Linux Analysis Report
a0dSUrhKjF.elf

Overview

General Information

Sample Name: a0dSUrhKjF.elf
Analysis ID: 756329
MD5: c4ca25d9fd71ba88047def343d3a2799
SHA1: 11fa564755da7c9b8127316d579b1dc890b22433
SHA256: 14fe02e2d1524fc31ed04bf9c4deb14432ad1adb9c934561f832618eec09aa04
Tags: 32, elf, gafgyt, mips

Detection

Mirai
Score: 80
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected Mirai
Multi AV Scanner detection for submitted file
Contains symbols with names commonly found in malware
Opens /proc/net/* files useful for finding connected devices and routers
Yara signature match
Sample contains strings that are user agent strings indicative of HTTP manipulation
Uses the "uname" system call to query kernel version information (possible evasion)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.
None of the HTTP servers contacted by the sample answer. The sample is likely an old dropper which no longer works.
Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures.
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 756329
Start date and time: 2022-11-30 01:35:50 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 28s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: a0dSUrhKjF.elf
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Detection: MAL
Classification: mal80.spre.troj.linELF@0/0@0/0
Command: /tmp/a0dSUrhKjF.elf
PID: 6228
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
gosh that chinese family at the other table sure ate alot
Standard Error:
  • system is lnxubuntu20
  • cleanup
Source | Rule | Description | Author | Strings
a0dSUrhKjF.elf | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security |
a0dSUrhKjF.elf | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown |
Source | Rule | Description | Author | Strings
6228.1.00007fb298400000.00007fb29841e000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security |
6228.1.00007fb298400000.00007fb29841e000.r-x.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown |
6230.1.00007fb298400000.00007fb29841e000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security |
6230.1.00007fb298400000.00007fb29841e000.r-x.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown |
6231.1.00007fb298400000.00007fb29841e000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security |
          No Snort rule has matched

          AV Detection

          Source: a0dSUrhKjF.elf | Avira: detected
          Source: a0dSUrhKjF.elf | ReversingLabs: Detection: 69%
          Source: a0dSUrhKjF.elf | Virustotal: Detection: 65%

          Spreading

          Source: /tmp/a0dSUrhKjF.elf (PID: 6228) | Opens: /proc/net/route
          Source: global traffic | TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
          Source: global traffic | TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
          Source: global traffic | TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
          Source: global traffic | TCP traffic: 192.168.2.23:38500 -> 47.87.197.232:576
          Source: unknown | Network traffic detected: HTTP traffic on port 43928 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 42836 -> 443
          Source: unknown | TCP traffic detected without corresponding DNS query: 47.87.197.232
          Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.43
          Source: unknown | TCP traffic detected without corresponding DNS query: 109.202.202.202
          Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.42

          System Summary

          Source: a0dSUrhKjF.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
          Source: 6228.1.00007fb298400000.00007fb29841e000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
          Source: 6230.1.00007fb298400000.00007fb29841e000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
          Source: 6231.1.00007fb298400000.00007fb29841e000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
          Source: Process Memory Space: a0dSUrhKjF.elf PID: 6228, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
          Source: Process Memory Space: a0dSUrhKjF.elf PID: 6230, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
          Source: Process Memory Space: a0dSUrhKjF.elf PID: 6231, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
          Source: ELF static info symbol of initial sample | Name: vseattack
          Source: a0dSUrhKjF.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
          Source: 6228.1.00007fb298400000.00007fb29841e000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
          Source: 6230.1.00007fb298400000.00007fb29841e000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
          Source: 6231.1.00007fb298400000.00007fb29841e000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
          Source: Process Memory Space: a0dSUrhKjF.elf PID: 6228, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
          Source: Process Memory Space: a0dSUrhKjF.elf PID: 6230, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
          Source: Process Memory Space: a0dSUrhKjF.elf PID: 6231, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
          Source: classification engine | Classification label: mal80.spre.troj.linELF@0/0@0/0
          Source: a0dSUrhKjF.elf | ELF static info symbol of initial sample: libc/string/mips/memcpy.S
          Source: a0dSUrhKjF.elf | ELF static info symbol of initial sample: libc/string/mips/memset.S
          Source: a0dSUrhKjF.elf | ELF static info symbol of initial sample: libc/sysdeps/linux/mips/crt1.S
          Source: a0dSUrhKjF.elf | ELF static info symbol of initial sample: libc/sysdeps/linux/mips/crti.S
          Source: a0dSUrhKjF.elf | ELF static info symbol of initial sample: libc/sysdeps/linux/mips/crtn.S
          Source: a0dSUrhKjF.elf | ELF static info symbol of initial sample: libc/sysdeps/linux/mips/pipe.S
          Source: /tmp/a0dSUrhKjF.elf (PID: 6228) | Queries kernel information via 'uname'
          Source: a0dSUrhKjF.elf, 6228.1.0000562fabd7f000.0000562fabe06000.rw-.sdmp, a0dSUrhKjF.elf, 6230.1.0000562fabd7f000.0000562fabe06000.rw-.sdmp, a0dSUrhKjF.elf, 6231.1.0000562fabd7f000.0000562fabe06000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/mipsel
          Source: a0dSUrhKjF.elf, 6228.1.00007ffd122ff000.00007ffd12320000.rw-.sdmp, a0dSUrhKjF.elf, 6230.1.00007ffd122ff000.00007ffd12320000.rw-.sdmp, a0dSUrhKjF.elf, 6231.1.00007ffd122ff000.00007ffd12320000.rw-.sdmp | Binary or memory string: Lx86_64/usr/bin/qemu-mipsel/tmp/a0dSUrhKjF.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/a0dSUrhKjF.elf
          Source: a0dSUrhKjF.elf, 6228.1.0000562fabd7f000.0000562fabe06000.rw-.sdmp, a0dSUrhKjF.elf, 6230.1.0000562fabd7f000.0000562fabe06000.rw-.sdmp, a0dSUrhKjF.elf, 6231.1.0000562fabd7f000.0000562fabe06000.rw-.sdmp | Binary or memory string: /V!/etc/qemu-binfmt/mipsel
          Source: a0dSUrhKjF.elf, 6228.1.00007ffd122ff000.00007ffd12320000.rw-.sdmp, a0dSUrhKjF.elf, 6230.1.00007ffd122ff000.00007ffd12320000.rw-.sdmp, a0dSUrhKjF.elf, 6231.1.00007ffd122ff000.00007ffd12320000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-mipsel

          Stealing of Sensitive Information

          Source: Yara match | File source: a0dSUrhKjF.elf, type: SAMPLE
          Source: Yara match | File source: 6228.1.00007fb298400000.00007fb29841e000.r-x.sdmp, type: MEMORY
          Source: Yara match | File source: 6230.1.00007fb298400000.00007fb29841e000.r-x.sdmp, type: MEMORY
          Source: Yara match | File source: 6231.1.00007fb298400000.00007fb29841e000.r-x.sdmp, type: MEMORY
          Source: Initial sample | User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; pl) Opera 11.00
          Source: Initial sample | User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; en) Opera 11.00
          Source: Initial sample | User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; ja) Opera 11.00
          Source: Initial sample | User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; de) Opera 11.01
          Source: Initial sample | User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; fr) Opera 11.00
          Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
          Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36
          Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
          Source: Initial sample | User agent string found: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4
          Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
          Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
          Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
          Source: Initial sample | User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11) AppleWebKit/601.1.56 (KHTML, like Gecko) Version/9.0 Safari/601.1.56
          Source: Initial sample | User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.7 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.7
          Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
          Source: Initial sample | User agent string found: Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51
          Source: Initial sample | User agent string found: Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16
          Source: Initial sample | User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
          Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
          Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36
          Source: Initial sample | User agent string found: Mozilla/5.0 (Linux; Android 4.4.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.89 Mobile Safari/537.36
          Source: Initial sample | User agent string found: Mozilla/5.0 (Linux; Android 4.4.3; HTC_0PCV2 Build/KTU84L) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
          Source: Initial sample | User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; X11; Linux x86_64; pl) Opera 11.00
          Source: Initial sample | User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:25.0) Gecko/20100101 Firefox/25.0
          Source: Initial sample | User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0
          Source: Initial sample | User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0
          Source: Initial sample | User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10; rv:33.0) Gecko/20100101 Firefox/33.0

          Remote Access Functionality

          Source: Yara match | File source: a0dSUrhKjF.elf, type: SAMPLE
          Source: Yara match | File source: 6228.1.00007fb298400000.00007fb29841e000.r-x.sdmp, type: MEMORY
          Source: Yara match | File source: 6230.1.00007fb298400000.00007fb29841e000.r-x.sdmp, type: MEMORY
          Source: Yara match | File source: 6231.1.00007fb298400000.00007fb29841e000.r-x.sdmp, type: MEMORY
          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | Direct Volume Access | OS Credential Dumping | 11 Security Software Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | 1 Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | 1 Remote System Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Standard Port | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 1 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
          No configs have been found
          Source | Detection | Scanner | Label
          a0dSUrhKjF.elf | 69% | ReversingLabs | Linux.Trojan.Gafgyt
          a0dSUrhKjF.elf | 65% | Virustotal |
          a0dSUrhKjF.elf | 100% | Avira | LINUX/Mirai.Gafgyt.
          No Antivirus matches
          No contacted domains info
          IP | Domain | Country | ASN | ASN Name | Malicious
          47.87.197.232 | unknown | United States | 3209 | VODANETInternationalIP-BackboneofVodafoneDE | false
          109.202.202.202 | unknown | Switzerland | 13030 | INIT7CH | false
          91.189.91.43 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
          91.189.91.42 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
          Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                                                                      No context
          Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                                                                      FIieajcRYe.elfGet hashmaliciousBrowse
                                                                                                      • 109.202.202.202
                                                                                                      o9epZmdr6x.elfGet hashmaliciousBrowse
                                                                                                      • 109.202.202.202
                                                                                                      auD8Kknsmc.elfGet hashmaliciousBrowse
                                                                                                      • 109.202.202.202
                                                                                                      7Cz3REBlrI.elfGet hashmaliciousBrowse
                                                                                                      • 109.202.202.202
                                                                                                      R2YElGmM5e.elfGet hashmaliciousBrowse
                                                                                                      • 109.202.202.202
                                                                                                      sora.arm7.elfGet hashmaliciousBrowse
                                                                                                      • 109.202.202.202
                                                                                                      sora.x86.elfGet hashmaliciousBrowse
                                                                                                      • 109.202.202.202
                                                                                                      SecuriteInfo.com.Linux.Siggen.4218.31945.1125.elfGet hashmaliciousBrowse
                                                                                                      • 109.202.202.202
                                                                                                      VODANETInternationalIP-BackboneofVodafoneDEPOF7B6Kfw5.elfGet hashmaliciousBrowse
                                                                                                      • 47.87.197.232
                                                                                                      6d0aJaGK7S.elfGet hashmaliciousBrowse
                                                                                                      • 47.87.197.232
                                                                                                      Kxc3PFrEoj.elfGet hashmaliciousBrowse
                                                                                                      • 47.87.197.232
                                                                                                      yB9hLLnhbx.elfGet hashmaliciousBrowse
                                                                                                      • 47.87.197.232
                                                                                                      yS7c2Bzlu2.elfGet hashmaliciousBrowse
                                                                                                      • 47.87.197.232
                                                                                                      p0hr6mFo4a.elfGet hashmaliciousBrowse
                                                                                                      • 47.87.197.232
                                                                                                      7HuJu44thW.elfGet hashmaliciousBrowse
                                                                                                      • 188.110.182.82
                                                                                                      Yw0HhtLWAz.elfGet hashmaliciousBrowse
                                                                                                      • 188.109.141.7
                                                                                                      MZbxLJqYM3.elfGet hashmaliciousBrowse
                                                                                                      • 2.203.197.21
                                                                                                      oAUrOBvfbV.elfGet hashmaliciousBrowse
                                                                                                      • 2.205.253.113
                                                                                                      jew.x86.elfGet hashmaliciousBrowse
                                                                                                      • 88.73.217.45
                                                                                                      3y849k7eIG.elfGet hashmaliciousBrowse
                                                                                                      • 188.97.131.92
                                                                                                      ewfDbhCyw3.elfGet hashmaliciousBrowse
                                                                                                      • 188.107.42.3
                                                                                                      wIUY7HguZD.elfGet hashmaliciousBrowse
                                                                                                      • 88.68.114.1
                                                                                                      87uWrdTuhh.elfGet hashmaliciousBrowse
                                                                                                      • 94.221.53.89
                                                                                                      tYV5avLJzh.elfGet hashmaliciousBrowse
                                                                                                      • 188.107.45.128
                                                                                                      kQhLxBYJGw.elfGet hashmaliciousBrowse
                                                                                                      • 109.41.117.192
                                                                                                      zg8P6HaVf2.elfGet hashmaliciousBrowse
                                                                                                      • 213.23.15.180
                                                                                                      Mddos.arm.elfGet hashmaliciousBrowse
                                                                                                      • 47.87.28.61
                                                                                                      SecuriteInfo.com.Linux.Siggen.9999.7635.14049.elfGet hashmaliciousBrowse
                                                                                                      • 178.5.76.73
                                                                                                      No context
                                                                                                      No context
No created / dropped files found

File type: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
Entropy (8bit): 5.321844123186179
TrID:
• ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: a0dSUrhKjF.elf
File size: 155476
MD5: c4ca25d9fd71ba88047def343d3a2799
SHA1: 11fa564755da7c9b8127316d579b1dc890b22433
SHA256: 14fe02e2d1524fc31ed04bf9c4deb14432ad1adb9c934561f832618eec09aa04
SHA512: 7b5a9a65d8fb09b9583cf92bb1a4df49db2b868aad28cca05091bb83036b20ab7820486efaad8c72198e884e890fe08d72acf79a45b7108f218d764e9c178658
SSDEEP: 3072:dg1c9h1jlnLA2PiXYeyCV9VNMVGuo9mrThPaLEnvPrNb:dZ7lnLA2PiIeyU9VWDo9mrThPaLEnvP5
TLSH: 69E38536B7619E77D80ECE7305A985121C8CD98702D92B6BB2B4E51CEB6BC4F08D3D58
File Content Preview: .ELF......................@.4...4.......4. ...(........p......@...@...........................@...@.D...D...............D...D.E.D.E.P....o..........Q.td.................................................UF....<.T.'!......'.......................<.T.'!... ..

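ELF header

Class:
Data:
Version:
Machine:
Version Number:
Type:
OS/ABI:
ABI Version:
Entry Point Address:
Flags:
ELF Header Size:
Program Header Offset:
Program Header Size:
Number of Program Headers:
Section Header Offset:
Section Header Size:
Number of Section Headers:
Header String Table Index:

| Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align |
|---|---|---|---|---|---|---|---|---|---|---|
| | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0 |
| .reginfo | MIPS_REGINFO | 0x4000b4 | 0xb4 | 0x18 | 0x18 | 0x2 | A | 0 | 0 | 4 |
| .init | PROGBITS | 0x4000cc | 0xcc | 0x8c | 0x0 | 0x6 | AX | 0 | 0 | 4 |
| .text | PROGBITS | 0x400160 | 0x160 | 0x188e0 | 0x0 | 0x6 | AX | 0 | 0 | 16 |
| .fini | PROGBITS | 0x418a40 | 0x18a40 | 0x5c | 0x0 | 0x6 | AX | 0 | 0 | 4 |
| .rodata | PROGBITS | 0x418aa0 | 0x18aa0 | 0x45a0 | 0x0 | 0x2 | A | 0 | 0 | 16 |
| .eh_frame | PROGBITS | 0x41d040 | 0x1d040 | 0x4 | 0x0 | 0x2 | A | 0 | 0 | 4 |
| .ctors | PROGBITS | 0x45d044 | 0x1d044 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
| .dtors | PROGBITS | 0x45d04c | 0x1d04c | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
| .jcr | PROGBITS | 0x45d054 | 0x1d054 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
| .data.rel.ro | PROGBITS | 0x45d058 | 0x1d058 | 0x4c | 0x0 | 0x3 | WA | 0 | 0 | 4 |
| .data | PROGBITS | 0x45d0b0 | 0x1d0b0 | 0x4e0 | 0x0 | 0x3 | WA | 0 | 0 | 16 |
| .got | PROGBITS | 0x45d590 | 0x1d590 | 0x504 | 0x4 | 0x10000003 | WAp | 0 | 0 | 16 |
| .sbss | NOBITS | 0x45da94 | 0x1da94 | 0x24 | 0x0 | 0x10000003 | WAp | 0 | 0 | 4 |
| .bss | NOBITS | 0x45dac0 | 0x1da94 | 0x648c | 0x0 | 0x3 | WA | 0 | 0 | 16 |
| .comment | PROGBITS | 0x0 | 0x1da94 | 0xbe2 | 0x0 | 0x0 | | 0 | 0 | 1 |
| .mdebug.abi32 | PROGBITS | 0xbe2 | 0x1e676 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 1 |
| .pdr | PROGBITS | 0x0 | 0x1e678 | 0x2120 | 0x0 | 0x0 | | 0 | 0 | 4 |
| .shstrtab | STRTAB | 0x0 | 0x20798 | 0x9a | 0x0 | 0x0 | | 0 | 0 | 1 |
| .symtab | SYMTAB | 0x0 | 0x20b7c | 0x3030 | 0x10 | 0x0 | | 20 | 321 | 4 |
| .strtab | STRTAB | 0x0 | 0x23bac | 0x23a8 | 0x0 | 0x0 | | 0 | 0 | 1 |

| Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings |
|---|---|---|---|---|---|---|---|---|---|---|---|
| <unknown> | 0xb4 | 0x4000b4 | 0x4000b4 | 0x18 | 0x18 | 0.9834 | 0x4 | R | 0x4 | | .reginfo |
| LOAD | 0x0 | 0x400000 | 0x400000 | 0x1d044 | 0x1d044 | 5.3117 | 0x5 | R E | 0x10000 | | .reginfo .init .text .fini .rodata .eh_frame |
| LOAD | 0x1d044 | 0x45d044 | 0x45d044 | 0xa50 | 0x6f08 | 4.1543 | 0x6 | RW | 0x10000 | | .ctors .dtors .jcr .data.rel.ro .data .got .sbss .bss |
| GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 | | |

| Name | Version Info Name | Version Info File Name | Section Name | Value | Size | Symbol Type | Symbol Bind | Symbol Visibility | Ndx |
|---|---|---|---|---|---|---|---|---|---|
| | | | .symtab | 0x0 | 0 | NOTYPE | <unknown> | DEFAULT | SHN_UNDEF |
| | | | .symtab | 0x4000b4 | 0 | SECTION | <unknown> | DEFAULT | 1 |
| | | | .symtab | 0x4000cc | 0 | SECTION | <unknown> | DEFAULT | 2 |
| | | | .symtab | 0x400160 | 0 | SECTION | <unknown> | DEFAULT | 3 |
| | | | .symtab | 0x418a40 | 0 | SECTION | <unknown> | DEFAULT | 4 |
| | | | .symtab | 0x418aa0 | 0 | SECTION | <unknown> | DEFAULT | 5 |
| | | | .symtab | 0x41d040 | 0 | SECTION | <unknown> | DEFAULT | 6 |
| | | | .symtab | 0x45d044 | 0 | SECTION | <unknown> | DEFAULT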