
Linux Analysis Report
zerppc.elf

Overview

General Information

Sample name: zerppc.elf
Analysis ID: 1628711
MD5: 2a095201caa05215ccd347543fa492e0
SHA1: 365d60045524f624baace635f81e9a879d551323
SHA256: 64cea7624d737987bcf62053e679abc932e8c3cfce249dcda38d72a6a64e380e
Tags: elf, user-abuse_ch

Detection

Score: 52
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
Sends malformed DNS queries
Detected TCP or UDP traffic on non-standard ports
Sample has stripped symbol table
Sample listens on a socket
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1628711
Start date and time: 2025-03-04 03:49:01 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 43s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: zerppc.elf
Detection: MAL
Classification: mal52.troj.linELF@0/0@23/0
Command: /tmp/zerppc.elf
PID: 5508
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
gosh that chinese family at the other table sure ate a lot
Standard Error:
  • system is lnxubuntu20
  • zerppc.elf (PID: 5508, Parent: 5424, MD5: ae65271c943d3451b7f026d1fadccea6) Arguments: /tmp/zerppc.elf
  • cleanup
No yara matches
No Suricata rule has matched


AV Detection

Source: zerppc.elf | Virustotal: Detection: 25%
Source: zerppc.elf | ReversingLabs: Detection: 28%

Networking

Source: global traffic | DNS traffic detected: malformed DNS query: watchmepull.dyn. [malformed]
Source: global traffic | TCP traffic: 192.168.2.14:37160 -> 1.2.3.4:1440
Source: global traffic | TCP traffic: 192.168.2.14:47108 -> 46.19.143.10:1440
Source: /tmp/zerppc.elf (PID: 5508) | Socket: 127.0.0.1:39148
Source: global traffic | TCP traffic: 192.168.2.14:46540 -> 185.125.190.26:443
Source: unknown | TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown | UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown | UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown | UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown | UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown | UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown | UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: global traffic | DNS traffic detected: DNS query: ohlookthereismyboats.geek
Source: global traffic | DNS traffic detected: DNS query: watchmepull.dyn. [malformed]
Source: unknown | Network traffic detected: HTTP traffic on port 46540 -> 443
Source: ELF static info symbol of initial sample | .symtab present: no
Source: classification engine | Classification label: mal52.troj.linELF@0/0@23/0
Source: /tmp/zerppc.elf (PID: 5508) | Queries kernel information via 'uname'
Source: zerppc.elf, 5508.1.0000563d6ecd8000.0000563d6ed88000.rw-.sdmp | Binary or memory string: !/etc/qemu-binfmt/ppc1
Source: zerppc.elf, 5508.1.0000563d6ecd8000.0000563d6ed88000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/ppc
Source: zerppc.elf, 5508.1.00007ffdfae3c000.00007ffdfae5d000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-ppc
Source: zerppc.elf, 5508.1.00007ffdfae3c000.00007ffdfae5d000.rw-.sdmp | Binary or memory string: Hx86_64/usr/bin/qemu-ppc/tmp/zerppc.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/zerppc.elf
MITRE ATT&CK matrix (only the techniques the matrix marks for this sample are listed; the number is the count as rendered in the matrix cell):
  • Discovery: Security Software Discovery (11)
  • Command and Control: Encrypted Channel (1)
  • Command and Control: Non-Standard Port (1)
  • Command and Control: Non-Application Layer Protocol (1)
  • Command and Control: Application Layer Protocol (2)
No configs have been found
Behavior Graph (ID: 1628711, Sample: zerppc.elf, Startdate: 04/03/2025, Architecture: LINUX, Score: 52). The graph image is not reproduced; its node text is:
  • DNS node: watchmepull.dyn. [malformed] (signature: Sends malformed DNS queries)
  • IP node: 46.19.143.10, 1440, 47108, 47110, PLI-ASCH Switzerland
  • 2 other IPs or domains
  • Signature: Multi AV Scanner detection for submitted file
  • Process chain: zerppc.elf started zerppc.elf, which started zerppc.elf

Source | Detection | Scanner | Label
zerppc.elf | 25% | Virustotal |
zerppc.elf | 29% | ReversingLabs | Linux.Backdoor.Mirai
No Antivirus matches


Name | IP | Active | Malicious | Antivirus Detection | Reputation
ohlookthereismyboats.geek | 1.2.3.4 | true | false | | high
watchmepull.dyn. [malformed] | unknown | unknown | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
46.19.143.10 | unknown | Switzerland | 51852 | PLI-ASCH | false
1.2.3.4 | ohlookthereismyboats.geek | Australia | 13335 | CLOUDFLARENETUS | false
185.125.190.26 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
Match | Associated Sample Name / URL | Detection | Threat Name
46.19.143.10 | zerspc.elf | malicious | Unknown
46.19.143.10 | zerarm7.elf | malicious | Unknown
46.19.143.10 | zerarm7.elf | malicious | Unknown
46.19.143.10 | zerx86.elf | malicious | Unknown
46.19.143.10 | zerspc.elf | malicious | Unknown
46.19.143.10 | zerarm5.elf | malicious | Unknown
46.19.143.10 | zerm68k.elf | malicious | Unknown
46.19.143.10 | zermips.elf | malicious | Unknown
46.19.143.10 | zerppc.elf | malicious | Unknown
46.19.143.10 | zerarm.elf | malicious | Unknown
1.2.3.4 | EdiAf.x86.elf | malicious | Okiru
1.2.3.4 | debug.dbg.elf | malicious | Mirai, Okiru
1.2.3.4 | EdiAf.x86.elf | malicious | Okiru
1.2.3.4 | debug.dbg.elf | malicious | Mirai, Okiru
1.2.3.4 | RfeGlbGe3t.exe | malicious | AveMaria, UACMe
1.2.3.4 | test.exe | malicious | Metasploit
1.2.3.4 | T4148lxE0N.exe | malicious | AveMaria, PrivateLoader, UACMe
1.2.3.4 | P.O.#20(Ageless_15)for_C-Max_Canada.exe | malicious | AveMaria, UACMe
1.2.3.4 | SecuriteInfo.com.Variant.Bulz.89663.251.20581.exe | malicious | AveMaria, DBatLoader, UACMe
1.2.3.4 | Approved PO - GF-A104-PO-060.exe | malicious | AveMaria, DBatLoader, UACMe
185.125.190.26 | na.elf | malicious | Prometei
185.125.190.26 | na.elf | malicious | Prometei
185.125.190.26 | mips.elf | malicious | Mirai
185.125.190.26 | mips.elf | malicious | Mirai
185.125.190.26 | yakov.arm6.elf | malicious | Mirai
185.125.190.26 | jackmyx86.elf | malicious | Gafgyt, Mirai
185.125.190.26 | main_arm5.elf | malicious | Mirai
185.125.190.26 | na.elf | malicious | Prometei
185.125.190.26 | na.elf | malicious | Prometei
185.125.190.26 | owari.sh4.elf | malicious | Unknown
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ohlookthereismyboats.geek | zerspc.elf | malicious | Unknown | 46.19.143.10
ohlookthereismyboats.geek | nabarm5.elf | malicious | Unknown | 46.19.143.10
ohlookthereismyboats.geek | nabmpsl.elf | malicious | Unknown | 46.19.143.10
ohlookthereismyboats.geek | nklmips.elf | malicious | Unknown | 46.19.143.10
ohlookthereismyboats.geek | mpsl.elf | malicious | Unknown | 1.2.3.4
ohlookthereismyboats.geek | jklarm7.elf | malicious | Unknown | 46.19.143.10
ohlookthereismyboats.geek | nabppc.elf | malicious | Unknown | 46.19.143.10
ohlookthereismyboats.geek | nabarm7.elf | malicious | Unknown | 46.19.143.10
ohlookthereismyboats.geek | nklmpsl.elf | malicious | Unknown | 46.19.143.10
ohlookthereismyboats.geek | zerarm7.elf | malicious | Unknown | 46.19.143.10
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CANONICAL-ASGB | nabarm6.elf | malicious | Unknown | 91.189.91.42
CANONICAL-ASGB | na.elf | malicious | Prometei | 91.189.91.42
CANONICAL-ASGB | na.elf | malicious | Prometei | 91.189.91.42
CANONICAL-ASGB | na.elf | malicious | Prometei | 91.189.91.42
CANONICAL-ASGB | na.elf | malicious | Prometei | 91.189.91.42
CANONICAL-ASGB | na.elf | malicious | Prometei | 91.189.91.42
CANONICAL-ASGB | na.elf | malicious | Prometei | 91.189.91.42
CANONICAL-ASGB | na.elf | malicious | Prometei | 91.189.91.42
CANONICAL-ASGB | na.elf | malicious | Prometei | 91.189.91.42
CANONICAL-ASGB | sshd.elf | malicious | Unknown | 91.189.91.42
PLI-ASCH | zerspc.elf | malicious | Unknown | 46.19.143.10
PLI-ASCH | zerarm7.elf | malicious | Unknown | 46.19.143.10
PLI-ASCH | zerarm7.elf | malicious | Unknown | 46.19.143.10
PLI-ASCH | zerx86.elf | malicious | Unknown | 46.19.143.10
PLI-ASCH | zerspc.elf | malicious | Unknown | 46.19.143.10
PLI-ASCH | zerarm5.elf | malicious | Unknown | 46.19.143.10
PLI-ASCH | zerm68k.elf | malicious | Unknown | 46.19.143.10
PLI-ASCH | zermips.elf | malicious | Unknown | 46.19.143.10
PLI-ASCH | zerppc.elf | malicious | Unknown | 46.19.143.10
PLI-ASCH | zerarm.elf | malicious | Unknown | 46.19.143.10
CLOUDFLARENETUS | WANG DA - VESSEL'S DESCRIPTION.pdf.scr.exe | malicious | GuLoader, Snake Keylogger | 104.21.32.1
CLOUDFLARENETUS | pGOrhjLXy3.exe | malicious | Amadey, LummaC Stealer, Stealc | 188.114.96.3
CLOUDFLARENETUS | splarm5.elf | malicious | Unknown | 172.68.102.148
CLOUDFLARENETUS | leFhB1aYaW.exe | malicious | DCRat | 104.21.13.94
CLOUDFLARENETUS | https://zooominvitee.de/windows | malicious | Unknown | 104.21.96.61
CLOUDFLARENETUS | QUOTATTION_LIST.exe | malicious | FormBook | 104.21.41.115
CLOUDFLARENETUS | https://translate.google.com/translate?sl=auto&tl=en&hl=en&u=sparscreations.com/stagging/web/go.php?click=0095_5_copy%26googlePIDR=mkuper@spectrum360.org%26id_list=rTpJWSNUVWVWowOMx | malicious | GRQ Scam | 1.1.1.1
CLOUDFLARENETUS | https://hvh.to/test/test1/Duck_Support%20Tool.exe | malicious | Unknown | 104.26.9.187
CLOUDFLARENETUS | https://hvh.to/test/test1/TroubleShooter.exe | malicious | Unknown | 104.16.184.241
CLOUDFLARENETUS | splarm7.elf | malicious | Unknown | 1.4.51.26
No context
No created / dropped files found
File type: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
Entropy (8bit): 6.149410784927182
TrID:
  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: zerppc.elf
File size: 50'524 bytes
MD5: 2a095201caa05215ccd347543fa492e0
SHA1: 365d60045524f624baace635f81e9a879d551323
SHA256: 64cea7624d737987bcf62053e679abc932e8c3cfce249dcda38d72a6a64e380e
SHA512: e0023051f135f3a0c0bdbd01aba674021f6228a24be8ec6c302009c5ad5d907b8c967500fc666434ea791cc64c46d35830cf7380168b3060c8e68aeadba89d9b
SSDEEP: 768:LwzEhpJvxRGtaXqSEYdisivo/JngRb+mpvuSeFzXDiN9cM6:cAhvZ4SEYdisiogFfuSe1T
TLSH: F733390272180A47D5665EB0393F1BE093BFFE9025E4B6C9794FCA468672E370486F9D
File Content Preview: .ELF...........................4...T.....4. ...(..........................................................%.........dt.Q.............................!..|......$H...H......$8!. |...N.. .!..|.......?..........h..../...@..\?........+../...A..$8...})......N..

ELF header

Class: ELF32
Data: 2's complement, big endian
Version: 1 (current)
Machine: PowerPC
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x100001f0
Flags: 0x0
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 3
Section Header Offset: 50004
Section Header Size: 40
Number of Section Headers: 13
Header String Table Index: 12
Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
 | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
.init | PROGBITS | 0x10000094 | 0x94 | 0x24 | 0x0 | 0x6 | AX | 0 | 0 | 4
.text | PROGBITS | 0x100000b8 | 0xb8 | 0xb46c | 0x0 | 0x6 | AX | 0 | 0 | 4
.fini | PROGBITS | 0x1000b524 | 0xb524 | 0x20 | 0x0 | 0x6 | AX | 0 | 0 | 4
.rodata | PROGBITS | 0x1000b544 | 0xb544 | 0x8b0 | 0x0 | 0x2 | A | 0 | 0 | 4
.ctors | PROGBITS | 0x1001c000 | 0xc000 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.dtors | PROGBITS | 0x1001c008 | 0xc008 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.jcr | PROGBITS | 0x1001c010 | 0xc010 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4
.data | PROGBITS | 0x1001c018 | 0xc018 | 0x2b8 | 0x0 | 0x3 | WA | 0 | 0 | 8
.sdata | PROGBITS | 0x1001c2d0 | 0xc2d0 | 0x34 | 0x0 | 0x3 | WA | 0 | 0 | 4
.sbss | NOBITS | 0x1001c304 | 0xc304 | 0x64 | 0x0 | 0x3 | WA | 0 | 0 | 4
.bss | NOBITS | 0x1001c368 | 0xc304 | 0x221c | 0x0 | 0x3 | WA | 0 | 0 | 4
.shstrtab | STRTAB | 0x0 | 0xc304 | 0x50 | 0x0 | 0x0 | | 0 | 0 | 1

Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0x10000000 | 0x10000000 | 0xbdf4 | 0xbdf4 | 6.2532 | 0x5 | R E | 0x10000 | | .init .text .fini .rodata
LOAD | 0xc000 | 0x1001c000 | 0x1001c000 | 0x304 | 0x2584 | 2.3121 | 0x6 | RW | 0x10000 | | .ctors .dtors .jcr .data .sdata .sbss .bss
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x4 | |


  • Total Packets: 61
  • 1440 (undefined)
  • 443 (HTTPS)
  • 53 (DNS)
                                                                  Mar 4, 2025 03:51:59.829716921 CET471081440192.168.2.1446.19.143.10
                                                                  Mar 4, 2025 03:51:59.834737062 CET14404710846.19.143.10192.168.2.14
                                                                  Mar 4, 2025 03:52:00.871721983 CET471101440192.168.2.1446.19.143.10
                                                                  Mar 4, 2025 03:52:00.876714945 CET14404711046.19.143.10192.168.2.14
                                                                  Mar 4, 2025 03:52:00.876785040 CET471101440192.168.2.1446.19.143.10
                                                                  Mar 4, 2025 03:52:00.877974987 CET471101440192.168.2.1446.19.143.10
                                                                  Mar 4, 2025 03:52:00.883013010 CET14404711046.19.143.10192.168.2.14
                                                                  Mar 4, 2025 03:52:00.883055925 CET471101440192.168.2.1446.19.143.10
                                                                  Mar 4, 2025 03:52:00.888042927 CET14404711046.19.143.10192.168.2.14
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 4, 2025 03:49:56.137732983 CET | 36347 | 53 | 192.168.2.14 | 51.158.108.203
Mar 4, 2025 03:49:56.153845072 CET | 53 | 36347 | 51.158.108.203 | 192.168.2.14
Mar 4, 2025 03:50:18.552638054 CET | 56829 | 53 | 192.168.2.14 | 168.235.111.72
Mar 4, 2025 03:50:18.640464067 CET | 53 | 56829 | 168.235.111.72 | 192.168.2.14
Mar 4, 2025 03:50:18.642621040 CET | 32828 | 53 | 192.168.2.14 | 168.235.111.72
Mar 4, 2025 03:50:18.731833935 CET | 53 | 32828 | 168.235.111.72 | 192.168.2.14
Mar 4, 2025 03:50:18.734164953 CET | 43722 | 53 | 192.168.2.14 | 168.235.111.72
Mar 4, 2025 03:50:18.823256016 CET | 53 | 43722 | 168.235.111.72 | 192.168.2.14
Mar 4, 2025 03:50:18.825778008 CET | 45985 | 53 | 192.168.2.14 | 168.235.111.72
Mar 4, 2025 03:50:18.915410042 CET | 53 | 45985 | 168.235.111.72 | 192.168.2.14
Mar 4, 2025 03:50:18.917722940 CET | 44835 | 53 | 192.168.2.14 | 168.235.111.72
Mar 4, 2025 03:50:19.007631063 CET | 53 | 44835 | 168.235.111.72 | 192.168.2.14
Mar 4, 2025 03:50:41.395248890 CET | 45822 | 53 | 192.168.2.14 | 202.61.197.122
Mar 4, 2025 03:50:41.412998915 CET | 53 | 45822 | 202.61.197.122 | 192.168.2.14
Mar 4, 2025 03:50:41.414518118 CET | 53802 | 53 | 192.168.2.14 | 202.61.197.122
Mar 4, 2025 03:50:41.433144093 CET | 53 | 53802 | 202.61.197.122 | 192.168.2.14
Mar 4, 2025 03:50:41.434334040 CET | 41123 | 53 | 192.168.2.14 | 202.61.197.122
Mar 4, 2025 03:50:41.452203035 CET | 53 | 41123 | 202.61.197.122 | 192.168.2.14
Mar 4, 2025 03:50:41.453078985 CET | 57019 | 53 | 192.168.2.14 | 202.61.197.122
Mar 4, 2025 03:50:41.470885038 CET | 53 | 57019 | 202.61.197.122 | 192.168.2.14
Mar 4, 2025 03:50:41.472100973 CET | 43488 | 53 | 192.168.2.14 | 202.61.197.122
Mar 4, 2025 03:50:41.489968061 CET | 53 | 43488 | 202.61.197.122 | 192.168.2.14
Mar 4, 2025 03:51:03.918741941 CET | 36200 | 53 | 192.168.2.14 | 152.53.15.127
Mar 4, 2025 03:51:03.942274094 CET | 53 | 36200 | 152.53.15.127 | 192.168.2.14
Mar 4, 2025 03:51:03.943924904 CET | 48037 | 53 | 192.168.2.14 | 152.53.15.127
Mar 4, 2025 03:51:03.961278915 CET | 53 | 48037 | 152.53.15.127 | 192.168.2.14
Mar 4, 2025 03:51:03.962516069 CET | 33953 | 53 | 192.168.2.14 | 152.53.15.127
Mar 4, 2025 03:51:03.979909897 CET | 53 | 33953 | 152.53.15.127 | 192.168.2.14
Mar 4, 2025 03:51:03.981084108 CET | 37956 | 53 | 192.168.2.14 | 152.53.15.127
Mar 4, 2025 03:51:03.998465061 CET | 53 | 37956 | 152.53.15.127 | 192.168.2.14
Mar 4, 2025 03:51:03.999903917 CET | 57654 | 53 | 192.168.2.14 | 152.53.15.127
Mar 4, 2025 03:51:04.017465115 CET | 53 | 57654 | 152.53.15.127 | 192.168.2.14
Mar 4, 2025 03:51:26.396570921 CET | 51342 | 53 | 192.168.2.14 | 168.235.111.72
Mar 4, 2025 03:51:26.485341072 CET | 53 | 51342 | 168.235.111.72 | 192.168.2.14
Mar 4, 2025 03:51:26.487096071 CET | 34155 | 53 | 192.168.2.14 | 168.235.111.72
Mar 4, 2025 03:51:26.574949026 CET | 53 | 34155 | 168.235.111.72 | 192.168.2.14
Mar 4, 2025 03:51:26.576780081 CET | 41871 | 53 | 192.168.2.14 | 168.235.111.72
Mar 4, 2025 03:51:26.664207935 CET | 53 | 41871 | 168.235.111.72 | 192.168.2.14
Mar 4, 2025 03:51:26.665575027 CET | 54505 | 53 | 192.168.2.14 | 168.235.111.72
Mar 4, 2025 03:51:26.758564949 CET | 53 | 54505 | 168.235.111.72 | 192.168.2.14
Mar 4, 2025 03:51:26.759918928 CET | 45722 | 53 | 192.168.2.14 | 168.235.111.72
Mar 4, 2025 03:51:26.848625898 CET | 53 | 45722 | 168.235.111.72 | 192.168.2.14
Mar 4, 2025 03:51:49.242033958 CET | 45901 | 53 | 192.168.2.14 | 194.36.144.87
Mar 4, 2025 03:51:49.259319067 CET | 53 | 45901 | 194.36.144.87 | 192.168.2.14
Mar 4, 2025 03:52:00.833379984 CET | 50126 | 53 | 192.168.2.14 | 185.181.61.24
Mar 4, 2025 03:52:00.870851994 CET | 53 | 50126 | 185.181.61.24 | 192.168.2.14
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type / Class (run together for the malformed queries) | DNS over HTTPS
Mar 4, 2025 03:49:56.137732983 CET | 192.168.2.14 | 51.158.108.203 | 0xdc7e | Standard query (0) | ohlookthereismyboats.geek | A (IP address) / IN (0x0001) | false
Mar 4, 2025 03:50:18.552638054 CET | 192.168.2.14 | 168.235.111.72 | 0x17af | Standard query (0) | watchmepull.dyn. [malformed] | 256362 | false
Mar 4, 2025 03:50:18.642621040 CET | 192.168.2.14 | 168.235.111.72 | 0x17af | Standard query (0) | watchmepull.dyn. [malformed] | 256362 | false
Mar 4, 2025 03:50:18.734164953 CET | 192.168.2.14 | 168.235.111.72 | 0x17af | Standard query (0) | watchmepull.dyn. [malformed] | 256362 | false
Mar 4, 2025 03:50:18.825778008 CET | 192.168.2.14 | 168.235.111.72 | 0x17af | Standard query (0) | watchmepull.dyn. [malformed] | 256362 | false
Mar 4, 2025 03:50:18.917722940 CET | 192.168.2.14 | 168.235.111.72 | 0x17af | Standard query (0) | watchmepull.dyn. [malformed] | 256363 | false
Mar 4, 2025 03:50:41.395248890 CET | 192.168.2.14 | 202.61.197.122 | 0xa7f | Standard query (0) | watchmepull.dyn. [malformed] | 256385 | false
Mar 4, 2025 03:50:41.414518118 CET | 192.168.2.14 | 202.61.197.122 | 0xa7f | Standard query (0) | watchmepull.dyn. [malformed] | 256385 | false
Mar 4, 2025 03:50:41.434334040 CET | 192.168.2.14 | 202.61.197.122 | 0xa7f | Standard query (0) | watchmepull.dyn. [malformed] | 256385 | false
Mar 4, 2025 03:50:41.453078985 CET | 192.168.2.14 | 202.61.197.122 | 0xa7f | Standard query (0) | watchmepull.dyn. [malformed] | 256385 | false
Mar 4, 2025 03:50:41.472100973 CET | 192.168.2.14 | 202.61.197.122 | 0xa7f | Standard query (0) | watchmepull.dyn. [malformed] | 256385 | false
Mar 4, 2025 03:51:03.918741941 CET | 192.168.2.14 | 152.53.15.127 | 0x9cc9 | Standard query (0) | watchmepull.dyn. [malformed] | 256407 | false
Mar 4, 2025 03:51:03.943924904 CET | 192.168.2.14 | 152.53.15.127 | 0x9cc9 | Standard query (0) | watchmepull.dyn. [malformed] | 256407 | false
Mar 4, 2025 03:51:03.962516069 CET | 192.168.2.14 | 152.53.15.127 | 0x9cc9 | Standard query (0) | watchmepull.dyn. [malformed] | 256407 | false
Mar 4, 2025 03:51:03.981084108 CET | 192.168.2.14 | 152.53.15.127 | 0x9cc9 | Standard query (0) | watchmepull.dyn. [malformed] | 256407 | false
Mar 4, 2025 03:51:03.999903917 CET | 192.168.2.14 | 152.53.15.127 | 0x9cc9 | Standard query (0) | watchmepull.dyn. [malformed] | 256408 | false
Mar 4, 2025 03:51:26.396570921 CET | 192.168.2.14 | 168.235.111.72 | 0x3b54 | Standard query (0) | watchmepull.dyn. [malformed] | 256430 | false
Mar 4, 2025 03:51:26.487096071 CET | 192.168.2.14 | 168.235.111.72 | 0x3b54 | Standard query (0) | watchmepull.dyn. [malformed] | 256430 | false
Mar 4, 2025 03:51:26.576780081 CET | 192.168.2.14 | 168.235.111.72 | 0x3b54 | Standard query (0) | watchmepull.dyn. [malformed] | 256430 | false
Mar 4, 2025 03:51:26.665575027 CET | 192.168.2.14 | 168.235.111.72 | 0x3b54 | Standard query (0) | watchmepull.dyn. [malformed] | 256430 | false
Mar 4, 2025 03:51:26.759918928 CET | 192.168.2.14 | 168.235.111.72 | 0x3b54 | Standard query (0) | watchmepull.dyn. [malformed] | 256430 | false
Mar 4, 2025 03:51:49.242033958 CET | 192.168.2.14 | 194.36.144.87 | 0x4c50 | Standard query (0) | ohlookthereismyboats.geek | A (IP address) / IN (0x0001) | false
Mar 4, 2025 03:52:00.833379984 CET | 192.168.2.14 | 185.181.61.24 | 0x6c55 | Standard query (0) | ohlookthereismyboats.geek | A (IP address) / IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type / Class (run together for the malformed queries) | DNS over HTTPS
Mar 4, 2025 03:49:56.153845072 CET | 51.158.108.203 | 192.168.2.14 | 0xdc7e | No error (0) | ohlookthereismyboats.geek | | 1.2.3.4 | A (IP address) / IN (0x0001) | false
Mar 4, 2025 03:51:03.942274094 CET | 152.53.15.127 | 192.168.2.14 | 0x9cc9 | Format error (1) | watchmepull.dyn. [malformed] | none | none | 256407 | false
Mar 4, 2025 03:51:03.961278915 CET | 152.53.15.127 | 192.168.2.14 | 0x9cc9 | Format error (1) | watchmepull.dyn. [malformed] | none | none | 256407 | false
Mar 4, 2025 03:51:03.979909897 CET | 152.53.15.127 | 192.168.2.14 | 0x9cc9 | Format error (1) | watchmepull.dyn. [malformed] | none | none | 256407 | false
Mar 4, 2025 03:51:03.998465061 CET | 152.53.15.127 | 192.168.2.14 | 0x9cc9 | Format error (1) | watchmepull.dyn. [malformed] | none | none | 256407 | false
Mar 4, 2025 03:51:04.017465115 CET | 152.53.15.127 | 192.168.2.14 | 0x9cc9 | Format error (1) | watchmepull.dyn. [malformed] | none | none | 256408 | false
Mar 4, 2025 03:51:49.259319067 CET | 194.36.144.87 | 192.168.2.14 | 0x4c50 | No error (0) | ohlookthereismyboats.geek | | 46.19.143.10 | A (IP address) / IN (0x0001) | false
Mar 4, 2025 03:52:00.870851994 CET | 185.181.61.24 | 192.168.2.14 | 0x6c55 | No error (0) | ohlookthereismyboats.geek | | 46.19.143.10 | A (IP address) / IN (0x0001) | false

System Behavior

Start time (UTC): 02:49:55
Start date (UTC): 04/03/2025
Path: /tmp/zerppc.elf
Arguments: /tmp/zerppc.elf
File size: 5388968 bytes
MD5 hash: ae65271c943d3451b7f026d1fadccea6

Start time (UTC): 02:49:55
Start date (UTC): 04/03/2025
Path: /tmp/zerppc.elf
Arguments: -
File size: 5388968 bytes
MD5 hash: ae65271c943d3451b7f026d1fadccea6

Start time (UTC): 02:49:55
Start date (UTC): 04/03/2025
Path: /tmp/zerppc.elf
Arguments: -
File size: 5388968 bytes
MD5 hash: ae65271c943d3451b7f026d1fadccea6