Edit tour

Linux Analysis Report
hmips.elf

Overview

General Information

Sample name:	hmips.elf
Analysis ID:	1564142
MD5:	28fc9f0cd24699ce680863863ec8469c
SHA1:	85abd61de6549ff139f1e612ad1c666ccac16717
SHA256:	579dcaaa155d451be140a6faaa49a81325dde94d34d039697ae2fe305954def2
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Connects to many ports of the same IP (likely port scanning)

Sample reads /proc/mounts (often used for finding a writable filesystem)

Sends malformed DNS queries

Detected TCP or UDP traffic on non-standard ports

Sample has stripped symbol table

Sample listens on a socket

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1564142
Start date and time:	2024-11-27 22:02:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	hmips.elf
Detection:	MAL
Classification:	mal60.troj.linELF@0/0@30/0

Warnings

VT rate limit hit for: hmips.elf

Runtime Messages

Command:	/tmp/hmips.elf
PID:	5436
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	I just wanna look after my cats, man.
Standard Error:

Process Tree

system is lnxubuntu20

hmips.elf (PID: 5436, Parent: 5361, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/hmips.elf

hmips.elf New Fork (PID: 5483, Parent: 5436)

hmips.elf New Fork (PID: 5526, Parent: 5483)

hmips.elf New Fork (PID: 5485, Parent: 5436)

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: hmips.elf

ReversingLabs: Detection: 13%

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 194.87.198.191 ports 8273,2,3,7,8,16306
Source: global traffic	TCP traffic: 195.133.53.106 ports 18278,24325,1,2,7,8

Sends malformed DNS queries

Source: global traffic	DNS traffic detected: malformed DNS query: catvision.dyn. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: shitrocket.dyn. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: catlovingfools.geek. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: hikvision.geek. [malformed]

Source: global traffic	TCP traffic: 192.168.2.13:34236 -> 38.114.100.142:18278
Source: global traffic	TCP traffic: 192.168.2.13:51428 -> 195.133.53.106:18278
Source: global traffic	TCP traffic: 192.168.2.13:55542 -> 128.254.146.232:12105
Source: global traffic	TCP traffic: 192.168.2.13:51770 -> 5.39.254.71:21421
Source: global traffic	TCP traffic: 192.168.2.13:37658 -> 103.136.150.114:21206
Source: global traffic	TCP traffic: 192.168.2.13:57534 -> 45.140.168.235:21206
Source: global traffic	TCP traffic: 192.168.2.13:45648 -> 185.22.155.213:3113
Source: global traffic	TCP traffic: 192.168.2.13:56080 -> 86.107.100.88:6727
Source: global traffic	TCP traffic: 192.168.2.13:49818 -> 166.88.130.30:6727
Source: global traffic	TCP traffic: 192.168.2.13:56200 -> 194.87.198.191:8273
Source: global traffic	TCP traffic: 192.168.2.13:48098 -> 194.58.66.244:19391
Source: global traffic	TCP traffic: 192.168.2.13:34800 -> 45.147.200.148:5163

Source: /tmp/hmips.elf (PID: 5436)

Socket: 127.0.0.1:1172

Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 38.114.100.142
Source: unknown	TCP traffic detected without corresponding DNS query: 38.114.100.142
Source: unknown	TCP traffic detected without corresponding DNS query: 38.114.100.142
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.53.106
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.53.106
Source: unknown	TCP traffic detected without corresponding DNS query: 38.114.100.142
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.53.106
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.53.106
Source: unknown	TCP traffic detected without corresponding DNS query: 38.114.100.142
Source: unknown	TCP traffic detected without corresponding DNS query: 38.114.100.142
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.53.106
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.53.106
Source: unknown	TCP traffic detected without corresponding DNS query: 128.254.146.232
Source: unknown	TCP traffic detected without corresponding DNS query: 128.254.146.232
Source: unknown	TCP traffic detected without corresponding DNS query: 128.254.146.232
Source: unknown	TCP traffic detected without corresponding DNS query: 128.254.146.232
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 128.254.146.232
Source: unknown	TCP traffic detected without corresponding DNS query: 128.254.146.232
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.150.114
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.150.114
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.150.114
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.150.114
Source: unknown	TCP traffic detected without corresponding DNS query: 45.140.168.235
Source: unknown	TCP traffic detected without corresponding DNS query: 45.140.168.235
Source: unknown	TCP traffic detected without corresponding DNS query: 45.140.168.235
Source: unknown	TCP traffic detected without corresponding DNS query: 45.140.168.235
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.150.114
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.150.114
Source: unknown	TCP traffic detected without corresponding DNS query: 45.140.168.235
Source: unknown	TCP traffic detected without corresponding DNS query: 45.140.168.235
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.53.106
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.53.106
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.53.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.22.155.213
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.53.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.22.155.213
Source: unknown	TCP traffic detected without corresponding DNS query: 185.22.155.213
Source: unknown	TCP traffic detected without corresponding DNS query: 185.22.155.213
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.53.106
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.53.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.22.155.213
Source: unknown	TCP traffic detected without corresponding DNS query: 185.22.155.213
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.100.88
Source: unknown	TCP traffic detected without corresponding DNS query: 166.88.130.30

Source: global traffic	DNS traffic detected: DNS query: hikvision.geek
Source: global traffic	DNS traffic detected: DNS query: shitrocket.dyn
Source: global traffic	DNS traffic detected: DNS query: catvision.dyn. [malformed]
Source: global traffic	DNS traffic detected: DNS query: catlovingfools.geek
Source: global traffic	DNS traffic detected: DNS query: shitrocket.dyn. [malformed]
Source: global traffic	DNS traffic detected: DNS query: catlovingfools.geek. [malformed]
Source: global traffic	DNS traffic detected: DNS query: hikvision.geek. [malformed]

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal60.troj.linELF@0/0@30/0

Persistence and Installation Behavior

Sample reads /proc/mounts (often used for finding a writable filesystem)

Source: /tmp/hmips.elf (PID: 5436)

File: /proc/5436/mounts

Jump to behavior

Source: /tmp/hmips.elf (PID: 5436)

Queries kernel information via 'uname':

Jump to behavior

Source: hmips.elf, 5436.1.00005641c1e94000.00005641c1f3c000.rw-.sdmp, hmips.elf, 5483.1.00005641c1e94000.00005641c1f3c000.rw-.sdmp	Binary or memory string: AV!/etc/qemu-binfmt/mips
Source: hmips.elf, 5436.1.00005641c1e94000.00005641c1f3c000.rw-.sdmp, hmips.elf, 5483.1.00005641c1e94000.00005641c1f3c000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt
Source: hmips.elf, 5436.1.00005641c1e94000.00005641c1f3c000.rw-.sdmp, hmips.elf, 5483.1.00005641c1e94000.00005641c1f3c000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mips
Source: hmips.elf, 5483.1.00005641c1e94000.00005641c1f3c000.rw-.sdmp	Binary or memory string: /usr/bin/vmtoolsd
Source: hmips.elf, 5436.1.00007ffc38064000.00007ffc38085000.rw-.sdmp, hmips.elf, 5483.1.00007ffc38064000.00007ffc38085000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips
Source: hmips.elf, 5436.1.00007ffc38064000.00007ffc38085000.rw-.sdmp, hmips.elf, 5483.1.00007ffc38064000.00007ffc38085000.rw-.sdmp	Binary or memory string: fx86_64/usr/bin/qemu-mips/tmp/hmips.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/hmips.elf
Source: hmips.elf, 5436.1.00005641c1e94000.00005641c1f3c000.rw-.sdmp, hmips.elf, 5483.1.00005641c1e94000.00005641c1f3c000.rw-.sdmp	Binary or memory string: /mips/usr/libexec/gvfsd-trash/etc/qemu-binfmt
Source: hmips.elf, 5483.1.00005641c1e94000.00005641c1f3c000.rw-.sdmp	Binary or memory string: AV0!/usr/bin/vmtoolsd

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
hmips.elf	13%	ReversingLabs	Linux.Backdoor.Mirai

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
catlovingfools.geek. [malformed]	unknown	unknown	true	unknown
shitrocket.dyn	unknown	unknown	true	unknown
catlovingfools.geek	unknown	unknown	true	unknown
shitrocket.dyn. [malformed]	unknown	unknown	true	unknown
hikvision.geek. [malformed]	unknown	unknown	true	unknown
catvision.dyn. [malformed]	unknown	unknown	true	unknown
hikvision.geek	unknown	unknown	true	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
5.39.254.71	unknown	United Kingdom	30938	ABSTATIONwwwabstationnetGB	false
185.22.155.213	unknown	Russian Federation	51659	ASBAXETRU	false
194.58.66.244	unknown	Russian Federation	2118	RELCOM-ASRelcomGroup19022019RU	false
38.114.100.142	unknown	United States	22926	AS-WISPERUS	false
86.107.100.88	unknown	Romania	38995	AMG-ASRO	false
166.88.130.30	unknown	United States	18779	EGIHOSTINGUS	false
194.87.198.191	unknown	Russian Federation	49352	LOGOL-ASRU	true
195.133.53.106	unknown	Russian Federation	21453	FLEX-ASRU	true
103.136.150.114	unknown	Hong Kong	46261	QUICKPACKETUS	false
45.147.200.148	unknown	Russian Federation	51659	ASBAXETRU	false
45.140.168.235	unknown	Russian Federation	51659	ASBAXETRU	false
128.254.146.232	unknown	United States	2552	WUSTL-ASNUS	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
5.39.254.71	hmips.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	harm5.elf	Get hash	malicious	Unknown	Browse
	ppc.elf	Get hash	malicious	Unknown	Browse
194.58.66.244	arm7.elf	Get hash	malicious	Unknown	Browse
	x86.elf	Get hash	malicious	Unknown	Browse
	ppc.elf	Get hash	malicious	Unknown	Browse
	hmips.elf	Get hash	malicious	Unknown	Browse
38.114.100.142	ppc.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	harm5.elf	Get hash	malicious	Unknown	Browse
195.133.53.106	ppc.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	ppc.elf	Get hash	malicious	Unknown	Browse
103.136.150.114	hmips.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	x86.elf	Get hash	malicious	Unknown	Browse
	hmips.elf	Get hash	malicious	Unknown	Browse
45.147.200.148	ppc.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	ppc.elf	Get hash	malicious	Unknown	Browse
	hmips.elf	Get hash	malicious	Unknown	Browse
45.140.168.235	mips.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	ppc.elf	Get hash	malicious	Unknown	Browse
	hmips.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ABSTATIONwwwabstationnetGB	hmips.elf	Get hash	malicious	Unknown	Browse	5.39.254.71
	mips.elf	Get hash	malicious	Unknown	Browse	5.39.254.71
	arm7.elf	Get hash	malicious	Unknown	Browse	5.39.254.71
	https://blacksaltys.com	Get hash	malicious	Unknown	Browse	5.144.179.245
	https://packedbrick.com	Get hash	malicious	Unknown	Browse	5.144.179.245
	harm5.elf	Get hash	malicious	Unknown	Browse	5.39.254.71
	ppc.elf	Get hash	malicious	Unknown	Browse	5.39.254.71
	SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf	Get hash	malicious	Mirai	Browse	103.101.86.128
	SecuriteInfo.com.Trojan.Inject5.6732.13710.8794.exe	Get hash	malicious	Cryptbot, Neoreklami	Browse	31.192.244.36
	yLfAxBEcuo.exe	Get hash	malicious	Cryptbot, Vidar, Xmrig	Browse	31.192.244.36
ASBAXETRU	ARRIVAL NOTICE.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	176.32.38.130
	ppc.elf	Get hash	malicious	Unknown	Browse	176.32.39.112
	mips.elf	Get hash	malicious	Unknown	Browse	45.140.168.235
	arm7.elf	Get hash	malicious	Unknown	Browse	45.140.168.235
	x86.elf	Get hash	malicious	Unknown	Browse	176.32.39.112
	arm5.elf	Get hash	malicious	Unknown	Browse	45.140.169.21
	Delivery_Notification_00000207899.doc.js	Get hash	malicious	Unknown	Browse	185.22.155.63
	Quotation request -30112024_pdf.exe	Get hash	malicious	FormBook	Browse	176.32.38.130
	ppc.elf	Get hash	malicious	Unknown	Browse	45.140.168.235
	hmips.elf	Get hash	malicious	Unknown	Browse	176.32.39.112
RELCOM-ASRelcomGroup19022019RU	arm7.elf	Get hash	malicious	Unknown	Browse	194.87.30.79
	x86.elf	Get hash	malicious	Unknown	Browse	194.58.66.244
	ppc.elf	Get hash	malicious	Unknown	Browse	194.87.30.79
	hmips.elf	Get hash	malicious	Unknown	Browse	194.87.30.79
	Supply Contract 12 Additional Agreement to 76_24_.exe	Get hash	malicious	GuLoader, Remcos	Browse	194.58.83.68
	lchs.exe	Get hash	malicious	Quasar	Browse	193.124.33.141
	jKira.arm	Get hash	malicious	Mirai	Browse	195.133.54.44
AS-WISPERUS	ppc.elf	Get hash	malicious	Unknown	Browse	38.114.100.142
	mips.elf	Get hash	malicious	Unknown	Browse	38.114.100.142
	harm5.elf	Get hash	malicious	Unknown	Browse	38.114.100.142
	sora.mips.elf	Get hash	malicious	Mirai	Browse	66.232.175.178
	byte.arm.elf	Get hash	malicious	Mirai, Okiru	Browse	66.232.181.219
	m68k.elf	Get hash	malicious	Mirai	Browse	38.114.84.241
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	38.114.66.203
	RiI7W2cj7p.elf	Get hash	malicious	Unknown	Browse	66.232.175.171
	f6RyWmGZLw.elf	Get hash	malicious	Unknown	Browse	38.114.84.222
	7bPP8gHfVN.elf	Get hash	malicious	Mirai	Browse	72.14.15.95

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.3121543335031065
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	hmips.elf
File size:	72'664 bytes
MD5:	28fc9f0cd24699ce680863863ec8469c
SHA1:	85abd61de6549ff139f1e612ad1c666ccac16717
SHA256:	579dcaaa155d451be140a6faaa49a81325dde94d34d039697ae2fe305954def2
SHA512:	9a00cb9191ffe60a6ad300dc48713144a4d32fd06aee93b2548c8d99c358e0e4b1977374d84c336f35691b496a875e15fb7185b6c1208cfa78bfca1e78bea0cb
SSDEEP:	1536:F2lwI9ulrulhT/lh6mQUjnnLs3ultIgeRRwMwoU3:F2lhAILs3uPI/woU3
TLSH:	5663B74E6E328FEDF66C833047B74A31A75963D523E1D685E2ACD1101F7028E585FBA8
File Content Preview:	.ELF.....................@.`...4.........4. ...(.............@...@...........................E...E.....x..Z8........dt.Q............................<...'..\...!'.......................<...'..8...!... ....'9... ......................<...'......!........'9.

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x400260
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	72144
Section Header Size:	40
Number of Section Headers:	13
Header String Table Index:	12

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x8c	0x0	0x6	AX	4
.text	PROGBITS	0x400120	0x120	0xef40	0x0	0x6	AX	16
.fini	PROGBITS	0x40f060	0xf060	0x5c	0x0	0x6	AX	4
.rodata	PROGBITS	0x40f0c0	0xf0c0	0x16f0	0x0	0x2	A	16
.ctors	PROGBITS	0x451000	0x11000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x451008	0x11008	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x451020	0x11020	0x3d8	0x0	0x3	WA	16
.got	PROGBITS	0x451400	0x11400	0x578	0x4	0x10000003	WAp	16
.sbss	NOBITS	0x451978	0x11978	0x1c	0x0	0x10000003	WAp	4
.bss	NOBITS	0x4519a0	0x11978	0x5098	0x0	0x3	WA	16
.mdebug.abi32	PROGBITS	0xc06	0x11978	0x0	0x0	0x0		1
.shstrtab	STRTAB	0x0	0x11978	0x57	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x107b0	0x107b0	5.4628	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x11000	0x451000	0x451000	0x978	0x5a38	3.7256	0x6	RW	0x10000	.ctors .dtors .data .got .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 27, 2024 22:02:56.763890028 CET	34236	18278	192.168.2.13	38.114.100.142
Nov 27, 2024 22:02:56.890706062 CET	18278	34236	38.114.100.142	192.168.2.13
Nov 27, 2024 22:02:56.891047001 CET	34236	18278	192.168.2.13	38.114.100.142
Nov 27, 2024 22:02:56.891144991 CET	34236	18278	192.168.2.13	38.114.100.142
Nov 27, 2024 22:02:56.891489029 CET	51428	18278	192.168.2.13	195.133.53.106
Nov 27, 2024 22:02:57.084712029 CET	18278	34236	38.114.100.142	192.168.2.13
Nov 27, 2024 22:02:57.084718943 CET	18278	51428	195.133.53.106	192.168.2.13
Nov 27, 2024 22:02:57.084878922 CET	51428	18278	192.168.2.13	195.133.53.106
Nov 27, 2024 22:02:57.084935904 CET	34236	18278	192.168.2.13	38.114.100.142
Nov 27, 2024 22:02:57.085041046 CET	51428	18278	192.168.2.13	195.133.53.106
Nov 27, 2024 22:02:57.204895973 CET	18278	34236	38.114.100.142	192.168.2.13
Nov 27, 2024 22:02:57.204920053 CET	18278	51428	195.133.53.106	192.168.2.13
Nov 27, 2024 22:02:57.205200911 CET	51428	18278	192.168.2.13	195.133.53.106
Nov 27, 2024 22:02:57.325159073 CET	18278	51428	195.133.53.106	192.168.2.13
Nov 27, 2024 22:02:58.205686092 CET	18278	34236	38.114.100.142	192.168.2.13
Nov 27, 2024 22:02:58.205881119 CET	34236	18278	192.168.2.13	38.114.100.142
Nov 27, 2024 22:02:58.206408978 CET	34236	18278	192.168.2.13	38.114.100.142
Nov 27, 2024 22:02:58.870559931 CET	18278	51428	195.133.53.106	192.168.2.13
Nov 27, 2024 22:02:58.870784998 CET	51428	18278	192.168.2.13	195.133.53.106
Nov 27, 2024 22:02:58.870945930 CET	51428	18278	192.168.2.13	195.133.53.106
Nov 27, 2024 22:03:03.784405947 CET	55542	12105	192.168.2.13	128.254.146.232
Nov 27, 2024 22:03:03.904485941 CET	12105	55542	128.254.146.232	192.168.2.13
Nov 27, 2024 22:03:03.904571056 CET	55542	12105	192.168.2.13	128.254.146.232
Nov 27, 2024 22:03:03.904614925 CET	55542	12105	192.168.2.13	128.254.146.232
Nov 27, 2024 22:03:04.025780916 CET	12105	55542	128.254.146.232	192.168.2.13
Nov 27, 2024 22:03:04.025911093 CET	55542	12105	192.168.2.13	128.254.146.232
Nov 27, 2024 22:03:04.152770996 CET	12105	55542	128.254.146.232	192.168.2.13
Nov 27, 2024 22:03:04.170829058 CET	51770	21421	192.168.2.13	5.39.254.71
Nov 27, 2024 22:03:04.297580004 CET	21421	51770	5.39.254.71	192.168.2.13
Nov 27, 2024 22:03:04.297643900 CET	51770	21421	192.168.2.13	5.39.254.71
Nov 27, 2024 22:03:04.297682047 CET	51770	21421	192.168.2.13	5.39.254.71
Nov 27, 2024 22:03:04.417768955 CET	21421	51770	5.39.254.71	192.168.2.13
Nov 27, 2024 22:03:04.417953014 CET	51770	21421	192.168.2.13	5.39.254.71
Nov 27, 2024 22:03:04.538065910 CET	21421	51770	5.39.254.71	192.168.2.13
Nov 27, 2024 22:03:05.156531096 CET	12105	55542	128.254.146.232	192.168.2.13
Nov 27, 2024 22:03:05.156681061 CET	55542	12105	192.168.2.13	128.254.146.232
Nov 27, 2024 22:03:05.156719923 CET	55542	12105	192.168.2.13	128.254.146.232
Nov 27, 2024 22:03:05.783174992 CET	21421	51770	5.39.254.71	192.168.2.13
Nov 27, 2024 22:03:05.783474922 CET	51770	21421	192.168.2.13	5.39.254.71
Nov 27, 2024 22:03:05.783597946 CET	51770	21421	192.168.2.13	5.39.254.71
Nov 27, 2024 22:03:10.732665062 CET	37658	21206	192.168.2.13	103.136.150.114
Nov 27, 2024 22:03:10.852772951 CET	21206	37658	103.136.150.114	192.168.2.13
Nov 27, 2024 22:03:10.853014946 CET	37658	21206	192.168.2.13	103.136.150.114
Nov 27, 2024 22:03:10.853259087 CET	37658	21206	192.168.2.13	103.136.150.114
Nov 27, 2024 22:03:10.973237991 CET	21206	37658	103.136.150.114	192.168.2.13
Nov 27, 2024 22:03:10.973359108 CET	37658	21206	192.168.2.13	103.136.150.114
Nov 27, 2024 22:03:11.097246885 CET	21206	37658	103.136.150.114	192.168.2.13
Nov 27, 2024 22:03:11.352682114 CET	57534	21206	192.168.2.13	45.140.168.235
Nov 27, 2024 22:03:11.472923040 CET	21206	57534	45.140.168.235	192.168.2.13
Nov 27, 2024 22:03:11.473082066 CET	57534	21206	192.168.2.13	45.140.168.235
Nov 27, 2024 22:03:11.473186970 CET	57534	21206	192.168.2.13	45.140.168.235
Nov 27, 2024 22:03:11.593194962 CET	21206	57534	45.140.168.235	192.168.2.13
Nov 27, 2024 22:03:11.593308926 CET	57534	21206	192.168.2.13	45.140.168.235
Nov 27, 2024 22:03:11.713309050 CET	21206	57534	45.140.168.235	192.168.2.13
Nov 27, 2024 22:03:12.784581900 CET	21206	37658	103.136.150.114	192.168.2.13
Nov 27, 2024 22:03:12.784739971 CET	37658	21206	192.168.2.13	103.136.150.114
Nov 27, 2024 22:03:12.784796000 CET	37658	21206	192.168.2.13	103.136.150.114
Nov 27, 2024 22:03:13.159852028 CET	21206	57534	45.140.168.235	192.168.2.13
Nov 27, 2024 22:03:13.159986973 CET	57534	21206	192.168.2.13	45.140.168.235
Nov 27, 2024 22:03:13.160147905 CET	57534	21206	192.168.2.13	45.140.168.235
Nov 27, 2024 22:03:18.327878952 CET	60438	24325	192.168.2.13	195.133.53.106
Nov 27, 2024 22:03:18.448045015 CET	24325	60438	195.133.53.106	192.168.2.13
Nov 27, 2024 22:03:18.448129892 CET	60438	24325	192.168.2.13	195.133.53.106
Nov 27, 2024 22:03:18.448328972 CET	60438	24325	192.168.2.13	195.133.53.106
Nov 27, 2024 22:03:18.483278990 CET	45648	3113	192.168.2.13	185.22.155.213
Nov 27, 2024 22:03:18.569402933 CET	24325	60438	195.133.53.106	192.168.2.13
Nov 27, 2024 22:03:18.569545031 CET	60438	24325	192.168.2.13	195.133.53.106
Nov 27, 2024 22:03:18.625639915 CET	3113	45648	185.22.155.213	192.168.2.13
Nov 27, 2024 22:03:18.625730038 CET	45648	3113	192.168.2.13	185.22.155.213
Nov 27, 2024 22:03:18.625766993 CET	45648	3113	192.168.2.13	185.22.155.213
Nov 27, 2024 22:03:18.694541931 CET	24325	60438	195.133.53.106	192.168.2.13
Nov 27, 2024 22:03:18.752789021 CET	3113	45648	185.22.155.213	192.168.2.13
Nov 27, 2024 22:03:18.752882957 CET	45648	3113	192.168.2.13	185.22.155.213
Nov 27, 2024 22:03:18.878045082 CET	3113	45648	185.22.155.213	192.168.2.13
Nov 27, 2024 22:03:20.286000967 CET	24325	60438	195.133.53.106	192.168.2.13
Nov 27, 2024 22:03:20.286109924 CET	60438	24325	192.168.2.13	195.133.53.106
Nov 27, 2024 22:03:20.286149025 CET	60438	24325	192.168.2.13	195.133.53.106
Nov 27, 2024 22:03:20.327914953 CET	3113	45648	185.22.155.213	192.168.2.13
Nov 27, 2024 22:03:20.328210115 CET	45648	3113	192.168.2.13	185.22.155.213
Nov 27, 2024 22:03:20.328210115 CET	45648	3113	192.168.2.13	185.22.155.213
Nov 27, 2024 22:03:25.802527905 CET	56080	6727	192.168.2.13	86.107.100.88
Nov 27, 2024 22:03:25.804085016 CET	49818	6727	192.168.2.13	166.88.130.30
Nov 27, 2024 22:03:25.924473047 CET	6727	56080	86.107.100.88	192.168.2.13
Nov 27, 2024 22:03:25.924685955 CET	56080	6727	192.168.2.13	86.107.100.88
Nov 27, 2024 22:03:25.924685955 CET	56080	6727	192.168.2.13	86.107.100.88
Nov 27, 2024 22:03:25.925911903 CET	6727	49818	166.88.130.30	192.168.2.13
Nov 27, 2024 22:03:25.926007986 CET	49818	6727	192.168.2.13	166.88.130.30
Nov 27, 2024 22:03:25.926089048 CET	49818	6727	192.168.2.13	166.88.130.30
Nov 27, 2024 22:03:26.045500994 CET	6727	56080	86.107.100.88	192.168.2.13
Nov 27, 2024 22:03:26.045650005 CET	56080	6727	192.168.2.13	86.107.100.88
Nov 27, 2024 22:03:26.046624899 CET	6727	49818	166.88.130.30	192.168.2.13
Nov 27, 2024 22:03:26.046689987 CET	49818	6727	192.168.2.13	166.88.130.30
Nov 27, 2024 22:03:26.165652990 CET	6727	56080	86.107.100.88	192.168.2.13
Nov 27, 2024 22:03:26.166553974 CET	6727	49818	166.88.130.30	192.168.2.13
Nov 27, 2024 22:03:27.081942081 CET	6727	49818	166.88.130.30	192.168.2.13
Nov 27, 2024 22:03:27.082060099 CET	49818	6727	192.168.2.13	166.88.130.30
Nov 27, 2024 22:03:27.082317114 CET	49818	6727	192.168.2.13	166.88.130.30
Nov 27, 2024 22:03:33.390683889 CET	56200	8273	192.168.2.13	194.87.198.191
Nov 27, 2024 22:03:33.511197090 CET	8273	56200	194.87.198.191	192.168.2.13
Nov 27, 2024 22:03:33.511464119 CET	56200	8273	192.168.2.13	194.87.198.191
Nov 27, 2024 22:03:33.511600018 CET	56200	8273	192.168.2.13	194.87.198.191
Nov 27, 2024 22:03:33.631587982 CET	8273	56200	194.87.198.191	192.168.2.13
Nov 27, 2024 22:03:33.631691933 CET	56200	8273	192.168.2.13	194.87.198.191
Nov 27, 2024 22:03:33.751734018 CET	8273	56200	194.87.198.191	192.168.2.13
Nov 27, 2024 22:03:35.109638929 CET	8273	56200	194.87.198.191	192.168.2.13
Nov 27, 2024 22:03:35.109872103 CET	56200	8273	192.168.2.13	194.87.198.191
Nov 27, 2024 22:03:35.109873056 CET	56200	8273	192.168.2.13	194.87.198.191
Nov 27, 2024 22:03:35.934873104 CET	56080	6727	192.168.2.13	86.107.100.88
Nov 27, 2024 22:03:36.060450077 CET	6727	56080	86.107.100.88	192.168.2.13
Nov 27, 2024 22:03:36.748286009 CET	6727	56080	86.107.100.88	192.168.2.13
Nov 27, 2024 22:03:36.748466015 CET	56080	6727	192.168.2.13	86.107.100.88
Nov 27, 2024 22:03:40.370295048 CET	59740	6537	192.168.2.13	166.88.130.30
Nov 27, 2024 22:03:40.490324020 CET	6537	59740	166.88.130.30	192.168.2.13
Nov 27, 2024 22:03:40.490513086 CET	59740	6537	192.168.2.13	166.88.130.30
Nov 27, 2024 22:03:40.490559101 CET	59740	6537	192.168.2.13	166.88.130.30
Nov 27, 2024 22:03:40.610707998 CET	6537	59740	166.88.130.30	192.168.2.13
Nov 27, 2024 22:03:40.610892057 CET	59740	6537	192.168.2.13	166.88.130.30
Nov 27, 2024 22:03:40.730895042 CET	6537	59740	166.88.130.30	192.168.2.13
Nov 27, 2024 22:03:41.706716061 CET	6537	59740	166.88.130.30	192.168.2.13
Nov 27, 2024 22:03:41.706911087 CET	59740	6537	192.168.2.13	166.88.130.30
Nov 27, 2024 22:03:41.706984043 CET	59740	6537	192.168.2.13	166.88.130.30
Nov 27, 2024 22:03:46.968209982 CET	41746	16306	192.168.2.13	194.87.198.191
Nov 27, 2024 22:03:47.091489077 CET	16306	41746	194.87.198.191	192.168.2.13
Nov 27, 2024 22:03:47.091701984 CET	41746	16306	192.168.2.13	194.87.198.191
Nov 27, 2024 22:03:47.091702938 CET	41746	16306	192.168.2.13	194.87.198.191
Nov 27, 2024 22:03:47.211728096 CET	16306	41746	194.87.198.191	192.168.2.13
Nov 27, 2024 22:03:47.211894035 CET	41746	16306	192.168.2.13	194.87.198.191
Nov 27, 2024 22:03:47.333796024 CET	16306	41746	194.87.198.191	192.168.2.13
Nov 27, 2024 22:03:48.773902893 CET	16306	41746	194.87.198.191	192.168.2.13
Nov 27, 2024 22:03:48.774235964 CET	41746	16306	192.168.2.13	194.87.198.191
Nov 27, 2024 22:03:48.774235964 CET	41746	16306	192.168.2.13	194.87.198.191
Nov 27, 2024 22:03:54.092139959 CET	48098	19391	192.168.2.13	194.58.66.244
Nov 27, 2024 22:03:54.212382078 CET	19391	48098	194.58.66.244	192.168.2.13
Nov 27, 2024 22:03:54.212558985 CET	48098	19391	192.168.2.13	194.58.66.244
Nov 27, 2024 22:03:54.212620020 CET	48098	19391	192.168.2.13	194.58.66.244
Nov 27, 2024 22:03:54.333373070 CET	19391	48098	194.58.66.244	192.168.2.13
Nov 27, 2024 22:03:54.333704948 CET	48098	19391	192.168.2.13	194.58.66.244
Nov 27, 2024 22:03:54.453712940 CET	19391	48098	194.58.66.244	192.168.2.13
Nov 27, 2024 22:03:55.845145941 CET	19391	48098	194.58.66.244	192.168.2.13
Nov 27, 2024 22:03:55.845504999 CET	48098	19391	192.168.2.13	194.58.66.244
Nov 27, 2024 22:03:55.845563889 CET	48098	19391	192.168.2.13	194.58.66.244
Nov 27, 2024 22:04:01.107964039 CET	34800	5163	192.168.2.13	45.147.200.148
Nov 27, 2024 22:04:01.228751898 CET	5163	34800	45.147.200.148	192.168.2.13
Nov 27, 2024 22:04:01.229055882 CET	34800	5163	192.168.2.13	45.147.200.148
Nov 27, 2024 22:04:01.229135990 CET	34800	5163	192.168.2.13	45.147.200.148
Nov 27, 2024 22:04:01.349278927 CET	5163	34800	45.147.200.148	192.168.2.13
Nov 27, 2024 22:04:01.349565983 CET	34800	5163	192.168.2.13	45.147.200.148
Nov 27, 2024 22:04:01.472275019 CET	5163	34800	45.147.200.148	192.168.2.13
Nov 27, 2024 22:04:02.925523996 CET	5163	34800	45.147.200.148	192.168.2.13
Nov 27, 2024 22:04:02.925966978 CET	34800	5163	192.168.2.13	45.147.200.148
Nov 27, 2024 22:04:02.925966978 CET	34800	5163	192.168.2.13	45.147.200.148
Nov 27, 2024 22:04:13.762706041 CET	34802	5163	192.168.2.13	45.147.200.148
Nov 27, 2024 22:04:13.886096001 CET	5163	34802	45.147.200.148	192.168.2.13
Nov 27, 2024 22:04:13.886226892 CET	34802	5163	192.168.2.13	45.147.200.148
Nov 27, 2024 22:04:13.886322975 CET	34802	5163	192.168.2.13	45.147.200.148
Nov 27, 2024 22:04:14.011833906 CET	5163	34802	45.147.200.148	192.168.2.13
Nov 27, 2024 22:04:14.011914968 CET	34802	5163	192.168.2.13	45.147.200.148
Nov 27, 2024 22:04:14.138034105 CET	5163	34802	45.147.200.148	192.168.2.13
Nov 27, 2024 22:04:23.896136045 CET	34802	5163	192.168.2.13	45.147.200.148
Nov 27, 2024 22:04:24.017432928 CET	5163	34802	45.147.200.148	192.168.2.13
Nov 27, 2024 22:04:24.500754118 CET	5163	34802	45.147.200.148	192.168.2.13
Nov 27, 2024 22:04:24.500911951 CET	34802	5163	192.168.2.13	45.147.200.148

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 27, 2024 22:02:51.515445948 CET	53152	53	192.168.2.13	168.138.12.137
Nov 27, 2024 22:02:51.641015053 CET	53134	53	192.168.2.13	168.138.12.137
Nov 27, 2024 22:02:56.521773100 CET	53355	53	192.168.2.13	81.169.136.222
Nov 27, 2024 22:02:56.647332907 CET	36533	53	192.168.2.13	81.169.136.222
Nov 27, 2024 22:02:56.762598038 CET	53	53355	81.169.136.222	192.168.2.13
Nov 27, 2024 22:02:56.890399933 CET	53	36533	81.169.136.222	192.168.2.13
Nov 27, 2024 22:03:03.209772110 CET	42008	53	192.168.2.13	109.91.184.21
Nov 27, 2024 22:03:03.489557028 CET	53	42008	109.91.184.21	192.168.2.13
Nov 27, 2024 22:03:03.491034031 CET	33255	53	192.168.2.13	109.91.184.21
Nov 27, 2024 22:03:03.783468962 CET	53	33255	109.91.184.21	192.168.2.13
Nov 27, 2024 22:03:03.874161959 CET	46624	53	192.168.2.13	109.91.184.21
Nov 27, 2024 22:03:04.170154095 CET	53	46624	109.91.184.21	192.168.2.13
Nov 27, 2024 22:03:10.159557104 CET	55243	53	192.168.2.13	168.235.111.72
Nov 27, 2024 22:03:10.482188940 CET	53	55243	168.235.111.72	192.168.2.13
Nov 27, 2024 22:03:10.483814001 CET	48730	53	192.168.2.13	152.53.15.127
Nov 27, 2024 22:03:10.731833935 CET	53	48730	152.53.15.127	192.168.2.13
Nov 27, 2024 22:03:10.786067963 CET	57454	53	192.168.2.13	109.91.184.21
Nov 27, 2024 22:03:11.042117119 CET	53	57454	109.91.184.21	192.168.2.13
Nov 27, 2024 22:03:11.043874025 CET	60103	53	192.168.2.13	168.235.111.72
Nov 27, 2024 22:03:11.351521015 CET	53	60103	168.235.111.72	192.168.2.13
Nov 27, 2024 22:03:17.788604021 CET	52737	53	192.168.2.13	109.91.184.21
Nov 27, 2024 22:03:18.057341099 CET	53	52737	109.91.184.21	192.168.2.13
Nov 27, 2024 22:03:18.059184074 CET	44163	53	192.168.2.13	109.91.184.21
Nov 27, 2024 22:03:18.162909031 CET	54446	53	192.168.2.13	168.235.111.72
Nov 27, 2024 22:03:18.327040911 CET	53	44163	109.91.184.21	192.168.2.13
Nov 27, 2024 22:03:18.482553959 CET	53	54446	168.235.111.72	192.168.2.13
Nov 27, 2024 22:03:25.288968086 CET	39175	53	192.168.2.13	202.61.197.122
Nov 27, 2024 22:03:25.331388950 CET	34316	53	192.168.2.13	213.202.211.221
Nov 27, 2024 22:03:25.541071892 CET	53	39175	202.61.197.122	192.168.2.13
Nov 27, 2024 22:03:25.542181015 CET	47042	53	192.168.2.13	185.181.61.24
Nov 27, 2024 22:03:25.563036919 CET	53	34316	213.202.211.221	192.168.2.13
Nov 27, 2024 22:03:25.564438105 CET	34086	53	192.168.2.13	51.158.108.203
Nov 27, 2024 22:03:25.801835060 CET	53	47042	185.181.61.24	192.168.2.13
Nov 27, 2024 22:03:25.803689957 CET	53	34086	51.158.108.203	192.168.2.13
Nov 27, 2024 22:03:32.085315943 CET	55424	53	192.168.2.13	80.152.203.134
Nov 27, 2024 22:03:32.489198923 CET	53	55424	80.152.203.134	192.168.2.13
Nov 27, 2024 22:03:32.490792036 CET	52775	53	192.168.2.13	194.36.144.87
Nov 27, 2024 22:03:32.744287014 CET	53	52775	194.36.144.87	192.168.2.13
Nov 27, 2024 22:03:32.745800972 CET	55277	53	192.168.2.13	185.181.61.24
Nov 27, 2024 22:03:33.016283989 CET	53	55277	185.181.61.24	192.168.2.13
Nov 27, 2024 22:03:33.017921925 CET	41548	53	192.168.2.13	109.91.184.21
Nov 27, 2024 22:03:33.390079975 CET	53	41548	109.91.184.21	192.168.2.13
Nov 27, 2024 22:03:40.112473011 CET	45905	53	192.168.2.13	185.181.61.24
Nov 27, 2024 22:03:40.369404078 CET	53	45905	185.181.61.24	192.168.2.13
Nov 27, 2024 22:03:46.709079981 CET	34504	53	192.168.2.13	185.181.61.24
Nov 27, 2024 22:03:46.967439890 CET	53	34504	185.181.61.24	192.168.2.13
Nov 27, 2024 22:03:53.776339054 CET	43018	53	192.168.2.13	168.235.111.72
Nov 27, 2024 22:03:54.091351986 CET	53	43018	168.235.111.72	192.168.2.13
Nov 27, 2024 22:04:00.847774029 CET	38935	53	192.168.2.13	185.181.61.24
Nov 27, 2024 22:04:01.106920004 CET	53	38935	185.181.61.24	192.168.2.13
Nov 27, 2024 22:04:07.928903103 CET	49889	53	192.168.2.13	185.181.61.24
Nov 27, 2024 22:04:08.191406965 CET	53	49889	185.181.61.24	192.168.2.13
Nov 27, 2024 22:04:08.193176031 CET	55253	53	192.168.2.13	168.138.12.137
Nov 27, 2024 22:04:13.195301056 CET	56118	53	192.168.2.13	152.53.15.127
Nov 27, 2024 22:04:13.447444916 CET	53	56118	152.53.15.127	192.168.2.13
Nov 27, 2024 22:04:13.448968887 CET	42040	53	192.168.2.13	109.91.184.21
Nov 27, 2024 22:04:13.761753082 CET	53	42040	109.91.184.21	192.168.2.13

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 27, 2024 22:02:51.515445948 CET	192.168.2.13	168.138.12.137	0x87ba	Standard query (0)	hikvision.geek	A (IP address)	IN (0x0001)	false
Nov 27, 2024 22:02:51.641015053 CET	192.168.2.13	168.138.12.137	0x87ba	Standard query (0)	hikvision.geek	A (IP address)	IN (0x0001)	false
Nov 27, 2024 22:02:56.521773100 CET	192.168.2.13	81.169.136.222	0x703e	Standard query (0)	shitrocket.dyn	A (IP address)	IN (0x0001)	false
Nov 27, 2024 22:02:56.647332907 CET	192.168.2.13	81.169.136.222	0x703e	Standard query (0)	shitrocket.dyn	A (IP address)	IN (0x0001)	false
Nov 27, 2024 22:03:03.209772110 CET	192.168.2.13	109.91.184.21	0x740d	Standard query (0)	catvision.dyn. [malformed]	256	263	false
Nov 27, 2024 22:03:03.491034031 CET	192.168.2.13	109.91.184.21	0xc2b4	Standard query (0)	catlovingfools.geek	A (IP address)	IN (0x0001)	false
Nov 27, 2024 22:03:03.874161959 CET	192.168.2.13	109.91.184.21	0x740d	Standard query (0)	shitrocket.dyn	A (IP address)	IN (0x0001)	false
Nov 27, 2024 22:03:10.159557104 CET	192.168.2.13	168.235.111.72	0xb51f	Standard query (0)	catvision.dyn. [malformed]	256	270	false
Nov 27, 2024 22:03:10.483814001 CET	192.168.2.13	152.53.15.127	0x5c83	Standard query (0)	hikvision.geek	A (IP address)	IN (0x0001)	false
Nov 27, 2024 22:03:10.786067963 CET	192.168.2.13	109.91.184.21	0x72c7	Standard query (0)	catvision.dyn. [malformed]	256	270	false
Nov 27, 2024 22:03:11.043874025 CET	192.168.2.13	168.235.111.72	0xb51f	Standard query (0)	hikvision.geek	A (IP address)	IN (0x0001)	false
Nov 27, 2024 22:03:17.788604021 CET	192.168.2.13	109.91.184.21	0x5880	Standard query (0)	catvision.dyn. [malformed]	256	278	false
Nov 27, 2024 22:03:18.059184074 CET	192.168.2.13	109.91.184.21	0x2284	Standard query (0)	shitrocket.dyn	A (IP address)	IN (0x0001)	false
Nov 27, 2024 22:03:18.162909031 CET	192.168.2.13	168.235.111.72	0xa8e	Standard query (0)	shitrocket.dyn	A (IP address)	IN (0x0001)	false
Nov 27, 2024 22:03:25.288968086 CET	192.168.2.13	202.61.197.122	0xa1e2	Standard query (0)	catvision.dyn. [malformed]	256	285	false
Nov 27, 2024 22:03:25.331388950 CET	192.168.2.13	213.202.211.221	0x5ae4	Standard query (0)	catvision.dyn. [malformed]	256	285	false
Nov 27, 2024 22:03:25.542181015 CET	192.168.2.13	185.181.61.24	0x9dd	Standard query (0)	catlovingfools.geek	A (IP address)	IN (0x0001)	false
Nov 27, 2024 22:03:25.564438105 CET	192.168.2.13	51.158.108.203	0xd5dd	Standard query (0)	catlovingfools.geek	A (IP address)	IN (0x0001)	false
Nov 27, 2024 22:03:32.085315943 CET	192.168.2.13	80.152.203.134	0xad6e	Standard query (0)	shitrocket.dyn. [malformed]	256	292	false
Nov 27, 2024 22:03:32.490792036 CET	192.168.2.13	194.36.144.87	0xa80c	Standard query (0)	catlovingfools.geek. [malformed]	256	292	false
Nov 27, 2024 22:03:32.745800972 CET	192.168.2.13	185.181.61.24	0x254f	Standard query (0)	catvision.dyn. [malformed]	256	293	false
Nov 27, 2024 22:03:33.017921925 CET	192.168.2.13	109.91.184.21	0xc7f0	Standard query (0)	hikvision.geek	A (IP address)	IN (0x0001)	false
Nov 27, 2024 22:03:40.112473011 CET	192.168.2.13	185.181.61.24	0x435f	Standard query (0)	hikvision.geek	A (IP address)	IN (0x0001)	false
Nov 27, 2024 22:03:46.709079981 CET	192.168.2.13	185.181.61.24	0x45a1	Standard query (0)	shitrocket.dyn	A (IP address)	IN (0x0001)	false
Nov 27, 2024 22:03:53.776339054 CET	192.168.2.13	168.235.111.72	0x4651	Standard query (0)	shitrocket.dyn	A (IP address)	IN (0x0001)	false
Nov 27, 2024 22:04:00.847774029 CET	192.168.2.13	185.181.61.24	0x5eb5	Standard query (0)	hikvision.geek	A (IP address)	IN (0x0001)	false
Nov 27, 2024 22:04:07.928903103 CET	192.168.2.13	185.181.61.24	0x2fd0	Standard query (0)	catlovingfools.geek. [malformed]	256	328	false
Nov 27, 2024 22:04:08.193176031 CET	192.168.2.13	168.138.12.137	0xe5d9	Standard query (0)	hikvision.geek. [malformed]	256	333	false
Nov 27, 2024 22:04:13.195301056 CET	192.168.2.13	152.53.15.127	0xe432	Standard query (0)	shitrocket.dyn. [malformed]	256	333	false
Nov 27, 2024 22:04:13.448968887 CET	192.168.2.13	109.91.184.21	0x7433	Standard query (0)	catvision.dyn. [malformed]	256	333	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 27, 2024 22:03:03.489557028 CET	109.91.184.21	192.168.2.13	0x740d	Format error (1)	catvision.dyn. [malformed]	none	none	256	263	false
Nov 27, 2024 22:03:11.042117119 CET	109.91.184.21	192.168.2.13	0x72c7	Format error (1)	catvision.dyn. [malformed]	none	none	256	271	false
Nov 27, 2024 22:03:18.057341099 CET	109.91.184.21	192.168.2.13	0x5880	Format error (1)	catvision.dyn. [malformed]	none	none	256	278	false
Nov 27, 2024 22:03:32.489198923 CET	80.152.203.134	192.168.2.13	0xad6e	Format error (1)	shitrocket.dyn. [malformed]	none	none	256	292	false
Nov 27, 2024 22:03:32.744287014 CET	194.36.144.87	192.168.2.13	0xa80c	Format error (1)	catlovingfools.geek. [malformed]	none	none	256	292	false
Nov 27, 2024 22:04:13.447444916 CET	152.53.15.127	192.168.2.13	0xe432	Format error (1)	shitrocket.dyn. [malformed]	none	none	256	333	false
Nov 27, 2024 22:04:13.761753082 CET	109.91.184.21	192.168.2.13	0x7433	Format error (1)	catvision.dyn. [malformed]	none	none	256	333	false

System Behavior

Analysis Process: hmips.elf PID: 5436, Parent PID: 5361

General

Start time (UTC):	21:02:50
Start date (UTC):	27/11/2024
Path:	/tmp/hmips.elf
Arguments:	/tmp/hmips.elf
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: hmips.elf PID: 5483, Parent PID: 5436

General

Start time (UTC):	21:02:50
Start date (UTC):	27/11/2024
Path:	/tmp/hmips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: hmips.elf PID: 5526, Parent PID: 5483

General

Start time (UTC):	21:02:50
Start date (UTC):	27/11/2024
Path:	/tmp/hmips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: hmips.elf PID: 5485, Parent PID: 5436

General

Start time (UTC):	21:02:50
Start date (UTC):	27/11/2024
Path:	/tmp/hmips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report hmips.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: hmips.elf PID: 5436, Parent PID: 5361

General

Chronological Activities

Analysis Process: hmips.elf PID: 5483, Parent PID: 5436

General

Chronological Activities

Analysis Process: hmips.elf PID: 5526, Parent PID: 5483

General

Chronological Activities

Analysis Process: hmips.elf PID: 5485, Parent PID: 5436

General

Chronological Activities

Linux Analysis Report
hmips.elf