kaiten | fd7fd7591a29ce6018b5739e56db30f81843d3740dff20d93fe9e9c65faf6081

Analysis

max time kernel
149s
max time network
153s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20250307-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20250307-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
27/03/2025, 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b666cd08b065132235303727f2d77997a30355ae0e5b557cd08d41c9ade7622d.elf
Size

1.8MB
MD5

c4fb78194bee0c53c86765f40bc3f674
SHA1

a59fd4626ddf91333b4a857fb12f3845f42cd774
SHA256

b666cd08b065132235303727f2d77997a30355ae0e5b557cd08d41c9ade7622d
SHA512

5fde5f8612966c925b850f854b305daf2e3e89e356744509e63d307b69f428d86b77b2045d8989a626da641a3a3c98ecd6a36763d5d6ce3f4851099820eb9329
SSDEEP

24576:5EBishE1l8Z/TgXuNuEAdOFD13cdl4FDeawbYxWgkJ7+WzhmV7ZVnkjAZ6bp8bUN:JsSg+UZGihabbwWgo+whmVN9Z6ObUr5

Score

10^/10

kaiten botnet discovery

Malware Config

Signatures

Detects Kaiten/Tsunami Payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_kaiten2

Detects Kaiten/Tsunami payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_kaiten

Kaiten family
kaiten
Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
botnet kaiten

Runs EXE from memory 1 IoCs

Runs an executable from memory, likely to minimize footprint

ioc	pid	Process
/proc/self/fd/3	7311	b666cd08b065132235303727f2d77997a30355ae0e5b557cd08d41c9ade7622d.elf

Enumerates kernel/hardware configuration 1 TTPs 1 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	b666cd08b065132235303727f2d77997a30355ae0e5b557cd08d41c9ade7622d.elf

Reads runtime system information 1 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/self/exe	b666cd08b065132235303727f2d77997a30355ae0e5b557cd08d41c9ade7622d.elf

/tmp/b666cd08b065132235303727f2d77997a30355ae0e5b557cd08d41c9ade7622d.elf
/tmp/b666cd08b065132235303727f2d77997a30355ae0e5b557cd08d41c9ade7622d.elf
1⤵
- Runs EXE from memory
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:7307

/proc/self/fd/3
sbin
1⤵
PID:7311

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/proc/self/fd/3

Filesize
585KB

MD5
cef652543ca6e02a916f01b297d9e6af

SHA1
bc8847d83ffa20c9bbcb92319dd8dd6301974e72

SHA256
add1bd578793d7618caabe3c087ddb2d0acb8a6dce76f455cd37ce41670a8482

SHA512
65de03ef7276f86b6f8f5becc7e868e1cb5152e3cc01904758496594602f2d128f4648a4a903359a6b9b5fca13e70a36f5e7647584c9d56f5b448e2582bc6176

Download Submit