Padawan live

Summary

OS ABI: UNIX - System V

CPU class: 32 bit

Persistence (user): No

Persistence (root): No

CPU byte order: 2's complement LSB

File type: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped

CPU type: Intel 80386

Entropy: 5.92502070506

Syscalls executed (root): 33943

Syscalls executed (user): 65594

ELF type: Executable file

ELF

Class: 32 bit

Data encoding: 2's complement LSB

Operating system ABI: UNIX - System V

Object file type: Executable file

ELF version: 0.1

Machine: Intel 80386

Link: static

Entrypoint: 0x8048467

Number of segments: 4

Number of sections: 16

Program header table offset: 52

Section header table offset: 815716

Program header table - size of entry: 32

Section header table - size of entry: 40

Program header table - entries: 4

Section header table - entries: 16

Section header table - index sections names: 15

Stripped: True

Sections stripped: False

PT_LOAD at offset 0xc64e0
PT_TLS at offset 0xc64e0

.tbss
section without a name

.text - 6.478120
.rodata - 6.770329

Debug information: False

Hash

MD5: 924a1228e3eea786ee7e344e24fcdfd5

SHA1: 21bb6b681527ae4ffe1c24c8db04af78bd904ded

SHA256: d3b035d70a79322302aa57ef0dfdf78ee99a8fdc151fe045d22da6efc2c79f8e

SHA512: ae7b929e667653f4f9f02939c62ae132a5ca644bb089bb0462a46b441d2f8f29416f8facb732b73e5c2eb838b1907a6c4a8ca2d72bed88e2ec87da1ff6b856ab

ssdeep: 24576:xbLz2p4Osc5xwK3jQcOSS4VC6ieSWIrLgY8S+6/93u:dmx5mK3jQcOP4Cfe+Zt

Bytes

Entropy: 5.92502070506

Max entropy (16KB blocks): 7.21293492028

Unique bytes (0-255): 256

Null bytes: 216446

White spaces: 20273

Printable bytes: 196566

First 16B: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00

Last 16B: 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00

Byte: 0x0

Offset: 0xa7e92

Length: 121003

0x92 - 221 times
0x91 - 186 times
0xb2 - 182 times

0x0 - 216446 times
0x24 - 30206 times
0xff - 28837 times

File type

Mime type: application/x-executable

File type: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped

VirusTotal

URL: https://www.virustotal.com/#/file/d3b035d70a79322302aa57ef0dfdf78ee99a8fdc151fe045d22da6efc2c79f8e

Positive: 13

Total AVs: 58

Scan date: 2018-04-21 16:10:46

AVClass: miner

Symantec: Trojan.Gen.NPE

McAfee: RDN/Generic PUP.x

ClamAV: Multios.Trojan.CryptocoinMiner-6448864-1

Fortinet: Riskware/Miner

DrWeb: Tool.Linux.BtcMine.400

ESET-NOD32: a variant of Linux/CoinMiner.AE potentially unwanted

Qihoo-360: Win32/Virus.RiskTool.42d

TrendMicro-HouseCall: TROJ_GEN.R002H0CDK18

Avira: LINUX/BitCoinMiner.ecpqx

Sophos: Linux/Miner-GF

ZoneAlarm: not-a-virus:HEUR:RiskTool.AndroidOS.Miner.b

Kaspersky: not-a-virus:HEUR:RiskTool.AndroidOS.Miner.b

GData: Linux.Application.Agent.NER9OS

Data Explore

/proc/self/fd/%d
/dev/null
/proc/cpuinfo
/proc/self/stat
/proc/stat
/sys/devices/system/cpu/cpu%u/cpufreq/scaling_cur_freq
/proc/self/exe
/dev/urandom
/dev/random
/dev/console
/dev/log
/etc/hosts
/etc/services
/etc/resolv.conf
/usr/local/bin:/bin:/usr/bin
/etc/passwd
/var/run/nscd/socket
/proc/self/task
/etc/localtime
/usr/share/zoneinfo/
/etc/zoneinfo/

https://gcc.gnu.org/bugs/

::
::
d::
::
::
d::
d::
d::
d::
d::
::a
::c
::c
::
::e
::
::
::
::a
::a
::
::
::ba
::
ce::
d::
d::
d::
d::
d::
d::
d::
d::
d::
d::
::
::
::
::
127.0.0.1

Code Explore

Number of functions: 1918

Total size functions [B]: 1985307

Average size a function [B]: 1035.09228363

Percentage of covered .text section: 309.665207748

Percentage of covered LOAD segment: 244.187093418

Sandbox (user)

Standard output:

Standard error:

Sandbox (root)

Standard output:

Standard error:

Behavior

clock_gettime
rt_sigaction
epoll_create1
brk
close
open
clock_getres
mmap2
exit_group
rt_sigprocmask
umask
sched_getaffinity
write
setsid
set_tid_address
fstat
fork
read
set_thread_area
readlink
unlink
execve
gettid
pipe2
fcntl
ioctl
eventfd2
prlimit64

Unique number: 28

Total number: 65594

strchr

Unique number: 1

Total number: 1

Number of processes: 3

Trace lines lost: 0

/dev/null

Max sleep: -1.0

Total: 3

FIONBIO

TIOCGWINSZ

/tmp/d3b035d70a79322302aa57ef0dfdf78ee99a8fdc151fe045d22da6efc2c79f8e

Unlink itself: True

fork
gettid
exit_group
commit_creds
rt_sigprocmask
setsid
set_thread_area
brk
close
prlimit64
set_tid_address
execve

Unique number: 12

Total number: 33943

strchr

Unique number: 1

Total number: 1

Number of processes: 3

Trace lines lost: 0

Max sleep: -1.0

d3b035d70a79322302aa57ef0dfdf78ee99a8fdc151fe045d22da6efc2c79f8e

Summary

ELF

Anomalies

Segments

Memory size doubles physical size

Sections

Uncommon sections

High entropy

Hash

Bytes

Longest same bytes sequence

Three rarest bytes

Three most common bytes

File type

VirusTotal

Detection

Data Explore

Paths

URLs

IPs (v4 and v6)

Code Explore

Nucleus

Eh_frame

Sandbox (user)

Sandbox (root)

Behavior

User behavior

Syscalls

Unique

Instrumented libc calls

Unique

Files being read

Ioctls

Success

Fail

Unlink files

Root behavior

Syscalls

Unique

Instrumented libc calls

Unique