General

  • Target

    linux_amd64.elf

  • Size

    5.2MB

  • Sample

    250419-xgzvvaszhx

  • MD5

    c4e724e0dc8ffca84df77d1880e3fec2

  • SHA1

    700f978d0bb329991f18d5859c9a2d4e22b44a62

  • SHA256

    dfb97975c5aa62dcf0c1e0dbe9ff6e9ed9662dc1703e701112f5b1bfa179bf12

  • SHA512

    6fa023b96a5e49e5da1de248001b039d3397ee2e1867c167cc62d2a795c24eed7b69776b6673c9ca76571767c4230f19579e14c7466355da0039a52109abed31

  • SSDEEP

    49152:6Af+Z7lUfrb/T4vO90dL3BmAFd4A64nsfJcQrXFdmS7KMQqangxlE9/XjIYUAbcg:3JPzGnUSfTjKEBc+

Malware Config

Extracted

Family

kaiji

C2

2.59.151.111:8080

Targets

    • Renames multiple (1156) files with added filename extension

      This suggests ransomware activity: encrypting all the files on the system.

    • Executes dropped EXE

    • Modifies Watchdog functionality

      Malware like Mirai modifies the Watchdog to prevent it from restarting an infected system.

    • Reads EFI boot settings

      Reads EFI boot settings from the efivars filesystem, which may contain security secrets or sensitive data.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Creates/modifies environment variables

      Creating/modifying environment variables is a common persistence mechanism.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Modifies systemd

      Adds/modifies systemd service files, likely to achieve persistence.

    • Writes file to user bin folder

    • Modifies Bash startup script

MITRE ATT&CK Enterprise v16

Tasks