Linux Analysis Report
sh4.elf

Overview

General Information

Sample name: sh4.elf
Analysis ID: 1616928
MD5: 9cc23e06a91999d097f8d5fa12cb7c16
SHA1: 7eea606962da8d2c5c2c0f6de6d58adb177cfe8f
SHA256: 4117f651310c95849278e7ebf95625261e127a5d25ba35ccb241496b01c055eb
Tags: elf, user-abuse_ch

Detection

Score: 52
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
Sample reads /proc/mounts (often used for finding a writable filesystem)
Enumerates processes within the "proc" file system
Sample has stripped symbol table
Sample listens on a socket
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1616928
Start date and time: 2025-02-17 11:03:21 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 30s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: sh4.elf
Detection: MAL
Classification: mal52.troj.linELF@0/1@2/0
Command: /tmp/sh4.elf
PID: 5486
Exit Code: 139
Exit Code Info: SIGSEGV (11) Segmentation fault invalid memory reference
Killed: False
Standard Output:

Standard Error: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
  • system is lnxubuntu20
  • sh4.elf (PID: 5486, Parent: 5411, MD5: 8943e5f8f8c280467b4472c15ae93ba9) Arguments: /tmp/sh4.elf
  • cleanup
No yara matches
No Suricata rule has matched

AV Detection

Source: sh4.elf; ReversingLabs: Detection: 13%
Source: /tmp/sh4.elf (PID: 5486); Socket: 127.0.0.1:43478
Source: global traffic; TCP traffic: 192.168.2.14:46540 -> 185.125.190.26:443
Source: unknown; TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: daisy.ubuntu.com
Source: unknown; Network traffic detected: HTTP traffic on port 46540 -> 443
Source: ELF static info symbol of initial sample; .symtab present: no
Source: classification engine; Classification label: mal52.troj.linELF@0/1@2/0

Persistence and Installation Behavior

Source: /tmp/sh4.elf (PID: 5486); File: /proc/5486/mounts
Source: /tmp/sh4.elf (PID: 5486); File opened: /proc/3244/maps
Source: /tmp/sh4.elf (PID: 5486); File opened: /proc/3244/status
Source: /tmp/sh4.elf (PID: 5486); File opened: /proc/3244/cmdline
Source: /tmp/sh4.elf (PID: 5486); Queries kernel information via 'uname'
Source: sh4.elf, 5486.1.00007ffdb25db000.00007ffdb25fc000.rw-.sdmp; Binary or memory string: =x86_64/usr/bin/qemu-sh4/tmp/sh4.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/sh4.elf
Source: sh4.elf, 5486.1.00007ffdb25db000.00007ffdb25fc000.rw-.sdmp; Binary or memory string: 9rU/tmp/qemu-open.wEwSs1
Source: sh4.elf, 5486.1.00007ffdb25db000.00007ffdb25fc000.rw-.sdmp; Binary or memory string: /qemu-open.XXXXX
Source: sh4.elf, 5486.1.00007ffdb25db000.00007ffdb25fc000.rw-.sdmp; Binary or memory string: /usr/bin/qemu-sh4
Source: sh4.elf, 5486.1.000055723ca7d000.000055723cb00000.rw-.sdmp; Binary or memory string: /etc/qemu-binfmt/sh4
Source: sh4.elf, 5486.1.00007ffdb25db000.00007ffdb25fc000.rw-.sdmp; Binary or memory string: /tmp/qemu-open.wEwSs1
Source: sh4.elf, 5486.1.00007ffdb25db000.00007ffdb25fc000.rw-.sdmp; Binary or memory string: /proc/n/qemu-open.XXXXX
Source: sh4.elf, 5486.1.000055723ca7d000.000055723cb00000.rw-.sdmp; Binary or memory string: <rU5!/etc/qemu-binfmt/sh4
Source: sh4.elf, 5486.1.00007ffdb25db000.00007ffdb25fc000.rw-.sdmp; Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Direct Volume Access; Rootkit; Obfuscated Files or Information
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: 11 Security Software Discovery; 1 File and Directory Discovery; Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Command and Control: 1 Encrypted Channel; 1 Non-Application Layer Protocol; 2 Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
No configs have been found
[Behavior graph: ID 1616928; Sample: sh4.elf; Startdate: 17/02/2025; Architecture: LINUX; Score: 52. Nodes: sh4.elf (started); 185.125.190.26, 443 (CANONICAL-ASGB, United Kingdom); daisy.ubuntu.com. Signatures: Multi AV Scanner detection for submitted file; Sample reads /proc/mounts (often used for finding a writable filesystem).]
Source: sh4.elf; Detection: 14%; Scanner: ReversingLabs; Label: Linux.Backdoor.Gafgyt
No Antivirus matches

Name: daisy.ubuntu.com; IP: 162.213.35.24; Active: true; Malicious: false; Reputation: high
IP: 185.125.190.26; Domain: unknown; Country: United Kingdom; ASN: 41231; ASN Name: CANONICAL-ASGB; Malicious: false
Process: /tmp/sh4.elf
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 13
Entropy (8bit): 3.5465935642949384
Encrypted: false
SSDEEP: 3:TgKYn:TgKYn
MD5: AEF4020327A62D78F5A8202D453B0A74
SHA1: 84FC7A7CBE0B4EF5BDB927B95EA1BD01665BE8B1
SHA-256: 1878DDF74B755A998CBFD2140779771966ADF507D2B95CA86906476BFD80575B
SHA-512: 0E1BF58363F746F19B92730E15E2091F05A2C87B120B004F3819735F4D60268E66711EBEB06E3B771B2DE327FCBB3DDD368241E7A6E1A1B759384F6D70A2C528
Malicious: false
Reputation: moderate, very likely benign file
Preview: /tmp/sh4.elf.

File type: ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
Entropy (8bit): 6.895743987953786
TrID:
  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: sh4.elf
File size: 66'988 bytes
MD5: 9cc23e06a91999d097f8d5fa12cb7c16
SHA1: 7eea606962da8d2c5c2c0f6de6d58adb177cfe8f
SHA256: 4117f651310c95849278e7ebf95625261e127a5d25ba35ccb241496b01c055eb
SHA512: cff4b98849b68fbc202e63e2550be6cd754443afdb6aaca17a48f7bce8de19b10fff524c72b10fd7f03c8e5f9355dc7c1dda1b89fdff101401bb17d65f4a3bdb
SSDEEP: 1536:Ab+ovX0MPuy9aXKKkRJKtt1+7cHaEBA2CDncjb:6rrsXKrwt+3yA2tjb
TLSH: 99636A27CC6A2F58D548D9B1B4348FB91763A861C44B5FEA8567C23A9083E8DF5823F4

ELF header

Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
Machine: <unknown>
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x4001a0
Flags: 0x9
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 3
Section Header Offset: 66588
Section Header Size: 40
Number of Section Headers: 10
Header String Table Index: 9
Name       Type      Address   Offset   Size    EntSize  Flags  Flags Description  Link  Info  Align
           NULL      0x0       0x0      0x0     0x0      0x0                       0     0     0
.init      PROGBITS  0x400094  0x94     0x30    0x0      0x6    AX                 0     0     4
.text      PROGBITS  0x4000e0  0xe0     0xdee0  0x0      0x6    AX                 0     0     32
.fini      PROGBITS  0x40dfc0  0xdfc0   0x24    0x0      0x6    AX                 0     0     4
.rodata    PROGBITS  0x40dfe4  0xdfe4   0x1de4  0x0      0x2    A                  0     0     4
.ctors     PROGBITS  0x410000  0x10000  0x8     0x0      0x3    WA                 0     0     4
.dtors     PROGBITS  0x410008  0x10008  0x8     0x0      0x3    WA                 0     0     4
.data      PROGBITS  0x410014  0x10014  0x3c8   0x0      0x3    WA                 0     0     4
.bss       NOBITS    0x4103dc  0x103dc  0x62c0  0x0      0x3    WA                 0     0     4
.shstrtab  STRTAB    0x0       0x103dc  0x3e    0x0      0x0                       0     0     1

Type       Offset   Virtual Address  Physical Address  File Size  Memory Size  Entropy  Flags  Flags Description  Align    Prog Interpreter  Section Mappings
LOAD       0x0      0x400000         0x400000          0xfdc8     0xfdc8       6.9770   0x5    R E                0x10000                    .init .text .fini .rodata
LOAD       0x10000  0x410000         0x410000          0x3dc      0x669c       3.0210   0x6    RW                 0x10000                    .ctors .dtors .data .bss
GNU_STACK  0x0      0x0              0x0               0x0        0x0          0.0000   0x7    RWE                0x4

  • Total Packets: 4
  • 443 (HTTPS)
  • 53 (DNS)

Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Feb 17, 2025 11:04:17.177622080 CET  46540        443        192.168.2.14  185.125.190.26
Feb 17, 2025 11:04:48.152359009 CET  46540        443        192.168.2.14  185.125.190.26

Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Feb 17, 2025 11:04:09.339449883 CET  43070        53         192.168.2.14  1.1.1.1
Feb 17, 2025 11:04:09.339449883 CET  41873        53         192.168.2.14  1.1.1.1
Feb 17, 2025 11:04:09.347073078 CET  53           41873      1.1.1.1       192.168.2.14
Feb 17, 2025 11:04:09.347090960 CET  53           43070      1.1.1.1       192.168.2.14

Timestamp                            Source IP     Dest IP  Trans ID  OP Code             Name              Type            Class        DNS over HTTPS
Feb 17, 2025 11:04:09.339449883 CET  192.168.2.14  1.1.1.1  0x93d7    Standard query (0)  daisy.ubuntu.com  28              IN (0x0001)  false
Feb 17, 2025 11:04:09.339449883 CET  192.168.2.14  1.1.1.1  0x8fba    Standard query (0)  daisy.ubuntu.com  A (IP address)  IN (0x0001)  false

Timestamp                            Source IP  Dest IP       Trans ID  Reply Code    Name              CName  Address        Type            Class        DNS over HTTPS
Feb 17, 2025 11:04:09.347073078 CET  1.1.1.1    192.168.2.14  0x8fba    No error (0)  daisy.ubuntu.com         162.213.35.24  A (IP address)  IN (0x0001)  false
Feb 17, 2025 11:04:09.347073078 CET  1.1.1.1    192.168.2.14  0x8fba    No error (0)  daisy.ubuntu.com         162.213.35.25  A (IP address)  IN (0x0001)  false

System Behavior