Edit tour

Linux Analysis Report
zermips.elf

Overview

General Information

Sample name:	zermips.elf
Analysis ID:	1623338
MD5:	f034753a8e28e602c6d6abdd7cbf9d5a
SHA1:	022c9a7da63426d3dfd256f6622a6cf6d4f7a324
SHA256:	956083f9fb19568b62f7fd06b2a7a117e244609039c9fcc16a95140292705703
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	52
Range:	0 - 100

Signatures

Multi AV Scanner detection for submitted file

Sends malformed DNS queries

Detected TCP or UDP traffic on non-standard ports

Sample has stripped symbol table

Sample listens on a socket

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1623338
Start date and time:	2025-02-25 07:20:19 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	zermips.elf
Detection:	MAL
Classification:	mal52.troj.linELF@0/0@27/0

Runtime Messages

Command:	/tmp/zermips.elf
PID:	5529
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	gosh that chinese family at the other table sure ate a lot
Standard Error:

Process Tree

system is lnxubuntu20

zermips.elf (PID: 5529, Parent: 5447, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/zermips.elf

zermips.elf New Fork (PID: 5531, Parent: 5529)

zermips.elf New Fork (PID: 5533, Parent: 5531)

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Networking
• System Summary
• Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: zermips.elf	Virustotal: Detection: 25%			Perma Link
Source: zermips.elf	ReversingLabs: Detection: 34%

Networking

Sends malformed DNS queries

Source: global traffic

DNS traffic detected: malformed DNS query: serisbot.geek. [malformed]

Source: global traffic	TCP traffic: 192.168.2.15:57830 -> 209.97.177.154:1440
Source: global traffic	TCP traffic: 192.168.2.15:37388 -> 64.225.80.213:1440
Source: global traffic	TCP traffic: 192.168.2.15:45542 -> 157.245.23.184:1440

Source: /tmp/zermips.elf (PID: 5529)

Socket: 127.0.0.1:39148

Jump to behavior

Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87

Source: global traffic	DNS traffic detected: DNS query: serisontop.dyn
Source: global traffic	DNS traffic detected: DNS query: serisbot.geek. [malformed]

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal52.troj.linELF@0/0@27/0

Source: /tmp/zermips.elf (PID: 5529)

Queries kernel information via 'uname':

Jump to behavior

Source: zermips.elf, 5529.1.00007ffc8de39000.00007ffc8de5a000.rw-.sdmp	Binary or memory string: }Hx86_64/usr/bin/qemu-mips/tmp/zermips.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/zermips.elf
Source: zermips.elf, 5529.1.00005569b3eb7000.00005569b3f3e000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mips
Source: zermips.elf, 5529.1.00005569b3eb7000.00005569b3f3e000.rw-.sdmp	Binary or memory string: iU!/etc/qemu-binfmt/mips
Source: zermips.elf, 5529.1.00007ffc8de39000.00007ffc8de5a000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
zermips.elf	26%	Virustotal		Browse
zermips.elf	34%	ReversingLabs	Linux.Backdoor.Mirai

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
serisontop.dyn	209.97.177.154	true	false		high
serisbot.geek. [malformed]	unknown	unknown	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
209.97.177.154	serisontop.dyn	United States	14061	DIGITALOCEAN-ASNUS	false
64.225.80.213	unknown	United States	14061	DIGITALOCEAN-ASNUS	false
157.245.23.184	unknown	United States	14061	DIGITALOCEAN-ASNUS	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
209.97.177.154	zerspc.elf	Get hash	malicious	Unknown	Browse
209.97.177.154	zersh4.elf	Get hash	malicious	Unknown	Browse
64.225.80.213	zerspc.elf	Get hash	malicious	Unknown	Browse
64.225.80.213	zersh4.elf	Get hash	malicious	Unknown	Browse
157.245.23.184	zerspc.elf	Get hash	malicious	Unknown	Browse
157.245.23.184	zersh4.elf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
serisontop.dyn	nklmips.elf	Get hash	malicious	Unknown	Browse	157.245.23.184
	nklm68k.elf	Get hash	malicious	Unknown	Browse	157.245.23.184
	nabx86.elf	Get hash	malicious	Unknown	Browse	209.97.177.154
	arm.elf	Get hash	malicious	Unknown	Browse	209.97.177.154
	splppc.elf	Get hash	malicious	Unknown	Browse	64.225.80.213
	nklarm7.elf	Get hash	malicious	Unknown	Browse	157.245.23.184
	nabmpsl.elf	Get hash	malicious	Unknown	Browse	64.225.80.213
	zerspc.elf	Get hash	malicious	Unknown	Browse	64.225.80.213
	splsh4.elf	Get hash	malicious	Unknown	Browse	64.225.80.213
	splarm7.elf	Get hash	malicious	Unknown	Browse	209.97.177.154

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DIGITALOCEAN-ASNUS	zerspc.elf	Get hash	malicious	Unknown	Browse	157.245.23.184
	https://brightenbooks.com.hk/trigger.php?r_link=https://auth.khs.co.com/kQR5EF2ST6CD1OP4mQR5CD1CD1MN3QR5YZ9OP4kwmOP4cWX8m	Get hash	malicious	HTMLPhisher	Browse	142.93.33.81
	zersh4.elf	Get hash	malicious	Unknown	Browse	157.245.23.184
	https://www.easytravel.com.tw/GOMEasytravel.aspx?GO=https://kwm.nexomusic.pe/kQR5EF2ST6CD1OP4mQR5CD1CD1MN3QR5YZ9OP4kwmOP4cWX8m	Get hash	malicious	HTMLPhisher	Browse	138.197.133.161
	https://www.01caijing.com/weapons/visit.htm?go=https://auth.khs.co.com/kQR5EF2ST6CD1OP4mQR5CD1CD1MN3QR5YZ9OP4kwmOP4cWX8m	Get hash	malicious	HTMLPhisher	Browse	138.197.133.161
	https://upwork.confirmation-payment.com/51713588	Get hash	malicious	Unknown	Browse	104.131.67.145
	https://upwork.confirmation-payment.com/51713588	Get hash	malicious	Unknown	Browse	104.131.67.145
	Setup (1).exe	Get hash	malicious	Unknown	Browse	161.35.127.181
	x86.elf	Get hash	malicious	Mirai, Moobot	Browse	157.245.170.51
	https://semi-zcmp.maillist-manage.com/click/113bc2fac6fdfbf8d/113bc2fac6fdfb926	Get hash	malicious	PayPal Phisher	Browse	178.62.11.52
DIGITALOCEAN-ASNUS	zerspc.elf	Get hash	malicious	Unknown	Browse	157.245.23.184
	https://brightenbooks.com.hk/trigger.php?r_link=https://auth.khs.co.com/kQR5EF2ST6CD1OP4mQR5CD1CD1MN3QR5YZ9OP4kwmOP4cWX8m	Get hash	malicious	HTMLPhisher	Browse	142.93.33.81
	zersh4.elf	Get hash	malicious	Unknown	Browse	157.245.23.184
	https://www.easytravel.com.tw/GOMEasytravel.aspx?GO=https://kwm.nexomusic.pe/kQR5EF2ST6CD1OP4mQR5CD1CD1MN3QR5YZ9OP4kwmOP4cWX8m	Get hash	malicious	HTMLPhisher	Browse	138.197.133.161
	https://www.01caijing.com/weapons/visit.htm?go=https://auth.khs.co.com/kQR5EF2ST6CD1OP4mQR5CD1CD1MN3QR5YZ9OP4kwmOP4cWX8m	Get hash	malicious	HTMLPhisher	Browse	138.197.133.161
	https://upwork.confirmation-payment.com/51713588	Get hash	malicious	Unknown	Browse	104.131.67.145
	https://upwork.confirmation-payment.com/51713588	Get hash	malicious	Unknown	Browse	104.131.67.145
	Setup (1).exe	Get hash	malicious	Unknown	Browse	161.35.127.181
	x86.elf	Get hash	malicious	Mirai, Moobot	Browse	157.245.170.51
	https://semi-zcmp.maillist-manage.com/click/113bc2fac6fdfbf8d/113bc2fac6fdfb926	Get hash	malicious	PayPal Phisher	Browse	178.62.11.52
DIGITALOCEAN-ASNUS	zerspc.elf	Get hash	malicious	Unknown	Browse	157.245.23.184
	https://brightenbooks.com.hk/trigger.php?r_link=https://auth.khs.co.com/kQR5EF2ST6CD1OP4mQR5CD1CD1MN3QR5YZ9OP4kwmOP4cWX8m	Get hash	malicious	HTMLPhisher	Browse	142.93.33.81
	zersh4.elf	Get hash	malicious	Unknown	Browse	157.245.23.184
	https://www.easytravel.com.tw/GOMEasytravel.aspx?GO=https://kwm.nexomusic.pe/kQR5EF2ST6CD1OP4mQR5CD1CD1MN3QR5YZ9OP4kwmOP4cWX8m	Get hash	malicious	HTMLPhisher	Browse	138.197.133.161
	https://www.01caijing.com/weapons/visit.htm?go=https://auth.khs.co.com/kQR5EF2ST6CD1OP4mQR5CD1CD1MN3QR5YZ9OP4kwmOP4cWX8m	Get hash	malicious	HTMLPhisher	Browse	138.197.133.161
	https://upwork.confirmation-payment.com/51713588	Get hash	malicious	Unknown	Browse	104.131.67.145
	https://upwork.confirmation-payment.com/51713588	Get hash	malicious	Unknown	Browse	104.131.67.145
	Setup (1).exe	Get hash	malicious	Unknown	Browse	161.35.127.181
	x86.elf	Get hash	malicious	Mirai, Moobot	Browse	157.245.170.51
	https://semi-zcmp.maillist-manage.com/click/113bc2fac6fdfbf8d/113bc2fac6fdfb926	Get hash	malicious	PayPal Phisher	Browse	178.62.11.52

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.424298816526931
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	zermips.elf
File size:	64'360 bytes
MD5:	f034753a8e28e602c6d6abdd7cbf9d5a
SHA1:	022c9a7da63426d3dfd256f6622a6cf6d4f7a324
SHA256:	956083f9fb19568b62f7fd06b2a7a117e244609039c9fcc16a95140292705703
SHA512:	1ce1108a2120f99f3c3c03f5eea27591ea96ea6746f4bf1ea91c33ebefbd28473e404eb22f173f2b9f20d1eaafb3cc7d91a6ac92f15d760c556ac623ac074411
SSDEEP:	768:xOEcK9vS/EEHDw2FzEXqfL8annRQ9EOH2T8yF8lCNtNCNONBNYNHNBz8Cb9Pwhxs:1cpjDwozEs8rZ8Cb9PwhxBsoIh
TLSH:	8F53D71E2E219FACFBAC823547F78F31965833D536E1C245E15CE9011EB024E646FBA9
File Content Preview:	.ELF.....................@.`...4.........4. ...(.............@...@...........................D...D.........T........dt.Q............................<...'.tL...!'.......................<...'.t(...!... ....'9... ......................<...'.s....!........'9.

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x400260
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	63760
Section Header Size:	40
Number of Section Headers:	15
Header String Table Index:	14

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x8c	0x0	0x6	AX	4
.text	PROGBITS	0x400120	0x120	0xe940	0x0	0x6	AX	16
.fini	PROGBITS	0x40ea60	0xea60	0x5c	0x0	0x6	AX	4
.rodata	PROGBITS	0x40eac0	0xeac0	0x840	0x0	0x2	A	16
.ctors	PROGBITS	0x44f304	0xf304	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x44f30c	0xf30c	0x8	0x0	0x3	WA	4
.jcr	PROGBITS	0x44f314	0xf314	0x4	0x0	0x3	WA	4
.data.rel.ro	PROGBITS	0x44f318	0xf318	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x44f320	0xf320	0x1d0	0x0	0x3	WA	16
.got	PROGBITS	0x44f4f0	0xf4f0	0x3b4	0x4	0x10000003	WAp	16
.sbss	NOBITS	0x44f8a4	0xf8a4	0x1c	0x0	0x10000003	WAp	4
.bss	NOBITS	0x44f8c0	0xf8a4	0x298	0x0	0x3	WA	16
.mdebug.abi32	PROGBITS	0x71a	0xf8a4	0x0	0x0	0x0		1
.shstrtab	STRTAB	0x0	0xf8a4	0x69	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0xf300	0xf300	5.4535	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0xf304	0x44f304	0x44f304	0x5a0	0x854	3.6052	0x6	RW	0x10000	.ctors .dtors .jcr .data.rel.ro .data .got .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 83
• 1440 undefined
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 25, 2025 07:21:05.641881943 CET	57830	1440	192.168.2.15	209.97.177.154
Feb 25, 2025 07:21:05.648087025 CET	1440	57830	209.97.177.154	192.168.2.15
Feb 25, 2025 07:21:05.648214102 CET	57830	1440	192.168.2.15	209.97.177.154
Feb 25, 2025 07:21:05.660065889 CET	57830	1440	192.168.2.15	209.97.177.154
Feb 25, 2025 07:21:05.665237904 CET	1440	57830	209.97.177.154	192.168.2.15
Feb 25, 2025 07:21:05.665332079 CET	57830	1440	192.168.2.15	209.97.177.154
Feb 25, 2025 07:21:05.670458078 CET	1440	57830	209.97.177.154	192.168.2.15
Feb 25, 2025 07:21:15.670243025 CET	57830	1440	192.168.2.15	209.97.177.154
Feb 25, 2025 07:21:15.675374985 CET	1440	57830	209.97.177.154	192.168.2.15
Feb 25, 2025 07:21:15.896416903 CET	1440	57830	209.97.177.154	192.168.2.15
Feb 25, 2025 07:21:15.897094965 CET	57830	1440	192.168.2.15	209.97.177.154
Feb 25, 2025 07:21:15.902163029 CET	1440	57830	209.97.177.154	192.168.2.15
Feb 25, 2025 07:21:17.088059902 CET	57832	1440	192.168.2.15	209.97.177.154
Feb 25, 2025 07:21:17.093194008 CET	1440	57832	209.97.177.154	192.168.2.15
Feb 25, 2025 07:21:17.093274117 CET	57832	1440	192.168.2.15	209.97.177.154
Feb 25, 2025 07:21:17.094598055 CET	57832	1440	192.168.2.15	209.97.177.154
Feb 25, 2025 07:21:17.099576950 CET	1440	57832	209.97.177.154	192.168.2.15
Feb 25, 2025 07:21:17.099813938 CET	57832	1440	192.168.2.15	209.97.177.154
Feb 25, 2025 07:21:17.104871035 CET	1440	57832	209.97.177.154	192.168.2.15
Feb 25, 2025 07:21:27.756686926 CET	1440	57832	209.97.177.154	192.168.2.15
Feb 25, 2025 07:21:27.757401943 CET	57832	1440	192.168.2.15	209.97.177.154
Feb 25, 2025 07:21:27.762546062 CET	1440	57832	209.97.177.154	192.168.2.15
Feb 25, 2025 07:21:28.789216995 CET	37388	1440	192.168.2.15	64.225.80.213
Feb 25, 2025 07:21:28.794437885 CET	1440	37388	64.225.80.213	192.168.2.15
Feb 25, 2025 07:21:28.794548988 CET	37388	1440	192.168.2.15	64.225.80.213
Feb 25, 2025 07:21:28.797691107 CET	37388	1440	192.168.2.15	64.225.80.213
Feb 25, 2025 07:21:28.802731037 CET	1440	37388	64.225.80.213	192.168.2.15
Feb 25, 2025 07:21:28.802835941 CET	37388	1440	192.168.2.15	64.225.80.213
Feb 25, 2025 07:21:28.807955027 CET	1440	37388	64.225.80.213	192.168.2.15
Feb 25, 2025 07:21:39.429354906 CET	1440	37388	64.225.80.213	192.168.2.15
Feb 25, 2025 07:21:39.429755926 CET	37388	1440	192.168.2.15	64.225.80.213
Feb 25, 2025 07:21:39.434799910 CET	1440	37388	64.225.80.213	192.168.2.15
Feb 25, 2025 07:21:40.454376936 CET	45542	1440	192.168.2.15	157.245.23.184
Feb 25, 2025 07:21:40.459541082 CET	1440	45542	157.245.23.184	192.168.2.15
Feb 25, 2025 07:21:40.459625006 CET	45542	1440	192.168.2.15	157.245.23.184
Feb 25, 2025 07:21:40.460798979 CET	45542	1440	192.168.2.15	157.245.23.184
Feb 25, 2025 07:21:40.466420889 CET	1440	45542	157.245.23.184	192.168.2.15
Feb 25, 2025 07:21:40.466483116 CET	45542	1440	192.168.2.15	157.245.23.184
Feb 25, 2025 07:21:40.472841978 CET	1440	45542	157.245.23.184	192.168.2.15
Feb 25, 2025 07:21:51.099512100 CET	1440	45542	157.245.23.184	192.168.2.15
Feb 25, 2025 07:21:51.099948883 CET	45542	1440	192.168.2.15	157.245.23.184
Feb 25, 2025 07:21:51.105015039 CET	1440	45542	157.245.23.184	192.168.2.15
Feb 25, 2025 07:21:52.137263060 CET	37392	1440	192.168.2.15	64.225.80.213
Feb 25, 2025 07:21:52.142793894 CET	1440	37392	64.225.80.213	192.168.2.15
Feb 25, 2025 07:21:52.142874956 CET	37392	1440	192.168.2.15	64.225.80.213
Feb 25, 2025 07:21:52.144438028 CET	37392	1440	192.168.2.15	64.225.80.213
Feb 25, 2025 07:21:52.149892092 CET	1440	37392	64.225.80.213	192.168.2.15
Feb 25, 2025 07:21:52.150002956 CET	37392	1440	192.168.2.15	64.225.80.213
Feb 25, 2025 07:21:52.154983044 CET	1440	37392	64.225.80.213	192.168.2.15
Feb 25, 2025 07:22:02.845293999 CET	1440	37392	64.225.80.213	192.168.2.15
Feb 25, 2025 07:22:02.845829964 CET	37392	1440	192.168.2.15	64.225.80.213
Feb 25, 2025 07:22:02.850912094 CET	1440	37392	64.225.80.213	192.168.2.15
Feb 25, 2025 07:22:04.304980040 CET	37394	1440	192.168.2.15	64.225.80.213
Feb 25, 2025 07:22:04.310026884 CET	1440	37394	64.225.80.213	192.168.2.15
Feb 25, 2025 07:22:04.310101032 CET	37394	1440	192.168.2.15	64.225.80.213
Feb 25, 2025 07:22:04.310833931 CET	37394	1440	192.168.2.15	64.225.80.213
Feb 25, 2025 07:22:04.315869093 CET	1440	37394	64.225.80.213	192.168.2.15
Feb 25, 2025 07:22:04.315922022 CET	37394	1440	192.168.2.15	64.225.80.213
Feb 25, 2025 07:22:04.321682930 CET	1440	37394	64.225.80.213	192.168.2.15
Feb 25, 2025 07:22:14.958391905 CET	1440	37394	64.225.80.213	192.168.2.15
Feb 25, 2025 07:22:14.958525896 CET	37394	1440	192.168.2.15	64.225.80.213
Feb 25, 2025 07:22:14.963620901 CET	1440	37394	64.225.80.213	192.168.2.15
Feb 25, 2025 07:22:16.113586903 CET	37396	1440	192.168.2.15	64.225.80.213
Feb 25, 2025 07:22:16.118840933 CET	1440	37396	64.225.80.213	192.168.2.15
Feb 25, 2025 07:22:16.118911982 CET	37396	1440	192.168.2.15	64.225.80.213
Feb 25, 2025 07:22:16.120147943 CET	37396	1440	192.168.2.15	64.225.80.213
Feb 25, 2025 07:22:16.126415968 CET	1440	37396	64.225.80.213	192.168.2.15
Feb 25, 2025 07:22:16.126497030 CET	37396	1440	192.168.2.15	64.225.80.213
Feb 25, 2025 07:22:16.131553888 CET	1440	37396	64.225.80.213	192.168.2.15
Feb 25, 2025 07:22:26.127321005 CET	37396	1440	192.168.2.15	64.225.80.213
Feb 25, 2025 07:22:26.132426977 CET	1440	37396	64.225.80.213	192.168.2.15
Feb 25, 2025 07:22:26.374825954 CET	1440	37396	64.225.80.213	192.168.2.15
Feb 25, 2025 07:22:26.375116110 CET	37396	1440	192.168.2.15	64.225.80.213
Feb 25, 2025 07:22:26.380542040 CET	1440	37396	64.225.80.213	192.168.2.15
Feb 25, 2025 07:22:27.400544882 CET	57844	1440	192.168.2.15	209.97.177.154
Feb 25, 2025 07:22:27.405606985 CET	1440	57844	209.97.177.154	192.168.2.15
Feb 25, 2025 07:22:27.405689001 CET	57844	1440	192.168.2.15	209.97.177.154
Feb 25, 2025 07:22:27.406647921 CET	57844	1440	192.168.2.15	209.97.177.154
Feb 25, 2025 07:22:27.411659956 CET	1440	57844	209.97.177.154	192.168.2.15
Feb 25, 2025 07:22:27.411757946 CET	57844	1440	192.168.2.15	209.97.177.154
Feb 25, 2025 07:22:27.416778088 CET	1440	57844	209.97.177.154	192.168.2.15
Feb 25, 2025 07:22:38.082784891 CET	1440	57844	209.97.177.154	192.168.2.15
Feb 25, 2025 07:22:38.083117008 CET	57844	1440	192.168.2.15	209.97.177.154
Feb 25, 2025 07:22:38.088305950 CET	1440	57844	209.97.177.154	192.168.2.15
Feb 25, 2025 07:22:39.177150011 CET	37400	1440	192.168.2.15	64.225.80.213
Feb 25, 2025 07:22:39.182291985 CET	1440	37400	64.225.80.213	192.168.2.15
Feb 25, 2025 07:22:39.182432890 CET	37400	1440	192.168.2.15	64.225.80.213
Feb 25, 2025 07:22:39.184005976 CET	37400	1440	192.168.2.15	64.225.80.213
Feb 25, 2025 07:22:39.189073086 CET	1440	37400	64.225.80.213	192.168.2.15
Feb 25, 2025 07:22:39.189205885 CET	37400	1440	192.168.2.15	64.225.80.213
Feb 25, 2025 07:22:39.194302082 CET	1440	37400	64.225.80.213	192.168.2.15
Feb 25, 2025 07:22:49.837565899 CET	1440	37400	64.225.80.213	192.168.2.15
Feb 25, 2025 07:22:49.837733030 CET	37400	1440	192.168.2.15	64.225.80.213
Feb 25, 2025 07:22:49.842763901 CET	1440	37400	64.225.80.213	192.168.2.15
Feb 25, 2025 07:22:50.861551046 CET	57848	1440	192.168.2.15	209.97.177.154
Feb 25, 2025 07:22:50.866673946 CET	1440	57848	209.97.177.154	192.168.2.15
Feb 25, 2025 07:22:50.866746902 CET	57848	1440	192.168.2.15	209.97.177.154
Feb 25, 2025 07:22:50.867993116 CET	57848	1440	192.168.2.15	209.97.177.154
Feb 25, 2025 07:22:50.873039007 CET	1440	57848	209.97.177.154	192.168.2.15
Feb 25, 2025 07:22:50.873095036 CET	57848	1440	192.168.2.15	209.97.177.154
Feb 25, 2025 07:22:50.878156900 CET	1440	57848	209.97.177.154	192.168.2.15
Feb 25, 2025 07:23:01.512387037 CET	1440	57848	209.97.177.154	192.168.2.15
Feb 25, 2025 07:23:01.512685061 CET	57848	1440	192.168.2.15	209.97.177.154
Feb 25, 2025 07:23:01.517818928 CET	1440	57848	209.97.177.154	192.168.2.15
Feb 25, 2025 07:23:02.641144991 CET	57850	1440	192.168.2.15	209.97.177.154
Feb 25, 2025 07:23:02.646193027 CET	1440	57850	209.97.177.154	192.168.2.15
Feb 25, 2025 07:23:02.646259069 CET	57850	1440	192.168.2.15	209.97.177.154
Feb 25, 2025 07:23:02.647485018 CET	57850	1440	192.168.2.15	209.97.177.154
Feb 25, 2025 07:23:02.652518034 CET	1440	57850	209.97.177.154	192.168.2.15
Feb 25, 2025 07:23:02.652575970 CET	57850	1440	192.168.2.15	209.97.177.154
Feb 25, 2025 07:23:02.657598019 CET	1440	57850	209.97.177.154	192.168.2.15

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 25, 2025 07:21:05.600480080 CET	52418	53	192.168.2.15	185.181.61.24
Feb 25, 2025 07:21:05.640430927 CET	53	52418	185.181.61.24	192.168.2.15
Feb 25, 2025 07:21:16.901107073 CET	54189	53	192.168.2.15	185.181.61.24
Feb 25, 2025 07:21:16.934432983 CET	53	54189	185.181.61.24	192.168.2.15
Feb 25, 2025 07:21:16.936429977 CET	50632	53	192.168.2.15	185.181.61.24
Feb 25, 2025 07:21:16.972316980 CET	53	50632	185.181.61.24	192.168.2.15
Feb 25, 2025 07:21:16.973802090 CET	59722	53	192.168.2.15	185.181.61.24
Feb 25, 2025 07:21:17.009946108 CET	53	59722	185.181.61.24	192.168.2.15
Feb 25, 2025 07:21:17.011420012 CET	43608	53	192.168.2.15	185.181.61.24
Feb 25, 2025 07:21:17.049999952 CET	53	43608	185.181.61.24	192.168.2.15
Feb 25, 2025 07:21:17.051038027 CET	43655	53	192.168.2.15	185.181.61.24
Feb 25, 2025 07:21:17.087054014 CET	53	43655	185.181.61.24	192.168.2.15
Feb 25, 2025 07:21:28.761229038 CET	49593	53	192.168.2.15	51.158.108.203
Feb 25, 2025 07:21:28.787847996 CET	53	49593	51.158.108.203	192.168.2.15
Feb 25, 2025 07:21:40.432944059 CET	53169	53	192.168.2.15	194.36.144.87
Feb 25, 2025 07:21:40.453265905 CET	53	53169	194.36.144.87	192.168.2.15
Feb 25, 2025 07:21:52.103147984 CET	54376	53	192.168.2.15	81.169.136.222
Feb 25, 2025 07:21:52.135736942 CET	53	54376	81.169.136.222	192.168.2.15
Feb 25, 2025 07:22:03.849798918 CET	48932	53	192.168.2.15	168.235.111.72
Feb 25, 2025 07:22:03.939979076 CET	53	48932	168.235.111.72	192.168.2.15
Feb 25, 2025 07:22:03.941735983 CET	36838	53	192.168.2.15	168.235.111.72
Feb 25, 2025 07:22:04.032016993 CET	53	36838	168.235.111.72	192.168.2.15
Feb 25, 2025 07:22:04.034233093 CET	48428	53	192.168.2.15	168.235.111.72
Feb 25, 2025 07:22:04.123343945 CET	53	48428	168.235.111.72	192.168.2.15
Feb 25, 2025 07:22:04.125576019 CET	38447	53	192.168.2.15	168.235.111.72
Feb 25, 2025 07:22:04.215138912 CET	53	38447	168.235.111.72	192.168.2.15
Feb 25, 2025 07:22:04.216743946 CET	54118	53	192.168.2.15	168.235.111.72
Feb 25, 2025 07:22:04.304333925 CET	53	54118	168.235.111.72	192.168.2.15
Feb 25, 2025 07:22:15.961605072 CET	55156	53	192.168.2.15	81.169.136.222
Feb 25, 2025 07:22:15.988830090 CET	53	55156	81.169.136.222	192.168.2.15
Feb 25, 2025 07:22:15.990386963 CET	42632	53	192.168.2.15	81.169.136.222
Feb 25, 2025 07:22:16.020219088 CET	53	42632	81.169.136.222	192.168.2.15
Feb 25, 2025 07:22:16.021720886 CET	39581	53	192.168.2.15	81.169.136.222
Feb 25, 2025 07:22:16.049920082 CET	53	39581	81.169.136.222	192.168.2.15
Feb 25, 2025 07:22:16.051331997 CET	42223	53	192.168.2.15	81.169.136.222
Feb 25, 2025 07:22:16.081115007 CET	53	42223	81.169.136.222	192.168.2.15
Feb 25, 2025 07:22:16.082659960 CET	52563	53	192.168.2.15	81.169.136.222
Feb 25, 2025 07:22:16.112560987 CET	53	52563	81.169.136.222	192.168.2.15
Feb 25, 2025 07:22:27.378240108 CET	47715	53	192.168.2.15	51.158.108.203
Feb 25, 2025 07:22:27.399502993 CET	53	47715	51.158.108.203	192.168.2.15
Feb 25, 2025 07:22:39.086695910 CET	44490	53	192.168.2.15	168.235.111.72
Feb 25, 2025 07:22:39.175905943 CET	53	44490	168.235.111.72	192.168.2.15
Feb 25, 2025 07:22:50.841284990 CET	50989	53	192.168.2.15	194.36.144.87
Feb 25, 2025 07:22:50.860717058 CET	53	50989	194.36.144.87	192.168.2.15
Feb 25, 2025 07:23:02.516176939 CET	59836	53	192.168.2.15	194.36.144.87
Feb 25, 2025 07:23:02.541384935 CET	53	59836	194.36.144.87	192.168.2.15
Feb 25, 2025 07:23:02.543289900 CET	42428	53	192.168.2.15	194.36.144.87
Feb 25, 2025 07:23:02.562195063 CET	53	42428	194.36.144.87	192.168.2.15
Feb 25, 2025 07:23:02.564244986 CET	39374	53	192.168.2.15	194.36.144.87
Feb 25, 2025 07:23:02.590120077 CET	53	39374	194.36.144.87	192.168.2.15
Feb 25, 2025 07:23:02.592035055 CET	55367	53	192.168.2.15	194.36.144.87
Feb 25, 2025 07:23:02.617976904 CET	53	55367	194.36.144.87	192.168.2.15
Feb 25, 2025 07:23:02.620130062 CET	32861	53	192.168.2.15	194.36.144.87
Feb 25, 2025 07:23:02.640048981 CET	53	32861	194.36.144.87	192.168.2.15

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 25, 2025 07:21:05.600480080 CET	192.168.2.15	185.181.61.24	0x8c24	Standard query (0)	serisontop.dyn	A (IP address)	IN (0x0001)	false
Feb 25, 2025 07:21:16.901107073 CET	192.168.2.15	185.181.61.24	0x524d	Standard query (0)	serisbot.geek. [malformed]	256	348	false
Feb 25, 2025 07:21:16.936429977 CET	192.168.2.15	185.181.61.24	0x524d	Standard query (0)	serisbot.geek. [malformed]	256	348	false
Feb 25, 2025 07:21:16.973802090 CET	192.168.2.15	185.181.61.24	0x524d	Standard query (0)	serisbot.geek. [malformed]	256	349	false
Feb 25, 2025 07:21:17.011420012 CET	192.168.2.15	185.181.61.24	0x524d	Standard query (0)	serisbot.geek. [malformed]	256	349	false
Feb 25, 2025 07:21:17.051038027 CET	192.168.2.15	185.181.61.24	0x524d	Standard query (0)	serisbot.geek. [malformed]	256	349	false
Feb 25, 2025 07:21:28.761229038 CET	192.168.2.15	51.158.108.203	0x410b	Standard query (0)	serisontop.dyn	A (IP address)	IN (0x0001)	false
Feb 25, 2025 07:21:40.432944059 CET	192.168.2.15	194.36.144.87	0xeb09	Standard query (0)	serisontop.dyn	A (IP address)	IN (0x0001)	false
Feb 25, 2025 07:21:52.103147984 CET	192.168.2.15	81.169.136.222	0x8c66	Standard query (0)	serisontop.dyn	A (IP address)	IN (0x0001)	false
Feb 25, 2025 07:22:03.849798918 CET	192.168.2.15	168.235.111.72	0xe1a2	Standard query (0)	serisbot.geek. [malformed]	256	395	false
Feb 25, 2025 07:22:03.941735983 CET	192.168.2.15	168.235.111.72	0xe1a2	Standard query (0)	serisbot.geek. [malformed]	256	396	false
Feb 25, 2025 07:22:04.034233093 CET	192.168.2.15	168.235.111.72	0xe1a2	Standard query (0)	serisbot.geek. [malformed]	256	396	false
Feb 25, 2025 07:22:04.125576019 CET	192.168.2.15	168.235.111.72	0xe1a2	Standard query (0)	serisbot.geek. [malformed]	256	396	false
Feb 25, 2025 07:22:04.216743946 CET	192.168.2.15	168.235.111.72	0xe1a2	Standard query (0)	serisbot.geek. [malformed]	256	396	false
Feb 25, 2025 07:22:15.961605072 CET	192.168.2.15	81.169.136.222	0xb6b9	Standard query (0)	serisbot.geek. [malformed]	256	407	false
Feb 25, 2025 07:22:15.990386963 CET	192.168.2.15	81.169.136.222	0xb6b9	Standard query (0)	serisbot.geek. [malformed]	256	408	false
Feb 25, 2025 07:22:16.021720886 CET	192.168.2.15	81.169.136.222	0xb6b9	Standard query (0)	serisbot.geek. [malformed]	256	408	false
Feb 25, 2025 07:22:16.051331997 CET	192.168.2.15	81.169.136.222	0xb6b9	Standard query (0)	serisbot.geek. [malformed]	256	408	false
Feb 25, 2025 07:22:16.082659960 CET	192.168.2.15	81.169.136.222	0xb6b9	Standard query (0)	serisbot.geek. [malformed]	256	408	false
Feb 25, 2025 07:22:27.378240108 CET	192.168.2.15	51.158.108.203	0xdc68	Standard query (0)	serisontop.dyn	A (IP address)	IN (0x0001)	false
Feb 25, 2025 07:22:39.086695910 CET	192.168.2.15	168.235.111.72	0x6b64	Standard query (0)	serisontop.dyn	A (IP address)	IN (0x0001)	false
Feb 25, 2025 07:22:50.841284990 CET	192.168.2.15	194.36.144.87	0xe317	Standard query (0)	serisontop.dyn	A (IP address)	IN (0x0001)	false
Feb 25, 2025 07:23:02.516176939 CET	192.168.2.15	194.36.144.87	0xb363	Standard query (0)	serisbot.geek. [malformed]	256	454	false
Feb 25, 2025 07:23:02.543289900 CET	192.168.2.15	194.36.144.87	0xb363	Standard query (0)	serisbot.geek. [malformed]	256	454	false
Feb 25, 2025 07:23:02.564244986 CET	192.168.2.15	194.36.144.87	0xb363	Standard query (0)	serisbot.geek. [malformed]	256	454	false
Feb 25, 2025 07:23:02.592035055 CET	192.168.2.15	194.36.144.87	0xb363	Standard query (0)	serisbot.geek. [malformed]	256	454	false
Feb 25, 2025 07:23:02.620130062 CET	192.168.2.15	194.36.144.87	0xb363	Standard query (0)	serisbot.geek. [malformed]	256	454	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 25, 2025 07:21:05.640430927 CET	185.181.61.24	192.168.2.15	0x8c24	No error (0)	serisontop.dyn		209.97.177.154	A (IP address)	IN (0x0001)	false
Feb 25, 2025 07:21:05.640430927 CET	185.181.61.24	192.168.2.15	0x8c24	No error (0)	serisontop.dyn		64.225.80.213	A (IP address)	IN (0x0001)	false
Feb 25, 2025 07:21:05.640430927 CET	185.181.61.24	192.168.2.15	0x8c24	No error (0)	serisontop.dyn		157.245.23.184	A (IP address)	IN (0x0001)	false
Feb 25, 2025 07:21:28.787847996 CET	51.158.108.203	192.168.2.15	0x410b	No error (0)	serisontop.dyn		157.245.23.184	A (IP address)	IN (0x0001)	false
Feb 25, 2025 07:21:28.787847996 CET	51.158.108.203	192.168.2.15	0x410b	No error (0)	serisontop.dyn		64.225.80.213	A (IP address)	IN (0x0001)	false
Feb 25, 2025 07:21:28.787847996 CET	51.158.108.203	192.168.2.15	0x410b	No error (0)	serisontop.dyn		209.97.177.154	A (IP address)	IN (0x0001)	false
Feb 25, 2025 07:21:40.453265905 CET	194.36.144.87	192.168.2.15	0xeb09	No error (0)	serisontop.dyn		64.225.80.213	A (IP address)	IN (0x0001)	false
Feb 25, 2025 07:21:40.453265905 CET	194.36.144.87	192.168.2.15	0xeb09	No error (0)	serisontop.dyn		209.97.177.154	A (IP address)	IN (0x0001)	false
Feb 25, 2025 07:21:40.453265905 CET	194.36.144.87	192.168.2.15	0xeb09	No error (0)	serisontop.dyn		157.245.23.184	A (IP address)	IN (0x0001)	false
Feb 25, 2025 07:21:52.135736942 CET	81.169.136.222	192.168.2.15	0x8c66	No error (0)	serisontop.dyn		157.245.23.184	A (IP address)	IN (0x0001)	false
Feb 25, 2025 07:21:52.135736942 CET	81.169.136.222	192.168.2.15	0x8c66	No error (0)	serisontop.dyn		64.225.80.213	A (IP address)	IN (0x0001)	false
Feb 25, 2025 07:21:52.135736942 CET	81.169.136.222	192.168.2.15	0x8c66	No error (0)	serisontop.dyn		209.97.177.154	A (IP address)	IN (0x0001)	false
Feb 25, 2025 07:22:27.399502993 CET	51.158.108.203	192.168.2.15	0xdc68	No error (0)	serisontop.dyn		64.225.80.213	A (IP address)	IN (0x0001)	false
Feb 25, 2025 07:22:27.399502993 CET	51.158.108.203	192.168.2.15	0xdc68	No error (0)	serisontop.dyn		209.97.177.154	A (IP address)	IN (0x0001)	false
Feb 25, 2025 07:22:27.399502993 CET	51.158.108.203	192.168.2.15	0xdc68	No error (0)	serisontop.dyn		157.245.23.184	A (IP address)	IN (0x0001)	false
Feb 25, 2025 07:22:39.175905943 CET	168.235.111.72	192.168.2.15	0x6b64	No error (0)	serisontop.dyn		209.97.177.154	A (IP address)	IN (0x0001)	false
Feb 25, 2025 07:22:39.175905943 CET	168.235.111.72	192.168.2.15	0x6b64	No error (0)	serisontop.dyn		157.245.23.184	A (IP address)	IN (0x0001)	false
Feb 25, 2025 07:22:39.175905943 CET	168.235.111.72	192.168.2.15	0x6b64	No error (0)	serisontop.dyn		64.225.80.213	A (IP address)	IN (0x0001)	false
Feb 25, 2025 07:22:50.860717058 CET	194.36.144.87	192.168.2.15	0xe317	No error (0)	serisontop.dyn		209.97.177.154	A (IP address)	IN (0x0001)	false
Feb 25, 2025 07:22:50.860717058 CET	194.36.144.87	192.168.2.15	0xe317	No error (0)	serisontop.dyn		157.245.23.184	A (IP address)	IN (0x0001)	false
Feb 25, 2025 07:22:50.860717058 CET	194.36.144.87	192.168.2.15	0xe317	No error (0)	serisontop.dyn		64.225.80.213	A (IP address)	IN (0x0001)	false
Feb 25, 2025 07:23:02.541384935 CET	194.36.144.87	192.168.2.15	0xb363	Format error (1)	serisbot.geek. [malformed]	none	none	256	454	false
Feb 25, 2025 07:23:02.562195063 CET	194.36.144.87	192.168.2.15	0xb363	Format error (1)	serisbot.geek. [malformed]	none	none	256	454	false
Feb 25, 2025 07:23:02.590120077 CET	194.36.144.87	192.168.2.15	0xb363	Format error (1)	serisbot.geek. [malformed]	none	none	256	454	false
Feb 25, 2025 07:23:02.617976904 CET	194.36.144.87	192.168.2.15	0xb363	Format error (1)	serisbot.geek. [malformed]	none	none	256	454	false
Feb 25, 2025 07:23:02.640048981 CET	194.36.144.87	192.168.2.15	0xb363	Format error (1)	serisbot.geek. [malformed]	none	none	256	454	false

System Behavior

Analysis Process: zermips.elf PID: 5529, Parent PID: 5447

General

Start time (UTC):	06:21:04
Start date (UTC):	25/02/2025
Path:	/tmp/zermips.elf
Arguments:	/tmp/zermips.elf
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

File Activities

File Opened

File Read

File Moved

Process Activities

Process Forked

Prctl Requested

Thread Sleep

System Activities

Query System Information (uname)

Network Activities

Socket Listening

Socket Connecting

Chronological Activities

Analysis Process: zermips.elf PID: 5531, Parent PID: 5529

General

Start time (UTC):	06:21:04
Start date (UTC):	25/02/2025
Path:	/tmp/zermips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Process Activities

Process Forked

Thread Sleep

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: zermips.elf PID: 5533, Parent PID: 5531

General

Start time (UTC):	06:21:04
Start date (UTC):	25/02/2025
Path:	/tmp/zermips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report zermips.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: zermips.elf PID: 5529, Parent PID: 5447

General

File Activities

File Opened

File Read

File Moved

Process Activities

Process Forked

Prctl Requested

Thread Sleep

System Activities

Query System Information (uname)

Network Activities

Socket Listening

Socket Connecting

Chronological Activities

Analysis Process: zermips.elf PID: 5531, Parent PID: 5529

General

Process Activities

Process Forked

Thread Sleep

Network Activities

Socket Connecting

Linux Analysis Report
zermips.elf