General

  • Target

    linux_arm5.elf

  • Size

    2.0MB

  • Sample

    250416-xanh8styh1

  • MD5

    f18fa7b1e7437460d01654ea9e134e29

  • SHA1

    3ac4b626f05253533ed401cd958d7a82d66e6acf

  • SHA256

    8235183b4bbede6402a39a1db714593fc27fecfda575347ebb0d3f87ac793254

  • SHA512

    524a437556d1a4a9202b99d35e20af417dbd38ba08f872db73d478c065178b78c78102deee89a6a7d1b78e8534d669ef573ac9235ab80fe59c6787489e8bee25

  • SSDEEP

    24576:NmGM05U6zdl5megDmMTwJCmxjZthdwpVQsl6nBVSDr21p27DCcSXHXHVhSBPnjKm:N/bNmkr12T1

Malware Config

Extracted

Family

kaiji

C2

154.40.47.248:888

Targets

    • Kaiji

      Kaiji payload

    • Kaiji family

    • Executes dropped EXE

    • Modifies Watchdog functionality

      Malware like Mirai modifies the watchdog to prevent it from restarting an infected system.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Creates/modifies environment variables

      Creating/modifying environment variables is a common persistence mechanism.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Write file to user bin folder

    • Modifies Bash startup script
