Edit tour

Linux Analysis Report
boatnet.arm.elf

Overview

General Information

Sample name:	boatnet.arm.elf
Analysis ID:	1588204
MD5:	9ddae3ed15851a6660a6de94dda637ae
SHA1:	ced5e67201d2d06c3c29889ef81cabc9d96cb7c2
SHA256:	eb6da8c6eebe8470b6a107910c74ecc6ec5f2a9fd1f0fd313948c20fe92295cf
Tags:	user-elfdigest
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Sample is packed with UPX

Sends malformed DNS queries

Detected TCP or UDP traffic on non-standard ports

ELF contains segments with high entropy indicating compressed/encrypted content

Sample contains only a LOAD segment without any section mappings

Sample listens on a socket

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588204
Start date and time:	2025-01-10 22:38:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	boatnet.arm.elf
Detection:	MAL
Classification:	mal56.troj.evad.linELF@0/0@29/0

Warnings

VT rate limit hit for: chinklabs.dyn

Runtime Messages

Command:	/tmp/boatnet.arm.elf
PID:	5485
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	The Peoples Bank of China.
Standard Error:

Process Tree

system is lnxubuntu20

boatnet.arm.elf (PID: 5485, Parent: 5409, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/boatnet.arm.elf

boatnet.arm.elf New Fork (PID: 5487, Parent: 5485)

boatnet.arm.elf New Fork (PID: 5489, Parent: 5487)

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: boatnet.arm.elf	Virustotal: Detection: 14%			Perma Link
Source: boatnet.arm.elf	ReversingLabs: Detection: 23%

Networking

Sends malformed DNS queries

Source: global traffic	DNS traffic detected: malformed DNS query: netfags.geek. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: yellowchink.pirate. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: dogeatingchink.parody. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: hiakamai.dyn. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: himrresearcher.dyn. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: w3d0ntlikebot5.parody. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: infectedslurs.geek. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: chinklabs.dyn. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: burnthe.libre. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: freethemonkeys.pirate. [malformed]

Source: global traffic

TCP traffic: 192.168.2.14:38924 -> 193.143.1.54:25596

Source: /tmp/boatnet.arm.elf (PID: 5485)

Socket: 127.0.0.1:39148

Jump to behavior

Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 95.216.99.249
Source: unknown	UDP traffic detected without corresponding DNS query: 5.161.109.23
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown	UDP traffic detected without corresponding DNS query: 185.232.68.212
Source: unknown	UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown	UDP traffic detected without corresponding DNS query: 5.161.109.23
Source: unknown	UDP traffic detected without corresponding DNS query: 5.161.109.23
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 95.216.99.249
Source: unknown	UDP traffic detected without corresponding DNS query: 65.21.1.106
Source: unknown	UDP traffic detected without corresponding DNS query: 95.216.99.249
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 65.21.1.106
Source: unknown	UDP traffic detected without corresponding DNS query: 64.176.6.48
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown	UDP traffic detected without corresponding DNS query: 185.232.68.212
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 5.161.109.23
Source: unknown	UDP traffic detected without corresponding DNS query: 178.254.22.166

Source: global traffic	DNS traffic detected: DNS query: chinklabs.dyn
Source: global traffic	DNS traffic detected: DNS query: freethewind.parody
Source: global traffic	DNS traffic detected: DNS query: netfags.geek. [malformed]
Source: global traffic	DNS traffic detected: DNS query: dogeatingchink.parody
Source: global traffic	DNS traffic detected: DNS query: yellowchink.pirate. [malformed]
Source: global traffic	DNS traffic detected: DNS query: dogeatingchink.parody. [malformed]
Source: global traffic	DNS traffic detected: DNS query: hiakamai.dyn. [malformed]
Source: global traffic	DNS traffic detected: DNS query: himrresearcher.dyn. [malformed]
Source: global traffic	DNS traffic detected: DNS query: w3d0ntlikebot5.parody. [malformed]
Source: global traffic	DNS traffic detected: DNS query: infectedslurs.geek. [malformed]
Source: global traffic	DNS traffic detected: DNS query: chinklabs.dyn. [malformed]
Source: global traffic	DNS traffic detected: DNS query: infectedchink.pirate
Source: global traffic	DNS traffic detected: DNS query: burnthe.libre. [malformed]
Source: global traffic	DNS traffic detected: DNS query: freethemonkeys.pirate. [malformed]

Source: boatnet.arm.elf

String found in binary or memory: http://upx.sf.net

Source: LOAD without section mappings

Program segment: 0x8000

Source: classification engine

Classification label: mal56.troj.evad.linELF@0/0@29/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Source: boatnet.arm.elf

Submission file: segment LOAD with 7.7034 entropy (max. 8.0)

Source: /tmp/boatnet.arm.elf (PID: 5485)

Queries kernel information via 'uname':

Jump to behavior

Source: boatnet.arm.elf, 5485.1.0000557b596d5000.0000557b598c3000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: boatnet.arm.elf, 5485.1.00007ffd4445c000.00007ffd4447d000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: boatnet.arm.elf, 5485.1.0000557b596d5000.0000557b598c3000.rw-.sdmp	Binary or memory string: nY{U!/etc/qemu-binfmt/arm
Source: boatnet.arm.elf, 5485.1.00007ffd4445c000.00007ffd4447d000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/boatnet.arm.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/boatnet.arm.elf

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	11 Obfuscated Files or Information	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
boatnet.arm.elf	15%	Virustotal		Browse
boatnet.arm.elf	24%	ReversingLabs	Linux.Trojan.Mirai

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
chinklabs.dyn	193.143.1.54	true	true	unknown
infectedchink.pirate	unknown	unknown	false	unknown
himrresearcher.dyn. [malformed]	unknown	unknown	true	unknown
chinklabs.dyn. [malformed]	unknown	unknown	true	unknown
netfags.geek. [malformed]	unknown	unknown	true	unknown
burnthe.libre. [malformed]	unknown	unknown	true	unknown
dogeatingchink.parody. [malformed]	unknown	unknown	true	unknown
infectedslurs.geek. [malformed]	unknown	unknown	true	unknown
freethewind.parody	unknown	unknown	false	unknown
w3d0ntlikebot5.parody. [malformed]	unknown	unknown	true	unknown
freethemonkeys.pirate. [malformed]	unknown	unknown	true	unknown
hiakamai.dyn. [malformed]	unknown	unknown	true	unknown
yellowchink.pirate. [malformed]	unknown	unknown	true	unknown
dogeatingchink.parody	unknown	unknown	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	boatnet.arm.elf	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.143.1.54	chinklabs.dyn	unknown		57271	BITWEB-ASRU	true

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
193.143.1.54	https://www.lieferung-dhl-tracking.de/captcha/calcul_captcha.php	Get hash	malicious	Unknown	Browse
	https://www.deutschepost-gefolgt.com/	Get hash	malicious	Unknown	Browse
	https://deutsche-post-infos.com/	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
chinklabs.dyn	zerm68k.elf	Get hash	malicious	Unknown	Browse	185.150.24.67

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
BITWEB-ASRU	133313712272908537.js	Get hash	malicious	Strela Downloader	Browse	193.143.1.205
	1667730710460316051.js	Get hash	malicious	Strela Downloader	Browse	193.143.1.205
	2609231882173488714.js	Get hash	malicious	Strela Downloader	Browse	193.143.1.205
	23614810137024152.js	Get hash	malicious	Strela Downloader	Browse	193.143.1.205
	20394193042959831455.js	Get hash	malicious	Strela Downloader	Browse	193.143.1.205
	11057252552282120022.js	Get hash	malicious	Strela Downloader	Browse	193.143.1.205
	3039412363370818030.js	Get hash	malicious	Strela Downloader	Browse	193.143.1.205
	160370701202011504.js	Get hash	malicious	Strela Downloader	Browse	193.143.1.205
	206038195771531175.js	Get hash	malicious	Strela Downloader	Browse	193.143.1.205
	273371081152046820.js	Get hash	malicious	Strela Downloader	Browse	193.143.1.205

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, no section header
Entropy (8bit):	7.695762425558059
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	boatnet.arm.elf
File size:	15'656 bytes
MD5:	9ddae3ed15851a6660a6de94dda637ae
SHA1:	ced5e67201d2d06c3c29889ef81cabc9d96cb7c2
SHA256:	eb6da8c6eebe8470b6a107910c74ecc6ec5f2a9fd1f0fd313948c20fe92295cf
SHA512:	37d34b86a6e45df056c74521127f320cad4ab9891618a99ec5e21b699bd95bee6e1be0fee3734bdba78d0c72c246a7268fed65e9c37de2d404e795cc33c1999a
SSDEEP:	384:wNPZ3wEWnWFfrZbu45kXYRKvkOP1ryYlmhTp/ftBb:OZ3p6WLbu45dKvk2j0dRb
TLSH:	8662D1E86A21AD87F1E00D73488D25CDD1A6202863ADE8657DC01F54E11F90ABA4EDDC
File Content Preview:	.ELF...a..........(.........4...........4. ...(.....................3<..3<...............d...d...d..................Q.td............................}.{mUPX!X.......\d..\d......V.........ELF.ra....(........4...b.... ...w.......... a.../..$a..#hu...C...Q.t.

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	ARM - ABI
ABI Version:	0
Entry Point Address:	0xb2f8
Flags:	0x202
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0x8000	0x8000	0x3c33	0x3c33	7.7034	0x5	R E	0x8000
LOAD	0x6404	0x16404	0x16404	0x0	0x0	0.0000	0x6	RW	0x8000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 22:38:54.328224897 CET	38924	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:38:54.333235979 CET	25596	38924	193.143.1.54	192.168.2.14
Jan 10, 2025 22:38:54.333308935 CET	38924	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:38:54.345977068 CET	38924	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:38:54.351069927 CET	25596	38924	193.143.1.54	192.168.2.14
Jan 10, 2025 22:38:54.351102114 CET	38924	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:38:54.356147051 CET	25596	38924	193.143.1.54	192.168.2.14
Jan 10, 2025 22:38:56.059988976 CET	25596	38924	193.143.1.54	192.168.2.14
Jan 10, 2025 22:38:56.060503960 CET	38924	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:38:56.065239906 CET	25596	38924	193.143.1.54	192.168.2.14
Jan 10, 2025 22:38:57.492364883 CET	38926	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:38:57.497296095 CET	25596	38926	193.143.1.54	192.168.2.14
Jan 10, 2025 22:38:57.497431040 CET	38926	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:38:57.498425007 CET	38926	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:38:57.503153086 CET	25596	38926	193.143.1.54	192.168.2.14
Jan 10, 2025 22:38:57.503207922 CET	38926	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:38:57.508018970 CET	25596	38926	193.143.1.54	192.168.2.14
Jan 10, 2025 22:38:59.280508995 CET	25596	38926	193.143.1.54	192.168.2.14
Jan 10, 2025 22:38:59.280898094 CET	38926	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:38:59.285765886 CET	25596	38926	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:05.288923979 CET	38928	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:05.293879986 CET	25596	38928	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:05.293991089 CET	38928	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:05.294965982 CET	38928	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:05.307387114 CET	25596	38928	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:05.307596922 CET	38928	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:05.312712908 CET	25596	38928	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:07.089544058 CET	25596	38928	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:07.089943886 CET	38928	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:07.094782114 CET	25596	38928	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:13.099606991 CET	38930	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:13.104516983 CET	25596	38930	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:13.104609966 CET	38930	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:13.105838060 CET	38930	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:13.111183882 CET	25596	38930	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:13.111255884 CET	38930	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:13.116331100 CET	25596	38930	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:14.843761921 CET	25596	38930	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:14.844126940 CET	38930	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:14.849023104 CET	25596	38930	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:15.865374088 CET	38932	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:15.870254040 CET	25596	38932	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:15.870546103 CET	38932	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:15.871459961 CET	38932	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:15.876254082 CET	25596	38932	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:15.876348019 CET	38932	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:15.881107092 CET	25596	38932	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:17.629755974 CET	25596	38932	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:17.630116940 CET	38932	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:17.636167049 CET	25596	38932	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:23.638180017 CET	38934	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:23.643172979 CET	25596	38934	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:23.643251896 CET	38934	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:23.644265890 CET	38934	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:23.649111032 CET	25596	38934	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:23.649177074 CET	38934	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:23.654022932 CET	25596	38934	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:25.444031954 CET	25596	38934	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:25.444356918 CET	38934	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:25.449167967 CET	25596	38934	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:31.448988914 CET	38936	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:31.453910112 CET	25596	38936	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:31.454022884 CET	38936	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:31.455214977 CET	38936	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:31.460109949 CET	25596	38936	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:31.460176945 CET	38936	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:31.464963913 CET	25596	38936	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:33.222588062 CET	25596	38936	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:33.222948074 CET	38936	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:33.227813959 CET	25596	38936	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:39.231281042 CET	38938	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:39.236223936 CET	25596	38938	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:39.236287117 CET	38938	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:39.237287045 CET	38938	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:39.242119074 CET	25596	38938	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:39.242191076 CET	38938	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:39.247051954 CET	25596	38938	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:40.988214016 CET	25596	38938	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:40.988430023 CET	38938	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:40.993387938 CET	25596	38938	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:42.008059025 CET	38940	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:42.012921095 CET	25596	38940	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:42.013042927 CET	38940	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:42.013590097 CET	38940	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:42.018369913 CET	25596	38940	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:42.018445015 CET	38940	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:42.023283958 CET	25596	38940	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:43.790716887 CET	25596	38940	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:43.791013956 CET	38940	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:43.795821905 CET	25596	38940	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:44.820385933 CET	38942	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:44.825239897 CET	25596	38942	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:44.825301886 CET	38942	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:44.826246023 CET	38942	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:44.830977917 CET	25596	38942	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:44.831051111 CET	38942	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:44.835858107 CET	25596	38942	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:46.588001013 CET	25596	38942	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:46.588248968 CET	38942	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:46.593189001 CET	25596	38942	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:47.618014097 CET	38944	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:47.622961998 CET	25596	38944	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:47.623024940 CET	38944	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:47.623832941 CET	38944	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:47.628716946 CET	25596	38944	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:47.628767967 CET	38944	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:47.633591890 CET	25596	38944	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:49.395503044 CET	25596	38944	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:49.395589113 CET	38944	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:49.400541067 CET	25596	38944	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:50.425786018 CET	38946	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:50.430718899 CET	25596	38946	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:50.430844069 CET	38946	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:50.432348013 CET	38946	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:50.437243938 CET	25596	38946	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:50.437305927 CET	38946	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:50.442105055 CET	25596	38946	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:52.242284060 CET	25596	38946	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:52.242535114 CET	38946	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:52.247456074 CET	25596	38946	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:53.264159918 CET	38948	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:53.269537926 CET	25596	38948	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:53.269627094 CET	38948	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:53.270950079 CET	38948	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:53.276392937 CET	25596	38948	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:53.276475906 CET	38948	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:53.282102108 CET	25596	38948	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:55.063174009 CET	25596	38948	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:55.063453913 CET	38948	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:55.068276882 CET	25596	38948	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:56.083940983 CET	38950	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:56.088782072 CET	25596	38950	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:56.088852882 CET	38950	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:56.089905024 CET	38950	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:56.095499992 CET	25596	38950	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:56.095545053 CET	38950	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:56.101236105 CET	25596	38950	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:57.852133989 CET	25596	38950	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:57.852595091 CET	38950	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:57.857572079 CET	25596	38950	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:58.874306917 CET	38952	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:58.879115105 CET	25596	38952	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:58.879260063 CET	38952	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:58.880295992 CET	38952	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:58.885171890 CET	25596	38952	193.143.1.54	192.168.2.14
Jan 10, 2025 22:39:58.885260105 CET	38952	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:39:58.890106916 CET	25596	38952	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:00.648186922 CET	25596	38952	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:00.648346901 CET	38952	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:00.653214931 CET	25596	38952	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:01.669091940 CET	38954	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:01.674048901 CET	25596	38954	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:01.674159050 CET	38954	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:01.675498962 CET	38954	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:01.680354118 CET	25596	38954	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:01.680428028 CET	38954	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:01.685252905 CET	25596	38954	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:03.495528936 CET	25596	38954	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:03.495670080 CET	38954	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:03.500454903 CET	25596	38954	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:04.515263081 CET	38956	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:04.520296097 CET	25596	38956	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:04.520355940 CET	38956	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:04.521418095 CET	38956	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:04.526300907 CET	25596	38956	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:04.526361942 CET	38956	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:04.531397104 CET	25596	38956	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:06.294950008 CET	25596	38956	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:06.295176983 CET	38956	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:06.300066948 CET	25596	38956	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:07.326318979 CET	38958	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:07.331502914 CET	25596	38958	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:07.331660032 CET	38958	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:07.332607985 CET	38958	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:07.337503910 CET	25596	38958	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:07.337560892 CET	38958	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:07.342436075 CET	25596	38958	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:09.126251936 CET	25596	38958	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:09.126491070 CET	38958	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:09.131308079 CET	25596	38958	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:10.145282030 CET	38960	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:10.150137901 CET	25596	38960	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:10.150208950 CET	38960	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:10.150934935 CET	38960	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:10.155754089 CET	25596	38960	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:10.155805111 CET	38960	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:10.160610914 CET	25596	38960	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:11.912132978 CET	25596	38960	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:11.912430048 CET	38960	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:11.917426109 CET	25596	38960	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:12.944109917 CET	38962	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:12.949103117 CET	25596	38962	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:12.949183941 CET	38962	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:12.950388908 CET	38962	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:12.955228090 CET	25596	38962	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:12.955321074 CET	38962	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:12.960216045 CET	25596	38962	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:14.855901957 CET	25596	38962	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:14.856118917 CET	38962	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:14.861023903 CET	25596	38962	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:20.865269899 CET	38964	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:20.870394945 CET	25596	38964	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:20.870593071 CET	38964	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:20.871407986 CET	38964	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:20.876224041 CET	25596	38964	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:20.876343012 CET	38964	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:20.881449938 CET	25596	38964	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:22.648525953 CET	25596	38964	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:22.648904085 CET	38964	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:22.653934002 CET	25596	38964	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:23.667766094 CET	38966	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:23.672663927 CET	25596	38966	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:23.672715902 CET	38966	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:23.673296928 CET	38966	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:23.678116083 CET	25596	38966	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:23.678154945 CET	38966	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:23.682980061 CET	25596	38966	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:25.447256088 CET	25596	38966	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:25.447376013 CET	38966	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:25.452281952 CET	25596	38966	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:31.452493906 CET	38968	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:31.457585096 CET	25596	38968	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:31.457700014 CET	38968	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:31.458580017 CET	38968	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:31.463349104 CET	25596	38968	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:31.463426113 CET	38968	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:31.468399048 CET	25596	38968	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:33.194490910 CET	25596	38968	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:33.194688082 CET	38968	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:33.203567028 CET	25596	38968	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:34.214818001 CET	38970	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:34.220164061 CET	25596	38970	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:34.220256090 CET	38970	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:34.221029043 CET	38970	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:34.226237059 CET	25596	38970	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:34.226301908 CET	38970	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:34.232085943 CET	25596	38970	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:35.971221924 CET	25596	38970	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:35.971467018 CET	38970	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:35.976457119 CET	25596	38970	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:37.001326084 CET	38972	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:37.006108999 CET	25596	38972	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:37.006640911 CET	38972	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:37.006777048 CET	38972	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:37.011543989 CET	25596	38972	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:37.011590004 CET	38972	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:37.016347885 CET	25596	38972	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:38.788809061 CET	25596	38972	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:38.789140940 CET	38972	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:38.794126987 CET	25596	38972	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:39.809478045 CET	38974	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:39.814372063 CET	25596	38974	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:39.814517021 CET	38974	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:39.815289974 CET	38974	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:39.820099115 CET	25596	38974	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:39.820147038 CET	38974	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:39.825035095 CET	25596	38974	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:41.570080996 CET	25596	38974	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:41.570425987 CET	38974	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:41.575262070 CET	25596	38974	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:42.590853930 CET	38976	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:42.595714092 CET	25596	38976	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:42.595767975 CET	38976	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:42.599957943 CET	38976	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:42.604736090 CET	25596	38976	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:42.604819059 CET	38976	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:42.609579086 CET	25596	38976	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:44.331492901 CET	25596	38976	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:44.331654072 CET	38976	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:44.336528063 CET	25596	38976	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:50.340646029 CET	38978	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:50.345489979 CET	25596	38978	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:50.345597982 CET	38978	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:50.346427917 CET	38978	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:50.351191998 CET	25596	38978	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:50.351269007 CET	38978	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:50.356071949 CET	25596	38978	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:52.123835087 CET	25596	38978	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:52.124094963 CET	38978	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:52.128892899 CET	25596	38978	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:58.133230925 CET	38980	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:58.138071060 CET	25596	38980	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:58.138138056 CET	38980	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:58.139250040 CET	38980	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:58.144197941 CET	25596	38980	193.143.1.54	192.168.2.14
Jan 10, 2025 22:40:58.144251108 CET	38980	25596	192.168.2.14	193.143.1.54
Jan 10, 2025 22:40:58.149147034 CET	25596	38980	193.143.1.54	192.168.2.14

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 22:38:54.302695036 CET	56553	53	192.168.2.14	51.158.108.203
Jan 10, 2025 22:38:54.318474054 CET	53	56553	51.158.108.203	192.168.2.14
Jan 10, 2025 22:38:57.062472105 CET	48435	53	192.168.2.14	95.216.99.249
Jan 10, 2025 22:38:57.491147995 CET	53	48435	95.216.99.249	192.168.2.14
Jan 10, 2025 22:39:00.283268929 CET	45267	53	192.168.2.14	5.161.109.23
Jan 10, 2025 22:39:08.093811989 CET	39709	53	192.168.2.14	51.254.162.59
Jan 10, 2025 22:39:15.847039938 CET	34850	53	192.168.2.14	185.232.68.212
Jan 10, 2025 22:39:15.864573002 CET	53	34850	185.232.68.212	192.168.2.14
Jan 10, 2025 22:39:18.632392883 CET	41918	53	192.168.2.14	178.254.22.166
Jan 10, 2025 22:39:26.446069002 CET	49378	53	192.168.2.14	5.161.109.23
Jan 10, 2025 22:39:34.225750923 CET	58679	53	192.168.2.14	5.161.109.23
Jan 10, 2025 22:39:41.990223885 CET	55677	53	192.168.2.14	152.53.15.127
Jan 10, 2025 22:39:42.007707119 CET	53	55677	152.53.15.127	192.168.2.14
Jan 10, 2025 22:39:44.793905973 CET	60881	53	192.168.2.14	95.216.99.249
Jan 10, 2025 22:39:44.819984913 CET	53	60881	95.216.99.249	192.168.2.14
Jan 10, 2025 22:39:47.590783119 CET	44590	53	192.168.2.14	65.21.1.106
Jan 10, 2025 22:39:47.617487907 CET	53	44590	65.21.1.106	192.168.2.14
Jan 10, 2025 22:39:50.397377014 CET	53604	53	192.168.2.14	95.216.99.249
Jan 10, 2025 22:39:50.424557924 CET	53	53604	95.216.99.249	192.168.2.14
Jan 10, 2025 22:39:53.245532990 CET	50338	53	192.168.2.14	152.53.15.127
Jan 10, 2025 22:39:53.263148069 CET	53	50338	152.53.15.127	192.168.2.14
Jan 10, 2025 22:39:56.066260099 CET	54613	53	192.168.2.14	194.36.144.87
Jan 10, 2025 22:39:56.083542109 CET	53	54613	194.36.144.87	192.168.2.14
Jan 10, 2025 22:39:58.855969906 CET	34731	53	192.168.2.14	152.53.15.127
Jan 10, 2025 22:39:58.873368025 CET	53	34731	152.53.15.127	192.168.2.14
Jan 10, 2025 22:40:01.651282072 CET	58950	53	192.168.2.14	194.36.144.87
Jan 10, 2025 22:40:01.668395996 CET	53	58950	194.36.144.87	192.168.2.14
Jan 10, 2025 22:40:04.498683929 CET	34480	53	192.168.2.14	51.158.108.203
Jan 10, 2025 22:40:04.514589071 CET	53	34480	51.158.108.203	192.168.2.14
Jan 10, 2025 22:40:07.298350096 CET	43386	53	192.168.2.14	81.169.136.222
Jan 10, 2025 22:40:07.325578928 CET	53	43386	81.169.136.222	192.168.2.14
Jan 10, 2025 22:40:10.129331112 CET	57717	53	192.168.2.14	51.158.108.203
Jan 10, 2025 22:40:10.144819021 CET	53	57717	51.158.108.203	192.168.2.14
Jan 10, 2025 22:40:12.916194916 CET	52332	53	192.168.2.14	65.21.1.106
Jan 10, 2025 22:40:12.943078995 CET	53	52332	65.21.1.106	192.168.2.14
Jan 10, 2025 22:40:15.859687090 CET	43075	53	192.168.2.14	64.176.6.48
Jan 10, 2025 22:40:23.650955915 CET	57597	53	192.168.2.14	51.158.108.203
Jan 10, 2025 22:40:23.667349100 CET	53	57597	51.158.108.203	192.168.2.14
Jan 10, 2025 22:40:26.449614048 CET	33162	53	192.168.2.14	178.254.22.166
Jan 10, 2025 22:40:34.197341919 CET	35686	53	192.168.2.14	185.232.68.212
Jan 10, 2025 22:40:34.214267015 CET	53	35686	185.232.68.212	192.168.2.14
Jan 10, 2025 22:40:36.973750114 CET	35243	53	192.168.2.14	81.169.136.222
Jan 10, 2025 22:40:37.000643969 CET	53	35243	81.169.136.222	192.168.2.14
Jan 10, 2025 22:40:39.791505098 CET	55023	53	192.168.2.14	152.53.15.127
Jan 10, 2025 22:40:39.808602095 CET	53	55023	152.53.15.127	192.168.2.14
Jan 10, 2025 22:40:42.573023081 CET	52414	53	192.168.2.14	152.53.15.127
Jan 10, 2025 22:40:42.590312004 CET	53	52414	152.53.15.127	192.168.2.14
Jan 10, 2025 22:40:45.334912062 CET	34650	53	192.168.2.14	5.161.109.23
Jan 10, 2025 22:40:53.127437115 CET	41727	53	192.168.2.14	178.254.22.166

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 22:38:54.302695036 CET	192.168.2.14	51.158.108.203	0x9a8e	Standard query (0)	chinklabs.dyn	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:38:57.062472105 CET	192.168.2.14	95.216.99.249	0xc5d2	Standard query (0)	freethewind.parody	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:39:00.283268929 CET	192.168.2.14	5.161.109.23	0x8576	Standard query (0)	freethewind.parody	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:39:08.093811989 CET	192.168.2.14	51.254.162.59	0x2080	Standard query (0)	netfags.geek. [malformed]	256	385	false
Jan 10, 2025 22:39:15.847039938 CET	192.168.2.14	185.232.68.212	0xfdd3	Standard query (0)	freethewind.parody	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:39:18.632392883 CET	192.168.2.14	178.254.22.166	0x11f9	Standard query (0)	dogeatingchink.parody	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:39:26.446069002 CET	192.168.2.14	5.161.109.23	0x819b	Standard query (0)	yellowchink.pirate. [malformed]	256	403	false
Jan 10, 2025 22:39:34.225750923 CET	192.168.2.14	5.161.109.23	0xfc8	Standard query (0)	dogeatingchink.parody. [malformed]	256	411	false
Jan 10, 2025 22:39:41.990223885 CET	192.168.2.14	152.53.15.127	0xff1b	Standard query (0)	hiakamai.dyn. [malformed]	256	414	false
Jan 10, 2025 22:39:44.793905973 CET	192.168.2.14	95.216.99.249	0x776e	Standard query (0)	hiakamai.dyn. [malformed]	256	416	false
Jan 10, 2025 22:39:47.590783119 CET	192.168.2.14	65.21.1.106	0xfee8	Standard query (0)	himrresearcher.dyn. [malformed]	256	419	false
Jan 10, 2025 22:39:50.397377014 CET	192.168.2.14	95.216.99.249	0x47a8	Standard query (0)	w3d0ntlikebot5.parody. [malformed]	256	422	false
Jan 10, 2025 22:39:53.245532990 CET	192.168.2.14	152.53.15.127	0x3cdf	Standard query (0)	infectedslurs.geek. [malformed]	256	425	false
Jan 10, 2025 22:39:56.066260099 CET	192.168.2.14	194.36.144.87	0xe065	Standard query (0)	chinklabs.dyn. [malformed]	256	428	false
Jan 10, 2025 22:39:58.855969906 CET	192.168.2.14	152.53.15.127	0x67ca	Standard query (0)	infectedchink.pirate	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:40:01.651282072 CET	192.168.2.14	194.36.144.87	0x8b37	Standard query (0)	burnthe.libre. [malformed]	256	433	false
Jan 10, 2025 22:40:04.498683929 CET	192.168.2.14	51.158.108.203	0xa5a0	Standard query (0)	infectedslurs.geek. [malformed]	256	436	false
Jan 10, 2025 22:40:07.298350096 CET	192.168.2.14	81.169.136.222	0x4a0d	Standard query (0)	chinklabs.dyn. [malformed]	256	439	false
Jan 10, 2025 22:40:10.129331112 CET	192.168.2.14	51.158.108.203	0x9bee	Standard query (0)	hiakamai.dyn. [malformed]	256	442	false
Jan 10, 2025 22:40:12.916194916 CET	192.168.2.14	65.21.1.106	0x5239	Standard query (0)	hiakamai.dyn. [malformed]	256	444	false
Jan 10, 2025 22:40:15.859687090 CET	192.168.2.14	64.176.6.48	0xe446	Standard query (0)	chinklabs.dyn	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:40:23.650955915 CET	192.168.2.14	51.158.108.203	0x9fb1	Standard query (0)	dogeatingchink.parody. [malformed]	256	455	false
Jan 10, 2025 22:40:26.449614048 CET	192.168.2.14	178.254.22.166	0xb194	Standard query (0)	infectedslurs.geek. [malformed]	256	463	false
Jan 10, 2025 22:40:34.197341919 CET	192.168.2.14	185.232.68.212	0xda18	Standard query (0)	dogeatingchink.parody. [malformed]	256	466	false
Jan 10, 2025 22:40:36.973750114 CET	192.168.2.14	81.169.136.222	0x7e5f	Standard query (0)	burnthe.libre. [malformed]	256	469	false
Jan 10, 2025 22:40:39.791505098 CET	192.168.2.14	152.53.15.127	0x8b65	Standard query (0)	chinklabs.dyn. [malformed]	256	471	false
Jan 10, 2025 22:40:42.573023081 CET	192.168.2.14	152.53.15.127	0x4e5	Standard query (0)	freethemonkeys.pirate. [malformed]	256	474	false
Jan 10, 2025 22:40:45.334912062 CET	192.168.2.14	5.161.109.23	0x7026	Standard query (0)	w3d0ntlikebot5.parody. [malformed]	256	482	false
Jan 10, 2025 22:40:53.127437115 CET	192.168.2.14	178.254.22.166	0x571d	Standard query (0)	hiakamai.dyn. [malformed]	256	490	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 22:38:54.318474054 CET	51.158.108.203	192.168.2.14	0x9a8e	No error (0)	chinklabs.dyn		193.143.1.54	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:38:57.491147995 CET	95.216.99.249	192.168.2.14	0xc5d2	Name error (3)	freethewind.parody	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:39:15.864573002 CET	185.232.68.212	192.168.2.14	0xfdd3	Refused (5)	freethewind.parody	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:39:42.007707119 CET	152.53.15.127	192.168.2.14	0xff1b	Format error (1)	hiakamai.dyn. [malformed]	none	none	256	414	false
Jan 10, 2025 22:39:44.819984913 CET	95.216.99.249	192.168.2.14	0x776e	Format error (1)	hiakamai.dyn. [malformed]	none	none	256	416	false
Jan 10, 2025 22:39:47.617487907 CET	65.21.1.106	192.168.2.14	0xfee8	Format error (1)	himrresearcher.dyn. [malformed]	none	none	256	419	false
Jan 10, 2025 22:39:50.424557924 CET	95.216.99.249	192.168.2.14	0x47a8	Format error (1)	w3d0ntlikebot5.parody. [malformed]	none	none	256	422	false
Jan 10, 2025 22:39:53.263148069 CET	152.53.15.127	192.168.2.14	0x3cdf	Format error (1)	infectedslurs.geek. [malformed]	none	none	256	425	false
Jan 10, 2025 22:39:56.083542109 CET	194.36.144.87	192.168.2.14	0xe065	Format error (1)	chinklabs.dyn. [malformed]	none	none	256	428	false
Jan 10, 2025 22:39:58.873368025 CET	152.53.15.127	192.168.2.14	0x67ca	Name error (3)	infectedchink.pirate	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:40:01.668395996 CET	194.36.144.87	192.168.2.14	0x8b37	Format error (1)	burnthe.libre. [malformed]	none	none	256	433	false
Jan 10, 2025 22:40:04.514589071 CET	51.158.108.203	192.168.2.14	0xa5a0	Format error (1)	infectedslurs.geek. [malformed]	none	none	256	436	false
Jan 10, 2025 22:40:10.144819021 CET	51.158.108.203	192.168.2.14	0x9bee	Format error (1)	hiakamai.dyn. [malformed]	none	none	256	442	false
Jan 10, 2025 22:40:12.943078995 CET	65.21.1.106	192.168.2.14	0x5239	Format error (1)	hiakamai.dyn. [malformed]	none	none	256	444	false
Jan 10, 2025 22:40:23.667349100 CET	51.158.108.203	192.168.2.14	0x9fb1	Format error (1)	dogeatingchink.parody. [malformed]	none	none	256	455	false
Jan 10, 2025 22:40:39.808602095 CET	152.53.15.127	192.168.2.14	0x8b65	Format error (1)	chinklabs.dyn. [malformed]	none	none	256	471	false
Jan 10, 2025 22:40:42.590312004 CET	152.53.15.127	192.168.2.14	0x4e5	Format error (1)	freethemonkeys.pirate. [malformed]	none	none	256	474	false

System Behavior

Analysis Process: boatnet.arm.elf PID: 5485, Parent PID: 5409

General

Start time (UTC):	21:38:53
Start date (UTC):	10/01/2025
Path:	/tmp/boatnet.arm.elf
Arguments:	/tmp/boatnet.arm.elf
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: boatnet.arm.elf PID: 5487, Parent PID: 5485

General

Start time (UTC):	21:38:53
Start date (UTC):	10/01/2025
Path:	/tmp/boatnet.arm.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: boatnet.arm.elf PID: 5489, Parent PID: 5487

General

Start time (UTC):	21:38:53
Start date (UTC):	10/01/2025
Path:	/tmp/boatnet.arm.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report boatnet.arm.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: boatnet.arm.elf PID: 5485, Parent PID: 5409

General

Chronological Activities

Analysis Process: boatnet.arm.elf PID: 5487, Parent PID: 5485

General

Chronological Activities

Analysis Process: boatnet.arm.elf PID: 5489, Parent PID: 5487

General

Chronological Activities

Linux Analysis Report
boatnet.arm.elf