General

  • Target

    linux_arm6.elf

  • Size

    2.0MB

  • Sample

    250416-w96cnatyhw

  • MD5

    30198502ebe9ec952f275e6cb842b9e4

  • SHA1

    0ab0b0fd62721e9971a0bb982a0c67fd09fa7893

  • SHA256

    6bfb8a3cddea503e067cbaa3565b03d9f6ed541a97bedf754074307b2bc251d1

  • SHA512

    7af427e3add50c1cb6a4f569ea44ea148df9664a9dfe2a1adaa6731b04b4b30c072f1d0e9c12d22c7e9c757e4e99322054428c24f8dadf334e2273bc319a62b4

  • SSDEEP

    24576:WWk1VBrzE64PCK6uiK9Pzd5c8o916IqZa4F9yXcnIm6zVIZLVhS7uofvsQ4XyUta:xxTsU2T1

Malware Config

Extracted

Family

kaiji

C2

154.40.47.248:888

Targets

    • Target

      linux_arm6.elf

    • Size

      2.0MB

    • MD5

      30198502ebe9ec952f275e6cb842b9e4

    • SHA1

      0ab0b0fd62721e9971a0bb982a0c67fd09fa7893

    • SHA256

      6bfb8a3cddea503e067cbaa3565b03d9f6ed541a97bedf754074307b2bc251d1

    • SHA512

      7af427e3add50c1cb6a4f569ea44ea148df9664a9dfe2a1adaa6731b04b4b30c072f1d0e9c12d22c7e9c757e4e99322054428c24f8dadf334e2273bc319a62b4

    • SSDEEP

      24576:WWk1VBrzE64PCK6uiK9Pzd5c8o916IqZa4F9yXcnIm6zVIZLVhS7uofvsQ4XyUta:xxTsU2T1

    • Renames multiple (1004) files with added filename extension

      This suggests ransomware activity: encrypting all the files on the system.

    • Executes dropped EXE

    • Modifies Watchdog functionality

      Malware like Mirai modifies the Watchdog to prevent it from restarting an infected system.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Creates/modifies environment variables

      Creating/modifying environment variables is a common persistence mechanism.

    • Disables SELinux

      Disables SELinux security module.

    • Modifies init.d

      Adds/modifies a system service, likely for persistence.

    • Modifies systemd

      Adds/modifies systemd service files, likely for persistence.

    • Write file to user bin folder

    • Modifies Bash startup script

MITRE ATT&CK Enterprise v16

Tasks