Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240729-en
  • resource tags

    arch:mips
    image:debian9-mipsbe-20240729-en
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mips
    system
  • submitted
    24/02/2025, 12:12

General

  • Target

    b22e1d8a5e844ba5c022214236d79149cfd31bba16505689b980613ea6e211ad.elf

  • Size

    5.6MB

  • MD5

    01fa4eba1eea6b33d1da3656a3867a8e

  • SHA1

    d3cf7247e42670b1aaa12719386bb682beff71fd

  • SHA256

    b22e1d8a5e844ba5c022214236d79149cfd31bba16505689b980613ea6e211ad

  • SHA512

    16fb77636eb901d49883dbc5101aa7e2e4ed40fb0862518b55c2e617181e19558c96291522a532fada3d988964f355d109d0631ae421548acd3d2eca9ba01019

  • SSDEEP

    49152:XW2ikDKMeT6zSjTmB+dGpawj/mNGZWtaan757Hhu/BQ37gMKUF+LEMpWXDDwG7bK:GT+L6zdDk

Malware Config

Signatures

  • Kaiji 1 IoCs

    Kaiji payload

  • Kaiji family
  • Executes dropped EXE 5 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Command and Scripting Interpreter: Unix Shell 1 TTPs 2 IoCs

    Execute scripts via Unix Shell.

  • Enumerates kernel/hardware configuration 1 TTPs 37 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/b22e1d8a5e844ba5c022214236d79149cfd31bba16505689b980613ea6e211ad.elf
    /tmp/b22e1d8a5e844ba5c022214236d79149cfd31bba16505689b980613ea6e211ad.elf
    1⤵
    • Enumerates kernel/hardware configuration
    PID:726
    • /tmp/b22e1d8a5e844ba5c022214236d79149cfd31bba16505689b980613ea6e211ad.elf
      /tmp/b22e1d8a5e844ba5c022214236d79149cfd31bba16505689b980613ea6e211ad.elf " "
      2⤵
      • Enumerates kernel/hardware configuration
      PID:731
      • /bin/sh
        /bin/sh -c "/etc/32675&"
        3⤵
        • Executes dropped EXE
        • Command and Scripting Interpreter: Unix Shell
        PID:740
      • /usr/sbin/service
        service crond start
        3⤵
        PID:743
        • /usr/bin/basename
          basename /usr/sbin/service
          4⤵
          PID:744
        • /usr/bin/basename
          basename /usr/sbin/service
          4⤵
          PID:747
        • /bin/systemctl
          systemctl --quiet is-active multi-user.target
          4⤵
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:748
        • /bin/systemctl
          systemctl list-unit-files --full "--type=socket"
          4⤵
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:751
        • /bin/sed
          sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
          4⤵
          PID:752
        • /bin/systemctl
          systemctl -p Triggers show dbus.socket
          4⤵
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:755
        • /bin/systemctl
          systemctl -p Triggers show ssh.socket
          4⤵
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:757
        • /bin/systemctl
          systemctl -p Triggers show syslog.socket
          4⤵
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:758
        • /bin/systemctl
          systemctl -p Triggers show systemd-fsckd.socket
          4⤵
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:760
        • /bin/systemctl
          systemctl -p Triggers show systemd-initctl.socket
          4⤵
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:761
        • /bin/systemctl
          systemctl -p Triggers show systemd-journald-audit.socket
          4⤵
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:762
        • /bin/systemctl
          systemctl -p Triggers show systemd-journald-dev-log.socket
          4⤵
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:763
        • /bin/systemctl
          systemctl -p Triggers show systemd-journald.socket
          4⤵
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:764
        • /bin/systemctl
          systemctl -p Triggers show systemd-networkd.socket
          4⤵
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:765
        • /bin/systemctl
          systemctl -p Triggers show systemd-rfkill.socket
          4⤵
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:766
        • /bin/systemctl
          systemctl -p Triggers show systemd-udevd-control.socket
          4⤵
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:767
        • /bin/systemctl
          systemctl -p Triggers show systemd-udevd-kernel.socket
          4⤵
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:768
      • /usr/local/sbin/systemctl
        systemctl start crond.service
        3⤵
        PID:743
      • /usr/local/bin/systemctl
        systemctl start crond.service
        3⤵
        PID:743
      • /usr/sbin/systemctl
        systemctl start crond.service
        3⤵
        PID:743
      • /usr/bin/systemctl
        systemctl start crond.service
        3⤵
        PID:743
      • /sbin/systemctl
        systemctl start crond.service
        3⤵
        PID:743
      • /bin/systemctl
        systemctl start crond.service
        3⤵
        • Enumerates kernel/hardware configuration
        • Reads runtime system information
        PID:743
      • /bin/sh
        /bin/sh -c "echo \"*/1 * * * * root /.mod \" >> /etc/crontab"
        3⤵
        • Creates/modifies Cron job
        • Command and Scripting Interpreter: Unix Shell
        PID:769
      • /usr/bin/renice
        renice -20 731
        3⤵
        PID:770
      • /bin/mount
        mount -o bind /tmp/ /proc/731
        3⤵
        • Reads runtime system information
        PID:771
      • /usr/sbin/service
        service cron start
        3⤵
        PID:772
        • /usr/bin/basename
          basename /usr/sbin/service
          4⤵
          PID:773
        • /usr/bin/basename
          basename /usr/sbin/service
          4⤵
          PID:774
        • /bin/systemctl
          systemctl --quiet is-active multi-user.target
          4⤵
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:775
        • /bin/systemctl
          systemctl list-unit-files --full "--type=socket"
          4⤵
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:777
        • /bin/sed
          sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
          4⤵
          PID:778
        • /bin/systemctl
          systemctl -p Triggers show dbus.socket
          4⤵
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:782
        • /bin/systemctl
          systemctl -p Triggers show ssh.socket
          4⤵
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:784
        • /bin/systemctl
          systemctl -p Triggers show syslog.socket
          4⤵
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:786
        • /bin/systemctl
          systemctl -p Triggers show systemd-fsckd.socket
          4⤵
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:788
        • /bin/systemctl
          systemctl -p Triggers show systemd-initctl.socket
          4⤵
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:790
        • /bin/systemctl
          systemctl -p Triggers show systemd-journald-audit.socket
          4⤵
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:792
        • /bin/systemctl
          systemctl -p Triggers show systemd-journald-dev-log.socket
          4⤵
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:794
        • /bin/systemctl
          systemctl -p Triggers show systemd-journald.socket
          4⤵
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:796
        • /bin/systemctl
          systemctl -p Triggers show systemd-networkd.socket
          4⤵
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:798
        • /bin/systemctl
          systemctl -p Triggers show systemd-rfkill.socket
          4⤵
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:800
        • /bin/systemctl
          systemctl -p Triggers show systemd-udevd-control.socket
          4⤵
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:803
        • /bin/systemctl
          systemctl -p Triggers show systemd-udevd-kernel.socket
          4⤵
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:804
      • /usr/local/sbin/systemctl
        systemctl start cron.service
        3⤵
        PID:772
      • /usr/local/bin/systemctl
        systemctl start cron.service
        3⤵
        PID:772
      • /usr/sbin/systemctl
        systemctl start cron.service
        3⤵
        PID:772
      • /usr/bin/systemctl
        systemctl start cron.service
        3⤵
        PID:772
      • /sbin/systemctl
        systemctl start cron.service
        3⤵
        PID:772
      • /bin/systemctl
        systemctl start cron.service
        3⤵
        • Enumerates kernel/hardware configuration
        • Reads runtime system information
        PID:772
      • /bin/systemctl
        systemctl start crond.service
        3⤵
        • Enumerates kernel/hardware configuration
        PID:807
  • /etc/32675
    /etc/32675
    1⤵
    • Executes dropped EXE
    PID:742
    • /bin/sleep
      sleep 60
      2⤵
      PID:745
    • /etc/opt.services.cfg
      /etc/opt.services.cfg
      2⤵
      • Executes dropped EXE
      • Enumerates kernel/hardware configuration
      PID:893
      • /etc/opt.services.cfg
        /etc/opt.services.cfg " "
        3⤵
        • Enumerates kernel/hardware configuration
        PID:897
    • /bin/sleep
      sleep 60
      2⤵
      PID:898
    • /etc/opt.services.cfg
      /etc/opt.services.cfg
      2⤵
      • Executes dropped EXE
      • Enumerates kernel/hardware configuration
      PID:913
      • /etc/opt.services.cfg
        /etc/opt.services.cfg " "
        3⤵
        • Enumerates kernel/hardware configuration
        PID:917
    • /bin/sleep
      sleep 60
      2⤵
      PID:918

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /.mod

    Filesize

    34B

    MD5

    f5a3713282e43c200f30342f5ff5e2ea

    SHA1

    2b2ce1a207e2b691a074c6f78f71c4785aae426a

    SHA256

    6ab64e727571458d4884fb2fe82c27c467db0699cb8f648b3f0217c35d2b7511

    SHA512

    5bcb8cd360409147a486755f90e0cdd97183af02ce8de5135b7c6a8a010deb9ef12dcd5ee9a2a8fd2e159347f68e72d6b7fd75e943b4fcd928d7a74b97476013

  • /etc/.walk

    Filesize

    41B

    MD5

    56e375b5d214c31b76474d9a4877dabf

    SHA1

    c8eef6e4d0d77a6ea96c3616dfee1e089b4dfeed

    SHA256

    c622989ab3f594727052dc39d0344dea0bf89ccbe19105f925e9f8cb7b1815a6

    SHA512

    a88e85081c77b1536718bfba874c71f021351810a5cba23f85c5b25c300d23a5272d4b9c56bbd03ff8d1ef360648b2169fa4c02bb68ca6a0ab56573dc631046b

  • /etc/.walk

    Filesize

    90B

    MD5

    0bd463afa5fd614b154071a516ae07cb

    SHA1

    8dff9bad1da0110609825a686ca19be3bf0a5730

    SHA256

    3b8789f28984b4f83a31f2e026ed2ce2edbeb68e75d37c7fd372ab20cf8d2f80

    SHA512

    10f6f9676e55d998c463103a724ad26040e3bf208b589fcaf280ef45b55cb426b7d7bb276fc58c874fa7ebb9b100a9068c9f116a974813915be7af91f3db4ee0

  • /etc/32675

    Filesize

    61B

    MD5

    47684525bfdf26f49fd1cf742b17c015

    SHA1

    c4ab14ba22420ff9acadfc698a38d0cd99e9fbfa

    SHA256

    b7ce294613dd2c237a4a50548bfcd5c14d166107f2d2e965499bc78695300d5b

    SHA512

    948f9c519ae9afe1c821c5d58da2e584e50356dabef597ccd408853a9038560b9fb1c5894900e2725b48977ffd49d18a439436bb4946e2164ac9fcf2a8637621

  • /etc/opt.services.cfg

    Filesize

    5.6MB

    MD5

    01fa4eba1eea6b33d1da3656a3867a8e

    SHA1

    d3cf7247e42670b1aaa12719386bb682beff71fd

    SHA256

    b22e1d8a5e844ba5c022214236d79149cfd31bba16505689b980613ea6e211ad

    SHA512

    16fb77636eb901d49883dbc5101aa7e2e4ed40fb0862518b55c2e617181e19558c96291522a532fada3d988964f355d109d0631ae421548acd3d2eca9ba01019

  • /etc/profile.d/gateway.sh

    Filesize

    969B

    MD5

    0d099f3344d4c1d8b3407f1f2d8b8039

    SHA1

    b018379d7435eb7bdaefabbb796544f9f5e5394e

    SHA256

    2a9b7a256993fecb25d89d8905c15e1e8aad2be9069fd0de701dfd286c8f7c7a

    SHA512

    508ca915bfda3148cfe3e6291877ae8c9bdd5ab5979ab220880613ab69f8014fd12fbcf54d61669a965d868b1760ce6b96423f1d3f320c104a169f2a19f7ee7c

  • /lib/system-mark

    Filesize

    4.8MB

    MD5

    51d0b453d5d4a311ccc4da14ddb95257

    SHA1

    d1bae13ad096d39cecc3bc16be8b46fca090fd7c

    SHA256

    f88df32167599e9137681e33ce326f9cfd08b4fbdbff5fe21fffc65220ad78b3

    SHA512

    032e1a8ee86974cc281b38c9f56146b8297e65ce13c2f883959cbac7baea9342bff027f060b24d852a640537b325744ea789395dde4a63b19146b64d485541c6

  • /usr/bin/include/find

    Filesize

    240KB

    MD5

    97b5c6c1b307114efc38193175a343c3

    SHA1

    24015d4f95c6878ea5027c134eddebb7126b610f

    SHA256

    b1a89f313023b476fc826d8fac689679504e61ae8e650681fb966e810ed34970

    SHA512

    e5359f3e082f54f5cfd7afa7771d8724d161d48d09372f203bdca222a47a63919fdfb76b6db7fb8ff61e92f8fd04fdec962e94331ff12705cf53ce5e23d33180