Linux
Analysis Report
zersh4.elf
Overview
General Information
Detection
Score: | 52 |
Range: | 0 - 100 |
Signatures
Multi AV Scanner detection for submitted file
Sends malformed DNS queries
Detected TCP or UDP traffic on non-standard ports
Sample has stripped symbol table
Sample listens on a socket
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1628737 |
Start date and time: | 2025-03-04 04:18:13 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 36s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultlinuxfilecookbook.jbs |
Analysis system description: | Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11) |
Analysis Mode: | default |
Sample name: | zersh4.elf |
Detection: | MAL |
Classification: | mal52.troj.linELF@0/0@29/0 |
Command: | /tmp/zersh4.elf |
PID: | 5510 |
Exit Code: | 0 |
Exit Code Info: | |
Killed: | False |
Standard Output: | gosh that chinese family at the other table sure ate a lot |
Standard Error: |
- system is lnxubuntu20
- zersh4.elf New Fork (PID: 5512, Parent: 5510)
- zersh4.elf New Fork (PID: 5514, Parent: 5512)
- cleanup
⊘No yara matches
⊘No Suricata rule has matched
- • AV Detection
- • Networking
- • System Summary
- • Malware Analysis System Evasion
AV Detection |
---|
Multi AV Scanner detection for submitted file: | Virustotal (perma link), ReversingLabs |
Networking |
---|
DNS traffic detected: | 4 entries |
TCP traffic: | 5 entries |
Socket (sample listens on a socket): | 1 entry |
TCP traffic detected without corresponding DNS query: | 2 entries |
UDP traffic detected without corresponding DNS query: | 29 entries |
Network traffic detected: | 1 entry |
System Summary |
---|
.symtab present: | no (the section header table below lists no .symtab; the sample is stripped) |
Classification label: | mal52.troj.linELF@0/0@29/0 |
Malware Analysis System Evasion |
---|
Queries kernel information via 'uname': | 1 entry |
Binary or memory string: | 4 entries |
MITRE ATT&CK techniques matched
Tactic | Technique |
---|---|
Discovery | Security Software Discovery |
Command and Control | Encrypted Channel |
Command and Control | Non-Standard Port |
Command and Control | Non-Application Layer Protocol |
Command and Control | Application Layer Protocol |
⊘No configs have been found
Source | Detection | Scanner | Label |
---|---|---|---|
zersh4.elf | 25% | Virustotal | |
zersh4.elf | 24% | ReversingLabs | Linux.Backdoor.Gafgyt |
⊘No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
watchmepull.dyn | 185.159.74.127 | true | false | | high |
ohlookthereismyboats.geek | 46.19.143.10 | true | false | | high |
watchmepull.dyn. [malformed] | unknown | unknown | false | | high |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
46.19.143.10 | ohlookthereismyboats.geek | Switzerland | 51852 | PLI-ASCH | false |
1.2.3.4 | unknown | Australia | 13335 | CLOUDFLARENETUS | false |
185.125.190.26 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false |
185.159.74.127 | watchmepull.dyn | Georgia | 59447 | SAYFANETTR | false |
45.147.251.145 | unknown | Germany | 197518 | RACKMARKTES | false |
Match | Other analysed samples contacting this IP | Threat names among those samples (number of samples tagged) |
---|---|---|
46.19.143.10 | 10, all malicious | Unknown (10) |
1.2.3.4 | 10, all malicious | Okiru (4), AveMaria (4), UACMe (4), Mirai (2), Metasploit (1), PrivateLoader (1), DBatLoader (1), Unknown (1) |
185.125.190.26 | 10, all malicious | Mirai (5), Prometei (4), Gafgyt (1), Unknown (1) |
185.159.74.127 | 2, all malicious | Unknown (2) |
Match | Other analysed samples contacting this domain | Threat names among those samples (number of samples tagged) |
---|---|---|
ohlookthereismyboats.geek | 10, all malicious | Unknown (10) |
Match | Other analysed samples contacting this ASN | Threat names among those samples (number of samples tagged) |
---|---|---|
CANONICAL-ASGB | 10, all malicious | Prometei (7), Unknown (3) |
PLI-ASCH | 10, all malicious | Unknown (10) |
CLOUDFLARENETUS | 10, all malicious | Babadeda (1), GuLoader (1), Snake Keylogger (1), Amadey (1), LummaC Stealer (1), Stealc (1), DCRat (1), Unknown (6) |
SAYFANETTR | 10, all malicious | Mirai (5), Unknown (5) |
⊘No context
⊘No created / dropped files found
File type: | |
Entropy (8bit): | 6.777674415793993 |
TrID: | |
File name: | zersh4.elf |
File size: | 46'456 bytes |
MD5: | 582bcf4c37d09ce279738983deca4c70 |
SHA1: | 0970e5ddd6029c778356f5307e3fd5f50dd75c6e |
SHA256: | 9e3e6d44561de4323555393fe64d240a81b3150b483b8b8ef5a9272bb9365627 |
SHA512: | 3891f4308b92ca6e40e9d5a7b69115fc5da3818b6ca6df5a69e8a915551b644011544a4cb8596291bc4f2343e178e7e94facd9ee5527b0c92fb2756791e9cdfb |
SSDEEP: | 768:KabwtjUpTiPqmUHYqy9kK6IwNTTfgF1ChoRUMnJCDciN9P:Kabwtj7zoZy667/RRHnJCD |
TLSH: | 95237EA2C46EEDD0C55942B4B935DE7827A3E404C2933EFB5A4AC6668007DACF60D3F5 |
File Content Preview: | .ELF..............*.......@.4...........4. ...(...............@...@...........................A...A......%..........Q.td............................././"O.n........#.*@........#.*@L....o&O.n...l..............................././.../.a"O.!...n...a.b("...q. |
ELF header | |
---|---|
Class: | |
Data: | |
Version: | |
Machine: | |
Version Number: | |
Type: | |
OS/ABI: | |
ABI Version: | 0 |
Entry Point Address: | |
Flags: | |
ELF Header Size: | 52 |
Program Header Offset: | 52 |
Program Header Size: | 32 |
Number of Program Headers: | 3 |
Section Header Offset: | 46016 |
Section Header Size: | 40 |
Number of Section Headers: | 11 |
Header String Table Index: | 10 |
Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align |
---|---|---|---|---|---|---|---|---|---|---|
| NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0 |
.init | PROGBITS | 0x400094 | 0x94 | 0x30 | 0x0 | 0x6 | AX | 0 | 0 | 4 |
.text | PROGBITS | 0x4000e0 | 0xe0 | 0xa760 | 0x0 | 0x6 | AX | 0 | 0 | 32 |
.fini | PROGBITS | 0x40a840 | 0xa840 | 0x24 | 0x0 | 0x6 | AX | 0 | 0 | 4 |
.rodata | PROGBITS | 0x40a864 | 0xa864 | 0x81c | 0x0 | 0x2 | A | 0 | 0 | 4 |
.ctors | PROGBITS | 0x41b084 | 0xb084 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.dtors | PROGBITS | 0x41b08c | 0xb08c | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.jcr | PROGBITS | 0x41b094 | 0xb094 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.data | PROGBITS | 0x41b098 | 0xb098 | 0x2e4 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.bss | NOBITS | 0x41b37c | 0xb37c | 0x2288 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.shstrtab | STRTAB | 0x0 | 0xb37c | 0x43 | 0x0 | 0x0 | | 0 | 0 | 1 |
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings |
---|---|---|---|---|---|---|---|---|---|---|---|
LOAD | 0x0 | 0x400000 | 0x400000 | 0xb080 | 0xb080 | 6.8470 | 0x5 | R E | 0x10000 | | .init .text .fini .rodata |
LOAD | 0xb084 | 0x41b084 | 0x41b084 | 0x2f8 | 0x2580 | 2.2174 | 0x6 | RW | 0x10000 | | .ctors .dtors .jcr .data .bss |
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 | | |
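The program header table records a GNU_STACK segment with flags 0x7 (RWE), i.e. the loader is asked for an executable stack, and the section table contains no .symtab, which is what the "stripped symbol table" signature reports. The following is an added example, not code from the report or from the sample: it parses ELF32 program and section headers with nothing but the struct module and reports both conditions, plus any writable-and-executable LOAD segment. Because the sample's bytes are not on this page, it is run on a minimal ELF32 image constructed in build_image(); the machine type (EM_NONE), addresses and sizes in that image are placeholders with no relation to zersh4.elf.

```python
"""ELF32 hardening checks: executable stack (PT_GNU_STACK flags) and
stripped symbol table (no SHT_SYMTAB section). Added example; the image
it runs on is constructed below, it is not the sample from the report."""
import struct

PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
SHT_SYMTAB, SHT_STRTAB = 2, 3


def flags_str(f):
    """readelf-style flag column: 7 -> 'RWE', 5 -> 'R E', 6 -> 'RW'."""
    return (("R" if f & PF_R else " ") + ("W" if f & PF_W else " ")
            + ("E" if f & PF_X else " ")).rstrip()


def parse_elf32(data):
    """Return the ELF32 header fields plus raw program/section header tuples.
    Byte order is taken from EI_DATA so big-endian targets parse too."""
    if data[:4] != b"\x7fELF" or data[4] != 1:          # EI_CLASS 1 = ELFCLASS32
        raise ValueError("not an ELF32 image")
    end = "<" if data[5] == 1 else ">"                    # EI_DATA 1 = LSB, 2 = MSB
    (e_type, e_machine, _, e_entry, e_phoff, e_shoff, _, e_ehsize, e_phentsize,
     e_phnum, e_shentsize, e_shnum, e_shstrndx) = struct.unpack(end + "HHIIIIIHHHHHH", data[16:52])
    if e_ehsize != 52 or e_phentsize != 32 or e_shentsize != 40:
        raise ValueError("header sizes are not those of ELF32")
    # Phdr32: p_type p_offset p_vaddr p_paddr p_filesz p_memsz p_flags p_align
    phdrs = [struct.unpack(end + "8I", data[e_phoff + i * 32:e_phoff + (i + 1) * 32])
             for i in range(e_phnum)]
    # Shdr32: sh_name sh_type sh_flags sh_addr sh_offset sh_size sh_link sh_info sh_addralign sh_entsize
    shdrs = [struct.unpack(end + "10I", data[e_shoff + i * 40:e_shoff + (i + 1) * 40])
             for i in range(e_shnum)]
    return {"type": e_type, "machine": e_machine, "entry": e_entry,
            "phdrs": phdrs, "shdrs": shdrs, "shstrndx": e_shstrndx}


def findings(data):
    """Human-readable list of the hardening problems found; empty if none."""
    elf = parse_elf32(data)
    out = []
    stack = [p for p in elf["phdrs"] if p[0] == PT_GNU_STACK]
    if not stack:
        out.append("no PT_GNU_STACK header (stack executability is the platform default, historically executable)")
    elif stack[0][6] & PF_X:
        out.append(f"executable stack: PT_GNU_STACK flags {flags_str(stack[0][6])}")
    for p in elf["phdrs"]:
        if p[0] == PT_LOAD and p[6] & PF_W and p[6] & PF_X:
            out.append(f"writable and executable LOAD segment at 0x{p[2]:x}")
    if not any(s[1] == SHT_SYMTAB for s in elf["shdrs"]):
        out.append("no SHT_SYMTAB section: symbol table stripped")
    return out


def build_image(stack_flags=PF_R | PF_W | PF_X, with_symtab=False):
    """Minimal little-endian ELF32 executable: one R E LOAD segment, one
    GNU_STACK segment, a section table with or without .symtab. Constructed
    for this demo; machine type 0 (EM_NONE) and all addresses are placeholders."""
    shstr = b"\x00.shstrtab\x00.symtab\x00"
    phdrs = [(PT_LOAD, 0, 0x400000, 0x400000, 0x1000, 0x1000, PF_R | PF_X, 0x10000),
             (PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 4)]
    e_phoff = 52
    shstr_off = e_phoff + 32 * len(phdrs)
    e_shoff = shstr_off + len(shstr)
    shdrs = [(0,) * 10,                                             # mandatory NULL section
             (1, SHT_STRTAB, 0, 0, shstr_off, len(shstr), 0, 0, 1, 0)]
    if with_symtab:
        shdrs.append((11, SHT_SYMTAB, 0, 0, 0, 0, 1, 0, 4, 16))
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)   # ELF32, LSB, version 1, SYSV ABI
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 0, 1, 0x400000, e_phoff, e_shoff,
                               0, 52, 32, len(phdrs), 40, len(shdrs), 1)
    body = b"".join(struct.pack("<8I", *p) for p in phdrs) + shstr
    body += b"".join(struct.pack("<10I", *s) for s in shdrs)
    return ehdr + body


if __name__ == "__main__":
    for line in findings(build_image()):
        print(line)
```

Run against a real file with `findings(open(path, "rb").read())`; checking for SHT_SYMTAB by section type rather than by the name ".symtab" keeps the check honest when section names have been renamed or the string table damaged.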
- Total Packets: 77
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 4, 2025 04:18:53.267009020 CET | 36000 | 1440 | 192.168.2.14 | 45.147.251.145 |
Mar 4, 2025 04:18:53.271964073 CET | 1440 | 36000 | 45.147.251.145 | 192.168.2.14 |
Mar 4, 2025 04:18:53.272037983 CET | 36000 | 1440 | 192.168.2.14 | 45.147.251.145 |
Mar 4, 2025 04:18:53.273195982 CET | 36000 | 1440 | 192.168.2.14 | 45.147.251.145 |
Mar 4, 2025 04:18:53.279695034 CET | 1440 | 36000 | 45.147.251.145 | 192.168.2.14 |
Mar 4, 2025 04:18:53.279751062 CET | 36000 | 1440 | 192.168.2.14 | 45.147.251.145 |
Mar 4, 2025 04:18:53.285254955 CET | 1440 | 36000 | 45.147.251.145 | 192.168.2.14 |
Mar 4, 2025 04:19:03.283102989 CET | 36000 | 1440 | 192.168.2.14 | 45.147.251.145 |
Mar 4, 2025 04:19:03.288182974 CET | 1440 | 36000 | 45.147.251.145 | 192.168.2.14 |
Mar 4, 2025 04:19:03.497807980 CET | 1440 | 36000 | 45.147.251.145 | 192.168.2.14 |
Mar 4, 2025 04:19:03.498191118 CET | 36000 | 1440 | 192.168.2.14 | 45.147.251.145 |
Mar 4, 2025 04:19:03.503129005 CET | 1440 | 36000 | 45.147.251.145 | 192.168.2.14 |
Mar 4, 2025 04:19:03.718519926 CET | 46540 | 443 | 192.168.2.14 | 185.125.190.26 |
Mar 4, 2025 04:19:04.521691084 CET | 55468 | 1440 | 192.168.2.14 | 185.159.74.127 |
Mar 4, 2025 04:19:04.526658058 CET | 1440 | 55468 | 185.159.74.127 | 192.168.2.14 |
Mar 4, 2025 04:19:04.526752949 CET | 55468 | 1440 | 192.168.2.14 | 185.159.74.127 |
Mar 4, 2025 04:19:04.528152943 CET | 55468 | 1440 | 192.168.2.14 | 185.159.74.127 |
Mar 4, 2025 04:19:04.533236980 CET | 1440 | 55468 | 185.159.74.127 | 192.168.2.14 |
Mar 4, 2025 04:19:04.533291101 CET | 55468 | 1440 | 192.168.2.14 | 185.159.74.127 |
Mar 4, 2025 04:19:04.538333893 CET | 1440 | 55468 | 185.159.74.127 | 192.168.2.14 |
Mar 4, 2025 04:19:15.323864937 CET | 1440 | 55468 | 185.159.74.127 | 192.168.2.14 |
Mar 4, 2025 04:19:15.324091911 CET | 55468 | 1440 | 192.168.2.14 | 185.159.74.127 |
Mar 4, 2025 04:19:15.329148054 CET | 1440 | 55468 | 185.159.74.127 | 192.168.2.14 |
Mar 4, 2025 04:19:16.365210056 CET | 47102 | 1440 | 192.168.2.14 | 46.19.143.10 |
Mar 4, 2025 04:19:16.370254993 CET | 1440 | 47102 | 46.19.143.10 | 192.168.2.14 |
Mar 4, 2025 04:19:16.370340109 CET | 47102 | 1440 | 192.168.2.14 | 46.19.143.10 |
Mar 4, 2025 04:19:16.371609926 CET | 47102 | 1440 | 192.168.2.14 | 46.19.143.10 |
Mar 4, 2025 04:19:16.376631021 CET | 1440 | 47102 | 46.19.143.10 | 192.168.2.14 |
Mar 4, 2025 04:19:16.376693964 CET | 47102 | 1440 | 192.168.2.14 | 46.19.143.10 |
Mar 4, 2025 04:19:16.382318974 CET | 1440 | 47102 | 46.19.143.10 | 192.168.2.14 |
Mar 4, 2025 04:19:26.923996925 CET | 1440 | 47102 | 46.19.143.10 | 192.168.2.14 |
Mar 4, 2025 04:19:26.924406052 CET | 47102 | 1440 | 192.168.2.14 | 46.19.143.10 |
Mar 4, 2025 04:19:26.929383993 CET | 1440 | 47102 | 46.19.143.10 | 192.168.2.14 |
Mar 4, 2025 04:19:33.669559956 CET | 46540 | 443 | 192.168.2.14 | 185.125.190.26 |
Mar 4, 2025 04:19:52.956748962 CET | 47104 | 1440 | 192.168.2.14 | 46.19.143.10 |
Mar 4, 2025 04:19:52.961915016 CET | 1440 | 47104 | 46.19.143.10 | 192.168.2.14 |
Mar 4, 2025 04:19:52.961983919 CET | 47104 | 1440 | 192.168.2.14 | 46.19.143.10 |
Mar 4, 2025 04:19:52.963376045 CET | 47104 | 1440 | 192.168.2.14 | 46.19.143.10 |
Mar 4, 2025 04:19:52.968381882 CET | 1440 | 47104 | 46.19.143.10 | 192.168.2.14 |
Mar 4, 2025 04:19:52.968472958 CET | 47104 | 1440 | 192.168.2.14 | 46.19.143.10 |
Mar 4, 2025 04:19:52.973452091 CET | 1440 | 47104 | 46.19.143.10 | 192.168.2.14 |
Mar 4, 2025 04:20:03.509629011 CET | 1440 | 47104 | 46.19.143.10 | 192.168.2.14 |
Mar 4, 2025 04:20:03.509938955 CET | 47104 | 1440 | 192.168.2.14 | 46.19.143.10 |
Mar 4, 2025 04:20:03.515012980 CET | 1440 | 47104 | 46.19.143.10 | 192.168.2.14 |
Mar 4, 2025 04:20:04.707732916 CET | 47106 | 1440 | 192.168.2.14 | 46.19.143.10 |
Mar 4, 2025 04:20:04.712980986 CET | 1440 | 47106 | 46.19.143.10 | 192.168.2.14 |
Mar 4, 2025 04:20:04.713068008 CET | 47106 | 1440 | 192.168.2.14 | 46.19.143.10 |
Mar 4, 2025 04:20:04.714234114 CET | 47106 | 1440 | 192.168.2.14 | 46.19.143.10 |
Mar 4, 2025 04:20:04.719285011 CET | 1440 | 47106 | 46.19.143.10 | 192.168.2.14 |
Mar 4, 2025 04:20:04.719352007 CET | 47106 | 1440 | 192.168.2.14 | 46.19.143.10 |
Mar 4, 2025 04:20:04.724422932 CET | 1440 | 47106 | 46.19.143.10 | 192.168.2.14 |
Mar 4, 2025 04:20:15.284322023 CET | 1440 | 47106 | 46.19.143.10 | 192.168.2.14 |
Mar 4, 2025 04:20:15.284487963 CET | 47106 | 1440 | 192.168.2.14 | 46.19.143.10 |
Mar 4, 2025 04:20:15.289508104 CET | 1440 | 47106 | 46.19.143.10 | 192.168.2.14 |
Mar 4, 2025 04:20:16.407010078 CET | 47108 | 1440 | 192.168.2.14 | 46.19.143.10 |
Mar 4, 2025 04:20:16.412040949 CET | 1440 | 47108 | 46.19.143.10 | 192.168.2.14 |
Mar 4, 2025 04:20:16.412110090 CET | 47108 | 1440 | 192.168.2.14 | 46.19.143.10 |
Mar 4, 2025 04:20:16.413402081 CET | 47108 | 1440 | 192.168.2.14 | 46.19.143.10 |
Mar 4, 2025 04:20:16.418437958 CET | 1440 | 47108 | 46.19.143.10 | 192.168.2.14 |
Mar 4, 2025 04:20:16.418509007 CET | 47108 | 1440 | 192.168.2.14 | 46.19.143.10 |
Mar 4, 2025 04:20:16.423528910 CET | 1440 | 47108 | 46.19.143.10 | 192.168.2.14 |
Mar 4, 2025 04:20:26.978157043 CET | 1440 | 47108 | 46.19.143.10 | 192.168.2.14 |
Mar 4, 2025 04:20:26.978682995 CET | 47108 | 1440 | 192.168.2.14 | 46.19.143.10 |
Mar 4, 2025 04:20:26.983717918 CET | 1440 | 47108 | 46.19.143.10 | 192.168.2.14 |
Mar 4, 2025 04:20:28.078334093 CET | 47110 | 1440 | 192.168.2.14 | 46.19.143.10 |
Mar 4, 2025 04:20:28.083401918 CET | 1440 | 47110 | 46.19.143.10 | 192.168.2.14 |
Mar 4, 2025 04:20:28.083484888 CET | 47110 | 1440 | 192.168.2.14 | 46.19.143.10 |
Mar 4, 2025 04:20:28.084729910 CET | 47110 | 1440 | 192.168.2.14 | 46.19.143.10 |
Mar 4, 2025 04:20:28.089756012 CET | 1440 | 47110 | 46.19.143.10 | 192.168.2.14 |
Mar 4, 2025 04:20:28.089818954 CET | 47110 | 1440 | 192.168.2.14 | 46.19.143.10 |
Mar 4, 2025 04:20:28.095128059 CET | 1440 | 47110 | 46.19.143.10 | 192.168.2.14 |
Mar 4, 2025 04:20:38.094691038 CET | 47110 | 1440 | 192.168.2.14 | 46.19.143.10 |
Mar 4, 2025 04:20:38.168463945 CET | 1440 | 47110 | 46.19.143.10 | 192.168.2.14 |
Mar 4, 2025 04:20:38.448421001 CET | 1440 | 47110 | 46.19.143.10 | 192.168.2.14 |
Mar 4, 2025 04:20:38.448832035 CET | 47110 | 1440 | 192.168.2.14 | 46.19.143.10 |
Mar 4, 2025 04:20:38.453947067 CET | 1440 | 47110 | 46.19.143.10 | 192.168.2.14 |
Mar 4, 2025 04:20:39.547256947 CET | 47112 | 1440 | 192.168.2.14 | 46.19.143.10 |
Mar 4, 2025 04:20:39.552485943 CET | 1440 | 47112 | 46.19.143.10 | 192.168.2.14 |
Mar 4, 2025 04:20:39.552615881 CET | 47112 | 1440 | 192.168.2.14 | 46.19.143.10 |
Mar 4, 2025 04:20:39.554033041 CET | 47112 | 1440 | 192.168.2.14 | 46.19.143.10 |
Mar 4, 2025 04:20:39.559087038 CET | 1440 | 47112 | 46.19.143.10 | 192.168.2.14 |
Mar 4, 2025 04:20:39.559165001 CET | 47112 | 1440 | 192.168.2.14 | 46.19.143.10 |
Mar 4, 2025 04:20:39.564255953 CET | 1440 | 47112 | 46.19.143.10 | 192.168.2.14 |
Mar 4, 2025 04:20:50.107472897 CET | 1440 | 47112 | 46.19.143.10 | 192.168.2.14 |
Mar 4, 2025 04:20:50.107739925 CET | 47112 | 1440 | 192.168.2.14 | 46.19.143.10 |
Mar 4, 2025 04:20:50.112835884 CET | 1440 | 47112 | 46.19.143.10 | 192.168.2.14 |
Mar 4, 2025 04:20:51.127912998 CET | 37176 | 1440 | 192.168.2.14 | 1.2.3.4 |
Mar 4, 2025 04:20:51.132898092 CET | 1440 | 37176 | 1.2.3.4 | 192.168.2.14 |
Mar 4, 2025 04:20:51.132991076 CET | 37176 | 1440 | 192.168.2.14 | 1.2.3.4 |
Mar 4, 2025 04:20:51.134171009 CET | 37176 | 1440 | 192.168.2.14 | 1.2.3.4 |
Mar 4, 2025 04:20:51.139209986 CET | 1440 | 37176 | 1.2.3.4 | 192.168.2.14 |
Mar 4, 2025 04:20:51.139292002 CET | 37176 | 1440 | 192.168.2.14 | 1.2.3.4 |
Mar 4, 2025 04:20:51.144334078 CET | 1440 | 37176 | 1.2.3.4 | 192.168.2.14 |
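Every session the sample opens in the TCP table above goes to port 1440, the peer rotating among the addresses returned by the DNS answers (the first two lookups each returned three A records), and a new session starts roughly 11 to 12 seconds after the previous one; the single longer gap, from 04:19:16 to 04:19:52, lines up with the five unanswered queries to 51.158.108.203 in the UDP table. The following is an added example, not part of the Joe Sandbox report: it parses a subset of the rows copied from the table above, reduces each client-initiated flow to its first packet, and measures the reconnect cadence per destination port. The port allow-list is an assumption for the demo; the 443 flow to the CANONICAL-ASGB address is kept out of the flagged set by it.

```python
"""Reconnect-cadence analysis over rows from the report's TCP packet table.
Added example; the rows below are a subset copied from the table, the
parsing and scoring are not the report's own."""
import re
import statistics
from datetime import datetime

TCP_ROWS = """
Mar 4, 2025 04:18:53.267009020 CET | 36000 | 1440 | 192.168.2.14 | 45.147.251.145
Mar 4, 2025 04:18:53.271964073 CET | 1440 | 36000 | 45.147.251.145 | 192.168.2.14
Mar 4, 2025 04:19:03.283102989 CET | 36000 | 1440 | 192.168.2.14 | 45.147.251.145
Mar 4, 2025 04:19:03.718519926 CET | 46540 | 443 | 192.168.2.14 | 185.125.190.26
Mar 4, 2025 04:19:04.521691084 CET | 55468 | 1440 | 192.168.2.14 | 185.159.74.127
Mar 4, 2025 04:19:16.365210056 CET | 47102 | 1440 | 192.168.2.14 | 46.19.143.10
Mar 4, 2025 04:19:33.669559956 CET | 46540 | 443 | 192.168.2.14 | 185.125.190.26
Mar 4, 2025 04:19:52.956748962 CET | 47104 | 1440 | 192.168.2.14 | 46.19.143.10
Mar 4, 2025 04:20:04.707732916 CET | 47106 | 1440 | 192.168.2.14 | 46.19.143.10
Mar 4, 2025 04:20:16.407010078 CET | 47108 | 1440 | 192.168.2.14 | 46.19.143.10
Mar 4, 2025 04:20:28.078334093 CET | 47110 | 1440 | 192.168.2.14 | 46.19.143.10
Mar 4, 2025 04:20:39.547256947 CET | 47112 | 1440 | 192.168.2.14 | 46.19.143.10
Mar 4, 2025 04:20:51.127912998 CET | 37176 | 1440 | 192.168.2.14 | 1.2.3.4
""".strip().splitlines()

TS_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d)\.(\d+) \w+$")
EPOCH = datetime(1970, 1, 1)


def parse_ts(text):
    """Joe Sandbox prints nanoseconds; strptime stops at microseconds, so the
    fraction is parsed separately. All rows share one zone, so it is ignored."""
    m = TS_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    whole = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    return (whole - EPOCH).total_seconds() + float("0." + m.group(2))


def connection_starts(rows, client="192.168.2.14"):
    """First packet of every flow the client opened: (time, sport, dst, dport).
    Later packets of the same flow (retransmits, data, FIN) are dropped."""
    seen, starts = set(), []
    for row in rows:
        ts, sport, dport, src, dst = (c.strip() for c in row.split("|"))
        if src != client:
            continue
        key = (int(sport), dst, int(dport))
        if key not in seen:
            seen.add(key)
            starts.append((parse_ts(ts), int(sport), dst, int(dport)))
    return sorted(starts)


def non_standard_ports(starts, allow=frozenset({22, 53, 80, 123, 443})):
    """Destination ports outside the allow-list (the list is a demo assumption)."""
    return sorted({dport for _, _, _, dport in starts if dport not in allow})


def beacon_report(starts, dport, tolerance=0.15):
    """Reconnect cadence to one port across all peers. A short, stable median
    gap with most gaps inside the tolerance band is a bot's reconnect loop;
    the outlier gaps are what the analyst has to explain separately."""
    times = [t for t, _, _, p in starts if p == dport]
    gaps = [round(b - a, 3) for a, b in zip(times, times[1:])]
    if not gaps:
        return None
    median = statistics.median(gaps)
    band = tolerance * median
    return {
        "connections": len(times),
        "peers": sorted({dst for _, _, dst, p in starts if p == dport}),
        "median_gap_s": median,
        "regular_fraction": sum(abs(g - median) <= band for g in gaps) / len(gaps),
        "outlier_gaps_s": [g for g in gaps if abs(g - median) > band],
    }


if __name__ == "__main__":
    starts = connection_starts(TCP_ROWS)
    for port in non_standard_ports(starts):
        print(port, beacon_report(starts, port))
```

On these rows the port 1440 report shows nine sessions to four peers with a median gap near 11.7 s, seven of the eight gaps inside the band and one outlier of about 36.6 s, which is the failed-resolution cycle noted above.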
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 4, 2025 04:18:53.246635914 CET | 42806 | 53 | 192.168.2.14 | 202.61.197.122 |
Mar 4, 2025 04:18:53.265223980 CET | 53 | 42806 | 202.61.197.122 | 192.168.2.14 |
Mar 4, 2025 04:19:04.502506018 CET | 49865 | 53 | 192.168.2.14 | 202.61.197.122 |
Mar 4, 2025 04:19:04.520512104 CET | 53 | 49865 | 202.61.197.122 | 192.168.2.14 |
Mar 4, 2025 04:19:16.326899052 CET | 52903 | 53 | 192.168.2.14 | 185.181.61.24 |
Mar 4, 2025 04:19:16.364315033 CET | 53 | 52903 | 185.181.61.24 | 192.168.2.14 |
Mar 4, 2025 04:19:27.928302050 CET | 40112 | 53 | 192.168.2.14 | 51.158.108.203 |
Mar 4, 2025 04:19:32.934978962 CET | 36142 | 53 | 192.168.2.14 | 51.158.108.203 |
Mar 4, 2025 04:19:37.936681032 CET | 58500 | 53 | 192.168.2.14 | 51.158.108.203 |
Mar 4, 2025 04:19:42.943439007 CET | 39975 | 53 | 192.168.2.14 | 51.158.108.203 |
Mar 4, 2025 04:19:47.950432062 CET | 53428 | 53 | 192.168.2.14 | 51.158.108.203 |
Mar 4, 2025 04:20:04.512953043 CET | 41671 | 53 | 192.168.2.14 | 185.181.61.24 |
Mar 4, 2025 04:20:04.550553083 CET | 53 | 41671 | 185.181.61.24 | 192.168.2.14 |
Mar 4, 2025 04:20:04.551933050 CET | 58111 | 53 | 192.168.2.14 | 185.181.61.24 |
Mar 4, 2025 04:20:04.589448929 CET | 53 | 58111 | 185.181.61.24 | 192.168.2.14 |
Mar 4, 2025 04:20:04.590727091 CET | 52075 | 53 | 192.168.2.14 | 185.181.61.24 |
Mar 4, 2025 04:20:04.628216028 CET | 53 | 52075 | 185.181.61.24 | 192.168.2.14 |
Mar 4, 2025 04:20:04.629710913 CET | 57628 | 53 | 192.168.2.14 | 185.181.61.24 |
Mar 4, 2025 04:20:04.667335033 CET | 53 | 57628 | 185.181.61.24 | 192.168.2.14 |
Mar 4, 2025 04:20:04.669159889 CET | 43331 | 53 | 192.168.2.14 | 185.181.61.24 |
Mar 4, 2025 04:20:04.706676960 CET | 53 | 43331 | 185.181.61.24 | 192.168.2.14 |
Mar 4, 2025 04:20:16.288064957 CET | 37683 | 53 | 192.168.2.14 | 152.53.15.127 |
Mar 4, 2025 04:20:16.311230898 CET | 53 | 37683 | 152.53.15.127 | 192.168.2.14 |
Mar 4, 2025 04:20:16.312690020 CET | 45003 | 53 | 192.168.2.14 | 152.53.15.127 |
Mar 4, 2025 04:20:16.336110115 CET | 53 | 45003 | 152.53.15.127 | 192.168.2.14 |
Mar 4, 2025 04:20:16.337574005 CET | 56860 | 53 | 192.168.2.14 | 152.53.15.127 |
Mar 4, 2025 04:20:16.362483978 CET | 53 | 56860 | 152.53.15.127 | 192.168.2.14 |
Mar 4, 2025 04:20:16.364023924 CET | 44524 | 53 | 192.168.2.14 | 152.53.15.127 |
Mar 4, 2025 04:20:16.387260914 CET | 53 | 44524 | 152.53.15.127 | 192.168.2.14 |
Mar 4, 2025 04:20:16.388516903 CET | 36707 | 53 | 192.168.2.14 | 152.53.15.127 |
Mar 4, 2025 04:20:16.406261921 CET | 53 | 36707 | 152.53.15.127 | 192.168.2.14 |
Mar 4, 2025 04:20:27.982584953 CET | 53691 | 53 | 192.168.2.14 | 202.61.197.122 |
Mar 4, 2025 04:20:28.000433922 CET | 53 | 53691 | 202.61.197.122 | 192.168.2.14 |
Mar 4, 2025 04:20:28.002047062 CET | 57014 | 53 | 192.168.2.14 | 202.61.197.122 |
Mar 4, 2025 04:20:28.019984007 CET | 53 | 57014 | 202.61.197.122 | 192.168.2.14 |
Mar 4, 2025 04:20:28.021596909 CET | 38316 | 53 | 192.168.2.14 | 202.61.197.122 |
Mar 4, 2025 04:20:28.039211035 CET | 53 | 38316 | 202.61.197.122 | 192.168.2.14 |
Mar 4, 2025 04:20:28.040591002 CET | 59865 | 53 | 192.168.2.14 | 202.61.197.122 |
Mar 4, 2025 04:20:28.058168888 CET | 53 | 59865 | 202.61.197.122 | 192.168.2.14 |
Mar 4, 2025 04:20:28.059343100 CET | 59990 | 53 | 192.168.2.14 | 202.61.197.122 |
Mar 4, 2025 04:20:28.077596903 CET | 53 | 59990 | 202.61.197.122 | 192.168.2.14 |
Mar 4, 2025 04:20:39.452471018 CET | 36708 | 53 | 192.168.2.14 | 152.53.15.127 |
Mar 4, 2025 04:20:39.470237017 CET | 53 | 36708 | 152.53.15.127 | 192.168.2.14 |
Mar 4, 2025 04:20:39.471723080 CET | 58397 | 53 | 192.168.2.14 | 152.53.15.127 |
Mar 4, 2025 04:20:39.489327908 CET | 53 | 58397 | 152.53.15.127 | 192.168.2.14 |
Mar 4, 2025 04:20:39.490778923 CET | 40533 | 53 | 192.168.2.14 | 152.53.15.127 |
Mar 4, 2025 04:20:39.508296013 CET | 53 | 40533 | 152.53.15.127 | 192.168.2.14 |
Mar 4, 2025 04:20:39.509785891 CET | 53600 | 53 | 192.168.2.14 | 152.53.15.127 |
Mar 4, 2025 04:20:39.527509928 CET | 53 | 53600 | 152.53.15.127 | 192.168.2.14 |
Mar 4, 2025 04:20:39.528925896 CET | 54539 | 53 | 192.168.2.14 | 152.53.15.127 |
Mar 4, 2025 04:20:39.546314001 CET | 53 | 54539 | 152.53.15.127 | 192.168.2.14 |
Mar 4, 2025 04:20:51.111329079 CET | 51703 | 53 | 192.168.2.14 | 51.158.108.203 |
Mar 4, 2025 04:20:51.127255917 CET | 53 | 51703 | 51.158.108.203 | 192.168.2.14 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Mar 4, 2025 04:18:53.246635914 CET | 192.168.2.14 | 202.61.197.122 | 0x109b | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 4, 2025 04:19:04.502506018 CET | 192.168.2.14 | 202.61.197.122 | 0x605a | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 4, 2025 04:19:16.326899052 CET | 192.168.2.14 | 185.181.61.24 | 0xad13 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 4, 2025 04:19:27.928302050 CET | 192.168.2.14 | 51.158.108.203 | 0x7c25 | Standard query (0) | | 256 | 324 | false |
Mar 4, 2025 04:19:32.934978962 CET | 192.168.2.14 | 51.158.108.203 | 0x7c25 | Standard query (0) | | 256 | 325 | false |
Mar 4, 2025 04:19:37.936681032 CET | 192.168.2.14 | 51.158.108.203 | 0x7c25 | Standard query (0) | | 256 | 334 | false |
Mar 4, 2025 04:19:42.943439007 CET | 192.168.2.14 | 51.158.108.203 | 0x7c25 | Standard query (0) | | 256 | 339 | false |
Mar 4, 2025 04:19:47.950432062 CET | 192.168.2.14 | 51.158.108.203 | 0x7c25 | Standard query (0) | | 256 | 344 | false |
Mar 4, 2025 04:20:04.512953043 CET | 192.168.2.14 | 185.181.61.24 | 0xe105 | Standard query (0) | | 256 | 356 | false |
Mar 4, 2025 04:20:04.551933050 CET | 192.168.2.14 | 185.181.61.24 | 0xe105 | Standard query (0) | | 256 | 356 | false |
Mar 4, 2025 04:20:04.590727091 CET | 192.168.2.14 | 185.181.61.24 | 0xe105 | Standard query (0) | | 256 | 356 | false |
Mar 4, 2025 04:20:04.629710913 CET | 192.168.2.14 | 185.181.61.24 | 0xe105 | Standard query (0) | | 256 | 356 | false |
Mar 4, 2025 04:20:04.669159889 CET | 192.168.2.14 | 185.181.61.24 | 0xe105 | Standard query (0) | | 256 | 356 | false |
Mar 4, 2025 04:20:16.288064957 CET | 192.168.2.14 | 152.53.15.127 | 0xec97 | Standard query (0) | | 256 | 368 | false |
Mar 4, 2025 04:20:16.312690020 CET | 192.168.2.14 | 152.53.15.127 | 0xec97 | Standard query (0) | | 256 | 368 | false |
Mar 4, 2025 04:20:16.337574005 CET | 192.168.2.14 | 152.53.15.127 | 0xec97 | Standard query (0) | | 256 | 368 | false |
Mar 4, 2025 04:20:16.364023924 CET | 192.168.2.14 | 152.53.15.127 | 0xec97 | Standard query (0) | | 256 | 368 | false |
Mar 4, 2025 04:20:16.388516903 CET | 192.168.2.14 | 152.53.15.127 | 0xec97 | Standard query (0) | | 256 | 368 | false |
Mar 4, 2025 04:20:27.982584953 CET | 192.168.2.14 | 202.61.197.122 | 0x1682 | Standard query (0) | | 256 | 380 | false |
Mar 4, 2025 04:20:28.002047062 CET | 192.168.2.14 | 202.61.197.122 | 0x1682 | Standard query (0) | | 256 | 380 | false |
Mar 4, 2025 04:20:28.021596909 CET | 192.168.2.14 | 202.61.197.122 | 0x1682 | Standard query (0) | | 256 | 380 | false |
Mar 4, 2025 04:20:28.040591002 CET | 192.168.2.14 | 202.61.197.122 | 0x1682 | Standard query (0) | | 256 | 380 | false |
Mar 4, 2025 04:20:28.059343100 CET | 192.168.2.14 | 202.61.197.122 | 0x1682 | Standard query (0) | | 256 | 380 | false |
Mar 4, 2025 04:20:39.452471018 CET | 192.168.2.14 | 152.53.15.127 | 0x566e | Standard query (0) | | 256 | 391 | false |
Mar 4, 2025 04:20:39.471723080 CET | 192.168.2.14 | 152.53.15.127 | 0x566e | Standard query (0) | | 256 | 391 | false |
Mar 4, 2025 04:20:39.490778923 CET | 192.168.2.14 | 152.53.15.127 | 0x566e | Standard query (0) | | 256 | 391 | false |
Mar 4, 2025 04:20:39.509785891 CET | 192.168.2.14 | 152.53.15.127 | 0x566e | Standard query (0) | | 256 | 391 | false |
Mar 4, 2025 04:20:39.528925896 CET | 192.168.2.14 | 152.53.15.127 | 0x566e | Standard query (0) | | 256 | 391 | false |
Mar 4, 2025 04:20:51.111329079 CET | 192.168.2.14 | 51.158.108.203 | 0xbc24 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Mar 4, 2025 04:18:53.265223980 CET | 202.61.197.122 | 192.168.2.14 | 0x109b | No error (0) | | | 185.159.74.127 | A (IP address) | IN (0x0001) | false |
Mar 4, 2025 04:18:53.265223980 CET | 202.61.197.122 | 192.168.2.14 | 0x109b | No error (0) | | | 46.19.143.10 | A (IP address) | IN (0x0001) | false |
Mar 4, 2025 04:18:53.265223980 CET | 202.61.197.122 | 192.168.2.14 | 0x109b | No error (0) | | | 45.147.251.145 | A (IP address) | IN (0x0001) | false |
Mar 4, 2025 04:19:04.520512104 CET | 202.61.197.122 | 192.168.2.14 | 0x605a | No error (0) | | | 46.19.143.10 | A (IP address) | IN (0x0001) | false |
Mar 4, 2025 04:19:04.520512104 CET | 202.61.197.122 | 192.168.2.14 | 0x605a | No error (0) | | | 45.147.251.145 | A (IP address) | IN (0x0001) | false |
Mar 4, 2025 04:19:04.520512104 CET | 202.61.197.122 | 192.168.2.14 | 0x605a | No error (0) | | | 185.159.74.127 | A (IP address) | IN (0x0001) | false |
Mar 4, 2025 04:19:16.364315033 CET | 185.181.61.24 | 192.168.2.14 | 0xad13 | No error (0) | | | 46.19.143.10 | A (IP address) | IN (0x0001) | false |
Mar 4, 2025 04:20:16.311230898 CET | 152.53.15.127 | 192.168.2.14 | 0xec97 | Format error (1) | | none | none | 256 | 368 | false |
Mar 4, 2025 04:20:16.336110115 CET | 152.53.15.127 | 192.168.2.14 | 0xec97 | Format error (1) | | none | none | 256 | 368 | false |
Mar 4, 2025 04:20:16.362483978 CET | 152.53.15.127 | 192.168.2.14 | 0xec97 | Format error (1) | | none | none | 256 | 368 | false |
Mar 4, 2025 04:20:16.387260914 CET | 152.53.15.127 | 192.168.2.14 | 0xec97 | Format error (1) | | none | none | 256 | 368 | false |
Mar 4, 2025 04:20:16.406261921 CET | 152.53.15.127 | 192.168.2.14 | 0xec97 | Format error (1) | | none | none | 256 | 368 | false |
Mar 4, 2025 04:20:39.470237017 CET | 152.53.15.127 | 192.168.2.14 | 0x566e | Format error (1) | | none | none | 256 | 391 | false |
Mar 4, 2025 04:20:39.489327908 CET | 152.53.15.127 | 192.168.2.14 | 0x566e | Format error (1) | | none | none | 256 | 391 | false |
Mar 4, 2025 04:20:39.508296013 CET | 152.53.15.127 | 192.168.2.14 | 0x566e | Format error (1) | | none | none | 256 | 391 | false |
Mar 4, 2025 04:20:39.527509928 CET | 152.53.15.127 | 192.168.2.14 | 0x566e | Format error (1) | | none | none | 256 | 391 | false |
Mar 4, 2025 04:20:39.546314001 CET | 152.53.15.127 | 192.168.2.14 | 0x566e | Format error (1) | | none | none | 256 | 391 | false |
Mar 4, 2025 04:20:51.127255917 CET | 51.158.108.203 | 192.168.2.14 | 0xbc24 | No error (0) | | | 1.2.3.4 | A (IP address) | IN (0x0001) | false |
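The DNS tables above show the "malformed DNS queries" signature in detail: after the three well-formed A lookups, every burst carries a QTYPE of 256 and a QCLASS that changes per burst (324 to 391), each packet is re-sent up to five times with the same transaction ID to the same resolver, one resolver never answers and another replies Format error (1). The following is an added example, not code from the report or from zersh4.elf: it validates the question section of a raw DNS query the way a strict resolver does (so it can explain why a packet draws FORMERR or silence), and flags repeated transaction IDs in the (ID, resolver) pairs copied from the query table. The packets are constructed in the block; the strict=False path reproduces one common hand-rolled-resolver mistake (a trailing dot emitted as an empty label), which is a constructed illustration and not a claim about how the sample builds its queries.

```python
"""DNS question-section validation and retry detection.
Added example; packets are constructed here, the (transaction ID, resolver)
pairs are copied from the report's DNS query table."""
import struct
from collections import Counter

KNOWN_QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
                16: "TXT", 28: "AAAA", 33: "SRV", 255: "ANY"}
KNOWN_QCLASSES = {1: "IN", 3: "CH", 4: "HS", 255: "ANY"}


def build_query(txid, name, qtype=1, qclass=1, strict=True):
    """Recursive query with one question. strict=False keeps a trailing dot
    as an empty label, so "host." becomes <labels> 00 00 and the resolver
    reads QTYPE/QCLASS one byte too early (constructed bug, not the sample's)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, QDCOUNT 1
    labels = (name.rstrip(".") if strict else name).split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, qclass)


def parse_question(pkt):
    """Return (txid, qname, qtype, qclass, problems). Never raises: the point
    is to describe why a resolver would answer FORMERR (rcode 1) or drop it."""
    problems = []
    if len(pkt) < 12:
        return None, "", None, None, ["header shorter than 12 bytes"]
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", pkt[:12])
    if flags & 0x8000:
        problems.append("QR bit set in a query")
    if qd != 1:
        problems.append(f"QDCOUNT={qd}")
    labels, pos = [], 12
    while True:
        if pos >= len(pkt):
            problems.append("name not terminated")
            break
        ln = pkt[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:        # 0xC0 = compression pointer, 0x40/0x80 = reserved label types
            problems.append(f"label type byte 0x{ln:02x} in a question name")
            break
        label = pkt[pos:pos + ln]
        pos += ln
        if len(label) < ln:
            problems.append("label runs past end of packet")
            break
        if not all(0x21 <= b < 0x7F for b in label):
            problems.append("non-hostname bytes in label")
        labels.append(label.decode("ascii", "replace"))
    qname = ".".join(labels) + "."
    if len(qname) > 254:
        problems.append(f"name is {len(qname)} octets in presentation form")
    if len(pkt) < pos + 4:
        problems.append("question truncated before QTYPE/QCLASS")
        return txid, qname, None, None, problems
    qtype, qclass = struct.unpack(">HH", pkt[pos:pos + 4])
    if qtype not in KNOWN_QTYPES:
        problems.append(f"unknown QTYPE {qtype}")
    if qclass not in KNOWN_QCLASSES:
        problems.append(f"unknown QCLASS {qclass}")
    extra = len(pkt) - pos - 4
    if extra and not (an or ns or ar):
        problems.append(f"{extra} trailing byte{'s' if extra != 1 else ''} after the question")
    return txid, qname, qtype, qclass, problems


# (transaction ID, resolver) of the 29 queries in the report's DNS query table
REPORT_QUERIES = (
    [("0x109b", "202.61.197.122"), ("0x605a", "202.61.197.122"), ("0xad13", "185.181.61.24")]
    + [("0x7c25", "51.158.108.203")] * 5 + [("0xe105", "185.181.61.24")] * 5
    + [("0xec97", "152.53.15.127")] * 5 + [("0x1682", "202.61.197.122")] * 5
    + [("0x566e", "152.53.15.127")] * 5 + [("0xbc24", "51.158.108.203")]
)


def repeated_txids(pairs, at_least=2):
    """A stub resolver that re-sends the identical query (same ID, same
    server) instead of picking a fresh ID is cheap to spot in flow logs."""
    return {k: n for k, n in Counter(pairs).items() if n >= at_least}


if __name__ == "__main__":
    for pkt in (build_query(0x109b, "watchmepull.dyn."),
                build_query(0x7c25, "watchmepull.dyn.", strict=False),
                build_query(0xec97, "watchmepull.dyn", qtype=256, qclass=324)):
        print(parse_question(pkt))
    print(repeated_txids(REPORT_QUERIES))
```

The misplaced-terminator packet is instructive: the parser reads QTYPE 0 and QCLASS 256 with one byte left over, so a single off-by-one in name encoding is enough to turn every query into one a resolver must reject. Against a capture, feed parse_question the UDP payloads and repeated_txids the (ID, destination) pairs; five identical resends to one resolver within a second, as in the table above, do not match the behaviour of the system stub resolver.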
System Behavior
Start time (UTC) | Start date (UTC) | Path | Arguments | File size | MD5 hash |
---|---|---|---|---|---|
03:18:51 | 04/03/2025 | /tmp/zersh4.elf | /tmp/zersh4.elf | 4139976 bytes | 8943e5f8f8c280467b4472c15ae93ba9 |
03:18:51 | 04/03/2025 | /tmp/zersh4.elf | - | 4139976 bytes | 8943e5f8f8c280467b4472c15ae93ba9 |
03:18:51 | 04/03/2025 | /tmp/zersh4.elf | - | 4139976 bytes | 8943e5f8f8c280467b4472c15ae93ba9 |