General

  • Target

    4GGW4_linux_arm5.elf

  • Size

    2.0MB

  • Sample

    250412-xe9bhazwct

  • MD5

    a27d74c4b92bd0c318c197a989de939e

  • SHA1

    1f445f0d5355c86289bea4cca14b68508be42235

  • SHA256

    c7c5d317437fd744317b2298306ef6e9dbf47d64753cb149fe80d5e23a83bc9c

  • SHA512

    f51e02f7cafb9c0abbef3f7fb8bf751e5267fa839f8570393aa7c27cfcd8993f6bd098e2ac34c4483ea4c5e8cf8f64c6d68e8543f3ec06a79bee33331cad307e

  • SSDEEP

    24576:J1rMILphWsdRm6vM7lUVJtq8wfe9OqbVgYQ3k48jtIMoG34LJnWVh1BPnjKqZdtX:JVfjm/Mo2T1

Malware Config

Extracted

Family

kaiji

C2

aresweb.456789456.xyz:12345

Targets

    • Target

      4GGW4_linux_arm5.elf

    • Renames multiple (1004) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Executes dropped EXE

    • Modifies Watchdog functionality

      Malware like Mirai modifies the Watchdog to prevent it from restarting an infected system.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Creates/modifies environment variables

      Creating/modifying environment variables is a common persistence mechanism.

    • Disables SELinux

      Disables SELinux security module.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Modifies systemd

      Adds/modifies systemd service files, likely to achieve persistence.

    • Writes file to user bin folder

    • Modifies Bash startup script

MITRE ATT&CK Enterprise v16

Tasks