Edit tour

Linux Analysis Report
6eYKWxlBqa.elf

Overview

General Information

Sample name:	6eYKWxlBqa.elf renamed because original name is a hash value
Original sample name:	a01abd7f86858f0f0cd2f03c9ef28c40.elf
Analysis ID:	1447842
MD5:	a01abd7f86858f0f0cd2f03c9ef28c40
SHA1:	58227ea5a96433cec2c34fb1e77bd6b38caf7496
SHA256:	ff1fbf46cdd1af1cd2fc7b092b2fc0856671a1b8e9bdd936840587f53761d215
Tags:	32armelfgafgyt
Infos:

Detection

Gafgyt, Mirai

Score:	92
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Gafgyt

Yara detected Mirai

Opens /proc/net/* files useful for finding connected devices and routers

Detected TCP or UDP traffic on non-standard ports

Sample and/or dropped files contains symbols with suspicious names

Sample contains strings that are user agent strings indicative of HTTP manipulation

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1447842
Start date and time:	2024-05-27 09:08:00 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	6eYKWxlBqa.elf renamed because original name is a hash value
Original Sample Name:	a01abd7f86858f0f0cd2f03c9ef28c40.elf
Detection:	MAL
Classification:	mal92.spre.troj.linELF@0/0@2/0

Runtime Messages

Command:	/tmp/6eYKWxlBqa.elf
PID:	5524
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	gosh that chinese family at the other table sure ate alot
Standard Error:

Process Tree

system is lnxubuntu20

6eYKWxlBqa.elf (PID: 5524, Parent: 5447, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/6eYKWxlBqa.elf

6eYKWxlBqa.elf New Fork (PID: 5526, Parent: 5524)

6eYKWxlBqa.elf New Fork (PID: 5527, Parent: 5524)

6eYKWxlBqa.elf New Fork (PID: 5530, Parent: 5527)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Bashlite, Gafgyt	Bashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.	No Attribution	http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/ https://blog.cyber5w.com/gafgyt-backdoor-analysis https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/ https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/ https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
6eYKWxlBqa.elf	JoeSecurity_Gafgyt	Yara detected Gafgyt	Joe Security
6eYKWxlBqa.elf	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6eYKWxlBqa.elf	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x19050:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19064:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19078:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1908c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x190a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x190b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x190c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x190dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x190f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19104:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19118:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1912c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19140:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19154:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19168:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1917c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19190:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x191a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x191b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x191cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x191e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
6eYKWxlBqa.elf	Linux_Trojan_Gafgyt_6a510422	unknown	unknown	0x1bbe:$a: 0B E5 24 30 1B E5 2C 30 0B E5 1C 00 00 EA 18 30 1B E5 00 30
6eYKWxlBqa.elf	Linux_Trojan_Gafgyt_d2953f92	unknown	unknown	0x1ace:$a: 1B E5 2A 00 53 E3 0A 00 00 0A 30 30 1B E5 3F 00 53 E3 23 00

Memory Dumps

Source	Rule	Description	Author	Strings
5524.1.00007f0318017000.00007f0318034000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5524.1.00007f0318017000.00007f0318034000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x19050:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19064:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19078:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1908c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x190a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x190b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x190c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x190dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x190f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19104:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19118:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1912c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19140:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19154:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19168:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1917c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19190:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x191a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x191b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x191cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x191e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5524.1.00007f0318017000.00007f0318034000.r-x.sdmp	Linux_Trojan_Gafgyt_6a510422	unknown	unknown	0x1bbe:$a: 0B E5 24 30 1B E5 2C 30 0B E5 1C 00 00 EA 18 30 1B E5 00 30
5524.1.00007f0318017000.00007f0318034000.r-x.sdmp	Linux_Trojan_Gafgyt_d2953f92	unknown	unknown	0x1ace:$a: 1B E5 2A 00 53 E3 0A 00 00 0A 30 30 1B E5 3F 00 53 E3 23 00
5527.1.00007f0318017000.00007f0318034000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5527.1.00007f0318017000.00007f0318034000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x19050:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19064:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19078:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1908c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x190a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x190b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x190c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x190dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x190f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19104:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19118:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1912c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19140:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19154:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19168:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1917c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19190:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x191a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x191b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x191cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x191e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5527.1.00007f0318017000.00007f0318034000.r-x.sdmp	Linux_Trojan_Gafgyt_6a510422	unknown	unknown	0x1bbe:$a: 0B E5 24 30 1B E5 2C 30 0B E5 1C 00 00 EA 18 30 1B E5 00 30
5527.1.00007f0318017000.00007f0318034000.r-x.sdmp	Linux_Trojan_Gafgyt_d2953f92	unknown	unknown	0x1ace:$a: 1B E5 2A 00 53 E3 0A 00 00 0A 30 30 1B E5 3F 00 53 E3 23 00
5526.1.00007f0318017000.00007f0318034000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5526.1.00007f0318017000.00007f0318034000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x19050:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19064:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19078:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1908c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x190a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x190b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x190c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x190dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x190f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19104:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19118:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1912c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19140:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19154:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19168:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1917c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19190:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x191a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x191b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x191cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x191e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5526.1.00007f0318017000.00007f0318034000.r-x.sdmp	Linux_Trojan_Gafgyt_6a510422	unknown	unknown	0x1bbe:$a: 0B E5 24 30 1B E5 2C 30 0B E5 1C 00 00 EA 18 30 1B E5 00 30
5526.1.00007f0318017000.00007f0318034000.r-x.sdmp	Linux_Trojan_Gafgyt_d2953f92	unknown	unknown	0x1ace:$a: 1B E5 2A 00 53 E3 0A 00 00 0A 30 30 1B E5 3F 00 53 E3 23 00
Process Memory Space: 6eYKWxlBqa.elf PID: 5524	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: 6eYKWxlBqa.elf PID: 5524	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x132ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x132c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x132d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x132e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x132fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13310:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13324:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13338:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1334c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13360:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13374:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13388:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1339c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x133b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x133c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x133d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x133ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13400:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13414:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13428:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1343c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: 6eYKWxlBqa.elf PID: 5526	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: 6eYKWxlBqa.elf PID: 5526	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x115d3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x115e7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x115fb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1160f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11623:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11637:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1164b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1165f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11673:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11687:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1169b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x116af:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x116c3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x116d7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x116eb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x116ff:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11713:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11727:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1173b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1174f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11763:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: 6eYKWxlBqa.elf PID: 5527	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: 6eYKWxlBqa.elf PID: 5527	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x1126a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1127e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11292:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x112a6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x112ba:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x112ce:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x112e2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x112f6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1130a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1131e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11332:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11346:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1135a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1136e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11382:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11396:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x113aa:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x113be:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x113d2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x113e6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x113fa:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Click to see the 13 entries

Snort Signatures

ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response - Source IP: 176.123.4.187 - Destination IP: 192.168.2.15

Timestamp:	05/27/24-09:10:00.509833
SID:	2839489
Source Port:	666
Destination Port:	40178
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response - Source IP: 176.123.4.187 - Destination IP: 192.168.2.15

Timestamp:	05/27/24-09:08:42.343969
SID:	2839489
Source Port:	666
Destination Port:	40168
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response - Source IP: 176.123.4.187 - Destination IP: 192.168.2.15

Timestamp:	05/27/24-09:12:05.508837
SID:	2839489
Source Port:	666
Destination Port:	40194
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response - Source IP: 176.123.4.187 - Destination IP: 192.168.2.15

Timestamp:	05/27/24-09:09:13.625064
SID:	2839489
Source Port:	666
Destination Port:	40172
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response - Source IP: 176.123.4.187 - Destination IP: 192.168.2.15

Timestamp:	05/27/24-09:11:34.265443
SID:	2839489
Source Port:	666
Destination Port:	40190
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response - Source IP: 176.123.4.187 - Destination IP: 192.168.2.15

Timestamp:	05/27/24-09:08:57.997243
SID:	2839489
Source Port:	666
Destination Port:	40170
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response - Source IP: 176.123.4.187 - Destination IP: 192.168.2.15

Timestamp:	05/27/24-09:11:49.888617
SID:	2839489
Source Port:	666
Destination Port:	40192
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response - Source IP: 176.123.4.187 - Destination IP: 192.168.2.15

Timestamp:	05/27/24-09:09:29.251476
SID:	2839489
Source Port:	666
Destination Port:	40174
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response - Source IP: 176.123.4.187 - Destination IP: 192.168.2.15

Timestamp:	05/27/24-09:09:44.880692
SID:	2839489
Source Port:	666
Destination Port:	40176
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response - Source IP: 176.123.4.187 - Destination IP: 192.168.2.15

Timestamp:	05/27/24-09:10:47.383741
SID:	2839489
Source Port:	666
Destination Port:	40184
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response - Source IP: 176.123.4.187 - Destination IP: 192.168.2.15

Timestamp:	05/27/24-09:11:03.012444
SID:	2839489
Source Port:	666
Destination Port:	40186
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response - Source IP: 176.123.4.187 - Destination IP: 192.168.2.15

Timestamp:	05/27/24-09:11:18.633977
SID:	2839489
Source Port:	666
Destination Port:	40188
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response - Source IP: 176.123.4.187 - Destination IP: 192.168.2.15

Timestamp:	05/27/24-09:10:16.127962
SID:	2839489
Source Port:	666
Destination Port:	40180
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response - Source IP: 176.123.4.187 - Destination IP: 192.168.2.15

Timestamp:	05/27/24-09:10:31.750956
SID:	2839489
Source Port:	666
Destination Port:	40182
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 6eYKWxlBqa.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: 6eYKWxlBqa.elf	ReversingLabs: Detection: 68%
Source: 6eYKWxlBqa.elf	Virustotal: Detection: 68%			Perma Link

Spreading

Opens /proc/net/* files useful for finding connected devices and routers

Source: /tmp/6eYKWxlBqa.elf (PID: 5524)

Opens: /proc/net/route

Jump to behavior

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2839489 ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response 176.123.4.187:666 -> 192.168.2.15:40168
Source: Traffic	Snort IDS: 2839489 ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response 176.123.4.187:666 -> 192.168.2.15:40170
Source: Traffic	Snort IDS: 2839489 ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response 176.123.4.187:666 -> 192.168.2.15:40172
Source: Traffic	Snort IDS: 2839489 ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response 176.123.4.187:666 -> 192.168.2.15:40174
Source: Traffic	Snort IDS: 2839489 ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response 176.123.4.187:666 -> 192.168.2.15:40176
Source: Traffic	Snort IDS: 2839489 ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response 176.123.4.187:666 -> 192.168.2.15:40178
Source: Traffic	Snort IDS: 2839489 ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response 176.123.4.187:666 -> 192.168.2.15:40180
Source: Traffic	Snort IDS: 2839489 ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response 176.123.4.187:666 -> 192.168.2.15:40182
Source: Traffic	Snort IDS: 2839489 ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response 176.123.4.187:666 -> 192.168.2.15:40184
Source: Traffic	Snort IDS: 2839489 ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response 176.123.4.187:666 -> 192.168.2.15:40186
Source: Traffic	Snort IDS: 2839489 ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response 176.123.4.187:666 -> 192.168.2.15:40188
Source: Traffic	Snort IDS: 2839489 ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response 176.123.4.187:666 -> 192.168.2.15:40190
Source: Traffic	Snort IDS: 2839489 ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response 176.123.4.187:666 -> 192.168.2.15:40192
Source: Traffic	Snort IDS: 2839489 ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response 176.123.4.187:666 -> 192.168.2.15:40194

Source: global traffic

TCP traffic: 192.168.2.15:40168 -> 176.123.4.187:666

Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.4.187

Source: global traffic

DNS traffic detected: DNS query: daisy.ubuntu.com

System Summary

Malicious sample detected (through community Yara rule)

Source: 6eYKWxlBqa.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6eYKWxlBqa.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_6a510422 Author: unknown
Source: 6eYKWxlBqa.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d2953f92 Author: unknown
Source: 5524.1.00007f0318017000.00007f0318034000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5524.1.00007f0318017000.00007f0318034000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_6a510422 Author: unknown
Source: 5524.1.00007f0318017000.00007f0318034000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d2953f92 Author: unknown
Source: 5527.1.00007f0318017000.00007f0318034000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5527.1.00007f0318017000.00007f0318034000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_6a510422 Author: unknown
Source: 5527.1.00007f0318017000.00007f0318034000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d2953f92 Author: unknown
Source: 5526.1.00007f0318017000.00007f0318034000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5526.1.00007f0318017000.00007f0318034000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_6a510422 Author: unknown
Source: 5526.1.00007f0318017000.00007f0318034000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d2953f92 Author: unknown
Source: Process Memory Space: 6eYKWxlBqa.elf PID: 5524, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: 6eYKWxlBqa.elf PID: 5526, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: 6eYKWxlBqa.elf PID: 5527, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: 6eYKWxlBqa.elf

ELF static info symbol of initial sample: __gnu_unwind_execute

Source: 6eYKWxlBqa.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6eYKWxlBqa.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_6a510422 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 8ee116ff41236771cdc8dc4b796c3b211502413ae631d5b5aedbbaa2eccc3b75, id = 6a510422-3662-4fdb-9c03-0101f16e87cd, last_modified = 2021-09-16
Source: 6eYKWxlBqa.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d2953f92 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 276c6d62a8a335d0e2421b6b5b90c2c0eb69eec294bc9fcdeb7743abbf08d8bc, id = d2953f92-62ee-428d-88c5-723914c88c6e, last_modified = 2021-09-16
Source: 5524.1.00007f0318017000.00007f0318034000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5524.1.00007f0318017000.00007f0318034000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_6a510422 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 8ee116ff41236771cdc8dc4b796c3b211502413ae631d5b5aedbbaa2eccc3b75, id = 6a510422-3662-4fdb-9c03-0101f16e87cd, last_modified = 2021-09-16
Source: 5524.1.00007f0318017000.00007f0318034000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d2953f92 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 276c6d62a8a335d0e2421b6b5b90c2c0eb69eec294bc9fcdeb7743abbf08d8bc, id = d2953f92-62ee-428d-88c5-723914c88c6e, last_modified = 2021-09-16
Source: 5527.1.00007f0318017000.00007f0318034000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5527.1.00007f0318017000.00007f0318034000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_6a510422 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 8ee116ff41236771cdc8dc4b796c3b211502413ae631d5b5aedbbaa2eccc3b75, id = 6a510422-3662-4fdb-9c03-0101f16e87cd, last_modified = 2021-09-16
Source: 5527.1.00007f0318017000.00007f0318034000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d2953f92 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 276c6d62a8a335d0e2421b6b5b90c2c0eb69eec294bc9fcdeb7743abbf08d8bc, id = d2953f92-62ee-428d-88c5-723914c88c6e, last_modified = 2021-09-16
Source: 5526.1.00007f0318017000.00007f0318034000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5526.1.00007f0318017000.00007f0318034000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_6a510422 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 8ee116ff41236771cdc8dc4b796c3b211502413ae631d5b5aedbbaa2eccc3b75, id = 6a510422-3662-4fdb-9c03-0101f16e87cd, last_modified = 2021-09-16
Source: 5526.1.00007f0318017000.00007f0318034000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d2953f92 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 276c6d62a8a335d0e2421b6b5b90c2c0eb69eec294bc9fcdeb7743abbf08d8bc, id = d2953f92-62ee-428d-88c5-723914c88c6e, last_modified = 2021-09-16
Source: Process Memory Space: 6eYKWxlBqa.elf PID: 5524, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: 6eYKWxlBqa.elf PID: 5526, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: 6eYKWxlBqa.elf PID: 5527, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal92.spre.troj.linELF@0/0@2/0

Source: /tmp/6eYKWxlBqa.elf (PID: 5524)

Queries kernel information via 'uname':

Jump to behavior

Source: 6eYKWxlBqa.elf, 5524.1.000055ce6aceb000.000055ce6ae3a000.rw-.sdmp, 6eYKWxlBqa.elf, 5526.1.000055ce6aceb000.000055ce6ae3a000.rw-.sdmp, 6eYKWxlBqa.elf, 5527.1.000055ce6aceb000.000055ce6ae3a000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/arm
Source: 6eYKWxlBqa.elf, 5524.1.000055ce6aceb000.000055ce6ae3a000.rw-.sdmp, 6eYKWxlBqa.elf, 5526.1.000055ce6aceb000.000055ce6ae3a000.rw-.sdmp, 6eYKWxlBqa.elf, 5527.1.000055ce6aceb000.000055ce6ae3a000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: 6eYKWxlBqa.elf, 5524.1.00007ffe66ce1000.00007ffe66d02000.rw-.sdmp, 6eYKWxlBqa.elf, 5526.1.00007ffe66ce1000.00007ffe66d02000.rw-.sdmp, 6eYKWxlBqa.elf, 5527.1.00007ffe66ce1000.00007ffe66d02000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: 6eYKWxlBqa.elf, 5524.1.00007ffe66ce1000.00007ffe66d02000.rw-.sdmp, 6eYKWxlBqa.elf, 5526.1.00007ffe66ce1000.00007ffe66d02000.rw-.sdmp, 6eYKWxlBqa.elf, 5527.1.00007ffe66ce1000.00007ffe66d02000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/6eYKWxlBqa.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/6eYKWxlBqa.elf

Stealing of Sensitive Information

Yara detected Gafgyt

Source: Yara match

File source: 6eYKWxlBqa.elf, type: SAMPLE

Yara detected Mirai

Source: Yara match	File source: 6eYKWxlBqa.elf, type: SAMPLE
Source: Yara match	File source: 5524.1.00007f0318017000.00007f0318034000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5527.1.00007f0318017000.00007f0318034000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5526.1.00007f0318017000.00007f0318034000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6eYKWxlBqa.elf PID: 5524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6eYKWxlBqa.elf PID: 5526, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6eYKWxlBqa.elf PID: 5527, type: MEMORYSTR

Source: Initial sample	User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; pl) Opera 11.00
Source: Initial sample	User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; en) Opera 11.00
Source: Initial sample	User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; ja) Opera 11.00
Source: Initial sample	User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; de) Opera 11.01
Source: Initial sample	User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; fr) Opera 11.00
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Source: Initial sample	User agent string found: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11) AppleWebKit/601.1.56 (KHTML, like Gecko) Version/9.0 Safari/601.1.56
Source: Initial sample	User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.7 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.7
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: Initial sample	User agent string found: Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51
Source: Initial sample	User agent string found: Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16
Source: Initial sample	User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Linux; Android 4.4.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.89 Mobile Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Linux; Android 4.4.3; HTC_0PCV2 Build/KTU84L) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
Source: Initial sample	User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; X11; Linux x86_64; pl) Opera 11.00
Source: Initial sample	User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:25.0) Gecko/20100101 Firefox/25.0
Source: Initial sample	User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0
Source: Initial sample	User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0
Source: Initial sample	User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10; rv:33.0) Gecko/20100101 Firefox/33.0

Remote Access Functionality

Yara detected Gafgyt

Source: Yara match

File source: 6eYKWxlBqa.elf, type: SAMPLE

Yara detected Mirai

Source: Yara match	File source: 6eYKWxlBqa.elf, type: SAMPLE
Source: Yara match	File source: 5524.1.00007f0318017000.00007f0318034000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5527.1.00007f0318017000.00007f0318034000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5526.1.00007f0318017000.00007f0318034000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6eYKWxlBqa.elf PID: 5524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6eYKWxlBqa.elf PID: 5526, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6eYKWxlBqa.elf PID: 5527, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 Remote System Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
6eYKWxlBqa.elf	68%	ReversingLabs	Linux.Trojan.Gafgyt
6eYKWxlBqa.elf	68%	Virustotal		Browse
6eYKWxlBqa.elf	100%	Avira	LINUX/Gafgyt.opnd

Dropped Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
daisy.ubuntu.com	0%	Virustotal		Browse

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
daisy.ubuntu.com	162.213.35.25	true	false	0%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
176.123.4.187	unknown	Moldova Republic of		200019	ALEXHOSTMD	true

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
176.123.4.187	4CB2w5yQL3.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	rV97CNwo30.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	mZ2LgS47Z1.elf	Get hash	malicious	Gafgyt, Mirai	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
daisy.ubuntu.com	4CB2w5yQL3.elf	Get hash	malicious	Gafgyt, Mirai	Browse	162.213.35.25
	rV97CNwo30.elf	Get hash	malicious	Gafgyt, Mirai	Browse	162.213.35.25
	mZ2LgS47Z1.elf	Get hash	malicious	Gafgyt, Mirai	Browse	162.213.35.24
	Hcmes4e8Sw.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	M4huqujaBY.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	cVxP229sNF.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	ZVQBodhgp1.elf	Get hash	malicious	Mirai, Moobot	Browse	162.213.35.25
	1rA2CJx2rg.elf	Get hash	malicious	Mirai, Moobot	Browse	162.213.35.24
	nJNBF70tP9.elf	Get hash	malicious	Mirai	Browse	162.213.35.25
	SjLTg00G6b.elf	Get hash	malicious	Mirai	Browse	162.213.35.25

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ALEXHOSTMD	4CB2w5yQL3.elf	Get hash	malicious	Gafgyt, Mirai	Browse	176.123.4.187
	rV97CNwo30.elf	Get hash	malicious	Gafgyt, Mirai	Browse	176.123.4.187
	mZ2LgS47Z1.elf	Get hash	malicious	Gafgyt, Mirai	Browse	176.123.4.187
	472.rtf.doc	Get hash	malicious	SmokeLoader	Browse	45.84.0.173
	support.Client.exe.zip	Get hash	malicious	ScreenConnect Tool	Browse	176.123.10.70
	https://coanj.com/	Get hash	malicious	Unknown	Browse	45.142.212.163
	Q1a9z2AS7p.elf	Get hash	malicious	Unknown	Browse	176.123.1.127
	3sbAd2pTKO.elf	Get hash	malicious	Unknown	Browse	176.123.1.127
	5SgnZcDoHg.elf	Get hash	malicious	Unknown	Browse	176.123.1.127
	uKzd18tKZ2.elf	Get hash	malicious	Unknown	Browse	176.123.1.127

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped
Entropy (8bit):	6.059339497916822
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	6eYKWxlBqa.elf
File size:	181'882 bytes
MD5:	a01abd7f86858f0f0cd2f03c9ef28c40
SHA1:	58227ea5a96433cec2c34fb1e77bd6b38caf7496
SHA256:	ff1fbf46cdd1af1cd2fc7b092b2fc0856671a1b8e9bdd936840587f53761d215
SHA512:	c698ad3f084ebee5b1f3f217c823d6151e335eba82e8f4c524afd7ccac4689a83285b8478372521e9dceff56ff890a2522e8cced3a7f2611ecb4d7747ad0b5cd
SSDEEP:	3072:6PC+RjGkWa6s/qSPeAjQM6PBt9ZbPtMAV7sAfymUwwFB7DXNu:61fWa6s/qSGAYPBbZbPtMAV7sAfymUwr
TLSH:	6E042934D6504B17C1D223BAA69B424E3F234F97A3D733095638BBB43FE279A0D62915
File Content Preview:	.ELF..............(.........4....2......4. ...(........p.....D...D.. ... ................................................................u..........................................Q.td..................................-...L..................G.F.G.F.G.F.G.

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x81d0
Flags:	0x4000002
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	5
Section Header Offset:	144048
Section Header Size:	40
Number of Section Headers:	29
Header String Table Index:	26

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Link	Info	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0	0	0
.init	PROGBITS	0x80d4	0xd4	0x10	0x0	0x6	AX	0	0	4
.text	PROGBITS	0x80f0	0xf0	0x17e40	0x0	0x6	AX	0	0	16
.fini	PROGBITS	0x1ff30	0x17f30	0x10	0x0	0x6	AX	0	0	4
.rodata	PROGBITS	0x1ff40	0x17f40	0x452c	0x0	0x2	A	0	0	8
.ARM.extab	PROGBITS	0x2446c	0x1c46c	0x18	0x0	0x2	A	0	0	4
.ARM.exidx	ARM_EXIDX	0x24484	0x1c484	0x120	0x0	0x82	AL	2	0	4
.eh_frame	PROGBITS	0x2c5a4	0x1c5a4	0x4	0x0	0x3	WA	0	0	4
.tbss	NOBITS	0x2c5a8	0x1c5a8	0x8	0x0	0x403	WAT	0	0	4
.init_array	INIT_ARRAY	0x2c5a8	0x1c5a8	0x4	0x0	0x3	WA	0	0	4
.fini_array	FINI_ARRAY	0x2c5ac	0x1c5ac	0x4	0x0	0x3	WA	0	0	4
.jcr	PROGBITS	0x2c5b0	0x1c5b0	0x4	0x0	0x3	WA	0	0	4
.got	PROGBITS	0x2c5b4	0x1c5b4	0xb0	0x4	0x3	WA	0	0	4
.data	PROGBITS	0x2c664	0x1c664	0x2cc	0x0	0x3	WA	0	0	4
.bss	NOBITS	0x2c930	0x1c930	0x7224	0x0	0x3	WA	0	0	8
.comment	PROGBITS	0x0	0x1c930	0xcf4	0x0	0x0		0	0	1
.debug_aranges	PROGBITS	0x0	0x1d628	0x140	0x0	0x0		0	0	8
.debug_pubnames	PROGBITS	0x0	0x1d768	0x213	0x0	0x0		0	0	1
.debug_info	PROGBITS	0x0	0x1d97b	0x2043	0x0	0x0		0	0	1
.debug_abbrev	PROGBITS	0x0	0x1f9be	0x6e2	0x0	0x0		0	0	1
.debug_line	PROGBITS	0x0	0x200a0	0xe76	0x0	0x0		0	0	1
.debug_frame	PROGBITS	0x0	0x20f18	0x2b8	0x0	0x0		0	0	4
.debug_str	PROGBITS	0x0	0x211d0	0x8ca	0x1	0x30	MS	0	0	1
.debug_loc	PROGBITS	0x0	0x21a9a	0x118f	0x0	0x0		0	0	1
.debug_ranges	PROGBITS	0x0	0x22c29	0x558	0x0	0x0		0	0	1
.ARM.attributes	ARM_ATTRIBUTES	0x0	0x23181	0x16	0x0	0x0		0	0	1
.shstrtab	STRTAB	0x0	0x23197	0x117	0x0	0x0		0	0	1
.symtab	SYMTAB	0x0	0x23738	0x5e70	0x10	0x0		28	838	4
.strtab	STRTAB	0x0	0x295a8	0x30d2	0x0	0x0		0	0	1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
EXIDX	0x1c484	0x24484	0x24484	0x120	0x120	4.3818	0x4	R	0x4	.ARM.exidx
LOAD	0x0	0x8000	0x8000	0x1c5a4	0x1c5a4	6.1989	0x5	R E	0x8000	.init .text .fini .rodata .ARM.extab .ARM.exidx
LOAD	0x1c5a4	0x2c5a4	0x2c5a4	0x38c	0x75b0	4.1884	0x6	RW	0x8000	.eh_frame .tbss .init_array .fini_array .jcr .got .data .bss
TLS	0x1c5a8	0x2c5a8	0x2c5a8	0x0	0x8	0.0000	0x4	R	0x4	.tbss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Symbols

Name	Section Name	Value	Size	Symbol Type	Symbol Bind	Symbol Visibility	Ndx
	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
	.symtab	0x80d4	0	SECTION	<unknown>	DEFAULT	1
	.symtab	0x80f0	0	SECTION	<unknown>	DEFAULT	2
	.symtab	0x1ff30	0	SECTION	<unknown>	DEFAULT	3
	.symtab	0x1ff40	0	SECTION	<unknown>	DEFAULT	4
	.symtab	0x2446c	0	SECTION	<unknown>	DEFAULT	5
	.symtab	0x24484	0	SECTION	<unknown>	DEFAULT	6
	.symtab	0x2c5a4	0	SECTION	<unknown>	DEFAULT	7
	.symtab	0x2c5a8	0	SECTION	<unknown>	DEFAULT	8
	.symtab	0x2c5a8	0	SECTION	<unknown>	DEFAULT	9
	.symtab	0x2c5ac	0	SECTION	<unknown>	DEFAULT	10
	.symtab	0x2c5b0	0	SECTION	<unknown>	DEFAULT	11
	.symtab	0x2c5b4	0	SECTION	<unknown>	DEFAULT	12
	.symtab	0x2c664	0	SECTION	<unknown>	DEFAULT	13
	.symtab	0x2c930	0	SECTION	<unknown>	DEFAULT	14
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	15
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	16
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	17
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	18
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	19
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	20
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	21
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	22
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	23
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	24
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	25
$a	.symtab	0x80d4	0	NOTYPE	<unknown>	DEFAULT	1
$a	.symtab	0x1ff30	0	NOTYPE	<unknown>	DEFAULT	3
$a	.symtab	0x80e0	0	NOTYPE	<unknown>	DEFAULT	1
$a	.symtab	0x1ff3c	0	NOTYPE	<unknown>	DEFAULT	3
$a	.symtab	0x812c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x8170	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x81d0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x820c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x8634	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x8780	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x8858	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x89b0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x8af4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x93e8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x97c8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x9950	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x9aa8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x9dd4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0xa0ac	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0xa4c8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0xa52c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0xb550	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0xbc28	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0xbd4c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0xc3e0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0xca90	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0xdadc	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0xe7b8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0xea74	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0xf3ac	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0xf440	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0xf514	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0xf69c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1013c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x10320	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1036c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x103b8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x10424	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x104b0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x10638	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1144c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11560	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11574	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1160c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11700	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11768	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x117a8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x117e8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11814	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11828	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1183c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11874	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11954	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1198c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x119cc	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11a10	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11a54	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11ad8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11b64	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11b94	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11c10	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11c40	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11c60	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11c94	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11cc8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11d98	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x12564	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x12604	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x12648	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x127f8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1284c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x12dbc	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x12df4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x12eb0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x12ec0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x12ed0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x12ee0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x12f80	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x12fa0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x13000	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x130f0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x13114	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x131d0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1329c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x13398	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x133b0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x134bc	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x134ec	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1354c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x13574	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x13590	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x13600	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x13644	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x136b8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x136fc	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x13744	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x13788	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x137f8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x13840	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x138c8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1390c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1397c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x139c8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x13a50	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x13a98	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x13adc	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x13b2c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x13b40	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x13c04	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x13c70	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x14620	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x14760	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x14b20	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x14fc0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x15000	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x15128	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x15140	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x151e4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1529c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1535c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x15400	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x15490	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x15568	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x15660	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1574c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1576c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x15788	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x15960	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x15a24	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x15ad0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x15c1c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x16240	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x16290	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x16300	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x166cc	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x16764	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x167c8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x16950	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x16998	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x16a88	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x16bc4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x16c1c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x16c24	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x16c54	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x16cac	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x16cb4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x16ce4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x16d3c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x16d44	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x16d74	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x16dcc	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x16dd4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x16e00	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x16e88	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x16f64	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x17024	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x17078	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x170d0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x174bc	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x17538	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x17564	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x175ec	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x175f4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x17600	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x17610	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x17620	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x17660	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x176a0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x176b4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x176c8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x176f0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x17730	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x17744	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x17788	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x177c8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x17808	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x17868	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x178d4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x178e8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x17920	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x17a30	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x17b00	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x17bc4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x17c74	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x17d60	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x18104	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x18158	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1817c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x18238	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x18568	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x18588	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x189e8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x18b28	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x18ba8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x18d0c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x18de8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x18e18	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x18e8c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x18eb8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x19014	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x19808	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1994c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x19a68	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x19d18	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1a0c4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1a1f0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1a290	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1a720	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1a810	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1a8f0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1a9dc	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1aa20	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1aa70	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1aabc	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1ab34	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1ab74	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1ab98	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1ac14	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1ad0c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1afe0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1b058	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1b0c0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1b314	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1b320	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1b358	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1b3b0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1b408	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1b414	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1b478	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1b5f0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1b738	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1b75c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1b91c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1b974	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1ba50	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1bb18	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1bb48	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1bbec	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1bc28	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1bc4c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1bcfc	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1bff4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1c144	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1c3e0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1c4d8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1cce8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1cd3c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1cd94	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1d1f0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1d288	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1d2d4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1d618	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1d658	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1d6dc	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1d71c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1d790	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1d7f4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1d834	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1d8b0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1d8c0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1d8f4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1d9e0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1da94	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1daf4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1db24	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1dd3c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1dda8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1de54	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1df98	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1e3b4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1e850	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1e990	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1e9e4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1ea30	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1ea7c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1ea84	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1ea88	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1eab4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1eac0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1eacc	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1ecec	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1ee3c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1ee58	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1eeb8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1ef24	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1efdc	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1effc	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1f140	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1f688	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1f690	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1f698	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1f6a0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1f75c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1f7a0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1feb4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1fefc	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x8164	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x2c5ac	0	NOTYPE	<unknown>	DEFAULT	10
$d	.symtab	0x81bc	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x2c5a8	0	NOTYPE	<unknown>	DEFAULT	9
$d	.symtab	0x2c668	0	NOTYPE	<unknown>	DEFAULT	13
$d	.symtab	0x8200	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x2c66c	0	NOTYPE	<unknown>	DEFAULT	13
$d	.symtab	0x877c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x8850	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x89ac	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x8ae8	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x93e4	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x97b8	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x994c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x20c34	0	NOTYPE	<unknown>	DEFAULT	4
$d	.symtab	0x9aa4	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x9dd0	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0xa0a8	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0xa4c0	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0xa528	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0xb534	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0xbc20	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0xbd48	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0xc3dc	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0xca64	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0xda88	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0xe798	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0xea60	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0xf37c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0xf430	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0xf504	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0xf698	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x2c720	0	NOTYPE	<unknown>	DEFAULT	13
$d	.symtab	0x102c4	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x10368	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x103b4	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x10420	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x104ac	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x10630	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	21
$d	.symtab	0x20	0	NOTYPE	<unknown>	DEFAULT	21
$d	.symtab	0x26	0	NOTYPE	<unknown>	DEFAULT	21
$d	.symtab	0x11604	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x116f0	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x11760	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x117a4	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x117e4	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x11870	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x11944	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x11988	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x119c8	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x11a0c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x11a50	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x11ad0	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x11b60	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x11c08	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x11c38	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x2c724	0	NOTYPE	<unknown>	DEFAULT	13
$d	.symtab	0x22d78	0	NOTYPE	<unknown>	DEFAULT	4
$d	.symtab	0x2c72c	0	NOTYPE	<unknown>	DEFAULT	13
$d	.symtab	0x23078	0	NOTYPE	<unknown>	DEFAULT	4
$d	.symtab	0x11c5c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x11c90	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x11d90	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x12540	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x233a0	0	NOTYPE	<unknown>	DEFAULT	4
$d	.symtab	0x127f4	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x12840	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x12d8c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x2c734	0	NOTYPE	<unknown>	DEFAULT	13
$d	.symtab	0x233a8	0	NOTYPE	<unknown>	DEFAULT	4
$d	.symtab	0x12eac	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x130e8	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x13294	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x134ac	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x2342c	0	NOTYPE	<unknown>	DEFAULT	4
$d	.symtab	0x134e4	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x135f0	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1363c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x136b0	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x136f4	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1373c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x13780	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x137f0	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1383c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x138c0	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x13904	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x13974	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x139c0	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x13a48	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x13a90	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x13ad4	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x13b28	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x13bf8	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x145fc	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x2c738	0	NOTYPE	<unknown>	DEFAULT	13
$d	.symtab	0x14744	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x14b00	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x14fa4	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x14ff8	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x15114	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x2c750	0	NOTYPE	<unknown>	DEFAULT	13
$d	.symtab	0x151c8	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x15280	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x15340	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x153e4	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x2c768	0	NOTYPE	<unknown>	DEFAULT	13
$d	.symtab	0x2c800	0	NOTYPE	<unknown>	DEFAULT	13
$d	.symtab	0x1548c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1555c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x15650	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x15740	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x23f98	0	NOTYPE	<unknown>	DEFAULT	4
$d	.symtab	0x15950	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x15a04	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x2c814	0	NOTYPE	<unknown>	DEFAULT	13
$d	.symtab	0x15ac8	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x15bf8	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x16214	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1628c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x166a4	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x167c0	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x16940	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x16a7c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x16ba8	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x16bc0	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x16c50	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x16ce0	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x16d70	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x16f5c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x17010	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x17070	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x170c4	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x17470	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x2c82c	0	NOTYPE	<unknown>	DEFAULT	13
$d	.symtab	0x17530	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x17560	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x175e0	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1765c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1769c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x176e8	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1772c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x17784	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x177c4	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x17804	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x17860	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x178cc	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1791c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x17a14	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x17af8	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x17bb8	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x17c6c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x2402c	0	NOTYPE	<unknown>	DEFAULT	4
$d	.symtab	0x17d4c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x180fc	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x18234	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x18558	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x189b4	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x18b98	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x18cf0	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x2c83c	0	NOTYPE	<unknown>	DEFAULT	13
$d	.symtab	0x2c838	0	NOTYPE	<unknown>	DEFAULT	13
$d	.symtab	0x18de4	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x197e8	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x24090	0	NOTYPE	<unknown>	DEFAULT	4
$d	.symtab	0x19cfc	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1a0ac	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1a1e8	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1a808	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1a8e8	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1a9d4	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1ac10	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1ad04	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1afcc	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1b040	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1b0b0	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1b2ec	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1b34c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x2c920	0	NOTYPE	<unknown>	DEFAULT	13
$d	.symtab	0x1b3fc	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1b474	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1b730	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1b918	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1ba4c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1bb14	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1bbe8	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1bcf4	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1bfe4	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1c140	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1c3cc	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1cca0	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x2c924	0	NOTYPE	<unknown>	DEFAULT	13
$d	.symtab	0x1cd34	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1cd8c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1d1a8	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x2c926	0	NOTYPE	<unknown>	DEFAULT	13
$d	.symtab	0x2414c	0	NOTYPE	<unknown>	DEFAULT	4
$d	.symtab	0x1d270	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1d600	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1d6d8	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1d718	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1d788	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1d7f0	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1d830	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1d8a0	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1db1c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1dd2c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1dda0	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x2c928	0	NOTYPE	<unknown>	DEFAULT	13
$d	.symtab	0x2416c	0	NOTYPE	<unknown>	DEFAULT	4
$d	.symtab	0x2c	0	NOTYPE	<unknown>	DEFAULT	21
$d	.symtab	0x4c	0	NOTYPE	<unknown>	DEFAULT	21
$d	.symtab	0x53	0	NOTYPE	<unknown>	DEFAULT	21
$d	.symtab	0x1ecd0	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1f678	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x58	0	NOTYPE	<unknown>	DEFAULT	21
$d	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	23
$d	.symtab	0x23c	0	NOTYPE	<unknown>	DEFAULT	21
$d	.symtab	0xe39	0	NOTYPE	<unknown>	DEFAULT	23
$t	.symtab	0x80f0	0	NOTYPE	<unknown>	DEFAULT	2
C.11.5548	.symtab	0x24008	12	OBJECT	<unknown>	DEFAULT	4
C.147.6272	.symtab	0x22354	40	OBJECT	<unknown>	DEFAULT	4
C.177.6553	.symtab	0x223c0	16	OBJECT	<unknown>	DEFAULT	4
C.178.6554	.symtab	0x22394	20	OBJECT	<unknown>	DEFAULT	4
C.5.5083	.symtab	0x2402c	24	OBJECT	<unknown>	DEFAULT	4
C.7.5370	.symtab	0x24014	12	OBJECT	<unknown>	DEFAULT	4
C.7.6078	.symtab	0x23378	12	OBJECT	<unknown>	DEFAULT	4
C.7.6109	.symtab	0x24068	12	OBJECT	<unknown>	DEFAULT	4
C.7.6182	.symtab	0x24044	12	OBJECT	<unknown>	DEFAULT	4
C.8.6110	.symtab	0x2405c	12	OBJECT	<unknown>	DEFAULT	4
C.9.6119	.symtab	0x24050	12	OBJECT	<unknown>	DEFAULT	4
KHcommSOCK	.symtab	0x2c950	4	OBJECT	<unknown>	DEFAULT	14
KHserverHACKER	.symtab	0x2c710	4	OBJECT	<unknown>	DEFAULT	13
LOCAL_ADDR	.symtab	0x33640	4	OBJECT	<unknown>	DEFAULT	14
Laligned	.symtab	0x12fc8	0	NOTYPE	<unknown>	DEFAULT	2
Llastword	.symtab	0x12fe4	0	NOTYPE	<unknown>	DEFAULT	2
Q	.symtab	0x2c96c	16384	OBJECT	<unknown>	DEFAULT	14
UserAgents	.symtab	0x2c680	144	OBJECT	<unknown>	DEFAULT	13
_Exit	.symtab	0x11700	104	FUNC	<unknown>	DEFAULT	2
_GLOBAL_OFFSET_TABLE_	.symtab	0x2c5b4	0	OBJECT	<unknown>	HIDDEN	12
_Jv_RegisterClasses	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
_READ.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_Unwind_Complete	.symtab	0x1ea84	4	FUNC	<unknown>	HIDDEN	2
_Unwind_DeleteException	.symtab	0x1ea88	44	FUNC	<unknown>	HIDDEN	2
_Unwind_ForcedUnwind	.symtab	0x1f738	36	FUNC	<unknown>	HIDDEN	2
_Unwind_GetCFA	.symtab	0x1ea7c	8	FUNC	<unknown>	HIDDEN	2
_Unwind_GetDataRelBase	.symtab	0x1eac0	12	FUNC	<unknown>	HIDDEN	2
_Unwind_GetLanguageSpecificData	.symtab	0x1f75c	68	FUNC	<unknown>	HIDDEN	2
_Unwind_GetRegionStart	.symtab	0x1fefc	52	FUNC	<unknown>	HIDDEN	2
_Unwind_GetTextRelBase	.symtab	0x1eab4	12	FUNC	<unknown>	HIDDEN	2
_Unwind_RaiseException	.symtab	0x1f6cc	36	FUNC	<unknown>	HIDDEN	2
_Unwind_Resume	.symtab	0x1f6f0	36	FUNC	<unknown>	HIDDEN	2
_Unwind_Resume_or_Rethrow	.symtab	0x1f714	36	FUNC	<unknown>	HIDDEN	2
_Unwind_VRS_Get	.symtab	0x1e9e4	76	FUNC	<unknown>	HIDDEN	2
_Unwind_VRS_Pop	.symtab	0x1effc	324	FUNC	<unknown>	HIDDEN	2
_Unwind_VRS_Set	.symtab	0x1ea30	76	FUNC	<unknown>	HIDDEN	2
_WRITE.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__C_ctype_b	.symtab	0x2c724	4	OBJECT	<unknown>	DEFAULT	13
__C_ctype_b.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__C_ctype_b_data	.symtab	0x22d78	768	OBJECT	<unknown>	DEFAULT	4
__C_ctype_tolower	.symtab	0x2c928	4	OBJECT	<unknown>	DEFAULT	13
__C_ctype_tolower.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__C_ctype_tolower_data	.symtab	0x2416c	768	OBJECT	<unknown>	DEFAULT	4
__C_ctype_toupper	.symtab	0x2c72c	4	OBJECT	<unknown>	DEFAULT	13
__C_ctype_toupper.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__C_ctype_toupper_data	.symtab	0x23078	768	OBJECT	<unknown>	DEFAULT	4
__EH_FRAME_BEGIN__	.symtab	0x2c5a4	0	OBJECT	<unknown>	DEFAULT	7
__FRAME_END__	.symtab	0x2c5a4	0	OBJECT	<unknown>	DEFAULT	7
__GI___C_ctype_b	.symtab	0x2c724	4	OBJECT	<unknown>	HIDDEN	13
__GI___C_ctype_tolower	.symtab	0x2c928	4	OBJECT	<unknown>	HIDDEN	13
__GI___C_ctype_toupper	.symtab	0x2c72c	4	OBJECT	<unknown>	HIDDEN	13
__GI___close	.symtab	0x16be0	100	FUNC	<unknown>	HIDDEN	2
__GI___close_nocancel	.symtab	0x16bc4	24	FUNC	<unknown>	HIDDEN	2
__GI___ctype_b	.symtab	0x2c728	4	OBJECT	<unknown>	HIDDEN	13
__GI___ctype_tolower	.symtab	0x2c92c	4	OBJECT	<unknown>	HIDDEN	13
__GI___ctype_toupper	.symtab	0x2c730	4	OBJECT	<unknown>	HIDDEN	13
__GI___errno_location	.symtab	0x11c40	32	FUNC	<unknown>	HIDDEN	2
__GI___fcntl_nocancel	.symtab	0x11574	152	FUNC	<unknown>	HIDDEN	2
__GI___fgetc_unlocked	.symtab	0x1a0c4	300	FUNC	<unknown>	HIDDEN	2
__GI___glibc_strerror_r	.symtab	0x13398	24	FUNC	<unknown>	HIDDEN	2
__GI___libc_close	.symtab	0x16be0	100	FUNC	<unknown>	HIDDEN	2
__GI___libc_fcntl	.symtab	0x1160c	244	FUNC	<unknown>	HIDDEN	2
__GI___libc_open	.symtab	0x16c70	100	FUNC	<unknown>	HIDDEN	2
__GI___libc_read	.symtab	0x16d90	100	FUNC	<unknown>	HIDDEN	2
__GI___libc_write	.symtab	0x16d00	100	FUNC	<unknown>	HIDDEN	2
__GI___open	.symtab	0x16c70	100	FUNC	<unknown>	HIDDEN	2
__GI___open_nocancel	.symtab	0x16c54	24	FUNC	<unknown>	HIDDEN	2
__GI___read	.symtab	0x16d90	100	FUNC	<unknown>	HIDDEN	2
__GI___read_nocancel	.symtab	0x16d74	24	FUNC	<unknown>	HIDDEN	2
__GI___register_atfork	.symtab	0x167c8	392	FUNC	<unknown>	HIDDEN	2
__GI___sigaddset	.symtab	0x13c28	36	FUNC	<unknown>	HIDDEN	2
__GI___sigdelset	.symtab	0x13c4c	36	FUNC	<unknown>	HIDDEN	2
__GI___sigismember	.symtab	0x13c04	36	FUNC	<unknown>	HIDDEN	2
__GI___uClibc_fini	.symtab	0x16fa8	124	FUNC	<unknown>	HIDDEN	2
__GI___uClibc_init	.symtab	0x17078	88	FUNC	<unknown>	HIDDEN	2
__GI___write	.symtab	0x16d00	100	FUNC	<unknown>	HIDDEN	2
__GI___write_nocancel	.symtab	0x16ce4	24	FUNC	<unknown>	HIDDEN	2
__GI___xpg_strerror_r	.symtab	0x133b0	268	FUNC	<unknown>	HIDDEN	2
__GI__exit	.symtab	0x11700	104	FUNC	<unknown>	HIDDEN	2
__GI_abort	.symtab	0x15000	296	FUNC	<unknown>	HIDDEN	2
__GI_atoi	.symtab	0x1574c	32	FUNC	<unknown>	HIDDEN	2
__GI_brk	.symtab	0x1b3b0	88	FUNC	<unknown>	HIDDEN	2
__GI_close	.symtab	0x16be0	100	FUNC	<unknown>	HIDDEN	2
__GI_closedir	.symtab	0x17920	272	FUNC	<unknown>	HIDDEN	2
__GI_config_close	.symtab	0x18088	52	FUNC	<unknown>	HIDDEN	2
__GI_config_open	.symtab	0x180bc	72	FUNC	<unknown>	HIDDEN	2
__GI_config_read	.symtab	0x17d60	808	FUNC	<unknown>	HIDDEN	2
__GI_connect	.symtab	0x13644	116	FUNC	<unknown>	HIDDEN	2
__GI_dup2	.symtab	0x117a8	64	FUNC	<unknown>	HIDDEN	2
__GI_execl	.symtab	0x15a24	172	FUNC	<unknown>	HIDDEN	2
__GI_execve	.symtab	0x17660	64	FUNC	<unknown>	HIDDEN	2
__GI_exit	.symtab	0x15960	196	FUNC	<unknown>	HIDDEN	2
__GI_fclose	.symtab	0x18238	816	FUNC	<unknown>	HIDDEN	2
__GI_fcntl	.symtab	0x1160c	244	FUNC	<unknown>	HIDDEN	2
__GI_fflush_unlocked	.symtab	0x19d18	940	FUNC	<unknown>	HIDDEN	2
__GI_fgetc	.symtab	0x19808	324	FUNC	<unknown>	HIDDEN	2
__GI_fgetc_unlocked	.symtab	0x1a0c4	300	FUNC	<unknown>	HIDDEN	2
__GI_fgets	.symtab	0x1994c	284	FUNC	<unknown>	HIDDEN	2
__GI_fgets_unlocked	.symtab	0x1a1f0	160	FUNC	<unknown>	HIDDEN	2
__GI_fopen	.symtab	0x18568	32	FUNC	<unknown>	HIDDEN	2
__GI_fork	.symtab	0x16300	972	FUNC	<unknown>	HIDDEN	2
__GI_fputs_unlocked	.symtab	0x12dbc	56	FUNC	<unknown>	HIDDEN	2
__GI_fseek	.symtab	0x1b738	36	FUNC	<unknown>	HIDDEN	2
__GI_fseeko64	.symtab	0x1b75c	448	FUNC	<unknown>	HIDDEN	2
__GI_fstat	.symtab	0x1b414	100	FUNC	<unknown>	HIDDEN	2
__GI_fwrite_unlocked	.symtab	0x12df4	188	FUNC	<unknown>	HIDDEN	2
__GI_getc_unlocked	.symtab	0x1a0c4	300	FUNC	<unknown>	HIDDEN	2
__GI_getdtablesize	.symtab	0x117e8	44	FUNC	<unknown>	HIDDEN	2
__GI_getegid	.symtab	0x176a0	20	FUNC	<unknown>	HIDDEN	2
__GI_geteuid	.symtab	0x11814	20	FUNC	<unknown>	HIDDEN	2
__GI_getgid	.symtab	0x176b4	20	FUNC	<unknown>	HIDDEN	2
__GI_gethostbyname	.symtab	0x13574	28	FUNC	<unknown>	HIDDEN	2
__GI_gethostbyname2	.symtab	0x13590	112	FUNC	<unknown>	HIDDEN	2
__GI_gethostbyname2_r	.symtab	0x1ad0c	724	FUNC	<unknown>	HIDDEN	2
__GI_gethostbyname_r	.symtab	0x1d2d4	836	FUNC	<unknown>	HIDDEN	2
__GI_gethostname	.symtab	0x1d658	132	FUNC	<unknown>	HIDDEN	2
__GI_getpagesize	.symtab	0x176c8	40	FUNC	<unknown>	HIDDEN	2
__GI_getpid	.symtab	0x16950	72	FUNC	<unknown>	HIDDEN	2
__GI_getrlimit	.symtab	0x1183c	56	FUNC	<unknown>	HIDDEN	2
__GI_getsockname	.symtab	0x136b8	68	FUNC	<unknown>	HIDDEN	2
__GI_gettimeofday	.symtab	0x176f0	64	FUNC	<unknown>	HIDDEN	2
__GI_getuid	.symtab	0x17730	20	FUNC	<unknown>	HIDDEN	2
__GI_htonl	.symtab	0x134fc	32	FUNC	<unknown>	HIDDEN	2
__GI_htons	.symtab	0x134ec	16	FUNC	<unknown>	HIDDEN	2
__GI_inet_addr	.symtab	0x1354c	40	FUNC	<unknown>	HIDDEN	2
__GI_inet_aton	.symtab	0x1ac14	248	FUNC	<unknown>	HIDDEN	2
__GI_inet_ntop	.symtab	0x1c144	668	FUNC	<unknown>	HIDDEN	2
__GI_inet_pton	.symtab	0x1bdcc	552	FUNC	<unknown>	HIDDEN	2
__GI_initstate_r	.symtab	0x15568	248	FUNC	<unknown>	HIDDEN	2
__GI_ioctl	.symtab	0x11874	224	FUNC	<unknown>	HIDDEN	2
__GI_isatty	.symtab	0x1ab74	36	FUNC	<unknown>	HIDDEN	2
__GI_kill	.symtab	0x11954	56	FUNC	<unknown>	HIDDEN	2
__GI_lseek64	.symtab	0x1d834	112	FUNC	<unknown>	HIDDEN	2
__GI_memchr	.symtab	0x1a720	240	FUNC	<unknown>	HIDDEN	2
__GI_memcpy	.symtab	0x12ed0	4	FUNC	<unknown>	HIDDEN	2
__GI_memmove	.symtab	0x1d8b0	4	FUNC	<unknown>	HIDDEN	2
__GI_mempcpy	.symtab	0x1bc28	36	FUNC	<unknown>	HIDDEN	2
__GI_memrchr	.symtab	0x1a810	224	FUNC	<unknown>	HIDDEN	2
__GI_memset	.symtab	0x12ee0	156	FUNC	<unknown>	HIDDEN	2
__GI_mmap	.symtab	0x174bc	124	FUNC	<unknown>	HIDDEN	2
__GI_mremap	.symtab	0x17744	68	FUNC	<unknown>	HIDDEN	2
__GI_munmap	.symtab	0x17788	64	FUNC	<unknown>	HIDDEN	2
__GI_nanosleep	.symtab	0x17808	96	FUNC	<unknown>	HIDDEN	2
__GI_ntohl	.symtab	0x1352c	32	FUNC	<unknown>	HIDDEN	2
__GI_ntohs	.symtab	0x1351c	16	FUNC	<unknown>	HIDDEN	2
__GI_open	.symtab	0x16c70	100	FUNC	<unknown>	HIDDEN	2
__GI_opendir	.symtab	0x17b00	196	FUNC	<unknown>	HIDDEN	2
__GI_pipe	.symtab	0x1198c	64	FUNC	<unknown>	HIDDEN	2
__GI_poll	.symtab	0x1d71c	116	FUNC	<unknown>	HIDDEN	2
__GI_raise	.symtab	0x16998	240	FUNC	<unknown>	HIDDEN	2
__GI_random	.symtab	0x15140	164	FUNC	<unknown>	HIDDEN	2
__GI_random_r	.symtab	0x15400	144	FUNC	<unknown>	HIDDEN	2
__GI_rawmemchr	.symtab	0x1bc4c	176	FUNC	<unknown>	HIDDEN	2
__GI_read	.symtab	0x16d90	100	FUNC	<unknown>	HIDDEN	2
__GI_readdir64	.symtab	0x17c74	236	FUNC	<unknown>	HIDDEN	2
__GI_recv	.symtab	0x13788	112	FUNC	<unknown>	HIDDEN	2
__GI_recvfrom	.symtab	0x13840	136	FUNC	<unknown>	HIDDEN	2
__GI_sbrk	.symtab	0x17868	108	FUNC	<unknown>	HIDDEN	2
__GI_select	.symtab	0x11a54	132	FUNC	<unknown>	HIDDEN	2
__GI_send	.symtab	0x1390c	112	FUNC	<unknown>	HIDDEN	2
__GI_sendto	.symtab	0x139c8	136	FUNC	<unknown>	HIDDEN	2
__GI_setsockopt	.symtab	0x13a50	72	FUNC	<unknown>	HIDDEN	2
__GI_setstate_r	.symtab	0x15660	236	FUNC	<unknown>	HIDDEN	2
__GI_sigaction	.symtab	0x17564	136	FUNC	<unknown>	HIDDEN	2
__GI_sigaddset	.symtab	0x13adc	80	FUNC	<unknown>	HIDDEN	2
__GI_sigemptyset	.symtab	0x13b2c	20	FUNC	<unknown>	HIDDEN	2
__GI_signal	.symtab	0x13b40	196	FUNC	<unknown>	HIDDEN	2
__GI_sigprocmask	.symtab	0x11ad8	140	FUNC	<unknown>	HIDDEN	2
__GI_sleep	.symtab	0x16a88	300	FUNC	<unknown>	HIDDEN	2
__GI_socket	.symtab	0x13a98	68	FUNC	<unknown>	HIDDEN	2
__GI_sprintf	.symtab	0x11c94	52	FUNC	<unknown>	HIDDEN	2
__GI_srandom_r	.symtab	0x15490	216	FUNC	<unknown>	HIDDEN	2
__GI_stat	.symtab	0x1d790	100	FUNC	<unknown>	HIDDEN	2
__GI_strcasecmp	.symtab	0x1dd3c	108	FUNC	<unknown>	HIDDEN	2
__GI_strchr	.symtab	0x13000	240	FUNC	<unknown>	HIDDEN	2
__GI_strchrnul	.symtab	0x1a8f0	236	FUNC	<unknown>	HIDDEN	2
__GI_strcmp	.symtab	0x12f80	28	FUNC	<unknown>	HIDDEN	2
__GI_strcoll	.symtab	0x12f80	28	FUNC	<unknown>	HIDDEN	2
__GI_strcpy	.symtab	0x130f0	36	FUNC	<unknown>	HIDDEN	2
__GI_strcspn	.symtab	0x1a9dc	68	FUNC	<unknown>	HIDDEN	2
__GI_strdup	.symtab	0x1d8c0	52	FUNC	<unknown>	HIDDEN	2
__GI_strlen	.symtab	0x12fa0	96	FUNC	<unknown>	HIDDEN	2
__GI_strncpy	.symtab	0x13114	188	FUNC	<unknown>	HIDDEN	2
__GI_strnlen	.symtab	0x131d0	204	FUNC	<unknown>	HIDDEN	2
__GI_strpbrk	.symtab	0x1ab34	64	FUNC	<unknown>	HIDDEN	2
__GI_strrchr	.symtab	0x1aa20	80	FUNC	<unknown>	HIDDEN	2
__GI_strspn	.symtab	0x1aa70	76	FUNC	<unknown>	HIDDEN	2
__GI_strstr	.symtab	0x1329c	252	FUNC	<unknown>	HIDDEN	2
__GI_strtok	.symtab	0x134bc	48	FUNC	<unknown>	HIDDEN	2
__GI_strtok_r	.symtab	0x1aabc	120	FUNC	<unknown>	HIDDEN	2
__GI_strtol	.symtab	0x1576c	28	FUNC	<unknown>	HIDDEN	2
__GI_sysconf	.symtab	0x15c1c	1572	FUNC	<unknown>	HIDDEN	2
__GI_tcgetattr	.symtab	0x1ab98	124	FUNC	<unknown>	HIDDEN	2
__GI_time	.symtab	0x11b64	48	FUNC	<unknown>	HIDDEN	2
__GI_times	.symtab	0x178d4	20	FUNC	<unknown>	HIDDEN	2
__GI_toupper	.symtab	0x11c10	48	FUNC	<unknown>	HIDDEN	2
__GI_uname	.symtab	0x1d7f4	64	FUNC	<unknown>	HIDDEN	2
__GI_vfork	.symtab	0x16290	112	FUNC	<unknown>	HIDDEN	2
__GI_vsnprintf	.symtab	0x11cc8	208	FUNC	<unknown>	HIDDEN	2
__GI_wait4	.symtab	0x178e8	56	FUNC	<unknown>	HIDDEN	2
__GI_waitpid	.symtab	0x11b94	124	FUNC	<unknown>	HIDDEN	2
__GI_wcrtomb	.symtab	0x18104	84	FUNC	<unknown>	HIDDEN	2
__GI_wcsnrtombs	.symtab	0x1817c	188	FUNC	<unknown>	HIDDEN	2
__GI_wcsrtombs	.symtab	0x18158	36	FUNC	<unknown>	HIDDEN	2
__GI_write	.symtab	0x16d00	100	FUNC	<unknown>	HIDDEN	2
__JCR_END__	.symtab	0x2c5b0	0	OBJECT	<unknown>	DEFAULT	11
__JCR_LIST__	.symtab	0x2c5b0	0	OBJECT	<unknown>	DEFAULT	11
___Unwind_ForcedUnwind	.symtab	0x1f738	36	FUNC	<unknown>	HIDDEN	2
___Unwind_RaiseException	.symtab	0x1f6cc	36	FUNC	<unknown>	HIDDEN	2
___Unwind_Resume	.symtab	0x1f6f0	36	FUNC	<unknown>	HIDDEN	2
___Unwind_Resume_or_Rethrow	.symtab	0x1f714	36	FUNC	<unknown>	HIDDEN	2
__adddf3	.symtab	0x1dfa4	784	FUNC	<unknown>	HIDDEN	2
__aeabi_cdcmpeq	.symtab	0x1e900	24	FUNC	<unknown>	HIDDEN	2
__aeabi_cdcmple	.symtab	0x1e900	24	FUNC	<unknown>	HIDDEN	2
__aeabi_cdrcmple	.symtab	0x1e8e4	52	FUNC	<unknown>	HIDDEN	2
__aeabi_d2uiz	.symtab	0x1e990	84	FUNC	<unknown>	HIDDEN	2
__aeabi_dadd	.symtab	0x1dfa4	784	FUNC	<unknown>	HIDDEN	2
__aeabi_dcmpeq	.symtab	0x1e918	24	FUNC	<unknown>	HIDDEN	2
__aeabi_dcmpge	.symtab	0x1e960	24	FUNC	<unknown>	HIDDEN	2
__aeabi_dcmpgt	.symtab	0x1e978	24	FUNC	<unknown>	HIDDEN	2
__aeabi_dcmple	.symtab	0x1e948	24	FUNC	<unknown>	HIDDEN	2
__aeabi_dcmplt	.symtab	0x1e930	24	FUNC	<unknown>	HIDDEN	2
__aeabi_ddiv	.symtab	0x1e644	524	FUNC	<unknown>	HIDDEN	2
__aeabi_dmul	.symtab	0x1e3b4	656	FUNC	<unknown>	HIDDEN	2
__aeabi_drsub	.symtab	0x1df98	0	FUNC	<unknown>	HIDDEN	2
__aeabi_dsub	.symtab	0x1dfa0	788	FUNC	<unknown>	HIDDEN	2
__aeabi_f2d	.symtab	0x1e300	64	FUNC	<unknown>	HIDDEN	2
__aeabi_i2d	.symtab	0x1e2d8	40	FUNC	<unknown>	HIDDEN	2
__aeabi_idiv	.symtab	0x1de54	0	FUNC	<unknown>	HIDDEN	2
__aeabi_idivmod	.symtab	0x1df80	24	FUNC	<unknown>	HIDDEN	2
__aeabi_l2d	.symtab	0x1e354	96	FUNC	<unknown>	HIDDEN	2
__aeabi_read_tp	.symtab	0x17610	8	FUNC	<unknown>	DEFAULT	2
__aeabi_ui2d	.symtab	0x1e2b4	36	FUNC	<unknown>	HIDDEN	2
__aeabi_uidiv	.symtab	0x1144c	0	FUNC	<unknown>	HIDDEN	2
__aeabi_uidivmod	.symtab	0x11548	24	FUNC	<unknown>	HIDDEN	2
__aeabi_ul2d	.symtab	0x1e340	116	FUNC	<unknown>	HIDDEN	2
__aeabi_unwind_cpp_pr0	.symtab	0x1f698	8	FUNC	<unknown>	HIDDEN	2
__aeabi_unwind_cpp_pr1	.symtab	0x1f690	8	FUNC	<unknown>	HIDDEN	2
__aeabi_unwind_cpp_pr2	.symtab	0x1f688	8	FUNC	<unknown>	HIDDEN	2
__app_fini	.symtab	0x310b8	4	OBJECT	<unknown>	HIDDEN	14
__atexit_lock	.symtab	0x2c814	24	OBJECT	<unknown>	DEFAULT	13
__bss_end__	.symtab	0x33b54	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
__bss_start	.symtab	0x2c930	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
__bss_start__	.symtab	0x2c930	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
__check_one_fd	.symtab	0x17024	84	FUNC	<unknown>	DEFAULT	2
__close	.symtab	0x16be0	100	FUNC	<unknown>	DEFAULT	2
__close_nameservers	.symtab	0x1d1f0	152	FUNC	<unknown>	HIDDEN	2
__close_nocancel	.symtab	0x16bc4	24	FUNC	<unknown>	DEFAULT	2
__cmpdf2	.symtab	0x1e860	132	FUNC	<unknown>	HIDDEN	2
__ctype_b	.symtab	0x2c728	4	OBJECT	<unknown>	DEFAULT	13
__ctype_tolower	.symtab	0x2c92c	4	OBJECT	<unknown>	DEFAULT	13
__ctype_toupper	.symtab	0x2c730	4	OBJECT	<unknown>	DEFAULT	13
__curbrk	.symtab	0x3361c	4	OBJECT	<unknown>	HIDDEN	14
__cxa_begin_cleanup	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__cxa_call_unexpected	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__cxa_type_match	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__data_start	.symtab	0x2c664	0	NOTYPE	<unknown>	DEFAULT	13
__decode_dotted	.symtab	0x1c3e0	248	FUNC	<unknown>	HIDDEN	2
__decode_header	.symtab	0x1d9e0	180	FUNC	<unknown>	HIDDEN	2
__default_rt_sa_restorer	.symtab	0x17604	0	FUNC	<unknown>	DEFAULT	2
__default_sa_restorer	.symtab	0x175f8	0	FUNC	<unknown>	DEFAULT	2
__deregister_frame_info	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__div0	.symtab	0x11560	20	FUNC	<unknown>	HIDDEN	2
__divdf3	.symtab	0x1e644	524	FUNC	<unknown>	HIDDEN	2
__divsi3	.symtab	0x1de54	300	FUNC	<unknown>	HIDDEN	2
__dns_lookup	.symtab	0x1c4d8	2064	FUNC	<unknown>	HIDDEN	2
__do_global_dtors_aux	.symtab	0x812c	0	FUNC	<unknown>	DEFAULT	2
__do_global_dtors_aux_fini_array_entry	.symtab	0x2c5ac	0	OBJECT	<unknown>	DEFAULT	10
__dso_handle	.symtab	0x2c664	0	OBJECT	<unknown>	HIDDEN	13
__encode_dotted	.symtab	0x1dda8	172	FUNC	<unknown>	HIDDEN	2
__encode_header	.symtab	0x1d8f4	236	FUNC	<unknown>	HIDDEN	2
__encode_question	.symtab	0x1da94	96	FUNC	<unknown>	HIDDEN	2
__end__	.symtab	0x33b54	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
__environ	.symtab	0x310b0	4	OBJECT	<unknown>	DEFAULT	14
__eqdf2	.symtab	0x1e860	132	FUNC	<unknown>	HIDDEN	2
__errno_location	.symtab	0x11c40	32	FUNC	<unknown>	DEFAULT	2
__errno_location.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__error	.symtab	0x162fc	0	NOTYPE	<unknown>	DEFAULT	2
__exidx_end	.symtab	0x245a4	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
__exidx_start	.symtab	0x24484	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
__exit_cleanup	.symtab	0x30b60	4	OBJECT	<unknown>	HIDDEN	14
__extendsfdf2	.symtab	0x1e300	64	FUNC	<unknown>	HIDDEN	2
__fcntl_nocancel	.symtab	0x11574	152	FUNC	<unknown>	DEFAULT	2
__fgetc_unlocked	.symtab	0x1a0c4	300	FUNC	<unknown>	DEFAULT	2
__fini_array_end	.symtab	0x2c5b0	0	NOTYPE	<unknown>	HIDDEN	10
__fini_array_start	.symtab	0x2c5ac	0	NOTYPE	<unknown>	HIDDEN	10
__fixunsdfsi	.symtab	0x1e990	84	FUNC	<unknown>	HIDDEN	2
__floatdidf	.symtab	0x1e354	96	FUNC	<unknown>	HIDDEN	2
__floatsidf	.symtab	0x1e2d8	40	FUNC	<unknown>	HIDDEN	2
__floatundidf	.symtab	0x1e340	116	FUNC	<unknown>	HIDDEN	2
__floatunsidf	.symtab	0x1e2b4	36	FUNC	<unknown>	HIDDEN	2
__fork	.symtab	0x16300	972	FUNC	<unknown>	DEFAULT	2
__fork_generation_pointer	.symtab	0x33b0c	4	OBJECT	<unknown>	HIDDEN	14
__fork_handlers	.symtab	0x33b10	4	OBJECT	<unknown>	HIDDEN	14
__fork_lock	.symtab	0x30b64	4	OBJECT	<unknown>	HIDDEN	14
__frame_dummy_init_array_entry	.symtab	0x2c5a8	0	OBJECT	<unknown>	DEFAULT	9
__gedf2	.symtab	0x1e850	148	FUNC	<unknown>	HIDDEN	2
__get_hosts_byname_r	.symtab	0x1d288	76	FUNC	<unknown>	HIDDEN	2
__getdents64	.symtab	0x1b5f0	328	FUNC	<unknown>	HIDDEN	2
__getpagesize	.symtab	0x176c8	40	FUNC	<unknown>	DEFAULT	2
__getpid	.symtab	0x16950	72	FUNC	<unknown>	DEFAULT	2
__glibc_strerror_r	.symtab	0x13398	24	FUNC	<unknown>	DEFAULT	2
__glibc_strerror_r.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__gnu_Unwind_Find_exidx	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__gnu_Unwind_ForcedUnwind	.symtab	0x1ee3c	28	FUNC	<unknown>	HIDDEN	2
__gnu_Unwind_RaiseException	.symtab	0x1ef24	184	FUNC	<unknown>	HIDDEN	2
__gnu_Unwind_Restore_VFP	.symtab	0x1f6bc	0	FUNC	<unknown>	HIDDEN	2
__gnu_Unwind_Resume	.symtab	0x1eeb8	108	FUNC	<unknown>	HIDDEN	2
__gnu_Unwind_Resume_or_Rethrow	.symtab	0x1efdc	32	FUNC	<unknown>	HIDDEN	2
__gnu_Unwind_Save_VFP	.symtab	0x1f6c4	0	FUNC	<unknown>	HIDDEN	2
__gnu_unwind_execute	.symtab	0x1f7a0	1812	FUNC	<unknown>	HIDDEN	2
__gnu_unwind_frame	.symtab	0x1feb4	72	FUNC	<unknown>	HIDDEN	2
__gnu_unwind_pr_common	.symtab	0x1f140	1352	FUNC	<unknown>	DEFAULT	2
__gtdf2	.symtab	0x1e850	148	FUNC	<unknown>	HIDDEN	2
__h_errno_location	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__init_array_end	.symtab	0x2c5ac	0	NOTYPE	<unknown>	HIDDEN	9
__init_array_start	.symtab	0x2c5a8	0	NOTYPE	<unknown>	HIDDEN	9
__ledf2	.symtab	0x1e858	140	FUNC	<unknown>	HIDDEN	2
__libc_close	.symtab	0x16be0	100	FUNC	<unknown>	DEFAULT	2
__libc_connect	.symtab	0x13644	116	FUNC	<unknown>	DEFAULT	2
__libc_disable_asynccancel	.symtab	0x16e00	136	FUNC	<unknown>	HIDDEN	2
__libc_enable_asynccancel	.symtab	0x16e88	220	FUNC	<unknown>	HIDDEN	2
__libc_errno	.symtab	0x0	4	TLS	<unknown>	HIDDEN	8
__libc_fcntl	.symtab	0x1160c	244	FUNC	<unknown>	DEFAULT	2
__libc_fork	.symtab	0x16300	972	FUNC	<unknown>	DEFAULT	2
__libc_h_errno	.symtab	0x4	4	TLS	<unknown>	HIDDEN	8
__libc_multiple_threads	.symtab	0x33b14	4	OBJECT	<unknown>	HIDDEN	14
__libc_nanosleep	.symtab	0x17808	96	FUNC	<unknown>	DEFAULT	2
__libc_open	.symtab	0x16c70	100	FUNC	<unknown>	DEFAULT	2
__libc_read	.symtab	0x16d90	100	FUNC	<unknown>	DEFAULT	2
__libc_recv	.symtab	0x13788	112	FUNC	<unknown>	DEFAULT	2
__libc_recvfrom	.symtab	0x13840	136	FUNC	<unknown>	DEFAULT	2
__libc_select	.symtab	0x11a54	132	FUNC	<unknown>	DEFAULT	2
__libc_send	.symtab	0x1390c	112	FUNC	<unknown>	DEFAULT	2
__libc_sendto	.symtab	0x139c8	136	FUNC	<unknown>	DEFAULT	2
__libc_setup_tls	.symtab	0x1b0e4	560	FUNC	<unknown>	DEFAULT	2
__libc_sigaction	.symtab	0x17564	136	FUNC	<unknown>	DEFAULT	2
__libc_stack_end	.symtab	0x310ac	4	OBJECT	<unknown>	DEFAULT	14
__libc_waitpid	.symtab	0x11b94	124	FUNC	<unknown>	DEFAULT	2
__libc_write	.symtab	0x16d00	100	FUNC	<unknown>	DEFAULT	2
__linkin_atfork	.symtab	0x16764	100	FUNC	<unknown>	HIDDEN	2
__lll_lock_wait_private	.symtab	0x166cc	152	FUNC	<unknown>	HIDDEN	2
__local_nameserver	.symtab	0x2414c	16	OBJECT	<unknown>	HIDDEN	4
__ltdf2	.symtab	0x1e858	140	FUNC	<unknown>	HIDDEN	2
__malloc_consolidate	.symtab	0x14bd0	436	FUNC	<unknown>	HIDDEN	2
__malloc_largebin_index	.symtab	0x13c70	120	FUNC	<unknown>	DEFAULT	2
__malloc_lock	.symtab	0x2c738	24	OBJECT	<unknown>	DEFAULT	13
__malloc_state	.symtab	0x33794	888	OBJECT	<unknown>	DEFAULT	14
__malloc_trim	.symtab	0x14b20	176	FUNC	<unknown>	DEFAULT	2
__muldf3	.symtab	0x1e3b4	656	FUNC	<unknown>	HIDDEN	2
__nameserver	.symtab	0x33b48	4	OBJECT	<unknown>	HIDDEN	14
__nameservers	.symtab	0x33b4c	4	OBJECT	<unknown>	HIDDEN	14
__nedf2	.symtab	0x1e860	132	FUNC	<unknown>	HIDDEN	2
__nptl_deallocate_tsd	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__nptl_nthreads	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__open	.symtab	0x16c70	100	FUNC	<unknown>	DEFAULT	2
__open_etc_hosts	.symtab	0x1daf4	48	FUNC	<unknown>	HIDDEN	2
__open_nameservers	.symtab	0x1cd94	1116	FUNC	<unknown>	HIDDEN	2
__open_nocancel	.symtab	0x16c54	24	FUNC	<unknown>	DEFAULT	2
__pagesize	.symtab	0x310b4	4	OBJECT	<unknown>	DEFAULT	14
__preinit_array_end	.symtab	0x2c5a8	0	NOTYPE	<unknown>	HIDDEN	8
__preinit_array_start	.symtab	0x2c5a8	0	NOTYPE	<unknown>	HIDDEN	8
__progname	.symtab	0x2c830	4	OBJECT	<unknown>	DEFAULT	13
__progname_full	.symtab	0x2c834	4	OBJECT	<unknown>	DEFAULT	13
__pthread_initialize_minimal	.symtab	0x1b314	12	FUNC	<unknown>	DEFAULT	2
__pthread_mutex_init	.symtab	0x16f6c	8	FUNC	<unknown>	DEFAULT	2
__pthread_mutex_lock	.symtab	0x16f64	8	FUNC	<unknown>	DEFAULT	2
__pthread_mutex_trylock	.symtab	0x16f64	8	FUNC	<unknown>	DEFAULT	2
__pthread_mutex_unlock	.symtab	0x16f64	8	FUNC	<unknown>	DEFAULT	2
__pthread_return_0	.symtab	0x16f64	8	FUNC	<unknown>	DEFAULT	2
__pthread_unwind	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__read	.symtab	0x16d90	100	FUNC	<unknown>	DEFAULT	2
__read_etc_hosts_r	.symtab	0x1db24	536	FUNC	<unknown>	HIDDEN	2
__read_nocancel	.symtab	0x16d74	24	FUNC	<unknown>	DEFAULT	2
__register_atfork	.symtab	0x167c8	392	FUNC	<unknown>	DEFAULT	2
__register_frame_info	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__res_sync	.symtab	0x33b40	4	OBJECT	<unknown>	HIDDEN	14
__resolv_attempts	.symtab	0x2c927	1	OBJECT	<unknown>	HIDDEN	13
__resolv_lock	.symtab	0x33624	24	OBJECT	<unknown>	DEFAULT	14
__resolv_timeout	.symtab	0x2c926	1	OBJECT	<unknown>	HIDDEN	13
__restore_core_regs	.symtab	0x1f6a0	28	FUNC	<unknown>	HIDDEN	2
__rtld_fini	.symtab	0x310bc	4	OBJECT	<unknown>	HIDDEN	14
__searchdomain	.symtab	0x33b44	4	OBJECT	<unknown>	HIDDEN	14
__searchdomains	.symtab	0x33b50	4	OBJECT	<unknown>	HIDDEN	14
__sigaddset	.symtab	0x13c28	36	FUNC	<unknown>	DEFAULT	2
__sigdelset	.symtab	0x13c4c	36	FUNC	<unknown>	DEFAULT	2
__sigismember	.symtab	0x13c04	36	FUNC	<unknown>	DEFAULT	2
__sigjmp_save	.symtab	0x1d618	64	FUNC	<unknown>	HIDDEN	2
__sigsetjmp	.symtab	0x1b408	12	FUNC	<unknown>	DEFAULT	2
__stdin	.symtab	0x2c848	4	OBJECT	<unknown>	DEFAULT	13
__stdio_READ	.symtab	0x1b91c	88	FUNC	<unknown>	HIDDEN	2
__stdio_WRITE	.symtab	0x1b974	220	FUNC	<unknown>	HIDDEN	2
__stdio_adjust_position	.symtab	0x1ba50	200	FUNC	<unknown>	HIDDEN	2
__stdio_fwrite	.symtab	0x189e8	320	FUNC	<unknown>	HIDDEN	2
__stdio_rfill	.symtab	0x1bb18	48	FUNC	<unknown>	HIDDEN	2
__stdio_seek	.symtab	0x1bbec	60	FUNC	<unknown>	HIDDEN	2
__stdio_trans2r_o	.symtab	0x1bb48	164	FUNC	<unknown>	HIDDEN	2
__stdio_trans2w_o	.symtab	0x18d0c	220	FUNC	<unknown>	HIDDEN	2
__stdio_wcommit	.symtab	0x18de8	48	FUNC	<unknown>	HIDDEN	2
__stdout	.symtab	0x2c84c	4	OBJECT	<unknown>	DEFAULT	13
__subdf3	.symtab	0x1dfa0	788	FUNC	<unknown>	HIDDEN	2
__sys_connect	.symtab	0x13600	68	FUNC	<unknown>	DEFAULT	2
__sys_recv	.symtab	0x13744	68	FUNC	<unknown>	DEFAULT	2
__sys_recvfrom	.symtab	0x137f8	72	FUNC	<unknown>	DEFAULT	2
__sys_send	.symtab	0x138c8	68	FUNC	<unknown>	DEFAULT	2
__sys_sendto	.symtab	0x1397c	76	FUNC	<unknown>	DEFAULT	2
__syscall_error	.symtab	0x17538	44	FUNC	<unknown>	HIDDEN	2
__syscall_error.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__syscall_fcntl.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__syscall_nanosleep	.symtab	0x177c8	64	FUNC	<unknown>	DEFAULT	2
__syscall_poll	.symtab	0x1d6dc	64	FUNC	<unknown>	DEFAULT	2
__syscall_rt_sigaction	.symtab	0x17620	64	FUNC	<unknown>	DEFAULT	2
__syscall_rt_sigaction.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__syscall_select	.symtab	0x11a10	68	FUNC	<unknown>	DEFAULT	2
__tls_get_addr	.symtab	0x1b0c0	36	FUNC	<unknown>	DEFAULT	2
__uClibc_fini	.symtab	0x16fa8	124	FUNC	<unknown>	DEFAULT	2
__uClibc_init	.symtab	0x17078	88	FUNC	<unknown>	DEFAULT	2
__uClibc_main	.symtab	0x170d0	1004	FUNC	<unknown>	DEFAULT	2
__uClibc_main.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__uclibc_progname	.symtab	0x2c82c	4	OBJECT	<unknown>	HIDDEN	13
__udivsi3	.symtab	0x1144c	252	FUNC	<unknown>	HIDDEN	2
__vfork	.symtab	0x16290	112	FUNC	<unknown>	HIDDEN	2
__write	.symtab	0x16d00	100	FUNC	<unknown>	DEFAULT	2
__write_nocancel	.symtab	0x16ce4	24	FUNC	<unknown>	DEFAULT	2
__xpg_strerror_r	.symtab	0x133b0	268	FUNC	<unknown>	DEFAULT	2
__xpg_strerror_r.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__xstat32_conv	.symtab	0x1b544	172	FUNC	<unknown>	HIDDEN	2
__xstat64_conv	.symtab	0x1b478	204	FUNC	<unknown>	HIDDEN	2
_adjust_pos.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_bss_custom_printf_spec	.symtab	0x30980	10	OBJECT	<unknown>	DEFAULT	14
_bss_end__	.symtab	0x33b54	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
_call_via_fp	.symtab	0x811d	4	FUNC	<unknown>	HIDDEN	2
_call_via_ip	.symtab	0x8121	4	FUNC	<unknown>	HIDDEN	2
_call_via_lr	.symtab	0x8129	4	FUNC	<unknown>	HIDDEN	2
_call_via_r0	.symtab	0x80f1	4	FUNC	<unknown>	HIDDEN	2
_call_via_r1	.symtab	0x80f5	4	FUNC	<unknown>	HIDDEN	2
_call_via_r2	.symtab	0x80f9	4	FUNC	<unknown>	HIDDEN	2
_call_via_r3	.symtab	0x80fd	4	FUNC	<unknown>	HIDDEN	2
_call_via_r4	.symtab	0x8101	4	FUNC	<unknown>	HIDDEN	2
_call_via_r5	.symtab	0x8105	4	FUNC	<unknown>	HIDDEN	2
_call_via_r6	.symtab	0x8109	4	FUNC	<unknown>	HIDDEN	2
_call_via_r7	.symtab	0x810d	4	FUNC	<unknown>	HIDDEN	2
_call_via_r8	.symtab	0x8111	4	FUNC	<unknown>	HIDDEN	2
_call_via_r9	.symtab	0x8115	4	FUNC	<unknown>	HIDDEN	2
_call_via_sl	.symtab	0x8119	4	FUNC	<unknown>	HIDDEN	2
_call_via_sp	.symtab	0x8125	4	FUNC	<unknown>	HIDDEN	2
_charpad	.symtab	0x11d98	84	FUNC	<unknown>	DEFAULT	2
_cs_funcs.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_custom_printf_arginfo	.symtab	0x3373c	40	OBJECT	<unknown>	HIDDEN	14
_custom_printf_handler	.symtab	0x33764	40	OBJECT	<unknown>	HIDDEN	14
_custom_printf_spec	.symtab	0x2c734	4	OBJECT	<unknown>	HIDDEN	13
_dl_aux_init	.symtab	0x1b320	56	FUNC	<unknown>	DEFAULT	2
_dl_init_static_tls	.symtab	0x2c920	4	OBJECT	<unknown>	DEFAULT	13
_dl_nothread_init_static_tls	.symtab	0x1b358	88	FUNC	<unknown>	HIDDEN	2
_dl_phdr	.symtab	0x33b38	4	OBJECT	<unknown>	DEFAULT	14
_dl_phnum	.symtab	0x33b3c	4	OBJECT	<unknown>	DEFAULT	14
_dl_tls_dtv_gaps	.symtab	0x33b2c	1	OBJECT	<unknown>	DEFAULT	14
_dl_tls_dtv_slotinfo_list	.symtab	0x33b28	4	OBJECT	<unknown>	DEFAULT	14
_dl_tls_generation	.symtab	0x33b30	4	OBJECT	<unknown>	DEFAULT	14
_dl_tls_max_dtv_idx	.symtab	0x33b20	4	OBJECT	<unknown>	DEFAULT	14
_dl_tls_setup	.symtab	0x1b058	104	FUNC	<unknown>	DEFAULT	2
_dl_tls_static_align	.symtab	0x33b1c	4	OBJECT	<unknown>	DEFAULT	14
_dl_tls_static_nelem	.symtab	0x33b34	4	OBJECT	<unknown>	DEFAULT	14
_dl_tls_static_size	.symtab	0x33b24	4	OBJECT	<unknown>	DEFAULT	14
_dl_tls_static_used	.symtab	0x33b18	4	OBJECT	<unknown>	DEFAULT	14
_edata	.symtab	0x2c930	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
_end	.symtab	0x33b54	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
_exit	.symtab	0x11700	104	FUNC	<unknown>	DEFAULT	2
_exit.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_fini	.symtab	0x1ff30	0	FUNC	<unknown>	DEFAULT	3
_fixed_buffers	.symtab	0x310e0	8192	OBJECT	<unknown>	DEFAULT	14
_fopen.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_fp_out_narrow	.symtab	0x11dec	132	FUNC	<unknown>	DEFAULT	2
_fpmaxtostr	.symtab	0x19014	2036	FUNC	<unknown>	HIDDEN	2
_fpmaxtostr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_fwrite.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_init	.symtab	0x80d4	0	FUNC	<unknown>	DEFAULT	1
_load_inttype	.symtab	0x18e18	116	FUNC	<unknown>	HIDDEN	2
_load_inttype.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_memcpy	.symtab	0x1a290	0	FUNC	<unknown>	HIDDEN	2
_ppfs_init	.symtab	0x12564	160	FUNC	<unknown>	HIDDEN	2
_ppfs_init.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/27/24-09:10:00.509833	TCP	2839489	ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response	666	40178	176.123.4.187	192.168.2.15
05/27/24-09:08:42.343969	TCP	2839489	ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response	666	40168	176.123.4.187	192.168.2.15
05/27/24-09:12:05.508837	TCP	2839489	ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response	666	40194	176.123.4.187	192.168.2.15
05/27/24-09:09:13.625064	TCP	2839489	ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response	666	40172	176.123.4.187	192.168.2.15
05/27/24-09:11:34.265443	TCP	2839489	ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response	666	40190	176.123.4.187	192.168.2.15
05/27/24-09:08:57.997243	TCP	2839489	ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response	666	40170	176.123.4.187	192.168.2.15
05/27/24-09:11:49.888617	TCP	2839489	ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response	666	40192	176.123.4.187	192.168.2.15
05/27/24-09:09:29.251476	TCP	2839489	ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response	666	40174	176.123.4.187	192.168.2.15
05/27/24-09:09:44.880692	TCP	2839489	ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response	666	40176	176.123.4.187	192.168.2.15
05/27/24-09:10:47.383741	TCP	2839489	ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response	666	40184	176.123.4.187	192.168.2.15
05/27/24-09:11:03.012444	TCP	2839489	ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response	666	40186	176.123.4.187	192.168.2.15
05/27/24-09:11:18.633977	TCP	2839489	ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response	666	40188	176.123.4.187	192.168.2.15
05/27/24-09:10:16.127962	TCP	2839489	ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response	666	40180	176.123.4.187	192.168.2.15
05/27/24-09:10:31.750956	TCP	2839489	ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response	666	40182	176.123.4.187	192.168.2.15

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 27, 2024 09:08:41.717639923 CEST	40168	666	192.168.2.15	176.123.4.187
May 27, 2024 09:08:41.722809076 CEST	666	40168	176.123.4.187	192.168.2.15
May 27, 2024 09:08:41.722883940 CEST	40168	666	192.168.2.15	176.123.4.187
May 27, 2024 09:08:41.723134995 CEST	40168	666	192.168.2.15	176.123.4.187
May 27, 2024 09:08:41.728049994 CEST	666	40168	176.123.4.187	192.168.2.15
May 27, 2024 09:08:42.343969107 CEST	666	40168	176.123.4.187	192.168.2.15
May 27, 2024 09:08:42.344177008 CEST	40168	666	192.168.2.15	176.123.4.187
May 27, 2024 09:08:42.344259977 CEST	666	40168	176.123.4.187	192.168.2.15
May 27, 2024 09:08:42.344708920 CEST	40168	666	192.168.2.15	176.123.4.187
May 27, 2024 09:08:42.349745989 CEST	666	40168	176.123.4.187	192.168.2.15
May 27, 2024 09:08:57.345798016 CEST	40170	666	192.168.2.15	176.123.4.187
May 27, 2024 09:08:57.351303101 CEST	666	40170	176.123.4.187	192.168.2.15
May 27, 2024 09:08:57.351452112 CEST	40170	666	192.168.2.15	176.123.4.187
May 27, 2024 09:08:57.351918936 CEST	40170	666	192.168.2.15	176.123.4.187
May 27, 2024 09:08:57.357212067 CEST	666	40170	176.123.4.187	192.168.2.15
May 27, 2024 09:08:57.997242928 CEST	666	40170	176.123.4.187	192.168.2.15
May 27, 2024 09:08:57.997544050 CEST	40170	666	192.168.2.15	176.123.4.187
May 27, 2024 09:08:57.997622967 CEST	666	40170	176.123.4.187	192.168.2.15
May 27, 2024 09:08:57.997910023 CEST	40170	666	192.168.2.15	176.123.4.187
May 27, 2024 09:08:58.003251076 CEST	666	40170	176.123.4.187	192.168.2.15
May 27, 2024 09:09:12.998703003 CEST	40172	666	192.168.2.15	176.123.4.187
May 27, 2024 09:09:13.006558895 CEST	666	40172	176.123.4.187	192.168.2.15
May 27, 2024 09:09:13.006704092 CEST	40172	666	192.168.2.15	176.123.4.187
May 27, 2024 09:09:13.006779909 CEST	40172	666	192.168.2.15	176.123.4.187
May 27, 2024 09:09:13.011631966 CEST	666	40172	176.123.4.187	192.168.2.15
May 27, 2024 09:09:13.625063896 CEST	666	40172	176.123.4.187	192.168.2.15
May 27, 2024 09:09:13.625145912 CEST	666	40172	176.123.4.187	192.168.2.15
May 27, 2024 09:09:13.625199080 CEST	40172	666	192.168.2.15	176.123.4.187
May 27, 2024 09:09:13.625431061 CEST	40172	666	192.168.2.15	176.123.4.187
May 27, 2024 09:09:13.630390882 CEST	666	40172	176.123.4.187	192.168.2.15
May 27, 2024 09:09:28.626121998 CEST	40174	666	192.168.2.15	176.123.4.187
May 27, 2024 09:09:28.631411076 CEST	666	40174	176.123.4.187	192.168.2.15
May 27, 2024 09:09:28.631726980 CEST	40174	666	192.168.2.15	176.123.4.187
May 27, 2024 09:09:28.631798983 CEST	40174	666	192.168.2.15	176.123.4.187
May 27, 2024 09:09:28.636696100 CEST	666	40174	176.123.4.187	192.168.2.15
May 27, 2024 09:09:29.251476049 CEST	666	40174	176.123.4.187	192.168.2.15
May 27, 2024 09:09:29.251739979 CEST	40174	666	192.168.2.15	176.123.4.187
May 27, 2024 09:09:29.251837969 CEST	666	40174	176.123.4.187	192.168.2.15
May 27, 2024 09:09:29.251983881 CEST	40174	666	192.168.2.15	176.123.4.187
May 27, 2024 09:09:29.260610104 CEST	666	40174	176.123.4.187	192.168.2.15
May 27, 2024 09:09:44.252959013 CEST	40176	666	192.168.2.15	176.123.4.187
May 27, 2024 09:09:44.258169889 CEST	666	40176	176.123.4.187	192.168.2.15
May 27, 2024 09:09:44.258285999 CEST	40176	666	192.168.2.15	176.123.4.187
May 27, 2024 09:09:44.258399963 CEST	40176	666	192.168.2.15	176.123.4.187
May 27, 2024 09:09:44.263262987 CEST	666	40176	176.123.4.187	192.168.2.15
May 27, 2024 09:09:44.880692005 CEST	666	40176	176.123.4.187	192.168.2.15
May 27, 2024 09:09:44.880872011 CEST	40176	666	192.168.2.15	176.123.4.187
May 27, 2024 09:09:44.880991936 CEST	666	40176	176.123.4.187	192.168.2.15
May 27, 2024 09:09:44.881108046 CEST	40176	666	192.168.2.15	176.123.4.187
May 27, 2024 09:09:44.886058092 CEST	666	40176	176.123.4.187	192.168.2.15
May 27, 2024 09:09:59.881619930 CEST	40178	666	192.168.2.15	176.123.4.187
May 27, 2024 09:09:59.887075901 CEST	666	40178	176.123.4.187	192.168.2.15
May 27, 2024 09:09:59.887218952 CEST	40178	666	192.168.2.15	176.123.4.187
May 27, 2024 09:09:59.887293100 CEST	40178	666	192.168.2.15	176.123.4.187
May 27, 2024 09:09:59.892340899 CEST	666	40178	176.123.4.187	192.168.2.15
May 27, 2024 09:10:00.509833097 CEST	666	40178	176.123.4.187	192.168.2.15
May 27, 2024 09:10:00.510066986 CEST	40178	666	192.168.2.15	176.123.4.187
May 27, 2024 09:10:00.513195992 CEST	666	40178	176.123.4.187	192.168.2.15
May 27, 2024 09:10:00.513330936 CEST	40178	666	192.168.2.15	176.123.4.187
May 27, 2024 09:10:00.518632889 CEST	666	40178	176.123.4.187	192.168.2.15
May 27, 2024 09:10:15.513966084 CEST	40180	666	192.168.2.15	176.123.4.187
May 27, 2024 09:10:15.519237995 CEST	666	40180	176.123.4.187	192.168.2.15
May 27, 2024 09:10:15.519540071 CEST	40180	666	192.168.2.15	176.123.4.187
May 27, 2024 09:10:15.519829988 CEST	40180	666	192.168.2.15	176.123.4.187
May 27, 2024 09:10:15.524813890 CEST	666	40180	176.123.4.187	192.168.2.15
May 27, 2024 09:10:16.127962112 CEST	666	40180	176.123.4.187	192.168.2.15
May 27, 2024 09:10:16.128079891 CEST	666	40180	176.123.4.187	192.168.2.15
May 27, 2024 09:10:16.128436089 CEST	40180	666	192.168.2.15	176.123.4.187
May 27, 2024 09:10:16.128606081 CEST	40180	666	192.168.2.15	176.123.4.187
May 27, 2024 09:10:16.133537054 CEST	666	40180	176.123.4.187	192.168.2.15
May 27, 2024 09:10:31.129479885 CEST	40182	666	192.168.2.15	176.123.4.187
May 27, 2024 09:10:31.134803057 CEST	666	40182	176.123.4.187	192.168.2.15
May 27, 2024 09:10:31.135180950 CEST	40182	666	192.168.2.15	176.123.4.187
May 27, 2024 09:10:31.135343075 CEST	40182	666	192.168.2.15	176.123.4.187
May 27, 2024 09:10:31.140785933 CEST	666	40182	176.123.4.187	192.168.2.15
May 27, 2024 09:10:31.750956059 CEST	666	40182	176.123.4.187	192.168.2.15
May 27, 2024 09:10:31.751473904 CEST	666	40182	176.123.4.187	192.168.2.15
May 27, 2024 09:10:31.751492977 CEST	40182	666	192.168.2.15	176.123.4.187
May 27, 2024 09:10:31.751687050 CEST	40182	666	192.168.2.15	176.123.4.187
May 27, 2024 09:10:31.756927013 CEST	666	40182	176.123.4.187	192.168.2.15
May 27, 2024 09:10:46.752340078 CEST	40184	666	192.168.2.15	176.123.4.187
May 27, 2024 09:10:46.758559942 CEST	666	40184	176.123.4.187	192.168.2.15
May 27, 2024 09:10:46.759006977 CEST	40184	666	192.168.2.15	176.123.4.187
May 27, 2024 09:10:46.759006977 CEST	40184	666	192.168.2.15	176.123.4.187
May 27, 2024 09:10:46.764408112 CEST	666	40184	176.123.4.187	192.168.2.15
May 27, 2024 09:10:47.383740902 CEST	666	40184	176.123.4.187	192.168.2.15
May 27, 2024 09:10:47.384128094 CEST	666	40184	176.123.4.187	192.168.2.15
May 27, 2024 09:10:47.384252071 CEST	40184	666	192.168.2.15	176.123.4.187
May 27, 2024 09:10:47.384392023 CEST	40184	666	192.168.2.15	176.123.4.187
May 27, 2024 09:10:47.389681101 CEST	666	40184	176.123.4.187	192.168.2.15
May 27, 2024 09:11:02.385489941 CEST	40186	666	192.168.2.15	176.123.4.187
May 27, 2024 09:11:02.391819954 CEST	666	40186	176.123.4.187	192.168.2.15
May 27, 2024 09:11:02.392571926 CEST	40186	666	192.168.2.15	176.123.4.187
May 27, 2024 09:11:02.392673969 CEST	40186	666	192.168.2.15	176.123.4.187
May 27, 2024 09:11:02.398349047 CEST	666	40186	176.123.4.187	192.168.2.15
May 27, 2024 09:11:03.012444019 CEST	666	40186	176.123.4.187	192.168.2.15
May 27, 2024 09:11:03.012523890 CEST	666	40186	176.123.4.187	192.168.2.15
May 27, 2024 09:11:03.012816906 CEST	40186	666	192.168.2.15	176.123.4.187
May 27, 2024 09:11:03.013103962 CEST	40186	666	192.168.2.15	176.123.4.187
May 27, 2024 09:11:03.018358946 CEST	666	40186	176.123.4.187	192.168.2.15
May 27, 2024 09:11:18.014113903 CEST	40188	666	192.168.2.15	176.123.4.187
May 27, 2024 09:11:18.022521019 CEST	666	40188	176.123.4.187	192.168.2.15
May 27, 2024 09:11:18.022731066 CEST	40188	666	192.168.2.15	176.123.4.187
May 27, 2024 09:11:18.022797108 CEST	40188	666	192.168.2.15	176.123.4.187
May 27, 2024 09:11:18.028799057 CEST	666	40188	176.123.4.187	192.168.2.15
May 27, 2024 09:11:18.633976936 CEST	666	40188	176.123.4.187	192.168.2.15
May 27, 2024 09:11:18.634044886 CEST	666	40188	176.123.4.187	192.168.2.15
May 27, 2024 09:11:18.634496927 CEST	40188	666	192.168.2.15	176.123.4.187
May 27, 2024 09:11:18.634784937 CEST	40188	666	192.168.2.15	176.123.4.187
May 27, 2024 09:11:18.639890909 CEST	666	40188	176.123.4.187	192.168.2.15
May 27, 2024 09:11:33.635366917 CEST	40190	666	192.168.2.15	176.123.4.187
May 27, 2024 09:11:33.640825987 CEST	666	40190	176.123.4.187	192.168.2.15
May 27, 2024 09:11:33.641258001 CEST	40190	666	192.168.2.15	176.123.4.187
May 27, 2024 09:11:33.641436100 CEST	40190	666	192.168.2.15	176.123.4.187
May 27, 2024 09:11:33.646851063 CEST	666	40190	176.123.4.187	192.168.2.15
May 27, 2024 09:11:34.265443087 CEST	666	40190	176.123.4.187	192.168.2.15
May 27, 2024 09:11:34.265511990 CEST	666	40190	176.123.4.187	192.168.2.15
May 27, 2024 09:11:34.265818119 CEST	40190	666	192.168.2.15	176.123.4.187
May 27, 2024 09:11:34.265818119 CEST	40190	666	192.168.2.15	176.123.4.187
May 27, 2024 09:11:34.271476030 CEST	666	40190	176.123.4.187	192.168.2.15
May 27, 2024 09:11:49.266436100 CEST	40192	666	192.168.2.15	176.123.4.187
May 27, 2024 09:11:49.272025108 CEST	666	40192	176.123.4.187	192.168.2.15
May 27, 2024 09:11:49.272459030 CEST	40192	666	192.168.2.15	176.123.4.187
May 27, 2024 09:11:49.272459030 CEST	40192	666	192.168.2.15	176.123.4.187
May 27, 2024 09:11:49.277895927 CEST	666	40192	176.123.4.187	192.168.2.15
May 27, 2024 09:11:49.888617039 CEST	666	40192	176.123.4.187	192.168.2.15
May 27, 2024 09:11:49.888669968 CEST	666	40192	176.123.4.187	192.168.2.15
May 27, 2024 09:11:49.889296055 CEST	40192	666	192.168.2.15	176.123.4.187
May 27, 2024 09:11:49.889384985 CEST	40192	666	192.168.2.15	176.123.4.187
May 27, 2024 09:11:49.895023108 CEST	666	40192	176.123.4.187	192.168.2.15
May 27, 2024 09:12:04.890187979 CEST	40194	666	192.168.2.15	176.123.4.187
May 27, 2024 09:12:04.896533012 CEST	666	40194	176.123.4.187	192.168.2.15
May 27, 2024 09:12:04.897267103 CEST	40194	666	192.168.2.15	176.123.4.187
May 27, 2024 09:12:04.897444010 CEST	40194	666	192.168.2.15	176.123.4.187
May 27, 2024 09:12:04.903140068 CEST	666	40194	176.123.4.187	192.168.2.15
May 27, 2024 09:12:05.508836985 CEST	666	40194	176.123.4.187	192.168.2.15
May 27, 2024 09:12:05.508974075 CEST	666	40194	176.123.4.187	192.168.2.15
May 27, 2024 09:12:05.509712934 CEST	40194	666	192.168.2.15	176.123.4.187
May 27, 2024 09:12:05.509884119 CEST	40194	666	192.168.2.15	176.123.4.187
May 27, 2024 09:12:05.515958071 CEST	666	40194	176.123.4.187	192.168.2.15

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 27, 2024 09:11:26.646256924 CEST	46863	53	192.168.2.15	1.1.1.1
May 27, 2024 09:11:26.646334887 CEST	41681	53	192.168.2.15	1.1.1.1
May 27, 2024 09:11:26.653606892 CEST	53	41681	1.1.1.1	192.168.2.15
May 27, 2024 09:11:26.653706074 CEST	53	46863	1.1.1.1	192.168.2.15

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 27, 2024 09:11:26.646256924 CEST	192.168.2.15	1.1.1.1	0xb857	Standard query (0)	daisy.ubuntu.com	A (IP address)	IN (0x0001)	false
May 27, 2024 09:11:26.646334887 CEST	192.168.2.15	1.1.1.1	0x5167	Standard query (0)	daisy.ubuntu.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 27, 2024 09:11:26.653706074 CEST	1.1.1.1	192.168.2.15	0xb857	No error (0)	daisy.ubuntu.com		162.213.35.25	A (IP address)	IN (0x0001)	false
May 27, 2024 09:11:26.653706074 CEST	1.1.1.1	192.168.2.15	0xb857	No error (0)	daisy.ubuntu.com		162.213.35.24	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: 6eYKWxlBqa.elf PID: 5524, Parent PID: 5447

General

Start time (UTC):	07:08:40
Start date (UTC):	27/05/2024
Path:	/tmp/6eYKWxlBqa.elf
Arguments:	/tmp/6eYKWxlBqa.elf
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: 6eYKWxlBqa.elf PID: 5526, Parent PID: 5524

General

Start time (UTC):	07:08:41
Start date (UTC):	27/05/2024
Path:	/tmp/6eYKWxlBqa.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: 6eYKWxlBqa.elf PID: 5527, Parent PID: 5524

General

Start time (UTC):	07:08:41
Start date (UTC):	27/05/2024
Path:	/tmp/6eYKWxlBqa.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: 6eYKWxlBqa.elf PID: 5530, Parent PID: 5527

General

Start time (UTC):	07:08:41
Start date (UTC):	27/05/2024
Path:	/tmp/6eYKWxlBqa.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or `net view` using Net .
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Network Traffic: Network Connection Creation, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report 6eYKWxlBqa.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Snort Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Symbols

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: 6eYKWxlBqa.elf PID: 5524, Parent PID: 5447

General

Chronological Activities

Analysis Process: 6eYKWxlBqa.elf PID: 5526, Parent PID: 5524

General

Chronological Activities

Analysis Process: 6eYKWxlBqa.elf PID: 5527, Parent PID: 5524

General

Chronological Activities

Analysis Process: 6eYKWxlBqa.elf PID: 5530, Parent PID: 5527

General

Linux Analysis Report
6eYKWxlBqa.elf