Edit tour

Linux Analysis Report
file-grey.elf

Overview

General Information

Sample name:	file-grey.elf
Analysis ID:	1583386
MD5:	9df07b64a28b61e4c7a9f8c8e8d2a801
SHA1:	a3aae326109751edac5145ff1b679f8935177ad7
SHA256:	a02eeb92a977c0749f93e6c7959159e68aa3a9e93c77f1fce81dc4b014e7c545
Tags:	elfmalwaretrojanuser-Joker
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Sample and/or dropped files likely contain functionality related to malicious behavior

Sample tries to persist itself using System V runlevels

Creates hidden files and/or directories

Executes commands using a shell command-line interpreter

Executes the "chmod" command used to modify permissions

Reads CPU information from /sys indicative of miner or evasive malware

Sample and/or dropped files contains symbols with suspicious names

Sample listens on a socket

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583386
Start date and time:	2025-01-02 15:58:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	file-grey.elf
Detection:	MAL
Classification:	mal56.troj.linELF@0/1@0/0

Warnings

VT rate limit hit for: file-grey.elf

Runtime Messages

Command:	/tmp/file-grey.elf
PID:	6220
Exit Code:
Exit Code Info:
Killed:	True
Standard Output:
Standard Error:	chmod: cannot access 'script/hodin_daemon.sh': No such file or directory chmod: cannot access 'script/delete_startup.sh': No such file or directory chmod: cannot access 'script/startup.sh': No such file or directory cp: cannot stat 'script/hodin_daemon.sh': No such file or directory cp: cannot stat 'srv_hodin': No such file or directory cp: cannot stat 'srv_hodin': No such file or directory

Process Tree

system is lnxubuntu20

file-grey.elf (PID: 6220, Parent: 6137, MD5: 9df07b64a28b61e4c7a9f8c8e8d2a801) Arguments: /tmp/file-grey.elf

file-grey.elf New Fork (PID: 6221, Parent: 6220)

sh (PID: 6221, Parent: 6220, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x script/hodin_daemon.sh"

sh New Fork (PID: 6222, Parent: 6221)

chmod (PID: 6222, Parent: 6221, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x script/hodin_daemon.sh

file-grey.elf New Fork (PID: 6223, Parent: 6220)

sh (PID: 6223, Parent: 6220, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x script/delete_startup.sh"

sh New Fork (PID: 6224, Parent: 6223)

chmod (PID: 6224, Parent: 6223, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x script/delete_startup.sh

file-grey.elf New Fork (PID: 6225, Parent: 6220)

sh (PID: 6225, Parent: 6220, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x script/startup.sh"

sh New Fork (PID: 6226, Parent: 6225)

chmod (PID: 6226, Parent: 6225, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x script/startup.sh

file-grey.elf New Fork (PID: 6227, Parent: 6220)

sh (PID: 6227, Parent: 6220, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cp script/hodin_daemon.sh /etc/init.d/"

sh New Fork (PID: 6228, Parent: 6227)

cp (PID: 6228, Parent: 6227, MD5: 40f10ae7ea3e44218d1a8c306f79c83f) Arguments: cp script/hodin_daemon.sh /etc/init.d/

file-grey.elf New Fork (PID: 6229, Parent: 6220)

sh (PID: 6229, Parent: 6220, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cp srv_hodin /usr/bin/"

sh New Fork (PID: 6230, Parent: 6229)

cp (PID: 6230, Parent: 6229, MD5: 40f10ae7ea3e44218d1a8c306f79c83f) Arguments: cp srv_hodin /usr/bin/

file-grey.elf New Fork (PID: 6231, Parent: 6220)

sh (PID: 6231, Parent: 6220, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cp srv_hodin /usr/sbin/"

sh New Fork (PID: 6232, Parent: 6231)

cp (PID: 6232, Parent: 6231, MD5: 40f10ae7ea3e44218d1a8c306f79c83f) Arguments: cp srv_hodin /usr/sbin/

file-grey.elf New Fork (PID: 6233, Parent: 6220)

sh (PID: 6233, Parent: 6220, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/hodin_daemon.sh /etc/rc2.d/S88hodin_daemon.sh"

sh New Fork (PID: 6234, Parent: 6233)

ln (PID: 6234, Parent: 6233, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/hodin_daemon.sh /etc/rc2.d/S88hodin_daemon.sh

file-grey.elf New Fork (PID: 6235, Parent: 6220)

gst-plugin-scanner (PID: 6235, Parent: 6220, MD5: caaae748bd9798d2f4b3d09c94a9e5f4) Arguments: /usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner -l /tmp/file-grey.elf

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: file-grey.elf

ReversingLabs: Detection: 42%

Source: /usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner (PID: 6235)

Reads CPU info from /sys: /sys/devices/system/cpu/online

Jump to behavior

Source: /tmp/file-grey.elf (PID: 6220)

Socket: 0.0.0.0:4444

Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43

Source: file-grey.elf, 6220.1.000055dd5e110000.000055dd5e551000.rw-.sdmp	String found in binary or memory: http://www.clutter-project.org
Source: file-grey.elf, 6220.1.000055dd5e110000.000055dd5e551000.rw-.sdmp	String found in binary or memory: http://www.clutter-project.orgadpcmencADPCM
Source: file-grey.elf, 6220.1.000055dd5e110000.000055dd5e551000.rw-.sdmp	String found in binary or memory: http://www.freedesktop.org/wiki/Software/Farstream
Source: file-grey.elf, 6220.1.000055dd5e110000.000055dd5e551000.rw-.sdmp	String found in binary or memory: http://www.freedesktop.org/wiki/Software/Farstreamapplication/x-rtp
Source: file-grey.elf, 6220.1.000055dd5e110000.000055dd5e551000.rw-.sdmp	String found in binary or memory: http://xiph.org
Source: file-grey.elf, 6220.1.000055dd5e110000.000055dd5e551000.rw-.sdmp	String found in binary or memory: http://xiph.org)
Source: file-grey.elf, 6220.1.000055dd5e110000.000055dd5e551000.rw-.sdmp	String found in binary or memory: http://xiph.org)//xiph.org
Source: file-grey.elf, 6220.1.000055dd5e110000.000055dd5e551000.rw-.sdmp	String found in binary or memory: http://xiph.org)audio/x-vorbisapplication/x-ogg-aviapplication/oggapplication/x-ogm-textapplication/
Source: file-grey.elf, 6220.1.000055dd5e110000.000055dd5e551000.rw-.sdmp	String found in binary or memory: http://xiph.org)ph.org
Source: file-grey.elf, 6220.1.000055dd5e110000.000055dd5e551000.rw-.sdmp	String found in binary or memory: http://xiph.org)xiph.org
Source: registry.x86_64.bin.tmpE9S3Z2.12.dr	String found in binary or memory: https://launchpad.net/distros/ubuntu/
Source: file-grey.elf, 6220.1.000055dd5e110000.000055dd5e551000.rw-.sdmp	String found in binary or memory: https://nice.freedesktop.org/
Source: file-grey.elf, 6220.1.000055dd5e110000.000055dd5e551000.rw-.sdmp	String found in binary or memory: https://nice.freedesktop.org/vpxVP8

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Sample and/or dropped files likely contain functionality related to malicious behavior

Source: file-grey.elf	ELF static info symbol of initial sample: debian_keylogger_init
Source: file-grey.elf	ELF static info symbol of initial sample: debian_keylogger_utils.c
Source: file-grey.elf	ELF static info symbol of initial sample: fedora_keylogger_init
Source: file-grey.elf	ELF static info symbol of initial sample: kali_keylogger_init
Source: file-grey.elf	ELF static info symbol of initial sample: keylogger
Source: file-grey.elf	ELF static info symbol of initial sample: keylogger.c
Source: file-grey.elf	ELF static info symbol of initial sample: keylogger_utils.c
Source: file-grey.elf	ELF static info symbol of initial sample: mint_keylogger_init
Source: file-grey.elf	ELF static info symbol of initial sample: ubuntu16_keylogger_init
Source: file-grey.elf	ELF static info symbol of initial sample: ubuntu18_keylogger_init

Source: file-grey.elf	ELF static info symbol of initial sample: execute_cmd
Source: file-grey.elf	ELF static info symbol of initial sample: execute_record_cmd

Source: classification engine

Classification label: mal56.troj.linELF@0/1@0/0

Persistence and Installation Behavior

Sample tries to persist itself using System V runlevels

Source: /usr/bin/ln (PID: 6234)

File: /etc/rc2.d/S88hodin_daemon.sh -> /etc/init.d/hodin_daemon.sh

Jump to behavior

Source: /usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner (PID: 6235)	Directory: /root/.ladspa	Jump to behavior
Source: /usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner (PID: 6235)	Directory: /root/.lv2	Jump to behavior
Source: /usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner (PID: 6235)	Directory: /root/.cache	Jump to behavior

Source: /tmp/file-grey.elf (PID: 6221)	Shell command executed: sh -c "chmod +x script/hodin_daemon.sh"	Jump to behavior
Source: /tmp/file-grey.elf (PID: 6223)	Shell command executed: sh -c "chmod +x script/delete_startup.sh"	Jump to behavior
Source: /tmp/file-grey.elf (PID: 6225)	Shell command executed: sh -c "chmod +x script/startup.sh"	Jump to behavior
Source: /tmp/file-grey.elf (PID: 6227)	Shell command executed: sh -c "cp script/hodin_daemon.sh /etc/init.d/"	Jump to behavior
Source: /tmp/file-grey.elf (PID: 6229)	Shell command executed: sh -c "cp srv_hodin /usr/bin/"	Jump to behavior
Source: /tmp/file-grey.elf (PID: 6231)	Shell command executed: sh -c "cp srv_hodin /usr/sbin/"	Jump to behavior
Source: /tmp/file-grey.elf (PID: 6233)	Shell command executed: sh -c "ln -s /etc/init.d/hodin_daemon.sh /etc/rc2.d/S88hodin_daemon.sh"	Jump to behavior

Source: /bin/sh (PID: 6222)	Chmod executable: /usr/bin/chmod -> chmod +x script/hodin_daemon.sh	Jump to behavior
Source: /bin/sh (PID: 6224)	Chmod executable: /usr/bin/chmod -> chmod +x script/delete_startup.sh	Jump to behavior
Source: /bin/sh (PID: 6226)	Chmod executable: /usr/bin/chmod -> chmod +x script/startup.sh	Jump to behavior

Source: /usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner (PID: 6235)

Reads CPU info from /sys: /sys/devices/system/cpu/online

Jump to behavior

Source: /tmp/file-grey.elf (PID: 6220)	Queries kernel information via 'uname':			Jump to behavior
Source: /usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner (PID: 6235)	Queries kernel information via 'uname':			Jump to behavior

Source: file-grey.elf, 6220.1.000055dd5e110000.000055dd5e551000.rw-.sdmp	Binary or memory string: Decode VmWare video to raw (RGB) video
Source: file-grey.elf, 6220.1.000055dd5e110000.000055dd5e551000.rw-.sdmp	Binary or memory string: libav VMware Screen Codec / VMware Video decoder
Source: file-grey.elf, 6220.1.000055dd5e110000.000055dd5e551000.rw-.sdmp	Binary or memory string: VmWare Video Codec plugins
Source: file-grey.elf, 6220.1.000055dd5e110000.000055dd5e551000.rw-.sdmp	Binary or memory string: ame=(string)"VMnc\ video\ decoder", klass=(string)Codec/Decoder/Video, description=(string)"Decode\ VmWare\ video\ to\ raw\ \(RGB\)\ video", author=(string)"Michael\ Smith\ \<msmith\@xiph.org\>";
Source: file-grey.elf, 6220.1.000055dd5e110000.000055dd5e551000.rw-.sdmp	Binary or memory string: video/x-raw, format=(string){ I420, YV12, Y42B, Y444, I420_10LE, I420_12LE, I422_10LE, I422_12LE, Y444_10LE, Y444_12LE }, width=(int)[ 1, 2147483647 ], height=(int)[ 1, 2147483647 ], framerate=(fraction)[ 0/1, 2147483647/1 ]video/x-raw, format=(string){ I420, Y42B, Y444, YV12 }, framerate=(fraction)[ 0/1, 2147483647/1 ], width=(int)[ 4, 2147483647 ], height=(int)[ 4, 2147483647 ]oss4Open Sound System (OSS) version 4 support for GStreameraudio/x-alaw, rate=(int)[ 1, 192000 ], channels=(int)[ 1, 4096 ]; audio/x-mulaw, rate=(int)[ 1, 192000 ], channels=(int)[ 1, 4096 ]; audio/x-raw, format=(string){ S32LE, S32BE, S24_32LE, S24_32BE, S24LE, S16LE, S16BE, U16LE, U16BE, S8, U8 }, layout=(string)interleaved, rate=(int)[ 1, 192000 ], channels=(int)[ 1, 4096 ]goomGOOM visualization filteraudiomixmatrixAudio matrix mixaudio/x-raw, channels=(int)[ 1, 2147483647 ], layout=(string)interleaved, format=(string){ F32LE, F64LE, S16LE, S32LE }mpegtsdemuxMPEG TS demuxerprivate_%01x_%05xsubpicture_%01x_%05xsubpicture/x-pgs; subpicture/x-dvd; subpicture/x-dvbaudio_%01x_%05xaudio/mpeg, mpegversion=(int)1; audio/mpeg, mpegversion=(int)2, stream-format=(string)adts; audio/mpeg, mpegversion=(int)4, stream-format=(string)loas; audio/x-lpcm, width=(int){ 16, 20, 24 }, rate=(int){ 48000, 96000 }, channels=(int)[ 1, 8 ], dynamic_range=(int)[ 0, 255 ], emphasis=(boolean){ false, true }, mute=(boolean){ false, true }; audio/x-ac3; audio/x-eac3; audio/x-dts; audio/x-opus; audio/x-private-ts-lpcmvideo_%01x_%05xvideo/mpeg, mpegversion=(int){ 1, 2, 4 }, systemstream=(boolean)false; video/x-h264, stream-format=(string)byte-stream, alignment=(string)nal; video/x-h265, stream-format=(string)byte-stream, alignment=(string)nal; video/x-dirac; video/x-cavs; video/x-wmv, wmvversion=(int)3, format=(string)WVC1; image/x-jpcprogram_%udtsdecDecodes DTS audio streamsaudio/x-raw, format=(string)F32LE, layout=(string)interleaved, rate=(int)[ 4000, 96000 ], channels=(int)[ 1, 6 ]audio/x-dts; audio/x-private1-dtssndfileuse libsndfile to read and write various audio formatsaudio/x-ircam; audio/x-nist; audio/x-paris; audio/x-rf64; audio/x-sds; audio/x-svx; audio/x-voc; audio/x-w64; audio/x-xiaudio/x-raw, format=(string){ F32LE, S32LE, S16LE }, layout=(string)interleaved, rate=(int)[ 1, 2147483647 ], channels=(int)[ 1, 2147483647 ]apetagAPEv1/2 tag readershout2Sends data to an icecast server using libshout2application/ogg; audio/ogg; video/ogg; audio/mpeg, mpegversion=(int)1, layer=(int)[ 1, 3 ]; video/webm; audio/webminterplugin for inter-pipeline communicationtext/plainapplication/unknownivtcInverse Telecinevideo/x-raw, format=(string){ I420, Y444, Y42B }, width=(int)[ 1, 2048 ], height=(int)[ 1, 2147483647 ], framerate=(fraction)[ 0/1, 2147483647/1 ]libvisuallibvisual visualization pluginsvmncVmWare Video Codec pluginsvideo/x-vmnc, version=(int)1, framerate=(fraction)[ 0/1, 2147483647/1 ], width=(int)[ 0, 2147483647 ], height=(int)[ 0, 2147483647 ]video/x-raw, format=(string){ RGBx, BGRx, xRGB, x
Source: file-grey.elf, 6220.1.000055dd5e110000.000055dd5e551000.rw-.sdmp	Binary or memory string: ame=(string)"libav\ VMware\ Screen\ Codec\ /\ VMware\ Video\ decoder", klass=(string)Codec/Decoder/Video, description=(string)"libav\ vmnc\ decoder", author=(string)"Wim\ Taymans\ \<wim.taymans\@gmail.com\>\,\ Ronald\ Bultje\ \<rbultje\@ronald.bitfreak.net\>\,\ Edward\ Hervey\ \<bilboed\@bilboed.com\>";
Source: file-grey.elf, 6220.1.000055dd5e110000.000055dd5e551000.rw-.sdmp	Binary or memory string: Uame=(string)"VMnc\ video\ decoder", klass=(string)Codec/Decoder/Video, description=(string)"Decode\ VmWare\ video\ to\ raw\ \(RGB\)\ video", author=(string)"Michael\ Smith\ \<msmith\@xiph.org\>";
Source: file-grey.elf, 6220.1.000055dd5e110000.000055dd5e551000.rw-.sdmp	Binary or memory string: Qlibav VMware Screen Codec / VMware Video decoderdecoder"!libav vp6a decoderer"
Source: file-grey.elf, 6220.1.000055dd5e110000.000055dd5e551000.rw-.sdmp	Binary or memory string: U!HOME/.libvisual/actor!plugin151A/usr/lib/x86_64-linux-gnu/gstreamer-1.0/libgstvmnc.so!libgstvmnc.so!vmncdec5!VMnc video decoderer"!Codec/Decoder/VideoQGL Shading Language effects - Sepia Toning Effect Effect"ADecode VmWare video to raw (RGB) video)\ video"

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	Path Interception	11 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 File and Directory Permissions Modification	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Hidden Files and Directories	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file-grey.elf	42%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://xiph.org)//xiph.org	0%	Avira URL Cloud	safe
http://xiph.org)xiph.org	0%	Avira URL Cloud	safe
http://www.freedesktop.org/wiki/Software/Farstreamapplication/x-rtp	0%	Avira URL Cloud	safe
https://nice.freedesktop.org/	0%	Avira URL Cloud	safe
http://xiph.org)audio/x-vorbisapplication/x-ogg-aviapplication/oggapplication/x-ogm-textapplication/	0%	Avira URL Cloud	safe
https://nice.freedesktop.org/vpxVP8	0%	Avira URL Cloud	safe
http://xiph.org)	0%	Avira URL Cloud	safe
http://www.clutter-project.org	0%	Avira URL Cloud	safe
http://www.clutter-project.orgadpcmencADPCM	0%	Avira URL Cloud	safe
http://xiph.org)ph.org	0%	Avira URL Cloud	safe
http://www.freedesktop.org/wiki/Software/Farstream	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://launchpad.net/distros/ubuntu/	registry.x86_64.bin.tmpE9S3Z2.12.dr	false		high
http://xiph.org)//xiph.org	file-grey.elf, 6220.1.000055dd5e110000.000055dd5e551000.rw-.sdmp	false	Avira URL Cloud: safe	unknown
http://xiph.org)xiph.org	file-grey.elf, 6220.1.000055dd5e110000.000055dd5e551000.rw-.sdmp	false	Avira URL Cloud: safe	unknown
http://www.freedesktop.org/wiki/Software/Farstreamapplication/x-rtp	file-grey.elf, 6220.1.000055dd5e110000.000055dd5e551000.rw-.sdmp	false	Avira URL Cloud: safe	unknown
http://xiph.org)	file-grey.elf, 6220.1.000055dd5e110000.000055dd5e551000.rw-.sdmp	false	Avira URL Cloud: safe	unknown
http://xiph.org)ph.org	file-grey.elf, 6220.1.000055dd5e110000.000055dd5e551000.rw-.sdmp	false	Avira URL Cloud: safe	unknown
http://xiph.org	file-grey.elf, 6220.1.000055dd5e110000.000055dd5e551000.rw-.sdmp	false		high
https://nice.freedesktop.org/vpxVP8	file-grey.elf, 6220.1.000055dd5e110000.000055dd5e551000.rw-.sdmp	false	Avira URL Cloud: safe	unknown
https://nice.freedesktop.org/	file-grey.elf, 6220.1.000055dd5e110000.000055dd5e551000.rw-.sdmp	false	Avira URL Cloud: safe	unknown
http://www.clutter-project.org	file-grey.elf, 6220.1.000055dd5e110000.000055dd5e551000.rw-.sdmp	false	Avira URL Cloud: safe	unknown
http://www.clutter-project.orgadpcmencADPCM	file-grey.elf, 6220.1.000055dd5e110000.000055dd5e551000.rw-.sdmp	false	Avira URL Cloud: safe	unknown
http://xiph.org)audio/x-vorbisapplication/x-ogg-aviapplication/oggapplication/x-ogm-textapplication/	file-grey.elf, 6220.1.000055dd5e110000.000055dd5e551000.rw-.sdmp	false	Avira URL Cloud: safe	unknown
http://www.freedesktop.org/wiki/Software/Farstream	file-grey.elf, 6220.1.000055dd5e110000.000055dd5e551000.rw-.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43	Aqua.mips.elf	Get hash	malicious	Unknown	Browse
	Aqua.mpsl.elf	Get hash	malicious	Unknown	Browse
	DEMONS.mips.elf	Get hash	malicious	Unknown	Browse
	i.elf	Get hash	malicious	Unknown	Browse
	i.elf	Get hash	malicious	Unknown	Browse
	Hilix.arm5.elf	Get hash	malicious	Mirai	Browse
	i586.elf	Get hash	malicious	Unknown	Browse
	x86_64.elf	Get hash	malicious	Unknown	Browse
	socat.elf	Get hash	malicious	Unknown	Browse
	arm5.elf	Get hash	malicious	Unknown	Browse
91.189.91.42	Aqua.mips.elf	Get hash	malicious	Unknown	Browse
	Aqua.mpsl.elf	Get hash	malicious	Unknown	Browse
	DEMONS.mips.elf	Get hash	malicious	Unknown	Browse
	i.elf	Get hash	malicious	Unknown	Browse
	i.elf	Get hash	malicious	Unknown	Browse
	Hilix.arm5.elf	Get hash	malicious	Mirai	Browse
	i586.elf	Get hash	malicious	Unknown	Browse
	x86_64.elf	Get hash	malicious	Unknown	Browse
	socat.elf	Get hash	malicious	Unknown	Browse
	arm5.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	Aqua.mips.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Aqua.mpsl.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	DEMONS.mips.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	DEMONS.arm5.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	DEMONS.arm7.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	i.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	i.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Hilix.arm5.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	powerpc.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	i586.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
CANONICAL-ASGB	Aqua.mips.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Aqua.mpsl.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	DEMONS.mips.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	DEMONS.arm5.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	DEMONS.arm7.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	i.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	i.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Hilix.arm5.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	powerpc.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	i586.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
INIT7CH	Aqua.mips.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	Aqua.mpsl.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	DEMONS.mips.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	i.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	i.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	Hilix.arm5.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	i586.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	x86_64.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	socat.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	arm5.elf	Get hash	malicious	Unknown	Browse	109.202.202.202

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/root/.cache/gstreamer-1.0/registry.x86_64.bin.tmpE9S3Z2

Download File

Process:	/tmp/file-grey.elf
File Type:	GStreamer binary registry, version 1.12.0
Category:	dropped
Size (bytes):	79664
Entropy (8bit):	5.487370235881576
Encrypted:	false
SSDEEP:	1536:pbKWoP4sZOKzDSPzKoBdt3afOeWAbOArMN/0Ocskiyg/gQlO6H7xhho:b0gA7skiyofu
MD5:	4C60FBB1C270CAB8AA25065D6F77AB5D
SHA1:	3CA70D6D627C90F45EA29A7D1745EFDA02EDC03A
SHA-256:	45523B7623881E88CE92DA5AA50BE0A4FAA1BC9862EF451E97CB3ADA6A94ABF3
SHA-512:	DDC7332FAD733F27EBC64BFF55E95B909CA05D5B636FC74FB6FFC964EE65E379286636643814FDDF486B419D731C46E0134B086BEF2854D0CD3B1DB507CB2FBE
Malicious:	false
Reputation:	low
Preview:	....1.12.0...............................................................................'.`............videorate.Adjusts video frames./usr/lib/x86_64-linux-gnu/gstreamer-1.0/libgstvideorate.so.1.16.2.LGPL.gst-plugins-base.GStreamer Base Plugins (Ubuntu).https://launchpad.net/distros/ubuntu/+source/gst-plugins-base1.0.2019-12-03..GstElementFactory.videorate.........................metadata, long-name=(string)"Video\ rate\ adjuster", klass=(string)Filter/Effect/Video, description=(string)"Drops/duplicates/adjusts\ timestamps\ on\ video\ frames\ to\ make\ a\ perfect\ stream", author=(string)"Wim\ Taymans\ \<wim\@fluendo.com\>";...............sink.video/x-raw(ANY); video/x-bayer(ANY); image/jpeg(ANY); image/png(ANY)..............src.video/x-raw(ANY); video/x-bayer(ANY); image/jpeg(ANY); image/png(ANY)........{.......Rx`............level.Audio level plugin./usr/lib/x86_64-linux-gnu/gstreamer-1.0/libgstlevel.so.1.16.2.LGPL.gst-plugins-good.GStreamer Good Plugins (Ubuntu).https://launchpad.n

Static File Info

General

File type:	ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=16dde2b99c391271495c20fcf806ec19837098e1, not stripped
Entropy (8bit):	5.510166103682835
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 49.77% ELF Executable and Linkable format (generic) (4004/1) 49.46% Lumena CEL bitmap (63/63) 0.78%
File name:	file-grey.elf
File size:	53'920 bytes
MD5:	9df07b64a28b61e4c7a9f8c8e8d2a801
SHA1:	a3aae326109751edac5145ff1b679f8935177ad7
SHA256:	a02eeb92a977c0749f93e6c7959159e68aa3a9e93c77f1fce81dc4b014e7c545
SHA512:	1cdda2ae5944c9b38d102b7cbdeee0ad61cc89b4c92d80553f7d7fcd4c9b58245a4417524e10d0d064973936ee4a6cefc0b112c932c55e2899236550364418bf
SSDEEP:	1536:9sU7CNr299ggdjVEs3n9DXPtxOnb1Cy4u:yUqr+FdjVT3n9Dt0Cy3
TLSH:	7F33B5C0EA808974C1C4D771C8EF6117A8B2FCADC7741B6F1504B53A7D6A2162F2ABB5
File Content Preview:	.ELF..............>.............@.......`...........@.8...@.............@.......@.......@.......................................8.......8.......8................................................................................. .............8.......8. ....

Static ELF Info

ELF header
Class:	ELF64
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Advanced Micro Devices X86-64
Version Number:	0x1
Type:	DYN (Shared object file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x1f10
Flags:	0x0
ELF Header Size:	64
Program Header Offset:	64
Program Header Size:	56
Number of Program Headers:	9
Section Header Offset:	52064
Section Header Size:	64
Number of Section Headers:	29
Header String Table Index:	28

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Link	Info	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0	0	0
.interp	PROGBITS	0x238	0x238	0x1c	0x0	0x2	A	0	0	1
.note.ABI-tag	NOTE	0x254	0x254	0x20	0x0	0x2	A	0	0	4
.note.gnu.build-id	NOTE	0x274	0x274	0x24	0x0	0x2	A	0	0	4
.gnu.hash	GNU_HASH	0x298	0x298	0x48	0x0	0x2	A	5	0	8
.dynsym	DYNSYM	0x2e0	0x2e0	0x840	0x18	0x2	A	6	1	8
.dynstr	STRTAB	0xb20	0xb20	0x3d8	0x0	0x2	A	0	0	1
.gnu.version	VERSYM	0xef8	0xef8	0xb0	0x2	0x2	A	5	0	2
.gnu.version_r	VERNEED	0xfa8	0xfa8	0x60	0x0	0x2	A	6	2	8
.rela.dyn	RELA	0x1008	0x1008	0x108	0x18	0x2	A	5	0	8
.rela.plt	RELA	0x1110	0x1110	0x6d8	0x18	0x42	AI	5	22	8
.init	PROGBITS	0x17e8	0x17e8	0x17	0x0	0x6	AX	0	0	4
.plt	PROGBITS	0x1800	0x1800	0x4a0	0x10	0x6	AX	0	0	16
.plt.got	PROGBITS	0x1ca0	0x1ca0	0x8	0x8	0x6	AX	0	0	8
.text	PROGBITS	0x1cb0	0x1cb0	0x64c2	0x0	0x6	AX	0	0	16
.fini	PROGBITS	0x8174	0x8174	0x9	0x0	0x6	AX	0	0	4
.rodata	PROGBITS	0x8180	0x8180	0x2118	0x0	0x2	A	0	0	16
.eh_frame_hdr	PROGBITS	0xa298	0xa298	0x124	0x0	0x2	A	0	0	4
.eh_frame	PROGBITS	0xa3c0	0xa3c0	0x5e0	0x0	0x2	A	0	0	8
.init_array	INIT_ARRAY	0x20ab38	0xab38	0x8	0x8	0x3	WA	0	0	8
.fini_array	FINI_ARRAY	0x20ab40	0xab40	0x8	0x8	0x3	WA	0	0	8
.dynamic	DYNAMIC	0x20ab48	0xab48	0x230	0x10	0x3	WA	6	0	8
.got	PROGBITS	0x20ad78	0xad78	0x288	0x8	0x3	WA	0	0	8
.data	PROGBITS	0x20b000	0xb000	0x14	0x0	0x3	WA	0	0	8
.bss	NOBITS	0x20b020	0xb014	0x40	0x0	0x3	WA	0	0	32
.comment	PROGBITS	0x0	0xb014	0x2b	0x1	0x30	MS	0	0	1
.symtab	SYMTAB	0x0	0xb040	0x1068	0x18	0x0		27	51	8
.strtab	STRTAB	0x0	0xc0a8	0x9b4	0x0	0x0		0	0	1
.shstrtab	STRTAB	0x0	0xca5c	0xfe	0x0	0x0		0	0	1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Prog Interpreter	Section Mappings
PHDR	0x40	0x40	0x40	0x1f8	0x1f8	1.7455	0x4	R	0x8
INTERP	0x238	0x238	0x238	0x1c	0x1c	3.9408	0x4	R	0x1	/lib64/ld-linux-x86-64.so.2	.interp
LOAD	0x0	0x0	0x0	0xa9a0	0xa9a0	5.8474	0x5	R E	0x200000		.interp .note.ABI-tag .note.gnu.build-id .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .plt.got .text .fini .rodata .eh_frame_hdr .eh_frame
LOAD	0xab38	0x20ab38	0x20ab38	0x4dc	0x528	1.8581	0x6	RW	0x200000		.init_array .fini_array .dynamic .got .data .bss
DYNAMIC	0xab48	0x20ab48	0x20ab48	0x230	0x230	1.5604	0x6	RW	0x8		.dynamic
NOTE	0x254	0x254	0x254	0x44	0x44	3.3967	0x4	R	0x4		.note.ABI-tag .note.gnu.build-id
GNU_EH_FRAME	0xa298	0xa298	0xa298	0x124	0x124	4.2903	0x4	R	0x4		.eh_frame_hdr
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x10
GNU_RELRO	0xab38	0x20ab38	0x20ab38	0x4c8	0x4c8	1.8420	0x4	R	0x1		.init_array .fini_array .dynamic .got

Dynamic Tags

Type	Meta	Value	Tag
DT_NEEDED	sharedlib	libgobject-2.0.so.0	0x1
DT_NEEDED	sharedlib	libglib-2.0.so.0	0x1
DT_NEEDED	sharedlib	libgstreamer-1.0.so.0	0x1
DT_NEEDED	sharedlib	libpthread.so.0	0x1
DT_NEEDED	sharedlib	libc.so.6	0x1
DT_INIT	value	0x17e8	0xc
DT_FINI	value	0x8174	0xd
DT_INIT_ARRAY	value	0x20ab38	0x19
DT_INIT_ARRAYSZ	bytes	8	0x1b
DT_FINI_ARRAY	value	0x20ab40	0x1a
DT_FINI_ARRAYSZ	bytes	8	0x1c
DT_GNU_HASH	value	0x298	0x6ffffef5
DT_STRTAB	value	0xb20	0x5
DT_SYMTAB	value	0x2e0	0x6
DT_STRSZ	bytes	984	0xa
DT_SYMENT	bytes	24	0xb
DT_DEBUG	value	0x0	0x15
DT_PLTGOT	value	0x20ad78	0x3
DT_PLTRELSZ	bytes	1752	0x2
DT_PLTREL	pltrel	DT_RELA	0x14
DT_JMPREL	value	0x1110	0x17
DT_RELA	value	0x1008	0x7
DT_RELASZ	bytes	264	0x8
DT_RELAENT	bytes	24	0x9
DT_FLAGS	value	0x8	0x1e
DT_FLAGS_1	value	0x8000001	0x6ffffffb
DT_VERNEED	value	0xfa8	0x6ffffffe
DT_VERNEEDNUM	value	2	0x6fffffff
DT_VERSYM	value	0xef8	0x6ffffff0
DT_RELACOUNT	value	3	0x6ffffff9
DT_NULL	value	0x0	0x0

Symbols

Name	Version Info Name	Version Info File Name	Section Name	Value	Size	Symbol Type	Symbol Bind	Symbol Visibility	Ndx
			.dynsym	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
_ITM_deregisterTMCloneTable			.dynsym	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
_ITM_registerTMCloneTable			.dynsym	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__bss_start			.dynsym	0x20b014	0	NOTYPE	<unknown>	DEFAULT	24
__cxa_finalize	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__errno_location	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__gmon_start__			.dynsym	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__libc_start_main	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__printf_chk	GLIBC_2.3.4	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__recv_chk	GLIBC_2.4	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__snprintf_chk	GLIBC_2.3.4	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__stack_chk_fail	GLIBC_2.4	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__strncat_chk	GLIBC_2.3.4	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__syslog_chk	GLIBC_2.4	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__xstat	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_edata			.dynsym	0x20b014	0	NOTYPE	<unknown>	DEFAULT	23
_end			.dynsym	0x20b060	0	NOTYPE	<unknown>	DEFAULT	24
_fini			.dynsym	0x8174	0	FUNC	<unknown>	DEFAULT	15
_init			.dynsym	0x17e8	0	FUNC	<unknown>	DEFAULT	11
accept	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
bind	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
chdir	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
clock	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
error			.dynsym	0x2230	57	FUNC	<unknown>	DEFAULT	14
execv	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
exit	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fclose	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fgetc	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fgets	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fopen	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fork	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fputc	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fread	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
free	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
freopen	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fseek	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
ftell	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fwrite	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
g_error_free			.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
g_free			.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
g_main_loop_new			.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
g_main_loop_quit			.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
g_main_loop_run			.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
g_main_loop_unref			.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
g_print			.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
g_printerr			.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
g_signal_connect_data			.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
getenv	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
gst_bus_add_signal_watch			.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
gst_element_get_bus			.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
gst_element_set_state			.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
gst_init			.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
gst_message_parse_buffering			.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
gst_message_parse_error			.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
gst_object_unref			.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
gst_parse_launch			.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
listen	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
localtime	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
malloc	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
memset	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
open	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pclose	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
perror	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
popen	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pthread_create	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pthread_exit	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pthread_join	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
puts	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
read	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
recv	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
rewind	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
send	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
setbuf	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
setsockopt	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
shutdown	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
socket	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
stderr	GLIBC_2.2.5	libc.so.6	.dynsym	0x20b040	8	OBJECT	<unknown>	DEFAULT	24
stdin	GLIBC_2.2.5	libc.so.6	.dynsym	0x20b020	8	OBJECT	<unknown>	DEFAULT	24
stdout	GLIBC_2.2.5	libc.so.6	.dynsym	0x20b048	8	OBJECT	<unknown>	DEFAULT	24
strcat	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
strerror	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
strftime	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
strlen	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
strncpy	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
strstr	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
system	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
time	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
umask	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
			.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
			.symtab	0x238	0	SECTION	<unknown>	DEFAULT	1
	GLIBC_2.2.5	libc.so.6	.symtab	0x254	0	SECTION	<unknown>	DEFAULT	2
			.symtab	0x274	0	SECTION	<unknown>	DEFAULT	3
	GLIBC_2.2.5	libc.so.6	.symtab	0x298	0	SECTION	<unknown>	DEFAULT	4
	GLIBC_2.2.5	libc.so.6	.symtab	0x2e0	0	SECTION	<unknown>	DEFAULT	5
	GLIBC_2.2.5	libc.so.6	.symtab	0xb20	0	SECTION	<unknown>	DEFAULT	6
	GLIBC_2.2.5	libc.so.6	.symtab	0xef8	0	SECTION	<unknown>	DEFAULT	7
			.symtab	0xfa8	0	SECTION	<unknown>	DEFAULT	8
			.symtab	0x1008	0	SECTION	<unknown>	DEFAULT	9
			.symtab	0x1110	0	SECTION	<unknown>	DEFAULT	10
			.symtab	0x17e8	0	SECTION	<unknown>	DEFAULT	11
	GLIBC_2.2.5	libc.so.6	.symtab	0x1800	0	SECTION	<unknown>	DEFAULT	12
	GLIBC_2.2.5	libc.so.6	.symtab	0x1ca0	0	SECTION	<unknown>	DEFAULT	13
	GLIBC_2.2.5	libc.so.6	.symtab	0x1cb0	0	SECTION	<unknown>	DEFAULT	14
	GLIBC_2.3.4	libc.so.6	.symtab	0x8174	0	SECTION	<unknown>	DEFAULT	15
			.symtab	0x8180	0	SECTION	<unknown>	DEFAULT	16
	GLIBC_2.2.5	libpthread.so.0	.symtab	0xa298	0	SECTION	<unknown>	DEFAULT	17
			.symtab	0xa3c0	0	SECTION	<unknown>	DEFAULT	18
	GLIBC_2.2.5	libc.so.6	.symtab	0x20ab38	0	SECTION	<unknown>	DEFAULT	19
	GLIBC_2.2.5	libc.so.6	.symtab	0x20ab40	0	SECTION	<unknown>	DEFAULT	20
	GLIBC_2.2.5	libc.so.6	.symtab	0x20ab48	0	SECTION	<unknown>	DEFAULT	21
	GLIBC_2.2.5	libpthread.so.0	.symtab	0x20ad78	0	SECTION	<unknown>	DEFAULT	22
	GLIBC_2.2.5	libc.so.6	.symtab	0x20b000	0	SECTION	<unknown>	DEFAULT	23
	GLIBC_2.2.5	libc.so.6	.symtab	0x20b020	0	SECTION	<unknown>	DEFAULT	24
	GLIBC_2.2.5	libc.so.6	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	25
			.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
Lshift_used			.symtab	0x3e50	1466	FUNC	<unknown>	DEFAULT	14
Lshift_used_sustained	GLIBC_2.2.5	libc.so.6	.symtab	0x24d0	1763	FUNC	<unknown>	DEFAULT	14
Rshift_used			.symtab	0x38a0	1441	FUNC	<unknown>	DEFAULT	14
Rshift_used_sustained			.symtab	0x4410	1763	FUNC	<unknown>	DEFAULT	14
_DYNAMIC	GLIBC_2.2.5	libc.so.6	.symtab	0x20ab48	0	OBJECT	<unknown>	DEFAULT	21
_GLOBAL_OFFSET_TABLE_	GLIBC_2.2.5	libc.so.6	.symtab	0x20ad78	0	OBJECT	<unknown>	DEFAULT	22
_IO_stdin_used			.symtab	0x8180	4	OBJECT	<unknown>	DEFAULT	16
_ITM_deregisterTMCloneTable			.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
_ITM_registerTMCloneTable			.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__FRAME_END__	GLIBC_2.2.5	libpthread.so.0	.symtab	0xa99c	0	OBJECT	<unknown>	DEFAULT	18
__GNU_EH_FRAME_HDR	GLIBC_2.4	libc.so.6	.symtab	0xa298	0	NOTYPE	<unknown>	DEFAULT	17
__TMC_END__			.symtab	0x20b018	0	OBJECT	<unknown>	HIDDEN	23
__bss_start			.symtab	0x20b014	0	NOTYPE	<unknown>	DEFAULT	24
__cxa_finalize@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__data_start			.symtab	0x20b000	0	NOTYPE	<unknown>	DEFAULT	23
__do_global_dtors_aux	GLIBC_2.2.5	libc.so.6	.symtab	0x1fd0	0	FUNC	<unknown>	DEFAULT	14
__do_global_dtors_aux_fini_array_entry	GLIBC_2.4	libc.so.6	.symtab	0x20ab40	0	OBJECT	<unknown>	DEFAULT	20
__dso_handle			.symtab	0x20b008	0	OBJECT	<unknown>	HIDDEN	23
__errno_location@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__frame_dummy_init_array_entry	GLIBC_2.2.5	libc.so.6	.symtab	0x20ab38	0	OBJECT	<unknown>	DEFAULT	19
__gmon_start__	GLIBC_2.3.4	libc.so.6	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__init_array_end	GLIBC_2.2.5	libc.so.6	.symtab	0x20ab40	0	NOTYPE	<unknown>	DEFAULT	19
__init_array_start	GLIBC_2.2.5	libc.so.6	.symtab	0x20ab38	0	NOTYPE	<unknown>	DEFAULT	19
__libc_csu_fini			.symtab	0x8170	2	FUNC	<unknown>	DEFAULT	14
__libc_csu_init			.symtab	0x8100	101	FUNC	<unknown>	DEFAULT	14
__libc_start_main@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__printf_chk@@GLIBC_2.3.4	GLIBC_2.2.5	libc.so.6	.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__recv_chk@@GLIBC_2.4			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__snprintf_chk@@GLIBC_2.3.4			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__stack_chk_fail@@GLIBC_2.4			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__strncat_chk@@GLIBC_2.3.4			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__syslog_chk@@GLIBC_2.4			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__xstat@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_edata			.symtab	0x20b014	0	NOTYPE	<unknown>	DEFAULT	23
_end			.symtab	0x20b060	0	NOTYPE	<unknown>	DEFAULT	24
_fini	GLIBC_2.2.5	libc.so.6	.symtab	0x8174	0	FUNC	<unknown>	DEFAULT	15
_init			.symtab	0x17e8	0	FUNC	<unknown>	DEFAULT	11
_start	GLIBC_2.2.5	libc.so.6	.symtab	0x1f10	43	FUNC	<unknown>	DEFAULT	14
accept@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
bind@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
cb_message	GLIBC_2.2.5	libc.so.6	.symtab	0x5950	289	FUNC	<unknown>	DEFAULT	14
chdir@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
clean_buffer			.symtab	0x80a0	24	FUNC	<unknown>	DEFAULT	14
clock@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
completed.7697	GLIBC_2.2.5	libc.so.6	.symtab	0x20b050	1	OBJECT	<unknown>	DEFAULT	24
crtstuff.c	GLIBC_2.2.5	libc.so.6	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
crtstuff.c	GLIBC_2.2.5	libc.so.6	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
csock			.symtab	0x20b054	4	OBJECT	<unknown>	DEFAULT	24
daemonize			.symtab	0x7f20	381	FUNC	<unknown>	DEFAULT	14
data_start			.symtab	0x20b000	0	NOTYPE	<unknown>	DEFAULT	23
debian_error			.symtab	0x2020	57	FUNC	<unknown>	DEFAULT	14
debian_get_kb_device_filename			.symtab	0x2060	358	FUNC	<unknown>	DEFAULT	14
debian_keylogger_init			.symtab	0x2200	2	FUNC	<unknown>	DEFAULT	14
debian_keylogger_utils.c	GLIBC_2.2.5	libc.so.6	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
deregister_tm_clones			.symtab	0x1f40	0	FUNC	<unknown>	DEFAULT	14
dispatch_modules	GLIBC_2.2.5	libc.so.6	.symtab	0x6db0	4450	FUNC	<unknown>	DEFAULT	14
error			.symtab	0x2230	57	FUNC	<unknown>	DEFAULT	14
exec_get_proces_cmd	GLIBC_2.2.5	libc.so.6	.symtab	0x4b00	613	FUNC	<unknown>	DEFAULT	14
execute_cmd	GLIBC_2.2.5	libc.so.6	.symtab	0x5ea0	444	FUNC	<unknown>	DEFAULT	14
execute_record_cmd			.symtab	0x6060	1635	FUNC	<unknown>	DEFAULT	14
execv@@GLIBC_2.2.5	GLIBC_2.4	libc.so.6	.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
exit@@GLIBC_2.2.5	GLIBC_2.2.5	libc.so.6	.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fclose@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fedora_keylogger_init			.symtab	0x2220	2	FUNC	<unknown>	DEFAULT	14
fgetc@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fgets@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fopen@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fork@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fputc@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
frame_dummy	GLIBC_2.2.5	libc.so.6	.symtab	0x2010	0	FUNC	<unknown>	DEFAULT	14
fread@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
free@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
freopen@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fseek@@GLIBC_2.2.5	GLIBC_2.2.5	libc.so.6	.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
ftell@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fwrite@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
g_error_free			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
g_free	GLIBC_2.2.5	libpthread.so.0	.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
g_main_loop_new			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
g_main_loop_quit	GLIBC_2.2.5	libc.so.6	.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
g_main_loop_run			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
g_main_loop_unref			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
g_print			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
g_printerr	GLIBC_2.3.4	libc.so.6	.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
g_signal_connect_data			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
get_kb_device_filename			.symtab	0x2270	598	FUNC	<unknown>	DEFAULT	14
getenv@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
gst_bus_add_signal_watch	GLIBC_2.2.5	libpthread.so.0	.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
gst_element_get_bus			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
gst_element_set_state			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
gst_init			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
gst_message_parse_buffering			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
gst_message_parse_error			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
gst_object_unref	GLIBC_2.2.5	libc.so.6	.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
gst_parse_launch	GLIBC_2.2.5	libc.so.6	.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
kali_keylogger_init			.symtab	0x2210	2	FUNC	<unknown>	DEFAULT	14
keylogger			.symtab	0x2bc0	3295	FUNC	<unknown>	DEFAULT	14
keylogger.c	GLIBC_2.2.5	libpthread.so.0	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
keylogger_utils.c	GLIBC_2.2.5	libc.so.6	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
listen@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
localtime@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
log_keys.c	GLIBC_2.2.5	libc.so.6	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
main			.symtab	0x1cb0	598	FUNC	<unknown>	DEFAULT	14
malloc@@GLIBC_2.2.5	GLIBC_2.2.5	libc.so.6	.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
memset@@GLIBC_2.2.5	GLIBC_2.2.5	libpthread.so.0	.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
mint_keylogger_init			.symtab	0x21f0	2	FUNC	<unknown>	DEFAULT	14
on_video	GLIBC_2.2.5	libc.so.6	.symtab	0x20b010	4	OBJECT	<unknown>	DEFAULT	23
open@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pclose@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
perror@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
popen@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pthread_create@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pthread_exit@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pthread_join@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
puts@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
read@@GLIBC_2.2.5	GLIBC_2.2.5	libpthread.so.0	.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
recv@@GLIBC_2.2.5	GLIBC_2.2.5	libc.so.6	.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
recv_upload			.symtab	0x66d0	1751	FUNC	<unknown>	DEFAULT	14
register_tm_clones	GLIBC_2.2.5	libpthread.so.0	.symtab	0x1f80	0	FUNC	<unknown>	DEFAULT	14
rewind@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
send@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
send_dowloaded_binarie			.symtab	0x5070	739	FUNC	<unknown>	DEFAULT	14
send_dowloaded_file			.symtab	0x5620	813	FUNC	<unknown>	DEFAULT	14
send_hosts_file			.symtab	0x5360	702	FUNC	<unknown>	DEFAULT	14
send_logger_log			.symtab	0x4d70	768	FUNC	<unknown>	DEFAULT	14
setbuf@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
setsockopt@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
shutdown@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
sock	GLIBC_2.2.5	libc.so.6	.symtab	0x20b058	4	OBJECT	<unknown>	DEFAULT	24
socket@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
srv_main.c			.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
start_remote_shell	GLIBC_2.2.5	libc.so.6	.symtab	0x5a80	1055	FUNC	<unknown>	DEFAULT	14
stderr@@GLIBC_2.2.5			.symtab	0x20b040	8	OBJECT	<unknown>	DEFAULT	24
stdin@@GLIBC_2.2.5			.symtab	0x20b020	8	OBJECT	<unknown>	DEFAULT	24
stdout@@GLIBC_2.2.5			.symtab	0x20b048	8	OBJECT	<unknown>	DEFAULT	24
strcat@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
strerror@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
strftime@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
strlen@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
strncpy@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
strstr@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
system@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
time@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
ubuntu16_keylogger_init			.symtab	0x21d0	12	FUNC	<unknown>	DEFAULT	14
ubuntu18_keylogger_init			.symtab	0x21e0	12	FUNC	<unknown>	DEFAULT	14
umask@@GLIBC_2.2.5			.symtab	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
utils.c	GLIBC_2.2.5	libc.so.6	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
wait_time_end			.symtab	0x80c0	56	FUNC	<unknown>	DEFAULT	14

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 15:58:48.630688906 CET	43928	443	192.168.2.23	91.189.91.42
Jan 2, 2025 15:58:54.261909008 CET	42836	443	192.168.2.23	91.189.91.43
Jan 2, 2025 15:58:55.797689915 CET	42516	80	192.168.2.23	109.202.202.202
Jan 2, 2025 15:59:09.619807959 CET	43928	443	192.168.2.23	91.189.91.42
Jan 2, 2025 15:59:19.858375072 CET	42836	443	192.168.2.23	91.189.91.43
Jan 2, 2025 15:59:26.001493931 CET	42516	80	192.168.2.23	109.202.202.202
Jan 2, 2025 15:59:50.574203014 CET	43928	443	192.168.2.23	91.189.91.42
Jan 2, 2025 16:00:11.051348925 CET	42836	443	192.168.2.23	91.189.91.43

System Behavior

Analysis Process: file-grey.elf PID: 6220, Parent PID: 6137

General

Start time (UTC):	14:58:45
Start date (UTC):	02/01/2025
Path:	/tmp/file-grey.elf
Arguments:	/tmp/file-grey.elf
File size:	53920 bytes
MD5 hash:	9df07b64a28b61e4c7a9f8c8e8d2a801

Chronological Activities

Analysis Process: file-grey.elf PID: 6221, Parent PID: 6220

General

Start time (UTC):	14:58:45
Start date (UTC):	02/01/2025
Path:	/tmp/file-grey.elf
Arguments:	-
File size:	53920 bytes
MD5 hash:	9df07b64a28b61e4c7a9f8c8e8d2a801

Chronological Activities

Analysis Process: sh PID: 6221, Parent PID: 6220

General

Start time (UTC):	14:58:45
Start date (UTC):	02/01/2025
Path:	/bin/sh
Arguments:	sh -c "chmod +x script/hodin_daemon.sh"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6222, Parent PID: 6221

General

Start time (UTC):	14:58:45
Start date (UTC):	02/01/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: chmod PID: 6222, Parent PID: 6221

General

Start time (UTC):	14:58:45
Start date (UTC):	02/01/2025
Path:	/usr/bin/chmod
Arguments:	chmod +x script/hodin_daemon.sh
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Chronological Activities

Analysis Process: file-grey.elf PID: 6223, Parent PID: 6220

General

Start time (UTC):	14:58:45
Start date (UTC):	02/01/2025
Path:	/tmp/file-grey.elf
Arguments:	-
File size:	53920 bytes
MD5 hash:	9df07b64a28b61e4c7a9f8c8e8d2a801

Chronological Activities

Analysis Process: sh PID: 6223, Parent PID: 6220

General

Start time (UTC):	14:58:45
Start date (UTC):	02/01/2025
Path:	/bin/sh
Arguments:	sh -c "chmod +x script/delete_startup.sh"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6224, Parent PID: 6223

General

Start time (UTC):	14:58:45
Start date (UTC):	02/01/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: chmod PID: 6224, Parent PID: 6223

General

Start time (UTC):	14:58:45
Start date (UTC):	02/01/2025
Path:	/usr/bin/chmod
Arguments:	chmod +x script/delete_startup.sh
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Chronological Activities

Analysis Process: file-grey.elf PID: 6225, Parent PID: 6220

General

Start time (UTC):	14:58:45
Start date (UTC):	02/01/2025
Path:	/tmp/file-grey.elf
Arguments:	-
File size:	53920 bytes
MD5 hash:	9df07b64a28b61e4c7a9f8c8e8d2a801

Chronological Activities

Analysis Process: sh PID: 6225, Parent PID: 6220

General

Start time (UTC):	14:58:45
Start date (UTC):	02/01/2025
Path:	/bin/sh
Arguments:	sh -c "chmod +x script/startup.sh"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6226, Parent PID: 6225

General

Start time (UTC):	14:58:45
Start date (UTC):	02/01/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: chmod PID: 6226, Parent PID: 6225

General

Start time (UTC):	14:58:45
Start date (UTC):	02/01/2025
Path:	/usr/bin/chmod
Arguments:	chmod +x script/startup.sh
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Chronological Activities

Analysis Process: file-grey.elf PID: 6227, Parent PID: 6220

General

Start time (UTC):	14:58:46
Start date (UTC):	02/01/2025
Path:	/tmp/file-grey.elf
Arguments:	-
File size:	53920 bytes
MD5 hash:	9df07b64a28b61e4c7a9f8c8e8d2a801

Chronological Activities

Analysis Process: sh PID: 6227, Parent PID: 6220

General

Start time (UTC):	14:58:46
Start date (UTC):	02/01/2025
Path:	/bin/sh
Arguments:	sh -c "cp script/hodin_daemon.sh /etc/init.d/"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6228, Parent PID: 6227

General

Start time (UTC):	14:58:46
Start date (UTC):	02/01/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cp PID: 6228, Parent PID: 6227

General

Start time (UTC):	14:58:46
Start date (UTC):	02/01/2025
Path:	/usr/bin/cp
Arguments:	cp script/hodin_daemon.sh /etc/init.d/
File size:	153976 bytes
MD5 hash:	40f10ae7ea3e44218d1a8c306f79c83f

Chronological Activities

Analysis Process: file-grey.elf PID: 6229, Parent PID: 6220

General

Start time (UTC):	14:58:46
Start date (UTC):	02/01/2025
Path:	/tmp/file-grey.elf
Arguments:	-
File size:	53920 bytes
MD5 hash:	9df07b64a28b61e4c7a9f8c8e8d2a801

Chronological Activities

Analysis Process: sh PID: 6229, Parent PID: 6220

General

Start time (UTC):	14:58:46
Start date (UTC):	02/01/2025
Path:	/bin/sh
Arguments:	sh -c "cp srv_hodin /usr/bin/"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6230, Parent PID: 6229

General

Start time (UTC):	14:58:46
Start date (UTC):	02/01/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cp PID: 6230, Parent PID: 6229

General

Start time (UTC):	14:58:46
Start date (UTC):	02/01/2025
Path:	/usr/bin/cp
Arguments:	cp srv_hodin /usr/bin/
File size:	153976 bytes
MD5 hash:	40f10ae7ea3e44218d1a8c306f79c83f

Chronological Activities

Analysis Process: file-grey.elf PID: 6231, Parent PID: 6220

General

Start time (UTC):	14:58:46
Start date (UTC):	02/01/2025
Path:	/tmp/file-grey.elf
Arguments:	-
File size:	53920 bytes
MD5 hash:	9df07b64a28b61e4c7a9f8c8e8d2a801

Chronological Activities

Analysis Process: sh PID: 6231, Parent PID: 6220

General

Start time (UTC):	14:58:46
Start date (UTC):	02/01/2025
Path:	/bin/sh
Arguments:	sh -c "cp srv_hodin /usr/sbin/"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6232, Parent PID: 6231

General

Start time (UTC):	14:58:46
Start date (UTC):	02/01/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cp PID: 6232, Parent PID: 6231

General

Start time (UTC):	14:58:46
Start date (UTC):	02/01/2025
Path:	/usr/bin/cp
Arguments:	cp srv_hodin /usr/sbin/
File size:	153976 bytes
MD5 hash:	40f10ae7ea3e44218d1a8c306f79c83f

Chronological Activities

Analysis Process: file-grey.elf PID: 6233, Parent PID: 6220

General

Start time (UTC):	14:58:46
Start date (UTC):	02/01/2025
Path:	/tmp/file-grey.elf
Arguments:	-
File size:	53920 bytes
MD5 hash:	9df07b64a28b61e4c7a9f8c8e8d2a801

Chronological Activities

Analysis Process: sh PID: 6233, Parent PID: 6220

General

Start time (UTC):	14:58:46
Start date (UTC):	02/01/2025
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/hodin_daemon.sh /etc/rc2.d/S88hodin_daemon.sh"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6234, Parent PID: 6233

General

Start time (UTC):	14:58:46
Start date (UTC):	02/01/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: ln PID: 6234, Parent PID: 6233

General

Start time (UTC):	14:58:46
Start date (UTC):	02/01/2025
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/hodin_daemon.sh /etc/rc2.d/S88hodin_daemon.sh
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Chronological Activities

Analysis Process: file-grey.elf PID: 6235, Parent PID: 6220

General

Start time (UTC):	14:58:46
Start date (UTC):	02/01/2025
Path:	/tmp/file-grey.elf
Arguments:	-
File size:	53920 bytes
MD5 hash:	9df07b64a28b61e4c7a9f8c8e8d2a801

Chronological Activities

Analysis Process: gst-plugin-scanner PID: 6235, Parent PID: 6220

General

Start time (UTC):	14:58:46
Start date (UTC):	02/01/2025
Path:	/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner
Arguments:	/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner -l /tmp/file-grey.elf
File size:	14488 bytes
MD5 hash:	caaae748bd9798d2f4b3d09c94a9e5f4

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report file-grey.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/root/.cache/gstreamer-1.0/registry.x86_64.bin.tmpE9S3Z2

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Dynamic Tags

Symbols

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: file-grey.elf PID: 6220, Parent PID: 6137

General

Chronological Activities

Analysis Process: file-grey.elf PID: 6221, Parent PID: 6220

General

Chronological Activities

Analysis Process: sh PID: 6221, Parent PID: 6220

General

Chronological Activities

Analysis Process: sh PID: 6222, Parent PID: 6221

General

Chronological Activities

Analysis Process: chmod PID: 6222, Parent PID: 6221

General

Chronological Activities

Analysis Process: file-grey.elf PID: 6223, Parent PID: 6220

General

Chronological Activities

Analysis Process: sh PID: 6223, Parent PID: 6220

Linux Analysis Report
file-grey.elf