Edit tour

Linux Analysis Report
loki.sh4.elf

Overview

General Information

Sample name:	loki.sh4.elf
Analysis ID:	1594483
MD5:	9fdfb43e7c4271d64e9ae6171dc0e9f0
SHA1:	3f309312bb8d5d9450abcf81b19b5c2859c703aa
SHA256:	adc2214eb373c5df5625687dee512fb2c612fd0facb2abff822f2d0544359493
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Detected TCP or UDP traffic on non-standard ports

Sample has stripped symbol table

Sample listens on a socket

Suricata IDS alerts with low severity for network traffic

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1594483
Start date and time:	2025-01-19 03:01:01 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	loki.sh4.elf
Detection:	MAL
Classification:	mal48.linELF@0/0@1/0

Runtime Messages

Command:	/tmp/loki.sh4.elf
PID:	5433
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	suka
Standard Error:

Process Tree

system is lnxubuntu20

loki.sh4.elf (PID: 5433, Parent: 5356, MD5: 8943e5f8f8c280467b4472c15ae93ba9) Arguments: /tmp/loki.sh4.elf

loki.sh4.elf New Fork (PID: 5435, Parent: 5433)

loki.sh4.elf New Fork (PID: 5437, Parent: 5433)

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

ET COMPROMISED Known Compromised or Hostile Host Traffic group 18

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-19T03:01:41.493720+0100	2500034	2	Misc Attack	83.222.191.90	13566	192.168.2.13	42858	TCP

Joe Sandbox Signatures

• AV Detection
• Networking
• System Summary
• Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: loki.sh4.elf	Virustotal: Detection: 23%			Perma Link
Source: loki.sh4.elf	ReversingLabs: Detection: 23%

Source: global traffic	TCP traffic: 192.168.2.13:54812 -> 83.222.101.124:13566
Source: global traffic	TCP traffic: 192.168.2.13:34498 -> 83.222.72.227:13566
Source: global traffic	TCP traffic: 192.168.2.13:52638 -> 83.222.218.1:13566
Source: global traffic	TCP traffic: 192.168.2.13:53288 -> 83.222.89.179:13566
Source: global traffic	TCP traffic: 192.168.2.13:43260 -> 83.222.181.221:13566
Source: global traffic	TCP traffic: 192.168.2.13:38828 -> 83.222.144.175:13566
Source: global traffic	TCP traffic: 192.168.2.13:58394 -> 83.222.79.190:13566
Source: global traffic	TCP traffic: 192.168.2.13:34582 -> 83.222.179.8:13566
Source: global traffic	TCP traffic: 192.168.2.13:33864 -> 83.222.171.39:13566
Source: global traffic	TCP traffic: 192.168.2.13:57494 -> 83.222.218.90:13566
Source: global traffic	TCP traffic: 192.168.2.13:33464 -> 83.222.95.85:13566
Source: global traffic	TCP traffic: 192.168.2.13:43284 -> 83.222.151.192:13566
Source: global traffic	TCP traffic: 192.168.2.13:58664 -> 83.222.10.35:13566
Source: global traffic	TCP traffic: 192.168.2.13:53392 -> 83.222.178.168:13566
Source: global traffic	TCP traffic: 192.168.2.13:54048 -> 83.222.50.71:13566
Source: global traffic	TCP traffic: 192.168.2.13:33340 -> 83.222.165.151:13566
Source: global traffic	TCP traffic: 192.168.2.13:49678 -> 83.222.195.237:13566
Source: global traffic	TCP traffic: 192.168.2.13:57260 -> 83.222.122.157:13566
Source: global traffic	TCP traffic: 192.168.2.13:35698 -> 83.222.238.211:13566
Source: global traffic	TCP traffic: 192.168.2.13:53440 -> 83.222.81.164:13566
Source: global traffic	TCP traffic: 192.168.2.13:58224 -> 83.222.176.225:13566
Source: global traffic	TCP traffic: 192.168.2.13:46412 -> 83.222.83.0:13566
Source: global traffic	TCP traffic: 192.168.2.13:54186 -> 83.222.159.6:13566
Source: global traffic	TCP traffic: 192.168.2.13:34758 -> 83.222.8.74:13566
Source: global traffic	TCP traffic: 192.168.2.13:38952 -> 83.222.45.226:13566
Source: global traffic	TCP traffic: 192.168.2.13:58058 -> 83.222.165.140:13566
Source: global traffic	TCP traffic: 192.168.2.13:55668 -> 83.222.55.60:13566
Source: global traffic	TCP traffic: 192.168.2.13:42664 -> 83.222.77.65:13566
Source: global traffic	TCP traffic: 192.168.2.13:42804 -> 83.222.95.255:13566
Source: global traffic	TCP traffic: 192.168.2.13:50284 -> 83.222.233.145:13566
Source: global traffic	TCP traffic: 192.168.2.13:55490 -> 83.222.70.143:13566
Source: global traffic	TCP traffic: 192.168.2.13:42776 -> 83.222.41.9:13566
Source: global traffic	TCP traffic: 192.168.2.13:53380 -> 83.222.124.163:13566
Source: global traffic	TCP traffic: 192.168.2.13:41148 -> 83.222.166.107:13566
Source: global traffic	TCP traffic: 192.168.2.13:44260 -> 83.222.119.247:13566
Source: global traffic	TCP traffic: 192.168.2.13:44310 -> 83.222.15.39:13566
Source: global traffic	TCP traffic: 192.168.2.13:56370 -> 83.222.217.98:13566
Source: global traffic	TCP traffic: 192.168.2.13:47586 -> 83.222.39.120:13566
Source: global traffic	TCP traffic: 192.168.2.13:50252 -> 83.222.104.47:13566
Source: global traffic	TCP traffic: 192.168.2.13:60856 -> 83.222.195.150:13566
Source: global traffic	TCP traffic: 192.168.2.13:56260 -> 83.222.17.104:13566
Source: global traffic	TCP traffic: 192.168.2.13:35912 -> 83.222.34.72:13566
Source: global traffic	TCP traffic: 192.168.2.13:54564 -> 83.222.164.111:13566
Source: global traffic	TCP traffic: 192.168.2.13:36286 -> 83.222.137.3:13566
Source: global traffic	TCP traffic: 192.168.2.13:33582 -> 83.222.110.115:13566
Source: global traffic	TCP traffic: 192.168.2.13:55742 -> 83.222.149.180:13566
Source: global traffic	TCP traffic: 192.168.2.13:52694 -> 83.222.2.190:13566
Source: global traffic	TCP traffic: 192.168.2.13:47124 -> 83.222.189.126:13566
Source: global traffic	TCP traffic: 192.168.2.13:46586 -> 83.222.97.100:13566
Source: global traffic	TCP traffic: 192.168.2.13:55476 -> 83.222.233.216:13566
Source: global traffic	TCP traffic: 192.168.2.13:48584 -> 83.222.91.248:13566
Source: global traffic	TCP traffic: 192.168.2.13:55842 -> 83.222.0.52:13566
Source: global traffic	TCP traffic: 192.168.2.13:54590 -> 83.222.90.39:13566
Source: global traffic	TCP traffic: 192.168.2.13:50716 -> 83.222.173.195:13566
Source: global traffic	TCP traffic: 192.168.2.13:39556 -> 83.222.87.112:13566
Source: global traffic	TCP traffic: 192.168.2.13:60400 -> 83.222.89.104:13566
Source: global traffic	TCP traffic: 192.168.2.13:42612 -> 83.222.216.123:13566
Source: global traffic	TCP traffic: 192.168.2.13:41888 -> 83.222.177.124:13566
Source: global traffic	TCP traffic: 192.168.2.13:43366 -> 83.222.235.58:13566
Source: global traffic	TCP traffic: 192.168.2.13:45440 -> 83.222.127.89:13566
Source: global traffic	TCP traffic: 192.168.2.13:53656 -> 83.222.173.20:13566
Source: global traffic	TCP traffic: 192.168.2.13:43820 -> 83.222.14.175:13566
Source: global traffic	TCP traffic: 192.168.2.13:47706 -> 83.222.210.203:13566
Source: global traffic	TCP traffic: 192.168.2.13:36106 -> 83.222.46.52:13566
Source: global traffic	TCP traffic: 192.168.2.13:34440 -> 83.222.47.23:13566
Source: global traffic	TCP traffic: 192.168.2.13:43382 -> 83.222.12.139:13566
Source: global traffic	TCP traffic: 192.168.2.13:40600 -> 83.222.16.12:13566
Source: global traffic	TCP traffic: 192.168.2.13:47668 -> 83.222.191.106:13566
Source: global traffic	TCP traffic: 192.168.2.13:40642 -> 83.222.52.108:13566
Source: global traffic	TCP traffic: 192.168.2.13:54094 -> 83.222.45.139:13566
Source: global traffic	TCP traffic: 192.168.2.13:35964 -> 83.222.220.134:13566
Source: global traffic	TCP traffic: 192.168.2.13:40456 -> 83.222.243.180:13566
Source: global traffic	TCP traffic: 192.168.2.13:44666 -> 83.222.2.164:13566
Source: global traffic	TCP traffic: 192.168.2.13:40550 -> 83.222.48.237:13566
Source: global traffic	TCP traffic: 192.168.2.13:33722 -> 83.222.223.176:13566
Source: global traffic	TCP traffic: 192.168.2.13:56750 -> 83.222.70.140:13566
Source: global traffic	TCP traffic: 192.168.2.13:41238 -> 83.222.196.84:13566
Source: global traffic	TCP traffic: 192.168.2.13:46804 -> 83.222.60.151:13566
Source: global traffic	TCP traffic: 192.168.2.13:56420 -> 83.222.32.106:13566
Source: global traffic	TCP traffic: 192.168.2.13:42570 -> 83.222.203.79:13566
Source: global traffic	TCP traffic: 192.168.2.13:37050 -> 83.222.129.215:13566
Source: global traffic	TCP traffic: 192.168.2.13:52536 -> 83.222.218.145:13566
Source: global traffic	TCP traffic: 192.168.2.13:41704 -> 83.222.228.154:13566
Source: global traffic	TCP traffic: 192.168.2.13:41874 -> 83.222.252.24:13566
Source: global traffic	TCP traffic: 192.168.2.13:52782 -> 83.222.6.41:13566
Source: global traffic	TCP traffic: 192.168.2.13:44978 -> 83.222.163.227:13566
Source: global traffic	TCP traffic: 192.168.2.13:46870 -> 83.222.176.150:13566
Source: global traffic	TCP traffic: 192.168.2.13:44720 -> 83.222.151.178:13566
Source: global traffic	TCP traffic: 192.168.2.13:38454 -> 83.222.59.200:13566
Source: global traffic	TCP traffic: 192.168.2.13:33708 -> 83.222.159.26:13566
Source: global traffic	TCP traffic: 192.168.2.13:55390 -> 83.222.120.229:13566
Source: global traffic	TCP traffic: 192.168.2.13:39402 -> 83.222.166.60:13566
Source: global traffic	TCP traffic: 192.168.2.13:42650 -> 83.222.58.226:13566
Source: global traffic	TCP traffic: 192.168.2.13:38054 -> 83.222.211.90:13566
Source: global traffic	TCP traffic: 192.168.2.13:55740 -> 83.222.76.158:13566
Source: global traffic	TCP traffic: 192.168.2.13:35046 -> 83.222.169.206:13566
Source: global traffic	TCP traffic: 192.168.2.13:39352 -> 83.222.118.132:13566
Source: global traffic	TCP traffic: 192.168.2.13:45080 -> 83.222.95.90:13566
Source: global traffic	TCP traffic: 192.168.2.13:33372 -> 83.222.30.91:13566
Source: global traffic	TCP traffic: 192.168.2.13:58110 -> 83.222.114.36:13566
Source: global traffic	TCP traffic: 192.168.2.13:42858 -> 83.222.191.90:13566

Source: /tmp/loki.sh4.elf (PID: 5433)

Socket: 127.0.0.1:14435

Jump to behavior

Source: Network traffic

Suricata IDS: 2500034 - Severity 2 - ET COMPROMISED Known Compromised or Hostile Host Traffic group 18 : 83.222.191.90:13566 -> 192.168.2.13:42858

Source: global traffic

TCP traffic: 192.168.2.13:48202 -> 185.125.190.26:443

Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.101.124
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.101.124
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.72.227
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.72.227
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.218.1
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.89.179
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.181.221
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.144.175
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.218.1
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.89.179
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.181.221
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.144.175
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.144.175
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.79.190
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.144.175
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.79.190
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.179.8
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.171.39
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.179.8
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.171.39
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.218.90
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.218.90
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.95.85
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.151.192
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.95.85
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.151.192
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.178.168
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.178.168
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.50.71
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.50.71
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.165.151
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.165.151
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.195.237
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.195.237
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.122.157
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.238.211
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.81.164
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.122.157
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.238.211
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.176.225
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.81.164
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.83.0
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.159.6
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.176.225
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.83.0
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.159.6
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.159.6
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.8.74
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.159.6
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.8.74

Source: global traffic

DNS traffic detected: DNS query: secure-network-rebirthltd.ru

Source: unknown

Network traffic detected: HTTP traffic on port 48202 -> 443

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal48.linELF@0/0@1/0

Source: /tmp/loki.sh4.elf (PID: 5433)

Queries kernel information via 'uname':

Jump to behavior

Source: loki.sh4.elf, 5433.1.00007ffde1de8000.00007ffde1e09000.rw-.sdmp, loki.sh4.elf, 5435.1.00007ffde1de8000.00007ffde1e09000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-sh4/tmp/loki.sh4.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/loki.sh4.elf
Source: loki.sh4.elf, 5433.1.00007ffde1de8000.00007ffde1e09000.rw-.sdmp, loki.sh4.elf, 5435.1.00007ffde1de8000.00007ffde1e09000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sh4
Source: loki.sh4.elf, 5433.1.000055866c3a0000.000055866c429000.rw-.sdmp, loki.sh4.elf, 5435.1.000055866c3a0000.000055866c403000.rw-.sdmp	Binary or memory string: U5!/etc/qemu-binfmt/sh4
Source: loki.sh4.elf, 5433.1.000055866c3a0000.000055866c429000.rw-.sdmp, loki.sh4.elf, 5435.1.000055866c3a0000.000055866c403000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/sh4

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
loki.sh4.elf	24%	Virustotal		Browse
loki.sh4.elf	24%	ReversingLabs	Linux.Backdoor.Gafgyt

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
secure-network-rebirthltd.ru	83.222.191.90	true	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
83.222.110.115	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.79.190	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.81.164	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.210.203	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.195.150	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.52.108	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.34.72	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.151.192	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.87.112	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.217.98	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.14.175	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.252.24	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.196.84	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.32.106	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.216.123	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.151.178	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.89.104	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.118.132	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.176.225	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.163.227	unknown	Bulgaria	31037	WAVENETLB	false
83.222.120.229	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.119.247	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.46.52	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.47.23	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.144.175	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.171.39	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.45.139	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.30.91	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.89.179	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.95.85	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.203.79	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.76.158	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.129.215	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.177.124	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.218.145	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.114.36	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.211.90	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.95.90	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.10.35	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.72.227	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.165.140	unknown	Bulgaria	31037	WAVENETLB	false
83.222.159.26	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.191.106	unknown	Bulgaria	43561	NET1-ASBG	false
83.222.2.190	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.178.168	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.235.58	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.16.12	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.233.145	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.149.180	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.191.90	secure-network-rebirthltd.ru	Bulgaria	43561	NET1-ASBG	false
83.222.218.1	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.164.111	unknown	Bulgaria	31037	WAVENETLB	false
83.222.223.176	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.59.200	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.166.107	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.165.151	unknown	Bulgaria	31037	WAVENETLB	false
83.222.15.39	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.122.157	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.220.134	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.39.120	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.166.60	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.238.211	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.2.164	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.17.104	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.179.8	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.137.3	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.6.41	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.127.89	unknown	Russian Federation	47328	TRI-ASTrueRecordsIncES	false
83.222.176.150	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.45.226	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.58.226	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.50.71	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.124.163	unknown	Russian Federation	47328	TRI-ASTrueRecordsIncES	false
83.222.95.255	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.181.221	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.8.74	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.60.151	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.173.20	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.243.180	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.218.90	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.90.39	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.173.195	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.41.9	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.233.216	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.77.65	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.159.6	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.83.0	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
185.125.190.26	unknown	United Kingdom	41231	CANONICAL-ASGB	false
83.222.169.206	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.48.237	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.70.143	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.104.47	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.97.100	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.55.60	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.101.124	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.91.248	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.70.140	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.195.237	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.189.126	unknown	Bulgaria	43561	NET1-ASBG	false
83.222.12.139	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
83.222.79.190	loki.sh4.elf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
secure-network-rebirthltd.ru	loki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	loki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.arm7.elf	Get hash	malicious	Mirai	Browse	83.222.191.90
	loki.x86_64.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.x86_64.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.i686.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	loki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.191.90

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	loki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.71.222
	loki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.93.121
	Kloki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.82.115
	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.77.162
	Kloki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.84.27
	Kloki.arm7.elf	Get hash	malicious	Mirai	Browse	83.222.84.226
	loki.x86_64.elf	Get hash	malicious	Unknown	Browse	83.222.82.223
	Kloki.x86_64.elf	Get hash	malicious	Unknown	Browse	83.222.89.99
	Kloki.i686.elf	Get hash	malicious	Unknown	Browse	83.222.78.125
	loki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.88.209
SYNTERRA-ASRU	loki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.211.69
	loki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.196.65
	Kloki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.207.214
	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.200.226
	Kloki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.205.255
	Kloki.arm7.elf	Get hash	malicious	Mirai	Browse	83.222.194.159
	loki.x86_64.elf	Get hash	malicious	Unknown	Browse	83.222.200.182
	Kloki.x86_64.elf	Get hash	malicious	Unknown	Browse	83.222.192.170
	Kloki.i686.elf	Get hash	malicious	Unknown	Browse	83.222.201.96
	loki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.210.254
MNOGOBYTE-ASMoscowRussiaRU	loki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.98.5
	loki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.118.190
	Kloki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.115.165
	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.105.229
	Kloki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.112.215
	Kloki.arm7.elf	Get hash	malicious	Mirai	Browse	83.222.110.25
	loki.x86_64.elf	Get hash	malicious	Unknown	Browse	83.222.101.228
	Kloki.x86_64.elf	Get hash	malicious	Unknown	Browse	83.222.107.141
	Kloki.i686.elf	Get hash	malicious	Unknown	Browse	83.222.109.253
	loki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.112.175
SYNTERRA-ASRU	loki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.211.69
	loki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.196.65
	Kloki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.207.214
	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.200.226
	Kloki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.205.255
	Kloki.arm7.elf	Get hash	malicious	Mirai	Browse	83.222.194.159
	loki.x86_64.elf	Get hash	malicious	Unknown	Browse	83.222.200.182
	Kloki.x86_64.elf	Get hash	malicious	Unknown	Browse	83.222.192.170
	Kloki.i686.elf	Get hash	malicious	Unknown	Browse	83.222.201.96
	loki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.210.254
ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	loki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.71.222
	loki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.93.121
	Kloki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.82.115
	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.77.162
	Kloki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.84.27
	Kloki.arm7.elf	Get hash	malicious	Mirai	Browse	83.222.84.226
	loki.x86_64.elf	Get hash	malicious	Unknown	Browse	83.222.82.223
	Kloki.x86_64.elf	Get hash	malicious	Unknown	Browse	83.222.89.99
	Kloki.i686.elf	Get hash	malicious	Unknown	Browse	83.222.78.125
	loki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.88.209

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.805730210497
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	loki.sh4.elf
File size:	43'416 bytes
MD5:	9fdfb43e7c4271d64e9ae6171dc0e9f0
SHA1:	3f309312bb8d5d9450abcf81b19b5c2859c703aa
SHA256:	adc2214eb373c5df5625687dee512fb2c612fd0facb2abff822f2d0544359493
SHA512:	0763a5554c4d244f94c1289e70c1182f8058cc28011fb09d6e7b5826f5b5e9c04e4d4c6e5394d6f6c1521df3eb45ee80f5ea8833277b5582de37b2d5b4afb0e5
SSDEEP:	768:uaYwt3g/v9Ve4U+8e7ua7LQNQAC7eokg0pHxCJv:uaYwt3yxYaH3hAGhvwxCJv
TLSH:	7E137D7BD87EEF94C15942B8A8708E781B13F444D2532EBF1A9584A79003DACF6093F6
File Content Preview:	.ELF.....................@.4...........4. ...(...............@...@.x...x...............\|...\|.A.\|.A.L...............Q.td............................././"O.n........#.@........#.*@L....o&O.n...l..............................././.../.a"O.!...n...a.b("...q.

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	<unknown>
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x4001a0
Flags:	0x9
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	43016
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x30	0x0	0x6	AX	4
.text	PROGBITS	0x4000e0	0xe0	0x9f60	0x0	0x6	AX	32
.fini	PROGBITS	0x40a040	0xa040	0x24	0x0	0x6	AX	4
.rodata	PROGBITS	0x40a064	0xa064	0x514	0x0	0x2	A	4
.ctors	PROGBITS	0x41a57c	0xa57c	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x41a584	0xa584	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x41a590	0xa590	0x238	0x0	0x3	WA	4
.bss	NOBITS	0x41a7c8	0xa7c8	0x1164	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0xa7c8	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0xa578	0xa578	6.8577	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0xa57c	0x41a57c	0x41a57c	0x24c	0x13b0	3.2241	0x6	RW	0x10000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Download Network PCAP: filtered – full

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-19T03:01:41.493720+0100	2500034	ET COMPROMISED Known Compromised or Hostile Host Traffic group 18	2	83.222.191.90	13566	192.168.2.13	42858	TCP

Network Port Distribution

Total Packets: 225
• 13566 undefined
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 19, 2025 03:01:41.117270947 CET	54812	13566	192.168.2.13	83.222.101.124
Jan 19, 2025 03:01:41.122456074 CET	13566	54812	83.222.101.124	192.168.2.13
Jan 19, 2025 03:01:41.122543097 CET	54812	13566	192.168.2.13	83.222.101.124
Jan 19, 2025 03:01:41.137197971 CET	34498	13566	192.168.2.13	83.222.72.227
Jan 19, 2025 03:01:41.142065048 CET	13566	34498	83.222.72.227	192.168.2.13
Jan 19, 2025 03:01:41.142117977 CET	34498	13566	192.168.2.13	83.222.72.227
Jan 19, 2025 03:01:41.144087076 CET	52638	13566	192.168.2.13	83.222.218.1
Jan 19, 2025 03:01:41.146570921 CET	53288	13566	192.168.2.13	83.222.89.179
Jan 19, 2025 03:01:41.147850990 CET	43260	13566	192.168.2.13	83.222.181.221
Jan 19, 2025 03:01:41.148777008 CET	38828	13566	192.168.2.13	83.222.144.175
Jan 19, 2025 03:01:41.150120020 CET	13566	52638	83.222.218.1	192.168.2.13
Jan 19, 2025 03:01:41.150161982 CET	52638	13566	192.168.2.13	83.222.218.1
Jan 19, 2025 03:01:41.151447058 CET	13566	53288	83.222.89.179	192.168.2.13
Jan 19, 2025 03:01:41.151556969 CET	53288	13566	192.168.2.13	83.222.89.179
Jan 19, 2025 03:01:41.153012037 CET	13566	43260	83.222.181.221	192.168.2.13
Jan 19, 2025 03:01:41.153060913 CET	43260	13566	192.168.2.13	83.222.181.221
Jan 19, 2025 03:01:41.153601885 CET	13566	38828	83.222.144.175	192.168.2.13
Jan 19, 2025 03:01:41.153651953 CET	38828	13566	192.168.2.13	83.222.144.175
Jan 19, 2025 03:01:41.162067890 CET	38828	13566	192.168.2.13	83.222.144.175
Jan 19, 2025 03:01:41.164997101 CET	58394	13566	192.168.2.13	83.222.79.190
Jan 19, 2025 03:01:41.167067051 CET	13566	38828	83.222.144.175	192.168.2.13
Jan 19, 2025 03:01:41.167114019 CET	38828	13566	192.168.2.13	83.222.144.175
Jan 19, 2025 03:01:41.169848919 CET	13566	58394	83.222.79.190	192.168.2.13
Jan 19, 2025 03:01:41.169900894 CET	58394	13566	192.168.2.13	83.222.79.190
Jan 19, 2025 03:01:41.178097963 CET	34582	13566	192.168.2.13	83.222.179.8
Jan 19, 2025 03:01:41.181454897 CET	33864	13566	192.168.2.13	83.222.171.39
Jan 19, 2025 03:01:41.182979107 CET	13566	34582	83.222.179.8	192.168.2.13
Jan 19, 2025 03:01:41.183032036 CET	34582	13566	192.168.2.13	83.222.179.8
Jan 19, 2025 03:01:41.186408997 CET	13566	33864	83.222.171.39	192.168.2.13
Jan 19, 2025 03:01:41.186445951 CET	33864	13566	192.168.2.13	83.222.171.39
Jan 19, 2025 03:01:41.186501980 CET	57494	13566	192.168.2.13	83.222.218.90
Jan 19, 2025 03:01:41.191304922 CET	13566	57494	83.222.218.90	192.168.2.13
Jan 19, 2025 03:01:41.193125010 CET	57494	13566	192.168.2.13	83.222.218.90
Jan 19, 2025 03:01:41.197515011 CET	33464	13566	192.168.2.13	83.222.95.85
Jan 19, 2025 03:01:41.201299906 CET	43284	13566	192.168.2.13	83.222.151.192
Jan 19, 2025 03:01:41.202409983 CET	13566	33464	83.222.95.85	192.168.2.13
Jan 19, 2025 03:01:41.202451944 CET	33464	13566	192.168.2.13	83.222.95.85
Jan 19, 2025 03:01:41.206186056 CET	13566	43284	83.222.151.192	192.168.2.13
Jan 19, 2025 03:01:41.206235886 CET	43284	13566	192.168.2.13	83.222.151.192
Jan 19, 2025 03:01:41.207467079 CET	58664	13566	192.168.2.13	83.222.10.35
Jan 19, 2025 03:01:41.212379932 CET	13566	58664	83.222.10.35	192.168.2.13
Jan 19, 2025 03:01:41.212424040 CET	58664	13566	192.168.2.13	83.222.10.35
Jan 19, 2025 03:01:41.212708950 CET	53392	13566	192.168.2.13	83.222.178.168
Jan 19, 2025 03:01:41.217489958 CET	13566	53392	83.222.178.168	192.168.2.13
Jan 19, 2025 03:01:41.217534065 CET	53392	13566	192.168.2.13	83.222.178.168
Jan 19, 2025 03:01:41.217670918 CET	54048	13566	192.168.2.13	83.222.50.71
Jan 19, 2025 03:01:41.222608089 CET	13566	54048	83.222.50.71	192.168.2.13
Jan 19, 2025 03:01:41.222676992 CET	54048	13566	192.168.2.13	83.222.50.71
Jan 19, 2025 03:01:41.223540068 CET	33340	13566	192.168.2.13	83.222.165.151
Jan 19, 2025 03:01:41.228403091 CET	13566	33340	83.222.165.151	192.168.2.13
Jan 19, 2025 03:01:41.228441954 CET	33340	13566	192.168.2.13	83.222.165.151
Jan 19, 2025 03:01:41.229279995 CET	49678	13566	192.168.2.13	83.222.195.237
Jan 19, 2025 03:01:41.234160900 CET	13566	49678	83.222.195.237	192.168.2.13
Jan 19, 2025 03:01:41.234204054 CET	49678	13566	192.168.2.13	83.222.195.237
Jan 19, 2025 03:01:41.234802961 CET	57260	13566	192.168.2.13	83.222.122.157
Jan 19, 2025 03:01:41.238372087 CET	35698	13566	192.168.2.13	83.222.238.211
Jan 19, 2025 03:01:41.239289045 CET	53440	13566	192.168.2.13	83.222.81.164
Jan 19, 2025 03:01:41.239625931 CET	13566	57260	83.222.122.157	192.168.2.13
Jan 19, 2025 03:01:41.239667892 CET	57260	13566	192.168.2.13	83.222.122.157
Jan 19, 2025 03:01:41.243208885 CET	13566	35698	83.222.238.211	192.168.2.13
Jan 19, 2025 03:01:41.243262053 CET	35698	13566	192.168.2.13	83.222.238.211
Jan 19, 2025 03:01:41.243437052 CET	58224	13566	192.168.2.13	83.222.176.225
Jan 19, 2025 03:01:41.244194031 CET	13566	53440	83.222.81.164	192.168.2.13
Jan 19, 2025 03:01:41.244241953 CET	53440	13566	192.168.2.13	83.222.81.164
Jan 19, 2025 03:01:41.246035099 CET	46412	13566	192.168.2.13	83.222.83.0
Jan 19, 2025 03:01:41.248279095 CET	54186	13566	192.168.2.13	83.222.159.6
Jan 19, 2025 03:01:41.248375893 CET	13566	58224	83.222.176.225	192.168.2.13
Jan 19, 2025 03:01:41.248420000 CET	58224	13566	192.168.2.13	83.222.176.225
Jan 19, 2025 03:01:41.250864029 CET	13566	46412	83.222.83.0	192.168.2.13
Jan 19, 2025 03:01:41.250900984 CET	46412	13566	192.168.2.13	83.222.83.0
Jan 19, 2025 03:01:41.253091097 CET	13566	54186	83.222.159.6	192.168.2.13
Jan 19, 2025 03:01:41.253134966 CET	54186	13566	192.168.2.13	83.222.159.6
Jan 19, 2025 03:01:41.263799906 CET	54186	13566	192.168.2.13	83.222.159.6
Jan 19, 2025 03:01:41.264558077 CET	34758	13566	192.168.2.13	83.222.8.74
Jan 19, 2025 03:01:41.268729925 CET	13566	54186	83.222.159.6	192.168.2.13
Jan 19, 2025 03:01:41.268825054 CET	54186	13566	192.168.2.13	83.222.159.6
Jan 19, 2025 03:01:41.269426107 CET	13566	34758	83.222.8.74	192.168.2.13
Jan 19, 2025 03:01:41.269479990 CET	34758	13566	192.168.2.13	83.222.8.74
Jan 19, 2025 03:01:41.271914959 CET	34758	13566	192.168.2.13	83.222.8.74
Jan 19, 2025 03:01:41.276783943 CET	13566	34758	83.222.8.74	192.168.2.13
Jan 19, 2025 03:01:41.276844025 CET	34758	13566	192.168.2.13	83.222.8.74
Jan 19, 2025 03:01:41.280796051 CET	38952	13566	192.168.2.13	83.222.45.226
Jan 19, 2025 03:01:41.285670996 CET	13566	38952	83.222.45.226	192.168.2.13
Jan 19, 2025 03:01:41.285720110 CET	38952	13566	192.168.2.13	83.222.45.226
Jan 19, 2025 03:01:41.293560028 CET	58058	13566	192.168.2.13	83.222.165.140
Jan 19, 2025 03:01:41.298593998 CET	13566	58058	83.222.165.140	192.168.2.13
Jan 19, 2025 03:01:41.298645020 CET	58058	13566	192.168.2.13	83.222.165.140
Jan 19, 2025 03:01:41.300209045 CET	55668	13566	192.168.2.13	83.222.55.60
Jan 19, 2025 03:01:41.303603888 CET	42664	13566	192.168.2.13	83.222.77.65
Jan 19, 2025 03:01:41.305275917 CET	13566	55668	83.222.55.60	192.168.2.13
Jan 19, 2025 03:01:41.305327892 CET	55668	13566	192.168.2.13	83.222.55.60
Jan 19, 2025 03:01:41.306039095 CET	42804	13566	192.168.2.13	83.222.95.255
Jan 19, 2025 03:01:41.308137894 CET	50284	13566	192.168.2.13	83.222.233.145
Jan 19, 2025 03:01:41.308523893 CET	13566	42664	83.222.77.65	192.168.2.13
Jan 19, 2025 03:01:41.308573008 CET	42664	13566	192.168.2.13	83.222.77.65
Jan 19, 2025 03:01:41.309089899 CET	55490	13566	192.168.2.13	83.222.70.143
Jan 19, 2025 03:01:41.311021090 CET	13566	42804	83.222.95.255	192.168.2.13
Jan 19, 2025 03:01:41.311072111 CET	42804	13566	192.168.2.13	83.222.95.255
Jan 19, 2025 03:01:41.313033104 CET	13566	50284	83.222.233.145	192.168.2.13
Jan 19, 2025 03:01:41.313105106 CET	50284	13566	192.168.2.13	83.222.233.145
Jan 19, 2025 03:01:41.313982010 CET	13566	55490	83.222.70.143	192.168.2.13
Jan 19, 2025 03:01:41.314034939 CET	55490	13566	192.168.2.13	83.222.70.143
Jan 19, 2025 03:01:41.316823006 CET	42776	13566	192.168.2.13	83.222.41.9
Jan 19, 2025 03:01:41.321682930 CET	13566	42776	83.222.41.9	192.168.2.13
Jan 19, 2025 03:01:41.321795940 CET	42776	13566	192.168.2.13	83.222.41.9
Jan 19, 2025 03:01:41.324099064 CET	42776	13566	192.168.2.13	83.222.41.9
Jan 19, 2025 03:01:41.324991941 CET	53380	13566	192.168.2.13	83.222.124.163
Jan 19, 2025 03:01:41.328979969 CET	13566	42776	83.222.41.9	192.168.2.13
Jan 19, 2025 03:01:41.329025984 CET	42776	13566	192.168.2.13	83.222.41.9
Jan 19, 2025 03:01:41.329916954 CET	13566	53380	83.222.124.163	192.168.2.13
Jan 19, 2025 03:01:41.329973936 CET	53380	13566	192.168.2.13	83.222.124.163
Jan 19, 2025 03:01:41.331621885 CET	53380	13566	192.168.2.13	83.222.124.163
Jan 19, 2025 03:01:41.333488941 CET	41148	13566	192.168.2.13	83.222.166.107
Jan 19, 2025 03:01:41.334682941 CET	44260	13566	192.168.2.13	83.222.119.247
Jan 19, 2025 03:01:41.336500883 CET	13566	53380	83.222.124.163	192.168.2.13
Jan 19, 2025 03:01:41.336546898 CET	53380	13566	192.168.2.13	83.222.124.163
Jan 19, 2025 03:01:41.338310003 CET	13566	41148	83.222.166.107	192.168.2.13
Jan 19, 2025 03:01:41.338395119 CET	41148	13566	192.168.2.13	83.222.166.107
Jan 19, 2025 03:01:41.339538097 CET	13566	44260	83.222.119.247	192.168.2.13
Jan 19, 2025 03:01:41.339581013 CET	44260	13566	192.168.2.13	83.222.119.247
Jan 19, 2025 03:01:41.345319033 CET	44260	13566	192.168.2.13	83.222.119.247
Jan 19, 2025 03:01:41.350161076 CET	13566	44260	83.222.119.247	192.168.2.13
Jan 19, 2025 03:01:41.350229979 CET	44260	13566	192.168.2.13	83.222.119.247
Jan 19, 2025 03:01:41.351831913 CET	44310	13566	192.168.2.13	83.222.15.39
Jan 19, 2025 03:01:41.354448080 CET	56370	13566	192.168.2.13	83.222.217.98
Jan 19, 2025 03:01:41.356676102 CET	13566	44310	83.222.15.39	192.168.2.13
Jan 19, 2025 03:01:41.356719017 CET	44310	13566	192.168.2.13	83.222.15.39
Jan 19, 2025 03:01:41.356864929 CET	47586	13566	192.168.2.13	83.222.39.120
Jan 19, 2025 03:01:41.358856916 CET	50252	13566	192.168.2.13	83.222.104.47
Jan 19, 2025 03:01:41.359251022 CET	13566	56370	83.222.217.98	192.168.2.13
Jan 19, 2025 03:01:41.359287977 CET	56370	13566	192.168.2.13	83.222.217.98
Jan 19, 2025 03:01:41.361445904 CET	60856	13566	192.168.2.13	83.222.195.150
Jan 19, 2025 03:01:41.361732006 CET	13566	47586	83.222.39.120	192.168.2.13
Jan 19, 2025 03:01:41.361779928 CET	47586	13566	192.168.2.13	83.222.39.120
Jan 19, 2025 03:01:41.363734961 CET	13566	50252	83.222.104.47	192.168.2.13
Jan 19, 2025 03:01:41.363785028 CET	50252	13566	192.168.2.13	83.222.104.47
Jan 19, 2025 03:01:41.363972902 CET	56260	13566	192.168.2.13	83.222.17.104
Jan 19, 2025 03:01:41.366257906 CET	13566	60856	83.222.195.150	192.168.2.13
Jan 19, 2025 03:01:41.366311073 CET	60856	13566	192.168.2.13	83.222.195.150
Jan 19, 2025 03:01:41.366837025 CET	35912	13566	192.168.2.13	83.222.34.72
Jan 19, 2025 03:01:41.368839025 CET	13566	56260	83.222.17.104	192.168.2.13
Jan 19, 2025 03:01:41.368882895 CET	56260	13566	192.168.2.13	83.222.17.104
Jan 19, 2025 03:01:41.369319916 CET	54564	13566	192.168.2.13	83.222.164.111
Jan 19, 2025 03:01:41.371690989 CET	13566	35912	83.222.34.72	192.168.2.13
Jan 19, 2025 03:01:41.371733904 CET	35912	13566	192.168.2.13	83.222.34.72
Jan 19, 2025 03:01:41.372253895 CET	36286	13566	192.168.2.13	83.222.137.3
Jan 19, 2025 03:01:41.374176979 CET	13566	54564	83.222.164.111	192.168.2.13
Jan 19, 2025 03:01:41.374212980 CET	33582	13566	192.168.2.13	83.222.110.115
Jan 19, 2025 03:01:41.374226093 CET	54564	13566	192.168.2.13	83.222.164.111
Jan 19, 2025 03:01:41.377141953 CET	13566	36286	83.222.137.3	192.168.2.13
Jan 19, 2025 03:01:41.377142906 CET	55742	13566	192.168.2.13	83.222.149.180
Jan 19, 2025 03:01:41.377237082 CET	36286	13566	192.168.2.13	83.222.137.3
Jan 19, 2025 03:01:41.379178047 CET	13566	33582	83.222.110.115	192.168.2.13
Jan 19, 2025 03:01:41.379251003 CET	33582	13566	192.168.2.13	83.222.110.115
Jan 19, 2025 03:01:41.380166054 CET	52694	13566	192.168.2.13	83.222.2.190
Jan 19, 2025 03:01:41.382009983 CET	13566	55742	83.222.149.180	192.168.2.13
Jan 19, 2025 03:01:41.382054090 CET	55742	13566	192.168.2.13	83.222.149.180
Jan 19, 2025 03:01:41.382369041 CET	47124	13566	192.168.2.13	83.222.189.126
Jan 19, 2025 03:01:41.384710073 CET	46586	13566	192.168.2.13	83.222.97.100
Jan 19, 2025 03:01:41.385092974 CET	13566	52694	83.222.2.190	192.168.2.13
Jan 19, 2025 03:01:41.385147095 CET	52694	13566	192.168.2.13	83.222.2.190
Jan 19, 2025 03:01:41.386501074 CET	55476	13566	192.168.2.13	83.222.233.216
Jan 19, 2025 03:01:41.387172937 CET	13566	47124	83.222.189.126	192.168.2.13
Jan 19, 2025 03:01:41.387213945 CET	47124	13566	192.168.2.13	83.222.189.126
Jan 19, 2025 03:01:41.388761997 CET	48584	13566	192.168.2.13	83.222.91.248
Jan 19, 2025 03:01:41.389627934 CET	13566	46586	83.222.97.100	192.168.2.13
Jan 19, 2025 03:01:41.389672041 CET	46586	13566	192.168.2.13	83.222.97.100
Jan 19, 2025 03:01:41.390791893 CET	55842	13566	192.168.2.13	83.222.0.52
Jan 19, 2025 03:01:41.391370058 CET	13566	55476	83.222.233.216	192.168.2.13
Jan 19, 2025 03:01:41.391413927 CET	55476	13566	192.168.2.13	83.222.233.216
Jan 19, 2025 03:01:41.393404961 CET	54590	13566	192.168.2.13	83.222.90.39
Jan 19, 2025 03:01:41.393615007 CET	13566	48584	83.222.91.248	192.168.2.13
Jan 19, 2025 03:01:41.393661022 CET	48584	13566	192.168.2.13	83.222.91.248
Jan 19, 2025 03:01:41.395567894 CET	13566	55842	83.222.0.52	192.168.2.13
Jan 19, 2025 03:01:41.395612955 CET	55842	13566	192.168.2.13	83.222.0.52
Jan 19, 2025 03:01:41.396321058 CET	50716	13566	192.168.2.13	83.222.173.195
Jan 19, 2025 03:01:41.398222923 CET	13566	54590	83.222.90.39	192.168.2.13
Jan 19, 2025 03:01:41.398272038 CET	54590	13566	192.168.2.13	83.222.90.39
Jan 19, 2025 03:01:41.400361061 CET	39556	13566	192.168.2.13	83.222.87.112
Jan 19, 2025 03:01:41.401166916 CET	13566	50716	83.222.173.195	192.168.2.13
Jan 19, 2025 03:01:41.401213884 CET	50716	13566	192.168.2.13	83.222.173.195
Jan 19, 2025 03:01:41.404619932 CET	60400	13566	192.168.2.13	83.222.89.104
Jan 19, 2025 03:01:41.405224085 CET	13566	39556	83.222.87.112	192.168.2.13
Jan 19, 2025 03:01:41.405286074 CET	39556	13566	192.168.2.13	83.222.87.112
Jan 19, 2025 03:01:41.408468008 CET	42612	13566	192.168.2.13	83.222.216.123
Jan 19, 2025 03:01:41.409512043 CET	13566	60400	83.222.89.104	192.168.2.13
Jan 19, 2025 03:01:41.409558058 CET	60400	13566	192.168.2.13	83.222.89.104
Jan 19, 2025 03:01:41.411482096 CET	41888	13566	192.168.2.13	83.222.177.124
Jan 19, 2025 03:01:41.413192034 CET	43366	13566	192.168.2.13	83.222.235.58
Jan 19, 2025 03:01:41.413305044 CET	13566	42612	83.222.216.123	192.168.2.13
Jan 19, 2025 03:01:41.413341999 CET	42612	13566	192.168.2.13	83.222.216.123
Jan 19, 2025 03:01:41.414064884 CET	45440	13566	192.168.2.13	83.222.127.89
Jan 19, 2025 03:01:41.415071011 CET	53656	13566	192.168.2.13	83.222.173.20
Jan 19, 2025 03:01:41.416089058 CET	43820	13566	192.168.2.13	83.222.14.175
Jan 19, 2025 03:01:41.416450977 CET	13566	41888	83.222.177.124	192.168.2.13
Jan 19, 2025 03:01:41.416655064 CET	41888	13566	192.168.2.13	83.222.177.124
Jan 19, 2025 03:01:41.417105913 CET	47706	13566	192.168.2.13	83.222.210.203
Jan 19, 2025 03:01:41.417937994 CET	36106	13566	192.168.2.13	83.222.46.52
Jan 19, 2025 03:01:41.418104887 CET	13566	43366	83.222.235.58	192.168.2.13
Jan 19, 2025 03:01:41.418158054 CET	43366	13566	192.168.2.13	83.222.235.58
Jan 19, 2025 03:01:41.418931007 CET	34440	13566	192.168.2.13	83.222.47.23
Jan 19, 2025 03:01:41.419083118 CET	13566	45440	83.222.127.89	192.168.2.13
Jan 19, 2025 03:01:41.419133902 CET	45440	13566	192.168.2.13	83.222.127.89
Jan 19, 2025 03:01:41.419765949 CET	43382	13566	192.168.2.13	83.222.12.139
Jan 19, 2025 03:01:41.419946909 CET	13566	53656	83.222.173.20	192.168.2.13
Jan 19, 2025 03:01:41.419990063 CET	53656	13566	192.168.2.13	83.222.173.20
Jan 19, 2025 03:01:41.420746088 CET	40600	13566	192.168.2.13	83.222.16.12
Jan 19, 2025 03:01:41.420985937 CET	13566	43820	83.222.14.175	192.168.2.13
Jan 19, 2025 03:01:41.421037912 CET	43820	13566	192.168.2.13	83.222.14.175
Jan 19, 2025 03:01:41.421675920 CET	47668	13566	192.168.2.13	83.222.191.106
Jan 19, 2025 03:01:41.421951056 CET	13566	47706	83.222.210.203	192.168.2.13
Jan 19, 2025 03:01:41.421993971 CET	47706	13566	192.168.2.13	83.222.210.203
Jan 19, 2025 03:01:41.422805071 CET	13566	36106	83.222.46.52	192.168.2.13
Jan 19, 2025 03:01:41.422847033 CET	36106	13566	192.168.2.13	83.222.46.52
Jan 19, 2025 03:01:41.422955036 CET	40642	13566	192.168.2.13	83.222.52.108
Jan 19, 2025 03:01:41.423948050 CET	13566	34440	83.222.47.23	192.168.2.13
Jan 19, 2025 03:01:41.423978090 CET	54094	13566	192.168.2.13	83.222.45.139
Jan 19, 2025 03:01:41.423983097 CET	34440	13566	192.168.2.13	83.222.47.23
Jan 19, 2025 03:01:41.424846888 CET	13566	43382	83.222.12.139	192.168.2.13
Jan 19, 2025 03:01:41.424940109 CET	43382	13566	192.168.2.13	83.222.12.139
Jan 19, 2025 03:01:41.425422907 CET	35964	13566	192.168.2.13	83.222.220.134
Jan 19, 2025 03:01:41.425838947 CET	13566	40600	83.222.16.12	192.168.2.13
Jan 19, 2025 03:01:41.425878048 CET	40600	13566	192.168.2.13	83.222.16.12
Jan 19, 2025 03:01:41.426649094 CET	13566	47668	83.222.191.106	192.168.2.13
Jan 19, 2025 03:01:41.426692963 CET	47668	13566	192.168.2.13	83.222.191.106
Jan 19, 2025 03:01:41.426810026 CET	40456	13566	192.168.2.13	83.222.243.180
Jan 19, 2025 03:01:41.427761078 CET	13566	40642	83.222.52.108	192.168.2.13
Jan 19, 2025 03:01:41.427810907 CET	40642	13566	192.168.2.13	83.222.52.108
Jan 19, 2025 03:01:41.428406954 CET	44666	13566	192.168.2.13	83.222.2.164
Jan 19, 2025 03:01:41.428879023 CET	13566	54094	83.222.45.139	192.168.2.13
Jan 19, 2025 03:01:41.428982973 CET	54094	13566	192.168.2.13	83.222.45.139
Jan 19, 2025 03:01:41.429630041 CET	40550	13566	192.168.2.13	83.222.48.237
Jan 19, 2025 03:01:41.430202961 CET	13566	35964	83.222.220.134	192.168.2.13
Jan 19, 2025 03:01:41.430248976 CET	35964	13566	192.168.2.13	83.222.220.134
Jan 19, 2025 03:01:41.431600094 CET	33722	13566	192.168.2.13	83.222.223.176
Jan 19, 2025 03:01:41.431624889 CET	13566	40456	83.222.243.180	192.168.2.13
Jan 19, 2025 03:01:41.431678057 CET	40456	13566	192.168.2.13	83.222.243.180
Jan 19, 2025 03:01:41.433262110 CET	13566	44666	83.222.2.164	192.168.2.13
Jan 19, 2025 03:01:41.433393955 CET	44666	13566	192.168.2.13	83.222.2.164
Jan 19, 2025 03:01:41.433520079 CET	56750	13566	192.168.2.13	83.222.70.140
Jan 19, 2025 03:01:41.434494019 CET	13566	40550	83.222.48.237	192.168.2.13
Jan 19, 2025 03:01:41.434784889 CET	40550	13566	192.168.2.13	83.222.48.237
Jan 19, 2025 03:01:41.435578108 CET	41238	13566	192.168.2.13	83.222.196.84
Jan 19, 2025 03:01:41.436460018 CET	13566	33722	83.222.223.176	192.168.2.13
Jan 19, 2025 03:01:41.436537981 CET	33722	13566	192.168.2.13	83.222.223.176
Jan 19, 2025 03:01:41.437274933 CET	46804	13566	192.168.2.13	83.222.60.151
Jan 19, 2025 03:01:41.438360929 CET	13566	56750	83.222.70.140	192.168.2.13
Jan 19, 2025 03:01:41.438415051 CET	56750	13566	192.168.2.13	83.222.70.140
Jan 19, 2025 03:01:41.438716888 CET	56420	13566	192.168.2.13	83.222.32.106
Jan 19, 2025 03:01:41.440241098 CET	42570	13566	192.168.2.13	83.222.203.79
Jan 19, 2025 03:01:41.440428972 CET	13566	41238	83.222.196.84	192.168.2.13
Jan 19, 2025 03:01:41.440485001 CET	41238	13566	192.168.2.13	83.222.196.84
Jan 19, 2025 03:01:41.442148924 CET	13566	46804	83.222.60.151	192.168.2.13
Jan 19, 2025 03:01:41.442198992 CET	46804	13566	192.168.2.13	83.222.60.151
Jan 19, 2025 03:01:41.442389011 CET	37050	13566	192.168.2.13	83.222.129.215
Jan 19, 2025 03:01:41.443563938 CET	13566	56420	83.222.32.106	192.168.2.13
Jan 19, 2025 03:01:41.443682909 CET	56420	13566	192.168.2.13	83.222.32.106
Jan 19, 2025 03:01:41.444569111 CET	52536	13566	192.168.2.13	83.222.218.145
Jan 19, 2025 03:01:41.445039034 CET	13566	42570	83.222.203.79	192.168.2.13
Jan 19, 2025 03:01:41.445099115 CET	42570	13566	192.168.2.13	83.222.203.79
Jan 19, 2025 03:01:41.446564913 CET	41704	13566	192.168.2.13	83.222.228.154
Jan 19, 2025 03:01:41.447218895 CET	13566	37050	83.222.129.215	192.168.2.13
Jan 19, 2025 03:01:41.447257042 CET	37050	13566	192.168.2.13	83.222.129.215
Jan 19, 2025 03:01:41.448225975 CET	41874	13566	192.168.2.13	83.222.252.24
Jan 19, 2025 03:01:41.449338913 CET	13566	52536	83.222.218.145	192.168.2.13
Jan 19, 2025 03:01:41.449377060 CET	52536	13566	192.168.2.13	83.222.218.145
Jan 19, 2025 03:01:41.449886084 CET	52782	13566	192.168.2.13	83.222.6.41
Jan 19, 2025 03:01:41.451445103 CET	13566	41704	83.222.228.154	192.168.2.13
Jan 19, 2025 03:01:41.451488972 CET	41704	13566	192.168.2.13	83.222.228.154
Jan 19, 2025 03:01:41.451833963 CET	44978	13566	192.168.2.13	83.222.163.227
Jan 19, 2025 03:01:41.453119993 CET	13566	41874	83.222.252.24	192.168.2.13
Jan 19, 2025 03:01:41.453167915 CET	41874	13566	192.168.2.13	83.222.252.24
Jan 19, 2025 03:01:41.453237057 CET	46870	13566	192.168.2.13	83.222.176.150
Jan 19, 2025 03:01:41.454618931 CET	44720	13566	192.168.2.13	83.222.151.178
Jan 19, 2025 03:01:41.454699993 CET	13566	52782	83.222.6.41	192.168.2.13
Jan 19, 2025 03:01:41.454749107 CET	52782	13566	192.168.2.13	83.222.6.41
Jan 19, 2025 03:01:41.456159115 CET	38454	13566	192.168.2.13	83.222.59.200
Jan 19, 2025 03:01:41.456873894 CET	13566	44978	83.222.163.227	192.168.2.13
Jan 19, 2025 03:01:41.456917048 CET	44978	13566	192.168.2.13	83.222.163.227
Jan 19, 2025 03:01:41.457557917 CET	33708	13566	192.168.2.13	83.222.159.26
Jan 19, 2025 03:01:41.458417892 CET	13566	46870	83.222.176.150	192.168.2.13
Jan 19, 2025 03:01:41.458465099 CET	46870	13566	192.168.2.13	83.222.176.150
Jan 19, 2025 03:01:41.458848000 CET	55390	13566	192.168.2.13	83.222.120.229
Jan 19, 2025 03:01:41.460035086 CET	13566	44720	83.222.151.178	192.168.2.13
Jan 19, 2025 03:01:41.460073948 CET	44720	13566	192.168.2.13	83.222.151.178
Jan 19, 2025 03:01:41.460562944 CET	39402	13566	192.168.2.13	83.222.166.60
Jan 19, 2025 03:01:41.461139917 CET	13566	38454	83.222.59.200	192.168.2.13
Jan 19, 2025 03:01:41.461188078 CET	38454	13566	192.168.2.13	83.222.59.200
Jan 19, 2025 03:01:41.461946964 CET	42650	13566	192.168.2.13	83.222.58.226
Jan 19, 2025 03:01:41.462698936 CET	13566	33708	83.222.159.26	192.168.2.13
Jan 19, 2025 03:01:41.462747097 CET	33708	13566	192.168.2.13	83.222.159.26
Jan 19, 2025 03:01:41.463929892 CET	13566	55390	83.222.120.229	192.168.2.13
Jan 19, 2025 03:01:41.463980913 CET	55390	13566	192.168.2.13	83.222.120.229
Jan 19, 2025 03:01:41.465655088 CET	13566	39402	83.222.166.60	192.168.2.13
Jan 19, 2025 03:01:41.465694904 CET	39402	13566	192.168.2.13	83.222.166.60
Jan 19, 2025 03:01:41.467210054 CET	13566	42650	83.222.58.226	192.168.2.13
Jan 19, 2025 03:01:41.467293978 CET	42650	13566	192.168.2.13	83.222.58.226
Jan 19, 2025 03:01:41.467497110 CET	38054	13566	192.168.2.13	83.222.211.90
Jan 19, 2025 03:01:41.468750954 CET	55740	13566	192.168.2.13	83.222.76.158
Jan 19, 2025 03:01:41.469907045 CET	35046	13566	192.168.2.13	83.222.169.206
Jan 19, 2025 03:01:41.471755981 CET	39352	13566	192.168.2.13	83.222.118.132
Jan 19, 2025 03:01:41.472881079 CET	13566	38054	83.222.211.90	192.168.2.13
Jan 19, 2025 03:01:41.472925901 CET	38054	13566	192.168.2.13	83.222.211.90
Jan 19, 2025 03:01:41.473331928 CET	45080	13566	192.168.2.13	83.222.95.90
Jan 19, 2025 03:01:41.474039078 CET	13566	55740	83.222.76.158	192.168.2.13
Jan 19, 2025 03:01:41.474081039 CET	55740	13566	192.168.2.13	83.222.76.158
Jan 19, 2025 03:01:41.475197077 CET	13566	35046	83.222.169.206	192.168.2.13
Jan 19, 2025 03:01:41.475239992 CET	35046	13566	192.168.2.13	83.222.169.206
Jan 19, 2025 03:01:41.475281000 CET	33372	13566	192.168.2.13	83.222.30.91
Jan 19, 2025 03:01:41.476758003 CET	13566	39352	83.222.118.132	192.168.2.13
Jan 19, 2025 03:01:41.476810932 CET	39352	13566	192.168.2.13	83.222.118.132
Jan 19, 2025 03:01:41.477149963 CET	58110	13566	192.168.2.13	83.222.114.36
Jan 19, 2025 03:01:41.478458881 CET	13566	45080	83.222.95.90	192.168.2.13
Jan 19, 2025 03:01:41.478928089 CET	45080	13566	192.168.2.13	83.222.95.90
Jan 19, 2025 03:01:41.480338097 CET	13566	33372	83.222.30.91	192.168.2.13
Jan 19, 2025 03:01:41.480395079 CET	33372	13566	192.168.2.13	83.222.30.91
Jan 19, 2025 03:01:41.482215881 CET	13566	58110	83.222.114.36	192.168.2.13
Jan 19, 2025 03:01:41.482264042 CET	58110	13566	192.168.2.13	83.222.114.36
Jan 19, 2025 03:01:41.488782883 CET	42858	13566	192.168.2.13	83.222.191.90
Jan 19, 2025 03:01:41.493720055 CET	13566	42858	83.222.191.90	192.168.2.13
Jan 19, 2025 03:01:41.493915081 CET	42858	13566	192.168.2.13	83.222.191.90
Jan 19, 2025 03:01:41.495269060 CET	42858	13566	192.168.2.13	83.222.191.90
Jan 19, 2025 03:01:41.500078917 CET	13566	42858	83.222.191.90	192.168.2.13
Jan 19, 2025 03:01:41.500137091 CET	42858	13566	192.168.2.13	83.222.191.90
Jan 19, 2025 03:01:41.504930973 CET	13566	42858	83.222.191.90	192.168.2.13
Jan 19, 2025 03:01:51.257222891 CET	48202	443	192.168.2.13	185.125.190.26
Jan 19, 2025 03:01:51.500493050 CET	42858	13566	192.168.2.13	83.222.191.90
Jan 19, 2025 03:01:51.505409956 CET	13566	42858	83.222.191.90	192.168.2.13
Jan 19, 2025 03:01:51.707825899 CET	13566	42858	83.222.191.90	192.168.2.13
Jan 19, 2025 03:01:51.708025932 CET	42858	13566	192.168.2.13	83.222.191.90
Jan 19, 2025 03:01:52.431551933 CET	13566	42858	83.222.191.90	192.168.2.13
Jan 19, 2025 03:01:52.431823969 CET	42858	13566	192.168.2.13	83.222.191.90
Jan 19, 2025 03:02:22.745238066 CET	48202	443	192.168.2.13	185.125.190.26
Jan 19, 2025 03:02:52.490492105 CET	42858	13566	192.168.2.13	83.222.191.90
Jan 19, 2025 03:02:52.498178959 CET	13566	42858	83.222.191.90	192.168.2.13
Jan 19, 2025 03:02:52.703161001 CET	13566	42858	83.222.191.90	192.168.2.13
Jan 19, 2025 03:02:52.703371048 CET	42858	13566	192.168.2.13	83.222.191.90
Jan 19, 2025 03:02:53.085557938 CET	13566	42858	83.222.191.90	192.168.2.13
Jan 19, 2025 03:02:53.085843086 CET	42858	13566	192.168.2.13	83.222.191.90

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 19, 2025 03:01:41.480676889 CET	46853	53	192.168.2.13	8.8.8.8
Jan 19, 2025 03:01:41.487687111 CET	53	46853	8.8.8.8	192.168.2.13

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 19, 2025 03:01:41.480676889 CET	192.168.2.13	8.8.8.8	0xfd72	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 19, 2025 03:01:41.487687111 CET	8.8.8.8	192.168.2.13	0xfd72	No error (0)	secure-network-rebirthltd.ru		83.222.191.90	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: loki.sh4.elf PID: 5433, Parent PID: 5356

General

Start time (UTC):	02:01:39
Start date (UTC):	19/01/2025
Path:	/tmp/loki.sh4.elf
Arguments:	/tmp/loki.sh4.elf
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

File Activities

File Opened

File Read

File Moved

Process Activities

Process Forked

Prctl Requested

Thread Sleep

System Activities

Query System Information (uname)

Network Activities

Socket Listening

Socket Connecting

Chronological Activities

Analysis Process: loki.sh4.elf PID: 5435, Parent PID: 5433

General

Start time (UTC):	02:01:40
Start date (UTC):	19/01/2025
Path:	/tmp/loki.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

File Activities

File Opened

File Read

Process Activities

Prctl Requested

Thread Sleep

Chronological Activities

Analysis Process: loki.sh4.elf PID: 5437, Parent PID: 5433

General

Start time (UTC):	02:01:40
Start date (UTC):	19/01/2025
Path:	/tmp/loki.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report loki.sh4.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: loki.sh4.elf PID: 5433, Parent PID: 5356

General

File Activities

File Opened

File Read

File Moved

Process Activities

Process Forked

Prctl Requested

Thread Sleep

System Activities

Query System Information (uname)

Network Activities

Socket Listening

Socket Connecting

Chronological Activities

Analysis Process: loki.sh4.elf PID: 5435, Parent PID: 5433

General

File Activities

File Opened

File Read

Process Activities

Linux Analysis Report
loki.sh4.elf