Sample : 50ac4fcd3fbc8abcaa766449841b3a0a684b3e217fc40935f1ac22c34c58a9ec

Summary

OS ABI : UNIX - System V
CPU class : 32 bit
Persistence (user) : No
Persistence (root) : No
CPU byte order : 2's complement MSB
File type : ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
CPU type : MIPS I
Entropy : 5.86156721126
Syscalls executed (root) : 131124
Syscalls executed (user) : 62597
ELF type : Executable file

ELF

Class : 32 bit
Data encoding : 2's complement MSB
Operating system ABI : UNIX - System V
Object file type : Executable file
ELF version : 0.1
Machine : MIPS I
Link : static
Entrypoint : 0x4002a0
Number of segments : 4
Number of sections : 18
Program header table offset : 52
Section header table offset : 492728
Program header table - size of entry : 32
Section header table - size of entry : 40
Program header table - entries : 4
Section header table - entries : 18
Section header table - index sections names : 17
Stripped : True
Sections stripped : False
Anomalies

Segments
W^X permission : PT_GNU_STACK at offset 0x0

Sections
Uncommon sections : .pdr, .reginfo, .mdebug.abi32, .sbss, section without a name
High entropy : .rodata - 6.823592

Debug information : False

Hash

MD5 : 45871bad3a9b4594fc3de39e4b5930ad
SHA1 : cbf45c52046564af6fa40b65bc41725e23935cd7
SHA256 : 50ac4fcd3fbc8abcaa766449841b3a0a684b3e217fc40935f1ac22c34c58a9ec
SHA512 : d251f6e2a345288dcf6a075dcecdc6c3075dcfb1dbf52ceddba13cc6ab229bb04e65767f095ff4e8bac55946135eb25286f51e989c34ff447152ab5c5b5252d2
ssdeep : 6144:9QkvS9EWCxns8zTwJWIck9NpU6zT3C+rkoyoa3y0c2TLCAVrSj2+9Ea:89EhLkdfLQXoaE2TOAV2Rt

Bytes

Entropy : 5.86156721126
Min entropy (16KB blocks) : 2.39092940575
Max entropy (16KB blocks) : 7.0049441092
Unique bytes (0-255) : 256
Null bytes : 133467
White spaces : 22147
Printable bytes : 130607
First 16B : 7f 45 4c 46 01 02 01 00 00 00 00 00 00 00 00 00
Last 16B : 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00

Longest same bytes sequence
Byte : 0x0
Offset : 0x68e13
Length : 494

Three rarest bytes
0x9d - 104 times
0x9b - 100 times
0x7b - 79 times

Three most common bytes
0x0 - 133467 times
0x8f - 17172 times
0x21 - 15068 times

File type

Mime type : application/x-executable
File type : ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped

VirusTotal

URL : https://www.virustotal.com/#/file/50ac4fcd3fbc8abcaa766449841b3a0a684b3e217fc40935f1ac22c34c58a9ec
Positive : 38
Total AVs : 59
Scan date : 2018-06-26 07:54:27
AVClass : vpnfilter

Detection
ClamAV : Unix.Trojan.Vpnfilter-6425811-0
McAfee : Linux/VPNFilter
AegisLab : Backdoor.Linux.Vpnfilter!c
Rising : Backdoor.Linux.VPNFilter.a (CLASSIC)
Symantec : Linux.VPNFilter
Arcabit : Trojan.Linux.VPNFilter.A
Microsoft : Trojan:Linux/VPNFilt
Fortinet : Elf/Agent.1731!tr
TrendMicro-HouseCall : ELF_VPNFILT.A
BitDefender : Trojan.Linux.VPNFilter.A
Antiy-AVL : Trojan/Win32.AGeneric
Qihoo-360 : HEUR:Backdoor.Linux.Vpnfilter.a
Emsisoft : Trojan.Linux.VPNFilter.A (B)
Sophos : Linux/VPNFilt-A
ALYac : Trojan.Linux.VPNFilter
Ad-Aware : Trojan.Linux.VPNFilter.A
Cyren : ELF/VPNFilt.A
Comodo : TrojWare.Linux.Vpnfilter.~A
Avast : ELF:VPNFilter-G [Trj]
Kaspersky : HEUR:Backdoor.Linux.Vpnfilter.a
ViRobot : Linux.S.Agent.493448
AVG : ELF:VPNFilter-G [Trj]
F-Prot : ELF/VPNFilt.A
Jiangmin : Backdoor.Linux.bbqd
DrWeb : Linux.VPNFilter.2
ESET-NOD32 : a variant of Linux/VPNFilter.A
CAT-QuickHeal : ELF.Linux.VPNFilter.GC
TrendMicro : ELF_VPNFILT.A
F-Secure : Trojan.Linux.VPNFilter.A
Ikarus : Trojan.Linux.VPNFilter
McAfee-GW-Edition : Linux/VPNFilter
Avira : LINUX/VPNFilter.1
AhnLab-V3 : Linux/Vpnfilter.493448
ZoneAlarm : HEUR:Backdoor.Linux.Vpnfilter.a
MAX : malware (ai score=97)
MicroWorld-eScan : Trojan.Linux.VPNFilter.A
VBA32 : Backdoor.Linux.Vpnfilter.a
GData : Trojan.Linux.VPNFilter.A

Data Explore

Paths
/var/
/proc/%s/status
/proc/%u/status
/etc/passwd
/dev/urandom
/dev/null
/etc/resolv.conf
/etc/config/resolv.conf
/etc/hosts
/etc/config/hosts

IPs (v4 and v6)
8.8.8.8
0.0.0.0
::

Code Explore

Nucleus

Eh_frame
Number of functions : 0

Sandbox (user)

Standard output
Standard error

Sandbox (root)

Standard output
Standard error

Behavior

User behavior

Syscalls
Unique : fork, chdir, setsid, ioctl, exit, close, getrlimit, execve
Unique number : 8
Total number : 62597
Number of processes : 2
Trace lines lost : 0
Max sleep : -1.0

Ioctls
Total : 2
Fail : TIOCNXCL

Root behavior

Syscalls
Unique : fork, chdir, rt_sigaction, brk, commit_creds, rt_sigprocmask, umask, setsid, write, ioctl, exit, time, close, getrlimit, open, nanosleep, execve
Unique number : 17
Total number : 131124
Number of processes : 4
Trace lines lost : 0

Dropped files
Create
/tmp/client.key
/tmp/client_ca.crt
/tmp/client.crt

Max sleep : 120.0

Ioctls
Total : 5
Fail : TIOCNXCL