Sample : 6dc5f7cae034da9f0a821a58add9c9f57fe5640fd239df27baf488cca33b5562

Summary

OS ABI : UNIX - System V
CPU class : 64 bit
Persistence (user) : No
Persistence (root) : No
CPU byte order : 2's complement LSB
File type : ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), statically linked, stripped
CPU type : AMD x86-64
Entropy : 7.99883226802
Syscalls executed (root) : 377964
Syscalls executed (user) : 80775
ELF type : Shared object file

ELF

Class : 64 bit
Data encoding : 2's complement LSB
Operating system ABI : UNIX - System V
Object file type : Shared object file
ELF version : 0.1
Machine : AMD x86-64
Link : static
Entrypoint : 0x566c0
Number of segments : 3
Number of sections : 0
Program header table offset : 64
Section header table offset : 0
Program header table - size of entry : 56
Section header table - size of entry : 64
Program header table - entries : 3
Section header table - entries : 0
Section header table - index sections names : 0
Stripped : True
Sections stripped : True
Anomalies

Segments
High entropy : PT_LOAD at offset 0x0 - 7.998880
Memory size doubles physical size : PT_LOAD at offset 0x0

Sections
Section header table offset empty : True
Number of section headers empty : True

Debug information : False

Hash

MD5 : d6c2dd07bc5317f4e6c20f2766ba28fa
SHA1 : df78f1fc2d67d72e3cbd6d78c1260c55fa19f082
SHA256 : 6dc5f7cae034da9f0a821a58add9c9f57fe5640fd239df27baf488cca33b5562
SHA512 : 97e572ffe9057a0576596d61fd57dd1ecba78c58c6bc87b1879401f65af4fed72aa72e61a69009ebc6f67610357c84781220873197982739c07d5c64d37b65ce
ssdeep : 6144:O/2r9LdhrrRyrHR+RthRel6Hvz7TL6x5x+TFzZMHFIXR3mjorCGELWnd:f5hmHRitpHL7Cx36FzZyAWQC5LWnd

Bytes

Entropy : 7.99883226802
Min entropy (16KB blocks) : 7.96869856582
Max entropy (16KB blocks) : 7.99012185226
Unique bytes (0-255) : 256
Null bytes : 1994
White spaces : 8364
Printable bytes : 131908
First 16B : 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Last 16B : ca 01 00 00 a0 3c 11 00 49 15 00 4d f4 00 00 00
Longest same bytes sequence : byte 0x20 at offset 0x57182, length 69
Three rarest bytes : 0xac (1297 times), 0xd (1287 times), 0x62 (1258 times)
Three most common bytes : 0x0 (1994 times), 0x41 (1528 times), 0xb6 (1526 times)

File type

Mime type : application/x-sharedlib
File type : ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), statically linked, stripped

VirusTotal

URL : https://www.virustotal.com/#/file/6dc5f7cae034da9f0a821a58add9c9f57fe5640fd239df27baf488cca33b5562
Positive : 3
Total AVs : 58
Scan date : 2018-10-05 22:42:51

Detection
ZoneAlarm : not-a-virus:HEUR:RiskTool.Linux.BitCoinMiner.n
Kaspersky : not-a-virus:HEUR:RiskTool.Linux.BitCoinMiner.n
Jiangmin : RiskTool.Linux.acx

Data Explore

Paths : /proc/self/exe
IPs (v4 and v6) : ::

Code Explore

Nucleus
Number of functions : 0

Eh_frame

Sandbox (user)

Standard output
[2018-10-16 01:28:52] use pool pool.minexmr.com:5555 37.59.43.136 [2018-10-16 01:28:52] new job from pool.minexmr.com:5555 diff 15000 [2...

Standard error

Sandbox (root)

Standard output
[2018-10-16 01:36:43] use pool pool.minexmr.com:5555 188.165.254.85 [2018-10-16 01:36:44] new job from pool.minexmr.com:5555 diff 15000 ...

Standard error

Behavior

User behavior

Syscalls

Unique
epoll_ctl
rt_sigaction
epoll_create1
mprotect
brk
connect
readv
lseek
close
poll
open
clock_getres
eventfd2
getsockopt
getdents
epoll_wait
recvfrom
rt_sigprocmask
sched_getaffinity
arch_prctl
write
getpid
set_tid_address
fstat
fcntl
lstat
read
getppid
clone
sendto
sched_yield
ioctl
readlink
execve
setsockopt
socket
munmap
pipe2
futex
mmap2
prlimit64
bind
clock_gettime
nanosleep


Unique number : 44
Total number : 80775

Instrumented libc calls
Unique : strchr
Unique number : 1
Total number : 1

Permission related errors : True
Type of permission related error : EACCES (True)

Number of processes : 5
Trace lines lost : 0

Files being read
/etc/localtime
/proc
/proc/self/exe
/lib/systemd/systemd
/dev/null
/etc/resolv.conf
/etc/hosts
/usr/lib/systemtap/stapio

Max sleep : 8.0

Ioctls
Total : 14
Success : FIONBIO
Fail : TCGETS, TIOCGWINSZ

Root behavior

Syscalls

Unique
epoll_ctl
rt_sigaction
epoll_create1
mprotect
brk
connect
readv
lseek
close
poll
open
clock_getres
eventfd2
getsockopt
getdents
epoll_wait
recvfrom
rt_sigprocmask
sched_getaffinity
arch_prctl
write
getpid
getppid
set_tid_address
fstat
fcntl
lstat
read
commit_creds
clone
sendto
sched_yield
ioctl
readlink
execve
setsockopt
socket
munmap
pipe2
futex
mmap2
prlimit64
bind
clock_gettime
nanosleep


Unique number : 45
Total number : 377964

Instrumented libc calls
Unique : strchr
Unique number : 1
Total number : 1

Number of processes : 6
Trace lines lost : 0

Files being read
/etc/localtime
/lib/systemd/systemd-journald
/sbin/agetty
/proc
/proc/self/exe
/lib/systemd/systemd
/dev/null
/usr/sbin/sshd
/usr/sbin/rsyslogd
/etc/resolv.conf
/etc/hosts
/usr/lib/policykit-1/polkitd
/usr/bin/dbus-daemon
/usr/lib/systemtap/stapio
/lib/systemd/systemd-logind
/usr/sbin/irqbalance
/usr/lib/accountsservice/accounts-daemon
/lib/systemd/systemd-udevd

Max sleep : 8.0

Ioctls
Total : 14
Success : FIONBIO
Fail : TCGETS, TIOCGWINSZ