Malware Analysis Report

2024-11-13 15:54

Sample ID 241027-ntldjsvlfm
Target irq2
SHA256 8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1
Tags
kaiten botnet defense_evasion discovery execution persistence privilege_escalatio
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8e9cd77c31ba14b925208fa5e3d9f5675909f0a5ebc2399bdd9e36279314abd1

Threat Level: Known bad

The file irq2 was found to be: Known bad.

Malicious Activity Summary

kaiten botnet defense_evasion discovery execution persistence privilege_escalatio

Detects Kaiten/Tsunami Payload

Kaiten family

Kaiten/Tsunami

Creates/modifies Cron job

Enumerates running processes

Indicator Removal: Timestomp

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-27 11:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 11:41

Reported

2024-10-27 11:44

Platform

debian12-mipsel-20240221-en

Max time kernel

36s

Max time network

12s

Command Line

[/tmp/irq2]

Signatures

Detects Kaiten/Tsunami Payload

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Kaiten family

kaiten

Kaiten/Tsunami

botnet kaiten

Creates/modifies Cron job

execution persistence privilege_escalatio
Description                   Indicator                             Process            Target
File opened for modification  /var/spool/cron/crontabs/tmp.EzCKHu   /usr/bin/crontab   N/A

Enumerates running processes

Indicator Removal: Timestomp

defense_evasion
Description  Indicator  Process         Target
N/A          N/A        /usr/bin/touch  N/A
N/A          N/A        /bin/sh         N/A
N/A          N/A        /usr/bin/touch  N/A
N/A          N/A        /bin/sh         N/A

Reads runtime system information

discovery
Description              Indicator          Process             Target
File opened for reading  /proc/33           /usr/bin/killall    N/A
File opened for reading  /proc/30/stat      /usr/bin/killall    N/A
File opened for reading  /proc/829          /usr/bin/killall    N/A
File opened for reading  /proc/6            /usr/bin/killall    N/A
File opened for reading  /proc/341          /usr/bin/killall    N/A
File opened for reading  /proc/33           /usr/bin/killall    N/A
File opened for reading  /proc/42           /usr/bin/killall    N/A
File opened for reading  /proc/6            /usr/bin/killall    N/A
File opened for reading  /proc/29           /usr/bin/killall    N/A
File opened for reading  /proc/22           /usr/bin/killall    N/A
File opened for reading  /proc/831          /usr/bin/killall    N/A
File opened for reading  /proc/26           /usr/bin/killall    N/A
File opened for reading  /proc/679/stat     /usr/bin/killall    N/A
File opened for reading  /proc/47/stat      /usr/bin/killall    N/A
File opened for reading  /proc/115          /usr/bin/killall    N/A
File opened for reading  /proc/354/stat     /usr/bin/killall    N/A
File opened for reading  /proc/18           /usr/bin/killall    N/A
File opened for reading  /proc/698          /usr/bin/killall    N/A
File opened for reading  /proc/841/stat     /usr/bin/killall    N/A
File opened for reading  /proc/24           /usr/bin/killall    N/A
File opened for reading  /proc/341          /usr/bin/killall    N/A
File opened for reading  /proc/137/cmdline  /usr/bin/killall    N/A
File opened for reading  /proc/851          /usr/bin/killall    N/A
File opened for reading  /proc/19/stat      /usr/bin/killall    N/A
File opened for reading  /proc/3/stat       /usr/bin/killall    N/A
File opened for reading  /proc/10           /usr/bin/killall    N/A
File opened for reading  /proc/24           /usr/bin/killall    N/A
File opened for reading  /proc/27/stat      /usr/bin/killall    N/A
File opened for reading  /proc/19/stat      /usr/bin/killall    N/A
File opened for reading  /proc/180          /usr/bin/killall    N/A
File opened for reading  /proc/10/stat      /usr/bin/killall    N/A
File opened for reading  /proc/34/stat      /usr/bin/killall    N/A
File opened for reading  /proc/450/stat     /usr/bin/killall    N/A
File opened for reading  /proc/4            /usr/bin/killall    N/A
File opened for reading  /proc/6/stat       /usr/bin/killall    N/A
File opened for reading  /proc/4            /usr/bin/killall    N/A
File opened for reading  /proc/1/stat       /usr/bin/killall    N/A
File opened for reading  /proc/31/stat      /usr/bin/killall    N/A
File opened for reading  /proc/6/stat       /usr/bin/killall    N/A
File opened for reading  /proc/filesystems  /usr/bin/systemctl  N/A
File opened for reading  /proc/813          /usr/bin/killall    N/A
File opened for reading  /proc/37           /usr/bin/killall    N/A
File opened for reading  /proc/732/stat     /usr/bin/killall    N/A
File opened for reading  /proc/11           /usr/bin/killall    N/A
File opened for reading  /proc/44/stat      /usr/bin/killall    N/A
File opened for reading  /proc/59/stat      /usr/bin/killall    N/A
File opened for reading  /proc/13           /usr/bin/killall    N/A
File opened for reading  /proc/42/stat      /usr/bin/killall    N/A
File opened for reading  /proc/114          /usr/bin/killall    N/A
File opened for reading  /proc/809          /usr/bin/killall    N/A
File opened for reading  /proc/5            /usr/bin/killall    N/A
File opened for reading  /proc/818          /usr/bin/killall    N/A
File opened for reading  /proc/114          /usr/bin/killall    N/A
File opened for reading  /proc/26           /usr/bin/killall    N/A
File opened for reading  /proc/818/stat     /usr/bin/killall    N/A
File opened for reading  /proc/47           /usr/bin/killall    N/A
File opened for reading  /proc/2            /usr/bin/killall    N/A
File opened for reading  /proc/114          /usr/bin/killall    N/A
File opened for reading  /proc/710/stat     /usr/bin/killall    N/A
File opened for reading  /proc/710/stat     /usr/bin/killall    N/A
File opened for reading  /proc/1/stat       /usr/bin/killall    N/A
File opened for reading  /proc/4            /usr/bin/killall    N/A
File opened for reading  /proc/28/stat      /usr/bin/killall    N/A
File opened for reading  /proc/30/stat      /usr/bin/killall    N/A

Processes

/tmp/irq2

[/tmp/irq2]

/bin/sh

[sh -c touch -acmr /bin/ls /tmp/irq2]

/usr/bin/touch

[touch -acmr /bin/ls /tmp/irq2]

/bin/sh

[sh -c (crontab -l | grep -v "/tmp/irq2" | grep -v "no cron" | grep -v "lesshts/run.sh" > /var/run/.x00740882966) > /dev/null 2>&1]

/usr/bin/crontab

[crontab -l]

/usr/bin/grep

[grep -v /tmp/irq2]

/usr/bin/grep

[grep -v no cron]

/usr/bin/grep

[grep -v lesshts/run.sh]

/bin/sh

[sh -c echo "* * * * * /tmp/irq2 > /dev/null 2>&1 &" >> /var/run/.x00740882966]

/bin/sh

[sh -c crontab /var/run/.x00740882966]

/usr/bin/crontab

[crontab /var/run/.x00740882966]

/bin/sh

[sh -c rm -rf /var/run/.x00740882966]

/usr/bin/rm

[rm -rf /var/run/.x00740882966]

/bin/sh

[sh -c cat /etc/inittab | grep -v "/tmp/irq2" > /etc/inittab2]

/usr/bin/cat

[cat /etc/inittab]

/usr/bin/grep

[grep -v /tmp/irq2]

/bin/sh

[sh -c echo "0:2345:respawn:/tmp/irq2" >> /etc/inittab2]

/bin/sh

[sh -c cat /etc/inittab2 > /etc/inittab]

/bin/sh

[sh -c rm -rf /etc/inittab2]

/usr/bin/rm

[rm -rf /etc/inittab2]

/bin/sh

[sh -c touch -acmr /bin/ls /etc/inittab]

/usr/bin/touch

[touch -acmr /bin/ls /etc/inittab]

/bin/sh

[sh -c /bin/uname -n]

/bin/uname

[/bin/uname -n]

/bin/sh

[sh -c /bin/uname -n]

/bin/uname

[/bin/uname -n]

/bin/sh

[sh -c /bin/uname -n]

/bin/uname

[/bin/uname -n]

/bin/sh

[sh -c kill -9 `cat /var/run/httpd.pid` > /dev/null 2>&1 &]

/bin/sh

[sh -c service httpd stop > /dev/null 2>&1 &]

/usr/bin/cat

[cat /var/run/httpd.pid]

/bin/sh

[sh -c killall -9 mini_httpd > /dev/null 2>&1 &]

/usr/sbin/service

[service httpd stop]

/bin/sh

[sh -c killall -9 minihttpd > /dev/null 2>&1 &]

/usr/bin/killall

[killall -9 mini_httpd]

/usr/bin/basename

[basename /usr/sbin/service]

/bin/sh

[sh -c kill -9 `cat /var/run/thttpd.pid` > /dev/null 2>&1 &]

/usr/bin/killall

[killall -9 minihttpd]

/usr/bin/basename

[basename /usr/sbin/service]

/bin/sh

[sh -c nvram set httpd_enable=0 > /dev/null 2>&1]

/usr/bin/cat

[cat /var/run/thttpd.pid]

/usr/bin/systemctl

[systemctl list-unit-files --full --type=socket]

/usr/bin/sed

[sed -ne s/\.socket\s*[a-z]*\s*$/.socket/p]

/bin/sh

[sh -c nvram set http_enable=0 > /dev/null 2>&1]

/bin/sh

[sh -c killall -9 httpd > /dev/null 2>&1 &]

/bin/sh

[sh -c service telnetd stop > /dev/null 2>&1 &]

/usr/bin/killall

[killall -9 httpd]

/bin/sh

[sh -c service sshd stop > /dev/null 2>&1 &]

/usr/sbin/service

[service telnetd stop]

/usr/sbin/service

[service sshd stop]

/bin/sh

[sh -c killall -9 telnetd > /dev/null 2>&1 &]

/usr/bin/basename

[basename /usr/sbin/service]

/usr/bin/basename

[basename /usr/sbin/service]

/bin/sh

[sh -c killall -9 utelnetd > /dev/null 2>&1 &]

/usr/bin/killall

[killall -9 telnetd]

/usr/bin/basename

[basename /usr/sbin/service]

/usr/bin/basename

[basename /usr/sbin/service]

/bin/sh

[sh -c killall -9 dropbear > /dev/null 2>&1 &]

/usr/bin/killall

[killall -9 utelnetd]

/bin/sh

[sh -c killall -9 sshd > /dev/null 2>&1 &]

/usr/bin/killall

[killall -9 dropbear]

/usr/bin/sed

[sed -ne s/\.socket\s*[a-z]*\s*$/.socket/p]

/usr/bin/systemctl

[systemctl list-unit-files --full --type=socket]

/usr/bin/sed

[sed -ne s/\.socket\s*[a-z]*\s*$/.socket/p]

/usr/bin/systemctl

[systemctl list-unit-files --full --type=socket]

/usr/bin/killall

[killall -9 sshd]

/bin/sh

[sh -c killall -9 lighttpd > /dev/null 2>&1 &]

/usr/bin/killall

[killall -9 lighttpd]

/usr/local/sbin/systemctl

[systemctl stop httpd.service]

/usr/local/bin/systemctl

[systemctl stop httpd.service]

/usr/sbin/systemctl

[systemctl stop httpd.service]

/usr/bin/systemctl

[systemctl stop httpd.service]

/usr/local/sbin/systemctl

[systemctl stop telnetd.service]

/usr/local/bin/systemctl

[systemctl stop telnetd.service]

/usr/sbin/systemctl

[systemctl stop telnetd.service]

/usr/bin/systemctl

[systemctl stop telnetd.service]

/usr/local/sbin/systemctl

[systemctl stop sshd.service]

/usr/local/bin/systemctl

[systemctl stop sshd.service]

/usr/sbin/systemctl

[systemctl stop sshd.service]

/usr/bin/systemctl

[systemctl stop sshd.service]

Network

Country  Destination          Domain                          Proto
RU       195.133.232.91:8080                                  tcp
US       1.1.1.1:53           debian12-mipsel-20240221-en-14  udp
US       1.1.1.1:53           debian12-mipsel-20240221-en-14  udp
US       1.1.1.1:53           debian12-mipsel-20240221-en-14  udp
US       1.1.1.1:53           debian12-mipsel-20240221-en-14  udp

Files

memory/743-1-0x00400000-0x005777e8-memory.dmp

/run/.x00740882966

MD5 65c1bbfcb74ec6f5c0efb513ebf1e69d
SHA1 a7a758354c25c91d88d9da83f90552bd9f973e9b
SHA256 5ca8963c17b0b8ff4dc3d6ac469b22eed780405b6574ab26b7da3074cc089001
SHA512 b86ac43a202e47d1ec305904b7227f9c5b32389b7702f9fa0856674812ae7c33f9a410901b14f6e9428fc14428c5adfaac20690d4d74c8755582566890e06abc

/var/spool/cron/crontabs/tmp.EzCKHu

MD5 86914499bb6f61e546b730041a1f6ed9
SHA1 984e52fa12f9fda8c27d801a350158e1a3345d7b
SHA256 c69f56374b512e816ad31ea035f4ae2f16127096a52e359457982b0ddf3fa1c1
SHA512 129913a5dbe6e6bb5fabab4e5a76291af0cf8f457f820dba725bf569411902df82a54ccb16978aa1f0b8d2caa27b8511a2ec6c2c637a59d4b4822947207499b9

/etc/inittab2

MD5 23a6588a2dbaf98c20dd9ad548f99576
SHA1 1d4504154b3abcef8b652f4832de895669737941
SHA256 6c7a9e9b6883cbcff02f673e5fb8bcdbe0b23459f0e063b80cba76ad22b1aff0
SHA512 de52be0bb66cc880f2cdd0cfc9d47949cbfa161a286d48d22fc22b42f484fcdb4317f34ee05194ab8f61b54e444d04c69459c5bb2fa4ebf8542194949fbc4837