
Linux Analysis Report
zersh4.elf

Overview

General Information

Sample name: zersh4.elf
Analysis ID: 1628737
MD5: 582bcf4c37d09ce279738983deca4c70
SHA1: 0970e5ddd6029c778356f5307e3fd5f50dd75c6e
SHA256: 9e3e6d44561de4323555393fe64d240a81b3150b483b8b8ef5a9272bb9365627
Tags: elf, user-abuse_ch

Detection

Score: 52
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
Sends malformed DNS queries
Detected TCP or UDP traffic on non-standard ports
Sample has stripped symbol table
Sample listens on a socket
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1628737
Start date and time: 2025-03-04 04:18:13 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 36s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: zersh4.elf
Detection: MAL
Classification: mal52.troj.linELF@0/0@29/0
Command: /tmp/zersh4.elf
PID: 5510
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
gosh that chinese family at the other table sure ate a lot
Standard Error:
  • system is lnxubuntu20
  • zersh4.elf (PID: 5510, Parent: 5434, MD5: 8943e5f8f8c280467b4472c15ae93ba9) Arguments: /tmp/zersh4.elf
  • cleanup
No yara matches
No Suricata rule has matched


AV Detection

Source: zersh4.elf | Virustotal: Detection: 25%
Source: zersh4.elf | ReversingLabs: Detection: 23%

Networking

Source: global traffic | DNS traffic detected: malformed DNS query: watchmepull.dyn. [malformed]
Source: global traffic | TCP traffic: 192.168.2.14:36000 -> 45.147.251.145:1440
Source: global traffic | TCP traffic: 192.168.2.14:55468 -> 185.159.74.127:1440
Source: global traffic | TCP traffic: 192.168.2.14:47102 -> 46.19.143.10:1440
Source: global traffic | TCP traffic: 192.168.2.14:37176 -> 1.2.3.4:1440
Source: /tmp/zersh4.elf (PID: 5510) | Socket: 127.0.0.1:39148
Source: global traffic | TCP traffic: 192.168.2.14:46540 -> 185.125.190.26:443
Source: global traffic | DNS traffic detected: DNS query: watchmepull.dyn
Source: global traffic | DNS traffic detected: DNS query: ohlookthereismyboats.geek
Source: global traffic | DNS traffic detected: DNS query: watchmepull.dyn. [malformed]
Source: unknown | Network traffic detected: HTTP traffic on port 46540 -> 443
Source: ELF static info symbol of initial sample | .symtab present: no
Source: classification engine | Classification label: mal52.troj.linELF@0/0@29/0
Source: /tmp/zersh4.elf (PID: 5510) | Queries kernel information via 'uname'
Source: zersh4.elf, 5510.1.00005630f9860000.00005630f98c3000.rw-.sdmp | Binary or memory string: 0V5!/etc/qemu-binfmt/sh4
Source: zersh4.elf, 5510.1.00007ffe5b9e0000.00007ffe5ba01000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-sh4
Source: zersh4.elf, 5510.1.00007ffe5b9e0000.00007ffe5ba01000.rw-.sdmp | Binary or memory string: x86_64/usr/bin/qemu-sh4/tmp/zersh4.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/zersh4.elf
Source: zersh4.elf, 5510.1.00005630f9860000.00005630f98c3000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/sh4
MITRE ATT&CK Matrix (tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact)

Techniques mapped for this sample:
  • Discovery: Security Software Discovery
  • Command and Control: Encrypted Channel, Non-Standard Port, Non-Application Layer Protocol, Application Layer Protocol
No configs have been found
Behavior Graph (ID: 1628737; Sample: zersh4.elf; Startdate: 04/03/2025; Architecture: LINUX; Score: 52)

  • Processes: zersh4.elf started, which started a second zersh4.elf process, which in turn started a third
  • DNS/IP nodes: watchmepull.dyn. [malformed]; watchmepull.dyn (185.159.74.127, port 1440, source port 55468, SAYFANETTR, Georgia); 4 other IPs or domains
  • Signatures: Multi AV Scanner detection for submitted file; Sends malformed DNS queries (attached to the malformed DNS node)

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Number of created Files, Is malicious, Internet

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Source | Detection | Scanner | Label | Link
zersh4.elf | 25% | Virustotal | | Browse
zersh4.elf | 24% | ReversingLabs | Linux.Backdoor.Gafgyt |
No Antivirus matches


Name | IP | Active | Malicious | Antivirus Detection | Reputation
watchmepull.dyn | 185.159.74.127 | true | false | | high
ohlookthereismyboats.geek | 46.19.143.10 | true | false | | high
watchmepull.dyn. [malformed] | unknown | unknown | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
46.19.143.10 | ohlookthereismyboats.geek | Switzerland | 51852 | PLI-ASCH | false
1.2.3.4 | unknown | Australia | 13335 | CLOUDFLARENETUS | false
185.125.190.26 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
185.159.74.127 | watchmepull.dyn | Georgia | 59447 | SAYFANETTR | false
45.147.251.145 | unknown | Germany | 197518 | RACKMARKTES | false
                                                                        No context
                                                                        No created / dropped files found
File type: ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
Entropy (8bit): 6.777674415793993
TrID:
  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: zersh4.elf
File size: 46'456 bytes
MD5: 582bcf4c37d09ce279738983deca4c70
SHA1: 0970e5ddd6029c778356f5307e3fd5f50dd75c6e
SHA256: 9e3e6d44561de4323555393fe64d240a81b3150b483b8b8ef5a9272bb9365627
SHA512: 3891f4308b92ca6e40e9d5a7b69115fc5da3818b6ca6df5a69e8a915551b644011544a4cb8596291bc4f2343e178e7e94facd9ee5527b0c92fb2756791e9cdfb
SSDEEP: 768:KabwtjUpTiPqmUHYqy9kK6IwNTTfgF1ChoRUMnJCDciN9P:Kabwtj7zoZy667/RRHnJCD
TLSH: 95237EA2C46EEDD0C55942B4B935DE7827A3E404C2933EFB5A4AC6668007DACF60D3F5
File Content Preview: .ELF..............*.......@.4...........4. ...(...............@...@...........................A...A......%..........Q.td............................././"O.n........#.*@........#.*@L....o&O.n...l..............................././.../.a"O.!...n...a.b("...q.

                                                                        ELF header

Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
Machine: <unknown>
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x4001a0
Flags: 0x9
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 3
Section Header Offset: 46016
Section Header Size: 40
Number of Section Headers: 11
Header String Table Index: 10
Section headers

Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
NULL | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
.init | PROGBITS | 0x400094 | 0x94 | 0x30 | 0x0 | 0x6 | AX | 0 | 0 | 4
.text | PROGBITS | 0x4000e0 | 0xe0 | 0xa760 | 0x0 | 0x6 | AX | 0 | 0 | 32
.fini | PROGBITS | 0x40a840 | 0xa840 | 0x24 | 0x0 | 0x6 | AX | 0 | 0 | 4
.rodata | PROGBITS | 0x40a864 | 0xa864 | 0x81c | 0x0 | 0x2 | A | 0 | 0 | 4
.ctors | PROGBITS | 0x41b084 | 0xb084 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.dtors | PROGBITS | 0x41b08c | 0xb08c | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.jcr | PROGBITS | 0x41b094 | 0xb094 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4
.data | PROGBITS | 0x41b098 | 0xb098 | 0x2e4 | 0x0 | 0x3 | WA | 0 | 0 | 4
.bss | NOBITS | 0x41b37c | 0xb37c | 0x2288 | 0x0 | 0x3 | WA | 0 | 0 | 4
.shstrtab | STRTAB | 0x0 | 0xb37c | 0x43 | 0x0 | 0x0 | | 0 | 0 | 1

Program headers

Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0x400000 | 0x400000 | 0xb080 | 0xb080 | 6.8470 | 0x5 | R E | 0x10000 | | .init .text .fini .rodata
LOAD | 0xb084 | 0x41b084 | 0x41b084 | 0x2f8 | 0x2580 | 2.2174 | 0x6 | RW | 0x10000 | | .ctors .dtors .jcr .data .bss
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 | |


                                                                        • Total Packets: 77
                                                                        • 1440 undefined
                                                                        • 443 (HTTPS)
                                                                        • 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 4, 2025 04:18:53.267009020 CET | 36000 | 1440 | 192.168.2.14 | 45.147.251.145
Mar 4, 2025 04:18:53.271964073 CET | 1440 | 36000 | 45.147.251.145 | 192.168.2.14
Mar 4, 2025 04:18:53.272037983 CET | 36000 | 1440 | 192.168.2.14 | 45.147.251.145
Mar 4, 2025 04:18:53.273195982 CET | 36000 | 1440 | 192.168.2.14 | 45.147.251.145
Mar 4, 2025 04:18:53.279695034 CET | 1440 | 36000 | 45.147.251.145 | 192.168.2.14
Mar 4, 2025 04:18:53.279751062 CET | 36000 | 1440 | 192.168.2.14 | 45.147.251.145
Mar 4, 2025 04:18:53.285254955 CET | 1440 | 36000 | 45.147.251.145 | 192.168.2.14
Mar 4, 2025 04:19:03.283102989 CET | 36000 | 1440 | 192.168.2.14 | 45.147.251.145
Mar 4, 2025 04:19:03.288182974 CET | 1440 | 36000 | 45.147.251.145 | 192.168.2.14
Mar 4, 2025 04:19:03.497807980 CET | 1440 | 36000 | 45.147.251.145 | 192.168.2.14
Mar 4, 2025 04:19:03.498191118 CET | 36000 | 1440 | 192.168.2.14 | 45.147.251.145
Mar 4, 2025 04:19:03.503129005 CET | 1440 | 36000 | 45.147.251.145 | 192.168.2.14
Mar 4, 2025 04:19:03.718519926 CET | 46540 | 443 | 192.168.2.14 | 185.125.190.26
Mar 4, 2025 04:19:04.521691084 CET | 55468 | 1440 | 192.168.2.14 | 185.159.74.127
Mar 4, 2025 04:19:04.526658058 CET | 1440 | 55468 | 185.159.74.127 | 192.168.2.14
Mar 4, 2025 04:19:04.526752949 CET | 55468 | 1440 | 192.168.2.14 | 185.159.74.127
Mar 4, 2025 04:19:04.528152943 CET | 55468 | 1440 | 192.168.2.14 | 185.159.74.127
Mar 4, 2025 04:19:04.533236980 CET | 1440 | 55468 | 185.159.74.127 | 192.168.2.14
Mar 4, 2025 04:19:04.533291101 CET | 55468 | 1440 | 192.168.2.14 | 185.159.74.127
Mar 4, 2025 04:19:04.538333893 CET | 1440 | 55468 | 185.159.74.127 | 192.168.2.14
Mar 4, 2025 04:19:15.323864937 CET | 1440 | 55468 | 185.159.74.127 | 192.168.2.14
Mar 4, 2025 04:19:15.324091911 CET | 55468 | 1440 | 192.168.2.14 | 185.159.74.127
Mar 4, 2025 04:19:15.329148054 CET | 1440 | 55468 | 185.159.74.127 | 192.168.2.14
Mar 4, 2025 04:19:16.365210056 CET | 47102 | 1440 | 192.168.2.14 | 46.19.143.10
Mar 4, 2025 04:19:16.370254993 CET | 1440 | 47102 | 46.19.143.10 | 192.168.2.14
Mar 4, 2025 04:19:16.370340109 CET | 47102 | 1440 | 192.168.2.14 | 46.19.143.10
Mar 4, 2025 04:19:16.371609926 CET | 47102 | 1440 | 192.168.2.14 | 46.19.143.10
Mar 4, 2025 04:19:16.376631021 CET | 1440 | 47102 | 46.19.143.10 | 192.168.2.14
Mar 4, 2025 04:19:16.376693964 CET | 47102 | 1440 | 192.168.2.14 | 46.19.143.10
Mar 4, 2025 04:19:16.382318974 CET | 1440 | 47102 | 46.19.143.10 | 192.168.2.14
Mar 4, 2025 04:19:26.923996925 CET | 1440 | 47102 | 46.19.143.10 | 192.168.2.14
Mar 4, 2025 04:19:26.924406052 CET | 47102 | 1440 | 192.168.2.14 | 46.19.143.10
Mar 4, 2025 04:19:26.929383993 CET | 1440 | 47102 | 46.19.143.10 | 192.168.2.14
                                                                        Mar 4, 2025 04:19:33.669559956 CET46540443192.168.2.14185.125.190.26
                                                                        Mar 4, 2025 04:19:52.956748962 CET471041440192.168.2.1446.19.143.10
                                                                        Mar 4, 2025 04:19:52.961915016 CET14404710446.19.143.10192.168.2.14
                                                                        Mar 4, 2025 04:19:52.961983919 CET471041440192.168.2.1446.19.143.10
                                                                        Mar 4, 2025 04:19:52.963376045 CET471041440192.168.2.1446.19.143.10
                                                                        Mar 4, 2025 04:19:52.968381882 CET14404710446.19.143.10192.168.2.14
                                                                        Mar 4, 2025 04:19:52.968472958 CET471041440192.168.2.1446.19.143.10
                                                                        Mar 4, 2025 04:19:52.973452091 CET14404710446.19.143.10192.168.2.14
                                                                        Mar 4, 2025 04:20:03.509629011 CET14404710446.19.143.10192.168.2.14
                                                                        Mar 4, 2025 04:20:03.509938955 CET471041440192.168.2.1446.19.143.10
                                                                        Mar 4, 2025 04:20:03.515012980 CET14404710446.19.143.10192.168.2.14
                                                                        Mar 4, 2025 04:20:04.707732916 CET471061440192.168.2.1446.19.143.10
                                                                        Mar 4, 2025 04:20:04.712980986 CET14404710646.19.143.10192.168.2.14
                                                                        Mar 4, 2025 04:20:04.713068008 CET471061440192.168.2.1446.19.143.10
                                                                        Mar 4, 2025 04:20:04.714234114 CET471061440192.168.2.1446.19.143.10
                                                                        Mar 4, 2025 04:20:04.719285011 CET14404710646.19.143.10192.168.2.14
                                                                        Mar 4, 2025 04:20:04.719352007 CET471061440192.168.2.1446.19.143.10
                                                                        Mar 4, 2025 04:20:04.724422932 CET14404710646.19.143.10192.168.2.14
                                                                        Mar 4, 2025 04:20:15.284322023 CET14404710646.19.143.10192.168.2.14
                                                                        Mar 4, 2025 04:20:15.284487963 CET471061440192.168.2.1446.19.143.10
                                                                        Mar 4, 2025 04:20:15.289508104 CET14404710646.19.143.10192.168.2.14
                                                                        Mar 4, 2025 04:20:16.407010078 CET471081440192.168.2.1446.19.143.10
                                                                        Mar 4, 2025 04:20:16.412040949 CET14404710846.19.143.10192.168.2.14
                                                                        Mar 4, 2025 04:20:16.412110090 CET471081440192.168.2.1446.19.143.10
                                                                        Mar 4, 2025 04:20:16.413402081 CET471081440192.168.2.1446.19.143.10
                                                                        Mar 4, 2025 04:20:16.418437958 CET14404710846.19.143.10192.168.2.14
                                                                        Mar 4, 2025 04:20:16.418509007 CET471081440192.168.2.1446.19.143.10
                                                                        Mar 4, 2025 04:20:16.423528910 CET14404710846.19.143.10192.168.2.14
                                                                        Mar 4, 2025 04:20:26.978157043 CET14404710846.19.143.10192.168.2.14
                                                                        Mar 4, 2025 04:20:26.978682995 CET471081440192.168.2.1446.19.143.10
                                                                        Mar 4, 2025 04:20:26.983717918 CET14404710846.19.143.10192.168.2.14
                                                                        Mar 4, 2025 04:20:28.078334093 CET471101440192.168.2.1446.19.143.10
                                                                        Mar 4, 2025 04:20:28.083401918 CET14404711046.19.143.10192.168.2.14
                                                                        Mar 4, 2025 04:20:28.083484888 CET471101440192.168.2.1446.19.143.10
                                                                        Mar 4, 2025 04:20:28.084729910 CET471101440192.168.2.1446.19.143.10
                                                                        Mar 4, 2025 04:20:28.089756012 CET14404711046.19.143.10192.168.2.14
                                                                        Mar 4, 2025 04:20:28.089818954 CET471101440192.168.2.1446.19.143.10
                                                                        Mar 4, 2025 04:20:28.095128059 CET14404711046.19.143.10192.168.2.14
                                                                        Mar 4, 2025 04:20:38.094691038 CET471101440192.168.2.1446.19.143.10
                                                                        Mar 4, 2025 04:20:38.168463945 CET14404711046.19.143.10192.168.2.14
                                                                        Mar 4, 2025 04:20:38.448421001 CET14404711046.19.143.10192.168.2.14
                                                                        Mar 4, 2025 04:20:38.448832035 CET471101440192.168.2.1446.19.143.10
                                                                        Mar 4, 2025 04:20:38.453947067 CET14404711046.19.143.10192.168.2.14
                                                                        Mar 4, 2025 04:20:39.547256947 CET471121440192.168.2.1446.19.143.10
                                                                        Mar 4, 2025 04:20:39.552485943 CET14404711246.19.143.10192.168.2.14
                                                                        Mar 4, 2025 04:20:39.552615881 CET471121440192.168.2.1446.19.143.10
                                                                        Mar 4, 2025 04:20:39.554033041 CET471121440192.168.2.1446.19.143.10
                                                                        Mar 4, 2025 04:20:39.559087038 CET14404711246.19.143.10192.168.2.14
                                                                        Mar 4, 2025 04:20:39.559165001 CET471121440192.168.2.1446.19.143.10
                                                                        Mar 4, 2025 04:20:39.564255953 CET14404711246.19.143.10192.168.2.14
                                                                        Mar 4, 2025 04:20:50.107472897 CET14404711246.19.143.10192.168.2.14
                                                                        Mar 4, 2025 04:20:50.107739925 CET471121440192.168.2.1446.19.143.10
                                                                        Mar 4, 2025 04:20:50.112835884 CET14404711246.19.143.10192.168.2.14
                                                                        Mar 4, 2025 04:20:51.127912998 CET371761440192.168.2.141.2.3.4
                                                                        Mar 4, 2025 04:20:51.132898092 CET1440371761.2.3.4192.168.2.14
                                                                        Mar 4, 2025 04:20:51.132991076 CET371761440192.168.2.141.2.3.4
                                                                        Mar 4, 2025 04:20:51.134171009 CET371761440192.168.2.141.2.3.4
                                                                        Mar 4, 2025 04:20:51.139209986 CET1440371761.2.3.4192.168.2.14
                                                                        Mar 4, 2025 04:20:51.139292002 CET371761440192.168.2.141.2.3.4
                                                                        Mar 4, 2025 04:20:51.144334078 CET1440371761.2.3.4192.168.2.14
                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                        Mar 4, 2025 04:18:53.246635914 CET4280653192.168.2.14202.61.197.122
                                                                        Mar 4, 2025 04:18:53.265223980 CET5342806202.61.197.122192.168.2.14
                                                                        Mar 4, 2025 04:19:04.502506018 CET4986553192.168.2.14202.61.197.122
                                                                        Mar 4, 2025 04:19:04.520512104 CET5349865202.61.197.122192.168.2.14
                                                                        Mar 4, 2025 04:19:16.326899052 CET5290353192.168.2.14185.181.61.24
                                                                        Mar 4, 2025 04:19:16.364315033 CET5352903185.181.61.24192.168.2.14
                                                                        Mar 4, 2025 04:19:27.928302050 CET4011253192.168.2.1451.158.108.203
                                                                        Mar 4, 2025 04:19:32.934978962 CET3614253192.168.2.1451.158.108.203
                                                                        Mar 4, 2025 04:19:37.936681032 CET5850053192.168.2.1451.158.108.203
                                                                        Mar 4, 2025 04:19:42.943439007 CET3997553192.168.2.1451.158.108.203
                                                                        Mar 4, 2025 04:19:47.950432062 CET5342853192.168.2.1451.158.108.203
                                                                        Mar 4, 2025 04:20:04.512953043 CET4167153192.168.2.14185.181.61.24
                                                                        Mar 4, 2025 04:20:04.550553083 CET5341671185.181.61.24192.168.2.14
                                                                        Mar 4, 2025 04:20:04.551933050 CET5811153192.168.2.14185.181.61.24
                                                                        Mar 4, 2025 04:20:04.589448929 CET5358111185.181.61.24192.168.2.14
                                                                        Mar 4, 2025 04:20:04.590727091 CET5207553192.168.2.14185.181.61.24
                                                                        Mar 4, 2025 04:20:04.628216028 CET5352075185.181.61.24192.168.2.14
                                                                        Mar 4, 2025 04:20:04.629710913 CET5762853192.168.2.14185.181.61.24
                                                                        Mar 4, 2025 04:20:04.667335033 CET5357628185.181.61.24192.168.2.14
                                                                        Mar 4, 2025 04:20:04.669159889 CET4333153192.168.2.14185.181.61.24
                                                                        Mar 4, 2025 04:20:04.706676960 CET5343331185.181.61.24192.168.2.14
                                                                        Mar 4, 2025 04:20:16.288064957 CET3768353192.168.2.14152.53.15.127
                                                                        Mar 4, 2025 04:20:16.311230898 CET5337683152.53.15.127192.168.2.14
                                                                        Mar 4, 2025 04:20:16.312690020 CET4500353192.168.2.14152.53.15.127
                                                                        Mar 4, 2025 04:20:16.336110115 CET5345003152.53.15.127192.168.2.14
                                                                        Mar 4, 2025 04:20:16.337574005 CET5686053192.168.2.14152.53.15.127
                                                                        Mar 4, 2025 04:20:16.362483978 CET5356860152.53.15.127192.168.2.14
                                                                        Mar 4, 2025 04:20:16.364023924 CET4452453192.168.2.14152.53.15.127
                                                                        Mar 4, 2025 04:20:16.387260914 CET5344524152.53.15.127192.168.2.14
                                                                        Mar 4, 2025 04:20:16.388516903 CET3670753192.168.2.14152.53.15.127
                                                                        Mar 4, 2025 04:20:16.406261921 CET5336707152.53.15.127192.168.2.14
                                                                        Mar 4, 2025 04:20:27.982584953 CET5369153192.168.2.14202.61.197.122
                                                                        Mar 4, 2025 04:20:28.000433922 CET5353691202.61.197.122192.168.2.14
                                                                        Mar 4, 2025 04:20:28.002047062 CET5701453192.168.2.14202.61.197.122
                                                                        Mar 4, 2025 04:20:28.019984007 CET5357014202.61.197.122192.168.2.14
                                                                        Mar 4, 2025 04:20:28.021596909 CET3831653192.168.2.14202.61.197.122
                                                                        Mar 4, 2025 04:20:28.039211035 CET5338316202.61.197.122192.168.2.14
                                                                        Mar 4, 2025 04:20:28.040591002 CET5986553192.168.2.14202.61.197.122
                                                                        Mar 4, 2025 04:20:28.058168888 CET5359865202.61.197.122192.168.2.14
                                                                        Mar 4, 2025 04:20:28.059343100 CET5999053192.168.2.14202.61.197.122
                                                                        Mar 4, 2025 04:20:28.077596903 CET5359990202.61.197.122192.168.2.14
                                                                        Mar 4, 2025 04:20:39.452471018 CET3670853192.168.2.14152.53.15.127
                                                                        Mar 4, 2025 04:20:39.470237017 CET5336708152.53.15.127192.168.2.14
                                                                        Mar 4, 2025 04:20:39.471723080 CET5839753192.168.2.14152.53.15.127
                                                                        Mar 4, 2025 04:20:39.489327908 CET5358397152.53.15.127192.168.2.14
                                                                        Mar 4, 2025 04:20:39.490778923 CET4053353192.168.2.14152.53.15.127
                                                                        Mar 4, 2025 04:20:39.508296013 CET5340533152.53.15.127192.168.2.14
                                                                        Mar 4, 2025 04:20:39.509785891 CET5360053192.168.2.14152.53.15.127
                                                                        Mar 4, 2025 04:20:39.527509928 CET5353600152.53.15.127192.168.2.14
                                                                        Mar 4, 2025 04:20:39.528925896 CET5453953192.168.2.14152.53.15.127
                                                                        Mar 4, 2025 04:20:39.546314001 CET5354539152.53.15.127192.168.2.14
                                                                        Mar 4, 2025 04:20:51.111329079 CET5170353192.168.2.1451.158.108.203
                                                                        Mar 4, 2025 04:20:51.127255917 CET535170351.158.108.203192.168.2.14
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type / Class | DNS over HTTPS
Mar 4, 2025 04:18:53.246635914 CET | 192.168.2.14 | 202.61.197.122 | 0x109b | Standard query (0) | watchmepull.dyn | A (IP address) / IN (0x0001) | false
Mar 4, 2025 04:19:04.502506018 CET | 192.168.2.14 | 202.61.197.122 | 0x605a | Standard query (0) | ohlookthereismyboats.geek | A (IP address) / IN (0x0001) | false
Mar 4, 2025 04:19:16.326899052 CET | 192.168.2.14 | 185.181.61.24 | 0xad13 | Standard query (0) | ohlookthereismyboats.geek | A (IP address) / IN (0x0001) | false
Mar 4, 2025 04:19:27.928302050 CET | 192.168.2.14 | 51.158.108.203 | 0x7c25 | Standard query (0) | watchmepull.dyn. [malformed] | 256324 | false
Mar 4, 2025 04:19:32.934978962 CET | 192.168.2.14 | 51.158.108.203 | 0x7c25 | Standard query (0) | watchmepull.dyn. [malformed] | 256325 | false
Mar 4, 2025 04:19:37.936681032 CET | 192.168.2.14 | 51.158.108.203 | 0x7c25 | Standard query (0) | watchmepull.dyn. [malformed] | 256334 | false
Mar 4, 2025 04:19:42.943439007 CET | 192.168.2.14 | 51.158.108.203 | 0x7c25 | Standard query (0) | watchmepull.dyn. [malformed] | 256339 | false
Mar 4, 2025 04:19:47.950432062 CET | 192.168.2.14 | 51.158.108.203 | 0x7c25 | Standard query (0) | watchmepull.dyn. [malformed] | 256344 | false
Mar 4, 2025 04:20:04.512953043 CET | 192.168.2.14 | 185.181.61.24 | 0xe105 | Standard query (0) | watchmepull.dyn. [malformed] | 256356 | false
Mar 4, 2025 04:20:04.551933050 CET | 192.168.2.14 | 185.181.61.24 | 0xe105 | Standard query (0) | watchmepull.dyn. [malformed] | 256356 | false
Mar 4, 2025 04:20:04.590727091 CET | 192.168.2.14 | 185.181.61.24 | 0xe105 | Standard query (0) | watchmepull.dyn. [malformed] | 256356 | false
Mar 4, 2025 04:20:04.629710913 CET | 192.168.2.14 | 185.181.61.24 | 0xe105 | Standard query (0) | watchmepull.dyn. [malformed] | 256356 | false
Mar 4, 2025 04:20:04.669159889 CET | 192.168.2.14 | 185.181.61.24 | 0xe105 | Standard query (0) | watchmepull.dyn. [malformed] | 256356 | false
Mar 4, 2025 04:20:16.288064957 CET | 192.168.2.14 | 152.53.15.127 | 0xec97 | Standard query (0) | watchmepull.dyn. [malformed] | 256368 | false
Mar 4, 2025 04:20:16.312690020 CET | 192.168.2.14 | 152.53.15.127 | 0xec97 | Standard query (0) | watchmepull.dyn. [malformed] | 256368 | false
Mar 4, 2025 04:20:16.337574005 CET | 192.168.2.14 | 152.53.15.127 | 0xec97 | Standard query (0) | watchmepull.dyn. [malformed] | 256368 | false
Mar 4, 2025 04:20:16.364023924 CET | 192.168.2.14 | 152.53.15.127 | 0xec97 | Standard query (0) | watchmepull.dyn. [malformed] | 256368 | false
Mar 4, 2025 04:20:16.388516903 CET | 192.168.2.14 | 152.53.15.127 | 0xec97 | Standard query (0) | watchmepull.dyn. [malformed] | 256368 | false
Mar 4, 2025 04:20:27.982584953 CET | 192.168.2.14 | 202.61.197.122 | 0x1682 | Standard query (0) | watchmepull.dyn. [malformed] | 256380 | false
Mar 4, 2025 04:20:28.002047062 CET | 192.168.2.14 | 202.61.197.122 | 0x1682 | Standard query (0) | watchmepull.dyn. [malformed] | 256380 | false
Mar 4, 2025 04:20:28.021596909 CET | 192.168.2.14 | 202.61.197.122 | 0x1682 | Standard query (0) | watchmepull.dyn. [malformed] | 256380 | false
Mar 4, 2025 04:20:28.040591002 CET | 192.168.2.14 | 202.61.197.122 | 0x1682 | Standard query (0) | watchmepull.dyn. [malformed] | 256380 | false
Mar 4, 2025 04:20:28.059343100 CET | 192.168.2.14 | 202.61.197.122 | 0x1682 | Standard query (0) | watchmepull.dyn. [malformed] | 256380 | false
Mar 4, 2025 04:20:39.452471018 CET | 192.168.2.14 | 152.53.15.127 | 0x566e | Standard query (0) | watchmepull.dyn. [malformed] | 256391 | false
Mar 4, 2025 04:20:39.471723080 CET | 192.168.2.14 | 152.53.15.127 | 0x566e | Standard query (0) | watchmepull.dyn. [malformed] | 256391 | false
Mar 4, 2025 04:20:39.490778923 CET | 192.168.2.14 | 152.53.15.127 | 0x566e | Standard query (0) | watchmepull.dyn. [malformed] | 256391 | false
Mar 4, 2025 04:20:39.509785891 CET | 192.168.2.14 | 152.53.15.127 | 0x566e | Standard query (0) | watchmepull.dyn. [malformed] | 256391 | false
Mar 4, 2025 04:20:39.528925896 CET | 192.168.2.14 | 152.53.15.127 | 0x566e | Standard query (0) | watchmepull.dyn. [malformed] | 256391 | false
Mar 4, 2025 04:20:51.111329079 CET | 192.168.2.14 | 51.158.108.203 | 0xbc24 | Standard query (0) | ohlookthereismyboats.geek | A (IP address) / IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type / Class | DNS over HTTPS
Mar 4, 2025 04:18:53.265223980 CET | 202.61.197.122 | 192.168.2.14 | 0x109b | No error (0) | watchmepull.dyn | | 185.159.74.127 | A (IP address) / IN (0x0001) | false
Mar 4, 2025 04:18:53.265223980 CET | 202.61.197.122 | 192.168.2.14 | 0x109b | No error (0) | watchmepull.dyn | | 46.19.143.10 | A (IP address) / IN (0x0001) | false
Mar 4, 2025 04:18:53.265223980 CET | 202.61.197.122 | 192.168.2.14 | 0x109b | No error (0) | watchmepull.dyn | | 45.147.251.145 | A (IP address) / IN (0x0001) | false
Mar 4, 2025 04:19:04.520512104 CET | 202.61.197.122 | 192.168.2.14 | 0x605a | No error (0) | ohlookthereismyboats.geek | | 46.19.143.10 | A (IP address) / IN (0x0001) | false
Mar 4, 2025 04:19:04.520512104 CET | 202.61.197.122 | 192.168.2.14 | 0x605a | No error (0) | ohlookthereismyboats.geek | | 45.147.251.145 | A (IP address) / IN (0x0001) | false
Mar 4, 2025 04:19:04.520512104 CET | 202.61.197.122 | 192.168.2.14 | 0x605a | No error (0) | ohlookthereismyboats.geek | | 185.159.74.127 | A (IP address) / IN (0x0001) | false
Mar 4, 2025 04:19:16.364315033 CET | 185.181.61.24 | 192.168.2.14 | 0xad13 | No error (0) | ohlookthereismyboats.geek | | 46.19.143.10 | A (IP address) / IN (0x0001) | false
Mar 4, 2025 04:20:16.311230898 CET | 152.53.15.127 | 192.168.2.14 | 0xec97 | Format error (1) | watchmepull.dyn. [malformed] | none | none | 256368 | false
Mar 4, 2025 04:20:16.336110115 CET | 152.53.15.127 | 192.168.2.14 | 0xec97 | Format error (1) | watchmepull.dyn. [malformed] | none | none | 256368 | false
Mar 4, 2025 04:20:16.362483978 CET | 152.53.15.127 | 192.168.2.14 | 0xec97 | Format error (1) | watchmepull.dyn. [malformed] | none | none | 256368 | false
Mar 4, 2025 04:20:16.387260914 CET | 152.53.15.127 | 192.168.2.14 | 0xec97 | Format error (1) | watchmepull.dyn. [malformed] | none | none | 256368 | false
Mar 4, 2025 04:20:16.406261921 CET | 152.53.15.127 | 192.168.2.14 | 0xec97 | Format error (1) | watchmepull.dyn. [malformed] | none | none | 256368 | false
Mar 4, 2025 04:20:39.470237017 CET | 152.53.15.127 | 192.168.2.14 | 0x566e | Format error (1) | watchmepull.dyn. [malformed] | none | none | 256391 | false
Mar 4, 2025 04:20:39.489327908 CET | 152.53.15.127 | 192.168.2.14 | 0x566e | Format error (1) | watchmepull.dyn. [malformed] | none | none | 256391 | false
Mar 4, 2025 04:20:39.508296013 CET | 152.53.15.127 | 192.168.2.14 | 0x566e | Format error (1) | watchmepull.dyn. [malformed] | none | none | 256391 | false
Mar 4, 2025 04:20:39.527509928 CET | 152.53.15.127 | 192.168.2.14 | 0x566e | Format error (1) | watchmepull.dyn. [malformed] | none | none | 256391 | false
Mar 4, 2025 04:20:39.546314001 CET | 152.53.15.127 | 192.168.2.14 | 0x566e | Format error (1) | watchmepull.dyn. [malformed] | none | none | 256391 | false
Mar 4, 2025 04:20:51.127255917 CET | 51.158.108.203 | 192.168.2.14 | 0xbc24 | No error (0) | ohlookthereismyboats.geek | | 1.2.3.4 | A (IP address) / IN (0x0001) | false

System Behavior

Start time (UTC): 03:18:51
Start date (UTC): 04/03/2025
Path: /tmp/zersh4.elf
Arguments: /tmp/zersh4.elf
File size: 4139976 bytes
MD5 hash: 8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC): 03:18:51
Start date (UTC): 04/03/2025
Path: /tmp/zersh4.elf
Arguments: -
File size: 4139976 bytes
MD5 hash: 8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC): 03:18:51
Start date (UTC): 04/03/2025
Path: /tmp/zersh4.elf
Arguments: -
File size: 4139976 bytes
MD5 hash: 8943e5f8f8c280467b4472c15ae93ba9