Malware Analysis Report

2025-05-05 22:14

Sample ID 250417-fxyjaayxex
Target linux_mipsel
SHA256 e54588f9a60777a7feb8f16a55b8f64d4cf136fdfc59eff4653e0012575d0e5a
Tags kaiji discovery execution
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e54588f9a60777a7feb8f16a55b8f64d4cf136fdfc59eff4653e0012575d0e5a

Threat Level: Known bad

The file linux_mipsel was found to be: Known bad.

Malicious Activity Summary

kaiji discovery execution

Kaiji

Kaiji family

Executes dropped EXE

Enumerates running processes

Command and Scripting Interpreter: Unix Shell

Enumerates kernel/hardware configuration

Reads runtime system information

System Network Configuration Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-04-17 05:15

Signatures

Kaiji

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Kaiji family

kaiji

Analysis: behavioral1

Detonation Overview

Submitted

2025-04-17 05:15

Reported

2025-04-17 05:15

Platform

debian12-mipsel-20240729-en

Max time kernel

4s

Max time network

9s

Command Line

[/tmp/linux_mipsel]

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | /etc/32676 | /bin/sh | N/A

Enumerates running processes

Command and Scripting Interpreter: Unix Shell

execution
Description | Indicator | Process | Target
N/A | N/A | /bin/sh | N/A

Enumerates kernel/hardware configuration

discovery
Description | Indicator | Process | Target
File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /tmp/linux_mipsel | N/A
File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /tmp/linux_mipsel | N/A

Reads runtime system information

discovery
Description | Indicator | Process | Target
File opened for reading | /proc/3/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/21/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/712/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/717/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/1/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/12/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/18/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/47/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/110/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/119/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/138/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/733/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/24/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/111/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/428/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/661/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/748/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/filesystems | /usr/bin/systemctl | N/A
File opened for reading | /proc/23/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/427/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/722/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/20/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/395/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/425/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/42/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/45/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/58/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/9/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/14/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/22/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/27/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/29/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/32/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/696/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/671/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/25/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/28/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/118/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/202/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/350/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/377/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/390/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/7/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/33/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/35/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/48/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/672/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/734/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/750/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/5/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/11/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/31/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/53/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/112/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/180/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/4/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/10/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/714/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/738/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/749/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/filesystems | /usr/bin/sed | N/A
File opened for reading | /proc/2/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/34/stat | /tmp/linux_mipsel | N/A
File opened for reading | /proc/137/stat | /tmp/linux_mipsel | N/A

System Network Configuration Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | /tmp/linux_mipsel | N/A
N/A | N/A | /tmp/linux_mipsel | N/A

Processes

/tmp/linux_mipsel

[/tmp/linux_mipsel]

/tmp/linux_mipsel

[/tmp/linux_mipsel ]

/bin/sh

[/bin/sh -c /etc/32676&]

/etc/32676

[/etc/32676]

/usr/sbin/service

[service crond start]

/usr/bin/sleep

[sleep 60]

/usr/bin/basename

[basename /usr/sbin/service]

/usr/bin/basename

[basename /usr/sbin/service]

/usr/bin/sed

[sed -ne s/\.socket\s*[a-z]*\s*$/.socket/p]

/usr/bin/systemctl

[systemctl list-unit-files --full --type=socket]

Network

Country | Destination | Domain | Proto
AU | 1.1.1.1:53 | debian12-mipsel-20240729-en-4 | udp
AU | 1.1.1.1:53 | debian12-mipsel-20240729-en-4 | udp
AU | 1.1.1.1:53 | debian12-mipsel-20240729-en-4 | udp
AU | 1.1.1.1:53 | debian12-mipsel-20240729-en-4 | udp

Files

/etc/.walk

MD5 6576f78b302edb55aeeb7048bba11683
SHA1 825391ed405be33e0c0f70f46b2530311cdf2a0c
SHA256 f8c5640a5a088cfd500d65d798a4e6f05f5016217b9b9c75d98afd4d4115917e
SHA512 f8b2c78b2363647df9296455f13848f84e7a0bb9126c5744cbdc4ba924d9a3daff1e4cfa90f7ad24d7222a2df1e544b3e69b80cab7f568ae9143a0e04d288280

/etc/.walk

MD5 239f58d5aff3f4bbb0e1ca2938a3c2f2
SHA1 df636d31443e18c0caa97b25c60620b00e22b66f
SHA256 42a0c58ec1db0ef3c337d0424c39fdf4981e7dec8424993450c45ce95150a1c1
SHA512 097edc69600efa7d4de907ea8e2ca4fef2d4c12c82998967d811478aa493ccd83eb4f8fc2607be57efcd0860da915a4aeada56ac2f2a449a4b5bf16df7a63926

/etc/32676

MD5 47684525bfdf26f49fd1cf742b17c015
SHA1 c4ab14ba22420ff9acadfc698a38d0cd99e9fbfa
SHA256 b7ce294613dd2c237a4a50548bfcd5c14d166107f2d2e965499bc78695300d5b
SHA512 948f9c519ae9afe1c821c5d58da2e584e50356dabef597ccd408853a9038560b9fb1c5894900e2725b48977ffd49d18a439436bb4946e2164ac9fcf2a8637621