Overview

overview

10

Static

static

1

d.py

ubuntu-18.04-amd64

10

d.py

debian-9-armhf

1

d.py

debian-9-mips

1

d.py

debian-9-mipsel

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d.py

  • Size

    2KB

  • Sample

    240215-29357abg98

  • MD5

    2a8df33aa6948528816c4bb9b9a48752

  • SHA1

    0dd5919d50cf6861985c3a1629d501c986876dd3

  • SHA256

    e5062a17af9e778231b73f94099db13cefde1cbb2b5466e2234e2c5b75764c97

  • SHA512

    6da29ea77cc85fd3766c6f4b8554ceea6f49d770854366d69d4a3c8709947e45128241c1e81a09761b76e5a2a6b67d54504aa9a55973fb01728428d75474b337

Score
10/10
kaitenantivmbotnetlinuxpersistenceupx

Malware Config

Targets

    • Target

      d.py

    • Size

      2KB

    • MD5

      2a8df33aa6948528816c4bb9b9a48752

    • SHA1

      0dd5919d50cf6861985c3a1629d501c986876dd3

    • SHA256

      e5062a17af9e778231b73f94099db13cefde1cbb2b5466e2234e2c5b75764c97

    • SHA512

      6da29ea77cc85fd3766c6f4b8554ceea6f49d770854366d69d4a3c8709947e45128241c1e81a09761b76e5a2a6b67d54504aa9a55973fb01728428d75474b337

    Score
    10/10
    kaitenantivmbotnetpersistenceupx

    • Detects Kaiten/Tsunami Payload

    • Detects Kaiten/Tsunami payload

    • Kaiten/Tsunami

      Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.

      botnetkaiten

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Attempts to change immutable files

      Modifies inode attributes on the filesystem to allow changing of immutable files.

    • Checks CPU configuration

      Checks CPU information which indicate if the system is a virtual machine.

      antivm

    • Checks hardware identifiers (DMI)

      Checks DMI information which indicate if the system is a virtual machine.

      antivm

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

      persistence

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

      persistence

    • Modifies systemd

      Adds/ modifies systemd service files. Likely to achieve persistence.

      persistence

    • Reads CPU attributes

    • Reads hardware information

      Accesses system info like serial numbers, manufacturer names etc.

    • Writes file to system bin folder

    behavioral1behavioral2behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Boot or Logon Autostart Execution

2
T1547

Hijack Execution Flow

1
T1574

Privilege Escalation

Scheduled Task/Job

1
T1053

Boot or Logon Autostart Execution

2
T1547

Hijack Execution Flow

1
T1574

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Hijack Execution Flow

1
T1574

Credential Access

Discovery

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks