Edit tour

Linux Analysis Report
boatnet.m68k.elf

Overview

General Information

Sample name:	boatnet.m68k.elf
Analysis ID:	1588200
MD5:	df3457e13e59ec5dc4dad27fd20e0dbb
SHA1:	a9e953567d44c0c2539fd960afdbdbce9e094d75
SHA256:	9f69eb2a80da5e1c62aa57e361ca6bbd647c390f4205ae5200cf415ac33f03e9
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Sends malformed DNS queries

Executes the "rm" command used to delete files or directories

Sample has stripped symbol table

Sample listens on a socket

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588200
Start date and time:	2025-01-10 22:34:20 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	boatnet.m68k.elf
Detection:	MAL
Classification:	mal52.troj.linELF@0/0@20/0

Warnings

VT rate limit hit for: w3d0ntlikebot5.parody

Runtime Messages

Command:	/tmp/boatnet.m68k.elf
PID:	5426
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	The Peoples Bank of China.
Standard Error:

Process Tree

system is lnxubuntu20

dash New Fork (PID: 5411, Parent: 3577)

rm (PID: 5411, Parent: 3577, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.U54jVe4wZw /tmp/tmp.EMvb9QwckN /tmp/tmp.GJwcdQJgjw

dash New Fork (PID: 5412, Parent: 3577)

rm (PID: 5412, Parent: 3577, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.U54jVe4wZw /tmp/tmp.EMvb9QwckN /tmp/tmp.GJwcdQJgjw

boatnet.m68k.elf (PID: 5426, Parent: 5347, MD5: cd177594338c77b895ae27c33f8f86cc) Arguments: /tmp/boatnet.m68k.elf

boatnet.m68k.elf New Fork (PID: 5428, Parent: 5426)

boatnet.m68k.elf New Fork (PID: 5430, Parent: 5428)

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: boatnet.m68k.elf	Virustotal: Detection: 25%			Perma Link
Source: boatnet.m68k.elf	ReversingLabs: Detection: 28%

Networking

Sends malformed DNS queries

Source: global traffic	DNS traffic detected: malformed DNS query: yellowchink.pirate. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: infectedslurs.geek. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: burnthe.libre. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: freethemonkeys.pirate. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: dogeatingchink.parody. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: chinklabs.dyn. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: himrresearcher.dyn. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: netfags.geek. [malformed]

Source: /tmp/boatnet.m68k.elf (PID: 5426)

Socket: 127.0.0.1:39148

Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.13:48202 -> 185.125.190.26:443

Source: unknown	TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown	UDP traffic detected without corresponding DNS query: 5.161.109.23
Source: unknown	UDP traffic detected without corresponding DNS query: 95.216.99.249
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 139.84.165.176
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 64.176.6.48
Source: unknown	UDP traffic detected without corresponding DNS query: 137.220.55.93
Source: unknown	UDP traffic detected without corresponding DNS query: 139.84.165.176
Source: unknown	UDP traffic detected without corresponding DNS query: 139.84.165.176
Source: unknown	UDP traffic detected without corresponding DNS query: 185.232.68.212
Source: unknown	UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 139.84.165.176
Source: unknown	UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown	UDP traffic detected without corresponding DNS query: 95.216.99.249
Source: unknown	UDP traffic detected without corresponding DNS query: 185.232.68.212
Source: unknown	UDP traffic detected without corresponding DNS query: 185.232.68.212
Source: unknown	UDP traffic detected without corresponding DNS query: 65.21.1.106
Source: unknown	UDP traffic detected without corresponding DNS query: 65.21.1.106
Source: unknown	UDP traffic detected without corresponding DNS query: 95.216.99.249
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203

Source: global traffic	DNS traffic detected: DNS query: chinklabs.dyn
Source: global traffic	DNS traffic detected: DNS query: infectedslurs.geek
Source: global traffic	DNS traffic detected: DNS query: w3d0ntlikebot5.parody
Source: global traffic	DNS traffic detected: DNS query: yellowchink.pirate. [malformed]
Source: global traffic	DNS traffic detected: DNS query: infectedslurs.geek. [malformed]
Source: global traffic	DNS traffic detected: DNS query: burnthe.libre. [malformed]
Source: global traffic	DNS traffic detected: DNS query: freethemonkeys.pirate. [malformed]
Source: global traffic	DNS traffic detected: DNS query: dogeatingchink.parody. [malformed]
Source: global traffic	DNS traffic detected: DNS query: chinklabs.dyn. [malformed]
Source: global traffic	DNS traffic detected: DNS query: infectedchink.pirate
Source: global traffic	DNS traffic detected: DNS query: dogeatingchink.parody
Source: global traffic	DNS traffic detected: DNS query: himrresearcher.dyn. [malformed]
Source: global traffic	DNS traffic detected: DNS query: netfags.geek. [malformed]

Source: unknown

Network traffic detected: HTTP traffic on port 48202 -> 443

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal52.troj.linELF@0/0@20/0

Source: /usr/bin/dash (PID: 5411)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.U54jVe4wZw /tmp/tmp.EMvb9QwckN /tmp/tmp.GJwcdQJgjw			Jump to behavior
Source: /usr/bin/dash (PID: 5412)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.U54jVe4wZw /tmp/tmp.EMvb9QwckN /tmp/tmp.GJwcdQJgjw			Jump to behavior

Source: /tmp/boatnet.m68k.elf (PID: 5426)

Queries kernel information via 'uname':

Jump to behavior

Source: boatnet.m68k.elf, 5426.1.00007ffe05d8e000.00007ffe05daf000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-m68k/tmp/boatnet.m68k.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/boatnet.m68k.elf
Source: boatnet.m68k.elf, 5426.1.000055a8ecdd6000.000055a8ece5a000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/m68k
Source: boatnet.m68k.elf, 5426.1.00007ffe05d8e000.00007ffe05daf000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-m68k
Source: boatnet.m68k.elf, 5426.1.000055a8ecdd6000.000055a8ece5a000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/m68k

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 File Deletion	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
boatnet.m68k.elf	25%	Virustotal		Browse
boatnet.m68k.elf	29%	ReversingLabs	Linux.Backdoor.Mirai

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
w3d0ntlikebot5.parody	172.232.34.247	true	false	unknown
infectedslurs.geek	45.79.236.13	true	true	unknown
infectedchink.pirate	unknown	unknown	false	unknown
himrresearcher.dyn. [malformed]	unknown	unknown	true	unknown
chinklabs.dyn. [malformed]	unknown	unknown	true	unknown
burnthe.libre. [malformed]	unknown	unknown	true	unknown
netfags.geek. [malformed]	unknown	unknown	true	unknown
dogeatingchink.parody. [malformed]	unknown	unknown	true	unknown
infectedslurs.geek. [malformed]	unknown	unknown	true	unknown
freethemonkeys.pirate. [malformed]	unknown	unknown	true	unknown
yellowchink.pirate. [malformed]	unknown	unknown	true	unknown
chinklabs.dyn	unknown	unknown	true	unknown
dogeatingchink.parody	unknown	unknown	true	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.105.120.101	unknown	United States	63949	LINODE-APLinodeLLCUS	false
185.125.190.26	unknown	United Kingdom	41231	CANONICAL-ASGB	false
172.234.20.31	unknown	United States	20940	AKAMAI-ASN1EU	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
185.125.190.26	ssh.elf	Get hash	malicious	Gafgyt	Browse
	gnjqwpc.elf	Get hash	malicious	Unknown	Browse
	Space.arm6.elf	Get hash	malicious	Unknown	Browse
	main_sh4.elf	Get hash	malicious	Mirai	Browse
	fenty.arm4.elf	Get hash	malicious	Mirai	Browse
	Space.x86.elf	Get hash	malicious	Unknown	Browse
	boatnet.mpsl.elf	Get hash	malicious	Mirai	Browse
	wind.arm5.elf	Get hash	malicious	Mirai	Browse
	main_ppc.elf	Get hash	malicious	Mirai	Browse
	.i.elf	Get hash	malicious	Unknown	Browse
172.105.120.101	boatnet.ppc.elf	Get hash	malicious	Unknown	Browse
172.105.120.101	meow.arm.elf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
w3d0ntlikebot5.parody	boatnet.mpsl.elf	Get hash	malicious	Unknown	Browse	172.236.61.194
	j980HN1yJw.elf	Get hash	malicious	Unknown	Browse	204.76.203.19
	vCh0ttyibb.elf	Get hash	malicious	Unknown	Browse	5.181.80.189
infectedslurs.geek	vCh0ttyibb.elf	Get hash	malicious	Unknown	Browse	204.76.203.15

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LINODE-APLinodeLLCUS	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	45.33.2.79
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	198.58.118.167
	Benefit_401k_2025_Enrollment.pdf	Get hash	malicious	Unknown	Browse	198.58.122.131
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	45.33.23.183
	ZipThis.exe	Get hash	malicious	Unknown	Browse	45.33.84.9
	miori.x86.elf	Get hash	malicious	Unknown	Browse	45.79.143.171
	https://creditunions.taplink.ws	Get hash	malicious	HTMLPhisher	Browse	198.58.107.108
	ZipThis.exe	Get hash	malicious	Unknown	Browse	45.33.84.9
	http://phothockey.ch	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	172.105.221.29
	cZO.exe	Get hash	malicious	Unknown	Browse	198.74.48.115
CANONICAL-ASGB	ssd.elf	Get hash	malicious	Gafgyt	Browse	91.189.91.42
	arm7.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	ssy.elf	Get hash	malicious	Gafgyt	Browse	91.189.91.42
	ssh.elf	Get hash	malicious	Gafgyt	Browse	185.125.190.26
	UnHAnaAW.mpsl.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	UnHAnaAW.arm7.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	UnHAnaAW.sh4.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	wrjkngh4.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	gnjqwpc.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	fqkjei686.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
AKAMAI-ASN1EU	https://payhip.com/b/J12iX/purchased	Get hash	malicious	Unknown	Browse	2.16.168.106
	http://unikuesolutions.com/ck/bd/%7BRANDOM_NUMBER05%7D/YmVuc29uLmxpbkB2aGFjb3JwLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	2.16.168.12
	Bontrageroutdoors_Project_Update_202557516.pdf	Get hash	malicious	Unknown	Browse	2.16.238.149
	Message 2.eml	Get hash	malicious	Unknown	Browse	2.16.168.101
	Message.eml	Get hash	malicious	Unknown	Browse	2.16.168.101
	https://www.filemail.com/d/rxythqchkhluipl?skipreg=true	Get hash	malicious	Unknown	Browse	2.16.238.149
	https://app.planable.io/review/0OPaw36t6M_k	Get hash	malicious	HTMLPhisher	Browse	104.124.11.217
	Quarantined Messages(3).zip	Get hash	malicious	HTMLPhisher	Browse	2.22.242.90
	https://www.dcamarketintelligence.com/tdt	Get hash	malicious	Unknown	Browse	88.221.110.227
	5.elf	Get hash	malicious	Unknown	Browse	172.235.247.29

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.1534083938138995
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	boatnet.m68k.elf
File size:	29'884 bytes
MD5:	df3457e13e59ec5dc4dad27fd20e0dbb
SHA1:	a9e953567d44c0c2539fd960afdbdbce9e094d75
SHA256:	9f69eb2a80da5e1c62aa57e361ca6bbd647c390f4205ae5200cf415ac33f03e9
SHA512:	2d5c21943d924e99c60312f985137a44d2e238734e49c3030e52fe73d4df5294f5834bb6a9eb68c7f2188efdacf2b20a91d6ec7323f2b6039a378978229f5489
SSDEEP:	768:p4Te27r+jp2soLyOeQFR09EJm0paBAc+84Tt+3wmzX:ER+jp23LreQ89EJmiaBe84KX
TLSH:	EED2D797B800E8BDF885E77B85170909F1B07AD905E11A77B367B99B9C711C48C2AF82
File Content Preview:	.ELF.......................D...4..s,.....4. ...(......................q...q....... .......q............d.......... .dt.Q............................NV..a....da...k$N^NuNV..J9....f>"y.... QJ.g.X.#.....N."y.... QJ.f.A.....J.g.Hy..q.N.X.........N^NuNV..N^NuN

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MC68000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x80000144
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	29484
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x80000094	0x94	0x14	0x0	0x6	AX	2
.text	PROGBITS	0x800000a8	0xa8	0x6b4e	0x0	0x6	AX	4
.fini	PROGBITS	0x80006bf6	0x6bf6	0xe	0x0	0x6	AX	2
.rodata	PROGBITS	0x80006c04	0x6c04	0x580	0x0	0x2	A	1
.ctors	PROGBITS	0x80009188	0x7188	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x80009190	0x7190	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x8000919c	0x719c	0x150	0x0	0x3	WA	4
.bss	NOBITS	0x800092ec	0x72ec	0x174	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x72ec	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x80000000	0x80000000	0x7184	0x7184	6.2235	0x5	R E	0x2000	.init .text .fini .rodata
LOAD	0x7188	0x80009188	0x80009188	0x164	0x2d8	0.5874	0x6	RW	0x2000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 22:35:06.034734964 CET	40314	25596	192.168.2.13	172.234.20.31
Jan 10, 2025 22:35:06.040242910 CET	25596	40314	172.234.20.31	192.168.2.13
Jan 10, 2025 22:35:06.040299892 CET	40314	25596	192.168.2.13	172.234.20.31
Jan 10, 2025 22:35:06.041380882 CET	40314	25596	192.168.2.13	172.234.20.31
Jan 10, 2025 22:35:06.047472000 CET	25596	40314	172.234.20.31	192.168.2.13
Jan 10, 2025 22:35:06.047549009 CET	40314	25596	192.168.2.13	172.234.20.31
Jan 10, 2025 22:35:06.052992105 CET	25596	40314	172.234.20.31	192.168.2.13
Jan 10, 2025 22:35:09.387058973 CET	48202	443	192.168.2.13	185.125.190.26
Jan 10, 2025 22:35:16.051079035 CET	40314	25596	192.168.2.13	172.234.20.31
Jan 10, 2025 22:35:16.056090117 CET	25596	40314	172.234.20.31	192.168.2.13
Jan 10, 2025 22:35:27.418837070 CET	25596	40314	172.234.20.31	192.168.2.13
Jan 10, 2025 22:35:27.419039011 CET	40314	25596	192.168.2.13	172.234.20.31
Jan 10, 2025 22:35:27.419464111 CET	40314	25596	192.168.2.13	172.234.20.31
Jan 10, 2025 22:35:27.424199104 CET	25596	40314	172.234.20.31	192.168.2.13
Jan 10, 2025 22:35:28.449680090 CET	51978	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:35:28.454554081 CET	25596	51978	172.105.120.101	192.168.2.13
Jan 10, 2025 22:35:28.454658031 CET	51978	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:35:28.455432892 CET	51978	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:35:28.460269928 CET	25596	51978	172.105.120.101	192.168.2.13
Jan 10, 2025 22:35:28.460330963 CET	51978	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:35:28.465188980 CET	25596	51978	172.105.120.101	192.168.2.13
Jan 10, 2025 22:35:30.529628038 CET	25596	51978	172.105.120.101	192.168.2.13
Jan 10, 2025 22:35:30.529978037 CET	51978	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:35:30.534867048 CET	25596	51978	172.105.120.101	192.168.2.13
Jan 10, 2025 22:35:36.538595915 CET	51980	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:35:36.543601036 CET	25596	51980	172.105.120.101	192.168.2.13
Jan 10, 2025 22:35:36.543713093 CET	51980	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:35:36.544691086 CET	51980	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:35:36.549494982 CET	25596	51980	172.105.120.101	192.168.2.13
Jan 10, 2025 22:35:36.549592018 CET	51980	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:35:36.554375887 CET	25596	51980	172.105.120.101	192.168.2.13
Jan 10, 2025 22:35:38.644742966 CET	25596	51980	172.105.120.101	192.168.2.13
Jan 10, 2025 22:35:38.644938946 CET	51980	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:35:38.649771929 CET	25596	51980	172.105.120.101	192.168.2.13
Jan 10, 2025 22:35:39.665369034 CET	51982	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:35:39.670253992 CET	25596	51982	172.105.120.101	192.168.2.13
Jan 10, 2025 22:35:39.670326948 CET	51982	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:35:39.671045065 CET	51982	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:35:39.675817013 CET	25596	51982	172.105.120.101	192.168.2.13
Jan 10, 2025 22:35:39.675862074 CET	51982	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:35:39.680619955 CET	25596	51982	172.105.120.101	192.168.2.13
Jan 10, 2025 22:35:39.851031065 CET	48202	443	192.168.2.13	185.125.190.26
Jan 10, 2025 22:35:41.730623960 CET	25596	51982	172.105.120.101	192.168.2.13
Jan 10, 2025 22:35:41.730982065 CET	51982	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:35:41.735821009 CET	25596	51982	172.105.120.101	192.168.2.13
Jan 10, 2025 22:35:47.740226030 CET	51984	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:35:47.745328903 CET	25596	51984	172.105.120.101	192.168.2.13
Jan 10, 2025 22:35:47.745450020 CET	51984	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:35:47.747275114 CET	51984	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:35:47.752662897 CET	25596	51984	172.105.120.101	192.168.2.13
Jan 10, 2025 22:35:47.752743006 CET	51984	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:35:47.758069992 CET	25596	51984	172.105.120.101	192.168.2.13
Jan 10, 2025 22:35:49.804433107 CET	25596	51984	172.105.120.101	192.168.2.13
Jan 10, 2025 22:35:49.804748058 CET	51984	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:35:49.809552908 CET	25596	51984	172.105.120.101	192.168.2.13
Jan 10, 2025 22:35:55.814409018 CET	51986	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:35:55.819341898 CET	25596	51986	172.105.120.101	192.168.2.13
Jan 10, 2025 22:35:55.819449902 CET	51986	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:35:55.820564032 CET	51986	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:35:55.825354099 CET	25596	51986	172.105.120.101	192.168.2.13
Jan 10, 2025 22:35:55.825454950 CET	51986	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:35:55.830284119 CET	25596	51986	172.105.120.101	192.168.2.13
Jan 10, 2025 22:35:57.902625084 CET	25596	51986	172.105.120.101	192.168.2.13
Jan 10, 2025 22:35:57.903006077 CET	51986	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:35:57.903048038 CET	51986	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:35:57.907937050 CET	25596	51986	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:03.912075043 CET	51988	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:03.916987896 CET	25596	51988	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:03.917077065 CET	51988	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:03.917824984 CET	51988	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:03.922673941 CET	25596	51988	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:03.922736883 CET	51988	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:03.927577019 CET	25596	51988	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:06.000794888 CET	25596	51988	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:06.001164913 CET	51988	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:06.005981922 CET	25596	51988	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:12.007709026 CET	51990	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:12.012573004 CET	25596	51990	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:12.012640953 CET	51990	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:12.013372898 CET	51990	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:12.018126011 CET	25596	51990	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:12.018186092 CET	51990	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:12.022979021 CET	25596	51990	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:14.111210108 CET	25596	51990	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:14.111578941 CET	51990	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:14.116405010 CET	25596	51990	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:15.132318020 CET	51992	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:15.137197971 CET	25596	51992	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:15.137295008 CET	51992	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:15.138524055 CET	51992	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:15.143419981 CET	25596	51992	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:15.143513918 CET	51992	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:15.148315907 CET	25596	51992	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:17.218010902 CET	25596	51992	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:17.218364000 CET	51992	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:17.223145962 CET	25596	51992	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:23.226496935 CET	51994	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:23.231748104 CET	25596	51994	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:23.231864929 CET	51994	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:23.232865095 CET	51994	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:23.238070011 CET	25596	51994	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:23.238130093 CET	51994	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:23.242903948 CET	25596	51994	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:25.289356947 CET	25596	51994	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:25.289648056 CET	51994	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:25.294444084 CET	25596	51994	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:26.323673964 CET	51996	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:26.330960989 CET	25596	51996	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:26.331056118 CET	51996	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:26.332083941 CET	51996	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:26.336941004 CET	25596	51996	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:26.336998940 CET	51996	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:26.342912912 CET	25596	51996	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:28.457545996 CET	25596	51996	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:28.457834959 CET	51996	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:28.462764978 CET	25596	51996	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:34.466567039 CET	51998	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:34.471554995 CET	25596	51998	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:34.471616030 CET	51998	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:34.472352982 CET	51998	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:34.477252960 CET	25596	51998	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:34.477299929 CET	51998	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:34.482125044 CET	25596	51998	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:36.542062998 CET	25596	51998	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:36.542372942 CET	51998	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:36.547352076 CET	25596	51998	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:42.552181005 CET	52000	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:42.558821917 CET	25596	52000	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:42.558897972 CET	52000	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:42.560043097 CET	52000	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:42.565000057 CET	25596	52000	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:42.565063953 CET	52000	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:42.569952011 CET	25596	52000	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:44.657103062 CET	25596	52000	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:44.657397032 CET	52000	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:44.662363052 CET	25596	52000	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:45.687838078 CET	52002	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:45.694956064 CET	25596	52002	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:45.695045948 CET	52002	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:45.695837021 CET	52002	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:45.700707912 CET	25596	52002	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:45.700774908 CET	52002	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:45.706151962 CET	25596	52002	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:47.744127989 CET	25596	52002	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:47.744524956 CET	52002	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:47.749330997 CET	25596	52002	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:48.765537977 CET	52004	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:48.770313978 CET	25596	52004	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:48.770414114 CET	52004	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:48.771589994 CET	52004	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:48.776364088 CET	25596	52004	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:48.776452065 CET	52004	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:48.781290054 CET	25596	52004	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:50.838845968 CET	25596	52004	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:50.839165926 CET	52004	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:50.844074011 CET	25596	52004	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:51.859720945 CET	52006	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:51.864531040 CET	25596	52006	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:51.864614010 CET	52006	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:51.865600109 CET	52006	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:51.870326042 CET	25596	52006	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:51.870383978 CET	52006	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:51.875171900 CET	25596	52006	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:53.933391094 CET	25596	52006	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:53.933851004 CET	52006	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:53.938766956 CET	25596	52006	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:54.965763092 CET	52008	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:54.970678091 CET	25596	52008	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:54.970768929 CET	52008	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:54.972275019 CET	52008	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:54.977086067 CET	25596	52008	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:54.977170944 CET	52008	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:54.981961012 CET	25596	52008	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:57.066231966 CET	25596	52008	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:57.066597939 CET	52008	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:57.071636915 CET	25596	52008	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:58.098310947 CET	52010	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:58.104063988 CET	25596	52010	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:58.104146004 CET	52010	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:58.105684042 CET	52010	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:58.111394882 CET	25596	52010	172.105.120.101	192.168.2.13
Jan 10, 2025 22:36:58.111469984 CET	52010	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:36:58.117157936 CET	25596	52010	172.105.120.101	192.168.2.13
Jan 10, 2025 22:37:00.205312967 CET	25596	52010	172.105.120.101	192.168.2.13
Jan 10, 2025 22:37:00.205668926 CET	52010	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:37:00.210635900 CET	25596	52010	172.105.120.101	192.168.2.13
Jan 10, 2025 22:37:01.235759974 CET	52012	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:37:01.240763903 CET	25596	52012	172.105.120.101	192.168.2.13
Jan 10, 2025 22:37:01.240875006 CET	52012	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:37:01.241947889 CET	52012	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:37:01.246716022 CET	25596	52012	172.105.120.101	192.168.2.13
Jan 10, 2025 22:37:01.246793985 CET	52012	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:37:01.251629114 CET	25596	52012	172.105.120.101	192.168.2.13
Jan 10, 2025 22:37:03.310262918 CET	25596	52012	172.105.120.101	192.168.2.13
Jan 10, 2025 22:37:03.310471058 CET	52012	25596	192.168.2.13	172.105.120.101
Jan 10, 2025 22:37:03.315382004 CET	25596	52012	172.105.120.101	192.168.2.13

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 22:34:58.919219017 CET	59923	53	192.168.2.13	5.161.109.23
Jan 10, 2025 22:35:05.928951979 CET	53663	53	192.168.2.13	95.216.99.249
Jan 10, 2025 22:35:06.032659054 CET	53	53663	95.216.99.249	192.168.2.13
Jan 10, 2025 22:35:28.421717882 CET	43648	53	192.168.2.13	81.169.136.222
Jan 10, 2025 22:35:28.448942900 CET	53	43648	81.169.136.222	192.168.2.13
Jan 10, 2025 22:35:31.532639027 CET	44994	53	192.168.2.13	139.84.165.176
Jan 10, 2025 22:35:39.647432089 CET	45282	53	192.168.2.13	194.36.144.87
Jan 10, 2025 22:35:39.664639950 CET	53	45282	194.36.144.87	192.168.2.13
Jan 10, 2025 22:35:42.733850002 CET	35928	53	192.168.2.13	64.176.6.48
Jan 10, 2025 22:35:50.808439016 CET	52922	53	192.168.2.13	137.220.55.93
Jan 10, 2025 22:35:58.906300068 CET	52350	53	192.168.2.13	139.84.165.176
Jan 10, 2025 22:36:07.003635883 CET	32828	53	192.168.2.13	139.84.165.176
Jan 10, 2025 22:36:15.114387035 CET	37312	53	192.168.2.13	185.232.68.212
Jan 10, 2025 22:36:15.131505013 CET	53	37312	185.232.68.212	192.168.2.13
Jan 10, 2025 22:36:18.220688105 CET	39919	53	192.168.2.13	178.254.22.166
Jan 10, 2025 22:36:26.292351961 CET	35588	53	192.168.2.13	81.169.136.222
Jan 10, 2025 22:36:26.322998047 CET	53	35588	81.169.136.222	192.168.2.13
Jan 10, 2025 22:36:29.460905075 CET	51182	53	192.168.2.13	139.84.165.176
Jan 10, 2025 22:36:37.546191931 CET	39027	53	192.168.2.13	178.254.22.166
Jan 10, 2025 22:36:45.659807920 CET	51923	53	192.168.2.13	95.216.99.249
Jan 10, 2025 22:36:45.687026024 CET	53	51923	95.216.99.249	192.168.2.13
Jan 10, 2025 22:36:48.747296095 CET	35629	53	192.168.2.13	185.232.68.212
Jan 10, 2025 22:36:48.764483929 CET	53	35629	185.232.68.212	192.168.2.13
Jan 10, 2025 22:36:51.841684103 CET	51512	53	192.168.2.13	185.232.68.212
Jan 10, 2025 22:36:51.859050989 CET	53	51512	185.232.68.212	192.168.2.13
Jan 10, 2025 22:36:54.938353062 CET	54201	53	192.168.2.13	65.21.1.106
Jan 10, 2025 22:36:54.964806080 CET	53	54201	65.21.1.106	192.168.2.13
Jan 10, 2025 22:36:58.069703102 CET	48640	53	192.168.2.13	65.21.1.106
Jan 10, 2025 22:36:58.097322941 CET	53	48640	65.21.1.106	192.168.2.13
Jan 10, 2025 22:37:01.208424091 CET	35023	53	192.168.2.13	95.216.99.249
Jan 10, 2025 22:37:01.234677076 CET	53	35023	95.216.99.249	192.168.2.13
Jan 10, 2025 22:37:04.312935114 CET	54609	53	192.168.2.13	51.158.108.203

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 22:34:58.919219017 CET	192.168.2.13	5.161.109.23	0xb64d	Standard query (0)	chinklabs.dyn	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:35:05.928951979 CET	192.168.2.13	95.216.99.249	0xd2c7	Standard query (0)	infectedslurs.geek	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:35:28.421717882 CET	192.168.2.13	81.169.136.222	0xef7f	Standard query (0)	w3d0ntlikebot5.parody	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:35:31.532639027 CET	192.168.2.13	139.84.165.176	0xb5cd	Standard query (0)	yellowchink.pirate. [malformed]	256	424	false
Jan 10, 2025 22:35:39.647432089 CET	192.168.2.13	194.36.144.87	0xc8a4	Standard query (0)	infectedslurs.geek. [malformed]	256	427	false
Jan 10, 2025 22:35:42.733850002 CET	192.168.2.13	64.176.6.48	0x1524	Standard query (0)	yellowchink.pirate. [malformed]	256	435	false
Jan 10, 2025 22:35:50.808439016 CET	192.168.2.13	137.220.55.93	0xa8c8	Standard query (0)	burnthe.libre. [malformed]	256	443	false
Jan 10, 2025 22:35:58.906300068 CET	192.168.2.13	139.84.165.176	0x8c85	Standard query (0)	freethemonkeys.pirate. [malformed]	256	451	false
Jan 10, 2025 22:36:07.003635883 CET	192.168.2.13	139.84.165.176	0x766a	Standard query (0)	dogeatingchink.parody. [malformed]	256	460	false
Jan 10, 2025 22:36:15.114387035 CET	192.168.2.13	185.232.68.212	0xf981	Standard query (0)	chinklabs.dyn. [malformed]	256	463	false
Jan 10, 2025 22:36:18.220688105 CET	192.168.2.13	178.254.22.166	0x6369	Standard query (0)	infectedslurs.geek. [malformed]	256	471	false
Jan 10, 2025 22:36:26.292351961 CET	192.168.2.13	81.169.136.222	0x93c6	Standard query (0)	infectedchink.pirate	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:36:29.460905075 CET	192.168.2.13	139.84.165.176	0x600f	Standard query (0)	dogeatingchink.parody	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:36:37.546191931 CET	192.168.2.13	178.254.22.166	0xf6b4	Standard query (0)	himrresearcher.dyn. [malformed]	256	490	false
Jan 10, 2025 22:36:45.659807920 CET	192.168.2.13	95.216.99.249	0xf897	Standard query (0)	infectedslurs.geek. [malformed]	256	493	false
Jan 10, 2025 22:36:48.747296095 CET	192.168.2.13	185.232.68.212	0xef55	Standard query (0)	burnthe.libre. [malformed]	256	496	false
Jan 10, 2025 22:36:51.841684103 CET	192.168.2.13	185.232.68.212	0xdb36	Standard query (0)	infectedchink.pirate	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:36:54.938353062 CET	192.168.2.13	65.21.1.106	0x20df	Standard query (0)	netfags.geek. [malformed]	256	502	false
Jan 10, 2025 22:36:58.069703102 CET	192.168.2.13	65.21.1.106	0xe48d	Standard query (0)	himrresearcher.dyn. [malformed]	256	506	false
Jan 10, 2025 22:37:01.208424091 CET	192.168.2.13	95.216.99.249	0x79a3	Standard query (0)	himrresearcher.dyn. [malformed]	256	509	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 22:35:06.032659054 CET	95.216.99.249	192.168.2.13	0xd2c7	No error (0)	infectedslurs.geek		45.79.236.13	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:35:06.032659054 CET	95.216.99.249	192.168.2.13	0xd2c7	No error (0)	infectedslurs.geek		172.105.120.101	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:35:06.032659054 CET	95.216.99.249	192.168.2.13	0xd2c7	No error (0)	infectedslurs.geek		172.232.34.247	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:35:06.032659054 CET	95.216.99.249	192.168.2.13	0xd2c7	No error (0)	infectedslurs.geek		172.236.28.137	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:35:06.032659054 CET	95.216.99.249	192.168.2.13	0xd2c7	No error (0)	infectedslurs.geek		170.187.181.188	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:35:06.032659054 CET	95.216.99.249	192.168.2.13	0xd2c7	No error (0)	infectedslurs.geek		172.234.20.31	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:35:06.032659054 CET	95.216.99.249	192.168.2.13	0xd2c7	No error (0)	infectedslurs.geek		172.236.11.132	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:35:06.032659054 CET	95.216.99.249	192.168.2.13	0xd2c7	No error (0)	infectedslurs.geek		74.207.230.91	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:35:06.032659054 CET	95.216.99.249	192.168.2.13	0xd2c7	No error (0)	infectedslurs.geek		172.236.61.194	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:35:06.032659054 CET	95.216.99.249	192.168.2.13	0xd2c7	No error (0)	infectedslurs.geek		192.46.236.113	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:35:06.032659054 CET	95.216.99.249	192.168.2.13	0xd2c7	No error (0)	infectedslurs.geek		172.104.165.127	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:35:06.032659054 CET	95.216.99.249	192.168.2.13	0xd2c7	No error (0)	infectedslurs.geek		104.237.135.249	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:35:06.032659054 CET	95.216.99.249	192.168.2.13	0xd2c7	No error (0)	infectedslurs.geek		172.233.66.46	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:35:06.032659054 CET	95.216.99.249	192.168.2.13	0xd2c7	No error (0)	infectedslurs.geek		104.237.135.234	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:35:06.032659054 CET	95.216.99.249	192.168.2.13	0xd2c7	No error (0)	infectedslurs.geek		172.105.109.175	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:35:28.448942900 CET	81.169.136.222	192.168.2.13	0xef7f	No error (0)	w3d0ntlikebot5.parody		172.232.34.247	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:35:28.448942900 CET	81.169.136.222	192.168.2.13	0xef7f	No error (0)	w3d0ntlikebot5.parody		172.236.61.194	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:35:28.448942900 CET	81.169.136.222	192.168.2.13	0xef7f	No error (0)	w3d0ntlikebot5.parody		172.236.11.132	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:35:28.448942900 CET	81.169.136.222	192.168.2.13	0xef7f	No error (0)	w3d0ntlikebot5.parody		172.104.165.127	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:35:28.448942900 CET	81.169.136.222	192.168.2.13	0xef7f	No error (0)	w3d0ntlikebot5.parody		172.105.109.175	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:35:28.448942900 CET	81.169.136.222	192.168.2.13	0xef7f	No error (0)	w3d0ntlikebot5.parody		74.207.230.91	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:35:28.448942900 CET	81.169.136.222	192.168.2.13	0xef7f	No error (0)	w3d0ntlikebot5.parody		104.237.135.234	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:35:28.448942900 CET	81.169.136.222	192.168.2.13	0xef7f	No error (0)	w3d0ntlikebot5.parody		104.237.135.249	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:35:28.448942900 CET	81.169.136.222	192.168.2.13	0xef7f	No error (0)	w3d0ntlikebot5.parody		172.105.120.101	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:35:28.448942900 CET	81.169.136.222	192.168.2.13	0xef7f	No error (0)	w3d0ntlikebot5.parody		170.187.181.188	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:35:28.448942900 CET	81.169.136.222	192.168.2.13	0xef7f	No error (0)	w3d0ntlikebot5.parody		45.79.236.13	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:35:28.448942900 CET	81.169.136.222	192.168.2.13	0xef7f	No error (0)	w3d0ntlikebot5.parody		172.234.20.31	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:35:28.448942900 CET	81.169.136.222	192.168.2.13	0xef7f	No error (0)	w3d0ntlikebot5.parody		192.46.236.113	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:35:28.448942900 CET	81.169.136.222	192.168.2.13	0xef7f	No error (0)	w3d0ntlikebot5.parody		172.233.66.46	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:35:28.448942900 CET	81.169.136.222	192.168.2.13	0xef7f	No error (0)	w3d0ntlikebot5.parody		172.236.28.137	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:35:39.664639950 CET	194.36.144.87	192.168.2.13	0xc8a4	Format error (1)	infectedslurs.geek. [malformed]	none	none	256	427	false
Jan 10, 2025 22:36:26.322998047 CET	81.169.136.222	192.168.2.13	0x93c6	Name error (3)	infectedchink.pirate	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:36:45.687026024 CET	95.216.99.249	192.168.2.13	0xf897	Format error (1)	infectedslurs.geek. [malformed]	none	none	256	493	false
Jan 10, 2025 22:36:51.859050989 CET	185.232.68.212	192.168.2.13	0xdb36	Refused (5)	infectedchink.pirate	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:36:54.964806080 CET	65.21.1.106	192.168.2.13	0x20df	Format error (1)	netfags.geek. [malformed]	none	none	256	502	false
Jan 10, 2025 22:36:58.097322941 CET	65.21.1.106	192.168.2.13	0xe48d	Format error (1)	himrresearcher.dyn. [malformed]	none	none	256	506	false
Jan 10, 2025 22:37:01.234677076 CET	95.216.99.249	192.168.2.13	0x79a3	Format error (1)	himrresearcher.dyn. [malformed]	none	none	256	509	false

System Behavior

Analysis Process: dash PID: 5411, Parent PID: 3577

General

Start time (UTC):	21:34:47
Start date (UTC):	10/01/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 5411, Parent PID: 3577

General

Start time (UTC):	21:34:47
Start date (UTC):	10/01/2025
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.U54jVe4wZw /tmp/tmp.EMvb9QwckN /tmp/tmp.GJwcdQJgjw
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: dash PID: 5412, Parent PID: 3577

General

Start time (UTC):	21:34:47
Start date (UTC):	10/01/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 5412, Parent PID: 3577

General

Start time (UTC):	21:34:47
Start date (UTC):	10/01/2025
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.U54jVe4wZw /tmp/tmp.EMvb9QwckN /tmp/tmp.GJwcdQJgjw
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: boatnet.m68k.elf PID: 5426, Parent PID: 5347

General

Start time (UTC):	21:34:57
Start date (UTC):	10/01/2025
Path:	/tmp/boatnet.m68k.elf
Arguments:	/tmp/boatnet.m68k.elf
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: boatnet.m68k.elf PID: 5428, Parent PID: 5426

General

Start time (UTC):	21:34:57
Start date (UTC):	10/01/2025
Path:	/tmp/boatnet.m68k.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: boatnet.m68k.elf PID: 5430, Parent PID: 5428

General

Start time (UTC):	21:34:57
Start date (UTC):	10/01/2025
Path:	/tmp/boatnet.m68k.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report boatnet.m68k.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: dash PID: 5411, Parent PID: 3577

General

Chronological Activities

Analysis Process: rm PID: 5411, Parent PID: 3577

General

Chronological Activities

Analysis Process: dash PID: 5412, Parent PID: 3577

General

Chronological Activities

Analysis Process: rm PID: 5412, Parent PID: 3577

General

Chronological Activities

Analysis Process: boatnet.m68k.elf PID: 5426, Parent PID: 5347

General

Chronological Activities

Analysis Process: boatnet.m68k.elf PID: 5428, Parent PID: 5426

General

Chronological Activities

Analysis Process: boatnet.m68k.elf PID: 5430, Parent PID: 5428

General

Chronological Activities

Linux Analysis Report
boatnet.m68k.elf