kaiten | 975a79e3549d8c0b8f102888d4c407535404a18b17086c6ae580850a8aa32ff1 | Triage

Submit
Reports

Overview

overview

Static

static

1

bot

ubuntu-18.04-amd64

1

bot

debian-9-armhf

1

bot

debian-9-mips

1

bot

debian-9-mipsel

1

go

ubuntu-18.04-amd64

go

debian-9-armhf

go

debian-9-mips

go

debian-9-mipsel

Sharing

General

Target

OR4B396XQLONQ2IF82GFI6DRV0REMCS4WL31D1F1YHSZZ1D5A5
Size

24KB
Sample

240828-yybp1svhmm
MD5

3b64c2ecd7ea152f9d4af9d0461db265
SHA1

29f839c71c24a1af7d34ced8c21a57bd98b80ac5
SHA256

975a79e3549d8c0b8f102888d4c407535404a18b17086c6ae580850a8aa32ff1
SHA512

f1447396d8ecbe9c6f984b20cb26c33600176686b9c160858ad0748495e7e0b96ee87b6eb5468e2f660156e7f68e64b8e87155ef376d5c79c6c25f6c2e4191d5
SSDEEP

768:VVlrin9agscJSJe6IynHU5uKkWc4p7TzgYYHi/:t09aQJSsuHUMKS8Oi/

Score

10^/10

kaiten botnet linux persistence

Static task

static1

Behavioral task

behavioral1

Sample

bot

Resource

ubuntu1804-amd64-20240611-en

ubuntu-18.04-amd64

0 signatures

150 seconds

Behavioral task

behavioral2

Sample

bot

Resource

debian9-armhf-20240611-en

debian-9-armhf

0 signatures

150 seconds

Behavioral task

behavioral3

Sample

bot

Resource

debian9-mipsbe-20240611-en

debian-9-mips

0 signatures

150 seconds

Behavioral task

behavioral4

Sample

bot

Resource

debian9-mipsel-20240611-en

debian-9-mipsel

0 signatures

150 seconds

Behavioral task

behavioral5

Sample

go

Resource

ubuntu1804-amd64-20240508-en

kaiten botnet persistence

ubuntu-18.04-amd64

10 signatures

150 seconds

Behavioral task

behavioral6

Sample

go

Resource

debian9-armhf-20240611-en

kaiten botnet persistence

debian-9-armhf

10 signatures

150 seconds

Behavioral task

behavioral7

Sample

go

Resource

debian9-mipsbe-20240611-en

kaiten botnet persistence

debian-9-mips

10 signatures

150 seconds

Behavioral task

behavioral8

Sample

go

Resource

debian9-mipsel-20240611-en

kaiten botnet persistence

debian-9-mipsel

10 signatures

150 seconds

Malware Config

Targets

- Target
  
  bot
- Size
  
  17KB
- MD5
  
  1d4c9039ca7e0b3e93c708f5d02f92a0
- SHA1
  
  6725399cf12cd25458f23b941b297d8d0b0ed8b0
- SHA256
  
  a675fb9cefb4e1d72a83da99ef6fcc56e83a53f9494bc56316824b8ba4316f90
- SHA512
  
  22f67e4abc727055efa23a90c1101bff951384564f98750c5c31d83ecab1bb2216e68530257a2172de7b9566bc38bb1463da7203275b880f720b08b573907c2a
- SSDEEP
  
  384:TgsxbX1HTCruTkwRfPdyd0tt8H0f5bUD1G4f:csx71HTJTkwHuPXf
Score

1^/10
behavioral1 behavioral2 behavioral3 behavioral4
- Target
  
  go
- Size
  
  3KB
- MD5
  
  fd55f0754084ba041539bb469f06a83d
- SHA1
  
  af7beef3297d77bdf1299a4fbf6cc50e27113aa4
- SHA256
  
  9bde6ebc01e00f36cb71b979f602f61a0f78e201ad9073ae557d764578789023
- SHA512
  
  cee0d136026accde83034f0b135dac8bdc2eec1a395a518f4b15c813062d75d49432b6d0ba996448107c1735382e84c31aeec372e9e1a9f830f1be848f7a8248
Score

10^/10

kaiten botnet persistence
- Detects Kaiten/Tsunami Payload
- Detects Kaiten/Tsunami payload
- Kaiten/Tsunami
  Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
  botnet kaiten
- Adds new SSH keys
  Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.
  persistence
- Modifies password files for system users/ groups
  Modifies files storing password hashes of existing users/ groups, likely to grant additional privileges.
- Write file to user bin folder
- Writes file to system bin folder
behavioral5 behavioral6 behavioral7 behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Hijack Execution Flow

Privilege Escalation

Hijack Execution Flow

Defense Evasion

Hijack Execution Flow

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

kaitenbotnetpersistence

behavioral6

kaitenbotnetpersistence

behavioral7

kaitenbotnetpersistence

behavioral8

kaitenbotnetpersistence

© 2018-2024

Terms | Privacy