Analysis
- max time kernel: 149s
- max time network: 146s
- platform: debian-9_armhf
- resource: debian9-armhf-20240418-en
- resource tags: arch:armhf, image:debian9-armhf-20240418-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 17/04/2025, 05:30
Behavioral task
- behavioral1
  - Sample: linux_arm5.elf
  - Resource: debian9-armhf-20240418-en
General
- Target: linux_arm5.elf
- Size: 2.0MB
- MD5: f2c0f22bccb73b34d04e53c00718b65d
- SHA1: 9183973ad6b15e8c2230fee903dd60bf23487beb
- SHA256: e3bbaa4dd4acfceaaee209232a3f8f4377b97ad1835fc50d8119c8bc24e5d2d6
- SHA512: 9c588e0af9c32696fef8331957410736e0ed304fac99fbd88289b96209ef684045df52ce1113940ef8c48cf041bd599752a444ab7c2e688c144017784a426d68
- SSDEEP: 24576:eajMIV0QZKaSmrzMjTgmJX5ZmrzXJu+M5lVhmhXZ1smHwEN3rWCh5WVhuBPnjKqK:e6s9DMqF2T1y
Malware Config (Extracted)
- Family: kaiji
- Address: 103.45.68.160:888
Signatures

Kaiji 1 IoCs
- Kaiji payload
  resource | yara_rule
  behavioral1/files/fstream-3.dat | Kaiji
- Kaiji family

Executes dropped EXE 5 IoCs
ioc | pid | Process
/etc/32676 | 661 | sh
/etc/opt.services.cfg | 828 | 32676
/etc/opt.services.cfg | 832 | opt.services.cfg
/etc/opt.services.cfg | 860 | 32676
/etc/opt.services.cfg | 864 | opt.services.cfg

Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description | ioc | Process
File opened for modification | /dev/watchdog | linux_arm5.elf
File opened for modification | /dev/misc/watchdog | linux_arm5.elf

Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description | ioc | Process
File opened for modification | /etc/crontab | sh

Creates/modifies environment variables 1 TTPs 3 IoCs
Creating/modifying environment variables is a common persistence mechanism.
description | ioc | Process
File opened for modification | /etc/profile.d/bash_cfg | linux_arm5.elf
File opened for modification | /etc/profile.d/bash_cfg.sh | linux_arm5.elf
File opened for modification | /etc/profile.d/gateway.sh | linux_arm5.elf
Enumerates running processes
Discovers information about currently running processes on the system.

Modifies init.d
description | ioc | Process
File opened for modification | /etc/init.d/console-setup.sh | linux_arm5.elf
File opened for modification | /etc/init.d/cron | linux_arm5.elf
File opened for modification | /etc/init.d/dbus | linux_arm5.elf
File opened for modification | /etc/init.d/networking | linux_arm5.elf
File opened for modification | /etc/init.d/procps | linux_arm5.elf
File opened for modification | /etc/init.d/selinux-autorelabel | linux_arm5.elf
File opened for modification | /etc/init.d/sudo | linux_arm5.elf
File opened for modification | /etc/init.d/exim4 | linux_arm5.elf
File opened for modification | /etc/init.d/kmod | linux_arm5.elf
File opened for modification | /etc/init.d/udev | linux_arm5.elf
File opened for modification | /etc/init.d/auditd | linux_arm5.elf
File opened for modification | /etc/init.d/hwclock.sh | linux_arm5.elf
File opened for modification | /etc/init.d/keyboard-setup.sh | linux_arm5.elf
File opened for modification | /etc/init.d/x11-common | linux_arm5.elf
File opened for modification | /etc/init.d/alsa-utils | linux_arm5.elf
File opened for modification | /etc/init.d/rsyslog | linux_arm5.elf
File opened for modification | /etc/init.d/ssh | linux_arm5.elf
Write file to user bin folder 2 IoCs
description | ioc | Process
File opened for modification | /usr/bin/include/find | linux_arm5.elf
File opened for modification | /usr/bin/find | linux_arm5.elf

Modifies Bash startup script 2 TTPs 3 IoCs
description | ioc | Process
File opened for modification | /etc/profile.d/bash_cfg | linux_arm5.elf
File opened for modification | /etc/profile.d/bash_cfg.sh | linux_arm5.elf
File opened for modification | /etc/profile.d/gateway.sh | linux_arm5.elf

Command and Scripting Interpreter: Unix Shell 1 TTPs 2 IoCs
Execute scripts via Unix Shell.
pid | Process
659 | sh
703 | sh

Enumerates kernel/hardware configuration 1 TTPs 37 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
description | ioc | Process (identical rows collapsed, count in brackets)
File opened for reading | /sys/fs/kdbus/0-system/bus | systemctl [31]
File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | opt.services.cfg [4]
File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | linux_arm5.elf [2]
Reads runtime system information
description | ioc | Process (identical rows collapsed, count in brackets)
File opened for reading | /proc/<pid>/stat | linux_arm5.elf [25] (pids 597, 636, 655, 25, 29, 140, 139, 223, 278, 649, 18, 41, 43, 4, 22, 138, 152, 1, 21, 81, 112, 2, 26, 595, 641)
File opened for reading | /proc/cmdline | systemctl [11]
File opened for reading | /proc/1/environ | systemctl [10]
File opened for reading | /proc/filesystems | systemctl [9]
File opened for reading | /proc/filesystems | mount [1]
File opened for reading | /proc/self/stat | systemctl [8]
Processes
(each entry: executable path: command line [PID] (signatures); nesting shows parent/child)
- /tmp/linux_arm5.elf: /tmp/linux_arm5.elf [PID 643] (Enumerates kernel/hardware configuration)
  - /tmp/linux_arm5.elf: /tmp/linux_arm5.elf " " [PID 648] (Modifies Watchdog functionality; Creates/modifies environment variables; Modifies init.d; Write file to user bin folder; Modifies Bash startup script; Enumerates kernel/hardware configuration; Reads runtime system information)
    - /bin/sh: /bin/sh -c "/etc/32676&" [PID 659] (Executes dropped EXE; Command and Scripting Interpreter: Unix Shell)
    - /usr/sbin/service: service crond start [PID 662]
      - /usr/bin/basename: basename /usr/sbin/service [PID 664]
      - /usr/bin/basename: basename /usr/sbin/service [PID 668]
      - /bin/systemctl: systemctl --quiet is-active multi-user.target [PID 669] (Enumerates kernel/hardware configuration; Reads runtime system information)
      - /bin/sed: sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p" [PID 676]
      - /bin/systemctl: systemctl list-unit-files --full "--type=socket" [PID 675] (Enumerates kernel/hardware configuration; Reads runtime system information)
      - /bin/systemctl: systemctl -p Triggers show dbus.socket [PID 684] (Enumerates kernel/hardware configuration; Reads runtime system information)
      - /bin/systemctl: systemctl -p Triggers show ssh.socket [PID 688] (Enumerates kernel/hardware configuration; Reads runtime system information)
      - /bin/systemctl: systemctl -p Triggers show syslog.socket [PID 689] (Enumerates kernel/hardware configuration; Reads runtime system information)
      - /bin/systemctl: systemctl -p Triggers show systemd-fsckd.socket [PID 691] (Enumerates kernel/hardware configuration)
      - /bin/systemctl: systemctl -p Triggers show systemd-initctl.socket [PID 693] (Enumerates kernel/hardware configuration)
      - /bin/systemctl: systemctl -p Triggers show systemd-journald-audit.socket [PID 694] (Enumerates kernel/hardware configuration; Reads runtime system information)
      - /bin/systemctl: systemctl -p Triggers show systemd-journald-dev-log.socket [PID 695] (Enumerates kernel/hardware configuration)
      - /bin/systemctl: systemctl -p Triggers show systemd-journald.socket [PID 696] (Enumerates kernel/hardware configuration; Reads runtime system information)
      - /bin/systemctl: systemctl -p Triggers show systemd-networkd.socket [PID 697] (Enumerates kernel/hardware configuration; Reads runtime system information)
      - /bin/systemctl: systemctl -p Triggers show systemd-rfkill.socket [PID 698] (Enumerates kernel/hardware configuration; Reads runtime system information)
      - /bin/systemctl: systemctl -p Triggers show systemd-udevd-control.socket [PID 699] (Enumerates kernel/hardware configuration; Reads runtime system information)
      - /bin/systemctl: systemctl -p Triggers show systemd-udevd-kernel.socket [PID 700] (Enumerates kernel/hardware configuration; Reads runtime system information)
    - /usr/local/sbin/systemctl: systemctl start crond.service [PID 662]
    - /usr/local/bin/systemctl: systemctl start crond.service [PID 662]
    - /usr/sbin/systemctl: systemctl start crond.service [PID 662]
    - /usr/bin/systemctl: systemctl start crond.service [PID 662]
    - /sbin/systemctl: systemctl start crond.service [PID 662]
    - /bin/systemctl: systemctl start crond.service [PID 662] (Enumerates kernel/hardware configuration; Reads runtime system information)
    - /bin/sh: /bin/sh -c "echo \"*/1 * * * * root /.mod \" >> /etc/crontab" [PID 703] (Creates/modifies Cron job; Command and Scripting Interpreter: Unix Shell)
    - /usr/bin/renice: renice -20 648 [PID 706]
    - /bin/mount: mount -o bind /tmp/ /proc/648 [PID 708] (Reads runtime system information)
    - /usr/sbin/service: service cron start [PID 709]
      - /usr/bin/basename: basename /usr/sbin/service [PID 710]
      - /usr/bin/basename: basename /usr/sbin/service [PID 711]
      - /bin/systemctl: systemctl --quiet is-active multi-user.target [PID 712] (Enumerates kernel/hardware configuration; Reads runtime system information)
      - /bin/sed: sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p" [PID 715]
      - /bin/systemctl: systemctl list-unit-files --full "--type=socket" [PID 714] (Enumerates kernel/hardware configuration; Reads runtime system information)
      - /bin/systemctl: systemctl -p Triggers show dbus.socket [PID 719] (Enumerates kernel/hardware configuration; Reads runtime system information)
      - /bin/systemctl: systemctl -p Triggers show ssh.socket [PID 720] (Enumerates kernel/hardware configuration; Reads runtime system information)
      - /bin/systemctl: systemctl -p Triggers show syslog.socket [PID 721] (Enumerates kernel/hardware configuration; Reads runtime system information)
      - /bin/systemctl: systemctl -p Triggers show systemd-fsckd.socket [PID 722] (Enumerates kernel/hardware configuration; Reads runtime system information)
      - /bin/systemctl: systemctl -p Triggers show systemd-initctl.socket [PID 723] (Enumerates kernel/hardware configuration)
      - /bin/systemctl: systemctl -p Triggers show systemd-journald-audit.socket [PID 724] (Enumerates kernel/hardware configuration; Reads runtime system information)
      - /bin/systemctl: systemctl -p Triggers show systemd-journald-dev-log.socket [PID 725] (Enumerates kernel/hardware configuration; Reads runtime system information)
      - /bin/systemctl: systemctl -p Triggers show systemd-journald.socket [PID 727] (Enumerates kernel/hardware configuration)
      - /bin/systemctl: systemctl -p Triggers show systemd-networkd.socket [PID 728] (Enumerates kernel/hardware configuration; Reads runtime system information)
      - /bin/systemctl: systemctl -p Triggers show systemd-rfkill.socket [PID 729] (Enumerates kernel/hardware configuration)
      - /bin/systemctl: systemctl -p Triggers show systemd-udevd-control.socket [PID 730] (Enumerates kernel/hardware configuration)
      - /bin/systemctl: systemctl -p Triggers show systemd-udevd-kernel.socket [PID 731] (Enumerates kernel/hardware configuration; Reads runtime system information)
    - /usr/local/sbin/systemctl: systemctl start cron.service [PID 709]
    - /usr/local/bin/systemctl: systemctl start cron.service [PID 709]
    - /usr/sbin/systemctl: systemctl start cron.service [PID 709]
    - /usr/bin/systemctl: systemctl start cron.service [PID 709]
    - /sbin/systemctl: systemctl start cron.service [PID 709]
    - /bin/systemctl: systemctl start cron.service [PID 709] (Enumerates kernel/hardware configuration; Reads runtime system information)
    - /bin/systemctl: systemctl start crond.service [PID 732] (Enumerates kernel/hardware configuration; Reads runtime system information)
- /etc/32676: /etc/32676 [PID 661] (Executes dropped EXE)
  - /bin/sleep: sleep 60 [PID 665]
  - /etc/opt.services.cfg: /etc/opt.services.cfg [PID 828] (Executes dropped EXE; Enumerates kernel/hardware configuration)
    - /etc/opt.services.cfg: /etc/opt.services.cfg " " [PID 832] (Enumerates kernel/hardware configuration)
  - /bin/sleep: sleep 60 [PID 833]
  - /etc/opt.services.cfg: /etc/opt.services.cfg [PID 860] (Executes dropped EXE; Enumerates kernel/hardware configuration)
    - /etc/opt.services.cfg: /etc/opt.services.cfg " " [PID 864] (Enumerates kernel/hardware configuration)
  - /bin/sleep: sleep 60 [PID 865]
Network
MITRE ATT&CK Enterprise v16 (count of matching signatures in brackets)
Execution
- Command and Scripting Interpreter [1]: Unix Shell [1]
- Scheduled Task/Job [1]: Cron [1]
Persistence
- Boot or Logon Autostart Execution [2]
- Boot or Logon Initialization Scripts [1]: RC Scripts [1]
- Event Triggered Execution [1]: Unix Shell Configuration Modification [1]
- Hijack Execution Flow [1]: Path Interception by PATH Environment Variable [1]
- Scheduled Task/Job [1]: Cron [1]
Privilege Escalation
- Boot or Logon Autostart Execution [2]
- Boot or Logon Initialization Scripts [1]: RC Scripts [1]
- Event Triggered Execution [1]: Unix Shell Configuration Modification [1]
- Hijack Execution Flow [1]: Path Interception by PATH Environment Variable [1]
- Scheduled Task/Job [1]: Cron [1]
Downloads