Edit tour

Linux Analysis Report
zmap.sh4.elf

Overview

General Information

Sample name:	zmap.sh4.elf
Analysis ID:	1547472
MD5:	072034caacd2f00a0ecb21c2cd8d089c
SHA1:	8e03db8c54dd27dd41557211f0487063a8edb95c
SHA256:	aa06b7f54a62bb858c5e32ae4f52160052c32430388af5f4f7d1fd28a211fdcc
Tags:	elfuser-abuse_ch
Infos:

Detection

Mirai, Okiru

Score:	84
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Mirai

Yara detected Okiru

Sample deletes itself

Detected TCP or UDP traffic on non-standard ports

Sample has stripped symbol table

Sample listens on a socket

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1547472
Start date and time:	2024-11-02 15:37:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	zmap.sh4.elf
Detection:	MAL
Classification:	mal84.troj.evad.linELF@0/0@24/0

Warnings

VT rate limit hit for: zmap.sh4.elf

Runtime Messages

Command:	/tmp/zmap.sh4.elf
PID:	5491
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	VagneRHere
Standard Error:

Process Tree

system is lnxubuntu20

zmap.sh4.elf (PID: 5491, Parent: 5416, MD5: 8943e5f8f8c280467b4472c15ae93ba9) Arguments: /tmp/zmap.sh4.elf

zmap.sh4.elf New Fork (PID: 5493, Parent: 5491)

zmap.sh4.elf New Fork (PID: 5499, Parent: 5493)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
zmap.sh4.elf	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
zmap.sh4.elf	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
zmap.sh4.elf	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xd548:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd55c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd570:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd584:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd598:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd5ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd5c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd5d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd5e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd5fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd610:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd624:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd638:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd64c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd660:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd674:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd688:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd69c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd6b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd6c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd6d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F

Memory Dumps

Source	Rule	Description	Author	Strings
5491.1.00007fa8d0400000.00007fa8d0410000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
5491.1.00007fa8d0400000.00007fa8d0410000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5491.1.00007fa8d0400000.00007fa8d0410000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xd548:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd55c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd570:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd584:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd598:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd5ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd5c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd5d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd5e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd5fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd610:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd624:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd638:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd64c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd660:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd674:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd688:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd69c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd6b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd6c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd6d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5499.1.00007fa8d0400000.00007fa8d0410000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
5499.1.00007fa8d0400000.00007fa8d0410000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5499.1.00007fa8d0400000.00007fa8d0410000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xd548:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd55c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd570:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd584:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd598:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd5ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd5c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd5d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd5e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd5fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd610:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd624:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd638:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd64c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd660:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd674:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd688:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd69c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd6b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd6c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd6d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: zmap.sh4.elf PID: 5491	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Process Memory Space: zmap.sh4.elf PID: 5491	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: zmap.sh4.elf PID: 5491	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x501b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x502f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5043:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5057:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x506b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x507f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5093:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x50a7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x50bb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x50cf:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x50e3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x50f7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x510b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x511f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5133:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5147:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x515b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x516f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5183:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5197:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x51ab:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: zmap.sh4.elf PID: 5499	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Process Memory Space: zmap.sh4.elf PID: 5499	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: zmap.sh4.elf PID: 5499	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x110e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1122:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1136:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x114a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x115e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1172:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1186:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x119a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11ae:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11c2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11d6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11ea:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11fe:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1212:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1226:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x123a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x124e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1262:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1276:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x128a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x129e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Click to see the 7 entries

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: zmap.sh4.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: zmap.sh4.elf

ReversingLabs: Detection: 57%

Source: global traffic

TCP traffic: 192.168.2.14:47360 -> 154.216.16.38:59962

Source: /tmp/zmap.sh4.elf (PID: 5491)

Socket: 127.0.0.1:39148

Jump to behavior

Source: global traffic

DNS traffic detected: DNS query: server.myway-ing.win

System Summary

Malicious sample detected (through community Yara rule)

Source: zmap.sh4.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5491.1.00007fa8d0400000.00007fa8d0410000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5499.1.00007fa8d0400000.00007fa8d0410000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: zmap.sh4.elf PID: 5491, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: zmap.sh4.elf PID: 5499, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: ELF static info symbol of initial sample

.symtab present: no

Source: zmap.sh4.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5491.1.00007fa8d0400000.00007fa8d0410000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5499.1.00007fa8d0400000.00007fa8d0410000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: zmap.sh4.elf PID: 5491, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: zmap.sh4.elf PID: 5499, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal84.troj.evad.linELF@0/0@24/0

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/zmap.sh4.elf (PID: 5491)

File: /tmp/zmap.sh4.elf

Jump to behavior

Source: /tmp/zmap.sh4.elf (PID: 5491)

Queries kernel information via 'uname':

Jump to behavior

Source: zmap.sh4.elf, 5491.1.00007ffca9798000.00007ffca97b9000.rw-.sdmp, zmap.sh4.elf, 5499.1.00007ffca9798000.00007ffca97b9000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-sh4/tmp/zmap.sh4.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/zmap.sh4.elf
Source: zmap.sh4.elf, 5491.1.00007ffca9798000.00007ffca97b9000.rw-.sdmp, zmap.sh4.elf, 5499.1.00007ffca9798000.00007ffca97b9000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sh4
Source: zmap.sh4.elf, 5491.1.0000562edc9ec000.0000562edca4f000.rw-.sdmp, zmap.sh4.elf, 5499.1.0000562edc9ec000.0000562edca4f000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/sh4
Source: zmap.sh4.elf, 5491.1.0000562edc9ec000.0000562edca4f000.rw-.sdmp, zmap.sh4.elf, 5499.1.0000562edc9ec000.0000562edca4f000.rw-.sdmp	Binary or memory string: .V5!/etc/qemu-binfmt/sh4

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: zmap.sh4.elf, type: SAMPLE
Source: Yara match	File source: 5491.1.00007fa8d0400000.00007fa8d0410000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5499.1.00007fa8d0400000.00007fa8d0410000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zmap.sh4.elf PID: 5491, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: zmap.sh4.elf PID: 5499, type: MEMORYSTR

Yara detected Okiru

Source: Yara match	File source: zmap.sh4.elf, type: SAMPLE
Source: Yara match	File source: 5491.1.00007fa8d0400000.00007fa8d0410000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5499.1.00007fa8d0400000.00007fa8d0410000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zmap.sh4.elf PID: 5491, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: zmap.sh4.elf PID: 5499, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: zmap.sh4.elf, type: SAMPLE
Source: Yara match	File source: 5491.1.00007fa8d0400000.00007fa8d0410000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5499.1.00007fa8d0400000.00007fa8d0410000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zmap.sh4.elf PID: 5491, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: zmap.sh4.elf PID: 5499, type: MEMORYSTR

Yara detected Okiru

Source: Yara match	File source: zmap.sh4.elf, type: SAMPLE
Source: Yara match	File source: 5491.1.00007fa8d0400000.00007fa8d0410000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5499.1.00007fa8d0400000.00007fa8d0410000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zmap.sh4.elf PID: 5491, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: zmap.sh4.elf PID: 5499, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 File Deletion	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
zmap.sh4.elf	58%	ReversingLabs	Linux.Trojan.Mirai
zmap.sh4.elf	100%	Avira	EXP/ELF.Mirai.Z.A

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
server.myway-ing.win	154.216.16.38	true	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
154.216.16.38	server.myway-ing.win	Seychelles		135357	SKHT-ASShenzhenKatherineHengTechnologyInformationCo	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
154.216.16.38	zmap.mips.elf	Get hash	malicious	Mirai, Okiru	Browse
	zmap.x86.elf	Get hash	malicious	Okiru	Browse
	zmap.mpsl.elf	Get hash	malicious	Mirai, Okiru	Browse
	debug.dbg.elf	Get hash	malicious	Mirai, Okiru	Browse
	zmap.m68k.elf	Get hash	malicious	Mirai, Okiru	Browse
	zmap.mpsl.elf	Get hash	malicious	Mirai, Okiru	Browse
	zmap.mips.elf	Get hash	malicious	Mirai, Okiru	Browse
	zmap.arm.elf	Get hash	malicious	Mirai, Okiru	Browse
	zmap.spc.elf	Get hash	malicious	Mirai, Okiru	Browse
	zmap.sh4.elf	Get hash	malicious	Mirai, Okiru	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
server.myway-ing.win	zmap.mips.elf	Get hash	malicious	Mirai, Okiru	Browse	154.216.16.38
	zmap.x86.elf	Get hash	malicious	Okiru	Browse	154.216.16.38
	zmap.mpsl.elf	Get hash	malicious	Mirai, Okiru	Browse	154.216.16.38

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SKHT-ASShenzhenKatherineHengTechnologyInformationCo	zmap.mips.elf	Get hash	malicious	Mirai, Okiru	Browse	154.216.16.38
	zmap.x86.elf	Get hash	malicious	Okiru	Browse	154.216.16.38
	zmap.mpsl.elf	Get hash	malicious	Mirai, Okiru	Browse	154.216.16.38
	qkehusl.elf	Get hash	malicious	Mirai	Browse	154.216.19.76
	jwwofba5.elf	Get hash	malicious	Mirai	Browse	154.216.19.76
	wheiuwa4.elf	Get hash	malicious	Mirai	Browse	154.216.19.76
	dvwkja7.elf	Get hash	malicious	Mirai	Browse	154.216.19.76
	vsbeps.elf	Get hash	malicious	Mirai	Browse	154.216.19.76
	qkbfi86.elf	Get hash	malicious	Mirai	Browse	154.216.19.76
	boatnet.m68k.elf	Get hash	malicious	Mirai	Browse	154.216.19.64

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.906975450842153
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	zmap.sh4.elf
File size:	64'316 bytes
MD5:	072034caacd2f00a0ecb21c2cd8d089c
SHA1:	8e03db8c54dd27dd41557211f0487063a8edb95c
SHA256:	aa06b7f54a62bb858c5e32ae4f52160052c32430388af5f4f7d1fd28a211fdcc
SHA512:	2311565b506ec54a9a70c7ee9bd336babba09be44e1baadc30e990cd153a9f05195e6cf4700dbfa79c7418787f3e914d745ea1714fe3b69ca63b89962ff8bf96
SSDEEP:	1536:axqlNEqXAcC9s/mRH2Gy2BX3tlzYN2KWNxXrCZQCZr2JY:axQ+cAcC9s/mRH2Gy2BX9l83W3CZQpJY
TLSH:	08539E7AE42A2984C5450434A0B88F741FA3B1C4935B6EFB1ADDC6B5604BEBCF449FE4
File Content Preview:	.ELF.....................@.4...........4. ...(...............@...@...........................A...A......'..........Q.td............................././"O.n........#.@........#.*@,....o&O.n...l..............................././.../.a"O.!...n...a.b("...q.

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	<unknown>
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x4001a0
Flags:	0x9
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	63916
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x30	0x0	0x6	AX	4
.text	PROGBITS	0x4000e0	0xe0	0xd440	0x0	0x6	AX	32
.fini	PROGBITS	0x40d520	0xd520	0x24	0x0	0x6	AX	4
.rodata	PROGBITS	0x40d544	0xd544	0x2084	0x0	0x2	A	4
.ctors	PROGBITS	0x41f5cc	0xf5cc	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x41f5d4	0xf5d4	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x41f5e0	0xf5e0	0x38c	0x0	0x3	WA	4
.bss	NOBITS	0x41f96c	0xf96c	0x2430	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0xf96c	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0xf5c8	0xf5c8	6.9534	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0xf5cc	0x41f5cc	0x41f5cc	0x3a0	0x27d0	3.1237	0x6	RW	0x10000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 2, 2024 15:38:00.295809031 CET	47360	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:00.300612926 CET	59962	47360	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:00.300668955 CET	47360	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:00.307323933 CET	47360	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:00.312163115 CET	59962	47360	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:00.312205076 CET	47360	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:00.324250937 CET	59962	47360	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:01.189470053 CET	59962	47360	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:01.189769983 CET	47360	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:01.189769983 CET	47360	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:01.198340893 CET	47362	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:01.203181028 CET	59962	47362	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:01.203254938 CET	47362	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:01.203908920 CET	47362	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:01.209089041 CET	59962	47362	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:01.209134102 CET	47362	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:01.214088917 CET	59962	47362	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:02.082496881 CET	59962	47362	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:02.082510948 CET	59962	47362	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:02.082609892 CET	47362	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:02.082609892 CET	47362	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:02.082690954 CET	47362	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:02.090620995 CET	47364	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:02.095457077 CET	59962	47364	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:02.095518112 CET	47364	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:02.096115112 CET	47364	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:02.100944042 CET	59962	47364	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:02.100990057 CET	47364	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:02.105797052 CET	59962	47364	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:03.002341986 CET	59962	47364	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:03.002605915 CET	47364	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:03.002607107 CET	47364	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:03.043574095 CET	47366	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:03.048499107 CET	59962	47366	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:03.048554897 CET	47366	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:03.049115896 CET	47366	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:03.053996086 CET	59962	47366	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:03.054043055 CET	47366	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:03.059020042 CET	59962	47366	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:03.963859081 CET	59962	47366	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:03.963967085 CET	47366	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:03.964121103 CET	47366	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:03.972405910 CET	47368	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:03.977350950 CET	59962	47368	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:03.977407932 CET	47368	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:03.978003025 CET	47368	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:03.982769012 CET	59962	47368	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:03.982822895 CET	47368	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:03.988888979 CET	59962	47368	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:04.860703945 CET	59962	47368	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:04.861105919 CET	47368	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:04.861107111 CET	47368	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:04.869196892 CET	47370	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:04.874027014 CET	59962	47370	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:04.874093056 CET	47370	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:04.874727011 CET	47370	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:04.879571915 CET	59962	47370	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:04.879617929 CET	47370	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:04.884443045 CET	59962	47370	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:05.760056973 CET	59962	47370	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:05.760158062 CET	47370	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:05.760232925 CET	47370	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:05.760293007 CET	59962	47370	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:05.760351896 CET	47370	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:05.768824100 CET	47372	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:05.773706913 CET	59962	47372	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:05.773772955 CET	47372	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:05.774491072 CET	47372	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:05.779350042 CET	59962	47372	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:05.779393911 CET	47372	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:05.784260988 CET	59962	47372	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:06.674825907 CET	59962	47372	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:06.674896002 CET	59962	47372	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:06.675056934 CET	47372	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:06.675056934 CET	47372	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:06.675056934 CET	47372	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:06.683270931 CET	47374	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:06.688087940 CET	59962	47374	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:06.688136101 CET	47374	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:06.688926935 CET	47374	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:06.693731070 CET	59962	47374	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:06.693772078 CET	47374	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:06.698605061 CET	59962	47374	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:07.592345953 CET	59962	47374	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:07.592619896 CET	47374	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:07.592619896 CET	47374	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:07.602118015 CET	47376	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:07.606867075 CET	59962	47376	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:07.606925011 CET	47376	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:07.607847929 CET	47376	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:07.612575054 CET	59962	47376	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:07.612637997 CET	47376	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:07.618452072 CET	59962	47376	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:08.493181944 CET	59962	47376	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:08.493385077 CET	47376	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:08.493385077 CET	47376	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:08.502052069 CET	47378	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:08.507383108 CET	59962	47378	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:08.507478952 CET	47378	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:08.508299112 CET	47378	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:08.513101101 CET	59962	47378	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:08.513199091 CET	47378	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:08.517968893 CET	59962	47378	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:09.381093025 CET	59962	47378	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:09.381383896 CET	47378	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:09.381485939 CET	47378	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:09.389822006 CET	47380	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:09.394696951 CET	59962	47380	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:09.394757032 CET	47380	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:09.395626068 CET	47380	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:09.400350094 CET	59962	47380	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:09.400403023 CET	47380	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:09.405214071 CET	59962	47380	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:11.137495041 CET	59962	47380	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:11.137690067 CET	47380	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:11.137718916 CET	47380	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:11.138674021 CET	59962	47380	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:11.138748884 CET	47380	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:11.138894081 CET	59962	47380	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:11.138945103 CET	47380	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:11.139383078 CET	59962	47380	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:11.139463902 CET	47380	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:11.149511099 CET	47382	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:11.154628038 CET	59962	47382	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:11.154726982 CET	47382	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:11.155854940 CET	47382	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:11.160672903 CET	59962	47382	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:11.160739899 CET	47382	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:11.165481091 CET	59962	47382	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:12.025686026 CET	59962	47382	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:12.026022911 CET	47382	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:12.026057959 CET	47382	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:12.034792900 CET	47384	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:12.039582014 CET	59962	47384	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:12.039685965 CET	47384	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:12.040759087 CET	47384	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:12.045514107 CET	59962	47384	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:12.045581102 CET	47384	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:12.050327063 CET	59962	47384	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:12.951064110 CET	59962	47384	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:12.951440096 CET	47384	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:12.951440096 CET	47384	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:12.960381985 CET	47386	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:12.965432882 CET	59962	47386	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:12.965523958 CET	47386	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:12.966603041 CET	47386	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:12.972376108 CET	59962	47386	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:12.972444057 CET	47386	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:12.977266073 CET	59962	47386	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:13.870620966 CET	59962	47386	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:13.870884895 CET	47386	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:13.870884895 CET	47386	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:13.881287098 CET	47388	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:13.886140108 CET	59962	47388	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:13.886236906 CET	47388	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:13.887171984 CET	47388	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:13.891968012 CET	59962	47388	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:13.892067909 CET	47388	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:13.896914959 CET	59962	47388	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:14.770572901 CET	59962	47388	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:14.770587921 CET	59962	47388	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:14.770914078 CET	47388	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:14.770914078 CET	47388	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:14.771049023 CET	47388	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:14.780493021 CET	47390	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:14.785336018 CET	59962	47390	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:14.785402060 CET	47390	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:14.786360025 CET	47390	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:14.791439056 CET	59962	47390	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:14.791492939 CET	47390	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:14.796351910 CET	59962	47390	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:15.653098106 CET	59962	47390	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:15.653516054 CET	47390	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:15.653516054 CET	47390	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:15.662092924 CET	47392	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:15.666940928 CET	59962	47392	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:15.667037964 CET	47392	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:15.667892933 CET	47392	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:15.672733068 CET	59962	47392	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:15.672802925 CET	47392	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:15.677745104 CET	59962	47392	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:16.567812920 CET	59962	47392	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:16.568049908 CET	47392	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:16.568120956 CET	47392	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:16.576822042 CET	47394	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:16.581708908 CET	59962	47394	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:16.581765890 CET	47394	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:16.582545996 CET	47394	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:16.587532043 CET	59962	47394	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:16.587584972 CET	47394	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:16.592643976 CET	59962	47394	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:17.483061075 CET	59962	47394	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:17.483097076 CET	59962	47394	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:17.483299971 CET	47394	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:17.483299971 CET	47394	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:17.483519077 CET	47394	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:17.493541002 CET	47396	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:17.498383045 CET	59962	47396	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:17.498469114 CET	47396	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:17.499583006 CET	47396	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:17.504406929 CET	59962	47396	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:17.504467964 CET	47396	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:17.509260893 CET	59962	47396	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:18.378031969 CET	59962	47396	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:18.378228903 CET	47396	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:18.378233910 CET	59962	47396	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:18.378293991 CET	47396	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:18.378365993 CET	47396	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:18.387245893 CET	47398	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:18.392146111 CET	59962	47398	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:18.392225981 CET	47398	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:18.393280983 CET	47398	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:18.398040056 CET	59962	47398	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:18.398106098 CET	47398	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:18.402874947 CET	59962	47398	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:19.299143076 CET	59962	47398	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:19.299323082 CET	47398	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:19.299360991 CET	47398	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:19.528168917 CET	59962	47398	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:19.528466940 CET	47398	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:19.530745983 CET	47400	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:19.535628080 CET	59962	47400	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:19.535696030 CET	47400	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:19.536726952 CET	47400	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:19.541480064 CET	59962	47400	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:19.541524887 CET	47400	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:19.546480894 CET	59962	47400	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:20.420366049 CET	59962	47400	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:20.420387030 CET	59962	47400	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:20.420408964 CET	59962	47400	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:20.420491934 CET	47400	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:20.420491934 CET	47400	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:20.420491934 CET	47400	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:20.420684099 CET	47400	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:20.429454088 CET	47402	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:20.434372902 CET	59962	47402	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:20.434448004 CET	47402	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:20.435400009 CET	47402	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:20.440217972 CET	59962	47402	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:20.440279961 CET	47402	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:20.445163965 CET	59962	47402	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:21.358680964 CET	59962	47402	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:21.358846903 CET	47402	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:21.358995914 CET	47402	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:21.367994070 CET	47404	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:21.372844934 CET	59962	47404	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:21.372916937 CET	47404	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:21.374588013 CET	47404	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:21.379354000 CET	59962	47404	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:21.379406929 CET	47404	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:21.384131908 CET	59962	47404	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:22.282627106 CET	59962	47404	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:22.282809973 CET	47404	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:22.282872915 CET	47404	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:22.292066097 CET	47406	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:22.298268080 CET	59962	47406	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:22.298340082 CET	47406	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:22.299335957 CET	47406	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:22.304197073 CET	59962	47406	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:22.304264069 CET	47406	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:22.309120893 CET	59962	47406	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:32.306417942 CET	47406	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:38:32.311323881 CET	59962	47406	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:32.571492910 CET	59962	47406	154.216.16.38	192.168.2.14
Nov 2, 2024 15:38:32.571706057 CET	47406	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:39:32.606683969 CET	47406	59962	192.168.2.14	154.216.16.38
Nov 2, 2024 15:39:32.611737967 CET	59962	47406	154.216.16.38	192.168.2.14
Nov 2, 2024 15:39:32.870861053 CET	59962	47406	154.216.16.38	192.168.2.14
Nov 2, 2024 15:39:32.871057034 CET	47406	59962	192.168.2.14	154.216.16.38

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 2, 2024 15:38:00.248895884 CET	50590	53	192.168.2.14	8.8.8.8
Nov 2, 2024 15:38:00.255628109 CET	53	50590	8.8.8.8	192.168.2.14
Nov 2, 2024 15:38:01.190677881 CET	56488	53	192.168.2.14	8.8.8.8
Nov 2, 2024 15:38:01.197784901 CET	53	56488	8.8.8.8	192.168.2.14
Nov 2, 2024 15:38:02.083508968 CET	39061	53	192.168.2.14	8.8.8.8
Nov 2, 2024 15:38:02.090195894 CET	53	39061	8.8.8.8	192.168.2.14
Nov 2, 2024 15:38:03.003510952 CET	47112	53	192.168.2.14	8.8.8.8
Nov 2, 2024 15:38:03.042954922 CET	53	47112	8.8.8.8	192.168.2.14
Nov 2, 2024 15:38:03.964941025 CET	50790	53	192.168.2.14	8.8.8.8
Nov 2, 2024 15:38:03.972016096 CET	53	50790	8.8.8.8	192.168.2.14
Nov 2, 2024 15:38:04.861912012 CET	42382	53	192.168.2.14	8.8.8.8
Nov 2, 2024 15:38:04.868834019 CET	53	42382	8.8.8.8	192.168.2.14
Nov 2, 2024 15:38:05.761450052 CET	41583	53	192.168.2.14	8.8.8.8
Nov 2, 2024 15:38:05.768170118 CET	53	41583	8.8.8.8	192.168.2.14
Nov 2, 2024 15:38:06.675770044 CET	42092	53	192.168.2.14	8.8.8.8
Nov 2, 2024 15:38:06.682918072 CET	53	42092	8.8.8.8	192.168.2.14
Nov 2, 2024 15:38:07.593676090 CET	51407	53	192.168.2.14	8.8.8.8
Nov 2, 2024 15:38:07.601325989 CET	53	51407	8.8.8.8	192.168.2.14
Nov 2, 2024 15:38:08.494215012 CET	36023	53	192.168.2.14	8.8.8.8
Nov 2, 2024 15:38:08.501648903 CET	53	36023	8.8.8.8	192.168.2.14
Nov 2, 2024 15:38:09.382649899 CET	60946	53	192.168.2.14	8.8.8.8
Nov 2, 2024 15:38:09.389367104 CET	53	60946	8.8.8.8	192.168.2.14
Nov 2, 2024 15:38:11.139053106 CET	45527	53	192.168.2.14	8.8.8.8
Nov 2, 2024 15:38:11.149015903 CET	53	45527	8.8.8.8	192.168.2.14
Nov 2, 2024 15:38:12.027287006 CET	50391	53	192.168.2.14	8.8.8.8
Nov 2, 2024 15:38:12.034184933 CET	53	50391	8.8.8.8	192.168.2.14
Nov 2, 2024 15:38:12.952636003 CET	40061	53	192.168.2.14	8.8.8.8
Nov 2, 2024 15:38:12.959769011 CET	53	40061	8.8.8.8	192.168.2.14
Nov 2, 2024 15:38:13.872041941 CET	42184	53	192.168.2.14	8.8.8.8
Nov 2, 2024 15:38:13.880661964 CET	53	42184	8.8.8.8	192.168.2.14
Nov 2, 2024 15:38:14.772461891 CET	36142	53	192.168.2.14	8.8.8.8
Nov 2, 2024 15:38:14.779997110 CET	53	36142	8.8.8.8	192.168.2.14
Nov 2, 2024 15:38:15.654563904 CET	38332	53	192.168.2.14	8.8.8.8
Nov 2, 2024 15:38:15.661633968 CET	53	38332	8.8.8.8	192.168.2.14
Nov 2, 2024 15:38:16.569240093 CET	50104	53	192.168.2.14	8.8.8.8
Nov 2, 2024 15:38:16.576322079 CET	53	50104	8.8.8.8	192.168.2.14
Nov 2, 2024 15:38:17.484961987 CET	47826	53	192.168.2.14	8.8.8.8
Nov 2, 2024 15:38:17.492938995 CET	53	47826	8.8.8.8	192.168.2.14
Nov 2, 2024 15:38:18.379832029 CET	56024	53	192.168.2.14	8.8.8.8
Nov 2, 2024 15:38:18.386615992 CET	53	56024	8.8.8.8	192.168.2.14
Nov 2, 2024 15:38:19.300539017 CET	39388	53	192.168.2.14	8.8.8.8
Nov 2, 2024 15:38:19.529891014 CET	53	39388	8.8.8.8	192.168.2.14
Nov 2, 2024 15:38:20.421919107 CET	34420	53	192.168.2.14	8.8.8.8
Nov 2, 2024 15:38:20.428924084 CET	53	34420	8.8.8.8	192.168.2.14
Nov 2, 2024 15:38:21.360435009 CET	39169	53	192.168.2.14	8.8.8.8
Nov 2, 2024 15:38:21.367463112 CET	53	39169	8.8.8.8	192.168.2.14
Nov 2, 2024 15:38:22.284084082 CET	54940	53	192.168.2.14	8.8.8.8
Nov 2, 2024 15:38:22.291555882 CET	53	54940	8.8.8.8	192.168.2.14

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 2, 2024 15:38:00.248895884 CET	192.168.2.14	8.8.8.8	0x17f3	Standard query (0)	server.myway-ing.win	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:01.190677881 CET	192.168.2.14	8.8.8.8	0x2100	Standard query (0)	server.myway-ing.win	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:02.083508968 CET	192.168.2.14	8.8.8.8	0x22a4	Standard query (0)	server.myway-ing.win	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:03.003510952 CET	192.168.2.14	8.8.8.8	0xd09b	Standard query (0)	server.myway-ing.win	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:03.964941025 CET	192.168.2.14	8.8.8.8	0xb06d	Standard query (0)	server.myway-ing.win	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:04.861912012 CET	192.168.2.14	8.8.8.8	0x27df	Standard query (0)	server.myway-ing.win	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:05.761450052 CET	192.168.2.14	8.8.8.8	0xf26d	Standard query (0)	server.myway-ing.win	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:06.675770044 CET	192.168.2.14	8.8.8.8	0x6b36	Standard query (0)	server.myway-ing.win	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:07.593676090 CET	192.168.2.14	8.8.8.8	0x66f4	Standard query (0)	server.myway-ing.win	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:08.494215012 CET	192.168.2.14	8.8.8.8	0xe322	Standard query (0)	server.myway-ing.win	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:09.382649899 CET	192.168.2.14	8.8.8.8	0x58ff	Standard query (0)	server.myway-ing.win	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:11.139053106 CET	192.168.2.14	8.8.8.8	0x6413	Standard query (0)	server.myway-ing.win	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:12.027287006 CET	192.168.2.14	8.8.8.8	0xb11	Standard query (0)	server.myway-ing.win	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:12.952636003 CET	192.168.2.14	8.8.8.8	0x5c97	Standard query (0)	server.myway-ing.win	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:13.872041941 CET	192.168.2.14	8.8.8.8	0x6cd4	Standard query (0)	server.myway-ing.win	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:14.772461891 CET	192.168.2.14	8.8.8.8	0x295b	Standard query (0)	server.myway-ing.win	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:15.654563904 CET	192.168.2.14	8.8.8.8	0x4f50	Standard query (0)	server.myway-ing.win	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:16.569240093 CET	192.168.2.14	8.8.8.8	0x6b72	Standard query (0)	server.myway-ing.win	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:17.484961987 CET	192.168.2.14	8.8.8.8	0x5918	Standard query (0)	server.myway-ing.win	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:18.379832029 CET	192.168.2.14	8.8.8.8	0xb2ac	Standard query (0)	server.myway-ing.win	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:19.300539017 CET	192.168.2.14	8.8.8.8	0x9469	Standard query (0)	server.myway-ing.win	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:20.421919107 CET	192.168.2.14	8.8.8.8	0xc489	Standard query (0)	server.myway-ing.win	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:21.360435009 CET	192.168.2.14	8.8.8.8	0x3fc6	Standard query (0)	server.myway-ing.win	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:22.284084082 CET	192.168.2.14	8.8.8.8	0xaece	Standard query (0)	server.myway-ing.win	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 2, 2024 15:38:00.255628109 CET	8.8.8.8	192.168.2.14	0x17f3	No error (0)	server.myway-ing.win	154.216.16.38	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:01.197784901 CET	8.8.8.8	192.168.2.14	0x2100	No error (0)	server.myway-ing.win	154.216.16.38	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:02.090195894 CET	8.8.8.8	192.168.2.14	0x22a4	No error (0)	server.myway-ing.win	154.216.16.38	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:03.042954922 CET	8.8.8.8	192.168.2.14	0xd09b	No error (0)	server.myway-ing.win	154.216.16.38	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:03.972016096 CET	8.8.8.8	192.168.2.14	0xb06d	No error (0)	server.myway-ing.win	154.216.16.38	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:04.868834019 CET	8.8.8.8	192.168.2.14	0x27df	No error (0)	server.myway-ing.win	154.216.16.38	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:05.768170118 CET	8.8.8.8	192.168.2.14	0xf26d	No error (0)	server.myway-ing.win	154.216.16.38	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:06.682918072 CET	8.8.8.8	192.168.2.14	0x6b36	No error (0)	server.myway-ing.win	154.216.16.38	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:07.601325989 CET	8.8.8.8	192.168.2.14	0x66f4	No error (0)	server.myway-ing.win	154.216.16.38	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:08.501648903 CET	8.8.8.8	192.168.2.14	0xe322	No error (0)	server.myway-ing.win	154.216.16.38	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:09.389367104 CET	8.8.8.8	192.168.2.14	0x58ff	No error (0)	server.myway-ing.win	154.216.16.38	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:11.149015903 CET	8.8.8.8	192.168.2.14	0x6413	No error (0)	server.myway-ing.win	154.216.16.38	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:12.034184933 CET	8.8.8.8	192.168.2.14	0xb11	No error (0)	server.myway-ing.win	154.216.16.38	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:12.959769011 CET	8.8.8.8	192.168.2.14	0x5c97	No error (0)	server.myway-ing.win	154.216.16.38	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:13.880661964 CET	8.8.8.8	192.168.2.14	0x6cd4	No error (0)	server.myway-ing.win	154.216.16.38	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:14.779997110 CET	8.8.8.8	192.168.2.14	0x295b	No error (0)	server.myway-ing.win	154.216.16.38	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:15.661633968 CET	8.8.8.8	192.168.2.14	0x4f50	No error (0)	server.myway-ing.win	154.216.16.38	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:16.576322079 CET	8.8.8.8	192.168.2.14	0x6b72	No error (0)	server.myway-ing.win	154.216.16.38	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:17.492938995 CET	8.8.8.8	192.168.2.14	0x5918	No error (0)	server.myway-ing.win	154.216.16.38	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:18.386615992 CET	8.8.8.8	192.168.2.14	0xb2ac	No error (0)	server.myway-ing.win	154.216.16.38	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:19.529891014 CET	8.8.8.8	192.168.2.14	0x9469	No error (0)	server.myway-ing.win	154.216.16.38	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:20.428924084 CET	8.8.8.8	192.168.2.14	0xc489	No error (0)	server.myway-ing.win	154.216.16.38	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:21.367463112 CET	8.8.8.8	192.168.2.14	0x3fc6	No error (0)	server.myway-ing.win	154.216.16.38	A (IP address)	IN (0x0001)	false
Nov 2, 2024 15:38:22.291555882 CET	8.8.8.8	192.168.2.14	0xaece	No error (0)	server.myway-ing.win	154.216.16.38	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: zmap.sh4.elf PID: 5491, Parent PID: 5416

General

Start time (UTC):	14:37:59
Start date (UTC):	02/11/2024
Path:	/tmp/zmap.sh4.elf
Arguments:	/tmp/zmap.sh4.elf
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: zmap.sh4.elf PID: 5493, Parent PID: 5491

General

Start time (UTC):	14:37:59
Start date (UTC):	02/11/2024
Path:	/tmp/zmap.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: zmap.sh4.elf PID: 5499, Parent PID: 5493

General

Start time (UTC):	14:37:59
Start date (UTC):	02/11/2024
Path:	/tmp/zmap.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report zmap.sh4.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: zmap.sh4.elf PID: 5491, Parent PID: 5416

General

Chronological Activities

Analysis Process: zmap.sh4.elf PID: 5493, Parent PID: 5491

General

Chronological Activities

Analysis Process: zmap.sh4.elf PID: 5499, Parent PID: 5493

General

Chronological Activities

Linux Analysis Report
zmap.sh4.elf