kaiten | 317806eaebb1cec9ddb962ef7fa19ee0673a67db3a8c7d650d76885041031ce8

Sharing

General

Target

JaffaCakes118_317806eaebb1cec9ddb962ef7fa19ee0673a67db3a8c7d650d76885041031ce8
Size

23.6MB
Sample

241229-25zxzazmbp
MD5

7aee2b8a5260b302891cffddc0652371
SHA1

30edd1f3589dec98c4410d91920db206ae58453c
SHA256

317806eaebb1cec9ddb962ef7fa19ee0673a67db3a8c7d650d76885041031ce8
SHA512

988597537836a0e36d60aeecb1ceed76743c487c71a01d5c54b42f70e0d5bdeac10e6183749381e132c7ccf288b45013eed8635314a32d17b4b281243843cb5f
SSDEEP

393216:Ef+TQryHobwu8xS1W1RnOzEGPOhbHxMDbdBQ2b6Bs+pNSZGCnFO/um0c9GhdO:EhyISS1A5UEGPOBxMDbdBQOGs8ZCnFOZ

Score

10^/10

Malware Config

Targets

- Target
  
  SugarLogic_#teamtnt_by_@r3dbU7z/AWS.sh
- Size
  
  8KB
- MD5
  
  572c47986c61bf2fcd7f134299fcd5b2
- SHA1
  
  48193cee044078ba308b958cc50a42564c581159
- SHA256
  
  af2cf9af17f6db338ba3079b312f182593bad19fab9075a77698f162ce127758
- SHA512
  
  97685e6b0fe760342de129905bf05e5a5b6c21cab657b329d6e99c23667c8370ba846c34cd44d543d78f0c793e7641ab94f6761ce439d2c4962e128444ca074c
- SSDEEP
  
  96:A40rlQB3tYSQaRqCB4YwSsX9DsGE/D1ElSeU2148WKC2wHyrEGG0benp2GkOQPX1:B6l+425u1/+GK72wHyrEGG0bIp2GiF
Score

6^/10

antivm discovery evasion defense_evasion
- Enumerates running processes
  Discovers information about currently running processes on the system
- Reads list of loaded kernel modules
  Reads the list of currently loaded kernel modules, possibly to detect virtual environments.
  evasion
- Virtualization/Sandbox Evasion: Time Based Evasion
  Adversaries may detect and evade virtualized environments and sandboxes.
  defense_evasion
behavioral1 behavioral2 behavioral3 behavioral4
- Target
  
  SugarLogic_#teamtnt_by_@r3dbU7z/Docker-API.IP.Range.sh
- Size
  
  21KB
- MD5
  
  d0295e4ffb268b65f19e7e315f6ec5c6
- SHA1
  
  0164ad6ed68acd956395202fe8fd6561fe10e62c
- SHA256
  
  0dab485f5eacbbaa62c2dd5385a67becf2c352f2ebedd2b5184ab4fba89d8f19
- SHA512
  
  5795640f96e8f5514cce674e46fc2cac5c9d91c53ec7bc45e42ecb315a13851aabd83a9ed11702d7112179ea74f2f6b27febc77204aa6937409e873ec920b33a
- SSDEEP
  
  192:9Uml6l+q7osa5zmPXArSKUpVkzzfbmpWMzAH53p1RMFKodJZIYIHAFDMXT:mtHssOTmpWCAHvCdYHAFDkT
Score

6^/10

discovery antivm
- Enumerates running processes
  Discovers information about currently running processes on the system
- Legitimate hosting services abused for malware hosting/C2
behavioral5 behavioral6 behavioral7 behavioral8
- Target
  
  SugarLogic_#teamtnt_by_@r3dbU7z/Kubernetes.XMR.tmp.Setup.sh
- Size
  
  245B
- MD5
  
  fd486a6a0c30fea7fdc578fb576dcd8b
- SHA1
  
  260b829fbf48e4b75e7273e80d575a5ca3c7a67b
- SHA256
  
  721d15556bd3c22f3b4c6240ff9c6d58bfa60b73b3793fa8cdc64b9e89521c5b
- SHA512
  
  96fe620e0f26a4b866bb762176f4245367e383b17166d7b809981ba0196671b8e3690ede60ed305a04a5e930b48fd2be63e5ad23a1cc4305fe6b7ebd80bacaf7
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  SugarLogic_#teamtnt_by_@r3dbU7z/Kubernetes.put.the.bot.sh
- Size
  
  257B
- MD5
  
  782b94c95c5e6eee4c396910b1a9c9f9
- SHA1
  
  37d059f2c2b635d7da59970c7ba2512a3658cd27
- SHA256
  
  220737c1ee400061e886eab23471f98dba38fa8e0098a018ea75d479dceece05
- SHA512
  
  feaf987f19465a3652cf1ef0f272c11f2ac0d668ffc7cf5ba966f07ca35c248e34490209dadb3666a0b04dd019d850f6c7f1d36e724334a902ed34e00468b072
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  SugarLogic_#teamtnt_by_@r3dbU7z/Kubernetes_root_PayLoad_2.sh
- Size
  
  27KB
- MD5
  
  0da186f3e1f8c89c5fbe5672cbdf05b6
- SHA1
  
  a917ab4301ab25749d6e867a1812e61b3b09df3f
- SHA256
  
  f82ea98d1dc5d14817c80937b91b381e9cd29d82367a2dfbde60cfb073ea4316
- SHA512
  
  25c6afd296b855f8d230389479b95ac079b51a084b38ef7a9a2747024fae8d4441f45b2fb45071f59835868a3b31d7fab2549244be43a09942a5fc07240f7f1d
- SSDEEP
  
  384:ckWWRItydlaRM07lT2wDi/Y5vWCr7Q2K3v/lts1dIxRsnJEbOU89WV/:ckWcItYlaxlT2wDGWvWCrzPoRfOPO/
Score

7^/10

defense_evasion discovery persistence antivm execution credential_access
- File and Directory Permissions Modification
  Adversaries may modify file or directory permissions to evade defenses.
  defense_evasion
- Executes dropped EXE
- Flushes firewall rules
  Flushes/ disables firewall rules inside the Linux kernel.
  defense_evasion
- Modifies hosts file
  Adds to hosts file used for mapping hosts to IP addresses.
- OS Credential Dumping
  Adversaries may attempt to dump credentials to use it in password cracking.
  credential_access
- Writes DNS configuration
  Writes data to DNS resolver config file.
- Deletes log files
  Deletes log files on the system.
  defense_evasion
- Enumerates running processes
  Discovers information about currently running processes on the system
- Write file to user bin folder
  persistence
behavioral13 behavioral14 behavioral15 behavioral16
- Target
  
  SugarLogic_#teamtnt_by_@r3dbU7z/MountSshExploit.sh
- Size
  
  1KB
- MD5
  
  161e7ae70dfea47d17397e5549ef675c
- SHA1
  
  e2df43d8d12d90ba9b49e8bc2187431adda7358e
- SHA256
  
  da4a2ae560a6fad9c80182212da3440d678264b4d2d440c94168e36a530490a5
- SHA512
  
  b7af2215f5bcc7cc9a626c35269890a23f7e86891c309aadd2a04c5961dcbb82c9f1ebea93db8090f93d2b06fba53a8d26bf80d3a74a6fec27ff5e80fe52ed47
Score

3^/10

discovery
behavioral17 behavioral18
- Target
  
  SugarLogic_#teamtnt_by_@r3dbU7z/TNTb/aarch64
- Size
  
  93KB
- MD5
  
  777e1d9b717d339a7582e06ab28d0dd3
- SHA1
  
  2dedafccec26c368ed4aa7ae30971996577435e4
- SHA256
  
  95809d96f85e1571a3120c7c09a7f34fa84cb5902ad5172398dc2bb0ff1dd24a
- SHA512
  
  ebe96e76b1460a26947ea0a40f8554d17853ca4896315f44b2ac6e2b59af77b6135c17a096d82bd530ea49a0ea83544de69f31340e27cf94c7b3cc38626aebe0
- SSDEEP
  
  1536:x1YHQnOh/Tgl8FKkBuNsk0DueSzRk4eQU7021MIf3uIr:xmHMOh3uNsk02zRkOBMMGf
Score

1^/10
behavioral19 behavioral20 behavioral21 behavioral22
- Target
  
  SugarLogic_#teamtnt_by_@r3dbU7z/TNTb/x86_64
- Size
  
  41KB
- MD5
  
  bdb404a243e374cda8948a5480f263e6
- SHA1
  
  98bea07044c2a756f5179b8bc776971f9a03b7db
- SHA256
  
  33c8591edd61c6e968e727683a63fba0352b5b6b59a0b3005628c38848dd7dd3
- SHA512
  
  6d6ce4f156e3250965bf9b445be968967f8c5a596448ad1b8d41a189d28e9d4aa8fe8a32d8a0ad5956c020629b7401c705117832f48058bac071c7bb37e1ab62
- SSDEEP
  
  768:Yjo7npPeMEjUJ5xOcT8Pv2jwLME7ruzcKpV8gDfb7wIP:9p2MEjb/+jEucY17XwA
Score

10^/10

kaiten botnet discovery
- Detects Kaiten/Tsunami Payload
- Detects Kaiten/Tsunami payload
- Kaiten family
  kaiten
- Kaiten/Tsunami
  Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
  botnet kaiten
behavioral23
- Target
  
  SugarLogic_#teamtnt_by_@r3dbU7z/bot_u
- Size
  
  41KB
- MD5
  
  a00bbf635695b13c55e132ca2563755c
- SHA1
  
  26752d1733f9f7c67d5e0d088af032a6beed94d4
- SHA256
  
  5e1af7f4e6cf89cff44ee209399a9fab3bfd8f1ca9703fb54cee05cce2b16d4c
- SHA512
  
  0f9d29acce7b909ee46d3fb126f63d76be2f48521b66fc2598ecc796c6691f7995859c7916cad7e1af9dd4b499957e213a2468b41e636511e5ec659b185e533f
- SSDEEP
  
  768:Hj98GdqC5FO01I+ycmLoJNX8eDZXPx1+wak99nBQxnun5jFc8gPwIQ:e2du0zycJJN9BxkFk9Ixnun5jFc8iwr
Score

10^/10

kaiten botnet discovery
- Detects Kaiten/Tsunami Payload
- Detects Kaiten/Tsunami payload
- Kaiten family
  kaiten
- Kaiten/Tsunami
  Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
  botnet kaiten
behavioral24
- Target
  
  SugarLogic_#teamtnt_by_@r3dbU7z/kuben2.sh
- Size
  
  12KB
- MD5
  
  9ae176daeba86137a994770ec4b4510c
- SHA1
  
  e7ad20f142e4faad7f37fe06ab6a0e0212387796
- SHA256
  
  2d85b47cdb87a81d5fbac6000b8ee89daa1d8a3c8fbb5d2bce7a840dd348ff1d
- SHA512
  
  3d63ed3ace00c83a033ec148fb273a98ac45f3026b373772363089bedb1a2a308d2e740e902c45dbccf2fef7a62898465c8ff77877394cbae0caecb8955574f2
- SSDEEP
  
  384:mNZtdymLEGTSxEKkNNlVfZlmfklqfClvfvLR9NbpzKxtGWsYgeIuX5SCse5UkNXJ:m5N/Q
Score

4^/10

antivm discovery
behavioral25 behavioral26 behavioral27 behavioral28
- Target
  
  SugarLogic_#teamtnt_by_@r3dbU7z/libpcap.so
- Size
  
  303KB
- MD5
  
  2f6d7b419577e0fde4e1d31b0e82523f
- SHA1
  
  ceabd06f405e7a56e0b85969e72a2a620cf49ef7
- SHA256
  
  78facfc012957637c52763a17b94fd21f1e85f5dfaf26e459c1e4a9041e6f0e0
- SHA512
  
  7120e6873a12e6edafca92ad85e0519a7bb04c021fb66dc2d466452d82451bc08faa4db1f7f8df1bc785aeba20f7d1eb36760a5b9510e2541a334f5a34f261a1
- SSDEEP
  
  6144:xVa/13NAha+UWAN/uvk6mR548n4Nrdkkk0FkkLkkkuOqa1/Vl2Zc2P:xSNAc+Uh5KRkkk0FkkLkkk3n/Vl
Score

1^/10
behavioral29
- Target
  
  SugarLogic_#teamtnt_by_@r3dbU7z/mo.sh
- Size
  
  33KB
- MD5
  
  dd89ab7314e13989bdcae176a82078ac
- SHA1
  
  9ed46a6dde1dc1de4eed8185c1d622a5fc97092c
- SHA256
  
  1b72088fc6d780da95465f80ab26ba094d89232ff30a41b1b0113c355cfffa57
- SHA512
  
  e56722b308702bec178a1eca47c400af2435b57b190a10307aec0eebdfd4ef04ec6d63302a754b508a62d64668cb7b4edbc596a4e40c409e34b4934265d7db3d
- SSDEEP
  
  768:DBxlT2wDGWvWCrDN+FylT4hxXpGdKI3oB6RXrsdrCIZMfXxK2eJ5tLW:qWN+Fyl1dRoGrq9W
Score

10^/10

defense_evasion discovery antivm xmrig xmrig_linux miner persistence privilege_escalation
- XMRig Miner payload
  miner
- Xmrig family
  xmrig
- Xmrig_linux family
  xmrig_linux
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- File and Directory Permissions Modification
  Adversaries may modify file or directory permissions to evade defenses.
  defense_evasion
- Executes dropped EXE
- Flushes firewall rules
  Flushes/ disables firewall rules inside the Linux kernel.
  defense_evasion
- Writes DNS configuration
  Writes data to DNS resolver config file.
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  Abuse sudo or cached sudo credentials to execute code.
  privilege_escalation defense_evasion
- Attempts to change immutable files
  Modifies inode attributes on the filesystem to allow changing of immutable files.
- Enumerates running processes
  Discovers information about currently running processes on the system
- Write file to user bin folder
  persistence
behavioral30 behavioral31 behavioral32