
Linux Analysis Report
i686.elf

Overview

General Information

Sample name: i686.elf
Analysis ID: 1620021
MD5: 57045cec69bfd85596dd14675c537d5d
SHA1: ecf18ceace3b02e0928977e38c5ac154eb473760
SHA256: b737141b12b58332dcd7b81044c896aab8c72ea2ac4743ba9c45586708cec591
Tags: elf, user-abuse_ch

Detection

Score: 72
Range: 0 - 100

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Connects to many ports of the same IP (likely port scanning)
Performs DNS TXT record lookups
Sample reads /proc/mounts (often used for finding a writable filesystem)
Uses STUN server to do NAT traversal
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes the "rm" command used to delete files or directories
Sample has stripped symbol table
Sample listens on a socket
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Yara signature match

Classification

Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1620021
Start date and time: 2025-02-20 15:47:18 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 6s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: i686.elf
Detection: MAL
Classification: mal72.troj.evad.linELF@0/0@2/0
  • VT rate limit hit for: lib.libre
Command: /tmp/i686.elf
PID: 6263
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
For God so loved the world, that he gave his only begotten Son, that whosoever believeth in him should not perish, but have everlasting life
Standard Error:
  • system is lnxubuntu20
  • dash New Fork (PID: 6230, Parent: 4347)
  • rm (PID: 6230, Parent: 4347, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.vBBRTifGAJ /tmp/tmp.xneQExVNf2 /tmp/tmp.Wm7UWqWH0o
  • dash New Fork (PID: 6231, Parent: 4347)
  • rm (PID: 6231, Parent: 4347, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.vBBRTifGAJ /tmp/tmp.xneQExVNf2 /tmp/tmp.Wm7UWqWH0o
  • i686.elf (PID: 6263, Parent: 6163, MD5: 57045cec69bfd85596dd14675c537d5d) Arguments: /tmp/i686.elf
    • i686.elf New Fork (PID: 6265, Parent: 6263)
    • i686.elf New Fork (PID: 6266, Parent: 6263)
    • i686.elf New Fork (PID: 6280, Parent: 6263)
  • cleanup
Yara matches (sample file)

Source: i686.elf  Rule: Linux_Trojan_Gafgyt_9e9530a7  Description: unknown  Author: unknown
  • Strings: 0xb63c:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
Source: i686.elf  Rule: Linux_Trojan_Gafgyt_807911a2  Description: unknown  Author: unknown
  • Strings: 0xbe2b:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
Source: i686.elf  Rule: Linux_Trojan_Gafgyt_d4227dbf  Description: unknown  Author: unknown
  • Strings: 0x816e:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
  • Strings: 0x82d0:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
Source: i686.elf  Rule: Linux_Trojan_Gafgyt_d996d335  Description: unknown  Author: unknown
  • Strings: 0xe41a:$a: D0 EB 0F 40 38 37 75 04 48 89 F8 C3 49 FF C8 48 FF C7 4D 85 C0
Source: i686.elf  Rule: Linux_Trojan_Gafgyt_620087b9  Description: unknown  Author: unknown
  • Strings: 0xb9eb:$a: 48 89 D8 48 83 C8 01 EB 04 48 8B 76 10 48 3B 46 08 72 F6 48 8B
(2 further entries not shown in this view)
Yara matches (process memory)

Source: 6263.1.0000000000400000.0000000000412000.r-x.sdmp  Rule: Linux_Trojan_Gafgyt_9e9530a7  Description: unknown  Author: unknown
  • Strings: 0xb63c:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
Source: 6263.1.0000000000400000.0000000000412000.r-x.sdmp  Rule: Linux_Trojan_Gafgyt_807911a2  Description: unknown  Author: unknown
  • Strings: 0xbe2b:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
Source: 6263.1.0000000000400000.0000000000412000.r-x.sdmp  Rule: Linux_Trojan_Gafgyt_d4227dbf  Description: unknown  Author: unknown
  • Strings: 0x816e:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
  • Strings: 0x82d0:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
Source: 6263.1.0000000000400000.0000000000412000.r-x.sdmp  Rule: Linux_Trojan_Gafgyt_d996d335  Description: unknown  Author: unknown
  • Strings: 0xe41a:$a: D0 EB 0F 40 38 37 75 04 48 89 F8 C3 49 FF C8 48 FF C7 4D 85 C0
Source: 6263.1.0000000000400000.0000000000412000.r-x.sdmp  Rule: Linux_Trojan_Gafgyt_620087b9  Description: unknown  Author: unknown
  • Strings: 0xb9eb:$a: 48 89 D8 48 83 C8 01 EB 04 48 8B 76 10 48 3B 46 08 72 F6 48 8B
(2 further entries not shown in this view)
No Suricata rule has matched

AV Detection

Source: i686.elf  ReversingLabs: Detection: 28%

Networking

Source: global traffic  TCP traffic: 64.23.188.144 ports 43712,1,2,3,4,7
Source: unknown  DNS query: name: stun.l.google.com
Source: global traffic  TCP traffic: 192.168.2.23:47466 -> 64.23.188.144:43712
Source: global traffic  UDP traffic: 192.168.2.23:42130 -> 74.125.250.129:19302
Source: /tmp/i686.elf (PID: 6263)  Socket: 127.0.0.1:43478
Source: global traffic  TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic  TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic  TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown  TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown  TCP traffic detected without corresponding DNS query: 64.23.188.144
Source: unknown  TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown  TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown  UDP traffic detected without corresponding DNS query: 185.84.81.194
Source: global traffic  DNS traffic detected: DNS query: lib.libre
Source: global traffic  DNS traffic detected: DNS query: stun.l.google.com
Source: unknown  Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown  Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Source: i686.elf, type: SAMPLE  Matched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
Source: i686.elf, type: SAMPLE  Matched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
Source: i686.elf, type: SAMPLE  Matched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
Source: i686.elf, type: SAMPLE  Matched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
Source: i686.elf, type: SAMPLE  Matched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
Source: i686.elf, type: SAMPLE  Matched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
Source: i686.elf, type: SAMPLE  Matched rule: Linux_Trojan_Mirai_1cb033f3 Author: unknown
Source: 6263.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORY  Matched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
Source: 6263.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORY  Matched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
Source: 6263.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORY  Matched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
Source: 6263.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORY  Matched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
Source: 6263.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORY  Matched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
Source: 6263.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORY  Matched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
Source: 6263.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORY  Matched rule: Linux_Trojan_Mirai_1cb033f3 Author: unknown
Source: ELF static info symbol of initial sample  .symtab present: no
Source: i686.elf, type: SAMPLE  Matched rule: Linux_Trojan_Gafgyt_9e9530a7  reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: i686.elf, type: SAMPLE  Matched rule: Linux_Trojan_Gafgyt_807911a2  os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: i686.elf, type: SAMPLE  Matched rule: Linux_Trojan_Gafgyt_d4227dbf  reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: i686.elf, type: SAMPLE  Matched rule: Linux_Trojan_Gafgyt_d996d335  reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: i686.elf, type: SAMPLE  Matched rule: Linux_Trojan_Gafgyt_620087b9  reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: i686.elf, type: SAMPLE  Matched rule: Linux_Trojan_Gafgyt_33b4111a  reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: i686.elf, type: SAMPLE  Matched rule: Linux_Trojan_Mirai_1cb033f3  os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 49201ab37ff0b5cdfa9b0b34b6faa170bd25f04df51c24b0b558b7534fecc358, id = 1cb033f3-68c1-4fe5-9cd1-b5d066c1d86e, last_modified = 2021-09-16
Source: 6263.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORY  Matched rule: Linux_Trojan_Gafgyt_9e9530a7  reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: 6263.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORY  Matched rule: Linux_Trojan_Gafgyt_807911a2  os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: 6263.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORY  Matched rule: Linux_Trojan_Gafgyt_d4227dbf  reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: 6263.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORY  Matched rule: Linux_Trojan_Gafgyt_d996d335  reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: 6263.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORY  Matched rule: Linux_Trojan_Gafgyt_620087b9  reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: 6263.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORY  Matched rule: Linux_Trojan_Gafgyt_33b4111a  reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: 6263.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORY  Matched rule: Linux_Trojan_Mirai_1cb033f3  os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 49201ab37ff0b5cdfa9b0b34b6faa170bd25f04df51c24b0b558b7534fecc358, id = 1cb033f3-68c1-4fe5-9cd1-b5d066c1d86e, last_modified = 2021-09-16
Source: classification engine  Classification label: mal72.troj.evad.linELF@0/0@2/0

Persistence and Installation Behavior

Source: /tmp/i686.elf (PID: 6263)  File: /proc/6263/mounts
Source: /tmp/i686.elf (PID: 6265)  File: /proc/6265/mounts
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/2033/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/2033/status
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/2033/cmdline
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1582/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1582/status
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1582/cmdline
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/2275/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/2275/status
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/2275/cmdline
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1612/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1579/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1579/status
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1579/cmdline
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1699/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1699/status
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1699/cmdline
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1335/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1335/status
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1335/cmdline
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1698/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1698/status
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1698/cmdline
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/2028/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1334/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1334/status
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1334/cmdline
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1576/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/2302/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/2302/status
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/2302/cmdline
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/3236/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/3236/status
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/3236/cmdline
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/2025/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/2025/status
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/2025/cmdline
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/2146/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/2146/status
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/2146/cmdline
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/912/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/759/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/759/status
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/759/cmdline
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/2307/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/2307/status
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/2307/cmdline
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/918/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1594/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1594/status
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1594/cmdline
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/2285/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/2285/status
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/2285/cmdline
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/2281/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/2281/status
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/2281/cmdline
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1349/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1349/status
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1349/cmdline
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1/status
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1/cmdline
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1623/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1623/status
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1623/cmdline
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/761/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/761/status
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/761/cmdline
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1622/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1622/status
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1622/cmdline
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/884/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1983/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/2038/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/2038/status
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/2038/cmdline
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1586/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1586/status
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1586/cmdline
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1465/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1465/status
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1465/cmdline
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1344/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1860/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1860/status
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1860/cmdline
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1463/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1463/status
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1463/cmdline
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/2156/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/2156/status
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/2156/cmdline
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/800/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/801/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1629/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1629/status
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1629/cmdline
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1627/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1627/status
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1627/cmdline
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/1900/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/491/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/491/status
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/491/cmdline
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/2294/maps
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/2294/status
Source: /tmp/i686.elf (PID: 6263)  File opened: /proc/2294/cmdline
Source: /usr/bin/dash (PID: 6230)  Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.vBBRTifGAJ /tmp/tmp.xneQExVNf2 /tmp/tmp.Wm7UWqWH0o
Source: /usr/bin/dash (PID: 6231)  Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.vBBRTifGAJ /tmp/tmp.xneQExVNf2 /tmp/tmp.Wm7UWqWH0o

HIPS / PFW / Operating System Protection Evasion

Source: Traffic  DNS traffic detected: queries for: lib.libre
MITRE ATT&CK Matrix (matched techniques are marked with their hit count in parentheses)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Defense Evasion: File Deletion (1); Rootkit; Obfuscated Files or Information; Binary Padding
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS
Discovery: File and Directory Discovery (1); Application Window Discovery; Query Registry; System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (2)
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
No configs have been found
Behavior Graph

Behavior Graph ID: 1620021
Sample: i686.elf
Start date: 20/02/2025
Architecture: LINUX
Score: 72
Network nodes: lib.libre, stun.l.google.com, 5 other IPs or domains
Process nodes: dash -> rm -> i686.elf (three forked i686.elf child processes); dash -> rm
Graph signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Connects to many ports of the same IP (likely port scanning); Performs DNS TXT record lookups (lib.libre); Uses STUN server to do NAT traversal (stun.l.google.com); Sample reads /proc/mounts (often used for finding a writable filesystem)
Antivirus, Machine Learning and Genetic Malware Detection

Source: i686.elf  Detection: 29%  Scanner: ReversingLabs  Label: Linux.Backdoor.Gafgyt
No Antivirus matches


Domains

Name: stun.l.google.com  IP: 74.125.250.129  Active: true  Malicious: false  Antivirus Detection: (none)  Reputation: high
Name: lib.libre  IP: unknown  Active: unknown  Malicious: true  Antivirus Detection: (none)  Reputation: unknown
IPs

IP: 64.23.188.144  Domain: unknown  Country: United States  ASN: 3064  ASN Name: AFFINITY-FTL (US)  Malicious: true
IP: 109.202.202.202  Domain: unknown  Country: Switzerland  ASN: 13030  ASN Name: INIT7 (CH)  Malicious: false
IP: 74.125.250.129  Domain: stun.l.google.com  Country: United States  ASN: 15169  ASN Name: GOOGLE (US)  Malicious: false
IP: 91.189.91.43  Domain: unknown  Country: United Kingdom  ASN: 41231  ASN Name: CANONICAL-AS (GB)  Malicious: false
IP: 91.189.91.42  Domain: unknown  Country: United Kingdom  ASN: 41231  ASN Name: CANONICAL-AS (GB)  Malicious: false
Context: IPs (associated samples seen with the same IP; columns: sample name, detection, threat name)

64.23.188.144
  • i686.elf: malicious, Mirai
  • i686.elf: malicious, Unknown
  • i686.elf: malicious, Unknown
  • i686.elf: malicious, Unknown
  • na.elf: malicious, Unknown
  • i686.elf: malicious, Unknown
  • na.elf: malicious, Unknown
109.202.202.202
  • kpLwzBouH4.elf: malicious, Unknown
    • ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43
  • ppc.elf: malicious, Unknown
  • sh4.elf: malicious, Unknown
  • na.elf: malicious, Prometei
  • aarch64.elf: malicious, Unknown
  • spc.elf: malicious, Unknown
  • na.elf: malicious, Prometei
  • na.elf: malicious, Prometei
  • na.elf: malicious, Prometei
  • na.elf: malicious, Prometei
  • na.elf: malicious, Prometei
91.189.91.42
  • ppc.elf: malicious, Unknown
  • sh4.elf: malicious, Unknown
  • na.elf: malicious, Prometei
  • aarch64.elf: malicious, Unknown
  • spc.elf: malicious, Unknown
  • na.elf: malicious, Prometei
  • na.elf: malicious, Prometei
  • na.elf: malicious, Prometei
  • na.elf: malicious, Prometei
  • na.elf: malicious, Prometei

Context: Domains
No context
Context: ASNs (associated samples seen in the same ASN; columns: sample name, detection, threat name, contacted IP)

CANONICAL-ASGB
  • ppc.elf: malicious, Unknown; 91.189.91.42
  • mips.elf: malicious, Unknown; 185.125.190.26
  • sh4.elf: malicious, Unknown; 91.189.91.42
  • na.elf: malicious, Prometei; 91.189.91.42
  • aarch64.elf: malicious, Unknown; 91.189.91.42
  • spc.elf: malicious, Unknown; 91.189.91.42
  • na.elf: malicious, Prometei; 91.189.91.42
  • na.elf: malicious, Prometei; 91.189.91.42
  • na.elf: malicious, Prometei; 91.189.91.42
  • na.elf: malicious, Prometei; 91.189.91.42
                                                            • 185.125.190.26
                                                            sh4.elfGet hashmaliciousUnknownBrowse
                                                            • 91.189.91.42
                                                            na.elfGet hashmaliciousPrometeiBrowse
                                                            • 91.189.91.42
                                                            aarch64.elfGet hashmaliciousUnknownBrowse
                                                            • 91.189.91.42
                                                            spc.elfGet hashmaliciousUnknownBrowse
                                                            • 91.189.91.42
                                                            na.elfGet hashmaliciousPrometeiBrowse
                                                            • 91.189.91.42
                                                            na.elfGet hashmaliciousPrometeiBrowse
                                                            • 91.189.91.42
                                                            na.elfGet hashmaliciousPrometeiBrowse
                                                            • 91.189.91.42
                                                            na.elfGet hashmaliciousPrometeiBrowse
                                                            • 91.189.91.42
                                                            AFFINITY-FTLUSOpalescently.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                            • 64.23.153.21
                                                            i686.elfGet hashmaliciousMiraiBrowse
                                                            • 64.23.188.144
                                                            i686.elfGet hashmaliciousUnknownBrowse
                                                            • 64.23.188.144
                                                            i686.elfGet hashmaliciousUnknownBrowse
                                                            • 64.23.188.144
                                                            i686.elfGet hashmaliciousUnknownBrowse
                                                            • 64.23.188.144
                                                            na.elfGet hashmaliciousUnknownBrowse
                                                            • 64.23.188.144
                                                            i686.elfGet hashmaliciousUnknownBrowse
                                                            • 64.23.188.144
                                                            na.elfGet hashmaliciousUnknownBrowse
                                                            • 64.23.188.144
                                                            arm7.elfGet hashmaliciousMirai, MoobotBrowse
                                                            • 207.36.98.138
                                                            arm7.elfGet hashmaliciousMirai, MoobotBrowse
                                                            • 64.159.94.16
                                                            INIT7CHppc.elfGet hashmaliciousUnknownBrowse
                                                            • 109.202.202.202
                                                            sh4.elfGet hashmaliciousUnknownBrowse
                                                            • 109.202.202.202
                                                            na.elfGet hashmaliciousPrometeiBrowse
                                                            • 109.202.202.202
                                                            aarch64.elfGet hashmaliciousUnknownBrowse
                                                            • 109.202.202.202
                                                            spc.elfGet hashmaliciousUnknownBrowse
                                                            • 109.202.202.202
                                                            na.elfGet hashmaliciousPrometeiBrowse
                                                            • 109.202.202.202
                                                            na.elfGet hashmaliciousPrometeiBrowse
                                                            • 109.202.202.202
                                                            na.elfGet hashmaliciousPrometeiBrowse
                                                            • 109.202.202.202
                                                            na.elfGet hashmaliciousPrometeiBrowse
                                                            • 109.202.202.202
                                                            na.elfGet hashmaliciousPrometeiBrowse
                                                            • 109.202.202.202
                                                            No context
                                                            No context
                                                            No created / dropped files found
                                                            File type:ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
                                                            Entropy (8bit):5.94067173923663
                                                            TrID:
                                                            • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                                                            File name:i686.elf
                                                            File size:79'904 bytes
                                                            MD5:57045cec69bfd85596dd14675c537d5d
                                                            SHA1:ecf18ceace3b02e0928977e38c5ac154eb473760
                                                            SHA256:b737141b12b58332dcd7b81044c896aab8c72ea2ac4743ba9c45586708cec591
                                                            SHA512:9e1330feda3b9cd3d4821083e4f35d67e63dde554ad139bb967fda0c6be09cd58edd785c4d550a2e1b7337a31fc0467ab096fbbe9209450f6ebfbbdb874de5cb
                                                            SSDEEP:1536:T4CFysLhRYmD/VA2uSdyiwzKZa0Hoy0rufCS/0fBz+1sG51:LyuRYmD/VA2/yiuaoy+S/0s1sC1
                                                            TLSH:3C735B07648290FDC496C2B84B7EA527D573F47E2138B25927D0BE26EE5EE213F6B140
                                                            File Content Preview:.ELF..............>.......@.....@........%..........@.8...@.......................@.......@...................................... ....... Q...... Q.....`........o..............Q.td....................................................H...._....j...H........

                                                            ELF header

                                                            Class:ELF64
                                                            Data:2's complement, little endian
                                                            Version:1 (current)
                                                            Machine:Advanced Micro Devices X86-64
                                                            Version Number:0x1
                                                            Type:EXEC (Executable file)
                                                            OS/ABI:UNIX - System V
                                                            ABI Version:0
                                                            Entry Point Address:0x400194
                                                            Flags:0x0
                                                            ELF Header Size:64
                                                            Program Header Offset:64
                                                            Program Header Size:56
                                                            Number of Program Headers:3
                                                            Section Header Offset:75168
                                                            Section Header Size:64
                                                            Number of Section Headers:10
                                                            Header String Table Index:9
Name       Type      Address   Offset   Size    EntSize  Flags  Flags Description  Link  Info  Align
(none)     NULL      0x0       0x0      0x0     0x0      0x0                       0     0     0
.init      PROGBITS  0x4000e8  0xe8     0x13    0x0      0x6    AX                 0     0     1
.text      PROGBITS  0x400100  0x100    0xe796  0x0      0x6    AX                 0     0     16
.fini      PROGBITS  0x40e896  0xe896   0xe     0x0      0x6    AX                 0     0     1
.rodata    PROGBITS  0x40e8c0  0xe8c0   0x2b30  0x0      0x2    A                  0     0     32
.ctors     PROGBITS  0x512000  0x12000  0x10    0x0      0x3    WA                 0     0     8
.dtors     PROGBITS  0x512010  0x12010  0x10    0x0      0x3    WA                 0     0     8
.data      PROGBITS  0x512040  0x12040  0x520   0x0      0x3    WA                 0     0     32
.bss       NOBITS    0x512560  0x12560  0x6a88  0x0      0x3    WA                 0     0     32
.shstrtab  STRTAB    0x0       0x12560  0x3e    0x0      0x0                       0     0     1
Type       Offset   Virtual Address  Physical Address  File Size  Memory Size  Entropy  Flags  Flags Description  Align     Prog Interpreter  Section Mappings
LOAD       0x0      0x400000         0x400000          0x113f0    0x113f0      6.3978   0x5    R E                0x100000  (none)            .init .text .fini .rodata
LOAD       0x12000  0x512000         0x512000          0x560      0x6fe8       2.3555   0x6    RW                 0x100000  (none)            .ctors .dtors .data .bss
GNU_STACK  0x0      0x0              0x0               0x0        0x0          0.0000   0x6    RW                 0x8       (none)


                                                            • Total Packets: 46
• 43712 (no registered service name)
• 19302 (no registered service name)
                                                            • 443 (HTTPS)
                                                            • 80 (HTTP)
                                                            • 53 (DNS)
Timestamp                          Source Port  Dest Port  Source IP       Dest IP
Feb 20, 2025 15:48:05.333760977 CET  35856        53         192.168.2.23    185.84.81.194
Feb 20, 2025 15:48:05.344412088 CET  53           35856      185.84.81.194   192.168.2.23
Feb 20, 2025 15:48:06.357161045 CET  58953        53         192.168.2.23    8.8.8.8
Feb 20, 2025 15:48:06.366576910 CET  53           58953      8.8.8.8         192.168.2.23
Feb 20, 2025 15:48:06.366715908 CET  42130        19302      192.168.2.23    74.125.250.129
Feb 20, 2025 15:48:06.822084904 CET  19302        42130      74.125.250.129  192.168.2.23
Timestamp                            Source IP     Dest IP        Trans ID  OP Code             Name               Type            Class        DNS over HTTPS
Feb 20, 2025 15:48:05.333760977 CET  192.168.2.23  185.84.81.194  0xf7      Standard query (0)  lib.libre          16 (TXT)        IN (0x0001)  false
Feb 20, 2025 15:48:06.357161045 CET  192.168.2.23  8.8.8.8        0x918b    Standard query (0)  stun.l.google.com  A (IP address)  IN (0x0001)  false
Timestamp                            Source IP      Dest IP       Trans ID  Reply Code    Name               CName   Address         Type                Class        DNS over HTTPS
Feb 20, 2025 15:48:05.344412088 CET  185.84.81.194  192.168.2.23  0xf7      No error (0)  lib.libre          (none)  (none)          TXT (Text strings)  IN (0x0001)  false
Feb 20, 2025 15:48:06.366576910 CET  8.8.8.8        192.168.2.23  0x918b    No error (0)  stun.l.google.com  (none)  74.125.250.129  A (IP address)      IN (0x0001)  false

                                                            System Behavior

                                                            Start time (UTC):14:47:58
                                                            Start date (UTC):20/02/2025
                                                            Path:/usr/bin/dash
                                                            Arguments:-
                                                            File size:129816 bytes
                                                            MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                                            Start time (UTC):14:47:58
                                                            Start date (UTC):20/02/2025
                                                            Path:/usr/bin/rm
                                                            Arguments:rm -f /tmp/tmp.vBBRTifGAJ /tmp/tmp.xneQExVNf2 /tmp/tmp.Wm7UWqWH0o
                                                            File size:72056 bytes
                                                            MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

                                                            Start time (UTC):14:47:58
                                                            Start date (UTC):20/02/2025
                                                            Path:/usr/bin/dash
                                                            Arguments:-
                                                            File size:129816 bytes
                                                            MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                                            Start time (UTC):14:47:58
                                                            Start date (UTC):20/02/2025
                                                            Path:/usr/bin/rm
                                                            Arguments:rm -f /tmp/tmp.vBBRTifGAJ /tmp/tmp.xneQExVNf2 /tmp/tmp.Wm7UWqWH0o
                                                            File size:72056 bytes
                                                            MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

                                                            Start time (UTC):14:48:04
                                                            Start date (UTC):20/02/2025
                                                            Path:/tmp/i686.elf
                                                            Arguments:/tmp/i686.elf
                                                            File size:79904 bytes
                                                            MD5 hash:57045cec69bfd85596dd14675c537d5d

                                                            Start time (UTC):14:48:04
                                                            Start date (UTC):20/02/2025
                                                            Path:/tmp/i686.elf
                                                            Arguments:-
                                                            File size:79904 bytes
                                                            MD5 hash:57045cec69bfd85596dd14675c537d5d

                                                            Start time (UTC):14:48:04
                                                            Start date (UTC):20/02/2025
                                                            Path:/tmp/i686.elf
                                                            Arguments:-
                                                            File size:79904 bytes
                                                            MD5 hash:57045cec69bfd85596dd14675c537d5d

                                                            Start time (UTC):14:48:04
                                                            Start date (UTC):20/02/2025
                                                            Path:/tmp/i686.elf
                                                            Arguments:-
                                                            File size:79904 bytes
                                                            MD5 hash:57045cec69bfd85596dd14675c537d5d