ccb477fe1ddda484a05bf0150025e979855c03b200e4d62048d23780f256595917767071a62e961e9a926875724031a411597f2d788798d58bd9f78321

  • /var/spool/cron/crontabs/tmp.Tr1v7p
    Filesize: 222B
    MD5: b1d9ec36f31abf83e79dbdf1ee2e146a
    SHA1: 660ebd77c4ff2bfde43c6436e6fc9d56c8cdfbef
    SHA256: ed4a53bf0c82ce7062fd324df73cd14e89af189e4f20fa740c4d55f93f0917bf
    SHA512: 420426cdfa4b57a28e84cee2e2b7e67d1ba809b4b7d4a26f150a6856485cc044e58591efa188e7815cea49e13adc986d9da44cb86f50da849f64bdf603a70cf0