Edit tour

Linux Analysis Report
Kloki.mips.elf

Overview

General Information

Sample name:	Kloki.mips.elf
Analysis ID:	1594497
MD5:	28e2ed00876520c9d7702cdb33281937
SHA1:	22c2d7c21f246b4a1021314a31c443763b2487b5
SHA256:	358fe1f21475d8c341f57165fe6d95f10d54128765a3b9a6c6fd67889c6585ce
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Sample tries to kill multiple processes (SIGKILL)

Detected TCP or UDP traffic on non-standard ports

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Suricata IDS alerts with low severity for network traffic

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1594497
Start date and time:	2025-01-19 03:27:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	Kloki.mips.elf
Detection:	MAL
Classification:	mal52.spre.linELF@0/0@1/0

Runtime Messages

Command:	/tmp/Kloki.mips.elf
PID:	6263
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	suka
Standard Error:

Process Tree

system is lnxubuntu20

Kloki.mips.elf (PID: 6263, Parent: 6185, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/Kloki.mips.elf

Kloki.mips.elf New Fork (PID: 6265, Parent: 6263)

Kloki.mips.elf New Fork (PID: 6267, Parent: 6263)

Kloki.mips.elf New Fork (PID: 6269, Parent: 6267)

gnome-session-binary New Fork (PID: 6288, Parent: 1477)

sh (PID: 6288, Parent: 1477, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-sharing

gsd-sharing (PID: 6288, Parent: 1477, MD5: e29d9025d98590fbb69f89fdbd4438b3) Arguments: /usr/libexec/gsd-sharing

gnome-session-binary New Fork (PID: 6291, Parent: 1477)

sh (PID: 6291, Parent: 1477, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/bin/gnome-shell

gnome-shell (PID: 6291, Parent: 1477, MD5: da7a257239677622fe4b3a65972c9e87) Arguments: /usr/bin/gnome-shell

gnome-session-binary New Fork (PID: 6292, Parent: 1477)

sh (PID: 6292, Parent: 1477, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-print-notifications

gnome-session-binary New Fork (PID: 6293, Parent: 1477)

sh (PID: 6293, Parent: 1477, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill

gdm3 New Fork (PID: 6296, Parent: 1320)

Default (PID: 6296, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

gdm3 New Fork (PID: 6300, Parent: 1320)

Default (PID: 6300, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

cleanup

Suricata Signatures

ET COMPROMISED Known Compromised or Hostile Host Traffic group 18

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-19T03:27:55.358286+0100	2500034	2	Misc Attack	83.222.191.90	13566	192.168.2.23	42704	TCP

Joe Sandbox Signatures

• AV Detection
• Spreading
• Networking
• System Summary
• Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Kloki.mips.elf

Avira: detected

Source: Kloki.mips.elf

String: ppid/proc/net/tcp/proc/self/exe/proc//status/fd//dev/null/dev/consolesocket05/proc/%d/exepkillkillkillallechowgetcurlpsbusyboxiptablesrebootshutdownhaltpoweroffinitsystemctltelinitcatgrepshashbashzshcshkshdashfish

Source: global traffic	TCP traffic: 192.168.2.23:38010 -> 83.222.73.156:13566
Source: global traffic	TCP traffic: 192.168.2.23:35448 -> 83.222.29.148:13566
Source: global traffic	TCP traffic: 192.168.2.23:43048 -> 83.222.232.116:13566
Source: global traffic	TCP traffic: 192.168.2.23:59724 -> 83.222.227.66:13566
Source: global traffic	TCP traffic: 192.168.2.23:58464 -> 83.222.231.200:13566
Source: global traffic	TCP traffic: 192.168.2.23:51842 -> 83.222.213.18:13566
Source: global traffic	TCP traffic: 192.168.2.23:55128 -> 83.222.149.108:13566
Source: global traffic	TCP traffic: 192.168.2.23:51722 -> 83.222.23.247:13566
Source: global traffic	TCP traffic: 192.168.2.23:56410 -> 83.222.125.239:13566
Source: global traffic	TCP traffic: 192.168.2.23:43358 -> 83.222.227.120:13566
Source: global traffic	TCP traffic: 192.168.2.23:47306 -> 83.222.85.122:13566
Source: global traffic	TCP traffic: 192.168.2.23:40874 -> 83.222.238.39:13566
Source: global traffic	TCP traffic: 192.168.2.23:45044 -> 83.222.97.82:13566
Source: global traffic	TCP traffic: 192.168.2.23:55692 -> 83.222.67.148:13566
Source: global traffic	TCP traffic: 192.168.2.23:39430 -> 83.222.33.17:13566
Source: global traffic	TCP traffic: 192.168.2.23:36654 -> 83.222.187.106:13566
Source: global traffic	TCP traffic: 192.168.2.23:44728 -> 83.222.174.216:13566
Source: global traffic	TCP traffic: 192.168.2.23:33390 -> 83.222.254.150:13566
Source: global traffic	TCP traffic: 192.168.2.23:44082 -> 83.222.77.226:13566
Source: global traffic	TCP traffic: 192.168.2.23:52670 -> 83.222.216.52:13566
Source: global traffic	TCP traffic: 192.168.2.23:35988 -> 83.222.170.174:13566
Source: global traffic	TCP traffic: 192.168.2.23:39292 -> 83.222.70.63:13566
Source: global traffic	TCP traffic: 192.168.2.23:35394 -> 83.222.26.93:13566
Source: global traffic	TCP traffic: 192.168.2.23:44962 -> 83.222.54.151:13566
Source: global traffic	TCP traffic: 192.168.2.23:38068 -> 83.222.77.26:13566
Source: global traffic	TCP traffic: 192.168.2.23:41272 -> 83.222.15.162:13566
Source: global traffic	TCP traffic: 192.168.2.23:44216 -> 83.222.148.253:13566
Source: global traffic	TCP traffic: 192.168.2.23:43272 -> 83.222.202.245:13566
Source: global traffic	TCP traffic: 192.168.2.23:52052 -> 83.222.80.13:13566
Source: global traffic	TCP traffic: 192.168.2.23:56430 -> 83.222.137.113:13566
Source: global traffic	TCP traffic: 192.168.2.23:48916 -> 83.222.31.69:13566
Source: global traffic	TCP traffic: 192.168.2.23:45534 -> 83.222.220.205:13566
Source: global traffic	TCP traffic: 192.168.2.23:38438 -> 83.222.29.218:13566
Source: global traffic	TCP traffic: 192.168.2.23:37204 -> 83.222.99.106:13566
Source: global traffic	TCP traffic: 192.168.2.23:36036 -> 83.222.188.59:13566
Source: global traffic	TCP traffic: 192.168.2.23:52846 -> 83.222.159.102:13566
Source: global traffic	TCP traffic: 192.168.2.23:38096 -> 83.222.233.229:13566
Source: global traffic	TCP traffic: 192.168.2.23:36394 -> 83.222.166.4:13566
Source: global traffic	TCP traffic: 192.168.2.23:54314 -> 83.222.67.220:13566
Source: global traffic	TCP traffic: 192.168.2.23:56780 -> 83.222.155.144:13566
Source: global traffic	TCP traffic: 192.168.2.23:52488 -> 83.222.246.171:13566
Source: global traffic	TCP traffic: 192.168.2.23:49912 -> 83.222.50.139:13566
Source: global traffic	TCP traffic: 192.168.2.23:54740 -> 83.222.168.252:13566
Source: global traffic	TCP traffic: 192.168.2.23:35036 -> 83.222.128.248:13566
Source: global traffic	TCP traffic: 192.168.2.23:60936 -> 83.222.10.10:13566
Source: global traffic	TCP traffic: 192.168.2.23:46146 -> 83.222.106.41:13566
Source: global traffic	TCP traffic: 192.168.2.23:39108 -> 83.222.79.70:13566
Source: global traffic	TCP traffic: 192.168.2.23:59812 -> 83.222.246.108:13566
Source: global traffic	TCP traffic: 192.168.2.23:53456 -> 83.222.32.89:13566
Source: global traffic	TCP traffic: 192.168.2.23:52708 -> 83.222.215.221:13566
Source: global traffic	TCP traffic: 192.168.2.23:45660 -> 83.222.148.118:13566
Source: global traffic	TCP traffic: 192.168.2.23:43522 -> 83.222.67.126:13566
Source: global traffic	TCP traffic: 192.168.2.23:50950 -> 83.222.91.233:13566
Source: global traffic	TCP traffic: 192.168.2.23:47456 -> 83.222.130.158:13566
Source: global traffic	TCP traffic: 192.168.2.23:46172 -> 83.222.198.29:13566
Source: global traffic	TCP traffic: 192.168.2.23:54904 -> 83.222.46.188:13566
Source: global traffic	TCP traffic: 192.168.2.23:39716 -> 83.222.200.97:13566
Source: global traffic	TCP traffic: 192.168.2.23:34138 -> 83.222.71.113:13566
Source: global traffic	TCP traffic: 192.168.2.23:40854 -> 83.222.93.200:13566
Source: global traffic	TCP traffic: 192.168.2.23:43522 -> 83.222.105.103:13566
Source: global traffic	TCP traffic: 192.168.2.23:33120 -> 83.222.210.211:13566
Source: global traffic	TCP traffic: 192.168.2.23:58736 -> 83.222.144.33:13566
Source: global traffic	TCP traffic: 192.168.2.23:52696 -> 83.222.25.134:13566
Source: global traffic	TCP traffic: 192.168.2.23:41286 -> 83.222.141.58:13566
Source: global traffic	TCP traffic: 192.168.2.23:45866 -> 83.222.223.100:13566
Source: global traffic	TCP traffic: 192.168.2.23:50226 -> 83.222.23.116:13566
Source: global traffic	TCP traffic: 192.168.2.23:57156 -> 83.222.218.90:13566
Source: global traffic	TCP traffic: 192.168.2.23:44978 -> 83.222.242.54:13566
Source: global traffic	TCP traffic: 192.168.2.23:50174 -> 83.222.68.116:13566
Source: global traffic	TCP traffic: 192.168.2.23:58060 -> 83.222.212.10:13566
Source: global traffic	TCP traffic: 192.168.2.23:46388 -> 83.222.145.3:13566
Source: global traffic	TCP traffic: 192.168.2.23:41150 -> 83.222.198.90:13566
Source: global traffic	TCP traffic: 192.168.2.23:37532 -> 83.222.100.14:13566
Source: global traffic	TCP traffic: 192.168.2.23:49482 -> 83.222.203.193:13566
Source: global traffic	TCP traffic: 192.168.2.23:52928 -> 83.222.214.52:13566
Source: global traffic	TCP traffic: 192.168.2.23:44858 -> 83.222.41.168:13566
Source: global traffic	TCP traffic: 192.168.2.23:54258 -> 83.222.8.185:13566
Source: global traffic	TCP traffic: 192.168.2.23:42704 -> 83.222.191.90:13566

Source: /tmp/Kloki.mips.elf (PID: 6263)

Socket: 127.0.0.1:14435

Jump to behavior

Source: Network traffic

Suricata IDS: 2500034 - Severity 2 - ET COMPROMISED Known Compromised or Hostile Host Traffic group 18 : 83.222.191.90:13566 -> 192.168.2.23:42704

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.73.156
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.73.156
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.73.156
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.29.148
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.73.156
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.29.148
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.29.148
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.29.148
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.232.116
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.227.66
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.231.200
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.232.116
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.227.66
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.213.18
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.149.108
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.231.200
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.213.18
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.23.247
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.149.108
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.125.239
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.23.247
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.227.120
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.125.239
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.85.122
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.227.120
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.85.122
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.238.39
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.97.82
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.238.39
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.97.82
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.97.82
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.67.148
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.97.82
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.67.148
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.67.148
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.33.17
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.67.148
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.33.17
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.187.106
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.174.216
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.187.106
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.174.216
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.254.150
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.254.150
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.77.226
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.77.226
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.216.52
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.170.174
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.216.52

Source: global traffic

DNS traffic detected: DNS query: secure-network-rebirthltd.ru

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Sample tries to kill multiple processes (SIGKILL)

Source: /tmp/Kloki.mips.elf (PID: 6269)	SIGKILL sent: pid: 904, result: successful	Jump to behavior
Source: /tmp/Kloki.mips.elf (PID: 6269)	SIGKILL sent: pid: 912, result: successful	Jump to behavior
Source: /tmp/Kloki.mips.elf (PID: 6269)	SIGKILL sent: pid: 918, result: successful	Jump to behavior
Source: /tmp/Kloki.mips.elf (PID: 6269)	SIGKILL sent: pid: 936, result: successful	Jump to behavior
Source: /tmp/Kloki.mips.elf (PID: 6269)	SIGKILL sent: pid: 1532, result: successful	Jump to behavior
Source: /tmp/Kloki.mips.elf (PID: 6269)	SIGKILL sent: pid: 1622, result: successful	Jump to behavior
Source: /tmp/Kloki.mips.elf (PID: 6269)	SIGKILL sent: pid: 1633, result: successful	Jump to behavior
Source: /tmp/Kloki.mips.elf (PID: 6269)	SIGKILL sent: pid: 1638, result: successful	Jump to behavior
Source: /tmp/Kloki.mips.elf (PID: 6269)	SIGKILL sent: pid: 1983, result: successful	Jump to behavior
Source: /tmp/Kloki.mips.elf (PID: 6269)	SIGKILL sent: pid: 2146, result: successful	Jump to behavior
Source: /tmp/Kloki.mips.elf (PID: 6269)	SIGKILL sent: pid: 2302, result: successful	Jump to behavior
Source: /tmp/Kloki.mips.elf (PID: 6269)	SIGKILL sent: pid: 6244, result: successful	Jump to behavior
Source: /tmp/Kloki.mips.elf (PID: 6269)	SIGKILL sent: pid: 6288, result: successful	Jump to behavior
Source: /tmp/Kloki.mips.elf (PID: 6269)	SIGKILL sent: pid: 6291, result: successful	Jump to behavior
Source: /tmp/Kloki.mips.elf (PID: 6269)	SIGKILL sent: pid: 6292, result: successful	Jump to behavior
Source: /tmp/Kloki.mips.elf (PID: 6269)	SIGKILL sent: pid: 6293, result: successful	Jump to behavior
Source: /tmp/Kloki.mips.elf (PID: 6269)	SIGKILL sent: pid: 6296, result: no such process	Jump to behavior

Source: Initial sample	String containing 'busybox' found: busybox
Source: Initial sample	String containing 'busybox' found: ppid/proc/net/tcp/proc/self/exe/proc//status/fd//dev/null/dev/consolesocket05/proc/%d/exepkillkillkillallechowgetcurlpsbusyboxiptablesrebootshutdownhaltpoweroffinitsystemctltelinitcatgrepshashbashzshcshkshdashfish

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/Kloki.mips.elf (PID: 6269)	SIGKILL sent: pid: 904, result: successful	Jump to behavior
Source: /tmp/Kloki.mips.elf (PID: 6269)	SIGKILL sent: pid: 912, result: successful	Jump to behavior
Source: /tmp/Kloki.mips.elf (PID: 6269)	SIGKILL sent: pid: 918, result: successful	Jump to behavior
Source: /tmp/Kloki.mips.elf (PID: 6269)	SIGKILL sent: pid: 936, result: successful	Jump to behavior
Source: /tmp/Kloki.mips.elf (PID: 6269)	SIGKILL sent: pid: 1532, result: successful	Jump to behavior
Source: /tmp/Kloki.mips.elf (PID: 6269)	SIGKILL sent: pid: 1622, result: successful	Jump to behavior
Source: /tmp/Kloki.mips.elf (PID: 6269)	SIGKILL sent: pid: 1633, result: successful	Jump to behavior
Source: /tmp/Kloki.mips.elf (PID: 6269)	SIGKILL sent: pid: 1638, result: successful	Jump to behavior
Source: /tmp/Kloki.mips.elf (PID: 6269)	SIGKILL sent: pid: 1983, result: successful	Jump to behavior
Source: /tmp/Kloki.mips.elf (PID: 6269)	SIGKILL sent: pid: 2146, result: successful	Jump to behavior
Source: /tmp/Kloki.mips.elf (PID: 6269)	SIGKILL sent: pid: 2302, result: successful	Jump to behavior
Source: /tmp/Kloki.mips.elf (PID: 6269)	SIGKILL sent: pid: 6244, result: successful	Jump to behavior
Source: /tmp/Kloki.mips.elf (PID: 6269)	SIGKILL sent: pid: 6288, result: successful	Jump to behavior
Source: /tmp/Kloki.mips.elf (PID: 6269)	SIGKILL sent: pid: 6291, result: successful	Jump to behavior
Source: /tmp/Kloki.mips.elf (PID: 6269)	SIGKILL sent: pid: 6292, result: successful	Jump to behavior
Source: /tmp/Kloki.mips.elf (PID: 6269)	SIGKILL sent: pid: 6293, result: successful	Jump to behavior
Source: /tmp/Kloki.mips.elf (PID: 6269)	SIGKILL sent: pid: 6296, result: no such process	Jump to behavior

Source: classification engine

Classification label: mal52.spre.linELF@0/0@1/0

Source: /tmp/Kloki.mips.elf (PID: 6263)

Queries kernel information via 'uname':

Jump to behavior

Source: Kloki.mips.elf, 6263.1.00007ffd2c62a000.00007ffd2c64b000.rw-.sdmp, Kloki.mips.elf, 6265.1.00007ffd2c62a000.00007ffd2c64b000.rw-.sdmp	Binary or memory string: @x86_64/usr/bin/qemu-mips/tmp/Kloki.mips.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Kloki.mips.elf
Source: Kloki.mips.elf, 6263.1.0000564531825000.00005645318cd000.rw-.sdmp, Kloki.mips.elf, 6265.1.0000564531825000.00005645318ac000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mips
Source: Kloki.mips.elf, 6263.1.00007ffd2c62a000.00007ffd2c64b000.rw-.sdmp, Kloki.mips.elf, 6265.1.00007ffd2c62a000.00007ffd2c64b000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips
Source: Kloki.mips.elf, 6263.1.0000564531825000.00005645318cd000.rw-.sdmp, Kloki.mips.elf, 6265.1.0000564531825000.00005645318ac000.rw-.sdmp	Binary or memory string: 1EV!/etc/qemu-binfmt/mips

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	Path Interception	Direct Volume Access	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 Service Stop
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Kloki.mips.elf	100%	Avira	EXP/ELF.Mirai.W

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
secure-network-rebirthltd.ru	83.222.191.90	true	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
83.222.213.18	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.246.171	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.100.14	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.238.39	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.227.66	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.223.100	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.144.33	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.198.90	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.50.139	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.227.120	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.188.59	unknown	Bulgaria	43561	NET1-ASBG	false
83.222.32.89	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.26.93	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.187.106	unknown	Bulgaria	43561	NET1-ASBG	false
83.222.33.17	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.242.54	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.71.113	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.54.151	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.77.226	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.215.221	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.202.245	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.137.113	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.8.185	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false
83.222.67.126	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.29.148	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.10.10	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.41.168	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.125.239	unknown	Russian Federation	47328	TRI-ASTrueRecordsIncES	false
83.222.46.188	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.106.41	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.220.205	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.159.102	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.166.4	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.216.52	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.148.253	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.80.13	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.97.82	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.130.158	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.141.58	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.79.70	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.212.10	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.254.150	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.198.29	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.73.156	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.23.247	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.68.116	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.170.174	unknown	Bulgaria	49040	KIG-UNISAT-TVBG	false
83.222.29.218	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.145.3	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.231.200	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.155.144	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.203.193	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.218.90	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.70.63	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.99.106	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.91.233	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.85.122	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.23.116	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.105.103	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.67.148	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.15.162	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.67.220	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.168.252	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.191.90	secure-network-rebirthltd.ru	Bulgaria	43561	NET1-ASBG	false
83.222.200.97	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.148.118	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.210.211	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
83.222.233.229	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.77.26	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.93.200	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.25.134	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.246.108	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.214.52	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.149.108	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.31.69	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.174.216	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.232.116	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.128.248	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
83.222.246.171	Kloki.mpsl.elf	Get hash	malicious	Unknown	Browse
83.222.32.89	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse
83.222.26.93	Kloki.arm7.elf	Get hash	malicious	Mirai	Browse
91.189.91.43	loki.arm7.elf	Get hash	malicious	Mirai	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	loki.arc.elf	Get hash	malicious	Unknown	Browse
	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse
	Kloki.arm7.elf	Get hash	malicious	Mirai	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	ppc.elf	Get hash	malicious	Unknown	Browse
	arm.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	arm6.elf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
secure-network-rebirthltd.ru	Kloki.sh4.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	loki.arm7.elf	Get hash	malicious	Mirai	Browse	83.222.191.90
	Kloki.i486.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.ppc.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	loki.mpsl.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	loki.i486.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	loki.sh4.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	loki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	loki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.191.90

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
COGECO-PEER1CA	Kloki.sh4.elf	Get hash	malicious	Unknown	Browse	83.222.224.99
	loki.arm7.elf	Get hash	malicious	Mirai	Browse	83.222.247.103
	Kloki.i486.elf	Get hash	malicious	Unknown	Browse	83.222.224.152
	Kloki.ppc.elf	Get hash	malicious	Unknown	Browse	83.222.243.167
	loki.mpsl.elf	Get hash	malicious	Unknown	Browse	83.222.228.152
	loki.i486.elf	Get hash	malicious	Unknown	Browse	83.222.254.156
	loki.sh4.elf	Get hash	malicious	Unknown	Browse	83.222.233.216
	loki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.240.133
	loki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.243.125
	Kloki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.239.59
SONICDUO-ASRU	Kloki.sh4.elf	Get hash	malicious	Unknown	Browse	83.222.212.206
	loki.arm7.elf	Get hash	malicious	Mirai	Browse	83.222.215.159
	Kloki.i486.elf	Get hash	malicious	Unknown	Browse	83.222.219.231
	Kloki.ppc.elf	Get hash	malicious	Unknown	Browse	83.222.223.135
	loki.mpsl.elf	Get hash	malicious	Unknown	Browse	83.222.214.233
	loki.i486.elf	Get hash	malicious	Unknown	Browse	83.222.213.184
	loki.sh4.elf	Get hash	malicious	Unknown	Browse	83.222.218.90
	loki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.216.188
	loki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.219.136
	Kloki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.223.136
COGECO-PEER1CA	Kloki.sh4.elf	Get hash	malicious	Unknown	Browse	83.222.224.99
	loki.arm7.elf	Get hash	malicious	Mirai	Browse	83.222.247.103
	Kloki.i486.elf	Get hash	malicious	Unknown	Browse	83.222.224.152
	Kloki.ppc.elf	Get hash	malicious	Unknown	Browse	83.222.243.167
	loki.mpsl.elf	Get hash	malicious	Unknown	Browse	83.222.228.152
	loki.i486.elf	Get hash	malicious	Unknown	Browse	83.222.254.156
	loki.sh4.elf	Get hash	malicious	Unknown	Browse	83.222.233.216
	loki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.240.133
	loki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.243.125
	Kloki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.239.59
MNOGOBYTE-ASMoscowRussiaRU	Kloki.sh4.elf	Get hash	malicious	Unknown	Browse	83.222.118.158
	loki.arm7.elf	Get hash	malicious	Mirai	Browse	83.222.117.74
	Kloki.i486.elf	Get hash	malicious	Unknown	Browse	83.222.109.209
	Kloki.ppc.elf	Get hash	malicious	Unknown	Browse	83.222.102.176
	loki.mpsl.elf	Get hash	malicious	Unknown	Browse	83.222.115.205
	loki.i486.elf	Get hash	malicious	Unknown	Browse	83.222.114.114
	loki.sh4.elf	Get hash	malicious	Unknown	Browse	83.222.101.124
	loki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.98.5
	loki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.118.190
	Kloki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.115.165

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.522097915773244
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	Kloki.mips.elf
File size:	80'700 bytes
MD5:	28e2ed00876520c9d7702cdb33281937
SHA1:	22c2d7c21f246b4a1021314a31c443763b2487b5
SHA256:	358fe1f21475d8c341f57165fe6d95f10d54128765a3b9a6c6fd67889c6585ce
SHA512:	a127a7189b4b80ff8fd81bca868602500c5e366d6235e5f92af33272b225464329d7328321a314da0164e6f4454d014c482a5c7e58034c6ce0565405fb976eda
SSDEEP:	1536:SgezupKOUUj+/vzsx8gFRQHLQHLiiLu3BerXJ7dAeiXOHP:U2KOM/vzs7R8erXJ7dKOHP
TLSH:	F773E81A6E258FEDF768833447B78E21A79833D626E1D685E25CD6001E6034E641FFE8
File Content Preview:	.ELF.....................@.`...4..9......4. ...(.............@...@..../.../...............0..E0..E0.......:x........dt.Q............................<...'......!'.......................<...'......!... ....'9... ......................<...'..X...!........'9.

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x400260
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	80140
Section Header Size:	40
Number of Section Headers:	14
Header String Table Index:	13

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x8c	0x0	0x6	AX	4
.text	PROGBITS	0x400120	0x120	0x11a30	0x0	0x6	AX	16
.fini	PROGBITS	0x411b50	0x11b50	0x5c	0x0	0x6	AX	4
.rodata	PROGBITS	0x411bb0	0x11bb0	0x1400	0x0	0x2	A	16
.ctors	PROGBITS	0x453000	0x13000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x453008	0x13008	0x8	0x0	0x3	WA	4
.data.rel.ro	PROGBITS	0x453014	0x13014	0x74	0x0	0x3	WA	4
.data	PROGBITS	0x453090	0x13090	0x3c0	0x0	0x3	WA	16
.got	PROGBITS	0x453450	0x13450	0x458	0x4	0x10000003	WAp	16
.sbss	NOBITS	0x4538a8	0x138a8	0x1c	0x0	0x10000003	WAp	4
.bss	NOBITS	0x4538d0	0x138a8	0x31a8	0x0	0x3	WA	16
.mdebug.abi32	PROGBITS	0x9fc	0x138a8	0x0	0x0	0x0		1
.shstrtab	STRTAB	0x0	0x138a8	0x64	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x12fb0	0x12fb0	5.5492	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x13000	0x453000	0x453000	0x8a8	0x3a78	4.0384	0x6	RW	0x10000	.ctors .dtors .data.rel.ro .data .got .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Download Network PCAP: filtered – full

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-19T03:27:55.358286+0100	2500034	ET COMPROMISED Known Compromised or Hostile Host Traffic group 18	2	83.222.191.90	13566	192.168.2.23	42704	TCP

Network Port Distribution

Total Packets: 180
• 13566 undefined
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 19, 2025 03:27:53.536696911 CET	43928	443	192.168.2.23	91.189.91.42
Jan 19, 2025 03:27:54.910422087 CET	38010	13566	192.168.2.23	83.222.73.156
Jan 19, 2025 03:27:54.916722059 CET	13566	38010	83.222.73.156	192.168.2.23
Jan 19, 2025 03:27:54.916783094 CET	38010	13566	192.168.2.23	83.222.73.156
Jan 19, 2025 03:27:54.934442997 CET	38010	13566	192.168.2.23	83.222.73.156
Jan 19, 2025 03:27:54.938491106 CET	35448	13566	192.168.2.23	83.222.29.148
Jan 19, 2025 03:27:54.940746069 CET	13566	38010	83.222.73.156	192.168.2.23
Jan 19, 2025 03:27:54.940799952 CET	38010	13566	192.168.2.23	83.222.73.156
Jan 19, 2025 03:27:54.943767071 CET	13566	35448	83.222.29.148	192.168.2.23
Jan 19, 2025 03:27:54.943819046 CET	35448	13566	192.168.2.23	83.222.29.148
Jan 19, 2025 03:27:54.955193996 CET	35448	13566	192.168.2.23	83.222.29.148
Jan 19, 2025 03:27:54.961255074 CET	13566	35448	83.222.29.148	192.168.2.23
Jan 19, 2025 03:27:54.961343050 CET	35448	13566	192.168.2.23	83.222.29.148
Jan 19, 2025 03:27:54.976733923 CET	43048	13566	192.168.2.23	83.222.232.116
Jan 19, 2025 03:27:54.980217934 CET	59724	13566	192.168.2.23	83.222.227.66
Jan 19, 2025 03:27:54.982563019 CET	58464	13566	192.168.2.23	83.222.231.200
Jan 19, 2025 03:27:54.982759953 CET	13566	43048	83.222.232.116	192.168.2.23
Jan 19, 2025 03:27:54.982831001 CET	43048	13566	192.168.2.23	83.222.232.116
Jan 19, 2025 03:27:54.985141993 CET	13566	59724	83.222.227.66	192.168.2.23
Jan 19, 2025 03:27:54.985340118 CET	59724	13566	192.168.2.23	83.222.227.66
Jan 19, 2025 03:27:54.986067057 CET	51842	13566	192.168.2.23	83.222.213.18
Jan 19, 2025 03:27:54.989717007 CET	55128	13566	192.168.2.23	83.222.149.108
Jan 19, 2025 03:27:54.990504026 CET	13566	58464	83.222.231.200	192.168.2.23
Jan 19, 2025 03:27:54.990679979 CET	58464	13566	192.168.2.23	83.222.231.200
Jan 19, 2025 03:27:54.991799116 CET	13566	51842	83.222.213.18	192.168.2.23
Jan 19, 2025 03:27:54.991892099 CET	51842	13566	192.168.2.23	83.222.213.18
Jan 19, 2025 03:27:54.994257927 CET	51722	13566	192.168.2.23	83.222.23.247
Jan 19, 2025 03:27:54.995598078 CET	13566	55128	83.222.149.108	192.168.2.23
Jan 19, 2025 03:27:54.995659113 CET	55128	13566	192.168.2.23	83.222.149.108
Jan 19, 2025 03:27:54.998481989 CET	56410	13566	192.168.2.23	83.222.125.239
Jan 19, 2025 03:27:55.000142097 CET	13566	51722	83.222.23.247	192.168.2.23
Jan 19, 2025 03:27:55.000206947 CET	51722	13566	192.168.2.23	83.222.23.247
Jan 19, 2025 03:27:55.003470898 CET	43358	13566	192.168.2.23	83.222.227.120
Jan 19, 2025 03:27:55.004322052 CET	13566	56410	83.222.125.239	192.168.2.23
Jan 19, 2025 03:27:55.004394054 CET	56410	13566	192.168.2.23	83.222.125.239
Jan 19, 2025 03:27:55.008368969 CET	47306	13566	192.168.2.23	83.222.85.122
Jan 19, 2025 03:27:55.009536028 CET	13566	43358	83.222.227.120	192.168.2.23
Jan 19, 2025 03:27:55.009601116 CET	43358	13566	192.168.2.23	83.222.227.120
Jan 19, 2025 03:27:55.014250994 CET	13566	47306	83.222.85.122	192.168.2.23
Jan 19, 2025 03:27:55.014298916 CET	47306	13566	192.168.2.23	83.222.85.122
Jan 19, 2025 03:27:55.014915943 CET	40874	13566	192.168.2.23	83.222.238.39
Jan 19, 2025 03:27:55.018975973 CET	45044	13566	192.168.2.23	83.222.97.82
Jan 19, 2025 03:27:55.020828962 CET	13566	40874	83.222.238.39	192.168.2.23
Jan 19, 2025 03:27:55.021009922 CET	40874	13566	192.168.2.23	83.222.238.39
Jan 19, 2025 03:27:55.023966074 CET	13566	45044	83.222.97.82	192.168.2.23
Jan 19, 2025 03:27:55.024025917 CET	45044	13566	192.168.2.23	83.222.97.82
Jan 19, 2025 03:27:55.026216984 CET	45044	13566	192.168.2.23	83.222.97.82
Jan 19, 2025 03:27:55.029082060 CET	55692	13566	192.168.2.23	83.222.67.148
Jan 19, 2025 03:27:55.031917095 CET	13566	45044	83.222.97.82	192.168.2.23
Jan 19, 2025 03:27:55.031999111 CET	45044	13566	192.168.2.23	83.222.97.82
Jan 19, 2025 03:27:55.035008907 CET	13566	55692	83.222.67.148	192.168.2.23
Jan 19, 2025 03:27:55.035074949 CET	55692	13566	192.168.2.23	83.222.67.148
Jan 19, 2025 03:27:55.050096989 CET	55692	13566	192.168.2.23	83.222.67.148
Jan 19, 2025 03:27:55.050508022 CET	39430	13566	192.168.2.23	83.222.33.17
Jan 19, 2025 03:27:55.054944038 CET	13566	55692	83.222.67.148	192.168.2.23
Jan 19, 2025 03:27:55.055015087 CET	55692	13566	192.168.2.23	83.222.67.148
Jan 19, 2025 03:27:55.055310011 CET	13566	39430	83.222.33.17	192.168.2.23
Jan 19, 2025 03:27:55.055380106 CET	39430	13566	192.168.2.23	83.222.33.17
Jan 19, 2025 03:27:55.066498041 CET	36654	13566	192.168.2.23	83.222.187.106
Jan 19, 2025 03:27:55.067120075 CET	44728	13566	192.168.2.23	83.222.174.216
Jan 19, 2025 03:27:55.071391106 CET	13566	36654	83.222.187.106	192.168.2.23
Jan 19, 2025 03:27:55.071449041 CET	36654	13566	192.168.2.23	83.222.187.106
Jan 19, 2025 03:27:55.071892023 CET	13566	44728	83.222.174.216	192.168.2.23
Jan 19, 2025 03:27:55.071943998 CET	44728	13566	192.168.2.23	83.222.174.216
Jan 19, 2025 03:27:55.088388920 CET	33390	13566	192.168.2.23	83.222.254.150
Jan 19, 2025 03:27:55.093275070 CET	13566	33390	83.222.254.150	192.168.2.23
Jan 19, 2025 03:27:55.093334913 CET	33390	13566	192.168.2.23	83.222.254.150
Jan 19, 2025 03:27:55.094767094 CET	44082	13566	192.168.2.23	83.222.77.226
Jan 19, 2025 03:27:55.099564075 CET	13566	44082	83.222.77.226	192.168.2.23
Jan 19, 2025 03:27:55.099623919 CET	44082	13566	192.168.2.23	83.222.77.226
Jan 19, 2025 03:27:55.112695932 CET	52670	13566	192.168.2.23	83.222.216.52
Jan 19, 2025 03:27:55.117144108 CET	35988	13566	192.168.2.23	83.222.170.174
Jan 19, 2025 03:27:55.117583036 CET	13566	52670	83.222.216.52	192.168.2.23
Jan 19, 2025 03:27:55.117634058 CET	52670	13566	192.168.2.23	83.222.216.52
Jan 19, 2025 03:27:55.122049093 CET	13566	35988	83.222.170.174	192.168.2.23
Jan 19, 2025 03:27:55.122097969 CET	35988	13566	192.168.2.23	83.222.170.174
Jan 19, 2025 03:27:55.136037111 CET	39292	13566	192.168.2.23	83.222.70.63
Jan 19, 2025 03:27:55.140933037 CET	13566	39292	83.222.70.63	192.168.2.23
Jan 19, 2025 03:27:55.140990973 CET	39292	13566	192.168.2.23	83.222.70.63
Jan 19, 2025 03:27:55.141216993 CET	35394	13566	192.168.2.23	83.222.26.93
Jan 19, 2025 03:27:55.146159887 CET	44962	13566	192.168.2.23	83.222.54.151
Jan 19, 2025 03:27:55.146639109 CET	13566	35394	83.222.26.93	192.168.2.23
Jan 19, 2025 03:27:55.146688938 CET	35394	13566	192.168.2.23	83.222.26.93
Jan 19, 2025 03:27:55.150398970 CET	38068	13566	192.168.2.23	83.222.77.26
Jan 19, 2025 03:27:55.151576996 CET	13566	44962	83.222.54.151	192.168.2.23
Jan 19, 2025 03:27:55.151650906 CET	44962	13566	192.168.2.23	83.222.54.151
Jan 19, 2025 03:27:55.155114889 CET	41272	13566	192.168.2.23	83.222.15.162
Jan 19, 2025 03:27:55.155978918 CET	13566	38068	83.222.77.26	192.168.2.23
Jan 19, 2025 03:27:55.156043053 CET	38068	13566	192.168.2.23	83.222.77.26
Jan 19, 2025 03:27:55.157968044 CET	44216	13566	192.168.2.23	83.222.148.253
Jan 19, 2025 03:27:55.160041094 CET	13566	41272	83.222.15.162	192.168.2.23
Jan 19, 2025 03:27:55.160099983 CET	41272	13566	192.168.2.23	83.222.15.162
Jan 19, 2025 03:27:55.162441015 CET	43272	13566	192.168.2.23	83.222.202.245
Jan 19, 2025 03:27:55.162779093 CET	13566	44216	83.222.148.253	192.168.2.23
Jan 19, 2025 03:27:55.162833929 CET	44216	13566	192.168.2.23	83.222.148.253
Jan 19, 2025 03:27:55.165754080 CET	52052	13566	192.168.2.23	83.222.80.13
Jan 19, 2025 03:27:55.167345047 CET	13566	43272	83.222.202.245	192.168.2.23
Jan 19, 2025 03:27:55.167396069 CET	43272	13566	192.168.2.23	83.222.202.245
Jan 19, 2025 03:27:55.170408964 CET	56430	13566	192.168.2.23	83.222.137.113
Jan 19, 2025 03:27:55.170566082 CET	13566	52052	83.222.80.13	192.168.2.23
Jan 19, 2025 03:27:55.170605898 CET	52052	13566	192.168.2.23	83.222.80.13
Jan 19, 2025 03:27:55.173605919 CET	48916	13566	192.168.2.23	83.222.31.69
Jan 19, 2025 03:27:55.175231934 CET	13566	56430	83.222.137.113	192.168.2.23
Jan 19, 2025 03:27:55.175287962 CET	56430	13566	192.168.2.23	83.222.137.113
Jan 19, 2025 03:27:55.177014112 CET	45534	13566	192.168.2.23	83.222.220.205
Jan 19, 2025 03:27:55.178047895 CET	38438	13566	192.168.2.23	83.222.29.218
Jan 19, 2025 03:27:55.178491116 CET	13566	48916	83.222.31.69	192.168.2.23
Jan 19, 2025 03:27:55.178544998 CET	48916	13566	192.168.2.23	83.222.31.69
Jan 19, 2025 03:27:55.181870937 CET	13566	45534	83.222.220.205	192.168.2.23
Jan 19, 2025 03:27:55.181931019 CET	45534	13566	192.168.2.23	83.222.220.205
Jan 19, 2025 03:27:55.182260036 CET	37204	13566	192.168.2.23	83.222.99.106
Jan 19, 2025 03:27:55.182863951 CET	13566	38438	83.222.29.218	192.168.2.23
Jan 19, 2025 03:27:55.182914019 CET	38438	13566	192.168.2.23	83.222.29.218
Jan 19, 2025 03:27:55.184006929 CET	36036	13566	192.168.2.23	83.222.188.59
Jan 19, 2025 03:27:55.185563087 CET	52846	13566	192.168.2.23	83.222.159.102
Jan 19, 2025 03:27:55.186418056 CET	38096	13566	192.168.2.23	83.222.233.229
Jan 19, 2025 03:27:55.187079906 CET	13566	37204	83.222.99.106	192.168.2.23
Jan 19, 2025 03:27:55.187134981 CET	37204	13566	192.168.2.23	83.222.99.106
Jan 19, 2025 03:27:55.187634945 CET	36394	13566	192.168.2.23	83.222.166.4
Jan 19, 2025 03:27:55.188529968 CET	54314	13566	192.168.2.23	83.222.67.220
Jan 19, 2025 03:27:55.188805103 CET	13566	36036	83.222.188.59	192.168.2.23
Jan 19, 2025 03:27:55.188852072 CET	36036	13566	192.168.2.23	83.222.188.59
Jan 19, 2025 03:27:55.189146996 CET	56780	13566	192.168.2.23	83.222.155.144
Jan 19, 2025 03:27:55.189760923 CET	52488	13566	192.168.2.23	83.222.246.171
Jan 19, 2025 03:27:55.190387964 CET	13566	52846	83.222.159.102	192.168.2.23
Jan 19, 2025 03:27:55.190432072 CET	52846	13566	192.168.2.23	83.222.159.102
Jan 19, 2025 03:27:55.191211939 CET	13566	38096	83.222.233.229	192.168.2.23
Jan 19, 2025 03:27:55.191265106 CET	38096	13566	192.168.2.23	83.222.233.229
Jan 19, 2025 03:27:55.191948891 CET	49912	13566	192.168.2.23	83.222.50.139
Jan 19, 2025 03:27:55.192473888 CET	13566	36394	83.222.166.4	192.168.2.23
Jan 19, 2025 03:27:55.192526102 CET	36394	13566	192.168.2.23	83.222.166.4
Jan 19, 2025 03:27:55.193304062 CET	13566	54314	83.222.67.220	192.168.2.23
Jan 19, 2025 03:27:55.193353891 CET	54314	13566	192.168.2.23	83.222.67.220
Jan 19, 2025 03:27:55.193949938 CET	13566	56780	83.222.155.144	192.168.2.23
Jan 19, 2025 03:27:55.193991899 CET	56780	13566	192.168.2.23	83.222.155.144
Jan 19, 2025 03:27:55.194084883 CET	54740	13566	192.168.2.23	83.222.168.252
Jan 19, 2025 03:27:55.194550991 CET	13566	52488	83.222.246.171	192.168.2.23
Jan 19, 2025 03:27:55.194598913 CET	52488	13566	192.168.2.23	83.222.246.171
Jan 19, 2025 03:27:55.196789980 CET	13566	49912	83.222.50.139	192.168.2.23
Jan 19, 2025 03:27:55.196841002 CET	49912	13566	192.168.2.23	83.222.50.139
Jan 19, 2025 03:27:55.196886063 CET	35036	13566	192.168.2.23	83.222.128.248
Jan 19, 2025 03:27:55.198872089 CET	13566	54740	83.222.168.252	192.168.2.23
Jan 19, 2025 03:27:55.198925018 CET	54740	13566	192.168.2.23	83.222.168.252
Jan 19, 2025 03:27:55.199556112 CET	60936	13566	192.168.2.23	83.222.10.10
Jan 19, 2025 03:27:55.201721907 CET	13566	35036	83.222.128.248	192.168.2.23
Jan 19, 2025 03:27:55.201776028 CET	35036	13566	192.168.2.23	83.222.128.248
Jan 19, 2025 03:27:55.202080965 CET	46146	13566	192.168.2.23	83.222.106.41
Jan 19, 2025 03:27:55.204421043 CET	13566	60936	83.222.10.10	192.168.2.23
Jan 19, 2025 03:27:55.204474926 CET	60936	13566	192.168.2.23	83.222.10.10
Jan 19, 2025 03:27:55.204657078 CET	39108	13566	192.168.2.23	83.222.79.70
Jan 19, 2025 03:27:55.206881046 CET	13566	46146	83.222.106.41	192.168.2.23
Jan 19, 2025 03:27:55.206933975 CET	46146	13566	192.168.2.23	83.222.106.41
Jan 19, 2025 03:27:55.207212925 CET	59812	13566	192.168.2.23	83.222.246.108
Jan 19, 2025 03:27:55.209423065 CET	53456	13566	192.168.2.23	83.222.32.89
Jan 19, 2025 03:27:55.209471941 CET	13566	39108	83.222.79.70	192.168.2.23
Jan 19, 2025 03:27:55.209527969 CET	39108	13566	192.168.2.23	83.222.79.70
Jan 19, 2025 03:27:55.211271048 CET	52708	13566	192.168.2.23	83.222.215.221
Jan 19, 2025 03:27:55.212143898 CET	13566	59812	83.222.246.108	192.168.2.23
Jan 19, 2025 03:27:55.212198019 CET	59812	13566	192.168.2.23	83.222.246.108
Jan 19, 2025 03:27:55.212407112 CET	45660	13566	192.168.2.23	83.222.148.118
Jan 19, 2025 03:27:55.214297056 CET	13566	53456	83.222.32.89	192.168.2.23
Jan 19, 2025 03:27:55.214358091 CET	53456	13566	192.168.2.23	83.222.32.89
Jan 19, 2025 03:27:55.215431929 CET	43522	13566	192.168.2.23	83.222.67.126
Jan 19, 2025 03:27:55.216161013 CET	13566	52708	83.222.215.221	192.168.2.23
Jan 19, 2025 03:27:55.216208935 CET	52708	13566	192.168.2.23	83.222.215.221
Jan 19, 2025 03:27:55.217272043 CET	13566	45660	83.222.148.118	192.168.2.23
Jan 19, 2025 03:27:55.217324972 CET	45660	13566	192.168.2.23	83.222.148.118
Jan 19, 2025 03:27:55.218080044 CET	50950	13566	192.168.2.23	83.222.91.233
Jan 19, 2025 03:27:55.220336914 CET	13566	43522	83.222.67.126	192.168.2.23
Jan 19, 2025 03:27:55.220396996 CET	43522	13566	192.168.2.23	83.222.67.126
Jan 19, 2025 03:27:55.220695972 CET	47456	13566	192.168.2.23	83.222.130.158
Jan 19, 2025 03:27:55.222953081 CET	13566	50950	83.222.91.233	192.168.2.23
Jan 19, 2025 03:27:55.223000050 CET	50950	13566	192.168.2.23	83.222.91.233
Jan 19, 2025 03:27:55.223537922 CET	46172	13566	192.168.2.23	83.222.198.29
Jan 19, 2025 03:27:55.225486994 CET	13566	47456	83.222.130.158	192.168.2.23
Jan 19, 2025 03:27:55.225533962 CET	47456	13566	192.168.2.23	83.222.130.158
Jan 19, 2025 03:27:55.226428986 CET	54904	13566	192.168.2.23	83.222.46.188
Jan 19, 2025 03:27:55.228384972 CET	13566	46172	83.222.198.29	192.168.2.23
Jan 19, 2025 03:27:55.228436947 CET	46172	13566	192.168.2.23	83.222.198.29
Jan 19, 2025 03:27:55.229310036 CET	39716	13566	192.168.2.23	83.222.200.97
Jan 19, 2025 03:27:55.231218100 CET	13566	54904	83.222.46.188	192.168.2.23
Jan 19, 2025 03:27:55.231264114 CET	54904	13566	192.168.2.23	83.222.46.188
Jan 19, 2025 03:27:55.231556892 CET	34138	13566	192.168.2.23	83.222.71.113
Jan 19, 2025 03:27:55.234987974 CET	13566	39716	83.222.200.97	192.168.2.23
Jan 19, 2025 03:27:55.235052109 CET	39716	13566	192.168.2.23	83.222.200.97
Jan 19, 2025 03:27:55.236017942 CET	40854	13566	192.168.2.23	83.222.93.200
Jan 19, 2025 03:27:55.237235069 CET	13566	34138	83.222.71.113	192.168.2.23
Jan 19, 2025 03:27:55.238457918 CET	34138	13566	192.168.2.23	83.222.71.113
Jan 19, 2025 03:27:55.241750956 CET	13566	40854	83.222.93.200	192.168.2.23
Jan 19, 2025 03:27:55.241822958 CET	40854	13566	192.168.2.23	83.222.93.200
Jan 19, 2025 03:27:55.242583990 CET	43522	13566	192.168.2.23	83.222.105.103
Jan 19, 2025 03:27:55.247859001 CET	33120	13566	192.168.2.23	83.222.210.211
Jan 19, 2025 03:27:55.248464108 CET	13566	43522	83.222.105.103	192.168.2.23
Jan 19, 2025 03:27:55.248528004 CET	43522	13566	192.168.2.23	83.222.105.103
Jan 19, 2025 03:27:55.252126932 CET	58736	13566	192.168.2.23	83.222.144.33
Jan 19, 2025 03:27:55.253520012 CET	13566	33120	83.222.210.211	192.168.2.23
Jan 19, 2025 03:27:55.253571033 CET	33120	13566	192.168.2.23	83.222.210.211
Jan 19, 2025 03:27:55.256083012 CET	52696	13566	192.168.2.23	83.222.25.134
Jan 19, 2025 03:27:55.256988049 CET	13566	58736	83.222.144.33	192.168.2.23
Jan 19, 2025 03:27:55.257046938 CET	58736	13566	192.168.2.23	83.222.144.33
Jan 19, 2025 03:27:55.260396004 CET	41286	13566	192.168.2.23	83.222.141.58
Jan 19, 2025 03:27:55.260902882 CET	13566	52696	83.222.25.134	192.168.2.23
Jan 19, 2025 03:27:55.260972977 CET	52696	13566	192.168.2.23	83.222.25.134
Jan 19, 2025 03:27:55.265258074 CET	13566	41286	83.222.141.58	192.168.2.23
Jan 19, 2025 03:27:55.265338898 CET	41286	13566	192.168.2.23	83.222.141.58
Jan 19, 2025 03:27:55.265345097 CET	45866	13566	192.168.2.23	83.222.223.100
Jan 19, 2025 03:27:55.270155907 CET	13566	45866	83.222.223.100	192.168.2.23
Jan 19, 2025 03:27:55.270216942 CET	45866	13566	192.168.2.23	83.222.223.100
Jan 19, 2025 03:27:55.270858049 CET	50226	13566	192.168.2.23	83.222.23.116
Jan 19, 2025 03:27:55.275804996 CET	13566	50226	83.222.23.116	192.168.2.23
Jan 19, 2025 03:27:55.275883913 CET	50226	13566	192.168.2.23	83.222.23.116
Jan 19, 2025 03:27:55.276602030 CET	57156	13566	192.168.2.23	83.222.218.90
Jan 19, 2025 03:27:55.281502008 CET	13566	57156	83.222.218.90	192.168.2.23
Jan 19, 2025 03:27:55.281565905 CET	57156	13566	192.168.2.23	83.222.218.90
Jan 19, 2025 03:27:55.281999111 CET	44978	13566	192.168.2.23	83.222.242.54
Jan 19, 2025 03:27:55.286545992 CET	50174	13566	192.168.2.23	83.222.68.116
Jan 19, 2025 03:27:55.286889076 CET	13566	44978	83.222.242.54	192.168.2.23
Jan 19, 2025 03:27:55.286931038 CET	44978	13566	192.168.2.23	83.222.242.54
Jan 19, 2025 03:27:55.291414976 CET	13566	50174	83.222.68.116	192.168.2.23
Jan 19, 2025 03:27:55.291462898 CET	50174	13566	192.168.2.23	83.222.68.116
Jan 19, 2025 03:27:55.291976929 CET	58060	13566	192.168.2.23	83.222.212.10
Jan 19, 2025 03:27:55.295445919 CET	46388	13566	192.168.2.23	83.222.145.3
Jan 19, 2025 03:27:55.296897888 CET	13566	58060	83.222.212.10	192.168.2.23
Jan 19, 2025 03:27:55.296956062 CET	58060	13566	192.168.2.23	83.222.212.10
Jan 19, 2025 03:27:55.299765110 CET	41150	13566	192.168.2.23	83.222.198.90
Jan 19, 2025 03:27:55.300317049 CET	13566	46388	83.222.145.3	192.168.2.23
Jan 19, 2025 03:27:55.300535917 CET	46388	13566	192.168.2.23	83.222.145.3
Jan 19, 2025 03:27:55.303692102 CET	37532	13566	192.168.2.23	83.222.100.14
Jan 19, 2025 03:27:55.304640055 CET	13566	41150	83.222.198.90	192.168.2.23
Jan 19, 2025 03:27:55.304706097 CET	41150	13566	192.168.2.23	83.222.198.90
Jan 19, 2025 03:27:55.308368921 CET	49482	13566	192.168.2.23	83.222.203.193
Jan 19, 2025 03:27:55.308562040 CET	13566	37532	83.222.100.14	192.168.2.23
Jan 19, 2025 03:27:55.308636904 CET	37532	13566	192.168.2.23	83.222.100.14
Jan 19, 2025 03:27:55.312422037 CET	52928	13566	192.168.2.23	83.222.214.52
Jan 19, 2025 03:27:55.313275099 CET	13566	49482	83.222.203.193	192.168.2.23
Jan 19, 2025 03:27:55.313321114 CET	49482	13566	192.168.2.23	83.222.203.193
Jan 19, 2025 03:27:55.317276955 CET	44858	13566	192.168.2.23	83.222.41.168
Jan 19, 2025 03:27:55.317348957 CET	13566	52928	83.222.214.52	192.168.2.23
Jan 19, 2025 03:27:55.317410946 CET	52928	13566	192.168.2.23	83.222.214.52
Jan 19, 2025 03:27:55.321479082 CET	54258	13566	192.168.2.23	83.222.8.185
Jan 19, 2025 03:27:55.322257042 CET	13566	44858	83.222.41.168	192.168.2.23
Jan 19, 2025 03:27:55.322302103 CET	44858	13566	192.168.2.23	83.222.41.168
Jan 19, 2025 03:27:55.326313972 CET	13566	54258	83.222.8.185	192.168.2.23
Jan 19, 2025 03:27:55.326379061 CET	54258	13566	192.168.2.23	83.222.8.185
Jan 19, 2025 03:27:55.352912903 CET	42704	13566	192.168.2.23	83.222.191.90
Jan 19, 2025 03:27:55.358285904 CET	13566	42704	83.222.191.90	192.168.2.23
Jan 19, 2025 03:27:55.358339071 CET	42704	13566	192.168.2.23	83.222.191.90
Jan 19, 2025 03:27:55.359301090 CET	42704	13566	192.168.2.23	83.222.191.90
Jan 19, 2025 03:27:55.364125013 CET	13566	42704	83.222.191.90	192.168.2.23
Jan 19, 2025 03:27:55.364180088 CET	42704	13566	192.168.2.23	83.222.191.90
Jan 19, 2025 03:27:55.369154930 CET	13566	42704	83.222.191.90	192.168.2.23
Jan 19, 2025 03:27:59.167937994 CET	42836	443	192.168.2.23	91.189.91.43
Jan 19, 2025 03:27:59.935828924 CET	42516	80	192.168.2.23	109.202.202.202
Jan 19, 2025 03:28:05.367177963 CET	42704	13566	192.168.2.23	83.222.191.90
Jan 19, 2025 03:28:05.372348070 CET	13566	42704	83.222.191.90	192.168.2.23
Jan 19, 2025 03:28:05.869132042 CET	13566	42704	83.222.191.90	192.168.2.23
Jan 19, 2025 03:28:05.869204998 CET	42704	13566	192.168.2.23	83.222.191.90
Jan 19, 2025 03:28:05.996350050 CET	13566	42704	83.222.191.90	192.168.2.23
Jan 19, 2025 03:28:05.996428967 CET	42704	13566	192.168.2.23	83.222.191.90
Jan 19, 2025 03:28:14.273900986 CET	43928	443	192.168.2.23	91.189.91.42
Jan 19, 2025 03:28:26.556360960 CET	42836	443	192.168.2.23	91.189.91.43
Jan 19, 2025 03:28:30.655765057 CET	42516	80	192.168.2.23	109.202.202.202
Jan 19, 2025 03:28:55.224476099 CET	43928	443	192.168.2.23	91.189.91.42
Jan 19, 2025 03:29:06.048928976 CET	42704	13566	192.168.2.23	83.222.191.90
Jan 19, 2025 03:29:06.054464102 CET	13566	42704	83.222.191.90	192.168.2.23
Jan 19, 2025 03:29:06.250765085 CET	13566	42704	83.222.191.90	192.168.2.23
Jan 19, 2025 03:29:06.251183033 CET	42704	13566	192.168.2.23	83.222.191.90
Jan 19, 2025 03:29:06.932406902 CET	13566	42704	83.222.191.90	192.168.2.23
Jan 19, 2025 03:29:06.932636023 CET	42704	13566	192.168.2.23	83.222.191.90

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 19, 2025 03:27:55.339375019 CET	49784	53	192.168.2.23	8.8.8.8
Jan 19, 2025 03:27:55.348695993 CET	53	49784	8.8.8.8	192.168.2.23

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 19, 2025 03:27:55.339375019 CET	192.168.2.23	8.8.8.8	0xf50d	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 19, 2025 03:27:55.348695993 CET	8.8.8.8	192.168.2.23	0xf50d	No error (0)	secure-network-rebirthltd.ru		83.222.191.90	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: Kloki.mips.elf PID: 6263, Parent PID: 6185

General

Start time (UTC):	02:27:53
Start date (UTC):	19/01/2025
Path:	/tmp/Kloki.mips.elf
Arguments:	/tmp/Kloki.mips.elf
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

File Activities

File Opened

File Read

File Moved

Process Activities

Process Forked

Prctl Requested

Thread Sleep

System Activities

Query System Information (uname)

Network Activities

Socket Listening

Socket Connecting

Chronological Activities

Analysis Process: Kloki.mips.elf PID: 6265, Parent PID: 6263

General

Start time (UTC):	02:27:53
Start date (UTC):	19/01/2025
Path:	/tmp/Kloki.mips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

File Activities

File Opened

File Read

Process Activities

Prctl Requested

Thread Sleep

Chronological Activities

Analysis Process: Kloki.mips.elf PID: 6267, Parent PID: 6263

General

Start time (UTC):	02:27:53
Start date (UTC):	19/01/2025
Path:	/tmp/Kloki.mips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Process Activities

Process Forked

Thread Sleep

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: Kloki.mips.elf PID: 6269, Parent PID: 6267

General

Start time (UTC):	02:27:53
Start date (UTC):	19/01/2025
Path:	/tmp/Kloki.mips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

File Activities

File Opened

Directory Enumerated

Process Activities

Signal Sent

Thread Sleep

Chronological Activities

Analysis Process: gnome-session-binary PID: 6288, Parent PID: 1477

General

Start time (UTC):	02:27:53
Start date (UTC):	19/01/2025
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6288, Parent PID: 1477

General

Start time (UTC):	02:27:53
Start date (UTC):	19/01/2025
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-sharing
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: gsd-sharing PID: 6288, Parent PID: 1477

General

Start time (UTC):	02:27:54
Start date (UTC):	19/01/2025
Path:	/usr/libexec/gsd-sharing
Arguments:	/usr/libexec/gsd-sharing
File size:	35424 bytes
MD5 hash:	e29d9025d98590fbb69f89fdbd4438b3

File Activities

File Opened

Chronological Activities

Analysis Process: gnome-session-binary PID: 6291, Parent PID: 1477

General

Start time (UTC):	02:27:53
Start date (UTC):	19/01/2025
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6291, Parent PID: 1477

General

Start time (UTC):	02:27:53
Start date (UTC):	19/01/2025
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/bin/gnome-shell
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: gnome-shell PID: 6291, Parent PID: 1477

General

Start time (UTC):	02:27:54
Start date (UTC):	19/01/2025
Path:	/usr/bin/gnome-shell
Arguments:	/usr/bin/gnome-shell
File size:	23168 bytes
MD5 hash:	da7a257239677622fe4b3a65972c9e87

File Activities

File Opened

Chronological Activities

Analysis Process: gnome-session-binary PID: 6292, Parent PID: 1477

General

Start time (UTC):	02:27:53
Start date (UTC):	19/01/2025
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6292, Parent PID: 1477

General

Start time (UTC):	02:27:53
Start date (UTC):	19/01/2025
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-print-notifications
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: gnome-session-binary PID: 6293, Parent PID: 1477

General

Start time (UTC):	02:27:54
Start date (UTC):	19/01/2025
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6293, Parent PID: 1477

General

Start time (UTC):	02:27:54
Start date (UTC):	19/01/2025
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: gdm3 PID: 6296, Parent PID: 1320

General

Start time (UTC):	02:27:54
Start date (UTC):	19/01/2025
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: Default PID: 6296, Parent PID: 1320

General

Start time (UTC):	02:27:54
Start date (UTC):	19/01/2025
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: gdm3 PID: 6300, Parent PID: 1320

General

Start time (UTC):	02:27:54
Start date (UTC):	19/01/2025
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: Default PID: 6300, Parent PID: 1320

General

Start time (UTC):	02:27:54
Start date (UTC):	19/01/2025
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.
Tactics:	Impact
Data Sources:	Command: Command Execution, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Termination, Service: Service Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report Kloki.mips.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: Kloki.mips.elf PID: 6263, Parent PID: 6185

General

File Activities

File Opened

File Read

File Moved

Process Activities

Process Forked

Prctl Requested

Thread Sleep

System Activities

Query System Information (uname)

Network Activities

Socket Listening

Socket Connecting

Chronological Activities

Analysis Process: Kloki.mips.elf PID: 6265, Parent PID: 6263

General

File Activities

File Opened

File Read

Process Activities

Prctl Requested

Linux Analysis Report
Kloki.mips.elf