Edit tour

Linux Analysis Report
arm7.elf

Overview

General Information

Sample name:	arm7.elf
Analysis ID:	1612116
MD5:	7408911cdb1a1c27f878110084a74711
SHA1:	47f878bf7fe963525e0c343e7a9cdc374288c93f
SHA256:	d35abf834e628eea2490e95f10e824ca6204e0d0385e5a6d7482a07eaf52399a
Tags:	user-elfdigest
Infos:

Detection

Mirai

Score:	72
Range:	0 - 100

Signatures

Multi AV Scanner detection for submitted file

Yara detected Mirai

Sample tries to kill multiple processes (SIGKILL)

Sends malformed DNS queries

Detected TCP or UDP traffic on non-standard ports

ELF contains segments with high entropy indicating compressed/encrypted content

Sample contains only a LOAD segment without any section mappings

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1612116
Start date and time:	2025-02-11 15:10:24 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	arm7.elf
Detection:	MAL
Classification:	mal72.spre.troj.linELF@0/0@8/0

Runtime Messages

Command:	/tmp/arm7.elf
PID:	5446
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	The Peoples Bank of China.
Standard Error:

Process Tree

system is lnxubuntu20

arm7.elf (PID: 5446, Parent: 5369, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/arm7.elf

arm7.elf New Fork (PID: 5449, Parent: 5446)

arm7.elf New Fork (PID: 5451, Parent: 5449)

arm7.elf New Fork (PID: 5453, Parent: 5449)

arm7.elf New Fork (PID: 5455, Parent: 5449)

gnome-session-binary New Fork (PID: 5458, Parent: 1588)

gdm3 New Fork (PID: 5477, Parent: 1400)

Default (PID: 5477, Parent: 1400, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

xfce4-session New Fork (PID: 5480, Parent: 2984)

gdm3 New Fork (PID: 5484, Parent: 1400)

Default (PID: 5484, Parent: 1400, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

xfce4-session New Fork (PID: 5485, Parent: 2984)

xfce4-session New Fork (PID: 5486, Parent: 2984)

xfce4-session New Fork (PID: 5487, Parent: 2984)

xfdesktop (PID: 5487, Parent: 2984, MD5: dfb13e1581f80065dcea16f2476f16f2) Arguments: xfdesktop --display :1.0 --sm-client-id 260d40b3c-9c6a-4cb1-bbe4-3557725aa528

xfce4-session New Fork (PID: 5489, Parent: 2984)

xfce4-panel (PID: 5489, Parent: 2984, MD5: a15b657c7d54ac1385f1f15004ea6784) Arguments: xfce4-panel --display :1.0 --sm-client-id 2d6b1caf2-8023-452b-bd0d-d23295482740

xfce4-session New Fork (PID: 5491, Parent: 2984)

xfce4-session New Fork (PID: 5492, Parent: 2984)

xfce4-session New Fork (PID: 5493, Parent: 2984)

xfdesktop (PID: 5493, Parent: 2984, MD5: dfb13e1581f80065dcea16f2476f16f2) Arguments: xfdesktop --display :1.0 --sm-client-id 260d40b3c-9c6a-4cb1-bbe4-3557725aa528

xfce4-session New Fork (PID: 5495, Parent: 2984)

xfce4-panel (PID: 5495, Parent: 2984, MD5: a15b657c7d54ac1385f1f15004ea6784) Arguments: xfce4-panel --display :1.0 --sm-client-id 2d6b1caf2-8023-452b-bd0d-d23295482740

xfce4-session New Fork (PID: 5497, Parent: 2984)

xfwm4 (PID: 5497, Parent: 2984, MD5: 59defa3c00cc30d85ed77b738d55e9da) Arguments: xfwm4 --display :1.0 --sm-client-id 27575c7dd-2dac-48f0-9f3a-eff67ec043e5

xfce4-session New Fork (PID: 5499, Parent: 2984)

xfdesktop (PID: 5499, Parent: 2984, MD5: dfb13e1581f80065dcea16f2476f16f2) Arguments: xfdesktop --display :1.0 --sm-client-id 260d40b3c-9c6a-4cb1-bbe4-3557725aa528

systemd New Fork (PID: 5510, Parent: 1)

systemd-user-runtime-dir (PID: 5510, Parent: 1, MD5: d55f4b0847f88131dbcfb07435178e54) Arguments: /lib/systemd/systemd-user-runtime-dir stop 127

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
5446.1.00007f44ec017000.00007f44ec034000.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
5446.1.00007f44ec017000.00007f44ec034000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5451.1.00007f44ec017000.00007f44ec034000.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
5451.1.00007f44ec017000.00007f44ec034000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5453.1.00007f44ec017000.00007f44ec034000.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
5453.1.00007f44ec017000.00007f44ec034000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Click to see the 1 entries

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: arm7.elf	Virustotal: Detection: 19%			Perma Link
Source: arm7.elf	ReversingLabs: Detection: 26%

Networking

Sends malformed DNS queries

Source: global traffic	DNS traffic detected: malformed DNS query: mykittler.ru. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: qittler.ru. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: cat-are-here.ru. [malformed]

Source: global traffic

TCP traffic: 192.168.2.13:43418 -> 185.93.89.106:34411

Source: /tmp/arm7.elf (PID: 5446)

Socket: 127.0.0.1:13301

Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 91.181.217.134
Source: unknown	TCP traffic detected without corresponding DNS query: 91.181.217.134
Source: unknown	TCP traffic detected without corresponding DNS query: 165.175.56.79
Source: unknown	TCP traffic detected without corresponding DNS query: 165.175.56.79
Source: unknown	TCP traffic detected without corresponding DNS query: 58.39.38.132
Source: unknown	TCP traffic detected without corresponding DNS query: 95.230.244.111
Source: unknown	TCP traffic detected without corresponding DNS query: 58.39.38.132
Source: unknown	TCP traffic detected without corresponding DNS query: 95.230.244.111
Source: unknown	TCP traffic detected without corresponding DNS query: 138.236.136.255
Source: unknown	TCP traffic detected without corresponding DNS query: 138.236.136.255
Source: unknown	TCP traffic detected without corresponding DNS query: 89.20.161.226
Source: unknown	TCP traffic detected without corresponding DNS query: 72.46.187.63
Source: unknown	TCP traffic detected without corresponding DNS query: 89.20.161.226
Source: unknown	TCP traffic detected without corresponding DNS query: 148.161.153.245
Source: unknown	TCP traffic detected without corresponding DNS query: 72.46.187.63
Source: unknown	TCP traffic detected without corresponding DNS query: 141.186.153.49
Source: unknown	TCP traffic detected without corresponding DNS query: 148.161.153.245
Source: unknown	TCP traffic detected without corresponding DNS query: 46.173.88.202
Source: unknown	TCP traffic detected without corresponding DNS query: 141.186.153.49
Source: unknown	TCP traffic detected without corresponding DNS query: 111.203.43.152
Source: unknown	TCP traffic detected without corresponding DNS query: 46.173.88.202
Source: unknown	TCP traffic detected without corresponding DNS query: 30.208.25.51
Source: unknown	TCP traffic detected without corresponding DNS query: 111.203.43.152
Source: unknown	TCP traffic detected without corresponding DNS query: 2.5.121.154
Source: unknown	TCP traffic detected without corresponding DNS query: 30.208.25.51
Source: unknown	TCP traffic detected without corresponding DNS query: 201.167.152.86
Source: unknown	TCP traffic detected without corresponding DNS query: 2.5.121.154
Source: unknown	TCP traffic detected without corresponding DNS query: 154.189.127.76
Source: unknown	TCP traffic detected without corresponding DNS query: 201.167.152.86
Source: unknown	TCP traffic detected without corresponding DNS query: 155.134.72.107
Source: unknown	TCP traffic detected without corresponding DNS query: 154.189.127.76
Source: unknown	TCP traffic detected without corresponding DNS query: 64.172.161.122
Source: unknown	TCP traffic detected without corresponding DNS query: 155.134.72.107
Source: unknown	TCP traffic detected without corresponding DNS query: 64.172.161.122
Source: unknown	TCP traffic detected without corresponding DNS query: 13.243.147.25
Source: unknown	TCP traffic detected without corresponding DNS query: 13.243.147.25
Source: unknown	TCP traffic detected without corresponding DNS query: 169.62.5.243
Source: unknown	TCP traffic detected without corresponding DNS query: 169.62.5.243
Source: unknown	TCP traffic detected without corresponding DNS query: 60.244.171.151
Source: unknown	TCP traffic detected without corresponding DNS query: 195.190.58.140
Source: unknown	TCP traffic detected without corresponding DNS query: 60.244.171.151
Source: unknown	TCP traffic detected without corresponding DNS query: 138.68.246.130
Source: unknown	TCP traffic detected without corresponding DNS query: 195.190.58.140
Source: unknown	TCP traffic detected without corresponding DNS query: 138.68.246.130
Source: unknown	TCP traffic detected without corresponding DNS query: 21.25.163.174
Source: unknown	TCP traffic detected without corresponding DNS query: 21.25.163.174
Source: unknown	TCP traffic detected without corresponding DNS query: 59.146.163.31
Source: unknown	TCP traffic detected without corresponding DNS query: 59.146.163.31
Source: unknown	TCP traffic detected without corresponding DNS query: 22.241.39.148
Source: unknown	TCP traffic detected without corresponding DNS query: 218.123.237.214

Source: global traffic	DNS traffic detected: DNS query: gokittler.ru
Source: global traffic	DNS traffic detected: DNS query: mykittler.ru
Source: global traffic	DNS traffic detected: DNS query: thekittler.ru
Source: global traffic	DNS traffic detected: DNS query: mykittler.ru. [malformed]
Source: global traffic	DNS traffic detected: DNS query: qittler.ru. [malformed]
Source: global traffic	DNS traffic detected: DNS query: cat-are-here.ru. [malformed]

Source: arm7.elf, 5446.1.00007f44ec017000.00007f44ec034000.r-x.sdmp, arm7.elf, 5451.1.00007f44ec017000.00007f44ec034000.r-x.sdmp, arm7.elf, 5453.1.00007f44ec017000.00007f44ec034000.r-x.sdmp	String found in binary or memory: http:///curl.sh
Source: arm7.elf, 5446.1.00007f44ec017000.00007f44ec034000.r-x.sdmp, arm7.elf, 5451.1.00007f44ec017000.00007f44ec034000.r-x.sdmp, arm7.elf, 5453.1.00007f44ec017000.00007f44ec034000.r-x.sdmp	String found in binary or memory: http:///wget.sh

System Summary

Sample tries to kill multiple processes (SIGKILL)

Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 726, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 727, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 792, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 884, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 1563, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 1745, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 1805, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 2961, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 2964, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 2984, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 3069, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 3114, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 3132, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 3134, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 3146, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 3147, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 3153, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 3158, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 3181, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 3183, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 3185, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 3203, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 3220, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 5432, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 5451, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 5453, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 5480, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 5485, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 5486, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 5487, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 5488, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 5489, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 5490, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 5491, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 5492, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 5493, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 5494, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 5495, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 5496, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 5497, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 5498, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 5499, result: successful	Jump to behavior

Source: LOAD without section mappings

Program segment: 0x8000

Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 726, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 727, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 792, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 884, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 1563, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 1745, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 1805, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 2961, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 2964, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 2984, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 3069, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 3114, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 3132, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 3134, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 3146, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 3147, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 3153, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 3158, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 3181, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 3183, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 3185, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 3203, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 3220, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 5432, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 5451, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 5453, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 5480, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 5485, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 5486, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 5487, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 5488, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 5489, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 5490, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 5491, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 5492, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 5493, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 5494, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 5495, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 5496, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 5497, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 5498, result: successful	Jump to behavior
Source: /tmp/arm7.elf (PID: 5455)	SIGKILL sent: pid: 5499, result: successful	Jump to behavior

Source: classification engine

Classification label: mal72.spre.troj.linELF@0/0@8/0

Source: arm7.elf	Submission file: segment LOAD with 7.8864 entropy (max. 8.0)
Source: arm7.elf	Submission file: segment LOAD with 7.977 entropy (max. 8.0)

Source: /tmp/arm7.elf (PID: 5446)

Queries kernel information via 'uname':

Jump to behavior

Source: arm7.elf, 5453.1.00007f44ec017000.00007f44ec034000.r-x.sdmp	Binary or memory string: vmware
Source: arm7.elf, 5446.1.0000557e57656000.0000557e577aa000.rw-.sdmp, arm7.elf, 5451.1.0000557e57656000.0000557e57784000.rw-.sdmp, arm7.elf, 5453.1.0000557e57656000.0000557e57784000.rw-.sdmp	Binary or memory string: fW~U!/etc/qemu-binfmt/arm
Source: arm7.elf, 5453.1.00007f44ec017000.00007f44ec034000.r-x.sdmp	Binary or memory string: vmware123
Source: arm7.elf, 5446.1.0000557e57656000.0000557e577aa000.rw-.sdmp, arm7.elf, 5451.1.0000557e57656000.0000557e57784000.rw-.sdmp, arm7.elf, 5453.1.0000557e57656000.0000557e57784000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: arm7.elf, 5446.1.00007ffe0583e000.00007ffe0585f000.rw-.sdmp, arm7.elf, 5451.1.00007ffe0583e000.00007ffe0585f000.rw-.sdmp, arm7.elf, 5453.1.00007ffe0583e000.00007ffe0585f000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: arm7.elf, 5453.1.00007f44ec017000.00007f44ec034000.r-x.sdmp	Binary or memory string: rootPon521Zte521root621vizxvoelinux123wabjtamZxic521tsgoingonxc3511solokeydefaulta1sev5y7c39khkipc2016unisheenFireituphslwificam5upjvbzd1001chinsystemzlxx.7ujMko0vizxv1234horsesantslqxc12345xmhdipcicatch99founder88xirtamtaZz@01/*6.=_jat0talc0ntr0l4!7ujMko0admintelecomadminipcam_rt5350juantechdreamboxIPCam@swzhongxinghi3518hg2x0dropperipc71aroot123telnetipcamgrouterGM8182200808263ep5w2uadmin123admin1234admin@123BrAhMoS@15GeNeXiS@19firetide2601hxservicepasswordsupportadmintelnetadminadmintelecomguestftpnobodydaemon1cDuLJ7ctlJwpbo6S2fGqNFsOxhlwSG8lJwpbo6tluafedbinvstarcam201520150602supporthikvisione8ehomeasbe8ehomee8telnetciscopass123sascottmotorolaROOT500zte9x15cisco123smcadmincsadmincolasoftadminadminsysmanagersysmanager888firewallsys123manager!1fw@2soc#3vpnAdmincyberauditsafetybasehillstonesupermantalenteyouusereyou_admineyougwadmin@(eyou)+-ccccccyouadmintelentadministratoradminpwdvenus70Auditadmlenovovenus60testadminerleadsec.wafauditadminer3100adminer3200adminer3260leadsec1234567root12345root123456root12345678root12345678987654321root1234567890ruleabc123huaweihuawei@1234telnetusertelnetpwdftpuserftppwdAdmin@123h3capadminh3cvenus.fwvenus.audituseradminvenus.userweboperwebauditconadminshell1q2w3e1q2w3e4rauditoroperatoradmin666admin12345admin123456weblogicROOTweblogic12311111111111test123synnettomcattomcat1231234qwerreecam4dettnetip400ho4uku6atPlcmSpIpchangemepa55w0rdpublicfivranneubntpassServ4EMCklv1234ahetzip8awind5885AdministratorbuhrooterCenturyL1nkankoivdevrealtekBGCVDSL2adslolitecip3000calvincat1029comcomcom!roothunt5759extendnetfliradminusuariogvt12345supervisorzyad1234qrstklv123davoxzsun1188xad#12bayandsl3wareradius3UJUh2VemEfUtetoorbintecUq-4GIt3Mwysecoolphoenix579nE7jA%5mmicrobusinessPASSWORDmeinsmcms500adslnadamgiraff666666zoomadslsuperadminIs@dminikwbalpineasantepuconexantaquariotinitsunamivertex25ektks123inflectionip20anicuscADMINpermitpldtadminonexantdvr2580222Win1doW$true5432112341234JVC3500/24sitecom46ironport88888888uClinuxvolition2800tslinuxsecurityatlantis888888nCwMnJVGagbaby00000000openelec1111111kont2004rpitc123123696969362729atc456hp.comcycl3R0cks!letacla000000nosoup4u11111111Gin51mvf3mg3500merlin99999999admin1anni201322222mlusrlogin3333333adminpldtbbsd-clientchangeme2support123aerohiveadmin00vmware123utstartl789l3tm31nseiko2005tivonpw,ba23422222222admintrupt1789admdarkcusadminhighspeedascendMenarasysAdmin33333oracleanicust3333wbox123attackAscendAitbISP4eCiGadmin@mymifi2222222dPZb4GJTu9ROOMeins1988321piloucomcastsetupZmqVfoSIP333333michelangeloCOadmin123Zntslqblendervt100admin_1pfsensehellotest1my_DEMARCjvswitchezdvr7ujMko0root/ADMIN/adminlvjhadminlvjh1232010vstaxmhdpicruntop10qwertyQwestM0demqweasdzxguest123h2014071TANDBERGWprootarkeiachangemenowf00b@rarticawww9311supersurtiwkbadmintesthuigu309UsernetscreenpitaZz@23495859Root1password123fidel123annie2016asdfghdottietwe8ehomebatman123hackedwelcomeyellowD13hh[china123p@ssw0rdjordanhackmewagodasdec1patrickgforgeEminemspidermansparkypassword1shadowgatewaydiamondprincessflowerch
Source: arm7.elf, 5446.1.00007ffe0583e000.00007ffe0585f000.rw-.sdmp, arm7.elf, 5451.1.00007ffe0583e000.00007ffe0585f000.rw-.sdmp, arm7.elf, 5453.1.00007ffe0583e000.00007ffe0585f000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/arm7.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm7.elf

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: 5446.1.00007f44ec017000.00007f44ec034000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5451.1.00007f44ec017000.00007f44ec034000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5453.1.00007f44ec017000.00007f44ec034000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: 5446.1.00007f44ec017000.00007f44ec034000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5451.1.00007f44ec017000.00007f44ec034000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5453.1.00007f44ec017000.00007f44ec034000.r-x.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Obfuscated Files or Information	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	1 Service Stop
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
arm7.elf	19%	Virustotal		Browse
arm7.elf	26%	ReversingLabs	Linux.Backdoor.Mirai

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
thekittler.ru	185.93.89.106	true	false	high
mykittler.ru	185.93.89.106	true	false	high
gokittler.ru	185.93.89.106	true	false	high
qittler.ru. [malformed]	unknown	unknown	false	high
cat-are-here.ru. [malformed]	unknown	unknown	false	high
mykittler.ru. [malformed]	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http:///wget.sh	arm7.elf, 5446.1.00007f44ec017000.00007f44ec034000.r-x.sdmp, arm7.elf, 5451.1.00007f44ec017000.00007f44ec034000.r-x.sdmp, arm7.elf, 5453.1.00007f44ec017000.00007f44ec034000.r-x.sdmp	false		high
http:///curl.sh	arm7.elf, 5446.1.00007f44ec017000.00007f44ec034000.r-x.sdmp, arm7.elf, 5451.1.00007f44ec017000.00007f44ec034000.r-x.sdmp, arm7.elf, 5453.1.00007f44ec017000.00007f44ec034000.r-x.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
148.161.153.245	unknown	Japan	6400	CompaniaDominicanadeTelefonosSADO	false
24.201.60.128	unknown	Canada	5769	VIDEOTRONCA	false
59.146.163.31	unknown	Japan	2527	SO-NETSo-netEntertainmentCorporationJP	false
139.117.32.9	unknown	Norway	5619	EVRY-NO	false
215.36.246.225	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
61.94.231.254	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	false
72.46.187.63	unknown	United States	53347	PREMIER-COMMUNICATIONSUS	false
165.175.56.79	unknown	United States	36092	CENTENEUS	false
141.186.153.49	unknown	United States	197921	HBTFJO	false
155.134.72.107	unknown	United States	37532	ZAMRENZM	false
95.230.244.111	unknown	Italy	3269	ASN-IBSNAZIT	false
60.244.171.151	unknown	Taiwan; Republic of China (ROC)	7482	APOL-ASAsiaPacificOn-lineServiceIncTW	false
53.79.19.174	unknown	Germany	31399	DAIMLER-ASITIGNGlobalNetworkDE	false
58.39.38.132	unknown	China	4812	CHINANET-SH-APChinaTelecomGroupCN	false
197.150.145.197	unknown	Egypt	37069	MOBINILEG	false
46.173.88.202	unknown	Ukraine	48004	KCT-ASFiordUA	false
19.59.84.20	unknown	United States	3	MIT-GATEWAYSUS	false
55.207.25.18	unknown	United States	1541	DNIC-ASBLK-01534-01546US	false
218.123.237.214	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
169.62.5.243	unknown	United States	36351	SOFTLAYERUS	false
91.181.217.134	unknown	Belgium	5432	PROXIMUS-ISP-ASBE	false
138.236.136.255	unknown	United States	17234	GACUS	false
111.203.43.152	unknown	China	4808	CHINA169-BJChinaUnicomBeijingProvinceNetworkCN	false
62.210.34.57	unknown	France	12876	OnlineSASFR	false
89.20.161.226	unknown	Netherlands	39686	ASN-EUROFIBERNL	false
30.208.25.51	unknown	United States	7922	COMCAST-7922US	false
22.241.39.148	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
185.93.89.106	thekittler.ru	United Kingdom	200861	TS-EMEA-ASNGB	false
152.7.171.162	unknown	United States	11442	NCSUUS	false
72.50.198.157	unknown	United States	10242	USINTERNETUS	false
218.135.85.145	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
74.97.134.79	unknown	United States	701	UUNETUS	false
201.167.152.86	unknown	Mexico	16960	CablevisionRedSAdeCVMX	false
64.172.161.122	unknown	United States	7132	SBIS-ASUS	false
33.193.91.1	unknown	United States	2686	ATGS-MMD-ASUS	false
154.189.127.76	unknown	Egypt	8452	TE-ASTE-ASEG	false
138.68.246.130	unknown	United States	14061	DIGITALOCEAN-ASNUS	false
195.190.58.140	unknown	Greece	8499	SPACE_HELLAS_AS8499SpaceHellasNetworkOperationCenterN	false
21.25.163.174	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
2.5.121.154	unknown	France	3215	FranceTelecom-OrangeFR	false
13.243.147.25	unknown	United States	16509	AMAZON-02US	false
134.99.44.34	unknown	Germany	3209	VODANETInternationalIP-BackboneofVodafoneDE	false
93.218.127.174	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
205.201.60.109	unknown	United States	22147	PACKETSURGEUS	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.93.89.106	dlr.mips.elf	Get hash	malicious	Mirai	Browse	/mips
	dlr.arm6.elf	Get hash	malicious	Mirai	Browse	/arm6
	dlr.arm7.elf	Get hash	malicious	Mirai	Browse	/arm7

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mykittler.ru	rep.m68k.elf	Get hash	malicious	Mirai	Browse	185.93.89.106
mykittler.ru	rep.arm7.elf	Get hash	malicious	Mirai	Browse	156.229.232.99
thekittler.ru	rep.spc.elf	Get hash	malicious	Unknown	Browse	156.229.232.99
gokittler.ru	Kloki.mpsl.elf	Get hash	malicious	Gafgyt	Browse	83.222.190.91
gokittler.ru	rep.sh4.elf	Get hash	malicious	Unknown	Browse	156.229.232.99

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SO-NETSo-netEntertainmentCorporationJP	jklarm.elf	Get hash	malicious	Unknown	Browse	143.189.22.12
	nklmpsl.elf	Get hash	malicious	Unknown	Browse	210.174.254.97
	mpsl.elf	Get hash	malicious	Mirai	Browse	131.147.132.9
	botnet.arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	39.111.20.83
	botnet.spc.elf	Get hash	malicious	Mirai, Moobot	Browse	157.147.21.37
	x86.elf	Get hash	malicious	Mirai, Moobot	Browse	157.147.104.132
	arm.elf	Get hash	malicious	Mirai, Moobot	Browse	157.147.239.186
	Hgf.x86.elf	Get hash	malicious	Mirai	Browse	150.246.120.78
	b1.elf	Get hash	malicious	Unknown	Browse	157.147.239.179
	Fantazy.sh4.elf	Get hash	malicious	Unknown	Browse	120.74.145.110
VIDEOTRONCA	nabarm.elf	Get hash	malicious	Unknown	Browse	96.22.35.162
	splm68k.elf	Get hash	malicious	Unknown	Browse	216.113.59.181
	x86.elf	Get hash	malicious	Unknown	Browse	96.23.113.126
	nklmpsl.elf	Get hash	malicious	Unknown	Browse	216.113.12.149
	arm7.elf	Get hash	malicious	Mirai	Browse	96.22.11.211
	res.mpsl.elf	Get hash	malicious	Unknown	Browse	184.160.42.112
	botx.x86.elf	Get hash	malicious	Mirai	Browse	74.56.51.206
	arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	70.81.60.233
	splarm5.elf	Get hash	malicious	Unknown	Browse	107.171.142.252
	nabspc.elf	Get hash	malicious	Unknown	Browse	45.45.190.45
CompaniaDominicanadeTelefonosSADO	splarm7.elf	Get hash	malicious	Unknown	Browse	152.129.101.225
	nklarm5.elf	Get hash	malicious	Unknown	Browse	150.94.1.251
	nklmips.elf	Get hash	malicious	Unknown	Browse	148.45.32.221
	mips.elf	Get hash	malicious	Unknown	Browse	150.77.171.153
	arm5.elf	Get hash	malicious	Unknown	Browse	148.43.147.62
	botnet.arm.elf	Get hash	malicious	Mirai, Moobot	Browse	148.128.115.150
	botnet.arm5.elf	Get hash	malicious	Mirai, Moobot	Browse	152.144.49.149
	botnet.sh4.elf	Get hash	malicious	Mirai, Moobot	Browse	186.7.134.4
	mips.elf	Get hash	malicious	Mirai, Moobot	Browse	148.176.130.98
	ppc.elf	Get hash	malicious	Mirai, Moobot	Browse	152.154.234.122

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, no section header
Entropy (8bit):	7.985752647091721
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	arm7.elf
File size:	66'760 bytes
MD5:	7408911cdb1a1c27f878110084a74711
SHA1:	47f878bf7fe963525e0c343e7a9cdc374288c93f
SHA256:	d35abf834e628eea2490e95f10e824ca6204e0d0385e5a6d7482a07eaf52399a
SHA512:	aa1dc27ebd1e68155d6a51f6344533fe15cf65eb4d9a4ef9ed0e21161a2fcebc63fa18d328e8c58db00cac8a2f78be98aa9bf3c01aa511b8a686c956b5cd0818
SSDEEP:	768:bJw3x0gp8ztSOa+65tlOxfxRPvH8+7t0fdBzlR/ElsjKUig4ef2Nq3UoewzDLQhp:bGOS06Pl20+7Ofc4KUig4ACnp
TLSH:	D863023F965CD959EA908E718D58C9C831B65DE074FB34A543B8FE0836CB08B26F7425
File Content Preview:	.ELF..............(.....\|/..4...........4. ...(.....................................................k...k...........Q.td..............................t.sfga....................m..........?.E.h;....#..$...o...!..6w...S."...~....+.9.b.....>.........s...\|...

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - Linux
ABI Version:	0
Entry Point Address:	0x42f7c
Flags:	0x4000002
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0x8000	0x8000	0x1000	0x28ca8	7.8864	0x6	RW	0x8000
LOAD	0x0	0x38000	0x38000	0xc16b	0xc16b	7.9770	0x5	R E	0x8000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 11, 2025 15:11:12.640172005 CET	57508	23	192.168.2.13	91.181.217.134
Feb 11, 2025 15:11:12.645116091 CET	23	57508	91.181.217.134	192.168.2.13
Feb 11, 2025 15:11:12.645163059 CET	57508	23	192.168.2.13	91.181.217.134
Feb 11, 2025 15:11:12.645401001 CET	43268	23	192.168.2.13	165.175.56.79
Feb 11, 2025 15:11:12.651345968 CET	23	43268	165.175.56.79	192.168.2.13
Feb 11, 2025 15:11:12.651426077 CET	43268	23	192.168.2.13	165.175.56.79
Feb 11, 2025 15:11:12.651941061 CET	52734	23	192.168.2.13	58.39.38.132
Feb 11, 2025 15:11:12.655822039 CET	37450	23	192.168.2.13	95.230.244.111
Feb 11, 2025 15:11:12.656800985 CET	23	52734	58.39.38.132	192.168.2.13
Feb 11, 2025 15:11:12.656867027 CET	52734	23	192.168.2.13	58.39.38.132
Feb 11, 2025 15:11:12.660618067 CET	23	37450	95.230.244.111	192.168.2.13
Feb 11, 2025 15:11:12.661138058 CET	37450	23	192.168.2.13	95.230.244.111
Feb 11, 2025 15:11:12.667937994 CET	52152	23	192.168.2.13	138.236.136.255
Feb 11, 2025 15:11:12.670876026 CET	43418	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:12.672780037 CET	23	52152	138.236.136.255	192.168.2.13
Feb 11, 2025 15:11:12.672832966 CET	52152	23	192.168.2.13	138.236.136.255
Feb 11, 2025 15:11:12.673407078 CET	46800	23	192.168.2.13	89.20.161.226
Feb 11, 2025 15:11:12.675645113 CET	34411	43418	185.93.89.106	192.168.2.13
Feb 11, 2025 15:11:12.675741911 CET	43418	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:12.676140070 CET	33604	23	192.168.2.13	72.46.187.63
Feb 11, 2025 15:11:12.678246975 CET	23	46800	89.20.161.226	192.168.2.13
Feb 11, 2025 15:11:12.678888083 CET	46800	23	192.168.2.13	89.20.161.226
Feb 11, 2025 15:11:12.679805040 CET	43418	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:12.680185080 CET	37470	23	192.168.2.13	148.161.153.245
Feb 11, 2025 15:11:12.680948019 CET	23	33604	72.46.187.63	192.168.2.13
Feb 11, 2025 15:11:12.680993080 CET	33604	23	192.168.2.13	72.46.187.63
Feb 11, 2025 15:11:12.682965040 CET	49142	23	192.168.2.13	141.186.153.49
Feb 11, 2025 15:11:12.684560061 CET	34411	43418	185.93.89.106	192.168.2.13
Feb 11, 2025 15:11:12.684609890 CET	43418	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:12.684954882 CET	23	37470	148.161.153.245	192.168.2.13
Feb 11, 2025 15:11:12.685025930 CET	37470	23	192.168.2.13	148.161.153.245
Feb 11, 2025 15:11:12.686315060 CET	46964	23	192.168.2.13	46.173.88.202
Feb 11, 2025 15:11:12.687774897 CET	23	49142	141.186.153.49	192.168.2.13
Feb 11, 2025 15:11:12.687835932 CET	49142	23	192.168.2.13	141.186.153.49
Feb 11, 2025 15:11:12.689173937 CET	52938	23	192.168.2.13	111.203.43.152
Feb 11, 2025 15:11:12.689398050 CET	34411	43418	185.93.89.106	192.168.2.13
Feb 11, 2025 15:11:12.691095114 CET	23	46964	46.173.88.202	192.168.2.13
Feb 11, 2025 15:11:12.691226006 CET	46964	23	192.168.2.13	46.173.88.202
Feb 11, 2025 15:11:12.692843914 CET	33468	23	192.168.2.13	30.208.25.51
Feb 11, 2025 15:11:12.693947077 CET	23	52938	111.203.43.152	192.168.2.13
Feb 11, 2025 15:11:12.694015980 CET	52938	23	192.168.2.13	111.203.43.152
Feb 11, 2025 15:11:12.697016001 CET	33816	23	192.168.2.13	2.5.121.154
Feb 11, 2025 15:11:12.697593927 CET	23	33468	30.208.25.51	192.168.2.13
Feb 11, 2025 15:11:12.697643042 CET	33468	23	192.168.2.13	30.208.25.51
Feb 11, 2025 15:11:12.700345993 CET	50680	23	192.168.2.13	201.167.152.86
Feb 11, 2025 15:11:12.701802015 CET	23	33816	2.5.121.154	192.168.2.13
Feb 11, 2025 15:11:12.701848984 CET	33816	23	192.168.2.13	2.5.121.154
Feb 11, 2025 15:11:12.702688932 CET	45072	23	192.168.2.13	154.189.127.76
Feb 11, 2025 15:11:12.705101013 CET	23	50680	201.167.152.86	192.168.2.13
Feb 11, 2025 15:11:12.705142975 CET	50680	23	192.168.2.13	201.167.152.86
Feb 11, 2025 15:11:12.705744028 CET	55282	23	192.168.2.13	155.134.72.107
Feb 11, 2025 15:11:12.707457066 CET	23	45072	154.189.127.76	192.168.2.13
Feb 11, 2025 15:11:12.707504034 CET	45072	23	192.168.2.13	154.189.127.76
Feb 11, 2025 15:11:12.708425999 CET	36912	23	192.168.2.13	64.172.161.122
Feb 11, 2025 15:11:12.710508108 CET	23	55282	155.134.72.107	192.168.2.13
Feb 11, 2025 15:11:12.710629940 CET	55282	23	192.168.2.13	155.134.72.107
Feb 11, 2025 15:11:12.713187933 CET	23	36912	64.172.161.122	192.168.2.13
Feb 11, 2025 15:11:12.716558933 CET	36912	23	192.168.2.13	64.172.161.122
Feb 11, 2025 15:11:12.760152102 CET	44686	23	192.168.2.13	13.243.147.25
Feb 11, 2025 15:11:12.764997005 CET	23	44686	13.243.147.25	192.168.2.13
Feb 11, 2025 15:11:12.765050888 CET	44686	23	192.168.2.13	13.243.147.25
Feb 11, 2025 15:11:12.765192032 CET	56902	23	192.168.2.13	169.62.5.243
Feb 11, 2025 15:11:12.770107031 CET	23	56902	169.62.5.243	192.168.2.13
Feb 11, 2025 15:11:12.770157099 CET	56902	23	192.168.2.13	169.62.5.243
Feb 11, 2025 15:11:12.771455050 CET	55890	23	192.168.2.13	60.244.171.151
Feb 11, 2025 15:11:12.775898933 CET	53206	23	192.168.2.13	195.190.58.140
Feb 11, 2025 15:11:12.776278973 CET	23	55890	60.244.171.151	192.168.2.13
Feb 11, 2025 15:11:12.776328087 CET	55890	23	192.168.2.13	60.244.171.151
Feb 11, 2025 15:11:12.779860020 CET	43802	23	192.168.2.13	138.68.246.130
Feb 11, 2025 15:11:12.780659914 CET	23	53206	195.190.58.140	192.168.2.13
Feb 11, 2025 15:11:12.780713081 CET	53206	23	192.168.2.13	195.190.58.140
Feb 11, 2025 15:11:12.784646034 CET	23	43802	138.68.246.130	192.168.2.13
Feb 11, 2025 15:11:12.784698963 CET	43802	23	192.168.2.13	138.68.246.130
Feb 11, 2025 15:11:12.784863949 CET	33992	23	192.168.2.13	62.210.34.57
Feb 11, 2025 15:11:12.789360046 CET	37910	23	192.168.2.13	21.25.163.174
Feb 11, 2025 15:11:12.789649963 CET	23	33992	62.210.34.57	192.168.2.13
Feb 11, 2025 15:11:12.789937019 CET	33992	23	192.168.2.13	62.210.34.57
Feb 11, 2025 15:11:12.794188976 CET	23	37910	21.25.163.174	192.168.2.13
Feb 11, 2025 15:11:12.794286966 CET	37910	23	192.168.2.13	21.25.163.174
Feb 11, 2025 15:11:12.918207884 CET	54066	23	192.168.2.13	59.146.163.31
Feb 11, 2025 15:11:12.923172951 CET	23	54066	59.146.163.31	192.168.2.13
Feb 11, 2025 15:11:12.923316956 CET	54066	23	192.168.2.13	59.146.163.31
Feb 11, 2025 15:11:12.942357063 CET	38938	23	192.168.2.13	22.241.39.148
Feb 11, 2025 15:11:12.945396900 CET	48170	23	192.168.2.13	218.123.237.214
Feb 11, 2025 15:11:12.947686911 CET	23	38938	22.241.39.148	192.168.2.13
Feb 11, 2025 15:11:12.947772026 CET	38938	23	192.168.2.13	22.241.39.148
Feb 11, 2025 15:11:12.950198889 CET	23	48170	218.123.237.214	192.168.2.13
Feb 11, 2025 15:11:12.950289965 CET	48170	23	192.168.2.13	218.123.237.214
Feb 11, 2025 15:11:12.972138882 CET	47042	23	192.168.2.13	53.79.19.174
Feb 11, 2025 15:11:12.976617098 CET	42452	23	192.168.2.13	134.99.44.34
Feb 11, 2025 15:11:12.976991892 CET	23	47042	53.79.19.174	192.168.2.13
Feb 11, 2025 15:11:12.977066994 CET	47042	23	192.168.2.13	53.79.19.174
Feb 11, 2025 15:11:12.983208895 CET	58832	23	192.168.2.13	74.97.134.79
Feb 11, 2025 15:11:12.984966040 CET	23	42452	134.99.44.34	192.168.2.13
Feb 11, 2025 15:11:12.985033989 CET	42452	23	192.168.2.13	134.99.44.34
Feb 11, 2025 15:11:12.988004923 CET	23	58832	74.97.134.79	192.168.2.13
Feb 11, 2025 15:11:12.988095045 CET	58832	23	192.168.2.13	74.97.134.79
Feb 11, 2025 15:11:12.989181995 CET	52114	23	192.168.2.13	152.7.171.162
Feb 11, 2025 15:11:12.997684002 CET	23	52114	152.7.171.162	192.168.2.13
Feb 11, 2025 15:11:12.997751951 CET	52114	23	192.168.2.13	152.7.171.162
Feb 11, 2025 15:11:13.018923998 CET	57226	23	192.168.2.13	24.201.60.128
Feb 11, 2025 15:11:13.024118900 CET	38582	23	192.168.2.13	139.117.32.9
Feb 11, 2025 15:11:13.024966002 CET	23	57226	24.201.60.128	192.168.2.13
Feb 11, 2025 15:11:13.025021076 CET	57226	23	192.168.2.13	24.201.60.128
Feb 11, 2025 15:11:13.028940916 CET	23	38582	139.117.32.9	192.168.2.13
Feb 11, 2025 15:11:13.028995991 CET	38582	23	192.168.2.13	139.117.32.9
Feb 11, 2025 15:11:13.047019958 CET	51188	23	192.168.2.13	19.59.84.20
Feb 11, 2025 15:11:13.051842928 CET	23	51188	19.59.84.20	192.168.2.13
Feb 11, 2025 15:11:13.051912069 CET	51188	23	192.168.2.13	19.59.84.20
Feb 11, 2025 15:11:13.053529978 CET	49486	23	192.168.2.13	215.36.246.225
Feb 11, 2025 15:11:13.058610916 CET	23	49486	215.36.246.225	192.168.2.13
Feb 11, 2025 15:11:13.058737993 CET	49486	23	192.168.2.13	215.36.246.225
Feb 11, 2025 15:11:13.060329914 CET	42752	23	192.168.2.13	205.201.60.109
Feb 11, 2025 15:11:13.064414024 CET	38914	23	192.168.2.13	218.135.85.145
Feb 11, 2025 15:11:13.067490101 CET	23	42752	205.201.60.109	192.168.2.13
Feb 11, 2025 15:11:13.067538977 CET	42752	23	192.168.2.13	205.201.60.109
Feb 11, 2025 15:11:13.070897102 CET	59320	23	192.168.2.13	33.193.91.1
Feb 11, 2025 15:11:13.071995974 CET	23	38914	218.135.85.145	192.168.2.13
Feb 11, 2025 15:11:13.072046995 CET	38914	23	192.168.2.13	218.135.85.145
Feb 11, 2025 15:11:13.075110912 CET	33994	23	192.168.2.13	72.50.198.157
Feb 11, 2025 15:11:13.078099966 CET	23	59320	33.193.91.1	192.168.2.13
Feb 11, 2025 15:11:13.078155994 CET	59320	23	192.168.2.13	33.193.91.1
Feb 11, 2025 15:11:13.080420971 CET	51404	23	192.168.2.13	55.207.25.18
Feb 11, 2025 15:11:13.082479954 CET	23	33994	72.50.198.157	192.168.2.13
Feb 11, 2025 15:11:13.082530022 CET	33994	23	192.168.2.13	72.50.198.157
Feb 11, 2025 15:11:13.085014105 CET	59304	23	192.168.2.13	197.150.145.197
Feb 11, 2025 15:11:13.088980913 CET	23	51404	55.207.25.18	192.168.2.13
Feb 11, 2025 15:11:13.089090109 CET	51404	23	192.168.2.13	55.207.25.18
Feb 11, 2025 15:11:13.091634989 CET	23	59304	197.150.145.197	192.168.2.13
Feb 11, 2025 15:11:13.091990948 CET	59304	23	192.168.2.13	197.150.145.197
Feb 11, 2025 15:11:13.099051952 CET	36918	23	192.168.2.13	61.94.231.254
Feb 11, 2025 15:11:13.103899956 CET	23	36918	61.94.231.254	192.168.2.13
Feb 11, 2025 15:11:13.103952885 CET	36918	23	192.168.2.13	61.94.231.254
Feb 11, 2025 15:11:13.159337997 CET	59984	23	192.168.2.13	93.218.127.174
Feb 11, 2025 15:11:13.164207935 CET	23	59984	93.218.127.174	192.168.2.13
Feb 11, 2025 15:11:13.164262056 CET	59984	23	192.168.2.13	93.218.127.174
Feb 11, 2025 15:11:13.277529955 CET	34411	43418	185.93.89.106	192.168.2.13
Feb 11, 2025 15:11:13.277640104 CET	43418	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:13.277812958 CET	43418	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:13.366628885 CET	59984	23	192.168.2.13	93.218.127.174
Feb 11, 2025 15:11:13.366652966 CET	36918	23	192.168.2.13	61.94.231.254
Feb 11, 2025 15:11:13.366653919 CET	51404	23	192.168.2.13	55.207.25.18
Feb 11, 2025 15:11:13.366657972 CET	59304	23	192.168.2.13	197.150.145.197
Feb 11, 2025 15:11:13.366681099 CET	59320	23	192.168.2.13	33.193.91.1
Feb 11, 2025 15:11:13.366681099 CET	38914	23	192.168.2.13	218.135.85.145
Feb 11, 2025 15:11:13.366687059 CET	33994	23	192.168.2.13	72.50.198.157
Feb 11, 2025 15:11:13.366703033 CET	51188	23	192.168.2.13	19.59.84.20
Feb 11, 2025 15:11:13.366703033 CET	42752	23	192.168.2.13	205.201.60.109
Feb 11, 2025 15:11:13.366705894 CET	49486	23	192.168.2.13	215.36.246.225
Feb 11, 2025 15:11:13.366725922 CET	38582	23	192.168.2.13	139.117.32.9
Feb 11, 2025 15:11:13.366728067 CET	57226	23	192.168.2.13	24.201.60.128
Feb 11, 2025 15:11:13.366729975 CET	52114	23	192.168.2.13	152.7.171.162
Feb 11, 2025 15:11:13.366750002 CET	42452	23	192.168.2.13	134.99.44.34
Feb 11, 2025 15:11:13.366754055 CET	58832	23	192.168.2.13	74.97.134.79
Feb 11, 2025 15:11:13.366786957 CET	38938	23	192.168.2.13	22.241.39.148
Feb 11, 2025 15:11:13.366786957 CET	37910	23	192.168.2.13	21.25.163.174
Feb 11, 2025 15:11:13.366786957 CET	48170	23	192.168.2.13	218.123.237.214
Feb 11, 2025 15:11:13.366789103 CET	47042	23	192.168.2.13	53.79.19.174
Feb 11, 2025 15:11:13.366789103 CET	33992	23	192.168.2.13	62.210.34.57
Feb 11, 2025 15:11:13.366792917 CET	54066	23	192.168.2.13	59.146.163.31
Feb 11, 2025 15:11:13.366831064 CET	43802	23	192.168.2.13	138.68.246.130
Feb 11, 2025 15:11:13.366837025 CET	53206	23	192.168.2.13	195.190.58.140
Feb 11, 2025 15:11:13.366837025 CET	36912	23	192.168.2.13	64.172.161.122
Feb 11, 2025 15:11:13.366847038 CET	50680	23	192.168.2.13	201.167.152.86
Feb 11, 2025 15:11:13.366847992 CET	55890	23	192.168.2.13	60.244.171.151
Feb 11, 2025 15:11:13.366847992 CET	45072	23	192.168.2.13	154.189.127.76
Feb 11, 2025 15:11:13.366847992 CET	56902	23	192.168.2.13	169.62.5.243
Feb 11, 2025 15:11:13.366854906 CET	44686	23	192.168.2.13	13.243.147.25
Feb 11, 2025 15:11:13.366867065 CET	33816	23	192.168.2.13	2.5.121.154
Feb 11, 2025 15:11:13.366867065 CET	49142	23	192.168.2.13	141.186.153.49
Feb 11, 2025 15:11:13.366872072 CET	37470	23	192.168.2.13	148.161.153.245
Feb 11, 2025 15:11:13.366873980 CET	55282	23	192.168.2.13	155.134.72.107
Feb 11, 2025 15:11:13.366873980 CET	33468	23	192.168.2.13	30.208.25.51
Feb 11, 2025 15:11:13.366873980 CET	46964	23	192.168.2.13	46.173.88.202
Feb 11, 2025 15:11:13.366875887 CET	52938	23	192.168.2.13	111.203.43.152
Feb 11, 2025 15:11:13.366875887 CET	33604	23	192.168.2.13	72.46.187.63
Feb 11, 2025 15:11:13.366965055 CET	52152	23	192.168.2.13	138.236.136.255
Feb 11, 2025 15:11:13.366965055 CET	46800	23	192.168.2.13	89.20.161.226
Feb 11, 2025 15:11:13.366975069 CET	37450	23	192.168.2.13	95.230.244.111
Feb 11, 2025 15:11:13.366980076 CET	52734	23	192.168.2.13	58.39.38.132
Feb 11, 2025 15:11:13.366996050 CET	57508	23	192.168.2.13	91.181.217.134
Feb 11, 2025 15:11:13.367003918 CET	43268	23	192.168.2.13	165.175.56.79
Feb 11, 2025 15:11:13.372011900 CET	23	59984	93.218.127.174	192.168.2.13
Feb 11, 2025 15:11:13.372025013 CET	23	36918	61.94.231.254	192.168.2.13
Feb 11, 2025 15:11:13.372035980 CET	23	51404	55.207.25.18	192.168.2.13
Feb 11, 2025 15:11:13.372045994 CET	23	59304	197.150.145.197	192.168.2.13
Feb 11, 2025 15:11:13.372055054 CET	59984	23	192.168.2.13	93.218.127.174
Feb 11, 2025 15:11:13.372056007 CET	23	33994	72.50.198.157	192.168.2.13
Feb 11, 2025 15:11:13.372066021 CET	23	59320	33.193.91.1	192.168.2.13
Feb 11, 2025 15:11:13.372076035 CET	23	38914	218.135.85.145	192.168.2.13
Feb 11, 2025 15:11:13.372083902 CET	36918	23	192.168.2.13	61.94.231.254
Feb 11, 2025 15:11:13.372087955 CET	23	51188	19.59.84.20	192.168.2.13
Feb 11, 2025 15:11:13.372093916 CET	51404	23	192.168.2.13	55.207.25.18
Feb 11, 2025 15:11:13.372097015 CET	33994	23	192.168.2.13	72.50.198.157
Feb 11, 2025 15:11:13.372097969 CET	59304	23	192.168.2.13	197.150.145.197
Feb 11, 2025 15:11:13.372107983 CET	23	49486	215.36.246.225	192.168.2.13
Feb 11, 2025 15:11:13.372116089 CET	59320	23	192.168.2.13	33.193.91.1
Feb 11, 2025 15:11:13.372116089 CET	38914	23	192.168.2.13	218.135.85.145
Feb 11, 2025 15:11:13.372122049 CET	23	42752	205.201.60.109	192.168.2.13
Feb 11, 2025 15:11:13.372129917 CET	51188	23	192.168.2.13	19.59.84.20
Feb 11, 2025 15:11:13.372133017 CET	23	38582	139.117.32.9	192.168.2.13
Feb 11, 2025 15:11:13.372138023 CET	23	57226	24.201.60.128	192.168.2.13
Feb 11, 2025 15:11:13.372145891 CET	49486	23	192.168.2.13	215.36.246.225
Feb 11, 2025 15:11:13.372160912 CET	42752	23	192.168.2.13	205.201.60.109
Feb 11, 2025 15:11:13.372162104 CET	38582	23	192.168.2.13	139.117.32.9
Feb 11, 2025 15:11:13.372193098 CET	57226	23	192.168.2.13	24.201.60.128
Feb 11, 2025 15:11:13.372282028 CET	23	56902	169.62.5.243	192.168.2.13
Feb 11, 2025 15:11:13.372292995 CET	23	36912	64.172.161.122	192.168.2.13
Feb 11, 2025 15:11:13.372303009 CET	23	53206	195.190.58.140	192.168.2.13
Feb 11, 2025 15:11:13.372312069 CET	23	43802	138.68.246.130	192.168.2.13
Feb 11, 2025 15:11:13.372322083 CET	23	33992	62.210.34.57	192.168.2.13
Feb 11, 2025 15:11:13.372330904 CET	23	48170	218.123.237.214	192.168.2.13
Feb 11, 2025 15:11:13.372339964 CET	23	54066	59.146.163.31	192.168.2.13
Feb 11, 2025 15:11:13.372349024 CET	23	37910	21.25.163.174	192.168.2.13
Feb 11, 2025 15:11:13.372359037 CET	23	47042	53.79.19.174	192.168.2.13
Feb 11, 2025 15:11:13.372370005 CET	23	38938	22.241.39.148	192.168.2.13
Feb 11, 2025 15:11:13.372379065 CET	23	58832	74.97.134.79	192.168.2.13
Feb 11, 2025 15:11:13.372387886 CET	23	42452	134.99.44.34	192.168.2.13
Feb 11, 2025 15:11:13.372396946 CET	23	52114	152.7.171.162	192.168.2.13
Feb 11, 2025 15:11:13.372788906 CET	23	52114	152.7.171.162	192.168.2.13
Feb 11, 2025 15:11:13.372797966 CET	23	42452	134.99.44.34	192.168.2.13
Feb 11, 2025 15:11:13.372813940 CET	23	58832	74.97.134.79	192.168.2.13
Feb 11, 2025 15:11:13.372831106 CET	52114	23	192.168.2.13	152.7.171.162
Feb 11, 2025 15:11:13.372852087 CET	23	38938	22.241.39.148	192.168.2.13
Feb 11, 2025 15:11:13.372864962 CET	23	47042	53.79.19.174	192.168.2.13
Feb 11, 2025 15:11:13.372868061 CET	58832	23	192.168.2.13	74.97.134.79
Feb 11, 2025 15:11:13.372870922 CET	42452	23	192.168.2.13	134.99.44.34
Feb 11, 2025 15:11:13.372874022 CET	23	37910	21.25.163.174	192.168.2.13
Feb 11, 2025 15:11:13.372889042 CET	38938	23	192.168.2.13	22.241.39.148
Feb 11, 2025 15:11:13.372900009 CET	23	54066	59.146.163.31	192.168.2.13
Feb 11, 2025 15:11:13.372909069 CET	23	48170	218.123.237.214	192.168.2.13
Feb 11, 2025 15:11:13.372917891 CET	23	33992	62.210.34.57	192.168.2.13
Feb 11, 2025 15:11:13.372920036 CET	37910	23	192.168.2.13	21.25.163.174
Feb 11, 2025 15:11:13.372929096 CET	23	43802	138.68.246.130	192.168.2.13
Feb 11, 2025 15:11:13.372935057 CET	47042	23	192.168.2.13	53.79.19.174
Feb 11, 2025 15:11:13.372936964 CET	48170	23	192.168.2.13	218.123.237.214
Feb 11, 2025 15:11:13.372939110 CET	54066	23	192.168.2.13	59.146.163.31
Feb 11, 2025 15:11:13.372939110 CET	23	53206	195.190.58.140	192.168.2.13
Feb 11, 2025 15:11:13.372953892 CET	43802	23	192.168.2.13	138.68.246.130
Feb 11, 2025 15:11:13.372972965 CET	33992	23	192.168.2.13	62.210.34.57
Feb 11, 2025 15:11:13.372980118 CET	53206	23	192.168.2.13	195.190.58.140
Feb 11, 2025 15:11:13.372994900 CET	23	36912	64.172.161.122	192.168.2.13
Feb 11, 2025 15:11:13.373004913 CET	23	56902	169.62.5.243	192.168.2.13
Feb 11, 2025 15:11:13.373018026 CET	23	50680	201.167.152.86	192.168.2.13
Feb 11, 2025 15:11:13.373025894 CET	36912	23	192.168.2.13	64.172.161.122
Feb 11, 2025 15:11:13.373028040 CET	23	55890	60.244.171.151	192.168.2.13
Feb 11, 2025 15:11:13.373039007 CET	23	45072	154.189.127.76	192.168.2.13
Feb 11, 2025 15:11:13.373044968 CET	56902	23	192.168.2.13	169.62.5.243
Feb 11, 2025 15:11:13.373049974 CET	23	44686	13.243.147.25	192.168.2.13
Feb 11, 2025 15:11:13.373060942 CET	50680	23	192.168.2.13	201.167.152.86
Feb 11, 2025 15:11:13.373080015 CET	55890	23	192.168.2.13	60.244.171.151
Feb 11, 2025 15:11:13.373080969 CET	45072	23	192.168.2.13	154.189.127.76
Feb 11, 2025 15:11:13.373090029 CET	44686	23	192.168.2.13	13.243.147.25
Feb 11, 2025 15:11:13.373090982 CET	23	33816	2.5.121.154	192.168.2.13
Feb 11, 2025 15:11:13.373101950 CET	23	37470	148.161.153.245	192.168.2.13
Feb 11, 2025 15:11:13.373111963 CET	23	49142	141.186.153.49	192.168.2.13
Feb 11, 2025 15:11:13.373121977 CET	23	52938	111.203.43.152	192.168.2.13
Feb 11, 2025 15:11:13.373132944 CET	23	33604	72.46.187.63	192.168.2.13
Feb 11, 2025 15:11:13.373136044 CET	37470	23	192.168.2.13	148.161.153.245
Feb 11, 2025 15:11:13.373136044 CET	33816	23	192.168.2.13	2.5.121.154
Feb 11, 2025 15:11:13.373142004 CET	23	55282	155.134.72.107	192.168.2.13
Feb 11, 2025 15:11:13.373152971 CET	23	33468	30.208.25.51	192.168.2.13
Feb 11, 2025 15:11:13.373158932 CET	49142	23	192.168.2.13	141.186.153.49
Feb 11, 2025 15:11:13.373169899 CET	33604	23	192.168.2.13	72.46.187.63
Feb 11, 2025 15:11:13.373169899 CET	52938	23	192.168.2.13	111.203.43.152
Feb 11, 2025 15:11:13.373169899 CET	23	46964	46.173.88.202	192.168.2.13
Feb 11, 2025 15:11:13.373174906 CET	55282	23	192.168.2.13	155.134.72.107
Feb 11, 2025 15:11:13.373181105 CET	23	52152	138.236.136.255	192.168.2.13
Feb 11, 2025 15:11:13.373192072 CET	23	46800	89.20.161.226	192.168.2.13
Feb 11, 2025 15:11:13.373193979 CET	33468	23	192.168.2.13	30.208.25.51
Feb 11, 2025 15:11:13.373200893 CET	23	37450	95.230.244.111	192.168.2.13
Feb 11, 2025 15:11:13.373212099 CET	23	52734	58.39.38.132	192.168.2.13
Feb 11, 2025 15:11:13.373219013 CET	46800	23	192.168.2.13	89.20.161.226
Feb 11, 2025 15:11:13.373220921 CET	23	57508	91.181.217.134	192.168.2.13
Feb 11, 2025 15:11:13.373220921 CET	52152	23	192.168.2.13	138.236.136.255
Feb 11, 2025 15:11:13.373231888 CET	23	43268	165.175.56.79	192.168.2.13
Feb 11, 2025 15:11:13.373236895 CET	52734	23	192.168.2.13	58.39.38.132
Feb 11, 2025 15:11:13.373241901 CET	37450	23	192.168.2.13	95.230.244.111
Feb 11, 2025 15:11:13.373243093 CET	46964	23	192.168.2.13	46.173.88.202
Feb 11, 2025 15:11:13.373250008 CET	57508	23	192.168.2.13	91.181.217.134
Feb 11, 2025 15:11:13.373272896 CET	43268	23	192.168.2.13	165.175.56.79
Feb 11, 2025 15:11:14.297986984 CET	43496	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:14.302828074 CET	34411	43496	185.93.89.106	192.168.2.13
Feb 11, 2025 15:11:14.302906990 CET	43496	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:14.304601908 CET	43496	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:14.309377909 CET	34411	43496	185.93.89.106	192.168.2.13
Feb 11, 2025 15:11:14.309422016 CET	43496	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:14.314254045 CET	34411	43496	185.93.89.106	192.168.2.13
Feb 11, 2025 15:11:14.914602995 CET	34411	43496	185.93.89.106	192.168.2.13
Feb 11, 2025 15:11:14.914715052 CET	43496	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:14.914715052 CET	43496	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:15.934293985 CET	43498	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:15.939096928 CET	34411	43498	185.93.89.106	192.168.2.13
Feb 11, 2025 15:11:15.939354897 CET	43498	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:15.940205097 CET	43498	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:15.944977999 CET	34411	43498	185.93.89.106	192.168.2.13
Feb 11, 2025 15:11:15.945045948 CET	43498	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:15.949819088 CET	34411	43498	185.93.89.106	192.168.2.13
Feb 11, 2025 15:11:16.550441027 CET	34411	43498	185.93.89.106	192.168.2.13
Feb 11, 2025 15:11:16.550508022 CET	43498	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:16.550556898 CET	43498	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:17.564155102 CET	43500	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:17.571635008 CET	34411	43500	185.93.89.106	192.168.2.13
Feb 11, 2025 15:11:17.571718931 CET	43500	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:17.581090927 CET	43500	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:17.588696003 CET	34411	43500	185.93.89.106	192.168.2.13
Feb 11, 2025 15:11:17.588860035 CET	43500	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:17.593764067 CET	34411	43500	185.93.89.106	192.168.2.13
Feb 11, 2025 15:11:18.196783066 CET	34411	43500	185.93.89.106	192.168.2.13
Feb 11, 2025 15:11:18.196830034 CET	43500	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:18.196890116 CET	43500	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:19.209052086 CET	43502	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:19.213874102 CET	34411	43502	185.93.89.106	192.168.2.13
Feb 11, 2025 15:11:19.213957071 CET	43502	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:19.215509892 CET	43502	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:19.220314026 CET	34411	43502	185.93.89.106	192.168.2.13
Feb 11, 2025 15:11:19.220367908 CET	43502	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:19.225143909 CET	34411	43502	185.93.89.106	192.168.2.13
Feb 11, 2025 15:11:19.852971077 CET	34411	43502	185.93.89.106	192.168.2.13
Feb 11, 2025 15:11:19.853053093 CET	43502	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:19.853091002 CET	43502	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:20.864964962 CET	43504	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:20.869764090 CET	34411	43504	185.93.89.106	192.168.2.13
Feb 11, 2025 15:11:20.869851112 CET	43504	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:20.871782064 CET	43504	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:20.876615047 CET	34411	43504	185.93.89.106	192.168.2.13
Feb 11, 2025 15:11:20.876677036 CET	43504	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:20.881444931 CET	34411	43504	185.93.89.106	192.168.2.13
Feb 11, 2025 15:11:21.491362095 CET	34411	43504	185.93.89.106	192.168.2.13
Feb 11, 2025 15:11:21.491453886 CET	43504	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:21.491499901 CET	43504	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:22.499877930 CET	43506	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:22.504797935 CET	34411	43506	185.93.89.106	192.168.2.13
Feb 11, 2025 15:11:22.504914045 CET	43506	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:22.505577087 CET	43506	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:22.510344982 CET	34411	43506	185.93.89.106	192.168.2.13
Feb 11, 2025 15:11:22.510407925 CET	43506	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:22.515173912 CET	34411	43506	185.93.89.106	192.168.2.13
Feb 11, 2025 15:11:23.125821114 CET	34411	43506	185.93.89.106	192.168.2.13
Feb 11, 2025 15:11:23.125873089 CET	43506	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:23.125924110 CET	43506	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:24.141149998 CET	43508	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:24.149225950 CET	34411	43508	185.93.89.106	192.168.2.13
Feb 11, 2025 15:11:24.149292946 CET	43508	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:24.150146961 CET	43508	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:24.156832933 CET	34411	43508	185.93.89.106	192.168.2.13
Feb 11, 2025 15:11:24.156873941 CET	43508	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:24.164083958 CET	34411	43508	185.93.89.106	192.168.2.13
Feb 11, 2025 15:11:34.158360958 CET	43508	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:11:34.163106918 CET	34411	43508	185.93.89.106	192.168.2.13
Feb 11, 2025 15:11:34.331212997 CET	34411	43508	185.93.89.106	192.168.2.13
Feb 11, 2025 15:11:34.331276894 CET	43508	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:12:34.378309965 CET	43508	34411	192.168.2.13	185.93.89.106
Feb 11, 2025 15:12:34.388137102 CET	34411	43508	185.93.89.106	192.168.2.13
Feb 11, 2025 15:12:34.556016922 CET	34411	43508	185.93.89.106	192.168.2.13
Feb 11, 2025 15:12:34.556133986 CET	43508	34411	192.168.2.13	185.93.89.106

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 11, 2025 15:11:12.644339085 CET	48311	53	192.168.2.13	8.8.8.8
Feb 11, 2025 15:11:12.662811995 CET	53	48311	8.8.8.8	192.168.2.13
Feb 11, 2025 15:11:14.286832094 CET	46610	53	192.168.2.13	8.8.8.8
Feb 11, 2025 15:11:14.297332048 CET	53	46610	8.8.8.8	192.168.2.13
Feb 11, 2025 15:11:15.924376965 CET	42831	53	192.168.2.13	8.8.8.8
Feb 11, 2025 15:11:15.933871031 CET	53	42831	8.8.8.8	192.168.2.13
Feb 11, 2025 15:11:17.553406954 CET	33632	53	192.168.2.13	8.8.8.8
Feb 11, 2025 15:11:17.562868118 CET	53	33632	8.8.8.8	192.168.2.13
Feb 11, 2025 15:11:19.201930046 CET	59726	53	192.168.2.13	8.8.8.8
Feb 11, 2025 15:11:19.208195925 CET	53	59726	8.8.8.8	192.168.2.13
Feb 11, 2025 15:11:20.857382059 CET	33633	53	192.168.2.13	8.8.8.8
Feb 11, 2025 15:11:20.863992929 CET	53	33633	8.8.8.8	192.168.2.13
Feb 11, 2025 15:11:22.493176937 CET	32816	53	192.168.2.13	8.8.8.8
Feb 11, 2025 15:11:22.499497890 CET	53	32816	8.8.8.8	192.168.2.13
Feb 11, 2025 15:11:24.127803087 CET	57082	53	192.168.2.13	8.8.8.8
Feb 11, 2025 15:11:24.140628099 CET	53	57082	8.8.8.8	192.168.2.13

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 11, 2025 15:11:12.644339085 CET	192.168.2.13	8.8.8.8	0xfd92	Standard query (0)	gokittler.ru	A (IP address)	IN (0x0001)	false
Feb 11, 2025 15:11:14.286832094 CET	192.168.2.13	8.8.8.8	0xa005	Standard query (0)	mykittler.ru	A (IP address)	IN (0x0001)	false
Feb 11, 2025 15:11:15.924376965 CET	192.168.2.13	8.8.8.8	0x26f6	Standard query (0)	thekittler.ru	A (IP address)	IN (0x0001)	false
Feb 11, 2025 15:11:17.553406954 CET	192.168.2.13	8.8.8.8	0x55ed	Standard query (0)	mykittler.ru. [malformed]	256	389	false
Feb 11, 2025 15:11:19.201930046 CET	192.168.2.13	8.8.8.8	0xe8a6	Standard query (0)	qittler.ru. [malformed]	256	391	false
Feb 11, 2025 15:11:20.857382059 CET	192.168.2.13	8.8.8.8	0x87e2	Standard query (0)	cat-are-here.ru. [malformed]	256	392	false
Feb 11, 2025 15:11:22.493176937 CET	192.168.2.13	8.8.8.8	0x3da0	Standard query (0)	qittler.ru. [malformed]	256	394	false
Feb 11, 2025 15:11:24.127803087 CET	192.168.2.13	8.8.8.8	0xe3e4	Standard query (0)	mykittler.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Feb 11, 2025 15:11:12.662811995 CET	8.8.8.8	192.168.2.13	0xfd92	No error (0)	gokittler.ru	185.93.89.106	A (IP address)	IN (0x0001)	false
Feb 11, 2025 15:11:14.297332048 CET	8.8.8.8	192.168.2.13	0xa005	No error (0)	mykittler.ru	185.93.89.106	A (IP address)	IN (0x0001)	false
Feb 11, 2025 15:11:15.933871031 CET	8.8.8.8	192.168.2.13	0x26f6	No error (0)	thekittler.ru	185.93.89.106	A (IP address)	IN (0x0001)	false
Feb 11, 2025 15:11:24.140628099 CET	8.8.8.8	192.168.2.13	0xe3e4	No error (0)	mykittler.ru	185.93.89.106	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: arm7.elf PID: 5446, Parent PID: 5369

General

Start time (UTC):	14:11:10
Start date (UTC):	11/02/2025
Path:	/tmp/arm7.elf
Arguments:	/tmp/arm7.elf
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm7.elf PID: 5449, Parent PID: 5446

General

Start time (UTC):	14:11:10
Start date (UTC):	11/02/2025
Path:	/tmp/arm7.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm7.elf PID: 5451, Parent PID: 5449

General

Start time (UTC):	14:11:10
Start date (UTC):	11/02/2025
Path:	/tmp/arm7.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm7.elf PID: 5453, Parent PID: 5449

General

Start time (UTC):	14:11:11
Start date (UTC):	11/02/2025
Path:	/tmp/arm7.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm7.elf PID: 5455, Parent PID: 5449

General

Start time (UTC):	14:11:11
Start date (UTC):	11/02/2025
Path:	/tmp/arm7.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: gnome-session-binary PID: 5458, Parent PID: 1588

General

Start time (UTC):	14:11:12
Start date (UTC):	11/02/2025
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: gdm3 PID: 5477, Parent PID: 1400

General

Start time (UTC):	14:11:12
Start date (UTC):	11/02/2025
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Chronological Activities

Analysis Process: Default PID: 5477, Parent PID: 1400

General

Start time (UTC):	14:11:12
Start date (UTC):	11/02/2025
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: xfce4-session PID: 5480, Parent PID: 2984

General

Start time (UTC):	14:11:12
Start date (UTC):	11/02/2025
Path:	/usr/bin/xfce4-session
Arguments:	-
File size:	264752 bytes
MD5 hash:	648919f03ad356720c8c27f5aaaf75d1

Chronological Activities

Analysis Process: gdm3 PID: 5484, Parent PID: 1400

General

Start time (UTC):	14:11:12
Start date (UTC):	11/02/2025
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Chronological Activities

Analysis Process: Default PID: 5484, Parent PID: 1400

General

Start time (UTC):	14:11:12
Start date (UTC):	11/02/2025
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: xfce4-session PID: 5485, Parent PID: 2984

General

Start time (UTC):	14:11:12
Start date (UTC):	11/02/2025
Path:	/usr/bin/xfce4-session
Arguments:	-
File size:	264752 bytes
MD5 hash:	648919f03ad356720c8c27f5aaaf75d1

Chronological Activities

Analysis Process: xfce4-session PID: 5486, Parent PID: 2984

General

Start time (UTC):	14:11:12
Start date (UTC):	11/02/2025
Path:	/usr/bin/xfce4-session
Arguments:	-
File size:	264752 bytes
MD5 hash:	648919f03ad356720c8c27f5aaaf75d1

Chronological Activities

Analysis Process: xfce4-session PID: 5487, Parent PID: 2984

General

Start time (UTC):	14:11:12
Start date (UTC):	11/02/2025
Path:	/usr/bin/xfce4-session
Arguments:	-
File size:	264752 bytes
MD5 hash:	648919f03ad356720c8c27f5aaaf75d1

Chronological Activities

Analysis Process: xfdesktop PID: 5487, Parent PID: 2984

General

Start time (UTC):	14:11:12
Start date (UTC):	11/02/2025
Path:	/usr/bin/xfdesktop
Arguments:	xfdesktop --display :1.0 --sm-client-id 260d40b3c-9c6a-4cb1-bbe4-3557725aa528
File size:	473520 bytes
MD5 hash:	dfb13e1581f80065dcea16f2476f16f2

Chronological Activities

Analysis Process: xfce4-session PID: 5489, Parent PID: 2984

General

Start time (UTC):	14:11:12
Start date (UTC):	11/02/2025
Path:	/usr/bin/xfce4-session
Arguments:	-
File size:	264752 bytes
MD5 hash:	648919f03ad356720c8c27f5aaaf75d1

Chronological Activities

Analysis Process: xfce4-panel PID: 5489, Parent PID: 2984

General

Start time (UTC):	14:11:12
Start date (UTC):	11/02/2025
Path:	/usr/bin/xfce4-panel
Arguments:	xfce4-panel --display :1.0 --sm-client-id 2d6b1caf2-8023-452b-bd0d-d23295482740
File size:	375768 bytes
MD5 hash:	a15b657c7d54ac1385f1f15004ea6784

Chronological Activities

Analysis Process: xfce4-session PID: 5491, Parent PID: 2984

General

Start time (UTC):	14:11:12
Start date (UTC):	11/02/2025
Path:	/usr/bin/xfce4-session
Arguments:	-
File size:	264752 bytes
MD5 hash:	648919f03ad356720c8c27f5aaaf75d1

Chronological Activities

Analysis Process: xfce4-session PID: 5492, Parent PID: 2984

General

Start time (UTC):	14:11:13
Start date (UTC):	11/02/2025
Path:	/usr/bin/xfce4-session
Arguments:	-
File size:	264752 bytes
MD5 hash:	648919f03ad356720c8c27f5aaaf75d1

Chronological Activities

Analysis Process: xfce4-session PID: 5493, Parent PID: 2984

General

Start time (UTC):	14:11:13
Start date (UTC):	11/02/2025
Path:	/usr/bin/xfce4-session
Arguments:	-
File size:	264752 bytes
MD5 hash:	648919f03ad356720c8c27f5aaaf75d1

Chronological Activities

Analysis Process: xfdesktop PID: 5493, Parent PID: 2984

General

Start time (UTC):	14:11:13
Start date (UTC):	11/02/2025
Path:	/usr/bin/xfdesktop
Arguments:	xfdesktop --display :1.0 --sm-client-id 260d40b3c-9c6a-4cb1-bbe4-3557725aa528
File size:	473520 bytes
MD5 hash:	dfb13e1581f80065dcea16f2476f16f2

Chronological Activities

Analysis Process: xfce4-session PID: 5495, Parent PID: 2984

General

Start time (UTC):	14:11:13
Start date (UTC):	11/02/2025
Path:	/usr/bin/xfce4-session
Arguments:	-
File size:	264752 bytes
MD5 hash:	648919f03ad356720c8c27f5aaaf75d1

Chronological Activities

Analysis Process: xfce4-panel PID: 5495, Parent PID: 2984

General

Start time (UTC):	14:11:13
Start date (UTC):	11/02/2025
Path:	/usr/bin/xfce4-panel
Arguments:	xfce4-panel --display :1.0 --sm-client-id 2d6b1caf2-8023-452b-bd0d-d23295482740
File size:	375768 bytes
MD5 hash:	a15b657c7d54ac1385f1f15004ea6784

Chronological Activities

Analysis Process: xfce4-session PID: 5497, Parent PID: 2984

General

Start time (UTC):	14:11:13
Start date (UTC):	11/02/2025
Path:	/usr/bin/xfce4-session
Arguments:	-
File size:	264752 bytes
MD5 hash:	648919f03ad356720c8c27f5aaaf75d1

Chronological Activities

Analysis Process: xfwm4 PID: 5497, Parent PID: 2984

General

Start time (UTC):	14:11:13
Start date (UTC):	11/02/2025
Path:	/usr/bin/xfwm4
Arguments:	xfwm4 --display :1.0 --sm-client-id 27575c7dd-2dac-48f0-9f3a-eff67ec043e5
File size:	420424 bytes
MD5 hash:	59defa3c00cc30d85ed77b738d55e9da

Chronological Activities

Analysis Process: xfce4-session PID: 5499, Parent PID: 2984

General

Start time (UTC):	14:11:13
Start date (UTC):	11/02/2025
Path:	/usr/bin/xfce4-session
Arguments:	-
File size:	264752 bytes
MD5 hash:	648919f03ad356720c8c27f5aaaf75d1

Chronological Activities

Analysis Process: xfdesktop PID: 5499, Parent PID: 2984

General

Start time (UTC):	14:11:13
Start date (UTC):	11/02/2025
Path:	/usr/bin/xfdesktop
Arguments:	xfdesktop --display :1.0 --sm-client-id 260d40b3c-9c6a-4cb1-bbe4-3557725aa528
File size:	473520 bytes
MD5 hash:	dfb13e1581f80065dcea16f2476f16f2

Chronological Activities

Analysis Process: systemd PID: 5510, Parent PID: 1

General

Start time (UTC):	14:11:22
Start date (UTC):	11/02/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: systemd-user-runtime-dir PID: 5510, Parent PID: 1

General

Start time (UTC):	14:11:22
Start date (UTC):	11/02/2025
Path:	/lib/systemd/systemd-user-runtime-dir
Arguments:	/lib/systemd/systemd-user-runtime-dir stop 127
File size:	22672 bytes
MD5 hash:	d55f4b0847f88131dbcfb07435178e54

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.
Tactics:	Impact
Data Sources:	Command: Command Execution, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Termination, Service: Service Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report arm7.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: arm7.elf PID: 5446, Parent PID: 5369

General

Chronological Activities

Analysis Process: arm7.elf PID: 5449, Parent PID: 5446

General

Chronological Activities

Analysis Process: arm7.elf PID: 5451, Parent PID: 5449

General

Chronological Activities

Analysis Process: arm7.elf PID: 5453, Parent PID: 5449

General

Chronological Activities

Analysis Process: arm7.elf PID: 5455, Parent PID: 5449

General

Chronological Activities

Analysis Process: gnome-session-binary PID: 5458, Parent PID: 1588

General

Chronological Activities

Analysis Process: gdm3 PID: 5477, Parent PID: 1400

General

Linux Analysis Report
arm7.elf