Edit tour

Linux Analysis Report
uYtea.mpsl.elf

Overview

General Information

Sample name:	uYtea.mpsl.elf
Analysis ID:	1586054
MD5:	a2d136b494b26c43bf3df8af3e9c899d
SHA1:	c85948b663595680d8f8a27560303d131e22466e
SHA256:	c65de05ba9a20d85c9e9f2d4d22e1c7d7df058f6efa49c97375f65639ab3d65d
Tags:	user-elfdigest
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Creates hidden files and/or directories

Detected TCP or UDP traffic on non-standard ports

Sample has stripped symbol table

Sample listens on a socket

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1586054
Start date and time:	2025-01-08 17:05:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	uYtea.mpsl.elf
Detection:	MAL
Classification:	mal64.linELF@0/0@0/0

Warnings

VT rate limit hit for: uYtea.mpsl.elf

Runtime Messages

Command:	/tmp/uYtea.mpsl.elf
PID:	6230
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	connecterror
Standard Error:

Process Tree

system is lnxubuntu20

uYtea.mpsl.elf (PID: 6230, Parent: 6153, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/uYtea.mpsl.elf

uYtea.mpsl.elf New Fork (PID: 6232, Parent: 6230)

uYtea.mpsl.elf New Fork (PID: 6234, Parent: 6232)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
uYtea.mpsl.elf	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x10030:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10044:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10058:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1006c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10080:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10094:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x100a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x100bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x100d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x100e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x100f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1010c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10120:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10134:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10148:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1015c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10170:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10184:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10198:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x101ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x101c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F

Memory Dumps

Source	Rule	Description	Author	Strings
6230.1.00007fef44400000.00007fef44413000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x10030:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10044:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10058:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1006c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10080:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10094:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x100a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x100bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x100d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x100e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x100f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1010c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10120:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10134:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10148:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1015c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10170:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10184:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10198:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x101ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x101c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
6234.1.00007fef44400000.00007fef44413000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x10030:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10044:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10058:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1006c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10080:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10094:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x100a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x100bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x100d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x100e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x100f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1010c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10120:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10134:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10148:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1015c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10170:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10184:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10198:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x101ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x101c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: uYtea.mpsl.elf PID: 6230	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x589:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x59d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5b1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5c5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5d9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5ed:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x601:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x615:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x629:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x63d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x651:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x665:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x679:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x68d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6a1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6b5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6c9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6dd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6f1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x705:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x719:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: uYtea.mpsl.elf PID: 6234	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x6269:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x627d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6291:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x62a5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x62b9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x62cd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x62e1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x62f5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6309:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x631d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6331:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6345:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6359:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x636d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6381:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6395:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x63a9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x63bd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x63d1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x63e5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x63f9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: uYtea.mpsl.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: uYtea.mpsl.elf

ReversingLabs: Detection: 63%

Source: global traffic

TCP traffic: 192.168.2.23:51398 -> 141.98.10.115:1302

Source: /tmp/uYtea.mpsl.elf (PID: 6230)

Socket: 127.0.0.1:9473

Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: uYtea.mpsl.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6230.1.00007fef44400000.00007fef44413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6234.1.00007fef44400000.00007fef44413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: uYtea.mpsl.elf PID: 6230, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: uYtea.mpsl.elf PID: 6234, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: ELF static info symbol of initial sample

.symtab present: no

Source: uYtea.mpsl.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6230.1.00007fef44400000.00007fef44413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6234.1.00007fef44400000.00007fef44413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: uYtea.mpsl.elf PID: 6230, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: uYtea.mpsl.elf PID: 6234, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal64.linELF@0/0@0/0

Source: /tmp/uYtea.mpsl.elf (PID: 6232)	Directory: /tmp/.			Jump to behavior
Source: /tmp/uYtea.mpsl.elf (PID: 6232)	Directory: /tmp/..			Jump to behavior

Source: /tmp/uYtea.mpsl.elf (PID: 6230)

Queries kernel information via 'uname':

Jump to behavior

Source: uYtea.mpsl.elf, 6230.1.000055e920912000.000055e920999000.rw-.sdmp, uYtea.mpsl.elf, 6234.1.000055e920912000.000055e920999000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mipsel
Source: uYtea.mpsl.elf, 6230.1.00007ffe88d13000.00007ffe88d34000.rw-.sdmp, uYtea.mpsl.elf, 6234.1.00007ffe88d13000.00007ffe88d34000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/uYtea.mpsl.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/uYtea.mpsl.elf
Source: uYtea.mpsl.elf, 6230.1.000055e920912000.000055e920999000.rw-.sdmp, uYtea.mpsl.elf, 6234.1.000055e920912000.000055e920999000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/mipsel
Source: uYtea.mpsl.elf, 6230.1.00007ffe88d13000.00007ffe88d34000.rw-.sdmp, uYtea.mpsl.elf, 6234.1.00007ffe88d13000.00007ffe88d34000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsel

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Hidden Files and Directories	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
uYtea.mpsl.elf	63%	ReversingLabs	Linux.Trojan.Mirai
uYtea.mpsl.elf	100%	Avira	EXP/ELF.Mirai.Z.D

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
141.98.10.115	unknown	Lithuania	209605	HOSTBALTICLT	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
141.98.10.115	uYtea.arm7.elf	Get hash	malicious	Mirai	Browse
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43	uYtea.x86_64.elf	Get hash	malicious	Unknown	Browse
	main_x86_64.elf	Get hash	malicious	Mirai	Browse
	Aqua.arm5.elf	Get hash	malicious	Unknown	Browse
	main_m68k.elf	Get hash	malicious	Mirai	Browse
	main_arm5.elf	Get hash	malicious	Mirai	Browse
	mips64.elf	Get hash	malicious	Unknown	Browse
	mips64el.elf	Get hash	malicious	Unknown	Browse
	main_arm.elf	Get hash	malicious	Mirai	Browse
	mips.elf	Get hash	malicious	Mirai	Browse
	main_sh4.elf	Get hash	malicious	Mirai	Browse
91.189.91.42	uYtea.x86_64.elf	Get hash	malicious	Unknown	Browse
	main_x86_64.elf	Get hash	malicious	Mirai	Browse
	Aqua.arm5.elf	Get hash	malicious	Unknown	Browse
	main_m68k.elf	Get hash	malicious	Mirai	Browse
	main_arm5.elf	Get hash	malicious	Mirai	Browse
	mips64.elf	Get hash	malicious	Unknown	Browse
	mips64el.elf	Get hash	malicious	Unknown	Browse
	main_arm.elf	Get hash	malicious	Mirai	Browse
	mips.elf	Get hash	malicious	Mirai	Browse
	main_sh4.elf	Get hash	malicious	Mirai	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	uYtea.x86_64.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	main_x86_64.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	Aqua.arm5.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	main_m68k.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	main_arm5.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	mips64.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	386.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	mips64el.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	main_arm5.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	main_arm.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
CANONICAL-ASGB	uYtea.x86_64.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	main_x86_64.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	Aqua.arm5.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	main_m68k.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	main_arm5.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	mips64.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	386.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	mips64el.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	main_arm5.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	main_arm.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
HOSTBALTICLT	uYtea.arm7.elf	Get hash	malicious	Mirai	Browse	141.98.10.115
	Scan12112024,pdf.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	141.98.10.88
	Scan12112024,pdf.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	141.98.10.88
	Scan112024.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	141.98.10.88
	173127133603e75602cf90c03b229cc07ec4f5c026cad2909c809b767b293bf800a0e9ade9674.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	141.98.10.88
	ConfirmaciXnXdeXfacturaXPedidoXadicional.doc	Get hash	malicious	Unknown	Browse	141.98.10.88
	DOC11042024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	141.98.10.40
	Contract #U2116 KB #U2013 08152024 - 1.pif.exe	Get hash	malicious	RedLine	Browse	141.98.10.33
	PRODUCT OVERVIEW.doc	Get hash	malicious	Unknown	Browse	141.98.10.11
	tppc.elf	Get hash	malicious	Unknown	Browse	141.98.10.95
INIT7CH	uYtea.x86_64.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	main_x86_64.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	Aqua.arm5.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	main_m68k.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	main_arm5.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	mips64.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	mips64el.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	main_arm.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	mips.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	main_sh4.elf	Get hash	malicious	Mirai	Browse	109.202.202.202

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.639881046271277
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	uYtea.mpsl.elf
File size:	77'320 bytes
MD5:	a2d136b494b26c43bf3df8af3e9c899d
SHA1:	c85948b663595680d8f8a27560303d131e22466e
SHA256:	c65de05ba9a20d85c9e9f2d4d22e1c7d7df058f6efa49c97375f65639ab3d65d
SHA512:	71e2eced88e612995cfac25d3b4c0302eee94e256a71ef1661fa57186cf4c4f9cc2a395af7a5a00493e7e1829acd1dcfd093a5e801ce09c70c13d6f3340b02d3
SSDEEP:	1536:7J5dbFB4x92nKoINa98M26ofWU+UZ9CYXzdJa10N:7J5dxBu9uKooIUXd4u
TLSH:	3973F819BF610F77EC6BCC370AA92B0129CC954B22E57B367934C528B60B61B19E3C74
File Content Preview:	.ELF....................`.@.4....+......4. ...(...............@...@. .. ..............$ ..$ E.$ E.P....N..........Q.td...............................<...'!......'.......................<...'!... .........9'.. ........................<...'!...........`.9

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x400260
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	76760
Section Header Size:	40
Number of Section Headers:	14
Header String Table Index:	13

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x8c	0x0	0x6	AX	4
.text	PROGBITS	0x400120	0x120	0xfeb0	0x0	0x6	AX	16
.fini	PROGBITS	0x40ffd0	0xffd0	0x5c	0x0	0x6	AX	4
.rodata	PROGBITS	0x410030	0x10030	0x1ff0	0x0	0x2	A	16
.ctors	PROGBITS	0x452024	0x12024	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x45202c	0x1202c	0x8	0x0	0x3	WA	4
.data.rel.ro	PROGBITS	0x452038	0x12038	0x4	0x0	0x3	WA	4
.data	PROGBITS	0x452040	0x12040	0x770	0x0	0x3	WA	16
.got	PROGBITS	0x4527b0	0x127b0	0x3c4	0x4	0x10000003	WAp	16
.sbss	NOBITS	0x452b74	0x12b74	0x28	0x0	0x10000003	WAp	4
.bss	NOBITS	0x452ba0	0x12b74	0x4314	0x0	0x3	WA	16
.mdebug.abi32	PROGBITS	0x6e4	0x12b74	0x0	0x0	0x0		1
.shstrtab	STRTAB	0x0	0x12b74	0x64	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x12020	0x12020	5.6498	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x12024	0x452024	0x452024	0xb50	0x4e90	4.4984	0x6	RW	0x10000	.ctors .dtors .data.rel.ro .data .got .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 17:05:53.947760105 CET	43928	443	192.168.2.23	91.189.91.42
Jan 8, 2025 17:05:59.322977066 CET	42836	443	192.168.2.23	91.189.91.43
Jan 8, 2025 17:06:00.413846016 CET	51398	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:00.418818951 CET	1302	51398	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:00.419009924 CET	51398	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:00.420021057 CET	51398	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:00.424853086 CET	1302	51398	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:00.424894094 CET	51398	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:00.429732084 CET	1302	51398	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:00.858913898 CET	42516	80	192.168.2.23	109.202.202.202
Jan 8, 2025 17:06:02.123779058 CET	1302	51398	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:02.124223948 CET	51398	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:02.129030943 CET	1302	51398	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:03.125829935 CET	51400	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:03.130817890 CET	1302	51400	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:03.130877972 CET	51400	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:03.131736994 CET	51400	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:03.136570930 CET	1302	51400	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:03.136653900 CET	51400	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:03.141408920 CET	1302	51400	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:04.820919991 CET	1302	51400	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:04.821295023 CET	51400	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:04.826191902 CET	1302	51400	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:05.822689056 CET	51402	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:05.827588081 CET	1302	51402	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:05.827646971 CET	51402	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:05.828366995 CET	51402	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:05.833142042 CET	1302	51402	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:05.833187103 CET	51402	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:05.838027954 CET	1302	51402	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:07.507952929 CET	1302	51402	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:07.508148909 CET	51402	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:07.514254093 CET	1302	51402	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:08.509701967 CET	51404	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:08.514501095 CET	1302	51404	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:08.514552116 CET	51404	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:08.515122890 CET	51404	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:08.519850969 CET	1302	51404	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:08.519893885 CET	51404	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:08.524653912 CET	1302	51404	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:10.231741905 CET	1302	51404	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:10.231939077 CET	51404	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:10.236686945 CET	1302	51404	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:11.233253002 CET	51406	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:11.238126040 CET	1302	51406	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:11.238182068 CET	51406	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:11.238804102 CET	51406	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:11.243552923 CET	1302	51406	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:11.243593931 CET	51406	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:11.248323917 CET	1302	51406	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:12.931364059 CET	1302	51406	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:12.931529999 CET	51406	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:12.936345100 CET	1302	51406	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:13.932817936 CET	51408	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:13.937700033 CET	1302	51408	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:13.937849998 CET	51408	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:13.938416004 CET	51408	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:13.943201065 CET	1302	51408	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:13.943264008 CET	51408	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:13.948005915 CET	1302	51408	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:15.192821980 CET	43928	443	192.168.2.23	91.189.91.42
Jan 8, 2025 17:06:15.649112940 CET	1302	51408	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:15.649410963 CET	51408	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:15.654191017 CET	1302	51408	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:16.651283979 CET	51410	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:16.656124115 CET	1302	51410	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:16.656219959 CET	51410	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:16.657275915 CET	51410	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:16.662005901 CET	1302	51410	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:16.662050962 CET	51410	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:16.666791916 CET	1302	51410	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:18.374485016 CET	1302	51410	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:18.374993086 CET	51410	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:18.379793882 CET	1302	51410	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:19.377182961 CET	51412	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:19.382098913 CET	1302	51412	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:19.382185936 CET	51412	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:19.383295059 CET	51412	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:19.388039112 CET	1302	51412	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:19.388097048 CET	51412	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:19.392836094 CET	1302	51412	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:21.108127117 CET	1302	51412	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:21.108330011 CET	51412	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:21.113112926 CET	1302	51412	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:22.109709024 CET	51414	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:22.114546061 CET	1302	51414	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:22.114604950 CET	51414	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:22.115232944 CET	51414	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:22.119968891 CET	1302	51414	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:22.120059967 CET	51414	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:22.124815941 CET	1302	51414	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:23.840908051 CET	1302	51414	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:23.841164112 CET	51414	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:23.846029043 CET	1302	51414	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:24.843383074 CET	51416	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:24.848237991 CET	1302	51416	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:24.848313093 CET	51416	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:24.849576950 CET	51416	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:24.854423046 CET	1302	51416	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:24.854523897 CET	51416	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:24.859265089 CET	1302	51416	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:25.431375980 CET	42836	443	192.168.2.23	91.189.91.43
Jan 8, 2025 17:06:26.576690912 CET	1302	51416	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:26.576931953 CET	51416	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:26.581727028 CET	1302	51416	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:27.578191042 CET	51418	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:27.583056927 CET	1302	51418	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:27.583111048 CET	51418	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:27.583765030 CET	51418	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:27.588675022 CET	1302	51418	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:27.588715076 CET	51418	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:27.593470097 CET	1302	51418	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:29.279150009 CET	1302	51418	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:29.279401064 CET	51418	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:29.284163952 CET	1302	51418	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:30.281296968 CET	51420	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:30.286109924 CET	1302	51420	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:30.286183119 CET	51420	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:30.287233114 CET	51420	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:30.291965008 CET	1302	51420	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:30.292022943 CET	51420	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:30.296847105 CET	1302	51420	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:31.574681997 CET	42516	80	192.168.2.23	109.202.202.202
Jan 8, 2025 17:06:32.003225088 CET	1302	51420	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:32.003417015 CET	51420	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:32.008171082 CET	1302	51420	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:33.004616976 CET	51422	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:33.009449959 CET	1302	51422	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:33.009514093 CET	51422	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:33.010087967 CET	51422	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:33.014908075 CET	1302	51422	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:33.014962912 CET	51422	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:33.019747972 CET	1302	51422	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:34.712831974 CET	1302	51422	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:34.713144064 CET	51422	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:34.717994928 CET	1302	51422	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:35.714682102 CET	51424	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:35.719590902 CET	1302	51424	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:35.719646931 CET	51424	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:35.720242023 CET	51424	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:35.725063086 CET	1302	51424	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:35.725115061 CET	51424	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:35.730612040 CET	1302	51424	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:37.401983976 CET	1302	51424	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:37.402173042 CET	51424	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:37.406964064 CET	1302	51424	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:38.403551102 CET	51426	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:38.408463001 CET	1302	51426	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:38.408530951 CET	51426	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:38.409251928 CET	51426	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:38.414800882 CET	1302	51426	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:38.414845943 CET	51426	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:38.420680046 CET	1302	51426	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:40.131407976 CET	1302	51426	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:40.131618977 CET	51426	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:40.136791945 CET	1302	51426	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:41.133099079 CET	51428	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:41.138691902 CET	1302	51428	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:41.138750076 CET	51428	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:41.139342070 CET	51428	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:41.144354105 CET	1302	51428	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:41.144402981 CET	51428	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:41.150728941 CET	1302	51428	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:42.840859890 CET	1302	51428	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:42.841022968 CET	51428	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:42.845849991 CET	1302	51428	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:43.842915058 CET	51430	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:43.848607063 CET	1302	51430	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:43.848705053 CET	51430	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:43.849695921 CET	51430	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:43.855679035 CET	1302	51430	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:43.855743885 CET	51430	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:43.861808062 CET	1302	51430	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:45.545274973 CET	1302	51430	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:45.545455933 CET	51430	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:45.550177097 CET	1302	51430	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:46.546684027 CET	51432	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:46.552431107 CET	1302	51432	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:46.552481890 CET	51432	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:46.553119898 CET	51432	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:46.557887077 CET	1302	51432	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:46.557935953 CET	51432	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:46.562686920 CET	1302	51432	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:48.245379925 CET	1302	51432	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:48.245613098 CET	51432	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:48.250402927 CET	1302	51432	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:49.247451067 CET	51434	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:49.252217054 CET	1302	51434	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:49.252295971 CET	51434	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:49.253407001 CET	51434	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:49.258152008 CET	1302	51434	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:49.258219004 CET	51434	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:49.263020039 CET	1302	51434	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:51.015357971 CET	1302	51434	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:51.015539885 CET	51434	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:51.020370007 CET	1302	51434	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:52.017338991 CET	51436	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:52.022217989 CET	1302	51436	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:52.022286892 CET	51436	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:52.023303986 CET	51436	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:52.028069973 CET	1302	51436	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:52.028130054 CET	51436	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:52.032969952 CET	1302	51436	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:53.761281967 CET	1302	51436	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:53.761447906 CET	51436	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:53.766268969 CET	1302	51436	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:54.763331890 CET	51438	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:54.768141985 CET	1302	51438	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:54.768225908 CET	51438	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:54.769242048 CET	51438	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:54.775872946 CET	1302	51438	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:54.775937080 CET	51438	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:54.780754089 CET	1302	51438	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:56.147136927 CET	43928	443	192.168.2.23	91.189.91.42
Jan 8, 2025 17:06:56.483469009 CET	1302	51438	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:56.483683109 CET	51438	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:56.488496065 CET	1302	51438	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:57.485420942 CET	51440	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:57.490309000 CET	1302	51440	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:57.490358114 CET	51440	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:57.491091013 CET	51440	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:57.495913982 CET	1302	51440	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:57.495963097 CET	51440	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:57.500808001 CET	1302	51440	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:59.392580986 CET	1302	51440	141.98.10.115	192.168.2.23
Jan 8, 2025 17:06:59.392828941 CET	51440	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:06:59.401737928 CET	1302	51440	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:00.395010948 CET	51442	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:00.399878979 CET	1302	51442	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:00.399971962 CET	51442	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:00.400923014 CET	51442	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:00.405644894 CET	1302	51442	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:00.405709028 CET	51442	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:00.411398888 CET	1302	51442	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:02.092603922 CET	1302	51442	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:02.092767000 CET	51442	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:02.097563982 CET	1302	51442	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:03.094069004 CET	51444	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:03.098937035 CET	1302	51444	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:03.098993063 CET	51444	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:03.099911928 CET	51444	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:03.104660034 CET	1302	51444	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:03.104718924 CET	51444	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:03.109582901 CET	1302	51444	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:04.793174028 CET	1302	51444	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:04.793416023 CET	51444	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:04.798254013 CET	1302	51444	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:05.794902086 CET	51446	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:05.799844027 CET	1302	51446	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:05.799920082 CET	51446	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:05.800925016 CET	51446	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:05.805794001 CET	1302	51446	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:05.805847883 CET	51446	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:05.810585976 CET	1302	51446	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:07.512733936 CET	1302	51446	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:07.513020039 CET	51446	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:07.517808914 CET	1302	51446	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:08.514884949 CET	51448	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:08.519819975 CET	1302	51448	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:08.519929886 CET	51448	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:08.521215916 CET	51448	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:08.525964975 CET	1302	51448	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:08.526025057 CET	51448	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:08.530755997 CET	1302	51448	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:10.230969906 CET	1302	51448	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:10.231323004 CET	51448	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:10.236119986 CET	1302	51448	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:11.233011961 CET	51450	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:11.237816095 CET	1302	51450	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:11.238022089 CET	51450	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:11.238545895 CET	51450	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:11.243305922 CET	1302	51450	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:11.243357897 CET	51450	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:11.248171091 CET	1302	51450	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:12.936039925 CET	1302	51450	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:12.936491013 CET	51450	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:12.941237926 CET	1302	51450	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:13.938951015 CET	51452	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:13.944011927 CET	1302	51452	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:13.944281101 CET	51452	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:13.946475983 CET	51452	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:13.951371908 CET	1302	51452	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:13.951453924 CET	51452	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:13.956315041 CET	1302	51452	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:15.636712074 CET	1302	51452	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:15.637058020 CET	51452	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:15.641948938 CET	1302	51452	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:16.624294043 CET	42836	443	192.168.2.23	91.189.91.43
Jan 8, 2025 17:07:16.638343096 CET	51454	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:16.643198967 CET	1302	51454	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:16.643331051 CET	51454	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:16.643891096 CET	51454	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:16.648638010 CET	1302	51454	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:16.648734093 CET	51454	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:16.653460026 CET	1302	51454	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:18.356769085 CET	1302	51454	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:18.356981039 CET	51454	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:18.361773968 CET	1302	51454	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:19.358494043 CET	51456	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:19.363351107 CET	1302	51456	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:19.363410950 CET	51456	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:19.364097118 CET	51456	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:19.368918896 CET	1302	51456	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:19.368982077 CET	51456	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:19.373785973 CET	1302	51456	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:21.062289953 CET	1302	51456	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:21.062468052 CET	51456	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:21.067348003 CET	1302	51456	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:22.063783884 CET	51458	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:22.068723917 CET	1302	51458	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:22.068825960 CET	51458	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:22.069531918 CET	51458	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:22.074316978 CET	1302	51458	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:22.074388981 CET	51458	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:22.079272985 CET	1302	51458	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:23.776272058 CET	1302	51458	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:23.776453972 CET	51458	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:23.781286955 CET	1302	51458	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:24.777815104 CET	51460	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:24.782660961 CET	1302	51460	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:24.782715082 CET	51460	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:24.783334017 CET	51460	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:24.788105011 CET	1302	51460	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:24.788153887 CET	51460	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:24.792916059 CET	1302	51460	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:26.486191034 CET	1302	51460	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:26.486371994 CET	51460	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:26.491206884 CET	1302	51460	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:27.487840891 CET	51462	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:27.492712021 CET	1302	51462	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:27.492765903 CET	51462	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:27.493422985 CET	51462	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:27.498158932 CET	1302	51462	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:27.498203993 CET	51462	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:27.502950907 CET	1302	51462	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:29.311857939 CET	1302	51462	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:29.312016964 CET	51462	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:29.316766024 CET	1302	51462	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:30.313556910 CET	51464	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:30.318331957 CET	1302	51464	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:30.318389893 CET	51464	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:30.318998098 CET	51464	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:30.323710918 CET	1302	51464	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:30.323754072 CET	51464	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:30.328474045 CET	1302	51464	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:32.042707920 CET	1302	51464	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:32.042861938 CET	51464	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:32.047696114 CET	1302	51464	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:33.044171095 CET	51466	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:33.048953056 CET	1302	51466	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:33.049012899 CET	51466	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:33.049640894 CET	51466	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:33.054372072 CET	1302	51466	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:33.054419994 CET	51466	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:33.059206009 CET	1302	51466	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:34.765489101 CET	1302	51466	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:34.765661001 CET	51466	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:34.770498037 CET	1302	51466	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:35.766972065 CET	51468	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:35.771747112 CET	1302	51468	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:35.771794081 CET	51468	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:35.772384882 CET	51468	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:35.777111053 CET	1302	51468	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:35.777180910 CET	51468	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:35.781975985 CET	1302	51468	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:37.483510017 CET	1302	51468	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:37.483882904 CET	51468	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:37.488749027 CET	1302	51468	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:38.485975027 CET	51470	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:38.490811110 CET	1302	51470	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:38.491111994 CET	51470	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:38.491761923 CET	51470	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:38.496539116 CET	1302	51470	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:38.496615887 CET	51470	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:38.501426935 CET	1302	51470	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:40.199506998 CET	1302	51470	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:40.199918032 CET	51470	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:40.204758883 CET	1302	51470	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:41.202014923 CET	51472	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:41.206975937 CET	1302	51472	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:41.207132101 CET	51472	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:41.208178997 CET	51472	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:41.212929010 CET	1302	51472	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:41.212994099 CET	51472	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:41.217806101 CET	1302	51472	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:42.904490948 CET	1302	51472	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:42.904685020 CET	51472	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:42.909511089 CET	1302	51472	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:43.906447887 CET	51474	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:43.911365986 CET	1302	51474	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:43.911612034 CET	51474	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:43.912600994 CET	51474	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:43.917330027 CET	1302	51474	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:43.917393923 CET	51474	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:43.922156096 CET	1302	51474	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:45.641849995 CET	1302	51474	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:45.642456055 CET	51474	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:45.647270918 CET	1302	51474	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:46.644503117 CET	51476	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:46.649297953 CET	1302	51476	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:46.649434090 CET	51476	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:46.650466919 CET	51476	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:46.655237913 CET	1302	51476	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:46.655304909 CET	51476	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:46.660187960 CET	1302	51476	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:48.356558084 CET	1302	51476	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:48.357095003 CET	51476	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:48.361887932 CET	1302	51476	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:49.358918905 CET	51478	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:49.363698959 CET	1302	51478	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:49.363830090 CET	51478	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:49.364792109 CET	51478	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:49.369532108 CET	1302	51478	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:49.369596958 CET	51478	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:49.374325991 CET	1302	51478	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:51.059102058 CET	1302	51478	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:51.059645891 CET	51478	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:51.064380884 CET	1302	51478	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:52.061592102 CET	51480	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:52.066595078 CET	1302	51480	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:52.066735029 CET	51480	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:52.067318916 CET	51480	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:52.072163105 CET	1302	51480	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:52.072213888 CET	51480	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:52.077033043 CET	1302	51480	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:53.765189886 CET	1302	51480	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:53.765506983 CET	51480	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:53.770313025 CET	1302	51480	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:54.767036915 CET	51482	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:54.771908045 CET	1302	51482	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:54.771980047 CET	51482	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:54.772746086 CET	51482	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:54.777564049 CET	1302	51482	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:54.777631998 CET	51482	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:54.782407999 CET	1302	51482	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:56.463875055 CET	1302	51482	141.98.10.115	192.168.2.23
Jan 8, 2025 17:07:56.464092016 CET	51482	1302	192.168.2.23	141.98.10.115
Jan 8, 2025 17:07:56.468952894 CET	1302	51482	141.98.10.115	192.168.2.23

System Behavior

Analysis Process: uYtea.mpsl.elf PID: 6230, Parent PID: 6153

General

Start time (UTC):	16:05:52
Start date (UTC):	08/01/2025
Path:	/tmp/uYtea.mpsl.elf
Arguments:	/tmp/uYtea.mpsl.elf
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: uYtea.mpsl.elf PID: 6232, Parent PID: 6230

General

Start time (UTC):	16:05:52
Start date (UTC):	08/01/2025
Path:	/tmp/uYtea.mpsl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: uYtea.mpsl.elf PID: 6234, Parent PID: 6232

General

Start time (UTC):	16:05:52
Start date (UTC):	08/01/2025
Path:	/tmp/uYtea.mpsl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report uYtea.mpsl.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: uYtea.mpsl.elf PID: 6230, Parent PID: 6153

General

Chronological Activities

Analysis Process: uYtea.mpsl.elf PID: 6232, Parent PID: 6230

General

Chronological Activities

Analysis Process: uYtea.mpsl.elf PID: 6234, Parent PID: 6232

General

Chronological Activities

Linux Analysis Report
uYtea.mpsl.elf