Analysis
-
max time kernel
148s -
max time network
152s -
platform
ubuntu-22.04_amd64 -
resource
ubuntu2204-amd64-20240729-en -
resource tags
arch:amd64arch:i386image:ubuntu2204-amd64-20240729-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system -
submitted
02-11-2024 02:52
Behavioral task
behavioral1
Sample
e55a695d2530b3fb5c80256f6036de29.elf
Resource
ubuntu2204-amd64-20240729-en
General
-
Target
e55a695d2530b3fb5c80256f6036de29.elf
-
Size
1.9MB
-
MD5
e55a695d2530b3fb5c80256f6036de29
-
SHA1
cbf9fb21338b161a6b5ab67425e8afbcf9bbcd93
-
SHA256
ce2944509d3936280343639c38ed5240f0a35c8d1dd63a00ce0eef1052325124
-
SHA512
a59fec7fe64abf676a4b40737eaf4b5824daf78c78324ef1e8b58114f81bbeda4edb281fab0582026dd8363314905d0259b20ac842f9016f4da8bf1dab0fc89d
-
SSDEEP
49152:XXPVKrbvGOQLeS7rb/TCvO90d7HjmAFd4A64nsfJrkaani38B4B+g2vUqHOErz1:tPXZz
Malware Config
Extracted
kaiji
ss.us-tv.top:1930
Signatures
-
Kaiji 1 IoCs
Kaiji payload
Processes:
resource yara_rule /boot/System.mod Kaiji -
Kaiji family
-
Executes dropped EXE 5 IoCs
Processes:
32676opt.services.cfgopt.services.cfgopt.services.cfgopt.services.cfgioc pid process /etc/32676 1586 32676 /etc/opt.services.cfg 1720 opt.services.cfg /etc/opt.services.cfg 1724 opt.services.cfg /etc/opt.services.cfg 1743 opt.services.cfg /etc/opt.services.cfg 1747 opt.services.cfg -
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
Processes:
e55a695d2530b3fb5c80256f6036de29.elfdescription ioc process File opened for modification /dev/watchdog e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /dev/misc/watchdog e55a695d2530b3fb5c80256f6036de29.elf -
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Creates/modifies environment variables 1 TTPs 3 IoCs
Creating/modifying environment variables is a common persistence mechanism.
Processes:
e55a695d2530b3fb5c80256f6036de29.elfdescription ioc process File opened for modification /etc/profile.d/bash_cfg e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /etc/profile.d/bash_cfg.sh e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /etc/profile.d/gateway.sh e55a695d2530b3fb5c80256f6036de29.elf -
Enumerates running processes
Discovers information about currently running processes on the system
-
Processes:
e55a695d2530b3fb5c80256f6036de29.elfdescription ioc process File opened for modification /etc/init.d/openvpn e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /etc/init.d/acpid e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /etc/init.d/avahi-daemon e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /etc/init.d/ssh e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /etc/init.d/x11-common e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /etc/init.d/apport e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /etc/init.d/lvm2-lvmpolld e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /etc/init.d/open-iscsi e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /etc/init.d/saned e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /etc/init.d/gdm3 e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /etc/init.d/hwclock.sh e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /etc/init.d/kmod e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /etc/init.d/sssd e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /etc/init.d/console-setup.sh e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /etc/init.d/iscsid e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /etc/init.d/cryptdisks e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /etc/init.d/plymouth e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /etc/init.d/unattended-upgrades e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /etc/init.d/alsa-utils e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /etc/init.d/anacron e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /etc/init.d/bluetooth e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /etc/init.d/cron e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /etc/init.d/procps e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /etc/init.d/rsync e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /etc/init.d/spice-vdagent e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /etc/init.d/udev e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /etc/init.d/cryptdisks-early e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /etc/init.d/cups-browsed e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /etc/init.d/dbus e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /etc/init.d/keyboard-setup.sh e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /etc/init.d/apparmor e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /etc/init.d/cups e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /etc/init.d/plymouth-log e55a695d2530b3fb5c80256f6036de29.elf -
Modifies systemd 2 TTPs 1 IoCs
Adds/ modifies systemd service files. Likely to achieve persistence.
Processes:
e55a695d2530b3fb5c80256f6036de29.elfdescription ioc process File opened for modification /usr/lib/systemd/system/quotaoff.service e55a695d2530b3fb5c80256f6036de29.elf -
Write file to user bin folder 12 IoCs
Processes:
e55a695d2530b3fb5c80256f6036de29.elfdescription ioc process File opened for modification /usr/bin/lsof e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /usr/bin/include/ss e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /usr/bin/include/ls e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /usr/bin/include/dir e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /usr/bin/include/lsof e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /usr/bin/ps e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /usr/bin/ss e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /usr/bin/ls e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /usr/bin/include/ps e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /usr/bin/include/find e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /usr/bin/dir e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /usr/bin/find e55a695d2530b3fb5c80256f6036de29.elf -
Modifies Bash startup script 2 TTPs 3 IoCs
Processes:
e55a695d2530b3fb5c80256f6036de29.elfdescription ioc process File opened for modification /etc/profile.d/gateway.sh e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /etc/profile.d/bash_cfg e55a695d2530b3fb5c80256f6036de29.elf File opened for modification /etc/profile.d/bash_cfg.sh e55a695d2530b3fb5c80256f6036de29.elf -
Command and Scripting Interpreter: Unix Shell 1 TTPs 4 IoCs
Execute scripts via Unix Shell.
-
Enumerates kernel/hardware configuration 1 TTPs 6 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
Processes:
opt.services.cfgopt.services.cfgopt.services.cfgopt.services.cfge55a695d2530b3fb5c80256f6036de29.elfe55a695d2530b3fb5c80256f6036de29.elfdescription ioc process File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size opt.services.cfg File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size opt.services.cfg File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size opt.services.cfg File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size opt.services.cfg File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size e55a695d2530b3fb5c80256f6036de29.elf -
Processes:
e55a695d2530b3fb5c80256f6036de29.elfjournalctlsystemctlsystemctlsystemctlseddescription ioc process File opened for reading /proc/210/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/524/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/592/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/1573/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/filesystems journalctl File opened for reading /proc/160/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/200/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/263/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/611/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/634/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/1096/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/1108/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/1511/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/25/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/26/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/114/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/208/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/585/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/741/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/770/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/865/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/77/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/79/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/1578/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/filesystems systemctl File opened for reading /proc/1178/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/1280/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/841/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/1148/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/4/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/88/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/1101/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/1347/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/1571/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/filesystems systemctl File opened for reading /proc/5/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/202/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/1135/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/1165/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/81/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/119/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/956/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/416/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/587/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/314/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/646/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/746/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/1056/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/1315/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/filesystems systemctl File opened for reading /proc/8/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/99/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/687/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/721/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/1164/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/1171/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/1175/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/filesystems sed File opened for reading /proc/7/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/216/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/593/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/1159/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/1161/stat e55a695d2530b3fb5c80256f6036de29.elf File opened for reading /proc/1162/stat e55a695d2530b3fb5c80256f6036de29.elf
Processes
-
/tmp/e55a695d2530b3fb5c80256f6036de29.elf/tmp/e55a695d2530b3fb5c80256f6036de29.elf1⤵
- Enumerates kernel/hardware configuration
PID:1574 -
/tmp/e55a695d2530b3fb5c80256f6036de29.elf/tmp/e55a695d2530b3fb5c80256f6036de29.elf " "2⤵
- Modifies Watchdog functionality
- Creates/modifies environment variables
- Modifies init.d
- Modifies systemd
- Write file to user bin folder
- Modifies Bash startup script
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1578 -
/bin/sh/bin/sh -c "/etc/32676&"3⤵
- Command and Scripting Interpreter: Unix Shell
PID:1585 -
/usr/sbin/serviceservice crond start3⤵PID:1587
-
/usr/bin/basenamebasename /usr/sbin/service4⤵PID:1589
-
/usr/bin/basenamebasename /usr/sbin/service4⤵PID:1590
-
/usr/bin/sedsed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"4⤵PID:1593
-
/usr/bin/systemctlsystemctl list-unit-files --full "--type=socket"4⤵
- Reads runtime system information
PID:1592 -
/usr/local/sbin/systemctlsystemctl start crond.service3⤵PID:1587
-
/usr/local/bin/systemctlsystemctl start crond.service3⤵PID:1587
-
/usr/sbin/systemctlsystemctl start crond.service3⤵PID:1587
-
/usr/bin/systemctlsystemctl start crond.service3⤵PID:1587
-
/bin/sh/bin/sh -c "cd /boot;systemctl daemon-reload;systemctl enable quotaoff.service;systemctl start quotaoff.service;journalctl -xe --no-pager"3⤵
- Command and Scripting Interpreter: Unix Shell
PID:1594 -
/usr/bin/systemctlsystemctl daemon-reload4⤵
- Reads runtime system information
PID:1595 -
/usr/bin/systemctlsystemctl enable quotaoff.service4⤵PID:1629
-
/usr/bin/systemctlsystemctl start quotaoff.service4⤵PID:1663
-
/usr/bin/journalctljournalctl -xe --no-pager4⤵
- Reads runtime system information
PID:1678 -
/bin/sh/bin/sh -c "cd /boot;ausearch -c 'System.mod' --raw | audit2allow -M my-Systemmod;semodule -X 300 -i my-Systemmod.pp"3⤵
- Command and Scripting Interpreter: Unix Shell
PID:1679 -
/bin/sh/bin/sh -c "echo \"*/1 * * * * root /.mod \" >> /etc/crontab"3⤵
- Creates/modifies Cron job
- Command and Scripting Interpreter: Unix Shell
PID:1682 -
/usr/bin/renicerenice -20 15783⤵PID:1683
-
/usr/bin/mountmount -o bind /tmp/ /proc/15783⤵PID:1684
-
/usr/sbin/serviceservice cron start3⤵PID:1686
-
/usr/bin/basenamebasename /usr/sbin/service4⤵PID:1687
-
/usr/bin/basenamebasename /usr/sbin/service4⤵PID:1688
-
/usr/bin/sedsed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"4⤵
- Reads runtime system information
PID:1691 -
/usr/bin/systemctlsystemctl list-unit-files --full "--type=socket"4⤵
- Reads runtime system information
PID:1690 -
/usr/local/sbin/systemctlsystemctl start cron.service3⤵PID:1686
-
/usr/local/bin/systemctlsystemctl start cron.service3⤵PID:1686
-
/usr/sbin/systemctlsystemctl start cron.service3⤵PID:1686
-
/usr/bin/systemctlsystemctl start cron.service3⤵PID:1686
-
/usr/bin/systemctlsystemctl start crond.service3⤵PID:1692
-
/etc/32676/etc/326761⤵
- Executes dropped EXE
PID:1586 -
/usr/bin/sleepsleep 602⤵PID:1588
-
/etc/opt.services.cfg/etc/opt.services.cfg2⤵
- Executes dropped EXE
- Enumerates kernel/hardware configuration
PID:1720 -
/etc/opt.services.cfg/etc/opt.services.cfg " "3⤵
- Executes dropped EXE
- Enumerates kernel/hardware configuration
PID:1724 -
/usr/bin/sleepsleep 602⤵PID:1725
-
/etc/opt.services.cfg/etc/opt.services.cfg2⤵
- Executes dropped EXE
- Enumerates kernel/hardware configuration
PID:1743 -
/etc/opt.services.cfg/etc/opt.services.cfg " "3⤵
- Executes dropped EXE
- Enumerates kernel/hardware configuration
PID:1747 -
/usr/bin/sleepsleep 602⤵PID:1748
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1Unix Shell
1Scheduled Task/Job
1Cron
1Persistence
Boot or Logon Autostart Execution
3XDG Autostart Entries
1Boot or Logon Initialization Scripts
1RC Scripts
1Create or Modify System Process
1Systemd Service
1Event Triggered Execution
1Unix Shell Configuration Modification
1Hijack Execution Flow
1Path Interception by PATH Environment Variable
1Scheduled Task/Job
1Cron
1Privilege Escalation
Boot or Logon Autostart Execution
3XDG Autostart Entries
1Boot or Logon Initialization Scripts
1RC Scripts
1Create or Modify System Process
1Systemd Service
1Event Triggered Execution
1Unix Shell Configuration Modification
1Hijack Execution Flow
1Path Interception by PATH Environment Variable
1Scheduled Task/Job
1Cron
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
34B
MD5f5a3713282e43c200f30342f5ff5e2ea
SHA12b2ce1a207e2b691a074c6f78f71c4785aae426a
SHA2566ab64e727571458d4884fb2fe82c27c467db0699cb8f648b3f0217c35d2b7511
SHA5125bcb8cd360409147a486755f90e0cdd97183af02ce8de5135b7c6a8a010deb9ef12dcd5ee9a2a8fd2e159347f68e72d6b7fd75e943b4fcd928d7a74b97476013
-
Filesize
1.9MB
MD5e55a695d2530b3fb5c80256f6036de29
SHA1cbf9fb21338b161a6b5ab67425e8afbcf9bbcd93
SHA256ce2944509d3936280343639c38ed5240f0a35c8d1dd63a00ce0eef1052325124
SHA512a59fec7fe64abf676a4b40737eaf4b5824daf78c78324ef1e8b58114f81bbeda4edb281fab0582026dd8363314905d0259b20ac842f9016f4da8bf1dab0fc89d
-
Filesize
49B
MD5ee57f6cb3b362d7140dc023687b4d959
SHA12c85632599f651984f0408b5d733b265fcf76ebc
SHA25650e249e8740c366ad2c0b3835e0554ded413aeb995d2fd339e82b3d3c14bf155
SHA512838628f79a2e91805df9df34fcf8d70c4a4b77bdb9e84149930a1ef45fd29d69e6ce5d96ce4cd56ed6e7e3d5e10d221b3ce41b6d8aeb658abd941c335ef9a578
-
Filesize
98B
MD5831c33539ef5df68c1ee88d087dca211
SHA1c5e582f85248a12ceb23ca059b66036523dec44f
SHA256130fa7342378db9d67c7b7596ac7fc83356edc6d2741bdb555e48f88338c9ea1
SHA512ff11bf8cdede01a9722bd08188bbfda81241b568d023f00504281191fa47dd66165dec97a104d63f0414234cb5e16d32f1b460411c3c9216e43055e71f3616fb
-
Filesize
61B
MD547684525bfdf26f49fd1cf742b17c015
SHA1c4ab14ba22420ff9acadfc698a38d0cd99e9fbfa
SHA256b7ce294613dd2c237a4a50548bfcd5c14d166107f2d2e965499bc78695300d5b
SHA512948f9c519ae9afe1c821c5d58da2e584e50356dabef597ccd408853a9038560b9fb1c5894900e2725b48977ffd49d18a439436bb4946e2164ac9fcf2a8637621
-
Filesize
5KB
MD5716f713790b4e56c299c857a96fcad5b
SHA11e1f07ae0a69dafb5c3d67859d6729f96d207109
SHA2568a9fe275a2d9d6b3643669c5096b44f08eca9adef36255987e111fab126c37b9
SHA5127a5c67b96345929cdd986ddd87e749335f0045dea89bec0d3f50646e9a7b2fac6ae33b64bc026f34cef8fe43387323f520d1579e867380eecc535fe1165ed528
-
Filesize
186B
MD5b02de6cd28cd922b18d9d93375a70d8b
SHA1021426a5a2ff9edc80ba5936c94b37525538885e
SHA256d8d8e5cd33aa3450cd74c63716a02f3dff39efef2836559f110bc93663b1380a
SHA512db3fe03ad5e599e6c03aaec7bf1242f5509fbb624adb9afb7499e25487daef3f3f1c6babf51570b527a5ac5c9f4b079ae4cc53baa9497c0a121328bef8d04422