Sample : f72b578788601d4e130715ea88746b0758f3cc7afe58c21a0db2b53d1c30cc27
Modules
Summary
OS ABI
UNIX - System V
CPU class
64 bit
Persistence (user)
No
Persistence (root)
No
CPU byte order
2's complement LSB
File type
ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
CPU type
AMD x86-64
Entropy
6.09825797554
Syscalls executed (root)
51100
Syscalls executed (user)
65663
ELF type
Executable file
ELF
Class
64 bit
Data encoding
2's complement LSB
Operating system ABI
UNIX - System V
Object file type
Executable file
ELF version
0.1
Machine
AMD x86-64
Link
static
Entrypoint
0x400423
Number of segments
4
Number of sections
16
Program header table offset
64
Section header table offset
709496
Program header table - size of entry
56
Section header table - size of entry
64
Program header table - entries
4
Section header table - entries
16
Section header table - index sections names
15
Stripped
True
Sections stripped
False
Anomalies
Segments
Memory size doubles physical size : PT_LOAD at offset 0xabe00
PT_TLS at offset 0xabe00
Sections
Uncommon sections : .tbss
section without a name
High entropy : .text - 6.423212
Debug information
False
Hash
MD5
94fd6b2f091d45135cc45f9e32b9e0eb
SHA1
d8be2533cf86c9ce1a83558bad9e7925540cd2c2
SHA256
f72b578788601d4e130715ea88746b0758f3cc7afe58c21a0db2b53d1c30cc27
SHA512
3d93d2eaa7ecca7adb066318b7b7dab55201c92a5d67b0d13f18cfc50656ad30172499e2bf7b3ef8661aaa3cc98ae2dbe819ce7f84625a832cef88db50467ad6
ssdeep
12288:saHuY698fBBi6r8B2Ak2MEw2+FS2IrYg4rQ9l2zOv96dGhdJMUxOrq0:XHuX9iBi6rtpESFS2IrYg4rQ9l8Ov96L
Bytes
Entropy
6.09825797554
Max entropy (16KB blocks)
6.64026022088
Unique bytes (0-255)
256
Null bytes
160502
White spaces
10525
Printable bytes
223956
First 16B
7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Last 16B
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Longest same bytes sequence
Byte : 0x0
Offset : 0x9b9d2
Length : 64307
Three rarest bytes
0xb2 - 194 times
0xa1 - 176 times
0xa7 - 164 times
Three most common bytes
0x0 - 160502 times
0x48 - 32854 times
0xff - 26327 times
File type
Mime type
application/x-executable
File type
ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
VirusTotal
URL
https://www.virustotal.com/#/file/f72b578788601d4e130715ea88746b0758f3cc7afe58c21a0db2b53d1c30cc27
Positive
8
Total AVs
59
Scan date
2018-05-16 22:13:16
AVClass
miner
Detection
ClamAV : Multios.Trojan.CryptocoinMiner-6448864-1
Ikarus : PUA.CoinMiner
ESET-NOD32 : a variant of Linux/CoinMiner.AE potentially unwanted
Sophos : Linux/Miner-GF
ZoneAlarm : not-a-virus:HEUR:RiskTool.AndroidOS.Miner.b
Cyren : ELF/Trojan.KBYQ-4
Kaspersky : not-a-virus:HEUR:RiskTool.AndroidOS.Miner.b
Antiy-AVL : RiskWare[RiskTool]/Android.Miner.b
Data Explore
Paths
/proc/se
/proc/self/fd/%d
/dev/null
/proc/cpuinfo
/proc/self/stat
/proc/stat
/sys/devices/system/cpu/cpu%u/cpufreq/scaling_cur_freq
/proc/self/exe
/dev/urandom
/dev/random
/dev/console
/dev/log
/etc/hosts
/etc/services
/etc/resolv.conf
/usr/local/bin:/bin:/usr/bin
/etc/passwd
/var/run/nscd/socket
/proc/self/task
/etc/localtime
/usr/share/zoneinfo/
/etc/zoneinfo/
URLs
https://gcc.gnu.org/bugs
IPs (v4 and v6)
Code Explore
Nucleus
Number of functions : 1806
Total size functions [B] : 3296249
Average size a function [B] : 1825.16555925
Percentage of covered .text section : 562.236940407
Percentage of covered LOAD segment : 465.581099061
Eh_frame
Sandbox (user)
Standard output
Standard error
Sandbox (root)
Standard output
Standard error
Behavior
User behavior
Syscalls
Unique
fcntl
rt_sigaction
epoll_create1
mprotect
brk
connect
readv
close
poll
open
clock_getres
mmap2
exit_group
epoll_wait
recvfrom
rt_sigprocmask
umask
sched_getaffinity
arch_prctl
write
setsid
set_tid_address
fstat
fork
setsockopt
read
clone
sendto
ioctl
readlink
unlink
execve
gettid
socket
munmap
pipe2
epoll_ctl
futex
eventfd2
prlimit64
bind
Unique number
41
Total number
65663
Instrumented libc calls
Unique
strchr
Unique number
1
Total number
1
Number of processes
5
Trace lines lost
0
Files being read
/dev/null
/etc/resolv.conf
/etc/hosts
Max sleep
-1.0
Ioctls
Total
3
Success
FIONBIO
Fail
TIOCGWINSZ
Unlink files
/tmp/f72b578788601d4e130715ea88746b0758f3cc7afe58c21a0db2b53d1c30cc27
Unlink itself
True
Root behavior
Syscalls
Unique
fork
gettid
exit_group
commit_creds
rt_sigprocmask
arch_prctl
setsid
brk
close
prlimit64
set_tid_address
execve
Unique number
12
Total number
51100
Instrumented libc calls
Unique
strchr
Unique number
1
Total number
1
Number of processes
3
Trace lines lost
0
Max sleep
-1.0