General

  • Target

    linux_arm6.elf

  • Size

    5.1MB

  • Sample

    241031-2h95eswjhr

  • MD5

    09953c0fdf5fd2a6f4e264b3f85f6255

  • SHA1

    50350925a1444e4dc0bb60bff1a11f1bc06c18a7

  • SHA256

    d5f2ac7ce84a2b75c3011d08df6c54a115f0058bab9d286d759eb2e6ea47fd6f

  • SHA512

    d2ae3c8e6244d419ebe4b0c9035568c28a960d0fc027b1383c001954fbf017766b96b5a48f15cebf4e22390f5d26d9d8df104b7497ee6ca1dad680cd50b75289

  • SSDEEP

    98304:8cSBHdgN2a7JP97kJru8cYWPAXqOu+60:8cS03Wu+6

Malware Config

Extracted

Family

kaiji

C2

78789.dns.army:808
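The extracted C2 is a hostname and port, so the first thing a responder does with it is pivot: find the address(es) the name resolved to in DNS telemetry, then look for every host that connected to those addresses, including hosts that never made a visible lookup. The following is an added example for this page, not code from the sandbox or from the sample. Its DNS and connection records are constructed in a simplified, tab-separated Zeek-like layout, and the addresses in them (203.0.113.7, 198.51.100.10, the 10.0.0.0/8 clients) are documentation and private ranges chosen for the demonstration, not indicators from the report.

```python
"""Hunt for the extracted C2 indicator (78789.dns.army:808) in network logs.

Added example for this page, not the sandbox's code. The DNS and connection
records below are constructed in a simplified, tab-separated Zeek-like layout;
the addresses are documentation/private ranges chosen for the demo and are not
indicators from the report. The hunt pivots from the domain to whatever it
resolved to, so a host that talked to the resolved address without a visible
DNS lookup (cached, or resolved elsewhere) is still caught.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

C2_HOST = "78789.dns.army"  # from the extracted config
C2_PORT = 808               # from the extracted config

# Constructed dns records: ts, src, resolver, query, comma-separated answers.
DNS_LOG = """\
1730376001.1\t10.0.0.5\t10.0.0.1\tupdates.example.org\t198.51.100.10
1730376002.3\t10.0.0.23\t10.0.0.1\t78789.dns.army\t203.0.113.7
1730376003.9\t10.0.0.23\t10.0.0.1\tcdn.78789.dns.army\tedge.example.net,203.0.113.7
"""
# Constructed conn records: ts, src, dst, dst_port, proto.
CONN_LOG = """\
1730376002.8\t10.0.0.23\t203.0.113.7\t808\ttcp
1730376004.0\t10.0.0.5\t198.51.100.10\t443\ttcp
1730376005.2\t10.0.0.23\t203.0.113.7\t443\ttcp
1730376006.0\t10.0.0.9\t203.0.113.7\t808\ttcp
"""


@dataclass(frozen=True)
class Hit:
    ts: float
    src: str
    reason: str


def domain_matches(name: str, indicator: str) -> bool:
    """True for the indicator or any subdomain of it; label-aware, so
    'x78789.dns.army' does not match, unlike a naive substring test."""
    name = name.lower().rstrip(".")
    return name == indicator or name.endswith("." + indicator)


def hunt(dns_log: str = DNS_LOG, conn_log: str = CONN_LOG,
         c2_host: str = C2_HOST, c2_port: int = C2_PORT) -> list[Hit]:
    """Flag lookups of the C2 name, then every connection to an address it resolved to."""
    hits: list[Hit] = []
    resolved: set[str] = set()
    for line in dns_log.splitlines():
        ts, src, _resolver, query, answers = line.split("\t")
        if not domain_matches(query, c2_host):
            continue
        hits.append(Hit(float(ts), src, f"DNS lookup of {query}"))
        for answer in answers.split(","):
            try:
                resolved.add(str(ipaddress.ip_address(answer)))
            except ValueError:
                pass  # CNAME target, not an address
    for line in conn_log.splitlines():
        ts, src, dst, dport, proto = line.split("\t")
        if dst not in resolved:
            continue
        port_note = ("matches C2 port" if int(dport) == c2_port
                     else "non-C2 port, still to the C2 address")
        hits.append(Hit(float(ts), src, f"{proto} {dst}:{dport} ({port_note})"))
    return sorted(hits, key=lambda h: h.ts)


def suspect_hosts(hits: list[Hit]) -> list[str]:
    """Distinct internal sources that either looked up or connected to the C2."""
    return sorted({h.src for h in hits})


if __name__ == "__main__":
    results = hunt()
    for h in results:
        print(f"{h.ts:.1f} {h.src}: {h.reason}")
    print("suspect hosts:", suspect_hosts(results))
```

In the constructed data, 10.0.0.9 never queries the name but does connect to the resolved address on port 808, and 10.0.0.23 also talks to that address on 443; both are reported, because the address pivot and the "any port" rule matter more than matching the exact port from the config.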

Targets

    • Target

      linux_arm6.elf

    • Size

      5.1MB

    • MD5

      09953c0fdf5fd2a6f4e264b3f85f6255

    • SHA1

      50350925a1444e4dc0bb60bff1a11f1bc06c18a7

    • SHA256

      d5f2ac7ce84a2b75c3011d08df6c54a115f0058bab9d286d759eb2e6ea47fd6f

    • SHA512

      d2ae3c8e6244d419ebe4b0c9035568c28a960d0fc027b1383c001954fbf017766b96b5a48f15cebf4e22390f5d26d9d8df104b7497ee6ca1dad680cd50b75289

    • SSDEEP

      98304:8cSBHdgN2a7JP97kJru8cYWPAXqOu+60:8cS03Wu+6

    • Renames multiple (1004) files with added filename extension

      This is a generic heuristic for ransomware-style encryption of files on the system. The extracted config attributes the sample to the kaiji family, so check the renamed-file list before treating this as ransomware rather than a side effect of the sample's other activity.

    • Executes dropped EXE

    • Modifies Watchdog functionality

      Malware such as Mirai disables or reconfigures the hardware watchdog (for example via /dev/watchdog) so the device is not rebooted, which would clear the in-memory infection.

    • Creates/modifies Cron job

      Cron runs tasks on a schedule and is commonly abused by malware for persistence.

    • Creates/modifies environment variables

      Environment variables are usually changed through shell startup files (for example /etc/profile or ~/.bashrc); edits to PATH or LD_PRELOAD there are a common persistence and binary-hijacking technique.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Modifies init.d

      Adds or modifies an init.d service script, likely for persistence.

    • Modifies systemd

      Adds or modifies systemd unit files, likely to achieve persistence.

    • Writes file to user bin folder

    • Modifies Bash startup script
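
The persistence signatures above (cron, init.d, systemd, shell startup scripts, writes to a user bin directory) are exactly the locations an incident responder checks on a suspected host or a mounted disk image. The following is an added example for this page, not the sandbox's code and not the sample's. It walks a root directory and flags scheduled tasks and services that execute from unusual paths, startup-script lines that tamper with PATH or LD_PRELOAD, and hidden or recently written files under the bin directories. The tree built by build_fixture() is constructed for the demonstration; every file name and path in it (including /usr/bin/.hidden) is a placeholder, not an indicator from the report.

```python
"""Audit the Linux persistence locations named in the report's signatures.

Added example for this page; it is not the sandbox's code and not the
sample's. It walks a root directory (a mounted disk image, or the
constructed tree from build_fixture()) and flags cron entries, init.d
scripts and systemd units that execute from unusual paths, shell startup
lines that tamper with PATH or LD_PRELOAD, and hidden or recently written
files in the user bin directories. Every path and name inside
build_fixture() is a constructed placeholder, not an indicator from the report.
"""
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path

# Persistence locations corresponding to the report's signatures.
CRON_PATHS = ["etc/crontab", "etc/cron.d", "var/spool/cron/crontabs"]
SERVICE_DIRS = ["etc/init.d", "etc/systemd/system", "usr/lib/systemd/system"]
BASH_STARTUP = ["etc/profile", "etc/bash.bashrc", "root/.bashrc", "root/.profile"]
USER_BIN = ["usr/bin", "usr/local/bin"]

# A scheduled task or service rarely runs from tmpfs or from a dot-file.
SUSPICIOUS_EXEC = re.compile(r"/tmp/|/dev/shm/|/var/tmp/|/\.[^/\s]+")
# Startup-file edits that hijack binaries: LD_PRELOAD, or PATH gaining tmp or hidden dirs.
SUSPICIOUS_ENV = re.compile(r"\bLD_PRELOAD\s*=|PATH=\S*(/tmp|/dev/shm|/\.)")


def _files(root: Path, rel: str):
    """Yield the file at root/rel, or every file below it if it is a directory."""
    p = root / rel
    if p.is_file():
        yield p
    elif p.is_dir():
        yield from (f for f in sorted(p.rglob("*")) if f.is_file())


def _first_match(path: Path, *patterns: re.Pattern) -> str | None:
    """Return the first non-comment line matching any pattern, else None."""
    for line in path.read_text(errors="replace").splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if any(p.search(s) for p in patterns):
            return s
    return None


def audit(root: str | os.PathLike, modified_after: float) -> list[tuple[str, str]]:
    """Return (path relative to root, reason) for every suspicious artefact."""
    root = Path(root)
    findings: list[tuple[str, str]] = []

    def add(f: Path, reason: str) -> None:
        findings.append((f.relative_to(root).as_posix(), reason))

    for rel in CRON_PATHS + SERVICE_DIRS:
        for f in _files(root, rel):
            if hit := _first_match(f, SUSPICIOUS_EXEC):
                add(f, f"runs from an unusual path: {hit}")
    for rel in BASH_STARTUP:
        for f in _files(root, rel):
            if hit := _first_match(f, SUSPICIOUS_ENV, SUSPICIOUS_EXEC):
                add(f, f"startup script tampers with environment: {hit}")
    for rel in USER_BIN:
        for f in _files(root, rel):
            reasons = []
            if f.name.startswith("."):
                reasons.append("hidden file")
            if f.stat().st_mtime > modified_after:
                reasons.append("written after cutoff")
            if reasons:
                add(f, "user bin: " + ", ".join(reasons))
    return findings


def build_fixture() -> str:
    """Constructed test tree; the names and paths are placeholders, not IOCs."""
    root = Path(tempfile.mkdtemp(prefix="persist-audit-"))
    files = {
        "etc/cron.d/logrotate": "0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n",
        "etc/cron.d/system": "*/1 * * * * root /usr/bin/.hidden >/dev/null 2>&1\n",
        "etc/init.d/linux": "#!/bin/sh\n/usr/bin/.hidden\n",
        "etc/systemd/system/linux.service": "[Service]\nExecStart=/usr/bin/.hidden\n",
        "usr/lib/systemd/system/ssh.service": "[Service]\nExecStart=/usr/sbin/sshd -D\n",
        "etc/profile": "export PATH=/usr/local/bin:/usr/bin:/bin\n",
        "root/.bashrc": "alias ll='ls -l'\nexport PATH=/tmp/.x:$PATH\n",
        "usr/bin/ls": "ELF placeholder\n",
        "usr/bin/.hidden": "ELF placeholder\n",
    }
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    os.utime(root / "usr/bin/ls", (1_600_000_000, 1_600_000_000))       # old, benign
    os.utime(root / "usr/bin/.hidden", (1_730_000_000, 1_730_000_000))  # recent
    return str(root)


if __name__ == "__main__":
    for path, reason in audit(build_fixture(), modified_after=1_700_000_000):
        print(f"{path}: {reason}")
```

Run against a real image, pass the mount point as root and the last known-good time as the cutoff; the benign fixture entries (logrotate cron job, sshd unit, the distribution PATH in /etc/profile, the old /usr/bin/ls) show that the checks key on execution path and recency rather than on the mere presence of a cron job or service file.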

MITRE ATT&CK Enterprise v15

Tasks