General

  • Target

    linux_arm6.elf

  • Size

    2.0MB

  • Sample

    250412-w9d86szj13

  • MD5

    3ccd0e1bc9264d7ee4ee164e2fe5d05f

  • SHA1

    31b7776de4546f5c6c213235ba25c2995a4e6b90

  • SHA256

    abc1e6c631b4c3ccdc6e1c01ae0eccb91bcfe395085661a3145820bc42991609

  • SHA512

    0b95064b4f088f9e4701d95a7c8ccdad1952b313ad5b53eeb90f748fc49ce5f245534a36bc3a2e7bdbb38144d61290531d35c8da594e9befc0ea3bd08119d31a

  • SSDEEP

    24576:JgCbFbDVZ7bVCj3ozPQPTUkrtQ05OYRWNOrdErF4ff1kRrfnyVhv8uofvsRWA1SH:VCWTuM2T1s

Malware Config

Extracted

Family

kaiji

C2

aresweb.456789456.xyz:12345

Targets

    • Kaiji

      Kaiji payload

    • Kaiji family

    • Executes dropped EXE

    • Modifies Watchdog functionality

      Malware like Mirai modifies the watchdog to prevent it from restarting an infected system.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Creates/modifies environment variables

      Creating/modifying environment variables is a common persistence mechanism.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Writes file to user bin folder

    • Modifies Bash startup script

MITRE ATT&CK Enterprise v16

Tasks