kaiten | e4385a86e5b0f299fee2110bec4f8add82a7f106d869ff5024044c98048cefd5

Analysis

max time kernel
114s
max time network
144s
platform
debian-9_mipsel
resource
debian9-mipsel-20240611-en
resource tags

arch:mipselimage:debian9-mipsel-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
29-07-2024 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f0ba0848dbceb9c6ffef89bfa4e4a1c_JaffaCakes118
Size

32KB
MD5

3f0ba0848dbceb9c6ffef89bfa4e4a1c
SHA1

30081402cd8d2d8253a531fca5a76374a4c7445f
SHA256

e4385a86e5b0f299fee2110bec4f8add82a7f106d869ff5024044c98048cefd5
SHA512

bacce18da136050e66fbc7b3e9f8bdc4428589f6a2aba882c817d240f1be3ff67de36f809a14930b4c8d00f156bd6bad7cad64f231c2ece9e75628435fd0fc22
SSDEEP

768:qH5ckn7T8bQcetXy7+vNRfai4TBW3vso6RrhtompWb:qTnX8mo+vNRCXT430tHtFu

Score

10^/10

kaiten botnet persistence

Malware Config

Signatures

Detects Kaiten/Tsunami Payload 1 IoCs

resource	yara_rule
behavioral1/memory/683-1-0x00400000-0x100015cc-memory.dmp	family_kaiten2

Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
botnet kaiten

Writes DNS configuration 1 TTPs 1 IoCs

Writes data to DNS resolver config file.

Dynamic Resolution

T1568

description	ioc	Process
File opened for modification	/etc/resolv.conf	sh

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.zKbn4V	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/661/stat	killall
File opened for reading	/proc/73/stat	killall
File opened for reading	/proc/37/stat	killall
File opened for reading	/proc/319/stat	killall
File opened for reading	/proc/71/stat	killall
File opened for reading	/proc/15/stat	killall
File opened for reading	/proc/744/stat	killall
File opened for reading	/proc/12/stat	killall
File opened for reading	/proc/685/stat	killall
File opened for reading	/proc/373/stat	killall
File opened for reading	/proc/11/stat	killall
File opened for reading	/proc/72/stat	killall
File opened for reading	/proc/36/stat	killall
File opened for reading	/proc/373/stat	killall
File opened for reading	/proc/12/stat	killall
File opened for reading	/proc/22/stat	killall
File opened for reading	/proc/116/cmdline	killall
File opened for reading	/proc/2/stat	killall
File opened for reading	/proc/231/stat	killall
File opened for reading	/proc/679/stat	killall
File opened for reading	/proc/687/stat	killall
File opened for reading	/proc/11/stat	killall
File opened for reading	/proc/682/stat	killall
File opened for reading	/proc/22/stat	killall
File opened for reading	/proc/683/cmdline	killall
File opened for reading	/proc/704/cmdline	killall
File opened for reading	/proc/6/stat	killall
File opened for reading	/proc/384/stat	killall
File opened for reading	/proc/18/stat	killall
File opened for reading	/proc/18/stat	killall
File opened for reading	/proc/319/stat	killall
File opened for reading	/proc/682/stat	killall
File opened for reading	/proc/685/stat	killall
File opened for reading	/proc/749/stat	killall
File opened for reading	/proc/19/stat	killall
File opened for reading	/proc/71/stat	killall
File opened for reading	/proc/704/cmdline	killall
File opened for reading	/proc/681/stat	killall
File opened for reading	/proc/13/stat	killall
File opened for reading	/proc/72/stat	killall
File opened for reading	/proc/346/stat	killall
File opened for reading	/proc/36/stat	killall
File opened for reading	/proc/685/cmdline	killall
File opened for reading	/proc/659/stat	killall
File opened for reading	/proc/677/cmdline	killall
File opened for reading	/proc/679/stat	killall
File opened for reading	/proc/116/stat	killall
File opened for reading	/proc/77/stat	killall
File opened for reading	/proc/24/stat	killall
File opened for reading	/proc/166/stat	killall
File opened for reading	/proc/231/stat	killall
File opened for reading	/proc/76/stat	killall
File opened for reading	/proc/643/stat	killall
File opened for reading	/proc/144/cmdline	killall
File opened for reading	/proc/677/cmdline	killall
File opened for reading	/proc/115/stat	killall
File opened for reading	/proc/6/stat	killall
File opened for reading	/proc/75/stat	killall
File opened for reading	/proc/682/stat	killall
File opened for reading	/proc/77/stat	killall
File opened for reading	/proc/150/stat	killall
File opened for reading	/proc/116/cmdline	killall
File opened for reading	/proc/70/stat	killall
File opened for reading	/proc/656/stat	killall

/tmp/3f0ba0848dbceb9c6ffef89bfa4e4a1c_JaffaCakes118
/tmp/3f0ba0848dbceb9c6ffef89bfa4e4a1c_JaffaCakes118
1⤵
PID:683
- /bin/sh
  sh -c "rm -rf /var/run/wgsh > /dev/null 2>&1 &"
  2⤵
  PID:684
- /bin/sh
  sh -c "rm -rf /var/run/bbsh > /dev/null 2>&1 &"
  2⤵
  PID:689
- /bin/sh
  sh -c "rm -rf /var/run/tty1 > /dev/null 2>&1 &"
  2⤵
  PID:693
- /bin/sh
  sh -c "rm -rf /var/run/tty2 > /dev/null 2>&1 &"
  2⤵
  PID:696
- /bin/sh
  sh -c "rm -rf /var/run/tty3 > /dev/null 2>&1 &"
  2⤵
  PID:698
- /bin/sh
  sh -c "rm -rf /var/run/tty4 > /dev/null 2>&1 &"
  2⤵
  PID:700
- /bin/sh
  sh -c "rm -rf /var/run/tty5 > /dev/null 2>&1 &"
  2⤵
  PID:703
- /bin/sh
  sh -c "rm -rf /var/run/tty6 > /dev/null 2>&1 &"
  2⤵
  PID:706
- /bin/sh
  sh -c "rm -rf /tmp/tty1 > /dev/null 2>&1 &"
  2⤵
  PID:709
- /bin/sh
  sh -c "rm -rf /tmp/tty2 > /dev/null 2>&1 &"
  2⤵
  PID:712
- /bin/sh
  sh -c "rm -rf /tmp/tty3 > /dev/null 2>&1 &"
  2⤵
  PID:714
- /bin/sh
  sh -c "rm -rf /tmp/tty4 > /dev/null 2>&1 &"
  2⤵
  PID:717
- /bin/sh
  sh -c "rm -rf /tmp/tty5 > /dev/null 2>&1 &"
  2⤵
  PID:720
- /bin/sh
  sh -c "rm -rf /tmp/tty6 > /dev/null 2>&1 &"
  2⤵
  PID:723
- /bin/sh
  sh -c "rm -rf /var/run/pty > /dev/null 2>&1 &"
  2⤵
  PID:725
- /bin/sh
  sh -c "killall -9 arm > /dev/null 2>&1 &"
  2⤵
  PID:728
- /bin/sh
  sh -c "killall -9 mips > /dev/null 2>&1 &"
  2⤵
  PID:730
- /bin/sh
  sh -c "killall -9 mipsel > /dev/null 2>&1 &"
  2⤵
  PID:733
- /bin/sh
  sh -c "killall -9 powerpc > /dev/null 2>&1 &"
  2⤵
  PID:739
- /bin/sh
  sh -c "killall -9 ppc > /dev/null 2>&1 &"
  2⤵
  PID:741
- /bin/sh
  sh -c "killall -9 daemon.armv4l.mod > /dev/null 2>&1 &"
  2⤵
  PID:746
- /bin/sh
  sh -c "killall -9 daemon.i686.mod > /dev/null 2>&1 &"
  2⤵
  PID:748
- /bin/sh
  sh -c "killall -9 daemon.mips.mod > /dev/null 2>&1 &"
  2⤵
  PID:750
- /bin/sh
  sh -c "killall -9 daemon.mipsel.mod > /dev/null 2>&1 &"
  2⤵
  PID:752
- /bin/sh
  sh -c "kill -9 `cat /tmp/.xs/*.pid` > /dev/null 2>&1 &"
  2⤵
  PID:754
- - /bin/cat
    cat "/tmp/.xs/*.pid"
    3⤵
    PID:756
- /bin/sh
  sh -c "rm -rf /tmp/.xs/* > /dev/null 2>&1 &"
  2⤵
  PID:757
- /bin/sh
  sh -c "echo \"nameserver 8.8.8.8\" > /etc/resolv.conf &"
  2⤵
  - Writes DNS configuration
  PID:761
- /bin/sh
  sh -c "chmod 700 /tmp/3f0ba0848dbceb9c6ffef89bfa4e4a1c_JaffaCakes118 > /dev/null 2>&1 &"
  2⤵
  PID:763
- /bin/sh
  sh -c "touch -acmr /bin/ls /tmp/3f0ba0848dbceb9c6ffef89bfa4e4a1c_JaffaCakes118"
  2⤵
  PID:765
- - /usr/bin/touch
    touch -acmr /bin/ls /tmp/3f0ba0848dbceb9c6ffef89bfa4e4a1c_JaffaCakes118
    3⤵
    PID:766
- /bin/sh
  sh -c "(crontab -l | grep -v \"/tmp/3f0ba0848dbceb9c6ffef89bfa4e4a1c_JaffaCakes118\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x001804289383) > /dev/null 2>&1"
  2⤵
  PID:767
- - /usr/bin/crontab
    crontab -l
    3⤵
    PID:771
- - /bin/grep
    grep -v /tmp/3f0ba0848dbceb9c6ffef89bfa4e4a1c_JaffaCakes118
    3⤵
    PID:772
- - /bin/grep
    grep -v "no cron"
    3⤵
    PID:773
- - /bin/grep
    grep -v lesshts/run.sh
    3⤵
    PID:774
- /bin/sh
  sh -c "echo \"* * * * * /tmp/3f0ba0848dbceb9c6ffef89bfa4e4a1c_JaffaCakes118 > /dev/null 2>&1 &\" >> /var/run/.x001804289383"
  2⤵
  PID:780
- /bin/sh
  sh -c "crontab /var/run/.x001804289383"
  2⤵
  PID:781
- - /usr/bin/crontab
    crontab /var/run/.x001804289383
    3⤵
    - Creates/modifies Cron job
    PID:783
- /bin/sh
  sh -c "rm -rf /var/run/.x001804289383"
  2⤵
  PID:784
- - /bin/rm
    rm -rf /var/run/.x001804289383
    3⤵
    PID:785
- /bin/sh
  sh -c "/bin/uname -n"
  2⤵
  PID:786
- - /bin/uname
    /bin/uname -n
    3⤵
    PID:787
- /bin/sh
  sh -c "/bin/uname -n"
  2⤵
  PID:788
- - /bin/uname
    /bin/uname -n
    3⤵
    PID:789

/bin/rm
rm -rf /var/run/wgsh
1⤵
PID:688

/bin/rm
rm -rf /var/run/bbsh
1⤵
PID:692

/bin/rm
rm -rf /var/run/tty1
1⤵
PID:695

/bin/rm
rm -rf /var/run/tty2
1⤵
PID:697

/bin/rm
rm -rf /var/run/tty3
1⤵
PID:699

/bin/rm
rm -rf /var/run/tty4
1⤵
PID:702

/bin/rm
rm -rf /var/run/tty5
1⤵
PID:705

/bin/rm
rm -rf /var/run/tty6
1⤵
PID:708

/bin/rm
rm -rf /tmp/tty1
1⤵
PID:711

/bin/rm
rm -rf /tmp/tty2
1⤵
PID:713

/bin/rm
rm -rf /tmp/tty3
1⤵
PID:716

/bin/rm
rm -rf /tmp/tty4
1⤵
PID:719

/bin/rm
rm -rf /tmp/tty5
1⤵
PID:722

/bin/rm
rm -rf /tmp/tty6
1⤵
PID:724

/bin/rm
rm -rf /var/run/pty
1⤵
PID:727

/usr/bin/killall
killall -9 arm
1⤵
- Reads runtime system information
PID:729

/usr/bin/killall
killall -9 mips
1⤵
- Reads runtime system information
PID:732

/usr/bin/killall
killall -9 mipsel
1⤵
- Reads runtime system information
PID:737

/usr/bin/killall
killall -9 powerpc
1⤵
- Reads runtime system information
PID:740

/usr/bin/killall
killall -9 ppc
1⤵
- Reads runtime system information
PID:745

/usr/bin/killall
killall -9 daemon.armv4l.mod
1⤵
- Reads runtime system information
PID:747

/usr/bin/killall
killall -9 daemon.i686.mod
1⤵
- Reads runtime system information
PID:749

/usr/bin/killall
killall -9 daemon.mips.mod
1⤵
- Reads runtime system information
PID:751

/usr/bin/killall
killall -9 daemon.mipsel.mod
1⤵
- Reads runtime system information
PID:753

/bin/rm
rm -rf "/tmp/.xs/*"
1⤵
PID:760

/bin/chmod
chmod 700 /tmp/3f0ba0848dbceb9c6ffef89bfa4e4a1c_JaffaCakes118
1⤵
PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Dynamic Resolution

T1568

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/run/.x001804289383

Filesize
81B

MD5
9b9b0f95abaa6d19867bbfbf64ca133a

SHA1
c712faf3e73d66e0657e4868472527e184015a60

SHA256
05923e7033e99ed5e10bbb1dee7820895c37f1e8e5e2c525d6aa5bb94d7e1fe0

SHA512
d65801c72d2849798da163f0039725d6cf467db921e990019ea0653f9199b1d52183de182322fd000f8623cee0a16909b055ccb8ef4eba31dc0acd582a1132a7

Download Submit
/var/spool/cron/crontabs/tmp.zKbn4V

Filesize
278B

MD5
8aa2e75ed84485ff52c6751e8c0271c9

SHA1
2c66e95bacbe01ef79dec164e7387b0cf067b7ba

SHA256
09273e888bb0e14bfa2e04e594160806dad47e709ba811e11698dcb558747700

SHA512
044d3107f78ea0f5806e22c0fec318c75147405b7d99598c1c8229fdf7309d3cb893a6245e0189fd452f9324bcd78f7d9966873a513ab79d93c474e159a23018

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads