Sample : 404eb95db215d1d30c55ac5b37986e9b2e93f03fddae691b79e1ad903d50f038
Modules
Summary
OS ABI : UNIX - System V
CPU class : 32 bit
CPU byte order : 2's complement MSB
File type : ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, not stripped
CPU type : SPARC
Entropy : 5.97154717793
ELF type : Executable file
ELF
Class : 32 bit
Data encoding : 2's complement MSB
Operating system ABI : UNIX - System V
Object file type : Executable file
ELF version : 0.1
Machine : SPARC
Link : static
Entrypoint : 0x101a4
Number of segments : 3
Number of sections : 24
Program header table offset : 52
Section header table offset : 117472
Program header table - size of entry : 32
Section header table - size of entry : 40
Program header table - entries : 3
Section header table - entries : 24
Section header table - index sections names : 21
Stripped : False
Sections stripped : False
Anomalies
Segments
Memory size doubles physical size : PT_LOAD at offset 0x1b48c
Sections
Uncommon sections : .debug_frame
.debug_loc
.debug_ranges
section without a name
Debug information : True
Comment : GCC: (GNU) 4.1.2
Hash
MD5 : d61a0668d993e32efb157283463ec454
SHA1 : 2efaebc688416ea00f924698ca5ac800de817e35
SHA256 : 404eb95db215d1d30c55ac5b37986e9b2e93f03fddae691b79e1ad903d50f038
SHA512 : 5e9fee3168b8b9884ac63d427f9bc87dc65385c5cb00f63ca44e062efd7fba27e5fd39a3bc9fcac3e840200f4bd1e640db43a01a1ad721943583e10721c7dea8
ssdeep : 3072:/aW23PR5vqxFSNPULwSu6JRtIzjX4I5XBJu:/P2fRVlURTJRtIzjX4I5XBJu
Bytes
Entropy : 5.97154717793
Min entropy (16KB blocks) : 4.3850998996
Max entropy (16KB blocks) : 5.96263308704
Unique bytes (0-255) : 256
Null bytes : 29971
White spaces : 5180
Printable bytes : 36839
First 16B : 7f 45 4c 46 01 02 01 00 00 00 00 00 00 00 00 00
Last 16B : 61 73 6b 00 67 65 74 73 6f 63 6b 6e 61 6d 65 00
Longest same bytes sequence
Byte : 0xff
Offset : 0x172d2
Length : 611
Three rarest bytes
0xa9 - 13 times
0xb3 - 12 times
0xd7 - 12 times
Three most common bytes
0x0 - 29971 times
0x10 - 5798 times
0x1 - 4325 times
File type
Mime type : application/x-executable
File type : ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, not stripped
VirusTotal
URL : https://www.virustotal.com/#/file/404eb95db215d1d30c55ac5b37986e9b2e93f03fddae691b79e1ad903d50f038
Positive : 26
Total AVs : 59
Scan date : 2017-12-04 09:41:57
AVClass : gafgyt
Detection
GData : Linux.Trojan-DDoS.Lightaidra.A
Jiangmin : Backdoor.Linux.aftv
NANO-Antivirus : Trojan.Gafgyt.euutdp
ESET-NOD32 : a variant of Linux/Gafgyt.LT
Avast-Mobile : ELF:Gafgyt-EA [Trj]
Qihoo-360 : Win32/Trojan.BO.74f
Ikarus : Trojan.Linux.Gafgyt
Antiy-AVL : Trojan[Backdoor]/Linux.Gafgyt.bj
MAX : malware (ai score=99)
Avast : ELF:Gafgyt-BO [Trj]
Rising : Trojan.Linux/Gafgyt!1.AD53 (CLASSIC)
AVG : ELF:Gafgyt-BO [Trj]
Kaspersky : HEUR:Backdoor.Linux.Gafgyt.bj
Avira : LINUX/Gafgyt.doyte
Cyren : ELF/Trojan.VKPF-4
ZoneAlarm : HEUR:Backdoor.Linux.Gafgyt.bj
Sophos : Linux/DDoS-BI
TrendMicro : Possible_BASHLITE.SMLBZ3
Fortinet : ELF/Gafgyt.WN!tr.bdr
AegisLab : Backdoor.Linux.Gafgyt!c
Tencent : Linux.Backdoor.Gafgyt.Wozi
ClamAV : Unix.Trojan.Mirai-5607483-0
DrWeb : Linux.BackDoor.Fgt.241
Symantec : Linux.Lightaidra
TrendMicro-HouseCall : Suspicious_GEN.F47V1106
Microsoft : DDoS:Linux/Lightaidra!rfn
Data Explore
Paths
/var/run
/proc/net/route
/usr/bins/python
/usr/sbins/dropbear
/dev/null
/etc/resolv.conf
/etc/config/resolv.conf
/etc/hosts
/etc/config/hosts
/home/firmware/build/temp-sparc/gcc-core/gcc
/home/firmware/build/temp-sparc/gcc-core/gcc/libgcc2.c
/home/firmware/build/temp-sparc/build-gcc/gcc
URLs
http://wortschatz.uni-leipzig.de/findlinks/
http://code.google.com/appengine
http://www.brandwatch.net
http://www.majestic12.co.uk/bot
http://majestic12.co.uk/bot
http://www.mojeek.com/bot
IPs (v4 and v6)
192.187.124.194
1.8.1.11
1.9.0.6
1.9.2.6
1.9.2.4
1.9.0.8
Code Explore
Nucleus
Eh_frame
Number of functions : 0