Edit tour

Linux Analysis Report
ppc.elf

Overview

General Information

Sample name:	ppc.elf
Analysis ID:	1565779
MD5:	7d2d841b43e6d24f359d97e6d324427c
SHA1:	7f503d1d7f87ffa130a9e59698b8e8ddffbd815e
SHA256:	c99eb6d238f76158f76cc9691bae6826e560fc41ca3b5cc930a27c08ea26d62d
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Connects to many ports of the same IP (likely port scanning)

Sample reads /proc/mounts (often used for finding a writable filesystem)

Sends malformed DNS queries

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Executes the "rm" command used to delete files or directories

Sample has stripped symbol table

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Sleeps for long times indicative of sandbox evasion

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1565779
Start date and time:	2024-11-30 20:02:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	ppc.elf
Detection:	MAL
Classification:	mal60.troj.linELF@0/0@44/0

Warnings

VT rate limit hit for: ppc.elf

Runtime Messages

Command:	/tmp/ppc.elf
PID:	6234
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	I just wanna look after my cats, man.
Standard Error:

Process Tree

system is lnxubuntu20

ppc.elf (PID: 6234, Parent: 6158, MD5: ae65271c943d3451b7f026d1fadccea6) Arguments: /tmp/ppc.elf

ppc.elf New Fork (PID: 6276, Parent: 6234)

ppc.elf New Fork (PID: 6313, Parent: 6276)

ppc.elf New Fork (PID: 6315, Parent: 6276)

ppc.elf New Fork (PID: 6502, Parent: 6315)

ppc.elf New Fork (PID: 6504, Parent: 6502)

ppc.elf New Fork (PID: 6277, Parent: 6234)

ppc.elf New Fork (PID: 6280, Parent: 6234)

ppc.elf New Fork (PID: 6475, Parent: 6280)

ppc.elf New Fork (PID: 6477, Parent: 6475)

dash New Fork (PID: 6380, Parent: 4332)

rm (PID: 6380, Parent: 4332, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.ZVIY9iWyCT /tmp/tmp.qRXT3uvP5q /tmp/tmp.82xzlcmDwb

dash New Fork (PID: 6381, Parent: 4332)

rm (PID: 6381, Parent: 4332, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.ZVIY9iWyCT /tmp/tmp.qRXT3uvP5q /tmp/tmp.82xzlcmDwb

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: ppc.elf

ReversingLabs: Detection: 13%

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 38.114.100.142 ports 3548,3,4,5,8,4413
Source: global traffic	TCP traffic: 86.107.100.88 ports 1,15817,2,3,8,13238
Source: global traffic	TCP traffic: 166.88.130.30 ports 24205,7360,0,3,6,7
Source: global traffic	TCP traffic: 195.133.53.106 ports 21469,1,2,4,6,9
Source: global traffic	TCP traffic: 212.192.15.158 ports 9401,0,1,4,9,15115
Source: global traffic	TCP traffic: 45.147.200.148 ports 9775,3548,3,4,5,8
Source: global traffic	TCP traffic: 128.254.146.232 ports 24812,1,2,4,3136,8

Sends malformed DNS queries

Source: global traffic	DNS traffic detected: malformed DNS query: catvision.dyn. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: shitrocket.dyn. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: hikvision.geek. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: catlovingfools.geek. [malformed]

Source: global traffic	TCP traffic: 192.168.2.23:58018 -> 212.192.15.158:9401
Source: global traffic	TCP traffic: 192.168.2.23:39626 -> 86.107.100.88:13238
Source: global traffic	TCP traffic: 192.168.2.23:35536 -> 185.22.155.152:2555
Source: global traffic	TCP traffic: 192.168.2.23:42792 -> 185.22.153.100:2555
Source: global traffic	TCP traffic: 192.168.2.23:50040 -> 5.39.254.71:22487
Source: global traffic	TCP traffic: 192.168.2.23:55198 -> 128.254.146.232:24812
Source: global traffic	TCP traffic: 192.168.2.23:33030 -> 38.114.100.142:3548
Source: global traffic	TCP traffic: 192.168.2.23:33826 -> 45.147.200.148:3548
Source: global traffic	TCP traffic: 192.168.2.23:41104 -> 195.133.53.106:21469
Source: global traffic	TCP traffic: 192.168.2.23:42442 -> 166.88.130.30:7360
Source: global traffic	TCP traffic: 192.168.2.23:37578 -> 88.151.195.95:7360
Source: global traffic	TCP traffic: 192.168.2.23:47426 -> 31.13.248.234:4673
Source: global traffic	TCP traffic: 192.168.2.23:32812 -> 176.32.39.112:22105
Source: global traffic	TCP traffic: 192.168.2.23:44464 -> 194.58.66.244:6888
Source: global traffic	TCP traffic: 192.168.2.23:42288 -> 103.136.150.114:2029

Source: /tmp/ppc.elf (PID: 6234)

Socket: 127.0.0.1:1172

Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.15.158
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.15.158
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.15.158
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.100.88
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.15.158
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.100.88
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.100.88
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.100.88
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.15.158
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.15.158
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.100.88
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.100.88
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.22.155.152
Source: unknown	TCP traffic detected without corresponding DNS query: 185.22.155.152
Source: unknown	TCP traffic detected without corresponding DNS query: 185.22.155.152
Source: unknown	TCP traffic detected without corresponding DNS query: 185.22.155.152
Source: unknown	TCP traffic detected without corresponding DNS query: 185.22.153.100
Source: unknown	TCP traffic detected without corresponding DNS query: 185.22.153.100
Source: unknown	TCP traffic detected without corresponding DNS query: 185.22.153.100
Source: unknown	TCP traffic detected without corresponding DNS query: 185.22.153.100
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 185.22.155.152
Source: unknown	TCP traffic detected without corresponding DNS query: 185.22.155.152
Source: unknown	TCP traffic detected without corresponding DNS query: 185.22.153.100
Source: unknown	TCP traffic detected without corresponding DNS query: 185.22.153.100
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 128.254.146.232
Source: unknown	TCP traffic detected without corresponding DNS query: 128.254.146.232
Source: unknown	TCP traffic detected without corresponding DNS query: 128.254.146.232
Source: unknown	TCP traffic detected without corresponding DNS query: 128.254.146.232
Source: unknown	TCP traffic detected without corresponding DNS query: 128.254.146.232
Source: unknown	TCP traffic detected without corresponding DNS query: 128.254.146.232
Source: unknown	TCP traffic detected without corresponding DNS query: 128.254.146.232
Source: unknown	TCP traffic detected without corresponding DNS query: 128.254.146.232
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 128.254.146.232

Source: global traffic	DNS traffic detected: DNS query: hikvision.geek
Source: global traffic	DNS traffic detected: DNS query: catvision.dyn
Source: global traffic	DNS traffic detected: DNS query: shitrocket.dyn
Source: global traffic	DNS traffic detected: DNS query: catvision.dyn. [malformed]
Source: global traffic	DNS traffic detected: DNS query: catlovingfools.geek
Source: global traffic	DNS traffic detected: DNS query: shitrocket.dyn. [malformed]
Source: global traffic	DNS traffic detected: DNS query: hikvision.geek. [malformed]
Source: global traffic	DNS traffic detected: DNS query: catlovingfools.geek. [malformed]

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 33606
Source: unknown	Network traffic detected: HTTP traffic on port 33606 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/ppc.elf (PID: 6504)	SIGKILL sent: pid: 1860, result: successful			Jump to behavior
Source: /tmp/ppc.elf (PID: 6477)	SIGKILL sent: pid: 1860, result: successful			Jump to behavior

Source: classification engine

Classification label: mal60.troj.linELF@0/0@44/0

Persistence and Installation Behavior

Sample reads /proc/mounts (often used for finding a writable filesystem)

Source: /tmp/ppc.elf (PID: 6234)

File: /proc/6234/mounts

Jump to behavior

Source: /tmp/ppc.elf (PID: 6313)	File opened: /proc/6410/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 6313)	File opened: /proc/6412/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 6313)	File opened: /proc/6411/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 6313)	File opened: /proc/6403/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 6313)	File opened: /proc/6402/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 6313)	File opened: /proc/6405/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 6313)	File opened: /proc/6404/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 6313)	File opened: /proc/6407/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 6313)	File opened: /proc/6406/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 6313)	File opened: /proc/6409/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 6313)	File opened: /proc/6408/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 6313)	File opened: /proc/6384/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 6313)	File opened: /proc/6383/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 6313)	File opened: /proc/6364/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 6313)	File opened: /proc/6386/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 6313)	File opened: /proc/6385/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 6313)	File opened: /proc/6388/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 6313)	File opened: /proc/6366/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 6313)	File opened: /proc/6387/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 6313)	File opened: /proc/6401/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 6313)	File opened: /proc/6368/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 6313)	File opened: /proc/6400/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 6313)	File opened: /proc/6061/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 6313)	File opened: /proc/6382/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 6313)	File opened: /proc/6414/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 6313)	File opened: /proc/6413/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 6313)	File opened: /proc/6416/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 6313)	File opened: /proc/6415/status	Jump to behavior

Source: /usr/bin/dash (PID: 6380)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.ZVIY9iWyCT /tmp/tmp.qRXT3uvP5q /tmp/tmp.82xzlcmDwb			Jump to behavior
Source: /usr/bin/dash (PID: 6381)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.ZVIY9iWyCT /tmp/tmp.qRXT3uvP5q /tmp/tmp.82xzlcmDwb			Jump to behavior

Source: /tmp/ppc.elf (PID: 6504)	Sleeps longer then 60s: 60.0s			Jump to behavior
Source: /tmp/ppc.elf (PID: 6477)	Sleeps longer then 60s: 60.0s			Jump to behavior

Source: /tmp/ppc.elf (PID: 6234)

Queries kernel information via 'uname':

Jump to behavior

Source: ppc.elf, 6504.1.0000558e10b6c000.0000558e10c42000.rw-.sdmp	Binary or memory string: U/ppc/ro10!/usr/bin/xfce4-session!/usr/bin/vmtoolsd1`r
Source: ppc.elf, 6234.1.00007ffcde483000.00007ffcde4a4000.rw-.sdmp, ppc.elf, 6276.1.00007ffcde483000.00007ffcde4a4000.rw-.sdmp, ppc.elf, 6502.1.00007ffcde483000.00007ffcde4a4000.rw-.sdmp, ppc.elf, 6504.1.00007ffcde483000.00007ffcde4a4000.rw-.sdmp, ppc.elf, 6277.1.00007ffcde483000.00007ffcde4a4000.rw-.sdmp, ppc.elf, 6475.1.00007ffcde483000.00007ffcde4a4000.rw-.sdmp, ppc.elf, 6477.1.00007ffcde483000.00007ffcde4a4000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-ppc/tmp/ppc.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/ppc.elf
Source: ppc.elf, 6477.1.0000558e10b6c000.0000558e10c42000.rw-.sdmp	Binary or memory string: /usr/bin/vmtoolsd
Source: ppc.elf, 6234.1.0000558e10b6c000.0000558e10c42000.rw-.sdmp, ppc.elf, 6276.1.0000558e10b6c000.0000558e10c42000.rw-.sdmp, ppc.elf, 6502.1.0000558e10b6c000.0000558e10c42000.rw-.sdmp, ppc.elf, 6504.1.0000558e10b6c000.0000558e10c42000.rw-.sdmp, ppc.elf, 6277.1.0000558e10b6c000.0000558e10c42000.rw-.sdmp, ppc.elf, 6475.1.0000558e10b6c000.0000558e10c42000.rw-.sdmp, ppc.elf, 6477.1.0000558e10b6c000.0000558e10c42000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/ppc
Source: ppc.elf, 6234.1.00007ffcde483000.00007ffcde4a4000.rw-.sdmp, ppc.elf, 6276.1.00007ffcde483000.00007ffcde4a4000.rw-.sdmp, ppc.elf, 6502.1.00007ffcde483000.00007ffcde4a4000.rw-.sdmp, ppc.elf, 6504.1.00007ffcde483000.00007ffcde4a4000.rw-.sdmp, ppc.elf, 6277.1.00007ffcde483000.00007ffcde4a4000.rw-.sdmp, ppc.elf, 6475.1.00007ffcde483000.00007ffcde4a4000.rw-.sdmp, ppc.elf, 6477.1.00007ffcde483000.00007ffcde4a4000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-ppc
Source: ppc.elf, 6477.1.0000558e10b6c000.0000558e10c42000.rw-.sdmp	Binary or memory string: U/ppc/ro10 /usr/bin/xfce4-session!/usr/bin/vmtoolsd1
Source: ppc.elf, 6234.1.0000558e10b6c000.0000558e10c42000.rw-.sdmp, ppc.elf, 6276.1.0000558e10b6c000.0000558e10c42000.rw-.sdmp, ppc.elf, 6502.1.0000558e10b6c000.0000558e10c42000.rw-.sdmp, ppc.elf, 6504.1.0000558e10b6c000.0000558e10c42000.rw-.sdmp, ppc.elf, 6277.1.0000558e10b6c000.0000558e10c42000.rw-.sdmp, ppc.elf, 6475.1.0000558e10b6c000.0000558e10c42000.rw-.sdmp, ppc.elf, 6477.1.0000558e10b6c000.0000558e10c42000.rw-.sdmp	Binary or memory string: !/etc/qemu-binfmt/ppc1/usr/lib/systemd/systemd-logind1/proc/112/exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Virtualization/Sandbox Evasion	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 File Deletion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ppc.elf	13%	ReversingLabs	Linux.Trojan.Mirai

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
catlovingfools.geek. [malformed]	unknown	unknown	true	unknown
catvision.dyn	unknown	unknown	true	unknown
shitrocket.dyn	unknown	unknown	true	unknown
catlovingfools.geek	unknown	unknown	true	unknown
shitrocket.dyn. [malformed]	unknown	unknown	true	unknown
hikvision.geek. [malformed]	unknown	unknown	true	unknown
catvision.dyn. [malformed]	unknown	unknown	true	unknown
hikvision.geek	unknown	unknown	true	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
194.58.66.244	unknown	Russian Federation	2118	RELCOM-ASRelcomGroup19022019RU	false
54.171.230.55	unknown	United States	16509	AMAZON-02US	false
195.133.53.106	unknown	Russian Federation	21453	FLEX-ASRU	true
212.192.15.158	unknown	Russian Federation	49392	ASBAXETNRU	true
45.147.200.148	unknown	Russian Federation	51659	ASBAXETRU	true
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false
5.39.254.71	unknown	United Kingdom	30938	ABSTATIONwwwabstationnetGB	false
88.151.195.95	unknown	Azerbaijan	15723	AZERONLINEAZ	false
38.114.100.142	unknown	United States	22926	AS-WISPERUS	true
31.13.248.234	unknown	Bulgaria	34224	NETERRA-ASBG	false
185.22.155.152	unknown	Russian Federation	51659	ASBAXETRU	false
185.22.153.100	unknown	Russian Federation	51659	ASBAXETRU	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
176.32.39.112	unknown	Russian Federation	51659	ASBAXETRU	false
86.107.100.88	unknown	Romania	38995	AMG-ASRO	true
166.88.130.30	unknown	United States	18779	EGIHOSTINGUS	true
103.136.150.114	unknown	Hong Kong	46261	QUICKPACKETUS	false
128.254.146.232	unknown	United States	2552	WUSTL-ASNUS	true

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
54.171.230.55	hmips.elf	Get hash	malicious	Unknown	Browse
	arm5.elf	Get hash	malicious	Mirai	Browse
	sora.ppc.elf	Get hash	malicious	Unknown	Browse
	dlr.arm7.elf	Get hash	malicious	Mirai	Browse
	m68k.elf	Get hash	malicious	Unknown	Browse
	bot.mpsl.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse
	hidakibest.arm7.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	sora.i686.elf	Get hash	malicious	Unknown	Browse
	loligang.arm5.elf	Get hash	malicious	Mirai	Browse
	loligang.arm6.elf	Get hash	malicious	Mirai	Browse
194.58.66.244	hmips.elf	Get hash	malicious	Unknown	Browse
	harm4.elf	Get hash	malicious	Unknown	Browse
	hmips.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	x86.elf	Get hash	malicious	Unknown	Browse
	ppc.elf	Get hash	malicious	Unknown	Browse
	hmips.elf	Get hash	malicious	Unknown	Browse
195.133.53.106	hmips.elf	Get hash	malicious	Unknown	Browse
	arm.elf	Get hash	malicious	Unknown	Browse
	hmips.elf	Get hash	malicious	Unknown	Browse
	ppc.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	ppc.elf	Get hash	malicious	Unknown	Browse
212.192.15.158	hmips.elf	Get hash	malicious	Unknown	Browse
212.192.15.158	mips.elf	Get hash	malicious	Unknown	Browse
45.147.200.148	hmips.elf	Get hash	malicious	Unknown	Browse
	harm4.elf	Get hash	malicious	Unknown	Browse
	harm5.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	hmips.elf	Get hash	malicious	Unknown	Browse
	ppc.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	ppc.elf	Get hash	malicious	Unknown	Browse
	hmips.elf	Get hash	malicious	Unknown	Browse
91.189.91.43	x86.elf	Get hash	malicious	Unknown	Browse
	.i.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	.i.elf	Get hash	malicious	Unknown	Browse
	spc.elf	Get hash	malicious	Unknown	Browse
	sh4.elf	Get hash	malicious	Unknown	Browse
	arm.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	.i.elf	Get hash	malicious	Unknown	Browse
	sora.arm6.elf	Get hash	malicious	Mirai	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RELCOM-ASRelcomGroup19022019RU	hmips.elf	Get hash	malicious	Unknown	Browse	194.58.66.131
	harm4.elf	Get hash	malicious	Unknown	Browse	194.58.66.244
	harm5.elf	Get hash	malicious	Unknown	Browse	194.58.66.131
	hmips.elf	Get hash	malicious	Unknown	Browse	194.58.66.244
	arm7.elf	Get hash	malicious	Unknown	Browse	194.87.30.79
	x86.elf	Get hash	malicious	Unknown	Browse	194.58.66.244
	ppc.elf	Get hash	malicious	Unknown	Browse	194.87.30.79
	hmips.elf	Get hash	malicious	Unknown	Browse	194.87.30.79
	Supply Contract 12 Additional Agreement to 76_24_.exe	Get hash	malicious	GuLoader, Remcos	Browse	194.58.83.68
	lchs.exe	Get hash	malicious	Quasar	Browse	193.124.33.141
AMAZON-02US	sora.m68k.elf	Get hash	malicious	Mirai	Browse	75.3.32.164
	hmips.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	loligang.arm7.elf	Get hash	malicious	Mirai	Browse	108.139.28.8
	sh4.elf	Get hash	malicious	Mirai, Moobot	Browse	108.142.136.196
	loligang.spc.elf	Get hash	malicious	Mirai	Browse	54.102.188.116
	loligang.arm.elf	Get hash	malicious	Mirai	Browse	13.214.128.121
	mpsl.elf	Get hash	malicious	Mirai, Moobot	Browse	54.104.26.167
	arm5.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	loligang.x86.elf	Get hash	malicious	Mirai	Browse	18.253.96.53
	spc.elf	Get hash	malicious	Mirai, Moobot	Browse	54.101.122.142
ASBAXETNRU	hmips.elf	Get hash	malicious	Unknown	Browse	212.192.15.158
	siveria.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	45.130.145.152
	unique.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	45.130.145.152
	siveria.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	45.130.145.152
	1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe	Get hash	malicious	Remcos	Browse	45.135.232.38
	mips.elf	Get hash	malicious	Unknown	Browse	212.192.15.158
	chelentano.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	45.130.145.152
	m2.exe	Get hash	malicious	Xmrig	Browse	194.87.31.45
	9RM52QaURq.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	45.130.145.152
	HZ1BUCfTne.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	45.130.145.152
FLEX-ASRU	hmips.elf	Get hash	malicious	Unknown	Browse	195.133.53.106
	arm.elf	Get hash	malicious	Unknown	Browse	195.133.53.106
	hmips.elf	Get hash	malicious	Unknown	Browse	195.133.53.106
	ppc.elf	Get hash	malicious	Unknown	Browse	195.133.53.106
	arm7.elf	Get hash	malicious	Unknown	Browse	195.133.53.106
	ppc.elf	Get hash	malicious	Unknown	Browse	195.133.53.106
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	178.167.66.6
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	195.133.29.42
	IlyNpnwGBF.elf	Get hash	malicious	Mirai	Browse	94.253.22.173
	bin.x86_64.elf	Get hash	malicious	Gafgyt, Mirai	Browse	195.133.7.148

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.162392548707224
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	ppc.elf
File size:	67'016 bytes
MD5:	7d2d841b43e6d24f359d97e6d324427c
SHA1:	7f503d1d7f87ffa130a9e59698b8e8ddffbd815e
SHA256:	c99eb6d238f76158f76cc9691bae6826e560fc41ca3b5cc930a27c08ea26d62d
SHA512:	6bfc18c2933b596f9ae60d67384e16dc1ad8c4d0a30a4a784fb9dfb415aa412fb68dca73bf922c66008719e87693d72c6d6668e59d72dfef925b6d3c70553362
SSDEEP:	1536:YyWqoOUqLSlZ8cUkIWhDxSZIy5MntmDRZlOc+8:Y/qUqWnUGKZIy5Ktce8
TLSH:	82633C42B30C0D47D1675DB03A3F27E193EEE99122E4E785251FEB4692B2E321586ECD
File Content Preview:	.ELF...........................4.........4. ...(.......................D...D..............................S.........dt.Q.............................!..\|......$H...H......$8!. \|...N.. .!..\|.......?.............../...@..\?........+../...A..$8...})......N..

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	PowerPC
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x100001f0
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	66536
Section Header Size:	40
Number of Section Headers:	12
Header String Table Index:	11

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x10000094	0x94	0x24	0x0	0x6	AX	4
.text	PROGBITS	0x100000b8	0xb8	0xe654	0x0	0x6	AX	4
.fini	PROGBITS	0x1000e70c	0xe70c	0x20	0x0	0x6	AX	4
.rodata	PROGBITS	0x1000e730	0xe730	0x1614	0x0	0x2	A	8
.ctors	PROGBITS	0x10010000	0x10000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x10010008	0x10008	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x10010018	0x10018	0x344	0x0	0x3	WA	8
.sdata	PROGBITS	0x1001035c	0x1035c	0x40	0x0	0x3	WA	4
.sbss	NOBITS	0x1001039c	0x1039c	0x70	0x0	0x3	WA	4
.bss	NOBITS	0x1001040c	0x1039c	0x4fec	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x1039c	0x4b	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x10000000	0x10000000	0xfd44	0xfd44	6.2529	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x10000	0x10010000	0x10010000	0x39c	0x53f8	2.9433	0x6	RW	0x10000	.ctors .dtors .data .sdata .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 30, 2024 20:02:49.864573956 CET	58018	9401	192.168.2.23	212.192.15.158
Nov 30, 2024 20:02:49.987102032 CET	9401	58018	212.192.15.158	192.168.2.23
Nov 30, 2024 20:02:49.987298965 CET	58018	9401	192.168.2.23	212.192.15.158
Nov 30, 2024 20:02:49.987298965 CET	58018	9401	192.168.2.23	212.192.15.158
Nov 30, 2024 20:02:49.995815039 CET	39626	13238	192.168.2.23	86.107.100.88
Nov 30, 2024 20:02:50.110857964 CET	9401	58018	212.192.15.158	192.168.2.23
Nov 30, 2024 20:02:50.110920906 CET	58018	9401	192.168.2.23	212.192.15.158
Nov 30, 2024 20:02:50.118304968 CET	13238	39626	86.107.100.88	192.168.2.23
Nov 30, 2024 20:02:50.118362904 CET	39626	13238	192.168.2.23	86.107.100.88
Nov 30, 2024 20:02:50.118498087 CET	39626	13238	192.168.2.23	86.107.100.88
Nov 30, 2024 20:02:50.232777119 CET	9401	58018	212.192.15.158	192.168.2.23
Nov 30, 2024 20:02:50.240397930 CET	13238	39626	86.107.100.88	192.168.2.23
Nov 30, 2024 20:02:50.240480900 CET	39626	13238	192.168.2.23	86.107.100.88
Nov 30, 2024 20:02:50.361670017 CET	13238	39626	86.107.100.88	192.168.2.23
Nov 30, 2024 20:02:50.454895020 CET	443	33606	54.171.230.55	192.168.2.23
Nov 30, 2024 20:02:50.455326080 CET	33606	443	192.168.2.23	54.171.230.55
Nov 30, 2024 20:02:50.575419903 CET	443	33606	54.171.230.55	192.168.2.23
Nov 30, 2024 20:02:51.466433048 CET	43928	443	192.168.2.23	91.189.91.42
Nov 30, 2024 20:02:51.860296965 CET	9401	58018	212.192.15.158	192.168.2.23
Nov 30, 2024 20:02:51.860387087 CET	58018	9401	192.168.2.23	212.192.15.158
Nov 30, 2024 20:02:51.860558033 CET	58018	9401	192.168.2.23	212.192.15.158
Nov 30, 2024 20:02:52.253396988 CET	13238	39626	86.107.100.88	192.168.2.23
Nov 30, 2024 20:02:52.253504038 CET	39626	13238	192.168.2.23	86.107.100.88
Nov 30, 2024 20:02:52.253629923 CET	39626	13238	192.168.2.23	86.107.100.88
Nov 30, 2024 20:02:57.097652912 CET	42836	443	192.168.2.23	91.189.91.43
Nov 30, 2024 20:02:57.102566004 CET	35536	2555	192.168.2.23	185.22.155.152
Nov 30, 2024 20:02:57.223496914 CET	2555	35536	185.22.155.152	192.168.2.23
Nov 30, 2024 20:02:57.223560095 CET	35536	2555	192.168.2.23	185.22.155.152
Nov 30, 2024 20:02:57.223573923 CET	35536	2555	192.168.2.23	185.22.155.152
Nov 30, 2024 20:02:57.343631029 CET	2555	35536	185.22.155.152	192.168.2.23
Nov 30, 2024 20:02:57.343681097 CET	35536	2555	192.168.2.23	185.22.155.152
Nov 30, 2024 20:02:57.463581085 CET	2555	35536	185.22.155.152	192.168.2.23
Nov 30, 2024 20:02:57.500483990 CET	42792	2555	192.168.2.23	185.22.153.100
Nov 30, 2024 20:02:57.620465040 CET	2555	42792	185.22.153.100	192.168.2.23
Nov 30, 2024 20:02:57.620531082 CET	42792	2555	192.168.2.23	185.22.153.100
Nov 30, 2024 20:02:57.620553017 CET	42792	2555	192.168.2.23	185.22.153.100
Nov 30, 2024 20:02:57.745512962 CET	2555	42792	185.22.153.100	192.168.2.23
Nov 30, 2024 20:02:57.745578051 CET	42792	2555	192.168.2.23	185.22.153.100
Nov 30, 2024 20:02:57.869110107 CET	2555	42792	185.22.153.100	192.168.2.23
Nov 30, 2024 20:02:58.633457899 CET	42516	80	192.168.2.23	109.202.202.202
Nov 30, 2024 20:02:58.907648087 CET	2555	35536	185.22.155.152	192.168.2.23
Nov 30, 2024 20:02:58.907701015 CET	35536	2555	192.168.2.23	185.22.155.152
Nov 30, 2024 20:02:58.907737970 CET	35536	2555	192.168.2.23	185.22.155.152
Nov 30, 2024 20:02:59.378503084 CET	2555	42792	185.22.153.100	192.168.2.23
Nov 30, 2024 20:02:59.378675938 CET	42792	2555	192.168.2.23	185.22.153.100
Nov 30, 2024 20:02:59.378675938 CET	42792	2555	192.168.2.23	185.22.153.100
Nov 30, 2024 20:03:04.157087088 CET	50040	22487	192.168.2.23	5.39.254.71
Nov 30, 2024 20:03:04.277472973 CET	22487	50040	5.39.254.71	192.168.2.23
Nov 30, 2024 20:03:04.277544022 CET	50040	22487	192.168.2.23	5.39.254.71
Nov 30, 2024 20:03:04.277564049 CET	50040	22487	192.168.2.23	5.39.254.71
Nov 30, 2024 20:03:04.397625923 CET	22487	50040	5.39.254.71	192.168.2.23
Nov 30, 2024 20:03:04.397690058 CET	50040	22487	192.168.2.23	5.39.254.71
Nov 30, 2024 20:03:04.519608021 CET	22487	50040	5.39.254.71	192.168.2.23
Nov 30, 2024 20:03:04.632827044 CET	50042	22487	192.168.2.23	5.39.254.71
Nov 30, 2024 20:03:04.752741098 CET	22487	50042	5.39.254.71	192.168.2.23
Nov 30, 2024 20:03:04.752809048 CET	50042	22487	192.168.2.23	5.39.254.71
Nov 30, 2024 20:03:04.752820015 CET	50042	22487	192.168.2.23	5.39.254.71
Nov 30, 2024 20:03:04.873074055 CET	22487	50042	5.39.254.71	192.168.2.23
Nov 30, 2024 20:03:04.873138905 CET	50042	22487	192.168.2.23	5.39.254.71
Nov 30, 2024 20:03:04.999664068 CET	22487	50042	5.39.254.71	192.168.2.23
Nov 30, 2024 20:03:05.764488935 CET	22487	50040	5.39.254.71	192.168.2.23
Nov 30, 2024 20:03:05.764554024 CET	50040	22487	192.168.2.23	5.39.254.71
Nov 30, 2024 20:03:05.764581919 CET	50040	22487	192.168.2.23	5.39.254.71
Nov 30, 2024 20:03:06.189477921 CET	22487	50042	5.39.254.71	192.168.2.23
Nov 30, 2024 20:03:06.189588070 CET	50042	22487	192.168.2.23	5.39.254.71
Nov 30, 2024 20:03:06.189609051 CET	50042	22487	192.168.2.23	5.39.254.71
Nov 30, 2024 20:03:11.256112099 CET	55198	24812	192.168.2.23	128.254.146.232
Nov 30, 2024 20:03:11.376174927 CET	24812	55198	128.254.146.232	192.168.2.23
Nov 30, 2024 20:03:11.376260042 CET	55198	24812	192.168.2.23	128.254.146.232
Nov 30, 2024 20:03:11.376291037 CET	55198	24812	192.168.2.23	128.254.146.232
Nov 30, 2024 20:03:11.496370077 CET	24812	55198	128.254.146.232	192.168.2.23
Nov 30, 2024 20:03:11.496454954 CET	55198	24812	192.168.2.23	128.254.146.232
Nov 30, 2024 20:03:11.617623091 CET	24812	55198	128.254.146.232	192.168.2.23
Nov 30, 2024 20:03:11.671065092 CET	55200	24812	192.168.2.23	128.254.146.232
Nov 30, 2024 20:03:11.791209936 CET	24812	55200	128.254.146.232	192.168.2.23
Nov 30, 2024 20:03:11.791380882 CET	55200	24812	192.168.2.23	128.254.146.232
Nov 30, 2024 20:03:11.791410923 CET	55200	24812	192.168.2.23	128.254.146.232
Nov 30, 2024 20:03:11.911745071 CET	24812	55200	128.254.146.232	192.168.2.23
Nov 30, 2024 20:03:11.911794901 CET	55200	24812	192.168.2.23	128.254.146.232
Nov 30, 2024 20:03:11.943589926 CET	43928	443	192.168.2.23	91.189.91.42
Nov 30, 2024 20:03:12.031877995 CET	24812	55200	128.254.146.232	192.168.2.23
Nov 30, 2024 20:03:12.626328945 CET	24812	55198	128.254.146.232	192.168.2.23
Nov 30, 2024 20:03:12.626408100 CET	55198	24812	192.168.2.23	128.254.146.232
Nov 30, 2024 20:03:12.626471996 CET	55198	24812	192.168.2.23	128.254.146.232
Nov 30, 2024 20:03:13.051331997 CET	24812	55200	128.254.146.232	192.168.2.23
Nov 30, 2024 20:03:13.051409960 CET	55200	24812	192.168.2.23	128.254.146.232
Nov 30, 2024 20:03:13.051475048 CET	55200	24812	192.168.2.23	128.254.146.232
Nov 30, 2024 20:03:18.163328886 CET	33030	3548	192.168.2.23	38.114.100.142
Nov 30, 2024 20:03:18.283401966 CET	3548	33030	38.114.100.142	192.168.2.23
Nov 30, 2024 20:03:18.283466101 CET	33030	3548	192.168.2.23	38.114.100.142
Nov 30, 2024 20:03:18.283545971 CET	33030	3548	192.168.2.23	38.114.100.142
Nov 30, 2024 20:03:18.404824018 CET	3548	33030	38.114.100.142	192.168.2.23
Nov 30, 2024 20:03:18.404875994 CET	33030	3548	192.168.2.23	38.114.100.142
Nov 30, 2024 20:03:18.526804924 CET	3548	33030	38.114.100.142	192.168.2.23
Nov 30, 2024 20:03:18.578413963 CET	33826	3548	192.168.2.23	45.147.200.148
Nov 30, 2024 20:03:18.699345112 CET	3548	33826	45.147.200.148	192.168.2.23
Nov 30, 2024 20:03:18.699399948 CET	33826	3548	192.168.2.23	45.147.200.148
Nov 30, 2024 20:03:18.699439049 CET	33826	3548	192.168.2.23	45.147.200.148
Nov 30, 2024 20:03:18.819753885 CET	3548	33826	45.147.200.148	192.168.2.23
Nov 30, 2024 20:03:18.819801092 CET	33826	3548	192.168.2.23	45.147.200.148
Nov 30, 2024 20:03:18.939891100 CET	3548	33826	45.147.200.148	192.168.2.23
Nov 30, 2024 20:03:19.512422085 CET	3548	33030	38.114.100.142	192.168.2.23
Nov 30, 2024 20:03:19.512480021 CET	33030	3548	192.168.2.23	38.114.100.142
Nov 30, 2024 20:03:19.512527943 CET	33030	3548	192.168.2.23	38.114.100.142
Nov 30, 2024 20:03:20.386029959 CET	3548	33826	45.147.200.148	192.168.2.23
Nov 30, 2024 20:03:20.386075020 CET	33826	3548	192.168.2.23	45.147.200.148
Nov 30, 2024 20:03:20.386255026 CET	33826	3548	192.168.2.23	45.147.200.148
Nov 30, 2024 20:03:24.229893923 CET	42836	443	192.168.2.23	91.189.91.43
Nov 30, 2024 20:03:24.754915953 CET	41104	21469	192.168.2.23	195.133.53.106
Nov 30, 2024 20:03:24.874941111 CET	21469	41104	195.133.53.106	192.168.2.23
Nov 30, 2024 20:03:24.875026941 CET	41104	21469	192.168.2.23	195.133.53.106
Nov 30, 2024 20:03:24.875149965 CET	41104	21469	192.168.2.23	195.133.53.106
Nov 30, 2024 20:03:24.999064922 CET	21469	41104	195.133.53.106	192.168.2.23
Nov 30, 2024 20:03:24.999138117 CET	41104	21469	192.168.2.23	195.133.53.106
Nov 30, 2024 20:03:25.119388103 CET	21469	41104	195.133.53.106	192.168.2.23
Nov 30, 2024 20:03:25.951911926 CET	33614	3136	192.168.2.23	128.254.146.232
Nov 30, 2024 20:03:26.078480005 CET	3136	33614	128.254.146.232	192.168.2.23
Nov 30, 2024 20:03:26.078572989 CET	33614	3136	192.168.2.23	128.254.146.232
Nov 30, 2024 20:03:26.078572989 CET	33614	3136	192.168.2.23	128.254.146.232
Nov 30, 2024 20:03:26.200901031 CET	3136	33614	128.254.146.232	192.168.2.23
Nov 30, 2024 20:03:26.201061010 CET	33614	3136	192.168.2.23	128.254.146.232
Nov 30, 2024 20:03:26.326081991 CET	3136	33614	128.254.146.232	192.168.2.23
Nov 30, 2024 20:03:26.668989897 CET	21469	41104	195.133.53.106	192.168.2.23
Nov 30, 2024 20:03:26.669083118 CET	41104	21469	192.168.2.23	195.133.53.106
Nov 30, 2024 20:03:26.669188023 CET	41104	21469	192.168.2.23	195.133.53.106
Nov 30, 2024 20:03:27.333244085 CET	3136	33614	128.254.146.232	192.168.2.23
Nov 30, 2024 20:03:27.333360910 CET	33614	3136	192.168.2.23	128.254.146.232
Nov 30, 2024 20:03:27.333360910 CET	33614	3136	192.168.2.23	128.254.146.232
Nov 30, 2024 20:03:28.325547934 CET	42516	80	192.168.2.23	109.202.202.202
Nov 30, 2024 20:03:31.939897060 CET	42442	7360	192.168.2.23	166.88.130.30
Nov 30, 2024 20:03:32.060084105 CET	7360	42442	166.88.130.30	192.168.2.23
Nov 30, 2024 20:03:32.060164928 CET	42442	7360	192.168.2.23	166.88.130.30
Nov 30, 2024 20:03:32.060375929 CET	42442	7360	192.168.2.23	166.88.130.30
Nov 30, 2024 20:03:32.180304050 CET	7360	42442	166.88.130.30	192.168.2.23
Nov 30, 2024 20:03:32.180407047 CET	42442	7360	192.168.2.23	166.88.130.30
Nov 30, 2024 20:03:32.300405025 CET	7360	42442	166.88.130.30	192.168.2.23
Nov 30, 2024 20:03:32.583923101 CET	37578	7360	192.168.2.23	88.151.195.95
Nov 30, 2024 20:03:32.704036951 CET	7360	37578	88.151.195.95	192.168.2.23
Nov 30, 2024 20:03:32.704195976 CET	37578	7360	192.168.2.23	88.151.195.95
Nov 30, 2024 20:03:32.704260111 CET	37578	7360	192.168.2.23	88.151.195.95
Nov 30, 2024 20:03:32.825968027 CET	7360	37578	88.151.195.95	192.168.2.23
Nov 30, 2024 20:03:32.826189995 CET	37578	7360	192.168.2.23	88.151.195.95
Nov 30, 2024 20:03:32.946150064 CET	7360	37578	88.151.195.95	192.168.2.23
Nov 30, 2024 20:03:33.309999943 CET	7360	42442	166.88.130.30	192.168.2.23
Nov 30, 2024 20:03:33.310162067 CET	42442	7360	192.168.2.23	166.88.130.30
Nov 30, 2024 20:03:33.310348988 CET	42442	7360	192.168.2.23	166.88.130.30
Nov 30, 2024 20:03:34.412913084 CET	7360	37578	88.151.195.95	192.168.2.23
Nov 30, 2024 20:03:34.413021088 CET	37578	7360	192.168.2.23	88.151.195.95
Nov 30, 2024 20:03:34.413058043 CET	37578	7360	192.168.2.23	88.151.195.95
Nov 30, 2024 20:03:38.584064960 CET	44220	9775	192.168.2.23	45.147.200.148
Nov 30, 2024 20:03:38.704452038 CET	9775	44220	45.147.200.148	192.168.2.23
Nov 30, 2024 20:03:38.704622984 CET	44220	9775	192.168.2.23	45.147.200.148
Nov 30, 2024 20:03:38.704623938 CET	44220	9775	192.168.2.23	45.147.200.148
Nov 30, 2024 20:03:38.825023890 CET	9775	44220	45.147.200.148	192.168.2.23
Nov 30, 2024 20:03:38.825170994 CET	44220	9775	192.168.2.23	45.147.200.148
Nov 30, 2024 20:03:38.947546959 CET	9775	44220	45.147.200.148	192.168.2.23
Nov 30, 2024 20:03:39.667017937 CET	56254	15115	192.168.2.23	212.192.15.158
Nov 30, 2024 20:03:39.787322044 CET	15115	56254	212.192.15.158	192.168.2.23
Nov 30, 2024 20:03:39.787473917 CET	56254	15115	192.168.2.23	212.192.15.158
Nov 30, 2024 20:03:39.787473917 CET	56254	15115	192.168.2.23	212.192.15.158
Nov 30, 2024 20:03:39.907624006 CET	15115	56254	212.192.15.158	192.168.2.23
Nov 30, 2024 20:03:39.907779932 CET	56254	15115	192.168.2.23	212.192.15.158
Nov 30, 2024 20:03:40.027733088 CET	15115	56254	212.192.15.158	192.168.2.23
Nov 30, 2024 20:03:40.401304007 CET	9775	44220	45.147.200.148	192.168.2.23
Nov 30, 2024 20:03:40.401498079 CET	44220	9775	192.168.2.23	45.147.200.148
Nov 30, 2024 20:03:40.401498079 CET	44220	9775	192.168.2.23	45.147.200.148
Nov 30, 2024 20:03:41.648339033 CET	15115	56254	212.192.15.158	192.168.2.23
Nov 30, 2024 20:03:41.648535967 CET	56254	15115	192.168.2.23	212.192.15.158
Nov 30, 2024 20:03:41.648535967 CET	56254	15115	192.168.2.23	212.192.15.158
Nov 30, 2024 20:03:51.270049095 CET	47426	4673	192.168.2.23	31.13.248.234
Nov 30, 2024 20:03:51.390197039 CET	4673	47426	31.13.248.234	192.168.2.23
Nov 30, 2024 20:03:51.390285015 CET	47426	4673	192.168.2.23	31.13.248.234
Nov 30, 2024 20:03:51.390335083 CET	47426	4673	192.168.2.23	31.13.248.234
Nov 30, 2024 20:03:51.514799118 CET	4673	47426	31.13.248.234	192.168.2.23
Nov 30, 2024 20:03:51.514874935 CET	47426	4673	192.168.2.23	31.13.248.234
Nov 30, 2024 20:03:51.638008118 CET	4673	47426	31.13.248.234	192.168.2.23
Nov 30, 2024 20:03:52.228816986 CET	37266	24205	192.168.2.23	166.88.130.30
Nov 30, 2024 20:03:52.352974892 CET	24205	37266	166.88.130.30	192.168.2.23
Nov 30, 2024 20:03:52.353074074 CET	37266	24205	192.168.2.23	166.88.130.30
Nov 30, 2024 20:03:52.353264093 CET	37266	24205	192.168.2.23	166.88.130.30
Nov 30, 2024 20:03:52.473175049 CET	24205	37266	166.88.130.30	192.168.2.23
Nov 30, 2024 20:03:52.473284006 CET	37266	24205	192.168.2.23	166.88.130.30
Nov 30, 2024 20:03:52.594393015 CET	24205	37266	166.88.130.30	192.168.2.23
Nov 30, 2024 20:03:52.901961088 CET	43928	443	192.168.2.23	91.189.91.42
Nov 30, 2024 20:03:53.038166046 CET	4673	47426	31.13.248.234	192.168.2.23
Nov 30, 2024 20:03:53.038270950 CET	47426	4673	192.168.2.23	31.13.248.234
Nov 30, 2024 20:03:53.038321018 CET	47426	4673	192.168.2.23	31.13.248.234
Nov 30, 2024 20:03:53.605521917 CET	24205	37266	166.88.130.30	192.168.2.23
Nov 30, 2024 20:03:53.605658054 CET	37266	24205	192.168.2.23	166.88.130.30
Nov 30, 2024 20:03:53.605700016 CET	37266	24205	192.168.2.23	166.88.130.30
Nov 30, 2024 20:03:58.544215918 CET	32812	22105	192.168.2.23	176.32.39.112
Nov 30, 2024 20:03:58.664494991 CET	22105	32812	176.32.39.112	192.168.2.23
Nov 30, 2024 20:03:58.664583921 CET	32812	22105	192.168.2.23	176.32.39.112
Nov 30, 2024 20:03:58.664638042 CET	32812	22105	192.168.2.23	176.32.39.112
Nov 30, 2024 20:03:58.784558058 CET	22105	32812	176.32.39.112	192.168.2.23
Nov 30, 2024 20:03:58.784671068 CET	32812	22105	192.168.2.23	176.32.39.112
Nov 30, 2024 20:03:58.904649019 CET	22105	32812	176.32.39.112	192.168.2.23
Nov 30, 2024 20:03:59.725766897 CET	55946	15817	192.168.2.23	86.107.100.88
Nov 30, 2024 20:03:59.845904112 CET	15817	55946	86.107.100.88	192.168.2.23
Nov 30, 2024 20:03:59.845997095 CET	55946	15817	192.168.2.23	86.107.100.88
Nov 30, 2024 20:03:59.846012115 CET	55946	15817	192.168.2.23	86.107.100.88
Nov 30, 2024 20:03:59.995095968 CET	15817	55946	86.107.100.88	192.168.2.23
Nov 30, 2024 20:03:59.995197058 CET	55946	15817	192.168.2.23	86.107.100.88
Nov 30, 2024 20:04:00.116708994 CET	15817	55946	86.107.100.88	192.168.2.23
Nov 30, 2024 20:04:00.272524118 CET	22105	32812	176.32.39.112	192.168.2.23
Nov 30, 2024 20:04:00.272722960 CET	32812	22105	192.168.2.23	176.32.39.112
Nov 30, 2024 20:04:00.272797108 CET	32812	22105	192.168.2.23	176.32.39.112
Nov 30, 2024 20:04:01.894377947 CET	15817	55946	86.107.100.88	192.168.2.23
Nov 30, 2024 20:04:01.894642115 CET	55946	15817	192.168.2.23	86.107.100.88
Nov 30, 2024 20:04:01.894712925 CET	55946	15817	192.168.2.23	86.107.100.88
Nov 30, 2024 20:04:05.806508064 CET	44464	6888	192.168.2.23	194.58.66.244
Nov 30, 2024 20:04:05.926542997 CET	6888	44464	194.58.66.244	192.168.2.23
Nov 30, 2024 20:04:05.926640034 CET	44464	6888	192.168.2.23	194.58.66.244
Nov 30, 2024 20:04:05.926657915 CET	44464	6888	192.168.2.23	194.58.66.244
Nov 30, 2024 20:04:06.052021027 CET	6888	44464	194.58.66.244	192.168.2.23
Nov 30, 2024 20:04:06.052215099 CET	44464	6888	192.168.2.23	194.58.66.244
Nov 30, 2024 20:04:06.178956032 CET	6888	44464	194.58.66.244	192.168.2.23
Nov 30, 2024 20:04:07.531627893 CET	6888	44464	194.58.66.244	192.168.2.23
Nov 30, 2024 20:04:07.531733990 CET	44464	6888	192.168.2.23	194.58.66.244
Nov 30, 2024 20:04:07.531783104 CET	44464	6888	192.168.2.23	194.58.66.244
Nov 30, 2024 20:04:08.028753042 CET	55950	15817	192.168.2.23	86.107.100.88
Nov 30, 2024 20:04:08.149792910 CET	15817	55950	86.107.100.88	192.168.2.23
Nov 30, 2024 20:04:08.149915934 CET	55950	15817	192.168.2.23	86.107.100.88
Nov 30, 2024 20:04:08.149976969 CET	55950	15817	192.168.2.23	86.107.100.88
Nov 30, 2024 20:04:08.270493031 CET	15817	55950	86.107.100.88	192.168.2.23
Nov 30, 2024 20:04:08.270629883 CET	55950	15817	192.168.2.23	86.107.100.88
Nov 30, 2024 20:04:08.392870903 CET	15817	55950	86.107.100.88	192.168.2.23
Nov 30, 2024 20:04:13.191812992 CET	60756	10092	192.168.2.23	185.22.155.152
Nov 30, 2024 20:04:13.312216997 CET	10092	60756	185.22.155.152	192.168.2.23
Nov 30, 2024 20:04:13.312372923 CET	60756	10092	192.168.2.23	185.22.155.152
Nov 30, 2024 20:04:13.312374115 CET	60756	10092	192.168.2.23	185.22.155.152
Nov 30, 2024 20:04:13.435015917 CET	10092	60756	185.22.155.152	192.168.2.23
Nov 30, 2024 20:04:13.435228109 CET	60756	10092	192.168.2.23	185.22.155.152
Nov 30, 2024 20:04:13.555346966 CET	10092	60756	185.22.155.152	192.168.2.23
Nov 30, 2024 20:04:15.043747902 CET	10092	60756	185.22.155.152	192.168.2.23
Nov 30, 2024 20:04:15.044032097 CET	60756	10092	192.168.2.23	185.22.155.152
Nov 30, 2024 20:04:15.044032097 CET	60756	10092	192.168.2.23	185.22.155.152
Nov 30, 2024 20:04:18.158720016 CET	55950	15817	192.168.2.23	86.107.100.88
Nov 30, 2024 20:04:18.280267000 CET	15817	55950	86.107.100.88	192.168.2.23
Nov 30, 2024 20:04:18.965480089 CET	15817	55950	86.107.100.88	192.168.2.23
Nov 30, 2024 20:04:18.965599060 CET	55950	15817	192.168.2.23	86.107.100.88
Nov 30, 2024 20:04:20.298480034 CET	36826	4413	192.168.2.23	38.114.100.142
Nov 30, 2024 20:04:20.420696020 CET	4413	36826	38.114.100.142	192.168.2.23
Nov 30, 2024 20:04:20.420773029 CET	36826	4413	192.168.2.23	38.114.100.142
Nov 30, 2024 20:04:20.420856953 CET	36826	4413	192.168.2.23	38.114.100.142
Nov 30, 2024 20:04:20.540939093 CET	4413	36826	38.114.100.142	192.168.2.23
Nov 30, 2024 20:04:20.541142941 CET	36826	4413	192.168.2.23	38.114.100.142
Nov 30, 2024 20:04:20.661026001 CET	4413	36826	38.114.100.142	192.168.2.23
Nov 30, 2024 20:04:21.687907934 CET	4413	36826	38.114.100.142	192.168.2.23
Nov 30, 2024 20:04:21.688139915 CET	36826	4413	192.168.2.23	38.114.100.142
Nov 30, 2024 20:04:21.688205004 CET	36826	4413	192.168.2.23	38.114.100.142
Nov 30, 2024 20:04:26.992564917 CET	42288	2029	192.168.2.23	103.136.150.114
Nov 30, 2024 20:04:27.114427090 CET	2029	42288	103.136.150.114	192.168.2.23
Nov 30, 2024 20:04:27.114525080 CET	42288	2029	192.168.2.23	103.136.150.114
Nov 30, 2024 20:04:27.114559889 CET	42288	2029	192.168.2.23	103.136.150.114
Nov 30, 2024 20:04:27.237977982 CET	2029	42288	103.136.150.114	192.168.2.23
Nov 30, 2024 20:04:27.238097906 CET	42288	2029	192.168.2.23	103.136.150.114
Nov 30, 2024 20:04:27.358099937 CET	2029	42288	103.136.150.114	192.168.2.23
Nov 30, 2024 20:04:37.122698069 CET	42288	2029	192.168.2.23	103.136.150.114
Nov 30, 2024 20:04:37.242775917 CET	2029	42288	103.136.150.114	192.168.2.23
Nov 30, 2024 20:04:37.834408998 CET	2029	42288	103.136.150.114	192.168.2.23
Nov 30, 2024 20:04:37.834567070 CET	42288	2029	192.168.2.23	103.136.150.114
Nov 30, 2024 20:05:13.874234915 CET	2029	42288	103.136.150.114	192.168.2.23
Nov 30, 2024 20:05:13.874526024 CET	42288	2029	192.168.2.23	103.136.150.114
Nov 30, 2024 20:05:13.933720112 CET	15817	55950	86.107.100.88	192.168.2.23
Nov 30, 2024 20:05:13.933772087 CET	55950	15817	192.168.2.23	86.107.100.88
Nov 30, 2024 20:05:43.972774982 CET	55950	15817	192.168.2.23	86.107.100.88
Nov 30, 2024 20:05:44.092845917 CET	15817	55950	86.107.100.88	192.168.2.23
Nov 30, 2024 20:05:44.780930996 CET	15817	55950	86.107.100.88	192.168.2.23
Nov 30, 2024 20:05:44.781131029 CET	55950	15817	192.168.2.23	86.107.100.88
Nov 30, 2024 20:06:03.915853024 CET	42288	2029	192.168.2.23	103.136.150.114
Nov 30, 2024 20:06:04.035998106 CET	2029	42288	103.136.150.114	192.168.2.23
Nov 30, 2024 20:06:04.634249926 CET	2029	42288	103.136.150.114	192.168.2.23
Nov 30, 2024 20:06:04.634354115 CET	42288	2029	192.168.2.23	103.136.150.114

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 30, 2024 20:02:49.615833998 CET	33915	53	192.168.2.23	81.169.136.222
Nov 30, 2024 20:02:49.753968954 CET	43478	53	192.168.2.23	81.169.136.222
Nov 30, 2024 20:02:49.858102083 CET	53	33915	81.169.136.222	192.168.2.23
Nov 30, 2024 20:02:49.994934082 CET	53	43478	81.169.136.222	192.168.2.23
Nov 30, 2024 20:02:56.861516953 CET	37729	53	192.168.2.23	194.36.144.87
Nov 30, 2024 20:02:57.102108002 CET	53	37729	194.36.144.87	192.168.2.23
Nov 30, 2024 20:02:57.254623890 CET	55603	53	192.168.2.23	194.36.144.87
Nov 30, 2024 20:02:57.500011921 CET	53	55603	194.36.144.87	192.168.2.23
Nov 30, 2024 20:03:03.909004927 CET	41945	53	192.168.2.23	194.36.144.87
Nov 30, 2024 20:03:04.156513929 CET	53	41945	194.36.144.87	192.168.2.23
Nov 30, 2024 20:03:04.379219055 CET	44073	53	192.168.2.23	194.36.144.87
Nov 30, 2024 20:03:04.632430077 CET	53	44073	194.36.144.87	192.168.2.23
Nov 30, 2024 20:03:10.765269041 CET	39820	53	192.168.2.23	217.160.70.42
Nov 30, 2024 20:03:11.005163908 CET	53	39820	217.160.70.42	192.168.2.23
Nov 30, 2024 20:03:11.006371975 CET	36840	53	192.168.2.23	51.158.108.203
Nov 30, 2024 20:03:11.190093040 CET	48436	53	192.168.2.23	217.160.70.42
Nov 30, 2024 20:03:11.255557060 CET	53	36840	51.158.108.203	192.168.2.23
Nov 30, 2024 20:03:11.430078030 CET	53	48436	217.160.70.42	192.168.2.23
Nov 30, 2024 20:03:11.430809975 CET	33800	53	192.168.2.23	51.158.108.203
Nov 30, 2024 20:03:11.670695066 CET	53	33800	51.158.108.203	192.168.2.23
Nov 30, 2024 20:03:17.627438068 CET	43357	53	192.168.2.23	80.152.203.134
Nov 30, 2024 20:03:17.903356075 CET	53	43357	80.152.203.134	192.168.2.23
Nov 30, 2024 20:03:17.904766083 CET	43652	53	192.168.2.23	185.181.61.24
Nov 30, 2024 20:03:18.052439928 CET	54295	53	192.168.2.23	80.152.203.134
Nov 30, 2024 20:03:18.162811041 CET	53	43652	185.181.61.24	192.168.2.23
Nov 30, 2024 20:03:18.316652060 CET	53	54295	80.152.203.134	192.168.2.23
Nov 30, 2024 20:03:18.317467928 CET	56244	53	192.168.2.23	185.181.61.24
Nov 30, 2024 20:03:18.578078985 CET	53	56244	185.181.61.24	192.168.2.23
Nov 30, 2024 20:03:24.513215065 CET	42233	53	192.168.2.23	202.61.197.122
Nov 30, 2024 20:03:24.754328012 CET	53	42233	202.61.197.122	192.168.2.23
Nov 30, 2024 20:03:25.386909008 CET	56558	53	192.168.2.23	202.61.197.122
Nov 30, 2024 20:03:25.637569904 CET	53	56558	202.61.197.122	192.168.2.23
Nov 30, 2024 20:03:25.638350964 CET	53810	53	192.168.2.23	168.235.111.72
Nov 30, 2024 20:03:25.951358080 CET	53	53810	168.235.111.72	192.168.2.23
Nov 30, 2024 20:03:31.671025038 CET	39903	53	192.168.2.23	185.181.61.24
Nov 30, 2024 20:03:31.939003944 CET	53	39903	185.181.61.24	192.168.2.23
Nov 30, 2024 20:03:32.334080935 CET	59219	53	192.168.2.23	194.36.144.87
Nov 30, 2024 20:03:32.582971096 CET	53	59219	194.36.144.87	192.168.2.23
Nov 30, 2024 20:03:38.312210083 CET	53347	53	192.168.2.23	109.91.184.21
Nov 30, 2024 20:03:38.583450079 CET	53	53347	109.91.184.21	192.168.2.23
Nov 30, 2024 20:03:39.413889885 CET	48343	53	192.168.2.23	202.61.197.122
Nov 30, 2024 20:03:39.666522026 CET	53	48343	202.61.197.122	192.168.2.23
Nov 30, 2024 20:03:45.402892113 CET	35303	53	192.168.2.23	109.91.184.21
Nov 30, 2024 20:03:46.650223970 CET	49303	53	192.168.2.23	109.91.184.21
Nov 30, 2024 20:03:46.958211899 CET	53	49303	109.91.184.21	192.168.2.23
Nov 30, 2024 20:03:46.959212065 CET	43109	53	192.168.2.23	109.91.184.21
Nov 30, 2024 20:03:50.407562017 CET	51236	53	192.168.2.23	109.91.184.21
Nov 30, 2024 20:03:50.709347010 CET	53	51236	109.91.184.21	192.168.2.23
Nov 30, 2024 20:03:50.710526943 CET	56853	53	192.168.2.23	109.91.184.21
Nov 30, 2024 20:03:50.984786034 CET	53	56853	109.91.184.21	192.168.2.23
Nov 30, 2024 20:03:50.986008883 CET	55271	53	192.168.2.23	109.91.184.21
Nov 30, 2024 20:03:51.269357920 CET	53	55271	109.91.184.21	192.168.2.23
Nov 30, 2024 20:03:51.964355946 CET	54499	53	192.168.2.23	109.91.184.21
Nov 30, 2024 20:03:52.228003025 CET	53	54499	109.91.184.21	192.168.2.23
Nov 30, 2024 20:03:58.039793968 CET	56935	53	192.168.2.23	217.160.70.42
Nov 30, 2024 20:03:58.282776117 CET	53	56935	217.160.70.42	192.168.2.23
Nov 30, 2024 20:03:58.284288883 CET	55057	53	192.168.2.23	80.152.203.134
Nov 30, 2024 20:03:58.543607950 CET	53	55057	80.152.203.134	192.168.2.23
Nov 30, 2024 20:03:58.606892109 CET	58284	53	192.168.2.23	217.160.70.42
Nov 30, 2024 20:03:58.846262932 CET	53	58284	217.160.70.42	192.168.2.23
Nov 30, 2024 20:03:58.847503901 CET	55174	53	192.168.2.23	80.152.203.134
Nov 30, 2024 20:03:59.171174049 CET	53	55174	80.152.203.134	192.168.2.23
Nov 30, 2024 20:03:59.171932936 CET	44146	53	192.168.2.23	109.91.184.21
Nov 30, 2024 20:03:59.461190939 CET	53	44146	109.91.184.21	192.168.2.23
Nov 30, 2024 20:03:59.462191105 CET	49039	53	192.168.2.23	185.181.61.24
Nov 30, 2024 20:03:59.725281000 CET	53	49039	185.181.61.24	192.168.2.23
Nov 30, 2024 20:04:05.274941921 CET	58238	53	192.168.2.23	81.169.136.222
Nov 30, 2024 20:04:05.520874977 CET	53	58238	81.169.136.222	192.168.2.23
Nov 30, 2024 20:04:05.522329092 CET	38062	53	192.168.2.23	80.152.203.134
Nov 30, 2024 20:04:05.805726051 CET	53	38062	80.152.203.134	192.168.2.23
Nov 30, 2024 20:04:06.896605015 CET	36464	53	192.168.2.23	194.36.144.87
Nov 30, 2024 20:04:07.149087906 CET	53	36464	194.36.144.87	192.168.2.23
Nov 30, 2024 20:04:07.150424957 CET	47344	53	192.168.2.23	109.91.184.21
Nov 30, 2024 20:04:07.456697941 CET	53	47344	109.91.184.21	192.168.2.23
Nov 30, 2024 20:04:07.457935095 CET	41568	53	192.168.2.23	168.235.111.72
Nov 30, 2024 20:04:07.772028923 CET	53	41568	168.235.111.72	192.168.2.23
Nov 30, 2024 20:04:07.773499966 CET	52004	53	192.168.2.23	152.53.15.127
Nov 30, 2024 20:04:08.027929068 CET	53	52004	152.53.15.127	192.168.2.23
Nov 30, 2024 20:04:12.533407927 CET	38974	53	192.168.2.23	202.61.197.122
Nov 30, 2024 20:04:12.790349007 CET	53	38974	202.61.197.122	192.168.2.23
Nov 30, 2024 20:04:12.791676998 CET	60551	53	192.168.2.23	168.138.12.137
Nov 30, 2024 20:04:13.191063881 CET	53	60551	168.138.12.137	192.168.2.23
Nov 30, 2024 20:04:20.045387983 CET	57486	53	192.168.2.23	152.53.15.127
Nov 30, 2024 20:04:20.297828913 CET	53	57486	152.53.15.127	192.168.2.23
Nov 30, 2024 20:04:26.689330101 CET	38417	53	192.168.2.23	168.235.111.72
Nov 30, 2024 20:04:26.991926908 CET	53	38417	168.235.111.72	192.168.2.23

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 30, 2024 20:02:49.615833998 CET	192.168.2.23	81.169.136.222	0xd21a	Standard query (0)	hikvision.geek	A (IP address)	IN (0x0001)	false
Nov 30, 2024 20:02:49.753968954 CET	192.168.2.23	81.169.136.222	0xd21a	Standard query (0)	catvision.dyn	A (IP address)	IN (0x0001)	false
Nov 30, 2024 20:02:56.861516953 CET	192.168.2.23	194.36.144.87	0xcee4	Standard query (0)	shitrocket.dyn	A (IP address)	IN (0x0001)	false
Nov 30, 2024 20:02:57.254623890 CET	192.168.2.23	194.36.144.87	0xcee4	Standard query (0)	shitrocket.dyn	A (IP address)	IN (0x0001)	false
Nov 30, 2024 20:03:03.909004927 CET	192.168.2.23	194.36.144.87	0x184c	Standard query (0)	shitrocket.dyn	A (IP address)	IN (0x0001)	false
Nov 30, 2024 20:03:04.379219055 CET	192.168.2.23	194.36.144.87	0x184c	Standard query (0)	shitrocket.dyn	A (IP address)	IN (0x0001)	false
Nov 30, 2024 20:03:10.765269041 CET	192.168.2.23	217.160.70.42	0xfb5a	Standard query (0)	catvision.dyn. [malformed]	256	367	false
Nov 30, 2024 20:03:11.006371975 CET	192.168.2.23	51.158.108.203	0xe4dd	Standard query (0)	catlovingfools.geek	A (IP address)	IN (0x0001)	false
Nov 30, 2024 20:03:11.190093040 CET	192.168.2.23	217.160.70.42	0xfb5a	Standard query (0)	catvision.dyn. [malformed]	256	367	false
Nov 30, 2024 20:03:11.430809975 CET	192.168.2.23	51.158.108.203	0xe4dd	Standard query (0)	catlovingfools.geek	A (IP address)	IN (0x0001)	false
Nov 30, 2024 20:03:17.627438068 CET	192.168.2.23	80.152.203.134	0x4313	Standard query (0)	catvision.dyn. [malformed]	256	373	false
Nov 30, 2024 20:03:17.904766083 CET	192.168.2.23	185.181.61.24	0x6b74	Standard query (0)	hikvision.geek	A (IP address)	IN (0x0001)	false
Nov 30, 2024 20:03:18.052439928 CET	192.168.2.23	80.152.203.134	0x4313	Standard query (0)	catvision.dyn. [malformed]	256	374	false
Nov 30, 2024 20:03:18.317467928 CET	192.168.2.23	185.181.61.24	0x6b74	Standard query (0)	hikvision.geek	A (IP address)	IN (0x0001)	false
Nov 30, 2024 20:03:24.513215065 CET	192.168.2.23	202.61.197.122	0x1e25	Standard query (0)	catlovingfools.geek	A (IP address)	IN (0x0001)	false
Nov 30, 2024 20:03:25.386909008 CET	192.168.2.23	202.61.197.122	0x1e25	Standard query (0)	catvision.dyn. [malformed]	256	381	false
Nov 30, 2024 20:03:25.638350964 CET	192.168.2.23	168.235.111.72	0xc813	Standard query (0)	catlovingfools.geek	A (IP address)	IN (0x0001)	false
Nov 30, 2024 20:03:31.671025038 CET	192.168.2.23	185.181.61.24	0x9082	Standard query (0)	catlovingfools.geek	A (IP address)	IN (0x0001)	false
Nov 30, 2024 20:03:32.334080935 CET	192.168.2.23	194.36.144.87	0x810e	Standard query (0)	catlovingfools.geek	A (IP address)	IN (0x0001)	false
Nov 30, 2024 20:03:38.312210083 CET	192.168.2.23	109.91.184.21	0x1bb7	Standard query (0)	catlovingfools.geek	A (IP address)	IN (0x0001)	false
Nov 30, 2024 20:03:39.413889885 CET	192.168.2.23	202.61.197.122	0xc321	Standard query (0)	catlovingfools.geek	A (IP address)	IN (0x0001)	false
Nov 30, 2024 20:03:45.402892113 CET	192.168.2.23	109.91.184.21	0x9e3d	Standard query (0)	catlovingfools.geek	A (IP address)	IN (0x0001)	false
Nov 30, 2024 20:03:46.650223970 CET	192.168.2.23	109.91.184.21	0x65f1	Standard query (0)	shitrocket.dyn. [malformed]	256	402	false
Nov 30, 2024 20:03:46.959212065 CET	192.168.2.23	109.91.184.21	0xf808	Standard query (0)	catvision.dyn. [malformed]	256	406	false
Nov 30, 2024 20:03:50.407562017 CET	192.168.2.23	109.91.184.21	0x65f1	Standard query (0)	hikvision.geek. [malformed]	256	406	false
Nov 30, 2024 20:03:50.710526943 CET	192.168.2.23	109.91.184.21	0xf808	Standard query (0)	catvision.dyn. [malformed]	256	406	false
Nov 30, 2024 20:03:50.986008883 CET	192.168.2.23	109.91.184.21	0x9d30	Standard query (0)	shitrocket.dyn	A (IP address)	IN (0x0001)	false
Nov 30, 2024 20:03:51.964355946 CET	192.168.2.23	109.91.184.21	0x9d30	Standard query (0)	hikvision.geek	A (IP address)	IN (0x0001)	false
Nov 30, 2024 20:03:58.039793968 CET	192.168.2.23	217.160.70.42	0xe43b	Standard query (0)	catvision.dyn. [malformed]	256	414	false
Nov 30, 2024 20:03:58.284288883 CET	192.168.2.23	80.152.203.134	0x254d	Standard query (0)	shitrocket.dyn	A (IP address)	IN (0x0001)	false
Nov 30, 2024 20:03:58.606892109 CET	192.168.2.23	217.160.70.42	0xe43b	Standard query (0)	catlovingfools.geek. [malformed]	256	414	false
Nov 30, 2024 20:03:58.847503901 CET	192.168.2.23	80.152.203.134	0x254d	Standard query (0)	hikvision.geek. [malformed]	256	414	false
Nov 30, 2024 20:03:59.171932936 CET	192.168.2.23	109.91.184.21	0xe3c4	Standard query (0)	catvision.dyn. [malformed]	256	415	false
Nov 30, 2024 20:03:59.462191105 CET	192.168.2.23	185.181.61.24	0xa2fc	Standard query (0)	shitrocket.dyn	A (IP address)	IN (0x0001)	false
Nov 30, 2024 20:04:05.274941921 CET	192.168.2.23	81.169.136.222	0x4edd	Standard query (0)	catvision.dyn. [malformed]	256	421	false
Nov 30, 2024 20:04:05.522329092 CET	192.168.2.23	80.152.203.134	0x4b98	Standard query (0)	hikvision.geek	A (IP address)	IN (0x0001)	false
Nov 30, 2024 20:04:06.896605015 CET	192.168.2.23	194.36.144.87	0x5416	Standard query (0)	catlovingfools.geek. [malformed]	256	423	false
Nov 30, 2024 20:04:07.150424957 CET	192.168.2.23	109.91.184.21	0x8f81	Standard query (0)	hikvision.geek. [malformed]	256	423	false
Nov 30, 2024 20:04:07.457935095 CET	192.168.2.23	168.235.111.72	0x6291	Standard query (0)	shitrocket.dyn. [malformed]	256	423	false
Nov 30, 2024 20:04:07.773499966 CET	192.168.2.23	152.53.15.127	0x147b	Standard query (0)	catvision.dyn. [malformed]	256	424	false
Nov 30, 2024 20:04:12.533407927 CET	192.168.2.23	202.61.197.122	0x11b2	Standard query (0)	catvision.dyn. [malformed]	256	428	false
Nov 30, 2024 20:04:12.791676998 CET	192.168.2.23	168.138.12.137	0x6a80	Standard query (0)	shitrocket.dyn	A (IP address)	IN (0x0001)	false
Nov 30, 2024 20:04:20.045387983 CET	192.168.2.23	152.53.15.127	0x147b	Standard query (0)	hikvision.geek	A (IP address)	IN (0x0001)	false
Nov 30, 2024 20:04:26.689330101 CET	192.168.2.23	168.235.111.72	0xb2af	Standard query (0)	hikvision.geek	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 30, 2024 20:03:17.903356075 CET	80.152.203.134	192.168.2.23	0x4313	Format error (1)	catvision.dyn. [malformed]	none	none	256	373	false
Nov 30, 2024 20:03:18.316652060 CET	80.152.203.134	192.168.2.23	0x4313	Format error (1)	catvision.dyn. [malformed]	none	none	256	374	false
Nov 30, 2024 20:03:46.958211899 CET	109.91.184.21	192.168.2.23	0x65f1	Format error (1)	shitrocket.dyn. [malformed]	none	none	256	402	false
Nov 30, 2024 20:03:50.709347010 CET	109.91.184.21	192.168.2.23	0x65f1	Format error (1)	hikvision.geek. [malformed]	none	none	256	406	false
Nov 30, 2024 20:03:50.984786034 CET	109.91.184.21	192.168.2.23	0xf808	Format error (1)	catvision.dyn. [malformed]	none	none	256	406	false
Nov 30, 2024 20:03:59.171174049 CET	80.152.203.134	192.168.2.23	0x254d	Format error (1)	hikvision.geek. [malformed]	none	none	256	415	false
Nov 30, 2024 20:03:59.461190939 CET	109.91.184.21	192.168.2.23	0xe3c4	Format error (1)	catvision.dyn. [malformed]	none	none	256	415	false
Nov 30, 2024 20:04:07.149087906 CET	194.36.144.87	192.168.2.23	0x5416	Format error (1)	catlovingfools.geek. [malformed]	none	none	256	423	false
Nov 30, 2024 20:04:07.456697941 CET	109.91.184.21	192.168.2.23	0x8f81	Format error (1)	hikvision.geek. [malformed]	none	none	256	423	false
Nov 30, 2024 20:04:08.027929068 CET	152.53.15.127	192.168.2.23	0x147b	Format error (1)	catvision.dyn. [malformed]	none	none	256	424	false

System Behavior

Analysis Process: ppc.elf PID: 6234, Parent PID: 6158

General

Start time (UTC):	19:02:48
Start date (UTC):	30/11/2024
Path:	/tmp/ppc.elf
Arguments:	/tmp/ppc.elf
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Chronological Activities

Analysis Process: ppc.elf PID: 6276, Parent PID: 6234

General

Start time (UTC):	19:02:48
Start date (UTC):	30/11/2024
Path:	/tmp/ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Chronological Activities

Analysis Process: ppc.elf PID: 6313, Parent PID: 6276

General

Start time (UTC):	19:02:49
Start date (UTC):	30/11/2024
Path:	/tmp/ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Chronological Activities

Analysis Process: ppc.elf PID: 6315, Parent PID: 6276

General

Start time (UTC):	19:02:49
Start date (UTC):	30/11/2024
Path:	/tmp/ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Chronological Activities

Analysis Process: ppc.elf PID: 6502, Parent PID: 6315

General

Start time (UTC):	19:05:13
Start date (UTC):	30/11/2024
Path:	/tmp/ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Chronological Activities

Analysis Process: ppc.elf PID: 6504, Parent PID: 6502

General

Start time (UTC):	19:05:13
Start date (UTC):	30/11/2024
Path:	/tmp/ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Chronological Activities

Analysis Process: ppc.elf PID: 6277, Parent PID: 6234

General

Start time (UTC):	19:02:48
Start date (UTC):	30/11/2024
Path:	/tmp/ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Chronological Activities

Analysis Process: ppc.elf PID: 6280, Parent PID: 6234

General

Start time (UTC):	19:02:48
Start date (UTC):	30/11/2024
Path:	/tmp/ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Chronological Activities

Analysis Process: ppc.elf PID: 6475, Parent PID: 6280

General

Start time (UTC):	19:05:13
Start date (UTC):	30/11/2024
Path:	/tmp/ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Chronological Activities

Analysis Process: ppc.elf PID: 6477, Parent PID: 6475

General

Start time (UTC):	19:05:13
Start date (UTC):	30/11/2024
Path:	/tmp/ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Chronological Activities

Analysis Process: dash PID: 6380, Parent PID: 4332

General

Start time (UTC):	19:02:49
Start date (UTC):	30/11/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 6380, Parent PID: 4332

General

Start time (UTC):	19:02:49
Start date (UTC):	30/11/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.ZVIY9iWyCT /tmp/tmp.qRXT3uvP5q /tmp/tmp.82xzlcmDwb
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: dash PID: 6381, Parent PID: 4332

General

Start time (UTC):	19:02:49
Start date (UTC):	30/11/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 6381, Parent PID: 4332

General

Start time (UTC):	19:02:49
Start date (UTC):	30/11/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.ZVIY9iWyCT /tmp/tmp.qRXT3uvP5q /tmp/tmp.82xzlcmDwb
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report ppc.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: ppc.elf PID: 6234, Parent PID: 6158

General

Chronological Activities

Analysis Process: ppc.elf PID: 6276, Parent PID: 6234

General

Chronological Activities

Analysis Process: ppc.elf PID: 6313, Parent PID: 6276

General

Chronological Activities

Analysis Process: ppc.elf PID: 6315, Parent PID: 6276

General

Chronological Activities

Analysis Process: ppc.elf PID: 6502, Parent PID: 6315

General

Chronological Activities

Analysis Process: ppc.elf PID: 6504, Parent PID: 6502

General

Chronological Activities

Analysis Process: ppc.elf PID: 6277, Parent PID: 6234

General

Chronological Activities

Analysis Process: ppc.elf PID: 6280, Parent PID: 6234

General

Linux Analysis Report
ppc.elf