Edit tour
Linux
Analysis Report
botnt.arm7.elf
Overview
General Information
Sample name: | botnt.arm7.elf |
Analysis ID: | 1502200 |
MD5: | 97ef72e9f5e8a8b12ded9b6e22bc0672 |
SHA1: | 31bd62fe2554ebed242986e7576f74c510370c46 |
SHA256: | a80d1ad56de4e4bd29e79065e05a692459e72c1d6ef3097ece98620c975e1cd2 |
Tags: | botntelf |
Infos: |
Detection
Score: | 48 |
Range: | 0 - 100 |
Whitelisted: | false |
Signatures
Multi AV Scanner detection for submitted file
Detected TCP or UDP traffic on non-standard ports
Executes the "rm" command used to delete files or directories
Sample has stripped symbol table
Sample listens on a socket
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)
Classification
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1502200 |
Start date and time: | 2024-08-31 14:48:06 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 48s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultlinuxfilecookbook.jbs |
Analysis system description: | Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11) |
Analysis Mode: | default |
Sample name: | botnt.arm7.elf |
Detection: | MAL |
Classification: | mal48.linELF@0/0@1/0 |
Command: | /tmp/botnt.arm7.elf |
PID: | 6293 |
Exit Code: | 0 |
Exit Code Info: | |
Killed: | False |
Standard Output: | |
Standard Error: | Segmentation fault |
- system is lnxubuntu20
- dash New Fork (PID: 6260, Parent: 4332)
- dash New Fork (PID: 6261, Parent: 4332)
- dash New Fork (PID: 6262, Parent: 4332)
- dash New Fork (PID: 6263, Parent: 4332)
- dash New Fork (PID: 6264, Parent: 4332)
- dash New Fork (PID: 6265, Parent: 4332)
- dash New Fork (PID: 6266, Parent: 4332)
- dash New Fork (PID: 6267, Parent: 4332)
- dash New Fork (PID: 6268, Parent: 4332)
- dash New Fork (PID: 6269, Parent: 4332)
- botnt.arm7.elf New Fork (PID: 6296, Parent: 6293)
- cleanup
⊘No yara matches
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | ReversingLabs: |
Source: | TCP traffic: |
Source: | Socket: | Jump to behavior |
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | .symtab present: |
Source: | Classification label: |
Source: | Rm executable: | Jump to behavior | ||
Source: | Rm executable: | Jump to behavior |
Source: | Stderr: Segmentation fault: |
Source: | Queries kernel information via 'uname': | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | 1 File Deletion | OS Credential Dumping | 11 Security Software Discovery | Remote Services | Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | 2 Application Layer Protocol | Traffic Duplication | Data Destruction |
⊘No configs have been found
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
18% | ReversingLabs | Linux.Backdoor.Mirai |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
c.francoanddosbot.fun | 172.232.152.145 | true | false | unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
109.202.202.202 | unknown | Switzerland | 13030 | INIT7CH | false | |
91.189.91.43 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false | |
95.85.78.2 | unknown | Russian Federation | 8749 | REDCOM-ASRedcomKhabarovskRussiaRU | false | |
91.189.91.42 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
109.202.202.202 | Get hash | malicious | Unknown | Browse |
| |
91.189.91.43 | Get hash | malicious | Unknown | Browse | ||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Mirai | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Mirai | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Mirai, Okiru | Browse | |||
Get hash | malicious | Mirai | Browse | |||
Get hash | malicious | Unknown | Browse | |||
91.189.91.42 | Get hash | malicious | Unknown | Browse | ||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Mirai | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Mirai | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Mirai, Okiru | Browse | |||
Get hash | malicious | Mirai | Browse | |||
Get hash | malicious | Unknown | Browse |
⊘No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CANONICAL-ASGB | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Mirai, Okiru | Browse |
| ||
CANONICAL-ASGB | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Mirai, Okiru | Browse |
| ||
REDCOM-ASRedcomKhabarovskRussiaRU | Get hash | malicious | Mirai | Browse |
| |
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Amadey, Healer AV Disabler, RedLine | Browse |
| ||
Get hash | malicious | Amadey, Healer AV Disabler, RedLine | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | SystemBC | Browse |
| ||
Get hash | malicious | PureLog Stealer, RHADAMANTHYS | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
INIT7CH | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Mirai, Okiru | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Unknown | Browse |
|
⊘No context
⊘No context
⊘No created / dropped files found
File type: | |
Entropy (8bit): | 6.134342099176749 |
TrID: |
|
File name: | botnt.arm7.elf |
File size: | 92'288 bytes |
MD5: | 97ef72e9f5e8a8b12ded9b6e22bc0672 |
SHA1: | 31bd62fe2554ebed242986e7576f74c510370c46 |
SHA256: | a80d1ad56de4e4bd29e79065e05a692459e72c1d6ef3097ece98620c975e1cd2 |
SHA512: | c702b00dea450f06be4a46fda5cabe454125198a32396645a5664d3e0c3886f4c086d5250828cdb8c7cd2acc8d30d110764318ad6ad44c2f1a9c371a4cff1ee5 |
SSDEEP: | 1536:VQnuiXtI1wYQxRYMc3Lu9FDDD6JSTpP2aFzoiMjOJUaOll7CiXzItl0Y7MyB:+iyYsnckDv6JWp+aFzoiMjOATzItl0LO |
TLSH: | 3493385AFC819B01D4D522BAFE4E118A33531B7CE3EF72129D14AF2563CA96B0E7B501 |
File Content Preview: | .ELF..............(.........4....f......4. ...(........p.`...........................................b...b...............b...b...b..T....3...............b...b...b..................Q.td..................................-...L..................@-.,@...0....S |
ELF header | |
---|---|
Class: | |
Data: | |
Version: | |
Machine: | |
Version Number: | |
Type: | |
OS/ABI: | |
ABI Version: | 0 |
Entry Point Address: | |
Flags: | |
ELF Header Size: | 52 |
Program Header Offset: | 52 |
Program Header Size: | 32 |
Number of Program Headers: | 5 |
Section Header Offset: | 91648 |
Section Header Size: | 40 |
Number of Section Headers: | 16 |
Header String Table Index: | 15 |
Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align |
---|---|---|---|---|---|---|---|---|---|---|
NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0 | 0 | 0 | ||
.init | PROGBITS | 0x80d4 | 0xd4 | 0x10 | 0x0 | 0x6 | AX | 0 | 0 | 4 |
.text | PROGBITS | 0x80f0 | 0xf0 | 0x14b34 | 0x0 | 0x6 | AX | 0 | 0 | 16 |
.fini | PROGBITS | 0x1cc24 | 0x14c24 | 0x10 | 0x0 | 0x6 | AX | 0 | 0 | 4 |
.rodata | PROGBITS | 0x1cc38 | 0x14c38 | 0x14a8 | 0x0 | 0x2 | A | 0 | 0 | 8 |
.ARM.extab | PROGBITS | 0x1e0e0 | 0x160e0 | 0x18 | 0x0 | 0x2 | A | 0 | 0 | 4 |
.ARM.exidx | ARM_EXIDX | 0x1e0f8 | 0x160f8 | 0x118 | 0x0 | 0x82 | AL | 2 | 0 | 4 |
.eh_frame | PROGBITS | 0x26210 | 0x16210 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.tbss | NOBITS | 0x26214 | 0x16214 | 0x8 | 0x0 | 0x403 | WAT | 0 | 0 | 4 |
.init_array | INIT_ARRAY | 0x26214 | 0x16214 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.fini_array | FINI_ARRAY | 0x26218 | 0x16218 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.got | PROGBITS | 0x26220 | 0x16220 | 0xa8 | 0x4 | 0x3 | WA | 0 | 0 | 4 |
.data | PROGBITS | 0x262c8 | 0x162c8 | 0x29c | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.bss | NOBITS | 0x26564 | 0x16564 | 0x3074 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.ARM.attributes | ARM_ATTRIBUTES | 0x0 | 0x16564 | 0x16 | 0x0 | 0x0 | 0 | 0 | 1 | |
.shstrtab | STRTAB | 0x0 | 0x1657a | 0x83 | 0x0 | 0x0 | 0 | 0 | 1 |
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings |
---|---|---|---|---|---|---|---|---|---|---|---|
EXIDX | 0x160f8 | 0x1e0f8 | 0x1e0f8 | 0x118 | 0x118 | 4.4505 | 0x4 | R | 0x4 | .ARM.exidx | |
LOAD | 0x0 | 0x8000 | 0x8000 | 0x16210 | 0x16210 | 6.1529 | 0x5 | R E | 0x8000 | .init .text .fini .rodata .ARM.extab .ARM.exidx | |
LOAD | 0x16210 | 0x26210 | 0x26210 | 0x354 | 0x33c8 | 4.1570 | 0x6 | RW | 0x8000 | .eh_frame .tbss .init_array .fini_array .got .data .bss | |
TLS | 0x16214 | 0x26214 | 0x26214 | 0x0 | 0x8 | 0.0000 | 0x4 | R | 0x4 | .tbss | |
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Aug 31, 2024 14:49:10.095851898 CEST | 44774 | 6969 | 192.168.2.23 | 95.85.78.2 |
Aug 31, 2024 14:49:10.100766897 CEST | 6969 | 44774 | 95.85.78.2 | 192.168.2.23 |
Aug 31, 2024 14:49:10.100814104 CEST | 44774 | 6969 | 192.168.2.23 | 95.85.78.2 |
Aug 31, 2024 14:49:10.100948095 CEST | 44774 | 6969 | 192.168.2.23 | 95.85.78.2 |
Aug 31, 2024 14:49:10.105814934 CEST | 6969 | 44774 | 95.85.78.2 | 192.168.2.23 |
Aug 31, 2024 14:49:10.353389978 CEST | 42516 | 80 | 192.168.2.23 | 109.202.202.202 |
Aug 31, 2024 14:49:11.315922022 CEST | 6969 | 44774 | 95.85.78.2 | 192.168.2.23 |
Aug 31, 2024 14:49:11.316040039 CEST | 44774 | 6969 | 192.168.2.23 | 95.85.78.2 |
Aug 31, 2024 14:49:11.316524029 CEST | 44774 | 6969 | 192.168.2.23 | 95.85.78.2 |
Aug 31, 2024 14:49:11.321305037 CEST | 6969 | 44774 | 95.85.78.2 | 192.168.2.23 |
Aug 31, 2024 14:49:11.377257109 CEST | 43928 | 443 | 192.168.2.23 | 91.189.91.42 |
Aug 31, 2024 14:49:11.836836100 CEST | 6969 | 44774 | 95.85.78.2 | 192.168.2.23 |
Aug 31, 2024 14:49:11.836899042 CEST | 44774 | 6969 | 192.168.2.23 | 95.85.78.2 |
Aug 31, 2024 14:49:11.836941004 CEST | 44774 | 6969 | 192.168.2.23 | 95.85.78.2 |
Aug 31, 2024 14:49:11.842691898 CEST | 6969 | 44774 | 95.85.78.2 | 192.168.2.23 |
Aug 31, 2024 14:49:12.358872890 CEST | 6969 | 44774 | 95.85.78.2 | 192.168.2.23 |
Aug 31, 2024 14:49:12.359107018 CEST | 44774 | 6969 | 192.168.2.23 | 95.85.78.2 |
Aug 31, 2024 14:49:12.359968901 CEST | 44774 | 6969 | 192.168.2.23 | 95.85.78.2 |
Aug 31, 2024 14:49:12.365731955 CEST | 6969 | 44774 | 95.85.78.2 | 192.168.2.23 |
Aug 31, 2024 14:49:12.365783930 CEST | 44774 | 6969 | 192.168.2.23 | 95.85.78.2 |
Aug 31, 2024 14:49:12.370582104 CEST | 6969 | 44774 | 95.85.78.2 | 192.168.2.23 |
Aug 31, 2024 14:49:14.361929893 CEST | 44774 | 6969 | 192.168.2.23 | 95.85.78.2 |
Aug 31, 2024 14:49:14.366895914 CEST | 6969 | 44774 | 95.85.78.2 | 192.168.2.23 |
Aug 31, 2024 14:49:14.882232904 CEST | 6969 | 44774 | 95.85.78.2 | 192.168.2.23 |
Aug 31, 2024 14:49:14.924746037 CEST | 44774 | 6969 | 192.168.2.23 | 95.85.78.2 |
Aug 31, 2024 14:49:16.752624989 CEST | 42836 | 443 | 192.168.2.23 | 91.189.91.43 |
Aug 31, 2024 14:49:26.893373013 CEST | 44774 | 6969 | 192.168.2.23 | 95.85.78.2 |
Aug 31, 2024 14:49:26.898344994 CEST | 6969 | 44774 | 95.85.78.2 | 192.168.2.23 |
Aug 31, 2024 14:49:27.493725061 CEST | 6969 | 44774 | 95.85.78.2 | 192.168.2.23 |
Aug 31, 2024 14:49:27.493980885 CEST | 44774 | 6969 | 192.168.2.23 | 95.85.78.2 |
Aug 31, 2024 14:49:32.110358000 CEST | 43928 | 443 | 192.168.2.23 | 91.189.91.42 |
Aug 31, 2024 14:49:39.503602982 CEST | 44774 | 6969 | 192.168.2.23 | 95.85.78.2 |
Aug 31, 2024 14:49:39.508472919 CEST | 6969 | 44774 | 95.85.78.2 | 192.168.2.23 |
Aug 31, 2024 14:49:40.025361061 CEST | 6969 | 44774 | 95.85.78.2 | 192.168.2.23 |
Aug 31, 2024 14:49:40.025432110 CEST | 44774 | 6969 | 192.168.2.23 | 95.85.78.2 |
Aug 31, 2024 14:49:40.301234007 CEST | 42516 | 80 | 192.168.2.23 | 109.202.202.202 |
Aug 31, 2024 14:49:42.348898888 CEST | 42836 | 443 | 192.168.2.23 | 91.189.91.43 |
Aug 31, 2024 14:49:52.036084890 CEST | 44774 | 6969 | 192.168.2.23 | 95.85.78.2 |
Aug 31, 2024 14:49:52.040963888 CEST | 6969 | 44774 | 95.85.78.2 | 192.168.2.23 |
Aug 31, 2024 14:49:52.557145119 CEST | 6969 | 44774 | 95.85.78.2 | 192.168.2.23 |
Aug 31, 2024 14:49:52.557476044 CEST | 44774 | 6969 | 192.168.2.23 | 95.85.78.2 |
Aug 31, 2024 14:50:04.568555117 CEST | 44774 | 6969 | 192.168.2.23 | 95.85.78.2 |
Aug 31, 2024 14:50:04.574157000 CEST | 6969 | 44774 | 95.85.78.2 | 192.168.2.23 |
Aug 31, 2024 14:50:05.090142965 CEST | 6969 | 44774 | 95.85.78.2 | 192.168.2.23 |
Aug 31, 2024 14:50:05.090265036 CEST | 44774 | 6969 | 192.168.2.23 | 95.85.78.2 |
Aug 31, 2024 14:50:13.064615965 CEST | 43928 | 443 | 192.168.2.23 | 91.189.91.42 |
Aug 31, 2024 14:50:17.101461887 CEST | 44774 | 6969 | 192.168.2.23 | 95.85.78.2 |
Aug 31, 2024 14:50:17.106385946 CEST | 6969 | 44774 | 95.85.78.2 | 192.168.2.23 |
Aug 31, 2024 14:50:17.621952057 CEST | 6969 | 44774 | 95.85.78.2 | 192.168.2.23 |
Aug 31, 2024 14:50:17.622035980 CEST | 44774 | 6969 | 192.168.2.23 | 95.85.78.2 |
Aug 31, 2024 14:50:29.632997036 CEST | 44774 | 6969 | 192.168.2.23 | 95.85.78.2 |
Aug 31, 2024 14:50:29.637845993 CEST | 6969 | 44774 | 95.85.78.2 | 192.168.2.23 |
Aug 31, 2024 14:50:30.154107094 CEST | 6969 | 44774 | 95.85.78.2 | 192.168.2.23 |
Aug 31, 2024 14:50:30.154186964 CEST | 44774 | 6969 | 192.168.2.23 | 95.85.78.2 |
Aug 31, 2024 14:50:33.541758060 CEST | 42836 | 443 | 192.168.2.23 | 91.189.91.43 |
Aug 31, 2024 14:50:42.165105104 CEST | 44774 | 6969 | 192.168.2.23 | 95.85.78.2 |
Aug 31, 2024 14:50:42.170852900 CEST | 6969 | 44774 | 95.85.78.2 | 192.168.2.23 |
Aug 31, 2024 14:50:42.686424971 CEST | 6969 | 44774 | 95.85.78.2 | 192.168.2.23 |
Aug 31, 2024 14:50:42.686631918 CEST | 44774 | 6969 | 192.168.2.23 | 95.85.78.2 |
Aug 31, 2024 14:50:54.697235107 CEST | 44774 | 6969 | 192.168.2.23 | 95.85.78.2 |
Aug 31, 2024 14:50:54.702045918 CEST | 6969 | 44774 | 95.85.78.2 | 192.168.2.23 |
Aug 31, 2024 14:50:55.217782974 CEST | 6969 | 44774 | 95.85.78.2 | 192.168.2.23 |
Aug 31, 2024 14:50:55.217921019 CEST | 44774 | 6969 | 192.168.2.23 | 95.85.78.2 |
Aug 31, 2024 14:51:07.228802919 CEST | 44774 | 6969 | 192.168.2.23 | 95.85.78.2 |
Aug 31, 2024 14:51:07.436939955 CEST | 44774 | 6969 | 192.168.2.23 | 95.85.78.2 |
Aug 31, 2024 14:51:07.648921967 CEST | 44774 | 6969 | 192.168.2.23 | 95.85.78.2 |
Aug 31, 2024 14:51:08.096844912 CEST | 44774 | 6969 | 192.168.2.23 | 95.85.78.2 |
Aug 31, 2024 14:51:08.960702896 CEST | 44774 | 6969 | 192.168.2.23 | 95.85.78.2 |
Aug 31, 2024 14:51:08.992408037 CEST | 6969 | 44774 | 95.85.78.2 | 192.168.2.23 |
Aug 31, 2024 14:51:09.508027077 CEST | 6969 | 44774 | 95.85.78.2 | 192.168.2.23 |
Aug 31, 2024 14:51:09.508126020 CEST | 44774 | 6969 | 192.168.2.23 | 95.85.78.2 |
Aug 31, 2024 14:51:09.723426104 CEST | 6969 | 44774 | 95.85.78.2 | 192.168.2.23 |
Aug 31, 2024 14:51:09.723509073 CEST | 44774 | 6969 | 192.168.2.23 | 95.85.78.2 |
Aug 31, 2024 14:51:09.943342924 CEST | 6969 | 44774 | 95.85.78.2 | 192.168.2.23 |
Aug 31, 2024 14:51:09.943432093 CEST | 44774 | 6969 | 192.168.2.23 | 95.85.78.2 |
Aug 31, 2024 14:51:10.391416073 CEST | 6969 | 44774 | 95.85.78.2 | 192.168.2.23 |
Aug 31, 2024 14:51:10.391494036 CEST | 44774 | 6969 | 192.168.2.23 | 95.85.78.2 |
Aug 31, 2024 14:51:11.255434990 CEST | 6969 | 44774 | 95.85.78.2 | 192.168.2.23 |
Aug 31, 2024 14:51:11.255527020 CEST | 44774 | 6969 | 192.168.2.23 | 95.85.78.2 |
Aug 31, 2024 14:51:12.983433962 CEST | 6969 | 44774 | 95.85.78.2 | 192.168.2.23 |
Aug 31, 2024 14:51:12.983530045 CEST | 44774 | 6969 | 192.168.2.23 | 95.85.78.2 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Aug 31, 2024 14:49:10.070991993 CEST | 48904 | 53 | 192.168.2.23 | 8.8.8.8 |
Aug 31, 2024 14:49:10.091264009 CEST | 53 | 48904 | 8.8.8.8 | 192.168.2.23 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Aug 31, 2024 14:49:10.070991993 CEST | 192.168.2.23 | 8.8.8.8 | 0x2030 | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Aug 31, 2024 14:49:10.091264009 CEST | 8.8.8.8 | 192.168.2.23 | 0x2030 | No error (0) | 172.232.152.145 | A (IP address) | IN (0x0001) | false | ||
Aug 31, 2024 14:49:10.091264009 CEST | 8.8.8.8 | 192.168.2.23 | 0x2030 | No error (0) | 51.13.59.242 | A (IP address) | IN (0x0001) | false | ||
Aug 31, 2024 14:49:10.091264009 CEST | 8.8.8.8 | 192.168.2.23 | 0x2030 | No error (0) | 95.85.78.2 | A (IP address) | IN (0x0001) | false | ||
Aug 31, 2024 14:49:10.091264009 CEST | 8.8.8.8 | 192.168.2.23 | 0x2030 | No error (0) | 139.162.84.81 | A (IP address) | IN (0x0001) | false | ||
Aug 31, 2024 14:49:10.091264009 CEST | 8.8.8.8 | 192.168.2.23 | 0x2030 | No error (0) | 5.8.33.163 | A (IP address) | IN (0x0001) | false | ||
Aug 31, 2024 14:49:10.091264009 CEST | 8.8.8.8 | 192.168.2.23 | 0x2030 | No error (0) | 172.236.34.39 | A (IP address) | IN (0x0001) | false | ||
Aug 31, 2024 14:49:10.091264009 CEST | 8.8.8.8 | 192.168.2.23 | 0x2030 | No error (0) | 193.32.179.248 | A (IP address) | IN (0x0001) | false | ||
Aug 31, 2024 14:49:10.091264009 CEST | 8.8.8.8 | 192.168.2.23 | 0x2030 | No error (0) | 52.232.76.114 | A (IP address) | IN (0x0001) | false | ||
Aug 31, 2024 14:49:10.091264009 CEST | 8.8.8.8 | 192.168.2.23 | 0x2030 | No error (0) | 172.235.48.113 | A (IP address) | IN (0x0001) | false | ||
Aug 31, 2024 14:49:10.091264009 CEST | 8.8.8.8 | 192.168.2.23 | 0x2030 | No error (0) | 92.38.160.11 | A (IP address) | IN (0x0001) | false |
System Behavior
Start time (UTC): | 12:49:05 |
Start date (UTC): | 31/08/2024 |
Path: | /usr/bin/dash |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 12:49:05 |
Start date (UTC): | 31/08/2024 |
Path: | /usr/bin/rm |
Arguments: | rm -f /tmp/tmp.1YvvdxWDCb /tmp/tmp.LxoRQpWOAW /tmp/tmp.Fvxx9mpQsR |
File size: | 72056 bytes |
MD5 hash: | aa2b5496fdbfd88e38791ab81f90b95b |
Start time (UTC): | 12:49:05 |
Start date (UTC): | 31/08/2024 |
Path: | /usr/bin/dash |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 12:49:05 |
Start date (UTC): | 31/08/2024 |
Path: | /usr/bin/cat |
Arguments: | cat /tmp/tmp.1YvvdxWDCb |
File size: | 43416 bytes |
MD5 hash: | 7e9d213e404ad3bb82e4ebb2e1f2c1b3 |
Start time (UTC): | 12:49:05 |
Start date (UTC): | 31/08/2024 |
Path: | /usr/bin/dash |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 12:49:05 |
Start date (UTC): | 31/08/2024 |
Path: | /usr/bin/head |
Arguments: | head -n 10 |
File size: | 47480 bytes |
MD5 hash: | fd96a67145172477dd57131396fc9608 |
Start time (UTC): | 12:49:05 |
Start date (UTC): | 31/08/2024 |
Path: | /usr/bin/dash |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 12:49:05 |
Start date (UTC): | 31/08/2024 |
Path: | /usr/bin/tr |
Arguments: | tr -d \\000-\\011\\013\\014\\016-\\037 |
File size: | 51544 bytes |
MD5 hash: | fbd1402dd9f72d8ebfff00ce7c3a7bb5 |
Start time (UTC): | 12:49:05 |
Start date (UTC): | 31/08/2024 |
Path: | /usr/bin/dash |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 12:49:05 |
Start date (UTC): | 31/08/2024 |
Path: | /usr/bin/cut |
Arguments: | cut -c -80 |
File size: | 47480 bytes |
MD5 hash: | d8ed0ea8f22c0de0f8692d4d9f1759d3 |
Start time (UTC): | 12:49:05 |
Start date (UTC): | 31/08/2024 |
Path: | /usr/bin/dash |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 12:49:05 |
Start date (UTC): | 31/08/2024 |
Path: | /usr/bin/cat |
Arguments: | cat /tmp/tmp.1YvvdxWDCb |
File size: | 43416 bytes |
MD5 hash: | 7e9d213e404ad3bb82e4ebb2e1f2c1b3 |
Start time (UTC): | 12:49:05 |
Start date (UTC): | 31/08/2024 |
Path: | /usr/bin/dash |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 12:49:05 |
Start date (UTC): | 31/08/2024 |
Path: | /usr/bin/head |
Arguments: | head -n 10 |
File size: | 47480 bytes |
MD5 hash: | fd96a67145172477dd57131396fc9608 |
Start time (UTC): | 12:49:05 |
Start date (UTC): | 31/08/2024 |
Path: | /usr/bin/dash |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 12:49:05 |
Start date (UTC): | 31/08/2024 |
Path: | /usr/bin/tr |
Arguments: | tr -d \\000-\\011\\013\\014\\016-\\037 |
File size: | 51544 bytes |
MD5 hash: | fbd1402dd9f72d8ebfff00ce7c3a7bb5 |
Start time (UTC): | 12:49:05 |
Start date (UTC): | 31/08/2024 |
Path: | /usr/bin/dash |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 12:49:05 |
Start date (UTC): | 31/08/2024 |
Path: | /usr/bin/cut |
Arguments: | cut -c -80 |
File size: | 47480 bytes |
MD5 hash: | d8ed0ea8f22c0de0f8692d4d9f1759d3 |
Start time (UTC): | 12:49:05 |
Start date (UTC): | 31/08/2024 |
Path: | /usr/bin/dash |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 12:49:05 |
Start date (UTC): | 31/08/2024 |
Path: | /usr/bin/rm |
Arguments: | rm -f /tmp/tmp.1YvvdxWDCb /tmp/tmp.LxoRQpWOAW /tmp/tmp.Fvxx9mpQsR |
File size: | 72056 bytes |
MD5 hash: | aa2b5496fdbfd88e38791ab81f90b95b |
Start time (UTC): | 12:49:09 |
Start date (UTC): | 31/08/2024 |
Path: | /tmp/botnt.arm7.elf |
Arguments: | /tmp/botnt.arm7.elf |
File size: | 4956856 bytes |
MD5 hash: | 5ebfcae4fe2471fcc5695c2394773ff1 |
Start time (UTC): | 12:49:09 |
Start date (UTC): | 31/08/2024 |
Path: | /tmp/botnt.arm7.elf |
Arguments: | - |
File size: | 4956856 bytes |
MD5 hash: | 5ebfcae4fe2471fcc5695c2394773ff1 |