Overview

overview

10

Static

static

7

2f1854f309...9b.elf

ubuntu-20.04-amd64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c91421f0d68095890b50a034dbf9d060.bin

  • Size

    4.3MB

  • Sample

    240314-elg7gsaa3x

  • MD5

    729c8aacc1a1007b1f7d4c108f4cd502

  • SHA1

    81e37249fa9c4b469978ac537e74083651257697

  • SHA256

    70e3446da9cb39fbb01e627b06d1731165119b6fcec42d6878baa1aaa8f88274

  • SHA512

    0fcb33a887513c12d29fe3d0eefc816e4719cd01c430115e4bb4e0e9906006a5cc4aa0f67279711e65594c9bc436dfbca908f71d1220f1e5aec6fe6fd84fc726

  • SSDEEP

    98304:fbHUQu6wti1Llci875If6SsPAiPdph9oesE2IShTumua:THUQu6wU1Llci8VzxAiPdph9YErja

Score
10/10
kaitenantivmbotnetinfostealerlinuxpersistencerootkitupx

Malware Config

Targets

    • Target

      2f1854f309c913068700c0c3efec3a84ea48e62393df38bab9c8233053e2b19b.elf

    • Size

      7.0MB

    • MD5

      c91421f0d68095890b50a034dbf9d060

    • SHA1

      624e0d9c94309de8d038b2e21cf07685d2020fdb

    • SHA256

      2f1854f309c913068700c0c3efec3a84ea48e62393df38bab9c8233053e2b19b

    • SHA512

      63d174cf0ba590aa836a9c4490ef7982d7590d8fcf9f67b8a8021dc23755a4aecf16805a12679e566d6d6bec45a4d3344d62197a7f3c6660c46812594888bd88

    • SSDEEP

      49152:FdvgYnvuqgrb/TGvO90dL3BmAFd4A64nsfJYgJi1QjpzkpDKzBzQgQHDSZ/+/A5X:YqpgxDFnEqZJvlNiPt9y7LxXk5prrT

    Score
    10/10
    kaitenantivmbotnetinfostealerpersistencerootkitupx

    • Detects Kaiten/Tsunami Payload

    • Detects Kaiten/Tsunami payload

    • Kaiten/Tsunami

      Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.

      botnetkaiten

    • Executes dropped EXE

    • Flushes firewall rules

      Flushes/ disables firewall rules inside the Linux kernel.

    • Loads a kernel module

      Loads a Linux kernel module, potentially to achieve persistence

      rootkit

    • Reads EFI boot settings

      Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.

      infostealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Attempts to change immutable files

      Modifies inode attributes on the filesystem to allow changing of immutable files.

    • Checks CPU configuration

      Checks CPU information which indicate if the system is a virtual machine.

      antivm

    • Checks hardware identifiers (DMI)

      Checks DMI information which indicate if the system is a virtual machine.

      antivm

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

      persistence

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

      persistence

    • Modifies systemd

      Adds/ modifies systemd service files. Likely to achieve persistence.

      persistence

    • Reads CPU attributes

    • Reads hardware information

      Accesses system info like serial numbers, manufacturer names etc.

    • Writes file to system bin folder

    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Boot or Logon Autostart Execution

2
T1547

Hijack Execution Flow

1
T1574

Privilege Escalation

Scheduled Task/Job

1
T1053

Boot or Logon Autostart Execution

2
T1547

Hijack Execution Flow

1
T1574

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Hijack Execution Flow

1
T1574

Credential Access

Discovery

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks