Edit tour

Linux Analysis Report
uYtea.mips.elf

Overview

General Information

Sample name:	uYtea.mips.elf
Analysis ID:	1586055
MD5:	f1b1fd4e7d87ee3295b6910bda417e84
SHA1:	8ae0a41216cd7ee4e200f50324ddeda7cf8cbd33
SHA256:	d045b60fb22bef2a0a2073d5a36d38c1e72ef5e9e9c93f6a1555ac83d53d5feb
Tags:	user-elfdigest
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Creates hidden files and/or directories

Detected TCP or UDP traffic on non-standard ports

Sample has stripped symbol table

Sample listens on a socket

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1586055
Start date and time:	2025-01-08 17:05:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	uYtea.mips.elf
Detection:	MAL
Classification:	mal64.linELF@0/0@0/0

Warnings

VT rate limit hit for: uYtea.mips.elf

Runtime Messages

Command:	/tmp/uYtea.mips.elf
PID:	5492
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	connecterror
Standard Error:

Process Tree

system is lnxubuntu20

uYtea.mips.elf (PID: 5492, Parent: 5412, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/uYtea.mips.elf

uYtea.mips.elf New Fork (PID: 5494, Parent: 5492)

uYtea.mips.elf New Fork (PID: 5496, Parent: 5494)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
uYtea.mips.elf	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xf6c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf6d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf6e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf6fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf710:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf724:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf738:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf74c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf760:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf774:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf788:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf79c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf7b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf7c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf7d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf7ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf800:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf814:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf828:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf83c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf850:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F

Memory Dumps

Source	Rule	Description	Author	Strings
5492.1.00007f4304400000.00007f4304412000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xf6c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf6d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf6e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf6fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf710:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf724:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf738:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf74c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf760:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf774:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf788:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf79c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf7b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf7c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf7d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf7ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf800:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf814:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf828:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf83c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf850:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5496.1.00007f4304400000.00007f4304412000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xf6c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf6d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf6e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf6fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf710:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf724:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf738:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf74c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf760:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf774:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf788:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf79c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf7b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf7c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf7d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf7ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf800:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf814:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf828:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf83c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf850:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: uYtea.mips.elf PID: 5492	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x116:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x166:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x17a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1a2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1ca:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1de:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1f2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x206:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x21a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x22e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x242:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x256:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x26a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x27e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x292:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2a6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: uYtea.mips.elf PID: 5496	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x787a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x788e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x78a2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x78b6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x78ca:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x78de:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x78f2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7906:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x791a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x792e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7942:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7956:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x796a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x797e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7992:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x79a6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x79ba:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x79ce:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x79e2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x79f6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7a0a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: uYtea.mips.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: uYtea.mips.elf

ReversingLabs: Detection: 65%

Source: global traffic

TCP traffic: 192.168.2.14:40160 -> 141.98.10.115:1302

Source: /tmp/uYtea.mips.elf (PID: 5492)

Socket: 127.0.0.1:9473

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: uYtea.mips.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5492.1.00007f4304400000.00007f4304412000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5496.1.00007f4304400000.00007f4304412000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: uYtea.mips.elf PID: 5492, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: uYtea.mips.elf PID: 5496, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: ELF static info symbol of initial sample

.symtab present: no

Source: uYtea.mips.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5492.1.00007f4304400000.00007f4304412000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5496.1.00007f4304400000.00007f4304412000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: uYtea.mips.elf PID: 5492, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: uYtea.mips.elf PID: 5496, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal64.linELF@0/0@0/0

Source: /tmp/uYtea.mips.elf (PID: 5494)	Directory: /tmp/.			Jump to behavior
Source: /tmp/uYtea.mips.elf (PID: 5494)	Directory: /tmp/..			Jump to behavior

Source: /tmp/uYtea.mips.elf (PID: 5492)

Queries kernel information via 'uname':

Jump to behavior

Source: uYtea.mips.elf, 5492.1.000056428d58f000.000056428d616000.rw-.sdmp, uYtea.mips.elf, 5496.1.000056428d58f000.000056428d616000.rw-.sdmp	Binary or memory string: BV!/etc/qemu-binfmt/mips
Source: uYtea.mips.elf, 5492.1.00007ffdde4d6000.00007ffdde4f7000.rw-.sdmp, uYtea.mips.elf, 5496.1.00007ffdde4d6000.00007ffdde4f7000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-mips/tmp/uYtea.mips.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/uYtea.mips.elf
Source: uYtea.mips.elf, 5492.1.000056428d58f000.000056428d616000.rw-.sdmp, uYtea.mips.elf, 5496.1.000056428d58f000.000056428d616000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mips
Source: uYtea.mips.elf, 5492.1.00007ffdde4d6000.00007ffdde4f7000.rw-.sdmp, uYtea.mips.elf, 5496.1.00007ffdde4d6000.00007ffdde4f7000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Hidden Files and Directories	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
uYtea.mips.elf	66%	ReversingLabs	Linux.Trojan.Mirai
uYtea.mips.elf	100%	Avira	EXP/ELF.Mirai.Z.D

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
141.98.10.115	unknown	Lithuania		209605	HOSTBALTICLT	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
141.98.10.115	uYtea.arm7.elf	Get hash	malicious	Mirai	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HOSTBALTICLT	uYtea.arm7.elf	Get hash	malicious	Mirai	Browse	141.98.10.115
	Scan12112024,pdf.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	141.98.10.88
	Scan12112024,pdf.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	141.98.10.88
	Scan112024.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	141.98.10.88
	173127133603e75602cf90c03b229cc07ec4f5c026cad2909c809b767b293bf800a0e9ade9674.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	141.98.10.88
	ConfirmaciXnXdeXfacturaXPedidoXadicional.doc	Get hash	malicious	Unknown	Browse	141.98.10.88
	DOC11042024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	141.98.10.40
	Contract #U2116 KB #U2013 08152024 - 1.pif.exe	Get hash	malicious	RedLine	Browse	141.98.10.33
	PRODUCT OVERVIEW.doc	Get hash	malicious	Unknown	Browse	141.98.10.11
	tppc.elf	Get hash	malicious	Unknown	Browse	141.98.10.95

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.493130227777573
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	uYtea.mips.elf
File size:	77'288 bytes
MD5:	f1b1fd4e7d87ee3295b6910bda417e84
SHA1:	8ae0a41216cd7ee4e200f50324ddeda7cf8cbd33
SHA256:	d045b60fb22bef2a0a2073d5a36d38c1e72ef5e9e9c93f6a1555ac83d53d5feb
SHA512:	894ffd2f738d386b6dea92982a6b49a4e0c1eaf19656657726fe840120075e15251bc89b9d1114d5c4e37d8076db34f17253dd46d3b7ec301ba4b4ea503e4f9f
SSDEEP:	1536:bpxe5qoct9fdlQBI6rAEnUFndlBotYG9CJa101Dv:Fx3oANdTrndvomgC4S
TLSH:	9573C70A7E229FBCFB9846354BB78F159A5833D627D1D641E2ACDA001D7024E341FFA9
File Content Preview:	.ELF.....................@.`...4..+......4. ...(.............@...@........................ ..E ..E ....T..N.........dt.Q............................<...'......!'.......................<...'......!... ....'9... ......................<...'......!........'9.

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x400260
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	76728
Section Header Size:	40
Number of Section Headers:	14
Header String Table Index:	13

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x8c	0x0	0x6	AX	4
.text	PROGBITS	0x400120	0x120	0xf540	0x0	0x6	AX	16
.fini	PROGBITS	0x40f660	0xf660	0x5c	0x0	0x6	AX	4
.rodata	PROGBITS	0x40f6c0	0xf6c0	0x1fe0	0x0	0x2	A	16
.ctors	PROGBITS	0x452000	0x12000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x452008	0x12008	0x8	0x0	0x3	WA	4
.data.rel.ro	PROGBITS	0x452014	0x12014	0x4	0x0	0x3	WA	4
.data	PROGBITS	0x452020	0x12020	0x770	0x0	0x3	WA	16
.got	PROGBITS	0x452790	0x12790	0x3c4	0x4	0x10000003	WAp	16
.sbss	NOBITS	0x452b54	0x12b54	0x28	0x0	0x10000003	WAp	4
.bss	NOBITS	0x452b80	0x12b54	0x4314	0x0	0x3	WA	16
.mdebug.abi32	PROGBITS	0x6e4	0x12b54	0x0	0x0	0x0		1
.shstrtab	STRTAB	0x0	0x12b54	0x64	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x116a0	0x116a0	5.6285	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x12000	0x452000	0x452000	0xb54	0x4e94	4.4142	0x6	RW	0x10000	.ctors .dtors .data.rel.ro .data .got .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 17:06:13.518125057 CET	40160	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:13.523040056 CET	1302	40160	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:13.523125887 CET	40160	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:13.524404049 CET	40160	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:13.529160023 CET	1302	40160	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:13.529236078 CET	40160	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:13.534043074 CET	1302	40160	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:15.229046106 CET	1302	40160	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:15.229377985 CET	40160	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:15.234205961 CET	1302	40160	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:16.231033087 CET	40162	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:16.237451077 CET	1302	40162	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:16.237509012 CET	40162	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:16.238146067 CET	40162	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:16.242927074 CET	1302	40162	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:16.243009090 CET	40162	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:16.248030901 CET	1302	40162	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:17.933134079 CET	1302	40162	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:17.933459997 CET	40162	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:17.938824892 CET	1302	40162	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:18.935247898 CET	40164	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:18.940155983 CET	1302	40164	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:18.940217972 CET	40164	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:18.940895081 CET	40164	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:18.945692062 CET	1302	40164	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:18.945735931 CET	40164	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:18.950579882 CET	1302	40164	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:20.654752970 CET	1302	40164	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:20.655067921 CET	40164	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:20.655067921 CET	40164	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:20.659862041 CET	1302	40164	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:21.657784939 CET	40166	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:21.662560940 CET	1302	40166	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:21.662626028 CET	40166	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:21.663310051 CET	40166	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:21.668071032 CET	1302	40166	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:21.668118954 CET	40166	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:21.672864914 CET	1302	40166	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:23.374619961 CET	1302	40166	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:23.374815941 CET	40166	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:23.379616976 CET	1302	40166	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:24.376533031 CET	40168	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:24.381392002 CET	1302	40168	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:24.381453037 CET	40168	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:24.382086992 CET	40168	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:24.386919022 CET	1302	40168	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:24.386967897 CET	40168	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:24.391751051 CET	1302	40168	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:26.090179920 CET	1302	40168	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:26.090357065 CET	40168	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:26.095868111 CET	1302	40168	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:27.091734886 CET	40170	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:27.096548080 CET	1302	40170	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:27.096604109 CET	40170	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:27.097239971 CET	40170	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:27.101999998 CET	1302	40170	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:27.102046967 CET	40170	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:27.106839895 CET	1302	40170	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:28.808191061 CET	1302	40170	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:28.808300972 CET	40170	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:28.813060999 CET	1302	40170	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:29.809708118 CET	40172	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:29.814496040 CET	1302	40172	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:29.814558029 CET	40172	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:29.815257072 CET	40172	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:29.820030928 CET	1302	40172	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:29.820087910 CET	40172	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:29.824899912 CET	1302	40172	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:31.509160042 CET	1302	40172	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:31.509402037 CET	40172	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:31.514170885 CET	1302	40172	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:32.511049986 CET	40174	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:32.515863895 CET	1302	40174	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:32.515930891 CET	40174	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:32.516581059 CET	40174	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:32.521388054 CET	1302	40174	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:32.521456003 CET	40174	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:32.526279926 CET	1302	40174	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:34.215883970 CET	1302	40174	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:34.216152906 CET	40174	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:34.222237110 CET	1302	40174	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:35.217880964 CET	40176	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:35.222693920 CET	1302	40176	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:35.222755909 CET	40176	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:35.223404884 CET	40176	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:35.228171110 CET	1302	40176	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:35.228216887 CET	40176	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:35.233031988 CET	1302	40176	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:36.982611895 CET	1302	40176	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:36.982759953 CET	40176	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:36.987632036 CET	1302	40176	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:37.984129906 CET	40178	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:37.989106894 CET	1302	40178	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:37.989166975 CET	40178	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:37.989820004 CET	40178	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:37.994606972 CET	1302	40178	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:37.994685888 CET	40178	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:37.999492884 CET	1302	40178	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:39.733697891 CET	1302	40178	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:39.733967066 CET	40178	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:39.739905119 CET	1302	40178	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:40.735869884 CET	40180	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:40.741954088 CET	1302	40180	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:40.742027998 CET	40180	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:40.743083954 CET	40180	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:40.747853041 CET	1302	40180	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:40.747919083 CET	40180	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:40.752700090 CET	1302	40180	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:42.447813034 CET	1302	40180	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:42.448013067 CET	40180	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:42.452797890 CET	1302	40180	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:43.449516058 CET	40182	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:43.454319954 CET	1302	40182	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:43.454371929 CET	40182	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:43.455014944 CET	40182	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:43.459836006 CET	1302	40182	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:43.459882975 CET	40182	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:43.464634895 CET	1302	40182	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:45.215050936 CET	1302	40182	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:45.215265036 CET	40182	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:45.221487045 CET	1302	40182	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:46.217112064 CET	40184	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:46.221869946 CET	1302	40184	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:46.221976042 CET	40184	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:46.222985983 CET	40184	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:46.227730036 CET	1302	40184	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:46.227799892 CET	40184	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:46.232573032 CET	1302	40184	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:47.899116993 CET	1302	40184	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:47.899293900 CET	40184	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:47.904078007 CET	1302	40184	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:48.901086092 CET	40186	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:48.905946970 CET	1302	40186	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:48.906009912 CET	40186	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:48.906773090 CET	40186	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:48.911580086 CET	1302	40186	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:48.911618948 CET	40186	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:48.916383982 CET	1302	40186	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:50.605686903 CET	1302	40186	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:50.605875969 CET	40186	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:50.605910063 CET	40186	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:50.610680103 CET	1302	40186	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:51.607441902 CET	40188	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:51.612241030 CET	1302	40188	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:51.612312078 CET	40188	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:51.613024950 CET	40188	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:51.617821932 CET	1302	40188	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:51.617882967 CET	40188	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:51.622657061 CET	1302	40188	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:53.291176081 CET	1302	40188	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:53.291445017 CET	40188	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:53.296226978 CET	1302	40188	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:54.293179989 CET	40190	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:54.297986984 CET	1302	40190	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:54.298075914 CET	40190	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:54.298773050 CET	40190	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:54.303560972 CET	1302	40190	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:54.303612947 CET	40190	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:54.308337927 CET	1302	40190	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:56.014801979 CET	1302	40190	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:56.015149117 CET	40190	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:56.019927979 CET	1302	40190	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:57.017501116 CET	40192	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:57.022384882 CET	1302	40192	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:57.022475958 CET	40192	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:57.023680925 CET	40192	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:57.028528929 CET	1302	40192	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:57.028592110 CET	40192	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:57.033401012 CET	1302	40192	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:59.392314911 CET	1302	40192	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:59.392443895 CET	1302	40192	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:59.392515898 CET	40192	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:59.392565012 CET	1302	40192	141.98.10.115	192.168.2.14
Jan 8, 2025 17:06:59.392601967 CET	40192	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:59.392615080 CET	40192	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:06:59.401726961 CET	1302	40192	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:00.395021915 CET	40194	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:00.399890900 CET	1302	40194	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:00.399959087 CET	40194	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:00.400809050 CET	40194	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:00.405575991 CET	1302	40194	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:00.405622005 CET	40194	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:00.411389112 CET	1302	40194	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:02.115782976 CET	1302	40194	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:02.116142988 CET	40194	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:02.121020079 CET	1302	40194	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:03.118243933 CET	40196	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:03.123039007 CET	1302	40196	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:03.123097897 CET	40196	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:03.124098063 CET	40196	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:03.128854036 CET	1302	40196	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:03.128902912 CET	40196	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:03.133676052 CET	1302	40196	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:04.824839115 CET	1302	40196	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:04.825037003 CET	40196	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:04.829835892 CET	1302	40196	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:05.826545954 CET	40198	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:05.831413031 CET	1302	40198	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:05.831471920 CET	40198	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:05.832190990 CET	40198	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:05.836936951 CET	1302	40198	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:05.836977005 CET	40198	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:05.841742039 CET	1302	40198	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:07.544405937 CET	1302	40198	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:07.544567108 CET	40198	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:07.549364090 CET	1302	40198	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:08.546407938 CET	40200	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:08.551414013 CET	1302	40200	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:08.551490068 CET	40200	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:08.552444935 CET	40200	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:08.557219028 CET	1302	40200	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:08.557272911 CET	40200	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:08.562145948 CET	1302	40200	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:10.245798111 CET	1302	40200	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:10.246001005 CET	40200	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:10.250782013 CET	1302	40200	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:11.248330116 CET	40202	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:11.253175974 CET	1302	40202	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:11.253251076 CET	40202	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:11.254489899 CET	40202	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:11.259232998 CET	1302	40202	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:11.259287119 CET	40202	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:11.264018059 CET	1302	40202	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:12.968192101 CET	1302	40202	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:12.968417883 CET	40202	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:12.973232031 CET	1302	40202	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:13.970230103 CET	40204	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:13.975028038 CET	1302	40204	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:13.975116968 CET	40204	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:13.975979090 CET	40204	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:13.980804920 CET	1302	40204	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:13.980874062 CET	40204	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:13.985672951 CET	1302	40204	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:15.670485973 CET	1302	40204	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:15.670708895 CET	40204	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:15.675484896 CET	1302	40204	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:16.672554970 CET	40206	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:16.677392006 CET	1302	40206	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:16.677464008 CET	40206	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:16.678291082 CET	40206	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:16.683064938 CET	1302	40206	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:16.683120966 CET	40206	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:16.687956095 CET	1302	40206	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:18.369076014 CET	1302	40206	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:18.369200945 CET	40206	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:18.373970032 CET	1302	40206	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:19.371150970 CET	40208	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:19.376036882 CET	1302	40208	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:19.376106977 CET	40208	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:19.376822948 CET	40208	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:19.381671906 CET	1302	40208	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:19.381746054 CET	40208	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:19.386491060 CET	1302	40208	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:21.058121920 CET	1302	40208	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:21.058324099 CET	40208	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:21.063170910 CET	1302	40208	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:22.059987068 CET	40210	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:22.064893961 CET	1302	40210	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:22.064955950 CET	40210	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:22.065711975 CET	40210	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:22.070493937 CET	1302	40210	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:22.070548058 CET	40210	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:22.075309038 CET	1302	40210	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:23.765407085 CET	1302	40210	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:23.765608072 CET	40210	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:23.770426035 CET	1302	40210	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:24.767659903 CET	40212	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:24.772682905 CET	1302	40212	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:24.772773027 CET	40212	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:24.773720980 CET	40212	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:24.778537989 CET	1302	40212	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:24.778603077 CET	40212	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:24.783368111 CET	1302	40212	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:26.468070984 CET	1302	40212	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:26.468506098 CET	40212	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:26.468605995 CET	40212	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:26.473371983 CET	1302	40212	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:27.470923901 CET	40214	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:27.475895882 CET	1302	40214	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:27.475990057 CET	40214	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:27.477154016 CET	40214	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:27.481914043 CET	1302	40214	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:27.481976032 CET	40214	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:27.486737013 CET	1302	40214	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:29.296876907 CET	1302	40214	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:29.297131062 CET	40214	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:29.301995039 CET	1302	40214	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:30.298814058 CET	40216	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:30.303826094 CET	1302	40216	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:30.303973913 CET	40216	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:30.304554939 CET	40216	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:30.309324026 CET	1302	40216	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:30.309387922 CET	40216	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:30.314181089 CET	1302	40216	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:32.026351929 CET	1302	40216	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:32.026516914 CET	40216	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:32.031369925 CET	1302	40216	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:33.027903080 CET	40218	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:33.032915115 CET	1302	40218	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:33.032965899 CET	40218	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:33.033561945 CET	40218	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:33.038327932 CET	1302	40218	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:33.038372993 CET	40218	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:33.043128014 CET	1302	40218	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:34.754688025 CET	1302	40218	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:34.754867077 CET	40218	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:34.759751081 CET	1302	40218	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:35.756299019 CET	40220	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:35.761277914 CET	1302	40220	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:35.761332989 CET	40220	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:35.761868000 CET	40220	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:35.766655922 CET	1302	40220	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:35.766700983 CET	40220	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:35.771459103 CET	1302	40220	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:37.485270023 CET	1302	40220	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:37.485524893 CET	40220	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:37.490289927 CET	1302	40220	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:38.487221003 CET	40222	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:38.492014885 CET	1302	40222	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:38.492070913 CET	40222	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:38.492670059 CET	40222	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:38.497596979 CET	1302	40222	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:38.497642040 CET	40222	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:38.502446890 CET	1302	40222	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:40.200182915 CET	1302	40222	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:40.200370073 CET	40222	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:40.205176115 CET	1302	40222	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:41.201956034 CET	40224	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:41.206959009 CET	1302	40224	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:41.207012892 CET	40224	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:41.207676888 CET	40224	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:41.212450027 CET	1302	40224	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:41.212491989 CET	40224	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:41.217247963 CET	1302	40224	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:42.918972969 CET	1302	40224	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:42.919255018 CET	40224	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:42.924073935 CET	1302	40224	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:43.920876980 CET	40226	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:43.925633907 CET	1302	40226	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:43.925707102 CET	40226	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:43.926301956 CET	40226	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:43.931071043 CET	1302	40226	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:43.931118011 CET	40226	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:43.935853958 CET	1302	40226	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:45.620668888 CET	1302	40226	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:45.620995045 CET	40226	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:45.625803947 CET	1302	40226	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:46.622956991 CET	40228	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:46.627933979 CET	1302	40228	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:46.628012896 CET	40228	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:46.628545046 CET	40228	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:46.633332014 CET	1302	40228	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:46.633416891 CET	40228	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:46.638254881 CET	1302	40228	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:48.308032990 CET	1302	40228	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:48.308175087 CET	40228	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:48.313004017 CET	1302	40228	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:49.309555054 CET	40230	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:49.314546108 CET	1302	40230	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:49.314666986 CET	40230	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:49.315218925 CET	40230	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:49.319977999 CET	1302	40230	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:49.320046902 CET	40230	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:49.324841022 CET	1302	40230	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:50.996632099 CET	1302	40230	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:50.997090101 CET	40230	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:51.001895905 CET	1302	40230	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:51.998467922 CET	40232	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:52.003549099 CET	1302	40232	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:52.003612041 CET	40232	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:52.004066944 CET	40232	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:52.009146929 CET	1302	40232	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:52.009202957 CET	40232	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:52.013988972 CET	1302	40232	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:53.702358961 CET	1302	40232	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:53.702567101 CET	40232	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:53.707464933 CET	1302	40232	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:54.704207897 CET	40234	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:54.709197044 CET	1302	40234	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:54.709312916 CET	40234	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:54.709821939 CET	40234	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:54.714561939 CET	1302	40234	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:54.714622974 CET	40234	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:54.719356060 CET	1302	40234	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:56.406397104 CET	1302	40234	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:56.406702042 CET	40234	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:56.411585093 CET	1302	40234	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:57.408410072 CET	40236	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:57.413381100 CET	1302	40236	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:57.413443089 CET	40236	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:57.414060116 CET	40236	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:57.418845892 CET	1302	40236	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:57.418900013 CET	40236	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:57.423691034 CET	1302	40236	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:59.125447989 CET	1302	40236	141.98.10.115	192.168.2.14
Jan 8, 2025 17:07:59.125716925 CET	40236	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:07:59.130604982 CET	1302	40236	141.98.10.115	192.168.2.14
Jan 8, 2025 17:08:00.127856970 CET	40238	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:08:00.132796049 CET	1302	40238	141.98.10.115	192.168.2.14
Jan 8, 2025 17:08:00.132963896 CET	40238	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:08:00.133960962 CET	40238	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:08:00.138711929 CET	1302	40238	141.98.10.115	192.168.2.14
Jan 8, 2025 17:08:00.138777018 CET	40238	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:08:00.143562078 CET	1302	40238	141.98.10.115	192.168.2.14
Jan 8, 2025 17:08:01.841826916 CET	1302	40238	141.98.10.115	192.168.2.14
Jan 8, 2025 17:08:01.842201948 CET	40238	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:08:01.849428892 CET	1302	40238	141.98.10.115	192.168.2.14
Jan 8, 2025 17:08:02.844366074 CET	40240	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:08:02.849355936 CET	1302	40240	141.98.10.115	192.168.2.14
Jan 8, 2025 17:08:02.849488974 CET	40240	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:08:02.850402117 CET	40240	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:08:02.855137110 CET	1302	40240	141.98.10.115	192.168.2.14
Jan 8, 2025 17:08:02.855201960 CET	40240	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:08:02.859962940 CET	1302	40240	141.98.10.115	192.168.2.14
Jan 8, 2025 17:08:04.546849966 CET	1302	40240	141.98.10.115	192.168.2.14
Jan 8, 2025 17:08:04.547200918 CET	40240	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:08:04.552061081 CET	1302	40240	141.98.10.115	192.168.2.14
Jan 8, 2025 17:08:05.549273968 CET	40242	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:08:05.554439068 CET	1302	40242	141.98.10.115	192.168.2.14
Jan 8, 2025 17:08:05.554513931 CET	40242	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:08:05.555455923 CET	40242	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:08:05.560226917 CET	1302	40242	141.98.10.115	192.168.2.14
Jan 8, 2025 17:08:05.560286999 CET	40242	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:08:05.565067053 CET	1302	40242	141.98.10.115	192.168.2.14
Jan 8, 2025 17:08:07.265464067 CET	1302	40242	141.98.10.115	192.168.2.14
Jan 8, 2025 17:08:07.265697002 CET	40242	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:08:07.270540953 CET	1302	40242	141.98.10.115	192.168.2.14
Jan 8, 2025 17:08:08.267673016 CET	40244	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:08:08.272511005 CET	1302	40244	141.98.10.115	192.168.2.14
Jan 8, 2025 17:08:08.272583961 CET	40244	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:08:08.273495913 CET	40244	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:08:08.278235912 CET	1302	40244	141.98.10.115	192.168.2.14
Jan 8, 2025 17:08:08.278278112 CET	40244	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:08:08.283041000 CET	1302	40244	141.98.10.115	192.168.2.14
Jan 8, 2025 17:08:09.963965893 CET	1302	40244	141.98.10.115	192.168.2.14
Jan 8, 2025 17:08:09.964127064 CET	40244	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:08:09.968888998 CET	1302	40244	141.98.10.115	192.168.2.14
Jan 8, 2025 17:08:10.965996981 CET	40246	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:08:10.970772982 CET	1302	40246	141.98.10.115	192.168.2.14
Jan 8, 2025 17:08:10.970827103 CET	40246	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:08:10.971478939 CET	40246	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:08:10.976221085 CET	1302	40246	141.98.10.115	192.168.2.14
Jan 8, 2025 17:08:10.976267099 CET	40246	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:08:10.981169939 CET	1302	40246	141.98.10.115	192.168.2.14
Jan 8, 2025 17:08:12.652930021 CET	1302	40246	141.98.10.115	192.168.2.14
Jan 8, 2025 17:08:12.653307915 CET	40246	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:08:12.658075094 CET	1302	40246	141.98.10.115	192.168.2.14
Jan 8, 2025 17:08:13.654536963 CET	40248	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:08:13.659322977 CET	1302	40248	141.98.10.115	192.168.2.14
Jan 8, 2025 17:08:13.659437895 CET	40248	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:08:13.659990072 CET	40248	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:08:13.664705992 CET	1302	40248	141.98.10.115	192.168.2.14
Jan 8, 2025 17:08:13.664777040 CET	40248	1302	192.168.2.14	141.98.10.115
Jan 8, 2025 17:08:13.669553995 CET	1302	40248	141.98.10.115	192.168.2.14

System Behavior

Analysis Process: uYtea.mips.elf PID: 5492, Parent PID: 5412

General

Start time (UTC):	16:06:06
Start date (UTC):	08/01/2025
Path:	/tmp/uYtea.mips.elf
Arguments:	/tmp/uYtea.mips.elf
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: uYtea.mips.elf PID: 5494, Parent PID: 5492

General

Start time (UTC):	16:06:06
Start date (UTC):	08/01/2025
Path:	/tmp/uYtea.mips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: uYtea.mips.elf PID: 5496, Parent PID: 5494

General

Start time (UTC):	16:06:06
Start date (UTC):	08/01/2025
Path:	/tmp/uYtea.mips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report uYtea.mips.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: uYtea.mips.elf PID: 5492, Parent PID: 5412

General

Chronological Activities

Analysis Process: uYtea.mips.elf PID: 5494, Parent PID: 5492

General

Chronological Activities

Analysis Process: uYtea.mips.elf PID: 5496, Parent PID: 5494

General

Chronological Activities

Linux Analysis Report
uYtea.mips.elf