Malware Analysis Report

2024-11-15 08:26

Sample ID 241104-s76zmavnbm
Target linux_mipsel.elf
SHA256 63e389a3d5251cbeaaab08d5d0cad2b49226eb0764652c64d3f663f7ad8a393f
Tags
kaiji defense_evasion discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

63e389a3d5251cbeaaab08d5d0cad2b49226eb0764652c64d3f663f7ad8a393f

Threat Level: Known bad

The file linux_mipsel.elf was found to be: Known bad.

Malicious Activity Summary

kaiji defense_evasion discovery persistence

Kaiji family

kaiji_chaosbot

Kaiji

Executes dropped EXE

Modifies Watchdog functionality

Enumerates running processes

Modifies init.d

Enumerates kernel/hardware configuration

Reads runtime system information

System Network Configuration Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 15:47

Signatures

Kaiji

Description Indicator Process Target
N/A N/A N/A N/A

Kaiji family

kaiji

kaiji_chaosbot

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 15:47

Reported

2024-11-04 15:50

Platform

debian12-mipsel-20240221-en

Max time kernel

14s

Max time network

23s

Command Line

[/tmp/linux_mipsel.elf]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /etc/32678 /etc/32678 N/A

Modifies Watchdog functionality

defense_evasion
Description Indicator Process Target
File opened for modification /dev/watchdog /tmp/linux_mipsel.elf N/A
File opened for modification /dev/misc/watchdog /tmp/linux_mipsel.elf N/A

Enumerates running processes

Modifies init.d

persistence
Description Indicator Process Target
File opened for modification /etc/init.d/linux_kill /tmp/linux_mipsel.elf N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /tmp/linux_mipsel.elf N/A
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /tmp/linux_mipsel.elf N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/397/stat /tmp/linux_mipsel.elf N/A
File opened for reading /proc/784/stat /tmp/linux_mipsel.elf N/A
File opened for reading /proc/202/stat /tmp/linux_mipsel.elf N/A
File opened for reading /proc/781/stat /tmp/linux_mipsel.elf N/A
File opened for reading /proc/354/stat /tmp/linux_mipsel.elf N/A
File opened for reading /proc/394/stat /tmp/linux_mipsel.elf N/A
File opened for reading /proc/697/stat /tmp/linux_mipsel.elf N/A
File opened for reading /proc/711/stat /tmp/linux_mipsel.elf N/A
File opened for reading /proc/717/stat /tmp/linux_mipsel.elf N/A
File opened for reading /proc/762/stat /tmp/linux_mipsel.elf N/A
File opened for reading /proc/766/stat /tmp/linux_mipsel.elf N/A
File opened for reading /proc/770/stat /tmp/linux_mipsel.elf N/A
File opened for reading /proc/filesystems /usr/bin/systemctl N/A
File opened for reading /proc/346/stat /tmp/linux_mipsel.elf N/A
File opened for reading /proc/380/stat /tmp/linux_mipsel.elf N/A
File opened for reading /proc/416/stat /tmp/linux_mipsel.elf N/A
File opened for reading /proc/679/stat /tmp/linux_mipsel.elf N/A
File opened for reading /proc/720/stat /tmp/linux_mipsel.elf N/A
File opened for reading /proc/783/stat /tmp/linux_mipsel.elf N/A
File opened for reading /proc/417/stat /tmp/linux_mipsel.elf N/A
File opened for reading /proc/449/stat /tmp/linux_mipsel.elf N/A
File opened for reading /proc/787/stat /tmp/linux_mipsel.elf N/A
File opened for reading /proc/381/stat /tmp/linux_mipsel.elf N/A
File opened for reading /proc/667/stat /tmp/linux_mipsel.elf N/A
File opened for reading /proc/714/stat /tmp/linux_mipsel.elf N/A
File opened for reading /proc/730/stat /tmp/linux_mipsel.elf N/A
File opened for reading /proc/760/stat /tmp/linux_mipsel.elf N/A
File opened for reading /proc/773/stat /tmp/linux_mipsel.elf N/A
File opened for reading /proc/filesystems /usr/bin/sed N/A
File opened for reading /proc/680/stat /tmp/linux_mipsel.elf N/A
File opened for reading /proc/698/stat /tmp/linux_mipsel.elf N/A
File opened for reading /proc/712/stat /tmp/linux_mipsel.elf N/A
File opened for reading /proc/748/stat /tmp/linux_mipsel.elf N/A
File opened for reading /proc/731/stat /tmp/linux_mipsel.elf N/A
File opened for reading /proc/759/stat /tmp/linux_mipsel.elf N/A
File opened for reading /proc/767/stat /tmp/linux_mipsel.elf N/A
File opened for reading /proc/768/stat /tmp/linux_mipsel.elf N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /tmp/linux_mipsel.elf N/A
N/A N/A /tmp/linux_mipsel.elf N/A

Processes

/tmp/linux_mipsel.elf

[/tmp/linux_mipsel.elf]

/usr/bin/sh

[sh -c /etc/32678&]

/usr/sbin/service

[service crond start]

/tmp/linux_mipsel.elf

[/tmp/linux_mipsel.elf ]

/etc/32678

[/etc/32678]

/usr/bin/basename

[basename /usr/sbin/service]

/usr/bin/sleep

[sleep 60]

/usr/bin/basename

[basename /usr/sbin/service]

/usr/bin/sed

[sed -ne s/\.socket\s*[a-z]*\s*$/.socket/p]

/usr/bin/systemctl

[systemctl list-unit-files --full --type=socket]

/usr/sbin/update-rc.d

[update-rc.d linux_kill defaults]

Network

Country Destination Domain Proto
US 1.1.1.1:53 www.google.com udp
US 1.1.1.1:53 www.google.com udp
US 1.1.1.1:53 78789.dns.army udp
US 1.1.1.1:53 78789.dns.army udp

Files

/etc/32678

MD5 768eaf287796da19e1cf5e0b2fb1b161
SHA1 6a1ce2ee5ccc86d1f33806feb14547b35290df2a
SHA256 1d22620dfb2a6715e5d745aed5cf841ede0e75e1747f12b9b925a2d346bc7ecb
SHA512 e6af30c9df4f7f47696069511e64ecbc8e841629d692ee4056503df3533fb7a7a74960698826260355e1dba7b6c562482a27a39bb51a4237473ce4b68472d620

/etc/init.d/linux_kill

MD5 3909975f7cc0d1121c1819b800069f31
SHA1 3e68de708c2e6c40fab6794afdee3104e5590189
SHA256 6876dac71f13a068afb863d257134275f2edba43b2acaf4924fabf97c079070b
SHA512 50600cceeb03b05f45ae61d890caee9f51ff390b6776930866e527e071d65d08241fc66673fd9b99d62fbc77d3c00fc3de4d7378cbc42f5daba5d83072b0906e