Trojan:Linux/Kaiji.A!MTB - Windows Defender Threat Analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Linux/Kaiji.A!MTB
Classification:
Type: Trojan
Platform: Linux
Family: Kaiji
Detection Type: Concrete (known malware family with identified signatures)
Variant: A (specific signature variant within the malware family)
Suffix: !MTB (detected via machine learning and behavioral analysis)
Detection Method: Behavioral
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: a Trojan (appears legitimate but performs malicious actions) for the Linux platform, family Kaiji.

Summary:

This threat is a variant of the Kaiji botnet malware, a trojan specifically targeting Linux systems. It is primarily used for Distributed Denial-of-Service (DDoS) attacks, but the presence of strings like 'KeyLogWriter' suggests it may also have keylogging capabilities. The detection on a Windows system indicates a malicious Linux binary is present, likely within the Windows Subsystem for Linux (WSL), a container, or as a downloaded file.

Severity: High
VDM Static Detection:
Relevant strings associated with this threat:
YARA Rule:
rule Trojan_Linux_Kaiji_A_2147764476_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Linux/Kaiji.A!MTB"
        threat_id = "2147764476"
        type = "Trojan"
        platform = "Linux: Linux platform"
        family = "Kaiji"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "4"
        strings_accuracy = "High"
    strings:
        $x_1_1 = "main.Allowlist" ascii //weight: 1
        $x_1_2 = ".RNG" ascii //weight: 1
        $x_1_3 = "fakeLocker" ascii //weight: 1
        $x_1_4 = "KeyLogWriter" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
Known malware associated with this threat:
Filename: mipsel
Hash (SHA-256): bf51fefe94d0548bfbcefd909e4c5207a7b9a6a6fff0e9aab11afb986d7728b5
Date: 20/11/2025
Remediation Steps:
Isolate the affected system and use the security software to remove the detected file. Investigate the origin of the malicious file, focusing on any running Linux environments (WSL, Docker, VMs) that may be compromised. Scan those environments for signs of compromise, check for weak credentials, and monitor network traffic for any signs of C2 communication or DDoS activity.
=== END REPORT ===
This analysis was last updated on 20/11/2025.