{
	"id": "4c42d697-c16f-4227-9f3a-88daaba28022",
	"created_at": "2026-04-06T00:20:00.756583Z",
	"updated_at": "2026-04-10T13:13:08.389012Z",
	"deleted_at": null,
	"sha1_hash": "564f24384facefbcf8c1e040b8637e2adb92a246",
	"title": "Dec 2012 Linux.Chapro - trojan Apache iframer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 75700,
	"plain_text": "Dec 2012 Linux.Chapro - trojan Apache iframer\r\nArchived: 2026-04-05 20:34:43 UTC\r\nHere is another notable development of 2012 - Linux malware (see Wirenet trojan posted\r\nearlier too)\r\nResearch: ESET Malicious Apache module used for content injection: Linux/Chapro.A\r\nAll the samples are below. I did not test it thus no pcaps this time.\r\n------Linux/Chapro.A  e022de72cce8129bd5ac8a0675996318\r\n------Injected iframe    111e3e0bf96b6ebda0aeffdb444bcf8d\r\n------Java exploit         2bd88b0f267e5aa5ec00d1452a63d9dc\r\n------Zeus binary         3840a6506d9d5c2443687d1cf07e25d0\r\nDownload\r\n------Linux/Chapro.A  e022de72cce8129bd5ac8a0675996318\r\n------Java exploit         2bd88b0f267e5aa5ec00d1452a63d9dc\r\n------Zeus binary         3840a6506d9d5c2443687d1cf07e25d0\r\nAutomatic scans\r\n Analysis  ESET Malicious Apache module used for content injection:\r\nSHA256: 345a86f839372db0ee7367be0b9df2d2d844cef406407695a2f869d6b3380ece\r\nSHA1: 2ccb789d57d3ce3dd929307eb78878e6e5c61ccf\r\nMD5: e022de72cce8129bd5ac8a0675996318\r\nFile size: 38.3 KB ( 39176 bytes )\r\nFile name: e022de72cce8129bd5ac8a0675996318\r\nFile type: ELF\r\nTags: elf\r\nhttp://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html\r\nPage 1 of 5\n\nDetection ratio: 19 / 46\r\nAnalysis date: 2012-12-21 19:12:13 UTC ( 2 days, 11 hours ago ) \r\nAVG Generic6_c.CLGW 20121221\r\nBitDefender Backdoor.Linux.Agent.E 20121221\r\nCAT-QuickHeal - 20121220\r\nCommtouch - 20121221\r\nComodo UnclassifiedMalware 20121221\r\nDrWeb Linux.Iframe.1 20121221\r\nESET-NOD32 Linux/Chapro.A 20121221\r\nF-Secure Backdoor.Linux.Agent.E 20121221\r\nGData Backdoor.Linux.Agent.E 20121221\r\nIkarus Backdoor.Linux.Apmod 20121221\r\nJiangmin Backdoor/Linux.fs 20121221\r\nK7AntiVirus Trojan 20121221\r\nKaspersky HEUR:Backdoor.Linux.Apmod.gen 20121221\r\nMicroWorld-eScan Backdoor.Linux.Agent.E 20121221\r\nnProtect Backdoor.Linux.Agent.E 20121221\r\nPCTools Malware.Linux-Chapro 
20121221\r\nSophos Troj/Apmod-D 20121221\r\nSUPERAntiSpyware - 20121221\r\nSymantec Linux.Chapro 20121221\r\nTrendMicro ELF_CHAPRO.A 20121221\r\nTrendMicro-HouseCall ELF_CHAPRO.A 20121221\r\nViRobot Linux.A.Apmod.39176 20121221\r\nExploit:Java/CVE-2012-1723\r\nSHA256: a70a8891829344ad3db818b3c4ad76e38a78b0ce3c43d7aaf65752fe56d10e09\r\nSHA1: d01f76f5467c86bfa266c429e1315e7aad821f93\r\nMD5: 2bd88b0f267e5aa5ec00d1452a63d9dc\r\nFile size: 30.2 KB ( 30957 bytes )\r\nFile name: nYCND\r\nFile type: ZIP\r\nTags: exploit zip cve-2012-1723\r\nDetection ratio: 2 / 43\r\nAnalysis date: 2012-11-23 09:54:46 UTC ( 1 month ago ) \r\nKaspersky UDS:DangerousObject.Multi.Generic 20121123\r\nMicrosoft Exploit:Java/CVE-2012-1723!generic 20121123\r\nSHA256: 12f38f9be4df1909a1370d77588b74c60b25f65a098a08cf81389c97d3352f82\r\nSHA1: 5050b57e01bb2aa9730f826f36ad4d41477d8bd9\r\nMD5: 3840a6506d9d5c2443687d1cf07e25d0\r\nFile size: 222.0 KB ( 227328 bytes )\r\nFile name: 3840a6506d9d5c2443687d1cf07e25d0\r\nFile type: Win32 EXE\r\nTags: peexe\r\nDetection ratio: 32 / 44\r\nAnalysis date: 2012-12-22 20:02:23 UTC ( 1 day, 10 hours ago ) \r\nAgnitum Trojan.Injector!5xrrtg7IXGQ 20121222\r\nAntiVir TR/PSW.Zbot.2884 20121222\r\nAvast Win32:Crypt-OMW [Trj] 20121222\r\nAVG PSW.Generic10.AOEA 20121222\r\nBitDefender Trojan.Generic.8218925 20121222\r\nComodo TrojWare.Win32.Trojan.Agent.Gen 20121222\r\nDrWeb Trojan.PWS.Panda.368 20121222\r\nESET-NOD32 a variant of Win32/Injector.ZRA 20121222\r\nF-Secure Trojan.Generic.8218925 20121222\r\nFortinet W32/Zbot.ARO!tr 20121222\r\nGData Trojan.Generic.8218925 20121222\r\nIkarus Trojan.Win32.Yakes 20121222\r\nJiangmin TrojanSpy.Zbot.csit 20121221\r\nK7AntiVirus Spyware 20121221\r\nKaspersky Trojan-Spy.Win32.Zbot.gmeq 20121222\r\nKingsoft Win32.Troj.Zbot.gm.(kcloud) 
20121217\r\nMalwarebytes Trojan.Agent 20121222\r\nMcAfee PWS-Zbot.gen.aro 20121222\r\nMcAfee-GW-Edition PWS-Zbot.gen.aro 20121222\r\nMicrosoft PWS:Win32/Zbot 20121222\r\nNorman W32/ZBot.DIJG 20121222\r\nnProtect Trojan.Generic.8218925 20121222\r\nPanda Trj/Genetic.gen 20121222\r\nPCTools Trojan-PSW.Generic!rem 20121222\r\nSophos Mal/Zbot-JM 20121222\r\nSUPERAntiSpyware Trojan.Agent/Gen-Zbot 20121222\r\nSymantec Infostealer 20121222\r\nTheHacker Trojan/Injector.zra 20121222\r\nTrendMicro TROJ_GEN.R21CDLF 20121222\r\nTrendMicro-HouseCall TROJ_GEN.R21CDLF 20121222\r\nVBA32 TrojanSpy.Zbot.gmeq 20121221\r\nVIPRE Trojan.Win32.Generic!BT 20121222\r\nSource: http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html"
	],
	"report_names": [
		"dec-2012-linuxchapro-trojan-apache.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434800,
	"ts_updated_at": 1775826788,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/564f24384facefbcf8c1e040b8637e2adb92a246.pdf",
		"text": "https://archive.orkl.eu/564f24384facefbcf8c1e040b8637e2adb92a246.txt",
		"img": "https://archive.orkl.eu/564f24384facefbcf8c1e040b8637e2adb92a246.jpg"
	}
}