Edit tour

Linux Analysis Report
IdpLihor52.elf

Overview

General Information

Sample name:	IdpLihor52.elf renamed because original name is a hash value
Original sample name:	815b74947d3a78a1b7d2aece43596ddc0ffc264e26092f1f9b6409c62e1437d6.elf
Analysis ID:	1654374
MD5:	db85cb255d2e559ce9388349cf626618
SHA1:	b92a02f1b1b1cd86ff13eb13f8bbb08eef315acb
SHA256:	815b74947d3a78a1b7d2aece43596ddc0ffc264e26092f1f9b6409c62e1437d6
Tags:	AutoColorelfLinuxuser-KodaDr
Infos:

Detection

Score:	76
Range:	0 - 100

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for submitted file

Creates /etc/ld.so.preload

Deletes /etc/ld.so.preload (likely AV evasion)

Performs DNS queries to domains with low reputation

Contains symbols related to standard C library sleeps (sometimes used to evade sandboxing)

Deletes log files

Executes the "rm" command used to delete files or directories

Reads the 'hosts' file potentially containing internal network hosts

Sample and/or dropped files contains symbols with suspicious names

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Writes ELF files to disk

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1654374
Start date and time:	2025-04-02 10:13:50 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	IdpLihor52.elf renamed because original name is a hash value
Original Sample Name:	815b74947d3a78a1b7d2aece43596ddc0ffc264e26092f1f9b6409c62e1437d6.elf
Detection:	MAL
Classification:	mal76.troj.evad.linELF@0/4@1/0
Cookbook Comments:	Analysis time extended to 480s due to sleep detection in submitted sample

Warnings

VT rate limit hit for: check.linux-kernel.xyz

Runtime Messages

Command:	/tmp/IdpLihor52.elf
PID:	6231
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	#install... #install ok #install... #install ok
Standard Error:

Process Tree

system is lnxubuntu20

IdpLihor52.elf (PID: 6231, Parent: 6154, MD5: db85cb255d2e559ce9388349cf626618) Arguments: /tmp/IdpLihor52.elf

IdpLihor52.elf New Fork (PID: 6232, Parent: 6231)

IdpLihor52.elf New Fork (PID: 6233, Parent: 6232)

dash New Fork (PID: 6294, Parent: 4331)

rm (PID: 6294, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.nEIL30cwr8 /tmp/tmp.rCZmIxfk9m /tmp/tmp.yNQ3b3XGSF

dash New Fork (PID: 6295, Parent: 4331)

rm (PID: 6295, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.nEIL30cwr8 /tmp/tmp.rCZmIxfk9m /tmp/tmp.yNQ3b3XGSF

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Networking
• System Summary
• Persistence and Installation Behavior
• Malware Analysis System Evasion
• HIPS / PFW / Operating System Protection Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: IdpLihor52.elf

Avira: detected

Antivirus detection for dropped file

Source: /var/log/cross/auto-color

Avira: detection malicious, Label: LINUX/AVA.Filecoder.dtesp

Multi AV Scanner detection for submitted file

Source: IdpLihor52.elf	ReversingLabs: Detection: 30%
Source: IdpLihor52.elf	Virustotal: Detection: 32%			Perma Link

Networking

Performs DNS queries to domains with low reputation

Source:

DNS query: check.linux-kernel.xyz

Source: /tmp/IdpLihor52.elf (PID: 6233)

Reads hosts file: /etc/hosts

Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown	TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown	TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: check.linux-kernel.xyz

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39258
Source: unknown	Network traffic detected: HTTP traffic on port 39258 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: libcext.so.2.12.dr	ELF static info symbol of dropped file: _Z13pcap_dispatchP4pcapiPFvPhPK11pcap_pkthdrPKhES1_
Source: libcext.so.2.12.dr	ELF static info symbol of dropped file: _Z9pcap_loopP4pcapiPFvPhPK11pcap_pkthdrPKhES1_

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal76.troj.evad.linELF@0/4@1/0

Persistence and Installation Behavior

Creates /etc/ld.so.preload

Source: /tmp/IdpLihor52.elf (PID: 6231)

Created: /etc/ld.so.preload

Jump to behavior

Source: /usr/bin/dash (PID: 6294)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.nEIL30cwr8 /tmp/tmp.rCZmIxfk9m /tmp/tmp.yNQ3b3XGSF			Jump to behavior
Source: /usr/bin/dash (PID: 6295)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.nEIL30cwr8 /tmp/tmp.rCZmIxfk9m /tmp/tmp.yNQ3b3XGSF			Jump to behavior

Source: /tmp/IdpLihor52.elf (PID: 6231)	File written: /var/log/cross/auto-color			Jump to dropped file
Source: /tmp/IdpLihor52.elf (PID: 6231)	File written: /usr/lib/x86_64-linux-gnu/libcext.so.2			Jump to dropped file

Source: ELF symbol in initial sample

Symbol name: usleep

Source: /tmp/IdpLihor52.elf (PID: 6231)	Truncated file: /var/log/cross/auto-color			Jump to behavior
Source: /tmp/IdpLihor52.elf (PID: 6233)	Truncated file: /var/log/cross/0/config-err-7500b1b			Jump to behavior

Source: /tmp/IdpLihor52.elf (PID: 6233)

Queries kernel information via 'uname':

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Deletes /etc/ld.so.preload (likely AV evasion)

Source: /tmp/IdpLihor52.elf (PID: 6231)

Deletion: /etc/ld.so.preload

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Exploitation for Defense Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Virtualization/Sandbox Evasion	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Indicator Removal	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
IdpLihor52.elf	31%	ReversingLabs	Linux.Trojan.Generic
IdpLihor52.elf	32%	Virustotal		Browse
IdpLihor52.elf	100%	Avira	LINUX/AVA.Filecoder.dtesp

Dropped Files

Source	Detection	Scanner	Label	Link
/var/log/cross/auto-color	100%	Avira	LINUX/AVA.Filecoder.dtesp
/var/log/cross/auto-color	31%	ReversingLabs	Linux.Trojan.Generic

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
check.linux-kernel.xyz	18.167.12.195	true	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.249.145.219	unknown	United States	16509	AMAZON-02US	false
18.167.12.195	check.linux-kernel.xyz	United States	16509	AMAZON-02US	true
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
34.249.145.219	Space.mips.elf	Get hash	malicious	Unknown	Browse
	Space.spc.elf	Get hash	malicious	Mirai	Browse
	Space.arc.elf	Get hash	malicious	Mirai	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	FBI.x86.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	FBI.arm5.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	efefa7.elf	Get hash	malicious	Mirai	Browse
	sh4.elf	Get hash	malicious	Unknown	Browse
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43	Space.mips.elf	Get hash	malicious	Unknown	Browse
	rrrdsl.elf	Get hash	malicious	Unknown	Browse
	Space.spc.elf	Get hash	malicious	Mirai	Browse
	Space.ppc.elf	Get hash	malicious	Unknown	Browse
	Space.arc.elf	Get hash	malicious	Mirai	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	FBI.mpsl.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	FBI.x86.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	FBI.arm5.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	na.elf	Get hash	malicious	Prometei	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
INIT7CH	Space.mips.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	rrrdsl.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	Space.spc.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	Space.ppc.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	Space.arc.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	mips.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	FBI.mpsl.elf	Get hash	malicious	Gafgyt, Mirai	Browse	109.202.202.202
	FBI.x86.elf	Get hash	malicious	Gafgyt, Mirai	Browse	109.202.202.202
	FBI.arm5.elf	Get hash	malicious	Gafgyt, Mirai	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
AMAZON-02US	RFQ DETAILS.exe	Get hash	malicious	FormBook	Browse	13.226.94.19
	PO25022-INQ.js	Get hash	malicious	FormBook	Browse	13.248.169.48
	Swift_advice.js	Get hash	malicious	FormBook	Browse	13.248.169.48
	DHL AWB TRACKING DETAILS.exe	Get hash	malicious	FormBook	Browse	18.162.124.14
	DHL Delivery Invoice.scr.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	Space.mips.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	rrrdsl.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	Space.spc.elf	Get hash	malicious	Mirai	Browse	34.249.145.219
	Space.arc.elf	Get hash	malicious	Mirai	Browse	34.249.145.219
	5AzgNwCtN5.exe	Get hash	malicious	CryptOne, LummaC Stealer	Browse	108.139.47.92
AMAZON-02US	RFQ DETAILS.exe	Get hash	malicious	FormBook	Browse	13.226.94.19
	PO25022-INQ.js	Get hash	malicious	FormBook	Browse	13.248.169.48
	Swift_advice.js	Get hash	malicious	FormBook	Browse	13.248.169.48
	DHL AWB TRACKING DETAILS.exe	Get hash	malicious	FormBook	Browse	18.162.124.14
	DHL Delivery Invoice.scr.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	Space.mips.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	rrrdsl.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	Space.spc.elf	Get hash	malicious	Mirai	Browse	34.249.145.219
	Space.arc.elf	Get hash	malicious	Mirai	Browse	34.249.145.219
	5AzgNwCtN5.exe	Get hash	malicious	CryptOne, LummaC Stealer	Browse	108.139.47.92

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/etc/ld.so.preload

Download File

Process:	/tmp/IdpLihor52.elf
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	34
Entropy (8bit):	4.175123135113461
Encrypted:	false
SSDEEP:	3:/qdR63SMjLNj:/qdY/3Nj
MD5:	3667162F824C13B03C42749611D389C8
SHA1:	3B0C29FD2079CEFD1FF13F9260D2A9C311DC5AD5
SHA-256:	B8B975818566332FA0E12460516FA18BA4666FABC605CB4B1819096E591CD47D
SHA-512:	1EBA85FF3AB8A8A7E2BEFDCF01D5CF336C49670D00059B72AE6CC1A502743C3EDCDAF1687D8A84A70CDC4C458A0B3D80D6FFBFE7756A63000731F85E5D297B61
Malicious:	true
Reputation:	low
Preview:	/lib/x86_64-linux-gnu/libcext.so.2

/usr/lib/x86_64-linux-gnu/libcext.so.2

Download File

Process:	/tmp/IdpLihor52.elf
File Type:	ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=f453fd9ec42fdc8362c10ee011a85ddb6d0c835f, stripped
Category:	dropped
Size (bytes):	35176
Entropy (8bit):	4.807101699118741
Encrypted:	false
SSDEEP:	768:f4RVXHfXvn/3PHfXvn/3PHfayqC6SKiayqC6SKiaqekmkcN/odCkHaFkuwXY:f42N/UHJ
MD5:	1451ED5B4AC7070F08BBE9B60E12A7B4
SHA1:	A9FF6EB1174C8902E178B07CA3FD0CDE660197E7
SHA-256:	D4A1186387072207607684A016AF05804A9F1CE90C987C80827B2D5223BDDC9E
SHA-512:	5F49A542722BC5D7825C825EDA68A2844C98F90FDCA1A5045E7530D4D5CFBE05297896C77E0B3C11F74DF9D2917D71AA4A1CFA3B013D27CC1F92C6D1BA129B05
Malicious:	false
Reputation:	low
Preview:	.ELF..............>......$......@.......h...........@.8...@...................................................................... ....... ....... .......E.......E.......................p.......p.......p.......................................}......................P.......P........................~.............................................................................. ....... ...............................................$.......$...............S.td............................ ....... ...............P.td.....q.......q.......q......L.......L...............Q.td....................................................R.td.....}..........................................................GNU.............................GNU..S.../.b.....].m.._........).............!....A....(. ..P...........H.)...*...,.......0...........2...4...6...8...9.......<...>...?...@...-...v.\|._9.....7..zV.O.}.s..e..!t...3..'U..j...Ja..#. ...=ms....?]..]Ust,.`...a..v....]..>+.."............................4.......

/var/log/cross/0/config-err-7500b1b

Download File

Process:	/tmp/IdpLihor52.elf
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	1.75
Encrypted:	false
SSDEEP:	3:aJS/:aJi
MD5:	8CA63731B1A6A2A33C71354429F577B9
SHA1:	EF84B5087D8C21C5BCC108860F89278FCCFE5BCA
SHA-256:	C1635A9F1819F1A99A68615456CA6DE6A6885F6D711624172FED9CAA87886CD2
SHA-512:	B4041B206BA9B5663FDB9F607CE91366627CCE16709B341C8199E689035917304CBC5A66D3594A4018A2D8B0936E0D838CBE60EADDF7EF73532C92B41A52C522
Malicious:	false
Reputation:	low
Preview:	...g....

/var/log/cross/auto-color

Download File

Process:	/tmp/IdpLihor52.elf
File Type:	ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=08a8401aef311e569e8bcbc3b46829560334ec0a, for GNU/Linux 3.2.0, stripped
Category:	dropped
Size (bytes):	216872
Entropy (8bit):	5.575882078455821
Encrypted:	false
SSDEEP:	3072:+9EyjkLT4IIeLeKt/VIuCp0hZPV9eFxaXyQpcGIULNCD4wMHJmYH7imVAH:+9EnkKlZkxmIUA9MHJmYH7ZAH
MD5:	DB85CB255D2E559CE9388349CF626618
SHA1:	B92A02F1B1B1CD86FF13EB13F8BBB08EEF315ACB
SHA-256:	815B74947D3A78A1B7D2AECE43596DDC0FFC264E26092F1F9B6409C62E1437D6
SHA-512:	285641559E40B96F176D126388BFCA398EC8F4F5911D0268BF4081732A4553BB57197263FE7776B5D0880B1A17400019CC7CBF76801B6FE7CFAC6A86EB741BC4
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 31%
Reputation:	low
Preview:	.ELF..............>......b......@........F..........@.8...@.".!.........@.......@.......@.......................................P.......P.......P................................................................A.......A.......................P.......P.......P......A.......A........................ ....... ....... ......U.......U.......................()......(9......(9...... ........-.......................9.......I.......I...... ....... .......................p.......p.......p....... ....... ...............................................D.......D.......................()......(9......(9..............................S.td....p.......p.......p....... ....... ...............P.td....D.......D.......D.......\|.......\|...............Q.td....................................................R.td....()......(9......(9............................../lib64/ld-linux-x86-64.so.2.................GNU.............................GNU...@..1.V....h)V.4..............GNU.........................y...........

Static File Info

General

File type:	ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=08a8401aef311e569e8bcbc3b46829560334ec0a, for GNU/Linux 3.2.0, stripped
Entropy (8bit):	5.575882078455821
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 49.77% ELF Executable and Linkable format (generic) (4004/1) 49.46% Lumena CEL bitmap (63/63) 0.78%
File name:	IdpLihor52.elf
File size:	216'872 bytes
MD5:	db85cb255d2e559ce9388349cf626618
SHA1:	b92a02f1b1b1cd86ff13eb13f8bbb08eef315acb
SHA256:	815b74947d3a78a1b7d2aece43596ddc0ffc264e26092f1f9b6409c62e1437d6
SHA512:	285641559e40b96f176d126388bfca398ec8f4f5911d0268bf4081732a4553bb57197263fe7776b5d0880b1a17400019cc7cbf76801b6fe7cfac6a86eb741bc4
SSDEEP:	3072:+9EyjkLT4IIeLeKt/VIuCp0hZPV9eFxaXyQpcGIULNCD4wMHJmYH7imVAH:+9EnkKlZkxmIUA9MHJmYH7ZAH
TLSH:	8624F71BB2B199BDD09AF4348A8FD2A26870F0F42332752F37829D772D57D850BA8751
File Content Preview:	.ELF..............>......b......@........F..........@.8...@.".!.........@.......@.......@.......................................P.......P.......P................................................................A.......A.......................P.......P.....

Static ELF Info

ELF header
Class:	ELF64
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Advanced Micro Devices X86-64
Version Number:	0x1
Type:	DYN (Shared object file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x6290
Flags:	0x0
ELF Header Size:	64
Program Header Offset:	64
Program Header Size:	56
Number of Program Headers:	14
Section Header Offset:	214696
Section Header Size:	64
Number of Section Headers:	34
Header String Table Index:	33

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Link	Info	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0	0	0
.interp	PROGBITS	0x350	0x350	0x1c	0x0	0x2	A	0	0	1
.note.gnu.property	NOTE	0x370	0x370	0x20	0x0	0x2	A	0	0	8
.note.gnu.build-id	NOTE	0x390	0x390	0x24	0x0	0x2	A	0	0	4
.note.ABI-tag	NOTE	0x3b4	0x3b4	0x20	0x0	0x2	A	0	0	4
.gnu.hash	GNU_HASH	0x3d8	0x3d8	0x38	0x0	0x2	A	6	0	8
.dynsym	DYNSYM	0x410	0x410	0xbd0	0x18	0x2	A	7	1	8
.dynstr	STRTAB	0xfe0	0xfe0	0x555	0x0	0x2	A	0	0	1
.gnu.version	VERSYM	0x1536	0x1536	0xfc	0x2	0x2	A	6	0	2
.gnu.version_r	VERNEED	0x1638	0x1638	0xb0	0x0	0x2	A	7	4	8
.rela.dyn	RELA	0x16e8	0x16e8	0x2058	0x18	0x2	A	6	0	8
.rela.plt	RELA	0x3740	0x3740	0xab0	0x18	0x42	AI	6	28	8
.init	PROGBITS	0x5000	0x5000	0x1b	0x0	0x6	AX	0	0	4
.plt	PROGBITS	0x5020	0x5020	0x730	0x10	0x6	AX	0	0	16
.plt.got	PROGBITS	0x5750	0x5750	0x20	0x10	0x6	AX	0	0	16
.plt.sec	PROGBITS	0x5770	0x5770	0x720	0x10	0x6	AX	0	0	16
.text	PROGBITS	0x5e90	0x5e90	0x1bfa4	0x0	0x6	AX	0	0	16
.fini	PROGBITS	0x21e34	0x21e34	0xd	0x0	0x6	AX	0	0	4
.rodata	PROGBITS	0x22000	0x22000	0xa740	0x0	0x2	A	0	0	32
.stapsdt.base	PROGBITS	0x2c740	0x2c740	0x1	0x0	0x2	A	0	0	1
.eh_frame_hdr	PROGBITS	0x2c744	0x2c744	0xd7c	0x0	0x2	A	0	0	4
.eh_frame	PROGBITS	0x2d4c0	0x2d4c0	0x4060	0x0	0x2	A	0	0	8
.gcc_except_table	PROGBITS	0x31520	0x31520	0x535	0x0	0x2	A	0	0	4
.tbss	NOBITS	0x33928	0x32928	0x10	0x0	0x403	WAT	0	0	8
.init_array	INIT_ARRAY	0x33928	0x32928	0x10	0x8	0x3	WA	0	0	8
.fini_array	FINI_ARRAY	0x33938	0x32938	0x8	0x8	0x3	WA	0	0	8
.data.rel.ro	PROGBITS	0x33940	0x32940	0x10a8	0x0	0x3	WA	0	0	32
.dynamic	DYNAMIC	0x349e8	0x339e8	0x220	0x10	0x3	WA	7	0	8
.got	PROGBITS	0x34c08	0x33c08	0x3e8	0x8	0x3	WA	0	0	8
.data	PROGBITS	0x35000	0x34000	0x448	0x0	0x3	WA	0	0	32
.bss	NOBITS	0x35460	0x34448	0x12c0	0x0	0x3	WA	0	0	32
.comment	PROGBITS	0x0	0x34448	0x2a	0x1	0x30	MS	0	0	1
.note.stapsdt	NOTE	0x0	0x34474	0xe8	0x0	0x0		0	0	4
.shstrtab	STRTAB	0x0	0x3455c	0x14b	0x0	0x0		0	0	1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Prog Interpreter	Section Mappings
PHDR	0x40	0x40	0x40	0x310	0x310	1.8556	0x4	R	0x8
INTERP	0x350	0x350	0x350	0x1c	0x1c	3.9408	0x4	R	0x1	/lib64/ld-linux-x86-64.so.2	.interp
LOAD	0x0	0x0	0x0	0x41f0	0x41f0	2.7236	0x4	R	0x1000		.interp .note.gnu.property .note.gnu.build-id .note.ABI-tag .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt
LOAD	0x5000	0x5000	0x5000	0x1ce41	0x1ce41	6.0652	0x5	R E	0x1000		.init .plt .plt.got .plt.sec .text .fini
LOAD	0x22000	0x22000	0x22000	0xfa55	0xfa55	5.4342	0x4	R	0x1000		.rodata .stapsdt.base .eh_frame_hdr .eh_frame .gcc_except_table
LOAD	0x32928	0x33928	0x33928	0x1b20	0x2df8	2.2376	0x6	RW	0x1000		.tbss .init_array .fini_array .data.rel.ro .dynamic .got .data .bss
DYNAMIC	0x339e8	0x349e8	0x349e8	0x220	0x220	1.6087	0x6	RW	0x8		.dynamic
NOTE	0x370	0x370	0x370	0x20	0x20	1.8716	0x4	R	0x8		.note.gnu.property
NOTE	0x390	0x390	0x390	0x44	0x44	3.3267	0x4	R	0x4		.note.gnu.build-id .note.ABI-tag
TLS	0x32928	0x33928	0x33928	0x0	0x10	0.0000	0x4	R	0x8		.tbss
GNU_PROPERTY	0x370	0x370	0x370	0x20	0x20	1.8716	0x4	R	0x8		.note.gnu.property
GNU_EH_FRAME	0x2c744	0x2c744	0x2c744	0xd7c	0xd7c	5.4174	0x4	R	0x4		.eh_frame_hdr
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x10
GNU_RELRO	0x32928	0x33928	0x33928	0x16d8	0x16d8	2.3268	0x4	R	0x1		.tbss .init_array .fini_array .data.rel.ro .dynamic .got

Dynamic Tags

Type	Meta	Value	Tag
DT_NEEDED	sharedlib	libpthread.so.0	0x1
DT_NEEDED	sharedlib	libdl.so.2	0x1
DT_NEEDED	sharedlib	libc.so.6	0x1
DT_NEEDED	sharedlib	ld-linux-x86-64.so.2	0x1
DT_INIT	value	0x5000	0xc
DT_FINI	value	0x21e34	0xd
DT_INIT_ARRAY	value	0x33928	0x19
DT_INIT_ARRAYSZ	bytes	16	0x1b
DT_FINI_ARRAY	value	0x33938	0x1a
DT_FINI_ARRAYSZ	bytes	8	0x1c
DT_GNU_HASH	value	0x3d8	0x6ffffef5
DT_STRTAB	value	0xfe0	0x5
DT_SYMTAB	value	0x410	0x6
DT_STRSZ	bytes	1365	0xa
DT_SYMENT	bytes	24	0xb
DT_DEBUG	value	0x0	0x15
DT_PLTGOT	value	0x34c08	0x3
DT_PLTRELSZ	bytes	2736	0x2
DT_PLTREL	pltrel	DT_RELA	0x14
DT_JMPREL	value	0x3740	0x17
DT_RELA	value	0x16e8	0x7
DT_RELASZ	bytes	8280	0x8
DT_RELAENT	bytes	24	0x9
DT_FLAGS	value	0x8	0x1e
DT_FLAGS_1	value	0x8000001	0x6ffffffb
DT_VERNEED	value	0x1638	0x6ffffffe
DT_VERNEEDNUM	value	4	0x6fffffff
DT_VERSYM	value	0x1536	0x6ffffff0
DT_RELACOUNT	value	336	0x6ffffff9
DT_NULL	value	0x0	0x0

Symbols

Name	Version Info Name	Version Info File Name	Section Name	Value	Size	Symbol Type	Symbol Bind	Symbol Visibility	Ndx
			.dynsym	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
_ITM_deregisterTMCloneTable			.dynsym	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
_ITM_registerTMCloneTable			.dynsym	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__cxa_finalize	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__environ	GLIBC_2.2.5	libc.so.6	.dynsym	0x35460	8	OBJECT	<unknown>	DEFAULT	30
__errno_location	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__gmon_start__			.dynsym	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__libc_start_main	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__pthread_key_create	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__sprintf_chk	GLIBC_2.3.4	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__stack_chk_fail	GLIBC_2.4	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__tls_get_addr	GLIBC_2.3	ld-linux-x86-64.so.2	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__xstat	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_environ	GLIBC_2.2.5	libc.so.6	.dynsym	0x35460	8	OBJECT	<unknown>	DEFAULT	30
abort	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
accept	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
access	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
atoi	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
bind	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
chdir	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
close	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
closedir	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
connect	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
dl_iterate_phdr	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
dladdr	GLIBC_2.2.5	libdl.so.2	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
dlopen	GLIBC_2.2.5	libdl.so.2	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
dlsym	GLIBC_2.2.5	libdl.so.2	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
dup2	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
environ	GLIBC_2.2.5	libc.so.6	.dynsym	0x35460	8	OBJECT	<unknown>	DEFAULT	30
execve	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
exit	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fcntl	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
flock	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fork	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fputc	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fputs	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fread	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
free	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fwrite	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
get_nprocs_conf	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
getdtablesize	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
geteuid	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
gethostbyname	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
gethostname	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
getpeername	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
getpgid	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
getpid	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
getpwuid	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
getsockname	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
getsockopt	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
gettimeofday	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
htonl	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
htons	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
inet_ntoa	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
kill	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
listen	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
localtime	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
lseek	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
malloc	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
mallopt	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
memcmp	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
memcpy	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
memset	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
mkdir	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
ntohl	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
ntohs	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
open	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
opendir	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pclose	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pipe	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
popen	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
printf	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pthread_attr_destroy	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pthread_attr_init	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pthread_attr_setdetachstate	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pthread_attr_setstacksize	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pthread_cond_destroy	GLIBC_2.3.2	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pthread_cond_init	GLIBC_2.3.2	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pthread_cond_signal	GLIBC_2.3.2	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pthread_cond_timedwait	GLIBC_2.3.2	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pthread_cond_wait	GLIBC_2.3.2	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pthread_create	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pthread_join	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pthread_mutex_destroy	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pthread_mutex_init	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pthread_mutex_lock	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pthread_mutex_unlock	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pthread_mutexattr_destroy	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pthread_mutexattr_init	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pthread_mutexattr_settype	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pthread_once	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
puts	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
read	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
readdir	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
readlink	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
realloc	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
recv	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
recvfrom	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
remove	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
rename	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
select	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
send	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
sendto	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
setsid	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
setsockopt	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
shmat	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
shmget	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
snprintf	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
socket	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
sprintf	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
statfs	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
stderr	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	OBJECT	<unknown>	DEFAULT	SHN_UNDEF
strcasecmp	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
strcat	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
strcmp	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
strcpy	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
strerror	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
strlen	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
strncasecmp	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
strtol	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
syscall	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
time	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
umask	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
usleep	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
waitpid	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
write	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 126
• 5353 undefined
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 2, 2025 10:14:36.952414036 CEST	43928	443	192.168.2.23	91.189.91.42
Apr 2, 2025 10:14:37.736655951 CEST	41900	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:14:38.059732914 CEST	5353	41900	18.167.12.195	192.168.2.23
Apr 2, 2025 10:14:42.076524019 CEST	41902	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:14:42.327797890 CEST	42836	443	192.168.2.23	91.189.91.43
Apr 2, 2025 10:14:42.389566898 CEST	5353	41902	18.167.12.195	192.168.2.23
Apr 2, 2025 10:14:43.863657951 CEST	42516	80	192.168.2.23	109.202.202.202
Apr 2, 2025 10:14:46.402718067 CEST	41904	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:14:46.724173069 CEST	5353	41904	18.167.12.195	192.168.2.23
Apr 2, 2025 10:14:50.738101006 CEST	41906	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:14:51.050956964 CEST	5353	41906	18.167.12.195	192.168.2.23
Apr 2, 2025 10:14:55.067051888 CEST	41908	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:14:55.375917912 CEST	5353	41908	18.167.12.195	192.168.2.23
Apr 2, 2025 10:14:57.941477060 CEST	43928	443	192.168.2.23	91.189.91.42
Apr 2, 2025 10:14:58.339015961 CEST	39258	443	192.168.2.23	34.249.145.219
Apr 2, 2025 10:14:58.339061975 CEST	443	39258	34.249.145.219	192.168.2.23
Apr 2, 2025 10:14:58.339150906 CEST	39258	443	192.168.2.23	34.249.145.219
Apr 2, 2025 10:14:58.339792967 CEST	39258	443	192.168.2.23	34.249.145.219
Apr 2, 2025 10:14:58.339806080 CEST	443	39258	34.249.145.219	192.168.2.23
Apr 2, 2025 10:14:59.387406111 CEST	41912	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:14:59.696358919 CEST	5353	41912	18.167.12.195	192.168.2.23
Apr 2, 2025 10:15:03.709484100 CEST	41914	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:15:04.017190933 CEST	5353	41914	18.167.12.195	192.168.2.23
Apr 2, 2025 10:15:08.038084984 CEST	41916	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:15:08.180027008 CEST	42836	443	192.168.2.23	91.189.91.43
Apr 2, 2025 10:15:08.356614113 CEST	5353	41916	18.167.12.195	192.168.2.23
Apr 2, 2025 10:15:12.369074106 CEST	41918	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:15:12.684931040 CEST	5353	41918	18.167.12.195	192.168.2.23
Apr 2, 2025 10:15:14.323167086 CEST	42516	80	192.168.2.23	109.202.202.202
Apr 2, 2025 10:15:16.701630116 CEST	41920	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:15:17.012861967 CEST	5353	41920	18.167.12.195	192.168.2.23
Apr 2, 2025 10:15:21.029769897 CEST	41922	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:15:21.338325024 CEST	5353	41922	18.167.12.195	192.168.2.23
Apr 2, 2025 10:15:25.351371050 CEST	41924	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:15:25.665859938 CEST	5353	41924	18.167.12.195	192.168.2.23
Apr 2, 2025 10:15:29.678582907 CEST	41926	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:15:29.992975950 CEST	5353	41926	18.167.12.195	192.168.2.23
Apr 2, 2025 10:15:34.006987095 CEST	41928	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:15:34.320763111 CEST	5353	41928	18.167.12.195	192.168.2.23
Apr 2, 2025 10:15:38.337178946 CEST	41930	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:15:38.652415991 CEST	5353	41930	18.167.12.195	192.168.2.23
Apr 2, 2025 10:15:38.895677090 CEST	43928	443	192.168.2.23	91.189.91.42
Apr 2, 2025 10:15:42.667947054 CEST	41932	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:15:42.974477053 CEST	5353	41932	18.167.12.195	192.168.2.23
Apr 2, 2025 10:15:46.988985062 CEST	41934	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:15:47.299674988 CEST	5353	41934	18.167.12.195	192.168.2.23
Apr 2, 2025 10:15:51.312290907 CEST	41936	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:15:51.621603966 CEST	5353	41936	18.167.12.195	192.168.2.23
Apr 2, 2025 10:15:55.650603056 CEST	41938	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:15:55.959903002 CEST	5353	41938	18.167.12.195	192.168.2.23
Apr 2, 2025 10:15:58.331088066 CEST	39258	443	192.168.2.23	34.249.145.219
Apr 2, 2025 10:15:58.376322031 CEST	443	39258	34.249.145.219	192.168.2.23
Apr 2, 2025 10:15:59.372668028 CEST	42836	443	192.168.2.23	91.189.91.43
Apr 2, 2025 10:15:59.990549088 CEST	41940	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:16:00.302437067 CEST	5353	41940	18.167.12.195	192.168.2.23
Apr 2, 2025 10:16:04.316804886 CEST	41942	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:16:04.627589941 CEST	5353	41942	18.167.12.195	192.168.2.23
Apr 2, 2025 10:16:08.641017914 CEST	41944	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:16:08.953211069 CEST	5353	41944	18.167.12.195	192.168.2.23
Apr 2, 2025 10:16:12.969630957 CEST	41946	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:16:13.282816887 CEST	5353	41946	18.167.12.195	192.168.2.23
Apr 2, 2025 10:16:17.307140112 CEST	41948	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:16:17.615207911 CEST	5353	41948	18.167.12.195	192.168.2.23
Apr 2, 2025 10:16:21.653465986 CEST	41950	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:16:21.962518930 CEST	5353	41950	18.167.12.195	192.168.2.23
Apr 2, 2025 10:16:26.004919052 CEST	41952	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:16:26.314913034 CEST	5353	41952	18.167.12.195	192.168.2.23
Apr 2, 2025 10:16:30.359895945 CEST	41954	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:16:30.666311979 CEST	5353	41954	18.167.12.195	192.168.2.23
Apr 2, 2025 10:16:34.689626932 CEST	41956	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:16:35.001086950 CEST	5353	41956	18.167.12.195	192.168.2.23
Apr 2, 2025 10:16:39.017637968 CEST	41958	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:16:39.331289053 CEST	5353	41958	18.167.12.195	192.168.2.23
Apr 2, 2025 10:16:43.389234066 CEST	41960	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:16:43.703190088 CEST	5353	41960	18.167.12.195	192.168.2.23
Apr 2, 2025 10:16:47.756519079 CEST	41962	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:16:48.068412066 CEST	5353	41962	18.167.12.195	192.168.2.23
Apr 2, 2025 10:16:52.103882074 CEST	41964	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:16:52.413959980 CEST	5353	41964	18.167.12.195	192.168.2.23
Apr 2, 2025 10:16:56.439549923 CEST	41966	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:16:56.748045921 CEST	5353	41966	18.167.12.195	192.168.2.23
Apr 2, 2025 10:17:00.764482975 CEST	41968	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:17:01.078543901 CEST	5353	41968	18.167.12.195	192.168.2.23
Apr 2, 2025 10:17:05.093790054 CEST	41970	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:17:05.404474020 CEST	5353	41970	18.167.12.195	192.168.2.23
Apr 2, 2025 10:17:09.426455975 CEST	41972	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:17:09.741403103 CEST	5353	41972	18.167.12.195	192.168.2.23
Apr 2, 2025 10:17:13.772568941 CEST	41974	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:17:14.087766886 CEST	5353	41974	18.167.12.195	192.168.2.23
Apr 2, 2025 10:17:18.116452932 CEST	41976	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:17:18.428430080 CEST	5353	41976	18.167.12.195	192.168.2.23
Apr 2, 2025 10:17:22.506757021 CEST	41978	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:17:22.819618940 CEST	5353	41978	18.167.12.195	192.168.2.23
Apr 2, 2025 10:17:26.940499067 CEST	41980	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:17:27.249777079 CEST	5353	41980	18.167.12.195	192.168.2.23
Apr 2, 2025 10:17:31.262799978 CEST	41982	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:17:31.574240923 CEST	5353	41982	18.167.12.195	192.168.2.23
Apr 2, 2025 10:17:35.615418911 CEST	41984	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:17:35.935755014 CEST	5353	41984	18.167.12.195	192.168.2.23
Apr 2, 2025 10:17:39.952816010 CEST	41986	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:17:40.265177011 CEST	5353	41986	18.167.12.195	192.168.2.23
Apr 2, 2025 10:17:44.284878016 CEST	41988	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:17:44.596421003 CEST	5353	41988	18.167.12.195	192.168.2.23
Apr 2, 2025 10:17:48.623640060 CEST	41990	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:17:48.936783075 CEST	5353	41990	18.167.12.195	192.168.2.23
Apr 2, 2025 10:17:52.952917099 CEST	41992	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:17:53.261688948 CEST	5353	41992	18.167.12.195	192.168.2.23
Apr 2, 2025 10:17:57.273355007 CEST	41994	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:17:57.580063105 CEST	5353	41994	18.167.12.195	192.168.2.23
Apr 2, 2025 10:18:01.630572081 CEST	41996	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:18:01.942364931 CEST	5353	41996	18.167.12.195	192.168.2.23
Apr 2, 2025 10:18:05.962517977 CEST	41998	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:18:06.275791883 CEST	5353	41998	18.167.12.195	192.168.2.23
Apr 2, 2025 10:18:10.293570995 CEST	42000	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:18:10.606024981 CEST	5353	42000	18.167.12.195	192.168.2.23
Apr 2, 2025 10:18:14.621436119 CEST	42002	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:18:14.947444916 CEST	5353	42002	18.167.12.195	192.168.2.23
Apr 2, 2025 10:18:18.962826967 CEST	42004	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:18:19.273925066 CEST	5353	42004	18.167.12.195	192.168.2.23
Apr 2, 2025 10:18:23.312836885 CEST	42006	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:18:23.619990110 CEST	5353	42006	18.167.12.195	192.168.2.23
Apr 2, 2025 10:18:27.652067900 CEST	42008	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:18:27.959321022 CEST	5353	42008	18.167.12.195	192.168.2.23
Apr 2, 2025 10:18:31.972630024 CEST	42010	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:18:32.282866001 CEST	5353	42010	18.167.12.195	192.168.2.23
Apr 2, 2025 10:18:36.304913998 CEST	42012	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:18:36.621391058 CEST	5353	42012	18.167.12.195	192.168.2.23
Apr 2, 2025 10:18:40.638207912 CEST	42014	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:18:40.954113960 CEST	5353	42014	18.167.12.195	192.168.2.23
Apr 2, 2025 10:18:44.971760035 CEST	42016	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:18:45.287988901 CEST	5353	42016	18.167.12.195	192.168.2.23
Apr 2, 2025 10:18:49.312581062 CEST	42018	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:18:49.629542112 CEST	5353	42018	18.167.12.195	192.168.2.23
Apr 2, 2025 10:18:53.656112909 CEST	42020	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:18:53.963119030 CEST	5353	42020	18.167.12.195	192.168.2.23
Apr 2, 2025 10:18:57.983922005 CEST	42022	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:18:58.293030024 CEST	5353	42022	18.167.12.195	192.168.2.23
Apr 2, 2025 10:19:02.318941116 CEST	42024	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:19:02.626975060 CEST	5353	42024	18.167.12.195	192.168.2.23
Apr 2, 2025 10:19:06.647387028 CEST	42026	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:19:06.959849119 CEST	5353	42026	18.167.12.195	192.168.2.23
Apr 2, 2025 10:19:11.008224010 CEST	42028	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:19:11.321376085 CEST	5353	42028	18.167.12.195	192.168.2.23
Apr 2, 2025 10:19:15.386707067 CEST	42030	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:19:15.698549032 CEST	5353	42030	18.167.12.195	192.168.2.23
Apr 2, 2025 10:19:19.715924025 CEST	42032	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:19:20.028939009 CEST	5353	42032	18.167.12.195	192.168.2.23
Apr 2, 2025 10:19:24.079004049 CEST	42034	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:19:24.390043974 CEST	5353	42034	18.167.12.195	192.168.2.23
Apr 2, 2025 10:19:28.405971050 CEST	42036	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:19:28.715857029 CEST	5353	42036	18.167.12.195	192.168.2.23
Apr 2, 2025 10:19:32.739279985 CEST	42038	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:19:33.047534943 CEST	5353	42038	18.167.12.195	192.168.2.23
Apr 2, 2025 10:19:37.060944080 CEST	42040	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:19:37.373469114 CEST	5353	42040	18.167.12.195	192.168.2.23
Apr 2, 2025 10:19:41.393729925 CEST	42042	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:19:41.700622082 CEST	5353	42042	18.167.12.195	192.168.2.23
Apr 2, 2025 10:19:45.723942995 CEST	42044	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:19:46.035358906 CEST	5353	42044	18.167.12.195	192.168.2.23
Apr 2, 2025 10:19:50.052654028 CEST	42046	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:19:50.365058899 CEST	5353	42046	18.167.12.195	192.168.2.23
Apr 2, 2025 10:19:54.389532089 CEST	42048	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:19:54.697244883 CEST	5353	42048	18.167.12.195	192.168.2.23
Apr 2, 2025 10:19:58.720366001 CEST	42050	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:19:59.030370951 CEST	5353	42050	18.167.12.195	192.168.2.23
Apr 2, 2025 10:20:03.051285982 CEST	42052	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:20:03.363147020 CEST	5353	42052	18.167.12.195	192.168.2.23
Apr 2, 2025 10:20:07.377835035 CEST	42054	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:20:07.689791918 CEST	5353	42054	18.167.12.195	192.168.2.23
Apr 2, 2025 10:20:11.709330082 CEST	42056	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:20:12.028477907 CEST	5353	42056	18.167.12.195	192.168.2.23
Apr 2, 2025 10:20:16.054928064 CEST	42058	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:20:16.366508961 CEST	5353	42058	18.167.12.195	192.168.2.23
Apr 2, 2025 10:20:20.411374092 CEST	42060	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:20:20.722012997 CEST	5353	42060	18.167.12.195	192.168.2.23
Apr 2, 2025 10:20:24.745095015 CEST	42062	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:20:25.054327011 CEST	5353	42062	18.167.12.195	192.168.2.23
Apr 2, 2025 10:20:29.075098991 CEST	42064	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:20:29.400012970 CEST	5353	42064	18.167.12.195	192.168.2.23
Apr 2, 2025 10:20:33.428639889 CEST	42066	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:20:33.735671043 CEST	5353	42066	18.167.12.195	192.168.2.23
Apr 2, 2025 10:20:37.753803015 CEST	42068	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:20:38.756690979 CEST	42068	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:20:39.067909956 CEST	5353	42068	18.167.12.195	192.168.2.23
Apr 2, 2025 10:20:43.083420992 CEST	42070	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:20:43.395519972 CEST	5353	42070	18.167.12.195	192.168.2.23
Apr 2, 2025 10:20:47.407146931 CEST	42072	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:20:47.719717979 CEST	5353	42072	18.167.12.195	192.168.2.23
Apr 2, 2025 10:20:51.735667944 CEST	42074	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:20:52.046399117 CEST	5353	42074	18.167.12.195	192.168.2.23
Apr 2, 2025 10:20:56.063050032 CEST	42076	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:20:56.372376919 CEST	5353	42076	18.167.12.195	192.168.2.23
Apr 2, 2025 10:21:00.385559082 CEST	42078	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:21:00.700613022 CEST	5353	42078	18.167.12.195	192.168.2.23
Apr 2, 2025 10:21:04.716134071 CEST	42080	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:21:05.022735119 CEST	5353	42080	18.167.12.195	192.168.2.23
Apr 2, 2025 10:21:09.034903049 CEST	42082	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:21:09.344002962 CEST	5353	42082	18.167.12.195	192.168.2.23
Apr 2, 2025 10:21:13.360308886 CEST	42084	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:21:13.679776907 CEST	5353	42084	18.167.12.195	192.168.2.23
Apr 2, 2025 10:21:17.695676088 CEST	42086	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:21:18.007987976 CEST	5353	42086	18.167.12.195	192.168.2.23
Apr 2, 2025 10:21:22.021996975 CEST	42088	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:21:22.334268093 CEST	5353	42088	18.167.12.195	192.168.2.23
Apr 2, 2025 10:21:26.349641085 CEST	42090	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:21:26.664474964 CEST	5353	42090	18.167.12.195	192.168.2.23
Apr 2, 2025 10:21:30.677453041 CEST	42092	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:21:30.986371994 CEST	5353	42092	18.167.12.195	192.168.2.23
Apr 2, 2025 10:21:35.004587889 CEST	42094	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:21:35.325359106 CEST	5353	42094	18.167.12.195	192.168.2.23
Apr 2, 2025 10:21:39.337435007 CEST	42096	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:21:39.645119905 CEST	5353	42096	18.167.12.195	192.168.2.23
Apr 2, 2025 10:21:43.658837080 CEST	42098	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:21:43.966949940 CEST	5353	42098	18.167.12.195	192.168.2.23
Apr 2, 2025 10:21:47.978071928 CEST	42100	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:21:48.290224075 CEST	5353	42100	18.167.12.195	192.168.2.23
Apr 2, 2025 10:21:52.306179047 CEST	42102	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:21:52.619309902 CEST	5353	42102	18.167.12.195	192.168.2.23
Apr 2, 2025 10:21:56.632729053 CEST	42104	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:21:56.944206953 CEST	5353	42104	18.167.12.195	192.168.2.23
Apr 2, 2025 10:22:00.956440926 CEST	42106	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:22:01.274765015 CEST	5353	42106	18.167.12.195	192.168.2.23
Apr 2, 2025 10:22:05.286277056 CEST	42108	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:22:05.593575001 CEST	5353	42108	18.167.12.195	192.168.2.23
Apr 2, 2025 10:22:09.612512112 CEST	42110	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:22:09.919843912 CEST	5353	42110	18.167.12.195	192.168.2.23
Apr 2, 2025 10:22:13.934859991 CEST	42112	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:22:14.241786003 CEST	5353	42112	18.167.12.195	192.168.2.23
Apr 2, 2025 10:22:18.254693031 CEST	42114	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:22:18.562319994 CEST	5353	42114	18.167.12.195	192.168.2.23
Apr 2, 2025 10:22:22.579864025 CEST	42116	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:22:22.892448902 CEST	5353	42116	18.167.12.195	192.168.2.23
Apr 2, 2025 10:22:26.906470060 CEST	42118	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:22:27.217952013 CEST	5353	42118	18.167.12.195	192.168.2.23
Apr 2, 2025 10:22:31.231905937 CEST	42120	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:22:31.544441938 CEST	5353	42120	18.167.12.195	192.168.2.23
Apr 2, 2025 10:22:35.570961952 CEST	42122	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:22:35.882189035 CEST	5353	42122	18.167.12.195	192.168.2.23
Apr 2, 2025 10:22:39.898097038 CEST	42124	5353	192.168.2.23	18.167.12.195
Apr 2, 2025 10:22:40.205548048 CEST	5353	42124	18.167.12.195	192.168.2.23

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 2, 2025 10:14:37.567222118 CEST	50409	53	192.168.2.23	1.1.1.1
Apr 2, 2025 10:14:37.735455036 CEST	53	50409	1.1.1.1	192.168.2.23

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 2, 2025 10:14:37.567222118 CEST	192.168.2.23	1.1.1.1	0x8ed2	Standard query (0)	check.linux-kernel.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 2, 2025 10:14:37.735455036 CEST	1.1.1.1	192.168.2.23	0x8ed2	No error (0)	check.linux-kernel.xyz		18.167.12.195	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: IdpLihor52.elf PID: 6231, Parent PID: 6154

General

Start time (UTC):	08:14:36
Start date (UTC):	02/04/2025
Path:	/tmp/IdpLihor52.elf
Arguments:	/tmp/IdpLihor52.elf
File size:	216872 bytes
MD5 hash:	db85cb255d2e559ce9388349cf626618

File Activities

File Opened

File Deleted

File Read

File Written

Directory Created

Process Activities

Process Forked

Chronological Activities

Analysis Process: IdpLihor52.elf PID: 6232, Parent PID: 6231

General

Start time (UTC):	08:14:36
Start date (UTC):	02/04/2025
Path:	/tmp/IdpLihor52.elf
Arguments:	-
File size:	216872 bytes
MD5 hash:	db85cb255d2e559ce9388349cf626618

Process Activities

Process Forked

Chronological Activities

Analysis Process: IdpLihor52.elf PID: 6233, Parent PID: 6232

General

Start time (UTC):	08:14:36
Start date (UTC):	02/04/2025
Path:	/tmp/IdpLihor52.elf
Arguments:	-
File size:	216872 bytes
MD5 hash:	db85cb255d2e559ce9388349cf626618

File Activities

File Opened

File Read

File Written

Directory Created

Process Activities

Thread Sleep

System Activities

Query System Information (uname)

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: dash PID: 6294, Parent PID: 4331

General

Start time (UTC):	08:15:57
Start date (UTC):	02/04/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: rm PID: 6294, Parent PID: 4331

General

Start time (UTC):	08:15:57
Start date (UTC):	02/04/2025
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.nEIL30cwr8 /tmp/tmp.rCZmIxfk9m /tmp/tmp.yNQ3b3XGSF
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

File Activities

File Opened

File Deleted

File Read

Chronological Activities

Analysis Process: dash PID: 6295, Parent PID: 4331

General

Start time (UTC):	08:15:57
Start date (UTC):	02/04/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: rm PID: 6295, Parent PID: 4331

General

Start time (UTC):	08:15:57
Start date (UTC):	02/04/2025
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.nEIL30cwr8 /tmp/tmp.rCZmIxfk9m /tmp/tmp.yNQ3b3XGSF
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	IaaS, Linux, macOS, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report IdpLihor52.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/etc/ld.so.preload

/usr/lib/x86_64-linux-gnu/libcext.so.2

/var/log/cross/0/config-err-7500b1b

/var/log/cross/auto-color

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Dynamic Tags

Symbols

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: IdpLihor52.elf PID: 6231, Parent PID: 6154

General

File Activities

File Opened

File Deleted

File Read

File Written

Directory Created

Process Activities

Process Forked

Chronological Activities

Analysis Process: IdpLihor52.elf PID: 6232, Parent PID: 6231

General

Process Activities

Linux Analysis Report
IdpLihor52.elf