Sample : 028ce18c471faaf9e7bf7c475fc54ae2b9c389b94fd20cfde905a5feb7f8831d

Summary

OS ABI : UNIX - System V
CPU class : 32 bit
Persistence (user) : No
Persistence (root) : No
CPU byte order : 2's complement LSB
File type : ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
CPU type : Intel 80386
Entropy : 6.29844644004
Syscalls executed (root) : 325
Syscalls executed (user) : 324
ELF type : Executable file

ELF

Class : 32 bit
Data encoding : 2's complement LSB
Operating system ABI : UNIX - System V
Object file type : Executable file
ELF version : 0.1
Machine : Intel 80386
Link : static
Entrypoint : 0x8048164
Number of segments : 3
Number of sections : 16
Program header table offset : 52
Section header table offset : 52784
Program header table - size of entry : 32
Section header table - size of entry : 40
Program header table - entries : 3
Section header table - entries : 16
Section header table - index of the section-name string table : 13
Stripped : False
Sections stripped : False
Anomalies

Segments
High entropy : PT_LOAD at offset 0x0 - 6.589275
Memory size doubles physical size : PT_LOAD at offset 0xc000

Sections
Uncommon sections : section without a name
High entropy : .text - 6.475292

Debug information : False
Comment : GCC: (GNU) 4.1.2

Hash

MD5 : ae8015968c7c71045fa43af718f1fbfb
SHA1 : 41e129af54af9cf3bd947101a8e6310947cef9c2
SHA256 : 028ce18c471faaf9e7bf7c475fc54ae2b9c389b94fd20cfde905a5feb7f8831d
SHA512 : f019081db052fbac1fb0cf7a4d32829e4e4ac9a5629b59a097d079d65d14af74209a8681c4bec8f24669b3c978d5fcd1877ce1e9653d01b2df92d0761f11fca4
ssdeep : 1536:BfaBN280V8+494o9nlmqe8ThfZ9iXSggmd+lVOCjUxfg71:Bfiw8oDeVplLFfzSSggmMlVOCAxfg71

Bytes

Entropy : 6.29844644004
Min entropy (16KB blocks) : 4.77785028122
Max entropy (16KB blocks) : 6.51163366519
Unique bytes (0-255) : 256
Null bytes : 15061
White spaces : 2210
Printable bytes : 25212
First 16B : 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Last 16B : 61 73 6b 00 67 65 74 73 6f 63 6b 6e 61 6d 65 00
Longest same bytes sequence : byte 0x0, offset 0xb87c, length 1925
Three rarest bytes : 0x9b - 12 times, 0xa2 - 12 times, 0x9a - 7 times
Three most common bytes : 0x0 - 15061 times, 0xff - 2630 times, 0x8 - 1837 times

File type

Mime type : application/x-executable
File type : ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped

VirusTotal

URL : https://www.virustotal.com/#/file/028ce18c471faaf9e7bf7c475fc54ae2b9c389b94fd20cfde905a5feb7f8831d
Positive : 24
Total AVs : 57
Scan date : 2018-11-16 03:58:48
AVClass : gafgyt

Detection
Avast-Mobile : ELF:DDoS-S [Trj]
Sophos : Mal/Generic-S
Cyren : ELF/Trojan.YTPF-2
GData : Linux.Trojan.Agent.LEIC16
TrendMicro : TROJ_GEN.F04JC00K918
Tencent : Linux.Backdoor.Gafgyt.Lpuu
TrendMicro-HouseCall : TROJ_GEN.F04JC00K918
Microsoft : DDoS:Linux/Lightaidra!rfn
Ikarus : Trojan.Linux.Gafgyt
Qihoo-360 : Win32/Trojan.DDoS.1be
ClamAV : Unix.Malware.Agent-6744818-0
ESET-NOD32 : a variant of Linux/Gafgyt.ANR
Antiy-AVL : Trojan[Backdoor]/Linux.Gafgyt.bj
Fortinet : ELF/Gafgyt.BJ!tr
Kaspersky : HEUR:Backdoor.Linux.Gafgyt.bj
DrWeb : Linux.BackDoor.Fgt.1427
ZoneAlarm : HEUR:Backdoor.Linux.Gafgyt.bj
AVG : ELF:DDoS-Y [Trj]
Symantec : Linux.Lightaidra
McAfee-GW-Edition : Linux/Backdoor-gen.a
Avast : ELF:DDoS-Y [Trj]
Avira : LINUX/Gafgyt.wuxbw
McAfee : Linux/Backdoor-gen.a
MAX : malware (ai score=99)

Data Explore

Paths
/proc/net/route
/usr/bin/python
/usr/bin/perl
/usr/sbin/telnetd
/etc/apt/apt.conf
/etc/yum.conf
/dev/null
/etc/resolv.conf
/etc/config/resolv.conf
/etc/hosts
/etc/config/hosts

IPs (v4 and v6)
80.211.28.43
8.8.8.8

Code Explore

Nucleus
Number of functions : 213
Total size of functions [B] : 49713
Average size of a function [B] : 233.394366197
Percentage of covered .text section : 127.00030656
Percentage of covered LOAD segment : 103.655129274

Eh_frame
Number of functions : 0

Sandbox (user)


Standard output

Standard error

Sandbox (root)


Standard output

Standard error

Behavior

User behavior

Syscalls
Unique : fcntl, rt_sigaction, brk, connect, getsockname, close, open, select, getsockopt, send, access, setsid, exit, getpid, fork, read, ioctl, recv, execve, wait4, chdir, socket, time
Unique number : 23
Total number : 324

Instrumented libc calls
Unique : strchr
Unique number : 1
Total number : 1

Number of processes : 3
Trace lines lost : 0
Files being read : /proc/net/route
Max sleep : -1.0

Ioctls
Total : 3
Success : SIOCGIFHWADDR
Fail : TCGETS


Root behavior

Syscalls
Unique : fcntl, rt_sigaction, brk, connect, getsockname, close, open, select, getsockopt, send, access, setsid, exit, getpid, fork, read, commit_creds, ioctl, recv, execve, wait4, chdir, socket, time
Unique number : 24
Total number : 325

Instrumented libc calls
Unique : strchr
Unique number : 1
Total number : 1

Number of processes : 3
Trace lines lost : 0
Files being read : /proc/net/route
Max sleep : -1.0

Ioctls
Total : 3
Success : SIOCGIFHWADDR
Fail : TCGETS