Loading... Additional Content is being loaded
Linux
Analysis Report
linux_aarch64.elf
Overview
General Information
| Sample name: | linux_aarch64.elf |
| Analysis ID: | 1562743 |
| MD5: | b64c72dccf36a9775850933de2e1b852 |
| SHA1: | 9196a018e1ee50a59256a69408b7b82dd41d4a27 |
| SHA256: | 6acdf01289672bbd8dc5e28d30b8bcf49d4a2e9f4633c8d6379005df3f154dea |
| Tags: | elfuser-abuse_ch |
| Infos: |  |
Detection
Kaiji
| Score: | 80 |
| Range: | 0 - 100 |
| Whitelisted: | false |
Signatures
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Kaiji
Drops files in suspicious directories
Sample tries to persist itself using /etc/profile
Sample tries to persist itself using cron
Sample tries to set files in /etc globally writable
Creates hidden files and/or directories
Creates hidden files without content (potentially used as a mutex)
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "sleep" command used to delay execution and potentially evade sandboxes
Executes the "systemctl" command used for controlling the systemd system and service manager
Reads the 'hosts' file potentially containing internal network hosts
Sample has stripped symbol table
Sample tries to set the executable flag
Sleeps for long times indicative of sandbox evasion
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)
Writes shell script file to disk with an unusual file extension
Writes shell script files to disk
Classification
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Kaiji | Surfaced in late April 2020, Intezer describes Kaiji as a DDoS malware written in Go that spreads through SSH brute force attacks. Recovered function names are an English representation of Chinese words, hinting about the origin. The name Kaiji was given by MalwareMustDie based on strings found in samples. | No Attribution |
|
AV Detection |
  |
|---|
| Source: |
ReversingLabs: |
||
Networking |
|
|---|
| Source: |
Suricata IDS: |
||
| Source: |
TCP traffic: |
||
| Source: |
Reads hosts file: |
Jump to behavior | ||
| Source: |
TCP traffic: |
||
| Source: |
TCP traffic: |
||
| Source: |
TCP traffic: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
UDP traffic detected without corresponding DNS query: |
||
| Source: |
UDP traffic detected without corresponding DNS query: |
||
| Source: |
UDP traffic detected without corresponding DNS query: |
||
| Source: |
UDP traffic detected without corresponding DNS query: |
||
| Source: |
DNS traffic detected: |
||
| Source: |
DNS traffic detected: |
||
| Source: |
Network traffic detected: |
||
| Source: |
Network traffic detected: |
||
| Source: |
.symtab present: |
||
| Source: |
Classification label: |
||
| Source: |
Submission: |
||
Persistence and Installation Behavior |
|
|---|
| Source: |
File: |
Jump to behavior | ||
| Source: |
File: |
Jump to behavior | ||
| Source: |
File: |
Jump to behavior | ||
| Source: |
File: |
Jump to behavior | ||
| Source: |
File: |
Jump to behavior | ||
| Source: |
File: |
Jump to behavior | ||
| Source: |
File: |
Jump to behavior | ||
| Source: |
File: |
Jump to behavior | ||
| Source: |
File: |
Jump to behavior | ||
| Source: |
File: |
Jump to behavior | ||
| Source: |
File: |
Jump to behavior | ||
| Source: |
File: |
Jump to behavior | ||
| Source: |
Directory: |
Jump to behavior | ||
| Source: |
Directory: |
Jump to behavior | ||
| Source: |
Empty hidden file: |
Jump to behavior | ||
| Source: |
Empty hidden file: |
Jump to behavior | ||
| Source: |
Empty hidden file: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
Shell command executed: |
Jump to behavior | ||
| Source: |
Shell command executed: |
Jump to behavior | ||
| Source: |
Shell command executed: |
Jump to behavior | ||
| Source: |
Shell command executed: |
Jump to behavior | ||
| Source: |
Shell command executed: |
Jump to behavior | ||
| Source: |
Shell command executed: |
Jump to behavior | ||
| Source: |
Systemctl executable: |
Jump to behavior | ||
| Source: |
Systemctl executable: |
Jump to behavior | ||
| Source: |
Systemctl executable: |
Jump to behavior | ||
| Source: |
Systemctl executable: |
Jump to behavior | ||
| Source: |
Systemctl executable: |
Jump to behavior | ||
| Source: |
Systemctl executable: |
Jump to behavior | ||
| Source: |
Systemctl executable: |
Jump to behavior | ||
| Source: |
Systemctl executable: |
Jump to behavior | ||
| Source: |
Systemctl executable: |
Jump to behavior | ||
| Source: |
Systemctl executable: |
Jump to behavior | ||
| Source: |
File: |
Jump to behavior | ||
| Source: |
File: |
Jump to behavior | ||
| Source: |
File: |
Jump to behavior | ||
| Source: |
File: |
Jump to behavior | ||
| Source: |
File: |
Jump to behavior | ||
| Source: |
File: |
Jump to behavior | ||
| Source: |
File: |
Jump to behavior | ||
| Source: |
File: |
Jump to behavior | ||
| Source: |
File: |
Jump to behavior | ||
| Source: |
File: |
Jump to behavior | ||
| Source: |
File: |
Jump to behavior | ||
| Source: |
File: |
Jump to behavior | ||
| Source: |
File: |
Jump to behavior | ||
| Source: |
File: |
Jump to behavior | ||
| Source: |
File: |
Jump to behavior | ||
| Source: |
File: |
Jump to behavior | ||
| Source: |
File: |
Jump to behavior | ||
| Source: |
File: |
Jump to behavior | ||
| Source: |
File: |
Jump to behavior | ||
| Source: |
File: |
Jump to behavior | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Writes shell script file to disk with an unusual file extension: |
Jump to dropped file | ||
| Source: |
Shell script file created: |
Jump to dropped file | ||
| Source: |
Shell script file created: |
Jump to dropped file | ||
| Source: |
Shell script file created: |
Jump to dropped file | ||
| Source: |
Shell script file created: |
Jump to dropped file | ||
| Source: |
Shell script file created: |
Jump to dropped file | ||
| Source: |
Sed executable: |
Jump to behavior | ||
| Source: |
Sed executable: |
Jump to behavior | ||
Hooking and other Techniques for Hiding and Protection |
|
|---|
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
File: |
Jump to dropped file | ||
| Source: |
Sleep executable: |
Jump to behavior | ||
| Source: |
Sleep executable: |
Jump to behavior | ||
| Source: |
Sleep executable: |
Jump to behavior | ||
| Source: |
Sleeps longer then 60s: |
Jump to behavior | ||
| Source: |
Sleeps longer then 60s: |
Jump to behavior | ||
| Source: |
Sleeps longer then 60s: |
Jump to behavior | ||
| Source: |
Sleeps longer then 60s: |
Jump to behavior | ||
| Source: |
Sleeps longer then 60s: |
Jump to behavior | ||
| Source: |
Sleeps longer then 60s: |
Jump to behavior | ||
| Source: |
Queries kernel information via 'uname': |
Jump to behavior | ||
| Source: |
Queries kernel information via 'uname': |
Jump to behavior | ||
| Source: |
Queries kernel information via 'uname': |
Jump to behavior | ||
| Source: |
Queries kernel information via 'uname': |
Jump to behavior | ||
| Source: |
Queries kernel information via 'uname': |
Jump to behavior | ||
| Source: |
Queries kernel information via 'uname': |
Jump to behavior | ||
| Source: |
Queries kernel information via 'uname': |
Jump to behavior | ||
| Source: |
Queries kernel information via 'uname': |
Jump to behavior | ||
| Source: |
Queries kernel information via 'uname': |
Jump to behavior | ||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
Stealing of Sensitive Information |
|
|---|
| Source: |
File source: |
||
Remote Access Functionality |
|
|---|
| Source: |
File source: |
||
No Screenshots
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Contacted Public IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 103.135.101.188 | wdearas.liveya.org | Hong Kong | 4842 | TH-AS-APTianhaiInfoTechCN | true | |
| 109.202.202.202 | unknown | Switzerland | 13030 | INIT7CH | false | |
| 91.189.91.43 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false | |
| 91.189.91.42 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false |
Contacted Domains
| Name | IP | Active |
|---|---|---|
| wdearas.liveya.org | 103.135.101.188 | true |
| www.google.com | 172.217.21.36 | true |