Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
Kloki.ppc.elf

Overview

General Information

Sample name:Kloki.ppc.elf
Analysis ID:1584111
MD5:882122df0b30bde6021e4987fed11755
SHA1:229f98429ccf445b61e14a1eb275fb50120b7ddb
SHA256:0fcf14ca363a57d61610bfc67af3ddbb87f1635e6d456becb340e4428ca60df2
Tags:elfuser-abuse_ch
Infos:

Detection

Mirai
Score:68
Range:0 - 100
Whitelisted:false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Mirai
Sample tries to kill multiple processes (SIGKILL)
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Found strings indicative of a multi-platform dropper
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1584111
Start date and time:2025-01-04 09:27:24 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 57s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:Kloki.ppc.elf
Detection:MAL
Classification:mal68.spre.troj.linELF@0/23@5/0

Warnings

  • Connection to analysis system has been lost, crash info: Unknown

Runtime Messages

Command:/tmp/Kloki.ppc.elf
PID:5488
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
dear
Standard Error:

Process Tree

  • system is lnxubuntu20
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
MiraiMirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
Kloki.ppc.elfJoeSecurity_Mirai_8Yara detected MiraiJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    5488.1.00007f8138001000.00007f813801f000.r-x.sdmpJoeSecurity_Mirai_8Yara detected MiraiJoe Security
      5492.1.00007f8138001000.00007f813801f000.r-x.sdmpJoeSecurity_Mirai_8Yara detected MiraiJoe Security

        Suricata Signatures

        No Suricata rule has matched

        Joe Sandbox Signatures

        Click to jump to signature section

        Show All Signature Results

        AV Detection

        barindex
        Antivirus / Scanner detection for submitted sample
        Source: Kloki.ppc.elfAvira: detected
        Multi AV Scanner detection for submitted file
        Source: Kloki.ppc.elfReversingLabs: Detection: 34%
        Source: Kloki.ppc.elfString: %d/proc/self/exe/. ppid/proc/net/tcp/proc//exe/status/fd//dev/null/dev/consolesocket05self/bin/bash/bin/sh/bin/dashbashshftpwgettftpncnetcatnmaptcpdumpsocatcurlbusyboxpythonrebootechoinitcroniptablessshdtelnettelnetdtftpdrshdrexecdftpdxinetdpftp/bin/login
        Source: global trafficTCP traffic: 192.168.2.14:47164 -> 210.99.214.129:13566
        Source: global trafficTCP traffic: 192.168.2.14:59380 -> 210.99.249.152:13566
        Source: global trafficTCP traffic: 192.168.2.14:49958 -> 210.99.186.59:13566
        Source: global trafficTCP traffic: 192.168.2.14:38266 -> 210.99.214.7:13566
        Source: global trafficTCP traffic: 192.168.2.14:46210 -> 210.99.99.145:13566
        Source: global trafficTCP traffic: 192.168.2.14:59898 -> 210.99.5.190:13566
        Source: global trafficTCP traffic: 192.168.2.14:38548 -> 210.99.163.209:13566
        Source: global trafficTCP traffic: 192.168.2.14:38772 -> 210.99.255.94:13566
        Source: global trafficTCP traffic: 192.168.2.14:50228 -> 210.99.222.217:13566
        Source: global trafficTCP traffic: 192.168.2.14:45658 -> 210.99.176.157:13566
        Source: global trafficTCP traffic: 192.168.2.14:35644 -> 210.99.11.251:13566
        Source: global trafficTCP traffic: 192.168.2.14:46942 -> 210.99.150.142:13566
        Source: global trafficTCP traffic: 192.168.2.14:57516 -> 210.99.40.186:13566
        Source: global trafficTCP traffic: 192.168.2.14:52096 -> 210.99.174.139:13566
        Source: global trafficTCP traffic: 192.168.2.14:36534 -> 210.99.95.255:13566
        Source: global trafficTCP traffic: 192.168.2.14:40482 -> 210.99.103.53:13566
        Source: global trafficTCP traffic: 192.168.2.14:45918 -> 210.99.128.96:13566
        Source: global trafficTCP traffic: 192.168.2.14:46804 -> 210.99.206.58:13566
        Source: global trafficTCP traffic: 192.168.2.14:58292 -> 210.99.155.164:13566
        Source: global trafficTCP traffic: 192.168.2.14:48616 -> 210.99.66.254:13566
        Source: global trafficTCP traffic: 192.168.2.14:58058 -> 210.99.53.71:13566
        Source: global trafficTCP traffic: 192.168.2.14:35146 -> 210.99.188.216:13566
        Source: global trafficTCP traffic: 192.168.2.14:41438 -> 210.99.24.188:13566
        Source: global trafficTCP traffic: 192.168.2.14:33400 -> 210.99.54.246:13566
        Source: global trafficTCP traffic: 192.168.2.14:33346 -> 210.99.149.231:13566
        Source: global trafficTCP traffic: 192.168.2.14:56390 -> 83.222.191.90:13566
        Source: /tmp/Kloki.ppc.elf (PID: 5488)Socket: 127.0.0.1:8341Jump to behavior
        Source: unknownDNS traffic detected: query: secure-network-rebirthltd.ru replaycode: Name error (3)
        Source: unknownTCP traffic detected without corresponding DNS query: 83.222.191.90
        Source: unknownTCP traffic detected without corresponding DNS query: 83.222.191.90
        Source: unknownTCP traffic detected without corresponding DNS query: 83.222.191.90
        Source: unknownTCP traffic detected without corresponding DNS query: 83.222.191.90
        Source: unknownTCP traffic detected without corresponding DNS query: 83.222.191.90
        Source: unknownTCP traffic detected without corresponding DNS query: 83.222.191.90
        Source: unknownTCP traffic detected without corresponding DNS query: 83.222.191.90
        Source: unknownTCP traffic detected without corresponding DNS query: 83.222.191.90
        Source: unknownTCP traffic detected without corresponding DNS query: 83.222.191.90
        Source: unknownTCP traffic detected without corresponding DNS query: 83.222.191.90
        Source: global trafficDNS traffic detected: DNS query: secure-network-rebirthltd.ru

        System Summary

        barindex
        Sample tries to kill multiple processes (SIGKILL)
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5498, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5519, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5520, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5521, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5522, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5523, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5524, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5525, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5526, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5527, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5528, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5529, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5530, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5531, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5532, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5533, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5534, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5535, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5536, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5537, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5587, result: successfulJump to behavior
        Source: Initial sampleString containing 'busybox' found: busybox
        Source: Initial sampleString containing 'busybox' found: %d/proc/self/exe/. ppid/proc/net/tcp/proc//exe/status/fd//dev/null/dev/consolesocket05self/bin/bash/bin/sh/bin/dashbashshftpwgettftpncnetcatnmaptcpdumpsocatcurlbusyboxpythonrebootechoinitcroniptablessshdtelnettelnetdtftpdrshdrexecdftpdxinetdpftp/bin/login
        Source: ELF static info symbol of initial sample.symtab present: no
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5498, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5519, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5520, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5521, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5522, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5523, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5524, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5525, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5526, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5527, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5528, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5529, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5530, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5531, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5532, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5533, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5534, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5535, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5536, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5537, result: successfulJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)SIGKILL sent: pid: 5587, result: successfulJump to behavior
        Source: classification engineClassification label: mal68.spre.troj.linELF@0/23@5/0
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5530/mapsJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5530/cmdlineJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5498/mapsJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5498/cmdlineJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5520/mapsJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5520/cmdlineJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5531/mapsJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5531/cmdlineJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5521/mapsJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5521/cmdlineJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5532/mapsJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5532/cmdlineJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5587/mapsJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5587/cmdlineJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5519/mapsJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5519/cmdlineJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5522/mapsJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5522/cmdlineJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5533/mapsJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5533/cmdlineJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5523/mapsJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5523/cmdlineJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5534/mapsJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5534/cmdlineJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5524/mapsJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5524/cmdlineJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5535/mapsJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5535/cmdlineJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5525/mapsJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5525/cmdlineJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5536/mapsJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5536/cmdlineJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5526/mapsJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5526/cmdlineJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5537/mapsJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5537/cmdlineJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5527/mapsJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5527/cmdlineJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5528/mapsJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5528/cmdlineJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5529/mapsJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5496)File opened: /proc/5529/cmdlineJump to behavior
        Source: /tmp/Kloki.ppc.elf (PID: 5488)Queries kernel information via 'uname': Jump to behavior
        Source: Kloki.ppc.elf, 5488.1.00007ffd9f38c000.00007ffd9f3ad000.rw-.sdmp, Kloki.ppc.elf, 5492.1.00007ffd9f38c000.00007ffd9f3ad000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-ppc/tmp/Kloki.ppc.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Kloki.ppc.elf
        Source: Kloki.ppc.elf, 5488.1.0000558915026000.00005589150d6000.rw-.sdmp, Kloki.ppc.elf, 5492.1.0000558915026000.00005589150d6000.rw-.sdmpBinary or memory string: !/etc/qemu-binfmt/ppc1
        Source: Kloki.ppc.elf, 5488.1.0000558915026000.00005589150d6000.rw-.sdmp, Kloki.ppc.elf, 5492.1.0000558915026000.00005589150d6000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/ppc
        Source: Kloki.ppc.elf, 5488.1.00007ffd9f38c000.00007ffd9f3ad000.rw-.sdmp, Kloki.ppc.elf, 5492.1.00007ffd9f38c000.00007ffd9f3ad000.rw-.sdmpBinary or memory string: /usr/bin/qemu-ppc
        Source: Kloki.ppc.elf, 5488.1.00007ffd9f38c000.00007ffd9f3ad000.rw-.sdmpBinary or memory string: U/tmp/qemu-open.iYO7I9\
        Source: Kloki.ppc.elf, 5488.1.00007ffd9f38c000.00007ffd9f3ad000.rw-.sdmpBinary or memory string: /tmp/qemu-open.iYO7I9

        Stealing of Sensitive Information

        barindex
        Yara detected Mirai
        Source: Yara matchFile source: Kloki.ppc.elf, type: SAMPLE
        Source: Yara matchFile source: 5488.1.00007f8138001000.00007f813801f000.r-x.sdmp, type: MEMORY
        Source: Yara matchFile source: 5492.1.00007f8138001000.00007f813801f000.r-x.sdmp, type: MEMORY

        Remote Access Functionality

        barindex
        Yara detected Mirai
        Source: Yara matchFile source: Kloki.ppc.elf, type: SAMPLE
        Source: Yara matchFile source: 5488.1.00007f8138001000.00007f813801f000.r-x.sdmp, type: MEMORY
        Source: Yara matchFile source: 5492.1.00007f8138001000.00007f813801f000.r-x.sdmp, type: MEMORY

        Mitre Att&ck Matrix

        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
        Gather Victim Identity Information1
        Scripting        		Valid AccountsWindows Management Instrumentation1
        Scripting        		Path InterceptionDirect Volume Access1
        OS Credential Dumping        		11
        Security Software Discovery        		Remote ServicesData from Local System1
        Non-Standard Port        		Exfiltration Over Other Network Medium1
        Service Stop
        CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
        Non-Application Layer Protocol        		Exfiltration Over BluetoothNetwork Denial of Service
        Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive1
        Application Layer Protocol        		Automated ExfiltrationData Encrypted for Impact

        Malware Configuration

        No configs have been found

        Behavior Graph

        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Number of created Files
        • Is malicious
        • Internet
        behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1584111 Sample: Kloki.ppc.elf Startdate: 04/01/2025 Architecture: LINUX Score: 68 19 210.99.103.53, 13566, 40482 NICNETKoreaTelecomKR Korea Republic of 2->19 21 210.99.11.251, 13566, 35644 NICNETKoreaTelecomKR Korea Republic of 2->21 23 25 other IPs or domains 2->23 25 Antivirus / Scanner detection for submitted sample 2->25 27 Multi AV Scanner detection for submitted file 2->27 29 Yara detected Mirai 2->29 8 Kloki.ppc.elf 2->8         started        signatures3 process4 process5 10 Kloki.ppc.elf 8->10         started        process6 12 Kloki.ppc.elf 10->12         started        15 Kloki.ppc.elf 10->15         started        17 Kloki.ppc.elf 10->17         started        signatures7 31 Sample tries to kill multiple processes (SIGKILL) 12->31

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        SourceDetectionScannerLabelLink
        Kloki.ppc.elf34%ReversingLabsLinux.Backdoor.Mirai
        Kloki.ppc.elf100%AviraEXP/ELF.Mirai.W

        Dropped Files

        No Antivirus matches

        Domains

        No Antivirus matches

        URLs

        No Antivirus matches

        Domains and IPs

        Contacted Domains

        NameIPActiveMaliciousAntivirus DetectionReputation
        secure-network-rebirthltd.ru
        		unknown
        		unknownfalse
          		high

          World Map of Contacted IPs

          • No. of IPs < 25%
          • 25% < No. of IPs < 50%
          • 50% < No. of IPs < 75%
          • 75% < No. of IPs

          Public IPs

          IPDomainCountryFlagASNASN NameMalicious
          210.99.249.152
          		unknownKorea Republic of
          		17841NCIA-AS-KRNATIONALINFORMATIONRESOURCESSERVICEKRfalse
          210.99.186.59
          		unknownKorea Republic of
          		4766KIXS-AS-KRKoreaTelecomKRfalse
          210.99.128.96
          		unknownKorea Republic of
          		4766KIXS-AS-KRKoreaTelecomKRfalse
          210.99.103.53
          		unknownKorea Republic of
          		45400NICNETKoreaTelecomKRfalse
          210.99.66.254
          		unknownKorea Republic of
          		4766KIXS-AS-KRKoreaTelecomKRfalse
          210.99.214.7
          		unknownKorea Republic of
          		4766KIXS-AS-KRKoreaTelecomKRfalse
          210.99.40.186
          		unknownKorea Republic of
          		4766KIXS-AS-KRKoreaTelecomKRfalse
          210.99.5.190
          		unknownKorea Republic of
          		4766KIXS-AS-KRKoreaTelecomKRfalse
          210.99.24.188
          		unknownKorea Republic of
          		17841NCIA-AS-KRNATIONALINFORMATIONRESOURCESSERVICEKRfalse
          210.99.149.231
          		unknownKorea Republic of
          		4766KIXS-AS-KRKoreaTelecomKRfalse
          210.99.54.246
          		unknownKorea Republic of
          		17841NCIA-AS-KRNATIONALINFORMATIONRESOURCESSERVICEKRfalse
          210.99.155.164
          		unknownKorea Republic of
          		4766KIXS-AS-KRKoreaTelecomKRfalse
          210.99.174.139
          		unknownKorea Republic of
          		45400NICNETKoreaTelecomKRfalse
          210.99.163.209
          		unknownKorea Republic of
          		4766KIXS-AS-KRKoreaTelecomKRfalse
          210.99.95.255
          		unknownKorea Republic of
          		4766KIXS-AS-KRKoreaTelecomKRfalse
          83.222.191.90
          		unknownBulgaria
          		43561NET1-ASBGfalse
          210.99.255.94
          		unknownKorea Republic of
          		17841NCIA-AS-KRNATIONALINFORMATIONRESOURCESSERVICEKRfalse
          210.99.53.71
          		unknownKorea Republic of
          		17841NCIA-AS-KRNATIONALINFORMATIONRESOURCESSERVICEKRfalse
          210.99.150.142
          		unknownKorea Republic of
          		4766KIXS-AS-KRKoreaTelecomKRfalse
          210.99.188.216
          		unknownKorea Republic of
          		4766KIXS-AS-KRKoreaTelecomKRfalse
          210.99.214.129
          		unknownKorea Republic of
          		4766KIXS-AS-KRKoreaTelecomKRfalse
          210.99.176.157
          		unknownKorea Republic of
          		4766KIXS-AS-KRKoreaTelecomKRfalse
          210.99.206.58
          		unknownKorea Republic of
          		4766KIXS-AS-KRKoreaTelecomKRfalse
          210.99.99.145
          		unknownKorea Republic of
          		4766KIXS-AS-KRKoreaTelecomKRfalse
          210.99.222.217
          		unknownKorea Republic of
          		4766KIXS-AS-KRKoreaTelecomKRfalse
          210.99.11.251
          		unknownKorea Republic of
          		45400NICNETKoreaTelecomKRfalse

          Joe Sandbox View / Context

          IPs

          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
          83.222.191.90Kloki.spc.elfGet hashmaliciousUnknownBrowse
            Kloki.mips.elfGet hashmaliciousMiraiBrowse
              Kloki.arm5.elfGet hashmaliciousMiraiBrowse
                Kloki.arm4.elfGet hashmaliciousMiraiBrowse
                  mips.elfGet hashmaliciousUnknownBrowse
                    ppc.elfGet hashmaliciousUnknownBrowse
                      spc.elfGet hashmaliciousUnknownBrowse
                        x86_64.elfGet hashmaliciousUnknownBrowse
                          arm5.elfGet hashmaliciousUnknownBrowse
                            x86.elfGet hashmaliciousUnknownBrowse

                              Domains

                              No context

                              ASNs

                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                              KIXS-AS-KRKoreaTelecomKRKloki.spc.elfGet hashmaliciousUnknownBrowse
                              • 210.99.222.86
                              Kloki.mips.elfGet hashmaliciousMiraiBrowse
                              • 210.99.235.154
                              Kloki.arm5.elfGet hashmaliciousMiraiBrowse
                              • 210.99.77.3
                              Kloki.arm4.elfGet hashmaliciousMiraiBrowse
                              • 210.99.83.44
                              Fantazy.i686.elfGet hashmaliciousUnknownBrowse
                              • 14.37.185.220
                              Fantazy.sh4.elfGet hashmaliciousUnknownBrowse
                              • 115.10.35.0
                              Fantazy.mips.elfGet hashmaliciousUnknownBrowse
                              • 222.118.184.250
                              Fantazy.spc.elfGet hashmaliciousUnknownBrowse
                              • 203.251.148.181
                              Fantazy.arm4.elfGet hashmaliciousUnknownBrowse
                              • 121.170.84.76
                              31.13.224.14-mips-2025-01-03T22_14_18.elfGet hashmaliciousMiraiBrowse
                              • 1.97.220.156
                              NICNETKoreaTelecomKRKloki.spc.elfGet hashmaliciousUnknownBrowse
                              • 210.99.84.6
                              ppc.elfGet hashmaliciousUnknownBrowse
                              • 210.99.174.9
                              spc.elfGet hashmaliciousUnknownBrowse
                              • 210.99.154.16
                              x86_64.elfGet hashmaliciousUnknownBrowse
                              • 210.99.173.147
                              arm5.elfGet hashmaliciousUnknownBrowse
                              • 210.99.158.157
                              x86.elfGet hashmaliciousUnknownBrowse
                              • 210.99.91.209
                              arm7.elfGet hashmaliciousMiraiBrowse
                              • 210.99.103.22
                              arm4.elfGet hashmaliciousUnknownBrowse
                              • 210.99.173.201
                              m68k.elfGet hashmaliciousUnknownBrowse
                              • 210.99.168.215
                              mips.elfGet hashmaliciousUnknownBrowse
                              • 210.99.103.28
                              NCIA-AS-KRNATIONALINFORMATIONRESOURCESSERVICEKRKloki.spc.elfGet hashmaliciousUnknownBrowse
                              • 210.99.252.54
                              Kloki.mips.elfGet hashmaliciousMiraiBrowse
                              • 210.99.61.102
                              Kloki.arm5.elfGet hashmaliciousMiraiBrowse
                              • 210.99.252.117
                              Kloki.arm4.elfGet hashmaliciousMiraiBrowse
                              • 210.99.26.244
                              ppc.elfGet hashmaliciousUnknownBrowse
                              • 210.99.50.186
                              spc.elfGet hashmaliciousUnknownBrowse
                              • 210.99.26.121
                              x86_64.elfGet hashmaliciousUnknownBrowse
                              • 210.99.56.147
                              arm5.elfGet hashmaliciousUnknownBrowse
                              • 210.99.27.225
                              x86.elfGet hashmaliciousUnknownBrowse
                              • 210.99.252.114
                              arm7.elfGet hashmaliciousMiraiBrowse
                              • 210.99.50.140
                              KIXS-AS-KRKoreaTelecomKRKloki.spc.elfGet hashmaliciousUnknownBrowse
                              • 210.99.222.86
                              Kloki.mips.elfGet hashmaliciousMiraiBrowse
                              • 210.99.235.154
                              Kloki.arm5.elfGet hashmaliciousMiraiBrowse
                              • 210.99.77.3
                              Kloki.arm4.elfGet hashmaliciousMiraiBrowse
                              • 210.99.83.44
                              Fantazy.i686.elfGet hashmaliciousUnknownBrowse
                              • 14.37.185.220
                              Fantazy.sh4.elfGet hashmaliciousUnknownBrowse
                              • 115.10.35.0
                              Fantazy.mips.elfGet hashmaliciousUnknownBrowse
                              • 222.118.184.250
                              Fantazy.spc.elfGet hashmaliciousUnknownBrowse
                              • 203.251.148.181
                              Fantazy.arm4.elfGet hashmaliciousUnknownBrowse
                              • 121.170.84.76
                              31.13.224.14-mips-2025-01-03T22_14_18.elfGet hashmaliciousMiraiBrowse
                              • 1.97.220.156

                              JA3 Fingerprints

                              No context

                              Dropped Files

                              No context

                              Created / dropped Files

                              /tmp/qemu-open.0rXNwO (deleted)

                              Download File
                              Process:/tmp/Kloki.ppc.elf
                              File Type:ASCII text
                              Category:dropped
                              Size (bytes):267
                              Entropy (8bit):3.2046777842533603
                              Encrypted:false
                              SSDEEP:3:MVHOX9FQWUT5FFNFuP/VUAV3FQWUT5FFNFPVxmY/VVdf/FVXKfwuv/VVdf/FVUMd:MUgDFg/VUwaDFnmY/VfKoO/VNfiY/VH
                              MD5:444AA6A21DBE69233C80F2DDFB60340D
                              SHA1:CE422B2097D3FA248B3C3182E5949D294B9EFF4A
                              SHA-256:BECEFD87F0E9F020EE0364443724AA39FF748CAC76A6D667B30D5AE0498222CB
                              SHA-512:0922E46399147518E8FC0811A22BB2DEF7ABE80C31F04B30D03A79A3A82D2FF71468468CFB16D64B356A73368551949C0F1C0876733FA46D2FCC24A20278E036
                              Malicious:false
                              Reputation:low
                              Preview:10000000-1001e000 r-xp 00000000 fd:00 531606 /tmp/..1002e000-10033000 rw-p 0001e000 fd:00 531606 /tmp/..10033000-10039000 rw-p 00000000 00:00 0 .ff7fe000-ff7ff000 ---p 00000000 00:00 0 .ff7ff000-fffff000 rw-p 00000000 00:00 0 [stack].

                              /tmp/qemu-open.0wQYVN (deleted)

                              Download File
                              Process:/tmp/Kloki.ppc.elf
                              File Type:ASCII text
                              Category:dropped
                              Size (bytes):267
                              Entropy (8bit):3.2046777842533603
                              Encrypted:false
                              SSDEEP:3:MVHOX9FQWUT5FFNFuP/VUAV3FQWUT5FFNFPVxmY/VVdf/FVXKfwuv/VVdf/FVUMd:MUgDFg/VUwaDFnmY/VfKoO/VNfiY/VH
                              MD5:444AA6A21DBE69233C80F2DDFB60340D
                              SHA1:CE422B2097D3FA248B3C3182E5949D294B9EFF4A
                              SHA-256:BECEFD87F0E9F020EE0364443724AA39FF748CAC76A6D667B30D5AE0498222CB
                              SHA-512:0922E46399147518E8FC0811A22BB2DEF7ABE80C31F04B30D03A79A3A82D2FF71468468CFB16D64B356A73368551949C0F1C0876733FA46D2FCC24A20278E036
                              Malicious:false
                              Reputation:low
                              Preview:10000000-1001e000 r-xp 00000000 fd:00 531606 /tmp/..1002e000-10033000 rw-p 0001e000 fd:00 531606 /tmp/..10033000-10039000 rw-p 00000000 00:00 0 .ff7fe000-ff7ff000 ---p 00000000 00:00 0 .ff7ff000-fffff000 rw-p 00000000 00:00 0 [stack].

                              /tmp/qemu-open.61oWIL (deleted)

                              Download File
                              Process:/tmp/Kloki.ppc.elf
                              File Type:ASCII text
                              Category:dropped
                              Size (bytes):267
                              Entropy (8bit):3.2046777842533603
                              Encrypted:false
                              SSDEEP:3:MVHOX9FQWUT5FFNFuP/VUAV3FQWUT5FFNFPVxmY/VVdf/FVXKfwuv/VVdf/FVUMd:MUgDFg/VUwaDFnmY/VfKoO/VNfiY/VH
                              MD5:444AA6A21DBE69233C80F2DDFB60340D
                              SHA1:CE422B2097D3FA248B3C3182E5949D294B9EFF4A
                              SHA-256:BECEFD87F0E9F020EE0364443724AA39FF748CAC76A6D667B30D5AE0498222CB
                              SHA-512:0922E46399147518E8FC0811A22BB2DEF7ABE80C31F04B30D03A79A3A82D2FF71468468CFB16D64B356A73368551949C0F1C0876733FA46D2FCC24A20278E036
                              Malicious:false
                              Reputation:low
                              Preview:10000000-1001e000 r-xp 00000000 fd:00 531606 /tmp/..1002e000-10033000 rw-p 0001e000 fd:00 531606 /tmp/..10033000-10039000 rw-p 00000000 00:00 0 .ff7fe000-ff7ff000 ---p 00000000 00:00 0 .ff7ff000-fffff000 rw-p 00000000 00:00 0 [stack].

                              /tmp/qemu-open.6KtFzO (deleted)

                              Download File
                              Process:/tmp/Kloki.ppc.elf
                              File Type:ASCII text
                              Category:dropped
                              Size (bytes):267
                              Entropy (8bit):3.2046777842533603
                              Encrypted:false
                              SSDEEP:3:MVHOX9FQWUT5FFNFuP/VUAV3FQWUT5FFNFPVxmY/VVdf/FVXKfwuv/VVdf/FVUMd:MUgDFg/VUwaDFnmY/VfKoO/VNfiY/VH
                              MD5:444AA6A21DBE69233C80F2DDFB60340D
                              SHA1:CE422B2097D3FA248B3C3182E5949D294B9EFF4A
                              SHA-256:BECEFD87F0E9F020EE0364443724AA39FF748CAC76A6D667B30D5AE0498222CB
                              SHA-512:0922E46399147518E8FC0811A22BB2DEF7ABE80C31F04B30D03A79A3A82D2FF71468468CFB16D64B356A73368551949C0F1C0876733FA46D2FCC24A20278E036
                              Malicious:false
                              Reputation:low
                              Preview:10000000-1001e000 r-xp 00000000 fd:00 531606 /tmp/..1002e000-10033000 rw-p 0001e000 fd:00 531606 /tmp/..10033000-10039000 rw-p 00000000 00:00 0 .ff7fe000-ff7ff000 ---p 00000000 00:00 0 .ff7ff000-fffff000 rw-p 00000000 00:00 0 [stack].

                              /tmp/qemu-open.9K7izN (deleted)

                              Download File
                              Process:/tmp/Kloki.ppc.elf
                              File Type:ASCII text
                              Category:dropped
                              Size (bytes):267
                              Entropy (8bit):3.2046777842533603
                              Encrypted:false
                              SSDEEP:3:MVHOX9FQWUT5FFNFuP/VUAV3FQWUT5FFNFPVxmY/VVdf/FVXKfwuv/VVdf/FVUMd:MUgDFg/VUwaDFnmY/VfKoO/VNfiY/VH
                              MD5:444AA6A21DBE69233C80F2DDFB60340D
                              SHA1:CE422B2097D3FA248B3C3182E5949D294B9EFF4A
                              SHA-256:BECEFD87F0E9F020EE0364443724AA39FF748CAC76A6D667B30D5AE0498222CB
                              SHA-512:0922E46399147518E8FC0811A22BB2DEF7ABE80C31F04B30D03A79A3A82D2FF71468468CFB16D64B356A73368551949C0F1C0876733FA46D2FCC24A20278E036
                              Malicious:false
                              Reputation:low
                              Preview:10000000-1001e000 r-xp 00000000 fd:00 531606 /tmp/..1002e000-10033000 rw-p 0001e000 fd:00 531606 /tmp/..10033000-10039000 rw-p 00000000 00:00 0 .ff7fe000-ff7ff000 ---p 00000000 00:00 0 .ff7ff000-fffff000 rw-p 00000000 00:00 0 [stack].

                              /tmp/qemu-open.AL0DMN (deleted)

                              Download File
                              Process:/tmp/Kloki.ppc.elf
                              File Type:ASCII text
                              Category:dropped
                              Size (bytes):267
                              Entropy (8bit):3.2046777842533603
                              Encrypted:false
                              SSDEEP:3:MVHOX9FQWUT5FFNFuP/VUAV3FQWUT5FFNFPVxmY/VVdf/FVXKfwuv/VVdf/FVUMd:MUgDFg/VUwaDFnmY/VfKoO/VNfiY/VH
                              MD5:444AA6A21DBE69233C80F2DDFB60340D
                              SHA1:CE422B2097D3FA248B3C3182E5949D294B9EFF4A
                              SHA-256:BECEFD87F0E9F020EE0364443724AA39FF748CAC76A6D667B30D5AE0498222CB
                              SHA-512:0922E46399147518E8FC0811A22BB2DEF7ABE80C31F04B30D03A79A3A82D2FF71468468CFB16D64B356A73368551949C0F1C0876733FA46D2FCC24A20278E036
                              Malicious:false
                              Reputation:low
                              Preview:10000000-1001e000 r-xp 00000000 fd:00 531606 /tmp/..1002e000-10033000 rw-p 0001e000 fd:00 531606 /tmp/..10033000-10039000 rw-p 00000000 00:00 0 .ff7fe000-ff7ff000 ---p 00000000 00:00 0 .ff7ff000-fffff000 rw-p 00000000 00:00 0 [stack].

                              /tmp/qemu-open.DF1XVM (deleted)

                              Download File
                              Process:/tmp/Kloki.ppc.elf
                              File Type:ASCII text
                              Category:dropped
                              Size (bytes):267
                              Entropy (8bit):3.2046777842533603
                              Encrypted:false
                              SSDEEP:3:MVHOX9FQWUT5FFNFuP/VUAV3FQWUT5FFNFPVxmY/VVdf/FVXKfwuv/VVdf/FVUMd:MUgDFg/VUwaDFnmY/VfKoO/VNfiY/VH
                              MD5:444AA6A21DBE69233C80F2DDFB60340D
                              SHA1:CE422B2097D3FA248B3C3182E5949D294B9EFF4A
                              SHA-256:BECEFD87F0E9F020EE0364443724AA39FF748CAC76A6D667B30D5AE0498222CB
                              SHA-512:0922E46399147518E8FC0811A22BB2DEF7ABE80C31F04B30D03A79A3A82D2FF71468468CFB16D64B356A73368551949C0F1C0876733FA46D2FCC24A20278E036
                              Malicious:false
                              Reputation:low
                              Preview:10000000-1001e000 r-xp 00000000 fd:00 531606 /tmp/..1002e000-10033000 rw-p 0001e000 fd:00 531606 /tmp/..10033000-10039000 rw-p 00000000 00:00 0 .ff7fe000-ff7ff000 ---p 00000000 00:00 0 .ff7ff000-fffff000 rw-p 00000000 00:00 0 [stack].

                              /tmp/qemu-open.FCnnYN (deleted)

                              Download File
                              Process:/tmp/Kloki.ppc.elf
                              File Type:ASCII text
                              Category:dropped
                              Size (bytes):267
                              Entropy (8bit):3.2046777842533603
                              Encrypted:false
                              SSDEEP:3:MVHOX9FQWUT5FFNFuP/VUAV3FQWUT5FFNFPVxmY/VVdf/FVXKfwuv/VVdf/FVUMd:MUgDFg/VUwaDFnmY/VfKoO/VNfiY/VH
                              MD5:444AA6A21DBE69233C80F2DDFB60340D
                              SHA1:CE422B2097D3FA248B3C3182E5949D294B9EFF4A
                              SHA-256:BECEFD87F0E9F020EE0364443724AA39FF748CAC76A6D667B30D5AE0498222CB
                              SHA-512:0922E46399147518E8FC0811A22BB2DEF7ABE80C31F04B30D03A79A3A82D2FF71468468CFB16D64B356A73368551949C0F1C0876733FA46D2FCC24A20278E036
                              Malicious:false
                              Reputation:low
                              Preview:10000000-1001e000 r-xp 00000000 fd:00 531606 /tmp/..1002e000-10033000 rw-p 0001e000 fd:00 531606 /tmp/..10033000-10039000 rw-p 00000000 00:00 0 .ff7fe000-ff7ff000 ---p 00000000 00:00 0 .ff7ff000-fffff000 rw-p 00000000 00:00 0 [stack].

                              /tmp/qemu-open.FbRYHM (deleted)

                              Download File
                              Process:/tmp/Kloki.ppc.elf
                              File Type:ASCII text
                              Category:dropped
                              Size (bytes):267
                              Entropy (8bit):3.2046777842533603
                              Encrypted:false
                              SSDEEP:3:MVHOX9FQWUT5FFNFuP/VUAV3FQWUT5FFNFPVxmY/VVdf/FVXKfwuv/VVdf/FVUMd:MUgDFg/VUwaDFnmY/VfKoO/VNfiY/VH
                              MD5:444AA6A21DBE69233C80F2DDFB60340D
                              SHA1:CE422B2097D3FA248B3C3182E5949D294B9EFF4A
                              SHA-256:BECEFD87F0E9F020EE0364443724AA39FF748CAC76A6D667B30D5AE0498222CB
                              SHA-512:0922E46399147518E8FC0811A22BB2DEF7ABE80C31F04B30D03A79A3A82D2FF71468468CFB16D64B356A73368551949C0F1C0876733FA46D2FCC24A20278E036
                              Malicious:false
                              Reputation:low
                              Preview:10000000-1001e000 r-xp 00000000 fd:00 531606 /tmp/..1002e000-10033000 rw-p 0001e000 fd:00 531606 /tmp/..10033000-10039000 rw-p 00000000 00:00 0 .ff7fe000-ff7ff000 ---p 00000000 00:00 0 .ff7ff000-fffff000 rw-p 00000000 00:00 0 [stack].

                              /tmp/qemu-open.GoMxCO (deleted)

                              Download File
                              Process:/tmp/Kloki.ppc.elf
                              File Type:ASCII text
                              Category:dropped
                              Size (bytes):267
                              Entropy (8bit):3.2046777842533603
                              Encrypted:false
                              SSDEEP:3:MVHOX9FQWUT5FFNFuP/VUAV3FQWUT5FFNFPVxmY/VVdf/FVXKfwuv/VVdf/FVUMd:MUgDFg/VUwaDFnmY/VfKoO/VNfiY/VH
                              MD5:444AA6A21DBE69233C80F2DDFB60340D
                              SHA1:CE422B2097D3FA248B3C3182E5949D294B9EFF4A
                              SHA-256:BECEFD87F0E9F020EE0364443724AA39FF748CAC76A6D667B30D5AE0498222CB
                              SHA-512:0922E46399147518E8FC0811A22BB2DEF7ABE80C31F04B30D03A79A3A82D2FF71468468CFB16D64B356A73368551949C0F1C0876733FA46D2FCC24A20278E036
                              Malicious:false
                              Reputation:low
                              Preview:10000000-1001e000 r-xp 00000000 fd:00 531606 /tmp/..1002e000-10033000 rw-p 0001e000 fd:00 531606 /tmp/..10033000-10039000 rw-p 00000000 00:00 0 .ff7fe000-ff7ff000 ---p 00000000 00:00 0 .ff7ff000-fffff000 rw-p 00000000 00:00 0 [stack].

                              /tmp/qemu-open.HAcOtL (deleted)

                              Download File
                              Process:/tmp/Kloki.ppc.elf
                              File Type:ASCII text
                              Category:dropped
                              Size (bytes):267
                              Entropy (8bit):3.2046777842533603
                              Encrypted:false
                              SSDEEP:3:MVHOX9FQWUT5FFNFuP/VUAV3FQWUT5FFNFPVxmY/VVdf/FVXKfwuv/VVdf/FVUMd:MUgDFg/VUwaDFnmY/VfKoO/VNfiY/VH
                              MD5:444AA6A21DBE69233C80F2DDFB60340D
                              SHA1:CE422B2097D3FA248B3C3182E5949D294B9EFF4A
                              SHA-256:BECEFD87F0E9F020EE0364443724AA39FF748CAC76A6D667B30D5AE0498222CB
                              SHA-512:0922E46399147518E8FC0811A22BB2DEF7ABE80C31F04B30D03A79A3A82D2FF71468468CFB16D64B356A73368551949C0F1C0876733FA46D2FCC24A20278E036
                              Malicious:false
                              Preview:10000000-1001e000 r-xp 00000000 fd:00 531606 /tmp/..1002e000-10033000 rw-p 0001e000 fd:00 531606 /tmp/..10033000-10039000 rw-p 00000000 00:00 0 .ff7fe000-ff7ff000 ---p 00000000 00:00 0 .ff7ff000-fffff000 rw-p 00000000 00:00 0 [stack].

                              /tmp/qemu-open.NgaosL (deleted)

                              Download File
                              Process:/tmp/Kloki.ppc.elf
                              File Type:ASCII text
                              Category:dropped
                              Size (bytes):267
                              Entropy (8bit):3.2046777842533603
                              Encrypted:false
                              SSDEEP:3:MVHOX9FQWUT5FFNFuP/VUAV3FQWUT5FFNFPVxmY/VVdf/FVXKfwuv/VVdf/FVUMd:MUgDFg/VUwaDFnmY/VfKoO/VNfiY/VH
                              MD5:444AA6A21DBE69233C80F2DDFB60340D
                              SHA1:CE422B2097D3FA248B3C3182E5949D294B9EFF4A
                              SHA-256:BECEFD87F0E9F020EE0364443724AA39FF748CAC76A6D667B30D5AE0498222CB
                              SHA-512:0922E46399147518E8FC0811A22BB2DEF7ABE80C31F04B30D03A79A3A82D2FF71468468CFB16D64B356A73368551949C0F1C0876733FA46D2FCC24A20278E036
                              Malicious:false
                              Preview:10000000-1001e000 r-xp 00000000 fd:00 531606 /tmp/..1002e000-10033000 rw-p 0001e000 fd:00 531606 /tmp/..10033000-10039000 rw-p 00000000 00:00 0 .ff7fe000-ff7ff000 ---p 00000000 00:00 0 .ff7ff000-fffff000 rw-p 00000000 00:00 0 [stack].

                              /tmp/qemu-open.Q4bIqM (deleted)

                              Download File
                              Process:/tmp/Kloki.ppc.elf
                              File Type:ASCII text
                              Category:dropped
                              Size (bytes):267
                              Entropy (8bit):3.2046777842533603
                              Encrypted:false
                              SSDEEP:3:MVHOX9FQWUT5FFNFuP/VUAV3FQWUT5FFNFPVxmY/VVdf/FVXKfwuv/VVdf/FVUMd:MUgDFg/VUwaDFnmY/VfKoO/VNfiY/VH
                              MD5:444AA6A21DBE69233C80F2DDFB60340D
                              SHA1:CE422B2097D3FA248B3C3182E5949D294B9EFF4A
                              SHA-256:BECEFD87F0E9F020EE0364443724AA39FF748CAC76A6D667B30D5AE0498222CB
                              SHA-512:0922E46399147518E8FC0811A22BB2DEF7ABE80C31F04B30D03A79A3A82D2FF71468468CFB16D64B356A73368551949C0F1C0876733FA46D2FCC24A20278E036
                              Malicious:false
                              Preview:10000000-1001e000 r-xp 00000000 fd:00 531606 /tmp/..1002e000-10033000 rw-p 0001e000 fd:00 531606 /tmp/..10033000-10039000 rw-p 00000000 00:00 0 .ff7fe000-ff7ff000 ---p 00000000 00:00 0 .ff7ff000-fffff000 rw-p 00000000 00:00 0 [stack].

                              /tmp/qemu-open.UBqfpK (deleted)

                              Download File
                              Process:/tmp/Kloki.ppc.elf
                              File Type:ASCII text
                              Category:dropped
                              Size (bytes):267
                              Entropy (8bit):3.2046777842533603
                              Encrypted:false
                              SSDEEP:3:MVHOX9FQWUT5FFNFuP/VUAV3FQWUT5FFNFPVxmY/VVdf/FVXKfwuv/VVdf/FVUMd:MUgDFg/VUwaDFnmY/VfKoO/VNfiY/VH
                              MD5:444AA6A21DBE69233C80F2DDFB60340D
                              SHA1:CE422B2097D3FA248B3C3182E5949D294B9EFF4A
                              SHA-256:BECEFD87F0E9F020EE0364443724AA39FF748CAC76A6D667B30D5AE0498222CB
                              SHA-512:0922E46399147518E8FC0811A22BB2DEF7ABE80C31F04B30D03A79A3A82D2FF71468468CFB16D64B356A73368551949C0F1C0876733FA46D2FCC24A20278E036
                              Malicious:false
                              Preview:10000000-1001e000 r-xp 00000000 fd:00 531606 /tmp/..1002e000-10033000 rw-p 0001e000 fd:00 531606 /tmp/..10033000-10039000 rw-p 00000000 00:00 0 .ff7fe000-ff7ff000 ---p 00000000 00:00 0 .ff7ff000-fffff000 rw-p 00000000 00:00 0 [stack].

                              /tmp/qemu-open.UIBilN (deleted)

                              Download File
                              Process:/tmp/Kloki.ppc.elf
                              File Type:ASCII text
                              Category:dropped
                              Size (bytes):267
                              Entropy (8bit):3.2046777842533603
                              Encrypted:false
                              SSDEEP:3:MVHOX9FQWUT5FFNFuP/VUAV3FQWUT5FFNFPVxmY/VVdf/FVXKfwuv/VVdf/FVUMd:MUgDFg/VUwaDFnmY/VfKoO/VNfiY/VH
                              MD5:444AA6A21DBE69233C80F2DDFB60340D
                              SHA1:CE422B2097D3FA248B3C3182E5949D294B9EFF4A
                              SHA-256:BECEFD87F0E9F020EE0364443724AA39FF748CAC76A6D667B30D5AE0498222CB
                              SHA-512:0922E46399147518E8FC0811A22BB2DEF7ABE80C31F04B30D03A79A3A82D2FF71468468CFB16D64B356A73368551949C0F1C0876733FA46D2FCC24A20278E036
                              Malicious:false
                              Preview:10000000-1001e000 r-xp 00000000 fd:00 531606 /tmp/..1002e000-10033000 rw-p 0001e000 fd:00 531606 /tmp/..10033000-10039000 rw-p 00000000 00:00 0 .ff7fe000-ff7ff000 ---p 00000000 00:00 0 .ff7ff000-fffff000 rw-p 00000000 00:00 0 [stack].

                              /tmp/qemu-open.UzWiyN (deleted)

                              Download File
                              Process:/tmp/Kloki.ppc.elf
                              File Type:ASCII text
                              Category:dropped
                              Size (bytes):267
                              Entropy (8bit):3.2046777842533603
                              Encrypted:false
                              SSDEEP:3:MVHOX9FQWUT5FFNFuP/VUAV3FQWUT5FFNFPVxmY/VVdf/FVXKfwuv/VVdf/FVUMd:MUgDFg/VUwaDFnmY/VfKoO/VNfiY/VH
                              MD5:444AA6A21DBE69233C80F2DDFB60340D
                              SHA1:CE422B2097D3FA248B3C3182E5949D294B9EFF4A
                              SHA-256:BECEFD87F0E9F020EE0364443724AA39FF748CAC76A6D667B30D5AE0498222CB
                              SHA-512:0922E46399147518E8FC0811A22BB2DEF7ABE80C31F04B30D03A79A3A82D2FF71468468CFB16D64B356A73368551949C0F1C0876733FA46D2FCC24A20278E036
                              Malicious:false
                              Preview:10000000-1001e000 r-xp 00000000 fd:00 531606 /tmp/..1002e000-10033000 rw-p 0001e000 fd:00 531606 /tmp/..10033000-10039000 rw-p 00000000 00:00 0 .ff7fe000-ff7ff000 ---p 00000000 00:00 0 .ff7ff000-fffff000 rw-p 00000000 00:00 0 [stack].

                              /tmp/qemu-open.ZJKZUN (deleted)

                              Download File
                              Process:/tmp/Kloki.ppc.elf
                              File Type:ASCII text
                              Category:dropped
                              Size (bytes):267
                              Entropy (8bit):3.2046777842533603
                              Encrypted:false
                              SSDEEP:3:MVHOX9FQWUT5FFNFuP/VUAV3FQWUT5FFNFPVxmY/VVdf/FVXKfwuv/VVdf/FVUMd:MUgDFg/VUwaDFnmY/VfKoO/VNfiY/VH
                              MD5:444AA6A21DBE69233C80F2DDFB60340D
                              SHA1:CE422B2097D3FA248B3C3182E5949D294B9EFF4A
                              SHA-256:BECEFD87F0E9F020EE0364443724AA39FF748CAC76A6D667B30D5AE0498222CB
                              SHA-512:0922E46399147518E8FC0811A22BB2DEF7ABE80C31F04B30D03A79A3A82D2FF71468468CFB16D64B356A73368551949C0F1C0876733FA46D2FCC24A20278E036
                              Malicious:false
                              Preview:10000000-1001e000 r-xp 00000000 fd:00 531606 /tmp/..1002e000-10033000 rw-p 0001e000 fd:00 531606 /tmp/..10033000-10039000 rw-p 00000000 00:00 0 .ff7fe000-ff7ff000 ---p 00000000 00:00 0 .ff7ff000-fffff000 rw-p 00000000 00:00 0 [stack].

                              /tmp/qemu-open.d5rx6N (deleted)

                              Download File
                              Process:/tmp/Kloki.ppc.elf
                              File Type:ASCII text
                              Category:dropped
                              Size (bytes):267
                              Entropy (8bit):3.2046777842533603
                              Encrypted:false
                              SSDEEP:3:MVHOX9FQWUT5FFNFuP/VUAV3FQWUT5FFNFPVxmY/VVdf/FVXKfwuv/VVdf/FVUMd:MUgDFg/VUwaDFnmY/VfKoO/VNfiY/VH
                              MD5:444AA6A21DBE69233C80F2DDFB60340D
                              SHA1:CE422B2097D3FA248B3C3182E5949D294B9EFF4A
                              SHA-256:BECEFD87F0E9F020EE0364443724AA39FF748CAC76A6D667B30D5AE0498222CB
                              SHA-512:0922E46399147518E8FC0811A22BB2DEF7ABE80C31F04B30D03A79A3A82D2FF71468468CFB16D64B356A73368551949C0F1C0876733FA46D2FCC24A20278E036
                              Malicious:false
                              Preview:10000000-1001e000 r-xp 00000000 fd:00 531606 /tmp/..1002e000-10033000 rw-p 0001e000 fd:00 531606 /tmp/..10033000-10039000 rw-p 00000000 00:00 0 .ff7fe000-ff7ff000 ---p 00000000 00:00 0 .ff7ff000-fffff000 rw-p 00000000 00:00 0 [stack].

                              /tmp/qemu-open.iYO7I9 (deleted)

                              Download File
                              Process:/tmp/Kloki.ppc.elf
                              File Type:ASCII text
                              Category:dropped
                              Size (bytes):291
                              Entropy (8bit):3.4997943442966797
                              Encrypted:false
                              SSDEEP:6:MUgDFjAJ/VUwaDFZmY/VfKoO/VNfiY/VH:MZVdLm/l
                              MD5:46B7FF1534EE81856D90B394EA0CE543
                              SHA1:BAC94B11786B746FDDA3759D8D581C828FEECA4B
                              SHA-256:72B6164591A5AF8D291D5B7ECC7619307EC24F3343804EBE0CA510CE5138E62D
                              SHA-512:76CBB1917B218F4D3E0FDC4CE96BFC527D122BC6110386282D6E8581487D29C73976D4451276062392BA18C2746A7F2F1A3EE3F9FFA45658D3617DB2F4CCC2C6
                              Malicious:false
                              Preview:10000000-1001e000 r-xp 00000000 fd:00 531606 /tmp/Kloki.ppc.elf.1002e000-10033000 rw-p 0001e000 fd:00 531606 /tmp/Kloki.ppc.elf.10033000-10039000 rw-p 00000000 00:00 0 .ff7fe000-ff7ff000 ---p 00000000 00:00 0 .ff7ff000-fffff000 rw-p 00000000 00:00 0 [stack].

                              /tmp/qemu-open.pSAhFO (deleted)

                              Download File
                              Process:/tmp/Kloki.ppc.elf
                              File Type:ASCII text
                              Category:dropped
                              Size (bytes):267
                              Entropy (8bit):3.2046777842533603
                              Encrypted:false
                              SSDEEP:3:MVHOX9FQWUT5FFNFuP/VUAV3FQWUT5FFNFPVxmY/VVdf/FVXKfwuv/VVdf/FVUMd:MUgDFg/VUwaDFnmY/VfKoO/VNfiY/VH
                              MD5:444AA6A21DBE69233C80F2DDFB60340D
                              SHA1:CE422B2097D3FA248B3C3182E5949D294B9EFF4A
                              SHA-256:BECEFD87F0E9F020EE0364443724AA39FF748CAC76A6D667B30D5AE0498222CB
                              SHA-512:0922E46399147518E8FC0811A22BB2DEF7ABE80C31F04B30D03A79A3A82D2FF71468468CFB16D64B356A73368551949C0F1C0876733FA46D2FCC24A20278E036
                              Malicious:false
                              Preview:10000000-1001e000 r-xp 00000000 fd:00 531606 /tmp/..1002e000-10033000 rw-p 0001e000 fd:00 531606 /tmp/..10033000-10039000 rw-p 00000000 00:00 0 .ff7fe000-ff7ff000 ---p 00000000 00:00 0 .ff7ff000-fffff000 rw-p 00000000 00:00 0 [stack].

                              /tmp/qemu-open.sfPeIO (deleted)

                              Download File
                              Process:/tmp/Kloki.ppc.elf
                              File Type:ASCII text
                              Category:dropped
                              Size (bytes):267
                              Entropy (8bit):3.2046777842533603
                              Encrypted:false
                              SSDEEP:3:MVHOX9FQWUT5FFNFuP/VUAV3FQWUT5FFNFPVxmY/VVdf/FVXKfwuv/VVdf/FVUMd:MUgDFg/VUwaDFnmY/VfKoO/VNfiY/VH
                              MD5:444AA6A21DBE69233C80F2DDFB60340D
                              SHA1:CE422B2097D3FA248B3C3182E5949D294B9EFF4A
                              SHA-256:BECEFD87F0E9F020EE0364443724AA39FF748CAC76A6D667B30D5AE0498222CB
                              SHA-512:0922E46399147518E8FC0811A22BB2DEF7ABE80C31F04B30D03A79A3A82D2FF71468468CFB16D64B356A73368551949C0F1C0876733FA46D2FCC24A20278E036
                              Malicious:false
                              Preview:10000000-1001e000 r-xp 00000000 fd:00 531606 /tmp/..1002e000-10033000 rw-p 0001e000 fd:00 531606 /tmp/..10033000-10039000 rw-p 00000000 00:00 0 .ff7fe000-ff7ff000 ---p 00000000 00:00 0 .ff7ff000-fffff000 rw-p 00000000 00:00 0 [stack].

                              /tmp/qemu-open.vtvhVb (deleted)

                              Download File
                              Process:/tmp/Kloki.ppc.elf
                              File Type:ASCII text
                              Category:dropped
                              Size (bytes):291
                              Entropy (8bit):3.4997943442966797
                              Encrypted:false
                              SSDEEP:6:MUgDFjAJ/VUwaDFZmY/VfKoO/VNfiY/VH:MZVdLm/l
                              MD5:46B7FF1534EE81856D90B394EA0CE543
                              SHA1:BAC94B11786B746FDDA3759D8D581C828FEECA4B
                              SHA-256:72B6164591A5AF8D291D5B7ECC7619307EC24F3343804EBE0CA510CE5138E62D
                              SHA-512:76CBB1917B218F4D3E0FDC4CE96BFC527D122BC6110386282D6E8581487D29C73976D4451276062392BA18C2746A7F2F1A3EE3F9FFA45658D3617DB2F4CCC2C6
                              Malicious:false
                              Preview:10000000-1001e000 r-xp 00000000 fd:00 531606 /tmp/Kloki.ppc.elf.1002e000-10033000 rw-p 0001e000 fd:00 531606 /tmp/Kloki.ppc.elf.10033000-10039000 rw-p 00000000 00:00 0 .ff7fe000-ff7ff000 ---p 00000000 00:00 0 .ff7ff000-fffff000 rw-p 00000000 00:00 0 [stack].

                              /tmp/qemu-open.yOPzNO (deleted)

                              Download File
                              Process:/tmp/Kloki.ppc.elf
                              File Type:ASCII text
                              Category:dropped
                              Size (bytes):267
                              Entropy (8bit):3.2046777842533603
                              Encrypted:false
                              SSDEEP:3:MVHOX9FQWUT5FFNFuP/VUAV3FQWUT5FFNFPVxmY/VVdf/FVXKfwuv/VVdf/FVUMd:MUgDFg/VUwaDFnmY/VfKoO/VNfiY/VH
                              MD5:444AA6A21DBE69233C80F2DDFB60340D
                              SHA1:CE422B2097D3FA248B3C3182E5949D294B9EFF4A
                              SHA-256:BECEFD87F0E9F020EE0364443724AA39FF748CAC76A6D667B30D5AE0498222CB
                              SHA-512:0922E46399147518E8FC0811A22BB2DEF7ABE80C31F04B30D03A79A3A82D2FF71468468CFB16D64B356A73368551949C0F1C0876733FA46D2FCC24A20278E036
                              Malicious:false
                              Preview:10000000-1001e000 r-xp 00000000 fd:00 531606 /tmp/..1002e000-10033000 rw-p 0001e000 fd:00 531606 /tmp/..10033000-10039000 rw-p 00000000 00:00 0 .ff7fe000-ff7ff000 ---p 00000000 00:00 0 .ff7ff000-fffff000 rw-p 00000000 00:00 0 [stack].

                              Static File Info

                              General

                              File type:ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
                              Entropy (8bit):5.669122070187971
                              TrID:
                              • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                              File name:Kloki.ppc.elf
                              File size:142'028 bytes
                              MD5:882122df0b30bde6021e4987fed11755
                              SHA1:229f98429ccf445b61e14a1eb275fb50120b7ddb
                              SHA256:0fcf14ca363a57d61610bfc67af3ddbb87f1635e6d456becb340e4428ca60df2
                              SHA512:fa35e5f90808a9b6e82b8bfca97cc2793c468f80e496a66a7faf63310c89b374111bf33a3b6c067973e31771b8b0e53d389f564fdef3820a16dcda14086430c7
                              SSDEEP:1536:KHOz6XN37cvseJ/VBZxt+//OGrD7cATN9tpDQHvAS+y7H7jhL8qcgJgHPn2f:qOuqxU/DX3N9zDdSjsn2f
                              TLSH:CCD33B06730C0947D1532EF43A3F27E093EFAA5121F8F644285FAA8A9271E375586EDD
                              File Content Preview:.ELF...........................4..(......4. ...(......................................................H.............dt.Q.............................!..|......$H...H......$8!. |...N.. .!..|.......?.........)...../...@..\?......$.+../...A..$8...}).....$N..

                              Static ELF Info

                              ELF header

                              Class:ELF32
                              Data:2's complement, big endian
                              Version:1 (current)
                              Machine:PowerPC
                              Version Number:0x1
                              Type:EXEC (Executable file)
                              OS/ABI:UNIX - System V
                              ABI Version:0
                              Entry Point Address:0x100001f0
                              Flags:0x0
                              ELF Header Size:52
                              Program Header Offset:52
                              Program Header Size:32
                              Number of Program Headers:3
                              Section Header Offset:141548
                              Section Header Size:40
                              Number of Section Headers:12
                              Header String Table Index:11

                              Sections

                              NameTypeAddressOffsetSizeEntSizeFlagsFlags DescriptionLinkInfoAlign
                              NULL0x00x00x00x00x0000
                              .initPROGBITS0x100000940x940x240x00x6AX004
                              .textPROGBITS0x100000b80xb80x1bb080x00x6AX004
                              .finiPROGBITS0x1001bbc00x1bbc00x200x00x6AX004
                              .rodataPROGBITS0x1001bbe00x1bbe00x20f40x00x2A008
                              .ctorsPROGBITS0x1002e0000x1e0000xc0x00x3WA004
                              .dtorsPROGBITS0x1002e00c0x1e00c0x80x00x3WA004
                              .dataPROGBITS0x1002e0200x1e0200x48000x00x3WA0032
                              .sdataPROGBITS0x100328200x228200x800x00x3WA004
                              .sbssNOBITS0x100328a00x228a00x10c0x00x3WA004
                              .bssNOBITS0x100329b00x228a00x54480x00x3WA008
                              .shstrtabSTRTAB0x00x228a00x4b0x00x0001

                              Program Segments

                              TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
                              LOAD0x00x100000000x100000000x1dcd40x1dcd46.22870x5R E0x10000.init .text .fini .rodata
                              LOAD0x1e0000x1002e0000x1002e0000x48a00x9df80.36700x6RW 0x10000.ctors .dtors .data .sdata .sbss .bss
                              GNU_STACK0x00x00x00x00x00.00000x6RW 0x4

                              Network Behavior

                              Network Port Distribution

                              TCP Packets

                              TimestampSource PortDest PortSource IPDest IP
                              Jan 4, 2025 09:28:06.992625952 CET4716413566192.168.2.14210.99.214.129
                              Jan 4, 2025 09:28:06.996114969 CET5938013566192.168.2.14210.99.249.152
                              Jan 4, 2025 09:28:06.997505903 CET1356647164210.99.214.129192.168.2.14
                              Jan 4, 2025 09:28:06.997562885 CET4716413566192.168.2.14210.99.214.129
                              Jan 4, 2025 09:28:06.998497009 CET4995813566192.168.2.14210.99.186.59
                              Jan 4, 2025 09:28:07.000962019 CET1356659380210.99.249.152192.168.2.14
                              Jan 4, 2025 09:28:07.001036882 CET5938013566192.168.2.14210.99.249.152
                              Jan 4, 2025 09:28:07.001082897 CET3826613566192.168.2.14210.99.214.7
                              Jan 4, 2025 09:28:07.003062010 CET4621013566192.168.2.14210.99.99.145
                              Jan 4, 2025 09:28:07.003299952 CET1356649958210.99.186.59192.168.2.14
                              Jan 4, 2025 09:28:07.003343105 CET4995813566192.168.2.14210.99.186.59
                              Jan 4, 2025 09:28:07.005800962 CET5989813566192.168.2.14210.99.5.190
                              Jan 4, 2025 09:28:07.005882025 CET1356638266210.99.214.7192.168.2.14
                              Jan 4, 2025 09:28:07.005919933 CET3826613566192.168.2.14210.99.214.7
                              Jan 4, 2025 09:28:07.007883072 CET1356646210210.99.99.145192.168.2.14
                              Jan 4, 2025 09:28:07.007921934 CET4621013566192.168.2.14210.99.99.145
                              Jan 4, 2025 09:28:07.008053064 CET3854813566192.168.2.14210.99.163.209
                              Jan 4, 2025 09:28:07.010390043 CET3877213566192.168.2.14210.99.255.94
                              Jan 4, 2025 09:28:07.010679007 CET1356659898210.99.5.190192.168.2.14
                              Jan 4, 2025 09:28:07.010726929 CET5989813566192.168.2.14210.99.5.190
                              Jan 4, 2025 09:28:07.012474060 CET5022813566192.168.2.14210.99.222.217
                              Jan 4, 2025 09:28:07.012856007 CET1356638548210.99.163.209192.168.2.14
                              Jan 4, 2025 09:28:07.012923956 CET3854813566192.168.2.14210.99.163.209
                              Jan 4, 2025 09:28:07.015016079 CET4565813566192.168.2.14210.99.176.157
                              Jan 4, 2025 09:28:07.015225887 CET1356638772210.99.255.94192.168.2.14
                              Jan 4, 2025 09:28:07.015290976 CET3877213566192.168.2.14210.99.255.94
                              Jan 4, 2025 09:28:07.017175913 CET3564413566192.168.2.14210.99.11.251
                              Jan 4, 2025 09:28:07.017241001 CET1356650228210.99.222.217192.168.2.14
                              Jan 4, 2025 09:28:07.017281055 CET5022813566192.168.2.14210.99.222.217
                              Jan 4, 2025 09:28:07.019654036 CET4694213566192.168.2.14210.99.150.142
                              Jan 4, 2025 09:28:07.019841909 CET1356645658210.99.176.157192.168.2.14
                              Jan 4, 2025 09:28:07.019881010 CET4565813566192.168.2.14210.99.176.157
                              Jan 4, 2025 09:28:07.021828890 CET5751613566192.168.2.14210.99.40.186
                              Jan 4, 2025 09:28:07.021954060 CET1356635644210.99.11.251192.168.2.14
                              Jan 4, 2025 09:28:07.021991968 CET3564413566192.168.2.14210.99.11.251
                              Jan 4, 2025 09:28:07.024458885 CET5209613566192.168.2.14210.99.174.139
                              Jan 4, 2025 09:28:07.024483919 CET1356646942210.99.150.142192.168.2.14
                              Jan 4, 2025 09:28:07.024528980 CET4694213566192.168.2.14210.99.150.142
                              Jan 4, 2025 09:28:07.026561022 CET3653413566192.168.2.14210.99.95.255
                              Jan 4, 2025 09:28:07.026647091 CET1356657516210.99.40.186192.168.2.14
                              Jan 4, 2025 09:28:07.026707888 CET5751613566192.168.2.14210.99.40.186
                              Jan 4, 2025 09:28:07.029295921 CET1356652096210.99.174.139192.168.2.14
                              Jan 4, 2025 09:28:07.029335976 CET5209613566192.168.2.14210.99.174.139
                              Jan 4, 2025 09:28:07.029416084 CET4048213566192.168.2.14210.99.103.53
                              Jan 4, 2025 09:28:07.031316996 CET1356636534210.99.95.255192.168.2.14
                              Jan 4, 2025 09:28:07.031353951 CET3653413566192.168.2.14210.99.95.255
                              Jan 4, 2025 09:28:07.031569958 CET4591813566192.168.2.14210.99.128.96
                              Jan 4, 2025 09:28:07.034166098 CET1356640482210.99.103.53192.168.2.14
                              Jan 4, 2025 09:28:07.034218073 CET4048213566192.168.2.14210.99.103.53
                              Jan 4, 2025 09:28:07.034235954 CET4680413566192.168.2.14210.99.206.58
                              Jan 4, 2025 09:28:07.036364079 CET1356645918210.99.128.96192.168.2.14
                              Jan 4, 2025 09:28:07.036406994 CET4591813566192.168.2.14210.99.128.96
                              Jan 4, 2025 09:28:07.036614895 CET5829213566192.168.2.14210.99.155.164
                              Jan 4, 2025 09:28:07.039047003 CET1356646804210.99.206.58192.168.2.14
                              Jan 4, 2025 09:28:07.039083004 CET4680413566192.168.2.14210.99.206.58
                              Jan 4, 2025 09:28:07.039381981 CET4861613566192.168.2.14210.99.66.254
                              Jan 4, 2025 09:28:07.041364908 CET1356658292210.99.155.164192.168.2.14
                              Jan 4, 2025 09:28:07.041403055 CET5829213566192.168.2.14210.99.155.164
                              Jan 4, 2025 09:28:07.041595936 CET5805813566192.168.2.14210.99.53.71
                              Jan 4, 2025 09:28:07.044148922 CET1356648616210.99.66.254192.168.2.14
                              Jan 4, 2025 09:28:07.044189930 CET4861613566192.168.2.14210.99.66.254
                              Jan 4, 2025 09:28:07.044297934 CET3514613566192.168.2.14210.99.188.216
                              Jan 4, 2025 09:28:07.046360970 CET1356658058210.99.53.71192.168.2.14
                              Jan 4, 2025 09:28:07.046400070 CET5805813566192.168.2.14210.99.53.71
                              Jan 4, 2025 09:28:07.046479940 CET4143813566192.168.2.14210.99.24.188
                              Jan 4, 2025 09:28:07.049052954 CET1356635146210.99.188.216192.168.2.14
                              Jan 4, 2025 09:28:07.049088955 CET3514613566192.168.2.14210.99.188.216
                              Jan 4, 2025 09:28:07.049310923 CET3340013566192.168.2.14210.99.54.246
                              Jan 4, 2025 09:28:07.051259041 CET1356641438210.99.24.188192.168.2.14
                              Jan 4, 2025 09:28:07.051301956 CET4143813566192.168.2.14210.99.24.188
                              Jan 4, 2025 09:28:07.051553965 CET3334613566192.168.2.14210.99.149.231
                              Jan 4, 2025 09:28:07.054111004 CET1356633400210.99.54.246192.168.2.14
                              Jan 4, 2025 09:28:07.054148912 CET3340013566192.168.2.14210.99.54.246
                              Jan 4, 2025 09:28:07.056345940 CET1356633346210.99.149.231192.168.2.14
                              Jan 4, 2025 09:28:07.056380987 CET3334613566192.168.2.14210.99.149.231
                              Jan 4, 2025 09:28:07.110527039 CET5639013566192.168.2.1483.222.191.90
                              Jan 4, 2025 09:28:07.115353107 CET135665639083.222.191.90192.168.2.14
                              Jan 4, 2025 09:28:07.115459919 CET5639013566192.168.2.1483.222.191.90
                              Jan 4, 2025 09:28:07.117644072 CET5639013566192.168.2.1483.222.191.90
                              Jan 4, 2025 09:28:07.122436047 CET135665639083.222.191.90192.168.2.14
                              Jan 4, 2025 09:28:07.122510910 CET5639013566192.168.2.1483.222.191.90
                              Jan 4, 2025 09:28:07.127316952 CET135665639083.222.191.90192.168.2.14
                              Jan 4, 2025 09:28:17.127315044 CET5639013566192.168.2.1483.222.191.90
                              Jan 4, 2025 09:28:17.132280111 CET135665639083.222.191.90192.168.2.14
                              Jan 4, 2025 09:28:17.330871105 CET135665639083.222.191.90192.168.2.14
                              Jan 4, 2025 09:28:17.330914974 CET5639013566192.168.2.1483.222.191.90
                              Jan 4, 2025 09:28:17.696866035 CET135665639083.222.191.90192.168.2.14
                              Jan 4, 2025 09:28:17.696921110 CET5639013566192.168.2.1483.222.191.90
                              Jan 4, 2025 09:29:17.755198002 CET5639013566192.168.2.1483.222.191.90
                              Jan 4, 2025 09:29:17.760154963 CET135665639083.222.191.90192.168.2.14
                              Jan 4, 2025 09:29:17.958791971 CET135665639083.222.191.90192.168.2.14
                              Jan 4, 2025 09:29:17.958853006 CET5639013566192.168.2.1483.222.191.90
                              Jan 4, 2025 09:29:18.697207928 CET135665639083.222.191.90192.168.2.14
                              Jan 4, 2025 09:29:18.697315931 CET5639013566192.168.2.1483.222.191.90

                              UDP Packets

                              TimestampSource PortDest PortSource IPDest IP
                              Jan 4, 2025 09:28:07.063040018 CET3888353192.168.2.148.8.8.8
                              Jan 4, 2025 09:28:07.070163965 CET53388838.8.8.8192.168.2.14
                              Jan 4, 2025 09:28:07.073141098 CET5810453192.168.2.148.8.8.8
                              Jan 4, 2025 09:28:07.080284119 CET53581048.8.8.8192.168.2.14
                              Jan 4, 2025 09:28:07.082506895 CET3303053192.168.2.148.8.8.8
                              Jan 4, 2025 09:28:07.089879036 CET53330308.8.8.8192.168.2.14
                              Jan 4, 2025 09:28:07.092827082 CET3605553192.168.2.148.8.8.8
                              Jan 4, 2025 09:28:07.099908113 CET53360558.8.8.8192.168.2.14
                              Jan 4, 2025 09:28:07.102572918 CET5007053192.168.2.148.8.8.8
                              Jan 4, 2025 09:28:07.109347105 CET53500708.8.8.8192.168.2.14

                              DNS Queries

                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                              Jan 4, 2025 09:28:07.063040018 CET192.168.2.148.8.8.80x7c79Standard query (0)secure-network-rebirthltd.ruA (IP address)IN (0x0001)false
                              Jan 4, 2025 09:28:07.073141098 CET192.168.2.148.8.8.80x7c79Standard query (0)secure-network-rebirthltd.ruA (IP address)IN (0x0001)false
                              Jan 4, 2025 09:28:07.082506895 CET192.168.2.148.8.8.80x7c79Standard query (0)secure-network-rebirthltd.ruA (IP address)IN (0x0001)false
                              Jan 4, 2025 09:28:07.092827082 CET192.168.2.148.8.8.80x7c79Standard query (0)secure-network-rebirthltd.ruA (IP address)IN (0x0001)false
                              Jan 4, 2025 09:28:07.102572918 CET192.168.2.148.8.8.80x7c79Standard query (0)secure-network-rebirthltd.ruA (IP address)IN (0x0001)false

                              DNS Answers

                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                              Jan 4, 2025 09:28:07.070163965 CET8.8.8.8192.168.2.140x7c79Name error (3)secure-network-rebirthltd.runonenoneA (IP address)IN (0x0001)false
                              Jan 4, 2025 09:28:07.080284119 CET8.8.8.8192.168.2.140x7c79Name error (3)secure-network-rebirthltd.runonenoneA (IP address)IN (0x0001)false
                              Jan 4, 2025 09:28:07.089879036 CET8.8.8.8192.168.2.140x7c79Name error (3)secure-network-rebirthltd.runonenoneA (IP address)IN (0x0001)false
                              Jan 4, 2025 09:28:07.099908113 CET8.8.8.8192.168.2.140x7c79Name error (3)secure-network-rebirthltd.runonenoneA (IP address)IN (0x0001)false
                              Jan 4, 2025 09:28:07.109347105 CET8.8.8.8192.168.2.140x7c79Name error (3)secure-network-rebirthltd.runonenoneA (IP address)IN (0x0001)false

                              System Behavior

                              General

                              Start time (UTC):08:28:05
                              Start date (UTC):04/01/2025
                              Path:/tmp/Kloki.ppc.elf
                              Arguments:/tmp/Kloki.ppc.elf
                              File size:5388968 bytes
                              MD5 hash:ae65271c943d3451b7f026d1fadccea6

                              Chronological Activities


                              General

                              Start time (UTC):08:28:05
                              Start date (UTC):04/01/2025
                              Path:/tmp/Kloki.ppc.elf
                              Arguments:-
                              File size:5388968 bytes
                              MD5 hash:ae65271c943d3451b7f026d1fadccea6

                              Chronological Activities


                              General

                              Start time (UTC):08:28:05
                              Start date (UTC):04/01/2025
                              Path:/tmp/Kloki.ppc.elf
                              Arguments:-
                              File size:5388968 bytes
                              MD5 hash:ae65271c943d3451b7f026d1fadccea6

                              Chronological Activities


                              General

                              Start time (UTC):08:28:06
                              Start date (UTC):04/01/2025
                              Path:/tmp/Kloki.ppc.elf
                              Arguments:-
                              File size:5388968 bytes
                              MD5 hash:ae65271c943d3451b7f026d1fadccea6

                              Chronological Activities


                              General

                              Start time (UTC):08:28:06
                              Start date (UTC):04/01/2025
                              Path:/tmp/Kloki.ppc.elf
                              Arguments:-
                              File size:5388968 bytes
                              MD5 hash:ae65271c943d3451b7f026d1fadccea6

                              Chronological Activities