Edit tour

Linux Analysis Report
mqi686.elf

Overview

General Information

Sample name:	mqi686.elf
Analysis ID:	1665485
MD5:	079d22d5ba3763a097c9459eeafa98ed
SHA1:	6577e4d2a1f201d540d2a1bbcb610798a8001fef
SHA256:	f3665dbb831f2457bdbfb1ea6778471fab35102aa7866ba53a86b25001535a2c
Tags:	elfuser-abuse_ch
Infos:

Detection

Mirai

Score:	64
Range:	0 - 100

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Mirai

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Executes the "kill" or "pkill" command typically used to terminate processes

Executes the "rm" command used to delete files or directories

Reads CPU information from /sys indicative of miner or evasive malware

Reads the 'hosts' file potentially containing internal network hosts

Sample and/or dropped files contains symbols with suspicious names

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample contains strings indicative of password brute-forcing capabilities

Sample contains strings that are user agent strings indicative of HTTP manipulation

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1665485
Start date and time:	2025-04-15 15:33:30 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	mqi686.elf
Detection:	MAL
Classification:	mal64.troj.linELF@0/0@1/0

Warnings

Report size exceeded maximum capacity and may have missing behavior information.
VT rate limit hit for: irc.psychz.net

Runtime Messages

Command:	/tmp/mqi686.elf
PID:	6229
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	CAPSAICIN
Standard Error:

Process Tree

system is lnxubuntu20

mqi686.elf (PID: 6229, Parent: 6147, MD5: 079d22d5ba3763a097c9459eeafa98ed) Arguments: /tmp/mqi686.elf

mqi686.elf New Fork (PID: 6230, Parent: 6229)

mqi686.elf New Fork (PID: 6231, Parent: 6230)

mqi686.elf New Fork (PID: 6232, Parent: 6230)

mqi686.elf New Fork (PID: 6233, Parent: 6230)

sh (PID: 6233, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 902i13 || busybox pkill -9 902i13"

sh New Fork (PID: 6234, Parent: 6233)

pkill (PID: 6234, Parent: 6233, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 902i13

sh New Fork (PID: 6249, Parent: 6233)

busybox (PID: 6249, Parent: 6233, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 902i13

mqi686.elf New Fork (PID: 6250, Parent: 6230)

sh (PID: 6250, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 BzSxLxBxeY || busybox pkill -9 BzSxLxBxeY"

sh New Fork (PID: 6251, Parent: 6250)

pkill (PID: 6251, Parent: 6250, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 BzSxLxBxeY

sh New Fork (PID: 6261, Parent: 6250)

busybox (PID: 6261, Parent: 6250, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 BzSxLxBxeY

mqi686.elf New Fork (PID: 6262, Parent: 6230)

sh (PID: 6262, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 HOHO-LUGO7 || busybox pkill -9 HOHO-LUGO7"

sh New Fork (PID: 6263, Parent: 6262)

pkill (PID: 6263, Parent: 6262, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 HOHO-LUGO7

sh New Fork (PID: 6264, Parent: 6262)

busybox (PID: 6264, Parent: 6262, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 HOHO-LUGO7

mqi686.elf New Fork (PID: 6265, Parent: 6230)

sh (PID: 6265, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 HOHO-U79OL || busybox pkill -9 HOHO-U79OL"

sh New Fork (PID: 6266, Parent: 6265)

pkill (PID: 6266, Parent: 6265, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 HOHO-U79OL

sh New Fork (PID: 6269, Parent: 6265)

busybox (PID: 6269, Parent: 6265, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 HOHO-U79OL

mqi686.elf New Fork (PID: 6270, Parent: 6230)

sh (PID: 6270, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 JuYfouyf87 || busybox pkill -9 JuYfouyf87"

sh New Fork (PID: 6271, Parent: 6270)

pkill (PID: 6271, Parent: 6270, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 JuYfouyf87

sh New Fork (PID: 6273, Parent: 6270)

busybox (PID: 6273, Parent: 6270, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 JuYfouyf87

mqi686.elf New Fork (PID: 6274, Parent: 6230)

sh (PID: 6274, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 NiGGeR69xd || busybox pkill -9 NiGGeR69xd"

sh New Fork (PID: 6275, Parent: 6274)

pkill (PID: 6275, Parent: 6274, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 NiGGeR69xd

sh New Fork (PID: 6278, Parent: 6274)

busybox (PID: 6278, Parent: 6274, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 NiGGeR69xd

mqi686.elf New Fork (PID: 6279, Parent: 6230)

sh (PID: 6279, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 SO190Ij1X || busybox pkill -9 SO190Ij1X"

sh New Fork (PID: 6280, Parent: 6279)

pkill (PID: 6280, Parent: 6279, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 SO190Ij1X

sh New Fork (PID: 6281, Parent: 6279)

busybox (PID: 6281, Parent: 6279, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 SO190Ij1X

mqi686.elf New Fork (PID: 6301, Parent: 6230)

sh (PID: 6301, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 LOLKIKEEEDDE || busybox pkill -9 LOLKIKEEEDDE"

sh New Fork (PID: 6302, Parent: 6301)

pkill (PID: 6302, Parent: 6301, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 LOLKIKEEEDDE

sh New Fork (PID: 6303, Parent: 6301)

busybox (PID: 6303, Parent: 6301, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 LOLKIKEEEDDE

mqi686.elf New Fork (PID: 6306, Parent: 6230)

sh (PID: 6306, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 ekjheory98e || busybox pkill -9 ekjheory98e"

sh New Fork (PID: 6307, Parent: 6306)

pkill (PID: 6307, Parent: 6306, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 ekjheory98e

sh New Fork (PID: 6308, Parent: 6306)

busybox (PID: 6308, Parent: 6306, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 ekjheory98e

mqi686.elf New Fork (PID: 6309, Parent: 6230)

sh (PID: 6309, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 scansh4 || busybox pkill -9 scansh4"

sh New Fork (PID: 6310, Parent: 6309)

pkill (PID: 6310, Parent: 6309, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 scansh4

sh New Fork (PID: 6335, Parent: 6309)

busybox (PID: 6335, Parent: 6309, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 scansh4

mqi686.elf New Fork (PID: 6336, Parent: 6230)

sh (PID: 6336, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 MDMA || busybox pkill -9 MDMA"

sh New Fork (PID: 6337, Parent: 6336)

pkill (PID: 6337, Parent: 6336, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 MDMA

sh New Fork (PID: 6338, Parent: 6336)

busybox (PID: 6338, Parent: 6336, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 MDMA

mqi686.elf New Fork (PID: 6339, Parent: 6230)

sh (PID: 6339, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 fdevalvex || busybox pkill -9 fdevalvex"

sh New Fork (PID: 6340, Parent: 6339)

pkill (PID: 6340, Parent: 6339, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 fdevalvex

sh New Fork (PID: 6341, Parent: 6339)

busybox (PID: 6341, Parent: 6339, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 fdevalvex

mqi686.elf New Fork (PID: 6344, Parent: 6230)

sh (PID: 6344, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 scanspc || busybox pkill -9 scanspc"

sh New Fork (PID: 6345, Parent: 6344)

pkill (PID: 6345, Parent: 6344, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 scanspc

sh New Fork (PID: 6346, Parent: 6344)

busybox (PID: 6346, Parent: 6344, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 scanspc

mqi686.elf New Fork (PID: 6347, Parent: 6230)

sh (PID: 6347, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 MELTEDNINJAREALZ || busybox pkill -9 MELTEDNINJAREALZ"

sh New Fork (PID: 6348, Parent: 6347)

pkill (PID: 6348, Parent: 6347, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 MELTEDNINJAREALZ

sh New Fork (PID: 6349, Parent: 6347)

busybox (PID: 6349, Parent: 6347, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 MELTEDNINJAREALZ

mqi686.elf New Fork (PID: 6350, Parent: 6230)

sh (PID: 6350, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 flexsonskids || busybox pkill -9 flexsonskids"

sh New Fork (PID: 6351, Parent: 6350)

pkill (PID: 6351, Parent: 6350, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 flexsonskids

sh New Fork (PID: 6354, Parent: 6350)

busybox (PID: 6354, Parent: 6350, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 flexsonskids

mqi686.elf New Fork (PID: 6355, Parent: 6230)

sh (PID: 6355, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 scanx86 || busybox pkill -9 scanx86"

sh New Fork (PID: 6356, Parent: 6355)

pkill (PID: 6356, Parent: 6355, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 scanx86

sh New Fork (PID: 6357, Parent: 6355)

busybox (PID: 6357, Parent: 6355, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 scanx86

mqi686.elf New Fork (PID: 6358, Parent: 6230)

sh (PID: 6358, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 MISAKI-U79OL || busybox pkill -9 MISAKI-U79OL"

sh New Fork (PID: 6359, Parent: 6358)

pkill (PID: 6359, Parent: 6358, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 MISAKI-U79OL

sh New Fork (PID: 6362, Parent: 6358)

busybox (PID: 6362, Parent: 6358, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 MISAKI-U79OL

mqi686.elf New Fork (PID: 6363, Parent: 6230)

sh (PID: 6363, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 foAxi102kxe || busybox pkill -9 foAxi102kxe"

sh New Fork (PID: 6364, Parent: 6363)

pkill (PID: 6364, Parent: 6363, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 foAxi102kxe

sh New Fork (PID: 6365, Parent: 6363)

busybox (PID: 6365, Parent: 6363, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 foAxi102kxe

mqi686.elf New Fork (PID: 6367, Parent: 6230)

sh (PID: 6367, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 swodjwodjwoj || busybox pkill -9 swodjwodjwoj"

sh New Fork (PID: 6368, Parent: 6367)

pkill (PID: 6368, Parent: 6367, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 swodjwodjwoj

sh New Fork (PID: 6369, Parent: 6367)

busybox (PID: 6369, Parent: 6367, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 swodjwodjwoj

mqi686.elf New Fork (PID: 6372, Parent: 6230)

sh (PID: 6372, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 MmKiy7f87l || busybox pkill -9 MmKiy7f87l"

sh New Fork (PID: 6373, Parent: 6372)

pkill (PID: 6373, Parent: 6372, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 MmKiy7f87l

sh New Fork (PID: 6374, Parent: 6372)

busybox (PID: 6374, Parent: 6372, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 MmKiy7f87l

mqi686.elf New Fork (PID: 6377, Parent: 6230)

sh (PID: 6377, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 freecookiex86 || busybox pkill -9 freecookiex86"

sh New Fork (PID: 6378, Parent: 6377)

pkill (PID: 6378, Parent: 6377, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 freecookiex86

sh New Fork (PID: 6379, Parent: 6377)

busybox (PID: 6379, Parent: 6377, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 freecookiex86

mqi686.elf New Fork (PID: 6382, Parent: 6230)

sh (PID: 6382, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 sysgpu || busybox pkill -9 sysgpu"

sh New Fork (PID: 6383, Parent: 6382)

pkill (PID: 6383, Parent: 6382, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 sysgpu

sh New Fork (PID: 6384, Parent: 6382)

busybox (PID: 6384, Parent: 6382, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 sysgpu

mqi686.elf New Fork (PID: 6385, Parent: 6230)

sh (PID: 6385, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 NiGGeR69xd || busybox pkill -9 NiGGeR69xd"

sh New Fork (PID: 6386, Parent: 6385)

pkill (PID: 6386, Parent: 6385, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 NiGGeR69xd

sh New Fork (PID: 6387, Parent: 6385)

busybox (PID: 6387, Parent: 6385, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 NiGGeR69xd

mqi686.elf New Fork (PID: 6390, Parent: 6230)

sh (PID: 6390, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 frgege || busybox pkill -9 frgege"

sh New Fork (PID: 6391, Parent: 6390)

pkill (PID: 6391, Parent: 6390, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 frgege

sh New Fork (PID: 6392, Parent: 6390)

busybox (PID: 6392, Parent: 6390, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 frgege

mqi686.elf New Fork (PID: 6393, Parent: 6230)

sh (PID: 6393, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 sysupdater || busybox pkill -9 sysupdater"

sh New Fork (PID: 6394, Parent: 6393)

pkill (PID: 6394, Parent: 6393, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 sysupdater

sh New Fork (PID: 6395, Parent: 6393)

busybox (PID: 6395, Parent: 6393, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 sysupdater

mqi686.elf New Fork (PID: 6398, Parent: 6230)

sh (PID: 6398, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 0DnAzepd || busybox pkill -9 0DnAzepd"

sh New Fork (PID: 6399, Parent: 6398)

pkill (PID: 6399, Parent: 6398, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 0DnAzepd

sh New Fork (PID: 6400, Parent: 6398)

busybox (PID: 6400, Parent: 6398, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 0DnAzepd

mqi686.elf New Fork (PID: 6401, Parent: 6230)

sh (PID: 6401, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 NiGGeRD0nks69 || busybox pkill -9 NiGGeRD0nks69"

sh New Fork (PID: 6402, Parent: 6401)

pkill (PID: 6402, Parent: 6401, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 NiGGeRD0nks69

sh New Fork (PID: 6403, Parent: 6401)

busybox (PID: 6403, Parent: 6401, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 NiGGeRD0nks69

mqi686.elf New Fork (PID: 6404, Parent: 6230)

sh (PID: 6404, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 frgreu || busybox pkill -9 frgreu"

sh New Fork (PID: 6405, Parent: 6404)

pkill (PID: 6405, Parent: 6404, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 frgreu

sh New Fork (PID: 6408, Parent: 6404)

busybox (PID: 6408, Parent: 6404, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 frgreu

mqi686.elf New Fork (PID: 6409, Parent: 6230)

sh (PID: 6409, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 telnetd || busybox pkill -9 telnetd"

sh New Fork (PID: 6410, Parent: 6409)

pkill (PID: 6410, Parent: 6409, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 telnetd

sh New Fork (PID: 6411, Parent: 6409)

busybox (PID: 6411, Parent: 6409, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 telnetd

mqi686.elf New Fork (PID: 6412, Parent: 6230)

sh (PID: 6412, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 0x766f6964 || busybox pkill -9 0x766f6964"

sh New Fork (PID: 6413, Parent: 6412)

pkill (PID: 6413, Parent: 6412, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 0x766f6964

sh New Fork (PID: 6416, Parent: 6412)

busybox (PID: 6416, Parent: 6412, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 0x766f6964

mqi686.elf New Fork (PID: 6417, Parent: 6230)

sh (PID: 6417, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 NiGGeRd0nks1337 || busybox pkill -9 NiGGeRd0nks1337"

sh New Fork (PID: 6418, Parent: 6417)

pkill (PID: 6418, Parent: 6417, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 NiGGeRd0nks1337

sh New Fork (PID: 6420, Parent: 6417)

busybox (PID: 6420, Parent: 6417, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 NiGGeRd0nks1337

mqi686.elf New Fork (PID: 6421, Parent: 6230)

sh (PID: 6421, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 gaft || busybox pkill -9 gaft"

sh New Fork (PID: 6422, Parent: 6421)

pkill (PID: 6422, Parent: 6421, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 gaft

sh New Fork (PID: 6423, Parent: 6421)

busybox (PID: 6423, Parent: 6421, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 gaft

mqi686.elf New Fork (PID: 6426, Parent: 6230)

sh (PID: 6426, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 urasgbsigboa || busybox pkill -9 urasgbsigboa"

sh New Fork (PID: 6427, Parent: 6426)

pkill (PID: 6427, Parent: 6426, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 urasgbsigboa

sh New Fork (PID: 6428, Parent: 6426)

busybox (PID: 6428, Parent: 6426, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 urasgbsigboa

mqi686.elf New Fork (PID: 6429, Parent: 6230)

sh (PID: 6429, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 120i3UI49 || busybox pkill -9 120i3UI49"

sh New Fork (PID: 6430, Parent: 6429)

pkill (PID: 6430, Parent: 6429, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 120i3UI49

sh New Fork (PID: 6431, Parent: 6429)

busybox (PID: 6431, Parent: 6429, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 120i3UI49

mqi686.elf New Fork (PID: 6432, Parent: 6230)

sh (PID: 6432, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 OaF3 || busybox pkill -9 OaF3"

sh New Fork (PID: 6435, Parent: 6432)

pkill (PID: 6435, Parent: 6432, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 OaF3

sh New Fork (PID: 6436, Parent: 6432)

busybox (PID: 6436, Parent: 6432, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 OaF3

mqi686.elf New Fork (PID: 6437, Parent: 6230)

sh (PID: 6437, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 geae || busybox pkill -9 geae"

sh New Fork (PID: 6438, Parent: 6437)

pkill (PID: 6438, Parent: 6437, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 geae

sh New Fork (PID: 6439, Parent: 6437)

busybox (PID: 6439, Parent: 6437, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 geae

mqi686.elf New Fork (PID: 6440, Parent: 6230)

sh (PID: 6440, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 vaiolmao || busybox pkill -9 vaiolmao"

sh New Fork (PID: 6441, Parent: 6440)

pkill (PID: 6441, Parent: 6440, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 vaiolmao

sh New Fork (PID: 6444, Parent: 6440)

busybox (PID: 6444, Parent: 6440, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 vaiolmao

mqi686.elf New Fork (PID: 6445, Parent: 6230)

sh (PID: 6445, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 123123a || busybox pkill -9 123123a"

sh New Fork (PID: 6446, Parent: 6445)

pkill (PID: 6446, Parent: 6445, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 123123a

sh New Fork (PID: 6447, Parent: 6445)

busybox (PID: 6447, Parent: 6445, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 123123a

mqi686.elf New Fork (PID: 6448, Parent: 6230)

sh (PID: 6448, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 Ofurain0n4H34D || busybox pkill -9 Ofurain0n4H34D"

sh New Fork (PID: 6449, Parent: 6448)

pkill (PID: 6449, Parent: 6448, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 Ofurain0n4H34D

sh New Fork (PID: 6452, Parent: 6448)

busybox (PID: 6452, Parent: 6448, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 Ofurain0n4H34D

mqi686.elf New Fork (PID: 6453, Parent: 6230)

sh (PID: 6453, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 ggTrex || busybox pkill -9 ggTrex"

sh New Fork (PID: 6454, Parent: 6453)

pkill (PID: 6454, Parent: 6453, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 ggTrex

sh New Fork (PID: 6455, Parent: 6453)

busybox (PID: 6455, Parent: 6453, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 ggTrex

mqi686.elf New Fork (PID: 6456, Parent: 6230)

sh (PID: 6456, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 wasads || busybox pkill -9 wasads"

sh New Fork (PID: 6457, Parent: 6456)

pkill (PID: 6457, Parent: 6456, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 wasads

sh New Fork (PID: 6459, Parent: 6456)

busybox (PID: 6459, Parent: 6456, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 wasads

mqi686.elf New Fork (PID: 6462, Parent: 6230)

sh (PID: 6462, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 1293194hjXD || busybox pkill -9 1293194hjXD"

sh New Fork (PID: 6463, Parent: 6462)

pkill (PID: 6463, Parent: 6462, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 1293194hjXD

sh New Fork (PID: 6464, Parent: 6462)

busybox (PID: 6464, Parent: 6462, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 1293194hjXD

mqi686.elf New Fork (PID: 6465, Parent: 6230)

sh (PID: 6465, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 OthLaLosn || busybox pkill -9 OthLaLosn"

sh New Fork (PID: 6466, Parent: 6465)

pkill (PID: 6466, Parent: 6465, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 OthLaLosn

sh New Fork (PID: 6467, Parent: 6465)

busybox (PID: 6467, Parent: 6465, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 OthLaLosn

mqi686.elf New Fork (PID: 6468, Parent: 6230)

sh (PID: 6468, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 ggt || busybox pkill -9 ggt"

sh New Fork (PID: 6469, Parent: 6468)

pkill (PID: 6469, Parent: 6468, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 ggt

sh New Fork (PID: 6472, Parent: 6468)

busybox (PID: 6472, Parent: 6468, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 ggt

mqi686.elf New Fork (PID: 6473, Parent: 6230)

sh (PID: 6473, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 wget-log || busybox pkill -9 wget-log"

sh New Fork (PID: 6474, Parent: 6473)

pkill (PID: 6474, Parent: 6473, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 wget-log

sh New Fork (PID: 6475, Parent: 6473)

busybox (PID: 6475, Parent: 6473, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 wget-log

mqi686.elf New Fork (PID: 6477, Parent: 6230)

sh (PID: 6477, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 1337SoraLOADER || busybox pkill -9 1337SoraLOADER"

sh New Fork (PID: 6478, Parent: 6477)

pkill (PID: 6478, Parent: 6477, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 1337SoraLOADER

sh New Fork (PID: 6479, Parent: 6477)

busybox (PID: 6479, Parent: 6477, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 1337SoraLOADER

mqi686.elf New Fork (PID: 6482, Parent: 6230)

sh (PID: 6482, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 SAIAKINA || busybox pkill -9 SAIAKINA"

sh New Fork (PID: 6483, Parent: 6482)

pkill (PID: 6483, Parent: 6482, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 SAIAKINA

sh New Fork (PID: 6484, Parent: 6482)

busybox (PID: 6484, Parent: 6482, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 SAIAKINA

mqi686.elf New Fork (PID: 6487, Parent: 6230)

sh (PID: 6487, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 ggtq || busybox pkill -9 ggtq"

sh New Fork (PID: 6488, Parent: 6487)

pkill (PID: 6488, Parent: 6487, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 ggtq

sh New Fork (PID: 6489, Parent: 6487)

busybox (PID: 6489, Parent: 6487, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 ggtq

mqi686.elf New Fork (PID: 6492, Parent: 6230)

sh (PID: 6492, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 1378bfp919GRB1Q2 || busybox pkill -9 1378bfp919GRB1Q2"

sh New Fork (PID: 6493, Parent: 6492)

pkill (PID: 6493, Parent: 6492, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 1378bfp919GRB1Q2

sh New Fork (PID: 6494, Parent: 6492)

busybox (PID: 6494, Parent: 6492, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 1378bfp919GRB1Q2

mqi686.elf New Fork (PID: 6495, Parent: 6230)

sh (PID: 6495, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 SAIAKUSO || busybox pkill -9 SAIAKUSO"

sh New Fork (PID: 6496, Parent: 6495)

pkill (PID: 6496, Parent: 6495, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 SAIAKUSO

sh New Fork (PID: 6497, Parent: 6495)

busybox (PID: 6497, Parent: 6495, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 SAIAKUSO

mqi686.elf New Fork (PID: 6500, Parent: 6230)

sh (PID: 6500, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 ggtr || busybox pkill -9 ggtr"

sh New Fork (PID: 6501, Parent: 6500)

pkill (PID: 6501, Parent: 6500, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 ggtr

sh New Fork (PID: 6502, Parent: 6500)

busybox (PID: 6502, Parent: 6500, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 ggtr

mqi686.elf New Fork (PID: 6503, Parent: 6230)

sh (PID: 6503, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 14Fa || busybox pkill -9 14Fa"

sh New Fork (PID: 6504, Parent: 6503)

pkill (PID: 6504, Parent: 6503, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 14Fa

sh New Fork (PID: 6505, Parent: 6503)

busybox (PID: 6505, Parent: 6503, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 14Fa

mqi686.elf New Fork (PID: 6508, Parent: 6230)

sh (PID: 6508, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 SEXSLAVE1337 || busybox pkill -9 SEXSLAVE1337"

sh New Fork (PID: 6509, Parent: 6508)

pkill (PID: 6509, Parent: 6508, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 SEXSLAVE1337

sh New Fork (PID: 6510, Parent: 6508)

busybox (PID: 6510, Parent: 6508, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox pkill -9 SEXSLAVE1337

mqi686.elf New Fork (PID: 6511, Parent: 6230)

sh (PID: 6511, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 ggtt || busybox pkill -9 ggtt"

sh New Fork (PID: 6512, Parent: 6511)

pkill (PID: 6512, Parent: 6511, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 ggtt

dash New Fork (PID: 6311, Parent: 4331)

rm (PID: 6311, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.iKB4nT23am /tmp/tmp.q45Y17XWSs /tmp/tmp.mCYUeI0L7T

dash New Fork (PID: 6312, Parent: 4331)

rm (PID: 6312, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.iKB4nT23am /tmp/tmp.q45Y17XWSs /tmp/tmp.mCYUeI0L7T

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
mqi686.elf	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
mqi686.elf	Linux_Trojan_Gafgyt_f51c5ac3	unknown	unknown	0x24e:$a: 74 2A 8B 45 0C 0F B6 00 84 C0 74 17 8B 45 0C 40 89 44 24 04 8B
mqi686.elf	Linux_Trojan_Gafgyt_27de1106	unknown	unknown	0x28e:$a: 0C 0F B6 00 84 C0 74 18 8B 45 0C 40 8B 55 08 42 89 44 24 04 89
mqi686.elf	Linux_Trojan_Gafgyt_1b2e2a3a	unknown	unknown	0x3683:$a: 83 7D 18 00 74 25 8B 45 1C 83 E0 02 85 C0 74 1B C7 44 24 04 2D 00
mqi686.elf	Linux_Trojan_Tsunami_0fa3a6e9	unknown	unknown	0x1d9:$a: EC 8B 55 EC C1 FA 10 0F B7 45 EC 01 C2 89 55 EC 8B 45 EC C1 0x887:$a: EC 8B 55 EC C1 FA 10 0F B7 45 EC 01 C2 89 55 EC 8B 45 EC C1
mqi686.elf	Linux_Trojan_Tsunami_8a11f9be	unknown	unknown	0x13115:$a: 3E 20 3C 70 6F 72 74 3E 20 3C 72 65 66 6C 65 63 74 69 6F 6E 20 0x137b1:$a: 3E 20 3C 70 6F 72 74 3E 20 3C 72 65 66 6C 65 63 74 69 6F 6E 20
mqi686.elf	Linux_Trojan_Tsunami_6b3974b2	unknown	unknown	0x457:$a: F4 89 45 EC 8B 45 EC C9 C3 55 89 E5 57 83 EC 0C EB 1F 8B 45 08 B9 FF FF
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author	Strings
6232.1.0000000008048000.000000000805f000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6232.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Gafgyt_f51c5ac3	unknown	unknown	0x24e:$a: 74 2A 8B 45 0C 0F B6 00 84 C0 74 17 8B 45 0C 40 89 44 24 04 8B
6232.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Gafgyt_27de1106	unknown	unknown	0x28e:$a: 0C 0F B6 00 84 C0 74 18 8B 45 0C 40 8B 55 08 42 89 44 24 04 89
6232.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Gafgyt_1b2e2a3a	unknown	unknown	0x3683:$a: 83 7D 18 00 74 25 8B 45 1C 83 E0 02 85 C0 74 1B C7 44 24 04 2D 00
6232.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Tsunami_0fa3a6e9	unknown	unknown	0x1d9:$a: EC 8B 55 EC C1 FA 10 0F B7 45 EC 01 C2 89 55 EC 8B 45 EC C1 0x887:$a: EC 8B 55 EC C1 FA 10 0F B7 45 EC 01 C2 89 55 EC 8B 45 EC C1
6232.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Tsunami_8a11f9be	unknown	unknown	0x13115:$a: 3E 20 3C 70 6F 72 74 3E 20 3C 72 65 66 6C 65 63 74 69 6F 6E 20 0x137b1:$a: 3E 20 3C 70 6F 72 74 3E 20 3C 72 65 66 6C 65 63 74 69 6F 6E 20
6232.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Tsunami_6b3974b2	unknown	unknown	0x457:$a: F4 89 45 EC 8B 45 EC C9 C3 55 89 E5 57 83 EC 0C EB 1F 8B 45 08 B9 FF FF
6229.1.0000000008048000.000000000805f000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6229.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Gafgyt_f51c5ac3	unknown	unknown	0x24e:$a: 74 2A 8B 45 0C 0F B6 00 84 C0 74 17 8B 45 0C 40 89 44 24 04 8B
6229.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Gafgyt_27de1106	unknown	unknown	0x28e:$a: 0C 0F B6 00 84 C0 74 18 8B 45 0C 40 8B 55 08 42 89 44 24 04 89
6229.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Gafgyt_1b2e2a3a	unknown	unknown	0x3683:$a: 83 7D 18 00 74 25 8B 45 1C 83 E0 02 85 C0 74 1B C7 44 24 04 2D 00
6229.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Tsunami_0fa3a6e9	unknown	unknown	0x1d9:$a: EC 8B 55 EC C1 FA 10 0F B7 45 EC 01 C2 89 55 EC 8B 45 EC C1 0x887:$a: EC 8B 55 EC C1 FA 10 0F B7 45 EC 01 C2 89 55 EC 8B 45 EC C1
6229.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Tsunami_8a11f9be	unknown	unknown	0x13115:$a: 3E 20 3C 70 6F 72 74 3E 20 3C 72 65 66 6C 65 63 74 69 6F 6E 20 0x137b1:$a: 3E 20 3C 70 6F 72 74 3E 20 3C 72 65 66 6C 65 63 74 69 6F 6E 20
6229.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Tsunami_6b3974b2	unknown	unknown	0x457:$a: F4 89 45 EC 8B 45 EC C9 C3 55 89 E5 57 83 EC 0C EB 1F 8B 45 08 B9 FF FF
Process Memory Space: mqi686.elf PID: 6229	Linux_Trojan_Tsunami_8a11f9be	unknown	unknown	0x3fc8:$a: 3E 20 3C 70 6F 72 74 3E 20 3C 72 65 66 6C 65 63 74 69 6F 6E 20 0x40fd:$a: 3E 20 3C 70 6F 72 74 3E 20 3C 72 65 66 6C 65 63 74 69 6F 6E 20 0x4773:$a: 3E 20 3C 70 6F 72 74 3E 20 3C 72 65 66 6C 65 63 74 69 6F 6E 20
Process Memory Space: mqi686.elf PID: 6232	Linux_Trojan_Tsunami_8a11f9be	unknown	unknown	0x42b3:$a: 3E 20 3C 70 6F 72 74 3E 20 3C 72 65 66 6C 65 63 74 69 6F 6E 20 0x43e8:$a: 3E 20 3C 70 6F 72 74 3E 20 3C 72 65 66 6C 65 63 74 69 6F 6E 20 0x4a5e:$a: 3E 20 3C 70 6F 72 74 3E 20 3C 72 65 66 6C 65 63 74 69 6F 6E 20
Click to see the 11 entries

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: mqi686.elf

ReversingLabs: Detection: 58%

Source: /usr/bin/pkill (PID: 6234)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6251)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6263)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6266)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6271)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6275)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6280)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6302)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6307)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6310)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6337)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6340)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6345)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6348)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6356)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6359)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6364)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6368)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6373)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6378)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6383)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6386)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6391)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6394)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6399)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6402)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6405)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6410)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6413)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6418)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6422)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6427)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6430)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6435)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6438)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6441)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6446)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6449)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6454)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6457)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6463)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6466)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6469)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6474)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6478)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6483)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6488)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6493)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6496)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6501)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6504)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6509)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6512)	Reads CPU info from /sys: /sys/devices/system/cpu/online

Source: /tmp/mqi686.elf (PID: 6232)

Reads hosts file: /etc/hosts

Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: irc.psychz.net

Source: mqi686.elf	String found in binary or memory: http://xpl.altervista.org/bins.sh;
Source: mqi686.elf	String found in binary or memory: https://youtu.be/dQw4w9WgXcQ
Source: mqi686.elf	String found in binary or memory: https://youtu.be/dQw4w9WgXcQNever

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 33608
Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 33608 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: mqi686.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_f51c5ac3 Author: unknown
Source: mqi686.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_27de1106 Author: unknown
Source: mqi686.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_1b2e2a3a Author: unknown
Source: mqi686.elf, type: SAMPLE	Matched rule: Linux_Trojan_Tsunami_0fa3a6e9 Author: unknown
Source: mqi686.elf, type: SAMPLE	Matched rule: Linux_Trojan_Tsunami_8a11f9be Author: unknown
Source: mqi686.elf, type: SAMPLE	Matched rule: Linux_Trojan_Tsunami_6b3974b2 Author: unknown
Source: 6232.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_f51c5ac3 Author: unknown
Source: 6232.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_27de1106 Author: unknown
Source: 6232.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_1b2e2a3a Author: unknown
Source: 6232.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Tsunami_0fa3a6e9 Author: unknown
Source: 6232.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Tsunami_8a11f9be Author: unknown
Source: 6232.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Tsunami_6b3974b2 Author: unknown
Source: 6229.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_f51c5ac3 Author: unknown
Source: 6229.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_27de1106 Author: unknown
Source: 6229.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_1b2e2a3a Author: unknown
Source: 6229.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Tsunami_0fa3a6e9 Author: unknown
Source: 6229.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Tsunami_8a11f9be Author: unknown
Source: 6229.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Tsunami_6b3974b2 Author: unknown
Source: Process Memory Space: mqi686.elf PID: 6229, type: MEMORYSTR	Matched rule: Linux_Trojan_Tsunami_8a11f9be Author: unknown
Source: Process Memory Space: mqi686.elf PID: 6232, type: MEMORYSTR	Matched rule: Linux_Trojan_Tsunami_8a11f9be Author: unknown

Source: mqi686.elf	ELF static info symbol of initial sample: passwords
Source: mqi686.elf	ELF static info symbol of initial sample: usernames

Source: Initial sample	String containing 'busybox' found: busybox
Source: Initial sample	String containing 'busybox' found: pkill -9 %s \|\| busybox pkill -9 %s
Source: Initial sample	String containing 'busybox' found: pkill -9 %s \|\| busybox pkill -9 %shistory -c;history -wcd /root;rm -f .bash_historycd /var/tmp; rm -f *NOTICE %s :MOVE <server>

Source: Initial sample	String containing potential weak password found: admin
Source: Initial sample	String containing potential weak password found: default
Source: Initial sample	String containing potential weak password found: support
Source: Initial sample	String containing potential weak password found: guest
Source: Initial sample	String containing potential weak password found: supervisor
Source: Initial sample	String containing potential weak password found: service
Source: Initial sample	String containing potential weak password found: 12345
Source: Initial sample	String containing potential weak password found: 123456
Source: Initial sample	String containing potential weak password found: password
Source: Initial sample	String containing potential weak password found: admin1234

Source: mqi686.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_f51c5ac3 reference_sample = 899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 34f254afdf94b1eb29bae4eb8e3864ea49e918a5dbe6e4c9d06a4292c104a792, id = f51c5ac3-ade9-4d01-b578-3473a2b116db, last_modified = 2021-09-16
Source: mqi686.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_27de1106 reference_sample = 899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9a747f0fc7ccc55f24f2654344484f643103da709270a45de4c1174d8e4101cc, id = 27de1106-497d-40a0-8fc4-929f7a927628, last_modified = 2021-09-16
Source: mqi686.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_1b2e2a3a reference_sample = 899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 6f24b67d0a6a4fc4e1cfea5a5414b82af1332a3e6074eb2178aee6b27702b407, id = 1b2e2a3a-1302-41c7-be99-43edb5563294, last_modified = 2021-09-16
Source: mqi686.elf, type: SAMPLE	Matched rule: Linux_Trojan_Tsunami_0fa3a6e9 reference_sample = 40a15a186373a062bfb476b37a73c61e1ba84e5fa57282a7f9ec0481860f372a, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = fed796c5275e2e91c75dcdbf73d0c0ab37591115989312c6f6c5adcd138bc91f, id = 0fa3a6e9-89f3-4bc8-8dc1-e9ccbeeb836d, last_modified = 2021-09-16
Source: mqi686.elf, type: SAMPLE	Matched rule: Linux_Trojan_Tsunami_8a11f9be reference_sample = 1f773d0e00d40eecde9e3ab80438698923a2620036c2fc33315ef95229e98571, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 91e2572a3bb8583e20042578e95e1746501c6a71ef7635af2c982a05b18d7c6d, id = 8a11f9be-dc85-4695-9f38-80ca0304780e, last_modified = 2021-09-16
Source: mqi686.elf, type: SAMPLE	Matched rule: Linux_Trojan_Tsunami_6b3974b2 reference_sample = 2216776ba5c6495d86a13f6a3ce61b655b72a328ca05b3678d1abb7a20829d04, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 942a35f7acacf1d07577fe159a34dc7b04e5d07ff32ea13be975cfeea23e34be, id = 6b3974b2-fd7f-4ebf-8aba-217761e7b846, last_modified = 2021-09-16
Source: 6232.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_f51c5ac3 reference_sample = 899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 34f254afdf94b1eb29bae4eb8e3864ea49e918a5dbe6e4c9d06a4292c104a792, id = f51c5ac3-ade9-4d01-b578-3473a2b116db, last_modified = 2021-09-16
Source: 6232.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_27de1106 reference_sample = 899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9a747f0fc7ccc55f24f2654344484f643103da709270a45de4c1174d8e4101cc, id = 27de1106-497d-40a0-8fc4-929f7a927628, last_modified = 2021-09-16
Source: 6232.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_1b2e2a3a reference_sample = 899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 6f24b67d0a6a4fc4e1cfea5a5414b82af1332a3e6074eb2178aee6b27702b407, id = 1b2e2a3a-1302-41c7-be99-43edb5563294, last_modified = 2021-09-16
Source: 6232.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Tsunami_0fa3a6e9 reference_sample = 40a15a186373a062bfb476b37a73c61e1ba84e5fa57282a7f9ec0481860f372a, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = fed796c5275e2e91c75dcdbf73d0c0ab37591115989312c6f6c5adcd138bc91f, id = 0fa3a6e9-89f3-4bc8-8dc1-e9ccbeeb836d, last_modified = 2021-09-16
Source: 6232.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Tsunami_8a11f9be reference_sample = 1f773d0e00d40eecde9e3ab80438698923a2620036c2fc33315ef95229e98571, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 91e2572a3bb8583e20042578e95e1746501c6a71ef7635af2c982a05b18d7c6d, id = 8a11f9be-dc85-4695-9f38-80ca0304780e, last_modified = 2021-09-16
Source: 6232.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Tsunami_6b3974b2 reference_sample = 2216776ba5c6495d86a13f6a3ce61b655b72a328ca05b3678d1abb7a20829d04, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 942a35f7acacf1d07577fe159a34dc7b04e5d07ff32ea13be975cfeea23e34be, id = 6b3974b2-fd7f-4ebf-8aba-217761e7b846, last_modified = 2021-09-16
Source: 6229.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_f51c5ac3 reference_sample = 899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 34f254afdf94b1eb29bae4eb8e3864ea49e918a5dbe6e4c9d06a4292c104a792, id = f51c5ac3-ade9-4d01-b578-3473a2b116db, last_modified = 2021-09-16
Source: 6229.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_27de1106 reference_sample = 899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9a747f0fc7ccc55f24f2654344484f643103da709270a45de4c1174d8e4101cc, id = 27de1106-497d-40a0-8fc4-929f7a927628, last_modified = 2021-09-16
Source: 6229.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_1b2e2a3a reference_sample = 899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 6f24b67d0a6a4fc4e1cfea5a5414b82af1332a3e6074eb2178aee6b27702b407, id = 1b2e2a3a-1302-41c7-be99-43edb5563294, last_modified = 2021-09-16
Source: 6229.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Tsunami_0fa3a6e9 reference_sample = 40a15a186373a062bfb476b37a73c61e1ba84e5fa57282a7f9ec0481860f372a, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = fed796c5275e2e91c75dcdbf73d0c0ab37591115989312c6f6c5adcd138bc91f, id = 0fa3a6e9-89f3-4bc8-8dc1-e9ccbeeb836d, last_modified = 2021-09-16
Source: 6229.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Tsunami_8a11f9be reference_sample = 1f773d0e00d40eecde9e3ab80438698923a2620036c2fc33315ef95229e98571, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 91e2572a3bb8583e20042578e95e1746501c6a71ef7635af2c982a05b18d7c6d, id = 8a11f9be-dc85-4695-9f38-80ca0304780e, last_modified = 2021-09-16
Source: 6229.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Tsunami_6b3974b2 reference_sample = 2216776ba5c6495d86a13f6a3ce61b655b72a328ca05b3678d1abb7a20829d04, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 942a35f7acacf1d07577fe159a34dc7b04e5d07ff32ea13be975cfeea23e34be, id = 6b3974b2-fd7f-4ebf-8aba-217761e7b846, last_modified = 2021-09-16
Source: Process Memory Space: mqi686.elf PID: 6229, type: MEMORYSTR	Matched rule: Linux_Trojan_Tsunami_8a11f9be reference_sample = 1f773d0e00d40eecde9e3ab80438698923a2620036c2fc33315ef95229e98571, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 91e2572a3bb8583e20042578e95e1746501c6a71ef7635af2c982a05b18d7c6d, id = 8a11f9be-dc85-4695-9f38-80ca0304780e, last_modified = 2021-09-16
Source: Process Memory Space: mqi686.elf PID: 6232, type: MEMORYSTR	Matched rule: Linux_Trojan_Tsunami_8a11f9be reference_sample = 1f773d0e00d40eecde9e3ab80438698923a2620036c2fc33315ef95229e98571, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 91e2572a3bb8583e20042578e95e1746501c6a71ef7635af2c982a05b18d7c6d, id = 8a11f9be-dc85-4695-9f38-80ca0304780e, last_modified = 2021-09-16

Source: classification engine

Classification label: mal64.troj.linELF@0/0@1/0

Source: mqi686.elf	ELF static info symbol of initial sample: libc/sysdeps/linux/i386/crt1.S
Source: mqi686.elf	ELF static info symbol of initial sample: libc/sysdeps/linux/i386/crti.S
Source: mqi686.elf	ELF static info symbol of initial sample: libc/sysdeps/linux/i386/crtn.S
Source: mqi686.elf	ELF static info symbol of initial sample: libc/sysdeps/linux/i386/mmap.S
Source: mqi686.elf	ELF static info symbol of initial sample: libc/sysdeps/linux/i386/vfork.S

Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/6230/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/6230/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/6351/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/6351/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/6350/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/6350/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/6232/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/6232/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/6231/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/6231/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/1582/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/1582/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/3088/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/3088/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/230/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/230/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/110/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/110/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/231/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/231/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/111/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/111/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/232/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/232/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/1579/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/1579/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/112/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/112/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/233/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/233/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/1699/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/1699/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/113/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/113/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/234/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/234/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/1335/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/1335/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/1698/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/1698/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/114/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/114/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/235/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/235/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/1334/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/1334/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/1576/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/1576/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/2302/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/2302/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/115/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/115/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/236/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/236/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/116/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/116/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/237/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/237/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/117/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/117/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/118/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/118/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/910/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/910/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/119/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/119/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/912/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/912/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/10/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/10/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/2307/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/2307/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/11/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/11/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/918/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/918/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/12/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/12/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/13/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/13/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/14/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/14/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/15/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/15/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/16/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/16/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/17/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/17/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/18/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/18/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/1594/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/1594/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/120/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/120/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/121/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/121/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/1349/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/1349/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/1/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/1/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/122/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/122/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/243/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/243/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/123/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	File opened: /proc/123/cmdline	Jump to behavior

Source: /tmp/mqi686.elf (PID: 6233)	Shell command executed: sh -c "pkill -9 902i13 \|\| busybox pkill -9 902i13"	Jump to behavior
Source: /tmp/mqi686.elf (PID: 6250)	Shell command executed: sh -c "pkill -9 BzSxLxBxeY \|\| busybox pkill -9 BzSxLxBxeY"	Jump to behavior
Source: /tmp/mqi686.elf (PID: 6262)	Shell command executed: sh -c "pkill -9 HOHO-LUGO7 \|\| busybox pkill -9 HOHO-LUGO7"	Jump to behavior
Source: /tmp/mqi686.elf (PID: 6265)	Shell command executed: sh -c "pkill -9 HOHO-U79OL \|\| busybox pkill -9 HOHO-U79OL"	Jump to behavior
Source: /tmp/mqi686.elf (PID: 6270)	Shell command executed: sh -c "pkill -9 JuYfouyf87 \|\| busybox pkill -9 JuYfouyf87"	Jump to behavior
Source: /tmp/mqi686.elf (PID: 6274)	Shell command executed: sh -c "pkill -9 NiGGeR69xd \|\| busybox pkill -9 NiGGeR69xd"	Jump to behavior
Source: /tmp/mqi686.elf (PID: 6279)	Shell command executed: sh -c "pkill -9 SO190Ij1X \|\| busybox pkill -9 SO190Ij1X"	Jump to behavior
Source: /tmp/mqi686.elf (PID: 6301)	Shell command executed: sh -c "pkill -9 LOLKIKEEEDDE \|\| busybox pkill -9 LOLKIKEEEDDE"	Jump to behavior
Source: /tmp/mqi686.elf (PID: 6306)	Shell command executed: sh -c "pkill -9 ekjheory98e \|\| busybox pkill -9 ekjheory98e"	Jump to behavior
Source: /tmp/mqi686.elf (PID: 6309)	Shell command executed: sh -c "pkill -9 scansh4 \|\| busybox pkill -9 scansh4"	Jump to behavior
Source: /tmp/mqi686.elf (PID: 6336)	Shell command executed: sh -c "pkill -9 MDMA \|\| busybox pkill -9 MDMA"	Jump to behavior
Source: /tmp/mqi686.elf (PID: 6339)	Shell command executed: sh -c "pkill -9 fdevalvex \|\| busybox pkill -9 fdevalvex"	Jump to behavior
Source: /tmp/mqi686.elf (PID: 6344)	Shell command executed: sh -c "pkill -9 scanspc \|\| busybox pkill -9 scanspc"	Jump to behavior
Source: /tmp/mqi686.elf (PID: 6347)	Shell command executed: sh -c "pkill -9 MELTEDNINJAREALZ \|\| busybox pkill -9 MELTEDNINJAREALZ"	Jump to behavior
Source: /tmp/mqi686.elf (PID: 6350)	Shell command executed: sh -c "pkill -9 flexsonskids \|\| busybox pkill -9 flexsonskids"	Jump to behavior
Source: /tmp/mqi686.elf (PID: 6355)	Shell command executed: sh -c "pkill -9 scanx86 \|\| busybox pkill -9 scanx86"	Jump to behavior
Source: /tmp/mqi686.elf (PID: 6358)	Shell command executed: sh -c "pkill -9 MISAKI-U79OL \|\| busybox pkill -9 MISAKI-U79OL"
Source: /tmp/mqi686.elf (PID: 6363)	Shell command executed: sh -c "pkill -9 foAxi102kxe \|\| busybox pkill -9 foAxi102kxe"
Source: /tmp/mqi686.elf (PID: 6367)	Shell command executed: sh -c "pkill -9 swodjwodjwoj \|\| busybox pkill -9 swodjwodjwoj"
Source: /tmp/mqi686.elf (PID: 6372)	Shell command executed: sh -c "pkill -9 MmKiy7f87l \|\| busybox pkill -9 MmKiy7f87l"
Source: /tmp/mqi686.elf (PID: 6377)	Shell command executed: sh -c "pkill -9 freecookiex86 \|\| busybox pkill -9 freecookiex86"
Source: /tmp/mqi686.elf (PID: 6382)	Shell command executed: sh -c "pkill -9 sysgpu \|\| busybox pkill -9 sysgpu"
Source: /tmp/mqi686.elf (PID: 6385)	Shell command executed: sh -c "pkill -9 NiGGeR69xd \|\| busybox pkill -9 NiGGeR69xd"
Source: /tmp/mqi686.elf (PID: 6390)	Shell command executed: sh -c "pkill -9 frgege \|\| busybox pkill -9 frgege"
Source: /tmp/mqi686.elf (PID: 6393)	Shell command executed: sh -c "pkill -9 sysupdater \|\| busybox pkill -9 sysupdater"
Source: /tmp/mqi686.elf (PID: 6398)	Shell command executed: sh -c "pkill -9 0DnAzepd \|\| busybox pkill -9 0DnAzepd"
Source: /tmp/mqi686.elf (PID: 6401)	Shell command executed: sh -c "pkill -9 NiGGeRD0nks69 \|\| busybox pkill -9 NiGGeRD0nks69"
Source: /tmp/mqi686.elf (PID: 6404)	Shell command executed: sh -c "pkill -9 frgreu \|\| busybox pkill -9 frgreu"
Source: /tmp/mqi686.elf (PID: 6409)	Shell command executed: sh -c "pkill -9 telnetd \|\| busybox pkill -9 telnetd"
Source: /tmp/mqi686.elf (PID: 6412)	Shell command executed: sh -c "pkill -9 0x766f6964 \|\| busybox pkill -9 0x766f6964"
Source: /tmp/mqi686.elf (PID: 6417)	Shell command executed: sh -c "pkill -9 NiGGeRd0nks1337 \|\| busybox pkill -9 NiGGeRd0nks1337"
Source: /tmp/mqi686.elf (PID: 6421)	Shell command executed: sh -c "pkill -9 gaft \|\| busybox pkill -9 gaft"
Source: /tmp/mqi686.elf (PID: 6426)	Shell command executed: sh -c "pkill -9 urasgbsigboa \|\| busybox pkill -9 urasgbsigboa"
Source: /tmp/mqi686.elf (PID: 6429)	Shell command executed: sh -c "pkill -9 120i3UI49 \|\| busybox pkill -9 120i3UI49"
Source: /tmp/mqi686.elf (PID: 6432)	Shell command executed: sh -c "pkill -9 OaF3 \|\| busybox pkill -9 OaF3"
Source: /tmp/mqi686.elf (PID: 6437)	Shell command executed: sh -c "pkill -9 geae \|\| busybox pkill -9 geae"
Source: /tmp/mqi686.elf (PID: 6440)	Shell command executed: sh -c "pkill -9 vaiolmao \|\| busybox pkill -9 vaiolmao"
Source: /tmp/mqi686.elf (PID: 6445)	Shell command executed: sh -c "pkill -9 123123a \|\| busybox pkill -9 123123a"
Source: /tmp/mqi686.elf (PID: 6448)	Shell command executed: sh -c "pkill -9 Ofurain0n4H34D \|\| busybox pkill -9 Ofurain0n4H34D"
Source: /tmp/mqi686.elf (PID: 6453)	Shell command executed: sh -c "pkill -9 ggTrex \|\| busybox pkill -9 ggTrex"
Source: /tmp/mqi686.elf (PID: 6456)	Shell command executed: sh -c "pkill -9 wasads \|\| busybox pkill -9 wasads"
Source: /tmp/mqi686.elf (PID: 6462)	Shell command executed: sh -c "pkill -9 1293194hjXD \|\| busybox pkill -9 1293194hjXD"
Source: /tmp/mqi686.elf (PID: 6465)	Shell command executed: sh -c "pkill -9 OthLaLosn \|\| busybox pkill -9 OthLaLosn"
Source: /tmp/mqi686.elf (PID: 6468)	Shell command executed: sh -c "pkill -9 ggt \|\| busybox pkill -9 ggt"
Source: /tmp/mqi686.elf (PID: 6473)	Shell command executed: sh -c "pkill -9 wget-log \|\| busybox pkill -9 wget-log"
Source: /tmp/mqi686.elf (PID: 6477)	Shell command executed: sh -c "pkill -9 1337SoraLOADER \|\| busybox pkill -9 1337SoraLOADER"
Source: /tmp/mqi686.elf (PID: 6482)	Shell command executed: sh -c "pkill -9 SAIAKINA \|\| busybox pkill -9 SAIAKINA"
Source: /tmp/mqi686.elf (PID: 6487)	Shell command executed: sh -c "pkill -9 ggtq \|\| busybox pkill -9 ggtq"
Source: /tmp/mqi686.elf (PID: 6492)	Shell command executed: sh -c "pkill -9 1378bfp919GRB1Q2 \|\| busybox pkill -9 1378bfp919GRB1Q2"
Source: /tmp/mqi686.elf (PID: 6495)	Shell command executed: sh -c "pkill -9 SAIAKUSO \|\| busybox pkill -9 SAIAKUSO"
Source: /tmp/mqi686.elf (PID: 6500)	Shell command executed: sh -c "pkill -9 ggtr \|\| busybox pkill -9 ggtr"
Source: /tmp/mqi686.elf (PID: 6503)	Shell command executed: sh -c "pkill -9 14Fa \|\| busybox pkill -9 14Fa"
Source: /tmp/mqi686.elf (PID: 6508)	Shell command executed: sh -c "pkill -9 SEXSLAVE1337 \|\| busybox pkill -9 SEXSLAVE1337"
Source: /tmp/mqi686.elf (PID: 6511)	Shell command executed: sh -c "pkill -9 ggtt \|\| busybox pkill -9 ggtt"

Source: /bin/sh (PID: 6234)	Pkill executable: /usr/bin/pkill -> pkill -9 902i13	Jump to behavior
Source: /bin/sh (PID: 6251)	Pkill executable: /usr/bin/pkill -> pkill -9 BzSxLxBxeY	Jump to behavior
Source: /bin/sh (PID: 6263)	Pkill executable: /usr/bin/pkill -> pkill -9 HOHO-LUGO7	Jump to behavior
Source: /bin/sh (PID: 6266)	Pkill executable: /usr/bin/pkill -> pkill -9 HOHO-U79OL	Jump to behavior
Source: /bin/sh (PID: 6271)	Pkill executable: /usr/bin/pkill -> pkill -9 JuYfouyf87	Jump to behavior
Source: /bin/sh (PID: 6275)	Pkill executable: /usr/bin/pkill -> pkill -9 NiGGeR69xd	Jump to behavior
Source: /bin/sh (PID: 6280)	Pkill executable: /usr/bin/pkill -> pkill -9 SO190Ij1X	Jump to behavior
Source: /bin/sh (PID: 6302)	Pkill executable: /usr/bin/pkill -> pkill -9 LOLKIKEEEDDE	Jump to behavior
Source: /bin/sh (PID: 6307)	Pkill executable: /usr/bin/pkill -> pkill -9 ekjheory98e	Jump to behavior
Source: /bin/sh (PID: 6310)	Pkill executable: /usr/bin/pkill -> pkill -9 scansh4	Jump to behavior
Source: /bin/sh (PID: 6337)	Pkill executable: /usr/bin/pkill -> pkill -9 MDMA	Jump to behavior
Source: /bin/sh (PID: 6340)	Pkill executable: /usr/bin/pkill -> pkill -9 fdevalvex	Jump to behavior
Source: /bin/sh (PID: 6345)	Pkill executable: /usr/bin/pkill -> pkill -9 scanspc	Jump to behavior
Source: /bin/sh (PID: 6348)	Pkill executable: /usr/bin/pkill -> pkill -9 MELTEDNINJAREALZ	Jump to behavior
Source: /bin/sh (PID: 6351)	Pkill executable: /usr/bin/pkill -> pkill -9 flexsonskids	Jump to behavior
Source: /bin/sh (PID: 6356)	Pkill executable: /usr/bin/pkill -> pkill -9 scanx86	Jump to behavior
Source: /bin/sh (PID: 6359)	Pkill executable: /usr/bin/pkill -> pkill -9 MISAKI-U79OL
Source: /bin/sh (PID: 6364)	Pkill executable: /usr/bin/pkill -> pkill -9 foAxi102kxe
Source: /bin/sh (PID: 6368)	Pkill executable: /usr/bin/pkill -> pkill -9 swodjwodjwoj
Source: /bin/sh (PID: 6373)	Pkill executable: /usr/bin/pkill -> pkill -9 MmKiy7f87l
Source: /bin/sh (PID: 6378)	Pkill executable: /usr/bin/pkill -> pkill -9 freecookiex86
Source: /bin/sh (PID: 6383)	Pkill executable: /usr/bin/pkill -> pkill -9 sysgpu
Source: /bin/sh (PID: 6386)	Pkill executable: /usr/bin/pkill -> pkill -9 NiGGeR69xd
Source: /bin/sh (PID: 6391)	Pkill executable: /usr/bin/pkill -> pkill -9 frgege
Source: /bin/sh (PID: 6394)	Pkill executable: /usr/bin/pkill -> pkill -9 sysupdater
Source: /bin/sh (PID: 6399)	Pkill executable: /usr/bin/pkill -> pkill -9 0DnAzepd
Source: /bin/sh (PID: 6402)	Pkill executable: /usr/bin/pkill -> pkill -9 NiGGeRD0nks69
Source: /bin/sh (PID: 6405)	Pkill executable: /usr/bin/pkill -> pkill -9 frgreu
Source: /bin/sh (PID: 6410)	Pkill executable: /usr/bin/pkill -> pkill -9 telnetd
Source: /bin/sh (PID: 6413)	Pkill executable: /usr/bin/pkill -> pkill -9 0x766f6964
Source: /bin/sh (PID: 6418)	Pkill executable: /usr/bin/pkill -> pkill -9 NiGGeRd0nks1337
Source: /bin/sh (PID: 6422)	Pkill executable: /usr/bin/pkill -> pkill -9 gaft
Source: /bin/sh (PID: 6427)	Pkill executable: /usr/bin/pkill -> pkill -9 urasgbsigboa
Source: /bin/sh (PID: 6430)	Pkill executable: /usr/bin/pkill -> pkill -9 120i3UI49
Source: /bin/sh (PID: 6435)	Pkill executable: /usr/bin/pkill -> pkill -9 OaF3
Source: /bin/sh (PID: 6438)	Pkill executable: /usr/bin/pkill -> pkill -9 geae
Source: /bin/sh (PID: 6441)	Pkill executable: /usr/bin/pkill -> pkill -9 vaiolmao
Source: /bin/sh (PID: 6446)	Pkill executable: /usr/bin/pkill -> pkill -9 123123a
Source: /bin/sh (PID: 6449)	Pkill executable: /usr/bin/pkill -> pkill -9 Ofurain0n4H34D
Source: /bin/sh (PID: 6454)	Pkill executable: /usr/bin/pkill -> pkill -9 ggTrex
Source: /bin/sh (PID: 6457)	Pkill executable: /usr/bin/pkill -> pkill -9 wasads
Source: /bin/sh (PID: 6463)	Pkill executable: /usr/bin/pkill -> pkill -9 1293194hjXD
Source: /bin/sh (PID: 6466)	Pkill executable: /usr/bin/pkill -> pkill -9 OthLaLosn
Source: /bin/sh (PID: 6469)	Pkill executable: /usr/bin/pkill -> pkill -9 ggt
Source: /bin/sh (PID: 6474)	Pkill executable: /usr/bin/pkill -> pkill -9 wget-log
Source: /bin/sh (PID: 6478)	Pkill executable: /usr/bin/pkill -> pkill -9 1337SoraLOADER
Source: /bin/sh (PID: 6483)	Pkill executable: /usr/bin/pkill -> pkill -9 SAIAKINA
Source: /bin/sh (PID: 6488)	Pkill executable: /usr/bin/pkill -> pkill -9 ggtq
Source: /bin/sh (PID: 6493)	Pkill executable: /usr/bin/pkill -> pkill -9 1378bfp919GRB1Q2
Source: /bin/sh (PID: 6496)	Pkill executable: /usr/bin/pkill -> pkill -9 SAIAKUSO
Source: /bin/sh (PID: 6501)	Pkill executable: /usr/bin/pkill -> pkill -9 ggtr
Source: /bin/sh (PID: 6504)	Pkill executable: /usr/bin/pkill -> pkill -9 14Fa
Source: /bin/sh (PID: 6509)	Pkill executable: /usr/bin/pkill -> pkill -9 SEXSLAVE1337
Source: /bin/sh (PID: 6512)	Pkill executable: /usr/bin/pkill -> pkill -9 ggtt

Source: /usr/bin/dash (PID: 6311)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.iKB4nT23am /tmp/tmp.q45Y17XWSs /tmp/tmp.mCYUeI0L7T
Source: /usr/bin/dash (PID: 6312)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.iKB4nT23am /tmp/tmp.q45Y17XWSs /tmp/tmp.mCYUeI0L7T

Source: /usr/bin/pkill (PID: 6234)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6251)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6263)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6266)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6271)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6275)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6280)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6302)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6307)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6310)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6337)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6340)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6345)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6348)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6351)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6356)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6359)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6364)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6368)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6373)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6378)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6383)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6386)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6391)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6394)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6399)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6402)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6405)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6410)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6413)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6418)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6422)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6427)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6430)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6435)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6438)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6441)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6446)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6449)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6454)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6457)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6463)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6466)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6469)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6474)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6478)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6483)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6488)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6493)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6496)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6501)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6504)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6509)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6512)	Reads CPU info from /sys: /sys/devices/system/cpu/online

Source: /usr/bin/busybox (PID: 6249)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/busybox (PID: 6261)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/busybox (PID: 6264)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/busybox (PID: 6269)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/busybox (PID: 6273)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/busybox (PID: 6278)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/busybox (PID: 6281)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/busybox (PID: 6303)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/busybox (PID: 6308)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/busybox (PID: 6335)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/busybox (PID: 6338)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/busybox (PID: 6341)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/busybox (PID: 6346)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/busybox (PID: 6349)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/busybox (PID: 6354)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/busybox (PID: 6357)	Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6362)	Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6365)	Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6369)	Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6374)	Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6379)	Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6384)	Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6387)	Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6392)	Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6395)	Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6400)	Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6403)	Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6408)	Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6411)	Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6416)	Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6420)	Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6423)	Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6428)	Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6431)	Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6436)	Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6439)	Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6444)	Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6447)	Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6452)	Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6455)	Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6459)	Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6464)	Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6467)	Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6472)	Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6475)	Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6479)	Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6484)	Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6489)	Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6494)	Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6497)	Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6502)	Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6505)	Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6510)	Queries kernel information via 'uname':

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: mqi686.elf, type: SAMPLE
Source: Yara match	File source: 6232.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6229.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY

Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Source: Initial sample	User agent string found: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en; rv:1.8.1.11) Gecko/20071128 Camino/1.5.4
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:2.2) Gecko/20110201
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows; U; Windows NT 6.1; cs; rv:1.9.2.6) Gecko/20100628 myibrow/4alpha2
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows; U; Win 9x 4.90; SG; rv:1.9.2.4) Gecko/20101104 Netscape/9.1.0285
Source: Initial sample	User agent string found: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0 Lightning/4.0.2
Source: Initial sample	User agent string found: Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16
Source: Initial sample	User agent string found: Opera/9.80 (Windows NT 5.1; U;) Presto/2.7.62 Version/11.01
Source: Initial sample	User agent string found: Mozilla/5.0 (X11; Linux x86_64; U; de; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 Opera 10.62
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Linux; Android 4.4.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.89 Mobile Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:5.0) Gecko/20110517 Firefox/5.0 Fennec/5.0
Source: Initial sample	User agent string found: Mozilla/5.0 (Android; Linux armv7l; rv:9.0) Gecko/20111216 Firefox/9.0 Fennec/9.0
Source: Initial sample	User agent string found: Mozilla/5.0 (compatible; Teleca Q7; Brew 3.1.5; U; en) 480X800 LGE VX11000

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: mqi686.elf, type: SAMPLE
Source: Yara match	File source: 6232.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6229.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	Path Interception	1 Masquerading	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	1 Brute Force	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 File Deletion	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
mqi686.elf	58%	ReversingLabs	Linux.Trojan.Tsunami

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
irc.psychz.net	108.181.56.253	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://youtu.be/dQw4w9WgXcQ	mqi686.elf	false		high
https://youtu.be/dQw4w9WgXcQNever	mqi686.elf	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
54.171.230.55	unknown	United States	16509	AMAZON-02US	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54.171.230.55	xd.arc.elf	Get hash	malicious	Mirai	Browse
	kyosh4.elf	Get hash	malicious	Unknown	Browse
	m68k.elf	Get hash	malicious	Mirai	Browse
	.i.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43	.i.elf	Get hash	malicious	Unknown	Browse
	sshd.elf	Get hash	malicious	Unknown	Browse
	boatnet.arm.elf	Get hash	malicious	Mirai	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	xd.arc.elf	Get hash	malicious	Mirai	Browse
	kyom68k.elf	Get hash	malicious	Unknown	Browse
	Space.mpsl.elf	Get hash	malicious	Unknown	Browse
	kyosh4.elf	Get hash	malicious	Unknown	Browse
	Space.arm7.elf	Get hash	malicious	Mirai	Browse
	Space.x86.elf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
irc.psychz.net	mqi586.elf	Get hash	malicious	Mirai	Browse	108.181.56.253

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	Mozi.m.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	.i.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	sshd.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	boatnet.arm.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	boatnet.ppc.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	xd.arc.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	kyom68k.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Space.mpsl.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
AMAZON-02US	Fatura.pdf	Get hash	malicious	Unknown	Browse	3.22.30.40
	na.elf	Get hash	malicious	Prometei	Browse	52.11.240.239
	.i.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	boatnet.arm5.elf	Get hash	malicious	Unknown	Browse	54.247.62.1
	https://esco.blcges.com	Get hash	malicious	Unknown	Browse	3.5.216.59
	sshd.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	https://esco.blcges.com	Get hash	malicious	Unknown	Browse	3.5.217.39
	boatnet.arm.elf	Get hash	malicious	Mirai	Browse	34.249.145.219
	Complete via DocuSign_ #Dailycer_Doc. Signature required 4_14_2025.eml	Get hash	malicious	HTMLPhisher	Browse	3.161.136.24
	na.elf	Get hash	malicious	Prometei	Browse	52.11.240.239
INIT7CH	.i.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	sshd.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	boatnet.arm.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	xd.arc.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	kyom68k.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	Space.mpsl.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	kyosh4.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	Space.arm7.elf	Get hash	malicious	Mirai	Browse	109.202.202.202

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
Entropy (8bit):	6.485041932410975
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	mqi686.elf
File size:	122'430 bytes
MD5:	079d22d5ba3763a097c9459eeafa98ed
SHA1:	6577e4d2a1f201d540d2a1bbcb610798a8001fef
SHA256:	f3665dbb831f2457bdbfb1ea6778471fab35102aa7866ba53a86b25001535a2c
SHA512:	bd20c23a107a8d32420dc9cca3b9b24b9e995179303f96b74d7388033cea5195ccfa31eedafc795451323cfb2ee6cc3873aea0a2c3e945e1cd0a261bc7e78b9e
SSDEEP:	3072:4xkbVx+/0dzeM0oEI+RE8bmt/v69ny6JP/KTiFi:4Wx+cky5+R9mVv69ny6JHKTiFi
TLSH:	ABC33AC7E642C7F3C4830EB717A7E62D4625B8368D1A4F99F31C3CB49B129C9B219265
File Content Preview:	.ELF....................h...4...<z......4. ...(......................`...`...............`..........................Q.td............................U..S........p...h........[]...$.............U......=.....t..1...................u........t...$.............

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Intel 80386
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x8048168
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	96828
Section Header Size:	40
Number of Section Headers:	16
Header String Table Index:	13

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Link	Info	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0	0	0
.init	PROGBITS	0x8048094	0x94	0x1c	0x0	0x6	AX	0	0	1
.text	PROGBITS	0x80480b0	0xb0	0x10bb4	0x0	0x6	AX	0	0	16
.fini	PROGBITS	0x8058c64	0x10c64	0x17	0x0	0x6	AX	0	0	1
.rodata	PROGBITS	0x8058c80	0x10c80	0x5412	0x0	0x2	A	0	0	32
.eh_frame	PROGBITS	0x805e094	0x16094	0x4	0x0	0x2	A	0	0	4
.ctors	PROGBITS	0x805f098	0x16098	0x8	0x0	0x3	WA	0	0	4
.dtors	PROGBITS	0x805f0a0	0x160a0	0x8	0x0	0x3	WA	0	0	4
.jcr	PROGBITS	0x805f0a8	0x160a8	0x4	0x0	0x3	WA	0	0	4
.got.plt	PROGBITS	0x805f0ac	0x160ac	0xc	0x4	0x3	WA	0	0	4
.data	PROGBITS	0x805f0c0	0x160c0	0xbc0	0x0	0x3	WA	0	0	32
.bss	NOBITS	0x805fc80	0x16c80	0x7ba8	0x0	0x3	WA	0	0	32
.comment	PROGBITS	0x0	0x16c80	0xd4a	0x0	0x0		0	0	1
.shstrtab	STRTAB	0x0	0x179ca	0x6f	0x0	0x0		0	0	1
.symtab	SYMTAB	0x0	0x17cbc	0x3840	0x10	0x0		15	296	4
.strtab	STRTAB	0x0	0x1b4fc	0x2942	0x0	0x0		0	0	1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8048000	0x8048000	0x16098	0x16098	6.6165	0x5	R E	0x1000	.init .text .fini .rodata .eh_frame
LOAD	0x16098	0x805f098	0x805f098	0xbe8	0x8790	4.7783	0x6	RW	0x1000	.ctors .dtors .jcr .got.plt .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Symbols

Name	Section Name	Value	Size	Symbol Type	Symbol Bind	Symbol Visibility	Ndx
	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
	.symtab	0x8048094	0	SECTION	<unknown>	DEFAULT	1
	.symtab	0x80480b0	0	SECTION	<unknown>	DEFAULT	2
	.symtab	0x8058c64	0	SECTION	<unknown>	DEFAULT	3
	.symtab	0x8058c80	0	SECTION	<unknown>	DEFAULT	4
	.symtab	0x805e094	0	SECTION	<unknown>	DEFAULT	5
	.symtab	0x805f098	0	SECTION	<unknown>	DEFAULT	6
	.symtab	0x805f0a0	0	SECTION	<unknown>	DEFAULT	7
	.symtab	0x805f0a8	0	SECTION	<unknown>	DEFAULT	8
	.symtab	0x805f0ac	0	SECTION	<unknown>	DEFAULT	9
	.symtab	0x805f0c0	0	SECTION	<unknown>	DEFAULT	10
	.symtab	0x805fc80	0	SECTION	<unknown>	DEFAULT	11
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	12
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	13
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	14
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	15
C.73.5600	.symtab	0x805a7e0	36	OBJECT	<unknown>	DEFAULT	4
C.91.5818	.symtab	0x805ae00	312	OBJECT	<unknown>	DEFAULT	4
ClearHistory	.symtab	0x804d8c8	44	FUNC	<unknown>	DEFAULT	2
HTTP	.symtab	0x804a0d7	273	FUNC	<unknown>	DEFAULT	2
Q	.symtab	0x80600e0	16384	OBJECT	<unknown>	DEFAULT	11
Send	.symtab	0x8048325	94	FUNC	<unknown>	DEFAULT	2
UserAgents	.symtab	0x805f420	144	OBJECT	<unknown>	DEFAULT	10
_352	.symtab	0x804ee29	5	FUNC	<unknown>	DEFAULT	2
_376	.symtab	0x804ed8d	122	FUNC	<unknown>	DEFAULT	2
_433	.symtab	0x804ee2e	54	FUNC	<unknown>	DEFAULT	2
_GLOBAL_OFFSET_TABLE_	.symtab	0x805f0ac	0	OBJECT	<unknown>	HIDDEN	9
_Jv_RegisterClasses	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
_NICK	.symtab	0x804ee64	170	FUNC	<unknown>	DEFAULT	2
_PING	.symtab	0x804ee07	34	FUNC	<unknown>	DEFAULT	2
_PRIVMSG	.symtab	0x804e2b4	2777	FUNC	<unknown>	DEFAULT	2
_READ.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_WRITE.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__CTOR_END__	.symtab	0x805f09c	0	OBJECT	<unknown>	DEFAULT	6
__CTOR_LIST__	.symtab	0x805f098	0	OBJECT	<unknown>	DEFAULT	6
__C_ctype_b	.symtab	0x805fc3c	4	OBJECT	<unknown>	DEFAULT	10
__C_ctype_b.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__C_ctype_b_data	.symtab	0x805d940	768	OBJECT	<unknown>	DEFAULT	4
__C_ctype_tolower	.symtab	0x805fc44	4	OBJECT	<unknown>	DEFAULT	10
__C_ctype_tolower.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__C_ctype_tolower_data	.symtab	0x805dc40	768	OBJECT	<unknown>	DEFAULT	4
__C_ctype_toupper	.symtab	0x805f9e0	4	OBJECT	<unknown>	DEFAULT	10
__C_ctype_toupper.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__C_ctype_toupper_data	.symtab	0x805c6a0	768	OBJECT	<unknown>	DEFAULT	4
__DTOR_END__	.symtab	0x805f0a4	0	OBJECT	<unknown>	DEFAULT	7
__DTOR_LIST__	.symtab	0x805f0a0	0	OBJECT	<unknown>	DEFAULT	7
__EH_FRAME_BEGIN__	.symtab	0x805e094	0	OBJECT	<unknown>	DEFAULT	5
__FRAME_END__	.symtab	0x805e094	0	OBJECT	<unknown>	DEFAULT	5
__GI___C_ctype_b	.symtab	0x805fc3c	4	OBJECT	<unknown>	HIDDEN	10
__GI___C_ctype_b_data	.symtab	0x805d940	768	OBJECT	<unknown>	HIDDEN	4
__GI___C_ctype_tolower	.symtab	0x805fc44	4	OBJECT	<unknown>	HIDDEN	10
__GI___C_ctype_tolower_data	.symtab	0x805dc40	768	OBJECT	<unknown>	HIDDEN	4
__GI___C_ctype_toupper	.symtab	0x805f9e0	4	OBJECT	<unknown>	HIDDEN	10
__GI___C_ctype_toupper_data	.symtab	0x805c6a0	768	OBJECT	<unknown>	HIDDEN	4
__GI___ctype_b	.symtab	0x805fc40	4	OBJECT	<unknown>	HIDDEN	10
__GI___ctype_tolower	.symtab	0x805fc48	4	OBJECT	<unknown>	HIDDEN	10
__GI___ctype_toupper	.symtab	0x805f9e4	4	OBJECT	<unknown>	HIDDEN	10
__GI___errno_location	.symtab	0x804ff6c	6	FUNC	<unknown>	HIDDEN	2
__GI___fgetc_unlocked	.symtab	0x805660c	220	FUNC	<unknown>	HIDDEN	2
__GI___fputc_unlocked	.symtab	0x8051a04	187	FUNC	<unknown>	HIDDEN	2
__GI___glibc_strerror_r	.symtab	0x8051c48	29	FUNC	<unknown>	HIDDEN	2
__GI___h_errno_location	.symtab	0x8055bb8	6	FUNC	<unknown>	HIDDEN	2
__GI___libc_fcntl	.symtab	0x804faec	87	FUNC	<unknown>	HIDDEN	2
__GI___libc_fcntl64	.symtab	0x804fb44	63	FUNC	<unknown>	HIDDEN	2
__GI___libc_open	.symtab	0x8055a20	75	FUNC	<unknown>	HIDDEN	2
__GI___uClibc_fini	.symtab	0x805540c	63	FUNC	<unknown>	HIDDEN	2
__GI___uClibc_init	.symtab	0x8055483	64	FUNC	<unknown>	HIDDEN	2
__GI___xpg_strerror_r	.symtab	0x8051c68	182	FUNC	<unknown>	HIDDEN	2
__GI__exit	.symtab	0x8055810	40	FUNC	<unknown>	HIDDEN	2
__GI_abort	.symtab	0x80548f8	273	FUNC	<unknown>	HIDDEN	2
__GI_accept	.symtab	0x805380c	43	FUNC	<unknown>	HIDDEN	2
__GI_asprintf	.symtab	0x8050188	30	FUNC	<unknown>	HIDDEN	2
__GI_atoi	.symtab	0x8054ec4	20	FUNC	<unknown>	HIDDEN	2
__GI_atol	.symtab	0x8054ec4	20	FUNC	<unknown>	HIDDEN	2
__GI_bind	.symtab	0x8053838	43	FUNC	<unknown>	HIDDEN	2
__GI_brk	.symtab	0x8058094	54	FUNC	<unknown>	HIDDEN	2
__GI_chdir	.symtab	0x804fb84	46	FUNC	<unknown>	HIDDEN	2
__GI_clock_getres	.symtab	0x8055838	50	FUNC	<unknown>	HIDDEN	2
__GI_close	.symtab	0x804fbb4	46	FUNC	<unknown>	HIDDEN	2
__GI_connect	.symtab	0x8053864	43	FUNC	<unknown>	HIDDEN	2
__GI_dup2	.symtab	0x805586c	50	FUNC	<unknown>	HIDDEN	2
__GI_endservent	.symtab	0x8056ad7	92	FUNC	<unknown>	HIDDEN	2
__GI_errno	.symtab	0x8066154	4	OBJECT	<unknown>	HIDDEN	11
__GI_execl	.symtab	0x805509c	105	FUNC	<unknown>	HIDDEN	2
__GI_execve	.symtab	0x80558a0	54	FUNC	<unknown>	HIDDEN	2
__GI_exit	.symtab	0x8055034	103	FUNC	<unknown>	HIDDEN	2
__GI_fclose	.symtab	0x804ff74	271	FUNC	<unknown>	HIDDEN	2
__GI_fcntl	.symtab	0x804faec	87	FUNC	<unknown>	HIDDEN	2
__GI_fcntl64	.symtab	0x804fb44	63	FUNC	<unknown>	HIDDEN	2
__GI_fdopen	.symtab	0x8055cb0	50	FUNC	<unknown>	HIDDEN	2
__GI_fflush_unlocked	.symtab	0x8051848	333	FUNC	<unknown>	HIDDEN	2
__GI_fgetc_unlocked	.symtab	0x805660c	220	FUNC	<unknown>	HIDDEN	2
__GI_fgets	.symtab	0x805160c	98	FUNC	<unknown>	HIDDEN	2
__GI_fgets_unlocked	.symtab	0x8051998	105	FUNC	<unknown>	HIDDEN	2
__GI_fopen	.symtab	0x8050084	24	FUNC	<unknown>	HIDDEN	2
__GI_fork	.symtab	0x804fbe4	38	FUNC	<unknown>	HIDDEN	2
__GI_fprintf	.symtab	0x8050168	30	FUNC	<unknown>	HIDDEN	2
__GI_fputc	.symtab	0x8051670	146	FUNC	<unknown>	HIDDEN	2
__GI_fputs	.symtab	0x8051704	95	FUNC	<unknown>	HIDDEN	2
__GI_fputs_unlocked	.symtab	0x8051ac0	49	FUNC	<unknown>	HIDDEN	2
__GI_freeaddrinfo	.symtab	0x80528fc	35	FUNC	<unknown>	HIDDEN	2
__GI_fseek	.symtab	0x80580e4	27	FUNC	<unknown>	HIDDEN	2
__GI_fseeko64	.symtab	0x8058164	231	FUNC	<unknown>	HIDDEN	2
__GI_fwrite_unlocked	.symtab	0x8051af4	120	FUNC	<unknown>	HIDDEN	2
__GI_getaddrinfo	.symtab	0x805291f	651	FUNC	<unknown>	HIDDEN	2
__GI_getc_unlocked	.symtab	0x805660c	220	FUNC	<unknown>	HIDDEN	2
__GI_getcwd	.symtab	0x804fc0c	184	FUNC	<unknown>	HIDDEN	2
__GI_getdtablesize	.symtab	0x804fcc4	37	FUNC	<unknown>	HIDDEN	2
__GI_getegid	.symtab	0x80558d8	38	FUNC	<unknown>	HIDDEN	2
__GI_geteuid	.symtab	0x8055900	38	FUNC	<unknown>	HIDDEN	2
__GI_getgid	.symtab	0x8055928	38	FUNC	<unknown>	HIDDEN	2
__GI_gethostbyaddr_r	.symtab	0x805349c	878	FUNC	<unknown>	HIDDEN	2
__GI_gethostbyname2_r	.symtab	0x805316c	815	FUNC	<unknown>	HIDDEN	2
__GI_gethostbyname_r	.symtab	0x8057bf8	818	FUNC	<unknown>	HIDDEN	2
__GI_getpagesize	.symtab	0x804fcec	17	FUNC	<unknown>	HIDDEN	2
__GI_getpid	.symtab	0x804fd00	38	FUNC	<unknown>	HIDDEN	2
__GI_getrlimit	.symtab	0x804fd50	50	FUNC	<unknown>	HIDDEN	2
__GI_getservbyname_r	.symtab	0x8056c8a	224	FUNC	<unknown>	HIDDEN	2
__GI_getservbyport	.symtab	0x8056c56	52	FUNC	<unknown>	HIDDEN	2
__GI_getservbyport_r	.symtab	0x8056ba6	176	FUNC	<unknown>	HIDDEN	2
__GI_getservent_r	.symtab	0x80568da	467	FUNC	<unknown>	HIDDEN	2
__GI_getuid	.symtab	0x8055950	38	FUNC	<unknown>	HIDDEN	2
__GI_h_errno	.symtab	0x8066158	4	OBJECT	<unknown>	HIDDEN	11
__GI_if_freenameindex	.symtab	0x805702a	52	FUNC	<unknown>	HIDDEN	2
__GI_if_nameindex	.symtab	0x8056e90	410	FUNC	<unknown>	HIDDEN	2
__GI_if_nametoindex	.symtab	0x8056e1b	117	FUNC	<unknown>	HIDDEN	2
__GI_in6addr_loopback	.symtab	0x805d658	16	OBJECT	<unknown>	HIDDEN	4
__GI_inet_addr	.symtab	0x8053144	37	FUNC	<unknown>	HIDDEN	2
__GI_inet_aton	.symtab	0x8057060	148	FUNC	<unknown>	HIDDEN	2
__GI_inet_ntoa	.symtab	0x805312f	21	FUNC	<unknown>	HIDDEN	2
__GI_inet_ntoa_r	.symtab	0x80530e0	79	FUNC	<unknown>	HIDDEN	2
__GI_inet_ntop	.symtab	0x8052f0d	465	FUNC	<unknown>	HIDDEN	2
__GI_inet_pton	.symtab	0x8052c32	458	FUNC	<unknown>	HIDDEN	2
__GI_initstate_r	.symtab	0x8054ce5	171	FUNC	<unknown>	HIDDEN	2
__GI_ioctl	.symtab	0x804fd84	63	FUNC	<unknown>	HIDDEN	2
__GI_isatty	.symtab	0x8051e18	29	FUNC	<unknown>	HIDDEN	2
__GI_kill	.symtab	0x804fdc4	50	FUNC	<unknown>	HIDDEN	2
__GI_listen	.symtab	0x80538cc	35	FUNC	<unknown>	HIDDEN	2
__GI_lseek64	.symtab	0x8058ac4	86	FUNC	<unknown>	HIDDEN	2
__GI_memchr	.symtab	0x80566e8	35	FUNC	<unknown>	HIDDEN	2
__GI_memcpy	.symtab	0x8051b6c	39	FUNC	<unknown>	HIDDEN	2
__GI_memmove	.symtab	0x805670c	39	FUNC	<unknown>	HIDDEN	2
__GI_mempcpy	.symtab	0x8056754	33	FUNC	<unknown>	HIDDEN	2
__GI_memrchr	.symtab	0x8056778	176	FUNC	<unknown>	HIDDEN	2
__GI_memset	.symtab	0x8051b94	21	FUNC	<unknown>	HIDDEN	2
__GI_mmap	.symtab	0x8055784	27	FUNC	<unknown>	HIDDEN	2
__GI_mremap	.symtab	0x8055978	63	FUNC	<unknown>	HIDDEN	2
__GI_munmap	.symtab	0x80559b8	50	FUNC	<unknown>	HIDDEN	2
__GI_nanosleep	.symtab	0x80559ec	50	FUNC	<unknown>	HIDDEN	2
__GI_open	.symtab	0x8055a20	75	FUNC	<unknown>	HIDDEN	2
__GI_perror	.symtab	0x805009c	50	FUNC	<unknown>	HIDDEN	2
__GI_pipe	.symtab	0x8055a84	46	FUNC	<unknown>	HIDDEN	2
__GI_poll	.symtab	0x804fdf8	54	FUNC	<unknown>	HIDDEN	2
__GI_putc	.symtab	0x8051670	146	FUNC	<unknown>	HIDDEN	2
__GI_putc_unlocked	.symtab	0x8051a04	187	FUNC	<unknown>	HIDDEN	2
__GI_raise	.symtab	0x8057f54	24	FUNC	<unknown>	HIDDEN	2
__GI_random	.symtab	0x8054a14	72	FUNC	<unknown>	HIDDEN	2
__GI_random_r	.symtab	0x8054bed	94	FUNC	<unknown>	HIDDEN	2
__GI_rawmemchr	.symtab	0x805845c	99	FUNC	<unknown>	HIDDEN	2
__GI_read	.symtab	0x8058b1c	54	FUNC	<unknown>	HIDDEN	2
__GI_recv	.symtab	0x80538f0	51	FUNC	<unknown>	HIDDEN	2
__GI_rewind	.symtab	0x8058100	98	FUNC	<unknown>	HIDDEN	2
__GI_sbrk	.symtab	0x8055ab4	78	FUNC	<unknown>	HIDDEN	2
__GI_select	.symtab	0x804fe30	63	FUNC	<unknown>	HIDDEN	2
__GI_send	.symtab	0x8053924	51	FUNC	<unknown>	HIDDEN	2
__GI_sendto	.symtab	0x8053958	67	FUNC	<unknown>	HIDDEN	2
__GI_setservent	.symtab	0x8056b33	115	FUNC	<unknown>	HIDDEN	2
__GI_setsid	.symtab	0x804fe70	38	FUNC	<unknown>	HIDDEN	2
__GI_setsockopt	.symtab	0x805399c	59	FUNC	<unknown>	HIDDEN	2
__GI_setstate_r	.symtab	0x8054b54	153	FUNC	<unknown>	HIDDEN	2
__GI_sigaction	.symtab	0x805568f	218	FUNC	<unknown>	HIDDEN	2
__GI_signal	.symtab	0x8057f6c	175	FUNC	<unknown>	HIDDEN	2
__GI_sigprocmask	.symtab	0x8055b04	85	FUNC	<unknown>	HIDDEN	2
__GI_sleep	.symtab	0x8055108	393	FUNC	<unknown>	HIDDEN	2
__GI_socket	.symtab	0x80539d8	43	FUNC	<unknown>	HIDDEN	2
__GI_sprintf	.symtab	0x80501a8	31	FUNC	<unknown>	HIDDEN	2
__GI_srandom_r	.symtab	0x8054c4b	154	FUNC	<unknown>	HIDDEN	2
__GI_strcasecmp	.symtab	0x8051d38	54	FUNC	<unknown>	HIDDEN	2
__GI_strcasestr	.symtab	0x8051d70	83	FUNC	<unknown>	HIDDEN	2
__GI_strchr	.symtab	0x8056734	30	FUNC	<unknown>	HIDDEN	2
__GI_strcmp	.symtab	0x805840c	29	FUNC	<unknown>	HIDDEN	2
__GI_strcoll	.symtab	0x805840c	29	FUNC	<unknown>	HIDDEN	2
__GI_strcpy	.symtab	0x8051bac	27	FUNC	<unknown>	HIDDEN	2
__GI_strdup	.symtab	0x8051dc4	54	FUNC	<unknown>	HIDDEN	2
__GI_strlen	.symtab	0x8051bc8	19	FUNC	<unknown>	HIDDEN	2
__GI_strncat	.symtab	0x805842c	46	FUNC	<unknown>	HIDDEN	2
__GI_strncmp	.symtab	0x8051bdc	37	FUNC	<unknown>	HIDDEN	2
__GI_strncpy	.symtab	0x8051c04	38	FUNC	<unknown>	HIDDEN	2
__GI_strnlen	.symtab	0x8051c2c	25	FUNC	<unknown>	HIDDEN	2
__GI_strpbrk	.symtab	0x8056884	39	FUNC	<unknown>	HIDDEN	2
__GI_strspn	.symtab	0x80584c0	50	FUNC	<unknown>	HIDDEN	2
__GI_strtok	.symtab	0x8051dfc	25	FUNC	<unknown>	HIDDEN	2
__GI_strtok_r	.symtab	0x8056828	89	FUNC	<unknown>	HIDDEN	2
__GI_strtol	.symtab	0x8054ed8	26	FUNC	<unknown>	HIDDEN	2
__GI_strtoul	.symtab	0x8054ef4	26	FUNC	<unknown>	HIDDEN	2
__GI_sysconf	.symtab	0x8055294	325	FUNC	<unknown>	HIDDEN	2
__GI_tcgetattr	.symtab	0x8051e38	112	FUNC	<unknown>	HIDDEN	2
__GI_time	.symtab	0x804fe98	46	FUNC	<unknown>	HIDDEN	2
__GI_tolower	.symtab	0x8055b98	29	FUNC	<unknown>	HIDDEN	2
__GI_toupper	.symtab	0x804ff4c	29	FUNC	<unknown>	HIDDEN	2
__GI_vasprintf	.symtab	0x80501c8	115	FUNC	<unknown>	HIDDEN	2
__GI_vfork	.symtab	0x805576c	21	FUNC	<unknown>	HIDDEN	2
__GI_vfprintf	.symtab	0x8050918	136	FUNC	<unknown>	HIDDEN	2
__GI_vsnprintf	.symtab	0x805023c	176	FUNC	<unknown>	HIDDEN	2
__GI_wait4	.symtab	0x8055b5c	59	FUNC	<unknown>	HIDDEN	2
__GI_waitpid	.symtab	0x804fef8	26	FUNC	<unknown>	HIDDEN	2
__GI_wcrtomb	.symtab	0x8055bc0	69	FUNC	<unknown>	HIDDEN	2
__GI_wcsnrtombs	.symtab	0x8055c28	133	FUNC	<unknown>	HIDDEN	2
__GI_wcsrtombs	.symtab	0x8055c08	30	FUNC	<unknown>	HIDDEN	2
__GI_write	.symtab	0x804ff14	54	FUNC	<unknown>	HIDDEN	2
__JCR_END__	.symtab	0x805f0a8	0	OBJECT	<unknown>	DEFAULT	8
__JCR_LIST__	.symtab	0x805f0a8	0	OBJECT	<unknown>	DEFAULT	8
__app_fini	.symtab	0x8066148	4	OBJECT	<unknown>	HIDDEN	11
__atexit_lock	.symtab	0x805fc20	24	OBJECT	<unknown>	DEFAULT	10
__bsd_signal	.symtab	0x8057f6c	175	FUNC	<unknown>	HIDDEN	2
__bss_start	.symtab	0x805fc80	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
__check_one_fd	.symtab	0x805544f	52	FUNC	<unknown>	DEFAULT	2
__ctype_b	.symtab	0x805fc40	4	OBJECT	<unknown>	DEFAULT	10
__ctype_tolower	.symtab	0x805fc48	4	OBJECT	<unknown>	DEFAULT	10
__ctype_toupper	.symtab	0x805f9e4	4	OBJECT	<unknown>	DEFAULT	10
__curbrk	.symtab	0x8066194	4	OBJECT	<unknown>	HIDDEN	11
__data_start	.symtab	0x805f0c8	0	NOTYPE	<unknown>	DEFAULT	10
__decode_answer	.symtab	0x80586c0	249	FUNC	<unknown>	HIDDEN	2
__decode_dotted	.symtab	0x80570f4	217	FUNC	<unknown>	HIDDEN	2
__decode_header	.symtab	0x80585a4	171	FUNC	<unknown>	HIDDEN	2
__deregister_frame_info_bases	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__dns_lookup	.symtab	0x80571d0	1876	FUNC	<unknown>	HIDDEN	2
__do_global_ctors_aux	.symtab	0x8058c30	0	FUNC	<unknown>	DEFAULT	2
__do_global_dtors_aux	.symtab	0x80480c0	0	FUNC	<unknown>	DEFAULT	2
__dso_handle	.symtab	0x805f0c0	0	OBJECT	<unknown>	HIDDEN	10
__encode_dotted	.symtab	0x8058b54	144	FUNC	<unknown>	HIDDEN	2
__encode_header	.symtab	0x80584f4	175	FUNC	<unknown>	HIDDEN	2
__encode_question	.symtab	0x8058650	83	FUNC	<unknown>	HIDDEN	2
__environ	.symtab	0x8066140	4	OBJECT	<unknown>	DEFAULT	11
__errno_location	.symtab	0x804ff6c	6	FUNC	<unknown>	DEFAULT	2
__errno_location.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__exit_cleanup	.symtab	0x8066138	4	OBJECT	<unknown>	HIDDEN	11
__fgetc_unlocked	.symtab	0x805660c	220	FUNC	<unknown>	DEFAULT	2
__fini_array_end	.symtab	0x805f098	0	NOTYPE	<unknown>	HIDDEN	SHN_ABS
__fini_array_start	.symtab	0x805f098	0	NOTYPE	<unknown>	HIDDEN	SHN_ABS
__fputc_unlocked	.symtab	0x8051a04	187	FUNC	<unknown>	DEFAULT	2
__get_hosts_byaddr_r	.symtab	0x8057b94	97	FUNC	<unknown>	HIDDEN	2
__get_hosts_byname_r	.symtab	0x8057b68	44	FUNC	<unknown>	HIDDEN	2
__get_pc_thunk_bx	.symtab	0x80480b0	0	FUNC	<unknown>	HIDDEN	2
__getpagesize	.symtab	0x804fcec	17	FUNC	<unknown>	DEFAULT	2
__glibc_strerror_r	.symtab	0x8051c48	29	FUNC	<unknown>	DEFAULT	2
__glibc_strerror_r.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__h_errno_location	.symtab	0x8055bb8	6	FUNC	<unknown>	DEFAULT	2
__h_errno_location.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__init_array_end	.symtab	0x805f098	0	NOTYPE	<unknown>	HIDDEN	SHN_ABS
__init_array_start	.symtab	0x805f098	0	NOTYPE	<unknown>	HIDDEN	SHN_ABS
__initbuf	.symtab	0x80568ac	46	FUNC	<unknown>	DEFAULT	2
__length_dotted	.symtab	0x8058be4	65	FUNC	<unknown>	HIDDEN	2
__length_question	.symtab	0x80586a4	28	FUNC	<unknown>	HIDDEN	2
__libc_accept	.symtab	0x805380c	43	FUNC	<unknown>	DEFAULT	2
__libc_close	.symtab	0x804fbb4	46	FUNC	<unknown>	DEFAULT	2
__libc_connect	.symtab	0x8053864	43	FUNC	<unknown>	DEFAULT	2
__libc_creat	.symtab	0x8055a6b	25	FUNC	<unknown>	DEFAULT	2
__libc_fcntl	.symtab	0x804faec	87	FUNC	<unknown>	DEFAULT	2
__libc_fcntl64	.symtab	0x804fb44	63	FUNC	<unknown>	DEFAULT	2
__libc_fork	.symtab	0x804fbe4	38	FUNC	<unknown>	DEFAULT	2
__libc_getpid	.symtab	0x804fd00	38	FUNC	<unknown>	DEFAULT	2
__libc_lseek64	.symtab	0x8058ac4	86	FUNC	<unknown>	DEFAULT	2
__libc_nanosleep	.symtab	0x80559ec	50	FUNC	<unknown>	DEFAULT	2
__libc_open	.symtab	0x8055a20	75	FUNC	<unknown>	DEFAULT	2
__libc_poll	.symtab	0x804fdf8	54	FUNC	<unknown>	DEFAULT	2
__libc_read	.symtab	0x8058b1c	54	FUNC	<unknown>	DEFAULT	2
__libc_recv	.symtab	0x80538f0	51	FUNC	<unknown>	DEFAULT	2
__libc_select	.symtab	0x804fe30	63	FUNC	<unknown>	DEFAULT	2
__libc_send	.symtab	0x8053924	51	FUNC	<unknown>	DEFAULT	2
__libc_sendto	.symtab	0x8053958	67	FUNC	<unknown>	DEFAULT	2
__libc_sigaction	.symtab	0x805568f	218	FUNC	<unknown>	DEFAULT	2
__libc_stack_end	.symtab	0x806613c	4	OBJECT	<unknown>	DEFAULT	11
__libc_system	.symtab	0x8054d90	305	FUNC	<unknown>	DEFAULT	2
__libc_waitpid	.symtab	0x804fef8	26	FUNC	<unknown>	DEFAULT	2
__libc_write	.symtab	0x804ff14	54	FUNC	<unknown>	DEFAULT	2
__malloc_consolidate	.symtab	0x8054591	424	FUNC	<unknown>	HIDDEN	2
__malloc_largebin_index	.symtab	0x8053a04	38	FUNC	<unknown>	DEFAULT	2
__malloc_lock	.symtab	0x805fb30	24	OBJECT	<unknown>	DEFAULT	10
__malloc_state	.symtab	0x8067400	888	OBJECT	<unknown>	DEFAULT	11
__malloc_trim	.symtab	0x8054504	141	FUNC	<unknown>	DEFAULT	2
__nameserver	.symtab	0x8067788	12	OBJECT	<unknown>	HIDDEN	11
__nameservers	.symtab	0x8067794	4	OBJECT	<unknown>	HIDDEN	11
__open_etc_hosts	.symtab	0x80587bc	49	FUNC	<unknown>	HIDDEN	2
__open_nameservers	.symtab	0x8057924	579	FUNC	<unknown>	HIDDEN	2
__opensock	.symtab	0x8057f2c	40	FUNC	<unknown>	HIDDEN	2
__pagesize	.symtab	0x8066144	4	OBJECT	<unknown>	DEFAULT	11
__preinit_array_end	.symtab	0x805f098	0	NOTYPE	<unknown>	HIDDEN	SHN_ABS
__preinit_array_start	.symtab	0x805f098	0	NOTYPE	<unknown>	HIDDEN	SHN_ABS
__pthread_initialize_minimal	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__pthread_mutex_init	.symtab	0x805544b	3	FUNC	<unknown>	DEFAULT	2
__pthread_mutex_lock	.symtab	0x805544b	3	FUNC	<unknown>	DEFAULT	2
__pthread_mutex_trylock	.symtab	0x805544b	3	FUNC	<unknown>	DEFAULT	2
__pthread_mutex_unlock	.symtab	0x805544b	3	FUNC	<unknown>	DEFAULT	2
__pthread_return_0	.symtab	0x805544b	3	FUNC	<unknown>	DEFAULT	2
__pthread_return_void	.symtab	0x805544e	1	FUNC	<unknown>	DEFAULT	2
__raise	.symtab	0x8057f54	24	FUNC	<unknown>	HIDDEN	2
__read_etc_hosts_r	.symtab	0x80587ed	724	FUNC	<unknown>	HIDDEN	2
__register_frame_info_bases	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__resolv_lock	.symtab	0x805fc68	24	OBJECT	<unknown>	DEFAULT	10
__restore	.symtab	0x8055687	0	NOTYPE	<unknown>	DEFAULT	2
__restore_rt	.symtab	0x8055680	0	NOTYPE	<unknown>	DEFAULT	2
__rtld_fini	.symtab	0x806614c	4	OBJECT	<unknown>	HIDDEN	11
__searchdomain	.symtab	0x8067778	16	OBJECT	<unknown>	HIDDEN	11
__searchdomains	.symtab	0x8067798	4	OBJECT	<unknown>	HIDDEN	11
__sigaddset	.symtab	0x8058040	32	FUNC	<unknown>	DEFAULT	2
__sigdelset	.symtab	0x8058060	32	FUNC	<unknown>	DEFAULT	2
__sigismember	.symtab	0x805801c	36	FUNC	<unknown>	DEFAULT	2
__socketcall	.symtab	0x80557a0	50	FUNC	<unknown>	HIDDEN	2
__socketcall.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__stdin	.symtab	0x805f9f4	4	OBJECT	<unknown>	DEFAULT	10
__stdio_READ	.symtab	0x805824c	79	FUNC	<unknown>	HIDDEN	2
__stdio_WRITE	.symtab	0x8055ce4	128	FUNC	<unknown>	HIDDEN	2
__stdio_adjust_position	.symtab	0x805829c	164	FUNC	<unknown>	HIDDEN	2
__stdio_fwrite	.symtab	0x8055d64	234	FUNC	<unknown>	HIDDEN	2
__stdio_init_mutex	.symtab	0x805084b	23	FUNC	<unknown>	HIDDEN	2
__stdio_mutex_initializer.4160	.symtab	0x805c9b8	24	OBJECT	<unknown>	DEFAULT	4
__stdio_rfill	.symtab	0x8058340	40	FUNC	<unknown>	HIDDEN	2
__stdio_seek	.symtab	0x80583d8	51	FUNC	<unknown>	HIDDEN	2
__stdio_trans2r_o	.symtab	0x8058368	110	FUNC	<unknown>	HIDDEN	2
__stdio_trans2w_o	.symtab	0x8055e50	167	FUNC	<unknown>	HIDDEN	2
__stdio_wcommit	.symtab	0x80508ec	43	FUNC	<unknown>	HIDDEN	2
__stdout	.symtab	0x805f9f8	4	OBJECT	<unknown>	DEFAULT	10
__syscall_error	.symtab	0x80580cc	21	FUNC	<unknown>	HIDDEN	2
__syscall_error.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__syscall_fcntl.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__syscall_fcntl64.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__syscall_rt_sigaction	.symtab	0x80557d4	59	FUNC	<unknown>	HIDDEN	2
__syscall_rt_sigaction.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__uClibc_fini	.symtab	0x805540c	63	FUNC	<unknown>	DEFAULT	2
__uClibc_init	.symtab	0x8055483	64	FUNC	<unknown>	DEFAULT	2
__uClibc_main	.symtab	0x80554c3	443	FUNC	<unknown>	DEFAULT	2
__uClibc_main.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
__uclibc_progname	.symtab	0x805fc38	4	OBJECT	<unknown>	HIDDEN	10
__vfork	.symtab	0x805576c	21	FUNC	<unknown>	HIDDEN	2
__xpg_strerror_r	.symtab	0x8051c68	182	FUNC	<unknown>	DEFAULT	2
__xpg_strerror_r.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_adjust_pos.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_charpad	.symtab	0x80509a0	54	FUNC	<unknown>	DEFAULT	2
_cs_funcs.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_dl_aux_init	.symtab	0x8058080	18	FUNC	<unknown>	DEFAULT	2
_dl_phdr	.symtab	0x8067820	4	OBJECT	<unknown>	DEFAULT	11
_dl_phnum	.symtab	0x8067824	4	OBJECT	<unknown>	DEFAULT	11
_edata	.symtab	0x805fc80	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
_end	.symtab	0x8067828	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
_errno	.symtab	0x8066154	4	OBJECT	<unknown>	DEFAULT	11
_exit	.symtab	0x8055810	40	FUNC	<unknown>	DEFAULT	2
_exit.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_fini	.symtab	0x8058c64	3	FUNC	<unknown>	DEFAULT	3
_fixed_buffers	.symtab	0x8064120	8192	OBJECT	<unknown>	DEFAULT	11
_fopen.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_fp_out_narrow	.symtab	0x80509d6	106	FUNC	<unknown>	DEFAULT	2
_fpmaxtostr	.symtab	0x8056060	1449	FUNC	<unknown>	HIDDEN	2
_fpmaxtostr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_fwrite.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_h_errno	.symtab	0x8066158	4	OBJECT	<unknown>	DEFAULT	11
_init	.symtab	0x8048094	3	FUNC	<unknown>	DEFAULT	1
_load_inttype	.symtab	0x8055ef8	86	FUNC	<unknown>	HIDDEN	2
_load_inttype.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_ppfs_init	.symtab	0x8050ff8	111	FUNC	<unknown>	HIDDEN	2
_ppfs_init.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_ppfs_parsespec	.symtab	0x80511e9	975	FUNC	<unknown>	HIDDEN	2
_ppfs_parsespec.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_ppfs_prepargs	.symtab	0x8051068	66	FUNC	<unknown>	HIDDEN	2
_ppfs_prepargs.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_ppfs_setargs	.symtab	0x80510ac	273	FUNC	<unknown>	HIDDEN	2
_ppfs_setargs.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_promoted_size	.symtab	0x80511c0	41	FUNC	<unknown>	DEFAULT	2
_pthread_cleanup_pop_restore	.symtab	0x805544e	1	FUNC	<unknown>	DEFAULT	2
_pthread_cleanup_push_defer	.symtab	0x805544e	1	FUNC	<unknown>	DEFAULT	2
_rfill.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_sigintr	.symtab	0x80677a0	128	OBJECT	<unknown>	HIDDEN	11
_start	.symtab	0x8048168	34	FUNC	<unknown>	DEFAULT	2
_stdio.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_stdio_fopen	.symtab	0x80505a4	579	FUNC	<unknown>	HIDDEN	2
_stdio_init	.symtab	0x80507e8	99	FUNC	<unknown>	HIDDEN	2
_stdio_openlist	.symtab	0x805f9fc	4	OBJECT	<unknown>	DEFAULT	10
_stdio_openlist_add_lock	.symtab	0x805fa00	24	OBJECT	<unknown>	DEFAULT	10
_stdio_openlist_dec_use	.symtab	0x8051764	228	FUNC	<unknown>	DEFAULT	2
_stdio_openlist_del_count	.symtab	0x8064100	4	OBJECT	<unknown>	DEFAULT	11
_stdio_openlist_del_lock	.symtab	0x805fa18	24	OBJECT	<unknown>	DEFAULT	10
_stdio_openlist_use_count	.symtab	0x80640fc	4	OBJECT	<unknown>	DEFAULT	11
_stdio_streams	.symtab	0x805fa40	240	OBJECT	<unknown>	DEFAULT	10
_stdio_term	.symtab	0x8050862	136	FUNC	<unknown>	HIDDEN	2
_stdio_user_locking	.symtab	0x805fa30	4	OBJECT	<unknown>	DEFAULT	10
_stdlib_strto_l	.symtab	0x8054f10	289	FUNC	<unknown>	HIDDEN	2
_stdlib_strto_l.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_store_inttype	.symtab	0x8055f50	61	FUNC	<unknown>	HIDDEN	2
_store_inttype.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_string_syserrmsgs	.symtab	0x805ca80	2906	OBJECT	<unknown>	HIDDEN	4
_string_syserrmsgs.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_trans2r.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_trans2w.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_uintmaxtostr	.symtab	0x8055f90	207	FUNC	<unknown>	HIDDEN	2
_uintmaxtostr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_vfprintf_internal	.symtab	0x8050a40	1464	FUNC	<unknown>	HIDDEN	2
_vfprintf_internal.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
_wcommit.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
abort	.symtab	0x80548f8	273	FUNC	<unknown>	DEFAULT	2
abort.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
accept	.symtab	0x805380c	43	FUNC	<unknown>	DEFAULT	2
accept.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
actualparent	.symtab	0x80662b4	4	OBJECT	<unknown>	DEFAULT	11
advance_telstate	.symtab	0x804c17e	81	FUNC	<unknown>	DEFAULT	2
advances	.symtab	0x805f7f4	28	OBJECT	<unknown>	DEFAULT	10
advances2	.symtab	0x805f880	44	OBJECT	<unknown>	DEFAULT	10
ak47scan	.symtab	0x804d5d8	182	FUNC	<unknown>	DEFAULT	2
ak47scantoggle	.symtab	0x804d68e	450	FUNC	<unknown>	DEFAULT	2
ak47telscan	.symtab	0x804c21d	5051	FUNC	<unknown>	DEFAULT	2
append	.symtab	0x804df29	51	FUNC	<unknown>	DEFAULT	2
asprintf	.symtab	0x8050188	30	FUNC	<unknown>	DEFAULT	2
asprintf.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
atoi	.symtab	0x8054ec4	20	FUNC	<unknown>	DEFAULT	2
atol	.symtab	0x8054ec4	20	FUNC	<unknown>	DEFAULT	2
atol.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
bcopy	.symtab	0x8051d20	21	FUNC	<unknown>	DEFAULT	2
bcopy.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
been_there_done_that	.symtab	0x8066134	1	OBJECT	<unknown>	DEFAULT	11
been_there_done_that.3001	.symtab	0x8066150	1	OBJECT	<unknown>	DEFAULT	11
bind	.symtab	0x8053838	43	FUNC	<unknown>	DEFAULT	2
bind.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
blacknurse	.symtab	0x80493e5	636	FUNC	<unknown>	DEFAULT	2
botkill	.symtab	0x804d850	120	FUNC	<unknown>	DEFAULT	2
brk	.symtab	0x8058094	54	FUNC	<unknown>	DEFAULT	2
brk.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
bsd_signal	.symtab	0x8057f6c	175	FUNC	<unknown>	DEFAULT	2
buf.2827	.symtab	0x8066124	16	OBJECT	<unknown>	DEFAULT	11
c	.symtab	0x805f8bc	4	OBJECT	<unknown>	DEFAULT	10
capsaicin_iot.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
chan	.symtab	0x80673f0	4	OBJECT	<unknown>	DEFAULT	11
changeservers	.symtab	0x805fca4	4	OBJECT	<unknown>	DEFAULT	11
chdir	.symtab	0x804fb84	46	FUNC	<unknown>	DEFAULT	2
chdir.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
clock_getres	.symtab	0x8055838	50	FUNC	<unknown>	DEFAULT	2
clock_getres.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
close	.symtab	0x804fbb4	46	FUNC	<unknown>	DEFAULT	2
close.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
completed.2429	.symtab	0x805fc80	1	OBJECT	<unknown>	DEFAULT	11
con	.symtab	0x804ef0e	701	FUNC	<unknown>	DEFAULT	2
connect	.symtab	0x8053864	43	FUNC	<unknown>	DEFAULT	2
connect.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
contains_fail	.symtab	0x804bfc1	27	FUNC	<unknown>	DEFAULT	2
contains_response	.symtab	0x804bfdc	57	FUNC	<unknown>	DEFAULT	2
contains_string	.symtab	0x804bf32	116	FUNC	<unknown>	DEFAULT	2
contains_success	.symtab	0x804bfa6	27	FUNC	<unknown>	DEFAULT	2
creat	.symtab	0x8055a6b	25	FUNC	<unknown>	DEFAULT	2
crtstuff.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
crtstuff.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
csum	.symtab	0x8048196	104	FUNC	<unknown>	DEFAULT	2
data_start	.symtab	0x805f0c8	0	NOTYPE	<unknown>	DEFAULT	10
decodea.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
decoded.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
decodeh.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
disable	.symtab	0x8049016	296	FUNC	<unknown>	DEFAULT	2
disabled	.symtab	0x805fca8	1	OBJECT	<unknown>	DEFAULT	11
dispass	.symtab	0x80661a0	256	OBJECT	<unknown>	DEFAULT	11
dl-support.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
dns	.symtab	0x804b22e	603	FUNC	<unknown>	DEFAULT	2
dns_format	.symtab	0x804ab5e	169	FUNC	<unknown>	DEFAULT	2
dns_hdr_create	.symtab	0x804ac07	104	FUNC	<unknown>	DEFAULT	2
dns_send	.symtab	0x804ac6f	1025	FUNC	<unknown>	DEFAULT	2
dnsflood	.symtab	0x804b070	446	FUNC	<unknown>	DEFAULT	2
dnslookup.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
download	.symtab	0x8048955	1110	FUNC	<unknown>	DEFAULT	2
dup2	.symtab	0x805586c	50	FUNC	<unknown>	DEFAULT	2
dup2.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
enable	.symtab	0x804913e	233	FUNC	<unknown>	DEFAULT	2
encoded.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
encodeh.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
encodeq.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
endservent	.symtab	0x8056ad7	92	FUNC	<unknown>	DEFAULT	2
environ	.symtab	0x8066140	4	OBJECT	<unknown>	DEFAULT	11
errno	.symtab	0x8066154	4	OBJECT	<unknown>	DEFAULT	11
errno.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
execfile	.symtab	0x80662c0	256	OBJECT	<unknown>	DEFAULT	11
execl	.symtab	0x805509c	105	FUNC	<unknown>	DEFAULT	2
execl.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
execve	.symtab	0x80558a0	54	FUNC	<unknown>	DEFAULT	2
execve.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
exit	.symtab	0x8055034	103	FUNC	<unknown>	DEFAULT	2
exit.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
exp10_table	.symtab	0x805df80	156	OBJECT	<unknown>	DEFAULT	4
fails	.symtab	0x805f820	36	OBJECT	<unknown>	DEFAULT	10
fastflux	.symtab	0x804e0e4	464	FUNC	<unknown>	DEFAULT	2
fclose	.symtab	0x804ff74	271	FUNC	<unknown>	DEFAULT	2
fclose.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fcntl	.symtab	0x804faec	87	FUNC	<unknown>	DEFAULT	2
fcntl64	.symtab	0x804fb44	63	FUNC	<unknown>	DEFAULT	2
fdopen	.symtab	0x8055cb0	50	FUNC	<unknown>	DEFAULT	2
fdopen.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
feof	.symtab	0x80515b8	84	FUNC	<unknown>	DEFAULT	2
feof.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fflush_unlocked	.symtab	0x8051848	333	FUNC	<unknown>	DEFAULT	2
fflush_unlocked.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fgetc_unlocked	.symtab	0x805660c	220	FUNC	<unknown>	DEFAULT	2
fgetc_unlocked.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fgets	.symtab	0x805160c	98	FUNC	<unknown>	DEFAULT	2
fgets.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fgets_unlocked	.symtab	0x8051998	105	FUNC	<unknown>	DEFAULT	2
fgets_unlocked.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
filter	.symtab	0x8048460	116	FUNC	<unknown>	DEFAULT	2
flooders	.symtab	0x805f8e0	176	OBJECT	<unknown>	DEFAULT	10
fmt	.symtab	0x805df50	20	OBJECT	<unknown>	DEFAULT	4
fopen	.symtab	0x8050084	24	FUNC	<unknown>	DEFAULT	2
fopen.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fork	.symtab	0x804fbe4	38	FUNC	<unknown>	DEFAULT	2
fork.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fprintf	.symtab	0x8050168	30	FUNC	<unknown>	DEFAULT	2
fprintf.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fputc	.symtab	0x8051670	146	FUNC	<unknown>	DEFAULT	2
fputc.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fputc_unlocked	.symtab	0x8051a04	187	FUNC	<unknown>	DEFAULT	2
fputc_unlocked.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fputs	.symtab	0x8051704	95	FUNC	<unknown>	DEFAULT	2
fputs.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fputs_unlocked	.symtab	0x8051ac0	49	FUNC	<unknown>	DEFAULT	2
fputs_unlocked.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
frame_dummy	.symtab	0x8048110	0	FUNC	<unknown>	DEFAULT	2
free	.symtab	0x8054739	412	FUNC	<unknown>	DEFAULT	2
free.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
freeaddrinfo	.symtab	0x80528fc	35	FUNC	<unknown>	DEFAULT	2
fseek	.symtab	0x80580e4	27	FUNC	<unknown>	DEFAULT	2
fseeko	.symtab	0x80580e4	27	FUNC	<unknown>	DEFAULT	2
fseeko.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fseeko64	.symtab	0x8058164	231	FUNC	<unknown>	DEFAULT	2
fseeko64.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
fwrite_unlocked	.symtab	0x8051af4	120	FUNC	<unknown>	DEFAULT	2
fwrite_unlocked.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
gaih	.symtab	0x805d5dc	24	OBJECT	<unknown>	DEFAULT	4
gaih_inet	.symtab	0x8051f63	2457	FUNC	<unknown>	DEFAULT	2
gaih_inet_serv	.symtab	0x8051ed0	147	FUNC	<unknown>	DEFAULT	2
gaih_inet_typeproto	.symtab	0x805d600	35	OBJECT	<unknown>	DEFAULT	4
get	.symtab	0x8048dab	267	FUNC	<unknown>	DEFAULT	2
getBuild	.symtab	0x804818c	10	FUNC	<unknown>	DEFAULT	2
getDatIP	.symtab	0x804b9dd	1074	FUNC	<unknown>	DEFAULT	2
getHost	.symtab	0x8049e0c	55	FUNC	<unknown>	DEFAULT	2
getPublicIP	.symtab	0x804e007	133	FUNC	<unknown>	DEFAULT	2
get_hosts_byaddr_r.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
get_hosts_byname_r.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
get_telstate_host	.symtab	0x804c162	28	FUNC	<unknown>	DEFAULT	2
getaddrinfo	.symtab	0x805291f	651	FUNC	<unknown>	DEFAULT	2
getaddrinfo.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getc_unlocked	.symtab	0x805660c	220	FUNC	<unknown>	DEFAULT	2
getcwd	.symtab	0x804fc0c	184	FUNC	<unknown>	DEFAULT	2
getcwd.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getdtablesize	.symtab	0x804fcc4	37	FUNC	<unknown>	DEFAULT	2
getdtablesize.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getegid	.symtab	0x80558d8	38	FUNC	<unknown>	DEFAULT	2
getegid.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
geteuid	.symtab	0x8055900	38	FUNC	<unknown>	DEFAULT	2
geteuid.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getgid	.symtab	0x8055928	38	FUNC	<unknown>	DEFAULT	2
getgid.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
gethostbyaddr_r	.symtab	0x805349c	878	FUNC	<unknown>	DEFAULT	2
gethostbyaddr_r.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
gethostbyname2_r	.symtab	0x805316c	815	FUNC	<unknown>	DEFAULT	2
gethostbyname2_r.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
gethostbyname_r	.symtab	0x8057bf8	818	FUNC	<unknown>	DEFAULT	2
gethostbyname_r.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getmyip	.symtab	0x804e08c	88	FUNC	<unknown>	DEFAULT	2
getpagesize	.symtab	0x804fcec	17	FUNC	<unknown>	DEFAULT	2
getpagesize.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getpid	.symtab	0x804fd00	38	FUNC	<unknown>	DEFAULT	2
getpid.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getppid	.symtab	0x804fd28	38	FUNC	<unknown>	DEFAULT	2
getppid.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getrlimit	.symtab	0x804fd50	50	FUNC	<unknown>	DEFAULT	2
getrlimit.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getservbyname	.symtab	0x8056d6a	52	FUNC	<unknown>	DEFAULT	2
getservbyname_r	.symtab	0x8056c8a	224	FUNC	<unknown>	DEFAULT	2
getservbyport	.symtab	0x8056c56	52	FUNC	<unknown>	DEFAULT	2
getservbyport_r	.symtab	0x8056ba6	176	FUNC	<unknown>	DEFAULT	2
getservent	.symtab	0x8056aad	42	FUNC	<unknown>	DEFAULT	2
getservent_r	.symtab	0x80568da	467	FUNC	<unknown>	DEFAULT	2
getservice.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getsockopt	.symtab	0x8053890	59	FUNC	<unknown>	DEFAULT	2
getsockopt.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
getuid	.symtab	0x8055950	38	FUNC	<unknown>	DEFAULT	2
getuid.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
h_errno	.symtab	0x8066158	4	OBJECT	<unknown>	DEFAULT	11
head	.symtab	0x80673e0	4	OBJECT	<unknown>	DEFAULT	11
help	.symtab	0x804d952	1179	FUNC	<unknown>	DEFAULT	2
histClear	.symtab	0x804dfe0	39	FUNC	<unknown>	DEFAULT	2
hold	.symtab	0x804aa9e	192	FUNC	<unknown>	DEFAULT	2
host2ip	.symtab	0x8049227	143	FUNC	<unknown>	DEFAULT	2
htonl	.symtab	0x8051eb5	7	FUNC	<unknown>	DEFAULT	2
htons	.symtab	0x8051ea8	13	FUNC	<unknown>	DEFAULT	2
i.5507	.symtab	0x80600c0	4	OBJECT	<unknown>	DEFAULT	11
i.5549	.symtab	0x805f8c0	4	OBJECT	<unknown>	DEFAULT	10
ident	.symtab	0x80662a4	4	OBJECT	<unknown>	DEFAULT	11
identd	.symtab	0x804856c	648	FUNC	<unknown>	DEFAULT	2
if_freenameindex	.symtab	0x805702a	52	FUNC	<unknown>	DEFAULT	2
if_index.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
if_indextoname	.symtab	0x8056da0	123	FUNC	<unknown>	DEFAULT	2
if_nameindex	.symtab	0x8056e90	410	FUNC	<unknown>	DEFAULT	2
if_nametoindex	.symtab	0x8056e1b	117	FUNC	<unknown>	DEFAULT	2
in6_addr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
in6addr_any	.symtab	0x805d648	16	OBJECT	<unknown>	DEFAULT	4
in6addr_loopback	.symtab	0x805d658	16	OBJECT	<unknown>	DEFAULT	4
in_cksum	.symtab	0x8048838	124	FUNC	<unknown>	DEFAULT	2
index	.symtab	0x8056734	30	FUNC	<unknown>	DEFAULT	2
inet_addr	.symtab	0x8053144	37	FUNC	<unknown>	DEFAULT	2
inet_aton	.symtab	0x8057060	148	FUNC	<unknown>	DEFAULT	2
inet_aton.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
inet_makeaddr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
inet_ntoa	.symtab	0x805312f	21	FUNC	<unknown>	DEFAULT	2
inet_ntoa.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
inet_ntoa_r	.symtab	0x80530e0	79	FUNC	<unknown>	DEFAULT	2
inet_ntop	.symtab	0x8052f0d	465	FUNC	<unknown>	DEFAULT	2
inet_ntop4	.symtab	0x8052dfc	273	FUNC	<unknown>	DEFAULT	2
inet_pton	.symtab	0x8052c32	458	FUNC	<unknown>	DEFAULT	2
inet_pton4	.symtab	0x8052bac	134	FUNC	<unknown>	DEFAULT	2
infected	.symtab	0x805f8b4	8	OBJECT	<unknown>	DEFAULT	10
init_rand	.symtab	0x80492b6	111	FUNC	<unknown>	DEFAULT	2
initfini.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
initstate	.symtab	0x8054ab9	87	FUNC	<unknown>	DEFAULT	2
initstate_r	.symtab	0x8054ce5	171	FUNC	<unknown>	DEFAULT	2
ioctl	.symtab	0x804fd84	63	FUNC	<unknown>	DEFAULT	2
ioctl.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
isatty	.symtab	0x8051e18	29	FUNC	<unknown>	DEFAULT	2
isatty.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
ismaster	.symtab	0x804df5c	132	FUNC	<unknown>	DEFAULT	2
junk	.symtab	0x804a5e4	192	FUNC	<unknown>	DEFAULT	2
key	.symtab	0x80673e8	4	OBJECT	<unknown>	DEFAULT	11
kill	.symtab	0x804fdc4	50	FUNC	<unknown>	DEFAULT	2
kill.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
killall	.symtab	0x804dded	206	FUNC	<unknown>	DEFAULT	2
killd	.symtab	0x804debb	110	FUNC	<unknown>	DEFAULT	2
knownBots	.symtab	0x805f100	776	OBJECT	<unknown>	DEFAULT	10
legit	.symtab	0x805f8ac	8	OBJECT	<unknown>	DEFAULT	10
lengthd.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
lengthq.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
libc/sysdeps/linux/i386/crt1.S	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
libc/sysdeps/linux/i386/crti.S	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
libc/sysdeps/linux/i386/crtn.S	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
libc/sysdeps/linux/i386/mmap.S	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
libc/sysdeps/linux/i386/vfork.S	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
limiter	.symtab	0x80662a8	4	OBJECT	<unknown>	DEFAULT	11
listFork	.symtab	0x8049a10	169	FUNC	<unknown>	DEFAULT	2
listen	.symtab	0x80538cc	35	FUNC	<unknown>	DEFAULT	2
listen.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
llseek.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
lseek64	.symtab	0x8058ac4	86	FUNC	<unknown>	DEFAULT	2
main	.symtab	0x804f2aa	2112	FUNC	<unknown>	DEFAULT	2
makeFukdString	.symtab	0x804f1cb	144	FUNC	<unknown>	DEFAULT	2
makeRandomShit	.symtab	0x8049661	133	FUNC	<unknown>	DEFAULT	2
malloc	.symtab	0x8053a2a	1954	FUNC	<unknown>	DEFAULT	2
malloc.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
malloc_trim	.symtab	0x80548d5	34	FUNC	<unknown>	DEFAULT	2
masters	.symtab	0x805f0f0	8	OBJECT	<unknown>	DEFAULT	10
memchr	.symtab	0x80566e8	35	FUNC	<unknown>	DEFAULT	2
memchr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
memcpy	.symtab	0x8051b6c	39	FUNC	<unknown>	DEFAULT	2
memcpy.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
memmove	.symtab	0x805670c	39	FUNC	<unknown>	DEFAULT	2
memmove.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
mempcpy	.symtab	0x8056754	33	FUNC	<unknown>	DEFAULT	2
mempcpy.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
memrchr	.symtab	0x8056778	176	FUNC	<unknown>	DEFAULT	2
memrchr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
memset	.symtab	0x8051b94	21	FUNC	<unknown>	DEFAULT	2
memset.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
mfork	.symtab	0x8048383	221	FUNC	<unknown>	DEFAULT	2
mmap	.symtab	0x8055784	27	FUNC	<unknown>	DEFAULT	2
move	.symtab	0x804d8f4	94	FUNC	<unknown>	DEFAULT	2
mremap	.symtab	0x8055978	63	FUNC	<unknown>	DEFAULT	2
mremap.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
msgs	.symtab	0x805f9a0	64	OBJECT	<unknown>	DEFAULT	10
munmap	.symtab	0x80559b8	50	FUNC	<unknown>	DEFAULT	2
munmap.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
mygethostbyname	.symtab	0x80488b4	161	FUNC	<unknown>	DEFAULT	2
mylock	.symtab	0x80640e0	24	OBJECT	<unknown>	DEFAULT	11
mylock	.symtab	0x805fb48	24	OBJECT	<unknown>	DEFAULT	10
mylock	.symtab	0x805fb60	24	OBJECT	<unknown>	DEFAULT	10
mylock	.symtab	0x805fc4c	24	OBJECT	<unknown>	DEFAULT	10
mylock	.symtab	0x8066178	24	OBJECT	<unknown>	DEFAULT	11
nanosleep	.symtab	0x80559ec	50	FUNC	<unknown>	DEFAULT	2
nanosleep.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
negotiate	.symtab	0x804be0f	291	FUNC	<unknown>	DEFAULT	2
next_start.1278	.symtab	0x8066120	4	OBJECT	<unknown>	DEFAULT	11
nick	.symtab	0x80662ac	4	OBJECT	<unknown>	DEFAULT	11
nickc	.symtab	0x8048ed8	153	FUNC	<unknown>	DEFAULT	2
ntohl	.symtab	0x8051ec9	7	FUNC	<unknown>	DEFAULT	2
ntohl.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
ntohs	.symtab	0x8051ebc	13	FUNC	<unknown>	DEFAULT	2
ntop.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
nummasters	.symtab	0x805f0ec	4	OBJECT	<unknown>	DEFAULT	10
numpids	.symtab	0x805fcb4	4	OBJECT	<unknown>	DEFAULT	11
numservers	.symtab	0x805f0e0	4	OBJECT	<unknown>	DEFAULT	10
object.2482	.symtab	0x805fc84	24	OBJECT	<unknown>	DEFAULT	11
open	.symtab	0x8055a20	75	FUNC	<unknown>	DEFAULT	2
open.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
opennameservers.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
opensock.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
p.2427	.symtab	0x805f0c4	0	OBJECT	<unknown>	DEFAULT	10
passwords	.symtab	0x805f660	404	OBJECT	<unknown>	DEFAULT	10
pclose	.symtab	0x80502ec	190	FUNC	<unknown>	DEFAULT	2
perror	.symtab	0x805009c	50	FUNC	<unknown>	DEFAULT	2
perror.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
pid	.symtab	0x80662a0	4	OBJECT	<unknown>	DEFAULT	11
pids	.symtab	0x80673f4	4	OBJECT	<unknown>	DEFAULT	11
pipe	.symtab	0x8055a84	46	FUNC	<unknown>	DEFAULT	2
pipe.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
poll	.symtab	0x804fdf8	54	FUNC	<unknown>	DEFAULT	2
poll.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
popen	.symtab	0x80503aa	506	FUNC	<unknown>	DEFAULT	2
popen.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
popen_list	.symtab	0x80640f8	4	OBJECT	<unknown>	DEFAULT	11
poww	.symtab	0x80487f4	68	FUNC	<unknown>	DEFAULT	2
pps	.symtab	0x80663c0	4	OBJECT	<unknown>	DEFAULT	11
prefix.4371	.symtab	0x805c9dd	12	OBJECT	<unknown>	DEFAULT	4
print	.symtab	0x804b6e4	722	FUNC	<unknown>	DEFAULT	2
printchar	.symtab	0x804b489	66	FUNC	<unknown>	DEFAULT	2
printi	.symtab	0x804b5a5	319	FUNC	<unknown>	DEFAULT	2
prints	.symtab	0x804b4cb	218	FUNC	<unknown>	DEFAULT	2
putc	.symtab	0x8051670	146	FUNC	<unknown>	DEFAULT	2
putc_unlocked	.symtab	0x8051a04	187	FUNC	<unknown>	DEFAULT	2
puts	.symtab	0x80500d0	124	FUNC	<unknown>	DEFAULT	2
puts.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
qual_chars.4377	.symtab	0x805c9f0	20	OBJECT	<unknown>	DEFAULT	4
raise	.symtab	0x8057f54	24	FUNC	<unknown>	DEFAULT	2
raise.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
rand	.symtab	0x8054a0c	5	FUNC	<unknown>	DEFAULT	2
rand.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
rand_cmwc	.symtab	0x8049325	192	FUNC	<unknown>	DEFAULT	2
random	.symtab	0x8054a14	72	FUNC	<unknown>	DEFAULT	2
random.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
random_poly_info	.symtab	0x805d6a0	40	OBJECT	<unknown>	DEFAULT	4
random_r	.symtab	0x8054bed	94	FUNC	<unknown>	DEFAULT	2
random_r.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
randstring	.symtab	0x80484d4	152	FUNC	<unknown>	DEFAULT	2
randtbl	.symtab	0x805fba0	128	OBJECT	<unknown>	DEFAULT	10
rawmemchr	.symtab	0x805845c	99	FUNC	<unknown>	DEFAULT	2
rawmemchr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
read	.symtab	0x8058b1c	54	FUNC	<unknown>	DEFAULT	2
read.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
read_etc_hosts_r.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
read_until_response	.symtab	0x804c0d7	139	FUNC	<unknown>	DEFAULT	2
read_with_timeout	.symtab	0x804c015	194	FUNC	<unknown>	DEFAULT	2
realloc	.symtab	0x80541cc	822	FUNC	<unknown>	DEFAULT	2
realloc.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
realrand	.symtab	0x8048f71	73	FUNC	<unknown>	DEFAULT	2
recv	.symtab	0x80538f0	51	FUNC	<unknown>	DEFAULT	2
recv.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
rekdevice	.symtab	0x805f0f8	4	OBJECT	<unknown>	DEFAULT	10
reset_telstate	.symtab	0x804c1cf	34	FUNC	<unknown>	DEFAULT	2
rewind	.symtab	0x8058100	98	FUNC	<unknown>	DEFAULT	2
rewind.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
rnd	.symtab	0x80673ec	4	OBJECT	<unknown>	DEFAULT	11
rndnick	.symtab	0x8048fba	92	FUNC	<unknown>	DEFAULT	2
rseed	.symtab	0x80663e0	4096	OBJECT	<unknown>	DEFAULT	11
rsi	.symtab	0x80662b8	4	OBJECT	<unknown>	DEFAULT	11
sbrk	.symtab	0x8055ab4	78	FUNC	<unknown>	DEFAULT	2
sbrk.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
scanPid	.symtab	0x805fca0	4	OBJECT	<unknown>	DEFAULT	11
sclose	.symtab	0x804c1f1	44	FUNC	<unknown>	DEFAULT	2
select	.symtab	0x804fe30	63	FUNC	<unknown>	DEFAULT	2
select.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
send	.symtab	0x8053924	51	FUNC	<unknown>	DEFAULT	2
send.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
sendHOLD	.symtab	0x804a6a4	1018	FUNC	<unknown>	DEFAULT	2
sendHTTP	.symtab	0x8049f11	454	FUNC	<unknown>	DEFAULT	2
sendJUNK	.symtab	0x804a1e8	1020	FUNC	<unknown>	DEFAULT	2
sendSTD	.symtab	0x8049ab9	851	FUNC	<unknown>	DEFAULT	2
sendto	.symtab	0x8053958	67	FUNC	<unknown>	DEFAULT	2
sendto.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
serv	.symtab	0x8066164	16	OBJECT	<unknown>	DEFAULT	11
serv_stayopen	.symtab	0x8066174	1	OBJECT	<unknown>	DEFAULT	11
servbuf	.symtab	0x806615c	4	OBJECT	<unknown>	DEFAULT	11
server	.symtab	0x80663c4	4	OBJECT	<unknown>	DEFAULT	11
servers	.symtab	0x805f0e4	8	OBJECT	<unknown>	DEFAULT	10
servf	.symtab	0x8066160	4	OBJECT	<unknown>	DEFAULT	11
setservent	.symtab	0x8056b33	115	FUNC	<unknown>	DEFAULT	2
setsid	.symtab	0x804fe70	38	FUNC	<unknown>	DEFAULT	2
setsid.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
setsockopt	.symtab	0x805399c	59	FUNC	<unknown>	DEFAULT	2
setsockopt.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
setstate	.symtab	0x8054a5c	93	FUNC	<unknown>	DEFAULT	2
setstate_r	.symtab	0x8054b54	153	FUNC	<unknown>	DEFAULT	2
sigaction	.symtab	0x805568f	218	FUNC	<unknown>	DEFAULT	2
sigaction.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
signal	.symtab	0x8057f6c	175	FUNC	<unknown>	DEFAULT	2
signal.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
sigprocmask	.symtab	0x8055b04	85	FUNC	<unknown>	DEFAULT	2
sigprocmask.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
sigsetops.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
sleep	.symtab	0x8055108	393	FUNC	<unknown>	DEFAULT	2
sleep.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
sleeptime	.symtab	0x805f8c4	4	OBJECT	<unknown>	DEFAULT	10
sock	.symtab	0x80662b0	4	OBJECT	<unknown>	DEFAULT	11
socket	.symtab	0x80539d8	43	FUNC	<unknown>	DEFAULT	2
socket.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
socket_connect	.symtab	0x8049e43	206	FUNC	<unknown>	DEFAULT	2
spec_and_mask.4376	.symtab	0x805ca04	16	OBJECT	<unknown>	DEFAULT	4
spec_base.4370	.symtab	0x805c9e9	7	OBJECT	<unknown>	DEFAULT	4
spec_chars.4373	.symtab	0x805ca2d	21	OBJECT	<unknown>	DEFAULT	4
spec_flags.4372	.symtab	0x805ca42	8	OBJECT	<unknown>	DEFAULT	4
spec_or_mask.4375	.symtab	0x805ca14	16	OBJECT	<unknown>	DEFAULT	4
spec_ranges.4374	.symtab	0x805ca24	9	OBJECT	<unknown>	DEFAULT	4
spoofs	.symtab	0x805fcac	4	OBJECT	<unknown>	DEFAULT	11
spoofsm	.symtab	0x805fcb0	4	OBJECT	<unknown>	DEFAULT	11
sprintf	.symtab	0x80501a8	31	FUNC	<unknown>	DEFAULT	2
sprintf.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
srand	.symtab	0x8054b10	67	FUNC	<unknown>	DEFAULT	2
srandom	.symtab	0x8054b10	67	FUNC	<unknown>	DEFAULT	2
srandom_r	.symtab	0x8054c4b	154	FUNC	<unknown>	DEFAULT	2
static_id	.symtab	0x805fc64	2	OBJECT	<unknown>	DEFAULT	10
static_ns	.symtab	0x8066190	4	OBJECT	<unknown>	DEFAULT	11
stderr	.symtab	0x805f9f0	4	OBJECT	<unknown>	DEFAULT	10
stdin	.symtab	0x805f9e8	4	OBJECT	<unknown>	DEFAULT	10
stdout	.symtab	0x805f9ec	4	OBJECT	<unknown>	DEFAULT	10
strcasecmp	.symtab	0x8051d38	54	FUNC	<unknown>	DEFAULT	2
strcasecmp.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strcasestr	.symtab	0x8051d70	83	FUNC	<unknown>	DEFAULT	2
strcasestr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strchr	.symtab	0x8056734	30	FUNC	<unknown>	DEFAULT	2
strchr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strcmp	.symtab	0x805840c	29	FUNC	<unknown>	DEFAULT	2
strcmp.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strcoll	.symtab	0x805840c	29	FUNC	<unknown>	DEFAULT	2
strcpy	.symtab	0x8051bac	27	FUNC	<unknown>	DEFAULT	2
strcpy.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strdup	.symtab	0x8051dc4	54	FUNC	<unknown>	DEFAULT	2
strdup.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strerror_r	.symtab	0x8051c68	182	FUNC	<unknown>	DEFAULT	2
strlen	.symtab	0x8051bc8	19	FUNC	<unknown>	DEFAULT	2
strlen.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strncat	.symtab	0x805842c	46	FUNC	<unknown>	DEFAULT	2
strncat.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strncmp	.symtab	0x8051bdc	37	FUNC	<unknown>	DEFAULT	2
strncmp.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strncpy	.symtab	0x8051c04	38	FUNC	<unknown>	DEFAULT	2
strncpy.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strnlen	.symtab	0x8051c2c	25	FUNC	<unknown>	DEFAULT	2
strnlen.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strpbrk	.symtab	0x8056884	39	FUNC	<unknown>	DEFAULT	2
strpbrk.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strspn	.symtab	0x80584c0	50	FUNC	<unknown>	DEFAULT	2
strspn.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strtok	.symtab	0x8051dfc	25	FUNC	<unknown>	DEFAULT	2
strtok.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strtok_r	.symtab	0x8056828	89	FUNC	<unknown>	DEFAULT	2
strtok_r.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strtol	.symtab	0x8054ed8	26	FUNC	<unknown>	DEFAULT	2
strtol.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strtoul	.symtab	0x8054ef4	26	FUNC	<unknown>	DEFAULT	2
strtoul.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
strwildmatch	.symtab	0x80481fe	295	FUNC	<unknown>	DEFAULT	2
successes	.symtab	0x805f860	32	OBJECT	<unknown>	DEFAULT	10
sysconf	.symtab	0x8055294	325	FUNC	<unknown>	DEFAULT	2
sysconf.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
system	.symtab	0x8054d90	305	FUNC	<unknown>	DEFAULT	2
system.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
szprintf	.symtab	0x804b9b6	39	FUNC	<unknown>	DEFAULT	2
tcgetattr	.symtab	0x8051e38	112	FUNC	<unknown>	DEFAULT	2
tcgetattr.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
tehport	.symtab	0x80673e4	4	OBJECT	<unknown>	DEFAULT	11
textBuffer.5000	.symtab	0x805fcc0	1024	OBJECT	<unknown>	DEFAULT	11
thanks	.symtab	0x805f8c8	4	OBJECT	<unknown>	DEFAULT	10
time	.symtab	0x804fe98	46	FUNC	<unknown>	DEFAULT	2
time.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
tolower	.symtab	0x8055b98	29	FUNC	<unknown>	DEFAULT	2
tolower.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
touchMyself	.symtab	0x804f25b	79	FUNC	<unknown>	DEFAULT	2
toupper	.symtab	0x804ff4c	29	FUNC	<unknown>	DEFAULT	2
toupper.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
type_codes	.symtab	0x805ca4a	24	OBJECT	<unknown>	DEFAULT	4
type_sizes	.symtab	0x805ca62	12	OBJECT	<unknown>	DEFAULT	4
umask	.symtab	0x804fec8	48	FUNC	<unknown>	DEFAULT	2
umask.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
unknown	.symtab	0x80496e6	810	FUNC	<unknown>	DEFAULT	2
unknown.1330	.symtab	0x805ca6e	14	OBJECT	<unknown>	DEFAULT	4
unsafe_state	.symtab	0x805fb78	28	OBJECT	<unknown>	DEFAULT	10
user	.symtab	0x80662bc	4	OBJECT	<unknown>	DEFAULT	11
usernames	.symtab	0x805f4c0	404	OBJECT	<unknown>	DEFAULT	10
usleep	.symtab	0x80553dc	48	FUNC	<unknown>	DEFAULT	2
usleep.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
vasprintf	.symtab	0x80501c8	115	FUNC	<unknown>	DEFAULT	2
vasprintf.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
version	.symtab	0x8048eb6	34	FUNC	<unknown>	DEFAULT	2
vfork	.symtab	0x805576c	21	FUNC	<unknown>	DEFAULT	2
vfprintf	.symtab	0x8050918	136	FUNC	<unknown>	DEFAULT	2
vfprintf.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
vsnprintf	.symtab	0x805023c	176	FUNC	<unknown>	DEFAULT	2
vsnprintf.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
vsprintf	.symtab	0x805014c	26	FUNC	<unknown>	DEFAULT	2
vsprintf.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
wait4	.symtab	0x8055b5c	59	FUNC	<unknown>	DEFAULT	2
wait4.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
waitpid	.symtab	0x804fef8	26	FUNC	<unknown>	DEFAULT	2
waitpid.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
wcrtomb	.symtab	0x8055bc0	69	FUNC	<unknown>	DEFAULT	2
wcrtomb.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
wcsnrtombs	.symtab	0x8055c28	133	FUNC	<unknown>	DEFAULT	2
wcsnrtombs.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
wcsrtombs	.symtab	0x8055c08	30	FUNC	<unknown>	DEFAULT	2
wcsrtombs.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
write	.symtab	0x804ff14	54	FUNC	<unknown>	DEFAULT	2
write.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
xdigits.3285	.symtab	0x805d637	17	OBJECT	<unknown>	DEFAULT	4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 15, 2025 15:34:12.371056080 CEST	43928	443	192.168.2.23	91.189.91.42
Apr 15, 2025 15:34:18.000957012 CEST	42836	443	192.168.2.23	91.189.91.43
Apr 15, 2025 15:34:19.024811983 CEST	42516	80	192.168.2.23	109.202.202.202
Apr 15, 2025 15:34:33.358814001 CEST	43928	443	192.168.2.23	91.189.91.42
Apr 15, 2025 15:34:35.406677008 CEST	33608	443	192.168.2.23	54.171.230.55
Apr 15, 2025 15:34:38.647294044 CEST	33608	443	192.168.2.23	54.171.230.55
Apr 15, 2025 15:34:38.897315979 CEST	443	33608	54.171.230.55	192.168.2.23
Apr 15, 2025 15:34:43.597404003 CEST	42836	443	192.168.2.23	91.189.91.43
Apr 15, 2025 15:34:49.740567923 CEST	42516	80	192.168.2.23	109.202.202.202
Apr 15, 2025 15:35:14.313235044 CEST	43928	443	192.168.2.23	91.189.91.42
Apr 15, 2025 15:35:34.790360928 CEST	42836	443	192.168.2.23	91.189.91.43

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 15, 2025 15:34:12.685002089 CEST	39872	53	192.168.2.23	1.1.1.1
Apr 15, 2025 15:34:12.899415016 CEST	53	39872	1.1.1.1	192.168.2.23

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 15, 2025 15:34:12.685002089 CEST	192.168.2.23	1.1.1.1	0x6689	Standard query (0)	irc.psychz.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 15, 2025 15:34:12.899415016 CEST	1.1.1.1	192.168.2.23	0x6689	No error (0)	irc.psychz.net		108.181.56.253	A (IP address)	IN (0x0001)	false

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report mqi686.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Symbols

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Linux Analysis Report
mqi686.elf