Linux Analysis Report
mmb8.elf

AV Detection

Source: mmb8.elf

Avira: detected

Source: mmb8.elf

ReversingLabs: Detection: 52%

Spreading

Source: mmb8.elf

String: HTTP/1.1 200 OKtop1hbt.armtop1hbt.arm5top1hbt.arm6top1hbt.arm7top1hbt.mipstop1hbt.mpsltop1hbt.x86_64top1hbt.sh4/proc/proc/%d/cmdlinernetstatwgetcurlbusybox/bin/busybox/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemd/usr/libexec/openssh/sftp-serverusr/shellmnt/sys/bin/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ3f

Networking

Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.23:45804 -> 103.77.172.24:47925
Source: Network traffic	Suricata IDS: 2030489 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response : 103.77.172.24:47925 -> 192.168.2.23:45804

Source: global traffic

TCP traffic: 103.77.172.24 ports 47925,2,4,5,7,9

Source: unknown

DNS query: name: ducnhan.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.23:45804 -> 103.77.172.24:47925

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42

Source: global traffic

DNS traffic detected: DNS query: ducnhan.duckdns.org

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Source: mmb8.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: mmb8.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6219.1.00007f42ec001000.00007f42ec01e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6219.1.00007f42ec001000.00007f42ec01e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: mmb8.elf PID: 6219, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: mmb8.elf PID: 6219, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown

Source: Initial sample	String containing 'busybox' found: busybox
Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: HTTP/1.1 200 OKtop1hbt.armtop1hbt.arm5top1hbt.arm6top1hbt.arm7top1hbt.mipstop1hbt.mpsltop1hbt.x86_64top1hbt.sh4/proc/proc/%d/cmdlinernetstatwgetcurlbusybox/bin/busybox/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemd/usr/libexec/openssh/sftp-serverusr/shellmnt/sys/bin/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ3f

Source: ELF static info symbol of initial sample

.symtab present: no

Source: mmb8.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: mmb8.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6219.1.00007f42ec001000.00007f42ec01e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6219.1.00007f42ec001000.00007f42ec01e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: mmb8.elf PID: 6219, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: mmb8.elf PID: 6219, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16

Source: classification engine

Classification label: mal100.troj.linELF@0/1025@1/0

Persistence and Installation Behavior

Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/1582/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/3088/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/230/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/110/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/231/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/111/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/232/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/1579/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/112/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/233/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/1699/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/113/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/234/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/1335/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/1698/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/114/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/235/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/1334/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/1576/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/2302/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/115/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/236/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/116/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/237/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/117/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/118/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/910/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/119/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/912/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/10/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/2307/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/11/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/918/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/12/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/13/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/14/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/15/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/16/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/17/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/18/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/1594/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/120/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/121/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/1349/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/1/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/122/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/243/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/123/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/2/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/124/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/3/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/4/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/125/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/126/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/1344/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/1465/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/1586/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/127/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/6/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/248/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/128/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/249/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/1463/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/800/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/9/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/801/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/20/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/21/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/1900/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/22/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/23/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/24/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/25/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/26/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/27/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/28/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/29/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/491/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/250/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/130/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/251/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/252/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/132/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/253/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/254/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/255/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/256/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/1599/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/257/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/1477/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/379/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/258/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/1476/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/259/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/1475/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/4502/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/936/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/30/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/2208/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/35/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/1809/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/1494/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/260/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/261/cmdline			Jump to behavior
Source: /tmp/mmb8.elf (PID: 6223)	File opened: /proc/141/cmdline			Jump to behavior

Malware Analysis System Evasion

Source: /tmp/mmb8.elf (PID: 6219)

Queries kernel information via 'uname':

Jump to behavior

Source: mmb8.elf, 6219.1.000056260c8e2000.000056260c992000.rw-.sdmp	Binary or memory string: !/etc/qemu-binfmt/ppc11!hotpluggableq
Source: mmb8.elf, 6219.1.000056260c8e2000.000056260c992000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/ppc
Source: mmb8.elf, 6219.1.00007fff486ed000.00007fff4870e000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-ppc
Source: mmb8.elf, 6219.1.00007fff486ed000.00007fff4870e000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-ppc/tmp/mmb8.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/mmb8.elf

Stealing of Sensitive Information

Source: Yara match	File source: mmb8.elf, type: SAMPLE
Source: Yara match	File source: 6219.1.00007f42ec001000.00007f42ec01e000.r-x.sdmp, type: MEMORY

Source: Yara match	File source: mmb8.elf, type: SAMPLE
Source: Yara match	File source: 6219.1.00007f42ec001000.00007f42ec01e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mmb8.elf PID: 6219, type: MEMORYSTR

Source: Yara match	File source: mmb8.elf, type: SAMPLE
Source: Yara match	File source: 6219.1.00007f42ec001000.00007f42ec01e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mmb8.elf PID: 6219, type: MEMORYSTR

Remote Access Functionality

Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response

Source: Yara match	File source: mmb8.elf, type: SAMPLE
Source: Yara match	File source: 6219.1.00007f42ec001000.00007f42ec01e000.r-x.sdmp, type: MEMORY

Source: Yara match	File source: mmb8.elf, type: SAMPLE
Source: Yara match	File source: 6219.1.00007f42ec001000.00007f42ec01e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mmb8.elf PID: 6219, type: MEMORYSTR

Source: Yara match	File source: mmb8.elf, type: SAMPLE
Source: Yara match	File source: 6219.1.00007f42ec001000.00007f42ec01e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mmb8.elf PID: 6219, type: MEMORYSTR