kaiten | 57f70cf211661f7c521f33899de93b9be81fa467a034f0f35620b1d40e2817a5

Analysis

max time kernel
150s
max time network
151s
platform
debian-12_mipsel
resource
debian12-mipsel-20240729-en
resource tags

arch:mipselimage:debian12-mipsel-20240729-enkernel:6.1.0-17-4kc-maltalocale:en-usos:debian-12-mipselsystem
submitted
29-07-2024 08:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d1dda1265835215bec662a920d4ee01_JaffaCakes118
Size

31KB
MD5

3d1dda1265835215bec662a920d4ee01
SHA1

3f515381462cb4e15f2205bab4b6d8b93430dbd5
SHA256

57f70cf211661f7c521f33899de93b9be81fa467a034f0f35620b1d40e2817a5
SHA512

f8cf3a861f55a1ce2c45109ce5afb1c8ef3c7f37d0de8623e3a698bec8c7bad8bf05d80a06bca39a710de43aecd0ea913e07f6a2d44160db53bd2a6907110ed4
SSDEEP

768:8SKbKLrV2Nrjb6y/uN0pVx2prhPDjWCo/nQTZXTWb:UGLrVUbPXp2fjs/QTC

Score

10^/10

kaiten botnet persistence

Malware Config

Signatures

Detects Kaiten/Tsunami Payload 1 IoCs

resource	yara_rule
behavioral1/memory/716-1-0x00400000-0x100015ac-memory.dmp	family_kaiten2

Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
botnet kaiten

Writes DNS configuration 1 TTPs 1 IoCs

Writes data to DNS resolver config file.

Dynamic Resolution

T1568

description	ioc	Process
File opened for modification	/etc/resolv.conf	sh

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.dx5dPY	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/13/stat	killall
File opened for reading	/proc/29/stat	killall
File opened for reading	/proc/711	killall
File opened for reading	/proc/667/stat	killall
File opened for reading	/proc/9/stat	killall
File opened for reading	/proc/341/stat	killall
File opened for reading	/proc/201	killall
File opened for reading	/proc/32	killall
File opened for reading	/proc/7/stat	killall
File opened for reading	/proc/115	killall
File opened for reading	/proc/680/stat	killall
File opened for reading	/proc/115/stat	killall
File opened for reading	/proc/10/stat	killall
File opened for reading	/proc/179/cmdline	killall
File opened for reading	/proc/397	killall
File opened for reading	/proc/392/stat	killall
File opened for reading	/proc/201/stat	killall
File opened for reading	/proc/396/stat	killall
File opened for reading	/proc/428	killall
File opened for reading	/proc/19	killall
File opened for reading	/proc/680/stat	killall
File opened for reading	/proc/7/stat	killall
File opened for reading	/proc/396/stat	killall
File opened for reading	/proc/45/stat	killall
File opened for reading	/proc/24/stat	killall
File opened for reading	/proc/179/stat	killall
File opened for reading	/proc/201	killall
File opened for reading	/proc/667/stat	killall
File opened for reading	/proc/34	killall
File opened for reading	/proc/47/stat	killall
File opened for reading	/proc/136/stat	killall
File opened for reading	/proc/20/stat	killall
File opened for reading	/proc/716/cmdline	killall
File opened for reading	/proc/15	killall
File opened for reading	/proc/12/stat	killall
File opened for reading	/proc/18/stat	killall
File opened for reading	/proc/33/stat	killall
File opened for reading	/proc/179	killall
File opened for reading	/proc/118	killall
File opened for reading	/proc/45/stat	killall
File opened for reading	/proc/722	killall
File opened for reading	/proc/3/stat	killall
File opened for reading	/proc/379	killall
File opened for reading	/proc/711	killall
File opened for reading	/proc/1/stat	killall
File opened for reading	/proc/42/stat	killall
File opened for reading	/proc/722	killall
File opened for reading	/proc/25/stat	killall
File opened for reading	/proc/201	killall
File opened for reading	/proc/392	killall
File opened for reading	/proc/397/stat	killall
File opened for reading	/proc/667/stat	killall
File opened for reading	/proc/201	killall
File opened for reading	/proc/355	killall
File opened for reading	/proc/716	killall
File opened for reading	/proc/31/stat	killall
File opened for reading	/proc/37	killall
File opened for reading	/proc/42	killall
File opened for reading	/proc/179	killall
File opened for reading	/proc/58/stat	killall
File opened for reading	/proc/32	killall
File opened for reading	/proc/722/stat	killall
File opened for reading	/proc/25	killall
File opened for reading	/proc/711/stat	killall

/tmp/3d1dda1265835215bec662a920d4ee01_JaffaCakes118
/tmp/3d1dda1265835215bec662a920d4ee01_JaffaCakes118
1⤵
PID:716
- /bin/sh
  sh -c "rm -rf /var/run/wgsh > /dev/null 2>&1 &"
  2⤵
  PID:717
- /bin/sh
  sh -c "rm -rf /var/run/bbsh > /dev/null 2>&1 &"
  2⤵
  PID:719
- - /usr/bin/rm
    rm -rf /var/run/bbsh
    3⤵
    PID:720
- /bin/sh
  sh -c "rm -rf /var/run/tty1 > /dev/null 2>&1 &"
  2⤵
  PID:721
- /bin/sh
  sh -c "rm -rf /var/run/tty2 > /dev/null 2>&1 &"
  2⤵
  PID:724
- /bin/sh
  sh -c "rm -rf /var/run/tty3 > /dev/null 2>&1 &"
  2⤵
  PID:726
- /bin/sh
  sh -c "rm -rf /var/run/tty4 > /dev/null 2>&1 &"
  2⤵
  PID:729
- /bin/sh
  sh -c "rm -rf /var/run/tty5 > /dev/null 2>&1 &"
  2⤵
  PID:732
- /bin/sh
  sh -c "rm -rf /var/run/tty6 > /dev/null 2>&1 &"
  2⤵
  PID:734
- /bin/sh
  sh -c "rm -rf /tmp/tty1 > /dev/null 2>&1 &"
  2⤵
  PID:736
- /bin/sh
  sh -c "rm -rf /tmp/tty2 > /dev/null 2>&1 &"
  2⤵
  PID:738
- /bin/sh
  sh -c "rm -rf /tmp/tty3 > /dev/null 2>&1 &"
  2⤵
  PID:740
- /bin/sh
  sh -c "rm -rf /tmp/tty4 > /dev/null 2>&1 &"
  2⤵
  PID:742
- /bin/sh
  sh -c "rm -rf /tmp/tty5 > /dev/null 2>&1 &"
  2⤵
  PID:744
- /bin/sh
  sh -c "rm -rf /tmp/tty6 > /dev/null 2>&1 &"
  2⤵
  PID:746
- /bin/sh
  sh -c "rm -rf /var/run/pty > /dev/null 2>&1 &"
  2⤵
  PID:748
- /bin/sh
  sh -c "killall -9 arm > /dev/null 2>&1 &"
  2⤵
  PID:750
- /bin/sh
  sh -c "killall -9 mips > /dev/null 2>&1 &"
  2⤵
  PID:752
- /bin/sh
  sh -c "killall -9 mipsel > /dev/null 2>&1 &"
  2⤵
  PID:754
- /bin/sh
  sh -c "killall -9 powerpc > /dev/null 2>&1 &"
  2⤵
  PID:756
- /bin/sh
  sh -c "killall -9 ppc > /dev/null 2>&1 &"
  2⤵
  PID:758
- /bin/sh
  sh -c "killall -9 daemon.armv4l.mod > /dev/null 2>&1 &"
  2⤵
  PID:760
- /bin/sh
  sh -c "killall -9 daemon.i686.mod > /dev/null 2>&1 &"
  2⤵
  PID:762
- /bin/sh
  sh -c "killall -9 daemon.mips.mod > /dev/null 2>&1 &"
  2⤵
  PID:764
- /bin/sh
  sh -c "killall -9 daemon.mipsel.mod > /dev/null 2>&1 &"
  2⤵
  PID:766
- /bin/sh
  sh -c "kill -9 `cat /tmp/.xs/*.pid` > /dev/null 2>&1 &"
  2⤵
  PID:768
- - /usr/bin/cat
    cat "/tmp/.xs/*.pid"
    3⤵
    PID:771
- /bin/sh
  sh -c "rm -rf /tmp/.xs/* > /dev/null 2>&1 &"
  2⤵
  PID:770
- /bin/sh
  sh -c "echo \"nameserver 8.8.8.8\" > /etc/resolv.conf &"
  2⤵
  - Writes DNS configuration
  PID:773
- /bin/sh
  sh -c "chmod 700 /tmp/3d1dda1265835215bec662a920d4ee01_JaffaCakes118 > /dev/null 2>&1 &"
  2⤵
  PID:775
- /bin/sh
  sh -c "touch -acmr /bin/ls /tmp/3d1dda1265835215bec662a920d4ee01_JaffaCakes118"
  2⤵
  PID:777
- - /usr/bin/touch
    touch -acmr /bin/ls /tmp/3d1dda1265835215bec662a920d4ee01_JaffaCakes118
    3⤵
    PID:778
- /bin/sh
  sh -c "(crontab -l | grep -v \"/tmp/3d1dda1265835215bec662a920d4ee01_JaffaCakes118\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x001804289383) > /dev/null 2>&1"
  2⤵
  PID:779
- - /usr/bin/crontab
    crontab -l
    3⤵
    PID:781
- - /usr/bin/grep
    grep -v "no cron"
    3⤵
    PID:783
- - /usr/bin/grep
    grep -v /tmp/3d1dda1265835215bec662a920d4ee01_JaffaCakes118
    3⤵
    PID:782
- - /usr/bin/grep
    grep -v lesshts/run.sh
    3⤵
    PID:784
- /bin/sh
  sh -c "echo \"* * * * * /tmp/3d1dda1265835215bec662a920d4ee01_JaffaCakes118 > /dev/null 2>&1 &\" >> /var/run/.x001804289383"
  2⤵
  PID:785
- /bin/sh
  sh -c "crontab /var/run/.x001804289383"
  2⤵
  PID:786
- - /usr/bin/crontab
    crontab /var/run/.x001804289383
    3⤵
    - Creates/modifies Cron job
    PID:787
- /bin/sh
  sh -c "rm -rf /var/run/.x001804289383"
  2⤵
  PID:788
- - /usr/bin/rm
    rm -rf /var/run/.x001804289383
    3⤵
    PID:789
- /bin/sh
  sh -c "/bin/uname -n"
  2⤵
  PID:790
- - /bin/uname
    /bin/uname -n
    3⤵
    PID:791
- /bin/sh
  sh -c "/bin/uname -n"
  2⤵
  PID:792
- - /bin/uname
    /bin/uname -n
    3⤵
    PID:793

/usr/bin/rm
rm -rf /var/run/wgsh
1⤵
PID:718

/usr/bin/rm
rm -rf /var/run/tty1
1⤵
PID:723

/usr/bin/rm
rm -rf /var/run/tty2
1⤵
PID:725

/usr/bin/rm
rm -rf /var/run/tty4
1⤵
PID:731

/usr/bin/rm
rm -rf /var/run/tty5
1⤵
PID:733

/usr/bin/rm
rm -rf /var/run/tty6
1⤵
PID:735

/usr/bin/rm
rm -rf /tmp/tty1
1⤵
PID:737

/usr/bin/rm
rm -rf /tmp/tty2
1⤵
PID:739

/usr/bin/rm
rm -rf /tmp/tty3
1⤵
PID:741

/usr/bin/rm
rm -rf /tmp/tty4
1⤵
PID:743

/usr/bin/rm
rm -rf /tmp/tty5
1⤵
PID:745

/usr/bin/rm
rm -rf /tmp/tty6
1⤵
PID:747

/usr/bin/rm
rm -rf /var/run/pty
1⤵
PID:749

/usr/bin/killall
killall -9 arm
1⤵
- Reads runtime system information
PID:751

/usr/bin/killall
killall -9 mips
1⤵
- Reads runtime system information
PID:753

/usr/bin/killall
killall -9 mipsel
1⤵
- Reads runtime system information
PID:755

/usr/bin/killall
killall -9 powerpc
1⤵
- Reads runtime system information
PID:757

/usr/bin/killall
killall -9 ppc
1⤵
- Reads runtime system information
PID:759

/usr/bin/killall
killall -9 daemon.armv4l.mod
1⤵
- Reads runtime system information
PID:761

/usr/bin/killall
killall -9 daemon.i686.mod
1⤵
- Reads runtime system information
PID:763

/usr/bin/killall
killall -9 daemon.mips.mod
1⤵
- Reads runtime system information
PID:765

/usr/bin/killall
killall -9 daemon.mipsel.mod
1⤵
- Reads runtime system information
PID:767

/usr/bin/rm
rm -rf "/tmp/.xs/*"
1⤵
PID:772

/usr/bin/chmod
chmod 700 /tmp/3d1dda1265835215bec662a920d4ee01_JaffaCakes118
1⤵
PID:776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Dynamic Resolution

T1568

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/run/.x001804289383

Filesize
81B

MD5
084f07b50c89e945e2a9a5c626a42aaf

SHA1
02a9639d6143ff0b61eea92c667bc6412c38ef34

SHA256
df48b00dbe9a7c02129f71f06310982481145f70b8fe1e2d587a5acbc2bb8c23

SHA512
12fb3b3672d3e527db251eb58c8109631ef35af2d39b83c927a69998b990ec55a36f14b0a9586a35ae7947fbe4d9840ed618a45e122a774e7b96995576569e29

Download Submit
/var/spool/cron/crontabs/tmp.dx5dPY

Filesize
278B

MD5
1c7f967514c4cf9de26d8c2a2edf8409

SHA1
53ad68bc37e11938baca61bf7191276dcca295c5

SHA256
2764bdb54456bb16600e0ab3cabe2987053b5be8a04341c4733a75a117cb3c34

SHA512
ff9cd5a360e4fef280c5704e26339e33355de4ef2f5762ea4d31ddf9cfbf5347caafff09c7aaf3aed4961e98a49d25c88cff8399442e2da207b1c45f7a542ff9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads