Sample : 404eb95db215d1d30c55ac5b37986e9b2e93f03fddae691b79e1ad903d50f038

Summary

OS ABI : UNIX - System V
CPU class : 32 bit
CPU byte order : 2's complement MSB
File type : ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, not stripped
CPU type : SPARC
Entropy : 5.97154717793
ELF type : Executable file

ELF

Class : 32 bit
Data encoding : 2's complement MSB
Operating system ABI : UNIX - System V
Object file type : Executable file
ELF version : 0.1
Machine : SPARC
Link : static
Entrypoint : 0x101a4
Number of segments : 3
Number of sections : 24
Program header table offset : 52
Section header table offset : 117472
Program header table - size of entry : 32
Section header table - size of entry : 40
Program header table - entries : 3
Section header table - entries : 24
Section header table - index of the section-name string table : 21
Stripped : False
Sections stripped : False

Anomalies

Segments
Memory size doubles physical size : PT_LOAD at offset 0x1b48c

Sections
Uncommon sections : .debug_frame, .debug_loc, .debug_ranges, section without a name

Debug information : True
Comment : GCC: (GNU) 4.1.2

Hash

MD5 : d61a0668d993e32efb157283463ec454
SHA1 : 2efaebc688416ea00f924698ca5ac800de817e35
SHA256 : 404eb95db215d1d30c55ac5b37986e9b2e93f03fddae691b79e1ad903d50f038
SHA512 : 5e9fee3168b8b9884ac63d427f9bc87dc65385c5cb00f63ca44e062efd7fba27e5fd39a3bc9fcac3e840200f4bd1e640db43a01a1ad721943583e10721c7dea8
ssdeep : 3072:/aW23PR5vqxFSNPULwSu6JRtIzjX4I5XBJu:/P2fRVlURTJRtIzjX4I5XBJu

Bytes

Entropy : 5.97154717793
Min entropy (16KB blocks) : 4.3850998996
Max entropy (16KB blocks) : 5.96263308704
Unique bytes (0-255) : 256
Null bytes : 29971
White spaces : 5180
Printable bytes : 36839
First 16B : 7f 45 4c 46 01 02 01 00 00 00 00 00 00 00 00 00
Last 16B : 61 73 6b 00 67 65 74 73 6f 63 6b 6e 61 6d 65 00

Longest same bytes sequence
Byte : 0xff
Offset : 0x172d2
Length : 611

Three rarest bytes
0xa9 - 13 times
0xb3 - 12 times
0xd7 - 12 times

Three most common bytes
0x0 - 29971 times
0x10 - 5798 times
0x1 - 4325 times

File type

Mime type : application/x-executable
File type : ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, not stripped

VirusTotal

URL : https://www.virustotal.com/#/file/404eb95db215d1d30c55ac5b37986e9b2e93f03fddae691b79e1ad903d50f038
Positive : 26
Total AVs : 59
Scan date : 2017-12-04 09:41:57
AVClass : gafgyt

Detection
GData : Linux.Trojan-DDoS.Lightaidra.A
Jiangmin : Backdoor.Linux.aftv
NANO-Antivirus : Trojan.Gafgyt.euutdp
ESET-NOD32 : a variant of Linux/Gafgyt.LT
Avast-Mobile : ELF:Gafgyt-EA [Trj]
Qihoo-360 : Win32/Trojan.BO.74f
Ikarus : Trojan.Linux.Gafgyt
Antiy-AVL : Trojan[Backdoor]/Linux.Gafgyt.bj
MAX : malware (ai score=99)
Avast : ELF:Gafgyt-BO [Trj]
Rising : Trojan.Linux/Gafgyt!1.AD53 (CLASSIC)
AVG : ELF:Gafgyt-BO [Trj]
Kaspersky : HEUR:Backdoor.Linux.Gafgyt.bj
Avira : LINUX/Gafgyt.doyte
Cyren : ELF/Trojan.VKPF-4
ZoneAlarm : HEUR:Backdoor.Linux.Gafgyt.bj
Sophos : Linux/DDoS-BI
TrendMicro : Possible_BASHLITE.SMLBZ3
Fortinet : ELF/Gafgyt.WN!tr.bdr
AegisLab : Backdoor.Linux.Gafgyt!c
Tencent : Linux.Backdoor.Gafgyt.Wozi
ClamAV : Unix.Trojan.Mirai-5607483-0
DrWeb : Linux.BackDoor.Fgt.241
Symantec : Linux.Lightaidra
TrendMicro-HouseCall : Suspicious_GEN.F47V1106
Microsoft : DDoS:Linux/Lightaidra!rfn

Data Explore

Paths
/var/run
/proc/net/route
/usr/bins/python
/usr/sbins/dropbear
/dev/null
/etc/resolv.conf
/etc/config/resolv.conf
/etc/hosts
/etc/config/hosts
/home/firmware/build/temp-sparc/gcc-core/gcc
/home/firmware/build/temp-sparc/gcc-core/gcc/libgcc2.c
/home/firmware/build/temp-sparc/build-gcc/gcc

URLs
http://wortschatz.uni-leipzig.de/findlinks/
http://code.google.com/appengine
http://www.brandwatch.net
http://www.majestic12.co.uk/bot
http://majestic12.co.uk/bot
http://www.mojeek.com/bot

IPs (v4 and v6)
192.187.124.194
1.8.1.11
1.9.0.6
1.9.2.6
1.9.2.4
1.9.0.8

Code Explore

Nucleus

Eh_frame
Number of functions : 0