Padawan live

Summary

OS ABI: UNIX - System V

CPU class: 64 bit

Persistence (user): No

Persistence (root): No

CPU byte order: 2's complement LSB

File type: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped

CPU type: AMD x86-64

Entropy: 6.09825797554

Syscalls executed (root): 51100

Syscalls executed (user): 65663

ELF type: Executable file

ELF

Class: 64 bit

Data encoding: 2's complement LSB

Operating system ABI: UNIX - System V

Object file type: Executable file

ELF version: 0.1

Machine: AMD x86-64

Link: static

Entrypoint: 0x400423

Number of segments: 4

Number of sections: 16

Program header table offset: 64

Section header table offset: 709496

Program header table - size of entry: 56

Section header table - size of entry: 64

Program header table - entries: 4

Section header table - entries: 16

Section header table - index sections names: 15

Stripped: True

Sections stripped: False

PT_LOAD at offset 0xabe00
PT_TLS at offset 0xabe00

.tbss
section without a name

.text - 6.423212

Debug information: False

Hash

MD5: 94fd6b2f091d45135cc45f9e32b9e0eb

SHA1: d8be2533cf86c9ce1a83558bad9e7925540cd2c2

SHA256: f72b578788601d4e130715ea88746b0758f3cc7afe58c21a0db2b53d1c30cc27

SHA512: 3d93d2eaa7ecca7adb066318b7b7dab55201c92a5d67b0d13f18cfc50656ad30172499e2bf7b3ef8661aaa3cc98ae2dbe819ce7f84625a832cef88db50467ad6

ssdeep: 12288:saHuY698fBBi6r8B2Ak2MEw2+FS2IrYg4rQ9l2zOv96dGhdJMUxOrq0:XHuX9iBi6rtpESFS2IrYg4rQ9l8Ov96L

Bytes

Entropy: 6.09825797554

Max entropy (16KB blocks): 6.64026022088

Unique bytes (0-255): 256

Null bytes: 160502

White spaces: 10525

Printable bytes: 223956

First 16B: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00

Last 16B: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Byte: 0x0

Offset: 0x9b9d2

Length: 64307

0xb2 - 194 times
0xa1 - 176 times
0xa7 - 164 times

0x0 - 160502 times
0x48 - 32854 times
0xff - 26327 times

File type

Mime type: application/x-executable

File type: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped

VirusTotal

URL: https://www.virustotal.com/#/file/f72b578788601d4e130715ea88746b0758f3cc7afe58c21a0db2b53d1c30cc27

Positive: 8

Total AVs: 59

Scan date: 2018-05-16 22:13:16

AVClass: miner

ClamAV: Multios.Trojan.CryptocoinMiner-6448864-1

Ikarus: PUA.CoinMiner

ESET-NOD32: a variant of Linux/CoinMiner.AE potentially unwanted

Sophos: Linux/Miner-GF

ZoneAlarm: not-a-virus:HEUR:RiskTool.AndroidOS.Miner.b

Cyren: ELF/Trojan.KBYQ-4

Kaspersky: not-a-virus:HEUR:RiskTool.AndroidOS.Miner.b

Antiy-AVL: RiskWare[RiskTool]/Android.Miner.b

Data Explore

/proc/se
/proc/self/fd/%d
/dev/null
/proc/cpuinfo
/proc/self/stat
/proc/stat
/sys/devices/system/cpu/cpu%u/cpufreq/scaling_cur_freq
/proc/self/exe
/dev/urandom
/dev/random
/dev/console
/dev/log
/etc/hosts
/etc/services
/etc/resolv.conf
/usr/local/bin:/bin:/usr/bin
/etc/passwd
/var/run/nscd/socket
/proc/self/task
/etc/localtime
/usr/share/zoneinfo/
/etc/zoneinfo/

https://gcc.gnu.org/bugs

::
::
d::
::
::
d::
d::
d::
d::
d::
::a
::c
::c
::
::e
::
::
::
::a
::a
::
::
::ba
::
ce::
d::
d::
d::
d::
d::
d::
d::
d::
d::
d::
::
::
::
::
127.0.0.1

Code Explore

Number of functions: 1806

Total size functions [B]: 3296249

Average size a function [B]: 1825.16555925

Percentage of covered .text section: 562.236940407

Percentage of covered LOAD segment: 465.581099061

Sandbox (user)

Standard output:

Standard error:

Sandbox (root)

Standard output:

Standard error:

Behavior

fcntl
rt_sigaction
epoll_create1
mprotect
brk
connect
readv
close
poll
open
clock_getres
mmap2
exit_group
epoll_wait
recvfrom
rt_sigprocmask
umask
sched_getaffinity
arch_prctl
write
setsid
set_tid_address
fstat
fork
setsockopt
read
clone
sendto
ioctl
readlink
unlink
execve
gettid
socket
munmap
pipe2
epoll_ctl
futex
eventfd2
prlimit64
bind

Unique number: 41

Total number: 65663

strchr

Unique number: 1

Total number: 1

Number of processes: 5

Trace lines lost: 0

/dev/null
/etc/resolv.conf
/etc/hosts

Max sleep: -1.0

Total: 3

FIONBIO

TIOCGWINSZ

/tmp/f72b578788601d4e130715ea88746b0758f3cc7afe58c21a0db2b53d1c30cc27

Unlink itself: True

fork
gettid
exit_group
commit_creds
rt_sigprocmask
arch_prctl
setsid
brk
close
prlimit64
set_tid_address
execve

Unique number: 12

Total number: 51100

strchr

Unique number: 1

Total number: 1

Number of processes: 3

Trace lines lost: 0

Max sleep: -1.0

f72b578788601d4e130715ea88746b0758f3cc7afe58c21a0db2b53d1c30cc27

Summary

ELF

Anomalies

Segments

Memory size doubles physical size

Sections

Uncommon sections

High entropy

Hash

Bytes

Longest same bytes sequence

Three rarest bytes

Three most common bytes

File type

VirusTotal

Detection

Data Explore

Paths

URLs

IPs (v4 and v6)

Code Explore

Nucleus

Eh_frame

Sandbox (user)

Sandbox (root)

Behavior

User behavior

Syscalls

Unique

Instrumented libc calls

Unique

Files being read

Ioctls

Success

Fail

Unlink files

Root behavior

Syscalls

Unique

Instrumented libc calls

Unique