Summary | ZeroBOX

spc

ELF AntiVM AntiDebug
Category: FILE
Machine: s1_win7_x6402
Started: June 8, 2021, 9:53 a.m.
Completed: June 8, 2021, 10 a.m.
Size: 123.8KB
Type: ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
MD5: 0600368dd5cd4cf1fc90f41827518b29
SHA256: 2d9a786700a956f6817af1a3556c2ccf634220fb5288a2957b28da83e7928d3d
CRC32: 4E07B3E4
ssdeep: 3072:4DwHW5TrW7c05Qv+Towy6Fwu2NxgH7NIQfx:4yW305Qv+cwy2H24iQfx
Yara
  • IsELF - Executable and Linking Format executable file (Linux/Unix)
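The file type above says the sample is a 32-bit big-endian SPARC ELF, yet the analysis machine was a Windows 7 x64 guest, which cannot execute it natively. The check a practitioner wants before submitting is to read the ELF header and route the sample to a guest whose CPU matches. The script below is an added example, not ZeroBOX or Cuckoo code: it parses the ELF identification bytes and header with struct, renders them in the order `file` prints them, and matches the e_machine value against a hypothetical sandbox inventory (SANDBOX_MACHINES, the machine names other than s1_win7_x6402 are invented). The ELF bytes it builds are constructed for the example and are not the analysed sample.

```python
"""Check an ELF sample's target architecture before choosing a sandbox machine.

Added example, not ZeroBOX/Cuckoo code. It parses the ELF header with struct,
renders the fields the way `file` does, and matches the e_machine value against
a hypothetical sandbox inventory so a SPARC binary is not submitted to a
Windows x64 guest. The ELF bytes built below are constructed for this example
and are not the analysed sample.
"""
import struct
from typing import Optional

ELF_MAGIC = b"\x7fELF"
PT_INTERP = 3  # program header naming the dynamic loader; absent in static binaries

# Names for the header values used here (from the ELF specification).
EI_CLASS_NAMES = {1: "32-bit", 2: "64-bit"}
EI_DATA_NAMES = {1: "LSB", 2: "MSB"}
EI_OSABI_NAMES = {0: "SYSV", 3: "GNU/Linux"}
E_TYPE_NAMES = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core file"}
E_MACHINE_NAMES = {
    2: "SPARC", 3: "Intel 80386", 8: "MIPS", 18: "SPARC32PLUS", 20: "PowerPC",
    40: "ARM", 43: "SPARC V9", 62: "x86-64", 183: "ARM aarch64",
}

# Hypothetical sandbox inventory: machine name -> e_machine values it runs natively.
# The Windows guest the report used can run no ELF at all, hence the empty set.
SANDBOX_MACHINES = {
    "s1_win7_x6402": frozenset(),
    "linux_x64_01": frozenset({3, 62}),
    "qemu_sparc_01": frozenset({2, 18, 43}),
}


def parse_elf_header(data: bytes) -> dict:
    """Return class, endianness, type, machine and linkage; raise ValueError if not ELF."""
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data, ei_version, ei_osabi = data[4], data[5], data[6], data[7]
    if ei_class not in EI_CLASS_NAMES or ei_data not in EI_DATA_NAMES:
        raise ValueError("invalid EI_CLASS or EI_DATA")
    endian = ">" if ei_data == 2 else "<"
    # e_type, e_machine and e_version directly follow the 16-byte e_ident.
    e_type, e_machine, _e_version = struct.unpack_from(endian + "HHI", data, 16)
    if ei_class == 1:
        # ELF32: e_entry, e_phoff, e_shoff, e_flags (4 bytes each), e_ehsize, e_phentsize, e_phnum
        _, e_phoff, _, _, _, e_phentsize, e_phnum = struct.unpack_from(endian + "IIIIHHH", data, 24)
    else:
        if len(data) < 64:
            raise ValueError("truncated ELF64 header")
        # ELF64: e_entry, e_phoff, e_shoff are 8 bytes; the remaining fields as in ELF32
        _, e_phoff, _, _, _, e_phentsize, e_phnum = struct.unpack_from(endian + "QQQIHHH", data, 24)
    # Walk the program header table; p_type is the first 4 bytes of every entry in both classes.
    dynamic = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            break  # truncated table: treat the missing entries as absent
        (p_type,) = struct.unpack_from(endian + "I", data, off)
        if p_type == PT_INTERP:
            dynamic = True
            break
    return {
        "class": EI_CLASS_NAMES[ei_class],
        "data": EI_DATA_NAMES[ei_data],
        "version": ei_version,
        "osabi": EI_OSABI_NAMES.get(ei_osabi, f"OSABI {ei_osabi}"),
        "type": E_TYPE_NAMES.get(e_type, f"type {e_type}"),
        "machine": E_MACHINE_NAMES.get(e_machine, f"machine {e_machine}"),
        "machine_id": e_machine,
        "linkage": "dynamically linked" if dynamic else "statically linked",
    }


def describe(hdr: dict) -> str:
    """Render the parsed fields in the order `file` prints them."""
    return (f"ELF {hdr['class']} {hdr['data']} {hdr['type']}, {hdr['machine']}, "
            f"version {hdr['version']} ({hdr['osabi']}), {hdr['linkage']}")


def pick_machine(hdr: dict) -> Optional[str]:
    """Return the first inventory machine that runs this e_machine natively, else None."""
    for name, machines in SANDBOX_MACHINES.items():
        if hdr["machine_id"] in machines:
            return name
    return None


def build_sample(e_machine: int = 2, interp: bool = False) -> bytes:
    """Constructed ELF32 MSB executable header plus one program header (not a real binary)."""
    e_ident = ELF_MAGIC + bytes([1, 2, 1, 0]) + b"\x00" * 8  # 32-bit, MSB, version 1, SYSV
    # e_type=ET_EXEC, e_machine, e_version, e_entry, e_phoff=52, e_shoff, e_flags,
    # e_ehsize=52, e_phentsize=32, e_phnum=1, e_shentsize=40, e_shnum, e_shstrndx
    ehdr = e_ident + struct.pack(">HHIIIIIHHHHHH", 2, e_machine, 1, 0x10074, 52, 0, 0, 52, 32, 1, 40, 0, 0)
    p_type = PT_INTERP if interp else 1  # PT_LOAD when no interpreter is requested
    phdr = struct.pack(">IIIIIIII", p_type, 0, 0x10000, 0x10000, 0x100, 0x100, 5, 0x10000)
    return ehdr + phdr


if __name__ == "__main__":
    hdr = parse_elf_header(build_sample())
    print(describe(hdr))
    print("submit to:", pick_machine(hdr) or "no suitable machine")
```

Run against a real file by replacing `build_sample()` with `open(path, "rb").read()`; the description for the constructed header matches the report's Type line apart from "stripped", which needs the section table rather than the program headers. A None from pick_machine is the signal to stop and provision an emulated guest instead of accepting whatever machine the queue hands out.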

DNS (Name / Response / Post-Analysis Lookup): No hosts contacted.
IP Address: 172.217.25.14 (Status: Active, Action: Moloch)

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Behavioural trace. The calls below were recorded in Windows processes on the s1_win7_x6402 analysis VM (PIDs 2864, 3576 and 8064). A 32-bit big-endian SPARC ELF cannot execute natively on a Windows 7 x64 host, so this trace describes the analysis environment, not the sample; the AntiDebug and AntiVM tags derived from it should be read with that in mind.

Time & API | Arguments | Status | Return | Repeated

IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
GlobalMemoryStatusEx | (none) | 1 | 1 | 0
Time & API | Arguments | Status | Return | Repeated

NtProtectVirtualMemory: 14 calls, all with the same arguments except process_identifier and base_address. process_handle 0xffffffff is the current-process pseudo-handle, so each call changes the protection of one 4096-byte page inside the calling process itself.
  stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  process_handle: 0xffffffff
  Status 1, Return 0, Repeated 0 for every call

  process_identifier  base_address
  2864                0x73e80000
  2864                0x73771000
  2864                0x73861000
  2864                0x72da4000
  2864                0x73772000
  2864                0x73e01000
  2864                0x73ef1000
  2864                0x72821000
  2864                0x6e621000
  2864                0x73db1000
  2864                0x73dd1000
  2864                0x74e51000
  2864                0x743c1000
  8064                0x73772000
Signatures (rule: description)
  DebuggerCheck__GlobalFlags: (no description)
  DebuggerCheck__QueryInfo: (no description)
  DebuggerHiding__Thread: (no description)
  DebuggerHiding__Active: (no description)
  ThreadControl__Context: (no description)
  SEH__vectored: (no description)
  anti_dbg: Checks if being debugged
  disable_dep: Bypass DEP

host: 172.217.25.14

registry:
  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\EDITPLUS.EXE
  HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Mozilla Thunderbird\Capabilities\Hidden

Process injection: Process 3576 resumed a thread in remote process 2864

Time & API | Arguments | Status | Return | Repeated
NtResumeThread | thread_handle: 0x00000288, suspend_count: 1, process_identifier: 2864 | 1 | 0 | 0
Antivirus results (engine / detection)
ClamAV Unix.Dropper.Mirai-7355719-0
FireEye Trojan.Linux.Mirai.1
McAfee Linux/Mirai.km
Sangfor Malware.ELF-Script.Save.bc740538
Cyren E32/Mirai.D.gen!Camelot
ESET-NOD32 a variant of Linux/Mirai.AVD
TrendMicro-HouseCall Trojan.Linux.MIRAI.SMMR1
Avast ELF:CVE-2017-17215-A [Expl]
Kaspersky HEUR:Backdoor.Linux.Mirai.cw
BitDefender Trojan.Linux.Mirai.1
MicroWorld-eScan Trojan.Linux.Mirai.1
Ad-Aware Trojan.Linux.Mirai.1
Emsisoft Trojan.Linux.Mirai.1 (B)
DrWeb Linux.Mirai.4513
TrendMicro Trojan.Linux.MIRAI.SMMR1
McAfee-GW-Edition Linux/Mirai.km
Sophos Linux/DDoS-CIA
Avast-Mobile ELF:Mirai-UM [Trj]
Jiangmin Backdoor.Linux.etbl
MAX malware (ai score=86)
Microsoft DDoS:Linux/Gafgyt.YA!MTB
ZoneAlarm HEUR:Backdoor.Linux.Mirai.ad
GData Linux.Trojan.Gafgyt.B
BitDefenderTheta Gen:NN.Mirai.34722
ALYac Trojan.Linux.Mirai.1
Rising Backdoor.Mirai/Linux!1.BAF6 (CLASSIC)
Ikarus Trojan.Linux.Gafgyt
Fortinet ELF/Mirai.OX!tr
AVG ELF:CVE-2017-17215-A [Expl]