Linux
Analysis Report
zerarm5.elf
Overview
General Information
Detection
Score: | 56 |
Range: | 0 - 100 |
Whitelisted: | false |
Signatures
Multi AV Scanner detection for submitted file
Connects to many ports of the same IP (likely port scanning)
Sends malformed DNS queries
Detected TCP or UDP traffic on non-standard ports
Executes the "rm" command used to delete files or directories
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample listens on a socket
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)
Classification
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1580197 |
Start date and time: | 2024-12-24 04:09:40 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 26s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultlinuxfilecookbook.jbs |
Analysis system description: | Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11) |
Analysis Mode: | default |
Sample name: | zerarm5.elf |
Detection: | MAL |
Classification: | mal56.troj.linELF@0/0@11/0 |
Command: | /tmp/zerarm5.elf |
PID: | 5443 |
Exit Code: | 0 |
Exit Code Info: | |
Killed: | False |
Standard Output: | The Peoples Bank of China. |
Standard Error: |
- system is lnxubuntu20
- dash New Fork (PID: 5412, Parent: 3582)
- dash New Fork (PID: 5413, Parent: 3582)
- zerarm5.elf New Fork (PID: 5445, Parent: 5443)
- zerarm5.elf New Fork (PID: 5447, Parent: 5445)
- cleanup
⊘No yara matches
⊘No Suricata rule has matched
AV Detection |
---|
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Networking |
---|
Source: | TCP traffic: | ||
Source: | TCP traffic: |
Source: | DNS traffic detected: |
Source: | TCP traffic: | ||
Source: | TCP traffic: |
Source: | Socket: | Jump to behavior |
Source: | TCP traffic: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: |
Source: | Network traffic detected: |
Source: | String containing 'busybox' found: | ||
Source: | String containing 'busybox' found: |
Source: | .symtab present: |
Source: | Classification label: |
Source: | Rm executable: | Jump to behavior | ||
Source: | Rm executable: | Jump to behavior |
Source: | Queries kernel information via 'uname': | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | 1 File Deletion | OS Credential Dumping | 11 Security Software Discovery | Remote Services | Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | 2 Application Layer Protocol | Traffic Duplication | Data Destruction |
⊘No configs have been found
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| | 45% | ReversingLabs | Linux.Backdoor.Mirai | |
| | 47% | Virustotal | | Browse |
⊘No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
serisontop.dyn | 209.38.192.73 | true | false | | high |
serisbot.geek | 209.38.192.73 | true | false | | high |
serisbot.geek. [malformed] | unknown | unknown | false | | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
154.216.16.244 | unknown | Seychelles | 135357 | SKHT-ASShenzhenKatherineHengTechnologyInformationCo | true |
185.125.190.26 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false |
209.38.192.73 | serisontop.dyn | United States | 7018 | ATT-INTERNET4US | false |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
154.216.16.244 | Get hash | | malicious | Unknown | Browse | |
154.216.16.244 | Get hash | | malicious | Unknown | Browse | |
154.216.16.244 | Get hash | | malicious | Unknown | Browse | |
154.216.16.244 | Get hash | | malicious | Unknown | Browse | |
154.216.16.244 | Get hash | | malicious | Unknown | Browse | |
154.216.16.244 | Get hash | | malicious | Unknown | Browse | |
154.216.16.244 | Get hash | | malicious | Unknown | Browse | |
185.125.190.26 | Get hash | | malicious | Unknown | Browse | |
185.125.190.26 | Get hash | | malicious | Mirai, Gafgyt, Okiru | Browse | |
185.125.190.26 | Get hash | | malicious | Okiru | Browse | |
185.125.190.26 | Get hash | | malicious | Gafgyt, Mirai | Browse | |
185.125.190.26 | Get hash | | malicious | Okiru | Browse | |
185.125.190.26 | Get hash | | malicious | Okiru | Browse | |
185.125.190.26 | Get hash | | malicious | Gafgyt, Mirai | Browse | |
185.125.190.26 | Get hash | | malicious | Mirai, Gafgyt, Okiru | Browse | |
185.125.190.26 | Get hash | | malicious | Mirai | Browse | |
185.125.190.26 | Get hash | | malicious | Mirai | Browse | |
209.38.192.73 | Get hash | | malicious | Unknown | Browse | |
209.38.192.73 | Get hash | | malicious | Unknown | Browse | |
209.38.192.73 | Get hash | | malicious | Unknown | Browse | |
209.38.192.73 | Get hash | | malicious | Unknown | Browse | |
209.38.192.73 | Get hash | | malicious | Unknown | Browse | |
209.38.192.73 | Get hash | | malicious | Unknown | Browse | |
209.38.192.73 | Get hash | | malicious | Unknown | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
serisontop.dyn | Get hash | | malicious | Unknown | Browse | |
serisontop.dyn | Get hash | | malicious | Unknown | Browse | |
serisontop.dyn | Get hash | | malicious | Unknown | Browse | |
serisontop.dyn | Get hash | | malicious | Unknown | Browse | |
serisontop.dyn | Get hash | | malicious | Unknown | Browse | |
serisontop.dyn | Get hash | | malicious | Unknown | Browse | |
serisontop.dyn | Get hash | | malicious | Unknown | Browse | |
serisontop.dyn | Get hash | | malicious | Unknown | Browse | |
serisontop.dyn | Get hash | | malicious | Unknown | Browse | |
serisbot.geek | Get hash | | malicious | Unknown | Browse | |
serisbot.geek | Get hash | | malicious | Unknown | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CANONICAL-ASGB | Get hash | | malicious | Unknown | Browse | |
CANONICAL-ASGB | Get hash | | malicious | Unknown | Browse | |
CANONICAL-ASGB | Get hash | | malicious | Unknown | Browse | |
CANONICAL-ASGB | Get hash | | malicious | Unknown | Browse | |
CANONICAL-ASGB | Get hash | | malicious | Okiru | Browse | |
CANONICAL-ASGB | Get hash | | malicious | Unknown | Browse | |
CANONICAL-ASGB | Get hash | | malicious | Okiru | Browse | |
CANONICAL-ASGB | Get hash | | malicious | Mirai, Gafgyt, Okiru | Browse | |
CANONICAL-ASGB | Get hash | | malicious | Okiru | Browse | |
CANONICAL-ASGB | Get hash | | malicious | Okiru | Browse | |
ATT-INTERNET4US | Get hash | | malicious | Unknown | Browse | |
ATT-INTERNET4US | Get hash | | malicious | Unknown | Browse | |
ATT-INTERNET4US | Get hash | | malicious | Unknown | Browse | |
ATT-INTERNET4US | Get hash | | malicious | Unknown | Browse | |
ATT-INTERNET4US | Get hash | | malicious | Unknown | Browse | |
ATT-INTERNET4US | Get hash | | malicious | Unknown | Browse | |
ATT-INTERNET4US | Get hash | | malicious | Unknown | Browse | |
ATT-INTERNET4US | Get hash | | malicious | Unknown | Browse | |
ATT-INTERNET4US | Get hash | | malicious | Unknown | Browse | |
ATT-INTERNET4US | Get hash | | malicious | Unknown | Browse | |
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | Get hash | | malicious | Unknown | Browse | |
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | Get hash | | malicious | Unknown | Browse | |
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | Get hash | | malicious | Unknown | Browse | |
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | Get hash | | malicious | Unknown | Browse | |
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | Get hash | | malicious | Unknown | Browse | |
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | Get hash | | malicious | Unknown | Browse | |
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | Get hash | | malicious | Unknown | Browse | |
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | Get hash | | malicious | Unknown | Browse | |
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | Get hash | | malicious | Unknown | Browse | |
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | Get hash | | malicious | Okiru | Browse | |
⊘No context
⊘No created / dropped files found
File type: | |
Entropy (8bit): | 5.954315775946027 |
TrID: | |
File name: | zerarm5.elf |
File size: | 47'736 bytes |
MD5: | ac337219e9a43a565056d52291706eda |
SHA1: | e551b3116f04e5848559e3d0e441c8c655ebf924 |
SHA256: | 296999268ed5f4a3406552febfd889b8bd2acdf512ce0be9c756f32cef7843a1 |
SHA512: | 790a2eec6c466024407023d418c7d1ccfb3860a62c582bc969b80f628e46d1ec7e33bdd7bf0d0021d53b1574c89c43836afc7550ca0a744afc997c4d5bdfeb75 |
SSDEEP: | 768:NBu0TFCEfCkPTQSlghpsvW692N8jaabj0GkozlFozCRxyNqRW+ql1iTs:f5FZfFcps+69G8Z/0urxMkT |
TLSH: | A3230741BC819A13C5D413BEF66E429D372523B8E2EFB217DC222F15778A82B0DB7645 |
File Content Preview: | .ELF...a..........(.........4...........4. ...(.....................................................................Q.td..................................-...L."....+..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S |
ELF header | |
---|---|
Class: | |
Data: | |
Version: | |
Machine: | |
Version Number: | |
Type: | |
OS/ABI: | |
ABI Version: | 0 |
Entry Point Address: | |
Flags: | |
ELF Header Size: | 52 |
Program Header Offset: | 52 |
Program Header Size: | 32 |
Number of Program Headers: | 3 |
Section Header Offset: | 47296 |
Section Header Size: | 40 |
Number of Section Headers: | 11 |
Header String Table Index: | 10 |
Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align |
---|---|---|---|---|---|---|---|---|---|---|
| | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0 |
.init | PROGBITS | 0x8094 | 0x94 | 0x18 | 0x0 | 0x6 | AX | 0 | 0 | 4 |
.text | PROGBITS | 0x80b0 | 0xb0 | 0xae90 | 0x0 | 0x6 | AX | 0 | 0 | 16 |
.fini | PROGBITS | 0x12f40 | 0xaf40 | 0x14 | 0x0 | 0x6 | AX | 0 | 0 | 4 |
.rodata | PROGBITS | 0x12f54 | 0xaf54 | 0x7a4 | 0x0 | 0x2 | A | 0 | 0 | 4 |
.ctors | PROGBITS | 0x1b6fc | 0xb6fc | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.dtors | PROGBITS | 0x1b704 | 0xb704 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.jcr | PROGBITS | 0x1b70c | 0xb70c | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.data | PROGBITS | 0x1b710 | 0xb710 | 0x16c | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.bss | NOBITS | 0x1b87c | 0xb87c | 0x178 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.shstrtab | STRTAB | 0x0 | 0xb87c | 0x43 | 0x0 | 0x0 | | 0 | 0 | 1 |
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings |
---|---|---|---|---|---|---|---|---|---|---|---|
LOAD | 0x0 | 0x8000 | 0x8000 | 0xb6f8 | 0xb6f8 | 5.9928 | 0x5 | R E | 0x8000 | | .init .text .fini .rodata |
LOAD | 0xb6fc | 0x1b6fc | 0x1b6fc | 0x180 | 0x2f8 | 0.8427 | 0x6 | RW | 0x8000 | | .ctors .dtors .jcr .data .bss |
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 | | |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 24, 2024 04:10:19.399625063 CET | 48448 | 38241 | 192.168.2.13 | 209.38.192.73 |
Dec 24, 2024 04:10:19.519130945 CET | 38241 | 48448 | 209.38.192.73 | 192.168.2.13 |
Dec 24, 2024 04:10:19.519220114 CET | 48448 | 38241 | 192.168.2.13 | 209.38.192.73 |
Dec 24, 2024 04:10:19.520355940 CET | 48448 | 38241 | 192.168.2.13 | 209.38.192.73 |
Dec 24, 2024 04:10:19.639826059 CET | 38241 | 48448 | 209.38.192.73 | 192.168.2.13 |
Dec 24, 2024 04:10:19.639945984 CET | 48448 | 38241 | 192.168.2.13 | 209.38.192.73 |
Dec 24, 2024 04:10:19.759433985 CET | 38241 | 48448 | 209.38.192.73 | 192.168.2.13 |
Dec 24, 2024 04:10:29.528861046 CET | 48448 | 38241 | 192.168.2.13 | 209.38.192.73 |
Dec 24, 2024 04:10:29.648333073 CET | 38241 | 48448 | 209.38.192.73 | 192.168.2.13 |
Dec 24, 2024 04:10:29.950885057 CET | 38241 | 48448 | 209.38.192.73 | 192.168.2.13 |
Dec 24, 2024 04:10:29.951231003 CET | 48448 | 38241 | 192.168.2.13 | 209.38.192.73 |
Dec 24, 2024 04:10:30.070842981 CET | 38241 | 48448 | 209.38.192.73 | 192.168.2.13 |
Dec 24, 2024 04:10:30.718027115 CET | 48202 | 443 | 192.168.2.13 | 185.125.190.26 |
Dec 24, 2024 04:10:31.193133116 CET | 48450 | 38241 | 192.168.2.13 | 209.38.192.73 |
Dec 24, 2024 04:10:31.312606096 CET | 38241 | 48450 | 209.38.192.73 | 192.168.2.13 |
Dec 24, 2024 04:10:31.312738895 CET | 48450 | 38241 | 192.168.2.13 | 209.38.192.73 |
Dec 24, 2024 04:10:31.314148903 CET | 48450 | 38241 | 192.168.2.13 | 209.38.192.73 |
Dec 24, 2024 04:10:31.433599949 CET | 38241 | 48450 | 209.38.192.73 | 192.168.2.13 |
Dec 24, 2024 04:10:31.433815956 CET | 48450 | 38241 | 192.168.2.13 | 209.38.192.73 |
Dec 24, 2024 04:10:31.553329945 CET | 38241 | 48450 | 209.38.192.73 | 192.168.2.13 |
Dec 24, 2024 04:10:42.425910950 CET | 38241 | 48450 | 209.38.192.73 | 192.168.2.13 |
Dec 24, 2024 04:10:42.426337957 CET | 48450 | 38241 | 192.168.2.13 | 209.38.192.73 |
Dec 24, 2024 04:10:42.545969963 CET | 38241 | 48450 | 209.38.192.73 | 192.168.2.13 |
Dec 24, 2024 04:10:43.669998884 CET | 48452 | 38241 | 192.168.2.13 | 209.38.192.73 |
Dec 24, 2024 04:10:43.789638042 CET | 38241 | 48452 | 209.38.192.73 | 192.168.2.13 |
Dec 24, 2024 04:10:43.789835930 CET | 48452 | 38241 | 192.168.2.13 | 209.38.192.73 |
Dec 24, 2024 04:10:43.791383982 CET | 48452 | 38241 | 192.168.2.13 | 209.38.192.73 |
Dec 24, 2024 04:10:43.910983086 CET | 38241 | 48452 | 209.38.192.73 | 192.168.2.13 |
Dec 24, 2024 04:10:43.911166906 CET | 48452 | 38241 | 192.168.2.13 | 209.38.192.73 |
Dec 24, 2024 04:10:44.030662060 CET | 38241 | 48452 | 209.38.192.73 | 192.168.2.13 |
Dec 24, 2024 04:10:54.902745008 CET | 38241 | 48452 | 209.38.192.73 | 192.168.2.13 |
Dec 24, 2024 04:10:54.903114080 CET | 48452 | 38241 | 192.168.2.13 | 209.38.192.73 |
Dec 24, 2024 04:10:55.022664070 CET | 38241 | 48452 | 209.38.192.73 | 192.168.2.13 |
Dec 24, 2024 04:10:56.155603886 CET | 44654 | 38241 | 192.168.2.13 | 154.216.16.244 |
Dec 24, 2024 04:10:56.275058985 CET | 38241 | 44654 | 154.216.16.244 | 192.168.2.13 |
Dec 24, 2024 04:10:56.275186062 CET | 44654 | 38241 | 192.168.2.13 | 154.216.16.244 |
Dec 24, 2024 04:10:56.276900053 CET | 44654 | 38241 | 192.168.2.13 | 154.216.16.244 |
Dec 24, 2024 04:10:56.396388054 CET | 38241 | 44654 | 154.216.16.244 | 192.168.2.13 |
Dec 24, 2024 04:10:56.396526098 CET | 44654 | 38241 | 192.168.2.13 | 154.216.16.244 |
Dec 24, 2024 04:10:56.516036987 CET | 38241 | 44654 | 154.216.16.244 | 192.168.2.13 |
Dec 24, 2024 04:11:02.206008911 CET | 48202 | 443 | 192.168.2.13 | 185.125.190.26 |
Dec 24, 2024 04:11:07.383824110 CET | 38241 | 44654 | 154.216.16.244 | 192.168.2.13 |
Dec 24, 2024 04:11:07.383960962 CET | 44654 | 38241 | 192.168.2.13 | 154.216.16.244 |
Dec 24, 2024 04:11:07.503545046 CET | 38241 | 44654 | 154.216.16.244 | 192.168.2.13 |
Dec 24, 2024 04:11:08.706823111 CET | 44656 | 38241 | 192.168.2.13 | 154.216.16.244 |
Dec 24, 2024 04:11:08.826514006 CET | 38241 | 44656 | 154.216.16.244 | 192.168.2.13 |
Dec 24, 2024 04:11:08.826622009 CET | 44656 | 38241 | 192.168.2.13 | 154.216.16.244 |
Dec 24, 2024 04:11:08.828180075 CET | 44656 | 38241 | 192.168.2.13 | 154.216.16.244 |
Dec 24, 2024 04:11:08.947684050 CET | 38241 | 44656 | 154.216.16.244 | 192.168.2.13 |
Dec 24, 2024 04:11:08.947971106 CET | 44656 | 38241 | 192.168.2.13 | 154.216.16.244 |
Dec 24, 2024 04:11:09.067578077 CET | 38241 | 44656 | 154.216.16.244 | 192.168.2.13 |
Dec 24, 2024 04:11:19.936494112 CET | 38241 | 44656 | 154.216.16.244 | 192.168.2.13 |
Dec 24, 2024 04:11:19.936778069 CET | 44656 | 38241 | 192.168.2.13 | 154.216.16.244 |
Dec 24, 2024 04:11:20.056334019 CET | 38241 | 44656 | 154.216.16.244 | 192.168.2.13 |
Dec 24, 2024 04:11:21.181216002 CET | 44658 | 38241 | 192.168.2.13 | 154.216.16.244 |
Dec 24, 2024 04:11:21.410368919 CET | 38241 | 44658 | 154.216.16.244 | 192.168.2.13 |
Dec 24, 2024 04:11:21.410722971 CET | 44658 | 38241 | 192.168.2.13 | 154.216.16.244 |
Dec 24, 2024 04:11:21.412506104 CET | 44658 | 38241 | 192.168.2.13 | 154.216.16.244 |
Dec 24, 2024 04:11:21.646828890 CET | 38241 | 44658 | 154.216.16.244 | 192.168.2.13 |
Dec 24, 2024 04:11:21.647161961 CET | 44658 | 38241 | 192.168.2.13 | 154.216.16.244 |
Dec 24, 2024 04:11:21.766633034 CET | 38241 | 44658 | 154.216.16.244 | 192.168.2.13 |
Dec 24, 2024 04:11:32.703114986 CET | 38241 | 44658 | 154.216.16.244 | 192.168.2.13 |
Dec 24, 2024 04:11:32.703509092 CET | 44658 | 38241 | 192.168.2.13 | 154.216.16.244 |
Dec 24, 2024 04:11:32.823041916 CET | 38241 | 44658 | 154.216.16.244 | 192.168.2.13 |
Dec 24, 2024 04:11:34.022164106 CET | 44660 | 38241 | 192.168.2.13 | 154.216.16.244 |
Dec 24, 2024 04:11:34.141663074 CET | 38241 | 44660 | 154.216.16.244 | 192.168.2.13 |
Dec 24, 2024 04:11:34.141762018 CET | 44660 | 38241 | 192.168.2.13 | 154.216.16.244 |
Dec 24, 2024 04:11:34.143435955 CET | 44660 | 38241 | 192.168.2.13 | 154.216.16.244 |
Dec 24, 2024 04:11:34.262835026 CET | 38241 | 44660 | 154.216.16.244 | 192.168.2.13 |
Dec 24, 2024 04:11:34.262953997 CET | 44660 | 38241 | 192.168.2.13 | 154.216.16.244 |
Dec 24, 2024 04:11:34.427306890 CET | 38241 | 44660 | 154.216.16.244 | 192.168.2.13 |
Dec 24, 2024 04:11:44.145045042 CET | 44660 | 38241 | 192.168.2.13 | 154.216.16.244 |
Dec 24, 2024 04:11:44.264484882 CET | 38241 | 44660 | 154.216.16.244 | 192.168.2.13 |
Dec 24, 2024 04:11:44.566169024 CET | 38241 | 44660 | 154.216.16.244 | 192.168.2.13 |
Dec 24, 2024 04:11:44.566312075 CET | 44660 | 38241 | 192.168.2.13 | 154.216.16.244 |
Dec 24, 2024 04:11:44.685754061 CET | 38241 | 44660 | 154.216.16.244 | 192.168.2.13 |
Dec 24, 2024 04:11:45.826572895 CET | 44662 | 38241 | 192.168.2.13 | 154.216.16.244 |
Dec 24, 2024 04:11:45.946516991 CET | 38241 | 44662 | 154.216.16.244 | 192.168.2.13 |
Dec 24, 2024 04:11:45.946671963 CET | 44662 | 38241 | 192.168.2.13 | 154.216.16.244 |
Dec 24, 2024 04:11:45.948409081 CET | 44662 | 38241 | 192.168.2.13 | 154.216.16.244 |
Dec 24, 2024 04:11:46.067828894 CET | 38241 | 44662 | 154.216.16.244 | 192.168.2.13 |
Dec 24, 2024 04:11:46.067955971 CET | 44662 | 38241 | 192.168.2.13 | 154.216.16.244 |
Dec 24, 2024 04:11:46.189475060 CET | 38241 | 44662 | 154.216.16.244 | 192.168.2.13 |
Dec 24, 2024 04:11:57.051892996 CET | 38241 | 44662 | 154.216.16.244 | 192.168.2.13 |
Dec 24, 2024 04:11:57.052243948 CET | 44662 | 38241 | 192.168.2.13 | 154.216.16.244 |
Dec 24, 2024 04:11:57.171713114 CET | 38241 | 44662 | 154.216.16.244 | 192.168.2.13 |
Dec 24, 2024 04:11:58.364291906 CET | 44664 | 38241 | 192.168.2.13 | 154.216.16.244 |
Dec 24, 2024 04:11:58.483728886 CET | 38241 | 44664 | 154.216.16.244 | 192.168.2.13 |
Dec 24, 2024 04:11:58.483983040 CET | 44664 | 38241 | 192.168.2.13 | 154.216.16.244 |
Dec 24, 2024 04:11:58.485707998 CET | 44664 | 38241 | 192.168.2.13 | 154.216.16.244 |
Dec 24, 2024 04:11:58.605149031 CET | 38241 | 44664 | 154.216.16.244 | 192.168.2.13 |
Dec 24, 2024 04:11:58.605220079 CET | 44664 | 38241 | 192.168.2.13 | 154.216.16.244 |
Dec 24, 2024 04:11:58.724725008 CET | 38241 | 44664 | 154.216.16.244 | 192.168.2.13 |
Dec 24, 2024 04:12:09.591270924 CET | 38241 | 44664 | 154.216.16.244 | 192.168.2.13 |
Dec 24, 2024 04:12:09.591408968 CET | 44664 | 38241 | 192.168.2.13 | 154.216.16.244 |
Dec 24, 2024 04:12:09.710922956 CET | 38241 | 44664 | 154.216.16.244 | 192.168.2.13 |
Dec 24, 2024 04:12:10.837810993 CET | 44666 | 38241 | 192.168.2.13 | 154.216.16.244 |
Dec 24, 2024 04:12:10.957366943 CET | 38241 | 44666 | 154.216.16.244 | 192.168.2.13 |
Dec 24, 2024 04:12:10.957458019 CET | 44666 | 38241 | 192.168.2.13 | 154.216.16.244 |
Dec 24, 2024 04:12:10.958700895 CET | 44666 | 38241 | 192.168.2.13 | 154.216.16.244 |
Dec 24, 2024 04:12:11.078211069 CET | 38241 | 44666 | 154.216.16.244 | 192.168.2.13 |
Dec 24, 2024 04:12:11.078279018 CET | 44666 | 38241 | 192.168.2.13 | 154.216.16.244 |
Dec 24, 2024 04:12:11.197820902 CET | 38241 | 44666 | 154.216.16.244 | 192.168.2.13 |
Dec 24, 2024 04:12:22.064682007 CET | 38241 | 44666 | 154.216.16.244 | 192.168.2.13 |
Dec 24, 2024 04:12:22.064919949 CET | 44666 | 38241 | 192.168.2.13 | 154.216.16.244 |
Dec 24, 2024 04:12:22.184638977 CET | 38241 | 44666 | 154.216.16.244 | 192.168.2.13 |
Dec 24, 2024 04:12:23.307070971 CET | 44668 | 38241 | 192.168.2.13 | 154.216.16.244 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 24, 2024 04:10:19.159781933 CET | 35417 | 53 | 192.168.2.13 | 51.158.108.203 |
Dec 24, 2024 04:10:19.398626089 CET | 53 | 35417 | 51.158.108.203 | 192.168.2.13 |
Dec 24, 2024 04:10:30.954899073 CET | 39065 | 53 | 192.168.2.13 | 81.169.136.222 |
Dec 24, 2024 04:10:31.192255020 CET | 53 | 39065 | 81.169.136.222 | 192.168.2.13 |
Dec 24, 2024 04:10:43.429497957 CET | 42525 | 53 | 192.168.2.13 | 81.169.136.222 |
Dec 24, 2024 04:10:43.669300079 CET | 53 | 42525 | 81.169.136.222 | 192.168.2.13 |
Dec 24, 2024 04:10:55.907196045 CET | 51143 | 53 | 192.168.2.13 | 202.61.197.122 |
Dec 24, 2024 04:10:56.154481888 CET | 53 | 51143 | 202.61.197.122 | 192.168.2.13 |
Dec 24, 2024 04:11:08.386436939 CET | 42890 | 53 | 192.168.2.13 | 168.235.111.72 |
Dec 24, 2024 04:11:08.705656052 CET | 53 | 42890 | 168.235.111.72 | 192.168.2.13 |
Dec 24, 2024 04:11:20.941044092 CET | 49789 | 53 | 192.168.2.13 | 51.158.108.203 |
Dec 24, 2024 04:11:21.179781914 CET | 53 | 49789 | 51.158.108.203 | 192.168.2.13 |
Dec 24, 2024 04:11:33.706809998 CET | 52350 | 53 | 192.168.2.13 | 168.235.111.72 |
Dec 24, 2024 04:11:34.021044970 CET | 53 | 52350 | 168.235.111.72 | 192.168.2.13 |
Dec 24, 2024 04:11:45.569688082 CET | 45916 | 53 | 192.168.2.13 | 185.181.61.24 |
Dec 24, 2024 04:11:45.825277090 CET | 53 | 45916 | 185.181.61.24 | 192.168.2.13 |
Dec 24, 2024 04:11:58.055666924 CET | 47988 | 53 | 192.168.2.13 | 168.235.111.72 |
Dec 24, 2024 04:11:58.363323927 CET | 53 | 47988 | 168.235.111.72 | 192.168.2.13 |
Dec 24, 2024 04:12:10.594264984 CET | 55651 | 53 | 192.168.2.13 | 194.36.144.87 |
Dec 24, 2024 04:12:10.836684942 CET | 53 | 55651 | 194.36.144.87 | 192.168.2.13 |
Dec 24, 2024 04:12:23.067543030 CET | 44106 | 53 | 192.168.2.13 | 51.158.108.203 |
Dec 24, 2024 04:12:23.306457043 CET | 53 | 44106 | 51.158.108.203 | 192.168.2.13 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Dec 24, 2024 04:10:19.159781933 CET | 192.168.2.13 | 51.158.108.203 | 0x7d27 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Dec 24, 2024 04:10:30.954899073 CET | 192.168.2.13 | 81.169.136.222 | 0x2922 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Dec 24, 2024 04:10:43.429497957 CET | 192.168.2.13 | 81.169.136.222 | 0xfe78 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Dec 24, 2024 04:10:55.907196045 CET | 192.168.2.13 | 202.61.197.122 | 0xd1a5 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Dec 24, 2024 04:11:08.386436939 CET | 192.168.2.13 | 168.235.111.72 | 0xf7ec | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Dec 24, 2024 04:11:20.941044092 CET | 192.168.2.13 | 51.158.108.203 | 0xfc4a | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Dec 24, 2024 04:11:33.706809998 CET | 192.168.2.13 | 168.235.111.72 | 0xf481 | Standard query (0) | | 256 | 358 | false |
Dec 24, 2024 04:11:45.569688082 CET | 192.168.2.13 | 185.181.61.24 | 0x6b29 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Dec 24, 2024 04:11:58.055666924 CET | 192.168.2.13 | 168.235.111.72 | 0xae29 | Standard query (0) | | 256 | 382 | false |
Dec 24, 2024 04:12:10.594264984 CET | 192.168.2.13 | 194.36.144.87 | 0xf8b5 | Standard query (0) | | 256 | 394 | false |
Dec 24, 2024 04:12:23.067543030 CET | 192.168.2.13 | 51.158.108.203 | 0x99a | Standard query (0) | | 256 | 407 | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Dec 24, 2024 04:10:19.398626089 CET | 51.158.108.203 | 192.168.2.13 | 0x7d27 | No error (0) | | | 209.38.192.73 | A (IP address) | IN (0x0001) | false |
Dec 24, 2024 04:10:31.192255020 CET | 81.169.136.222 | 192.168.2.13 | 0x2922 | Refused (5) | | none | none | A (IP address) | IN (0x0001) | false |
Dec 24, 2024 04:10:43.669300079 CET | 81.169.136.222 | 192.168.2.13 | 0xfe78 | Refused (5) | | none | none | A (IP address) | IN (0x0001) | false |
Dec 24, 2024 04:10:56.154481888 CET | 202.61.197.122 | 192.168.2.13 | 0xd1a5 | No error (0) | | | 209.38.192.73 | A (IP address) | IN (0x0001) | false |
Dec 24, 2024 04:10:56.154481888 CET | 202.61.197.122 | 192.168.2.13 | 0xd1a5 | No error (0) | | | 154.216.16.250 | A (IP address) | IN (0x0001) | false |
Dec 24, 2024 04:10:56.154481888 CET | 202.61.197.122 | 192.168.2.13 | 0xd1a5 | No error (0) | | | 154.216.16.244 | A (IP address) | IN (0x0001) | false |
Dec 24, 2024 04:11:08.705656052 CET | 168.235.111.72 | 192.168.2.13 | 0xf7ec | No error (0) | | | 209.38.192.73 | A (IP address) | IN (0x0001) | false |
Dec 24, 2024 04:11:08.705656052 CET | 168.235.111.72 | 192.168.2.13 | 0xf7ec | No error (0) | | | 154.216.16.244 | A (IP address) | IN (0x0001) | false |
Dec 24, 2024 04:11:08.705656052 CET | 168.235.111.72 | 192.168.2.13 | 0xf7ec | No error (0) | | | 154.216.16.250 | A (IP address) | IN (0x0001) | false |
Dec 24, 2024 04:11:21.179781914 CET | 51.158.108.203 | 192.168.2.13 | 0xfc4a | No error (0) | | | 154.216.16.250 | A (IP address) | IN (0x0001) | false |
Dec 24, 2024 04:11:21.179781914 CET | 51.158.108.203 | 192.168.2.13 | 0xfc4a | No error (0) | | | 154.216.16.244 | A (IP address) | IN (0x0001) | false |
Dec 24, 2024 04:11:21.179781914 CET | 51.158.108.203 | 192.168.2.13 | 0xfc4a | No error (0) | | | 209.38.192.73 | A (IP address) | IN (0x0001) | false |
Dec 24, 2024 04:11:45.825277090 CET | 185.181.61.24 | 192.168.2.13 | 0x6b29 | No error (0) | | | 154.216.16.250 | A (IP address) | IN (0x0001) | false |
Dec 24, 2024 04:11:45.825277090 CET | 185.181.61.24 | 192.168.2.13 | 0x6b29 | No error (0) | | | 154.216.16.244 | A (IP address) | IN (0x0001) | false |
Dec 24, 2024 04:11:45.825277090 CET | 185.181.61.24 | 192.168.2.13 | 0x6b29 | No error (0) | | | 209.38.192.73 | A (IP address) | IN (0x0001) | false |
Dec 24, 2024 04:12:10.836684942 CET | 194.36.144.87 | 192.168.2.13 | 0xf8b5 | Format error (1) | | none | none | 256 | 394 | false |
Dec 24, 2024 04:12:23.306457043 CET | 51.158.108.203 | 192.168.2.13 | 0x99a | Format error (1) | | none | none | 256 | 407 | false |
System Behavior
Start time (UTC): | 03:10:13 |
Start date (UTC): | 24/12/2024 |
Path: | /usr/bin/dash |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 03:10:13 |
Start date (UTC): | 24/12/2024 |
Path: | /usr/bin/rm |
Arguments: | rm -f /tmp/tmp.FqQRvUdAvt /tmp/tmp.BpvDYSP9bx /tmp/tmp.uDbJAauplH |
File size: | 72056 bytes |
MD5 hash: | aa2b5496fdbfd88e38791ab81f90b95b |
Start time (UTC): | 03:10:13 |
Start date (UTC): | 24/12/2024 |
Path: | /usr/bin/dash |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 03:10:13 |
Start date (UTC): | 24/12/2024 |
Path: | /usr/bin/rm |
Arguments: | rm -f /tmp/tmp.FqQRvUdAvt /tmp/tmp.BpvDYSP9bx /tmp/tmp.uDbJAauplH |
File size: | 72056 bytes |
MD5 hash: | aa2b5496fdbfd88e38791ab81f90b95b |
Start time (UTC): | 03:10:17 |
Start date (UTC): | 24/12/2024 |
Path: | /tmp/zerarm5.elf |
Arguments: | /tmp/zerarm5.elf |
File size: | 4956856 bytes |
MD5 hash: | 5ebfcae4fe2471fcc5695c2394773ff1 |
Start time (UTC): | 03:10:17 |
Start date (UTC): | 24/12/2024 |
Path: | /tmp/zerarm5.elf |
Arguments: | - |
File size: | 4956856 bytes |
MD5 hash: | 5ebfcae4fe2471fcc5695c2394773ff1 |
Start time (UTC): | 03:10:17 |
Start date (UTC): | 24/12/2024 |
Path: | /tmp/zerarm5.elf |
Arguments: | - |
File size: | 4956856 bytes |
MD5 hash: | 5ebfcae4fe2471fcc5695c2394773ff1 |