Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    debian-9_mipsel
  • resource
    debian9-mipsel-20240418-en
  • resource tags
    arch:mipsel
    image:debian9-mipsel-20240418-en
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mipsel
    system
  • submitted
    03-11-2024 13:38

General

  • Target

    628a4a3d5b1f134676431472700ee2240630e63e0732d3542f5c99163628f9b6.elf

  • Size

    2.2MB

  • MD5

    2e553ae934700ad207d20da88ada397d

  • SHA1

    83701c9fee81fbe26834a27993c1e683c1b100b5

  • SHA256

    628a4a3d5b1f134676431472700ee2240630e63e0732d3542f5c99163628f9b6

  • SHA512

    9d44c2aad90ee0a7bf203c01c190593f0c0f8316a277fc020b441e99234902106870e9df50a2001f0fb20cc349ecf1a27a2617c68424648d2ec1f121ee37523d

  • SSDEEP

    24576:kO+PuaNFZRml7/I1n0TOakVXFYd+lCQYWz1v:9eNkxd+lCWz1

Malware Config

Signatures

  • Kaiji 1 IoCs

    Kaiji payload

  • Kaiji family
  • Executes dropped EXE 5 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Command and Scripting Interpreter: Unix Shell 1 TTPs 2 IoCs

    Execute scripts via Unix Shell.

  • Enumerates kernel/hardware configuration 1 TTPs 13 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 31 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/628a4a3d5b1f134676431472700ee2240630e63e0732d3542f5c99163628f9b6.elf
    /tmp/628a4a3d5b1f134676431472700ee2240630e63e0732d3542f5c99163628f9b6.elf
    1⤵
    • Enumerates kernel/hardware configuration
    PID:714
    • /tmp/628a4a3d5b1f134676431472700ee2240630e63e0732d3542f5c99163628f9b6.elf
      /tmp/628a4a3d5b1f134676431472700ee2240630e63e0732d3542f5c99163628f9b6.elf " "
      2⤵
      • Enumerates kernel/hardware configuration
      PID:722
      • /bin/sh
        /bin/sh -c "/etc/32676&"
        3⤵
        • Command and Scripting Interpreter: Unix Shell
        PID:732
        • /etc/32676
          /etc/32676
          4⤵
          • Executes dropped EXE
          PID:734
          • /bin/sleep
            sleep 60
            5⤵
              PID:737
            • /etc/opt.services.cfg
              /etc/opt.services.cfg
              5⤵
              • Executes dropped EXE
              • Enumerates kernel/hardware configuration
              PID:860
              • /etc/opt.services.cfg
                /etc/opt.services.cfg " "
                6⤵
                • Executes dropped EXE
                • Enumerates kernel/hardware configuration
                PID:864
            • /bin/sleep
              sleep 60
              5⤵
                PID:865
              • /etc/opt.services.cfg
                /etc/opt.services.cfg
                5⤵
                • Executes dropped EXE
                • Enumerates kernel/hardware configuration
                PID:881
                • /etc/opt.services.cfg
                  /etc/opt.services.cfg " "
                  6⤵
                  • Executes dropped EXE
                  • Enumerates kernel/hardware configuration
                  PID:885
              • /bin/sleep
                sleep 60
                5⤵
                  PID:886
            • /usr/sbin/service
              service crond start
              3⤵
                PID:735
                • /usr/bin/basename
                  basename /usr/sbin/service
                  4⤵
                    PID:738
                  • /usr/bin/basename
                    basename /usr/sbin/service
                    4⤵
                      PID:740
                    • /bin/systemctl
                      systemctl --quiet is-active multi-user.target
                      4⤵
                      • Enumerates kernel/hardware configuration
                      • Reads runtime system information
                      PID:743
                    • /bin/systemctl
                      systemctl list-unit-files --full "--type=socket"
                      4⤵
                      • Enumerates kernel/hardware configuration
                      • Reads runtime system information
                      PID:747
                    • /bin/sed
                      sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
                      4⤵
                      • Reads runtime system information
                      PID:748
                  • /usr/local/sbin/systemctl
                    systemctl "--job-mode=ignore-dependencies" start crond.service
                    3⤵
                      PID:735
                    • /usr/local/bin/systemctl
                      systemctl "--job-mode=ignore-dependencies" start crond.service
                      3⤵
                        PID:735
                      • /usr/sbin/systemctl
                        systemctl "--job-mode=ignore-dependencies" start crond.service
                        3⤵
                          PID:735
                        • /usr/bin/systemctl
                          systemctl "--job-mode=ignore-dependencies" start crond.service
                          3⤵
                            PID:735
                          • /sbin/systemctl
                            systemctl "--job-mode=ignore-dependencies" start crond.service
                            3⤵
                              PID:735
                            • /bin/systemctl
                              systemctl "--job-mode=ignore-dependencies" start crond.service
                              3⤵
                              • Enumerates kernel/hardware configuration
                              • Reads runtime system information
                              PID:735
                            • /bin/sh
                              /bin/sh -c "echo \"*/1 * * * * root /.mod \" >> /etc/crontab"
                              3⤵
                              • Creates/modifies Cron job
                              • Command and Scripting Interpreter: Unix Shell
                              PID:751
                            • /usr/bin/renice
                              renice -20 722
                              3⤵
                                PID:756
                              • /bin/mount
                                mount -o bind /tmp/ /proc/722
                                3⤵
                                • Reads runtime system information
                                PID:757
                              • /usr/sbin/service
                                service cron start
                                3⤵
                                  PID:758
                                  • /usr/bin/basename
                                    basename /usr/sbin/service
                                    4⤵
                                      PID:759
                                    • /usr/bin/basename
                                      basename /usr/sbin/service
                                      4⤵
                                        PID:760
                                      • /bin/systemctl
                                        systemctl --quiet is-active multi-user.target
                                        4⤵
                                        • Enumerates kernel/hardware configuration
                                        • Reads runtime system information
                                        PID:761
                                      • /bin/sed
                                        sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
                                        4⤵
                                        • Reads runtime system information
                                        PID:764
                                      • /bin/systemctl
                                        systemctl list-unit-files --full "--type=socket"
                                        4⤵
                                        • Enumerates kernel/hardware configuration
                                        • Reads runtime system information
                                        PID:763
                                    • /usr/local/sbin/systemctl
                                      systemctl "--job-mode=ignore-dependencies" start cron.service
                                      3⤵
                                        PID:758
                                      • /usr/local/bin/systemctl
                                        systemctl "--job-mode=ignore-dependencies" start cron.service
                                        3⤵
                                          PID:758
                                        • /usr/sbin/systemctl
                                          systemctl "--job-mode=ignore-dependencies" start cron.service
                                          3⤵
                                            PID:758
                                          • /usr/bin/systemctl
                                            systemctl "--job-mode=ignore-dependencies" start cron.service
                                            3⤵
                                              PID:758
                                            • /sbin/systemctl
                                              systemctl "--job-mode=ignore-dependencies" start cron.service
                                              3⤵
                                                PID:758
                                              • /bin/systemctl
                                                systemctl "--job-mode=ignore-dependencies" start cron.service
                                                3⤵
                                                • Enumerates kernel/hardware configuration
                                                • Reads runtime system information
                                                PID:758
                                              • /bin/systemctl
                                                systemctl start crond.service
                                                3⤵
                                                • Enumerates kernel/hardware configuration
                                                • Reads runtime system information
                                                PID:765

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /.mod

    Filesize
    34B

    MD5
    f5a3713282e43c200f30342f5ff5e2ea

    SHA1
    2b2ce1a207e2b691a074c6f78f71c4785aae426a

    SHA256
    6ab64e727571458d4884fb2fe82c27c467db0699cb8f648b3f0217c35d2b7511

    SHA512
    5bcb8cd360409147a486755f90e0cdd97183af02ce8de5135b7c6a8a010deb9ef12dcd5ee9a2a8fd2e159347f68e72d6b7fd75e943b4fcd928d7a74b97476013

  • /etc/.walk

    Filesize
    90B

    MD5
    96f5f469ad0e1108eede96fa9f1c4794

    SHA1
    6a764218b4ce28f06892bf7efe7d3ffe21b2f77d

    SHA256
    f31bf9e8af9cd69e039f460c98339aa87d7ccb125b6a96a818431d6a5ee438a4

    SHA512
    64def3bcedecb894f954793f0fd5c1a217dac2f036c38a42d30234122763aa6c010bef1997243683f81a88d7ec08f08bb3a54ca28535b4bd580d128dca7a3988

  • /etc/32676

    Filesize
    61B

    MD5
    47684525bfdf26f49fd1cf742b17c015

    SHA1
    c4ab14ba22420ff9acadfc698a38d0cd99e9fbfa

    SHA256
    b7ce294613dd2c237a4a50548bfcd5c14d166107f2d2e965499bc78695300d5b

    SHA512
    948f9c519ae9afe1c821c5d58da2e584e50356dabef597ccd408853a9038560b9fb1c5894900e2725b48977ffd49d18a439436bb4946e2164ac9fcf2a8637621

  • /etc/opt.services.cfg

    Filesize
    2.2MB

    MD5
    2e553ae934700ad207d20da88ada397d

    SHA1
    83701c9fee81fbe26834a27993c1e683c1b100b5

    SHA256
    628a4a3d5b1f134676431472700ee2240630e63e0732d3542f5c99163628f9b6

    SHA512
    9d44c2aad90ee0a7bf203c01c190593f0c0f8316a277fc020b441e99234902106870e9df50a2001f0fb20cc349ecf1a27a2617c68424648d2ec1f121ee37523d

  • /etc/profile.d/gateway.sh

    Filesize
    969B

    MD5
    37b6ee30182cc160ca264b462b4c9c92

    SHA1
    f36aedf44dae78c30d1a6dba8f2c105888efd3a5

    SHA256
    32e48764684278116d72b924ad0fac11720d7ea39ea9e13ea87f0028971a5b9e

    SHA512
    3a5a8a686e9468a19b5a0973654d83ede07ae3543844697d434d8db512c74b72d7f39f7a86bd3c26b42f0115e7d837116139bbd03f55f0a9585dca0500ffad28

  • /usr/bin/include/find

    Filesize
    240KB

    MD5
    bb4edcad76062a76284c69f5fe4e50ea

    SHA1
    86055be4ce94fa3cffa9924e7b511e95df636606

    SHA256
    b7e25e128c130473f33c5135c78f591f35d7c4a7c5e1246c12eaa298db453474

    SHA512
    254acc62d2f83f5a4686adcf3fe6ad4697f392c288c5baa323830bb6f2466c303fd7bc9f237e98b2ca76bc3abb6b4c264e042be8c4291ae5cc21b2189d996521