Edit tour

Linux Analysis Report
zmap.sh4.elf

Overview

General Information

Sample name:	zmap.sh4.elf
Analysis ID:	1580405
MD5:	8efd8091d55d8b7099d49db979b7bfbb
SHA1:	4f3c58baf9ec7cea6fc5598cd352563b0196fd59
SHA256:	81268c14f3075a5546559bfa6f73e83cc796a94545836ef6f80197e1438490a4
Tags:	elfuser-abuse_ch
Infos:

Detection

Mirai, Okiru

Score:	84
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Mirai

Yara detected Okiru

Sample deletes itself

Detected TCP or UDP traffic on non-standard ports

Sample has stripped symbol table

Sample listens on a socket

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580405
Start date and time:	2024-12-24 13:27:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	zmap.sh4.elf
Detection:	MAL
Classification:	mal84.troj.evad.linELF@0/0@26/0

Warnings

VT rate limit hit for: zmap.sh4.elf

Runtime Messages

Command:	/tmp/zmap.sh4.elf
PID:	6213
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	VagneRHere
Standard Error:

Process Tree

system is lnxubuntu20

zmap.sh4.elf (PID: 6213, Parent: 6130, MD5: 8943e5f8f8c280467b4472c15ae93ba9) Arguments: /tmp/zmap.sh4.elf

zmap.sh4.elf New Fork (PID: 6215, Parent: 6213)

zmap.sh4.elf New Fork (PID: 6217, Parent: 6215)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
zmap.sh4.elf	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
zmap.sh4.elf	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
zmap.sh4.elf	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xd548:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd55c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd570:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd584:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd598:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd5ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd5c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd5d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd5e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd5fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd610:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd624:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd638:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd64c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd660:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd674:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd688:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd69c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd6b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd6c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd6d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F

Memory Dumps

Source	Rule	Description	Author	Strings
6217.1.00007f476c400000.00007f476c410000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
6217.1.00007f476c400000.00007f476c410000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6217.1.00007f476c400000.00007f476c410000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xd548:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd55c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd570:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd584:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd598:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd5ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd5c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd5d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd5e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd5fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd610:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd624:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd638:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd64c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd660:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd674:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd688:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd69c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd6b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd6c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd6d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
6213.1.00007f476c400000.00007f476c410000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
6213.1.00007f476c400000.00007f476c410000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6213.1.00007f476c400000.00007f476c410000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xd548:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd55c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd570:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd584:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd598:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd5ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd5c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd5d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd5e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd5fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd610:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd624:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd638:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd64c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd660:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd674:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd688:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd69c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd6b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd6c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd6d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: zmap.sh4.elf PID: 6213	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Process Memory Space: zmap.sh4.elf PID: 6213	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: zmap.sh4.elf PID: 6213	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x16d9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x16ed:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1701:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1715:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1729:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x173d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1751:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1765:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1779:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x178d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x17a1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x17b5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x17c9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x17dd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x17f1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1805:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1819:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x182d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1841:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1855:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1869:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: zmap.sh4.elf PID: 6217	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Process Memory Space: zmap.sh4.elf PID: 6217	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: zmap.sh4.elf PID: 6217	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x1f0e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1f22:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1f36:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1f4a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1f5e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1f72:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1f86:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1f9a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fae:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fc2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fd6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fea:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1ffe:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2012:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2026:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x203a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x204e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2062:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2076:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x208a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x209e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Click to see the 7 entries

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: zmap.sh4.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: zmap.sh4.elf

ReversingLabs: Detection: 60%

Source: global traffic

TCP traffic: 192.168.2.23:39528 -> 185.196.8.105:59962

Source: /tmp/zmap.sh4.elf (PID: 6213)

Socket: 127.0.0.1:39148

Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42

Source: global traffic

DNS traffic detected: DNS query: srvy.vlrt-gap.com

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: zmap.sh4.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6217.1.00007f476c400000.00007f476c410000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6213.1.00007f476c400000.00007f476c410000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: zmap.sh4.elf PID: 6213, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: zmap.sh4.elf PID: 6217, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: ELF static info symbol of initial sample

.symtab present: no

Source: zmap.sh4.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6217.1.00007f476c400000.00007f476c410000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6213.1.00007f476c400000.00007f476c410000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: zmap.sh4.elf PID: 6213, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: zmap.sh4.elf PID: 6217, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal84.troj.evad.linELF@0/0@26/0

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/zmap.sh4.elf (PID: 6213)

File: /tmp/zmap.sh4.elf

Jump to behavior

Source: /tmp/zmap.sh4.elf (PID: 6213)

Queries kernel information via 'uname':

Jump to behavior

Source: zmap.sh4.elf, 6213.1.00007ffdde258000.00007ffdde279000.rw-.sdmp, zmap.sh4.elf, 6217.1.00007ffdde258000.00007ffdde279000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-sh4/tmp/zmap.sh4.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/zmap.sh4.elf
Source: zmap.sh4.elf, 6213.1.00007ffdde258000.00007ffdde279000.rw-.sdmp, zmap.sh4.elf, 6217.1.00007ffdde258000.00007ffdde279000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sh4
Source: zmap.sh4.elf, 6213.1.00005611f98ae000.00005611f9911000.rw-.sdmp, zmap.sh4.elf, 6217.1.00005611f98ae000.00005611f9911000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/sh4
Source: zmap.sh4.elf, 6213.1.00005611f98ae000.00005611f9911000.rw-.sdmp, zmap.sh4.elf, 6217.1.00005611f98ae000.00005611f9911000.rw-.sdmp	Binary or memory string: V5!/etc/qemu-binfmt/sh4

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: zmap.sh4.elf, type: SAMPLE
Source: Yara match	File source: 6217.1.00007f476c400000.00007f476c410000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6213.1.00007f476c400000.00007f476c410000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zmap.sh4.elf PID: 6213, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: zmap.sh4.elf PID: 6217, type: MEMORYSTR

Yara detected Okiru

Source: Yara match	File source: zmap.sh4.elf, type: SAMPLE
Source: Yara match	File source: 6217.1.00007f476c400000.00007f476c410000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6213.1.00007f476c400000.00007f476c410000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zmap.sh4.elf PID: 6213, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: zmap.sh4.elf PID: 6217, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: zmap.sh4.elf, type: SAMPLE
Source: Yara match	File source: 6217.1.00007f476c400000.00007f476c410000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6213.1.00007f476c400000.00007f476c410000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zmap.sh4.elf PID: 6213, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: zmap.sh4.elf PID: 6217, type: MEMORYSTR

Yara detected Okiru

Source: Yara match	File source: zmap.sh4.elf, type: SAMPLE
Source: Yara match	File source: 6217.1.00007f476c400000.00007f476c410000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6213.1.00007f476c400000.00007f476c410000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zmap.sh4.elf PID: 6213, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: zmap.sh4.elf PID: 6217, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 File Deletion	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
zmap.sh4.elf	61%	ReversingLabs	Linux.Trojan.Mirai
zmap.sh4.elf	100%	Avira	EXP/ELF.Mirai.Z.A

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
srvy.vlrt-gap.com	185.196.8.105	true	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.196.8.105	srvy.vlrt-gap.com	Switzerland	34888	SIMPLECARRER2IT	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.196.8.105	zmap.mpsl.elf	Get hash	malicious	Mirai, Okiru	Browse
	zmap.spc.elf	Get hash	malicious	Mirai, Okiru	Browse
	zmap.x86.elf	Get hash	malicious	Okiru	Browse
	zmap.arm.elf	Get hash	malicious	Mirai, Okiru	Browse
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43	x86.elf	Get hash	malicious	Unknown	Browse
	zmap.mpsl.elf	Get hash	malicious	Mirai, Okiru	Browse
	zmap.spc.elf	Get hash	malicious	Mirai, Okiru	Browse
	zmap.x86.elf	Get hash	malicious	Okiru	Browse
	zmap.arm.elf	Get hash	malicious	Mirai, Okiru	Browse
	most-m68k.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	x86_64.nn.elf	Get hash	malicious	Okiru	Browse
	nshppc.elf	Get hash	malicious	Unknown	Browse
	nshsh4.elf	Get hash	malicious	Unknown	Browse
91.189.91.42	x86.elf	Get hash	malicious	Unknown	Browse
	zmap.mpsl.elf	Get hash	malicious	Mirai, Okiru	Browse
	zmap.spc.elf	Get hash	malicious	Mirai, Okiru	Browse
	zmap.x86.elf	Get hash	malicious	Okiru	Browse
	zmap.arm.elf	Get hash	malicious	Mirai, Okiru	Browse
	most-m68k.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	x86_64.nn.elf	Get hash	malicious	Okiru	Browse
	nshppc.elf	Get hash	malicious	Unknown	Browse
	nshsh4.elf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
srvy.vlrt-gap.com	zmap.mpsl.elf	Get hash	malicious	Mirai, Okiru	Browse	185.196.8.105
	zmap.spc.elf	Get hash	malicious	Mirai, Okiru	Browse	185.196.8.105
	zmap.x86.elf	Get hash	malicious	Okiru	Browse	185.196.8.105
	zmap.arm.elf	Get hash	malicious	Mirai, Okiru	Browse	185.196.8.105

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	x86.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	zmap.mpsl.elf	Get hash	malicious	Mirai, Okiru	Browse	91.189.91.42
	zmap.spc.elf	Get hash	malicious	Mirai, Okiru	Browse	91.189.91.42
	zmap.x86.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	zmap.arm.elf	Get hash	malicious	Mirai, Okiru	Browse	91.189.91.42
	most-m68k.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	arm7.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	x86_64.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	nshppc.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	nshsh4.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
CANONICAL-ASGB	x86.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	zmap.mpsl.elf	Get hash	malicious	Mirai, Okiru	Browse	91.189.91.42
	zmap.spc.elf	Get hash	malicious	Mirai, Okiru	Browse	91.189.91.42
	zmap.x86.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	zmap.arm.elf	Get hash	malicious	Mirai, Okiru	Browse	91.189.91.42
	most-m68k.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	arm7.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	x86_64.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	nshppc.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	nshsh4.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
SIMPLECARRER2IT	zmap.mpsl.elf	Get hash	malicious	Mirai, Okiru	Browse	185.196.8.105
	zmap.spc.elf	Get hash	malicious	Mirai, Okiru	Browse	185.196.8.105
	zmap.x86.elf	Get hash	malicious	Okiru	Browse	185.196.8.105
	zmap.arm.elf	Get hash	malicious	Mirai, Okiru	Browse	185.196.8.105
	DQmU06kq9I.exe	Get hash	malicious	LiteHTTP Bot	Browse	185.208.159.109
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LiteHTTP Bot, LummaC Stealer, Stealc, Xmrig	Browse	185.208.159.109
	file.exe	Get hash	malicious	ScreenConnect Tool, Amadey, RHADAMANTHYS, XWorm, Xmrig	Browse	185.196.8.237
	file.exe	Get hash	malicious	AsyncRAT, VenomRAT	Browse	185.208.158.187
	Ziraat Bankasi Swift Mesaji.dqy.dll	Get hash	malicious	AsyncRAT, VenomRAT	Browse	185.208.158.187
	file.exe	Get hash	malicious	AsyncRAT, VenomRAT	Browse	185.208.158.187
INIT7CH	x86.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	zmap.mpsl.elf	Get hash	malicious	Mirai, Okiru	Browse	109.202.202.202
	zmap.spc.elf	Get hash	malicious	Mirai, Okiru	Browse	109.202.202.202
	zmap.x86.elf	Get hash	malicious	Okiru	Browse	109.202.202.202
	zmap.arm.elf	Get hash	malicious	Mirai, Okiru	Browse	109.202.202.202
	most-m68k.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	arm7.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	x86_64.nn.elf	Get hash	malicious	Okiru	Browse	109.202.202.202
	nshppc.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	nshsh4.elf	Get hash	malicious	Unknown	Browse	109.202.202.202

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.906665833064167
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	zmap.sh4.elf
File size:	64'312 bytes
MD5:	8efd8091d55d8b7099d49db979b7bfbb
SHA1:	4f3c58baf9ec7cea6fc5598cd352563b0196fd59
SHA256:	81268c14f3075a5546559bfa6f73e83cc796a94545836ef6f80197e1438490a4
SHA512:	fc0925e81c612b0b47b7dca9f842ca04366598e8fd229992a87ee8afcf0ab53e3cb5bb4725c1c69d1df697af040fed06e5226b935e7722a702c67ed7cb16585f
SSDEEP:	1536:qR2xNYObAIC9s/mRD2+y2FXLll/x9eKeNt7vKdkCZ76Fx:qRgC8AIC9s/mRD2+y2FXxlZ/erKdklFx
TLSH:	89539D76E4262984C5860834B0B88E741FA3B1C0935B6EFB19DDC6B5604BEBCF449FE4
File Content Preview:	.ELF.....................@.4...........4. ...(...............@...@...........................A...A......'..........Q.td............................././"O.n........#.@........#.*@,....o&O.n...l..............................././.../.a"O.!...n...a.b("...q.

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	<unknown>
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x4001a0
Flags:	0x9
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	63912
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x30	0x0	0x6	AX	4
.text	PROGBITS	0x4000e0	0xe0	0xd440	0x0	0x6	AX	32
.fini	PROGBITS	0x40d520	0xd520	0x24	0x0	0x6	AX	4
.rodata	PROGBITS	0x40d544	0xd544	0x2080	0x0	0x2	A	4
.ctors	PROGBITS	0x41f5c8	0xf5c8	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x41f5d0	0xf5d0	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x41f5dc	0xf5dc	0x38c	0x0	0x3	WA	4
.bss	NOBITS	0x41f968	0xf968	0x2430	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0xf968	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0xf5c4	0xf5c4	6.9535	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0xf5c8	0x41f5c8	0x41f5c8	0x3a0	0x27d0	3.1222	0x6	RW	0x10000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 13:27:45.674694061 CET	43928	443	192.168.2.23	91.189.91.42
Dec 24, 2024 13:27:46.271955967 CET	39528	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:46.391504049 CET	59962	39528	185.196.8.105	192.168.2.23
Dec 24, 2024 13:27:46.392021894 CET	39528	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:46.392916918 CET	39528	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:46.512458086 CET	59962	39528	185.196.8.105	192.168.2.23
Dec 24, 2024 13:27:46.512640953 CET	39528	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:46.632103920 CET	59962	39528	185.196.8.105	192.168.2.23
Dec 24, 2024 13:27:47.691318035 CET	59962	39528	185.196.8.105	192.168.2.23
Dec 24, 2024 13:27:47.691450119 CET	39528	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:47.691616058 CET	39528	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:48.054272890 CET	39530	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:48.173979044 CET	59962	39530	185.196.8.105	192.168.2.23
Dec 24, 2024 13:27:48.174069881 CET	39530	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:48.174925089 CET	39530	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:48.294399977 CET	59962	39530	185.196.8.105	192.168.2.23
Dec 24, 2024 13:27:48.294524908 CET	39530	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:48.414053917 CET	59962	39530	185.196.8.105	192.168.2.23
Dec 24, 2024 13:27:49.469697952 CET	59962	39530	185.196.8.105	192.168.2.23
Dec 24, 2024 13:27:49.469808102 CET	39530	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:49.469953060 CET	39530	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:49.605670929 CET	39532	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:49.725131989 CET	59962	39532	185.196.8.105	192.168.2.23
Dec 24, 2024 13:27:49.725231886 CET	39532	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:49.726308107 CET	39532	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:49.845783949 CET	59962	39532	185.196.8.105	192.168.2.23
Dec 24, 2024 13:27:49.845886946 CET	39532	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:49.965481997 CET	59962	39532	185.196.8.105	192.168.2.23
Dec 24, 2024 13:27:51.029416084 CET	59962	39532	185.196.8.105	192.168.2.23
Dec 24, 2024 13:27:51.029690027 CET	39532	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:51.029721022 CET	39532	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:51.165620089 CET	39534	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:51.285200119 CET	59962	39534	185.196.8.105	192.168.2.23
Dec 24, 2024 13:27:51.285321951 CET	39534	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:51.286386013 CET	39534	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:51.306010008 CET	42836	443	192.168.2.23	91.189.91.43
Dec 24, 2024 13:27:51.405862093 CET	59962	39534	185.196.8.105	192.168.2.23
Dec 24, 2024 13:27:51.406054020 CET	39534	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:51.525624037 CET	59962	39534	185.196.8.105	192.168.2.23
Dec 24, 2024 13:27:52.590221882 CET	59962	39534	185.196.8.105	192.168.2.23
Dec 24, 2024 13:27:52.590478897 CET	39534	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:52.590596914 CET	39534	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:52.726825953 CET	39536	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:52.841730118 CET	42516	80	192.168.2.23	109.202.202.202
Dec 24, 2024 13:27:52.847893953 CET	59962	39536	185.196.8.105	192.168.2.23
Dec 24, 2024 13:27:52.848174095 CET	39536	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:52.849525928 CET	39536	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:52.969335079 CET	59962	39536	185.196.8.105	192.168.2.23
Dec 24, 2024 13:27:52.969650984 CET	39536	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:53.089669943 CET	59962	39536	185.196.8.105	192.168.2.23
Dec 24, 2024 13:27:54.153621912 CET	59962	39536	185.196.8.105	192.168.2.23
Dec 24, 2024 13:27:54.153847933 CET	39536	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:54.153908014 CET	39536	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:54.517214060 CET	39538	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:54.636663914 CET	59962	39538	185.196.8.105	192.168.2.23
Dec 24, 2024 13:27:54.636791945 CET	39538	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:54.637841940 CET	39538	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:54.757391930 CET	59962	39538	185.196.8.105	192.168.2.23
Dec 24, 2024 13:27:54.757541895 CET	39538	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:54.877022982 CET	59962	39538	185.196.8.105	192.168.2.23
Dec 24, 2024 13:27:55.936044931 CET	59962	39538	185.196.8.105	192.168.2.23
Dec 24, 2024 13:27:55.936472893 CET	39538	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:55.936472893 CET	39538	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:56.296094894 CET	39540	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:56.415651083 CET	59962	39540	185.196.8.105	192.168.2.23
Dec 24, 2024 13:27:56.415790081 CET	39540	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:56.416876078 CET	39540	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:56.536318064 CET	59962	39540	185.196.8.105	192.168.2.23
Dec 24, 2024 13:27:56.536436081 CET	39540	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:56.655999899 CET	59962	39540	185.196.8.105	192.168.2.23
Dec 24, 2024 13:27:57.824654102 CET	59962	39540	185.196.8.105	192.168.2.23
Dec 24, 2024 13:27:57.825010061 CET	39540	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:57.825128078 CET	39540	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:58.184809923 CET	39542	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:58.304434061 CET	59962	39542	185.196.8.105	192.168.2.23
Dec 24, 2024 13:27:58.304580927 CET	39542	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:58.305938959 CET	39542	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:58.434920073 CET	59962	39542	185.196.8.105	192.168.2.23
Dec 24, 2024 13:27:58.435187101 CET	39542	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:58.554744005 CET	59962	39542	185.196.8.105	192.168.2.23
Dec 24, 2024 13:27:59.605238914 CET	59962	39542	185.196.8.105	192.168.2.23
Dec 24, 2024 13:27:59.605390072 CET	39542	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:59.605664015 CET	39542	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:59.742299080 CET	39544	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:59.861836910 CET	59962	39544	185.196.8.105	192.168.2.23
Dec 24, 2024 13:27:59.862134933 CET	39544	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:59.863483906 CET	39544	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:27:59.983026028 CET	59962	39544	185.196.8.105	192.168.2.23
Dec 24, 2024 13:27:59.983294964 CET	39544	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:00.102840900 CET	59962	39544	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:01.175587893 CET	59962	39544	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:01.175896883 CET	39544	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:01.175987005 CET	39544	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:01.540935993 CET	39546	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:01.660542965 CET	59962	39546	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:01.660840034 CET	39546	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:01.662643909 CET	39546	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:01.782263041 CET	59962	39546	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:01.782394886 CET	39546	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:01.902101994 CET	59962	39546	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:02.973190069 CET	59962	39546	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:02.973299980 CET	39546	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:02.973366976 CET	39546	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:03.110219955 CET	39548	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:03.229757071 CET	59962	39548	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:03.229918957 CET	39548	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:03.230901957 CET	39548	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:03.350436926 CET	59962	39548	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:03.350498915 CET	39548	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:03.470654011 CET	59962	39548	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:04.535669088 CET	59962	39548	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:04.535836935 CET	39548	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:04.535914898 CET	39548	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:04.673825979 CET	39550	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:04.796077013 CET	59962	39550	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:04.796190977 CET	39550	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:04.797429085 CET	39550	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:04.917721033 CET	59962	39550	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:04.917872906 CET	39550	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:05.037676096 CET	59962	39550	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:05.896039009 CET	43928	443	192.168.2.23	91.189.91.42
Dec 24, 2024 13:28:06.097996950 CET	59962	39550	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:06.098175049 CET	39550	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:06.098244905 CET	39550	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:06.462227106 CET	39552	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:06.581758022 CET	59962	39552	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:06.581887007 CET	39552	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:06.582868099 CET	39552	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:06.702301025 CET	59962	39552	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:06.702435017 CET	39552	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:06.821927071 CET	59962	39552	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:07.879407883 CET	59962	39552	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:07.879539967 CET	39552	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:07.879564047 CET	39552	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:08.003545046 CET	39554	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:08.123321056 CET	59962	39554	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:08.123466969 CET	39554	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:08.124716997 CET	39554	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:08.244168997 CET	59962	39554	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:08.244498968 CET	39554	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:08.364012003 CET	59962	39554	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:09.422003984 CET	59962	39554	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:09.422316074 CET	39554	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:09.422414064 CET	39554	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:09.559231997 CET	39556	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:09.678833008 CET	59962	39556	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:09.679132938 CET	39556	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:09.680310011 CET	39556	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:09.799791098 CET	59962	39556	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:09.799922943 CET	39556	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:09.919429064 CET	59962	39556	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:10.980204105 CET	59962	39556	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:10.980401993 CET	39556	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:10.980523109 CET	39556	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:11.104710102 CET	39558	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:11.224303007 CET	59962	39558	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:11.224610090 CET	39558	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:11.225812912 CET	39558	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:11.345319986 CET	59962	39558	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:11.345443010 CET	39558	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:11.464993000 CET	59962	39558	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:12.538827896 CET	59962	39558	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:12.539006948 CET	39558	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:12.539098024 CET	39558	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:12.675636053 CET	39560	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:12.795490980 CET	59962	39560	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:12.795806885 CET	39560	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:12.797394037 CET	39560	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:12.917053938 CET	59962	39560	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:12.917300940 CET	39560	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:13.036880016 CET	59962	39560	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:14.110086918 CET	59962	39560	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:14.110177994 CET	39560	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:14.110343933 CET	39560	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:14.246717930 CET	39562	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:14.366319895 CET	59962	39562	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:14.366492033 CET	39562	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:14.368043900 CET	39562	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:14.487571955 CET	59962	39562	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:14.487657070 CET	39562	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:14.607217073 CET	59962	39562	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:15.680495977 CET	59962	39562	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:15.680798054 CET	39562	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:15.680896997 CET	39562	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:15.816973925 CET	39564	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:15.936491966 CET	59962	39564	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:15.936640978 CET	39564	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:15.937866926 CET	39564	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:16.059041977 CET	59962	39564	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:16.059303045 CET	39564	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:16.178862095 CET	59962	39564	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:18.182393074 CET	42836	443	192.168.2.23	91.189.91.43
Dec 24, 2024 13:28:22.277769089 CET	42516	80	192.168.2.23	109.202.202.202
Dec 24, 2024 13:28:25.946743965 CET	39564	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:26.066442013 CET	59962	39564	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:26.353022099 CET	59962	39564	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:26.353184938 CET	39564	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:26.353239059 CET	39564	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:26.472893953 CET	59962	39564	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:27.492702961 CET	39566	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:27.612207890 CET	59962	39566	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:27.612385035 CET	39566	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:27.613935947 CET	39566	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:27.733515024 CET	59962	39566	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:27.733655930 CET	39566	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:27.853238106 CET	59962	39566	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:28.684828043 CET	59962	39566	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:28.685256958 CET	39566	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:28.804968119 CET	59962	39566	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:29.822549105 CET	39568	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:29.942150116 CET	59962	39568	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:29.942262888 CET	39568	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:29.943850994 CET	39568	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:30.063420057 CET	59962	39568	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:30.063553095 CET	39568	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:30.183007956 CET	59962	39568	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:31.297925949 CET	59962	39568	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:31.298172951 CET	39568	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:31.298389912 CET	39568	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:31.424206018 CET	39570	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:31.543834925 CET	59962	39570	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:31.544002056 CET	39570	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:31.545095921 CET	39570	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:31.664581060 CET	59962	39570	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:31.664644957 CET	39570	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:31.784168005 CET	59962	39570	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:32.869618893 CET	59962	39570	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:32.870033026 CET	39570	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:32.870033026 CET	39570	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:33.005665064 CET	39572	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:33.125200987 CET	59962	39572	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:33.125437975 CET	39572	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:33.126312017 CET	39572	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:33.245850086 CET	59962	39572	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:33.246033907 CET	39572	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:33.365564108 CET	59962	39572	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:34.436722994 CET	59962	39572	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:34.436990023 CET	39572	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:34.436990976 CET	39572	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:34.561625957 CET	39574	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:34.681185007 CET	59962	39574	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:34.681298971 CET	39574	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:34.682380915 CET	39574	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:34.801958084 CET	59962	39574	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:34.802215099 CET	39574	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:34.921740055 CET	59962	39574	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:35.986563921 CET	59962	39574	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:35.986856937 CET	39574	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:35.986884117 CET	39574	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:36.123001099 CET	39576	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:36.242655039 CET	59962	39576	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:36.242832899 CET	39576	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:36.244060993 CET	39576	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:36.363678932 CET	59962	39576	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:36.364037991 CET	39576	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:36.483715057 CET	59962	39576	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:37.552393913 CET	59962	39576	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:37.552525997 CET	39576	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:37.552614927 CET	39576	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:37.688695908 CET	39578	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:37.808295012 CET	59962	39578	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:37.808466911 CET	39578	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:37.809559107 CET	39578	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:37.929155111 CET	59962	39578	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:37.929306984 CET	39578	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:28:38.049010038 CET	59962	39578	185.196.8.105	192.168.2.23
Dec 24, 2024 13:28:46.850454092 CET	43928	443	192.168.2.23	91.189.91.42
Dec 24, 2024 13:29:37.847863913 CET	39578	59962	192.168.2.23	185.196.8.105
Dec 24, 2024 13:29:37.967674971 CET	59962	39578	185.196.8.105	192.168.2.23
Dec 24, 2024 13:29:38.267853022 CET	59962	39578	185.196.8.105	192.168.2.23
Dec 24, 2024 13:29:38.268178940 CET	39578	59962	192.168.2.23	185.196.8.105

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 13:27:45.911016941 CET	42755	53	192.168.2.23	8.8.8.8
Dec 24, 2024 13:27:46.270858049 CET	53	42755	8.8.8.8	192.168.2.23
Dec 24, 2024 13:27:47.692979097 CET	48939	53	192.168.2.23	8.8.8.8
Dec 24, 2024 13:27:48.053771973 CET	53	48939	8.8.8.8	192.168.2.23
Dec 24, 2024 13:27:49.470963955 CET	41213	53	192.168.2.23	8.8.8.8
Dec 24, 2024 13:27:49.605051041 CET	53	41213	8.8.8.8	192.168.2.23
Dec 24, 2024 13:27:51.030754089 CET	43005	53	192.168.2.23	8.8.8.8
Dec 24, 2024 13:27:51.164967060 CET	53	43005	8.8.8.8	192.168.2.23
Dec 24, 2024 13:27:52.591979027 CET	46822	53	192.168.2.23	8.8.8.8
Dec 24, 2024 13:27:52.725830078 CET	53	46822	8.8.8.8	192.168.2.23
Dec 24, 2024 13:27:54.154926062 CET	44296	53	192.168.2.23	8.8.8.8
Dec 24, 2024 13:27:54.516367912 CET	53	44296	8.8.8.8	192.168.2.23
Dec 24, 2024 13:27:55.937473059 CET	46532	53	192.168.2.23	8.8.8.8
Dec 24, 2024 13:27:56.295211077 CET	53	46532	8.8.8.8	192.168.2.23
Dec 24, 2024 13:27:57.826309919 CET	36682	53	192.168.2.23	8.8.8.8
Dec 24, 2024 13:27:58.183718920 CET	53	36682	8.8.8.8	192.168.2.23
Dec 24, 2024 13:27:59.607044935 CET	49594	53	192.168.2.23	8.8.8.8
Dec 24, 2024 13:27:59.741419077 CET	53	49594	8.8.8.8	192.168.2.23
Dec 24, 2024 13:28:01.177419901 CET	54547	53	192.168.2.23	8.8.8.8
Dec 24, 2024 13:28:01.540015936 CET	53	54547	8.8.8.8	192.168.2.23
Dec 24, 2024 13:28:02.974261045 CET	47010	53	192.168.2.23	8.8.8.8
Dec 24, 2024 13:28:03.109246969 CET	53	47010	8.8.8.8	192.168.2.23
Dec 24, 2024 13:28:04.537254095 CET	33216	53	192.168.2.23	8.8.8.8
Dec 24, 2024 13:28:04.672951937 CET	53	33216	8.8.8.8	192.168.2.23
Dec 24, 2024 13:28:06.099613905 CET	60133	53	192.168.2.23	8.8.8.8
Dec 24, 2024 13:28:06.461330891 CET	53	60133	8.8.8.8	192.168.2.23
Dec 24, 2024 13:28:07.880471945 CET	60079	53	192.168.2.23	8.8.8.8
Dec 24, 2024 13:28:08.002921104 CET	53	60079	8.8.8.8	192.168.2.23
Dec 24, 2024 13:28:09.423852921 CET	39132	53	192.168.2.23	8.8.8.8
Dec 24, 2024 13:28:09.558698893 CET	53	39132	8.8.8.8	192.168.2.23
Dec 24, 2024 13:28:10.981646061 CET	42415	53	192.168.2.23	8.8.8.8
Dec 24, 2024 13:28:11.103919983 CET	53	42415	8.8.8.8	192.168.2.23
Dec 24, 2024 13:28:12.540235043 CET	59734	53	192.168.2.23	8.8.8.8
Dec 24, 2024 13:28:12.674623966 CET	53	59734	8.8.8.8	192.168.2.23
Dec 24, 2024 13:28:14.111695051 CET	46136	53	192.168.2.23	8.8.8.8
Dec 24, 2024 13:28:14.245599985 CET	53	46136	8.8.8.8	192.168.2.23
Dec 24, 2024 13:28:15.682090998 CET	59885	53	192.168.2.23	8.8.8.8
Dec 24, 2024 13:28:15.815918922 CET	53	59885	8.8.8.8	192.168.2.23
Dec 24, 2024 13:28:27.357248068 CET	58585	53	192.168.2.23	8.8.8.8
Dec 24, 2024 13:28:27.491447926 CET	53	58585	8.8.8.8	192.168.2.23
Dec 24, 2024 13:28:29.687598944 CET	35637	53	192.168.2.23	8.8.8.8
Dec 24, 2024 13:28:29.821445942 CET	53	35637	8.8.8.8	192.168.2.23
Dec 24, 2024 13:28:31.299705029 CET	49595	53	192.168.2.23	8.8.8.8
Dec 24, 2024 13:28:31.423237085 CET	53	49595	8.8.8.8	192.168.2.23
Dec 24, 2024 13:28:32.871118069 CET	58992	53	192.168.2.23	8.8.8.8
Dec 24, 2024 13:28:33.004808903 CET	53	58992	8.8.8.8	192.168.2.23
Dec 24, 2024 13:28:34.438359022 CET	54502	53	192.168.2.23	8.8.8.8
Dec 24, 2024 13:28:34.560714006 CET	53	54502	8.8.8.8	192.168.2.23
Dec 24, 2024 13:28:35.988130093 CET	57995	53	192.168.2.23	8.8.8.8
Dec 24, 2024 13:28:36.122106075 CET	53	57995	8.8.8.8	192.168.2.23
Dec 24, 2024 13:28:37.553371906 CET	49019	53	192.168.2.23	8.8.8.8
Dec 24, 2024 13:28:37.688033104 CET	53	49019	8.8.8.8	192.168.2.23

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 24, 2024 13:27:45.911016941 CET	192.168.2.23	8.8.8.8	0x2fa7	Standard query (0)	srvy.vlrt-gap.com	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:27:47.692979097 CET	192.168.2.23	8.8.8.8	0xcdc6	Standard query (0)	srvy.vlrt-gap.com	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:27:49.470963955 CET	192.168.2.23	8.8.8.8	0x28c0	Standard query (0)	srvy.vlrt-gap.com	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:27:51.030754089 CET	192.168.2.23	8.8.8.8	0x9c60	Standard query (0)	srvy.vlrt-gap.com	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:27:52.591979027 CET	192.168.2.23	8.8.8.8	0x3e17	Standard query (0)	srvy.vlrt-gap.com	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:27:54.154926062 CET	192.168.2.23	8.8.8.8	0xc7a3	Standard query (0)	srvy.vlrt-gap.com	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:27:55.937473059 CET	192.168.2.23	8.8.8.8	0x60be	Standard query (0)	srvy.vlrt-gap.com	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:27:57.826309919 CET	192.168.2.23	8.8.8.8	0xdaa5	Standard query (0)	srvy.vlrt-gap.com	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:27:59.607044935 CET	192.168.2.23	8.8.8.8	0x891b	Standard query (0)	srvy.vlrt-gap.com	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:28:01.177419901 CET	192.168.2.23	8.8.8.8	0x40a4	Standard query (0)	srvy.vlrt-gap.com	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:28:02.974261045 CET	192.168.2.23	8.8.8.8	0xf80a	Standard query (0)	srvy.vlrt-gap.com	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:28:04.537254095 CET	192.168.2.23	8.8.8.8	0x778e	Standard query (0)	srvy.vlrt-gap.com	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:28:06.099613905 CET	192.168.2.23	8.8.8.8	0x77e7	Standard query (0)	srvy.vlrt-gap.com	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:28:07.880471945 CET	192.168.2.23	8.8.8.8	0x65be	Standard query (0)	srvy.vlrt-gap.com	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:28:09.423852921 CET	192.168.2.23	8.8.8.8	0x2c0d	Standard query (0)	srvy.vlrt-gap.com	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:28:10.981646061 CET	192.168.2.23	8.8.8.8	0x7113	Standard query (0)	srvy.vlrt-gap.com	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:28:12.540235043 CET	192.168.2.23	8.8.8.8	0x68e3	Standard query (0)	srvy.vlrt-gap.com	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:28:14.111695051 CET	192.168.2.23	8.8.8.8	0x2849	Standard query (0)	srvy.vlrt-gap.com	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:28:15.682090998 CET	192.168.2.23	8.8.8.8	0xac52	Standard query (0)	srvy.vlrt-gap.com	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:28:27.357248068 CET	192.168.2.23	8.8.8.8	0xf7d9	Standard query (0)	srvy.vlrt-gap.com	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:28:29.687598944 CET	192.168.2.23	8.8.8.8	0x4ef3	Standard query (0)	srvy.vlrt-gap.com	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:28:31.299705029 CET	192.168.2.23	8.8.8.8	0x28fc	Standard query (0)	srvy.vlrt-gap.com	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:28:32.871118069 CET	192.168.2.23	8.8.8.8	0x735a	Standard query (0)	srvy.vlrt-gap.com	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:28:34.438359022 CET	192.168.2.23	8.8.8.8	0x536b	Standard query (0)	srvy.vlrt-gap.com	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:28:35.988130093 CET	192.168.2.23	8.8.8.8	0x7db0	Standard query (0)	srvy.vlrt-gap.com	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:28:37.553371906 CET	192.168.2.23	8.8.8.8	0x3988	Standard query (0)	srvy.vlrt-gap.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 24, 2024 13:27:46.270858049 CET	8.8.8.8	192.168.2.23	0x2fa7	No error (0)	srvy.vlrt-gap.com	185.196.8.105	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:27:48.053771973 CET	8.8.8.8	192.168.2.23	0xcdc6	No error (0)	srvy.vlrt-gap.com	185.196.8.105	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:27:49.605051041 CET	8.8.8.8	192.168.2.23	0x28c0	No error (0)	srvy.vlrt-gap.com	185.196.8.105	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:27:51.164967060 CET	8.8.8.8	192.168.2.23	0x9c60	No error (0)	srvy.vlrt-gap.com	185.196.8.105	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:27:52.725830078 CET	8.8.8.8	192.168.2.23	0x3e17	No error (0)	srvy.vlrt-gap.com	185.196.8.105	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:27:54.516367912 CET	8.8.8.8	192.168.2.23	0xc7a3	No error (0)	srvy.vlrt-gap.com	185.196.8.105	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:27:56.295211077 CET	8.8.8.8	192.168.2.23	0x60be	No error (0)	srvy.vlrt-gap.com	185.196.8.105	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:27:58.183718920 CET	8.8.8.8	192.168.2.23	0xdaa5	No error (0)	srvy.vlrt-gap.com	185.196.8.105	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:27:59.741419077 CET	8.8.8.8	192.168.2.23	0x891b	No error (0)	srvy.vlrt-gap.com	185.196.8.105	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:28:01.540015936 CET	8.8.8.8	192.168.2.23	0x40a4	No error (0)	srvy.vlrt-gap.com	185.196.8.105	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:28:03.109246969 CET	8.8.8.8	192.168.2.23	0xf80a	No error (0)	srvy.vlrt-gap.com	185.196.8.105	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:28:04.672951937 CET	8.8.8.8	192.168.2.23	0x778e	No error (0)	srvy.vlrt-gap.com	185.196.8.105	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:28:06.461330891 CET	8.8.8.8	192.168.2.23	0x77e7	No error (0)	srvy.vlrt-gap.com	185.196.8.105	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:28:08.002921104 CET	8.8.8.8	192.168.2.23	0x65be	No error (0)	srvy.vlrt-gap.com	185.196.8.105	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:28:09.558698893 CET	8.8.8.8	192.168.2.23	0x2c0d	No error (0)	srvy.vlrt-gap.com	185.196.8.105	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:28:11.103919983 CET	8.8.8.8	192.168.2.23	0x7113	No error (0)	srvy.vlrt-gap.com	185.196.8.105	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:28:12.674623966 CET	8.8.8.8	192.168.2.23	0x68e3	No error (0)	srvy.vlrt-gap.com	185.196.8.105	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:28:14.245599985 CET	8.8.8.8	192.168.2.23	0x2849	No error (0)	srvy.vlrt-gap.com	185.196.8.105	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:28:15.815918922 CET	8.8.8.8	192.168.2.23	0xac52	No error (0)	srvy.vlrt-gap.com	185.196.8.105	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:28:27.491447926 CET	8.8.8.8	192.168.2.23	0xf7d9	No error (0)	srvy.vlrt-gap.com	185.196.8.105	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:28:29.821445942 CET	8.8.8.8	192.168.2.23	0x4ef3	No error (0)	srvy.vlrt-gap.com	185.196.8.105	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:28:31.423237085 CET	8.8.8.8	192.168.2.23	0x28fc	No error (0)	srvy.vlrt-gap.com	185.196.8.105	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:28:33.004808903 CET	8.8.8.8	192.168.2.23	0x735a	No error (0)	srvy.vlrt-gap.com	185.196.8.105	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:28:34.560714006 CET	8.8.8.8	192.168.2.23	0x536b	No error (0)	srvy.vlrt-gap.com	185.196.8.105	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:28:36.122106075 CET	8.8.8.8	192.168.2.23	0x7db0	No error (0)	srvy.vlrt-gap.com	185.196.8.105	A (IP address)	IN (0x0001)	false
Dec 24, 2024 13:28:37.688033104 CET	8.8.8.8	192.168.2.23	0x3988	No error (0)	srvy.vlrt-gap.com	185.196.8.105	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: zmap.sh4.elf PID: 6213, Parent PID: 6130

General

Start time (UTC):	12:27:44
Start date (UTC):	24/12/2024
Path:	/tmp/zmap.sh4.elf
Arguments:	/tmp/zmap.sh4.elf
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: zmap.sh4.elf PID: 6215, Parent PID: 6213

General

Start time (UTC):	12:27:44
Start date (UTC):	24/12/2024
Path:	/tmp/zmap.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: zmap.sh4.elf PID: 6217, Parent PID: 6215

General

Start time (UTC):	12:27:44
Start date (UTC):	24/12/2024
Path:	/tmp/zmap.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report zmap.sh4.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: zmap.sh4.elf PID: 6213, Parent PID: 6130

General

Chronological Activities

Analysis Process: zmap.sh4.elf PID: 6215, Parent PID: 6213

General

Chronological Activities

Analysis Process: zmap.sh4.elf PID: 6217, Parent PID: 6215

General

Chronological Activities

Linux Analysis Report
zmap.sh4.elf