Edit tour

Linux Analysis Report
na.elf

Overview

General Information

Sample name:	na.elf
Analysis ID:	1536979
MD5:	b51a743a5d9483e64e33e7bf781088dd
SHA1:	9ca5ed2c9f3fa737c2835cbeaebb3cb162f9d9b4
SHA256:	14bba29034078974f506e082c7df4bc676bb3b94cc469a68f77eed0c8734b783
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Machine Learning detection for sample

Sample is packed with UPX

Detected TCP or UDP traffic on non-standard ports

ELF contains segments with high entropy indicating compressed/encrypted content

Enumerates processes within the "proc" file system

Sample contains only a LOAD segment without any section mappings

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1536979
Start date and time:	2024-10-18 13:27:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	na.elf
Detection:	MAL
Classification:	mal56.evad.linELF@0/0@0/0

Warnings

VT rate limit hit for: na.elf

Runtime Messages

Command:	/tmp/na.elf
PID:	5490
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	lzrd cock fest"/proc/"/exe
Standard Error:

Process Tree

system is lnxubuntu20

na.elf (PID: 5490, Parent: 5414, MD5: b51a743a5d9483e64e33e7bf781088dd) Arguments: /tmp/na.elf

na.elf New Fork (PID: 5491, Parent: 5490)

na.elf New Fork (PID: 5492, Parent: 5491)

na.elf New Fork (PID: 5493, Parent: 5491)

na.elf New Fork (PID: 5496, Parent: 5490)

na.elf New Fork (PID: 5497, Parent: 5490)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
5491.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xfeb8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfecc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfee0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfef4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xff08:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xff1c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xff30:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xff44:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xff58:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xff6c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xff80:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xff94:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xffa8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xffbc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xffd0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xffe4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfff8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1000c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10020:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10034:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10048:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5491.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Mirai_564b8eda	unknown	unknown	0x49b2:$a: 83 FE 01 76 12 0F B7 07 83 EE 02 48 83 C7 02 48 01 C1 83 FE 01
5490.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xfeb8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfecc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfee0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfef4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xff08:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xff1c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xff30:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xff44:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xff58:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xff6c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xff80:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xff94:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xffa8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xffbc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xffd0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xffe4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfff8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1000c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10020:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10034:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10048:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5490.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Mirai_564b8eda	unknown	unknown	0x49b2:$a: 83 FE 01 76 12 0F B7 07 83 EE 02 48 83 C7 02 48 01 C1 83 FE 01
5492.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xfeb8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfecc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfee0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfef4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xff08:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xff1c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xff30:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xff44:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xff58:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xff6c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xff80:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xff94:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xffa8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xffbc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xffd0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xffe4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfff8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1000c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10020:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10034:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10048:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5492.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Mirai_564b8eda	unknown	unknown	0x49b2:$a: 83 FE 01 76 12 0F B7 07 83 EE 02 48 83 C7 02 48 01 C1 83 FE 01
5496.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xfeb8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfecc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfee0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfef4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xff08:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xff1c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xff30:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xff44:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xff58:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xff6c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xff80:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xff94:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xffa8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xffbc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xffd0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xffe4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfff8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1000c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10020:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10034:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10048:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5496.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Mirai_564b8eda	unknown	unknown	0x49b2:$a: 83 FE 01 76 12 0F B7 07 83 EE 02 48 83 C7 02 48 01 C1 83 FE 01
Process Memory Space: na.elf PID: 5490	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x193b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x194f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1963:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1977:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x198b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x199f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19b3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19c7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19db:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19ef:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1a03:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1a17:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1a2b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1a3f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1a53:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1a67:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1a7b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1a8f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1aa3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1ab7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1acb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: na.elf PID: 5491	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xee2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xef6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf0a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf1e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf32:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf46:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf5a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf6e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf82:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf96:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfaa:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfbe:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfd2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfe6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xffa:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x100e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1022:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1036:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x104a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x105e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1072:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: na.elf PID: 5492	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x1185:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1199:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11ad:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11c1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11d5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11e9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11fd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1211:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1225:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1239:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x124d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1261:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1275:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1289:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x129d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12b1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12c5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12d9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12ed:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1301:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1315:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: na.elf PID: 5496	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x8b3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x8c7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x8db:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x8ef:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x903:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x917:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x92b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x93f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x953:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x967:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x97b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x98f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9a3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9b7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9cb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9df:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9f3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa07:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa1b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa2f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa43:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Click to see the 7 entries

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Machine Learning detection for sample

Source: na.elf

Joe Sandbox ML: detected

Source: global traffic

TCP traffic: 192.168.2.14:51134 -> 45.86.155.23:3778

Source: global traffic

TCP traffic: 192.168.2.14:46540 -> 185.125.190.26:443

Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23

Source: na.elf

String found in binary or memory: http://upx.sf.net

Source: unknown

Network traffic detected: HTTP traffic on port 46540 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 5491.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5491.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_564b8eda Author: unknown
Source: 5490.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5490.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_564b8eda Author: unknown
Source: 5492.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5492.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_564b8eda Author: unknown
Source: 5496.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5496.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_564b8eda Author: unknown
Source: Process Memory Space: na.elf PID: 5490, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: na.elf PID: 5491, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: na.elf PID: 5492, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: na.elf PID: 5496, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: LOAD without section mappings

Program segment: 0x400000

Source: 5491.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5491.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_564b8eda reference_sample = ff04921d7bf9ca01ae33a9fc0743dce9ca250e42a33547c5665b1c9a0b5260ee, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 63a9e43902e7db0b7a20498b5a860e36201bacc407e9e336faca0b7cfbc37819, id = 564b8eda-6f0e-45b8-bef6-d61b0f090a36, last_modified = 2021-09-16
Source: 5490.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5490.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_564b8eda reference_sample = ff04921d7bf9ca01ae33a9fc0743dce9ca250e42a33547c5665b1c9a0b5260ee, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 63a9e43902e7db0b7a20498b5a860e36201bacc407e9e336faca0b7cfbc37819, id = 564b8eda-6f0e-45b8-bef6-d61b0f090a36, last_modified = 2021-09-16
Source: 5492.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5492.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_564b8eda reference_sample = ff04921d7bf9ca01ae33a9fc0743dce9ca250e42a33547c5665b1c9a0b5260ee, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 63a9e43902e7db0b7a20498b5a860e36201bacc407e9e336faca0b7cfbc37819, id = 564b8eda-6f0e-45b8-bef6-d61b0f090a36, last_modified = 2021-09-16
Source: 5496.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5496.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_564b8eda reference_sample = ff04921d7bf9ca01ae33a9fc0743dce9ca250e42a33547c5665b1c9a0b5260ee, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 63a9e43902e7db0b7a20498b5a860e36201bacc407e9e336faca0b7cfbc37819, id = 564b8eda-6f0e-45b8-bef6-d61b0f090a36, last_modified = 2021-09-16
Source: Process Memory Space: na.elf PID: 5490, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: na.elf PID: 5491, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: na.elf PID: 5492, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: na.elf PID: 5496, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal56.evad.linELF@0/0@0/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Source: /tmp/na.elf (PID: 5490)	File opened: /proc/3760/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/3761/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/1583/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/2672/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/110/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/111/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/112/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/113/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/234/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/1577/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/114/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/235/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/115/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/116/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/117/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/118/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/119/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/10/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/917/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/11/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/12/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/13/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/14/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/15/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/16/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/17/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/18/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/19/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/1593/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/240/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/120/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/3094/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/121/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/242/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/3406/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/1/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/122/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/243/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/2/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/123/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/244/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/1589/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/3/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/124/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/245/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/1588/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/125/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/4/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/246/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/3402/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/126/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/5/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/247/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/127/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/6/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/248/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/128/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/7/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/249/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/8/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/129/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/800/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/3762/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/9/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/801/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/3763/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/803/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/20/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/806/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/21/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/807/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/928/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/22/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/23/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/24/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/25/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/26/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/27/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/28/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/29/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/3420/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/490/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/250/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/130/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/251/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/131/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/252/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/132/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/253/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/254/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/255/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/135/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/256/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/1599/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/257/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/378/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/258/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/3412/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/259/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/30/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/35/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/1371/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/260/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/261/status	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	File opened: /proc/262/status	Jump to behavior

Source: na.elf

Submission file: segment LOAD with 7.9646 entropy (max. 8.0)

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	11 Obfuscated Files or Information	1 OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
na.elf	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	na.elf	true	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.125.190.26	unknown	United Kingdom		41231	CANONICAL-ASGB	false
45.86.155.23	unknown	Germany		202322	EVERYONE-BANDWIDTH-INCDE	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
185.125.190.26	aOEIurMq5y.elf	Get hash	malicious	Rekoobe	Browse
	ex86.elf	Get hash	malicious	Unknown	Browse
	earm5.elf	Get hash	malicious	Unknown	Browse
	H67Pi5Q4j3.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	0tC8hgmU0a.elf	Get hash	malicious	Unknown	Browse
	armv4eb.elf	Get hash	malicious	Unknown	Browse
	JdU8SZwtWW.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	rondo.armv6l.elf	Get hash	malicious	Unknown	Browse
	GZrCQ5cvLI.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	na.elf	Get hash	malicious	Unknown	Browse
45.86.155.23	na.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
EVERYONE-BANDWIDTH-INCDE	na.elf	Get hash	malicious	Unknown	Browse	45.86.155.23
	http://qgasyntax.com/2753402WB7192675vw697764118Il17367cC38SJr190893GZ	Get hash	malicious	Phisher	Browse	45.13.225.215
	K5P6Oe31Kq.elf	Get hash	malicious	Mirai	Browse	45.133.73.210
CANONICAL-ASGB	na.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	bin.sh.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	aOEIurMq5y.elf	Get hash	malicious	Rekoobe	Browse	185.125.190.26
	HiO21MreI7.elf	Get hash	malicious	Rekoobe	Browse	91.189.91.42
	boatnet.sh4.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	boatnet.ppc.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	boatnet.arm6.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	na.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	main_mips.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	qkdjdjj22.sh4.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.189.91.42

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
Entropy (8bit):	7.962605514066814
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	na.elf
File size:	37'540 bytes
MD5:	b51a743a5d9483e64e33e7bf781088dd
SHA1:	9ca5ed2c9f3fa737c2835cbeaebb3cb162f9d9b4
SHA256:	14bba29034078974f506e082c7df4bc676bb3b94cc469a68f77eed0c8734b783
SHA512:	cbc639432c7588c2c9b37e8733875c8e4410b3508665cf6b977d4741e9daca7148e85a2945c8549dd73874b914ed05e500a43801843d04f15e2dd11db2f9a69b
SSDEEP:	768:v+4q/iqtmv2pUkaFBrq0xEaXLZY77qLhdDGc7x07:W9LQKiHruaXLa3+hdDGeC
TLSH:	82F2F1A75975F33CDC2168F1A1DD06C4F56B398A13839EAE11CF2AB8DC7B09A2701A40
File Content Preview:	.ELF..............>.....`.@.....@...................@.8...@.......................@.......@....................... ......................Ka......Ka.............................Q.td.....................................................I..UPX!H.......8:..8:.

Static ELF Info

ELF header
Class:	ELF64
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Advanced Micro Devices X86-64
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x408060
Flags:	0x0
ELF Header Size:	64
Program Header Offset:	64
Program Header Size:	56
Number of Program Headers:	3
Section Header Offset:	0
Section Header Size:	64
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0x400000	0x400000	0x919c	0x919c	7.9646	0x5	R E	0x200000
LOAD	0xb00	0x614b00	0x614b00	0x0	0x0	0.0000	0x6	RW	0x1000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x8

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 18, 2024 13:27:52.334388018 CEST	51134	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:52.339623928 CEST	3778	51134	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:52.339696884 CEST	51134	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:52.342287064 CEST	51134	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:52.347243071 CEST	3778	51134	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:52.347304106 CEST	51134	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:52.352183104 CEST	3778	51134	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:53.184312105 CEST	3778	51134	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:53.184592962 CEST	51134	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:53.184592962 CEST	51134	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:53.185347080 CEST	51136	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:53.191056013 CEST	3778	51136	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:53.191165924 CEST	51136	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:53.192097902 CEST	51136	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:53.196985960 CEST	3778	51136	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:53.197055101 CEST	51136	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:53.202001095 CEST	3778	51136	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:54.024983883 CEST	3778	51136	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:54.025150061 CEST	51136	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:54.025183916 CEST	51136	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:54.026070118 CEST	51138	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:54.031088114 CEST	3778	51138	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:54.031157017 CEST	51138	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:54.032130003 CEST	51138	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:54.037004948 CEST	3778	51138	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:54.037076950 CEST	51138	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:54.041976929 CEST	3778	51138	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:54.876844883 CEST	3778	51138	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:54.877080917 CEST	51138	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:54.877080917 CEST	51138	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:54.877562046 CEST	51140	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:54.883586884 CEST	3778	51140	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:54.883656025 CEST	51140	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:54.884341955 CEST	51140	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:54.889873981 CEST	3778	51140	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:54.889916897 CEST	51140	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:54.894931078 CEST	3778	51140	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:55.713562965 CEST	3778	51140	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:55.713783026 CEST	51140	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:55.713783979 CEST	51140	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:55.714562893 CEST	51142	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:55.719744921 CEST	3778	51142	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:55.719810009 CEST	51142	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:55.720593929 CEST	51142	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:55.725562096 CEST	3778	51142	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:55.725620985 CEST	51142	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:55.730474949 CEST	3778	51142	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:56.564709902 CEST	3778	51142	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:56.564981937 CEST	51142	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:56.564982891 CEST	51142	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:56.565412998 CEST	51144	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:56.570333958 CEST	3778	51144	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:56.570394993 CEST	51144	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:56.571043968 CEST	51144	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:56.577330112 CEST	3778	51144	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:56.577377081 CEST	51144	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:56.584779024 CEST	3778	51144	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:57.428669930 CEST	3778	51144	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:57.428878069 CEST	51144	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:57.428878069 CEST	51144	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:57.429429054 CEST	51146	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:57.434381008 CEST	3778	51146	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:57.434516907 CEST	51146	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:57.435126066 CEST	51146	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:57.440025091 CEST	3778	51146	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:57.440088987 CEST	51146	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:57.445022106 CEST	3778	51146	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:57.979628086 CEST	51148	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:57.984551907 CEST	3778	51148	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:57.984631062 CEST	51148	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:57.985965967 CEST	51148	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:57.990897894 CEST	3778	51148	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:57.990948915 CEST	51148	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:57.995796919 CEST	3778	51148	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:58.279582977 CEST	3778	51146	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:58.279834032 CEST	51146	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:58.279834032 CEST	51146	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:58.280313969 CEST	51150	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:58.285132885 CEST	3778	51150	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:58.285188913 CEST	51150	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:58.285864115 CEST	51150	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:58.291769028 CEST	3778	51150	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:58.291820049 CEST	51150	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:58.296890020 CEST	3778	51150	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:58.811290979 CEST	3778	51148	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:58.811517000 CEST	51148	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:58.811548948 CEST	51148	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:58.812136889 CEST	51152	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:58.817085981 CEST	3778	51152	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:58.817187071 CEST	51152	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:58.817926884 CEST	51152	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:58.823374987 CEST	3778	51152	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:58.823422909 CEST	51152	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:58.829015970 CEST	3778	51152	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:59.119368076 CEST	3778	51150	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:59.119591951 CEST	51150	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:59.119638920 CEST	51150	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:59.120075941 CEST	51154	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:59.125022888 CEST	3778	51154	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:59.125087023 CEST	51154	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:59.125797033 CEST	51154	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:59.130562067 CEST	3778	51154	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:59.130610943 CEST	51154	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:59.135437012 CEST	3778	51154	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:59.654604912 CEST	3778	51152	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:59.654706001 CEST	51152	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:59.654815912 CEST	51152	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:59.655263901 CEST	51156	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:59.660142899 CEST	3778	51156	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:59.660232067 CEST	51156	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:59.660878897 CEST	51156	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:59.665693998 CEST	3778	51156	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:59.665750027 CEST	51156	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:59.670670033 CEST	3778	51156	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:59.962167978 CEST	3778	51154	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:59.962268114 CEST	51154	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:59.962301970 CEST	51154	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:59.962770939 CEST	51158	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:59.967628002 CEST	3778	51158	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:59.967683077 CEST	51158	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:59.968453884 CEST	51158	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:59.973381996 CEST	3778	51158	45.86.155.23	192.168.2.14
Oct 18, 2024 13:27:59.973428965 CEST	51158	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:27:59.978306055 CEST	3778	51158	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:00.493621111 CEST	3778	51156	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:00.493746996 CEST	51156	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:00.493782997 CEST	51156	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:00.494251013 CEST	51160	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:00.499119997 CEST	3778	51160	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:00.499188900 CEST	51160	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:00.499903917 CEST	51160	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:00.504760027 CEST	3778	51160	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:00.504813910 CEST	51160	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:00.509648085 CEST	3778	51160	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:00.818936110 CEST	3778	51158	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:00.819047928 CEST	51158	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:00.819080114 CEST	51158	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:00.819564104 CEST	51162	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:00.824491024 CEST	3778	51162	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:00.824553013 CEST	51162	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:00.825236082 CEST	51162	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:00.830092907 CEST	3778	51162	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:00.830146074 CEST	51162	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:00.835025072 CEST	3778	51162	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:01.333292961 CEST	3778	51160	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:01.333610058 CEST	51160	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:01.333610058 CEST	51160	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:01.334034920 CEST	51164	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:01.338953018 CEST	3778	51164	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:01.339016914 CEST	51164	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:01.339792013 CEST	51164	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:01.344661951 CEST	3778	51164	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:01.344741106 CEST	51164	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:01.349729061 CEST	3778	51164	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:01.666718006 CEST	3778	51162	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:01.666862965 CEST	51162	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:01.666929007 CEST	51162	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:01.667551994 CEST	51166	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:01.672527075 CEST	3778	51166	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:01.672599077 CEST	51166	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:01.673544884 CEST	51166	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:01.678481102 CEST	3778	51166	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:01.678545952 CEST	51166	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:01.683470964 CEST	3778	51166	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:02.392151117 CEST	3778	51164	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:02.392457962 CEST	51164	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:02.392457962 CEST	51164	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:02.393111944 CEST	51168	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:02.397985935 CEST	3778	51168	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:02.398049116 CEST	51168	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:02.399095058 CEST	51168	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:02.403950930 CEST	3778	51168	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:02.403996944 CEST	51168	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:02.408977032 CEST	3778	51168	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:02.497335911 CEST	3778	51166	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:02.497522116 CEST	51166	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:02.497523069 CEST	51166	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:02.498044014 CEST	51170	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:02.502950907 CEST	3778	51170	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:02.503057003 CEST	51170	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:02.503958941 CEST	51170	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:02.508800030 CEST	3778	51170	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:02.508866072 CEST	51170	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:02.513736963 CEST	3778	51170	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:02.560925007 CEST	46540	443	192.168.2.14	185.125.190.26
Oct 18, 2024 13:28:03.244119883 CEST	3778	51168	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:03.244303942 CEST	51168	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:03.244339943 CEST	51168	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:03.244848967 CEST	51172	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:03.249742031 CEST	3778	51172	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:03.249813080 CEST	51172	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:03.250531912 CEST	51172	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:03.255338907 CEST	3778	51172	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:03.255404949 CEST	51172	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:03.260227919 CEST	3778	51172	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:03.322578907 CEST	3778	51170	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:03.322736025 CEST	51170	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:03.322938919 CEST	51170	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:03.323463917 CEST	51174	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:03.328490019 CEST	3778	51174	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:03.328557014 CEST	51174	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:03.329406023 CEST	51174	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:03.334264040 CEST	3778	51174	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:03.334321976 CEST	51174	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:03.339274883 CEST	3778	51174	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:04.075342894 CEST	3778	51172	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:04.075488091 CEST	51172	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:04.075603962 CEST	51172	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:04.076359034 CEST	51176	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:04.081337929 CEST	3778	51176	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:04.081414938 CEST	51176	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:04.082370043 CEST	51176	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:04.087233067 CEST	3778	51176	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:04.087300062 CEST	51176	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:04.092619896 CEST	3778	51176	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:04.186827898 CEST	3778	51174	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:04.186983109 CEST	51174	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:04.187161922 CEST	51174	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:04.187820911 CEST	51178	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:04.192881107 CEST	3778	51178	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:04.192939997 CEST	51178	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:04.193845034 CEST	51178	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:04.198676109 CEST	3778	51178	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:04.198720932 CEST	51178	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:04.203535080 CEST	3778	51178	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:04.909368992 CEST	3778	51176	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:04.909590960 CEST	51176	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:04.909590960 CEST	51176	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:04.910386086 CEST	51180	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:04.915478945 CEST	3778	51180	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:04.915555954 CEST	51180	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:04.916433096 CEST	51180	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:04.921397924 CEST	3778	51180	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:04.921454906 CEST	51180	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:04.927611113 CEST	3778	51180	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:05.040859938 CEST	3778	51178	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:05.041157007 CEST	51178	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:05.041157007 CEST	51178	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:05.041743040 CEST	51182	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:05.047116041 CEST	3778	51182	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:05.047204971 CEST	51182	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:05.048674107 CEST	51182	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:05.053530931 CEST	3778	51182	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:05.053596973 CEST	51182	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:05.058549881 CEST	3778	51182	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:05.759099007 CEST	3778	51180	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:05.759282112 CEST	51180	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:05.759366989 CEST	51180	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:05.759654999 CEST	3778	51180	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:05.759763956 CEST	51180	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:05.760106087 CEST	51184	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:05.765160084 CEST	3778	51184	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:05.765233994 CEST	51184	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:05.766050100 CEST	51184	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:05.771110058 CEST	3778	51184	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:05.771173000 CEST	51184	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:05.776130915 CEST	3778	51184	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:05.902388096 CEST	3778	51182	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:05.902503967 CEST	51182	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:05.902544022 CEST	51182	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:05.903183937 CEST	51186	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:05.908405066 CEST	3778	51186	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:05.908497095 CEST	51186	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:05.909802914 CEST	51186	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:05.914627075 CEST	3778	51186	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:05.914694071 CEST	51186	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:05.919821978 CEST	3778	51186	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:06.655416012 CEST	3778	51184	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:06.655564070 CEST	51184	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:06.655651093 CEST	51184	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:06.656348944 CEST	51188	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:06.661264896 CEST	3778	51188	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:06.661358118 CEST	51188	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:06.662455082 CEST	51188	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:06.667350054 CEST	3778	51188	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:06.667423964 CEST	51188	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:06.672276020 CEST	3778	51188	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:06.750885963 CEST	3778	51186	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:06.750989914 CEST	51186	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:06.751048088 CEST	51186	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:06.751702070 CEST	51190	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:06.756705999 CEST	3778	51190	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:06.756777048 CEST	51190	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:06.757812023 CEST	51190	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:06.762701035 CEST	3778	51190	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:06.762790918 CEST	51190	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:06.767632961 CEST	3778	51190	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:07.495768070 CEST	3778	51188	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:07.495913029 CEST	51188	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:07.496105909 CEST	51188	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:07.496762991 CEST	51192	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:07.502060890 CEST	3778	51192	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:07.502152920 CEST	51192	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:07.503456116 CEST	51192	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:07.508327961 CEST	3778	51192	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:07.508399963 CEST	51192	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:07.513247967 CEST	3778	51192	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:07.590889931 CEST	3778	51190	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:07.591135025 CEST	51190	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:07.591201067 CEST	51190	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:07.591901064 CEST	51194	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:07.597727060 CEST	3778	51194	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:07.597836018 CEST	51194	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:07.599153996 CEST	51194	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:07.604046106 CEST	3778	51194	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:07.604119062 CEST	51194	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:07.609158993 CEST	3778	51194	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:08.331953049 CEST	3778	51192	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:08.332195997 CEST	51192	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:08.332196951 CEST	51192	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:08.333055973 CEST	51196	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:08.338027954 CEST	3778	51196	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:08.338099003 CEST	51196	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:08.339128971 CEST	51196	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:08.344094992 CEST	3778	51196	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:08.344146013 CEST	51196	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:08.348972082 CEST	3778	51196	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:17.608551979 CEST	51194	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:17.614126921 CEST	3778	51194	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:17.848680019 CEST	3778	51194	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:17.848819971 CEST	51194	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:18.348869085 CEST	51196	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:18.353946924 CEST	3778	51196	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:18.594641924 CEST	3778	51196	45.86.155.23	192.168.2.14
Oct 18, 2024 13:28:18.594845057 CEST	51196	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:28:33.023894072 CEST	46540	443	192.168.2.14	185.125.190.26
Oct 18, 2024 13:29:17.890247107 CEST	51194	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:29:17.895299911 CEST	3778	51194	45.86.155.23	192.168.2.14
Oct 18, 2024 13:29:18.129359961 CEST	3778	51194	45.86.155.23	192.168.2.14
Oct 18, 2024 13:29:18.129705906 CEST	51194	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:29:18.650881052 CEST	51196	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:29:18.656003952 CEST	3778	51196	45.86.155.23	192.168.2.14
Oct 18, 2024 13:29:18.897111893 CEST	3778	51196	45.86.155.23	192.168.2.14
Oct 18, 2024 13:29:18.897310019 CEST	51196	3778	192.168.2.14	45.86.155.23

System Behavior

Analysis Process: na.elf PID: 5490, Parent PID: 5414

General

Start time (UTC):	11:27:51
Start date (UTC):	18/10/2024
Path:	/tmp/na.elf
Arguments:	/tmp/na.elf
File size:	37540 bytes
MD5 hash:	b51a743a5d9483e64e33e7bf781088dd

Chronological Activities

Analysis Process: na.elf PID: 5491, Parent PID: 5490

General

Start time (UTC):	11:27:51
Start date (UTC):	18/10/2024
Path:	/tmp/na.elf
Arguments:	-
File size:	37540 bytes
MD5 hash:	b51a743a5d9483e64e33e7bf781088dd

Chronological Activities

Analysis Process: na.elf PID: 5492, Parent PID: 5491

General

Start time (UTC):	11:27:51
Start date (UTC):	18/10/2024
Path:	/tmp/na.elf
Arguments:	-
File size:	37540 bytes
MD5 hash:	b51a743a5d9483e64e33e7bf781088dd

Chronological Activities

Analysis Process: na.elf PID: 5493, Parent PID: 5491

General

Start time (UTC):	11:27:51
Start date (UTC):	18/10/2024
Path:	/tmp/na.elf
Arguments:	-
File size:	37540 bytes
MD5 hash:	b51a743a5d9483e64e33e7bf781088dd

Chronological Activities

Analysis Process: na.elf PID: 5496, Parent PID: 5490

General

Start time (UTC):	11:27:57
Start date (UTC):	18/10/2024
Path:	/tmp/na.elf
Arguments:	-
File size:	37540 bytes
MD5 hash:	b51a743a5d9483e64e33e7bf781088dd

Chronological Activities

Analysis Process: na.elf PID: 5497, Parent PID: 5490

General

Start time (UTC):	11:27:57
Start date (UTC):	18/10/2024
Path:	/tmp/na.elf
Arguments:	-
File size:	37540 bytes
MD5 hash:	b51a743a5d9483e64e33e7bf781088dd

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report na.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: na.elf PID: 5490, Parent PID: 5414

General

Chronological Activities

Analysis Process: na.elf PID: 5491, Parent PID: 5490

General

Chronological Activities

Analysis Process: na.elf PID: 5492, Parent PID: 5491

General

Chronological Activities

Analysis Process: na.elf PID: 5493, Parent PID: 5491

General

Chronological Activities

Analysis Process: na.elf PID: 5496, Parent PID: 5490

General

Chronological Activities

Analysis Process: na.elf PID: 5497, Parent PID: 5490

General

Chronological Activities

Linux Analysis Report
na.elf