Summary | ZeroBOX

gan105

Generic Malware ELF AntiVM AntiDebug
Category FILE
Machine s1_win7_x6401
Started July 27, 2021, 5:54 p.m.
Completed July 27, 2021, 6:08 p.m.
Size 968.4KB
Type ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, for GNU/Linux 2.6.14, with debug_info, not stripped
MD5 f4217eea477c2bcef9f68465077b08df
SHA256 e9f988c03da8b6f0e8b7e6d002385233ef72a7738a8ec4310afdd32793dfa9bd
CRC32 ADB48DB7
ssdeep 12288:vf54iYqmS4Mh2pIzp37Pe6MoQUNpjfekSEw8v1fqgPv1nc4yG5x9uNKxf2uWgcsQ:35nEYdFNpbekSEw8vDukxfRFc3WUQ78n
Yara
  • IsELF - Executable and Linking Format executable file (Linux/Unix)
  • Generic_Malware_Zero - Generic Malware

Name Response Post-Analysis Lookup
No hosts contacted.

IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0

Time & API Arguments Status Return Repeated
GlobalMemoryStatusEx 1 1 0
Time & API              process_identifier  stack_dep_bypass  stack_pivoted  heap_dep_bypass  length  protection                   base_address  process_handle  Status  Return  Repeated
NtProtectVirtualMemory  2076                0                 0              0                4096    64 (PAGE_EXECUTE_READWRITE)  0x73770000    0xffffffff      1       0       0
NtProtectVirtualMemory  2076                0                 0              0                4096    64 (PAGE_EXECUTE_READWRITE)  0x729d1000    0xffffffff      1       0       0
NtProtectVirtualMemory  2076                0                 0              0                4096    64 (PAGE_EXECUTE_READWRITE)  0x72941000    0xffffffff      1       0       0
NtProtectVirtualMemory  2076                0                 0              0                4096    64 (PAGE_EXECUTE_READWRITE)  0x72904000    0xffffffff      1       0       0
NtProtectVirtualMemory  2076                0                 0              0                4096    64 (PAGE_EXECUTE_READWRITE)  0x729d2000    0xffffffff      1       0       0
NtProtectVirtualMemory  2076                0                 0              0                4096    64 (PAGE_EXECUTE_READWRITE)  0x72a91000    0xffffffff      1       0       0
NtProtectVirtualMemory  2076                0                 0              0                4096    64 (PAGE_EXECUTE_READWRITE)  0x72c41000    0xffffffff      1       0       0
NtProtectVirtualMemory  2076                0                 0              0                4096    64 (PAGE_EXECUTE_READWRITE)  0x72b41000    0xffffffff      1       0       0
NtProtectVirtualMemory  2076                0                 0              0                4096    64 (PAGE_EXECUTE_READWRITE)  0x72711000    0xffffffff      1       0       0
NtProtectVirtualMemory  2076                0                 0              0                4096    64 (PAGE_EXECUTE_READWRITE)  0x726d1000    0xffffffff      1       0       0
NtProtectVirtualMemory  2076                0                 0              0                4096    64 (PAGE_EXECUTE_READWRITE)  0x743d1000    0xffffffff      1       0       0
NtProtectVirtualMemory  2076                0                 0              0                4096    64 (PAGE_EXECUTE_READWRITE)  0x74e51000    0xffffffff      1       0       0
NtProtectVirtualMemory  2076                0                 0              0                4096    64 (PAGE_EXECUTE_READWRITE)  0x743b1000    0xffffffff      1       0       0
NtProtectVirtualMemory  2856                0                 0              0                4096    64 (PAGE_EXECUTE_READWRITE)  0x729d2000    0xffffffff      1       0       0

rule DebuggerCheck__GlobalFlags description (no description)
rule DebuggerCheck__QueryInfo description (no description)
rule DebuggerHiding__Thread description (no description)
rule DebuggerHiding__Active description (no description)
rule ThreadControl__Context description (no description)
rule SEH__vectored description (no description)
rule anti_dbg description Checks if being debugged
rule disable_dep description Bypass DEP
registry HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\EDITPLUS.EXE
registry HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Microsoft Outlook\Capabilities\FileAssociations
Process injection Process 2232 resumed a thread in remote process 2076
Time & API Arguments Status Return Repeated
NtResumeThread thread_handle: 0x0000028c, suspend_count: 1, process_identifier: 2076 1 0 0

ClamAV Unix.Trojan.Spike-6301360-0
McAfee Linux/Dofloo.b
Zillya Backdoor.Dofloo.Linux.31
Sangfor Malware.ELF-Script.Save.aacd5914
ESET-NOD32 a variant of Linux/Dofloo.C
TrendMicro-HouseCall ELF_SONEX.SMA
Avast ELF:Agent-IF [Trj]
Kaspersky HEUR:Backdoor.Linux.Dofloo.d
BitDefender Trojan.GenericKD.42989312
MicroWorld-eScan Trojan.GenericKD.42989312
Rising Backdoor.Dofloo/Linux!1.BA3A (CLASSIC)
Ad-Aware Trojan.GenericKD.42989312
Sophos Linux/DDoS-BE
DrWeb Linux.Mrblack.104
TrendMicro ELF_SONEX.SMA
McAfee-GW-Edition BehavesLike.JS.Dofloo.dj
FireEye Trojan.GenericKD.42989312
Emsisoft Trojan.GenericKD.42989312 (B)
GData Trojan.GenericKD.42989312
Jiangmin Backdoor.Linux.ohi
Antiy-AVL Trojan/Generic.ASELF.5B7B
Microsoft Trojan:Win32/Berbew
Arcabit Trojan.Generic.D28FF700
Avast-Mobile ELF:Flooder-SR [Trj]
AhnLab-V3 Linux/Ddosagent.811008
ALYac Trojan.GenericKD.42989312
MAX malware (ai score=82)
Tencent Backdoor.Linux.Dofloo.da
Ikarus Trojan.Linux.Dofloo
Fortinet ELF/Dofloo.C!tr
AVG ELF:Agent-IF [Trj]