kaiten | 8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1

Analysis

max time kernel
22s
max time network
22s
platform
debian-12_mipsel
resource
debian12-mipsel-20240221-en
resource tags

arch:mipselimage:debian12-mipsel-20240221-enkernel:6.1.0-17-4kc-maltalocale:en-usos:debian-12-mipselsystem
submitted
23-10-2024 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1.elf
Size

515KB
MD5

2ad737fb9e6ce08a164ddb8386f19b16
SHA1

86e87501edbdb8b6ee6ada9497ba2b62d741decc
SHA256

8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1
SHA512

068f4f7659c1d29ac0a6510e591100fba7fa1ffc445db21ce6487d77c8b34370fce3a24b4e9ff18b8910757123f593342dd80e473c0e337e7fa504eb3a13754f
SSDEEP

12288:v/J7M48SdpPK0RkLbZLn4nQdVV05tXqozEpwK9:HplxmLbJ4sY5tlzuv

Score

10^/10

kaiten botnet defense_evasion discovery execution persistence privilege_escalatio

Malware Config

Signatures

Detects Kaiten/Tsunami Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/739-1-0x00400000-0x005777e8-memory.dmp	family_kaiten2

Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
botnet kaiten
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
execution persistence privilege_escalatio

Cron
T1053.003

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.bJiXgk crontab
Enumerates running processes
Discovers information about currently running processes on the system
Indicator Removal: Timestomp 1 TTPs 4 IoCs
Adversaries may remove indicators of compromise from the host to evade detection.
defense_evasion

Timestomp
T1070.006

Processes:

touchshtouchsh

pid process

747 touch
790 sh
792 touch
744 sh

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.bJiXgk	crontab

pid	process
747	touch
790	sh
792	touch
744	sh

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

killallkillallkillallkillallkillallkillallkillallkillall

description	ioc	process
File opened for reading	/proc/17/stat	killall
File opened for reading	/proc/24/stat	killall
File opened for reading	/proc/111/stat	killall
File opened for reading	/proc/11/stat	killall
File opened for reading	/proc/8/stat	killall
File opened for reading	/proc/24/stat	killall
File opened for reading	/proc/4/stat	killall
File opened for reading	/proc/731	killall
File opened for reading	/proc/813/stat	killall
File opened for reading	/proc/53	killall
File opened for reading	/proc/22/stat	killall
File opened for reading	/proc/698	killall
File opened for reading	/proc/22	killall
File opened for reading	/proc/380/stat	killall
File opened for reading	/proc/794/stat	killall
File opened for reading	/proc/679	killall
File opened for reading	/proc/844	killall
File opened for reading	/proc/407/stat	killall
File opened for reading	/proc/732	killall
File opened for reading	/proc/323	killall
File opened for reading	/proc/9	killall
File opened for reading	/proc/111	killall
File opened for reading	/proc/842/stat	killall
File opened for reading	/proc/1/stat	killall
File opened for reading	/proc/119	killall
File opened for reading	/proc/13/stat	killall
File opened for reading	/proc/323/stat	killall
File opened for reading	/proc/667	killall
File opened for reading	/proc/844	killall
File opened for reading	/proc/433/stat	killall
File opened for reading	/proc/58	killall
File opened for reading	/proc/323	killall
File opened for reading	/proc/433	killall
File opened for reading	/proc/37	killall
File opened for reading	/proc/17/stat	killall
File opened for reading	/proc/20/stat	killall
File opened for reading	/proc/112/stat	killall
File opened for reading	/proc/119	killall
File opened for reading	/proc/26	killall
File opened for reading	/proc/27	killall
File opened for reading	/proc/119/stat	killall
File opened for reading	/proc/323/stat	killall
File opened for reading	/proc/842	killall
File opened for reading	/proc/848/stat	killall
File opened for reading	/proc/6	killall
File opened for reading	/proc/26	killall
File opened for reading	/proc/679/stat	killall
File opened for reading	/proc/9	killall
File opened for reading	/proc/844/stat	killall
File opened for reading	/proc/23/stat	killall
File opened for reading	/proc/181/stat	killall
File opened for reading	/proc/119/stat	killall
File opened for reading	/proc/323/stat	killall
File opened for reading	/proc/794/stat	killall
File opened for reading	/proc/323	killall
File opened for reading	/proc/16	killall
File opened for reading	/proc/830/stat	killall
File opened for reading	/proc/848/stat	killall
File opened for reading	/proc/48/stat	killall
File opened for reading	/proc/1/stat	killall
File opened for reading	/proc/17/stat	killall
File opened for reading	/proc/848/stat	killall
File opened for reading	/proc/5/stat	killall
File opened for reading	/proc/59/stat	killall

/tmp/8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1.elf
/tmp/8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1.elf
1⤵
PID:739
- /bin/sh
  sh -c "touch -acmr /bin/ls /tmp/8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1.elf"
  2⤵
  - Indicator Removal: Timestomp
  PID:744
- - /usr/bin/touch
    touch -acmr /bin/ls /tmp/8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1.elf
    3⤵
    - Indicator Removal: Timestomp
    PID:747
- /bin/sh
  sh -c "(crontab -l | grep -v \"/tmp/8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1.elf\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x00740882966) > /dev/null 2>&1"
  2⤵
  PID:750
- - /usr/bin/crontab
    crontab -l
    3⤵
    PID:754
- - /usr/bin/grep
    grep -v /tmp/8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1.elf
    3⤵
    PID:756
- - /usr/bin/grep
    grep -v "no cron"
    3⤵
    PID:757
- - /usr/bin/grep
    grep -v lesshts/run.sh
    3⤵
    PID:758
- /bin/sh
  sh -c "echo \"* * * * * /tmp/8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1.elf > /dev/null 2>&1 &\" >> /var/run/.x00740882966"
  2⤵
  PID:763
- /bin/sh
  sh -c "crontab /var/run/.x00740882966"
  2⤵
  PID:766
- - /usr/bin/crontab
    crontab /var/run/.x00740882966
    3⤵
    - Creates/modifies Cron job
    PID:767
- /bin/sh
  sh -c "rm -rf /var/run/.x00740882966"
  2⤵
  PID:770
- - /usr/bin/rm
    rm -rf /var/run/.x00740882966
    3⤵
    PID:772
- /bin/sh
  sh -c "cat /etc/inittab | grep -v \"/tmp/8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1.elf\" > /etc/inittab2"
  2⤵
  PID:774
- - /usr/bin/cat
    cat /etc/inittab
    3⤵
    PID:777
- - /usr/bin/grep
    grep -v /tmp/8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1.elf
    3⤵
    PID:778
- /bin/sh
  sh -c "echo \"0:2345:respawn:/tmp/8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1.elf\" >> /etc/inittab2"
  2⤵
  PID:782
- /bin/sh
  sh -c "cat /etc/inittab2 > /etc/inittab"
  2⤵
  PID:784
- - /usr/bin/cat
    cat /etc/inittab2
    3⤵
    PID:786
- /bin/sh
  sh -c "rm -rf /etc/inittab2"
  2⤵
  PID:787
- - /usr/bin/rm
    rm -rf /etc/inittab2
    3⤵
    PID:788
- /bin/sh
  sh -c "touch -acmr /bin/ls /etc/inittab"
  2⤵
  - Indicator Removal: Timestomp
  PID:790
- - /usr/bin/touch
    touch -acmr /bin/ls /etc/inittab
    3⤵
    - Indicator Removal: Timestomp
    PID:792
- /bin/sh
  sh -c "/bin/uname -n"
  2⤵
  PID:795
- - /bin/uname
    /bin/uname -n
    3⤵
    PID:798
- /bin/sh
  sh -c "/bin/uname -n"
  2⤵
  PID:800
- - /bin/uname
    /bin/uname -n
    3⤵
    PID:801
- /bin/sh
  sh -c "/bin/uname -n"
  2⤵
  PID:803
- - /bin/uname
    /bin/uname -n
    3⤵
    PID:805
- /bin/sh
  sh -c "kill -9 `cat /var/run/httpd.pid` > /dev/null 2>&1 &"
  2⤵
  PID:814
- - /usr/bin/cat
    cat /var/run/httpd.pid
    3⤵
    PID:817
- /bin/sh
  sh -c "service httpd stop > /dev/null 2>&1 &"
  2⤵
  PID:816
- /bin/sh
  sh -c "killall -9 mini_httpd > /dev/null 2>&1 &"
  2⤵
  PID:819
- /bin/sh
  sh -c "killall -9 minihttpd > /dev/null 2>&1 &"
  2⤵
  PID:821
- /bin/sh
  sh -c "kill -9 `cat /var/run/thttpd.pid` > /dev/null 2>&1 &"
  2⤵
  PID:824
- - /usr/bin/cat
    cat /var/run/thttpd.pid
    3⤵
    PID:828
- /bin/sh
  sh -c "nvram set httpd_enable=0 > /dev/null 2>&1"
  2⤵
  PID:827
- /bin/sh
  sh -c "nvram set http_enable=0 > /dev/null 2>&1"
  2⤵
  PID:832
- /bin/sh
  sh -c "killall -9 httpd > /dev/null 2>&1 &"
  2⤵
  PID:833
- /bin/sh
  sh -c "service telnetd stop > /dev/null 2>&1 &"
  2⤵
  PID:835
- - /usr/sbin/service
    service telnetd stop
    3⤵
    PID:836
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:837
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:838
  - - /usr/bin/systemctl
      systemctl list-unit-files --full "--type=socket"
      4⤵
      PID:843
  - - /usr/bin/sed
      sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
      4⤵
      PID:844
- /bin/sh
  sh -c "service sshd stop > /dev/null 2>&1 &"
  2⤵
  PID:839
- /bin/sh
  sh -c "killall -9 telnetd > /dev/null 2>&1 &"
  2⤵
  PID:841
- /bin/sh
  sh -c "killall -9 utelnetd > /dev/null 2>&1 &"
  2⤵
  PID:847
- /bin/sh
  sh -c "killall -9 dropbear > /dev/null 2>&1 &"
  2⤵
  PID:849
- /bin/sh
  sh -c "killall -9 sshd > /dev/null 2>&1 &"
  2⤵
  PID:852
- /bin/sh
  sh -c "killall -9 lighttpd > /dev/null 2>&1 &"
  2⤵
  PID:857

/usr/sbin/service
service httpd stop
1⤵
PID:818
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:822
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:825
- /usr/bin/systemctl
  systemctl list-unit-files --full "--type=socket"
  2⤵
  PID:830
- /usr/bin/sed
  sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
  2⤵
  PID:831

/usr/bin/killall
killall -9 mini_httpd
1⤵
- Reads runtime system information
PID:820

/usr/bin/killall
killall -9 minihttpd
1⤵
- Reads runtime system information
PID:823

/usr/bin/killall
killall -9 httpd
1⤵
- Reads runtime system information
PID:834

/usr/sbin/service
service sshd stop
1⤵
PID:840
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:845
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:850
- /usr/bin/systemctl
  systemctl list-unit-files --full "--type=socket"
  2⤵
  PID:854
- /usr/bin/sed
  sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
  2⤵
  PID:855

/usr/bin/killall
killall -9 telnetd
1⤵
- Reads runtime system information
PID:846

/usr/bin/killall
killall -9 utelnetd
1⤵
- Reads runtime system information
PID:848

/usr/bin/killall
killall -9 dropbear
1⤵
- Reads runtime system information
PID:851

/usr/bin/killall
killall -9 sshd
1⤵
- Reads runtime system information
PID:856

/usr/bin/killall
killall -9 lighttpd
1⤵
- Reads runtime system information
PID:858

/usr/local/sbin/systemctl
systemctl stop httpd.service
1⤵
PID:818

/usr/local/bin/systemctl
systemctl stop httpd.service
1⤵
PID:818

/usr/sbin/systemctl
systemctl stop httpd.service
1⤵
PID:818

/usr/bin/systemctl
systemctl stop httpd.service
1⤵
PID:818

/usr/local/sbin/systemctl
systemctl stop telnetd.service
1⤵
PID:836

/usr/local/bin/systemctl
systemctl stop telnetd.service
1⤵
PID:836

/usr/sbin/systemctl
systemctl stop telnetd.service
1⤵
PID:836

/usr/bin/systemctl
systemctl stop telnetd.service
1⤵
PID:836

/usr/local/sbin/systemctl
systemctl stop sshd.service
1⤵
PID:840

/usr/local/bin/systemctl
systemctl stop sshd.service
1⤵
PID:840

/usr/sbin/systemctl
systemctl stop sshd.service
1⤵
PID:840

/usr/bin/systemctl
systemctl stop sshd.service
1⤵
PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

Indicator Removal

T1070

Timestomp

T1070.006

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/inittab2

Filesize
89B

MD5
ed9325576707c90f92f91a00018df6e1

SHA1
66b0c43f0a5fa8afb5b91cab54a881c758ee6617

SHA256
4545b1ca306caee15d18eed17776a0913a35f495a5667ff969f9b6bdeb71e798

SHA512
b959e227747b772bf5f91a83eaa2b2f1ffd0935249d96f65dff48ec90790a23257036afa44bb81ecf99f9308efbd9279a7b696403313d809e0645a2c326e8a3a

Download Submit
/run/.x00740882966

Filesize
103B

MD5
6ab55ecff77106ff23749db58f5507ca

SHA1
493ff266aa9f528acca3d4af6db710cd9507d53a

SHA256
8e18993cb8498b103a29e1eaec535eeb472a09d325d99ebdb9fe65217b6eafd3

SHA512
6ee6f11f24b3881e27c798e5daaca8a63f87eb2b8dc2a2417b06848c5178d0083793348840b2e413a1b81ffd22221b681a9bcb89005ae236163eff70a86a6a43

Download Submit
/var/spool/cron/crontabs/tmp.bJiXgk

Filesize
299B

MD5
ea472e72e79d5db0470905d9e71ffd17

SHA1
c5c51d36f0bcc8f0aa6d13fbc31d2808d9bdf49f

SHA256
fd5899ea4ccd3ac6076f1a410e043086f8273f229a18eb7fc7ddbf3bad9e2338

SHA512
3b710d8c916aee9fe494039efcff863e2523f1ae4afea6cf6371ce97f2b0e6eebacb98e0777e427f560d4cd1e46d75151243c2335466b49b6898654180cdd162

Download Submit
memory/739-1-0x00400000-0x005777e8-memory.dmp

Download