Edit tour

Linux Analysis Report
zermpsl.elf

Overview

General Information

Sample name:	zermpsl.elf
Analysis ID:	1543157
MD5:	bc43b54f3a613f4d9a1be402422d434f
SHA1:	4d01e06d9e8700ac47797c66d25ef2ca8fd75540
SHA256:	f8e78991ffd812193a92596ef05f3e6fef3995f6099b7c66e091bb7735f81ae4
Tags:	elfMiraiuser-abuse_ch
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Connects to many ports of the same IP (likely port scanning)

Sends malformed DNS queries

Detected TCP or UDP traffic on non-standard ports

Sample has stripped symbol table

Sample listens on a socket

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543157
Start date and time:	2024-10-27 10:00:44 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	zermpsl.elf
Detection:	MAL
Classification:	mal56.troj.linELF@0/0@18/0

Warnings

VT rate limit hit for: zermpsl.elf

Runtime Messages

Command:	/tmp/zermpsl.elf
PID:	6266
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	The Peoples Bank of China.
Standard Error:

Process Tree

system is lnxubuntu20

zermpsl.elf (PID: 6266, Parent: 6191, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/zermpsl.elf

zermpsl.elf New Fork (PID: 6268, Parent: 6266)

zermpsl.elf New Fork (PID: 6270, Parent: 6268)

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: zermpsl.elf

ReversingLabs: Detection: 44%

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 185.150.24.67 ports 38241,1,2,3,4,8
Source: global traffic	TCP traffic: 45.156.86.24 ports 38241,1,2,3,4,8

Sends malformed DNS queries

Source: global traffic	DNS traffic detected: malformed DNS query: netfags.geek. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: chinklabs.dyn. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: burnthe.libre. [malformed]

Source: global traffic	TCP traffic: 192.168.2.23:49450 -> 45.156.86.24:38241
Source: global traffic	TCP traffic: 192.168.2.23:55106 -> 185.150.24.67:38241

Source: /tmp/zermpsl.elf (PID: 6266)

Socket: 127.0.0.1:39148

Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443

Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72

Source: global traffic	DNS traffic detected: DNS query: burnthe.libre
Source: global traffic	DNS traffic detected: DNS query: chinklabs.dyn
Source: global traffic	DNS traffic detected: DNS query: netfags.geek. [malformed]
Source: global traffic	DNS traffic detected: DNS query: yellowchink.pirate
Source: global traffic	DNS traffic detected: DNS query: chinklabs.dyn. [malformed]
Source: global traffic	DNS traffic detected: DNS query: burnthe.libre. [malformed]

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal56.troj.linELF@0/0@18/0

Source: /tmp/zermpsl.elf (PID: 6266)

Queries kernel information via 'uname':

Jump to behavior

Source: zermpsl.elf, 6266.1.000055bd0eb1d000.000055bd0eba4000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mipsel
Source: zermpsl.elf, 6266.1.00007ffde1568000.00007ffde1589000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/zermpsl.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/zermpsl.elf
Source: zermpsl.elf, 6266.1.000055bd0eb1d000.000055bd0eba4000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/mipsel
Source: zermpsl.elf, 6266.1.00007ffde1568000.00007ffde1589000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsel

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
zermpsl.elf	45%	ReversingLabs	Linux.Backdoor.Mirai

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
yellowchink.pirate	45.156.86.24	true	true	unknown
chinklabs.dyn	185.150.24.67	true	true	unknown
burnthe.libre	45.156.86.24	true	true	unknown
chinklabs.dyn. [malformed]	unknown	unknown	true	unknown
netfags.geek. [malformed]	unknown	unknown	true	unknown
burnthe.libre. [malformed]	unknown	unknown	true	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
185.150.24.67	chinklabs.dyn	Netherlands	44592	SKYLINKNL	true
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
45.156.86.24	yellowchink.pirate	Germany	44592	SKYLINKNL	true
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
185.150.24.67	zerspc.elf	Get hash	malicious	Unknown	Browse
	zerarm5.elf	Get hash	malicious	Unknown	Browse
	zermips.elf	Get hash	malicious	Unknown	Browse
	zersh4.elf	Get hash	malicious	Unknown	Browse
	zerppc.elf	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	https://search-dl3.com/staticpr/12.zip	Get hash	malicious	Unknown	Browse
91.189.91.43	zerarm.elf	Get hash	malicious	Unknown	Browse
	zerarm6.elf	Get hash	malicious	Unknown	Browse
	nabarm6.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	arm.elf	Get hash	malicious	Unknown	Browse
	boatnet.arc.elf	Get hash	malicious	Mirai	Browse
	x86.elf	Get hash	malicious	Mirai	Browse
	boatnet.mpsl.elf	Get hash	malicious	Mirai	Browse
	oovw68w2UV.elf	Get hash	malicious	BlackBasta	Browse
	sshd.elf	Get hash	malicious	Unknown	Browse
45.156.86.24	nabarm7.elf	Get hash	malicious	Unknown	Browse
	zerspc.elf	Get hash	malicious	Unknown	Browse
	nabm68k.elf	Get hash	malicious	Unknown	Browse
	zerarm.elf	Get hash	malicious	Unknown	Browse
	zerarm5.elf	Get hash	malicious	Unknown	Browse
	nabspc.elf	Get hash	malicious	Unknown	Browse
	zerx86.elf	Get hash	malicious	Unknown	Browse
	nabppc.elf	Get hash	malicious	Unknown	Browse
	nabmips.elf	Get hash	malicious	Unknown	Browse
	zermips.elf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
burnthe.libre	zerspc.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	nklsh4.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	nklm68k.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	nabmips.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	zermips.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
yellowchink.pirate	nabm68k.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	nklx86.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	zerarm5.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	nabspc.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	zerx86.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
chinklabs.dyn	nklx86.elf	Get hash	malicious	Unknown	Browse	185.150.24.67
chinklabs.dyn	zerarm5.elf	Get hash	malicious	Unknown	Browse	185.150.24.67

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	zerarm.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	zerarm6.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	nabarm6.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	mips.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	arm.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	nklarm6.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	boatnet.arc.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	x86.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	boatnet.mpsl.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	oovw68w2UV.elf	Get hash	malicious	BlackBasta	Browse	91.189.91.42
CANONICAL-ASGB	zerarm.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	zerarm6.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	nabarm6.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	mips.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	arm.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	nklarm6.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	boatnet.arc.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	x86.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	boatnet.mpsl.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	oovw68w2UV.elf	Get hash	malicious	BlackBasta	Browse	91.189.91.42
SKYLINKNL	nabarm7.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	zerspc.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	nabm68k.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	zerarm.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	zerarm5.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	nabspc.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	zerx86.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	nabppc.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	nabmips.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	zermips.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
INIT7CH	zerarm.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	zerarm6.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	nabarm6.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	mips.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	mpsl.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	arm.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	nklarm6.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	boatnet.arc.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	x86.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	boatnet.mpsl.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
SKYLINKNL	zerspc.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	nabm68k.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	zerarm.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	zerarm5.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	nabspc.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	zerx86.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	nabppc.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	nabmips.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	zermips.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	nabarm.elf	Get hash	malicious	Unknown	Browse	45.156.86.24

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.456249498092866
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	zermpsl.elf
File size:	63'512 bytes
MD5:	bc43b54f3a613f4d9a1be402422d434f
SHA1:	4d01e06d9e8700ac47797c66d25ef2ca8fd75540
SHA256:	f8e78991ffd812193a92596ef05f3e6fef3995f6099b7c66e091bb7735f81ae4
SHA512:	a9a046ec4313031d3fc4aad83c069caf3f379a1385608a04d1281041f77a4bcacc8ebff07e2a3be8408285ffa61c8df9124b063467fc2b9fe8dac556f8819e55
SSDEEP:	1536:71rSLVyZZ/ueec/x7BPaeR8hKuUtFkHiMwhn:71uLVy9ueB6jChn
TLSH:	6153B41ABF210FB7EC5BCC3745B95B0525CCA90B21A53B396D34E91CF21B25B19E3864
File Content Preview:	.ELF....................`.@.4...........4. ...(...............@...@.@...@.....................D...D.T...............Q.td...............................<.q.'!......'.......................<.p.'!... .........9'.. ........................<.p.'!.............9

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x400260
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	62912
Section Header Size:	40
Number of Section Headers:	15
Header String Table Index:	14

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x8c	0x0	0x6	AX	4
.text	PROGBITS	0x400120	0x120	0xe340	0x0	0x6	AX	16
.fini	PROGBITS	0x40e460	0xe460	0x5c	0x0	0x6	AX	4
.rodata	PROGBITS	0x40e4c0	0xe4c0	0x980	0x0	0x2	A	16
.ctors	PROGBITS	0x44f000	0xf000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x44f008	0xf008	0x8	0x0	0x3	WA	4
.jcr	PROGBITS	0x44f010	0xf010	0x4	0x0	0x3	WA	4
.data.rel.ro	PROGBITS	0x44f014	0xf014	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x44f020	0xf020	0x190	0x0	0x3	WA	16
.got	PROGBITS	0x44f1b0	0xf1b0	0x3a4	0x4	0x10000003	WAp	16
.sbss	NOBITS	0x44f554	0xf554	0x18	0x0	0x10000003	WAp	4
.bss	NOBITS	0x44f570	0xf554	0x198	0x0	0x3	WA	16
.mdebug.abi32	PROGBITS	0x71a	0xf554	0x0	0x0	0x0		1
.shstrtab	STRTAB	0x0	0xf554	0x69	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0xee40	0xee40	5.5204	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0xf000	0x44f000	0x44f000	0x554	0x708	3.2181	0x6	RW	0x10000	.ctors .dtors .jcr .data.rel.ro .data .got .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2024 10:01:46.955152988 CET	42516	80	192.168.2.23	109.202.202.202
Oct 27, 2024 10:01:48.283499956 CET	49450	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:01:48.288837910 CET	38241	49450	45.156.86.24	192.168.2.23
Oct 27, 2024 10:01:48.288921118 CET	49450	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:01:48.290848017 CET	49450	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:01:48.296494961 CET	38241	49450	45.156.86.24	192.168.2.23
Oct 27, 2024 10:01:48.296621084 CET	49450	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:01:48.302083015 CET	38241	49450	45.156.86.24	192.168.2.23
Oct 27, 2024 10:01:49.258872032 CET	43928	443	192.168.2.23	91.189.91.42
Oct 27, 2024 10:01:54.634175062 CET	42836	443	192.168.2.23	91.189.91.43
Oct 27, 2024 10:01:58.298058033 CET	49450	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:01:58.303558111 CET	38241	49450	45.156.86.24	192.168.2.23
Oct 27, 2024 10:01:58.662851095 CET	38241	49450	45.156.86.24	192.168.2.23
Oct 27, 2024 10:01:58.663611889 CET	49450	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:01:58.669009924 CET	38241	49450	45.156.86.24	192.168.2.23
Oct 27, 2024 10:01:59.678812027 CET	55106	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:01:59.684348106 CET	38241	55106	185.150.24.67	192.168.2.23
Oct 27, 2024 10:01:59.684487104 CET	55106	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:01:59.685535908 CET	55106	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:01:59.690917969 CET	38241	55106	185.150.24.67	192.168.2.23
Oct 27, 2024 10:01:59.690994978 CET	55106	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:01:59.696378946 CET	38241	55106	185.150.24.67	192.168.2.23
Oct 27, 2024 10:02:00.300753117 CET	38241	55106	185.150.24.67	192.168.2.23
Oct 27, 2024 10:02:00.301003933 CET	55106	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:02:00.306498051 CET	38241	55106	185.150.24.67	192.168.2.23
Oct 27, 2024 10:02:01.465740919 CET	55108	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:02:01.471210003 CET	38241	55108	185.150.24.67	192.168.2.23
Oct 27, 2024 10:02:01.471391916 CET	55108	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:02:01.472726107 CET	55108	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:02:01.478116989 CET	38241	55108	185.150.24.67	192.168.2.23
Oct 27, 2024 10:02:01.478198051 CET	55108	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:02:01.484342098 CET	38241	55108	185.150.24.67	192.168.2.23
Oct 27, 2024 10:02:02.083941936 CET	38241	55108	185.150.24.67	192.168.2.23
Oct 27, 2024 10:02:02.084341049 CET	55108	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:02:02.089831114 CET	38241	55108	185.150.24.67	192.168.2.23
Oct 27, 2024 10:02:03.177994967 CET	55110	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:02:03.183509111 CET	38241	55110	185.150.24.67	192.168.2.23
Oct 27, 2024 10:02:03.183634996 CET	55110	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:02:03.184684992 CET	55110	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:02:03.190154076 CET	38241	55110	185.150.24.67	192.168.2.23
Oct 27, 2024 10:02:03.190247059 CET	55110	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:02:03.195877075 CET	38241	55110	185.150.24.67	192.168.2.23
Oct 27, 2024 10:02:04.820286989 CET	38241	55110	185.150.24.67	192.168.2.23
Oct 27, 2024 10:02:04.820688009 CET	55110	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:02:04.826210976 CET	38241	55110	185.150.24.67	192.168.2.23
Oct 27, 2024 10:02:05.853353977 CET	55112	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:02:05.858890057 CET	38241	55112	185.150.24.67	192.168.2.23
Oct 27, 2024 10:02:05.859009027 CET	55112	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:02:05.860275030 CET	55112	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:02:05.865639925 CET	38241	55112	185.150.24.67	192.168.2.23
Oct 27, 2024 10:02:05.865717888 CET	55112	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:02:05.871191025 CET	38241	55112	185.150.24.67	192.168.2.23
Oct 27, 2024 10:02:06.469460964 CET	38241	55112	185.150.24.67	192.168.2.23
Oct 27, 2024 10:02:06.470124006 CET	55112	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:02:06.475613117 CET	38241	55112	185.150.24.67	192.168.2.23
Oct 27, 2024 10:02:07.569681883 CET	55114	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:02:07.575227976 CET	38241	55114	185.150.24.67	192.168.2.23
Oct 27, 2024 10:02:07.575367928 CET	55114	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:02:07.576239109 CET	55114	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:02:07.581556082 CET	38241	55114	185.150.24.67	192.168.2.23
Oct 27, 2024 10:02:07.581656933 CET	55114	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:02:07.587042093 CET	38241	55114	185.150.24.67	192.168.2.23
Oct 27, 2024 10:02:08.182863951 CET	38241	55114	185.150.24.67	192.168.2.23
Oct 27, 2024 10:02:08.183675051 CET	55114	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:02:08.189089060 CET	38241	55114	185.150.24.67	192.168.2.23
Oct 27, 2024 10:02:09.196804047 CET	55116	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:02:09.202264071 CET	38241	55116	185.150.24.67	192.168.2.23
Oct 27, 2024 10:02:09.202394009 CET	55116	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:02:09.203511953 CET	55116	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:02:09.208801985 CET	38241	55116	185.150.24.67	192.168.2.23
Oct 27, 2024 10:02:09.208882093 CET	55116	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:02:09.214457035 CET	38241	55116	185.150.24.67	192.168.2.23
Oct 27, 2024 10:02:09.816783905 CET	38241	55116	185.150.24.67	192.168.2.23
Oct 27, 2024 10:02:09.817110062 CET	55116	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:02:09.822571993 CET	38241	55116	185.150.24.67	192.168.2.23
Oct 27, 2024 10:02:10.759902954 CET	43928	443	192.168.2.23	91.189.91.42
Oct 27, 2024 10:02:10.831357002 CET	55118	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:02:10.836815119 CET	38241	55118	185.150.24.67	192.168.2.23
Oct 27, 2024 10:02:10.836936951 CET	55118	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:02:10.837956905 CET	55118	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:02:10.843358994 CET	38241	55118	185.150.24.67	192.168.2.23
Oct 27, 2024 10:02:10.843447924 CET	55118	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:02:10.848838091 CET	38241	55118	185.150.24.67	192.168.2.23
Oct 27, 2024 10:02:11.449029922 CET	38241	55118	185.150.24.67	192.168.2.23
Oct 27, 2024 10:02:11.449307919 CET	55118	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:02:11.454768896 CET	38241	55118	185.150.24.67	192.168.2.23
Oct 27, 2024 10:02:12.481946945 CET	55120	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:02:12.487709045 CET	38241	55120	185.150.24.67	192.168.2.23
Oct 27, 2024 10:02:12.487829924 CET	55120	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:02:12.489128113 CET	55120	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:02:12.494616985 CET	38241	55120	185.150.24.67	192.168.2.23
Oct 27, 2024 10:02:12.494729996 CET	55120	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:02:12.500375032 CET	38241	55120	185.150.24.67	192.168.2.23
Oct 27, 2024 10:02:13.103787899 CET	38241	55120	185.150.24.67	192.168.2.23
Oct 27, 2024 10:02:13.104273081 CET	55120	38241	192.168.2.23	185.150.24.67
Oct 27, 2024 10:02:13.110073090 CET	38241	55120	185.150.24.67	192.168.2.23
Oct 27, 2024 10:02:14.362766027 CET	49468	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:02:14.368330002 CET	38241	49468	45.156.86.24	192.168.2.23
Oct 27, 2024 10:02:14.368433952 CET	49468	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:02:14.369148970 CET	49468	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:02:14.374566078 CET	38241	49468	45.156.86.24	192.168.2.23
Oct 27, 2024 10:02:14.374644041 CET	49468	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:02:14.380014896 CET	38241	49468	45.156.86.24	192.168.2.23
Oct 27, 2024 10:02:16.903151035 CET	42516	80	192.168.2.23	109.202.202.202
Oct 27, 2024 10:02:20.998568058 CET	42836	443	192.168.2.23	91.189.91.43
Oct 27, 2024 10:02:25.204128981 CET	38241	49468	45.156.86.24	192.168.2.23
Oct 27, 2024 10:02:25.204454899 CET	49468	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:02:25.210011959 CET	38241	49468	45.156.86.24	192.168.2.23
Oct 27, 2024 10:02:26.218859911 CET	49470	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:02:26.224353075 CET	38241	49470	45.156.86.24	192.168.2.23
Oct 27, 2024 10:02:26.224477053 CET	49470	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:02:26.226099014 CET	49470	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:02:26.231448889 CET	38241	49470	45.156.86.24	192.168.2.23
Oct 27, 2024 10:02:26.231529951 CET	49470	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:02:26.237571955 CET	38241	49470	45.156.86.24	192.168.2.23
Oct 27, 2024 10:02:37.087361097 CET	38241	49470	45.156.86.24	192.168.2.23
Oct 27, 2024 10:02:37.087707043 CET	49470	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:02:37.094238043 CET	38241	49470	45.156.86.24	192.168.2.23
Oct 27, 2024 10:02:38.127245903 CET	49472	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:02:38.132747889 CET	38241	49472	45.156.86.24	192.168.2.23
Oct 27, 2024 10:02:38.133122921 CET	49472	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:02:38.135145903 CET	49472	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:02:38.140552998 CET	38241	49472	45.156.86.24	192.168.2.23
Oct 27, 2024 10:02:38.140669107 CET	49472	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:02:38.146234989 CET	38241	49472	45.156.86.24	192.168.2.23
Oct 27, 2024 10:02:48.976876020 CET	38241	49472	45.156.86.24	192.168.2.23
Oct 27, 2024 10:02:48.977336884 CET	49472	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:02:48.983911991 CET	38241	49472	45.156.86.24	192.168.2.23
Oct 27, 2024 10:02:49.998703957 CET	49474	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:02:50.004218102 CET	38241	49474	45.156.86.24	192.168.2.23
Oct 27, 2024 10:02:50.004448891 CET	49474	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:02:50.006135941 CET	49474	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:02:50.011540890 CET	38241	49474	45.156.86.24	192.168.2.23
Oct 27, 2024 10:02:50.011765957 CET	49474	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:02:50.017379999 CET	38241	49474	45.156.86.24	192.168.2.23
Oct 27, 2024 10:02:51.714329958 CET	43928	443	192.168.2.23	91.189.91.42
Oct 27, 2024 10:03:00.822004080 CET	38241	49474	45.156.86.24	192.168.2.23
Oct 27, 2024 10:03:00.822428942 CET	49474	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:03:00.829241037 CET	38241	49474	45.156.86.24	192.168.2.23
Oct 27, 2024 10:03:01.862869978 CET	49476	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:03:01.868520021 CET	38241	49476	45.156.86.24	192.168.2.23
Oct 27, 2024 10:03:01.868737936 CET	49476	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:03:01.870084047 CET	49476	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:03:01.875519037 CET	38241	49476	45.156.86.24	192.168.2.23
Oct 27, 2024 10:03:01.875912905 CET	49476	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:03:01.881342888 CET	38241	49476	45.156.86.24	192.168.2.23
Oct 27, 2024 10:03:12.685162067 CET	38241	49476	45.156.86.24	192.168.2.23
Oct 27, 2024 10:03:12.685760975 CET	49476	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:03:12.691971064 CET	38241	49476	45.156.86.24	192.168.2.23
Oct 27, 2024 10:03:13.701199055 CET	49478	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:03:13.706665993 CET	38241	49478	45.156.86.24	192.168.2.23
Oct 27, 2024 10:03:13.706729889 CET	49478	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:03:13.707967043 CET	49478	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:03:13.713397026 CET	38241	49478	45.156.86.24	192.168.2.23
Oct 27, 2024 10:03:13.713624954 CET	49478	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:03:13.718961954 CET	38241	49478	45.156.86.24	192.168.2.23
Oct 27, 2024 10:03:23.716943979 CET	49478	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:03:23.722482920 CET	38241	49478	45.156.86.24	192.168.2.23
Oct 27, 2024 10:03:24.092365026 CET	38241	49478	45.156.86.24	192.168.2.23
Oct 27, 2024 10:03:24.092859030 CET	49478	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:03:24.098156929 CET	38241	49478	45.156.86.24	192.168.2.23
Oct 27, 2024 10:03:25.323863983 CET	49480	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:03:25.329519987 CET	38241	49480	45.156.86.24	192.168.2.23
Oct 27, 2024 10:03:25.329907894 CET	49480	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:03:25.331823111 CET	49480	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:03:25.337238073 CET	38241	49480	45.156.86.24	192.168.2.23
Oct 27, 2024 10:03:25.337428093 CET	49480	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:03:25.342757940 CET	38241	49480	45.156.86.24	192.168.2.23
Oct 27, 2024 10:03:36.185587883 CET	38241	49480	45.156.86.24	192.168.2.23
Oct 27, 2024 10:03:36.185916901 CET	49480	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:03:36.191874981 CET	38241	49480	45.156.86.24	192.168.2.23
Oct 27, 2024 10:03:37.213403940 CET	49482	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:03:37.219002962 CET	38241	49482	45.156.86.24	192.168.2.23
Oct 27, 2024 10:03:37.219212055 CET	49482	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:03:37.220948935 CET	49482	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:03:37.228940010 CET	38241	49482	45.156.86.24	192.168.2.23
Oct 27, 2024 10:03:37.229382038 CET	49482	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:03:37.235697985 CET	38241	49482	45.156.86.24	192.168.2.23
Oct 27, 2024 10:03:48.047220945 CET	38241	49482	45.156.86.24	192.168.2.23
Oct 27, 2024 10:03:48.047633886 CET	49482	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:03:48.053474903 CET	38241	49482	45.156.86.24	192.168.2.23
Oct 27, 2024 10:03:49.142024040 CET	49484	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:03:49.147944927 CET	38241	49484	45.156.86.24	192.168.2.23
Oct 27, 2024 10:03:49.148344994 CET	49484	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:03:49.150259972 CET	49484	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:03:49.155818939 CET	38241	49484	45.156.86.24	192.168.2.23
Oct 27, 2024 10:03:49.156035900 CET	49484	38241	192.168.2.23	45.156.86.24
Oct 27, 2024 10:03:49.161891937 CET	38241	49484	45.156.86.24	192.168.2.23

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2024 10:01:48.228446960 CET	33990	53	192.168.2.23	152.53.15.127
Oct 27, 2024 10:01:48.239942074 CET	53	33990	152.53.15.127	192.168.2.23
Oct 27, 2024 10:01:59.666907072 CET	36423	53	192.168.2.23	194.36.144.87
Oct 27, 2024 10:01:59.678282022 CET	53	36423	194.36.144.87	192.168.2.23
Oct 27, 2024 10:02:01.302978992 CET	34260	53	192.168.2.23	152.53.15.127
Oct 27, 2024 10:02:01.464339972 CET	53	34260	152.53.15.127	192.168.2.23
Oct 27, 2024 10:02:03.086823940 CET	36181	53	192.168.2.23	168.235.111.72
Oct 27, 2024 10:02:03.176806927 CET	53	36181	168.235.111.72	192.168.2.23
Oct 27, 2024 10:02:05.824039936 CET	55775	53	192.168.2.23	81.169.136.222
Oct 27, 2024 10:02:05.852348089 CET	53	55775	81.169.136.222	192.168.2.23
Oct 27, 2024 10:02:07.472502947 CET	55874	53	192.168.2.23	168.235.111.72
Oct 27, 2024 10:02:07.568907022 CET	53	55874	168.235.111.72	192.168.2.23
Oct 27, 2024 10:02:09.185534954 CET	35678	53	192.168.2.23	152.53.15.127
Oct 27, 2024 10:02:09.196245909 CET	53	35678	152.53.15.127	192.168.2.23
Oct 27, 2024 10:02:10.820189953 CET	59745	53	192.168.2.23	194.36.144.87
Oct 27, 2024 10:02:10.830552101 CET	53	59745	194.36.144.87	192.168.2.23
Oct 27, 2024 10:02:12.452369928 CET	42715	53	192.168.2.23	81.169.136.222
Oct 27, 2024 10:02:12.480992079 CET	53	42715	81.169.136.222	192.168.2.23
Oct 27, 2024 10:02:14.108136892 CET	38588	53	192.168.2.23	51.158.108.203
Oct 27, 2024 10:02:14.362062931 CET	53	38588	51.158.108.203	192.168.2.23
Oct 27, 2024 10:02:26.206567049 CET	49439	53	192.168.2.23	194.36.144.87
Oct 27, 2024 10:02:26.218013048 CET	53	49439	194.36.144.87	192.168.2.23
Oct 27, 2024 10:02:38.091475964 CET	47727	53	192.168.2.23	185.181.61.24
Oct 27, 2024 10:02:38.125915051 CET	53	47727	185.181.61.24	192.168.2.23
Oct 27, 2024 10:02:49.981030941 CET	50688	53	192.168.2.23	51.158.108.203
Oct 27, 2024 10:02:49.996927977 CET	53	50688	51.158.108.203	192.168.2.23
Oct 27, 2024 10:03:01.827717066 CET	43374	53	192.168.2.23	185.181.61.24
Oct 27, 2024 10:03:01.861195087 CET	53	43374	185.181.61.24	192.168.2.23
Oct 27, 2024 10:03:13.689606905 CET	51727	53	192.168.2.23	194.36.144.87
Oct 27, 2024 10:03:13.700155020 CET	53	51727	194.36.144.87	192.168.2.23
Oct 27, 2024 10:03:25.096091986 CET	48988	53	192.168.2.23	81.169.136.222
Oct 27, 2024 10:03:25.321687937 CET	53	48988	81.169.136.222	192.168.2.23
Oct 27, 2024 10:03:37.190705061 CET	42448	53	192.168.2.23	51.158.108.203
Oct 27, 2024 10:03:37.210879087 CET	53	42448	51.158.108.203	192.168.2.23
Oct 27, 2024 10:03:49.052622080 CET	48569	53	192.168.2.23	168.235.111.72
Oct 27, 2024 10:03:49.140218019 CET	53	48569	168.235.111.72	192.168.2.23

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 27, 2024 10:01:48.228446960 CET	192.168.2.23	152.53.15.127	0x5ad2	Standard query (0)	burnthe.libre	A (IP address)	IN (0x0001)	false
Oct 27, 2024 10:01:59.666907072 CET	192.168.2.23	194.36.144.87	0x2c15	Standard query (0)	chinklabs.dyn	A (IP address)	IN (0x0001)	false
Oct 27, 2024 10:02:01.302978992 CET	192.168.2.23	152.53.15.127	0x4f57	Standard query (0)	netfags.geek. [malformed]	256	393	false
Oct 27, 2024 10:02:03.086823940 CET	192.168.2.23	168.235.111.72	0x16ea	Standard query (0)	chinklabs.dyn	A (IP address)	IN (0x0001)	false
Oct 27, 2024 10:02:05.824039936 CET	192.168.2.23	81.169.136.222	0xf6	Standard query (0)	netfags.geek. [malformed]	256	397	false
Oct 27, 2024 10:02:07.472502947 CET	192.168.2.23	168.235.111.72	0x79e2	Standard query (0)	netfags.geek. [malformed]	256	399	false
Oct 27, 2024 10:02:09.185534954 CET	192.168.2.23	152.53.15.127	0xbf18	Standard query (0)	netfags.geek. [malformed]	256	401	false
Oct 27, 2024 10:02:10.820189953 CET	192.168.2.23	194.36.144.87	0xf217	Standard query (0)	chinklabs.dyn	A (IP address)	IN (0x0001)	false
Oct 27, 2024 10:02:12.452369928 CET	192.168.2.23	81.169.136.222	0x5d3	Standard query (0)	chinklabs.dyn	A (IP address)	IN (0x0001)	false
Oct 27, 2024 10:02:14.108136892 CET	192.168.2.23	51.158.108.203	0xd233	Standard query (0)	burnthe.libre	A (IP address)	IN (0x0001)	false
Oct 27, 2024 10:02:26.206567049 CET	192.168.2.23	194.36.144.87	0xbc07	Standard query (0)	yellowchink.pirate	A (IP address)	IN (0x0001)	false
Oct 27, 2024 10:02:38.091475964 CET	192.168.2.23	185.181.61.24	0x9289	Standard query (0)	chinklabs.dyn. [malformed]	256	430	false
Oct 27, 2024 10:02:49.981030941 CET	192.168.2.23	51.158.108.203	0x6d2c	Standard query (0)	chinklabs.dyn. [malformed]	256	441	false
Oct 27, 2024 10:03:01.827717066 CET	192.168.2.23	185.181.61.24	0xbbaa	Standard query (0)	chinklabs.dyn. [malformed]	256	453	false
Oct 27, 2024 10:03:13.689606905 CET	192.168.2.23	194.36.144.87	0xc9de	Standard query (0)	chinklabs.dyn. [malformed]	256	465	false
Oct 27, 2024 10:03:25.096091986 CET	192.168.2.23	81.169.136.222	0x4ae1	Standard query (0)	burnthe.libre. [malformed]	256	477	false
Oct 27, 2024 10:03:37.190705061 CET	192.168.2.23	51.158.108.203	0xa0fb	Standard query (0)	chinklabs.dyn. [malformed]	256	489	false
Oct 27, 2024 10:03:49.052622080 CET	192.168.2.23	168.235.111.72	0x6900	Standard query (0)	chinklabs.dyn. [malformed]	256	501	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 27, 2024 10:01:48.239942074 CET	152.53.15.127	192.168.2.23	0x5ad2	No error (0)	burnthe.libre		45.156.86.24	A (IP address)	IN (0x0001)	false
Oct 27, 2024 10:01:59.678282022 CET	194.36.144.87	192.168.2.23	0x2c15	No error (0)	chinklabs.dyn		185.150.24.67	A (IP address)	IN (0x0001)	false
Oct 27, 2024 10:02:01.464339972 CET	152.53.15.127	192.168.2.23	0x4f57	Format error (1)	netfags.geek. [malformed]	none	none	256	393	false
Oct 27, 2024 10:02:03.176806927 CET	168.235.111.72	192.168.2.23	0x16ea	No error (0)	chinklabs.dyn		185.150.24.67	A (IP address)	IN (0x0001)	false
Oct 27, 2024 10:02:09.196245909 CET	152.53.15.127	192.168.2.23	0xbf18	Format error (1)	netfags.geek. [malformed]	none	none	256	401	false
Oct 27, 2024 10:02:10.830552101 CET	194.36.144.87	192.168.2.23	0xf217	No error (0)	chinklabs.dyn		185.150.24.67	A (IP address)	IN (0x0001)	false
Oct 27, 2024 10:02:12.480992079 CET	81.169.136.222	192.168.2.23	0x5d3	No error (0)	chinklabs.dyn		185.150.24.67	A (IP address)	IN (0x0001)	false
Oct 27, 2024 10:02:14.362062931 CET	51.158.108.203	192.168.2.23	0xd233	No error (0)	burnthe.libre		45.156.86.24	A (IP address)	IN (0x0001)	false
Oct 27, 2024 10:02:26.218013048 CET	194.36.144.87	192.168.2.23	0xbc07	No error (0)	yellowchink.pirate		45.156.86.24	A (IP address)	IN (0x0001)	false
Oct 27, 2024 10:02:49.996927977 CET	51.158.108.203	192.168.2.23	0x6d2c	Format error (1)	chinklabs.dyn. [malformed]	none	none	256	441	false
Oct 27, 2024 10:03:13.700155020 CET	194.36.144.87	192.168.2.23	0xc9de	Format error (1)	chinklabs.dyn. [malformed]	none	none	256	465	false
Oct 27, 2024 10:03:37.210879087 CET	51.158.108.203	192.168.2.23	0xa0fb	Format error (1)	chinklabs.dyn. [malformed]	none	none	256	489	false

System Behavior

Analysis Process: zermpsl.elf PID: 6266, Parent PID: 6191

General

Start time (UTC):	09:01:46
Start date (UTC):	27/10/2024
Path:	/tmp/zermpsl.elf
Arguments:	/tmp/zermpsl.elf
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: zermpsl.elf PID: 6268, Parent PID: 6266

General

Start time (UTC):	09:01:47
Start date (UTC):	27/10/2024
Path:	/tmp/zermpsl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: zermpsl.elf PID: 6270, Parent PID: 6268

General

Start time (UTC):	09:01:47
Start date (UTC):	27/10/2024
Path:	/tmp/zermpsl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report zermpsl.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: zermpsl.elf PID: 6266, Parent PID: 6191

General

Chronological Activities

Analysis Process: zermpsl.elf PID: 6268, Parent PID: 6266

General

Chronological Activities

Analysis Process: zermpsl.elf PID: 6270, Parent PID: 6268

General

Chronological Activities

Linux Analysis Report
zermpsl.elf