General
Target: linux_amd64.elf
Size: 5.2MB
Sample: 250321-mbzb1szqx5
MD5: a7b189688ee7fb703c4885af25bb4702
SHA1: 0dd7bb7f5483d7919646189a9dbdc0a1dcfe1d8d
SHA256: a066a4516cda5a762adbcd98681d94c3a86451f92c705e8e0ae4a863984b21de
SHA512: a5c0a16588b5806fe05e8213f8a7cc98fd02cffed04591e9fd53fbb934c2958fff16fc1a877c383abd6567b939e92dabbc09c47462981a20545221a597f4a5a9
SSDEEP: 49152:7Xa6xzZWhrb/T4vO90dL3BmAFd4A64nsfJPJ6TdXnT9aqeJaz2xNkapDnYRQoj1q:b2ONLBzSxtSTcElHz
Behavioral task
behavioral1
Sample: linux_amd64.elf
Resource: ubuntu2004-amd64-20241127-en

Malware Config
Extracted
Family: kaiji
C2: 156.225.31.175:808
Targets
Target: linux_amd64.elf
Renames multiple (1156) files with added filename extension
  Heuristic for ransomware-style encryption of files on the system. Kaiji is a Go-based Linux DDoS botnet, so check which files were renamed before treating this as confirmed encryption.
Executes dropped EXE
Modifies Watchdog functionality
  Malware such as Mirai modifies the watchdog to prevent it from restarting an infected system.
Reads EFI boot settings
  Reads EFI variables from the efivars filesystem, which may contain security secrets or sensitive data.
Creates/modifies Cron job
  Cron runs tasks on a schedule and is commonly used for malware persistence.
Creates/modifies environment variables
  Persistent changes to environment variables, such as prepending a directory to PATH in a shell startup file, are a common persistence and execution-hijacking mechanism.
Enumerates running processes
  Discovers information about the processes currently running on the system.
Modifies systemd
  Adds or modifies systemd service files, most likely to achieve persistence.
Write file to user bin folder
Modifies Bash startup script
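The script below is an added host-triage example; it is not part of the sandbox report and is not code from the Kaiji malware. It turns the indicators above (the sample SHA256 and the extracted C2 endpoint from the General and Malware Config sections, plus the cron, systemd, Bash startup script and user bin signatures) into checks over a filesystem root. Assumptions: a Debian/Ubuntu directory layout, the heuristic that a cron job, unit file or PATH entry pointing into /tmp, /var/tmp, /dev/shm or a home directory is worth flagging, and a constructed fixture image (build_fixture) standing in for an infected disk. The fixture's ELF stand-in does not carry the real sample's digest, so the hash check is exercised against the fixture's own hash.

```python
"""Host triage for the indicators in the report above (added example; not part of
the sandbox report or of the Kaiji malware).  Given a filesystem root (a mounted
image, or "/" on a live host) it reports files matching the sample SHA256, files
embedding the extracted C2, and the on-disk persistence the signatures describe.
Directory lists assume a Debian/Ubuntu layout (an assumption)."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

SAMPLE_SHA256 = "a066a4516cda5a762adbcd98681d94c3a86451f92c705e8e0ae4a863984b21de"
C2_HOST, C2_PORT = "156.225.31.175", 808
CRON_GLOBS = ("etc/crontab", "etc/cron.d/*", "var/spool/cron/crontabs/*")
SYSTEMD_GLOBS = ("etc/systemd/system/*.service", "usr/lib/systemd/system/*.service")
SHELL_STARTUP_GLOBS = ("etc/profile", "etc/bash.bashrc", "root/.bashrc", "root/.profile",
                       "home/*/.bashrc", "home/*/.profile")
USER_BIN_GLOBS = ("root/bin/*", "home/*/bin/*", "usr/local/bin/*")
# Launch locations a package-installed unit or cron job would not normally use (heuristic).
ODD_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/root/", "/home/")
C2_RE = re.compile(rb"\b" + re.escape(C2_HOST.encode()) + rb"(?::%d)?\b" % C2_PORT)
PATH_RE = re.compile(r"^\s*(?:export\s+)?PATH=(\S+)", re.M)
EXEC_RE = re.compile(r"^ExecStart=(.+)$", re.M)
ASSIGN_RE = re.compile(r"^\w+=")  # VAR=value lines inside crontabs

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def _rel(root, p):
    return "/" + p.relative_to(root).as_posix()

def _text(p):
    return p.read_bytes().decode("utf-8", errors="replace")

def _odd_paths(s):
    """Absolute-path tokens of s (PATH values split on ':') under ODD_PREFIXES."""
    return [t for t in s.replace(":", " ").split() if t.startswith(ODD_PREFIXES)]

def _files(root, patterns):
    for pat in patterns:
        hits = root.glob(pat) if any(c in pat for c in "*?[") else [root / pat]
        yield from (p for p in hits if p.is_file() and not p.is_symlink())

def hunt(root, sample_sha256=SAMPLE_SHA256):
    """Return (kind, path[, detail]) tuples for every indicator found under root."""
    root, found = Path(root), []
    # 1. Sample hash and C2 endpoint, checked over every regular file (read once).
    for dirpath, _, names in os.walk(root):
        for p in (Path(dirpath) / n for n in names):
            if p.is_symlink() or not p.is_file():
                continue
            data = p.read_bytes()
            if hashlib.sha256(data).hexdigest() == sample_sha256:
                found.append(("sample_hash", _rel(root, p)))
            if C2_RE.search(data):
                found.append(("c2_reference", _rel(root, p)))
    # 2. Cron entries whose command lives in an odd location.
    for f in _files(root, CRON_GLOBS):
        for s in (l.strip() for l in _text(f).splitlines()):
            if s and not s.startswith("#") and not ASSIGN_RE.match(s) and _odd_paths(s):
                found.append(("cron_job", _rel(root, f), _odd_paths(s)[0]))
    # 3. systemd units started from an odd location.
    for f in _files(root, SYSTEMD_GLOBS):
        for m in EXEC_RE.finditer(_text(f)):
            if _odd_paths(m.group(1)):
                found.append(("systemd_service", _rel(root, f), _odd_paths(m.group(1))[0]))
    # 4. Shell startup files that put an odd directory on PATH (path interception).
    for f in _files(root, SHELL_STARTUP_GLOBS):
        for m in PATH_RE.finditer(_text(f)):
            if _odd_paths(m.group(1)):
                found.append(("shell_startup_path", _rel(root, f), m.group(1)))
    # 5. Anything in a user bin directory deserves a look on a host flagged for this.
    for f in _files(root, USER_BIN_GLOBS):
        found.append(("user_bin_file", _rel(root, f)))
    return found

def build_fixture():
    """Constructed test image (not from the sandbox run) with the report's artifacts
    next to benign look-alikes; returns its root as a string."""
    root = Path(tempfile.mkdtemp(prefix="kaiji-triage-"))
    def put(rel, content):
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content if isinstance(content, bytes) else content.encode())
    put("tmp/.x/linux_amd64.elf", b"\x7fELF" + b"\x00" * 12 + b"stand-in, not the sample")
    put("tmp/.x/run.sh", "#!/bin/sh\nexec /tmp/.x/linux_amd64.elf 156.225.31.175:808\n")
    put("etc/cron.d/update", "*/5 * * * * root /tmp/.x/run.sh >/dev/null 2>&1\n")
    put("etc/cron.d/logrotate", "PATH=/usr/bin:/bin\n0 0 * * * root /usr/sbin/logrotate\n")
    put("etc/systemd/system/linux.service",
        "[Unit]\nDescription=linux\n[Service]\nExecStart=/root/bin/linux\nRestart=always\n")
    put("usr/lib/systemd/system/cron.service", "[Service]\nExecStart=/usr/sbin/cron -f\n")
    put("root/.bashrc", "export PATH=/tmp/.x:$PATH\n")
    put("root/bin/linux", b"\x7fELF" + b"\x00" * 8)
    return str(root)
```

Run it against a mounted image with hunt("/mnt/image") or against a live host with hunt("/"); hunt(build_fixture()) shows the expected output shape offline. The watchdog, EFI and process-enumeration signatures are runtime behaviour and need a process or syscall trace rather than a disk scan, so they are deliberately outside this script.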
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (T1547): 3
    XDG Autostart Entries (T1547.013): 1
  Boot or Logon Initialization Scripts (T1037): 1
    RC Scripts (T1037.004): 1
  Create or Modify System Process (T1543): 1
    Systemd Service (T1543.002): 1
  Event Triggered Execution (T1546): 1
    Unix Shell Configuration Modification (T1546.004): 1
  Hijack Execution Flow (T1574): 1
    Path Interception by PATH Environment Variable (T1574.007): 1
  Pre-OS Boot (T1542): 1
    Bootkit (T1542.003): 1
  Scheduled Task/Job (T1053): 1
    Cron (T1053.003): 1
Privilege Escalation
  Boot or Logon Autostart Execution (T1547): 3
    XDG Autostart Entries (T1547.013): 1
  Boot or Logon Initialization Scripts (T1037): 1
    RC Scripts (T1037.004): 1
  Create or Modify System Process (T1543): 1
    Systemd Service (T1543.002): 1
  Event Triggered Execution (T1546): 1
    Unix Shell Configuration Modification (T1546.004): 1
  Hijack Execution Flow (T1574): 1
    Path Interception by PATH Environment Variable (T1574.007): 1
  Scheduled Task/Job (T1053): 1
    Cron (T1053.003): 1