
Linux Analysis Report
zerarm.elf

Overview

General Information

Sample name: zerarm.elf
Analysis ID: 1623328
MD5: 7eda1e6f8713164178bf7c6197165c4a
SHA1: 3c2ec4fa876b773ce49c13ce8eb4cfafa45dde86
SHA256: 603c95bd4c69cfbb0afad0567c1902188befdd46c60bb613291ebfd7fb879f2e
Tags: elf, user-abuse_ch

Detection

Score: 52
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
Sends malformed DNS queries
Detected TCP or UDP traffic on non-standard ports
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

(Classification chart; categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1623328
Start date and time: 2025-02-25 07:27:37 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 34s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: zerarm.elf
Detection: MAL
Classification: mal52.troj.linELF@0/0@31/0
Command: /tmp/zerarm.elf
PID: 5488
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
gosh that chinese family at the other table sure ate a lot
Standard Error:
  • system is lnxubuntu20
  • zerarm.elf (PID: 5488, Parent: 5411, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/zerarm.elf
  • cleanup
No yara matches
No Suricata rule has matched


AV Detection

Source: zerarm.elf | Virustotal: Detection: 41%
Source: zerarm.elf | ReversingLabs: Detection: 44%

Networking

Source: global traffic | DNS traffic detected: malformed DNS query: serisbot.geek. [malformed]
Source: global traffic | TCP traffic: 192.168.2.14:45444 -> 157.245.23.184:1440
Source: global traffic | TCP traffic: 192.168.2.14:39640 -> 64.225.80.213:1440
Source: global traffic | TCP traffic: 192.168.2.14:33006 -> 209.97.177.154:1440
Source: /tmp/zerarm.elf (PID: 5488) | Socket: 127.0.0.1:39148
Source: unknown | UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown | UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown | UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown | UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown | UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown | UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: global traffic | DNS traffic detected: DNS query: serisontop.dyn
Source: global traffic | DNS traffic detected: DNS query: serisbot.geek. [malformed]
Source: ELF static info symbol of initial sample | .symtab present: no
Source: classification engine | Classification label: mal52.troj.linELF@0/0@31/0
Source: /tmp/zerarm.elf (PID: 5488) | Queries kernel information via 'uname'
Source: zerarm.elf, 5488.1.00005637827b7000.00005637828e5000.rw-.sdmp | Binary or memory string: 7V!/etc/qemu-binfmt/arm
Source: zerarm.elf, 5488.1.00007ffdb5819000.00007ffdb583a000.rw-.sdmp | Binary or memory string: bax86_64/usr/bin/qemu-arm/tmp/zerarm.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/zerarm.elf
Source: zerarm.elf, 5488.1.00005637827b7000.00005637828e5000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/arm
Source: zerarm.elf, 5488.1.00007ffdb5819000.00007ffdb583a000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-arm
MITRE ATT&CK Matrix (matched techniques only; the other cells of the matrix are the unmatched template):
  • Discovery: Security Software Discovery
  • Command and Control: Non-Standard Port, Non-Application Layer Protocol, Application Layer Protocol
No configs have been found
Behavior Graph (ID: 1623328, Sample: zerarm.elf, Startdate: 25/02/2025, Architecture: LINUX, Score: 52):
  • Process chain: zerarm.elf started, which started a second zerarm.elf process, which started a third zerarm.elf process
  • DNS node: serisbot.geek. [malformed] (signature: Sends malformed DNS queries)
  • IP node: 157.245.23.184, ports 1440, 45444, 45446, DIGITALOCEAN-ASNUS, United States
  • 2 other IPs or domains
  • Signature on sample: Multi AV Scanner detection for submitted file

Source     | Detection | Scanner       | Label
zerarm.elf | 41%       | Virustotal    | (none)
zerarm.elf | 45%       | ReversingLabs | Linux.Backdoor.Mirai
No Antivirus matches
No Antivirus matches
No Antivirus matches


Name                       | IP             | Active  | Malicious | Antivirus Detection | Reputation
serisontop.dyn             | 209.97.177.154 | true    | false     | (none)              | high
serisbot.geek. [malformed] | unknown        | unknown | false     | (none)              | high
IP             | Domain         | Country       | ASN   | ASN Name           | Malicious
209.97.177.154 | serisontop.dyn | United States | 14061 | DIGITALOCEAN-ASNUS | false
64.225.80.213  | unknown        | United States | 14061 | DIGITALOCEAN-ASNUS | false
157.245.23.184 | unknown        | United States | 14061 | DIGITALOCEAN-ASNUS | false
                        No created / dropped files found
File type: ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy (8bit): 5.9933609962386765
TrID:
• ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: zerarm.elf
File size: 50'344 bytes
MD5: 7eda1e6f8713164178bf7c6197165c4a
SHA1: 3c2ec4fa876b773ce49c13ce8eb4cfafa45dde86
SHA256: 603c95bd4c69cfbb0afad0567c1902188befdd46c60bb613291ebfd7fb879f2e
SHA512: c1b383d0a43b8e14357c89c942d21f39bc3d65ba0c2e9c92897345dc129ca44dec8fa09f27f34bbdd72a67d75f981fd5532b7693d403fc5994116c3236a435e3
SSDEEP: 768:cChrqBf4WFzHtxXXLfxbDo7bWozVos06L8r9Y/hZkVw8OiNqX+oj1:frEfHLfV0nWiRL8pY5O/OX
TLSH: E8330791B8C19A16C1E022BBFA2E429C372523F8E2DF7217CD126F51778A81F0DA7655
                        File Content Preview:.ELF...a..........(.........4...........4. ...(.........................................................(...........Q.td..................................-...L."...............0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

                        ELF header

Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
Machine: ARM
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: ARM - ABI
ABI Version: 0
Entry Point Address: 0x8190
Flags: 0x202
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 3
Section Header Offset: 49904
Section Header Size: 40
Number of Section Headers: 11
Header String Table Index: 10
Section headers

Name      | Type     | Address | Offset | Size   | EntSize | Flags | Flags Description | Link | Info | Align
(none)    | NULL     | 0x0     | 0x0    | 0x0    | 0x0     | 0x0   |                   | 0    | 0    | 0
.init     | PROGBITS | 0x8094  | 0x94   | 0x18   | 0x0     | 0x6   | AX                | 0    | 0    | 4
.text     | PROGBITS | 0x80b0  | 0xb0   | 0xb870 | 0x0     | 0x6   | AX                | 0    | 0    | 16
.fini     | PROGBITS | 0x13920 | 0xb920 | 0x14   | 0x0     | 0x6   | AX                | 0    | 0    | 4
.rodata   | PROGBITS | 0x13934 | 0xb934 | 0x7b4  | 0x0     | 0x2   | A                 | 0    | 0    | 4
.ctors    | PROGBITS | 0x1c0ec | 0xc0ec | 0x8    | 0x0     | 0x3   | WA                | 0    | 0    | 4
.dtors    | PROGBITS | 0x1c0f4 | 0xc0f4 | 0x8    | 0x0     | 0x3   | WA                | 0    | 0    | 4
.jcr      | PROGBITS | 0x1c0fc | 0xc0fc | 0x4    | 0x0     | 0x3   | WA                | 0    | 0    | 4
.data     | PROGBITS | 0x1c100 | 0xc100 | 0x1ac  | 0x0     | 0x3   | WA                | 0    | 0    | 4
.bss      | NOBITS   | 0x1c2ac | 0xc2ac | 0x268  | 0x0     | 0x3   | WA                | 0    | 0    | 4
.shstrtab | STRTAB   | 0x0     | 0xc2ac | 0x43   | 0x0     | 0x0   |                   | 0    | 0    | 1
Program headers

Type      | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align  | Prog Interpreter | Section Mappings
LOAD      | 0x0    | 0x8000          | 0x8000           | 0xc0e8    | 0xc0e8      | 6.0243  | 0x5   | R E               | 0x8000 | (none)           | .init .text .fini .rodata
LOAD      | 0xc0ec | 0x1c0ec         | 0x1c0ec          | 0x1c0     | 0x428       | 2.3099  | 0x6   | RW                | 0x8000 | (none)           | .ctors .dtors .jcr .data .bss
GNU_STACK | 0x0    | 0x0             | 0x0              | 0x0       | 0x0         | 0.0000  | 0x7   | RWE               | 0x4    | (none)           | (none)


• Total Packets: 87
• Ports observed: 1440 (undefined), 53 (DNS)
                        Feb 25, 2025 07:30:00.112386942 CET5347702202.61.197.122192.168.2.14
                        Feb 25, 2025 07:30:11.767220020 CET3849553192.168.2.14194.36.144.87
                        Feb 25, 2025 07:30:11.790366888 CET5338495194.36.144.87192.168.2.14
                        Feb 25, 2025 07:30:11.792192936 CET5700953192.168.2.14194.36.144.87
                        Feb 25, 2025 07:30:11.812026978 CET5357009194.36.144.87192.168.2.14
                        Feb 25, 2025 07:30:11.813558102 CET5616653192.168.2.14194.36.144.87
                        Feb 25, 2025 07:30:11.833559990 CET5356166194.36.144.87192.168.2.14
                        Feb 25, 2025 07:30:11.834846973 CET5592053192.168.2.14194.36.144.87
                        Feb 25, 2025 07:30:11.858149052 CET5355920194.36.144.87192.168.2.14
                        Feb 25, 2025 07:30:11.859718084 CET4016953192.168.2.14194.36.144.87
                        Feb 25, 2025 07:30:11.876980066 CET5340169194.36.144.87192.168.2.14
                        Feb 25, 2025 07:30:23.553236008 CET5438953192.168.2.1481.169.136.222
                        Feb 25, 2025 07:30:23.583151102 CET535438981.169.136.222192.168.2.14
                        DNS Queries

                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                        Feb 25, 2025 07:28:26.001967907 CET | 192.168.2.14 | 194.36.144.87 | 0x3afc | Standard query (0) | serisontop.dyn | A (IP address) | IN (0x0001) | false
                        Feb 25, 2025 07:28:37.307477951 CET | 192.168.2.14 | 185.181.61.24 | 0xc7e9 | Standard query (0) | serisbot.geek. [malformed] | 256 | 277 | false
                        Feb 25, 2025 07:28:37.341712952 CET | 192.168.2.14 | 185.181.61.24 | 0xc7e9 | Standard query (0) | serisbot.geek. [malformed] | 256 | 277 | false
                        Feb 25, 2025 07:28:37.378623962 CET | 192.168.2.14 | 185.181.61.24 | 0xc7e9 | Standard query (0) | serisbot.geek. [malformed] | 256 | 277 | false
                        Feb 25, 2025 07:28:37.418118954 CET | 192.168.2.14 | 185.181.61.24 | 0xc7e9 | Standard query (0) | serisbot.geek. [malformed] | 256 | 277 | false
                        Feb 25, 2025 07:28:37.455568075 CET | 192.168.2.14 | 185.181.61.24 | 0xc7e9 | Standard query (0) | serisbot.geek. [malformed] | 256 | 277 | false
                        Feb 25, 2025 07:28:49.228214025 CET | 192.168.2.14 | 168.235.111.72 | 0xffc1 | Standard query (0) | serisbot.geek. [malformed] | 256 | 289 | false
                        Feb 25, 2025 07:28:49.319087982 CET | 192.168.2.14 | 168.235.111.72 | 0xffc1 | Standard query (0) | serisbot.geek. [malformed] | 256 | 289 | false
                        Feb 25, 2025 07:28:49.408773899 CET | 192.168.2.14 | 168.235.111.72 | 0xffc1 | Standard query (0) | serisbot.geek. [malformed] | 256 | 289 | false
                        Feb 25, 2025 07:28:49.500288010 CET | 192.168.2.14 | 168.235.111.72 | 0xffc1 | Standard query (0) | serisbot.geek. [malformed] | 256 | 289 | false
                        Feb 25, 2025 07:28:49.594472885 CET | 192.168.2.14 | 168.235.111.72 | 0xffc1 | Standard query (0) | serisbot.geek. [malformed] | 256 | 289 | false
                        Feb 25, 2025 07:29:01.323643923 CET | 192.168.2.14 | 152.53.15.127 | 0xfc65 | Standard query (0) | serisontop.dyn | A (IP address) | IN (0x0001) | false
                        Feb 25, 2025 07:29:13.015136003 CET | 192.168.2.14 | 194.36.144.87 | 0x912a | Standard query (0) | serisontop.dyn | A (IP address) | IN (0x0001) | false
                        Feb 25, 2025 07:29:24.735235929 CET | 192.168.2.14 | 168.235.111.72 | 0xa139 | Standard query (0) | serisontop.dyn | A (IP address) | IN (0x0001) | false
                        Feb 25, 2025 07:29:36.501358032 CET | 192.168.2.14 | 81.169.136.222 | 0x4e50 | Standard query (0) | serisontop.dyn | A (IP address) | IN (0x0001) | false
                        Feb 25, 2025 07:29:47.832248926 CET | 192.168.2.14 | 194.36.144.87 | 0xb68d | Standard query (0) | serisbot.geek. [malformed] | 256 | 348 | false
                        Feb 25, 2025 07:29:48.185049057 CET | 192.168.2.14 | 194.36.144.87 | 0xb68d | Standard query (0) | serisbot.geek. [malformed] | 256 | 348 | false
                        Feb 25, 2025 07:29:48.211024046 CET | 192.168.2.14 | 194.36.144.87 | 0xb68d | Standard query (0) | serisbot.geek. [malformed] | 256 | 348 | false
                        Feb 25, 2025 07:29:48.233972073 CET | 192.168.2.14 | 194.36.144.87 | 0xb68d | Standard query (0) | serisbot.geek. [malformed] | 256 | 348 | false
                        Feb 25, 2025 07:29:48.252868891 CET | 192.168.2.14 | 194.36.144.87 | 0xb68d | Standard query (0) | serisbot.geek. [malformed] | 256 | 348 | false
                        Feb 25, 2025 07:30:00.012430906 CET | 192.168.2.14 | 202.61.197.122 | 0x22ba | Standard query (0) | serisbot.geek. [malformed] | 256 | 360 | false
                        Feb 25, 2025 07:30:00.032569885 CET | 192.168.2.14 | 202.61.197.122 | 0x22ba | Standard query (0) | serisbot.geek. [malformed] | 256 | 360 | false
                        Feb 25, 2025 07:30:00.052248001 CET | 192.168.2.14 | 202.61.197.122 | 0x22ba | Standard query (0) | serisbot.geek. [malformed] | 256 | 360 | false
                        Feb 25, 2025 07:30:00.073163986 CET | 192.168.2.14 | 202.61.197.122 | 0x22ba | Standard query (0) | serisbot.geek. [malformed] | 256 | 360 | false
                        Feb 25, 2025 07:30:00.093750000 CET | 192.168.2.14 | 202.61.197.122 | 0x22ba | Standard query (0) | serisbot.geek. [malformed] | 256 | 360 | false
                        Feb 25, 2025 07:30:11.767220020 CET | 192.168.2.14 | 194.36.144.87 | 0xedf2 | Standard query (0) | serisbot.geek. [malformed] | 256 | 371 | false
                        Feb 25, 2025 07:30:11.792192936 CET | 192.168.2.14 | 194.36.144.87 | 0xedf2 | Standard query (0) | serisbot.geek. [malformed] | 256 | 371 | false
                        Feb 25, 2025 07:30:11.813558102 CET | 192.168.2.14 | 194.36.144.87 | 0xedf2 | Standard query (0) | serisbot.geek. [malformed] | 256 | 371 | false
                        Feb 25, 2025 07:30:11.834846973 CET | 192.168.2.14 | 194.36.144.87 | 0xedf2 | Standard query (0) | serisbot.geek. [malformed] | 256 | 371 | false
                        Feb 25, 2025 07:30:11.859718084 CET | 192.168.2.14 | 194.36.144.87 | 0xedf2 | Standard query (0) | serisbot.geek. [malformed] | 256 | 371 | false
                        Feb 25, 2025 07:30:23.553236008 CET | 192.168.2.14 | 81.169.136.222 | 0x5569 | Standard query (0) | serisontop.dyn | A (IP address) | IN (0x0001) | false
                        DNS Answers

                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                        Feb 25, 2025 07:28:26.029479027 CET | 194.36.144.87 | 192.168.2.14 | 0x3afc | No error (0) | serisontop.dyn | | 209.97.177.154 | A (IP address) | IN (0x0001) | false
                        Feb 25, 2025 07:28:26.029479027 CET | 194.36.144.87 | 192.168.2.14 | 0x3afc | No error (0) | serisontop.dyn | | 157.245.23.184 | A (IP address) | IN (0x0001) | false
                        Feb 25, 2025 07:28:26.029479027 CET | 194.36.144.87 | 192.168.2.14 | 0x3afc | No error (0) | serisontop.dyn | | 64.225.80.213 | A (IP address) | IN (0x0001) | false
                        Feb 25, 2025 07:29:01.349404097 CET | 152.53.15.127 | 192.168.2.14 | 0xfc65 | No error (0) | serisontop.dyn | | 209.97.177.154 | A (IP address) | IN (0x0001) | false
                        Feb 25, 2025 07:29:01.349404097 CET | 152.53.15.127 | 192.168.2.14 | 0xfc65 | No error (0) | serisontop.dyn | | 64.225.80.213 | A (IP address) | IN (0x0001) | false
                        Feb 25, 2025 07:29:01.349404097 CET | 152.53.15.127 | 192.168.2.14 | 0xfc65 | No error (0) | serisontop.dyn | | 157.245.23.184 | A (IP address) | IN (0x0001) | false
                        Feb 25, 2025 07:29:13.035224915 CET | 194.36.144.87 | 192.168.2.14 | 0x912a | No error (0) | serisontop.dyn | | 64.225.80.213 | A (IP address) | IN (0x0001) | false
                        Feb 25, 2025 07:29:13.035224915 CET | 194.36.144.87 | 192.168.2.14 | 0x912a | No error (0) | serisontop.dyn | | 209.97.177.154 | A (IP address) | IN (0x0001) | false
                        Feb 25, 2025 07:29:13.035224915 CET | 194.36.144.87 | 192.168.2.14 | 0x912a | No error (0) | serisontop.dyn | | 157.245.23.184 | A (IP address) | IN (0x0001) | false
                        Feb 25, 2025 07:29:24.822871923 CET | 168.235.111.72 | 192.168.2.14 | 0xa139 | No error (0) | serisontop.dyn | | 209.97.177.154 | A (IP address) | IN (0x0001) | false
                        Feb 25, 2025 07:29:24.822871923 CET | 168.235.111.72 | 192.168.2.14 | 0xa139 | No error (0) | serisontop.dyn | | 157.245.23.184 | A (IP address) | IN (0x0001) | false
                        Feb 25, 2025 07:29:24.822871923 CET | 168.235.111.72 | 192.168.2.14 | 0xa139 | No error (0) | serisontop.dyn | | 64.225.80.213 | A (IP address) | IN (0x0001) | false
                        Feb 25, 2025 07:29:36.531239986 CET | 81.169.136.222 | 192.168.2.14 | 0x4e50 | No error (0) | serisontop.dyn | | 64.225.80.213 | A (IP address) | IN (0x0001) | false
                        Feb 25, 2025 07:29:36.531239986 CET | 81.169.136.222 | 192.168.2.14 | 0x4e50 | No error (0) | serisontop.dyn | | 209.97.177.154 | A (IP address) | IN (0x0001) | false
                        Feb 25, 2025 07:29:36.531239986 CET | 81.169.136.222 | 192.168.2.14 | 0x4e50 | No error (0) | serisontop.dyn | | 157.245.23.184 | A (IP address) | IN (0x0001) | false
                        Feb 25, 2025 07:29:48.182532072 CET | 194.36.144.87 | 192.168.2.14 | 0xb68d | Format error (1) | serisbot.geek. [malformed] | none | none | 256 | 348 | false
                        Feb 25, 2025 07:29:48.209207058 CET | 194.36.144.87 | 192.168.2.14 | 0xb68d | Format error (1) | serisbot.geek. [malformed] | none | none | 256 | 348 | false
                        Feb 25, 2025 07:29:48.232198954 CET | 194.36.144.87 | 192.168.2.14 | 0xb68d | Format error (1) | serisbot.geek. [malformed] | none | none | 256 | 348 | false
                        Feb 25, 2025 07:29:48.251281977 CET | 194.36.144.87 | 192.168.2.14 | 0xb68d | Format error (1) | serisbot.geek. [malformed] | none | none | 256 | 348 | false
                        Feb 25, 2025 07:29:48.273957968 CET | 194.36.144.87 | 192.168.2.14 | 0xb68d | Format error (1) | serisbot.geek. [malformed] | none | none | 256 | 348 | false
                        Feb 25, 2025 07:30:11.790366888 CET | 194.36.144.87 | 192.168.2.14 | 0xedf2 | Format error (1) | serisbot.geek. [malformed] | none | none | 256 | 371 | false
                        Feb 25, 2025 07:30:11.812026978 CET | 194.36.144.87 | 192.168.2.14 | 0xedf2 | Format error (1) | serisbot.geek. [malformed] | none | none | 256 | 371 | false
                        Feb 25, 2025 07:30:11.833559990 CET | 194.36.144.87 | 192.168.2.14 | 0xedf2 | Format error (1) | serisbot.geek. [malformed] | none | none | 256 | 371 | false
                        Feb 25, 2025 07:30:11.858149052 CET | 194.36.144.87 | 192.168.2.14 | 0xedf2 | Format error (1) | serisbot.geek. [malformed] | none | none | 256 | 371 | false
                        Feb 25, 2025 07:30:11.876980066 CET | 194.36.144.87 | 192.168.2.14 | 0xedf2 | Format error (1) | serisbot.geek. [malformed] | none | none | 256 | 371 | false
                        Feb 25, 2025 07:30:23.583151102 CET | 81.169.136.222 | 192.168.2.14 | 0x5569 | No error (0) | serisontop.dyn | | 209.97.177.154 | A (IP address) | IN (0x0001) | false
                        Feb 25, 2025 07:30:23.583151102 CET | 81.169.136.222 | 192.168.2.14 | 0x5569 | No error (0) | serisontop.dyn | | 64.225.80.213 | A (IP address) | IN (0x0001) | false
                        Feb 25, 2025 07:30:23.583151102 CET | 81.169.136.222 | 192.168.2.14 | 0x5569 | No error (0) | serisontop.dyn | | 157.245.23.184 | A (IP address) | IN (0x0001) | false

                        System Behavior

                        Start time (UTC): 06:28:25
                        Start date (UTC): 25/02/2025
                        Path: /tmp/zerarm.elf
                        Arguments: /tmp/zerarm.elf
                        File size: 4956856 bytes
                        MD5 hash: 5ebfcae4fe2471fcc5695c2394773ff1

                        Start time (UTC): 06:28:25
                        Start date (UTC): 25/02/2025
                        Path: /tmp/zerarm.elf
                        Arguments: -
                        File size: 4956856 bytes
                        MD5 hash: 5ebfcae4fe2471fcc5695c2394773ff1

                        Start time (UTC): 06:28:25
                        Start date (UTC): 25/02/2025
                        Path: /tmp/zerarm.elf
                        Arguments: -
                        File size: 4956856 bytes
                        MD5 hash: 5ebfcae4fe2471fcc5695c2394773ff1