Analysis

  • max time kernel
    148s
  • max time network
    147s
  • platform
    ubuntu-22.04_amd64
  • resource
    ubuntu2204-amd64-20250410-en
  • resource tags

    arch:amd64arch:i386image:ubuntu2204-amd64-20250410-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
  • submitted
    16/04/2025, 18:45

General

  • Target

    linux_amd64.elf

  • Size

    1.9MB

  • MD5

    4a67fbaac9ab2555654663e56ad125a1

  • SHA1

    d6dbe82c06c8bd5b83eea3daa26605b10c4e4457

  • SHA256

    c09b6758cad544622f1a8a0e5edb64af4b952eb95ae94dcfe20fc1af2a9ab7e4

  • SHA512

    7a88709312bfdf50b3900abeab5e916fcbb63e773b58e158b557f239d1e8b861c4294dd86cfec80e4baf199fcb606d484da991c7b42594ec8999f945a4afb154

  • SSDEEP

    49152:PTcFMvG6RMCg9orb/T9vO90d7HjmAFd4A64nsfJcFaJysrgftB+g2vUqHY/Wz1:wKbocwr

Malware Config

Extracted

Family

kaiji

C2

154.40.47.248:888

Signatures

  • Kaiji 1 IoCs

    Kaiji payload

  • Kaiji family
  • Executes dropped EXE 1 IoCs
  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Creates/modifies environment variables 1 TTPs 3 IoCs

    Creating/modifying environment variables is a common persistence mechanism.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Modifies init.d 2 TTPs 33 IoCs

    Adds/modifies system service, likely for persistence.

  • Modifies systemd 2 TTPs 1 IoCs

    Adds/ modifies systemd service files. Likely to achieve persistence.

  • Write file to user bin folder 12 IoCs
  • Modifies Bash startup script 2 TTPs 3 IoCs
  • Changes its process name 1 IoCs
  • Command and Scripting Interpreter: Unix Shell 1 TTPs 4 IoCs

    Execute scripts via Unix Shell.

  • Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/linux_amd64.elf
    /tmp/linux_amd64.elf
    1⤵
    • Enumerates kernel/hardware configuration
    PID:1570
    • /tmp/linux_amd64.elf
      /tmp/linux_amd64.elf " "
      2⤵
      • Modifies Watchdog functionality
      • Creates/modifies environment variables
      • Modifies init.d
      • Modifies systemd
      • Write file to user bin folder
      • Modifies Bash startup script
      • Changes its process name
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      PID:1574
      • /bin/sh
        /bin/sh -c "/etc/32676&"
        3⤵
        • Executes dropped EXE
        • Command and Scripting Interpreter: Unix Shell
        PID:1578
      • /usr/sbin/service
        service crond start
        3⤵
          PID:1580
          • /usr/bin/basename
            basename /usr/sbin/service
            4⤵
              PID:1582
            • /usr/bin/basename
              basename /usr/sbin/service
              4⤵
                PID:1583
              • /usr/bin/sed
                sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
                4⤵
                • Reads runtime system information
                PID:1586
              • /usr/bin/systemctl
                systemctl list-unit-files --full "--type=socket"
                4⤵
                  PID:1585
              • /usr/local/sbin/systemctl
                systemctl start crond.service
                3⤵
                  PID:1580
                • /usr/local/bin/systemctl
                  systemctl start crond.service
                  3⤵
                    PID:1580
                  • /usr/sbin/systemctl
                    systemctl start crond.service
                    3⤵
                      PID:1580
                    • /usr/bin/systemctl
                      systemctl start crond.service
                      3⤵
                      • Reads runtime system information
                      PID:1580
                    • /bin/sh
                      /bin/sh -c "cd /boot;systemctl daemon-reload;systemctl enable quotaoff.service;systemctl start quotaoff.service;journalctl -xe --no-pager"
                      3⤵
                      • Command and Scripting Interpreter: Unix Shell
                      PID:1590
                      • /usr/bin/systemctl
                        systemctl daemon-reload
                        4⤵
                          PID:1591
                        • /usr/bin/systemctl
                          systemctl enable quotaoff.service
                          4⤵
                            PID:1625
                          • /usr/bin/systemctl
                            systemctl start quotaoff.service
                            4⤵
                            • Reads runtime system information
                            PID:1659
                          • /usr/bin/journalctl
                            journalctl -xe --no-pager
                            4⤵
                              PID:1674
                          • /bin/sh
                            /bin/sh -c "cd /boot;ausearch -c 'System.mod' --raw | audit2allow -M my-Systemmod;semodule -X 300 -i my-Systemmod.pp"
                            3⤵
                            • Command and Scripting Interpreter: Unix Shell
                            PID:1675
                          • /bin/sh
                            /bin/sh -c "echo \"*/1 * * * * root /.mod \" >> /etc/crontab"
                            3⤵
                            • Creates/modifies Cron job
                            • Command and Scripting Interpreter: Unix Shell
                            PID:1678
                          • /usr/bin/renice
                            renice -20 1574
                            3⤵
                              PID:1679
                            • /usr/bin/mount
                              mount -o bind /tmp/ /proc/1574
                              3⤵
                              • Reads runtime system information
                              PID:1680
                            • /usr/sbin/service
                              service cron start
                              3⤵
                                PID:1682
                                • /usr/bin/basename
                                  basename /usr/sbin/service
                                  4⤵
                                    PID:1683
                                  • /usr/bin/basename
                                    basename /usr/sbin/service
                                    4⤵
                                      PID:1684
                                    • /usr/bin/sed
                                      sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
                                      4⤵
                                        PID:1687
                                      • /usr/bin/systemctl
                                        systemctl list-unit-files --full "--type=socket"
                                        4⤵
                                          PID:1686
                                      • /usr/local/sbin/systemctl
                                        systemctl start cron.service
                                        3⤵
                                          PID:1682
                                        • /usr/local/bin/systemctl
                                          systemctl start cron.service
                                          3⤵
                                            PID:1682
                                          • /usr/sbin/systemctl
                                            systemctl start cron.service
                                            3⤵
                                              PID:1682
                                            • /usr/bin/systemctl
                                              systemctl start cron.service
                                              3⤵
                                              • Reads runtime system information
                                              PID:1682
                                            • /usr/bin/systemctl
                                              systemctl start crond.service
                                              3⤵
                                              • Reads runtime system information
                                              PID:1688
                                        • /etc/32676
                                          /etc/32676
                                          1⤵
                                            PID:1579
                                            • /usr/bin/sleep
                                              sleep 60
                                              2⤵
                                                PID:1581
                                              • /usr/bin/sleep
                                                sleep 60
                                                2⤵
                                                  PID:1722
                                                • /usr/bin/sleep
                                                  sleep 60
                                                  2⤵
                                                    PID:1737

                                                Network

                                                MITRE ATT&CK Enterprise v16

                                                Replay Monitor

                                                Loading Replay Monitor...

                                                Downloads

                                                • /.mod

                                                  Filesize

                                                  34B

                                                  MD5

                                                  f5a3713282e43c200f30342f5ff5e2ea

                                                  SHA1

                                                  2b2ce1a207e2b691a074c6f78f71c4785aae426a

                                                  SHA256

                                                  6ab64e727571458d4884fb2fe82c27c467db0699cb8f648b3f0217c35d2b7511

                                                  SHA512

                                                  5bcb8cd360409147a486755f90e0cdd97183af02ce8de5135b7c6a8a010deb9ef12dcd5ee9a2a8fd2e159347f68e72d6b7fd75e943b4fcd928d7a74b97476013

                                                • /boot/System.mod

                                                  Filesize

                                                  1.9MB

                                                  MD5

                                                  4a67fbaac9ab2555654663e56ad125a1

                                                  SHA1

                                                  d6dbe82c06c8bd5b83eea3daa26605b10c4e4457

                                                  SHA256

                                                  c09b6758cad544622f1a8a0e5edb64af4b952eb95ae94dcfe20fc1af2a9ab7e4

                                                  SHA512

                                                  7a88709312bfdf50b3900abeab5e916fcbb63e773b58e158b557f239d1e8b861c4294dd86cfec80e4baf199fcb606d484da991c7b42594ec8999f945a4afb154

                                                • /etc/.walk

                                                  Filesize

                                                  49B

                                                  MD5

                                                  8f30fc5c9bc57e29f60a3bbc55233340

                                                  SHA1

                                                  cd71c7c3d63ddb4ece0a11590a5c99b7139bcbbf

                                                  SHA256

                                                  87bb285fc080a6373ed6c0797993e459411392778563b1ca1ed9d8edb7bf3a35

                                                  SHA512

                                                  73b3ecc8df6140d7b1fbaa8b73010484fe765161c3b46c7efad5606d60677431f5a7896b314e6db0517390bd7e957658d5ad44c4a68c5cd6696213bda41871fe

                                                • /etc/.walk

                                                  Filesize

                                                  98B

                                                  MD5

                                                  508d9067c51abc99613135a58cf4c9f2

                                                  SHA1

                                                  da531b9d4223e33e82274e56d065dc25a12de4fd

                                                  SHA256

                                                  e65efc23357df0b10d2a985f42334b19626499bb6b5c0aa5e252359525cb1278

                                                  SHA512

                                                  023fef9023a4f7387a5b528bdd873c3ec84a4fd85a2f6bd5a16af4324449d0a533e973e4036dc5d4f20f8e8635cd93cf525aa06a2187cc0eaedc18208526e5e2

                                                • /etc/32676

                                                  Filesize

                                                  56B

                                                  MD5

                                                  585f408444cbca746945f0cb63f2c3f0

                                                  SHA1

                                                  0e44bae17174f04514e770ca7fc4bec1007e39cd

                                                  SHA256

                                                  ebb961c647363dfa90f302de378e0e61807b9b792fc86616635a713cca8f4299

                                                  SHA512

                                                  022241dbafad55164701f67ef5b84154e3af97c5dfe77dee7bf8406f2befbd2962bbf4f243432b2f41d6c2376b87fcf551fd6945e03ddb02a5619c2f0f69c596

                                                • /etc/profile.d/gateway.sh

                                                  Filesize

                                                  5KB

                                                  MD5

                                                  227a551a2ad43e9a81c45248e53cb23f

                                                  SHA1

                                                  a29d7440a50030bb93310486f52972b3ffac2eed

                                                  SHA256

                                                  590f1470687fe8cedf2b4a702258987fc4fdd82f71f570dadcf9728553f30018

                                                  SHA512

                                                  9e5fd551602461d6b2626a3f9258934aca273ed13e53d51e72bcfc1a446bcc7bd44cfcbe6b670bef760c06dbdbfef6261046cd01ec1c9e669d1c7251b789ccff

                                                • /usr/lib/systemd/system/quotaoff.service

                                                  Filesize

                                                  186B

                                                  MD5

                                                  b02de6cd28cd922b18d9d93375a70d8b

                                                  SHA1

                                                  021426a5a2ff9edc80ba5936c94b37525538885e

                                                  SHA256

                                                  d8d8e5cd33aa3450cd74c63716a02f3dff39efef2836559f110bc93663b1380a

                                                  SHA512

                                                  db3fe03ad5e599e6c03aaec7bf1242f5509fbb624adb9afb7499e25487daef3f3f1c6babf51570b527a5ac5c9f4b079ae4cc53baa9497c0a121328bef8d04422