General

  • Target

    linux_arm5.elf

  • Size

    2.0MB

  • Sample

    250420-ptgwssymx2

  • MD5

    1d97cd7f9c94a0e92606e8f5bf922bbf

  • SHA1

    5f2c274b638f3fde2c9959190565a2193076626d

  • SHA256

    def144637e9c3a244a8274f683700b8b4784dc490b6b2bb645d6c3937fccc173

  • SHA512

    2618d70d92e21c30f010611cf33ecf8040659601c6b6436d00146749493263bfb5a9dc6e54338b7bcf05a31da45c5b3f090e5b6d9ece34a2a9adf0b83c94e636

  • SSDEEP

    24576:NmGM05U6zdl5megDmMTwJCmxjZthdwpVQsl6nBVSDr21p27DCcStHXHVhSBPnjKm:N/bNmer12T1

Malware Config

Extracted

Family

kaiji

C2

154.201.91.52:888

Targets

    • Target

      linux_arm5.elf

    • Renames multiple (1004) files with added filename extension

      This suggests ransomware activity: encrypting all the files on the system.

    • Executes dropped EXE

    • Modifies Watchdog functionality

      Malware like Mirai modifies the Watchdog to prevent it from restarting an infected system.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Creates/modifies environment variables

      Creating/modifying environment variables is a common persistence mechanism.

    • Disables SELinux

      Disables the SELinux security module.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Modifies systemd

      Adds/modifies systemd service files, likely for persistence.

    • Write file to user bin folder

    • Modifies Bash startup script

MITRE ATT&CK Enterprise v16

Tasks