Analysis
-
max time kernel
148s -
max time network
150s -
platform
debian-9_mips -
resource
debian9-mipsbe-20250410-en -
resource tags
arch:mipsimage:debian9-mipsbe-20250410-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem -
submitted
17/04/2025, 05:35
Behavioral task
behavioral1
Sample
linux_mips.elf
Resource
debian9-mipsbe-20250410-en
General
-
Target
linux_mips.elf
-
Size
2.2MB
-
MD5
177200b0a67f809a1b8364a6cab3da3b
-
SHA1
04acdc698453106942a55be34ad9cc2da042f20f
-
SHA256
af6b7d2303e41e97b25d9c22c60e6fbee0c053671307cf2eeb81f85729231e4b
-
SHA512
6c4e71159517f3e0f0a079ddd297d5714852341755ffa392dd314bc8b174b9cfdc293a8f8999bb52d473551e1eee076efddffa8ab2011b7364c594031c493a93
-
SSDEEP
24576:T+aH1HyiHIg84gD5ZhcyOt62bKLR+RVXawqel9R47cR:QKt7nqel87u
Malware Config
Signatures
-
Kaiji 1 IoCs
Kaiji payload
resource yara_rule behavioral1/files/fstream-3.dat Kaiji -
Kaiji family
-
Executes dropped EXE 5 IoCs
ioc pid Process /etc/32676 733 sh /etc/opt.services.cfg 884 32676 /etc/opt.services.cfg 888 opt.services.cfg /etc/opt.services.cfg 903 32676 /etc/opt.services.cfg 907 opt.services.cfg -
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description ioc Process File opened for modification /etc/crontab sh -
Command and Scripting Interpreter: Unix Shell 1 TTPs 2 IoCs
Execute scripts via Unix Shell.
pid Process 731 sh 769 sh -
Enumerates kernel/hardware configuration 1 TTPs 37 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
description ioc Process File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size opt.services.cfg File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size opt.services.cfg File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size linux_mips.elf File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size opt.services.cfg File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size opt.services.cfg File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size linux_mips.elf File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl -
description ioc Process File opened for reading /proc/cmdline systemctl File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/filesystems mount File opened for reading /proc/self/stat systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/filesystems systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/cmdline systemctl File opened for reading /proc/self/stat systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/1/environ systemctl File opened for reading /proc/1/environ systemctl -
System Network Configuration Discovery 1 TTPs 2 IoCs
Adversaries may gather information about the network configuration of a system.
pid Process 714 linux_mips.elf 721 linux_mips.elf
Processes
-
/tmp/linux_mips.elf/tmp/linux_mips.elf1⤵
- Enumerates kernel/hardware configuration
- System Network Configuration Discovery
PID:714 -
/tmp/linux_mips.elf/tmp/linux_mips.elf " "2⤵
- Enumerates kernel/hardware configuration
- System Network Configuration Discovery
PID:721 -
/bin/sh/bin/sh -c "/etc/32676&"3⤵
- Executes dropped EXE
- Command and Scripting Interpreter: Unix Shell
PID:731
-
-
/usr/sbin/serviceservice crond start3⤵PID:734
-
/usr/bin/basenamebasename /usr/sbin/service4⤵PID:736
-
-
/usr/bin/basenamebasename /usr/sbin/service4⤵PID:739
-
-
/bin/systemctlsystemctl --quiet is-active multi-user.target4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:741
-
-
/bin/systemctlsystemctl list-unit-files --full "--type=socket"4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:746
-
-
/bin/sedsed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"4⤵PID:747
-
-
/bin/systemctlsystemctl -p Triggers show dbus.socket4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:750
-
-
/bin/systemctlsystemctl -p Triggers show ssh.socket4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:752
-
-
/bin/systemctlsystemctl -p Triggers show syslog.socket4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:754
-
-
/bin/systemctlsystemctl -p Triggers show systemd-fsckd.socket4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:757
-
-
/bin/systemctlsystemctl -p Triggers show systemd-initctl.socket4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:759
-
-
/bin/systemctlsystemctl -p Triggers show systemd-journald-audit.socket4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:761
-
-
/bin/systemctlsystemctl -p Triggers show systemd-journald-dev-log.socket4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:762
-
-
/bin/systemctlsystemctl -p Triggers show systemd-journald.socket4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:764
-
-
/bin/systemctlsystemctl -p Triggers show systemd-networkd.socket4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:765
-
-
/bin/systemctlsystemctl -p Triggers show systemd-rfkill.socket4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:766
-
-
/bin/systemctlsystemctl -p Triggers show systemd-udevd-control.socket4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:767
-
-
/bin/systemctlsystemctl -p Triggers show systemd-udevd-kernel.socket4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:768
-
-
-
/usr/local/sbin/systemctlsystemctl start crond.service3⤵PID:734
-
-
/usr/local/bin/systemctlsystemctl start crond.service3⤵PID:734
-
-
/usr/sbin/systemctlsystemctl start crond.service3⤵PID:734
-
-
/usr/bin/systemctlsystemctl start crond.service3⤵PID:734
-
-
/sbin/systemctlsystemctl start crond.service3⤵PID:734
-
-
/bin/systemctlsystemctl start crond.service3⤵
- Enumerates kernel/hardware configuration
PID:734
-
-
/bin/sh/bin/sh -c "echo \"*/1 * * * * root /.mod \" >> /etc/crontab"3⤵
- Creates/modifies Cron job
- Command and Scripting Interpreter: Unix Shell
PID:769
-
-
/usr/bin/renicerenice -20 7213⤵PID:770
-
-
/bin/mountmount -o bind /tmp/ /proc/7213⤵
- Reads runtime system information
PID:771
-
-
/usr/sbin/serviceservice cron start3⤵PID:772
-
/usr/bin/basenamebasename /usr/sbin/service4⤵PID:773
-
-
/usr/bin/basenamebasename /usr/sbin/service4⤵PID:774
-
-
/bin/systemctlsystemctl --quiet is-active multi-user.target4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:775
-
-
/bin/systemctlsystemctl list-unit-files --full "--type=socket"4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:777
-
-
/bin/sedsed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"4⤵
- Reads runtime system information
PID:778
-
-
/bin/systemctlsystemctl -p Triggers show dbus.socket4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:779
-
-
/bin/systemctlsystemctl -p Triggers show ssh.socket4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:780
-
-
/bin/systemctlsystemctl -p Triggers show syslog.socket4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:781
-
-
/bin/systemctlsystemctl -p Triggers show systemd-fsckd.socket4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:782
-
-
/bin/systemctlsystemctl -p Triggers show systemd-initctl.socket4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:783
-
-
/bin/systemctlsystemctl -p Triggers show systemd-journald-audit.socket4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:784
-
-
/bin/systemctlsystemctl -p Triggers show systemd-journald-dev-log.socket4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:785
-
-
/bin/systemctlsystemctl -p Triggers show systemd-journald.socket4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:786
-
-
/bin/systemctlsystemctl -p Triggers show systemd-networkd.socket4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:787
-
-
/bin/systemctlsystemctl -p Triggers show systemd-rfkill.socket4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:788
-
-
/bin/systemctlsystemctl -p Triggers show systemd-udevd-control.socket4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:790
-
-
/bin/systemctlsystemctl -p Triggers show systemd-udevd-kernel.socket4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:792
-
-
-
/usr/local/sbin/systemctlsystemctl start cron.service3⤵PID:772
-
-
/usr/local/bin/systemctlsystemctl start cron.service3⤵PID:772
-
-
/usr/sbin/systemctlsystemctl start cron.service3⤵PID:772
-
-
/usr/bin/systemctlsystemctl start cron.service3⤵PID:772
-
-
/sbin/systemctlsystemctl start cron.service3⤵PID:772
-
-
/bin/systemctlsystemctl start cron.service3⤵
- Enumerates kernel/hardware configuration
PID:772
-
-
/bin/systemctlsystemctl start crond.service3⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:795
-
-
-
/etc/32676/etc/326761⤵
- Executes dropped EXE
PID:733 -
/bin/sleepsleep 602⤵PID:737
-
-
/etc/opt.services.cfg/etc/opt.services.cfg2⤵
- Executes dropped EXE
- Enumerates kernel/hardware configuration
PID:884 -
/etc/opt.services.cfg/etc/opt.services.cfg " "3⤵
- Enumerates kernel/hardware configuration
PID:888
-
-
-
/bin/sleepsleep 602⤵PID:889
-
-
/etc/opt.services.cfg/etc/opt.services.cfg2⤵
- Executes dropped EXE
- Enumerates kernel/hardware configuration
PID:903 -
/etc/opt.services.cfg/etc/opt.services.cfg " "3⤵
- Enumerates kernel/hardware configuration
PID:907
-
-
-
/bin/sleepsleep 602⤵PID:908
-
Network
MITRE ATT&CK Enterprise v16
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
34B
MD5f5a3713282e43c200f30342f5ff5e2ea
SHA12b2ce1a207e2b691a074c6f78f71c4785aae426a
SHA2566ab64e727571458d4884fb2fe82c27c467db0699cb8f648b3f0217c35d2b7511
SHA5125bcb8cd360409147a486755f90e0cdd97183af02ce8de5135b7c6a8a010deb9ef12dcd5ee9a2a8fd2e159347f68e72d6b7fd75e943b4fcd928d7a74b97476013
-
Filesize
41B
MD5405ea7aa9ebe3c5f397ee6da9784cd92
SHA1e4b3de80bf97d97c9194de35d63e8fdfd37823c7
SHA2568176caa5023d1e0f5719220777ecd7b9b3901c68ecb0ad1f6e802df80d90a4bf
SHA512833f045507160bc2b7374e0f2748de72b9605374d4a0df5482edbc799729f8328f4753f6495a134b46f2beafaa6dbbe4c21966b785ecf160f7b47146492cfe93
-
Filesize
90B
MD5487aaa2d9e8103de54e74f708a988a25
SHA18cd396d5c6bc7d057275736c0b59086bbd8a4169
SHA256ab15959587e0a32350ad92777b3ae32af599f5630b65002d924f686c4a30a827
SHA5120187cecafaefbffc2546b4d7f27f06b555daa003b4591a282040808eb2719820e89673013546818b4ad9472d81c8135611c25d8b6b85b03e4d62854655ea96fd
-
Filesize
61B
MD547684525bfdf26f49fd1cf742b17c015
SHA1c4ab14ba22420ff9acadfc698a38d0cd99e9fbfa
SHA256b7ce294613dd2c237a4a50548bfcd5c14d166107f2d2e965499bc78695300d5b
SHA512948f9c519ae9afe1c821c5d58da2e584e50356dabef597ccd408853a9038560b9fb1c5894900e2725b48977ffd49d18a439436bb4946e2164ac9fcf2a8637621
-
Filesize
2.2MB
MD5177200b0a67f809a1b8364a6cab3da3b
SHA104acdc698453106942a55be34ad9cc2da042f20f
SHA256af6b7d2303e41e97b25d9c22c60e6fbee0c053671307cf2eeb81f85729231e4b
SHA5126c4e71159517f3e0f0a079ddd297d5714852341755ffa392dd314bc8b174b9cfdc293a8f8999bb52d473551e1eee076efddffa8ab2011b7364c594031c493a93
-
Filesize
915B
MD5217d1865cb2770d7650ead8960539181
SHA15f0f39bd441fa71c36306386d8a81f59480d4e53
SHA256fff6d267ac34e86916b0f08ff177c854a20f9353ecd1c3d0250c18fd0b375fa3
SHA512f3442829f25e60dc17504619798da502922ea3ab2d92355316e67bd236423e28ed0af8f3d2270b52fe3e7108f5280ea113ec9a03cc1abdc8d6360ecece455d31
-
Filesize
240KB
MD597b5c6c1b307114efc38193175a343c3
SHA124015d4f95c6878ea5027c134eddebb7126b610f
SHA256b1a89f313023b476fc826d8fac689679504e61ae8e650681fb966e810ed34970
SHA512e5359f3e082f54f5cfd7afa7771d8724d161d48d09372f203bdca222a47a63919fdfb76b6db7fb8ff61e92f8fd04fdec962e94331ff12705cf53ce5e23d33180