General

  • Target

    ce2944509d3936280343639c38ed5240f0a35c8d1dd63a00ce0eef1052325124.elf

  • Size

    1.9MB

  • Sample

    241103-ef5qlaxlbp

  • MD5

    e55a695d2530b3fb5c80256f6036de29

  • SHA1

    cbf9fb21338b161a6b5ab67425e8afbcf9bbcd93

  • SHA256

    ce2944509d3936280343639c38ed5240f0a35c8d1dd63a00ce0eef1052325124

  • SHA512

    a59fec7fe64abf676a4b40737eaf4b5824daf78c78324ef1e8b58114f81bbeda4edb281fab0582026dd8363314905d0259b20ac842f9016f4da8bf1dab0fc89d

  • SSDEEP

    49152:XXPVKrbvGOQLeS7rb/TCvO90d7HjmAFd4A64nsfJrkaani38B4B+g2vUqHOErz1:tPXZz

Malware Config

Extracted

Family

kaiji

C2

ss.us-tv.top:1930

Targets

    • Kaiji

      Kaiji payload

    • Kaiji family

    • Renames multiple (1040) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Executes dropped EXE

    • Modifies Watchdog functionality

      Malware such as Mirai modifies the watchdog to prevent it from restarting an infected system.

    • Abuse Elevation Control Mechanism: Sudo and Sudo Caching

      Abuse sudo or cached sudo credentials to execute code.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Creates/modifies environment variables

      Creating/modifying environment variables is a common persistence mechanism.

    • Disables SELinux

      Disables SELinux security module.

    • Enumerates running processes

      Discovers information about the processes currently running on the system.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Modifies systemd

      Adds/modifies systemd service files, likely to achieve persistence.

    • Write file to user bin folder

    • Modifies Bash startup script

MITRE ATT&CK Enterprise v15

Tasks