
Analysis Report MGTyV3yLFW

Overview

General Information

Sample Name: MGTyV3yLFW
Analysis ID: 321442
MD5: 9a0e765eecc5433af3dc726206ecc56e
SHA1: 5996d02c142588b6c1ed850e461845458bd94d17
SHA256: 35ff79dd456fe3054a60fe0a16f38bf5fc3928e1e8439ca4d945573f8c48c0b8

Detection

Score: 68
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Creates hidden files and/or directories
Executes the "grep" command used to find patterns in files or piped streams
Executes the "mkdir" command used to create folders
Executes the "mktemp" command used to create a temporary unique file name
Executes the "rm" command used to delete files or directories
Executes the "sleep" command used to delay execution and potentially evade sandboxes
Sample contains symbols with suspicious names
Sample has stripped symbol table
Yara signature match

Classification

Startup

  • system is lnxubuntu1
  • dash New Fork (PID: 3190, Parent: 3189)
  • sed (PID: 3190, Parent: 3189, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3191, Parent: 3189)
  • sort (PID: 3191, Parent: 3189, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3192, Parent: 2524)
  • sleep (PID: 3192, Parent: 2524, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3218, Parent: 3217)
  • sed (PID: 3218, Parent: 3217, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3219, Parent: 3217)
  • sort (PID: 3219, Parent: 3217, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3223, Parent: 2524)
  • sleep (PID: 3223, Parent: 2524, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3246, Parent: 3245)
  • sed (PID: 3246, Parent: 3245, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3247, Parent: 3245)
  • sort (PID: 3247, Parent: 3245, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3248, Parent: 2524)
  • sleep (PID: 3248, Parent: 2524, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3274, Parent: 3273)
  • sed (PID: 3274, Parent: 3273, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3275, Parent: 3273)
  • sort (PID: 3275, Parent: 3273, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3279, Parent: 2524)
  • sleep (PID: 3279, Parent: 2524, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3302, Parent: 3301)
  • sed (PID: 3302, Parent: 3301, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3303, Parent: 3301)
  • sort (PID: 3303, Parent: 3301, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3307, Parent: 2524)
  • sleep (PID: 3307, Parent: 2524, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3330, Parent: 3329)
  • sed (PID: 3330, Parent: 3329, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3331, Parent: 3329)
  • sort (PID: 3331, Parent: 3329, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3332, Parent: 2524)
  • sleep (PID: 3332, Parent: 2524, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3358, Parent: 3357)
  • sed (PID: 3358, Parent: 3357, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3359, Parent: 3357)
  • sort (PID: 3359, Parent: 3357, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3370, Parent: 2524)
  • sleep (PID: 3370, Parent: 2524, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3386, Parent: 3385)
  • sed (PID: 3386, Parent: 3385, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3387, Parent: 3385)
  • sort (PID: 3387, Parent: 3385, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3402, Parent: 2524)
  • sleep (PID: 3402, Parent: 2524, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3414, Parent: 3413)
  • sed (PID: 3414, Parent: 3413, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3415, Parent: 3413)
  • sort (PID: 3415, Parent: 3413, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3427, Parent: 2524)
  • sleep (PID: 3427, Parent: 2524, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3442, Parent: 3441)
  • sed (PID: 3442, Parent: 3441, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3443, Parent: 3441)
  • sort (PID: 3443, Parent: 3441, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3455, Parent: 2524)
  • sleep (PID: 3455, Parent: 2524, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3485, Parent: 3484)
  • sed (PID: 3485, Parent: 3484, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3486, Parent: 3484)
  • sort (PID: 3486, Parent: 3484, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3487, Parent: 2524)
  • sleep (PID: 3487, Parent: 2524, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3513, Parent: 3512)
  • sed (PID: 3513, Parent: 3512, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3514, Parent: 3512)
  • sort (PID: 3514, Parent: 3512, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3528, Parent: 2524)
  • sleep (PID: 3528, Parent: 2524, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3541, Parent: 3540)
  • sed (PID: 3541, Parent: 3540, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3542, Parent: 3540)
  • sort (PID: 3542, Parent: 3540, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3543, Parent: 2524)
  • sleep (PID: 3543, Parent: 2524, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3569, Parent: 3568)
  • sed (PID: 3569, Parent: 3568, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3570, Parent: 3568)
  • sort (PID: 3570, Parent: 3568, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3585, Parent: 2524)
  • sleep (PID: 3585, Parent: 2524, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3596, Parent: 2524)
  • sed (PID: 3596, Parent: 2524, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DOMAINS=/ { s/^.*=/search /; p}" /run/systemd/netif/state
  • dash New Fork (PID: 3597, Parent: 2524)
  • resolvconf (PID: 3597, Parent: 2524, MD5: 4e4ff2bfda7a6d18405a462937b63a2e) Arguments: /bin/sh /sbin/resolvconf -a networkd
    • mkdir (PID: 3609, Parent: 3597, MD5: a97f666f21c85ec62ea47d022263ef41) Arguments: mkdir -p /run/resolvconf/interface
    • resolvconf New Fork (PID: 3616, Parent: 3597)
      • sed (PID: 3617, Parent: 3616, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -e s/#.*$// -e s/[[:blank:]]\\+$// -e s/^[[:blank:]]\\+// -e "s/[[:blank:]]\\+/ /g" -e "/^nameserver/!b ENDOFCYCLE" -e "s/$/ /" -e "s/\\([:. ]\\)0\\+/\\10/g" -e "s/\\([:. ]\\)0\\([123456789abcdefABCDEF][[:xdigit:]]*\\)/\\1\\2/g" -e "/::/b ENDOFCYCLE; s/ \\(0[: ]\\)\\+/ ::/" -e "/::/b ENDOFCYCLE; s/:\\(0[: ]\\)\\+/::/" -e ": ENDOFCYCLE" -
      • sed (PID: 3618, Parent: 3616, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -e s/[[:blank:]]\\+$// -e /^$/d
  • dash New Fork (PID: 3647, Parent: 2079)
  • mkdir (PID: 3647, Parent: 2079, MD5: a97f666f21c85ec62ea47d022263ef41) Arguments: mkdir -p /home/user/.cache/logrotate
  • dash New Fork (PID: 3648, Parent: 2079)
  • mkdir (PID: 3648, Parent: 2079, MD5: a97f666f21c85ec62ea47d022263ef41) Arguments: mkdir -p /home/user/.cache/upstart
  • dash New Fork (PID: 3649, Parent: 2079)
  • egrep (PID: 3649, Parent: 2079, MD5: ef55d1537377114cc24cdc398fbdd930) Arguments: /bin/sh /bin/egrep [^[:print:]] /home/user/.cache/logrotate/status
  • grep (PID: 3649, Parent: 2079, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -E [^[:print:]] /home/user/.cache/logrotate/status
  • dash New Fork (PID: 3651, Parent: 2079)
  • mktemp (PID: 3651, Parent: 2079, MD5: 91cf2e2a84f3b49fdecdd8b631902009) Arguments: mktemp
  • dash New Fork (PID: 3712, Parent: 2079)
  • cat (PID: 3712, Parent: 2079, MD5: efa10d52f37361f2e3a5d22742f0fcc4) Arguments: cat
  • dash New Fork (PID: 3720, Parent: 2079)
  • logrotate (PID: 3720, Parent: 2079, MD5: d0eaf9942936032d217478b93e9cd4b1) Arguments: logrotate -s /home/user/.cache/logrotate/status /tmp/tmp.s1YjGIpgkp
    • gzip (PID: 3721, Parent: 3720, MD5: 25ea567880cec4ac02e7a77ad304e3c6) Arguments: /bin/gzip
    • gzip (PID: 3722, Parent: 3720, MD5: 25ea567880cec4ac02e7a77ad304e3c6) Arguments: /bin/gzip
    • gzip (PID: 3728, Parent: 3720, MD5: 25ea567880cec4ac02e7a77ad304e3c6) Arguments: /bin/gzip
    • gzip (PID: 3733, Parent: 3720, MD5: 25ea567880cec4ac02e7a77ad304e3c6) Arguments: /bin/gzip
    • gzip (PID: 3755, Parent: 3720, MD5: 25ea567880cec4ac02e7a77ad304e3c6) Arguments: /bin/gzip
    • gzip (PID: 3782, Parent: 3720, MD5: 25ea567880cec4ac02e7a77ad304e3c6) Arguments: /bin/gzip
    • gzip (PID: 3783, Parent: 3720, MD5: 25ea567880cec4ac02e7a77ad304e3c6) Arguments: /bin/gzip
  • dash New Fork (PID: 3784, Parent: 2079)
  • rm (PID: 3784, Parent: 2079, MD5: b79876063d894c449856cca508ecca7f) Arguments: rm -f /tmp/tmp.s1YjGIpgkp
  • cleanup

Yara Overview

Initial Sample

Source | Rule | Description | Author
MGTyV3yLFW | NetWiredRC_B | NetWiredRC | Jean-Philippe Teissier / @Jipe_
Strings:
  • 0xe74f:$str4: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
  • 0xe095:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d
  • 0xe757:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d
  • 0xe955:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d
  • 0xe69d:$klg1: [Backspace]
  • 0xe72e:$klg2: [Enter]
  • 0xe6d8:$klg3: [Tab]
  • 0xe66a:$klg4: [Arrow Left]
  • 0xe677:$klg5: [Arrow Up]
  • 0xe682:$klg6: [Arrow Right]
  • 0xe690:$klg7: [Arrow Down]
  • 0xe6de:$klg8: [Home]
  • 0xe6e5:$klg9: [Page Up]
  • 0xe6ef:$klg10: [Page Down]
  • 0xe6fb:$klg11: [End]
  • 0xe709:$klg12: [Break]
  • 0xe6a9:$klg13: [Delete]
  • 0xe711:$klg14: [Insert]
  • 0xe736:$klg15: [Print Screen]
  • 0xe71a:$klg16: [Scroll Lock]
  • 0xe651:$klg17: [Caps Lock]

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: MGTyV3yLFW | Avira: detected
Multi AV Scanner detection for submitted file
Source: MGTyV3yLFW | Virustotal: Detection: 68%
Source: MGTyV3yLFW | Metadefender: Detection: 67%
Source: MGTyV3yLFW | ReversingLabs: Detection: 77%
Machine Learning detection for sample
Source: MGTyV3yLFW | Joe Sandbox ML: detected

System Summary:

Malicious sample detected (through community Yara rule)
Source: MGTyV3yLFW, type: SAMPLE | Matched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_
Source: ELF static info symbol of initial sample | Name: DecodeSQLitePayloadData
Source: ELF static info symbol of initial sample | Name: GetChromiumPasswords
Source: ELF static info symbol of initial sample | Name: GetGoogleChromePasswords
Source: ELF static info symbol of initial sample | Name: GetMozillaProductPasswords
Source: ELF static info symbol of initial sample | Name: GetPidginPasswords
Source: ELF static info symbol of initial sample | Name: Password
Source: ELF static info symbol of initial sample | Name: cpGetUsername
Source: ELF static info symbol of initial sample | .symtab present: no
Source: MGTyV3yLFW, type: SAMPLE | Matched rule: NetWiredRC_B date = 2014-12-23, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = NetWiredRC, version = 1.1
Source: classification engine | Classification label: mal68.lin@0/9@0/0
Source: /bin/mkdir (PID: 3647) | Directory: .cache
Source: /bin/mkdir (PID: 3648) | Directory: .cache
Source: /bin/egrep (PID: 3649) | Grep executable: /bin/grep -> grep -E [^[:print:]] /home/user/.cache/logrotate/status
Source: /sbin/resolvconf (PID: 3609) | Mkdir executable: /bin/mkdir -> mkdir -p /run/resolvconf/interface
Source: /bin/dash (PID: 3647) | Mkdir executable: /bin/mkdir -> mkdir -p /home/user/.cache/logrotate
Source: /bin/dash (PID: 3648) | Mkdir executable: /bin/mkdir -> mkdir -p /home/user/.cache/upstart
Source: /bin/dash (PID: 3651) | Mktemp executable: /bin/mktemp -> mktemp
Source: /bin/dash (PID: 3784) | Rm executable: /bin/rm -> rm -f /tmp/tmp.s1YjGIpgkp
Source: /bin/dash (PID: 3192) | Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3223) | Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3248) | Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3279) | Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3307) | Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3332) | Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3370) | Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3402) | Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3427) | Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3455) | Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3487) | Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3528) | Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3543) | Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3585) | Sleep executable: /bin/sleep -> sleep 1

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | Masquerading (1) | OS Credential Dumping | System Service Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Hidden Files and Directories (1) | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | File Deletion (1) | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
(The number in parentheses is the count of matched signatures for that technique.)

Behavior Graph

Behavior Graph ID: 321442 | Sample: MGTyV3yLFW | Start date: 22/11/2020 | Architecture: LINUX | Score: 68

Signatures attached to the root node: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Machine Learning detection for sample.

Process edges shown in the graph: the root started dash/logrotate, dash/resolvconf, dash/egrep/grep and 48 other processes; logrotate started gzip (three shown, 4 other processes); resolvconf started a child resolvconf and mkdir; the child resolvconf started two sed instances.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
MGTyV3yLFW | 69% | Virustotal |
MGTyV3yLFW | 68% | Metadefender |
MGTyV3yLFW | 77% | ReversingLabs | Linux.Trojan.NetWeirdRc
MGTyV3yLFW | 100% | Avira | LINUX/Wirenet.A
MGTyV3yLFW | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 321442
Start date: 22.11.2020
Start time: 06:17:29
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 24s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: MGTyV3yLFW
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Detection: MAL
Classification: mal68.lin@0/9@0/0


Runtime Messages

Command: /tmp/MGTyV3yLFW
Exit Code: 255
Exit Code Info:
Killed: False
Standard Output:

Standard Error:

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

/home/user/.cache/logrotate/status.tmp
Process: /usr/sbin/logrotate
File Type: ASCII text
Category: dropped
Size (bytes): 1080
Entropy (8bit): 4.848386448487773
Encrypted: false
SSDEEP: 24:fOeWfnS8JWfnrQDLWfnw7WfnDvMTSbWMHtW8MF8iQlSwWfnRvu:2elIsknsHtWbFL2sG
MD5: C856E7FFD320C2562194B1FA01EDE94E
SHA1: 9D0035D2FAC642BA6BCC13553EA522D65F60A8F4
SHA-256: 793CD30D83F9AB30819601D73964D40060B0888385FD0A99FFB83B5606430E73
SHA-512: 4B85BFFF3F757809A9E4DD4BA08442D6400611CF8EA64EB2F0642EBF4136DDACDD3BE4A7C0EB6AA33F5B5635A925FDA5C16ED86F3F262185B39D9E3CEE9D2DA0
Malicious: false
Reputation: low
Preview: logrotate state -- version 2."/home/user/.cache/upstart/indicator-application.log" 2018-5-7-11:38:22."/home/user/.cache/upstart/indicator-sound.log" 2018-5-7-10:33:19."/home/user/.cache/upstart/indicator-session.log" 2018-5-7-11:38:22."/home/user/.cache/upstart/dbus.log" 2020-11-22-7:18:15."/home/user/.cache/upstart/gnome-keyring-ssh.log" 2020-11-22-7:18:15."/home/user/.cache/upstart/indicator-bluetooth.log" 2018-5-7-11:38:22."/home/user/.cache/upstart/indicator-datetime.log" 2018-5-7-11:38:22."/home/user/.cache/upstart/startxfce4.log" 2020-11-22-7:18:15."/home/user/.cache/upstart/update-notifier-release.log" 2020-11-22-7:18:15."/home/user/.cache/upstart/ssh-agent.log" 2020-11-22-7:18:15."/home/user/.cache/upstart/update-notifier-crash-_var_crash__usr_bin_blueman-applet.0.crash.log" 2018-5-7-10:33:19."/home/user/.cache/upstart/indicator-keyboard.log" 2018-5-7-10:33:19."/home/user/.cache/upstart/upstart-event-bridge.log" 2020-11-22-7:18:15."/home/user/.cache/upstart/indicator-power.log"
/home/user/.cache/upstart/dbus.log.1.gz
Process: /bin/gzip
File Type: Sun Nov 22 05:17:34 2020, from Unix
Category: dropped
Size (bytes): 267
Entropy (8bit): 7.1840953006551365
Encrypted: false
SSDEEP: 6:X31YlQuom0gW0F46ASWpC8t0BEP80ryEbjL+swraiuWRGI:X31/nLT0F48WUTBEEAJPyROi0I
MD5: B725F19E6A1127ACD11E10BA4B3BD6CE
SHA1: DDD15B156D604B604932115333B7C58921E602D1
SHA-256: 25EC0026C6755BC269EA9A498887A4000AFB93A519AE94BD9B4B109A1FCDC1B8
SHA-512: 0A8686CDE149E6737AEFC111B610C21E7C1DBF33DA968EA19F85CA962488030CD6AB0D7D468E7670F73B2D8AB04523DD34EE4C023F3090C49B7F255C77E7E50B
Malicious: false
Reputation: low
/home/user/.cache/upstart/gnome-keyring-ssh.log.1.gz
Process: /bin/gzip
File Type: Mon Jul 27 09:05:22 2020, from Unix
Category: dropped
Size (bytes): 99
Entropy (8bit): 6.129257882662173
Encrypted: false
SSDEEP: 3:FtPaGuofByOJ9+JbgcpuvfIMGddoffEwZW/l:XPa25NrQbgYuoMBfMsGl
MD5: 2B8D9549C00943FB9FFC73FD80E6AC1A
SHA1: E6348E8BB25396F0542E7E74AE30AF03F48E237E
SHA-256: 606AE477FACBE88A7BF8C1718AE0259E50487BB5F98B80F0E2895DD799BBE858
SHA-512: C2CA8D2DFC0B0E28FDB3E94EF2BE74D7D663E9943EE55D03F9F8C8E1425AC4C0C07391020DEE0931EC9967185BDD75BDA438BC413DDBC6AB18D2EF28388C9D59
Malicious: false
Reputation: moderate, very likely benign file
/home/user/.cache/upstart/gpg-agent.log.1.gz
Process: /bin/gzip
File Type: Mon Jul 27 09:05:26 2020, from Unix
Category: dropped
Size (bytes): 109
Entropy (8bit): 6.285347714840308
Encrypted: false
SSDEEP: 3:Ft+KspyDBmKyr7JtqZioTFBkdMl/:X+KspyDB94JtYPk+
MD5: 13A3054AF030A536BDA784F022481B4C
SHA1: 062CEC7C61E642887CE10970A7353066C4283DFD
SHA-256: 0D9475D2511F0A2C555242326C2D4EB69E4456726BDDB84913B95EC59F8FDCF6
SHA-512: EB0A9DDC9D084934F42DF3AC9FE92CE534A841B38F6008774F29788EEFEC4FD22BFE12570B30558A351755347E92742C867B3B65E0616294146C390FB60A3388
Malicious: false
Reputation: moderate, very likely benign file
/home/user/.cache/upstart/ssh-agent.log.1.gz
Process: /bin/gzip
File Type: Mon Jul 27 09:05:22 2020, from Unix
Category: dropped
Size (bytes): 60
Entropy (8bit): 5.121567004295788
Encrypted: false
SSDEEP: 3:FtPa5qBO0YYLB0trI1mlwdn:XPa5W2Yt02g6n
MD5: 32CF70DC61DECD8DFBC64EB2F2529FAC
SHA1: DAC70D15E4E11407299DC63AAA6774A2393C2316
SHA-256: 5F46EF0AAB4AD28F5384537011EDB096F22592BE4EA83194C1A52A11ECAD51D5
SHA-512: D89B691D4403CB3B836F4B50795046DE26AC588D2C03020EC9B944B97259DD7ED759509229E92B601C5050F2A43DCAFA0D098E2EE5E324A56F69E1EE4BB35E87
Malicious: false
Reputation: moderate, very likely benign file
/home/user/.cache/upstart/startxfce4.log.1.gz
Process: /bin/gzip
File Type: Sun Nov 22 06:17:58 2020, from Unix
Category: dropped
Size (bytes): 1151
Entropy (8bit): 7.83913025501126
Encrypted: false
SSDEEP: 24:XUH9+BojMnJnBU5Lk9eIEtZHE9LYIOzgczACtLQ1vzKpDk/aR:X0+iI9u5LCEtFE9LBOzjACEKQA
MD5: ECC112ED0F24742CD719D9CA76C9D02C
SHA1: 90B502A6F2BD9CCFA9A10C9A8E334B961780158B
SHA-256: 5A9125BE2B63F2E23D11D0A663C229C4DE6F56583EE26A23427A07BED488A085
SHA-512: DA40F1AB96EF14CE3DDCB0C9FAC55A21722BE9B9C2561AFD165187A9FE42101E8A6C2238A1389A44BCB04C112E897A95321CAC61610BF764347354DF4683C645
Malicious: false
Reputation: low
/home/user/.cache/upstart/update-notifier-release.log.1.gz
Process: /bin/gzip
File Type: Mon Jul 27 09:05:22 2020, from Unix
Category: dropped
Size (bytes): 73
Entropy (8bit): 5.311208593298957
Encrypted: false
SSDEEP: 3:FtPacK82rsFX+TP4P2gt:XPacf2rNWt
MD5: 6B9C8B79E6508C02BCACF1C11363D3BC
SHA1: F450E69D5A258FCF4D89E7CDB1FBD7EEC5E19A77
SHA-256: 735DFDFE533A05589BFDC9044627395F29312064CFBA09CCB60E010AEC692411
SHA-512: AAE4EF554245D1419335B80EA6ED0E357FCC7032BF991D4808B8A2E09F671BA318B7EF0A8824FA334D6B51EF7104351461814D1EE096D357305914A83380CC35
Malicious: false
Reputation: moderate, very likely benign file
/home/user/.cache/upstart/upstart-event-bridge.log.1.gz
Process: /bin/gzip
File Type: Mon Jul 27 09:05:22 2020, from Unix
Category: dropped
Size (bytes): 68
Entropy (8bit): 5.395998870534845
Encrypted: false
SSDEEP: 3:FtPa5wG0BMPWNLPgXseOBMky:XPa5wG+OQP4OBMV
MD5: 1395D405968C76307CBA75C5DDC9CA19
SHA1: C36CEE03E5DF12FBFB57A5EBCEAE329B41AFA1F7
SHA-256: 33785027CEE82E878434593B532FE1DF25D46676379757272C1E15C9AADD3B1F
SHA-512: 09CAB8DFF495DA9ED715C94E9F24B0C5C40CF0BC8C1B0DEEFB90C54081020AD80AF51636ADCBA368980E2C69119697A65E2E4AC5B834E0F08F88AEA52EFDA257
Malicious: false
Reputation: moderate, very likely benign file
/tmp/tmp.s1YjGIpgkp
Process: /bin/cat
File Type: ASCII text
Category: dropped
Size (bytes): 141
Entropy (8bit): 3.7760909131289533
Encrypted: false
SSDEEP: 3:PgWA0uU95y/1aF/g2FFXwyyVDoGeRqcOAvC:PgWl195y9aF/g2FFgfNepvK
MD5: 46261223A62EF65D03C70F15EE935267
SHA1: E9102D8808BA6E171405F1830BD7C6B8179C9BF2
SHA-256: DFECC8990014230F50FBAD269AD523A74D16CFB455065EC8D9041764D684C239
SHA-512: 380CFA479D6DB2361DCE6A52A516ECBA4D5CCE647299A87C3C3ED5887DB929C81A0F970097E6CF02C11440BCE87299D611B01CE56CF9AF09DCFBBA14249E9AF9
Malicious: false
Reputation: moderate, very likely benign file
Preview (logrotate configuration written by the sample, with the line breaks restored):
  "/home/user/.cache/upstart/*.log" {
    hourly
    missingok
    rotate 7
    compress
    notifempty
    nocreate
  }

Static File Info

General

File type: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=1d6a83ebcbe23ce206306ae89f0ec24b4c028b2c, stripped
Entropy (8bit): 6.240238069051112
TrID:
  • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
  • ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name: MGTyV3yLFW
File size: 64400
MD5: 9a0e765eecc5433af3dc726206ecc56e
SHA1: 5996d02c142588b6c1ed850e461845458bd94d17
SHA256: 35ff79dd456fe3054a60fe0a16f38bf5fc3928e1e8439ca4d945573f8c48c0b8
SHA512: c9498f180b1da005a29df1f38e7a374edb08f44485563e6091c2f2666c7222e755c262c77367cff01cca11dbd4d8ec298255f14eb7b04616e6de514eec4b42ab
SSDEEP: 1536:CkdOMtSwcfp9f25MgHmtS+IekQiPT5cL:CkdOMtufO5MgmYxQiP

Static ELF Info

ELF header

Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
Machine: Intel 80386
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x804ccda
Flags: 0x0
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 9
Section Header Offset: 63560
Section Header Size: 40
Number of Section Headers: 21
Header String Table Index: 20

Sections

Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
 | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 |  | 0 | 0 | 0
.interp | PROGBITS | 0x8048154 | 0x154 | 0x13 | 0x0 | 0x2 | A | 0 | 0 | 1
.note.gnu.build-id | NOTE | 0x8048168 | 0x168 | 0x24 | 0x0 | 0x2 | A | 0 | 0 | 4
.hash | HASH | 0x804818c | 0x18c | 0x904 | 0x4 | 0x2 | A | 5 | 0 | 4
.gnu.hash | GNU_HASH | 0x8048a90 | 0xa90 | 0x7d8 | 0x4 | 0x2 | A | 5 | 0 | 4
.dynsym | DYNSYM | 0x8049268 | 0x1268 | 0x1380 | 0x10 | 0x2 | A | 6 | 1 | 4
.dynstr | STRTAB | 0x804a5e8 | 0x25e8 | 0xfa9 | 0x0 | 0x2 | A | 0 | 0 | 1
.gnu.version | VERSYM | 0x804b592 | 0x3592 | 0x270 | 0x2 | 0x2 | A | 5 | 0 | 2
.gnu.version_r | VERNEED | 0x804b804 | 0x3804 | 0xe0 | 0x0 | 0x2 | A | 6 | 3 | 4
.rel.plt | REL | 0x804b8e4 | 0x38e4 | 0x250 | 0x8 | 0x2 | A | 5 | 10 | 4
.plt | PROGBITS | 0x804bb40 | 0x3b40 | 0x4b0 | 0x4 | 0x6 | AX | 0 | 0 | 16
.text | PROGBITS | 0x804bff0 | 0x3ff0 | 0x9e92 | 0x0 | 0x6 | AX | 0 | 0 | 16
.rodata | PROGBITS | 0x8055e88 | 0xde88 | 0xaed | 0x0 | 0x2 | A | 0 | 0 | 8
.eh_frame_hdr | PROGBITS | 0x8056978 | 0xe978 | 0x24 | 0x0 | 0x2 | A | 0 | 0 | 4
.eh_frame | PROGBITS | 0x805699c | 0xe99c | 0x80 | 0x0 | 0x2 | A | 0 | 0 | 4
.dynamic | DYNAMIC | 0x8057f3c | 0xef3c | 0xb8 | 0x8 | 0x3 | WA | 6 | 0 | 4
.got.plt | PROGBITS | 0x8057ff4 | 0xeff4 | 0x134 | 0x4 | 0x3 | WA | 0 | 0 | 4
.data | PROGBITS | 0x8058128 | 0xf128 | 0x618 | 0x0 | 0x3 | WA | 0 | 0 | 4
.bss | NOBITS | 0x8058740 | 0xf740 | 0x3b64 | 0x0 | 0x3 | WA | 0 | 0 | 4
.comment | PROGBITS | 0x0 | 0xf740 | 0x56 | 0x1 | 0x30 | MS | 0 | 0 | 1
.shstrtab | STRTAB | 0x0 | 0xf796 | 0xb1 | 0x0 | 0x0 |  | 0 | 0 | 1

Program Segments

Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
PHDR | 0x34 | 0x8048034 | 0x8048034 | 0x120 | 0x120 | 0x5 | R E | 0x4 |  |
INTERP | 0x154 | 0x8048154 | 0x8048154 | 0x13 | 0x13 | 0x4 | R | 0x1 | /lib/ld-linux.so.2 | .interp
LOAD | 0x0 | 0x8048000 | 0x8048000 | 0xea1c | 0xea1c | 0x5 | R E | 0x1000 |  | .interp .note.gnu.build-id .hash .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.plt .plt .text .rodata .eh_frame_hdr .eh_frame
LOAD | 0xef3c | 0x8057f3c | 0x8057f3c | 0x804 | 0x4368 | 0x6 | RW | 0x1000 |  | .dynamic .got.plt .data .bss
DYNAMIC | 0xef3c | 0x8057f3c | 0x8057f3c | 0xb8 | 0xb8 | 0x6 | RW | 0x4 |  | .dynamic
NOTE | 0x168 | 0x8048168 | 0x8048168 | 0x24 | 0x24 | 0x4 | R | 0x4 |  | .note.gnu.build-id
GNU_EH_FRAME | 0xe978 | 0x8056978 | 0x8056978 | 0x24 | 0x24 | 0x4 | R | 0x4 |  | .eh_frame_hdr
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0x6 | RW | 0x4 |  |
GNU_RELRO | 0xef3c | 0x8057f3c | 0x8057f3c | 0xc4 | 0xc4 | 0x4 | R | 0x1 |  | .dynamic

Dynamic Tags

Type | Meta | Value | Tag
DT_NEEDED | sharedlib | libdl.so.2 | 0x1
DT_NEEDED | sharedlib | libpthread.so.0 | 0x1
DT_NEEDED | sharedlib | libc.so.6 | 0x1
DT_HASH | value | 0x804818c | 0x4
DT_GNU_HASH | value | 0x8048a90 | 0x6ffffef5
DT_STRTAB | value | 0x804a5e8 | 0x5
DT_SYMTAB | value | 0x8049268 | 0x6
DT_STRSZ | bytes | 4009 | 0xa
DT_SYMENT | bytes | 16 | 0xb
DT_DEBUG | value | 0x0 | 0x15
DT_PLTGOT | value | 0x8057ff4 | 0x3
DT_PLTRELSZ | bytes | 592 | 0x2
DT_PLTREL | pltrel | DT_REL | 0x14
DT_JMPREL | value | 0x804b8e4 | 0x17
DT_VERNEED | value | 0x804b804 | 0x6ffffffe
DT_VERNEEDNUM | value | 3 | 0x6fffffff
DT_VERSYM | value | 0x804b592 | 0x6ffffff0
DT_NULL | value | 0x0 | 0x0

Symbols

Name | Version Info Name | Version Info File Name | Section Name | Value | Size | Symbol Type | Symbol Bind | Symbol Visibility | Ndx
 | | | .dynsym | 0x0 | 0 | NOTYPE | <unknown> | DEFAULT | SHN_UNDEF
AESAllocateContext | | | .dynsym | 0x805460a | 108 | FUNC | <unknown> | DEFAULT | 11
AESBlockDecrypt | | | .dynsym | 0x805470d | 149 | FUNC | <unknown> | DEFAULT | 11
AESBlockEncrypt | | | .dynsym | 0x8054676 | 151 | FUNC | <unknown> | DEFAULT | 11
AESCryptCFB | | | .dynsym | 0x80547a2 | 197 | FUNC | <unknown> | DEFAULT | 11
AESFreeContext | | | .dynsym | 0x8054867 | 37 | FUNC | <unknown> | DEFAULT | 11
AddRoundKey | | | .dynsym | 0x80541d4 | 68 | FUNC | <unknown> | DEFAULT | 11
AddressList | | | .dynsym | 0x805b9cc | 4 | OBJECT | <unknown> | DEFAULT | 18
AuthenticatedSocket | | | .dynsym | 0x8058724 | 4 | OBJECT | <unknown> | DEFAULT | 17
BindShell | | | .dynsym | 0x804fdc8 | 1476 | FUNC | <unknown> | DEFAULT | 11
BitmapToJPEG | | | .dynsym | 0x804d6c0 | 2399 | FUNC | <unknown> | DEFAULT | 11
BoolSettingsByte | | | .dynsym | 0x8058370 | 4 | OBJECT | <unknown> | DEFAULT | 17
BuilderEncryptionKey | | | .dynsym | 0x80584d8 | 17 | OBJECT | <unknown> | DEFAULT | 17
Calculate | | | .dynsym | 0x80549f5 | 174 | FUNC | <unknown> | DEFAULT | 11
CaptureScreen | | | .dynsym | 0x80505c5 | 168 | FUNC | <unknown> | DEFAULT | 11
CaptureScreenToJPEG | | | .dynsym | 0x805066d | 127 | FUNC | <unknown> | DEFAULT | 11
ChangeWindowTitle | | | .dynsym | 0x80538dd | 222 | FUNC | <unknown> | DEFAULT | 11
CharCount | | | .dynsym | 0x805215e | 36 | FUNC | <unknown> | DEFAULT | 11
CharPosition | | | .dynsym | 0x8052182 | 34 | FUNC | <unknown> | DEFAULT | 11
CharToLower | | | .dynsym | 0x805214e | 16 | FUNC | <unknown> | DEFAULT | 11
CharToUpper | | | .dynsym | 0x8052098 | 16 | FUNC | <unknown> | DEFAULT | 11
CleanUpMozilla | | | .dynsym | 0x8050d7a | 36 | FUNC | <unknown> | DEFAULT | 11
CloseAllTransfers | | | .dynsym | 0x805312d | 32 | FUNC | <unknown> | DEFAULT | 11
CloseMutexHandle | | | .dynsym | 0x805297b | 68 | FUNC | <unknown> | DEFAULT | 11
CloseSocket | | | .dynsym | 0x804e827 | 50 | FUNC | <unknown> | DEFAULT | 11
CloseTransfer | | | .dynsym | 0x80530f6 | 55 | FUNC | <unknown> | DEFAULT | 11
CloseX11Connection | | | .dynsym | 0x8055cf9 | 37 | FUNC | <unknown> | DEFAULT | 11
ConnectionMode | | | .dynsym | 0x80530cc | 17 | FUNC | <unknown> | DEFAULT | 11
ConnectionString | | | .dynsym | 0x8058610 | 256 | OBJECT | <unknown> | DEFAULT | 17
ConnectionType | | | .dynsym | 0x805836c | 4 | OBJECT | <unknown> | DEFAULT | 17
CurrentProxy | | | .dynsym | 0x805b9c4 | 4 | OBJECT | <unknown> | DEFAULT | 18
CurrentScaleFactor | | | .dynsym | 0x8058740 | 1 | OBJECT | <unknown> | DEFAULT | 18
DecodeSQLitePayloadData | | | .dynsym | 0x80517af | 473 | FUNC | <unknown> | DEFAULT | 11
DecryptLoginData | | | .dynsym | 0x8051acc | 419 | FUNC | <unknown> | DEFAULT | 11
DecryptSettings | | | .dynsym | 0x8052dec | 220 | FUNC | <unknown> | DEFAULT | 11
DecryptionContext | | | .dynsym | 0x805c2a0 | 4 | OBJECT | <unknown> | DEFAULT | 18
EncryptionContext | | | .dynsym | 0x805c28c | 4 | OBJECT | <unknown> | DEFAULT | 18
EnumerateWindows | | | .dynsym | 0x8053688 | 243 | FUNC | <unknown> | DEFAULT | 11
EstablishConnection | | | .dynsym | 0x804e859 | 563 | FUNC | <unknown> | DEFAULT | 11
EstablishConnectionLoop | | | .dynsym | 0x804ea8c | 80 | FUNC | <unknown> | DEFAULT | 11
ExtractFileName | | | .dynsym | 0x80522bc | 86 | FUNC | <unknown> | DEFAULT | 11
ExtractFilePath | | | .dynsym | 0x8052276 | 70 | FUNC | <unknown> | DEFAULT | 11
ExtractProfileName | | | .dynsym | 0x8050be8 | 208 | FUNC | <unknown> | DEFAULT | 11
FileUploadWrite | | | .dynsym | 0x8053623 | 100 | FUNC | <unknown> | DEFAULT | 11
FindFile | | | .dynsym | 0x804f39a | 257 | FUNC | <unknown> | DEFAULT | 11
FindMozillaLib | | | .dynsym | 0x8050cb8 | 194 | FUNC | <unknown> | DEFAULT | 11
FindSpace | | | .dynsym | 0x804f9e0 | 40 | FUNC | <unknown> | DEFAULT | 11
GenerateRandomData | | | .dynsym | 0x80549a8 | 77 | FUNC | <unknown> | DEFAULT | 11
GetChromiumPasswords | | | .dynsym | 0x8051ca7 | 56 | FUNC | <unknown> | DEFAULT | 11
GetGoogleChromePasswords | | | .dynsym | 0x8051c6f | 56 | FUNC | <unknown> | DEFAULT | 11
GetLoginDataPath | | | .dynsym | 0x8051a6b | 97 | FUNC | <unknown> | DEFAULT | 11
GetMozillaProductPasswords | | | .dynsym | 0x8050eda | 1583 | FUNC | <unknown> | DEFAULT | 11
GetOperaWand | | | .dynsym | 0x8051509 | 261 | FUNC | <unknown> | DEFAULT | 11
GetPidginPasswords | | | .dynsym | 0x805160e | 332 | FUNC | <unknown> | DEFAULT | 11
GetRandom | | | .dynsym | 0x8054c23 | 57 | FUNC | <unknown> | DEFAULT | 11
GetSQLitePageId | | | .dynsym | 0x8051988 | 227 | FUNC | <unknown> | DEFAULT | 11
HandleHTTPConnect | | | .dynsym | 0x804e512 | 150 | FUNC | <unknown> | DEFAULT | 11
HandleProxy | | | .dynsym | 0x804e5a8 | 130 | FUNC | <unknown> | DEFAULT | 11
HandleReverseSocks | | | .dynsym | 0x8053be3 | 525 | FUNC | <unknown> | DEFAULT | 11
HandleSocks4 | | | .dynsym | 0x804e0c9 | 288 | FUNC | <unknown> | DEFAULT | 11
HandleSocks4a | | | .dynsym | 0x804e1e9 | 316 | FUNC | <unknown> | DEFAULT | 11
HandleSocks5 | | | .dynsym | 0x804e325 | 493 | FUNC | <unknown> | DEFAULT | 11
HostId | | | .dynsym | 0x80584c4 | 17 | OBJECT | <unknown> | DEFAULT | 17
InitAESTables | | | .dynsym | 0x8054535 | 213 | FUNC | <unknown> | DEFAULT | 11
InitTransfersList | | | .dynsym | 0x80530e0 | 22 | FUNC | <unknown> | DEFAULT | 11
InitializationVector | | | .dynsym | 0x805c290 | 16 | OBJECT | <unknown> | DEFAULT | 18
InstallHost | | | .dynsym | 0x8052a58 | 916 | FUNC | <unknown> | DEFAULT | 11
InstallPath | | | .dynsym | 0x8058434 | 129 | OBJECT | <unknown> | DEFAULT | 17
InverseMixColumns | | | .dynsym | 0x8054289 | 684 | FUNC | <unknown> | DEFAULT | 11
InverseShiftRows | | | .dynsym | 0x8054218 | 72 | FUNC | <unknown> | DEFAULT | 11
InverseSubBytes | | | .dynsym | 0x8054260 | 41 | FUNC | <unknown> | DEFAULT | 11
IsCommandAllowed | | | .dynsym | 0x804ccbd | 29 | FUNC | <unknown> | DEFAULT | 11
IsDataSizeAllowed | | | .dynsym | 0x804cc97 | 38 | FUNC | <unknown> | DEFAULT | 11
IsInteger | | | .dynsym | 0x805206c | 35 | FUNC | <unknown> | DEFAULT | 11
IsOptionEnabled | | | .dynsym | 0x8052879 | 30 | FUNC | <unknown> | DEFAULT | 11
IsSocketReadable | | | .dynsym | 0x804eadc | 198 | FUNC | <unknown> | DEFAULT | 11
IsSpace | | | .dynsym | 0x805208f | 9 | FUNC | <unknown> | DEFAULT | 11
IsTransferOpen | | | .dynsym | 0x805314d | 26 | FUNC | <unknown> | DEFAULT | 11
IsX11LibAPILoaded | | | .dynsym | 0x80558b7 | 1090 | FUNC | <unknown> | DEFAULT | 11
JPEGBuffer | | | .dynsym | 0x8058748 | 4 | OBJECT | <unknown> | DEFAULT | 18
JPEGSize | | | .dynsym | 0x8058744 | 4 | OBJECT | <unknown> | DEFAULT | 18
KeyExpansion | | | .dynsym | 0x8053ef2 | 150 | FUNC | <unknown> | DEFAULT | 11
KeyLoggerEncode | | | .dynsym | 0x8054c78 | 32 | FUNC | <unknown> | DEFAULT | 11
KeyLoggerFileName | | | .dynsym | 0x8058374 | 129 | OBJECT | <unknown> | DEFAULT | 17
KeyLoggerState | | | .dynsym | 0x8058730 | 4 | OBJECT | <unknown> | DEFAULT | 17
ListWindows | | | .dynsym | 0x805377b | 103 | FUNC | <unknown> | DEFAULT | 11
LoadKeyLoggerAPI | | | .dynsym | 0x80551e3 | 778 | FUNC | <unknown> | DEFAULT | 11
LoadMozillaLibs | | | .dynsym | 0x8050d9e | 316 | FUNC | <unknown> | DEFAULT | 11
LogKey | | | .dynsym | 0x8054d55 | 1166 | FUNC | <unknown> | DEFAULT | 11
MemCompare | | | .dynsym | 0x8052233 | 46 | FUNC | <unknown> | DEFAULT | 11
MixColumns | | | .dynsym | 0x8053ffa | 474 | FUNC | <unknown> | DEFAULT | 11
MutexName | | | .dynsym | 0x80584b8 | 9 | OBJECT | <unknown> | DEFAULT | 17
OpenMutexHandle | | | .dynsym | 0x80529bf | 153 | FUNC | <unknown> | DEFAULT | 11
ParseAuthenticationPacket | | | .dynsym | 0x8054b62 | 157 | FUNC | <unknown> | DEFAULT | 11
Password | | | .dynsym | 0x80584ec | 33 | OBJECT | <unknown> | DEFAULT | 17
ProcessData | | | .dynsym | 0x804c050 | 3143 | FUNC | <unknown> | DEFAULT | 11
ProcessWindowCommand | | | .dynsym | 0x80539bb | 175 | FUNC | <unknown> | DEFAULT | 11
ProxyList | | | .dynsym | 0x805b9c8 | 4 | OBJECT | <unknown> | DEFAULT | 18
ProxyString | | | .dynsym | 0x8058510 | 256 | OBJECT | <unknown> | DEFAULT | 17
RC4Crypt | | | .dynsym | 0x8054906 | 128 | FUNC | <unknown> | DEFAULT | 11
RC4Setup | | | .dynsym | 0x805488c | 122 | FUNC | <unknown> | DEFAULT | 11
RGB_buffer | | | .dynsym | 0x805874c | 4 | OBJECT | <unknown> | DEFAULT | 18
RandomRange | | | .dynsym | 0x8054c5c | 26 | FUNC | <unknown> | DEFAULT | 11
ReadBigEndianWORD | | | .dynsym | 0x8051795 | 26 | FUNC | <unknown> | DEFAULT | 11
ReadFile | | | .dynsym | 0x805235e | 100 | FUNC | <unknown> | DEFAULT | 11
ReadPacket | | | .dynsym | 0x804eba2 | 58 | FUNC | <unknown> | DEFAULT | 11
ReadSettings | | | .dynsym | 0x8052ec8 | 516 | FUNC | <unknown> | DEFAULT | 11
ReadVarint | | | .dynsym | 0x805175a | 59 | FUNC | <unknown> | DEFAULT | 11
RelayData | | | .dynsym | 0x8053a6c | 338 | FUNC | <unknown> | DEFAULT | 11
ReleaseHeap | | | .dynsym | 0x804f57c | 37 | FUNC | <unknown> | DEFAULT | 11
ResolveHost | | | .dynsym | 0x804e020 | 73 | FUNC | <unknown> | DEFAULT | 11
RotateLeft | | | .dynsym | 0x8054988 | 32 | FUNC | <unknown> | DEFAULT | 11
RotateWord | | | .dynsym | 0x8053ed3 | 31 | FUNC | <unknown> | DEFAULT | 11
RunAsDaemon | | | .dynsym | 0x8052897 | 100 | FUNC | <unknown> | DEFAULT | 11
SaveXImageToBitmap | | | .dynsym | 0x80503d0 | 501 | FUNC | <unknown> | DEFAULT | 11
SearchPId | | | .dynsym | 0x805b9f0 | 4 | OBJECT | <unknown> | DEFAULT | 18
SeedRandom | | | .dynsym | 0x8054c00 | 35 | FUNC | <unknown> | DEFAULT | 11
SendAuthenticationPacket | | | .dynsym | 0x8054aa3 | 191 | FUNC | <unknown> | DEFAULT | 11
SendData | | | .dynsym | 0x804e62a | 509 | FUNC | <unknown> | DEFAULT | 11
SendDownloadStatus | | | .dynsym | 0x804f6b8 | 111 | FUNC | <unknown> | DEFAULT | 11
SendResponse | | | .dynsym | 0x8053bbe | 37 | FUNC | <unknown> | DEFAULT | 11
SetSocketOptions | | | .dynsym | 0x804e069 | 96 | FUNC | <unknown> | DEFAULT | 11
ShellPId | | | .dynsym | 0x805b9f8 | 4 | OBJECT | <unknown> | DEFAULT | 18
ShiftRows | | | .dynsym | 0x8053fb1 | 73 | FUNC | <unknown> | DEFAULT | 11
StartReverseSocks | | | .dynsym | 0x8053df0 | 120 | FUNC | <unknown> | DEFAULT | 11
StartupKeyName1 | | | .dynsym | 0x8058420 | 17 | OBJECT | <unknown> | DEFAULT | 17
StartupKeyName2 | | | .dynsym | 0x80583f8 | 39 | OBJECT | <unknown> | DEFAULT | 17
StrConcatenate | | | .dynsym | 0x8051d1b | 100 | FUNC | <unknown> | DEFAULT | 11
StrCopy | | | .dynsym | 0x8051ce0 | 59 | FUNC | <unknown> | DEFAULT | 11
StrNCompare | | | .dynsym | 0x8052048 | 36 | FUNC | <unknown> | DEFAULT | 11
StrPosition | | | .dynsym | 0x8051d7f | 97 | FUNC | <unknown> | DEFAULT | 11
StrSplit | | | .dynsym | 0x80521a4 | 143 | FUNC | <unknown> | DEFAULT | 11
StrToInt | | | .dynsym | 0x8051de0 | 82 | FUNC | <unknown> | DEFAULT | 11
StrToInt64 | | | .dynsym | 0x8051e32 | 187 | FUNC | <unknown> | DEFAULT | 11
StrTrim | | | .dynsym | 0x8051eed | 66 | FUNC | <unknown> | DEFAULT | 11
SubBytes | | | .dynsym | 0x8053f88 | 41 | FUNC | <unknown> | DEFAULT | 11
SubWord | | | .dynsym | 0x8053e8f | 68 | FUNC | <unknown> | DEFAULT | 11
TerminateRunningOperations | | | .dynsym | 0x804bff0 | 96 | FUNC | <unknown> | DEFAULT | 11
TestPacket | | | .dynsym | 0x8058714 | 16 | OBJECT | <unknown> | DEFAULT | 17
TransferFile | | | .dynsym | 0x8053167 | 1212 | FUNC | <unknown> | DEFAULT | 11
TranslateMacros | | | .dynsym | 0x80526cc | 429 | FUNC | <unknown> | DEFAULT | 11
UninstallHost | | | .dynsym | 0x80528fb | 128 | FUNC | <unknown> | DEFAULT | 11
UpdateHost | | | .dynsym | 0x8052688 | 66 | FUNC | <unknown> | DEFAULT | 11
WildcardCompare | | | .dynsym | 0x80520a8 | 166 | FUNC | <unknown> | DEFAULT | 11
WindowOperation | | | .dynsym | 0x80537e2 | 251 | FUNC | <unknown> | DEFAULT | 11
WriteCommand | | | .dynsym | 0x805038c | 68 | FUNC | <unknown> | DEFAULT | 11
Ximage | | | .dynsym | 0x805be8a | 2 | OBJECT | <unknown> | DEFAULT | 18
Yimage | | | .dynsym | 0x805be88 | 2 | OBJECT | <unknown> | DEFAULT | 18
_XChangeProperty | | | .dynsym | 0x805be54 | 4 | OBJECT | <unknown> | DEFAULT | 18
_XCloseDisplay | | | .dynsym | 0x805be6c | 4 | OBJECT | <unknown> | DEFAULT | 18
_XDestroyImage | | | .dynsym | 0x805be60 | 4 | OBJECT | <unknown> | DEFAULT | 18
_XFlush | | | .dynsym | 0x805be1c | 4 | OBJECT | <unknown> | DEFAULT | 18
_XFree | | | .dynsym | 0x805be2c | 4 | OBJECT | <unknown> | DEFAULT | 18
_XGetGeometry | | | .dynsym | 0x805be74 | 4 | OBJECT | <unknown> | DEFAULT | 18
_XGetImage | | | .dynsym | 0x805be64 | 4 | OBJECT | <unknown> | DEFAULT | 18
_XGetInputFocus | | | .dynsym | 0x805be68 | 4 | OBJECT | <unknown> | DEFAULT | 18
_XGetWMName | | | .dynsym | 0x805be28 | 4 | OBJECT | <unknown> | DEFAULT | 18
_XInternAtom | | | .dynsym | 0x805be58 | 4 | OBJECT | <unknown> | DEFAULT | 18
_XKeysymToKeycode | | | .dynsym | 0x805be24 | 4 | OBJECT | <unknown> | DEFAULT | 18
_XListInputDevices | | | .dynsym | 0x805be5c | 4 | OBJECT | <unknown> | DEFAULT | 18
_XLookupString | | | .dynsym | 0x805be20 | 4 | OBJECT | <unknown> | DEFAULT | 18
_XMapWindow | | | .dynsym | 0x805be50 | 4 | OBJECT | <unknown> | DEFAULT | 18
_XNextEvent | | | .dynsym | 0x805be30 | 4 | OBJECT | <unknown> | DEFAULT | 18
_XOpenDevice | | | .dynsym | 0x805be44 | 4 | OBJECT | <unknown> | DEFAULT | 18
_XOpenDisplay | | | .dynsym | 0x805be34 | 4 | OBJECT | <unknown> | DEFAULT | 18
_XQueryExtension | | | .dynsym | 0x805be80 | 4 | OBJECT | <unknown> | DEFAULT | 18
_XQueryPointer | | | .dynsym | 0x805be7c | 4 | OBJECT | <unknown> | DEFAULT | 18
_XQueryTree | | | .dynsym | 0x805be48 | 4 | OBJECT | <unknown> | DEFAULT | 18
_XSelectExtensionEvent | | | .dynsym | 0x805be38 | 4 | OBJECT | <unknown> | DEFAULT | 18
_XSelectInput | | | .dynsym | 0x805be84 | 4 | OBJECT | <unknown> | DEFAULT | 18
_XSendEvent | | | .dynsym | 0x805be3c | 4 | OBJECT | <unknown> | DEFAULT | 18
_XSetErrorHandler | | | .dynsym | 0x805be70 | 4 | OBJECT | <unknown> | DEFAULT | 18
_XSync | | | .dynsym | 0x805be40 | 4 | OBJECT | <unknown> | DEFAULT | 18
_XUnmapWindow | | | .dynsym | 0x805be78 | 4 | OBJECT | <unknown> | DEFAULT | 18
_XWarpPointer | | | .dynsym | 0x805be4c | 4 | OBJECT | <unknown> | DEFAULT | 18
__asprintf_chk | GLIBC_2.8 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
__bss_start | | | .dynsym | 0x8058740 | 0 | NOTYPE | <unknown> | DEFAULT | SHN_ABS
__errno_location | GLIBC_2.0 | libpthread.so.0 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
__lxstat64 | GLIBC_2.2 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
__memcpy_chk | GLIBC_2.3.4 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
__snprintf_chk | GLIBC_2.3.4 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
__stack_chk_fail | GLIBC_2.4 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
__xstat64 | GLIBC_2.2 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
_edata | | | .dynsym | 0x8058740 | 0 | NOTYPE | <unknown> | DEFAULT | SHN_ABS
_end | | | .dynsym | 0x805c2a4 | 0 | NOTYPE | <unknown> | DEFAULT | SHN_ABS
_main | | | .dynsym | 0x804ccda | 313 | FUNC | <unknown> | DEFAULT | 11
aStrConcatenate | | | .dynsym | 0x8051f2f | 281 | FUNC | <unknown> | DEFAULT | 11
access | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
aes_mul_manual | | | .dynsym | 0x8053e68 | 39 | FUNC | <unknown> | DEFAULT | 11
chdir | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
chmod | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
close | GLIBC_2.0 | libpthread.so.0 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
closedir | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
compute_Huffman_table | | | .dynsym | 0x804d048 | 83 | FUNC | <unknown> | DEFAULT | 11
connect | GLIBC_2.0 | libpthread.so.0 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
cpBeginThread | | | .dynsym | 0x804f559 | 35 | FUNC | <unknown> | DEFAULT | 11
cpClearLog | | | .dynsym | 0x805588b | 38 | FUNC | <unknown> | DEFAULT | 11
cpCopyFile | | | .dynsym | 0x804f172 | 265 | FUNC | <unknown> | DEFAULT | 11
cpCopyFileEx | | | .dynsym | 0x804f27b | 223 | FUNC | <unknown> | DEFAULT | 11
cpDeleteFile | | | .dynsym | 0x804f0fc | 21 | FUNC | <unknown> | DEFAULT | 11
cpDirectoryExists | | | .dynsym | 0x804f141 | 49 | FUNC | <unknown> | DEFAULT | 11
cpDownloadFile | | | .dynsym | 0x804f727 | 697 | FUNC | <unknown> | DEFAULT | 11
cpExecuteFile | | | .dynsym | 0x804f0a6 | 86 | FUNC | <unknown> | DEFAULT | 11
cpFileExists | | | .dynsym | 0x804f12a | 23 | FUNC | <unknown> | DEFAULT | 11
cpFreeLibrary | | | .dynsym | 0x804f6aa | 14 | FUNC | <unknown> | DEFAULT | 11
cpGetComputerName | | | .dynsym | 0x8052314 | 57 | FUNC | <unknown> | DEFAULT | 11
cpGetCurrentProcessId | | | .dynsym | 0x804fdc2 | 5 | FUNC | <unknown> | DEFAULT | 11
cpGetFileSize | | | .dynsym | 0x804f35a | 43 | FUNC | <unknown> | DEFAULT | 11
cpGetLocalFileName | | | .dynsym | 0x804f49b | 106 | FUNC | <unknown> | DEFAULT | 11
cpGetLocalFilePath | | | .dynsym | 0x804f505 | 67 | FUNC | <unknown> | DEFAULT | 11
cpGetLog | | | .dynsym | 0x80557c5 | 198 | FUNC | <unknown> | DEFAULT | 11
cpGetOSVersion | | | .dynsym | 0x80523c2 | 171 | FUNC | <unknown> | DEFAULT | 11
cpGetProcAddress | | | .dynsym | 0x804f6a5 | 5 | FUNC | <unknown> | DEFAULT | 11
cpGetUsername | | | .dynsym | 0x805234d | 17 | FUNC | <unknown> | DEFAULT | 11
cpKeyDown | | | .dynsym | 0x80507af | 196 | FUNC | <unknown> | DEFAULT | 11
cpKeyUp | | | .dynsym | 0x8050873 | 196 | FUNC | <unknown> | DEFAULT | 11
cpKillProcess | | | .dynsym | 0x804fda3 | 31 | FUNC | <unknown> | DEFAULT | 11
cpListDrives | | | .dynsym | 0x804ebdc | 22 | FUNC | <unknown> | DEFAULT | 11
cpListFiles | | | .dynsym | 0x804ebf2 | 572 | FUNC | <unknown> | DEFAULT | 11
cpListProcesses | | | .dynsym | 0x804fa08 | 923 | FUNC | <unknown> | DEFAULT | 11
cpLoadLibrary | | | .dynsym | 0x804f693 | 18 | FUNC | <unknown> | DEFAULT | 11
cpLogonSessions | | | .dynsym | 0x8055d20 | 230 | FUNC | <unknown> | DEFAULT | 11
cpMemoryStatus | | | .dynsym | 0x805246d | 108 | FUNC | <unknown> | DEFAULT | 11
cpMkDir | | | .dynsym | 0x804f385 | 21 | FUNC | <unknown> | DEFAULT | 11
cpMouseDown | | | .dynsym | 0x8050937 | 292 | FUNC | <unknown> | DEFAULT | 11
cpMouseMove | | | .dynsym | 0x8050b87 | 95 | FUNC | <unknown> | DEFAULT | 11
cpMouseUp | | | .dynsym | 0x8050a5b | 300 | FUNC | <unknown> | DEFAULT | 11
cpReadFileData | | | .dynsym | 0x804f5a1 | 242 | FUNC | <unknown> | DEFAULT | 11
cpRenameFile | | | .dynsym | 0x804f111 | 25 | FUNC | <unknown> | DEFAULT | 11
cpScreenCapture | | | .dynsym | 0x80506ec | 195 | FUNC | <unknown> | DEFAULT | 11
cpSearchFiles | | | .dynsym | 0x804ee2e | 632 | FUNC | <unknown> | DEFAULT | 11
cpSleep | | | .dynsym | 0x804f548 | 17 | FUNC | <unknown> | DEFAULT | 11
cpStartKeyLogger | | | .dynsym | 0x80554ed | 728 | FUNC | <unknown> | DEFAULT | 11
cpSystemInformation | | | .dynsym | 0x80524d9 | 429 | FUNC | <unknown> | DEFAULT | 11
dlclose | GLIBC_2.0 | libdl.so.2 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
dlopen | GLIBC_2.1 | libdl.so.2 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
dlsym | GLIBC_2.0 | libdl.so.2 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
dup | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
endutxent | GLIBC_2.1 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
execl | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
execlp | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
exit | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
fclose | GLIBC_2.1 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
fcntl | GLIBC_2.0 | libpthread.so.0 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
fdct_and_quantization | | | .dynsym | 0x804d221 | 589 | FUNC | <unknown> | DEFAULT | 11
fgets | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
fopen64 | GLIBC_2.1 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
fork | GLIBC_2.0 | libpthread.so.0 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
fread | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
free | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
fseek | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
ftell | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
fwrite | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
g_aes_ilogt | | | .dynsym | 0x805c08c | 256 | OBJECT | <unknown> | DEFAULT | 18
g_aes_isbox | | | .dynsym | 0x805bf8c | 256 | OBJECT | <unknown> | DEFAULT | 18
g_aes_logt | | | .dynsym | 0x805be8c | 256 | OBJECT | <unknown> | DEFAULT | 18
g_aes_sbox | | | .dynsym | 0x805c18c | 256 | OBJECT | <unknown> | DEFAULT | 18
getenv | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
gethostbyname | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
gethostname | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
getpid | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
getutxent | GLIBC_2.1 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
gmtime | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
gmtime_r | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
init_Huffman_tables | | | .dynsym | 0x804d09b | 87 | FUNC | <unknown> | DEFAULT | 11
kill | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
ldiv | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
load_data_units_from_RGB_buffer | | | .dynsym | 0x804d5db | 229 | FUNC | <unknown> | DEFAULT | 11
localtime | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
malloc | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
mkdir | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
open64 | GLIBC_2.2 | libpthread.so.0 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
opendir | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
pipe | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
precalculate_YCbCr_tables | | | .dynsym | 0x804d0f2 | 158 | FUNC | <unknown> | DEFAULT | 11
prepare_quant_tables | | | .dynsym | 0x804d190 | 145 | FUNC | <unknown> | DEFAULT | 11
process_DU | | | .dynsym | 0x804d46e | 365 | FUNC | <unknown> | DEFAULT | 11
pthread_create | GLIBC_2.1 | libpthread.so.0 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
pthread_mutex_lock | GLIBC_2.0 | libpthread.so.0 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
pthread_mutex_unlock | GLIBC_2.0 | libpthread.so.0 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
read | GLIBC_2.0 | libpthread.so.0 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
readdir64 | GLIBC_2.2 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
readlink | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
realloc | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
recv | GLIBC_2.0 | libpthread.so.0 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
remove | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
rename | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
select | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
send | GLIBC_2.0 | libpthread.so.0 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
set_DHTinfo | | | .dynsym | 0x804ceef | 211 | FUNC | <unknown> | DEFAULT | 11
set_DQTinfo | | | .dynsym | 0x804ce9d | 82 | FUNC | <unknown> | DEFAULT | 11
set_quant_table | | | .dynsym | 0x804ce49 | 84 | FUNC | <unknown> | DEFAULT | 11
setsid | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
setsockopt | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
setutxent | GLIBC_2.1 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
shutdown | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
snprintf | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
socket | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
sscanf | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
strcmp | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
strlenW | | | .dynsym | 0x8052261 | 21 | FUNC | <unknown> | DEFAULT | 11
strstr | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
sysconf | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
sysinfo | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
time | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
umask | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
usleep | GLIBC_2.0 | libc.so.6 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
waitpid | GLIBC_2.0 | libpthread.so.0 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
write | GLIBC_2.0 | libpthread.so.0 | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
writebits | | | .dynsym | 0x804cfc2 | 134 | FUNC | <unknown> | DEFAULT | 11
writebyte | | | .dynsym | 0x804ce14 | 25 | FUNC | <unknown> | DEFAULT | 11
writeword | | | .dynsym | 0x804ce2d | 28 | FUNC | <unknown> | DEFAULT | 11

Network Behavior

No network behavior found

System Behavior