Sample : 86fbdd7df9486a17e9c408c7e50635e26402fdf297c9e97f1a5256100401dcc5

Summary

OS ABI : UNIX - System V
CPU class : 32 bit
Persistence (user) : No
Persistence (root) : No
CPU byte order : 2's complement MSB
File type : ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
CPU type : MIPS I
Entropy : 7.78332965309
Syscalls executed (root) : 269380
Syscalls executed (user) : 128714
ELF type : Executable file

ELF

Class : 32 bit
Data encoding : 2's complement MSB
Operating system ABI : UNIX - System V
Object file type : Executable file
ELF version : 0.1
Machine : MIPS I
Link : static
Entrypoint : 0x21f6b0
Number of segments : 2
Number of sections : 0
Program header table offset : 52
Section header table offset : 0
Program header table - size of entry : 32
Section header table - size of entry : 40
Program header table - entries : 2
Section header table - entries : 0
Section header table - index sections names : 0
Stripped : True
Sections stripped : True
Anomalies

Segments
High entropy : PT_LOAD at offset 0x0 - 7.779709
Memory size doubles physical size : PT_LOAD at offset 0x5300

Sections
Section header table offset empty : True
Number of section headers empty : True

Debug information : False

Hash

MD5 : 5afdcceb2fc5fc1c15d7fdbef674c6a5
SHA1 : a5a13c53defc2e2e13c4c3aa6087938c08057890
SHA256 : 86fbdd7df9486a17e9c408c7e50635e26402fdf297c9e97f1a5256100401dcc5
SHA512 : 8c8147545180ff3144b3177889cb6826c7175dd1bf31af232a6d277ff73e888ce8a167ed420f444dfb528bb87c94d682a0cf64ef91e7e9e5fb7ab00d3f600e90
ssdeep : 24576:RbgIHyw/tOCGEfeboXH0/1Hk/PPU1RylcjWyNlqoS53Jhr7GP9xyZCLP:FHyJb6U19vNJquP9gZC7

Bytes

Entropy : 7.78332965309
Min entropy (16KB blocks) : 7.2177663796
Max entropy (16KB blocks) : 7.82021488023
Unique bytes (0-255) : 256
Null bytes : 22375
White spaces : 35490
Printable bytes : 435819
First 16B : 7f 45 4c 46 01 02 01 00 00 00 00 00 00 00 00 00
Last 16B : 9b 87 31 18 ae 8f 5b eb 71 b1 df 54 6e 6a 0d 17

Longest same bytes sequence
Byte : 0x0
Offset : 0x65
Length : 11

Three rarest bytes
0xf2 - 1336 times
0xe5 - 1271 times
0xf9 - 840 times

Three most common bytes
0x0 - 22375 times
0xff - 15992 times
0x2 - 13503 times

File type

Mime type : application/x-executable
File type : ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped

VirusTotal

URL : https://www.virustotal.com/#/file/86fbdd7df9486a17e9c408c7e50635e26402fdf297c9e97f1a5256100401dcc5
Positive : 32
Total AVs : 56
Scan date : 2019-02-15 18:29:02
AVClass : pnscan

Detection

Ad-Aware : Linux.Trojan.Agent.A

CAT-QuickHeal : Linux.Trojan.Agent.PR8b0

DrWeb : Linux.PNScan.2

Symantec : Linux.Raubdo

MicroWorld-eScan : Linux.Trojan.Agent.A

Jiangmin : Backdoor.Linux.aob

ZoneAlarm : Backdoor.Linux.Agent.ac

Tencent : Linux.Backdoor.Agent.Taft

Avast : ELF:PNScan-F [Cryp]

GData : Linux.Trojan.Agent.A

BitDefender : Linux.Trojan.Agent.A

AhnLab-V3 : Linux/Pnscan.1215093

NANO-Antivirus : Trojan.PNScan.fdbejx

TrendMicro-HouseCall : ELF_RAUBIDO.A

ESET-NOD32 : a variant of Linux/PNScan.A

AVG : ELF:PNScan-F [Cryp]

Zillya : Downloader.OpenConnection.JS.135745

MAX : malware (ai score=100)

Avira : LINUX/PNScan.9

Emsisoft : Linux.Trojan.Agent.A (B)

ClamAV : Unix.Malware.Agent-1393483

Arcabit : Linux.Trojan.Agent.A

Comodo : Malware@#2i0ca90qajwca

Kaspersky : Backdoor.Linux.Agent.ac

Ikarus : Trojan.Linux.Agent

ALYac : Linux.Trojan.Agent.A

Qihoo-360 : Win32/Backdoor.2cd

F-Secure : Malware.LINUX/PNScan.9

Sophos : Mal/Generic-S

TrendMicro : ELF_RAUBIDO.A

Microsoft : Trojan:Linux/Raubido.A

VBA32 : Linux.PNScan.2

Data Explore


Paths

~/

~/

~/

~/&

~/

~/

~/

URLs

http://upx.sf.net

IPs (v4 and v6)

1::

::

::

8::

20::

Code Explore


Nucleus

Eh_frame

Sandbox (user)


Standard output

Standard error

Sandbox (root)


Standard output

Standard error

Behavior


User behavior

Syscalls


Unique
clock_gettime
shutdown
rt_sigaction
epoll_ctl
mprotect
brk
connect
getsockname
close
getgid
poll
open
select
epoll_create
getegid
rt_sigprocmask
nanosleep
mkdir
send
write
setsid
exit
getpid
getrlimit
munmap
fstat
setrlimit
listen
fork
stat
dup2
read
clone
getppid
rt_sigsuspend
ioctl
readlink
getpeername
unlink
recv
execve
getsockopt
setsockopt
chdir
getuid
socket
bind
alarm
fcntl
gettimeofday
socketpair
mmap2
time
kill
geteuid


Unique number : 55
Total number : 128714

If uid is checked : True
If gid is checked : True
Permission related errors : True

Type of permission related error
EPERM : True

Number of processes : 6
Trace lines lost : 0

Dropped files

Modify
login2
86fbdd7df9486a17e9c408c7e50635e26402fdf297c9e97f1a5256100401dcc5.pid
daemon.log

Files being read
good2
files/srv_report
86fbdd7df9486a17e9c408c7e50635e26402fdf297c9e97f1a5256100401dcc5.pid
srv_cc
/media/truecrypt1/my/framework/../toolchains/cross-compiler-mips/mips-unknown-linux/ssl/openssl.cnf
/etc/resolv.conf
/etc/hosts
/dev/urandom

Max sleep : 5.0

Ioctls
Total : 19
Fail : TIOCNXCL



Root behavior

Syscalls


Unique
clock_gettime
getsockname
rt_sigaction
epoll_ctl
mprotect
brk
connect
shutdown
close
getgid
poll
open
select
epoll_create
getegid
rt_sigprocmask
nanosleep
mkdir
send
write
setsid
exit
getpid
getrlimit
munmap
fstat
setrlimit
listen
fork
stat
dup2
read
commit_creds
clone
getppid
rt_sigsuspend
ioctl
readlink
getpeername
unlink
recv
execve
getsockopt
setsockopt
chdir
getuid
socket
bind
alarm
fcntl
gettimeofday
socketpair
mmap2
time
kill
geteuid


Unique number : 56
Total number : 269380

Number of processes : 6
Trace lines lost : 0

Dropped files

Modify
login2
86fbdd7df9486a17e9c408c7e50635e26402fdf297c9e97f1a5256100401dcc5.pid
daemon.log

Files being read
good2
files/srv_report
86fbdd7df9486a17e9c408c7e50635e26402fdf297c9e97f1a5256100401dcc5.pid
srv_cc
/media/truecrypt1/my/framework/../toolchains/cross-compiler-mips/mips-unknown-linux/ssl/openssl.cnf
/etc/resolv.conf
/etc/hosts
/dev/urandom

Max sleep : 5.0

Ioctls
Total : 19
Fail : TIOCNXCL