kaiten | 2f1854f309c913068700c0c3efec3a84ea48e62393df38bab9c8233053e2b19b

General

Target

2f1854f309c913068700c0c3efec3a84ea48e62393df38bab9c8233053e2b19b.elf
Size

7.0MB
Sample

240313-cmqh5shh6x
MD5

c91421f0d68095890b50a034dbf9d060
SHA1

624e0d9c94309de8d038b2e21cf07685d2020fdb
SHA256

2f1854f309c913068700c0c3efec3a84ea48e62393df38bab9c8233053e2b19b
SHA512

63d174cf0ba590aa836a9c4490ef7982d7590d8fcf9f67b8a8021dc23755a4aecf16805a12679e566d6d6bec45a4d3344d62197a7f3c6660c46812594888bd88
SSDEEP

49152:FdvgYnvuqgrb/TGvO90dL3BmAFd4A64nsfJYgJi1QjpzkpDKzBzQgQHDSZ/+/A5X:YqpgxDFnEqZJvlNiPt9y7LxXk5prrT

Score

10^/10

Malware Config

Targets

- Target
  
  2f1854f309c913068700c0c3efec3a84ea48e62393df38bab9c8233053e2b19b.elf
- Size
  
  7.0MB
- MD5
  
  c91421f0d68095890b50a034dbf9d060
- SHA1
  
  624e0d9c94309de8d038b2e21cf07685d2020fdb
- SHA256
  
  2f1854f309c913068700c0c3efec3a84ea48e62393df38bab9c8233053e2b19b
- SHA512
  
  63d174cf0ba590aa836a9c4490ef7982d7590d8fcf9f67b8a8021dc23755a4aecf16805a12679e566d6d6bec45a4d3344d62197a7f3c6660c46812594888bd88
- SSDEEP
  
  49152:FdvgYnvuqgrb/TGvO90dL3BmAFd4A64nsfJYgJi1QjpzkpDKzBzQgQHDSZ/+/A5X:YqpgxDFnEqZJvlNiPt9y7LxXk5prrT
Score

10^/10

kaiten antivm botnet persistence rootkit upx
- Detects Kaiten/Tsunami Payload
- Detects Kaiten/Tsunami payload
- Kaiten/Tsunami
  Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
  botnet kaiten
- Executes dropped EXE
- Flushes firewall rules
  Flushes/ disables firewall rules inside the Linux kernel.
- Loads a kernel module
  Loads a Linux kernel module, potentially to achieve persistence
  rootkit
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Attempts to change immutable files
  Modifies inode attributes on the filesystem to allow changing of immutable files.
- Checks CPU configuration
  Checks CPU information which indicate if the system is a virtual machine.
  antivm
- Checks hardware identifiers (DMI)
  Checks DMI information which indicate if the system is a virtual machine.
  antivm
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  persistence
- Enumerates running processes
  Discovers information about currently running processes on the system
- Modifies init.d
  Adds/modifies system service, likely for persistence.
  persistence
- Modifies systemd
  Adds/ modifies systemd service files. Likely to achieve persistence.
  persistence
- Reads CPU attributes
- Reads hardware information
  Accesses system info like serial numbers, manufacturer names etc.
- Writes file to system bin folder
behavioral1