Edit tour

Linux Analysis Report
e.dat.elf

Overview

General Information

Sample name:	e.dat.elf
Analysis ID:	1548703
MD5:	64cc86931bab241dcc08db03e659bcc5
SHA1:	8ce3f9f92c6533d14ae2c8749936b4c59fcb95c5
SHA256:	6ef9a0b6301d737763f6c59ae6d5b3be4cf38941a69517be0f069d0a35f394dd
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Contains symbols related to standard C library sleeps (sometimes used to evade sandboxing)

Executes commands using a shell command-line interpreter

Executes the "touch" command used to create files or modify time stamps

Sample has stripped symbol table

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1548703
Start date and time:	2024-11-04 19:02:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	e.dat.elf
Detection:	MAL
Classification:	mal48.linELF@0/0@0/0
Cookbook Comments:	Analysis time extended to 480s due to sleep detection in submitted sample

Warnings

VT rate limit hit for: e.dat.elf

Runtime Messages

Command:	/tmp/e.dat.elf
PID:	6220
Exit Code:	139
Exit Code Info:	SIGSEGV (11) Segmentation fault invalid memory reference
Killed:	False
Standard Output:
Standard Error:

Process Tree

system is lnxubuntu20

e.dat.elf (PID: 6220, Parent: 6139, MD5: 64cc86931bab241dcc08db03e659bcc5) Arguments: /tmp/e.dat.elf

e.dat.elf New Fork (PID: 6221, Parent: 6220)

sh (PID: 6221, Parent: 6220, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "touch a"

sh New Fork (PID: 6222, Parent: 6221)

touch (PID: 6222, Parent: 6221, MD5: 3859c173f5d3b37be3e531b7c84a9c68) Arguments: touch a

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Networking
• System Summary
• Persistence and Installation Behavior
• Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: e.dat.elf

ReversingLabs: Detection: 28%

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42

Source: e.dat.elf

String found in binary or memory: https://qtox.github.io

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal48.linELF@0/0@0/0

Source: /tmp/e.dat.elf (PID: 6221)

Shell command executed: sh -c "touch a"

Jump to behavior

Source: /bin/sh (PID: 6222)

Touch executable: /usr/bin/touch -> touch a

Jump to behavior

Source: ELF symbol in initial sample

Symbol name: sleep

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	Path Interception	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Indicator Removal	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
e.dat.elf	29%	ReversingLabs	Linux.Trojan.Generic

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://qtox.github.io	e.dat.elf	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43	nuklear.spc.elf	Get hash	malicious	Mirai, Moobot	Browse
	linux_arm6.elf	Get hash	malicious	Chaos	Browse
	nuklear.x86.elf	Get hash	malicious	Mirai, Moobot	Browse
	nuklear.mips.elf	Get hash	malicious	Mirai, Moobot	Browse
	main_arm5.elf	Get hash	malicious	Mirai	Browse
	linux_arm5.elf	Get hash	malicious	Chaos	Browse
	linux_mipsel_softfloat.elf	Get hash	malicious	Chaos	Browse
	linux_arm7.elf	Get hash	malicious	Chaos	Browse
	.i.elf	Get hash	malicious	Unknown	Browse
	.i.elf	Get hash	malicious	Unknown	Browse
91.189.91.42	nuklear.spc.elf	Get hash	malicious	Mirai, Moobot	Browse
	linux_arm6.elf	Get hash	malicious	Chaos	Browse
	nuklear.x86.elf	Get hash	malicious	Mirai, Moobot	Browse
	nuklear.mips.elf	Get hash	malicious	Mirai, Moobot	Browse
	main_arm5.elf	Get hash	malicious	Mirai	Browse
	linux_arm5.elf	Get hash	malicious	Chaos	Browse
	linux_mipsel_softfloat.elf	Get hash	malicious	Chaos	Browse
	linux_arm7.elf	Get hash	malicious	Chaos	Browse
	.i.elf	Get hash	malicious	Unknown	Browse
	.i.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	nuklear.spc.elf	Get hash	malicious	Mirai, Moobot	Browse	91.189.91.42
	linux_arm6.elf	Get hash	malicious	Chaos	Browse	91.189.91.42
	nuklear.x86.elf	Get hash	malicious	Mirai, Moobot	Browse	91.189.91.42
	nuklear.mips.elf	Get hash	malicious	Mirai, Moobot	Browse	91.189.91.42
	main_arm5.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	linux_arm5.elf	Get hash	malicious	Chaos	Browse	91.189.91.42
	linux_mipsel_softfloat.elf	Get hash	malicious	Chaos	Browse	91.189.91.42
	linux_arm7.elf	Get hash	malicious	Chaos	Browse	91.189.91.42
	.i.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	.i.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
CANONICAL-ASGB	nuklear.spc.elf	Get hash	malicious	Mirai, Moobot	Browse	91.189.91.42
	linux_arm6.elf	Get hash	malicious	Chaos	Browse	91.189.91.42
	nuklear.x86.elf	Get hash	malicious	Mirai, Moobot	Browse	91.189.91.42
	nuklear.mips.elf	Get hash	malicious	Mirai, Moobot	Browse	91.189.91.42
	main_arm5.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	linux_arm5.elf	Get hash	malicious	Chaos	Browse	91.189.91.42
	linux_mipsel_softfloat.elf	Get hash	malicious	Chaos	Browse	91.189.91.42
	linux_arm7.elf	Get hash	malicious	Chaos	Browse	91.189.91.42
	.i.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	.i.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
INIT7CH	nuklear.spc.elf	Get hash	malicious	Mirai, Moobot	Browse	109.202.202.202
	linux_arm6.elf	Get hash	malicious	Chaos	Browse	109.202.202.202
	nuklear.x86.elf	Get hash	malicious	Mirai, Moobot	Browse	109.202.202.202
	nuklear.mips.elf	Get hash	malicious	Mirai, Moobot	Browse	109.202.202.202
	main_arm5.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	linux_arm5.elf	Get hash	malicious	Chaos	Browse	109.202.202.202
	linux_mipsel_softfloat.elf	Get hash	malicious	Chaos	Browse	109.202.202.202
	linux_arm7.elf	Get hash	malicious	Chaos	Browse	109.202.202.202
	.i.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	.i.elf	Get hash	malicious	Unknown	Browse	109.202.202.202

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.18, BuildID[sha1]=55bbc9891f55a5fbe794970b3da3b190a94abcc6, stripped
Entropy (8bit):	6.254118434413972
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 49.77% ELF Executable and Linkable format (generic) (4004/1) 49.46% Lumena CEL bitmap (63/63) 0.78%
File name:	e.dat.elf
File size:	242'999 bytes
MD5:	64cc86931bab241dcc08db03e659bcc5
SHA1:	8ce3f9f92c6533d14ae2c8749936b4c59fcb95c5
SHA256:	6ef9a0b6301d737763f6c59ae6d5b3be4cf38941a69517be0f069d0a35f394dd
SHA512:	8c0cbb7690fd4560817716df37c93fdeb7e722b22480097aaba26654efff85779d719a32bd33e6f313d53682b797095cd251cbe207ad233fe3880f25ffe9f3a3
SSDEEP:	6144:D7NIYS51ntUZNzc56IxAhlYddSOazfYsO:fN1AR2HE1xslY/SOa+
TLSH:	85345A47F9A758FDDD9BC03556AB563669A2B06803207A3A31C4DF303E52FA06F1DB90
File Content Preview:	.ELF..............>.....0[@.....@.......(...........@.8...@.............@.......@.@.....@.@...............................................@.......@...............................................@.......@....................... .......................c....

Static ELF Info

ELF header
Class:	ELF64
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Advanced Micro Devices X86-64
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x405b30
Flags:	0x0
ELF Header Size:	64
Program Header Offset:	64
Program Header Size:	56
Number of Program Headers:	8
Section Header Offset:	240680
Section Header Size:	64
Number of Section Headers:	28
Header String Table Index:	27

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Link	Info	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0	0	0
.interp	PROGBITS	0x400200	0x200	0x1c	0x0	0x2	A	0	0	1
.note.ABI-tag	NOTE	0x40021c	0x21c	0x20	0x0	0x2	A	0	0	4
.note.gnu.build-id	NOTE	0x40023c	0x23c	0x24	0x0	0x2	A	0	0	4
.gnu.hash	GNU_HASH	0x400260	0x260	0xa44	0x0	0x2	A	5	0	8
.dynsym	DYNSYM	0x400ca8	0xca8	0x24d8	0x18	0x2	A	6	1	8
.dynstr	STRTAB	0x403180	0x3180	0x1bc0	0x0	0x2	A	0	0	1
.gnu.version	VERSYM	0x404d40	0x4d40	0x312	0x2	0x2	A	5	0	2
.gnu.version_r	VERNEED	0x405058	0x5058	0x50	0x0	0x2	A	6	2	8
.rela.dyn	RELA	0x4050a8	0x50a8	0x30	0x18	0x2	A	5	0	8
.rela.plt	RELA	0x4050d8	0x50d8	0x618	0x18	0x2	A	5	12	8
.init	PROGBITS	0x4056f0	0x56f0	0x18	0x0	0x6	AX	0	0	4
.plt	PROGBITS	0x405708	0x5708	0x420	0x10	0x6	AX	0	0	4
.text	PROGBITS	0x405b30	0x5b30	0x283e8	0x0	0x6	AX	0	0	16
.fini	PROGBITS	0x42df18	0x2df18	0xe	0x0	0x6	AX	0	0	4
.rodata	PROGBITS	0x42df40	0x2df40	0x60a8	0x0	0x2	A	0	0	32
.eh_frame_hdr	PROGBITS	0x433fe8	0x33fe8	0xad4	0x0	0x2	A	0	0	4
.eh_frame	PROGBITS	0x434ac0	0x34ac0	0x3c54	0x0	0x2	A	0	0	8
.ctors	PROGBITS	0x639000	0x39000	0x10	0x0	0x3	WA	0	0	8
.dtors	PROGBITS	0x639010	0x39010	0x10	0x0	0x3	WA	0	0	8
.jcr	PROGBITS	0x639020	0x39020	0x8	0x0	0x3	WA	0	0	8
.dynamic	DYNAMIC	0x639028	0x39028	0x1a0	0x10	0x3	WA	6	0	8
.got	PROGBITS	0x6391c8	0x391c8	0x10	0x8	0x3	WA	0	0	8
.got.plt	PROGBITS	0x6391d8	0x391d8	0x220	0x8	0x3	WA	0	0	8
.data	PROGBITS	0x639400	0x39400	0x1708	0x0	0x3	WA	0	0	32
.bss	NOBITS	0x63ab20	0x3ab08	0x2298	0x0	0x3	WA	0	0	32
.comment	PROGBITS	0x0	0x3ab08	0x2c	0x1	0x30	MS	0	0	1
.shstrtab	STRTAB	0x0	0x3ab34	0xee	0x0	0x0		0	0	1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Prog Interpreter	Section Mappings
PHDR	0x40	0x400040	0x400040	0x1c0	0x1c0	1.8031	0x5	R E	0x8
INTERP	0x200	0x400200	0x400200	0x1c	0x1c	3.9408	0x4	R	0x1	/lib64/ld-linux-x86-64.so.2	.interp
LOAD	0x0	0x400000	0x400000	0x38714	0x38714	6.4048	0x5	R E	0x200000		.interp .note.ABI-tag .note.gnu.build-id .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame
LOAD	0x39000	0x639000	0x639000	0x1b08	0x3db8	1.2427	0x6	RW	0x200000		.ctors .dtors .jcr .dynamic .got .got.plt .data .bss
DYNAMIC	0x39028	0x639028	0x639028	0x1a0	0x1a0	1.5236	0x6	RW	0x8		.dynamic
NOTE	0x21c	0x40021c	0x40021c	0x44	0x44	3.4336	0x4	R	0x4		.note.ABI-tag .note.gnu.build-id
GNU_EH_FRAME	0x33fe8	0x433fe8	0x433fe8	0xad4	0xad4	5.1661	0x4	R	0x4		.eh_frame_hdr
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x8

Dynamic Tags

Type	Meta	Value	Tag
DT_NEEDED	sharedlib	libpthread.so.0	0x1
DT_NEEDED	sharedlib	libc.so.6	0x1
DT_INIT	value	0x4056f0	0xc
DT_FINI	value	0x42df18	0xd
DT_GNU_HASH	value	0x400260	0x6ffffef5
DT_STRTAB	value	0x403180	0x5
DT_SYMTAB	value	0x400ca8	0x6
DT_STRSZ	bytes	7104	0xa
DT_SYMENT	bytes	24	0xb
DT_DEBUG	value	0x0	0x15
DT_PLTGOT	value	0x6391d8	0x3
DT_PLTRELSZ	bytes	1560	0x2
DT_PLTREL	pltrel	DT_RELA	0x14
DT_JMPREL	value	0x4050d8	0x17
DT_RELA	value	0x4050a8	0x7
DT_RELASZ	bytes	48	0x8
DT_RELAENT	bytes	24	0x9
DT_VERNEED	value	0x405058	0x6ffffffe
DT_VERNEEDNUM	value	2	0x6fffffff
DT_VERSYM	value	0x404d40	0x6ffffff0
DT_NULL	value	0x0	0x0

Symbols

Name	Version Info Name	Version Info File Name	Section Name	Value	Size	Symbol Type	Symbol Bind	Symbol Visibility	Ndx
			.dynsym	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
_IO_getc	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_IO_putc	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_IO_stdin_used			.dynsym	0x42df40	4	OBJECT	<unknown>	DEFAULT	15
_Jv_RegisterClasses			.dynsym	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__bss_start			.dynsym	0x63ab08	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
__ctype_b_loc	GLIBC_2.3	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__ctype_tolower_loc	GLIBC_2.3	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__cxa_atexit	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__data_start			.dynsym	0x639400	0	NOTYPE	<unknown>	DEFAULT	24
__errno_location	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__gmon_start__			.dynsym	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__libc_csu_fini			.dynsym	0x42de20	2	FUNC	<unknown>	DEFAULT	13
__libc_csu_init			.dynsym	0x42de30	137	FUNC	<unknown>	DEFAULT	13
__libc_start_main	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__xstat64	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_edata			.dynsym	0x63ab08	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
_end			.dynsym	0x63cdb8	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
_fini			.dynsym	0x42df18	0	FUNC	<unknown>	DEFAULT	14
_finit_			.dynsym	0x407390	67	FUNC	<unknown>	DEFAULT	13
_init			.dynsym	0x4056f0	0	FUNC	<unknown>	DEFAULT	11
_init_			.dynsym	0x4074c0	99	FUNC	<unknown>	DEFAULT	13
_mxml_entity_cb			.dynsym	0x429020	188	FUNC	<unknown>	DEFAULT	13
_mxml_global			.dynsym	0x428ef0	6	FUNC	<unknown>	DEFAULT	13
_mxml_strdupf			.dynsym	0x42d320	147	FUNC	<unknown>	DEFAULT	13
_mxml_strlcat			.dynsym	0x42d100	139	FUNC	<unknown>	DEFAULT	13
_mxml_strlcpy			.dynsym	0x42d090	102	FUNC	<unknown>	DEFAULT	13
_mxml_vstrdupf			.dynsym	0x42d1f0	291	FUNC	<unknown>	DEFAULT	13
_remove			.dynsym	0x4073e0	10	FUNC	<unknown>	DEFAULT	13
_start			.dynsym	0x405b30	0	FUNC	<unknown>	DEFAULT	13
access	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
b_create_node			.dynsym	0x406660	148	FUNC	<unknown>	DEFAULT	13
b_free_node			.dynsym	0x405c80	33	FUNC	<unknown>	DEFAULT	13
b_gen_readme_file			.dynsym	0x405f00	385	FUNC	<unknown>	DEFAULT	13
b_gen_salsa_key			.dynsym	0x405e30	203	FUNC	<unknown>	DEFAULT	13
b_get_file_size			.dynsym	0x405cb0	43	FUNC	<unknown>	DEFAULT	13
b_hex_to_string			.dynsym	0x406090	131	FUNC	<unknown>	DEFAULT	13
b_malloc			.dynsym	0x405df0	63	FUNC	<unknown>	DEFAULT	13
b_mxml_get_text			.dynsym	0x405c20	9	FUNC	<unknown>	DEFAULT	13
b_queue_pop_node			.dynsym	0x405ce0	113	FUNC	<unknown>	DEFAULT	13
b_queue_push_node			.dynsym	0x405d60	129	FUNC	<unknown>	DEFAULT	13
b_rename			.dynsym	0x406700	170	FUNC	<unknown>	DEFAULT	13
b_rsa_enc			.dynsym	0x406df0	1429	FUNC	<unknown>	DEFAULT	13
b_skip_some_file			.dynsym	0x4068a0	313	FUNC	<unknown>	DEFAULT	13
b_str_to_lower			.dynsym	0x405c30	71	FUNC	<unknown>	DEFAULT	13
b_work			.dynsym	0x4069e0	1026	FUNC	<unknown>	DEFAULT	13
calloc	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
close	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
closedir	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
cry_thread			.dynsym	0x4075e0	622	FUNC	<unknown>	DEFAULT	13
data_start			.dynsym	0x639400	0	NOTYPE	<unknown>	DEFAULT	24
exec_cmds			.dynsym	0x407420	146	FUNC	<unknown>	DEFAULT	13
exit	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fclose	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
ferror	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fgets	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fopen64	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fprintf	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fread	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
free	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fseek	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
ftell	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fwrite	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
g_ext			.dynsym	0x63cda0	8	OBJECT	<unknown>	DEFAULT	25
get_cry_ext			.dynsym	0x406120	697	FUNC	<unknown>	DEFAULT	13
gmtime_r	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
goto_overlay			.dynsym	0x4067b0	237	FUNC	<unknown>	DEFAULT	13
init_xml			.dynsym	0x4073f0	33	FUNC	<unknown>	DEFAULT	13
kill_all_vms			.dynsym	0x406630	38	FUNC	<unknown>	DEFAULT	13
kill_vms			.dynsym	0x4063e0	591	FUNC	<unknown>	DEFAULT	13
lseek64	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
main			.dynsym	0x407530	169	FUNC	<unknown>	DEFAULT	13
malloc	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
mbedtls_aes_crypt_cbc			.dynsym	0x41f2a0	1101	FUNC	<unknown>	DEFAULT	13
mbedtls_aes_crypt_cfb128			.dynsym	0x41f960	330	FUNC	<unknown>	DEFAULT	13
mbedtls_aes_crypt_cfb8			.dynsym	0x41f0e0	444	FUNC	<unknown>	DEFAULT	13
mbedtls_aes_crypt_ctr			.dynsym	0x41f6f0	610	FUNC	<unknown>	DEFAULT	13
mbedtls_aes_crypt_ecb			.dynsym	0x41dc70	182	FUNC	<unknown>	DEFAULT	13
mbedtls_aes_crypt_ofb			.dynsym	0x41f000	209	FUNC	<unknown>	DEFAULT	13
mbedtls_aes_crypt_xts			.dynsym	0x41fab0	1557	FUNC	<unknown>	DEFAULT	13
mbedtls_aes_free			.dynsym	0x41dd30	18	FUNC	<unknown>	DEFAULT	13
mbedtls_aes_init			.dynsym	0x41d080	11	FUNC	<unknown>	DEFAULT	13
mbedtls_aes_self_test			.dynsym	0x4200d0	3291	FUNC	<unknown>	DEFAULT	13
mbedtls_aes_setkey_dec			.dynsym	0x41ecc0	629	FUNC	<unknown>	DEFAULT	13
mbedtls_aes_setkey_enc			.dynsym	0x41dd50	3773	FUNC	<unknown>	DEFAULT	13
mbedtls_aes_xts_free			.dynsym	0x41efd0	42	FUNC	<unknown>	DEFAULT	13
mbedtls_aes_xts_init			.dynsym	0x41eca0	29	FUNC	<unknown>	DEFAULT	13
mbedtls_aes_xts_setkey_dec			.dynsym	0x41ef40	139	FUNC	<unknown>	DEFAULT	13
mbedtls_aes_xts_setkey_enc			.dynsym	0x41ec10	139	FUNC	<unknown>	DEFAULT	13
mbedtls_aesni_crypt_ecb			.dynsym	0x424130	92	FUNC	<unknown>	DEFAULT	13
mbedtls_aesni_gcm_mult			.dynsym	0x424190	661	FUNC	<unknown>	DEFAULT	13
mbedtls_aesni_has_support			.dynsym	0x424100	47	FUNC	<unknown>	DEFAULT	13
mbedtls_aesni_inverse_key			.dynsym	0x4246a0	122	FUNC	<unknown>	DEFAULT	13
mbedtls_aesni_setkey_enc			.dynsym	0x424430	621	FUNC	<unknown>	DEFAULT	13
mbedtls_ctr_drbg_free			.dynsym	0x414a50	47	FUNC	<unknown>	DEFAULT	13
mbedtls_ctr_drbg_init			.dynsym	0x413bc0	28	FUNC	<unknown>	DEFAULT	13
mbedtls_ctr_drbg_random			.dynsym	0x414cd0	5	FUNC	<unknown>	DEFAULT	13
mbedtls_ctr_drbg_random_with_add			.dynsym	0x414740	655	FUNC	<unknown>	DEFAULT	13
mbedtls_ctr_drbg_reseed			.dynsym	0x414730	7	FUNC	<unknown>	DEFAULT	13
mbedtls_ctr_drbg_seed			.dynsym	0x414640	234	FUNC	<unknown>	DEFAULT	13
mbedtls_ctr_drbg_self_test			.dynsym	0x414da0	950	FUNC	<unknown>	DEFAULT	13
mbedtls_ctr_drbg_set_entropy_len			.dynsym	0x413b40	5	FUNC	<unknown>	DEFAULT	13
mbedtls_ctr_drbg_set_nonce_len			.dynsym	0x413b50	38	FUNC	<unknown>	DEFAULT	13
mbedtls_ctr_drbg_set_prediction_resistance			.dynsym	0x413b30	4	FUNC	<unknown>	DEFAULT	13
mbedtls_ctr_drbg_set_reseed_interval			.dynsym	0x413b80	4	FUNC	<unknown>	DEFAULT	13
mbedtls_ctr_drbg_update			.dynsym	0x4149d0	117	FUNC	<unknown>	DEFAULT	13
mbedtls_ctr_drbg_update_seed_file			.dynsym	0x415160	413	FUNC	<unknown>	DEFAULT	13
mbedtls_ctr_drbg_write_seed_file			.dynsym	0x414ce0	181	FUNC	<unknown>	DEFAULT	13
mbedtls_entropy_add_source			.dynsym	0x4193f0	68	FUNC	<unknown>	DEFAULT	13
mbedtls_entropy_free			.dynsym	0x419480	53	FUNC	<unknown>	DEFAULT	13
mbedtls_entropy_func			.dynsym	0x419770	373	FUNC	<unknown>	DEFAULT	13
mbedtls_entropy_gather			.dynsym	0x419760	5	FUNC	<unknown>	DEFAULT	13
mbedtls_entropy_init			.dynsym	0x4194c0	122	FUNC	<unknown>	DEFAULT	13
mbedtls_entropy_self_test			.dynsym	0x419f00	1515	FUNC	<unknown>	DEFAULT	13
mbedtls_entropy_update_manual			.dynsym	0x419b60	246	FUNC	<unknown>	DEFAULT	13
mbedtls_entropy_update_seed_file			.dynsym	0x419c60	668	FUNC	<unknown>	DEFAULT	13
mbedtls_entropy_write_seed_file			.dynsym	0x419ab0	164	FUNC	<unknown>	DEFAULT	13
mbedtls_internal_aes_decrypt			.dynsym	0x41d090	1510	FUNC	<unknown>	DEFAULT	13
mbedtls_internal_aes_encrypt			.dynsym	0x41d680	1519	FUNC	<unknown>	DEFAULT	13
mbedtls_internal_md5_process			.dynsym	0x4094c0	2697	FUNC	<unknown>	DEFAULT	13
mbedtls_internal_ripemd160_process			.dynsym	0x426560	6811	FUNC	<unknown>	DEFAULT	13
mbedtls_internal_sha1_process			.dynsym	0x41ad60	5918	FUNC	<unknown>	DEFAULT	13
mbedtls_internal_sha256_process			.dynsym	0x424860	4504	FUNC	<unknown>	DEFAULT	13
mbedtls_internal_sha512_process			.dynsym	0x421be0	2957	FUNC	<unknown>	DEFAULT	13
mbedtls_md			.dynsym	0x420e90	152	FUNC	<unknown>	DEFAULT	13
mbedtls_md5			.dynsym	0x40a420	197	FUNC	<unknown>	DEFAULT	13
mbedtls_md5_clone			.dynsym	0x4093f0	87	FUNC	<unknown>	DEFAULT	13
mbedtls_md5_finish			.dynsym	0x409f50	446	FUNC	<unknown>	DEFAULT	13
mbedtls_md5_free			.dynsym	0x40a210	18	FUNC	<unknown>	DEFAULT	13
mbedtls_md5_info			.dynsym	0x4313c0	16	OBJECT	<unknown>	DEFAULT	15
mbedtls_md5_init			.dynsym	0x409480	54	FUNC	<unknown>	DEFAULT	13
mbedtls_md5_self_test			.dynsym	0x40a230	493	FUNC	<unknown>	DEFAULT	13
mbedtls_md5_starts			.dynsym	0x409450	44	FUNC	<unknown>	DEFAULT	13
mbedtls_md5_update			.dynsym	0x40a110	247	FUNC	<unknown>	DEFAULT	13
mbedtls_md_clone			.dynsym	0x421420	158	FUNC	<unknown>	DEFAULT	13
mbedtls_md_file			.dynsym	0x421710	310	FUNC	<unknown>	DEFAULT	13
mbedtls_md_finish			.dynsym	0x420f30	85	FUNC	<unknown>	DEFAULT	13
mbedtls_md_free			.dynsym	0x4214c0	194	FUNC	<unknown>	DEFAULT	13
mbedtls_md_get_name			.dynsym	0x420e00	12	FUNC	<unknown>	DEFAULT	13
mbedtls_md_get_size			.dynsym	0x420de0	13	FUNC	<unknown>	DEFAULT	13
mbedtls_md_get_type			.dynsym	0x420df0	12	FUNC	<unknown>	DEFAULT	13
mbedtls_md_hmac			.dynsym	0x4219d0	217	FUNC	<unknown>	DEFAULT	13
mbedtls_md_hmac_finish			.dynsym	0x421110	196	FUNC	<unknown>	DEFAULT	13
mbedtls_md_hmac_reset			.dynsym	0x4210a0	104	FUNC	<unknown>	DEFAULT	13
mbedtls_md_hmac_starts			.dynsym	0x4211e0	568	FUNC	<unknown>	DEFAULT	13
mbedtls_md_hmac_update			.dynsym	0x420ff0	34	FUNC	<unknown>	DEFAULT	13
mbedtls_md_info_from_string			.dynsym	0x421850	371	FUNC	<unknown>	DEFAULT	13
mbedtls_md_info_from_type			.dynsym	0x420dc0	22	FUNC	<unknown>	DEFAULT	13
mbedtls_md_init			.dynsym	0x420e70	24	FUNC	<unknown>	DEFAULT	13
mbedtls_md_list			.dynsym	0x420db0	6	FUNC	<unknown>	DEFAULT	13
mbedtls_md_process			.dynsym	0x420e10	85	FUNC	<unknown>	DEFAULT	13
mbedtls_md_setup			.dynsym	0x421590	383	FUNC	<unknown>	DEFAULT	13
mbedtls_md_starts			.dynsym	0x421020	117	FUNC	<unknown>	DEFAULT	13
mbedtls_md_update			.dynsym	0x420f90	85	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_add_abs			.dynsym	0x40ce60	509	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_add_int			.dynsym	0x40d3c0	69	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_add_mpi			.dynsym	0x40d060	861	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_bitlen			.dynsym	0x40a590	136	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_cmp_abs			.dynsym	0x40a620	201	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_cmp_int			.dynsym	0x40bae0	231	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_cmp_mpi			.dynsym	0x40a6f0	250	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_copy			.dynsym	0x40ccc0	410	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_div_int			.dynsym	0x412720	69	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_div_mpi			.dynsym	0x40f7f0	2442	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_exp_mod			.dynsym	0x410cc0	2509	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_fill_random			.dynsym	0x40c040	457	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_free			.dynsym	0x40b8b0	64	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_gcd			.dynsym	0x40d940	1160	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_gen_prime			.dynsym	0x412100	1560	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_get_bit			.dynsym	0x40a510	43	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_grow			.dynsym	0x40b760	162	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_init			.dynsym	0x40a4f0	23	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_inv_mod			.dynsym	0x4103b0	2306	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_is_prime_ext			.dynsym	0x412030	197	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_lsb			.dynsym	0x40a540	76	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_lset			.dynsym	0x40bdf0	216	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_lt_mpi_ct			.dynsym	0x40a7f0	226	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_mod_int			.dynsym	0x40a8e0	168	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_mod_mpi			.dynsym	0x410180	556	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_mul_int			.dynsym	0x40e800	1346	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_mul_mpi			.dynsym	0x40ed50	1807	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_random			.dynsym	0x40d580	950	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_read_binary			.dynsym	0x40c460	698	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_read_binary_le			.dynsym	0x40c720	408	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_read_file			.dynsym	0x40e680	370	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_read_string			.dynsym	0x40ddd0	2218	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_safe_cond_assign			.dynsym	0x40bbd0	530	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_safe_cond_swap			.dynsym	0x40cae0	473	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_self_test			.dynsym	0x412770	1621	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_set_bit			.dynsym	0x40b810	154	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_shift_l			.dynsym	0x40c8c0	542	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_shift_r			.dynsym	0x40d410	368	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_shrink			.dynsym	0x40bed0	353	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_size			.dynsym	0x40b8f0	136	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_sub_abs			.dynsym	0x40c210	586	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_sub_int			.dynsym	0x40f7a0	69	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_sub_mpi			.dynsym	0x40f460	823	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_swap			.dynsym	0x40b730	43	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_write_binary			.dynsym	0x40ab70	216	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_write_binary_le			.dynsym	0x40ac50	202	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_write_file			.dynsym	0x412dd0	1858	FUNC	<unknown>	DEFAULT	13
mbedtls_mpi_write_string			.dynsym	0x413520	1550	FUNC	<unknown>	DEFAULT	13
mbedtls_oid_get_attr_short_name			.dynsym	0x41ac10	102	FUNC	<unknown>	DEFAULT	13
mbedtls_oid_get_certificate_policies			.dynsym	0x41aac0	102	FUNC	<unknown>	DEFAULT	13
mbedtls_oid_get_cipher_alg			.dynsym	0x41a890	102	FUNC	<unknown>	DEFAULT	13
mbedtls_oid_get_ec_grp			.dynsym	0x41a900	102	FUNC	<unknown>	DEFAULT	13
mbedtls_oid_get_extended_key_usage			.dynsym	0x41ab30	102	FUNC	<unknown>	DEFAULT	13
mbedtls_oid_get_md_alg			.dynsym	0x41a820	102	FUNC	<unknown>	DEFAULT	13
mbedtls_oid_get_md_hmac			.dynsym	0x41a7b0	102	FUNC	<unknown>	DEFAULT	13
mbedtls_oid_get_numeric_string			.dynsym	0x41a630	270	FUNC	<unknown>	DEFAULT	13
mbedtls_oid_get_oid_by_ec_grp			.dynsym	0x41a590	77	FUNC	<unknown>	DEFAULT	13
mbedtls_oid_get_oid_by_md			.dynsym	0x41a5e0	77	FUNC	<unknown>	DEFAULT	13
mbedtls_oid_get_oid_by_pk_alg			.dynsym	0x41a540	77	FUNC	<unknown>	DEFAULT	13
mbedtls_oid_get_oid_by_sig_alg			.dynsym	0x41a4f0	69	FUNC	<unknown>	DEFAULT	13
mbedtls_oid_get_pk_alg			.dynsym	0x41a970	102	FUNC	<unknown>	DEFAULT	13
mbedtls_oid_get_pkcs12_pbe_alg			.dynsym	0x41a740	102	FUNC	<unknown>	DEFAULT	13
mbedtls_oid_get_sig_alg			.dynsym	0x41a9e0	102	FUNC	<unknown>	DEFAULT	13
mbedtls_oid_get_sig_alg_desc			.dynsym	0x41aa50	102	FUNC	<unknown>	DEFAULT	13
mbedtls_oid_get_x509_ext_type			.dynsym	0x41aba0	102	FUNC	<unknown>	DEFAULT	13
mbedtls_platform_entropy_poll			.dynsym	0x41cb50	151	FUNC	<unknown>	DEFAULT	13
mbedtls_platform_gmtime_r			.dynsym	0x415320	5	FUNC	<unknown>	DEFAULT	13
mbedtls_platform_zeroize			.dynsym	0x415300	30	FUNC	<unknown>	DEFAULT	13
mbedtls_ripemd160			.dynsym	0x428400	205	FUNC	<unknown>	DEFAULT	13
mbedtls_ripemd160_clone			.dynsym	0x426480	93	FUNC	<unknown>	DEFAULT	13
mbedtls_ripemd160_finish			.dynsym	0x428120	728	FUNC	<unknown>	DEFAULT	13
mbedtls_ripemd160_free			.dynsym	0x428100	18	FUNC	<unknown>	DEFAULT	13
mbedtls_ripemd160_info			.dynsym	0x4313d0	16	OBJECT	<unknown>	DEFAULT	15
mbedtls_ripemd160_init			.dynsym	0x426520	54	FUNC	<unknown>	DEFAULT	13
mbedtls_ripemd160_self_test			.dynsym	0x4284d0	541	FUNC	<unknown>	DEFAULT	13
mbedtls_ripemd160_starts			.dynsym	0x4264e0	51	FUNC	<unknown>	DEFAULT	13
mbedtls_ripemd160_update			.dynsym	0x428000	247	FUNC	<unknown>	DEFAULT	13
mbedtls_rsa_check_privkey			.dynsym	0x4186d0	290	FUNC	<unknown>	DEFAULT	13
mbedtls_rsa_check_pub_priv			.dynsym	0x418c60	186	FUNC	<unknown>	DEFAULT	13
mbedtls_rsa_check_pubkey			.dynsym	0x416a30	127	FUNC	<unknown>	DEFAULT	13
mbedtls_rsa_complete			.dynsym	0x417d20	797	FUNC	<unknown>	DEFAULT	13
mbedtls_rsa_copy			.dynsym	0x415420	389	FUNC	<unknown>	DEFAULT	13
mbedtls_rsa_deduce_crt			.dynsym	0x423ae0	236	FUNC	<unknown>	DEFAULT	13
mbedtls_rsa_deduce_primes			.dynsym	0x423d20	991	FUNC	<unknown>	DEFAULT	13
mbedtls_rsa_deduce_private_exponent			.dynsym	0x423bd0	333	FUNC	<unknown>	DEFAULT	13
mbedtls_rsa_export			.dynsym	0x415cf0	383	FUNC	<unknown>	DEFAULT	13
mbedtls_rsa_export_crt			.dynsym	0x415bf0	247	FUNC	<unknown>	DEFAULT	13
mbedtls_rsa_export_raw			.dynsym	0x415e70	457	FUNC	<unknown>	DEFAULT	13
mbedtls_rsa_free			.dynsym	0x415340	162	FUNC	<unknown>	DEFAULT	13
mbedtls_rsa_gen_key			.dynsym	0x418800	1106	FUNC	<unknown>	DEFAULT	13
mbedtls_rsa_get_len			.dynsym	0x415330	5	FUNC	<unknown>	DEFAULT	13
mbedtls_rsa_import			.dynsym	0x415b10	224	FUNC	<unknown>	DEFAULT	13
mbedtls_rsa_import_raw			.dynsym	0x415a10	242	FUNC	<unknown>	DEFAULT	13
mbedtls_rsa_init			.dynsym	0x415830	11	FUNC	<unknown>	DEFAULT	13
mbedtls_rsa_pkcs1_decrypt			.dynsym	0x4185f0	58	FUNC	<unknown>	DEFAULT	13
mbedtls_rsa_pkcs1_encrypt			.dynsym	0x418d20	812	FUNC	<unknown>	DEFAULT	13
mbedtls_rsa_pkcs1_sign			.dynsym	0x418630	86	FUNC	<unknown>	DEFAULT	13
mbedtls_rsa_pkcs1_verify			.dynsym	0x418690	55	FUNC	<unknown>	DEFAULT	13
mbedtls_rsa_private			.dynsym	0x416ab0	1889	FUNC	<unknown>	DEFAULT	13
mbedtls_rsa_public			.dynsym	0x416170	255	FUNC	<unknown>	DEFAULT	13
mbedtls_rsa_rsaes_oaep_decrypt			.dynsym	0x417a30	748	FUNC	<unknown>	DEFAULT	13
mbedtls_rsa_rsaes_oaep_encrypt			.dynsym	0x416800	550	FUNC	<unknown>	DEFAULT	13
mbedtls_rsa_rsaes_pkcs1_v15_decrypt			.dynsym	0x4176d0	862	FUNC	<unknown>	DEFAULT	13
mbedtls_rsa_rsaes_pkcs1_v15_encrypt			.dynsym	0x4166b0	335	FUNC	<unknown>	DEFAULT	13
mbedtls_rsa_rsassa_pkcs1_v15_sign			.dynsym	0x417220	341	FUNC	<unknown>	DEFAULT	13
mbedtls_rsa_rsassa_pkcs1_v15_verify			.dynsym	0x416270	309	FUNC	<unknown>	DEFAULT	13
mbedtls_rsa_rsassa_pss_sign			.dynsym	0x4176a0	31	FUNC	<unknown>	DEFAULT	13
mbedtls_rsa_rsassa_pss_sign_ext			.dynsym	0x4176c0	5	FUNC	<unknown>	DEFAULT	13
mbedtls_rsa_rsassa_pss_verify			.dynsym	0x4182f0	23	FUNC	<unknown>	DEFAULT	13
mbedtls_rsa_rsassa_pss_verify_ext			.dynsym	0x4163b0	764	FUNC	<unknown>	DEFAULT	13
mbedtls_rsa_self_test			.dynsym	0x419050	928	FUNC	<unknown>	DEFAULT	13
mbedtls_rsa_set_padding			.dynsym	0x4155b0	97	FUNC	<unknown>	DEFAULT	13
mbedtls_rsa_validate_crt			.dynsym	0x4234e0	563	FUNC	<unknown>	DEFAULT	13
mbedtls_rsa_validate_params			.dynsym	0x423720	952	FUNC	<unknown>	DEFAULT	13
mbedtls_sha1			.dynsym	0x41ca80	205	FUNC	<unknown>	DEFAULT	13
mbedtls_sha1_clone			.dynsym	0x41ac80	93	FUNC	<unknown>	DEFAULT	13
mbedtls_sha1_finish			.dynsym	0x41c480	478	FUNC	<unknown>	DEFAULT	13
mbedtls_sha1_free			.dynsym	0x41c760	18	FUNC	<unknown>	DEFAULT	13
mbedtls_sha1_info			.dynsym	0x4313e0	16	OBJECT	<unknown>	DEFAULT	15
mbedtls_sha1_init			.dynsym	0x41ad20	54	FUNC	<unknown>	DEFAULT	13
mbedtls_sha1_self_test			.dynsym	0x41c780	763	FUNC	<unknown>	DEFAULT	13
mbedtls_sha1_starts			.dynsym	0x41ace0	51	FUNC	<unknown>	DEFAULT	13
mbedtls_sha1_update			.dynsym	0x41c660	247	FUNC	<unknown>	DEFAULT	13
mbedtls_sha224_info			.dynsym	0x4313f0	16	OBJECT	<unknown>	DEFAULT	15
mbedtls_sha256			.dynsym	0x426280	497	FUNC	<unknown>	DEFAULT	13
mbedtls_sha256_clone			.dynsym	0x424720	109	FUNC	<unknown>	DEFAULT	13
mbedtls_sha256_finish			.dynsym	0x425a00	574	FUNC	<unknown>	DEFAULT	13
mbedtls_sha256_free			.dynsym	0x425d40	18	FUNC	<unknown>	DEFAULT	13
mbedtls_sha256_info			.dynsym	0x431400	16	OBJECT	<unknown>	DEFAULT	15
mbedtls_sha256_init			.dynsym	0x424820	54	FUNC	<unknown>	DEFAULT	13
mbedtls_sha256_self_test			.dynsym	0x425d60	1297	FUNC	<unknown>	DEFAULT	13
mbedtls_sha256_starts			.dynsym	0x424790	142	FUNC	<unknown>	DEFAULT	13
mbedtls_sha256_update			.dynsym	0x425c40	247	FUNC	<unknown>	DEFAULT	13
mbedtls_sha384_info			.dynsym	0x431410	16	OBJECT	<unknown>	DEFAULT	15
mbedtls_sha512			.dynsym	0x423270	617	FUNC	<unknown>	DEFAULT	13
mbedtls_sha512_clone			.dynsym	0x421ab0	9	FUNC	<unknown>	DEFAULT	13
mbedtls_sha512_finish			.dynsym	0x422770	1070	FUNC	<unknown>	DEFAULT	13
mbedtls_sha512_free			.dynsym	0x422cb0	18	FUNC	<unknown>	DEFAULT	13
mbedtls_sha512_info			.dynsym	0x431420	16	OBJECT	<unknown>	DEFAULT	15
mbedtls_sha512_init			.dynsym	0x421bd0	11	FUNC	<unknown>	DEFAULT	13
mbedtls_sha512_self_test			.dynsym	0x422cd0	1439	FUNC	<unknown>	DEFAULT	13
mbedtls_sha512_starts			.dynsym	0x421ac0	265	FUNC	<unknown>	DEFAULT	13
mbedtls_sha512_update			.dynsym	0x422ba0	263	FUNC	<unknown>	DEFAULT	13
memcmp	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
memcpy	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
memmove	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
memset	GLIBC_2.2.5	libc.so.6	.dynsym	0x405738	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
mxmlAdd			.dynsym	0x42d6c0	397	FUNC	<unknown>	DEFAULT	13
mxmlDelete			.dynsym	0x42d5a0	231	FUNC	<unknown>	DEFAULT	13
mxmlElementDeleteAttr			.dynsym	0x429580	177	FUNC	<unknown>	DEFAULT	13
mxmlElementGetAttr			.dynsym	0x429260	114	FUNC	<unknown>	DEFAULT	13
mxmlElementGetAttrByIndex			.dynsym	0x4291f0	73	FUNC	<unknown>	DEFAULT	13
mxmlElementGetAttrCount			.dynsym	0x429240	19	FUNC	<unknown>	DEFAULT	13
mxmlElementSetAttr			.dynsym	0x429500	118	FUNC	<unknown>	DEFAULT	13
mxmlElementSetAttrf			.dynsym	0x4293e0	277	FUNC	<unknown>	DEFAULT	13
mxmlEntityAddCallback			.dynsym	0x4291b0	59	FUNC	<unknown>	DEFAULT	13
mxmlEntityGetName			.dynsym	0x429000	22	FUNC	<unknown>	DEFAULT	13
mxmlEntityGetValue			.dynsym	0x4290e0	96	FUNC	<unknown>	DEFAULT	13
mxmlEntityRemoveCallback			.dynsym	0x429140	105	FUNC	<unknown>	DEFAULT	13
mxmlFindElement			.dynsym	0x4287c0	1289	FUNC	<unknown>	DEFAULT	13
mxmlFindPath			.dynsym	0x428cd0	469	FUNC	<unknown>	DEFAULT	13
mxmlGetRefCount			.dynsym	0x42d3c0	12	FUNC	<unknown>	DEFAULT	13
mxmlLoadFd			.dynsym	0x42b640	52	FUNC	<unknown>	DEFAULT	13
mxmlLoadFile			.dynsym	0x42b630	16	FUNC	<unknown>	DEFAULT	13
mxmlLoadString			.dynsym	0x42b600	35	FUNC	<unknown>	DEFAULT	13
mxmlNewCDATA			.dynsym	0x42dc40	76	FUNC	<unknown>	DEFAULT	13
mxmlNewCustom			.dynsym	0x42db00	58	FUNC	<unknown>	DEFAULT	13
mxmlNewElement			.dynsym	0x42dbf0	69	FUNC	<unknown>	DEFAULT	13
mxmlNewInteger			.dynsym	0x42dae0	23	FUNC	<unknown>	DEFAULT	13
mxmlNewOpaque			.dynsym	0x42dba0	72	FUNC	<unknown>	DEFAULT	13
mxmlNewOpaquef			.dynsym	0x42da20	184	FUNC	<unknown>	DEFAULT	13
mxmlNewReal			.dynsym	0x42d9f0	39	FUNC	<unknown>	DEFAULT	13
mxmlNewText			.dynsym	0x42db40	88	FUNC	<unknown>	DEFAULT	13
mxmlNewTextf			.dynsym	0x42d910	219	FUNC	<unknown>	DEFAULT	13
mxmlNewXML			.dynsym	0x42dc90	86	FUNC	<unknown>	DEFAULT	13
mxmlRelease			.dynsym	0x42d690	41	FUNC	<unknown>	DEFAULT	13
mxmlRemove			.dynsym	0x42d3d0	102	FUNC	<unknown>	DEFAULT	13
mxmlRetain			.dynsym	0x42d440	21	FUNC	<unknown>	DEFAULT	13
mxmlSAXLoadFd			.dynsym	0x42b5c0	52	FUNC	<unknown>	DEFAULT	13
mxmlSAXLoadFile			.dynsym	0x42b5b0	16	FUNC	<unknown>	DEFAULT	13
mxmlSAXLoadString			.dynsym	0x42b580	35	FUNC	<unknown>	DEFAULT	13
mxmlSaveAllocString			.dynsym	0x42cf30	342	FUNC	<unknown>	DEFAULT	13
mxmlSaveFd			.dynsym	0x42cd10	193	FUNC	<unknown>	DEFAULT	13
mxmlSaveFile			.dynsym	0x42cde0	119	FUNC	<unknown>	DEFAULT	13
mxmlSaveString			.dynsym	0x42ce60	198	FUNC	<unknown>	DEFAULT	13
mxmlSetCustomHandlers			.dynsym	0x429720	54	FUNC	<unknown>	DEFAULT	13
mxmlSetErrorCallback			.dynsym	0x429710	14	FUNC	<unknown>	DEFAULT	13
mxmlSetWrapMargin			.dynsym	0x429700	16	FUNC	<unknown>	DEFAULT	13
mxmlWalkNext			.dynsym	0x4286f0	100	FUNC	<unknown>	DEFAULT	13
mxmlWalkPrev			.dynsym	0x428760	84	FUNC	<unknown>	DEFAULT	13
mxml_error			.dynsym	0x428f00	255	FUNC	<unknown>	DEFAULT	13
mxml_ignore_cb			.dynsym	0x428eb0	6	FUNC	<unknown>	DEFAULT	13
mxml_integer_cb			.dynsym	0x428ec0	6	FUNC	<unknown>	DEFAULT	13
mxml_opaque_cb			.dynsym	0x428ed0	6	FUNC	<unknown>	DEFAULT	13
mxml_real_cb			.dynsym	0x428ee0	6	FUNC	<unknown>	DEFAULT	13
mxml_root			.dynsym	0x63cd98	8	OBJECT	<unknown>	DEFAULT	25
my_strdup			.dynsym	0x42d190	87	FUNC	<unknown>	DEFAULT	13
open64	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
opendir	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pclose	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
popen	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
printf	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pthread_create	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pthread_join	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pthread_mutex_init	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pthread_mutex_lock	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pthread_mutex_unlock	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
putchar	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
puts	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
rand	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
read	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
readdir64	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
realloc	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
remove	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
rename	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
s20_crypt			.dynsym	0x4086d0	442	FUNC	<unknown>	DEFAULT	13
self_path			.dynsym	0x63cd90	8	OBJECT	<unknown>	DEFAULT	25
sem_init	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
sem_post	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
sem_wait	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
sleep	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
snprintf	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
sprintf	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
stderr	GLIBC_2.2.5	libc.so.6	.dynsym	0x63ab20	8	OBJECT	<unknown>	DEFAULT	25
strcat	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
strchr	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
strcmp	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
strcpy	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
strlen	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
strrchr	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
strstr	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
strtod	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
strtol	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
t_key			.dynsym	0x63cda8	8	OBJECT	<unknown>	DEFAULT	25
t_rsa_key			.dynsym	0x63cdb0	8	OBJECT	<unknown>	DEFAULT	25
vsnprintf	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
walk_thread			.dynsym	0x407850	449	FUNC	<unknown>	DEFAULT	13
write	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
xml_buff			.dynsym	0x639420	5000	OBJECT	<unknown>	DEFAULT	24

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 7
• 443 (HTTPS)
• 80 (HTTP)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 4, 2024 19:02:47.709270000 CET	43928	443	192.168.2.23	91.189.91.42
Nov 4, 2024 19:02:53.340668917 CET	42836	443	192.168.2.23	91.189.91.43
Nov 4, 2024 19:02:54.620605946 CET	42516	80	192.168.2.23	109.202.202.202
Nov 4, 2024 19:03:07.674571037 CET	43928	443	192.168.2.23	91.189.91.42
Nov 4, 2024 19:03:19.960882902 CET	42836	443	192.168.2.23	91.189.91.43
Nov 4, 2024 19:03:24.056360006 CET	42516	80	192.168.2.23	109.202.202.202
Nov 4, 2024 19:03:48.629069090 CET	43928	443	192.168.2.23	91.189.91.42

System Behavior

Analysis Process: e.dat.elf PID: 6220, Parent PID: 6139

General

Start time (UTC):	18:02:45
Start date (UTC):	04/11/2024
Path:	/tmp/e.dat.elf
Arguments:	/tmp/e.dat.elf
File size:	242999 bytes
MD5 hash:	64cc86931bab241dcc08db03e659bcc5

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: e.dat.elf PID: 6221, Parent PID: 6220

General

Start time (UTC):	18:02:45
Start date (UTC):	04/11/2024
Path:	/tmp/e.dat.elf
Arguments:	-
File size:	242999 bytes
MD5 hash:	64cc86931bab241dcc08db03e659bcc5

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6221, Parent PID: 6220

General

Start time (UTC):	18:02:45
Start date (UTC):	04/11/2024
Path:	/bin/sh
Arguments:	sh -c "touch a"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 6222, Parent PID: 6221

General

Start time (UTC):	18:02:45
Start date (UTC):	04/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: touch PID: 6222, Parent PID: 6221

General

Start time (UTC):	18:02:45
Start date (UTC):	04/11/2024
Path:	/usr/bin/touch
Arguments:	touch a
File size:	100728 bytes
MD5 hash:	3859c173f5d3b37be3e531b7c84a9c68

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report e.dat.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Dynamic Tags

Symbols

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: e.dat.elf PID: 6220, Parent PID: 6139

General

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: e.dat.elf PID: 6221, Parent PID: 6220

General

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6221, Parent PID: 6220

General

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Linux Analysis Report
e.dat.elf