Linux Analysis Report
ntpd

Overview

General Information

Sample Name: ntpd
Analysis ID: 635359
MD5: bc8137a7fddaa5ae9b9e38ac8fa4a92d
SHA1: d2133f4ed241159bf1d9ce02a702a9b61f424680
SHA256: 9e512c9f31a19bb2efc1e772d210602b3f383d55cb758bdffc408e80801256f5

Detection

Score: 60
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Opens /proc/net/* files useful for finding connected devices and routers
Sample contains symbols with suspicious names
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection

Source: ntpd Avira: detected
Source: ntpd Virustotal: Detection: 66%
Source: ntpd ReversingLabs: Detection: 73%

Spreading

Source: /tmp/ntpd (PID: 6226) Opens: /proc/net/route
Source: ntpd String found in binary or memory: http://45.95.55.12/bins.sh;
Source: ELF static info symbol of initial sample Name: passwords
Source: ELF static info symbol of initial sample Name: usernames
Source: ELF static info symbol of initial sample FILE: libc/string/mips/memcpy.S
Source: ELF static info symbol of initial sample FILE: libc/string/mips/memset.S
Source: ELF static info symbol of initial sample FILE: libc/sysdeps/linux/mips/crt1.S
Source: ELF static info symbol of initial sample FILE: libc/sysdeps/linux/mips/crti.S
Source: ELF static info symbol of initial sample FILE: libc/sysdeps/linux/mips/crtn.S
Source: ELF static info symbol of initial sample FILE: libc/sysdeps/linux/mips/pipe.S
Source: classification engine Classification label: mal60.spre.lin@0/1@0/0
Source: /tmp/ntpd (PID: 6226) Queries kernel information via 'uname'
Source: ntpd, 6226.1.00000000746dfa48.00000000f019ae95.rw-.sdmp, ntpd, 6228.1.00000000746dfa48.00000000f019ae95.rw-.sdmp, ntpd, 6256.1.00000000746dfa48.00000000f019ae95.rw-.sdmp, ntpd, 6291.1.00000000746dfa48.00000000f019ae95.rw-.sdmp Binary or memory string: V!/etc/qemu-binfmt/mips
Source: ntpd, 6226.1.00000000746dfa48.00000000f019ae95.rw-.sdmp, ntpd, 6228.1.00000000746dfa48.00000000f019ae95.rw-.sdmp, ntpd, 6256.1.00000000746dfa48.00000000f019ae95.rw-.sdmp, ntpd, 6291.1.00000000746dfa48.00000000f019ae95.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mips
Source: ntpd, 6226.1.00000000b4f86922.00000000f8117199.rw-.sdmp Binary or memory string: /tmp/qemu-open.xqNPAW
Source: ntpd, 6226.1.00000000b4f86922.00000000f8117199.rw-.sdmp, ntpd, 6228.1.00000000b4f86922.00000000f8117199.rw-.sdmp, ntpd, 6256.1.00000000b4f86922.00000000f8117199.rw-.sdmp, ntpd, 6291.1.00000000b4f86922.00000000f8117199.rw-.sdmp Binary or memory string: /usr/bin/qemu-mips
Source: ntpd, 6226.1.00000000b4f86922.00000000f8117199.rw-.sdmp, ntpd, 6228.1.00000000b4f86922.00000000f8117199.rw-.sdmp, ntpd, 6256.1.00000000b4f86922.00000000f8117199.rw-.sdmp, ntpd, 6291.1.00000000b4f86922.00000000f8117199.rw-.sdmp Binary or memory string: yx86_64/usr/bin/qemu-mips/tmp/ntpdSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/ntpd
Source: ntpd, 6226.1.00000000b4f86922.00000000f8117199.rw-.sdmp Binary or memory string: V/tmp/qemu-open.xqNPAW\d
No contacted IP infos