Edit tour

Linux Analysis Report
Kloki.arm4.elf

Overview

General Information

Sample name:	Kloki.arm4.elf
Analysis ID:	1591029
MD5:	b1f3a500f6313f6580d511bd121673fb
SHA1:	8551921306b456d3d31e61768e125e235f3d691e
SHA256:	04773b2be8239ff774f0549a81559504c1dcdd4556c3aa8a28a77b285e02348b
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Sample tries to kill multiple processes (SIGKILL)

Detected TCP or UDP traffic on non-standard ports

ELF contains segments with high entropy indicating compressed/encrypted content

Sample contains only a LOAD segment without any section mappings

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Suricata IDS alerts with low severity for network traffic

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591029
Start date and time:	2025-01-14 17:05:02 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	Kloki.arm4.elf
Detection:	MAL
Classification:	mal52.spre.linELF@0/0@1/0

Runtime Messages

Command:	/tmp/Kloki.arm4.elf
PID:	5476
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	suka
Standard Error:

Process Tree

system is lnxubuntu20

Kloki.arm4.elf (PID: 5476, Parent: 5400, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/Kloki.arm4.elf

Kloki.arm4.elf New Fork (PID: 5478, Parent: 5476)

Kloki.arm4.elf New Fork (PID: 5480, Parent: 5478)

Kloki.arm4.elf New Fork (PID: 5482, Parent: 5478)

gnome-session-binary New Fork (PID: 5484, Parent: 1383)

sh (PID: 5484, Parent: 1383, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-sharing

gsd-sharing (PID: 5484, Parent: 1383, MD5: e29d9025d98590fbb69f89fdbd4438b3) Arguments: /usr/libexec/gsd-sharing

gnome-session-binary New Fork (PID: 5505, Parent: 1383)

sh (PID: 5505, Parent: 1383, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/bin/gnome-shell

gnome-shell (PID: 5505, Parent: 1383, MD5: da7a257239677622fe4b3a65972c9e87) Arguments: /usr/bin/gnome-shell

gnome-session-binary New Fork (PID: 5507, Parent: 1383)

sh (PID: 5507, Parent: 1383, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-print-notifications

gsd-print-notifications (PID: 5507, Parent: 1383, MD5: 71539698aa691718cee775d6b9450ae2) Arguments: /usr/libexec/gsd-print-notifications

gnome-session-binary New Fork (PID: 5508, Parent: 1383)

sh (PID: 5508, Parent: 1383, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill

gsd-rfkill (PID: 5508, Parent: 1383, MD5: 88a16a3c0aba1759358c06215ecfb5cc) Arguments: /usr/libexec/gsd-rfkill

gdm3 New Fork (PID: 5509, Parent: 1289)

Default (PID: 5509, Parent: 1289, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

gdm3 New Fork (PID: 5511, Parent: 1289)

Default (PID: 5511, Parent: 1289, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

systemd New Fork (PID: 5522, Parent: 1)

systemd-user-runtime-dir (PID: 5522, Parent: 1, MD5: d55f4b0847f88131dbcfb07435178e54) Arguments: /lib/systemd/systemd-user-runtime-dir stop 127

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

ET COMPROMISED Known Compromised or Hostile Host Traffic group 18

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T17:05:46.793673+0100	2500034	2	Misc Attack	83.222.191.90	13566	192.168.2.14	56532	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Kloki.arm4.elf	Virustotal: Detection: 28%			Perma Link
Source: Kloki.arm4.elf	ReversingLabs: Detection: 21%

Source: global traffic	TCP traffic: 192.168.2.14:44418 -> 83.222.42.25:13566
Source: global traffic	TCP traffic: 192.168.2.14:56394 -> 83.222.186.220:13566
Source: global traffic	TCP traffic: 192.168.2.14:35422 -> 83.222.145.130:13566
Source: global traffic	TCP traffic: 192.168.2.14:41850 -> 83.222.71.157:13566
Source: global traffic	TCP traffic: 192.168.2.14:48112 -> 83.222.15.195:13566
Source: global traffic	TCP traffic: 192.168.2.14:39990 -> 83.222.166.183:13566
Source: global traffic	TCP traffic: 192.168.2.14:37770 -> 83.222.50.111:13566
Source: global traffic	TCP traffic: 192.168.2.14:43808 -> 83.222.87.183:13566
Source: global traffic	TCP traffic: 192.168.2.14:43900 -> 83.222.0.13:13566
Source: global traffic	TCP traffic: 192.168.2.14:38756 -> 83.222.22.43:13566
Source: global traffic	TCP traffic: 192.168.2.14:55124 -> 83.222.252.160:13566
Source: global traffic	TCP traffic: 192.168.2.14:46234 -> 83.222.199.144:13566
Source: global traffic	TCP traffic: 192.168.2.14:40108 -> 83.222.185.126:13566
Source: global traffic	TCP traffic: 192.168.2.14:40058 -> 83.222.241.195:13566
Source: global traffic	TCP traffic: 192.168.2.14:51738 -> 83.222.97.189:13566
Source: global traffic	TCP traffic: 192.168.2.14:59710 -> 83.222.245.140:13566
Source: global traffic	TCP traffic: 192.168.2.14:57602 -> 83.222.214.175:13566
Source: global traffic	TCP traffic: 192.168.2.14:59526 -> 83.222.104.103:13566
Source: global traffic	TCP traffic: 192.168.2.14:37964 -> 83.222.49.175:13566
Source: global traffic	TCP traffic: 192.168.2.14:38924 -> 83.222.4.65:13566
Source: global traffic	TCP traffic: 192.168.2.14:54960 -> 83.222.114.171:13566
Source: global traffic	TCP traffic: 192.168.2.14:55108 -> 83.222.248.165:13566
Source: global traffic	TCP traffic: 192.168.2.14:46936 -> 83.222.26.79:13566
Source: global traffic	TCP traffic: 192.168.2.14:41652 -> 83.222.92.26:13566
Source: global traffic	TCP traffic: 192.168.2.14:47044 -> 83.222.93.115:13566
Source: global traffic	TCP traffic: 192.168.2.14:43830 -> 83.222.69.89:13566
Source: global traffic	TCP traffic: 192.168.2.14:43552 -> 83.222.19.12:13566
Source: global traffic	TCP traffic: 192.168.2.14:42186 -> 83.222.233.204:13566
Source: global traffic	TCP traffic: 192.168.2.14:39530 -> 83.222.138.218:13566
Source: global traffic	TCP traffic: 192.168.2.14:45588 -> 83.222.144.235:13566
Source: global traffic	TCP traffic: 192.168.2.14:43794 -> 83.222.151.133:13566
Source: global traffic	TCP traffic: 192.168.2.14:35930 -> 83.222.119.109:13566
Source: global traffic	TCP traffic: 192.168.2.14:45814 -> 83.222.53.223:13566
Source: global traffic	TCP traffic: 192.168.2.14:44126 -> 83.222.212.102:13566
Source: global traffic	TCP traffic: 192.168.2.14:58610 -> 83.222.143.217:13566
Source: global traffic	TCP traffic: 192.168.2.14:44972 -> 83.222.167.1:13566
Source: global traffic	TCP traffic: 192.168.2.14:49228 -> 83.222.132.160:13566
Source: global traffic	TCP traffic: 192.168.2.14:53980 -> 83.222.166.158:13566
Source: global traffic	TCP traffic: 192.168.2.14:49334 -> 83.222.239.3:13566
Source: global traffic	TCP traffic: 192.168.2.14:51802 -> 83.222.184.76:13566
Source: global traffic	TCP traffic: 192.168.2.14:46320 -> 83.222.118.253:13566
Source: global traffic	TCP traffic: 192.168.2.14:46958 -> 83.222.165.137:13566
Source: global traffic	TCP traffic: 192.168.2.14:59142 -> 83.222.9.142:13566
Source: global traffic	TCP traffic: 192.168.2.14:53646 -> 83.222.86.147:13566
Source: global traffic	TCP traffic: 192.168.2.14:52198 -> 83.222.104.230:13566
Source: global traffic	TCP traffic: 192.168.2.14:57998 -> 83.222.126.255:13566
Source: global traffic	TCP traffic: 192.168.2.14:44760 -> 83.222.107.246:13566
Source: global traffic	TCP traffic: 192.168.2.14:33808 -> 83.222.108.160:13566
Source: global traffic	TCP traffic: 192.168.2.14:36864 -> 83.222.213.65:13566
Source: global traffic	TCP traffic: 192.168.2.14:45506 -> 83.222.7.100:13566
Source: global traffic	TCP traffic: 192.168.2.14:45578 -> 83.222.26.174:13566
Source: global traffic	TCP traffic: 192.168.2.14:36918 -> 83.222.102.158:13566
Source: global traffic	TCP traffic: 192.168.2.14:51876 -> 83.222.78.12:13566
Source: global traffic	TCP traffic: 192.168.2.14:54180 -> 83.222.60.62:13566
Source: global traffic	TCP traffic: 192.168.2.14:56718 -> 83.222.15.244:13566
Source: global traffic	TCP traffic: 192.168.2.14:54610 -> 83.222.138.133:13566
Source: global traffic	TCP traffic: 192.168.2.14:53008 -> 83.222.241.48:13566
Source: global traffic	TCP traffic: 192.168.2.14:38316 -> 83.222.15.250:13566
Source: global traffic	TCP traffic: 192.168.2.14:40570 -> 83.222.190.101:13566
Source: global traffic	TCP traffic: 192.168.2.14:33022 -> 83.222.141.39:13566
Source: global traffic	TCP traffic: 192.168.2.14:33176 -> 83.222.75.11:13566
Source: global traffic	TCP traffic: 192.168.2.14:53636 -> 83.222.38.182:13566
Source: global traffic	TCP traffic: 192.168.2.14:41244 -> 83.222.1.147:13566
Source: global traffic	TCP traffic: 192.168.2.14:47658 -> 83.222.87.215:13566
Source: global traffic	TCP traffic: 192.168.2.14:54972 -> 83.222.212.94:13566
Source: global traffic	TCP traffic: 192.168.2.14:51152 -> 83.222.59.238:13566
Source: global traffic	TCP traffic: 192.168.2.14:45820 -> 83.222.12.161:13566
Source: global traffic	TCP traffic: 192.168.2.14:57442 -> 83.222.140.91:13566
Source: global traffic	TCP traffic: 192.168.2.14:44476 -> 83.222.174.200:13566
Source: global traffic	TCP traffic: 192.168.2.14:60630 -> 83.222.153.189:13566
Source: global traffic	TCP traffic: 192.168.2.14:58448 -> 83.222.188.35:13566
Source: global traffic	TCP traffic: 192.168.2.14:37108 -> 83.222.67.173:13566
Source: global traffic	TCP traffic: 192.168.2.14:59770 -> 83.222.83.82:13566
Source: global traffic	TCP traffic: 192.168.2.14:52102 -> 83.222.167.18:13566
Source: global traffic	TCP traffic: 192.168.2.14:42594 -> 83.222.183.52:13566
Source: global traffic	TCP traffic: 192.168.2.14:43372 -> 83.222.57.2:13566
Source: global traffic	TCP traffic: 192.168.2.14:46808 -> 83.222.63.95:13566
Source: global traffic	TCP traffic: 192.168.2.14:42618 -> 83.222.184.65:13566
Source: global traffic	TCP traffic: 192.168.2.14:35218 -> 83.222.242.15:13566
Source: global traffic	TCP traffic: 192.168.2.14:36138 -> 83.222.24.198:13566
Source: global traffic	TCP traffic: 192.168.2.14:59888 -> 83.222.109.83:13566
Source: global traffic	TCP traffic: 192.168.2.14:36480 -> 83.222.180.122:13566
Source: global traffic	TCP traffic: 192.168.2.14:49230 -> 83.222.245.64:13566
Source: global traffic	TCP traffic: 192.168.2.14:56368 -> 83.222.213.163:13566
Source: global traffic	TCP traffic: 192.168.2.14:40420 -> 83.222.8.110:13566
Source: global traffic	TCP traffic: 192.168.2.14:53138 -> 83.222.96.196:13566
Source: global traffic	TCP traffic: 192.168.2.14:35048 -> 83.222.145.163:13566
Source: global traffic	TCP traffic: 192.168.2.14:35332 -> 83.222.113.229:13566
Source: global traffic	TCP traffic: 192.168.2.14:55652 -> 83.222.245.24:13566
Source: global traffic	TCP traffic: 192.168.2.14:56104 -> 83.222.247.172:13566
Source: global traffic	TCP traffic: 192.168.2.14:47992 -> 83.222.76.48:13566
Source: global traffic	TCP traffic: 192.168.2.14:52660 -> 83.222.174.140:13566
Source: global traffic	TCP traffic: 192.168.2.14:56176 -> 83.222.143.103:13566
Source: global traffic	TCP traffic: 192.168.2.14:45746 -> 83.222.205.130:13566
Source: global traffic	TCP traffic: 192.168.2.14:57498 -> 83.222.118.229:13566
Source: global traffic	TCP traffic: 192.168.2.14:40002 -> 83.222.72.228:13566
Source: global traffic	TCP traffic: 192.168.2.14:46726 -> 83.222.56.253:13566
Source: global traffic	TCP traffic: 192.168.2.14:47992 -> 83.222.94.45:13566
Source: global traffic	TCP traffic: 192.168.2.14:56532 -> 83.222.191.90:13566

Source: /tmp/Kloki.arm4.elf (PID: 5476)

Socket: 127.0.0.1:14435

Jump to behavior

Source: Network traffic

Suricata IDS: 2500034 - Severity 2 - ET COMPROMISED Known Compromised or Hostile Host Traffic group 18 : 83.222.191.90:13566 -> 192.168.2.14:56532

Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.42.25
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.42.25
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.42.25
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.42.25
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.186.220
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.145.130
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.71.157
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.186.220
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.145.130
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.71.157
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.15.195
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.166.183
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.50.111
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.15.195
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.166.183
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.87.183
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.0.13
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.50.111
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.87.183
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.22.43
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.0.13
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.252.160
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.22.43
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.199.144
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.252.160
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.185.126
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.199.144
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.241.195
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.185.126
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.97.189
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.241.195
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.245.140
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.97.189
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.214.175
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.245.140
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.104.103
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.214.175
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.49.175
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.104.103
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.4.65
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.49.175
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.4.65
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.114.171
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.248.165
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.26.79
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.114.171
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.248.165
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.26.79
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.26.79
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.92.26

Source: global traffic

DNS traffic detected: DNS query: secure-network-rebirthltd.ru

System Summary

Sample tries to kill multiple processes (SIGKILL)

Source: /tmp/Kloki.arm4.elf (PID: 5482)	SIGKILL sent: pid: 917, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 5482)	SIGKILL sent: pid: 928, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 5482)	SIGKILL sent: pid: 940, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 5482)	SIGKILL sent: pid: 1444, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 5482)	SIGKILL sent: pid: 1610, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 5482)	SIGKILL sent: pid: 1638, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 5482)	SIGKILL sent: pid: 1639, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 5482)	SIGKILL sent: pid: 3094, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 5482)	SIGKILL sent: pid: 3268, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 5482)	SIGKILL sent: pid: 3420, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 5482)	SIGKILL sent: pid: 5459, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 5482)	SIGKILL sent: pid: 5484, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 5482)	SIGKILL sent: pid: 5505, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 5482)	SIGKILL sent: pid: 5507, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 5482)	SIGKILL sent: pid: 5508, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 5482)	SIGKILL sent: pid: 5509, result: successful	Jump to behavior

Source: LOAD without section mappings

Program segment: 0x8000

Source: /tmp/Kloki.arm4.elf (PID: 5482)	SIGKILL sent: pid: 917, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 5482)	SIGKILL sent: pid: 928, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 5482)	SIGKILL sent: pid: 940, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 5482)	SIGKILL sent: pid: 1444, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 5482)	SIGKILL sent: pid: 1610, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 5482)	SIGKILL sent: pid: 1638, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 5482)	SIGKILL sent: pid: 1639, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 5482)	SIGKILL sent: pid: 3094, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 5482)	SIGKILL sent: pid: 3268, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 5482)	SIGKILL sent: pid: 3420, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 5482)	SIGKILL sent: pid: 5459, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 5482)	SIGKILL sent: pid: 5484, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 5482)	SIGKILL sent: pid: 5505, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 5482)	SIGKILL sent: pid: 5507, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 5482)	SIGKILL sent: pid: 5508, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 5482)	SIGKILL sent: pid: 5509, result: successful	Jump to behavior

Source: classification engine

Classification label: mal52.spre.linELF@0/0@1/0

Source: Kloki.arm4.elf	Submission file: segment LOAD with 7.8919 entropy (max. 8.0)
Source: Kloki.arm4.elf	Submission file: segment LOAD with 7.9798 entropy (max. 8.0)

Source: /tmp/Kloki.arm4.elf (PID: 5476)

Queries kernel information via 'uname':

Jump to behavior

Source: Kloki.arm4.elf, 5476.1.00007fff2a160000.00007fff2a181000.rw-.sdmp, Kloki.arm4.elf, 5480.1.00007fff2a160000.00007fff2a181000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/Kloki.arm4.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Kloki.arm4.elf
Source: Kloki.arm4.elf, 5476.1.000055a25efc8000.000055a25f141000.rw-.sdmp, Kloki.arm4.elf, 5480.1.000055a25efc8000.000055a25f141000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/arm
Source: Kloki.arm4.elf, 5476.1.000055a25efc8000.000055a25f141000.rw-.sdmp, Kloki.arm4.elf, 5480.1.000055a25efc8000.000055a25f141000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: Kloki.arm4.elf, 5476.1.00007fff2a160000.00007fff2a181000.rw-.sdmp, Kloki.arm4.elf, 5480.1.00007fff2a160000.00007fff2a181000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Obfuscated Files or Information	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	1 Service Stop
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Kloki.arm4.elf	29%	Virustotal		Browse
Kloki.arm4.elf	21%	ReversingLabs	Linux.Trojan.Svirtu

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
secure-network-rebirthltd.ru	83.222.191.90	true	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
83.222.15.250	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.86.147	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.7.100	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.83.82	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.12.161	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.4.65	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.186.220	unknown	Bulgaria	43561	NET1-ASBG	false
83.222.247.172	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.143.103	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.67.173	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.71.157	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.49.175	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.174.200	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.212.102	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.233.204	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.87.183	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.214.175	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.57.2	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.109.83	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.184.76	unknown	Bulgaria	43561	NET1-ASBG	false
83.222.165.137	unknown	Bulgaria	31037	WAVENETLB	false
83.222.118.253	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.212.94	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.213.65	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.60.62	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.1.147	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.15.195	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.104.103	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.19.12	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.108.160	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.76.48	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.199.144	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.145.130	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.140.91	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.184.65	unknown	Bulgaria	43561	NET1-ASBG	false
83.222.245.24	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.72.228	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.87.215	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.38.182	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.69.89	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.153.189	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.15.244	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.166.183	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.56.253	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.191.90	secure-network-rebirthltd.ru	Bulgaria	43561	NET1-ASBG	false
83.222.205.130	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.104.230	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.138.218	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.0.13	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.126.255	unknown	Russian Federation	47328	TRI-ASTrueRecordsIncES	false
83.222.53.223	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.119.109	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.114.171	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.252.160	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.241.195	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.180.122	unknown	Bulgaria	205872	EXTRANET-ASBG	false
83.222.144.235	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.241.48	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.242.15	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.96.196	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.75.11	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.118.229	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.78.12	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.102.158	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.151.133	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.92.26	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.94.45	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.9.142	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.248.165	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.107.246	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.8.110	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.59.238	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.63.95	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.185.126	unknown	Bulgaria	43561	NET1-ASBG	false
83.222.24.198	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.93.115	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.166.158	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.188.35	unknown	Bulgaria	43561	NET1-ASBG	false
83.222.132.160	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.183.52	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.50.111	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.245.64	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.167.18	unknown	Bulgaria	49040	KIG-UNISAT-TVBG	false
83.222.245.140	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.26.79	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.113.229	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.174.140	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.97.189	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.42.25	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.26.174	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.239.3	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.190.101	unknown	Bulgaria	43561	NET1-ASBG	false
83.222.145.163	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.138.133	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.141.39	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.143.217	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.22.43	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.167.1	unknown	Bulgaria	49040	KIG-UNISAT-TVBG	false
83.222.213.163	unknown	Russian Federation	25159	SONICDUO-ASRU	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
83.222.184.65	Kloki.arm7.elf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
secure-network-rebirthltd.ru	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.arm7.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.arm7.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.x86_64.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.191.90

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MASTERHOST-ASMoscowRussiaRU	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.27.129
	Kloki.arm7.elf	Get hash	malicious	Unknown	Browse	83.222.27.245
	rACq8Eaix6.exe	Get hash	malicious	FormBook	Browse	90.156.201.74
	frosty.x86.elf	Get hash	malicious	Mirai	Browse	90.156.234.102
	Kloki.arm7.elf	Get hash	malicious	Unknown	Browse	83.222.6.30
	Kloki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.18.36
	Kloki.x86_64.elf	Get hash	malicious	Unknown	Browse	83.222.30.186
	Kloki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.26.170
	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.4.239
	Kloki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.13.30
MASTERHOST-ASMoscowRussiaRU	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.27.129
	Kloki.arm7.elf	Get hash	malicious	Unknown	Browse	83.222.27.245
	rACq8Eaix6.exe	Get hash	malicious	FormBook	Browse	90.156.201.74
	frosty.x86.elf	Get hash	malicious	Mirai	Browse	90.156.234.102
	Kloki.arm7.elf	Get hash	malicious	Unknown	Browse	83.222.6.30
	Kloki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.18.36
	Kloki.x86_64.elf	Get hash	malicious	Unknown	Browse	83.222.30.186
	Kloki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.26.170
	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.4.239
	Kloki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.13.30
ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.78.154
	Kloki.arm7.elf	Get hash	malicious	Unknown	Browse	83.222.82.17
	Kloki.arm7.elf	Get hash	malicious	Unknown	Browse	83.222.70.81
	Kloki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.83.69
	Kloki.x86_64.elf	Get hash	malicious	Unknown	Browse	83.222.87.13
	Kloki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.68.210
	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.73.212
	Kloki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.89.90
	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.64.159
	skid.x86.elf	Get hash	malicious	Moobot	Browse	83.222.64.191

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, no section header
Entropy (8bit):	7.978501152570999
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	Kloki.arm4.elf
File size:	52'492 bytes
MD5:	b1f3a500f6313f6580d511bd121673fb
SHA1:	8551921306b456d3d31e61768e125e235f3d691e
SHA256:	04773b2be8239ff774f0549a81559504c1dcdd4556c3aa8a28a77b285e02348b
SHA512:	a3dda12bb35abe16202f086834c5a1bfeb3bb2084fa0df8d4d0e73caa0011452513db507b8b1c1b345dc9349eaec494ed5e3a3cf699135963ad033f5e365c081
SSDEEP:	768:Rhlj99J7ZaMOB6RIwqD2z896wloUQoC9KUq0LxtkZQ9HfK53UGR:Rhlx9J7ZaMOBcqD2zMNloUTCwUqstEZR
TLSH:	113302E11E42D9F0D7394D39F15D929ED7561EBCD0A1B03B220882407B8253FAACE5AB
File Content Preview:	.ELF...a..........(.....d:..4...........4. ...(.....................................................................Q.td............................\...sfga........`...`.......S..........?.E.h;.}...^..........f?..S......{.#yq...><.N.=....m..G.\|.v.........

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	ARM - ABI
ABI Version:	0
Entry Point Address:	0x43a64
Flags:	0x202
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0x8000	0x8000	0x1000	0x2edbc	7.8919	0x6	RW	0x8000
LOAD	0x0	0x38000	0x38000	0xcc13	0xcc13	7.9798	0x5	R E	0x8000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-14T17:05:46.793673+0100	2500034	ET COMPROMISED Known Compromised or Hostile Host Traffic group 18	2	83.222.191.90	13566	192.168.2.14	56532	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 17:05:46.356303930 CET	44418	13566	192.168.2.14	83.222.42.25
Jan 14, 2025 17:05:46.361994982 CET	13566	44418	83.222.42.25	192.168.2.14
Jan 14, 2025 17:05:46.362047911 CET	44418	13566	192.168.2.14	83.222.42.25
Jan 14, 2025 17:05:46.363142967 CET	44418	13566	192.168.2.14	83.222.42.25
Jan 14, 2025 17:05:46.368622065 CET	13566	44418	83.222.42.25	192.168.2.14
Jan 14, 2025 17:05:46.368663073 CET	44418	13566	192.168.2.14	83.222.42.25
Jan 14, 2025 17:05:46.377497911 CET	56394	13566	192.168.2.14	83.222.186.220
Jan 14, 2025 17:05:46.381254911 CET	35422	13566	192.168.2.14	83.222.145.130
Jan 14, 2025 17:05:46.382534981 CET	41850	13566	192.168.2.14	83.222.71.157
Jan 14, 2025 17:05:46.382687092 CET	13566	56394	83.222.186.220	192.168.2.14
Jan 14, 2025 17:05:46.382733107 CET	56394	13566	192.168.2.14	83.222.186.220
Jan 14, 2025 17:05:46.386552095 CET	13566	35422	83.222.145.130	192.168.2.14
Jan 14, 2025 17:05:46.386601925 CET	35422	13566	192.168.2.14	83.222.145.130
Jan 14, 2025 17:05:46.387671947 CET	13566	41850	83.222.71.157	192.168.2.14
Jan 14, 2025 17:05:46.387706041 CET	41850	13566	192.168.2.14	83.222.71.157
Jan 14, 2025 17:05:46.395334959 CET	48112	13566	192.168.2.14	83.222.15.195
Jan 14, 2025 17:05:46.398016930 CET	39990	13566	192.168.2.14	83.222.166.183
Jan 14, 2025 17:05:46.400376081 CET	37770	13566	192.168.2.14	83.222.50.111
Jan 14, 2025 17:05:46.400866985 CET	13566	48112	83.222.15.195	192.168.2.14
Jan 14, 2025 17:05:46.400911093 CET	48112	13566	192.168.2.14	83.222.15.195
Jan 14, 2025 17:05:46.402818918 CET	13566	39990	83.222.166.183	192.168.2.14
Jan 14, 2025 17:05:46.402864933 CET	39990	13566	192.168.2.14	83.222.166.183
Jan 14, 2025 17:05:46.402978897 CET	43808	13566	192.168.2.14	83.222.87.183
Jan 14, 2025 17:05:46.406043053 CET	43900	13566	192.168.2.14	83.222.0.13
Jan 14, 2025 17:05:46.406177044 CET	13566	37770	83.222.50.111	192.168.2.14
Jan 14, 2025 17:05:46.406207085 CET	37770	13566	192.168.2.14	83.222.50.111
Jan 14, 2025 17:05:46.407699108 CET	13566	43808	83.222.87.183	192.168.2.14
Jan 14, 2025 17:05:46.407732010 CET	43808	13566	192.168.2.14	83.222.87.183
Jan 14, 2025 17:05:46.409863949 CET	38756	13566	192.168.2.14	83.222.22.43
Jan 14, 2025 17:05:46.410878897 CET	13566	43900	83.222.0.13	192.168.2.14
Jan 14, 2025 17:05:46.410908937 CET	43900	13566	192.168.2.14	83.222.0.13
Jan 14, 2025 17:05:46.413469076 CET	55124	13566	192.168.2.14	83.222.252.160
Jan 14, 2025 17:05:46.414638996 CET	13566	38756	83.222.22.43	192.168.2.14
Jan 14, 2025 17:05:46.414691925 CET	38756	13566	192.168.2.14	83.222.22.43
Jan 14, 2025 17:05:46.416843891 CET	46234	13566	192.168.2.14	83.222.199.144
Jan 14, 2025 17:05:46.418940067 CET	13566	55124	83.222.252.160	192.168.2.14
Jan 14, 2025 17:05:46.418975115 CET	55124	13566	192.168.2.14	83.222.252.160
Jan 14, 2025 17:05:46.420260906 CET	40108	13566	192.168.2.14	83.222.185.126
Jan 14, 2025 17:05:46.421932936 CET	13566	46234	83.222.199.144	192.168.2.14
Jan 14, 2025 17:05:46.421973944 CET	46234	13566	192.168.2.14	83.222.199.144
Jan 14, 2025 17:05:46.423957109 CET	40058	13566	192.168.2.14	83.222.241.195
Jan 14, 2025 17:05:46.425297022 CET	13566	40108	83.222.185.126	192.168.2.14
Jan 14, 2025 17:05:46.425355911 CET	40108	13566	192.168.2.14	83.222.185.126
Jan 14, 2025 17:05:46.428625107 CET	51738	13566	192.168.2.14	83.222.97.189
Jan 14, 2025 17:05:46.428714037 CET	13566	40058	83.222.241.195	192.168.2.14
Jan 14, 2025 17:05:46.428755999 CET	40058	13566	192.168.2.14	83.222.241.195
Jan 14, 2025 17:05:46.431961060 CET	59710	13566	192.168.2.14	83.222.245.140
Jan 14, 2025 17:05:46.434067011 CET	13566	51738	83.222.97.189	192.168.2.14
Jan 14, 2025 17:05:46.434112072 CET	51738	13566	192.168.2.14	83.222.97.189
Jan 14, 2025 17:05:46.435348988 CET	57602	13566	192.168.2.14	83.222.214.175
Jan 14, 2025 17:05:46.437124968 CET	13566	59710	83.222.245.140	192.168.2.14
Jan 14, 2025 17:05:46.437160015 CET	59710	13566	192.168.2.14	83.222.245.140
Jan 14, 2025 17:05:46.437170029 CET	59526	13566	192.168.2.14	83.222.104.103
Jan 14, 2025 17:05:46.440892935 CET	13566	57602	83.222.214.175	192.168.2.14
Jan 14, 2025 17:05:46.440937996 CET	57602	13566	192.168.2.14	83.222.214.175
Jan 14, 2025 17:05:46.441910028 CET	37964	13566	192.168.2.14	83.222.49.175
Jan 14, 2025 17:05:46.442344904 CET	13566	59526	83.222.104.103	192.168.2.14
Jan 14, 2025 17:05:46.442382097 CET	59526	13566	192.168.2.14	83.222.104.103
Jan 14, 2025 17:05:46.444565058 CET	38924	13566	192.168.2.14	83.222.4.65
Jan 14, 2025 17:05:46.446655035 CET	13566	37964	83.222.49.175	192.168.2.14
Jan 14, 2025 17:05:46.446695089 CET	37964	13566	192.168.2.14	83.222.49.175
Jan 14, 2025 17:05:46.449297905 CET	13566	38924	83.222.4.65	192.168.2.14
Jan 14, 2025 17:05:46.449340105 CET	38924	13566	192.168.2.14	83.222.4.65
Jan 14, 2025 17:05:46.449852943 CET	54960	13566	192.168.2.14	83.222.114.171
Jan 14, 2025 17:05:46.451986074 CET	55108	13566	192.168.2.14	83.222.248.165
Jan 14, 2025 17:05:46.453471899 CET	46936	13566	192.168.2.14	83.222.26.79
Jan 14, 2025 17:05:46.454658985 CET	13566	54960	83.222.114.171	192.168.2.14
Jan 14, 2025 17:05:46.454727888 CET	54960	13566	192.168.2.14	83.222.114.171
Jan 14, 2025 17:05:46.457051039 CET	13566	55108	83.222.248.165	192.168.2.14
Jan 14, 2025 17:05:46.457115889 CET	55108	13566	192.168.2.14	83.222.248.165
Jan 14, 2025 17:05:46.458414078 CET	13566	46936	83.222.26.79	192.168.2.14
Jan 14, 2025 17:05:46.458461046 CET	46936	13566	192.168.2.14	83.222.26.79
Jan 14, 2025 17:05:46.473284960 CET	46936	13566	192.168.2.14	83.222.26.79
Jan 14, 2025 17:05:46.474602938 CET	41652	13566	192.168.2.14	83.222.92.26
Jan 14, 2025 17:05:46.476339102 CET	47044	13566	192.168.2.14	83.222.93.115
Jan 14, 2025 17:05:46.478982925 CET	13566	46936	83.222.26.79	192.168.2.14
Jan 14, 2025 17:05:46.479043961 CET	46936	13566	192.168.2.14	83.222.26.79
Jan 14, 2025 17:05:46.479387999 CET	13566	41652	83.222.92.26	192.168.2.14
Jan 14, 2025 17:05:46.479439974 CET	41652	13566	192.168.2.14	83.222.92.26
Jan 14, 2025 17:05:46.481182098 CET	13566	47044	83.222.93.115	192.168.2.14
Jan 14, 2025 17:05:46.481224060 CET	47044	13566	192.168.2.14	83.222.93.115
Jan 14, 2025 17:05:46.481286049 CET	47044	13566	192.168.2.14	83.222.93.115
Jan 14, 2025 17:05:46.483290911 CET	43830	13566	192.168.2.14	83.222.69.89
Jan 14, 2025 17:05:46.486591101 CET	13566	47044	83.222.93.115	192.168.2.14
Jan 14, 2025 17:05:46.486639023 CET	47044	13566	192.168.2.14	83.222.93.115
Jan 14, 2025 17:05:46.487514019 CET	43552	13566	192.168.2.14	83.222.19.12
Jan 14, 2025 17:05:46.488084078 CET	13566	43830	83.222.69.89	192.168.2.14
Jan 14, 2025 17:05:46.488141060 CET	43830	13566	192.168.2.14	83.222.69.89
Jan 14, 2025 17:05:46.491044998 CET	42186	13566	192.168.2.14	83.222.233.204
Jan 14, 2025 17:05:46.492331028 CET	13566	43552	83.222.19.12	192.168.2.14
Jan 14, 2025 17:05:46.492384911 CET	43552	13566	192.168.2.14	83.222.19.12
Jan 14, 2025 17:05:46.493817091 CET	39530	13566	192.168.2.14	83.222.138.218
Jan 14, 2025 17:05:46.496248007 CET	45588	13566	192.168.2.14	83.222.144.235
Jan 14, 2025 17:05:46.496376038 CET	13566	42186	83.222.233.204	192.168.2.14
Jan 14, 2025 17:05:46.496423960 CET	42186	13566	192.168.2.14	83.222.233.204
Jan 14, 2025 17:05:46.498452902 CET	43794	13566	192.168.2.14	83.222.151.133
Jan 14, 2025 17:05:46.500329971 CET	13566	39530	83.222.138.218	192.168.2.14
Jan 14, 2025 17:05:46.500369072 CET	39530	13566	192.168.2.14	83.222.138.218
Jan 14, 2025 17:05:46.500957966 CET	35930	13566	192.168.2.14	83.222.119.109
Jan 14, 2025 17:05:46.502212048 CET	45814	13566	192.168.2.14	83.222.53.223
Jan 14, 2025 17:05:46.503684044 CET	13566	45588	83.222.144.235	192.168.2.14
Jan 14, 2025 17:05:46.503732920 CET	45588	13566	192.168.2.14	83.222.144.235
Jan 14, 2025 17:05:46.505525112 CET	44126	13566	192.168.2.14	83.222.212.102
Jan 14, 2025 17:05:46.505532026 CET	13566	43794	83.222.151.133	192.168.2.14
Jan 14, 2025 17:05:46.505584002 CET	43794	13566	192.168.2.14	83.222.151.133
Jan 14, 2025 17:05:46.508274078 CET	13566	35930	83.222.119.109	192.168.2.14
Jan 14, 2025 17:05:46.508320093 CET	35930	13566	192.168.2.14	83.222.119.109
Jan 14, 2025 17:05:46.508558989 CET	13566	45814	83.222.53.223	192.168.2.14
Jan 14, 2025 17:05:46.508595943 CET	45814	13566	192.168.2.14	83.222.53.223
Jan 14, 2025 17:05:46.509324074 CET	58610	13566	192.168.2.14	83.222.143.217
Jan 14, 2025 17:05:46.511502981 CET	13566	44126	83.222.212.102	192.168.2.14
Jan 14, 2025 17:05:46.511540890 CET	44126	13566	192.168.2.14	83.222.212.102
Jan 14, 2025 17:05:46.511796951 CET	44972	13566	192.168.2.14	83.222.167.1
Jan 14, 2025 17:05:46.514379978 CET	49228	13566	192.168.2.14	83.222.132.160
Jan 14, 2025 17:05:46.515348911 CET	13566	58610	83.222.143.217	192.168.2.14
Jan 14, 2025 17:05:46.515388966 CET	58610	13566	192.168.2.14	83.222.143.217
Jan 14, 2025 17:05:46.516818047 CET	53980	13566	192.168.2.14	83.222.166.158
Jan 14, 2025 17:05:46.517311096 CET	13566	44972	83.222.167.1	192.168.2.14
Jan 14, 2025 17:05:46.517349958 CET	44972	13566	192.168.2.14	83.222.167.1
Jan 14, 2025 17:05:46.519361019 CET	49334	13566	192.168.2.14	83.222.239.3
Jan 14, 2025 17:05:46.520057917 CET	13566	49228	83.222.132.160	192.168.2.14
Jan 14, 2025 17:05:46.520098925 CET	49228	13566	192.168.2.14	83.222.132.160
Jan 14, 2025 17:05:46.522557974 CET	51802	13566	192.168.2.14	83.222.184.76
Jan 14, 2025 17:05:46.523451090 CET	13566	53980	83.222.166.158	192.168.2.14
Jan 14, 2025 17:05:46.523495913 CET	53980	13566	192.168.2.14	83.222.166.158
Jan 14, 2025 17:05:46.525588036 CET	13566	49334	83.222.239.3	192.168.2.14
Jan 14, 2025 17:05:46.525628090 CET	49334	13566	192.168.2.14	83.222.239.3
Jan 14, 2025 17:05:46.527935982 CET	46320	13566	192.168.2.14	83.222.118.253
Jan 14, 2025 17:05:46.529495955 CET	13566	51802	83.222.184.76	192.168.2.14
Jan 14, 2025 17:05:46.529534101 CET	51802	13566	192.168.2.14	83.222.184.76
Jan 14, 2025 17:05:46.531320095 CET	46958	13566	192.168.2.14	83.222.165.137
Jan 14, 2025 17:05:46.533366919 CET	13566	46320	83.222.118.253	192.168.2.14
Jan 14, 2025 17:05:46.533406019 CET	46320	13566	192.168.2.14	83.222.118.253
Jan 14, 2025 17:05:46.534394026 CET	59142	13566	192.168.2.14	83.222.9.142
Jan 14, 2025 17:05:46.537067890 CET	53646	13566	192.168.2.14	83.222.86.147
Jan 14, 2025 17:05:46.537327051 CET	13566	46958	83.222.165.137	192.168.2.14
Jan 14, 2025 17:05:46.537359953 CET	46958	13566	192.168.2.14	83.222.165.137
Jan 14, 2025 17:05:46.539350033 CET	13566	59142	83.222.9.142	192.168.2.14
Jan 14, 2025 17:05:46.539388895 CET	59142	13566	192.168.2.14	83.222.9.142
Jan 14, 2025 17:05:46.539729118 CET	52198	13566	192.168.2.14	83.222.104.230
Jan 14, 2025 17:05:46.541822910 CET	13566	53646	83.222.86.147	192.168.2.14
Jan 14, 2025 17:05:46.541862965 CET	53646	13566	192.168.2.14	83.222.86.147
Jan 14, 2025 17:05:46.542383909 CET	57998	13566	192.168.2.14	83.222.126.255
Jan 14, 2025 17:05:46.544470072 CET	13566	52198	83.222.104.230	192.168.2.14
Jan 14, 2025 17:05:46.544507980 CET	52198	13566	192.168.2.14	83.222.104.230
Jan 14, 2025 17:05:46.544945002 CET	44760	13566	192.168.2.14	83.222.107.246
Jan 14, 2025 17:05:46.547610044 CET	33808	13566	192.168.2.14	83.222.108.160
Jan 14, 2025 17:05:46.548562050 CET	13566	57998	83.222.126.255	192.168.2.14
Jan 14, 2025 17:05:46.548612118 CET	57998	13566	192.168.2.14	83.222.126.255
Jan 14, 2025 17:05:46.549685001 CET	13566	44760	83.222.107.246	192.168.2.14
Jan 14, 2025 17:05:46.549727917 CET	44760	13566	192.168.2.14	83.222.107.246
Jan 14, 2025 17:05:46.549866915 CET	36864	13566	192.168.2.14	83.222.213.65
Jan 14, 2025 17:05:46.552351952 CET	45506	13566	192.168.2.14	83.222.7.100
Jan 14, 2025 17:05:46.552423000 CET	13566	33808	83.222.108.160	192.168.2.14
Jan 14, 2025 17:05:46.552473068 CET	33808	13566	192.168.2.14	83.222.108.160
Jan 14, 2025 17:05:46.555138111 CET	13566	36864	83.222.213.65	192.168.2.14
Jan 14, 2025 17:05:46.555176020 CET	36864	13566	192.168.2.14	83.222.213.65
Jan 14, 2025 17:05:46.555404902 CET	45578	13566	192.168.2.14	83.222.26.174
Jan 14, 2025 17:05:46.557097912 CET	13566	45506	83.222.7.100	192.168.2.14
Jan 14, 2025 17:05:46.557132006 CET	45506	13566	192.168.2.14	83.222.7.100
Jan 14, 2025 17:05:46.558330059 CET	36918	13566	192.168.2.14	83.222.102.158
Jan 14, 2025 17:05:46.560158968 CET	13566	45578	83.222.26.174	192.168.2.14
Jan 14, 2025 17:05:46.560198069 CET	45578	13566	192.168.2.14	83.222.26.174
Jan 14, 2025 17:05:46.560864925 CET	51876	13566	192.168.2.14	83.222.78.12
Jan 14, 2025 17:05:46.562268019 CET	54180	13566	192.168.2.14	83.222.60.62
Jan 14, 2025 17:05:46.563179016 CET	13566	36918	83.222.102.158	192.168.2.14
Jan 14, 2025 17:05:46.563215017 CET	36918	13566	192.168.2.14	83.222.102.158
Jan 14, 2025 17:05:46.566360950 CET	56718	13566	192.168.2.14	83.222.15.244
Jan 14, 2025 17:05:46.566905022 CET	13566	51876	83.222.78.12	192.168.2.14
Jan 14, 2025 17:05:46.566941977 CET	51876	13566	192.168.2.14	83.222.78.12
Jan 14, 2025 17:05:46.568639994 CET	13566	54180	83.222.60.62	192.168.2.14
Jan 14, 2025 17:05:46.568686962 CET	54180	13566	192.168.2.14	83.222.60.62
Jan 14, 2025 17:05:46.570111036 CET	54610	13566	192.168.2.14	83.222.138.133
Jan 14, 2025 17:05:46.572504997 CET	13566	56718	83.222.15.244	192.168.2.14
Jan 14, 2025 17:05:46.572536945 CET	56718	13566	192.168.2.14	83.222.15.244
Jan 14, 2025 17:05:46.573772907 CET	53008	13566	192.168.2.14	83.222.241.48
Jan 14, 2025 17:05:46.576812983 CET	38316	13566	192.168.2.14	83.222.15.250
Jan 14, 2025 17:05:46.577533960 CET	13566	54610	83.222.138.133	192.168.2.14
Jan 14, 2025 17:05:46.577570915 CET	54610	13566	192.168.2.14	83.222.138.133
Jan 14, 2025 17:05:46.580636024 CET	40570	13566	192.168.2.14	83.222.190.101
Jan 14, 2025 17:05:46.580899000 CET	13566	53008	83.222.241.48	192.168.2.14
Jan 14, 2025 17:05:46.580931902 CET	53008	13566	192.168.2.14	83.222.241.48
Jan 14, 2025 17:05:46.583558083 CET	33022	13566	192.168.2.14	83.222.141.39
Jan 14, 2025 17:05:46.584408045 CET	13566	38316	83.222.15.250	192.168.2.14
Jan 14, 2025 17:05:46.584439993 CET	38316	13566	192.168.2.14	83.222.15.250
Jan 14, 2025 17:05:46.587397099 CET	33176	13566	192.168.2.14	83.222.75.11
Jan 14, 2025 17:05:46.588002920 CET	13566	40570	83.222.190.101	192.168.2.14
Jan 14, 2025 17:05:46.588042021 CET	40570	13566	192.168.2.14	83.222.190.101
Jan 14, 2025 17:05:46.590763092 CET	53636	13566	192.168.2.14	83.222.38.182
Jan 14, 2025 17:05:46.590871096 CET	13566	33022	83.222.141.39	192.168.2.14
Jan 14, 2025 17:05:46.590909004 CET	33022	13566	192.168.2.14	83.222.141.39
Jan 14, 2025 17:05:46.595051050 CET	13566	33176	83.222.75.11	192.168.2.14
Jan 14, 2025 17:05:46.595098972 CET	33176	13566	192.168.2.14	83.222.75.11
Jan 14, 2025 17:05:46.595599890 CET	41244	13566	192.168.2.14	83.222.1.147
Jan 14, 2025 17:05:46.598520994 CET	13566	53636	83.222.38.182	192.168.2.14
Jan 14, 2025 17:05:46.598567963 CET	53636	13566	192.168.2.14	83.222.38.182
Jan 14, 2025 17:05:46.598584890 CET	47658	13566	192.168.2.14	83.222.87.215
Jan 14, 2025 17:05:46.602263927 CET	54972	13566	192.168.2.14	83.222.212.94
Jan 14, 2025 17:05:46.602433920 CET	13566	41244	83.222.1.147	192.168.2.14
Jan 14, 2025 17:05:46.602467060 CET	41244	13566	192.168.2.14	83.222.1.147
Jan 14, 2025 17:05:46.604981899 CET	13566	47658	83.222.87.215	192.168.2.14
Jan 14, 2025 17:05:46.605030060 CET	47658	13566	192.168.2.14	83.222.87.215
Jan 14, 2025 17:05:46.605360985 CET	51152	13566	192.168.2.14	83.222.59.238
Jan 14, 2025 17:05:46.609426022 CET	45820	13566	192.168.2.14	83.222.12.161
Jan 14, 2025 17:05:46.609838963 CET	13566	54972	83.222.212.94	192.168.2.14
Jan 14, 2025 17:05:46.609888077 CET	54972	13566	192.168.2.14	83.222.212.94
Jan 14, 2025 17:05:46.612854958 CET	13566	51152	83.222.59.238	192.168.2.14
Jan 14, 2025 17:05:46.612927914 CET	57442	13566	192.168.2.14	83.222.140.91
Jan 14, 2025 17:05:46.612931013 CET	51152	13566	192.168.2.14	83.222.59.238
Jan 14, 2025 17:05:46.617010117 CET	13566	45820	83.222.12.161	192.168.2.14
Jan 14, 2025 17:05:46.617059946 CET	45820	13566	192.168.2.14	83.222.12.161
Jan 14, 2025 17:05:46.617181063 CET	44476	13566	192.168.2.14	83.222.174.200
Jan 14, 2025 17:05:46.620630980 CET	13566	57442	83.222.140.91	192.168.2.14
Jan 14, 2025 17:05:46.620660067 CET	60630	13566	192.168.2.14	83.222.153.189
Jan 14, 2025 17:05:46.620676041 CET	57442	13566	192.168.2.14	83.222.140.91
Jan 14, 2025 17:05:46.624756098 CET	13566	44476	83.222.174.200	192.168.2.14
Jan 14, 2025 17:05:46.624819994 CET	44476	13566	192.168.2.14	83.222.174.200
Jan 14, 2025 17:05:46.625014067 CET	58448	13566	192.168.2.14	83.222.188.35
Jan 14, 2025 17:05:46.628134966 CET	13566	60630	83.222.153.189	192.168.2.14
Jan 14, 2025 17:05:46.628177881 CET	60630	13566	192.168.2.14	83.222.153.189
Jan 14, 2025 17:05:46.628335953 CET	37108	13566	192.168.2.14	83.222.67.173
Jan 14, 2025 17:05:46.632386923 CET	13566	58448	83.222.188.35	192.168.2.14
Jan 14, 2025 17:05:46.632488012 CET	58448	13566	192.168.2.14	83.222.188.35
Jan 14, 2025 17:05:46.632870913 CET	59770	13566	192.168.2.14	83.222.83.82
Jan 14, 2025 17:05:46.635890007 CET	13566	37108	83.222.67.173	192.168.2.14
Jan 14, 2025 17:05:46.635972023 CET	37108	13566	192.168.2.14	83.222.67.173
Jan 14, 2025 17:05:46.637821913 CET	52102	13566	192.168.2.14	83.222.167.18
Jan 14, 2025 17:05:46.640537977 CET	13566	59770	83.222.83.82	192.168.2.14
Jan 14, 2025 17:05:46.640593052 CET	59770	13566	192.168.2.14	83.222.83.82
Jan 14, 2025 17:05:46.643364906 CET	42594	13566	192.168.2.14	83.222.183.52
Jan 14, 2025 17:05:46.643589973 CET	13566	52102	83.222.167.18	192.168.2.14
Jan 14, 2025 17:05:46.643639088 CET	52102	13566	192.168.2.14	83.222.167.18
Jan 14, 2025 17:05:46.647067070 CET	43372	13566	192.168.2.14	83.222.57.2
Jan 14, 2025 17:05:46.649512053 CET	13566	42594	83.222.183.52	192.168.2.14
Jan 14, 2025 17:05:46.649594069 CET	42594	13566	192.168.2.14	83.222.183.52
Jan 14, 2025 17:05:46.652362108 CET	46808	13566	192.168.2.14	83.222.63.95
Jan 14, 2025 17:05:46.653666973 CET	13566	43372	83.222.57.2	192.168.2.14
Jan 14, 2025 17:05:46.653709888 CET	43372	13566	192.168.2.14	83.222.57.2
Jan 14, 2025 17:05:46.656383991 CET	42618	13566	192.168.2.14	83.222.184.65
Jan 14, 2025 17:05:46.658668041 CET	13566	46808	83.222.63.95	192.168.2.14
Jan 14, 2025 17:05:46.658719063 CET	46808	13566	192.168.2.14	83.222.63.95
Jan 14, 2025 17:05:46.661514044 CET	35218	13566	192.168.2.14	83.222.242.15
Jan 14, 2025 17:05:46.663664103 CET	13566	42618	83.222.184.65	192.168.2.14
Jan 14, 2025 17:05:46.663713932 CET	42618	13566	192.168.2.14	83.222.184.65
Jan 14, 2025 17:05:46.666277885 CET	36138	13566	192.168.2.14	83.222.24.198
Jan 14, 2025 17:05:46.669187069 CET	13566	35218	83.222.242.15	192.168.2.14
Jan 14, 2025 17:05:46.669235945 CET	35218	13566	192.168.2.14	83.222.242.15
Jan 14, 2025 17:05:46.671866894 CET	59888	13566	192.168.2.14	83.222.109.83
Jan 14, 2025 17:05:46.673546076 CET	13566	36138	83.222.24.198	192.168.2.14
Jan 14, 2025 17:05:46.673607111 CET	36138	13566	192.168.2.14	83.222.24.198
Jan 14, 2025 17:05:46.676429987 CET	36480	13566	192.168.2.14	83.222.180.122
Jan 14, 2025 17:05:46.676634073 CET	13566	59888	83.222.109.83	192.168.2.14
Jan 14, 2025 17:05:46.676709890 CET	59888	13566	192.168.2.14	83.222.109.83
Jan 14, 2025 17:05:46.681776047 CET	49230	13566	192.168.2.14	83.222.245.64
Jan 14, 2025 17:05:46.682765961 CET	13566	36480	83.222.180.122	192.168.2.14
Jan 14, 2025 17:05:46.682832956 CET	36480	13566	192.168.2.14	83.222.180.122
Jan 14, 2025 17:05:46.686506033 CET	56368	13566	192.168.2.14	83.222.213.163
Jan 14, 2025 17:05:46.687794924 CET	13566	49230	83.222.245.64	192.168.2.14
Jan 14, 2025 17:05:46.687835932 CET	49230	13566	192.168.2.14	83.222.245.64
Jan 14, 2025 17:05:46.691958904 CET	40420	13566	192.168.2.14	83.222.8.110
Jan 14, 2025 17:05:46.692799091 CET	13566	56368	83.222.213.163	192.168.2.14
Jan 14, 2025 17:05:46.692848921 CET	56368	13566	192.168.2.14	83.222.213.163
Jan 14, 2025 17:05:46.696219921 CET	53138	13566	192.168.2.14	83.222.96.196
Jan 14, 2025 17:05:46.697724104 CET	13566	40420	83.222.8.110	192.168.2.14
Jan 14, 2025 17:05:46.697788954 CET	40420	13566	192.168.2.14	83.222.8.110
Jan 14, 2025 17:05:46.701925039 CET	35048	13566	192.168.2.14	83.222.145.163
Jan 14, 2025 17:05:46.702393055 CET	13566	53138	83.222.96.196	192.168.2.14
Jan 14, 2025 17:05:46.702450991 CET	53138	13566	192.168.2.14	83.222.96.196
Jan 14, 2025 17:05:46.706283092 CET	35332	13566	192.168.2.14	83.222.113.229
Jan 14, 2025 17:05:46.707727909 CET	13566	35048	83.222.145.163	192.168.2.14
Jan 14, 2025 17:05:46.707791090 CET	35048	13566	192.168.2.14	83.222.145.163
Jan 14, 2025 17:05:46.711108923 CET	13566	35332	83.222.113.229	192.168.2.14
Jan 14, 2025 17:05:46.711153984 CET	35332	13566	192.168.2.14	83.222.113.229
Jan 14, 2025 17:05:46.711944103 CET	55652	13566	192.168.2.14	83.222.245.24
Jan 14, 2025 17:05:46.716285944 CET	56104	13566	192.168.2.14	83.222.247.172
Jan 14, 2025 17:05:46.716773987 CET	13566	55652	83.222.245.24	192.168.2.14
Jan 14, 2025 17:05:46.716828108 CET	55652	13566	192.168.2.14	83.222.245.24
Jan 14, 2025 17:05:46.721088886 CET	13566	56104	83.222.247.172	192.168.2.14
Jan 14, 2025 17:05:46.721131086 CET	56104	13566	192.168.2.14	83.222.247.172
Jan 14, 2025 17:05:46.722064972 CET	47992	13566	192.168.2.14	83.222.76.48
Jan 14, 2025 17:05:46.726185083 CET	52660	13566	192.168.2.14	83.222.174.140
Jan 14, 2025 17:05:46.726953030 CET	13566	47992	83.222.76.48	192.168.2.14
Jan 14, 2025 17:05:46.727035999 CET	47992	13566	192.168.2.14	83.222.76.48
Jan 14, 2025 17:05:46.731013060 CET	13566	52660	83.222.174.140	192.168.2.14
Jan 14, 2025 17:05:46.731362104 CET	52660	13566	192.168.2.14	83.222.174.140
Jan 14, 2025 17:05:46.732182026 CET	56176	13566	192.168.2.14	83.222.143.103
Jan 14, 2025 17:05:46.736999035 CET	13566	56176	83.222.143.103	192.168.2.14
Jan 14, 2025 17:05:46.737051010 CET	56176	13566	192.168.2.14	83.222.143.103
Jan 14, 2025 17:05:46.738101006 CET	45746	13566	192.168.2.14	83.222.205.130
Jan 14, 2025 17:05:46.743052006 CET	13566	45746	83.222.205.130	192.168.2.14
Jan 14, 2025 17:05:46.743161917 CET	45746	13566	192.168.2.14	83.222.205.130
Jan 14, 2025 17:05:46.743722916 CET	57498	13566	192.168.2.14	83.222.118.229
Jan 14, 2025 17:05:46.748526096 CET	13566	57498	83.222.118.229	192.168.2.14
Jan 14, 2025 17:05:46.748589993 CET	57498	13566	192.168.2.14	83.222.118.229
Jan 14, 2025 17:05:46.767393112 CET	57498	13566	192.168.2.14	83.222.118.229
Jan 14, 2025 17:05:46.769370079 CET	40002	13566	192.168.2.14	83.222.72.228
Jan 14, 2025 17:05:46.772339106 CET	13566	57498	83.222.118.229	192.168.2.14
Jan 14, 2025 17:05:46.772383928 CET	57498	13566	192.168.2.14	83.222.118.229
Jan 14, 2025 17:05:46.772845030 CET	46726	13566	192.168.2.14	83.222.56.253
Jan 14, 2025 17:05:46.774249077 CET	13566	40002	83.222.72.228	192.168.2.14
Jan 14, 2025 17:05:46.774816036 CET	40002	13566	192.168.2.14	83.222.72.228
Jan 14, 2025 17:05:46.777090073 CET	47992	13566	192.168.2.14	83.222.94.45
Jan 14, 2025 17:05:46.777667046 CET	13566	46726	83.222.56.253	192.168.2.14
Jan 14, 2025 17:05:46.777719975 CET	46726	13566	192.168.2.14	83.222.56.253
Jan 14, 2025 17:05:46.781948090 CET	13566	47992	83.222.94.45	192.168.2.14
Jan 14, 2025 17:05:46.781999111 CET	47992	13566	192.168.2.14	83.222.94.45
Jan 14, 2025 17:05:46.788811922 CET	56532	13566	192.168.2.14	83.222.191.90
Jan 14, 2025 17:05:46.793673038 CET	13566	56532	83.222.191.90	192.168.2.14
Jan 14, 2025 17:05:46.793845892 CET	56532	13566	192.168.2.14	83.222.191.90
Jan 14, 2025 17:05:46.795269966 CET	56532	13566	192.168.2.14	83.222.191.90
Jan 14, 2025 17:05:46.800076008 CET	13566	56532	83.222.191.90	192.168.2.14
Jan 14, 2025 17:05:46.800124884 CET	56532	13566	192.168.2.14	83.222.191.90
Jan 14, 2025 17:05:46.805135012 CET	13566	56532	83.222.191.90	192.168.2.14
Jan 14, 2025 17:05:56.805047989 CET	56532	13566	192.168.2.14	83.222.191.90
Jan 14, 2025 17:05:56.810722113 CET	13566	56532	83.222.191.90	192.168.2.14
Jan 14, 2025 17:05:57.015492916 CET	13566	56532	83.222.191.90	192.168.2.14
Jan 14, 2025 17:05:57.015549898 CET	56532	13566	192.168.2.14	83.222.191.90
Jan 14, 2025 17:05:57.390358925 CET	13566	56532	83.222.191.90	192.168.2.14
Jan 14, 2025 17:05:57.390559912 CET	56532	13566	192.168.2.14	83.222.191.90
Jan 14, 2025 17:06:57.426773071 CET	56532	13566	192.168.2.14	83.222.191.90
Jan 14, 2025 17:06:57.431652069 CET	13566	56532	83.222.191.90	192.168.2.14
Jan 14, 2025 17:06:57.638056993 CET	13566	56532	83.222.191.90	192.168.2.14
Jan 14, 2025 17:06:57.638181925 CET	56532	13566	192.168.2.14	83.222.191.90
Jan 14, 2025 17:06:59.408638000 CET	13566	56532	83.222.191.90	192.168.2.14
Jan 14, 2025 17:06:59.408751965 CET	56532	13566	192.168.2.14	83.222.191.90
Jan 14, 2025 17:06:59.409826040 CET	13566	56532	83.222.191.90	192.168.2.14
Jan 14, 2025 17:06:59.409861088 CET	56532	13566	192.168.2.14	83.222.191.90
Jan 14, 2025 17:06:59.411304951 CET	13566	56532	83.222.191.90	192.168.2.14
Jan 14, 2025 17:06:59.411340952 CET	56532	13566	192.168.2.14	83.222.191.90
Jan 14, 2025 17:06:59.411776066 CET	13566	56532	83.222.191.90	192.168.2.14
Jan 14, 2025 17:06:59.411812067 CET	56532	13566	192.168.2.14	83.222.191.90

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 17:05:46.781250954 CET	46244	53	192.168.2.14	8.8.8.8
Jan 14, 2025 17:05:46.787801027 CET	53	46244	8.8.8.8	192.168.2.14

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 17:05:46.781250954 CET	192.168.2.14	8.8.8.8	0xb556	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 17:05:46.787801027 CET	8.8.8.8	192.168.2.14	0xb556	No error (0)	secure-network-rebirthltd.ru		83.222.191.90	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: Kloki.arm4.elf PID: 5476, Parent PID: 5400

General

Start time (UTC):	16:05:44
Start date (UTC):	14/01/2025
Path:	/tmp/Kloki.arm4.elf
Arguments:	/tmp/Kloki.arm4.elf
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: Kloki.arm4.elf PID: 5478, Parent PID: 5476

General

Start time (UTC):	16:05:45
Start date (UTC):	14/01/2025
Path:	/tmp/Kloki.arm4.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: Kloki.arm4.elf PID: 5480, Parent PID: 5478

General

Start time (UTC):	16:05:45
Start date (UTC):	14/01/2025
Path:	/tmp/Kloki.arm4.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: Kloki.arm4.elf PID: 5482, Parent PID: 5478

General

Start time (UTC):	16:05:45
Start date (UTC):	14/01/2025
Path:	/tmp/Kloki.arm4.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: gnome-session-binary PID: 5484, Parent PID: 1383

General

Start time (UTC):	16:05:45
Start date (UTC):	14/01/2025
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5484, Parent PID: 1383

General

Start time (UTC):	16:05:45
Start date (UTC):	14/01/2025
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-sharing
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-sharing PID: 5484, Parent PID: 1383

General

Start time (UTC):	16:05:45
Start date (UTC):	14/01/2025
Path:	/usr/libexec/gsd-sharing
Arguments:	/usr/libexec/gsd-sharing
File size:	35424 bytes
MD5 hash:	e29d9025d98590fbb69f89fdbd4438b3

Chronological Activities

Analysis Process: gnome-session-binary PID: 5505, Parent PID: 1383

General

Start time (UTC):	16:05:45
Start date (UTC):	14/01/2025
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5505, Parent PID: 1383

General

Start time (UTC):	16:05:45
Start date (UTC):	14/01/2025
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/bin/gnome-shell
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gnome-shell PID: 5505, Parent PID: 1383

General

Start time (UTC):	16:05:45
Start date (UTC):	14/01/2025
Path:	/usr/bin/gnome-shell
Arguments:	/usr/bin/gnome-shell
File size:	23168 bytes
MD5 hash:	da7a257239677622fe4b3a65972c9e87

Chronological Activities

Analysis Process: gnome-session-binary PID: 5507, Parent PID: 1383

General

Start time (UTC):	16:05:45
Start date (UTC):	14/01/2025
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5507, Parent PID: 1383

General

Start time (UTC):	16:05:45
Start date (UTC):	14/01/2025
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-print-notifications
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-print-notifications PID: 5507, Parent PID: 1383

General

Start time (UTC):	16:05:45
Start date (UTC):	14/01/2025
Path:	/usr/libexec/gsd-print-notifications
Arguments:	/usr/libexec/gsd-print-notifications
File size:	51840 bytes
MD5 hash:	71539698aa691718cee775d6b9450ae2

Chronological Activities

Analysis Process: gnome-session-binary PID: 5508, Parent PID: 1383

General

Start time (UTC):	16:05:45
Start date (UTC):	14/01/2025
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5508, Parent PID: 1383

General

Start time (UTC):	16:05:45
Start date (UTC):	14/01/2025
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-rfkill PID: 5508, Parent PID: 1383

General

Start time (UTC):	16:05:45
Start date (UTC):	14/01/2025
Path:	/usr/libexec/gsd-rfkill
Arguments:	/usr/libexec/gsd-rfkill
File size:	51808 bytes
MD5 hash:	88a16a3c0aba1759358c06215ecfb5cc

Chronological Activities

Analysis Process: gdm3 PID: 5509, Parent PID: 1289

General

Start time (UTC):	16:05:45
Start date (UTC):	14/01/2025
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Chronological Activities

Analysis Process: Default PID: 5509, Parent PID: 1289

General

Start time (UTC):	16:05:45
Start date (UTC):	14/01/2025
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gdm3 PID: 5511, Parent PID: 1289

General

Start time (UTC):	16:05:45
Start date (UTC):	14/01/2025
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Chronological Activities

Analysis Process: Default PID: 5511, Parent PID: 1289

General

Start time (UTC):	16:05:45
Start date (UTC):	14/01/2025
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: systemd PID: 5522, Parent PID: 1

General

Start time (UTC):	16:05:55
Start date (UTC):	14/01/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: systemd-user-runtime-dir PID: 5522, Parent PID: 1

General

Start time (UTC):	16:05:55
Start date (UTC):	14/01/2025
Path:	/lib/systemd/systemd-user-runtime-dir
Arguments:	/lib/systemd/systemd-user-runtime-dir stop 127
File size:	22672 bytes
MD5 hash:	d55f4b0847f88131dbcfb07435178e54

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.
Tactics:	Impact
Data Sources:	Command: Command Execution, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Termination, Service: Service Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report Kloki.arm4.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: Kloki.arm4.elf PID: 5476, Parent PID: 5400

General

Chronological Activities

Analysis Process: Kloki.arm4.elf PID: 5478, Parent PID: 5476

General

Chronological Activities

Analysis Process: Kloki.arm4.elf PID: 5480, Parent PID: 5478

General

Chronological Activities

Analysis Process: Kloki.arm4.elf PID: 5482, Parent PID: 5478

General

Chronological Activities

Analysis Process: gnome-session-binary PID: 5484, Parent PID: 1383

General

Chronological Activities

Analysis Process: sh PID: 5484, Parent PID: 1383

General

Chronological Activities

Analysis Process: gsd-sharing PID: 5484, Parent PID: 1383

General

Chronological Activities

Analysis Process: gnome-session-binary PID: 5505, Parent PID: 1383

General

Chronological Activities

Linux Analysis Report
Kloki.arm4.elf