Malware Analysis Report

2025-05-05 22:14

Sample ID 250417-gaaz5ssry9
Target linux_mips.elf
SHA256 af6b7d2303e41e97b25d9c22c60e6fbee0c053671307cf2eeb81f85729231e4b
Tags
kaiji discovery execution persistence privilege_escalation
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

af6b7d2303e41e97b25d9c22c60e6fbee0c053671307cf2eeb81f85729231e4b

Threat Level: Known bad

The file linux_mips.elf was found to be: Known bad.

Malicious Activity Summary

kaiji discovery execution persistence privilege_escalation

Kaiji

Kaiji family

Executes dropped EXE

Creates/modifies Cron job

Command and Scripting Interpreter: Unix Shell

Enumerates kernel/hardware configuration

Reads runtime system information

System Network Configuration Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-04-17 05:35

Signatures

Kaiji

Description Indicator Process Target
N/A N/A N/A N/A

Kaiji family

kaiji

Analysis: behavioral1

Detonation Overview

Submitted

2025-04-17 05:35

Reported

2025-04-17 05:38

Platform

debian9-mipsbe-20250410-en

Max time kernel

148s

Max time network

150s

Command Line

[/tmp/linux_mips.elf]

Signatures

Kaiji

Description Indicator Process Target
N/A N/A N/A N/A

Kaiji family

kaiji

Executes dropped EXE

Description Indicator Process Target
N/A /etc/32676 /bin/sh N/A
N/A /etc/opt.services.cfg /etc/32676 N/A
N/A /etc/opt.services.cfg /etc/opt.services.cfg N/A
N/A /etc/opt.services.cfg /etc/32676 N/A
N/A /etc/opt.services.cfg /etc/opt.services.cfg N/A

Creates/modifies Cron job

execution persistence privilege_escalation
Description Indicator Process Target
File opened for modification /etc/crontab /bin/sh N/A

Command and Scripting Interpreter: Unix Shell

execution
Description Indicator Process Target
N/A N/A /bin/sh N/A
N/A N/A /bin/sh N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /etc/opt.services.cfg N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /etc/opt.services.cfg N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /tmp/linux_mips.elf N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /etc/opt.services.cfg N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /etc/opt.services.cfg N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /tmp/linux_mips.elf N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/cmdline /bin/systemctl N/A
File opened for reading /proc/filesystems /bin/sed N/A
File opened for reading /proc/filesystems /bin/systemctl N/A
File opened for reading /proc/cmdline /bin/systemctl N/A
File opened for reading /proc/self/stat /bin/systemctl N/A
File opened for reading /proc/cmdline /bin/systemctl N/A
File opened for reading /proc/1/environ /bin/systemctl N/A
File opened for reading /proc/1/environ /bin/systemctl N/A
File opened for reading /proc/self/stat /bin/systemctl N/A
File opened for reading /proc/1/environ /bin/systemctl N/A
File opened for reading /proc/self/stat /bin/systemctl N/A
File opened for reading /proc/cmdline /bin/systemctl N/A
File opened for reading /proc/filesystems /bin/systemctl N/A
File opened for reading /proc/filesystems /bin/systemctl N/A
File opened for reading /proc/1/environ /bin/systemctl N/A
File opened for reading /proc/cmdline /bin/systemctl N/A
File opened for reading /proc/cmdline /bin/systemctl N/A
File opened for reading /proc/filesystems /bin/systemctl N/A
File opened for reading /proc/self/stat /bin/systemctl N/A
File opened for reading /proc/filesystems /bin/systemctl N/A
File opened for reading /proc/cmdline /bin/systemctl N/A
File opened for reading /proc/1/environ /bin/systemctl N/A
File opened for reading /proc/1/environ /bin/systemctl N/A
File opened for reading /proc/cmdline /bin/systemctl N/A
File opened for reading /proc/self/stat /bin/systemctl N/A
File opened for reading /proc/self/stat /bin/systemctl N/A
File opened for reading /proc/cmdline /bin/systemctl N/A
File opened for reading /proc/self/stat /bin/systemctl N/A
File opened for reading /proc/1/environ /bin/systemctl N/A
File opened for reading /proc/self/stat /bin/systemctl N/A
File opened for reading /proc/self/stat /bin/systemctl N/A
File opened for reading /proc/filesystems /bin/systemctl N/A
File opened for reading /proc/self/stat /bin/systemctl N/A
File opened for reading /proc/self/stat /bin/systemctl N/A
File opened for reading /proc/self/stat /bin/systemctl N/A
File opened for reading /proc/filesystems /bin/mount N/A
File opened for reading /proc/self/stat /bin/systemctl N/A
File opened for reading /proc/self/stat /bin/systemctl N/A
File opened for reading /proc/self/stat /bin/systemctl N/A
File opened for reading /proc/filesystems /bin/systemctl N/A
File opened for reading /proc/filesystems /bin/systemctl N/A
File opened for reading /proc/filesystems /bin/systemctl N/A
File opened for reading /proc/filesystems /bin/systemctl N/A
File opened for reading /proc/1/environ /bin/systemctl N/A
File opened for reading /proc/filesystems /bin/systemctl N/A
File opened for reading /proc/filesystems /bin/systemctl N/A
File opened for reading /proc/1/environ /bin/systemctl N/A
File opened for reading /proc/filesystems /bin/systemctl N/A
File opened for reading /proc/1/environ /bin/systemctl N/A
File opened for reading /proc/self/stat /bin/systemctl N/A
File opened for reading /proc/filesystems /bin/systemctl N/A
File opened for reading /proc/filesystems /bin/systemctl N/A
File opened for reading /proc/self/stat /bin/systemctl N/A
File opened for reading /proc/1/environ /bin/systemctl N/A
File opened for reading /proc/filesystems /bin/systemctl N/A
File opened for reading /proc/cmdline /bin/systemctl N/A
File opened for reading /proc/cmdline /bin/systemctl N/A
File opened for reading /proc/cmdline /bin/systemctl N/A
File opened for reading /proc/cmdline /bin/systemctl N/A
File opened for reading /proc/self/stat /bin/systemctl N/A
File opened for reading /proc/1/environ /bin/systemctl N/A
File opened for reading /proc/1/environ /bin/systemctl N/A
File opened for reading /proc/1/environ /bin/systemctl N/A
File opened for reading /proc/1/environ /bin/systemctl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /tmp/linux_mips.elf N/A
N/A N/A /tmp/linux_mips.elf N/A

Processes

/tmp/linux_mips.elf

[/tmp/linux_mips.elf]

/tmp/linux_mips.elf

[/tmp/linux_mips.elf ]

/bin/sh

[/bin/sh -c /etc/32676&]

/etc/32676

[/etc/32676]

/usr/sbin/service

[service crond start]

/usr/bin/basename

[basename /usr/sbin/service]

/bin/sleep

[sleep 60]

/usr/bin/basename

[basename /usr/sbin/service]

/bin/systemctl

[systemctl --quiet is-active multi-user.target]

/bin/systemctl

[systemctl list-unit-files --full --type=socket]

/bin/sed

[sed -ne s/\.socket\s*[a-z]*\s*$/.socket/p]

/bin/systemctl

[systemctl -p Triggers show dbus.socket]

/bin/systemctl

[systemctl -p Triggers show ssh.socket]

/bin/systemctl

[systemctl -p Triggers show syslog.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-fsckd.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-initctl.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-journald-audit.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-journald-dev-log.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-journald.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-networkd.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-rfkill.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-udevd-control.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-udevd-kernel.socket]

/usr/local/sbin/systemctl

[systemctl start crond.service]

/usr/local/bin/systemctl

[systemctl start crond.service]

/usr/sbin/systemctl

[systemctl start crond.service]

/usr/bin/systemctl

[systemctl start crond.service]

/sbin/systemctl

[systemctl start crond.service]

/bin/systemctl

[systemctl start crond.service]

/bin/sh

[/bin/sh -c echo "*/1 * * * * root /.mod " >> /etc/crontab]

/usr/bin/renice

[renice -20 721]

/bin/mount

[mount -o bind /tmp/ /proc/721]

/usr/sbin/service

[service cron start]

/usr/bin/basename

[basename /usr/sbin/service]

/usr/bin/basename

[basename /usr/sbin/service]

/bin/systemctl

[systemctl --quiet is-active multi-user.target]

/bin/systemctl

[systemctl list-unit-files --full --type=socket]

/bin/sed

[sed -ne s/\.socket\s*[a-z]*\s*$/.socket/p]

/bin/systemctl

[systemctl -p Triggers show dbus.socket]

/bin/systemctl

[systemctl -p Triggers show ssh.socket]

/bin/systemctl

[systemctl -p Triggers show syslog.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-fsckd.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-initctl.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-journald-audit.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-journald-dev-log.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-journald.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-networkd.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-rfkill.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-udevd-control.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-udevd-kernel.socket]

/usr/local/sbin/systemctl

[systemctl start cron.service]

/usr/local/bin/systemctl

[systemctl start cron.service]

/usr/sbin/systemctl

[systemctl start cron.service]

/usr/bin/systemctl

[systemctl start cron.service]

/sbin/systemctl

[systemctl start cron.service]

/bin/systemctl

[systemctl start cron.service]

/bin/systemctl

[systemctl start crond.service]

/etc/opt.services.cfg

[/etc/opt.services.cfg]

/etc/opt.services.cfg

[/etc/opt.services.cfg ]

/bin/sleep

[sleep 60]

/etc/opt.services.cfg

[/etc/opt.services.cfg]

/etc/opt.services.cfg

[/etc/opt.services.cfg ]

/bin/sleep

[sleep 60]

Network

Country Destination Domain Proto
AU 1.1.1.1:53 www.google.com udp
AU 1.1.1.1:53 www.google.com udp
HK 103.45.68.160:888 tcp

Files

/etc/.walk

MD5 405ea7aa9ebe3c5f397ee6da9784cd92
SHA1 e4b3de80bf97d97c9194de35d63e8fdfd37823c7
SHA256 8176caa5023d1e0f5719220777ecd7b9b3901c68ecb0ad1f6e802df80d90a4bf
SHA512 833f045507160bc2b7374e0f2748de72b9605374d4a0df5482edbc799729f8328f4753f6495a134b46f2beafaa6dbbe4c21966b785ecf160f7b47146492cfe93

/etc/.walk

MD5 487aaa2d9e8103de54e74f708a988a25
SHA1 8cd396d5c6bc7d057275736c0b59086bbd8a4169
SHA256 ab15959587e0a32350ad92777b3ae32af599f5630b65002d924f686c4a30a827
SHA512 0187cecafaefbffc2546b4d7f27f06b555daa003b4591a282040808eb2719820e89673013546818b4ad9472d81c8135611c25d8b6b85b03e4d62854655ea96fd

/etc/opt.services.cfg

MD5 177200b0a67f809a1b8364a6cab3da3b
SHA1 04acdc698453106942a55be34ad9cc2da042f20f
SHA256 af6b7d2303e41e97b25d9c22c60e6fbee0c053671307cf2eeb81f85729231e4b
SHA512 6c4e71159517f3e0f0a079ddd297d5714852341755ffa392dd314bc8b174b9cfdc293a8f8999bb52d473551e1eee076efddffa8ab2011b7364c594031c493a93

/etc/32676

MD5 47684525bfdf26f49fd1cf742b17c015
SHA1 c4ab14ba22420ff9acadfc698a38d0cd99e9fbfa
SHA256 b7ce294613dd2c237a4a50548bfcd5c14d166107f2d2e965499bc78695300d5b
SHA512 948f9c519ae9afe1c821c5d58da2e584e50356dabef597ccd408853a9038560b9fb1c5894900e2725b48977ffd49d18a439436bb4946e2164ac9fcf2a8637621

/.mod

MD5 f5a3713282e43c200f30342f5ff5e2ea
SHA1 2b2ce1a207e2b691a074c6f78f71c4785aae426a
SHA256 6ab64e727571458d4884fb2fe82c27c467db0699cb8f648b3f0217c35d2b7511
SHA512 5bcb8cd360409147a486755f90e0cdd97183af02ce8de5135b7c6a8a010deb9ef12dcd5ee9a2a8fd2e159347f68e72d6b7fd75e943b4fcd928d7a74b97476013

/usr/bin/include/find

MD5 97b5c6c1b307114efc38193175a343c3
SHA1 24015d4f95c6878ea5027c134eddebb7126b610f
SHA256 b1a89f313023b476fc826d8fac689679504e61ae8e650681fb966e810ed34970
SHA512 e5359f3e082f54f5cfd7afa7771d8724d161d48d09372f203bdca222a47a63919fdfb76b6db7fb8ff61e92f8fd04fdec962e94331ff12705cf53ce5e23d33180

/etc/profile.d/gateway.sh

MD5 217d1865cb2770d7650ead8960539181
SHA1 5f0f39bd441fa71c36306386d8a81f59480d4e53
SHA256 fff6d267ac34e86916b0f08ff177c854a20f9353ecd1c3d0250c18fd0b375fa3
SHA512 f3442829f25e60dc17504619798da502922ea3ab2d92355316e67bd236423e28ed0af8f3d2270b52fe3e7108f5280ea113ec9a03cc1abdc8d6360ecece455d31