Sample : 248edc830b8178d678ab3bcb441e89055e9ea0bc904166a09ee3b0983f716c14
Modules
Summary
OS ABI
UNIX - System V
CPU class
32 bit
Persistence (user)
No
Persistence (root)
No
CPU byte order
2's complement MSB
File type
ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
CPU type
MIPS I
Entropy
7.69448625991
Syscalls executed (root)
12
Syscalls executed (user)
11
ELF type
Executable file
ELF
Class
32 bit
Data encoding
2's complement MSB
Operating system ABI
UNIX - System V
Object file type
Executable file
ELF version
0.1
Machine
MIPS I
Link
static
Entrypoint
0x103208
Number of segments
2
Number of sections
0
Program header table offset
52
Section header table offset
0
Program header table - size of entry
32
Section header table - size of entry
40
Program header table - entries
2
Section header table - entries
0
Section header table - index sections names
0
Stripped
True
Sections stripped
True
Anomalies
Segments
High entropy : PT_LOAD at offset 0x0 - 7.694486
Memory size doubles physical size : PT_LOAD at offset 0xf8a0
Sections
Section header table offset empty : True
Number of section headers empty : True
Debug information
False
Hash
MD5
71e6fc06f5f4bb11782d2e90a7fcde99
SHA1
faeda4d8bfdb4b2225b029079220bc81c963f8a1
SHA256
248edc830b8178d678ab3bcb441e89055e9ea0bc904166a09ee3b0983f716c14
SHA512
edea93e6c281a1b74ce9611b055331cd59845393173cc0015e80a95a5e0961bd375d6126c25e4a4a64b3e601be34da137158bdbe1ecbe7394dee752c49921dde
ssdeep
192:IHpVDxx0mHzDYqw5OVRhluKLtExLPKw3wjb5L5pBccsqEJFtHBU0dmqRLjOpfYNH:IHpCmHgrkJLkLyVpWFjU0dNZjYY8K6T+
Bytes
Entropy
7.69448625991
Min entropy (16KB blocks)
-1.0
Max entropy (16KB blocks)
-1.0
Unique bytes (0-255)
256
Null bytes
503
White spaces
665
Printable bytes
5958
First 16B
7f 45 4c 46 01 02 01 00 00 00 00 00 00 00 00 00
Last 16B
c7 30 2c 28 24 00 00 18 a4 20 38 24 00 00 00 ff
Longest same bytes sequence
Byte : 0x0
Offset : 0x66
Length : 10
Three rarest bytes
0x71 - 10 times
0xf5 - 9 times
0xfa - 7 times
Three most common bytes
0x0 - 503 times
0x20 - 206 times
0x3 - 198 times
File type
Mime type
application/x-executable
File type
ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
VirusTotal
URL
https://www.virustotal.com/#/file/248edc830b8178d678ab3bcb441e89055e9ea0bc904166a09ee3b0983f716c14
Positive
3
Total AVs
55
Scan date
2016-10-26 07:24:13
AVClass
gafgyt
Detection
DrWeb : Linux.BackDoor.Fgt.205
Ikarus : Trojan.Linux.Gafgyt
ESET-NOD32 : a variant of Linux/Gafgyt.UM
Data Explore
Paths
/proc/self/exe7
URLs
http://upx.sf.net
Code Explore
Nucleus
Eh_frame
Sandbox (user)
Standard output
Standard error
Sandbox (root)
Standard output
Standard error
Behavior
User behavior
Syscalls
Unique
mprotect
mmap2
exit
brk
readlink
open
execve
Unique number
7
Total number
11
Number of processes
1
Trace lines lost
0
Files being read
/lib/ld-uClibc.so.0
Max sleep
-1.0
Root behavior
Syscalls
Unique
commit_creds
mprotect
mmap2
exit
readlink
brk
open
execve
Unique number
8
Total number
12
Number of processes
1
Trace lines lost
0
Files being read
/lib/ld-uClibc.so.0
Max sleep
-1.0