
Linux Analysis Report
i686.elf

Overview

General Information

Sample name:i686.elf
Analysis ID:1617828
MD5:c966be652b4df4b0f8fbbaa51a1a29a3
SHA1:42a7156abdc11e456c581db40116f9459f5ec305
SHA256:1d1689d6da651763890e25713e402b357041645f42f8d7ac43acaae1145c1269
Tags: elf, user-abuse_ch
Infos / Errors:
  • No or unstable Internet during analysis

Detection

Score:68
Range:0 - 100

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Performs DNS TXT record lookups
Sample reads /proc/mounts (often used for finding a writable filesystem)
Uses STUN server to do NAT traversal
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes the "rm" command used to delete files or directories
Sample has stripped symbol table
Sample listens on a socket
Yara signature match

Classification

Classification chart (radar axes): Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious.

Joe Sandbox version: 42.0.0 Malachite
Start date and time: 2025-02-18 10:17:17 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 57s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Detection: MAL
Classification: mal68.troj.evad.linELF@0/0@3/0
Errors:
  • No or unstable Internet during analysis
  • VT rate limit hit for: lib.libre
Command: /tmp/i686.elf
PID: 6210
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
For God so loved the world, that he gave his only begotten Son, that whosoever believeth in him should not perish, but have everlasting life
Standard Error:

Process tree (system is lnxubuntu20):
  • i686.elf (PID: 6210, Parent: 6125, MD5: c966be652b4df4b0f8fbbaa51a1a29a3) Arguments: /tmp/i686.elf
    • i686.elf New Fork (PID: 6212, Parent: 6210)
    • i686.elf New Fork (PID: 6213, Parent: 6210)
    • i686.elf New Fork (PID: 6236, Parent: 6210)
  • dash New Fork (PID: 6575, Parent: 4331)
  • rm (PID: 6575, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.etUmSm2Upd /tmp/tmp.IE9m4z47Lj /tmp/tmp.K6LQK1gdHS
  • dash New Fork (PID: 6576, Parent: 4331)
  • rm (PID: 6576, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.etUmSm2Upd /tmp/tmp.IE9m4z47Lj /tmp/tmp.K6LQK1gdHS
  • cleanup
Yara matches on the submitted file (Source | Rule | Description | Author | Strings):
  • i686.elf | Linux_Trojan_Gafgyt_9e9530a7 | unknown | unknown
    0xb3ac: $a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
  • i686.elf | Linux_Trojan_Gafgyt_807911a2 | unknown | unknown
    0xbb9b: $a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
  • i686.elf | Linux_Trojan_Gafgyt_d4227dbf | unknown | unknown
    0x7eda: $a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
    0x803c: $a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
  • i686.elf | Linux_Trojan_Gafgyt_d996d335 | unknown | unknown
    0xe18a: $a: D0 EB 0F 40 38 37 75 04 48 89 F8 C3 49 FF C8 48 FF C7 4D 85 C0
  • i686.elf | Linux_Trojan_Gafgyt_620087b9 | unknown | unknown
    0xb75b: $a: 48 89 D8 48 83 C8 01 EB 04 48 8B 76 10 48 3B 46 08 72 F6 48 8B
  • 2 further rule matches (Linux_Trojan_Gafgyt_33b4111a, Linux_Trojan_Mirai_1cb033f3), listed under System Summary

Yara matches on the process memory dump 6210.1.0000000000400000.0000000000411000.r-x.sdmp: the same five rules at the same offsets (0xb3ac, 0xbb9b, 0x7eda and 0x803c, 0xe18a, 0xb75b), plus the same 2 further entries.

Note on the matched bytes: the strings are dominated by REX.W-prefixed instructions (48 ..) and include the 0F 05 SYSCALL opcode, and the matching image is mapped r-x at 0x400000-0x411000; both are consistent with x86-64 machine code rather than the 32-bit build the "i686" file name suggests. The name is attacker-chosen, so confirm the architecture from the ELF header (EI_CLASS, e_machine) before picking tooling or comparing against reference samples.
No Suricata rule has matched
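As an added example (my own code, not part of the Joe Sandbox report and not Elastic's rule source), the following Python does what the Yara matches above boil down to: it searches a byte image for the rules' `$a` hex strings and reports offsets, and it reads the architecture from the ELF header instead of trusting the file name. The rule strings are copied verbatim from the report; the image it scans is constructed inline (a minimal ELF64/x86-64 header with one of the report's byte strings planted at a chosen offset), and the helper names are mine.

```python
import re
import struct

# $a hex strings copied verbatim from the report's Yara matches (Elastic rules).
RULE_STRINGS = {
    "Linux_Trojan_Gafgyt_9e9530a7": "F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3",
    "Linux_Trojan_Gafgyt_807911a2": "FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D",
    "Linux_Trojan_Gafgyt_d4227dbf": "FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00",
    "Linux_Trojan_Gafgyt_d996d335": "D0 EB 0F 40 38 37 75 04 48 89 F8 C3 49 FF C8 48 FF C7 4D 85 C0",
    "Linux_Trojan_Gafgyt_620087b9": "48 89 D8 48 83 C8 01 EB 04 48 8B 76 10 48 3B 46 08 72 F6 48 8B",
}


def hex_pattern_to_regex(pattern):
    """Compile a Yara-style hex string into a bytes regex; '??' is a one-byte wildcard."""
    parts = []
    for tok in pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data, rules=RULE_STRINGS):
    """Return {rule_name: [offset, ...]} for every rule whose $a string occurs in data."""
    hits = {}
    for name, pattern in rules.items():
        offsets = [m.start() for m in hex_pattern_to_regex(pattern).finditer(data)]
        if offsets:
            hits[name] = offsets
    return hits


# ELF header fields that settle the architecture question (values from the ELF spec).
EI_CLASS = {1: "ELF32", 2: "ELF64"}
E_MACHINE = {3: "EM_386", 8: "EM_MIPS", 40: "EM_ARM", 62: "EM_X86_64", 183: "EM_AARCH64"}


def elf_arch(data):
    """Read e_ident[EI_CLASS] and e_machine from the header; None if not an ELF file.
    A name like 'i686.elf' is attacker-chosen; the header is what the loader actually uses."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    ei_class = EI_CLASS.get(data[4], "unknown")
    endian = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian, 2 = big-endian
    (machine,) = struct.unpack(endian + "H", data[18:20])
    return ei_class, E_MACHINE.get(machine, "0x%x" % machine)


def build_test_image():
    """Constructed stand-in for a sample: a minimal ELF64/x86-64 header, zero padding,
    and the 9e9530a7 byte string planted at offset 0x1000 (not the report's real offset)."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8       # ELF64, LSB, version 1, SYSV ABI
    header = e_ident + struct.pack("<HH", 2, 62)                      # e_type = ET_EXEC, e_machine = x86-64
    image = bytearray(header.ljust(0x2000, b"\x00"))
    planted = bytes.fromhex(RULE_STRINGS["Linux_Trojan_Gafgyt_9e9530a7"].replace(" ", ""))
    image[0x1000:0x1000 + len(planted)] = planted
    return bytes(image)


if __name__ == "__main__":
    img = build_test_image()
    print("arch:", elf_arch(img))
    for rule, offs in scan(img).items():
        print(rule, [hex(o) for o in offs])
```

Run it against the real file with `scan(open("i686.elf", "rb").read())` and the offsets should line up with the report's 0xb3ac, 0xbb9b, 0x7eda/0x803c, 0xe18a and 0xb75b; `elf_arch` on the same bytes answers the i686-versus-x86-64 question directly.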


AV Detection

Source: i686.elf; ReversingLabs: Detection: 21%

Networking

Source: unknown; DNS query: name: stun.l.google.com
Source: global traffic; TCP traffic: 192.168.2.23:58904 -> 64.23.188.144:51012
Source: global traffic; UDP traffic: 192.168.2.23:44204 -> 74.125.250.129:19302
Source: /tmp/i686.elf (PID: 6210); Socket: 127.0.0.1:43478
TCP traffic detected without corresponding DNS query (48 events, grouped by destination):
  • 64.23.188.144 (38)
  • 91.189.91.42 (3)
  • 91.189.91.43 (3)
  • 109.202.202.202 (2)
  • 54.171.230.55 (2)
UDP traffic detected without corresponding DNS query: 54.36.111.116, 161.97.219.84
Source: global traffic; DNS traffic detected: DNS query: lib.libre
Source: global traffic; DNS traffic detected: DNS query: stun.l.google.com
Network traffic detected: HTTP traffic on port 443 -> 33608, 43928 -> 443, 33608 -> 443, 42836 -> 443

Reading these together: none of the flows above is attributed to a PID; the only per-process network evidence in the report is the listening socket 127.0.0.1:43478 on PID 6210. 64.23.188.144:51012 accounts for 38 of the 48 unresolved TCP events, on a non-standard port and with no preceding DNS query, which is consistent with an address embedded in the binary. 91.189.91.42 and .43 are in CANONICAL-AS (see the IP table) and 109.202.202.202 appears in the context table with a ch.archive.ubuntu.com .deb URL, so those flows, and the port 443 traffic, are consistent with the Ubuntu 20.04 analysis VM's own update activity rather than sample behaviour. The lib.libre lookup did not resolve during this run (see the "No or unstable Internet" error and the domain table), so whatever the sample expected from that name is not visible here.
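An added example (Python, my own code, not from the report or the sample) of what the "Uses STUN server to do NAT traversal" signature is keying on: the UDP flow to 74.125.250.129:19302 right after the stun.l.google.com lookup is the STUN Binding exchange a client runs to learn the public IP and port its NAT has assigned. The block shows both sides' messages so it can run offline against a response it constructs itself (203.0.113.7 and port 40000 are made-up values), plus the header check one would use to classify STUN in a pcap. The live `query_public_address` helper is included for completeness and is not called by the offline checks.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442          # RFC 5389: fixed value at bytes 4..8 of every STUN message
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001       # legacy RFC 3489 attribute, address not XORed
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def is_stun(payload):
    """Header-shape check a pcap filter would apply to a UDP payload."""
    if len(payload) < 20 or payload[0] & 0xC0:      # top two bits of a STUN message are zero
        return False
    _, length, cookie = struct.unpack("!HHI", payload[:8])
    return cookie == MAGIC_COOKIE and length == len(payload) - 20 and length % 4 == 0


def build_binding_request(txid=None):
    """What a client (here, a bot discovering its public address) sends to port 3478/19302."""
    txid = txid or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def build_binding_response(txid, public_ip, public_port):
    """Server side of the exchange; used below only to construct a response offline."""
    (ip_int,) = struct.unpack("!I", socket.inet_aton(public_ip))
    value = struct.pack("!BBHI", 0, 0x01,                      # reserved, family IPv4
                        public_port ^ (MAGIC_COOKIE >> 16),    # X-Port
                        ip_int ^ MAGIC_COOKIE)                 # X-Address
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr


def parse_mapped_address(payload, expect_txid):
    """Return (ip, port) as seen by the server, or None if payload is not our Binding Success."""
    if not is_stun(payload):
        return None
    msg_type, _, _ = struct.unpack("!HHI", payload[:8])
    if msg_type != BINDING_SUCCESS or payload[8:20] != expect_txid:
        return None
    off = 20
    while off + 4 <= len(payload):
        atype, alen = struct.unpack("!HH", payload[off:off + 4])
        value = payload[off + 4:off + 4 + alen]
        off += 4 + ((alen + 3) & ~3)                 # attribute values are padded to 4 bytes
        if len(value) < 8 or value[1] != 0x01:       # IPv4 only in this example
            continue
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            xport, xip = struct.unpack("!HI", value[2:8])
            ip = socket.inet_ntoa(struct.pack("!I", xip ^ MAGIC_COOKIE))
            return ip, xport ^ (MAGIC_COOKIE >> 16)
        if atype == ATTR_MAPPED_ADDRESS:
            (port,) = struct.unpack("!H", value[2:4])
            return socket.inet_ntoa(value[4:8]), port
    return None


def query_public_address(server="stun.l.google.com", port=19302, timeout=3.0):
    """Live version of the exchange (network access; not run by the offline checks)."""
    txid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_binding_request(txid), (server, port))
        data, _ = s.recvfrom(2048)
    return parse_mapped_address(data, txid)


if __name__ == "__main__":
    txid = bytes(range(12))
    resp = build_binding_response(txid, "203.0.113.7", 40000)   # constructed response
    print(is_stun(resp), parse_mapped_address(resp, txid))
```

For triage, `is_stun` over UDP payloads is enough to confirm that a "UDP to port 19302" flow really is STUN and not something else using Google's address space; the XOR decoding matters only if you want to recover what public address the bot learned about itself.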

System Summary

Yara rule matches. Each rule below matched both the submitted file (i686.elf, type: SAMPLE) and the memory dump 6210.1.0000000000400000.0000000000411000.r-x.sdmp (type: MEMORY); Author: unknown. Metadata shared by all seven rules: os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, last_modified = 2021-09-16.
  • Linux_Trojan_Gafgyt_9e9530a7: threat_name = Linux.Trojan.Gafgyt, reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f
  • Linux_Trojan_Gafgyt_807911a2: threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6
  • Linux_Trojan_Gafgyt_d4227dbf: threat_name = Linux.Trojan.Gafgyt, reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4
  • Linux_Trojan_Gafgyt_d996d335: threat_name = Linux.Trojan.Gafgyt, reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b
  • Linux_Trojan_Gafgyt_620087b9: threat_name = Linux.Trojan.Gafgyt, reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28
  • Linux_Trojan_Gafgyt_33b4111a: threat_name = Linux.Trojan.Gafgyt, reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5
  • Linux_Trojan_Mirai_1cb033f3: threat_name = Linux.Trojan.Mirai, fingerprint = 49201ab37ff0b5cdfa9b0b34b6faa170bd25f04df51c24b0b558b7534fecc358, id = 1cb033f3-68c1-4fe5-9cd1-b5d066c1d86e
Source: ELF static info symbol of initial sample; .symtab present: no
Source: classification engine; Classification label: mal68.troj.evad.linELF@0/0@3/0

Persistence and Installation Behavior

Source: /tmp/i686.elf (PID: 6210); File: /proc/6210/mounts
Source: /tmp/i686.elf (PID: 6212); File: /proc/6212/mounts
Source: /tmp/i686.elf (PID: 6210); File opened: /proc/<pid>/maps, /proc/<pid>/status and /proc/<pid>/cmdline for each of these 31 PIDs (in the order reported): 2033, 1582, 2275, 1579, 1699, 1335, 1698, 1334, 2302, 3236, 2025, 2146, 759, 2307, 1594, 2285, 2281, 1349, 1, 1623, 761, 1622, 2038, 1586, 1465, 1860, 1463, 2156, 1629, 1627, 491
Source: /tmp/i686.elf (PID: 6210); File opened: /proc/<pid>/maps only for these 12 PIDs: 4331, 1612, 2028, 1576, 912, 918, 884, 1983, 1344, 800, 801, 1900
Source: /usr/bin/dash (PID: 6575); Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.etUmSm2Upd /tmp/tmp.IE9m4z47Lj /tmp/tmp.K6LQK1gdHS
Source: /usr/bin/dash (PID: 6576); Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.etUmSm2Upd /tmp/tmp.IE9m4z47Lj /tmp/tmp.K6LQK1gdHS

Two things worth noting in this section. First, across the 105 /proc opens, maps is always read first and status/cmdline follow only for 31 of the 43 target PIDs, PID 1 included; the report shows the walk but not what the sample did with the results. Second, both rm invocations are children of dash PID 4331, which is outside the sample's process tree (6210 and its forks 6212, 6213 and 6236), and the tmp.XXXXXXXXXX names are of the form mktemp produces; the report does not link these deletions to the sample, so the "Executes the rm command" signature should not be read as sample behaviour on this evidence alone.
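An added example (Python, my own code, not from the report) of detection logic for the /proc activity above. It takes event lines in the report's own "Source: ... (PID: n) File opened: /proc/<pid>/<leaf>" format, aggregates them per process, and flags a process that reads its own mounts table or touches the maps/status/cmdline of many other PIDs. The event list is constructed: the PID 6210 lines are a subset of those in the report, while the top and cat lines are invented to show the false-positive case (legitimate monitors sweep /proc the same way). The threshold and the allowlist of monitoring tools are my choices; a path allowlist is only a partial answer since a binary can be dropped under any name.

```python
import re
from collections import defaultdict

# Shape of the report's own behaviour lines; real telemetry (auditd, eBPF) needs its own regex.
EVENT_RE = re.compile(
    r"Source: (?P<image>\S+) \(PID: (?P<pid>\d+)\)\s*File(?: opened)?: "
    r"/proc/(?P<target>\d+|self)/(?P<leaf>\w+)"
)
# Per-process files read to fingerprint other processes; seen both in bots that look for
# competing processes and in ps/top. The report shows the walk, not its purpose.
ENUM_LEAVES = {"maps", "status", "cmdline", "stat", "exe", "comm"}
# Assumed-benign images (my choice); bypassable, so treat as noise reduction, not a verdict.
KNOWN_MONITORS = ("/usr/bin/ps", "/usr/bin/top", "/usr/bin/htop")


def analyse_proc_access(lines, min_foreign_pids=5, allow_images=KNOWN_MONITORS):
    """Aggregate /proc accesses per PID and return findings for processes that either
    read their own mounts table or touch the proc entries of many other PIDs."""
    per_pid = defaultdict(lambda: {"image": None, "foreign": set(), "leaves": set(), "self_mounts": False})
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue
        rec = per_pid[m["pid"]]
        rec["image"] = m["image"]
        target, leaf = m["target"], m["leaf"]
        if target in ("self", m["pid"]):            # the process looking at itself
            if leaf == "mounts":
                rec["self_mounts"] = True           # "reads /proc/mounts" signature
            continue
        if leaf in ENUM_LEAVES:
            rec["foreign"].add(target)
            rec["leaves"].add(leaf)
    findings = {}
    for pid, rec in per_pid.items():
        enumerating = len(rec["foreign"]) >= min_foreign_pids and rec["image"] not in allow_images
        if enumerating or rec["self_mounts"]:
            findings[pid] = {
                "image": rec["image"],
                "foreign_pids": len(rec["foreign"]),
                "leaves": sorted(rec["leaves"]),
                "reads_own_mounts": rec["self_mounts"],
                "process_enumeration": enumerating,
            }
    return findings


# Constructed event log in the report's format. The 6210 lines mirror a subset of the
# report; the 7000/7001 lines are invented benign noise.
SAMPLE_EVENTS = [
    "Source: /tmp/i686.elf (PID: 6210) File: /proc/6210/mounts",
    "Source: /tmp/i686.elf (PID: 6210) File opened: /proc/1/maps",
    "Source: /tmp/i686.elf (PID: 6210) File opened: /proc/1/status",
    "Source: /tmp/i686.elf (PID: 6210) File opened: /proc/1/cmdline",
    "Source: /tmp/i686.elf (PID: 6210) File opened: /proc/759/maps",
    "Source: /tmp/i686.elf (PID: 6210) File opened: /proc/1335/maps",
    "Source: /tmp/i686.elf (PID: 6210) File opened: /proc/2033/maps",
    "Source: /tmp/i686.elf (PID: 6210) File opened: /proc/4331/maps",
    "Source: /usr/bin/top (PID: 7000) File opened: /proc/1/stat",
    "Source: /usr/bin/top (PID: 7000) File opened: /proc/2/stat",
    "Source: /usr/bin/top (PID: 7000) File opened: /proc/3/stat",
    "Source: /usr/bin/top (PID: 7000) File opened: /proc/4/stat",
    "Source: /usr/bin/top (PID: 7000) File opened: /proc/5/stat",
    "Source: /usr/bin/top (PID: 7000) File opened: /proc/6/stat",
    "Source: /usr/bin/cat (PID: 7001) File opened: /proc/1/cmdline",
]

if __name__ == "__main__":
    for pid, finding in analyse_proc_access(SAMPLE_EVENTS).items():
        print(pid, finding)
```

The two signals are kept separate in the output on purpose: reading one's own mounts is weak on its own, while a sweep over dozens of foreign PIDs from a binary in /tmp is the part that deserves an alert; combine them with the process's parent and network activity rather than alerting on either alone.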

HIPS / PFW / Operating System Protection Evasion

Source: Traffic; DNS traffic detected: queries for: lib.libre (reported twice)
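An added example (Python, my own code, not the report's or the sample's) for the DNS side of the report: building a TXT query for lib.libre, parsing the question section back (including compression pointers, which any real response will contain), and filtering a list of UDP payloads down to TXT lookups, which is the behaviour the "Performs DNS TXT record lookups" signature describes. TXT records are a common place for malware to park configuration or a C2 address, which is why sandboxes single these lookups out; the report does not show what this sample expected in the answer, since lib.libre did not resolve during the run, so only the query side is modelled here. The two payloads are constructed to stand in for the report's lib.libre and stun.l.google.com queries.

```python
import struct

QTYPES = {1: "A", 5: "CNAME", 16: "TXT", 28: "AAAA"}


def encode_name(name):
    """'lib.libre' -> b'\\x03lib\\x05libre\\x00' (RFC 1035 label format)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Standard recursive query with one question (flags 0x0100 = RD bit set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)   # QCLASS IN


def decode_name(msg, off):
    """Decode a possibly-compressed name; returns (name, offset just past it)."""
    labels, jumped, end = [], False, None
    for _ in range(128):                       # hard bound against pointer loops
        ln = msg[off]
        if ln == 0:
            return ".".join(labels), (end if jumped else off + 1)
        if ln & 0xC0 == 0xC0:                  # compression pointer: 14-bit offset
            if not jumped:
                end = off + 2                  # the name ends after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii", "replace"))
        off += 1 + ln
    raise ValueError("name too long or pointer loop")


def parse_question(msg):
    """Return txid/is_response/qname/qtype of the first question, or None if malformed."""
    if len(msg) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        return None
    try:
        qname, off = decode_name(msg, 12)
        qtype, _ = struct.unpack("!HH", msg[off:off + 4])
    except (IndexError, ValueError, struct.error):
        return None
    return {
        "txid": txid,
        "is_response": bool(flags & 0x8000),   # QR bit
        "qname": qname,
        "qtype": QTYPES.get(qtype, str(qtype)),
    }


def txt_lookups(payloads):
    """Names queried with QTYPE=TXT, i.e. what 'Performs DNS TXT record lookups' flags."""
    out = []
    for p in payloads:
        q = parse_question(p)
        if q and not q["is_response"] and q["qtype"] == "TXT":
            out.append(q["qname"])
    return out


# Constructed UDP payloads standing in for the report's two DNS queries.
SAMPLE_PAYLOADS = [build_query("lib.libre", 16), build_query("stun.l.google.com", 1)]

if __name__ == "__main__":
    print(txt_lookups(SAMPLE_PAYLOADS))
```

To use this on the report's pcap, feed it the UDP payloads to port 53 rather than whole frames; the compression-pointer handling is what keeps `decode_name` from mis-parsing once responses are in the mix.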
MITRE ATT&CK techniques flagged (number of matching signatures in parentheses):
  • Defense Evasion: File Deletion (1)
  • Credential Access: OS Credential Dumping (1)
  • Discovery: File and Directory Discovery (1)
  • Command and Control: Encrypted Channel (1), Non-Standard Port (1), Non-Application Layer Protocol (1), Application Layer Protocol (2)
All other cells of the matrix (Reconnaissance through Impact) are unpopulated.
No configs have been found
Behavior graph (ID 1617828, sample i686.elf, start date 18/02/2025, architecture LINUX, score 68): i686.elf, flagged "Malicious sample detected (through community Yara rule)" and "Multi AV Scanner detection for submitted file", resolves lib.libre ("Performs DNS TXT record lookups") and stun.l.google.com ("Uses STUN server to do NAT traversal") and contacts 6 other IPs or domains; it reads /proc/mounts ("Sample reads /proc/mounts (often used for finding a writable filesystem)") and starts three child i686.elf processes, one of which also reads /proc/mounts. Two separate dash -> rm process chains are shown alongside.
Antivirus results (Source | Detection | Scanner | Label):
  • i686.elf | 22% | ReversingLabs | Linux.Backdoor.Gafgyt
No Antivirus matches in the remaining three scanner tables.


Domains (Name | IP | Active | Malicious | Reputation):
  • stun.l.google.com | 74.125.250.129 | true | false | high
  • lib.libre | unknown | unknown | true | unknown
IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
  • 54.171.230.55 | unknown | United States | 16509 | AMAZON-02 (US) | false
  • 64.23.188.144 | unknown | United States | 3064 | AFFINITY-FTL (US) | false
  • 109.202.202.202 | unknown | Switzerland | 13030 | INIT7 (CH) | false
  • 74.125.250.129 | stun.l.google.com | United States | 15169 | GOOGLE (US) | false
  • 91.189.91.43 | unknown | United Kingdom | 41231 | CANONICAL-AS (GB) | false
  • 91.189.91.42 | unknown | United Kingdom | 41231 | CANONICAL-AS (GB) | false
      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
      54.171.230.55p.elfGet hashmaliciousGafgytBrowse
        Hilix.arm5.elfGet hashmaliciousUnknownBrowse
                | res.arm6.elf     | malicious | Unknown
                | boatnet.mpsl.elf | malicious | Mirai
                | na.elf           | malicious | Prometei
                | na.elf           | malicious | Prometei
                | na.elf           | malicious | Prometei
                | na.elf           | malicious | Unknown
                | uYtea.x86.elf    | malicious | Unknown
                | hide.arm5.elf    | malicious | Unknown
64.23.188.144   | na.elf           | malicious | Unknown
                | i686.elf         | malicious | Unknown
                | na.elf           | malicious | Unknown
109.202.202.202 | kpLwzBouH4.elf   | malicious | Unknown | ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43    | mpsl.elf         | malicious | Unknown
                | arm6.elf         | malicious | Unknown
                | boatnet.arm6.elf | malicious | Mirai
                | na.elf           | malicious | Prometei
                | boatnet.mips.elf | malicious | Mirai
                | p.elf            | malicious | Gafgyt
                | e.elf            | malicious | Gafgyt
                | c.elf            | malicious | Gafgyt
                | b.elf            | malicious | Gafgyt
                | na.elf           | malicious | Prometei
91.189.91.42    | mpsl.elf         | malicious | Unknown
                | arm6.elf         | malicious | Unknown
                | boatnet.arm6.elf | malicious | Mirai
                | na.elf           | malicious | Prometei
                | boatnet.mips.elf | malicious | Mirai
                | p.elf            | malicious | Gafgyt
                | e.elf            | malicious | Gafgyt
                | c.elf            | malicious | Gafgyt
                | b.elf            | malicious | Gafgyt
                | na.elf           | malicious | Prometei
                                                                        No context
Match          | Associated Sample Name / URL        | Detection | Threat Name                      | Context
CANONICAL-ASGB | mpsl.elf                            | malicious | Unknown                          | 91.189.91.42
               | arm6.elf                            | malicious | Unknown                          | 91.189.91.42
               | boatnet.arm6.elf                    | malicious | Mirai                            | 91.189.91.42
               | na.elf                              | malicious | Prometei                         | 91.189.91.42
               | boatnet.mips.elf                    | malicious | Mirai                            | 91.189.91.42
               | p.elf                               | malicious | Gafgyt                           | 91.189.91.42
               | e.elf                               | malicious | Gafgyt                           | 91.189.91.42
               | c.elf                               | malicious | Gafgyt                           | 91.189.91.42
               | b.elf                               | malicious | Gafgyt                           | 91.189.91.42
               | na.elf                              | malicious | Prometei                         | 91.189.91.42
AFFINITY-FTLUS | na.elf                              | malicious | Unknown                          | 64.23.188.144
               | i686.elf                            | malicious | Unknown                          | 64.23.188.144
               | na.elf                              | malicious | Unknown                          | 64.23.188.144
               | arm7.elf                            | malicious | Mirai, Moobot                    | 207.36.98.138
               | arm7.elf                            | malicious | Mirai, Moobot                    | 64.159.94.16
               | https://gffd-5ru.pages.dev/?email=nobody@wp.pl&mail=wp.pl | malicious | HTMLPhisher                      | 66.113.135.6
               | sh4.elf                             | malicious | Mirai, Moobot                    | 66.232.157.134
               | telnet.x86.elf                      | malicious | Unknown                          | 216.219.155.110
               | powerpc.elf                         | malicious | Unknown                          | 207.234.192.3
               | 3.elf                               | malicious | Unknown                          | 64.157.90.120
AMAZON-02US    | Quotation.exe                       | malicious | FormBook                         | 13.248.169.48
               | INV-20250217.js                     | malicious | FormBook                         | 13.248.169.48
               | p.elf                               | malicious | Gafgyt                           | 54.171.230.55
               | SHARP_CAMSCANNER20251601.PDF.vbs    | malicious | FormBook, PureLog Stealer, zgRAT | 13.248.169.48
               | Payment_Activity_0104_2025-2-17.vbs | malicious | Unknown                          | 18.238.49.117
               | Payment_Activity_0104_2025-2-17.vbs | malicious | Unknown                          | 52.85.61.52
               | Payment_Activity_0104_2025-2-17.vbs | malicious | Unknown                          | 108.139.29.102
               | Payment_Activity_0079_2025-2-17.vbs | malicious | Unknown                          | 3.161.82.12
               | Payment_Activity_0079_2025-2-17.vbs | malicious | Unknown                          | 108.138.112.90
               | Payment_Activity_0079_2025-2-17.vbs | malicious | Unknown                          | 108.139.47.120
INIT7CH        | mpsl.elf                            | malicious | Unknown                          | 109.202.202.202
               | arm6.elf                            | malicious | Unknown                          | 109.202.202.202
               | boatnet.arm6.elf                    | malicious | Mirai                            | 109.202.202.202
               | na.elf                              | malicious | Prometei                         | 109.202.202.202
               | boatnet.mips.elf                    | malicious | Mirai                            | 109.202.202.202
               | p.elf                               | malicious | Gafgyt                           | 109.202.202.202
               | e.elf                               | malicious | Gafgyt                           | 109.202.202.202
               | c.elf                               | malicious | Gafgyt                           | 109.202.202.202
               | b.elf                               | malicious | Gafgyt                           | 109.202.202.202
               | na.elf                              | malicious | Prometei                         | 109.202.202.202
                                                                        No context
                                                                        No context
                                                                        No created / dropped files found
                                                                        File type:ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
                                                                        Entropy (8bit):6.311024501504234
                                                                        TrID:
                                                                        • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                                                                        File name:i686.elf
                                                                        File size:71'712 bytes
                                                                        MD5:c966be652b4df4b0f8fbbaa51a1a29a3
                                                                        SHA1:42a7156abdc11e456c581db40116f9459f5ec305
                                                                        SHA256:1d1689d6da651763890e25713e402b357041645f42f8d7ac43acaae1145c1269
                                                                        SHA512:38a5ec31a75b703591131bb640d23efe7d3de2084c2c6331a6c9c336946e449c6a8183d4f0a6338625f2a43cee28104dbbf61f38ff9d9fc35ac53469c69cb997
                                                                        SSDEEP:1536:rpe6MaYm5K0DuKUyiJZ0T0raRW2wcZ6cDruKCtkr1:rp6aYm5Kkeyi7WW2r6cWKCtkr1
                                                                        TLSH:1D636C0BA881C0FDC4E6C7744B6EE527D633F4792136B1592BD0BE27BE59D211F2A601
                                                                        File Content Preview:.ELF..............>.......@.....@...................@.8...@.......................@.......@...............................................Q.......Q.....`........o..............Q.td....................................................H...._........H........

                                                                        ELF header

                                                                        Class:ELF64
                                                                        Data:2's complement, little endian
                                                                        Version:1 (current)
                                                                        Machine:Advanced Micro Devices X86-64
                                                                        Version Number:0x1
                                                                        Type:EXEC (Executable file)
                                                                        OS/ABI:UNIX - System V
                                                                        ABI Version:0
                                                                        Entry Point Address:0x400194
                                                                        Flags:0x0
                                                                        ELF Header Size:64
                                                                        Program Header Offset:64
                                                                        Program Header Size:56
                                                                        Number of Program Headers:3
                                                                        Section Header Offset:71072
                                                                        Section Header Size:64
                                                                        Number of Section Headers:10
                                                                        Header String Table Index:9

Sections

Name      | Type     | Address  | Offset  | Size   | EntSize | Flags | Flags Description | Link | Info | Align
          | NULL     | 0x0      | 0x0     | 0x0    | 0x0     | 0x0   |                   | 0    | 0    | 0
.init     | PROGBITS | 0x4000e8 | 0xe8    | 0x13   | 0x0     | 0x6   | AX                | 0    | 0    | 1
.text     | PROGBITS | 0x400100 | 0x100   | 0xe506 | 0x0     | 0x6   | AX                | 0    | 0    | 16
.fini     | PROGBITS | 0x40e606 | 0xe606  | 0xe    | 0x0     | 0x6   | AX                | 0    | 0    | 1
.rodata   | PROGBITS | 0x40e620 | 0xe620  | 0x2970 | 0x0     | 0x2   | A                 | 0    | 0    | 32
.ctors    | PROGBITS | 0x511000 | 0x11000 | 0x10   | 0x0     | 0x3   | WA                | 0    | 0    | 8
.dtors    | PROGBITS | 0x511010 | 0x11010 | 0x10   | 0x0     | 0x3   | WA                | 0    | 0    | 8
.data     | PROGBITS | 0x511040 | 0x11040 | 0x520  | 0x0     | 0x3   | WA                | 0    | 0    | 32
.bss      | NOBITS   | 0x511560 | 0x11560 | 0x6a88 | 0x0     | 0x3   | WA                | 0    | 0    | 32
.shstrtab | STRTAB   | 0x0      | 0x11560 | 0x3e   | 0x0     | 0x0   |                   | 0    | 0    | 1

Program Segments

Type      | Offset  | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align    | Prog Interpreter | Section Mappings
LOAD      | 0x0     | 0x400000        | 0x400000         | 0x10f90   | 0x10f90     | 6.3952  | 0x5   | R E               | 0x100000 |                  | .init .text .fini .rodata
LOAD      | 0x11000 | 0x511000        | 0x511000         | 0x560     | 0x6fe8      | 2.3566  | 0x6   | RW                | 0x100000 |                  | .ctors .dtors .data .bss
GNU_STACK | 0x0     | 0x0             | 0x0              | 0x0       | 0x0         | 0.0000  | 0x6   | RW                | 0x8      |                  |
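The header and segment tables above are exactly what a triage script cross-checks before any disassembly starts. The Python below is an added example, not code from the report or from the sample: it rebuilds the 64 header bytes from the values in the "ELF header" table (a constructed input, so the script runs offline), parses them with struct, and runs four checks: that the section header table ends exactly at the 71,712-byte file size (71072 + 10 * 64), that the entry point 0x400194 lies inside the R E LOAD segment, that the architecture implied by the file name agrees with e_machine (it does not: the file is named i686.elf but the report identifies it as x86-64), and that the image is ET_EXEC, i.e. it loads at fixed addresses. FILE_SIZE and TEXT_LOAD are copied from the report's file info and segment tables; the EM_NAMES table and the check names are the example's own.

```python
"""ELF64 header parsing and triage checks for a stripped static binary.

Added example, not code from the sandbox report or from the sample. The
64 header bytes below are constructed from the values in the report's
"ELF header" table so the script runs offline; on a real file use
open(path, "rb").read(64) instead. FILE_SIZE and TEXT_LOAD are copied
from the report's file info and program segment tables."""
import struct

# e_ident: \x7fELF, ELFCLASS64, ELFDATA2LSB, EV_CURRENT, ELFOSABI_SYSV, padding
E_IDENT = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
# Fields after e_ident, little endian: type, machine, version, entry, phoff,
# shoff, flags, ehsize, phentsize, phnum, shentsize, shnum, shstrndx
HEADER_FMT = "<HHIQQQIHHHHHH"
HEADER = E_IDENT + struct.pack(HEADER_FMT, 2, 0x3E, 1, 0x400194, 64, 71072, 0,
                               64, 56, 3, 64, 10, 9)
FILE_SIZE = 71712                                    # "File size" in the report
TEXT_LOAD = {"vaddr": 0x400000, "memsz": 0x10F90, "flags": 0x5}  # first LOAD, R E

ET_EXEC, PF_X = 2, 0x1
EM_NAMES = {0x03: "i386", 0x28: "arm", 0x3E: "x86-64", 0xB7: "aarch64"}


def parse_elf64_header(buf):
    """Return the ELF64 header as a dict of field name -> value.

    Refuses anything that is not little-endian ELF64, because HEADER_FMT
    would silently misparse a 32-bit or big-endian file."""
    if buf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if buf[4] != 2 or buf[5] != 1:
        raise ValueError("only ELFCLASS64 / ELFDATA2LSB is handled here")
    names = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff", "e_shoff",
             "e_flags", "e_ehsize", "e_phentsize", "e_phnum", "e_shentsize",
             "e_shnum", "e_shstrndx")
    return dict(zip(names, struct.unpack_from(HEADER_FMT, buf, 16)))


def triage(hdr, file_size, filename, exec_load):
    """Cheap consistency checks on a header; returns [(check, passed, detail)].

    - the section header table must end exactly at EOF, otherwise the file
      is truncated or has data appended after the linker finished;
    - the entry point must fall inside an executable LOAD segment;
    - the architecture hint in the name should agree with e_machine;
    - ET_EXEC means fixed load addresses, i.e. no PIE/ASLR for the image."""
    sh_end = hdr["e_shoff"] + hdr["e_shnum"] * hdr["e_shentsize"]
    entry = hdr["e_entry"]
    in_exec = (exec_load["flags"] & PF_X
               and exec_load["vaddr"] <= entry < exec_load["vaddr"] + exec_load["memsz"])
    arch = EM_NAMES.get(hdr["e_machine"], hex(hdr["e_machine"]))
    name_hints_32bit = "i686" in filename.lower() or "i386" in filename.lower()
    return [
        ("section table ends at EOF", sh_end == file_size, f"{sh_end} vs {file_size}"),
        ("entry inside executable LOAD", bool(in_exec), hex(entry)),
        ("file name agrees with e_machine", not (name_hints_32bit and arch == "x86-64"),
         f"{filename} -> {arch}"),
        ("fixed-address executable (ET_EXEC)", hdr["e_type"] == ET_EXEC, str(hdr["e_type"])),
    ]


if __name__ == "__main__":
    header = parse_elf64_header(HEADER)
    for check, ok, detail in triage(header, FILE_SIZE, "i686.elf", TEXT_LOAD):
        print(f"[{'ok' if ok else 'FLAG'}] {check}: {detail}")
```

On the values from this report every check passes except the name check, which is the point: a name like i686.elf is a distribution label chosen by the operator, and only e_machine says what the binary actually is.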

                                                                        • Total Packets: 52
• 51012 (no registered service; TCP to 64.23.188.144)
• 19302 (STUN; UDP to stun.l.google.com, 74.125.250.129)
                                                                        • 443 (HTTPS)
                                                                        • 80 (HTTP)
                                                                        • 53 (DNS)

TCP Packets

Timestamp                           | Src port | Dst port | Source IP       | Dest IP
Feb 18, 2025 10:17:57.857853889 CET | 43928    | 443      | 192.168.2.23    | 91.189.91.42
Feb 18, 2025 10:18:00.353277922 CET | 58904    | 51012    | 192.168.2.23    | 64.23.188.144
Feb 18, 2025 10:18:00.358331919 CET | 51012    | 58904    | 64.23.188.144   | 192.168.2.23
Feb 18, 2025 10:18:00.358382940 CET | 58904    | 51012    | 192.168.2.23    | 64.23.188.144
Feb 18, 2025 10:18:00.912071943 CET | 51012    | 58904    | 64.23.188.144   | 192.168.2.23
Feb 18, 2025 10:18:00.912139893 CET | 58904    | 51012    | 192.168.2.23    | 64.23.188.144
Feb 18, 2025 10:18:00.999083042 CET | 51012    | 58904    | 64.23.188.144   | 192.168.2.23
Feb 18, 2025 10:18:00.999155998 CET | 58904    | 51012    | 192.168.2.23    | 64.23.188.144
Feb 18, 2025 10:18:03.233242035 CET | 42836    | 443      | 192.168.2.23    | 91.189.91.43
Feb 18, 2025 10:18:04.512892008 CET | 42516    | 80       | 192.168.2.23    | 109.202.202.202
Feb 18, 2025 10:18:05.564102888 CET | 58904    | 51012    | 192.168.2.23    | 64.23.188.144
Feb 18, 2025 10:18:05.569336891 CET | 51012    | 58904    | 64.23.188.144   | 192.168.2.23
Feb 18, 2025 10:18:15.571388960 CET | 58904    | 51012    | 192.168.2.23    | 64.23.188.144
Feb 18, 2025 10:18:15.576675892 CET | 51012    | 58904    | 64.23.188.144   | 192.168.2.23
Feb 18, 2025 10:18:15.576729059 CET | 58904    | 51012    | 192.168.2.23    | 64.23.188.144
Feb 18, 2025 10:18:15.581746101 CET | 51012    | 58904    | 64.23.188.144   | 192.168.2.23
Feb 18, 2025 10:18:18.850884914 CET | 43928    | 443      | 192.168.2.23    | 91.189.91.42
Feb 18, 2025 10:18:24.181154013 CET | 33608    | 443      | 192.168.2.23    | 54.171.230.55
Feb 18, 2025 10:18:24.186964989 CET | 443      | 33608    | 54.171.230.55   | 192.168.2.23
Feb 18, 2025 10:18:24.187021971 CET | 33608    | 443      | 192.168.2.23    | 54.171.230.55
Feb 18, 2025 10:18:28.699338913 CET | 58904    | 51012    | 192.168.2.23    | 64.23.188.144
Feb 18, 2025 10:18:28.704551935 CET | 51012    | 58904    | 64.23.188.144   | 192.168.2.23
Feb 18, 2025 10:18:28.704616070 CET | 58904    | 51012    | 192.168.2.23    | 64.23.188.144
Feb 18, 2025 10:18:28.709578037 CET | 51012    | 58904    | 64.23.188.144   | 192.168.2.23
Feb 18, 2025 10:18:29.085410118 CET | 42836    | 443      | 192.168.2.23    | 91.189.91.43
Feb 18, 2025 10:18:35.228508949 CET | 42516    | 80       | 192.168.2.23    | 109.202.202.202
Feb 18, 2025 10:18:42.183680058 CET | 58904    | 51012    | 192.168.2.23    | 64.23.188.144
Feb 18, 2025 10:18:42.189589977 CET | 51012    | 58904    | 64.23.188.144   | 192.168.2.23
Feb 18, 2025 10:18:42.189642906 CET | 58904    | 51012    | 192.168.2.23    | 64.23.188.144
Feb 18, 2025 10:18:42.194642067 CET | 51012    | 58904    | 64.23.188.144   | 192.168.2.23
Feb 18, 2025 10:18:46.351278067 CET | 51012    | 58904    | 64.23.188.144   | 192.168.2.23
Feb 18, 2025 10:18:46.351372004 CET | 58904    | 51012    | 192.168.2.23    | 64.23.188.144
Feb 18, 2025 10:18:56.357518911 CET | 58904    | 51012    | 192.168.2.23    | 64.23.188.144
Feb 18, 2025 10:18:56.362653971 CET | 51012    | 58904    | 64.23.188.144   | 192.168.2.23
Feb 18, 2025 10:18:56.362714052 CET | 58904    | 51012    | 192.168.2.23    | 64.23.188.144
Feb 18, 2025 10:18:56.367760897 CET | 51012    | 58904    | 64.23.188.144   | 192.168.2.23
Feb 18, 2025 10:18:59.801038980 CET | 43928    | 443      | 192.168.2.23    | 91.189.91.42
Feb 18, 2025 10:19:10.383569002 CET | 58904    | 51012    | 192.168.2.23    | 64.23.188.144
Feb 18, 2025 10:19:10.389158964 CET | 51012    | 58904    | 64.23.188.144   | 192.168.2.23
Feb 18, 2025 10:19:10.389231920 CET | 58904    | 51012    | 192.168.2.23    | 64.23.188.144
Feb 18, 2025 10:19:10.395049095 CET | 51012    | 58904    | 64.23.188.144   | 192.168.2.23
Feb 18, 2025 10:19:20.278152943 CET | 42836    | 443      | 192.168.2.23    | 91.189.91.43
Feb 18, 2025 10:19:23.697647095 CET | 58904    | 51012    | 192.168.2.23    | 64.23.188.144
Feb 18, 2025 10:19:23.702877998 CET | 51012    | 58904    | 64.23.188.144   | 192.168.2.23
Feb 18, 2025 10:19:23.702958107 CET | 58904    | 51012    | 192.168.2.23    | 64.23.188.144
Feb 18, 2025 10:19:23.707986116 CET | 51012    | 58904    | 64.23.188.144   | 192.168.2.23
Feb 18, 2025 10:19:38.467566967 CET | 58904    | 51012    | 192.168.2.23    | 64.23.188.144
Feb 18, 2025 10:19:38.472675085 CET | 51012    | 58904    | 64.23.188.144   | 192.168.2.23
Feb 18, 2025 10:19:38.472733021 CET | 58904    | 51012    | 192.168.2.23    | 64.23.188.144
Feb 18, 2025 10:19:38.477834940 CET | 51012    | 58904    | 64.23.188.144   | 192.168.2.23
Feb 18, 2025 10:19:52.141731977 CET | 58904    | 51012    | 192.168.2.23    | 64.23.188.144
Feb 18, 2025 10:19:52.146987915 CET | 51012    | 58904    | 64.23.188.144   | 192.168.2.23
Feb 18, 2025 10:19:52.147053957 CET | 58904    | 51012    | 192.168.2.23    | 64.23.188.144
Feb 18, 2025 10:19:52.152858973 CET | 51012    | 58904    | 64.23.188.144   | 192.168.2.23
Feb 18, 2025 10:20:05.825424910 CET | 58904    | 51012    | 192.168.2.23    | 64.23.188.144
Feb 18, 2025 10:20:05.830538988 CET | 51012    | 58904    | 64.23.188.144   | 192.168.2.23
Feb 18, 2025 10:20:05.830579042 CET | 58904    | 51012    | 192.168.2.23    | 64.23.188.144
Feb 18, 2025 10:20:05.835532904 CET | 51012    | 58904    | 64.23.188.144   | 192.168.2.23
Feb 18, 2025 10:20:06.374744892 CET | 51012    | 58904    | 64.23.188.144   | 192.168.2.23
Feb 18, 2025 10:20:06.374903917 CET | 58904    | 51012    | 192.168.2.23    | 64.23.188.144
Feb 18, 2025 10:20:19.590114117 CET | 58904    | 51012    | 192.168.2.23    | 64.23.188.144
Feb 18, 2025 10:20:19.595285892 CET | 51012    | 58904    | 64.23.188.144   | 192.168.2.23
Feb 18, 2025 10:20:19.595364094 CET | 58904    | 51012    | 192.168.2.23    | 64.23.188.144
Feb 18, 2025 10:20:19.600433111 CET | 51012    | 58904    | 64.23.188.144   | 192.168.2.23
Feb 18, 2025 10:20:32.999986887 CET | 58904    | 51012    | 192.168.2.23    | 64.23.188.144
Feb 18, 2025 10:20:33.005105972 CET | 51012    | 58904    | 64.23.188.144   | 192.168.2.23
Feb 18, 2025 10:20:33.005188942 CET | 58904    | 51012    | 192.168.2.23    | 64.23.188.144
Feb 18, 2025 10:20:33.010443926 CET | 51012    | 58904    | 64.23.188.144   | 192.168.2.23
Feb 18, 2025 10:20:45.934062004 CET | 58904    | 51012    | 192.168.2.23    | 64.23.188.144
Feb 18, 2025 10:20:45.939155102 CET | 51012    | 58904    | 64.23.188.144   | 192.168.2.23
Feb 18, 2025 10:20:45.939214945 CET | 58904    | 51012    | 192.168.2.23    | 64.23.188.144
Feb 18, 2025 10:20:45.944165945 CET | 51012    | 58904    | 64.23.188.144   | 192.168.2.23
Feb 18, 2025 10:21:00.350594997 CET | 58904    | 51012    | 192.168.2.23    | 64.23.188.144
Feb 18, 2025 10:21:00.452560902 CET | 51012    | 58904    | 64.23.188.144   | 192.168.2.23
Feb 18, 2025 10:21:00.452702999 CET | 58904    | 51012    | 192.168.2.23    | 64.23.188.144
Feb 18, 2025 10:21:00.459889889 CET | 51012    | 58904    | 64.23.188.144   | 192.168.2.23
Feb 18, 2025 10:21:07.401776075 CET | 51012    | 58904    | 64.23.188.144   | 192.168.2.23
Feb 18, 2025 10:21:07.401838064 CET | 58904    | 51012    | 192.168.2.23    | 64.23.188.144
Feb 18, 2025 10:21:17.409719944 CET | 58904    | 51012    | 192.168.2.23    | 64.23.188.144
Feb 18, 2025 10:21:17.414798975 CET | 51012    | 58904    | 64.23.188.144   | 192.168.2.23
Feb 18, 2025 10:21:17.414860964 CET | 58904    | 51012    | 192.168.2.23    | 64.23.188.144
Feb 18, 2025 10:21:17.419858932 CET | 51012    | 58904    | 64.23.188.144   | 192.168.2.23
Feb 18, 2025 10:21:30.148061037 CET | 58904    | 51012    | 192.168.2.23    | 64.23.188.144
Feb 18, 2025 10:21:30.153371096 CET | 51012    | 58904    | 64.23.188.144   | 192.168.2.23
Feb 18, 2025 10:21:30.153424978 CET | 58904    | 51012    | 192.168.2.23    | 64.23.188.144
Feb 18, 2025 10:21:30.158580065 CET | 51012    | 58904    | 64.23.188.144   | 192.168.2.23

UDP Packets

Timestamp                           | Src port | Dst port | Source IP       | Dest IP
Feb 18, 2025 10:17:58.144813061 CET | 35845    | 53       | 192.168.2.23    | 54.36.111.116
Feb 18, 2025 10:18:00.161515951 CET | 55228    | 53       | 192.168.2.23    | 161.97.219.84
Feb 18, 2025 10:18:00.352632046 CET | 53       | 55228    | 161.97.219.84   | 192.168.2.23
Feb 18, 2025 10:18:01.358875990 CET | 52002    | 53       | 192.168.2.23    | 8.8.8.8
Feb 18, 2025 10:18:01.368840933 CET | 53       | 52002    | 8.8.8.8         | 192.168.2.23
Feb 18, 2025 10:18:01.370546103 CET | 44204    | 19302    | 192.168.2.23    | 74.125.250.129
Feb 18, 2025 10:18:01.825817108 CET | 19302    | 44204    | 74.125.250.129  | 192.168.2.23

ICMP Packets

Timestamp                           | Source IP       | Dest IP         | Checksum | Code               | Type
Feb 18, 2025 10:17:58.150377035 CET | 54.36.111.116   | 192.168.2.23    | 6589     | (Port unreachable) | Destination Unreachable

DNS Queries

Timestamp                           | Source IP    | Dest IP       | Trans ID | OP Code            | Name              | Type               | Class       | DNS over HTTPS
Feb 18, 2025 10:17:58.144813061 CET | 192.168.2.23 | 54.36.111.116 | 0x799a   | Standard query (0) | lib.libre         | TXT (Text strings) | IN (0x0001) | false
Feb 18, 2025 10:18:00.161515951 CET | 192.168.2.23 | 161.97.219.84 | 0xa2f1   | Standard query (0) | lib.libre         | TXT (Text strings) | IN (0x0001) | false
Feb 18, 2025 10:18:01.358875990 CET | 192.168.2.23 | 8.8.8.8       | 0xa931   | Standard query (0) | stun.l.google.com | A (IP address)     | IN (0x0001) | false

DNS Answers

Timestamp                           | Source IP     | Dest IP      | Trans ID | Reply Code   | Name              | CName | Address        | Type               | Class       | DNS over HTTPS
Feb 18, 2025 10:18:00.352632046 CET | 161.97.219.84 | 192.168.2.23 | 0xa2f1   | No error (0) | lib.libre         |       |                | TXT (Text strings) | IN (0x0001) | false
Feb 18, 2025 10:18:01.368840933 CET | 8.8.8.8       | 192.168.2.23 | 0xa931   | No error (0) | stun.l.google.com |       | 74.125.250.129 | A (IP address)     | IN (0x0001) | false
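The network tables above carry the whole story of this run: the first TXT query for lib.libre to 54.36.111.116 is answered with ICMP port unreachable, the retry to 161.97.219.84 is answered at 10:18:00.352, and the first packet to 64.23.188.144:51012 leaves at 10:18:00.353, after which the client re-contacts that peer roughly every 13 to 14 seconds until the capture ends. The port 443 and 80 flows go to 91.189.91.42 (CANONICAL-ASGB in the ASN table), 91.189.91.43, 109.202.202.202 (tied above to a ch.archive.ubuntu.com download) and 54.171.230.55, and none of them repeats on a schedule. The Python below is an added example, not code from the report: it scores each remote (IP, port) in the TCP table for beaconing by finding client-initiated exchanges separated by at least a second of silence and testing whether the gaps between them cluster around their median. SAMPLE_ROWS is a constructed subset of the TCP packet table in the same column order (the first packet of each client-initiated exchange, the two exchanges the server opened, and a few rows of the 443/80 flows); the thresholds (6 contacts, 5 s minimum period, 25% tolerance, 70% regularity) are assumptions, not values from the report.

```python
"""Beacon scoring over the per-packet TCP table of a sandbox report.

Added example, not code from the report. SAMPLE_ROWS is a constructed
subset of the TCP packet table (timestamp, source port, destination port,
source IP, destination IP): the first packet of every client-initiated
exchange, the two exchanges the server opened, and a few unrelated 443/80
rows. All thresholds are assumptions."""
import statistics
from collections import defaultdict
from datetime import datetime

SAMPLE_ROWS = """\
Feb 18, 2025 10:17:57.857853889 CET 43928 443 192.168.2.23 91.189.91.42
Feb 18, 2025 10:18:00.353277922 CET 58904 51012 192.168.2.23 64.23.188.144
Feb 18, 2025 10:18:04.512892008 CET 42516 80 192.168.2.23 109.202.202.202
Feb 18, 2025 10:18:05.564102888 CET 58904 51012 192.168.2.23 64.23.188.144
Feb 18, 2025 10:18:15.571388960 CET 58904 51012 192.168.2.23 64.23.188.144
Feb 18, 2025 10:18:18.850884914 CET 43928 443 192.168.2.23 91.189.91.42
Feb 18, 2025 10:18:28.699338913 CET 58904 51012 192.168.2.23 64.23.188.144
Feb 18, 2025 10:18:35.228508949 CET 42516 80 192.168.2.23 109.202.202.202
Feb 18, 2025 10:18:42.183680058 CET 58904 51012 192.168.2.23 64.23.188.144
Feb 18, 2025 10:18:46.351278067 CET 51012 58904 64.23.188.144 192.168.2.23
Feb 18, 2025 10:18:46.351372004 CET 58904 51012 192.168.2.23 64.23.188.144
Feb 18, 2025 10:18:56.357518911 CET 58904 51012 192.168.2.23 64.23.188.144
Feb 18, 2025 10:18:59.801038980 CET 43928 443 192.168.2.23 91.189.91.42
Feb 18, 2025 10:19:10.383569002 CET 58904 51012 192.168.2.23 64.23.188.144
Feb 18, 2025 10:19:23.697647095 CET 58904 51012 192.168.2.23 64.23.188.144
Feb 18, 2025 10:19:38.467566967 CET 58904 51012 192.168.2.23 64.23.188.144
Feb 18, 2025 10:19:52.141731977 CET 58904 51012 192.168.2.23 64.23.188.144
Feb 18, 2025 10:20:05.825424910 CET 58904 51012 192.168.2.23 64.23.188.144
Feb 18, 2025 10:20:19.590114117 CET 58904 51012 192.168.2.23 64.23.188.144
Feb 18, 2025 10:20:32.999986887 CET 58904 51012 192.168.2.23 64.23.188.144
Feb 18, 2025 10:20:45.934062004 CET 58904 51012 192.168.2.23 64.23.188.144
Feb 18, 2025 10:21:00.350594997 CET 58904 51012 192.168.2.23 64.23.188.144
Feb 18, 2025 10:21:07.401776075 CET 51012 58904 64.23.188.144 192.168.2.23
Feb 18, 2025 10:21:07.401838064 CET 58904 51012 192.168.2.23 64.23.188.144
Feb 18, 2025 10:21:17.409719944 CET 58904 51012 192.168.2.23 64.23.188.144
Feb 18, 2025 10:21:30.148061037 CET 58904 51012 192.168.2.23 64.23.188.144
"""

EPOCH = datetime(2025, 1, 1)  # arbitrary reference; only differences matter


def parse_row(line):
    """One row -> (seconds since EPOCH, sport, dport, src, dst).

    The report prints nanoseconds and strptime's %f stops at microseconds,
    so the fraction is split off and added back as a float."""
    parts = line.split()
    clock, frac = parts[3].split(".")
    base = datetime.strptime(" ".join(parts[:3] + [clock]), "%b %d, %Y %H:%M:%S")
    return ((base - EPOCH).total_seconds() + float("0." + frac),
            int(parts[5]), int(parts[6]), parts[7], parts[8])


def parse_rows(text):
    return [parse_row(line) for line in text.splitlines() if line.strip()]


def contact_starts(packets, client_ip, quiet=1.0):
    """Times at which the client opens a new exchange with the peer: a
    client-sent packet after at least `quiet` seconds of silence on the flow.
    Packets the server sends first, and the client's replies to them, do not
    count, so server-side keepalives cannot inflate the contact count."""
    starts, prev_t = [], None
    for t, _sport, _dport, src, _dst in sorted(packets):
        if src == client_ip and (prev_t is None or t - prev_t > quiet):
            starts.append(t)
        prev_t = t
    return starts


def detect_beacons(rows, client_ip, min_contacts=6, min_period=5.0,
                   tolerance=0.25, min_regular=0.7):
    """Group packets by remote (IP, port) and score each flow for beaconing.

    Flagged when the client re-contacts the peer at least `min_contacts`
    times, the median gap between contacts is at least `min_period` seconds
    (shorter gaps are ordinary request/response chatter), and at least
    `min_regular` of the gaps lie within +/- `tolerance` of that median."""
    flows = defaultdict(list)
    for pkt in rows:
        _t, sport, dport, src, dst = pkt
        flows[(dst, dport) if src == client_ip else (src, sport)].append(pkt)
    report = {}
    for peer, pkts in flows.items():
        starts = contact_starts(pkts, client_ip)
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        median = statistics.median(gaps) if gaps else 0.0
        regular = (sum(abs(g - median) <= tolerance * median for g in gaps) / len(gaps)
                   if gaps else 0.0)
        report[peer] = {
            "contacts": len(starts),
            "median_period": median,
            "regular_fraction": regular,
            "flagged": (len(starts) >= min_contacts and median >= min_period
                        and regular >= min_regular),
        }
    return report


if __name__ == "__main__":
    for (ip, port), r in sorted(detect_beacons(parse_rows(SAMPLE_ROWS), "192.168.2.23").items()):
        print(f"{ip}:{port:<5} contacts={r['contacts']:<3} median={r['median_period']:5.1f}s "
              f"regular={r['regular_fraction']:.0%} {'BEACON' if r['flagged'] else ''}")
```

Run stand-alone it prints one line per peer and marks only 64.23.188.144:51012 as BEACON: 17 client-initiated contacts with a median period of about 13.6 s, 13 of the 16 gaps within 25% of it. The direction and silence tests in contact_starts are what keep the score honest: counting server-initiated packets would let a chatty server inflate it, and a `quiet` window shorter than the server's response latency would split one exchange into several contacts.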

System Behavior

Start time (UTC): 09:17:56
Start date (UTC): 18/02/2025
Path: /tmp/i686.elf
Arguments: /tmp/i686.elf
File size: 71712 bytes
MD5 hash: c966be652b4df4b0f8fbbaa51a1a29a3

Start time (UTC): 09:17:57
Start date (UTC): 18/02/2025
Path: /tmp/i686.elf
Arguments: -
File size: 71712 bytes
MD5 hash: c966be652b4df4b0f8fbbaa51a1a29a3

Start time (UTC): 09:17:57
Start date (UTC): 18/02/2025
Path: /tmp/i686.elf
Arguments: -
File size: 71712 bytes
MD5 hash: c966be652b4df4b0f8fbbaa51a1a29a3

Start time (UTC): 09:17:57
Start date (UTC): 18/02/2025
Path: /tmp/i686.elf
Arguments: -
File size: 71712 bytes
MD5 hash: c966be652b4df4b0f8fbbaa51a1a29a3

Start time (UTC): 09:18:23
Start date (UTC): 18/02/2025
Path: /usr/bin/dash
Arguments: -
File size: 129816 bytes
MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC): 09:18:23
Start date (UTC): 18/02/2025
Path: /usr/bin/rm
Arguments: rm -f /tmp/tmp.etUmSm2Upd /tmp/tmp.IE9m4z47Lj /tmp/tmp.K6LQK1gdHS
File size: 72056 bytes
MD5 hash: aa2b5496fdbfd88e38791ab81f90b95b

Start time (UTC): 09:18:23
Start date (UTC): 18/02/2025
Path: /usr/bin/dash
Arguments: -
File size: 129816 bytes
MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC): 09:18:23
Start date (UTC): 18/02/2025
Path: /usr/bin/rm
Arguments: rm -f /tmp/tmp.etUmSm2Upd /tmp/tmp.IE9m4z47Lj /tmp/tmp.K6LQK1gdHS
File size: 72056 bytes
MD5 hash: aa2b5496fdbfd88e38791ab81f90b95b