Analysis Overview
SHA256
3f5d9a1535b34fa397a15162abca45f8cefc97fbab8bf52116e550b646879a7b
Threat Level: Known bad
The file linux_386.elf was found to be: Known bad.
Malicious Activity Summary
Kaiji
Kaiji family
Executes dropped EXE
Modifies Watchdog functionality
Write file to user bin folder
Creates/modifies Cron job
Creates/modifies environment variables
Enumerates running processes
Modifies init.d
Modifies Bash startup script
Reads runtime system information
Enumerates kernel/hardware configuration
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-04-17 05:36
Signatures
Kaiji
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Kaiji family
Analysis: behavioral1
Detonation Overview
Submitted
2025-04-17 05:36
Reported
2025-04-17 05:39
Platform
ubuntu1804-amd64-20240508-en
Max time kernel
148s
Max time network
146s
Command Line
Signatures
Kaiji
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Kaiji family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /etc/32676 | /tmp/linux_386.elf | N/A |
| N/A | /etc/opt.services.cfg | /etc/32676 | N/A |
| N/A | /etc/opt.services.cfg | /etc/32676 | N/A |
| N/A | /etc/opt.services.cfg | /etc/32676 | N/A |
| N/A | /etc/opt.services.cfg | /etc/32676 | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
| File opened for modification | /dev/watchdog | /tmp/linux_386.elf | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/linux_386.elf | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
| File opened for modification | /etc/crontab | /tmp/linux_386.elf | N/A |
Creates/modifies environment variables
| Description | Indicator | Process | Target |
| File opened for modification | /etc/profile.d/bash_cfg | /tmp/linux_386.elf | N/A |
| File opened for modification | /etc/profile.d/bash_cfg.sh | /tmp/linux_386.elf | N/A |
| File opened for modification | /etc/profile.d/gateway.sh | /tmp/linux_386.elf | N/A |
Enumerates running processes
Modifies init.d
| Description | Indicator | Process | Target |
| File opened for modification | /etc/init.d/dbus | /tmp/linux_386.elf | N/A |
| File opened for modification | /etc/init.d/auditd | /tmp/linux_386.elf | N/A |
| File opened for modification | /etc/init.d/avahi-daemon | /tmp/linux_386.elf | N/A |
| File opened for modification | /etc/init.d/bluetooth | /tmp/linux_386.elf | N/A |
| File opened for modification | /etc/init.d/plymouth | /tmp/linux_386.elf | N/A |
| File opened for modification | /etc/init.d/procps | /tmp/linux_386.elf | N/A |
| File opened for modification | /etc/init.d/cups-browsed | /tmp/linux_386.elf | N/A |
| File opened for modification | /etc/init.d/anacron | /tmp/linux_386.elf | N/A |
| File opened for modification | /etc/init.d/apparmor | /tmp/linux_386.elf | N/A |
| File opened for modification | /etc/init.d/console-setup.sh | /tmp/linux_386.elf | N/A |
| File opened for modification | /etc/init.d/selinux-autorelabel | /tmp/linux_386.elf | N/A |
| File opened for modification | /etc/init.d/spice-vdagent | /tmp/linux_386.elf | N/A |
| File opened for modification | /etc/init.d/ssh | /tmp/linux_386.elf | N/A |
| File opened for modification | /etc/init.d/unattended-upgrades | /tmp/linux_386.elf | N/A |
| File opened for modification | /etc/init.d/acpid | /tmp/linux_386.elf | N/A |
| File opened for modification | /etc/init.d/speech-dispatcher | /tmp/linux_386.elf | N/A |
| File opened for modification | /etc/init.d/udev | /tmp/linux_386.elf | N/A |
| File opened for modification | /etc/init.d/uuidd | /tmp/linux_386.elf | N/A |
| File opened for modification | /etc/init.d/x11-common | /tmp/linux_386.elf | N/A |
| File opened for modification | /etc/init.d/alsa-utils | /tmp/linux_386.elf | N/A |
| File opened for modification | /etc/init.d/hwclock.sh | /tmp/linux_386.elf | N/A |
| File opened for modification | /etc/init.d/irqbalance | /tmp/linux_386.elf | N/A |
| File opened for modification | /etc/init.d/ufw | /tmp/linux_386.elf | N/A |
| File opened for modification | /etc/init.d/cron | /tmp/linux_386.elf | N/A |
| File opened for modification | /etc/init.d/gdm3 | /tmp/linux_386.elf | N/A |
| File opened for modification | /etc/init.d/keyboard-setup.sh | /tmp/linux_386.elf | N/A |
| File opened for modification | /etc/init.d/networking | /tmp/linux_386.elf | N/A |
| File opened for modification | /etc/init.d/plymouth-log | /tmp/linux_386.elf | N/A |
| File opened for modification | /etc/init.d/saned | /tmp/linux_386.elf | N/A |
| File opened for modification | /etc/init.d/cups | /tmp/linux_386.elf | N/A |
| File opened for modification | /etc/init.d/apport | /tmp/linux_386.elf | N/A |
| File opened for modification | /etc/init.d/kmod | /tmp/linux_386.elf | N/A |
| File opened for modification | /etc/init.d/rsync | /tmp/linux_386.elf | N/A |
| File opened for modification | /etc/init.d/rsyslog | /tmp/linux_386.elf | N/A |
Write file to user bin folder
| Description | Indicator | Process | Target |
| File opened for modification | /usr/bin/include/find | /tmp/linux_386.elf | N/A |
| File opened for modification | /usr/bin/include/lsof | /tmp/linux_386.elf | N/A |
| File opened for modification | /usr/bin/find | /tmp/linux_386.elf | N/A |
| File opened for modification | /usr/bin/lsof | /tmp/linux_386.elf | N/A |
Modifies Bash startup script
| Description | Indicator | Process | Target |
| File opened for modification | /etc/profile.d/bash_cfg | /tmp/linux_386.elf | N/A |
| File opened for modification | /etc/profile.d/bash_cfg.sh | /tmp/linux_386.elf | N/A |
| File opened for modification | /etc/profile.d/gateway.sh | /tmp/linux_386.elf | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /etc/opt.services.cfg | N/A |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | N/A | N/A |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /tmp/linux_386.elf | N/A |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /etc/32676 | N/A |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /etc/opt.services.cfg | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cmdline | /bin/systemctl | N/A |
| File opened for reading | /proc/filesystems | /bin/systemctl | N/A |
| File opened for reading | /proc/filesystems | /bin/systemctl | N/A |
| File opened for reading | /proc/26/stat | /tmp/linux_386.elf | N/A |
| File opened for reading | /proc/filesystems | /bin/systemctl | N/A |
| File opened for reading | /proc/self/stat | /bin/systemctl | N/A |
| File opened for reading | /proc/cmdline | /bin/systemctl | N/A |
| File opened for reading | /proc/1/environ | /bin/systemctl | N/A |
| File opened for reading | /proc/cmdline | /bin/systemctl | N/A |
| File opened for reading | /proc/1/environ | /bin/systemctl | N/A |
| File opened for reading | /proc/1/environ | /bin/systemctl | N/A |
| File opened for reading | /proc/1064/stat | /tmp/linux_386.elf | N/A |
| File opened for reading | /proc/1182/stat | /tmp/linux_386.elf | N/A |
| File opened for reading | /proc/cmdline | /bin/systemctl | N/A |
| File opened for reading | /proc/1/sched | /bin/systemctl | N/A |
| File opened for reading | /proc/1/environ | /bin/systemctl | N/A |
| File opened for reading | /proc/cmdline | /bin/systemctl | N/A |
| File opened for reading | /proc/sys/kernel/osrelease | /bin/systemctl | N/A |
| File opened for reading | /proc/1/sched | /bin/systemctl | N/A |
| File opened for reading | /proc/656/stat | /tmp/linux_386.elf | N/A |
| File opened for reading | /proc/768/stat | /tmp/linux_386.elf | N/A |
| File opened for reading | /proc/1506/stat | /tmp/linux_386.elf | N/A |
| File opened for reading | /proc/filesystems | /bin/systemctl | N/A |
| File opened for reading | /proc/sys/kernel/osrelease | /bin/systemctl | N/A |
| File opened for reading | /proc/1/sched | /bin/systemctl | N/A |
| File opened for reading | /proc/1/environ | /bin/systemctl | N/A |
| File opened for reading | /proc/1/sched | /bin/systemctl | N/A |
| File opened for reading | /proc/4/stat | /tmp/linux_386.elf | N/A |
| File opened for reading | /proc/205/stat | /tmp/linux_386.elf | N/A |
| File opened for reading | /proc/744/stat | /tmp/linux_386.elf | N/A |
| File opened for reading | /proc/1119/stat | /tmp/linux_386.elf | N/A |
| File opened for reading | /proc/1183/stat | /tmp/linux_386.elf | N/A |
| File opened for reading | /proc/cmdline | /bin/systemctl | N/A |
| File opened for reading | /proc/1/sched | /bin/systemctl | N/A |
| File opened for reading | /proc/1/environ | /bin/systemctl | N/A |
| File opened for reading | /proc/599/stat | /tmp/linux_386.elf | N/A |
| File opened for reading | /proc/1/environ | /bin/systemctl | N/A |
| File opened for reading | /proc/cmdline | /bin/systemctl | N/A |
| File opened for reading | /proc/filesystems | /bin/systemctl | N/A |
| File opened for reading | /proc/1/sched | /bin/systemctl | N/A |
| File opened for reading | /proc/1/environ | /bin/systemctl | N/A |
| File opened for reading | /proc/sys/kernel/osrelease | /bin/systemctl | N/A |
| File opened for reading | /proc/cmdline | /bin/systemctl | N/A |
| File opened for reading | /proc/5/stat | /tmp/linux_386.elf | N/A |
| File opened for reading | /proc/526/stat | /tmp/linux_386.elf | N/A |
| File opened for reading | /proc/self/stat | /bin/systemctl | N/A |
| File opened for reading | /proc/filesystems | /bin/systemctl | N/A |
| File opened for reading | /proc/cmdline | /bin/systemctl | N/A |
| File opened for reading | /proc/1/sched | /bin/systemctl | N/A |
| File opened for reading | /proc/23/stat | /tmp/linux_386.elf | N/A |
| File opened for reading | /proc/1178/stat | /tmp/linux_386.elf | N/A |
| File opened for reading | /proc/self/stat | /bin/systemctl | N/A |
| File opened for reading | /proc/filesystems | /bin/systemctl | N/A |
| File opened for reading | /proc/cmdline | /bin/systemctl | N/A |
| File opened for reading | /proc/sys/kernel/osrelease | /tmp/linux_386.elf | N/A |
| File opened for reading | /proc/24/stat | /tmp/linux_386.elf | N/A |
| File opened for reading | /proc/self/stat | /bin/systemctl | N/A |
| File opened for reading | /proc/filesystems | /bin/systemctl | N/A |
| File opened for reading | /proc/cmdline | /bin/systemctl | N/A |
| File opened for reading | /proc/sys/kernel/osrelease | /bin/systemctl | N/A |
| File opened for reading | /proc/sys/kernel/osrelease | /bin/systemctl | N/A |
| File opened for reading | /proc/1/sched | /bin/systemctl | N/A |
| File opened for reading | /proc/sys/kernel/osrelease | /bin/systemctl | N/A |
| File opened for reading | /proc/1/environ | /bin/systemctl | N/A |
Processes
/tmp/linux_386.elf
[/tmp/linux_386.elf ]
/etc/32676
[/etc/32676]
/usr/bin/basename
[basename /usr/sbin/service]
/bin/sleep
[sleep 60]
/usr/bin/basename
[basename /usr/sbin/service]
/bin/systemctl
[systemctl --quiet is-active multi-user.target]
/bin/sed
[sed -ne s/\.socket\s*[a-z]*\s*$/.socket/p]
/bin/systemctl
[systemctl list-unit-files --full --type=socket]
/bin/systemctl
[systemctl -p Triggers show acpid.socket]
/bin/systemctl
[systemctl -p Triggers show apport-forward.socket]
/bin/systemctl
[systemctl -p Triggers show avahi-daemon.socket]
/bin/systemctl
[systemctl -p Triggers show cups.socket]
/bin/systemctl
[systemctl -p Triggers show dbus.socket]
/bin/systemctl
[systemctl -p Triggers show saned.socket]
/bin/systemctl
[systemctl -p Triggers show snapd.socket]
/bin/systemctl
[systemctl -p Triggers show ssh.socket]
/bin/systemctl
[systemctl -p Triggers show syslog.socket]
/bin/systemctl
[systemctl -p Triggers show systemd-fsckd.socket]
/bin/systemctl
[systemctl -p Triggers show systemd-initctl.socket]
/bin/systemctl
[systemctl -p Triggers show systemd-journald-audit.socket]
/bin/systemctl
[systemctl -p Triggers show systemd-journald-dev-log.socket]
/bin/systemctl
[systemctl -p Triggers show systemd-journald.socket]
/bin/systemctl
[systemctl -p Triggers show systemd-networkd.socket]
/bin/systemctl
[systemctl -p Triggers show systemd-rfkill.socket]
/bin/systemctl
[systemctl -p Triggers show systemd-udevd-control.socket]
/bin/systemctl
[systemctl -p Triggers show systemd-udevd-kernel.socket]
/bin/systemctl
[systemctl -p Triggers show uuidd.socket]
/usr/local/sbin/systemctl
[systemctl start crond.service]
/usr/local/bin/systemctl
[systemctl start crond.service]
/usr/sbin/systemctl
[systemctl start crond.service]
/usr/bin/systemctl
[systemctl start crond.service]
/sbin/systemctl
[systemctl start crond.service]
/bin/systemctl
[systemctl start crond.service]
/usr/bin/basename
[basename /usr/sbin/service]
/usr/bin/basename
[basename /usr/sbin/service]
/bin/systemctl
[systemctl --quiet is-active multi-user.target]
/bin/sed
[sed -ne s/\.socket\s*[a-z]*\s*$/.socket/p]
/bin/systemctl
[systemctl list-unit-files --full --type=socket]
/bin/systemctl
[systemctl -p Triggers show acpid.socket]
/bin/systemctl
[systemctl -p Triggers show apport-forward.socket]
/bin/systemctl
[systemctl -p Triggers show avahi-daemon.socket]
/bin/systemctl
[systemctl -p Triggers show cups.socket]
/bin/systemctl
[systemctl -p Triggers show dbus.socket]
/bin/systemctl
[systemctl -p Triggers show saned.socket]
/bin/systemctl
[systemctl -p Triggers show snapd.socket]
/bin/systemctl
[systemctl -p Triggers show ssh.socket]
/bin/systemctl
[systemctl -p Triggers show syslog.socket]
/bin/systemctl
[systemctl -p Triggers show systemd-fsckd.socket]
/bin/systemctl
[systemctl -p Triggers show systemd-initctl.socket]
/bin/systemctl
[systemctl -p Triggers show systemd-journald-audit.socket]
/bin/systemctl
[systemctl -p Triggers show systemd-journald-dev-log.socket]
/bin/systemctl
[systemctl -p Triggers show systemd-journald.socket]
/bin/systemctl
[systemctl -p Triggers show systemd-networkd.socket]
/bin/systemctl
[systemctl -p Triggers show systemd-rfkill.socket]
/bin/systemctl
[systemctl -p Triggers show systemd-udevd-control.socket]
/bin/systemctl
[systemctl -p Triggers show systemd-udevd-kernel.socket]
/bin/systemctl
[systemctl -p Triggers show uuidd.socket]
/usr/local/sbin/systemctl
[systemctl start cron.service]
/usr/local/bin/systemctl
[systemctl start cron.service]
/usr/sbin/systemctl
[systemctl start cron.service]
/usr/bin/systemctl
[systemctl start cron.service]
/sbin/systemctl
[systemctl start cron.service]
/bin/systemctl
[systemctl start cron.service]
/etc/opt.services.cfg
[/etc/opt.services.cfg ]
/bin/sleep
[sleep 60]
/etc/opt.services.cfg
[/etc/opt.services.cfg ]
/bin/sleep
[sleep 60]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| GB | 185.125.188.61:443 | N/A | tcp |
| GB | 185.125.188.61:443 | N/A | tcp |
| US | 151.101.129.91:443 | N/A | tcp |
| AU | 1.1.1.1:53 | ocp-ingress.fastly.gnome.org | udp |
| GB | 89.187.167.8:443 | N/A | tcp |
| AU | 1.1.1.1:53 | odrs.gnome.org | udp |
| AU | 1.1.1.1:53 | odrs.gnome.org | udp |
| GB | 89.187.167.42:443 | odrs.gnome.org | tcp |
| AU | 1.1.1.1:53 | www.google.com | udp |
| AU | 1.1.1.1:53 | www.google.com | udp |
| HK | 103.45.68.160:888 | N/A | tcp |
Files
/etc/.walk
/etc/.walk
/etc/opt.services.cfg
/etc/32676
/.mod
/usr/bin/include/find
/usr/bin/include/lsof
/etc/profile.d/gateway.sh