Sample : 0e4b92d3c26d72a4b56aa858f57c3d923b9f9219a916982cbd8e120dd5300a59

Summary

OS ABI : UNIX - System V
CPU class : 32 bit
Persistence (user) : No
Persistence (root) : No
CPU byte order : 2's complement MSB
File type : ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
CPU type : MIPS I
Entropy : 7.71115219848
Syscalls executed (root) : 12
Syscalls executed (user) : 11
ELF type : Executable file

ELF

Class : 32 bit
Data encoding : 2's complement MSB
Operating system ABI : UNIX - System V
Object file type : Executable file
ELF version : 0.1
Machine : MIPS I
Link : static
Entrypoint : 0x104fe0
Number of segments : 2
Number of sections : 0
Program header table offset : 52
Section header table offset : 0
Program header table - size of entry : 32
Section header table - size of entry : 40
Program header table - entries : 2
Section header table - entries : 0
Section header table - index sections names : 0
Stripped : True
Sections stripped : True
Anomalies

Segments
High entropy : PT_LOAD at offset 0x0 - 7.718773
Memory size doubles physical size : PT_LOAD at offset 0xfac8

Sections
Section header table offset empty : True
Number of section headers empty : True

Debug information : False

Hash

MD5 : 21cb19950fdff9b3a4b63687f7013440
SHA1 : 940051f19b146c1bd977a6cf993c5345210aec66
SHA256 : 0e4b92d3c26d72a4b56aa858f57c3d923b9f9219a916982cbd8e120dd5300a59
SHA512 : d8e4be961ac6bb7272603eac9cd6ce3a87386aa6fe6cf0c96a26b5c9462d78884591e32ebe491b6e464ce7525ccf4affc4c751680634b906af131c4085b226a5
ssdeep : 384:P/NvVbJSi/K8YCdnjViLzJj9J988kIOb1Qf+Mtm8G1etToLFahAFh:PltbJSii8YEnRKx9VkIOb1QH/G1etTDu

Bytes

Entropy : 7.71115219848
Min entropy (16KB blocks) : 7.74337439922
Max entropy (16KB blocks) : 7.74337439922
Unique bytes (0-255) : 256
Null bytes : 736
White spaces : 812
Printable bytes : 8444
First 16B : 7f 45 4c 46 01 02 01 00 00 00 00 00 00 00 00 00
Last 16B : 95 e1 ea b7 00 00 b9 64 00 00 00 b6 00 00 00 80

Longest same bytes sequence
Byte : 0x0
Offset : 0x66
Length : 10

Three rarest bytes
0xf9 - 20 times
0xf2 - 14 times
0xf5 - 14 times

Three most common bytes
0x0 - 736 times
0x3 - 330 times
0x7 - 319 times

File type

Mime type : application/x-executable
File type : ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped

VirusTotal

URL : https://www.virustotal.com/#/file/0e4b92d3c26d72a4b56aa858f57c3d923b9f9219a916982cbd8e120dd5300a59
Positive : 23
Total AVs : 59
Scan date : 2018-07-30 12:25:51
AVClass : gafgyt

Detection
Cyren : ELF/Trojan.WHRC-2
TrendMicro-HouseCall : TROJ_GEN.F04JC00B718
Symantec : Linux.Lightaidra
ZoneAlarm : HEUR:Backdoor.Linux.Gafgyt.af
Tencent : Linux.Backdoor.Gafgyt.Hqvr
Avast : Other:Malware-gen [Trj]
GData : Linux.Trojan.Agent.NAGGX3
DrWeb : Linux.BackDoor.Tsunami.844
NANO-Antivirus : Trojan.Gafgyt.exxckq
ESET-NOD32 : a variant of Linux/IRCBot.AY
AVG : Other:Malware-gen [Trj]
Jiangmin : Backdoor.Linux.astx
Ikarus : LINUX.Gafgyt
Avira : LINUX/Gafgyt.lsszl
Comodo : UnclassifiedMalware
AegisLab : Backdoor.Linux.Gafgyt!c
Kaspersky : HEUR:Backdoor.Linux.Gafgyt.af
Zillya : Backdoor.Gafgyt.Linux.23050
Fortinet : Linux/Gafgyt.AF!tr.bdr
Qihoo-360 : Win32/Backdoor.746
Sophos : Mal/Generic-S
TrendMicro : TROJ_GEN.F04JC00B718
Microsoft : Backdoor:Linux/Mirai!rfn

Data Explore

Paths : /proc/self/exe7

Code Explore


Nucleus

Eh_frame

Sandbox (user)


Standard output

Standard error

Sandbox (root)


Standard output

Standard error

Behavior

User behavior

Syscalls

Unique : mprotect, mmap2, exit, brk, readlink, open, execve
Unique number : 7
Total number : 11
Number of processes : 1
Trace lines lost : 0
Files being read : /lib/ld-uClibc.so.0
Max sleep : -1.0

Root behavior

Syscalls

Unique : commit_creds, mprotect, mmap2, exit, readlink, brk, open, execve
Unique number : 8
Total number : 12
Number of processes : 1
Trace lines lost : 0
Files being read : /lib/ld-uClibc.so.0
Max sleep : -1.0