kaiten | 751014e0154d219dea8c2e999714c32fd98f817782588cd7af355d2488eb1c80

Analysis

max time kernel
149s
max time network
149s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240221-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240221-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
01-04-2024 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

731e88ae5f22ba01372a3b0cc5adccdf_JaffaCakes118
Size

2.7MB
MD5

731e88ae5f22ba01372a3b0cc5adccdf
SHA1

893db829a8b0af8e37f3e0c25d63779afdc575b9
SHA256

751014e0154d219dea8c2e999714c32fd98f817782588cd7af355d2488eb1c80
SHA512

523094ef2170dc5a0333f7a9e0b1f3c2fc025295198b7c9b9ac36e5c130cc5c5b091f3bb541601e45f6efd081f79f50322affce355a1a2b4f83c9058566390f0
SSDEEP

49152:Q4LOseggj73q9sgK4TCbbwWg0+/Y8jk1OkIlDdohcjJq:tlMVPwWIYMOOkIQh2Jq

Score

10^/10

kaiten botnet

Malware Config

Signatures

Detects Kaiten/Tsunami Payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_kaiten2

Detects Kaiten/Tsunami payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_kaiten

Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
botnet kaiten

Runs EXE from memory 1 IoCs

Runs an executable from memory, likely to minimize footprint

ioc	pid	Process
/proc/self/fd/3	1491	3

Enumerates kernel/hardware configuration 1 TTPs 1 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	731e88ae5f22ba01372a3b0cc5adccdf_JaffaCakes118

/tmp/731e88ae5f22ba01372a3b0cc5adccdf_JaffaCakes118
/tmp/731e88ae5f22ba01372a3b0cc5adccdf_JaffaCakes118
1⤵
- Enumerates kernel/hardware configuration
PID:1477

/proc/self/fd/3
kthreadd
1⤵
- Runs EXE from memory
PID:1491

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/proc/self/fd/3

Filesize
585KB

MD5
38071b617742b9a85178ced8de20bf99

SHA1
2bf984fad801fada75c94ef9f4cb678d29004d9c

SHA256
b494ca3b7bae2ab9a5197b81e928baae5b8eac77dfdc7fe1223fee8f27024772

SHA512
58302bc8bbc90d5389aa59fc983dd4d89bb1e41b698fb4327b612ff5084a3cd066e59cdc3e317b70b64f0f3411da5fcda96825f0ac37e22a38d537152e79430a

Download Submit