Sample : 0ffa9e646e881568c1f65055917547b04d89a8a2150af45faa66beb2733e7427

Summary

OS ABI : UNIX - Linux
CPU class : 32 bit
Persistence (user) : No
Persistence (root) : No
CPU byte order : 2's complement LSB
File type : ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
CPU type : Intel 80386
Entropy : 7.90565873233
Syscalls executed (root) : 366837
Syscalls executed (user) : 335164
ELF type : Executable file

ELF

Class : 32 bit
Data encoding : 2's complement LSB
Operating system ABI : UNIX - Linux
Object file type : Executable file
ELF version : 0.1
Machine : Intel 80386
Link : static
Entrypoint : 0xcfd190
Number of segments : 2
Number of sections : 0
Program header table offset : 52
Section header table offset : 0
Program header table - size of entry : 32
Section header table - size of entry : 40
Program header table - entries : 2
Section header table - entries : 0
Section header table - index sections names : 0
Stripped : True
Sections stripped : True
Anomalies

Segments
High entropy : PT_LOAD at offset 0x0 - 7.905697
Memory size doubles physical size : PT_LOAD at offset 0x5c8

Sections
Section header table offset empty : True
Number of section headers empty : True

Debug information : False

Hash

MD5 : 320adee47e53823a1be8a335e4beb246
SHA1 : 7feb14146ac938e5989cc0c9eda001540ef5d760
SHA256 : 0ffa9e646e881568c1f65055917547b04d89a8a2150af45faa66beb2733e7427
SHA512 : 8853638e48544cb8c086477e2b1743c2a19270733a88413c3a1021cf3fd651de0c1e76e883b563178b4ee70570e28900b3fc5064694eaf4c7d314e7ae112a41d
ssdeep : 24576:KfUsEZDuGg5me+mk6bo5+g1fFR8M3poiMP9l72gxFehrO04OxFx:3sXGg5mQbo5+yFHoi8lKwFehrOkFx

Bytes

Entropy : 7.90565873233
Min entropy (16KB blocks) : 7.60317945109
Max entropy (16KB blocks) : 7.8903177965
Unique bytes (0-255) : 256
Null bytes : 11142
White spaces : 35443
Printable bytes : 376544
First 16B : 7f 45 4c 46 01 01 01 03 00 00 00 00 00 00 00 00
Last 16B : b8 59 52 72 1c 64 ca ef 70 6d ce 04 ad d3 1f d1

Longest same bytes sequence
Byte : 0x0
Offset : 0x1f
Length : 10

Three rarest bytes
0xf9 - 1992 times
0xf2 - 1789 times
0xe6 - 1589 times

Three most common bytes
0xff - 11345 times
0x0 - 11142 times
0x1 - 10044 times

File type

Mime type : application/x-executable
File type : ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped

VirusTotal

URL : https://www.virustotal.com/#/file/0ffa9e646e881568c1f65055917547b04d89a8a2150af45faa66beb2733e7427
Positive : 32
Total AVs : 54
Scan date : 2019-02-24 01:12:35
AVClass : pnscan
Detection
Ad-Aware : Trojan.Linux.Agent.ACG
CAT-QuickHeal : Linux/Svirtu.PR77a
DrWeb : Linux.PNScan.2
Symantec : Linux.Raubdo
MicroWorld-eScan : Trojan.Linux.Agent.ACG
ZoneAlarm : Trojan.Linux.Agent.f
Avira : LINUX/PNScan.2.2
McAfee-GW-Edition : RDN/Generic.dx
Avast : ELF:PNScan-AA [Trj]
GData : Trojan.Linux.Agent.ACG
K7AntiVirus : Trojan ( 0001140e1 )
BitDefender : Trojan.Linux.Agent.ACG
AhnLab-V3 : Linux/Pnscan.1035157
NANO-Antivirus : Trojan.Elf32.Agent.ebdnxo
ESET-NOD32 : Linux/PNScan.A
AVG : ELF:PNScan-AA [Trj]
MAX : malware (ai score=100)
Ikarus : Trojan.Linux.Agent
K7GW : Trojan ( 0001140e1 )
Emsisoft : Trojan.Linux.Agent.ACG (B)
ClamAV : Unix.Malware.Agent-1393482
Arcabit : Trojan.Linux.Agent.ACG
McAfee : RDN/Generic.dx
Comodo : Malware@#3bqdlv583lryf
Kaspersky : Trojan.Linux.Agent.f
Fortinet : ELF/PnScan2.A!tr
ALYac : Trojan.Linux.Agent.ACG
Qihoo-360 : Win32/Trojan.564
Sophos : Mal/Generic-S
Tencent : Linux.Trojan.Agent.Lfpy
Microsoft : Trojan:Linux/Raubido.A
VBA32 : Linux.PNScan.2

Data Explore

Paths
~/9
~/^
~/G
~/F;
/proc/verc
~/x-w
~/ Nn
/proc/self/ex

URLs
http://upx.sf.net

IPs (v4 and v6)
::
F::
::
::
::

Code Explore

Nucleus
Number of functions : 0

Eh_frame

Sandbox (user)

Standard output
Standard error

Sandbox (root)

Standard output
Standard error

Behavior

User behavior

Syscalls

Unique
clock_gettime
getsockname
rt_sigaction
epoll_ctl
mprotect
brk
connect
shutdown
close
getgid
poll
open
select
getsockopt
getegid
recv
rt_sigprocmask
nanosleep
mkdir
send
write
setsid
exit
getpid
getrlimit
munmap
fstat
setrlimit
listen
fork
stat
dup2
read
clone
getppid
rt_sigsuspend
ioctl
readlink
getpeername
unlink
sigreturn
execve
setsockopt
chdir
getuid
socket
bind
alarm
fcntl
gettimeofday
socketpair
pipe
time
kill
geteuid

Unique number : 55
Total number : 335164

Instrumented libc calls

Unique
strchr

Unique number : 1
Total number : 1

If uid is checked : True
If gid is checked : True
Permission related errors : True
Type of permission related error
EPERM : True

Number of processes : 6
Trace lines lost : 0

Dropped files

Modify
login2
0ffa9e646e881568c1f65055917547b04d89a8a2150af45faa66beb2733e7427.pid
daemon.log
list2

Files being read
good2
files/srv_report
srv_cc
0ffa9e646e881568c1f65055917547b04d89a8a2150af45faa66beb2733e7427.pid
/etc/resolv.conf
/etc/hosts
/media/truecrypt1/my/framework/../toolchains/cross-compiler-i686/i686-unknown-linux/ssl/openssl.cnf
/dev/urandom

Max sleep : 5.0

Ioctls
Total : 27
Fail : TCGETS

Root behavior

Syscalls

Unique
fcntl
shutdown
rt_sigaction
clock_gettime
mprotect
brk
connect
getsockname
close
getgid
poll
open
select
getsockopt
getegid
recv
rt_sigprocmask
nanosleep
mkdir
send
write
setsid
exit
getpid
getrlimit
munmap
fstat
setrlimit
listen
fork
stat
dup2
read
commit_creds
clone
getppid
rt_sigsuspend
ioctl
readlink
getpeername
unlink
sigreturn
execve
setsockopt
chdir
getuid
socket
bind
alarm
epoll_ctl
gettimeofday
socketpair
pipe
time
kill
geteuid

Unique number : 56
Total number : 366837

Instrumented libc calls

Unique
strchr

Unique number : 1
Total number : 1

Number of processes : 6
Trace lines lost : 0

Dropped files

Modify
login2
0ffa9e646e881568c1f65055917547b04d89a8a2150af45faa66beb2733e7427.pid
daemon.log

Files being read
good2
files/srv_report
srv_cc
0ffa9e646e881568c1f65055917547b04d89a8a2150af45faa66beb2733e7427.pid
/etc/resolv.conf
/etc/hosts
/media/truecrypt1/my/framework/../toolchains/cross-compiler-i686/i686-unknown-linux/ssl/openssl.cnf
/dev/urandom

Max sleep : 5.0

Ioctls
Total : 19
Fail : TCGETS