
Linux Analysis Report
Kloki.sh4.elf

Overview

General Information

Sample name: Kloki.sh4.elf
Analysis ID: 1594496
MD5: fe6d747aff69396231c579700d673775
SHA1: 5ecb9c6cc0ac382e97882a4a1164c8ee3895a783
SHA256: 649c8f52c7bc85fb0f997557bdd19d972230c99c141c8834796db07fb43d6878
Tags: elf, user-abuse_ch

Detection

Score: 60
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sample tries to kill multiple processes (SIGKILL)
Detected TCP or UDP traffic on non-standard ports
Found strings indicative of a multi-platform dropper
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Suricata IDS alerts with low severity for network traffic
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1594496
Start date and time: 2025-01-19 03:22:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 46s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: Kloki.sh4.elf
Detection: MAL
Classification: mal60.spre.linELF@0/0@1/0
Command: /tmp/Kloki.sh4.elf
PID: 5441
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
suka
Standard Error:

Process tree:
  • system is lnxubuntu20
  • sh (PID: 5449, Parent: 1588, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill
  • gsd-rfkill (PID: 5449, Parent: 1588, MD5: 88a16a3c0aba1759358c06215ecfb5cc) Arguments: /usr/libexec/gsd-rfkill
  • sh (PID: 5468, Parent: 1588, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/bin/gnome-shell
  • gnome-shell (PID: 5468, Parent: 1588, MD5: da7a257239677622fe4b3a65972c9e87) Arguments: /usr/bin/gnome-shell
  • sh (PID: 5470, Parent: 1588, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-print-notifications
  • sh (PID: 5471, Parent: 1588, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-sharing
  • gdm3 New Fork (PID: 5472, Parent: 1400)
  • Default (PID: 5472, Parent: 1400, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default
  • gdm3 New Fork (PID: 5475, Parent: 1400)
  • Default (PID: 5475, Parent: 1400, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default
  • systemd New Fork (PID: 5486, Parent: 1)
  • systemd-user-runtime-dir (PID: 5486, Parent: 1, MD5: d55f4b0847f88131dbcfb07435178e54) Arguments: /lib/systemd/systemd-user-runtime-dir stop 127
  • cleanup
No yara matches
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-19T03:22:59.888796+0100 | 2500034 | 2 | Misc Attack | 83.222.191.90 | 13566 | 192.168.2.13 | 42788 | TCP


AV Detection

Source: Kloki.sh4.elf; Avira: detected
Source: Kloki.sh4.elf; Virustotal: Detection: 24%
Source: Kloki.sh4.elf; String: ppid/proc/net/tcp/proc/self/exe/proc//status/fd//dev/null/dev/consolesocket05pkillkillkillallechowgetcurlpsbusyboxiptablesrebootshutdownhaltpoweroffinitsystemctltelinitcatgrepshashbashzshcshkshdashfish/proc/%d/exe
Source: global traffic; TCP traffic: 192.168.2.13 -> 64 hosts in 83.222.0.0/16, destination port 13566
Source: /tmp/Kloki.sh4.elf (PID: 5441); Socket: 127.0.0.1:14435
Source: Network traffic; Suricata IDS: 2500034 - Severity 2 - ET COMPROMISED Known Compromised or Hostile Host Traffic group 18 : 83.222.191.90:13566 -> 192.168.2.13:42788
Source: unknown; TCP traffic detected without corresponding DNS query to the 83.222.0.0/16 hosts contacted on port 13566
Source: global traffic; DNS traffic detected: DNS query: secure-network-rebirthltd.ru

System Summary

Source: /tmp/Kloki.sh4.elf (PID: 5447); SIGKILL sent to pids 914, 917, 936, 1691, 1866, 1881, 1884, 3069, 3246, 3442, 5427, 5443, 5449, 5468, 5470, 5471, 5472; result: successful
Source: Initial sample; String containing 'busybox' found: busybox
Source: Initial sample; String containing 'busybox' found: ppid/proc/net/tcp/proc/self/exe/proc//status/fd//dev/null/dev/consolesocket05pkillkillkillallechowgetcurlpsbusyboxiptablesrebootshutdownhaltpoweroffinitsystemctltelinitcatgrepshashbashzshcshkshdashfish/proc/%d/exe
Source: ELF static info symbol of initial sample; .symtab present: no
Source: classification engine; Classification label: mal60.spre.linELF@0/0@1/0
Source: /tmp/Kloki.sh4.elf (PID: 5441); Queries kernel information via 'uname'
Source: Kloki.sh4.elf, 5441.1.0000556df5e8f000.0000556df5f18000.rw-.sdmp, Kloki.sh4.elf, 5443.1.0000556df5e8f000.0000556df5ef2000.rw-.sdmp; Binary or memory string: mU5!/etc/qemu-binfmt/sh4
Source: Kloki.sh4.elf, 5441.1.00007fff7684f000.00007fff76870000.rw-.sdmp, Kloki.sh4.elf, 5443.1.00007fff7684f000.00007fff76870000.rw-.sdmp; Binary or memory string: /usr/bin/qemu-sh4
Source: Kloki.sh4.elf, 5441.1.00007fff7684f000.00007fff76870000.rw-.sdmp, Kloki.sh4.elf, 5443.1.00007fff7684f000.00007fff76870000.rw-.sdmp; Binary or memory string: x86_64/usr/bin/qemu-sh4/tmp/Kloki.sh4.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Kloki.sh4.elf
Source: Kloki.sh4.elf, 5441.1.0000556df5e8f000.0000556df5f18000.rw-.sdmp, Kloki.sh4.elf, 5443.1.0000556df5e8f000.0000556df5ef2000.rw-.sdmp; Binary or memory string: /etc/qemu-binfmt/sh4
MITRE ATT&CK matrix (techniques with hits, count in parentheses; unmarked matrix cells omitted):
  • Resource Development: Scripting (1)
  • Persistence: Scripting (1)
  • Discovery: Security Software Discovery (11)
  • Command and Control: Non-Standard Port (1), Non-Application Layer Protocol (1), Application Layer Protocol (1)
  • Impact: Service Stop (1)
No configs have been found
Behavior graph (ID 1594496; sample Kloki.sh4.elf; start date 19/01/2025; architecture LINUX; score 60):
  • Network: 83.222.126.103:13566 (source port 43014) and 83.222.127.151:13566 (source port 55960), TRI-AS TrueRecords Inc ES, Russian Federation, plus 62 other IPs or domains
  • Signatures at root: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file
  • Processes started at root: Kloki.sh4.elf; gnome-session-binary sh gsd-rfkill; gnome-session-binary sh gnome-shell; 5 other processes
  • Kloki.sh4.elf starts two child Kloki.sh4.elf processes; one of them starts a third, which triggers "Sample tries to kill multiple processes (SIGKILL)"
Source | Detection | Scanner | Label
Kloki.sh4.elf | 24% | Virustotal |
Kloki.sh4.elf | 100% | Avira | EXP/ELF.Mirai.W
No Antivirus matches


Name | IP | Active | Malicious | Antivirus Detection | Reputation
secure-network-rebirthltd.ru | 83.222.191.90 | true | false | | high
Contacted IPs (IP | Domain | Country | Flag | ASN | ASN Name | Malicious): 64 rows, all Malicious: false; only 83.222.191.90 carries a domain (secure-network-rebirthltd.ru), the rest are unknown.
Context (Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context): IP, domain and ASN matches against other Kloki/loki samples analysed earlier, all detected as malicious.
No context
No created / dropped files found
File type: ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
Entropy (8bit): 6.856830392608925
TrID:
  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: Kloki.sh4.elf
File size: 56'104 bytes
MD5: fe6d747aff69396231c579700d673775
SHA1: 5ecb9c6cc0ac382e97882a4a1164c8ee3895a783
SHA256: 649c8f52c7bc85fb0f997557bdd19d972230c99c141c8834796db07fb43d6878
SHA512: 6caf2c16283ce2fda7dd8d68d0f1fb155a161522dc55f1f3cef7ae543d882bafc1c587dbfc1ceff6c07c012fde23646530cb6b402a6c5bf0857b79653c8dbf65
SSDEEP: 768:Vaawtf7j0/ueoUHrD7uDLvWYCyw4ugQaCHCjsKrPJyaRolIASaCTe7pHfAkvHLI:VaawtftJCHyLulaGKrPJ1GlaaCTpkvL
TLSH: A5438D37C93A7E84D19996B4B8318E352B53E484C2531FBF06A5C66AA043DECF6053F6
File Content Preview: .ELF..............*.......@.4...........4. ...(...............@...@...........................A...A......4..........Q.td............................././"O.n........#.*@........#.*@L....o&O.n...l..............................././.../.a"O.!...n...a.b("...q.

ELF header

Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
Machine: <unknown>
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x4001a0
Flags: 0x9
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 3
Section Header Offset: 55704
Section Header Size: 40
Number of Section Headers: 10
Header String Table Index: 9
        Name       Type      Address   Offset  Size    EntSize  Flags  Flags Description  Link  Info  Align
                   NULL      0x0       0x0     0x0     0x0      0x0                       0     0     0
        .init      PROGBITS  0x400094  0x94    0x30    0x0      0x6    AX                 0     0     4
        .text      PROGBITS  0x4000e0  0xe0    0xc260  0x0      0x6    AX                 0     0     32
        .fini      PROGBITS  0x40c340  0xc340  0x24    0x0      0x6    AX                 0     0     4
        .rodata    PROGBITS  0x40c364  0xc364  0x1268  0x0      0x2    A                  0     0     4
        .ctors     PROGBITS  0x41d5d0  0xd5d0  0x8     0x0      0x3    WA                 0     0     4
        .dtors     PROGBITS  0x41d5d8  0xd5d8  0x8     0x0      0x3    WA                 0     0     4
        .data      PROGBITS  0x41d5e4  0xd5e4  0x374   0x0      0x3    WA                 0     0     4
        .bss       NOBITS    0x41d958  0xd958  0x3174  0x0      0x3    WA                 0     0     4
        .shstrtab  STRTAB    0x0       0xd958  0x3e    0x0      0x0                       0     0     1
        Type       Offset  Virtual Address  Physical Address  File Size  Memory Size  Entropy  Flags  Flags Description  Align    Prog Interpreter  Section Mappings
        LOAD       0x0     0x400000         0x400000          0xd5cc     0xd5cc       6.9117   0x5    R E                0x10000                    .init .text .fini .rodata
        LOAD       0xd5d0  0x41d5d0         0x41d5d0          0x388      0x34fc       2.8748   0x6    RW                 0x10000                    .ctors .dtors .data .bss
        GNU_STACK  0x0     0x0              0x0               0x0        0x0          0.0000   0x7    RWE                0x4


        Timestamp:2025-01-19T03:22:59.888796+0100
        SID:2500034
        Signature:ET COMPROMISED Known Compromised or Hostile Host Traffic group 18
        Severity:2
        Source IP:83.222.191.90
        Source Port:13566
        Dest IP:192.168.2.13
        Dest Port:42788
        Protocol:TCP
        • Total Packets: 149
        • 13566 undefined
        • 53 (DNS)
        Timestamp                            Source Port  Dest Port  Source IP     Dest IP
        Jan 19, 2025 03:22:59.873250961 CET  50912        53         192.168.2.13  8.8.8.8
        Jan 19, 2025 03:22:59.880356073 CET  53           50912      8.8.8.8       192.168.2.13

        DNS query
        Timestamp:Jan 19, 2025 03:22:59.873250961 CET
        Source IP:192.168.2.13
        Dest IP:8.8.8.8
        Trans ID:0x7fa6
        OP Code:Standard query (0)
        Name:secure-network-rebirthltd.ru
        Type:A (IP address)
        Class:IN (0x0001)
        DNS over HTTPS:false

        DNS answer
        Timestamp:Jan 19, 2025 03:22:59.880356073 CET
        Source IP:8.8.8.8
        Dest IP:192.168.2.13
        Trans ID:0x7fa6
        Reply Code:No error (0)
        Name:secure-network-rebirthltd.ru
        CName:
        Address:83.222.191.90
        Type:A (IP address)
        Class:IN (0x0001)
        DNS over HTTPS:false

        System Behavior

        Start time (UTC):02:22:58
        Start date (UTC):19/01/2025
        Path:/tmp/Kloki.sh4.elf
        Arguments:/tmp/Kloki.sh4.elf
        File size:4139976 bytes
        MD5 hash:8943e5f8f8c280467b4472c15ae93ba9

        Start time (UTC):02:22:58
        Start date (UTC):19/01/2025
        Path:/tmp/Kloki.sh4.elf
        Arguments:-
        File size:4139976 bytes
        MD5 hash:8943e5f8f8c280467b4472c15ae93ba9

        Start time (UTC):02:22:58
        Start date (UTC):19/01/2025
        Path:/tmp/Kloki.sh4.elf
        Arguments:-
        File size:4139976 bytes
        MD5 hash:8943e5f8f8c280467b4472c15ae93ba9

        Start time (UTC):02:22:58
        Start date (UTC):19/01/2025
        Path:/tmp/Kloki.sh4.elf
        Arguments:-
        File size:4139976 bytes
        MD5 hash:8943e5f8f8c280467b4472c15ae93ba9

        Start time (UTC):02:22:58
        Start date (UTC):19/01/2025
        Path:/usr/libexec/gnome-session-binary
        Arguments:-
        File size:334664 bytes
        MD5 hash:d9b90be4f7db60cb3c2d3da6a1d31bfb

        Start time (UTC):02:22:58
        Start date (UTC):19/01/2025
        Path:/bin/sh
        Arguments:/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill
        File size:129816 bytes
        MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

        Start time (UTC):02:22:58
        Start date (UTC):19/01/2025
        Path:/usr/libexec/gsd-rfkill
        Arguments:/usr/libexec/gsd-rfkill
        File size:51808 bytes
        MD5 hash:88a16a3c0aba1759358c06215ecfb5cc

        Start time (UTC):02:22:58
        Start date (UTC):19/01/2025
        Path:/usr/libexec/gnome-session-binary
        Arguments:-
        File size:334664 bytes
        MD5 hash:d9b90be4f7db60cb3c2d3da6a1d31bfb

        Start time (UTC):02:22:58
        Start date (UTC):19/01/2025
        Path:/bin/sh
        Arguments:/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/bin/gnome-shell
        File size:129816 bytes
        MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

        Start time (UTC):02:22:58
        Start date (UTC):19/01/2025
        Path:/usr/bin/gnome-shell
        Arguments:/usr/bin/gnome-shell
        File size:23168 bytes
        MD5 hash:da7a257239677622fe4b3a65972c9e87

        Start time (UTC):02:22:58
        Start date (UTC):19/01/2025
        Path:/usr/libexec/gnome-session-binary
        Arguments:-
        File size:334664 bytes
        MD5 hash:d9b90be4f7db60cb3c2d3da6a1d31bfb

        Start time (UTC):02:22:58
        Start date (UTC):19/01/2025
        Path:/bin/sh
        Arguments:/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-print-notifications
        File size:129816 bytes
        MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

        Start time (UTC):02:22:58
        Start date (UTC):19/01/2025
        Path:/usr/libexec/gnome-session-binary
        Arguments:-
        File size:334664 bytes
        MD5 hash:d9b90be4f7db60cb3c2d3da6a1d31bfb

        Start time (UTC):02:22:58
        Start date (UTC):19/01/2025
        Path:/bin/sh
        Arguments:/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-sharing
        File size:129816 bytes
        MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

        Start time (UTC):02:22:59
        Start date (UTC):19/01/2025
        Path:/usr/sbin/gdm3
        Arguments:-
        File size:453296 bytes
        MD5 hash:2492e2d8d34f9377e3e530a61a15674f

        Start time (UTC):02:22:59
        Start date (UTC):19/01/2025
        Path:/etc/gdm3/PrimeOff/Default
        Arguments:/etc/gdm3/PrimeOff/Default
        File size:129816 bytes
        MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

        Start time (UTC):02:22:59
        Start date (UTC):19/01/2025
        Path:/usr/sbin/gdm3
        Arguments:-
        File size:453296 bytes
        MD5 hash:2492e2d8d34f9377e3e530a61a15674f

        Start time (UTC):02:22:59
        Start date (UTC):19/01/2025
        Path:/etc/gdm3/PrimeOff/Default
        Arguments:/etc/gdm3/PrimeOff/Default
        File size:129816 bytes
        MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

        Start time (UTC):02:23:09
        Start date (UTC):19/01/2025
        Path:/usr/lib/systemd/systemd
        Arguments:-
        File size:1620224 bytes
        MD5 hash:9b2bec7092a40488108543f9334aab75

        Start time (UTC):02:23:09
        Start date (UTC):19/01/2025
        Path:/lib/systemd/systemd-user-runtime-dir
        Arguments:/lib/systemd/systemd-user-runtime-dir stop 127
        File size:22672 bytes
        MD5 hash:d55f4b0847f88131dbcfb07435178e54