Edit tour

Linux Analysis Report
vhsr56PI3r.elf

Overview

General Information

Sample name:	vhsr56PI3r.elf renamed because original name is a hash value
Original sample name:	5853a3bcb813748bca8a06b91e3eff11.elf
Analysis ID:	1545506
MD5:	5853a3bcb813748bca8a06b91e3eff11
SHA1:	b15d7d903673035eb54e0bef2e683bdf9b80c20c
SHA256:	16199bda061a5575d9f226981569c9a92b7562babc1e829631e50cbc2eb8cfcf
Tags:	32elfmiraipowerpc
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample is packed with UPX

ELF contains segments with high entropy indicating compressed/encrypted content

Enumerates processes within the "proc" file system

Sample contains only a LOAD segment without any section mappings

Sample listens on a socket

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545506
Start date and time:	2024-10-30 16:20:53 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	vhsr56PI3r.elf renamed because original name is a hash value
Original Sample Name:	5853a3bcb813748bca8a06b91e3eff11.elf
Detection:	MAL
Classification:	mal68.evad.linELF@0/0@0/0

Warnings

VT rate limit hit for: vhsr56PI3r.elf

Runtime Messages

Command:	/tmp/vhsr56PI3r.elf
PID:	6212
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	unstable_is_the_history_of_universe
Standard Error:

Process Tree

system is lnxubuntu20

vhsr56PI3r.elf (PID: 6212, Parent: 6131, MD5: ae65271c943d3451b7f026d1fadccea6) Arguments: /tmp/vhsr56PI3r.elf

vhsr56PI3r.elf New Fork (PID: 6214, Parent: 6212)

vhsr56PI3r.elf New Fork (PID: 6216, Parent: 6214)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
6212.1.00007efe30005000.00007efe3000b000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x5ae0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5af4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5b08:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5b1c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5b30:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5b44:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5b58:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5b6c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5b80:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5b94:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5ba8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5bbc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5bd0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5be4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5bf8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5c0c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5c20:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5c34:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5c48:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5c5c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5c70:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: vhsr56PI3r.elf PID: 6212	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x3a89:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3a9d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3ab1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3ac5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3ad9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3aed:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3b01:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3b15:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3b29:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3b3d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3b51:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3b65:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3b79:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3b8d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3ba1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3bb5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3bc9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3bdd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3bf1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3c05:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3c19:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: vhsr56PI3r.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: vhsr56PI3r.elf

ReversingLabs: Detection: 39%

Source: /tmp/vhsr56PI3r.elf (PID: 6212)

Socket: 127.0.0.1:46157

Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.184.17

Source: vhsr56PI3r.elf

String found in binary or memory: http://upx.sf.net

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 6212.1.00007efe30005000.00007efe3000b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: vhsr56PI3r.elf PID: 6212, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: LOAD without section mappings

Program segment: 0x100000

Source: 6212.1.00007efe30005000.00007efe3000b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: vhsr56PI3r.elf PID: 6212, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal68.evad.linELF@0/0@0/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/6232/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/6231/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/6234/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/6233/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/6236/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/6235/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/1582/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/3088/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/230/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/110/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/231/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/232/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/1579/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/112/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/233/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/1699/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/113/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/234/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/1335/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/1698/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/114/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/1334/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/1576/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/2302/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/115/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/236/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/116/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/237/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/117/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/118/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/910/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/119/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/912/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/10/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/2307/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/11/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/918/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/6241/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/12/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/6240/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/13/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/6243/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/14/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/6242/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/15/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/6245/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/16/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/6244/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/17/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/6247/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/18/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/6246/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/1594/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/120/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/121/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/1349/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/1/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/122/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/243/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/123/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/2/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/124/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/3/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/4/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/125/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/126/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/1344/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/1465/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/1586/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/127/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/6/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/248/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/128/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/249/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/1463/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/800/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/6238/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/9/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/801/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/6237/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/6239/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/20/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/21/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/1900/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/22/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/23/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/6251/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/24/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/25/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/26/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/27/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/28/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/29/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/491/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/250/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/130/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/251/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/6250/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/252/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/132/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/253/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/254/cmdline	Jump to behavior
Source: /tmp/vhsr56PI3r.elf (PID: 6216)	File opened: /proc/255/cmdline	Jump to behavior

Source: vhsr56PI3r.elf

Submission file: segment LOAD with 7.8998 entropy (max. 8.0)

Source: /tmp/vhsr56PI3r.elf (PID: 6212)

Queries kernel information via 'uname':

Jump to behavior

Source: vhsr56PI3r.elf, 6212.1.00007ffcbe9f0000.00007ffcbea11000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-ppc/tmp/vhsr56PI3r.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/vhsr56PI3r.elf
Source: vhsr56PI3r.elf, 6212.1.000055c5bcebf000.000055c5bcf6f000.rw-.sdmp	Binary or memory string: !/etc/qemu-binfmt/ppc11!hotpluggableq
Source: vhsr56PI3r.elf, 6212.1.000055c5bcebf000.000055c5bcf6f000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/ppc
Source: vhsr56PI3r.elf, 6212.1.00007ffcbe9f0000.00007ffcbea11000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-ppc

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	11 Obfuscated Files or Information	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
vhsr56PI3r.elf	39%	ReversingLabs	Linux.Trojan.Mirai
vhsr56PI3r.elf	100%	Avira	EXP/ELF.Agent.F.118

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	vhsr56PI3r.elf	true	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
217.32.184.17	unknown	United Kingdom	6871	PLUSNETUKInternetServiceProviderGB	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
217.32.184.17	TXVo7pIaEB.elf	Get hash	malicious	Unknown	Browse
	CaKRRsqLWL.elf	Get hash	malicious	Unknown	Browse
	7GxZ3z6CMA.elf	Get hash	malicious	Unknown	Browse
	sora.arm.elf	Get hash	malicious	Unknown	Browse
	sora.mips.elf	Get hash	malicious	Unknown	Browse
	sora.mpsl.elf	Get hash	malicious	Unknown	Browse
	sora.x86.elf	Get hash	malicious	Unknown	Browse
	sh4.elf	Get hash	malicious	Unknown	Browse
	debug.dbg.elf	Get hash	malicious	Mirai	Browse
	na.elf	Get hash	malicious	Mirai	Browse
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43	7GxZ3z6CMA.elf	Get hash	malicious	Unknown	Browse
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse
	sora.arm.elf	Get hash	malicious	Unknown	Browse
	sora.mips.elf	Get hash	malicious	Unknown	Browse
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse
	.main.elf	Get hash	malicious	Xmrig	Browse
	Mozi.m.elf	Get hash	malicious	Unknown	Browse
91.189.91.42	7GxZ3z6CMA.elf	Get hash	malicious	Unknown	Browse
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse
	sora.arm.elf	Get hash	malicious	Unknown	Browse
	sora.mips.elf	Get hash	malicious	Unknown	Browse
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse
	.main.elf	Get hash	malicious	Xmrig	Browse
	Mozi.m.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	7GxZ3z6CMA.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	sora.arm.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	sora.mips.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	sora.x86.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	.main.elf	Get hash	malicious	Xmrig	Browse	91.189.91.42
CANONICAL-ASGB	7GxZ3z6CMA.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	sora.arm.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	sora.mips.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	sora.x86.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	.main.elf	Get hash	malicious	Xmrig	Browse	91.189.91.42
PLUSNETUKInternetServiceProviderGB	TXVo7pIaEB.elf	Get hash	malicious	Unknown	Browse	217.32.184.17
	CaKRRsqLWL.elf	Get hash	malicious	Unknown	Browse	217.32.184.17
	7GxZ3z6CMA.elf	Get hash	malicious	Unknown	Browse	217.32.184.17
	sora.arm.elf	Get hash	malicious	Unknown	Browse	217.32.184.17
	sora.mips.elf	Get hash	malicious	Unknown	Browse	217.32.184.17
	sora.mpsl.elf	Get hash	malicious	Unknown	Browse	217.32.184.17
	sora.x86.elf	Get hash	malicious	Unknown	Browse	217.32.184.17
	jew.mpsl.elf	Get hash	malicious	Mirai	Browse	143.159.228.252
	arm5.elf	Get hash	malicious	Unknown	Browse	84.93.57.1
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	80.189.244.34
INIT7CH	7GxZ3z6CMA.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	sora.arm.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	sora.mips.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	.main.elf	Get hash	malicious	Xmrig	Browse	109.202.202.202
	Mozi.m.elf	Get hash	malicious	Unknown	Browse	109.202.202.202

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (GNU/Linux), statically linked, no section header
Entropy (8bit):	7.894767593888515
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	vhsr56PI3r.elf
File size:	20'296 bytes
MD5:	5853a3bcb813748bca8a06b91e3eff11
SHA1:	b15d7d903673035eb54e0bef2e683bdf9b80c20c
SHA256:	16199bda061a5575d9f226981569c9a92b7562babc1e829631e50cbc2eb8cfcf
SHA512:	5ec8e61774628405bfcf35c715504b2820e7d178cf651083625b942d8ab46a6bd3aedbe5789ee9761f13f07ee92b1669b8c1aafc5bdaafa74e6995ae49d1e6ab
SSDEEP:	384:d+pkcc9eLCpDiqFwmE4VuTDkVG0WkfQfXXS3WpfM4uVcqgw05VxJ6BT:Mpvc9aFc3VmDDrSQfXXS3Wp04uVcqgwP
TLSH:	2F92CF72E4175E97DF7B9EF85EC9D99093E90E8C3BA38C816061AF051143634BA81ED8
File Content Preview:	.ELF......................<h...4.........4. ...(......................NP..NP...............\...\...\................dt.Q................................UPX!.......................T.......?.E.h4...@b.............=I.......1......T..}.,_......+.8.\.....n~).=

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	PowerPC
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - Linux
ABI Version:	0
Entry Point Address:	0x103c68
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0x100000	0x100000	0x4e50	0x4e50	7.8998	0x5	R E	0x10000
LOAD	0xaa5c	0x1001aa5c	0x1001aa5c	0x0	0x0	0.0000	0x6	RW	0x10000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 30, 2024 16:21:31.692888975 CET	52030	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:21:31.698743105 CET	23	52030	217.32.184.17	192.168.2.23
Oct 30, 2024 16:21:31.698800087 CET	52030	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:21:31.700880051 CET	52030	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:21:31.706288099 CET	23	52030	217.32.184.17	192.168.2.23
Oct 30, 2024 16:21:31.706329107 CET	52030	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:21:31.711782932 CET	23	52030	217.32.184.17	192.168.2.23
Oct 30, 2024 16:21:32.219392061 CET	43928	443	192.168.2.23	91.189.91.42
Oct 30, 2024 16:21:37.850805998 CET	42836	443	192.168.2.23	91.189.91.43
Oct 30, 2024 16:21:39.130517006 CET	42516	80	192.168.2.23	109.202.202.202
Oct 30, 2024 16:21:40.188666105 CET	23	52030	217.32.184.17	192.168.2.23
Oct 30, 2024 16:21:40.189085960 CET	52030	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:21:40.196424007 CET	23	52030	217.32.184.17	192.168.2.23
Oct 30, 2024 16:21:41.230870962 CET	52032	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:21:41.236238956 CET	23	52032	217.32.184.17	192.168.2.23
Oct 30, 2024 16:21:41.236296892 CET	52032	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:21:41.237020016 CET	52032	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:21:41.242259026 CET	23	52032	217.32.184.17	192.168.2.23
Oct 30, 2024 16:21:41.242302895 CET	52032	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:21:41.247575998 CET	23	52032	217.32.184.17	192.168.2.23
Oct 30, 2024 16:21:49.721549034 CET	23	52032	217.32.184.17	192.168.2.23
Oct 30, 2024 16:21:49.721940041 CET	52032	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:21:49.727371931 CET	23	52032	217.32.184.17	192.168.2.23
Oct 30, 2024 16:21:50.767621040 CET	52034	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:21:50.774023056 CET	23	52034	217.32.184.17	192.168.2.23
Oct 30, 2024 16:21:50.774084091 CET	52034	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:21:50.774775028 CET	52034	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:21:50.782016039 CET	23	52034	217.32.184.17	192.168.2.23
Oct 30, 2024 16:21:50.782067060 CET	52034	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:21:50.788064003 CET	23	52034	217.32.184.17	192.168.2.23
Oct 30, 2024 16:21:52.184779882 CET	43928	443	192.168.2.23	91.189.91.42
Oct 30, 2024 16:21:59.257381916 CET	23	52034	217.32.184.17	192.168.2.23
Oct 30, 2024 16:21:59.257714033 CET	52034	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:21:59.263276100 CET	23	52034	217.32.184.17	192.168.2.23
Oct 30, 2024 16:22:00.408312082 CET	52036	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:22:00.413872957 CET	23	52036	217.32.184.17	192.168.2.23
Oct 30, 2024 16:22:00.413984060 CET	52036	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:22:00.414658070 CET	52036	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:22:00.419954062 CET	23	52036	217.32.184.17	192.168.2.23
Oct 30, 2024 16:22:00.420109987 CET	52036	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:22:00.425463915 CET	23	52036	217.32.184.17	192.168.2.23
Oct 30, 2024 16:22:04.471054077 CET	42836	443	192.168.2.23	91.189.91.43
Oct 30, 2024 16:22:08.566765070 CET	42516	80	192.168.2.23	109.202.202.202
Oct 30, 2024 16:22:08.895020962 CET	23	52036	217.32.184.17	192.168.2.23
Oct 30, 2024 16:22:08.895474911 CET	52036	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:22:08.901097059 CET	23	52036	217.32.184.17	192.168.2.23
Oct 30, 2024 16:22:09.942529917 CET	52038	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:22:09.947993040 CET	23	52038	217.32.184.17	192.168.2.23
Oct 30, 2024 16:22:09.948177099 CET	52038	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:22:09.949166059 CET	52038	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:22:09.954504013 CET	23	52038	217.32.184.17	192.168.2.23
Oct 30, 2024 16:22:09.954571962 CET	52038	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:22:09.960633993 CET	23	52038	217.32.184.17	192.168.2.23
Oct 30, 2024 16:22:18.433109045 CET	23	52038	217.32.184.17	192.168.2.23
Oct 30, 2024 16:22:18.433479071 CET	52038	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:22:18.438911915 CET	23	52038	217.32.184.17	192.168.2.23
Oct 30, 2024 16:22:19.475086927 CET	52040	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:22:19.480556011 CET	23	52040	217.32.184.17	192.168.2.23
Oct 30, 2024 16:22:19.480674982 CET	52040	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:22:19.481287003 CET	52040	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:22:19.486759901 CET	23	52040	217.32.184.17	192.168.2.23
Oct 30, 2024 16:22:19.486829042 CET	52040	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:22:19.492172956 CET	23	52040	217.32.184.17	192.168.2.23
Oct 30, 2024 16:22:27.972873926 CET	23	52040	217.32.184.17	192.168.2.23
Oct 30, 2024 16:22:27.973141909 CET	52040	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:22:27.978645086 CET	23	52040	217.32.184.17	192.168.2.23
Oct 30, 2024 16:22:29.015626907 CET	52042	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:22:29.021064043 CET	23	52042	217.32.184.17	192.168.2.23
Oct 30, 2024 16:22:29.021150112 CET	52042	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:22:29.021794081 CET	52042	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:22:29.027098894 CET	23	52042	217.32.184.17	192.168.2.23
Oct 30, 2024 16:22:29.027188063 CET	52042	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:22:29.032550097 CET	23	52042	217.32.184.17	192.168.2.23
Oct 30, 2024 16:22:33.139127970 CET	43928	443	192.168.2.23	91.189.91.42
Oct 30, 2024 16:22:37.489888906 CET	23	52042	217.32.184.17	192.168.2.23
Oct 30, 2024 16:22:37.490215063 CET	52042	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:22:37.495733023 CET	23	52042	217.32.184.17	192.168.2.23
Oct 30, 2024 16:22:38.534632921 CET	52044	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:22:38.540080070 CET	23	52044	217.32.184.17	192.168.2.23
Oct 30, 2024 16:22:38.540141106 CET	52044	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:22:38.540968895 CET	52044	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:22:38.546698093 CET	23	52044	217.32.184.17	192.168.2.23
Oct 30, 2024 16:22:38.546758890 CET	52044	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:22:38.552280903 CET	23	52044	217.32.184.17	192.168.2.23
Oct 30, 2024 16:22:47.017287970 CET	23	52044	217.32.184.17	192.168.2.23
Oct 30, 2024 16:22:47.017682076 CET	52044	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:22:47.023191929 CET	23	52044	217.32.184.17	192.168.2.23
Oct 30, 2024 16:22:48.057739019 CET	52046	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:22:48.063256025 CET	23	52046	217.32.184.17	192.168.2.23
Oct 30, 2024 16:22:48.063349009 CET	52046	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:22:48.063980103 CET	52046	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:22:48.069397926 CET	23	52046	217.32.184.17	192.168.2.23
Oct 30, 2024 16:22:48.069482088 CET	52046	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:22:48.074942112 CET	23	52046	217.32.184.17	192.168.2.23
Oct 30, 2024 16:22:56.548197985 CET	23	52046	217.32.184.17	192.168.2.23
Oct 30, 2024 16:22:56.548506021 CET	52046	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:22:56.554703951 CET	23	52046	217.32.184.17	192.168.2.23
Oct 30, 2024 16:22:57.590125084 CET	52048	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:22:57.595519066 CET	23	52048	217.32.184.17	192.168.2.23
Oct 30, 2024 16:22:57.595640898 CET	52048	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:22:57.596700907 CET	52048	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:22:57.602036953 CET	23	52048	217.32.184.17	192.168.2.23
Oct 30, 2024 16:22:57.602107048 CET	52048	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:22:57.607472897 CET	23	52048	217.32.184.17	192.168.2.23
Oct 30, 2024 16:23:06.081990957 CET	23	52048	217.32.184.17	192.168.2.23
Oct 30, 2024 16:23:06.082227945 CET	52048	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:23:06.088572979 CET	23	52048	217.32.184.17	192.168.2.23
Oct 30, 2024 16:23:07.124819994 CET	52050	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:23:07.130183935 CET	23	52050	217.32.184.17	192.168.2.23
Oct 30, 2024 16:23:07.130270004 CET	52050	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:23:07.130999088 CET	52050	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:23:07.136378050 CET	23	52050	217.32.184.17	192.168.2.23
Oct 30, 2024 16:23:07.136430979 CET	52050	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:23:07.141735077 CET	23	52050	217.32.184.17	192.168.2.23
Oct 30, 2024 16:23:15.613650084 CET	23	52050	217.32.184.17	192.168.2.23
Oct 30, 2024 16:23:15.613851070 CET	52050	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:23:15.619324923 CET	23	52050	217.32.184.17	192.168.2.23
Oct 30, 2024 16:23:16.657960892 CET	52052	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:23:16.663959026 CET	23	52052	217.32.184.17	192.168.2.23
Oct 30, 2024 16:23:16.664087057 CET	52052	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:23:16.665597916 CET	52052	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:23:16.671006918 CET	23	52052	217.32.184.17	192.168.2.23
Oct 30, 2024 16:23:16.671087027 CET	52052	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:23:16.676500082 CET	23	52052	217.32.184.17	192.168.2.23
Oct 30, 2024 16:23:25.147727966 CET	23	52052	217.32.184.17	192.168.2.23
Oct 30, 2024 16:23:25.147902966 CET	52052	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:23:25.153640985 CET	23	52052	217.32.184.17	192.168.2.23
Oct 30, 2024 16:23:26.193013906 CET	52054	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:23:26.198838949 CET	23	52054	217.32.184.17	192.168.2.23
Oct 30, 2024 16:23:26.198970079 CET	52054	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:23:26.200243950 CET	52054	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:23:26.205950022 CET	23	52054	217.32.184.17	192.168.2.23
Oct 30, 2024 16:23:26.206008911 CET	52054	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:23:26.211410999 CET	23	52054	217.32.184.17	192.168.2.23
Oct 30, 2024 16:23:34.683727026 CET	23	52054	217.32.184.17	192.168.2.23
Oct 30, 2024 16:23:34.684012890 CET	52054	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:23:34.689441919 CET	23	52054	217.32.184.17	192.168.2.23
Oct 30, 2024 16:23:35.730521917 CET	52056	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:23:35.736834049 CET	23	52056	217.32.184.17	192.168.2.23
Oct 30, 2024 16:23:35.736901999 CET	52056	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:23:35.737514019 CET	52056	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:23:35.745265961 CET	23	52056	217.32.184.17	192.168.2.23
Oct 30, 2024 16:23:35.745326042 CET	52056	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:23:35.954324007 CET	52056	23	192.168.2.23	217.32.184.17
Oct 30, 2024 16:23:35.983309031 CET	23	52056	217.32.184.17	192.168.2.23
Oct 30, 2024 16:23:35.983345985 CET	23	52056	217.32.184.17	192.168.2.23

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 30, 2024 16:21:31.601630926 CET	56408	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:21:31.608814955 CET	53	56408	8.8.8.8	192.168.2.23
Oct 30, 2024 16:21:31.622577906 CET	39900	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:21:31.630218029 CET	53	39900	8.8.8.8	192.168.2.23
Oct 30, 2024 16:21:31.646279097 CET	51859	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:21:31.653383970 CET	53	51859	8.8.8.8	192.168.2.23
Oct 30, 2024 16:21:31.655361891 CET	46585	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:21:31.662230015 CET	53	46585	8.8.8.8	192.168.2.23
Oct 30, 2024 16:21:31.675035000 CET	58141	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:21:31.682239056 CET	53	58141	8.8.8.8	192.168.2.23
Oct 30, 2024 16:21:41.191107035 CET	51991	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:21:41.198045015 CET	53	51991	8.8.8.8	192.168.2.23
Oct 30, 2024 16:21:41.198856115 CET	35335	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:21:41.205888033 CET	53	35335	8.8.8.8	192.168.2.23
Oct 30, 2024 16:21:41.206680059 CET	58309	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:21:41.214335918 CET	53	58309	8.8.8.8	192.168.2.23
Oct 30, 2024 16:21:41.215241909 CET	46324	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:21:41.222682953 CET	53	46324	8.8.8.8	192.168.2.23
Oct 30, 2024 16:21:41.223599911 CET	48967	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:21:41.230498075 CET	53	48967	8.8.8.8	192.168.2.23
Oct 30, 2024 16:21:50.724518061 CET	60018	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:21:50.732115030 CET	53	60018	8.8.8.8	192.168.2.23
Oct 30, 2024 16:21:50.733203888 CET	36838	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:21:50.741580963 CET	53	36838	8.8.8.8	192.168.2.23
Oct 30, 2024 16:21:50.742547035 CET	52617	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:21:50.750623941 CET	53	52617	8.8.8.8	192.168.2.23
Oct 30, 2024 16:21:50.751503944 CET	56422	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:21:50.758830070 CET	53	56422	8.8.8.8	192.168.2.23
Oct 30, 2024 16:21:50.759622097 CET	41641	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:21:50.767219067 CET	53	41641	8.8.8.8	192.168.2.23
Oct 30, 2024 16:22:00.259654999 CET	41851	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:22:00.376141071 CET	53	41851	8.8.8.8	192.168.2.23
Oct 30, 2024 16:22:00.377341032 CET	49716	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:22:00.385050058 CET	53	49716	8.8.8.8	192.168.2.23
Oct 30, 2024 16:22:00.386045933 CET	44726	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:22:00.392735958 CET	53	44726	8.8.8.8	192.168.2.23
Oct 30, 2024 16:22:00.393538952 CET	42380	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:22:00.400212049 CET	53	42380	8.8.8.8	192.168.2.23
Oct 30, 2024 16:22:00.400980949 CET	57747	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:22:00.407918930 CET	53	57747	8.8.8.8	192.168.2.23
Oct 30, 2024 16:22:09.898133993 CET	34820	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:22:09.905396938 CET	53	34820	8.8.8.8	192.168.2.23
Oct 30, 2024 16:22:09.906776905 CET	49381	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:22:09.914839029 CET	53	49381	8.8.8.8	192.168.2.23
Oct 30, 2024 16:22:09.916009903 CET	60569	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:22:09.923979044 CET	53	60569	8.8.8.8	192.168.2.23
Oct 30, 2024 16:22:09.925093889 CET	35576	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:22:09.933309078 CET	53	35576	8.8.8.8	192.168.2.23
Oct 30, 2024 16:22:09.934500933 CET	54580	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:22:09.941879034 CET	53	54580	8.8.8.8	192.168.2.23
Oct 30, 2024 16:22:19.435373068 CET	45408	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:22:19.442362070 CET	53	45408	8.8.8.8	192.168.2.23
Oct 30, 2024 16:22:19.443068981 CET	44426	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:22:19.450432062 CET	53	44426	8.8.8.8	192.168.2.23
Oct 30, 2024 16:22:19.451106071 CET	58648	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:22:19.458175898 CET	53	58648	8.8.8.8	192.168.2.23
Oct 30, 2024 16:22:19.458838940 CET	54005	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:22:19.465919971 CET	53	54005	8.8.8.8	192.168.2.23
Oct 30, 2024 16:22:19.466562986 CET	46802	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:22:19.474704027 CET	53	46802	8.8.8.8	192.168.2.23
Oct 30, 2024 16:22:28.975029945 CET	40460	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:22:28.982084990 CET	53	40460	8.8.8.8	192.168.2.23
Oct 30, 2024 16:22:28.982932091 CET	38635	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:22:28.990413904 CET	53	38635	8.8.8.8	192.168.2.23
Oct 30, 2024 16:22:28.991192102 CET	56897	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:22:28.999206066 CET	53	56897	8.8.8.8	192.168.2.23
Oct 30, 2024 16:22:29.000010014 CET	48615	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:22:29.007570982 CET	53	48615	8.8.8.8	192.168.2.23
Oct 30, 2024 16:22:29.008284092 CET	38093	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:22:29.015225887 CET	53	38093	8.8.8.8	192.168.2.23
Oct 30, 2024 16:22:38.492350101 CET	48337	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:22:38.501086950 CET	53	48337	8.8.8.8	192.168.2.23
Oct 30, 2024 16:22:38.501924992 CET	42293	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:22:38.510072947 CET	53	42293	8.8.8.8	192.168.2.23
Oct 30, 2024 16:22:38.510740995 CET	34363	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:22:38.518110991 CET	53	34363	8.8.8.8	192.168.2.23
Oct 30, 2024 16:22:38.518713951 CET	57145	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:22:38.526408911 CET	53	57145	8.8.8.8	192.168.2.23
Oct 30, 2024 16:22:38.527102947 CET	50423	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:22:38.534141064 CET	53	50423	8.8.8.8	192.168.2.23
Oct 30, 2024 16:22:48.019476891 CET	32994	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:22:48.026753902 CET	53	32994	8.8.8.8	192.168.2.23
Oct 30, 2024 16:22:48.027489901 CET	34862	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:22:48.034239054 CET	53	34862	8.8.8.8	192.168.2.23
Oct 30, 2024 16:22:48.034889936 CET	33759	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:22:48.041908979 CET	53	33759	8.8.8.8	192.168.2.23
Oct 30, 2024 16:22:48.042607069 CET	59838	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:22:48.049696922 CET	53	59838	8.8.8.8	192.168.2.23
Oct 30, 2024 16:22:48.050395966 CET	52766	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:22:48.057320118 CET	53	52766	8.8.8.8	192.168.2.23
Oct 30, 2024 16:22:57.551023960 CET	57466	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:22:57.558233976 CET	53	57466	8.8.8.8	192.168.2.23
Oct 30, 2024 16:22:57.559367895 CET	59679	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:22:57.566469908 CET	53	59679	8.8.8.8	192.168.2.23
Oct 30, 2024 16:22:57.567167997 CET	51389	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:22:57.574096918 CET	53	51389	8.8.8.8	192.168.2.23
Oct 30, 2024 16:22:57.574726105 CET	35228	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:22:57.582097054 CET	53	35228	8.8.8.8	192.168.2.23
Oct 30, 2024 16:22:57.582921982 CET	40581	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:22:57.589734077 CET	53	40581	8.8.8.8	192.168.2.23
Oct 30, 2024 16:23:07.084248066 CET	37164	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:23:07.091480970 CET	53	37164	8.8.8.8	192.168.2.23
Oct 30, 2024 16:23:07.092398882 CET	52031	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:23:07.099858046 CET	53	52031	8.8.8.8	192.168.2.23
Oct 30, 2024 16:23:07.100656033 CET	60387	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:23:07.107964039 CET	53	60387	8.8.8.8	192.168.2.23
Oct 30, 2024 16:23:07.109081984 CET	43969	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:23:07.116219044 CET	53	43969	8.8.8.8	192.168.2.23
Oct 30, 2024 16:23:07.116983891 CET	45071	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:23:07.124420881 CET	53	45071	8.8.8.8	192.168.2.23
Oct 30, 2024 16:23:16.616031885 CET	49902	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:23:16.623163939 CET	53	49902	8.8.8.8	192.168.2.23
Oct 30, 2024 16:23:16.624021053 CET	57244	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:23:16.631994963 CET	53	57244	8.8.8.8	192.168.2.23
Oct 30, 2024 16:23:16.632792950 CET	40303	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:23:16.639869928 CET	53	40303	8.8.8.8	192.168.2.23
Oct 30, 2024 16:23:16.640871048 CET	37673	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:23:16.648363113 CET	53	37673	8.8.8.8	192.168.2.23
Oct 30, 2024 16:23:16.649224997 CET	38524	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:23:16.657246113 CET	53	38524	8.8.8.8	192.168.2.23
Oct 30, 2024 16:23:26.150671959 CET	59286	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:23:26.157771111 CET	53	59286	8.8.8.8	192.168.2.23
Oct 30, 2024 16:23:26.158807039 CET	42700	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:23:26.166498899 CET	53	42700	8.8.8.8	192.168.2.23
Oct 30, 2024 16:23:26.167356968 CET	50490	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:23:26.174660921 CET	53	50490	8.8.8.8	192.168.2.23
Oct 30, 2024 16:23:26.175441980 CET	37982	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:23:26.183775902 CET	53	37982	8.8.8.8	192.168.2.23
Oct 30, 2024 16:23:26.184890985 CET	39137	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:23:26.192445993 CET	53	39137	8.8.8.8	192.168.2.23
Oct 30, 2024 16:23:35.686752081 CET	38472	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:23:35.694880962 CET	53	38472	8.8.8.8	192.168.2.23
Oct 30, 2024 16:23:35.695703983 CET	59565	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:23:35.703185081 CET	53	59565	8.8.8.8	192.168.2.23
Oct 30, 2024 16:23:35.703882933 CET	52466	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:23:35.711896896 CET	53	52466	8.8.8.8	192.168.2.23
Oct 30, 2024 16:23:35.712596893 CET	46118	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:23:35.719867945 CET	53	46118	8.8.8.8	192.168.2.23
Oct 30, 2024 16:23:35.720618963 CET	49176	53	192.168.2.23	8.8.8.8
Oct 30, 2024 16:23:35.730128050 CET	53	49176	8.8.8.8	192.168.2.23

System Behavior

Analysis Process: vhsr56PI3r.elf PID: 6212, Parent PID: 6131

General

Start time (UTC):	15:21:30
Start date (UTC):	30/10/2024
Path:	/tmp/vhsr56PI3r.elf
Arguments:	/tmp/vhsr56PI3r.elf
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Chronological Activities

Analysis Process: vhsr56PI3r.elf PID: 6214, Parent PID: 6212

General

Start time (UTC):	15:21:30
Start date (UTC):	30/10/2024
Path:	/tmp/vhsr56PI3r.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Chronological Activities

Analysis Process: vhsr56PI3r.elf PID: 6216, Parent PID: 6214

General

Start time (UTC):	15:21:30
Start date (UTC):	30/10/2024
Path:	/tmp/vhsr56PI3r.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report vhsr56PI3r.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

System Behavior

Analysis Process: vhsr56PI3r.elf PID: 6212, Parent PID: 6131

General

Chronological Activities

Analysis Process: vhsr56PI3r.elf PID: 6214, Parent PID: 6212

General

Chronological Activities

Analysis Process: vhsr56PI3r.elf PID: 6216, Parent PID: 6214

General

Chronological Activities

Linux Analysis Report
vhsr56PI3r.elf