Sample : 6f7d1c77cd93a4fbcf8fb26d68ba62381848a5ec64cac20b4751c24c63048d30

Summary

OS ABI : UNIX - System V
CPU class : 32 bit
Persistence (user) : No
Persistence (root) : No
CPU byte order : 2's complement MSB
File type : ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
CPU type : MIPS I
Entropy : 5.26330655986
Syscalls executed (root) : 370
Syscalls executed (user) : 369
ELF type : Executable file

ELF

Class : 32 bit
Data encoding : 2's complement MSB
Operating system ABI : UNIX - System V
Object file type : Executable file
ELF version : 0.1
Machine : MIPS I
Link : static
Entrypoint : 0x4002a0
Number of segments : 4
Number of sections : 21
Program header table offset : 52
Section header table offset : 151984
Program header table - size of entry : 32
Section header table - size of entry : 40
Program header table - entries : 4
Section header table - entries : 21
Section header table - index sections names : 18
Stripped : False
Sections stripped : False
Anomalies

Segments
W^X permission : PT_GNU_STACK at offset 0x0
Memory size doubles physical size : PT_LOAD at offset 0x21858

Sections
Uncommon sections :
.pdr
.reginfo
.mdebug.abi32
.sbss
section without a name

Debug information : False
Comment :
GCC: (GNU) 4.1.2
GCC: (GNU) 3.3.2

Hash

MD5 : e0c6f28bb2c7f1468ec7e80f13ac7d46
SHA1 : e8e341d2ef26197688addbf65c83e8a51d72e36b
SHA256 : 6f7d1c77cd93a4fbcf8fb26d68ba62381848a5ec64cac20b4751c24c63048d30
SHA512 : e632e787b44130f990a02e2d823c23e2ae331b33f29057f8af0995042846a503979685b5db0ac24b8c83e09670f209471745c87ef2723ce896949d1fb9048e9f
ssdeep : 3072:7lnDUMCNErQPnzryD046TDEhLM/SrldQnq2Z4c2bO:JnNnJ0lDbSrldQnq2Z4c2bO

Bytes

Entropy : 5.26330655986
Min entropy (16KB blocks) : 3.58669615345
Max entropy (16KB blocks) : 5.81998331193
Unique bytes (0-255) : 256
Null bytes : 61487
White spaces : 6730
Printable bytes : 47978
First 16B : 7f 45 4c 46 01 02 01 00 00 00 00 00 00 00 00 00
Last 16B : 61 73 6b 00 67 65 74 73 6f 63 6b 6e 61 6d 65 00
Longest same bytes sequence : Byte 0xff, Offset 0x1d3ca, Length 611
Three rarest bytes :
0x9b - 10 times
0xbb - 10 times
0xd3 - 9 times
Three most common bytes :
0x0 - 61487 times
0x8f - 6237 times
0x20 - 4437 times

File type

Mime type : application/x-executable
File type : ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped

VirusTotal

URL : https://www.virustotal.com/#/file/6f7d1c77cd93a4fbcf8fb26d68ba62381848a5ec64cac20b4751c24c63048d30
Positive : 24
Total AVs : 55
Scan date : 2017-05-17 23:38:26
AVClass : gafgyt
Detection :
MicroWorld-eScan : Gen:Variant.Backdoor.Linux.Gafgyt.1
NANO-Antivirus : Trojan.Gafgyt.embkud
F-Secure : Gen:Variant.Backdoor.Linux.Gafgyt.1
ESET-NOD32 : a variant of Linux/Gafgyt.LT
Qihoo-360 : Win32/Backdoor.9dc
GData : Gen:Variant.Backdoor.Linux.Gafgyt.1
Emsisoft : Gen:Variant.Backdoor.Linux.Gafgyt.1 (B)
Antiy-AVL : Trojan[Backdoor]/Linux.Gafgyt.aj
Cyren : ELF/Backdoor.UKYA-
Kaspersky : HEUR:Backdoor.Linux.Gafgyt.aj
Avira : LINUX/Gafgyt.kulvv
Avast : ELF:DDoS-Y [Trj]
ZoneAlarm : HEUR:Backdoor.Linux.Gafgyt.aj
Arcabit : Trojan.Backdoor.Linux.Gafgyt.1
ALYac : Gen:Variant.Backdoor.Linux.Gafgyt.1
Sophos : Linux/DDoS-BI
AhnLab-V3 : Linux/Backdoor.174218
Fortinet : Linux/Gafgyt.B!tr
BitDefender : Gen:Variant.Backdoor.Linux.Gafgyt.1
AVG : Linux/Fgt
Tencent : Linux.Backdoor.Gafgyt.Ajva
Ad-Aware : Gen:Variant.Backdoor.Linux.Gafgyt.1
DrWeb : Linux.BackDoor.Fgt.205
Symantec : Trojan.Gen.8!cloud

Data Explore

Paths
/bin/sh
/proc/cpuinfo
/dev/netslink/
/var/
/dev/
/var/run/
/dev/shm/
/mnt/
/usr/
/var/*
/var/log/wtmp
~/.bash_history
/bin/netstat
/sbin/iptables
/proc/net/route
/usr/bin/python
/usr/sbin/dropbear
/bin/sh
/dev/null
/etc/resolv.conf
/etc/config/resolv.conf
/etc/hosts
/etc/config/hosts

URLs
http://89.34.99.24/gtop
http://89.34.99.24
http://wortschatz.uni-leipzig.de/findlinks/
http://code.google.com/appengine
http://www.brandwatch.net
http://www.majestic12.co.uk/bot
http://majestic12.co.uk/bot
http://www.mojeek.com/bot

IPs (v4 and v6)
89.34.99.24
1.8.1.11
1.9.0.6
1.9.2.6
1.9.2.4
1.9.0.8
8.8.8.8

Code Explore

Nucleus
Eh_frame
Number of functions : 0

Sandbox (user)

Standard output : BUILD SERVER:0.0.0.0 BUILD SERVER:0.0.0.0
Standard error :

Sandbox (root)

Standard output : BUILD SERVER:0.0.0.0 BUILD SERVER:0.0.0.0
Standard error :

Behavior

User behavior

Syscalls
Unique :
fcntl
rt_sigaction
connect
getsockname
prctl
close
open
select
access
geteuid
write
setsid
exit
getpid
fork
read
ioctl
nanosleep
execve
wait4
chdir
socket
time
rt_sigprocmask
Unique number : 24
Total number : 369
If uid is checked : True
Number of processes : 3
Trace lines lost : 0
Files being read : /proc/net/route
Max sleep : 5.0
Process renaming : sshd

Ioctls
Total : 3
Success : SIOCGIFHWADDR
Fail : TIOCNXCL

Root behavior

Syscalls
Unique :
fcntl
rt_sigaction
connect
getsockname
prctl
close
open
select
access
geteuid
write
setsid
exit
getpid
fork
read
commit_creds
ioctl
nanosleep
execve
wait4
chdir
socket
time
rt_sigprocmask
Unique number : 25
Total number : 370
Number of processes : 3
Trace lines lost : 0
Files being read : /proc/net/route
Max sleep : 5.0
Process renaming : sshd

Ioctls
Total : 3
Success : SIOCGIFHWADDR
Fail : TIOCNXCL