Malware Analysis Report

2025-05-05 22:15

Sample ID 250418-bg2hsazlv9
Target 06a141032d508ea7639d82c044851727.bin
SHA256 98a7c776d3e9c5afcbe106e79dfa3da581527a557ced1c6c536f8ed05879d2da
Tags
kaiji discovery execution
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

98a7c776d3e9c5afcbe106e79dfa3da581527a557ced1c6c536f8ed05879d2da

Threat Level: Known bad

The file 06a141032d508ea7639d82c044851727.bin was found to be: Known bad.

Malicious Activity Summary

kaiji discovery execution

Kaiji

Kaiji family

Executes dropped EXE

Command and Scripting Interpreter: Unix Shell

Enumerates kernel/hardware configuration

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-04-18 01:07

Signatures

Kaiji

Description Indicator Process Target
N/A N/A N/A N/A

Kaiji family

kaiji

Analysis: behavioral1

Detonation Overview

Submitted

2025-04-18 01:07

Reported

2025-04-18 01:10

Platform

debian12-mipsel-20250410-en

Max time kernel

4s

Max time network

10s

Command Line

[/tmp/d3030e1575b48293f9364353127bd44892ec65120c11d1710eead510373aab55.elf]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /etc/32676 /bin/sh N/A

Command and Scripting Interpreter: Unix Shell

execution
Description Indicator Process Target
N/A N/A /bin/sh N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /tmp/d3030e1575b48293f9364353127bd44892ec65120c11d1710eead510373aab55.elf N/A
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /tmp/d3030e1575b48293f9364353127bd44892ec65120c11d1710eead510373aab55.elf N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/filesystems /usr/bin/systemctl N/A
File opened for reading /proc/filesystems /usr/bin/sed N/A

Processes

/tmp/d3030e1575b48293f9364353127bd44892ec65120c11d1710eead510373aab55.elf

[/tmp/d3030e1575b48293f9364353127bd44892ec65120c11d1710eead510373aab55.elf]

/tmp/d3030e1575b48293f9364353127bd44892ec65120c11d1710eead510373aab55.elf

[/tmp/d3030e1575b48293f9364353127bd44892ec65120c11d1710eead510373aab55.elf ]

/bin/sh

[/bin/sh -c /etc/32676&]

/etc/32676

[/etc/32676]

/usr/sbin/service

[service crond start]

/usr/bin/sleep

[sleep 60]

/usr/bin/basename

[basename /usr/sbin/service]

/usr/bin/basename

[basename /usr/sbin/service]

/usr/bin/sed

[sed -ne s/\.socket\s*[a-z]*\s*$/.socket/p]

/usr/bin/systemctl

[systemctl list-unit-files --full --type=socket]

Network

Country Destination Domain Proto
AU 1.1.1.1:53 debian12-mipsel-20250410-en-13 udp

Files

/etc/.walk

MD5 89c996eff0267172b93ad1683573f8ea
SHA1 5adf85060b666e654db55684b0ecdaff74d527da
SHA256 f21ee0198323e1e99bb4e302f400a26d92a1a91102f2205b80b208422881d2aa
SHA512 1a3db17810cc6e508f868a3d4c00162049f22c7e2546b0db9d0efe239821944ea1d62568171441df564f97604caf5092d5797b3910315a3f1c9ca00e0b8c48ed

/etc/.walk

MD5 39f840fade1762fdaa85ae0bc76ee446
SHA1 b292f241d76a753759e25c8a295c3bd13b050232
SHA256 5bb6d419837871dcd40bee9a0d1e52f1a2b0a0167e70b29168182b608374d0f7
SHA512 1f8a00a35d9ca49d49e4b7cd49e555789dca8a890bf27cb75459cfb050e5b273984cd9ffa15810442d2f303a384b4a50f4c0e600644468c62239ba4c54582cc8

/etc/32676

MD5 585f408444cbca746945f0cb63f2c3f0
SHA1 0e44bae17174f04514e770ca7fc4bec1007e39cd
SHA256 ebb961c647363dfa90f302de378e0e61807b9b792fc86616635a713cca8f4299
SHA512 022241dbafad55164701f67ef5b84154e3af97c5dfe77dee7bf8406f2befbd2962bbf4f243432b2f41d6c2376b87fcf551fd6945e03ddb02a5619c2f0f69c596