General

  • Target

    linux_arm6.elf

  • Size

    5.1MB

  • Sample

    241028-es33jaxqep

  • MD5

    735cd0c7f66c6557ea4220af537430d5

  • SHA1

    1425a4d8b9a26dd04547d14c4bc74072ff0689f1

  • SHA256

    dc505dccbcf7701a65a3387ab2ecbb4cb2e5665fbcafc771937e5d37b8b7f3bf

  • SHA512

    eb097e83f018f7d26ccf3d811ca96424640b839d53670314034c2745ec893c28d4f0581f327fdfa5bcf435d37b4867c431679bcd03bc47ee0a1998ca2dab00c4

  • SSDEEP

    98304:8cSBHdgN2a7JP97kJru8cYWPAXqIu+60:8cS03Qu+6

Malware Config

Extracted

Family

kaiji

C2

154.12.82.11:808

Targets

    • Renames multiple (1004) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Executes dropped EXE

    • Modifies Watchdog functionality

      Malware like Mirai modifies the Watchdog to prevent it from restarting an infected system.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Creates/modifies environment variables

      Creating/modifying environment variables is a common persistence mechanism.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Modifies systemd

      Adds/modifies systemd service files, likely for persistence.

    • Writes file to user bin folder

    • Modifies Bash startup script

MITRE ATT&CK Enterprise v15

Tasks