Sample : ba8485d90477ed818860db6e720818c5a1877c8914a112b956a12eb462c45c3e

Summary


OS ABI

UNIX - System V
CPU class

32 bit
Persistence (user)

No
Persistence (root)

No
CPU byte order

2's complement LSB
File type

ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, corrupted section header size
CPU type

Intel 80386
Entropy

4.72237878504
Syscalls executed (root)

9
Syscalls executed (user)

11
ELF type

Executable file

ELF


Class

32 bit
Data encoding

2's complement LSB
Operating system ABI

UNIX - System V
Object file type

Executable file
ELF version

0.1
Machine

Intel 80386
Link

static
Entrypoint

0x8048054
Number of segments

1
Number of sections

0
Program header table offset

52
Section header table offset

0
Program header table - size of entry

32
Section header table - size of entry

0
Program header table - entries

1
Section header table - entries

0
Section header table - index sections names

0
Stripped

True
Sections stripped

True
Anomalies


Entrypoint
Permission : W^X (the entry point lies in a segment that is both writable and executable)


Segments
W^X permission : PT_LOAD at offset 0x0


Sections
Null section headers : True
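
The two structural anomalies above (a single RWX PT_LOAD segment that also holds the entry point, and a section header table whose offset, entry size and count are all zero) can be checked from the ELF header and program header table alone. The following Python is an added example, not the analysis service's code: it parses the ELF32 header and program headers and reproduces the three findings. Its input is constructed, with header values matching this report (entry 0x8048054, one 32-byte program header at offset 52, no section headers) around a placeholder exit(1) stub, because the sample's real code body is not on this page.

```python
"""Added example: parse an ELF32 header and its program headers and flag the
structural anomalies listed in this report (entry point in a writable and
executable PT_LOAD segment, W^X violation on a segment, absent section
header table). Not the analysis service's own code."""
import struct

ET_EXEC, EM_386, EV_CURRENT = 2, 3, 1
PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4
EHDR_FMT, PHDR_FMT = "<HHIIIIIHHHHHH", "<IIIIIIII"   # Elf32_Ehdr after e_ident, Elf32_Phdr


def parse_elf32(data: bytes) -> dict:
    """Return header fields and the program header table of a 32-bit LSB ELF."""
    if data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:
        raise ValueError("not a 32-bit little-endian ELF")
    (e_type, e_machine, _ver, e_entry, e_phoff, e_shoff, _flags, _ehsize,
     e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx) = \
        struct.unpack_from(EHDR_FMT, data, 16)
    segments = []
    for i in range(e_phnum):
        p_type, p_off, p_vaddr, _paddr, p_filesz, p_memsz, p_flags, _align = \
            struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        segments.append({"type": p_type, "offset": p_off, "vaddr": p_vaddr,
                         "filesz": p_filesz, "memsz": p_memsz, "flags": p_flags})
    return {"type": e_type, "machine": e_machine, "entry": e_entry,
            "phoff": e_phoff, "phnum": e_phnum, "shoff": e_shoff,
            "shentsize": e_shentsize, "shnum": e_shnum, "shstrndx": e_shstrndx,
            "segments": segments}


def find_anomalies(info: dict) -> list:
    """Mirror the report's checks: W^X segments, entry-point permissions,
    and a null section header table (e_shoff == 0 or e_shnum == 0)."""
    found, entry_seg = [], None
    for seg in info["segments"]:
        if seg["type"] != PT_LOAD:
            continue
        if seg["flags"] & PF_W and seg["flags"] & PF_X:
            found.append("W^X permission : PT_LOAD at offset 0x%x" % seg["offset"])
        if seg["vaddr"] <= info["entry"] < seg["vaddr"] + seg["memsz"]:
            entry_seg = seg
    if entry_seg is None:
        found.append("Entrypoint : not inside any PT_LOAD segment")
    elif entry_seg["flags"] & PF_W and entry_seg["flags"] & PF_X:
        found.append("Entrypoint : permission W^X")
    if info["shoff"] == 0 or info["shnum"] == 0:
        found.append("Null section headers : True")
    return found


def build_sample(flags: int = PF_R | PF_W | PF_X) -> bytes:
    """Constructed test input: header values as this report lists them
    (entry 0x8048054, one 32-byte program header at offset 52, no section
    headers) around a placeholder exit(1) stub, NOT the sample's real code."""
    code = bytes.fromhex("b801000000" "bb01000000" "cd80")  # mov eax,1; mov ebx,1; int 0x80
    base, size = 0x08048000, 52 + 32 + len(code)
    e_ident = b"\x7fELF\x01\x01\x01" + b"\x00" * 9           # class 32, LSB, version 1, SysV
    ehdr = e_ident + struct.pack(EHDR_FMT, ET_EXEC, EM_386, EV_CURRENT,
                                 base + 52 + 32, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack(PHDR_FMT, PT_LOAD, 0, base, base, size, size, flags, 0x1000)
    return ehdr + phdr + code


if __name__ == "__main__":
    for name, blob in (("as reported (RWX)", build_sample()),
                       ("hardened (R-X)", build_sample(PF_R | PF_X))):
        print(name, find_anomalies(parse_elf32(blob)))
```

Running the script prints all three findings for the RWX layout and only the null-section-header finding for the R-X variant, which is the usual signature of a hand-assembled or shellcode-wrapped binary rather than a compiler-produced one: a compiler and linker emit separate R-X and RW segments and a section header table.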


Debug information

False

Hash


MD5

6c33c2720e2088d3ec4d38cad8ba3832
SHA1

3f57c0fbe6d82f47608533eff770c54feecd70a0
SHA256

ba8485d90477ed818860db6e720818c5a1877c8914a112b956a12eb462c45c3e
SHA512

00fbd0339574e242431fe85d2ca4a2841b8d9efb58870e819b28d4d0e583421097f666e5306ca2442a213133481cc573ad54af253aa1ee18f93cee0c7efcde64
ssdeep

3:Bkkk/tMlwXll/O/slrCs4X1lFrSwfPazNnlSIM8IPNioOHyUvwGcV5QfE2:Btk/tMl//E2s4mwIKQXSEwhV5QfE2

Bytes


Entropy

4.72237878504
Min entropy (16KB blocks)

-1.0
Max entropy (16KB blocks)

-1.0
(-1.0 is not a valid Shannon entropy; it is reported because the whole file is smaller than one 16KB block, so no per-block value exists. The file is a 52-byte ELF header, one 32-byte program header and a short code stub.)
Unique bytes (0-255)

68
Null bytes

68
White spaces

5
Printable bytes

42
First 16B

7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
(ELF magic, then EI_CLASS=1 (32-bit), EI_DATA=1 (little-endian), EI_VERSION=1, EI_OSABI=0 (System V) and padding)
Last 16B

78 02 ff e1 b8 01 00 00 00 bb 01 00 00 00 cd 80
(decodes as i386 `js +2; jmp ecx; mov eax,1; mov ebx,1; int 0x80`: the tail is a sys_exit(1) fall-through)
Longest same bytes sequence

Byte : 0x0

Offset : 0x1f

Length : 10

Three rarest bytes

0xfc - 0 times

0xfd - 0 times

0xfe - 0 times

Three most common bytes

0x0 - 68 times

0x1 - 9 times

0x80 - 9 times

File type


Mime type

application/x-executable
File type

ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, corrupted section header size

VirusTotal


URL

https://www.virustotal.com/#/file/ba8485d90477ed818860db6e720818c5a1877c8914a112b956a12eb462c45c3e
Positive

11
Total AVs

59
Scan date

2019-03-14 07:16:34
Detection

Avast : ELF:Agent-JV [Trj]

Tencent : Trojan.Linux.ShellConn.a

DrWeb : Linux.BackConn.19

SentinelOne : DFI - Suspicious ELF

TrendMicro-HouseCall : Possible_SHELLSHOCK.SMLB7

ESET-NOD32 : Linux/Shellcode.ConnectBack.F

McAfee : Linux/GenericAA-HT

AVG : ELF:Agent-JV [Trj]

Kaspersky : HEUR:Backdoor.Linux.Agent.ar

TrendMicro : Possible_SHELLSHOCK.SMLB7

ZoneAlarm : HEUR:Backdoor.Linux.Agent.ar

Code Explore


Nucleus

Number of functions : 0

Eh_frame

Sandbox (user)


Standard output

Standard error

Sandbox (root)


Standard output

Standard error

Behavior


User behavior

Syscalls


Unique
nanosleep
socket
execve
connect


Unique number
4

Total number
11

Instrumented libc calls


Unique
strchr


Unique number
1

Total number
1

Number of processes

1

Trace lines lost

0

Max sleep

5.0



Root behavior

Syscalls


Unique
commit_creds
nanosleep
socket
execve
connect


Unique number
5

Total number
9

Instrumented libc calls


Unique
strchr


Unique number
1

Total number
1

Number of processes

1

Trace lines lost

0

Max sleep

5.0
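
Both runs show the same four-call pattern: socket(), connect(), nanosleep() (max 5.0 s) and execve(), with more total calls than unique calls, which is the shape of a connect-back shell that retries its connection until the listener answers (consistent with the Linux/Shellcode.ConnectBack and Linux.BackConn labels above). The Python below is an added example, not part of this report's tooling: it runs that detection logic over a constructed strace-style trace. The 192.0.2.10:4444 target, the refused-then-accepted connects and the /bin/sh path are invented for the example; the report does not give the sample's callback address.

```python
"""Added example: detect the connect-back shell pattern this report's behaviour
section shows (socket -> connect, retried with nanosleep, then execve) in an
strace-style syscall log. Not the analysis service's own tooling."""
import re

# strace line shape: name(args) = ret [ERRNO (text)]; an optional "[pid N]" prefix is skipped
LINE_RE = re.compile(r'^(?:\[pid\s+\d+\]\s+)?(?P<name>\w+)\((?P<args>.*)\)\s*=\s*'
                     r'(?P<ret>-?\d+)(?P<err>.*)$')
ADDR_RE = re.compile(r'sin_port=htons\((\d+)\).*?sin_addr=inet_addr\("([\d.]+)"\)')
SLEEP_RE = re.compile(r'tv_sec=(\d+),\s*tv_nsec=(\d+)')
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh"}

# Constructed trace (not captured from the sample): two refused connects with a
# 5 s nanosleep between attempts, then a successful connect and execve of /bin/sh.
# 192.0.2.10:4444 is an RFC 5737 documentation address chosen for the example.
SAMPLE_TRACE = """\
execve("./sample", ["./sample"], 0x0 /* 0 vars */) = 0
socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("192.0.2.10")}, 16) = -1 ECONNREFUSED (Connection refused)
nanosleep({tv_sec=5, tv_nsec=0}, NULL) = 0
socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("192.0.2.10")}, 16) = -1 ECONNREFUSED (Connection refused)
nanosleep({tv_sec=5, tv_nsec=0}, NULL) = 0
socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 5
connect(5, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
execve("/bin/sh", ["/bin/sh"], NULL) = 0
""".splitlines()


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None            # unfinished/resumed lines, signals etc. are ignored
    return {"name": m["name"], "args": m["args"], "ret": int(m["ret"]),
            "err": m["err"].strip()}


def analyse_trace(lines) -> dict:
    """Walk the trace once, tracking which descriptors are connected sockets."""
    sockets, connected = set(), {}        # fd -> (ip, port) once connect() succeeded
    failed, sleeps, verdict = 0, [], None
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        name, args, ret = ev["name"], ev["args"], ev["ret"]
        if name == "socket" and ret >= 0:
            sockets.add(ret)
        elif name == "connect":
            fd = int(args.split(",", 1)[0])
            a = ADDR_RE.search(args)
            target = (a.group(2), int(a.group(1))) if a else None
            if ret == 0 and fd in sockets:
                connected[fd] = target
            else:
                failed += 1               # e.g. ECONNREFUSED: the listener is not up yet
        elif name == "nanosleep":
            s = SLEEP_RE.search(args)
            if s:
                sleeps.append(int(s.group(1)) + int(s.group(2)) / 1e9)
        elif name == "close":
            fd = int(args.split(",", 1)[0])
            sockets.discard(fd)
            connected.pop(fd, None)
        elif name == "execve" and ret == 0 and connected and verdict is None:
            # exec while a connected socket is open: the new image inherits it
            path = args.split(",", 1)[0].strip().strip('"')
            ip, port = next(iter(connected.values())) or ("?", "?")
            kind = "shell" if path in SHELLS else "program"
            verdict = f"connect-back {kind} {path} to {ip}:{port}"
    return {"verdict": verdict, "failed_connects": failed,
            "retry_loop": failed > 0 and bool(sleeps),
            "max_sleep": max(sleeps, default=0.0),
            "target": next(iter(connected.values()), None)}


if __name__ == "__main__":
    print(analyse_trace(SAMPLE_TRACE))
```

The initial execve of the sample itself produces no verdict because no connected socket exists yet; only an execve performed while a connect()ed descriptor is still open is flagged, which is what separates a connect-back shell from a program that merely makes a network request and then exits.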