streamlined_europium_9141fada

5a6c4de2779160532dd3782002e9ee8c9b8e79e7854b2c1e0eff03dc9141fada

48.09 KB
ELF Executable

Natural Language Summary

Last Analysis

2025-07-18 20:12:04 UTC

Summary

The binary is a Linux user-space daemon that launches background threads to 1) capture keystrokes from any active X11 session, 2) attach to interactive shells via ptrace, 3) proxy a victim's terminal through a PTY it controls, and 4) exfiltrate data in raw Ethernet frames. It watches /proc for bash processes, hijacks their TTY with ptrace-assisted dup2/TIOCSCTTY (Appendix pty_daemon), and begins forwarding I/O while logging every keystroke captured through the XInput extension (Appendix keylog_thread).
Collected keystrokes are appended to per-user files under a program-defined directory (Appendix file_dump). A polling loop then transmits crafted frames via an AF_PACKET raw socket (Appendix raw_tx). Frames sent this way are handed to the interface below the IP stack, so the host's own IP-layer firewall rules (iptables OUTPUT and similar) never see them; only controls on the network path can stop them. Numerous helper routines enumerate /proc, resolve terminal devices, and parse memory maps to support precise targeting (Appendix bash_finder, maps_parse). Error handling is verbose and the build appears polished, but no effort is made to encrypt payloads or hide strings, so stealth is limited.

Conclusion

Verdict: Likely Malicious

Rationale: The binary performs unauthorized keylogging, hijacks user terminals with ptrace, switches its effective UID to that of logged-in desktop users, and transmits data in raw frames. This behavior is indistinguishable from a surveillance implant (see Appendix rows keylog_thread, pty_daemon, raw_tx).

Recommendation: Block & investigate immediately. Execute only inside an isolated sandbox for further study.

Detailed Analysis

Orchestration & Higher-Order Logic

main stores a supplied token, spawns worker threads (keylog_thread, raw_tx), then sleeps forever—acting as a simple dispatcher.

Installation & Configuration

Nothing to report.

Persistence & Privilege Escalation

No autostart mechanism observed. The sample does not escalate: ptrace-attaching to other users' shells, opening an AF_PACKET socket and changing UID all require elevated capabilities (CAP_SYS_PTRACE, CAP_NET_RAW, CAP_SETUID), so it must already run as root. It then switches its effective UID (seteuid) to match the logged-in desktop user (Appendix session_enum).

Code Protection & Obfuscation

None observed; symbols are stripped, but control flow is direct and strings are stored in the clear.

Environment Awareness & Anti-Analysis

Reads /proc/*/maps and uses ptrace extensively, but no VM or debugger checks were observed.

Runtime Behaviors & Execution Flows

  • Attaches to newly discovered bash PIDs (bash_finder) and re-wires their stdio to a PTY under attacker control.
  • Continuously logs keystrokes from all X devices.

Network Communication

Single raw AF_PACKET socket; builds and sends one-off crafted frames (raw_tx). No C2 endpoint is hard-coded, so the destination is determined at runtime and there is no IP or domain indicator to block; detection on the host should key on the creation of the SOCK_RAW packet socket itself.

Data Handling & Privacy

UTF-8 keystrokes are written to log files, then shipped verbatim over the packet socket; no encryption.

Cryptography

Nothing to report.

Credential Access

Captures all terminal and X11 keyboard input, so anything typed into the hijacked shell or the desktop session (including sudo, ssh and login passwords) is likely harvested.

Destructive Actions

Nothing to report.

Build Quality

Rich error messages, linked-list bookkeeping, clean teardown; suggests experienced developer.

Platform-Specific Notes

Linux-only; heavy X11 and /proc reliance.

High-Value Indicators (IoCs)

Type           Value                                              Referenced By
Raw Socket     AF_PACKET, protocol 0x0B                           raw_tx
Mutex/String   "bash" / "-bash" process filter                    bash_finder
File Path      keystroke logs under attacker-supplied base dir    file_dump
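The following host-triage script is an added example written for this report; it is not code from the analysed sample or from Delphos Labs. It checks a live Linux host for the two indicators above that /proc exposes directly: SOCK_RAW AF_PACKET sockets (read from /proc/net/packet and mapped back to the owning PID through /proc/<pid>/fd) and bash processes with a non-zero TracerPid, which is what the ptrace attachment in pty_daemon leaves behind. The /proc/net/packet and status texts embedded in the script are constructed samples so the parsers can be exercised offline; the live scan needs to run as root to see other users' file descriptors.

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

SOCK_RAW = 3  # value printed in the Type column of /proc/net/packet

# Constructed sample of /proc/net/packet: one SOCK_RAW socket with proto
# ETH_P_ALL (0x0003) and one SOCK_DGRAM socket as a DHCP client would hold.
SAMPLE_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   2     1 0        0      31337
0000000000000000 3      2    0800   2     1 0        0      31338
"""

# Constructed sample of /proc/<pid>/status for a bash with a tracer attached.
SAMPLE_STATUS = "Name:\tbash\nState:\tS (sleeping)\nPid:\t4242\nPPid:\t4200\nTracerPid:\t5151\n"


@dataclass
class PacketSocket:
    sock_type: int
    proto: int    # EtherType in host order, as the kernel prints it (0x0003 = ETH_P_ALL)
    ifindex: int
    uid: int
    inode: int


def parse_proc_net_packet(text: str) -> List[PacketSocket]:
    """Parse /proc/net/packet (columns: sk RefCnt Type Proto Iface R Rmem User Inode)."""
    sockets = []
    for line in text.splitlines()[1:]:          # skip the header line
        f = line.split()
        if len(f) < 9:
            continue
        sockets.append(PacketSocket(int(f[2]), int(f[3], 16), int(f[4]), int(f[7]), int(f[8])))
    return sockets


def raw_packet_sockets(sockets: Iterable[PacketSocket]) -> List[PacketSocket]:
    """Only SOCK_RAW packet sockets are the indicator; SOCK_DGRAM ones (type 2)
    are routinely held by DHCP clients and are not flagged."""
    return [s for s in sockets if s.sock_type == SOCK_RAW]


def parse_status(text: str) -> Dict[str, str]:
    """Turn the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def is_traced_shell(status: Dict[str, str], names=("bash", "-bash")) -> bool:
    """A bash with a non-zero TracerPid has a ptrace attacher, which is how the
    sample re-wires the shell's stdio onto its own PTY."""
    return status.get("Name") in names and status.get("TracerPid", "0") != "0"


def socket_inode_to_pids(proc_root: str = "/proc") -> Dict[int, List[int]]:
    """Map socket inodes to holding PIDs via /proc/<pid>/fd/* -> 'socket:[INODE]' links."""
    owners: Dict[int, List[int]] = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                         # not our process and not root
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:                     # fd closed while we scanned
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners.setdefault(int(m.group(1)), []).append(int(pid))
    return owners


def triage(proc_root: str = "/proc") -> List[str]:
    """Live scan; returns one finding string per suspicious socket or shell."""
    findings = []
    with open(os.path.join(proc_root, "net", "packet")) as fh:
        raw = raw_packet_sockets(parse_proc_net_packet(fh.read()))
    owners = socket_inode_to_pids(proc_root) if raw else {}
    for s in raw:
        findings.append(f"SOCK_RAW packet socket proto=0x{s.proto:04x} uid={s.uid} "
                        f"inode={s.inode} pids={owners.get(s.inode, ['?'])}")
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, pid, "status")) as fh:
                status = parse_status(fh.read())
        except OSError:
            continue
        if is_traced_shell(status):
            findings.append(f"bash pid={pid} is ptrace-attached by TracerPid={status['TracerPid']}")
    return findings


if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

Run it as root on the suspect host. A SOCK_RAW packet socket owned by a process that is not a packet-capture or network-monitoring tool, or any bash whose TracerPid points at an unknown PID, is worth pulling the owning binary for. The Proto column is printed by the kernel in host order, so it does not resolve the htons ambiguity in the raw_tx appendix entry; compare both 0x000B and 0x0B00 when hunting for this specific sample.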

Appendix

keylog_thread - X11 keystroke collector

Initializes XInput devices, registers for the extension's key events, loops on select, translates keysyms via static tables, and writes UTF-8 bytes to disk.
Locations: start_routine_4087ab @ 0x4087ab

pty_daemon - PTY hijack & proxy

Forks to the background, opens a PTY master/slave pair, uses ptrace to dup2 the slave over the target shell's stdio (and TIOCSCTTY to make it the shell's controlling terminal), then relays data between the two ends with select, handling signals.
Locations: sub_40a000 @ 0x40a000

raw_tx - raw Ethernet transmitter

Creates socket(AF_PACKET, SOCK_RAW, 0x0B), binds it, fills an msghdr/iovec, and calls sendmsg; the thread exits on error. Note that the protocol argument of a packet socket is interpreted in network byte order, so whether the on-wire EtherType is 0x000B or 0x0B00 depends on whether the value was passed through htons, which this summary does not record.
Locations: start_routine_405ec4 @ 0x405ec4

bash_finder - locate interactive shells

Scans /proc, compares each /proc/<pid>/status Name to "bash", and spawns a worker thread on match.
Locations: sub_405681 @ 0x405681

maps_parse - /proc/<pid>/maps parser

Reads and tokenizes each line, builds doubly-linked list of memory regions for later address scanning.
Locations: sub_404c2d @ 0x404c2d
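A reference parser for the format maps_parse consumes, added here as an example; it is not the sample's own code, and the maps lines embedded in it are constructed. It builds the same per-region records the routine above keeps in its linked list (address range, permissions, file offset, device, inode, path) and adds the address lookup that "later address scanning" needs, handling the three line shapes that occur in practice: file-backed, anonymous (no path column) and pseudo-paths such as [heap] and [stack].

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One line per mapping: start-end perms offset dev inode [path]. The path column
# is absent for anonymous mappings and holds a pseudo-name for special regions.
_MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Constructed sample covering a file-backed mapping, [heap], an anonymous
# mapping and [stack]. Addresses and inode are illustrative.
SAMPLE_MAPS = """\
55d1c3a00000-55d1c3b00000 r-xp 00000000 fd:01 1835017                    /usr/bin/bash
55d1c3d12000-55d1c3d3a000 rw-p 00000000 00:00 0                          [heap]
7f0c5e200000-7f0c5e222000 rw-p 00000000 00:00 0
7ffd2a1c0000-7ffd2a1e1000 rw-p 00000000 00:00 0                          [stack]
"""


@dataclass
class Region:
    start: int
    end: int              # exclusive
    perms: str            # e.g. "r-xp"
    offset: int
    dev: str
    inode: int
    path: Optional[str]   # None for anonymous mappings

    @property
    def executable(self) -> bool:
        return "x" in self.perms

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end


def parse_maps(text: str) -> List[Region]:
    """Parse the text of /proc/<pid>/maps into Region records, skipping malformed lines."""
    regions = []
    for line in text.splitlines():
        m = _MAPS_LINE.match(line)
        if not m:
            continue
        path = m.group("path").strip() or None
        regions.append(Region(int(m.group("start"), 16), int(m.group("end"), 16),
                              m.group("perms"), int(m.group("offset"), 16),
                              m.group("dev"), int(m.group("inode")), path))
    return regions


def find_region(regions: List[Region], addr: int) -> Optional[Region]:
    """Return the mapping containing addr, or None if the address is unmapped."""
    for r in regions:
        if r.contains(addr):
            return r
    return None


def executable_file_regions(regions: List[Region]) -> List[Region]:
    """File-backed executable mappings, the usual targets when scanning for code addresses."""
    return [r for r in regions if r.executable and r.inode != 0]


def read_maps(pid: int) -> List[Region]:
    """Live variant: parse /proc/<pid>/maps of a running process."""
    with open(f"/proc/{pid}/maps") as fh:
        return parse_maps(fh.read())
```

Reading another user's maps file requires ptrace-level access to that process (PTRACE_MODE_READ), which is the same permission the sample needs for its attach; on a hardened host with kernel.yama.ptrace_scope set to 2 or 3, both the sample's maps parsing and its ptrace attach fail for non-root callers.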

file_dump - append keystrokes to disk

Derives the filename from the first token of a provided string, creates the directory hierarchy as needed, opens the file with fopen(..., "a"), and writes via fwrite.
Locations: sub_408490 @ 0x408490

Delphos Labs may make errors. Manual verification is recommended.