Padawan live

Summary

OS ABI: UNIX - System V

CPU class: 32 bit

Persistence (user): Yes

Persistence (root): Yes

CPU byte order: 2's complement LSB

File type: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped

CPU type: Intel 80386

Entropy: 6.41429545577

Syscalls executed (root): 7036

Syscalls executed (user): 3127

ELF type: Executable file

ELF

Class: 32 bit

Data encoding: 2's complement LSB

Operating system ABI: UNIX - System V

Object file type: Executable file

ELF version: 0.1

Machine: Intel 80386

Link: static

Entrypoint: 0x8048120

Number of segments: 5

Number of sections: 28

Program header table offset: 52

Section header table offset: 965476

Program header table - size of entry: 32

Section header table - size of entry: 40

Program header table - entries: 5

Section header table - entries: 28

Section header table - index sections names: 25

Stripped: False

Sections stripped: False

PT_LOAD at offset 0xe9000
PT_TLS at offset 0xe9000

__libc_thread_subfreeres
__libc_freeres_fn
__libc_subfreeres
.tbss
.tdata
__libc_freeres_ptrs
section without a name
__libc_atexit
__libc_thread_freeres_fn

__libc_freeres_fn - 6.418420

Debug information: False

GCC: (GNU) 4.0.0 20050525 (Red Hat 4.0.0-9)
GCC: (GNU) 4.0.0 20050519 (Red Hat 4.0.0-8)

GNU :

Hash

MD5: 0ab3b36702c467ea381e877dfed33f92

SHA1: 905b0fea1e6ed1c492438ff322dfcab23532d65f

SHA256: ad72efedf8c2b6cd88133fea72d1bc8b7c16a6cc592e0f7ec5371a14c33d6115

SHA512: 30da79fb7a663c51462b24157c1c9e0aedcc0f1c1605ff015072f2d51965ede6421486b705ffaccddc3461aa135e43a08fa005c3d19500ab09d88668bd82fd36

ssdeep: 24576:e845rUHu6gVJKG75oFpA0VWLX4G2y1q2rJp0:7451RVJKGtSA0VWLoVu9p0

Bytes

Entropy: 6.41429545577

Min entropy (16KB blocks): 1.31774242922

Max entropy (16KB blocks): 6.62059556985

Unique bytes (0-255): 256

Null bytes: 201912

White spaces: 30534

Printable bytes: 381205

First 16B: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00

Last 16B: 67 65 74 5f 61 6c 6c 6f 63 61 74 6f 72 45 76 00

Byte: 0x0

Offset: 0xb7ab3

Length: 4686

0xaf - 401 times
0xdd - 379 times
0xa7 - 345 times

0x0 - 201912 times
0xff - 69664 times
0x8 - 38392 times

File type

Mime type: application/x-executable

File type: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped

VirusTotal

URL: https://www.virustotal.com/#/file/ad72efedf8c2b6cd88133fea72d1bc8b7c16a6cc592e0f7ec5371a14c33d6115

Positive: 37

Total AVs: 59

Scan date: 2018-05-18 06:49:02

AVClass: setag

ClamAV: Unix.Trojan.Agent-37008

McAfee: Linux/Gates

AegisLab: Backdoor.Linux.Ganiw!c

Rising: Backdoor.Linux.Flood.a (CLASSIC)

Symantec: Linux.Chikdos.B

Arcabit: Trojan.Linux.Billgates.G

Microsoft: Backdoor:Linux/Setag!rfn

Fortinet: ELF/Ganiw.A!tr

TrendMicro-HouseCall: ELF_SETAG.SM

Antiy-AVL: Trojan[Backdoor]/Linux.Ganiw.a

Qihoo-360: virus.elf.ddos.f

Emsisoft: Trojan.Linux.Billgates.G (B)

Sophos: Linux/DDoS-BD

Ad-Aware: Trojan.Linux.Billgates.G

Cyren: ELF/Trojan.TKZK-1

Comodo: UnclassifiedMalware

Avast: ELF:Elknot-AE [Trj]

Kaspersky: HEUR:Backdoor.Linux.Ganiw.d

NANO-Antivirus: Trojan.Elf32.Ganiw.ditcrf

AVG: ELF:Elknot-AE [Trj]

Jiangmin: Backdoor/Linux.io

BitDefender: Trojan.Linux.Billgates.G

MAX: malware (ai score=98)

ESET-NOD32: Linux/Setag.B.Gen

CAT-QuickHeal: Backdoor.Linux.Setag.E

TrendMicro: ELF_SETAG.SM

F-Secure: Trojan.Linux.Billgates.G

Ikarus: Trojan.Linux.Setag

McAfee-GW-Edition: Linux/Gates

Avira: LINUX/Setag.ztrec

Tencent: Trojan.Linux.Ganiw.a

AhnLab-V3: Linux/Backdoor.1223123.B

ZoneAlarm: HEUR:Backdoor.Linux.Ganiw.d

ALYac: Trojan.Linux.Billgates.G

MicroWorld-eScan: Trojan.Linux.Billgates.G

Zillya: Trojan.Agent.Linux.12

GData: Linux.Trojan.Siggen.D

Data Explore

/etc/resolv.conf
/home/ll2
/usr/lib/libamplify.so
/usr/lib/libamplify.so
/proc/meminfo
/proc/stat
/proc/net/dev
/proc/cpuinfo
/proc/net/arp
/proc/net/route
/bin/netstat
/bin/lsof
/bin/ps
/bin/ss
/usr/bin/netstat
/usr/bin/lsof
/usr/bin/ps
/usr/bin/ss
/usr/sbin/netstat
/usr/sbin/lsof
/usr/sbin/ps
/usr/sbin/ss
/usr/bin/
/proc/net/pktgen/eth%d
/proc/net/pktgen/kpktgend_%d
/proc/net/pktgen/pgctrl
/dev/ptmx
/bin/sh
/dev/null
/proc/%d/exe
/etc/init.d/
/bin/bash %s
/etc/rc%d.d/S%d%s
/etc/init.d/%s
/proc/sys/kernel/version
/proc/sys/kernel/osrelease
/dev/null
/bin/sh
/dev/tty
/proc/self/maps
/usr/libexec/getconf
/proc/sys/kernel/ngroups_max
/proc/sys/kernel/rtsig-max
/dev/log
/dev/console
/etc/mtab
/etc/fstab
/usr/libexec/pt_chown
/dev/pts/
/var/tmp
/var/profile
/etc/suid-debug
/usr/lib/gconv
/usr/lib/gconv/gconv-modules.cache
/usr/lib/locale
/usr/lib/locale/locale-archive
/usr/share/locale
/usr/share/locale
/etc/localtime
/usr/share/zoneinfo
/etc/resolv.conf
/etc/nsswitch.conf
/var/run/nscd/socket
/dev/ptmx
/dev/pts
/dev/
/lib/
/usr/lib/
/lib/obsolete/linuxthreads/
/etc/ld.so.cache
/proc/self/exe

http://www.gnu.org/software/libc/bugs

127.0.0.1
::
::
::
8.8.8.8
8.8.4.4
::
::
8.8.8.8
::
127.0.0.1
::
::
61.132.163.68
202.102.192.68
202.102.213.68
202.102.200.101
58.242.2.2
202.38.64.1
211.91.88.129
211.138.180.2
218.104.78.2
202.102.199.68
202.175.3.3
202.175.3.8
202.112.144.30
61.233.9.9
61.233.9.61
124.207.160.110
202.97.7.6
202.97.7.17
202.106.0.20
202.106.46.151
202.106.195.68
202.106.196.115
202.106.196.212
202.106.196.228
202.106.196.230
202.106.196.232
202.106.196.237
202.112.112.10
211.136.17.107
211.136.28.231
211.136.28.234
211.136.28.237
211.147.6.3
219.141.136.10
219.141.140.10
219.141.148.37
219.141.148.39
219.239.26.42
221.130.32.100
221.130.32.103
221.130.32.106
221.130.32.109
221.130.33.52
221.130.33.60
221.176.3.70
221.176.3.73
221.176.3.76
221.176.3.79
221.176.3.83
221.176.3.85
221.176.4.6
221.176.4.9
221.176.4.12
221.176.4.15
221.176.4.18
221.176.4.21
58.22.96.66
218.104.128.106
202.101.98.55
211.138.145.194
211.138.151.161
211.138.156.66
218.85.152.99
218.85.157.99
222.47.29.93
202.101.107.85
119.233.255.228
222.47.62.142
122.72.33.240
211.98.121.27
218.203.160.194
221.7.34.10
61.235.70.98
113.111.211.22
202.96.128.68
202.96.128.86
202.96.128.166
210.21.3.140
210.21.4.130
211.95.193.97
211.98.2.4
211.98.4.1
211.162.61.225
211.162.61.235
211.162.61.255
211.162.62.1
211.162.62.60
221.4.66.66
202.103.176.22
202.96.144.47
210.38.192.33
202.96.134.33
202.96.134.133
202.96.154.15
210.21.196.6
221.5.88.88
202.103.243.112
202.193.64.33
61.235.164.13
61.235.164.18
202.103.225.68
221.7.136.68
202.103.224.68
211.97.64.129
211.138.240.100
211.138.242.18
211.138.245.180
221.7.128.68
222.52.118.162
202.98.192.67
202.98.198.167
211.92.136.81
211.139.1.3
211.139.2.18
202.100.192.68
211.97.96.65
211.138.164.6
221.11.132.2
202.100.199.8
202.99.160.68
202.99.166.4
202.99.168.8
222.222.222.222
202.102.224.68
202.102.227.68
222.85.85.85
222.88.88.88
210.42.241.1
202.196.64.1
112.100.100.100
202.97.224.68
219.235.127.1
61.236.93.33
211.93.24.129
211.137.241.34
219.147.198.230
202.103.0.68
202.103.0.117
202.103.24.68
202.103.44.150
202.114.0.242
202.114.240.6
211.161.158.11
211.161.159.3
218.104.111.114
218.104.111.122
218.106.127.114
218.106.127.122
221.232.129.30
59.51.78.210
61.234.254.5
202.103.96.112
219.72.225.253
222.243.129.81
222.246.129.80
211.142.210.98
211.142.210.100
220.168.208.3
220.168.208.6
220.170.64.68
218.76.192.100
61.187.98.3
61.187.98.6
202.98.0.68
211.93.64.129
211.141.16.99
202.98.5.68
219.149.194.55
211.138.200.69
202.102.3.141
202.102.3.144
58.240.57.33
112.4.0.55
114.114.114.114
114.114.115.115
202.102.24.34
218.2.135.1
221.6.4.66
221.131.143.69
202.102.8.141
222.45.0.110
61.177.7.1
218.104.32.106
211.103.13.101
221.228.255.1
61.147.37.1
222.45.1.40
58.241.208.46
202.102.9.141
202.102.7.90
202.101.224.68
202.101.226.68
211.141.90.68
211.137.32.178
202.96.69.38
211.140.197.58
219.149.6.99
202.96.86.18
101.47.189.10
101.47.189.18
118.29.249.50
118.29.249.54
202.96.64.68
202.96.75.68
202.118.1.29
202.118.1.53
219.148.204.66
202.99.224.8
202.99.224.67
211.90.72.65
211.138.91.1
218.203.101.3
202.100.96.68
211.93.0.81
222.75.152.129
211.138.75.123
202.102.154.3
202.102.152.3
219.146.1.66
219.147.1.66
202.102.128.68
202.102.134.68
211.138.106.19
211.90.80.65
202.99.192.66
202.99.192.68
61.134.1.4
202.117.96.5
202.117.96.10
218.30.19.40
218.30.19.50
116.228.111.118
180.168.255.18
202.96.209.5
202.96.209.133
202.101.6.2
211.95.1.97
211.95.72.1
211.136.112.50
211.136.150.66
119.6.6.6
124.161.97.234
124.161.97.238
124.161.97.242
61.139.2.69
202.98.96.68
202.115.32.36
202.115.32.39
218.6.200.139
218.89.0.124
61.139.54.66
61.139.39.73
139.175.10.20
139.175.55.244
139.175.150.20
139.175.252.16
168.95.1.1
210.200.211.193
210.200.211.225
211.78.130.1
61.31.1.1
61.31.233.1
168.95.192.1
168.95.192.174
61.60.224.3
61.60.224.5
202.113.16.10
202.113.16.11
202.99.96.68
202.99.104.68
211.137.160.5
211.137.160.185
219.150.32.132
202.98.224.68
211.139.73.34
61.10.0.130
61.10.1.130
202.14.67.4
202.14.67.14
202.45.84.58
202.45.84.67
202.60.252.8
202.85.128.32
203.80.96.9
203.142.100.18
203.142.100.21
203.186.94.20
203.186.94.241
221.7.1.20
61.128.114.133
61.128.114.166
218.202.152.130
61.166.150.123
202.203.128.33
211.98.72.7
211.139.29.68
211.139.29.150
211.139.29.170
221.3.131.11
222.172.200.68
61.166.150.101
61.166.150.139
202.203.144.33
202.203.160.33
202.203.192.33
202.203.208.33
202.203.224.33
211.92.144.161
222.221.5.240
61.166.25.129
202.96.103.36
221.12.1.227
221.130.252.200
222.46.120.5
202.96.96.68
218.108.248.219
218.108.248.245
61.130.254.34
60.191.244.5
202.96.104.15
202.96.104.26
221.12.33.227
202.96.107.27
61.128.128.68
61.128.192.68
218.201.17.2
221.5.203.86
221.5.203.90
221.5.203.98
221.7.92.86
221.7.92.98
::
::
::
::
1.0.0.0
1.0.0.1
255.0.0.0
254.255.255.254
127.0.0.1
127.0.0.1
::
::
::
10.0.0.0
10.255.255.255
127.0.0.0
127.255.255.255
172.16.0.0
172.31.255.255
192.168.0.0
192.168.255.255
255.0.0.0
254.255.255.254
::
::
::a
::c
::c
::
::ba
::
::a
::
::
::
::e
::a
::
::
d::
d::
d::
d::
d::
d::
d::
d::
d::
d::

Code Explore

Number of functions: 3661

Total size functions [B]: 2605985

Average size a function [B]: 711.82327233

Percentage of covered .text section: 349.965755264

Percentage of covered LOAD segment: 271.682323763

Number of functions: 1729

Total size functions [B]: 373146

Average size a function [B]: 215.816078658

Percentage of covered .text section: 50.1109260851

Percentage of covered LOAD segment: 38.9016714919

Sandbox (user)

Standard output:

Standard error:

Sandbox (root)

Standard output:

Standard error:

Behavior

lseek
getegid
sysctl
rt_sigaction
mprotect
geteuid
uname
brk
connect
getsockname
close
flock
open
getgid
write
exit_group
recv
rt_sigprocmask
send
access
setsid
exit
getpid
getrlimit
set_tid_address
fstat
fcntl
stat
dup2
read
clone
getppid
set_thread_area
readlink
waitpid
unlink
sigreturn
execve
socket
wait4
setsockopt
getuid
getdents
munmap
gettimeofday
futex
mmap2
time
ftruncate
recvfrom
nanosleep

Unique number: 51

Total number: 3127

strchr
memcmp
strcmp
strtok

Unique number: 4

Total number: 27

If uid is checked: True

If gid is checked: True

Number of processes: 8

Trace lines lost: 0

/etc/init.d/DbSecuritySpt

/tmp/moni.lod
/dev/null
/tmp/gates.lod
/tmp/bill.lock
/tmp/conf.n

/proc/net/arp
/etc/ld.so.cache
/tmp/conf.n
/proc/cpuinfo
/tmp/cmd.n
/proc/net/dev
/tmp/
/proc/net/route
/etc/resolv.conf
/proc/stat
/proc/meminfo
/usr/lib/libamplify.so
/opt/lib/libc.so.6
/tmp/gates.lod
/lib/modules/4.4.0-77-generic/modules.softdep
/proc/cmdline

Max sleep: 120.0

insmod /tmp/xpacket.ko

"insmod", "until"
"insmod", "continue"
"insmod", "insmod"
"insmod", "jobs"
"lsmod", "insmod"
"rmmod", "insmod"
"sctp", "pre:", 4
"insmod", "export"
"insmod", "for"
"pre: crc32c", "pre:", 4
"insmod", "then"
"insmod", "in"
"insmod", "hash"
"pre: sctp", "pre:", 4
"insmod", "getopts"

lseek
getegid
sysctl
getsockname
rt_sigaction
mkdir
mprotect
geteuid
uname
brk
connect
llseek
close
flock
open
getgid
write
exit_group
recv
rt_sigprocmask
umask
send
access
setsid
exit
getpid
getrlimit
set_tid_address
fstat
fcntl
stat
dup2
read
commit_creds
clone
getppid
statfs64
symlink
fadvise64
set_robust_list
set_thread_area
readlink
waitpid
unlink
sigreturn
execve
socket
wait4
setsockopt
chdir
getuid
getdents
munmap
gettimeofday
futex
mmap2
time
ftruncate
recvfrom
nanosleep

Unique number: 60

Total number: 7036

strchr
strtok
strcmp
memchr
memcmp

Unique number: 5

Total number: 2470

Number of processes: 38

Trace lines lost: 0

/etc/init.d/DbSecuritySpt

/etc/rc5.d/S97DbSecuritySpt
/etc/rc2.d/S97DbSecuritySpt
/etc/rc3.d/S97DbSecuritySpt
/etc/rc1.d/S97DbSecuritySpt
/etc/rc4.d/S97DbSecuritySpt

/etc/init.d/DbSecuritySpt

/usr/bin/.sshd
/usr/bin/bsd-port/getty

/tmp/moni.lod
/tmp/conf.n
/dev/null
/tmp/notify.file
/usr/bin/bsd-port/udevd.lock
/tmp/gates.lod
/tmp/bill.lock
/usr/bin/bsd-port/getty.lock

/lib/i386-linux-gnu/libpcre.so.3
/opt/lib/libpthread.so.0
/opt/lib/locale/en_US.utf8/LC_IDENTIFICATION
/tmp/
/proc/filesystems
/opt/lib/locale/locale-archive
/usr/lib/libamplify.so
/lib/i386-linux-gnu/libselinux.so.1
/tmp/gates.lod
/opt/lib/libdl.so.2
/proc/cmdline
/opt/lib/libc.so.6
/opt/lib/locale/en.UTF-8/LC_IDENTIFICATION
/opt/lib/locale/en_US/LC_IDENTIFICATION
/lib/i386-linux-gnu/libacl.so.1
/proc/stat
/proc/meminfo
/tmp/moni.lod
/lib/modules/4.4.0-77-generic/modules.softdep
/proc/net/arp
/etc/ld.so.cache
/proc/cpuinfo
/opt/share/locale/locale.alias
/lib/i386-linux-gnu/libattr.so.1
/etc/resolv.conf
/proc/net/route
/tmp/conf.n
/opt/lib/locale/en/LC_IDENTIFICATION
/opt/lib/locale/en_US.UTF-8/LC_IDENTIFICATION
/tmp/ad72efedf8c2b6cd88133fea72d1bc8b7c16a6cc592e0f7ec5371a14c33d6115
/opt/lib/locale/en.utf8/LC_IDENTIFICATION
/tmp/cmd.n
/proc/net/dev

Max sleep: 120.0

/tmp/notify.file

"/usr/bin/bsd-port/getty", "elif"
"", "C"
"en_US.UTF-8", b7660624
"cp", "jobs"
"/opt/lib/locale/en.UTF-8/LC_IDENTIFICATION", "/opt/lib/locale/en.UTF-8.utf8/LC_IDENTIFICATION"
"/opt/lib/locale/en.UTF-8/LC_IDENTIFICATION", "/opt/lib/locale/en.UTF-8/LC_IDENTIFICATION"
"insmod", "for"
"insmod", "then"
"/opt/lib/locale/en/LC_IDENTIFICATION", "/opt/lib/locale/en/LC_IDENTIFICATION"
"/opt/lib/locale/en_US/LC_IDENTIFICATION", "/opt/lib/locale/en.UTF-8.utf8/LC_IDENTIFICATION"
"mkdir", "local"
"/opt/lib/locale/en_US/LC_IDENTIFICATION", "/opt/lib/locale/en.utf8/LC_IDENTIFICATION"
"lsmod", "insmod"
"/opt/lib/locale/en_US.UTF-8.utf8/LC_IDENTIFICATION", "/opt/lib/locale/en.UTF-8.utf8/LC_IDENTIFICATI...
"UTF-8", "utf8"
"selinuxfs", "inuxfs", 6
"pre: crc32c", "pre:", 4
"mkdir", "for"
"/usr/bin/bsd-port/getty", "!"
"mkdir", "printf"
"ln", "kill"
"mkdir", "until"
"insmod", "export"
"en_US.UTF-8", "C"
"/opt/lib/locale/en_US/LC_IDENTIFICATION", "/opt/lib/locale/en_US.utf8/LC_IDENTIFICATION"
"insmod", "getopts"
"/usr/bin/.sshd", "!"
"ln", "then"
"cp", "for"
"/opt/lib/locale/en/LC_IDENTIFICATION", "/opt/lib/locale/en.utf8/LC_IDENTIFICATION"
"/opt/lib/locale/en_US.UTF-8/LC_IDENTIFICATION", "/opt/lib/locale/en.UTF-8.utf8/LC_IDENTIFICATION"
"/usr/bin/.sshd", "case"
"SMP", "P", 1
"", b7710a7b
"/usr/bin/bsd-port/getty", "case"
"/opt/lib/locale/en/LC_IDENTIFICATION", "/opt/lib/locale/en.UTF-8.utf8/LC_IDENTIFICATION"
"/opt/lib/locale/en_US.UTF-8/LC_IDENTIFICATION", "/opt/lib/locale/en/LC_IDENTIFICATION"
"en_US.UTF-8", "POSIX"
"/opt/lib/locale/en_US.UTF-8.utf8/LC_IDENTIFICATION", "/opt/lib/locale/en.utf8/LC_IDENTIFICATION"
"/opt/lib/locale/en_US.UTF-8.utf8/LC_IDENTIFICATION", "/opt/lib/locale/en.UTF-8/LC_IDENTIFICATION"
"en_US.UTF-8", b76c0624
"mkdir", "read"
"ln", "printf"
"/opt/lib/locale/en_US.UTF-8.utf8/LC_IDENTIFICATION", "/opt/lib/locale/en/LC_IDENTIFICATION"
"mkdir", "jobs"
"cp", "case"
"/usr/share/locale", "/opt/share/locale"
"cp", "continue"
"/opt/lib/locale/en_US/LC_IDENTIFICATION", "/opt/lib/locale/en_US/LC_IDENTIFICATION"
"ln", "jobs"
"pre: sctp", "pre:", 4
"insmod", "continue"
"/opt/lib/locale/en_US/LC_IDENTIFICATION", "/opt/lib/locale/en.UTF-8/LC_IDENTIFICATION"
"/opt/lib/locale/en_US.utf8/LC_IDENTIFICATION", "/opt/lib/locale/en.utf8/LC_IDENTIFICATION"
"/opt/lib/locale/en_US.utf8/LC_IDENTIFICATION", "/opt/lib/locale/en/LC_IDENTIFICATION"
"insmod", "in"
"cp", "export"
"/usr/bin/.sshd", "elif"
"/opt/lib/locale/en.utf8/LC_IDENTIFICATION", "/opt/lib/locale/en.UTF-8.utf8/LC_IDENTIFICATION"
"/opt/lib/locale/en_US/LC_IDENTIFICATION", "/opt/lib/locale/en/LC_IDENTIFICATION"
"cp", "do"
"/usr/bin/bsd-port/getty", "do"
"/usr/bin/bsd-port/getty", "for"
"cp", "exec"
"insmod", "jobs"
"ln", "local"
"mkdir", "then"
"/opt/lib/locale/en_US.UTF-8/LC_IDENTIFICATION", "/opt/lib/locale/en_US.utf8/LC_IDENTIFICATION"
"/opt/lib/locale/en.utf8/LC_IDENTIFICATION", "/opt/lib/locale/en.utf8/LC_IDENTIFICATION"
"/opt/lib/locale/en.UTF-8/LC_IDENTIFICATION", "/opt/lib/locale/en.utf8/LC_IDENTIFICATION"
"/opt/lib/locale/en_US.UTF-8/LC_IDENTIFICATION", "/opt/lib/locale/en.UTF-8/LC_IDENTIFICATION"
"coreutils", "messages"
"/usr/bin/.sshd", "do"
"ln", "for"
"/opt/lib/locale/en_US.UTF-8/LC_IDENTIFICATION", "/opt/lib/locale/en_US/LC_IDENTIFICATION"
"/usr/bin/.sshd", "for"
"cp", "eval"
"/opt/lib/locale/en/LC_IDENTIFICATION", "/opt/lib/locale/en.UTF-8/LC_IDENTIFICATION"
"/opt/lib/locale/en_US.UTF-8/LC_IDENTIFICATION", "/opt/lib/locale/en.utf8/LC_IDENTIFICATION"
"ln", "read"
"mkdir", "test"
"rmmod", "insmod"
"ln", "until"
"/opt/lib/locale/en.utf8/LC_IDENTIFICATION", "/opt/lib/locale/en.UTF-8/LC_IDENTIFICATION"
"/opt/lib/locale/en_US.utf8/LC_IDENTIFICATION", "/opt/lib/locale/en.UTF-8/LC_IDENTIFICATION"
"/opt/lib/locale/en_US.UTF-8.utf8/LC_IDENTIFICATION", "/opt/lib/locale/en_US.UTF-8/LC_IDENTIFICATION...
"ln", "in"
"insmod", "until"
"ln", "test"
"insmod", "insmod"
"sctp", "pre:", 4
"cp", "elif"
"/opt/lib/locale/en_US.utf8/LC_IDENTIFICATION", "/opt/lib/locale/en.UTF-8.utf8/LC_IDENTIFICATION"
"insmod", "hash"
"cp", "echo"
"mkdir", "in"

ad72efedf8c2b6cd88133fea72d1bc8b7c16a6cc592e0f7ec5371a14c33d6115

Summary

ELF

Anomalies

Segments

Memory size doubles physical size

Sections

Uncommon sections

High entropy

Comment

Note

Hash

Bytes

Longest same bytes sequence

Three rarest bytes

Three most common bytes

File type

VirusTotal

Detection

Data Explore

Paths

URLs

IPs (v4 and v6)

Code Explore

Nucleus

Eh_frame

Sandbox (user)

Sandbox (root)

Behavior

User behavior

Syscalls

Unique

Instrumented libc calls

Unique

Type of permission related error

Persistence

Modify

Dropped files

Modify

Files being read

System cmds

String or memory comparison

Root behavior

Syscalls

Unique

Instrumented libc calls

Unique

Persistence

Modify

Link

Link from

Dropped files

Create

Modify

Files being read

Unlink files

String or memory comparison