Analysis
max time kernel: 148s
max time network: 143s
platform: ubuntu-22.04_amd64
resource: ubuntu2204-amd64-20250307-en
resource tags: arch:amd64, arch:i386, image:ubuntu2204-amd64-20250307-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
submitted: 18/04/2025, 01:06

Behavioral task: behavioral1
Sample: 5aa6cc2b09d7fa0d3c5b6826f872826f5d3afb9af18c001ea3f4f1a1ccb188f7.elf
Resource: ubuntu2204-amd64-20250307-en
General
Target: 5aa6cc2b09d7fa0d3c5b6826f872826f5d3afb9af18c001ea3f4f1a1ccb188f7.elf
Size: 1.8MB
MD5: 259800bf6d1eb21a74ff1737f9826a0a
SHA1: 1a13ffb1f327ae411689568840b0e812b7d40a59
SHA256: 5aa6cc2b09d7fa0d3c5b6826f872826f5d3afb9af18c001ea3f4f1a1ccb188f7
SHA512: d3b013396695920dde44c4bc8af2b91e9e4142592151056e27946af54096056f2a70d528c4fd9abb27042d6a5ed2839648fbe3054b3e8a218bf29586237c1beb
SSDEEP: 24576:Inoxw1zy7RvFMNRlnmxlJgAaI0ODBBri8wnJPVwchQItBPUgpxv2SzVVOMaWz1v:s/MBFBuEItpRpsSIWz1

Malware Config
Extracted
Family: kaiji
C2: 154.40.47.248:809
Signatures
In the entries below, "sample" stands for 5aa6cc2b09d7fa0d3c5b6826f872826f5d3afb9af18c001ea3f4f1a1ccb188f7.elf.

Kaiji 1 IoCs
Kaiji payload
  resource: behavioral1/files/fstream-5.dat   yara_rule: Kaiji

Kaiji family

Executes dropped EXE 1 IoCs
  ioc: /etc/32676   pid: 1576   Process: sample

Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware such as Mirai opens the hardware watchdog device and disables it so that the watchdog cannot reboot an infected system.
  File opened for modification: /dev/misc/watchdog   Process: sample
  File opened for modification: /dev/watchdog   Process: sample

Creates/modifies Cron job 1 TTPs 1 IoCs
Cron runs tasks on a schedule and is commonly abused for malware persistence.
  File opened for modification: /etc/crontab   Process: sample

Creates/modifies environment variables 1 TTPs 3 IoCs
Scripts under /etc/profile.d are sourced by every login shell, so writing them both persists the malware and lets it set environment variables (such as PATH) for every user.
  File opened for modification: /etc/profile.d/bash_cfg   Process: sample
  File opened for modification: /etc/profile.d/bash_cfg.sh   Process: sample
  File opened for modification: /etc/profile.d/gateway.sh   Process: sample

Modifies init.d 33 IoCs
All files opened for modification by the sample. The list covers essentially every init script present on the image, which suggests the sample appends its launcher to whatever it finds under /etc/init.d rather than targeting particular services.
  /etc/init.d/rsync, /etc/init.d/ssh, /etc/init.d/apparmor, /etc/init.d/cryptdisks-early, /etc/init.d/keyboard-setup.sh, /etc/init.d/open-iscsi, /etc/init.d/x11-common, /etc/init.d/cron, /etc/init.d/cups-browsed,
  /etc/init.d/procps, /etc/init.d/spice-vdagent, /etc/init.d/acpid, /etc/init.d/alsa-utils, /etc/init.d/lvm2-lvmpolld, /etc/init.d/dbus, /etc/init.d/apport, /etc/init.d/bluetooth, /etc/init.d/cryptdisks,
  /etc/init.d/openvpn, /etc/init.d/sssd, /etc/init.d/unattended-upgrades, /etc/init.d/hwclock.sh, /etc/init.d/kmod, /etc/init.d/udev, /etc/init.d/anacron, /etc/init.d/avahi-daemon, /etc/init.d/iscsid,
  /etc/init.d/plymouth, /etc/init.d/console-setup.sh, /etc/init.d/gdm3, /etc/init.d/saned, /etc/init.d/cups, /etc/init.d/plymouth-log

Modifies systemd 2 TTPs 1 IoCs
Adds or modifies systemd service files, most likely for persistence.
  File opened for modification: /usr/lib/systemd/system/quotaoff.service   Process: sample

Write file to user bin folder 12 IoCs
The six tools an investigator would use to list processes, sockets and files (ps, ss, lsof, ls, dir, find) are written in /usr/bin and again in a new /usr/bin/include directory.
  File opened for modification: /usr/bin/include/dir   Process: sample
  File opened for modification: /usr/bin/include/lsof   Process: sample
  File opened for modification: /usr/bin/ps   Process: sample
  File opened for modification: /usr/bin/ss   Process: sample
  File opened for modification: /usr/bin/lsof   Process: sample
  File opened for modification: /usr/bin/include/ps   Process: sample
  File opened for modification: /usr/bin/include/ss   Process: sample
  File opened for modification: /usr/bin/include/ls   Process: sample
  File opened for modification: /usr/bin/include/find   Process: sample
  File opened for modification: /usr/bin/ls   Process: sample
  File opened for modification: /usr/bin/dir   Process: sample
  File opened for modification: /usr/bin/find   Process: sample

Modifies Bash startup script 2 TTPs 3 IoCs
  File opened for modification: /etc/profile.d/bash_cfg   Process: sample
  File opened for modification: /etc/profile.d/bash_cfg.sh   Process: sample
  File opened for modification: /etc/profile.d/gateway.sh   Process: sample

Changes its process name 1 IoCs
Changes the process name, possibly in an attempt to hide itself.
  ioc: ksoftirqd/0   pid: 1571   Process: sample

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs
Reads contents of /sys virtual filesystem to enumerate system information. Kaiji is written in Go, and the Go runtime reads this particular file at startup to learn the huge-page size, so on its own this read is runtime behaviour rather than reconnaissance.
  File opened for reading: /sys/kernel/mm/transparent_hugepage/hpage_pmd_size   Process: Process not Found
  File opened for reading: /sys/kernel/mm/transparent_hugepage/hpage_pmd_size   Process: sample

Reads runtime system information 11 IoCs
  File opened for reading: /proc/filesystems   Process: systemctl (7 times), sed (2 times), journalctl (1 time), sample (1 time)
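A host sweep for the artefacts in the signatures above, added here as an example; it is not sandbox output and not Kaiji's own code. It takes the IoC paths from the report as given. Two generalisations are assumptions: that a purely numeric file name directly under /etc (the pattern of the dropped /etc/32676) marks a dropper reference, and that the allowlist of standard PATH directories is complete for Ubuntu, so any other directory inserted from /etc/profile.d is treated as PATH interception. The `root` argument lets the same sweep run on a live host ("/") or on a mounted disk image.

```python
"""Sweep a host (or a mounted image root) for the Kaiji persistence artefacts
listed in the signatures above. Added example for this report, not sandbox
output and not Kaiji's own code."""
import json
import re
import sys
from pathlib import Path

# Paths the sandbox saw the sample create or write (relative to the root).
IOC_PATHS = [
    "etc/32676",
    "etc/profile.d/bash_cfg",
    "etc/profile.d/bash_cfg.sh",
    "etc/profile.d/gateway.sh",
    "usr/lib/systemd/system/quotaoff.service",
    "usr/bin/include",
] + [f"usr/bin/include/{tool}" for tool in ("ps", "ss", "lsof", "ls", "dir", "find")]

# Assumption: directories that legitimately appear in PATH on Ubuntu. A
# profile.d script that inserts anything else is treated as PATH interception.
STANDARD_PATH_DIRS = {
    "/usr/local/sbin", "/usr/local/bin", "/usr/sbin", "/usr/bin",
    "/sbin", "/bin", "/usr/games", "/usr/local/games", "/snap/bin",
}
PATH_ASSIGN = re.compile(r'\bPATH=["\']?([^"\'\s;]+)')
# Assumption: a purely numeric file name directly under /etc (as in the
# dropped /etc/32676) is treated as a dropper reference.
NUMERIC_ETC = re.compile(r"/etc/\d+\b")


def present_iocs(root="/"):
    """IoC paths from the report that exist under root, in report order."""
    return [p for p in IOC_PATHS if (Path(root) / p).exists()]


def path_interception(root="/"):
    """(file, line) pairs for /etc/profile.d scripts that put a non-standard
    directory into PATH; $PATH / ${PATH} re-insertions are ignored."""
    hits = []
    for script in sorted(Path(root, "etc/profile.d").glob("*")):
        if not script.is_file():
            continue
        for line in script.read_text(errors="replace").splitlines():
            m = PATH_ASSIGN.search(line)
            if not m:
                continue
            dirs = [d for d in m.group(1).split(":") if d and not d.startswith("$")]
            if any(d not in STANDARD_PATH_DIRS for d in dirs):
                hits.append((str(script.relative_to(root)), line.strip()))
    return hits


def launch_hooks(root="/"):
    """(file, line) pairs in /etc/crontab and /etc/init.d/* that reference a
    numeric /etc/<n> file or any IoC path: the launcher lines the sample adds."""
    files = [Path(root, "etc/crontab")] + sorted(Path(root, "etc/init.d").glob("*"))
    needles = ["/" + p for p in IOC_PATHS]
    hits = []
    for f in files:
        if not f.is_file():
            continue
        for line in f.read_text(errors="replace").splitlines():
            if NUMERIC_ETC.search(line) or any(n in line for n in needles):
                hits.append((str(f.relative_to(root)), line.strip()))
    return hits


def sweep(root="/"):
    return {
        "present": present_iocs(root),
        "path_interception": path_interception(root),
        "launch_hooks": launch_hooks(root),
    }


if __name__ == "__main__":
    print(json.dumps(sweep(sys.argv[1] if len(sys.argv) > 1 else "/"), indent=2))
```

Because the sample overwrites the listing tools themselves, run the sweep from a known-good toolset (a rescue image or statically linked binaries) and confirm hits against package metadata rather than the on-host binaries: `dpkg -V coreutils procps iproute2 lsof findutils` reports modified /usr/bin/ps, ss, lsof, ls, dir and find, and `dpkg -S /usr/lib/systemd/system/quotaoff.service` tells you whether any package owns that unit. To catch the writes as they happen, auditd watches on the touched locations (`auditctl -w /dev/watchdog -p w -k watchdog`, `-w /etc/profile.d -p wa -k profiled`, `-w /usr/lib/systemd/system -p wa -k units`, `-w /etc/crontab -p wa -k cron`) fire on exactly the events the sandbox recorded.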
Processes

/tmp/5aa6cc2b09d7fa0d3c5b6826f872826f5d3afb9af18c001ea3f4f1a1ccb188f7.elf   PID 1571
  command line: /tmp/5aa6cc2b09d7fa0d3c5b6826f872826f5d3afb9af18c001ea3f4f1a1ccb188f7.elf " "
  signatures: Executes dropped EXE; Modifies Watchdog functionality; Creates/modifies Cron job; Creates/modifies environment variables; Modifies init.d; Modifies systemd; Write file to user bin folder; Modifies Bash startup script; Changes its process name; Enumerates kernel/hardware configuration; Reads runtime system information
  children (path, command line, PID, signatures):
    /usr/bin/basename   basename /usr/sbin/service   PID 1579
    /usr/bin/basename   basename /usr/sbin/service   PID 1580
    /usr/bin/sed   sed -ne "s/\.socket\s*[a-z]*\s*$/.socket/p"   PID 1583   Reads runtime system information
    /usr/bin/systemctl   systemctl list-unit-files --full "--type=socket"   PID 1582   Reads runtime system information
    /usr/local/sbin/systemctl, /usr/local/bin/systemctl, /usr/sbin/systemctl, /usr/bin/systemctl   systemctl start crond.service   PID 1577   Reads runtime system information (under /usr/bin/systemctl)
    /usr/bin/systemctl   systemctl daemon-reload   PID 1589   Reads runtime system information
    /usr/bin/systemctl   systemctl enable quotaoff.service   PID 1623   Reads runtime system information
    /usr/bin/systemctl   systemctl start quotaoff.service   PID 1657   Reads runtime system information
    /usr/bin/journalctl   journalctl -xe --no-pager   PID 1665   Reads runtime system information
    /usr/bin/basename   basename /usr/sbin/service   PID 1680
    /usr/bin/basename   basename /usr/sbin/service   PID 1681
    /usr/bin/sed   sed -ne "s/\.socket\s*[a-z]*\s*$/.socket/p"   PID 1684   Reads runtime system information
    /usr/bin/systemctl   systemctl list-unit-files --full "--type=socket"   PID 1683   Reads runtime system information
    /usr/local/sbin/systemctl, /usr/local/bin/systemctl, /usr/sbin/systemctl, /usr/bin/systemctl   systemctl start cron.service   PID 1679   Reads runtime system information (under /usr/bin/systemctl)

  Reading the tree: the basename /usr/sbin/service calls, the list-unit-files --type=socket | sed pipeline and the systemctl start calls are the internals of Ubuntu's /usr/sbin/service wrapper, consistent with the sample running "service crond start" and then "service cron start" (crond.service is the Red Hat unit name and does not exist on Ubuntu, where the cron unit is cron.service). One PID logged under four systemctl paths records the caller's PATH search: execve is attempted in /usr/local/sbin, /usr/local/bin and /usr/sbin before it succeeds at /usr/bin/systemctl. The daemon-reload, enable and start calls for quotaoff.service activate the unit file the sample wrote under /usr/lib/systemd/system.

/etc/32676   PID 1576
  command line: /etc/32676
  children:
    /usr/bin/sleep   sleep 60   PID 1578
    /usr/bin/sleep   sleep 60   PID 1719
    /usr/bin/sleep   sleep 60   PID 1734
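Runtime checks for two behaviours recorded above: the sample renaming itself to ksoftirqd/0 (PID 1571 in the tree, the "Changes its process name" signature) and connections to the extracted C2 154.40.47.248:809. This is an added example for this report, not sandbox output and not Kaiji code. It reads a /proc tree through a `proc` argument so it works on a live host or on a copied or constructed tree. Assumptions, also marked in the code: the list of kernel-thread name prefixes is a hand-picked set rather than an exhaustive one, and the /proc/net/tcp address decoding assumes a little-endian host (true of the amd64 image this run used).

```python
"""Find user processes masquerading as kernel threads (ksoftirqd/0 in this
report) and TCP connections to the extracted Kaiji C2 154.40.47.248:809.
Added example; reads a proc root so it can run on a real or constructed /proc."""
import os
import socket
import struct
from pathlib import Path

# Assumption: name prefixes the kernel uses for its own threads (not exhaustive).
# A genuine kernel thread has an empty cmdline, no readable exe link and
# kthreadd (PID 2) as parent; kthreadd itself has PPid 0.
KTHREAD_PREFIXES = ("ksoftirqd/", "kworker/", "migration/", "rcu_", "kswapd",
                    "watchdog/", "cpuhp/", "kthreadd")
C2 = ("154.40.47.248", 809)  # from the extracted config in this report
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT", "0A": "LISTEN"}


def read_ppid(status_text):
    for line in status_text.splitlines():
        if line.startswith("PPid:"):
            return int(line.split()[1])
    return None


def kthread_impostors(proc="/proc"):
    """[(pid, comm, reason)] for processes that carry a kernel-thread name but
    show user-space evidence: a command line, an exe link, or a non-kthreadd parent."""
    hits = []
    for entry in sorted(Path(proc).iterdir(), key=lambda p: p.name):
        if not entry.name.isdigit():
            continue
        try:
            comm = (entry / "comm").read_text().strip()
            cmdline = (entry / "cmdline").read_bytes()
            ppid = read_ppid((entry / "status").read_text())
        except OSError:
            continue  # process exited while we were reading it
        if not comm.startswith(KTHREAD_PREFIXES):
            continue
        reasons = []
        if cmdline.strip(b"\0"):
            reasons.append("cmdline " + cmdline.replace(b"\0", b" ").decode(errors="replace").strip())
        try:
            reasons.append("exe -> " + os.readlink(entry / "exe"))
        except OSError:
            pass  # expected for a real kernel thread
        if ppid not in (0, 2):
            reasons.append(f"ppid {ppid} is not kthreadd")
        if reasons:
            hits.append((int(entry.name), comm, "; ".join(reasons)))
    return hits


def decode_addr(addr):
    """'F82F289A:0329' -> ('154.40.47.248', 809). /proc/net/tcp prints the IPv4
    address as a host-order hex word; assumption: little-endian host (amd64)."""
    ip_hex, port_hex = addr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def tcp_connections(proc="/proc"):
    """Parse /proc/net/tcp into (local_ip, local_port, remote_ip, remote_port, state, inode)."""
    rows = []
    for line in Path(proc, "net/tcp").read_text().splitlines()[1:]:  # skip header
        f = line.split()
        if len(f) < 10:
            continue
        lip, lport = decode_addr(f[1])
        rip, rport = decode_addr(f[2])
        rows.append((lip, lport, rip, rport, TCP_STATES.get(f[3], f[3]), int(f[9])))
    return rows


def c2_connections(proc="/proc", c2=C2):
    return [r for r in tcp_connections(proc) if (r[2], r[3]) == c2]


def socket_owners(proc, inode):
    """PIDs holding a socket inode open, found via /proc/<pid>/fd -> 'socket:[inode]'."""
    target = f"socket:[{inode}]"
    owners = set()
    for entry in Path(proc).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            for fd in (entry / "fd").iterdir():
                if os.readlink(fd) == target:
                    owners.add(int(entry.name))
        except OSError:
            continue  # no permission, or the process is gone
    return sorted(owners)


if __name__ == "__main__":
    for pid, comm, why in kthread_impostors():
        print(f"impostor pid={pid} comm={comm}: {why}")
    for row in c2_connections():
        print(f"C2 {row[0]}:{row[1]} -> {row[2]}:{row[3]} {row[4]} held by {socket_owners('/proc', row[5])}")
```

Run it as root so every process's fd directory is readable. Reading /proc directly sidesteps the trojanised ps, ss and lsof the sample installs, but a kernel-level or LD_PRELOAD rootkit can still hide entries from /proc, so confirm against a network-side view (flow logs or a firewall hit on 154.40.47.248:809) as well.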
Network
MITRE ATT&CK Enterprise v16

Persistence
  Boot or Logon Autostart Execution (T1547): 3
    XDG Autostart Entries (T1547.013): 1
  Boot or Logon Initialization Scripts (T1037): 1
    RC Scripts (T1037.004): 1
  Create or Modify System Process (T1543): 1
    Systemd Service (T1543.002): 1
  Event Triggered Execution (T1546): 1
    Unix Shell Configuration Modification (T1546.004): 1
  Hijack Execution Flow (T1574): 1
    Path Interception by PATH Environment Variable (T1574.007): 1
  Scheduled Task/Job (T1053): 1
    Cron (T1053.003): 1

Privilege Escalation
  The same techniques and counts as under Persistence; ATT&CK lists each of these six techniques under both tactics.
Downloads

Filesize: 34B
MD5: f5a3713282e43c200f30342f5ff5e2ea
SHA1: 2b2ce1a207e2b691a074c6f78f71c4785aae426a
SHA256: 6ab64e727571458d4884fb2fe82c27c467db0699cb8f648b3f0217c35d2b7511
SHA512: 5bcb8cd360409147a486755f90e0cdd97183af02ce8de5135b7c6a8a010deb9ef12dcd5ee9a2a8fd2e159347f68e72d6b7fd75e943b4fcd928d7a74b97476013

Filesize: 1.8MB (the submitted sample itself; hashes match the General section)
MD5: 259800bf6d1eb21a74ff1737f9826a0a
SHA1: 1a13ffb1f327ae411689568840b0e812b7d40a59
SHA256: 5aa6cc2b09d7fa0d3c5b6826f872826f5d3afb9af18c001ea3f4f1a1ccb188f7
SHA512: d3b013396695920dde44c4bc8af2b91e9e4142592151056e27946af54096056f2a70d528c4fd9abb27042d6a5ed2839648fbe3054b3e8a218bf29586237c1beb

Filesize: 49B
MD5: c43ed4fb3194f22b1bedfd47f952652f
SHA1: 1c7ed537a42b5f25959c26d0fc0e1d34261fd3db
SHA256: 66a5dbc04023a9236feb76957789d294222f876de8063ad97d32121a6c478d81
SHA512: 0bee3e17dbb627c541247e9add297d9f51c87691c10e93d6fe369951c8034b4eee2adbb874977357951982f8d979e21d4d354403403d3ee335cd06e7a5b47e51

Filesize: 98B
MD5: 98ffb0516b1ce1d4e0620c46e66f28ed
SHA1: a8b7bc7822c3ee17868353624f8331bd52cb70db
SHA256: d5c21c9b54d54f17c1c2f079d55dc0c3f54b37dd86c0970827c334e891648b6d
SHA512: 3f87d95063eaf4d3dd6842b4955527f2b36efba36995df6f2aadb7cb319741561945311ea8117e34e1141b3ae7d4d4d55c48cca6f513445fb42d8be6a995e763

Filesize: 56B
MD5: 585f408444cbca746945f0cb63f2c3f0
SHA1: 0e44bae17174f04514e770ca7fc4bec1007e39cd
SHA256: ebb961c647363dfa90f302de378e0e61807b9b792fc86616635a713cca8f4299
SHA512: 022241dbafad55164701f67ef5b84154e3af97c5dfe77dee7bf8406f2befbd2962bbf4f243432b2f41d6c2376b87fcf551fd6945e03ddb02a5619c2f0f69c596

Filesize: 5KB
MD5: 2e31921004103525b2942afb1f95c164
SHA1: 45ea67941d55c8db425324f097f0741147777a60
SHA256: ec9711c9e48409b0379845127f729e07b6dafd31a060069c9c91547d8b77621f
SHA512: b814d4259c559423137c32c6ea09ef2cac8b7d67654011b54c096cff726c2286719d7ac340085c169c92b84b993a09c76cbf6b54aae12bc038e20e15826b24df

Filesize: 186B
MD5: b02de6cd28cd922b18d9d93375a70d8b
SHA1: 021426a5a2ff9edc80ba5936c94b37525538885e
SHA256: d8d8e5cd33aa3450cd74c63716a02f3dff39efef2836559f110bc93663b1380a
SHA512: db3fe03ad5e599e6c03aaec7bf1242f5509fbb624adb9afb7499e25487daef3f3f1c6babf51570b527a5ac5c9f4b079ae4cc53baa9497c0a121328bef8d04422