Edit tour

Linux Analysis Report
zerm68k.elf

Overview

General Information

Sample name:	zerm68k.elf
Analysis ID:	1543158
MD5:	1d68b438282771f4a9fd88497e1aa35b
SHA1:	58d1cca61d5ef67d4bbc46fdff9d6bd3663e5a75
SHA256:	8dbf0e8164c609ed504c645633c26e96e8a8d4a643e0dff42834020a280a3c7a
Tags:	elfMiraiuser-abuse_ch
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Connects to many ports of the same IP (likely port scanning)

Sends malformed DNS queries

Detected TCP or UDP traffic on non-standard ports

Sample has stripped symbol table

Sample listens on a socket

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543158
Start date and time:	2024-10-27 10:00:46 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	zerm68k.elf
Detection:	MAL
Classification:	mal56.troj.linELF@0/0@11/0

Warnings

VT rate limit hit for: zerm68k.elf

Runtime Messages

Command:	/tmp/zerm68k.elf
PID:	5652
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	The Peoples Bank of China.
Standard Error:

Process Tree

system is lnxubuntu20

zerm68k.elf (PID: 5652, Parent: 5578, MD5: cd177594338c77b895ae27c33f8f86cc) Arguments: /tmp/zerm68k.elf

zerm68k.elf New Fork (PID: 5654, Parent: 5652)

zerm68k.elf New Fork (PID: 5656, Parent: 5654)

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: zerm68k.elf

ReversingLabs: Detection: 47%

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 185.150.24.67 ports 38241,1,2,3,4,8
Source: global traffic	TCP traffic: 45.156.86.24 ports 38241,1,2,3,4,8

Sends malformed DNS queries

Source: global traffic	DNS traffic detected: malformed DNS query: netfags.geek. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: burnthe.libre. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: yellowchink.pirate. [malformed]

Source: global traffic	TCP traffic: 192.168.2.15:55542 -> 45.156.86.24:38241
Source: global traffic	TCP traffic: 192.168.2.15:35542 -> 185.150.24.67:38241

Source: /tmp/zerm68k.elf (PID: 5652)

Socket: 127.0.0.1:39148

Jump to behavior

Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24

Source: global traffic	DNS traffic detected: DNS query: netfags.geek
Source: global traffic	DNS traffic detected: DNS query: burnthe.libre
Source: global traffic	DNS traffic detected: DNS query: netfags.geek. [malformed]
Source: global traffic	DNS traffic detected: DNS query: chinklabs.dyn
Source: global traffic	DNS traffic detected: DNS query: yellowchink.pirate
Source: global traffic	DNS traffic detected: DNS query: burnthe.libre. [malformed]
Source: global traffic	DNS traffic detected: DNS query: yellowchink.pirate. [malformed]

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal56.troj.linELF@0/0@11/0

Source: /tmp/zerm68k.elf (PID: 5652)

Queries kernel information via 'uname':

Jump to behavior

Source: zerm68k.elf, 5652.1.000055d11cff8000.000055d11d07c000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/m68k
Source: zerm68k.elf, 5652.1.00007ffd1521f000.00007ffd15240000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-m68k/tmp/zerm68k.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/zerm68k.elf
Source: zerm68k.elf, 5652.1.00007ffd1521f000.00007ffd15240000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-m68k
Source: zerm68k.elf, 5652.1.000055d11cff8000.000055d11d07c000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/m68k

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
zerm68k.elf	47%	ReversingLabs	Linux.Backdoor.Mirai

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
netfags.geek	45.156.86.24	true	true	unknown
yellowchink.pirate	45.156.86.24	true	true	unknown
chinklabs.dyn	185.150.24.67	true	true	unknown
burnthe.libre	45.156.86.24	true	true	unknown
netfags.geek. [malformed]	unknown	unknown	true	unknown
burnthe.libre. [malformed]	unknown	unknown	true	unknown
yellowchink.pirate. [malformed]	unknown	unknown	true	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.150.24.67	chinklabs.dyn	Netherlands		44592	SKYLINKNL	true
45.156.86.24	netfags.geek	Germany		44592	SKYLINKNL	true

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
185.150.24.67	zerspc.elf	Get hash	malicious	Unknown	Browse
	zerarm5.elf	Get hash	malicious	Unknown	Browse
	zermips.elf	Get hash	malicious	Unknown	Browse
	zersh4.elf	Get hash	malicious	Unknown	Browse
	zerppc.elf	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	https://search-dl3.com/staticpr/12.zip	Get hash	malicious	Unknown	Browse
45.156.86.24	zerspc.elf	Get hash	malicious	Unknown	Browse
	nabm68k.elf	Get hash	malicious	Unknown	Browse
	zerarm.elf	Get hash	malicious	Unknown	Browse
	zerarm5.elf	Get hash	malicious	Unknown	Browse
	nabspc.elf	Get hash	malicious	Unknown	Browse
	zerx86.elf	Get hash	malicious	Unknown	Browse
	nabppc.elf	Get hash	malicious	Unknown	Browse
	nabmips.elf	Get hash	malicious	Unknown	Browse
	zermips.elf	Get hash	malicious	Unknown	Browse
	nabarm.elf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
yellowchink.pirate	nabm68k.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	nklx86.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	zerarm5.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	nabspc.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	zerx86.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
chinklabs.dyn	nklx86.elf	Get hash	malicious	Unknown	Browse	185.150.24.67
chinklabs.dyn	zerarm5.elf	Get hash	malicious	Unknown	Browse	185.150.24.67

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SKYLINKNL	zerspc.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	nabm68k.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	zerarm.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	zerarm5.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	nabspc.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	zerx86.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	nabppc.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	nabmips.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	zermips.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	nabarm.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
SKYLINKNL	zerspc.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	nabm68k.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	zerarm.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	zerarm5.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	nabspc.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	zerx86.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	nabppc.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	nabmips.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	zermips.elf	Get hash	malicious	Unknown	Browse	45.156.86.24
	nabarm.elf	Get hash	malicious	Unknown	Browse	45.156.86.24

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.209448832967863
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	zerm68k.elf
File size:	48'628 bytes
MD5:	1d68b438282771f4a9fd88497e1aa35b
SHA1:	58d1cca61d5ef67d4bbc46fdff9d6bd3663e5a75
SHA256:	8dbf0e8164c609ed504c645633c26e96e8a8d4a643e0dff42834020a280a3c7a
SHA512:	54a45cd236224dd1eca50a41f0566389e94c8cac75eaa0f3925007cb9acacdad1419ea8b531c4d71114f32025c3ad2f2f9cd7601917ecf8ac53c10d6bd8b5e42
SSDEEP:	768:fPegq++79Zv4DyKHs//NLaO7oA20/QuSbFbRDlF8nANzq:HNq7nv4DyOs3NLj7o8/Qu2bRDP8nkq
TLSH:	17233C99B801AD3CFD4BF7BE84130A0CF560375951A20B2B67ABFE936C726944D16D83
File Content Preview:	.ELF.......................D...4...<.....4. ...(.......................v...v...... ........\|...\|...\|...\|.......... .dt.Q............................NV..a....da.....N^NuNV..J9....f>"y.... QJ.g.X.#.....N."y.... QJ.f.A.....J.g.Hy...xN.X.........N^NuNV..N^NuN

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MC68000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x80000144
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	48188
Section Header Size:	40
Number of Section Headers:	11
Header String Table Index:	10

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x80000094	0x94	0x14	0x0	0x6	AX	2
.text	PROGBITS	0x800000a8	0xa8	0xb1c2	0x0	0x6	AX	4
.fini	PROGBITS	0x8000b26a	0xb26a	0xe	0x0	0x6	AX	2
.rodata	PROGBITS	0x8000b278	0xb278	0x7fe	0x0	0x2	A	2
.ctors	PROGBITS	0x8000da7c	0xba7c	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x8000da84	0xba84	0x8	0x0	0x3	WA	4
.jcr	PROGBITS	0x8000da8c	0xba8c	0x4	0x0	0x3	WA	4
.data	PROGBITS	0x8000da90	0xba90	0x168	0x0	0x3	WA	4
.bss	NOBITS	0x8000dbf8	0xbbf8	0x174	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0xbbf8	0x43	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x80000000	0x80000000	0xba76	0xba76	6.2581	0x5	R E	0x2000	.init .text .fini .rodata
LOAD	0xba7c	0x8000da7c	0x8000da7c	0x17c	0x2f0	0.8833	0x6	RW	0x2000	.ctors .dtors .jcr .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2024 10:01:50.430027962 CET	55542	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:01:50.435419083 CET	38241	55542	45.156.86.24	192.168.2.15
Oct 27, 2024 10:01:50.435501099 CET	55542	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:01:50.436463118 CET	55542	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:01:50.441968918 CET	38241	55542	45.156.86.24	192.168.2.15
Oct 27, 2024 10:01:50.442037106 CET	55542	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:01:50.447423935 CET	38241	55542	45.156.86.24	192.168.2.15
Oct 27, 2024 10:02:00.446639061 CET	55542	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:02:00.452399969 CET	38241	55542	45.156.86.24	192.168.2.15
Oct 27, 2024 10:02:00.804382086 CET	38241	55542	45.156.86.24	192.168.2.15
Oct 27, 2024 10:02:00.805039883 CET	55542	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:02:00.810653925 CET	38241	55542	45.156.86.24	192.168.2.15
Oct 27, 2024 10:02:01.820624113 CET	55544	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:02:01.826018095 CET	38241	55544	45.156.86.24	192.168.2.15
Oct 27, 2024 10:02:01.826082945 CET	55544	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:02:01.826989889 CET	55544	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:02:01.832509995 CET	38241	55544	45.156.86.24	192.168.2.15
Oct 27, 2024 10:02:01.832571030 CET	55544	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:02:01.838109016 CET	38241	55544	45.156.86.24	192.168.2.15
Oct 27, 2024 10:02:12.666147947 CET	38241	55544	45.156.86.24	192.168.2.15
Oct 27, 2024 10:02:12.666747093 CET	55544	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:02:12.672476053 CET	38241	55544	45.156.86.24	192.168.2.15
Oct 27, 2024 10:02:13.682650089 CET	55546	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:02:13.688425064 CET	38241	55546	45.156.86.24	192.168.2.15
Oct 27, 2024 10:02:13.688652039 CET	55546	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:02:13.690320969 CET	55546	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:02:13.695822001 CET	38241	55546	45.156.86.24	192.168.2.15
Oct 27, 2024 10:02:13.695920944 CET	55546	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:02:13.701383114 CET	38241	55546	45.156.86.24	192.168.2.15
Oct 27, 2024 10:02:24.696712017 CET	38241	55546	45.156.86.24	192.168.2.15
Oct 27, 2024 10:02:24.697010040 CET	55546	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:02:24.703288078 CET	38241	55546	45.156.86.24	192.168.2.15
Oct 27, 2024 10:02:25.710952997 CET	55548	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:02:25.716689110 CET	38241	55548	45.156.86.24	192.168.2.15
Oct 27, 2024 10:02:25.716749907 CET	55548	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:02:25.717529058 CET	55548	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:02:25.723298073 CET	38241	55548	45.156.86.24	192.168.2.15
Oct 27, 2024 10:02:25.723402023 CET	55548	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:02:25.729010105 CET	38241	55548	45.156.86.24	192.168.2.15
Oct 27, 2024 10:02:36.541434050 CET	38241	55548	45.156.86.24	192.168.2.15
Oct 27, 2024 10:02:36.541600943 CET	55548	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:02:36.547050953 CET	38241	55548	45.156.86.24	192.168.2.15
Oct 27, 2024 10:02:37.559803009 CET	35542	38241	192.168.2.15	185.150.24.67
Oct 27, 2024 10:02:37.565248013 CET	38241	35542	185.150.24.67	192.168.2.15
Oct 27, 2024 10:02:37.565327883 CET	35542	38241	192.168.2.15	185.150.24.67
Oct 27, 2024 10:02:37.566802025 CET	35542	38241	192.168.2.15	185.150.24.67
Oct 27, 2024 10:02:37.572309971 CET	38241	35542	185.150.24.67	192.168.2.15
Oct 27, 2024 10:02:37.572400093 CET	35542	38241	192.168.2.15	185.150.24.67
Oct 27, 2024 10:02:37.577867031 CET	38241	35542	185.150.24.67	192.168.2.15
Oct 27, 2024 10:02:39.188162088 CET	38241	35542	185.150.24.67	192.168.2.15
Oct 27, 2024 10:02:39.188460112 CET	35542	38241	192.168.2.15	185.150.24.67
Oct 27, 2024 10:02:39.193993092 CET	38241	35542	185.150.24.67	192.168.2.15
Oct 27, 2024 10:02:40.211536884 CET	55552	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:02:40.217070103 CET	38241	55552	45.156.86.24	192.168.2.15
Oct 27, 2024 10:02:40.217312098 CET	55552	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:02:40.219254971 CET	55552	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:02:40.224864960 CET	38241	55552	45.156.86.24	192.168.2.15
Oct 27, 2024 10:02:40.224946022 CET	55552	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:02:40.230417013 CET	38241	55552	45.156.86.24	192.168.2.15
Oct 27, 2024 10:02:51.054430008 CET	38241	55552	45.156.86.24	192.168.2.15
Oct 27, 2024 10:02:51.054933071 CET	55552	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:02:51.060731888 CET	38241	55552	45.156.86.24	192.168.2.15
Oct 27, 2024 10:02:52.353832006 CET	55554	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:02:52.359532118 CET	38241	55554	45.156.86.24	192.168.2.15
Oct 27, 2024 10:02:52.359817982 CET	55554	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:02:52.361481905 CET	55554	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:02:52.367000103 CET	38241	55554	45.156.86.24	192.168.2.15
Oct 27, 2024 10:02:52.367073059 CET	55554	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:02:52.372484922 CET	38241	55554	45.156.86.24	192.168.2.15
Oct 27, 2024 10:03:03.202358961 CET	38241	55554	45.156.86.24	192.168.2.15
Oct 27, 2024 10:03:03.202940941 CET	55554	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:03:03.208420992 CET	38241	55554	45.156.86.24	192.168.2.15
Oct 27, 2024 10:03:04.341274023 CET	55556	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:03:04.346713066 CET	38241	55556	45.156.86.24	192.168.2.15
Oct 27, 2024 10:03:04.347070932 CET	55556	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:03:04.348742008 CET	55556	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:03:04.354083061 CET	38241	55556	45.156.86.24	192.168.2.15
Oct 27, 2024 10:03:04.354316950 CET	55556	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:03:04.359772921 CET	38241	55556	45.156.86.24	192.168.2.15
Oct 27, 2024 10:03:14.358592033 CET	55556	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:03:14.364101887 CET	38241	55556	45.156.86.24	192.168.2.15
Oct 27, 2024 10:03:14.719866991 CET	38241	55556	45.156.86.24	192.168.2.15
Oct 27, 2024 10:03:14.720160007 CET	55556	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:03:14.725665092 CET	38241	55556	45.156.86.24	192.168.2.15
Oct 27, 2024 10:03:15.754432917 CET	55558	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:03:15.760741949 CET	38241	55558	45.156.86.24	192.168.2.15
Oct 27, 2024 10:03:15.761080980 CET	55558	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:03:15.762645006 CET	55558	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:03:15.768539906 CET	38241	55558	45.156.86.24	192.168.2.15
Oct 27, 2024 10:03:15.768733978 CET	55558	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:03:15.774143934 CET	38241	55558	45.156.86.24	192.168.2.15
Oct 27, 2024 10:03:26.603466034 CET	38241	55558	45.156.86.24	192.168.2.15
Oct 27, 2024 10:03:26.604065895 CET	55558	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:03:26.609558105 CET	38241	55558	45.156.86.24	192.168.2.15
Oct 27, 2024 10:03:27.705235958 CET	55560	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:03:27.710787058 CET	38241	55560	45.156.86.24	192.168.2.15
Oct 27, 2024 10:03:27.711205959 CET	55560	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:03:27.713009119 CET	55560	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:03:27.718513966 CET	38241	55560	45.156.86.24	192.168.2.15
Oct 27, 2024 10:03:27.718832016 CET	55560	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:03:27.724155903 CET	38241	55560	45.156.86.24	192.168.2.15
Oct 27, 2024 10:03:38.843534946 CET	38241	55560	45.156.86.24	192.168.2.15
Oct 27, 2024 10:03:38.843805075 CET	55560	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:03:38.843812943 CET	38241	55560	45.156.86.24	192.168.2.15
Oct 27, 2024 10:03:38.843868971 CET	55560	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:03:38.859962940 CET	38241	55560	45.156.86.24	192.168.2.15
Oct 27, 2024 10:03:39.884008884 CET	55562	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:03:39.889687061 CET	38241	55562	45.156.86.24	192.168.2.15
Oct 27, 2024 10:03:39.889955044 CET	55562	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:03:39.891926050 CET	55562	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:03:39.897865057 CET	38241	55562	45.156.86.24	192.168.2.15
Oct 27, 2024 10:03:39.898189068 CET	55562	38241	192.168.2.15	45.156.86.24
Oct 27, 2024 10:03:39.904277086 CET	38241	55562	45.156.86.24	192.168.2.15

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2024 10:01:50.335982084 CET	36854	53	192.168.2.15	168.235.111.72
Oct 27, 2024 10:01:50.428841114 CET	53	36854	168.235.111.72	192.168.2.15
Oct 27, 2024 10:02:01.807929039 CET	39484	53	192.168.2.15	194.36.144.87
Oct 27, 2024 10:02:01.819906950 CET	53	39484	194.36.144.87	192.168.2.15
Oct 27, 2024 10:02:13.670342922 CET	56663	53	192.168.2.15	194.36.144.87
Oct 27, 2024 10:02:13.681118011 CET	53	56663	194.36.144.87	192.168.2.15
Oct 27, 2024 10:02:25.699623108 CET	47442	53	192.168.2.15	194.36.144.87
Oct 27, 2024 10:02:25.710355997 CET	53	47442	194.36.144.87	192.168.2.15
Oct 27, 2024 10:02:37.547168970 CET	57241	53	192.168.2.15	194.36.144.87
Oct 27, 2024 10:02:37.558649063 CET	53	57241	194.36.144.87	192.168.2.15
Oct 27, 2024 10:02:40.193806887 CET	58481	53	192.168.2.15	51.158.108.203
Oct 27, 2024 10:02:40.209717035 CET	53	58481	51.158.108.203	192.168.2.15
Oct 27, 2024 10:02:52.059477091 CET	39335	53	192.168.2.15	194.36.144.87
Oct 27, 2024 10:02:52.352718115 CET	53	39335	194.36.144.87	192.168.2.15
Oct 27, 2024 10:03:04.208713055 CET	33859	53	192.168.2.15	194.36.144.87
Oct 27, 2024 10:03:04.339762926 CET	53	33859	194.36.144.87	192.168.2.15
Oct 27, 2024 10:03:15.725230932 CET	60296	53	192.168.2.15	81.169.136.222
Oct 27, 2024 10:03:15.753168106 CET	53	60296	81.169.136.222	192.168.2.15
Oct 27, 2024 10:03:27.609436989 CET	57716	53	192.168.2.15	168.235.111.72
Oct 27, 2024 10:03:27.702718973 CET	53	57716	168.235.111.72	192.168.2.15
Oct 27, 2024 10:03:39.848315954 CET	41994	53	192.168.2.15	185.181.61.24
Oct 27, 2024 10:03:39.882134914 CET	53	41994	185.181.61.24	192.168.2.15

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 27, 2024 10:01:50.335982084 CET	192.168.2.15	168.235.111.72	0xd44	Standard query (0)	netfags.geek	A (IP address)	IN (0x0001)	false
Oct 27, 2024 10:02:01.807929039 CET	192.168.2.15	194.36.144.87	0xdff4	Standard query (0)	burnthe.libre	A (IP address)	IN (0x0001)	false
Oct 27, 2024 10:02:13.670342922 CET	192.168.2.15	194.36.144.87	0xf6d1	Standard query (0)	netfags.geek. [malformed]	256	405	false
Oct 27, 2024 10:02:25.699623108 CET	192.168.2.15	194.36.144.87	0xfd22	Standard query (0)	netfags.geek. [malformed]	256	417	false
Oct 27, 2024 10:02:37.547168970 CET	192.168.2.15	194.36.144.87	0xaf21	Standard query (0)	chinklabs.dyn	A (IP address)	IN (0x0001)	false
Oct 27, 2024 10:02:40.193806887 CET	192.168.2.15	51.158.108.203	0x1f0e	Standard query (0)	yellowchink.pirate	A (IP address)	IN (0x0001)	false
Oct 27, 2024 10:02:52.059477091 CET	192.168.2.15	194.36.144.87	0xbbe7	Standard query (0)	yellowchink.pirate	A (IP address)	IN (0x0001)	false
Oct 27, 2024 10:03:04.208713055 CET	192.168.2.15	194.36.144.87	0xc18d	Standard query (0)	burnthe.libre. [malformed]	256	456	false
Oct 27, 2024 10:03:15.725230932 CET	192.168.2.15	81.169.136.222	0x7f0d	Standard query (0)	netfags.geek. [malformed]	256	467	false
Oct 27, 2024 10:03:27.609436989 CET	192.168.2.15	168.235.111.72	0x82c	Standard query (0)	yellowchink.pirate. [malformed]	256	479	false
Oct 27, 2024 10:03:39.848315954 CET	192.168.2.15	185.181.61.24	0xcb9c	Standard query (0)	yellowchink.pirate. [malformed]	256	491	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 27, 2024 10:01:50.428841114 CET	168.235.111.72	192.168.2.15	0xd44	No error (0)	netfags.geek		45.156.86.24	A (IP address)	IN (0x0001)	false
Oct 27, 2024 10:02:01.819906950 CET	194.36.144.87	192.168.2.15	0xdff4	No error (0)	burnthe.libre		45.156.86.24	A (IP address)	IN (0x0001)	false
Oct 27, 2024 10:02:13.681118011 CET	194.36.144.87	192.168.2.15	0xf6d1	Format error (1)	netfags.geek. [malformed]	none	none	256	405	false
Oct 27, 2024 10:02:25.710355997 CET	194.36.144.87	192.168.2.15	0xfd22	Format error (1)	netfags.geek. [malformed]	none	none	256	417	false
Oct 27, 2024 10:02:37.558649063 CET	194.36.144.87	192.168.2.15	0xaf21	No error (0)	chinklabs.dyn		185.150.24.67	A (IP address)	IN (0x0001)	false
Oct 27, 2024 10:02:40.209717035 CET	51.158.108.203	192.168.2.15	0x1f0e	No error (0)	yellowchink.pirate		45.156.86.24	A (IP address)	IN (0x0001)	false
Oct 27, 2024 10:02:52.352718115 CET	194.36.144.87	192.168.2.15	0xbbe7	No error (0)	yellowchink.pirate		45.156.86.24	A (IP address)	IN (0x0001)	false
Oct 27, 2024 10:03:04.339762926 CET	194.36.144.87	192.168.2.15	0xc18d	Format error (1)	burnthe.libre. [malformed]	none	none	256	456	false

System Behavior

Analysis Process: zerm68k.elf PID: 5652, Parent PID: 5578

General

Start time (UTC):	09:01:49
Start date (UTC):	27/10/2024
Path:	/tmp/zerm68k.elf
Arguments:	/tmp/zerm68k.elf
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: zerm68k.elf PID: 5654, Parent PID: 5652

General

Start time (UTC):	09:01:49
Start date (UTC):	27/10/2024
Path:	/tmp/zerm68k.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: zerm68k.elf PID: 5656, Parent PID: 5654

General

Start time (UTC):	09:01:49
Start date (UTC):	27/10/2024
Path:	/tmp/zerm68k.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report zerm68k.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: zerm68k.elf PID: 5652, Parent PID: 5578

General

Chronological Activities

Analysis Process: zerm68k.elf PID: 5654, Parent PID: 5652

General

Chronological Activities

Analysis Process: zerm68k.elf PID: 5656, Parent PID: 5654

General

Chronological Activities

Linux Analysis Report
zerm68k.elf