General

  • Target

    linux_arm5.elf

  • Size

    5.1MB

  • Sample

    241031-znkevavmhq

  • MD5

    ccd26ce76ba241bb57206af170add530

  • SHA1

    0456caf337158a5cda120d85133296cf4ffe373a

  • SHA256

    4f45461d708ccdeb18646b2f7a6003f4f1bf513e86f3a2ea7846ac2f14194c90

  • SHA512

    b52d897506d5e06f65742ab53d4e369ca5ac68be2c3dad6ea0785c7fbed36ba5bfec90e776f659268bac19da18075c1801ec68f783aadaa7acb312cee8cc9140

  • SSDEEP

    49152:QtKY0CdO+kBRx0Tg0qTecEG7meYuhL+lYfQMcU1F1:OKY3U+qRxQ3qKRM

Malware Config

Extracted

Family

kaiji

C2

78789.dns.army:808

Targets

    • Target

      linux_arm5.elf

    • Size

      5.1MB

    • MD5

      ccd26ce76ba241bb57206af170add530

    • SHA1

      0456caf337158a5cda120d85133296cf4ffe373a

    • SHA256

      4f45461d708ccdeb18646b2f7a6003f4f1bf513e86f3a2ea7846ac2f14194c90

    • SHA512

      b52d897506d5e06f65742ab53d4e369ca5ac68be2c3dad6ea0785c7fbed36ba5bfec90e776f659268bac19da18075c1801ec68f783aadaa7acb312cee8cc9140

    • SSDEEP

      49152:QtKY0CdO+kBRx0Tg0qTecEG7meYuhL+lYfQMcU1F1:OKY3U+qRxQ3qKRM

    • Renames multiple (1004) files with added filename extension

      Bulk renaming with an added extension is characteristic of ransomware encrypting files across the system. Kaiji is known primarily as a Linux DDoS bot, so confirm that the renamed files were actually encrypted before treating this sample as ransomware.

    • Executes dropped EXE

    • Modifies Watchdog functionality

      Malware such as Mirai disables the hardware watchdog (typically via an ioctl on /dev/watchdog) so that it cannot reboot an infected device.

    • Creates/modifies Cron job

      Cron runs commands on a schedule and is commonly abused for malware persistence.

    • Creates/modifies environment variables

      Environment variables written into shell startup or service files are a common persistence mechanism.

    • Enumerates running processes

      Discovers information about the processes currently running on the system.

    • Modifies init.d

      Adds/modifies a system service, likely for persistence.

    • Modifies systemd

      Adds/modifies systemd service files, likely for persistence.

    • Write file to user bin folder

    • Modifies Bash startup script

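The persistence signatures above (cron, init.d, systemd, bash startup script, write to the user bin folder) are the artifacts a responder checks on a suspect host or disk image. The Python below is an added example, not code from the sandbox report or from the sample: it hashes the files behind those signatures, searches them for the report's SHA256 and C2 host, and resolves the executables that each cron, init.d, systemd or bash startup entry launches, so the dropped binary is surfaced even when the persistence entry itself looks harmless. The path list is an assumption about where the sandbox looks, and the filesystem tree it scans is constructed for the demonstration. The watchdog and process-enumeration signatures describe runtime behaviour and are not covered by a disk scan.

```python
"""Offline triage of the persistence artifacts flagged in the report.

Added example (not code from the sandbox report or the sample): walk a
filesystem root such as a mounted image or a test tree, hash files behind
the cron / init.d / systemd / bash startup / user-bin signatures, and link
each persistence entry to the binary it launches when that binary matches
the report's SHA256 or embeds the C2 host.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators copied from the report.
REPORTED_SHA256 = {
    "4f45461d708ccdeb18646b2f7a6003f4f1bf513e86f3a2ea7846ac2f14194c90",
}
C2_HOST = b"78789.dns.army"

# Locations assumed to stand behind each signature (relative to the root).
PERSISTENCE_PATHS = {
    "cron": ["etc/crontab", "etc/cron.d", "var/spool/cron"],
    "init.d": ["etc/init.d", "etc/rc.local"],
    "systemd": ["etc/systemd/system", "usr/lib/systemd/system"],
    "bash_startup": ["etc/profile", "etc/profile.d", "etc/bash.bashrc",
                     "root/.bashrc", "root/.profile"],
    "user_bin": ["usr/bin", "usr/local/bin"],
}
# Absolute paths a persistence entry may launch; the lookbehind skips URLs.
ABS_PATH_RE = re.compile(
    r"(?<![\w.-])/(?:usr|bin|sbin|etc|tmp|var|opt|root|home)[\w./-]*")

def sha256_of(path):
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def files_under(root, rel):
    p = root / rel
    if p.is_file():
        yield p
    elif p.is_dir():
        yield from (c for c in p.rglob("*") if c.is_file())

def flag_reasons(path, known_hashes):
    """Why one file matches the report's indicators (empty if it doesn't)."""
    reasons = []
    if sha256_of(path) in known_hashes:
        reasons.append("sha256 matches reported sample")
    if C2_HOST in path.read_bytes():
        reasons.append("contains C2 host " + C2_HOST.decode())
    return reasons

def scan_root(root, known_hashes=REPORTED_SHA256):
    """Return (signature, file, reason) tuples for everything that matches."""
    root = Path(root)
    findings = []
    for category, rels in PERSISTENCE_PATHS.items():
        for f in (x for rel in rels for x in files_under(root, rel)):
            rel_f = f.relative_to(root).as_posix()
            for reason in flag_reasons(f, known_hashes):
                findings.append((category, rel_f, reason))
            if category == "user_bin":
                continue  # binaries are hashed, not parsed for launch targets
            # Test every absolute path the entry references, so a clean-looking
            # cron line still surfaces the dropped binary it starts.
            refs = set(ABS_PATH_RE.findall(f.read_text(errors="ignore")))
            for ref in sorted(refs):
                target = root / ref.lstrip("/")
                if target.is_file():
                    for reason in flag_reasons(target, known_hashes):
                        findings.append((category, rel_f,
                                         "launches %s: %s" % (ref, reason)))
    return findings

def build_sample_tree(root):
    """Constructed test tree (not real data) mirroring the signatures above."""
    root = Path(root)
    binary = root / "usr/bin/linux_arm5"
    binary.parent.mkdir(parents=True, exist_ok=True)
    # Fake ELF stub carrying the C2 string, standing in for the real sample.
    binary.write_bytes(b"\x7fELF" + b"\x00" * 60 + C2_HOST + b":808\x00")
    entries = {
        "etc/crontab": "*/1 * * * * root /usr/bin/linux_arm5 >/dev/null 2>&1\n"
                       "0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n",
        "etc/systemd/system/linux_arm5.service":
            "[Service]\nExecStart=/usr/bin/linux_arm5\n"
            "[Install]\nWantedBy=multi-user.target\n",
        "root/.bashrc": "export PATH=/usr/local/sbin:$PATH\n/usr/bin/linux_arm5 &\n",
    }
    for rel, text in entries.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)
    return root

def demo(include_binary_hash=False):
    """Scan the constructed tree; optionally treat the stub's hash as known."""
    root = build_sample_tree(tempfile.mkdtemp())
    known = set(REPORTED_SHA256)
    if include_binary_hash:
        known.add(sha256_of(root / "usr/bin/linux_arm5"))
    return scan_root(root, known)

if __name__ == "__main__":
    for category, path, reason in demo():
        print("[%s] %s: %s" % (category, path, reason))
```

Against a real image, mount it read-only and pass the mount point to scan_root(). Treat the SHA256 match as the authoritative hit and the C2 string as a secondary indicator: a recompiled copy changes the hash but usually still embeds the hostname, while a packed copy may hide both until unpacked.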
MITRE ATT&CK Enterprise v15

Tasks