Analysis
max time kernel: 148s
max time network: 146s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20240508-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240508-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 17/04/2025, 05:36

Behavioral task: behavioral1
Sample: linux_386.elf
Resource: ubuntu1804-amd64-20240508-en
General
Target: linux_386.elf
Size: 1.8MB
MD5: 425032ac432cb4a58481c8f2fac1a298
SHA1: c7538b5ff5057f553bb7ae707e8fc98281e8a8bd
SHA256: 3f5d9a1535b34fa397a15162abca45f8cefc97fbab8bf52116e550b646879a7b
SHA512: db5631b8499f3be061e40166b4cac9a934a22c5d726a88d6fd63c9633f435de956b740addaa5accf769a09f3cfc5f8c0b34cca1dca24439986bd78ef39f2da76
SSDEEP: 24576:DIww1az0HpQKMNRjiSZAwyZW82DBNbT5ppkmesFMpladOmslgBYVVWXyWz1v:/1TbVNH4plzm/BGWz1
Malware Config
Extracted
kaiji
103.45.68.160:888
Signatures

Kaiji (1 IoCs)
Kaiji payload
resource | yara_rule
behavioral1/files/fstream-3.dat | Kaiji

Kaiji family
Executes dropped EXE (5 IoCs)
ioc | pid | Process
/etc/32676 | 1517 | linux_386.elf
/etc/opt.services.cfg | 1606 | 32676
/etc/opt.services.cfg | 1610 | 32676
/etc/opt.services.cfg | 1625 | 32676
/etc/opt.services.cfg | 1629 | 32676
Modifies Watchdog functionality (1 TTPs, 2 IoCs)
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description | ioc | Process
File opened for modification | /dev/watchdog | linux_386.elf
File opened for modification | /dev/misc/watchdog | linux_386.elf
Creates/modifies Cron job (1 TTPs, 1 IoCs)
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description | ioc | Process
File opened for modification | /etc/crontab | linux_386.elf
Creates/modifies environment variables (1 TTPs, 3 IoCs)
Creating/modifying environment variables is a common persistence mechanism.
description | ioc | Process
File opened for modification | /etc/profile.d/bash_cfg | linux_386.elf
File opened for modification | /etc/profile.d/bash_cfg.sh | linux_386.elf
File opened for modification | /etc/profile.d/gateway.sh | linux_386.elf
Enumerates running processes
Discovers information about currently running processes on the system

Modifies init.d
description | ioc | Process
File opened for modification | /etc/init.d/dbus | linux_386.elf
File opened for modification | /etc/init.d/auditd | linux_386.elf
File opened for modification | /etc/init.d/avahi-daemon | linux_386.elf
File opened for modification | /etc/init.d/bluetooth | linux_386.elf
File opened for modification | /etc/init.d/plymouth | linux_386.elf
File opened for modification | /etc/init.d/procps | linux_386.elf
File opened for modification | /etc/init.d/cups-browsed | linux_386.elf
File opened for modification | /etc/init.d/anacron | linux_386.elf
File opened for modification | /etc/init.d/apparmor | linux_386.elf
File opened for modification | /etc/init.d/console-setup.sh | linux_386.elf
File opened for modification | /etc/init.d/selinux-autorelabel | linux_386.elf
File opened for modification | /etc/init.d/spice-vdagent | linux_386.elf
File opened for modification | /etc/init.d/ssh | linux_386.elf
File opened for modification | /etc/init.d/unattended-upgrades | linux_386.elf
File opened for modification | /etc/init.d/acpid | linux_386.elf
File opened for modification | /etc/init.d/speech-dispatcher | linux_386.elf
File opened for modification | /etc/init.d/udev | linux_386.elf
File opened for modification | /etc/init.d/uuidd | linux_386.elf
File opened for modification | /etc/init.d/x11-common | linux_386.elf
File opened for modification | /etc/init.d/alsa-utils | linux_386.elf
File opened for modification | /etc/init.d/hwclock.sh | linux_386.elf
File opened for modification | /etc/init.d/irqbalance | linux_386.elf
File opened for modification | /etc/init.d/ufw | linux_386.elf
File opened for modification | /etc/init.d/cron | linux_386.elf
File opened for modification | /etc/init.d/gdm3 | linux_386.elf
File opened for modification | /etc/init.d/keyboard-setup.sh | linux_386.elf
File opened for modification | /etc/init.d/networking | linux_386.elf
File opened for modification | /etc/init.d/plymouth-log | linux_386.elf
File opened for modification | /etc/init.d/saned | linux_386.elf
File opened for modification | /etc/init.d/cups | linux_386.elf
File opened for modification | /etc/init.d/apport | linux_386.elf
File opened for modification | /etc/init.d/kmod | linux_386.elf
File opened for modification | /etc/init.d/rsync | linux_386.elf
File opened for modification | /etc/init.d/rsyslog | linux_386.elf
Write file to user bin folder (4 IoCs)
description | ioc | Process
File opened for modification | /usr/bin/include/find | linux_386.elf
File opened for modification | /usr/bin/include/lsof | linux_386.elf
File opened for modification | /usr/bin/find | linux_386.elf
File opened for modification | /usr/bin/lsof | linux_386.elf
Modifies Bash startup script (2 TTPs, 3 IoCs)
description | ioc | Process
File opened for modification | /etc/profile.d/bash_cfg | linux_386.elf
File opened for modification | /etc/profile.d/bash_cfg.sh | linux_386.elf
File opened for modification | /etc/profile.d/gateway.sh | linux_386.elf
Enumerates kernel/hardware configuration (1 TTPs, 5 IoCs)
Reads contents of /sys virtual filesystem to enumerate system information.
description | ioc | Process
File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | opt.services.cfg
File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | Process not Found
File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | linux_386.elf
File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | 32676
File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | opt.services.cfg
Reads runtime system information
description | ioc | Process
File opened for reading | /proc/cmdline | systemctl
File opened for reading | /proc/filesystems | systemctl
File opened for reading | /proc/filesystems | systemctl
File opened for reading | /proc/26/stat | linux_386.elf
File opened for reading | /proc/filesystems | systemctl
File opened for reading | /proc/self/stat | systemctl
File opened for reading | /proc/cmdline | systemctl
File opened for reading | /proc/1/environ | systemctl
File opened for reading | /proc/cmdline | systemctl
File opened for reading | /proc/1/environ | systemctl
File opened for reading | /proc/1/environ | systemctl
File opened for reading | /proc/1064/stat | linux_386.elf
File opened for reading | /proc/1182/stat | linux_386.elf
File opened for reading | /proc/cmdline | systemctl
File opened for reading | /proc/1/sched | systemctl
File opened for reading | /proc/1/environ | systemctl
File opened for reading | /proc/cmdline | systemctl
File opened for reading | /proc/sys/kernel/osrelease | systemctl
File opened for reading | /proc/1/sched | systemctl
File opened for reading | /proc/656/stat | linux_386.elf
File opened for reading | /proc/768/stat | linux_386.elf
File opened for reading | /proc/1506/stat | linux_386.elf
File opened for reading | /proc/filesystems | systemctl
File opened for reading | /proc/sys/kernel/osrelease | systemctl
File opened for reading | /proc/1/sched | systemctl
File opened for reading | /proc/1/environ | systemctl
File opened for reading | /proc/1/sched | systemctl
File opened for reading | /proc/4/stat | linux_386.elf
File opened for reading | /proc/205/stat | linux_386.elf
File opened for reading | /proc/744/stat | linux_386.elf
File opened for reading | /proc/1119/stat | linux_386.elf
File opened for reading | /proc/1183/stat | linux_386.elf
File opened for reading | /proc/cmdline | systemctl
File opened for reading | /proc/1/sched | systemctl
File opened for reading | /proc/1/environ | systemctl
File opened for reading | /proc/599/stat | linux_386.elf
File opened for reading | /proc/1/environ | systemctl
File opened for reading | /proc/cmdline | systemctl
File opened for reading | /proc/filesystems | systemctl
File opened for reading | /proc/1/sched | systemctl
File opened for reading | /proc/1/environ | systemctl
File opened for reading | /proc/sys/kernel/osrelease | systemctl
File opened for reading | /proc/cmdline | systemctl
File opened for reading | /proc/5/stat | linux_386.elf
File opened for reading | /proc/526/stat | linux_386.elf
File opened for reading | /proc/self/stat | systemctl
File opened for reading | /proc/filesystems | systemctl
File opened for reading | /proc/cmdline | systemctl
File opened for reading | /proc/1/sched | systemctl
File opened for reading | /proc/23/stat | linux_386.elf
File opened for reading | /proc/1178/stat | linux_386.elf
File opened for reading | /proc/self/stat | systemctl
File opened for reading | /proc/filesystems | systemctl
File opened for reading | /proc/cmdline | systemctl
File opened for reading | /proc/sys/kernel/osrelease | linux_386.elf
File opened for reading | /proc/24/stat | linux_386.elf
File opened for reading | /proc/self/stat | systemctl
File opened for reading | /proc/filesystems | systemctl
File opened for reading | /proc/cmdline | systemctl
File opened for reading | /proc/sys/kernel/osrelease | systemctl
File opened for reading | /proc/sys/kernel/osrelease | systemctl
File opened for reading | /proc/1/sched | systemctl
File opened for reading | /proc/sys/kernel/osrelease | systemctl
File opened for reading | /proc/1/environ | systemctl
Processes (indented by tree depth: image | command line | PID, followed by the signatures matched on that process)

/tmp/linux_386.elf | cmdline: /tmp/linux_386.elf " " | PID 1512
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Creates/modifies Cron job
  - Creates/modifies environment variables
  - Modifies init.d
  - Write file to user bin folder
  - Modifies Bash startup script
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  /usr/bin/basename | cmdline: basename /usr/sbin/service | PID 1520
  /usr/bin/basename | cmdline: basename /usr/sbin/service | PID 1521
  /bin/systemctl | cmdline: systemctl --quiet is-active multi-user.target | PID 1522
    - Reads runtime system information
  /bin/sed | cmdline: sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p" | PID 1525
  /bin/systemctl | cmdline: systemctl list-unit-files --full "--type=socket" | PID 1524
    - Reads runtime system information
  /bin/systemctl | cmdline: systemctl -p Triggers show acpid.socket | PID 1526
    - Reads runtime system information
  /bin/systemctl | cmdline: systemctl -p Triggers show apport-forward.socket | PID 1528
    - Reads runtime system information
  /bin/systemctl | cmdline: systemctl -p Triggers show avahi-daemon.socket | PID 1531
  /bin/systemctl | cmdline: systemctl -p Triggers show cups.socket | PID 1532
    - Reads runtime system information
  /bin/systemctl | cmdline: systemctl -p Triggers show dbus.socket | PID 1533
    - Reads runtime system information
  /bin/systemctl | cmdline: systemctl -p Triggers show saned.socket | PID 1534
    - Reads runtime system information
  /bin/systemctl | cmdline: systemctl -p Triggers show snapd.socket | PID 1535
  /bin/systemctl | cmdline: systemctl -p Triggers show ssh.socket | PID 1536
    - Reads runtime system information
  /bin/systemctl | cmdline: systemctl -p Triggers show syslog.socket | PID 1537
    - Reads runtime system information
  /bin/systemctl | cmdline: systemctl -p Triggers show systemd-fsckd.socket | PID 1538
    - Reads runtime system information
  /bin/systemctl | cmdline: systemctl -p Triggers show systemd-initctl.socket | PID 1539
    - Reads runtime system information
  /bin/systemctl | cmdline: systemctl -p Triggers show systemd-journald-audit.socket | PID 1540
  /bin/systemctl | cmdline: systemctl -p Triggers show systemd-journald-dev-log.socket | PID 1541
    - Reads runtime system information
  /bin/systemctl | cmdline: systemctl -p Triggers show systemd-journald.socket | PID 1542
  /bin/systemctl | cmdline: systemctl -p Triggers show systemd-networkd.socket | PID 1543
  /bin/systemctl | cmdline: systemctl -p Triggers show systemd-rfkill.socket | PID 1544
    - Reads runtime system information
  /bin/systemctl | cmdline: systemctl -p Triggers show systemd-udevd-control.socket | PID 1545
  /bin/systemctl | cmdline: systemctl -p Triggers show systemd-udevd-kernel.socket | PID 1546
    - Reads runtime system information
  /bin/systemctl | cmdline: systemctl -p Triggers show uuidd.socket | PID 1547
    - Reads runtime system information
  /usr/local/sbin/systemctl | cmdline: systemctl start crond.service | PID 1518
  /usr/local/bin/systemctl | cmdline: systemctl start crond.service | PID 1518
  /usr/sbin/systemctl | cmdline: systemctl start crond.service | PID 1518
  /usr/bin/systemctl | cmdline: systemctl start crond.service | PID 1518
  /sbin/systemctl | cmdline: systemctl start crond.service | PID 1518
  /bin/systemctl | cmdline: systemctl start crond.service | PID 1518
    - Reads runtime system information
  /usr/bin/basename | cmdline: basename /usr/sbin/service | PID 1553
  /usr/bin/basename | cmdline: basename /usr/sbin/service | PID 1554
  /bin/systemctl | cmdline: systemctl --quiet is-active multi-user.target | PID 1555
  /bin/sed | cmdline: sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p" | PID 1558
  /bin/systemctl | cmdline: systemctl list-unit-files --full "--type=socket" | PID 1557
    - Reads runtime system information
  /bin/systemctl | cmdline: systemctl -p Triggers show acpid.socket | PID 1559
    - Reads runtime system information
  /bin/systemctl | cmdline: systemctl -p Triggers show apport-forward.socket | PID 1560
    - Reads runtime system information
  /bin/systemctl | cmdline: systemctl -p Triggers show avahi-daemon.socket | PID 1561
    - Reads runtime system information
  /bin/systemctl | cmdline: systemctl -p Triggers show cups.socket | PID 1562
    - Reads runtime system information
  /bin/systemctl | cmdline: systemctl -p Triggers show dbus.socket | PID 1563
  /bin/systemctl | cmdline: systemctl -p Triggers show saned.socket | PID 1564
    - Reads runtime system information
  /bin/systemctl | cmdline: systemctl -p Triggers show snapd.socket | PID 1565
  /bin/systemctl | cmdline: systemctl -p Triggers show ssh.socket | PID 1566
    - Reads runtime system information
  /bin/systemctl | cmdline: systemctl -p Triggers show syslog.socket | PID 1567
  /bin/systemctl | cmdline: systemctl -p Triggers show systemd-fsckd.socket | PID 1568
    - Reads runtime system information
  /bin/systemctl | cmdline: systemctl -p Triggers show systemd-initctl.socket | PID 1569
    - Reads runtime system information
  /bin/systemctl | cmdline: systemctl -p Triggers show systemd-journald-audit.socket | PID 1570
    - Reads runtime system information
  /bin/systemctl | cmdline: systemctl -p Triggers show systemd-journald-dev-log.socket | PID 1571
    - Reads runtime system information
  /bin/systemctl | cmdline: systemctl -p Triggers show systemd-journald.socket | PID 1572
  /bin/systemctl | cmdline: systemctl -p Triggers show systemd-networkd.socket | PID 1573
    - Reads runtime system information
  /bin/systemctl | cmdline: systemctl -p Triggers show systemd-rfkill.socket | PID 1574
  /bin/systemctl | cmdline: systemctl -p Triggers show systemd-udevd-control.socket | PID 1575
    - Reads runtime system information
  /bin/systemctl | cmdline: systemctl -p Triggers show systemd-udevd-kernel.socket | PID 1576
    - Reads runtime system information
  /bin/systemctl | cmdline: systemctl -p Triggers show uuidd.socket | PID 1577
    - Reads runtime system information
  /usr/local/sbin/systemctl | cmdline: systemctl start cron.service | PID 1552
  /usr/local/bin/systemctl | cmdline: systemctl start cron.service | PID 1552
  /usr/sbin/systemctl | cmdline: systemctl start cron.service | PID 1552
  /usr/bin/systemctl | cmdline: systemctl start cron.service | PID 1552
  /sbin/systemctl | cmdline: systemctl start cron.service | PID 1552
  /bin/systemctl | cmdline: systemctl start cron.service | PID 1552
    - Reads runtime system information

/etc/32676 | cmdline: /etc/32676 | PID 1517
  - Executes dropped EXE
  - Enumerates kernel/hardware configuration
  /bin/sleep | cmdline: sleep 60 | PID 1519
  /etc/opt.services.cfg | cmdline: /etc/opt.services.cfg " " | PID 1610
    - Enumerates kernel/hardware configuration
  /bin/sleep | cmdline: sleep 60 | PID 1611
  /etc/opt.services.cfg | cmdline: /etc/opt.services.cfg " " | PID 1629
    - Enumerates kernel/hardware configuration
  /bin/sleep | cmdline: sleep 60 | PID 1630
Network
MITRE ATT&CK Enterprise v16 (technique, sub-technique indented, and number of matching signatures)

Persistence
  Boot or Logon Autostart Execution (2)
  Boot or Logon Initialization Scripts (1)
    RC Scripts (1)
  Event Triggered Execution (1)
    Unix Shell Configuration Modification (1)
  Hijack Execution Flow (1)
    Path Interception by PATH Environment Variable (1)
  Scheduled Task/Job (1)
    Cron (1)

Privilege Escalation
  Boot or Logon Autostart Execution (2)
  Boot or Logon Initialization Scripts (1)
    RC Scripts (1)
  Event Triggered Execution (1)
    Unix Shell Configuration Modification (1)
  Hijack Execution Flow (1)
    Path Interception by PATH Environment Variable (1)
  Scheduled Task/Job (1)
    Cron (1)
Downloads

Filesize: 34B
MD5: f5a3713282e43c200f30342f5ff5e2ea
SHA1: 2b2ce1a207e2b691a074c6f78f71c4785aae426a
SHA256: 6ab64e727571458d4884fb2fe82c27c467db0699cb8f648b3f0217c35d2b7511
SHA512: 5bcb8cd360409147a486755f90e0cdd97183af02ce8de5135b7c6a8a010deb9ef12dcd5ee9a2a8fd2e159347f68e72d6b7fd75e943b4fcd928d7a74b97476013

Filesize: 49B
MD5: d2251bfea9a6b1de4eb296abf42c0ffc
SHA1: 806c8013b9a2587f6d6e96017227994a204a03a7
SHA256: 8e09954878d172dbe6fcfb11beedc902fd710cb9ef8a8c2a401022f2c10c81ec
SHA512: 26859c09b676c4ea1054033c5eb3a137c57ecd919dc2fbc1eb6e99461082aa91f1da87b8a3534f79f0029cd8c24c026911e45182c571d5ea589d4306de08b538

Filesize: 98B
MD5: bd779dd44dd2a124b045ba61a669b7af
SHA1: 2c2eb03fc3ca435414b4b8a8f3f722e91304e25f
SHA256: 17d7548b0bb5ecb99f4098ccfb2a878f340279047d497cb78ce160bceca89e5b
SHA512: d99d842b57de82df0f65b3f33bab29b7f55a21b6a3a3c143f6f294856d9c87c52c1ef7791265d62bd572bd09a638bbba41d0fef990cd8de8ce8406234203fd53

Filesize: 61B
MD5: 47684525bfdf26f49fd1cf742b17c015
SHA1: c4ab14ba22420ff9acadfc698a38d0cd99e9fbfa
SHA256: b7ce294613dd2c237a4a50548bfcd5c14d166107f2d2e965499bc78695300d5b
SHA512: 948f9c519ae9afe1c821c5d58da2e584e50356dabef597ccd408853a9038560b9fb1c5894900e2725b48977ffd49d18a439436bb4946e2164ac9fcf2a8637621

Filesize: 1.8MB
MD5: 425032ac432cb4a58481c8f2fac1a298
SHA1: c7538b5ff5057f553bb7ae707e8fc98281e8a8bd
SHA256: 3f5d9a1535b34fa397a15162abca45f8cefc97fbab8bf52116e550b646879a7b
SHA512: db5631b8499f3be061e40166b4cac9a934a22c5d726a88d6fd63c9633f435de956b740addaa5accf769a09f3cfc5f8c0b34cca1dca24439986bd78ef39f2da76

Filesize: 1KB
MD5: 90d8461db20ae89d4b793b9390d5857e
SHA1: 413acbb9e503ad08926279286acc9e900ae8283b
SHA256: 8b6f6c562be44b1cc9d6328020d0bac0df834d89e3742ea23cba8dd0e96972ab
SHA512: 6382d71a041b7b698d75aa9c9ae499cc44b8ffbd09f864df1c1e04cb7e3998c4d2f677cc285235908e66f38e30b43687516a3d4f7e85c1140cbce3eeb4807f06

Filesize: 232KB
MD5: f11b2b59639b1edcb46026472786c747
SHA1: a6fe59e11456bc7f19e28b38aa9c1f9c1a13b70d
SHA256: 189fbf2416c8205430d8eaa85e2947bc15504ca335ad4a77ec668ff3cbf9c84a
SHA512: 1967f43b4b274e2afbc30e8e1bad314085e488066b22233e6ec033dbae10ae111320296b9d429e94cb3079636a37e433aeac928b4ef23a56dedae1741815416b

Filesize: 159KB
MD5: e093dc78225e2a0a25e3b137c1c1e442
SHA1: c29497cfaae729eb576875e4fdfa400640ab16be
SHA256: 1190f4dbc7be174de8fd4096c9bf7a28eebfac937d308b7cc533be4a1240d26e
SHA512: fe1cc7a65327732eaaee89f427c10239ba822430e34177842f4681068d78d404b1830d808a2a71b1efcc5f126c6d8c053512237421173aaa150e215a672da6f0