Linux Analysis Report
p0hr6mFo4a.elf

Overview

General Information

Sample Name: p0hr6mFo4a.elf
Analysis ID: 756316
MD5: 6ffbb525463973b94b047cb7e87a3f7b
SHA1: b44d04f5f7c258596cfd4b3584beaf23504ca38f
SHA256: 3b8cd3d659758d58c07fb37045a07aa1afa74beb160d1393c5f51b4828774418
Tags: 32, arm, elf, gafgyt
Infos:

Detection

Mirai
Score: 76
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected Mirai
Multi AV Scanner detection for submitted file
Opens /proc/net/* files useful for finding connected devices and routers
Yara signature match
Sample contains strings that are user agent strings indicative of HTTP manipulation
Uses the "uname" system call to query kernel version information (possible evasion)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.
All HTTP servers contacted by the sample do not answer. The sample is likely an old dropper which does no longer work.
Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures.
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 756316
Start date and time: 2022-11-30 01:09:09 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 45s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: p0hr6mFo4a.elf
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Detection: MAL
Classification: mal76.spre.troj.linELF@0/0@0/0
Command: /tmp/p0hr6mFo4a.elf
PID: 6222
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
gosh that chinese family at the other table sure ate alot
Standard Error:
  • system is lnxubuntu20
  • cleanup
Source | Rule | Description | Author | Strings
p0hr6mFo4a.elf | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security |
p0hr6mFo4a.elf | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown |
Source | Rule | Description | Author | Strings
6224.1.00007fedcc017000.00007fedcc02d000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security |
6224.1.00007fedcc017000.00007fedcc02d000.r-x.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown |
6222.1.00007fedcc017000.00007fedcc02d000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security |
6222.1.00007fedcc017000.00007fedcc02d000.r-x.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown |
6225.1.00007fedcc017000.00007fedcc02d000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security |
          No Snort rule has matched

          AV Detection

          Source: p0hr6mFo4a.elf | Avira: detected
          Source: p0hr6mFo4a.elf | Virustotal: Detection: 66%
          Source: p0hr6mFo4a.elf | ReversingLabs: Detection: 65%

          Spreading

          Source: /tmp/p0hr6mFo4a.elf (PID: 6222) | Opens: /proc/net/route
          Source: global traffic | TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
          Source: global traffic | TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
          Source: global traffic | TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
          Source: global traffic | TCP traffic: 192.168.2.23:38500 -> 47.87.197.232:576
          Source: unknown | Network traffic detected: HTTP traffic on port 43928 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 42836 -> 443
          Source: unknownTCP traffic detected without corresponding DNS query: 47.87.197.232
          Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
          Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
          Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42

          System Summary

          Source: p0hr6mFo4a.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
          Source: 6224.1.00007fedcc017000.00007fedcc02d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
          Source: 6222.1.00007fedcc017000.00007fedcc02d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
          Source: 6225.1.00007fedcc017000.00007fedcc02d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
          Source: Process Memory Space: p0hr6mFo4a.elf PID: 6222, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
          Source: Process Memory Space: p0hr6mFo4a.elf PID: 6224, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
          Source: Process Memory Space: p0hr6mFo4a.elf PID: 6225, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
          Source: p0hr6mFo4a.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
          Source: 6224.1.00007fedcc017000.00007fedcc02d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
          Source: 6222.1.00007fedcc017000.00007fedcc02d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
          Source: 6225.1.00007fedcc017000.00007fedcc02d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
          Source: Process Memory Space: p0hr6mFo4a.elf PID: 6222, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
          Source: Process Memory Space: p0hr6mFo4a.elf PID: 6224, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
          Source: Process Memory Space: p0hr6mFo4a.elf PID: 6225, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
          Source: classification engineClassification label: mal76.spre.troj.linELF@0/0@0/0
          Source: p0hr6mFo4a.elfELF static info symbol of initial sample: /home/firmware/build/temp-armv5l/gcc-core/gcc/config/arm/lib1funcs.asm
          Source: p0hr6mFo4a.elfELF static info symbol of initial sample: libc/string/arm/_memcpy.S
          Source: p0hr6mFo4a.elfELF static info symbol of initial sample: libc/string/arm/bcopy.S
          Source: p0hr6mFo4a.elfELF static info symbol of initial sample: libc/string/arm/memcpy.S
          Source: p0hr6mFo4a.elfELF static info symbol of initial sample: libc/string/arm/memmove.S
          Source: p0hr6mFo4a.elfELF static info symbol of initial sample: libc/string/arm/memset.S
          Source: p0hr6mFo4a.elfELF static info symbol of initial sample: libc/string/arm/strcmp.S
          Source: p0hr6mFo4a.elfELF static info symbol of initial sample: libc/string/arm/strlen.S
          Source: p0hr6mFo4a.elfELF static info symbol of initial sample: libc/sysdeps/linux/arm/crt1.S
          Source: p0hr6mFo4a.elfELF static info symbol of initial sample: libc/sysdeps/linux/arm/crti.S
          Source: p0hr6mFo4a.elfELF static info symbol of initial sample: libc/sysdeps/linux/arm/crtn.S
          Source: p0hr6mFo4a.elfELF static info symbol of initial sample: libc/sysdeps/linux/arm/sigrestorer.S
          Source: p0hr6mFo4a.elfELF static info symbol of initial sample: libc/sysdeps/linux/arm/vfork.S
          Source: /tmp/p0hr6mFo4a.elf (PID: 6222) | Queries kernel information via 'uname'
          Source: p0hr6mFo4a.elf, 6222.1.00007fff1aee7000.00007fff1af08000.rw-.sdmp, p0hr6mFo4a.elf, 6224.1.00007fff1aee7000.00007fff1af08000.rw-.sdmp, p0hr6mFo4a.elf, 6225.1.00007fff1aee7000.00007fff1af08000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-arm/tmp/p0hr6mFo4a.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/p0hr6mFo4a.elf
          Source: p0hr6mFo4a.elf, 6222.1.00005651f2419000.00005651f2568000.rw-.sdmp, p0hr6mFo4a.elf, 6224.1.00005651f2419000.00005651f2568000.rw-.sdmp, p0hr6mFo4a.elf, 6225.1.00005651f2419000.00005651f2568000.rw-.sdmpBinary or memory string: QV!/etc/qemu-binfmt/arm
          Source: p0hr6mFo4a.elf, 6222.1.00005651f2419000.00005651f2568000.rw-.sdmp, p0hr6mFo4a.elf, 6224.1.00005651f2419000.00005651f2568000.rw-.sdmp, p0hr6mFo4a.elf, 6225.1.00005651f2419000.00005651f2568000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/arm
          Source: p0hr6mFo4a.elf, 6222.1.00007fff1aee7000.00007fff1af08000.rw-.sdmp, p0hr6mFo4a.elf, 6224.1.00007fff1aee7000.00007fff1af08000.rw-.sdmp, p0hr6mFo4a.elf, 6225.1.00007fff1aee7000.00007fff1af08000.rw-.sdmpBinary or memory string: /usr/bin/qemu-arm

          Stealing of Sensitive Information

          Source: Yara matchFile source: p0hr6mFo4a.elf, type: SAMPLE
          Source: Yara matchFile source: 6224.1.00007fedcc017000.00007fedcc02d000.r-x.sdmp, type: MEMORY
          Source: Yara matchFile source: 6222.1.00007fedcc017000.00007fedcc02d000.r-x.sdmp, type: MEMORY
          Source: Yara matchFile source: 6225.1.00007fedcc017000.00007fedcc02d000.r-x.sdmp, type: MEMORY
          Source: Initial sampleUser agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; pl) Opera 11.00
          Source: Initial sampleUser agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; en) Opera 11.00
          Source: Initial sampleUser agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; ja) Opera 11.00
          Source: Initial sampleUser agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; de) Opera 11.01
          Source: Initial sampleUser agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; fr) Opera 11.00
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
          Source: Initial sampleUser agent string found: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11) AppleWebKit/601.1.56 (KHTML, like Gecko) Version/9.0 Safari/601.1.56
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.7 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.7
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
          Source: Initial sampleUser agent string found: Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51
          Source: Initial sampleUser agent string found: Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Linux; Android 4.4.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.89 Mobile Safari/537.36
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Linux; Android 4.4.3; HTC_0PCV2 Build/KTU84L) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
          Source: Initial sampleUser agent string found: Mozilla/4.0 (compatible; MSIE 8.0; X11; Linux x86_64; pl) Opera 11.00
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:25.0) Gecko/20100101 Firefox/25.0
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10; rv:33.0) Gecko/20100101 Firefox/33.0

          Remote Access Functionality

          Source: Yara matchFile source: p0hr6mFo4a.elf, type: SAMPLE
          Source: Yara matchFile source: 6224.1.00007fedcc017000.00007fedcc02d000.r-x.sdmp, type: MEMORY
          Source: Yara matchFile source: 6222.1.00007fedcc017000.00007fedcc02d000.r-x.sdmp, type: MEMORY
          Source: Yara matchFile source: 6225.1.00007fedcc017000.00007fedcc02d000.r-x.sdmp, type: MEMORY
          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential Dumping11
          Security Software Discovery
          Remote ServicesData from Local SystemExfiltration Over Other Network Medium1
          Data Obfuscation
          Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
          Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS Memory1
          Remote System Discovery
          Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth1
          Encrypted Channel
          Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
          Non-Standard Port
          Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled Transfer1
          Application Layer Protocol
          SIM Card SwapCarrier Billing Fraud
          No configs have been found
          Source | Detection | Scanner | Label
          p0hr6mFo4a.elf | 66% | Virustotal |
          p0hr6mFo4a.elf | 65% | ReversingLabs | Linux.Trojan.Gafgyt
          p0hr6mFo4a.elf | 100% | Avira | LINUX/Gafgyt.opnd
          No Antivirus matches
          No contacted domains info
          IP | Domain | Country | ASN | ASN Name | Malicious
          47.87.197.232 | unknown | United States | 3209 | VODANETInternationalIP-BackboneofVodafoneDE | false
          109.202.202.202 | unknown | Switzerland | 13030 | INIT7CH | false
          91.189.91.43 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
          91.189.91.42 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
          109.202.202.202portainerGet hashmaliciousBrowse
            l.out.elfGet hashmaliciousBrowse
              SecuriteInfo.com.Linux.Siggen.4218.14490.21271.elfGet hashmaliciousBrowse
                8LzAAQOA5F.elfGet hashmaliciousBrowse
                  GzQ3LRVbSB.elfGet hashmaliciousBrowse
                    QIsLuTv1ka.elfGet hashmaliciousBrowse
                      FIieajcRYe.elfGet hashmaliciousBrowse
                        o9epZmdr6x.elfGet hashmaliciousBrowse
                          auD8Kknsmc.elfGet hashmaliciousBrowse
                            7Cz3REBlrI.elfGet hashmaliciousBrowse
                              R2YElGmM5e.elfGet hashmaliciousBrowse
                                sora.arm7.elfGet hashmaliciousBrowse
                                  sora.x86.elfGet hashmaliciousBrowse
                                    SecuriteInfo.com.Linux.Siggen.4218.31945.1125.elfGet hashmaliciousBrowse
                                      sora.arm7.elfGet hashmaliciousBrowse
                                        sora.x86.elfGet hashmaliciousBrowse
                                          YziyrKNTFz.elfGet hashmaliciousBrowse
                                            9FrHfq70Fi.elfGet hashmaliciousBrowse
                                              CZr4ZXLsLeGet hashmaliciousBrowse
                                                M8GOt1nlUu.elfGet hashmaliciousBrowse
                                                  91.189.91.43portainerGet hashmaliciousBrowse
                                                    l.out.elfGet hashmaliciousBrowse
                                                      SecuriteInfo.com.Linux.Siggen.4218.14490.21271.elfGet hashmaliciousBrowse
                                                        8LzAAQOA5F.elfGet hashmaliciousBrowse
                                                          GzQ3LRVbSB.elfGet hashmaliciousBrowse
                                                            QIsLuTv1ka.elfGet hashmaliciousBrowse
                                                              FIieajcRYe.elfGet hashmaliciousBrowse
                                                                o9epZmdr6x.elfGet hashmaliciousBrowse
                                                                  auD8Kknsmc.elfGet hashmaliciousBrowse
                                                                    7Cz3REBlrI.elfGet hashmaliciousBrowse
                                                                      R2YElGmM5e.elfGet hashmaliciousBrowse
                                                                        sora.arm7.elfGet hashmaliciousBrowse
                                                                          sora.x86.elfGet hashmaliciousBrowse
                                                                            SecuriteInfo.com.Linux.Siggen.4218.31945.1125.elfGet hashmaliciousBrowse
                                                                              sora.arm7.elfGet hashmaliciousBrowse
                                                                                sora.x86.elfGet hashmaliciousBrowse
                                                                                  YziyrKNTFz.elfGet hashmaliciousBrowse
                                                                                    9FrHfq70Fi.elfGet hashmaliciousBrowse
                                                                                      CZr4ZXLsLeGet hashmaliciousBrowse
                                                                                        M8GOt1nlUu.elfGet hashmaliciousBrowse
                                                                                          No context
                                                                                          No context
                                                                                          No context
                                                                                          No created / dropped files found
                                                                                          File type:ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, with debug_info, not stripped
                                                                                          Entropy (8bit):5.988533115484921
                                                                                          TrID:
                                                                                          • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                                                                                          File name:p0hr6mFo4a.elf
                                                                                          File size:125008
                                                                                          MD5:6ffbb525463973b94b047cb7e87a3f7b
                                                                                          SHA1:b44d04f5f7c258596cfd4b3584beaf23504ca38f
                                                                                          SHA256:3b8cd3d659758d58c07fb37045a07aa1afa74beb160d1393c5f51b4828774418
                                                                                          SHA512:09adceed5796ddfed2684752b223f62b5ace60f6b46daa25bfc0cf9450605132992017c0e83c22746eb78209a06496e1de425eea792d38f91c73c962e41a1a24
                                                                                          SSDEEP:3072:QjDy/ayFRLtnPUK3lbd3oU3i6m7/L7QsvmGfIiNb:eOlRL1b3lb+km7/L7QsvmGfIiNb
                                                                                          TLSH:0CC3F730E8044B1BC2D223F6E75A869E3F351E9797A733155B3879B02FF27991E29520
                                                                                          File Content Preview:.ELF...a..........(.........4...Xx......4. ...(......................Y...Y...............`...`...`..@....h..........Q.td..................................-...L."....D..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

                                                                                          ELF header

                                                                                          Class:
                                                                                          Data:
                                                                                          Version:
                                                                                          Machine:
                                                                                          Version Number:
                                                                                          Type:
                                                                                          OS/ABI:
                                                                                          ABI Version:
                                                                                          Entry Point Address:
                                                                                          Flags:
                                                                                          ELF Header Size:
                                                                                          Program Header Offset:
                                                                                          Program Header Size:
                                                                                          Number of Program Headers:
                                                                                          Section Header Offset:
                                                                                          Section Header Size:
                                                                                          Number of Section Headers:
                                                                                          Header String Table Index:
Name            Type      Address  Offset   Size     EntSize  Flags  Flags Description  Link  Info  Align
                NULL      0x0      0x0      0x0      0x0      0x0                       0     0     0
.init           PROGBITS  0x8094   0x94     0x18     0x0      0x6    AX                 0     0     4
.text           PROGBITS  0x80b0   0xb0     0x11424  0x0      0x6    AX                 0     0     16
.fini           PROGBITS  0x194d4  0x114d4  0x14     0x0      0x6    AX                 0     0     4
.rodata         PROGBITS  0x194e8  0x114e8  0x4494   0x0      0x2    A                  0     0     4
.eh_frame       PROGBITS  0x1d97c  0x1597c  0x4      0x0      0x2    A                  0     0     4
.ctors          PROGBITS  0x26000  0x16000  0x8      0x0      0x3    WA                 0     0     4
.dtors          PROGBITS  0x26008  0x16008  0x8      0x0      0x3    WA                 0     0     4
.jcr            PROGBITS  0x26010  0x16010  0x4      0x0      0x3    WA                 0     0     4
.data           PROGBITS  0x26014  0x16014  0x42c    0x0      0x3    WA                 0     0     4
.bss            NOBITS    0x26440  0x16440  0x6458   0x0      0x3    WA                 0     0     4
.comment        PROGBITS  0x0      0x16440  0xbd4    0x0      0x0                       0     0     1
.debug_aranges  PROGBITS  0x0      0x17018  0xa0     0x0      0x0                       0     0     8
.debug_info     PROGBITS  0x0      0x170b8  0x30c    0x0      0x0                       0     0     1
.debug_abbrev   PROGBITS  0x0      0x173c4  0x64     0x0      0x0                       0     0     1
.debug_line     PROGBITS  0x0      0x17428  0x2e7    0x0      0x0                       0     0     1
.debug_frame    PROGBITS  0x0      0x17710  0xa0     0x0      0x0                       0     0     4
.shstrtab       STRTAB    0x0      0x177b0  0xa8     0x0      0x0                       0     0     1
.symtab         SYMTAB    0x0      0x17b78  0x4750   0x10     0x0                       19    640   4
.strtab         STRTAB    0x0      0x1c2c8  0x2588   0x0      0x0                       0     0     1
Type       Offset   Virtual Address  Physical Address  File Size  Memory Size  Entropy  Flags  Flags Description  Align   Prog Interpreter  Section Mappings
LOAD       0x0      0x8000           0x8000            0x15980    0x15980      6.1502   0x5    R E                0x8000                    .init .text .fini .rodata .eh_frame
LOAD       0x16000  0x26000          0x26000           0x440      0x6898       3.0990   0x6    RW                 0x8000                    .ctors .dtors .jcr .data .bss
GNU_STACK  0x0      0x0              0x0               0x0        0x0          0.0000   0x7    RWE                0x4
Name  Version Info Name  Version Info File Name  Section Name  Value    Size  Symbol Type  Symbol Bind  Symbol Visibility  Ndx
                                                 .symtab       0x0      0     NOTYPE       <unknown>    DEFAULT            SHN_UNDEF
                                                 .symtab       0x8094   0     SECTION      <unknown>    DEFAULT            1
                                                 .symtab       0x80b0   0     SECTION      <unknown>    DEFAULT            2
                                                 .symtab       0x194d4  0     SECTION      <unknown>    DEFAULT            3
                                                 .symtab       0x194e8  0     SECTION      <unknown>    DEFAULT            4
                                                 .symtab       0x1d97c  0     SECTION      <unknown>    DEFAULT            5
                                                 .symtab       0x26000  0     SECTION      <unknown>    DEFAULT            6
                                                 .symtab       0x26008  0     SECTION      <unknown>    DEFAULT            7
                                                 .symtab       0x26010  0     SECTION      <unknown>    DEFAULT            8
                                                 .symtab       0x26014  0     SECTION      <unknown>    DEFAULT            9
                                                 .symtab       0x26440  0     SECTION      <unknown>    DEFAULT            10
                                                 .symtab       0x0      0     SECTION      <unknown>    DEFAULT            11
                                                 .symtab       0x0      0     SECTION      <unknown>    DEFAULT            12
                                                 .symtab       0x0      0     SECTION      <unknown>    DEFAULT            13
                                                 .symtab       0x0      0     SECTION      <unknown>    DEFAULT            14
                                                                                          .symtab0x0</