kaiten | 032e9a22f73d548479fc9cc94e9b8512275d053e419262a4f500c7736001741f

Analysis

max time kernel
149s
max time network
150s
platform
debian-9_mipsel
resource
debian9-mipsel-20240729-en
resource tags

arch:mipselimage:debian9-mipsel-20240729-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
12-08-2024 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8db93a1c37558cb87760ef0b443c7365_JaffaCakes118
Size

33KB
MD5

8db93a1c37558cb87760ef0b443c7365
SHA1

54d760fdb8309b6e08a94bc2c8631d930e16676a
SHA256

032e9a22f73d548479fc9cc94e9b8512275d053e419262a4f500c7736001741f
SHA512

7ab49f2f612cd872a8571da339ae8881c7837e7daec2d8fbb5b7ab651ff9334c8100bde2289c703308d00d4738eb67fc9835a067599b58c9aea70ec02b3204c1
SSDEEP

768:6JxbYLs+mQh5hKMKuNmeY8Pzq+PbDf6Wb:wv+VcMKuNDzqgbjD

Score

10^/10

kaiten botnet persistence

Malware Config

Signatures

Detects Kaiten/Tsunami Payload 1 IoCs

resource	yara_rule
behavioral1/memory/738-1-0x00400000-0x100015bc-memory.dmp	family_kaiten2

Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
botnet kaiten

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.4NXJfN	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/128/stat	killall
File opened for reading	/proc/392/stat	killall
File opened for reading	/proc/79/stat	killall
File opened for reading	/proc/795/stat	killall
File opened for reading	/proc/79/stat	killall
File opened for reading	/proc/1/stat	killall
File opened for reading	/proc/689/stat	killall
File opened for reading	/proc/8/stat	killall
File opened for reading	/proc/20/stat	killall
File opened for reading	/proc/685/stat	killall
File opened for reading	/proc/251/stat	killall
File opened for reading	/proc/802/stat	killall
File opened for reading	/proc/9/stat	killall
File opened for reading	/proc/36/stat	killall
File opened for reading	/proc/4/stat	killall
File opened for reading	/proc/393/stat	killall
File opened for reading	/proc/338/stat	killall
File opened for reading	/proc/18/stat	killall
File opened for reading	/proc/111/stat	killall
File opened for reading	/proc/83/stat	killall
File opened for reading	/proc/398/stat	killall
File opened for reading	/proc/5/stat	killall
File opened for reading	/proc/72/stat	killall
File opened for reading	/proc/71/stat	killall
File opened for reading	/proc/735/stat	killall
File opened for reading	/proc/737/stat	killall
File opened for reading	/proc/338/stat	killall
File opened for reading	/proc/82/stat	killall
File opened for reading	/proc/10/stat	killall
File opened for reading	/proc/732/stat	killall
File opened for reading	/proc/2/stat	killall
File opened for reading	/proc/7/stat	killall
File opened for reading	/proc/15/stat	killall
File opened for reading	/proc/24/stat	killall
File opened for reading	/proc/738/stat	killall
File opened for reading	/proc/731/stat	killall
File opened for reading	/proc/717/stat	killall
File opened for reading	/proc/338/stat	killall
File opened for reading	/proc/5/stat	killall
File opened for reading	/proc/398/stat	killall
File opened for reading	/proc/179/stat	killall
File opened for reading	/proc/17/stat	killall
File opened for reading	/proc/803/stat	killall
File opened for reading	/proc/737/stat	killall
File opened for reading	/proc/83/stat	killall
File opened for reading	/proc/764/stat	killall
File opened for reading	/proc/731/stat	killall
File opened for reading	/proc/2/stat	killall
File opened for reading	/proc/7/stat	killall
File opened for reading	/proc/339/stat	killall
File opened for reading	/proc/71/stat	killall
File opened for reading	/proc/10/stat	killall
File opened for reading	/proc/738/cmdline	killall
File opened for reading	/proc/745/stat	killall
File opened for reading	/proc/82/stat	killall
File opened for reading	/proc/737/stat	killall
File opened for reading	/proc/70/stat	killall
File opened for reading	/proc/392/stat	killall
File opened for reading	/proc/451/stat	killall
File opened for reading	/proc/732/stat	killall
File opened for reading	/proc/364/stat	killall
File opened for reading	/proc/393/stat	killall
File opened for reading	/proc/745/stat	killall
File opened for reading	/proc/13/stat	killall

/tmp/8db93a1c37558cb87760ef0b443c7365_JaffaCakes118
/tmp/8db93a1c37558cb87760ef0b443c7365_JaffaCakes118
1⤵
PID:738
- /bin/sh
  sh -c "rm -rf /var/run/wgsh > /dev/null 2>&1 &"
  2⤵
  PID:739
- /bin/sh
  sh -c "rm -rf /var/run/bbsh > /dev/null 2>&1 &"
  2⤵
  PID:742
- /bin/sh
  sh -c "rm -rf /var/run/tty1 > /dev/null 2>&1 &"
  2⤵
  PID:744
- /bin/sh
  sh -c "rm -rf /var/run/tty2 > /dev/null 2>&1 &"
  2⤵
  PID:750
- /bin/sh
  sh -c "rm -rf /var/run/tty3 > /dev/null 2>&1 &"
  2⤵
  PID:752
- /bin/sh
  sh -c "rm -rf /var/run/tty4 > /dev/null 2>&1 &"
  2⤵
  PID:755
- /bin/sh
  sh -c "rm -rf /var/run/tty5 > /dev/null 2>&1 &"
  2⤵
  PID:758
- /bin/sh
  sh -c "rm -rf /var/run/tty6 > /dev/null 2>&1 &"
  2⤵
  PID:760
- /bin/sh
  sh -c "rm -rf /tmp/tty1 > /dev/null 2>&1 &"
  2⤵
  PID:763
- /bin/sh
  sh -c "rm -rf /tmp/tty2 > /dev/null 2>&1 &"
  2⤵
  PID:766
- /bin/sh
  sh -c "rm -rf /tmp/tty3 > /dev/null 2>&1 &"
  2⤵
  PID:768
- /bin/sh
  sh -c "rm -rf /tmp/tty4 > /dev/null 2>&1 &"
  2⤵
  PID:771
- /bin/sh
  sh -c "rm -rf /tmp/tty5 > /dev/null 2>&1 &"
  2⤵
  PID:774
- /bin/sh
  sh -c "rm -rf /tmp/tty6 > /dev/null 2>&1 &"
  2⤵
  PID:777
- /bin/sh
  sh -c "rm -rf /var/run/pty > /dev/null 2>&1 &"
  2⤵
  PID:779
- /bin/sh
  sh -c "killall -9 arm > /dev/null 2>&1 &"
  2⤵
  PID:782
- /bin/sh
  sh -c "killall -9 mips > /dev/null 2>&1 &"
  2⤵
  PID:785
- /bin/sh
  sh -c "killall -9 mipsel > /dev/null 2>&1 &"
  2⤵
  PID:788
- /bin/sh
  sh -c "killall -9 powerpc > /dev/null 2>&1 &"
  2⤵
  PID:791
- /bin/sh
  sh -c "killall -9 ppc > /dev/null 2>&1 &"
  2⤵
  PID:794
- /bin/sh
  sh -c "killall -9 daemon.armv4l.mod > /dev/null 2>&1 &"
  2⤵
  PID:796
- /bin/sh
  sh -c "killall -9 daemon.i686.mod > /dev/null 2>&1 &"
  2⤵
  PID:799
- /bin/sh
  sh -c "killall -9 daemon.mips.mod > /dev/null 2>&1 &"
  2⤵
  PID:801
- /bin/sh
  sh -c "killall -9 daemon.mipsel.mod > /dev/null 2>&1 &"
  2⤵
  PID:804
- /bin/sh
  sh -c "kill -9 `cat /tmp/.xs/*.pid` > /dev/null 2>&1 &"
  2⤵
  PID:806
- - /bin/cat
    cat "/tmp/.xs/*.pid"
    3⤵
    PID:809
- /bin/sh
  sh -c "rm -rf /tmp/.xs/* > /dev/null 2>&1 &"
  2⤵
  PID:808
- /bin/sh
  sh -c "chmod 700 /tmp/8db93a1c37558cb87760ef0b443c7365_JaffaCakes118 > /dev/null 2>&1 &"
  2⤵
  PID:811
- /bin/sh
  sh -c "touch -acmr /bin/ls /tmp/8db93a1c37558cb87760ef0b443c7365_JaffaCakes118"
  2⤵
  PID:813
- - /usr/bin/touch
    touch -acmr /bin/ls /tmp/8db93a1c37558cb87760ef0b443c7365_JaffaCakes118
    3⤵
    PID:815
- /bin/sh
  sh -c "(crontab -l | grep -v \"/tmp/8db93a1c37558cb87760ef0b443c7365_JaffaCakes118\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x001804289383) > /dev/null 2>&1"
  2⤵
  PID:816
- - /bin/grep
    grep -v "no cron"
    3⤵
    PID:821
- - /usr/bin/crontab
    crontab -l
    3⤵
    PID:819
- - /bin/grep
    grep -v /tmp/8db93a1c37558cb87760ef0b443c7365_JaffaCakes118
    3⤵
    PID:820
- - /bin/grep
    grep -v lesshts/run.sh
    3⤵
    PID:822
- /bin/sh
  sh -c "echo \"* * * * * /tmp/8db93a1c37558cb87760ef0b443c7365_JaffaCakes118 > /dev/null 2>&1 &\" >> /var/run/.x001804289383"
  2⤵
  PID:823
- /bin/sh
  sh -c "crontab /var/run/.x001804289383"
  2⤵
  PID:824
- - /usr/bin/crontab
    crontab /var/run/.x001804289383
    3⤵
    - Creates/modifies Cron job
    PID:826
- /bin/sh
  sh -c "rm -rf /var/run/.x001804289383"
  2⤵
  PID:828
- - /bin/rm
    rm -rf /var/run/.x001804289383
    3⤵
    PID:830
- /bin/sh
  sh -c "/bin/uname -n"
  2⤵
  PID:831
- - /bin/uname
    /bin/uname -n
    3⤵
    PID:832
- /bin/sh
  sh -c "/bin/uname -n"
  2⤵
  PID:833
- - /bin/uname
    /bin/uname -n
    3⤵
    PID:835

/bin/rm
rm -rf /var/run/wgsh
1⤵
PID:741

/bin/rm
rm -rf /var/run/bbsh
1⤵
PID:743

/bin/rm
rm -rf /var/run/tty1
1⤵
PID:747

/bin/rm
rm -rf /var/run/tty2
1⤵
PID:751

/bin/rm
rm -rf /var/run/tty3
1⤵
PID:754

/bin/rm
rm -rf /var/run/tty4
1⤵
PID:757

/bin/rm
rm -rf /var/run/tty5
1⤵
PID:759

/bin/rm
rm -rf /var/run/tty6
1⤵
PID:762

/bin/rm
rm -rf /tmp/tty1
1⤵
PID:765

/bin/rm
rm -rf /tmp/tty2
1⤵
PID:767

/bin/rm
rm -rf /tmp/tty3
1⤵
PID:770

/bin/rm
rm -rf /tmp/tty4
1⤵
PID:773

/bin/rm
rm -rf /tmp/tty5
1⤵
PID:776

/bin/rm
rm -rf /tmp/tty6
1⤵
PID:778

/bin/rm
rm -rf /var/run/pty
1⤵
PID:781

/usr/bin/killall
killall -9 arm
1⤵
- Reads runtime system information
PID:784

/usr/bin/killall
killall -9 mips
1⤵
- Reads runtime system information
PID:787

/usr/bin/killall
killall -9 mipsel
1⤵
- Reads runtime system information
PID:790

/usr/bin/killall
killall -9 powerpc
1⤵
- Reads runtime system information
PID:792

/usr/bin/killall
killall -9 ppc
1⤵
- Reads runtime system information
PID:795

/usr/bin/killall
killall -9 daemon.armv4l.mod
1⤵
- Reads runtime system information
PID:798

/usr/bin/killall
killall -9 daemon.i686.mod
1⤵
- Reads runtime system information
PID:800

/usr/bin/killall
killall -9 daemon.mips.mod
1⤵
- Reads runtime system information
PID:803

/usr/bin/killall
killall -9 daemon.mipsel.mod
1⤵
- Reads runtime system information
PID:805

/bin/rm
rm -rf "/tmp/.xs/*"
1⤵
PID:810

/bin/chmod
chmod 700 /tmp/8db93a1c37558cb87760ef0b443c7365_JaffaCakes118
1⤵
PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/run/.x001804289383

Filesize
81B

MD5
54c6f3bd835b0625347cdc77b9feaec3

SHA1
299cfb428fb53a9e31153ddabb01fd3a8067282d

SHA256
d9f2c70eb8c47f4b1b0d88e42155eb31b1eb0813f871e637b444f44047a5ba50

SHA512
84298ad7aab9455111d2e8a8a6d234fc0c91e30768443c8d05b007e5dbbff609e6803ad012d5dbeeab3ff4b3e563c6d24fa0a737f1b37cfa5c5d9445cb96f222

Download Submit
/var/spool/cron/crontabs/tmp.4NXJfN

Filesize
278B

MD5
5d341f989de2ff00b2595dafa4ee5cc9

SHA1
7030fbb16393c8ae5e44359ab1e1a7be177cafdd

SHA256
bdc6431733fb3a6d3c0cde7013ec38c9ef88e4f4952609e4c196566a1085672e

SHA512
f1c76c0d7457458f4a8764cdb782a79c2855bf124669eb5821a6dfd2d2be82db7eae4735e3fde205d00f5df59156ce69804c5bb739a4ce472a4df2a58a891c78

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads