Edit tour

Linux Analysis Report
uYtea.ppc.elf

Overview

General Information

Sample name:	uYtea.ppc.elf
Analysis ID:	1586062
MD5:	41ac5881c526563558a9b1141d71d092
SHA1:	4a410ffd83c414289dd0a6c27eb92cd0f3a39111
SHA256:	55dceb79ff0e327ad2bb77f730e03d7e287fc141aba09481d0e67c09b185faab
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Creates hidden files and/or directories

Detected TCP or UDP traffic on non-standard ports

Sample has stripped symbol table

Sample listens on a socket

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1586062
Start date and time:	2025-01-08 17:09:57 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	uYtea.ppc.elf
Detection:	MAL
Classification:	mal64.linELF@0/0@0/0

Warnings

VT rate limit hit for: uYtea.ppc.elf

Runtime Messages

Command:	/tmp/uYtea.ppc.elf
PID:	5552
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	connecterror
Standard Error:

Process Tree

system is lnxubuntu20

uYtea.ppc.elf (PID: 5552, Parent: 5473, MD5: ae65271c943d3451b7f026d1fadccea6) Arguments: /tmp/uYtea.ppc.elf

uYtea.ppc.elf New Fork (PID: 5554, Parent: 5552)

uYtea.ppc.elf New Fork (PID: 5560, Parent: 5554)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
uYtea.ppc.elf	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xba98:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbaac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbac0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbad4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbae8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbafc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbb10:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbb24:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbb38:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbb4c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbb60:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbb74:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbb88:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbb9c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbbb0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbbc4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbbd8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbbec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbc00:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbc14:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbc28:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F

Memory Dumps

Source	Rule	Description	Author	Strings
5560.1.00007fbd94001000.00007fbd9400f000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xba98:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbaac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbac0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbad4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbae8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbafc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbb10:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbb24:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbb38:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbb4c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbb60:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbb74:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbb88:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbb9c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbbb0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbbc4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbbd8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbbec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbc00:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbc14:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbc28:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5552.1.00007fbd94001000.00007fbd9400f000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xba98:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbaac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbac0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbad4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbae8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbafc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbb10:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbb24:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbb38:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbb4c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbb60:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbb74:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbb88:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbb9c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbbb0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbbc4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbbd8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbbec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbc00:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbc14:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbc28:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: uYtea.ppc.elf PID: 5552	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x112f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1143:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1157:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x116b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x117f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1193:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11a7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11bb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11cf:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11e3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11f7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x120b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x121f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1233:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1247:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x125b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x126f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1283:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1297:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12ab:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12bf:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: uYtea.ppc.elf PID: 5560	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x1007:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x101b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1043:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1057:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x106b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x107f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1093:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10a7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10bb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10cf:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10e3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10f7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x110b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x111f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1133:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1147:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x115b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x116f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1183:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1197:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: uYtea.ppc.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: uYtea.ppc.elf

ReversingLabs: Detection: 65%

Source: global traffic

TCP traffic: 192.168.2.15:35658 -> 141.98.10.115:1302

Source: /tmp/uYtea.ppc.elf (PID: 5552)

Socket: 127.0.0.1:9473

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: uYtea.ppc.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5560.1.00007fbd94001000.00007fbd9400f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5552.1.00007fbd94001000.00007fbd9400f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: uYtea.ppc.elf PID: 5552, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: uYtea.ppc.elf PID: 5560, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: ELF static info symbol of initial sample

.symtab present: no

Source: uYtea.ppc.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5560.1.00007fbd94001000.00007fbd9400f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5552.1.00007fbd94001000.00007fbd9400f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: uYtea.ppc.elf PID: 5552, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: uYtea.ppc.elf PID: 5560, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal64.linELF@0/0@0/0

Source: /tmp/uYtea.ppc.elf (PID: 5554)	Directory: /tmp/.			Jump to behavior
Source: /tmp/uYtea.ppc.elf (PID: 5554)	Directory: /tmp/..			Jump to behavior

Source: /tmp/uYtea.ppc.elf (PID: 5552)

Queries kernel information via 'uname':

Jump to behavior

Source: uYtea.ppc.elf, 5552.1.00007ffc7e24a000.00007ffc7e26b000.rw-.sdmp, uYtea.ppc.elf, 5560.1.00007ffc7e24a000.00007ffc7e26b000.rw-.sdmp	Binary or memory string: :x86_64/usr/bin/qemu-ppc/tmp/uYtea.ppc.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/uYtea.ppc.elf
Source: uYtea.ppc.elf, 5552.1.000056228440c000.00005622844bc000.rw-.sdmp	Binary or memory string: !/etc/qemu-binfmt/ppc11!hotpluggableq
Source: uYtea.ppc.elf, 5560.1.000056228440c000.00005622844bc000.rw-.sdmp	Binary or memory string: !/etc/qemu-binfmt/ppc1
Source: uYtea.ppc.elf, 5552.1.000056228440c000.00005622844bc000.rw-.sdmp, uYtea.ppc.elf, 5560.1.000056228440c000.00005622844bc000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/ppc
Source: uYtea.ppc.elf, 5552.1.00007ffc7e24a000.00007ffc7e26b000.rw-.sdmp, uYtea.ppc.elf, 5560.1.00007ffc7e24a000.00007ffc7e26b000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-ppc

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Hidden Files and Directories	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
uYtea.ppc.elf	66%	ReversingLabs	Linux.Trojan.Mirai
uYtea.ppc.elf	100%	Avira	EXP/ELF.Mirai.Z.D

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
141.98.10.115	unknown	Lithuania		209605	HOSTBALTICLT	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
141.98.10.115	uYtea.x86.elf	Get hash	malicious	Unknown	Browse
	uYtea.arm.elf	Get hash	malicious	Unknown	Browse
	uYtea.mips.elf	Get hash	malicious	Unknown	Browse
	uYtea.mpsl.elf	Get hash	malicious	Unknown	Browse
	uYtea.arm7.elf	Get hash	malicious	Mirai	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HOSTBALTICLT	uYtea.x86.elf	Get hash	malicious	Unknown	Browse	141.98.10.115
	uYtea.arm.elf	Get hash	malicious	Unknown	Browse	141.98.10.115
	uYtea.mips.elf	Get hash	malicious	Unknown	Browse	141.98.10.115
	uYtea.mpsl.elf	Get hash	malicious	Unknown	Browse	141.98.10.115
	uYtea.arm7.elf	Get hash	malicious	Mirai	Browse	141.98.10.115
	Scan12112024,pdf.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	141.98.10.88
	Scan12112024,pdf.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	141.98.10.88
	Scan112024.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	141.98.10.88
	173127133603e75602cf90c03b229cc07ec4f5c026cad2909c809b767b293bf800a0e9ade9674.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	141.98.10.88
	ConfirmaciXnXdeXfacturaXPedidoXadicional.doc	Get hash	malicious	Unknown	Browse	141.98.10.88

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.201326888275538
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	uYtea.ppc.elf
File size:	59'764 bytes
MD5:	41ac5881c526563558a9b1141d71d092
SHA1:	4a410ffd83c414289dd0a6c27eb92cd0f3a39111
SHA256:	55dceb79ff0e327ad2bb77f730e03d7e287fc141aba09481d0e67c09b185faab
SHA512:	168a5070478d4b51d754c308ea8e5f6942a4d057db1609e61fd61235ad625bac6a58af9882f8538309b154524ce5b2ff7feff4c471ded3fdd9ecb1e0b88a1f7b
SSDEEP:	1536:eF6QcATQdskHosl9k1dP9iT0bI666hJa108:tqgtJHk1dP4gbI6x4f
TLSH:	99435B52721C0E17C4A31A70263F5BE08BFBEAE021E4B685695F5F968935D331486FCD
File Content Preview:	.ELF...........................4.........4. ...(.......................(...(...........................H..J4........dt.Q.............................!..\|......$H...H..i...$8!. \|...N.. .!..\|.......?.............../...@..\?........+../...A..$8...})......N..

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	PowerPC
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x100001f0
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	59284
Section Header Size:	40
Number of Section Headers:	12
Header String Table Index:	11

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x10000094	0x94	0x24	0x0	0x6	AX	4
.text	PROGBITS	0x100000b8	0xb8	0xb9c0	0x0	0x6	AX	4
.fini	PROGBITS	0x1000ba78	0xba78	0x20	0x0	0x6	AX	4
.rodata	PROGBITS	0x1000ba98	0xba98	0x1f90	0x0	0x2	A	4
.ctors	PROGBITS	0x1001e000	0xe000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x1001e008	0xe008	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x1001e018	0xe018	0x704	0x0	0x3	WA	8
.sdata	PROGBITS	0x1001e71c	0xe71c	0x2c	0x0	0x3	WA	4
.sbss	NOBITS	0x1001e748	0xe748	0x54	0x0	0x3	WA	4
.bss	NOBITS	0x1001e79c	0xe748	0x4298	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0xe748	0x4b	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x10000000	0x10000000	0xda28	0xda28	6.3355	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0xe000	0x1001e000	0x1001e000	0x748	0x4a34	4.3150	0x6	RW	0x10000	.ctors .dtors .data .sdata .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 17:10:57.116444111 CET	35658	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:10:57.121304035 CET	1302	35658	141.98.10.115	192.168.2.15
Jan 8, 2025 17:10:57.121357918 CET	35658	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:10:57.122221947 CET	35658	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:10:57.126945019 CET	1302	35658	141.98.10.115	192.168.2.15
Jan 8, 2025 17:10:57.127007008 CET	35658	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:10:57.131738901 CET	1302	35658	141.98.10.115	192.168.2.15
Jan 8, 2025 17:10:58.831073046 CET	1302	35658	141.98.10.115	192.168.2.15
Jan 8, 2025 17:10:58.831351042 CET	35658	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:10:58.836194992 CET	1302	35658	141.98.10.115	192.168.2.15
Jan 8, 2025 17:10:59.833266973 CET	35660	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:10:59.840894938 CET	1302	35660	141.98.10.115	192.168.2.15
Jan 8, 2025 17:10:59.840970993 CET	35660	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:10:59.841630936 CET	35660	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:10:59.849138975 CET	1302	35660	141.98.10.115	192.168.2.15
Jan 8, 2025 17:10:59.849181890 CET	35660	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:10:59.855492115 CET	1302	35660	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:01.531265020 CET	1302	35660	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:01.531511068 CET	35660	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:01.536293983 CET	1302	35660	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:02.533229113 CET	35662	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:02.538309097 CET	1302	35662	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:02.538398027 CET	35662	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:02.539210081 CET	35662	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:02.544312954 CET	1302	35662	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:02.544399023 CET	35662	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:02.549288034 CET	1302	35662	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:04.218050003 CET	1302	35662	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:04.218389034 CET	35662	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:04.223196030 CET	1302	35662	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:05.220103025 CET	35664	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:05.225152969 CET	1302	35664	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:05.225213051 CET	35664	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:05.225831985 CET	35664	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:05.230612993 CET	1302	35664	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:05.230659962 CET	35664	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:05.235662937 CET	1302	35664	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:06.927891016 CET	1302	35664	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:06.928127050 CET	35664	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:06.932944059 CET	1302	35664	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:07.929689884 CET	35666	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:07.934717894 CET	1302	35666	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:07.934797049 CET	35666	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:07.935456991 CET	35666	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:07.940210104 CET	1302	35666	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:07.940253019 CET	35666	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:07.945070028 CET	1302	35666	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:09.889146090 CET	1302	35666	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:09.889534950 CET	35666	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:09.894412041 CET	1302	35666	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:10.891666889 CET	35668	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:10.896709919 CET	1302	35668	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:10.896894932 CET	35668	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:10.898049116 CET	35668	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:10.902823925 CET	1302	35668	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:10.902929068 CET	35668	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:10.907759905 CET	1302	35668	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:12.854316950 CET	1302	35668	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:12.854327917 CET	1302	35668	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:12.854753017 CET	35668	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:12.854829073 CET	35668	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:12.859703064 CET	1302	35668	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:13.856332064 CET	35670	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:13.861762047 CET	1302	35670	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:13.861897945 CET	35670	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:13.862463951 CET	35670	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:13.867957115 CET	1302	35670	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:13.868025064 CET	35670	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:13.873399973 CET	1302	35670	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:15.768500090 CET	1302	35670	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:15.768788099 CET	35670	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:15.773598909 CET	1302	35670	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:16.770809889 CET	35672	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:16.775728941 CET	1302	35672	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:16.775821924 CET	35672	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:16.776643991 CET	35672	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:16.781449080 CET	1302	35672	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:16.781506062 CET	35672	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:16.786382914 CET	1302	35672	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:18.531114101 CET	1302	35672	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:18.531347990 CET	35672	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:18.536132097 CET	1302	35672	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:19.532999039 CET	35674	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:19.537800074 CET	1302	35674	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:19.537884951 CET	35674	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:19.538594007 CET	35674	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:19.543389082 CET	1302	35674	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:19.543431044 CET	35674	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:19.548178911 CET	1302	35674	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:21.236591101 CET	1302	35674	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:21.236778021 CET	35674	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:21.241827965 CET	1302	35674	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:22.238814116 CET	35676	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:22.243678093 CET	1302	35676	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:22.243783951 CET	35676	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:22.244808912 CET	35676	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:22.249629021 CET	1302	35676	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:22.249684095 CET	35676	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:22.254462957 CET	1302	35676	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:23.967452049 CET	1302	35676	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:23.967652082 CET	35676	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:23.972434998 CET	1302	35676	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:24.969403982 CET	35678	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:24.974241972 CET	1302	35678	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:24.974338055 CET	35678	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:24.975431919 CET	35678	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:24.980159998 CET	1302	35678	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:24.980218887 CET	35678	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:24.984968901 CET	1302	35678	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:26.757442951 CET	1302	35678	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:26.757637978 CET	35678	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:26.762437105 CET	1302	35678	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:27.759226084 CET	35680	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:27.764197111 CET	1302	35680	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:27.764331102 CET	35680	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:27.765110970 CET	35680	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:27.769922018 CET	1302	35680	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:27.769994020 CET	35680	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:27.774791002 CET	1302	35680	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:29.486653090 CET	1302	35680	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:29.487118006 CET	35680	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:29.491905928 CET	1302	35680	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:30.488957882 CET	35682	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:30.493925095 CET	1302	35682	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:30.494168997 CET	35682	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:30.494879961 CET	35682	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:30.499686003 CET	1302	35682	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:30.499767065 CET	35682	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:30.504576921 CET	1302	35682	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:32.187328100 CET	1302	35682	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:32.187560081 CET	35682	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:32.192789078 CET	1302	35682	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:33.189363956 CET	35684	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:33.194392920 CET	1302	35684	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:33.194488049 CET	35684	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:33.195343971 CET	35684	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:33.200067043 CET	1302	35684	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:33.200110912 CET	35684	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:33.204883099 CET	1302	35684	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:34.890619040 CET	1302	35684	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:34.890930891 CET	35684	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:34.895768881 CET	1302	35684	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:35.892988920 CET	35686	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:35.897989035 CET	1302	35686	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:35.898086071 CET	35686	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:35.899183035 CET	35686	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:35.903955936 CET	1302	35686	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:35.904020071 CET	35686	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:35.908761024 CET	1302	35686	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:37.595319033 CET	1302	35686	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:37.595474005 CET	35686	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:37.600322008 CET	1302	35686	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:38.596987009 CET	35688	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:38.601972103 CET	1302	35688	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:38.602076054 CET	35688	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:38.602804899 CET	35688	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:38.607562065 CET	1302	35688	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:38.607611895 CET	35688	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:38.612358093 CET	1302	35688	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:40.333587885 CET	1302	35688	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:40.333872080 CET	35688	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:40.338608027 CET	1302	35688	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:41.335679054 CET	35690	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:41.340511084 CET	1302	35690	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:41.340612888 CET	35690	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:41.341366053 CET	35690	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:41.346129894 CET	1302	35690	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:41.346180916 CET	35690	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:41.350999117 CET	1302	35690	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:43.066081047 CET	1302	35690	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:43.066338062 CET	35690	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:43.071094036 CET	1302	35690	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:44.067770004 CET	35692	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:44.072654009 CET	1302	35692	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:44.072721958 CET	35692	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:44.073409081 CET	35692	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:44.078207016 CET	1302	35692	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:44.078263998 CET	35692	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:44.083053112 CET	1302	35692	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:45.812908888 CET	1302	35692	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:45.813150883 CET	35692	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:45.817915916 CET	1302	35692	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:46.814670086 CET	35694	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:46.819534063 CET	1302	35694	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:46.819598913 CET	35694	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:46.820453882 CET	35694	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:46.825300932 CET	1302	35694	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:46.825352907 CET	35694	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:46.830192089 CET	1302	35694	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:48.592004061 CET	1302	35694	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:48.592314005 CET	35694	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:48.597345114 CET	1302	35694	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:49.594367027 CET	35696	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:49.603219986 CET	1302	35696	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:49.603332996 CET	35696	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:49.605294943 CET	35696	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:49.614032030 CET	1302	35696	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:49.614090919 CET	35696	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:49.622664928 CET	1302	35696	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:51.339797020 CET	1302	35696	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:51.340212107 CET	35696	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:51.345000982 CET	1302	35696	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:52.342026949 CET	35698	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:52.347505093 CET	1302	35698	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:52.347604990 CET	35698	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:52.348350048 CET	35698	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:52.353158951 CET	1302	35698	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:52.353214025 CET	35698	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:52.358541012 CET	1302	35698	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:54.124061108 CET	1302	35698	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:54.124248028 CET	35698	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:54.129013062 CET	1302	35698	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:55.125678062 CET	35700	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:55.130489111 CET	1302	35700	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:55.130575895 CET	35700	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:55.131366014 CET	35700	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:55.136172056 CET	1302	35700	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:55.136240005 CET	35700	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:55.141032934 CET	1302	35700	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:56.876023054 CET	1302	35700	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:56.876274109 CET	35700	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:56.881061077 CET	1302	35700	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:57.877696991 CET	35702	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:57.882503986 CET	1302	35702	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:57.882561922 CET	35702	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:57.883245945 CET	35702	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:57.888016939 CET	1302	35702	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:57.888075113 CET	35702	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:57.892891884 CET	1302	35702	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:59.692362070 CET	1302	35702	141.98.10.115	192.168.2.15
Jan 8, 2025 17:11:59.692550898 CET	35702	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:11:59.697407961 CET	1302	35702	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:00.693999052 CET	35704	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:00.698935986 CET	1302	35704	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:00.699055910 CET	35704	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:00.699683905 CET	35704	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:00.704427004 CET	1302	35704	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:00.704479933 CET	35704	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:00.709237099 CET	1302	35704	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:02.422092915 CET	1302	35704	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:02.422517061 CET	35704	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:02.427287102 CET	1302	35704	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:03.424479961 CET	35706	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:03.429291964 CET	1302	35706	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:03.429416895 CET	35706	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:03.430150032 CET	35706	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:03.434937000 CET	1302	35706	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:03.435017109 CET	35706	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:03.439800978 CET	1302	35706	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:05.219115973 CET	1302	35706	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:05.219333887 CET	35706	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:05.224160910 CET	1302	35706	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:06.221129894 CET	35708	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:06.227488995 CET	1302	35708	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:06.227549076 CET	35708	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:06.228255033 CET	35708	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:06.235697031 CET	1302	35708	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:06.235739946 CET	35708	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:06.240475893 CET	1302	35708	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:07.925885916 CET	1302	35708	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:07.926137924 CET	35708	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:07.930973053 CET	1302	35708	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:08.928071022 CET	35710	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:08.932948112 CET	1302	35710	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:08.933038950 CET	35710	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:08.934112072 CET	35710	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:08.940201998 CET	1302	35710	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:08.940258980 CET	35710	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:08.946073055 CET	1302	35710	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:10.790019989 CET	1302	35710	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:10.790266991 CET	35710	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:10.795403004 CET	1302	35710	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:11.792804956 CET	35712	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:11.797641039 CET	1302	35712	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:11.797780991 CET	35712	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:11.798988104 CET	35712	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:11.803734064 CET	1302	35712	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:11.803807020 CET	35712	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:11.808557987 CET	1302	35712	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:13.624702930 CET	1302	35712	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:13.624994993 CET	35712	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:13.629766941 CET	1302	35712	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:14.626830101 CET	35714	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:14.631694078 CET	1302	35714	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:14.631891012 CET	35714	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:14.632560015 CET	35714	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:14.637325048 CET	1302	35714	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:14.637398958 CET	35714	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:14.642189026 CET	1302	35714	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:16.425092936 CET	1302	35714	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:16.425609112 CET	35714	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:16.430499077 CET	1302	35714	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:17.427799940 CET	35716	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:17.432658911 CET	1302	35716	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:17.432734966 CET	35716	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:17.433733940 CET	35716	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:17.438494921 CET	1302	35716	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:17.438555956 CET	35716	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:17.443344116 CET	1302	35716	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:19.128612041 CET	1302	35716	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:19.128993034 CET	35716	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:19.133775949 CET	1302	35716	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:20.130863905 CET	35718	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:20.135760069 CET	1302	35718	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:20.135838985 CET	35718	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:20.137033939 CET	35718	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:20.141819000 CET	1302	35718	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:20.141866922 CET	35718	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:20.146691084 CET	1302	35718	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:21.844285011 CET	1302	35718	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:21.844469070 CET	35718	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:21.849263906 CET	1302	35718	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:22.846326113 CET	35720	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:22.851145029 CET	1302	35720	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:22.851351976 CET	35720	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:22.852057934 CET	35720	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:22.856820107 CET	1302	35720	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:22.856890917 CET	35720	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:22.861650944 CET	1302	35720	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:24.549516916 CET	1302	35720	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:24.549853086 CET	35720	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:24.554661036 CET	1302	35720	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:25.551450968 CET	35722	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:25.557653904 CET	1302	35722	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:25.557790995 CET	35722	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:25.558551073 CET	35722	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:25.563564062 CET	1302	35722	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:25.563623905 CET	35722	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:25.568625927 CET	1302	35722	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:27.317337990 CET	1302	35722	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:27.317631960 CET	35722	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:27.322402000 CET	1302	35722	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:28.319199085 CET	35724	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:28.323995113 CET	1302	35724	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:28.324049950 CET	35724	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:28.324970961 CET	35724	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:28.329791069 CET	1302	35724	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:28.329840899 CET	35724	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:28.334582090 CET	1302	35724	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:30.035007000 CET	1302	35724	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:30.035316944 CET	35724	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:30.040162086 CET	1302	35724	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:31.036865950 CET	35726	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:31.041718006 CET	1302	35726	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:31.041780949 CET	35726	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:31.042463064 CET	35726	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:31.047276020 CET	1302	35726	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:31.047342062 CET	35726	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:31.052508116 CET	1302	35726	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:32.768388033 CET	1302	35726	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:32.768563986 CET	35726	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:32.773379087 CET	1302	35726	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:33.770353079 CET	35728	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:33.775162935 CET	1302	35728	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:33.775402069 CET	35728	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:33.776563883 CET	35728	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:33.781346083 CET	1302	35728	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:33.781419039 CET	35728	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:33.786237001 CET	1302	35728	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:35.494029045 CET	1302	35728	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:35.494362116 CET	35728	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:35.499216080 CET	1302	35728	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:36.496268988 CET	35730	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:36.501255035 CET	1302	35730	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:36.501396894 CET	35730	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:36.502178907 CET	35730	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:36.506990910 CET	1302	35730	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:36.507067919 CET	35730	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:36.511939049 CET	1302	35730	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:38.208621979 CET	1302	35730	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:38.208836079 CET	35730	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:38.213597059 CET	1302	35730	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:39.210478067 CET	35732	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:39.215255022 CET	1302	35732	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:39.215308905 CET	35732	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:39.216047049 CET	35732	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:39.220777035 CET	1302	35732	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:39.220820904 CET	35732	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:39.225568056 CET	1302	35732	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:40.926245928 CET	1302	35732	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:40.926417112 CET	35732	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:40.931813955 CET	1302	35732	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:41.927917957 CET	35734	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:41.932821035 CET	1302	35734	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:41.932873964 CET	35734	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:41.933681011 CET	35734	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:41.938460112 CET	1302	35734	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:41.938503027 CET	35734	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:41.943394899 CET	1302	35734	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:43.667428970 CET	1302	35734	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:43.667814970 CET	35734	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:43.672643900 CET	1302	35734	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:44.670252085 CET	35736	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:44.675064087 CET	1302	35736	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:44.675318003 CET	35736	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:44.681385040 CET	35736	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:44.686182976 CET	1302	35736	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:44.686253071 CET	35736	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:44.691003084 CET	1302	35736	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:46.380573034 CET	1302	35736	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:46.380851030 CET	35736	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:46.385701895 CET	1302	35736	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:47.383035898 CET	35738	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:47.387839079 CET	1302	35738	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:47.387948036 CET	35738	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:47.389082909 CET	35738	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:47.393847942 CET	1302	35738	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:47.393908024 CET	35738	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:47.398663998 CET	1302	35738	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:49.082031012 CET	1302	35738	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:49.082565069 CET	35738	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:49.087487936 CET	1302	35738	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:50.089194059 CET	35740	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:50.094150066 CET	1302	35740	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:50.094232082 CET	35740	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:50.095438004 CET	35740	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:50.100330114 CET	1302	35740	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:50.100399017 CET	35740	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:50.105282068 CET	1302	35740	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:51.803163052 CET	1302	35740	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:51.803555012 CET	35740	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:51.808418036 CET	1302	35740	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:52.805871010 CET	35742	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:52.812226057 CET	1302	35742	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:52.812315941 CET	35742	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:52.813039064 CET	35742	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:52.820015907 CET	1302	35742	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:52.820065022 CET	35742	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:52.826348066 CET	1302	35742	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:54.515391111 CET	1302	35742	141.98.10.115	192.168.2.15
Jan 8, 2025 17:12:54.515624046 CET	35742	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:12:54.520529032 CET	1302	35742	141.98.10.115	192.168.2.15

System Behavior

Analysis Process: uYtea.ppc.elf PID: 5552, Parent PID: 5473

General

Start time (UTC):	16:10:50
Start date (UTC):	08/01/2025
Path:	/tmp/uYtea.ppc.elf
Arguments:	/tmp/uYtea.ppc.elf
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Chronological Activities

Analysis Process: uYtea.ppc.elf PID: 5554, Parent PID: 5552

General

Start time (UTC):	16:10:50
Start date (UTC):	08/01/2025
Path:	/tmp/uYtea.ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Chronological Activities

Analysis Process: uYtea.ppc.elf PID: 5560, Parent PID: 5554

General

Start time (UTC):	16:10:50
Start date (UTC):	08/01/2025
Path:	/tmp/uYtea.ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report uYtea.ppc.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: uYtea.ppc.elf PID: 5552, Parent PID: 5473

General

Chronological Activities

Analysis Process: uYtea.ppc.elf PID: 5554, Parent PID: 5552

General

Chronological Activities

Analysis Process: uYtea.ppc.elf PID: 5560, Parent PID: 5554

General

Chronological Activities

Linux Analysis Report
uYtea.ppc.elf