It seems like sample 906ad27e3afe5c0d92ab3c543478f5dd9a999f22f16b837f3f2bf7e18ee54762 uses some kind of new UPX unpacking stub which seems different what we have for ARM. Please investigate whether it is indeed some new unpacking stub for ARM ELFs. What is interesting here that it contains masked UPX metadata header where UPX! is replaced with YTS. Renaming it back makes our unpacker work again.
It seems like sample
906ad27e3afe5c0d92ab3c543478f5dd9a999f22f16b837f3f2bf7e18ee54762uses some kind of new UPX unpacking stub which seems different what we have for ARM. Please investigate whether it is indeed some new unpacking stub for ARM ELFs. What is interesting here that it contains masked UPX metadata header whereUPX!is replaced withYTS. Renaming it back makes our unpacker work again.