Analysis
-
max time kernel
149s -
max time network
151s -
platform
debian-9_armhf -
resource
debian9-armhf-20240418-en -
resource tags
arch:armhf image:debian9-armhf-20240418-en kernel:4.9.0-13-armmp-lpae locale:en-us os:debian-9-armhf system -
submitted
02-11-2024 04:07
Behavioral task
behavioral1
Sample
linux_arm7.elf
Resource
debian9-armhf-20240418-en
General
-
Target
linux_arm7.elf
-
Size
2.0MB
-
MD5
a3ae5faa01a7db12ab76104d756cffe4
-
SHA1
976dcf62f67e5acc7dd97b81530e226532323104
-
SHA256
9c176e91a4175ef8e14a6408ab340439f6eb0f3d12c0c38d34bfdc44e8e278cd
-
SHA512
5b1b9bea5dfcffbc15594b5d6f035c5b435a7af6e1d99fe9b7357a4a6c34f17b3216be60cb6b5eee802c772863ea971ed70090fd7d357023aacb05aac8771654
-
SSDEEP
24576:gNwGGRggwEGpD5IaZIJzIDgliOAMUh1Rskiq1zpQHCaRU7axVL0rKUk3dVh/cviW:VrcNoLn3z82T16
Malware Config
Extracted
Family: kaiji
C2: ss.us-tv.top:1930
Signatures
-
Kaiji 1 IoCs
Kaiji payload
Processes:
resource | yara_rule
/etc/opt.services.cfg | Kaiji
-
Kaiji family
-
Executes dropped EXE 5 IoCs
Processes:
ioc | pid | process
/etc/32676 | 660 | 32676
/etc/opt.services.cfg | 808 | opt.services.cfg
/etc/opt.services.cfg | 812 | opt.services.cfg
/etc/opt.services.cfg | 840 | opt.services.cfg
/etc/opt.services.cfg | 844 | opt.services.cfg
-
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
Processes:
description | ioc | process
File opened for modification | /dev/watchdog | linux_arm7.elf
File opened for modification | /dev/misc/watchdog | linux_arm7.elf
-
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Creates/modifies environment variables 1 TTPs 3 IoCs
Creating/modifying environment variables is a common persistence mechanism.
Processes:
description | ioc | process
File opened for modification | /etc/profile.d/bash_cfg.sh | linux_arm7.elf
File opened for modification | /etc/profile.d/gateway.sh | linux_arm7.elf
File opened for modification | /etc/profile.d/bash_cfg | linux_arm7.elf
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Modifies init.d 17 IoCs
Writes to the SysV init scripts under /etc/init.d, which run at boot (the signature name is the one the process tree below reports for PID 644).
Processes:
description | ioc | process
File opened for modification | /etc/init.d/exim4 | linux_arm7.elf
File opened for modification | /etc/init.d/hwclock.sh | linux_arm7.elf
File opened for modification | /etc/init.d/selinux-autorelabel | linux_arm7.elf
File opened for modification | /etc/init.d/console-setup.sh | linux_arm7.elf
File opened for modification | /etc/init.d/networking | linux_arm7.elf
File opened for modification | /etc/init.d/rsyslog | linux_arm7.elf
File opened for modification | /etc/init.d/sudo | linux_arm7.elf
File opened for modification | /etc/init.d/x11-common | linux_arm7.elf
File opened for modification | /etc/init.d/alsa-utils | linux_arm7.elf
File opened for modification | /etc/init.d/kmod | linux_arm7.elf
File opened for modification | /etc/init.d/ssh | linux_arm7.elf
File opened for modification | /etc/init.d/auditd | linux_arm7.elf
File opened for modification | /etc/init.d/dbus | linux_arm7.elf
File opened for modification | /etc/init.d/keyboard-setup.sh | linux_arm7.elf
File opened for modification | /etc/init.d/procps | linux_arm7.elf
File opened for modification | /etc/init.d/udev | linux_arm7.elf
File opened for modification | /etc/init.d/cron | linux_arm7.elf
-
Write file to user bin folder 2 IoCs
Processes:
description | ioc | process
File opened for modification | /usr/bin/find | linux_arm7.elf
File opened for modification | /usr/bin/include/find | linux_arm7.elf
-
Modifies Bash startup script 2 TTPs 3 IoCs
Processes:
description | ioc | process
File opened for modification | /etc/profile.d/bash_cfg | linux_arm7.elf
File opened for modification | /etc/profile.d/bash_cfg.sh | linux_arm7.elf
File opened for modification | /etc/profile.d/gateway.sh | linux_arm7.elf
-
Command and Scripting Interpreter: Unix Shell 1 TTPs 2 IoCs
Execute scripts via Unix Shell.
-
Enumerates kernel/hardware configuration 1 TTPs 13 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
Processes:
description | ioc | process
File opened for reading | /sys/fs/kdbus/0-system/bus | systemctl (7 reads, one per systemctl invocation in the process tree)
File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | opt.services.cfg (4 reads, one per opt.services.cfg process)
File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | linux_arm7.elf (2 reads, one per linux_arm7.elf process)
The hpage_pmd_size reads are the Go runtime's start-up huge-page probe, not deliberate enumeration; the kdbus read is systemctl's own start-up check.
-
Reads runtime system information 64 IoCs
Reads data from the /proc virtual filesystem (the signature name is the one the process tree below reports for PID 644 and the systemctl children).
Processes:
description | ioc | process
File opened for reading | /proc/<pid>/stat for pids 1, 3, 4, 8, 9, 10, 11, 12, 16, 18, 19, 20, 21, 22, 24, 25, 28, 29, 41, 42, 43, 76, 98, 107, 109, 140, 141, 142, 149, 215, 267, 278, 280, 312, 586, 588, 625, 631, 632, 636, 637, 638, 644, 646, 649 | linux_arm7.elf (45 reads: a walk over every live process, i.e. a process listing)
File opened for reading | /proc/1/environ | systemctl (4 reads)
File opened for reading | /proc/filesystems | systemctl (6 reads)
File opened for reading | /proc/cmdline | systemctl (4 reads)
File opened for reading | /proc/self/stat | systemctl (4 reads)
File opened for reading | /proc/filesystems | sed (1 read)
Processes
-
Each entry is executable, PID and command line; indentation is the depth in the process tree, and the signatures matched by that process follow it. Entries that share a PID with the preceding service wrapper are the wrapper's successive exec attempts along PATH; only the /bin/systemctl one ran far enough to read /sys and /proc.

/tmp/linux_arm7.elf  (PID 639)  cmd: /tmp/linux_arm7.elf
  - Enumerates kernel/hardware configuration
  /tmp/linux_arm7.elf  (PID 644)  cmd: /tmp/linux_arm7.elf " "
    - Modifies Watchdog functionality
    - Creates/modifies environment variables
    - Modifies init.d
    - Write file to user bin folder
    - Modifies Bash startup script
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    /bin/sh  (PID 658)  cmd: /bin/sh -c "/etc/32676&"
      - Command and Scripting Interpreter: Unix Shell
    /usr/sbin/service  (PID 661)  cmd: service crond start
      /usr/bin/basename  (PID 663)  cmd: basename /usr/sbin/service
      /usr/bin/basename  (PID 667)  cmd: basename /usr/sbin/service
      /bin/systemctl  (PID 670)  cmd: systemctl --quiet is-active multi-user.target
        - Enumerates kernel/hardware configuration
        - Reads runtime system information
      /bin/systemctl  (PID 675)  cmd: systemctl list-unit-files --full "--type=socket"
        - Enumerates kernel/hardware configuration
        - Reads runtime system information
      /bin/sed  (PID 676)  cmd: sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
        - Reads runtime system information
    /usr/local/sbin/systemctl  (PID 661)  cmd: systemctl "--job-mode=ignore-dependencies" start crond.service
    /usr/local/bin/systemctl  (PID 661)  cmd: systemctl "--job-mode=ignore-dependencies" start crond.service
    /usr/sbin/systemctl  (PID 661)  cmd: systemctl "--job-mode=ignore-dependencies" start crond.service
    /usr/bin/systemctl  (PID 661)  cmd: systemctl "--job-mode=ignore-dependencies" start crond.service
    /sbin/systemctl  (PID 661)  cmd: systemctl "--job-mode=ignore-dependencies" start crond.service
    /bin/systemctl  (PID 661)  cmd: systemctl "--job-mode=ignore-dependencies" start crond.service
      - Enumerates kernel/hardware configuration
      - Reads runtime system information
    /bin/sh  (PID 682)  cmd: /bin/sh -c "echo \"*/1 * * * * root /.mod \" >> /etc/crontab"
      - Creates/modifies Cron job
      - Command and Scripting Interpreter: Unix Shell
    /usr/bin/renice  (PID 687)  cmd: renice -20 644  (raises the main process to the highest scheduling priority)
    /bin/mount  (PID 688)  cmd: mount -o bind /tmp/ /proc/644  (mounts /tmp over its own /proc entry, so ps and top no longer show PID 644)
    /usr/sbin/service  (PID 689)  cmd: service cron start
      /usr/bin/basename  (PID 690)  cmd: basename /usr/sbin/service
      /usr/bin/basename  (PID 692)  cmd: basename /usr/sbin/service
      /bin/systemctl  (PID 693)  cmd: systemctl --quiet is-active multi-user.target
        - Enumerates kernel/hardware configuration
        - Reads runtime system information
      /bin/sed  (PID 696)  cmd: sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
      /bin/systemctl  (PID 695)  cmd: systemctl list-unit-files --full "--type=socket"
        - Enumerates kernel/hardware configuration
        - Reads runtime system information
    /usr/local/sbin/systemctl  (PID 689)  cmd: systemctl start cron.service
    /usr/local/bin/systemctl  (PID 689)  cmd: systemctl start cron.service
    /usr/sbin/systemctl  (PID 689)  cmd: systemctl start cron.service
    /usr/bin/systemctl  (PID 689)  cmd: systemctl start cron.service
    /sbin/systemctl  (PID 689)  cmd: systemctl start cron.service
    /bin/systemctl  (PID 689)  cmd: systemctl start cron.service
      - Enumerates kernel/hardware configuration
      - Reads runtime system information
    /bin/systemctl  (PID 697)  cmd: systemctl start crond.service
      - Enumerates kernel/hardware configuration
      - Reads runtime system information
-
/etc/32676  (PID 660)  cmd: /etc/32676
  - Executes dropped EXE
  /bin/sleep  (PID 664)  cmd: sleep 60
  /etc/opt.services.cfg  (PID 808)  cmd: /etc/opt.services.cfg
    - Executes dropped EXE
    - Enumerates kernel/hardware configuration
    /etc/opt.services.cfg  (PID 812)  cmd: /etc/opt.services.cfg " "
      - Executes dropped EXE
      - Enumerates kernel/hardware configuration
  /bin/sleep  (PID 813)  cmd: sleep 60
  /etc/opt.services.cfg  (PID 840)  cmd: /etc/opt.services.cfg
    - Executes dropped EXE
    - Enumerates kernel/hardware configuration
    /etc/opt.services.cfg  (PID 844)  cmd: /etc/opt.services.cfg " "
      - Executes dropped EXE
      - Enumerates kernel/hardware configuration
  /bin/sleep  (PID 845)  cmd: sleep 60
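Everything this run left behind is checkable on a live host: the `/.mod` line appended to /etc/crontab, the /etc/profile.d hooks, the files dropped into /etc, the extra find binary under /usr/bin/include, and the bind mount over /proc/644. The Python sweep below is an added example written for this page; it is not code from the report, the sandbox, or the Kaiji sample. Indicator paths and SHA256 digests are copied from the report above. SAMPLE_CRONTAB and SAMPLE_MOUNTS are constructed inputs so the checks run offline, and the "root job running a dot-file directly under /" heuristic is an editorial generalisation of the observed crontab line, not something the report asserts.

```python
"""Added example (not from the report or the sample): sweep a Linux host for the
persistence and hiding artifacts recorded above. Indicator values are copied
from the report; SAMPLE_CRONTAB and SAMPLE_MOUNTS are constructed inputs so the
checks can run offline, while sweep_host() runs them on the live machine."""
import hashlib
import os
import re
from pathlib import Path

# Dropped payloads, profile.d hooks, the added binary and the cron target.
PATH_IOCS = (
    "/etc/32676",
    "/etc/opt.services.cfg",
    "/etc/profile.d/bash_cfg",
    "/etc/profile.d/bash_cfg.sh",
    "/etc/profile.d/gateway.sh",
    "/usr/bin/include/find",
    "/.mod",
)
# SHA256 of the submitted ELF and the six other downloaded files in the report.
HASH_IOCS = {
    "9c176e91a4175ef8e14a6408ab340439f6eb0f3d12c0c38d34bfdc44e8e278cd",
    "6ab64e727571458d4884fb2fe82c27c467db0699cb8f648b3f0217c35d2b7511",
    "5957056ad849acd3b6f945cf0a81d137d9e82541648717626050a3698a36a8fc",
    "e013e3dd84120e3bd1f0555e322cec5c30383f4e05c8130cc6b77a111f9817fe",
    "b7ce294613dd2c237a4a50548bfcd5c14d166107f2d2e965499bc78695300d5b",
    "5707914b73384c71d032b52535e6a4ddbd9cd92a612b15e86b43c417ff51b9a1",
    "81a10dad907b23521461bd3fc83c2cedb2218933a328d9a05e3c9f6a9a1d42aa",
}
# /etc/crontab lines: five schedule fields, a user, then the command.
CRON_LINE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+?)\s*$")
PROC_PID_MOUNT = re.compile(r"^/proc/\d+(?:/|$)")  # a /proc/<pid> mount point


def find_cron_iocs(crontab_text):
    """Return (kind, detail) findings for the report's '/.mod' job and for any
    other root job whose command is a dot-file directly under / (heuristic)."""
    out = []
    for line in crontab_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] == "#" or "=" in stripped.split()[0]:
            continue  # blank, comment or VAR=value line
        m = CRON_LINE.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        if cmd.split()[0] == "/.mod":
            out.append(("cron", f"report IoC: {stripped}"))
        elif m.group("user") == "root" and re.match(r"/\.[^/\s]+", cmd):
            out.append(("cron", f"root job running hidden file in /: {stripped}"))
    return out


def find_proc_bind_mounts(mounts_text):
    """Parse /proc/mounts; anything mounted over /proc/<pid> is the
    `mount -o bind /tmp/ /proc/644` trick that hides a process from ps/top."""
    out = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and PROC_PID_MOUNT.match(fields[1]):
            out.append(("mount", f"{fields[0]} ({fields[2]}) mounted over {fields[1]}"))
    return out


def find_path_iocs(exists=os.path.exists):
    """Which dropped paths exist; `exists` is injectable for offline testing."""
    return [("file", p) for p in PATH_IOCS if exists(p)]


def find_hash_iocs(digests):
    """Match a {path: sha256-hex} mapping against the report's digests."""
    return [("hash", f"{p} = {d}") for p, d in digests.items() if d.lower() in HASH_IOCS]


def sweep_host():
    """Run every check on the live host (root needed for /etc/crontab and /etc)."""
    findings = []
    for path, check in (("/etc/crontab", find_cron_iocs), ("/proc/mounts", find_proc_bind_mounts)):
        try:
            findings += check(Path(path).read_text())
        except OSError:
            pass  # missing or unreadable: nothing to report
    findings += find_path_iocs()
    # /usr/bin/find was opened for modification by the sample, so hash it as well.
    present = [p for p in PATH_IOCS + ("/usr/bin/find",) if os.path.isfile(p)]
    findings += find_hash_iocs({p: hashlib.sha256(Path(p).read_bytes()).hexdigest() for p in present})
    return findings


# Constructed sample inputs for the offline demo (not captured from a real host).
SAMPLE_CRONTAB = """SHELL=/bin/sh
17 *\t* * *\troot    cd / && run-parts --report /etc/cron.hourly
*/1 * * * * root /.mod 
"""
SAMPLE_MOUNTS = """proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,relatime 0 0
/dev/vda1 /proc/644 ext4 rw,relatime,errors=remount-ro,data=ordered 0 0
"""

if __name__ == "__main__":
    for kind, detail in find_cron_iocs(SAMPLE_CRONTAB) + find_proc_bind_mounts(SAMPLE_MOUNTS) + sweep_host():
        print(f"{kind}: {detail}")
```

Run it as root with python3; sweep_host() reads /etc/crontab and /proc/mounts and hashes whichever of the listed files exist. The digests identify this build only, so the path, cron and mount checks are the ones that still apply to a recompiled sample. Because /usr/bin/find was opened for modification, also verify it against the package database with `dpkg -V findutils`, which the sweep does not do.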
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1): Unix Shell (1)
  Scheduled Task/Job (1): Cron (1)
Persistence
  Boot or Logon Autostart Execution (2)
  Boot or Logon Initialization Scripts (1): RC Scripts (1)
  Event Triggered Execution (1): Unix Shell Configuration Modification (1)
  Hijack Execution Flow (1): Path Interception by PATH Environment Variable (1)
  Scheduled Task/Job (1): Cron (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
  Boot or Logon Initialization Scripts (1): RC Scripts (1)
  Event Triggered Execution (1): Unix Shell Configuration Modification (1)
  Hijack Execution Flow (1): Path Interception by PATH Environment Variable (1)
  Scheduled Task/Job (1): Cron (1)
Downloads
-
Filesize 34B
MD5 f5a3713282e43c200f30342f5ff5e2ea
SHA1 2b2ce1a207e2b691a074c6f78f71c4785aae426a
SHA256 6ab64e727571458d4884fb2fe82c27c467db0699cb8f648b3f0217c35d2b7511
SHA512 5bcb8cd360409147a486755f90e0cdd97183af02ce8de5135b7c6a8a010deb9ef12dcd5ee9a2a8fd2e159347f68e72d6b7fd75e943b4fcd928d7a74b97476013
-
Filesize 41B
MD5 848e7c35a84718fa1f17fce23a005c21
SHA1 5e389e1a4ad4364a30b9a0912685f55cc639876c
SHA256 5957056ad849acd3b6f945cf0a81d137d9e82541648717626050a3698a36a8fc
SHA512 22511d179960b0465d7a7107861177930312a77881ef213edd017804b12402a741bb61e5b68446de95ee81c477ef8dce9f0299746db72edd0a3dbbb559c5b893
-
Filesize 90B
MD5 0bd10991da51342224d669a2ba87403a
SHA1 982e4866d12e58576ddd307b2d0b6ca25ec53473
SHA256 e013e3dd84120e3bd1f0555e322cec5c30383f4e05c8130cc6b77a111f9817fe
SHA512 c4534c7b0f75ee2c603deeaca2cbe5b7117e254cfbc2fa9867fac0c4bcbf81d7621a836c3dd19fe4e593e4fa2a5be6a74cdc3980c22e788ab5f7ea3301950389
-
Filesize 61B
MD5 47684525bfdf26f49fd1cf742b17c015
SHA1 c4ab14ba22420ff9acadfc698a38d0cd99e9fbfa
SHA256 b7ce294613dd2c237a4a50548bfcd5c14d166107f2d2e965499bc78695300d5b
SHA512 948f9c519ae9afe1c821c5d58da2e584e50356dabef597ccd408853a9038560b9fb1c5894900e2725b48977ffd49d18a439436bb4946e2164ac9fcf2a8637621
-
Filesize 2.0MB (the submitted sample itself; hashes match the General section)
MD5 a3ae5faa01a7db12ab76104d756cffe4
SHA1 976dcf62f67e5acc7dd97b81530e226532323104
SHA256 9c176e91a4175ef8e14a6408ab340439f6eb0f3d12c0c38d34bfdc44e8e278cd
SHA512 5b1b9bea5dfcffbc15594b5d6f035c5b435a7af6e1d99fe9b7357a4a6c34f17b3216be60cb6b5eee802c772863ea971ed70090fd7d357023aacb05aac8771654
-
Filesize 915B
MD5 5107c4303eba6c0fc770956d43b4c7e6
SHA1 f9444e5004eec5817f60449b232e9854607383f6
SHA256 5707914b73384c71d032b52535e6a4ddbd9cd92a612b15e86b43c417ff51b9a1
SHA512 99addcaa167ced119746184f17dc9cc94b46715bb4f20b241d86db2f1b6f339eae9000b014d75c48f3b18817ce8380d218be15c2464b1c0e15f4289fb180861d
-
Filesize 134KB
MD5 138a27d6fe52fa1132760a4fa48922e0
SHA1 e0250e4d7bf33a5a1064344224148b889cb15138
SHA256 81a10dad907b23521461bd3fc83c2cedb2218933a328d9a05e3c9f6a9a1d42aa
SHA512 ee0078afad63fc2aaffdebb7127d1c7d4459287fee75358f57c82d397c39b7bf64338fb6996dfb1747cd9a896d714b3c76f0948727be91550f1affa1c0298a9e