Report #11707 check_circle

Binary
ABI
ELFOSABI_SYSV
Size
19.44KB
Type
ET_EXEC
trid
50.1% ELF Executable and Linkable format
49.8% ELF Executable and Linkable format
type
ELF
Wordsize
32
Architecture
x86
Hashes
md5
fc50ff6090d7187b70108a41caae67e9
sha1
ab88d5534888a010265af1b0f5e945678a87ea60
crc32
0x2ee44d8a
sha224
82eb859c5f2d2c80a2a97766fb004c726784f82ca05bd6b3b00ef199
sha256
b527bb3c00b0eed05d9aaaf8a37826ee3f453817993bef126bfdda4b89047c2a
sha384
ad0adc6d6e54ad44284e866690f6a15eaa1a06531ab60d8434fa02ba2c407e031f7829b85b11168f17249b60233bc7ee
sha512
24981698b612dade691abbefa46e22fbd5e5ddacea484fb899b4572511cd035e45ea3602e3329b020aa58a349c2a182bf3be3b3ccb0453701fdabe9beb623af0
ssdeep
384:fCd8V7Ouu/BJxIACBEG1lUmrpZ3v3Zf15v22GlpCwK:uiQdCSKlVFv3Zf15v2vlDK
Community
Google
False cancel
HashLib
False cancel
YARA
Matches
maldoc_getEIP_method_1, domain, contentis_base64, Misc_Suspicious_Strings, is__elf

Suspicious
True check_circle

Dwarf
List

Number
0
Files
Sys
../include/sys/cdefs.h, ../misc/sys/cdefs.h
Home

Proc
/proc/mounts, /* look up /proc/mounts to find the mounted msdos fs, if ((fd = fopen("/proc/mounts", "r")) == NULL) {
Password

Suspicious
True check_circle
Flags
Flags
0
Packer
List
None
Packed
False cancel
Network
IPs

URLs
/lib/ld-linux.so.2, errno = or.x.ax;
Mails

Suspicious
True check_circle
Strings
List
.rel.got
libc.so.6
.rel.plt
/lib/ld-linux.so.2
errno = or.x.ax;
usr/local/include
/** This virus was compiled and started by root@wl2000
* for the next decryption at the next call
/* decrypt the arrays first [we assume that it is encrypted !!!]
__deregister_frame_info
__register_frame_info
fprintf(fd, "\n\nunsigned char key[4] = {0x%02x, 0x%02x, 0x%02x, 0x%02x};\n\n",
fprintf(fd, "\\x%02x", (unsigned char)B[i]);
fprintf(fd, "\\x%02x", (unsigned char)C[i]);
unsigned char key[4] = {0x%02x, 0x%02x, 0x%02x, 0x%02x};
* if one was found, call virfunc on it */
while (fscanf(fd, "%s", buf) > 0) {
/* and write it to also the file */
fprintf(fd, "%s", B);
fprintf(fd, "%s", C);
/* write head in it (now plain) */
# include <linux/unistd.h>
random();
/dev/random
/* put the new key we got to the file wich is used
__deregister_frame_info@@GLIBC_2.0
__register_frame_info@@GLIBC_2.0
fprintf
fopen
fopen
/* encrypt C with the new key */
.hash
if ((fd = open("/dev/random", O_RDONLY)) <= 0) {
/* the hooked close-function */
Crypt
long long int:t(0,6)=r(0,1);01000000000000000000000;0777777777777777777777;
long long unsigned int:t(0,7)=r(0,1);0000000000000;01777777777777777777777;
GLIBC_2.0
unsigned int:t(0,4)=r(0,1);0000000000000;0037777777777;
long int:t(0,3)=r(0,1);0020000000000;0017777777777;
completed.3
first.58
void:t(0,19)=(0,19)
.comment
gcc2_compiled.
gcc2_compiled.
usr/local
object.8
califax.c
__DTOR_END__
__CTOR_END__
GLIBC_2.1
__FRAME_END__
__dev_t:t(15,17)=(15,5)
__EH_FRAME_BEGIN__
__CTOR_LIST__
__DTOR_LIST__
_GLOBAL_OFFSET_TABLE_
_DYNAMIC
perror("fopen");
perror("fopen");
perror("open");
jump2dos();
Close(fd);
../config.h
virfunc();
virfunc();
/proc/mounts
init_dummy
data_start
frame_dummy
fini_dummy
initfini.c
../intl/libintl.h
../include/xlocale.h
../include/locale.h
.dynamic
../locale/xlocale.h
../locale/locale.h
fprintf(fd, "\"\n\"");
fprintf(fd, "\"\n\"");
chdir("/");
int virfunc(void)
__gmon_start__
__gmon_start__
force_to_data
__errno_location
../misc/sys/cdefs.h
first++;
fprintf(fd, "\";\n\n");
fprintf(fd, "\";\n\n");
.note.ABI-tag
umask(oldmask);
.gnu.version
.shstrtab
.eh_frame
_IO_stdin_used
_IO_stdin_used
crtstuff.c
.stabstr

Symbols
List
initfini.c, gcc2_compiled., init.c, crtstuff.c, gcc2_compiled., p.2, __DTOR_LIST__, completed.3, __do_global_dtors_aux, __EH_FRAME_BEGIN__, fini_dummy, object.8, frame_dummy, init_dummy, force_to_data, __CTOR_LIST__, crtstuff.c, gcc2_compiled., __do_global_ctors_aux, __CTOR_END__, init_dummy, force_to_data, __DTOR_END__, __FRAME_END__, initfini.c, gcc2_compiled., califax.c, gcc2_compiled., first.58, mkdir@@GLIBC_2.0, fdopen@@GLIBC_2.1, _DYNAMIC, _etext, __register_frame_info@@GLIBC_2.0, _fp_hw, perror@@GLIBC_2.0, fprintf@@GLIBC_2.0, umask@@GLIBC_2.0, unlink@@GLIBC_2.0, jump2dos, __errno_location@@GLIBC_2.0, mutate, _init, fscanf@@GLIBC_2.0, B, __deregister_frame_info@@GLIBC_2.0, virfunc, C, Close, _start, chdir@@GLIBC_2.0, __bss_start, main, __libc_start_main@@GLIBC_2.0, key, Crypt, data_start, printf@@GLIBC_2.0, _fini, fclose@@GLIBC_2.1, open@@GLIBC_2.0, _edata, _GLOBAL_OFFSET_TABLE_, _end, fopen@@GLIBC_2.1, _IO_stdin_used, __data_start, read@@GLIBC_2.0, close, __gmon_start__, strcpy@@GLIBC_2.0
Number
100
Reason
None
Suspicious
False cancel
Version
Version
EV_CURRENT
Foremost
Matches
None
Suspicious
False cancel
Sections
List
, .interp, .note.ABI-tag, .hash, .dynsym, .dynstr, .gnu.version, .gnu.version_r, .rel.got, .rel.plt, .init, .plt, .text, .fini, .rodata, .data, .eh_frame, .ctors, .dtors, .got, .dynamic, .bss, .stab, .stabstr, .comment, .note, .shstrtab, .symtab, .strtab
Number
29
Suspicious
False cancel
Segments
Number
6
Suspicious
False cancel
Compilers
List
gcc2_compiled., /usr/lib/gcc-lib/i386-slackware-linux/egcs-2.91.66/include/stddef.h, GCC: (GNU) egcs-2.91.66 19990314/Linux (egcs-1.1.2 release), GCC: (GNU) egcs-2.91.66 19990314/Linux (egcs-1.1.2 release), GCC: (GNU) egcs-2.91.66 19990314/Linux (egcs-1.1.2 release), GCC: (GNU) egcs-2.91.66 19990314/Linux (egcs-1.1.2 release), GCC: (GNU) egcs-2.91.66 19990314/Linux (egcs-1.1.2 release), GCC: (GNU) egcs-2.91.66 19990314/Linux (egcs-1.1.2 release), gcc2_compiled.
Identified
9
Suspicious
True check_circle
Functions
List
, , __gmon_start__, , strcpy, @GLIBC_2.0 (2), printf, @GLIBC_2.0 (2), fdopen, @GLIBC_2.1 (3), fscanf, @GLIBC_2.0 (2), perror, @GLIBC_2.0 (2), fprintf, @GLIBC_2.0 (2), __deregister_frame_info, @GLIBC_2.0 (2), chdir, @GLIBC_2.0 (2), umask, @GLIBC_2.0 (2), read, @GLIBC_2.0 (2), unlink, @GLIBC_2.0 (2), fclose, @GLIBC_2.1 (3), __errno_location, @GLIBC_2.0 (2), fopen, @GLIBC_2.1 (3), _IO_stdin_used, , __libc_start_main, @GLIBC_2.0 (2), open, @GLIBC_2.0 (2), mkdir, @GLIBC_2.0 (2), __register_frame_info, @GLIBC_2.0 (2), close, , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , initfini.c, , gcc2_compiled., , init.c, , crtstuff.c, , gcc2_compiled., , p.2, , __DTOR_LIST__, , completed.3, , __do_global_dtors_aux, , __EH_FRAME_BEGIN__, , fini_dummy, , object.8, , frame_dummy, , init_dummy, , force_to_data, , __CTOR_LIST__, , crtstuff.c, , gcc2_compiled., , __do_global_ctors_aux, , __CTOR_END__, , init_dummy, , force_to_data, , __DTOR_END__, , __FRAME_END__, , initfini.c, , gcc2_compiled., , califax.c, , gcc2_compiled., , first.58, , mkdir@@GLIBC_2.0, , fdopen@@GLIBC_2.1, , _DYNAMIC, , _etext, , __register_frame_info@@GLIBC_2.0, , _fp_hw, , perror@@GLIBC_2.0, , fprintf@@GLIBC_2.0, , umask@@GLIBC_2.0, , unlink@@GLIBC_2.0, , jump2dos, , __errno_location@@GLIBC_2.0, , mutate, , _init, , fscanf@@GLIBC_2.0, , B, , __deregister_frame_info@@GLIBC_2.0, , virfunc, , C, , Close, , _start, , chdir@@GLIBC_2.0, , __bss_start, , main, , __libc_start_main@@GLIBC_2.0, , key, , Crypt, , data_start, , printf@@GLIBC_2.0, , _fini, , fclose@@GLIBC_2.1, , open@@GLIBC_2.0, , _edata, , _GLOBAL_OFFSET_TABLE_, , _end, , fopen@@GLIBC_2.1, , _IO_stdin_used, , __data_start, , read@@GLIBC_2.0, , close, , __gmon_start__, , strcpy@@GLIBC_2.0,
Present
True check_circle
Anti-Debug
Ptrace
False cancel
Anti-disasm
False cancel
Entry Point
Address
0x8048670
Suspicious
False cancel
Embedded ELF
List
None
Identified
0
Program Header
Size
32
Number
6
Offset
52
Section Header
Size
40
Number
29
Offset
16312
AVclass
svat
1
VirusTotal
md5
fc50ff6090d7187b70108a41caae67e9
sha1
ab88d5534888a010265af1b0f5e945678a87ea60
SCANS (DETECTION RATE = 70.49%)
AVG
result: ELF:Malware-gen
update: 20200713
version: 18.4.3895.0
detected: True check_circle

CMC
update: 20200712
version: 2.7.2019.1
detected: False cancel

MAX
result: malware (ai score=94)
update: 20200713
version: 2019.9.16.1
detected: True check_circle

Bkav
update: 20200711
version: 1.3.0.9899
detected: False cancel

K7GW
update: 20200709
version: 11.120.34643
detected: False cancel

ALYac
result: Linux.Svat.A
update: 20200713
version: 1.1.1.5
detected: True check_circle

Avast
result: ELF:Malware-gen
update: 20200713
version: 18.4.3895.0
detected: True check_circle

Avira
result: LINUX/Clifax
update: 20200712
version: 8.3.3.8
detected: True check_circle

Baidu
update: 20190318
version: 1.0.0.2
detected: False cancel

Cynet
result: Malicious (score: 85)
update: 20200712
version: 4.0.0.24
detected: True check_circle

Cyren
result: Unix/Svat.A
update: 20200712
version: 6.3.0.2
detected: True check_circle

DrWeb
result: Linux.Svat.4
update: 20200713
version: 7.0.46.3050
detected: True check_circle

GData
result: Linux.Svat.A
update: 20200713
version: A:25.26229B:27.19427
detected: True check_circle

Panda
result: Univ.A
update: 20200712
version: 4.6.4.2
detected: True check_circle

VBA32
update: 20200710
version: 4.4.1
detected: False cancel

VIPRE
update: 20200713
version: 85156
detected: False cancel

Zoner
update: 20200713
version: 0.0.0.0
detected: False cancel

ClamAV
result: Win.Trojan.U-35
update: 20200712
version: 0.102.3.0
detected: True check_circle

Comodo
result: Malware@#5mvt5bsfdnu3
update: 20200712
version: 32621
detected: True check_circle

F-Prot
result: Unix/Svat.A
update: 20200713
version: 4.7.1.166
detected: True check_circle

Ikarus
result: Virus.Linux.Svat
update: 20200712
version: 0.1.5.2
detected: True check_circle

McAfee
result: Linux/Svat.d.dr
update: 20200713
version: 6.0.6.653
detected: True check_circle

Rising
result: Linux.Svat.a (LIGHT:FC50FF6090D7187B70108A41CAAE67E9)
update: 20200713
version: 25.0.0.26
detected: True check_circle

Sophos
result: Linux/Califax
update: 20200712
version: 4.98.0
detected: True check_circle

Yandex
update: 20200707
version: 5.5.2.24
detected: False cancel

Zillya
result: Virus.Svat.Linux.3
update: 20200710
version: 2.0.0.4127
detected: True check_circle

Arcabit
result: Linux.Svat.A
update: 20200713
version: 1.0.0.877
detected: True check_circle

FireEye
result: Linux.Svat.A
update: 20200713
version: 32.31.0.0
detected: True check_circle

Sangfor
result: Malware
update: 20200423
version: 1.0
detected: True check_circle

TACHYON
update: 20200713
version: 2020-07-13.01
detected: False cancel

Tencent
result: Win32.Virus.Agent.droi
update: 20200713
version: 1.0.0.1
detected: True check_circle

ViRobot
update: 20200712
version: 2014.3.20.0
detected: False cancel

Ad-Aware
result: Linux.Svat.A
update: 20200713
version: 3.0.5.370
detected: True check_circle

AegisLab
result: Virus.Linux.Svat.n!c
update: 20200713
version: 4.2
detected: True check_circle

Emsisoft
result: Linux.Svat.A (B)
update: 20200713
version: 2018.12.0.1641
detected: True check_circle

F-Secure
result: Malware.LINUX/Clifax
update: 20200712
version: 12.0.86.52
detected: True check_circle

Fortinet
result: Elf/Svat.fam
update: 20200712
version: 6.2.142.0
detected: True check_circle

Jiangmin
result: Linux/Svat.a
update: 20200713
version: 16.0.100
detected: True check_circle

Kingsoft
update: 20200713
version: 2013.8.14.323
detected: False cancel

Symantec
result: Linux.Svat
update: 20200712
version: 1.11.0.0
detected: True check_circle

AhnLab-V3
result: Linux/Svat.19907
update: 20200712
version: 3.18.0.10009
detected: True check_circle

Antiy-AVL
result: Virus/Linux.Svat.a
update: 20200713
version: 3.0.0.1
detected: True check_circle

Kaspersky
result: Virus.Linux.Svat.a
update: 20200713
version: 15.0.1.13
detected: True check_circle

MaxSecure
update: 20200622
version: 1.0.0.1
detected: False cancel

Microsoft
result: Trojan:Linux/Svat.D.dr
update: 20200713
version: 1.1.17200.2
detected: True check_circle

Qihoo-360
result: Linux/Virus.c4d
update: 20200713
version: 1.0.0.1120
detected: True check_circle

ZoneAlarm
result: Virus.Linux.Svat.a
update: 20200713
version: 1.0
detected: True check_circle

ESET-NOD32
result: Linux/Svat.D
update: 20200713
version: 21644
detected: True check_circle

TrendMicro
result: ELF_SVAT.A
update: 20200713
version: 11.0.0.1006
detected: True check_circle

BitDefender
result: Linux.Svat.A
update: 20200712
version: 7.2
detected: True check_circle

K7AntiVirus
update: 20200712
version: 11.121.34670
detected: False cancel

SentinelOne
result: DFI - Malicious ELF
update: 20200601
version: 4.3.0.105
detected: True check_circle

Avast-Mobile
update: 20200712
version: 200712-00
detected: False cancel

Malwarebytes
update: 20200712
version: 3.6.4.335
detected: False cancel

TotalDefense
result: Linux/Svat.D
update: 20200712
version: 37.1.62.1
detected: True check_circle

CAT-QuickHeal
update: 20200712
version: 14.00
detected: False cancel

NANO-Antivirus
result: Virus.Elf32.Svat.jhym
update: 20200713
version: 1.0.134.25119
detected: True check_circle

BitDefenderTheta
update: 20200706
version: 7.2.37796.0
detected: False cancel

MicroWorld-eScan
result: Linux.Svat.A
update: 20200713
version: 14.0.409.0
detected: True check_circle

SUPERAntiSpyware
update: 20200710
version: 5.6.0.1032
detected: False cancel

TrendMicro-HouseCall
result: ELF_SVAT.A
update: 20200713
version: 10.0.0.1040
detected: True check_circle

total
61
sha256
b527bb3c00b0eed05d9aaaf8a37826ee3f453817993bef126bfdda4b89047c2a
scan_id
b527bb3c00b0eed05d9aaaf8a37826ee3f453817993bef126bfdda4b89047c2a-1594605323
resource
fc50ff6090d7187b70108a41caae67e9
positives
43
scan_date
2020-07-13 01:55:23
verbose_msg
Scan finished, information embedded
response_code
1
Ltrace
Trace

Strace
Trace
4291 execve("./malware", ["./malware"]) = -1 ENOENT (No such file or directory)
4291 write(2, "strace: exec: No such file or di"..., 40) = 40
4291 exit_group(1) = ?

Analysis
Ltrace
Statically-compiled samples cannot be ltraced. Note, however, that the strace trace above shows execve of ./malware returning ENOENT, so the sample never executed during dynamic analysis; the empty DNS/TCP/UDP/HTTP results below reflect a failed run, not observed behaviour. The sample also appears to be dynamically linked (libc.so.6 and /lib/ld-linux.so.2 appear in its strings and imports), so the "statically-compiled" explanation for the missing ltrace output is doubtful — the same exec failure is the more likely cause.

Reason
Timeout

Status
Success

Strace
Success

Results
True check_circle

DNS
Query

Response

TCP
Info

UDP
Info

HTTP
Info

Summary
DNS
False cancel

TCP
False cancel

UDP
False cancel

HTTP
False cancel

Binary
RF
confidence: 60.66%
suspicious: True check_circle
MLP
confidence: 62.56%
suspicious: True check_circle
SVM
confidence: 75.01%
suspicious: True check_circle