Analysis

  • max time kernel
    148s
  • max time network
    143s
  • platform
    ubuntu-22.04_amd64
  • resource
    ubuntu2204-amd64-20250307-en
  • resource tags

    arch:amd64arch:i386image:ubuntu2204-amd64-20250307-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
  • submitted
    18/04/2025, 01:06

General

  • Target

    5aa6cc2b09d7fa0d3c5b6826f872826f5d3afb9af18c001ea3f4f1a1ccb188f7.elf

  • Size

    1.8MB

  • MD5

    259800bf6d1eb21a74ff1737f9826a0a

  • SHA1

    1a13ffb1f327ae411689568840b0e812b7d40a59

  • SHA256

    5aa6cc2b09d7fa0d3c5b6826f872826f5d3afb9af18c001ea3f4f1a1ccb188f7

  • SHA512

    d3b013396695920dde44c4bc8af2b91e9e4142592151056e27946af54096056f2a70d528c4fd9abb27042d6a5ed2839648fbe3054b3e8a218bf29586237c1beb

  • SSDEEP

    24576:Inoxw1zy7RvFMNRlnmxlJgAaI0ODBBri8wnJPVwchQItBPUgpxv2SzVVOMaWz1v:s/MBFBuEItpRpsSIWz1

Malware Config

Extracted

Family

kaiji

C2

154.40.47.248:809

Signatures

  • Kaiji 1 IoCs

    Kaiji payload

  • Kaiji family
  • Executes dropped EXE 1 IoCs
  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Creates/modifies environment variables 1 TTPs 3 IoCs

    Creating/modifying environment variables is a common persistence mechanism.

  • Modifies init.d 2 TTPs 33 IoCs

    Adds/modifies system service, likely for persistence.

  • Modifies systemd 2 TTPs 1 IoCs

    Adds/ modifies systemd service files. Likely to achieve persistence.

  • Write file to user bin folder 12 IoCs
  • Modifies Bash startup script 2 TTPs 3 IoCs
  • Changes its process name 1 IoCs
  • Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 11 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/5aa6cc2b09d7fa0d3c5b6826f872826f5d3afb9af18c001ea3f4f1a1ccb188f7.elf
    /tmp/5aa6cc2b09d7fa0d3c5b6826f872826f5d3afb9af18c001ea3f4f1a1ccb188f7.elf " "
    1⤵
    • Executes dropped EXE
    • Modifies Watchdog functionality
    • Creates/modifies Cron job
    • Creates/modifies environment variables
    • Modifies init.d
    • Modifies systemd
    • Write file to user bin folder
    • Modifies Bash startup script
    • Changes its process name
    • Enumerates kernel/hardware configuration
    • Reads runtime system information
    PID:1571
    • /usr/bin/basename
      basename /usr/sbin/service
      2⤵
        PID:1579
      • /usr/bin/basename
        basename /usr/sbin/service
        2⤵
          PID:1580
        • /usr/bin/sed
          sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
          2⤵
          • Reads runtime system information
          PID:1583
        • /usr/bin/systemctl
          systemctl list-unit-files --full "--type=socket"
          2⤵
          • Reads runtime system information
          PID:1582
        • /usr/local/sbin/systemctl
          systemctl start crond.service
          2⤵
            PID:1577
          • /usr/local/bin/systemctl
            systemctl start crond.service
            2⤵
              PID:1577
            • /usr/sbin/systemctl
              systemctl start crond.service
              2⤵
                PID:1577
              • /usr/bin/systemctl
                systemctl start crond.service
                2⤵
                • Reads runtime system information
                PID:1577
              • /usr/bin/systemctl
                systemctl daemon-reload
                2⤵
                • Reads runtime system information
                PID:1589
              • /usr/bin/systemctl
                systemctl enable quotaoff.service
                2⤵
                • Reads runtime system information
                PID:1623
              • /usr/bin/systemctl
                systemctl start quotaoff.service
                2⤵
                • Reads runtime system information
                PID:1657
              • /usr/bin/journalctl
                journalctl -xe --no-pager
                2⤵
                • Reads runtime system information
                PID:1665
              • /usr/bin/basename
                basename /usr/sbin/service
                2⤵
                  PID:1680
                • /usr/bin/basename
                  basename /usr/sbin/service
                  2⤵
                    PID:1681
                  • /usr/bin/sed
                    sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
                    2⤵
                    • Reads runtime system information
                    PID:1684
                  • /usr/bin/systemctl
                    systemctl list-unit-files --full "--type=socket"
                    2⤵
                    • Reads runtime system information
                    PID:1683
                  • /usr/local/sbin/systemctl
                    systemctl start cron.service
                    2⤵
                      PID:1679
                    • /usr/local/bin/systemctl
                      systemctl start cron.service
                      2⤵
                        PID:1679
                      • /usr/sbin/systemctl
                        systemctl start cron.service
                        2⤵
                          PID:1679
                        • /usr/bin/systemctl
                          systemctl start cron.service
                          2⤵
                          • Reads runtime system information
                          PID:1679
                      • /etc/32676
                        /etc/32676
                        1⤵
                          PID:1576
                          • /usr/bin/sleep
                            sleep 60
                            2⤵
                              PID:1578
                            • /usr/bin/sleep
                              sleep 60
                              2⤵
                                PID:1719
                              • /usr/bin/sleep
                                sleep 60
                                2⤵
                                  PID:1734

                              Network

                              MITRE ATT&CK Enterprise v16

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • /.mod

                                Filesize

                                34B

                                MD5

                                f5a3713282e43c200f30342f5ff5e2ea

                                SHA1

                                2b2ce1a207e2b691a074c6f78f71c4785aae426a

                                SHA256

                                6ab64e727571458d4884fb2fe82c27c467db0699cb8f648b3f0217c35d2b7511

                                SHA512

                                5bcb8cd360409147a486755f90e0cdd97183af02ce8de5135b7c6a8a010deb9ef12dcd5ee9a2a8fd2e159347f68e72d6b7fd75e943b4fcd928d7a74b97476013

                              • /boot/System.mod

                                Filesize

                                1.8MB

                                MD5

                                259800bf6d1eb21a74ff1737f9826a0a

                                SHA1

                                1a13ffb1f327ae411689568840b0e812b7d40a59

                                SHA256

                                5aa6cc2b09d7fa0d3c5b6826f872826f5d3afb9af18c001ea3f4f1a1ccb188f7

                                SHA512

                                d3b013396695920dde44c4bc8af2b91e9e4142592151056e27946af54096056f2a70d528c4fd9abb27042d6a5ed2839648fbe3054b3e8a218bf29586237c1beb

                              • /etc/.walk

                                Filesize

                                49B

                                MD5

                                c43ed4fb3194f22b1bedfd47f952652f

                                SHA1

                                1c7ed537a42b5f25959c26d0fc0e1d34261fd3db

                                SHA256

                                66a5dbc04023a9236feb76957789d294222f876de8063ad97d32121a6c478d81

                                SHA512

                                0bee3e17dbb627c541247e9add297d9f51c87691c10e93d6fe369951c8034b4eee2adbb874977357951982f8d979e21d4d354403403d3ee335cd06e7a5b47e51

                              • /etc/.walk

                                Filesize

                                98B

                                MD5

                                98ffb0516b1ce1d4e0620c46e66f28ed

                                SHA1

                                a8b7bc7822c3ee17868353624f8331bd52cb70db

                                SHA256

                                d5c21c9b54d54f17c1c2f079d55dc0c3f54b37dd86c0970827c334e891648b6d

                                SHA512

                                3f87d95063eaf4d3dd6842b4955527f2b36efba36995df6f2aadb7cb319741561945311ea8117e34e1141b3ae7d4d4d55c48cca6f513445fb42d8be6a995e763

                              • /etc/32676

                                Filesize

                                56B

                                MD5

                                585f408444cbca746945f0cb63f2c3f0

                                SHA1

                                0e44bae17174f04514e770ca7fc4bec1007e39cd

                                SHA256

                                ebb961c647363dfa90f302de378e0e61807b9b792fc86616635a713cca8f4299

                                SHA512

                                022241dbafad55164701f67ef5b84154e3af97c5dfe77dee7bf8406f2befbd2962bbf4f243432b2f41d6c2376b87fcf551fd6945e03ddb02a5619c2f0f69c596

                              • /etc/profile.d/gateway.sh

                                Filesize

                                5KB

                                MD5

                                2e31921004103525b2942afb1f95c164

                                SHA1

                                45ea67941d55c8db425324f097f0741147777a60

                                SHA256

                                ec9711c9e48409b0379845127f729e07b6dafd31a060069c9c91547d8b77621f

                                SHA512

                                b814d4259c559423137c32c6ea09ef2cac8b7d67654011b54c096cff726c2286719d7ac340085c169c92b84b993a09c76cbf6b54aae12bc038e20e15826b24df

                              • /usr/lib/systemd/system/quotaoff.service

                                Filesize

                                186B

                                MD5

                                b02de6cd28cd922b18d9d93375a70d8b

                                SHA1

                                021426a5a2ff9edc80ba5936c94b37525538885e

                                SHA256

                                d8d8e5cd33aa3450cd74c63716a02f3dff39efef2836559f110bc93663b1380a

                                SHA512

                                db3fe03ad5e599e6c03aaec7bf1242f5509fbb624adb9afb7499e25487daef3f3f1c6babf51570b527a5ac5c9f4b079ae4cc53baa9497c0a121328bef8d04422