General
-
Target
linux_arm5.elf
-
Size
5.1MB
-
Sample
250320-zzh16ayvay
-
MD5
e97e9063529c43795bb5e816fd367c53
-
SHA1
278d6c04e37a55c7f048848341fde88da1a6181c
-
SHA256
6588734a6825d6edc3ec28c541c6c48aa3a22de60fbdb383672ecd06243f19c1
-
SHA512
c63cd03465bb5635bc60ed005126127f65f2b178bff0b1fad593eff6ddb2caf9ca4a0ae781fa67cd13006277ecd18b0f5142cfc767c2f81382591877b3b09a3e
-
SSDEEP
49152:QtKY0CdO+kBRx0Tg0qTecEG7meYuhq+lYfQMcU1F1:OKY3U+qRxQ3qKWM
Malware Config
Extracted
kaiji
156.225.31.175:808
Targets
-
-
Target
linux_arm5.elf
-
Size
5.1MB
-
MD5
e97e9063529c43795bb5e816fd367c53
-
SHA1
278d6c04e37a55c7f048848341fde88da1a6181c
-
SHA256
6588734a6825d6edc3ec28c541c6c48aa3a22de60fbdb383672ecd06243f19c1
-
SHA512
c63cd03465bb5635bc60ed005126127f65f2b178bff0b1fad593eff6ddb2caf9ca4a0ae781fa67cd13006277ecd18b0f5142cfc767c2f81382591877b3b09a3e
-
SSDEEP
49152:QtKY0CdO+kBRx0Tg0qTecEG7meYuhq+lYfQMcU1F1:OKY3U+qRxQ3qKWM
Score9/10-
Renames multiple (1004) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE
-
Modifies Watchdog functionality
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
-
Creates/modifies Cron job
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Creates/modifies environment variables
Creating/modifying environment variables is a common persistence mechanism.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Modifies init.d
Adds/modifies system service, likely for persistence.
-
Modifies systemd
Adds/ modifies systemd service files. Likely to achieve persistence.
-
Write file to user bin folder
-
Modifies Bash startup script
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3XDG Autostart Entries
1Boot or Logon Initialization Scripts
1RC Scripts
1Create or Modify System Process
1Systemd Service
1Event Triggered Execution
1Unix Shell Configuration Modification
1Hijack Execution Flow
1Path Interception by PATH Environment Variable
1Scheduled Task/Job
1Cron
1Privilege Escalation
Boot or Logon Autostart Execution
3XDG Autostart Entries
1Boot or Logon Initialization Scripts
1RC Scripts
1Create or Modify System Process
1Systemd Service
1Event Triggered Execution
1Unix Shell Configuration Modification
1Hijack Execution Flow
1Path Interception by PATH Environment Variable
1Scheduled Task/Job
1Cron
1