kaiten | 0de9266af49aab24256c289d39e86649d978d5a4c9d0ff2041a22140b88ea688

Sharing

General

Target

myxmrig.tgz
Size

7.7MB
Sample

241108-nqwp4s1jd1
MD5

2ec67d8da4b24291da6ed89c45afd347
SHA1

8b9dbae7e18f7f37dd5dfaaddbfe368afcbe9a07
SHA256

0de9266af49aab24256c289d39e86649d978d5a4c9d0ff2041a22140b88ea688
SHA512

fb487062eab467a870e012885cd95accc77d9c8d6a8e4ed010e7d7ca7669ef223d628dd984673697c3997b744ae1e80c57fd6f3a2562269171cc9d9bdaa71b1a
SSDEEP

196608:fle+4MUiVMWN1hL8jDGBz+kGkFbZHPZugY17N4OtN0CLz1O:fQ+OWN1hYioD6bpE7/pLzc

Score

10^/10

Malware Config

Targets

- Target
  
  .systemd/.i686
- Size
  
  174KB
- MD5
  
  ffadb993181c0a9dbb715df2b9c2a5e0
- SHA1
  
  04719b1ba0f9df8a131b7271099a813b41611992
- SHA256
  
  310352d93eca9c4800c6a11552c0d976b17f5e1cfbcfcbd4c79fbc5bca7a0c61
- SHA512
  
  ecc22e8d4b0f2df0a47306b096fdae7e61c3a161d581f14a61e30ecc6d33a621a8fdf42a96359fdf141a8b921345a1695ec37303abafe59280c82f69fd676535
- SSDEEP
  
  3072:QHN302U/EaT2zu9s7SlGShG0NnqrKmaJiUZQYHhCsVkbk6ucxmtC8:QHNPU/EaKa9sGrG0dqpsiU6YHhCs0Zu/
Score

3^/10

discovery
behavioral1
- Target
  
  .systemd/.run
- Size
  
  415B
- MD5
  
  4c7b4fb257df508abb56e1202d63fb9c
- SHA1
  
  b490c80ca53c03ad04adc3ac024cb58ae2456161
- SHA256
  
  19cb430a8f94daf1e4ff121e28814cc3f11493d640e555105c604702980b9117
- SHA512
  
  2f44151a628f8b94911db42a5d9a83d2ae7b828ab45854954c0579be898843016595da5cfdbe0d882853c6626f6519de3dfeb79eed196a6b008ef5e14132651d
Score

7^/10

discovery upx
- Executes dropped EXE
- Enumerates running processes
  Discovers information about currently running processes on the system
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral2 behavioral3 behavioral4 behavioral5
- Target
  
  .systemd/.x86_64
- Size
  
  184KB
- MD5
  
  92dc30d449f563a5bdbba08d4a9d57fc
- SHA1
  
  ff609eed2df786396203a8806400566df079cc7f
- SHA256
  
  86db0330a233efe6e11f944833f9e9b7472d7f34595cf693f001d99df641513b
- SHA512
  
  573fa375ddcb6a49690f5168d791af2529a89233d3bf0ff50c2b88686c27e4cef59432e0f6ae71745fecfa2657c23248ad33ea50ac8b9f1c96721f38e3325097
- SSDEEP
  
  3072:JRuD2higiW5WdO4VgJYmntSxu23Ea8qxop/bW448wod7XSUdq7:JE6igifdlcYmtSb3d8qGjNHSQg
Score

10^/10

kaiten botnet discovery
- Detects Kaiten/Tsunami Payload
- Detects Kaiten/Tsunami payload
- Kaiten family
  kaiten
- Kaiten/Tsunami
  Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
  botnet kaiten
behavioral6
- Target
  
  .systemd/auto
- Size
  
  546B
- MD5
  
  e587a0a58aaac49aeb3bf0eff743eab2
- SHA1
  
  636b68d9e02328e5d68880e22fdf73f6e0df4a66
- SHA256
  
  7c7fef23a91fb19f98f584f545a27f58bdf7eda4f57bd80d173825413ac6662d
- SHA512
  
  4168c61744633ded40261c99cb06ddb07fea4bd6fbff6bfacabd1668166a86ba7f344b5d20c2933877860f204373b1560cdf398a25d1770c8b3a0f28146b7da9
Score

7^/10

defense_evasion discovery execution persistence privilege_escalatio
- File and Directory Permissions Modification
  Adversaries may modify file or directory permissions to evade defenses.
  defense_evasion
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  execution persistence privilege_escalatio
behavioral10 behavioral7 behavioral8 behavioral9
- Target
  
  .systemd/clean
- Size
  
  306B
- MD5
  
  a344627bc9286c17978b4e1391c3b820
- SHA1
  
  706313eec583accdb10fb315b8a1ecc88401c211
- SHA256
  
  688bee092842f0545e425685e133e1d3abfe55b42f7afaeccfec0266c461d927
- SHA512
  
  14394c073ef879e9b5a2c7724a47d403d2e64b57a53f28b5f107df85681aa2ad63b777e7be4e21a9fd91d0f94d4ecf11c74b79f1332b0da81d000f0530196ca3
Score

1^/10
behavioral11 behavioral12 behavioral13 behavioral14
- Target
  
  .systemd/go
- Size
  
  535B
- MD5
  
  9066e6a118c61eb95d8c9a0b0b85e98c
- SHA1
  
  4fdd4b943c477fb46cbb3643d3388bda1988996e
- SHA256
  
  85818b573931ee3af0b7290e11a300bf0d0720db8f7db44815bab20bbe4a6413
- SHA512
  
  5c472bea5f8fedcb90fb96b5b840b7edbfb211a1f04bea831def58a3691dc8b740ee5b06481ea147eabdad2ad5f51123016792c4b372b356315e6d7b12bb00e0
Score

1^/10
behavioral15 behavioral16 behavioral17 behavioral18
- Target
  
  .systemd/ntpdate
- Size
  
  4KB
- MD5
  
  e1e04a6303387665ef0db838157d63d6
- SHA1
  
  ebb08e424ce4251827c0ddea5ac91f971a1a8f73
- SHA256
  
  af0b766bcffc9bf2e2a1a6059515d0bc58e60d4de3fe19598de7411fb619b65d
- SHA512
  
  f2eea4ac06e9cb750e36a35a10e22cdd60403982f9d1597cd96002972b7fe3228c8ae3caf5f7cc028221a36d81615be4369a9f34fa4c81ae84dd1dd0f5cf4f76
- SSDEEP
  
  48:QuH1wKQWqaT2WHKBNCNN12WHNS4g2WHEoeXa5J2WH95J2WHT:1V4WH+C4WHNRWHEoeRWHsWHT
Score

7^/10

defense_evasion discovery execution persistence privilege_escalatio upx
- File and Directory Permissions Modification
  Adversaries may modify file or directory permissions to evade defenses.
  defense_evasion
- Attempts to change immutable files
  Modifies inode attributes on the filesystem to allow changing of immutable files.
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  execution persistence privilege_escalatio
- Modifies init.d
  Adds/modifies system service, likely for persistence.
  persistence
- Writes file to system bin folder
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral19 behavioral20 behavioral21 behavioral22
- Target
  
  .update/.i686
- Size
  
  1.4MB
- MD5
  
  0418fda2bb712a2a2dfe38bbbd9e6390
- SHA1
  
  3a7db599e916e40ae844e4998b665bad5307154d
- SHA256
  
  05bfc9c56ad09d2b15a43f7887087d4f601016c0d81a822f42fc23ca70fbbf33
- SHA512
  
  d40c63ec0d5e60db266c9223a02d5b2d97787cca481c9f56beddcd3ffe3022badd8ff6e4fa25a73d56be06f99cc6555031af185f88017a74bcd050ac5be33401
- SSDEEP
  
  24576:bZ9yQjOF5thg8/LRLgP+kMzdroSXcRb+34YlCB0V4XLNw3QgRHpV8RDHkSrWgfqH:lNC5tOcRL4M4Rbo4YibwggRM1rCjPF
Score

6^/10

antivm discovery execution persistence privilege_escalatio
- Checks hardware identifiers (DMI)
  Checks DMI information which indicate if the system is a virtual machine.
  antivm
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  execution persistence privilege_escalatio
- Enumerates running processes
  Discovers information about currently running processes on the system
- Reads hardware information
  Accesses system info like serial numbers, manufacturer names etc.
  discovery
- Security Software Discovery
  Adversaries may attempt to discover installed security software and its configurations.
  discovery
behavioral23
- Target
  
  .update/.run
- Size
  
  485B
- MD5
  
  279171e9a52627c005d882b4c31f0158
- SHA1
  
  419d14ecd9ba9b819219db32624e7d6244b36d3e
- SHA256
  
  4257bc327cf5312bb7b76154c0d3c31a8845288955611dfc937b75cb86073fb7
- SHA512
  
  a7d4cda901507e9327e92450386032fe678e9a3e281a3e4139c3f3e109e15ac10de9aeb1a6eb976b45f2aa4f0ea3d60a5ef4376fd82cba7795c9eeab5162c665
Score

3^/10
behavioral24 behavioral25 behavioral26 behavioral27
- Target
  
  .update/.x86_64
- Size
  
  2.3MB
- MD5
  
  fb95fc8c3ed253dec1b08722f1bbf18e
- SHA1
  
  d48d6dc76323efa8c0ae799d245a650b9d914c09
- SHA256
  
  215293b8bdd0a57497d5cc62421e64bb29334e088578679cbf509d66c7b7dc7e
- SHA512
  
  498f68c04f66a4cbcfed7e38f779183b2a7766948def1d159158c2799893ddcfb9a7dc2762c8958d6ae479a62f71edee460ac31a5939aa3c149efe59a987834e
- SSDEEP
  
  49152:QM4HMaoo1fdQLCS1ytoWW7b/7GN2PM6jm:94Hp11aChtoB7b/7GYEZ
Score

10^/10

xmrig antivm discovery execution miner persistence privilege_escalatio
- Xmrig family
  xmrig
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Checks hardware identifiers (DMI)
  Checks DMI information which indicate if the system is a virtual machine.
  antivm
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  execution persistence privilege_escalatio
- Enumerates running processes
  Discovers information about currently running processes on the system
- Reads hardware information
  Accesses system info like serial numbers, manufacturer names etc.
  discovery
- Security Software Discovery
  Adversaries may attempt to discover installed security software and its configurations.
  discovery
behavioral28
- Target
  
  .update/auth
- Size
  
  2KB
- MD5
  
  90ded2b48075101fafbd34a7e4219c44
- SHA1
  
  1f58b4b27921c813ffe5b2ef9adb1de4f6976718
- SHA256
  
  1ef564b8c8f52d152b7c0f75c1442e9edb5841e93aee31d1da25a452168ef3c3
- SHA512
  
  4aa75f3fb670507585f58eb347c1f3911def77e6fc84f23f3f437a71b968b229c516e6b98ee2f90629542b873b486bd2f8915f3db0a8e701ff0c6a311d7ab57b
Score

8^/10

discovery persistence privilege_escalation
- Adds new SSH keys
  Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.
  persistence privilege_escalation
behavioral29 behavioral30 behavioral31 behavioral32