Linux Analysis Report
Malware

Overview

General Information

Sample Name: Malware
Analysis ID: 626597
MD5: 686a654a185db3f40514966d1409b2b1
SHA1: fe3168d630ccb61559c06b6b0ab68d5cfa1c1a8f
SHA256: 74ef6cc38f5a1a80148752b63c117e6846984debd2af806c65887195a8eccc56
Tags: BFPDoor, elf

Detection

Score: 52 (range 0 - 100)
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior). Caveat: the process exited with code 1 inside the dynamic loader (GLIBC_2.34 not found, see Standard Error), so this traffic came from the analysis VM itself, not from the sample.
Yara signature match

Classification

Analysis Advice

The sample did not execute. The dynamic loader aborted with "version `GLIBC_2.34' not found" (see Standard Error below) and the process exited with code 1 before main() or any constructor ran. The analysis image is Ubuntu 20.04, which ships glibc 2.31, while the binary's __libc_start_main import is bound to GLIBC_2.34; it needs a host with glibc 2.34 or newer (Ubuntu 22.04 or later). Re-submit on such an image for a meaningful behavioural run.

Because nothing of the sample ran, every dynamic observation in this report (the TCP connections to 91.189.91.42, 91.189.91.43 and 109.202.202.202, the "expired dropper" signature and the ATT&CK Command-and-Control mapping) is background activity of the guest OS and must not be attributed to the sample. The three peers were contacted without any DNS lookup, two of them sit in Canonical's ASN 41231, and the binary imports no name-resolution function at all; none of its own socket code (socket/setsockopt/recvfrom/sendto, bind/listen/accept, connect) was reached.

The static verdict stands on its own: two YARA rules for the BPFDoor controller match the file and its mapped memory, ReversingLabs labels it Linux.Backdoor.Bpfdoor, the binary is unstripped and its FILE symbol names the source as "Red Menshen BPFDoor Source Code( ).c", and the import set (sockets, pty allocation via grantpt/unlockpt/ptsname, prctl, fork/dup2/execve, utimes) is consistent with the BPFDoor implant those rules describe.
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 626597
Start date and time: 2022-05-14 15:12:04 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 16s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Malware
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Detection: MAL
Classification: mal52.lin@0/0@0/0
Command: /tmp/Malware
PID: 6222
Exit Code: 1
Exit Code Info: (none)
Killed: False
Standard Output: (empty)
Standard Error: /tmp/Malware: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by /tmp/Malware)

Process tree:
  • system is lnxubuntu20
  • Malware (PID: 6222, Parent: 6125, MD5: 686a654a185db3f40514966d1409b2b1) Arguments: /tmp/Malware
  • cleanup
YARA matches

Source: Malware (submitted file)
  Rule: APT_MAL_LNX_RedMenshen_BPFDoor_Controller_May22_3
  Description: Detects BPFDoor implants used by Chinese actor Red Menshen
  Author: Florian Roth
  Matched strings:
    • 0x6080: $s1: hald-addon-acpi: listening on acpi kernel interface /proc/acpi/event
    • 0x6035: $s2: /sbin/mingetty /dev
    • 0x60e6: $s3: pickup -l -t fifo -u

Source: Malware (submitted file)
  Rule: APT_MAL_LNX_RedMenshen_BPFDoor_Controller_Generic_May22_1
  Description: Detects BPFDoor malware
  Author: Florian Roth
  Matched opcode sequences:
    • 0x2865: $op1: C6 80 01 01 00 00 00 48 8B 45 D8 0F B6 90 01 01 00 00 48 8B 45 D8 88 90 00 01 00 00 C6 45 F6 00 0F B6 45 F6 88 45
    • 0x2861: $op5: 48 8B 45 D8 C6 80 01 01 00 00 00 48 8B 45 D8 0F B6 90 01 01 00 00 48 8B 45 D8 88 90 00 01 00 00 C6 45 F6 00 0F B6 45

Source: 6222.1.00000000517089bc.000000004d171c55.rw-.sdmp (memory dump of PID 6222)
  Rule: APT_MAL_LNX_RedMenshen_BPFDoor_Controller_May22_3
  Description: Detects BPFDoor implants used by Chinese actor Red Menshen
  Author: Florian Roth
  Matched strings:
    • 0x80: $s1: hald-addon-acpi: listening on acpi kernel interface /proc/acpi/event
    • 0x35: $s2: /sbin/mingetty /dev
    • 0xe6: $s3: pickup -l -t fifo -u

Where the matches land, from the section and symbol tables further down: the three $s strings are in .rodata (0x6000-0x6156), and the two opcode sequences at 0x2861/0x2865 fall inside rc4_init (0x281d, 220 bytes). The bytes write zero to offsets 0x100 and 0x101 of a structure, i.e. they reset the two index bytes that follow a 256-byte RC4 S-box, which matches the 258-byte crypt_ctx/decrypt_ctx objects in .bss; the generic rule keys on the RC4 key-schedule code. The memory-dump match adds no behavioural evidence: its offsets (0x35, 0x80, 0xe6) are the same page-relative offsets as in the file (0x6035, 0x6080, 0x60e6), so it is the file image mapped by the loader, not anything the sample decrypted or built at run time.
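The three $s strings the rule matched are the command lines of legitimate daemons (HAL's ACPI add-on, mingetty, postfix's pickup). The report also shows a 615-byte set_proc_name function and a prctl import; this example assumes, without the report proving it, that the implant copies one of these strings over its own command line. On a live host the observable is then a mismatch between what /proc/PID/cmdline claims and what /proc/PID/exe actually points at. The Python below is an added example, not Joe Sandbox or BPFDoor code; the scratch-directory list is an assumed heuristic and the SAMPLE_PROCS records are constructed, not taken from the sandbox run.

```python
"""Hunt for process-name disguise of the kind the YARA strings above suggest:
compare the program a process claims to be (/proc/PID/cmdline) with the binary
it is really running (/proc/PID/exe).  Added example; the disguise-string ->
process-name pairing and the scratch-directory list are assumptions."""
import os

# Disguise names taken from the YARA $s1..$s3 strings in this report.
DISGUISES = (
    "hald-addon-acpi: listening on acpi kernel interface /proc/acpi/event",
    "/sbin/mingetty /dev",
    "pickup -l -t fifo -u",
)
# Assumed: directories a legitimate system daemon would not execute from.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/run/user/")


def claimed_program(cmdline):
    """Basename of the program a cmdline claims ('hald-addon-acpi:' -> 'hald-addon-acpi')."""
    first = cmdline.split(" ", 1)[0].rstrip(":")
    return os.path.basename(first)


def assess(proc):
    """Return the reasons a record looks disguised (empty list = nothing to report).
    proc: {'pid': int, 'cmdline': str, 'exe': str}, exe being readlink(/proc/PID/exe)."""
    reasons = []
    cmd, exe = proc["cmdline"], proc["exe"]
    exe_path = exe.replace(" (deleted)", "")
    if any(cmd.startswith(d) for d in DISGUISES):
        reasons.append("cmdline matches a BPFDoor disguise string")
    if cmd and os.path.basename(exe_path) != claimed_program(cmd):
        reasons.append(f"cmdline claims {claimed_program(cmd)!r} but exe is {exe_path!r}")
    if exe_path.startswith(SCRATCH_DIRS):
        reasons.append("exe lives in a scratch directory")
    if exe.endswith(" (deleted)"):
        reasons.append("backing file was unlinked")
    # A disguise string on its own is weak (the genuine daemon looks identical),
    # so it is reported only together with at least one corroborating reason.
    if reasons == ["cmdline matches a BPFDoor disguise string"]:
        return []
    return reasons


def scan_proc(proc_root="/proc"):
    """Walk /proc on the current host and return {pid: reasons} for flagged processes."""
    hits = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc_root}/{entry}/cmdline", "rb") as fh:
                raw = fh.read().rstrip(b"\0")          # argv is NUL-separated
            cmdline = raw.replace(b"\0", b" ").decode(errors="replace")
            exe = os.readlink(f"{proc_root}/{entry}/exe")
        except OSError:
            continue    # kernel threads, or processes we are not allowed to inspect
        reasons = assess({"pid": int(entry), "cmdline": cmdline, "exe": exe})
        if reasons:
            hits[int(entry)] = reasons
    return hits


# Constructed records shaped like /proc output (not from the report's sandbox run).
SAMPLE_PROCS = [
    {"pid": 6222, "cmdline": "/sbin/mingetty /dev", "exe": "/tmp/Malware"},
    {"pid": 901, "cmdline": "pickup -l -t fifo -u", "exe": "/usr/lib/postfix/sbin/pickup"},
    {"pid": 902, "cmdline": "pickup -l -t fifo -u", "exe": "/dev/shm/x (deleted)"},
    {"pid": 1203, "cmdline": "/usr/sbin/sshd -D", "exe": "/usr/sbin/sshd"},
]


def flagged(procs=SAMPLE_PROCS):
    """{pid: reasons} for every record in `procs` that assess() reports."""
    return {p["pid"]: assess(p) for p in procs if assess(p)}


if __name__ == "__main__":
    for pid, why in flagged().items():
        print(pid, "; ".join(why))
```

Interpreters (python3 running a script) and daemons that legitimately rewrite argv[0] will show up in the mismatch check, so treat scan_proc() output as a triage queue rather than a verdict; the strong combinations are a disguise string paired with an exe in a scratch directory or an unlinked backing file.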
No Snort rule has matched


AV Detection

Source: Malware | Virustotal: Detection: 40% (Perma Link)
Source: Malware | ReversingLabs: Detection: 46%
Source: Malware | Joe Sandbox ML: detected

Source: global traffic | TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic | TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic | TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: unknown | Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.43 (3 times), 109.202.202.202 (2 times), 91.189.91.42 (2 times)

Source: Malware, type: SAMPLE | Matched rule: APT_MAL_LNX_RedMenshen_BPFDoor_Controller_May22_3
  date = 2022-05-08, author = Florian Roth
  description = Detects BPFDoor implants used by Chinese actor Red Menshen
  reference = https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896
  score = 144526d30ae747982079d5d340d1ff116a7963aba2e3ed589e7ebc297ba0c1b3
  hash2 = fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73

Source: Malware, type: SAMPLE | Matched rule: APT_MAL_LNX_RedMenshen_BPFDoor_Controller_Generic_May22_1
  date = 2022-05-09, author = Florian Roth
  description = Detects BPFDoor malware
  reference = https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896
  score = 07ecb1f2d9ffbd20a46cd36cd06b022db3cc8e45b1ecab62cd11f9ca7a26ab6d
  reference sample hashes carried by the rule:
    hash2 = 1925e3cd8a1b0bba0d297830636cdb9ebf002698c8fa71e0063581204f4e8345
    hash3 = 4c5cf8f977fc7c368a8e095700a44be36c8332462c0b1e41bff03238b2bf2a2d
    hash4 = 591198c234416c6ccbcea6967963ca2ca0f17050be7eed1602198308d9127c78
    hash5 = 599ae527f10ddb4625687748b7d3734ee51673b664f2e5d0346e64f85e185683
    hash6 = 5b2a079690efb5f4e0944353dd883303ffd6bab4aad1f0c88b49a76ddcb28ee9
    hash7 = 5faab159397964e630c4156f8852bcc6ee46df1cdd8be2a8d3f3d8e5980f3bb3
    hash8 = 76bf736b25d5c9aaf6a84edd4e615796fffc338a893b49c120c0b4941ce37925
    hash9 = 93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c
    hash10 = 96e906128095dead57fdc9ce8688bb889166b67c9a1b8fdb93d7cff7f3836bb9
    hash11 = 97a546c7d08ad34dfab74c9c8a96986c54768c592a8dae521ddcf612a84fb8cc
    hash12 = c796fc66b655f6107eacbe78a37f0e8a2926f01fecebd9e68a66f0e261f91276
    hash13 = c80bd1c4a796b4d3944a097e96f384c85687daeedcdcf05cc885c8c9b279b09c
    hash14 = f47de978da1dbfc5e0f195745e3368d3ceef034e964817c66ba01396a1953d72
    hash15 = f8a5e735d6e79eb587954a371515a82a15883cf2eda9d7ddb8938b86e714ea27
    hash16 = fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73
    hash17 = fd1b20ee5bd429046d3c04e9c675c41e9095bea70e0329bd32d7edd17ebaf68a

Source: 6222.1.00000000517089bc.000000004d171c55.rw-.sdmp, type: MEMORY | Matched rule: APT_MAL_LNX_RedMenshen_BPFDoor_Controller_May22_3 (same rule metadata as the file match above)

Source: classification engine | Classification label: mal52.lin@0/0@0/0
MITRE ATT&CK mapping (matched techniques only; the other cells of the rendered matrix were unmatched placeholders)

  • Command and Control: Encrypted Channel (1 signature)
  • Command and Control: Application Layer Protocol (1 signature)

Both mappings derive from the port-443 and port-80 connections listed in the signature results above, which the guest OS produced while the sample had already exited with code 1; they do not describe the sample.
No configs have been found
Source   Detection  Scanner         Label                   Link
Malware  40%        Virustotal                              Browse
Malware  46%        ReversingLabs   Linux.Backdoor.Bpfdoor
Malware  100%       Joe Sandbox ML
No Antivirus matches
No contacted domains info
IP               Domain   Country         ASN    ASN Name      Malicious
109.202.202.202  unknown  Switzerland     13030  INIT7         false
91.189.91.43     unknown  United Kingdom  41231  CANONICAL-AS  false
91.189.91.42     unknown  United Kingdom  41231  CANONICAL-AS  false
No context
No created / dropped files found
File type: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=baa0c7d6b74504b26c1eef16043a52af235bbac1, for GNU/Linux 3.2.0, not stripped
Entropy (8bit): 3.988288057662513
TrID:
  • ELF Executable and Linkable format (Linux) (4029/14) 49.77%
  • ELF Executable and Linkable format (generic) (4004/1) 49.46%
  • Lumena CEL bitmap (63/63) 0.78%
File name: Malware
File size: 35704 bytes
MD5: 686a654a185db3f40514966d1409b2b1
SHA1: fe3168d630ccb61559c06b6b0ab68d5cfa1c1a8f
SHA256: 74ef6cc38f5a1a80148752b63c117e6846984debd2af806c65887195a8eccc56
SHA512: def8ba24db0072def2bcc208c1fc01ad54f1ce9321d23d42352df0b6f73fe2a3f31942bccae24aae2097d212644acae7f28512cc63123b408f5351e31e9dfbe1
SSDEEP: 768:DvqoAYwIg4QoAYwIg4QbTLD7zrjbTLD7zrjbTLD7zrjbTLD7zrjOm+Wu0jIEYvA+:DgTpzJ
TLSH: 10F2841EF391CE3CC8C9A2312ECBD5705170B0B4AB32211B379167BB3AA679D5979E11
File Content Preview: .ELF..............>......'......@...................@.8...@.............@.......@.......@........................................................................................................................................................ ....... .....

ELF header

Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
Machine: Advanced Micro Devices X86-64
Version Number: 0x1
Type: DYN (Shared object file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x2700
Flags: 0x0
ELF Header Size: 64
Program Header Offset: 64
Program Header Size: 56
Number of Program Headers: 13
Section Header Offset: 33720
Section Header Size: 64
Number of Section Headers: 31
Header String Table Index: 30

Reading notes: ET_DYN here does not mean a library; DT_FLAGS_1 in the dynamic section carries DF_1_PIE, so this is a position-independent executable, which is why `file` reports it as a "shared object". The entry point 0x2700 is _start. The section header table at 33720 plus 31 x 64 bytes ends exactly at the 35704-byte file size, so nothing is appended after the headers (no overlay).
Section headers (flags: W write, A alloc, X exec, M merge, S strings, I info-link)

 #  Name                Type        Address  Offset  Size    EntSize  Flags    Link  Info  Align
 0  (null)              NULL        0x0      0x0     0x0     0x0      0x0         0     0      0
 1  .interp             PROGBITS    0x318    0x318   0x1c    0x0      0x2  A      0     0      1
 2  .note.gnu.property  NOTE        0x338    0x338   0x30    0x0      0x2  A      0     0      8
 3  .note.gnu.build-id  NOTE        0x368    0x368   0x24    0x0      0x2  A      0     0      4
 4  .note.ABI-tag       NOTE        0x38c    0x38c   0x20    0x0      0x2  A      0     0      4
 5  .gnu.hash           GNU_HASH    0x3b0    0x3b0   0x34    0x0      0x2  A      6     0      8
 6  .dynsym             DYNSYM      0x3e8    0x3e8   0x5e8   0x18     0x2  A      7     1      8
 7  .dynstr             STRTAB      0x9d0    0x9d0   0x21c   0x0      0x2  A      0     0      1
 8  .gnu.version        VERSYM      0xbec    0xbec   0x7e    0x2      0x2  A      6     0      2
 9  .gnu.version_r      VERNEED     0xc70    0xc70   0x50    0x0      0x2  A      7     1      8
10  .rela.dyn           RELA        0xcc0    0xcc0   0xd8    0x18     0x2  A      6     0      8
11  .rela.plt           RELA        0xd98    0xd98   0x510   0x18     0x42 AI     6    24      8
12  .init               PROGBITS    0x2000   0x2000  0x1b    0x0      0x6  AX     0     0      4
13  .plt                PROGBITS    0x2020   0x2020  0x370   0x10     0x6  AX     0     0     16
14  .plt.got            PROGBITS    0x2390   0x2390  0x10    0x10     0x6  AX     0     0     16
15  .plt.sec            PROGBITS    0x23a0   0x23a0  0x360   0x10     0x6  AX     0     0     16
16  .text               PROGBITS    0x2700   0x2700  0x2962  0x0      0x6  AX     0     0     16
17  .fini               PROGBITS    0x5064   0x5064  0xd     0x0      0x6  AX     0     0      4
18  .rodata             PROGBITS    0x6000   0x6000  0x156   0x0      0x2  A      0     0      8
19  .eh_frame_hdr       PROGBITS    0x6158   0x6158  0xfc    0x0      0x2  A      0     0      4
20  .eh_frame           PROGBITS    0x6258   0x6258  0x3c0   0x0      0x2  A      0     0      8
21  .init_array         INIT_ARRAY  0x7c10   0x6c10  0x8     0x8      0x3  WA     0     0      8
22  .fini_array         FINI_ARRAY  0x7c18   0x6c18  0x8     0x8      0x3  WA     0     0      8
23  .dynamic            DYNAMIC     0x7c20   0x6c20  0x1f0   0x10     0x3  WA     7     0      8
24  .got                PROGBITS    0x7e10   0x6e10  0x1f0   0x8      0x3  WA     0     0      8
25  .data               PROGBITS    0x8000   0x7000  0x10    0x0      0x3  WA     0     0      8
26  .bss                NOBITS      0x8020   0x7010  0x4c8   0x0      0x3  WA     0     0     32
27  .comment            PROGBITS    0x0      0x7010  0x26    0x1      0x30 MS     0     0      1
28  .symtab             SYMTAB      0x0      0x7038  0xba0   0x18     0x0        29    24      8
29  .strtab             STRTAB      0x0      0x7bd8  0x6c1   0x0      0x0         0     0      1
30  .shstrtab           STRTAB      0x0      0x8299  0x11a   0x0      0x0         0     0      1

Sizes that are worth cross-checking against the symbol tables: .dynsym holds 0x5e8 / 0x18 = 63 entries, .symtab 0xba0 / 0x18 = 124 entries, .rela.plt 0x510 / 0x18 = 54 PLT relocations, and .gnu.version_r (0x50 bytes) holds one Verneed record for libc.so.6 with four Vernaux entries, i.e. the four GLIBC versions (2.2.5, 2.4, 2.14, 2.34) seen in the import list.
Program headers (Type, Offset, VirtAddr, PhysAddr, FileSize, MemSize, Entropy, Flags, Align, mapped sections)

PHDR          0x40    0x40    0x40    0x2d8   0x2d8   1.4984  0x4 R    0x8
INTERP        0x318   0x318   0x318   0x1c    0x1c    3.9408  0x4 R    0x1     /lib64/ld-linux-x86-64.so.2 (.interp)
LOAD          0x0     0x0     0x0     0x12a8  0x12a8  2.2135  0x4 R    0x1000  .interp .note.gnu.property .note.gnu.build-id .note.ABI-tag .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt
LOAD          0x2000  0x2000  0x2000  0x3071  0x3071  2.7806  0x5 R E  0x1000  .init .plt .plt.got .plt.sec .text .fini
LOAD          0x6000  0x6000  0x6000  0x618   0x618   3.9149  0x4 R    0x1000  .rodata .eh_frame_hdr .eh_frame
LOAD          0x6c10  0x7c10  0x7c10  0x400   0x8d8   1.2825  0x6 RW   0x1000  .init_array .fini_array .dynamic .got .data .bss
DYNAMIC       0x6c20  0x7c20  0x7c20  0x1f0   0x1f0   1.1215  0x6 RW   0x8     .dynamic
NOTE          0x338   0x338   0x338   0x30    0x30    1.6272  0x4 R    0x8     .note.gnu.property
NOTE          0x368   0x368   0x368   0x44    0x44    2.4132  0x4 R    0x4     .note.gnu.build-id .note.ABI-tag
GNU_PROPERTY  0x338   0x338   0x338   0x30    0x30    1.6272  0x4 R    0x8     .note.gnu.property   (type LOOS+0x474e553 = PT_GNU_PROPERTY)
GNU_EH_FRAME  0x6158  0x6158  0x6158  0xfc    0xfc    2.0044  0x4 R    0x4     .eh_frame_hdr
GNU_STACK     0x0     0x0     0x0     0x0     0x0     0.0000  0x6 RW   0x10
GNU_RELRO     0x6c10  0x7c10  0x7c10  0x3f0   0x3f0   1.2909  0x4 R    0x1     .init_array .fini_array .dynamic .got

Hardening profile, for what it says about the build: GNU_STACK is RW only (non-executable stack), GNU_RELRO covers .got and, with DF_BIND_NOW in DT_FLAGS, gives full RELRO, the binary is PIE, and __stack_chk_fail is imported (stack protector). This is the default output of a current distribution gcc, not a hand-tuned build; the four-segment R / R E / R / RW layout with separate .plt.sec is likewise stock toolchain behaviour.
Dynamic section (Tag, meta, value, tag number)

DT_NEEDED        sharedlib  libc.so.6   0x1
DT_INIT          value      0x2000      0xc
DT_FINI          value      0x5064      0xd
DT_INIT_ARRAY    value      0x7c10      0x19
DT_INIT_ARRAYSZ  bytes      8           0x1b
DT_FINI_ARRAY    value      0x7c18      0x1a
DT_FINI_ARRAYSZ  bytes      8           0x1c
DT_GNU_HASH      value      0x3b0       0x6ffffef5
DT_STRTAB        value      0x9d0       0x5
DT_SYMTAB        value      0x3e8       0x6
DT_STRSZ         bytes      540         0xa
DT_SYMENT        bytes      24          0xb
DT_DEBUG         value      0x0         0x15
DT_PLTGOT        value      0x7e10      0x3
DT_PLTRELSZ      bytes      1296        0x2
DT_PLTREL        pltrel     DT_RELA     0x14
DT_JMPREL        value      0xd98       0x17
DT_RELA          value      0xcc0       0x7
DT_RELASZ        bytes      216         0x8
DT_RELAENT       bytes      24          0x9
DT_FLAGS         value      0x8         0x1e        (DF_BIND_NOW)
DT_FLAGS_1       value      0x8000001   0x6ffffffb  (DF_1_NOW | DF_1_PIE)
DT_VERNEED       value      0xc70       0x6ffffffe
DT_VERNEEDNUM    value      1           0x6fffffff
DT_VERSYM        value      0xbec       0x6ffffff0
DT_RELACOUNT     value      3           0x6ffffff9
DT_NULL          value      0x0         0x0

libc.so.6 is the only DT_NEEDED entry and there is no DT_RPATH or DT_RUNPATH, so the loader's failure is entirely the GLIBC_2.34 version requirement recorded through DT_VERNEED/DT_VERSYM; no missing library or search-path trick is involved.
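The loader error in this report (GLIBC_2.34 missing on an Ubuntu 20.04 guest, whose glibc is 2.31) is visible statically: the .gnu.version_r section at 0xc70 (DT_VERNEED) lists every symbol version the binary demands from each DT_NEEDED library, and the symbol table binds __libc_start_main to GLIBC_2.34. The following Python, added here as an example and not part of the Joe Sandbox report, walks the ELF64 section headers and the Verneed/Vernaux records with the standard library only and answers "will this load on a host with glibc X.Y?" before a detonation is wasted on the wrong image. It assumes a little-endian ELF64 input. The build_test_elf() helper constructs a minimal synthetic ELF carrying the same four libc versions seen in this report's symbol table so the block runs offline; pass a path on the command line to check a real file.

```python
"""Pre-flight check for the GLIBC version failure shown in this report: parse the
ELF64 section headers and the .gnu.version_r (SHT_GNU_verneed) section, list the
symbol versions demanded from each library, and compare the highest GLIBC_x.y
with the glibc of the intended analysis host.  Added example, not Joe Sandbox code."""
import struct

SHT_STRTAB = 3
SHT_GNU_VERNEED = 0x6FFFFFFE          # sh_type of .gnu.version_r
SHDR_FMT = "<IIQQQQIIQQ"              # Elf64_Shdr (64 bytes)
EHDR_FMT = "<16sHHIQQQIHHHHHH"        # Elf64_Ehdr (64 bytes)


def _cstr(buf, off):
    """NUL-terminated string starting at buf[off]."""
    return buf[off:buf.index(b"\0", off)].decode()


def section_headers(data):
    """Return the Elf64_Shdr table as a list of dicts (little-endian ELF64 only)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_shoff, = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    keys = ("name", "type", "flags", "addr", "offset", "size",
            "link", "info", "addralign", "entsize")
    return [dict(zip(keys, struct.unpack_from(SHDR_FMT, data, e_shoff + i * e_shentsize)))
            for i in range(e_shnum)]


def required_symbol_versions(data):
    """{library: [version, ...]} collected from every SHT_GNU_verneed section."""
    shdrs = section_headers(data)
    needed = {}
    for sh in shdrs:
        if sh["type"] != SHT_GNU_VERNEED:
            continue
        strtab = shdrs[sh["link"]]            # sh_link names the string table (.dynstr)
        if strtab["type"] != SHT_STRTAB:
            raise ValueError(".gnu.version_r sh_link does not point at a STRTAB")
        stroff = strtab["offset"]
        pos = sh["offset"]
        while True:
            # Elf64_Verneed: vn_version, vn_cnt, vn_file, vn_aux, vn_next
            _, vn_cnt, vn_file, vn_aux, vn_next = struct.unpack_from("<HHIII", data, pos)
            lib = _cstr(data, stroff + vn_file)
            apos = pos + vn_aux
            for _ in range(vn_cnt):
                # Elf64_Vernaux: vna_hash, vna_flags, vna_other, vna_name, vna_next
                _, _, _, vna_name, vna_next = struct.unpack_from("<IHHII", data, apos)
                needed.setdefault(lib, []).append(_cstr(data, stroff + vna_name))
                if vna_next == 0:
                    break
                apos += vna_next
            if vn_next == 0:
                break
            pos += vn_next
    return needed


def highest_glibc(needed):
    """Highest GLIBC_x.y demanded from libc.so.6 as a tuple, or None."""
    vers = [tuple(int(p) for p in v[len("GLIBC_"):].split("."))
            for v in needed.get("libc.so.6", []) if v.startswith("GLIBC_")]
    return max(vers) if vers else None


def loads_on(needed, host_glibc):
    """True if a host shipping glibc `host_glibc` (tuple) satisfies every version."""
    top = highest_glibc(needed)
    return top is None or top <= host_glibc


def build_test_elf():
    """Constructed minimal ELF64 (only .dynstr and .gnu.version_r) that demands the
    same libc versions this report's symbol table shows: 2.2.5, 2.4, 2.14, 2.34."""
    strtab, offs = bytearray(b"\0"), {}
    for s in ("libc.so.6", "GLIBC_2.2.5", "GLIBC_2.4", "GLIBC_2.14", "GLIBC_2.34"):
        offs[s] = len(strtab)
        strtab += s.encode() + b"\0"
    names = ["GLIBC_2.2.5", "GLIBC_2.4", "GLIBC_2.14", "GLIBC_2.34"]
    verneed = struct.pack("<HHIII", 1, len(names), offs["libc.so.6"], 16, 0)
    for i, n in enumerate(names):
        verneed += struct.pack("<IHHII", 0, 0, 2 + i, offs[n], 0 if i == len(names) - 1 else 16)
    str_off = 64
    vn_off = (str_off + len(strtab) + 7) & ~7
    sh_off = vn_off + len(verneed)
    shdrs = (struct.pack(SHDR_FMT, *([0] * 10))
             + struct.pack(SHDR_FMT, 1, SHT_STRTAB, 2, 0, str_off, len(strtab), 0, 0, 1, 0)
             + struct.pack(SHDR_FMT, 11, SHT_GNU_VERNEED, 2, 0, vn_off, len(verneed), 1, 1, 8, 0))
    ehdr = struct.pack(EHDR_FMT, b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                       3, 0x3E, 1, 0, 0, sh_off, 0, 64, 0, 0, 64, 3, 0)
    blob = bytearray(ehdr) + strtab
    blob += b"\0" * (vn_off - len(blob)) + verneed + shdrs
    return bytes(blob)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_elf()
    need = required_symbol_versions(data)
    for lib, vers in need.items():
        print(f"{lib}: {', '.join(vers)}")
    print("loads on Ubuntu 20.04 (glibc 2.31):", loads_on(need, (2, 31)))
    print("loads on Ubuntu 22.04 (glibc 2.35):", loads_on(need, (2, 35)))
```

readelf -V prints the same records by hand; the point of having it in code is to gate sandbox submissions automatically, routing a sample to the image whose glibc satisfies highest_glibc() instead of discovering the mismatch from a one-line stderr after a five-minute run.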
Symbols

.dynsym: 63 entries. Every import below is FUNC, SHN_UNDEF, DEFAULT visibility (the tool reports the bind as <unknown>); the version is the libc.so.6 symbol version each import is bound to.

  GLIBC_2.2.5: __cxa_atexit, __cxa_finalize, _exit, accept, access, bind, chdir, close, connect, dup2, execve, exit, fork, free, getpid, getuid, grantpt, htons, inet_ntoa, ioctl, kill, listen, malloc, memchr, memcmp, memset, ntohs, open, prctl, ptsname, rand, read, recvfrom, select, sendto, setsid, setsockopt, signal, sleep, snprintf, socket, srand, strcpy, strlen, strncpy, system, time, unlink, unlockpt, utimes, vhangup, waitpid, write
  GLIBC_2.4: __stack_chk_fail
  GLIBC_2.14: memcpy
  GLIBC_2.34: __libc_start_main
  unversioned NOTYPE, SHN_UNDEF: _ITM_deregisterTMCloneTable, _ITM_registerTMCloneTable, __gmon_start__
  defined OBJECT (GLIBC_2.2.5): __environ, _environ, environ, all at 0x8020, size 8, section 26 (.bss)

.symtab: 124 entries (the binary is not stripped). The version columns the tool attached to these entries are not meaningful and are omitted; every import listed above also recurs here as name@VERSION with SHN_UNDEF and is not repeated.

Defined functions in .text (section 16), in address order; value, size in bytes:

  _start                 0x2700    38
  deregister_tm_clones   0x2730     0
  register_tm_clones     0x2760     0
  __do_global_dtors_aux  0x27a0     0
  frame_dummy            0x27e0     0
  xchg                   0x27e9    52
  rc4_init               0x281d   220
  rc4                    0x28f9   258
  cwrite                 0x29fb   158
  cread                  0x2a99    96
  remove_pid             0x2af9    31
  setup_time             0x2b18   105
  terminate              0x2b81    48
  on_terminate           0x2bb1    23
  init_signal            0x2bc8    46
  sig_child              0x2bf6    58
  ptym_open              0x2c30   201
  ptys_open              0x2cf9   180
  open_tty               0x2dad   125
  try_link               0x2e2a   180
  mon                    0x2ede   212
  set_proc_name          0x2fb2   615
  to_open                0x3219   787
  logon                  0x352c   142
  packet_loop            0x35ba  2262
  b                      0x3e90   262
  w                      0x3f96   109
  getshell               0x4003  1065
  shell                  0x442c  2295
  main                   0x4d23   800
  atexit                 0x5050    18
  _init                  0x2000     0   (section 12 .init, HIDDEN)
  _fini                  0x5064     0   (section 17 .fini, HIDDEN)

The sizes tile .text without gaps from xchg at 0x27e9 to the end of atexit at 0x5062 (= 0x2700 + 0x2962), so the list above is the complete set of compiled functions and their source order.

Data objects (value, size, section):

  cfg                    0x8040   548   26 (.bss)
  crypt_ctx              0x82c0   258   26
  decrypt_ctx            0x83e0   258   26
  argv0                  0x82b8     8   26
  godpid                 0x826c     4   26
  pid_path               0x8280    50   26
  pty                    0x8264     4   26
  tty                    0x8268     4   26
  completed.0            0x8028     1   26
  __environ / _environ / environ  0x8020  8  26
  __dso_handle           0x8008     0   25 (.data), HIDDEN
  __TMC_END__            0x8010     0   25, HIDDEN
  _IO_stdin_used         0x6000     4   18 (.rodata)
  __abi_tag              0x38c     32    4 (.note.ABI-tag)
  _DYNAMIC               0x7c20     0   23
  _GLOBAL_OFFSET_TABLE_  0x7e10     0   24
  __FRAME_END__          0x6614     0   20
  __frame_dummy_init_array_entry          0x7c10  0  21
  __do_global_dtors_aux_fini_array_entry  0x7c18  0  22

NOTYPE markers: __GNU_EH_FRAME_HDR 0x6158 (19), __data_start and data_start 0x8000 (25), _edata 0x8010 (25), __bss_start 0x8010 (26), _end 0x84e8 (26).

FILE symbols (SHN_ABS): "Red Menshen BPFDoor Source Code( ).c", Scrt1.o, crtstuff.c (twice), and one with an empty name.

What the names give away, beyond what the YARA rules already say: rc4_init/rc4 with two 258-byte contexts (a 256-byte S-box plus two index bytes) and cread/cwrite are the RC4 transport wrappers; ptym_open/ptys_open/open_tty together with the grantpt/unlockpt/ptsname/vhangup imports allocate a pseudo-terminal for the shell/getshell functions; packet_loop, mon, try_link and logon are the listening and connect-back paths around the socket/setsockopt/recvfrom imports; set_proc_name (615 bytes, next to the prctl import) rewrites how the process presents itself, which is what the $s1..$s3 disguise strings in .rodata are for; remove_pid/pid_path/godpid manage a pid file; utimes is imported for timestamp manipulation. The FILE symbol shows the binary was compiled directly from a source file named "Red Menshen BPFDoor Source Code( ).c", on a toolchain whose libc is 2.34 or newer, and was never stripped.
Network connection attempts (Timestamp, source port, destination port, source IP, destination IP)

May 14, 2022 15:12:52.943727970 CEST  42836  443  192.168.2.23  91.189.91.43
May 14, 2022 15:12:53.711901903 CEST  42516   80  192.168.2.23  109.202.202.202
May 14, 2022 15:13:08.303927898 CEST  43928  443  192.168.2.23  91.189.91.42
May 14, 2022 15:13:18.543988943 CEST  42836  443  192.168.2.23  91.189.91.43
May 14, 2022 15:13:24.687989950 CEST  42516   80  192.168.2.23  109.202.202.202
May 14, 2022 15:13:49.264178991 CEST  43928  443  192.168.2.23  91.189.91.42
May 14, 2022 15:14:09.744436026 CEST  42836  443  192.168.2.23  91.189.91.43

Only three distinct source ports appear, so these are three connection attempts, each reappearing with the same source port, which is consistent with retransmissions of unanswered SYNs rather than new connections. None of them is the sample's: the process was started at 15:12:52 and was refused by the dynamic loader before any of its code ran, the binary has no name-resolution import, and the peers are Canonical and Init7 address space reached without DNS, i.e. the guest's own background connectivity.

System Behavior

Start time: 15:12:52
Start date: 14/05/2022
Path: /tmp/Malware
Arguments: /tmp/Malware
File size: 35704 bytes
MD5 hash: 686a654a185db3f40514966d1409b2b1