Edit tour

Linux Analysis Report
PwP4tXNi4a.elf

Overview

General Information

Sample name:	PwP4tXNi4a.elf renamed because original name is a hash value
Original sample name:	e0430921164e36df90959de0e02b7026.elf
Analysis ID:	1427709
MD5:	e0430921164e36df90959de0e02b7026
SHA1:	d8014c0261891daa725f619dd3fa5b355edc2f8b
SHA256:	afa3a08f29d9f3f60898213906c9d8a2e1695204812c13d219beaf3ebf6a5139
Tags:	32armelfgafgyt
Infos:

Detection

Gafgyt, Mirai

Score:	92
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Gafgyt

Yara detected Mirai

Opens /proc/net/* files useful for finding connected devices and routers

Detected TCP or UDP traffic on non-standard ports

Sample contains strings that are user agent strings indicative of HTTP manipulation

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures.

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1427709
Start date and time:	2024-04-18 01:26:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	PwP4tXNi4a.elf renamed because original name is a hash value
Original Sample Name:	e0430921164e36df90959de0e02b7026.elf
Detection:	MAL
Classification:	mal92.spre.troj.linELF@0/0@2/0

Warnings

VT rate limit hit for: PwP4tXNi4a.elf

Runtime Messages

Command:	/tmp/PwP4tXNi4a.elf
PID:	5533
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	gosh that chinese family at the other table sure ate alot
Standard Error:

Process Tree

system is lnxubuntu20

PwP4tXNi4a.elf (PID: 5533, Parent: 5452, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/PwP4tXNi4a.elf

PwP4tXNi4a.elf New Fork (PID: 5535, Parent: 5533)

PwP4tXNi4a.elf New Fork (PID: 5536, Parent: 5533)

PwP4tXNi4a.elf New Fork (PID: 5539, Parent: 5536)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Bashlite, Gafgyt	Bashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.	No Attribution	http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/ https://blog.cyber5w.com/gafgyt-backdoor-analysis https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/ https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/ https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
PwP4tXNi4a.elf	JoeSecurity_Gafgyt	Yara detected Gafgyt	Joe Security
PwP4tXNi4a.elf	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
PwP4tXNi4a.elf	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x15b48:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15b5c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15b70:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15b84:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15b98:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15bac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15bc0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15bd4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15be8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15bfc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15c10:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15c24:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15c38:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15c4c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15c60:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15c74:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15c88:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15c9c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15cb0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15cc4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15cd8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
PwP4tXNi4a.elf	Linux_Trojan_Gafgyt_6a510422	unknown	unknown	0x1b9e:$a: 0B E5 24 30 1B E5 2C 30 0B E5 1C 00 00 EA 18 30 1B E5 00 30
PwP4tXNi4a.elf	Linux_Trojan_Gafgyt_d2953f92	unknown	unknown	0x1aae:$a: 1B E5 2A 00 53 E3 0A 00 00 0A 30 30 1B E5 3F 00 53 E3 23 00

Memory Dumps

Source	Rule	Description	Author	Strings
5535.1.00007f8d8c017000.00007f8d8c030000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5535.1.00007f8d8c017000.00007f8d8c030000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x15b48:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15b5c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15b70:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15b84:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15b98:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15bac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15bc0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15bd4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15be8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15bfc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15c10:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15c24:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15c38:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15c4c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15c60:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15c74:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15c88:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15c9c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15cb0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15cc4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15cd8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5535.1.00007f8d8c017000.00007f8d8c030000.r-x.sdmp	Linux_Trojan_Gafgyt_6a510422	unknown	unknown	0x1b9e:$a: 0B E5 24 30 1B E5 2C 30 0B E5 1C 00 00 EA 18 30 1B E5 00 30
5535.1.00007f8d8c017000.00007f8d8c030000.r-x.sdmp	Linux_Trojan_Gafgyt_d2953f92	unknown	unknown	0x1aae:$a: 1B E5 2A 00 53 E3 0A 00 00 0A 30 30 1B E5 3F 00 53 E3 23 00
5533.1.00007f8d8c017000.00007f8d8c030000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5533.1.00007f8d8c017000.00007f8d8c030000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x15b48:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15b5c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15b70:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15b84:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15b98:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15bac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15bc0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15bd4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15be8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15bfc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15c10:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15c24:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15c38:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15c4c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15c60:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15c74:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15c88:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15c9c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15cb0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15cc4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15cd8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5533.1.00007f8d8c017000.00007f8d8c030000.r-x.sdmp	Linux_Trojan_Gafgyt_6a510422	unknown	unknown	0x1b9e:$a: 0B E5 24 30 1B E5 2C 30 0B E5 1C 00 00 EA 18 30 1B E5 00 30
5533.1.00007f8d8c017000.00007f8d8c030000.r-x.sdmp	Linux_Trojan_Gafgyt_d2953f92	unknown	unknown	0x1aae:$a: 1B E5 2A 00 53 E3 0A 00 00 0A 30 30 1B E5 3F 00 53 E3 23 00
5536.1.00007f8d8c017000.00007f8d8c030000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5536.1.00007f8d8c017000.00007f8d8c030000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x15b48:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15b5c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15b70:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15b84:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15b98:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15bac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15bc0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15bd4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15be8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15bfc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15c10:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15c24:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15c38:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15c4c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15c60:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15c74:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15c88:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15c9c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15cb0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15cc4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15cd8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5536.1.00007f8d8c017000.00007f8d8c030000.r-x.sdmp	Linux_Trojan_Gafgyt_6a510422	unknown	unknown	0x1b9e:$a: 0B E5 24 30 1B E5 2C 30 0B E5 1C 00 00 EA 18 30 1B E5 00 30
5536.1.00007f8d8c017000.00007f8d8c030000.r-x.sdmp	Linux_Trojan_Gafgyt_d2953f92	unknown	unknown	0x1aae:$a: 1B E5 2A 00 53 E3 0A 00 00 0A 30 30 1B E5 3F 00 53 E3 23 00
Process Memory Space: PwP4tXNi4a.elf PID: 5533	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x5342:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5356:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x536a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x537e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5392:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x53a6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x53ba:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x53ce:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x53e2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x53f6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x540a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x541e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5432:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5446:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x545a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x546e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5482:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5496:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x54aa:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x54be:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x54d2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: PwP4tXNi4a.elf PID: 5535	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x1969:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x197d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1991:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19a5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19b9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19cd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19e1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19f5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1a09:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1a1d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1a31:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1a45:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1a59:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1a6d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1a81:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1a95:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1aa9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1abd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1ad1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1ae5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1af9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: PwP4tXNi4a.elf PID: 5536	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x13acd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13ae1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13af5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13b09:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13b1d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13b31:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13b45:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13b59:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13b6d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13b81:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13b95:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13ba9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13bbd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13bd1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13be5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13bf9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13c0d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13c21:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13c35:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13c49:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13c5d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Click to see the 10 entries

Snort Signatures

ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response - Source IP: 185.150.26.226 - Destination IP: 192.168.2.15

Timestamp:	04/18/24-01:27:46.519770
SID:	2839489
Source Port:	1486
Destination Port:	41112
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response - Source IP: 185.150.26.226 - Destination IP: 192.168.2.15

Timestamp:	04/18/24-01:28:48.258280
SID:	2839489
Source Port:	1486
Destination Port:	41120
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response - Source IP: 185.150.26.226 - Destination IP: 192.168.2.15

Timestamp:	04/18/24-01:27:31.110122
SID:	2839489
Source Port:	1486
Destination Port:	41110
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response - Source IP: 185.150.26.226 - Destination IP: 192.168.2.15

Timestamp:	04/18/24-01:29:03.664496
SID:	2839489
Source Port:	1486
Destination Port:	41122
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response - Source IP: 185.150.26.226 - Destination IP: 192.168.2.15

Timestamp:	04/18/24-01:28:01.935052
SID:	2839489
Source Port:	1486
Destination Port:	41114
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response - Source IP: 185.150.26.226 - Destination IP: 192.168.2.15

Timestamp:	04/18/24-01:29:19.126700
SID:	2839489
Source Port:	1486
Destination Port:	41124
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response - Source IP: 185.150.26.226 - Destination IP: 192.168.2.15

Timestamp:	04/18/24-01:30:05.376252
SID:	2839489
Source Port:	1486
Destination Port:	41130
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response - Source IP: 185.150.26.226 - Destination IP: 192.168.2.15

Timestamp:	04/18/24-01:30:20.789102
SID:	2839489
Source Port:	1486
Destination Port:	41132
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response - Source IP: 185.150.26.226 - Destination IP: 192.168.2.14

Timestamp:	04/18/24-01:27:13.871875
SID:	2839489
Source Port:	1486
Destination Port:	60996
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response - Source IP: 185.150.26.226 - Destination IP: 192.168.2.15

Timestamp:	04/18/24-01:29:49.962139
SID:	2839489
Source Port:	1486
Destination Port:	41128
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response - Source IP: 185.150.26.226 - Destination IP: 192.168.2.14

Timestamp:	04/18/24-01:26:58.412823
SID:	2839489
Source Port:	1486
Destination Port:	60994
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response - Source IP: 185.150.26.226 - Destination IP: 192.168.2.15

Timestamp:	04/18/24-01:29:34.543208
SID:	2839489
Source Port:	1486
Destination Port:	41126
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response - Source IP: 185.150.26.226 - Destination IP: 192.168.2.14

Timestamp:	04/18/24-01:27:29.334720
SID:	2839489
Source Port:	1486
Destination Port:	60998
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response - Source IP: 185.150.26.226 - Destination IP: 192.168.2.15

Timestamp:	04/18/24-01:28:32.798760
SID:	2839489
Source Port:	1486
Destination Port:	41118
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response - Source IP: 185.150.26.226 - Destination IP: 192.168.2.14

Timestamp:	04/18/24-01:28:00.248642
SID:	2839489
Source Port:	1486
Destination Port:	32770
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response - Source IP: 185.150.26.226 - Destination IP: 192.168.2.15

Timestamp:	04/18/24-01:28:17.344777
SID:	2839489
Source Port:	1486
Destination Port:	41116
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response - Source IP: 185.150.26.226 - Destination IP: 192.168.2.14

Timestamp:	04/18/24-01:27:44.796770
SID:	2839489
Source Port:	1486
Destination Port:	32768
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response - Source IP: 185.150.26.226 - Destination IP: 192.168.2.15

Timestamp:	04/18/24-01:27:00.225610
SID:	2839489
Source Port:	1486
Destination Port:	41106
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response - Source IP: 185.150.26.226 - Destination IP: 192.168.2.15

Timestamp:	04/18/24-01:27:15.649607
SID:	2839489
Source Port:	1486
Destination Port:	41108
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: PwP4tXNi4a.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: PwP4tXNi4a.elf

ReversingLabs: Detection: 68%

Spreading

Opens /proc/net/* files useful for finding connected devices and routers

Source: /tmp/PwP4tXNi4a.elf (PID: 5533)

Opens: /proc/net/route

Jump to behavior

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2839489 ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response 185.150.26.226:1486 -> 192.168.2.14:60994
Source: Traffic	Snort IDS: 2839489 ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response 185.150.26.226:1486 -> 192.168.2.14:60996
Source: Traffic	Snort IDS: 2839489 ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response 185.150.26.226:1486 -> 192.168.2.14:60998
Source: Traffic	Snort IDS: 2839489 ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response 185.150.26.226:1486 -> 192.168.2.14:32768
Source: Traffic	Snort IDS: 2839489 ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response 185.150.26.226:1486 -> 192.168.2.14:32770
Source: Traffic	Snort IDS: 2839489 ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response 185.150.26.226:1486 -> 192.168.2.15:41106
Source: Traffic	Snort IDS: 2839489 ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response 185.150.26.226:1486 -> 192.168.2.15:41108
Source: Traffic	Snort IDS: 2839489 ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response 185.150.26.226:1486 -> 192.168.2.15:41110
Source: Traffic	Snort IDS: 2839489 ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response 185.150.26.226:1486 -> 192.168.2.15:41112
Source: Traffic	Snort IDS: 2839489 ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response 185.150.26.226:1486 -> 192.168.2.15:41114
Source: Traffic	Snort IDS: 2839489 ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response 185.150.26.226:1486 -> 192.168.2.15:41116
Source: Traffic	Snort IDS: 2839489 ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response 185.150.26.226:1486 -> 192.168.2.15:41118
Source: Traffic	Snort IDS: 2839489 ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response 185.150.26.226:1486 -> 192.168.2.15:41120
Source: Traffic	Snort IDS: 2839489 ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response 185.150.26.226:1486 -> 192.168.2.15:41122
Source: Traffic	Snort IDS: 2839489 ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response 185.150.26.226:1486 -> 192.168.2.15:41124
Source: Traffic	Snort IDS: 2839489 ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response 185.150.26.226:1486 -> 192.168.2.15:41126
Source: Traffic	Snort IDS: 2839489 ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response 185.150.26.226:1486 -> 192.168.2.15:41128
Source: Traffic	Snort IDS: 2839489 ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response 185.150.26.226:1486 -> 192.168.2.15:41130
Source: Traffic	Snort IDS: 2839489 ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response 185.150.26.226:1486 -> 192.168.2.15:41132

Source: global traffic

TCP traffic: 192.168.2.15:41106 -> 185.150.26.226:1486

Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.150.26.226

Source: unknown

DNS traffic detected: queries for: daisy.ubuntu.com

System Summary

Malicious sample detected (through community Yara rule)

Source: PwP4tXNi4a.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: PwP4tXNi4a.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_6a510422 Author: unknown
Source: PwP4tXNi4a.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d2953f92 Author: unknown
Source: 5535.1.00007f8d8c017000.00007f8d8c030000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5535.1.00007f8d8c017000.00007f8d8c030000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_6a510422 Author: unknown
Source: 5535.1.00007f8d8c017000.00007f8d8c030000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d2953f92 Author: unknown
Source: 5533.1.00007f8d8c017000.00007f8d8c030000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5533.1.00007f8d8c017000.00007f8d8c030000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_6a510422 Author: unknown
Source: 5533.1.00007f8d8c017000.00007f8d8c030000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d2953f92 Author: unknown
Source: 5536.1.00007f8d8c017000.00007f8d8c030000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5536.1.00007f8d8c017000.00007f8d8c030000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_6a510422 Author: unknown
Source: 5536.1.00007f8d8c017000.00007f8d8c030000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d2953f92 Author: unknown
Source: Process Memory Space: PwP4tXNi4a.elf PID: 5533, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: PwP4tXNi4a.elf PID: 5535, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: PwP4tXNi4a.elf PID: 5536, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: PwP4tXNi4a.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: PwP4tXNi4a.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_6a510422 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 8ee116ff41236771cdc8dc4b796c3b211502413ae631d5b5aedbbaa2eccc3b75, id = 6a510422-3662-4fdb-9c03-0101f16e87cd, last_modified = 2021-09-16
Source: PwP4tXNi4a.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d2953f92 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 276c6d62a8a335d0e2421b6b5b90c2c0eb69eec294bc9fcdeb7743abbf08d8bc, id = d2953f92-62ee-428d-88c5-723914c88c6e, last_modified = 2021-09-16
Source: 5535.1.00007f8d8c017000.00007f8d8c030000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5535.1.00007f8d8c017000.00007f8d8c030000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_6a510422 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 8ee116ff41236771cdc8dc4b796c3b211502413ae631d5b5aedbbaa2eccc3b75, id = 6a510422-3662-4fdb-9c03-0101f16e87cd, last_modified = 2021-09-16
Source: 5535.1.00007f8d8c017000.00007f8d8c030000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d2953f92 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 276c6d62a8a335d0e2421b6b5b90c2c0eb69eec294bc9fcdeb7743abbf08d8bc, id = d2953f92-62ee-428d-88c5-723914c88c6e, last_modified = 2021-09-16
Source: 5533.1.00007f8d8c017000.00007f8d8c030000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5533.1.00007f8d8c017000.00007f8d8c030000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_6a510422 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 8ee116ff41236771cdc8dc4b796c3b211502413ae631d5b5aedbbaa2eccc3b75, id = 6a510422-3662-4fdb-9c03-0101f16e87cd, last_modified = 2021-09-16
Source: 5533.1.00007f8d8c017000.00007f8d8c030000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d2953f92 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 276c6d62a8a335d0e2421b6b5b90c2c0eb69eec294bc9fcdeb7743abbf08d8bc, id = d2953f92-62ee-428d-88c5-723914c88c6e, last_modified = 2021-09-16
Source: 5536.1.00007f8d8c017000.00007f8d8c030000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5536.1.00007f8d8c017000.00007f8d8c030000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_6a510422 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 8ee116ff41236771cdc8dc4b796c3b211502413ae631d5b5aedbbaa2eccc3b75, id = 6a510422-3662-4fdb-9c03-0101f16e87cd, last_modified = 2021-09-16
Source: 5536.1.00007f8d8c017000.00007f8d8c030000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d2953f92 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 276c6d62a8a335d0e2421b6b5b90c2c0eb69eec294bc9fcdeb7743abbf08d8bc, id = d2953f92-62ee-428d-88c5-723914c88c6e, last_modified = 2021-09-16
Source: Process Memory Space: PwP4tXNi4a.elf PID: 5533, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: PwP4tXNi4a.elf PID: 5535, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: PwP4tXNi4a.elf PID: 5536, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal92.spre.troj.linELF@0/0@2/0

Source: PwP4tXNi4a.elf	ELF static info symbol of initial sample: /home/landley/work/ab7/build/temp-armv5l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: PwP4tXNi4a.elf	ELF static info symbol of initial sample: /home/landley/work/ab7/build/temp-armv5l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: PwP4tXNi4a.elf	ELF static info symbol of initial sample: /home/landley/work/ab7/build/temp-armv5l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: PwP4tXNi4a.elf	ELF static info symbol of initial sample: /home/landley/work/ab7/build/temp-armv5l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: PwP4tXNi4a.elf	ELF static info symbol of initial sample: /home/landley/work/ab7/build/temp-armv5l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: PwP4tXNi4a.elf	ELF static info symbol of initial sample: /home/landley/work/ab7/build/temp-armv5l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: PwP4tXNi4a.elf	ELF static info symbol of initial sample: /home/landley/work/ab7/build/temp-armv5l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: PwP4tXNi4a.elf	ELF static info symbol of initial sample: libc/string/arm/_memcpy.S

Source: /tmp/PwP4tXNi4a.elf (PID: 5533)

Queries kernel information via 'uname':

Jump to behavior

Source: PwP4tXNi4a.elf, 5533.1.00007ffc4e5c8000.00007ffc4e5e9000.rw-.sdmp, PwP4tXNi4a.elf, 5535.1.00007ffc4e5c8000.00007ffc4e5e9000.rw-.sdmp, PwP4tXNi4a.elf, 5536.1.00007ffc4e5c8000.00007ffc4e5e9000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/PwP4tXNi4a.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/PwP4tXNi4a.elf
Source: PwP4tXNi4a.elf, 5533.1.000055f93a08a000.000055f93a1d9000.rw-.sdmp, PwP4tXNi4a.elf, 5535.1.000055f93a08a000.000055f93a1d9000.rw-.sdmp, PwP4tXNi4a.elf, 5536.1.000055f93a08a000.000055f93a1d9000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/arm
Source: PwP4tXNi4a.elf, 5533.1.000055f93a08a000.000055f93a1d9000.rw-.sdmp, PwP4tXNi4a.elf, 5535.1.000055f93a08a000.000055f93a1d9000.rw-.sdmp, PwP4tXNi4a.elf, 5536.1.000055f93a08a000.000055f93a1d9000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: PwP4tXNi4a.elf, 5533.1.00007ffc4e5c8000.00007ffc4e5e9000.rw-.sdmp, PwP4tXNi4a.elf, 5535.1.00007ffc4e5c8000.00007ffc4e5e9000.rw-.sdmp, PwP4tXNi4a.elf, 5536.1.00007ffc4e5c8000.00007ffc4e5e9000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm

Stealing of Sensitive Information

Yara detected Gafgyt

Source: Yara match

File source: PwP4tXNi4a.elf, type: SAMPLE

Yara detected Mirai

Source: Yara match	File source: PwP4tXNi4a.elf, type: SAMPLE
Source: Yara match	File source: 5535.1.00007f8d8c017000.00007f8d8c030000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5533.1.00007f8d8c017000.00007f8d8c030000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5536.1.00007f8d8c017000.00007f8d8c030000.r-x.sdmp, type: MEMORY

Source: Initial sample	User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; pl) Opera 11.00
Source: Initial sample	User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; en) Opera 11.00
Source: Initial sample	User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; ja) Opera 11.00
Source: Initial sample	User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; de) Opera 11.01
Source: Initial sample	User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; fr) Opera 11.00
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Source: Initial sample	User agent string found: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11) AppleWebKit/601.1.56 (KHTML, like Gecko) Version/9.0 Safari/601.1.56
Source: Initial sample	User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.7 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.7
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: Initial sample	User agent string found: Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51
Source: Initial sample	User agent string found: Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16
Source: Initial sample	User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Linux; Android 4.4.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.89 Mobile Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Linux; Android 4.4.3; HTC_0PCV2 Build/KTU84L) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
Source: Initial sample	User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; X11; Linux x86_64; pl) Opera 11.00
Source: Initial sample	User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:25.0) Gecko/20100101 Firefox/25.0
Source: Initial sample	User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0
Source: Initial sample	User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0
Source: Initial sample	User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10; rv:33.0) Gecko/20100101 Firefox/33.0

Remote Access Functionality

Yara detected Gafgyt

Source: Yara match

File source: PwP4tXNi4a.elf, type: SAMPLE

Yara detected Mirai

Source: Yara match	File source: PwP4tXNi4a.elf, type: SAMPLE
Source: Yara match	File source: 5535.1.00007f8d8c017000.00007f8d8c030000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5533.1.00007f8d8c017000.00007f8d8c030000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5536.1.00007f8d8c017000.00007f8d8c030000.r-x.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 Remote System Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PwP4tXNi4a.elf	68%	ReversingLabs	Linux.Trojan.LnxGafgyt
PwP4tXNi4a.elf	100%	Avira	LINUX/Gafgyt.opnd

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
daisy.ubuntu.com	162.213.35.24	true	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.150.26.226	unknown	Netherlands		44592	SKYLINKNL	true

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.150.26.226	8xnQBClhg7.elf	Get hash	malicious	Gafgyt, Mirai	Browse
185.150.26.226	YgpPblX7Ct.elf	Get hash	malicious	Gafgyt, Mirai	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
daisy.ubuntu.com	8xnQBClhg7.elf	Get hash	malicious	Gafgyt, Mirai	Browse	162.213.35.24
	ClPVG70TmC.elf	Get hash	malicious	Mirai	Browse	162.213.35.25
	5VaGSbWdTq.elf	Get hash	malicious	Mirai	Browse	162.213.35.24
	n3l6rOHrCy.elf	Get hash	malicious	Mirai	Browse	162.213.35.25
	Ag0lD8sQ2M.elf	Get hash	malicious	Mirai	Browse	162.213.35.24
	64ZOedXgZ1.elf	Get hash	malicious	Mirai	Browse	162.213.35.24
	ZNmO15OLbB.elf	Get hash	malicious	Mirai	Browse	162.213.35.25
	p83YQKCH5M.elf	Get hash	malicious	Mirai	Browse	162.213.35.24
	YHbakNEfOJ.elf	Get hash	malicious	Gafgyt, Mirai	Browse	162.213.35.24
	8hQCf2Y8Ra.elf	Get hash	malicious	Gafgyt, Mirai	Browse	162.213.35.24

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SKYLINKNL	8xnQBClhg7.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.150.26.226
	YgpPblX7Ct.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.150.26.226
	wXKNYp2Oz7.elf	Get hash	malicious	Unknown	Browse	185.150.26.199
	u03NaKUcTE.elf	Get hash	malicious	Unknown	Browse	185.150.26.199
	OxijfIfpE4.elf	Get hash	malicious	Unknown	Browse	185.150.26.199
	iohvlkX3du.elf	Get hash	malicious	Unknown	Browse	185.150.26.199
	3c5LsY4PK6.elf	Get hash	malicious	Unknown	Browse	185.150.26.199
	hEy4ti72CC.elf	Get hash	malicious	Unknown	Browse	185.150.26.199
	NNS8GpmHiy.elf	Get hash	malicious	Unknown	Browse	185.150.26.199
	MBK672tbE2.elf	Get hash	malicious	Unknown	Browse	185.150.26.199

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped
Entropy (8bit):	6.092264541679494
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	PwP4tXNi4a.elf
File size:	143'019 bytes
MD5:	e0430921164e36df90959de0e02b7026
SHA1:	d8014c0261891daa725f619dd3fa5b355edc2f8b
SHA256:	afa3a08f29d9f3f60898213906c9d8a2e1695204812c13d219beaf3ebf6a5139
SHA512:	fcc9ceed2ea43acfa219881bbb20421c2930feb774924f36ea9eabe6a083d6f96f6346c1ece0353173e069816d2e304ac05791cad79ec3b2a449cb35089f2197
SSDEEP:	3072:Cv/WwsLgaq353qHiCOvhOOwq1DQHbe1kmhxQwoVSUNu:KPLaq351hOOwq1L1kmhxQwoVSUNu
TLSH:	E9E32A30D4504B17C2D213FAA79E825E3F221F9793DB33115B38BAB41FE279A1D69924
File Content Preview:	.ELF..............(.........4...D.......4. ...(........p,...,...,...................................<...<................................k..........Q.td..................................-...L..................G.F.G.F.G.F.G.F G.F(G.F0G.F8G.F@G.FHG.FPG.FXG.

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x81b0
Flags:	0x4000002
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	4
Section Header Offset:	110148
Section Header Size:	40
Number of Section Headers:	24
Header String Table Index:	21

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Link	Info	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0	0	0
.init	PROGBITS	0x80b4	0xb4	0x10	0x0	0x6	AX	0	0	4
.text	PROGBITS	0x80d0	0xd0	0x14954	0x0	0x6	AX	0	0	16
.fini	PROGBITS	0x1ca24	0x14a24	0x10	0x0	0x6	AX	0	0	4
.rodata	PROGBITS	0x1ca38	0x14a38	0x44dc	0x0	0x2	A	0	0	8
.ARM.extab	PROGBITS	0x20f14	0x18f14	0x18	0x0	0x2	A	0	0	4
.ARM.exidx	ARM_EXIDX	0x20f2c	0x18f2c	0x10	0x0	0x82	AL	2	0	4
.eh_frame	PROGBITS	0x29000	0x19000	0x4	0x0	0x3	WA	0	0	4
.init_array	INIT_ARRAY	0x29004	0x19004	0x4	0x0	0x3	WA	0	0	4
.fini_array	FINI_ARRAY	0x29008	0x19008	0x4	0x0	0x3	WA	0	0	4
.jcr	PROGBITS	0x2900c	0x1900c	0x4	0x0	0x3	WA	0	0	4
.got	PROGBITS	0x29010	0x19010	0x78	0x4	0x3	WA	0	0	4
.data	PROGBITS	0x29088	0x19088	0x31c	0x0	0x3	WA	0	0	4
.bss	NOBITS	0x293a8	0x193a4	0x6764	0x0	0x3	WA	0	0	8
.comment	PROGBITS	0x0	0x193a4	0xce2	0x0	0x0		0	0	1
.debug_aranges	PROGBITS	0x0	0x1a088	0xe0	0x0	0x0		0	0	8
.debug_info	PROGBITS	0x0	0x1a168	0x4b0	0x0	0x0		0	0	1
.debug_abbrev	PROGBITS	0x0	0x1a618	0x8c	0x0	0x0		0	0	1
.debug_line	PROGBITS	0x0	0x1a6a4	0x655	0x0	0x0		0	0	1
.debug_frame	PROGBITS	0x0	0x1acfc	0x58	0x0	0x0		0	0	4
.ARM.attributes	ARM_ATTRIBUTES	0x0	0x1ad54	0x10	0x0	0x0		0	0	1
.shstrtab	STRTAB	0x0	0x1ad64	0xdd	0x0	0x0		0	0	1
.symtab	SYMTAB	0x0	0x1b204	0x5130	0x10	0x0		23	700	4
.strtab	STRTAB	0x0	0x20334	0x2b77	0x0	0x0		0	0	1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
EXIDX	0x18f2c	0x20f2c	0x20f2c	0x10	0x10	2.4056	0x4	R	0x4	.ARM.exidx
LOAD	0x0	0x8000	0x8000	0x18f3c	0x18f3c	6.1952	0x5	R E	0x8000	.init .text .fini .rodata .ARM.extab .ARM.exidx
LOAD	0x19000	0x29000	0x29000	0x3a4	0x6b0c	3.9649	0x6	RW	0x8000	.eh_frame .init_array .fini_array .jcr .got .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Symbols

Name	Section Name	Value	Size	Symbol Type	Symbol Bind	Symbol Visibility	Ndx
	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
	.symtab	0x80b4	0	SECTION	<unknown>	DEFAULT	1
	.symtab	0x80d0	0	SECTION	<unknown>	DEFAULT	2
	.symtab	0x1ca24	0	SECTION	<unknown>	DEFAULT	3
	.symtab	0x1ca38	0	SECTION	<unknown>	DEFAULT	4
	.symtab	0x20f14	0	SECTION	<unknown>	DEFAULT	5
	.symtab	0x20f2c	0	SECTION	<unknown>	DEFAULT	6
	.symtab	0x29000	0	SECTION	<unknown>	DEFAULT	7
	.symtab	0x29004	0	SECTION	<unknown>	DEFAULT	8
	.symtab	0x29008	0	SECTION	<unknown>	DEFAULT	9
	.symtab	0x2900c	0	SECTION	<unknown>	DEFAULT	10
	.symtab	0x29010	0	SECTION	<unknown>	DEFAULT	11
	.symtab	0x29088	0	SECTION	<unknown>	DEFAULT	12
	.symtab	0x293a8	0	SECTION	<unknown>	DEFAULT	13
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	14
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	15
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	16
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	17
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	18
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	19
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	20
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	21
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	22
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	23
$a	.symtab	0x80b4	0	NOTYPE	<unknown>	DEFAULT	1
$a	.symtab	0x1ca24	0	NOTYPE	<unknown>	DEFAULT	3
$a	.symtab	0x80c0	0	NOTYPE	<unknown>	DEFAULT	1
$a	.symtab	0x1ca30	0	NOTYPE	<unknown>	DEFAULT	3
$a	.symtab	0x810c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x8150	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x81b0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x81ec	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x8614	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x8760	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x8838	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x8990	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x8ad4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x93c8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x97a8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x9930	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x9a88	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x9db4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0xa08c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0xa4a8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0xa50c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0xb530	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0xbc08	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0xbd2c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0xc3c0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0xca70	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0xdabc	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0xe798	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0xea54	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0xf38c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0xf420	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0xf4f4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0xf67c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1011c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x10300	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1034c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x10398	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x10404	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x10490	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x10618	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1142c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11540	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11560	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x115a0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x115d4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x115e8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11648	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1167c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11690	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x116c0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11700	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11714	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11748	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11764	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11798	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x117d8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1180c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11838	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1186c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x118a0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11978	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x119ac	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11a00	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11a2c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11a64	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11a98	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11ac8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11ae4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11b18	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11b4c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11c00	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11c68	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11c9c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11d70	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x11da0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x12560	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x12600	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x12644	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x127f4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x12848	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x12db8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x12df0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x12ea0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x12f40	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x12fa0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x12fb0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x12fd0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x12fe0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x12ff0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x130ec	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x131b8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x131dc	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x13298	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x13388	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x133a0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x133d0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x134d0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x134f4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x13570	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x135d0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x135f8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x13614	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1367c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x136b4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x136ec	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x13730	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x13768	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x137a4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x137dc	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1381c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x13860	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x13898	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x138b4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x138f8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1390c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x139c4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x13a30	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x143c8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x144fc	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x148b0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x14d50	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x14d90	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x14eb8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x14ed0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x14f74	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1502c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x150ec	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x15190	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x15274	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x15304	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x153dc	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x154c0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x154e0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x154fc	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x156bc	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x15774	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x15820	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1596c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x15f44	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x15ff0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x16040	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x16100	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x16154	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x161c0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x16494	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x164fc	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1651c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x165a4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x165b0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x165bc	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x165f0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x16624	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1664c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x16660	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x16694	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x166c8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x166dc	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x16748	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1675c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x16790	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x167c4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x16804	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x16818	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1684c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x16944	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x16a14	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x16ac0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x16b58	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x16c44	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x16c60	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x17004	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x17058	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1707c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1712c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x172e0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x17300	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x173b4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x176bc	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x177fc	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x178cc	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1793c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x17968	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x17ac4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x182b8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x18394	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x18450	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x185d8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x187e4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x18910	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x189b0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x18e40	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x18f30	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x18fa8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x18fec	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1909c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1917c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x191c8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x19218	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1923c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x19328	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x19368	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x19460	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x19700	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x19738	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x19784	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x19790	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x197e8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x19a18	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x19b5c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x19b80	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x19cd0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x19d28	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x19dec	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x19e1c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x19eb4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x19ef0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1a1dc	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1a5a4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1a69c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1ae84	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1aed8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1af30	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1b38c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1b424	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1b470	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1b768	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1b79c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1b814	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1b86c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1b8d0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1b8e0	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1b914	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1ba00	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1bab4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1bb14	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1bb44	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1bd48	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1bd7c	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1bde8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1be94	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1bfd8	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1c3f4	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1c890	0	NOTYPE	<unknown>	DEFAULT	2
$a	.symtab	0x1c9d0	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x8144	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x29008	0	NOTYPE	<unknown>	DEFAULT	9
$d	.symtab	0x819c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x29004	0	NOTYPE	<unknown>	DEFAULT	8
$d	.symtab	0x2908c	0	NOTYPE	<unknown>	DEFAULT	12
$d	.symtab	0x81e0	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x29090	0	NOTYPE	<unknown>	DEFAULT	12
$d	.symtab	0x875c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x8830	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x898c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x8ac8	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x93c4	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x9798	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x992c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1d72c	0	NOTYPE	<unknown>	DEFAULT	4
$d	.symtab	0x9a84	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x9db0	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0xa088	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0xa4a0	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0xa508	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0xb514	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0xbc00	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0xbd28	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0xc3bc	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0xca44	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0xda68	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0xe778	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0xea40	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0xf35c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0xf410	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0xf4e4	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0xf678	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x29144	0	NOTYPE	<unknown>	DEFAULT	12
$d	.symtab	0x102a4	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x10348	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x10394	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x10400	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1048c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x10610	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x11ac0	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x29148	0	NOTYPE	<unknown>	DEFAULT	12
$d	.symtab	0x29150	0	NOTYPE	<unknown>	DEFAULT	12
$d	.symtab	0x11adc	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x11b14	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x11c60	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x11c94	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x11d5c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x2918c	0	NOTYPE	<unknown>	DEFAULT	12
$d	.symtab	0x29158	0	NOTYPE	<unknown>	DEFAULT	12
$d	.symtab	0x1fe70	0	NOTYPE	<unknown>	DEFAULT	4
$d	.symtab	0x12540	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x127f0	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1283c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x12d88	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x29294	0	NOTYPE	<unknown>	DEFAULT	12
$d	.symtab	0x131b0	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x13380	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x133c8	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x134c4	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1356c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x13670	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x136b0	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x136e8	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1372c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x13764	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x137d8	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x13818	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1385c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x13894	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x139bc	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x143ac	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x29298	0	NOTYPE	<unknown>	DEFAULT	12
$d	.symtab	0x144e4	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x14894	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x14d34	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x14d88	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x14ea4	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x292b0	0	NOTYPE	<unknown>	DEFAULT	12
$d	.symtab	0x14f58	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x15010	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x150d0	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x15174	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x292c8	0	NOTYPE	<unknown>	DEFAULT	12
$d	.symtab	0x29360	0	NOTYPE	<unknown>	DEFAULT	12
$d	.symtab	0x1526c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x15300	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x153d0	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x154b8	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x20a9c	0	NOTYPE	<unknown>	DEFAULT	4
$d	.symtab	0x156b4	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x15754	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x29374	0	NOTYPE	<unknown>	DEFAULT	12
$d	.symtab	0x1581c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x15948	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x15f20	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x15fe8	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1603c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x160ec	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1614c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x161b0	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x16454	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x2938c	0	NOTYPE	<unknown>	DEFAULT	12
$d	.symtab	0x16598	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x16644	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x16740	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x16930	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x16a0c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x16abc	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x20b18	0	NOTYPE	<unknown>	DEFAULT	4
$d	.symtab	0x16c30	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x2f5f8	0	NOTYPE	<unknown>	DEFAULT	13
$d	.symtab	0x16c58	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x16ffc	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x172c0	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x17688	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x18298	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x20b48	0	NOTYPE	<unknown>	DEFAULT	4
$d	.symtab	0x18380	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1843c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x185ac	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x187c0	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x18908	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x18f28	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x19094	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x19174	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x19320	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x19458	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1972c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1977c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x19cbc	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1a1d0	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1a598	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1ae48	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1aed0	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1af28	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1b344	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1b40c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1bb3c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1bd3c	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x1bde0	0	NOTYPE	<unknown>	DEFAULT	2
$d	.symtab	0x2939c	0	NOTYPE	<unknown>	DEFAULT	12
$t	.symtab	0x80d0	0	NOTYPE	<unknown>	DEFAULT	2
/home/landley/work/ab7/build/temp-armv5l/gcc-core/gcc/config/arm/lib1funcs.asm	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
/home/landley/work/ab7/build/temp-armv5l/gcc-core/gcc/config/arm/lib1funcs.asm	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
/home/landley/work/ab7/build/temp-armv5l/gcc-core/gcc/config/arm/lib1funcs.asm	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
/home/landley/work/ab7/build/temp-armv5l/gcc-core/gcc/config/arm/lib1funcs.asm	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
/home/landley/work/ab7/build/temp-armv5l/gcc-core/gcc/config/arm/lib1funcs.asm	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
/home/landley/work/ab7/build/temp-armv5l/gcc-core/gcc/config/arm/lib1funcs.asm	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
/home/landley/work/ab7/build/temp-armv5l/gcc-core/gcc/config/arm/lib1funcs.asm	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
C.1.3506	.symtab	0x20b18	24	OBJECT	<unknown>	DEFAULT	4
C.147.6116	.symtab	0x1ee4c	40	OBJECT	<unknown>	DEFAULT	4
C.177.6397	.symtab	0x1eeb8	16	OBJECT	<unknown>	DEFAULT	4
C.178.6398	.symtab	0x1ee8c	20	OBJECT	<unknown>	DEFAULT	4
KHcommSOCK	.symtab	0x293c8	4	OBJECT	<unknown>	DEFAULT	13
KHserverHACKER	.symtab	0x29134	4	OBJECT	<unknown>	DEFAULT	12
LOCAL_ADDR	.symtab	0x2f624	4	OBJECT	<unknown>	DEFAULT	13
Laligned	.symtab	0x12f68	0	NOTYPE	<unknown>	DEFAULT	2
Llastword	.symtab	0x12f84	0	NOTYPE	<unknown>	DEFAULT	2
Q	.symtab	0x293e4	16384	OBJECT	<unknown>	DEFAULT	13
UserAgents	.symtab	0x290a4	144	OBJECT	<unknown>	DEFAULT	12
_Exit	.symtab	0x11a00	44	FUNC	<unknown>	DEFAULT	2
_GLOBAL_OFFSET_TABLE_	.symtab	0x29010	0	OBJECT	<unknown>	HIDDEN	11
_Jv_RegisterClasses	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
_READ.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_WRITE.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__C_ctype_b	.symtab	0x29148	4	OBJECT	<unknown>	DEFAULT	12
__C_ctype_b.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__C_ctype_b_data	.symtab	0x1f870	768	OBJECT	<unknown>	DEFAULT	4
__C_ctype_tolower	.symtab	0x2939c	4	OBJECT	<unknown>	DEFAULT	12
__C_ctype_tolower.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__C_ctype_tolower_data	.symtab	0x20c14	768	OBJECT	<unknown>	DEFAULT	4
__C_ctype_toupper	.symtab	0x29150	4	OBJECT	<unknown>	DEFAULT	12
__C_ctype_toupper.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__C_ctype_toupper_data	.symtab	0x1fb70	768	OBJECT	<unknown>	DEFAULT	4
__EH_FRAME_BEGIN__	.symtab	0x29000	0	OBJECT	<unknown>	DEFAULT	7
__FRAME_END__	.symtab	0x29000	0	OBJECT	<unknown>	DEFAULT	7
__GI___C_ctype_b	.symtab	0x29148	4	OBJECT	<unknown>	HIDDEN	12
__GI___C_ctype_tolower	.symtab	0x2939c	4	OBJECT	<unknown>	HIDDEN	12
__GI___C_ctype_toupper	.symtab	0x29150	4	OBJECT	<unknown>	HIDDEN	12
__GI___ctype_b	.symtab	0x2914c	4	OBJECT	<unknown>	HIDDEN	12
__GI___ctype_tolower	.symtab	0x293a0	4	OBJECT	<unknown>	HIDDEN	12
__GI___ctype_toupper	.symtab	0x29154	4	OBJECT	<unknown>	HIDDEN	12
__GI___errno_location	.symtab	0x11ac8	28	FUNC	<unknown>	HIDDEN	2
__GI___fcntl_nocancel	.symtab	0x1190c	108	FUNC	<unknown>	HIDDEN	2
__GI___fgetc_unlocked	.symtab	0x187e4	300	FUNC	<unknown>	HIDDEN	2
__GI___glibc_strerror_r	.symtab	0x13388	24	FUNC	<unknown>	HIDDEN	2
__GI___h_errno_location	.symtab	0x16c44	28	FUNC	<unknown>	HIDDEN	2
__GI___libc_fcntl	.symtab	0x118a0	108	FUNC	<unknown>	HIDDEN	2
__GI___sigaddset	.symtab	0x139e8	36	FUNC	<unknown>	HIDDEN	2
__GI___sigdelset	.symtab	0x13a0c	36	FUNC	<unknown>	HIDDEN	2
__GI___sigismember	.symtab	0x139c4	36	FUNC	<unknown>	HIDDEN	2
__GI___uClibc_fini	.symtab	0x16084	124	FUNC	<unknown>	HIDDEN	2
__GI___uClibc_init	.symtab	0x16154	108	FUNC	<unknown>	HIDDEN	2
__GI___xpg_strerror_r	.symtab	0x133d0	256	FUNC	<unknown>	HIDDEN	2
__GI__exit	.symtab	0x11a00	44	FUNC	<unknown>	HIDDEN	2
__GI_abort	.symtab	0x14d90	296	FUNC	<unknown>	HIDDEN	2
__GI_atoi	.symtab	0x154c0	32	FUNC	<unknown>	HIDDEN	2
__GI_brk	.symtab	0x19738	76	FUNC	<unknown>	HIDDEN	2
__GI_clock_getres	.symtab	0x16660	52	FUNC	<unknown>	HIDDEN	2
__GI_close	.symtab	0x11a64	52	FUNC	<unknown>	HIDDEN	2
__GI_closedir	.symtab	0x1684c	248	FUNC	<unknown>	HIDDEN	2
__GI_config_close	.symtab	0x16f88	52	FUNC	<unknown>	HIDDEN	2
__GI_config_open	.symtab	0x16fbc	72	FUNC	<unknown>	HIDDEN	2
__GI_config_read	.symtab	0x16c60	808	FUNC	<unknown>	HIDDEN	2
__GI_connect	.symtab	0x1367c	56	FUNC	<unknown>	HIDDEN	2
__GI_dup2	.symtab	0x115a0	52	FUNC	<unknown>	HIDDEN	2
__GI_errno	.symtab	0x2f5f8	4	OBJECT	<unknown>	HIDDEN	13
__GI_execl	.symtab	0x15f44	172	FUNC	<unknown>	HIDDEN	2
__GI_execve	.symtab	0x165f0	52	FUNC	<unknown>	HIDDEN	2
__GI_exit	.symtab	0x156bc	184	FUNC	<unknown>	HIDDEN	2
__GI_fclose	.symtab	0x1712c	436	FUNC	<unknown>	HIDDEN	2
__GI_fcntl	.symtab	0x118a0	108	FUNC	<unknown>	HIDDEN	2
__GI_fflush_unlocked	.symtab	0x185d8	524	FUNC	<unknown>	HIDDEN	2
__GI_fgetc	.symtab	0x182b8	220	FUNC	<unknown>	HIDDEN	2
__GI_fgetc_unlocked	.symtab	0x187e4	300	FUNC	<unknown>	HIDDEN	2
__GI_fgets	.symtab	0x18394	188	FUNC	<unknown>	HIDDEN	2
__GI_fgets_unlocked	.symtab	0x18910	160	FUNC	<unknown>	HIDDEN	2
__GI_fopen	.symtab	0x172e0	32	FUNC	<unknown>	HIDDEN	2
__GI_fork	.symtab	0x11714	52	FUNC	<unknown>	HIDDEN	2
__GI_fputs_unlocked	.symtab	0x12db8	56	FUNC	<unknown>	HIDDEN	2
__GI_fseek	.symtab	0x19b5c	36	FUNC	<unknown>	HIDDEN	2
__GI_fseeko64	.symtab	0x19b80	336	FUNC	<unknown>	HIDDEN	2
__GI_fstat	.symtab	0x19790	88	FUNC	<unknown>	HIDDEN	2
__GI_fwrite_unlocked	.symtab	0x12df0	176	FUNC	<unknown>	HIDDEN	2
__GI_getc_unlocked	.symtab	0x187e4	300	FUNC	<unknown>	HIDDEN	2
__GI_getdtablesize	.symtab	0x1180c	44	FUNC	<unknown>	HIDDEN	2
__GI_getegid	.symtab	0x166c8	20	FUNC	<unknown>	HIDDEN	2
__GI_geteuid	.symtab	0x11700	20	FUNC	<unknown>	HIDDEN	2
__GI_getgid	.symtab	0x16748	20	FUNC	<unknown>	HIDDEN	2
__GI_gethostbyname	.symtab	0x135f8	28	FUNC	<unknown>	HIDDEN	2
__GI_gethostbyname2	.symtab	0x13614	104	FUNC	<unknown>	HIDDEN	2
__GI_gethostbyname2_r	.symtab	0x19460	672	FUNC	<unknown>	HIDDEN	2
__GI_gethostbyname_r	.symtab	0x1b470	760	FUNC	<unknown>	HIDDEN	2
__GI_gethostname	.symtab	0x1b79c	120	FUNC	<unknown>	HIDDEN	2
__GI_getpagesize	.symtab	0x16624	40	FUNC	<unknown>	HIDDEN	2
__GI_getpid	.symtab	0x1167c	20	FUNC	<unknown>	HIDDEN	2
__GI_getrlimit	.symtab	0x16694	52	FUNC	<unknown>	HIDDEN	2
__GI_getsockname	.symtab	0x136b4	56	FUNC	<unknown>	HIDDEN	2
__GI_gettimeofday	.symtab	0x1186c	52	FUNC	<unknown>	HIDDEN	2
__GI_getuid	.symtab	0x1664c	20	FUNC	<unknown>	HIDDEN	2
__GI_h_errno	.symtab	0x2f5fc	4	OBJECT	<unknown>	HIDDEN	13
__GI_htonl	.symtab	0x13580	32	FUNC	<unknown>	HIDDEN	2
__GI_htons	.symtab	0x13570	16	FUNC	<unknown>	HIDDEN	2
__GI_inet_addr	.symtab	0x135d0	40	FUNC	<unknown>	HIDDEN	2
__GI_inet_aton	.symtab	0x19368	248	FUNC	<unknown>	HIDDEN	2
__GI_inet_ntop	.symtab	0x1a320	644	FUNC	<unknown>	HIDDEN	2
__GI_inet_pton	.symtab	0x19fc0	540	FUNC	<unknown>	HIDDEN	2
__GI_initstate_r	.symtab	0x153dc	228	FUNC	<unknown>	HIDDEN	2
__GI_ioctl	.symtab	0x119ac	84	FUNC	<unknown>	HIDDEN	2
__GI_isatty	.symtab	0x134d0	36	FUNC	<unknown>	HIDDEN	2
__GI_kill	.symtab	0x11838	52	FUNC	<unknown>	HIDDEN	2
__GI_lseek64	.symtab	0x1b86c	100	FUNC	<unknown>	HIDDEN	2
__GI_memchr	.symtab	0x18e40	240	FUNC	<unknown>	HIDDEN	2
__GI_memcpy	.symtab	0x12fd0	4	FUNC	<unknown>	HIDDEN	2
__GI_memmove	.symtab	0x1b8d0	4	FUNC	<unknown>	HIDDEN	2
__GI_mempcpy	.symtab	0x19218	36	FUNC	<unknown>	HIDDEN	2
__GI_memrchr	.symtab	0x1909c	224	FUNC	<unknown>	HIDDEN	2
__GI_memset	.symtab	0x12ea0	156	FUNC	<unknown>	HIDDEN	2
__GI_mmap	.symtab	0x16494	104	FUNC	<unknown>	HIDDEN	2
__GI_mremap	.symtab	0x167c4	64	FUNC	<unknown>	HIDDEN	2
__GI_munmap	.symtab	0x1675c	52	FUNC	<unknown>	HIDDEN	2
__GI_nanosleep	.symtab	0x16790	52	FUNC	<unknown>	HIDDEN	2
__GI_ntohl	.symtab	0x135b0	32	FUNC	<unknown>	HIDDEN	2
__GI_ntohs	.symtab	0x135a0	16	FUNC	<unknown>	HIDDEN	2
__GI_open	.symtab	0x115e8	96	FUNC	<unknown>	HIDDEN	2
__GI_opendir	.symtab	0x16a14	172	FUNC	<unknown>	HIDDEN	2
__GI_pipe	.symtab	0x11648	52	FUNC	<unknown>	HIDDEN	2
__GI_poll	.symtab	0x1b768	52	FUNC	<unknown>	HIDDEN	2
__GI_raise	.symtab	0x13898	28	FUNC	<unknown>	HIDDEN	2
__GI_random	.symtab	0x14ed0	164	FUNC	<unknown>	HIDDEN	2
__GI_random_r	.symtab	0x15274	144	FUNC	<unknown>	HIDDEN	2
__GI_rawmemchr	.symtab	0x18fec	176	FUNC	<unknown>	HIDDEN	2
__GI_read	.symtab	0x117d8	52	FUNC	<unknown>	HIDDEN	2
__GI_readdir64	.symtab	0x16b58	236	FUNC	<unknown>	HIDDEN	2
__GI_recv	.symtab	0x13730	56	FUNC	<unknown>	HIDDEN	2
__GI_recvfrom	.symtab	0x13768	60	FUNC	<unknown>	HIDDEN	2
__GI_sbrk	.symtab	0x166dc	108	FUNC	<unknown>	HIDDEN	2
__GI_select	.symtab	0x11798	64	FUNC	<unknown>	HIDDEN	2
__GI_send	.symtab	0x137a4	56	FUNC	<unknown>	HIDDEN	2
__GI_sendto	.symtab	0x137dc	64	FUNC	<unknown>	HIDDEN	2
__GI_setsockopt	.symtab	0x1381c	68	FUNC	<unknown>	HIDDEN	2
__GI_setstate_r	.symtab	0x15190	228	FUNC	<unknown>	HIDDEN	2
__GI_sigaction	.symtab	0x1651c	136	FUNC	<unknown>	HIDDEN	2
__GI_sigaddset	.symtab	0x138b4	68	FUNC	<unknown>	HIDDEN	2
__GI_sigemptyset	.symtab	0x138f8	20	FUNC	<unknown>	HIDDEN	2
__GI_signal	.symtab	0x1390c	184	FUNC	<unknown>	HIDDEN	2
__GI_sigprocmask	.symtab	0x11a2c	56	FUNC	<unknown>	HIDDEN	2
__GI_sleep	.symtab	0x15774	172	FUNC	<unknown>	HIDDEN	2
__GI_socket	.symtab	0x13860	56	FUNC	<unknown>	HIDDEN	2
__GI_sprintf	.symtab	0x11b18	52	FUNC	<unknown>	HIDDEN	2
__GI_srandom_r	.symtab	0x15304	216	FUNC	<unknown>	HIDDEN	2
__GI_stat	.symtab	0x1b814	88	FUNC	<unknown>	HIDDEN	2
__GI_strcasecmp	.symtab	0x1bd7c	108	FUNC	<unknown>	HIDDEN	2
__GI_strchr	.symtab	0x13298	240	FUNC	<unknown>	HIDDEN	2
__GI_strchrnul	.symtab	0x1923c	236	FUNC	<unknown>	HIDDEN	2
__GI_strcmp	.symtab	0x12fb0	28	FUNC	<unknown>	HIDDEN	2
__GI_strcoll	.symtab	0x12fb0	28	FUNC	<unknown>	HIDDEN	2
__GI_strcpy	.symtab	0x131b8	36	FUNC	<unknown>	HIDDEN	2
__GI_strcspn	.symtab	0x18fa8	68	FUNC	<unknown>	HIDDEN	2
__GI_strdup	.symtab	0x1b8e0	52	FUNC	<unknown>	HIDDEN	2
__GI_strlen	.symtab	0x12f40	96	FUNC	<unknown>	HIDDEN	2
__GI_strncpy	.symtab	0x131dc	188	FUNC	<unknown>	HIDDEN	2
__GI_strnlen	.symtab	0x130ec	204	FUNC	<unknown>	HIDDEN	2
__GI_strpbrk	.symtab	0x19328	64	FUNC	<unknown>	HIDDEN	2
__GI_strrchr	.symtab	0x191c8	80	FUNC	<unknown>	HIDDEN	2
__GI_strspn	.symtab	0x1917c	76	FUNC	<unknown>	HIDDEN	2
__GI_strstr	.symtab	0x12ff0	252	FUNC	<unknown>	HIDDEN	2
__GI_strtok	.symtab	0x133a0	48	FUNC	<unknown>	HIDDEN	2
__GI_strtok_r	.symtab	0x18f30	120	FUNC	<unknown>	HIDDEN	2
__GI_strtol	.symtab	0x154e0	28	FUNC	<unknown>	HIDDEN	2
__GI_sysconf	.symtab	0x1596c	1496	FUNC	<unknown>	HIDDEN	2
__GI_tcgetattr	.symtab	0x134f4	124	FUNC	<unknown>	HIDDEN	2
__GI_time	.symtab	0x11690	48	FUNC	<unknown>	HIDDEN	2
__GI_times	.symtab	0x16804	20	FUNC	<unknown>	HIDDEN	2
__GI_toupper	.symtab	0x11a98	48	FUNC	<unknown>	HIDDEN	2
__GI_uname	.symtab	0x1bd48	52	FUNC	<unknown>	HIDDEN	2
__GI_vfork	.symtab	0x11560	64	FUNC	<unknown>	HIDDEN	2
__GI_vsnprintf	.symtab	0x11b4c	180	FUNC	<unknown>	HIDDEN	2
__GI_wait4	.symtab	0x165bc	52	FUNC	<unknown>	HIDDEN	2
__GI_waitpid	.symtab	0x11748	28	FUNC	<unknown>	HIDDEN	2
__GI_wcrtomb	.symtab	0x17004	84	FUNC	<unknown>	HIDDEN	2
__GI_wcsnrtombs	.symtab	0x1707c	176	FUNC	<unknown>	HIDDEN	2
__GI_wcsrtombs	.symtab	0x17058	36	FUNC	<unknown>	HIDDEN	2
__GI_write	.symtab	0x11978	52	FUNC	<unknown>	HIDDEN	2
__JCR_END__	.symtab	0x2900c	0	OBJECT	<unknown>	DEFAULT	10
__JCR_LIST__	.symtab	0x2900c	0	OBJECT	<unknown>	DEFAULT	10
__adddf3	.symtab	0x1bfe4	784	FUNC	<unknown>	HIDDEN	2
__aeabi_cdcmpeq	.symtab	0x1c940	24	FUNC	<unknown>	HIDDEN	2
__aeabi_cdcmple	.symtab	0x1c940	24	FUNC	<unknown>	HIDDEN	2
__aeabi_cdrcmple	.symtab	0x1c924	52	FUNC	<unknown>	HIDDEN	2
__aeabi_d2uiz	.symtab	0x1c9d0	84	FUNC	<unknown>	HIDDEN	2
__aeabi_dadd	.symtab	0x1bfe4	784	FUNC	<unknown>	HIDDEN	2
__aeabi_dcmpeq	.symtab	0x1c958	24	FUNC	<unknown>	HIDDEN	2
__aeabi_dcmpge	.symtab	0x1c9a0	24	FUNC	<unknown>	HIDDEN	2
__aeabi_dcmpgt	.symtab	0x1c9b8	24	FUNC	<unknown>	HIDDEN	2
__aeabi_dcmple	.symtab	0x1c988	24	FUNC	<unknown>	HIDDEN	2
__aeabi_dcmplt	.symtab	0x1c970	24	FUNC	<unknown>	HIDDEN	2
__aeabi_ddiv	.symtab	0x1c684	524	FUNC	<unknown>	HIDDEN	2
__aeabi_dmul	.symtab	0x1c3f4	656	FUNC	<unknown>	HIDDEN	2
__aeabi_drsub	.symtab	0x1bfd8	0	FUNC	<unknown>	HIDDEN	2
__aeabi_dsub	.symtab	0x1bfe0	788	FUNC	<unknown>	HIDDEN	2
__aeabi_f2d	.symtab	0x1c340	64	FUNC	<unknown>	HIDDEN	2
__aeabi_i2d	.symtab	0x1c318	40	FUNC	<unknown>	HIDDEN	2
__aeabi_idiv	.symtab	0x1be94	0	FUNC	<unknown>	HIDDEN	2
__aeabi_idivmod	.symtab	0x1bfc0	24	FUNC	<unknown>	HIDDEN	2
__aeabi_l2d	.symtab	0x1c394	96	FUNC	<unknown>	HIDDEN	2
__aeabi_ui2d	.symtab	0x1c2f4	36	FUNC	<unknown>	HIDDEN	2
__aeabi_uidiv	.symtab	0x1142c	0	FUNC	<unknown>	HIDDEN	2
__aeabi_uidivmod	.symtab	0x11528	24	FUNC	<unknown>	HIDDEN	2
__aeabi_ul2d	.symtab	0x1c380	116	FUNC	<unknown>	HIDDEN	2
__aeabi_unwind_cpp_pr0	.symtab	0x19784	4	FUNC	<unknown>	DEFAULT	2
__aeabi_unwind_cpp_pr1	.symtab	0x19788	4	FUNC	<unknown>	DEFAULT	2
__aeabi_unwind_cpp_pr2	.symtab	0x1978c	4	FUNC	<unknown>	DEFAULT	2
__app_fini	.symtab	0x2f5f0	4	OBJECT	<unknown>	HIDDEN	13
__atexit_lock	.symtab	0x29374	24	OBJECT	<unknown>	DEFAULT	12
__bss_end__	.symtab	0x2fb0c	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
__bss_start	.symtab	0x293a4	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
__bss_start__	.symtab	0x293a4	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
__check_one_fd	.symtab	0x16100	84	FUNC	<unknown>	DEFAULT	2
__close_nameservers	.symtab	0x1b38c	152	FUNC	<unknown>	HIDDEN	2
__cmpdf2	.symtab	0x1c8a0	132	FUNC	<unknown>	HIDDEN	2
__ctype_b	.symtab	0x2914c	4	OBJECT	<unknown>	DEFAULT	12
__ctype_tolower	.symtab	0x293a0	4	OBJECT	<unknown>	DEFAULT	12
__ctype_toupper	.symtab	0x29154	4	OBJECT	<unknown>	DEFAULT	12
__curbrk	.symtab	0x2f600	4	OBJECT	<unknown>	HIDDEN	13
__data_start	.symtab	0x29088	0	NOTYPE	<unknown>	DEFAULT	12
__decode_dotted	.symtab	0x1a5a4	248	FUNC	<unknown>	HIDDEN	2
__decode_header	.symtab	0x1ba00	180	FUNC	<unknown>	HIDDEN	2
__default_rt_sa_restorer	.symtab	0x165b4	0	FUNC	<unknown>	DEFAULT	2
__default_sa_restorer	.symtab	0x165a8	0	FUNC	<unknown>	DEFAULT	2
__deregister_frame_info	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__div0	.symtab	0x11540	20	FUNC	<unknown>	HIDDEN	2
__divdf3	.symtab	0x1c684	524	FUNC	<unknown>	HIDDEN	2
__divsi3	.symtab	0x1be94	300	FUNC	<unknown>	HIDDEN	2
__dns_lookup	.symtab	0x1a69c	2024	FUNC	<unknown>	HIDDEN	2
__do_global_dtors_aux	.symtab	0x810c	0	FUNC	<unknown>	DEFAULT	2
__do_global_dtors_aux_fini_array_entry	.symtab	0x29008	0	OBJECT	<unknown>	DEFAULT	9
__dso_handle	.symtab	0x29088	0	OBJECT	<unknown>	HIDDEN	12
__encode_dotted	.symtab	0x1bde8	172	FUNC	<unknown>	HIDDEN	2
__encode_header	.symtab	0x1b914	236	FUNC	<unknown>	HIDDEN	2
__encode_question	.symtab	0x1bab4	96	FUNC	<unknown>	HIDDEN	2
__end__	.symtab	0x2fb0c	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
__environ	.symtab	0x2f5e8	4	OBJECT	<unknown>	DEFAULT	13
__eqdf2	.symtab	0x1c8a0	132	FUNC	<unknown>	HIDDEN	2
__errno_location	.symtab	0x11ac8	28	FUNC	<unknown>	DEFAULT	2
__errno_location.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__error	.symtab	0x1159c	0	NOTYPE	<unknown>	DEFAULT	2
__exidx_end	.symtab	0x20f3c	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
__exidx_start	.symtab	0x20f2c	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
__exit_cleanup	.symtab	0x2f5e0	4	OBJECT	<unknown>	HIDDEN	13
__extendsfdf2	.symtab	0x1c340	64	FUNC	<unknown>	HIDDEN	2
__fcntl_nocancel	.symtab	0x1190c	108	FUNC	<unknown>	DEFAULT	2
__fgetc_unlocked	.symtab	0x187e4	300	FUNC	<unknown>	DEFAULT	2
__fini_array_end	.symtab	0x2900c	0	NOTYPE	<unknown>	HIDDEN	9
__fini_array_start	.symtab	0x29008	0	NOTYPE	<unknown>	HIDDEN	9
__fixunsdfsi	.symtab	0x1c9d0	84	FUNC	<unknown>	HIDDEN	2
__floatdidf	.symtab	0x1c394	96	FUNC	<unknown>	HIDDEN	2
__floatsidf	.symtab	0x1c318	40	FUNC	<unknown>	HIDDEN	2
__floatundidf	.symtab	0x1c380	116	FUNC	<unknown>	HIDDEN	2
__floatunsidf	.symtab	0x1c2f4	36	FUNC	<unknown>	HIDDEN	2
__frame_dummy_init_array_entry	.symtab	0x29004	0	OBJECT	<unknown>	DEFAULT	8
__gedf2	.symtab	0x1c890	148	FUNC	<unknown>	HIDDEN	2
__get_hosts_byname_r	.symtab	0x1b424	76	FUNC	<unknown>	HIDDEN	2
__getdents64	.symtab	0x19a18	324	FUNC	<unknown>	HIDDEN	2
__getpagesize	.symtab	0x16624	40	FUNC	<unknown>	DEFAULT	2
__glibc_strerror_r	.symtab	0x13388	24	FUNC	<unknown>	DEFAULT	2
__glibc_strerror_r.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__gtdf2	.symtab	0x1c890	148	FUNC	<unknown>	HIDDEN	2
__h_errno_location	.symtab	0x16c44	28	FUNC	<unknown>	DEFAULT	2
__h_errno_location.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__init_array_end	.symtab	0x29008	0	NOTYPE	<unknown>	HIDDEN	8
__init_array_start	.symtab	0x29004	0	NOTYPE	<unknown>	HIDDEN	8
__ledf2	.symtab	0x1c898	140	FUNC	<unknown>	HIDDEN	2
__libc_close	.symtab	0x11a64	52	FUNC	<unknown>	DEFAULT	2
__libc_connect	.symtab	0x1367c	56	FUNC	<unknown>	DEFAULT	2
__libc_fcntl	.symtab	0x118a0	108	FUNC	<unknown>	DEFAULT	2
__libc_fork	.symtab	0x11714	52	FUNC	<unknown>	DEFAULT	2
__libc_lseek64	.symtab	0x1b86c	100	FUNC	<unknown>	DEFAULT	2
__libc_nanosleep	.symtab	0x16790	52	FUNC	<unknown>	DEFAULT	2
__libc_open	.symtab	0x115e8	96	FUNC	<unknown>	DEFAULT	2
__libc_read	.symtab	0x117d8	52	FUNC	<unknown>	DEFAULT	2
__libc_recv	.symtab	0x13730	56	FUNC	<unknown>	DEFAULT	2
__libc_recvfrom	.symtab	0x13768	60	FUNC	<unknown>	DEFAULT	2
__libc_select	.symtab	0x11798	64	FUNC	<unknown>	DEFAULT	2
__libc_send	.symtab	0x137a4	56	FUNC	<unknown>	DEFAULT	2
__libc_sendto	.symtab	0x137dc	64	FUNC	<unknown>	DEFAULT	2
__libc_sigaction	.symtab	0x1651c	136	FUNC	<unknown>	DEFAULT	2
__libc_stack_end	.symtab	0x2f5e4	4	OBJECT	<unknown>	DEFAULT	13
__libc_waitpid	.symtab	0x11748	28	FUNC	<unknown>	DEFAULT	2
__libc_write	.symtab	0x11978	52	FUNC	<unknown>	DEFAULT	2
__local_nameserver	.symtab	0x20bf4	16	OBJECT	<unknown>	HIDDEN	4
__ltdf2	.symtab	0x1c898	140	FUNC	<unknown>	HIDDEN	2
__malloc_consolidate	.symtab	0x14960	436	FUNC	<unknown>	HIDDEN	2
__malloc_largebin_index	.symtab	0x13a30	120	FUNC	<unknown>	DEFAULT	2
__malloc_lock	.symtab	0x29298	24	OBJECT	<unknown>	DEFAULT	12
__malloc_state	.symtab	0x2f778	888	OBJECT	<unknown>	DEFAULT	13
__malloc_trim	.symtab	0x148b0	176	FUNC	<unknown>	DEFAULT	2
__muldf3	.symtab	0x1c3f4	656	FUNC	<unknown>	HIDDEN	2
__nameserver	.symtab	0x2fb00	4	OBJECT	<unknown>	HIDDEN	13
__nameservers	.symtab	0x2fb04	4	OBJECT	<unknown>	HIDDEN	13
__nedf2	.symtab	0x1c8a0	132	FUNC	<unknown>	HIDDEN	2
__open_etc_hosts	.symtab	0x1bb14	48	FUNC	<unknown>	HIDDEN	2
__open_nameservers	.symtab	0x1af30	1116	FUNC	<unknown>	HIDDEN	2
__pagesize	.symtab	0x2f5ec	4	OBJECT	<unknown>	DEFAULT	13
__preinit_array_end	.symtab	0x29004	0	NOTYPE	<unknown>	HIDDEN	SHN_ABS
__preinit_array_start	.symtab	0x29004	0	NOTYPE	<unknown>	HIDDEN	SHN_ABS
__progname	.symtab	0x29390	4	OBJECT	<unknown>	DEFAULT	12
__progname_full	.symtab	0x29394	4	OBJECT	<unknown>	DEFAULT	12
__pthread_initialize_minimal	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__pthread_mutex_init	.symtab	0x16048	8	FUNC	<unknown>	DEFAULT	2
__pthread_mutex_lock	.symtab	0x16040	8	FUNC	<unknown>	DEFAULT	2
__pthread_mutex_trylock	.symtab	0x16040	8	FUNC	<unknown>	DEFAULT	2
__pthread_mutex_unlock	.symtab	0x16040	8	FUNC	<unknown>	DEFAULT	2
__pthread_return_0	.symtab	0x16040	8	FUNC	<unknown>	DEFAULT	2
__read_etc_hosts_r	.symtab	0x1bb44	516	FUNC	<unknown>	HIDDEN	2
__register_frame_info	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__res_sync	.symtab	0x2faf8	4	OBJECT	<unknown>	HIDDEN	13
__resolv_attempts	.symtab	0x2939b	1	OBJECT	<unknown>	HIDDEN	12
__resolv_lock	.symtab	0x2f608	24	OBJECT	<unknown>	DEFAULT	13
__resolv_timeout	.symtab	0x2939a	1	OBJECT	<unknown>	HIDDEN	12
__rtld_fini	.symtab	0x2f5f4	4	OBJECT	<unknown>	HIDDEN	13
__searchdomain	.symtab	0x2fafc	4	OBJECT	<unknown>	HIDDEN	13
__searchdomains	.symtab	0x2fb08	4	OBJECT	<unknown>	HIDDEN	13
__sigaddset	.symtab	0x139e8	36	FUNC	<unknown>	DEFAULT	2
__sigdelset	.symtab	0x13a0c	36	FUNC	<unknown>	DEFAULT	2
__sigismember	.symtab	0x139c4	36	FUNC	<unknown>	DEFAULT	2
__stdin	.symtab	0x29198	4	OBJECT	<unknown>	DEFAULT	12
__stdio_READ	.symtab	0x19cd0	88	FUNC	<unknown>	HIDDEN	2
__stdio_WRITE	.symtab	0x17300	180	FUNC	<unknown>	HIDDEN	2
__stdio_adjust_position	.symtab	0x19d28	196	FUNC	<unknown>	HIDDEN	2
__stdio_fwrite	.symtab	0x176bc	320	FUNC	<unknown>	HIDDEN	2
__stdio_init_mutex	.symtab	0x11c68	52	FUNC	<unknown>	HIDDEN	2
__stdio_mutex_initializer.4636	.symtab	0x1fe70	24	OBJECT	<unknown>	DEFAULT	4
__stdio_rfill	.symtab	0x19dec	48	FUNC	<unknown>	HIDDEN	2
__stdio_seek	.symtab	0x19eb4	60	FUNC	<unknown>	HIDDEN	2
__stdio_trans2r_o	.symtab	0x19e1c	152	FUNC	<unknown>	HIDDEN	2
__stdio_trans2w_o	.symtab	0x177fc	208	FUNC	<unknown>	HIDDEN	2
__stdio_wcommit	.symtab	0x11d70	48	FUNC	<unknown>	HIDDEN	2
__stdout	.symtab	0x2919c	4	OBJECT	<unknown>	DEFAULT	12
__subdf3	.symtab	0x1bfe0	788	FUNC	<unknown>	HIDDEN	2
__syscall_error	.symtab	0x164fc	32	FUNC	<unknown>	HIDDEN	2
__syscall_error.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__syscall_fcntl.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__syscall_rt_sigaction	.symtab	0x16818	52	FUNC	<unknown>	DEFAULT	2
__syscall_rt_sigaction.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__uClibc_fini	.symtab	0x16084	124	FUNC	<unknown>	DEFAULT	2
__uClibc_init	.symtab	0x16154	108	FUNC	<unknown>	DEFAULT	2
__uClibc_main	.symtab	0x161c0	724	FUNC	<unknown>	DEFAULT	2
__uClibc_main.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__uclibc_progname	.symtab	0x2938c	4	OBJECT	<unknown>	HIDDEN	12
__udivsi3	.symtab	0x1142c	252	FUNC	<unknown>	HIDDEN	2
__vfork	.symtab	0x11560	64	FUNC	<unknown>	HIDDEN	2
__xpg_strerror_r	.symtab	0x133d0	256	FUNC	<unknown>	DEFAULT	2
__xpg_strerror_r.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__xstat32_conv	.symtab	0x198b4	172	FUNC	<unknown>	HIDDEN	2
__xstat64_conv	.symtab	0x197e8	204	FUNC	<unknown>	HIDDEN	2
__xstat_conv	.symtab	0x19960	184	FUNC	<unknown>	HIDDEN	2
_adjust_pos.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_bss_custom_printf_spec	.symtab	0x2f400	10	OBJECT	<unknown>	DEFAULT	13
_bss_end__	.symtab	0x2fb0c	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
_call_via_fp	.symtab	0x80fd	4	FUNC	<unknown>	HIDDEN	2
_call_via_ip	.symtab	0x8101	4	FUNC	<unknown>	HIDDEN	2
_call_via_lr	.symtab	0x8109	4	FUNC	<unknown>	HIDDEN	2
_call_via_r0	.symtab	0x80d1	4	FUNC	<unknown>	HIDDEN	2
_call_via_r1	.symtab	0x80d5	4	FUNC	<unknown>	HIDDEN	2
_call_via_r2	.symtab	0x80d9	4	FUNC	<unknown>	HIDDEN	2
_call_via_r3	.symtab	0x80dd	4	FUNC	<unknown>	HIDDEN	2
_call_via_r4	.symtab	0x80e1	4	FUNC	<unknown>	HIDDEN	2
_call_via_r5	.symtab	0x80e5	4	FUNC	<unknown>	HIDDEN	2
_call_via_r6	.symtab	0x80e9	4	FUNC	<unknown>	HIDDEN	2
_call_via_r7	.symtab	0x80ed	4	FUNC	<unknown>	HIDDEN	2
_call_via_r8	.symtab	0x80f1	4	FUNC	<unknown>	HIDDEN	2
_call_via_r9	.symtab	0x80f5	4	FUNC	<unknown>	HIDDEN	2
_call_via_sl	.symtab	0x80f9	4	FUNC	<unknown>	HIDDEN	2
_call_via_sp	.symtab	0x8105	4	FUNC	<unknown>	HIDDEN	2
_charpad	.symtab	0x11da0	84	FUNC	<unknown>	DEFAULT	2
_cs_funcs.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_custom_printf_arginfo	.symtab	0x2f720	40	OBJECT	<unknown>	HIDDEN	13
_custom_printf_handler	.symtab	0x2f748	40	OBJECT	<unknown>	HIDDEN	13
_custom_printf_spec	.symtab	0x29294	4	OBJECT	<unknown>	HIDDEN	12
_dl_aux_init	.symtab	0x19700	56	FUNC	<unknown>	DEFAULT	2
_dl_phdr	.symtab	0x2faf0	4	OBJECT	<unknown>	DEFAULT	13
_dl_phnum	.symtab	0x2faf4	4	OBJECT	<unknown>	DEFAULT	13
_edata	.symtab	0x293a4	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
_end	.symtab	0x2fb0c	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
_errno	.symtab	0x2f5f8	4	OBJECT	<unknown>	DEFAULT	13
_exit	.symtab	0x11a00	44	FUNC	<unknown>	DEFAULT	2
_exit.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_fini	.symtab	0x1ca24	0	FUNC	<unknown>	DEFAULT	3
_fixed_buffers	.symtab	0x2d400	8192	OBJECT	<unknown>	DEFAULT	13
_fopen.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_fp_out_narrow	.symtab	0x11df4	132	FUNC	<unknown>	DEFAULT	2
_fpmaxtostr	.symtab	0x17ac4	2036	FUNC	<unknown>	HIDDEN	2
_fpmaxtostr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_fwrite.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_h_errno	.symtab	0x2f5fc	4	OBJECT	<unknown>	DEFAULT	13
_init	.symtab	0x80b4	0	FUNC	<unknown>	DEFAULT	1
_load_inttype	.symtab	0x178cc	112	FUNC	<unknown>	HIDDEN	2
_load_inttype.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_memcpy	.symtab	0x189b0	0	FUNC	<unknown>	HIDDEN	2
_ppfs_init	.symtab	0x12560	160	FUNC	<unknown>	HIDDEN	2
_ppfs_init.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_ppfs_parsespec	.symtab	0x12848	1392	FUNC	<unknown>	HIDDEN	2
_ppfs_parsespec.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_ppfs_prepargs	.symtab	0x12600	68	FUNC	<unknown>	HIDDEN	2
_ppfs_prepargs.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_ppfs_setargs	.symtab	0x12644	432	FUNC	<unknown>	HIDDEN	2
_ppfs_setargs.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_promoted_size	.symtab	0x127f4	84	FUNC	<unknown>	DEFAULT	2
_pthread_cleanup_pop_restore	.symtab	0x16058	44	FUNC	<unknown>	DEFAULT	2
_pthread_cleanup_push_defer	.symtab	0x16050	8	FUNC	<unknown>	DEFAULT	2
_rfill.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_sigintr	.symtab	0x2f770	8	OBJECT	<unknown>	HIDDEN	13
_start	.symtab	0x81b0	0	FUNC	<unknown>	DEFAULT	2
_stdio.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_stdio_fopen	.symtab	0x173b4	776	FUNC	<unknown>	HIDDEN	2
_stdio_init	.symtab	0x11c00	104	FUNC	<unknown>	HIDDEN	2
_stdio_openlist	.symtab	0x291a0	4	OBJECT	<unknown>	DEFAULT	12
_stdio_openlist_add_lock	.symtab	0x29158	24	OBJECT	<unknown>	DEFAULT	12
_stdio_openlist_dec_use	.symtab	0x18450	392	FUNC	<unknown>	HIDDEN	2
_stdio_openlist_del_count	.symtab	0x2d3fc	4	OBJECT	<unknown>	DEFAULT	13
_stdio_openlist_del_lock	.symtab	0x29170	24	OBJECT	<unknown>	DEFAULT	12
_stdio_openlist_use_count	.symtab	0x2d3f8	4	OBJECT	<unknown>	DEFAULT	13
_stdio_streams	.symtab	0x291a4	240	OBJECT	<unknown>	DEFAULT	12
_stdio_term	.symtab	0x11c9c	212	FUNC	<unknown>	HIDDEN	2
_stdio_user_locking	.symtab	0x29188	4	OBJECT	<unknown>	DEFAULT	12
_stdlib_strto_l	.symtab	0x154fc	448	FUNC	<unknown>	HIDDEN	2
_stdlib_strto_l.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_store_inttype	.symtab	0x1793c	44	FUNC	<unknown>	HIDDEN	2
_store_inttype.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_string_syserrmsgs	.symtab	0x1ff40	2906	OBJECT	<unknown>	HIDDEN	4
_string_syserrmsgs.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_trans2r.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_trans2w.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_uintmaxtostr	.symtab	0x17968	348	FUNC	<unknown>	HIDDEN	2
_uintmaxtostr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_vfprintf_internal	.symtab	0x11e78	1768	FUNC	<unknown>	HIDDEN	2
_vfprintf_internal.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_wcommit.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
abort	.symtab	0x14d90	296	FUNC	<unknown>	DEFAULT	2
abort.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
access	.symtab	0x11764	52	FUNC	<unknown>	DEFAULT	2
access.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
acnc	.symtab	0xc3c0	208	FUNC	<unknown>	DEFAULT	2
add_entry	.symtab	0x10404	140	FUNC	<unknown>	DEFAULT	2
aeabi_unwind_cpp_pr1.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
atoi	.symtab	0x154c0	32	FUNC	<unknown>	DEFAULT	2
atol	.symtab	0x154c0	32	FUNC	<unknown>	DEFAULT	2
atol.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
axis_bp	.symtab	0x290a0	4	OBJECT	<unknown>	DEFAULT	12
bcopy	.symtab	0x12fa0	16	FUNC	<unknown>	DEFAULT	2
been_there_done_that	.symtab	0x2f5dc	4	OBJECT	<unknown>	DEFAULT	13
brk	.symtab	0x19738	76	FUNC	<unknown>	DEFAULT	2
brk.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
bsd_signal	.symtab	0x1390c	184	FUNC	<unknown>	DEFAULT	2
buf.5444	.symtab	0x2f410	440	OBJECT	<unknown>	DEFAULT	13
bzero	.symtab	0x12fe0	12	FUNC	<unknown>	DEFAULT	2
c	.symtab	0x2913c	4	OBJECT	<unknown>	DEFAULT	12
calloc	.symtab	0x143c8	308	FUNC	<unknown>	DEFAULT	2
calloc.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
checksum.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
checksum_generic	.symtab	0x81ec	216	FUNC	<unknown>	DEFAULT	2
checksum_tcp_udp	.symtab	0x82c4	424	FUNC	<unknown>	DEFAULT	2
checksum_tcpudp	.symtab	0x846c	424	FUNC	<unknown>	DEFAULT	2
clock	.symtab	0x11ae4	52	FUNC	<unknown>	DEFAULT	2
clock.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
clock_getres	.symtab	0x16660	52	FUNC	<unknown>	DEFAULT	2
clock_getres.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
close	.symtab	0x11a64	52	FUNC	<unknown>	DEFAULT	2
close.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
closedir	.symtab	0x1684c	248	FUNC	<unknown>	DEFAULT	2
closedir.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
closenameservers.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
completed.4959	.symtab	0x293a8	1	OBJECT	<unknown>	DEFAULT	13
connect	.symtab	0x1367c	56	FUNC	<unknown>	DEFAULT	2
connect.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
connectTimeout	.symtab	0xa08c	628	FUNC	<unknown>	DEFAULT	2
crtstuff.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
crtstuff.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
csum	.symtab	0xa50c	340	FUNC	<unknown>	DEFAULT	2
data_start	.symtab	0x2908c	0	NOTYPE	<unknown>	DEFAULT	12
decoded.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
decodeh.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
dl-support.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
dnslookup.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
dup2	.symtab	0x115a0	52	FUNC	<unknown>	DEFAULT	2
dup2.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
encoded.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
encodeh.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
encodeq.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
environ	.symtab	0x2f5e8	4	OBJECT	<unknown>	DEFAULT	13
errno	.symtab	0x2f5f8	4	OBJECT	<unknown>	DEFAULT	13
errno.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
execl	.symtab	0x15f44	172	FUNC	<unknown>	DEFAULT	2
execl.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
execve	.symtab	0x165f0	52	FUNC	<unknown>	DEFAULT	2
execve.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
exit	.symtab	0x156bc	184	FUNC	<unknown>	DEFAULT	2
exit.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
exp10_table	.symtab	0x20b48	72	OBJECT	<unknown>	DEFAULT	4
fclose	.symtab	0x1712c	436	FUNC	<unknown>	DEFAULT	2
fclose.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fcntl	.symtab	0x118a0	108	FUNC	<unknown>	DEFAULT	2
fd_to_DIR	.symtab	0x16944	208	FUNC	<unknown>	DEFAULT	2
fdgets	.symtab	0x9930	212	FUNC	<unknown>	DEFAULT	2
fdopen_pids	.symtab	0x2d3e4	4	OBJECT	<unknown>	DEFAULT	13
fdopendir	.symtab	0x16ac0	152	FUNC	<unknown>	DEFAULT	2
fdpclose	.symtab	0x97a8	392	FUNC	<unknown>	DEFAULT	2
fdpopen	.symtab	0x9520	648	FUNC	<unknown>	DEFAULT	2
fflush_unlocked	.symtab	0x185d8	524	FUNC	<unknown>	DEFAULT	2
fflush_unlocked.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fgetc	.symtab	0x182b8	220	FUNC	<unknown>	DEFAULT	2
fgetc.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fgetc_unlocked	.symtab	0x187e4	300	FUNC	<unknown>	DEFAULT	2
fgetc_unlocked.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fgets	.symtab	0x18394	188	FUNC	<unknown>	DEFAULT	2
fgets.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fgets_unlocked	.symtab	0x18910	160	FUNC	<unknown>	DEFAULT	2
fgets_unlocked.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
findRandIP	.symtab	0xa4a8	100	FUNC	<unknown>	DEFAULT	2
fmt	.symtab	0x20b30	20	OBJECT	<unknown>	DEFAULT	4
fopen	.symtab	0x172e0	32	FUNC	<unknown>	DEFAULT	2
fopen.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fork	.symtab	0x11714	52	FUNC	<unknown>	DEFAULT	2
fork.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fputs_unlocked	.symtab	0x12db8	56	FUNC	<unknown>	DEFAULT	2
fputs_unlocked.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
frame_dummy	.symtab	0x8150	0	FUNC	<unknown>	DEFAULT	2
free	.symtab	0x14b14	572	FUNC	<unknown>	DEFAULT	2
free.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fseek	.symtab	0x19b5c	36	FUNC	<unknown>	DEFAULT	2
fseeko	.symtab	0x19b5c	36	FUNC	<unknown>	DEFAULT	2
fseeko.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fseeko64	.symtab	0x19b80	336	FUNC	<unknown>	DEFAULT	2
fseeko64.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fstat	.symtab	0x19790	88	FUNC	<unknown>	DEFAULT	2
fstat.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fwrite_unlocked	.symtab	0x12df0	176	FUNC	<unknown>	DEFAULT	2
fwrite_unlocked.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getBuild	.symtab	0xea54	24	FUNC	<unknown>	DEFAULT	2
getHost	.symtab	0x9c34	104	FUNC	<unknown>	DEFAULT	2
getOurIP	.symtab	0xe798	700	FUNC	<unknown>	DEFAULT	2
get_hosts_byname_r.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getc	.symtab	0x182b8	220	FUNC	<unknown>	DEFAULT	2
getc_unlocked	.symtab	0x187e4	300	FUNC	<unknown>	DEFAULT	2
getdents64.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getdtablesize	.symtab	0x1180c	44	FUNC	<unknown>	DEFAULT	2
getdtablesize.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getegid	.symtab	0x166c8	20	FUNC	<unknown>	DEFAULT	2
getegid.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
geteuid	.symtab	0x11700	20	FUNC	<unknown>	DEFAULT	2
geteuid.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getgid	.symtab	0x16748	20	FUNC	<unknown>	DEFAULT	2
getgid.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
gethostbyname	.symtab	0x135f8	28	FUNC	<unknown>	DEFAULT	2
gethostbyname.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
gethostbyname2	.symtab	0x13614	104	FUNC	<unknown>	DEFAULT	2
gethostbyname2.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
gethostbyname2_r	.symtab	0x19460	672	FUNC	<unknown>	DEFAULT	2
gethostbyname2_r.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
gethostbyname_r	.symtab	0x1b470	760	FUNC	<unknown>	DEFAULT	2
gethostbyname_r.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
gethostname	.symtab	0x1b79c	120	FUNC	<unknown>	DEFAULT	2
gethostname.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getpagesize	.symtab	0x16624	40	FUNC	<unknown>	DEFAULT	2
getpagesize.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getpid	.symtab	0x1167c	20	FUNC	<unknown>	DEFAULT	2
getpid.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getppid	.symtab	0x115d4	20	FUNC	<unknown>	DEFAULT	2
getppid.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getrlimit	.symtab	0x16694	52	FUNC	<unknown>	DEFAULT	2
getrlimit.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getsockname	.symtab	0x136b4	56	FUNC	<unknown>	DEFAULT	2
getsockname.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getsockopt	.symtab	0x136ec	68	FUNC	<unknown>	DEFAULT	2
getsockopt.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
gettimeofday	.symtab	0x1186c	52	FUNC	<unknown>	DEFAULT	2
gettimeofday.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getuid	.symtab	0x1664c	20	FUNC	<unknown>	DEFAULT	2
getuid.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
h_errno	.symtab	0x2f5fc	4	OBJECT	<unknown>	DEFAULT	13
hacks	.symtab	0x29090	4	OBJECT	<unknown>	DEFAULT	12
hacks2	.symtab	0x29094	4	OBJECT	<unknown>	DEFAULT	12
hacks3	.symtab	0x29098	4	OBJECT	<unknown>	DEFAULT	12
hacks4	.symtab	0x2909c	4	OBJECT	<unknown>	DEFAULT	12
hextable	.symtab	0x1d72c	1024	OBJECT	<unknown>	DEFAULT	4
hoste.5443	.symtab	0x2f5c8	20	OBJECT	<unknown>	DEFAULT	13
htonl	.symtab	0x13580	32	FUNC	<unknown>	DEFAULT	2
htons	.symtab	0x13570	16	FUNC	<unknown>	DEFAULT	2
httphex	.symtab	0xc5bc	1204	FUNC	<unknown>	DEFAULT	2
i.4902	.symtab	0x29140	4	OBJECT	<unknown>	DEFAULT	12
index	.symtab	0x13298	240	FUNC	<unknown>	DEFAULT	2
inet_addr	.symtab	0x135d0	40	FUNC	<unknown>	DEFAULT	2
inet_aton	.symtab	0x19368	248	FUNC	<unknown>	DEFAULT	2
inet_aton.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
inet_makeaddr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
inet_ntop	.symtab	0x1a320	644	FUNC	<unknown>	DEFAULT	2
inet_ntop4	.symtab	0x1a1dc	324	FUNC	<unknown>	DEFAULT	2
inet_pton	.symtab	0x19fc0	540	FUNC	<unknown>	DEFAULT	2
inet_pton4	.symtab	0x19ef0	208	FUNC	<unknown>	DEFAULT	2
initConnection	.symtab	0xe570	552	FUNC	<unknown>	DEFAULT	2
init_rand	.symtab	0x8760	216	FUNC	<unknown>	DEFAULT	2
initfini.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
initfini.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
initstate	.symtab	0x1502c	192	FUNC	<unknown>	DEFAULT	2
initstate_r	.symtab	0x153dc	228	FUNC	<unknown>	DEFAULT	2
ioctl	.symtab	0x119ac	84	FUNC	<unknown>	DEFAULT	2
ioctl.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
isatty	.symtab	0x134d0	36	FUNC	<unknown>	DEFAULT	2
isatty.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
kill	.symtab	0x11838	52	FUNC	<unknown>	DEFAULT	2
kill.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
killer_status	.symtab	0x293d8	4	OBJECT	<unknown>	DEFAULT	13
last_id.5501	.symtab	0x29398	2	OBJECT	<unknown>	DEFAULT	12
last_ns_num.5500	.symtab	0x2f604	4	OBJECT	<unknown>	DEFAULT	13
libc/string/arm/_memcpy.S	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/18/24-01:27:46.519770	TCP	2839489	ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response	1486	41112	185.150.26.226	192.168.2.15
04/18/24-01:28:48.258280	TCP	2839489	ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response	1486	41120	185.150.26.226	192.168.2.15
04/18/24-01:27:31.110122	TCP	2839489	ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response	1486	41110	185.150.26.226	192.168.2.15
04/18/24-01:29:03.664496	TCP	2839489	ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response	1486	41122	185.150.26.226	192.168.2.15
04/18/24-01:28:01.935052	TCP	2839489	ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response	1486	41114	185.150.26.226	192.168.2.15
04/18/24-01:29:19.126700	TCP	2839489	ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response	1486	41124	185.150.26.226	192.168.2.15
04/18/24-01:30:05.376252	TCP	2839489	ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response	1486	41130	185.150.26.226	192.168.2.15
04/18/24-01:30:20.789102	TCP	2839489	ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response	1486	41132	185.150.26.226	192.168.2.15
04/18/24-01:27:13.871875	TCP	2839489	ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response	1486	60996	185.150.26.226	192.168.2.14
04/18/24-01:29:49.962139	TCP	2839489	ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response	1486	41128	185.150.26.226	192.168.2.15
04/18/24-01:26:58.412823	TCP	2839489	ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response	1486	60994	185.150.26.226	192.168.2.14
04/18/24-01:29:34.543208	TCP	2839489	ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response	1486	41126	185.150.26.226	192.168.2.15
04/18/24-01:27:29.334720	TCP	2839489	ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response	1486	60998	185.150.26.226	192.168.2.14
04/18/24-01:28:32.798760	TCP	2839489	ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response	1486	41118	185.150.26.226	192.168.2.15
04/18/24-01:28:00.248642	TCP	2839489	ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response	1486	32770	185.150.26.226	192.168.2.14
04/18/24-01:28:17.344777	TCP	2839489	ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response	1486	41116	185.150.26.226	192.168.2.15
04/18/24-01:27:44.796770	TCP	2839489	ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response	1486	32768	185.150.26.226	192.168.2.14
04/18/24-01:27:00.225610	TCP	2839489	ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response	1486	41106	185.150.26.226	192.168.2.15
04/18/24-01:27:15.649607	TCP	2839489	ETPRO TROJAN ELF/BASHLITE Variant CnC Server Response	1486	41108	185.150.26.226	192.168.2.15

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 18, 2024 01:26:59.812838078 CEST	41106	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:27:00.019088030 CEST	1486	41106	185.150.26.226	192.168.2.15
Apr 18, 2024 01:27:00.019171953 CEST	41106	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:27:00.019540071 CEST	41106	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:27:00.225610018 CEST	1486	41106	185.150.26.226	192.168.2.15
Apr 18, 2024 01:27:00.225644112 CEST	1486	41106	185.150.26.226	192.168.2.15
Apr 18, 2024 01:27:00.225653887 CEST	1486	41106	185.150.26.226	192.168.2.15
Apr 18, 2024 01:27:00.225708008 CEST	41106	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:27:00.226293087 CEST	41106	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:27:00.432010889 CEST	1486	41106	185.150.26.226	192.168.2.15
Apr 18, 2024 01:27:00.432192087 CEST	1486	41106	185.150.26.226	192.168.2.15
Apr 18, 2024 01:27:15.227210045 CEST	41108	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:27:15.437990904 CEST	1486	41108	185.150.26.226	192.168.2.15
Apr 18, 2024 01:27:15.438664913 CEST	41108	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:27:15.439162016 CEST	41108	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:27:15.649606943 CEST	1486	41108	185.150.26.226	192.168.2.15
Apr 18, 2024 01:27:15.649800062 CEST	1486	41108	185.150.26.226	192.168.2.15
Apr 18, 2024 01:27:15.649852037 CEST	1486	41108	185.150.26.226	192.168.2.15
Apr 18, 2024 01:27:15.650229931 CEST	41108	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:27:15.650712013 CEST	41108	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:27:15.860958099 CEST	1486	41108	185.150.26.226	192.168.2.15
Apr 18, 2024 01:27:15.861197948 CEST	1486	41108	185.150.26.226	192.168.2.15
Apr 18, 2024 01:27:30.651210070 CEST	41110	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:27:30.880215883 CEST	1486	41110	185.150.26.226	192.168.2.15
Apr 18, 2024 01:27:30.880904913 CEST	41110	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:27:30.881052971 CEST	41110	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:27:31.110043049 CEST	1486	41110	185.150.26.226	192.168.2.15
Apr 18, 2024 01:27:31.110121965 CEST	1486	41110	185.150.26.226	192.168.2.15
Apr 18, 2024 01:27:31.110146046 CEST	1486	41110	185.150.26.226	192.168.2.15
Apr 18, 2024 01:27:31.110748053 CEST	41110	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:27:31.339684963 CEST	1486	41110	185.150.26.226	192.168.2.15
Apr 18, 2024 01:27:46.111470938 CEST	41112	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:27:46.315119028 CEST	1486	41112	185.150.26.226	192.168.2.15
Apr 18, 2024 01:27:46.316026926 CEST	41112	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:27:46.316040039 CEST	41112	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:27:46.519727945 CEST	1486	41112	185.150.26.226	192.168.2.15
Apr 18, 2024 01:27:46.519769907 CEST	1486	41112	185.150.26.226	192.168.2.15
Apr 18, 2024 01:27:46.519789934 CEST	1486	41112	185.150.26.226	192.168.2.15
Apr 18, 2024 01:27:46.520188093 CEST	41112	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:27:46.723601103 CEST	1486	41112	185.150.26.226	192.168.2.15
Apr 18, 2024 01:28:01.520670891 CEST	41114	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:28:01.727595091 CEST	1486	41114	185.150.26.226	192.168.2.15
Apr 18, 2024 01:28:01.727973938 CEST	41114	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:28:01.728267908 CEST	41114	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:28:01.935051918 CEST	1486	41114	185.150.26.226	192.168.2.15
Apr 18, 2024 01:28:01.935110092 CEST	1486	41114	185.150.26.226	192.168.2.15
Apr 18, 2024 01:28:01.935147047 CEST	1486	41114	185.150.26.226	192.168.2.15
Apr 18, 2024 01:28:01.935424089 CEST	41114	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:28:01.935729027 CEST	41114	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:28:02.142390013 CEST	1486	41114	185.150.26.226	192.168.2.15
Apr 18, 2024 01:28:02.142560005 CEST	1486	41114	185.150.26.226	192.168.2.15
Apr 18, 2024 01:28:16.935894012 CEST	41116	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:28:17.140439034 CEST	1486	41116	185.150.26.226	192.168.2.15
Apr 18, 2024 01:28:17.140620947 CEST	41116	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:28:17.140789032 CEST	41116	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:28:17.344777107 CEST	1486	41116	185.150.26.226	192.168.2.15
Apr 18, 2024 01:28:17.344799995 CEST	1486	41116	185.150.26.226	192.168.2.15
Apr 18, 2024 01:28:17.344815016 CEST	1486	41116	185.150.26.226	192.168.2.15
Apr 18, 2024 01:28:17.344928980 CEST	41116	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:28:17.345155001 CEST	41116	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:28:17.549083948 CEST	1486	41116	185.150.26.226	192.168.2.15
Apr 18, 2024 01:28:17.549210072 CEST	1486	41116	185.150.26.226	192.168.2.15
Apr 18, 2024 01:28:32.345788956 CEST	41118	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:28:32.572190046 CEST	1486	41118	185.150.26.226	192.168.2.15
Apr 18, 2024 01:28:32.572577000 CEST	41118	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:28:32.572635889 CEST	41118	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:28:32.798731089 CEST	1486	41118	185.150.26.226	192.168.2.15
Apr 18, 2024 01:28:32.798759937 CEST	1486	41118	185.150.26.226	192.168.2.15
Apr 18, 2024 01:28:32.798779011 CEST	1486	41118	185.150.26.226	192.168.2.15
Apr 18, 2024 01:28:32.798923969 CEST	41118	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:28:33.025158882 CEST	1486	41118	185.150.26.226	192.168.2.15
Apr 18, 2024 01:28:47.799173117 CEST	41120	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:28:48.028645039 CEST	1486	41120	185.150.26.226	192.168.2.15
Apr 18, 2024 01:28:48.028815985 CEST	41120	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:28:48.028950930 CEST	41120	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:28:48.258280039 CEST	1486	41120	185.150.26.226	192.168.2.15
Apr 18, 2024 01:28:48.258347988 CEST	1486	41120	185.150.26.226	192.168.2.15
Apr 18, 2024 01:28:48.258373976 CEST	1486	41120	185.150.26.226	192.168.2.15
Apr 18, 2024 01:28:48.258414984 CEST	41120	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:28:48.258517027 CEST	41120	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:28:48.487812042 CEST	1486	41120	185.150.26.226	192.168.2.15
Apr 18, 2024 01:28:48.487857103 CEST	1486	41120	185.150.26.226	192.168.2.15
Apr 18, 2024 01:29:03.258836031 CEST	41122	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:29:03.461575985 CEST	1486	41122	185.150.26.226	192.168.2.15
Apr 18, 2024 01:29:03.461810112 CEST	41122	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:29:03.461810112 CEST	41122	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:29:03.664448023 CEST	1486	41122	185.150.26.226	192.168.2.15
Apr 18, 2024 01:29:03.664495945 CEST	1486	41122	185.150.26.226	192.168.2.15
Apr 18, 2024 01:29:03.664511919 CEST	1486	41122	185.150.26.226	192.168.2.15
Apr 18, 2024 01:29:03.664653063 CEST	41122	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:29:03.867259026 CEST	1486	41122	185.150.26.226	192.168.2.15
Apr 18, 2024 01:29:18.664872885 CEST	41124	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:29:18.895668983 CEST	1486	41124	185.150.26.226	192.168.2.15
Apr 18, 2024 01:29:18.895858049 CEST	41124	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:29:18.895904064 CEST	41124	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:29:19.126653910 CEST	1486	41124	185.150.26.226	192.168.2.15
Apr 18, 2024 01:29:19.126699924 CEST	1486	41124	185.150.26.226	192.168.2.15
Apr 18, 2024 01:29:19.126734018 CEST	1486	41124	185.150.26.226	192.168.2.15
Apr 18, 2024 01:29:19.127136946 CEST	41124	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:29:19.357959986 CEST	1486	41124	185.150.26.226	192.168.2.15
Apr 18, 2024 01:29:34.127367020 CEST	41126	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:29:34.335182905 CEST	1486	41126	185.150.26.226	192.168.2.15
Apr 18, 2024 01:29:34.335364103 CEST	41126	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:29:34.335447073 CEST	41126	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:29:34.543188095 CEST	1486	41126	185.150.26.226	192.168.2.15
Apr 18, 2024 01:29:34.543207884 CEST	1486	41126	185.150.26.226	192.168.2.15
Apr 18, 2024 01:29:34.543265104 CEST	1486	41126	185.150.26.226	192.168.2.15
Apr 18, 2024 01:29:34.543314934 CEST	41126	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:29:34.751094103 CEST	1486	41126	185.150.26.226	192.168.2.15
Apr 18, 2024 01:29:49.543987989 CEST	41128	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:29:49.752592087 CEST	1486	41128	185.150.26.226	192.168.2.15
Apr 18, 2024 01:29:49.752779007 CEST	41128	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:29:49.752880096 CEST	41128	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:29:49.962138891 CEST	1486	41128	185.150.26.226	192.168.2.15
Apr 18, 2024 01:29:49.962169886 CEST	1486	41128	185.150.26.226	192.168.2.15
Apr 18, 2024 01:29:49.962265968 CEST	41128	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:29:49.962400913 CEST	41128	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:29:49.962480068 CEST	1486	41128	185.150.26.226	192.168.2.15
Apr 18, 2024 01:29:50.170568943 CEST	1486	41128	185.150.26.226	192.168.2.15
Apr 18, 2024 01:29:50.170622110 CEST	1486	41128	185.150.26.226	192.168.2.15
Apr 18, 2024 01:30:04.962941885 CEST	41130	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:30:05.169495106 CEST	1486	41130	185.150.26.226	192.168.2.15
Apr 18, 2024 01:30:05.169692039 CEST	41130	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:30:05.169754028 CEST	41130	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:30:05.376215935 CEST	1486	41130	185.150.26.226	192.168.2.15
Apr 18, 2024 01:30:05.376251936 CEST	1486	41130	185.150.26.226	192.168.2.15
Apr 18, 2024 01:30:05.376271963 CEST	1486	41130	185.150.26.226	192.168.2.15
Apr 18, 2024 01:30:05.376399040 CEST	41130	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:30:05.582958937 CEST	1486	41130	185.150.26.226	192.168.2.15
Apr 18, 2024 01:30:20.377187014 CEST	41132	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:30:20.583059072 CEST	1486	41132	185.150.26.226	192.168.2.15
Apr 18, 2024 01:30:20.583249092 CEST	41132	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:30:20.583437920 CEST	41132	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:30:20.789102077 CEST	1486	41132	185.150.26.226	192.168.2.15
Apr 18, 2024 01:30:20.789160013 CEST	1486	41132	185.150.26.226	192.168.2.15
Apr 18, 2024 01:30:20.789201021 CEST	1486	41132	185.150.26.226	192.168.2.15
Apr 18, 2024 01:30:20.789335012 CEST	41132	1486	192.168.2.15	185.150.26.226
Apr 18, 2024 01:30:20.995136023 CEST	1486	41132	185.150.26.226	192.168.2.15

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 18, 2024 01:29:42.342498064 CEST	39090	53	192.168.2.15	1.1.1.1
Apr 18, 2024 01:29:42.342648983 CEST	36940	53	192.168.2.15	1.1.1.1
Apr 18, 2024 01:29:42.446943045 CEST	53	36940	1.1.1.1	192.168.2.15
Apr 18, 2024 01:29:42.447976112 CEST	53	39090	1.1.1.1	192.168.2.15

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 18, 2024 01:29:42.342498064 CEST	192.168.2.15	1.1.1.1	0x96fc	Standard query (0)	daisy.ubuntu.com	A (IP address)	IN (0x0001)	false
Apr 18, 2024 01:29:42.342648983 CEST	192.168.2.15	1.1.1.1	0xc1a6	Standard query (0)	daisy.ubuntu.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 18, 2024 01:29:42.447976112 CEST	1.1.1.1	192.168.2.15	0x96fc	No error (0)	daisy.ubuntu.com		162.213.35.24	A (IP address)	IN (0x0001)	false
Apr 18, 2024 01:29:42.447976112 CEST	1.1.1.1	192.168.2.15	0x96fc	No error (0)	daisy.ubuntu.com		162.213.35.25	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: PwP4tXNi4a.elf PID: 5533, Parent PID: 5452

General

Start time (UTC):	23:26:58
Start date (UTC):	17/04/2024
Path:	/tmp/PwP4tXNi4a.elf
Arguments:	/tmp/PwP4tXNi4a.elf
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: PwP4tXNi4a.elf PID: 5535, Parent PID: 5533

General

Start time (UTC):	23:26:59
Start date (UTC):	17/04/2024
Path:	/tmp/PwP4tXNi4a.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: PwP4tXNi4a.elf PID: 5536, Parent PID: 5533

General

Start time (UTC):	23:26:59
Start date (UTC):	17/04/2024
Path:	/tmp/PwP4tXNi4a.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: PwP4tXNi4a.elf PID: 5539, Parent PID: 5536

General

Start time (UTC):	23:26:59
Start date (UTC):	17/04/2024
Path:	/tmp/PwP4tXNi4a.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report PwP4tXNi4a.elf

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Snort Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Symbols

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: PwP4tXNi4a.elf PID: 5533, Parent PID: 5452

General

Chronological Activities

Analysis Process: PwP4tXNi4a.elf PID: 5535, Parent PID: 5533

General

Chronological Activities

Analysis Process: PwP4tXNi4a.elf PID: 5536, Parent PID: 5533

General

Chronological Activities

Analysis Process: PwP4tXNi4a.elf PID: 5539, Parent PID: 5536

General

Linux Analysis Report
PwP4tXNi4a.elf