General

  • Target

    linux_amd64.elf

  • Size

    5.2MB

  • Sample

    250412-xb62zazkv2

  • MD5

    cb36b85a9cb78999875e2b00b1d4db6e

  • SHA1

    95a2c51f333b7e74e77aa6089890a2ae5db0310a

  • SHA256

    eb6c4a5985b1e644ad64ce61fb3eee4f93a2f16ac2960ece0b23f9c39e37dc04

  • SHA512

    16385286be811d5417f96e6f9f1bcf789412f19eb81ae5b773e2e338bc91ed2c84b965622a2a979fe42377d14c72019ff104b8d301bc9c2c9a12594239871a00

  • SSDEEP

    49152:7Xa6xzZWhrb/T4vO90dL3BmAFd4A64nsfJPJ6TdXnT9aqeJaz2xNkapDnYRQoj1S:b2ONLBzSxtSTwElHz

Malware Config

Extracted

Family

kaiji

C2

aresapp.456789456.xyz:52462
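The hashes and C2 above are the actionable indicators in this report. The following Python is an added example, not part of the sandbox output: it hashes a candidate file in one pass and reports which of the report's four digests it matches, and it searches log text for the C2 host (DNS logs) and the host:port pair (proxy or flow logs). The hash values and C2 are copied from the report; the log lines in SAMPLE_LOGS are constructed for the demo.

```python
"""Check a file and some log text against the IOCs in the report above.

Added example (not part of the sandbox report). The hashes and C2 are copied
from the report; the log lines below are constructed for the demo.
"""
import hashlib
import io
import re
from typing import BinaryIO, Dict, Iterable, List, Tuple

# Indicators copied verbatim from the report.
REPORT_HASHES = {
    "md5": "cb36b85a9cb78999875e2b00b1d4db6e",
    "sha1": "95a2c51f333b7e74e77aa6089890a2ae5db0310a",
    "sha256": "eb6c4a5985b1e644ad64ce61fb3eee4f93a2f16ac2960ece0b23f9c39e37dc04",
    "sha512": ("16385286be811d5417f96e6f9f1bcf789412f19eb81ae5b773e2e338bc91ed2c"
               "84b965622a2a979fe42377d14c72019ff104b8d301bc9c2c9a12594239871a00"),
}
C2_HOST = "aresapp.456789456.xyz"
C2_PORT = 52462

# Host alone (DNS logs), and host immediately followed by the C2 port (proxy/flow logs).
C2_HOST_RE = re.compile(re.escape(C2_HOST) + r"(?![\w-])", re.IGNORECASE)
C2_ENDPOINT_RE = re.compile(re.escape(C2_HOST) + r"[:\s]+" + str(C2_PORT) + r"(?!\d)",
                            re.IGNORECASE)


def stream_digests(fh: BinaryIO, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Compute all four report digests in a single chunked pass over the stream."""
    hashers = {name: hashlib.new(name) for name in REPORT_HASHES}
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def file_digests(path: str) -> Dict[str, str]:
    with open(path, "rb") as fh:
        return stream_digests(fh)


def bytes_digests(data: bytes) -> Dict[str, str]:
    return stream_digests(io.BytesIO(data))


def matching_hashes(digests: Dict[str, str]) -> List[str]:
    """Algorithms for which the digests equal the report's. An empty list means the
    file is not this exact sample (a repacked build differs in every digest)."""
    return [name for name, value in digests.items()
            if name in REPORT_HASHES and value.lower() == REPORT_HASHES[name]]


def find_c2_hits(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """(line_number, kind, line) for lines naming the C2 host; kind is 'endpoint'
    when host and port appear together, 'host' otherwise. The port on its own is
    deliberately not matched: 52462 by itself is too noisy to be an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        if C2_ENDPOINT_RE.search(line):
            hits.append((n, "endpoint", line.rstrip()))
        elif C2_HOST_RE.search(line):
            hits.append((n, "host", line.rstrip()))
    return hits


# Constructed log lines (not from the report): a DNS query, a firewall line that
# shows only the port, a proxy CONNECT to the full endpoint, and an unrelated line.
SAMPLE_LOGS = [
    "Apr 12 10:01:02 host named[612]: client 10.0.0.7#5353: query: aresapp.456789456.xyz IN A +",
    "Apr 12 10:01:03 host kernel: [UFW ALLOW] OUT eth0 DST=203.0.113.5 DPT=52462 PROTO=TCP",
    "2025-04-12T10:01:03Z proxy CONNECT aresapp.456789456.xyz:52462 from 10.0.0.7",
    "Apr 12 10:05:44 host sshd[900]: Accepted publickey for ops from 10.0.0.2",
]

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, "matches report on:", matching_hashes(file_digests(path)) or "nothing")
    for n, kind, line in find_c2_hits(SAMPLE_LOGS):
        print(f"line {n}: {kind}: {line}")
```

Run it as `python ioc_check.py /path/to/suspect.elf` to hash a file; the C2 search over SAMPLE_LOGS flags line 1 (DNS lookup of the host) and line 3 (CONNECT to host:port) and ignores the firewall line that carries only the port.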

Targets

    • Target

      linux_amd64.elf

    • Kaiji

      Kaiji payload

    • Kaiji family

    • kaiji_chaosbot

      Chaos-variant payload

    • Renames multiple (1040) files, adding a filename extension

      Renamed 1040 files by appending an extension to each. This pattern is consistent with ransomware encrypting files across the system.

    • Executes dropped EXE

    • Modifies Watchdog functionality

      Malware such as Mirai disables or reconfigures the hardware watchdog so that it does not reboot an infected system.

    • Abuse Elevation Control Mechanism: Sudo and Sudo Caching

      Abuses sudo or cached sudo credentials to execute code with elevated privileges.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Creates/modifies environment variables

      Environment variables set persistently (for example in shell profile files) are a common persistence mechanism.

    • Enumerates running processes

      Discovers information about the processes currently running on the system.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Modifies systemd

      Adds or modifies systemd service files, likely to achieve persistence.

    • Writes file to user bin folder

    • Modifies Bash startup script
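The signatures above that leave traces on disk (cron, init.d, systemd, Bash startup scripts, writes to a bin directory, and the bulk rename-with-extension) can be confirmed on a host by diffing a known-good snapshot against the current state. The Python below is an added example, not the sandbox's own detection logic. It hashes a tree, diffs two snapshots, reports added or modified files in persistence locations, and detects the rename pattern by pairing each removed path with an added path equal to it plus one extension. The baseline tree, the dropped file name, the unit and cron names and the '.enc' extension are constructed for the demo (the report names none of them); watchdog tampering and process enumeration are not file changes and are not covered here.

```python
"""Snapshot-diff triage for the file-based behaviours in the report (cron, init.d,
systemd, Bash startup scripts, user bin writes, bulk rename-with-extension).
Added example, not the sandbox's logic; the clean tree and the infected changes
are constructed in a temp directory so it runs offline. Watchdog tampering and
process enumeration are not file changes and are out of scope here."""
import hashlib
import os
import tempfile
from collections import Counter
from typing import Dict, List, Tuple

# Locations behind the report's persistence signatures, relative to the scanned root.
PERSISTENCE_DIRS = ("etc/cron.d", "etc/cron.hourly", "etc/cron.daily", "var/spool/cron",
                    "etc/init.d", "etc/systemd/system", "usr/lib/systemd/system",
                    "usr/bin", "usr/local/bin")
PERSISTENCE_FILES = ("etc/crontab", "etc/environment", "etc/profile", "etc/bash.bashrc")
BASH_STARTUP = (".bashrc", ".bash_profile", ".profile", ".bash_logout")


def snapshot(root: str) -> Dict[str, str]:
    """Relative path -> sha256 for every regular file under root (symlinks skipped)."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            with open(full, "rb") as fh:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                snap[rel] = hashlib.sha256(fh.read()).hexdigest()
    return snap


def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    return {"added": sorted(set(after) - set(before)),
            "removed": sorted(set(before) - set(after)),
            "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p])}


def is_persistence_path(rel: str) -> bool:
    if rel in PERSISTENCE_FILES or os.path.basename(rel) in BASH_STARTUP:
        return True
    return any(rel.startswith(d + "/") for d in PERSISTENCE_DIRS)


def persistence_changes(diff: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """(kind, path) for every added or modified file in a persistence location."""
    return [(kind, p) for kind in ("added", "modified") for p in diff[kind] if is_persistence_path(p)]


def detect_bulk_rename(diff: Dict[str, List[str]], min_files: int = 10) -> Dict[str, int]:
    """Pair removed paths with added paths equal to them plus one extension (the report
    saw 1040 such renames); return extension -> count where count >= min_files."""
    stem_to_ext = {}
    for new in diff["added"]:
        stem, dot, ext = new.rpartition(".")
        if dot and "/" not in ext:  # skip dots that belong to a directory name
            stem_to_ext[stem] = ext
    counts = Counter(stem_to_ext[old] for old in diff["removed"] if old in stem_to_ext)
    return {ext: n for ext, n in counts.items() if n >= min_files}


def _write(root: str, rel: str, text: str, mode: str = "w") -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, mode) as fh:
        fh.write(text)


def build_clean_demo(root: str) -> None:
    """Constructed baseline: legitimate persistence files plus 12 user documents."""
    _write(root, "etc/crontab", "# /etc/crontab\n")
    _write(root, "etc/systemd/system/ssh.service", "[Unit]\nDescription=OpenSSH\n")
    _write(root, "etc/init.d/networking", "#!/bin/sh\n")
    _write(root, "home/ops/.bashrc", "# ~/.bashrc\n")
    _write(root, "usr/bin/ls", "ELF placeholder\n")
    for i in range(12):
        _write(root, f"home/ops/docs/report{i}.txt", f"quarterly report {i}\n")


def infect_demo(root: str) -> None:
    """Constructed changes mirroring the report's signatures. The dropped file name,
    unit/cron names and the '.enc' extension are hypothetical; the report names none."""
    _write(root, "usr/bin/linux_amd64", "ELF placeholder (dropped)\n")
    _write(root, "etc/systemd/system/linux_amd64.service", "[Service]\nExecStart=/usr/bin/linux_amd64\n")
    _write(root, "etc/cron.d/linux_amd64", "* * * * * root /usr/bin/linux_amd64\n")
    _write(root, "home/ops/.bashrc", "/usr/bin/linux_amd64 &\n", mode="a")
    for i in range(12):
        path = os.path.join(root, "home/ops/docs", f"report{i}.txt")
        os.replace(path, path + ".enc")


def run_demo() -> Dict[str, object]:
    """Baseline, infect, re-snapshot; returns the two findings a responder wants."""
    with tempfile.TemporaryDirectory() as root:
        build_clean_demo(root)
        before = snapshot(root)
        infect_demo(root)
        diff = diff_snapshots(before, snapshot(root))
    return {"persistence": persistence_changes(diff), "bulk_rename": detect_bulk_rename(diff)}


if __name__ == "__main__":
    result = run_demo()
    for kind, path in result["persistence"]:
        print(f"{kind:9s}{path}")
    print("bulk renames by extension:", result["bulk_rename"])
```

On a real host, take the baseline snapshot of / (or of the directories in PERSISTENCE_DIRS) from a trusted image and run snapshot() against the live system or a mounted disk image; the 12-file threshold in detect_bulk_rename is far below the 1040 renames the sandbox observed and is only there so the demo tree stays small.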
