Malware Analysis Report

2025-05-05 22:14

Sample ID 250417-f69mxayycz
Target linux_arm5.elf
SHA256 e3bbaa4dd4acfceaaee209232a3f8f4377b97ad1835fc50d8119c8bc24e5d2d6
Tags
kaiji defense_evasion discovery execution persistence privilege_escalation
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e3bbaa4dd4acfceaaee209232a3f8f4377b97ad1835fc50d8119c8bc24e5d2d6

Threat Level: Known bad

The file linux_arm5.elf was found to be: Known bad.

Malicious Activity Summary

kaiji defense_evasion discovery execution persistence privilege_escalation

Kaiji family

Kaiji

Executes dropped EXE

Modifies Watchdog functionality

Write file to user bin folder

Enumerates running processes

Creates/modifies Cron job

Creates/modifies environment variables

Modifies init.d

Modifies Bash startup script

Enumerates kernel/hardware configuration

Reads runtime system information

Command and Scripting Interpreter: Unix Shell

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-04-17 05:30

Signatures

Kaiji

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Kaiji family

kaiji

Analysis: behavioral1

Detonation Overview

Submitted

2025-04-17 05:30

Reported

2025-04-17 05:32

Platform

debian9-armhf-20240418-en

Max time kernel

149s

Max time network

146s

Command Line

[/tmp/linux_arm5.elf]

Signatures

Kaiji

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Kaiji family

kaiji

Executes dropped EXE

Description  Indicator              Process                Target
N/A          /etc/32676             /bin/sh                N/A
N/A          /etc/opt.services.cfg  /etc/32676             N/A
N/A          /etc/opt.services.cfg  /etc/opt.services.cfg  N/A
N/A          /etc/opt.services.cfg  /etc/32676             N/A
N/A          /etc/opt.services.cfg  /etc/opt.services.cfg  N/A

Modifies Watchdog functionality

defense_evasion
Description                   Indicator           Process              Target
File opened for modification  /dev/watchdog       /tmp/linux_arm5.elf  N/A
File opened for modification  /dev/misc/watchdog  /tmp/linux_arm5.elf  N/A

Creates/modifies Cron job

execution persistence privilege_escalation
Description                   Indicator     Process  Target
File opened for modification  /etc/crontab  /bin/sh  N/A

Creates/modifies environment variables

persistence privilege_escalation defense_evasion
Description                   Indicator                   Process              Target
File opened for modification  /etc/profile.d/bash_cfg     /tmp/linux_arm5.elf  N/A
File opened for modification  /etc/profile.d/bash_cfg.sh  /tmp/linux_arm5.elf  N/A
File opened for modification  /etc/profile.d/gateway.sh   /tmp/linux_arm5.elf  N/A

Enumerates running processes

Modifies init.d

persistence
Description                   Indicator                        Process              Target
File opened for modification  /etc/init.d/console-setup.sh     /tmp/linux_arm5.elf  N/A
File opened for modification  /etc/init.d/cron                 /tmp/linux_arm5.elf  N/A
File opened for modification  /etc/init.d/dbus                 /tmp/linux_arm5.elf  N/A
File opened for modification  /etc/init.d/networking           /tmp/linux_arm5.elf  N/A
File opened for modification  /etc/init.d/procps               /tmp/linux_arm5.elf  N/A
File opened for modification  /etc/init.d/selinux-autorelabel  /tmp/linux_arm5.elf  N/A
File opened for modification  /etc/init.d/sudo                 /tmp/linux_arm5.elf  N/A
File opened for modification  /etc/init.d/exim4                /tmp/linux_arm5.elf  N/A
File opened for modification  /etc/init.d/kmod                 /tmp/linux_arm5.elf  N/A
File opened for modification  /etc/init.d/udev                 /tmp/linux_arm5.elf  N/A
File opened for modification  /etc/init.d/auditd               /tmp/linux_arm5.elf  N/A
File opened for modification  /etc/init.d/hwclock.sh           /tmp/linux_arm5.elf  N/A
File opened for modification  /etc/init.d/keyboard-setup.sh    /tmp/linux_arm5.elf  N/A
File opened for modification  /etc/init.d/x11-common           /tmp/linux_arm5.elf  N/A
File opened for modification  /etc/init.d/alsa-utils           /tmp/linux_arm5.elf  N/A
File opened for modification  /etc/init.d/rsyslog              /tmp/linux_arm5.elf  N/A
File opened for modification  /etc/init.d/ssh                  /tmp/linux_arm5.elf  N/A

Write file to user bin folder

persistence
Description                   Indicator              Process              Target
File opened for modification  /usr/bin/include/find  /tmp/linux_arm5.elf  N/A
File opened for modification  /usr/bin/find          /tmp/linux_arm5.elf  N/A

Modifies Bash startup script

persistence
Description                   Indicator                   Process              Target
File opened for modification  /etc/profile.d/bash_cfg     /tmp/linux_arm5.elf  N/A
File opened for modification  /etc/profile.d/bash_cfg.sh  /tmp/linux_arm5.elf  N/A
File opened for modification  /etc/profile.d/gateway.sh   /tmp/linux_arm5.elf  N/A

Command and Scripting Interpreter: Unix Shell

execution
Description  Indicator  Process  Target
N/A          N/A        /bin/sh  N/A
N/A          N/A        /bin/sh  N/A

Enumerates kernel/hardware configuration

discovery
Description              Indicator                                           Process                Target
File opened for reading  /sys/fs/kdbus/0-system/bus                          /bin/systemctl         N/A
File opened for reading  /sys/fs/kdbus/0-system/bus                          /bin/systemctl         N/A
File opened for reading  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size  /etc/opt.services.cfg  N/A
File opened for reading  /sys/fs/kdbus/0-system/bus                          /bin/systemctl         N/A
File opened for reading  /sys/fs/kdbus/0-system/bus                          /bin/systemctl         N/A
File opened for reading  /sys/fs/kdbus/0-system/bus                          /bin/systemctl         N/A
File opened for reading  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size  /etc/opt.services.cfg  N/A
File opened for reading  /sys/fs/kdbus/0-system/bus                          /bin/systemctl         N/A
File opened for reading  /sys/fs/kdbus/0-system/bus                          /bin/systemctl         N/A
File opened for reading  /sys/fs/kdbus/0-system/bus                          /bin/systemctl         N/A
File opened for reading  /sys/fs/kdbus/0-system/bus                          /bin/systemctl         N/A
File opened for reading  /sys/fs/kdbus/0-system/bus                          /bin/systemctl         N/A
File opened for reading  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size  /tmp/linux_arm5.elf    N/A
File opened for reading  /sys/fs/kdbus/0-system/bus                          /bin/systemctl         N/A
File opened for reading  /sys/fs/kdbus/0-system/bus                          /bin/systemctl         N/A
File opened for reading  /sys/fs/kdbus/0-system/bus                          /bin/systemctl         N/A
File opened for reading  /sys/fs/kdbus/0-system/bus                          /bin/systemctl         N/A
File opened for reading  /sys/fs/kdbus/0-system/bus                          /bin/systemctl         N/A
File opened for reading  /sys/fs/kdbus/0-system/bus                          /bin/systemctl         N/A
File opened for reading  /sys/fs/kdbus/0-system/bus                          /bin/systemctl         N/A
File opened for reading  /sys/fs/kdbus/0-system/bus                          /bin/systemctl         N/A
File opened for reading  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size  /etc/opt.services.cfg  N/A
File opened for reading  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size  /etc/opt.services.cfg  N/A
File opened for reading  /sys/fs/kdbus/0-system/bus                          /bin/systemctl         N/A
File opened for reading  /sys/fs/kdbus/0-system/bus                          /bin/systemctl         N/A
File opened for reading  /sys/fs/kdbus/0-system/bus                          /bin/systemctl         N/A
File opened for reading  /sys/fs/kdbus/0-system/bus                          /bin/systemctl         N/A
File opened for reading  /sys/fs/kdbus/0-system/bus                          /bin/systemctl         N/A
File opened for reading  /sys/fs/kdbus/0-system/bus                          /bin/systemctl         N/A
File opened for reading  /sys/fs/kdbus/0-system/bus                          /bin/systemctl         N/A
File opened for reading  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size  /tmp/linux_arm5.elf    N/A
File opened for reading  /sys/fs/kdbus/0-system/bus                          /bin/systemctl         N/A
File opened for reading  /sys/fs/kdbus/0-system/bus                          /bin/systemctl         N/A
File opened for reading  /sys/fs/kdbus/0-system/bus                          /bin/systemctl         N/A
File opened for reading  /sys/fs/kdbus/0-system/bus                          /bin/systemctl         N/A
File opened for reading  /sys/fs/kdbus/0-system/bus                          /bin/systemctl         N/A
File opened for reading  /sys/fs/kdbus/0-system/bus                          /bin/systemctl         N/A

Reads runtime system information

discovery
Description              Indicator          Process              Target
File opened for reading  /proc/597/stat     /tmp/linux_arm5.elf  N/A
File opened for reading  /proc/636/stat     /tmp/linux_arm5.elf  N/A
File opened for reading  /proc/655/stat     /tmp/linux_arm5.elf  N/A
File opened for reading  /proc/cmdline      /bin/systemctl       N/A
File opened for reading  /proc/cmdline      /bin/systemctl       N/A
File opened for reading  /proc/filesystems  /bin/mount           N/A
File opened for reading  /proc/25/stat      /tmp/linux_arm5.elf  N/A
File opened for reading  /proc/1/environ    /bin/systemctl       N/A
File opened for reading  /proc/filesystems  /bin/systemctl       N/A
File opened for reading  /proc/self/stat    /bin/systemctl       N/A
File opened for reading  /proc/filesystems  /bin/systemctl       N/A
File opened for reading  /proc/cmdline      /bin/systemctl       N/A
File opened for reading  /proc/29/stat      /tmp/linux_arm5.elf  N/A
File opened for reading  /proc/self/stat    /bin/systemctl       N/A
File opened for reading  /proc/self/stat    /bin/systemctl       N/A
File opened for reading  /proc/1/environ    /bin/systemctl       N/A
File opened for reading  /proc/self/stat    /bin/systemctl       N/A
File opened for reading  /proc/140/stat     /tmp/linux_arm5.elf  N/A
File opened for reading  /proc/1/environ    /bin/systemctl       N/A
File opened for reading  /proc/self/stat    /bin/systemctl       N/A
File opened for reading  /proc/self/stat    /bin/systemctl       N/A
File opened for reading  /proc/1/environ    /bin/systemctl       N/A
File opened for reading  /proc/1/environ    /bin/systemctl       N/A
File opened for reading  /proc/139/stat     /tmp/linux_arm5.elf  N/A
File opened for reading  /proc/223/stat     /tmp/linux_arm5.elf  N/A
File opened for reading  /proc/filesystems  /bin/systemctl       N/A
File opened for reading  /proc/1/environ    /bin/systemctl       N/A
File opened for reading  /proc/cmdline      /bin/systemctl       N/A
File opened for reading  /proc/filesystems  /bin/systemctl       N/A
File opened for reading  /proc/278/stat     /tmp/linux_arm5.elf  N/A
File opened for reading  /proc/649/stat     /tmp/linux_arm5.elf  N/A
File opened for reading  /proc/1/environ    /bin/systemctl       N/A
File opened for reading  /proc/filesystems  /bin/systemctl       N/A
File opened for reading  /proc/filesystems  /bin/systemctl       N/A
File opened for reading  /proc/cmdline      /bin/systemctl       N/A
File opened for reading  /proc/18/stat      /tmp/linux_arm5.elf  N/A
File opened for reading  /proc/41/stat      /tmp/linux_arm5.elf  N/A
File opened for reading  /proc/43/stat      /tmp/linux_arm5.elf  N/A
File opened for reading  /proc/1/environ    /bin/systemctl       N/A
File opened for reading  /proc/cmdline      /bin/systemctl       N/A
File opened for reading  /proc/4/stat       /tmp/linux_arm5.elf  N/A
File opened for reading  /proc/22/stat      /tmp/linux_arm5.elf  N/A
File opened for reading  /proc/138/stat     /tmp/linux_arm5.elf  N/A
File opened for reading  /proc/152/stat     /tmp/linux_arm5.elf  N/A
File opened for reading  /proc/self/stat    /bin/systemctl       N/A
File opened for reading  /proc/filesystems  /bin/systemctl       N/A
File opened for reading  /proc/self/stat    /bin/systemctl       N/A
File opened for reading  /proc/cmdline      /bin/systemctl       N/A
File opened for reading  /proc/1/stat       /tmp/linux_arm5.elf  N/A
File opened for reading  /proc/21/stat      /tmp/linux_arm5.elf  N/A
File opened for reading  /proc/81/stat      /tmp/linux_arm5.elf  N/A
File opened for reading  /proc/112/stat     /tmp/linux_arm5.elf  N/A
File opened for reading  /proc/1/environ    /bin/systemctl       N/A
File opened for reading  /proc/2/stat       /tmp/linux_arm5.elf  N/A
File opened for reading  /proc/26/stat      /tmp/linux_arm5.elf  N/A
File opened for reading  /proc/595/stat     /tmp/linux_arm5.elf  N/A
File opened for reading  /proc/cmdline      /bin/systemctl       N/A
File opened for reading  /proc/cmdline      /bin/systemctl       N/A
File opened for reading  /proc/cmdline      /bin/systemctl       N/A
File opened for reading  /proc/filesystems  /bin/systemctl       N/A
File opened for reading  /proc/641/stat     /tmp/linux_arm5.elf  N/A
File opened for reading  /proc/cmdline      /bin/systemctl       N/A
File opened for reading  /proc/1/environ    /bin/systemctl       N/A
File opened for reading  /proc/filesystems  /bin/systemctl       N/A

Processes

/tmp/linux_arm5.elf

[/tmp/linux_arm5.elf]

/tmp/linux_arm5.elf

[/tmp/linux_arm5.elf ]

/bin/sh

[/bin/sh -c /etc/32676&]

/usr/sbin/service

[service crond start]

/etc/32676

[/etc/32676]

/usr/bin/basename

[basename /usr/sbin/service]

/bin/sleep

[sleep 60]

/usr/bin/basename

[basename /usr/sbin/service]

/bin/systemctl

[systemctl --quiet is-active multi-user.target]

/bin/sed

[sed -ne s/\.socket\s*[a-z]*\s*$/.socket/p]

/bin/systemctl

[systemctl list-unit-files --full --type=socket]

/bin/systemctl

[systemctl -p Triggers show dbus.socket]

/bin/systemctl

[systemctl -p Triggers show ssh.socket]

/bin/systemctl

[systemctl -p Triggers show syslog.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-fsckd.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-initctl.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-journald-audit.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-journald-dev-log.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-journald.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-networkd.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-rfkill.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-udevd-control.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-udevd-kernel.socket]

/usr/local/sbin/systemctl

[systemctl start crond.service]

/usr/local/bin/systemctl

[systemctl start crond.service]

/usr/sbin/systemctl

[systemctl start crond.service]

/usr/bin/systemctl

[systemctl start crond.service]

/sbin/systemctl

[systemctl start crond.service]

/bin/systemctl

[systemctl start crond.service]

/bin/sh

[/bin/sh -c echo "*/1 * * * * root /.mod " >> /etc/crontab]

/usr/bin/renice

[renice -20 648]

/bin/mount

[mount -o bind /tmp/ /proc/648]

/usr/sbin/service

[service cron start]

/usr/bin/basename

[basename /usr/sbin/service]

/usr/bin/basename

[basename /usr/sbin/service]

/bin/systemctl

[systemctl --quiet is-active multi-user.target]

/bin/sed

[sed -ne s/\.socket\s*[a-z]*\s*$/.socket/p]

/bin/systemctl

[systemctl list-unit-files --full --type=socket]

/bin/systemctl

[systemctl -p Triggers show dbus.socket]

/bin/systemctl

[systemctl -p Triggers show ssh.socket]

/bin/systemctl

[systemctl -p Triggers show syslog.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-fsckd.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-initctl.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-journald-audit.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-journald-dev-log.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-journald.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-networkd.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-rfkill.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-udevd-control.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-udevd-kernel.socket]

/usr/local/sbin/systemctl

[systemctl start cron.service]

/usr/local/bin/systemctl

[systemctl start cron.service]

/usr/sbin/systemctl

[systemctl start cron.service]

/usr/bin/systemctl

[systemctl start cron.service]

/sbin/systemctl

[systemctl start cron.service]

/bin/systemctl

[systemctl start cron.service]

/bin/systemctl

[systemctl start crond.service]

/etc/opt.services.cfg

[/etc/opt.services.cfg]

/etc/opt.services.cfg

[/etc/opt.services.cfg ]

/bin/sleep

[sleep 60]

/etc/opt.services.cfg

[/etc/opt.services.cfg]

/etc/opt.services.cfg

[/etc/opt.services.cfg ]

/bin/sleep

[sleep 60]

Network

Country  Destination        Domain          Proto
AU       1.1.1.1:53         www.google.com  udp
AU       1.1.1.1:53         www.google.com  udp
HK       103.45.68.160:888  -               tcp

Files

/etc/.walk

MD5 348b8a56b58f9fed460f26849e095608
SHA1 c7907efcbdbe1151d57d93628008b6a8b3df6aa0
SHA256 c6a97edd7114d983c962725cf9d9f1687176dcce1b7be10e7979c99d4ec9b53a
SHA512 426ed9e0424818a338974aaabfe28ce05f54ad9d2b48e81f9ca94b390d538ebf4f2e1e46fc434dcdf65274bd5d0702414df64815a247eebc13d52cecdd3e7370

/etc/.walk

MD5 67a8a672aa964a1b05521a0664040819
SHA1 479e9eac69bd32a9af9a46ef5480f9baef774062
SHA256 8785bde47641b58610db8f485726280c766ebed532cfcfa10591918f982f1f76
SHA512 df5004baa6c5eeb1ee75da50763a8e414bae276e796f4d8ffe6a5df38f2f6af667853c8a73fb8dfe3483e016477e8c61f7acb1ce1365f07cdcac683e3c131b6c

/etc/opt.services.cfg

MD5 f2c0f22bccb73b34d04e53c00718b65d
SHA1 9183973ad6b15e8c2230fee903dd60bf23487beb
SHA256 e3bbaa4dd4acfceaaee209232a3f8f4377b97ad1835fc50d8119c8bc24e5d2d6
SHA512 9c588e0af9c32696fef8331957410736e0ed304fac99fbd88289b96209ef684045df52ce1113940ef8c48cf041bd599752a444ab7c2e688c144017784a426d68

/etc/32676

MD5 47684525bfdf26f49fd1cf742b17c015
SHA1 c4ab14ba22420ff9acadfc698a38d0cd99e9fbfa
SHA256 b7ce294613dd2c237a4a50548bfcd5c14d166107f2d2e965499bc78695300d5b
SHA512 948f9c519ae9afe1c821c5d58da2e584e50356dabef597ccd408853a9038560b9fb1c5894900e2725b48977ffd49d18a439436bb4946e2164ac9fcf2a8637621

/.mod

MD5 f5a3713282e43c200f30342f5ff5e2ea
SHA1 2b2ce1a207e2b691a074c6f78f71c4785aae426a
SHA256 6ab64e727571458d4884fb2fe82c27c467db0699cb8f648b3f0217c35d2b7511
SHA512 5bcb8cd360409147a486755f90e0cdd97183af02ce8de5135b7c6a8a010deb9ef12dcd5ee9a2a8fd2e159347f68e72d6b7fd75e943b4fcd928d7a74b97476013

/usr/bin/include/find

MD5 138a27d6fe52fa1132760a4fa48922e0
SHA1 e0250e4d7bf33a5a1064344224148b889cb15138
SHA256 81a10dad907b23521461bd3fc83c2cedb2218933a328d9a05e3c9f6a9a1d42aa
SHA512 ee0078afad63fc2aaffdebb7127d1c7d4459287fee75358f57c82d397c39b7bf64338fb6996dfb1747cd9a896d714b3c76f0948727be91550f1affa1c0298a9e

/etc/profile.d/gateway.sh

MD5 1affabcad4e31c4ffd5edbfbca7ff64a
SHA1 013f0a3c631c6e721626e67c0e5c60438e290e51
SHA256 b11da3af029e1439a0fd9fe735907d8599700f8fc038f0627dbfce9b1232c4d1
SHA512 353bf467991e3b18add026c3a64d31e694f034dbebd060f60836245c79f088256acc209335dcddf7a08eba9b1650c6206b225f21ff77d090ecb121698ecb63b3