kaiji | efdc414232bc0a035bb6980c8bd5034096d57e07b1a914845eac55ff6ca44792 | Triage

Resubmissions

26/02/2025, 17:17

250226-vtnbgawzex 10

23/02/2025, 03:06

250223-dlrkgsvpg1 10

Sharing

General

Target

efdc414232bc0a035bb6980c8bd5034096d57e07b1a914845eac55ff6ca44792.elf
Size

5.0MB
Sample

250226-vtnbgawzex
MD5

cdff4380cd03068d5d82f3b0d1a1261b
SHA1

a5d69b6d3b6877d71fbf1fdc652410a5dfa61e27
SHA256

efdc414232bc0a035bb6980c8bd5034096d57e07b1a914845eac55ff6ca44792
SHA512

a9db69bba97ed167e450bfbfbc2cf7375770a6018c5fb3ec7348fc04cf5479a08654d0478322f9b89d23ded8220c358aa551fc3c37e657a4df678d069cc74347
SSDEEP

49152:aIJ8Ou+wh2zUVtN9vEaBPC3uIdlLloDH8QEpuGr6KpZd1I1J:ayxyl/N9vROqcK

Score

10^/10

kaiji defense_evasion discovery execution linux persistence privilege_escalation ransomware rootkit

Malware Config

Extracted

Family

kaiji

C2

196.251.85.22:50000

Targets

- Target
  
  efdc414232bc0a035bb6980c8bd5034096d57e07b1a914845eac55ff6ca44792.elf
- Size
  
  5.0MB
- MD5
  
  cdff4380cd03068d5d82f3b0d1a1261b
- SHA1
  
  a5d69b6d3b6877d71fbf1fdc652410a5dfa61e27
- SHA256
  
  efdc414232bc0a035bb6980c8bd5034096d57e07b1a914845eac55ff6ca44792
- SHA512
  
  a9db69bba97ed167e450bfbfbc2cf7375770a6018c5fb3ec7348fc04cf5479a08654d0478322f9b89d23ded8220c358aa551fc3c37e657a4df678d069cc74347
- SSDEEP
  
  49152:aIJ8Ou+wh2zUVtN9vEaBPC3uIdlLloDH8QEpuGr6KpZd1I1J:ayxyl/N9vROqcK
Score

10^/10

kaiji defense_evasion discovery execution persistence privilege_escalation ransomware rootkit
- Kaiji
  Kaiji payload
- Kaiji family
  kaiji
- Renames multiple (1040) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Executes dropped EXE
- Loads a kernel module
  Loads a Linux kernel module, potentially to achieve persistence
  rootkit
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  Abuse sudo or cached sudo credentials to execute code.
  privilege_escalation defense_evasion
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  execution persistence privilege_escalation
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Cron

Persistence

Scheduled Task/Job

Cron

Privilege Escalation

Abuse Elevation Control Mechanism

Sudo and Sudo Caching

Scheduled Task/Job

Cron

Defense Evasion

Abuse Elevation Control Mechanism

Sudo and Sudo Caching

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

kaijidefense_evasiondiscoveryexecutionpersistenceprivilege_escalationransomwarerootkit