kaiten | d2e2fd9bcb3ba0416e9f057c3b09c8470d51634fc6ab0414611ba27ac7e98e2d

General

Target

inst
Size

732B
MD5

56a30205ea23a457ff2af18a76cd521c
SHA1

a2007725d6a3e6b2a1b6dfed6a9a735ac66a7606
SHA256

d1469b9971ed7346f21104b2044feb538a5206e55bdbc60b641c9d8ca11ab851
SHA512

7f44fbe568895c25fc63577aad7c5b1208226a42949e71a770b10a7f780ebe431d69182600fe190da6444554b29397168e6b51b815b1161febe5b8fe7269073b

Score

10^/10

kaiten botnet persistence

Malware Config

Signatures

Detects Kaiten/Tsunami Payload 3 IoCs

Processes:

resource	yara_rule
/tmp/ccIsSJLB.s	family_kaiten2
/tmp/httpds	family_kaiten2
/etc/-lib/httpds	family_kaiten2

Detects Kaiten/Tsunami payload 2 IoCs

Processes:

resource	yara_rule
/tmp/httpds	family_kaiten
/etc/-lib/httpds	family_kaiten

Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
botnet kaiten
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.9zP4NZ crontab

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.9zP4NZ	crontab

Reads runtime system information 5 IoCs

Reads data from /proc virtual filesystem.

Processes:

cpidmkdircrontabcrontab

description	ioc	process
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	id
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/filesystems	crontab

Writes file to tmp directory 12 IoCs

Malware often drops required files in the /tmp directory.

Processes:

collect2ldgcccc1asinst

description	ioc	process
File opened for modification	/tmp/ccdGig7R.c	collect2
File opened for modification	/tmp/ccVtUzTi.ld	collect2
File opened for modification	/tmp/httpds	ld
File opened for modification	/tmp/saveds
File opened for modification	/tmp/ccIsSJLB.s	gcc
File opened for modification	/tmp/ccIsSJLB.s	cc1
File opened for modification	/tmp/ccoG0Cca.o	as
File opened for modification	/tmp/ccXjufRI.res	gcc
File opened for modification	/tmp/saveds	inst
File opened for modification	/tmp/ccoG0Cca.o	gcc
File opened for modification	/tmp/cckM0NtA.o	collect2
File opened for modification	/tmp/ccq4bJy0.le	collect2

/tmp/inst
/tmp/inst
1⤵
- Writes file to tmp directory
PID:717

/usr/bin/id
id -u
2⤵
- Reads runtime system information
PID:720

/bin/mkdir
mkdir /etc/-lib
2⤵
- Reads runtime system information
PID:724

/bin/chmod
chmod u+x /etc/-lib/httpd
2⤵
PID:728

/usr/bin/chattr
chattr +ais /etc/-lib/httpd
2⤵
PID:730

/usr/bin/crontab
crontab -l
2⤵
- Reads runtime system information
PID:732

/bin/grep
grep -vi /etc/-lib/httpd
2⤵
PID:733

/usr/bin/crontab
crontab saveds
2⤵
- Creates/modifies Cron job
- Reads runtime system information
PID:734

/bin/rm
rm -rf saveds
2⤵
PID:738

/usr/bin/gcc
gcc httpds.c -o httpds
2⤵
- Writes file to tmp directory
PID:740

/usr/lib/gcc/mipsel-linux-gnu/6/cc1
/usr/lib/gcc/mipsel-linux-gnu/6/cc1 -quiet -imultiarch mipsel-linux-gnu httpds.c -mel -quiet -dumpbase httpds.c "-march=mips32r2" -mfpxx -mllsc -mno-lxc1-sxc1 -mno-madd4 -mips32r2 "-mabi=32" -auxbase httpds -o /tmp/ccIsSJLB.s
3⤵
- Writes file to tmp directory
PID:742

/usr/local/sbin/as
as -EL -mips32r2 -O1 -no-mdebug "-mabi=32" "-march=mips32r2" -mfpxx -KPIC -o /tmp/ccoG0Cca.o /tmp/ccIsSJLB.s
3⤵
PID:762

/usr/local/bin/as
as -EL -mips32r2 -O1 -no-mdebug "-mabi=32" "-march=mips32r2" -mfpxx -KPIC -o /tmp/ccoG0Cca.o /tmp/ccIsSJLB.s
3⤵
PID:762

/usr/sbin/as
as -EL -mips32r2 -O1 -no-mdebug "-mabi=32" "-march=mips32r2" -mfpxx -KPIC -o /tmp/ccoG0Cca.o /tmp/ccIsSJLB.s
3⤵
PID:762

/usr/bin/as
as -EL -mips32r2 -O1 -no-mdebug "-mabi=32" "-march=mips32r2" -mfpxx -KPIC -o /tmp/ccoG0Cca.o /tmp/ccIsSJLB.s
3⤵
- Writes file to tmp directory
PID:762

/usr/lib/gcc/mipsel-linux-gnu/6/collect2
/usr/lib/gcc/mipsel-linux-gnu/6/collect2 -plugin /usr/lib/gcc/mipsel-linux-gnu/6/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/mipsel-linux-gnu/6/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccXjufRI.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "--sysroot=/" --build-id --eh-frame-hdr -EL -mips32r2 -dynamic-linker /lib/ld.so.1 -melf32ltsmip -pie -o httpds /usr/lib/gcc/mipsel-linux-gnu/6/../../../mipsel-linux-gnu/Scrt1.o /usr/lib/gcc/mipsel-linux-gnu/6/../../../mipsel-linux-gnu/crti.o /usr/lib/gcc/mipsel-linux-gnu/6/crtbeginS.o -L/usr/lib/gcc/mipsel-linux-gnu/6 -L/usr/lib/gcc/mipsel-linux-gnu/6/../../../mipsel-linux-gnu -L/usr/lib/gcc/mipsel-linux-gnu/6/../../../../lib -L/lib/mipsel-linux-gnu -L/lib/../lib -L/usr/lib/mipsel-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/mipsel-linux-gnu/6/../../.. /tmp/ccoG0Cca.o -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s --no-as-needed /usr/lib/gcc/mipsel-linux-gnu/6/crtendS.o /usr/lib/gcc/mipsel-linux-gnu/6/../../../mipsel-linux-gnu/crtn.o
3⤵
- Writes file to tmp directory
PID:766

/usr/bin/ld
/usr/bin/ld -plugin /usr/lib/gcc/mipsel-linux-gnu/6/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/mipsel-linux-gnu/6/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccXjufRI.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "--sysroot=/" --build-id --eh-frame-hdr -EL -mips32r2 -dynamic-linker /lib/ld.so.1 -melf32ltsmip -pie -o httpds /usr/lib/gcc/mipsel-linux-gnu/6/../../../mipsel-linux-gnu/Scrt1.o /usr/lib/gcc/mipsel-linux-gnu/6/../../../mipsel-linux-gnu/crti.o /usr/lib/gcc/mipsel-linux-gnu/6/crtbeginS.o -L/usr/lib/gcc/mipsel-linux-gnu/6 -L/usr/lib/gcc/mipsel-linux-gnu/6/../../../mipsel-linux-gnu -L/usr/lib/gcc/mipsel-linux-gnu/6/../../../../lib -L/lib/mipsel-linux-gnu -L/lib/../lib -L/usr/lib/mipsel-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/mipsel-linux-gnu/6/../../.. /tmp/ccoG0Cca.o -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s --no-as-needed /usr/lib/gcc/mipsel-linux-gnu/6/crtendS.o /usr/lib/gcc/mipsel-linux-gnu/6/../../../mipsel-linux-gnu/crtn.o
4⤵
- Writes file to tmp directory
PID:768

/bin/cp
cp httpds /etc/-lib/
2⤵
- Reads runtime system information
PID:774

/bin/chmod
chmod u+x /etc/-lib/httpds
2⤵
PID:775

/usr/bin/chattr
chattr +ais /etc/-lib/httpds
2⤵
PID:777

/bin/rm
rm -rf ./httpds ./httpds.c ./inst
2⤵
PID:778

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/-lib/httpd
Filesize
163B

MD5
f74bebdcbf28f62cbca5043ccd4e3771

SHA1
398f13629a640ec98b2f3ee67cdc22b3eb5b487b

SHA256
cef7615f1d3fa6421a00ec39346bcca19c9cd3d777153e982c9237b46c9ddbaa

SHA512
de6b896fdc40bff0c2f3557490719ba4c0bf100d7ac15769a9afbf8bbf2dbcbb791c7b261a4e5bd8c9dc89a7b222d78d2abe1c8236e8adf663a95f28efd22b68

Download Submit
/etc/-lib/httpds
Filesize
42KB

MD5
5471bd258e524e639b2be1a8aa2f3dc4

SHA1
43bce5dc24ef914b713521abe7586d1cecdd5480

SHA256
eacf2821c4781178f211ee594c8392a786f91f10c45871a5399cd7db4c6a1ae2

SHA512
4f1b1a59bd56370c8fc84b2dd841636ba6fb6f18f626de9feae6daf8f1fce429a17431947606c7da353aa0163673c3d2fdb2dc8331b16801146b5d3e14e77ea0

Download Submit
/tmp/ccIsSJLB.s
Filesize
16KB

MD5
3f58ed17ab42f16a66811b86f5b6ab17

SHA1
b70594054cad01f85e4d6b06934d8bc600386b5c

SHA256
1e7a7d6b1f231c60361b772090c7183f824fe063b5bc1ad992bfa9eeb3279fa9

SHA512
d6702f5eddbc248bc868f080ce03bb9b59cca129b0bd7d63d92b96ad93684d124f7b3ce720296aa32339d04f9520215c3dd840d9bfaf2a0c5a1b09fc413c48ac

Download Submit
/tmp/httpds
Filesize
35KB

MD5
79a5f7735e392d66436b030bc9836e96

SHA1
366663a6efa83bc3d8072cf1b9625cec33e503d7

SHA256
af615019cfbcd41420acc8828d7efee3ba7186d0c74722b25c5a88315e232b0c

SHA512
e3fdad566d17254c40d1d773e6e75c59a4b43563f6fe8bcad4b1878452ac84869c4e049f28ceb22bf09909ddbd5396d4fd1a9e46e7537c5fd6ea12c8bf2b5106

Download Submit
/tmp/saveds
Filesize
42B

MD5
6c8eb055c0fd33626d89304ea6591bd0

SHA1
d51eb12a8891939217e1e867ba114ddfe940b9ed

SHA256
4212867a0307d9fcc05f966ae12f5280bb2b6f70c39b2d533663ad76a1c5aaf8

SHA512
a9d702ccb477fe1ddda484a05bf0150025e979855c03b200e4d62048d23780f256595917767071a62e961e9a926875724031a411597f2d788798d58bd9f78321

Download Submit
/var/spool/cron/crontabs/tmp.9zP4NZ
Filesize
222B

MD5
18940377bffed8c5e07bf32a55230f7e

SHA1
dc251d438ae8908f273ffaea173193368c85cedc

SHA256
ed95fcd36da68a123d79974ba16df0a7199304c518502505851f23b89dfc8bb3

SHA512
50a7bfa1a0aee8aae722fb8131cc440b2314a7d354f08175ce7c573f6e2f48c9e581eedb450d339b10919359820afac6a0b2b20e1445105da5985f88eec7430b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads