Analysis Overview
SHA256
628a4a3d5b1f134676431472700ee2240630e63e0732d3542f5c99163628f9b6
Threat Level: Known bad
The file 628a4a3d5b1f134676431472700ee2240630e63e0732d3542f5c99163628f9b6.elf was found to be: Known bad.
Malicious Activity Summary
Kaiji
Kaiji family
Executes dropped EXE
Enumerates running processes
Reads runtime system information
Command and Scripting Interpreter: Unix Shell
Enumerates kernel/hardware configuration
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-03 02:53
Signatures
Kaiji
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Kaiji family
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-03 02:53
Reported
2024-11-03 02:56
Platform
debian12-mipsel-20240729-en
Max time kernel
5s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /etc/32676 | /etc/32676 | N/A |
Enumerates running processes
Command and Scripting Interpreter: Unix Shell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | /bin/sh | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /tmp/628a4a3d5b1f134676431472700ee2240630e63e0732d3542f5c99163628f9b6.elf | N/A |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /tmp/628a4a3d5b1f134676431472700ee2240630e63e0732d3542f5c99163628f9b6.elf | N/A |
Reads runtime system information
Processes
/tmp/628a4a3d5b1f134676431472700ee2240630e63e0732d3542f5c99163628f9b6.elf
[/tmp/628a4a3d5b1f134676431472700ee2240630e63e0732d3542f5c99163628f9b6.elf]
/tmp/628a4a3d5b1f134676431472700ee2240630e63e0732d3542f5c99163628f9b6.elf
[/tmp/628a4a3d5b1f134676431472700ee2240630e63e0732d3542f5c99163628f9b6.elf ]
/bin/sh
[/bin/sh -c /etc/32676&]
/etc/32676
[/etc/32676]
/usr/sbin/service
[service crond start]
/usr/bin/sleep
[sleep 60]
/usr/bin/basename
[basename /usr/sbin/service]
/usr/bin/basename
[basename /usr/sbin/service]
/usr/bin/systemctl
[systemctl list-unit-files --full --type=socket]
/usr/bin/sed
[sed -ne s/\.socket\s*[a-z]*\s*$/.socket/p]
Network
Files
/etc/.walk
| MD5 | 7db9364ee0f77bf3c0f0745ffce6f223 |
| SHA1 | fb8480bfda304979fc908631852a09008766a354 |
| SHA256 | 2ed7facc81e029a5a8fab2820e18c5400ee180c379309ff3e1713cc6e9473b96 |
| SHA512 | 802decd31b2eb1bb41b902335cc9b4a24db5c2c393459cdf636e4b48f034b80514aba03ea54c84e54cb68078d9a6e68a363af028233c25e7035ff675474c4eff |
/etc/.walk
| MD5 | 99d3c8d23102dd11e4e700af556124f2 |
| SHA1 | b9ce0fb93245e5d356dec908f5cc57738fa96a48 |
| SHA256 | eff0865ccd00edcbd7488867c3a29d2bd667e8a0efaefe8c2ab86c2ec8b36be8 |
| SHA512 | d8d93a19647f3eb401a8ea128db466c5cd18c93bb7dabc4d4d0c8b3845c8baf027158b7121e2f97debd395ea47c138ee18c2032524d2df8fd13086aa504467e1 |
/etc/32676
| MD5 | 47684525bfdf26f49fd1cf742b17c015 |
| SHA1 | c4ab14ba22420ff9acadfc698a38d0cd99e9fbfa |
| SHA256 | b7ce294613dd2c237a4a50548bfcd5c14d166107f2d2e965499bc78695300d5b |
| SHA512 | 948f9c519ae9afe1c821c5d58da2e584e50356dabef597ccd408853a9038560b9fb1c5894900e2725b48977ffd49d18a439436bb4946e2164ac9fcf2a8637621 |
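A hunting check built from the indicators this report exposes, added here as an example; it is not part of the sandbox report or of the sample. The hashes, paths and command lines are copied from the process tree and Files section above; the Event shape, the pids, and the two benign admin events used as negatives are constructed for the example.

```python
"""Hunting rules derived from the Kaiji detonation above, run over a
constructed set of process/file events (not real telemetry)."""
import re
from dataclasses import dataclass

# SHA256 values copied from the report (submitted sample + dropped files).
KNOWN_BAD_SHA256 = {
    "628a4a3d5b1f134676431472700ee2240630e63e0732d3542f5c99163628f9b6",  # submitted .elf
    "b7ce294613dd2c237a4a50548bfcd5c14d166107f2d2e965499bc78695300d5b",  # /etc/32676
    "2ed7facc81e029a5a8fab2820e18c5400ee180c379309ff3e1713cc6e9473b96",  # /etc/.walk (first write)
    "eff0865ccd00edcbd7488867c3a29d2bd667e8a0efaefe8c2ab86c2ec8b36be8",  # /etc/.walk (second write)
}

# Behaviour lifted from the process tree: the sample runs "/bin/sh -c /etc/<digits>&"
# and the dropped binary lives directly in /etc under an all-digit name.
NUMERIC_ETC_BINARY = re.compile(r"^/etc/\d+$")
SH_BACKGROUNDS_ETC_BINARY = re.compile(r"^/bin/sh -c (/etc/\d+)\s*&\s*$")
WALK_MARKER = "/etc/.walk"  # marker file written twice in the report
# Read by every Go binary at startup (runtime huge-page probe): weak signal only.
GO_RUNTIME_PROBE = "/sys/kernel/mm/transparent_hugepage/hpage_pmd_size"


@dataclass
class Event:
    kind: str        # "exec", "write" or "read"
    pid: int
    ppid: int
    path: str        # program path for exec, file path otherwise
    cmdline: str = ""
    sha256: str = ""


def hunt(events):
    """Return {pid: [reasons]}. Events are processed in pid order so a child
    can see whether its parent was already flagged; 'service crond start' is
    only a hit when launched by a flagged parent, so an admin typing it is not."""
    hits: dict[int, list[str]] = {}
    flagged: set[int] = set()

    def flag(pid, reason, severity="high"):
        hits.setdefault(pid, []).append(f"{severity}: {reason}")
        if severity == "high":
            flagged.add(pid)

    for ev in sorted(events, key=lambda e: e.pid):
        if ev.sha256 and ev.sha256.lower() in KNOWN_BAD_SHA256:
            flag(ev.pid, f"known-bad SHA256 for {ev.path}")
        if ev.kind == "exec":
            if NUMERIC_ETC_BINARY.match(ev.path):
                flag(ev.pid, f"numeric-named executable run from /etc: {ev.path}")
            m = SH_BACKGROUNDS_ETC_BINARY.match(ev.cmdline)
            if m:
                flag(ev.pid, f"sh backgrounds dropped binary {m.group(1)}")
            if ev.cmdline.startswith("service crond start") and ev.ppid in flagged:
                flag(ev.pid, "cron started by a flagged process (persistence setup)")
        elif ev.kind == "write":
            if ev.path == WALK_MARKER or NUMERIC_ETC_BINARY.match(ev.path):
                flag(ev.pid, f"file dropped into /etc: {ev.path}")
        elif ev.kind == "read" and ev.path == GO_RUNTIME_PROBE:
            flag(ev.pid, "Go runtime huge-page probe; not malicious on its own", "info")
    return hits


SAMPLE = "/tmp/628a4a3d5b1f134676431472700ee2240630e63e0732d3542f5c99163628f9b6.elf"
# Constructed events modelled on the report's process tree; pids are made up.
SAMPLE_EVENTS = [
    Event("exec", 100, 1, SAMPLE, SAMPLE, "628a4a3d5b1f134676431472700ee2240630e63e0732d3542f5c99163628f9b6"),
    Event("read", 100, 1, GO_RUNTIME_PROBE),
    Event("write", 100, 1, "/etc/.walk", sha256="2ed7facc81e029a5a8fab2820e18c5400ee180c379309ff3e1713cc6e9473b96"),
    Event("write", 100, 1, "/etc/32676", sha256="b7ce294613dd2c237a4a50548bfcd5c14d166107f2d2e965499bc78695300d5b"),
    Event("exec", 101, 100, "/bin/sh", "/bin/sh -c /etc/32676&"),
    Event("exec", 102, 101, "/etc/32676", "/etc/32676", "b7ce294613dd2c237a4a50548bfcd5c14d166107f2d2e965499bc78695300d5b"),
    Event("exec", 103, 102, "/usr/sbin/service", "service crond start"),
    Event("exec", 104, 103, "/usr/bin/systemctl", "systemctl list-unit-files --full --type=socket"),
    # constructed benign noise: an admin shell (pid 150, never flagged) does cron housekeeping
    Event("exec", 200, 150, "/usr/sbin/service", "service crond start"),
    Event("exec", 201, 150, "/bin/sh", "/bin/sh -c /etc/init.d/cron status"),
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS).items():
        print(pid, *reasons, sep="\n  ")
```

Two caveats are encoded in the rules. The hpage_pmd_size read is something the Go runtime does at startup in any Go program (Kaiji is written in Go), so it is kept at info level rather than treated as a Kaiji indicator. The `basename`, `systemctl list-unit-files --type=socket` and `sed` children in the tree are Debian's `service` wrapper doing its own unit lookup; the action worth alerting on is `service crond start` issued from a process that is already suspicious, which is why that rule requires a flagged parent.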