Analysis
-
max time kernel
36s -
max time network
12s -
platform
debian-12_mipsel -
resource
debian12-mipsel-20240221-en -
resource tags
arch:mipselimage:debian12-mipsel-20240221-enkernel:6.1.0-17-4kc-maltalocale:en-usos:debian-12-mipselsystem -
submitted
27-10-2024 11:41
Static task
static1
Behavioral task
behavioral1
Sample
irq2
Resource
debian12-mipsel-20240221-en
General
-
Target
irq2
-
Size
515KB
-
MD5
2ad737fb9e6ce08a164ddb8386f19b16
-
SHA1
86e87501edbdb8b6ee6ada9497ba2b62d741decc
-
SHA256
8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1
-
SHA512
068f4f7659c1d29ac0a6510e591100fba7fa1ffc445db21ce6487d77c8b34370fce3a24b4e9ff18b8910757123f593342dd80e473c0e337e7fa504eb3a13754f
-
SSDEEP
12288:v/J7M48SdpPK0RkLbZLn4nQdVV05tXqozEpwK9:HplxmLbJ4sY5tlzuv
Malware Config
Signatures
-
Detects Kaiten/Tsunami Payload 1 IoCs
resource yara_rule behavioral1/memory/743-1-0x00400000-0x005777e8-memory.dmp family_kaiten2 -
Kaiten family
-
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description ioc Process File opened for modification /var/spool/cron/crontabs/tmp.EzCKHu crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
Indicator Removal: Timestomp 1 TTPs 4 IoCs
Adversaries may remove indicators of compromise from the host to evade detection.
pid Process 752 touch 789 sh 791 touch 749 sh -
description ioc Process File opened for reading /proc/33 killall File opened for reading /proc/30/stat killall File opened for reading /proc/829 killall File opened for reading /proc/6 killall File opened for reading /proc/341 killall File opened for reading /proc/33 killall File opened for reading /proc/42 killall File opened for reading /proc/6 killall File opened for reading /proc/29 killall File opened for reading /proc/22 killall File opened for reading /proc/831 killall File opened for reading /proc/26 killall File opened for reading /proc/679/stat killall File opened for reading /proc/47/stat killall File opened for reading /proc/115 killall File opened for reading /proc/354/stat killall File opened for reading /proc/18 killall File opened for reading /proc/698 killall File opened for reading /proc/841/stat killall File opened for reading /proc/24 killall File opened for reading /proc/341 killall File opened for reading /proc/137/cmdline killall File opened for reading /proc/851 killall File opened for reading /proc/19/stat killall File opened for reading /proc/3/stat killall File opened for reading /proc/10 killall File opened for reading /proc/24 killall File opened for reading /proc/27/stat killall File opened for reading /proc/19/stat killall File opened for reading /proc/180 killall File opened for reading /proc/10/stat killall File opened for reading /proc/34/stat killall File opened for reading /proc/450/stat killall File opened for reading /proc/4 killall File opened for reading /proc/6/stat killall File opened for reading /proc/4 killall File opened for reading /proc/1/stat killall File opened for reading /proc/31/stat killall File opened for reading /proc/6/stat killall File opened for reading /proc/filesystems systemctl File opened for reading /proc/813 killall File opened for reading /proc/37 killall File opened for reading /proc/732/stat killall File opened for reading /proc/11 killall File opened for reading /proc/44/stat killall File opened for reading /proc/59/stat killall File opened for reading /proc/13 killall File opened for reading /proc/42/stat killall File opened for reading /proc/114 killall File opened for reading /proc/809 killall File opened for reading /proc/5 killall File opened for reading /proc/818 killall File opened for reading /proc/114 killall File opened for reading /proc/26 killall File opened for reading /proc/818/stat killall File opened for reading /proc/47 killall File opened for reading /proc/2 killall File opened for reading /proc/114 killall File opened for reading /proc/710/stat killall File opened for reading /proc/710/stat killall File opened for reading /proc/1/stat killall File opened for reading /proc/4 killall File opened for reading /proc/28/stat killall File opened for reading /proc/30/stat killall
Processes
-
/tmp/irq2/tmp/irq21⤵PID:743
-
/bin/shsh -c "touch -acmr /bin/ls /tmp/irq2"2⤵
- Indicator Removal: Timestomp
PID:749 -
/usr/bin/touchtouch -acmr /bin/ls /tmp/irq23⤵
- Indicator Removal: Timestomp
PID:752
-
-
-
/bin/shsh -c "(crontab -l | grep -v \"/tmp/irq2\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x00740882966) > /dev/null 2>&1"2⤵PID:755
-
/usr/bin/crontabcrontab -l3⤵PID:758
-
-
/usr/bin/grepgrep -v /tmp/irq23⤵PID:759
-
-
/usr/bin/grepgrep -v "no cron"3⤵PID:760
-
-
/usr/bin/grepgrep -v lesshts/run.sh3⤵PID:761
-
-
-
/bin/shsh -c "echo \"* * * * * /tmp/irq2 > /dev/null 2>&1 &\" >> /var/run/.x00740882966"2⤵PID:766
-
-
/bin/shsh -c "crontab /var/run/.x00740882966"2⤵PID:768
-
/usr/bin/crontabcrontab /var/run/.x007408829663⤵
- Creates/modifies Cron job
PID:770
-
-
-
/bin/shsh -c "rm -rf /var/run/.x00740882966"2⤵PID:774
-
/usr/bin/rmrm -rf /var/run/.x007408829663⤵PID:776
-
-
-
/bin/shsh -c "cat /etc/inittab | grep -v \"/tmp/irq2\" > /etc/inittab2"2⤵PID:778
-
/usr/bin/catcat /etc/inittab3⤵PID:780
-
-
/usr/bin/grepgrep -v /tmp/irq23⤵PID:781
-
-
-
/bin/shsh -c "echo \"0:2345:respawn:/tmp/irq2\" >> /etc/inittab2"2⤵PID:783
-
-
/bin/shsh -c "cat /etc/inittab2 > /etc/inittab"2⤵PID:784
-
-
/bin/shsh -c "rm -rf /etc/inittab2"2⤵PID:786
-
/usr/bin/rmrm -rf /etc/inittab23⤵PID:788
-
-
-
/bin/shsh -c "touch -acmr /bin/ls /etc/inittab"2⤵
- Indicator Removal: Timestomp
PID:789 -
/usr/bin/touchtouch -acmr /bin/ls /etc/inittab3⤵
- Indicator Removal: Timestomp
PID:791
-
-
-
/bin/shsh -c "/bin/uname -n"2⤵PID:795
-
/bin/uname/bin/uname -n3⤵PID:797
-
-
-
/bin/shsh -c "/bin/uname -n"2⤵PID:800
-
/bin/uname/bin/uname -n3⤵PID:801
-
-
-
/bin/shsh -c "/bin/uname -n"2⤵PID:803
-
/bin/uname/bin/uname -n3⤵PID:805
-
-
-
/bin/shsh -c "kill -9 `cat /var/run/httpd.pid` > /dev/null 2>&1 &"2⤵PID:814
-
/usr/bin/catcat /var/run/httpd.pid3⤵PID:817
-
-
-
/bin/shsh -c "service httpd stop > /dev/null 2>&1 &"2⤵PID:816
-
-
/bin/shsh -c "killall -9 mini_httpd > /dev/null 2>&1 &"2⤵PID:819
-
-
/bin/shsh -c "killall -9 minihttpd > /dev/null 2>&1 &"2⤵PID:821
-
-
/bin/shsh -c "kill -9 `cat /var/run/thttpd.pid` > /dev/null 2>&1 &"2⤵PID:824
-
/usr/bin/catcat /var/run/thttpd.pid3⤵PID:828
-
-
-
/bin/shsh -c "nvram set httpd_enable=0 > /dev/null 2>&1"2⤵PID:827
-
-
/bin/shsh -c "nvram set http_enable=0 > /dev/null 2>&1"2⤵PID:832
-
-
/bin/shsh -c "killall -9 httpd > /dev/null 2>&1 &"2⤵PID:833
-
-
/bin/shsh -c "service telnetd stop > /dev/null 2>&1 &"2⤵PID:835
-
-
/bin/shsh -c "service sshd stop > /dev/null 2>&1 &"2⤵PID:837
-
-
/bin/shsh -c "killall -9 telnetd > /dev/null 2>&1 &"2⤵PID:839
-
-
/bin/shsh -c "killall -9 utelnetd > /dev/null 2>&1 &"2⤵PID:843
-
-
/bin/shsh -c "killall -9 dropbear > /dev/null 2>&1 &"2⤵PID:847
-
-
/bin/shsh -c "killall -9 sshd > /dev/null 2>&1 &"2⤵PID:850
-
-
/bin/shsh -c "killall -9 lighttpd > /dev/null 2>&1 &"2⤵PID:857
-
-
/usr/sbin/serviceservice httpd stop1⤵PID:818
-
/usr/bin/basenamebasename /usr/sbin/service2⤵PID:822
-
-
/usr/bin/basenamebasename /usr/sbin/service2⤵PID:825
-
-
/usr/bin/systemctlsystemctl list-unit-files --full "--type=socket"2⤵PID:830
-
-
/usr/bin/sedsed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"2⤵PID:831
-
-
/usr/bin/killallkillall -9 mini_httpd1⤵
- Reads runtime system information
PID:820
-
/usr/bin/killallkillall -9 minihttpd1⤵
- Reads runtime system information
PID:823
-
/usr/bin/killallkillall -9 httpd1⤵
- Reads runtime system information
PID:834
-
/usr/sbin/serviceservice telnetd stop1⤵PID:836
-
/usr/bin/basenamebasename /usr/sbin/service2⤵PID:840
-
-
/usr/bin/basenamebasename /usr/sbin/service2⤵PID:845
-
-
/usr/bin/sedsed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"2⤵PID:853
-
-
/usr/bin/systemctlsystemctl list-unit-files --full "--type=socket"2⤵PID:852
-
-
/usr/sbin/serviceservice sshd stop1⤵PID:838
-
/usr/bin/basenamebasename /usr/sbin/service2⤵PID:842
-
-
/usr/bin/basenamebasename /usr/sbin/service2⤵PID:844
-
-
/usr/bin/sedsed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"2⤵PID:855
-
-
/usr/bin/systemctlsystemctl list-unit-files --full "--type=socket"2⤵PID:854
-
-
/usr/bin/killallkillall -9 telnetd1⤵
- Reads runtime system information
PID:841
-
/usr/bin/killallkillall -9 utelnetd1⤵
- Reads runtime system information
PID:846
-
/usr/bin/killallkillall -9 dropbear1⤵
- Reads runtime system information
PID:848
-
/usr/bin/killallkillall -9 sshd1⤵
- Reads runtime system information
PID:856
-
/usr/bin/killallkillall -9 lighttpd1⤵
- Reads runtime system information
PID:858
-
/usr/local/sbin/systemctlsystemctl stop httpd.service1⤵PID:818
-
/usr/local/bin/systemctlsystemctl stop httpd.service1⤵PID:818
-
/usr/sbin/systemctlsystemctl stop httpd.service1⤵PID:818
-
/usr/bin/systemctlsystemctl stop httpd.service1⤵PID:818
-
/usr/local/sbin/systemctlsystemctl stop telnetd.service1⤵PID:836
-
/usr/local/bin/systemctlsystemctl stop telnetd.service1⤵PID:836
-
/usr/sbin/systemctlsystemctl stop telnetd.service1⤵PID:836
-
/usr/bin/systemctlsystemctl stop telnetd.service1⤵PID:836
-
/usr/local/sbin/systemctlsystemctl stop sshd.service1⤵PID:838
-
/usr/local/bin/systemctlsystemctl stop sshd.service1⤵PID:838
-
/usr/sbin/systemctlsystemctl stop sshd.service1⤵PID:838
-
/usr/bin/systemctlsystemctl stop sshd.service1⤵
- Reads runtime system information
PID:838
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
25B
MD523a6588a2dbaf98c20dd9ad548f99576
SHA11d4504154b3abcef8b652f4832de895669737941
SHA2566c7a9e9b6883cbcff02f673e5fb8bcdbe0b23459f0e063b80cba76ad22b1aff0
SHA512de52be0bb66cc880f2cdd0cfc9d47949cbfa161a286d48d22fc22b42f484fcdb4317f34ee05194ab8f61b54e444d04c69459c5bb2fa4ebf8542194949fbc4837
-
Filesize
39B
MD565c1bbfcb74ec6f5c0efb513ebf1e69d
SHA1a7a758354c25c91d88d9da83f90552bd9f973e9b
SHA2565ca8963c17b0b8ff4dc3d6ac469b22eed780405b6574ab26b7da3074cc089001
SHA512b86ac43a202e47d1ec305904b7227f9c5b32389b7702f9fa0856674812ae7c33f9a410901b14f6e9428fc14428c5adfaac20690d4d74c8755582566890e06abc
-
Filesize
235B
MD586914499bb6f61e546b730041a1f6ed9
SHA1984e52fa12f9fda8c27d801a350158e1a3345d7b
SHA256c69f56374b512e816ad31ea035f4ae2f16127096a52e359457982b0ddf3fa1c1
SHA512129913a5dbe6e6bb5fabab4e5a76291af0cf8f457f820dba725bf569411902df82a54ccb16978aa1f0b8d2caa27b8511a2ec6c2c637a59d4b4822947207499b9