
Analysis Report m8XMnec4Vb.elf

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:185754
Start date:28.10.2019
Start time:17:41:19
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 10m 5s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:m8XMnec4Vb.elf
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Detection:MAL
Classification:mal48.evad.linELF@0/1@0/0
Warnings:
  • Excluded IPs from analysis (whitelisted): 91.189.92.41, 91.189.92.20, 91.189.92.19, 91.189.92.38
  • Excluded domains from analysis (whitelisted): api.snapcraft.io

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 48 | 0 - 100 | | false | malicious

Classification

Mitre Att&ck Matrix

  • Initial Access: Valid Accounts
  • Execution: Windows Remote Management
  • Persistence: Winlogon Helper DLL
  • Privilege Escalation: Port Monitors
  • Defense Evasion: File Deletion 1 1
  • Credential Access: Credential Dumping
  • Discovery: System Service Discovery
  • Lateral Movement: Application Deployment Software
  • Collection: Data from Local System
  • Exfiltration: Data Compressed
  • Command and Control: Data Obfuscation

Signature Overview



System Summary:

Classification label
Source: classification engine, Classification label: mal48.evad.linELF@0/1@0/0

Persistence and Installation Behavior:

Changes permissions of common UNIX (system) binary directories
Source: /bin/dash (PID: 20771), Chmod directory: /bin/chmod -> /bin/chmod 755 /dev/shm/kdmtmpflush
Executes the "chmod" command used to modify permissions
Source: /bin/dash (PID: 20771), Chmod executable: /bin/chmod -> /bin/chmod 755 /dev/shm/kdmtmpflush
Executes the "rm" command used to delete files or directories
Source: /bin/dash (PID: 20762), Rm executable: /bin/rm -> /bin/rm -f /dev/shm/kdmtmpflush
Source: /bin/dash (PID: 20783), Rm executable: /bin/rm -> /bin/rm -f /dev/shm/kdmtmpflush
Sample tries to set the executable flag
Source: /bin/chmod (PID: 20771), File: /dev/shm/kdmtmpflush (bits: - usr: rx grp: rx all: rwx)
Writes ELF files to disk
Source: /bin/cp (PID: 20765), File written: /dev/shm/kdmtmpflush

Hooking and other Techniques for Hiding and Protection:

Sample deletes itself
Source: /bin/rm (PID: 20762), File: /dev/shm/kdmtmpflush
Source: /bin/rm (PID: 20783), File: /dev/shm/kdmtmpflush


Runtime Messages

Command:/tmp/m8XMnec4Vb.elf
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
Standard Error:

Behavior Graph

Behavior Graph ID: 185754, Sample: m8XMnec4Vb.elf, Startdate: 28/10/2019, Architecture: LINUX, Score: 48
Processes shown in the graph: m8XMnec4Vb.elf -> m8XMnec4Vb.elf -> dash -> rm, chmod, rm and 2 other processes (kdmtmpflush started; /dev/shm/kdmtmpflush dropped as ELF)
Signatures shown in the graph: Sample deletes itself (rm); Changes permissions of common UNIX (system) binary directories (chmod)

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
m8XMnec4Vb.elf | 0% | Virustotal |

Dropped Files

Source | Detection | Scanner | Label
/dev/shm/kdmtmpflush | 0% | Virustotal |

Domains

No Antivirus matches

URLs

No Antivirus matches

Startup

  • system is lnxubuntu1
  • m8XMnec4Vb.elf (PID: 20758, Parent: 20706, MD5: 0017f7b913ce66e4d80f7e78cf830a2b) Arguments: /tmp/m8XMnec4Vb.elf
    • dash (PID: 20760, Parent: 20758, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "/bin/rm -f /dev/shm/kdmtmpflush;/bin/cp /tmp/m8XMnec4Vb.elf /dev/shm/kdmtmpflush && /bin/chmod 755 /dev/shm/kdmtmpflush && /dev/shm/kdmtmpflush --init && /bin/rm -f /dev/shm/kdmtmpflush"
      • dash New Fork (PID: 20762, Parent: 20760)
      • rm (PID: 20762, Parent: 20760, MD5: b79876063d894c449856cca508ecca7f) Arguments: /bin/rm -f /dev/shm/kdmtmpflush
      • dash New Fork (PID: 20765, Parent: 20760)
      • cp (PID: 20765, Parent: 20760, MD5: b9c85244be9733bc79eca588db7bf306) Arguments: /bin/cp /tmp/m8XMnec4Vb.elf /dev/shm/kdmtmpflush
      • dash New Fork (PID: 20771, Parent: 20760)
      • chmod (PID: 20771, Parent: 20760, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: /bin/chmod 755 /dev/shm/kdmtmpflush
      • dash New Fork (PID: 20776, Parent: 20760)
      • kdmtmpflush (PID: 20776, Parent: 20760, MD5: unknown) Arguments: /dev/shm/kdmtmpflush --init
      • dash New Fork (PID: 20783, Parent: 20760)
      • rm (PID: 20783, Parent: 20760, MD5: b79876063d894c449856cca508ecca7f) Arguments: /bin/rm -f /dev/shm/kdmtmpflush
  • cleanup

Created / dropped Files

/dev/shm/kdmtmpflush
Process:/bin/cp
File Type:ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 2.6.32, BuildID[sha1]=1e3c06cce8dc23d9bf96c3a524404122bc281c71, not stripped
Size (bytes):28832
Entropy (8bit):4.890459011756629
Encrypted:false
MD5:0017F7B913CE66E4D80F7E78CF830A2B
SHA1:F1BF775746A5C882B9EC003617B2A70CF5A5B029
SHA-256:FA0DEFDABD9FD43FE2EF1EC33574EA1AF1290BD3D763FDB2BED443F2BD996D73
SHA-512:FF5DD28BA3F5CE1F85F85FA9B65F9F30FBD300F2CA238CB2713DA7077B7A0A8FF094CFF4D7DE9381726925ABDD9EA065FA75CCD02FA5A816B71A6F91479363C1
Malicious:true
Antivirus:
  • Antivirus: Virustotal, Detection: 0%
Reputation:low

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General

File type:ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 2.6.32, BuildID[sha1]=1e3c06cce8dc23d9bf96c3a524404122bc281c71, not stripped
Entropy (8bit):4.890459011756629
TrID:
  • ELF Executable and Linkable format (Linux) (4029/14) 49.77%
  • ELF Executable and Linkable format (generic) (4004/1) 49.46%
  • Lumena CEL bitmap (63/63) 0.78%
File name:m8XMnec4Vb.elf
File size:28832
MD5:0017f7b913ce66e4d80f7e78cf830a2b
SHA1:f1bf775746a5c882b9ec003617b2a70cf5a5b029
SHA256:fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73
SHA512:ff5dd28ba3f5ce1f85f85fa9b65f9f30fbd300f2ca238cb2713da7077b7a0a8ff094cff4d7de9381726925abdd9ea065fa75ccd02fa5a816b71a6f91479363c1
SSDEEP:384:D4Vc7TIqaFxrfIyqk/MyV36nk/h0iFHCN7qvUa+BlmYJNZRR5uRh0I:D4gQAsMyOi0iFHCF3zZX5uRh0I

Static ELF Info

ELF header

Class:ELF64
Data:2's complement, little endian
Version:1 (current)
Machine:Advanced Micro Devices X86-64
Version Number:0x1
Type:EXEC (Executable file)
OS/ABI:UNIX - System V
ABI Version:0
Entry Point Address:0x401430
Flags:0x0
ELF Header Size:64
Program Header Offset:64
Program Header Size:56
Number of Program Headers:9
Section Header Offset:21272
Section Header Size:64
Number of Section Headers:30
Header String Table Index:27

Sections

Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
| NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
.interp | PROGBITS | 0x400238 | 0x238 | 0x1c | 0x0 | 0x2 | A | 0 | 0 | 1
.note.ABI-tag | NOTE | 0x400254 | 0x254 | 0x20 | 0x0 | 0x2 | A | 0 | 0 | 4
.note.gnu.build-id | NOTE | 0x400274 | 0x274 | 0x24 | 0x0 | 0x2 | A | 0 | 0 | 4
.gnu.hash | GNU_HASH | 0x400298 | 0x298 | 0x30 | 0x0 | 0x2 | A | 5 | 0 | 8
.dynsym | DYNSYM | 0x4002c8 | 0x2c8 | 0x5b8 | 0x18 | 0x2 | A | 6 | 1 | 8
.dynstr | STRTAB | 0x400880 | 0x880 | 0x1be | 0x0 | 0x2 | A | 0 | 0 | 1
.gnu.version | VERSYM | 0x400a3e | 0xa3e | 0x7a | 0x2 | 0x2 | A | 5 | 0 | 2
.gnu.version_r | VERNEED | 0x400ab8 | 0xab8 | 0x30 | 0x0 | 0x2 | A | 6 | 1 | 8
.rela.dyn | RELA | 0x400ae8 | 0xae8 | 0x30 | 0x18 | 0x2 | A | 5 | 0 | 8
.rela.plt | RELA | 0x400b18 | 0xb18 | 0x558 | 0x18 | 0x2 | A | 5 | 12 | 8
.init | PROGBITS | 0x401070 | 0x1070 | 0x1a | 0x0 | 0x6 | AX | 0 | 0 | 4
.plt | PROGBITS | 0x401090 | 0x1090 | 0x3a0 | 0x10 | 0x6 | AX | 0 | 0 | 16
.text | PROGBITS | 0x401430 | 0x1430 | 0x2d5c | 0x0 | 0x6 | AX | 0 | 0 | 16
.fini | PROGBITS | 0x40418c | 0x418c | 0x9 | 0x0 | 0x6 | AX | 0 | 0 | 4
.rodata | PROGBITS | 0x4041a0 | 0x41a0 | 0x268 | 0x0 | 0x2 | A | 0 | 0 | 32
.eh_frame_hdr | PROGBITS | 0x404408 | 0x4408 | 0xfc | 0x0 | 0x2 | A | 0 | 0 | 4
.eh_frame | PROGBITS | 0x404508 | 0x4508 | 0x40c | 0x0 | 0x2 | A | 0 | 0 | 8
.init_array | INIT_ARRAY | 0x604e10 | 0x4e10 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 8
.fini_array | FINI_ARRAY | 0x604e18 | 0x4e18 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 8
.jcr | PROGBITS | 0x604e20 | 0x4e20 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 8
.dynamic | DYNAMIC | 0x604e28 | 0x4e28 | 0x1d0 | 0x10 | 0x3 | WA | 6 | 0 | 8
.got | PROGBITS | 0x604ff8 | 0x4ff8 | 0x8 | 0x8 | 0x3 | WA | 0 | 0 | 8
.got.plt | PROGBITS | 0x605000 | 0x5000 | 0x1e0 | 0x8 | 0x3 | WA | 0 | 0 | 8
.data | PROGBITS | 0x6051e0 | 0x51e0 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4
.bss | NOBITS | 0x605200 | 0x51e4 | 0x4f8 | 0x0 | 0x3 | WA | 0 | 0 | 32
.comment | PROGBITS | 0x0 | 0x51e4 | 0x2c | 0x1 | 0x30 | MS | 0 | 0 | 1
.shstrtab | STRTAB | 0x0 | 0x5210 | 0x108 | 0x0 | 0x0 | | 0 | 0 | 1
.symtab | SYMTAB | 0x0 | 0x5a98 | 0xe70 | 0x18 | 0x0 | | 29 | 50 | 8
.strtab | STRTAB | 0x0 | 0x6908 | 0x798 | 0x0 | 0x0 | | 0 | 0 | 1

Program Segments

Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
PHDR | 0x40 | 0x400040 | 0x400040 | 0x1f8 | 0x1f8 | 0x5 | R E | 0x8 | |
INTERP | 0x238 | 0x400238 | 0x400238 | 0x1c | 0x1c | 0x4 | R | 0x1 | /lib64/ld-linux-x86-64.so.2 | .interp
LOAD | 0x0 | 0x400000 | 0x400000 | 0x4914 | 0x4914 | 0x5 | R E | 0x200000 | | .interp .note.ABI-tag .note.gnu.build-id .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame
LOAD | 0x4e10 | 0x604e10 | 0x604e10 | 0x3d4 | 0x8e8 | 0x6 | RW | 0x200000 | | .init_array .fini_array .jcr .dynamic .got .got.plt .data .bss
DYNAMIC | 0x4e28 | 0x604e28 | 0x604e28 | 0x1d0 | 0x1d0 | 0x6 | RW | 0x8 | | .dynamic
NOTE | 0x254 | 0x400254 | 0x400254 | 0x44 | 0x44 | 0x4 | R | 0x4 | | .note.ABI-tag .note.gnu.build-id
GNU_EH_FRAME | 0x4408 | 0x404408 | 0x404408 | 0xfc | 0xfc | 0x4 | R | 0x4 | | .eh_frame_hdr
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0x6 | RW | 0x10 | |
GNU_RELRO | 0x4e10 | 0x604e10 | 0x604e10 | 0x1f0 | 0x1f0 | 0x4 | R | 0x1 | | .init_array .fini_array .jcr .dynamic .got

Dynamic Tags

Type | Meta | Value | Tag
DT_NEEDED | sharedlib | libc.so.6 | 0x1
DT_INIT | value | 0x401070 | 0xc
DT_FINI | value | 0x40418c | 0xd
DT_INIT_ARRAY | value | 0x604e10 | 0x19
DT_INIT_ARRAYSZ | bytes | 8 | 0x1b
DT_FINI_ARRAY | value | 0x604e18 | 0x1a
DT_FINI_ARRAYSZ | bytes | 8 | 0x1c
DT_GNU_HASH | value | 0x400298 | 0x6ffffef5
DT_STRTAB | value | 0x400880 | 0x5
DT_SYMTAB | value | 0x4002c8 | 0x6
DT_STRSZ | bytes | 446 | 0xa
DT_SYMENT | bytes | 24 | 0xb
DT_DEBUG | value | 0x0 | 0x15
DT_PLTGOT | value | 0x605000 | 0x3
DT_PLTRELSZ | bytes | 1368 | 0x2
DT_PLTREL | pltrel | DT_RELA | 0x14
DT_JMPREL | value | 0x400b18 | 0x17
DT_RELA | value | 0x400ae8 | 0x7
DT_RELASZ | bytes | 48 | 0x8
DT_RELAENT | bytes | 24 | 0x9
DT_VERNEED | value | 0x400ab8 | 0x6ffffffe
DT_VERNEEDNUM | value | 1 | 0x6fffffff
DT_VERSYM | value | 0x400a3e | 0x6ffffff0
DT_NULL | value | 0x0 | 0x0

Symbols

Name | Version Info Name | Version Info File Name | Section Name | Value | Size | Symbol Type | Symbol Bind | Symbol Visibility | Ndx
| | | .dynsym | 0x0 | 0 | NOTYPE | <unknown> | DEFAULT | SHN_UNDEF
__cxa_atexit | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
__environ | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x605200 | 8 | OBJECT | <unknown> | DEFAULT | 25
__gmon_start__ | | | .dynsym | 0x0 | 0 | NOTYPE | <unknown> | DEFAULT | SHN_UNDEF
__libc_start_main | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
_environ | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x605200 | 8 | OBJECT | <unknown> | DEFAULT | 25
_exit | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
accept | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
access | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
bind | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
bzero | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
chdir | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
close | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
connect | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
daemon | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
dup2 | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
environ | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x605200 | 8 | OBJECT | <unknown> | DEFAULT | 25
execve | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
exit | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
fork | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
free | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
getpid | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
getuid | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
grantpt | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
htons | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
inet_ntoa | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
ioctl | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
kill | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
listen | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
malloc | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
memchr | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
memcmp | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
memcpy | GLIBC_2.14 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
memset | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
ntohs | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
open | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
prctl | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
ptsname | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
rand | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
read | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
recvfrom | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
select | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
sendto | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
setsid | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
setsockopt | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
signal | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
sleep | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
snprintf | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
socket | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
srand | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
strcpy | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
strlen | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
strncpy | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
system | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
time | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
unlink | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
unlockpt | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
utimes | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
vhangup | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
waitpid | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
write | GLIBC_2.2.5 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
| | | .symtab | 0x0 | 0 | NOTYPE | <unknown> | DEFAULT | SHN_UNDEF
| GLIBC_2.2.5 | libc.so.6 | .symtab | 0x400238 | 0 | SECTION | <unknown> | DEFAULT | 1
| GLIBC_2.2.5 | libc.so.6 | .symtab | 0x400254 | 0 | SECTION | <unknown> | DEFAULT | 2
| GLIBC_2.2.5 | libc.so.6 | .symtab | 0x400274 | 0 | SECTION | <unknown> | DEFAULT | 3
| GLIBC_2.2.5 | libc.so.6 | .symtab | 0x400298 | 0 | SECTION | <unknown> | DEFAULT | 4
| GLIBC_2.2.5 | libc.so.6 | .symtab | 0x4002c8 | 0 | SECTION | <unknown> | DEFAULT | 5
| GLIBC_2.2.5 | libc.so.6 | .symtab | 0x400880 | 0 | SECTION | <unknown> | DEFAULT | 6
| GLIBC_2.2.5 | libc.so.6 | .symtab | 0x400a3e | 0 | SECTION | <unknown> | DEFAULT | 7
| GLIBC_2.2.5 | libc.so.6 | .symtab | 0x400ab8 | 0 | SECTION | <unknown> | DEFAULT | 8
| GLIBC_2.2.5 | libc.so.6 | .symtab | 0x400ae8 | 0 | SECTION | <unknown> | DEFAULT | 9
| GLIBC_2.2.5 | libc.so.6 | .symtab | 0x400b18 | 0 | SECTION | <unknown> | DEFAULT | 10
| GLIBC_2.2.5 | libc.so.6 | .symtab | 0x401070 | 0 | SECTION | <unknown> | DEFAULT | 11
| GLIBC_2.2.5 | libc.so.6 | .symtab | 0x401090 | 0 | SECTION | <unknown> | DEFAULT | 12
| GLIBC_2.2.5 | libc.so.6 | .symtab | 0x401430 | 0 | SECTION | <unknown> | DEFAULT | 13
| GLIBC_2.2.5 | libc.so.6 | .symtab | 0x40418c | 0 | SECTION | <unknown> | DEFAULT | 14
| GLIBC_2.2.5 | libc.so.6 | .symtab | 0x4041a0 | 0 | SECTION | <unknown> | DEFAULT | 15
| GLIBC_2.2.5 | libc.so.6 | .symtab | 0x404408 | 0 | SECTION | <unknown> | DEFAULT | 16
| GLIBC_2.2.5 | libc.so.6 | .symtab | 0x404508 | 0 | SECTION | <unknown> | DEFAULT | 17
| GLIBC_2.2.5 | libc.so.6 | .symtab | 0x604e10 | 0 | SECTION | <unknown> | DEFAULT | 18
| GLIBC_2.2.5 | libc.so.6 | .symtab | 0x604e18 | 0 | SECTION | <unknown> | DEFAULT | 19
| GLIBC_2.2.5 | libc.so.6 | .symtab | 0x604e20 | 0 | SECTION | <unknown> | DEFAULT | 20
| GLIBC_2.2.5 | libc.so.6 | .symtab | 0x604e28 | 0 | SECTION | <unknown> | DEFAULT | 21
| GLIBC_2.2.5 | libc.so.6 | .symtab | 0x604ff8 | 0 | SECTION | <unknown> | DEFAULT | 22
| GLIBC_2.2.5 | libc.so.6 | .symtab | 0x605000 | 0 | SECTION | <unknown> | DEFAULT | 23
| GLIBC_2.2.5 | libc.so.6 | .symtab | 0x6051e0 | 0 | SECTION | <unknown> | DEFAULT | 24
| GLIBC_2.2.5 | libc.so.6 | .symtab | 0x605200 | 0 | SECTION | <unknown> | DEFAULT | 25
| GLIBC_2.2.5 | libc.so.6 | .symtab | 0x0 | 0 | SECTION | <unknown> | DEFAULT | 26
| GLIBC_2.2.5 | libc.so.6 | .symtab | 0x0 | 0 | FILE | <unknown> | DEFAULT | SHN_ABS
_DYNAMIC | GLIBC_2.2.5 | libc.so.6 | .symtab | 0x604e28 | 0 | OBJECT | <unknown> | DEFAULT | 21
_GLOBAL_OFFSET_TABLE_ | GLIBC_2.2.5 | libc.so.6 | .symtab | 0x605000 | 0 | OBJECT | <unknown> | DEFAULT | 23
_IO_stdin_used | | | .symtab | 0x4041a0 | 4 | OBJECT | <unknown> | DEFAULT | 15
_ITM_deregisterTMCloneTable | GLIBC_2.2.5 | libc.so.6 | .symtab | 0x0 | 0 | NOTYPE | <unknown> | DEFAULT | SHN_UNDEF
_ITM_registerTMCloneTable | | | .symtab | 0x0 | 0 | NOTYPE | <unknown> | DEFAULT | SHN_UNDEF
_Jv_RegisterClasses | | | .symtab | 0x0 | 0 | NOTYPE | <unknown> | DEFAULT | SHN_UNDEF
__FRAME_END__ | GLIBC_2.2.5 | libc.so.6 | .symtab | 0x404910 | 0 | OBJECT | <unknown> | DEFAULT | 17
__JCR_END__ | GLIBC_2.2.5 | libc.so.6 | .symtab | 0x604e20 | 0 | OBJECT | <unknown> | DEFAULT | 20
__JCR_LIST__ | GLIBC_2.2.5 | libc.so.6 | .symtab | 0x604e20 | 0 | OBJECT | <unknown> | DEFAULT | 20
__TMC_END__ | | | .symtab | 0x6051e8 | 0 | OBJECT | <unknown> | HIDDEN | 24
__bss_start | | | .symtab | 0x6051e4 | 0 | NOTYPE | <unknown> | DEFAULT | 25
__cxa_atexit@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
__data_start | | | .symtab | 0x6051e0 | 0 | NOTYPE | <unknown> | DEFAULT | 24
__do_global_dtors_aux | GLIBC_2.2.5 | libc.so.6 | .symtab | 0x4014d0 | 0 | FUNC | <unknown> | DEFAULT | 13
__do_global_dtors_aux_fini_array_entry | GLIBC_2.14 | libc.so.6 | .symtab | 0x604e18 | 0 | OBJECT | <unknown> | DEFAULT | 19
__dso_handle | | | .symtab | 0x4041a8 | 0 | OBJECT | <unknown> | HIDDEN | 15
__environ@@GLIBC_2.2.5 | | | .symtab | 0x605200 | 8 | OBJECT | <unknown> | DEFAULT | 25
__frame_dummy_init_array_entry | GLIBC_2.2.5 | libc.so.6 | .symtab | 0x604e10 | 0 | OBJECT | <unknown> | DEFAULT | 18
__gmon_start__ | | | .symtab | 0x0 | 0 | NOTYPE | <unknown> | DEFAULT | SHN_UNDEF
__init_array_end | GLIBC_2.2.5 | libc.so.6 | .symtab | 0x604e18 | 0 | NOTYPE | <unknown> | DEFAULT | 18
__init_array_start | GLIBC_2.2.5 | libc.so.6 | .symtab | 0x604e10 | 0 | NOTYPE | <unknown> | DEFAULT | 18
__libc_csu_fini | GLIBC_2.2.5 | libc.so.6 | .symtab | 0x404160 | 2 | FUNC | <unknown> | DEFAULT | 13
__libc_csu_init | | | .symtab | 0x4040f0 | 101 | FUNC | <unknown> | DEFAULT | 13
__libc_start_main@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
_edata | | | .symtab | 0x6051e4 | 0 | NOTYPE | <unknown> | DEFAULT | 24
_end | | | .symtab | 0x6056f8 | 0 | NOTYPE | <unknown> | DEFAULT | 25
_exit@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
_fini | | | .symtab | 0x40418c | 0 | FUNC | <unknown> | DEFAULT | 14
_init | | | .symtab | 0x401070 | 0 | FUNC | <unknown> | DEFAULT | 11
_start | | | .symtab | 0x401430 | 0 | FUNC | <unknown> | DEFAULT | 13
a.c | GLIBC_2.2.5 | libc.so.6 | .symtab | 0x0 | 0 | FILE | <unknown> | DEFAULT | SHN_ABS
accept@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
access@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
argv0 | | | .symtab | 0x605210 | 8 | OBJECT | <unknown> | DEFAULT | 25
atexit | | | .symtab | 0x404170 | 26 | FUNC | <unknown> | HIDDEN | 13
b | | | .symtab | 0x4027a1 | 222 | FUNC | <unknown> | DEFAULT | 13
bind@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
bzero@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
cfg | | | .symtab | 0x605360 | 548 | OBJECT | <unknown> | DEFAULT | 25
chdir@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
close@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
completed.6342 | | | .symtab | 0x605208 | 1 | OBJECT | <unknown> | DEFAULT | 25
connect@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
cread | | | .symtab | 0x4017ba | 90 | FUNC | <unknown> | DEFAULT | 13
crtstuff.c | GLIBC_2.2.5 | libc.so.6 | .symtab | 0x0 | 0 | FILE | <unknown> | DEFAULT | SHN_ABS
crtstuff.c | GLIBC_2.2.5 | libc.so.6 | .symtab | 0x0 | 0 | FILE | <unknown> | DEFAULT | SHN_ABS
crypt_ctx | | | .symtab | 0x6055a0 | 258 | OBJECT | <unknown> | DEFAULT | 25
cwrite | | | .symtab | 0x401722 | 152 | FUNC | <unknown> | DEFAULT | 13
daemon@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
data_start | | | .symtab | 0x6051e0 | 0 | NOTYPE | <unknown> | DEFAULT | 24
decrypt_ctx | GLIBC_2.2.5 | libc.so.6 | .symtab | 0x605240 | 258 | OBJECT | <unknown> | DEFAULT | 25
deregister_tm_clones | GLIBC_2.2.5 | libc.so.6 | .symtab | 0x401460 | 0 | FUNC | <unknown> | DEFAULT | 13
dup2@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
environ@@GLIBC_2.2.5 | | | .symtab | 0x605200 | 8 | OBJECT | <unknown> | DEFAULT | 25
execve@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
exit@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
fork@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
frame_dummy | GLIBC_2.2.5 | libc.so.6 | .symtab | 0x4014f0 | 0 | FUNC | <unknown> | DEFAULT | 13
free@@GLIBC_2.2.5 | GLIBC_2.2.5 | libc.so.6 | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
getpid@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
getshell | | | .symtab | 0x4028c5 | 2321 | FUNC | <unknown> | DEFAULT | 13
getuid@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
godpid | | | .symtab | 0x605344 | 4 | OBJECT | <unknown> | DEFAULT | 25
grantpt@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
htons@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
inet_ntoa@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
init_signal | GLIBC_2.2.5 | libc.so.6 | .symtab | 0x4018a8 | 32 | FUNC | <unknown> | DEFAULT | 13
ioctl@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
kill@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
listen@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
logon | | | .symtab | 0x402292 | 118 | FUNC | <unknown> | DEFAULT | 13
main | | | .symtab | 0x403e2e | 702 | FUNC | <unknown> | DEFAULT | 13
malloc@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
memchr@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
memcmp@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
memcpy@@GLIBC_2.14 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
memset@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
mon | GLIBC_2.2.5 | libc.so.6 | .symtab | 0x401b48 | 169 | FUNC | <unknown> | DEFAULT | 13
ntohs@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
on_terminate | GLIBC_2.2.5 | libc.so.6 | .symtab | 0x401896 | 18 | FUNC | <unknown> | DEFAULT | 13
open@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
open_tty | GLIBC_2.2.5 | libc.so.6 | .symtab | 0x401a67 | 86 | FUNC | <unknown> | DEFAULT | 13
packet_loop | | | .symtab | 0x402308 | 1177 | FUNC | <unknown> | DEFAULT | 13
pid_path | | | .symtab | 0x6056c0 | 50 | OBJECT | <unknown> | DEFAULT | 25
prctl@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
ptsname@@GLIBC_2.2.5 | GLIBC_2.2.5 | libc.so.6 | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
pty | GLIBC_2.2.5 | libc.so.6 | .symtab | 0x605220 | 4 | OBJECT | <unknown> | DEFAULT | 25
ptym_open | | | .symtab | 0x4018f8 | 197 | FUNC | <unknown> | DEFAULT | 13
ptys_open | | | .symtab | 0x4019bd | 170 | FUNC | <unknown> | DEFAULT | 13
rand@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
rc4 | | | .symtab | 0x401625 | 253 | FUNC | <unknown> | DEFAULT | 13
rc4_init | | | .symtab | 0x40154f | 214 | FUNC | <unknown> | DEFAULT | 13
read@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
recvfrom@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
register_tm_clones | GLIBC_2.2.5 | libc.so.6 | .symtab | 0x401490 | 0 | FUNC | <unknown> | DEFAULT | 13
remove_pid | GLIBC_2.2.5 | libc.so.6 | .symtab | 0x401814 | 26 | FUNC | <unknown> | DEFAULT | 13
select@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
sendto@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
set_proc_name | | | .symtab | 0x401bf1 | 626 | FUNC | <unknown> | DEFAULT | 13
setsid@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
setsockopt@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
setup_time | GLIBC_2.2.5 | libc.so.6 | .symtab | 0x40182e | 65 | FUNC | <unknown> | DEFAULT | 13
shell | | | .symtab | 0x4031d6 | 3160 | FUNC | <unknown> | DEFAULT | 13
sig_child | | | .symtab | 0x4018c8 | 48 | FUNC | <unknown> | DEFAULT | 13
signal@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
sleep@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
snprintf@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
socket@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
srand@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
strcpy@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
strlen@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
strncpy@@GLIBC_2.2.5 | GLIBC_2.2.5 | libc.so.6 | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
system@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
terminate | GLIBC_2.2.5 | libc.so.6 | .symtab | 0x40186f | 39 | FUNC | <unknown> | DEFAULT | 13
time@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
to_open | | | .symtab | 0x401e63 | 1071 | FUNC | <unknown> | DEFAULT | 13
try_link | GLIBC_2.2.5 | libc.so.6 | .symtab | 0x401abd | 139 | FUNC | <unknown> | DEFAULT | 13
tty | | | .symtab | 0x605348 | 4 | OBJECT | <unknown> | DEFAULT | 25
unlink@@GLIBC_2.2.5 | GLIBC_2.2.5 | libc.so.6 | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
unlockpt@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
utimes@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
vhangup@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
w | | | .symtab | 0x40287f | 70 | FUNC | <unknown> | DEFAULT | 13
waitpid@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
write@@GLIBC_2.2.5 | | | .symtab | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
xchg | | | .symtab | 0x401520 | 47 | FUNC | <unknown> | DEFAULT | 13

Network Behavior

Network Port Distribution

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 28, 2019 17:42:16.240053892 CET | 59560 | 53 | 192.168.2.20 | 8.8.8.8
Oct 28, 2019 17:42:16.240307093 CET | 47449 | 53 | 192.168.2.20 | 8.8.8.8
Oct 28, 2019 17:42:16.253628016 CET | 53 | 59560 | 8.8.8.8 | 192.168.2.20
Oct 28, 2019 17:42:16.254373074 CET | 53 | 47449 | 8.8.8.8 | 192.168.2.20

System Behavior

General

Start time:17:42:04
Start date:28/10/2019
Path:/tmp/m8XMnec4Vb.elf
Arguments:/tmp/m8XMnec4Vb.elf
File size:28832 bytes
MD5 hash:0017f7b913ce66e4d80f7e78cf830a2b

General

Start time:17:42:04
Start date:28/10/2019
Path:/tmp/m8XMnec4Vb.elf
Arguments:n/a
File size:28832 bytes
MD5 hash:0017f7b913ce66e4d80f7e78cf830a2b

General

Start time:17:42:04
Start date:28/10/2019
Path:/bin/dash
Arguments:sh -c "/bin/rm -f /dev/shm/kdmtmpflush;/bin/cp /tmp/m8XMnec4Vb.elf /dev/shm/kdmtmpflush && /bin/chmod 755 /dev/shm/kdmtmpflush && /dev/shm/kdmtmpflush --init && /bin/rm -f /dev/shm/kdmtmpflush"
File size:154072 bytes
MD5 hash:e02ea3c3450d44126c46d658fa9e654c

General

Start time:17:42:04
Start date:28/10/2019
Path:/bin/dash
Arguments:n/a
File size:154072 bytes
MD5 hash:e02ea3c3450d44126c46d658fa9e654c

General

Start time:17:42:04
Start date:28/10/2019
Path:/bin/rm
Arguments:/bin/rm -f /dev/shm/kdmtmpflush
File size:60272 bytes
MD5 hash:b79876063d894c449856cca508ecca7f

General

Start time:17:42:04
Start date:28/10/2019
Path:/bin/dash
Arguments:n/a
File size:154072 bytes
MD5 hash:e02ea3c3450d44126c46d658fa9e654c

General

Start time:17:42:04
Start date:28/10/2019
Path:/bin/cp
Arguments:/bin/cp /tmp/m8XMnec4Vb.elf /dev/shm/kdmtmpflush
File size:151024 bytes
MD5 hash:b9c85244be9733bc79eca588db7bf306

General

Start time:17:42:04
Start date:28/10/2019
Path:/bin/dash
Arguments:n/a
File size:154072 bytes
MD5 hash:e02ea3c3450d44126c46d658fa9e654c

General

Start time:17:42:04
Start date:28/10/2019
Path:/bin/chmod
Arguments:/bin/chmod 755 /dev/shm/kdmtmpflush
File size:56112 bytes
MD5 hash:32c8c7318223ebc5b934a78cfc153d6f

General

Start time:17:42:04
Start date:28/10/2019
Path:/bin/dash
Arguments:n/a
File size:154072 bytes
MD5 hash:e02ea3c3450d44126c46d658fa9e654c

General

Start time:17:42:04
Start date:28/10/2019
Path:/dev/shm/kdmtmpflush
Arguments:/dev/shm/kdmtmpflush --init
File size:0 bytes
MD5 hash:unknown

General

Start time:17:42:04
Start date:28/10/2019
Path:/dev/shm/kdmtmpflush
Arguments:n/a
File size:0 bytes
MD5 hash:unknown

General

Start time:17:42:04
Start date:28/10/2019
Path:/bin/dash
Arguments:n/a
File size:154072 bytes
MD5 hash:e02ea3c3450d44126c46d658fa9e654c

General

Start time:17:42:04
Start date:28/10/2019
Path:/bin/rm
Arguments:/bin/rm -f /dev/shm/kdmtmpflush
File size:60272 bytes
MD5 hash:b79876063d894c449856cca508ecca7f