Edit tour

Linux Analysis Report
harm4.elf

Overview

General Information

Sample name:	harm4.elf
Analysis ID:	1564146
MD5:	d70e27950e20deb5595bc0d2e2d3001b
SHA1:	66867b67aca4f2b2d7d4b5cbc6a30ecef5b5ab35
SHA256:	fe2b0f3f4cafb4da8ad97b63098436acde35ce0a955a0277f575d4ba898e9bb4
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false

Signatures

Connects to many ports of the same IP (likely port scanning)

Sends malformed DNS queries

Detected TCP or UDP traffic on non-standard ports

Sample has stripped symbol table

Sample listens on a socket

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1564146
Start date and time:	2024-11-27 22:06:28 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	harm4.elf
Detection:	MAL
Classification:	mal48.troj.linELF@0/0@30/0

Warnings

VT rate limit hit for: harm4.elf

Runtime Messages

Command:	/tmp/harm4.elf
PID:	6218
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	I jun ok ter my cats, man.
Standard Error:

Process Tree

system is lnxubuntu20

harm4.elf (PID: 6218, Parent: 6133, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/harm4.elf

harm4.elf New Fork (PID: 6220, Parent: 6218)

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 185.22.155.213 ports 18794,2909,1,4,7,8,9
Source: global traffic	TCP traffic: 88.151.195.95 ports 20662,8137,1,3,7,8
Source: global traffic	TCP traffic: 88.151.195.157 ports 18454,21981,1,2,8,9

Sends malformed DNS queries

Source: global traffic	DNS traffic detected: malformed DNS query: hikvision.geek. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: catlovingfools.geek. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: catvision.dyn. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: shitrocket.dyn. [malformed]

Source: global traffic	TCP traffic: 192.168.2.23:58410 -> 88.151.195.95:8137
Source: global traffic	TCP traffic: 192.168.2.23:45202 -> 31.13.248.234:17557
Source: global traffic	TCP traffic: 192.168.2.23:52900 -> 38.114.100.142:8439
Source: global traffic	TCP traffic: 192.168.2.23:57272 -> 185.22.155.152:16707
Source: global traffic	TCP traffic: 192.168.2.23:51128 -> 185.22.153.100:17785
Source: global traffic	TCP traffic: 192.168.2.23:56636 -> 185.22.155.213:18794
Source: global traffic	TCP traffic: 192.168.2.23:47390 -> 45.147.200.148:16883
Source: global traffic	TCP traffic: 192.168.2.23:42386 -> 88.151.195.157:21981
Source: global traffic	TCP traffic: 192.168.2.23:33888 -> 194.58.66.244:10662
Source: global traffic	TCP traffic: 192.168.2.23:47972 -> 194.87.198.191:23729
Source: global traffic	TCP traffic: 192.168.2.23:37104 -> 31.13.248.13:4084

Source: /tmp/harm4.elf (PID: 6218)

Socket: 127.0.0.1:1172

Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 88.151.195.95
Source: unknown	TCP traffic detected without corresponding DNS query: 88.151.195.95
Source: unknown	TCP traffic detected without corresponding DNS query: 88.151.195.95
Source: unknown	TCP traffic detected without corresponding DNS query: 88.151.195.95
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 88.151.195.95
Source: unknown	TCP traffic detected without corresponding DNS query: 88.151.195.95
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 31.13.248.234
Source: unknown	TCP traffic detected without corresponding DNS query: 31.13.248.234
Source: unknown	TCP traffic detected without corresponding DNS query: 31.13.248.234
Source: unknown	TCP traffic detected without corresponding DNS query: 31.13.248.234
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 31.13.248.234
Source: unknown	TCP traffic detected without corresponding DNS query: 31.13.248.234
Source: unknown	TCP traffic detected without corresponding DNS query: 38.114.100.142
Source: unknown	TCP traffic detected without corresponding DNS query: 38.114.100.142
Source: unknown	TCP traffic detected without corresponding DNS query: 38.114.100.142
Source: unknown	TCP traffic detected without corresponding DNS query: 38.114.100.142
Source: unknown	TCP traffic detected without corresponding DNS query: 38.114.100.142
Source: unknown	TCP traffic detected without corresponding DNS query: 38.114.100.142
Source: unknown	TCP traffic detected without corresponding DNS query: 185.22.155.152
Source: unknown	TCP traffic detected without corresponding DNS query: 185.22.155.152
Source: unknown	TCP traffic detected without corresponding DNS query: 185.22.155.152
Source: unknown	TCP traffic detected without corresponding DNS query: 185.22.155.152
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 185.22.155.152
Source: unknown	TCP traffic detected without corresponding DNS query: 185.22.155.152
Source: unknown	TCP traffic detected without corresponding DNS query: 185.22.153.100
Source: unknown	TCP traffic detected without corresponding DNS query: 185.22.153.100
Source: unknown	TCP traffic detected without corresponding DNS query: 185.22.153.100
Source: unknown	TCP traffic detected without corresponding DNS query: 185.22.153.100
Source: unknown	TCP traffic detected without corresponding DNS query: 185.22.153.100
Source: unknown	TCP traffic detected without corresponding DNS query: 185.22.153.100
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.22.155.213
Source: unknown	TCP traffic detected without corresponding DNS query: 185.22.155.213
Source: unknown	TCP traffic detected without corresponding DNS query: 185.22.155.213
Source: unknown	TCP traffic detected without corresponding DNS query: 185.22.155.213
Source: unknown	TCP traffic detected without corresponding DNS query: 185.22.155.213
Source: unknown	TCP traffic detected without corresponding DNS query: 185.22.155.213
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 45.147.200.148
Source: unknown	TCP traffic detected without corresponding DNS query: 45.147.200.148
Source: unknown	TCP traffic detected without corresponding DNS query: 45.147.200.148
Source: unknown	TCP traffic detected without corresponding DNS query: 45.147.200.148
Source: unknown	TCP traffic detected without corresponding DNS query: 45.147.200.148
Source: unknown	TCP traffic detected without corresponding DNS query: 45.147.200.148
Source: unknown	TCP traffic detected without corresponding DNS query: 88.151.195.95
Source: unknown	TCP traffic detected without corresponding DNS query: 88.151.195.95

Source: global traffic	DNS traffic detected: DNS query: hikvision.geek
Source: global traffic	DNS traffic detected: DNS query: catlovingfools.geek
Source: global traffic	DNS traffic detected: DNS query: hikvision.geek. [malformed]
Source: global traffic	DNS traffic detected: DNS query: catlovingfools.geek. [malformed]
Source: global traffic	DNS traffic detected: DNS query: catvision.dyn. [malformed]
Source: global traffic	DNS traffic detected: DNS query: shitrocket.dyn
Source: global traffic	DNS traffic detected: DNS query: shitrocket.dyn. [malformed]

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal48.troj.linELF@0/0@30/0

Source: /tmp/harm4.elf (PID: 6218)

Queries kernel information via 'uname':

Jump to behavior

Source: harm4.elf, 6218.1.00007ffc62f15000.00007ffc62f36000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/harm4.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/harm4.elf
Source: harm4.elf, 6218.1.0000561123f35000.00005611240aa000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: harm4.elf, 6218.1.0000561123f35000.00005611240aa000.rw-.sdmp	Binary or memory string: V!/etc/qemu-binfmt/arm
Source: harm4.elf, 6218.1.00007ffc62f15000.00007ffc62f36000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
harm4.elf	11%	ReversingLabs	Linux.Backdoor.Mirai

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
catlovingfools.geek. [malformed]	unknown	unknown	true	unknown
catlovingfools.geek	unknown	unknown	true	unknown
shitrocket.dyn	unknown	unknown	true	unknown
hikvision.geek. [malformed]	unknown	unknown	true	unknown
shitrocket.dyn. [malformed]	unknown	unknown	true	unknown
catvision.dyn. [malformed]	unknown	unknown	true	unknown
hikvision.geek	unknown	unknown	true	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.22.155.213	unknown	Russian Federation	51659	ASBAXETRU	true
88.151.195.95	unknown	Azerbaijan	15723	AZERONLINEAZ	true
194.58.66.244	unknown	Russian Federation	2118	RELCOM-ASRelcomGroup19022019RU	false
38.114.100.142	unknown	United States	22926	AS-WISPERUS	false
31.13.248.234	unknown	Bulgaria	34224	NETERRA-ASBG	false
185.22.155.152	unknown	Russian Federation	51659	ASBAXETRU	false
185.22.153.100	unknown	Russian Federation	51659	ASBAXETRU	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
31.13.248.13	unknown	Bulgaria	34224	NETERRA-ASBG	false
194.87.198.191	unknown	Russian Federation	49352	LOGOL-ASRU	false
88.151.195.157	unknown	Azerbaijan	15723	AZERONLINEAZ	true
45.147.200.148	unknown	Russian Federation	51659	ASBAXETRU	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.22.155.213	arm.elf	Get hash	malicious	Unknown	Browse
185.22.155.213	hmips.elf	Get hash	malicious	Unknown	Browse
88.151.195.95	mips.elf	Get hash	malicious	Unknown	Browse
194.58.66.244	hmips.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	x86.elf	Get hash	malicious	Unknown	Browse
	ppc.elf	Get hash	malicious	Unknown	Browse
	hmips.elf	Get hash	malicious	Unknown	Browse
38.114.100.142	mips.elf	Get hash	malicious	Unknown	Browse
	hmips.elf	Get hash	malicious	Unknown	Browse
	ppc.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	harm5.elf	Get hash	malicious	Unknown	Browse
185.22.155.152	mips.elf	Get hash	malicious	Unknown	Browse
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
31.13.248.13	mips.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	x86.elf	Get hash	malicious	Unknown	Browse
	ppc.elf	Get hash	malicious	Unknown	Browse
	hmips.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASBAXETRU	harm5.elf	Get hash	malicious	Unknown	Browse	45.140.168.235
	mips.elf	Get hash	malicious	Unknown	Browse	176.32.39.112
	arm.elf	Get hash	malicious	Unknown	Browse	185.22.155.213
	hmips.elf	Get hash	malicious	Unknown	Browse	45.140.168.235
	ARRIVAL NOTICE.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	176.32.38.130
	ppc.elf	Get hash	malicious	Unknown	Browse	176.32.39.112
	mips.elf	Get hash	malicious	Unknown	Browse	45.140.168.235
	arm7.elf	Get hash	malicious	Unknown	Browse	45.140.168.235
	x86.elf	Get hash	malicious	Unknown	Browse	176.32.39.112
	arm5.elf	Get hash	malicious	Unknown	Browse	45.140.169.21
RELCOM-ASRelcomGroup19022019RU	harm5.elf	Get hash	malicious	Unknown	Browse	194.58.66.131
	hmips.elf	Get hash	malicious	Unknown	Browse	194.58.66.244
	arm7.elf	Get hash	malicious	Unknown	Browse	194.87.30.79
	x86.elf	Get hash	malicious	Unknown	Browse	194.58.66.244
	ppc.elf	Get hash	malicious	Unknown	Browse	194.87.30.79
	hmips.elf	Get hash	malicious	Unknown	Browse	194.87.30.79
	Supply Contract 12 Additional Agreement to 76_24_.exe	Get hash	malicious	GuLoader, Remcos	Browse	194.58.83.68
	lchs.exe	Get hash	malicious	Quasar	Browse	193.124.33.141
	jKira.arm	Get hash	malicious	Mirai	Browse	195.133.54.44
AZERONLINEAZ	mips.elf	Get hash	malicious	Unknown	Browse	88.151.195.95
	hmips.elf	Get hash	malicious	Unknown	Browse	88.151.195.22
	ppc.elf	Get hash	malicious	Unknown	Browse	88.151.195.22
	mips.elf	Get hash	malicious	Unknown	Browse	88.151.195.22
	x86.elf	Get hash	malicious	Unknown	Browse	88.151.195.157
	harm5.elf	Get hash	malicious	Unknown	Browse	88.151.195.22
	arm5.elf	Get hash	malicious	Unknown	Browse	88.151.195.22
	harm4.elf	Get hash	malicious	Unknown	Browse	88.151.195.22
	harm5.elf	Get hash	malicious	Unknown	Browse	88.151.195.22
	nsharm7.elf	Get hash	malicious	Unknown	Browse	88.151.195.22
AS-WISPERUS	mips.elf	Get hash	malicious	Unknown	Browse	38.114.100.142
	hmips.elf	Get hash	malicious	Unknown	Browse	38.114.100.142
	ppc.elf	Get hash	malicious	Unknown	Browse	38.114.100.142
	mips.elf	Get hash	malicious	Unknown	Browse	38.114.100.142
	harm5.elf	Get hash	malicious	Unknown	Browse	38.114.100.142
	sora.mips.elf	Get hash	malicious	Mirai	Browse	66.232.175.178
	byte.arm.elf	Get hash	malicious	Mirai, Okiru	Browse	66.232.181.219
	m68k.elf	Get hash	malicious	Mirai	Browse	38.114.84.241
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	38.114.66.203
	RiI7W2cj7p.elf	Get hash	malicious	Unknown	Browse	66.232.175.171

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy (8bit):	6.008160124672379
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	harm4.elf
File size:	36'732 bytes
MD5:	d70e27950e20deb5595bc0d2e2d3001b
SHA1:	66867b67aca4f2b2d7d4b5cbc6a30ecef5b5ab35
SHA256:	fe2b0f3f4cafb4da8ad97b63098436acde35ce0a955a0277f575d4ba898e9bb4
SHA512:	40e4e5f7d83ac2715fd67cc89676003fa89c9422f6f6d7fc171121ec64d2fc31d55eb14ee431f0dc2a3ce8ec82e2f9964d7f6535eed5d0f7bbeaec2de64ad27a
SSDEEP:	768:WlWwl+qm1HvqJmll/mO8CRx9MrNaHBFh8/U0dx9H:eotvqImg9MIh+rH
TLSH:	B8F23C80FD909A17C6D4127BBA2E82CD77161368E2EF3303DD166F61778A96B0DB7601
File Content Preview:	.ELF...a..........(.........4...........4. ...(..........................................................$..........Q.td..................................-...L."....!..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	ARM - ABI
ABI Version:	0
Entry Point Address:	0x8190
Flags:	0x202
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	36292
Section Header Size:	40
Number of Section Headers:	11
Header String Table Index:	10

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8094	0x94	0x18	0x0	0x6	AX	4
.text	PROGBITS	0x80b0	0xb0	0x875c	0x0	0x6	AX	16
.fini	PROGBITS	0x1080c	0x880c	0x14	0x0	0x6	AX	4
.rodata	PROGBITS	0x10820	0x8820	0x1c8	0x0	0x2	A	4
.eh_frame	PROGBITS	0x109e8	0x89e8	0x4	0x0	0x2	A	4
.ctors	PROGBITS	0x189ec	0x89ec	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x189f4	0x89f4	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x18a00	0x8a00	0x37c	0x0	0x3	WA	4
.bss	NOBITS	0x18d7c	0x8d7c	0x2140	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x8d7c	0x48	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8000	0x8000	0x89ec	0x89ec	6.0666	0x5	R E	0x8000	.init .text .fini .rodata .eh_frame
LOAD	0x89ec	0x189ec	0x189ec	0x390	0x24d0	2.7715	0x6	RW	0x8000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 27, 2024 22:07:06.551450968 CET	58410	8137	192.168.2.23	88.151.195.95
Nov 27, 2024 22:07:06.671519041 CET	8137	58410	88.151.195.95	192.168.2.23
Nov 27, 2024 22:07:06.671724081 CET	58410	8137	192.168.2.23	88.151.195.95
Nov 27, 2024 22:07:06.672142982 CET	58410	8137	192.168.2.23	88.151.195.95
Nov 27, 2024 22:07:06.794001102 CET	8137	58410	88.151.195.95	192.168.2.23
Nov 27, 2024 22:07:06.794125080 CET	58410	8137	192.168.2.23	88.151.195.95
Nov 27, 2024 22:07:06.914504051 CET	8137	58410	88.151.195.95	192.168.2.23
Nov 27, 2024 22:07:07.255245924 CET	43928	443	192.168.2.23	91.189.91.42
Nov 27, 2024 22:07:08.358097076 CET	8137	58410	88.151.195.95	192.168.2.23
Nov 27, 2024 22:07:08.358393908 CET	58410	8137	192.168.2.23	88.151.195.95
Nov 27, 2024 22:07:08.358393908 CET	58410	8137	192.168.2.23	88.151.195.95
Nov 27, 2024 22:07:12.886526108 CET	42836	443	192.168.2.23	91.189.91.43
Nov 27, 2024 22:07:13.670696974 CET	45202	17557	192.168.2.23	31.13.248.234
Nov 27, 2024 22:07:13.790766001 CET	17557	45202	31.13.248.234	192.168.2.23
Nov 27, 2024 22:07:13.790924072 CET	45202	17557	192.168.2.23	31.13.248.234
Nov 27, 2024 22:07:13.791016102 CET	45202	17557	192.168.2.23	31.13.248.234
Nov 27, 2024 22:07:13.911159039 CET	17557	45202	31.13.248.234	192.168.2.23
Nov 27, 2024 22:07:13.911345959 CET	45202	17557	192.168.2.23	31.13.248.234
Nov 27, 2024 22:07:14.031256914 CET	17557	45202	31.13.248.234	192.168.2.23
Nov 27, 2024 22:07:14.422259092 CET	42516	80	192.168.2.23	109.202.202.202
Nov 27, 2024 22:07:15.423588991 CET	17557	45202	31.13.248.234	192.168.2.23
Nov 27, 2024 22:07:15.423690081 CET	45202	17557	192.168.2.23	31.13.248.234
Nov 27, 2024 22:07:15.423727036 CET	45202	17557	192.168.2.23	31.13.248.234
Nov 27, 2024 22:07:20.667881966 CET	52900	8439	192.168.2.23	38.114.100.142
Nov 27, 2024 22:07:20.789921999 CET	8439	52900	38.114.100.142	192.168.2.23
Nov 27, 2024 22:07:20.790056944 CET	52900	8439	192.168.2.23	38.114.100.142
Nov 27, 2024 22:07:20.790091991 CET	52900	8439	192.168.2.23	38.114.100.142
Nov 27, 2024 22:07:20.913074970 CET	8439	52900	38.114.100.142	192.168.2.23
Nov 27, 2024 22:07:20.913283110 CET	52900	8439	192.168.2.23	38.114.100.142
Nov 27, 2024 22:07:21.038836002 CET	8439	52900	38.114.100.142	192.168.2.23
Nov 27, 2024 22:07:22.021148920 CET	8439	52900	38.114.100.142	192.168.2.23
Nov 27, 2024 22:07:22.021564960 CET	52900	8439	192.168.2.23	38.114.100.142
Nov 27, 2024 22:07:22.021631956 CET	52900	8439	192.168.2.23	38.114.100.142
Nov 27, 2024 22:07:27.373291969 CET	57272	16707	192.168.2.23	185.22.155.152
Nov 27, 2024 22:07:27.493364096 CET	16707	57272	185.22.155.152	192.168.2.23
Nov 27, 2024 22:07:27.493652105 CET	57272	16707	192.168.2.23	185.22.155.152
Nov 27, 2024 22:07:27.493680954 CET	57272	16707	192.168.2.23	185.22.155.152
Nov 27, 2024 22:07:27.613712072 CET	16707	57272	185.22.155.152	192.168.2.23
Nov 27, 2024 22:07:27.613775015 CET	57272	16707	192.168.2.23	185.22.155.152
Nov 27, 2024 22:07:27.734133005 CET	16707	57272	185.22.155.152	192.168.2.23
Nov 27, 2024 22:07:27.988398075 CET	43928	443	192.168.2.23	91.189.91.42
Nov 27, 2024 22:07:29.233252048 CET	16707	57272	185.22.155.152	192.168.2.23
Nov 27, 2024 22:07:29.233393908 CET	57272	16707	192.168.2.23	185.22.155.152
Nov 27, 2024 22:07:29.233452082 CET	57272	16707	192.168.2.23	185.22.155.152
Nov 27, 2024 22:07:35.277582884 CET	51128	17785	192.168.2.23	185.22.153.100
Nov 27, 2024 22:07:35.397584915 CET	17785	51128	185.22.153.100	192.168.2.23
Nov 27, 2024 22:07:35.397835016 CET	51128	17785	192.168.2.23	185.22.153.100
Nov 27, 2024 22:07:35.397936106 CET	51128	17785	192.168.2.23	185.22.153.100
Nov 27, 2024 22:07:35.519012928 CET	17785	51128	185.22.153.100	192.168.2.23
Nov 27, 2024 22:07:35.519268036 CET	51128	17785	192.168.2.23	185.22.153.100
Nov 27, 2024 22:07:35.639245987 CET	17785	51128	185.22.153.100	192.168.2.23
Nov 27, 2024 22:07:37.081073046 CET	17785	51128	185.22.153.100	192.168.2.23
Nov 27, 2024 22:07:37.081365108 CET	51128	17785	192.168.2.23	185.22.153.100
Nov 27, 2024 22:07:37.081496954 CET	51128	17785	192.168.2.23	185.22.153.100
Nov 27, 2024 22:07:40.274717093 CET	42836	443	192.168.2.23	91.189.91.43
Nov 27, 2024 22:07:42.343661070 CET	56636	18794	192.168.2.23	185.22.155.213
Nov 27, 2024 22:07:42.463911057 CET	18794	56636	185.22.155.213	192.168.2.23
Nov 27, 2024 22:07:42.463984966 CET	56636	18794	192.168.2.23	185.22.155.213
Nov 27, 2024 22:07:42.464013100 CET	56636	18794	192.168.2.23	185.22.155.213
Nov 27, 2024 22:07:42.584016085 CET	18794	56636	185.22.155.213	192.168.2.23
Nov 27, 2024 22:07:42.584096909 CET	56636	18794	192.168.2.23	185.22.155.213
Nov 27, 2024 22:07:42.704099894 CET	18794	56636	185.22.155.213	192.168.2.23
Nov 27, 2024 22:07:44.148701906 CET	18794	56636	185.22.155.213	192.168.2.23
Nov 27, 2024 22:07:44.148829937 CET	56636	18794	192.168.2.23	185.22.155.213
Nov 27, 2024 22:07:44.148865938 CET	56636	18794	192.168.2.23	185.22.155.213
Nov 27, 2024 22:07:44.370141983 CET	42516	80	192.168.2.23	109.202.202.202
Nov 27, 2024 22:07:49.397785902 CET	47390	16883	192.168.2.23	45.147.200.148
Nov 27, 2024 22:07:49.518275023 CET	16883	47390	45.147.200.148	192.168.2.23
Nov 27, 2024 22:07:49.518343925 CET	47390	16883	192.168.2.23	45.147.200.148
Nov 27, 2024 22:07:49.518384933 CET	47390	16883	192.168.2.23	45.147.200.148
Nov 27, 2024 22:07:49.638966084 CET	16883	47390	45.147.200.148	192.168.2.23
Nov 27, 2024 22:07:49.639072895 CET	47390	16883	192.168.2.23	45.147.200.148
Nov 27, 2024 22:07:49.759429932 CET	16883	47390	45.147.200.148	192.168.2.23
Nov 27, 2024 22:07:51.262423038 CET	16883	47390	45.147.200.148	192.168.2.23
Nov 27, 2024 22:07:51.262572050 CET	47390	16883	192.168.2.23	45.147.200.148
Nov 27, 2024 22:07:51.262572050 CET	47390	16883	192.168.2.23	45.147.200.148
Nov 27, 2024 22:07:56.509563923 CET	49800	20662	192.168.2.23	88.151.195.95
Nov 27, 2024 22:07:56.629674911 CET	20662	49800	88.151.195.95	192.168.2.23
Nov 27, 2024 22:07:56.629843950 CET	49800	20662	192.168.2.23	88.151.195.95
Nov 27, 2024 22:07:56.629906893 CET	49800	20662	192.168.2.23	88.151.195.95
Nov 27, 2024 22:07:56.752053022 CET	20662	49800	88.151.195.95	192.168.2.23
Nov 27, 2024 22:07:56.752268076 CET	49800	20662	192.168.2.23	88.151.195.95
Nov 27, 2024 22:07:56.872210026 CET	20662	49800	88.151.195.95	192.168.2.23
Nov 27, 2024 22:07:58.281371117 CET	20662	49800	88.151.195.95	192.168.2.23
Nov 27, 2024 22:07:58.281625986 CET	49800	20662	192.168.2.23	88.151.195.95
Nov 27, 2024 22:07:58.281660080 CET	49800	20662	192.168.2.23	88.151.195.95
Nov 27, 2024 22:08:03.545345068 CET	42386	21981	192.168.2.23	88.151.195.157
Nov 27, 2024 22:08:03.665415049 CET	21981	42386	88.151.195.157	192.168.2.23
Nov 27, 2024 22:08:03.665590048 CET	42386	21981	192.168.2.23	88.151.195.157
Nov 27, 2024 22:08:03.665606976 CET	42386	21981	192.168.2.23	88.151.195.157
Nov 27, 2024 22:08:03.785641909 CET	21981	42386	88.151.195.157	192.168.2.23
Nov 27, 2024 22:08:03.785789967 CET	42386	21981	192.168.2.23	88.151.195.157
Nov 27, 2024 22:08:03.905891895 CET	21981	42386	88.151.195.157	192.168.2.23
Nov 27, 2024 22:08:05.372843981 CET	21981	42386	88.151.195.157	192.168.2.23
Nov 27, 2024 22:08:05.372991085 CET	42386	21981	192.168.2.23	88.151.195.157
Nov 27, 2024 22:08:05.373132944 CET	42386	21981	192.168.2.23	88.151.195.157
Nov 27, 2024 22:08:08.942821026 CET	43928	443	192.168.2.23	91.189.91.42
Nov 27, 2024 22:08:10.615888119 CET	60094	2909	192.168.2.23	185.22.155.213
Nov 27, 2024 22:08:10.735955954 CET	2909	60094	185.22.155.213	192.168.2.23
Nov 27, 2024 22:08:10.736082077 CET	60094	2909	192.168.2.23	185.22.155.213
Nov 27, 2024 22:08:10.736082077 CET	60094	2909	192.168.2.23	185.22.155.213
Nov 27, 2024 22:08:10.856069088 CET	2909	60094	185.22.155.213	192.168.2.23
Nov 27, 2024 22:08:10.856193066 CET	60094	2909	192.168.2.23	185.22.155.213
Nov 27, 2024 22:08:10.976248026 CET	2909	60094	185.22.155.213	192.168.2.23
Nov 27, 2024 22:08:12.375406981 CET	2909	60094	185.22.155.213	192.168.2.23
Nov 27, 2024 22:08:12.375546932 CET	60094	2909	192.168.2.23	185.22.155.213
Nov 27, 2024 22:08:12.375577927 CET	60094	2909	192.168.2.23	185.22.155.213
Nov 27, 2024 22:08:22.630441904 CET	33888	10662	192.168.2.23	194.58.66.244
Nov 27, 2024 22:08:22.750682116 CET	10662	33888	194.58.66.244	192.168.2.23
Nov 27, 2024 22:08:22.750893116 CET	33888	10662	192.168.2.23	194.58.66.244
Nov 27, 2024 22:08:22.750926971 CET	33888	10662	192.168.2.23	194.58.66.244
Nov 27, 2024 22:08:22.871113062 CET	10662	33888	194.58.66.244	192.168.2.23
Nov 27, 2024 22:08:22.871210098 CET	33888	10662	192.168.2.23	194.58.66.244
Nov 27, 2024 22:08:22.996325970 CET	10662	33888	194.58.66.244	192.168.2.23
Nov 27, 2024 22:08:24.338896036 CET	10662	33888	194.58.66.244	192.168.2.23
Nov 27, 2024 22:08:24.339036942 CET	33888	10662	192.168.2.23	194.58.66.244
Nov 27, 2024 22:08:24.339073896 CET	33888	10662	192.168.2.23	194.58.66.244
Nov 27, 2024 22:08:30.411125898 CET	33890	10662	192.168.2.23	194.58.66.244
Nov 27, 2024 22:08:30.533055067 CET	10662	33890	194.58.66.244	192.168.2.23
Nov 27, 2024 22:08:30.533202887 CET	33890	10662	192.168.2.23	194.58.66.244
Nov 27, 2024 22:08:30.533251047 CET	33890	10662	192.168.2.23	194.58.66.244
Nov 27, 2024 22:08:30.653289080 CET	10662	33890	194.58.66.244	192.168.2.23
Nov 27, 2024 22:08:30.653424978 CET	33890	10662	192.168.2.23	194.58.66.244
Nov 27, 2024 22:08:30.774663925 CET	10662	33890	194.58.66.244	192.168.2.23
Nov 27, 2024 22:08:32.071324110 CET	10662	33890	194.58.66.244	192.168.2.23
Nov 27, 2024 22:08:32.071449995 CET	33890	10662	192.168.2.23	194.58.66.244
Nov 27, 2024 22:08:32.071491003 CET	33890	10662	192.168.2.23	194.58.66.244
Nov 27, 2024 22:08:37.842612028 CET	55996	18454	192.168.2.23	88.151.195.157
Nov 27, 2024 22:08:37.966130018 CET	18454	55996	88.151.195.157	192.168.2.23
Nov 27, 2024 22:08:37.966265917 CET	55996	18454	192.168.2.23	88.151.195.157
Nov 27, 2024 22:08:37.966320992 CET	55996	18454	192.168.2.23	88.151.195.157
Nov 27, 2024 22:08:38.090595007 CET	18454	55996	88.151.195.157	192.168.2.23
Nov 27, 2024 22:08:38.090737104 CET	55996	18454	192.168.2.23	88.151.195.157
Nov 27, 2024 22:08:38.211010933 CET	18454	55996	88.151.195.157	192.168.2.23
Nov 27, 2024 22:08:39.566927910 CET	18454	55996	88.151.195.157	192.168.2.23
Nov 27, 2024 22:08:39.567059040 CET	55996	18454	192.168.2.23	88.151.195.157
Nov 27, 2024 22:08:39.567111969 CET	55996	18454	192.168.2.23	88.151.195.157
Nov 27, 2024 22:08:44.886929989 CET	47972	23729	192.168.2.23	194.87.198.191
Nov 27, 2024 22:08:45.007096052 CET	23729	47972	194.87.198.191	192.168.2.23
Nov 27, 2024 22:08:45.007227898 CET	47972	23729	192.168.2.23	194.87.198.191
Nov 27, 2024 22:08:45.007266998 CET	47972	23729	192.168.2.23	194.87.198.191
Nov 27, 2024 22:08:45.127190113 CET	23729	47972	194.87.198.191	192.168.2.23
Nov 27, 2024 22:08:45.127405882 CET	47972	23729	192.168.2.23	194.87.198.191
Nov 27, 2024 22:08:45.248018026 CET	23729	47972	194.87.198.191	192.168.2.23
Nov 27, 2024 22:08:46.609153986 CET	23729	47972	194.87.198.191	192.168.2.23
Nov 27, 2024 22:08:46.609288931 CET	47972	23729	192.168.2.23	194.87.198.191
Nov 27, 2024 22:08:46.609328032 CET	47972	23729	192.168.2.23	194.87.198.191
Nov 27, 2024 22:08:51.869901896 CET	37104	4084	192.168.2.23	31.13.248.13
Nov 27, 2024 22:08:51.989934921 CET	4084	37104	31.13.248.13	192.168.2.23
Nov 27, 2024 22:08:51.990120888 CET	37104	4084	192.168.2.23	31.13.248.13
Nov 27, 2024 22:08:51.990355968 CET	37104	4084	192.168.2.23	31.13.248.13
Nov 27, 2024 22:08:52.110256910 CET	4084	37104	31.13.248.13	192.168.2.23
Nov 27, 2024 22:08:52.110440016 CET	37104	4084	192.168.2.23	31.13.248.13
Nov 27, 2024 22:08:52.230639935 CET	4084	37104	31.13.248.13	192.168.2.23
Nov 27, 2024 22:08:53.664942026 CET	4084	37104	31.13.248.13	192.168.2.23
Nov 27, 2024 22:08:53.665080070 CET	37104	4084	192.168.2.23	31.13.248.13
Nov 27, 2024 22:08:53.665124893 CET	37104	4084	192.168.2.23	31.13.248.13
Nov 27, 2024 22:09:04.460207939 CET	37106	4084	192.168.2.23	31.13.248.13
Nov 27, 2024 22:09:04.580178022 CET	4084	37106	31.13.248.13	192.168.2.23
Nov 27, 2024 22:09:04.580415010 CET	37106	4084	192.168.2.23	31.13.248.13
Nov 27, 2024 22:09:04.580415010 CET	37106	4084	192.168.2.23	31.13.248.13
Nov 27, 2024 22:09:04.700494051 CET	4084	37106	31.13.248.13	192.168.2.23
Nov 27, 2024 22:09:04.700752974 CET	37106	4084	192.168.2.23	31.13.248.13
Nov 27, 2024 22:09:04.820739031 CET	4084	37106	31.13.248.13	192.168.2.23
Nov 27, 2024 22:09:06.217617989 CET	4084	37106	31.13.248.13	192.168.2.23
Nov 27, 2024 22:09:06.217727900 CET	37106	4084	192.168.2.23	31.13.248.13
Nov 27, 2024 22:09:06.217772007 CET	37106	4084	192.168.2.23	31.13.248.13

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 27, 2024 22:07:06.280608892 CET	51768	53	192.168.2.23	109.91.184.21
Nov 27, 2024 22:07:06.550291061 CET	53	51768	109.91.184.21	192.168.2.23
Nov 27, 2024 22:07:13.360575914 CET	42389	53	192.168.2.23	168.235.111.72
Nov 27, 2024 22:07:13.669661045 CET	53	42389	168.235.111.72	192.168.2.23
Nov 27, 2024 22:07:20.426239967 CET	57966	53	192.168.2.23	81.169.136.222
Nov 27, 2024 22:07:20.666894913 CET	53	57966	81.169.136.222	192.168.2.23
Nov 27, 2024 22:07:27.024255037 CET	55425	53	192.168.2.23	80.152.203.134
Nov 27, 2024 22:07:27.372140884 CET	53	55425	80.152.203.134	192.168.2.23
Nov 27, 2024 22:07:34.235390902 CET	36031	53	192.168.2.23	81.169.136.222
Nov 27, 2024 22:07:34.475756884 CET	53	36031	81.169.136.222	192.168.2.23
Nov 27, 2024 22:07:34.478236914 CET	47641	53	192.168.2.23	185.181.61.24
Nov 27, 2024 22:07:34.738637924 CET	53	47641	185.181.61.24	192.168.2.23
Nov 27, 2024 22:07:34.740274906 CET	51805	53	192.168.2.23	152.53.15.127
Nov 27, 2024 22:07:34.989392996 CET	53	51805	152.53.15.127	192.168.2.23
Nov 27, 2024 22:07:34.991029978 CET	42426	53	192.168.2.23	109.91.184.21
Nov 27, 2024 22:07:35.276370049 CET	53	42426	109.91.184.21	192.168.2.23
Nov 27, 2024 22:07:42.084271908 CET	40068	53	192.168.2.23	185.181.61.24
Nov 27, 2024 22:07:42.342780113 CET	53	40068	185.181.61.24	192.168.2.23
Nov 27, 2024 22:07:49.151252985 CET	46766	53	192.168.2.23	152.53.15.127
Nov 27, 2024 22:07:49.397146940 CET	53	46766	152.53.15.127	192.168.2.23
Nov 27, 2024 22:07:56.264591932 CET	48184	53	192.168.2.23	194.36.144.87
Nov 27, 2024 22:07:56.508559942 CET	53	48184	194.36.144.87	192.168.2.23
Nov 27, 2024 22:08:03.283554077 CET	53191	53	192.168.2.23	185.181.61.24
Nov 27, 2024 22:08:03.544771910 CET	53	53191	185.181.61.24	192.168.2.23
Nov 27, 2024 22:08:10.374736071 CET	60786	53	192.168.2.23	81.169.136.222
Nov 27, 2024 22:08:10.614696980 CET	53	60786	81.169.136.222	192.168.2.23
Nov 27, 2024 22:08:17.377230883 CET	58629	53	192.168.2.23	168.138.12.137
Nov 27, 2024 22:08:22.383253098 CET	50914	53	192.168.2.23	152.53.15.127
Nov 27, 2024 22:08:22.629513025 CET	53	50914	152.53.15.127	192.168.2.23
Nov 27, 2024 22:08:29.341572046 CET	39299	53	192.168.2.23	109.91.184.21
Nov 27, 2024 22:08:29.621746063 CET	53	39299	109.91.184.21	192.168.2.23
Nov 27, 2024 22:08:29.623692036 CET	60814	53	192.168.2.23	185.181.61.24
Nov 27, 2024 22:08:29.883399963 CET	53	60814	185.181.61.24	192.168.2.23
Nov 27, 2024 22:08:29.885046005 CET	54505	53	192.168.2.23	109.91.184.21
Nov 27, 2024 22:08:30.164033890 CET	53	54505	109.91.184.21	192.168.2.23
Nov 27, 2024 22:08:30.165960073 CET	51804	53	192.168.2.23	152.53.15.127
Nov 27, 2024 22:08:30.410227060 CET	53	51804	152.53.15.127	192.168.2.23
Nov 27, 2024 22:08:37.074311018 CET	37347	53	192.168.2.23	217.160.70.42
Nov 27, 2024 22:08:37.330255985 CET	53	37347	217.160.70.42	192.168.2.23
Nov 27, 2024 22:08:37.332043886 CET	54239	53	192.168.2.23	185.181.61.24
Nov 27, 2024 22:08:37.599608898 CET	53	54239	185.181.61.24	192.168.2.23
Nov 27, 2024 22:08:37.601541996 CET	47830	53	192.168.2.23	202.61.197.122
Nov 27, 2024 22:08:37.841567039 CET	53	47830	202.61.197.122	192.168.2.23
Nov 27, 2024 22:08:44.568922997 CET	40942	53	192.168.2.23	168.235.111.72
Nov 27, 2024 22:08:44.886246920 CET	53	40942	168.235.111.72	192.168.2.23
Nov 27, 2024 22:08:51.611243963 CET	58746	53	192.168.2.23	152.53.15.127
Nov 27, 2024 22:08:51.869311094 CET	53	58746	152.53.15.127	192.168.2.23
Nov 27, 2024 22:08:58.666738987 CET	47367	53	192.168.2.23	109.91.184.21
Nov 27, 2024 22:08:58.959351063 CET	53	47367	109.91.184.21	192.168.2.23
Nov 27, 2024 22:08:58.960532904 CET	59913	53	192.168.2.23	81.169.136.222
Nov 27, 2024 22:08:59.202756882 CET	53	59913	81.169.136.222	192.168.2.23
Nov 27, 2024 22:08:59.203685999 CET	41494	53	192.168.2.23	109.91.184.21
Nov 27, 2024 22:09:04.209559917 CET	56679	53	192.168.2.23	81.169.136.222
Nov 27, 2024 22:09:04.459546089 CET	53	56679	81.169.136.222	192.168.2.23
Nov 27, 2024 22:09:11.219732046 CET	52059	53	192.168.2.23	109.91.184.21
Nov 27, 2024 22:09:11.513989925 CET	53	52059	109.91.184.21	192.168.2.23
Nov 27, 2024 22:09:11.514842033 CET	33306	53	192.168.2.23	194.36.144.87
Nov 27, 2024 22:09:11.769685984 CET	53	33306	194.36.144.87	192.168.2.23
Nov 27, 2024 22:09:11.771399021 CET	60351	53	192.168.2.23	109.91.184.21

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 27, 2024 22:07:06.280608892 CET	192.168.2.23	109.91.184.21	0x7a63	Standard query (0)	hikvision.geek	A (IP address)	IN (0x0001)	false
Nov 27, 2024 22:07:13.360575914 CET	192.168.2.23	168.235.111.72	0x565e	Standard query (0)	catlovingfools.geek	A (IP address)	IN (0x0001)	false
Nov 27, 2024 22:07:20.426239967 CET	192.168.2.23	81.169.136.222	0xba94	Standard query (0)	catlovingfools.geek	A (IP address)	IN (0x0001)	false
Nov 27, 2024 22:07:27.024255037 CET	192.168.2.23	80.152.203.134	0x49eb	Standard query (0)	catlovingfools.geek	A (IP address)	IN (0x0001)	false
Nov 27, 2024 22:07:34.235390902 CET	192.168.2.23	81.169.136.222	0x86c	Standard query (0)	hikvision.geek. [malformed]	256	278	false
Nov 27, 2024 22:07:34.478236914 CET	192.168.2.23	185.181.61.24	0x259d	Standard query (0)	catlovingfools.geek. [malformed]	256	278	false
Nov 27, 2024 22:07:34.740274906 CET	192.168.2.23	152.53.15.127	0x5493	Standard query (0)	catvision.dyn. [malformed]	256	278	false
Nov 27, 2024 22:07:34.991029978 CET	192.168.2.23	109.91.184.21	0xd752	Standard query (0)	shitrocket.dyn	A (IP address)	IN (0x0001)	false
Nov 27, 2024 22:07:42.084271908 CET	192.168.2.23	185.181.61.24	0x4f8c	Standard query (0)	shitrocket.dyn	A (IP address)	IN (0x0001)	false
Nov 27, 2024 22:07:49.151252985 CET	192.168.2.23	152.53.15.127	0x232b	Standard query (0)	shitrocket.dyn	A (IP address)	IN (0x0001)	false
Nov 27, 2024 22:07:56.264591932 CET	192.168.2.23	194.36.144.87	0x1e9e	Standard query (0)	shitrocket.dyn	A (IP address)	IN (0x0001)	false
Nov 27, 2024 22:08:03.283554077 CET	192.168.2.23	185.181.61.24	0xe1be	Standard query (0)	shitrocket.dyn	A (IP address)	IN (0x0001)	false
Nov 27, 2024 22:08:10.374736071 CET	192.168.2.23	81.169.136.222	0xb22c	Standard query (0)	shitrocket.dyn	A (IP address)	IN (0x0001)	false
Nov 27, 2024 22:08:17.377230883 CET	192.168.2.23	168.138.12.137	0x4bcd	Standard query (0)	catvision.dyn. [malformed]	256	326	false
Nov 27, 2024 22:08:22.383253098 CET	192.168.2.23	152.53.15.127	0xbb6a	Standard query (0)	hikvision.geek	A (IP address)	IN (0x0001)	false
Nov 27, 2024 22:08:29.341572046 CET	192.168.2.23	109.91.184.21	0xdbda	Standard query (0)	catvision.dyn. [malformed]	256	333	false
Nov 27, 2024 22:08:29.623692036 CET	192.168.2.23	185.181.61.24	0x5456	Standard query (0)	catlovingfools.geek. [malformed]	256	333	false
Nov 27, 2024 22:08:29.885046005 CET	192.168.2.23	109.91.184.21	0x6b4c	Standard query (0)	shitrocket.dyn. [malformed]	256	334	false
Nov 27, 2024 22:08:30.165960073 CET	192.168.2.23	152.53.15.127	0x35be	Standard query (0)	hikvision.geek. [malformed]	256	334	false
Nov 27, 2024 22:08:37.074311018 CET	192.168.2.23	217.160.70.42	0xe688	Standard query (0)	hikvision.geek. [malformed]	256	341	false
Nov 27, 2024 22:08:37.332043886 CET	192.168.2.23	185.181.61.24	0xd6c6	Standard query (0)	catvision.dyn. [malformed]	256	341	false
Nov 27, 2024 22:08:37.601541996 CET	192.168.2.23	202.61.197.122	0xdf80	Standard query (0)	shitrocket.dyn	A (IP address)	IN (0x0001)	false
Nov 27, 2024 22:08:44.568922997 CET	192.168.2.23	168.235.111.72	0xfc19	Standard query (0)	hikvision.geek	A (IP address)	IN (0x0001)	false
Nov 27, 2024 22:08:51.611243963 CET	192.168.2.23	152.53.15.127	0xdd7	Standard query (0)	hikvision.geek	A (IP address)	IN (0x0001)	false
Nov 27, 2024 22:08:58.666738987 CET	192.168.2.23	109.91.184.21	0x3d50	Standard query (0)	catlovingfools.geek. [malformed]	256	362	false
Nov 27, 2024 22:08:58.960532904 CET	192.168.2.23	81.169.136.222	0xb658	Standard query (0)	shitrocket.dyn. [malformed]	256	363	false
Nov 27, 2024 22:08:59.203685999 CET	192.168.2.23	109.91.184.21	0xbc2	Standard query (0)	hikvision.geek. [malformed]	256	368	false
Nov 27, 2024 22:09:04.209559917 CET	192.168.2.23	81.169.136.222	0xd1f9	Standard query (0)	catvision.dyn. [malformed]	256	368	false
Nov 27, 2024 22:09:11.219732046 CET	192.168.2.23	109.91.184.21	0x105d	Standard query (0)	catvision.dyn. [malformed]	256	375	false
Nov 27, 2024 22:09:11.514842033 CET	192.168.2.23	194.36.144.87	0x36e	Standard query (0)	catlovingfools.geek. [malformed]	256	375	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 27, 2024 22:07:34.989392996 CET	152.53.15.127	192.168.2.23	0x5493	Format error (1)	catvision.dyn. [malformed]	none	none	256	278	false
Nov 27, 2024 22:08:29.621746063 CET	109.91.184.21	192.168.2.23	0xdbda	Format error (1)	catvision.dyn. [malformed]	none	none	256	333	false
Nov 27, 2024 22:08:30.164033890 CET	109.91.184.21	192.168.2.23	0x6b4c	Format error (1)	shitrocket.dyn. [malformed]	none	none	256	334	false
Nov 27, 2024 22:08:30.410227060 CET	152.53.15.127	192.168.2.23	0x35be	Format error (1)	hikvision.geek. [malformed]	none	none	256	334	false
Nov 27, 2024 22:08:58.959351063 CET	109.91.184.21	192.168.2.23	0x3d50	Not Implemented (4)	catlovingfools.geek. [malformed]	none	none	256	362	false
Nov 27, 2024 22:09:11.513989925 CET	109.91.184.21	192.168.2.23	0x105d	Format error (1)	catvision.dyn. [malformed]	none	none	256	375	false
Nov 27, 2024 22:09:11.769685984 CET	194.36.144.87	192.168.2.23	0x36e	Format error (1)	catlovingfools.geek. [malformed]	none	none	256	375	false

System Behavior

Analysis Process: harm4.elf PID: 6218, Parent PID: 6133

General

Start time (UTC):	21:07:05
Start date (UTC):	27/11/2024
Path:	/tmp/harm4.elf
Arguments:	/tmp/harm4.elf
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: harm4.elf PID: 6220, Parent PID: 6218

General

Start time (UTC):	21:07:05
Start date (UTC):	27/11/2024
Path:	/tmp/harm4.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report harm4.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

Networking

System Summary

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: harm4.elf PID: 6218, Parent PID: 6133

General

Chronological Activities

Analysis Process: harm4.elf PID: 6220, Parent PID: 6218

General

Chronological Activities

Linux Analysis Report
harm4.elf