kaiten | 8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1

General

Target

8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1.elf
Size

515KB
MD5

2ad737fb9e6ce08a164ddb8386f19b16
SHA1

86e87501edbdb8b6ee6ada9497ba2b62d741decc
SHA256

8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1
SHA512

068f4f7659c1d29ac0a6510e591100fba7fa1ffc445db21ce6487d77c8b34370fce3a24b4e9ff18b8910757123f593342dd80e473c0e337e7fa504eb3a13754f
SSDEEP

12288:v/J7M48SdpPK0RkLbZLn4nQdVV05tXqozEpwK9:HplxmLbJ4sY5tlzuv

Score

10^/10

kaiten botnet defense_evasion discovery execution persistence privilege_escalatio

Malware Config

Signatures

Detects Kaiten/Tsunami Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/747-1-0x00400000-0x005777e8-memory.dmp	family_kaiten2

Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
botnet kaiten
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
execution persistence privilege_escalatio

Cron
T1053.003

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.86dmNY crontab
Enumerates running processes
Discovers information about currently running processes on the system
Indicator Removal: Timestomp 1 TTPs 4 IoCs
Adversaries may remove indicators of compromise from the host to evade detection.
defense_evasion

Timestomp
T1070.006

Processes:

shtouchshtouch

pid process

753 sh
755 touch
795 sh
797 touch

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.86dmNY	crontab

pid	process
753	sh
755	touch
795	sh
797	touch

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

killallkillallkillallkillallkillallkillallkillallkillall

description	ioc	process
File opened for reading	/proc/27	killall
File opened for reading	/proc/34/stat	killall
File opened for reading	/proc/806	killall
File opened for reading	/proc/7	killall
File opened for reading	/proc/13	killall
File opened for reading	/proc/202/stat	killall
File opened for reading	/proc/714	killall
File opened for reading	/proc/30/stat	killall
File opened for reading	/proc/389	killall
File opened for reading	/proc/27	killall
File opened for reading	/proc/16/stat	killall
File opened for reading	/proc/186/stat	killall
File opened for reading	/proc/814/stat	killall
File opened for reading	/proc/827/stat	killall
File opened for reading	/proc/6/stat	killall
File opened for reading	/proc/820	killall
File opened for reading	/proc/47	killall
File opened for reading	/proc/1	killall
File opened for reading	/proc/26	killall
File opened for reading	/proc/844	killall
File opened for reading	/proc/20	killall
File opened for reading	/proc/379	killall
File opened for reading	/proc/426/stat	killall
File opened for reading	/proc/806/stat	killall
File opened for reading	/proc/830/stat	killall
File opened for reading	/proc/9	killall
File opened for reading	/proc/22/stat	killall
File opened for reading	/proc/25/stat	killall
File opened for reading	/proc/698/stat	killall
File opened for reading	/proc/15	killall
File opened for reading	/proc/113	killall
File opened for reading	/proc/59/stat	killall
File opened for reading	/proc/59	killall
File opened for reading	/proc/668	killall
File opened for reading	/proc/42	killall
File opened for reading	/proc/714	killall
File opened for reading	/proc/179/stat	killall
File opened for reading	/proc/7/stat	killall
File opened for reading	/proc/30	killall
File opened for reading	/proc/804/stat	killall
File opened for reading	/proc/53	killall
File opened for reading	/proc/681/stat	killall
File opened for reading	/proc/696/stat	killall
File opened for reading	/proc/27	killall
File opened for reading	/proc/759/stat	killall
File opened for reading	/proc/393	killall
File opened for reading	/proc/740	killall
File opened for reading	/proc/30	killall
File opened for reading	/proc/380	killall
File opened for reading	/proc/721	killall
File opened for reading	/proc/411	killall
File opened for reading	/proc/740/stat	killall
File opened for reading	/proc/30	killall
File opened for reading	/proc/804/stat	killall
File opened for reading	/proc/37/stat	killall
File opened for reading	/proc/379/stat	killall
File opened for reading	/proc/1	killall
File opened for reading	/proc/410/stat	killall
File opened for reading	/proc/26	killall
File opened for reading	/proc/202	killall
File opened for reading	/proc/32	killall
File opened for reading	/proc/814/stat	killall
File opened for reading	/proc/696	killall
File opened for reading	/proc/15/stat	killall

/tmp/8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1.elf
/tmp/8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1.elf
1⤵
PID:747

/bin/sh
sh -c "touch -acmr /bin/ls /tmp/8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1.elf"
2⤵
- Indicator Removal: Timestomp
PID:753

/usr/bin/touch
touch -acmr /bin/ls /tmp/8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1.elf
3⤵
- Indicator Removal: Timestomp
PID:755

/bin/sh
sh -c "(crontab -l | grep -v \"/tmp/8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1.elf\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x00740882966) > /dev/null 2>&1"
2⤵
PID:757

/usr/bin/crontab
crontab -l
3⤵
PID:761

/usr/bin/grep
grep -v /tmp/8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1.elf
3⤵
PID:762

/usr/bin/grep
grep -v "no cron"
3⤵
PID:763

/usr/bin/grep
grep -v lesshts/run.sh
3⤵
PID:764

/bin/sh
sh -c "echo \"* * * * * /tmp/8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1.elf > /dev/null 2>&1 &\" >> /var/run/.x00740882966"
2⤵
PID:769

/bin/sh
sh -c "crontab /var/run/.x00740882966"
2⤵
PID:772

/usr/bin/crontab
crontab /var/run/.x00740882966
3⤵
- Creates/modifies Cron job
PID:775

/bin/sh
sh -c "rm -rf /var/run/.x00740882966"
2⤵
PID:777

/usr/bin/rm
rm -rf /var/run/.x00740882966
3⤵
PID:779

/bin/sh
sh -c "cat /etc/inittab | grep -v \"/tmp/8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1.elf\" > /etc/inittab2"
2⤵
PID:781

/usr/bin/cat
cat /etc/inittab
3⤵
PID:782

/usr/bin/grep
grep -v /tmp/8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1.elf
3⤵
PID:783

/bin/sh
sh -c "echo \"0:2345:respawn:/tmp/8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1.elf\" >> /etc/inittab2"
2⤵
PID:784

/bin/sh
sh -c "cat /etc/inittab2 > /etc/inittab"
2⤵
PID:786

/usr/bin/cat
cat /etc/inittab2
3⤵
PID:789

/bin/sh
sh -c "rm -rf /etc/inittab2"
2⤵
PID:790

/usr/bin/rm
rm -rf /etc/inittab2
3⤵
PID:793

/bin/sh
sh -c "touch -acmr /bin/ls /etc/inittab"
2⤵
- Indicator Removal: Timestomp
PID:795

/usr/bin/touch
touch -acmr /bin/ls /etc/inittab
3⤵
- Indicator Removal: Timestomp
PID:797

/bin/sh
sh -c "/bin/uname -n"
2⤵
PID:800

/bin/uname
/bin/uname -n
3⤵
PID:801

/bin/sh
sh -c "/bin/uname -n"
2⤵
PID:803

/bin/uname
/bin/uname -n
3⤵
PID:807

/bin/sh
sh -c "/bin/uname -n"
2⤵
PID:808

/bin/uname
/bin/uname -n
3⤵
PID:809

/bin/sh
sh -c "kill -9 `cat /var/run/httpd.pid` > /dev/null 2>&1 &"
2⤵
PID:810

/usr/bin/cat
cat /var/run/httpd.pid
3⤵
PID:813

/bin/sh
sh -c "service httpd stop > /dev/null 2>&1 &"
2⤵
PID:812

/bin/sh
sh -c "killall -9 mini_httpd > /dev/null 2>&1 &"
2⤵
PID:815

/bin/sh
sh -c "killall -9 minihttpd > /dev/null 2>&1 &"
2⤵
PID:817

/bin/sh
sh -c "kill -9 `cat /var/run/thttpd.pid` > /dev/null 2>&1 &"
2⤵
PID:819

/usr/bin/cat
cat /var/run/thttpd.pid
3⤵
PID:823

/bin/sh
sh -c "nvram set httpd_enable=0 > /dev/null 2>&1"
2⤵
PID:822

/bin/sh
sh -c "nvram set http_enable=0 > /dev/null 2>&1"
2⤵
PID:824

/bin/sh
sh -c "killall -9 httpd > /dev/null 2>&1 &"
2⤵
PID:826

/bin/sh
sh -c "service telnetd stop > /dev/null 2>&1 &"
2⤵
PID:831

/bin/sh
sh -c "service sshd stop > /dev/null 2>&1 &"
2⤵
PID:833

/bin/sh
sh -c "killall -9 telnetd > /dev/null 2>&1 &"
2⤵
PID:837

/bin/sh
sh -c "killall -9 utelnetd > /dev/null 2>&1 &"
2⤵
PID:841

/bin/sh
sh -c "killall -9 dropbear > /dev/null 2>&1 &"
2⤵
PID:845

/bin/sh
sh -c "killall -9 sshd > /dev/null 2>&1 &"
2⤵
PID:853

/bin/sh
sh -c "killall -9 lighttpd > /dev/null 2>&1 &"
2⤵
PID:855

/usr/sbin/service
service httpd stop
1⤵
PID:814

/usr/bin/basename
basename /usr/sbin/service
2⤵
PID:821

/usr/bin/basename
basename /usr/sbin/service
2⤵
PID:825

/usr/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
2⤵
PID:830

/usr/bin/systemctl
systemctl list-unit-files --full "--type=socket"
2⤵
PID:828

/usr/bin/killall
killall -9 minihttpd
1⤵
- Reads runtime system information
PID:818

/usr/bin/killall
killall -9 mini_httpd
1⤵
- Reads runtime system information
PID:816

/usr/bin/killall
killall -9 httpd
1⤵
- Reads runtime system information
PID:829

/usr/sbin/service
service telnetd stop
1⤵
PID:832

/usr/bin/basename
basename /usr/sbin/service
2⤵
PID:838

/usr/bin/basename
basename /usr/sbin/service
2⤵
PID:842

/usr/bin/systemctl
systemctl list-unit-files --full "--type=socket"
2⤵
PID:849

/usr/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
2⤵
PID:851

/usr/sbin/service
service sshd stop
1⤵
PID:836

/usr/bin/basename
basename /usr/sbin/service
2⤵
PID:839

/usr/bin/basename
basename /usr/sbin/service
2⤵
PID:843

/usr/bin/systemctl
systemctl list-unit-files --full "--type=socket"
2⤵
PID:848

/usr/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
2⤵
PID:850

/usr/bin/killall
killall -9 telnetd
1⤵
- Reads runtime system information
PID:840

/usr/bin/killall
killall -9 utelnetd
1⤵
- Reads runtime system information
PID:844

/usr/bin/killall
killall -9 dropbear
1⤵
- Reads runtime system information
PID:852

/usr/bin/killall
killall -9 sshd
1⤵
- Reads runtime system information
PID:854

/usr/bin/killall
killall -9 lighttpd
1⤵
- Reads runtime system information
PID:856

/usr/local/sbin/systemctl
systemctl stop httpd.service
1⤵
PID:814

/usr/local/bin/systemctl
systemctl stop httpd.service
1⤵
PID:814

/usr/sbin/systemctl
systemctl stop httpd.service
1⤵
PID:814

/usr/bin/systemctl
systemctl stop httpd.service
1⤵
PID:814

/usr/local/sbin/systemctl
systemctl stop sshd.service
1⤵
PID:836

/usr/local/bin/systemctl
systemctl stop sshd.service
1⤵
PID:836

/usr/sbin/systemctl
systemctl stop sshd.service
1⤵
PID:836

/usr/bin/systemctl
systemctl stop sshd.service
1⤵
PID:836

/usr/local/sbin/systemctl
systemctl stop telnetd.service
1⤵
PID:832

/usr/local/bin/systemctl
systemctl stop telnetd.service
1⤵
PID:832

/usr/sbin/systemctl
systemctl stop telnetd.service
1⤵
PID:832

/usr/bin/systemctl
systemctl stop telnetd.service
1⤵
PID:832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Cron

1

T1053.003

Persistence

Scheduled Task/Job

1

T1053

Cron

1

T1053.003

Privilege Escalation

Scheduled Task/Job

1

T1053

Cron

1

T1053.003

Defense Evasion

Indicator Removal

1

T1070

Timestomp

1

T1070.006

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/inittab2

Filesize
89B

MD5
ed9325576707c90f92f91a00018df6e1

SHA1
66b0c43f0a5fa8afb5b91cab54a881c758ee6617

SHA256
4545b1ca306caee15d18eed17776a0913a35f495a5667ff969f9b6bdeb71e798

SHA512
b959e227747b772bf5f91a83eaa2b2f1ffd0935249d96f65dff48ec90790a23257036afa44bb81ecf99f9308efbd9279a7b696403313d809e0645a2c326e8a3a

Download Submit
/run/.x00740882966

Filesize
103B

MD5
6ab55ecff77106ff23749db58f5507ca

SHA1
493ff266aa9f528acca3d4af6db710cd9507d53a

SHA256
8e18993cb8498b103a29e1eaec535eeb472a09d325d99ebdb9fe65217b6eafd3

SHA512
6ee6f11f24b3881e27c798e5daaca8a63f87eb2b8dc2a2417b06848c5178d0083793348840b2e413a1b81ffd22221b681a9bcb89005ae236163eff70a86a6a43

Download Submit
/var/spool/cron/crontabs/tmp.86dmNY

Filesize
299B

MD5
66cc1afc44f273f6afceaaaa359f8712

SHA1
fd90f906a48d49a29318748c9b9071168d5d7af7

SHA256
e51468cae16bd7e68514edfc01783e1a1c738ee93b148b257a544eadec845bd2

SHA512
15b937e458c7d84bf6e2fc6b69617048e650ab95634ac264009346116191595a5ab2dc0089a61ef37677704afd7af4c325147a7af51b8eb7a41ca3d2749d54f3

Download Submit
memory/747-1-0x00400000-0x005777e8-memory.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads