Linux Analysis Report
yB9hLLnhbx.elf

Overview

General Information

Sample Name:yB9hLLnhbx.elf
Analysis ID:756320
MD5:f91d9aa9e9d29ae67a5d1d504050c519
SHA1:aad17596d13e5d9439141165e968f9001af29407
SHA256:b49d71d61bc5f0871a7fa5f4cb6816d9a58633440428a3ddec13346fd4386185
Tags:32 elf gafgyt mips
Infos:

Detection

Mirai
Score:80
Range:0 - 100
Whitelisted:false

Signatures

Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected Mirai
Multi AV Scanner detection for submitted file
Contains symbols with names commonly found in malware
Opens /proc/net/* files useful for finding connected devices and routers
Yara signature match
Sample contains strings that are user agent strings indicative of HTTP manipulation
Uses the "uname" system call to query kernel version information (possible evasion)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.
None of the HTTP servers contacted by the sample answer. The sample is likely an old dropper which no longer works.
Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures.
Joe Sandbox Version:36.0.0 Rainbow Opal
Analysis ID:756320
Start date and time:2022-11-30 01:18:06 +01:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 5m 34s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:yB9hLLnhbx.elf
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Detection:MAL
Classification:mal80.spre.troj.linELF@0/1@0/0
Command:/tmp/yB9hLLnhbx.elf
PID:6229
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
gosh that chinese family at the other table sure ate alot
Standard Error:
  • system is lnxubuntu20
  • cleanup
Source | Rule | Description | Author | Strings
yB9hLLnhbx.elf | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security |
yB9hLLnhbx.elf | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown |
Source | Rule | Description | Author | Strings
6231.1.00007fbb84400000.00007fbb8441e000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security |
6231.1.00007fbb84400000.00007fbb8441e000.r-x.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown |
6232.1.00007fbb84400000.00007fbb8441e000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security |
6232.1.00007fbb84400000.00007fbb8441e000.r-x.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown |
6229.1.00007fbb84400000.00007fbb8441e000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security |
          No Snort rule has matched

          AV Detection

          Source: yB9hLLnhbx.elf, Avira: detected
          Source: yB9hLLnhbx.elf, ReversingLabs: Detection: 61%
          Source: yB9hLLnhbx.elf, Virustotal: Detection: 63%

          Spreading

          Source: /tmp/yB9hLLnhbx.elf (PID: 6229), Opens: /proc/net/route
          Source: global traffic, TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
          Source: global traffic, TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
          Source: global traffic, TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
          Source: global traffic, TCP traffic: 192.168.2.23:38500 -> 47.87.197.232:576
          Source: unknown, Network traffic detected: HTTP traffic on port 43928 -> 443
          Source: unknown, Network traffic detected: HTTP traffic on port 42836 -> 443
          Source: unknown, TCP traffic detected without corresponding DNS query: 47.87.197.232
          Source: unknown, TCP traffic detected without corresponding DNS query: 91.189.91.43
          Source: unknown, TCP traffic detected without corresponding DNS query: 109.202.202.202
          Source: unknown, TCP traffic detected without corresponding DNS query: 91.189.91.42

          System Summary

          Source: yB9hLLnhbx.elf, type: SAMPLE, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
          Source: 6231.1.00007fbb84400000.00007fbb8441e000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
          Source: 6232.1.00007fbb84400000.00007fbb8441e000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
          Source: 6229.1.00007fbb84400000.00007fbb8441e000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
          Source: Process Memory Space: yB9hLLnhbx.elf PID: 6229, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
          Source: Process Memory Space: yB9hLLnhbx.elf PID: 6231, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
          Source: Process Memory Space: yB9hLLnhbx.elf PID: 6232, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
          Source: ELF static info symbol of initial sample, Name: vseattack
          Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
          Reported with the same rule metadata for each of these sources:
          • yB9hLLnhbx.elf, type: SAMPLE
          • 6231.1.00007fbb84400000.00007fbb8441e000.r-x.sdmp, type: MEMORY
          • 6232.1.00007fbb84400000.00007fbb8441e000.r-x.sdmp, type: MEMORY
          • 6229.1.00007fbb84400000.00007fbb8441e000.r-x.sdmp, type: MEMORY
          • Process Memory Space: yB9hLLnhbx.elf PID: 6229, type: MEMORYSTR
          • Process Memory Space: yB9hLLnhbx.elf PID: 6231, type: MEMORYSTR
          • Process Memory Space: yB9hLLnhbx.elf PID: 6232, type: MEMORYSTR
          Source: classification engine, Classification label: mal80.spre.troj.linELF@0/1@0/0
          Source: yB9hLLnhbx.elf, ELF static info symbol of initial sample: libc/string/mips/memcpy.S
          Source: yB9hLLnhbx.elf, ELF static info symbol of initial sample: libc/string/mips/memset.S
          Source: yB9hLLnhbx.elf, ELF static info symbol of initial sample: libc/sysdeps/linux/mips/crt1.S
          Source: yB9hLLnhbx.elf, ELF static info symbol of initial sample: libc/sysdeps/linux/mips/crti.S
          Source: yB9hLLnhbx.elf, ELF static info symbol of initial sample: libc/sysdeps/linux/mips/crtn.S
          Source: yB9hLLnhbx.elf, ELF static info symbol of initial sample: libc/sysdeps/linux/mips/pipe.S
          Source: /tmp/yB9hLLnhbx.elf (PID: 6229), Queries kernel information via 'uname'
          Source: yB9hLLnhbx.elf, 6229.1.00007ffcdd214000.00007ffcdd235000.rw-.sdmp, Binary or memory string: U/tmp/qemu-open.LkIBrb\
          Source: yB9hLLnhbx.elf, 6229.1.000055a0aa12d000.000055a0aa1b4000.rw-.sdmp, yB9hLLnhbx.elf, 6231.1.000055a0aa12d000.000055a0aa1b4000.rw-.sdmp, yB9hLLnhbx.elf, 6232.1.000055a0aa12d000.000055a0aa1b4000.rw-.sdmp, Binary or memory string: U!/etc/qemu-binfmt/mips
          Source: yB9hLLnhbx.elf, 6229.1.000055a0aa12d000.000055a0aa1b4000.rw-.sdmp, yB9hLLnhbx.elf, 6231.1.000055a0aa12d000.000055a0aa1b4000.rw-.sdmp, yB9hLLnhbx.elf, 6232.1.000055a0aa12d000.000055a0aa1b4000.rw-.sdmp, Binary or memory string: /etc/qemu-binfmt/mips
          Source: yB9hLLnhbx.elf, 6229.1.00007ffcdd214000.00007ffcdd235000.rw-.sdmp, yB9hLLnhbx.elf, 6231.1.00007ffcdd214000.00007ffcdd235000.rw-.sdmp, yB9hLLnhbx.elf, 6232.1.00007ffcdd214000.00007ffcdd235000.rw-.sdmp, Binary or memory string: /usr/bin/qemu-mips
          Source: yB9hLLnhbx.elf, 6229.1.00007ffcdd214000.00007ffcdd235000.rw-.sdmp, yB9hLLnhbx.elf, 6231.1.00007ffcdd214000.00007ffcdd235000.rw-.sdmp, yB9hLLnhbx.elf, 6232.1.00007ffcdd214000.00007ffcdd235000.rw-.sdmp, Binary or memory string: Jx86_64/usr/bin/qemu-mips/tmp/yB9hLLnhbx.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/yB9hLLnhbx.elf
          Source: yB9hLLnhbx.elf, 6229.1.00007ffcdd214000.00007ffcdd235000.rw-.sdmp, Binary or memory string: /tmp/qemu-open.LkIBrb

          Stealing of Sensitive Information

          Source: Yara match, File source: yB9hLLnhbx.elf, type: SAMPLE
          Source: Yara match, File source: 6231.1.00007fbb84400000.00007fbb8441e000.r-x.sdmp, type: MEMORY
          Source: Yara match, File source: 6232.1.00007fbb84400000.00007fbb8441e000.r-x.sdmp, type: MEMORY
          Source: Yara match, File source: 6229.1.00007fbb84400000.00007fbb8441e000.r-x.sdmp, type: MEMORY

          Remote Access Functionality

          Source: Yara match, File source: yB9hLLnhbx.elf, type: SAMPLE
          Source: Yara match, File source: 6231.1.00007fbb84400000.00007fbb8441e000.r-x.sdmp, type: MEMORY
          Source: Yara match, File source: 6232.1.00007fbb84400000.00007fbb8441e000.r-x.sdmp, type: MEMORY
          Source: Yara match, File source: 6229.1.00007fbb84400000.00007fbb8441e000.r-x.sdmp, type: MEMORY
          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | Direct Volume Access | OS Credential Dumping | 11 Security Software Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | 1 Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | 1 Remote System Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Standard Port | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 1 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
          No configs have been found
          Source | Detection | Scanner | Label
          yB9hLLnhbx.elf | 62% | ReversingLabs | Linux.Trojan.LnxGafgyt
          yB9hLLnhbx.elf | 63% | Virustotal |
          yB9hLLnhbx.elf | 100% | Avira | LINUX/Mirai.Gafgyt.
          No Antivirus matches
          No contacted domains info
          IP | Domain | Country | ASN | ASN Name | Malicious
          47.87.197.232 | unknown | United States | 3209 | VODANETInternationalIP-BackboneofVodafoneDE | false
          109.202.202.202 | unknown | Switzerland | 13030 | INIT7CH | false
          91.189.91.43 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
          91.189.91.42 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
                                                                                              • 109.202.202.202
                                                                                              sora.x86.elfGet hashmaliciousBrowse
                                                                                              • 109.202.202.202
                                                                                              SecuriteInfo.com.Linux.Siggen.4218.31945.1125.elfGet hashmaliciousBrowse
                                                                                              • 109.202.202.202
                                                                                              sora.arm7.elfGet hashmaliciousBrowse
                                                                                              • 109.202.202.202
                                                                                              sora.x86.elfGet hashmaliciousBrowse
                                                                                              • 109.202.202.202
                                                                                              YziyrKNTFz.elfGet hashmaliciousBrowse
                                                                                              • 109.202.202.202
                                                                                              9FrHfq70Fi.elfGet hashmaliciousBrowse
                                                                                              • 109.202.202.202
                                                                                              VODANETInternationalIP-BackboneofVodafoneDEyS7c2Bzlu2.elfGet hashmaliciousBrowse
                                                                                              • 47.87.197.232
                                                                                              p0hr6mFo4a.elfGet hashmaliciousBrowse
                                                                                              • 47.87.197.232
                                                                                              7HuJu44thW.elfGet hashmaliciousBrowse
                                                                                              • 188.110.182.82
                                                                                              Yw0HhtLWAz.elfGet hashmaliciousBrowse
                                                                                              • 188.109.141.7
                                                                                              MZbxLJqYM3.elfGet hashmaliciousBrowse
                                                                                              • 2.203.197.21
                                                                                              oAUrOBvfbV.elfGet hashmaliciousBrowse
                                                                                              • 2.205.253.113
                                                                                              jew.x86.elfGet hashmaliciousBrowse
                                                                                              • 88.73.217.45
                                                                                              3y849k7eIG.elfGet hashmaliciousBrowse
                                                                                              • 188.97.131.92
                                                                                              ewfDbhCyw3.elfGet hashmaliciousBrowse
                                                                                              • 188.107.42.3
                                                                                              wIUY7HguZD.elfGet hashmaliciousBrowse
                                                                                              • 88.68.114.1
                                                                                              87uWrdTuhh.elfGet hashmaliciousBrowse
                                                                                              • 94.221.53.89
                                                                                              tYV5avLJzh.elfGet hashmaliciousBrowse
                                                                                              • 188.107.45.128
                                                                                              kQhLxBYJGw.elfGet hashmaliciousBrowse
                                                                                              • 109.41.117.192
                                                                                              zg8P6HaVf2.elfGet hashmaliciousBrowse
                                                                                              • 213.23.15.180
                                                                                              Mddos.arm.elfGet hashmaliciousBrowse
                                                                                              • 47.87.28.61
                                                                                              SecuriteInfo.com.Linux.Siggen.9999.7635.14049.elfGet hashmaliciousBrowse
                                                                                              • 178.5.76.73
                                                                                              4Wu0n8HHNS.elfGet hashmaliciousBrowse
                                                                                              • 47.70.112.98
                                                                                              hotnet.arm.elfGet hashmaliciousBrowse
                                                                                              • 188.106.42.82
                                                                                              2BDwNIeogc.elfGet hashmaliciousBrowse
                                                                                              • 109.47.30.165
                                                                                              GoVDsH5Zz1.elfGet hashmaliciousBrowse
                                                                                              • 2.205.253.141
                                                                                              No context
                                                                                              No context
Process: /tmp/yB9hLLnhbx.elf
File Type: ASCII text
Category: dropped
Size (bytes): 230
Entropy (8bit): 3.709552666863289
Encrypted: false
SSDEEP: 6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
MD5: 2E667F43AE18CD1FE3C108641708A82C
SHA1: 12B90DE2DA0FBCFE66F3D6130905E56C8D6A68D3
SHA-256: 6F721492E7A337C5B498A8F55F5EB7AC745AFF716D0B5B08EFF2C1B6B250F983
SHA-512: D2A0EE2509154EC1098994F38BE172F98F4150399C534A04D5C675D7C05630802225019F19344CC9070C576BC465A4FEB382AC7712DE6BF25E9244B54A9DB830
Malicious: false
Reputation: high, very likely benign file
Preview: Iface.Destination.Gateway .Flags.RefCnt.Use.Metric.Mask..MTU.Window.IRTT .ens160.00000000.c0a80201.0003.0.0.0.00000000.0.0.0.ens160.c0a80200.00000000.0001.0.0.0.ffffff00.0.0.0.

File type: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
Entropy (8bit): 5.320838724230978
TrID:
• ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: yB9hLLnhbx.elf
File size: 155428
MD5: f91d9aa9e9d29ae67a5d1d504050c519
SHA1: aad17596d13e5d9439141165e968f9001af29407
SHA256: b49d71d61bc5f0871a7fa5f4cb6816d9a58633440428a3ddec13346fd4386185
SHA512: 3293e2e6546b811a160a0cf204d955623f4c2e0ac7893ffafb6e114aca53b41a334875715ab12dac5512d98b298632e15e946fa890a453a3cb566b5420cd5c05
SSDEEP: 3072:JW6dK9tS1aRGQdK76t/zLEI5mrThPaLEnvPrNb:c6UG+LL5mrThPaLEnvPrNb
TLSH: 33E3A53E7A11AFBEE168827107F29F70CF9529D326A19381E26CF6185E7118D0C9FB54
File Content Preview: .ELF.....................@.....4.........4. ...(....p........@...@...........................@...@...........................E...E.....P..o.........dt.Q.................................................FUP<...'.T....!'.......................<...'.T`...!...

                                                                                              ELF header

                                                                                              Class:
                                                                                              Data:
                                                                                              Version:
                                                                                              Machine:
                                                                                              Version Number:
                                                                                              Type:
                                                                                              OS/ABI:
                                                                                              ABI Version:
                                                                                              Entry Point Address:
                                                                                              Flags:
                                                                                              ELF Header Size:
                                                                                              Program Header Offset:
                                                                                              Program Header Size:
                                                                                              Number of Program Headers:
                                                                                              Section Header Offset:
                                                                                              Section Header Size:
                                                                                              Number of Section Headers:
                                                                                              Header String Table Index:
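| Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align |
|---|---|---|---|---|---|---|---|---|---|---|
| | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0 |
| .reginfo | MIPS_REGINFO | 0x4000b4 | 0xb4 | 0x18 | 0x18 | 0x2 | A | 0 | 0 | 4 |
| .init | PROGBITS | 0x4000cc | 0xcc | 0x8c | 0x0 | 0x6 | AX | 0 | 0 | 4 |
| .text | PROGBITS | 0x400160 | 0x160 | 0x188b0 | 0x0 | 0x6 | AX | 0 | 0 | 16 |
| .fini | PROGBITS | 0x418a10 | 0x18a10 | 0x5c | 0x0 | 0x6 | AX | 0 | 0 | 4 |
| .rodata | PROGBITS | 0x418a70 | 0x18a70 | 0x45a0 | 0x0 | 0x2 | A | 0 | 0 | 16 |
| .eh_frame | PROGBITS | 0x41d010 | 0x1d010 | 0x4 | 0x0 | 0x2 | A | 0 | 0 | 4 |
| .ctors | PROGBITS | 0x45d014 | 0x1d014 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
| .dtors | PROGBITS | 0x45d01c | 0x1d01c | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
| .jcr | PROGBITS | 0x45d024 | 0x1d024 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
| .data.rel.ro | PROGBITS | 0x45d028 | 0x1d028 | 0x4c | 0x0 | 0x3 | WA | 0 | 0 | 4 |
| .data | PROGBITS | 0x45d080 | 0x1d080 | 0x4e0 | 0x0 | 0x3 | WA | 0 | 0 | 16 |
| .got | PROGBITS | 0x45d560 | 0x1d560 | 0x504 | 0x4 | 0x10000003 | WAp | 0 | 0 | 16 |
| .sbss | NOBITS | 0x45da64 | 0x1da64 | 0x24 | 0x0 | 0x10000003 | WAp | 0 | 0 | 4 |
| .bss | NOBITS | 0x45da90 | 0x1da64 | 0x648c | 0x0 | 0x3 | WA | 0 | 0 | 16 |
| .comment | PROGBITS | 0x0 | 0x1da64 | 0xbe2 | 0x0 | 0x0 | | 0 | 0 | 1 |
| .mdebug.abi32 | PROGBITS | 0xbe2 | 0x1e646 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 1 |
| .pdr | PROGBITS | 0x0 | 0x1e648 | 0x2120 | 0x0 | 0x0 | | 0 | 0 | 4 |
| .shstrtab | STRTAB | 0x0 | 0x20768 | 0x9a | 0x0 | 0x0 | | 0 | 0 | 1 |
| .symtab | SYMTAB | 0x0 | 0x20b4c | 0x3030 | 0x10 | 0x0 | | 20 | 321 | 4 |
| .strtab | STRTAB | 0x0 | 0x23b7c | 0x23a8 | 0x0 | 0x0 | | 0 | 0 | 1 |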
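| Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings |
|---|---|---|---|---|---|---|---|---|---|---|---|
| <unknown> | 0xb4 | 0x4000b4 | 0x4000b4 | 0x18 | 0x18 | 0.9834 | 0x4 | R | 0x4 | | .reginfo |
| LOAD | 0x0 | 0x400000 | 0x400000 | 0x1d014 | 0x1d014 | 5.3131 | 0x5 | R E | 0x10000 | | .reginfo .init .text .fini .rodata .eh_frame |
| LOAD | 0x1d014 | 0x45d014 | 0x45d014 | 0xa50 | 0x6f08 | 4.1401 | 0x6 | RW | 0x10000 | | .ctors .dtors .jcr |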