General

  • Target

    linux_arm6.elf

  • Size

    5.1MB

  • Sample

    250412-w7fn8azvgy

  • MD5

    1694c7f4a11105a25c4ab1b2a08012b2

  • SHA1

    bae22f26fd7ad1bc749ebbe46c33b34c3ad483f2

  • SHA256

    b5fb1596b0b306ae93ecb350a0f27bbf6d5e53798779beeb4c11728237c422bb

  • SHA512

    716eb69b24a5fc8759d080f024ddff6ef804421140a9a5131b191726eab35e416ae64d25a002a36ec2877fe1e265ac99bb66683206907aac9eb1b18b0f6ffbfd

  • SSDEEP

    98304:8cSBHdgN2a7JP97kJru8cYWPAXqVu+60:8cS03tu+6

Malware Config

Extracted

Family

kaiji

C2

aresapp.456789456.xyz:52462

Targets

    • Target

      linux_arm6.elf

    • Size

      5.1MB

    • MD5

      1694c7f4a11105a25c4ab1b2a08012b2

    • SHA1

      bae22f26fd7ad1bc749ebbe46c33b34c3ad483f2

    • SHA256

      b5fb1596b0b306ae93ecb350a0f27bbf6d5e53798779beeb4c11728237c422bb

    • SHA512

      716eb69b24a5fc8759d080f024ddff6ef804421140a9a5131b191726eab35e416ae64d25a002a36ec2877fe1e265ac99bb66683206907aac9eb1b18b0f6ffbfd

    • SSDEEP

      98304:8cSBHdgN2a7JP97kJru8cYWPAXqVu+60:8cS03tu+6

    • Renames multiple (1004) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Executes dropped EXE

    • Modifies Watchdog functionality

      Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Creates/modifies environment variables

      Creating/modifying environment variables is a common persistence mechanism.

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Modifies systemd

      Adds/ modifies systemd service files. Likely to achieve persistence.

    • Write file to user bin folder

    • Modifies Bash startup script

MITRE ATT&CK Enterprise v16

Tasks