Analysis Overview
SHA256
63e389a3d5251cbeaaab08d5d0cad2b49226eb0764652c64d3f663f7ad8a393f
Threat Level: Known bad
The file linux_mipsel.elf was found to be: Known bad.
Malicious Activity Summary
Kaiji family
kaiji_chaosbot
Kaiji
Executes dropped EXE
Modifies Watchdog functionality
Enumerates running processes
Modifies init.d
Enumerates kernel/hardware configuration
Reads runtime system information
System Network Configuration Discovery
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-04 15:47
Signatures
Kaiji
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Kaiji family
kaiji_chaosbot
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 15:47
Reported
2024-11-04 15:50
Platform
debian12-mipsel-20240221-en
Max time kernel
14s
Max time network
23s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /etc/32678 | /etc/32678 | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
| File opened for modification | /dev/watchdog | /tmp/linux_mipsel.elf | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/linux_mipsel.elf | N/A |
Enumerates running processes
Modifies init.d
| Description | Indicator | Process | Target |
| File opened for modification | /etc/init.d/linux_kill | /tmp/linux_mipsel.elf | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /tmp/linux_mipsel.elf | N/A |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /tmp/linux_mipsel.elf | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/397/stat | /tmp/linux_mipsel.elf | N/A |
| File opened for reading | /proc/784/stat | /tmp/linux_mipsel.elf | N/A |
| File opened for reading | /proc/202/stat | /tmp/linux_mipsel.elf | N/A |
| File opened for reading | /proc/781/stat | /tmp/linux_mipsel.elf | N/A |
| File opened for reading | /proc/354/stat | /tmp/linux_mipsel.elf | N/A |
| File opened for reading | /proc/394/stat | /tmp/linux_mipsel.elf | N/A |
| File opened for reading | /proc/697/stat | /tmp/linux_mipsel.elf | N/A |
| File opened for reading | /proc/711/stat | /tmp/linux_mipsel.elf | N/A |
| File opened for reading | /proc/717/stat | /tmp/linux_mipsel.elf | N/A |
| File opened for reading | /proc/762/stat | /tmp/linux_mipsel.elf | N/A |
| File opened for reading | /proc/766/stat | /tmp/linux_mipsel.elf | N/A |
| File opened for reading | /proc/770/stat | /tmp/linux_mipsel.elf | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/systemctl | N/A |
| File opened for reading | /proc/346/stat | /tmp/linux_mipsel.elf | N/A |
| File opened for reading | /proc/380/stat | /tmp/linux_mipsel.elf | N/A |
| File opened for reading | /proc/416/stat | /tmp/linux_mipsel.elf | N/A |
| File opened for reading | /proc/679/stat | /tmp/linux_mipsel.elf | N/A |
| File opened for reading | /proc/720/stat | /tmp/linux_mipsel.elf | N/A |
| File opened for reading | /proc/783/stat | /tmp/linux_mipsel.elf | N/A |
| File opened for reading | /proc/417/stat | /tmp/linux_mipsel.elf | N/A |
| File opened for reading | /proc/449/stat | /tmp/linux_mipsel.elf | N/A |
| File opened for reading | /proc/787/stat | /tmp/linux_mipsel.elf | N/A |
| File opened for reading | /proc/381/stat | /tmp/linux_mipsel.elf | N/A |
| File opened for reading | /proc/667/stat | /tmp/linux_mipsel.elf | N/A |
| File opened for reading | /proc/714/stat | /tmp/linux_mipsel.elf | N/A |
| File opened for reading | /proc/730/stat | /tmp/linux_mipsel.elf | N/A |
| File opened for reading | /proc/760/stat | /tmp/linux_mipsel.elf | N/A |
| File opened for reading | /proc/773/stat | /tmp/linux_mipsel.elf | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/sed | N/A |
| File opened for reading | /proc/680/stat | /tmp/linux_mipsel.elf | N/A |
| File opened for reading | /proc/698/stat | /tmp/linux_mipsel.elf | N/A |
| File opened for reading | /proc/712/stat | /tmp/linux_mipsel.elf | N/A |
| File opened for reading | /proc/748/stat | /tmp/linux_mipsel.elf | N/A |
| File opened for reading | /proc/731/stat | /tmp/linux_mipsel.elf | N/A |
| File opened for reading | /proc/759/stat | /tmp/linux_mipsel.elf | N/A |
| File opened for reading | /proc/767/stat | /tmp/linux_mipsel.elf | N/A |
| File opened for reading | /proc/768/stat | /tmp/linux_mipsel.elf | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /tmp/linux_mipsel.elf | N/A |
| N/A | N/A | /tmp/linux_mipsel.elf | N/A |
Processes
| Process | Command line |
| /tmp/linux_mipsel.elf | /tmp/linux_mipsel.elf |
| /usr/bin/sh | sh -c /etc/32678& |
| /usr/sbin/service | service crond start |
| /tmp/linux_mipsel.elf | /tmp/linux_mipsel.elf |
| /etc/32678 | /etc/32678 |
| /usr/bin/basename | basename /usr/sbin/service |
| /usr/bin/sleep | sleep 60 |
| /usr/bin/basename | basename /usr/sbin/service |
| /usr/bin/sed | sed -ne s/\.socket\s*[a-z]*\s*$/.socket/p |
| /usr/bin/systemctl | systemctl list-unit-files --full --type=socket |
| /usr/sbin/update-rc.d | update-rc.d linux_kill defaults |
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | www.google.com | udp |
| US | 1.1.1.1:53 | www.google.com | udp |
| US | 1.1.1.1:53 | 78789.dns.army | udp |
| US | 1.1.1.1:53 | 78789.dns.army | udp |
Files
/etc/32678
| MD5 | 768eaf287796da19e1cf5e0b2fb1b161 |
| SHA1 | 6a1ce2ee5ccc86d1f33806feb14547b35290df2a |
| SHA256 | 1d22620dfb2a6715e5d745aed5cf841ede0e75e1747f12b9b925a2d346bc7ecb |
| SHA512 | e6af30c9df4f7f47696069511e64ecbc8e841629d692ee4056503df3533fb7a7a74960698826260355e1dba7b6c562482a27a39bb51a4237473ce4b68472d620 |
/etc/init.d/linux_kill
| MD5 | 3909975f7cc0d1121c1819b800069f31 |
| SHA1 | 3e68de708c2e6c40fab6794afdee3104e5590189 |
| SHA256 | 6876dac71f13a068afb863d257134275f2edba43b2acaf4924fabf97c079070b |
| SHA512 | 50600cceeb03b05f45ae61d890caee9f51ff390b6776930866e527e071d65d08241fc66673fd9b99d62fbc77d3c00fc3de4d7378cbc42f5daba5d83072b0906e |
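The signatures, process list, network and file tables above together describe one persistence chain: the sample writes /etc/32678 and runs it in the background through sh, drops /etc/init.d/linux_kill and registers it with update-rc.d, opens the watchdog device, and resolves 78789.dns.army. The host-triage script below turns those observations into checks a responder can run on a suspect device or on a pulled rootfs. It is an added example, not part of the sandbox report and not the malware's own code; it assumes a POSIX sh with sha256sum (busybox is enough), that TRIAGE_ROOT is either / on a live host or the mount point of an offline image, and it takes its hashes, paths and domain verbatim from the sections above. The resolver log format used in the usage example is a constructed dnsmasq-style line, not something the report contains.

```shell
#!/bin/sh
# Added host-triage example for the indicators in this report; not the sandbox's
# or the malware's code. Assumes POSIX sh (busybox is enough) and sha256sum.
# TRIAGE_ROOT is "/" on a live host, or the mount point of a pulled rootfs image.

# SHA256 values from the Analysis Overview and Files sections of the report.
IOC_SHA256="63e389a3d5251cbeaaab08d5d0cad2b49226eb0764652c64d3f663f7ad8a393f
1d22620dfb2a6715e5d745aed5cf841ede0e75e1747f12b9b925a2d346bc7ecb
6876dac71f13a068afb863d257134275f2edba43b2acaf4924fabf97c079070b"

# Paths the sample dropped, executed or modified (relative to the root), from
# the "Executes dropped EXE" and "Modifies init.d" signatures.
IOC_PATHS="etc/32678
etc/init.d/linux_kill"

# Domain resolved during detonation (Network section). www.google.com is left
# out because it also appears in benign traffic as a connectivity check.
IOC_DOMAINS="78789.dns.army"

# ioc_hash_known HEX -> 0 if HEX is one of the report's SHA256 values.
ioc_hash_known() {
    printf '%s\n' "$IOC_SHA256" | grep -qix "$1"
}

# sha256_of FILE -> hex digest; falls back to openssl where sha256sum is absent.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# hash_match FILE -> prints the matching SHA256 and returns 0, else returns 1.
hash_match() {
    [ -f "$1" ] || return 1
    h=$(sha256_of "$1")
    ioc_hash_known "$h" || return 1
    printf '%s\n' "$h"
}

# check_paths ROOT -> prints each IOC path present under ROOT; 0 if any found.
check_paths() {
    root=${1:-/}
    found=1
    for p in $IOC_PATHS; do
        if [ -e "$root/$p" ]; then
            printf 'present: /%s\n' "$p"
            found=0
        fi
    done
    return $found
}

# check_rc_links ROOT -> lists the rc*.d links that "update-rc.d linux_kill
# defaults" creates for the dropped init script; 0 if any exist.
check_rc_links() {
    root=${1:-/}
    n=0
    for l in "$root"/etc/rc*.d/*linux_kill; do
        [ -L "$l" ] || [ -e "$l" ] || continue
        printf 'rc link: %s\n' "${l#"$root"}"
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]
}

# check_watchdog ROOT -> walks procfs fd tables (no lsof needed on embedded
# targets) and prints any process holding the watchdog device open, the access
# the "Modifies Watchdog functionality" signature records for the sample.
check_watchdog() {
    root=${1:-/}
    for fd in "$root"/proc/[0-9]*/fd/*; do
        case $(readlink "$fd" 2>/dev/null) in
            /dev/watchdog|/dev/misc/watchdog)
                pid=${fd#"$root"/proc/}
                pid=${pid%%/*}
                cmd=$(tr '\0' ' ' < "$root/proc/$pid/cmdline" 2>/dev/null | sed 's/ $//')
                printf 'watchdog held by pid %s: %s\n' "$pid" "$cmd"
                ;;
        esac
    done
}

# check_dns_log LOGFILE -> prints resolver log lines that mention an IOC domain.
check_dns_log() {
    for d in $IOC_DOMAINS; do
        grep -F "$d" "$1"
    done
}

# Stand-alone run: scan TRIAGE_ROOT and print every finding.
if [ -n "$TRIAGE_ROOT" ]; then
    check_paths "$TRIAGE_ROOT"
    check_rc_links "$TRIAGE_ROOT"
    check_watchdog "$TRIAGE_ROOT"
    for p in $IOC_PATHS; do
        hash_match "$TRIAGE_ROOT/$p" && echo "  hash matches report: /$p"
    done
fi
```

Run it as `TRIAGE_ROOT=/ sh kaiji_triage.sh` on the device, or `TRIAGE_ROOT=/mnt/rootfs sh kaiji_triage.sh` against a mounted image; the procfs walk only yields results on a live host. Two caveats: the hashes identify this exact build, so treat the path and rc-link checks as the primary signal and a hash match as confirmation, and on a systemd host `update-rc.d ... defaults` may leave no rc*.d links at all because systemd-sysv-generator picks up the init script directly (the sandbox's own process list shows the service wrapper calling systemctl), so also look for a generated linux_kill unit where systemctl is available.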