Edit tour

Linux Analysis Report
spc.elf

Overview

General Information

Sample name:	spc.elf
Analysis ID:	1588723
MD5:	eacda0ea070ca1b3168fa1d059f84db0
SHA1:	3dea1fd0c1dcaab392b888ce37afd4c9bd5d0e11
SHA256:	367446efb00c75a510a0ed29913041e0d0b0928b6e5511b19a3195b760d4590a
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Detected TCP or UDP traffic on non-standard ports

Executes the "rm" command used to delete files or directories

Sample has stripped symbol table

Sample listens on a socket

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588723
Start date and time:	2025-01-11 04:40:40 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	spc.elf
Detection:	MAL
Classification:	mal56.linELF@0/0@0/0

Runtime Messages

Command:	/tmp/spc.elf
PID:	6256
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	wormbot
Standard Error:

Process Tree

system is lnxubuntu20

dash New Fork (PID: 6229, Parent: 4331)

rm (PID: 6229, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.Kx15Y4ZrSy /tmp/tmp.zG9UODFNcX /tmp/tmp.s3tk65Vanm

dash New Fork (PID: 6230, Parent: 4331)

rm (PID: 6230, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.Kx15Y4ZrSy /tmp/tmp.zG9UODFNcX /tmp/tmp.s3tk65Vanm

spc.elf (PID: 6256, Parent: 6157, MD5: 7dc1c0e23cd5e102bb12e5c29403410e) Arguments: /tmp/spc.elf

spc.elf New Fork (PID: 6258, Parent: 6256)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
spc.elf	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xe6a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe6b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe6c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe6dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe6f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe704:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe718:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe72c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe740:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe754:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe768:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe77c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe790:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe7a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe7b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe7cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe7e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe7f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe808:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe81c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe830:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F

Memory Dumps

Source	Rule	Description	Author	Strings
6256.1.00007fb404011000.00007fb404021000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xe6a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe6b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe6c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe6dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe6f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe704:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe718:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe72c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe740:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe754:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe768:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe77c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe790:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe7a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe7b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe7cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe7e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe7f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe808:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe81c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe830:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: spc.elf PID: 6256	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x454e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4562:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4576:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x458a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x459e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x45b2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x45c6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x45da:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x45ee:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4602:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4616:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x462a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x463e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4652:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4666:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x467a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x468e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x46a2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x46b6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x46ca:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x46de:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: spc.elf	Virustotal: Detection: 31%			Perma Link
Source: spc.elf	ReversingLabs: Detection: 31%

Source: global traffic

TCP traffic: 192.168.2.23:39354 -> 85.239.34.134:999

Source: /tmp/spc.elf (PID: 6256)

Socket: 127.0.0.1:7567

Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: spc.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6256.1.00007fb404011000.00007fb404021000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: spc.elf PID: 6256, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: ELF static info symbol of initial sample

.symtab present: no

Source: spc.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6256.1.00007fb404011000.00007fb404021000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: spc.elf PID: 6256, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal56.linELF@0/0@0/0

Source: /usr/bin/dash (PID: 6229)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.Kx15Y4ZrSy /tmp/tmp.zG9UODFNcX /tmp/tmp.s3tk65Vanm			Jump to behavior
Source: /usr/bin/dash (PID: 6230)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.Kx15Y4ZrSy /tmp/tmp.zG9UODFNcX /tmp/tmp.s3tk65Vanm			Jump to behavior

Source: /tmp/spc.elf (PID: 6256)

Queries kernel information via 'uname':

Jump to behavior

Source: spc.elf, 6256.1.0000564aa5ee6000.0000564aa5f4b000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/sparc
Source: spc.elf, 6256.1.00007ffdd66d5000.00007ffdd66f6000.rw-.sdmp	Binary or memory string: Ux86_64/usr/bin/qemu-sparc/tmp/spc.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/spc.elf
Source: spc.elf, 6256.1.0000564aa5ee6000.0000564aa5f4b000.rw-.sdmp	Binary or memory string: JV!/etc/qemu-binfmt/sparc
Source: spc.elf, 6256.1.00007ffdd66d5000.00007ffdd66f6000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sparc

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 File Deletion	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
spc.elf	32%	Virustotal		Browse
spc.elf	32%	ReversingLabs	Linux.Backdoor.Mirai

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
85.239.34.134	unknown	Russian Federation	134121	RAINBOW-HKRainbownetworklimitedHK	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
85.239.34.134	x86.elf	Get hash	malicious	Unknown	Browse
	arm.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Mirai	Browse
	arm.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	x86.elf	Get hash	malicious	Unknown	Browse
	154.216.17.162-arm-2025-01-09T02_53_12.elf	Get hash	malicious	Unknown	Browse
	ppc.elf	Get hash	malicious	Unknown	Browse
	x86.elf	Get hash	malicious	Unknown	Browse
	mpsl.elf	Get hash	malicious	Unknown	Browse
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43	sse.elf	Get hash	malicious	Gafgyt	Browse
	ssp.elf	Get hash	malicious	Gafgyt	Browse
	2.elf	Get hash	malicious	Unknown	Browse
	12.elf	Get hash	malicious	Unknown	Browse
	Space.arm.elf	Get hash	malicious	Mirai	Browse
	arm.elf	Get hash	malicious	Unknown	Browse
	ss.elf	Get hash	malicious	Gafgyt	Browse
	boatnet.x86.elf	Get hash	malicious	Unknown	Browse
	Space.arm5.elf	Get hash	malicious	Unknown	Browse
	ssd.elf	Get hash	malicious	Gafgyt	Browse
91.189.91.42	sse.elf	Get hash	malicious	Gafgyt	Browse
	ssp.elf	Get hash	malicious	Gafgyt	Browse
	2.elf	Get hash	malicious	Unknown	Browse
	12.elf	Get hash	malicious	Unknown	Browse
	Space.arm.elf	Get hash	malicious	Mirai	Browse
	arm.elf	Get hash	malicious	Unknown	Browse
	ss.elf	Get hash	malicious	Gafgyt	Browse
	boatnet.x86.elf	Get hash	malicious	Unknown	Browse
	Space.arm5.elf	Get hash	malicious	Unknown	Browse
	ssd.elf	Get hash	malicious	Gafgyt	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RAINBOW-HKRainbownetworklimitedHK	x86.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
	arm.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
	arm7.elf	Get hash	malicious	Mirai	Browse	85.239.34.134
	arm.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
	arm7.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
	x86.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
	154.216.17.162-arm-2025-01-09T02_53_12.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
	ppc.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
	x86.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
	mpsl.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
CANONICAL-ASGB	sse.elf	Get hash	malicious	Gafgyt	Browse	91.189.91.42
	ssp.elf	Get hash	malicious	Gafgyt	Browse	91.189.91.42
	2.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	12.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Space.arm.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	arm.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	ss.elf	Get hash	malicious	Gafgyt	Browse	91.189.91.42
	boatnet.arm7.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	boatnet.x86.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Space.arm5.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
CANONICAL-ASGB	sse.elf	Get hash	malicious	Gafgyt	Browse	91.189.91.42
	ssp.elf	Get hash	malicious	Gafgyt	Browse	91.189.91.42
	2.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	12.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Space.arm.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	arm.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	ss.elf	Get hash	malicious	Gafgyt	Browse	91.189.91.42
	boatnet.arm7.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	boatnet.x86.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Space.arm5.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
INIT7CH	sse.elf	Get hash	malicious	Gafgyt	Browse	109.202.202.202
	ssp.elf	Get hash	malicious	Gafgyt	Browse	109.202.202.202
	2.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	12.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	Space.arm.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	arm.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	ss.elf	Get hash	malicious	Gafgyt	Browse	109.202.202.202
	boatnet.x86.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	Space.arm5.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	ssd.elf	Get hash	malicious	Gafgyt	Browse	109.202.202.202

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.96159032224557
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	spc.elf
File size:	64'016 bytes
MD5:	eacda0ea070ca1b3168fa1d059f84db0
SHA1:	3dea1fd0c1dcaab392b888ce37afd4c9bd5d0e11
SHA256:	367446efb00c75a510a0ed29913041e0d0b0928b6e5511b19a3195b760d4590a
SHA512:	9c599c74c8160ca7418fb53b75ea27afc695a80f6e6642e7f5706b13fb6b68bae433506169b0a2f166db92af550a784b75413922487902880d6679853649fabc
SSDEEP:	1536:yGN5CY0SlWw/kMNq+12odX62ZkoUIdHrN:ytzsNq6NdfkErN
TLSH:	74531B627A7A0B27C4E1643850E7575EB3FA4BCD2564C20B7EB10D4DBFA89613053AF8
File Content Preview:	.ELF...........................4.........4. ...(.......................x...x...............x...x...x......4`........................................dt.Q................................@..(....@.9%................#.....c...`.....!.....#...@.....".........`

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	Sparc
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x101c4
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	4
Section Header Offset:	63456
Section Header Size:	40
Number of Section Headers:	14
Header String Table Index:	13

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x100b4	0xb4	0x1c	0x0	0x6	AX	4
.text	PROGBITS	0x100d0	0xd0	0xe4cc	0x0	0x6	AX	4
.fini	PROGBITS	0x1e59c	0xe59c	0x14	0x0	0x6	AX	4
.rodata	PROGBITS	0x1e5b0	0xe5b0	0xcc8	0x0	0x2	A	8
.eh_frame	PROGBITS	0x20278	0xf278	0x48	0x0	0x3	WA	4
.tbss	NOBITS	0x202c0	0xf2c0	0x8	0x0	0x403	WAT	4
.ctors	PROGBITS	0x202c0	0xf2c0	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x202c8	0xf2c8	0x8	0x0	0x3	WA	4
.jcr	PROGBITS	0x202d0	0xf2d0	0x4	0x0	0x3	WA	4
.got	PROGBITS	0x202d4	0xf2d4	0x10c	0x4	0x3	WA	4
.data	PROGBITS	0x203e0	0xf3e0	0x3a8	0x0	0x3	WA	8
.bss	NOBITS	0x20788	0xf788	0x2f50	0x0	0x3	WA	8
.shstrtab	STRTAB	0x0	0xf788	0x58	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x10000	0x10000	0xf278	0xf278	5.9714	0x5	R E	0x1000	.init .text .fini .rodata
LOAD	0xf278	0x20278	0x20278	0x510	0x3460	5.0276	0x6	RW	0x1000	.eh_frame .tbss .ctors .dtors .jcr .got .data .bss
TLS	0xf2c0	0x202c0	0x202c0	0x0	0x8	0.0000	0x4	R	0x4	.tbss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 04:41:28.517568111 CET	39354	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:28.522469997 CET	999	39354	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:28.522535086 CET	39354	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:28.522840023 CET	39354	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:28.528114080 CET	999	39354	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:28.528153896 CET	39354	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:28.533677101 CET	999	39354	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:28.823833942 CET	43928	443	192.168.2.23	91.189.91.42
Jan 11, 2025 04:41:30.277235031 CET	999	39354	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:30.277968884 CET	39354	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:30.282777071 CET	999	39354	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:31.279681921 CET	39356	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:31.284540892 CET	999	39356	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:31.284606934 CET	39356	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:31.284630060 CET	39356	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:31.289474964 CET	999	39356	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:31.289525032 CET	39356	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:31.294337034 CET	999	39356	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:33.041728973 CET	999	39356	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:33.042023897 CET	39356	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:33.046892881 CET	999	39356	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:34.043629885 CET	39358	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:34.053392887 CET	999	39358	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:34.053471088 CET	39358	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:34.053492069 CET	39358	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:34.058442116 CET	999	39358	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:34.058501959 CET	39358	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:34.063277006 CET	999	39358	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:34.198977947 CET	42836	443	192.168.2.23	91.189.91.43
Jan 11, 2025 04:41:35.478807926 CET	42516	80	192.168.2.23	109.202.202.202
Jan 11, 2025 04:41:35.806557894 CET	999	39358	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:35.806840897 CET	39358	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:35.811748028 CET	999	39358	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:36.809161901 CET	39360	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:36.814111948 CET	999	39360	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:36.814258099 CET	39360	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:36.814316988 CET	39360	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:36.819130898 CET	999	39360	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:36.819195986 CET	39360	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:36.824027061 CET	999	39360	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:38.608887911 CET	999	39360	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:38.609083891 CET	39360	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:38.614023924 CET	999	39360	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:39.610965967 CET	39362	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:39.615731001 CET	999	39362	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:39.615808964 CET	39362	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:39.615839958 CET	39362	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:39.620618105 CET	999	39362	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:39.620686054 CET	39362	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:39.625492096 CET	999	39362	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:41.388557911 CET	999	39362	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:41.388988018 CET	39362	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:41.393913031 CET	999	39362	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:42.391252041 CET	39364	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:42.396030903 CET	999	39364	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:42.396090984 CET	39364	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:42.396111012 CET	39364	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:42.400893927 CET	999	39364	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:42.400940895 CET	39364	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:42.405786037 CET	999	39364	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:44.136274099 CET	999	39364	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:44.136473894 CET	39364	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:44.141329050 CET	999	39364	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:45.138561964 CET	39366	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:45.143491983 CET	999	39366	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:45.143552065 CET	39366	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:45.143572092 CET	39366	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:45.148369074 CET	999	39366	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:45.148417950 CET	39366	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:45.153253078 CET	999	39366	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:46.904357910 CET	999	39366	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:46.904624939 CET	39366	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:46.909544945 CET	999	39366	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:47.906691074 CET	39368	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:47.911474943 CET	999	39368	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:47.911549091 CET	39368	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:47.911587000 CET	39368	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:47.916342020 CET	999	39368	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:47.916402102 CET	39368	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:47.921201944 CET	999	39368	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:49.300795078 CET	43928	443	192.168.2.23	91.189.91.42
Jan 11, 2025 04:41:49.665713072 CET	999	39368	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:49.666111946 CET	39368	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:49.670878887 CET	999	39368	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:50.668104887 CET	39370	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:50.673022985 CET	999	39370	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:50.673094034 CET	39370	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:50.673142910 CET	39370	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:50.678009033 CET	999	39370	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:50.678054094 CET	39370	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:50.682791948 CET	999	39370	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:52.431338072 CET	999	39370	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:52.431590080 CET	39370	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:52.436521053 CET	999	39370	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:53.433665991 CET	39372	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:53.438674927 CET	999	39372	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:53.438779116 CET	39372	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:53.438779116 CET	39372	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:53.443700075 CET	999	39372	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:53.443778992 CET	39372	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:53.448626041 CET	999	39372	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:55.212837934 CET	999	39372	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:55.213120937 CET	39372	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:55.217947006 CET	999	39372	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:56.215307951 CET	39374	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:56.220256090 CET	999	39374	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:56.220366001 CET	39374	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:56.220433950 CET	39374	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:56.225316048 CET	999	39374	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:56.225394964 CET	39374	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:56.230262995 CET	999	39374	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:57.977930069 CET	999	39374	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:57.978317976 CET	39374	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:57.983156919 CET	999	39374	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:58.980400085 CET	39376	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:58.985312939 CET	999	39376	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:58.985394001 CET	39376	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:58.985440969 CET	39376	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:58.990250111 CET	999	39376	85.239.34.134	192.168.2.23
Jan 11, 2025 04:41:58.990303993 CET	39376	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:41:58.995054960 CET	999	39376	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:00.728425026 CET	999	39376	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:00.728872061 CET	39376	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:00.733747959 CET	999	39376	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:01.586916924 CET	42836	443	192.168.2.23	91.189.91.43
Jan 11, 2025 04:42:01.730880976 CET	39378	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:01.735766888 CET	999	39378	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:01.735879898 CET	39378	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:01.735925913 CET	39378	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:01.740705967 CET	999	39378	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:01.740776062 CET	39378	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:01.745549917 CET	999	39378	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:03.511779070 CET	999	39378	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:03.512176037 CET	39378	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:03.517055035 CET	999	39378	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:04.514647961 CET	39380	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:04.519510031 CET	999	39380	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:04.519603968 CET	39380	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:04.519659042 CET	39380	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:04.524498940 CET	999	39380	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:04.524573088 CET	39380	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:04.529386997 CET	999	39380	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:05.682290077 CET	42516	80	192.168.2.23	109.202.202.202
Jan 11, 2025 04:42:06.277482986 CET	999	39380	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:06.277853012 CET	39380	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:06.283077002 CET	999	39380	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:07.279660940 CET	39382	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:07.284555912 CET	999	39382	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:07.284651995 CET	39382	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:07.284676075 CET	39382	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:07.289504051 CET	999	39382	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:07.289578915 CET	39382	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:07.294365883 CET	999	39382	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:09.040960073 CET	999	39382	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:09.041268110 CET	39382	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:09.046065092 CET	999	39382	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:10.043541908 CET	39384	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:10.048413992 CET	999	39384	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:10.048496008 CET	39384	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:10.048571110 CET	39384	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:10.053385973 CET	999	39384	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:10.053533077 CET	39384	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:10.058327913 CET	999	39384	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:11.807435989 CET	999	39384	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:11.807665110 CET	39384	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:11.812856913 CET	999	39384	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:12.809387922 CET	39386	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:12.814405918 CET	999	39386	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:12.814490080 CET	39386	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:12.814507008 CET	39386	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:12.819391966 CET	999	39386	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:12.819472075 CET	39386	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:12.824299097 CET	999	39386	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:14.571729898 CET	999	39386	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:14.572024107 CET	39386	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:14.576883078 CET	999	39386	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:15.574521065 CET	39388	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:15.579369068 CET	999	39388	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:15.579480886 CET	39388	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:15.579536915 CET	39388	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:15.584350109 CET	999	39388	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:15.584427118 CET	39388	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:15.589262962 CET	999	39388	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:17.358370066 CET	999	39388	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:17.358743906 CET	39388	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:17.363563061 CET	999	39388	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:18.361762047 CET	39390	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:18.366693020 CET	999	39390	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:18.366787910 CET	39390	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:18.366826057 CET	39390	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:18.371674061 CET	999	39390	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:18.371747017 CET	39390	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:18.376593113 CET	999	39390	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:20.103769064 CET	999	39390	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:20.104286909 CET	39390	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:20.109241009 CET	999	39390	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:21.107913017 CET	39392	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:21.112850904 CET	999	39392	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:21.112993956 CET	39392	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:21.113035917 CET	39392	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:21.117908001 CET	999	39392	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:21.118036985 CET	39392	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:21.122971058 CET	999	39392	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:22.870405912 CET	999	39392	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:22.870640039 CET	39392	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:22.876234055 CET	999	39392	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:23.872947931 CET	39394	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:23.877871990 CET	999	39394	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:23.877969980 CET	39394	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:23.878019094 CET	39394	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:23.882863998 CET	999	39394	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:23.882971048 CET	39394	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:23.887811899 CET	999	39394	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:25.635138988 CET	999	39394	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:25.635334015 CET	39394	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:25.640218019 CET	999	39394	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:26.637636900 CET	39396	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:26.642580986 CET	999	39396	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:26.642693996 CET	39396	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:26.642755032 CET	39396	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:26.647653103 CET	999	39396	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:26.647846937 CET	39396	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:26.652611971 CET	999	39396	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:28.385087967 CET	999	39396	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:28.385379076 CET	39396	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:28.390328884 CET	999	39396	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:29.387984037 CET	39398	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:29.393208027 CET	999	39398	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:29.393295050 CET	39398	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:29.393316984 CET	39398	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:29.398248911 CET	999	39398	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:29.398319960 CET	39398	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:29.403244972 CET	999	39398	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:30.254740953 CET	43928	443	192.168.2.23	91.189.91.42
Jan 11, 2025 04:42:31.151012897 CET	999	39398	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:31.151206017 CET	39398	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:31.156167030 CET	999	39398	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:32.153373957 CET	39400	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:32.158452034 CET	999	39400	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:32.158531904 CET	39400	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:32.158548117 CET	39400	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:32.163378954 CET	999	39400	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:32.163436890 CET	39400	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:32.168325901 CET	999	39400	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:33.917900085 CET	999	39400	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:33.918118000 CET	39400	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:33.918118000 CET	39400	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:33.923036098 CET	999	39400	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:34.920384884 CET	39402	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:34.925393105 CET	999	39402	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:34.925476074 CET	39402	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:34.925493002 CET	39402	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:34.930382013 CET	999	39402	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:34.930516958 CET	39402	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:34.935374022 CET	999	39402	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:36.682384968 CET	999	39402	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:36.682682991 CET	39402	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:36.687566996 CET	999	39402	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:37.686491013 CET	39404	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:37.691615105 CET	999	39404	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:37.691777945 CET	39404	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:37.691777945 CET	39404	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:37.696701050 CET	999	39404	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:37.696796894 CET	39404	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:37.701682091 CET	999	39404	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:39.432313919 CET	999	39404	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:39.432559967 CET	39404	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:39.437568903 CET	999	39404	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:40.435340881 CET	39406	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:40.440484047 CET	999	39406	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:40.440572023 CET	39406	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:40.440634012 CET	39406	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:40.445530891 CET	999	39406	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:40.445581913 CET	39406	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:40.450426102 CET	999	39406	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:42.198194981 CET	999	39406	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:42.198394060 CET	39406	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:42.203236103 CET	999	39406	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:43.201119900 CET	39408	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:43.206167936 CET	999	39408	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:43.206242085 CET	39408	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:43.206290007 CET	39408	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:43.211076021 CET	999	39408	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:43.211157084 CET	39408	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:43.216028929 CET	999	39408	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:44.965317011 CET	999	39408	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:44.965560913 CET	39408	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:44.970501900 CET	999	39408	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:45.967705011 CET	39410	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:45.972640991 CET	999	39410	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:45.972752094 CET	39410	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:45.972807884 CET	39410	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:45.977581024 CET	999	39410	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:45.977642059 CET	39410	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:45.982465029 CET	999	39410	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:47.729090929 CET	999	39410	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:47.729473114 CET	39410	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:47.734494925 CET	999	39410	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:48.732436895 CET	39412	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:48.737765074 CET	999	39412	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:48.737880945 CET	39412	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:48.737945080 CET	39412	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:48.743221998 CET	999	39412	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:48.743289948 CET	39412	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:48.748229027 CET	999	39412	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:50.496484041 CET	999	39412	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:50.496932030 CET	39412	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:50.501878023 CET	999	39412	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:51.499340057 CET	39414	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:51.504148960 CET	999	39414	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:51.504406929 CET	39414	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:51.504406929 CET	39414	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:51.509222984 CET	999	39414	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:51.509295940 CET	39414	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:51.514139891 CET	999	39414	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:53.262217045 CET	999	39414	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:53.262438059 CET	39414	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:53.269413948 CET	999	39414	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:54.264514923 CET	39416	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:54.269515991 CET	999	39416	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:54.269602060 CET	39416	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:54.269648075 CET	39416	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:54.274508953 CET	999	39416	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:54.274571896 CET	39416	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:54.279470921 CET	999	39416	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:56.010278940 CET	999	39416	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:56.010601997 CET	39416	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:56.015470982 CET	999	39416	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:57.013098955 CET	39418	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:57.017996073 CET	999	39418	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:57.018085957 CET	39418	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:57.018132925 CET	39418	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:57.022914886 CET	999	39418	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:57.022981882 CET	39418	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:57.027755022 CET	999	39418	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:58.808917046 CET	999	39418	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:58.809232950 CET	39418	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:58.814028978 CET	999	39418	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:59.811059952 CET	39420	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:59.815874100 CET	999	39420	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:59.815943956 CET	39420	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:59.815968990 CET	39420	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:59.820760012 CET	999	39420	85.239.34.134	192.168.2.23
Jan 11, 2025 04:42:59.820848942 CET	39420	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:42:59.825704098 CET	999	39420	85.239.34.134	192.168.2.23
Jan 11, 2025 04:43:01.572520971 CET	999	39420	85.239.34.134	192.168.2.23
Jan 11, 2025 04:43:01.572841883 CET	39420	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:43:01.577646971 CET	999	39420	85.239.34.134	192.168.2.23
Jan 11, 2025 04:43:02.575114965 CET	39422	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:43:02.580022097 CET	999	39422	85.239.34.134	192.168.2.23
Jan 11, 2025 04:43:02.580112934 CET	39422	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:43:02.580162048 CET	39422	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:43:02.584964991 CET	999	39422	85.239.34.134	192.168.2.23
Jan 11, 2025 04:43:02.585040092 CET	39422	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:43:02.589874983 CET	999	39422	85.239.34.134	192.168.2.23
Jan 11, 2025 04:43:12.589292049 CET	39422	999	192.168.2.23	85.239.34.134
Jan 11, 2025 04:43:12.594149113 CET	999	39422	85.239.34.134	192.168.2.23
Jan 11, 2025 04:43:12.816725016 CET	999	39422	85.239.34.134	192.168.2.23
Jan 11, 2025 04:43:12.817023993 CET	39422	999	192.168.2.23	85.239.34.134

System Behavior

Analysis Process: dash PID: 6229, Parent PID: 4331

General

Start time (UTC):	03:41:24
Start date (UTC):	11/01/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 6229, Parent PID: 4331

General

Start time (UTC):	03:41:24
Start date (UTC):	11/01/2025
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.Kx15Y4ZrSy /tmp/tmp.zG9UODFNcX /tmp/tmp.s3tk65Vanm
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: dash PID: 6230, Parent PID: 4331

General

Start time (UTC):	03:41:24
Start date (UTC):	11/01/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 6230, Parent PID: 4331

General

Start time (UTC):	03:41:24
Start date (UTC):	11/01/2025
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.Kx15Y4ZrSy /tmp/tmp.zG9UODFNcX /tmp/tmp.s3tk65Vanm
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: spc.elf PID: 6256, Parent PID: 6157

General

Start time (UTC):	03:41:27
Start date (UTC):	11/01/2025
Path:	/tmp/spc.elf
Arguments:	/tmp/spc.elf
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Chronological Activities

Analysis Process: spc.elf PID: 6258, Parent PID: 6256

General

Start time (UTC):	03:41:27
Start date (UTC):	11/01/2025
Path:	/tmp/spc.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report spc.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: dash PID: 6229, Parent PID: 4331

General

Chronological Activities

Analysis Process: rm PID: 6229, Parent PID: 4331

General

Chronological Activities

Analysis Process: dash PID: 6230, Parent PID: 4331

General

Chronological Activities

Analysis Process: rm PID: 6230, Parent PID: 4331

General

Chronological Activities

Analysis Process: spc.elf PID: 6256, Parent PID: 6157

General

Chronological Activities

Analysis Process: spc.elf PID: 6258, Parent PID: 6256

General

Chronological Activities

Linux Analysis Report
spc.elf