Overview

overview

10

Static

static

1

bot

ubuntu-18.04-amd64

1

bot

debian-9-armhf

1

bot

debian-9-mips

1

bot

debian-9-mipsel

1

go

ubuntu-18.04-amd64

10

go

debian-9-armhf

10

go

debian-9-mips

10

go

debian-9-mipsel

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2EOCE5RDC4SW0F3TYBQACDDJLXH9UR2FVRWTTR1MB25OLP1VUZ

  • Size

    24KB

  • Sample

    240828-zqgrqsxelj

  • MD5

    c728173017b573947dee46338451f712

  • SHA1

    3b137a8035f0a982942955e34d2b766d8204fadb

  • SHA256

    9ffc0ec1e281acb2213b638b7e7ab41720be2f9ff31c3640bf790bb406e05652

  • SHA512

    2447388ce4c979ee7e6d34ce6025222f95108934b3c680858c3cf502e1ac905eaac7e2c8f0633442667cdc904a03e8ed28bc3d4c99037c0fb4c4a8f13eafa3bb

  • SSDEEP

    384:achErrmbLZnKQBq7nA3dyJSmorfivc8f89cXroxwqvwcB5U1ZMw/tea17zwunzW3:fhVEQ07AAJuriklcXroxrab/tT7ETnTR

Score
10/10
kaitenbotnetlinuxpersistence

Malware Config

Targets

    • Target

      bot

    • Size

      17KB

    • MD5

      7b8cfb64ae09ab5968fdc0cb6ea1e798

    • SHA1

      c0206429f286f5b5814f770849f3c75aa7f6dc64

    • SHA256

      7ed3e282869a290bcf3557eb65f88ed8ece9ac86966a987b3dd7a86cd68c3feb

    • SHA512

      228f33b4e0c384fed4ecf9d7d7789b83e8f07d741fbc70fb289591205398ae36adb0f6fc255b4e56ae15aa6df9d53b576283f0244c2d9d296e04d96bf151159c

    • SSDEEP

      384:TdsxbX1HTGruTkwRfPdyd0tt8H0f5bUD1G4f:Zsx71HTdTkwHuPXf

    Score
    1/10
    behavioral1behavioral2behavioral3behavioral4

    • Target

      go

    • Size

      3KB

    • MD5

      7ecb186e0f39db85c9e668dcb1bac301

    • SHA1

      e42e91afdad6e32858c62700dd859011b653a80c

    • SHA256

      e228c6a2e62ccd691cc3534b1302a301bd6fa66e6e0c44a26677d4f00cbfa6b5

    • SHA512

      b1df507c89e5ebcb615b79c36879b2cf2b81ed705878fcfc990d39c86f428743d8d2b7b27e308d52f13e407bdeed93943f4c239b273c1747bca5a37bdf4f9eb1

    Score
    10/10
    kaitenbotnetpersistence

    • Detects Kaiten/Tsunami Payload

    • Detects Kaiten/Tsunami payload

    • Kaiten/Tsunami

      Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.

      botnetkaiten

    • Adds new SSH keys

      Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.

      persistence

    • Modifies password files for system users/ groups

      Modifies files storing password hashes of existing users/ groups, likely to grant additional privileges.

    • Write file to user bin folder

    • Writes file to system bin folder

    behavioral5behavioral6behavioral7behavioral8

MITRE ATT&CK Enterprise v15

Tasks