Sample : 119fc6c2cece9c70258353918e5acd1bcd63d0e7c998eabda09c0e4827b39122

Summary

OS ABI : ARM
CPU class : 32 bit
Persistence (user) : No
Persistence (root) : No
CPU byte order : 2's complement LSB
File type : ELF 32-bit LSB executable, ARM, version 1, statically linked, not stripped
CPU type : ARM 32-bit
Entropy : 5.89303699229
Syscalls executed (root) : 115450
Syscalls executed (user) : 92872
ELF type : Executable file

ELF

Class : 32 bit
Data encoding : 2's complement LSB
Operating system ABI : ARM
Object file type : Executable file
ELF version : 0.1
Machine : ARM 32-bit
Link : static
Entrypoint : 0x8190
Number of segments : 3
Number of sections : 20
Program header table offset : 52
Section header table offset : 100396
Program header table - size of entry : 32
Section header table - size of entry : 40
Program header table - entries : 3
Section header table - entries : 20
Section header table - index sections names : 17
Stripped : False
Sections stripped : False
Anomalies

Segments
W^X permission : PT_GNU_STACK at offset 0x0
Memory size doubles physical size : PT_LOAD at offset 0x16000

Sections
Uncommon sections : .debug_frame
Section without a name

Debug information : True
Comment : GCC: (GNU) 4.1.2
Comment : GCC: (GNU) 3.3.2 20031005 (Debian prerelease)

Hash

MD5 : eba4382effd4275ca83810cf0d46f82f
SHA1 : edfa8da4dd1581149bc501d43bd46267828a3a65
SHA256 : 119fc6c2cece9c70258353918e5acd1bcd63d0e7c998eabda09c0e4827b39122
SHA512 : c6a5b8df6ac258e5a036d8921e47dbc45069f0e7c4a861fee615ddc362bab598c355bef0c772ee71ca1f7823a4d2c5f439b90ba3544f473cfa6800af6d2935f5
ssdeep : 3072:/dfB88zeV6Vs7H6NpLmlWvz3GLfzuNvJY6aHJXw/CQS+9DQmgh:/xBJmlWb2LKNvAXw/CQS+9DQmgh

Bytes

Entropy : 5.89303699229
Min entropy (16KB blocks) : 3.5959763938
Max entropy (16KB blocks) : 6.13740570494
Unique bytes (0-255) : 256
Null bytes : 30846
White spaces : 5798
Printable bytes : 37824
First 16B : 7f 45 4c 46 01 01 01 61 00 00 00 00 00 00 00 00
Last 16B : 61 73 6b 00 67 65 74 73 6f 63 6b 6e 61 6d 65 00
Longest same bytes sequence : byte 0x0, offset 0x155e3, length 2590
Three rarest bytes : 0xcf (18 times), 0xd9 (17 times), 0xc7 (16 times)
Three most common bytes : 0x0 (30846 times), 0xe5 (5277 times), 0x30 (5096 times)

File type

Mime type : application/x-executable
File type : ELF 32-bit LSB executable, ARM, version 1, statically linked, not stripped

VirusTotal

URL : https://www.virustotal.com/#/file/119fc6c2cece9c70258353918e5acd1bcd63d0e7c998eabda09c0e4827b39122
Positive : 29
Total AVs : 58
Scan date : 2018-01-26 17:51:40
AVClass : gafgyt

Detection
Kaspersky : HEUR:Backdoor.Linux.Gafgyt.af
TrendMicro-HouseCall : TROJ_GEN.F04JC00AH18
Jiangmin : Backdoor.Linux.ygd
NANO-Antivirus : Trojan.Gafgyt.ernshh
ESET-NOD32 : a variant of Linux/Gafgyt.WN
Avast-Mobile : ELF:Gafgyt-DO [Trj]
MAX : malware (ai score=99)
Qihoo-360 : Win32/Trojan.080
GData : Linux.Trojan-DDoS.Lightaidra.A
Antiy-AVL : Trojan[Backdoor]/Linux.Gafgyt.af
Microsoft : DDoS:Linux/Lightaidra!rfn
Cyren : ELF/Trojan.SIBV-8
Rising : Trojan.Linux/Gafgyt!1.AD1B (CLASSIC)
AVG : ELF:Gafgyt-D [Trj]
Comodo : UnclassifiedMalware
McAfee-GW-Edition : RDN/Generic BackDoor
Avira : LINUX/Gafgyt.asbdx
Avast : ELF:Gafgyt-D [Trj]
ZoneAlarm : HEUR:Backdoor.Linux.Gafgyt.af
AegisLab : Backdoor.Linux.Gafgyt!c
Ikarus : Trojan.Linux.Fgt
Sophos : Linux/DDoS-BI
McAfee : RDN/Generic BackDoor
Zillya : Backdoor.Gafgyt.Linux.10374
Tencent : Linux.Backdoor.Gafgyt.Anfo
ClamAV : Unix.Trojan.Mirai-5607483-0
DrWeb : Linux.BackDoor.Fgt.737
Symantec : Linux.Lightaidra
TrendMicro : TROJ_GEN.F04JC00AH18

Data Explore


Paths

/var/run

/dev/netslink/

/var/

/dev/

/var/run/

/dev/shm/

/mnt/

/usr/

/bin/sh

/proc/cpuinfo

/var/;

/proc/net/route

/etc/rc.d/rc.local

/etc/rc.conf

/dev/null

/etc/resolv.conf

/etc/config/resolv.conf

/etc/hosts

/etc/config/hosts

/home/firmware/build/temp-armv4l/gcc-core/gcc/config/arm/lib1funcs.asm

/home/firmware/build/temp-armv4l/build-gcc/gcc

/home/firmware/build/temp-armv4l/gcc-core/gcc/config/arm/ieee754-df.S

/home/firmware/build/temp-armv4l/build-gcc/gcc

/home/firmware/build/temp-armv4l/gcc-core/gcc/config/arm

URLs

http://www.mojeek.com/bot

IPs (v4 and v6)

185.165.29.25

8.8.8.8

Code Explore


Nucleus

Eh_frame

Number of functions : 0

Sandbox (user)


Standard output

Standard error

Sandbox (root)


Standard output

Standard error

Behavior

User behavior
Errors
Syscall not implemented : True
Syscalls
Unique : execve, ni_syscall
Unique number : 2
Total number : 92872
Number of processes : 1
Trace lines lost : 0
Max sleep : -1.0

Root behavior
Errors
Syscall not implemented : True
Syscalls
Unique : commit_creds, execve, ni_syscall
Unique number : 3
Total number : 115450
Number of processes : 1
Trace lines lost : 0
Max sleep : -1.0