Analysis
-
max time kernel
8s -
max time network
5s -
platform
debian-9_mipsel -
resource
debian9-mipsel-20240611-en -
resource tags
arch:mipselimage:debian9-mipsel-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem -
submitted
27-10-2024 14:45
Static task
static1
Behavioral task
behavioral1
Sample
749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c
Resource
debian9-mipsel-20240611-en
General
-
Target
749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c
-
Size
515KB
-
MD5
0a1b377a36e48b5a59d7cc3327c5a2d9
-
SHA1
76bc8feded70c1e72b828aed8c9087dcebf97886
-
SHA256
749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c
-
SHA512
acf3efc430d95eb2fc67e78e8a4fad597b7199e63425d4f4e951ab2d85b5b855cf3963b1d84b855126215745c7c1986c55d397f35f1ba2a109d0e84b76fcadd1
-
SSDEEP
12288:IZ/Q8mhPZBXybwIIdQLAxCnNXsUKpH0fyXNGqvZ48B8dfQwD26N:4I8oxBL7+MxGCp5zR468pQe
Malware Config
Signatures
-
Detects Kaiten/Tsunami Payload 1 IoCs
resource yara_rule behavioral1/memory/700-1-0x00400000-0x005777e8-memory.dmp family_kaiten2 -
Kaiten family
-
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description ioc Process File opened for modification /var/spool/cron/crontabs/tmp.dfqTdg crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
Indicator Removal: Timestomp 1 TTPs 4 IoCs
Adversaries may remove indicators of compromise from the host to evade detection.
pid Process 703 sh 705 touch 742 sh 744 touch -
Enumerates kernel/hardware configuration 1 TTPs 9 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
description ioc Process File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl -
description ioc Process File opened for reading /proc/230/stat killall File opened for reading /proc/6/stat killall File opened for reading /proc/772/stat killall File opened for reading /proc/71/stat killall File opened for reading /proc/77/stat killall File opened for reading /proc/167/stat killall File opened for reading /proc/76/stat killall File opened for reading /proc/23/stat killall File opened for reading /proc/754/stat killall File opened for reading /proc/2/stat killall File opened for reading /proc/20/stat killall File opened for reading /proc/self/stat systemctl File opened for reading /proc/692/stat killall File opened for reading /proc/22/stat killall File opened for reading /proc/372/stat killall File opened for reading /proc/36/stat killall File opened for reading /proc/699/stat killall File opened for reading /proc/345/stat killall File opened for reading /proc/372/stat killall File opened for reading /proc/745/stat killall File opened for reading /proc/754/stat killall File opened for reading /proc/82/stat killall File opened for reading /proc/5/stat killall File opened for reading /proc/filesystems killall File opened for reading /proc/345/stat killall File opened for reading /proc/7/stat killall File opened for reading /proc/78/stat killall File opened for reading /proc/660/stat killall File opened for reading /proc/13/stat killall File opened for reading /proc/150/stat killall File opened for reading /proc/78/stat killall File opened for reading /proc/138/cmdline killall File opened for reading /proc/filesystems systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/790/stat killall File opened for reading /proc/23/stat killall File opened for reading /proc/115/cmdline killall File opened for reading /proc/5/stat killall File opened for reading /proc/cmdline systemctl File opened for reading /proc/16/stat killall File opened for reading /proc/698/stat killall File opened for reading /proc/11/stat killall File opened for reading /proc/78/stat killall File opened for reading /proc/67/stat killall File opened for reading /proc/24/stat killall File opened for reading /proc/68/stat killall File opened for reading /proc/11/stat killall File opened for reading /proc/421/stat killall File opened for reading /proc/1/stat killall File opened for reading /proc/11/stat killall File opened for reading /proc/421/stat killall File opened for reading /proc/769/stat killall File opened for reading /proc/68/stat killall File opened for reading /proc/754/stat killall File opened for reading /proc/5/stat killall File opened for reading /proc/777/stat killall File opened for reading /proc/15/stat killall File opened for reading /proc/70/stat killall File opened for reading /proc/138/cmdline killall File opened for reading /proc/2/stat killall File opened for reading /proc/self/stat systemctl File opened for reading /proc/filesystems killall File opened for reading /proc/11/stat killall File opened for reading /proc/138/cmdline killall
Processes
-
/tmp/749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c/tmp/749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c1⤵PID:700
-
/bin/shsh -c "touch -acmr /bin/ls /tmp/749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c"2⤵
- Indicator Removal: Timestomp
PID:703 -
/usr/bin/touchtouch -acmr /bin/ls /tmp/749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c3⤵
- Indicator Removal: Timestomp
PID:705
-
-
-
/bin/shsh -c "(crontab -l | grep -v \"/tmp/749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x00740882966) > /dev/null 2>&1"2⤵PID:707
-
/bin/grepgrep -v /tmp/749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c3⤵PID:714
-
-
/bin/grepgrep -v "no cron"3⤵PID:715
-
-
/usr/bin/crontabcrontab -l3⤵PID:713
-
-
/bin/grepgrep -v lesshts/run.sh3⤵PID:716
-
-
-
/bin/shsh -c "echo \"* * * * * /tmp/749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c > /dev/null 2>&1 &\" >> /var/run/.x00740882966"2⤵PID:719
-
-
/bin/shsh -c "crontab /var/run/.x00740882966"2⤵PID:721
-
/usr/bin/crontabcrontab /var/run/.x007408829663⤵
- Creates/modifies Cron job
PID:723
-
-
-
/bin/shsh -c "rm -rf /var/run/.x00740882966"2⤵PID:726
-
/bin/rmrm -rf /var/run/.x007408829663⤵PID:728
-
-
-
/bin/shsh -c "cat /etc/inittab | grep -v \"/tmp/749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c\" > /etc/inittab2"2⤵PID:730
-
/bin/catcat /etc/inittab3⤵PID:732
-
-
/bin/grepgrep -v /tmp/749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c3⤵PID:733
-
-
-
/bin/shsh -c "echo \"0:2345:respawn:/tmp/749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c\" >> /etc/inittab2"2⤵PID:736
-
-
/bin/shsh -c "cat /etc/inittab2 > /etc/inittab"2⤵PID:737
-
/bin/catcat /etc/inittab23⤵PID:738
-
-
-
/bin/shsh -c "rm -rf /etc/inittab2"2⤵PID:739
-
/bin/rmrm -rf /etc/inittab23⤵PID:741
-
-
-
/bin/shsh -c "touch -acmr /bin/ls /etc/inittab"2⤵
- Indicator Removal: Timestomp
PID:742 -
/usr/bin/touchtouch -acmr /bin/ls /etc/inittab3⤵
- Indicator Removal: Timestomp
PID:744
-
-
-
/bin/shsh -c "/bin/uname -n"2⤵PID:746
-
/bin/uname/bin/uname -n3⤵PID:747
-
-
-
/bin/shsh -c "/bin/uname -n"2⤵PID:748
-
/bin/uname/bin/uname -n3⤵PID:749
-
-
-
/bin/shsh -c "/bin/uname -n"2⤵PID:751
-
/bin/uname/bin/uname -n3⤵PID:752
-
-
-
/bin/shsh -c "kill -9 `cat /var/run/httpd.pid` > /dev/null 2>&1 &"2⤵PID:757
-
/bin/catcat /var/run/httpd.pid3⤵PID:760
-
-
-
/bin/shsh -c "service httpd stop > /dev/null 2>&1 &"2⤵PID:759
-
-
/bin/shsh -c "killall -9 mini_httpd > /dev/null 2>&1 &"2⤵PID:762
-
-
/bin/shsh -c "killall -9 minihttpd > /dev/null 2>&1 &"2⤵PID:764
-
-
/bin/shsh -c "kill -9 `cat /var/run/thttpd.pid` > /dev/null 2>&1 &"2⤵PID:767
-
/bin/catcat /var/run/thttpd.pid3⤵PID:771
-
-
-
/bin/shsh -c "nvram set httpd_enable=0 > /dev/null 2>&1"2⤵PID:770
-
-
/bin/shsh -c "nvram set http_enable=0 > /dev/null 2>&1"2⤵PID:773
-
-
/bin/shsh -c "killall -9 httpd > /dev/null 2>&1 &"2⤵PID:774
-
-
/bin/shsh -c "service telnetd stop > /dev/null 2>&1 &"2⤵PID:776
-
-
/bin/shsh -c "service sshd stop > /dev/null 2>&1 &"2⤵PID:778
-
-
/bin/shsh -c "killall -9 telnetd > /dev/null 2>&1 &"2⤵PID:783
-
-
/bin/shsh -c "killall -9 utelnetd > /dev/null 2>&1 &"2⤵PID:786
-
-
/bin/shsh -c "killall -9 dropbear > /dev/null 2>&1 &"2⤵PID:790
-
-
/bin/shsh -c "killall -9 sshd > /dev/null 2>&1 &"2⤵PID:794
-
-
/bin/shsh -c "killall -9 lighttpd > /dev/null 2>&1 &"2⤵PID:797
-
-
/usr/sbin/serviceservice httpd stop1⤵PID:761
-
/usr/bin/basenamebasename /usr/sbin/service2⤵PID:765
-
-
/usr/bin/basenamebasename /usr/sbin/service2⤵PID:768
-
-
/bin/systemctlsystemctl --quiet is-active multi-user.target2⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:772
-
-
/bin/systemctlsystemctl list-unit-files --full "--type=socket"2⤵
- Enumerates kernel/hardware configuration
PID:780
-
-
/bin/sedsed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"2⤵PID:781
-
-
/usr/bin/killallkillall -9 mini_httpd1⤵
- Reads runtime system information
PID:763
-
/usr/bin/killallkillall -9 minihttpd1⤵
- Reads runtime system information
PID:766
-
/usr/bin/killallkillall -9 httpd1⤵
- Reads runtime system information
PID:775
-
/usr/sbin/serviceservice telnetd stop1⤵PID:777
-
/usr/bin/basenamebasename /usr/sbin/service2⤵PID:784
-
-
/usr/bin/basenamebasename /usr/sbin/service2⤵PID:788
-
-
/bin/systemctlsystemctl --quiet is-active multi-user.target2⤵
- Enumerates kernel/hardware configuration
PID:793
-
-
/bin/systemctlsystemctl list-unit-files --full "--type=socket"2⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:801
-
-
/bin/sedsed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"2⤵PID:802
-
-
/usr/sbin/serviceservice sshd stop1⤵PID:782
-
/usr/bin/basenamebasename /usr/sbin/service2⤵PID:787
-
-
/usr/bin/basenamebasename /usr/sbin/service2⤵PID:791
-
-
/bin/systemctlsystemctl --quiet is-active multi-user.target2⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:795
-
-
/bin/sedsed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"2⤵PID:806
-
-
/bin/systemctlsystemctl list-unit-files --full "--type=socket"2⤵
- Enumerates kernel/hardware configuration
PID:805
-
-
/usr/bin/killallkillall -9 telnetd1⤵
- Reads runtime system information
PID:785
-
/usr/bin/killallkillall -9 utelnetd1⤵
- Reads runtime system information
PID:789
-
/usr/local/sbin/systemctlsystemctl "--job-mode=ignore-dependencies" stop httpd.service1⤵PID:761
-
/usr/local/bin/systemctlsystemctl "--job-mode=ignore-dependencies" stop httpd.service1⤵PID:761
-
/usr/sbin/systemctlsystemctl "--job-mode=ignore-dependencies" stop httpd.service1⤵PID:761
-
/usr/bin/systemctlsystemctl "--job-mode=ignore-dependencies" stop httpd.service1⤵PID:761
-
/sbin/systemctlsystemctl "--job-mode=ignore-dependencies" stop httpd.service1⤵PID:761
-
/bin/systemctlsystemctl "--job-mode=ignore-dependencies" stop httpd.service1⤵
- Enumerates kernel/hardware configuration
PID:761
-
/usr/bin/killallkillall -9 dropbear1⤵
- Reads runtime system information
PID:792
-
/usr/bin/killallkillall -9 sshd1⤵
- Reads runtime system information
PID:796
-
/usr/bin/killallkillall -9 lighttpd1⤵
- Reads runtime system information
PID:798
-
/usr/local/sbin/systemctlsystemctl "--job-mode=ignore-dependencies" stop telnetd.service1⤵PID:777
-
/usr/local/bin/systemctlsystemctl "--job-mode=ignore-dependencies" stop telnetd.service1⤵PID:777
-
/usr/sbin/systemctlsystemctl "--job-mode=ignore-dependencies" stop telnetd.service1⤵PID:777
-
/usr/bin/systemctlsystemctl "--job-mode=ignore-dependencies" stop telnetd.service1⤵PID:777
-
/sbin/systemctlsystemctl "--job-mode=ignore-dependencies" stop telnetd.service1⤵PID:777
-
/bin/systemctlsystemctl "--job-mode=ignore-dependencies" stop telnetd.service1⤵
- Enumerates kernel/hardware configuration
PID:777
-
/usr/local/sbin/systemctlsystemctl "--job-mode=ignore-dependencies" stop sshd.service1⤵PID:782
-
/usr/local/bin/systemctlsystemctl "--job-mode=ignore-dependencies" stop sshd.service1⤵PID:782
-
/usr/sbin/systemctlsystemctl "--job-mode=ignore-dependencies" stop sshd.service1⤵PID:782
-
/usr/bin/systemctlsystemctl "--job-mode=ignore-dependencies" stop sshd.service1⤵PID:782
-
/sbin/systemctlsystemctl "--job-mode=ignore-dependencies" stop sshd.service1⤵PID:782
-
/bin/systemctlsystemctl "--job-mode=ignore-dependencies" stop sshd.service1⤵
- Enumerates kernel/hardware configuration
PID:782
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
85B
MD5b6789402fc08db781649a3fce1776ece
SHA1df66ddabc65d910bb1617dfffcea6e01c651e478
SHA2562dd5ebb0768ec6da19582bd64eebcd975d94125542d01a38c75f97b581dd4eaf
SHA512799b8b08b044571f7659a3044bb3c09073bee717db6dd934f8fbfdf1e79f3babb0b8b0f22d6377e2ba8281eb3dcddc4ba705b8483c88388dc1d5f44fc78dd68d
-
Filesize
99B
MD5902500eb591448fdf0429190ca97b1b8
SHA1abcab7548580c6edda59d47e7defc8f57c77bfc9
SHA256f998d3658ddd489491adf1d1e4258a8e517fe0daf59c97d20ed289bb5694ee2e
SHA512c6821fbaf2bc0cc1eec1dd46753c78aa410ec4b89be7d5001b6a9b904933e24dc84a3969615d981dfb15bd0cab38b2fd639dea2bea4264343a9bb551ad24b7c4
-
Filesize
295B
MD5afa442e0c7e7a7f4b351c19901209c21
SHA108be14f5db36070b7caad4b5d0b36578e6a07fbd
SHA2569417bcd3aa8d95abeebbec85d036d5e3930d6d04e0067d0fc41a038f9203dc5f
SHA512d319c83a08e4018d6637955a4c0e5565e84c13f7f8aff26620170e7938e7331a787bc23606c6f4031d13e53c6f0403fa74e19299e9984d704d344f1e5fc4017c