Edit tour

Linux Analysis Report
boatnet.ppc.elf

Overview

General Information

Sample name:	boatnet.ppc.elf
Analysis ID:	1558957
MD5:	d6b832a8b592f58a99f00ccaf8ca4780
SHA1:	13bcf95df7d7f3790de35309580d3e82a355337d
SHA256:	17d78d8a58f7e76bbec5f9a610f088300a3b4dcf7107bd3f4fd1bf07db732e53
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Connects to many ports of the same IP (likely port scanning)

Sample is packed with UPX

Sends malformed DNS queries

Detected TCP or UDP traffic on non-standard ports

ELF contains segments with high entropy indicating compressed/encrypted content

Sample contains only a LOAD segment without any section mappings

Sample listens on a socket

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1558957
Start date and time:	2024-11-20 01:12:55 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	boatnet.ppc.elf
Detection:	MAL
Classification:	mal60.troj.evad.linELF@0/0@20/0

Warnings

VT rate limit hit for: burnthe.libre. [malformed]
VT rate limit hit for: chinklabs.dyn. [malformed]
VT rate limit hit for: freethewind.parody. [malformed]
VT rate limit hit for: hiakamai.dyn. [malformed]
VT rate limit hit for: infectedslurs.geek. [malformed]
VT rate limit hit for: netfags.geek. [malformed]
VT rate limit hit for: w3d0ntlikebot5.parody. [malformed]
VT rate limit hit for: yellowchink.pirate. [malformed]

Runtime Messages

Command:	/tmp/boatnet.ppc.elf
PID:	5637
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	The Peoples Bank of China.
Standard Error:

Process Tree

system is lnxubuntu20

boatnet.ppc.elf (PID: 5637, Parent: 5554, MD5: ae65271c943d3451b7f026d1fadccea6) Arguments: /tmp/boatnet.ppc.elf

boatnet.ppc.elf New Fork (PID: 5639, Parent: 5637)

boatnet.ppc.elf New Fork (PID: 5641, Parent: 5639)

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: boatnet.ppc.elf

ReversingLabs: Detection: 15%

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 45.156.86.26 ports 38241,1,2,3,4,8

Sends malformed DNS queries

Source: global traffic	DNS traffic detected: malformed DNS query: hiakamai.dyn. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: freethewind.parody. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: infectedslurs.geek. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: w3d0ntlikebot5.parody. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: chinklabs.dyn. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: yellowchink.pirate. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: burnthe.libre. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: netfags.geek. [malformed]

Source: global traffic

TCP traffic: 192.168.2.14:58538 -> 45.156.86.26:38241

Source: /tmp/boatnet.ppc.elf (PID: 5637)

Socket: 127.0.0.1:39148

Jump to behavior

Source: unknown	UDP traffic detected without corresponding DNS query: 217.160.70.42
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 185.232.68.212
Source: unknown	UDP traffic detected without corresponding DNS query: 64.176.6.48
Source: unknown	UDP traffic detected without corresponding DNS query: 95.216.99.249
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 95.216.99.249
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown	UDP traffic detected without corresponding DNS query: 5.161.109.23
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 95.216.99.249
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 137.220.55.93
Source: unknown	UDP traffic detected without corresponding DNS query: 95.216.99.249
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203

Source: global traffic	DNS traffic detected: DNS query: hiakamai.dyn
Source: global traffic	DNS traffic detected: DNS query: w3d0ntlikebot5.parody
Source: global traffic	DNS traffic detected: DNS query: hiakamai.dyn. [malformed]
Source: global traffic	DNS traffic detected: DNS query: freethewind.parody. [malformed]
Source: global traffic	DNS traffic detected: DNS query: infectedslurs.geek. [malformed]
Source: global traffic	DNS traffic detected: DNS query: w3d0ntlikebot5.parody. [malformed]
Source: global traffic	DNS traffic detected: DNS query: chinklabs.dyn. [malformed]
Source: global traffic	DNS traffic detected: DNS query: yellowchink.pirate. [malformed]
Source: global traffic	DNS traffic detected: DNS query: burnthe.libre. [malformed]
Source: global traffic	DNS traffic detected: DNS query: netfags.geek. [malformed]
Source: global traffic	DNS traffic detected: DNS query: infectedchink.pirate

Source: boatnet.ppc.elf

String found in binary or memory: http://upx.sf.net

Source: LOAD without section mappings

Program segment: 0x100000

Source: classification engine

Classification label: mal60.troj.evad.linELF@0/0@20/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Source: boatnet.ppc.elf

Submission file: segment LOAD with 7.7088 entropy (max. 8.0)

Source: /tmp/boatnet.ppc.elf (PID: 5637)

Queries kernel information via 'uname':

Jump to behavior

Source: boatnet.ppc.elf, 5637.1.0000562bc52c6000.0000562bc5378000.rw-.sdmp	Binary or memory string: !/etc/qemu-binfmt/ppc1
Source: boatnet.ppc.elf, 5637.1.00007ffe5d187000.00007ffe5d1a8000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-ppc/tmp/boatnet.ppc.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/boatnet.ppc.elf
Source: boatnet.ppc.elf, 5637.1.0000562bc52c6000.0000562bc5378000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/ppc
Source: boatnet.ppc.elf, 5637.1.00007ffe5d187000.00007ffe5d1a8000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-ppc

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	11 Obfuscated Files or Information	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
boatnet.ppc.elf	16%	ReversingLabs	Linux.Trojan.Mirai

Dropped Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
hiakamai.dyn	3%	Virustotal		Browse

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
infectedchink.pirate	45.156.86.24	true	false		unknown
w3d0ntlikebot5.parody	170.187.181.188	true	true		unknown
hiakamai.dyn	45.79.236.13	true	true	3%, Virustotal, Browse	unknown
chinklabs.dyn. [malformed]	unknown	unknown	true		unknown
hiakamai.dyn. [malformed]	unknown	unknown	true		unknown
burnthe.libre. [malformed]	unknown	unknown	true		unknown
netfags.geek. [malformed]	unknown	unknown	true		unknown
infectedslurs.geek. [malformed]	unknown	unknown	true		unknown
freethewind.parody. [malformed]	unknown	unknown	true		unknown
yellowchink.pirate. [malformed]	unknown	unknown	true		unknown
w3d0ntlikebot5.parody. [malformed]	unknown	unknown	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	boatnet.ppc.elf	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.105.120.101	unknown	United States	63949	LINODE-APLinodeLLCUS	false
172.104.165.127	unknown	United States	63949	LINODE-APLinodeLLCUS	false
45.156.86.26	unknown	Germany	44592	SKYLINKNL	true

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
172.105.120.101	meow.arm.elf	Get hash	malicious	Unknown	Browse
45.156.86.26	nabmips.elf	Get hash	malicious	Unknown	Browse
	splppc.elf	Get hash	malicious	Unknown	Browse
	nabsh4.elf	Get hash	malicious	Unknown	Browse
	zerarm.elf	Get hash	malicious	Unknown	Browse
	nabmpsl.elf	Get hash	malicious	Unknown	Browse
	nabx86.elf	Get hash	malicious	Unknown	Browse
	zerarm5.elf	Get hash	malicious	Unknown	Browse
	zersh4.elf	Get hash	malicious	Unknown	Browse
	zermips.elf	Get hash	malicious	Unknown	Browse
	zermpsl.elf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
w3d0ntlikebot5.parody	j980HN1yJw.elf	Get hash	malicious	Unknown	Browse	204.76.203.19
	vCh0ttyibb.elf	Get hash	malicious	Unknown	Browse	5.181.80.189
	CMgd5ZVG2N.elf	Get hash	malicious	Unknown	Browse	5.181.80.189
	95DVgihS4k.elf	Get hash	malicious	Unknown	Browse	5.181.80.61
infectedchink.pirate	XHrUkAemNj.elf	Get hash	malicious	Unknown	Browse	77.105.135.60
	nIl2wyif6Q.elf	Get hash	malicious	Unknown	Browse	77.105.135.60
	CMgd5ZVG2N.elf	Get hash	malicious	Unknown	Browse	204.76.203.15
	ck4L513fGM.elf	Get hash	malicious	Unknown	Browse	5.181.80.60

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LINODE-APLinodeLLCUS	https://hopp.bio/wchn	Get hash	malicious	HTMLPhisher	Browse	173.230.149.18
	fM7fKHA1rf.exe	Get hash	malicious	XenoRAT	Browse	96.126.118.61
	exe009.exe	Get hash	malicious	Emotet	Browse	103.3.63.137
	QWJfaEAROV.exe	Get hash	malicious	AsyncRAT	Browse	139.162.100.28
	https://stopify.co/BOAZ81	Get hash	malicious	Unknown	Browse	172.104.231.58
	HZ1ZzlIpm7.vbe	Get hash	malicious	FormBook	Browse	45.33.6.223
	RN# D7521-RN-00353 REV-2.exe	Get hash	malicious	FormBook	Browse	45.33.6.223
	http://www2.megawebfind.com	Get hash	malicious	Unknown	Browse	45.56.79.23
	botnet.x86.elf	Get hash	malicious	Mirai, Moobot	Browse	192.155.85.209
	yakuza.i586.elf	Get hash	malicious	Unknown	Browse	212.71.233.232
LINODE-APLinodeLLCUS	https://hopp.bio/wchn	Get hash	malicious	HTMLPhisher	Browse	173.230.149.18
	fM7fKHA1rf.exe	Get hash	malicious	XenoRAT	Browse	96.126.118.61
	exe009.exe	Get hash	malicious	Emotet	Browse	103.3.63.137
	QWJfaEAROV.exe	Get hash	malicious	AsyncRAT	Browse	139.162.100.28
	https://stopify.co/BOAZ81	Get hash	malicious	Unknown	Browse	172.104.231.58
	HZ1ZzlIpm7.vbe	Get hash	malicious	FormBook	Browse	45.33.6.223
	RN# D7521-RN-00353 REV-2.exe	Get hash	malicious	FormBook	Browse	45.33.6.223
	http://www2.megawebfind.com	Get hash	malicious	Unknown	Browse	45.56.79.23
	botnet.x86.elf	Get hash	malicious	Mirai, Moobot	Browse	192.155.85.209
	yakuza.i586.elf	Get hash	malicious	Unknown	Browse	212.71.233.232
SKYLINKNL	nabarm5.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	nabmips.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	splppc.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	nabsh4.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	zerarm.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	zerspc.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	nabmpsl.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	nabx86.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	zerarm5.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	nabarm.elf	Get hash	malicious	Unknown	Browse	45.156.86.24

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (GNU/Linux), statically linked, no section header
Entropy (8bit):	7.702055155900184
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	boatnet.ppc.elf
File size:	15'880 bytes
MD5:	d6b832a8b592f58a99f00ccaf8ca4780
SHA1:	13bcf95df7d7f3790de35309580d3e82a355337d
SHA256:	17d78d8a58f7e76bbec5f9a610f088300a3b4dcf7107bd3f4fd1bf07db732e53
SHA512:	35f3400c6ee84e4c9db7ae33f81f6128a8b24e612e48054ade5351250d1ae6f54e9e87ed23cd50f1ee2d93fca212491f1d4c1515b929737fa197c9d5d2044c53
SSDEEP:	384:RvykYKa9XwDNhIcvzhXMlUzN43WVD4XgwlZez:6KauDNhlN4bK4gN
TLSH:	3162C0D3D2444D17D961DEBC52292B297F8E8CCB6A3E4CAB02C756F435AA1920E07F91
File Content Preview:	.ELF......................3....4.........4. ...(......................<...<...............gx..gx..gx................dt.Q................................UPX!.<........h<..h<.......Z....\|.$..ELF..............w..4.f\. ...(.....\|........d.........d.....lX..#]

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	PowerPC
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - Linux
ABI Version:	0
Entry Point Address:	0x1033c8
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0x100000	0x100000	0x3cfc	0x3cfc	7.7088	0x5	R E	0x10000
LOAD	0x6778	0x10016778	0x10016778	0x0	0x0	0.0000	0x6	RW	0x10000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2024 01:13:59.607248068 CET	60694	38241	192.168.2.14	172.104.165.127
Nov 20, 2024 01:13:59.612171888 CET	38241	60694	172.104.165.127	192.168.2.14
Nov 20, 2024 01:13:59.612227917 CET	60694	38241	192.168.2.14	172.104.165.127
Nov 20, 2024 01:13:59.628869057 CET	60694	38241	192.168.2.14	172.104.165.127
Nov 20, 2024 01:13:59.633873940 CET	38241	60694	172.104.165.127	192.168.2.14
Nov 20, 2024 01:13:59.633924007 CET	60694	38241	192.168.2.14	172.104.165.127
Nov 20, 2024 01:13:59.638777971 CET	38241	60694	172.104.165.127	192.168.2.14
Nov 20, 2024 01:14:01.667361975 CET	38241	60694	172.104.165.127	192.168.2.14
Nov 20, 2024 01:14:01.667591095 CET	60694	38241	192.168.2.14	172.104.165.127
Nov 20, 2024 01:14:01.672597885 CET	38241	60694	172.104.165.127	192.168.2.14
Nov 20, 2024 01:14:02.698920012 CET	50234	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:02.703895092 CET	38241	50234	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:02.703979969 CET	50234	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:02.704890013 CET	50234	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:02.709755898 CET	38241	50234	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:02.709873915 CET	50234	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:02.714762926 CET	38241	50234	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:04.760802984 CET	38241	50234	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:04.761231899 CET	50234	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:04.766885042 CET	38241	50234	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:05.774826050 CET	50236	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:05.779783964 CET	38241	50236	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:05.779856920 CET	50236	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:05.780739069 CET	50236	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:05.785693884 CET	38241	50236	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:05.785789967 CET	50236	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:05.790618896 CET	38241	50236	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:07.878635883 CET	38241	50236	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:07.878901005 CET	50236	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:07.883784056 CET	38241	50236	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:13.886732101 CET	50238	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:13.891881943 CET	38241	50238	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:13.891952991 CET	50238	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:13.892741919 CET	50238	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:13.897592068 CET	38241	50238	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:13.897649050 CET	50238	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:13.902462006 CET	38241	50238	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:15.968502045 CET	38241	50238	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:15.969183922 CET	50238	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:15.975435972 CET	38241	50238	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:21.980545998 CET	50240	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:22.000251055 CET	38241	50240	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:22.000535965 CET	50240	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:22.002082109 CET	50240	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:22.007637978 CET	38241	50240	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:22.007710934 CET	50240	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:22.012681007 CET	38241	50240	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:24.057090044 CET	38241	50240	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:24.057549953 CET	50240	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:24.062827110 CET	38241	50240	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:25.073137045 CET	50242	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:25.078082085 CET	38241	50242	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:25.078176022 CET	50242	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:25.079818964 CET	50242	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:25.084963083 CET	38241	50242	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:25.085057020 CET	50242	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:25.090333939 CET	38241	50242	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:27.174438000 CET	38241	50242	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:27.174916983 CET	50242	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:27.179909945 CET	38241	50242	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:28.189945936 CET	50244	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:28.194926023 CET	38241	50244	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:28.195010900 CET	50244	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:28.196367979 CET	50244	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:28.201204062 CET	38241	50244	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:28.201272964 CET	50244	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:28.206161976 CET	38241	50244	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:30.242551088 CET	38241	50244	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:30.242944002 CET	50244	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:30.248012066 CET	38241	50244	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:36.256597996 CET	50246	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:36.261857986 CET	38241	50246	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:36.262101889 CET	50246	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:36.264647961 CET	50246	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:36.269692898 CET	38241	50246	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:36.269912958 CET	50246	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:36.274868011 CET	38241	50246	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:38.324558973 CET	38241	50246	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:38.325140953 CET	50246	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:38.331109047 CET	38241	50246	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:39.342745066 CET	50248	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:39.347727060 CET	38241	50248	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:39.347826004 CET	50248	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:39.350189924 CET	50248	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:39.355127096 CET	38241	50248	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:39.355237007 CET	50248	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:39.360296011 CET	38241	50248	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:41.458633900 CET	38241	50248	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:41.459302902 CET	50248	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:41.464318991 CET	38241	50248	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:42.479559898 CET	50250	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:42.485779047 CET	38241	50250	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:42.485974073 CET	50250	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:42.487835884 CET	50250	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:42.494761944 CET	38241	50250	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:42.494831085 CET	50250	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:42.500930071 CET	38241	50250	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:44.583228111 CET	38241	50250	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:44.583627939 CET	50250	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:44.588606119 CET	38241	50250	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:45.602977991 CET	50252	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:45.607834101 CET	38241	50252	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:45.608036041 CET	50252	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:45.610013962 CET	50252	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:45.615175962 CET	38241	50252	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:45.615411043 CET	50252	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:45.620321989 CET	38241	50252	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:47.705094099 CET	38241	50252	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:47.705523968 CET	50252	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:47.710411072 CET	38241	50252	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:48.802344084 CET	50254	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:48.808986902 CET	38241	50254	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:48.809344053 CET	50254	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:48.812375069 CET	50254	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:48.817488909 CET	38241	50254	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:48.817728043 CET	50254	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:48.822603941 CET	38241	50254	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:50.892093897 CET	38241	50254	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:50.892666101 CET	50254	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:50.897874117 CET	38241	50254	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:56.907021046 CET	50256	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:56.912400007 CET	38241	50256	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:56.912842989 CET	50256	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:56.915041924 CET	50256	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:56.920713902 CET	38241	50256	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:56.921076059 CET	50256	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:56.926093102 CET	38241	50256	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:59.019088030 CET	38241	50256	172.105.120.101	192.168.2.14
Nov 20, 2024 01:14:59.019614935 CET	50256	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:14:59.024512053 CET	38241	50256	172.105.120.101	192.168.2.14
Nov 20, 2024 01:15:05.033389091 CET	50258	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:15:05.038731098 CET	38241	50258	172.105.120.101	192.168.2.14
Nov 20, 2024 01:15:05.038975954 CET	50258	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:15:05.041244030 CET	50258	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:15:05.046403885 CET	38241	50258	172.105.120.101	192.168.2.14
Nov 20, 2024 01:15:05.046638012 CET	50258	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:15:05.051772118 CET	38241	50258	172.105.120.101	192.168.2.14
Nov 20, 2024 01:15:07.090718985 CET	38241	50258	172.105.120.101	192.168.2.14
Nov 20, 2024 01:15:07.091442108 CET	50258	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:15:07.097964048 CET	38241	50258	172.105.120.101	192.168.2.14
Nov 20, 2024 01:15:08.125960112 CET	50260	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:15:08.130825996 CET	38241	50260	172.105.120.101	192.168.2.14
Nov 20, 2024 01:15:08.131020069 CET	50260	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:15:08.132641077 CET	50260	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:15:08.137528896 CET	38241	50260	172.105.120.101	192.168.2.14
Nov 20, 2024 01:15:08.137770891 CET	50260	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:15:08.142628908 CET	38241	50260	172.105.120.101	192.168.2.14
Nov 20, 2024 01:15:10.224945068 CET	38241	50260	172.105.120.101	192.168.2.14
Nov 20, 2024 01:15:10.225219011 CET	50260	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:15:10.230120897 CET	38241	50260	172.105.120.101	192.168.2.14
Nov 20, 2024 01:15:16.236325026 CET	50262	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:15:16.241625071 CET	38241	50262	172.105.120.101	192.168.2.14
Nov 20, 2024 01:15:16.241746902 CET	50262	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:15:16.242945910 CET	50262	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:15:16.247911930 CET	38241	50262	172.105.120.101	192.168.2.14
Nov 20, 2024 01:15:16.248328924 CET	50262	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:15:16.253353119 CET	38241	50262	172.105.120.101	192.168.2.14
Nov 20, 2024 01:15:18.330744982 CET	38241	50262	172.105.120.101	192.168.2.14
Nov 20, 2024 01:15:18.331300020 CET	50262	38241	192.168.2.14	172.105.120.101
Nov 20, 2024 01:15:18.336673021 CET	38241	50262	172.105.120.101	192.168.2.14
Nov 20, 2024 01:15:19.367737055 CET	58538	38241	192.168.2.14	45.156.86.26
Nov 20, 2024 01:15:19.372816086 CET	38241	58538	45.156.86.26	192.168.2.14
Nov 20, 2024 01:15:19.372905016 CET	58538	38241	192.168.2.14	45.156.86.26
Nov 20, 2024 01:15:19.375396013 CET	58538	38241	192.168.2.14	45.156.86.26
Nov 20, 2024 01:15:19.380338907 CET	38241	58538	45.156.86.26	192.168.2.14
Nov 20, 2024 01:15:19.380429029 CET	58538	38241	192.168.2.14	45.156.86.26
Nov 20, 2024 01:15:19.385410070 CET	38241	58538	45.156.86.26	192.168.2.14
Nov 20, 2024 01:15:29.385632038 CET	58538	38241	192.168.2.14	45.156.86.26
Nov 20, 2024 01:15:29.390774012 CET	38241	58538	45.156.86.26	192.168.2.14
Nov 20, 2024 01:15:29.563371897 CET	38241	58538	45.156.86.26	192.168.2.14
Nov 20, 2024 01:15:29.563710928 CET	58538	38241	192.168.2.14	45.156.86.26
Nov 20, 2024 01:15:29.568691015 CET	38241	58538	45.156.86.26	192.168.2.14
Nov 20, 2024 01:15:35.577541113 CET	58540	38241	192.168.2.14	45.156.86.26
Nov 20, 2024 01:15:35.582709074 CET	38241	58540	45.156.86.26	192.168.2.14
Nov 20, 2024 01:15:35.582804918 CET	58540	38241	192.168.2.14	45.156.86.26
Nov 20, 2024 01:15:35.584959984 CET	58540	38241	192.168.2.14	45.156.86.26
Nov 20, 2024 01:15:35.589905977 CET	38241	58540	45.156.86.26	192.168.2.14
Nov 20, 2024 01:15:35.590061903 CET	58540	38241	192.168.2.14	45.156.86.26
Nov 20, 2024 01:15:35.595025063 CET	38241	58540	45.156.86.26	192.168.2.14
Nov 20, 2024 01:15:46.099239111 CET	38241	58540	45.156.86.26	192.168.2.14
Nov 20, 2024 01:15:46.099735975 CET	58540	38241	192.168.2.14	45.156.86.26
Nov 20, 2024 01:15:46.104626894 CET	38241	58540	45.156.86.26	192.168.2.14
Nov 20, 2024 01:15:52.112855911 CET	58542	38241	192.168.2.14	45.156.86.26
Nov 20, 2024 01:15:52.119504929 CET	38241	58542	45.156.86.26	192.168.2.14
Nov 20, 2024 01:15:52.119575024 CET	58542	38241	192.168.2.14	45.156.86.26
Nov 20, 2024 01:15:52.121834993 CET	58542	38241	192.168.2.14	45.156.86.26
Nov 20, 2024 01:15:52.128372908 CET	38241	58542	45.156.86.26	192.168.2.14
Nov 20, 2024 01:15:52.128591061 CET	58542	38241	192.168.2.14	45.156.86.26
Nov 20, 2024 01:15:52.135046005 CET	38241	58542	45.156.86.26	192.168.2.14
Nov 20, 2024 01:16:02.638577938 CET	38241	58542	45.156.86.26	192.168.2.14
Nov 20, 2024 01:16:02.639183044 CET	58542	38241	192.168.2.14	45.156.86.26
Nov 20, 2024 01:16:02.644268036 CET	38241	58542	45.156.86.26	192.168.2.14
Nov 20, 2024 01:16:03.662923098 CET	58544	38241	192.168.2.14	45.156.86.26
Nov 20, 2024 01:16:03.668020010 CET	38241	58544	45.156.86.26	192.168.2.14
Nov 20, 2024 01:16:03.668082952 CET	58544	38241	192.168.2.14	45.156.86.26
Nov 20, 2024 01:16:03.669743061 CET	58544	38241	192.168.2.14	45.156.86.26
Nov 20, 2024 01:16:03.674833059 CET	38241	58544	45.156.86.26	192.168.2.14
Nov 20, 2024 01:16:03.675059080 CET	58544	38241	192.168.2.14	45.156.86.26
Nov 20, 2024 01:16:03.680233955 CET	38241	58544	45.156.86.26	192.168.2.14

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2024 01:13:59.577832937 CET	39366	53	192.168.2.14	217.160.70.42
Nov 20, 2024 01:13:59.604968071 CET	53	39366	217.160.70.42	192.168.2.14
Nov 20, 2024 01:14:02.670629978 CET	50785	53	192.168.2.14	81.169.136.222
Nov 20, 2024 01:14:02.698076010 CET	53	50785	81.169.136.222	192.168.2.14
Nov 20, 2024 01:14:05.763844013 CET	49333	53	192.168.2.14	185.232.68.212
Nov 20, 2024 01:14:05.774138927 CET	53	49333	185.232.68.212	192.168.2.14
Nov 20, 2024 01:14:08.881354094 CET	47696	53	192.168.2.14	64.176.6.48
Nov 20, 2024 01:14:16.974533081 CET	37113	53	192.168.2.14	95.216.99.249
Nov 20, 2024 01:14:25.061404943 CET	39957	53	192.168.2.14	194.36.144.87
Nov 20, 2024 01:14:25.071852922 CET	53	39957	194.36.144.87	192.168.2.14
Nov 20, 2024 01:14:28.178997040 CET	53552	53	192.168.2.14	194.36.144.87
Nov 20, 2024 01:14:28.189188957 CET	53	53552	194.36.144.87	192.168.2.14
Nov 20, 2024 01:14:31.248873949 CET	56466	53	192.168.2.14	95.216.99.249
Nov 20, 2024 01:14:39.330327034 CET	50600	53	192.168.2.14	152.53.15.127
Nov 20, 2024 01:14:39.340856075 CET	53	50600	152.53.15.127	192.168.2.14
Nov 20, 2024 01:14:42.466557980 CET	50765	53	192.168.2.14	152.53.15.127
Nov 20, 2024 01:14:42.477310896 CET	53	50765	152.53.15.127	192.168.2.14
Nov 20, 2024 01:14:45.590759993 CET	57660	53	192.168.2.14	152.53.15.127
Nov 20, 2024 01:14:45.601044893 CET	53	57660	152.53.15.127	192.168.2.14
Nov 20, 2024 01:14:48.712214947 CET	45581	53	192.168.2.14	168.235.111.72
Nov 20, 2024 01:14:48.799643993 CET	53	45581	168.235.111.72	192.168.2.14
Nov 20, 2024 01:14:51.899801016 CET	55107	53	192.168.2.14	51.254.162.59
Nov 20, 2024 01:15:00.026268005 CET	39905	53	192.168.2.14	5.161.109.23
Nov 20, 2024 01:15:08.097243071 CET	52182	53	192.168.2.14	81.169.136.222
Nov 20, 2024 01:15:08.124202967 CET	53	52182	81.169.136.222	192.168.2.14
Nov 20, 2024 01:15:11.230467081 CET	33711	53	192.168.2.14	95.216.99.249
Nov 20, 2024 01:15:19.337899923 CET	60908	53	192.168.2.14	81.169.136.222
Nov 20, 2024 01:15:19.365294933 CET	53	60908	81.169.136.222	192.168.2.14
Nov 20, 2024 01:15:30.570033073 CET	35646	53	192.168.2.14	137.220.55.93
Nov 20, 2024 01:15:47.105031013 CET	41791	53	192.168.2.14	95.216.99.249
Nov 20, 2024 01:16:03.645776987 CET	47565	53	192.168.2.14	51.158.108.203
Nov 20, 2024 01:16:03.661604881 CET	53	47565	51.158.108.203	192.168.2.14

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 20, 2024 01:13:59.577832937 CET	192.168.2.14	217.160.70.42	0x3a6c	Standard query (0)	hiakamai.dyn	A (IP address)	IN (0x0001)	false
Nov 20, 2024 01:14:02.670629978 CET	192.168.2.14	81.169.136.222	0xf174	Standard query (0)	w3d0ntlikebot5.parody	A (IP address)	IN (0x0001)	false
Nov 20, 2024 01:14:05.763844013 CET	192.168.2.14	185.232.68.212	0x2d29	Standard query (0)	hiakamai.dyn. [malformed]	256	461	false
Nov 20, 2024 01:14:08.881354094 CET	192.168.2.14	64.176.6.48	0x25b3	Standard query (0)	freethewind.parody. [malformed]	256	469	false
Nov 20, 2024 01:14:16.974533081 CET	192.168.2.14	95.216.99.249	0xb805	Standard query (0)	infectedslurs.geek. [malformed]	256	477	false
Nov 20, 2024 01:14:25.061404943 CET	192.168.2.14	194.36.144.87	0x90ff	Standard query (0)	freethewind.parody. [malformed]	256	481	false
Nov 20, 2024 01:14:28.178997040 CET	192.168.2.14	194.36.144.87	0xea78	Standard query (0)	w3d0ntlikebot5.parody. [malformed]	256	484	false
Nov 20, 2024 01:14:31.248873949 CET	192.168.2.14	95.216.99.249	0x8491	Standard query (0)	chinklabs.dyn. [malformed]	256	492	false
Nov 20, 2024 01:14:39.330327034 CET	192.168.2.14	152.53.15.127	0x1f5a	Standard query (0)	w3d0ntlikebot5.parody. [malformed]	256	495	false
Nov 20, 2024 01:14:42.466557980 CET	192.168.2.14	152.53.15.127	0x1469	Standard query (0)	hiakamai.dyn. [malformed]	256	498	false
Nov 20, 2024 01:14:45.590759993 CET	192.168.2.14	152.53.15.127	0x7b0d	Standard query (0)	yellowchink.pirate. [malformed]	256	501	false
Nov 20, 2024 01:14:48.712214947 CET	192.168.2.14	168.235.111.72	0xa833	Standard query (0)	burnthe.libre. [malformed]	256	504	false
Nov 20, 2024 01:14:51.899801016 CET	192.168.2.14	51.254.162.59	0x5640	Standard query (0)	infectedslurs.geek. [malformed]	256	256	false
Nov 20, 2024 01:15:00.026268005 CET	192.168.2.14	5.161.109.23	0xd6bc	Standard query (0)	netfags.geek. [malformed]	256	265	false
Nov 20, 2024 01:15:08.097243071 CET	192.168.2.14	81.169.136.222	0xa71e	Standard query (0)	netfags.geek. [malformed]	256	268	false
Nov 20, 2024 01:15:11.230467081 CET	192.168.2.14	95.216.99.249	0xef35	Standard query (0)	yellowchink.pirate. [malformed]	256	276	false
Nov 20, 2024 01:15:19.337899923 CET	192.168.2.14	81.169.136.222	0x666e	Standard query (0)	infectedchink.pirate	A (IP address)	IN (0x0001)	false
Nov 20, 2024 01:15:30.570033073 CET	192.168.2.14	137.220.55.93	0x4083	Standard query (0)	hiakamai.dyn. [malformed]	256	295	false
Nov 20, 2024 01:15:47.105031013 CET	192.168.2.14	95.216.99.249	0xe489	Standard query (0)	hiakamai.dyn. [malformed]	256	312	false
Nov 20, 2024 01:16:03.645776987 CET	192.168.2.14	51.158.108.203	0x4ff9	Standard query (0)	freethewind.parody. [malformed]	256	323	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 20, 2024 01:13:59.604968071 CET	217.160.70.42	192.168.2.14	0x3a6c	No error (0)	hiakamai.dyn		45.79.236.13	A (IP address)	IN (0x0001)	false
Nov 20, 2024 01:13:59.604968071 CET	217.160.70.42	192.168.2.14	0x3a6c	No error (0)	hiakamai.dyn		172.236.11.132	A (IP address)	IN (0x0001)	false
Nov 20, 2024 01:13:59.604968071 CET	217.160.70.42	192.168.2.14	0x3a6c	No error (0)	hiakamai.dyn		172.105.109.175	A (IP address)	IN (0x0001)	false
Nov 20, 2024 01:13:59.604968071 CET	217.160.70.42	192.168.2.14	0x3a6c	No error (0)	hiakamai.dyn		104.237.135.249	A (IP address)	IN (0x0001)	false
Nov 20, 2024 01:13:59.604968071 CET	217.160.70.42	192.168.2.14	0x3a6c	No error (0)	hiakamai.dyn		172.105.120.101	A (IP address)	IN (0x0001)	false
Nov 20, 2024 01:13:59.604968071 CET	217.160.70.42	192.168.2.14	0x3a6c	No error (0)	hiakamai.dyn		172.104.165.127	A (IP address)	IN (0x0001)	false
Nov 20, 2024 01:13:59.604968071 CET	217.160.70.42	192.168.2.14	0x3a6c	No error (0)	hiakamai.dyn		172.233.66.46	A (IP address)	IN (0x0001)	false
Nov 20, 2024 01:13:59.604968071 CET	217.160.70.42	192.168.2.14	0x3a6c	No error (0)	hiakamai.dyn		170.187.181.188	A (IP address)	IN (0x0001)	false
Nov 20, 2024 01:13:59.604968071 CET	217.160.70.42	192.168.2.14	0x3a6c	No error (0)	hiakamai.dyn		74.207.230.91	A (IP address)	IN (0x0001)	false
Nov 20, 2024 01:13:59.604968071 CET	217.160.70.42	192.168.2.14	0x3a6c	No error (0)	hiakamai.dyn		104.237.135.234	A (IP address)	IN (0x0001)	false
Nov 20, 2024 01:13:59.604968071 CET	217.160.70.42	192.168.2.14	0x3a6c	No error (0)	hiakamai.dyn		172.234.20.31	A (IP address)	IN (0x0001)	false
Nov 20, 2024 01:13:59.604968071 CET	217.160.70.42	192.168.2.14	0x3a6c	No error (0)	hiakamai.dyn		172.232.34.247	A (IP address)	IN (0x0001)	false
Nov 20, 2024 01:13:59.604968071 CET	217.160.70.42	192.168.2.14	0x3a6c	No error (0)	hiakamai.dyn		172.236.28.137	A (IP address)	IN (0x0001)	false
Nov 20, 2024 01:13:59.604968071 CET	217.160.70.42	192.168.2.14	0x3a6c	No error (0)	hiakamai.dyn		172.236.61.194	A (IP address)	IN (0x0001)	false
Nov 20, 2024 01:13:59.604968071 CET	217.160.70.42	192.168.2.14	0x3a6c	No error (0)	hiakamai.dyn		192.46.236.113	A (IP address)	IN (0x0001)	false
Nov 20, 2024 01:14:02.698076010 CET	81.169.136.222	192.168.2.14	0xf174	No error (0)	w3d0ntlikebot5.parody		170.187.181.188	A (IP address)	IN (0x0001)	false
Nov 20, 2024 01:14:02.698076010 CET	81.169.136.222	192.168.2.14	0xf174	No error (0)	w3d0ntlikebot5.parody		45.79.236.13	A (IP address)	IN (0x0001)	false
Nov 20, 2024 01:14:02.698076010 CET	81.169.136.222	192.168.2.14	0xf174	No error (0)	w3d0ntlikebot5.parody		172.233.66.46	A (IP address)	IN (0x0001)	false
Nov 20, 2024 01:14:02.698076010 CET	81.169.136.222	192.168.2.14	0xf174	No error (0)	w3d0ntlikebot5.parody		172.234.20.31	A (IP address)	IN (0x0001)	false
Nov 20, 2024 01:14:02.698076010 CET	81.169.136.222	192.168.2.14	0xf174	No error (0)	w3d0ntlikebot5.parody		192.46.236.113	A (IP address)	IN (0x0001)	false
Nov 20, 2024 01:14:02.698076010 CET	81.169.136.222	192.168.2.14	0xf174	No error (0)	w3d0ntlikebot5.parody		74.207.230.91	A (IP address)	IN (0x0001)	false
Nov 20, 2024 01:14:02.698076010 CET	81.169.136.222	192.168.2.14	0xf174	No error (0)	w3d0ntlikebot5.parody		104.237.135.249	A (IP address)	IN (0x0001)	false
Nov 20, 2024 01:14:02.698076010 CET	81.169.136.222	192.168.2.14	0xf174	No error (0)	w3d0ntlikebot5.parody		172.104.165.127	A (IP address)	IN (0x0001)	false
Nov 20, 2024 01:14:02.698076010 CET	81.169.136.222	192.168.2.14	0xf174	No error (0)	w3d0ntlikebot5.parody		172.236.11.132	A (IP address)	IN (0x0001)	false
Nov 20, 2024 01:14:02.698076010 CET	81.169.136.222	192.168.2.14	0xf174	No error (0)	w3d0ntlikebot5.parody		172.105.109.175	A (IP address)	IN (0x0001)	false
Nov 20, 2024 01:14:02.698076010 CET	81.169.136.222	192.168.2.14	0xf174	No error (0)	w3d0ntlikebot5.parody		172.105.120.101	A (IP address)	IN (0x0001)	false
Nov 20, 2024 01:14:02.698076010 CET	81.169.136.222	192.168.2.14	0xf174	No error (0)	w3d0ntlikebot5.parody		104.237.135.234	A (IP address)	IN (0x0001)	false
Nov 20, 2024 01:14:02.698076010 CET	81.169.136.222	192.168.2.14	0xf174	No error (0)	w3d0ntlikebot5.parody		172.236.61.194	A (IP address)	IN (0x0001)	false
Nov 20, 2024 01:14:02.698076010 CET	81.169.136.222	192.168.2.14	0xf174	No error (0)	w3d0ntlikebot5.parody		172.232.34.247	A (IP address)	IN (0x0001)	false
Nov 20, 2024 01:14:02.698076010 CET	81.169.136.222	192.168.2.14	0xf174	No error (0)	w3d0ntlikebot5.parody		172.236.28.137	A (IP address)	IN (0x0001)	false
Nov 20, 2024 01:14:25.071852922 CET	194.36.144.87	192.168.2.14	0x90ff	Format error (1)	freethewind.parody. [malformed]	none	none	256	481	false
Nov 20, 2024 01:14:28.189188957 CET	194.36.144.87	192.168.2.14	0xea78	Format error (1)	w3d0ntlikebot5.parody. [malformed]	none	none	256	484	false
Nov 20, 2024 01:14:39.340856075 CET	152.53.15.127	192.168.2.14	0x1f5a	Format error (1)	w3d0ntlikebot5.parody. [malformed]	none	none	256	495	false
Nov 20, 2024 01:14:42.477310896 CET	152.53.15.127	192.168.2.14	0x1469	Format error (1)	hiakamai.dyn. [malformed]	none	none	256	498	false
Nov 20, 2024 01:14:45.601044893 CET	152.53.15.127	192.168.2.14	0x7b0d	Format error (1)	yellowchink.pirate. [malformed]	none	none	256	501	false
Nov 20, 2024 01:15:19.365294933 CET	81.169.136.222	192.168.2.14	0x666e	No error (0)	infectedchink.pirate		45.156.86.24	A (IP address)	IN (0x0001)	false
Nov 20, 2024 01:15:19.365294933 CET	81.169.136.222	192.168.2.14	0x666e	No error (0)	infectedchink.pirate		45.156.86.26	A (IP address)	IN (0x0001)	false
Nov 20, 2024 01:16:03.661604881 CET	51.158.108.203	192.168.2.14	0x4ff9	Format error (1)	freethewind.parody. [malformed]	none	none	256	323	false

System Behavior

Analysis Process: boatnet.ppc.elf PID: 5637, Parent PID: 5554

General

Start time (UTC):	00:13:58
Start date (UTC):	20/11/2024
Path:	/tmp/boatnet.ppc.elf
Arguments:	/tmp/boatnet.ppc.elf
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Chronological Activities

Analysis Process: boatnet.ppc.elf PID: 5639, Parent PID: 5637

General

Start time (UTC):	00:13:58
Start date (UTC):	20/11/2024
Path:	/tmp/boatnet.ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Chronological Activities

Analysis Process: boatnet.ppc.elf PID: 5641, Parent PID: 5639

General

Start time (UTC):	00:13:58
Start date (UTC):	20/11/2024
Path:	/tmp/boatnet.ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report boatnet.ppc.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: boatnet.ppc.elf PID: 5637, Parent PID: 5554

General

Chronological Activities

Analysis Process: boatnet.ppc.elf PID: 5639, Parent PID: 5637

General

Chronological Activities

Analysis Process: boatnet.ppc.elf PID: 5641, Parent PID: 5639

General

Chronological Activities

Linux Analysis Report
boatnet.ppc.elf