Sample: 50ac4fcd3fbc8abcaa766449841b3a0a684b3e217fc40935f1ac22c34c58a9ec

Summary

OS ABI: UNIX - System V

CPU class: 32 bit

Persistence (user): No

Persistence (root): No

CPU byte order: 2's complement MSB

File type: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped

CPU type: MIPS I

Entropy: 5.86156721126

Syscalls executed (root): 131124

Syscalls executed (user): 62597

ELF type: Executable file

ELF

Class: 32 bit

Data encoding: 2's complement MSB

Operating system ABI: UNIX - System V

Object file type: Executable file

ELF version: 1 (EV_CURRENT; e_ident[EI_VERSION] is 0x01 in the first 16 bytes shown below)

Machine: MIPS I

Entrypoint: 0x4002a0

Number of segments: 4

Number of sections: 18

Program header table offset: 52

Section header table offset: 492728

Program header table - size of entry: 32

Section header table - size of entry: 40

Program header table - entries: 4

Section header table - entries: 18

Section header table - index sections names: 17

Stripped: True

Sections stripped: False

Notable segments and sections:

  • PT_GNU_STACK at offset 0x0
  • .pdr
  • .reginfo
  • .mdebug.abi32
  • .sbss
  • section without a name
  • .rodata - 6.823592

Debug information: False
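The ELF fields above come straight from the 52-byte ELF32 header. As an added example (not the report tool's own code), the parser below decodes such a header, honouring the byte order declared in e_ident[EI_DATA], and then checks the header against the file size. The sample header is constructed from the values reported on this page (first 16 bytes, object type, machine, entry point, table offsets, entry sizes and counts); e_flags is not reported on the page and is set to 0, which is EF_MIPS_ARCH_1. The file size of 493448 is an assumption: it is the number carried in the AhnLab-V3 and ViRobot detection names above, and it equals e_shoff + e_shnum * e_shentsize (492728 + 18 * 40), i.e. the section header table ends exactly at end of file.

```python
"""Parse and sanity-check an ELF32 header (added example, not the report tool's code)."""
import struct

ELF_MAGIC = b"\x7fELF"
EI_CLASS, EI_DATA, EI_VERSION, EI_OSABI = 4, 5, 6, 7
CLASSES = {1: "32 bit", 2: "64 bit"}
ENCODINGS = {1: "2's complement LSB", 2: "2's complement MSB"}
OSABIS = {0: "UNIX - System V", 3: "Linux"}
TYPES = {1: "Relocatable file", 2: "Executable file", 3: "Shared object file", 4: "Core file"}
MACHINES = {3: "Intel 80386", 8: "MIPS", 40: "ARM", 62: "x86-64"}
# EF_MIPS_ARCH lives in the top nibble of e_flags.
MIPS_ARCH = {0x0: "MIPS I", 0x1: "MIPS II", 0x2: "MIPS III", 0x3: "MIPS IV", 0x4: "MIPS V",
             0x5: "MIPS32", 0x6: "MIPS64", 0x7: "MIPS32r2", 0x8: "MIPS64r2"}
ELF32_EHSIZE, ELF32_PHENTSIZE, ELF32_SHENTSIZE = 52, 32, 40

# Constructed header: e_ident from the page, remaining fields from the ELF section above,
# e_flags assumed 0 (EF_MIPS_ARCH_1) because the page does not report it.
SAMPLE_HEADER = bytes.fromhex(
    "7f454c46010201000000000000000000"   # e_ident: ELF, class 1 (32), data 2 (MSB), version 1, SYSV
    "0002" "0008" "00000001" "004002a0"  # e_type ET_EXEC, e_machine EM_MIPS, e_version, e_entry
    "00000034" "000784b8" "00000000"     # e_phoff 52, e_shoff 492728, e_flags
    "0034" "0020" "0004" "0028" "0012" "0011"  # ehsize, phentsize, phnum, shentsize, shnum, shstrndx
)
ASSUMED_FILE_SIZE = 493448  # assumption: taken from the AV names carrying the size, see lead-in


def parse_elf32_header(data: bytes) -> dict:
    """Decode the fixed ELF32 header; byte order follows e_ident[EI_DATA]."""
    if len(data) < 16 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[EI_CLASS] != 1:
        raise ValueError("only ELFCLASS32 is handled here")
    endian = {1: "<", 2: ">"}.get(data[EI_DATA])
    if endian is None:
        raise ValueError("invalid EI_DATA")
    if len(data) < ELF32_EHSIZE:
        raise ValueError("truncated ELF32 header")
    (e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags, e_ehsize,
     e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx) = struct.unpack(
        endian + "HHIIIIIHHHHHH", data[16:ELF32_EHSIZE])
    hdr = {
        "class": CLASSES[data[EI_CLASS]],
        "data_encoding": ENCODINGS[data[EI_DATA]],
        "ident_version": data[EI_VERSION],
        "osabi": OSABIS.get(data[EI_OSABI], f"unknown ({data[EI_OSABI]})"),
        "type": TYPES.get(e_type, f"unknown ({e_type})"),
        "machine": MACHINES.get(e_machine, f"unknown ({e_machine})"),
        "version": e_version, "entry": e_entry, "phoff": e_phoff, "shoff": e_shoff,
        "flags": e_flags, "ehsize": e_ehsize, "phentsize": e_phentsize, "phnum": e_phnum,
        "shentsize": e_shentsize, "shnum": e_shnum, "shstrndx": e_shstrndx,
    }
    if e_machine == 8:
        hdr["mips_arch"] = MIPS_ARCH.get(e_flags >> 28, "unknown")
    return hdr


def sanity_check(hdr: dict, file_size: int) -> list:
    """Return header/file inconsistencies; an empty list means the header is self-consistent."""
    problems = []
    if hdr["ident_version"] != 1 or hdr["version"] != 1:
        problems.append("ELF version is not EV_CURRENT (1)")
    if hdr["ehsize"] != ELF32_EHSIZE:
        problems.append(f"e_ehsize {hdr['ehsize']} != {ELF32_EHSIZE}")
    if hdr["phnum"] and hdr["phentsize"] != ELF32_PHENTSIZE:
        problems.append(f"e_phentsize {hdr['phentsize']} != {ELF32_PHENTSIZE}")
    if hdr["shnum"] and hdr["shentsize"] != ELF32_SHENTSIZE:
        problems.append(f"e_shentsize {hdr['shentsize']} != {ELF32_SHENTSIZE}")
    if hdr["phnum"] and hdr["phoff"] + hdr["phnum"] * hdr["phentsize"] > file_size:
        problems.append("program header table runs past end of file")
    if hdr["shnum"] and hdr["shoff"] + hdr["shnum"] * hdr["shentsize"] > file_size:
        problems.append("section header table runs past end of file")
    if hdr["shnum"] and hdr["shstrndx"] >= hdr["shnum"]:
        problems.append("e_shstrndx points outside the section header table")
    return problems


if __name__ == "__main__":
    parsed = parse_elf32_header(SAMPLE_HEADER)
    for key, value in parsed.items():
        print(f"{key}: {value:#x}" if key in ("entry", "flags") else f"{key}: {value}")
    print("problems:", sanity_check(parsed, ASSUMED_FILE_SIZE) or "none")
```

On a real file: `hdr = parse_elf32_header(open(path, "rb").read(52))` followed by `sanity_check(hdr, os.path.getsize(path))`. A table that runs past end of file or an out-of-range e_shstrndx is a common way stripped or deliberately damaged ELFs trip up disassemblers while still loading fine, which is worth checking before trusting a "0 functions" result.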

Hash

MD5: 45871bad3a9b4594fc3de39e4b5930ad

SHA1: cbf45c52046564af6fa40b65bc41725e23935cd7

SHA256: 50ac4fcd3fbc8abcaa766449841b3a0a684b3e217fc40935f1ac22c34c58a9ec

SHA512: d251f6e2a345288dcf6a075dcecdc6c3075dcfb1dbf52ceddba13cc6ab229bb04e65767f095ff4e8bac55946135eb25286f51e989c34ff447152ab5c5b5252d2

ssdeep: 6144:9QkvS9EWCxns8zTwJWIck9NpU6zT3C+rkoyoa3y0c2TLCAVrSj2+9Ea:89EhLkdfLQXoaE2TOAV2Rt

Bytes

Entropy: 5.86156721126

Min entropy (16KB blocks): 2.39092940575

Max entropy (16KB blocks): 7.0049441092

Unique bytes (0-255): 256

Null bytes: 133467

White spaces: 22147

Printable bytes: 130607

First 16B: 7f 45 4c 46 01 02 01 00 00 00 00 00 00 00 00 00

Last 16B: 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00

Longest run of a single byte value:

Byte: 0x0

Offset: 0x68e13

Length: 494

Least frequent bytes:

  • 0x9d - 104 times
  • 0x9b - 100 times
  • 0x7b - 79 times

Most frequent bytes:

  • 0x0 - 133467 times
  • 0x8f - 17172 times
  • 0x21 - 15068 times
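The Bytes figures above (whole-file and 16KB-block entropy, byte counts, the longest run of one value, most and least frequent values) are cheap static triage signals: a block near 8 bits/byte inside an otherwise ordinary ELF is the first hint of a packed or encrypted payload, while a long null run usually marks section padding or .bss-like data. The following added example (not the report generator's code) computes the same figures. Its input is a constructed buffer, not the sample, and the definitions of "printable" (0x20..0x7e) and "white space" (space, tab, LF, CR, VT, FF) are assumptions because the page does not state the tool's.

```python
"""Byte-level statistics of the kind reported above (added example, not the report tool's code)."""
import math
from collections import Counter

BLOCK_SIZE = 16 * 1024
WHITESPACE = frozenset(b" \t\n\r\x0b\x0c")  # assumed definition of "white spaces"

# Constructed input: 64 uniform passes over 0x00..0xff followed by 494 null bytes.
SAMPLE = bytes(range(256)) * 64 + b"\x00" * 494


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return sum(-(c / n) * math.log2(c / n) for c in Counter(data).values())


def block_entropies(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Entropy per fixed-size block; a short trailing block is scored as-is."""
    return [shannon_entropy(data[i:i + block_size]) for i in range(0, len(data), block_size)]


def longest_run(data: bytes) -> tuple:
    """(byte value, offset, length) of the longest stretch of one repeated byte."""
    best = (None, 0, 0)
    i = 0
    while i < len(data):
        j = i
        while j < len(data) and data[j] == data[i]:
            j += 1
        if j - i > best[2]:
            best = (data[i], i, j - i)
        i = j
    return best


def summarize(data: bytes, top: int = 3) -> dict:
    """Produce the same fields as the report's Bytes section for an arbitrary buffer."""
    counts = Counter(data)
    blocks = block_entropies(data)
    by_count = counts.most_common()           # descending by frequency
    value, offset, length = longest_run(data)
    return {
        "entropy": shannon_entropy(data),
        "min_block_entropy": min(blocks) if blocks else 0.0,
        "max_block_entropy": max(blocks) if blocks else 0.0,
        "unique_bytes": len(counts),
        "null_bytes": counts.get(0, 0),
        "white_spaces": sum(counts.get(b, 0) for b in WHITESPACE),
        "printable_bytes": sum(c for b, c in counts.items() if 0x20 <= b <= 0x7e),
        "first_16": data[:16].hex(" "),
        "last_16": data[-16:].hex(" "),
        "longest_run": {"byte": value, "offset": offset, "length": length},
        "most_frequent": by_count[:top],
        "least_frequent": by_count[-top:],
    }


if __name__ == "__main__":
    for key, val in summarize(SAMPLE).items():
        print(f"{key}: {val}")
```

For a real file pass `summarize(open(path, "rb").read())`. The block view matters more than the whole-file number: the 5.86 reported above for this sample is unremarkable on its own, while the 7.00 maximum block tells you where to look first.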

File type

Mime type: application/x-executable

File type: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped

VirusTotal

URL: https://www.virustotal.com/#/file/50ac4fcd3fbc8abcaa766449841b3a0a684b3e217fc40935f1ac22c34c58a9ec

Positive: 38

Total AVs: 59

Scan date: 2018-06-26 07:54:27

AVClass: vpnfilter

ClamAV: Unix.Trojan.Vpnfilter-6425811-0

McAfee: Linux/VPNFilter

AegisLab: Backdoor.Linux.Vpnfilter!c

Rising: Backdoor.Linux.VPNFilter.a (CLASSIC)

Symantec: Linux.VPNFilter

Arcabit: Trojan.Linux.VPNFilter.A

Microsoft: Trojan:Linux/VPNFilt

Fortinet: Elf/Agent.1731!tr

TrendMicro-HouseCall: ELF_VPNFILT.A

BitDefender: Trojan.Linux.VPNFilter.A

Antiy-AVL: Trojan/Win32.AGeneric

Qihoo-360: HEUR:Backdoor.Linux.Vpnfilter.a

Emsisoft: Trojan.Linux.VPNFilter.A (B)

Sophos: Linux/VPNFilt-A

ALYac: Trojan.Linux.VPNFilter

Ad-Aware: Trojan.Linux.VPNFilter.A

Cyren: ELF/VPNFilt.A

Comodo: TrojWare.Linux.Vpnfilter.~A

Avast: ELF:VPNFilter-G [Trj]

Kaspersky: HEUR:Backdoor.Linux.Vpnfilter.a

ViRobot: Linux.S.Agent.493448

AVG: ELF:VPNFilter-G [Trj]

F-Prot: ELF/VPNFilt.A

Jiangmin: Backdoor.Linux.bbqd

DrWeb: Linux.VPNFilter.2

ESET-NOD32: a variant of Linux/VPNFilter.A

CAT-QuickHeal: ELF.Linux.VPNFilter.GC

TrendMicro: ELF_VPNFILT.A

F-Secure: Trojan.Linux.VPNFilter.A

Ikarus: Trojan.Linux.VPNFilter

McAfee-GW-Edition: Linux/VPNFilter

Avira: LINUX/VPNFilter.1

AhnLab-V3: Linux/Vpnfilter.493448

ZoneAlarm: HEUR:Backdoor.Linux.Vpnfilter.a

MAX: malware (ai score=97)

MicroWorld-eScan: Trojan.Linux.VPNFilter.A

VBA32: Backdoor.Linux.Vpnfilter.a

GData: Trojan.Linux.VPNFilter.A

Data Explore

Strings of interest:
  • /var/
  • /proc/%s/status
  • /proc/%u/status
  • /etc/passwd
  • /dev/urandom
  • /dev/null
  • /etc/resolv.conf
  • /etc/config/resolv.conf
  • /etc/hosts
  • /etc/config/hosts
  • 8.8.8.8
  • 0.0.0.0
  • ::

Code Explore

Number of functions: 0 (the binary is stripped, so no function symbols were found; this is not evidence that it contains no code)

Sandbox (user)

Standard output:

Standard error:

Sandbox (root)

Standard output:

Standard error:

Behavior (user)

Syscalls observed:

  • fork
  • chdir
  • setsid
  • ioctl
  • exit
  • close
  • getrlimit
  • execve

Unique number: 8

Total number: 62597

Number of processes: 2

Trace lines lost: 0

Max sleep: -1.0 (no nanosleep observed)

ioctl requests:

Total: 2

  • TIOCNXCL

Behavior (root)

Syscalls observed:

  • fork
  • chdir
  • rt_sigaction
  • brk
  • commit_creds
  • rt_sigprocmask
  • umask
  • setsid
  • write
  • ioctl
  • exit
  • time
  • close
  • getrlimit
  • open
  • nanosleep
  • execve

Note: commit_creds is a kernel-internal function, not a system call; it appears in this list because the tracer records kernel-side credential changes alongside syscalls.

Unique number: 17

Total number: 131124

Number of processes: 4

Trace lines lost: 0

Files accessed:

  • /tmp/client.key
  • /tmp/client_ca.crt
  • /tmp/client.crt

Max sleep: 120.0

ioctl requests:

Total: 5

  • TIOCNXCL
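The Behavior fields above (unique and total syscalls, process count, lost trace lines, max sleep, files accessed, ioctl requests) are what a tracer distils from a raw syscall log. The following added example (not the sandbox's own code) derives the same fields from strace -f style lines and additionally flags the fork / setsid / chdir / umask daemonization pattern that the syscall list suggests. The trace lines are constructed for illustration and are not the sandbox's actual output; only the syscall names, the TIOCNXCL request, the 120-second sleep and the /tmp/client.* paths are taken from the report.

```python
"""Summarise an strace -f style trace into Behavior-style fields (added example, not the sandbox's code)."""
import re
from collections import Counter, defaultdict

# Constructed trace in strace -f format; invented for this example, not real sandbox output.
SAMPLE_TRACE = """\
100 execve("./sample", ["./sample"], 0x7ffc) = 0
100 getrlimit(RLIMIT_NOFILE, {rlim_cur=1024, rlim_max=4096}) = 0
100 fork() = 101
100 exit(0) = ?
101 setsid() = 101
101 chdir("/") = 0
101 umask(0) = 0
101 close(0) = 0
101 close(1) = 0
101 close(2) = 0
101 ioctl(3, TIOCNXCL) = -1 ENOTTY (Inappropriate ioctl for device)
101 open("/tmp/client.key", O_RDONLY) = -1 ENOENT (No such file or directory)
101 open("/tmp/client.crt", O_RDONLY) = -1 ENOENT (No such file or directory)
101 nanosleep({tv_sec=120, tv_nsec=0}, NULL) = 0
101 fork() = 102
102 execve("/bin/sh", ["sh"], 0x0) = 0
"""

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>.*)$")
SLEEP_RE = re.compile(r"tv_sec=(\d+)")
PATH_RE = re.compile(r'^"([^"]*)"')
DAEMONIZE_STEPS = ("setsid", "chdir", "umask")  # classic daemon() sequence after fork


def parse_trace(text: str) -> tuple:
    """Return ([(pid, syscall, args, ret), ...], lost) where lost counts unparsable lines."""
    events, lost = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((int(m["pid"]), m["name"], m["args"], m["ret"]))
        elif line.strip():
            lost += 1
    return events, lost


def summarize_trace(text: str) -> dict:
    """Build the report's Behavior fields plus a daemonization flag per process."""
    events, lost = parse_trace(text)
    per_pid = defaultdict(list)
    files, ioctls, max_sleep = set(), Counter(), -1.0   # -1.0 means no sleep observed
    for pid, name, args, ret in events:
        per_pid[pid].append(name)
        if name in ("open", "openat"):
            # openat carries the dirfd first; open starts with the path.
            path_part = args.split(", ", 1)[1] if name == "openat" and ", " in args else args
            m = PATH_RE.match(path_part)
            if m:
                files.add(m.group(1))      # record attempts too: ENOENT is still a capability hint
        elif name == "ioctl":
            parts = [p.strip() for p in args.split(",")]
            if len(parts) > 1:
                ioctls[parts[1]] += 1
        elif name == "nanosleep":
            m = SLEEP_RE.search(args)
            if m:
                max_sleep = max(max_sleep, float(m.group(1)))
    names = Counter(n for calls in per_pid.values() for n in calls)
    daemonized = sorted(pid for pid, calls in per_pid.items()
                        if all(step in calls for step in DAEMONIZE_STEPS))
    return {
        "syscalls": sorted(names),
        "unique_number": len(names),
        "total_number": sum(names.values()),
        "number_of_processes": len(per_pid),
        "trace_lines_lost": lost,
        "files": sorted(files),
        "max_sleep": max_sleep,
        "ioctl_requests": dict(ioctls),
        "daemonized_pids": daemonized,
    }


if __name__ == "__main__":
    for key, val in summarize_trace(SAMPLE_TRACE).items():
        print(f"{key}: {val}")
```

A file access is recorded whether or not the open succeeded: the /tmp/client.* paths above are reported even though a clean sandbox has no such files, and that is exactly the information a responder wants (what the implant expects to find). The daemonization flag is a behavioural signal that survives stripping and string obfuscation, since it is read from syscalls rather than from the binary.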