Edit tour

Linux Analysis Report
Aqua.ppc.elf

Overview

General Information

Sample name:	Aqua.ppc.elf
Analysis ID:	1581823
MD5:	0083849141685a8acbf50993dc622a69
SHA1:	866ebdd42452e9c26d1c2b750442c91ea200402e
SHA256:	2b1f720187085bcc472fd3a22acb677e448e6eb52c134629c3ad238c53567a98
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Sample deletes itself

Detected TCP or UDP traffic on non-standard ports

Sample has stripped symbol table

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581823
Start date and time:	2024-12-29 02:52:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	Aqua.ppc.elf
Detection:	MAL
Classification:	mal60.evad.linELF@0/1@32/0

Runtime Messages

Command:	/tmp/Aqua.ppc.elf
PID:	6233
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	about to cum inside a femboy btw
Standard Error:

Process Tree

system is lnxubuntu20

Aqua.ppc.elf (PID: 6233, Parent: 6154, MD5: ae65271c943d3451b7f026d1fadccea6) Arguments: /tmp/Aqua.ppc.elf

Aqua.ppc.elf New Fork (PID: 6235, Parent: 6233)

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Aqua.ppc.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: Aqua.ppc.elf	ReversingLabs: Detection: 28%
Source: Aqua.ppc.elf	Virustotal: Detection: 31%			Perma Link

Source: global traffic

TCP traffic: 192.168.2.23:40832 -> 193.200.78.37:33966

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42

Source: global traffic

DNS traffic detected: DNS query: raw.intenseapi.com

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal60.evad.linELF@0/1@32/0

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/Aqua.ppc.elf (PID: 6235)

File: /tmp/Aqua.ppc.elf

Jump to behavior

Source: /tmp/Aqua.ppc.elf (PID: 6233)

Queries kernel information via 'uname':

Jump to behavior

Source: Aqua.ppc.elf, 6233.1.000055f353905000.000055f3539b5000.rw-.sdmp	Binary or memory string: !/etc/qemu-binfmt/ppc11!hotpluggableq
Source: Aqua.ppc.elf, 6233.1.00007fff92079000.00007fff9209a000.rw-.sdmp	Binary or memory string: *zox86_64/usr/bin/qemu-ppc/tmp/Aqua.ppc.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Aqua.ppc.elf
Source: Aqua.ppc.elf, 6233.1.000055f353905000.000055f3539b5000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/ppc
Source: Aqua.ppc.elf, 6233.1.00007fff92079000.00007fff9209a000.rw-.sdmp	Binary or memory string: /tmp/qemu-open.eniHEx
Source: Aqua.ppc.elf, 6233.1.00007fff92079000.00007fff9209a000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-ppc
Source: Aqua.ppc.elf, 6233.1.00007fff92079000.00007fff9209a000.rw-.sdmp	Binary or memory string: %s/qemu-op
Source: Aqua.ppc.elf, 6233.1.00007fff92079000.00007fff9209a000.rw-.sdmp	Binary or memory string: U/tmp/qemu-open.eniHEx\
Source: Aqua.ppc.elf, 6233.1.00007fff92079000.00007fff9209a000.rw-.sdmp	Binary or memory string: MPDIR%s/qemu-op

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 File Deletion	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Aqua.ppc.elf	29%	ReversingLabs	Linux.Backdoor.Mirai
Aqua.ppc.elf	31%	Virustotal		Browse
Aqua.ppc.elf	100%	Avira	EXP/ELF.Mirai.W

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
raw.intenseapi.com	193.200.78.37	true	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
193.200.78.37	raw.intenseapi.com	Switzerland	29496	LINK-SERVICE-ASUA	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.200.78.37	Aqua.mpsl.elf	Get hash	malicious	Unknown	Browse
	Aqua.sh4.elf	Get hash	malicious	Unknown	Browse
	Aqua.ppc.elf	Get hash	malicious	Unknown	Browse
	Aqua.arm5.elf	Get hash	malicious	Unknown	Browse
	Aqua.dbg.elf	Get hash	malicious	Unknown	Browse
	Aqua.arm5.elf	Get hash	malicious	Unknown	Browse
	Aqua.mips.elf	Get hash	malicious	Unknown	Browse
	Aqua.x86_64.elf	Get hash	malicious	Unknown	Browse
	Aqua.x86.elf	Get hash	malicious	Unknown	Browse
	Aqua.x86.elf	Get hash	malicious	Unknown	Browse
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43	db0fa4b8db0333367e9bda3ab68b8042.ppc.elf	Get hash	malicious	Unknown	Browse
	Aqua.mpsl.elf	Get hash	malicious	Unknown	Browse
	Aqua.ppc.elf	Get hash	malicious	Unknown	Browse
	Aqua.arm5.elf	Get hash	malicious	Unknown	Browse
	ppc.elf	Get hash	malicious	Unknown	Browse
	Aqua.arm6.elf	Get hash	malicious	Unknown	Browse
	Aqua.arm5.elf	Get hash	malicious	Unknown	Browse
	Aqua.mips.elf	Get hash	malicious	Unknown	Browse
	Aqua.x86.elf	Get hash	malicious	Unknown	Browse
	Aqua.x86.elf	Get hash	malicious	Unknown	Browse
91.189.91.42	db0fa4b8db0333367e9bda3ab68b8042.ppc.elf	Get hash	malicious	Unknown	Browse
	Aqua.mpsl.elf	Get hash	malicious	Unknown	Browse
	Aqua.ppc.elf	Get hash	malicious	Unknown	Browse
	Aqua.arm5.elf	Get hash	malicious	Unknown	Browse
	ppc.elf	Get hash	malicious	Unknown	Browse
	Aqua.arm6.elf	Get hash	malicious	Unknown	Browse
	Aqua.arm5.elf	Get hash	malicious	Unknown	Browse
	Aqua.mips.elf	Get hash	malicious	Unknown	Browse
	Aqua.x86.elf	Get hash	malicious	Unknown	Browse
	Aqua.x86.elf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
raw.intenseapi.com	Aqua.mpsl.elf	Get hash	malicious	Unknown	Browse	193.200.78.37
	Aqua.ppc.elf	Get hash	malicious	Unknown	Browse	193.200.78.37
	Aqua.dbg.elf	Get hash	malicious	Unknown	Browse	193.200.78.37
	Aqua.mips.elf	Get hash	malicious	Unknown	Browse	193.200.78.37
	Aqua.x86_64.elf	Get hash	malicious	Unknown	Browse	193.200.78.37

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	db0fa4b8db0333367e9bda3ab68b8042.ppc.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Aqua.mpsl.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Aqua.ppc.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Aqua.arm5.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	ppc.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Aqua.arm6.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Aqua.dbg.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	Aqua.arm5.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Aqua.mips.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Aqua.x86.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
CANONICAL-ASGB	db0fa4b8db0333367e9bda3ab68b8042.ppc.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Aqua.mpsl.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Aqua.ppc.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Aqua.arm5.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	ppc.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Aqua.arm6.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Aqua.dbg.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	Aqua.arm5.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Aqua.mips.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Aqua.x86.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
INIT7CH	db0fa4b8db0333367e9bda3ab68b8042.ppc.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	Aqua.mpsl.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	Aqua.ppc.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	Aqua.arm5.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	ppc.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	Aqua.arm6.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	Aqua.arm5.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	Aqua.mips.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	Aqua.x86.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	Aqua.x86.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
LINK-SERVICE-ASUA	Aqua.mpsl.elf	Get hash	malicious	Unknown	Browse	193.200.78.37
	Aqua.sh4.elf	Get hash	malicious	Unknown	Browse	193.200.78.37
	Aqua.ppc.elf	Get hash	malicious	Unknown	Browse	193.200.78.37
	Aqua.arm5.elf	Get hash	malicious	Unknown	Browse	193.200.78.37
	Aqua.dbg.elf	Get hash	malicious	Unknown	Browse	193.200.78.37
	Aqua.arm5.elf	Get hash	malicious	Unknown	Browse	193.200.78.37
	Aqua.mips.elf	Get hash	malicious	Unknown	Browse	193.200.78.37
	Aqua.x86_64.elf	Get hash	malicious	Unknown	Browse	193.200.78.37
	Aqua.x86.elf	Get hash	malicious	Unknown	Browse	193.200.78.37
	Aqua.x86.elf	Get hash	malicious	Unknown	Browse	193.200.78.37

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/tmp/qemu-open.eniHEx (deleted)

Download File

Process:	/tmp/Aqua.ppc.elf
File Type:	data
Category:	dropped
Size (bytes):	28
Entropy (8bit):	4.110577243331642
Encrypted:	false
SSDEEP:	3:TgqLs+HJN:TgcJN
MD5:	DE551D3C32F07A6668813E2D0A0AFD72
SHA1:	E2F9EA925C75F83104708519C2A345AF78C4B4D1
SHA-256:	7256A6F7ABA524B5BBDFAFA4A2FB9C3CCD32E08AEEBE909B07F610704AA00E3C
SHA-512:	C5E9560425A0C399B8F79496321D14B59A1755B2A5337EF9E17060C80C1A2227B5836C593D01F87D8A9F56BE85AAA9DA816FB4BA898A0531A6F6ECBD9F2F318C
Malicious:	false
Reputation:	low
Preview:	/tmp/Aqua.ppc.elf.nwlrbbmqbh

Static File Info

General

File type:	ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.241558953963658
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	Aqua.ppc.elf
File size:	51'744 bytes
MD5:	0083849141685a8acbf50993dc622a69
SHA1:	866ebdd42452e9c26d1c2b750442c91ea200402e
SHA256:	2b1f720187085bcc472fd3a22acb677e448e6eb52c134629c3ad238c53567a98
SHA512:	ef6c9282f8fdf65816eff2b3dc61123ca93a26c070c6113d6c6a591cd2131f24f403dd8a94785fc862e155707c68ebf66942aa7ed144c5b5b87bd3fa0e9728e4
SSDEEP:	768:fYB0Wc/pa5R+2RRNQSOjRgl2DAbcUTL9zZUHnZrCZU94uoFw+t2GIG5:FWKo5zgSiRgl2DAb9NzmHkZU9zt+EGt
TLSH:	AC334C02731C0A47D5A36AB42A3F17E0D3FFA99120E4FA84351E9B4A9671E3651C6FCD
File Content Preview:	.ELF...........................4...@.....4. ...(.......................@...@...............D...D...D......%p........dt.Q.............................!..\|......$H...H......$8!. \|...N.. .!..\|.......?..........@..../...@..\?......\.+../...A..$8...}).....\N..

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	PowerPC
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x100001f0
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	51264
Section Header Size:	40
Number of Section Headers:	12
Header String Table Index:	11

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x10000094	0x94	0x24	0x0	0x6	AX	4
.text	PROGBITS	0x100000b8	0xb8	0xb218	0x0	0x6	AX	4
.fini	PROGBITS	0x1000b2d0	0xb2d0	0x20	0x0	0x6	AX	4
.rodata	PROGBITS	0x1000b2f0	0xb2f0	0x1150	0x0	0x2	A	8
.ctors	PROGBITS	0x1001c444	0xc444	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x1001c44c	0xc44c	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x1001c458	0xc458	0x364	0x0	0x3	WA	8
.sdata	PROGBITS	0x1001c7bc	0xc7bc	0x38	0x0	0x3	WA	4
.sbss	NOBITS	0x1001c7f4	0xc7f4	0x4c	0x0	0x3	WA	4
.bss	NOBITS	0x1001c840	0xc7f4	0x2174	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0xc7f4	0x4b	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x10000000	0x10000000	0xc440	0xc440	6.2973	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0xc444	0x1001c444	0x1001c444	0x3b0	0x2570	3.3647	0x6	RW	0x10000	.ctors .dtors .data .sdata .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 29, 2024 02:52:52.381798983 CET	43928	443	192.168.2.23	91.189.91.42
Dec 29, 2024 02:52:53.022159100 CET	40832	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:52:53.141937017 CET	33966	40832	193.200.78.37	192.168.2.23
Dec 29, 2024 02:52:53.142095089 CET	40832	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:52:53.143248081 CET	40832	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:52:53.263242006 CET	33966	40832	193.200.78.37	192.168.2.23
Dec 29, 2024 02:52:53.263416052 CET	40832	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:52:53.382991076 CET	33966	40832	193.200.78.37	192.168.2.23
Dec 29, 2024 02:52:54.391369104 CET	33966	40832	193.200.78.37	192.168.2.23
Dec 29, 2024 02:52:54.391531944 CET	40832	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:52:54.391711950 CET	40832	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:52:55.112524986 CET	40834	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:52:55.232292891 CET	33966	40834	193.200.78.37	192.168.2.23
Dec 29, 2024 02:52:55.232451916 CET	40834	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:52:55.233377934 CET	40834	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:52:55.352952003 CET	33966	40834	193.200.78.37	192.168.2.23
Dec 29, 2024 02:52:55.353167057 CET	40834	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:52:55.472903013 CET	33966	40834	193.200.78.37	192.168.2.23
Dec 29, 2024 02:52:56.514369965 CET	33966	40834	193.200.78.37	192.168.2.23
Dec 29, 2024 02:52:56.514614105 CET	40834	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:52:56.514709949 CET	40834	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:52:57.234492064 CET	40836	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:52:57.962766886 CET	33966	40836	193.200.78.37	192.168.2.23
Dec 29, 2024 02:52:57.962949991 CET	40836	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:52:57.963903904 CET	40836	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:52:58.013029099 CET	42836	443	192.168.2.23	91.189.91.43
Dec 29, 2024 02:52:58.111517906 CET	33966	40836	193.200.78.37	192.168.2.23
Dec 29, 2024 02:52:58.111624956 CET	40836	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:52:58.231122971 CET	33966	40836	193.200.78.37	192.168.2.23
Dec 29, 2024 02:52:59.298832893 CET	33966	40836	193.200.78.37	192.168.2.23
Dec 29, 2024 02:52:59.299078941 CET	40836	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:52:59.299197912 CET	40836	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:52:59.548804045 CET	42516	80	192.168.2.23	109.202.202.202
Dec 29, 2024 02:52:59.570627928 CET	40838	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:52:59.690296888 CET	33966	40838	193.200.78.37	192.168.2.23
Dec 29, 2024 02:52:59.690412045 CET	40838	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:52:59.691504002 CET	40838	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:52:59.811142921 CET	33966	40838	193.200.78.37	192.168.2.23
Dec 29, 2024 02:52:59.811326981 CET	40838	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:52:59.930864096 CET	33966	40838	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:00.973933935 CET	33966	40838	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:00.974231005 CET	40838	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:00.974339962 CET	40838	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:01.245765924 CET	40840	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:01.365252018 CET	33966	40840	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:01.365458012 CET	40840	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:01.366374016 CET	40840	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:01.485860109 CET	33966	40840	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:01.486238003 CET	40840	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:01.606362104 CET	33966	40840	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:02.654614925 CET	33966	40840	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:02.654732943 CET	40840	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:02.654783964 CET	40840	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:03.147667885 CET	40842	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:03.267324924 CET	33966	40842	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:03.267715931 CET	40842	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:03.268908024 CET	40842	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:03.388400078 CET	33966	40842	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:03.388484001 CET	40842	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:03.508059978 CET	33966	40842	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:04.557312965 CET	33966	40842	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:04.557432890 CET	40842	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:04.557475090 CET	40842	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:04.816732883 CET	40844	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:04.936285973 CET	33966	40844	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:04.936383963 CET	40844	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:04.937458038 CET	40844	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:05.056899071 CET	33966	40844	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:05.056963921 CET	40844	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:05.176584005 CET	33966	40844	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:06.226738930 CET	33966	40844	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:06.227051973 CET	40844	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:06.227176905 CET	40844	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:06.498497009 CET	40846	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:06.618016958 CET	33966	40846	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:06.618156910 CET	40846	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:06.619318962 CET	40846	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:06.738776922 CET	33966	40846	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:06.739037991 CET	40846	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:06.858582973 CET	33966	40846	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:07.954205036 CET	33966	40846	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:07.954525948 CET	40846	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:07.954627991 CET	40846	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:08.226903915 CET	40848	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:08.346438885 CET	33966	40848	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:08.346533060 CET	40848	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:08.347697973 CET	40848	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:08.467225075 CET	33966	40848	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:08.467428923 CET	40848	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:08.586915970 CET	33966	40848	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:09.636240959 CET	33966	40848	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:09.636512041 CET	40848	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:09.636658907 CET	40848	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:09.907459974 CET	40850	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:10.026889086 CET	33966	40850	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:10.027106047 CET	40850	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:10.027889967 CET	40850	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:10.147275925 CET	33966	40850	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:10.147607088 CET	40850	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:10.267113924 CET	33966	40850	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:11.314470053 CET	33966	40850	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:11.314656973 CET	40850	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:11.314682961 CET	40850	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:11.584537029 CET	40852	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:11.704056978 CET	33966	40852	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:11.704160929 CET	40852	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:11.705190897 CET	40852	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:11.824615955 CET	33966	40852	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:11.824867010 CET	40852	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:11.944962025 CET	33966	40852	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:12.603010893 CET	43928	443	192.168.2.23	91.189.91.42
Dec 29, 2024 02:53:12.993614912 CET	33966	40852	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:12.993762970 CET	40852	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:12.993793011 CET	40852	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:13.265108109 CET	40854	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:13.384700060 CET	33966	40854	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:13.384884119 CET	40854	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:13.386179924 CET	40854	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:13.505593061 CET	33966	40854	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:13.505795956 CET	40854	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:13.625339031 CET	33966	40854	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:14.713537931 CET	33966	40854	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:14.713726044 CET	40854	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:14.713859081 CET	40854	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:14.985296011 CET	40856	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:15.104892969 CET	33966	40856	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:15.105180025 CET	40856	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:15.106712103 CET	40856	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:15.226372957 CET	33966	40856	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:15.226681948 CET	40856	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:15.346339941 CET	33966	40856	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:16.419295073 CET	33966	40856	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:16.419434071 CET	40856	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:16.419434071 CET	40856	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:16.923706055 CET	40858	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:17.043287992 CET	33966	40858	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:17.043402910 CET	40858	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:17.044115067 CET	40858	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:17.163646936 CET	33966	40858	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:17.163728952 CET	40858	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:17.283288956 CET	33966	40858	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:18.361552954 CET	33966	40858	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:18.361673117 CET	40858	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:18.361896038 CET	40858	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:18.665004969 CET	40860	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:18.784492970 CET	33966	40860	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:18.784584045 CET	40860	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:18.785723925 CET	40860	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:18.905143023 CET	33966	40860	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:18.905242920 CET	40860	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:19.024667025 CET	33966	40860	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:20.074567080 CET	33966	40860	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:20.074692965 CET	40860	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:20.074843884 CET	40860	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:20.334656954 CET	40862	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:20.454241991 CET	33966	40862	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:20.454401016 CET	40862	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:20.455883026 CET	40862	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:20.575321913 CET	33966	40862	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:20.575397968 CET	40862	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:53:20.694848061 CET	33966	40862	193.200.78.37	192.168.2.23
Dec 29, 2024 02:53:24.889352083 CET	42836	443	192.168.2.23	91.189.91.43
Dec 29, 2024 02:53:28.984781981 CET	42516	80	192.168.2.23	109.202.202.202
Dec 29, 2024 02:53:53.557331085 CET	43928	443	192.168.2.23	91.189.91.42
Dec 29, 2024 02:54:30.511996984 CET	40862	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:54:30.631733894 CET	33966	40862	193.200.78.37	192.168.2.23
Dec 29, 2024 02:54:30.923368931 CET	33966	40862	193.200.78.37	192.168.2.23
Dec 29, 2024 02:54:30.923496008 CET	40862	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:54:40.926763058 CET	40862	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:54:41.294702053 CET	40862	33966	192.168.2.23	193.200.78.37
Dec 29, 2024 02:54:41.524702072 CET	33966	40862	193.200.78.37	192.168.2.23
Dec 29, 2024 02:54:41.524713993 CET	33966	40862	193.200.78.37	192.168.2.23
Dec 29, 2024 02:54:41.816204071 CET	33966	40862	193.200.78.37	192.168.2.23
Dec 29, 2024 02:54:41.816289902 CET	40862	33966	192.168.2.23	193.200.78.37

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 29, 2024 02:52:52.300422907 CET	55168	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:52:52.659781933 CET	53	55168	8.8.8.8	192.168.2.23
Dec 29, 2024 02:52:52.661364079 CET	37251	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:52:53.021179914 CET	53	37251	8.8.8.8	192.168.2.23
Dec 29, 2024 02:52:54.392606020 CET	57021	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:52:54.751882076 CET	53	57021	8.8.8.8	192.168.2.23
Dec 29, 2024 02:52:54.753026009 CET	59799	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:52:55.111803055 CET	53	59799	8.8.8.8	192.168.2.23
Dec 29, 2024 02:52:56.515604019 CET	41353	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:52:56.875967026 CET	53	41353	8.8.8.8	192.168.2.23
Dec 29, 2024 02:52:56.877023935 CET	44914	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:52:57.233701944 CET	53	44914	8.8.8.8	192.168.2.23
Dec 29, 2024 02:52:59.300599098 CET	49835	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:52:59.434937000 CET	53	49835	8.8.8.8	192.168.2.23
Dec 29, 2024 02:52:59.436201096 CET	60914	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:52:59.570038080 CET	53	60914	8.8.8.8	192.168.2.23
Dec 29, 2024 02:53:00.975502968 CET	41603	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:53:01.109513044 CET	53	41603	8.8.8.8	192.168.2.23
Dec 29, 2024 02:53:01.110702038 CET	55262	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:53:01.244913101 CET	53	55262	8.8.8.8	192.168.2.23
Dec 29, 2024 02:53:02.656073093 CET	47426	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:53:03.011554956 CET	53	47426	8.8.8.8	192.168.2.23
Dec 29, 2024 02:53:03.012789011 CET	44539	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:53:03.146997929 CET	53	44539	8.8.8.8	192.168.2.23
Dec 29, 2024 02:53:04.558660984 CET	47452	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:53:04.692538977 CET	53	47452	8.8.8.8	192.168.2.23
Dec 29, 2024 02:53:04.693850994 CET	57287	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:53:04.816132069 CET	53	57287	8.8.8.8	192.168.2.23
Dec 29, 2024 02:53:06.228375912 CET	60623	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:53:06.362550020 CET	53	60623	8.8.8.8	192.168.2.23
Dec 29, 2024 02:53:06.363815069 CET	35222	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:53:06.497428894 CET	53	35222	8.8.8.8	192.168.2.23
Dec 29, 2024 02:53:07.955794096 CET	39250	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:53:08.090015888 CET	53	39250	8.8.8.8	192.168.2.23
Dec 29, 2024 02:53:08.091723919 CET	53007	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:53:08.225898981 CET	53	53007	8.8.8.8	192.168.2.23
Dec 29, 2024 02:53:09.637763023 CET	51400	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:53:09.771303892 CET	53	51400	8.8.8.8	192.168.2.23
Dec 29, 2024 02:53:09.772584915 CET	35233	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:53:09.906785965 CET	53	35233	8.8.8.8	192.168.2.23
Dec 29, 2024 02:53:11.315938950 CET	46099	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:53:11.449209929 CET	53	46099	8.8.8.8	192.168.2.23
Dec 29, 2024 02:53:11.450284004 CET	37220	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:53:11.584038973 CET	53	37220	8.8.8.8	192.168.2.23
Dec 29, 2024 02:53:12.994807959 CET	49744	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:53:13.128339052 CET	53	49744	8.8.8.8	192.168.2.23
Dec 29, 2024 02:53:13.129707098 CET	36610	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:53:13.264017105 CET	53	36610	8.8.8.8	192.168.2.23
Dec 29, 2024 02:53:14.715212107 CET	40546	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:53:14.848992109 CET	53	40546	8.8.8.8	192.168.2.23
Dec 29, 2024 02:53:14.850636959 CET	33128	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:53:14.984373093 CET	53	33128	8.8.8.8	192.168.2.23
Dec 29, 2024 02:53:16.420676947 CET	39240	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:53:16.799792051 CET	53	39240	8.8.8.8	192.168.2.23
Dec 29, 2024 02:53:16.800791979 CET	41397	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:53:16.923067093 CET	53	41397	8.8.8.8	192.168.2.23
Dec 29, 2024 02:53:18.363014936 CET	59328	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:53:18.529624939 CET	53	59328	8.8.8.8	192.168.2.23
Dec 29, 2024 02:53:18.530917883 CET	53907	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:53:18.664402008 CET	53	53907	8.8.8.8	192.168.2.23
Dec 29, 2024 02:53:20.075948954 CET	53056	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:53:20.198235035 CET	53	53056	8.8.8.8	192.168.2.23
Dec 29, 2024 02:53:20.199505091 CET	44330	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:53:20.333808899 CET	53	44330	8.8.8.8	192.168.2.23

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 29, 2024 02:52:52.300422907 CET	192.168.2.23	8.8.8.8	0x38fd	Standard query (0)	raw.intenseapi.com	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:52:52.661364079 CET	192.168.2.23	8.8.8.8	0xd44f	Standard query (0)	raw.intenseapi.com	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:52:54.392606020 CET	192.168.2.23	8.8.8.8	0x2a9a	Standard query (0)	raw.intenseapi.com	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:52:54.753026009 CET	192.168.2.23	8.8.8.8	0xd89a	Standard query (0)	raw.intenseapi.com	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:52:56.515604019 CET	192.168.2.23	8.8.8.8	0x18db	Standard query (0)	raw.intenseapi.com	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:52:56.877023935 CET	192.168.2.23	8.8.8.8	0xbbd4	Standard query (0)	raw.intenseapi.com	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:52:59.300599098 CET	192.168.2.23	8.8.8.8	0x4faf	Standard query (0)	raw.intenseapi.com	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:52:59.436201096 CET	192.168.2.23	8.8.8.8	0x7201	Standard query (0)	raw.intenseapi.com	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:00.975502968 CET	192.168.2.23	8.8.8.8	0x694e	Standard query (0)	raw.intenseapi.com	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:01.110702038 CET	192.168.2.23	8.8.8.8	0x5b97	Standard query (0)	raw.intenseapi.com	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:02.656073093 CET	192.168.2.23	8.8.8.8	0x1e37	Standard query (0)	raw.intenseapi.com	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:03.012789011 CET	192.168.2.23	8.8.8.8	0xcd5	Standard query (0)	raw.intenseapi.com	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:04.558660984 CET	192.168.2.23	8.8.8.8	0x1292	Standard query (0)	raw.intenseapi.com	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:04.693850994 CET	192.168.2.23	8.8.8.8	0x3426	Standard query (0)	raw.intenseapi.com	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:06.228375912 CET	192.168.2.23	8.8.8.8	0x9066	Standard query (0)	raw.intenseapi.com	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:06.363815069 CET	192.168.2.23	8.8.8.8	0x377e	Standard query (0)	raw.intenseapi.com	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:07.955794096 CET	192.168.2.23	8.8.8.8	0xba34	Standard query (0)	raw.intenseapi.com	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:08.091723919 CET	192.168.2.23	8.8.8.8	0xb1f4	Standard query (0)	raw.intenseapi.com	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:09.637763023 CET	192.168.2.23	8.8.8.8	0xb067	Standard query (0)	raw.intenseapi.com	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:09.772584915 CET	192.168.2.23	8.8.8.8	0x2870	Standard query (0)	raw.intenseapi.com	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:11.315938950 CET	192.168.2.23	8.8.8.8	0xb75f	Standard query (0)	raw.intenseapi.com	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:11.450284004 CET	192.168.2.23	8.8.8.8	0x38ff	Standard query (0)	raw.intenseapi.com	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:12.994807959 CET	192.168.2.23	8.8.8.8	0xc019	Standard query (0)	raw.intenseapi.com	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:13.129707098 CET	192.168.2.23	8.8.8.8	0x9eaa	Standard query (0)	raw.intenseapi.com	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:14.715212107 CET	192.168.2.23	8.8.8.8	0xc588	Standard query (0)	raw.intenseapi.com	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:14.850636959 CET	192.168.2.23	8.8.8.8	0x2b4e	Standard query (0)	raw.intenseapi.com	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:16.420676947 CET	192.168.2.23	8.8.8.8	0xdd2b	Standard query (0)	raw.intenseapi.com	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:16.800791979 CET	192.168.2.23	8.8.8.8	0xb8cb	Standard query (0)	raw.intenseapi.com	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:18.363014936 CET	192.168.2.23	8.8.8.8	0x1e49	Standard query (0)	raw.intenseapi.com	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:18.530917883 CET	192.168.2.23	8.8.8.8	0x14dc	Standard query (0)	raw.intenseapi.com	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:20.075948954 CET	192.168.2.23	8.8.8.8	0xedac	Standard query (0)	raw.intenseapi.com	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:20.199505091 CET	192.168.2.23	8.8.8.8	0x5157	Standard query (0)	raw.intenseapi.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 29, 2024 02:52:52.659781933 CET	8.8.8.8	192.168.2.23	0x38fd	No error (0)	raw.intenseapi.com	193.200.78.37	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:52:53.021179914 CET	8.8.8.8	192.168.2.23	0xd44f	No error (0)	raw.intenseapi.com	193.200.78.37	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:52:54.751882076 CET	8.8.8.8	192.168.2.23	0x2a9a	No error (0)	raw.intenseapi.com	193.200.78.37	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:52:55.111803055 CET	8.8.8.8	192.168.2.23	0xd89a	No error (0)	raw.intenseapi.com	193.200.78.37	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:52:56.875967026 CET	8.8.8.8	192.168.2.23	0x18db	No error (0)	raw.intenseapi.com	193.200.78.37	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:52:57.233701944 CET	8.8.8.8	192.168.2.23	0xbbd4	No error (0)	raw.intenseapi.com	193.200.78.37	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:52:59.434937000 CET	8.8.8.8	192.168.2.23	0x4faf	No error (0)	raw.intenseapi.com	193.200.78.37	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:52:59.570038080 CET	8.8.8.8	192.168.2.23	0x7201	No error (0)	raw.intenseapi.com	193.200.78.37	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:01.109513044 CET	8.8.8.8	192.168.2.23	0x694e	No error (0)	raw.intenseapi.com	193.200.78.37	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:01.244913101 CET	8.8.8.8	192.168.2.23	0x5b97	No error (0)	raw.intenseapi.com	193.200.78.37	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:03.011554956 CET	8.8.8.8	192.168.2.23	0x1e37	No error (0)	raw.intenseapi.com	193.200.78.37	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:03.146997929 CET	8.8.8.8	192.168.2.23	0xcd5	No error (0)	raw.intenseapi.com	193.200.78.37	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:04.692538977 CET	8.8.8.8	192.168.2.23	0x1292	No error (0)	raw.intenseapi.com	193.200.78.37	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:04.816132069 CET	8.8.8.8	192.168.2.23	0x3426	No error (0)	raw.intenseapi.com	193.200.78.37	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:06.362550020 CET	8.8.8.8	192.168.2.23	0x9066	No error (0)	raw.intenseapi.com	193.200.78.37	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:06.497428894 CET	8.8.8.8	192.168.2.23	0x377e	No error (0)	raw.intenseapi.com	193.200.78.37	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:08.090015888 CET	8.8.8.8	192.168.2.23	0xba34	No error (0)	raw.intenseapi.com	193.200.78.37	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:08.225898981 CET	8.8.8.8	192.168.2.23	0xb1f4	No error (0)	raw.intenseapi.com	193.200.78.37	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:09.771303892 CET	8.8.8.8	192.168.2.23	0xb067	No error (0)	raw.intenseapi.com	193.200.78.37	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:09.906785965 CET	8.8.8.8	192.168.2.23	0x2870	No error (0)	raw.intenseapi.com	193.200.78.37	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:11.449209929 CET	8.8.8.8	192.168.2.23	0xb75f	No error (0)	raw.intenseapi.com	193.200.78.37	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:11.584038973 CET	8.8.8.8	192.168.2.23	0x38ff	No error (0)	raw.intenseapi.com	193.200.78.37	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:13.128339052 CET	8.8.8.8	192.168.2.23	0xc019	No error (0)	raw.intenseapi.com	193.200.78.37	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:13.264017105 CET	8.8.8.8	192.168.2.23	0x9eaa	No error (0)	raw.intenseapi.com	193.200.78.37	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:14.848992109 CET	8.8.8.8	192.168.2.23	0xc588	No error (0)	raw.intenseapi.com	193.200.78.37	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:14.984373093 CET	8.8.8.8	192.168.2.23	0x2b4e	No error (0)	raw.intenseapi.com	193.200.78.37	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:16.799792051 CET	8.8.8.8	192.168.2.23	0xdd2b	No error (0)	raw.intenseapi.com	193.200.78.37	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:16.923067093 CET	8.8.8.8	192.168.2.23	0xb8cb	No error (0)	raw.intenseapi.com	193.200.78.37	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:18.529624939 CET	8.8.8.8	192.168.2.23	0x1e49	No error (0)	raw.intenseapi.com	193.200.78.37	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:18.664402008 CET	8.8.8.8	192.168.2.23	0x14dc	No error (0)	raw.intenseapi.com	193.200.78.37	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:20.198235035 CET	8.8.8.8	192.168.2.23	0xedac	No error (0)	raw.intenseapi.com	193.200.78.37	A (IP address)	IN (0x0001)	false
Dec 29, 2024 02:53:20.333808899 CET	8.8.8.8	192.168.2.23	0x5157	No error (0)	raw.intenseapi.com	193.200.78.37	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: Aqua.ppc.elf PID: 6233, Parent PID: 6154

General

Start time (UTC):	01:52:51
Start date (UTC):	29/12/2024
Path:	/tmp/Aqua.ppc.elf
Arguments:	/tmp/Aqua.ppc.elf
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Chronological Activities

Analysis Process: Aqua.ppc.elf PID: 6235, Parent PID: 6233

General

Start time (UTC):	01:52:51
Start date (UTC):	29/12/2024
Path:	/tmp/Aqua.ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report Aqua.ppc.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/tmp/qemu-open.eniHEx (deleted)

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: Aqua.ppc.elf PID: 6233, Parent PID: 6154

General

Chronological Activities

Analysis Process: Aqua.ppc.elf PID: 6235, Parent PID: 6233

General

Chronological Activities

Linux Analysis Report
Aqua.ppc.elf