
Linux Analysis Report
9Iakt8wQQ7.elf

Overview

General Information

Sample name:9Iakt8wQQ7.elf
renamed because original name is a hash value
Original sample name:a9f370a8aef906ec967bdf2140d0d797.elf
Analysis ID:1441899
MD5:a9f370a8aef906ec967bdf2140d0d797
SHA1:71a51453266310f24798de9053ca42b5e7cf6a7b
SHA256:a5f72c891e99a002bb1a3a1237b3f252b4cd613e4c4f5f248243e23c259dcfa7
Tags:32, arm, elf, mirai

Detection

Gafgyt
Score:64
Range:0 - 100
Whitelisted:false

Signatures

Multi AV Scanner detection for submitted file
Yara detected Gafgyt
Deletes system log files
Manipulation of devices in /dev
Detected TCP or UDP traffic on non-standard ports
Executes the "rm" command used to delete files or directories
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1441899
Start date and time:2024-05-15 12:52:11 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 45s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:9Iakt8wQQ7.elf
renamed because original name is a hash value
Original Sample Name:a9f370a8aef906ec967bdf2140d0d797.elf
Detection:MAL
Classification:mal64.troj.evad.linELF@0/0@1/0
Command:/tmp/9Iakt8wQQ7.elf
PID:5422
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
guess what. you're retarded
Standard Error:
  • system is lnxubuntu20
  • dash New Fork (PID: 5439, Parent: 3582)
  • rm (PID: 5439, Parent: 3582, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.AEQOKm3Wk1 /tmp/tmp.u2Z8V9De4Y /tmp/tmp.pzSyU74hCW
  • dash New Fork (PID: 5440, Parent: 3582)
  • cat (PID: 5440, Parent: 3582, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.AEQOKm3Wk1
  • dash New Fork (PID: 5441, Parent: 3582)
  • head (PID: 5441, Parent: 3582, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10
  • dash New Fork (PID: 5442, Parent: 3582)
  • tr (PID: 5442, Parent: 3582, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037
  • dash New Fork (PID: 5443, Parent: 3582)
  • cut (PID: 5443, Parent: 3582, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80
  • dash New Fork (PID: 5444, Parent: 3582)
  • cat (PID: 5444, Parent: 3582, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.AEQOKm3Wk1
  • dash New Fork (PID: 5445, Parent: 3582)
  • head (PID: 5445, Parent: 3582, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10
  • dash New Fork (PID: 5446, Parent: 3582)
  • tr (PID: 5446, Parent: 3582, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037
  • dash New Fork (PID: 5447, Parent: 3582)
  • cut (PID: 5447, Parent: 3582, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80
  • dash New Fork (PID: 5448, Parent: 3582)
  • rm (PID: 5448, Parent: 3582, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.AEQOKm3Wk1 /tmp/tmp.u2Z8V9De4Y /tmp/tmp.pzSyU74hCW
  • cleanup
Name:Bashlite, Gafgyt
Description:Bashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.
Attribution:No Attribution
Link:https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite
Source | Rule | Description | Author
9Iakt8wQQ7.elf | JoeSecurity_Gafgyt | Yara detected Gafgyt | Joe Security
5426.1.00007f8fa4017000.00007f8fa4038000.r-x.sdmp | JoeSecurity_Gafgyt | Yara detected Gafgyt | Joe Security
5422.1.00007f8fa4017000.00007f8fa4038000.r-x.sdmp | JoeSecurity_Gafgyt | Yara detected Gafgyt | Joe Security
        No Snort rule has matched


        AV Detection

Source: 9Iakt8wQQ7.elf | Virustotal: Detection: 37%
Source: 9Iakt8wQQ7.elf | ReversingLabs: Detection: 50%
Source: unknown | HTTPS traffic detected: 54.217.10.153:443 -> 192.168.2.13:37676 version: TLS 1.2
Source: global traffic | TCP traffic: 192.168.2.13:55932 -> 31.220.1.44:5667
Source: /tmp/9Iakt8wQQ7.elf (PID: 5422) | Socket: 127.0.0.1::46373
Source: unknown | UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: global traffic | DNS traffic detected: DNS query: retardedclassmate.dyn
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 37676
Source: unknown | Network traffic detected: HTTP traffic on port 37676 -> 443
Source: unknown | HTTPS traffic detected: 54.217.10.153:443 -> 192.168.2.13:37676 version: TLS 1.2
Source: ELF static info symbol of initial sample | .symtab present: no
Source: classification engine | Classification label: mal64.troj.evad.linELF@0/0@1/0

        Data Obfuscation

Source: /tmp/9Iakt8wQQ7.elf (PID: 5430) | Deleted: /dev/kmsg
Source: /tmp/9Iakt8wQQ7.elf (PID: 5430) | Deleted: /dev/null
Source: /usr/bin/dash (PID: 5439) | Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.AEQOKm3Wk1 /tmp/tmp.u2Z8V9De4Y /tmp/tmp.pzSyU74hCW
Source: /usr/bin/dash (PID: 5448) | Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.AEQOKm3Wk1 /tmp/tmp.u2Z8V9De4Y /tmp/tmp.pzSyU74hCW

        Hooking and other Techniques for Hiding and Protection

Source: /tmp/9Iakt8wQQ7.elf (PID: 5430) | Log files deleted: /var/log/kern.log
Source: /tmp/9Iakt8wQQ7.elf (PID: 5422) | Queries kernel information via 'uname'
Source: 9Iakt8wQQ7.elf, 5422.1.00007ffc6c991000.00007ffc6c9b2000.rw-.sdmp, 9Iakt8wQQ7.elf, 5426.1.00007ffc6c991000.00007ffc6c9b2000.rw-.sdmp | Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/9Iakt8wQQ7.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/9Iakt8wQQ7.elf
Source: 9Iakt8wQQ7.elf, 5422.1.000056182160c000.0000561821782000.rw-.sdmp, 9Iakt8wQQ7.elf, 5426.1.000056182160c000.0000561821782000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/arm
Source: 9Iakt8wQQ7.elf, 5422.1.000056182160c000.0000561821782000.rw-.sdmp, 9Iakt8wQQ7.elf, 5426.1.000056182160c000.0000561821782000.rw-.sdmp | Binary or memory string: V!/etc/qemu-binfmt/arm
Source: 9Iakt8wQQ7.elf, 5422.1.00007ffc6c991000.00007ffc6c9b2000.rw-.sdmp, 9Iakt8wQQ7.elf, 5426.1.00007ffc6c991000.00007ffc6c9b2000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-arm

        Stealing of Sensitive Information

Source: Yara match | File source: 9Iakt8wQQ7.elf, type: SAMPLE
Source: Yara match | File source: 5426.1.00007f8fa4017000.00007f8fa4038000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 5422.1.00007f8fa4017000.00007f8fa4038000.r-x.sdmp, type: MEMORY

        Remote Access Functionality

Source: Yara match | File source: 9Iakt8wQQ7.elf, type: SAMPLE
Source: Yara match | File source: 5426.1.00007f8fa4017000.00007f8fa4038000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 5422.1.00007f8fa4017000.00007f8fa4038000.r-x.sdmp, type: MEMORY
MITRE ATT&CK matrix (tactics: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). Techniques matched by this sample, with the number of matching signatures:

  • Defense Evasion: 1 Indicator Removal; 1 File Deletion
  • Discovery: 11 Security Software Discovery
  • Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 2 Application Layer Protocol

No techniques were matched under Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Credential Access, Lateral Movement, Collection, Exfiltration or Impact.
        No configs have been found
Behavior Graph (ID: 1441899; Sample: 9Iakt8wQQ7.elf; Startdate: 15/05/2024; Architecture: LINUX; Score: 64). Network nodes: 54.217.10.153 (ports 37676, 443; AMAZON-02US, United States), 31.220.1.44 (ports 55932, 5667; AMARUTU-TECHNOLOGYNL, Germany), retardedclassmate.dyn. Root-level signatures: Multi AV Scanner detection for submitted file; Yara detected Gafgyt. Processes started: 9Iakt8wQQ7.elf (which starts a child 9Iakt8wQQ7.elf, which in turn starts three further 9Iakt8wQQ7.elf processes), dash rm, dash tr, and 8 other processes. Signatures on the child process: Manipulation of devices in /dev; Deletes system log files.
Source | Detection | Scanner | Label
9Iakt8wQQ7.elf | 38% | Virustotal |
9Iakt8wQQ7.elf | 50% | ReversingLabs | Linux.Trojan.Mirai
No Antivirus matches
Source | Detection | Scanner | Label
retardedclassmate.dyn | 4% | Virustotal |
No Antivirus matches


Name | IP | Active | Malicious | Antivirus Detection | Reputation
retardedclassmate.dyn | 103.161.35.44 | true | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
54.217.10.153 | unknown | United States | 16509 | AMAZON-02US | false
31.220.1.44 | unknown | Germany | 206264 | AMARUTU-TECHNOLOGYNL | false
Match | Associated Sample Name / URL | Detection | Threat Name
54.217.10.153 | SecuriteInfo.com.HEUR.Backdoor.Linux.Mirai.cu.13705.6845.elf | malicious | Mirai
54.217.10.153 | SecuriteInfo.com.ELF.Mirai-ATU.14126.25506.elf | malicious | Mirai
54.217.10.153 | MzIP71OrfX.elf | malicious | Mirai
54.217.10.153 | Aqua.x86.elf | malicious | Mirai
54.217.10.153 | Aqua.arm7-20240513-1656.elf | malicious | Mirai
54.217.10.153 | Aqua.arm7.elf | malicious | Mirai
54.217.10.153 | a-r.m-5.ISIS.elf | malicious | Gafgyt
54.217.10.153 | retBnGdjco.elf | malicious | Unknown
54.217.10.153 | UAb8TpF1fg.elf | malicious | Unknown
54.217.10.153 | SecuriteInfo.com.Linux.Siggen.9999.17714.21341.elf | malicious | Mirai
31.220.1.44 | arm7.elf | malicious | Unknown
Match | Associated Sample Name / URL | Detection | Threat Name | Context
retardedclassmate.dyn | SecuriteInfo.com.Linux.Siggen.9999.4824.4127.elf | malicious | Gafgyt, Mirai | 154.197.110.191
retardedclassmate.dyn | arm7.elf | malicious | Unknown | 31.220.1.44
retardedclassmate.dyn | vtuYyqk0Xt.elf | malicious | Gafgyt | 85.239.33.65
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMARUTU-TECHNOLOGYNL | arm7.elf | malicious | Unknown | 31.220.1.44
AMARUTU-TECHNOLOGYNL | XZoxEqlRUw.exe | malicious | Lokibot | 31.220.1.194
AMARUTU-TECHNOLOGYNL | file.exe | malicious | Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader | 185.169.253.175
AMARUTU-TECHNOLOGYNL | havHHgUTMf.elf | malicious | Unknown | 31.220.1.59
AMARUTU-TECHNOLOGYNL | XhXwuGeQt1.elf | malicious | Unknown | 31.220.1.59
AMARUTU-TECHNOLOGYNL | pqV96ooXHb.elf | malicious | Unknown | 31.220.1.59
AMARUTU-TECHNOLOGYNL | K0NrQivg3A.elf | malicious | Unknown | 31.220.1.59
AMARUTU-TECHNOLOGYNL | EMhQG2ir2C.elf | malicious | Unknown | 31.220.1.59
AMARUTU-TECHNOLOGYNL | 37sRIovciS.elf | malicious | Unknown | 31.220.1.59
AMARUTU-TECHNOLOGYNL | 4c.exe | malicious | Gurcu Stealer | 103.109.100.207
AMAZON-02US | Gms-Worldwide SWIFT COPY _ Wednesday May 2024..rtf | malicious | HTMLPhisher | 108.156.83.45
AMAZON-02US | https://www.ammyy.com/it/downloads.html | malicious | Flawedammyy | 18.239.225.92
AMAZON-02US | https://url2.mailanyone.net/scanner?m=1s6sb2-0006Pu-3k&d=4%7Cmail%2F90%2F1715694600%2F1s6sb2-0006Pu-3k%7Cin2b%7C57e1b682%7C17902772%7C12174482%7C66436CE030707A56854C2AE2FCBD062A&o=%2Fphtd%3A%2Fttsc.tcesekfu6cdrRm%2FE.o%2F8l&s=JQTgFqmC2FIjTsfPxKBQ-aQsMP8 | malicious | Unknown | 108.156.83.40
AMAZON-02US | https://www.flipsnack.com/99F99AEEFB5/fm-birch-limted/full-view.html | malicious | Unknown | 108.157.173.103
AMAZON-02US | da3kfB4m8R.elf | malicious | Mirai, Okiru | 54.171.230.55
AMAZON-02US | zlBVRRlWYS.elf | malicious | Mirai, Okiru | 34.254.182.186
AMAZON-02US | MicrosoftCorporation.exe | malicious | AsyncRAT, PrivateLoader | 52.85.151.47
AMAZON-02US | WVJ5O5BLbK.exe | malicious | Njrat | 18.158.249.75
AMAZON-02US | vm6XYZzWOd.exe | malicious | PureLog Stealer, SystemBC | 3.125.131.179
AMAZON-02US | https://biggesttubesite.z13.web.core.windows.net/index.html | malicious | TechSupportScam | 65.8.184.5
Match | Associated Sample Name / URL | Detection | Threat Name | Context
fb4726d465c5f28b84cd6d14cedd13a7 | x7Z7EQGweF.elf | malicious | Mirai | 54.217.10.153
fb4726d465c5f28b84cd6d14cedd13a7 | g058ub3UiN.elf | malicious | Mirai | 54.217.10.153
fb4726d465c5f28b84cd6d14cedd13a7 | SecuriteInfo.com.Linux.Siggen.9999.20934.12421.elf | malicious | Unknown | 54.217.10.153
fb4726d465c5f28b84cd6d14cedd13a7 | Aqua.x86.elf | malicious | Mirai | 54.217.10.153
fb4726d465c5f28b84cd6d14cedd13a7 | bot.mips.elf | malicious | Mirai, Okiru | 54.217.10.153
fb4726d465c5f28b84cd6d14cedd13a7 | 2oxo8KJQv0.elf | malicious | Mirai | 54.217.10.153
fb4726d465c5f28b84cd6d14cedd13a7 | f4twIqJjVs.elf | malicious | Mirai | 54.217.10.153
fb4726d465c5f28b84cd6d14cedd13a7 | ZaakFRkzk0.elf | malicious | Mirai | 54.217.10.153
fb4726d465c5f28b84cd6d14cedd13a7 | 0bB3bZhaGj.elf | malicious | Unknown | 54.217.10.153
fb4726d465c5f28b84cd6d14cedd13a7 | systemd-resolved | malicious | Unknown | 54.217.10.153
                              No context
                              No created / dropped files found
                              File type:ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
                              Entropy (8bit):5.459195978600076
                              TrID:
                              • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                              File name:9Iakt8wQQ7.elf
                              File size:154'272 bytes
                              MD5:a9f370a8aef906ec967bdf2140d0d797
                              SHA1:71a51453266310f24798de9053ca42b5e7cf6a7b
                              SHA256:a5f72c891e99a002bb1a3a1237b3f252b4cd613e4c4f5f248243e23c259dcfa7
                              SHA512:5a0111c69278a062686ad97f1f4bc17cea91763e3f070ad4353caf81d1b2cfd9a95a228e0717d6023ebf30369c8a77213c18a846529683aabef7dce064d6c89f
                              SSDEEP:1536:zNNW7z/eMG0C8GW7I7GqQ2qFMc5VfyAMDCADPL8Tn/T2Gn0AmOzUnT5Hy25lAl5O:z0zWMPxauXXfyaAv8rr2G0b1yuNU6
                              TLSH:59E32A45FD509F26C6D221BBFF4E428D372A5768D3EE720399255F20378A89B0E77242
                              File Content Preview:.ELF...a..........(.........4....Y......4. ...(......................................................H..............Q.td..................................-...L."....t..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

                              ELF header

                              Class:ELF32
                              Data:2's complement, little endian
                              Version:1 (current)
                              Machine:ARM
                              Version Number:0x1
                              Type:EXEC (Executable file)
                              OS/ABI:ARM - ABI
                              ABI Version:0
                              Entry Point Address:0x8190
                              Flags:0x2
                              ELF Header Size:52
                              Program Header Offset:52
                              Program Header Size:32
                              Number of Program Headers:3
                              Section Header Offset:153872
                              Section Header Size:40
                              Number of Section Headers:10
                              Header String Table Index:9
Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
(none) | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
.init | PROGBITS | 0x8094 | 0x94 | 0x18 | 0x0 | 0x6 | AX | 0 | 0 | 4
.text | PROGBITS | 0x80b0 | 0xb0 | 0x1d2d4 | 0x0 | 0x6 | AX | 0 | 0 | 16
.fini | PROGBITS | 0x25384 | 0x1d384 | 0x14 | 0x0 | 0x6 | AX | 0 | 0 | 4
.rodata | PROGBITS | 0x25398 | 0x1d398 | 0x3600 | 0x0 | 0x2 | A | 0 | 0 | 4
.ctors | PROGBITS | 0x31000 | 0x21000 | 0xc | 0x0 | 0x3 | WA | 0 | 0 | 4
.dtors | PROGBITS | 0x3100c | 0x2100c | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.data | PROGBITS | 0x31020 | 0x21020 | 0x48b0 | 0x0 | 0x3 | WA | 0 | 0 | 32
.bss | NOBITS | 0x358d0 | 0x258d0 | 0xd544 | 0x0 | 0x3 | WA | 0 | 0 | 4
.shstrtab | STRTAB | 0x0 | 0x258d0 | 0x3e | 0x0 | 0x0 | | 0 | 0 | 1
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0x8000 | 0x8000 | 0x20998 | 0x20998 | 5.9522 | 0x5 | R E | 0x8000 | | .init .text .fini .rodata
LOAD | 0x21000 | 0x31000 | 0x31000 | 0x48d0 | 0x11e14 | 0.3727 | 0x6 | RW | 0x8000 | | .ctors .dtors .data .bss
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 | |


                              • Total Packets: 28
• 5667 (undefined)
                              • 443 (HTTPS)
                              • 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 15, 2024 12:52:55.368139029 CEST | 55932 | 5667 | 192.168.2.13 | 31.220.1.44
May 15, 2024 12:52:55.615361929 CEST | 5667 | 55932 | 31.220.1.44 | 192.168.2.13
May 15, 2024 12:52:55.615449905 CEST | 55932 | 5667 | 192.168.2.13 | 31.220.1.44
May 15, 2024 12:52:55.615905046 CEST | 55932 | 5667 | 192.168.2.13 | 31.220.1.44
May 15, 2024 12:52:55.863574982 CEST | 5667 | 55932 | 31.220.1.44 | 192.168.2.13
May 15, 2024 12:52:55.863663912 CEST | 55932 | 5667 | 192.168.2.13 | 31.220.1.44
May 15, 2024 12:52:56.111051083 CEST | 5667 | 55932 | 31.220.1.44 | 192.168.2.13
May 15, 2024 12:52:59.496867895 CEST | 37676 | 443 | 192.168.2.13 | 54.217.10.153
May 15, 2024 12:52:59.724498987 CEST | 443 | 37676 | 54.217.10.153 | 192.168.2.13
May 15, 2024 12:52:59.724639893 CEST | 37676 | 443 | 192.168.2.13 | 54.217.10.153
May 15, 2024 12:52:59.725806952 CEST | 37676 | 443 | 192.168.2.13 | 54.217.10.153
May 15, 2024 12:52:59.956332922 CEST | 443 | 37676 | 54.217.10.153 | 192.168.2.13
May 15, 2024 12:53:01.129060030 CEST | 443 | 37676 | 54.217.10.153 | 192.168.2.13
May 15, 2024 12:53:01.129085064 CEST | 443 | 37676 | 54.217.10.153 | 192.168.2.13
May 15, 2024 12:53:01.129152060 CEST | 443 | 37676 | 54.217.10.153 | 192.168.2.13
May 15, 2024 12:53:01.129235983 CEST | 37676 | 443 | 192.168.2.13 | 54.217.10.153
May 15, 2024 12:53:01.129235983 CEST | 37676 | 443 | 192.168.2.13 | 54.217.10.153
May 15, 2024 12:53:01.129235983 CEST | 37676 | 443 | 192.168.2.13 | 54.217.10.153
May 15, 2024 12:53:01.129988909 CEST | 37676 | 443 | 192.168.2.13 | 54.217.10.153
May 15, 2024 12:53:01.367477894 CEST | 443 | 37676 | 54.217.10.153 | 192.168.2.13
May 15, 2024 12:53:01.388668060 CEST | 443 | 37676 | 54.217.10.153 | 192.168.2.13
May 15, 2024 12:53:01.388756990 CEST | 37676 | 443 | 192.168.2.13 | 54.217.10.153
May 15, 2024 12:53:01.388884068 CEST | 37676 | 443 | 192.168.2.13 | 54.217.10.153
May 15, 2024 12:53:01.664736986 CEST | 443 | 37676 | 54.217.10.153 | 192.168.2.13
May 15, 2024 12:53:01.726641893 CEST | 443 | 37676 | 54.217.10.153 | 192.168.2.13
May 15, 2024 12:53:01.726722002 CEST | 37676 | 443 | 192.168.2.13 | 54.217.10.153
May 15, 2024 12:53:01.727504969 CEST | 37676 | 443 | 192.168.2.13 | 54.217.10.153
May 15, 2024 12:53:02.009854078 CEST | 443 | 37676 | 54.217.10.153 | 192.168.2.13
May 15, 2024 12:53:02.091548920 CEST | 443 | 37676 | 54.217.10.153 | 192.168.2.13
May 15, 2024 12:53:02.091564894 CEST | 443 | 37676 | 54.217.10.153 | 192.168.2.13
May 15, 2024 12:53:02.091650009 CEST | 37676 | 443 | 192.168.2.13 | 54.217.10.153
May 15, 2024 12:53:02.091650009 CEST | 37676 | 443 | 192.168.2.13 | 54.217.10.153
May 15, 2024 12:53:10.631273985 CEST | 55932 | 5667 | 192.168.2.13 | 31.220.1.44
May 15, 2024 12:53:10.878499031 CEST | 5667 | 55932 | 31.220.1.44 | 192.168.2.13
May 15, 2024 12:53:10.878568888 CEST | 5667 | 55932 | 31.220.1.44 | 192.168.2.13
May 15, 2024 12:53:10.878638029 CEST | 55932 | 5667 | 192.168.2.13 | 31.220.1.44
May 15, 2024 12:53:26.129232883 CEST | 5667 | 55932 | 31.220.1.44 | 192.168.2.13
May 15, 2024 12:53:26.129385948 CEST | 55932 | 5667 | 192.168.2.13 | 31.220.1.44
May 15, 2024 12:53:41.379712105 CEST | 5667 | 55932 | 31.220.1.44 | 192.168.2.13
May 15, 2024 12:53:41.379940987 CEST | 55932 | 5667 | 192.168.2.13 | 31.220.1.44
May 15, 2024 12:53:56.633325100 CEST | 5667 | 55932 | 31.220.1.44 | 192.168.2.13
May 15, 2024 12:53:56.633511066 CEST | 55932 | 5667 | 192.168.2.13 | 31.220.1.44
May 15, 2024 12:54:11.883758068 CEST | 5667 | 55932 | 31.220.1.44 | 192.168.2.13
May 15, 2024 12:54:11.883889914 CEST | 55932 | 5667 | 192.168.2.13 | 31.220.1.44
May 15, 2024 12:54:27.131624937 CEST | 5667 | 55932 | 31.220.1.44 | 192.168.2.13
May 15, 2024 12:54:27.131726980 CEST | 55932 | 5667 | 192.168.2.13 | 31.220.1.44
May 15, 2024 12:54:40.956845999 CEST | 55932 | 5667 | 192.168.2.13 | 31.220.1.44
May 15, 2024 12:54:41.204154015 CEST | 5667 | 55932 | 31.220.1.44 | 192.168.2.13
May 15, 2024 12:54:41.204174042 CEST | 5667 | 55932 | 31.220.1.44 | 192.168.2.13
May 15, 2024 12:54:41.204282045 CEST | 55932 | 5667 | 192.168.2.13 | 31.220.1.44
May 15, 2024 12:54:56.471813917 CEST | 5667 | 55932 | 31.220.1.44 | 192.168.2.13
May 15, 2024 12:54:56.471930981 CEST | 55932 | 5667 | 192.168.2.13 | 31.220.1.44
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 15, 2024 12:52:55.148164034 CEST | 51579 | 53 | 192.168.2.13 | 51.254.162.59
May 15, 2024 12:52:55.367338896 CEST | 53 | 51579 | 51.254.162.59 | 192.168.2.13
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 15, 2024 12:52:55.148164034 CEST | 192.168.2.13 | 51.254.162.59 | 0x14d4 | Standard query (0) | retardedclassmate.dyn | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 15, 2024 12:52:55.367338896 CEST | 51.254.162.59 | 192.168.2.13 | 0x14d4 | No error (0) | retardedclassmate.dyn | | 103.161.35.44 | A (IP address) | IN (0x0001) | false
May 15, 2024 12:52:55.367338896 CEST | 51.254.162.59 | 192.168.2.13 | 0x14d4 | No error (0) | retardedclassmate.dyn | | 31.220.1.44 | A (IP address) | IN (0x0001) | false
May 15, 2024 12:52:55.367338896 CEST | 51.254.162.59 | 192.168.2.13 | 0x14d4 | No error (0) | retardedclassmate.dyn | | 89.32.41.31 | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
May 15, 2024 12:53:01.129152060 CEST | 54.217.10.153 | 443 | 192.168.2.13 | 37676 | CN=motd.ubuntu.com | CN=R3, O=Let's Encrypt, C=US | Thu Mar 07 10:27:55 CET 2024 | Wed Jun 05 11:27:54 CEST 2024 | 771,4866-4867-4865-49196-49200-163-159-52393-52392-52394-49327-49325-49315-49311-49245-49249-49239-49235-49195-49199-162-158-49326-49324-49314-49310-49244-49248-49238-49234-49188-49192-107-106-49267-49271-196-195-49187-49191-103-64-49266-49270-190-189-49162-49172-57-56-136-135-49161-49171-51-50-69-68-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-65-255,0-11-10-35-22-23-13-43-45-51,29-23-30-25-24,0-1-2 | fb4726d465c5f28b84cd6d14cedd13a7
(intermediate certificate in the same chain) | | | | | CN=R3, O=Let's Encrypt, C=US | CN=ISRG Root X1, O=Internet Security Research Group, C=US | Fri Sep 04 02:00:00 CEST 2020 | Mon Sep 15 18:00:00 CEST 2025 | |

                              System Behavior

                              Start time (UTC):10:52:53
                              Start date (UTC):15/05/2024
                              Path:/tmp/9Iakt8wQQ7.elf
                              Arguments:/tmp/9Iakt8wQQ7.elf
                              File size:4956856 bytes
                              MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                              Start time (UTC):10:52:53
                              Start date (UTC):15/05/2024
                              Path:/tmp/9Iakt8wQQ7.elf
                              Arguments:-
                              File size:4956856 bytes
                              MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                              Start time (UTC):10:52:53
                              Start date (UTC):15/05/2024
                              Path:/tmp/9Iakt8wQQ7.elf
                              Arguments:-
                              File size:4956856 bytes
                              MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                              Start time (UTC):10:52:53
                              Start date (UTC):15/05/2024
                              Path:/tmp/9Iakt8wQQ7.elf
                              Arguments:-
File size:4956856 bytes
MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):10:52:53
Start date (UTC):15/05/2024
Path:/tmp/9Iakt8wQQ7.elf
Arguments:-
File size:4956856 bytes
MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):10:53:00
Start date (UTC):15/05/2024
Path:/usr/bin/dash
Arguments:-
File size:129816 bytes
MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):10:53:00
Start date (UTC):15/05/2024
Path:/usr/bin/rm
Arguments:rm -f /tmp/tmp.AEQOKm3Wk1 /tmp/tmp.u2Z8V9De4Y /tmp/tmp.pzSyU74hCW
File size:72056 bytes
MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

Start time (UTC):10:53:00
Start date (UTC):15/05/2024
Path:/usr/bin/dash
Arguments:-
File size:129816 bytes
MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):10:53:00
Start date (UTC):15/05/2024
Path:/usr/bin/cat
Arguments:cat /tmp/tmp.AEQOKm3Wk1
File size:43416 bytes
MD5 hash:7e9d213e404ad3bb82e4ebb2e1f2c1b3

Start time (UTC):10:53:00
Start date (UTC):15/05/2024
Path:/usr/bin/dash
Arguments:-
File size:129816 bytes
MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):10:53:00
Start date (UTC):15/05/2024
Path:/usr/bin/head
Arguments:head -n 10
File size:47480 bytes
MD5 hash:fd96a67145172477dd57131396fc9608

Start time (UTC):10:53:00
Start date (UTC):15/05/2024
Path:/usr/bin/dash
Arguments:-
File size:129816 bytes
MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):10:53:00
Start date (UTC):15/05/2024
Path:/usr/bin/tr
Arguments:tr -d \\000-\\011\\013\\014\\016-\\037
File size:51544 bytes
MD5 hash:fbd1402dd9f72d8ebfff00ce7c3a7bb5

Start time (UTC):10:53:00
Start date (UTC):15/05/2024
Path:/usr/bin/dash
Arguments:-
File size:129816 bytes
MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):10:53:00
Start date (UTC):15/05/2024
Path:/usr/bin/cut
Arguments:cut -c -80
File size:47480 bytes
MD5 hash:d8ed0ea8f22c0de0f8692d4d9f1759d3

Start time (UTC):10:53:00
Start date (UTC):15/05/2024
Path:/usr/bin/dash
Arguments:-
File size:129816 bytes
MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):10:53:00
Start date (UTC):15/05/2024
Path:/usr/bin/cat
Arguments:cat /tmp/tmp.AEQOKm3Wk1
File size:43416 bytes
MD5 hash:7e9d213e404ad3bb82e4ebb2e1f2c1b3

Start time (UTC):10:53:00
Start date (UTC):15/05/2024
Path:/usr/bin/dash
Arguments:-
File size:129816 bytes
MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):10:53:00
Start date (UTC):15/05/2024
Path:/usr/bin/head
Arguments:head -n 10
File size:47480 bytes
MD5 hash:fd96a67145172477dd57131396fc9608

Start time (UTC):10:53:00
Start date (UTC):15/05/2024
Path:/usr/bin/dash
Arguments:-
File size:129816 bytes
MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):10:53:00
Start date (UTC):15/05/2024
Path:/usr/bin/tr
Arguments:tr -d \\000-\\011\\013\\014\\016-\\037
File size:51544 bytes
MD5 hash:fbd1402dd9f72d8ebfff00ce7c3a7bb5

Start time (UTC):10:53:00
Start date (UTC):15/05/2024
Path:/usr/bin/dash
Arguments:-
File size:129816 bytes
MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):10:53:00
Start date (UTC):15/05/2024
Path:/usr/bin/cut
Arguments:cut -c -80
File size:47480 bytes
MD5 hash:d8ed0ea8f22c0de0f8692d4d9f1759d3

Start time (UTC):10:53:00
Start date (UTC):15/05/2024
Path:/usr/bin/dash
Arguments:-
File size:129816 bytes
MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):10:53:00
Start date (UTC):15/05/2024
Path:/usr/bin/rm
Arguments:rm -f /tmp/tmp.AEQOKm3Wk1 /tmp/tmp.u2Z8V9De4Y /tmp/tmp.pzSyU74hCW
File size:72056 bytes
MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b