General

  • Target

    linux_arm7.elf

  • Size

    2.0MB

  • Sample

    250420-prt4caymt4

  • MD5

    3b1d849963b2c09dd7f056582a620909

  • SHA1

    5b40d62d0e1b5f33f6419ed9fdad0418fe93fb17

  • SHA256

    4660b0c1bc0d913e7b7f342001284f11c4d048fe7c0fb4e4f6586c26574bf2ec

  • SHA512

    29532ac4e2f32ea64f15c3b011f53d87842dd296383ad84f9bd7fa18e4d29d6a4c901121a0d7c7911703a8494f5129138af5d3dec24cbaaaa8171a023f147a5f

  • SSDEEP

    24576:sG/LbVzKHSGLGrs4ICJHfRFMX/vwshhILrZaq7xNpvpPEE93nH/aqVhqHviGC2+q:djZ/aGL2T1

Malware Config

Extracted

Family

kaiji

C2

154.201.91.52:888

Targets

    • Renames multiple (1004) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Executes dropped EXE

    • Modifies Watchdog functionality

      Malware like Mirai modifies the Watchdog to prevent it from restarting an infected system.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Creates/modifies environment variables

      Creating/modifying environment variables is a common persistence mechanism.

    • Disables SELinux

      Disables SELinux security module.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Modifies systemd

      Adds/modifies systemd service files, likely to achieve persistence.

    • Writes file to user bin folder

    • Modifies Bash startup script

MITRE ATT&CK Enterprise v16

Tasks