MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 719c9b7ed5d84ebfd5d4493d490468cf1bde46980b052a3f170441830ea04e1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Kaiji


Vendor detections: 10


Intelligence 10 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 719c9b7ed5d84ebfd5d4493d490468cf1bde46980b052a3f170441830ea04e1d
SHA3-384 hash: 1b304e77442f7e484b7bd777811722da810b884c0e675bdbed6bc6118787ce62ecb04046634d81f122044f1af5d56761
SHA1 hash: 7459f84db70a6635b38f4d94f5011eceb6f369ca
MD5 hash: 949b041227374c2f598867f3bd2ed139
humanhash: white-november-ack-connecticut
File name:linux_ppc64el
Download: download sample
Signature Kaiji
Create hunting rule
File size:5'111'808 bytes
First seen:2025-11-13 18:36:51 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 49152:G+LzgiHMY+b67LQPeVrS1G/V3PVmbLlkDg/8FneJGIB1:rLzgiHf+b67LQPeVrS1K3PVPDg7J
TLSH T1D5364A46B7086FA9C920493385B38EE117727D956F215383AB14FABFA8B63454F05FC8
gimphash 211db7a0239e5fc99a6586de3a048800db896d42ff8d6ab26954b5ef47fc9ac0
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf kaiji

Intelligence

File Origin
# of uploads :
1
# of downloads :
39
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.30444.LC.UNOFFICIAL
Create hunting rule

Unix.Malware.Kaiji-10002376-0
Create hunting rule

Unix.Malware.Kaiji-10003612-0
Create hunting rule

Unix.Malware.Kaiji-10025522-0
Create hunting rule

Unix.Malware.Kaiji-10028719-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sends data to a server
Launching a process
Creating a process from a recently created file
Receives data from a server
Manages services
Creating a file
Locks files
Changes the time when the file was created, accessed, or modified
Sets a written file as executable
DNS request
Writes files to system subdirectory
Writes files to system directory
Performs a bruteforce attack in the network
Creates or modifies files in /init.d to set up autorun
Gathering data
Verdict:
Malicious
File Type:
elf.64.le
First seen:
2025-11-13T15:41:00Z UTC
Last seen:
2025-11-14T10:24:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.Linux.Chaos.mj
Link:
https://opentip.kaspersky.com/719c9b7ed5d84ebfd5d4493d490468cf1bde46980b052a3f170441830ea04e1d/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/14c3da19-397d-48a9-b147-7df3d34e0106
Behavior Graph:
Download SVG
%3 guuid=e8d11350-1b00-0000-fd00-1250890c0000 pid=3209 /usr/bin/sudo guuid=d3f08f53-1b00-0000-fd00-1250910c0000 pid=3217 /tmp/sample.bin guuid=e8d11350-1b00-0000-fd00-1250890c0000 pid=3209->guuid=d3f08f53-1b00-0000-fd00-1250910c0000 pid=3217 execve
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/97f5f279-928f-4761-b3f3-cad080b37dd5
Result
Threat name:
Chaos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1813606
Signature
Drops files in suspicious directories
Multi AV Scanner detection for submitted file
Sample tries to set files in /etc globally writable
Uses known network protocols on non-standard ports
Writes identical ELF files to multiple locations
Yara detected Chaos
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1813606 Sample: linux_ppc64el.elf Startdate: 13/11/2025 Architecture: LINUX Score: 72 100 www.ldbot.top 192.238.204.149, 1234, 41926, 41930 LEASEWEB-USA-LAX-11US United States 2->100 102 109.202.202.202, 80 INIT7CH Switzerland 2->102 104 3 other IPs or domains 2->104 106 Multi AV Scanner detection for submitted file 2->106 108 Yara detected Chaos 2->108 110 Uses known network protocols on non-standard ports 2->110 12 linux_ppc64el.elf 2->12         started        16 sshd sshd 2->16         started        18 sshd sshd 2->18         started        20 10 other processes 2->20 signatures3 process4 file5 96 /etc/id.services.conf, ELF 12->96 dropped 98 /etc/32678, POSIX 12->98 dropped 116 Sample tries to set files in /etc globally writable 12->116 118 Writes identical ELF files to multiple locations 12->118 22 linux_ppc64el.elf linux_ppc64el.elf 12->22         started        26 linux_ppc64el.elf bash 12->26         started        28 linux_ppc64el.elf service systemctl 12->28         started        30 sshd 16->30         started        32 sshd 18->32         started        34 sshd 20->34         started        36 sshd 20->36         started        signatures6 process7 file8 92 /etc/init.d/linux_kill, POSIX 22->92 dropped 94 /boot/System.img.config, ELF 22->94 dropped 112 Writes identical ELF files to multiple locations 22->112 114 Drops files in suspicious directories 22->114 38 linux_ppc64el.elf bash 22->38         started        40 linux_ppc64el.elf update-rc.d 22->40         started        42 bash 32678 26->42         started        44 service 28->44         started        46 service basename 28->46         started        48 service basename 28->48         started        50 service systemctl 28->50         started        signatures9 process10 process11 52 bash systemctl 38->52         started        54 bash systemctl 38->54         started        56 bash systemctl 38->56         started        58 update-rc.d systemctl 40->58         started        60 32678 id.services.conf 42->60         started        62 32678 sleep 42->62         started        64 service systemctl 44->64         started        66 service sed 44->66         started        process12 68 id.services.conf service systemctl 60->68         started        70 id.services.conf bash 60->70         started        72 id.services.conf pkill 60->72         started        74 id.services.conf id.services.conf 60->74         started        process13 76 service 68->76         started        78 service basename 68->78         started        80 service basename 68->80         started        82 service systemctl 68->82         started        84 bash 32678 70->84         started        process14 86 service systemctl 76->86         started        88 service sed 76->88         started        90 32678 sleep 84->90         started       
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/719c9b7ed5d84ebfd5d4493d490468cf1bde46980b052a3f170441830ea04e1d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/719c9b7ed5d84ebfd5d4493d490468cf1bde46980b052a3f170441830ea04e1d/
Verdict:
Malicious
Threat:
Family.KAIJI
Link:
https://tip.neiki.dev/file/719c9b7ed5d84ebfd5d4493d490468cf1bde46980b052a3f170441830ea04e1d
Threat name:
Linux.Trojan.Chaos
Create hunting rule
Status:
Malicious
First seen:
2025-11-13 18:37:46 UTC
File Type:
ELF64 Little (Exe)
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ogojw7wv3bhl7vouje6usbdiz4n54ruybmcsupyxaraygdvajyoq._file
Result
Malware family:
kaiji
Create hunting rule
Score:
  10/10
Tags:
family:kaiji linux
Link:
https://tria.ge/reports/251113-w9xerazjht/
Verdict:
Malicious
Tags:
trojan chaos kaiji Unix.Malware.Kaiji-10002376-0
YARA:
ELF_Kaiji_Chaos_April_2024
Link:
https://app.threat.zone/submission/cd365d73-b95d-4671-976e-999c2da53927
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.30
Link:
https://yomi.yoroi.company/submissions/719c9b7ed5d84ebfd5d4493d490468cf1bde46980b052a3f170441830ea04e1d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_Go_GOMAXPROCS
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name:enterpriseapps2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:F01_s1ckrule
Create hunting rule
Author:s1ckb017
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:Linux_Generic_Threat_a40aaa96
Create hunting rule
Author:Elastic Security
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:setsockopt
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for setsockopt() red flags
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Kaiji

elf 719c9b7ed5d84ebfd5d4493d490468cf1bde46980b052a3f170441830ea04e1d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3704584/
  
Delivery method
Distributed via web download

Comments