Linux Analysis Report
M74QLI3COX.elf

Overview

General Information

Sample name: M74QLI3COX.elf
(renamed because the original name is a hash value)
Original sample name: 16f920f318bc3fe46bf66d063153d2ef.elf
Analysis ID: 1436495
MD5: 16f920f318bc3fe46bf66d063153d2ef
SHA1: 0d0af14367b108967a9ad93e182b437c1565d4bf
SHA256: 4da76cd7ebfd5412d4681e2f25fcf187863fd15ecc0f952171c841b1290b64b1
Tags: elfmips

Detection

Kaiji
Score: 56
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Yara detected Kaiji
Executes the "rm" command used to delete files or directories
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Name: Kaiji
Description: Surfaced in late April 2020, Intezer describes Kaiji as a DDoS malware written in Go that spreads through SSH brute force attacks. Recovered function names are an English representation of Chinese words, hinting about the origin. The name Kaiji was given by MalwareMustDie based on strings found in samples.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.kaiji

AV Detection

Source: M74QLI3COX.elf ReversingLabs: Detection: 18%
Source: M74QLI3COX.elf Virustotal: Detection: 12%
Source: unknown HTTPS traffic detected: 54.217.10.153:443 -> 192.168.2.15:49566 version: TLS 1.2
Source: unknown Network traffic detected: HTTP traffic on port 49566 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49566
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal56.troj.linELF@0/0@0/0
Source: ELF file section Submission: M74QLI3COX.elf
Source: /usr/bin/dash (PID: 5513) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.fZhFj81utJ /tmp/tmp.5BuHKRtIt9 /tmp/tmp.iMWgMwkDqB
Source: /usr/bin/dash (PID: 5522) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.fZhFj81utJ /tmp/tmp.5BuHKRtIt9 /tmp/tmp.iMWgMwkDqB
Source: /tmp/M74QLI3COX.elf (PID: 5509) Queries kernel information via 'uname'
Source: M74QLI3COX.elf, 5509.1.00007ffe5854e000.00007ffe5856f000.rw-.sdmp Binary or memory string: /usr/bin/qemu-mips64el
Source: M74QLI3COX.elf, 5509.1.0000556a496ab000.0000556a49a27000.rw-.sdmp Binary or memory string: ?nIjU1MIPS64R2-generic-mips64-cpu1/etc/qemu-binfmt/mips64elu
Source: M74QLI3COX.elf, 5509.1.0000556a496ab000.0000556a49a27000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mips64el
Source: M74QLI3COX.elf, 5509.1.00007ffe5854e000.00007ffe5856f000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-mips64el/tmp/M74QLI3COX.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/M74QLI3COX.elf

Stealing of Sensitive Information

Source: Yara match File source: M74QLI3COX.elf, type: SAMPLE

Remote Access Functionality

Source: Yara match File source: M74QLI3COX.elf, type: SAMPLE