Analysis
max time kernel: 148s
max time network: 147s
platform: ubuntu-22.04_amd64
resource: ubuntu2204-amd64-20250410-en
resource tags: arch:amd64, arch:i386, image:ubuntu2204-amd64-20250410-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
submitted: 16/04/2025, 18:45
Behavioral task: behavioral1
Sample: linux_amd64.elf
Resource: ubuntu2204-amd64-20250410-en
General
Target: linux_amd64.elf
Size: 1.9MB
MD5: 4a67fbaac9ab2555654663e56ad125a1
SHA1: d6dbe82c06c8bd5b83eea3daa26605b10c4e4457
SHA256: c09b6758cad544622f1a8a0e5edb64af4b952eb95ae94dcfe20fc1af2a9ab7e4
SHA512: 7a88709312bfdf50b3900abeab5e916fcbb63e773b58e158b557f239d1e8b861c4294dd86cfec80e4baf199fcb606d484da991c7b42594ec8999f945a4afb154
SSDEEP: 49152:PTcFMvG6RMCg9orb/T9vO90d7HjmAFd4A64nsfJcFaJysrgftB+g2vUqHY/Wz1:wKbocwr
Malware Config
Extracted (kaiji): 154.40.47.248:888
Signatures

Kaiji (1 IoCs)
Kaiji payload
resource | yara_rule
behavioral1/files/fstream-5.dat | Kaiji
Kaiji family

Executes dropped EXE (1 IoCs)
ioc | pid | Process
/etc/32676 | 1579 | sh

Modifies Watchdog functionality (1 TTPs, 2 IoCs)
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description | ioc | Process
File opened for modification | /dev/watchdog | linux_amd64.elf
File opened for modification | /dev/misc/watchdog | linux_amd64.elf

Creates/modifies Cron job (1 TTPs, 1 IoCs)
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description | ioc | Process
File opened for modification | /etc/crontab | sh

Creates/modifies environment variables (1 TTPs, 3 IoCs)
Creating/modifying environment variables is a common persistence mechanism.
description | ioc | Process
File opened for modification | /etc/profile.d/bash_cfg | linux_amd64.elf
File opened for modification | /etc/profile.d/bash_cfg.sh | linux_amd64.elf
File opened for modification | /etc/profile.d/gateway.sh | linux_amd64.elf
Enumerates running processes
Discovers information about currently running processes on the system

Modifies init.d
description | ioc | Process
File opened for modification | /etc/init.d/plymouth | linux_amd64.elf
File opened for modification | /etc/init.d/anacron | linux_amd64.elf
File opened for modification | /etc/init.d/apparmor | linux_amd64.elf
File opened for modification | /etc/init.d/kmod | linux_amd64.elf
File opened for modification | /etc/init.d/cryptdisks | linux_amd64.elf
File opened for modification | /etc/init.d/hwclock.sh | linux_amd64.elf
File opened for modification | /etc/init.d/lvm2-lvmpolld | linux_amd64.elf
File opened for modification | /etc/init.d/sssd | linux_amd64.elf
File opened for modification | /etc/init.d/acpid | linux_amd64.elf
File opened for modification | /etc/init.d/alsa-utils | linux_amd64.elf
File opened for modification | /etc/init.d/iscsid | linux_amd64.elf
File opened for modification | /etc/init.d/open-iscsi | linux_amd64.elf
File opened for modification | /etc/init.d/procps | linux_amd64.elf
File opened for modification | /etc/init.d/ssh | linux_amd64.elf
File opened for modification | /etc/init.d/unattended-upgrades | linux_amd64.elf
File opened for modification | /etc/init.d/apport | linux_amd64.elf
File opened for modification | /etc/init.d/bluetooth | linux_amd64.elf
File opened for modification | /etc/init.d/cryptdisks-early | linux_amd64.elf
File opened for modification | /etc/init.d/cups-browsed | linux_amd64.elf
File opened for modification | /etc/init.d/udev | linux_amd64.elf
File opened for modification | /etc/init.d/avahi-daemon | linux_amd64.elf
File opened for modification | /etc/init.d/keyboard-setup.sh | linux_amd64.elf
File opened for modification | /etc/init.d/rsync | linux_amd64.elf
File opened for modification | /etc/init.d/x11-common | linux_amd64.elf
File opened for modification | /etc/init.d/cron | linux_amd64.elf
File opened for modification | /etc/init.d/plymouth-log | linux_amd64.elf
File opened for modification | /etc/init.d/spice-vdagent | linux_amd64.elf
File opened for modification | /etc/init.d/console-setup.sh | linux_amd64.elf
File opened for modification | /etc/init.d/dbus | linux_amd64.elf
File opened for modification | /etc/init.d/saned | linux_amd64.elf
File opened for modification | /etc/init.d/cups | linux_amd64.elf
File opened for modification | /etc/init.d/gdm3 | linux_amd64.elf
File opened for modification | /etc/init.d/openvpn | linux_amd64.elf
Modifies systemd (2 TTPs, 1 IoCs)
Adds/modifies systemd service files. Likely to achieve persistence.
description | ioc | Process
File opened for modification | /usr/lib/systemd/system/quotaoff.service | linux_amd64.elf

Write file to user bin folder (12 IoCs)
description | ioc | Process
File opened for modification | /usr/bin/include/ps | linux_amd64.elf
File opened for modification | /usr/bin/include/ss | linux_amd64.elf
File opened for modification | /usr/bin/include/ls | linux_amd64.elf
File opened for modification | /usr/bin/include/find | linux_amd64.elf
File opened for modification | /usr/bin/dir | linux_amd64.elf
File opened for modification | /usr/bin/include/dir | linux_amd64.elf
File opened for modification | /usr/bin/include/lsof | linux_amd64.elf
File opened for modification | /usr/bin/ps | linux_amd64.elf
File opened for modification | /usr/bin/ss | linux_amd64.elf
File opened for modification | /usr/bin/ls | linux_amd64.elf
File opened for modification | /usr/bin/find | linux_amd64.elf
File opened for modification | /usr/bin/lsof | linux_amd64.elf

Modifies Bash startup script (2 TTPs, 3 IoCs)
description | ioc | Process
File opened for modification | /etc/profile.d/bash_cfg | linux_amd64.elf
File opened for modification | /etc/profile.d/bash_cfg.sh | linux_amd64.elf
File opened for modification | /etc/profile.d/gateway.sh | linux_amd64.elf

Changes its process name (1 IoCs)
description | ioc | pid | Process
Changes the process name, possibly in an attempt to hide itself | ksoftirqd/0 | 1574 | linux_amd64.elf
Command and Scripting Interpreter: Unix Shell (1 TTPs, 4 IoCs)
Execute scripts via Unix Shell.
pid | Process
1590 | sh
1675 | sh
1678 | sh
1578 | sh

Enumerates kernel/hardware configuration (1 TTPs, 2 IoCs)
Reads contents of /sys virtual filesystem to enumerate system information.
description | ioc | Process
File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | linux_amd64.elf
File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | linux_amd64.elf
description | ioc | Process
File opened for reading | /proc/1737/stat | linux_amd64.elf
File opened for reading | /proc/556/stat | linux_amd64.elf
File opened for reading | /proc/1587/stat | linux_amd64.elf
File opened for reading | /proc/774/stat | linux_amd64.elf
File opened for reading | /proc/1080/stat | linux_amd64.elf
File opened for reading | /proc/1178/stat | linux_amd64.elf
File opened for reading | /proc/1220/stat | linux_amd64.elf
File opened for reading | /proc/filesystems | systemctl
File opened for reading | /proc/680/stat | linux_amd64.elf
File opened for reading | /proc/799/stat | linux_amd64.elf
File opened for reading | /proc/1381/stat | linux_amd64.elf
File opened for reading | /proc/1199/stat | linux_amd64.elf
File opened for reading | /proc/788/stat | linux_amd64.elf
File opened for reading | /proc/1097/stat | linux_amd64.elf
File opened for reading | /proc/1228/stat | linux_amd64.elf
File opened for reading | /proc/filesystems | systemctl
File opened for reading | /proc/666/stat | linux_amd64.elf
File opened for reading | /proc/973/stat | linux_amd64.elf
File opened for reading | /proc/1032/stat | linux_amd64.elf
File opened for reading | /proc/1096/stat | linux_amd64.elf
File opened for reading | /proc/413/stat | linux_amd64.elf
File opened for reading | /proc/915/stat | linux_amd64.elf
File opened for reading | /proc/1094/stat | linux_amd64.elf
File opened for reading | /proc/1512/stat | linux_amd64.elf
File opened for reading | /proc/filesystems | systemctl
File opened for reading | /proc/415/stat | linux_amd64.elf
File opened for reading | /proc/803/stat | linux_amd64.elf
File opened for reading | /proc/890/stat | linux_amd64.elf
File opened for reading | /proc/1492/stat | linux_amd64.elf
File opened for reading | /proc/989/stat | linux_amd64.elf
File opened for reading | /proc/1574/stat | linux_amd64.elf
File opened for reading | /proc/1332/stat | linux_amd64.elf
File opened for reading | /proc/filesystems | mount
File opened for reading | /proc/636/stat | linux_amd64.elf
File opened for reading | /proc/1101/stat | linux_amd64.elf
File opened for reading | /proc/1104/stat | linux_amd64.elf
File opened for reading | /proc/1581/stat | linux_amd64.elf
File opened for reading | /proc/377/stat | linux_amd64.elf
File opened for reading | /proc/522/stat | linux_amd64.elf
File opened for reading | /proc/641/stat | linux_amd64.elf
File opened for reading | /proc/1455/stat | linux_amd64.elf
File opened for reading | /proc/426/stat | linux_amd64.elf
File opened for reading | /proc/686/stat | linux_amd64.elf
File opened for reading | /proc/1018/stat | linux_amd64.elf
File opened for reading | /proc/1108/stat | linux_amd64.elf
File opened for reading | /proc/filesystems | systemctl
File opened for reading | /proc/634/stat | linux_amd64.elf
File opened for reading | /proc/927/stat | linux_amd64.elf
File opened for reading | /proc/1092/stat | linux_amd64.elf
File opened for reading | /proc/1125/stat | linux_amd64.elf
File opened for reading | /proc/1435/stat | linux_amd64.elf
File opened for reading | /proc/1203/stat | linux_amd64.elf
File opened for reading | /proc/1214/stat | linux_amd64.elf
File opened for reading | /proc/948/stat | linux_amd64.elf
File opened for reading | /proc/979/stat | linux_amd64.elf
File opened for reading | /proc/1127/stat | linux_amd64.elf
File opened for reading | /proc/filesystems | sed
File opened for reading | /proc/1249/stat | linux_amd64.elf
File opened for reading | /proc/586/stat | linux_amd64.elf
File opened for reading | /proc/1442/stat | linux_amd64.elf
File opened for reading | /proc/1722/stat | linux_amd64.elf
File opened for reading | /proc/907/stat | linux_amd64.elf
File opened for reading | /proc/315/stat | linux_amd64.elf
File opened for reading | /proc/594/stat | linux_amd64.elf
Processes
Process tree (binary, command line, PID; indentation shows parent/child depth, signatures as bullets):

/tmp/linux_amd64.elf  cmd: /tmp/linux_amd64.elf  PID:1570
  - Enumerates kernel/hardware configuration
  /tmp/linux_amd64.elf  cmd: /tmp/linux_amd64.elf " "  PID:1574
    - Modifies Watchdog functionality
    - Creates/modifies environment variables
    - Modifies init.d
    - Modifies systemd
    - Write file to user bin folder
    - Modifies Bash startup script
    - Changes its process name
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    /bin/sh  cmd: /bin/sh -c "/etc/32676&"  PID:1578
      - Executes dropped EXE
      - Command and Scripting Interpreter: Unix Shell
    /usr/sbin/service  cmd: service crond start  PID:1580
      /usr/bin/basename  cmd: basename /usr/sbin/service  PID:1582
      /usr/bin/basename  cmd: basename /usr/sbin/service  PID:1583
      /usr/bin/sed  cmd: sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"  PID:1586
        - Reads runtime system information
      /usr/bin/systemctl  cmd: systemctl list-unit-files --full "--type=socket"  PID:1585
    /usr/local/sbin/systemctl  cmd: systemctl start crond.service  PID:1580
    /usr/local/bin/systemctl  cmd: systemctl start crond.service  PID:1580
    /usr/sbin/systemctl  cmd: systemctl start crond.service  PID:1580
    /usr/bin/systemctl  cmd: systemctl start crond.service  PID:1580
      - Reads runtime system information
    /bin/sh  cmd: /bin/sh -c "cd /boot;systemctl daemon-reload;systemctl enable quotaoff.service;systemctl start quotaoff.service;journalctl -xe --no-pager"  PID:1590
      - Command and Scripting Interpreter: Unix Shell
      /usr/bin/systemctl  cmd: systemctl daemon-reload  PID:1591
      /usr/bin/systemctl  cmd: systemctl enable quotaoff.service  PID:1625
      /usr/bin/systemctl  cmd: systemctl start quotaoff.service  PID:1659
        - Reads runtime system information
      /usr/bin/journalctl  cmd: journalctl -xe --no-pager  PID:1674
    /bin/sh  cmd: /bin/sh -c "cd /boot;ausearch -c 'System.mod' --raw | audit2allow -M my-Systemmod;semodule -X 300 -i my-Systemmod.pp"  PID:1675
      - Command and Scripting Interpreter: Unix Shell
    /bin/sh  cmd: /bin/sh -c "echo \"*/1 * * * * root /.mod \" >> /etc/crontab"  PID:1678
      - Creates/modifies Cron job
      - Command and Scripting Interpreter: Unix Shell
    /usr/bin/renice  cmd: renice -20 1574  PID:1679
    /usr/bin/mount  cmd: mount -o bind /tmp/ /proc/1574  PID:1680
      - Reads runtime system information
    /usr/sbin/service  cmd: service cron start  PID:1682
      /usr/bin/basename  cmd: basename /usr/sbin/service  PID:1683
      /usr/bin/basename  cmd: basename /usr/sbin/service  PID:1684
      /usr/bin/sed  cmd: sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"  PID:1687
      /usr/bin/systemctl  cmd: systemctl list-unit-files --full "--type=socket"  PID:1686
    /usr/local/sbin/systemctl  cmd: systemctl start cron.service  PID:1682
    /usr/local/bin/systemctl  cmd: systemctl start cron.service  PID:1682
    /usr/sbin/systemctl  cmd: systemctl start cron.service  PID:1682
    /usr/bin/systemctl  cmd: systemctl start cron.service  PID:1682
      - Reads runtime system information
    /usr/bin/systemctl  cmd: systemctl start crond.service  PID:1688
      - Reads runtime system information

/etc/32676  cmd: /etc/32676  PID:1579
  /usr/bin/sleep  cmd: sleep 60  PID:1581
  /usr/bin/sleep  cmd: sleep 60  PID:1722
  /usr/bin/sleep  cmd: sleep 60  PID:1737
Network
MITRE ATT&CK Enterprise v16
Execution
  Command and Scripting Interpreter (1): Unix Shell (1)
  Scheduled Task/Job (1): Cron (1)
Persistence
  Boot or Logon Autostart Execution (3): XDG Autostart Entries (1)
  Boot or Logon Initialization Scripts (1): RC Scripts (1)
  Create or Modify System Process (1): Systemd Service (1)
  Event Triggered Execution (1): Unix Shell Configuration Modification (1)
  Hijack Execution Flow (1): Path Interception by PATH Environment Variable (1)
  Scheduled Task/Job (1): Cron (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3): XDG Autostart Entries (1)
  Boot or Logon Initialization Scripts (1): RC Scripts (1)
  Create or Modify System Process (1): Systemd Service (1)
  Event Triggered Execution (1): Unix Shell Configuration Modification (1)
  Hijack Execution Flow (1): Path Interception by PATH Environment Variable (1)
  Scheduled Task/Job (1): Cron (1)
Downloads