
Linux Analysis Report
zermips.elf

Overview

General Information

Sample name:zermips.elf
Analysis ID:1628717
MD5:d84eb4d133bda9dff840c3202ba5e52d
SHA1:851a03e9ea302afdde49a182ecba03ca0d3daa6b
SHA256:22a9d983c2eda46c0360c88eab77a9fcf2eb64d9c966e6843aa95c543ee925fa
Tags:elfuser-abuse_ch

Detection

Score:52
Range:0 - 100

Signatures

Multi AV Scanner detection for submitted file
Sends malformed DNS queries
Detected TCP or UDP traffic on non-standard ports
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Classification chart (rendered as a graphic in the original report): categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale clean / suspicious / malicious.
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1628717
Start date and time:2025-03-04 03:57:12 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 29s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:zermips.elf
Detection:MAL
Classification:mal52.troj.linELF@0/0@28/0
Command:/tmp/zermips.elf
PID:5436
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
gosh that chinese family at the other table sure ate a lot
Standard Error:
  • system is lnxubuntu20
  • zermips.elf (PID: 5436, Parent: 5359, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/zermips.elf
  • cleanup
No yara matches
No Suricata rule has matched


AV Detection

Source: zermips.elf | Virustotal: Detection: 23%
Source: zermips.elf | ReversingLabs: Detection: 28%

Networking

Source: global traffic | DNS traffic detected: malformed DNS query: watchmepull.dyn. [malformed]
Source: global traffic | TCP traffic: 192.168.2.13:36954 -> 46.19.143.10:1440
Source: global traffic | TCP traffic: 192.168.2.13:33336 -> 185.159.74.127:1440
Source: /tmp/zermips.elf (PID: 5436) | Socket: 127.0.0.1:39148
Source: unknown | UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown | UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown | UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown | UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown | UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown | UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: global traffic | DNS traffic detected: DNS query: ohlookthereismyboats.geek
Source: global traffic | DNS traffic detected: DNS query: watchmepull.dyn. [malformed]
Source: ELF static info symbol of initial sample | .symtab present: no
Source: classification engine | Classification label: mal52.troj.linELF@0/0@28/0
Source: /tmp/zermips.elf (PID: 5436) | Queries kernel information via 'uname'
Source: zermips.elf, 5436.1.000055781d3f2000.000055781d479000.rw-.sdmp | Binary or memory string: xU!/etc/qemu-binfmt/mips
Source: zermips.elf, 5436.1.000055781d3f2000.000055781d479000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/mips
Source: zermips.elf, 5436.1.00007ffe3833c000.00007ffe3835d000.rw-.sdmp | Binary or memory string: Vlx86_64/usr/bin/qemu-mips/tmp/zermips.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/zermips.elf
Source: zermips.elf, 5436.1.00007ffe3833c000.00007ffe3835d000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-mips
MITRE ATT&CK matrix (rendered as a graphic in the original report; only the cells the sample matched are listed, with the signature count shown per cell): Discovery: Security Software Discovery (1); Command and Control: Non-Standard Port (1), Non-Application Layer Protocol (1), Application Layer Protocol (1).
No configs have been found
Behavior graph (ID: 1628717, Sample: zermips.elf, Start date: 04/03/2025, Architecture: LINUX, Score: 52), rendered as a graphic in the original report. Process nodes: zermips.elf starts a child zermips.elf, which in turn starts another zermips.elf. Network nodes: watchmepull.dyn. [malformed] (signature: Sends malformed DNS queries); 185.159.74.127, ports 1440, 33336, 33338 (SAYFANETTR, Georgia); ohlookthereismyboats.geek / 46.19.143.10, ports 1440, 36954, 36956 (PLI-ASCH, Switzerland). Signature on the sample node: Multi AV Scanner detection for submitted file.

Source | Detection | Scanner | Label
zermips.elf | 24% | Virustotal |
zermips.elf | 29% | ReversingLabs | Linux.Backdoor.Mirai
No Antivirus matches


Name | IP | Active | Malicious | Antivirus Detection | Reputation
ohlookthereismyboats.geek | 46.19.143.10 | true | false | | high
watchmepull.dyn. [malformed] | unknown | unknown | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
46.19.143.10 | ohlookthereismyboats.geek | Switzerland | 51852 | PLI-ASCH | false
185.159.74.127 | unknown | Georgia | 59447 | SAYFANETTR | false
                            No created / dropped files found
                            File type:ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
                            Entropy (8bit):5.293526990698313
                            TrID:
                            • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                            File name:zermips.elf
                            File size:68'420 bytes
                            MD5:d84eb4d133bda9dff840c3202ba5e52d
                            SHA1:851a03e9ea302afdde49a182ecba03ca0d3daa6b
                            SHA256:22a9d983c2eda46c0360c88eab77a9fcf2eb64d9c966e6843aa95c543ee925fa
                            SHA512:4c390f8547963dd2a4ce5ee0ac27ff3e311e62106ef8976e4ffa23c882e05bdb3ef508517c13c0e0b1a54b601d18f38f9f28b3169417d2fe333120c8e2ec48ff
                            SSDEEP:768:MsWD8BAejTQ279TrWJgsbleCiUNkjaXHU4//ml3A1IyTkT5TqTRT8T8TjF5tPEk6:MZ8BH79/WJg+A2085tckus1Yx1ODbJJq
                            TLSH:4863B50D6E22CFADFBACC63547B78A219358378A36D1D185E15CEA011F7024E641FBB9
                            File Content Preview:.ELF.....................@.`...4.........4. ...(.............@...@.....0...0.................E...E........+`........dt.Q............................<...'......!'.......................<...'..x...!... ....'9... ......................<...'..H...!........'9.

                            ELF header

                            Class:ELF32
                            Data:2's complement, big endian
                            Version:1 (current)
                            Machine:MIPS R3000
                            Version Number:0x1
                            Type:EXEC (Executable file)
                            OS/ABI:UNIX - System V
                            ABI Version:0
                            Entry Point Address:0x400260
                            Flags:0x1007
                            ELF Header Size:52
                            Program Header Offset:52
                            Program Header Size:32
                            Number of Program Headers:3
                            Section Header Offset:67820
                            Section Header Size:40
                            Number of Section Headers:15
                            Header String Table Index:14
Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
 | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
.init | PROGBITS | 0x400094 | 0x94 | 0x8c | 0x0 | 0x6 | AX | 0 | 0 | 4
.text | PROGBITS | 0x400120 | 0x120 | 0xeec0 | 0x0 | 0x6 | AX | 0 | 0 | 16
.fini | PROGBITS | 0x40efe0 | 0xefe0 | 0x5c | 0x0 | 0x6 | AX | 0 | 0 | 4
.rodata | PROGBITS | 0x40f040 | 0xf040 | 0x8f0 | 0x0 | 0x2 | A | 0 | 0 | 16
.ctors | PROGBITS | 0x450000 | 0x10000 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.dtors | PROGBITS | 0x450008 | 0x10008 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.jcr | PROGBITS | 0x450010 | 0x10010 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4
.data.rel.ro | PROGBITS | 0x450014 | 0x10014 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.data | PROGBITS | 0x450020 | 0x10020 | 0x320 | 0x0 | 0x3 | WA | 0 | 0 | 16
.got | PROGBITS | 0x450340 | 0x10340 | 0x540 | 0x4 | 0x10000003 | WAp | 0 | 0 | 16
.sbss | NOBITS | 0x450880 | 0x10880 | 0x1c | 0x0 | 0x10000003 | WAp | 0 | 0 | 4
.bss | NOBITS | 0x4508a0 | 0x10880 | 0x22c0 | 0x0 | 0x3 | WA | 0 | 0 | 16
.mdebug.abi32 | PROGBITS | 0xab0 | 0x10880 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 1
.shstrtab | STRTAB | 0x0 | 0x10880 | 0x69 | 0x0 | 0x0 | | 0 | 0 | 1
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0x400000 | 0x400000 | 0xf930 | 0xf930 | 5.4435 | 0x5 | R E | 0x10000 | | .init .text .fini .rodata
LOAD | 0x10000 | 0x450000 | 0x450000 | 0x880 | 0x2b60 | 2.9510 | 0x6 | RW | 0x10000 | | .ctors .dtors .jcr .data.rel.ro .data .got .sbss .bss
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 | |


• Total Packets: 71
• Port 1440 (undefined)
• Port 53 (DNS)
                            TimestampSource PortDest PortSource IPDest IP
                            Mar 4, 2025 03:57:54.720674038 CET369541440192.168.2.1346.19.143.10
                            Mar 4, 2025 03:57:54.726485968 CET14403695446.19.143.10192.168.2.13
                            Mar 4, 2025 03:57:54.726602077 CET369541440192.168.2.1346.19.143.10
                            Mar 4, 2025 03:57:54.740840912 CET369541440192.168.2.1346.19.143.10
                            Mar 4, 2025 03:57:54.745944977 CET14403695446.19.143.10192.168.2.13
                            Mar 4, 2025 03:57:54.746007919 CET369541440192.168.2.1346.19.143.10
                            Mar 4, 2025 03:57:54.751023054 CET14403695446.19.143.10192.168.2.13
                            Mar 4, 2025 03:58:04.751363039 CET369541440192.168.2.1346.19.143.10
                            Mar 4, 2025 03:58:04.756548882 CET14403695446.19.143.10192.168.2.13
                            Mar 4, 2025 03:58:04.942691088 CET14403695446.19.143.10192.168.2.13
                            Mar 4, 2025 03:58:04.943193913 CET369541440192.168.2.1346.19.143.10
                            Mar 4, 2025 03:58:04.948462009 CET14403695446.19.143.10192.168.2.13
                            Mar 4, 2025 03:58:30.979026079 CET369561440192.168.2.1346.19.143.10
                            Mar 4, 2025 03:58:30.984236002 CET14403695646.19.143.10192.168.2.13
                            Mar 4, 2025 03:58:30.984343052 CET369561440192.168.2.1346.19.143.10
                            Mar 4, 2025 03:58:30.985416889 CET369561440192.168.2.1346.19.143.10
                            Mar 4, 2025 03:58:30.990406990 CET14403695646.19.143.10192.168.2.13
                            Mar 4, 2025 03:58:30.990509033 CET369561440192.168.2.1346.19.143.10
                            Mar 4, 2025 03:58:30.995575905 CET14403695646.19.143.10192.168.2.13
                            Mar 4, 2025 03:58:41.540158987 CET14403695646.19.143.10192.168.2.13
                            Mar 4, 2025 03:58:41.540409088 CET369561440192.168.2.1346.19.143.10
                            Mar 4, 2025 03:58:41.545459032 CET14403695646.19.143.10192.168.2.13
                            Mar 4, 2025 03:58:42.642504930 CET369581440192.168.2.1346.19.143.10
                            Mar 4, 2025 03:58:42.647582054 CET14403695846.19.143.10192.168.2.13
                            Mar 4, 2025 03:58:42.647650957 CET369581440192.168.2.1346.19.143.10
                            Mar 4, 2025 03:58:42.648508072 CET369581440192.168.2.1346.19.143.10
                            Mar 4, 2025 03:58:42.653538942 CET14403695846.19.143.10192.168.2.13
                            Mar 4, 2025 03:58:42.653613091 CET369581440192.168.2.1346.19.143.10
                            Mar 4, 2025 03:58:42.658710957 CET14403695846.19.143.10192.168.2.13
                            Mar 4, 2025 03:58:53.202948093 CET14403695846.19.143.10192.168.2.13
                            Mar 4, 2025 03:58:53.203284979 CET369581440192.168.2.1346.19.143.10
                            Mar 4, 2025 03:58:53.208389044 CET14403695846.19.143.10192.168.2.13
                            Mar 4, 2025 03:58:54.405777931 CET369601440192.168.2.1346.19.143.10
                            Mar 4, 2025 03:58:54.411098957 CET14403696046.19.143.10192.168.2.13
                            Mar 4, 2025 03:58:54.411228895 CET369601440192.168.2.1346.19.143.10
                            Mar 4, 2025 03:58:54.412158966 CET369601440192.168.2.1346.19.143.10
                            Mar 4, 2025 03:58:54.417326927 CET14403696046.19.143.10192.168.2.13
                            Mar 4, 2025 03:58:54.417423964 CET369601440192.168.2.1346.19.143.10
                            Mar 4, 2025 03:58:54.422555923 CET14403696046.19.143.10192.168.2.13
                            Mar 4, 2025 03:59:04.983357906 CET14403696046.19.143.10192.168.2.13
                            Mar 4, 2025 03:59:04.983813047 CET369601440192.168.2.1346.19.143.10
                            Mar 4, 2025 03:59:04.988933086 CET14403696046.19.143.10192.168.2.13
                            Mar 4, 2025 03:59:06.029582024 CET369621440192.168.2.1346.19.143.10
                            Mar 4, 2025 03:59:06.034969091 CET14403696246.19.143.10192.168.2.13
                            Mar 4, 2025 03:59:06.035048008 CET369621440192.168.2.1346.19.143.10
                            Mar 4, 2025 03:59:06.036448956 CET369621440192.168.2.1346.19.143.10
                            Mar 4, 2025 03:59:06.041450977 CET14403696246.19.143.10192.168.2.13
                            Mar 4, 2025 03:59:06.041549921 CET369621440192.168.2.1346.19.143.10
                            Mar 4, 2025 03:59:06.046600103 CET14403696246.19.143.10192.168.2.13
                            Mar 4, 2025 03:59:16.583875895 CET14403696246.19.143.10192.168.2.13
                            Mar 4, 2025 03:59:16.584419966 CET369621440192.168.2.1346.19.143.10
                            Mar 4, 2025 03:59:16.589520931 CET14403696246.19.143.10192.168.2.13
                            Mar 4, 2025 03:59:17.683031082 CET333361440192.168.2.13185.159.74.127
                            Mar 4, 2025 03:59:17.688127041 CET144033336185.159.74.127192.168.2.13
                            Mar 4, 2025 03:59:17.688225031 CET333361440192.168.2.13185.159.74.127
                            Mar 4, 2025 03:59:17.689886093 CET333361440192.168.2.13185.159.74.127
                            Mar 4, 2025 03:59:17.695005894 CET144033336185.159.74.127192.168.2.13
                            Mar 4, 2025 03:59:17.695081949 CET333361440192.168.2.13185.159.74.127
                            Mar 4, 2025 03:59:17.700082064 CET144033336185.159.74.127192.168.2.13
                            Mar 4, 2025 03:59:28.486202002 CET144033336185.159.74.127192.168.2.13
                            Mar 4, 2025 03:59:28.486515999 CET333361440192.168.2.13185.159.74.127
                            Mar 4, 2025 03:59:28.491674900 CET144033336185.159.74.127192.168.2.13
                            Mar 4, 2025 03:59:34.570208073 CET333381440192.168.2.13185.159.74.127
                            Mar 4, 2025 03:59:34.575974941 CET144033338185.159.74.127192.168.2.13
                            Mar 4, 2025 03:59:34.576035976 CET333381440192.168.2.13185.159.74.127
                            Mar 4, 2025 03:59:34.577253103 CET333381440192.168.2.13185.159.74.127
                            Mar 4, 2025 03:59:34.582364082 CET144033338185.159.74.127192.168.2.13
                            Mar 4, 2025 03:59:34.582412958 CET333381440192.168.2.13185.159.74.127
                            Mar 4, 2025 03:59:34.587538004 CET144033338185.159.74.127192.168.2.13
                            Mar 4, 2025 03:59:44.587498903 CET333381440192.168.2.13185.159.74.127
                            Mar 4, 2025 03:59:44.592703104 CET144033338185.159.74.127192.168.2.13
                            Mar 4, 2025 03:59:44.903191090 CET144033338185.159.74.127192.168.2.13
                            Mar 4, 2025 03:59:44.903450012 CET333381440192.168.2.13185.159.74.127
                            Mar 4, 2025 03:59:44.908684969 CET144033338185.159.74.127192.168.2.13
                            Mar 4, 2025 03:59:46.016463995 CET333401440192.168.2.13185.159.74.127
                            Mar 4, 2025 03:59:46.021622896 CET144033340185.159.74.127192.168.2.13
                            Mar 4, 2025 03:59:46.021724939 CET333401440192.168.2.13185.159.74.127
                            Mar 4, 2025 03:59:46.022907019 CET333401440192.168.2.13185.159.74.127
                            Mar 4, 2025 03:59:46.027966976 CET144033340185.159.74.127192.168.2.13
                            Mar 4, 2025 03:59:46.028045893 CET333401440192.168.2.13185.159.74.127
                            Mar 4, 2025 03:59:46.033137083 CET144033340185.159.74.127192.168.2.13
                            Mar 4, 2025 03:59:56.835339069 CET144033340185.159.74.127192.168.2.13
                            Mar 4, 2025 03:59:56.835721016 CET333401440192.168.2.13185.159.74.127
                            Mar 4, 2025 03:59:56.840760946 CET144033340185.159.74.127192.168.2.13
                            TimestampSource PortDest PortSource IPDest IP
                            Mar 4, 2025 03:57:54.696122885 CET4991153192.168.2.13202.61.197.122
                            Mar 4, 2025 03:57:54.714785099 CET5349911202.61.197.122192.168.2.13
                            Mar 4, 2025 03:58:05.946228981 CET3931453192.168.2.1351.158.108.203
                            Mar 4, 2025 03:58:10.952528000 CET4499253192.168.2.1351.158.108.203
                            Mar 4, 2025 03:58:15.959664106 CET4228053192.168.2.1351.158.108.203
                            Mar 4, 2025 03:58:20.966535091 CET3808553192.168.2.1351.158.108.203
                            Mar 4, 2025 03:58:25.972771883 CET4924453192.168.2.1351.158.108.203
                            Mar 4, 2025 03:58:42.544111013 CET5307353192.168.2.13152.53.15.127
                            Mar 4, 2025 03:58:42.561865091 CET5353073152.53.15.127192.168.2.13
                            Mar 4, 2025 03:58:42.563020945 CET3668553192.168.2.13152.53.15.127
                            Mar 4, 2025 03:58:42.586431026 CET5336685152.53.15.127192.168.2.13
                            Mar 4, 2025 03:58:42.587573051 CET4937153192.168.2.13152.53.15.127
                            Mar 4, 2025 03:58:42.604845047 CET5349371152.53.15.127192.168.2.13
                            Mar 4, 2025 03:58:42.605952024 CET5236653192.168.2.13152.53.15.127
                            Mar 4, 2025 03:58:42.623450041 CET5352366152.53.15.127192.168.2.13
                            Mar 4, 2025 03:58:42.624377966 CET4407453192.168.2.13152.53.15.127
                            Mar 4, 2025 03:58:42.642004013 CET5344074152.53.15.127192.168.2.13
                            Mar 4, 2025 03:58:54.207510948 CET4243353192.168.2.13185.181.61.24
                            Mar 4, 2025 03:58:54.245107889 CET5342433185.181.61.24192.168.2.13
                            Mar 4, 2025 03:58:54.246745110 CET5586353192.168.2.13185.181.61.24
                            Mar 4, 2025 03:58:54.287102938 CET5355863185.181.61.24192.168.2.13
                            Mar 4, 2025 03:58:54.288649082 CET3620753192.168.2.13185.181.61.24
                            Mar 4, 2025 03:58:54.326159954 CET5336207185.181.61.24192.168.2.13
                            Mar 4, 2025 03:58:54.327681065 CET5573453192.168.2.13185.181.61.24
                            Mar 4, 2025 03:58:54.365310907 CET5355734185.181.61.24192.168.2.13
                            Mar 4, 2025 03:58:54.366972923 CET3583753192.168.2.13185.181.61.24
                            Mar 4, 2025 03:58:54.404572964 CET5335837185.181.61.24192.168.2.13
                            Mar 4, 2025 03:59:05.987407923 CET5616753192.168.2.13185.181.61.24
                            Mar 4, 2025 03:59:06.025101900 CET5356167185.181.61.24192.168.2.13
                            Mar 4, 2025 03:59:17.589986086 CET4709453192.168.2.13168.235.111.72
                            Mar 4, 2025 03:59:17.681600094 CET5347094168.235.111.72192.168.2.13
                            Mar 4, 2025 03:59:29.490737915 CET5642653192.168.2.1351.158.108.203
                            Mar 4, 2025 03:59:29.510211945 CET535642651.158.108.203192.168.2.13
                            Mar 4, 2025 03:59:29.512119055 CET4742053192.168.2.1351.158.108.203
                            Mar 4, 2025 03:59:34.518955946 CET5150453192.168.2.1351.158.108.203
                            Mar 4, 2025 03:59:34.534980059 CET535150451.158.108.203192.168.2.13
                            Mar 4, 2025 03:59:34.536039114 CET5538553192.168.2.1351.158.108.203
                            Mar 4, 2025 03:59:34.552515030 CET535538551.158.108.203192.168.2.13
                            Mar 4, 2025 03:59:34.553986073 CET3695653192.168.2.1351.158.108.203
                            Mar 4, 2025 03:59:34.569626093 CET533695651.158.108.203192.168.2.13
                            Mar 4, 2025 03:59:45.906924963 CET4607653192.168.2.13194.36.144.87
                            Mar 4, 2025 03:59:45.930361032 CET5346076194.36.144.87192.168.2.13
                            Mar 4, 2025 03:59:45.932132006 CET3620353192.168.2.13194.36.144.87
                            Mar 4, 2025 03:59:45.949115992 CET5336203194.36.144.87192.168.2.13
                            Mar 4, 2025 03:59:45.950443983 CET3561453192.168.2.13194.36.144.87
                            Mar 4, 2025 03:59:45.973480940 CET5335614194.36.144.87192.168.2.13
                            Mar 4, 2025 03:59:45.974759102 CET3889153192.168.2.13194.36.144.87
                            Mar 4, 2025 03:59:45.991817951 CET5338891194.36.144.87192.168.2.13
                            Mar 4, 2025 03:59:45.993045092 CET3443253192.168.2.13194.36.144.87
                            Mar 4, 2025 03:59:46.015803099 CET5334432194.36.144.87192.168.2.13
                            Mar 4, 2025 03:59:57.838743925 CET5615653192.168.2.1351.158.108.203
                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                            Mar 4, 2025 03:57:54.696122885 CET | 192.168.2.13 | 202.61.197.122 | 0x7f7 | Standard query (0) | ohlookthereismyboats.geek | A (IP address) | IN (0x0001) | false
                            Mar 4, 2025 03:58:05.946228981 CET | 192.168.2.13 | 51.158.108.203 | 0x1ef | Standard query (0) | watchmepull.dyn. [malformed] | 256 | 322 | false
                            Mar 4, 2025 03:58:10.952528000 CET | 192.168.2.13 | 51.158.108.203 | 0x1ef | Standard query (0) | watchmepull.dyn. [malformed] | 256 | 327 | false
                            Mar 4, 2025 03:58:15.959664106 CET | 192.168.2.13 | 51.158.108.203 | 0x1ef | Standard query (0) | watchmepull.dyn. [malformed] | 256 | 332 | false
                            Mar 4, 2025 03:58:20.966535091 CET | 192.168.2.13 | 51.158.108.203 | 0x1ef | Standard query (0) | watchmepull.dyn. [malformed] | 256 | 337 | false
                            Mar 4, 2025 03:58:25.972771883 CET | 192.168.2.13 | 51.158.108.203 | 0x1ef | Standard query (0) | watchmepull.dyn. [malformed] | 256 | 342 | false
                            Mar 4, 2025 03:58:42.544111013 CET | 192.168.2.13 | 152.53.15.127 | 0xa95b | Standard query (0) | watchmepull.dyn. [malformed] | 256 | 354 | false
                            Mar 4, 2025 03:58:42.563020945 CET | 192.168.2.13 | 152.53.15.127 | 0xa95b | Standard query (0) | watchmepull.dyn. [malformed] | 256 | 354 | false
                            Mar 4, 2025 03:58:42.587573051 CET | 192.168.2.13 | 152.53.15.127 | 0xa95b | Standard query (0) | watchmepull.dyn. [malformed] | 256 | 354 | false
                            Mar 4, 2025 03:58:42.605952024 CET | 192.168.2.13 | 152.53.15.127 | 0xa95b | Standard query (0) | watchmepull.dyn. [malformed] | 256 | 354 | false
                            Mar 4, 2025 03:58:42.624377966 CET | 192.168.2.13 | 152.53.15.127 | 0xa95b | Standard query (0) | watchmepull.dyn. [malformed] | 256 | 354 | false
                            Mar 4, 2025 03:58:54.207510948 CET | 192.168.2.13 | 185.181.61.24 | 0x63b0 | Standard query (0) | watchmepull.dyn. [malformed] | 256 | 366 | false
                            Mar 4, 2025 03:58:54.246745110 CET | 192.168.2.13 | 185.181.61.24 | 0x63b0 | Standard query (0) | watchmepull.dyn. [malformed] | 256 | 366 | false
                            Mar 4, 2025 03:58:54.288649082 CET | 192.168.2.13 | 185.181.61.24 | 0x63b0 | Standard query (0) | watchmepull.dyn. [malformed] | 256 | 366 | false
                            Mar 4, 2025 03:58:54.327681065 CET | 192.168.2.13 | 185.181.61.24 | 0x63b0 | Standard query (0) | watchmepull.dyn. [malformed] | 256 | 366 | false
                            Mar 4, 2025 03:58:54.366972923 CET | 192.168.2.13 | 185.181.61.24 | 0x63b0 | Standard query (0) | watchmepull.dyn. [malformed] | 256 | 366 | false
                            Mar 4, 2025 03:59:05.987407923 CET | 192.168.2.13 | 185.181.61.24 | 0x9c5a | Standard query (0) | ohlookthereismyboats.geek | A (IP address) | IN (0x0001) | false
                            Mar 4, 2025 03:59:17.589986086 CET | 192.168.2.13 | 168.235.111.72 | 0xc48c | Standard query (0) | ohlookthereismyboats.geek | A (IP address) | IN (0x0001) | false
                            Mar 4, 2025 03:59:29.490737915 CET | 192.168.2.13 | 51.158.108.203 | 0xd75f | Standard query (0) | watchmepull.dyn. [malformed] | 256 | 401 | false
                            Mar 4, 2025 03:59:29.512119055 CET | 192.168.2.13 | 51.158.108.203 | 0xd75f | Standard query (0) | watchmepull.dyn. [malformed] | 256 | 406 | false
                            Mar 4, 2025 03:59:34.518955946 CET | 192.168.2.13 | 51.158.108.203 | 0xd75f | Standard query (0) | watchmepull.dyn. [malformed] | 256 | 406 | false
                            Mar 4, 2025 03:59:34.536039114 CET | 192.168.2.13 | 51.158.108.203 | 0xd75f | Standard query (0) | watchmepull.dyn. [malformed] | 256 | 406 | false
                            Mar 4, 2025 03:59:34.553986073 CET | 192.168.2.13 | 51.158.108.203 | 0xd75f | Standard query (0) | watchmepull.dyn. [malformed] | 256 | 406 | false
                            Mar 4, 2025 03:59:45.906924963 CET | 192.168.2.13 | 194.36.144.87 | 0xa452 | Standard query (0) | watchmepull.dyn. [malformed] | 256 | 417 | false
                            Mar 4, 2025 03:59:45.932132006 CET | 192.168.2.13 | 194.36.144.87 | 0xa452 | Standard query (0) | watchmepull.dyn. [malformed] | 256 | 417 | false
                            Mar 4, 2025 03:59:45.950443983 CET | 192.168.2.13 | 194.36.144.87 | 0xa452 | Standard query (0) | watchmepull.dyn. [malformed] | 256 | 417 | false
                            Mar 4, 2025 03:59:45.974759102 CET | 192.168.2.13 | 194.36.144.87 | 0xa452 | Standard query (0) | watchmepull.dyn. [malformed] | 256 | 417 | false
                            Mar 4, 2025 03:59:45.993045092 CET | 192.168.2.13 | 194.36.144.87 | 0xa452 | Standard query (0) | watchmepull.dyn. [malformed] | 256 | 418 | false
                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                            Mar 4, 2025 03:57:54.714785099 CET | 202.61.197.122 | 192.168.2.13 | 0x7f7 | No error (0) | ohlookthereismyboats.geek |  | 46.19.143.10 | A (IP address) | IN (0x0001) | false
                            Mar 4, 2025 03:58:42.561865091 CET | 152.53.15.127 | 192.168.2.13 | 0xa95b | Format error (1) | watchmepull.dyn. [malformed] | none | none | 256 | 354 | false
                            Mar 4, 2025 03:58:42.586431026 CET | 152.53.15.127 | 192.168.2.13 | 0xa95b | Format error (1) | watchmepull.dyn. [malformed] | none | none | 256 | 354 | false
                            Mar 4, 2025 03:58:42.604845047 CET | 152.53.15.127 | 192.168.2.13 | 0xa95b | Format error (1) | watchmepull.dyn. [malformed] | none | none | 256 | 354 | false
                            Mar 4, 2025 03:58:42.623450041 CET | 152.53.15.127 | 192.168.2.13 | 0xa95b | Format error (1) | watchmepull.dyn. [malformed] | none | none | 256 | 354 | false
                            Mar 4, 2025 03:58:42.642004013 CET | 152.53.15.127 | 192.168.2.13 | 0xa95b | Format error (1) | watchmepull.dyn. [malformed] | none | none | 256 | 354 | false
                            Mar 4, 2025 03:59:06.025101900 CET | 185.181.61.24 | 192.168.2.13 | 0x9c5a | No error (0) | ohlookthereismyboats.geek |  | 46.19.143.10 | A (IP address) | IN (0x0001) | false
                            Mar 4, 2025 03:59:17.681600094 CET | 168.235.111.72 | 192.168.2.13 | 0xc48c | No error (0) | ohlookthereismyboats.geek |  | 46.19.143.10 | A (IP address) | IN (0x0001) | false
                            Mar 4, 2025 03:59:17.681600094 CET | 168.235.111.72 | 192.168.2.13 | 0xc48c | No error (0) | ohlookthereismyboats.geek |  | 185.159.74.127 | A (IP address) | IN (0x0001) | false
                            Mar 4, 2025 03:59:17.681600094 CET | 168.235.111.72 | 192.168.2.13 | 0xc48c | No error (0) | ohlookthereismyboats.geek |  | 45.147.251.145 | A (IP address) | IN (0x0001) | false
                            Mar 4, 2025 03:59:29.510211945 CET | 51.158.108.203 | 192.168.2.13 | 0xd75f | Format error (1) | watchmepull.dyn. [malformed] | none | none | 256 | 401 | false
                            Mar 4, 2025 03:59:34.534980059 CET | 51.158.108.203 | 192.168.2.13 | 0xd75f | Format error (1) | watchmepull.dyn. [malformed] | none | none | 256 | 406 | false
                            Mar 4, 2025 03:59:34.552515030 CET | 51.158.108.203 | 192.168.2.13 | 0xd75f | Format error (1) | watchmepull.dyn. [malformed] | none | none | 256 | 406 | false
                            Mar 4, 2025 03:59:34.569626093 CET | 51.158.108.203 | 192.168.2.13 | 0xd75f | Format error (1) | watchmepull.dyn. [malformed] | none | none | 256 | 406 | false
                            Mar 4, 2025 03:59:45.930361032 CET | 194.36.144.87 | 192.168.2.13 | 0xa452 | Format error (1) | watchmepull.dyn. [malformed] | none | none | 256 | 417 | false
                            Mar 4, 2025 03:59:45.949115992 CET | 194.36.144.87 | 192.168.2.13 | 0xa452 | Format error (1) | watchmepull.dyn. [malformed] | none | none | 256 | 417 | false
                            Mar 4, 2025 03:59:45.973480940 CET | 194.36.144.87 | 192.168.2.13 | 0xa452 | Format error (1) | watchmepull.dyn. [malformed] | none | none | 256 | 417 | false
                            Mar 4, 2025 03:59:45.991817951 CET | 194.36.144.87 | 192.168.2.13 | 0xa452 | Format error (1) | watchmepull.dyn. [malformed] | none | none | 256 | 417 | false
                            Mar 4, 2025 03:59:46.015803099 CET | 194.36.144.87 | 192.168.2.13 | 0xa452 | Format error (1) | watchmepull.dyn. [malformed] | none | none | 256 | 418 | false

                            System Behavior

                            Start time (UTC):02:57:53
                            Start date (UTC):04/03/2025
                            Path:/tmp/zermips.elf
                            Arguments:/tmp/zermips.elf
                            File size:5777432 bytes
                            MD5 hash:0083f1f0e77be34ad27f849842bbb00c

                            Start time (UTC):02:57:54
                            Start date (UTC):04/03/2025
                            Path:/tmp/zermips.elf
                            Arguments:-
                            File size:5777432 bytes
                            MD5 hash:0083f1f0e77be34ad27f849842bbb00c

                            Start time (UTC):02:57:54
                            Start date (UTC):04/03/2025
                            Path:/tmp/zermips.elf
                            Arguments:-
                            File size:5777432 bytes
                            MD5 hash:0083f1f0e77be34ad27f849842bbb00c