Linux Analysis Report
tgTVz5WFbs.elf

Overview

General Information

Sample name: tgTVz5WFbs.elf
renamed because original name is a hash value
Original sample name: cda67b5ce0ee86239b9778cbfc57ca06.elf
Analysis ID: 1436499
MD5: cda67b5ce0ee86239b9778cbfc57ca06
SHA1: 007e1dda8ecd4a2a837b0c8720d8e7a9741911e9
SHA256: 6da2951210df8484d3faabb434eddf3ca43a92c7a6eea3df62384169318e8de1
Tags: 32elfmips
Infos:

Detection

Kaiji
Score: 56
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Yara detected Kaiji
Sample has stripped symbol table
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Name Description Attribution Blogpost URLs Link
Kaiji Surfaced in late April 2020, Intezer describes Kaiji as a DDoS malware written in Go that spreads through SSH brute force attacks. Recovered function names are an English representation of Chinese words, hinting about the origin. The name Kaiji was given by MalwareMustDie based on strings found in samples. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/elf.kaiji

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: tgTVz5WFbs.elf Virustotal: Detection: 19% Perma Link
Source: tgTVz5WFbs.elf ReversingLabs: Detection: 21%
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.13:48202 -> 185.125.190.26:443
Source: unknown TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown Network traffic detected: HTTP traffic on port 48202 -> 443
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal56.troj.linELF@0/0@0/0
Source: ELF file section Submission: tgTVz5WFbs.elf
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/tgTVz5WFbs.elf (PID: 5455) Queries kernel information via 'uname': Jump to behavior
Source: tgTVz5WFbs.elf, 5455.1.00007fffa2ee7000.00007fffa2f08000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-mips/tmp/tgTVz5WFbs.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/tgTVz5WFbs.elf
Source: tgTVz5WFbs.elf, 5455.1.000056153b4ca000.000056153b7d0000.rw-.sdmp Binary or memory string: V!/etc/qemu-binfmt/mips
Source: tgTVz5WFbs.elf, 5455.1.000056153b4ca000.000056153b7d0000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mips
Source: tgTVz5WFbs.elf, 5455.1.00007fffa2ee7000.00007fffa2f08000.rw-.sdmp Binary or memory string: /usr/bin/qemu-mips

Stealing of Sensitive Information
barindex
Yara detected Kaiji
Source: Yara match File source: tgTVz5WFbs.elf, type: SAMPLE

Remote Access Functionality
barindex
Yara detected Kaiji
Source: Yara match File source: tgTVz5WFbs.elf, type: SAMPLE

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.125.190.26
 unknown United Kingdom
41231 CANONICAL-ASGB false