Malware Analysis Report

2025-05-05 22:14

Sample ID 250417-gaz92asrz6
Target linux_386.elf
SHA256 3f5d9a1535b34fa397a15162abca45f8cefc97fbab8bf52116e550b646879a7b
Tags
kaiji defense_evasion discovery execution persistence privilege_escalation
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3f5d9a1535b34fa397a15162abca45f8cefc97fbab8bf52116e550b646879a7b

Threat Level: Known bad

The file linux_386.elf was found to be: Known bad.

Malicious Activity Summary

kaiji defense_evasion discovery execution persistence privilege_escalation

Kaiji

Kaiji family

Executes dropped EXE

Modifies Watchdog functionality

Write file to user bin folder

Creates/modifies Cron job

Creates/modifies environment variables

Enumerates running processes

Modifies init.d

Modifies Bash startup script

Reads runtime system information

Enumerates kernel/hardware configuration

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-04-17 05:36

Signatures

Kaiji

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Kaiji family

kaiji

Analysis: behavioral1

Detonation Overview

Submitted

2025-04-17 05:36

Reported

2025-04-17 05:39

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

148s

Max time network

146s

Command Line

[/tmp/linux_386.elf ]

Signatures

Kaiji

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Kaiji family

kaiji

Executes dropped EXE

Description  Indicator              Process             Target
N/A          /etc/32676             /tmp/linux_386.elf  N/A
N/A          /etc/opt.services.cfg  /etc/32676          N/A
N/A          /etc/opt.services.cfg  /etc/32676          N/A
N/A          /etc/opt.services.cfg  /etc/32676          N/A
N/A          /etc/opt.services.cfg  /etc/32676          N/A

Modifies Watchdog functionality

defense_evasion
Description                   Indicator           Process             Target
File opened for modification  /dev/watchdog       /tmp/linux_386.elf  N/A
File opened for modification  /dev/misc/watchdog  /tmp/linux_386.elf  N/A

Creates/modifies Cron job

execution persistence privilege_escalation
Description                   Indicator     Process             Target
File opened for modification  /etc/crontab  /tmp/linux_386.elf  N/A

Creates/modifies environment variables

persistence privilege_escalation defense_evasion
Description                   Indicator                   Process             Target
File opened for modification  /etc/profile.d/bash_cfg     /tmp/linux_386.elf  N/A
File opened for modification  /etc/profile.d/bash_cfg.sh  /tmp/linux_386.elf  N/A
File opened for modification  /etc/profile.d/gateway.sh   /tmp/linux_386.elf  N/A

Enumerates running processes

Modifies init.d

persistence
Description                   Indicator                        Process             Target
File opened for modification  /etc/init.d/dbus                 /tmp/linux_386.elf  N/A
File opened for modification  /etc/init.d/auditd               /tmp/linux_386.elf  N/A
File opened for modification  /etc/init.d/avahi-daemon         /tmp/linux_386.elf  N/A
File opened for modification  /etc/init.d/bluetooth            /tmp/linux_386.elf  N/A
File opened for modification  /etc/init.d/plymouth             /tmp/linux_386.elf  N/A
File opened for modification  /etc/init.d/procps               /tmp/linux_386.elf  N/A
File opened for modification  /etc/init.d/cups-browsed         /tmp/linux_386.elf  N/A
File opened for modification  /etc/init.d/anacron              /tmp/linux_386.elf  N/A
File opened for modification  /etc/init.d/apparmor             /tmp/linux_386.elf  N/A
File opened for modification  /etc/init.d/console-setup.sh     /tmp/linux_386.elf  N/A
File opened for modification  /etc/init.d/selinux-autorelabel  /tmp/linux_386.elf  N/A
File opened for modification  /etc/init.d/spice-vdagent        /tmp/linux_386.elf  N/A
File opened for modification  /etc/init.d/ssh                  /tmp/linux_386.elf  N/A
File opened for modification  /etc/init.d/unattended-upgrades  /tmp/linux_386.elf  N/A
File opened for modification  /etc/init.d/acpid                /tmp/linux_386.elf  N/A
File opened for modification  /etc/init.d/speech-dispatcher    /tmp/linux_386.elf  N/A
File opened for modification  /etc/init.d/udev                 /tmp/linux_386.elf  N/A
File opened for modification  /etc/init.d/uuidd                /tmp/linux_386.elf  N/A
File opened for modification  /etc/init.d/x11-common           /tmp/linux_386.elf  N/A
File opened for modification  /etc/init.d/alsa-utils           /tmp/linux_386.elf  N/A
File opened for modification  /etc/init.d/hwclock.sh           /tmp/linux_386.elf  N/A
File opened for modification  /etc/init.d/irqbalance           /tmp/linux_386.elf  N/A
File opened for modification  /etc/init.d/ufw                  /tmp/linux_386.elf  N/A
File opened for modification  /etc/init.d/cron                 /tmp/linux_386.elf  N/A
File opened for modification  /etc/init.d/gdm3                 /tmp/linux_386.elf  N/A
File opened for modification  /etc/init.d/keyboard-setup.sh    /tmp/linux_386.elf  N/A
File opened for modification  /etc/init.d/networking           /tmp/linux_386.elf  N/A
File opened for modification  /etc/init.d/plymouth-log         /tmp/linux_386.elf  N/A
File opened for modification  /etc/init.d/saned                /tmp/linux_386.elf  N/A
File opened for modification  /etc/init.d/cups                 /tmp/linux_386.elf  N/A
File opened for modification  /etc/init.d/apport               /tmp/linux_386.elf  N/A
File opened for modification  /etc/init.d/kmod                 /tmp/linux_386.elf  N/A
File opened for modification  /etc/init.d/rsync                /tmp/linux_386.elf  N/A
File opened for modification  /etc/init.d/rsyslog              /tmp/linux_386.elf  N/A

Write file to user bin folder

persistence
Description                   Indicator              Process             Target
File opened for modification  /usr/bin/include/find  /tmp/linux_386.elf  N/A
File opened for modification  /usr/bin/include/lsof  /tmp/linux_386.elf  N/A
File opened for modification  /usr/bin/find          /tmp/linux_386.elf  N/A
File opened for modification  /usr/bin/lsof          /tmp/linux_386.elf  N/A

Modifies Bash startup script

persistence
Description                   Indicator                   Process             Target
File opened for modification  /etc/profile.d/bash_cfg     /tmp/linux_386.elf  N/A
File opened for modification  /etc/profile.d/bash_cfg.sh  /tmp/linux_386.elf  N/A
File opened for modification  /etc/profile.d/gateway.sh   /tmp/linux_386.elf  N/A

Enumerates kernel/hardware configuration

discovery
Description                   Indicator                                           Process                Target
File opened for reading       /sys/kernel/mm/transparent_hugepage/hpage_pmd_size  /etc/opt.services.cfg  N/A
File opened for reading       /sys/kernel/mm/transparent_hugepage/hpage_pmd_size  N/A                    N/A
File opened for reading       /sys/kernel/mm/transparent_hugepage/hpage_pmd_size  /tmp/linux_386.elf     N/A
File opened for reading       /sys/kernel/mm/transparent_hugepage/hpage_pmd_size  /etc/32676             N/A
File opened for reading       /sys/kernel/mm/transparent_hugepage/hpage_pmd_size  /etc/opt.services.cfg  N/A

Reads runtime system information

discovery
Description                   Indicator                   Process             Target
File opened for reading       /proc/cmdline               /bin/systemctl      N/A
File opened for reading       /proc/filesystems           /bin/systemctl      N/A
File opened for reading       /proc/filesystems           /bin/systemctl      N/A
File opened for reading       /proc/26/stat               /tmp/linux_386.elf  N/A
File opened for reading       /proc/filesystems           /bin/systemctl      N/A
File opened for reading       /proc/self/stat             /bin/systemctl      N/A
File opened for reading       /proc/cmdline               /bin/systemctl      N/A
File opened for reading       /proc/1/environ             /bin/systemctl      N/A
File opened for reading       /proc/cmdline               /bin/systemctl      N/A
File opened for reading       /proc/1/environ             /bin/systemctl      N/A
File opened for reading       /proc/1/environ             /bin/systemctl      N/A
File opened for reading       /proc/1064/stat             /tmp/linux_386.elf  N/A
File opened for reading       /proc/1182/stat             /tmp/linux_386.elf  N/A
File opened for reading       /proc/cmdline               /bin/systemctl      N/A
File opened for reading       /proc/1/sched               /bin/systemctl      N/A
File opened for reading       /proc/1/environ             /bin/systemctl      N/A
File opened for reading       /proc/cmdline               /bin/systemctl      N/A
File opened for reading       /proc/sys/kernel/osrelease  /bin/systemctl      N/A
File opened for reading       /proc/1/sched               /bin/systemctl      N/A
File opened for reading       /proc/656/stat              /tmp/linux_386.elf  N/A
File opened for reading       /proc/768/stat              /tmp/linux_386.elf  N/A
File opened for reading       /proc/1506/stat             /tmp/linux_386.elf  N/A
File opened for reading       /proc/filesystems           /bin/systemctl      N/A
File opened for reading       /proc/sys/kernel/osrelease  /bin/systemctl      N/A
File opened for reading       /proc/1/sched               /bin/systemctl      N/A
File opened for reading       /proc/1/environ             /bin/systemctl      N/A
File opened for reading       /proc/1/sched               /bin/systemctl      N/A
File opened for reading       /proc/4/stat                /tmp/linux_386.elf  N/A
File opened for reading       /proc/205/stat              /tmp/linux_386.elf  N/A
File opened for reading       /proc/744/stat              /tmp/linux_386.elf  N/A
File opened for reading       /proc/1119/stat             /tmp/linux_386.elf  N/A
File opened for reading       /proc/1183/stat             /tmp/linux_386.elf  N/A
File opened for reading       /proc/cmdline               /bin/systemctl      N/A
File opened for reading       /proc/1/sched               /bin/systemctl      N/A
File opened for reading       /proc/1/environ             /bin/systemctl      N/A
File opened for reading       /proc/599/stat              /tmp/linux_386.elf  N/A
File opened for reading       /proc/1/environ             /bin/systemctl      N/A
File opened for reading       /proc/cmdline               /bin/systemctl      N/A
File opened for reading       /proc/filesystems           /bin/systemctl      N/A
File opened for reading       /proc/1/sched               /bin/systemctl      N/A
File opened for reading       /proc/1/environ             /bin/systemctl      N/A
File opened for reading       /proc/sys/kernel/osrelease  /bin/systemctl      N/A
File opened for reading       /proc/cmdline               /bin/systemctl      N/A
File opened for reading       /proc/5/stat                /tmp/linux_386.elf  N/A
File opened for reading       /proc/526/stat              /tmp/linux_386.elf  N/A
File opened for reading       /proc/self/stat             /bin/systemctl      N/A
File opened for reading       /proc/filesystems           /bin/systemctl      N/A
File opened for reading       /proc/cmdline               /bin/systemctl      N/A
File opened for reading       /proc/1/sched               /bin/systemctl      N/A
File opened for reading       /proc/23/stat               /tmp/linux_386.elf  N/A
File opened for reading       /proc/1178/stat             /tmp/linux_386.elf  N/A
File opened for reading       /proc/self/stat             /bin/systemctl      N/A
File opened for reading       /proc/filesystems           /bin/systemctl      N/A
File opened for reading       /proc/cmdline               /bin/systemctl      N/A
File opened for reading       /proc/sys/kernel/osrelease  /tmp/linux_386.elf  N/A
File opened for reading       /proc/24/stat               /tmp/linux_386.elf  N/A
File opened for reading       /proc/self/stat             /bin/systemctl      N/A
File opened for reading       /proc/filesystems           /bin/systemctl      N/A
File opened for reading       /proc/cmdline               /bin/systemctl      N/A
File opened for reading       /proc/sys/kernel/osrelease  /bin/systemctl      N/A
File opened for reading       /proc/sys/kernel/osrelease  /bin/systemctl      N/A
File opened for reading       /proc/1/sched               /bin/systemctl      N/A
File opened for reading       /proc/sys/kernel/osrelease  /bin/systemctl      N/A
File opened for reading       /proc/1/environ             /bin/systemctl      N/A

Processes

/tmp/linux_386.elf

[/tmp/linux_386.elf ]

/etc/32676

[/etc/32676]

/usr/bin/basename

[basename /usr/sbin/service]

/bin/sleep

[sleep 60]

/usr/bin/basename

[basename /usr/sbin/service]

/bin/systemctl

[systemctl --quiet is-active multi-user.target]

/bin/sed

[sed -ne s/\.socket\s*[a-z]*\s*$/.socket/p]

/bin/systemctl

[systemctl list-unit-files --full --type=socket]

/bin/systemctl

[systemctl -p Triggers show acpid.socket]

/bin/systemctl

[systemctl -p Triggers show apport-forward.socket]

/bin/systemctl

[systemctl -p Triggers show avahi-daemon.socket]

/bin/systemctl

[systemctl -p Triggers show cups.socket]

/bin/systemctl

[systemctl -p Triggers show dbus.socket]

/bin/systemctl

[systemctl -p Triggers show saned.socket]

/bin/systemctl

[systemctl -p Triggers show snapd.socket]

/bin/systemctl

[systemctl -p Triggers show ssh.socket]

/bin/systemctl

[systemctl -p Triggers show syslog.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-fsckd.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-initctl.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-journald-audit.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-journald-dev-log.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-journald.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-networkd.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-rfkill.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-udevd-control.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-udevd-kernel.socket]

/bin/systemctl

[systemctl -p Triggers show uuidd.socket]

/usr/local/sbin/systemctl

[systemctl start crond.service]

/usr/local/bin/systemctl

[systemctl start crond.service]

/usr/sbin/systemctl

[systemctl start crond.service]

/usr/bin/systemctl

[systemctl start crond.service]

/sbin/systemctl

[systemctl start crond.service]

/bin/systemctl

[systemctl start crond.service]

/usr/bin/basename

[basename /usr/sbin/service]

/usr/bin/basename

[basename /usr/sbin/service]

/bin/systemctl

[systemctl --quiet is-active multi-user.target]

/bin/sed

[sed -ne s/\.socket\s*[a-z]*\s*$/.socket/p]

/bin/systemctl

[systemctl list-unit-files --full --type=socket]

/bin/systemctl

[systemctl -p Triggers show acpid.socket]

/bin/systemctl

[systemctl -p Triggers show apport-forward.socket]

/bin/systemctl

[systemctl -p Triggers show avahi-daemon.socket]

/bin/systemctl

[systemctl -p Triggers show cups.socket]

/bin/systemctl

[systemctl -p Triggers show dbus.socket]

/bin/systemctl

[systemctl -p Triggers show saned.socket]

/bin/systemctl

[systemctl -p Triggers show snapd.socket]

/bin/systemctl

[systemctl -p Triggers show ssh.socket]

/bin/systemctl

[systemctl -p Triggers show syslog.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-fsckd.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-initctl.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-journald-audit.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-journald-dev-log.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-journald.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-networkd.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-rfkill.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-udevd-control.socket]

/bin/systemctl

[systemctl -p Triggers show systemd-udevd-kernel.socket]

/bin/systemctl

[systemctl -p Triggers show uuidd.socket]

/usr/local/sbin/systemctl

[systemctl start cron.service]

/usr/local/bin/systemctl

[systemctl start cron.service]

/usr/sbin/systemctl

[systemctl start cron.service]

/usr/bin/systemctl

[systemctl start cron.service]

/sbin/systemctl

[systemctl start cron.service]

/bin/systemctl

[systemctl start cron.service]

/etc/opt.services.cfg

[/etc/opt.services.cfg ]

/bin/sleep

[sleep 60]

/etc/opt.services.cfg

[/etc/opt.services.cfg ]

/bin/sleep

[sleep 60]

Network

Country  Destination          Domain                         Proto
N/A      224.0.0.251:5353     N/A                            udp
GB       185.125.188.61:443   N/A                            tcp
GB       185.125.188.61:443   N/A                            tcp
US       151.101.129.91:443   N/A                            tcp
AU       1.1.1.1:53           ocp-ingress.fastly.gnome.org   udp
GB       89.187.167.8:443     N/A                            tcp
AU       1.1.1.1:53           odrs.gnome.org                 udp
AU       1.1.1.1:53           odrs.gnome.org                 udp
GB       89.187.167.42:443    odrs.gnome.org                 tcp
AU       1.1.1.1:53           www.google.com                 udp
AU       1.1.1.1:53           www.google.com                 udp
HK       103.45.68.160:888    N/A                            tcp

Files

/etc/.walk

MD5 d2251bfea9a6b1de4eb296abf42c0ffc
SHA1 806c8013b9a2587f6d6e96017227994a204a03a7
SHA256 8e09954878d172dbe6fcfb11beedc902fd710cb9ef8a8c2a401022f2c10c81ec
SHA512 26859c09b676c4ea1054033c5eb3a137c57ecd919dc2fbc1eb6e99461082aa91f1da87b8a3534f79f0029cd8c24c026911e45182c571d5ea589d4306de08b538

/etc/.walk

MD5 bd779dd44dd2a124b045ba61a669b7af
SHA1 2c2eb03fc3ca435414b4b8a8f3f722e91304e25f
SHA256 17d7548b0bb5ecb99f4098ccfb2a878f340279047d497cb78ce160bceca89e5b
SHA512 d99d842b57de82df0f65b3f33bab29b7f55a21b6a3a3c143f6f294856d9c87c52c1ef7791265d62bd572bd09a638bbba41d0fef990cd8de8ce8406234203fd53

/etc/opt.services.cfg

MD5 425032ac432cb4a58481c8f2fac1a298
SHA1 c7538b5ff5057f553bb7ae707e8fc98281e8a8bd
SHA256 3f5d9a1535b34fa397a15162abca45f8cefc97fbab8bf52116e550b646879a7b
SHA512 db5631b8499f3be061e40166b4cac9a934a22c5d726a88d6fd63c9633f435de956b740addaa5accf769a09f3cfc5f8c0b34cca1dca24439986bd78ef39f2da76

/etc/32676

MD5 47684525bfdf26f49fd1cf742b17c015
SHA1 c4ab14ba22420ff9acadfc698a38d0cd99e9fbfa
SHA256 b7ce294613dd2c237a4a50548bfcd5c14d166107f2d2e965499bc78695300d5b
SHA512 948f9c519ae9afe1c821c5d58da2e584e50356dabef597ccd408853a9038560b9fb1c5894900e2725b48977ffd49d18a439436bb4946e2164ac9fcf2a8637621

/.mod

MD5 f5a3713282e43c200f30342f5ff5e2ea
SHA1 2b2ce1a207e2b691a074c6f78f71c4785aae426a
SHA256 6ab64e727571458d4884fb2fe82c27c467db0699cb8f648b3f0217c35d2b7511
SHA512 5bcb8cd360409147a486755f90e0cdd97183af02ce8de5135b7c6a8a010deb9ef12dcd5ee9a2a8fd2e159347f68e72d6b7fd75e943b4fcd928d7a74b97476013

/usr/bin/include/find

MD5 f11b2b59639b1edcb46026472786c747
SHA1 a6fe59e11456bc7f19e28b38aa9c1f9c1a13b70d
SHA256 189fbf2416c8205430d8eaa85e2947bc15504ca335ad4a77ec668ff3cbf9c84a
SHA512 1967f43b4b274e2afbc30e8e1bad314085e488066b22233e6ec033dbae10ae111320296b9d429e94cb3079636a37e433aeac928b4ef23a56dedae1741815416b

/usr/bin/include/lsof

MD5 e093dc78225e2a0a25e3b137c1c1e442
SHA1 c29497cfaae729eb576875e4fdfa400640ab16be
SHA256 1190f4dbc7be174de8fd4096c9bf7a28eebfac937d308b7cc533be4a1240d26e
SHA512 fe1cc7a65327732eaaee89f427c10239ba822430e34177842f4681068d78d404b1830d808a2a71b1efcc5f126c6d8c053512237421173aaa150e215a672da6f0

/etc/profile.d/gateway.sh

MD5 90d8461db20ae89d4b793b9390d5857e
SHA1 413acbb9e503ad08926279286acc9e900ae8283b
SHA256 8b6f6c562be44b1cc9d6328020d0bac0df834d89e3742ea23cba8dd0e96972ab
SHA512 6382d71a041b7b698d75aa9c9ae499cc44b8ffbd09f864df1c1e04cb7e3998c4d2f677cc285235908e66f38e30b43687516a3d4f7e85c1140cbce3eeb4807f06