Edit tour

Linux Analysis Report
na.elf

Overview

General Information

Sample name:	na.elf
Analysis ID:	1528786
MD5:	9458b4459ba8c90817ef0e0775e93a14
SHA1:	727d79f62ec7cd02bdea82b8b02326ba1801d321
SHA256:	beaa0cad81db02c93c77dc0c6d2a25736be5194306fcafd4d9c2045fc75eb7b0
Tags:	elfMiraiuser-abuse_ch
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Connects to many ports of the same IP (likely port scanning)

Detected TCP or UDP traffic on non-standard ports

Executes the "systemctl" command used for controlling the systemd system and service manager

Reads system version information

Sample has stripped symbol table

Sample listens on a socket

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528786
Start date and time:	2024-10-08 10:52:35 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	na.elf
Detection:	MAL
Classification:	mal60.troj.linELF@0/0@46/0

Runtime Messages

Command:	/tmp/na.elf
PID:	5840
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	zenci
Standard Error:

Process Tree

system is lnxubuntu20

na.elf (PID: 5840, Parent: 5583, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/na.elf

na.elf New Fork (PID: 5843, Parent: 5840)

na.elf New Fork (PID: 5845, Parent: 5843)

udisksd New Fork (PID: 5854, Parent: 802)

dumpe2fs (PID: 5854, Parent: 802, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 5886, Parent: 802)

dumpe2fs (PID: 5886, Parent: 802, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 5906, Parent: 802)

dumpe2fs (PID: 5906, Parent: 802, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

systemd New Fork (PID: 5957, Parent: 1)

snap-failure (PID: 5957, Parent: 1, MD5: 69136a7d575731ce62349f2e4d3e5c36) Arguments: /usr/lib/snapd/snap-failure snapd

snap-failure New Fork (PID: 5971, Parent: 5957)

systemctl (PID: 5971, Parent: 5957, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl stop snapd.socket

snap-failure New Fork (PID: 5972, Parent: 5957)

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: na.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: na.elf	ReversingLabs: Detection: 50%
Source: na.elf	Virustotal: Detection: 58%			Perma Link

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 93.123.39.105 ports 38241,1,2,3,4,8

Source: global traffic

TCP traffic: 192.168.2.13:35230 -> 93.123.39.105:38241

Source: /tmp/na.elf (PID: 5840)

Socket: 127.0.0.1:2353

Jump to behavior

Source: unknown	UDP traffic detected without corresponding DNS query: 80.152.203.134
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 80.152.203.134
Source: unknown	UDP traffic detected without corresponding DNS query: 70.34.254.19
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 139.84.165.176
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 80.152.203.134
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 64.176.6.48
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 5.161.109.23
Source: unknown	UDP traffic detected without corresponding DNS query: 65.21.1.106
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown	UDP traffic detected without corresponding DNS query: 5.161.109.23
Source: unknown	UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown	UDP traffic detected without corresponding DNS query: 139.84.165.176
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 137.220.52.23
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 64.176.6.48
Source: unknown	UDP traffic detected without corresponding DNS query: 65.21.1.106
Source: unknown	UDP traffic detected without corresponding DNS query: 70.34.254.19
Source: unknown	UDP traffic detected without corresponding DNS query: 65.21.1.106
Source: unknown	UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 217.160.70.42
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown	UDP traffic detected without corresponding DNS query: 64.176.6.48
Source: unknown	UDP traffic detected without corresponding DNS query: 139.84.165.176
Source: unknown	UDP traffic detected without corresponding DNS query: 64.176.6.48
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown	UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown	UDP traffic detected without corresponding DNS query: 80.152.203.134
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 64.176.6.48
Source: unknown	UDP traffic detected without corresponding DNS query: 64.176.6.48

Source: global traffic

DNS traffic detected: DNS query: enemybotnet.com

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal60.troj.linELF@0/0@46/0

Source: /usr/lib/snapd/snap-failure (PID: 5971)

Systemctl executable: /usr/bin/systemctl -> systemctl stop snapd.socket

Jump to behavior

Source: /usr/lib/snapd/snap-failure (PID: 5957)

Reads version info: /proc/version

Jump to behavior

Source: /tmp/na.elf (PID: 5840)

Queries kernel information via 'uname':

Jump to behavior

Source: na.elf, 5840.1.000055cb30f72000.000055cb30ff9000.rw-.sdmp, na.elf, 5845.1.000055cb30f72000.000055cb30ff9000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mipsel
Source: na.elf, 5840.1.00007ffe142ae000.00007ffe142cf000.rw-.sdmp, na.elf, 5845.1.00007ffe142ae000.00007ffe142cf000.rw-.sdmp	Binary or memory string: \|x86_64/usr/bin/qemu-mipsel/tmp/na.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/na.elf
Source: na.elf, 5840.1.000055cb30f72000.000055cb30ff9000.rw-.sdmp, na.elf, 5845.1.000055cb30f72000.000055cb30ff9000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/mipsel
Source: na.elf, 5840.1.00007ffe142ae000.00007ffe142cf000.rw-.sdmp, na.elf, 5845.1.00007ffe142ae000.00007ffe142cf000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsel

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Systemd Service	1 Systemd Service	Direct Volume Access	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
na.elf	50%	ReversingLabs	Linux.Trojan.Mirai
na.elf	58%	Virustotal		Browse
na.elf	100%	Avira	EXP/ELF.Mirai.W

Dropped Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
enemybotnet.com	14%	Virustotal		Browse

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
enemybotnet.com	93.123.39.105	true	true	14%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
93.123.39.105	enemybotnet.com	Bulgaria		43561	NET1-ASBG	true

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
93.123.39.105	na.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Mirai	Browse
	x86.elf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
enemybotnet.com	na.elf	Get hash	malicious	Unknown	Browse	93.123.39.105
	na.elf	Get hash	malicious	Unknown	Browse	93.123.39.105
	na.elf	Get hash	malicious	Unknown	Browse	93.123.39.105
	na.elf	Get hash	malicious	Unknown	Browse	93.123.39.105
	na.elf	Get hash	malicious	Unknown	Browse	93.123.39.105
	na.elf	Get hash	malicious	Unknown	Browse	93.123.39.105
	arm7.elf	Get hash	malicious	Mirai	Browse	93.123.39.105
	x86.elf	Get hash	malicious	Unknown	Browse	93.123.39.105

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NET1-ASBG	na.elf	Get hash	malicious	Unknown	Browse	93.123.39.105
	na.elf	Get hash	malicious	Unknown	Browse	93.123.39.105
	na.elf	Get hash	malicious	Unknown	Browse	93.123.39.105
	na.elf	Get hash	malicious	Unknown	Browse	93.123.39.105
	na.elf	Get hash	malicious	Unknown	Browse	93.123.39.105
	na.elf	Get hash	malicious	Unknown	Browse	93.123.39.105
	na.elf	Get hash	malicious	Mirai	Browse	93.123.39.116
	na.elf	Get hash	malicious	Mirai	Browse	93.123.39.116
	na.elf	Get hash	malicious	Mirai	Browse	93.123.39.116
	na.elf	Get hash	malicious	Mirai	Browse	93.123.39.116

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.382355479473668
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	na.elf
File size:	84'808 bytes
MD5:	9458b4459ba8c90817ef0e0775e93a14
SHA1:	727d79f62ec7cd02bdea82b8b02326ba1801d321
SHA256:	beaa0cad81db02c93c77dc0c6d2a25736be5194306fcafd4d9c2045fc75eb7b0
SHA512:	591e41e778029ae748d3cccd8ae9ebce5e582f473d94bba0933e073dc4c8cc3c5c6e31372372d8dc1152bb97471a85e50fcdebb54844a482729ec10f84245eeb
SSDEEP:	1536:l2Csvuic4qPjcIMbDL57Y7/vj98ca+cZ7Kma1EONZ/:l2CsvuKqPMca+c23NZ/
TLSH:	BB83F719BB944FBBEC6BCC330AA9170134CC591A22B97B3A7534C91CF64F64B46E3964
File Content Preview:	.ELF....................`.@.4....I......4. ...(...............@...@..5...5...............@...@E..@E......:..........Q.td...............................<L..'!......'.......................<(..'!... .........9'.. ........................<...'!.............9

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x400260
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	84248
Section Header Size:	40
Number of Section Headers:	14
Header String Table Index:	13

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x8c	0x0	0x6	AX	4
.text	PROGBITS	0x400120	0x120	0x11e30	0x0	0x6	AX	16
.fini	PROGBITS	0x411f50	0x11f50	0x5c	0x0	0x6	AX	4
.rodata	PROGBITS	0x411fb0	0x11fb0	0x15d0	0x0	0x2	A	16
.ctors	PROGBITS	0x454000	0x14000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x454008	0x14008	0x8	0x0	0x3	WA	4
.data.rel.ro	PROGBITS	0x454014	0x14014	0x34	0x0	0x3	WA	4
.data	PROGBITS	0x454050	0x14050	0x3a0	0x0	0x3	WA	16
.got	PROGBITS	0x4543f0	0x143f0	0x4c4	0x4	0x10000003	WAp	16
.sbss	NOBITS	0x4548b4	0x148b4	0x14	0x0	0x10000003	WAp	4
.bss	NOBITS	0x4548d0	0x148b4	0x31f8	0x0	0x3	WA	16
.mdebug.abi32	PROGBITS	0x9a2	0x148b4	0x0	0x0	0x0		1
.shstrtab	STRTAB	0x0	0x148b4	0x64	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x13580	0x13580	5.5342	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x14000	0x454000	0x454000	0x8b4	0x3ac8	3.5918	0x6	RW	0x10000	.ctors .dtors .data.rel.ro .data .got .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 10:54:26.478312969 CEST	35230	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:26.483247995 CEST	38241	35230	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:26.483328104 CEST	35230	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:26.484204054 CEST	35230	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:26.488447905 CEST	38241	35230	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:26.488571882 CEST	35230	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:26.488995075 CEST	38241	35230	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:26.493458033 CEST	38241	35230	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:27.688832998 CEST	35232	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:27.693725109 CEST	38241	35232	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:27.693784952 CEST	35232	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:27.694638014 CEST	35232	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:27.698924065 CEST	38241	35232	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:27.698990107 CEST	35232	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:27.699392080 CEST	38241	35232	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:27.703834057 CEST	38241	35232	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:29.117818117 CEST	35234	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:29.123002052 CEST	38241	35234	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:29.123086929 CEST	35234	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:29.123979092 CEST	35234	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:29.128387928 CEST	38241	35234	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:29.128567934 CEST	35234	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:29.128871918 CEST	38241	35234	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:29.133430004 CEST	38241	35234	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:30.150671959 CEST	35236	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:30.155761003 CEST	38241	35236	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:30.155844927 CEST	35236	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:30.156543970 CEST	35236	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:30.160985947 CEST	38241	35236	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:30.161058903 CEST	35236	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:30.161374092 CEST	38241	35236	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:30.165962934 CEST	38241	35236	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:31.956671000 CEST	35238	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:31.961641073 CEST	38241	35238	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:31.961855888 CEST	35238	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:31.962699890 CEST	35238	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:31.967164040 CEST	38241	35238	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:31.967217922 CEST	35238	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:31.967528105 CEST	38241	35238	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:31.972105026 CEST	38241	35238	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:37.987998009 CEST	35240	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:37.992856979 CEST	38241	35240	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:37.992927074 CEST	35240	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:37.994168997 CEST	35240	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:37.998070002 CEST	38241	35240	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:37.998173952 CEST	35240	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:37.999440908 CEST	38241	35240	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:38.003015995 CEST	38241	35240	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:44.437077999 CEST	35242	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:44.442100048 CEST	38241	35242	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:44.442234993 CEST	35242	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:44.443470955 CEST	35242	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:44.447586060 CEST	38241	35242	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:44.447684050 CEST	35242	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:44.448298931 CEST	38241	35242	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:44.452666044 CEST	38241	35242	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:45.660794973 CEST	35244	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:45.666270018 CEST	38241	35244	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:45.666409969 CEST	35244	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:45.667781115 CEST	35244	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:45.671883106 CEST	38241	35244	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:45.671977043 CEST	35244	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:45.672621012 CEST	38241	35244	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:45.676954985 CEST	38241	35244	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:47.590085030 CEST	35246	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:47.595118999 CEST	38241	35246	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:47.595185995 CEST	35246	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:47.596779108 CEST	35246	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:47.600497007 CEST	38241	35246	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:47.600589991 CEST	35246	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:47.601805925 CEST	38241	35246	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:47.605581045 CEST	38241	35246	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:48.615849972 CEST	35248	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:48.620753050 CEST	38241	35248	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:48.620841026 CEST	35248	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:48.622061014 CEST	35248	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:48.625894070 CEST	38241	35248	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:48.626008987 CEST	35248	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:48.626883984 CEST	38241	35248	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:48.630866051 CEST	38241	35248	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:54.643826008 CEST	35250	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:54.648873091 CEST	38241	35250	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:54.648946047 CEST	35250	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:54.650522947 CEST	35250	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:54.654386044 CEST	38241	35250	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:54.654478073 CEST	35250	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:54:54.655402899 CEST	38241	35250	93.123.39.105	192.168.2.13
Oct 8, 2024 10:54:54.659360886 CEST	38241	35250	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:01.052335024 CEST	35252	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:01.057398081 CEST	38241	35252	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:01.057514906 CEST	35252	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:01.058794975 CEST	35252	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:01.063673973 CEST	38241	35252	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:01.063755035 CEST	35252	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:01.067679882 CEST	38241	35252	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:01.068716049 CEST	38241	35252	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:02.245342970 CEST	35254	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:02.250420094 CEST	38241	35254	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:02.250474930 CEST	35254	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:02.255997896 CEST	38241	35254	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:02.258332014 CEST	35254	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:02.260473967 CEST	35254	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:02.260493040 CEST	35254	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:02.282339096 CEST	35254	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:02.494386911 CEST	35254	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:02.639493942 CEST	38241	35254	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:02.639517069 CEST	38241	35254	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:02.639528990 CEST	38241	35254	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:02.639540911 CEST	38241	35254	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:18.298147917 CEST	35256	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:18.303031921 CEST	38241	35256	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:18.303107977 CEST	35256	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:18.304428101 CEST	35256	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:18.309065104 CEST	38241	35256	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:18.309154034 CEST	35256	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:18.309278011 CEST	38241	35256	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:18.314131975 CEST	38241	35256	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:19.470984936 CEST	35258	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:19.476000071 CEST	38241	35258	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:19.476321936 CEST	35258	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:19.477459908 CEST	35258	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:19.482547998 CEST	38241	35258	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:19.482597113 CEST	38241	35258	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:19.483421087 CEST	35258	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:19.488396883 CEST	38241	35258	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:21.717510939 CEST	35260	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:21.722563028 CEST	38241	35260	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:21.722616911 CEST	35260	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:21.723793983 CEST	35260	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:21.727914095 CEST	38241	35260	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:21.727979898 CEST	35260	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:21.728620052 CEST	38241	35260	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:21.732778072 CEST	38241	35260	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:27.943639994 CEST	35262	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:27.948513031 CEST	38241	35262	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:27.948613882 CEST	35262	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:27.949316978 CEST	35262	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:27.953994989 CEST	38241	35262	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:27.954066038 CEST	38241	35262	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:27.954098940 CEST	35262	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:27.958945036 CEST	38241	35262	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:29.188139915 CEST	35264	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:29.193135977 CEST	38241	35264	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:29.193218946 CEST	35264	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:29.194274902 CEST	35264	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:29.198571920 CEST	38241	35264	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:29.198641062 CEST	35264	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:29.199145079 CEST	38241	35264	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:29.203495026 CEST	38241	35264	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:31.375950098 CEST	35266	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:31.380994081 CEST	38241	35266	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:31.381056070 CEST	35266	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:31.382107019 CEST	35266	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:31.386389017 CEST	38241	35266	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:31.386445045 CEST	35266	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:31.386941910 CEST	38241	35266	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:31.391350985 CEST	38241	35266	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:37.618292093 CEST	35268	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:37.623159885 CEST	38241	35268	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:37.623342991 CEST	35268	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:37.624634027 CEST	35268	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:37.628493071 CEST	38241	35268	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:37.628613949 CEST	35268	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:37.629432917 CEST	38241	35268	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:37.633466959 CEST	38241	35268	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:44.284147978 CEST	35270	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:44.289092064 CEST	38241	35270	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:44.289172888 CEST	35270	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:44.290400982 CEST	35270	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:44.294544935 CEST	38241	35270	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:44.294658899 CEST	35270	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:44.295514107 CEST	38241	35270	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:44.299525976 CEST	38241	35270	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:50.315946102 CEST	35272	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:50.320938110 CEST	38241	35272	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:50.321003914 CEST	35272	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:50.321655035 CEST	35272	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:50.326221943 CEST	38241	35272	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:50.326286077 CEST	35272	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:50.326478958 CEST	38241	35272	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:50.331139088 CEST	38241	35272	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:51.340207100 CEST	35274	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:51.345129013 CEST	38241	35274	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:51.345220089 CEST	35274	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:51.346282005 CEST	35274	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:51.350403070 CEST	38241	35274	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:51.350502014 CEST	35274	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:51.351285934 CEST	38241	35274	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:51.355380058 CEST	38241	35274	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:52.587016106 CEST	35276	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:52.592097044 CEST	38241	35276	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:52.592248917 CEST	35276	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:52.593544960 CEST	35276	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:52.597558022 CEST	38241	35276	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:52.597656012 CEST	35276	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:52.598614931 CEST	38241	35276	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:52.602559090 CEST	38241	35276	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:53.767946005 CEST	35278	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:53.772927046 CEST	38241	35278	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:53.773014069 CEST	35278	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:53.773638964 CEST	35278	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:55:53.778654099 CEST	38241	35278	93.123.39.105	192.168.2.13
Oct 8, 2024 10:55:53.778713942 CEST	38241	35278	93.123.39.105	192.168.2.13
Oct 8, 2024 10:56:09.811757088 CEST	35280	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:56:09.816725016 CEST	38241	35280	93.123.39.105	192.168.2.13
Oct 8, 2024 10:56:09.816927910 CEST	35280	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:56:09.818176985 CEST	35280	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:56:09.822160959 CEST	38241	35280	93.123.39.105	192.168.2.13
Oct 8, 2024 10:56:09.822278023 CEST	35280	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:56:09.823071003 CEST	38241	35280	93.123.39.105	192.168.2.13
Oct 8, 2024 10:56:09.827178955 CEST	38241	35280	93.123.39.105	192.168.2.13
Oct 8, 2024 10:56:21.888706923 CEST	35282	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:56:21.893631935 CEST	38241	35282	93.123.39.105	192.168.2.13
Oct 8, 2024 10:56:21.893862009 CEST	35282	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:56:21.895410061 CEST	35282	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:56:21.899214983 CEST	38241	35282	93.123.39.105	192.168.2.13
Oct 8, 2024 10:56:21.899363041 CEST	35282	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:56:21.900258064 CEST	38241	35282	93.123.39.105	192.168.2.13
Oct 8, 2024 10:56:21.904237032 CEST	38241	35282	93.123.39.105	192.168.2.13
Oct 8, 2024 10:56:22.914105892 CEST	35284	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:56:22.919028997 CEST	38241	35284	93.123.39.105	192.168.2.13
Oct 8, 2024 10:56:22.919132948 CEST	35284	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:56:22.920217991 CEST	35284	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:56:22.924894094 CEST	38241	35284	93.123.39.105	192.168.2.13
Oct 8, 2024 10:56:22.924997091 CEST	35284	38241	192.168.2.13	93.123.39.105
Oct 8, 2024 10:56:22.925062895 CEST	38241	35284	93.123.39.105	192.168.2.13
Oct 8, 2024 10:56:22.930450916 CEST	38241	35284	93.123.39.105	192.168.2.13

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 10:54:25.485173941 CEST	36754	53	192.168.2.13	80.152.203.134
Oct 8, 2024 10:54:26.475203991 CEST	53	36754	80.152.203.134	192.168.2.13
Oct 8, 2024 10:54:27.490993977 CEST	36926	53	192.168.2.13	168.235.111.72
Oct 8, 2024 10:54:27.688046932 CEST	53	36926	168.235.111.72	192.168.2.13
Oct 8, 2024 10:54:28.701350927 CEST	41700	53	192.168.2.13	168.235.111.72
Oct 8, 2024 10:54:29.116848946 CEST	53	41700	168.235.111.72	192.168.2.13
Oct 8, 2024 10:54:30.130801916 CEST	43440	53	192.168.2.13	51.158.108.203
Oct 8, 2024 10:54:30.150142908 CEST	53	43440	51.158.108.203	192.168.2.13
Oct 8, 2024 10:54:31.163299084 CEST	43233	53	192.168.2.13	80.152.203.134
Oct 8, 2024 10:54:31.955785036 CEST	53	43233	80.152.203.134	192.168.2.13
Oct 8, 2024 10:54:32.969878912 CEST	55667	53	192.168.2.13	70.34.254.19
Oct 8, 2024 10:54:37.976948977 CEST	46161	53	192.168.2.13	194.36.144.87
Oct 8, 2024 10:54:37.987122059 CEST	53	46161	194.36.144.87	192.168.2.13
Oct 8, 2024 10:54:39.002075911 CEST	59275	53	192.168.2.13	139.84.165.176
Oct 8, 2024 10:54:44.009711981 CEST	53124	53	192.168.2.13	81.169.136.222
Oct 8, 2024 10:54:44.435879946 CEST	53	53124	81.169.136.222	192.168.2.13
Oct 8, 2024 10:54:45.451927900 CEST	37578	53	192.168.2.13	185.181.61.24
Oct 8, 2024 10:54:45.659358025 CEST	53	37578	185.181.61.24	192.168.2.13
Oct 8, 2024 10:54:46.675501108 CEST	52266	53	192.168.2.13	80.152.203.134
Oct 8, 2024 10:54:47.588562965 CEST	53	52266	80.152.203.134	192.168.2.13
Oct 8, 2024 10:54:48.604170084 CEST	43052	53	192.168.2.13	152.53.15.127
Oct 8, 2024 10:54:48.614995003 CEST	53	43052	152.53.15.127	192.168.2.13
Oct 8, 2024 10:54:49.629348993 CEST	32818	53	192.168.2.13	64.176.6.48
Oct 8, 2024 10:54:54.632513046 CEST	56394	53	192.168.2.13	194.36.144.87
Oct 8, 2024 10:54:54.642966986 CEST	53	56394	194.36.144.87	192.168.2.13
Oct 8, 2024 10:54:55.657645941 CEST	43257	53	192.168.2.13	5.161.109.23
Oct 8, 2024 10:55:00.662584066 CEST	50476	53	192.168.2.13	65.21.1.106
Oct 8, 2024 10:55:01.050833941 CEST	53	50476	65.21.1.106	192.168.2.13
Oct 8, 2024 10:55:02.071763992 CEST	43987	53	192.168.2.13	202.61.197.122
Oct 8, 2024 10:55:02.244477987 CEST	53	43987	202.61.197.122	192.168.2.13
Oct 8, 2024 10:55:03.264293909 CEST	50006	53	192.168.2.13	5.161.109.23
Oct 8, 2024 10:55:08.271249056 CEST	46947	53	192.168.2.13	178.254.22.166
Oct 8, 2024 10:55:13.278599024 CEST	57442	53	192.168.2.13	139.84.165.176
Oct 8, 2024 10:55:18.285964966 CEST	54320	53	192.168.2.13	152.53.15.127
Oct 8, 2024 10:55:18.297353983 CEST	53	54320	152.53.15.127	192.168.2.13
Oct 8, 2024 10:55:19.312547922 CEST	40308	53	192.168.2.13	202.61.197.122
Oct 8, 2024 10:55:19.469455957 CEST	53	40308	202.61.197.122	192.168.2.13
Oct 8, 2024 10:55:20.486392975 CEST	47805	53	192.168.2.13	81.169.136.222
Oct 8, 2024 10:55:21.716501951 CEST	53	47805	81.169.136.222	192.168.2.13
Oct 8, 2024 10:55:22.730813980 CEST	54000	53	192.168.2.13	137.220.52.23
Oct 8, 2024 10:55:27.737754107 CEST	59112	53	192.168.2.13	185.181.61.24
Oct 8, 2024 10:55:27.942527056 CEST	53	59112	185.181.61.24	192.168.2.13
Oct 8, 2024 10:55:28.961867094 CEST	58734	53	192.168.2.13	81.169.136.222
Oct 8, 2024 10:55:29.186865091 CEST	53	58734	81.169.136.222	192.168.2.13
Oct 8, 2024 10:55:30.201001883 CEST	47950	53	192.168.2.13	81.169.136.222
Oct 8, 2024 10:55:31.375010967 CEST	53	47950	81.169.136.222	192.168.2.13
Oct 8, 2024 10:55:32.388878107 CEST	55107	53	192.168.2.13	64.176.6.48
Oct 8, 2024 10:55:37.391823053 CEST	38825	53	192.168.2.13	65.21.1.106
Oct 8, 2024 10:55:37.616763115 CEST	53	38825	65.21.1.106	192.168.2.13
Oct 8, 2024 10:55:38.631663084 CEST	58573	53	192.168.2.13	70.34.254.19
Oct 8, 2024 10:55:43.638488054 CEST	43003	53	192.168.2.13	65.21.1.106
Oct 8, 2024 10:55:44.282541990 CEST	53	43003	65.21.1.106	192.168.2.13
Oct 8, 2024 10:55:45.298010111 CEST	36404	53	192.168.2.13	178.254.22.166
Oct 8, 2024 10:55:50.304846048 CEST	45090	53	192.168.2.13	152.53.15.127
Oct 8, 2024 10:55:50.315283060 CEST	53	45090	152.53.15.127	192.168.2.13
Oct 8, 2024 10:55:51.329514027 CEST	45295	53	192.168.2.13	194.36.144.87
Oct 8, 2024 10:55:51.339596987 CEST	53	45295	194.36.144.87	192.168.2.13
Oct 8, 2024 10:55:52.353451967 CEST	49019	53	192.168.2.13	217.160.70.42
Oct 8, 2024 10:55:52.585464001 CEST	53	49019	217.160.70.42	192.168.2.13
Oct 8, 2024 10:55:53.599986076 CEST	39576	53	192.168.2.13	202.61.197.122
Oct 8, 2024 10:55:53.766793966 CEST	53	39576	202.61.197.122	192.168.2.13
Oct 8, 2024 10:55:54.781464100 CEST	56181	53	192.168.2.13	64.176.6.48
Oct 8, 2024 10:55:59.787456989 CEST	50693	53	192.168.2.13	139.84.165.176
Oct 8, 2024 10:56:04.795159101 CEST	40312	53	192.168.2.13	64.176.6.48
Oct 8, 2024 10:56:09.800045013 CEST	38187	53	192.168.2.13	152.53.15.127
Oct 8, 2024 10:56:09.810997963 CEST	53	38187	152.53.15.127	192.168.2.13
Oct 8, 2024 10:56:10.825167894 CEST	50722	53	192.168.2.13	178.254.22.166
Oct 8, 2024 10:56:15.832250118 CEST	52750	53	192.168.2.13	178.254.22.166
Oct 8, 2024 10:56:20.839176893 CEST	48339	53	192.168.2.13	80.152.203.134
Oct 8, 2024 10:56:21.887299061 CEST	53	48339	80.152.203.134	192.168.2.13
Oct 8, 2024 10:56:22.902796984 CEST	55222	53	192.168.2.13	194.36.144.87
Oct 8, 2024 10:56:22.913223028 CEST	53	55222	194.36.144.87	192.168.2.13
Oct 8, 2024 10:56:23.928145885 CEST	43165	53	192.168.2.13	64.176.6.48
Oct 8, 2024 10:56:28.934957981 CEST	43792	53	192.168.2.13	64.176.6.48

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 8, 2024 10:54:25.485173941 CEST	192.168.2.13	80.152.203.134	0x7a5c	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:54:27.490993977 CEST	192.168.2.13	168.235.111.72	0xd054	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:54:28.701350927 CEST	192.168.2.13	168.235.111.72	0x3afd	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:54:30.130801916 CEST	192.168.2.13	51.158.108.203	0x33a9	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:54:31.163299084 CEST	192.168.2.13	80.152.203.134	0xc63a	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:54:32.969878912 CEST	192.168.2.13	70.34.254.19	0xaa5	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:54:37.976948977 CEST	192.168.2.13	194.36.144.87	0x20ca	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:54:39.002075911 CEST	192.168.2.13	139.84.165.176	0x5159	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:54:44.009711981 CEST	192.168.2.13	81.169.136.222	0x966e	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:54:45.451927900 CEST	192.168.2.13	185.181.61.24	0xf42a	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:54:46.675501108 CEST	192.168.2.13	80.152.203.134	0x5520	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:54:48.604170084 CEST	192.168.2.13	152.53.15.127	0x1c94	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:54:49.629348993 CEST	192.168.2.13	64.176.6.48	0xa813	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:54:54.632513046 CEST	192.168.2.13	194.36.144.87	0x161e	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:54:55.657645941 CEST	192.168.2.13	5.161.109.23	0xfb4	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:55:00.662584066 CEST	192.168.2.13	65.21.1.106	0x99dd	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:55:02.071763992 CEST	192.168.2.13	202.61.197.122	0x28ba	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:55:03.264293909 CEST	192.168.2.13	5.161.109.23	0xd64	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:55:08.271249056 CEST	192.168.2.13	178.254.22.166	0x97c6	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:55:13.278599024 CEST	192.168.2.13	139.84.165.176	0xa350	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:55:18.285964966 CEST	192.168.2.13	152.53.15.127	0x2497	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:55:19.312547922 CEST	192.168.2.13	202.61.197.122	0x3eec	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:55:20.486392975 CEST	192.168.2.13	81.169.136.222	0xf4f1	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:55:22.730813980 CEST	192.168.2.13	137.220.52.23	0x5ed7	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:55:27.737754107 CEST	192.168.2.13	185.181.61.24	0x43c0	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:55:28.961867094 CEST	192.168.2.13	81.169.136.222	0xe068	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:55:30.201001883 CEST	192.168.2.13	81.169.136.222	0xd325	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:55:32.388878107 CEST	192.168.2.13	64.176.6.48	0xc596	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:55:37.391823053 CEST	192.168.2.13	65.21.1.106	0x5a37	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:55:38.631663084 CEST	192.168.2.13	70.34.254.19	0x771d	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:55:43.638488054 CEST	192.168.2.13	65.21.1.106	0x96d4	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:55:45.298010111 CEST	192.168.2.13	178.254.22.166	0xba55	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:55:50.304846048 CEST	192.168.2.13	152.53.15.127	0x1e32	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:55:51.329514027 CEST	192.168.2.13	194.36.144.87	0xf96f	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:55:52.353451967 CEST	192.168.2.13	217.160.70.42	0x7817	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:55:53.599986076 CEST	192.168.2.13	202.61.197.122	0xf360	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:55:54.781464100 CEST	192.168.2.13	64.176.6.48	0x219	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:55:59.787456989 CEST	192.168.2.13	139.84.165.176	0x7c9f	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:56:04.795159101 CEST	192.168.2.13	64.176.6.48	0xda80	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:56:09.800045013 CEST	192.168.2.13	152.53.15.127	0xb179	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:56:10.825167894 CEST	192.168.2.13	178.254.22.166	0x8a5d	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:56:15.832250118 CEST	192.168.2.13	178.254.22.166	0xb7c9	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:56:20.839176893 CEST	192.168.2.13	80.152.203.134	0x4fef	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:56:22.902796984 CEST	192.168.2.13	194.36.144.87	0x8c16	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:56:23.928145885 CEST	192.168.2.13	64.176.6.48	0x7c50	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:56:28.934957981 CEST	192.168.2.13	64.176.6.48	0x6ea1	Standard query (0)	enemybotnet.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 8, 2024 10:54:26.475203991 CEST	80.152.203.134	192.168.2.13	0x7a5c	No error (0)	enemybotnet.com	93.123.39.105	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:54:27.688046932 CEST	168.235.111.72	192.168.2.13	0xd054	No error (0)	enemybotnet.com	93.123.39.105	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:54:29.116848946 CEST	168.235.111.72	192.168.2.13	0x3afd	No error (0)	enemybotnet.com	93.123.39.105	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:54:30.150142908 CEST	51.158.108.203	192.168.2.13	0x33a9	No error (0)	enemybotnet.com	93.123.39.105	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:54:31.955785036 CEST	80.152.203.134	192.168.2.13	0xc63a	No error (0)	enemybotnet.com	93.123.39.105	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:54:37.987122059 CEST	194.36.144.87	192.168.2.13	0x20ca	No error (0)	enemybotnet.com	93.123.39.105	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:54:44.435879946 CEST	81.169.136.222	192.168.2.13	0x966e	No error (0)	enemybotnet.com	93.123.39.105	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:54:45.659358025 CEST	185.181.61.24	192.168.2.13	0xf42a	No error (0)	enemybotnet.com	93.123.39.105	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:54:47.588562965 CEST	80.152.203.134	192.168.2.13	0x5520	No error (0)	enemybotnet.com	93.123.39.105	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:54:48.614995003 CEST	152.53.15.127	192.168.2.13	0x1c94	No error (0)	enemybotnet.com	93.123.39.105	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:54:54.642966986 CEST	194.36.144.87	192.168.2.13	0x161e	No error (0)	enemybotnet.com	93.123.39.105	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:55:01.050833941 CEST	65.21.1.106	192.168.2.13	0x99dd	No error (0)	enemybotnet.com	93.123.39.105	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:55:02.244477987 CEST	202.61.197.122	192.168.2.13	0x28ba	No error (0)	enemybotnet.com	93.123.39.105	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:55:18.297353983 CEST	152.53.15.127	192.168.2.13	0x2497	No error (0)	enemybotnet.com	93.123.39.105	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:55:19.469455957 CEST	202.61.197.122	192.168.2.13	0x3eec	No error (0)	enemybotnet.com	93.123.39.105	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:55:21.716501951 CEST	81.169.136.222	192.168.2.13	0xf4f1	No error (0)	enemybotnet.com	93.123.39.105	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:55:27.942527056 CEST	185.181.61.24	192.168.2.13	0x43c0	No error (0)	enemybotnet.com	93.123.39.105	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:55:29.186865091 CEST	81.169.136.222	192.168.2.13	0xe068	No error (0)	enemybotnet.com	93.123.39.105	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:55:31.375010967 CEST	81.169.136.222	192.168.2.13	0xd325	No error (0)	enemybotnet.com	93.123.39.105	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:55:37.616763115 CEST	65.21.1.106	192.168.2.13	0x5a37	No error (0)	enemybotnet.com	93.123.39.105	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:55:44.282541990 CEST	65.21.1.106	192.168.2.13	0x96d4	No error (0)	enemybotnet.com	93.123.39.105	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:55:50.315283060 CEST	152.53.15.127	192.168.2.13	0x1e32	No error (0)	enemybotnet.com	93.123.39.105	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:55:51.339596987 CEST	194.36.144.87	192.168.2.13	0xf96f	No error (0)	enemybotnet.com	93.123.39.105	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:55:52.585464001 CEST	217.160.70.42	192.168.2.13	0x7817	No error (0)	enemybotnet.com	93.123.39.105	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:55:53.766793966 CEST	202.61.197.122	192.168.2.13	0xf360	No error (0)	enemybotnet.com	93.123.39.105	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:56:09.810997963 CEST	152.53.15.127	192.168.2.13	0xb179	No error (0)	enemybotnet.com	93.123.39.105	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:56:21.887299061 CEST	80.152.203.134	192.168.2.13	0x4fef	No error (0)	enemybotnet.com	93.123.39.105	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:56:22.913223028 CEST	194.36.144.87	192.168.2.13	0x8c16	No error (0)	enemybotnet.com	93.123.39.105	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: na.elf PID: 5840, Parent PID: 5583

General

Start time (UTC):	08:54:23
Start date (UTC):	08/10/2024
Path:	/tmp/na.elf
Arguments:	/tmp/na.elf
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: na.elf PID: 5843, Parent PID: 5840

General

Start time (UTC):	08:54:24
Start date (UTC):	08/10/2024
Path:	/tmp/na.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: na.elf PID: 5845, Parent PID: 5843

General

Start time (UTC):	08:54:24
Start date (UTC):	08/10/2024
Path:	/tmp/na.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: udisksd PID: 5854, Parent PID: 802

General

Start time (UTC):	08:54:24
Start date (UTC):	08/10/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Chronological Activities

Analysis Process: dumpe2fs PID: 5854, Parent PID: 802

General

Start time (UTC):	08:54:24
Start date (UTC):	08/10/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Chronological Activities

Analysis Process: udisksd PID: 5886, Parent PID: 802

General

Start time (UTC):	08:54:24
Start date (UTC):	08/10/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Chronological Activities

Analysis Process: dumpe2fs PID: 5886, Parent PID: 802

General

Start time (UTC):	08:54:24
Start date (UTC):	08/10/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Chronological Activities

Analysis Process: udisksd PID: 5906, Parent PID: 802

General

Start time (UTC):	08:54:24
Start date (UTC):	08/10/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Chronological Activities

Analysis Process: dumpe2fs PID: 5906, Parent PID: 802

General

Start time (UTC):	08:54:24
Start date (UTC):	08/10/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Chronological Activities

Analysis Process: systemd PID: 5957, Parent PID: 1

General

Start time (UTC):	08:55:01
Start date (UTC):	08/10/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: snap-failure PID: 5957, Parent PID: 1

General

Start time (UTC):	08:55:01
Start date (UTC):	08/10/2024
Path:	/usr/lib/snapd/snap-failure
Arguments:	/usr/lib/snapd/snap-failure snapd
File size:	4764904 bytes
MD5 hash:	69136a7d575731ce62349f2e4d3e5c36

Chronological Activities

Analysis Process: snap-failure PID: 5971, Parent PID: 5957

General

Start time (UTC):	08:55:01
Start date (UTC):	08/10/2024
Path:	/usr/lib/snapd/snap-failure
Arguments:	-
File size:	4764904 bytes
MD5 hash:	69136a7d575731ce62349f2e4d3e5c36

Chronological Activities

Analysis Process: systemctl PID: 5971, Parent PID: 5957

General

Start time (UTC):	08:55:01
Start date (UTC):	08/10/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl stop snapd.socket
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Chronological Activities

Analysis Process: snap-failure PID: 5972, Parent PID: 5957

General

Start time (UTC):	08:55:01
Start date (UTC):	08/10/2024
Path:	/usr/lib/snapd/snap-failure
Arguments:	-
File size:	4764904 bytes
MD5 hash:	69136a7d575731ce62349f2e4d3e5c36

Description:	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation, Service: Service Creation, Service: Service Modification
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report na.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: na.elf PID: 5840, Parent PID: 5583

General

Chronological Activities

Analysis Process: na.elf PID: 5843, Parent PID: 5840

General

Chronological Activities

Analysis Process: na.elf PID: 5845, Parent PID: 5843

General

Chronological Activities

Analysis Process: udisksd PID: 5854, Parent PID: 802

General

Chronological Activities

Analysis Process: dumpe2fs PID: 5854, Parent PID: 802

General

Chronological Activities

Analysis Process: udisksd PID: 5886, Parent PID: 802

General

Chronological Activities

Analysis Process: dumpe2fs PID: 5886, Parent PID: 802

General

Chronological Activities

Analysis Process: udisksd PID: 5906, Parent PID: 802

General

Chronological Activities

Linux Analysis Report
na.elf