Sample : d3b035d70a79322302aa57ef0dfdf78ee99a8fdc151fe045d22da6efc2c79f8e
Modules
Summary
OS ABI
UNIX - System V
CPU class
32 bit
Persistence (user)
No
Persistence (root)
No
CPU byte order
2's complement LSB
File type
ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
CPU type
Intel 80386
Entropy
5.92502070506
Syscalls executed (root)
33943
Syscalls executed (user)
65594
ELF type
Executable file
ELF
Class
32 bit
Data encoding
2's complement LSB
Operating system ABI
UNIX - System V
Object file type
Executable file
ELF version
0.1
Machine
Intel 80386
Link
static
Entrypoint
0x8048467
Number of segments
4
Number of sections
16
Program header table offset
52
Section header table offset
815716
Program header table - size of entry
32
Section header table - size of entry
40
Program header table - entries
4
Section header table - entries
16
Section header table - index sections names
15
Stripped
True
Sections stripped
False
Anomalies
Segments
Memory size doubles physical size : PT_LOAD at offset 0xc64e0
PT_TLS at offset 0xc64e0
Sections
Uncommon sections : .tbss
section without a name
High entropy : .text - 6.478120
.rodata - 6.770329
Debug information
False
Hash
MD5
924a1228e3eea786ee7e344e24fcdfd5
SHA1
21bb6b681527ae4ffe1c24c8db04af78bd904ded
SHA256
d3b035d70a79322302aa57ef0dfdf78ee99a8fdc151fe045d22da6efc2c79f8e
SHA512
ae7b929e667653f4f9f02939c62ae132a5ca644bb089bb0462a46b441d2f8f29416f8facb732b73e5c2eb838b1907a6c4a8ca2d72bed88e2ec87da1ff6b856ab
ssdeep
24576:xbLz2p4Osc5xwK3jQcOSS4VC6ieSWIrLgY8S+6/93u:dmx5mK3jQcOP4Cfe+Zt
Bytes
Entropy
5.92502070506
Max entropy (16KB blocks)
7.21293492028
Unique bytes (0-255)
256
Null bytes
216446
White spaces
20273
Printable bytes
196566
First 16B
7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Last 16B
00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00
Longest same bytes sequence
Byte : 0x0
Offset : 0xa7e92
Length : 121003
Three rarest bytes
0x92 - 221 times
0x91 - 186 times
0xb2 - 182 times
Three most common bytes
0x0 - 216446 times
0x24 - 30206 times
0xff - 28837 times
File type
Mime type
application/x-executable
File type
ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
VirusTotal
URL
https://www.virustotal.com/#/file/d3b035d70a79322302aa57ef0dfdf78ee99a8fdc151fe045d22da6efc2c79f8e
Positive
13
Total AVs
58
Scan date
2018-04-21 16:10:46
AVClass
miner
Detection
Symantec : Trojan.Gen.NPE
McAfee : RDN/Generic PUP.x
ClamAV : Multios.Trojan.CryptocoinMiner-6448864-1
Fortinet : Riskware/Miner
DrWeb : Tool.Linux.BtcMine.400
ESET-NOD32 : a variant of Linux/CoinMiner.AE potentially unwanted
Qihoo-360 : Win32/Virus.RiskTool.42d
TrendMicro-HouseCall : TROJ_GEN.R002H0CDK18
Avira : LINUX/BitCoinMiner.ecpqx
Sophos : Linux/Miner-GF
ZoneAlarm : not-a-virus:HEUR:RiskTool.AndroidOS.Miner.b
Kaspersky : not-a-virus:HEUR:RiskTool.AndroidOS.Miner.b
GData : Linux.Application.Agent.NER9OS
Data Explore
Paths
/proc/self/fd/%d
/dev/null
/proc/cpuinfo
/proc/self/stat
/proc/stat
/sys/devices/system/cpu/cpu%u/cpufreq/scaling_cur_freq
/proc/self/exe
/dev/urandom
/dev/random
/dev/console
/dev/log
/etc/hosts
/etc/services
/etc/resolv.conf
/usr/local/bin:/bin:/usr/bin
/etc/passwd
/var/run/nscd/socket
/proc/self/task
/etc/localtime
/usr/share/zoneinfo/
/etc/zoneinfo/
URLs
https://gcc.gnu.org/bugs/
IPs (v4 and v6)
127.0.0.1
Code Explore
Nucleus
Number of functions : 1918
Total size of functions [B] : 1985307
Average size of a function [B] : 1035.09228363
Percentage of covered .text section : 309.665207748
Percentage of covered LOAD segment : 244.187093418
Eh_frame
Sandbox (user)
Standard output
Standard error
Sandbox (root)
Standard output
Standard error
Behavior
User behavior
Syscalls
Unique
clock_gettime
rt_sigaction
epoll_create1
brk
close
open
clock_getres
mmap2
exit_group
rt_sigprocmask
umask
sched_getaffinity
write
setsid
set_tid_address
fstat
fork
read
set_thread_area
readlink
unlink
execve
gettid
pipe2
fcntl
ioctl
eventfd2
prlimit64
Unique number
28
Total number
65594
Instrumented libc calls
Unique
strchr
Unique number
1
Total number
1
Number of processes
3
Trace lines lost
0
Files being read
/dev/null
Max sleep
-1.0
Ioctls
Total
3
Success
FIONBIO
Fail
TIOCGWINSZ
Unlink files
/tmp/d3b035d70a79322302aa57ef0dfdf78ee99a8fdc151fe045d22da6efc2c79f8e
Unlink itself
True
Root behavior
Syscalls
Unique
fork
gettid
exit_group
commit_creds
rt_sigprocmask
setsid
set_thread_area
brk
close
prlimit64
set_tid_address
execve
Unique number
12
Total number
33943
Instrumented libc calls
Unique
strchr
Unique number
1
Total number
1
Number of processes
3
Trace lines lost
0
Max sleep
-1.0