Edit tour

Linux Analysis Report
Kloki.arm5.elf

Overview

General Information

Sample name:	Kloki.arm5.elf
Analysis ID:	1590979
MD5:	5bc43e48f0901f8bd983d197c88b0566
SHA1:	0997c945242c542c58964a574e42f6c8c75562a7
SHA256:	717575d440f1759e2fa0360ba5454170225aed438e78f45deff748ffbb73c5c2
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Sample tries to kill multiple processes (SIGKILL)

Detected TCP or UDP traffic on non-standard ports

ELF contains segments with high entropy indicating compressed/encrypted content

Sample contains only a LOAD segment without any section mappings

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Suricata IDS alerts with low severity for network traffic

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590979
Start date and time:	2025-01-14 16:56:49 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	Kloki.arm5.elf
Detection:	MAL
Classification:	mal52.spre.linELF@0/0@1/0

Runtime Messages

Command:	/tmp/Kloki.arm5.elf
PID:	5597
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	suka
Standard Error:

Process Tree

system is lnxubuntu20

Kloki.arm5.elf (PID: 5597, Parent: 5400, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/Kloki.arm5.elf

Kloki.arm5.elf New Fork (PID: 5599, Parent: 5597)

Kloki.arm5.elf New Fork (PID: 5601, Parent: 5599)

Kloki.arm5.elf New Fork (PID: 5603, Parent: 5599)

gnome-session-binary New Fork (PID: 5605, Parent: 1588)

sh (PID: 5605, Parent: 1588, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-sharing

gnome-session-binary New Fork (PID: 5627, Parent: 1588)

sh (PID: 5627, Parent: 1588, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/bin/gnome-shell

gnome-shell (PID: 5627, Parent: 1588, MD5: da7a257239677622fe4b3a65972c9e87) Arguments: /usr/bin/gnome-shell

gnome-session-binary New Fork (PID: 5629, Parent: 1588)

sh (PID: 5629, Parent: 1588, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-print-notifications

gsd-print-notifications (PID: 5629, Parent: 1588, MD5: 71539698aa691718cee775d6b9450ae2) Arguments: /usr/libexec/gsd-print-notifications

gnome-session-binary New Fork (PID: 5630, Parent: 1588)

sh (PID: 5630, Parent: 1588, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill

gsd-rfkill (PID: 5630, Parent: 1588, MD5: 88a16a3c0aba1759358c06215ecfb5cc) Arguments: /usr/libexec/gsd-rfkill

gdm3 New Fork (PID: 5631, Parent: 1400)

Default (PID: 5631, Parent: 1400, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

gdm3 New Fork (PID: 5632, Parent: 1400)

Default (PID: 5632, Parent: 1400, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

ET COMPROMISED Known Compromised or Hostile Host Traffic group 18

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T16:58:01.651229+0100	2500034	2	Misc Attack	83.222.191.90	13566	192.168.2.13	42860	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Kloki.arm5.elf	Virustotal: Detection: 27%			Perma Link
Source: Kloki.arm5.elf	ReversingLabs: Detection: 21%

Source: global traffic	TCP traffic: 192.168.2.13:33840 -> 83.222.147.62:13566
Source: global traffic	TCP traffic: 192.168.2.13:34240 -> 83.222.98.18:13566
Source: global traffic	TCP traffic: 192.168.2.13:34076 -> 83.222.168.12:13566
Source: global traffic	TCP traffic: 192.168.2.13:42008 -> 83.222.62.2:13566
Source: global traffic	TCP traffic: 192.168.2.13:49032 -> 83.222.139.172:13566
Source: global traffic	TCP traffic: 192.168.2.13:55016 -> 83.222.52.191:13566
Source: global traffic	TCP traffic: 192.168.2.13:46838 -> 83.222.136.147:13566
Source: global traffic	TCP traffic: 192.168.2.13:59670 -> 83.222.49.43:13566
Source: global traffic	TCP traffic: 192.168.2.13:57902 -> 83.222.52.94:13566
Source: global traffic	TCP traffic: 192.168.2.13:50654 -> 83.222.11.140:13566
Source: global traffic	TCP traffic: 192.168.2.13:42068 -> 83.222.124.118:13566
Source: global traffic	TCP traffic: 192.168.2.13:33174 -> 83.222.42.95:13566
Source: global traffic	TCP traffic: 192.168.2.13:48410 -> 83.222.253.56:13566
Source: global traffic	TCP traffic: 192.168.2.13:43710 -> 83.222.15.126:13566
Source: global traffic	TCP traffic: 192.168.2.13:43558 -> 83.222.48.82:13566
Source: global traffic	TCP traffic: 192.168.2.13:37976 -> 83.222.62.195:13566
Source: global traffic	TCP traffic: 192.168.2.13:48526 -> 83.222.144.160:13566
Source: global traffic	TCP traffic: 192.168.2.13:44670 -> 83.222.213.56:13566
Source: global traffic	TCP traffic: 192.168.2.13:54826 -> 83.222.172.19:13566
Source: global traffic	TCP traffic: 192.168.2.13:35504 -> 83.222.58.55:13566
Source: global traffic	TCP traffic: 192.168.2.13:45084 -> 83.222.192.110:13566
Source: global traffic	TCP traffic: 192.168.2.13:59024 -> 83.222.247.72:13566
Source: global traffic	TCP traffic: 192.168.2.13:55910 -> 83.222.1.40:13566
Source: global traffic	TCP traffic: 192.168.2.13:54388 -> 83.222.115.53:13566
Source: global traffic	TCP traffic: 192.168.2.13:45926 -> 83.222.134.127:13566
Source: global traffic	TCP traffic: 192.168.2.13:36096 -> 83.222.194.3:13566
Source: global traffic	TCP traffic: 192.168.2.13:56870 -> 83.222.245.236:13566
Source: global traffic	TCP traffic: 192.168.2.13:57114 -> 83.222.98.243:13566
Source: global traffic	TCP traffic: 192.168.2.13:52276 -> 83.222.36.113:13566
Source: global traffic	TCP traffic: 192.168.2.13:59460 -> 83.222.113.84:13566
Source: global traffic	TCP traffic: 192.168.2.13:47782 -> 83.222.196.175:13566
Source: global traffic	TCP traffic: 192.168.2.13:40052 -> 83.222.24.84:13566
Source: global traffic	TCP traffic: 192.168.2.13:58258 -> 83.222.79.237:13566
Source: global traffic	TCP traffic: 192.168.2.13:47908 -> 83.222.141.251:13566
Source: global traffic	TCP traffic: 192.168.2.13:60466 -> 83.222.1.199:13566
Source: global traffic	TCP traffic: 192.168.2.13:54460 -> 83.222.50.193:13566
Source: global traffic	TCP traffic: 192.168.2.13:46050 -> 83.222.54.41:13566
Source: global traffic	TCP traffic: 192.168.2.13:42506 -> 83.222.9.55:13566
Source: global traffic	TCP traffic: 192.168.2.13:52200 -> 83.222.81.125:13566
Source: global traffic	TCP traffic: 192.168.2.13:35160 -> 83.222.109.216:13566
Source: global traffic	TCP traffic: 192.168.2.13:39340 -> 83.222.252.47:13566
Source: global traffic	TCP traffic: 192.168.2.13:33342 -> 83.222.219.241:13566
Source: global traffic	TCP traffic: 192.168.2.13:44084 -> 83.222.27.61:13566
Source: global traffic	TCP traffic: 192.168.2.13:41800 -> 83.222.228.63:13566
Source: global traffic	TCP traffic: 192.168.2.13:53180 -> 83.222.174.85:13566
Source: global traffic	TCP traffic: 192.168.2.13:44728 -> 83.222.147.114:13566
Source: global traffic	TCP traffic: 192.168.2.13:49008 -> 83.222.4.171:13566
Source: global traffic	TCP traffic: 192.168.2.13:36746 -> 83.222.199.83:13566
Source: global traffic	TCP traffic: 192.168.2.13:32964 -> 83.222.153.84:13566
Source: global traffic	TCP traffic: 192.168.2.13:44678 -> 83.222.78.154:13566
Source: global traffic	TCP traffic: 192.168.2.13:52588 -> 83.222.27.129:13566
Source: global traffic	TCP traffic: 192.168.2.13:40824 -> 83.222.91.81:13566
Source: global traffic	TCP traffic: 192.168.2.13:41698 -> 83.222.170.100:13566
Source: global traffic	TCP traffic: 192.168.2.13:35490 -> 83.222.137.252:13566
Source: global traffic	TCP traffic: 192.168.2.13:37776 -> 83.222.225.246:13566
Source: global traffic	TCP traffic: 192.168.2.13:35810 -> 83.222.212.221:13566
Source: global traffic	TCP traffic: 192.168.2.13:57606 -> 83.222.37.175:13566
Source: global traffic	TCP traffic: 192.168.2.13:43484 -> 83.222.207.64:13566
Source: global traffic	TCP traffic: 192.168.2.13:50192 -> 83.222.236.179:13566
Source: global traffic	TCP traffic: 192.168.2.13:54552 -> 83.222.127.154:13566
Source: global traffic	TCP traffic: 192.168.2.13:60216 -> 83.222.9.18:13566
Source: global traffic	TCP traffic: 192.168.2.13:45148 -> 83.222.13.13:13566
Source: global traffic	TCP traffic: 192.168.2.13:40532 -> 83.222.190.212:13566
Source: global traffic	TCP traffic: 192.168.2.13:49096 -> 83.222.97.87:13566
Source: global traffic	TCP traffic: 192.168.2.13:37112 -> 83.222.40.175:13566
Source: global traffic	TCP traffic: 192.168.2.13:42342 -> 83.222.241.67:13566
Source: global traffic	TCP traffic: 192.168.2.13:37570 -> 83.222.48.76:13566
Source: global traffic	TCP traffic: 192.168.2.13:55936 -> 83.222.149.219:13566
Source: global traffic	TCP traffic: 192.168.2.13:59500 -> 83.222.176.30:13566
Source: global traffic	TCP traffic: 192.168.2.13:35660 -> 83.222.215.146:13566
Source: global traffic	TCP traffic: 192.168.2.13:44668 -> 83.222.20.171:13566
Source: global traffic	TCP traffic: 192.168.2.13:50430 -> 83.222.111.57:13566
Source: global traffic	TCP traffic: 192.168.2.13:49740 -> 83.222.90.62:13566
Source: global traffic	TCP traffic: 192.168.2.13:55086 -> 83.222.121.70:13566
Source: global traffic	TCP traffic: 192.168.2.13:37398 -> 83.222.242.248:13566
Source: global traffic	TCP traffic: 192.168.2.13:60060 -> 83.222.224.251:13566
Source: global traffic	TCP traffic: 192.168.2.13:55782 -> 83.222.10.237:13566
Source: global traffic	TCP traffic: 192.168.2.13:50610 -> 83.222.8.200:13566
Source: global traffic	TCP traffic: 192.168.2.13:48998 -> 83.222.193.105:13566
Source: global traffic	TCP traffic: 192.168.2.13:57322 -> 83.222.31.233:13566
Source: global traffic	TCP traffic: 192.168.2.13:49970 -> 83.222.25.16:13566
Source: global traffic	TCP traffic: 192.168.2.13:42366 -> 83.222.45.73:13566
Source: global traffic	TCP traffic: 192.168.2.13:58902 -> 83.222.92.194:13566
Source: global traffic	TCP traffic: 192.168.2.13:47794 -> 83.222.36.13:13566
Source: global traffic	TCP traffic: 192.168.2.13:47758 -> 83.222.159.244:13566
Source: global traffic	TCP traffic: 192.168.2.13:37218 -> 83.222.166.14:13566
Source: global traffic	TCP traffic: 192.168.2.13:34300 -> 83.222.45.0:13566
Source: global traffic	TCP traffic: 192.168.2.13:58730 -> 83.222.77.166:13566
Source: global traffic	TCP traffic: 192.168.2.13:55190 -> 83.222.70.63:13566
Source: global traffic	TCP traffic: 192.168.2.13:37474 -> 83.222.158.39:13566
Source: global traffic	TCP traffic: 192.168.2.13:42860 -> 83.222.191.90:13566

Source: /tmp/Kloki.arm5.elf (PID: 5597)

Socket: 127.0.0.1:14435

Jump to behavior

Source: Network traffic

Suricata IDS: 2500034 - Severity 2 - ET COMPROMISED Known Compromised or Hostile Host Traffic group 18 : 83.222.191.90:13566 -> 192.168.2.13:42860

Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.147.62
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.147.62
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.98.18
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.98.18
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.168.12
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.168.12
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.62.2
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.62.2
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.139.172
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.52.191
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.139.172
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.52.191
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.52.191
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.52.191
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.136.147
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.49.43
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.52.94
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.136.147
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.49.43
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.52.94
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.52.94
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.11.140
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.124.118
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.52.94
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.42.95
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.11.140
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.253.56
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.124.118
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.15.126
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.42.95
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.253.56
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.48.82
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.15.126
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.62.195
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.48.82
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.144.160
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.62.195
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.213.56
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.144.160
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.172.19
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.213.56
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.58.55
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.172.19
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.192.110
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.58.55
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.247.72
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.192.110
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.1.40
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.247.72
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.115.53

Source: global traffic

DNS traffic detected: DNS query: secure-network-rebirthltd.ru

System Summary

Sample tries to kill multiple processes (SIGKILL)

Source: /tmp/Kloki.arm5.elf (PID: 5603)	SIGKILL sent: pid: 914, result: successful	Jump to behavior
Source: /tmp/Kloki.arm5.elf (PID: 5603)	SIGKILL sent: pid: 917, result: successful	Jump to behavior
Source: /tmp/Kloki.arm5.elf (PID: 5603)	SIGKILL sent: pid: 936, result: successful	Jump to behavior
Source: /tmp/Kloki.arm5.elf (PID: 5603)	SIGKILL sent: pid: 1691, result: successful	Jump to behavior
Source: /tmp/Kloki.arm5.elf (PID: 5603)	SIGKILL sent: pid: 1866, result: successful	Jump to behavior
Source: /tmp/Kloki.arm5.elf (PID: 5603)	SIGKILL sent: pid: 1881, result: successful	Jump to behavior
Source: /tmp/Kloki.arm5.elf (PID: 5603)	SIGKILL sent: pid: 1884, result: successful	Jump to behavior
Source: /tmp/Kloki.arm5.elf (PID: 5603)	SIGKILL sent: pid: 3069, result: successful	Jump to behavior
Source: /tmp/Kloki.arm5.elf (PID: 5603)	SIGKILL sent: pid: 3246, result: successful	Jump to behavior
Source: /tmp/Kloki.arm5.elf (PID: 5603)	SIGKILL sent: pid: 3442, result: successful	Jump to behavior
Source: /tmp/Kloki.arm5.elf (PID: 5603)	SIGKILL sent: pid: 5579, result: successful	Jump to behavior
Source: /tmp/Kloki.arm5.elf (PID: 5603)	SIGKILL sent: pid: 5605, result: successful	Jump to behavior
Source: /tmp/Kloki.arm5.elf (PID: 5603)	SIGKILL sent: pid: 5627, result: successful	Jump to behavior
Source: /tmp/Kloki.arm5.elf (PID: 5603)	SIGKILL sent: pid: 5629, result: successful	Jump to behavior
Source: /tmp/Kloki.arm5.elf (PID: 5603)	SIGKILL sent: pid: 5630, result: successful	Jump to behavior
Source: /tmp/Kloki.arm5.elf (PID: 5603)	SIGKILL sent: pid: 5632, result: successful	Jump to behavior

Source: LOAD without section mappings

Program segment: 0x8000

Source: /tmp/Kloki.arm5.elf (PID: 5603)	SIGKILL sent: pid: 914, result: successful	Jump to behavior
Source: /tmp/Kloki.arm5.elf (PID: 5603)	SIGKILL sent: pid: 917, result: successful	Jump to behavior
Source: /tmp/Kloki.arm5.elf (PID: 5603)	SIGKILL sent: pid: 936, result: successful	Jump to behavior
Source: /tmp/Kloki.arm5.elf (PID: 5603)	SIGKILL sent: pid: 1691, result: successful	Jump to behavior
Source: /tmp/Kloki.arm5.elf (PID: 5603)	SIGKILL sent: pid: 1866, result: successful	Jump to behavior
Source: /tmp/Kloki.arm5.elf (PID: 5603)	SIGKILL sent: pid: 1881, result: successful	Jump to behavior
Source: /tmp/Kloki.arm5.elf (PID: 5603)	SIGKILL sent: pid: 1884, result: successful	Jump to behavior
Source: /tmp/Kloki.arm5.elf (PID: 5603)	SIGKILL sent: pid: 3069, result: successful	Jump to behavior
Source: /tmp/Kloki.arm5.elf (PID: 5603)	SIGKILL sent: pid: 3246, result: successful	Jump to behavior
Source: /tmp/Kloki.arm5.elf (PID: 5603)	SIGKILL sent: pid: 3442, result: successful	Jump to behavior
Source: /tmp/Kloki.arm5.elf (PID: 5603)	SIGKILL sent: pid: 5579, result: successful	Jump to behavior
Source: /tmp/Kloki.arm5.elf (PID: 5603)	SIGKILL sent: pid: 5605, result: successful	Jump to behavior
Source: /tmp/Kloki.arm5.elf (PID: 5603)	SIGKILL sent: pid: 5627, result: successful	Jump to behavior
Source: /tmp/Kloki.arm5.elf (PID: 5603)	SIGKILL sent: pid: 5629, result: successful	Jump to behavior
Source: /tmp/Kloki.arm5.elf (PID: 5603)	SIGKILL sent: pid: 5630, result: successful	Jump to behavior
Source: /tmp/Kloki.arm5.elf (PID: 5603)	SIGKILL sent: pid: 5632, result: successful	Jump to behavior

Source: classification engine

Classification label: mal52.spre.linELF@0/0@1/0

Source: Kloki.arm5.elf	Submission file: segment LOAD with 7.889 entropy (max. 8.0)
Source: Kloki.arm5.elf	Submission file: segment LOAD with 7.9801 entropy (max. 8.0)

Source: /tmp/Kloki.arm5.elf (PID: 5597)

Queries kernel information via 'uname':

Jump to behavior

Source: Kloki.arm5.elf, 5597.1.000055d3fd3ca000.000055d3fd543000.rw-.sdmp, Kloki.arm5.elf, 5601.1.000055d3fd3ca000.000055d3fd543000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/arm
Source: Kloki.arm5.elf, 5597.1.00007ffc61688000.00007ffc616a9000.rw-.sdmp, Kloki.arm5.elf, 5601.1.00007ffc61688000.00007ffc616a9000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/Kloki.arm5.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Kloki.arm5.elf
Source: Kloki.arm5.elf, 5597.1.000055d3fd3ca000.000055d3fd543000.rw-.sdmp, Kloki.arm5.elf, 5601.1.000055d3fd3ca000.000055d3fd543000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: Kloki.arm5.elf, 5597.1.00007ffc61688000.00007ffc616a9000.rw-.sdmp, Kloki.arm5.elf, 5601.1.00007ffc61688000.00007ffc616a9000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Obfuscated Files or Information	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	1 Service Stop
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Kloki.arm5.elf	27%	Virustotal		Browse
Kloki.arm5.elf	21%	ReversingLabs	Linux.Trojan.Svirtu

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
secure-network-rebirthltd.ru	83.222.191.90	true	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
83.222.81.125	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.219.241	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.40.175	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.127.154	unknown	Russian Federation	47328	TRI-ASTrueRecordsIncES	false
83.222.13.13	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.97.87	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.36.13	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.147.62	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.98.18	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.54.41	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.190.212	unknown	Bulgaria	43561	NET1-ASBG	false
83.222.121.70	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.1.199	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.79.237	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.98.243	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.27.61	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.149.219	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.48.82	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.194.3	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.158.39	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.62.195	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.113.84	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.215.146	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.10.237	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.213.56	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.36.113	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.174.85	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.144.160	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.228.63	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.207.64	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.172.19	unknown	Bulgaria	49040	KIG-UNISAT-TVBG	false
83.222.141.251	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.212.221	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.20.171	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.166.14	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.1.40	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.192.110	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.52.94	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.48.76	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.42.95	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.24.84	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.49.43	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.4.171	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.193.105	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.134.127	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.196.175	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.253.56	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.91.81	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.25.16	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.199.83	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.92.194	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.70.63	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.45.0	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.37.175	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.137.252	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.31.233	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.62.2	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.241.67	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.9.18	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.124.118	unknown	Russian Federation	47328	TRI-ASTrueRecordsIncES	false
83.222.50.193	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.9.55	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.252.47	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.170.100	unknown	Bulgaria	49040	KIG-UNISAT-TVBG	false
83.222.45.73	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.77.166	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.8.200	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.153.84	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.147.114	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.90.62	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.242.248	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.236.179	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.109.216	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.225.246	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.191.90	secure-network-rebirthltd.ru	Bulgaria	43561	NET1-ASBG	false
83.222.15.126	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.78.154	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.136.147	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.168.12	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.58.55	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.159.244	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.139.172	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.11.140	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.111.57	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.176.30	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.224.251	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.115.53	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.52.191	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.27.129	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.247.72	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.245.236	unknown	United Kingdom	13768	COGECO-PEER1CA	false

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
secure-network-rebirthltd.ru	Kloki.arm7.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.arm7.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.x86_64.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.191.90

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TRI-ASTrueRecordsIncES	Kloki.arm7.elf	Get hash	malicious	Unknown	Browse	83.222.125.253
	Kloki.arm7.elf	Get hash	malicious	Unknown	Browse	83.222.124.60
	Kloki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.126.23
	Kloki.x86_64.elf	Get hash	malicious	Unknown	Browse	83.222.127.227
	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.127.11
	Kloki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.125.205
	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.126.31
	https://sazi.online/91150/?utm_source=HueVu&utm_medium=AlluringAngels&utm_campaign=Girls&fbclid=IwAR0edkaxp99ZoQQmBnk5RzNjaLguZlK7xHWUVNwiZ8B5L1Dgxb2UluLI-6U	Get hash	malicious	Unknown	Browse	212.124.124.115
	https://sports.zaly.online/57724/	Get hash	malicious	Unknown	Browse	212.124.124.8
	skyljne.arm5.elf	Get hash	malicious	Mirai	Browse	212.124.111.159
MASTERHOST-ASMoscowRussiaRU	Kloki.arm7.elf	Get hash	malicious	Unknown	Browse	83.222.27.245
	rACq8Eaix6.exe	Get hash	malicious	FormBook	Browse	90.156.201.74
	frosty.x86.elf	Get hash	malicious	Mirai	Browse	90.156.234.102
	Kloki.arm7.elf	Get hash	malicious	Unknown	Browse	83.222.6.30
	Kloki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.18.36
	Kloki.x86_64.elf	Get hash	malicious	Unknown	Browse	83.222.30.186
	Kloki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.26.170
	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.4.239
	Kloki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.13.30
	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.6.146
LOL-ASluLU	Kloki.arm7.elf	Get hash	malicious	Unknown	Browse	83.222.57.125
	Kloki.arm7.elf	Get hash	malicious	Unknown	Browse	83.222.49.221
	Kloki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.46.246
	Kloki.x86_64.elf	Get hash	malicious	Unknown	Browse	83.222.47.140
	Kloki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.41.18
	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.38.250
	Kloki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.39.173
	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.34.98
	jew.x86.elf	Get hash	malicious	Unknown	Browse	85.10.122.249
	ppc.elf	Get hash	malicious	Mirai	Browse	85.10.122.239
ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	Kloki.arm7.elf	Get hash	malicious	Unknown	Browse	83.222.82.17
	Kloki.arm7.elf	Get hash	malicious	Unknown	Browse	83.222.70.81
	Kloki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.83.69
	Kloki.x86_64.elf	Get hash	malicious	Unknown	Browse	83.222.87.13
	Kloki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.68.210
	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.73.212
	Kloki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.89.90
	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.64.159
	skid.x86.elf	Get hash	malicious	Moobot	Browse	83.222.64.191
	XfUkJyh9A3.elf	Get hash	malicious	Mirai	Browse	37.209.228.199
SONICDUO-ASRU	Kloki.arm7.elf	Get hash	malicious	Unknown	Browse	83.222.217.191
	3.elf	Get hash	malicious	Unknown	Browse	178.177.147.162
	res.mips.elf	Get hash	malicious	Unknown	Browse	178.178.101.43
	res.m68k.elf	Get hash	malicious	Unknown	Browse	109.188.108.84
	frosty.arm.elf	Get hash	malicious	Mirai	Browse	178.178.49.3
	Fantazy.mips.elf	Get hash	malicious	Unknown	Browse	178.176.79.118
	Kloki.arm7.elf	Get hash	malicious	Unknown	Browse	83.222.223.206
	Kloki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.214.28
	Kloki.x86_64.elf	Get hash	malicious	Unknown	Browse	83.222.221.95
	Kloki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.222.79

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, no section header
Entropy (8bit):	7.9787009809833975
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	Kloki.arm5.elf
File size:	50'956 bytes
MD5:	5bc43e48f0901f8bd983d197c88b0566
SHA1:	0997c945242c542c58964a574e42f6c8c75562a7
SHA256:	717575d440f1759e2fa0360ba5454170225aed438e78f45deff748ffbb73c5c2
SHA512:	2efdde6336f36b16591e054b28f25e40469e959e5746e1d95d5cfc0dc566f503c06414c6ae67688b0517ac3fb8eb5c08a45f37e7fede0579b93b74a89c82e53d
SSDEEP:	768:bgTGTi/i0Uj9cHgZ+5CGEF8o6I4DQJpR5wcgjBz7FhM/oOLLZx9hPMUQDemdJwcN:yGCI9c35w3N48JP5wcwHhROLLZ5louoF
TLSH:	1533F262E45DCDF6C4A42CF2C430A7C511B379B9D9AB7923B4290D9A9D6084702FEFD2
File Content Preview:	.ELF...a..........(.....l4..4...........4. ...(.........................<...........................................Q.td............................\...sfga....................S..........?.E.h;.}...^..........e..(Ig........v................8....=...'!....

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	ARM - ABI
ABI Version:	0
Entry Point Address:	0x4346c
Flags:	0x2
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0x8000	0x8000	0x1000	0x2df3c	7.8890	0x6	RW	0x8000
LOAD	0x0	0x38000	0x38000	0xc61b	0xc61b	7.9801	0x5	R E	0x8000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-14T16:58:01.651229+0100	2500034	ET COMPROMISED Known Compromised or Hostile Host Traffic group 18	2	83.222.191.90	13566	192.168.2.13	42860	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 16:58:01.275298119 CET	33840	13566	192.168.2.13	83.222.147.62
Jan 14, 2025 16:58:01.280265093 CET	13566	33840	83.222.147.62	192.168.2.13
Jan 14, 2025 16:58:01.280317068 CET	33840	13566	192.168.2.13	83.222.147.62
Jan 14, 2025 16:58:01.288315058 CET	34240	13566	192.168.2.13	83.222.98.18
Jan 14, 2025 16:58:01.293297052 CET	13566	34240	83.222.98.18	192.168.2.13
Jan 14, 2025 16:58:01.293338060 CET	34240	13566	192.168.2.13	83.222.98.18
Jan 14, 2025 16:58:01.310156107 CET	34076	13566	192.168.2.13	83.222.168.12
Jan 14, 2025 16:58:01.315462112 CET	13566	34076	83.222.168.12	192.168.2.13
Jan 14, 2025 16:58:01.315546036 CET	34076	13566	192.168.2.13	83.222.168.12
Jan 14, 2025 16:58:01.316504955 CET	42008	13566	192.168.2.13	83.222.62.2
Jan 14, 2025 16:58:01.321475983 CET	13566	42008	83.222.62.2	192.168.2.13
Jan 14, 2025 16:58:01.321531057 CET	42008	13566	192.168.2.13	83.222.62.2
Jan 14, 2025 16:58:01.321875095 CET	49032	13566	192.168.2.13	83.222.139.172
Jan 14, 2025 16:58:01.323667049 CET	55016	13566	192.168.2.13	83.222.52.191
Jan 14, 2025 16:58:01.326694965 CET	13566	49032	83.222.139.172	192.168.2.13
Jan 14, 2025 16:58:01.326750040 CET	49032	13566	192.168.2.13	83.222.139.172
Jan 14, 2025 16:58:01.328557014 CET	13566	55016	83.222.52.191	192.168.2.13
Jan 14, 2025 16:58:01.328619957 CET	55016	13566	192.168.2.13	83.222.52.191
Jan 14, 2025 16:58:01.331384897 CET	55016	13566	192.168.2.13	83.222.52.191
Jan 14, 2025 16:58:01.336781979 CET	13566	55016	83.222.52.191	192.168.2.13
Jan 14, 2025 16:58:01.336844921 CET	55016	13566	192.168.2.13	83.222.52.191
Jan 14, 2025 16:58:01.339750051 CET	46838	13566	192.168.2.13	83.222.136.147
Jan 14, 2025 16:58:01.342329979 CET	59670	13566	192.168.2.13	83.222.49.43
Jan 14, 2025 16:58:01.343575954 CET	57902	13566	192.168.2.13	83.222.52.94
Jan 14, 2025 16:58:01.344618082 CET	13566	46838	83.222.136.147	192.168.2.13
Jan 14, 2025 16:58:01.344666958 CET	46838	13566	192.168.2.13	83.222.136.147
Jan 14, 2025 16:58:01.347183943 CET	13566	59670	83.222.49.43	192.168.2.13
Jan 14, 2025 16:58:01.347240925 CET	59670	13566	192.168.2.13	83.222.49.43
Jan 14, 2025 16:58:01.348395109 CET	13566	57902	83.222.52.94	192.168.2.13
Jan 14, 2025 16:58:01.348448038 CET	57902	13566	192.168.2.13	83.222.52.94
Jan 14, 2025 16:58:01.357784986 CET	57902	13566	192.168.2.13	83.222.52.94
Jan 14, 2025 16:58:01.358966112 CET	50654	13566	192.168.2.13	83.222.11.140
Jan 14, 2025 16:58:01.361913919 CET	42068	13566	192.168.2.13	83.222.124.118
Jan 14, 2025 16:58:01.362721920 CET	13566	57902	83.222.52.94	192.168.2.13
Jan 14, 2025 16:58:01.362770081 CET	57902	13566	192.168.2.13	83.222.52.94
Jan 14, 2025 16:58:01.363786936 CET	13566	50654	83.222.11.140	192.168.2.13
Jan 14, 2025 16:58:01.363790989 CET	33174	13566	192.168.2.13	83.222.42.95
Jan 14, 2025 16:58:01.363851070 CET	50654	13566	192.168.2.13	83.222.11.140
Jan 14, 2025 16:58:01.366122007 CET	48410	13566	192.168.2.13	83.222.253.56
Jan 14, 2025 16:58:01.366727114 CET	13566	42068	83.222.124.118	192.168.2.13
Jan 14, 2025 16:58:01.366774082 CET	42068	13566	192.168.2.13	83.222.124.118
Jan 14, 2025 16:58:01.367706060 CET	43710	13566	192.168.2.13	83.222.15.126
Jan 14, 2025 16:58:01.368637085 CET	13566	33174	83.222.42.95	192.168.2.13
Jan 14, 2025 16:58:01.368688107 CET	33174	13566	192.168.2.13	83.222.42.95
Jan 14, 2025 16:58:01.370971918 CET	13566	48410	83.222.253.56	192.168.2.13
Jan 14, 2025 16:58:01.371018887 CET	48410	13566	192.168.2.13	83.222.253.56
Jan 14, 2025 16:58:01.371032000 CET	43558	13566	192.168.2.13	83.222.48.82
Jan 14, 2025 16:58:01.372517109 CET	13566	43710	83.222.15.126	192.168.2.13
Jan 14, 2025 16:58:01.372562885 CET	43710	13566	192.168.2.13	83.222.15.126
Jan 14, 2025 16:58:01.373651981 CET	37976	13566	192.168.2.13	83.222.62.195
Jan 14, 2025 16:58:01.375858068 CET	13566	43558	83.222.48.82	192.168.2.13
Jan 14, 2025 16:58:01.375909090 CET	43558	13566	192.168.2.13	83.222.48.82
Jan 14, 2025 16:58:01.376508951 CET	48526	13566	192.168.2.13	83.222.144.160
Jan 14, 2025 16:58:01.378458023 CET	13566	37976	83.222.62.195	192.168.2.13
Jan 14, 2025 16:58:01.378521919 CET	37976	13566	192.168.2.13	83.222.62.195
Jan 14, 2025 16:58:01.379607916 CET	44670	13566	192.168.2.13	83.222.213.56
Jan 14, 2025 16:58:01.381325006 CET	13566	48526	83.222.144.160	192.168.2.13
Jan 14, 2025 16:58:01.381370068 CET	48526	13566	192.168.2.13	83.222.144.160
Jan 14, 2025 16:58:01.382770061 CET	54826	13566	192.168.2.13	83.222.172.19
Jan 14, 2025 16:58:01.384392977 CET	13566	44670	83.222.213.56	192.168.2.13
Jan 14, 2025 16:58:01.384434938 CET	44670	13566	192.168.2.13	83.222.213.56
Jan 14, 2025 16:58:01.385257006 CET	35504	13566	192.168.2.13	83.222.58.55
Jan 14, 2025 16:58:01.387597084 CET	13566	54826	83.222.172.19	192.168.2.13
Jan 14, 2025 16:58:01.387639046 CET	54826	13566	192.168.2.13	83.222.172.19
Jan 14, 2025 16:58:01.388716936 CET	45084	13566	192.168.2.13	83.222.192.110
Jan 14, 2025 16:58:01.390223026 CET	13566	35504	83.222.58.55	192.168.2.13
Jan 14, 2025 16:58:01.390279055 CET	35504	13566	192.168.2.13	83.222.58.55
Jan 14, 2025 16:58:01.393058062 CET	59024	13566	192.168.2.13	83.222.247.72
Jan 14, 2025 16:58:01.393465996 CET	13566	45084	83.222.192.110	192.168.2.13
Jan 14, 2025 16:58:01.393520117 CET	45084	13566	192.168.2.13	83.222.192.110
Jan 14, 2025 16:58:01.396871090 CET	55910	13566	192.168.2.13	83.222.1.40
Jan 14, 2025 16:58:01.397989035 CET	13566	59024	83.222.247.72	192.168.2.13
Jan 14, 2025 16:58:01.398040056 CET	59024	13566	192.168.2.13	83.222.247.72
Jan 14, 2025 16:58:01.398917913 CET	54388	13566	192.168.2.13	83.222.115.53
Jan 14, 2025 16:58:01.400681973 CET	45926	13566	192.168.2.13	83.222.134.127
Jan 14, 2025 16:58:01.401643038 CET	13566	55910	83.222.1.40	192.168.2.13
Jan 14, 2025 16:58:01.401681900 CET	55910	13566	192.168.2.13	83.222.1.40
Jan 14, 2025 16:58:01.402014971 CET	36096	13566	192.168.2.13	83.222.194.3
Jan 14, 2025 16:58:01.403395891 CET	56870	13566	192.168.2.13	83.222.245.236
Jan 14, 2025 16:58:01.403701067 CET	13566	54388	83.222.115.53	192.168.2.13
Jan 14, 2025 16:58:01.403743029 CET	54388	13566	192.168.2.13	83.222.115.53
Jan 14, 2025 16:58:01.404885054 CET	57114	13566	192.168.2.13	83.222.98.243
Jan 14, 2025 16:58:01.405428886 CET	13566	45926	83.222.134.127	192.168.2.13
Jan 14, 2025 16:58:01.405464888 CET	45926	13566	192.168.2.13	83.222.134.127
Jan 14, 2025 16:58:01.406295061 CET	52276	13566	192.168.2.13	83.222.36.113
Jan 14, 2025 16:58:01.406842947 CET	13566	36096	83.222.194.3	192.168.2.13
Jan 14, 2025 16:58:01.406887054 CET	36096	13566	192.168.2.13	83.222.194.3
Jan 14, 2025 16:58:01.407339096 CET	59460	13566	192.168.2.13	83.222.113.84
Jan 14, 2025 16:58:01.408166885 CET	13566	56870	83.222.245.236	192.168.2.13
Jan 14, 2025 16:58:01.408220053 CET	56870	13566	192.168.2.13	83.222.245.236
Jan 14, 2025 16:58:01.409634113 CET	13566	57114	83.222.98.243	192.168.2.13
Jan 14, 2025 16:58:01.409683943 CET	57114	13566	192.168.2.13	83.222.98.243
Jan 14, 2025 16:58:01.410444975 CET	47782	13566	192.168.2.13	83.222.196.175
Jan 14, 2025 16:58:01.411027908 CET	13566	52276	83.222.36.113	192.168.2.13
Jan 14, 2025 16:58:01.411068916 CET	52276	13566	192.168.2.13	83.222.36.113
Jan 14, 2025 16:58:01.411740065 CET	40052	13566	192.168.2.13	83.222.24.84
Jan 14, 2025 16:58:01.412118912 CET	13566	59460	83.222.113.84	192.168.2.13
Jan 14, 2025 16:58:01.412148952 CET	59460	13566	192.168.2.13	83.222.113.84
Jan 14, 2025 16:58:01.414931059 CET	58258	13566	192.168.2.13	83.222.79.237
Jan 14, 2025 16:58:01.415190935 CET	13566	47782	83.222.196.175	192.168.2.13
Jan 14, 2025 16:58:01.415235996 CET	47782	13566	192.168.2.13	83.222.196.175
Jan 14, 2025 16:58:01.416225910 CET	47908	13566	192.168.2.13	83.222.141.251
Jan 14, 2025 16:58:01.416476965 CET	13566	40052	83.222.24.84	192.168.2.13
Jan 14, 2025 16:58:01.416512966 CET	40052	13566	192.168.2.13	83.222.24.84
Jan 14, 2025 16:58:01.419713020 CET	13566	58258	83.222.79.237	192.168.2.13
Jan 14, 2025 16:58:01.419750929 CET	58258	13566	192.168.2.13	83.222.79.237
Jan 14, 2025 16:58:01.420245886 CET	60466	13566	192.168.2.13	83.222.1.199
Jan 14, 2025 16:58:01.421087027 CET	13566	47908	83.222.141.251	192.168.2.13
Jan 14, 2025 16:58:01.421122074 CET	47908	13566	192.168.2.13	83.222.141.251
Jan 14, 2025 16:58:01.422770977 CET	54460	13566	192.168.2.13	83.222.50.193
Jan 14, 2025 16:58:01.425004959 CET	13566	60466	83.222.1.199	192.168.2.13
Jan 14, 2025 16:58:01.425035954 CET	60466	13566	192.168.2.13	83.222.1.199
Jan 14, 2025 16:58:01.425214052 CET	46050	13566	192.168.2.13	83.222.54.41
Jan 14, 2025 16:58:01.427586079 CET	13566	54460	83.222.50.193	192.168.2.13
Jan 14, 2025 16:58:01.427629948 CET	54460	13566	192.168.2.13	83.222.50.193
Jan 14, 2025 16:58:01.428050995 CET	42506	13566	192.168.2.13	83.222.9.55
Jan 14, 2025 16:58:01.429975033 CET	13566	46050	83.222.54.41	192.168.2.13
Jan 14, 2025 16:58:01.430005074 CET	46050	13566	192.168.2.13	83.222.54.41
Jan 14, 2025 16:58:01.432904959 CET	13566	42506	83.222.9.55	192.168.2.13
Jan 14, 2025 16:58:01.432957888 CET	42506	13566	192.168.2.13	83.222.9.55
Jan 14, 2025 16:58:01.452266932 CET	52200	13566	192.168.2.13	83.222.81.125
Jan 14, 2025 16:58:01.457176924 CET	13566	52200	83.222.81.125	192.168.2.13
Jan 14, 2025 16:58:01.457216024 CET	52200	13566	192.168.2.13	83.222.81.125
Jan 14, 2025 16:58:01.460225105 CET	35160	13566	192.168.2.13	83.222.109.216
Jan 14, 2025 16:58:01.464565992 CET	39340	13566	192.168.2.13	83.222.252.47
Jan 14, 2025 16:58:01.464996099 CET	13566	35160	83.222.109.216	192.168.2.13
Jan 14, 2025 16:58:01.465033054 CET	35160	13566	192.168.2.13	83.222.109.216
Jan 14, 2025 16:58:01.467757940 CET	33342	13566	192.168.2.13	83.222.219.241
Jan 14, 2025 16:58:01.469357967 CET	13566	39340	83.222.252.47	192.168.2.13
Jan 14, 2025 16:58:01.469400883 CET	39340	13566	192.168.2.13	83.222.252.47
Jan 14, 2025 16:58:01.470982075 CET	44084	13566	192.168.2.13	83.222.27.61
Jan 14, 2025 16:58:01.472556114 CET	13566	33342	83.222.219.241	192.168.2.13
Jan 14, 2025 16:58:01.472599030 CET	33342	13566	192.168.2.13	83.222.219.241
Jan 14, 2025 16:58:01.474720955 CET	41800	13566	192.168.2.13	83.222.228.63
Jan 14, 2025 16:58:01.475737095 CET	13566	44084	83.222.27.61	192.168.2.13
Jan 14, 2025 16:58:01.475766897 CET	44084	13566	192.168.2.13	83.222.27.61
Jan 14, 2025 16:58:01.478493929 CET	53180	13566	192.168.2.13	83.222.174.85
Jan 14, 2025 16:58:01.479511023 CET	13566	41800	83.222.228.63	192.168.2.13
Jan 14, 2025 16:58:01.479558945 CET	41800	13566	192.168.2.13	83.222.228.63
Jan 14, 2025 16:58:01.480946064 CET	44728	13566	192.168.2.13	83.222.147.114
Jan 14, 2025 16:58:01.482969046 CET	49008	13566	192.168.2.13	83.222.4.171
Jan 14, 2025 16:58:01.483259916 CET	13566	53180	83.222.174.85	192.168.2.13
Jan 14, 2025 16:58:01.483310938 CET	53180	13566	192.168.2.13	83.222.174.85
Jan 14, 2025 16:58:01.485048056 CET	36746	13566	192.168.2.13	83.222.199.83
Jan 14, 2025 16:58:01.485709906 CET	13566	44728	83.222.147.114	192.168.2.13
Jan 14, 2025 16:58:01.485745907 CET	44728	13566	192.168.2.13	83.222.147.114
Jan 14, 2025 16:58:01.487745047 CET	13566	49008	83.222.4.171	192.168.2.13
Jan 14, 2025 16:58:01.487787962 CET	49008	13566	192.168.2.13	83.222.4.171
Jan 14, 2025 16:58:01.488053083 CET	32964	13566	192.168.2.13	83.222.153.84
Jan 14, 2025 16:58:01.489805937 CET	13566	36746	83.222.199.83	192.168.2.13
Jan 14, 2025 16:58:01.489849091 CET	36746	13566	192.168.2.13	83.222.199.83
Jan 14, 2025 16:58:01.490782976 CET	44678	13566	192.168.2.13	83.222.78.154
Jan 14, 2025 16:58:01.492830038 CET	13566	32964	83.222.153.84	192.168.2.13
Jan 14, 2025 16:58:01.492876053 CET	32964	13566	192.168.2.13	83.222.153.84
Jan 14, 2025 16:58:01.495542049 CET	13566	44678	83.222.78.154	192.168.2.13
Jan 14, 2025 16:58:01.495579958 CET	44678	13566	192.168.2.13	83.222.78.154
Jan 14, 2025 16:58:01.496887922 CET	52588	13566	192.168.2.13	83.222.27.129
Jan 14, 2025 16:58:01.499506950 CET	40824	13566	192.168.2.13	83.222.91.81
Jan 14, 2025 16:58:01.501667976 CET	13566	52588	83.222.27.129	192.168.2.13
Jan 14, 2025 16:58:01.501703024 CET	52588	13566	192.168.2.13	83.222.27.129
Jan 14, 2025 16:58:01.502173901 CET	41698	13566	192.168.2.13	83.222.170.100
Jan 14, 2025 16:58:01.504231930 CET	13566	40824	83.222.91.81	192.168.2.13
Jan 14, 2025 16:58:01.504264116 CET	40824	13566	192.168.2.13	83.222.91.81
Jan 14, 2025 16:58:01.504812002 CET	35490	13566	192.168.2.13	83.222.137.252
Jan 14, 2025 16:58:01.506911993 CET	13566	41698	83.222.170.100	192.168.2.13
Jan 14, 2025 16:58:01.506959915 CET	41698	13566	192.168.2.13	83.222.170.100
Jan 14, 2025 16:58:01.507349014 CET	37776	13566	192.168.2.13	83.222.225.246
Jan 14, 2025 16:58:01.509557009 CET	13566	35490	83.222.137.252	192.168.2.13
Jan 14, 2025 16:58:01.509597063 CET	35490	13566	192.168.2.13	83.222.137.252
Jan 14, 2025 16:58:01.509896994 CET	35810	13566	192.168.2.13	83.222.212.221
Jan 14, 2025 16:58:01.512092113 CET	57606	13566	192.168.2.13	83.222.37.175
Jan 14, 2025 16:58:01.512099028 CET	13566	37776	83.222.225.246	192.168.2.13
Jan 14, 2025 16:58:01.512139082 CET	37776	13566	192.168.2.13	83.222.225.246
Jan 14, 2025 16:58:01.514683008 CET	13566	35810	83.222.212.221	192.168.2.13
Jan 14, 2025 16:58:01.514729977 CET	35810	13566	192.168.2.13	83.222.212.221
Jan 14, 2025 16:58:01.515903950 CET	43484	13566	192.168.2.13	83.222.207.64
Jan 14, 2025 16:58:01.516839981 CET	13566	57606	83.222.37.175	192.168.2.13
Jan 14, 2025 16:58:01.516884089 CET	57606	13566	192.168.2.13	83.222.37.175
Jan 14, 2025 16:58:01.519531012 CET	50192	13566	192.168.2.13	83.222.236.179
Jan 14, 2025 16:58:01.520725965 CET	13566	43484	83.222.207.64	192.168.2.13
Jan 14, 2025 16:58:01.520773888 CET	43484	13566	192.168.2.13	83.222.207.64
Jan 14, 2025 16:58:01.522753954 CET	54552	13566	192.168.2.13	83.222.127.154
Jan 14, 2025 16:58:01.524388075 CET	13566	50192	83.222.236.179	192.168.2.13
Jan 14, 2025 16:58:01.524425983 CET	50192	13566	192.168.2.13	83.222.236.179
Jan 14, 2025 16:58:01.525991917 CET	60216	13566	192.168.2.13	83.222.9.18
Jan 14, 2025 16:58:01.527522087 CET	13566	54552	83.222.127.154	192.168.2.13
Jan 14, 2025 16:58:01.527570963 CET	54552	13566	192.168.2.13	83.222.127.154
Jan 14, 2025 16:58:01.529282093 CET	45148	13566	192.168.2.13	83.222.13.13
Jan 14, 2025 16:58:01.530733109 CET	13566	60216	83.222.9.18	192.168.2.13
Jan 14, 2025 16:58:01.530769110 CET	60216	13566	192.168.2.13	83.222.9.18
Jan 14, 2025 16:58:01.532691002 CET	40532	13566	192.168.2.13	83.222.190.212
Jan 14, 2025 16:58:01.534104109 CET	13566	45148	83.222.13.13	192.168.2.13
Jan 14, 2025 16:58:01.534137964 CET	45148	13566	192.168.2.13	83.222.13.13
Jan 14, 2025 16:58:01.536066055 CET	49096	13566	192.168.2.13	83.222.97.87
Jan 14, 2025 16:58:01.537435055 CET	13566	40532	83.222.190.212	192.168.2.13
Jan 14, 2025 16:58:01.537484884 CET	40532	13566	192.168.2.13	83.222.190.212
Jan 14, 2025 16:58:01.539921999 CET	37112	13566	192.168.2.13	83.222.40.175
Jan 14, 2025 16:58:01.540797949 CET	13566	49096	83.222.97.87	192.168.2.13
Jan 14, 2025 16:58:01.540828943 CET	49096	13566	192.168.2.13	83.222.97.87
Jan 14, 2025 16:58:01.542530060 CET	42342	13566	192.168.2.13	83.222.241.67
Jan 14, 2025 16:58:01.544701099 CET	13566	37112	83.222.40.175	192.168.2.13
Jan 14, 2025 16:58:01.544744015 CET	37112	13566	192.168.2.13	83.222.40.175
Jan 14, 2025 16:58:01.545195103 CET	37570	13566	192.168.2.13	83.222.48.76
Jan 14, 2025 16:58:01.547274113 CET	13566	42342	83.222.241.67	192.168.2.13
Jan 14, 2025 16:58:01.547321081 CET	42342	13566	192.168.2.13	83.222.241.67
Jan 14, 2025 16:58:01.548789024 CET	55936	13566	192.168.2.13	83.222.149.219
Jan 14, 2025 16:58:01.549949884 CET	13566	37570	83.222.48.76	192.168.2.13
Jan 14, 2025 16:58:01.549988985 CET	37570	13566	192.168.2.13	83.222.48.76
Jan 14, 2025 16:58:01.551543951 CET	59500	13566	192.168.2.13	83.222.176.30
Jan 14, 2025 16:58:01.553544044 CET	13566	55936	83.222.149.219	192.168.2.13
Jan 14, 2025 16:58:01.553587914 CET	55936	13566	192.168.2.13	83.222.149.219
Jan 14, 2025 16:58:01.554363012 CET	35660	13566	192.168.2.13	83.222.215.146
Jan 14, 2025 16:58:01.556354046 CET	13566	59500	83.222.176.30	192.168.2.13
Jan 14, 2025 16:58:01.556396961 CET	59500	13566	192.168.2.13	83.222.176.30
Jan 14, 2025 16:58:01.559103012 CET	13566	35660	83.222.215.146	192.168.2.13
Jan 14, 2025 16:58:01.559154034 CET	35660	13566	192.168.2.13	83.222.215.146
Jan 14, 2025 16:58:01.560158968 CET	44668	13566	192.168.2.13	83.222.20.171
Jan 14, 2025 16:58:01.563308001 CET	50430	13566	192.168.2.13	83.222.111.57
Jan 14, 2025 16:58:01.564901114 CET	13566	44668	83.222.20.171	192.168.2.13
Jan 14, 2025 16:58:01.564953089 CET	44668	13566	192.168.2.13	83.222.20.171
Jan 14, 2025 16:58:01.566752911 CET	49740	13566	192.168.2.13	83.222.90.62
Jan 14, 2025 16:58:01.568059921 CET	13566	50430	83.222.111.57	192.168.2.13
Jan 14, 2025 16:58:01.568109035 CET	50430	13566	192.168.2.13	83.222.111.57
Jan 14, 2025 16:58:01.570786953 CET	55086	13566	192.168.2.13	83.222.121.70
Jan 14, 2025 16:58:01.571585894 CET	13566	49740	83.222.90.62	192.168.2.13
Jan 14, 2025 16:58:01.571625948 CET	49740	13566	192.168.2.13	83.222.90.62
Jan 14, 2025 16:58:01.574043036 CET	37398	13566	192.168.2.13	83.222.242.248
Jan 14, 2025 16:58:01.575577021 CET	13566	55086	83.222.121.70	192.168.2.13
Jan 14, 2025 16:58:01.575619936 CET	55086	13566	192.168.2.13	83.222.121.70
Jan 14, 2025 16:58:01.577176094 CET	60060	13566	192.168.2.13	83.222.224.251
Jan 14, 2025 16:58:01.578766108 CET	13566	37398	83.222.242.248	192.168.2.13
Jan 14, 2025 16:58:01.578802109 CET	37398	13566	192.168.2.13	83.222.242.248
Jan 14, 2025 16:58:01.580111980 CET	55782	13566	192.168.2.13	83.222.10.237
Jan 14, 2025 16:58:01.581954002 CET	13566	60060	83.222.224.251	192.168.2.13
Jan 14, 2025 16:58:01.581991911 CET	60060	13566	192.168.2.13	83.222.224.251
Jan 14, 2025 16:58:01.583527088 CET	50610	13566	192.168.2.13	83.222.8.200
Jan 14, 2025 16:58:01.584906101 CET	13566	55782	83.222.10.237	192.168.2.13
Jan 14, 2025 16:58:01.584940910 CET	55782	13566	192.168.2.13	83.222.10.237
Jan 14, 2025 16:58:01.587007046 CET	48998	13566	192.168.2.13	83.222.193.105
Jan 14, 2025 16:58:01.588247061 CET	13566	50610	83.222.8.200	192.168.2.13
Jan 14, 2025 16:58:01.588289022 CET	50610	13566	192.168.2.13	83.222.8.200
Jan 14, 2025 16:58:01.590442896 CET	57322	13566	192.168.2.13	83.222.31.233
Jan 14, 2025 16:58:01.591738939 CET	13566	48998	83.222.193.105	192.168.2.13
Jan 14, 2025 16:58:01.591777086 CET	48998	13566	192.168.2.13	83.222.193.105
Jan 14, 2025 16:58:01.594012976 CET	49970	13566	192.168.2.13	83.222.25.16
Jan 14, 2025 16:58:01.595191002 CET	13566	57322	83.222.31.233	192.168.2.13
Jan 14, 2025 16:58:01.595235109 CET	57322	13566	192.168.2.13	83.222.31.233
Jan 14, 2025 16:58:01.596965075 CET	42366	13566	192.168.2.13	83.222.45.73
Jan 14, 2025 16:58:01.598810911 CET	13566	49970	83.222.25.16	192.168.2.13
Jan 14, 2025 16:58:01.599054098 CET	49970	13566	192.168.2.13	83.222.25.16
Jan 14, 2025 16:58:01.600625038 CET	58902	13566	192.168.2.13	83.222.92.194
Jan 14, 2025 16:58:01.601872921 CET	13566	42366	83.222.45.73	192.168.2.13
Jan 14, 2025 16:58:01.601911068 CET	42366	13566	192.168.2.13	83.222.45.73
Jan 14, 2025 16:58:01.603611946 CET	47794	13566	192.168.2.13	83.222.36.13
Jan 14, 2025 16:58:01.605437994 CET	13566	58902	83.222.92.194	192.168.2.13
Jan 14, 2025 16:58:01.605474949 CET	58902	13566	192.168.2.13	83.222.92.194
Jan 14, 2025 16:58:01.607285976 CET	60078	13566	192.168.2.13	83.222.224.251
Jan 14, 2025 16:58:01.608393908 CET	13566	47794	83.222.36.13	192.168.2.13
Jan 14, 2025 16:58:01.608443022 CET	47794	13566	192.168.2.13	83.222.36.13
Jan 14, 2025 16:58:01.610219002 CET	47758	13566	192.168.2.13	83.222.159.244
Jan 14, 2025 16:58:01.612071037 CET	13566	60078	83.222.224.251	192.168.2.13
Jan 14, 2025 16:58:01.612109900 CET	60078	13566	192.168.2.13	83.222.224.251
Jan 14, 2025 16:58:01.613990068 CET	37218	13566	192.168.2.13	83.222.166.14
Jan 14, 2025 16:58:01.614996910 CET	13566	47758	83.222.159.244	192.168.2.13
Jan 14, 2025 16:58:01.615044117 CET	47758	13566	192.168.2.13	83.222.159.244
Jan 14, 2025 16:58:01.617041111 CET	34300	13566	192.168.2.13	83.222.45.0
Jan 14, 2025 16:58:01.618807077 CET	13566	37218	83.222.166.14	192.168.2.13
Jan 14, 2025 16:58:01.618850946 CET	37218	13566	192.168.2.13	83.222.166.14
Jan 14, 2025 16:58:01.621068001 CET	58730	13566	192.168.2.13	83.222.77.166
Jan 14, 2025 16:58:01.621814966 CET	13566	34300	83.222.45.0	192.168.2.13
Jan 14, 2025 16:58:01.621879101 CET	34300	13566	192.168.2.13	83.222.45.0
Jan 14, 2025 16:58:01.624049902 CET	55190	13566	192.168.2.13	83.222.70.63
Jan 14, 2025 16:58:01.625932932 CET	13566	58730	83.222.77.166	192.168.2.13
Jan 14, 2025 16:58:01.625982046 CET	58730	13566	192.168.2.13	83.222.77.166
Jan 14, 2025 16:58:01.627912998 CET	37474	13566	192.168.2.13	83.222.158.39
Jan 14, 2025 16:58:01.628902912 CET	13566	55190	83.222.70.63	192.168.2.13
Jan 14, 2025 16:58:01.628954887 CET	55190	13566	192.168.2.13	83.222.70.63
Jan 14, 2025 16:58:01.632694960 CET	13566	37474	83.222.158.39	192.168.2.13
Jan 14, 2025 16:58:01.632744074 CET	37474	13566	192.168.2.13	83.222.158.39
Jan 14, 2025 16:58:01.646332026 CET	42860	13566	192.168.2.13	83.222.191.90
Jan 14, 2025 16:58:01.651228905 CET	13566	42860	83.222.191.90	192.168.2.13
Jan 14, 2025 16:58:01.651302099 CET	42860	13566	192.168.2.13	83.222.191.90
Jan 14, 2025 16:58:01.654700994 CET	42860	13566	192.168.2.13	83.222.191.90
Jan 14, 2025 16:58:01.659563065 CET	13566	42860	83.222.191.90	192.168.2.13
Jan 14, 2025 16:58:01.659620047 CET	42860	13566	192.168.2.13	83.222.191.90
Jan 14, 2025 16:58:01.664398909 CET	13566	42860	83.222.191.90	192.168.2.13
Jan 14, 2025 16:58:11.664911985 CET	42860	13566	192.168.2.13	83.222.191.90
Jan 14, 2025 16:58:11.669785023 CET	13566	42860	83.222.191.90	192.168.2.13
Jan 14, 2025 16:58:11.878386974 CET	13566	42860	83.222.191.90	192.168.2.13
Jan 14, 2025 16:58:11.878470898 CET	42860	13566	192.168.2.13	83.222.191.90
Jan 14, 2025 16:58:12.254390001 CET	13566	42860	83.222.191.90	192.168.2.13
Jan 14, 2025 16:58:12.254499912 CET	42860	13566	192.168.2.13	83.222.191.90
Jan 14, 2025 16:59:12.306452990 CET	42860	13566	192.168.2.13	83.222.191.90
Jan 14, 2025 16:59:12.311430931 CET	13566	42860	83.222.191.90	192.168.2.13
Jan 14, 2025 16:59:12.520499945 CET	13566	42860	83.222.191.90	192.168.2.13
Jan 14, 2025 16:59:12.520605087 CET	42860	13566	192.168.2.13	83.222.191.90
Jan 14, 2025 16:59:13.453150034 CET	13566	42860	83.222.191.90	192.168.2.13
Jan 14, 2025 16:59:13.453274012 CET	42860	13566	192.168.2.13	83.222.191.90

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 16:58:01.634536982 CET	42578	53	192.168.2.13	8.8.8.8
Jan 14, 2025 16:58:01.644057989 CET	53	42578	8.8.8.8	192.168.2.13

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 16:58:01.634536982 CET	192.168.2.13	8.8.8.8	0x5df3	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 16:58:01.644057989 CET	8.8.8.8	192.168.2.13	0x5df3	No error (0)	secure-network-rebirthltd.ru		83.222.191.90	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: Kloki.arm5.elf PID: 5597, Parent PID: 5400

General

Start time (UTC):	15:58:00
Start date (UTC):	14/01/2025
Path:	/tmp/Kloki.arm5.elf
Arguments:	/tmp/Kloki.arm5.elf
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: Kloki.arm5.elf PID: 5599, Parent PID: 5597

General

Start time (UTC):	15:58:00
Start date (UTC):	14/01/2025
Path:	/tmp/Kloki.arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: Kloki.arm5.elf PID: 5601, Parent PID: 5599

General

Start time (UTC):	15:58:00
Start date (UTC):	14/01/2025
Path:	/tmp/Kloki.arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: Kloki.arm5.elf PID: 5603, Parent PID: 5599

General

Start time (UTC):	15:58:00
Start date (UTC):	14/01/2025
Path:	/tmp/Kloki.arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: gnome-session-binary PID: 5605, Parent PID: 1588

General

Start time (UTC):	15:58:00
Start date (UTC):	14/01/2025
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5605, Parent PID: 1588

General

Start time (UTC):	15:58:00
Start date (UTC):	14/01/2025
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-sharing
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gnome-session-binary PID: 5627, Parent PID: 1588

General

Start time (UTC):	15:58:00
Start date (UTC):	14/01/2025
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5627, Parent PID: 1588

General

Start time (UTC):	15:58:00
Start date (UTC):	14/01/2025
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/bin/gnome-shell
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gnome-shell PID: 5627, Parent PID: 1588

General

Start time (UTC):	15:58:00
Start date (UTC):	14/01/2025
Path:	/usr/bin/gnome-shell
Arguments:	/usr/bin/gnome-shell
File size:	23168 bytes
MD5 hash:	da7a257239677622fe4b3a65972c9e87

Chronological Activities

Analysis Process: gnome-session-binary PID: 5629, Parent PID: 1588

General

Start time (UTC):	15:58:00
Start date (UTC):	14/01/2025
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5629, Parent PID: 1588

General

Start time (UTC):	15:58:00
Start date (UTC):	14/01/2025
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-print-notifications
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-print-notifications PID: 5629, Parent PID: 1588

General

Start time (UTC):	15:58:00
Start date (UTC):	14/01/2025
Path:	/usr/libexec/gsd-print-notifications
Arguments:	/usr/libexec/gsd-print-notifications
File size:	51840 bytes
MD5 hash:	71539698aa691718cee775d6b9450ae2

Chronological Activities

Analysis Process: gnome-session-binary PID: 5630, Parent PID: 1588

General

Start time (UTC):	15:58:00
Start date (UTC):	14/01/2025
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5630, Parent PID: 1588

General

Start time (UTC):	15:58:00
Start date (UTC):	14/01/2025
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-rfkill PID: 5630, Parent PID: 1588

General

Start time (UTC):	15:58:00
Start date (UTC):	14/01/2025
Path:	/usr/libexec/gsd-rfkill
Arguments:	/usr/libexec/gsd-rfkill
File size:	51808 bytes
MD5 hash:	88a16a3c0aba1759358c06215ecfb5cc

Chronological Activities

Analysis Process: gdm3 PID: 5631, Parent PID: 1400

General

Start time (UTC):	15:58:00
Start date (UTC):	14/01/2025
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Chronological Activities

Analysis Process: Default PID: 5631, Parent PID: 1400

General

Start time (UTC):	15:58:00
Start date (UTC):	14/01/2025
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gdm3 PID: 5632, Parent PID: 1400

General

Start time (UTC):	15:58:00
Start date (UTC):	14/01/2025
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Chronological Activities

Analysis Process: Default PID: 5632, Parent PID: 1400

General

Start time (UTC):	15:58:00
Start date (UTC):	14/01/2025
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.
Tactics:	Impact
Data Sources:	Command: Command Execution, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Termination, Service: Service Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report Kloki.arm5.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: Kloki.arm5.elf PID: 5597, Parent PID: 5400

General

Chronological Activities

Analysis Process: Kloki.arm5.elf PID: 5599, Parent PID: 5597

General

Chronological Activities

Analysis Process: Kloki.arm5.elf PID: 5601, Parent PID: 5599

General

Chronological Activities

Analysis Process: Kloki.arm5.elf PID: 5603, Parent PID: 5599

General

Chronological Activities

Analysis Process: gnome-session-binary PID: 5605, Parent PID: 1588

General

Chronological Activities

Analysis Process: sh PID: 5605, Parent PID: 1588

General

Chronological Activities

Analysis Process: gnome-session-binary PID: 5627, Parent PID: 1588

General

Chronological Activities

Analysis Process: sh PID: 5627, Parent PID: 1588

General

Chronological Activities

Linux Analysis Report
Kloki.arm5.elf