Sample : 5685b086ce12ffede8814e303223a67eca476735dfe4e9e84b751354a5ea0232

Summary


OS ABI : UNIX - Linux
CPU class : 32 bit
Persistence (user) : No
Persistence (root) : No
CPU byte order : 2's complement LSB
File type : ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
CPU type : Intel 80386
Entropy : 7.9054355751
Syscalls executed (root) : 76701
Syscalls executed (user) : 149002
ELF type : Executable file

ELF


Class : 32 bit
Data encoding : 2's complement LSB
Operating system ABI : UNIX - Linux
Object file type : Executable file
ELF version : 0.1
Machine : Intel 80386
Link : static
Entrypoint : 0xcfce38
Number of segments : 2
Number of sections : 0
Program header table offset : 52
Section header table offset : 0
Program header table - size of entry : 32
Section header table - size of entry : 40
Program header table - entries : 2
Section header table - entries : 0
Section header table - section names index : 0
Stripped : True
Sections stripped : True
Anomalies


Segments
High entropy : PT_LOAD at offset 0x0 - 7.905468
Memory size doubles physical size : PT_LOAD at offset 0xd68


Sections
Section header table offset empty : True
Number of section headers empty : True


Debug information : False

Hash


MD5

6fb6f95546d5bdf4db11655249ee5288
SHA1

2d3e2ce680de6c13ab3236429efd4bca3bfaa79d
SHA256

5685b086ce12ffede8814e303223a67eca476735dfe4e9e84b751354a5ea0232
SHA512

56d5879509ae39cb89720db610ba7f7b1d44b9fd5366648271b48c89c7aedfa0f275aac26263411cd2d9bc10a36560da665a8f2d3bc5649b07884aea599a8fc7
ssdeep

24576:Sqa18r8TpbPiToI6Rbzjvme0IdUMcbtppdnrt4xup34armEe:Swr8TMToI6RsR7aEItl

Bytes


Entropy : 7.9054355751
Min entropy (16KB blocks) : 7.60919538513
Max entropy (16KB blocks) : 7.89266883382
Unique bytes (0-255) : 256
Null bytes : 11083
White spaces : 35499
Printable bytes : 375132
First 16B : 7f 45 4c 46 01 01 01 03 00 00 00 00 00 00 00 00
Last 16B : d2 40 81 64 b0 3e 92 91 6e f1 0a 15 5b 6f 0a b9
Longest same bytes sequence
Byte : 0x0
Offset : 0x1f
Length : 10

Three rarest bytes

0xf9 - 1993 times

0xf2 - 1882 times

0xe6 - 1582 times

Three most common bytes

0xff - 11379 times

0x0 - 11083 times

0x1 - 10152 times

File type


Mime type : application/x-executable
File type : ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped

VirusTotal


URL

https://www.virustotal.com/#/file/5685b086ce12ffede8814e303223a67eca476735dfe4e9e84b751354a5ea0232
Positive : 30
Total AVs : 59
Scan date : 2018-05-14 23:58:15
AVClass : pnscan
Detection

Symantec : Linux.Raubdo

McAfee : RDN/Generic BackDoor

AegisLab : Troj.Linux.Agent!c

McAfee-GW-Edition : RDN/Generic BackDoor

ClamAV : Unix.Malware.Agent-1393532

Arcabit : Trojan.Linux.PNScan.A

Microsoft : Trojan:Win32/Bitrep.B

Fortinet : Linux/Agent.A!tr.bdr

TrendMicro-HouseCall : ELF_RAUBIDO.A

Qihoo-360 : Win32/Trojan.49b

Emsisoft : Trojan.Linux.PNScan.A (B)

Sophos : Linux/Bckdr-RTH

Cyren : ELF/Trojan.RHSZ-4

Avast : ELF:PNScan-Q [Cryp]

NANO-Antivirus : Trojan.Elf32.Agent.ebdnka

AVG : ELF:PNScan-Q [Cryp]

BitDefender : Trojan.Linux.PNScan.A

MAX : malware (ai score=100)

ESET-NOD32 : a variant of Linux/PNScan.A

CAT-QuickHeal : Linux.Agent.PR8d5

TrendMicro : ELF_RAUBIDO.A

F-Secure : Trojan.Linux.PNScan.A

Ikarus : Trojan.Linux.Agent

Ad-Aware : Trojan.Linux.PNScan.A

Avira : LINUX/PNScan.6.2

Tencent : Linux.Backdoor.Agent.Wtny

AhnLab-V3 : Linux/Pnscan.1034309

ALYac : Trojan.Linux.PNScan.A

MicroWorld-eScan : Trojan.Linux.PNScan.A

GData : Trojan.Linux.PNScan.A

Data Explore


Paths

~/9

~/lD

~/GF

~/F;

~/&p

~/

/proc/vercunameH

/proc/self/ex

URLs

http://upx.sf.net

IPs (v4 and v6)

0::

::

::

::

Code Explore


Nucleus

Number of functions : 0

Eh_frame

Sandbox (user)


Standard output

Standard error

Sandbox (root)


Standard output

Standard error

Behavior


User behavior

Syscalls


Unique
clock_gettime
getsockname
rt_sigaction
epoll_ctl
mprotect
brk
connect
shutdown
close
getgid
poll
open
select
getsockopt
getegid
recv
rt_sigprocmask
nanosleep
mkdir
send
write
setsid
exit
getpid
getrlimit
munmap
fstat
setrlimit
listen
fork
stat
dup2
read
clone
getppid
rt_sigsuspend
ioctl
readlink
getpeername
unlink
sigreturn
execve
setsockopt
chdir
getuid
socket
bind
alarm
fcntl
gettimeofday
socketpair
pipe
time
kill
geteuid


Unique number : 55
Total number : 149002

Instrumented libc calls


Unique
strchr


Unique number : 1
Total number : 1

If uid is checked : True
If gid is checked : True
Permission related errors : True
Type of permission related error
EPERM : True
Number of processes : 6
Trace lines lost : 0

Dropped files


Modify
login2
5685b086ce12ffede8814e303223a67eca476735dfe4e9e84b751354a5ea0232.pid
daemon.log
list2


Files being read

srv_cc

5685b086ce12ffede8814e303223a67eca476735dfe4e9e84b751354a5ea0232.pid

/etc/resolv.conf

/etc/hosts

files/srv_report

/media/truecrypt1/my/framework/../toolchains/cross-compiler-i686/i686-unknown-linux/ssl/openssl.cnf

/dev/urandom

Max sleep : 5.0

Ioctls


Total : 108
Fail : TCGETS




Root behavior

Syscalls


Unique
fcntl
shutdown
rt_sigaction
clock_gettime
mprotect
brk
connect
getsockname
close
getgid
poll
open
select
getsockopt
getegid
recv
rt_sigprocmask
nanosleep
mkdir
send
write
setsid
exit
getpid
getrlimit
munmap
fstat
setrlimit
listen
fork
stat
dup2
read
commit_creds
clone
getppid
rt_sigsuspend
ioctl
readlink
getpeername
unlink
sigreturn
execve
setsockopt
chdir
getuid
socket
bind
alarm
epoll_ctl
gettimeofday
socketpair
pipe
time
kill
geteuid


Unique number : 56
Total number : 76701

Instrumented libc calls


Unique
strchr


Unique number : 1
Total number : 1

Number of processes : 6
Trace lines lost : 0

Dropped files


Modify
login2
5685b086ce12ffede8814e303223a67eca476735dfe4e9e84b751354a5ea0232.pid
daemon.log


Files being read

srv_cc

5685b086ce12ffede8814e303223a67eca476735dfe4e9e84b751354a5ea0232.pid

/etc/resolv.conf

/etc/hosts

files/srv_report

/media/truecrypt1/my/framework/../toolchains/cross-compiler-i686/i686-unknown-linux/ssl/openssl.cnf

/dev/urandom

Max sleep : 5.0

Ioctls


Total : 19
Fail : TCGETS