Edit tour

Linux Analysis Report
Okami.sh4.elf

Overview

General Information

Sample name:	Okami.sh4.elf
Analysis ID:	1467987
MD5:	01b7d9d2ba31331844b0412c686c23fd
SHA1:	0d17e9987b91aee0746d6fc0c8c9a99de58b0a90
SHA256:	1cfe5f0955635876e67526d35e92f6d1ac467144fe535a8cc4e87c6586800576
Infos:

Detection

Mirai

Score:	72
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Mirai

Detected TCP or UDP traffic on non-standard ports

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample contains strings that are user agent strings indicative of HTTP manipulation

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1467987
Start date and time:	2024-07-05 08:06:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	Okami.sh4.elf
Detection:	MAL
Classification:	mal72.troj.linELF@0/1@2/0

Runtime Messages

Command:	/tmp/Okami.sh4.elf
PID:	5490
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	[ INFECTED ] Arch: SUPERH \|\| Type: LITTLE_ENDIAN]
Standard Error:

Process Tree

system is lnxubuntu20

Okami.sh4.elf (PID: 5490, Parent: 5414, MD5: 8943e5f8f8c280467b4472c15ae93ba9) Arguments: /tmp/Okami.sh4.elf

Okami.sh4.elf New Fork (PID: 5492, Parent: 5490)

Okami.sh4.elf New Fork (PID: 5494, Parent: 5492)

Okami.sh4.elf New Fork (PID: 5498, Parent: 5494)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Okami.sh4.elf	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Okami.sh4.elf	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xcdfc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce10:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce24:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce38:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce4c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce60:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce74:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce88:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce9c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xceb0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcec4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xced8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xceec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf00:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf14:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf28:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf3c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf50:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf64:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf78:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf8c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F

Memory Dumps

Source	Rule	Description	Author	Strings
5494.1.00007f2094400000.00007f209440f000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5494.1.00007f2094400000.00007f209440f000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xcdfc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce10:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce24:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce38:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce4c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce60:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce74:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce88:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce9c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xceb0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcec4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xced8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xceec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf00:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf14:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf28:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf3c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf50:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf64:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf78:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf8c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5492.1.00007f2094400000.00007f209440f000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5492.1.00007f2094400000.00007f209440f000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xcdfc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce10:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce24:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce38:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce4c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce60:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce74:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce88:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce9c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xceb0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcec4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xced8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xceec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf00:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf14:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf28:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf3c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf50:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf64:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf78:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf8c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5490.1.00007f2094400000.00007f209440f000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5490.1.00007f2094400000.00007f209440f000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xcdfc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce10:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce24:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce38:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce4c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce60:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce74:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce88:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce9c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xceb0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcec4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xced8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xceec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf00:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf14:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf28:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf3c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf50:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf64:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf78:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf8c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Okami.sh4.elf PID: 5490	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x7e95:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7ea9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7ebd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7ed1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7ee5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7ef9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7f0d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7f21:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7f35:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7f49:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7f5d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7f71:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7f85:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7f99:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7fad:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7fc1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7fd5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7fe9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7ffd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x8011:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x8025:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Okami.sh4.elf PID: 5492	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: Okami.sh4.elf PID: 5492	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x53ff:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5413:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5427:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x543b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x544f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5463:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5477:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x548b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x549f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x54b3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x54c7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x54db:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x54ef:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5503:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5517:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x552b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x553f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5553:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5567:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x557b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x558f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Okami.sh4.elf PID: 5494	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: Okami.sh4.elf PID: 5494	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x799f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x79b3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x79c7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x79db:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x79ef:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7a03:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7a17:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7a2b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7a3f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7a53:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7a67:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7a7b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7a8f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7aa3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7ab7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7acb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7adf:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7af3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7b07:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7b1b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7b2f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Click to see the 6 entries

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Okami.sh4.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: Okami.sh4.elf

Virustotal: Detection: 61%

Perma Link

Source: global traffic

TCP traffic: 192.168.2.14:44506 -> 93.123.85.246:6963

Source: unknown	TCP traffic detected without corresponding DNS query: 93.123.85.246
Source: unknown	TCP traffic detected without corresponding DNS query: 93.123.85.246
Source: unknown	TCP traffic detected without corresponding DNS query: 93.123.85.246

Source: global traffic

DNS traffic detected: DNS query: daisy.ubuntu.com

Source: Okami.sh4.elf	String found in binary or memory: http://fast.no/support/crawler.asp)
Source: Okami.sh4.elf	String found in binary or memory: http://feedback.redkolibri.com/
Source: Okami.sh4.elf	String found in binary or memory: http://www.baidu.com/search/spider.htm)
Source: Okami.sh4.elf	String found in binary or memory: http://www.baidu.com/search/spider.html)
Source: Okami.sh4.elf	String found in binary or memory: http://www.billybobbot.com/crawler/)

System Summary

Malicious sample detected (through community Yara rule)

Source: Okami.sh4.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5494.1.00007f2094400000.00007f209440f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5492.1.00007f2094400000.00007f209440f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5490.1.00007f2094400000.00007f209440f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Okami.sh4.elf PID: 5490, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Okami.sh4.elf PID: 5492, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Okami.sh4.elf PID: 5494, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: Initial sample	String containing 'busybox' found: pkill -9 busybox
Source: Initial sample	String containing 'busybox' found: rm -rf /tmp/* /var/* /var/run/* /var/tmp/rm -rf /var/log/wtmprm -rf /tmp/rm -rf /bin/netstatiptables -Fpkill -9 busyboxpkill -9 perlpkill -9 pythonservice iptables stop/sbin/iptables -F; /sbin/iptables -Xservice firewalld stoprm -rf ~/.bash_historyhistory -c;history -wBIG_ENDIANLITTLE_ENDIANBIG_ENDIAN_WLITTLE_ENDIAN_WUNKNOWN/[ INFECTED ] Arch: %s \|\| Type: %s]DUP

Source: Okami.sh4.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5494.1.00007f2094400000.00007f209440f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5492.1.00007f2094400000.00007f209440f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5490.1.00007f2094400000.00007f209440f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Okami.sh4.elf PID: 5490, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Okami.sh4.elf PID: 5492, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Okami.sh4.elf PID: 5494, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal72.troj.linELF@0/1@2/0

Source: Okami.sh4.elf	ELF static info symbol of initial sample: /home/firmware/build/temp-sh4/gcc-core/gcc/config/sh/lib1funcs.asm
Source: Okami.sh4.elf	ELF static info symbol of initial sample: /home/firmware/build/temp-sh4/gcc-core/gcc/config/sh/lib1funcs.asm
Source: Okami.sh4.elf	ELF static info symbol of initial sample: libc/string/sh/sh4/memcpy.S
Source: Okami.sh4.elf	ELF static info symbol of initial sample: libc/sysdeps/linux/sh/crt1.S
Source: Okami.sh4.elf	ELF static info symbol of initial sample: libc/sysdeps/linux/sh/crti.S
Source: Okami.sh4.elf	ELF static info symbol of initial sample: libc/sysdeps/linux/sh/crtn.S
Source: Okami.sh4.elf	ELF static info symbol of initial sample: libc/sysdeps/linux/sh/vfork.S

Source: /tmp/Okami.sh4.elf (PID: 5490)

Queries kernel information via 'uname':

Jump to behavior

Source: Okami.sh4.elf, 5490.1.0000560057032000.0000560057095000.rw-.sdmp, Okami.sh4.elf, 5492.1.0000560057032000.0000560057095000.rw-.sdmp, Okami.sh4.elf, 5494.1.0000560057032000.0000560057095000.rw-.sdmp	Binary or memory string: WV5!/etc/qemu-binfmt/sh4
Source: Okami.sh4.elf, 5490.1.00007ffff188e000.00007ffff18af000.rw-.sdmp, Okami.sh4.elf, 5492.1.00007ffff188e000.00007ffff18af000.rw-.sdmp, Okami.sh4.elf, 5494.1.00007ffff188e000.00007ffff18af000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-sh4/tmp/Okami.sh4.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Okami.sh4.elf
Source: Okami.sh4.elf, 5490.1.00007ffff188e000.00007ffff18af000.rw-.sdmp, Okami.sh4.elf, 5492.1.00007ffff188e000.00007ffff18af000.rw-.sdmp, Okami.sh4.elf, 5494.1.00007ffff188e000.00007ffff18af000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sh4
Source: Okami.sh4.elf, 5490.1.0000560057032000.0000560057095000.rw-.sdmp, Okami.sh4.elf, 5492.1.0000560057032000.0000560057095000.rw-.sdmp, Okami.sh4.elf, 5494.1.0000560057032000.0000560057095000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/sh4

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: Okami.sh4.elf, type: SAMPLE
Source: Yara match	File source: 5494.1.00007f2094400000.00007f209440f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5492.1.00007f2094400000.00007f209440f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5490.1.00007f2094400000.00007f209440f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Okami.sh4.elf PID: 5492, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Okami.sh4.elf PID: 5494, type: MEMORYSTR

Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
Source: Initial sample	User agent string found: Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:2.2) Gecko/20110201
Source: Initial sample	User agent string found: Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
Source: Initial sample	User agent string found: Mozilla/5.0 (Android; Linux armv7l; rv:9.0) Gecko/20111216 Firefox/9.0 Fennec/9.0
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
Source: Initial sample	User agent string found: Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.229 Version/11.60
Source: Initial sample	User agent string found: Mozilla/5.0 (iPad; U; CPU OS 5_1 like Mac OS X) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B367 Safari/531.21.10 UCBrowser/3.4.3.532
Source: Initial sample	User agent string found: Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US
Source: Initial sample	User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:25.0) Gecko/20100101 Firefox/25.0
Source: Initial sample	User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; pl) Opera 11.00
Source: Initial sample	User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; en) Opera 11.00
Source: Initial sample	User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; ja) Opera 11.00
Source: Initial sample	User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; cn) Opera 11.00
Source: Initial sample	User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; fr) Opera 11.00
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
Source: Initial sample	User agent string found: Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1
Source: Initial sample	User agent string found: Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.289 Version/12.01
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 5.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.02
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: Okami.sh4.elf, type: SAMPLE
Source: Yara match	File source: 5494.1.00007f2094400000.00007f209440f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5492.1.00007f2094400000.00007f209440f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5490.1.00007f2094400000.00007f209440f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Okami.sh4.elf PID: 5492, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Okami.sh4.elf PID: 5494, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Okami.sh4.elf	62%	Virustotal		Browse
Okami.sh4.elf	100%	Avira	EXP/ELF.Mirai.Z.A

Dropped Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
daisy.ubuntu.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.billybobbot.com/crawler/)	100%	URL Reputation	malware
http://www.billybobbot.com/crawler/)	100%	URL Reputation	malware
http://fast.no/support/crawler.asp)	0%	URL Reputation	safe
http://feedback.redkolibri.com/	0%	URL Reputation	safe
http://www.baidu.com/search/spider.html)	0%	Avira URL Cloud	safe
http://www.baidu.com/search/spider.htm)	0%	Avira URL Cloud	safe
http://www.baidu.com/search/spider.html)	0%	Virustotal		Browse
http://www.baidu.com/search/spider.htm)	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
daisy.ubuntu.com	162.213.35.24	true	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.baidu.com/search/spider.html)	Okami.sh4.elf	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.billybobbot.com/crawler/)	Okami.sh4.elf	true	URL Reputation: malware URL Reputation: malware	unknown
http://fast.no/support/crawler.asp)	Okami.sh4.elf	false	URL Reputation: safe	unknown
http://feedback.redkolibri.com/	Okami.sh4.elf	false	URL Reputation: safe	unknown
http://www.baidu.com/search/spider.htm)	Okami.sh4.elf	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
93.123.85.246	unknown	Bulgaria		43561	NET1-ASBG	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
93.123.85.246	Okami.x86.elf	Get hash	malicious	Mirai	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
daisy.ubuntu.com	1eMpWRaDQE.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	PMcyGpR57k.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	UhtzOix2fn.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	oF0U7TguWy.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	CgiHyL88Yf.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	NSWk4vIsis.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	oCzLnKp7Gq.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	SecuriteInfo.com.Linux.Siggen.9999.238.620.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	utY2mbjUuH.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	FIkYSk1fVy.elf	Get hash	malicious	Unknown	Browse	162.213.35.24

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NET1-ASBG	Okami.x86.elf	Get hash	malicious	Mirai	Browse	93.123.85.246
	Leaked.exe	Get hash	malicious	XWorm	Browse	94.156.79.213
	file.exe	Get hash	malicious	Socks5Systemz	Browse	94.156.8.80
	94.156.79.13-bot.mips-2024-07-01T10_28_04.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	94.156.79.13
	6RjPHp1yLG.exe	Get hash	malicious	Socks5Systemz	Browse	94.156.8.80
	https://goo.gl/sbdzp#3&1afkvs	Get hash	malicious	Unknown	Browse	93.123.118.245
	1719520929.094843_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PrivateLoader, PureLog Stealer, Socks5Systemz, Stealc, Vidar	Browse	94.156.8.80
	eS7Fug0Co9.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	93.123.39.123
	ww1lNntV17.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	93.123.39.123
	oUgyJ7nLw8.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	93.123.39.123

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/run/systemd/resolve/stub-resolv.conf

Download File

Process:	/tmp/Okami.sh4.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	38
Entropy (8bit):	3.3918926446809334
Encrypted:	false
SSDEEP:	3:KkZRAkd:KaAu
MD5:	C7EA09D26E26605227076E0514A33038
SHA1:	C3F9736E9AF7BD0885578859A50B205C8FA5FC8E
SHA-256:	7E8AD76E0D200E93918CA2E93C99FF8ECD02071953BF1479819DB3AC0DBB6D07
SHA-512:	17D0088725EB9991E9EB82E8A3DE0878E45E6F394BBC2AD260AA59C786FF0AD565E145E21256425D1C0ABE15F3ECB402EBB0A6A5E1C2D5BA7A4D95EC93A2861F
Malicious:	false
Reputation:	high, very likely benign file
Preview:	nameserver 8.8.8.8.nameserver 8.8.4.4.

Static File Info

General

File type:	ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, not stripped
Entropy (8bit):	6.581833420192207
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	Okami.sh4.elf
File size:	85'864 bytes
MD5:	01b7d9d2ba31331844b0412c686c23fd
SHA1:	0d17e9987b91aee0746d6fc0c8c9a99de58b0a90
SHA256:	1cfe5f0955635876e67526d35e92f6d1ac467144fe535a8cc4e87c6586800576
SHA512:	23044a48da27dfb4062ea6da516b69b5859810b947a3deac1eece2cf70c8faeb84e35813f87d82e506065d4cd92f28b100d7970f937f10c7e56014cc4c5be8d4
SSDEEP:	1536:QWkDaiqMKJmuRO+4FCqMgTSAC55hrI6eKnUsLzk0y/fKsjy1n:1QGTJF4FvZ05hrI6ksLzk0y/ysjy1n
TLSH:	59833C47A8615FB3C14669B531FB1E300763E9910F4B1A8A713DAAF4474B9CE781EFA0
File Content Preview:	.ELF.....................@.4...........4. ...(...............@...@.8...8.....................A...A......g..........Q.td............................././"O.n........#.@........#.*@.....o&O.n...l..............................././.../.a"O.!...n...a.b("...q.

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	<unknown>
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x4001a0
Flags:	0x9
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	65540
Section Header Size:	40
Number of Section Headers:	16
Header String Table Index:	13

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Link	Info	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0	0	0
.init	PROGBITS	0x400094	0x94	0x30	0x0	0x6	AX	0	0	4
.text	PROGBITS	0x4000e0	0xe0	0xb8a0	0x0	0x6	AX	0	0	32
.fini	PROGBITS	0x40b980	0xb980	0x24	0x0	0x6	AX	0	0	4
.rodata	PROGBITS	0x40b9a4	0xb9a4	0x3390	0x0	0x2	A	0	0	4
.eh_frame	PROGBITS	0x40ed34	0xed34	0x4	0x0	0x2	A	0	0	4
.ctors	PROGBITS	0x41f000	0xf000	0x8	0x0	0x3	WA	0	0	4
.dtors	PROGBITS	0x41f008	0xf008	0x8	0x0	0x3	WA	0	0	4
.jcr	PROGBITS	0x41f010	0xf010	0x4	0x0	0x3	WA	0	0	4
.data	PROGBITS	0x41f014	0xf014	0x468	0x0	0x3	WA	0	0	4
.got	PROGBITS	0x41f47c	0xf47c	0x10	0x4	0x3	WA	0	0	4
.bss	NOBITS	0x41f48c	0xf48c	0x635c	0x0	0x3	WA	0	0	4
.comment	PROGBITS	0x0	0xf48c	0xb0a	0x0	0x0		0	0	1
.shstrtab	STRTAB	0x0	0xff96	0x6b	0x0	0x0		0	0	1
.symtab	SYMTAB	0x0	0x10284	0x2bb0	0x10	0x0		15	259	4
.strtab	STRTAB	0x0	0x12e34	0x2134	0x0	0x0		0	0	1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0xed38	0xed38	6.9277	0x5	R E	0x10000	.init .text .fini .rodata .eh_frame
LOAD	0xf000	0x41f000	0x41f000	0x48c	0x67e8	3.3577	0x6	RW	0x10000	.ctors .dtors .jcr .data .got .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Symbols

Name	Section Name	Value	Size	Symbol Type	Symbol Bind	Symbol Visibility	Ndx
	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
	.symtab	0x400094	0	SECTION	<unknown>	DEFAULT	1
	.symtab	0x4000e0	0	SECTION	<unknown>	DEFAULT	2
	.symtab	0x40b980	0	SECTION	<unknown>	DEFAULT	3
	.symtab	0x40b9a4	0	SECTION	<unknown>	DEFAULT	4
	.symtab	0x40ed34	0	SECTION	<unknown>	DEFAULT	5
	.symtab	0x41f000	0	SECTION	<unknown>	DEFAULT	6
	.symtab	0x41f008	0	SECTION	<unknown>	DEFAULT	7
	.symtab	0x41f010	0	SECTION	<unknown>	DEFAULT	8
	.symtab	0x41f014	0	SECTION	<unknown>	DEFAULT	9
	.symtab	0x41f47c	0	SECTION	<unknown>	DEFAULT	10
	.symtab	0x41f48c	0	SECTION	<unknown>	DEFAULT	11
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	12
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	13
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	14
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	15
/home/firmware/build/temp-sh4/gcc-core/gcc/config/sh/lib1funcs.asm	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
/home/firmware/build/temp-sh4/gcc-core/gcc/config/sh/lib1funcs.asm	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
L1	.symtab	0x404b1c	0	NOTYPE	<unknown>	DEFAULT	2
L_abort	.symtab	0x4001d0	0	NOTYPE	<unknown>	DEFAULT	2
L_fini	.symtab	0x4001c8	0	NOTYPE	<unknown>	DEFAULT	2
L_init	.symtab	0x4001c4	0	NOTYPE	<unknown>	DEFAULT	2
L_main	.symtab	0x4001c0	0	NOTYPE	<unknown>	DEFAULT	2
L_uClibc_main	.symtab	0x4001cc	0	NOTYPE	<unknown>	DEFAULT	2
Okami.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
Q	.symtab	0x41f4bc	16384	OBJECT	<unknown>	DEFAULT	11
RemoveTempDirs	.symtab	0x40418c	204	FUNC	<unknown>	DEFAULT	2
SendHTTP	.symtab	0x403354	524	FUNC	<unknown>	DEFAULT	2
SendSTD	.symtab	0x4024e8	912	FUNC	<unknown>	DEFAULT	2
SendSTDHEX	.symtab	0x402380	360	FUNC	<unknown>	DEFAULT	2
SendTCP	.symtab	0x402c88	1452	FUNC	<unknown>	DEFAULT	2
SendUDP	.symtab	0x402878	1040	FUNC	<unknown>	DEFAULT	2
UpdateNameSrvs	.symtab	0x4040e8	164	FUNC	<unknown>	DEFAULT	2
_GLOBAL_OFFSET_TABLE_	.symtab	0x41f47c	0	OBJECT	<unknown>	HIDDEN	10
_Jv_RegisterClasses	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
_READ.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_WRITE.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__CTOR_END__	.symtab	0x41f004	0	OBJECT	<unknown>	DEFAULT	6
__CTOR_LIST__	.symtab	0x41f000	0	OBJECT	<unknown>	DEFAULT	6
__C_ctype_b	.symtab	0x41f11c	4	OBJECT	<unknown>	DEFAULT	9
__C_ctype_b.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__C_ctype_b_data	.symtab	0x40d6cc	768	OBJECT	<unknown>	DEFAULT	4
__C_ctype_tolower	.symtab	0x41f458	4	OBJECT	<unknown>	DEFAULT	9
__C_ctype_tolower.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__C_ctype_tolower_data	.symtab	0x40e93a	768	OBJECT	<unknown>	DEFAULT	4
__C_ctype_toupper	.symtab	0x41f124	4	OBJECT	<unknown>	DEFAULT	9
__C_ctype_toupper.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__C_ctype_toupper_data	.symtab	0x40d9cc	768	OBJECT	<unknown>	DEFAULT	4
__DTOR_END__	.symtab	0x41f00c	0	OBJECT	<unknown>	DEFAULT	7
__DTOR_LIST__	.symtab	0x41f008	0	OBJECT	<unknown>	DEFAULT	7
__EH_FRAME_BEGIN__	.symtab	0x40ed34	0	OBJECT	<unknown>	DEFAULT	5
__FRAME_END__	.symtab	0x40ed34	0	OBJECT	<unknown>	DEFAULT	5
__GI___C_ctype_b	.symtab	0x41f11c	4	OBJECT	<unknown>	HIDDEN	9
__GI___C_ctype_b_data	.symtab	0x40d6cc	768	OBJECT	<unknown>	HIDDEN	4
__GI___C_ctype_tolower	.symtab	0x41f458	4	OBJECT	<unknown>	HIDDEN	9
__GI___C_ctype_tolower_data	.symtab	0x40e93a	768	OBJECT	<unknown>	HIDDEN	4
__GI___C_ctype_toupper	.symtab	0x41f124	4	OBJECT	<unknown>	HIDDEN	9
__GI___C_ctype_toupper_data	.symtab	0x40d9cc	768	OBJECT	<unknown>	HIDDEN	4
__GI___ctype_b	.symtab	0x41f120	4	OBJECT	<unknown>	HIDDEN	9
__GI___ctype_tolower	.symtab	0x41f45c	4	OBJECT	<unknown>	HIDDEN	9
__GI___ctype_toupper	.symtab	0x41f128	4	OBJECT	<unknown>	HIDDEN	9
__GI___errno_location	.symtab	0x40511c	20	FUNC	<unknown>	HIDDEN	2
__GI___fgetc_unlocked	.symtab	0x40b554	216	FUNC	<unknown>	HIDDEN	2
__GI___glibc_strerror_r	.symtab	0x4067d8	32	FUNC	<unknown>	HIDDEN	2
__GI___h_errno_location	.symtab	0x4084b8	20	FUNC	<unknown>	HIDDEN	2
__GI___libc_fcntl	.symtab	0x404b24	172	FUNC	<unknown>	HIDDEN	2
__GI___libc_fcntl64	.symtab	0x404bd0	152	FUNC	<unknown>	HIDDEN	2
__GI___libc_open	.symtab	0x404de8	160	FUNC	<unknown>	HIDDEN	2
__GI___uClibc_fini	.symtab	0x407e54	104	FUNC	<unknown>	HIDDEN	2
__GI___uClibc_init	.symtab	0x407f20	80	FUNC	<unknown>	HIDDEN	2
__GI___xpg_strerror_r	.symtab	0x4067f8	200	FUNC	<unknown>	HIDDEN	2
__GI__exit	.symtab	0x404c68	48	FUNC	<unknown>	HIDDEN	2
__GI_abort	.symtab	0x4073c4	244	FUNC	<unknown>	HIDDEN	2
__GI_atoi	.symtab	0x407a18	24	FUNC	<unknown>	HIDDEN	2
__GI_atol	.symtab	0x407a18	24	FUNC	<unknown>	HIDDEN	2
__GI_chdir	.symtab	0x404cd0	56	FUNC	<unknown>	HIDDEN	2
__GI_close	.symtab	0x404d08	56	FUNC	<unknown>	HIDDEN	2
__GI_connect	.symtab	0x406e1c	40	FUNC	<unknown>	HIDDEN	2
__GI_errno	.symtab	0x4256f0	4	OBJECT	<unknown>	HIDDEN	11
__GI_execl	.symtab	0x407bf8	228	FUNC	<unknown>	HIDDEN	2
__GI_execve	.symtab	0x408248	56	FUNC	<unknown>	HIDDEN	2
__GI_exit	.symtab	0x407b88	112	FUNC	<unknown>	HIDDEN	2
__GI_fclose	.symtab	0x40a014	272	FUNC	<unknown>	HIDDEN	2
__GI_fcntl	.symtab	0x404b24	172	FUNC	<unknown>	HIDDEN	2
__GI_fcntl64	.symtab	0x404bd0	152	FUNC	<unknown>	HIDDEN	2
__GI_fflush_unlocked	.symtab	0x40a698	320	FUNC	<unknown>	HIDDEN	2
__GI_fgetc_unlocked	.symtab	0x40b554	216	FUNC	<unknown>	HIDDEN	2
__GI_fgets	.symtab	0x40a540	120	FUNC	<unknown>	HIDDEN	2
__GI_fgets_unlocked	.symtab	0x40a7d8	128	FUNC	<unknown>	HIDDEN	2
__GI_fopen	.symtab	0x40a124	24	FUNC	<unknown>	HIDDEN	2
__GI_fork	.symtab	0x404d40	56	FUNC	<unknown>	HIDDEN	2
__GI_fputs_unlocked	.symtab	0x406010	68	FUNC	<unknown>	HIDDEN	2
__GI_fseek	.symtab	0x40a13c	28	FUNC	<unknown>	HIDDEN	2
__GI_fseeko64	.symtab	0x40a158	232	FUNC	<unknown>	HIDDEN	2
__GI_fwrite_unlocked	.symtab	0x406054	156	FUNC	<unknown>	HIDDEN	2
__GI_getc_unlocked	.symtab	0x40b554	216	FUNC	<unknown>	HIDDEN	2
__GI_getegid	.symtab	0x408280	56	FUNC	<unknown>	HIDDEN	2
__GI_geteuid	.symtab	0x4082b8	56	FUNC	<unknown>	HIDDEN	2
__GI_getgid	.symtab	0x4082f0	56	FUNC	<unknown>	HIDDEN	2
__GI_gethostbyname	.symtab	0x406b28	72	FUNC	<unknown>	HIDDEN	2
__GI_gethostbyname_r	.symtab	0x406b70	684	FUNC	<unknown>	HIDDEN	2
__GI_getpid	.symtab	0x404d78	56	FUNC	<unknown>	HIDDEN	2
__GI_getuid	.symtab	0x408328	56	FUNC	<unknown>	HIDDEN	2
__GI_h_errno	.symtab	0x4256f4	4	OBJECT	<unknown>	HIDDEN	11
__GI_inet_addr	.symtab	0x406afc	44	FUNC	<unknown>	HIDDEN	2
__GI_inet_aton	.symtab	0x4094a4	204	FUNC	<unknown>	HIDDEN	2
__GI_inet_ntoa	.symtab	0x406ae4	24	FUNC	<unknown>	HIDDEN	2
__GI_inet_ntoa_r	.symtab	0x406a6c	120	FUNC	<unknown>	HIDDEN	2
__GI_inet_ntop	.symtab	0x40ad78	492	FUNC	<unknown>	HIDDEN	2
__GI_inet_pton	.symtab	0x40aaa4	408	FUNC	<unknown>	HIDDEN	2
__GI_initstate_r	.symtab	0x407878	176	FUNC	<unknown>	HIDDEN	2
__GI_ioctl	.symtab	0x408360	148	FUNC	<unknown>	HIDDEN	2
__GI_isatty	.symtab	0x406948	36	FUNC	<unknown>	HIDDEN	2
__GI_kill	.symtab	0x404db0	56	FUNC	<unknown>	HIDDEN	2
__GI_lseek64	.symtab	0x40b4cc	96	FUNC	<unknown>	HIDDEN	2
__GI_memchr	.symtab	0x408e74	204	FUNC	<unknown>	HIDDEN	2
__GI_memcpy	.symtab	0x406180	636	FUNC	<unknown>	HIDDEN	2
__GI_memmove	.symtab	0x408f40	978	FUNC	<unknown>	HIDDEN	2
__GI_mempcpy	.symtab	0x409314	36	FUNC	<unknown>	HIDDEN	2
__GI_memrchr	.symtab	0x409338	204	FUNC	<unknown>	HIDDEN	2
__GI_memset	.symtab	0x406400	124	FUNC	<unknown>	HIDDEN	2
__GI_nanosleep	.symtab	0x4083f4	56	FUNC	<unknown>	HIDDEN	2
__GI_open	.symtab	0x404de8	160	FUNC	<unknown>	HIDDEN	2
__GI_poll	.symtab	0x409fdc	56	FUNC	<unknown>	HIDDEN	2
__GI_raise	.symtab	0x409e40	40	FUNC	<unknown>	HIDDEN	2
__GI_random	.symtab	0x4074cc	100	FUNC	<unknown>	HIDDEN	2
__GI_random_r	.symtab	0x40774c	104	FUNC	<unknown>	HIDDEN	2
__GI_rawmemchr	.symtab	0x40a858	152	FUNC	<unknown>	HIDDEN	2
__GI_read	.symtab	0x404ed4	56	FUNC	<unknown>	HIDDEN	2
__GI_recv	.symtab	0x406e70	40	FUNC	<unknown>	HIDDEN	2
__GI_sbrk	.symtab	0x408144	88	FUNC	<unknown>	HIDDEN	2
__GI_select	.symtab	0x404f0c	52	FUNC	<unknown>	HIDDEN	2
__GI_send	.symtab	0x406e98	40	FUNC	<unknown>	HIDDEN	2
__GI_sendto	.symtab	0x406ec0	48	FUNC	<unknown>	HIDDEN	2
__GI_seteuid	.symtab	0x404f40	108	FUNC	<unknown>	HIDDEN	2
__GI_setresuid	.symtab	0x404fac	56	FUNC	<unknown>	HIDDEN	2
__GI_setreuid	.symtab	0x404fe4	56	FUNC	<unknown>	HIDDEN	2
__GI_setsockopt	.symtab	0x406ef0	44	FUNC	<unknown>	HIDDEN	2
__GI_setstate_r	.symtab	0x407674	216	FUNC	<unknown>	HIDDEN	2
__GI_sigaction	.symtab	0x409e68	160	FUNC	<unknown>	HIDDEN	2
__GI_signal	.symtab	0x406f44	184	FUNC	<unknown>	HIDDEN	2
__GI_sigprocmask	.symtab	0x40842c	84	FUNC	<unknown>	HIDDEN	2
__GI_sleep	.symtab	0x407cdc	376	FUNC	<unknown>	HIDDEN	2
__GI_socket	.symtab	0x406f1c	40	FUNC	<unknown>	HIDDEN	2
__GI_sprintf	.symtab	0x405130	132	FUNC	<unknown>	HIDDEN	2
__GI_srandom_r	.symtab	0x4077b4	196	FUNC	<unknown>	HIDDEN	2
__GI_strcasecmp	.symtab	0x40b62c	64	FUNC	<unknown>	HIDDEN	2
__GI_strcasestr	.symtab	0x4068d8	88	FUNC	<unknown>	HIDDEN	2
__GI_strchr	.symtab	0x40647c	192	FUNC	<unknown>	HIDDEN	2
__GI_strcmp	.symtab	0x40653c	34	FUNC	<unknown>	HIDDEN	2
__GI_strcoll	.symtab	0x40653c	34	FUNC	<unknown>	HIDDEN	2
__GI_strcpy	.symtab	0x40655e	30	FUNC	<unknown>	HIDDEN	2
__GI_strdup	.symtab	0x40a9bc	76	FUNC	<unknown>	HIDDEN	2
__GI_strlen	.symtab	0x40657c	136	FUNC	<unknown>	HIDDEN	2
__GI_strncat	.symtab	0x40a8f0	154	FUNC	<unknown>	HIDDEN	2
__GI_strncpy	.symtab	0x406604	142	FUNC	<unknown>	HIDDEN	2
__GI_strnlen	.symtab	0x406694	132	FUNC	<unknown>	HIDDEN	2
__GI_strpbrk	.symtab	0x40947c	40	FUNC	<unknown>	HIDDEN	2
__GI_strspn	.symtab	0x40a98a	48	FUNC	<unknown>	HIDDEN	2
__GI_strstr	.symtab	0x406718	192	FUNC	<unknown>	HIDDEN	2
__GI_strtok	.symtab	0x406930	24	FUNC	<unknown>	HIDDEN	2
__GI_strtok_r	.symtab	0x409404	120	FUNC	<unknown>	HIDDEN	2
__GI_strtol	.symtab	0x407a30	20	FUNC	<unknown>	HIDDEN	2
__GI_tcgetattr	.symtab	0x40696c	116	FUNC	<unknown>	HIDDEN	2
__GI_time	.symtab	0x405054	56	FUNC	<unknown>	HIDDEN	2
__GI_tolower	.symtab	0x40b52c	40	FUNC	<unknown>	HIDDEN	2
__GI_toupper	.symtab	0x4050f4	40	FUNC	<unknown>	HIDDEN	2
__GI_vfork	.symtab	0x4081a0	54	FUNC	<unknown>	HIDDEN	2
__GI_vsnprintf	.symtab	0x4051b4	168	FUNC	<unknown>	HIDDEN	2
__GI_wait4	.symtab	0x408480	56	FUNC	<unknown>	HIDDEN	2
__GI_waitpid	.symtab	0x40508c	20	FUNC	<unknown>	HIDDEN	2
__GI_wcrtomb	.symtab	0x4084cc	68	FUNC	<unknown>	HIDDEN	2
__GI_wcsnrtombs	.symtab	0x408530	112	FUNC	<unknown>	HIDDEN	2
__GI_wcsrtombs	.symtab	0x408510	32	FUNC	<unknown>	HIDDEN	2
__GI_write	.symtab	0x4050a0	56	FUNC	<unknown>	HIDDEN	2
__JCR_END__	.symtab	0x41f010	0	OBJECT	<unknown>	DEFAULT	8
__JCR_LIST__	.symtab	0x41f010	0	OBJECT	<unknown>	DEFAULT	8
__app_fini	.symtab	0x4256e4	4	OBJECT	<unknown>	HIDDEN	11
__atexit_lock	.symtab	0x41f43c	24	OBJECT	<unknown>	DEFAULT	9
__bsd_signal	.symtab	0x406f44	184	FUNC	<unknown>	HIDDEN	2
__bss_start	.symtab	0x41f48c	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
__check_one_fd	.symtab	0x407ed6	74	FUNC	<unknown>	DEFAULT	2
__ctype_b	.symtab	0x41f120	4	OBJECT	<unknown>	DEFAULT	9
__ctype_tolower	.symtab	0x41f45c	4	OBJECT	<unknown>	DEFAULT	9
__ctype_toupper	.symtab	0x41f128	4	OBJECT	<unknown>	DEFAULT	9
__curbrk	.symtab	0x425714	4	OBJECT	<unknown>	HIDDEN	11
__data_start	.symtab	0x41f014	0	NOTYPE	<unknown>	DEFAULT	9
__decode_answer	.symtab	0x40b140	228	FUNC	<unknown>	HIDDEN	2
__decode_dotted	.symtab	0x40b718	200	FUNC	<unknown>	HIDDEN	2
__decode_header	.symtab	0x40b024	148	FUNC	<unknown>	HIDDEN	2
__deregister_frame_info	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__dns_lookup	.symtab	0x409570	1604	FUNC	<unknown>	HIDDEN	2
__do_global_ctors_aux	.symtab	0x40b940	0	FUNC	<unknown>	DEFAULT	2
__do_global_dtors_aux	.symtab	0x4000e0	0	FUNC	<unknown>	DEFAULT	2
__dso_handle	.symtab	0x41f014	0	OBJECT	<unknown>	HIDDEN	9
__encode_dotted	.symtab	0x40b66c	172	FUNC	<unknown>	HIDDEN	2
__encode_header	.symtab	0x40af64	192	FUNC	<unknown>	HIDDEN	2
__encode_question	.symtab	0x40b0b8	104	FUNC	<unknown>	HIDDEN	2
__environ	.symtab	0x4256dc	4	OBJECT	<unknown>	DEFAULT	11
__errno_location	.symtab	0x40511c	20	FUNC	<unknown>	DEFAULT	2
__errno_location.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__exit_cleanup	.symtab	0x4256d4	4	OBJECT	<unknown>	HIDDEN	11
__fgetc_unlocked	.symtab	0x40b554	216	FUNC	<unknown>	DEFAULT	2
__fini_array_end	.symtab	0x41f000	0	NOTYPE	<unknown>	HIDDEN	SHN_ABS
__fini_array_start	.symtab	0x41f000	0	NOTYPE	<unknown>	HIDDEN	SHN_ABS
__get_hosts_byname_r	.symtab	0x409e0c	52	FUNC	<unknown>	HIDDEN	2
__glibc_strerror_r	.symtab	0x4067d8	32	FUNC	<unknown>	DEFAULT	2
__glibc_strerror_r.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__h_errno_location	.symtab	0x4084b8	20	FUNC	<unknown>	DEFAULT	2
__h_errno_location.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__heap_alloc	.symtab	0x407274	98	FUNC	<unknown>	DEFAULT	2
__heap_free	.symtab	0x407314	176	FUNC	<unknown>	DEFAULT	2
__heap_link_free_area	.symtab	0x4072d8	34	FUNC	<unknown>	DEFAULT	2
__heap_link_free_area_after	.symtab	0x4072fa	26	FUNC	<unknown>	DEFAULT	2
__init_array_end	.symtab	0x41f000	0	NOTYPE	<unknown>	HIDDEN	SHN_ABS
__init_array_start	.symtab	0x41f000	0	NOTYPE	<unknown>	HIDDEN	SHN_ABS
__init_brk	.symtab	0x409f60	68	FUNC	<unknown>	HIDDEN	2
__init_brk.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__length_dotted	.symtab	0x40b7e0	64	FUNC	<unknown>	HIDDEN	2
__length_question	.symtab	0x40b120	32	FUNC	<unknown>	HIDDEN	2
__libc_close	.symtab	0x404d08	56	FUNC	<unknown>	DEFAULT	2
__libc_connect	.symtab	0x406e1c	40	FUNC	<unknown>	DEFAULT	2
__libc_creat	.symtab	0x404e88	24	FUNC	<unknown>	DEFAULT	2
__libc_fcntl	.symtab	0x404b24	172	FUNC	<unknown>	DEFAULT	2
__libc_fcntl64	.symtab	0x404bd0	152	FUNC	<unknown>	DEFAULT	2
__libc_fork	.symtab	0x404d40	56	FUNC	<unknown>	DEFAULT	2
__libc_getpid	.symtab	0x404d78	56	FUNC	<unknown>	DEFAULT	2
__libc_lseek64	.symtab	0x40b4cc	96	FUNC	<unknown>	DEFAULT	2
__libc_nanosleep	.symtab	0x4083f4	56	FUNC	<unknown>	DEFAULT	2
__libc_open	.symtab	0x404de8	160	FUNC	<unknown>	DEFAULT	2
__libc_poll	.symtab	0x409fdc	56	FUNC	<unknown>	DEFAULT	2
__libc_read	.symtab	0x404ed4	56	FUNC	<unknown>	DEFAULT	2
__libc_recv	.symtab	0x406e70	40	FUNC	<unknown>	DEFAULT	2
__libc_select	.symtab	0x404f0c	52	FUNC	<unknown>	DEFAULT	2
__libc_send	.symtab	0x406e98	40	FUNC	<unknown>	DEFAULT	2
__libc_sendto	.symtab	0x406ec0	48	FUNC	<unknown>	DEFAULT	2
__libc_sigaction	.symtab	0x409e68	160	FUNC	<unknown>	DEFAULT	2
__libc_stack_end	.symtab	0x4256d8	4	OBJECT	<unknown>	DEFAULT	11
__libc_system	.symtab	0x407928	240	FUNC	<unknown>	DEFAULT	2
__libc_waitpid	.symtab	0x40508c	20	FUNC	<unknown>	DEFAULT	2
__libc_write	.symtab	0x4050a0	56	FUNC	<unknown>	DEFAULT	2
__malloc_heap	.symtab	0x41f268	4	OBJECT	<unknown>	DEFAULT	9
__malloc_heap_lock	.symtab	0x4256b8	24	OBJECT	<unknown>	DEFAULT	11
__malloc_sbrk_lock	.symtab	0x4257a4	24	OBJECT	<unknown>	DEFAULT	11
__nameserver	.symtab	0x4257cc	12	OBJECT	<unknown>	HIDDEN	11
__nameservers	.symtab	0x4257d8	4	OBJECT	<unknown>	HIDDEN	11
__open_etc_hosts	.symtab	0x40b224	68	FUNC	<unknown>	HIDDEN	2
__open_nameservers	.symtab	0x409bb4	600	FUNC	<unknown>	HIDDEN	2
__pagesize	.symtab	0x4256e0	4	OBJECT	<unknown>	DEFAULT	11
__preinit_array_end	.symtab	0x41f000	0	NOTYPE	<unknown>	HIDDEN	SHN_ABS
__preinit_array_start	.symtab	0x41f000	0	NOTYPE	<unknown>	HIDDEN	SHN_ABS
__pthread_initialize_minimal	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__pthread_mutex_init	.symtab	0x407ebc	14	FUNC	<unknown>	DEFAULT	2
__pthread_mutex_lock	.symtab	0x407ebc	14	FUNC	<unknown>	DEFAULT	2
__pthread_mutex_trylock	.symtab	0x407ebc	14	FUNC	<unknown>	DEFAULT	2
__pthread_mutex_unlock	.symtab	0x407ebc	14	FUNC	<unknown>	DEFAULT	2
__pthread_return_0	.symtab	0x407ebc	14	FUNC	<unknown>	DEFAULT	2
__pthread_return_void	.symtab	0x407eca	12	FUNC	<unknown>	DEFAULT	2
__raise	.symtab	0x409e40	40	FUNC	<unknown>	HIDDEN	2
__read_etc_hosts_r	.symtab	0x40b268	612	FUNC	<unknown>	HIDDEN	2
__register_frame_info	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__resolv_lock	.symtab	0x41f464	24	OBJECT	<unknown>	DEFAULT	9
__rtld_fini	.symtab	0x4256e8	4	OBJECT	<unknown>	HIDDEN	11
__sdivsi3_i4	.symtab	0x40b918	14	FUNC	<unknown>	HIDDEN	2
__searchdomain	.symtab	0x4257bc	16	OBJECT	<unknown>	HIDDEN	11
__searchdomains	.symtab	0x4257dc	4	OBJECT	<unknown>	HIDDEN	11
__sigaddset	.symtab	0x407028	40	FUNC	<unknown>	DEFAULT	2
__sigdelset	.symtab	0x407050	42	FUNC	<unknown>	DEFAULT	2
__sigismember	.symtab	0x406ffc	44	FUNC	<unknown>	DEFAULT	2
__socketcall	.symtab	0x408210	56	FUNC	<unknown>	HIDDEN	2
__socketcall.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__stdin	.symtab	0x41f138	4	OBJECT	<unknown>	DEFAULT	9
__stdio_READ	.symtab	0x40b820	80	FUNC	<unknown>	HIDDEN	2
__stdio_WRITE	.symtab	0x4085a0	148	FUNC	<unknown>	HIDDEN	2
__stdio_adjust_position	.symtab	0x40a240	180	FUNC	<unknown>	HIDDEN	2
__stdio_fwrite	.symtab	0x408634	264	FUNC	<unknown>	HIDDEN	2
__stdio_init_mutex	.symtab	0x4052c8	28	FUNC	<unknown>	HIDDEN	2
__stdio_mutex_initializer.3812	.symtab	0x40dccc	24	OBJECT	<unknown>	DEFAULT	4
__stdio_rfill	.symtab	0x40b870	48	FUNC	<unknown>	HIDDEN	2
__stdio_seek	.symtab	0x40a50c	52	FUNC	<unknown>	HIDDEN	2
__stdio_trans2r_o	.symtab	0x40b8a0	120	FUNC	<unknown>	HIDDEN	2
__stdio_trans2w_o	.symtab	0x40873c	176	FUNC	<unknown>	HIDDEN	2
__stdio_wcommit	.symtab	0x405378	52	FUNC	<unknown>	HIDDEN	2
__stdout	.symtab	0x41f13c	4	OBJECT	<unknown>	DEFAULT	9
__syscall_error	.symtab	0x4081e0	0	NOTYPE	<unknown>	DEFAULT	2
__syscall_fcntl.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__syscall_fcntl64.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__syscall_rt_sigaction	.symtab	0x409fa4	56	FUNC	<unknown>	HIDDEN	2
__syscall_rt_sigaction.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__uClibc_fini	.symtab	0x407e54	104	FUNC	<unknown>	DEFAULT	2
__uClibc_init	.symtab	0x407f20	80	FUNC	<unknown>	DEFAULT	2
__uClibc_main	.symtab	0x407f70	468	FUNC	<unknown>	DEFAULT	2
__uClibc_main.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__uclibc_progname	.symtab	0x41f454	4	OBJECT	<unknown>	HIDDEN	9
__udivsi3_i4	.symtab	0x404af4	48	FUNC	<unknown>	HIDDEN	2
__vfork	.symtab	0x4081a0	54	FUNC	<unknown>	HIDDEN	2
__xpg_strerror_r	.symtab	0x4067f8	200	FUNC	<unknown>	DEFAULT	2
__xpg_strerror_r.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_adjust_pos.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_brk	.symtab	0x409f28	56	FUNC	<unknown>	HIDDEN	2
_charpad	.symtab	0x4053ac	80	FUNC	<unknown>	DEFAULT	2
_cs_funcs.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_dl_aux_init	.symtab	0x409f08	32	FUNC	<unknown>	DEFAULT	2
_dl_phdr	.symtab	0x4257e0	4	OBJECT	<unknown>	DEFAULT	11
_dl_phnum	.symtab	0x4257e4	4	OBJECT	<unknown>	DEFAULT	11
_edata	.symtab	0x41f48c	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
_end	.symtab	0x4257e8	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
_errno	.symtab	0x4256f0	4	OBJECT	<unknown>	DEFAULT	11
_exit	.symtab	0x404c68	48	FUNC	<unknown>	DEFAULT	2
_exit.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_fini	.symtab	0x40b980	12	FUNC	<unknown>	HIDDEN	3
_fixed_buffers	.symtab	0x4234c4	8192	OBJECT	<unknown>	DEFAULT	11
_fopen.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_fp_out_narrow	.symtab	0x4053fc	124	FUNC	<unknown>	DEFAULT	2
_fpmaxtostr	.symtab	0x408984	1264	FUNC	<unknown>	HIDDEN	2
_fpmaxtostr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_fwrite.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_h_errno	.symtab	0x4256f4	4	OBJECT	<unknown>	DEFAULT	11
_init	.symtab	0x400094	12	FUNC	<unknown>	HIDDEN	1
_load_inttype	.symtab	0x4087ec	92	FUNC	<unknown>	HIDDEN	2
_load_inttype.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_ppfs_init	.symtab	0x4059bc	120	FUNC	<unknown>	HIDDEN	2
_ppfs_init.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_ppfs_parsespec	.symtab	0x405c88	902	FUNC	<unknown>	HIDDEN	2
_ppfs_parsespec.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_ppfs_prepargs	.symtab	0x405a34	72	FUNC	<unknown>	HIDDEN	2
_ppfs_prepargs.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_ppfs_setargs	.symtab	0x405a7c	464	FUNC	<unknown>	HIDDEN	2
_ppfs_setargs.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_promoted_size	.symtab	0x405c4c	60	FUNC	<unknown>	DEFAULT	2
_pthread_cleanup_pop_restore	.symtab	0x407eca	12	FUNC	<unknown>	DEFAULT	2
_pthread_cleanup_push_defer	.symtab	0x407eca	12	FUNC	<unknown>	DEFAULT	2
_rfill.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_sigintr	.symtab	0x425724	128	OBJECT	<unknown>	HIDDEN	11
_start	.symtab	0x4001a0	30	FUNC	<unknown>	DEFAULT	2
_stdio.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_stdio_fopen	.symtab	0x40a2f4	536	FUNC	<unknown>	HIDDEN	2
_stdio_init	.symtab	0x40525c	108	FUNC	<unknown>	HIDDEN	2
_stdio_openlist	.symtab	0x41f140	4	OBJECT	<unknown>	DEFAULT	9
_stdio_openlist_add_lock	.symtab	0x41f144	24	OBJECT	<unknown>	DEFAULT	9
_stdio_openlist_dec_use	.symtab	0x40a5b8	224	FUNC	<unknown>	DEFAULT	2
_stdio_openlist_del_count	.symtab	0x4234c0	4	OBJECT	<unknown>	DEFAULT	11
_stdio_openlist_del_lock	.symtab	0x41f15c	24	OBJECT	<unknown>	DEFAULT	9
_stdio_openlist_use_count	.symtab	0x4234bc	4	OBJECT	<unknown>	DEFAULT	11
_stdio_streams	.symtab	0x41f178	240	OBJECT	<unknown>	DEFAULT	9
_stdio_term	.symtab	0x4052e4	148	FUNC	<unknown>	HIDDEN	2
_stdio_user_locking	.symtab	0x41f174	4	OBJECT	<unknown>	DEFAULT	9
_stdlib_strto_l	.symtab	0x407a44	324	FUNC	<unknown>	HIDDEN	2
_stdlib_strto_l.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_store_inttype	.symtab	0x408848	56	FUNC	<unknown>	HIDDEN	2
_store_inttype.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_string_syserrmsgs	.symtab	0x40dd9c	2906	OBJECT	<unknown>	HIDDEN	4
_string_syserrmsgs.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_trans2r.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_trans2w.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_uintmaxtostr	.symtab	0x408880	260	FUNC	<unknown>	HIDDEN	2
_uintmaxtostr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_vfprintf_internal	.symtab	0x405478	1348	FUNC	<unknown>	HIDDEN	2
_vfprintf_internal.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_wcommit.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
abort	.symtab	0x4073c4	244	FUNC	<unknown>	DEFAULT	2
abort.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
access	.symtab	0x404c98	56	FUNC	<unknown>	DEFAULT	2
access.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
advance_telstate	.symtab	0x4006c8	120	FUNC	<unknown>	DEFAULT	2
atoi	.symtab	0x407a18	24	FUNC	<unknown>	DEFAULT	2
atol	.symtab	0x407a18	24	FUNC	<unknown>	DEFAULT	2
atol.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
bcopy	.symtab	0x4068c0	24	FUNC	<unknown>	DEFAULT	2
bcopy.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
been_there_done_that	.symtab	0x4256d0	4	OBJECT	<unknown>	DEFAULT	11
been_there_done_that.2753	.symtab	0x4256ec	4	OBJECT	<unknown>	DEFAULT	11
bsd_signal	.symtab	0x406f44	184	FUNC	<unknown>	DEFAULT	2
buf.2577	.symtab	0x4254c8	16	OBJECT	<unknown>	DEFAULT	11
buf.4814	.symtab	0x4254d8	460	OBJECT	<unknown>	DEFAULT	11
c	.symtab	0x41f114	4	OBJECT	<unknown>	DEFAULT	9
chdir	.symtab	0x404cd0	56	FUNC	<unknown>	DEFAULT	2
chdir.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
close	.symtab	0x404d08	56	FUNC	<unknown>	DEFAULT	2
close.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
commServer	.symtab	0x41f020	4	OBJECT	<unknown>	DEFAULT	9
completed.2217	.symtab	0x41f48c	1	OBJECT	<unknown>	DEFAULT	11
connect	.symtab	0x406e1c	40	FUNC	<unknown>	DEFAULT	2
connect.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
connectTimeout	.symtab	0x4018e4	772	FUNC	<unknown>	DEFAULT	2
contains_string	.symtab	0x4003ac	196	FUNC	<unknown>	DEFAULT	2
creat	.symtab	0x404e88	24	FUNC	<unknown>	DEFAULT	2
crti.S	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
crtn.S	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
crtstuff.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
crtstuff.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
csum	.symtab	0x40205c	232	FUNC	<unknown>	DEFAULT	2
currentServer	.symtab	0x41f110	4	OBJECT	<unknown>	DEFAULT	9
data_start	.symtab	0x41f01c	0	NOTYPE	<unknown>	DEFAULT	9
decodea.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
decoded.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
decodeh.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
dl-support.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
dnslookup.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
encoded.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
encodeh.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
encodeq.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
environ	.symtab	0x4256dc	4	OBJECT	<unknown>	DEFAULT	11
errno	.symtab	0x4256f0	4	OBJECT	<unknown>	DEFAULT	11
errno.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
execl	.symtab	0x407bf8	228	FUNC	<unknown>	DEFAULT	2
execl.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
execve	.symtab	0x408248	56	FUNC	<unknown>	DEFAULT	2
execve.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
exit	.symtab	0x407b88	112	FUNC	<unknown>	DEFAULT	2
exit.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
exp10_table	.symtab	0x40ec50	72	OBJECT	<unknown>	DEFAULT	4
fclose	.symtab	0x40a014	272	FUNC	<unknown>	DEFAULT	2
fclose.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fcntl	.symtab	0x404b24	172	FUNC	<unknown>	DEFAULT	2
fcntl64	.symtab	0x404bd0	152	FUNC	<unknown>	DEFAULT	2
fflush_unlocked	.symtab	0x40a698	320	FUNC	<unknown>	DEFAULT	2
fflush_unlocked.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fgetc_unlocked	.symtab	0x40b554	216	FUNC	<unknown>	DEFAULT	2
fgetc_unlocked.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fgets	.symtab	0x40a540	120	FUNC	<unknown>	DEFAULT	2
fgets.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fgets_unlocked	.symtab	0x40a7d8	128	FUNC	<unknown>	DEFAULT	2
fgets_unlocked.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fmt	.symtab	0x40ec3c	20	OBJECT	<unknown>	DEFAULT	4
fopen	.symtab	0x40a124	24	FUNC	<unknown>	DEFAULT	2
fopen.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fork	.symtab	0x404d40	56	FUNC	<unknown>	DEFAULT	2
fork.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fputs_unlocked	.symtab	0x406010	68	FUNC	<unknown>	DEFAULT	2
fputs_unlocked.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
frame_dummy	.symtab	0x400140	0	FUNC	<unknown>	DEFAULT	2
free	.symtab	0x407184	240	FUNC	<unknown>	DEFAULT	2
free.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fseek	.symtab	0x40a13c	28	FUNC	<unknown>	DEFAULT	2
fseeko	.symtab	0x40a13c	28	FUNC	<unknown>	DEFAULT	2
fseeko.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fseeko64	.symtab	0x40a158	232	FUNC	<unknown>	DEFAULT	2
fseeko64.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fwrite_unlocked	.symtab	0x406054	156	FUNC	<unknown>	DEFAULT	2
fwrite_unlocked.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getBuild	.symtab	0x4001d4	20	FUNC	<unknown>	DEFAULT	2
getEndianness	.symtab	0x404258	200	FUNC	<unknown>	DEFAULT	2
getHost	.symtab	0x40148c	84	FUNC	<unknown>	DEFAULT	2
getRandomIP	.symtab	0x402000	92	FUNC	<unknown>	DEFAULT	2
get_hosts_byname_r.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
get_telstate_host	.symtab	0x400688	64	FUNC	<unknown>	DEFAULT	2
getc_unlocked	.symtab	0x40b554	216	FUNC	<unknown>	DEFAULT	2
getegid	.symtab	0x408280	56	FUNC	<unknown>	DEFAULT	2
getegid.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
geteuid	.symtab	0x4082b8	56	FUNC	<unknown>	DEFAULT	2
geteuid.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getgid	.symtab	0x4082f0	56	FUNC	<unknown>	DEFAULT	2
getgid.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
gethostbyname	.symtab	0x406b28	72	FUNC	<unknown>	DEFAULT	2
gethostbyname.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
gethostbyname_r	.symtab	0x406b70	684	FUNC	<unknown>	DEFAULT	2
gethostbyname_r.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getpid	.symtab	0x404d78	56	FUNC	<unknown>	DEFAULT	2
getpid.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getsockopt	.symtab	0x406e44	44	FUNC	<unknown>	DEFAULT	2
getsockopt.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getuid	.symtab	0x408328	56	FUNC	<unknown>	DEFAULT	2
getuid.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
h.4813	.symtab	0x4256a4	20	OBJECT	<unknown>	DEFAULT	11
h_errno	.symtab	0x4256f4	4	OBJECT	<unknown>	DEFAULT	11
heap_alloc.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
heap_free.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
htonl	.symtab	0x406a26	46	FUNC	<unknown>	DEFAULT	2
htons	.symtab	0x406a54	22	FUNC	<unknown>	DEFAULT	2
i.4224	.symtab	0x41f118	4	OBJECT	<unknown>	DEFAULT	9
index	.symtab	0x40647c	192	FUNC	<unknown>	DEFAULT	2
inet_addr	.symtab	0x406afc	44	FUNC	<unknown>	DEFAULT	2
inet_aton	.symtab	0x4094a4	204	FUNC	<unknown>	DEFAULT	2
inet_aton.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
inet_makeaddr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
inet_ntoa	.symtab	0x406ae4	24	FUNC	<unknown>	DEFAULT	2
inet_ntoa.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
inet_ntoa_r	.symtab	0x406a6c	120	FUNC	<unknown>	DEFAULT	2
inet_ntop	.symtab	0x40ad78	492	FUNC	<unknown>	DEFAULT	2
inet_ntop4	.symtab	0x40ac3c	316	FUNC	<unknown>	DEFAULT	2
inet_pton	.symtab	0x40aaa4	408	FUNC	<unknown>	DEFAULT	2
inet_pton4	.symtab	0x40aa08	156	FUNC	<unknown>	DEFAULT	2
initConnection	.symtab	0x403f94	340	FUNC	<unknown>	DEFAULT	2
init_rand	.symtab	0x4001e8	180	FUNC	<unknown>	DEFAULT	2
initial_fa	.symtab	0x41f26c	260	OBJECT	<unknown>	DEFAULT	9
initstate	.symtab	0x40759c	120	FUNC	<unknown>	DEFAULT	2
initstate_r	.symtab	0x407878	176	FUNC	<unknown>	DEFAULT	2
ioctl	.symtab	0x408360	148	FUNC	<unknown>	DEFAULT	2
ioctl.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
isatty	.symtab	0x406948	36	FUNC	<unknown>	DEFAULT	2
isatty.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
isspace	.symtab	0x4050d8	28	FUNC	<unknown>	DEFAULT	2
isspace.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
kill	.symtab	0x404db0	56	FUNC	<unknown>	DEFAULT	2
kill.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
lengthd.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
lengthq.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
libc/string/sh/sh4/memcpy.S	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
libc/sysdeps/linux/sh/crt1.S	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
libc/sysdeps/linux/sh/crti.S	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
libc/sysdeps/linux/sh/crtn.S	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
libc/sysdeps/linux/sh/vfork.S	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
listFork	.symtab	0x401be8	308	FUNC	<unknown>	DEFAULT	2
llseek.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
lseek64	.symtab	0x40b4cc	96	FUNC	<unknown>	DEFAULT	2
macAddress	.symtab	0x41f4b4	6	OBJECT	<unknown>	DEFAULT	11
main	.symtab	0x404320	2004	FUNC	<unknown>	DEFAULT	2
mainCommSock	.symtab	0x41f4a8	4	OBJECT	<unknown>	DEFAULT	11
makeIPPacket	.symtab	0x402258	224	FUNC	<unknown>	DEFAULT	2
makeRandomStr	.symtab	0x4014e0	156	FUNC	<unknown>	DEFAULT	2
malloc	.symtab	0x40707c	264	FUNC	<unknown>	DEFAULT	2
malloc.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
matchPrompt	.symtab	0x401e98	360	FUNC	<unknown>	DEFAULT	2
memchr	.symtab	0x408e74	204	FUNC	<unknown>	DEFAULT	2
memchr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
memcpy	.symtab	0x406180	636	FUNC	<unknown>	DEFAULT	2
memmove	.symtab	0x408f40	978	FUNC	<unknown>	DEFAULT	2
memmove.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
mempcpy	.symtab	0x409314	36	FUNC	<unknown>	DEFAULT	2
mempcpy.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
memrchr	.symtab	0x409338	204	FUNC	<unknown>	DEFAULT	2
memrchr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
memset	.symtab	0x406400	124	FUNC	<unknown>	DEFAULT	2
memset.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
mylock	.symtab	0x41f370	24	OBJECT	<unknown>	DEFAULT	9
mylock	.symtab	0x41f388	24	OBJECT	<unknown>	DEFAULT	9
mylock	.symtab	0x4256f8	24	OBJECT	<unknown>	DEFAULT	11
nanosleep	.symtab	0x4083f4	56	FUNC	<unknown>	DEFAULT	2
nanosleep.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
negotiate	.symtab	0x401d1c	380	FUNC	<unknown>	DEFAULT	2
next_start.1030	.symtab	0x4254c4	4	OBJECT	<unknown>	DEFAULT	11
ntohl	.symtab	0x4069e0	48	FUNC	<unknown>	DEFAULT	2
ntohl.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
ntohs	.symtab	0x406a10	22	FUNC	<unknown>	DEFAULT	2
ntop.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
numpids	.symtab	0x41f4ac	8	OBJECT	<unknown>	DEFAULT	11
object.2270	.symtab	0x41f490	24	OBJECT	<unknown>	DEFAULT	11
open	.symtab	0x404de8	160	FUNC	<unknown>	DEFAULT	2
open.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
opennameservers.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
ourIP	.symtab	0x425718	4	OBJECT	<unknown>	DEFAULT	11
p.2215	.symtab	0x41f018	0	OBJECT	<unknown>	DEFAULT	9
pids	.symtab	0x425720	4	OBJECT	<unknown>	DEFAULT	11
poll	.symtab	0x409fdc	56	FUNC	<unknown>	DEFAULT	2
poll.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
prctl	.symtab	0x404ea0	52	FUNC	<unknown>	DEFAULT	2
prctl.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
prefix.4023	.symtab	0x40dcf4	12	OBJECT	<unknown>	DEFAULT	4
print	.symtab	0x400c08	1072	FUNC	<unknown>	DEFAULT	2
printchar	.symtab	0x4008b0	104	FUNC	<unknown>	DEFAULT	2
printi	.symtab	0x400a70	408	FUNC	<unknown>	DEFAULT	2
prints	.symtab	0x400918	344	FUNC	<unknown>	DEFAULT	2
processCmd	.symtab	0x403560	2612	FUNC	<unknown>	DEFAULT	2
qual_chars.4029	.symtab	0x40dd08	20	OBJECT	<unknown>	DEFAULT	4
raise	.symtab	0x409e40	40	FUNC	<unknown>	DEFAULT	2
raise.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
rand	.symtab	0x4074b8	20	FUNC	<unknown>	DEFAULT	2
rand.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
rand_cmwc	.symtab	0x40029c	272	FUNC	<unknown>	DEFAULT	2
random	.symtab	0x4074cc	100	FUNC	<unknown>	DEFAULT	2
random.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
random_poly_info	.symtab	0x40e8f8	40	OBJECT	<unknown>	DEFAULT	4
random_r	.symtab	0x40774c	104	FUNC	<unknown>	DEFAULT	2
random_r.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
randtbl	.symtab	0x41f3bc	128	OBJECT	<unknown>	DEFAULT	9
rawmemchr	.symtab	0x40a858	152	FUNC	<unknown>	DEFAULT	2
rawmemchr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
read	.symtab	0x404ed4	56	FUNC	<unknown>	DEFAULT	2
read.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
read_etc_hosts_r.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
read_until_response	.symtab	0x4005e8	160	FUNC	<unknown>	DEFAULT	2
read_with_timeout	.symtab	0x400470	376	FUNC	<unknown>	DEFAULT	2
recv	.symtab	0x406e70	40	FUNC	<unknown>	DEFAULT	2
recv.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
recvLine	.symtab	0x40157c	872	FUNC	<unknown>	DEFAULT	2
reset_telstate	.symtab	0x400740	60	FUNC	<unknown>	DEFAULT	2
sbrk	.symtab	0x408144	88	FUNC	<unknown>	DEFAULT	2
sbrk.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
scanPid	.symtab	0x42571c	4	OBJECT	<unknown>	DEFAULT	11
sclose	.symtab	0x402338	72	FUNC	<unknown>	DEFAULT	2
select	.symtab	0x404f0c	52	FUNC	<unknown>	DEFAULT	2
select.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
send	.symtab	0x406e98	40	FUNC	<unknown>	DEFAULT	2
send.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
sendto	.symtab	0x406ec0	48	FUNC	<unknown>	DEFAULT	2
sendto.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
seteuid	.symtab	0x404f40	108	FUNC	<unknown>	DEFAULT	2
seteuid.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
setresuid	.symtab	0x404fac	56	FUNC	<unknown>	DEFAULT	2
setresuid.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
setreuid	.symtab	0x404fe4	56	FUNC	<unknown>	DEFAULT	2
setreuid.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
setsockopt	.symtab	0x406ef0	44	FUNC	<unknown>	DEFAULT	2
setsockopt.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
setstate	.symtab	0x407530	108	FUNC	<unknown>	DEFAULT	2
setstate_r	.symtab	0x407674	216	FUNC	<unknown>	DEFAULT	2
setuid	.symtab	0x40501c	56	FUNC	<unknown>	DEFAULT	2
setuid.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
sigaction	.symtab	0x409e68	160	FUNC	<unknown>	DEFAULT	2
sigaction.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
signal	.symtab	0x406f44	184	FUNC	<unknown>	DEFAULT	2
signal.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
sigprocmask	.symtab	0x40842c	84	FUNC	<unknown>	DEFAULT	2
sigprocmask.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
sigsetops.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
sleep	.symtab	0x407cdc	376	FUNC	<unknown>	DEFAULT	2
sleep.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
socket	.symtab	0x406f1c	40	FUNC	<unknown>	DEFAULT	2
socket.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
socket_connect	.symtab	0x403234	288	FUNC	<unknown>	DEFAULT	2
sockprintf	.symtab	0x4011a8	388	FUNC	<unknown>	DEFAULT	2
spec_and_mask.4028	.symtab	0x40dd1c	16	OBJECT	<unknown>	DEFAULT	4
spec_base.4022	.symtab	0x40dd00	7	OBJECT	<unknown>	DEFAULT	4
spec_chars.4025	.symtab	0x40dd48	21	OBJECT	<unknown>	DEFAULT	4
spec_flags.4024	.symtab	0x40dd60	8	OBJECT	<unknown>	DEFAULT	4
spec_or_mask.4027	.symtab	0x40dd2c	16	OBJECT	<unknown>	DEFAULT	4
spec_ranges.4026	.symtab	0x40dd3c	9	OBJECT	<unknown>	DEFAULT	4
sprintf	.symtab	0x405130	132	FUNC	<unknown>	DEFAULT	2
sprintf.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
srand	.symtab	0x407614	96	FUNC	<unknown>	DEFAULT	2
srandom	.symtab	0x407614	96	FUNC	<unknown>	DEFAULT	2
srandom_r	.symtab	0x4077b4	196	FUNC	<unknown>	DEFAULT	2
static_id	.symtab	0x41f460	2	OBJECT	<unknown>	DEFAULT	9
static_ns	.symtab	0x425710	4	OBJECT	<unknown>	DEFAULT	11
stderr	.symtab	0x41f134	4	OBJECT	<unknown>	DEFAULT	9
stdin	.symtab	0x41f12c	4	OBJECT	<unknown>	DEFAULT	9
stdout	.symtab	0x41f130	4	OBJECT	<unknown>	DEFAULT	9
strcasecmp	.symtab	0x40b62c	64	FUNC	<unknown>	DEFAULT	2
strcasecmp.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strcasestr	.symtab	0x4068d8	88	FUNC	<unknown>	DEFAULT	2
strcasestr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strchr	.symtab	0x40647c	192	FUNC	<unknown>	DEFAULT	2
strchr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strcmp	.symtab	0x40653c	34	FUNC	<unknown>	DEFAULT	2
strcmp.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strcoll	.symtab	0x40653c	34	FUNC	<unknown>	DEFAULT	2
strcpy	.symtab	0x40655e	30	FUNC	<unknown>	DEFAULT	2
strcpy.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strdup	.symtab	0x40a9bc	76	FUNC	<unknown>	DEFAULT	2
strdup.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strerror_r	.symtab	0x4067f8	200	FUNC	<unknown>	DEFAULT	2
strlen	.symtab	0x40657c	136	FUNC	<unknown>	DEFAULT	2
strlen.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strncat	.symtab	0x40a8f0	154	FUNC	<unknown>	DEFAULT	2
strncat.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strncpy	.symtab	0x406604	142	FUNC	<unknown>	DEFAULT	2
strncpy.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strnlen	.symtab	0x406694	132	FUNC	<unknown>	DEFAULT	2
strnlen.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strpbrk	.symtab	0x40947c	40	FUNC	<unknown>	DEFAULT	2
strpbrk.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strspn	.symtab	0x40a98a	48	FUNC	<unknown>	DEFAULT	2
strspn.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strstr	.symtab	0x406718	192	FUNC	<unknown>	DEFAULT	2
strstr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strtok	.symtab	0x406930	24	FUNC	<unknown>	DEFAULT	2
strtok.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strtok_r	.symtab	0x409404	120	FUNC	<unknown>	DEFAULT	2
strtok_r.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strtol	.symtab	0x407a30	20	FUNC	<unknown>	DEFAULT	2
strtol.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
system	.symtab	0x407928	240	FUNC	<unknown>	DEFAULT	2
system.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
szprintf	.symtab	0x4010ec	188	FUNC	<unknown>	DEFAULT	2
tcgetattr	.symtab	0x40696c	116	FUNC	<unknown>	DEFAULT	2
tcgetattr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
tcpcsum	.symtab	0x402144	276	FUNC	<unknown>	DEFAULT	2
time	.symtab	0x405054	56	FUNC	<unknown>	DEFAULT	2
time.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
tolower	.symtab	0x40b52c	40	FUNC	<unknown>	DEFAULT	2
tolower.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
toupper	.symtab	0x4050f4	40	FUNC	<unknown>	DEFAULT	2
toupper.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
trim	.symtab	0x40077c	308	FUNC	<unknown>	DEFAULT	2
trivial	.symtab	0x404b18	0	NOTYPE	<unknown>	DEFAULT	2
type_codes	.symtab	0x40dd68	24	OBJECT	<unknown>	DEFAULT	4
type_sizes	.symtab	0x40dd80	12	OBJECT	<unknown>	DEFAULT	4
unknown.1072	.symtab	0x40dd8c	14	OBJECT	<unknown>	DEFAULT	4
unsafe_state	.symtab	0x41f3a0	28	OBJECT	<unknown>	DEFAULT	9
useragents	.symtab	0x41f024	236	OBJECT	<unknown>	DEFAULT	9
vfork	.symtab	0x4081a0	54	FUNC	<unknown>	DEFAULT	2
vsnprintf	.symtab	0x4051b4	168	FUNC	<unknown>	DEFAULT	2
vsnprintf.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
wait4	.symtab	0x408480	56	FUNC	<unknown>	DEFAULT	2
wait4.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
waitpid	.symtab	0x40508c	20	FUNC	<unknown>	DEFAULT	2
waitpid.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
wcrtomb	.symtab	0x4084cc	68	FUNC	<unknown>	DEFAULT	2
wcrtomb.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
wcsnrtombs	.symtab	0x408530	112	FUNC	<unknown>	DEFAULT	2
wcsnrtombs.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
wcsrtombs	.symtab	0x408510	32	FUNC	<unknown>	DEFAULT	2
wcsrtombs.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
wildString	.symtab	0x40132c	352	FUNC	<unknown>	DEFAULT	2
write	.symtab	0x4050a0	56	FUNC	<unknown>	DEFAULT	2
write.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
xdigits.3026	.symtab	0x40ecfc	17	OBJECT	<unknown>	DEFAULT	4
zprintf	.symtab	0x401038	180	FUNC	<unknown>	DEFAULT	2

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 5, 2024 08:06:55.991374969 CEST	44506	6963	192.168.2.14	93.123.85.246
Jul 5, 2024 08:06:55.996201992 CEST	6963	44506	93.123.85.246	192.168.2.14
Jul 5, 2024 08:06:55.996258020 CEST	44506	6963	192.168.2.14	93.123.85.246
Jul 5, 2024 08:06:56.274566889 CEST	44506	6963	192.168.2.14	93.123.85.246
Jul 5, 2024 08:06:56.279495001 CEST	6963	44506	93.123.85.246	192.168.2.14

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 5, 2024 08:09:41.379447937 CEST	36395	53	192.168.2.14	8.8.8.8
Jul 5, 2024 08:09:41.379447937 CEST	36395	53	192.168.2.14	8.8.8.8
Jul 5, 2024 08:09:41.385979891 CEST	53	36395	8.8.8.8	192.168.2.14
Jul 5, 2024 08:09:41.386009932 CEST	53	36395	8.8.8.8	192.168.2.14

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 5, 2024 08:09:41.379447937 CEST	192.168.2.14	8.8.8.8	0x5551	Standard query (0)	daisy.ubuntu.com	A (IP address)	IN (0x0001)	false
Jul 5, 2024 08:09:41.379447937 CEST	192.168.2.14	8.8.8.8	0xca34	Standard query (0)	daisy.ubuntu.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 5, 2024 08:09:41.385979891 CEST	8.8.8.8	192.168.2.14	0x5551	No error (0)	daisy.ubuntu.com		162.213.35.24	A (IP address)	IN (0x0001)	false
Jul 5, 2024 08:09:41.385979891 CEST	8.8.8.8	192.168.2.14	0x5551	No error (0)	daisy.ubuntu.com		162.213.35.25	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: Okami.sh4.elf PID: 5490, Parent PID: 5414

General

Start time (UTC):	06:06:54
Start date (UTC):	05/07/2024
Path:	/tmp/Okami.sh4.elf
Arguments:	/tmp/Okami.sh4.elf
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: Okami.sh4.elf PID: 5492, Parent PID: 5490

General

Start time (UTC):	06:06:55
Start date (UTC):	05/07/2024
Path:	/tmp/Okami.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: Okami.sh4.elf PID: 5494, Parent PID: 5492

General

Start time (UTC):	06:06:55
Start date (UTC):	05/07/2024
Path:	/tmp/Okami.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: Okami.sh4.elf PID: 5498, Parent PID: 5494

General

Start time (UTC):	06:06:55
Start date (UTC):	05/07/2024
Path:	/tmp/Okami.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report Okami.sh4.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Snort Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/run/systemd/resolve/stub-resolv.conf

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Symbols

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: Okami.sh4.elf PID: 5490, Parent PID: 5414

General

Chronological Activities

Analysis Process: Okami.sh4.elf PID: 5492, Parent PID: 5490

General

Chronological Activities

Analysis Process: Okami.sh4.elf PID: 5494, Parent PID: 5492

General

Chronological Activities

Analysis Process: Okami.sh4.elf PID: 5498, Parent PID: 5494

General

Chronological Activities

Linux Analysis Report
Okami.sh4.elf