Sample : c803e1f7c707c35f976b7658be89df720a0fc8e86e7561e380a21a343fe5ad76

Summary


OS ABI

UNIX - System V
CPU class

64 bit
Persistence (user)

No
Persistence (root)

No
CPU byte order

2's complement LSB
File type

ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
CPU type

AMD x86-64
Entropy

6.0828844239
Syscalls executed (root)

47185
Syscalls executed (user)

64660
ELF type

Executable file

ELF


Class

64 bit
Data encoding

2's complement LSB
Operating system ABI

UNIX - System V
Object file type

Executable file
ELF version

0.1
Machine

AMD x86-64
Link

static
Entrypoint

0x400433
Number of segments

4
Number of sections

16
Program header table offset

64
Section header table offset

709560
Program header table - size of entry

56
Section header table - size of entry

64
Program header table - entries

4
Section header table - entries

16
Section header table - index sections names

15
Stripped

True
Sections stripped

False
Anomalies


Segments
Memory size doubles physical size : PT_LOAD at offset 0xabe00
PT_TLS at offset 0xabe00


Sections
Uncommon sections : .tbss
section without a name
High entropy : .text - 6.412755


Debug information

False

Hash


MD5

ee119663da18f4f378472c9df2faa689
SHA1

4f2ef61208d4625b0112f21cb5d4f28b19ee5431
SHA256

c803e1f7c707c35f976b7658be89df720a0fc8e86e7561e380a21a343fe5ad76
SHA512

3cba83d3d2388060c16bd10708012743bd6a97ee84b6a9d294f8e864b4651fbd51e63e3ede6104fc0371464fa5151143136c0fa22bf647a9a0a1d6b0bff2e6b4
ssdeep

12288:E7eLtW6pjt/0fzWTCaiaF22IrYggrQ9nLDOM04lO5tAoDqN:b06pjYyTBF22IrYggrQ9nfOM04lOHAI

Bytes


Entropy

6.0828844239
Max entropy (16KB blocks)

6.75242833395
Unique bytes (0-255)

256
Null bytes

162912
White spaces

10796
Printable bytes

221765
First 16B

7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Last 16B

01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Longest same bytes sequence

Byte : 0x0

Offset : 0x9b672

Length : 63739

Three rarest bytes

0xb2 - 190 times

0xa1 - 184 times

0xa7 - 161 times

Three most common bytes

0x0 - 162912 times

0x48 - 32210 times

0xff - 26201 times

File type


Mime type

application/x-executable
File type

ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped

VirusTotal


URL

https://www.virustotal.com/#/file/c803e1f7c707c35f976b7658be89df720a0fc8e86e7561e380a21a343fe5ad76
Positive

18
Total AVs

59
Scan date

2018-04-05 05:12:04
AVClass

miner
Detection

ClamAV : Multios.Trojan.CryptocoinMiner-6448864-1

NANO-Antivirus : Riskware.BitCoinMiner.eyyhgm

Sophos : Generic PUA EP (PUA)

Rising : Trojan.Linux.XMR-Miner!1.A988 (CLASSIC)

Qihoo-360 : Win32/Virus.RiskTool.42d

Microsoft : Trojan:Win32/CoinMiner.C!cl

Fortinet : Riskware/Miner

MAX : malware (ai score=95)

ESET-NOD32 : a variant of Linux/CoinMiner.AE potentially unwanted

Antiy-AVL : RiskWare[RiskTool]/Android.Miner.b

GData : Linux.Application.Agent.CWGQHA

TrendMicro-HouseCall : TROJ_GEN.R002H07CK18

Avira : LINUX/BitCoinMiner.xrlrh

Ikarus : PUA.CoinMiner

ZoneAlarm : not-a-virus:HEUR:RiskTool.AndroidOS.Miner.b

ALYac : Misc.Riskware.BitCoinMiner.Linux

DrWeb : Tool.Linux.BtcMine.426

Kaspersky : not-a-virus:HEUR:RiskTool.AndroidOS.Miner.b

Data Explore


Paths

/proc/se

/dev/null

/etc/cron.d/syslog

/etc/crontab

/etc/rc.local

/dev/null

/proc/self/exe

/proc/self/fd/%d

/dev/null

/proc/cpuinfo

/proc/self/stat

/proc/stat

/sys/devices/system/cpu/cpu%u/cpufreq/scaling_cur_freq

/dev/urandom

/dev/random

/dev/console

/dev/log

/etc/hosts

/etc/services

/etc/resolv.conf

/usr/local/bin:/bin:/usr/bin

/bin/sh

/etc/passwd

/var/run/nscd/socket

/proc/self/task

/etc/localtime

/usr/share/zoneinfo/

/etc/zoneinfo/

/bin/.syslog

URLs

https://gcc.gnu.org/bugs

IPs (v4 and v6)

127.0.0.1

Code Explore


Nucleus

Number of functions : 1818

Total size functions [B] : 3283357

Average size a function [B] : 1806.0269527

Percentage of covered .text section : 561.03319356

Percentage of covered LOAD segment : 464.657990597

Eh_frame

Sandbox (user)


Standard output

Standard error

Sandbox (root)


Standard output

Standard error

Behavior


User behavior

Syscalls


Unique
fork
gettid
exit_group
rt_sigprocmask
arch_prctl
setsid
brk
close
prlimit64
set_tid_address
execve


Unique number
11

Total number
64660

Instrumented libc calls


Unique
strchr


Unique number
1

Total number
1

Number of processes

3

Trace lines lost

0

Max sleep

-1.0



Root behavior

Syscalls


Unique
fork
gettid
exit_group
commit_creds
rt_sigprocmask
arch_prctl
setsid
brk
close
prlimit64
set_tid_address
execve


Unique number
12

Total number
47185

Instrumented libc calls


Unique
strchr


Unique number
1

Total number
1

Number of processes

3

Trace lines lost

0

Max sleep

-1.0