Edit tour

Linux Analysis Report
zmap.arm.elf

Overview

General Information

Sample name:	zmap.arm.elf
Analysis ID:	1544691
MD5:	823958d1dbb59368ec9cb465345ede82
SHA1:	4246851d3b9f1b59c45e2069fc1e204fa2937fc6
SHA256:	ce3fcb923990e59f2bcee0f811a868fa7a0abf2a461b54974977d1db6e940aee
Tags:	elfMiraiuser-abuse_ch
Infos:

Detection

Mirai, Okiru

Score:	84
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Mirai

Yara detected Okiru

Sample deletes itself

Detected TCP or UDP traffic on non-standard ports

Sample has stripped symbol table

Sample listens on a socket

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544691
Start date and time:	2024-10-29 17:27:25 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	zmap.arm.elf
Detection:	MAL
Classification:	mal84.troj.evad.linELF@0/0@23/0

Warnings

VT rate limit hit for: zmap.arm.elf

Runtime Messages

Command:	/tmp/zmap.arm.elf
PID:	5513
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	VagneRHere
Standard Error:

Process Tree

system is lnxubuntu20

zmap.arm.elf (PID: 5513, Parent: 5429, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/zmap.arm.elf

zmap.arm.elf New Fork (PID: 5515, Parent: 5513)

zmap.arm.elf New Fork (PID: 5517, Parent: 5515)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
zmap.arm.elf	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
zmap.arm.elf	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
zmap.arm.elf	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x10248:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1025c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10270:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10284:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10298:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10310:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10324:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10338:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1034c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10360:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10374:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10388:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1039c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x103b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x103c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x103d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F

Memory Dumps

Source	Rule	Description	Author	Strings
5517.1.00007ffa80017000.00007ffa8002a000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
5517.1.00007ffa80017000.00007ffa8002a000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5517.1.00007ffa80017000.00007ffa8002a000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x10248:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1025c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10270:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10284:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10298:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10310:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10324:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10338:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1034c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10360:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10374:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10388:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1039c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x103b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x103c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x103d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5513.1.00007ffa80017000.00007ffa8002a000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
5513.1.00007ffa80017000.00007ffa8002a000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5513.1.00007ffa80017000.00007ffa8002a000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x10248:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1025c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10270:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10284:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10298:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10310:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10324:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10338:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1034c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10360:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10374:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10388:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1039c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x103b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x103c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x103d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: zmap.arm.elf PID: 5513	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Process Memory Space: zmap.arm.elf PID: 5513	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: zmap.arm.elf PID: 5513	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x3bb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3cf:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3e3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3f7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x40b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x41f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x433:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x447:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x45b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x46f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x483:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x497:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4ab:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4bf:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4d3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4e7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4fb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x50f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x523:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x537:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x54b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: zmap.arm.elf PID: 5517	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Process Memory Space: zmap.arm.elf PID: 5517	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: zmap.arm.elf PID: 5517	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x31d7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x31eb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x31ff:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3213:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3227:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x323b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x324f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3263:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3277:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x328b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x329f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x32b3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x32c7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x32db:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x32ef:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3303:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3317:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x332b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x333f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3353:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3367:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Click to see the 7 entries

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: zmap.arm.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: zmap.arm.elf

ReversingLabs: Detection: 63%

Source: global traffic

TCP traffic: 192.168.2.14:54784 -> 154.216.20.164:59962

Source: /tmp/zmap.arm.elf (PID: 5513)

Socket: 127.0.0.1:39148

Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.14:46540 -> 185.125.190.26:443

Source: unknown	TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.125.190.26

Source: global traffic

DNS traffic detected: DNS query: cnc.dico-inside.com

Source: unknown

Network traffic detected: HTTP traffic on port 46540 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: zmap.arm.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5517.1.00007ffa80017000.00007ffa8002a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5513.1.00007ffa80017000.00007ffa8002a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: zmap.arm.elf PID: 5513, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: zmap.arm.elf PID: 5517, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: ELF static info symbol of initial sample

.symtab present: no

Source: zmap.arm.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5517.1.00007ffa80017000.00007ffa8002a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5513.1.00007ffa80017000.00007ffa8002a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: zmap.arm.elf PID: 5513, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: zmap.arm.elf PID: 5517, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal84.troj.evad.linELF@0/0@23/0

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/zmap.arm.elf (PID: 5513)

File: /tmp/zmap.arm.elf

Jump to behavior

Source: /tmp/zmap.arm.elf (PID: 5513)

Queries kernel information via 'uname':

Jump to behavior

Source: zmap.arm.elf, 5513.1.00007ffdb7d57000.00007ffdb7d78000.rw-.sdmp, zmap.arm.elf, 5517.1.00007ffdb7d57000.00007ffdb7d78000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/zmap.arm.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/zmap.arm.elf
Source: zmap.arm.elf, 5513.1.0000558bd0919000.0000558bd0a47000.rw-.sdmp, zmap.arm.elf, 5517.1.0000558bd0919000.0000558bd0a47000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/arm
Source: zmap.arm.elf, 5513.1.0000558bd0919000.0000558bd0a47000.rw-.sdmp, zmap.arm.elf, 5517.1.0000558bd0919000.0000558bd0a47000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: zmap.arm.elf, 5513.1.00007ffdb7d57000.00007ffdb7d78000.rw-.sdmp, zmap.arm.elf, 5517.1.00007ffdb7d57000.00007ffdb7d78000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: zmap.arm.elf, type: SAMPLE
Source: Yara match	File source: 5517.1.00007ffa80017000.00007ffa8002a000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5513.1.00007ffa80017000.00007ffa8002a000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zmap.arm.elf PID: 5513, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: zmap.arm.elf PID: 5517, type: MEMORYSTR

Yara detected Okiru

Source: Yara match	File source: zmap.arm.elf, type: SAMPLE
Source: Yara match	File source: 5517.1.00007ffa80017000.00007ffa8002a000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5513.1.00007ffa80017000.00007ffa8002a000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zmap.arm.elf PID: 5513, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: zmap.arm.elf PID: 5517, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: zmap.arm.elf, type: SAMPLE
Source: Yara match	File source: 5517.1.00007ffa80017000.00007ffa8002a000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5513.1.00007ffa80017000.00007ffa8002a000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zmap.arm.elf PID: 5513, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: zmap.arm.elf PID: 5517, type: MEMORYSTR

Yara detected Okiru

Source: Yara match	File source: zmap.arm.elf, type: SAMPLE
Source: Yara match	File source: 5517.1.00007ffa80017000.00007ffa8002a000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5513.1.00007ffa80017000.00007ffa8002a000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zmap.arm.elf PID: 5513, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: zmap.arm.elf PID: 5517, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 File Deletion	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
zmap.arm.elf	63%	ReversingLabs	Linux.Trojan.Mirai
zmap.arm.elf	100%	Avira	EXP/ELF.Mirai.Z.A

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cnc.dico-inside.com	154.216.20.164	true	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.125.190.26	unknown	United Kingdom		41231	CANONICAL-ASGB	false
154.216.20.164	cnc.dico-inside.com	Seychelles		135357	SKHT-ASShenzhenKatherineHengTechnologyInformationCo	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
185.125.190.26	ppc.elf	Get hash	malicious	Mirai	Browse
	wriww68k.elf	Get hash	malicious	Gafgyt, Mirai, Okiru	Browse
	x86.elf	Get hash	malicious	Unknown	Browse
	zmap.x86_64.elf	Get hash	malicious	Okiru	Browse
	spc.elf	Get hash	malicious	Mirai	Browse
	na.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	na.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	na.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	boatnet.arm7.elf	Get hash	malicious	Mirai	Browse
	m68k.elf	Get hash	malicious	Unknown	Browse
154.216.20.164	zmap.arm7.elf	Get hash	malicious	Mirai, Okiru	Browse
	zmap.mips.elf	Get hash	malicious	Mirai, Okiru	Browse
	zmap.m68k.elf	Get hash	malicious	Mirai, Okiru	Browse
	zmap.mpsl.elf	Get hash	malicious	Mirai, Okiru	Browse
	zmap.ppc.elf	Get hash	malicious	Mirai, Okiru	Browse
	zmap.sh4.elf	Get hash	malicious	Mirai, Okiru	Browse
	zmap.spc.elf	Get hash	malicious	Mirai, Okiru	Browse
	zmap.x86.elf	Get hash	malicious	Okiru	Browse
	debug.dbg.elf	Get hash	malicious	Mirai, Okiru	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cnc.dico-inside.com	zmap.arm7.elf	Get hash	malicious	Mirai, Okiru	Browse	154.216.20.164
	zmap.mips.elf	Get hash	malicious	Mirai, Okiru	Browse	154.216.20.164
	zmap.m68k.elf	Get hash	malicious	Mirai, Okiru	Browse	154.216.20.164
	zmap.mpsl.elf	Get hash	malicious	Mirai, Okiru	Browse	154.216.20.164
	zmap.ppc.elf	Get hash	malicious	Mirai, Okiru	Browse	154.216.20.164
	zmap.sh4.elf	Get hash	malicious	Mirai, Okiru	Browse	154.216.20.164
	zmap.spc.elf	Get hash	malicious	Mirai, Okiru	Browse	154.216.20.164
	zmap.x86.elf	Get hash	malicious	Okiru	Browse	154.216.20.164
	debug.dbg.elf	Get hash	malicious	Mirai, Okiru	Browse	154.216.20.164

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SKHT-ASShenzhenKatherineHengTechnologyInformationCo	arm5.elf	Get hash	malicious	Unknown	Browse	154.216.20.58
	jew.spc.elf	Get hash	malicious	Mirai	Browse	156.254.70.156
	x86_64.elf	Get hash	malicious	Mirai	Browse	156.241.11.59
	mips.elf	Get hash	malicious	Unknown	Browse	154.216.20.58
	parm.elf	Get hash	malicious	Mirai	Browse	156.230.19.184
	tel.x86.elf	Get hash	malicious	Mirai	Browse	156.230.19.193
	zmap.arm7.elf	Get hash	malicious	Mirai, Okiru	Browse	154.216.20.164
	zmap.mips.elf	Get hash	malicious	Mirai, Okiru	Browse	154.216.20.164
	zmap.m68k.elf	Get hash	malicious	Mirai, Okiru	Browse	154.216.20.164
	garm.elf	Get hash	malicious	Mirai	Browse	156.241.11.91
CANONICAL-ASGB	mips.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	ppc.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	parm6.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	zmap.mpsl.elf	Get hash	malicious	Mirai, Okiru	Browse	91.189.91.42
	xmpsl.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	tarm.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	wriww68k.elf	Get hash	malicious	Gafgyt, Mirai, Okiru	Browse	185.125.190.26
	zmap.sh4.elf	Get hash	malicious	Mirai, Okiru	Browse	91.189.91.42
	x86.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	zmap.x86_64.elf	Get hash	malicious	Okiru	Browse	185.125.190.26

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy (8bit):	6.196744399151135
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	zmap.arm.elf
File size:	75'840 bytes
MD5:	823958d1dbb59368ec9cb465345ede82
SHA1:	4246851d3b9f1b59c45e2069fc1e204fa2937fc6
SHA256:	ce3fcb923990e59f2bcee0f811a868fa7a0abf2a461b54974977d1db6e940aee
SHA512:	2598ed24790e8e29fe7e54c8b06c65bc58a55348a0eb20359d6b25eeee0d5565b5746915c6f07f6149f8c0fa8ffac3a060bb7b794d36dbfeaeb40f8aebe4803d
SSDEEP:	1536:+jdTb69MAWg92P72qa9H4S5wPX6WZeqLeBZebFvTsA:+jd14H4QWZetb0Ts
TLSH:	0C733A45B9815A13C6E5127BFAAE01CD372523E8E3DE7207DE216F21379682F0D67A81
File Content Preview:	.ELF...a..........(.........4....&......4. ...(......................"..."..............."..."...".......'..........Q.td..................................-...L."...R@..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	ARM - ABI
ABI Version:	0
Entry Point Address:	0x8190
Flags:	0x202
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	75440
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8094	0x94	0x18	0x0	0x6	AX	4
.text	PROGBITS	0x80b0	0xb0	0x10180	0x0	0x6	AX	16
.fini	PROGBITS	0x18230	0x10230	0x14	0x0	0x6	AX	4
.rodata	PROGBITS	0x18244	0x10244	0x2084	0x0	0x2	A	4
.ctors	PROGBITS	0x222cc	0x122cc	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x222d4	0x122d4	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x222e0	0x122e0	0x390	0x0	0x3	WA	4
.bss	NOBITS	0x22670	0x12670	0x2430	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x12670	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8000	0x8000	0x122c8	0x122c8	6.2251	0x5	R E	0x8000	.init .text .fini .rodata
LOAD	0x122cc	0x222cc	0x222cc	0x3a4	0x27d4	3.0685	0x6	RW	0x8000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 17:28:18.811501980 CET	54784	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:18.817039967 CET	59962	54784	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:18.817121983 CET	54784	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:18.829580069 CET	54784	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:18.835028887 CET	59962	54784	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:18.835086107 CET	54784	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:18.840500116 CET	59962	54784	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:19.697688103 CET	59962	54784	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:19.698081017 CET	54784	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:19.698081017 CET	54784	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:19.762167931 CET	54786	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:19.767673969 CET	59962	54786	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:19.767985106 CET	54786	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:19.769148111 CET	54786	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:19.775088072 CET	59962	54786	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:19.775192022 CET	54786	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:19.781131983 CET	59962	54786	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:20.637486935 CET	59962	54786	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:20.637722015 CET	54786	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:20.637722015 CET	54786	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:20.637763023 CET	59962	54786	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:20.637825012 CET	54786	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:20.706221104 CET	54788	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:20.717914104 CET	59962	54788	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:20.718008041 CET	54788	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:20.718980074 CET	54788	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:20.729301929 CET	59962	54788	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:20.729398966 CET	54788	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:20.735080957 CET	59962	54788	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:21.596369982 CET	59962	54788	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:21.596493959 CET	54788	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:21.596570969 CET	54788	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:21.607337952 CET	54790	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:21.613018036 CET	59962	54790	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:21.613084078 CET	54790	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:21.613715887 CET	54790	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:21.619091034 CET	59962	54790	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:21.619142056 CET	54790	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:21.624445915 CET	59962	54790	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:22.493290901 CET	59962	54790	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:22.493436098 CET	54790	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:22.493473053 CET	54790	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:22.502439976 CET	54792	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:22.507863045 CET	59962	54792	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:22.507960081 CET	54792	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:22.508557081 CET	54792	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:22.514362097 CET	59962	54792	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:22.514431953 CET	54792	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:22.519889116 CET	59962	54792	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:23.368053913 CET	59962	54792	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:23.368226051 CET	54792	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:23.368295908 CET	54792	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:23.378143072 CET	54794	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:23.383833885 CET	59962	54794	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:23.383904934 CET	54794	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:23.384510994 CET	54794	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:23.389853001 CET	59962	54794	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:23.389914989 CET	54794	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:23.395294905 CET	59962	54794	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:24.258979082 CET	59962	54794	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:24.259166956 CET	54794	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:24.259252071 CET	54794	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:24.270593882 CET	54796	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:24.275985956 CET	59962	54796	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:24.276078939 CET	54796	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:24.276890993 CET	54796	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:24.282227993 CET	59962	54796	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:24.282291889 CET	54796	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:24.289388895 CET	59962	54796	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:25.249794960 CET	59962	54796	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:25.250049114 CET	54796	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:25.250049114 CET	54796	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:25.260272026 CET	54798	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:25.265697002 CET	59962	54798	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:25.265753031 CET	54798	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:25.266478062 CET	54798	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:25.271835089 CET	59962	54798	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:25.271950960 CET	54798	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:25.277267933 CET	59962	54798	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:26.151930094 CET	59962	54798	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:26.152076006 CET	54798	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:26.152122974 CET	54798	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:26.161017895 CET	54800	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:26.166467905 CET	59962	54800	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:26.166548967 CET	54800	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:26.167212963 CET	54800	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:26.172665119 CET	59962	54800	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:26.172722101 CET	54800	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:26.178212881 CET	59962	54800	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:27.044857979 CET	59962	54800	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:27.045023918 CET	54800	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:27.045125008 CET	54800	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:27.054202080 CET	54802	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:27.059993029 CET	59962	54802	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:27.060096979 CET	54802	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:27.060868025 CET	54802	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:27.066155910 CET	59962	54802	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:27.066226006 CET	54802	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:27.071638107 CET	59962	54802	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:27.936135054 CET	59962	54802	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:27.936300993 CET	54802	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:27.936372042 CET	54802	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:27.945751905 CET	54804	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:27.952150106 CET	59962	54804	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:27.952203035 CET	54804	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:27.952790976 CET	54804	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:27.958295107 CET	59962	54804	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:27.958347082 CET	54804	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:27.963974953 CET	59962	54804	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:28.826984882 CET	59962	54804	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:28.827223063 CET	54804	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:28.827281952 CET	54804	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:28.837117910 CET	54806	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:28.842717886 CET	59962	54806	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:28.842899084 CET	54806	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:28.843854904 CET	54806	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:28.849821091 CET	59962	54806	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:28.849881887 CET	54806	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:28.855529070 CET	59962	54806	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:29.193483114 CET	46540	443	192.168.2.14	185.125.190.26
Oct 29, 2024 17:28:29.789130926 CET	59962	54806	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:29.789150000 CET	59962	54806	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:29.789299011 CET	54806	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:29.789299011 CET	54806	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:29.789401054 CET	54806	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:29.791342974 CET	59962	54806	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:29.791435957 CET	54806	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:29.799155951 CET	54808	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:29.804610968 CET	59962	54808	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:29.804655075 CET	54808	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:29.805615902 CET	54808	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:29.810964108 CET	59962	54808	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:29.811003923 CET	54808	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:29.816421986 CET	59962	54808	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:30.673145056 CET	59962	54808	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:30.673276901 CET	54808	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:30.673337936 CET	54808	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:30.682888031 CET	54810	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:30.688927889 CET	59962	54810	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:30.689008951 CET	54810	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:30.689594030 CET	54810	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:30.695354939 CET	59962	54810	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:30.695413113 CET	54810	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:30.700854063 CET	59962	54810	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:31.560652971 CET	59962	54810	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:31.560746908 CET	59962	54810	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:31.560800076 CET	59962	54810	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:31.560817003 CET	54810	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:31.560853958 CET	54810	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:31.560853958 CET	54810	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:31.560854912 CET	54810	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:31.570405006 CET	54812	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:31.575860023 CET	59962	54812	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:31.575917006 CET	54812	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:31.576400042 CET	54812	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:31.582285881 CET	59962	54812	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:31.582355976 CET	54812	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:31.588619947 CET	59962	54812	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:32.510178089 CET	59962	54812	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:32.510341883 CET	54812	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:32.510468960 CET	54812	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:32.521461964 CET	54814	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:32.527395964 CET	59962	54814	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:32.527508020 CET	54814	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:32.528130054 CET	54814	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:32.533795118 CET	59962	54814	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:32.533879042 CET	54814	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:32.539916039 CET	59962	54814	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:33.406833887 CET	59962	54814	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:33.407072067 CET	54814	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:33.407100916 CET	54814	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:33.417510033 CET	54816	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:33.423363924 CET	59962	54816	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:33.423497915 CET	54816	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:33.424174070 CET	54816	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:33.429606915 CET	59962	54816	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:33.429714918 CET	54816	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:33.435101032 CET	59962	54816	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:34.289659977 CET	59962	54816	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:34.289855957 CET	59962	54816	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:34.289936066 CET	54816	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:34.289936066 CET	54816	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:34.290020943 CET	54816	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:34.299987078 CET	54818	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:34.305423021 CET	59962	54818	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:34.305541992 CET	54818	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:34.306534052 CET	54818	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:34.312422991 CET	59962	54818	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:34.312489033 CET	54818	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:34.318043947 CET	59962	54818	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:35.247839928 CET	59962	54818	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:35.247854948 CET	59962	54818	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:35.247879028 CET	59962	54818	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:35.248053074 CET	54818	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:35.248099089 CET	54818	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:35.248099089 CET	54818	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:35.248184919 CET	54818	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:35.257735014 CET	54820	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:35.263159990 CET	59962	54820	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:35.263278008 CET	54820	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:35.264113903 CET	54820	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:35.269527912 CET	59962	54820	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:35.269618034 CET	54820	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:35.275011063 CET	59962	54820	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:36.138708115 CET	59962	54820	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:36.138935089 CET	54820	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:36.139020920 CET	54820	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:36.202075958 CET	54822	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:36.207623005 CET	59962	54822	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:36.207756996 CET	54822	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:36.209088087 CET	54822	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:36.214495897 CET	59962	54822	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:36.214581013 CET	54822	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:36.220546007 CET	59962	54822	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:37.107027054 CET	59962	54822	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:37.107405901 CET	54822	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:37.107505083 CET	54822	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:37.147306919 CET	54824	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:37.153311968 CET	59962	54824	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:37.153405905 CET	54824	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:37.154572964 CET	54824	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:37.160775900 CET	59962	54824	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:37.160851955 CET	54824	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:37.166528940 CET	59962	54824	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:38.035844088 CET	59962	54824	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:38.035972118 CET	59962	54824	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:38.036024094 CET	54824	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:38.036084890 CET	54824	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:38.036084890 CET	54824	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:38.045553923 CET	54826	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:38.050908089 CET	59962	54826	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:38.050975084 CET	54826	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:38.051677942 CET	54826	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:38.057018995 CET	59962	54826	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:38.057085991 CET	54826	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:38.062743902 CET	59962	54826	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:38.914911032 CET	59962	54826	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:38.915110111 CET	54826	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:38.915131092 CET	59962	54826	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:38.915174007 CET	54826	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:38.915256977 CET	54826	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:38.925916910 CET	54828	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:38.931269884 CET	59962	54828	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:38.931441069 CET	54828	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:38.932107925 CET	54828	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:38.937550068 CET	59962	54828	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:38.937644958 CET	54828	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:38.943263054 CET	59962	54828	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:48.941031933 CET	54828	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:28:48.946774960 CET	59962	54828	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:49.249403954 CET	59962	54828	154.216.20.164	192.168.2.14
Oct 29, 2024 17:28:49.249562979 CET	54828	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:29:00.168284893 CET	46540	443	192.168.2.14	185.125.190.26
Oct 29, 2024 17:29:49.300436020 CET	54828	59962	192.168.2.14	154.216.20.164
Oct 29, 2024 17:29:49.306524038 CET	59962	54828	154.216.20.164	192.168.2.14
Oct 29, 2024 17:29:49.564480066 CET	59962	54828	154.216.20.164	192.168.2.14
Oct 29, 2024 17:29:49.564672947 CET	54828	59962	192.168.2.14	154.216.20.164

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 17:28:18.799911976 CET	60782	53	192.168.2.14	8.8.8.8
Oct 29, 2024 17:28:18.808861017 CET	53	60782	8.8.8.8	192.168.2.14
Oct 29, 2024 17:28:19.699105024 CET	59261	53	192.168.2.14	8.8.8.8
Oct 29, 2024 17:28:19.761317015 CET	53	59261	8.8.8.8	192.168.2.14
Oct 29, 2024 17:28:20.638957024 CET	34072	53	192.168.2.14	8.8.8.8
Oct 29, 2024 17:28:20.705172062 CET	53	34072	8.8.8.8	192.168.2.14
Oct 29, 2024 17:28:21.597441912 CET	41638	53	192.168.2.14	8.8.8.8
Oct 29, 2024 17:28:21.606856108 CET	53	41638	8.8.8.8	192.168.2.14
Oct 29, 2024 17:28:22.494370937 CET	53322	53	192.168.2.14	8.8.8.8
Oct 29, 2024 17:28:22.502017975 CET	53	53322	8.8.8.8	192.168.2.14
Oct 29, 2024 17:28:23.369204044 CET	39871	53	192.168.2.14	8.8.8.8
Oct 29, 2024 17:28:23.377727032 CET	53	39871	8.8.8.8	192.168.2.14
Oct 29, 2024 17:28:24.260304928 CET	57736	53	192.168.2.14	8.8.8.8
Oct 29, 2024 17:28:24.270010948 CET	53	57736	8.8.8.8	192.168.2.14
Oct 29, 2024 17:28:25.251064062 CET	50335	53	192.168.2.14	8.8.8.8
Oct 29, 2024 17:28:25.259705067 CET	53	50335	8.8.8.8	192.168.2.14
Oct 29, 2024 17:28:26.152923107 CET	45563	53	192.168.2.14	8.8.8.8
Oct 29, 2024 17:28:26.160413027 CET	53	45563	8.8.8.8	192.168.2.14
Oct 29, 2024 17:28:27.046096087 CET	39427	53	192.168.2.14	8.8.8.8
Oct 29, 2024 17:28:27.053471088 CET	53	39427	8.8.8.8	192.168.2.14
Oct 29, 2024 17:28:27.937407017 CET	51764	53	192.168.2.14	8.8.8.8
Oct 29, 2024 17:28:27.945363998 CET	53	51764	8.8.8.8	192.168.2.14
Oct 29, 2024 17:28:28.828593969 CET	57811	53	192.168.2.14	8.8.8.8
Oct 29, 2024 17:28:28.836597919 CET	53	57811	8.8.8.8	192.168.2.14
Oct 29, 2024 17:28:29.790643930 CET	34968	53	192.168.2.14	8.8.8.8
Oct 29, 2024 17:28:29.798654079 CET	53	34968	8.8.8.8	192.168.2.14
Oct 29, 2024 17:28:30.674640894 CET	44499	53	192.168.2.14	8.8.8.8
Oct 29, 2024 17:28:30.682296991 CET	53	44499	8.8.8.8	192.168.2.14
Oct 29, 2024 17:28:31.561579943 CET	36673	53	192.168.2.14	8.8.8.8
Oct 29, 2024 17:28:31.570061922 CET	53	36673	8.8.8.8	192.168.2.14
Oct 29, 2024 17:28:32.511645079 CET	60070	53	192.168.2.14	8.8.8.8
Oct 29, 2024 17:28:32.520726919 CET	53	60070	8.8.8.8	192.168.2.14
Oct 29, 2024 17:28:33.407999992 CET	35829	53	192.168.2.14	8.8.8.8
Oct 29, 2024 17:28:33.416810036 CET	53	35829	8.8.8.8	192.168.2.14
Oct 29, 2024 17:28:34.291380882 CET	35840	53	192.168.2.14	8.8.8.8
Oct 29, 2024 17:28:34.299446106 CET	53	35840	8.8.8.8	192.168.2.14
Oct 29, 2024 17:28:35.249511957 CET	45309	53	192.168.2.14	8.8.8.8
Oct 29, 2024 17:28:35.257191896 CET	53	45309	8.8.8.8	192.168.2.14
Oct 29, 2024 17:28:36.140469074 CET	50719	53	192.168.2.14	8.8.8.8
Oct 29, 2024 17:28:36.200712919 CET	53	50719	8.8.8.8	192.168.2.14
Oct 29, 2024 17:28:37.112157106 CET	54671	53	192.168.2.14	8.8.8.8
Oct 29, 2024 17:28:37.146044970 CET	53	54671	8.8.8.8	192.168.2.14
Oct 29, 2024 17:28:38.037092924 CET	58570	53	192.168.2.14	8.8.8.8
Oct 29, 2024 17:28:38.045118093 CET	53	58570	8.8.8.8	192.168.2.14
Oct 29, 2024 17:28:38.916825056 CET	44757	53	192.168.2.14	8.8.8.8
Oct 29, 2024 17:28:38.925324917 CET	53	44757	8.8.8.8	192.168.2.14

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 29, 2024 17:28:18.799911976 CET	192.168.2.14	8.8.8.8	0xd9b4	Standard query (0)	cnc.dico-inside.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:19.699105024 CET	192.168.2.14	8.8.8.8	0xea53	Standard query (0)	cnc.dico-inside.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:20.638957024 CET	192.168.2.14	8.8.8.8	0x193b	Standard query (0)	cnc.dico-inside.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:21.597441912 CET	192.168.2.14	8.8.8.8	0xae02	Standard query (0)	cnc.dico-inside.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:22.494370937 CET	192.168.2.14	8.8.8.8	0x5659	Standard query (0)	cnc.dico-inside.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:23.369204044 CET	192.168.2.14	8.8.8.8	0xf7c	Standard query (0)	cnc.dico-inside.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:24.260304928 CET	192.168.2.14	8.8.8.8	0xce37	Standard query (0)	cnc.dico-inside.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:25.251064062 CET	192.168.2.14	8.8.8.8	0x61a1	Standard query (0)	cnc.dico-inside.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:26.152923107 CET	192.168.2.14	8.8.8.8	0xd6ed	Standard query (0)	cnc.dico-inside.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:27.046096087 CET	192.168.2.14	8.8.8.8	0xd6ab	Standard query (0)	cnc.dico-inside.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:27.937407017 CET	192.168.2.14	8.8.8.8	0x6c8f	Standard query (0)	cnc.dico-inside.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:28.828593969 CET	192.168.2.14	8.8.8.8	0x9d42	Standard query (0)	cnc.dico-inside.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:29.790643930 CET	192.168.2.14	8.8.8.8	0x9309	Standard query (0)	cnc.dico-inside.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:30.674640894 CET	192.168.2.14	8.8.8.8	0x7551	Standard query (0)	cnc.dico-inside.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:31.561579943 CET	192.168.2.14	8.8.8.8	0x5031	Standard query (0)	cnc.dico-inside.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:32.511645079 CET	192.168.2.14	8.8.8.8	0x9a74	Standard query (0)	cnc.dico-inside.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:33.407999992 CET	192.168.2.14	8.8.8.8	0x4ed	Standard query (0)	cnc.dico-inside.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:34.291380882 CET	192.168.2.14	8.8.8.8	0xff0e	Standard query (0)	cnc.dico-inside.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:35.249511957 CET	192.168.2.14	8.8.8.8	0x6266	Standard query (0)	cnc.dico-inside.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:36.140469074 CET	192.168.2.14	8.8.8.8	0x3149	Standard query (0)	cnc.dico-inside.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:37.112157106 CET	192.168.2.14	8.8.8.8	0x318f	Standard query (0)	cnc.dico-inside.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:38.037092924 CET	192.168.2.14	8.8.8.8	0x5d30	Standard query (0)	cnc.dico-inside.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:38.916825056 CET	192.168.2.14	8.8.8.8	0xbcc9	Standard query (0)	cnc.dico-inside.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 29, 2024 17:28:18.808861017 CET	8.8.8.8	192.168.2.14	0xd9b4	No error (0)	cnc.dico-inside.com	154.216.20.164	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:19.761317015 CET	8.8.8.8	192.168.2.14	0xea53	No error (0)	cnc.dico-inside.com	154.216.20.164	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:20.705172062 CET	8.8.8.8	192.168.2.14	0x193b	No error (0)	cnc.dico-inside.com	154.216.20.164	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:21.606856108 CET	8.8.8.8	192.168.2.14	0xae02	No error (0)	cnc.dico-inside.com	154.216.20.164	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:22.502017975 CET	8.8.8.8	192.168.2.14	0x5659	No error (0)	cnc.dico-inside.com	154.216.20.164	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:23.377727032 CET	8.8.8.8	192.168.2.14	0xf7c	No error (0)	cnc.dico-inside.com	154.216.20.164	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:24.270010948 CET	8.8.8.8	192.168.2.14	0xce37	No error (0)	cnc.dico-inside.com	154.216.20.164	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:25.259705067 CET	8.8.8.8	192.168.2.14	0x61a1	No error (0)	cnc.dico-inside.com	154.216.20.164	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:26.160413027 CET	8.8.8.8	192.168.2.14	0xd6ed	No error (0)	cnc.dico-inside.com	154.216.20.164	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:27.053471088 CET	8.8.8.8	192.168.2.14	0xd6ab	No error (0)	cnc.dico-inside.com	154.216.20.164	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:27.945363998 CET	8.8.8.8	192.168.2.14	0x6c8f	No error (0)	cnc.dico-inside.com	154.216.20.164	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:28.836597919 CET	8.8.8.8	192.168.2.14	0x9d42	No error (0)	cnc.dico-inside.com	154.216.20.164	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:29.798654079 CET	8.8.8.8	192.168.2.14	0x9309	No error (0)	cnc.dico-inside.com	154.216.20.164	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:30.682296991 CET	8.8.8.8	192.168.2.14	0x7551	No error (0)	cnc.dico-inside.com	154.216.20.164	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:31.570061922 CET	8.8.8.8	192.168.2.14	0x5031	No error (0)	cnc.dico-inside.com	154.216.20.164	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:32.520726919 CET	8.8.8.8	192.168.2.14	0x9a74	No error (0)	cnc.dico-inside.com	154.216.20.164	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:33.416810036 CET	8.8.8.8	192.168.2.14	0x4ed	No error (0)	cnc.dico-inside.com	154.216.20.164	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:34.299446106 CET	8.8.8.8	192.168.2.14	0xff0e	No error (0)	cnc.dico-inside.com	154.216.20.164	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:35.257191896 CET	8.8.8.8	192.168.2.14	0x6266	No error (0)	cnc.dico-inside.com	154.216.20.164	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:36.200712919 CET	8.8.8.8	192.168.2.14	0x3149	No error (0)	cnc.dico-inside.com	154.216.20.164	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:37.146044970 CET	8.8.8.8	192.168.2.14	0x318f	No error (0)	cnc.dico-inside.com	154.216.20.164	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:38.045118093 CET	8.8.8.8	192.168.2.14	0x5d30	No error (0)	cnc.dico-inside.com	154.216.20.164	A (IP address)	IN (0x0001)	false
Oct 29, 2024 17:28:38.925324917 CET	8.8.8.8	192.168.2.14	0xbcc9	No error (0)	cnc.dico-inside.com	154.216.20.164	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: zmap.arm.elf PID: 5513, Parent PID: 5429

General

Start time (UTC):	16:28:18
Start date (UTC):	29/10/2024
Path:	/tmp/zmap.arm.elf
Arguments:	/tmp/zmap.arm.elf
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: zmap.arm.elf PID: 5515, Parent PID: 5513

General

Start time (UTC):	16:28:18
Start date (UTC):	29/10/2024
Path:	/tmp/zmap.arm.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: zmap.arm.elf PID: 5517, Parent PID: 5515

General

Start time (UTC):	16:28:18
Start date (UTC):	29/10/2024
Path:	/tmp/zmap.arm.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report zmap.arm.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: zmap.arm.elf PID: 5513, Parent PID: 5429

General

Chronological Activities

Analysis Process: zmap.arm.elf PID: 5515, Parent PID: 5513

General

Chronological Activities

Analysis Process: zmap.arm.elf PID: 5517, Parent PID: 5515

General

Chronological Activities

Linux Analysis Report
zmap.arm.elf