Analysis
max time kernel: 149s
max time network: 154s
platform: debian-9_armhf
resource: debian9-armhf-20240611-en
resource tags: arch:armhf image:debian9-armhf-20240611-en kernel:4.9.0-13-armmp-lpae locale:en-us os:debian-9-armhf system
submitted: 02-11-2024 02:52
Behavioral task: behavioral1
Sample: 639af202eb3c903183b8ae3d8ba4951e.elf
Resource: debian9-armhf-20240611-en
General
Target: 639af202eb3c903183b8ae3d8ba4951e.elf
Size: 2.0MB
MD5: 639af202eb3c903183b8ae3d8ba4951e
SHA1: 78ad606c247165cb75c4e349d9be702517203224
SHA256: 668e2cdc076b620be68a4d5aa2ed14d2fa9b48b556f0e8f69548d8a972436155
SHA512: 1eb84b880900795da9bb834e88422c8a81bd83f7fb0dcdf090f8b178b21e486e0010126bd249c84cf2b2f6dcad3fc0597acad073b299512fba8f9f02ef0c4767
SSDEEP: 24576:J1rMILphWsdRm6vM7lUVJtq8wfe9OqbVgYQ3k48jtIMoG34RJnWVh1BPnjKqZdtX:JVfjmRMo2T1
Malware Config
Extracted
kaiji
ss.us-tv.top:1930
Signatures
Kaiji 1 IoCs
Kaiji payload
Processes (resource | yara_rule):
/etc/opt.services.cfg | Kaiji
Kaiji family
Executes dropped EXE 5 IoCs
Processes (ioc | pid | process):
/etc/32676 | 681 | 32676
/etc/opt.services.cfg | 829 | opt.services.cfg
/etc/opt.services.cfg | 834 | opt.services.cfg
/etc/opt.services.cfg | 860 | opt.services.cfg
/etc/opt.services.cfg | 864 | opt.services.cfg
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
Processes (description | ioc | process):
File opened for modification | /dev/watchdog | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for modification | /dev/misc/watchdog | 639af202eb3c903183b8ae3d8ba4951e.elf
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Creates/modifies environment variables 1 TTPs 3 IoCs
Creating/modifying environment variables is a common persistence mechanism.
Processes (description | ioc | process):
File opened for modification | /etc/profile.d/bash_cfg | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for modification | /etc/profile.d/bash_cfg.sh | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for modification | /etc/profile.d/gateway.sh | 639af202eb3c903183b8ae3d8ba4951e.elf
Enumerates running processes
Discovers information about currently running processes on the system
Modifies init.d
Processes (description | ioc | process):
File opened for modification | /etc/init.d/ssh | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for modification | /etc/init.d/sudo | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for modification | /etc/init.d/udev | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for modification | /etc/init.d/exim4 | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for modification | /etc/init.d/keyboard-setup.sh | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for modification | /etc/init.d/selinux-autorelabel | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for modification | /etc/init.d/alsa-utils | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for modification | /etc/init.d/console-setup.sh | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for modification | /etc/init.d/networking | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for modification | /etc/init.d/hwclock.sh | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for modification | /etc/init.d/kmod | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for modification | /etc/init.d/procps | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for modification | /etc/init.d/rsyslog | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for modification | /etc/init.d/x11-common | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for modification | /etc/init.d/auditd | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for modification | /etc/init.d/cron | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for modification | /etc/init.d/dbus | 639af202eb3c903183b8ae3d8ba4951e.elf
Write file to user bin folder 2 IoCs
Processes (description | ioc | process):
File opened for modification | /usr/bin/include/find | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for modification | /usr/bin/find | 639af202eb3c903183b8ae3d8ba4951e.elf
Modifies Bash startup script 2 TTPs 3 IoCs
Processes (description | ioc | process):
File opened for modification | /etc/profile.d/bash_cfg | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for modification | /etc/profile.d/bash_cfg.sh | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for modification | /etc/profile.d/gateway.sh | 639af202eb3c903183b8ae3d8ba4951e.elf
Command and Scripting Interpreter: Unix Shell 1 TTPs 2 IoCs
Execute scripts via Unix Shell.
Enumerates kernel/hardware configuration 1 TTPs 13 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
Processes (description | ioc | process):
File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | opt.services.cfg
File opened for reading | /sys/fs/kdbus/0-system/bus | systemctl
File opened for reading | /sys/fs/kdbus/0-system/bus | systemctl
File opened for reading | /sys/fs/kdbus/0-system/bus | systemctl
File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | opt.services.cfg
File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | opt.services.cfg
File opened for reading | /sys/fs/kdbus/0-system/bus | systemctl
File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | opt.services.cfg
File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /sys/fs/kdbus/0-system/bus | systemctl
File opened for reading | /sys/fs/kdbus/0-system/bus | systemctl
File opened for reading | /sys/fs/kdbus/0-system/bus | systemctl
Reads runtime system information
Processes (description | ioc | process):
File opened for reading | /proc/cmdline | systemctl
File opened for reading | /proc/1/environ | systemctl
File opened for reading | /proc/29/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/665/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/670/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/1/environ | systemctl
File opened for reading | /proc/filesystems | systemctl
File opened for reading | /proc/cmdline | systemctl
File opened for reading | /proc/5/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/18/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/23/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/cmdline | systemctl
File opened for reading | /proc/1/environ | systemctl
File opened for reading | /proc/1/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/106/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/149/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/287/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/27/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/filesystems | mount
File opened for reading | /proc/filesystems | systemctl
File opened for reading | /proc/6/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/19/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/21/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/24/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/394/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/650/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/659/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/666/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/26/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/97/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/137/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/286/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/self/stat | systemctl
File opened for reading | /proc/cmdline | systemctl
File opened for reading | /proc/3/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/1/environ | systemctl
File opened for reading | /proc/1/environ | systemctl
File opened for reading | /proc/651/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/filesystems | systemctl
File opened for reading | /proc/cmdline | systemctl
File opened for reading | /proc/filesystems | systemctl
File opened for reading | /proc/41/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/42/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/138/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/155/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/398/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/filesystems | systemctl
File opened for reading | /proc/12/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/17/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/20/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/43/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/284/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/filesystems | sed
File opened for reading | /proc/cmdline | systemctl
File opened for reading | /proc/4/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/7/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/76/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/108/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/658/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/1/environ | systemctl
File opened for reading | /proc/8/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/13/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/274/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
File opened for reading | /proc/306/stat | 639af202eb3c903183b8ae3d8ba4951e.elf
Processes (process tree; indentation shows parent/child depth, each line is path | cmdline | PID, followed by the signatures triggered by that process)
- /tmp/639af202eb3c903183b8ae3d8ba4951e.elf | /tmp/639af202eb3c903183b8ae3d8ba4951e.elf | PID:660
  signatures: Enumerates kernel/hardware configuration
  - /tmp/639af202eb3c903183b8ae3d8ba4951e.elf | /tmp/639af202eb3c903183b8ae3d8ba4951e.elf " " | PID:666
    signatures: Modifies Watchdog functionality; Creates/modifies environment variables; Modifies init.d; Write file to user bin folder; Modifies Bash startup script; Enumerates kernel/hardware configuration; Reads runtime system information
    - /bin/sh | /bin/sh -c "/etc/32676&" | PID:679
      signatures: Command and Scripting Interpreter: Unix Shell
    - /usr/sbin/service | service crond start | PID:682
      - /usr/bin/basename | basename /usr/sbin/service | PID:685
      - /usr/bin/basename | basename /usr/sbin/service | PID:687
      - /bin/systemctl | systemctl --quiet is-active multi-user.target | PID:690
        signatures: Enumerates kernel/hardware configuration; Reads runtime system information
      - /bin/sed | sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p" | PID:696
      - /bin/systemctl | systemctl list-unit-files --full "--type=socket" | PID:695
        signatures: Enumerates kernel/hardware configuration; Reads runtime system information
    - /usr/local/sbin/systemctl | systemctl "--job-mode=ignore-dependencies" start crond.service | PID:682
    - /usr/local/bin/systemctl | systemctl "--job-mode=ignore-dependencies" start crond.service | PID:682
    - /usr/sbin/systemctl | systemctl "--job-mode=ignore-dependencies" start crond.service | PID:682
    - /usr/bin/systemctl | systemctl "--job-mode=ignore-dependencies" start crond.service | PID:682
    - /sbin/systemctl | systemctl "--job-mode=ignore-dependencies" start crond.service | PID:682
    - /bin/systemctl | systemctl "--job-mode=ignore-dependencies" start crond.service | PID:682
      signatures: Enumerates kernel/hardware configuration; Reads runtime system information
    - /bin/sh | /bin/sh -c "echo \"*/1 * * * * root /.mod \" >> /etc/crontab" | PID:703
      signatures: Creates/modifies Cron job; Command and Scripting Interpreter: Unix Shell
    - /usr/bin/renice | renice -20 666 | PID:710
    - /bin/mount | mount -o bind /tmp/ /proc/666 | PID:712
      signatures: Reads runtime system information
    - /usr/sbin/service | service cron start | PID:713
      - /usr/bin/basename | basename /usr/sbin/service | PID:714
      - /usr/bin/basename | basename /usr/sbin/service | PID:715
      - /bin/systemctl | systemctl --quiet is-active multi-user.target | PID:716
        signatures: Enumerates kernel/hardware configuration; Reads runtime system information
      - /bin/systemctl | systemctl list-unit-files --full "--type=socket" | PID:718
        signatures: Enumerates kernel/hardware configuration; Reads runtime system information
      - /bin/sed | sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p" | PID:719
        signatures: Reads runtime system information
    - /usr/local/sbin/systemctl | systemctl "--job-mode=ignore-dependencies" start cron.service | PID:713
    - /usr/local/bin/systemctl | systemctl "--job-mode=ignore-dependencies" start cron.service | PID:713
    - /usr/sbin/systemctl | systemctl "--job-mode=ignore-dependencies" start cron.service | PID:713
    - /usr/bin/systemctl | systemctl "--job-mode=ignore-dependencies" start cron.service | PID:713
    - /sbin/systemctl | systemctl "--job-mode=ignore-dependencies" start cron.service | PID:713
    - /bin/systemctl | systemctl "--job-mode=ignore-dependencies" start cron.service | PID:713
      signatures: Enumerates kernel/hardware configuration; Reads runtime system information
    - /bin/systemctl | systemctl start crond.service | PID:720
      signatures: Enumerates kernel/hardware configuration; Reads runtime system information
- /etc/32676 | /etc/32676 | PID:681
  signatures: Executes dropped EXE
  - /bin/sleep | sleep 60 | PID:684
  - /etc/opt.services.cfg | /etc/opt.services.cfg | PID:829
    signatures: Executes dropped EXE; Enumerates kernel/hardware configuration
    - /etc/opt.services.cfg | /etc/opt.services.cfg " " | PID:834
      signatures: Executes dropped EXE; Enumerates kernel/hardware configuration
  - /bin/sleep | sleep 60 | PID:835
  - /etc/opt.services.cfg | /etc/opt.services.cfg | PID:860
    signatures: Executes dropped EXE; Enumerates kernel/hardware configuration
    - /etc/opt.services.cfg | /etc/opt.services.cfg " " | PID:864
      signatures: Executes dropped EXE; Enumerates kernel/hardware configuration
  - /bin/sleep | sleep 60 | PID:865
Network
MITRE ATT&CK Enterprise v15 (counts in parentheses)
Execution
- Command and Scripting Interpreter (1): Unix Shell (1)
- Scheduled Task/Job (1): Cron (1)
Persistence
- Boot or Logon Autostart Execution (2)
- Boot or Logon Initialization Scripts (1): RC Scripts (1)
- Event Triggered Execution (1): Unix Shell Configuration Modification (1)
- Hijack Execution Flow (1): Path Interception by PATH Environment Variable (1)
- Scheduled Task/Job (1): Cron (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
- Boot or Logon Initialization Scripts (1): RC Scripts (1)
- Event Triggered Execution (1): Unix Shell Configuration Modification (1)
- Hijack Execution Flow (1): Path Interception by PATH Environment Variable (1)
- Scheduled Task/Job (1): Cron (1)
Downloads
- Filesize: 34B
  MD5: f5a3713282e43c200f30342f5ff5e2ea
  SHA1: 2b2ce1a207e2b691a074c6f78f71c4785aae426a
  SHA256: 6ab64e727571458d4884fb2fe82c27c467db0699cb8f648b3f0217c35d2b7511
  SHA512: 5bcb8cd360409147a486755f90e0cdd97183af02ce8de5135b7c6a8a010deb9ef12dcd5ee9a2a8fd2e159347f68e72d6b7fd75e943b4fcd928d7a74b97476013
- Filesize: 41B
  MD5: bd5200042c2d93c06332794e70842aa3
  SHA1: c1ed0f33ebe8c81f83893d3a7c11307807243114
  SHA256: 36365132b46f5a24a78d726ea48c64fb4ee15712e90a3d9ead78fd4ec9da34db
  SHA512: 6f85dc569cc94562bb693754467ecf50959720ad5210ce436b08c8169105a983adc23ef5daf851acb3618e078ab014c89c373cf88779621df86c3d6c8a56185b
- Filesize: 90B
  MD5: 165cd16149a4db6c9bac369094f58268
  SHA1: ba97b130648042a2f0d1337474e9e7c94f512033
  SHA256: ef735507a28452384d2dfcbb26e9e735ea1f2fa7898273e529714c1877bcdcc5
  SHA512: 618624ca3e53fa500ad0e93a23d3299c43731b3f0a5ec983182f5797ab64b5302104284f2c033af98a9573cc971c147e5072c58aca16beb3fdd85d5bafeb1560
- Filesize: 61B
  MD5: 47684525bfdf26f49fd1cf742b17c015
  SHA1: c4ab14ba22420ff9acadfc698a38d0cd99e9fbfa
  SHA256: b7ce294613dd2c237a4a50548bfcd5c14d166107f2d2e965499bc78695300d5b
  SHA512: 948f9c519ae9afe1c821c5d58da2e584e50356dabef597ccd408853a9038560b9fb1c5894900e2725b48977ffd49d18a439436bb4946e2164ac9fcf2a8637621
- Filesize: 2.0MB
  MD5: 639af202eb3c903183b8ae3d8ba4951e
  SHA1: 78ad606c247165cb75c4e349d9be702517203224
  SHA256: 668e2cdc076b620be68a4d5aa2ed14d2fa9b48b556f0e8f69548d8a972436155
  SHA512: 1eb84b880900795da9bb834e88422c8a81bd83f7fb0dcdf090f8b178b21e486e0010126bd249c84cf2b2f6dcad3fc0597acad073b299512fba8f9f02ef0c4767
- Filesize: 937B
  MD5: dc6a9b4472df32de481b4167da1e6b2a
  SHA1: d637ce0d6f1da12df1b1db75048483ad0880e2f6
  SHA256: 6edd780fb06a8238388aa1f757772ffe629eaf377d7a611a8aed1f994bf8dcc2
  SHA512: 46b3d2dc982bcadb78c811fa7dee33e17347319b512a2d7afa3463b122bef4fbde4754f406d369b536f06c5ee402e577ccdb2fe2af5ba128135bec136afd0760
- Filesize: 134KB
  MD5: 138a27d6fe52fa1132760a4fa48922e0
  SHA1: e0250e4d7bf33a5a1064344224148b889cb15138
  SHA256: 81a10dad907b23521461bd3fc83c2cedb2218933a328d9a05e3c9f6a9a1d42aa
  SHA512: ee0078afad63fc2aaffdebb7127d1c7d4459287fee75358f57c82d397c39b7bf64338fb6996dfb1747cd9a896d714b3c76f0948727be91550f1affa1c0298a9e