General

  • Target: 4b53bd2b79fc8f18d1a5e591358bcfb9.bin
  • Size: 2.1MB
  • Sample: 241029-bk2b7azjfx
  • MD5: 6a826fe7ff3349ca672aaf5ed85b6423
  • SHA1: 8ff5cf4426da3329ca57e7809be7110efe7a0543
  • SHA256: 344b1624a79b83a01859b883b93913037dd4954e24c6cf90e150dca14d511237
  • SHA512: bf2a27df76616f720bc9cd5f48cada06e5abde942ac4f1d3f37733591c31c95af5d9958141fc85d444d591098ce32aa35f437058052e6a2ba08ec9ace7a6cd17
  • SSDEEP: 49152:NuD6NgjPyT+7oAvlzzKLHGAuhqWOoYi+mliCjPEttjD58u:1N4ZM2lzmClhqroV+g0t5D58u

Malware Config

Extracted

Family: kaiji

C2: 154.12.82.11:808

Targets

    • Target: 30523d9f0e7898f89538e2babd0e305b4e25b06521418e299e4e983c8597b558.elf
    • Size: 5.0MB
    • MD5: 4b53bd2b79fc8f18d1a5e591358bcfb9
    • SHA1: 4cde3dce676fb3a040472458c807b945d8ffefd8
    • SHA256: 30523d9f0e7898f89538e2babd0e305b4e25b06521418e299e4e983c8597b558
    • SHA512: f5c2b671a899551f1c0f447c528d6c3c45933dce057cf16b5fea07c07dcb9b450698b1a36395852ae1822e2e22c61260b490ba6a469540b33da4704df783aa79
    • SSDEEP: 49152:E33d0lGt6UHcFL7Rn2o03wiEhiDmzzd/9sARlBs/00Cpfx9a9uNHp9hW16klbU6V:E33GlbU8FwmzzRDZ9moqRV

    • Renames multiple (1156) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Executes dropped EXE

    • Modifies Watchdog functionality

      Malware like Mirai modifies the Watchdog to prevent it from restarting an infected system.

    • Reads EFI boot settings

      Reads EFI boot settings from the efivars filesystem, which may contain security secrets or sensitive data.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Creates/modifies environment variables

      Creating/modifying environment variables is a common persistence mechanism.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Modifies systemd

      Adds/modifies systemd service files, likely for persistence.

    • Writes file to user bin folder

    • Modifies Bash startup script
