Edit tour

Linux Analysis Report
I686.elf

Overview

General Information

Sample name:	I686.elf
Analysis ID:	1583579
MD5:	66a01f0510ebc9589dcbff7b42c1573c
SHA1:	26d0b67a509aacae15c18375e11d5a9d889d379c
SHA256:	88a5ec4709e75598c567094063013148a1e1ae8b3cefcffe096f7b0a574573e2
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Machine Learning detection for sample

Opens /proc/net/* files useful for finding connected devices and routers

Detected TCP or UDP traffic on non-standard ports

ELF contains segments with high entropy indicating compressed/encrypted content

Executes the "rm" command used to delete files or directories

Sample contains only a LOAD segment without any section mappings

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583579
Start date and time:	2025-01-03 05:07:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	I686.elf
Detection:	MAL
Classification:	mal72.spre.linELF@0/0@0/0

Runtime Messages

Command:	/tmp/I686.elf
PID:	6271
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Cia Qbot Has Infected This Device ;)
Standard Error:

Process Tree

system is lnxubuntu20

dash New Fork (PID: 6242, Parent: 4331)

rm (PID: 6242, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.TF6lRJD3T3 /tmp/tmp.FI8uK2IPOd /tmp/tmp.zd2U4tPRSm

dash New Fork (PID: 6243, Parent: 4331)

rm (PID: 6243, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.TF6lRJD3T3 /tmp/tmp.FI8uK2IPOd /tmp/tmp.zd2U4tPRSm

I686.elf (PID: 6271, Parent: 6171, MD5: 66a01f0510ebc9589dcbff7b42c1573c) Arguments: /tmp/I686.elf

I686.elf New Fork (PID: 6272, Parent: 6271)

I686.elf New Fork (PID: 6273, Parent: 6271)

I686.elf New Fork (PID: 6274, Parent: 6273)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
I686.elf	Linux_Trojan_Mirai_ec591e81	unknown	unknown	0x6d07:$a: 22 01 00 00 0E 00 00 00 18 03 00 7F E9 38 32 C9 4D 04 9A 3C

Memory Dumps

Source	Rule	Description	Author	Strings
6273.1.0000000008048000.0000000008057000.r-x.sdmp	Linux_Trojan_Gafgyt_83715433	unknown	unknown	0x12f7:$a: 8B 45 08 88 10 FF 45 08 8B 45 08 0F B6 00 84 C0 75 DB C9 C3 55
6273.1.0000000008048000.0000000008057000.r-x.sdmp	Linux_Trojan_Gafgyt_6122acdf	unknown	unknown	0x538:$a: E8 B0 00 FC 8B 7D E8 F2 AE 89 C8 F7 D0 48 48 89 45 F8 EB 03 FF
6273.1.0000000008048000.0000000008057000.r-x.sdmp	Linux_Trojan_Gafgyt_f51c5ac3	unknown	unknown	0x11ce:$a: 74 2A 8B 45 0C 0F B6 00 84 C0 74 17 8B 45 0C 40 89 44 24 04 8B
6273.1.0000000008048000.0000000008057000.r-x.sdmp	Linux_Trojan_Gafgyt_27de1106	unknown	unknown	0x120e:$a: 0C 0F B6 00 84 C0 74 18 8B 45 0C 40 8B 55 08 42 89 44 24 04 89
6273.1.0000000008048000.0000000008057000.r-x.sdmp	Linux_Trojan_Gafgyt_1b2e2a3a	unknown	unknown	0x92a:$a: 83 7D 18 00 74 25 8B 45 1C 83 E0 02 85 C0 74 1B C7 44 24 04 2D 00
6273.1.0000000008048000.0000000008057000.r-x.sdmp	Linux_Trojan_Gafgyt_9127f7be	unknown	unknown	0x133a:$a: E4 F7 E1 89 D0 C1 E8 03 89 45 E8 8B 45 E8 01 C0 03 45 E8 C1
6272.1.0000000008048000.0000000008057000.r-x.sdmp	Linux_Trojan_Gafgyt_83715433	unknown	unknown	0x12f7:$a: 8B 45 08 88 10 FF 45 08 8B 45 08 0F B6 00 84 C0 75 DB C9 C3 55
6272.1.0000000008048000.0000000008057000.r-x.sdmp	Linux_Trojan_Gafgyt_6122acdf	unknown	unknown	0x538:$a: E8 B0 00 FC 8B 7D E8 F2 AE 89 C8 F7 D0 48 48 89 45 F8 EB 03 FF
6272.1.0000000008048000.0000000008057000.r-x.sdmp	Linux_Trojan_Gafgyt_f51c5ac3	unknown	unknown	0x11ce:$a: 74 2A 8B 45 0C 0F B6 00 84 C0 74 17 8B 45 0C 40 89 44 24 04 8B
6272.1.0000000008048000.0000000008057000.r-x.sdmp	Linux_Trojan_Gafgyt_27de1106	unknown	unknown	0x120e:$a: 0C 0F B6 00 84 C0 74 18 8B 45 0C 40 8B 55 08 42 89 44 24 04 89
6272.1.0000000008048000.0000000008057000.r-x.sdmp	Linux_Trojan_Gafgyt_1b2e2a3a	unknown	unknown	0x92a:$a: 83 7D 18 00 74 25 8B 45 1C 83 E0 02 85 C0 74 1B C7 44 24 04 2D 00
6272.1.0000000008048000.0000000008057000.r-x.sdmp	Linux_Trojan_Gafgyt_9127f7be	unknown	unknown	0x133a:$a: E4 F7 E1 89 D0 C1 E8 03 89 45 E8 8B 45 E8 01 C0 03 45 E8 C1
6271.1.0000000008048000.0000000008057000.r-x.sdmp	Linux_Trojan_Gafgyt_83715433	unknown	unknown	0x12f7:$a: 8B 45 08 88 10 FF 45 08 8B 45 08 0F B6 00 84 C0 75 DB C9 C3 55
6271.1.0000000008048000.0000000008057000.r-x.sdmp	Linux_Trojan_Gafgyt_6122acdf	unknown	unknown	0x538:$a: E8 B0 00 FC 8B 7D E8 F2 AE 89 C8 F7 D0 48 48 89 45 F8 EB 03 FF
6271.1.0000000008048000.0000000008057000.r-x.sdmp	Linux_Trojan_Gafgyt_f51c5ac3	unknown	unknown	0x11ce:$a: 74 2A 8B 45 0C 0F B6 00 84 C0 74 17 8B 45 0C 40 89 44 24 04 8B
6271.1.0000000008048000.0000000008057000.r-x.sdmp	Linux_Trojan_Gafgyt_27de1106	unknown	unknown	0x120e:$a: 0C 0F B6 00 84 C0 74 18 8B 45 0C 40 8B 55 08 42 89 44 24 04 89
6271.1.0000000008048000.0000000008057000.r-x.sdmp	Linux_Trojan_Gafgyt_1b2e2a3a	unknown	unknown	0x92a:$a: 83 7D 18 00 74 25 8B 45 1C 83 E0 02 85 C0 74 1B C7 44 24 04 2D 00
6271.1.0000000008048000.0000000008057000.r-x.sdmp	Linux_Trojan_Gafgyt_9127f7be	unknown	unknown	0x133a:$a: E4 F7 E1 89 D0 C1 E8 03 89 45 E8 8B 45 E8 01 C0 03 45 E8 C1
Click to see the 13 entries

Suricata Signatures

ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T05:07:49.462375+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45568	216.9.227.143	9168	TCP
2025-01-03T05:07:51.112792+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45570	216.9.227.143	9168	TCP
2025-01-03T05:07:51.736842+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45572	216.9.227.143	9168	TCP
2025-01-03T05:07:52.375475+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45574	216.9.227.143	9168	TCP
2025-01-03T05:07:53.004865+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45576	216.9.227.143	9168	TCP
2025-01-03T05:07:53.625821+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45578	216.9.227.143	9168	TCP
2025-01-03T05:07:54.247570+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45580	216.9.227.143	9168	TCP
2025-01-03T05:07:54.880420+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45582	216.9.227.143	9168	TCP
2025-01-03T05:07:55.536110+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45584	216.9.227.143	9168	TCP
2025-01-03T05:07:56.184183+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45586	216.9.227.143	9168	TCP
2025-01-03T05:07:56.826350+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45588	216.9.227.143	9168	TCP
2025-01-03T05:07:57.453372+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45590	216.9.227.143	9168	TCP
2025-01-03T05:07:58.069464+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45592	216.9.227.143	9168	TCP
2025-01-03T05:07:58.693966+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45594	216.9.227.143	9168	TCP
2025-01-03T05:07:59.306084+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45596	216.9.227.143	9168	TCP
2025-01-03T05:07:59.944289+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45598	216.9.227.143	9168	TCP
2025-01-03T05:08:00.575103+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45600	216.9.227.143	9168	TCP
2025-01-03T05:08:01.205243+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45602	216.9.227.143	9168	TCP
2025-01-03T05:08:01.830266+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45604	216.9.227.143	9168	TCP
2025-01-03T05:08:02.461853+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45606	216.9.227.143	9168	TCP
2025-01-03T05:08:03.087875+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45608	216.9.227.143	9168	TCP
2025-01-03T05:08:03.706657+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45610	216.9.227.143	9168	TCP
2025-01-03T05:08:04.355369+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45612	216.9.227.143	9168	TCP
2025-01-03T05:08:04.975381+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45614	216.9.227.143	9168	TCP
2025-01-03T05:08:05.624586+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45616	216.9.227.143	9168	TCP
2025-01-03T05:08:06.284679+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45618	216.9.227.143	9168	TCP
2025-01-03T05:08:06.920760+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45620	216.9.227.143	9168	TCP
2025-01-03T05:08:07.542325+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45622	216.9.227.143	9168	TCP
2025-01-03T05:08:08.164240+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45624	216.9.227.143	9168	TCP
2025-01-03T05:08:08.784896+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45626	216.9.227.143	9168	TCP
2025-01-03T05:08:09.406317+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45628	216.9.227.143	9168	TCP
2025-01-03T05:08:10.030457+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45630	216.9.227.143	9168	TCP
2025-01-03T05:08:10.650709+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45632	216.9.227.143	9168	TCP
2025-01-03T05:08:11.273695+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45634	216.9.227.143	9168	TCP
2025-01-03T05:08:11.914389+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45636	216.9.227.143	9168	TCP
2025-01-03T05:08:12.539577+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45638	216.9.227.143	9168	TCP
2025-01-03T05:08:13.165193+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45640	216.9.227.143	9168	TCP
2025-01-03T05:08:13.792015+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45642	216.9.227.143	9168	TCP
2025-01-03T05:08:14.420926+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45644	216.9.227.143	9168	TCP
2025-01-03T05:08:15.063967+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45646	216.9.227.143	9168	TCP
2025-01-03T05:08:15.703621+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45648	216.9.227.143	9168	TCP
2025-01-03T05:08:16.318380+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45650	216.9.227.143	9168	TCP
2025-01-03T05:08:16.945976+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45652	216.9.227.143	9168	TCP
2025-01-03T05:08:17.591671+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45654	216.9.227.143	9168	TCP
2025-01-03T05:08:18.232922+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45656	216.9.227.143	9168	TCP
2025-01-03T05:08:18.870067+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45658	216.9.227.143	9168	TCP
2025-01-03T05:08:19.512517+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45660	216.9.227.143	9168	TCP
2025-01-03T05:08:20.128219+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45662	216.9.227.143	9168	TCP
2025-01-03T05:08:20.752331+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45664	216.9.227.143	9168	TCP
2025-01-03T05:08:21.395689+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45666	216.9.227.143	9168	TCP
2025-01-03T05:08:22.031778+0100	2839491	1	Malware Command and Control Activity Detected	192.168.2.23	45668	216.9.227.143	9168	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: I686.elf

ReversingLabs: Detection: 23%

Machine Learning detection for sample

Source: I686.elf

Joe Sandbox ML: detected

Spreading

Opens /proc/net/* files useful for finding connected devices and routers

Source: /tmp/I686.elf (PID: 6271)

Opens: /proc/net/route

Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45576 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45596 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45586 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45578 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45642 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45588 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45612 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45626 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45616 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45640 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45598 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45654 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45594 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45582 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45668 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45570 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45590 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45604 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45574 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45608 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45624 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45614 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45568 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45630 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45634 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45628 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45600 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45602 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45632 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45584 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45622 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45664 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45652 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45580 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45606 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45650 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45656 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45618 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45592 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45666 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45644 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45648 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45636 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45638 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45662 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45572 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45610 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45620 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45658 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45646 -> 216.9.227.143:9168
Source: Network traffic	Suricata IDS: 2839491 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2 : 192.168.2.23:45660 -> 216.9.227.143:9168

Source: global traffic

TCP traffic: 192.168.2.23:45568 -> 216.9.227.143:9168

Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.227.143

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 33606
Source: unknown	Network traffic detected: HTTP traffic on port 33606 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: I686.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_ec591e81 Author: unknown
Source: 6273.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_83715433 Author: unknown
Source: 6273.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_6122acdf Author: unknown
Source: 6273.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_f51c5ac3 Author: unknown
Source: 6273.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_27de1106 Author: unknown
Source: 6273.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_1b2e2a3a Author: unknown
Source: 6273.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9127f7be Author: unknown
Source: 6272.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_83715433 Author: unknown
Source: 6272.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_6122acdf Author: unknown
Source: 6272.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_f51c5ac3 Author: unknown
Source: 6272.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_27de1106 Author: unknown
Source: 6272.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_1b2e2a3a Author: unknown
Source: 6272.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9127f7be Author: unknown
Source: 6271.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_83715433 Author: unknown
Source: 6271.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_6122acdf Author: unknown
Source: 6271.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_f51c5ac3 Author: unknown
Source: 6271.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_27de1106 Author: unknown
Source: 6271.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_1b2e2a3a Author: unknown
Source: 6271.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9127f7be Author: unknown

Source: LOAD without section mappings

Program segment: 0x8048000

Source: I686.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_ec591e81 reference_sample = 7d45a4a128c25f317020b5d042ab893e9875b6ff0ef17482b984f5b3fe87e451, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = fe3d305202ca5376be7103d0b40f746fc26f8e442f8337a1e7c6d658b00fc4aa, id = ec591e81-8594-4317-89b0-0fb4d43e14c1, last_modified = 2021-09-16
Source: 6273.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_83715433 reference_sample = 3648a407224634d76e82eceec84250a7506720a7f43a6ccf5873f478408fedba, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 25ac15f4b903d9e28653dad0db399ebd20d4e9baabf5078fbc33d3cd838dd7e9, id = 83715433-3dff-4238-8cdb-c51279565e05, last_modified = 2021-09-16
Source: 6273.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_6122acdf os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 283275705c729be23d7dc75056388ecae00390bd25ee7b66b0cfc9b85feee212, id = 6122acdf-1eef-45ea-83ea-699d21c2dc20, last_modified = 2021-09-16
Source: 6273.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_f51c5ac3 reference_sample = 899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 34f254afdf94b1eb29bae4eb8e3864ea49e918a5dbe6e4c9d06a4292c104a792, id = f51c5ac3-ade9-4d01-b578-3473a2b116db, last_modified = 2021-09-16
Source: 6273.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_27de1106 reference_sample = 899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9a747f0fc7ccc55f24f2654344484f643103da709270a45de4c1174d8e4101cc, id = 27de1106-497d-40a0-8fc4-929f7a927628, last_modified = 2021-09-16
Source: 6273.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_1b2e2a3a reference_sample = 899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 6f24b67d0a6a4fc4e1cfea5a5414b82af1332a3e6074eb2178aee6b27702b407, id = 1b2e2a3a-1302-41c7-be99-43edb5563294, last_modified = 2021-09-16
Source: 6273.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9127f7be reference_sample = 899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 72c742cb8b11ddf030e10f67e13c0392748dcd970394ec77ace3d2baa705a375, id = 9127f7be-6e82-46a1-9f11-0b3570b0cd76, last_modified = 2021-09-16
Source: 6272.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_83715433 reference_sample = 3648a407224634d76e82eceec84250a7506720a7f43a6ccf5873f478408fedba, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 25ac15f4b903d9e28653dad0db399ebd20d4e9baabf5078fbc33d3cd838dd7e9, id = 83715433-3dff-4238-8cdb-c51279565e05, last_modified = 2021-09-16
Source: 6272.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_6122acdf os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 283275705c729be23d7dc75056388ecae00390bd25ee7b66b0cfc9b85feee212, id = 6122acdf-1eef-45ea-83ea-699d21c2dc20, last_modified = 2021-09-16
Source: 6272.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_f51c5ac3 reference_sample = 899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 34f254afdf94b1eb29bae4eb8e3864ea49e918a5dbe6e4c9d06a4292c104a792, id = f51c5ac3-ade9-4d01-b578-3473a2b116db, last_modified = 2021-09-16
Source: 6272.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_27de1106 reference_sample = 899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9a747f0fc7ccc55f24f2654344484f643103da709270a45de4c1174d8e4101cc, id = 27de1106-497d-40a0-8fc4-929f7a927628, last_modified = 2021-09-16
Source: 6272.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_1b2e2a3a reference_sample = 899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 6f24b67d0a6a4fc4e1cfea5a5414b82af1332a3e6074eb2178aee6b27702b407, id = 1b2e2a3a-1302-41c7-be99-43edb5563294, last_modified = 2021-09-16
Source: 6272.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9127f7be reference_sample = 899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 72c742cb8b11ddf030e10f67e13c0392748dcd970394ec77ace3d2baa705a375, id = 9127f7be-6e82-46a1-9f11-0b3570b0cd76, last_modified = 2021-09-16
Source: 6271.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_83715433 reference_sample = 3648a407224634d76e82eceec84250a7506720a7f43a6ccf5873f478408fedba, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 25ac15f4b903d9e28653dad0db399ebd20d4e9baabf5078fbc33d3cd838dd7e9, id = 83715433-3dff-4238-8cdb-c51279565e05, last_modified = 2021-09-16
Source: 6271.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_6122acdf os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 283275705c729be23d7dc75056388ecae00390bd25ee7b66b0cfc9b85feee212, id = 6122acdf-1eef-45ea-83ea-699d21c2dc20, last_modified = 2021-09-16
Source: 6271.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_f51c5ac3 reference_sample = 899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 34f254afdf94b1eb29bae4eb8e3864ea49e918a5dbe6e4c9d06a4292c104a792, id = f51c5ac3-ade9-4d01-b578-3473a2b116db, last_modified = 2021-09-16
Source: 6271.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_27de1106 reference_sample = 899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9a747f0fc7ccc55f24f2654344484f643103da709270a45de4c1174d8e4101cc, id = 27de1106-497d-40a0-8fc4-929f7a927628, last_modified = 2021-09-16
Source: 6271.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_1b2e2a3a reference_sample = 899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 6f24b67d0a6a4fc4e1cfea5a5414b82af1332a3e6074eb2178aee6b27702b407, id = 1b2e2a3a-1302-41c7-be99-43edb5563294, last_modified = 2021-09-16
Source: 6271.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9127f7be reference_sample = 899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 72c742cb8b11ddf030e10f67e13c0392748dcd970394ec77ace3d2baa705a375, id = 9127f7be-6e82-46a1-9f11-0b3570b0cd76, last_modified = 2021-09-16

Source: classification engine

Classification label: mal72.spre.linELF@0/0@0/0

Source: /usr/bin/dash (PID: 6242)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.TF6lRJD3T3 /tmp/tmp.FI8uK2IPOd /tmp/tmp.zd2U4tPRSm			Jump to behavior
Source: /usr/bin/dash (PID: 6243)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.TF6lRJD3T3 /tmp/tmp.FI8uK2IPOd /tmp/tmp.zd2U4tPRSm			Jump to behavior

Source: I686.elf

Submission file: segment LOAD with 7.9542 entropy (max. 8.0)

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Obfuscated Files or Information	OS Credential Dumping	1 Remote System Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 File Deletion	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
I686.elf	24%	ReversingLabs
I686.elf	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
54.171.230.55	unknown	United States	16509	AMAZON-02US	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
216.9.227.143	unknown	Reserved	7018	ATT-INTERNET4US	true
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54.171.230.55	wind.mpsl.elf	Get hash	malicious	Mirai	Browse
	ZohoAssistURS	Get hash	malicious	Unknown	Browse
	Aqua.mpsl.elf	Get hash	malicious	Unknown	Browse
	x86_64.elf	Get hash	malicious	Unknown	Browse
	socat.elf	Get hash	malicious	Unknown	Browse
	arm5.elf	Get hash	malicious	Unknown	Browse
	bot.mips.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse
	emips.elf	Get hash	malicious	Unknown	Browse
	i.elf	Get hash	malicious	Unknown	Browse
	.i.elf	Get hash	malicious	Unknown	Browse
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
216.9.227.143	M68K.elf	Get hash	malicious	Unknown	Browse
	I586.elf	Get hash	malicious	Unknown	Browse
	SH4.elf	Get hash	malicious	Unknown	Browse
	SPARC.elf	Get hash	malicious	Unknown	Browse
	SH4.elf	Get hash	malicious	Mirai	Browse
	POWERPC.elf	Get hash	malicious	Mirai	Browse
	SPARC.elf	Get hash	malicious	Mirai	Browse
	MIPSEL.elf	Get hash	malicious	Mirai	Browse
	MIPS.elf	Get hash	malicious	Mirai	Browse
	ARMV6L.elf	Get hash	malicious	Mirai	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	M68K.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	bin.sh.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	I586.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	ARMV4L.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	POWERPC.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	wind.arm7.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	SH4.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	SPARC.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	wind.arm5.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	sshd.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
AMAZON-02US	x86_64.elf	Get hash	malicious	Gafgyt, Mirai	Browse	157.175.218.211
	1.elf	Get hash	malicious	Unknown	Browse	52.221.18.147
	http://4.nscqn.dashboradcortx.xyz/4hbVgI3060FFjU163rczgakrldw288HJUBSXEIQRWLNTA425583MYLP8076x12	Get hash	malicious	Unknown	Browse	35.161.242.225
	wind.mpsl.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	https://myburbank-uat.3didemo.com	Get hash	malicious	HTMLPhisher	Browse	52.40.130.243
	http://hotelyetipokhara.com	Get hash	malicious	Unknown	Browse	13.33.187.21
	1.elf	Get hash	malicious	Unknown	Browse	13.32.82.152
	http://boir.org	Get hash	malicious	Unknown	Browse	18.195.105.217
	http://vaporblastingservices.com	Get hash	malicious	Unknown	Browse	18.244.18.120
	file.exe	Get hash	malicious	Unknown	Browse	45.112.123.126
INIT7CH	M68K.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	bin.sh.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	I586.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	ARMV4L.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	POWERPC.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	wind.arm7.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	SH4.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	SPARC.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	wind.arm5.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	sshd.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
ATT-INTERNET4US	M68K.elf	Get hash	malicious	Unknown	Browse	216.9.227.143
	1.elf	Get hash	malicious	Unknown	Browse	139.151.95.187
	I586.elf	Get hash	malicious	Unknown	Browse	216.9.227.143
	4.elf	Get hash	malicious	Unknown	Browse	208.61.41.157
	4.elf	Get hash	malicious	Unknown	Browse	75.42.13.152
	SH4.elf	Get hash	malicious	Unknown	Browse	216.9.227.143
	SPARC.elf	Get hash	malicious	Unknown	Browse	216.9.227.143
	3.elf	Get hash	malicious	Unknown	Browse	12.114.129.91
	https://midoregoncu-securemessagecenter.s3.us-east-1.amazonaws.com/open/message_12832.html	Get hash	malicious	HTMLPhisher	Browse	13.32.27.129
	DEMONS.ppc.elf	Get hash	malicious	Unknown	Browse	108.84.153.89

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header
Entropy (8bit):	7.952069181739197
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	I686.elf
File size:	33'164 bytes
MD5:	66a01f0510ebc9589dcbff7b42c1573c
SHA1:	26d0b67a509aacae15c18375e11d5a9d889d379c
SHA256:	88a5ec4709e75598c567094063013148a1e1ae8b3cefcffe096f7b0a574573e2
SHA512:	140c2ea096b3eb4afebeda910ff51e2004a51e908d562b3c573ca122ea4dca6698045fa8ce7379fcb4df5f4c44ca157e4d33f5386c50a840ca992862dbeef4b6
SSDEEP:	768:HyzmCa1b14OqUAldbIvqMVV0dw72ZM+S4KZs2RD0hXBwDanbcuyD7UryqL:SqJb140wsSMVad02M3R08anouy8mqL
TLSH:	B0E2E135C9F86FD1C09D10FC341E6D0A53706B2696CA5336E7D8647F8B22E9B7958213
File Content Preview:	.ELF....................@...4...........4. ...(.....................4...4...........................................Q.td.............................4.IYTS.....................Q..........?..k.I/.j....\.h.blz.x..&.A!!.1h\.?W'..o.....V.4Lk0..\|G.K....tmL.M..

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Intel 80386
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - Linux
ABI Version:	0
Entry Point Address:	0x804ee40
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0x8048000	0x8048000	0x8034	0x8034	7.9542	0x5	R E	0x1000
LOAD	0x0	0x8051000	0x8051000	0x0	0xcb04	0.0000	0x6	RW	0x1000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-03T05:07:49.462375+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45568	216.9.227.143	9168	TCP
2025-01-03T05:07:51.112792+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45570	216.9.227.143	9168	TCP
2025-01-03T05:07:51.736842+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45572	216.9.227.143	9168	TCP
2025-01-03T05:07:52.375475+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45574	216.9.227.143	9168	TCP
2025-01-03T05:07:53.004865+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45576	216.9.227.143	9168	TCP
2025-01-03T05:07:53.625821+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45578	216.9.227.143	9168	TCP
2025-01-03T05:07:54.247570+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45580	216.9.227.143	9168	TCP
2025-01-03T05:07:54.880420+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45582	216.9.227.143	9168	TCP
2025-01-03T05:07:55.536110+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45584	216.9.227.143	9168	TCP
2025-01-03T05:07:56.184183+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45586	216.9.227.143	9168	TCP
2025-01-03T05:07:56.826350+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45588	216.9.227.143	9168	TCP
2025-01-03T05:07:57.453372+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45590	216.9.227.143	9168	TCP
2025-01-03T05:07:58.069464+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45592	216.9.227.143	9168	TCP
2025-01-03T05:07:58.693966+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45594	216.9.227.143	9168	TCP
2025-01-03T05:07:59.306084+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45596	216.9.227.143	9168	TCP
2025-01-03T05:07:59.944289+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45598	216.9.227.143	9168	TCP
2025-01-03T05:08:00.575103+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45600	216.9.227.143	9168	TCP
2025-01-03T05:08:01.205243+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45602	216.9.227.143	9168	TCP
2025-01-03T05:08:01.830266+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45604	216.9.227.143	9168	TCP
2025-01-03T05:08:02.461853+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45606	216.9.227.143	9168	TCP
2025-01-03T05:08:03.087875+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45608	216.9.227.143	9168	TCP
2025-01-03T05:08:03.706657+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45610	216.9.227.143	9168	TCP
2025-01-03T05:08:04.355369+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45612	216.9.227.143	9168	TCP
2025-01-03T05:08:04.975381+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45614	216.9.227.143	9168	TCP
2025-01-03T05:08:05.624586+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45616	216.9.227.143	9168	TCP
2025-01-03T05:08:06.284679+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45618	216.9.227.143	9168	TCP
2025-01-03T05:08:06.920760+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45620	216.9.227.143	9168	TCP
2025-01-03T05:08:07.542325+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45622	216.9.227.143	9168	TCP
2025-01-03T05:08:08.164240+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45624	216.9.227.143	9168	TCP
2025-01-03T05:08:08.784896+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45626	216.9.227.143	9168	TCP
2025-01-03T05:08:09.406317+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45628	216.9.227.143	9168	TCP
2025-01-03T05:08:10.030457+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45630	216.9.227.143	9168	TCP
2025-01-03T05:08:10.650709+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45632	216.9.227.143	9168	TCP
2025-01-03T05:08:11.273695+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45634	216.9.227.143	9168	TCP
2025-01-03T05:08:11.914389+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45636	216.9.227.143	9168	TCP
2025-01-03T05:08:12.539577+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45638	216.9.227.143	9168	TCP
2025-01-03T05:08:13.165193+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45640	216.9.227.143	9168	TCP
2025-01-03T05:08:13.792015+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45642	216.9.227.143	9168	TCP
2025-01-03T05:08:14.420926+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45644	216.9.227.143	9168	TCP
2025-01-03T05:08:15.063967+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45646	216.9.227.143	9168	TCP
2025-01-03T05:08:15.703621+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45648	216.9.227.143	9168	TCP
2025-01-03T05:08:16.318380+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45650	216.9.227.143	9168	TCP
2025-01-03T05:08:16.945976+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45652	216.9.227.143	9168	TCP
2025-01-03T05:08:17.591671+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45654	216.9.227.143	9168	TCP
2025-01-03T05:08:18.232922+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45656	216.9.227.143	9168	TCP
2025-01-03T05:08:18.870067+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45658	216.9.227.143	9168	TCP
2025-01-03T05:08:19.512517+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45660	216.9.227.143	9168	TCP
2025-01-03T05:08:20.128219+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45662	216.9.227.143	9168	TCP
2025-01-03T05:08:20.752331+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45664	216.9.227.143	9168	TCP
2025-01-03T05:08:21.395689+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45666	216.9.227.143	9168	TCP
2025-01-03T05:08:22.031778+0100	2839491	ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin M2	1	192.168.2.23	45668	216.9.227.143	9168	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2025 05:07:47.176537991 CET	443	33606	54.171.230.55	192.168.2.23
Jan 3, 2025 05:07:47.176692963 CET	33606	443	192.168.2.23	54.171.230.55
Jan 3, 2025 05:07:47.181461096 CET	443	33606	54.171.230.55	192.168.2.23
Jan 3, 2025 05:07:49.457426071 CET	45568	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:49.462282896 CET	9168	45568	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:49.462352991 CET	45568	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:49.462374926 CET	45568	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:49.467137098 CET	9168	45568	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:50.082719088 CET	9168	45568	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:50.082835913 CET	9168	45568	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:50.082910061 CET	45568	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:50.082910061 CET	45568	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:50.082910061 CET	45570	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:50.087779999 CET	9168	45568	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:50.087796926 CET	9168	45570	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:50.087853909 CET	45570	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:51.107887030 CET	45570	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:51.112703085 CET	9168	45570	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:51.112775087 CET	45570	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:51.112792015 CET	45570	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:51.117594957 CET	9168	45570	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:51.651772022 CET	43928	443	192.168.2.23	91.189.91.42
Jan 3, 2025 05:07:51.731820107 CET	9168	45570	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:51.731872082 CET	9168	45570	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:51.731904984 CET	45570	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:51.731944084 CET	45570	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:51.731997013 CET	45572	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:51.736699104 CET	9168	45570	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:51.736769915 CET	9168	45572	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:51.736828089 CET	45572	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:51.736841917 CET	45572	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:51.741600037 CET	9168	45572	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:52.370021105 CET	9168	45572	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:52.370209932 CET	45572	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:52.370462894 CET	9168	45572	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:52.370516062 CET	45572	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:52.370553017 CET	45574	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:52.375407934 CET	9168	45572	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:52.375420094 CET	9168	45574	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:52.375459909 CET	45574	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:52.375474930 CET	45574	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:52.380232096 CET	9168	45574	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:52.999597073 CET	9168	45574	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:52.999682903 CET	9168	45574	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:52.999701023 CET	45574	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:52.999730110 CET	45574	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:52.999783039 CET	45576	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:53.004796982 CET	9168	45574	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:53.004811049 CET	9168	45576	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:53.004849911 CET	45576	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:53.004864931 CET	45576	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:53.009596109 CET	9168	45576	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:53.620609045 CET	9168	45576	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:53.620713949 CET	9168	45576	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:53.620799065 CET	45576	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:53.620903015 CET	45576	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:53.621006012 CET	45578	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:53.625631094 CET	9168	45576	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:53.625761986 CET	9168	45578	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:53.625806093 CET	45578	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:53.625821114 CET	45578	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:53.630563974 CET	9168	45578	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:54.242373943 CET	9168	45578	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:54.242521048 CET	45578	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:54.242543936 CET	9168	45578	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:54.242624998 CET	45578	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:54.242674112 CET	45580	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:54.247488976 CET	9168	45578	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:54.247502089 CET	9168	45580	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:54.247554064 CET	45580	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:54.247570038 CET	45580	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:54.252341032 CET	9168	45580	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:54.875276089 CET	9168	45580	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:54.875310898 CET	9168	45580	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:54.875438929 CET	45580	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:54.875468969 CET	45580	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:54.875564098 CET	45582	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:54.880289078 CET	9168	45580	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:54.880343914 CET	9168	45582	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:54.880394936 CET	45582	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:54.880419970 CET	45582	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:54.885214090 CET	9168	45582	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:55.530870914 CET	9168	45582	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:55.530888081 CET	9168	45582	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:55.531018019 CET	45582	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:55.531075954 CET	45582	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:55.531131983 CET	45584	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:55.535949945 CET	9168	45582	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:55.535981894 CET	9168	45584	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:55.536082983 CET	45584	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:55.536109924 CET	45584	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:55.540874004 CET	9168	45584	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:56.178899050 CET	9168	45584	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:56.179060936 CET	9168	45584	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:56.179141998 CET	45584	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:56.179178953 CET	45584	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:56.179255009 CET	45586	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:56.183974981 CET	9168	45584	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:56.184099913 CET	9168	45586	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:56.184170008 CET	45586	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:56.184182882 CET	45586	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:56.188954115 CET	9168	45586	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:56.820972919 CET	9168	45586	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:56.821197987 CET	9168	45586	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:56.821204901 CET	45586	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:56.821360111 CET	45586	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:56.821443081 CET	45588	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:56.826045990 CET	9168	45586	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:56.826267958 CET	9168	45588	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:56.826329947 CET	45588	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:56.826349974 CET	45588	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:56.831062078 CET	9168	45588	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:57.027055025 CET	42836	443	192.168.2.23	91.189.91.43
Jan 3, 2025 05:07:57.448074102 CET	9168	45588	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:57.448086977 CET	9168	45588	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:57.448282957 CET	45588	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:57.448405027 CET	45588	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:57.448470116 CET	45590	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:57.453247070 CET	9168	45588	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:57.453263998 CET	9168	45590	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:57.453358889 CET	45590	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:57.453372002 CET	45590	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:57.458148956 CET	9168	45590	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:58.064256907 CET	9168	45590	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:58.064275980 CET	9168	45590	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:58.064389944 CET	45590	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:58.064476013 CET	45590	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:58.064531088 CET	45592	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:58.069190979 CET	9168	45590	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:58.069366932 CET	9168	45592	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:58.069463968 CET	45592	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:58.069463968 CET	45592	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:58.074245930 CET	9168	45592	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:58.562822104 CET	42516	80	192.168.2.23	109.202.202.202
Jan 3, 2025 05:07:58.688822985 CET	9168	45592	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:58.688927889 CET	9168	45592	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:58.688999891 CET	45592	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:58.689032078 CET	45592	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:58.689075947 CET	45594	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:58.693850994 CET	9168	45592	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:58.693862915 CET	9168	45594	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:58.693953991 CET	45594	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:58.693965912 CET	45594	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:58.698791981 CET	9168	45594	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:59.300775051 CET	9168	45594	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:59.300880909 CET	9168	45594	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:59.300947905 CET	45594	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:59.301076889 CET	45594	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:59.301126003 CET	45596	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:59.305876017 CET	9168	45594	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:59.305994034 CET	9168	45596	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:59.306071043 CET	45596	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:59.306083918 CET	45596	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:59.310866117 CET	9168	45596	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:59.939222097 CET	9168	45596	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:59.939240932 CET	9168	45596	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:59.939364910 CET	45596	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:59.939404964 CET	45596	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:59.939445972 CET	45598	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:59.944181919 CET	9168	45596	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:59.944195032 CET	9168	45598	216.9.227.143	192.168.2.23
Jan 3, 2025 05:07:59.944278955 CET	45598	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:59.944288969 CET	45598	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:07:59.949070930 CET	9168	45598	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:00.569744110 CET	9168	45598	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:00.569868088 CET	45598	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:00.569947958 CET	9168	45598	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:00.570058107 CET	45598	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:00.570190907 CET	45600	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:00.574865103 CET	9168	45598	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:00.574976921 CET	9168	45600	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:00.575062990 CET	45600	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:00.575103045 CET	45600	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:00.579827070 CET	9168	45600	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:01.199954987 CET	9168	45600	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:01.200042963 CET	45600	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:01.200154066 CET	9168	45600	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:01.200275898 CET	45600	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:01.200371981 CET	45602	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:01.205056906 CET	9168	45600	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:01.205118895 CET	9168	45602	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:01.205189943 CET	45602	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:01.205243111 CET	45602	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:01.209966898 CET	9168	45602	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:01.824903011 CET	9168	45602	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:01.825026989 CET	9168	45602	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:01.825095892 CET	45602	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:01.825280905 CET	45602	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:01.825352907 CET	45604	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:01.829988956 CET	9168	45602	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:01.830152988 CET	9168	45604	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:01.830214024 CET	45604	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:01.830265999 CET	45604	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:01.835040092 CET	9168	45604	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:02.456527948 CET	9168	45604	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:02.456547022 CET	9168	45604	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:02.456784010 CET	45604	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:02.456969023 CET	45604	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:02.457072020 CET	45606	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:02.461715937 CET	9168	45604	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:02.461776972 CET	9168	45606	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:02.461836100 CET	45606	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:02.461853027 CET	45606	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:02.466576099 CET	9168	45606	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:03.081835032 CET	9168	45606	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:03.082072973 CET	45606	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:03.082755089 CET	9168	45606	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:03.082886934 CET	45606	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:03.083010912 CET	45608	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:03.087599039 CET	9168	45606	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:03.087769985 CET	9168	45608	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:03.087841034 CET	45608	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:03.087874889 CET	45608	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:03.092720032 CET	9168	45608	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:03.701112032 CET	9168	45608	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:03.701348066 CET	9168	45608	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:03.701489925 CET	45608	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:03.701530933 CET	45608	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:03.701556921 CET	45610	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:03.706501961 CET	9168	45608	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:03.706513882 CET	9168	45610	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:03.706598043 CET	45610	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:03.706656933 CET	45610	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:03.711384058 CET	9168	45610	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:04.349932909 CET	9168	45610	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:04.350063086 CET	9168	45610	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:04.350258112 CET	45610	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:04.350375891 CET	45610	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:04.350517035 CET	45612	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:04.355114937 CET	9168	45610	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:04.355266094 CET	9168	45612	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:04.355369091 CET	45612	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:04.355369091 CET	45612	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:04.360101938 CET	9168	45612	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:04.970221996 CET	9168	45612	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:04.970376015 CET	9168	45612	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:04.970458984 CET	45612	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:04.970458984 CET	45612	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:04.970516920 CET	45614	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:04.975292921 CET	9168	45612	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:04.975306034 CET	9168	45614	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:04.975354910 CET	45614	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:04.975380898 CET	45614	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:04.980231047 CET	9168	45614	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:05.619234085 CET	9168	45614	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:05.619249105 CET	9168	45614	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:05.619462013 CET	45614	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:05.619559050 CET	45614	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:05.619692087 CET	45616	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:05.624314070 CET	9168	45614	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:05.624418974 CET	9168	45616	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:05.624571085 CET	45616	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:05.624586105 CET	45616	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:05.629400015 CET	9168	45616	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:06.279633999 CET	9168	45616	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:06.279692888 CET	9168	45616	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:06.279743910 CET	45616	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:06.279781103 CET	45616	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:06.279829025 CET	45618	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:06.284557104 CET	9168	45616	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:06.284610987 CET	9168	45618	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:06.284666061 CET	45618	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:06.284678936 CET	45618	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:06.289390087 CET	9168	45618	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:06.915227890 CET	9168	45618	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:06.915535927 CET	9168	45618	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:06.915616035 CET	45618	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:06.915777922 CET	45618	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:06.915903091 CET	45620	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:06.920496941 CET	9168	45618	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:06.920645952 CET	9168	45620	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:06.920722961 CET	45620	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:06.920759916 CET	45620	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:06.925564051 CET	9168	45620	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:07.536982059 CET	9168	45620	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:07.537137985 CET	9168	45620	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:07.537283897 CET	45620	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:07.537353992 CET	45620	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:07.537425995 CET	45622	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:07.542098045 CET	9168	45620	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:07.542160034 CET	9168	45622	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:07.542242050 CET	45622	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:07.542325020 CET	45622	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:07.547141075 CET	9168	45622	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:08.158920050 CET	9168	45622	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:08.159181118 CET	45622	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:08.159215927 CET	9168	45622	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:08.159301043 CET	45622	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:08.159339905 CET	45624	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:08.164102077 CET	9168	45622	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:08.164123058 CET	9168	45624	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:08.164212942 CET	45624	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:08.164239883 CET	45624	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:08.169095993 CET	9168	45624	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:08.779489040 CET	9168	45624	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:08.779656887 CET	45624	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:08.779838085 CET	9168	45624	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:08.779953003 CET	45624	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:08.780025005 CET	45626	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:08.784759998 CET	9168	45624	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:08.784770966 CET	9168	45626	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:08.784866095 CET	45626	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:08.784895897 CET	45626	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:08.789655924 CET	9168	45626	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:09.401025057 CET	9168	45626	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:09.401232004 CET	45626	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:09.401238918 CET	9168	45626	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:09.401362896 CET	45626	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:09.401458979 CET	45628	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:09.406078100 CET	9168	45626	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:09.406189919 CET	9168	45628	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:09.406270981 CET	45628	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:09.406316996 CET	45628	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:09.411108017 CET	9168	45628	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:10.025333881 CET	9168	45628	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:10.025353909 CET	9168	45628	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:10.025451899 CET	45628	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:10.025520086 CET	45628	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:10.025594950 CET	45630	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:10.030282021 CET	9168	45628	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:10.030333042 CET	9168	45630	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:10.030412912 CET	45630	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:10.030457020 CET	45630	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:10.035218000 CET	9168	45630	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:10.645179987 CET	9168	45630	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:10.645387888 CET	45630	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:10.645495892 CET	9168	45630	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:10.645597935 CET	45630	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:10.645734072 CET	45632	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:10.650347948 CET	9168	45630	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:10.650531054 CET	9168	45632	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:10.650609970 CET	45632	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:10.650708914 CET	45632	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:10.655461073 CET	9168	45632	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:11.268142939 CET	9168	45632	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:11.268264055 CET	9168	45632	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:11.268430948 CET	45632	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:11.268564939 CET	45632	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:11.268697023 CET	45634	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:11.273355961 CET	9168	45632	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:11.273576021 CET	9168	45634	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:11.273639917 CET	45634	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:11.273694992 CET	45634	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:11.278465986 CET	9168	45634	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:11.906904936 CET	9168	45634	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:11.907090902 CET	45634	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:11.909248114 CET	9168	45634	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:11.909346104 CET	45634	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:11.909471035 CET	45636	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:11.914247990 CET	9168	45634	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:11.914259911 CET	9168	45636	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:11.914340973 CET	45636	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:11.914388895 CET	45636	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:11.920164108 CET	9168	45636	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:12.534120083 CET	9168	45636	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:12.534362078 CET	9168	45636	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:12.534384966 CET	45636	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:12.534521103 CET	45636	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:12.534632921 CET	45638	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:12.539216042 CET	9168	45636	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:12.539467096 CET	9168	45638	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:12.539534092 CET	45638	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:12.539577007 CET	45638	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:12.544392109 CET	9168	45638	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:13.159804106 CET	9168	45638	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:13.159847975 CET	9168	45638	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:13.160098076 CET	45638	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:13.160182953 CET	45638	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:13.160269022 CET	45640	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:13.164966106 CET	9168	45638	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:13.165079117 CET	9168	45640	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:13.165143967 CET	45640	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:13.165193081 CET	45640	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:13.169962883 CET	9168	45640	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:13.408778906 CET	43928	443	192.168.2.23	91.189.91.42
Jan 3, 2025 05:08:13.785151958 CET	9168	45640	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:13.785232067 CET	45640	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:13.785243988 CET	9168	45640	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:13.785376072 CET	45640	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:13.785473108 CET	45642	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:13.791843891 CET	9168	45640	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:13.791903019 CET	9168	45642	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:13.791966915 CET	45642	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:13.792015076 CET	45642	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:13.796777964 CET	9168	45642	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:14.415641069 CET	9168	45642	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:14.415735960 CET	9168	45642	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:14.415796041 CET	45642	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:14.415915966 CET	45642	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:14.416002989 CET	45644	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:14.420733929 CET	9168	45642	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:14.420810938 CET	9168	45644	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:14.420875072 CET	45644	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:14.420926094 CET	45644	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:14.425674915 CET	9168	45644	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:15.058684111 CET	9168	45644	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:15.058779001 CET	45644	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:15.059000969 CET	9168	45644	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:15.059048891 CET	45644	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:15.059137106 CET	45646	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:15.063855886 CET	9168	45644	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:15.063909054 CET	9168	45646	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:15.063955069 CET	45646	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:15.063966990 CET	45646	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:15.068778992 CET	9168	45646	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:15.698244095 CET	9168	45646	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:15.698457003 CET	9168	45646	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:15.698513985 CET	45646	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:15.698620081 CET	45646	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:15.698720932 CET	45648	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:15.703372002 CET	9168	45646	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:15.703495979 CET	9168	45648	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:15.703600883 CET	45648	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:15.703620911 CET	45648	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:15.708323956 CET	9168	45648	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:16.313097000 CET	9168	45648	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:16.313114882 CET	9168	45648	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:16.313232899 CET	45648	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:16.313317060 CET	45648	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:16.313415051 CET	45650	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:16.318120003 CET	9168	45648	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:16.318237066 CET	9168	45650	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:16.318314075 CET	45650	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:16.318380117 CET	45650	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:16.323132038 CET	9168	45650	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:16.940627098 CET	9168	45650	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:16.940658092 CET	9168	45650	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:16.940747023 CET	45650	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:16.940929890 CET	45650	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:16.941005945 CET	45652	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:16.945684910 CET	9168	45650	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:16.945854902 CET	9168	45652	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:16.945930958 CET	45652	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:16.945976019 CET	45652	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:16.950719118 CET	9168	45652	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:17.586303949 CET	9168	45652	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:17.586397886 CET	9168	45652	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:17.586457968 CET	45652	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:17.586644888 CET	45652	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:17.586736917 CET	45654	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:17.591420889 CET	9168	45652	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:17.591535091 CET	9168	45654	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:17.591619968 CET	45654	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:17.591670990 CET	45654	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:17.596443892 CET	9168	45654	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:18.227765083 CET	9168	45654	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:18.227797985 CET	9168	45654	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:18.227897882 CET	45654	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:18.227967024 CET	45654	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:18.228056908 CET	45656	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:18.232732058 CET	9168	45654	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:18.232808113 CET	9168	45656	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:18.232878923 CET	45656	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:18.232922077 CET	45656	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:18.237679005 CET	9168	45656	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:18.864747047 CET	9168	45656	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:18.864784956 CET	9168	45656	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:18.865037918 CET	45656	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:18.865098953 CET	45656	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:18.865221977 CET	45658	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:18.869895935 CET	9168	45656	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:18.869956017 CET	9168	45658	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:18.870032072 CET	45658	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:18.870066881 CET	45658	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:18.874840021 CET	9168	45658	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:19.507294893 CET	9168	45658	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:19.507401943 CET	45658	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:19.507407904 CET	9168	45658	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:19.507601023 CET	45658	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:19.507668972 CET	45660	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:19.512356997 CET	9168	45658	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:19.512428999 CET	9168	45660	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:19.512481928 CET	45660	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:19.512516975 CET	45660	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:19.517277956 CET	9168	45660	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:20.123065948 CET	9168	45660	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:20.123183966 CET	9168	45660	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:20.123214006 CET	45660	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:20.123244047 CET	45660	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:20.123276949 CET	45662	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:20.128057957 CET	9168	45660	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:20.128099918 CET	9168	45662	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:20.128173113 CET	45662	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:20.128218889 CET	45662	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:20.133028984 CET	9168	45662	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:20.747230053 CET	9168	45662	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:20.747318983 CET	9168	45662	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:20.747365952 CET	45662	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:20.747395992 CET	45662	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:20.747435093 CET	45664	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:20.752252102 CET	9168	45662	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:20.752263069 CET	9168	45664	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:20.752315044 CET	45664	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:20.752331018 CET	45664	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:20.757114887 CET	9168	45664	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:21.390595913 CET	9168	45664	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:21.390711069 CET	45664	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:21.390767097 CET	9168	45664	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:21.390850067 CET	45664	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:21.390881062 CET	45666	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:21.395576000 CET	9168	45664	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:21.395622015 CET	9168	45666	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:21.395689011 CET	45666	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:21.395689011 CET	45666	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:21.400490999 CET	9168	45666	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:22.026551008 CET	9168	45666	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:22.026604891 CET	9168	45666	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:22.026706934 CET	45666	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:22.026746035 CET	45666	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:22.026803017 CET	45668	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:22.031547070 CET	9168	45666	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:22.031662941 CET	9168	45668	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:22.031749010 CET	45668	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:22.031778097 CET	45668	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:08:22.036581039 CET	9168	45668	216.9.227.143	192.168.2.23
Jan 3, 2025 05:08:23.647367954 CET	42836	443	192.168.2.23	91.189.91.43
Jan 3, 2025 05:08:29.791095972 CET	42516	80	192.168.2.23	109.202.202.202
Jan 3, 2025 05:08:54.363301039 CET	43928	443	192.168.2.23	91.189.91.42
Jan 3, 2025 05:09:01.776339054 CET	9168	45668	216.9.227.143	192.168.2.23
Jan 3, 2025 05:09:01.776465893 CET	45668	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:09:22.009071112 CET	9168	45668	216.9.227.143	192.168.2.23
Jan 3, 2025 05:09:22.009188890 CET	45668	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:09:22.190548897 CET	9168	45668	216.9.227.143	192.168.2.23
Jan 3, 2025 05:09:22.190706968 CET	45668	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:10:22.014239073 CET	9168	45668	216.9.227.143	192.168.2.23
Jan 3, 2025 05:10:22.014422894 CET	45668	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:10:22.199598074 CET	9168	45668	216.9.227.143	192.168.2.23
Jan 3, 2025 05:10:22.199721098 CET	45668	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:11:22.019448042 CET	9168	45668	216.9.227.143	192.168.2.23
Jan 3, 2025 05:11:22.019649029 CET	45668	9168	192.168.2.23	216.9.227.143
Jan 3, 2025 05:11:22.201967001 CET	9168	45668	216.9.227.143	192.168.2.23
Jan 3, 2025 05:11:22.202029943 CET	45668	9168	192.168.2.23	216.9.227.143

System Behavior

Analysis Process: dash PID: 6242, Parent PID: 4331

General

Start time (UTC):	04:07:46
Start date (UTC):	03/01/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 6242, Parent PID: 4331

General

Start time (UTC):	04:07:46
Start date (UTC):	03/01/2025
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.TF6lRJD3T3 /tmp/tmp.FI8uK2IPOd /tmp/tmp.zd2U4tPRSm
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: dash PID: 6243, Parent PID: 4331

General

Start time (UTC):	04:07:46
Start date (UTC):	03/01/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 6243, Parent PID: 4331

General

Start time (UTC):	04:07:46
Start date (UTC):	03/01/2025
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.TF6lRJD3T3 /tmp/tmp.FI8uK2IPOd /tmp/tmp.zd2U4tPRSm
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: I686.elf PID: 6271, Parent PID: 6171

General

Start time (UTC):	04:07:48
Start date (UTC):	03/01/2025
Path:	/tmp/I686.elf
Arguments:	/tmp/I686.elf
File size:	33164 bytes
MD5 hash:	66a01f0510ebc9589dcbff7b42c1573c

Chronological Activities

Analysis Process: I686.elf PID: 6272, Parent PID: 6271

General

Start time (UTC):	04:07:48
Start date (UTC):	03/01/2025
Path:	/tmp/I686.elf
Arguments:	-
File size:	33164 bytes
MD5 hash:	66a01f0510ebc9589dcbff7b42c1573c

Chronological Activities

Analysis Process: I686.elf PID: 6273, Parent PID: 6271

General

Start time (UTC):	04:07:48
Start date (UTC):	03/01/2025
Path:	/tmp/I686.elf
Arguments:	-
File size:	33164 bytes
MD5 hash:	66a01f0510ebc9589dcbff7b42c1573c

Chronological Activities

Analysis Process: I686.elf PID: 6274, Parent PID: 6273

General

Start time (UTC):	04:07:48
Start date (UTC):	03/01/2025
Path:	/tmp/I686.elf
Arguments:	-
File size:	33164 bytes
MD5 hash:	66a01f0510ebc9589dcbff7b42c1573c

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or `net view` using Net .
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Network Traffic: Network Connection Creation, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report I686.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: dash PID: 6242, Parent PID: 4331

General

Chronological Activities

Analysis Process: rm PID: 6242, Parent PID: 4331

General

Chronological Activities

Analysis Process: dash PID: 6243, Parent PID: 4331

General

Chronological Activities

Analysis Process: rm PID: 6243, Parent PID: 4331

General

Chronological Activities

Analysis Process: I686.elf PID: 6271, Parent PID: 6171

General

Chronological Activities

Analysis Process: I686.elf PID: 6272, Parent PID: 6271

General

Chronological Activities

Analysis Process: I686.elf PID: 6273, Parent PID: 6271

General

Chronological Activities

Analysis Process: I686.elf PID: 6274, Parent PID: 6273

General

Linux Analysis Report
I686.elf