Analysis
max time kernel: 148s
max time network: 146s
platform: ubuntu-22.04_amd64
resource: ubuntu2204-amd64-20250410-en
resource tags: arch:amd64, arch:i386, image:ubuntu2204-amd64-20250410-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
submitted: 16/04/2025, 18:41
Behavioral task
behavioral1
Sample
linux_386.elf
Resource
ubuntu2204-amd64-20250410-en
General
Target: linux_386.elf
Size: 1.8MB
MD5: 259800bf6d1eb21a74ff1737f9826a0a
SHA1: 1a13ffb1f327ae411689568840b0e812b7d40a59
SHA256: 5aa6cc2b09d7fa0d3c5b6826f872826f5d3afb9af18c001ea3f4f1a1ccb188f7
SHA512: d3b013396695920dde44c4bc8af2b91e9e4142592151056e27946af54096056f2a70d528c4fd9abb27042d6a5ed2839648fbe3054b3e8a218bf29586237c1beb
SSDEEP: 24576:Inoxw1zy7RvFMNRlnmxlJgAaI0ODBBri8wnJPVwchQItBPUgpxv2SzVVOMaWz1v:s/MBFBuEItpRpsSIWz1
Malware Config
Extracted
kaiji
154.40.47.248:809
Signatures
-
Kaiji 1 IoCs
Kaiji payload
resource | yara_rule
behavioral1/files/fstream-5.dat | Kaiji
Kaiji family
-
Executes dropped EXE 1 IoCs
ioc | pid | Process
/etc/32676 | 1572 | linux_386.elf
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description | ioc | Process
File opened for modification | /dev/misc/watchdog | linux_386.elf
File opened for modification | /dev/watchdog | linux_386.elf
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description | ioc | Process
File opened for modification | /etc/crontab | linux_386.elf
Creates/modifies environment variables 1 TTPs 3 IoCs
Creating/modifying environment variables is a common persistence mechanism.
description | ioc | Process
File opened for modification | /etc/profile.d/bash_cfg | linux_386.elf
File opened for modification | /etc/profile.d/bash_cfg.sh | linux_386.elf
File opened for modification | /etc/profile.d/gateway.sh | linux_386.elf
Enumerates running processes
Discovers information about currently running processes on the system
-
Modifies init.d
description | ioc | Process
File opened for modification | /etc/init.d/avahi-daemon | linux_386.elf
File opened for modification | /etc/init.d/cups-browsed | linux_386.elf
File opened for modification | /etc/init.d/kmod | linux_386.elf
File opened for modification | /etc/init.d/x11-common | linux_386.elf
File opened for modification | /etc/init.d/alsa-utils | linux_386.elf
File opened for modification | /etc/init.d/cups | linux_386.elf
File opened for modification | /etc/init.d/gdm3 | linux_386.elf
File opened for modification | /etc/init.d/lvm2-lvmpolld | linux_386.elf
File opened for modification | /etc/init.d/plymouth | linux_386.elf
File opened for modification | /etc/init.d/procps | linux_386.elf
File opened for modification | /etc/init.d/apparmor | linux_386.elf
File opened for modification | /etc/init.d/cron | linux_386.elf
File opened for modification | /etc/init.d/cryptdisks | linux_386.elf
File opened for modification | /etc/init.d/hwclock.sh | linux_386.elf
File opened for modification | /etc/init.d/keyboard-setup.sh | linux_386.elf
File opened for modification | /etc/init.d/ssh | linux_386.elf
File opened for modification | /etc/init.d/sssd | linux_386.elf
File opened for modification | /etc/init.d/unattended-upgrades | linux_386.elf
File opened for modification | /etc/init.d/console-setup.sh | linux_386.elf
File opened for modification | /etc/init.d/rsync | linux_386.elf
File opened for modification | /etc/init.d/apport | linux_386.elf
File opened for modification | /etc/init.d/cryptdisks-early | linux_386.elf
File opened for modification | /etc/init.d/dbus | linux_386.elf
File opened for modification | /etc/init.d/openvpn | linux_386.elf
File opened for modification | /etc/init.d/saned | linux_386.elf
File opened for modification | /etc/init.d/spice-vdagent | linux_386.elf
File opened for modification | /etc/init.d/anacron | linux_386.elf
File opened for modification | /etc/init.d/bluetooth | linux_386.elf
File opened for modification | /etc/init.d/iscsid | linux_386.elf
File opened for modification | /etc/init.d/udev | linux_386.elf
File opened for modification | /etc/init.d/acpid | linux_386.elf
File opened for modification | /etc/init.d/open-iscsi | linux_386.elf
File opened for modification | /etc/init.d/plymouth-log | linux_386.elf
Modifies systemd 2 TTPs 1 IoCs
Adds/modifies systemd service files, likely to achieve persistence.
description | ioc | Process
File opened for modification | /usr/lib/systemd/system/quotaoff.service | linux_386.elf
Write file to user bin folder 12 IoCs
description | ioc | Process
File opened for modification | /usr/bin/include/ps | linux_386.elf
File opened for modification | /usr/bin/include/ls | linux_386.elf
File opened for modification | /usr/bin/include/find | linux_386.elf
File opened for modification | /usr/bin/include/lsof | linux_386.elf
File opened for modification | /usr/bin/ps | linux_386.elf
File opened for modification | /usr/bin/ss | linux_386.elf
File opened for modification | /usr/bin/ls | linux_386.elf
File opened for modification | /usr/bin/include/ss | linux_386.elf
File opened for modification | /usr/bin/include/dir | linux_386.elf
File opened for modification | /usr/bin/dir | linux_386.elf
File opened for modification | /usr/bin/find | linux_386.elf
File opened for modification | /usr/bin/lsof | linux_386.elf
Modifies Bash startup script 2 TTPs 3 IoCs
description | ioc | Process
File opened for modification | /etc/profile.d/bash_cfg | linux_386.elf
File opened for modification | /etc/profile.d/bash_cfg.sh | linux_386.elf
File opened for modification | /etc/profile.d/gateway.sh | linux_386.elf
Changes its process name 1 IoCs
description | ioc | pid | Process
Changes the process name, possibly in an attempt to hide itself | ksoftirqd/0 | 1567 | linux_386.elf
Enumerates kernel/hardware configuration 1 TTPs 2 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
description | ioc | Process
File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | linux_386.elf
File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | Process not Found
-
Reads runtime system information
description | ioc | Process
File opened for reading | /proc/1243/stat | linux_386.elf
File opened for reading | /proc/1356/stat | linux_386.elf
File opened for reading | /proc/1567/stat | linux_386.elf
File opened for reading | /proc/filesystems | systemctl
File opened for reading | /proc/732/stat | linux_386.elf
File opened for reading | /proc/736/stat | linux_386.elf
File opened for reading | /proc/783/stat | linux_386.elf
File opened for reading | /proc/1032/stat | linux_386.elf
File opened for reading | /proc/1105/stat | linux_386.elf
File opened for reading | /proc/1181/stat | linux_386.elf
File opened for reading | /proc/896/stat | linux_386.elf
File opened for reading | /proc/927/stat | linux_386.elf
File opened for reading | /proc/988/stat | linux_386.elf
File opened for reading | /proc/1012/stat | linux_386.elf
File opened for reading | /proc/589/stat | linux_386.elf
File opened for reading | /proc/926/stat | linux_386.elf
File opened for reading | /proc/979/stat | linux_386.elf
File opened for reading | /proc/1110/stat | linux_386.elf
File opened for reading | /proc/1196/stat | linux_386.elf
File opened for reading | /proc/filesystems | sed
File opened for reading | /proc/filesystems | systemctl
File opened for reading | /proc/890/stat | linux_386.elf
File opened for reading | /proc/989/stat | linux_386.elf
File opened for reading | /proc/1085/stat | linux_386.elf
File opened for reading | /proc/1103/stat | linux_386.elf
File opened for reading | /proc/1312/stat | linux_386.elf
File opened for reading | /proc/1115/stat | linux_386.elf
File opened for reading | /proc/418/stat | linux_386.elf
File opened for reading | /proc/594/stat | linux_386.elf
File opened for reading | /proc/907/stat | linux_386.elf
File opened for reading | /proc/1119/stat | linux_386.elf
File opened for reading | /proc/1344/stat | linux_386.elf
File opened for reading | /proc/1520/stat | linux_386.elf
File opened for reading | /proc/427/stat | linux_386.elf
File opened for reading | /proc/559/stat | linux_386.elf
File opened for reading | /proc/649/stat | linux_386.elf
File opened for reading | /proc/997/stat | linux_386.elf
File opened for reading | /proc/1125/stat | linux_386.elf
File opened for reading | /proc/1324/stat | linux_386.elf
File opened for reading | /proc/1449/stat | linux_386.elf
File opened for reading | /proc/1574/stat | linux_386.elf
File opened for reading | /proc/314/stat | linux_386.elf
File opened for reading | /proc/799/stat | linux_386.elf
File opened for reading | /proc/973/stat | linux_386.elf
File opened for reading | /proc/1025/stat | linux_386.elf
File opened for reading | /proc/1111/stat | linux_386.elf
File opened for reading | /proc/1580/stat | linux_386.elf
File opened for reading | /proc/407/stat | linux_386.elf
File opened for reading | /proc/552/stat | linux_386.elf
File opened for reading | /proc/590/stat | linux_386.elf
File opened for reading | /proc/668/stat | linux_386.elf
File opened for reading | /proc/1104/stat | linux_386.elf
File opened for reading | /proc/1109/stat | linux_386.elf
File opened for reading | /proc/1436/stat | linux_386.elf
File opened for reading | /proc/filesystems | journalctl
File opened for reading | /proc/741/stat | linux_386.elf
File opened for reading | /proc/769/stat | linux_386.elf
File opened for reading | /proc/315/stat | linux_386.elf
File opened for reading | /proc/filesystems | sed
File opened for reading | /proc/699/stat | linux_386.elf
File opened for reading | /proc/760/stat | linux_386.elf
File opened for reading | /proc/948/stat | linux_386.elf
File opened for reading | /proc/1551/stat | linux_386.elf
File opened for reading | /proc/775/stat | linux_386.elf
Processes
(child processes are indented under their parent)
path | command line | PID
-
/tmp/linux_386.elf | /tmp/linux_386.elf " " | PID:1567
- Executes dropped EXE
- Modifies Watchdog functionality
- Creates/modifies Cron job
- Creates/modifies environment variables
- Modifies init.d
- Modifies systemd
- Write file to user bin folder
- Modifies Bash startup script
- Changes its process name
- Enumerates kernel/hardware configuration
- Reads runtime system information
  /usr/bin/basename | basename /usr/sbin/service | PID:1575
  /usr/bin/basename | basename /usr/sbin/service | PID:1576
  /usr/bin/sed | sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p" | PID:1579
  - Reads runtime system information
  /usr/bin/systemctl | systemctl list-unit-files --full "--type=socket" | PID:1578
  /usr/local/sbin/systemctl | systemctl start crond.service | PID:1573
  /usr/local/bin/systemctl | systemctl start crond.service | PID:1573
  /usr/sbin/systemctl | systemctl start crond.service | PID:1573
  /usr/bin/systemctl | systemctl start crond.service | PID:1573
  /usr/bin/systemctl | systemctl daemon-reload | PID:1584
  /usr/bin/systemctl | systemctl enable quotaoff.service | PID:1618
  /usr/bin/systemctl | systemctl start quotaoff.service | PID:1654
  - Reads runtime system information
  /usr/bin/journalctl | journalctl -xe --no-pager | PID:1676
  - Reads runtime system information
  /usr/bin/basename | basename /usr/sbin/service | PID:1685
  /usr/bin/basename | basename /usr/sbin/service | PID:1686
  /usr/bin/sed | sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p" | PID:1689
  - Reads runtime system information
  /usr/bin/systemctl | systemctl list-unit-files --full "--type=socket" | PID:1688
  - Reads runtime system information
  /usr/local/sbin/systemctl | systemctl start cron.service | PID:1684
  /usr/local/bin/systemctl | systemctl start cron.service | PID:1684
  /usr/sbin/systemctl | systemctl start cron.service | PID:1684
  /usr/bin/systemctl | systemctl start cron.service | PID:1684
-
/etc/32676 | /etc/32676 | PID:1572
  /usr/bin/sleep | sleep 60 | PID:1574
  /usr/bin/sleep | sleep 60 | PID:1772
  /usr/bin/sleep | sleep 60 | PID:1787
Network
MITRE ATT&CK Enterprise v16
Persistence
- Boot or Logon Autostart Execution (3)
  - XDG Autostart Entries (1)
- Boot or Logon Initialization Scripts (1)
  - RC Scripts (1)
- Create or Modify System Process (1)
  - Systemd Service (1)
- Event Triggered Execution (1)
  - Unix Shell Configuration Modification (1)
- Hijack Execution Flow (1)
  - Path Interception by PATH Environment Variable (1)
- Scheduled Task/Job (1)
  - Cron (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - XDG Autostart Entries (1)
- Boot or Logon Initialization Scripts (1)
  - RC Scripts (1)
- Create or Modify System Process (1)
  - Systemd Service (1)
- Event Triggered Execution (1)
  - Unix Shell Configuration Modification (1)
- Hijack Execution Flow (1)
  - Path Interception by PATH Environment Variable (1)
- Scheduled Task/Job (1)
  - Cron (1)
Downloads
-
Filesize: 34B
MD5: f5a3713282e43c200f30342f5ff5e2ea
SHA1: 2b2ce1a207e2b691a074c6f78f71c4785aae426a
SHA256: 6ab64e727571458d4884fb2fe82c27c467db0699cb8f648b3f0217c35d2b7511
SHA512: 5bcb8cd360409147a486755f90e0cdd97183af02ce8de5135b7c6a8a010deb9ef12dcd5ee9a2a8fd2e159347f68e72d6b7fd75e943b4fcd928d7a74b97476013
-
Filesize: 1.8MB
MD5: 259800bf6d1eb21a74ff1737f9826a0a
SHA1: 1a13ffb1f327ae411689568840b0e812b7d40a59
SHA256: 5aa6cc2b09d7fa0d3c5b6826f872826f5d3afb9af18c001ea3f4f1a1ccb188f7
SHA512: d3b013396695920dde44c4bc8af2b91e9e4142592151056e27946af54096056f2a70d528c4fd9abb27042d6a5ed2839648fbe3054b3e8a218bf29586237c1beb
-
Filesize: 49B
MD5: be61c2bc8a19feeea95e41d0e94962fd
SHA1: b6c8e9a0a0cbf3e798f1e6669508bc7e9ad43173
SHA256: edb1c48d5c2a89d9e1a570967cf2dff861485814636c1c4a26bf4ee6dbe402e1
SHA512: e229c10ac49bf73a846ed9a58fa4fdb6e49a8cc07209094b92a2bf9bc6b72954c68c129800e4c356a7c7b383a8a5fe70d0401eafa8cb1382142778303179c6ac
-
Filesize: 98B
MD5: 7fb437af67907135c8eb965295be8ea2
SHA1: 325692899cabcbb1fbf3ecb751f53ca78db88436
SHA256: 69b3cbc38cafc06e2a36e10cec346941953745563e2239d6284bd38bb0b1b5e7
SHA512: c7eb8050562741c375a13b1076dc6e2cbb3533541f33222b09db0a9bd8cd02b8a1932566d53e5b2822d6b21feb2cf94ba0695b7bd9d6902874b1acfacf3ff2a8
-
Filesize: 56B
MD5: 585f408444cbca746945f0cb63f2c3f0
SHA1: 0e44bae17174f04514e770ca7fc4bec1007e39cd
SHA256: ebb961c647363dfa90f302de378e0e61807b9b792fc86616635a713cca8f4299
SHA512: 022241dbafad55164701f67ef5b84154e3af97c5dfe77dee7bf8406f2befbd2962bbf4f243432b2f41d6c2376b87fcf551fd6945e03ddb02a5619c2f0f69c596
-
Filesize: 5KB
MD5: f2b1f3db600ea068846bf5937f3f0ea4
SHA1: ec98496f6cfbd295a9679a912f3d75a72e1183fe
SHA256: bd6a2dbd29257d09768bc45cbbd3a75fbafe26f49f8d1487ac35644cb7a53e47
SHA512: 7cc944508882ea9bf98c7f6e7d86394410fc273643430422d267595d498a919999e5ca939d90f4fdc81a69201b83cd1a687a7ffa9f4f671799fb5a0a6ea294be
-
Filesize: 186B
MD5: b02de6cd28cd922b18d9d93375a70d8b
SHA1: 021426a5a2ff9edc80ba5936c94b37525538885e
SHA256: d8d8e5cd33aa3450cd74c63716a02f3dff39efef2836559f110bc93663b1380a
SHA512: db3fe03ad5e599e6c03aaec7bf1242f5509fbb624adb9afb7499e25487daef3f3f1c6babf51570b527a5ac5c9f4b079ae4cc53baa9497c0a121328bef8d04422