Analysis Overview
SHA256
98a7c776d3e9c5afcbe106e79dfa3da581527a557ced1c6c536f8ed05879d2da
Threat Level: Known bad
The file 06a141032d508ea7639d82c044851727.bin was found to be: Known bad.
Malicious Activity Summary
Kaiji
Kaiji family
Executes dropped EXE
Command and Scripting Interpreter: Unix Shell
Enumerates kernel/hardware configuration
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-04-18 01:07
Signatures
Kaiji
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Kaiji family
Analysis: behavioral1
Detonation Overview
Submitted
2025-04-18 01:07
Reported
2025-04-18 01:10
Platform
debian12-mipsel-20250410-en
Max time kernel
4s
Max time network
10s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /etc/32676 | /bin/sh | N/A |
Command and Scripting Interpreter: Unix Shell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /bin/sh | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /tmp/d3030e1575b48293f9364353127bd44892ec65120c11d1710eead510373aab55.elf | N/A |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /tmp/d3030e1575b48293f9364353127bd44892ec65120c11d1710eead510373aab55.elf | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/filesystems | /usr/bin/systemctl | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/sed | N/A |
Processes
| Process | Command line |
|---|---|
| /tmp/d3030e1575b48293f9364353127bd44892ec65120c11d1710eead510373aab55.elf | /tmp/d3030e1575b48293f9364353127bd44892ec65120c11d1710eead510373aab55.elf |
| /tmp/d3030e1575b48293f9364353127bd44892ec65120c11d1710eead510373aab55.elf | /tmp/d3030e1575b48293f9364353127bd44892ec65120c11d1710eead510373aab55.elf |
| /bin/sh | /bin/sh -c /etc/32676& |
| /etc/32676 | /etc/32676 |
| /usr/sbin/service | service crond start |
| /usr/bin/sleep | sleep 60 |
| /usr/bin/basename | basename /usr/sbin/service |
| /usr/bin/basename | basename /usr/sbin/service |
| /usr/bin/sed | sed -ne s/\.socket\s*[a-z]*\s*$/.socket/p |
| /usr/bin/systemctl | systemctl list-unit-files --full --type=socket |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| AU | 1.1.1.1:53 | debian12-mipsel-20250410-en-13 | udp |
Files
/etc/.walk
| Algorithm | Digest |
|---|---|
| MD5 | 89c996eff0267172b93ad1683573f8ea |
| SHA1 | 5adf85060b666e654db55684b0ecdaff74d527da |
| SHA256 | f21ee0198323e1e99bb4e302f400a26d92a1a91102f2205b80b208422881d2aa |
| SHA512 | 1a3db17810cc6e508f868a3d4c00162049f22c7e2546b0db9d0efe239821944ea1d62568171441df564f97604caf5092d5797b3910315a3f1c9ca00e0b8c48ed |
/etc/.walk
| Algorithm | Digest |
|---|---|
| MD5 | 39f840fade1762fdaa85ae0bc76ee446 |
| SHA1 | b292f241d76a753759e25c8a295c3bd13b050232 |
| SHA256 | 5bb6d419837871dcd40bee9a0d1e52f1a2b0a0167e70b29168182b608374d0f7 |
| SHA512 | 1f8a00a35d9ca49d49e4b7cd49e555789dca8a890bf27cb75459cfb050e5b273984cd9ffa15810442d2f303a384b4a50f4c0e600644468c62239ba4c54582cc8 |
/etc/32676
| Algorithm | Digest |
|---|---|
| MD5 | 585f408444cbca746945f0cb63f2c3f0 |
| SHA1 | 0e44bae17174f04514e770ca7fc4bec1007e39cd |
| SHA256 | ebb961c647363dfa90f302de378e0e61807b9b792fc86616635a713cca8f4299 |
| SHA512 | 022241dbafad55164701f67ef5b84154e3af97c5dfe77dee7bf8406f2befbd2962bbf4f243432b2f41d6c2376b87fcf551fd6945e03ddb02a5619c2f0f69c596 |