Sample : 3f42479f1fe5ba1abe1000ea15a7609b1f196b0bfa5ef4c2b20c81175c437a80

Summary

OS ABI : UNIX - System V
CPU class : 64 bit
Persistence (user) : No
Persistence (root) : No
CPU byte order : 2's complement LSB
File type : ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
CPU type : AMD x86-64
Entropy : 6.09826353762
Syscalls executed (root) : 58318
Syscalls executed (user) : 74162
ELF type : Executable file

ELF

Class : 64 bit
Data encoding : 2's complement LSB
Operating system ABI : UNIX - System V
Object file type : Executable file
ELF version : 0.1
Machine : AMD x86-64
Link : static
Entrypoint : 0x400423
Number of segments : 4
Number of sections : 16
Program header table offset : 64
Section header table offset : 709496
Program header table - size of entry : 56
Section header table - size of entry : 64
Program header table - entries : 4
Section header table - entries : 16
Section header table - index of section names table : 15
Stripped : True
Sections stripped : False
Anomalies

Segments
Memory size doubles physical size : PT_LOAD at offset 0xabe00
PT_TLS at offset 0xabe00

Sections
Uncommon sections : .tbss
Section without a name
High entropy : .text - 6.423212


Debug information : False

Hash

MD5 : d026f66c0344f10894f95f7ed5f4db49
SHA1 : 9d8c1611c9dea53ed14c873db5f49e5b0052042b
SHA256 : 3f42479f1fe5ba1abe1000ea15a7609b1f196b0bfa5ef4c2b20c81175c437a80
SHA512 : 38c85cc90480a5c14c122be528ca96e44a43bce76c85a03d6d5ee15af6ce9f22b196c32fd8d00a51834bc80ec35f93b5416fee86b6513959511f8051bf0a71f3
ssdeep : 12288:saHuY698fBBi6r8B2Ak2MEw2+FS2IrYg4rQ9l2zOv96dGhdJMUxOrq0:XHuX9iBi6rtpESFS2IrYg4rQ9l8Ov96L

Bytes

Entropy : 6.09826353762
Max entropy (16KB blocks) : 6.64026022088
Unique bytes (0-255) : 256
Null bytes : 160501
White spaces : 10525
Printable bytes : 223956
First 16B : 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Last 16B : 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Longest same bytes sequence
Byte : 0x0
Offset : 0x9b9d2
Length : 64307

Three rarest bytes
0xb2 - 194 times
0xa1 - 176 times
0xa7 - 164 times

Three most common bytes
0x0 - 160501 times
0x48 - 32854 times
0xff - 26327 times

File type

Mime type : application/x-executable
File type : ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped

VirusTotal

URL : https://www.virustotal.com/#/file/3f42479f1fe5ba1abe1000ea15a7609b1f196b0bfa5ef4c2b20c81175c437a80
Positive : 13
Total AVs : 60
Scan date : 2018-04-21 12:37:12
AVClass : miner

Detection
Symantec : Trojan.Gen.NPE
ClamAV : Multios.Trojan.CryptocoinMiner-6448864-1
Fortinet : Riskware/Miner
TrendMicro-HouseCall : TROJ_GEN.R002H0CDK18
ESET-NOD32 : a variant of Linux/CoinMiner.AE potentially unwanted
DrWeb : Tool.Linux.BtcMine.426
Qihoo-360 : Win32/Virus.DoS.dc1
Ikarus : PUA.CoinMiner
Avira : LINUX/BitCoinMiner.ubmec
Sophos : Linux/Miner-GF
ZoneAlarm : not-a-virus:HEUR:RiskTool.AndroidOS.Miner.b
Kaspersky : not-a-virus:HEUR:RiskTool.AndroidOS.Miner.b
GData : Linux.Application.Agent.D08V35

Data Explore

Paths
/proc/se
/proc/self/fd/%d
/dev/null
/proc/cpuinfo
/proc/self/stat
/proc/stat
/sys/devices/system/cpu/cpu%u/cpufreq/scaling_cur_freq
/proc/self/exe
/dev/urandom
/dev/random
/dev/console
/dev/log
/etc/hosts
/etc/services
/etc/resolv.conf
/usr/local/bin:/bin:/usr/bin
/etc/passwd
/var/run/nscd/socket
/proc/self/task
/etc/localtime
/usr/share/zoneinfo/
/etc/zoneinfo/

URLs
https://gcc.gnu.org/bugs

IPs (v4 and v6)

127.0.0.1

Code Explore

Nucleus
Number of functions : 1806
Total size of functions [B] : 3296249
Average size of a function [B] : 1825.16555925
Percentage of covered .text section : 562.236940407
Percentage of covered LOAD segment : 465.581099061

Eh_frame

Sandbox (user)


Standard output

Standard error

Sandbox (root)


Standard output

Standard error

Behavior

User behavior

Syscalls

Unique
fcntl
rt_sigaction
epoll_create1
mprotect
brk
connect
readv
close
poll
open
clock_getres
mmap2
getsockopt
exit_group
epoll_wait
recvfrom
rt_sigprocmask
umask
sched_getaffinity
arch_prctl
write
setsid
set_tid_address
fstat
fork
setsockopt
read
clone
sendto
sched_yield
ioctl
readlink
unlink
execve
gettid
socket
munmap
pipe2
epoll_ctl
futex
eventfd2
prlimit64
bind
nanosleep


Unique number : 44
Total number : 74162

Instrumented libc calls

Unique
strchr

Unique number : 1
Total number : 1

Number of processes : 7
Trace lines lost : 0

Files being read
/dev/null
/etc/localtime
/etc/resolv.conf
/etc/hosts

Max sleep : 0.2

Ioctls
Total : 3
Success : FIONBIO
Fail : TIOCGWINSZ

Unlink files
/tmp/3f42479f1fe5ba1abe1000ea15a7609b1f196b0bfa5ef4c2b20c81175c437a80

Unlink itself : True


Root behavior

Syscalls

Unique
fork
gettid
exit_group
commit_creds
rt_sigprocmask
arch_prctl
setsid
brk
close
prlimit64
set_tid_address
execve


Unique number : 12
Total number : 58318

Instrumented libc calls

Unique
strchr

Unique number : 1
Total number : 1

Number of processes : 3
Trace lines lost : 0

Max sleep : -1.0