Analysis Overview
SHA256
e3bbaa4dd4acfceaaee209232a3f8f4377b97ad1835fc50d8119c8bc24e5d2d6
Threat Level: Known bad
The file linux_arm5.elf was found to be: Known bad.
Malicious Activity Summary
Kaiji family
Kaiji
Executes dropped EXE
Modifies Watchdog functionality
Write file to user bin folder
Enumerates running processes
Creates/modifies Cron job
Creates/modifies environment variables
Modifies init.d
Modifies Bash startup script
Enumerates kernel/hardware configuration
Reads runtime system information
Command and Scripting Interpreter: Unix Shell
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-04-17 05:30
Signatures
Kaiji
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Kaiji family
Analysis: behavioral1
Detonation Overview
Submitted
2025-04-17 05:30
Reported
2025-04-17 05:32
Platform
debian9-armhf-20240418-en
Max time kernel
149s
Max time network
146s
Command Line
Signatures
Kaiji
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Kaiji family
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /etc/32676 | /bin/sh | N/A |
| N/A | /etc/opt.services.cfg | /etc/32676 | N/A |
| N/A | /etc/opt.services.cfg | /etc/opt.services.cfg | N/A |
| N/A | /etc/opt.services.cfg | /etc/32676 | N/A |
| N/A | /etc/opt.services.cfg | /etc/opt.services.cfg | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /dev/watchdog | /tmp/linux_arm5.elf | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/linux_arm5.elf | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /etc/crontab | /bin/sh | N/A |
Creates/modifies environment variables
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /etc/profile.d/bash_cfg | /tmp/linux_arm5.elf | N/A |
| File opened for modification | /etc/profile.d/bash_cfg.sh | /tmp/linux_arm5.elf | N/A |
| File opened for modification | /etc/profile.d/gateway.sh | /tmp/linux_arm5.elf | N/A |
Enumerates running processes
Modifies init.d
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /etc/init.d/console-setup.sh | /tmp/linux_arm5.elf | N/A |
| File opened for modification | /etc/init.d/cron | /tmp/linux_arm5.elf | N/A |
| File opened for modification | /etc/init.d/dbus | /tmp/linux_arm5.elf | N/A |
| File opened for modification | /etc/init.d/networking | /tmp/linux_arm5.elf | N/A |
| File opened for modification | /etc/init.d/procps | /tmp/linux_arm5.elf | N/A |
| File opened for modification | /etc/init.d/selinux-autorelabel | /tmp/linux_arm5.elf | N/A |
| File opened for modification | /etc/init.d/sudo | /tmp/linux_arm5.elf | N/A |
| File opened for modification | /etc/init.d/exim4 | /tmp/linux_arm5.elf | N/A |
| File opened for modification | /etc/init.d/kmod | /tmp/linux_arm5.elf | N/A |
| File opened for modification | /etc/init.d/udev | /tmp/linux_arm5.elf | N/A |
| File opened for modification | /etc/init.d/auditd | /tmp/linux_arm5.elf | N/A |
| File opened for modification | /etc/init.d/hwclock.sh | /tmp/linux_arm5.elf | N/A |
| File opened for modification | /etc/init.d/keyboard-setup.sh | /tmp/linux_arm5.elf | N/A |
| File opened for modification | /etc/init.d/x11-common | /tmp/linux_arm5.elf | N/A |
| File opened for modification | /etc/init.d/alsa-utils | /tmp/linux_arm5.elf | N/A |
| File opened for modification | /etc/init.d/rsyslog | /tmp/linux_arm5.elf | N/A |
| File opened for modification | /etc/init.d/ssh | /tmp/linux_arm5.elf | N/A |
Write file to user bin folder
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /usr/bin/include/find | /tmp/linux_arm5.elf | N/A |
| File opened for modification | /usr/bin/find | /tmp/linux_arm5.elf | N/A |
Modifies Bash startup script
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /etc/profile.d/bash_cfg | /tmp/linux_arm5.elf | N/A |
| File opened for modification | /etc/profile.d/bash_cfg.sh | /tmp/linux_arm5.elf | N/A |
| File opened for modification | /etc/profile.d/gateway.sh | /tmp/linux_arm5.elf | N/A |
Command and Scripting Interpreter: Unix Shell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | /bin/sh | N/A |
| N/A | N/A | /bin/sh | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for reading | /sys/fs/kdbus/0-system/bus | /bin/systemctl | N/A |
| File opened for reading | /sys/fs/kdbus/0-system/bus | /bin/systemctl | N/A |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /etc/opt.services.cfg | N/A |
| File opened for reading | /sys/fs/kdbus/0-system/bus | /bin/systemctl | N/A |
| File opened for reading | /sys/fs/kdbus/0-system/bus | /bin/systemctl | N/A |
| File opened for reading | /sys/fs/kdbus/0-system/bus | /bin/systemctl | N/A |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /etc/opt.services.cfg | N/A |
| File opened for reading | /sys/fs/kdbus/0-system/bus | /bin/systemctl | N/A |
| File opened for reading | /sys/fs/kdbus/0-system/bus | /bin/systemctl | N/A |
| File opened for reading | /sys/fs/kdbus/0-system/bus | /bin/systemctl | N/A |
| File opened for reading | /sys/fs/kdbus/0-system/bus | /bin/systemctl | N/A |
| File opened for reading | /sys/fs/kdbus/0-system/bus | /bin/systemctl | N/A |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /tmp/linux_arm5.elf | N/A |
| File opened for reading | /sys/fs/kdbus/0-system/bus | /bin/systemctl | N/A |
| File opened for reading | /sys/fs/kdbus/0-system/bus | /bin/systemctl | N/A |
| File opened for reading | /sys/fs/kdbus/0-system/bus | /bin/systemctl | N/A |
| File opened for reading | /sys/fs/kdbus/0-system/bus | /bin/systemctl | N/A |
| File opened for reading | /sys/fs/kdbus/0-system/bus | /bin/systemctl | N/A |
| File opened for reading | /sys/fs/kdbus/0-system/bus | /bin/systemctl | N/A |
| File opened for reading | /sys/fs/kdbus/0-system/bus | /bin/systemctl | N/A |
| File opened for reading | /sys/fs/kdbus/0-system/bus | /bin/systemctl | N/A |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /etc/opt.services.cfg | N/A |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /etc/opt.services.cfg | N/A |
| File opened for reading | /sys/fs/kdbus/0-system/bus | /bin/systemctl | N/A |
| File opened for reading | /sys/fs/kdbus/0-system/bus | /bin/systemctl | N/A |
| File opened for reading | /sys/fs/kdbus/0-system/bus | /bin/systemctl | N/A |
| File opened for reading | /sys/fs/kdbus/0-system/bus | /bin/systemctl | N/A |
| File opened for reading | /sys/fs/kdbus/0-system/bus | /bin/systemctl | N/A |
| File opened for reading | /sys/fs/kdbus/0-system/bus | /bin/systemctl | N/A |
| File opened for reading | /sys/fs/kdbus/0-system/bus | /bin/systemctl | N/A |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /tmp/linux_arm5.elf | N/A |
| File opened for reading | /sys/fs/kdbus/0-system/bus | /bin/systemctl | N/A |
| File opened for reading | /sys/fs/kdbus/0-system/bus | /bin/systemctl | N/A |
| File opened for reading | /sys/fs/kdbus/0-system/bus | /bin/systemctl | N/A |
| File opened for reading | /sys/fs/kdbus/0-system/bus | /bin/systemctl | N/A |
| File opened for reading | /sys/fs/kdbus/0-system/bus | /bin/systemctl | N/A |
| File opened for reading | /sys/fs/kdbus/0-system/bus | /bin/systemctl | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for reading | /proc/597/stat | /tmp/linux_arm5.elf | N/A |
| File opened for reading | /proc/636/stat | /tmp/linux_arm5.elf | N/A |
| File opened for reading | /proc/655/stat | /tmp/linux_arm5.elf | N/A |
| File opened for reading | /proc/cmdline | /bin/systemctl | N/A |
| File opened for reading | /proc/cmdline | /bin/systemctl | N/A |
| File opened for reading | /proc/filesystems | /bin/mount | N/A |
| File opened for reading | /proc/25/stat | /tmp/linux_arm5.elf | N/A |
| File opened for reading | /proc/1/environ | /bin/systemctl | N/A |
| File opened for reading | /proc/filesystems | /bin/systemctl | N/A |
| File opened for reading | /proc/self/stat | /bin/systemctl | N/A |
| File opened for reading | /proc/filesystems | /bin/systemctl | N/A |
| File opened for reading | /proc/cmdline | /bin/systemctl | N/A |
| File opened for reading | /proc/29/stat | /tmp/linux_arm5.elf | N/A |
| File opened for reading | /proc/self/stat | /bin/systemctl | N/A |
| File opened for reading | /proc/self/stat | /bin/systemctl | N/A |
| File opened for reading | /proc/1/environ | /bin/systemctl | N/A |
| File opened for reading | /proc/self/stat | /bin/systemctl | N/A |
| File opened for reading | /proc/140/stat | /tmp/linux_arm5.elf | N/A |
| File opened for reading | /proc/1/environ | /bin/systemctl | N/A |
| File opened for reading | /proc/self/stat | /bin/systemctl | N/A |
| File opened for reading | /proc/self/stat | /bin/systemctl | N/A |
| File opened for reading | /proc/1/environ | /bin/systemctl | N/A |
| File opened for reading | /proc/1/environ | /bin/systemctl | N/A |
| File opened for reading | /proc/139/stat | /tmp/linux_arm5.elf | N/A |
| File opened for reading | /proc/223/stat | /tmp/linux_arm5.elf | N/A |
| File opened for reading | /proc/filesystems | /bin/systemctl | N/A |
| File opened for reading | /proc/1/environ | /bin/systemctl | N/A |
| File opened for reading | /proc/cmdline | /bin/systemctl | N/A |
| File opened for reading | /proc/filesystems | /bin/systemctl | N/A |
| File opened for reading | /proc/278/stat | /tmp/linux_arm5.elf | N/A |
| File opened for reading | /proc/649/stat | /tmp/linux_arm5.elf | N/A |
| File opened for reading | /proc/1/environ | /bin/systemctl | N/A |
| File opened for reading | /proc/filesystems | /bin/systemctl | N/A |
| File opened for reading | /proc/filesystems | /bin/systemctl | N/A |
| File opened for reading | /proc/cmdline | /bin/systemctl | N/A |
| File opened for reading | /proc/18/stat | /tmp/linux_arm5.elf | N/A |
| File opened for reading | /proc/41/stat | /tmp/linux_arm5.elf | N/A |
| File opened for reading | /proc/43/stat | /tmp/linux_arm5.elf | N/A |
| File opened for reading | /proc/1/environ | /bin/systemctl | N/A |
| File opened for reading | /proc/cmdline | /bin/systemctl | N/A |
| File opened for reading | /proc/4/stat | /tmp/linux_arm5.elf | N/A |
| File opened for reading | /proc/22/stat | /tmp/linux_arm5.elf | N/A |
| File opened for reading | /proc/138/stat | /tmp/linux_arm5.elf | N/A |
| File opened for reading | /proc/152/stat | /tmp/linux_arm5.elf | N/A |
| File opened for reading | /proc/self/stat | /bin/systemctl | N/A |
| File opened for reading | /proc/filesystems | /bin/systemctl | N/A |
| File opened for reading | /proc/self/stat | /bin/systemctl | N/A |
| File opened for reading | /proc/cmdline | /bin/systemctl | N/A |
| File opened for reading | /proc/1/stat | /tmp/linux_arm5.elf | N/A |
| File opened for reading | /proc/21/stat | /tmp/linux_arm5.elf | N/A |
| File opened for reading | /proc/81/stat | /tmp/linux_arm5.elf | N/A |
| File opened for reading | /proc/112/stat | /tmp/linux_arm5.elf | N/A |
| File opened for reading | /proc/1/environ | /bin/systemctl | N/A |
| File opened for reading | /proc/2/stat | /tmp/linux_arm5.elf | N/A |
| File opened for reading | /proc/26/stat | /tmp/linux_arm5.elf | N/A |
| File opened for reading | /proc/595/stat | /tmp/linux_arm5.elf | N/A |
| File opened for reading | /proc/cmdline | /bin/systemctl | N/A |
| File opened for reading | /proc/cmdline | /bin/systemctl | N/A |
| File opened for reading | /proc/cmdline | /bin/systemctl | N/A |
| File opened for reading | /proc/filesystems | /bin/systemctl | N/A |
| File opened for reading | /proc/641/stat | /tmp/linux_arm5.elf | N/A |
| File opened for reading | /proc/cmdline | /bin/systemctl | N/A |
| File opened for reading | /proc/1/environ | /bin/systemctl | N/A |
| File opened for reading | /proc/filesystems | /bin/systemctl | N/A |
Processes
/tmp/linux_arm5.elf
[/tmp/linux_arm5.elf]
/tmp/linux_arm5.elf
[/tmp/linux_arm5.elf ]
/bin/sh
[/bin/sh -c /etc/32676&]
/usr/sbin/service
[service crond start]
/etc/32676
[/etc/32676]
/usr/bin/basename
[basename /usr/sbin/service]
/bin/sleep
[sleep 60]
/usr/bin/basename
[basename /usr/sbin/service]
/bin/systemctl
[systemctl --quiet is-active multi-user.target]
/bin/sed
[sed -ne s/\.socket\s*[a-z]*\s*$/.socket/p]
/bin/systemctl
[systemctl list-unit-files --full --type=socket]
/bin/systemctl
[systemctl -p Triggers show dbus.socket]
/bin/systemctl
[systemctl -p Triggers show ssh.socket]
/bin/systemctl
[systemctl -p Triggers show syslog.socket]
/bin/systemctl
[systemctl -p Triggers show systemd-fsckd.socket]
/bin/systemctl
[systemctl -p Triggers show systemd-initctl.socket]
/bin/systemctl
[systemctl -p Triggers show systemd-journald-audit.socket]
/bin/systemctl
[systemctl -p Triggers show systemd-journald-dev-log.socket]
/bin/systemctl
[systemctl -p Triggers show systemd-journald.socket]
/bin/systemctl
[systemctl -p Triggers show systemd-networkd.socket]
/bin/systemctl
[systemctl -p Triggers show systemd-rfkill.socket]
/bin/systemctl
[systemctl -p Triggers show systemd-udevd-control.socket]
/bin/systemctl
[systemctl -p Triggers show systemd-udevd-kernel.socket]
/usr/local/sbin/systemctl
[systemctl start crond.service]
/usr/local/bin/systemctl
[systemctl start crond.service]
/usr/sbin/systemctl
[systemctl start crond.service]
/usr/bin/systemctl
[systemctl start crond.service]
/sbin/systemctl
[systemctl start crond.service]
/bin/systemctl
[systemctl start crond.service]
/bin/sh
[/bin/sh -c echo "*/1 * * * * root /.mod " >> /etc/crontab]
/usr/bin/renice
[renice -20 648]
/bin/mount
[mount -o bind /tmp/ /proc/648]
/usr/sbin/service
[service cron start]
/usr/bin/basename
[basename /usr/sbin/service]
/usr/bin/basename
[basename /usr/sbin/service]
/bin/systemctl
[systemctl --quiet is-active multi-user.target]
/bin/sed
[sed -ne s/\.socket\s*[a-z]*\s*$/.socket/p]
/bin/systemctl
[systemctl list-unit-files --full --type=socket]
/bin/systemctl
[systemctl -p Triggers show dbus.socket]
/bin/systemctl
[systemctl -p Triggers show ssh.socket]
/bin/systemctl
[systemctl -p Triggers show syslog.socket]
/bin/systemctl
[systemctl -p Triggers show systemd-fsckd.socket]
/bin/systemctl
[systemctl -p Triggers show systemd-initctl.socket]
/bin/systemctl
[systemctl -p Triggers show systemd-journald-audit.socket]
/bin/systemctl
[systemctl -p Triggers show systemd-journald-dev-log.socket]
/bin/systemctl
[systemctl -p Triggers show systemd-journald.socket]
/bin/systemctl
[systemctl -p Triggers show systemd-networkd.socket]
/bin/systemctl
[systemctl -p Triggers show systemd-rfkill.socket]
/bin/systemctl
[systemctl -p Triggers show systemd-udevd-control.socket]
/bin/systemctl
[systemctl -p Triggers show systemd-udevd-kernel.socket]
/usr/local/sbin/systemctl
[systemctl start cron.service]
/usr/local/bin/systemctl
[systemctl start cron.service]
/usr/sbin/systemctl
[systemctl start cron.service]
/usr/bin/systemctl
[systemctl start cron.service]
/sbin/systemctl
[systemctl start cron.service]
/bin/systemctl
[systemctl start cron.service]
/bin/systemctl
[systemctl start crond.service]
/etc/opt.services.cfg
[/etc/opt.services.cfg]
/etc/opt.services.cfg
[/etc/opt.services.cfg ]
/bin/sleep
[sleep 60]
/etc/opt.services.cfg
[/etc/opt.services.cfg]
/etc/opt.services.cfg
[/etc/opt.services.cfg ]
/bin/sleep
[sleep 60]
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| AU | 1.1.1.1:53 | www.google.com | udp |
| AU | 1.1.1.1:53 | www.google.com | udp |
| HK | 103.45.68.160:888 | | tcp |
Files
/etc/.walk
| Algorithm | Digest |
| --- | --- |
| MD5 | 348b8a56b58f9fed460f26849e095608 |
| SHA1 | c7907efcbdbe1151d57d93628008b6a8b3df6aa0 |
| SHA256 | c6a97edd7114d983c962725cf9d9f1687176dcce1b7be10e7979c99d4ec9b53a |
| SHA512 | 426ed9e0424818a338974aaabfe28ce05f54ad9d2b48e81f9ca94b390d538ebf4f2e1e46fc434dcdf65274bd5d0702414df64815a247eebc13d52cecdd3e7370 |
/etc/.walk
| Algorithm | Digest |
| --- | --- |
| MD5 | 67a8a672aa964a1b05521a0664040819 |
| SHA1 | 479e9eac69bd32a9af9a46ef5480f9baef774062 |
| SHA256 | 8785bde47641b58610db8f485726280c766ebed532cfcfa10591918f982f1f76 |
| SHA512 | df5004baa6c5eeb1ee75da50763a8e414bae276e796f4d8ffe6a5df38f2f6af667853c8a73fb8dfe3483e016477e8c61f7acb1ce1365f07cdcac683e3c131b6c |
/etc/opt.services.cfg
| Algorithm | Digest |
| --- | --- |
| MD5 | f2c0f22bccb73b34d04e53c00718b65d |
| SHA1 | 9183973ad6b15e8c2230fee903dd60bf23487beb |
| SHA256 | e3bbaa4dd4acfceaaee209232a3f8f4377b97ad1835fc50d8119c8bc24e5d2d6 |
| SHA512 | 9c588e0af9c32696fef8331957410736e0ed304fac99fbd88289b96209ef684045df52ce1113940ef8c48cf041bd599752a444ab7c2e688c144017784a426d68 |
/etc/32676
| Algorithm | Digest |
| --- | --- |
| MD5 | 47684525bfdf26f49fd1cf742b17c015 |
| SHA1 | c4ab14ba22420ff9acadfc698a38d0cd99e9fbfa |
| SHA256 | b7ce294613dd2c237a4a50548bfcd5c14d166107f2d2e965499bc78695300d5b |
| SHA512 | 948f9c519ae9afe1c821c5d58da2e584e50356dabef597ccd408853a9038560b9fb1c5894900e2725b48977ffd49d18a439436bb4946e2164ac9fcf2a8637621 |
/.mod
| Algorithm | Digest |
| --- | --- |
| MD5 | f5a3713282e43c200f30342f5ff5e2ea |
| SHA1 | 2b2ce1a207e2b691a074c6f78f71c4785aae426a |
| SHA256 | 6ab64e727571458d4884fb2fe82c27c467db0699cb8f648b3f0217c35d2b7511 |
| SHA512 | 5bcb8cd360409147a486755f90e0cdd97183af02ce8de5135b7c6a8a010deb9ef12dcd5ee9a2a8fd2e159347f68e72d6b7fd75e943b4fcd928d7a74b97476013 |
/usr/bin/include/find
| Algorithm | Digest |
| --- | --- |
| MD5 | 138a27d6fe52fa1132760a4fa48922e0 |
| SHA1 | e0250e4d7bf33a5a1064344224148b889cb15138 |
| SHA256 | 81a10dad907b23521461bd3fc83c2cedb2218933a328d9a05e3c9f6a9a1d42aa |
| SHA512 | ee0078afad63fc2aaffdebb7127d1c7d4459287fee75358f57c82d397c39b7bf64338fb6996dfb1747cd9a896d714b3c76f0948727be91550f1affa1c0298a9e |
/etc/profile.d/gateway.sh
| Algorithm | Digest |
| --- | --- |
| MD5 | 1affabcad4e31c4ffd5edbfbca7ff64a |
| SHA1 | 013f0a3c631c6e721626e67c0e5c60438e290e51 |
| SHA256 | b11da3af029e1439a0fd9fe735907d8599700f8fc038f0627dbfce9b1232c4d1 |
| SHA512 | 353bf467991e3b18add026c3a64d31e694f034dbebd060f60836245c79f088256acc209335dcddf7a08eba9b1650c6206b225f21ff77d090ecb121698ecb63b3 |