Sample:

6dc5f7cae034da9f0a821a58add9c9f57fe5640fd239df27baf488cca33b5562



Summary

OS ABI: UNIX - System V

CPU class: 64 bit

Persistence (user): No

Persistence (root): No

CPU byte order: 2's complement LSB

File type: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), statically linked, stripped

CPU type: AMD x86-64

Entropy: 7.99883226802

Syscalls executed (root): 377964

Syscalls executed (user): 80775

ELF type: Shared object file

ELF

Class: 64 bit

Data encoding: 2's complement LSB

Operating system ABI: UNIX - System V

Object file type: Shared object file

ELF version: 1

Machine: AMD x86-64

Entrypoint: 0x566c0

Number of segments: 3

Number of sections: 0

Program header table offset: 64

Section header table offset: 0

Program header table - size of entry: 56

Section header table - size of entry: 64

Program header table - entries: 3

Section header table - entries: 0

Section header table - index sections names: 0

Stripped: True

Sections stripped: True

  • PT_LOAD at offset 0x0 - 7.998880
  • PT_LOAD at offset 0x0

Section header table offset empty: True

Number of section headers empty: True

Debug information: False

Hash

MD5: d6c2dd07bc5317f4e6c20f2766ba28fa

SHA1: df78f1fc2d67d72e3cbd6d78c1260c55fa19f082

SHA256: 6dc5f7cae034da9f0a821a58add9c9f57fe5640fd239df27baf488cca33b5562

SHA512: 97e572ffe9057a0576596d61fd57dd1ecba78c58c6bc87b1879401f65af4fed72aa72e61a69009ebc6f67610357c84781220873197982739c07d5c64d37b65ce

ssdeep: 6144:O/2r9LdhrrRyrHR+RthRel6Hvz7TL6x5x+TFzZMHFIXR3mjorCGELWnd:f5hmHRitpHL7Cx36FzZyAWQC5LWnd

Bytes

Entropy: 7.99883226802

Min entropy (16KB blocks): 7.96869856582

Max entropy (16KB blocks): 7.99012185226

Unique bytes (0-255): 256

Null bytes: 1994

White spaces: 8364

Printable bytes: 131908

First 16B: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00

Last 16B: ca 01 00 00 a0 3c 11 00 49 15 00 4d f4 00 00 00

Byte: 0x20

Offset: 0x57182

Length: 69

  • 0xac - 1297 times
  • 0xd - 1287 times
  • 0x62 - 1258 times
  • 0x0 - 1994 times
  • 0x41 - 1528 times
  • 0xb6 - 1526 times
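The ELF and Bytes sections above are what a header parser and a byte-histogram pass produce. The following is an added example, not the report's own tooling, showing how those fields are read from the ELF64 header and program header table (struct offsets per the ELF64 spec) and how the whole-file and 16KB-block entropy figures are computed. It runs on a constructed image: the header values (ET_DYN, x86-64, entry 0x566c0, 3 program headers at offset 64, no section header table) are copied from the report, while the segment contents, the body bytes and the definition of "printable" (0x20..0x7e) are assumptions of this example.

```python
"""Added example (not from the report's tooling): parse an ELF64 header and its
program headers, then compute the byte statistics the Summary/ELF/Bytes sections
report, on a constructed image whose header values are taken from the report."""
import math
import struct
from collections import Counter

E_TYPE = {1: "Relocatable file", 2: "Executable file", 3: "Shared object file", 4: "Core file"}
E_MACHINE = {0x03: "Intel 80386", 0x28: "ARM", 0x3E: "AMD x86-64", 0xB7: "AArch64"}
P_TYPE = {1: "PT_LOAD", 2: "PT_DYNAMIC", 3: "PT_INTERP", 4: "PT_NOTE", 6: "PT_PHDR",
          0x6474E550: "PT_GNU_EH_FRAME", 0x6474E551: "PT_GNU_STACK"}

EHDR_FMT = "<HHIQQQIHHHHHH"  # Elf64_Ehdr fields after the 16-byte e_ident
PHDR_FMT = "<IIQQQQQQ"       # Elf64_Phdr (56 bytes, matches "size of entry: 56")
BLOCK = 16 * 1024            # block size behind the min/max entropy figures


def parse_elf64(data):
    """Return the header fields and program headers of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("bad ELF magic")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELFCLASS64 / ELFDATA2LSB is handled here")
    (e_type, e_machine, _ver, e_entry, e_phoff, e_shoff, _flags, _ehsize,
     e_phentsize, e_phnum, _shentsize, e_shnum, e_shstrndx) = struct.unpack_from(EHDR_FMT, data, 16)
    segments = []
    for i in range(e_phnum):
        p_type, p_flags, p_off, p_vaddr, _paddr, p_filesz, p_memsz, _align = \
            struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        segments.append({"type": P_TYPE.get(p_type, hex(p_type)), "flags": p_flags,
                         "offset": p_off, "vaddr": p_vaddr, "filesz": p_filesz, "memsz": p_memsz})
    return {
        "elf_version": data[6],                 # e_ident[EI_VERSION]; 1 == EV_CURRENT
        "type": E_TYPE.get(e_type, hex(e_type)),
        "machine": E_MACHINE.get(e_machine, hex(e_machine)),
        "entry": e_entry, "phoff": e_phoff, "shoff": e_shoff,
        "phnum": e_phnum, "shnum": e_shnum, "shstrndx": e_shstrndx,
        # no section header table at all: nothing for a section-driven disassembler to key on
        "sections_stripped": e_shoff == 0 and e_shnum == 0,
        "segments": segments,
    }


def shannon_entropy(buf):
    """Bits per byte; 8.0 means every byte value is equally frequent."""
    n = len(buf)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def byte_stats(data, block=BLOCK):
    """The Bytes-section numbers. 'printable' is assumed here to mean 0x20..0x7e."""
    blocks = [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]
    return {
        "entropy": shannon_entropy(data),
        "min_block_entropy": min(blocks),
        "max_block_entropy": max(blocks),
        "unique_bytes": len(set(data)),
        "null_bytes": data.count(0),
        "printable_bytes": sum(1 for b in data if 0x20 <= b <= 0x7E),
        "first_16": data[:16].hex(" "),
        "last_16": data[-16:].hex(" "),
    }


def build_sample():
    """Constructed ELF64 image. Header values copied from the report (ET_DYN, x86-64,
    entry 0x566c0, 3 program headers at offset 64, no section table); the segment
    values and the body bytes are made up so the image is exactly 4 blocks long."""
    total = 4 * BLOCK
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # the report's first 16 bytes
    ehdr = ident + struct.pack(EHDR_FMT, 3, 0x3E, 1, 0x566C0, 64, 0, 0, 64, 56, 3, 64, 0, 0)
    phdrs = struct.pack(PHDR_FMT, 1, 5, 0, 0x400000, 0x400000, total, total, 0x1000)  # PT_LOAD r-x, whole file
    phdrs += struct.pack(PHDR_FMT, 1, 6, 0, 0x800000, 0x800000, 0, 0x10000, 0x1000)    # PT_LOAD rw-, no file bytes
    phdrs += struct.pack(PHDR_FMT, 0x6474E551, 6, 0, 0, 0, 0, 0, 16)                   # PT_GNU_STACK
    body_len = total - len(ehdr) - len(phdrs)
    body = (bytes(range(256)) * (body_len // 256 + 1))[:body_len]   # uniform filler, entropy 8.0
    return ehdr + phdrs + body


if __name__ == "__main__":
    sample = build_sample()
    for k, v in parse_elf64(sample).items():
        print(f"{k}: {v}")
    for k, v in byte_stats(sample).items():
        print(f"{k}: {v}")
```

Two checks are worth doing on any sample that looks like this one: `sections_stripped` (e_shoff and e_shnum both zero, as in the report) means there is no section table to strip, not merely stripped symbols, and a whole-file entropy within a few hundredths of 8.0 across every 16KB block is what compressed or encrypted content looks like, so the static counts on this page (no functions found) say nothing about what runs after the entrypoint. Replace `build_sample()` with `open(path, "rb").read()` to run it on a real file.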

File type

Mime type: application/x-sharedlib

File type: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), statically linked, stripped

VirusTotal

URL: https://www.virustotal.com/#/file/6dc5f7cae034da9f0a821a58add9c9f57fe5640fd239df27baf488cca33b5562

Positive: 3

Total AVs: 58

Scan date: 2018-10-05 22:42:51

ZoneAlarm: not-a-virus:HEUR:RiskTool.Linux.BitCoinMiner.n

Kaspersky: not-a-virus:HEUR:RiskTool.Linux.BitCoinMiner.n

Jiangmin: RiskTool.Linux.acx

Data Explore

  • /proc/self/exe
  • ::

Code Explore

Number of functions: 0

Sandbox (user)

Standard output:
[2018-10-16 01:28:52] use pool pool.minexmr.com:5555 37.59.43.136
[2018-10-16 01:28:52] new job from pool.minexmr.com:5555 diff 15000
[2...

Standard error:

Sandbox (root)

Standard output:
[2018-10-16 01:36:43] use pool pool.minexmr.com:5555 188.165.254.85
[2018-10-16 01:36:44] new job from pool.minexmr.com:5555 diff 15000
...

Standard error:
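The two sandbox runs above show the miner reaching pool.minexmr.com:5555 and receiving work, with the pool name resolving to a different address in each run. The following is an added example, not part of the report or its sandbox, that turns that console output into network indicators and a simple verdict. The input is a constructed list containing the four lines visible above (the report is truncated after them); the line formats matched are only the two seen here, and the `blocklist` field names are this example's own.

```python
"""Added example (not from the report's tooling): pull network IOCs out of the
miner's console output as captured by the sandbox. SAMPLE_STDOUT is a constructed
list of the lines visible in the two Sandbox sections; the report is truncated
after them, so this is a partial input."""
import re
from collections import defaultdict

SAMPLE_STDOUT = [
    "[2018-10-16 01:28:52] use pool pool.minexmr.com:5555 37.59.43.136",
    "[2018-10-16 01:28:52] new job from pool.minexmr.com:5555 diff 15000",
    "[2018-10-16 01:36:43] use pool pool.minexmr.com:5555 188.165.254.85",
    "[2018-10-16 01:36:44] new job from pool.minexmr.com:5555 diff 15000",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Only the two line shapes present in the captured output are matched.
USE_POOL = re.compile(r"^\[(?P<ts>[^\]]+)\] use pool (?P<host>[^\s:]+):(?P<port>\d+) (?P<ip>" + IPV4 + r")$")
NEW_JOB = re.compile(r"^\[(?P<ts>[^\]]+)\] new job from (?P<host>[^\s:]+):(?P<port>\d+) diff (?P<diff>\d+)$")


def extract_pool_iocs(lines):
    """Group pool endpoints with the addresses they resolved to and the jobs received.
    Keyed by (host, port): the resolved IP differed between the user and root runs,
    so the hostname and port are the durable indicators, not the address."""
    pools = defaultdict(lambda: {"ips": set(), "jobs": 0, "difficulties": set(), "first_seen": None})
    for line in lines:
        m = USE_POOL.match(line)
        if m:
            entry = pools[(m["host"], int(m["port"]))]
            entry["ips"].add(m["ip"])
            entry["first_seen"] = entry["first_seen"] or m["ts"]
            continue
        m = NEW_JOB.match(line)
        if m:
            entry = pools[(m["host"], int(m["port"]))]
            entry["jobs"] += 1
            entry["difficulties"].add(int(m["diff"]))
            entry["first_seen"] = entry["first_seen"] or m["ts"]
    return dict(pools)


def blocklist(iocs):
    """Indicators to hand to DNS filtering and egress controls (field names are this example's)."""
    hosts = sorted({host for host, _ in iocs})
    ips = sorted(ip for entry in iocs.values() for ip in entry["ips"])
    ports = sorted({port for _, port in iocs})
    return {"hosts": hosts, "ips": ips, "ports": ports}


def looks_like_miner(lines):
    """True once the output shows a pool connection that actually delivered work,
    not just a connection attempt."""
    return any(entry["jobs"] > 0 for entry in extract_pool_iocs(lines).values())


if __name__ == "__main__":
    found = extract_pool_iocs(SAMPLE_STDOUT)
    for (host, port), entry in found.items():
        print(f"{host}:{port} ips={sorted(entry['ips'])} jobs={entry['jobs']} "
              f"diff={sorted(entry['difficulties'])} first_seen={entry['first_seen']}")
    print(blocklist(found), looks_like_miner(SAMPLE_STDOUT))
```

Because the pool's address changed between the two runs, an IP-only block would have caught at most one of them; the hostname plus the non-standard port 5555 is what to alert on, and a `new job` line is the point at which the connection has been accepted by the pool rather than merely attempted.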

Behavior (user)

  • epoll_ctl
  • rt_sigaction
  • epoll_create1
  • mprotect
  • brk
  • connect
  • readv
  • lseek
  • close
  • poll
  • open
  • clock_getres
  • eventfd2
  • getsockopt
  • getdents
  • epoll_wait
  • recvfrom
  • rt_sigprocmask
  • sched_getaffinity
  • arch_prctl
  • write
  • getpid
  • set_tid_address
  • fstat
  • fcntl
  • lstat
  • read
  • getppid
  • clone
  • sendto
  • sched_yield
  • ioctl
  • readlink
  • execve
  • setsockopt
  • socket
  • munmap
  • pipe2
  • futex
  • mmap2
  • prlimit64
  • bind
  • clock_gettime
  • nanosleep

Unique number: 44

Total number: 80775

  • strchr

Unique number: 1

Total number: 1

Number of processes: 5

Trace lines lost: 0

  • /etc/localtime
  • /proc
  • /proc/self/exe
  • /lib/systemd/systemd
  • /dev/null
  • /etc/resolv.conf
  • /etc/hosts
  • /usr/lib/systemtap/stapio

Max sleep: 8.0

Total: 14

  • FIONBIO
  • TCGETS
  • TIOCGWINSZ
Behavior (root)

  • epoll_ctl
  • rt_sigaction
  • epoll_create1
  • mprotect
  • brk
  • connect
  • readv
  • lseek
  • close
  • poll
  • open
  • clock_getres
  • eventfd2
  • getsockopt
  • getdents
  • epoll_wait
  • recvfrom
  • rt_sigprocmask
  • sched_getaffinity
  • arch_prctl
  • write
  • getpid
  • getppid
  • set_tid_address
  • fstat
  • fcntl
  • lstat
  • read
  • commit_creds
  • clone
  • sendto
  • sched_yield
  • ioctl
  • readlink
  • execve
  • setsockopt
  • socket
  • munmap
  • pipe2
  • futex
  • mmap2
  • prlimit64
  • bind
  • clock_gettime
  • nanosleep

Unique number: 45

Total number: 377964

  • strchr

Unique number: 1

Total number: 1

Number of processes: 6

Trace lines lost: 0

  • /etc/localtime
  • /lib/systemd/systemd-journald
  • /sbin/agetty
  • /proc
  • /proc/self/exe
  • /lib/systemd/systemd
  • /dev/null
  • /usr/sbin/sshd
  • /usr/sbin/rsyslogd
  • /etc/resolv.conf
  • /etc/hosts
  • /usr/lib/policykit-1/polkitd
  • /usr/bin/dbus-daemon
  • /usr/lib/systemtap/stapio
  • /lib/systemd/systemd-logind
  • /usr/sbin/irqbalance
  • /usr/lib/accountsservice/accounts-daemon
  • /lib/systemd/systemd-udevd

Max sleep: 8.0

Total: 14

  • FIONBIO
  • TCGETS
  • TIOCGWINSZ