
Linux Analysis Report
zerx86.elf

Overview

General Information

Sample name:zerx86.elf
Analysis ID:1580171
MD5:8f88d9001a0bbe8d00b274f3b3fecd19
SHA1:0fcd715c7844c033afb261fdcf18837d14b24cf6
SHA256:f1ddc5731c1cddc1a7fcba1fd34df63f8fa60d5d2ad1210c02893faec6f3b600
Tags:elf, user-abuse_ch

Detection

Score:68
Range:0 - 100
Whitelisted:false

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for sample
Sends malformed DNS queries
Detected TCP or UDP traffic on non-standard ports
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Yara signature match

Classification

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1580171
Start date and time:2024-12-24 03:39:16 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 39s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:zerx86.elf
Detection:MAL
Classification:mal68.troj.linELF@0/0@11/0
Warnings:
  • VirusTotal (VT) rate limit hit for: serisbot.geek. [malformed]
Command:/tmp/zerx86.elf
PID:5518
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
The Peoples Bank of China.
Standard Error:
Process tree:
  • system is lnxubuntu20
  • zerx86.elf (PID: 5518, Parent: 5435, MD5: 8f88d9001a0bbe8d00b274f3b3fecd19) Arguments: /tmp/zerx86.elf
  • cleanup
Yara matches on the submitted file (Source / Rule / Description / Author / Strings):

Source: zerx86.elf  Rule: Linux_Trojan_Mirai_b14f4c5d  Description: unknown  Author: unknown
  • 0x4730:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
Source: zerx86.elf  Rule: Linux_Trojan_Mirai_88de437f  Description: unknown  Author: unknown
  • 0x6e62:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
Source: zerx86.elf  Rule: Linux_Trojan_Mirai_cc93863b  Description: unknown  Author: unknown
  • 0x77e5:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
Source: zerx86.elf  Rule: Linux_Trojan_Mirai_8aa7b5d3  Description: unknown  Author: unknown
  • 0x6e32:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88

Yara matches in process memory (Source / Rule / Description / Author / Strings):

Source: 5518.1.0000000008048000.0000000008053000.r-x.sdmp  Rule: Linux_Trojan_Mirai_b14f4c5d  Description: unknown  Author: unknown
  • 0x4730:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
Source: 5518.1.0000000008048000.0000000008053000.r-x.sdmp  Rule: Linux_Trojan_Mirai_88de437f  Description: unknown  Author: unknown
  • 0x6e62:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
Source: 5518.1.0000000008048000.0000000008053000.r-x.sdmp  Rule: Linux_Trojan_Mirai_cc93863b  Description: unknown  Author: unknown
  • 0x77e5:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
Source: 5518.1.0000000008048000.0000000008053000.r-x.sdmp  Rule: Linux_Trojan_Mirai_8aa7b5d3  Description: unknown  Author: unknown
  • 0x6e32:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88

All four strings sit at the same offsets in the file and in the r-x memory dump of PID 5518. The dump starts at 0x08048000, which is the virtual address the first LOAD segment maps file offset 0 to, so identical offsets mean the code executing in memory is the code in the file: nothing was unpacked or rewritten at runtime. All four offsets also fall inside .text (file offsets 0xb0 to 0x9a36 in the section table).
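The four rule strings above are plain hex byte sequences, so a hit can be reproduced and placed in the binary's layout without running yara. The Python below is an added example; it is not part of the Joe Sandbox report and not Elastic's rule code. It compiles a YARA-style hex string (including `??` wildcards, which the rules above do not use but Elastic's rules commonly do) into a bytes regex, scans a buffer, maps each file offset to a virtual address through the first LOAD segment from the program header table (file offset 0 at 0x08048000) and checks whether the hit lies in .text (file offsets 0xb0 to 0x9a36 in the section table). The buffer it scans is a constructed, zero-filled 42,612-byte stand-in with the rule bytes planted at the offsets the report gives; it is not the sample.

```python
"""Reproduce the reported Elastic rule-string hits and place them in the ELF layout."""
import re

# Hex strings as printed in the report's Yara section, keyed by rule name.
RULE_STRINGS = {
    "Linux_Trojan_Mirai_b14f4c5d": "53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 "
                                   "25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3",
    "Linux_Trojan_Mirai_88de437f": "24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0",
    "Linux_Trojan_Mirai_cc93863b": "C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08",
    "Linux_Trojan_Mirai_8aa7b5d3": "8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88",
}
# File offsets the report gives for each $a string.
REPORTED_OFFSETS = {
    "Linux_Trojan_Mirai_b14f4c5d": 0x4730,
    "Linux_Trojan_Mirai_88de437f": 0x6e62,
    "Linux_Trojan_Mirai_cc93863b": 0x77e5,
    "Linux_Trojan_Mirai_8aa7b5d3": 0x6e32,
}
# Layout taken from the report's section and program header tables.
TEXT_FILE_RANGE = (0xb0, 0xb0 + 0x9986)          # .text: offset 0xb0, size 0x9986
LOAD0_VADDR, LOAD0_FILE_OFFSET = 0x08048000, 0x0  # first LOAD segment (R E)
FILE_SIZE = 42612


def hex_string_to_regex(pattern):
    """Compile a YARA-style hex string ('8B 4C ?? 24') into a bytes regex; '??' matches any byte."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"unsupported hex-string token {tok!r}")
    return re.compile(b"".join(parts), re.DOTALL)


def find_hex(data, pattern):
    """All file offsets at which the hex string occurs."""
    return [m.start() for m in hex_string_to_regex(pattern).finditer(data)]


def file_offset_to_va(offset):
    """Map a file offset inside the first LOAD segment to its virtual address."""
    return LOAD0_VADDR + (offset - LOAD0_FILE_OFFSET)


def in_text(offset):
    return TEXT_FILE_RANGE[0] <= offset < TEXT_FILE_RANGE[1]


def verify(data):
    """For every rule string: list of (file offset, virtual address, lands in .text)."""
    return {name: [(off, file_offset_to_va(off), in_text(off)) for off in find_hex(data, pat)]
            for name, pat in RULE_STRINGS.items()}


def build_stand_in():
    """Constructed stand-in for zerx86.elf (NOT the sample): zero-filled, same size,
    with the rule bytes planted at the offsets the report lists."""
    img = bytearray(FILE_SIZE)
    for name, pat in RULE_STRINGS.items():
        blob = bytes.fromhex(pat)  # bytes.fromhex ignores the spaces
        off = REPORTED_OFFSETS[name]
        img[off:off + len(blob)] = blob
    return bytes(img)


if __name__ == "__main__":
    for name, hits in verify(build_stand_in()).items():
        for off, va, text in hits:
            print(f"{name}: file 0x{off:x} -> VA 0x{va:x} ({'.text' if text else 'outside .text'})")
```

Run against the real file, `verify(open("zerx86.elf", "rb").read())` should return exactly the offsets in the report, each mapped into .text; because the r-x dump of PID 5518 begins at 0x08048000, subtracting that base from the virtual address gives the offset inside the dump, which is why the memory matches above carry the same numbers.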
No Suricata rule has matched

AV Detection

Source: zerx86.elf | ReversingLabs: Detection: 39%
Source: zerx86.elf | Joe Sandbox ML: detected

Networking

Source: global traffic | TCP traffic: 154.216.16.244 ports 38241,1,2,3,4,8
Source: global traffic | TCP traffic: 154.216.16.250 ports 38241,1,2,3,4,8
Source: global traffic | TCP traffic: 209.38.192.73 ports 38241,1,2,3,4,8
(Only port 38241 appears for these three hosts in the TCP packet table further down; the low ports behind the port-scanning signature are not visible there.)
Source: global traffic | DNS traffic detected: malformed DNS query: serisbot.geek. [malformed]
Source: global traffic | TCP traffic: 192.168.2.14:37086 -> 209.38.192.73:38241
Source: global traffic | TCP traffic: 192.168.2.14:49644 -> 154.216.16.244:38241
Source: global traffic | TCP traffic: 192.168.2.14:38410 -> 154.216.16.250:38241
Source: unknown | UDP traffic detected without corresponding DNS query: 51.158.108.203 (2x), 168.235.111.72 (4x), 152.53.15.127, 202.61.197.122 (2x), 194.36.144.87, 185.181.61.24
(These eleven events are the sample's own DNS queries: the UDP and DNS tables below show it sending them on UDP/53 straight to these hosts, switching resolver almost every query, rather than through a single configured resolver.)
Source: global traffic | DNS traffic detected: DNS query: serisbot.geek
Source: global traffic | DNS traffic detected: DNS query: serisontop.dyn
Source: global traffic | DNS traffic detected: DNS query: serisbot.geek. [malformed]

System Summary

Source: zerx86.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_b14f4c5d, Author: unknown
Source: zerx86.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_88de437f, Author: unknown
Source: zerx86.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_cc93863b, Author: unknown
Source: zerx86.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_8aa7b5d3, Author: unknown
Source: 5518.1.0000000008048000.0000000008053000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_b14f4c5d, Author: unknown
Source: 5518.1.0000000008048000.0000000008053000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_88de437f, Author: unknown
Source: 5518.1.0000000008048000.0000000008053000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_cc93863b, Author: unknown
Source: 5518.1.0000000008048000.0000000008053000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_8aa7b5d3, Author: unknown
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne >> > .dPon521rootZte521root621vizxvoelinux123wabjtamZxic521tsgoingon123456xc3511solokeydefaulthkipc2016unisheenFireituphslwificam5upjvbzdsystemzlxx.antslqxc12345xmhdipcicatch99founder88xirtam/*6.=_jat0talc0ntr0l4!7ujMko0adminjuantechipc71aroot12320080826admin123admin1234admin@123BrAhMoS@15GeNeXiS@19supportadmintelnetadminadmintelecomtelecomadminguestftpusernobodydaemon1cDuLJ7ctlJwpbo6S2fGqNFsOxhlwSG8tluafedbin20150602vstarcam2015supporte8ehomee8telnetarmarm5arm6arm7mipsmpslppcspcsh4knfggvgfchinj.catqerkwmlvop.dxnqerkw`mv.geejqerkwpgr.libseVhe"Tgmrles Cank of Bihoa/VSowvag"Engioe Query-prmg--exg-fd-cmfhklg-prmg-'f/exepebmkvdtpugev-bil+nmein/proc/net/tcp
(The text after the busybox command is a run of adjacent strings, printed without separators: a default-credential list of the kind Mirai-family telnet scanners use (root, vizxv, xc3511, 7ujMko0admin, juantech, support, telnetadmin and the like), the architecture names arm, arm5, arm6, arm7, mips, mpsl, ppc, spc and sh4, and the path /proc/net/tcp.)
Source: ELF static info symbol of initial sample | .symtab present: no
Source: zerx86.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_b14f4c5d | os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: zerx86.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_88de437f | reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: zerx86.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_cc93863b | reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: zerx86.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_8aa7b5d3 | reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 5518.1.0000000008048000.0000000008053000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_b14f4c5d | os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 5518.1.0000000008048000.0000000008053000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_88de437f | reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 5518.1.0000000008048000.0000000008053000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_cc93863b | reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 5518.1.0000000008048000.0000000008053000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_8aa7b5d3 | reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: classification engine | Classification label: mal68.troj.linELF@0/0@11/0
MITRE ATT&CK matrix, matched techniques (the other cells of the exported matrix are unmatched template entries and are omitted):
  • Command and Control: Non-Standard Port (1), Non-Application Layer Protocol (1), Application Layer Protocol (1)
No configs have been found
Antivirus scanner results (Source / Detection / Scanner / Label):
zerx86.elf   39%   ReversingLabs    Linux.Backdoor.Mirai
zerx86.elf   100%  Joe Sandbox ML
No Antivirus matches in the other scanner tables
Domains (Name / IP / Active / Malicious / Antivirus Detection / Reputation):
serisontop.dyn              209.38.192.73   active: true     malicious: false   reputation: high
serisbot.geek               209.38.192.73   active: true     malicious: false   reputation: high
serisbot.geek. [malformed]  unknown         active: unknown  malicious: true    reputation: unknown
IPs (IP / Domain / Country / ASN / ASN Name / Malicious):
154.216.16.244  unknown         Seychelles     135357  SKHT-AS Shenzhen Katherine Heng Technology Information Co  true
154.216.16.250  unknown         Seychelles     135357  SKHT-AS Shenzhen Katherine Heng Technology Information Co  true
209.38.192.73   serisontop.dyn  United States  7018    ATT-INTERNET4, US                                          false
Domain context, other analyses that contacted the same domains (Match / Associated Sample Name / Detection / Threat Name / IP):
serisontop.dyn  jklmpsl.elf  malicious  Unknown  209.38.192.73
serisontop.dyn  arm5.elf     malicious  Unknown  209.38.192.73
serisontop.dyn  nabarm5.elf  malicious  Unknown  154.216.16.244
serisontop.dyn  nklx86.elf   malicious  Unknown  154.216.16.250
serisontop.dyn  sh4.elf      malicious  Unknown  209.38.192.73
serisontop.dyn  nklppc.elf   malicious  Unknown  154.216.16.244
serisontop.dyn  nklmips.elf  malicious  Unknown  154.216.16.244
serisbot.geek   nklppc.elf   malicious  Unknown  209.38.192.73

ASN context for 135357 SKHT-AS Shenzhen Katherine Heng Technology Information Co, shared by 154.216.16.244 and 154.216.16.250; the report lists the same ten entries under each IP (Associated Sample Name / Detection / Threat Name / IP):
x86_32.nn.elf              malicious  Okiru             154.216.19.139
arm7.nn-20241224-0051.elf  malicious  Mirai, Okiru      154.216.19.139
sparc.nn.elf               malicious  Okiru             154.216.19.139
arm5.nn-20241224-0050.elf  malicious  Okiru             154.216.19.139
arm.nn-20241224-0050.elf   malicious  Okiru             154.216.19.139
mipsel.nn.elf              malicious  Okiru             154.216.19.139
powerpc.nn.elf             malicious  Okiru             154.216.19.139
Iuv2tI4JHh.exe             malicious  RHADAMANTHYS      154.216.18.146
byte.x86.elf               malicious  Mirai, Okiru      154.216.19.138
Brooming.vbs               malicious  Remcos, GuLoader  154.216.20.209

No context in the remaining categories.
        No created / dropped files found
        File type:ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
        Entropy (8bit):6.353277651482587
        TrID:
        • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
        • ELF Executable and Linkable format (generic) (4004/1) 49.84%
        File name:zerx86.elf
        File size:42'612 bytes
        MD5:8f88d9001a0bbe8d00b274f3b3fecd19
        SHA1:0fcd715c7844c033afb261fdcf18837d14b24cf6
        SHA256:f1ddc5731c1cddc1a7fcba1fd34df63f8fa60d5d2ad1210c02893faec6f3b600
        SHA512:5820a4424f6b85e0077dc684fada861a598c87c4ef4da2b696729febc69cc61fb7743f2100832f9b5a2950a3fcdda7709f039ab4e50cd3f7a0bbaf07ce30dab0
        SSDEEP:768:+8g87pqsbxzynf8l2j9WF05Yp8ZAfMG4Jlu6Myl:+8g87pqsbxzy0ogFNf54JldMyl
        TLSH:CC133AC9E803E9F4DC126671287BF333BB76F0751129FD5BD355A936B882600960B6AC
        File Content Preview:.ELF....................d...4...........4. ...(..............................................3...3......|...........Q.td............................U..S.......[....h....c...[]...$.............U......=.4...t..5.....4......4......u........t....h.#..........

        ELF header

        Class:ELF32
        Data:2's complement, little endian
        Version:1 (current)
        Machine:Intel 80386
        Version Number:0x1
        Type:EXEC (Executable file)
        OS/ABI:UNIX - System V
        ABI Version:0
        Entry Point Address:0x8048164
        Flags:0x0
        ELF Header Size:52
        Program Header Offset:52
        Program Header Size:32
        Number of Program Headers:3
        Section Header Offset:42172
        Section Header Size:40
        Number of Section Headers:11
        Header String Table Index:10
Section headers (Name / Type / Address / Offset / Size / EntSize / Flags / Flags Description / Link / Info / Align):
(null)     NULL      0x0        0x0     0x0     0x0  0x0  -   0  0  0
.init      PROGBITS  0x8048094  0x94    0x1c    0x0  0x6  AX  0  0  1
.text      PROGBITS  0x80480b0  0xb0    0x9986  0x0  0x6  AX  0  0  16
.fini      PROGBITS  0x8051a36  0x9a36  0x17    0x0  0x6  AX  0  0  1
.rodata    PROGBITS  0x8051a60  0x9a60  0x980   0x0  0x2  A   0  0  32
.ctors     PROGBITS  0x80533e4  0xa3e4  0x8     0x0  0x3  WA  0  0  4
.dtors     PROGBITS  0x80533ec  0xa3ec  0x8     0x0  0x3  WA  0  0  4
.jcr       PROGBITS  0x80533f4  0xa3f4  0x4     0x0  0x3  WA  0  0  4
.data      PROGBITS  0x8053404  0xa404  0x74    0x0  0x3  WA  0  0  4
.bss       NOBITS    0x8053480  0xa478  0x4e0   0x0  0x3  WA  0  0  32
.shstrtab  STRTAB    0x0        0xa478  0x43    0x0  0x0  -   0  0  1
Program headers (Type / Offset / Virtual Address / Physical Address / File Size / Memory Size / Entropy / Flags / Flags Description / Align / Prog Interpreter / Section Mappings):
LOAD       0x0     0x8048000  0x8048000  0xa3e0  0xa3e0  6.3858  0x5  R E  0x1000  -  .init .text .fini .rodata
LOAD       0xa3e4  0x80533e4  0x80533e4  0x94    0x57c   1.6832  0x6  RW   0x1000  -  .ctors .dtors .jcr .data .bss
GNU_STACK  0x0     0x0        0x0        0x0     0x0     0.0000  0x6  RW   0x4     -  -

There is no INTERP entry, as expected for a statically linked binary. The stack is marked RW only, so it is not executable, and no LOAD segment is both writable and executable: the code segment is R E and the data segment RW. The entry point 0x8048164 lies inside the first LOAD segment, which spans 0x8048000 to 0x80523e0.
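The ELF header and program header tables above, together with the "Sample has stripped symbol table" signature, can be verified with a few lines of struct parsing instead of trusting the report. The Python below is an added example, not part of the Joe Sandbox report: it reads a little-endian ELF32 header, its program headers and the section header types and derives the facts behind the report's description, namely no PT_INTERP (static), no SHT_SYMTAB (stripped), PT_GNU_STACK without X, no writable-and-executable LOAD segment, and an entry point inside a LOAD segment. The image it runs on is constructed from the values in the tables (entry 0x8048164, the three program headers, plus a short section table without .symtab whose offset differs from the report's); it is not the sample's bytes.

```python
"""Static triage of an ELF32 image from its headers alone."""
import struct

PT_LOAD, PT_INTERP, PT_GNU_STACK = 1, 3, 0x6474E551
SHT_SYMTAB = 2
PF_X, PF_W, PF_R = 1, 2, 4
ET_EXEC, ET_DYN, EM_386 = 2, 3, 3


def perms(flags):
    return ("R" if flags & PF_R else "-") + ("W" if flags & PF_W else "-") + ("X" if flags & PF_X else "-")


def triage_elf32(data):
    """Parse a little-endian ELF32 header, program headers and section header types and return
    the facts behind 'statically linked, stripped' plus the segment permissions."""
    if data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:
        raise ValueError("not a little-endian ELF32 image")
    (e_type, e_machine, _ver, e_entry, e_phoff, e_shoff, _flags, _ehsize,
     e_phentsize, e_phnum, e_shentsize, e_shnum, _shstrndx) = struct.unpack_from("<HHIIIIIHHHHHH", data, 16)
    segments = []
    for i in range(e_phnum):
        p_type, _off, p_vaddr, _paddr, p_filesz, p_memsz, p_flags, _align = \
            struct.unpack_from("<IIIIIIII", data, e_phoff + i * e_phentsize)
        segments.append((p_type, p_vaddr, p_filesz, p_memsz, p_flags))
    # Only sh_type is needed to answer "is there a symbol table?"
    section_types = [struct.unpack_from("<II", data, e_shoff + i * e_shentsize)[1] for i in range(e_shnum)]
    loads = [s for s in segments if s[0] == PT_LOAD]
    gnu_stack = [s for s in segments if s[0] == PT_GNU_STACK]
    return {
        "machine": e_machine,
        "pie": e_type == ET_DYN,
        "entry": e_entry,
        "entry_in_load": any(v <= e_entry < v + memsz for _, v, _, memsz, _ in loads),
        "static": not any(s[0] == PT_INTERP for s in segments),
        "stripped": SHT_SYMTAB not in section_types,
        # A missing PT_GNU_STACK gives an executable stack on x86 Linux, so absence counts as executable.
        "exec_stack": not gnu_stack or bool(gnu_stack[0][4] & PF_X),
        "wx_segments": [hex(v) for _, v, _, _, f in loads if f & PF_W and f & PF_X],
        "load_perms": [(hex(v), perms(f)) for _, v, _, _, f in loads],
    }


def build_constructed_image():
    """Constructed ELF32 image (NOT the sample's bytes) carrying the header and program-header values
    the report lists for zerx86.elf and a three-entry section table without .symtab."""
    phdrs = [
        (PT_LOAD, 0x0, 0x08048000, 0x08048000, 0xa3e0, 0xa3e0, PF_R | PF_X, 0x1000),
        (PT_LOAD, 0xa3e4, 0x080533e4, 0x080533e4, 0x94, 0x57c, PF_R | PF_W, 0x1000),
        (PT_GNU_STACK, 0, 0, 0, 0, 0, PF_R | PF_W, 0x4),
    ]
    shdrs = [
        (0,) * 10,                                           # NULL
        (1, 1, 0x6, 0x080480b0, 0xb0, 0x9986, 0, 0, 16, 0),  # .text  PROGBITS AX
        (7, 3, 0x0, 0x0, 0xa478, 0x43, 0, 0, 1, 0),          # .shstrtab STRTAB
    ]
    phoff, shoff = 52, 52 + 32 * len(phdrs)
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS32, little endian, version 1, SYSV
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", ET_EXEC, EM_386, 1, 0x08048164, phoff, shoff,
                               0, 52, 32, len(phdrs), 40, len(shdrs), 2)
    body = b"".join(struct.pack("<IIIIIIII", *p) for p in phdrs)
    body += b"".join(struct.pack("<IIIIIIIIII", *s) for s in shdrs)
    return ehdr + body


if __name__ == "__main__":
    for key, value in triage_elf32(build_constructed_image()).items():
        print(f"{key:14} {value}")
```

On the real file, `triage_elf32(open("zerx86.elf", "rb").read())` reads the section table at offset 42172 and should report the same five facts; `readelf -lS zerx86.elf` is the quick cross-check.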
TCP packets (Timestamp / Source Port / Dest Port / Source IP / Dest IP):
Dec 24, 2024 03:40:15.707021952 CET  37086  38241  192.168.2.14    209.38.192.73
Dec 24, 2024 03:40:15.826596975 CET  38241  37086  209.38.192.73   192.168.2.14
Dec 24, 2024 03:40:15.826673031 CET  37086  38241  192.168.2.14    209.38.192.73
Dec 24, 2024 03:40:15.826733112 CET  37086  38241  192.168.2.14    209.38.192.73
Dec 24, 2024 03:40:15.946295023 CET  38241  37086  209.38.192.73   192.168.2.14
Dec 24, 2024 03:40:15.946363926 CET  37086  38241  192.168.2.14    209.38.192.73
Dec 24, 2024 03:40:16.065892935 CET  38241  37086  209.38.192.73   192.168.2.14
Dec 24, 2024 03:40:25.828768015 CET  37086  38241  192.168.2.14    209.38.192.73
Dec 24, 2024 03:40:25.948913097 CET  38241  37086  209.38.192.73   192.168.2.14
Dec 24, 2024 03:40:26.254693985 CET  38241  37086  209.38.192.73   192.168.2.14
Dec 24, 2024 03:40:26.254786015 CET  37086  38241  192.168.2.14    209.38.192.73
Dec 24, 2024 03:40:26.374480009 CET  38241  37086  209.38.192.73   192.168.2.14
Dec 24, 2024 03:40:27.499219894 CET  37088  38241  192.168.2.14    209.38.192.73
Dec 24, 2024 03:40:27.618699074 CET  38241  37088  209.38.192.73   192.168.2.14
Dec 24, 2024 03:40:27.618869066 CET  37088  38241  192.168.2.14    209.38.192.73
Dec 24, 2024 03:40:27.618942022 CET  37088  38241  192.168.2.14    209.38.192.73
Dec 24, 2024 03:40:27.739420891 CET  38241  37088  209.38.192.73   192.168.2.14
Dec 24, 2024 03:40:27.739573956 CET  37088  38241  192.168.2.14    209.38.192.73
Dec 24, 2024 03:40:27.859163046 CET  38241  37088  209.38.192.73   192.168.2.14
Dec 24, 2024 03:40:38.731847048 CET  38241  37088  209.38.192.73   192.168.2.14
Dec 24, 2024 03:40:38.732368946 CET  37088  38241  192.168.2.14    209.38.192.73
Dec 24, 2024 03:40:38.851918936 CET  38241  37088  209.38.192.73   192.168.2.14
Dec 24, 2024 03:40:40.044503927 CET  37090  38241  192.168.2.14    209.38.192.73
Dec 24, 2024 03:40:40.164413929 CET  38241  37090  209.38.192.73   192.168.2.14
Dec 24, 2024 03:40:40.164588928 CET  37090  38241  192.168.2.14    209.38.192.73
Dec 24, 2024 03:40:40.164786100 CET  37090  38241  192.168.2.14    209.38.192.73
Dec 24, 2024 03:40:40.284452915 CET  38241  37090  209.38.192.73   192.168.2.14
Dec 24, 2024 03:40:40.284760952 CET  37090  38241  192.168.2.14    209.38.192.73
Dec 24, 2024 03:40:40.404408932 CET  38241  37090  209.38.192.73   192.168.2.14
Dec 24, 2024 03:40:51.278106928 CET  38241  37090  209.38.192.73   192.168.2.14
Dec 24, 2024 03:40:51.278386116 CET  37090  38241  192.168.2.14    209.38.192.73
Dec 24, 2024 03:40:51.398015976 CET  38241  37090  209.38.192.73   192.168.2.14
Dec 24, 2024 03:40:52.593699932 CET  49644  38241  192.168.2.14    154.216.16.244
Dec 24, 2024 03:40:52.713335037 CET  38241  49644  154.216.16.244  192.168.2.14
Dec 24, 2024 03:40:52.713509083 CET  49644  38241  192.168.2.14    154.216.16.244
Dec 24, 2024 03:40:52.713532925 CET  49644  38241  192.168.2.14    154.216.16.244
Dec 24, 2024 03:40:52.833044052 CET  38241  49644  154.216.16.244  192.168.2.14
Dec 24, 2024 03:40:52.833209991 CET  49644  38241  192.168.2.14    154.216.16.244
Dec 24, 2024 03:40:52.952728987 CET  38241  49644  154.216.16.244  192.168.2.14
Dec 24, 2024 03:41:03.815999031 CET  38241  49644  154.216.16.244  192.168.2.14
Dec 24, 2024 03:41:03.816271067 CET  49644  38241  192.168.2.14    154.216.16.244
Dec 24, 2024 03:41:03.937113047 CET  38241  49644  154.216.16.244  192.168.2.14
Dec 24, 2024 03:41:05.128772974 CET  49646  38241  192.168.2.14    154.216.16.244
Dec 24, 2024 03:41:05.248425007 CET  38241  49646  154.216.16.244  192.168.2.14
Dec 24, 2024 03:41:05.248528957 CET  49646  38241  192.168.2.14    154.216.16.244
Dec 24, 2024 03:41:05.248580933 CET  49646  38241  192.168.2.14    154.216.16.244
Dec 24, 2024 03:41:05.368187904 CET  38241  49646  154.216.16.244  192.168.2.14
Dec 24, 2024 03:41:05.368303061 CET  49646  38241  192.168.2.14    154.216.16.244
Dec 24, 2024 03:41:05.488009930 CET  38241  49646  154.216.16.244  192.168.2.14
Dec 24, 2024 03:41:16.355853081 CET  38241  49646  154.216.16.244  192.168.2.14
Dec 24, 2024 03:41:16.356234074 CET  49646  38241  192.168.2.14    154.216.16.244
Dec 24, 2024 03:41:16.477695942 CET  38241  49646  154.216.16.244  192.168.2.14
Dec 24, 2024 03:41:17.602617979 CET  49648  38241  192.168.2.14    154.216.16.244
Dec 24, 2024 03:41:17.722440004 CET  38241  49648  154.216.16.244  192.168.2.14
Dec 24, 2024 03:41:17.722600937 CET  49648  38241  192.168.2.14    154.216.16.244
Dec 24, 2024 03:41:17.722703934 CET  49648  38241  192.168.2.14    154.216.16.244
Dec 24,2024 03:41:17.842442989 CET  38241  49648  154.216.16.244  192.168.2.14
Dec 24, 2024 03:41:17.842782974 CET  49648  38241  192.168.2.14    154.216.16.244
Dec 24, 2024 03:41:17.962795019 CET  38241  49648  154.216.16.244  192.168.2.14
Dec 24, 2024 03:41:28.828253031 CET  38241  49648  154.216.16.244  192.168.2.14
Dec 24, 2024 03:41:28.828388929 CET  49648  38241  192.168.2.14    154.216.16.244
Dec 24, 2024 03:41:28.948724031 CET  38241  49648  154.216.16.244  192.168.2.14
Dec 24, 2024 03:41:30.071809053 CET  38410  38241  192.168.2.14    154.216.16.250
Dec 24, 2024 03:41:30.191498041 CET  38241  38410  154.216.16.250  192.168.2.14
Dec 24, 2024 03:41:30.191746950 CET  38410  38241  192.168.2.14    154.216.16.250
Dec 24, 2024 03:41:30.191907883 CET  38410  38241  192.168.2.14    154.216.16.250
Dec 24, 2024 03:41:30.311503887 CET  38241  38410  154.216.16.250  192.168.2.14
Dec 24, 2024 03:41:30.311661959 CET  38410  38241  192.168.2.14    154.216.16.250
Dec 24, 2024 03:41:30.431267023 CET  38241  38410  154.216.16.250  192.168.2.14
Dec 24, 2024 03:41:40.201770067 CET  38410  38241  192.168.2.14    154.216.16.250
Dec 24, 2024 03:41:40.321531057 CET  38241  38410  154.216.16.250  192.168.2.14
Dec 24, 2024 03:41:40.622725964 CET  38241  38410  154.216.16.250  192.168.2.14
Dec 24, 2024 03:41:40.622838020 CET  38410  38241  192.168.2.14    154.216.16.250
Dec 24, 2024 03:41:40.742496967 CET  38241  38410  154.216.16.250  192.168.2.14
Dec 24, 2024 03:41:41.874629021 CET  38412  38241  192.168.2.14    154.216.16.250
Dec 24, 2024 03:41:41.994424105 CET  38241  38412  154.216.16.250  192.168.2.14
Dec 24, 2024 03:41:41.994816065 CET  38412  38241  192.168.2.14    154.216.16.250
Dec 24, 2024 03:41:41.994817019 CET  38412  38241  192.168.2.14    154.216.16.250
Dec 24, 2024 03:41:42.115200996 CET  38241  38412  154.216.16.250  192.168.2.14
Dec 24, 2024 03:41:42.115374088 CET  38412  38241  192.168.2.14    154.216.16.250
Dec 24, 2024 03:41:42.235225916 CET  38241  38412  154.216.16.250  192.168.2.14
Dec 24, 2024 03:41:53.102047920 CET  38241  38412  154.216.16.250  192.168.2.14
Dec 24, 2024 03:41:53.102233887 CET  38412  38241  192.168.2.14    154.216.16.250
Dec 24, 2024 03:41:53.221821070 CET  38241  38412  154.216.16.250  192.168.2.14
Dec 24, 2024 03:41:54.406941891 CET  38414  38241  192.168.2.14    154.216.16.250
Dec 24, 2024 03:41:54.526494980 CET  38241  38414  154.216.16.250  192.168.2.14
Dec 24, 2024 03:41:54.526793003 CET  38414  38241  192.168.2.14    154.216.16.250
Dec 24, 2024 03:41:54.527031898 CET  38414  38241  192.168.2.14    154.216.16.250
Dec 24, 2024 03:41:54.646495104 CET  38241  38414  154.216.16.250  192.168.2.14
Dec 24, 2024 03:41:54.646606922 CET  38414  38241  192.168.2.14    154.216.16.250
Dec 24, 2024 03:41:54.766129017 CET  38241  38414  154.216.16.250  192.168.2.14
Dec 24, 2024 03:42:05.646851063 CET  38241  38414  154.216.16.250  192.168.2.14
Dec 24, 2024 03:42:05.647031069 CET  38414  38241  192.168.2.14    154.216.16.250
Dec 24, 2024 03:42:05.766848087 CET  38241  38414  154.216.16.250  192.168.2.14
Dec 24, 2024 03:42:06.897608995 CET  38416  38241  192.168.2.14    154.216.16.250
Dec 24, 2024 03:42:07.017225981 CET  38241  38416  154.216.16.250  192.168.2.14
Dec 24, 2024 03:42:07.017369986 CET  38416  38241  192.168.2.14    154.216.16.250
Dec 24, 2024 03:42:07.017419100 CET  38416  38241  192.168.2.14    154.216.16.250
Dec 24, 2024 03:42:07.137196064 CET  38241  38416  154.216.16.250  192.168.2.14
Dec 24, 2024 03:42:07.137319088 CET  38416  38241  192.168.2.14    154.216.16.250
Dec 24, 2024 03:42:07.257107019 CET  38241  38416  154.216.16.250  192.168.2.14
Dec 24, 2024 03:42:18.123908043 CET  38241  38416  154.216.16.250  192.168.2.14
Dec 24, 2024 03:42:18.124047041 CET  38416  38241  192.168.2.14    154.216.16.250
Dec 24, 2024 03:42:18.243674994 CET  38241  38416  154.216.16.250  192.168.2.14
Dec 24, 2024 03:42:19.395340919 CET  37106  38241  192.168.2.14    209.38.192.73

Eleven outbound sessions, one per client source port (37086, 37088, 37090, 49644, 49646, 49648, 38410, 38412, 38414, 38416, 37106), all to port 38241. Each opens right after a DNS answer for one of the two domains, exchanges a few packets, stays idle for roughly ten seconds and is then closed, and the next session starts about 12.5 seconds after the previous one (gaps between 11.8 and 12.6 seconds). The destination rotates over the three addresses in the DNS answers, so a per-IP view shows only three or four sessions per host.
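The TCP table shows a beacon that is easy to miss when traffic is grouped by destination IP, because both domains resolve to the same rotating set of three addresses and each host receives only three or four of the eleven sessions. The Python below is an added example, not from the report or the sample: it takes client-initiated packets (the first packet of each source port, transcribed from the table above, plus two server replies included to show they are ignored), derives the start time of every outbound session and measures how regular the gaps are, first keyed by destination IP and port and then by destination port alone. The minimum of five sessions and the coefficient-of-variation threshold of 0.1 are assumptions for the example, not values from the report.

```python
"""Beacon regularity over the report's outbound TCP sessions."""
import statistics

ANALYSIS_HOST = "192.168.2.14"

# Transcribed from the report's TCP table: the first packet of every source port the analysis host
# used (one per outbound session) plus two server replies, included to show that they are ignored.
# Columns: time (CET) / source port / dest port / source IP / dest IP.
PACKETS = """\
03:40:15.707021952 37086 38241 192.168.2.14 209.38.192.73
03:40:15.826596975 38241 37086 209.38.192.73 192.168.2.14
03:40:27.499219894 37088 38241 192.168.2.14 209.38.192.73
03:40:40.044503927 37090 38241 192.168.2.14 209.38.192.73
03:40:52.593699932 49644 38241 192.168.2.14 154.216.16.244
03:40:52.713335037 38241 49644 154.216.16.244 192.168.2.14
03:41:05.128772974 49646 38241 192.168.2.14 154.216.16.244
03:41:17.602617979 49648 38241 192.168.2.14 154.216.16.244
03:41:30.071809053 38410 38241 192.168.2.14 154.216.16.250
03:41:41.874629021 38412 38241 192.168.2.14 154.216.16.250
03:41:54.406941891 38414 38241 192.168.2.14 154.216.16.250
03:42:06.897608995 38416 38241 192.168.2.14 154.216.16.250
03:42:19.395340919 37106 38241 192.168.2.14 209.38.192.73
"""


def parse_packets(text):
    """(seconds since midnight, src ip, src port, dst ip, dst port) per line."""
    rows = []
    for line in text.splitlines():
        ts, sport, dport, sip, dip = line.split()
        h, m, s = ts.split(":")
        rows.append((int(h) * 3600 + int(m) * 60 + float(s), sip, int(sport), dip, int(dport)))
    return rows


def session_starts(rows, host=ANALYSIS_HOST):
    """Start time of each outbound session: the first packet seen for every client-side 4-tuple."""
    first = {}
    for t, sip, sport, dip, dport in sorted(rows):
        if sip == host:
            first.setdefault((sip, sport, dip, dport), t)
    return sorted((t, dip, dport) for (_, _, dip, dport), t in first.items())


def beacon_stats(starts, key_fn, min_sessions=5):
    """Group sessions by key_fn(dst_ip, dst_port); for groups with at least min_sessions return
    {key: (sessions, mean gap in seconds, coefficient of variation of the gaps)}."""
    groups = {}
    for t, dip, dport in starts:
        groups.setdefault(key_fn(dip, dport), []).append(t)
    stats = {}
    for key, times in groups.items():
        if len(times) < min_sessions:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        stats[key] = (len(times), mean, statistics.pstdev(gaps) / mean)
    return stats


def flag_beacons(stats, max_cv=0.1):
    """Keys whose gaps are regular enough to call periodic (assumed threshold: CV <= 0.1)."""
    return {k: v for k, v in stats.items() if v[2] <= max_cv}


if __name__ == "__main__":
    starts = session_starts(parse_packets(PACKETS))
    print("per IP and port:", flag_beacons(beacon_stats(starts, lambda ip, port: (ip, port))))
    print("per port:       ", flag_beacons(beacon_stats(starts, lambda ip, port: port)))
```

Keyed by IP and port nothing reaches the five-session threshold; keyed by port, the eleven sessions to 38241 have a mean gap of about 12.4 seconds with a coefficient of variation near 0.02. In a real pipeline the second key would normally be the domain the connection was resolved from, which is what ties the three addresses together here.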
UDP packets (Timestamp / Source Port / Dest Port / Source IP / Dest IP):
Dec 24, 2024 03:40:15.467221975 CET  59175  53     192.168.2.14    51.158.108.203
Dec 24, 2024 03:40:15.706895113 CET  53     59175  51.158.108.203  192.168.2.14
Dec 24, 2024 03:40:27.256365061 CET  47537  53     192.168.2.14    51.158.108.203
Dec 24, 2024 03:40:27.499084949 CET  53     47537  51.158.108.203  192.168.2.14
Dec 24, 2024 03:40:39.734270096 CET  58351  53     192.168.2.14    168.235.111.72
Dec 24, 2024 03:40:40.044171095 CET  53     58351  168.235.111.72  192.168.2.14
Dec 24, 2024 03:40:52.280029058 CET  45572  53     192.168.2.14    168.235.111.72
Dec 24, 2024 03:40:52.593579054 CET  53     45572  168.235.111.72  192.168.2.14
Dec 24, 2024 03:41:04.818027973 CET  48701  53     192.168.2.14    168.235.111.72
Dec 24, 2024 03:41:05.128632069 CET  53     48701  168.235.111.72  192.168.2.14
Dec 24, 2024 03:41:17.358886003 CET  33455  53     192.168.2.14    152.53.15.127
Dec 24, 2024 03:41:17.602171898 CET  53     33455  152.53.15.127   192.168.2.14
Dec 24, 2024 03:41:29.830041885 CET  58488  53     192.168.2.14    202.61.197.122
Dec 24, 2024 03:41:30.071660995 CET  53     58488  202.61.197.122  192.168.2.14
Dec 24, 2024 03:41:41.624512911 CET  58327  53     192.168.2.14    202.61.197.122
Dec 24, 2024 03:41:41.874087095 CET  53     58327  202.61.197.122  192.168.2.14
Dec 24, 2024 03:41:54.103951931 CET  35548  53     192.168.2.14    168.235.111.72
Dec 24, 2024 03:41:54.406486034 CET  53     35548  168.235.111.72  192.168.2.14
Dec 24, 2024 03:42:06.649137974 CET  52369  53     192.168.2.14    194.36.144.87
Dec 24, 2024 03:42:06.897239923 CET  53     52369  194.36.144.87   192.168.2.14
Dec 24, 2024 03:42:19.125982046 CET  52898  53     192.168.2.14    185.181.61.24
Dec 24, 2024 03:42:19.394968033 CET  53     52898  185.181.61.24   192.168.2.14
DNS queries (Timestamp / Source IP -> Dest IP / Trans ID / OP Code / Name / Type / Class / DNS over HTTPS):
Dec 24, 2024 03:40:15.467221975 CET  192.168.2.14 -> 51.158.108.203  0xd495  Standard query (0)  serisbot.geek               A (IP address)  IN (0x0001)  false
Dec 24, 2024 03:40:27.256365061 CET  192.168.2.14 -> 51.158.108.203  0xf363  Standard query (0)  serisbot.geek               A (IP address)  IN (0x0001)  false
Dec 24, 2024 03:40:39.734270096 CET  192.168.2.14 -> 168.235.111.72  0x71c2  Standard query (0)  serisbot.geek               A (IP address)  IN (0x0001)  false
Dec 24, 2024 03:40:52.280029058 CET  192.168.2.14 -> 168.235.111.72  0xdf1b  Standard query (0)  serisontop.dyn              A (IP address)  IN (0x0001)  false
Dec 24, 2024 03:41:04.818027973 CET  192.168.2.14 -> 168.235.111.72  0xc722  Standard query (0)  serisontop.dyn              A (IP address)  IN (0x0001)  false
Dec 24, 2024 03:41:17.358886003 CET  192.168.2.14 -> 152.53.15.127   0x1e9   Standard query (0)  serisontop.dyn              A (IP address)  IN (0x0001)  false
Dec 24, 2024 03:41:29.830041885 CET  192.168.2.14 -> 202.61.197.122  0x257d  Standard query (0)  serisontop.dyn              A (IP address)  IN (0x0001)  false
Dec 24, 2024 03:41:41.624512911 CET  192.168.2.14 -> 202.61.197.122  0xd05b  Standard query (0)  serisbot.geek. [malformed]  type/class printed as 256357  false
Dec 24, 2024 03:41:54.103951931 CET  192.168.2.14 -> 168.235.111.72  0xb155  Standard query (0)  serisbot.geek. [malformed]  type/class printed as 256370  false
Dec 24, 2024 03:42:06.649137974 CET  192.168.2.14 -> 194.36.144.87   0xc0b7  Standard query (0)  serisbot.geek. [malformed]  type/class printed as 256382  false
Dec 24, 2024 03:42:19.125982046 CET  192.168.2.14 -> 185.181.61.24   0x5543  Standard query (0)  serisontop.dyn              A (IP address)  IN (0x0001)  false
DNS answers (Timestamp / Source IP -> Dest IP / Trans ID / Reply Code / Name / CName / Address / Type / Class / DNS over HTTPS):
Dec 24, 2024 03:40:15.706895113 CET  51.158.108.203 -> 192.168.2.14  0xd495  No error (0)      serisbot.geek               -     209.38.192.73   A (IP address)  IN (0x0001)  false
Dec 24, 2024 03:40:27.499084949 CET  51.158.108.203 -> 192.168.2.14  0xf363  No error (0)      serisbot.geek               -     209.38.192.73   A (IP address)  IN (0x0001)  false
Dec 24, 2024 03:40:40.044171095 CET  168.235.111.72 -> 192.168.2.14  0x71c2  No error (0)      serisbot.geek               -     209.38.192.73   A (IP address)  IN (0x0001)  false
Dec 24, 2024 03:40:52.593579054 CET  168.235.111.72 -> 192.168.2.14  0xdf1b  No error (0)      serisontop.dyn              -     209.38.192.73   A (IP address)  IN (0x0001)  false
Dec 24, 2024 03:40:52.593579054 CET  168.235.111.72 -> 192.168.2.14  0xdf1b  No error (0)      serisontop.dyn              -     154.216.16.250  A (IP address)  IN (0x0001)  false
Dec 24, 2024 03:40:52.593579054 CET  168.235.111.72 -> 192.168.2.14  0xdf1b  No error (0)      serisontop.dyn              -     154.216.16.244  A (IP address)  IN (0x0001)  false
Dec 24, 2024 03:41:05.128632069 CET  168.235.111.72 -> 192.168.2.14  0xc722  No error (0)      serisontop.dyn              -     154.216.16.244  A (IP address)  IN (0x0001)  false
Dec 24, 2024 03:41:05.128632069 CET  168.235.111.72 -> 192.168.2.14  0xc722  No error (0)      serisontop.dyn              -     209.38.192.73   A (IP address)  IN (0x0001)  false
Dec 24, 2024 03:41:05.128632069 CET  168.235.111.72 -> 192.168.2.14  0xc722  No error (0)      serisontop.dyn              -     154.216.16.250  A (IP address)  IN (0x0001)  false
Dec 24, 2024 03:41:17.602171898 CET  152.53.15.127 -> 192.168.2.14   0x1e9   No error (0)      serisontop.dyn              -     154.216.16.244  A (IP address)  IN (0x0001)  false
Dec 24, 2024 03:41:17.602171898 CET  152.53.15.127 -> 192.168.2.14   0x1e9   No error (0)      serisontop.dyn              -     209.38.192.73   A (IP address)  IN (0x0001)  false
Dec 24, 2024 03:41:17.602171898 CET  152.53.15.127 -> 192.168.2.14   0x1e9   No error (0)      serisontop.dyn              -     154.216.16.250  A (IP address)  IN (0x0001)  false
Dec 24, 2024 03:41:30.071660995 CET  202.61.197.122 -> 192.168.2.14  0x257d  No error (0)      serisontop.dyn              -     154.216.16.244  A (IP address)  IN (0x0001)  false
Dec 24, 2024 03:41:30.071660995 CET  202.61.197.122 -> 192.168.2.14  0x257d  No error (0)      serisontop.dyn              -     154.216.16.250  A (IP address)  IN (0x0001)  false
Dec 24, 2024 03:41:30.071660995 CET  202.61.197.122 -> 192.168.2.14  0x257d  No error (0)      serisontop.dyn              -     209.38.192.73   A (IP address)  IN (0x0001)  false
Dec 24, 2024 03:42:06.897239923 CET  194.36.144.87 -> 192.168.2.14   0xc0b7  Format error (1)  serisbot.geek. [malformed]  none  none            type/class printed as 256382  false
Dec 24, 2024 03:42:19.394968033 CET  185.181.61.24 -> 192.168.2.14   0x5543  No error (0)      serisontop.dyn              -     154.216.16.250  A (IP address)  IN (0x0001)  false
Dec 24, 2024 03:42:19.394968033 CET  185.181.61.24 -> 192.168.2.14   0x5543  No error (0)      serisontop.dyn              -     209.38.192.73   A (IP address)  IN (0x0001)  false
Dec 24, 2024 03:42:19.394968033 CET  185.181.61.24 -> 192.168.2.14   0x5543  No error (0)      serisontop.dyn              -     154.216.16.244  A (IP address)  IN (0x0001)  false

Both domains point at the same infrastructure: serisbot.geek resolves to 209.38.192.73 and serisontop.dyn to that address plus 154.216.16.244 and 154.216.16.250, returned in a different order on each answer. Of the three malformed queries only 0xc0b7 has a parsed answer, a FORMERR from 194.36.144.87; for 0xd05b and 0xb155 no answer is listed, although the UDP table shows a reply packet from 202.61.197.122 at 03:41:41.874 and from 168.235.111.72 at 03:41:54.406.
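The query table has three queries for serisbot.geek. that the sandbox marks [malformed], one of which the resolver 194.36.144.87 answered with Format error (1). The Python below is an added example, not code from the report and not the sample's own resolver: it builds a DNS question in wire format, parses one back without trusting any length byte, and returns the reasons a query would be called malformed (QR bit set, question count other than one, name overrunning the packet, question cut off before QTYPE/QCLASS, unknown type or class), plus a helper that reads the reply code of a response. All packets are constructed; the unassigned class value 357 in the bad query is an assumption for illustration, since the report prints the type and class of the malformed queries fused as "256357" without saying how they split, and the "known" type and class tables are deliberately short.

```python
"""Sanity-check DNS question sections and read reply codes."""
import struct

# Short "known" tables; a real check would load the full IANA registries (assumption made for the example).
KNOWN_QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA", 33: "SRV", 255: "ANY"}
KNOWN_QCLASSES = {1: "IN", 3: "CH", 4: "HS", 255: "ANY"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("label length must be 1..63")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name, qtype=1, qclass=1):
    """Standard query (RD set) with a single question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, qclass)


def parse_name(buf, off):
    """Read an uncompressed name at off; raise ValueError on any overrun or bad label."""
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("name runs past end of packet")
        length = buf[off]
        off += 1
        if length == 0:
            return ".".join(labels) + ".", off
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        if off + length > len(buf):
            raise ValueError("label runs past end of packet")
        labels.append(buf[off:off + length].decode("ascii", "replace"))
        off += length


def check_query(buf):
    """Return (name, findings); findings is empty for a well-formed single-question query."""
    findings = []
    if len(buf) < 12:
        return None, ["header shorter than 12 bytes"]
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack(">HHHHHH", buf[:12])
    if flags & 0x8000:
        findings.append("QR bit set on a query")
    if qdcount != 1:
        findings.append(f"QDCOUNT {qdcount} (expected 1)")
    try:
        name, off = parse_name(buf, 12)
    except ValueError as err:
        return None, findings + [str(err)]
    if off + 4 > len(buf):
        return name, findings + ["question truncated before QTYPE/QCLASS"]
    qtype, qclass = struct.unpack(">HH", buf[off:off + 4])
    if qtype not in KNOWN_QTYPES:
        findings.append(f"unknown QTYPE {qtype}")
    if qclass not in KNOWN_QCLASSES:
        findings.append(f"unknown QCLASS {qclass}")
    return name, findings


def rcode(buf):
    """Reply code name of a response (the report shows 'Format error (1)' for the malformed query)."""
    flags = struct.unpack(">H", buf[2:4])[0]
    return RCODES.get(flags & 0xF, f"RCODE {flags & 0xF}")


# Constructed packets, not captured from the sandbox.
GOOD = build_query(0xd495, "serisbot.geek")               # shape of the first query in the table
BAD_CLASS = build_query(0xd05b, "serisbot.geek", 1, 357)  # 357: assumed unassigned class, not a report value
TRUNCATED = GOOD[:-3]                                      # question cut off before QTYPE/QCLASS
FORMERR = struct.pack(">HHHHHH", 0xc0b7, 0x8181, 1, 0, 0, 0) + GOOD[12:]  # QR=1, RD, RA, RCODE=1

if __name__ == "__main__":
    for label, pkt in (("good", GOOD), ("bad class", BAD_CLASS), ("truncated", TRUNCATED)):
        print(label, check_query(pkt))
    print("resolver reply:", rcode(FORMERR))
```

Run over a capture, `check_query` applied to every UDP/53 payload from the client gives the same verdicts the sandbox prints, and `rcode` on the replies picks out the FORMERR that marks a resolver rejecting a question it could not parse.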

        System Behavior

        Start time (UTC):02:40:14
        Start date (UTC):24/12/2024
        Path:/tmp/zerx86.elf
        Arguments:/tmp/zerx86.elf
        File size:42612 bytes
        MD5 hash:8f88d9001a0bbe8d00b274f3b3fecd19

        Start time (UTC):02:40:15
        Start date (UTC):24/12/2024
        Path:/tmp/zerx86.elf
        Arguments:-
        File size:42612 bytes
        MD5 hash:8f88d9001a0bbe8d00b274f3b3fecd19

        Start time (UTC):02:40:15
        Start date (UTC):24/12/2024
        Path:/tmp/zerx86.elf
        Arguments:-
        File size:42612 bytes
        MD5 hash:8f88d9001a0bbe8d00b274f3b3fecd19