Edit tour

Linux Analysis Report
zerx86.elf

Overview

General Information

Sample name:	zerx86.elf
Analysis ID:	1633211
MD5:	c17843bdb7476299eaf606d81b7388c8
SHA1:	85d0bc55f005963f79ff74cf1c165526f4c14f21
SHA256:	54b6884ce916a7fb61d580246410112f100e40fd4a799cafe7de0e1f26c293c6
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	60
Range:	0 - 100

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sends malformed DNS queries

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Sample has stripped symbol table

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Yara signature match

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1633211
Start date and time:	2025-03-10 02:59:51 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	zerx86.elf
Detection:	MAL
Classification:	mal60.troj.linELF@0/0@35/0

Runtime Messages

Command:	/tmp/zerx86.elf
PID:	6265
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	gosh that chinese family at the other table sure ate a lot
Standard Error:

Process Tree

system is lnxubuntu20

zerx86.elf (PID: 6265, Parent: 6193, MD5: c17843bdb7476299eaf606d81b7388c8) Arguments: /tmp/zerx86.elf

zerx86.elf New Fork (PID: 6267, Parent: 6265)

zerx86.elf New Fork (PID: 6268, Parent: 6267)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
zerx86.elf	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x3fd0:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
zerx86.elf	Linux_Trojan_Mirai_88de437f	unknown	unknown	0x7aa2:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
zerx86.elf	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0x84f5:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
zerx86.elf	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0x7a72:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88

Memory Dumps

Source	Rule	Description	Author	Strings
6265.1.0000000008048000.0000000008054000.r-x.sdmp	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x3fd0:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
6265.1.0000000008048000.0000000008054000.r-x.sdmp	Linux_Trojan_Mirai_88de437f	unknown	unknown	0x7aa2:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
6265.1.0000000008048000.0000000008054000.r-x.sdmp	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0x84f5:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
6265.1.0000000008048000.0000000008054000.r-x.sdmp	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0x7a72:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Networking
• System Summary
• Persistence and Installation Behavior

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: zerx86.elf	Virustotal: Detection: 42%			Perma Link
Source: zerx86.elf	ReversingLabs: Detection: 44%

Networking

Sends malformed DNS queries

Source: global traffic

DNS traffic detected: malformed DNS query: watchmepull.dyn. [malformed]

Source: global traffic	TCP traffic: 192.168.2.23:41832 -> 185.220.204.227:1945
Source: global traffic	TCP traffic: 192.168.2.23:54370 -> 45.147.251.145:1440
Source: global traffic	TCP traffic: 192.168.2.23:36764 -> 159.89.101.70:1990
Source: global traffic	TCP traffic: 192.168.2.23:53968 -> 64.227.79.152:1945

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122

Source: global traffic	DNS traffic detected: DNS query: ohlookthereismyboats.geek
Source: global traffic	DNS traffic detected: DNS query: watchmepull.dyn. [malformed]

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: zerx86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: zerx86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: zerx86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: zerx86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 6265.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 6265.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 6265.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 6265.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown

Source: ELF static info symbol of initial sample

.symtab present: no

Source: zerx86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: zerx86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: zerx86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: zerx86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 6265.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 6265.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 6265.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 6265.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26

Source: classification engine

Classification label: mal60.troj.linELF@0/0@35/0

Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/1582/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/3088/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/230/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/110/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/231/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/111/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/232/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/1579/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/112/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/233/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/1699/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/113/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/234/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/1335/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/1698/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/114/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/235/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/1334/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/1576/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/2302/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/115/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/236/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/116/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/237/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/117/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/118/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/910/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/119/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/912/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/10/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/2307/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/11/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/918/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/12/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/13/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/14/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/15/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/16/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/17/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/18/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/1594/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/120/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/121/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/1349/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/1/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/122/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/243/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/123/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/2/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/124/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/3/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/4/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/125/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/126/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/1344/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/1465/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/1586/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/127/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/6/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/248/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/128/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/249/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/1463/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/800/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/9/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/801/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/20/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/21/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/1900/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/22/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/23/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/6251/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/24/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/25/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/26/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/27/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/28/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/29/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/491/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/250/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/130/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/251/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/6250/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/252/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/132/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/253/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/254/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/255/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/256/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/1599/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/257/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/1477/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/379/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/258/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/1476/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/259/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/1475/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/936/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/30/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/2208/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/35/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/6265/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/1809/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/1494/comm	Jump to behavior
Source: /tmp/zerx86.elf (PID: 6265)	File opened: /proc/260/comm	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	1 OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
zerx86.elf	43%	Virustotal		Browse
zerx86.elf	45%	ReversingLabs	Linux.Backdoor.Mirai

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ohlookthereismyboats.geek	159.89.101.70	true	false		high
watchmepull.dyn. [malformed]	unknown	unknown	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
159.89.101.70	ohlookthereismyboats.geek	United States	14061	DIGITALOCEAN-ASNUS	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
45.147.251.145	unknown	Germany	197518	RACKMARKTES	false
64.227.79.152	unknown	United States	14061	DIGITALOCEAN-ASNUS	false
185.220.204.227	unknown	Israel	41436	CLOUDWEBMANAGE-EUGB	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
64.227.79.152	zerspc.elf	Get hash	malicious	Unknown	Browse
	zerppc.elf	Get hash	malicious	Unknown	Browse
	zermpsl.elf	Get hash	malicious	Unknown	Browse
	zerm68k.elf	Get hash	malicious	Unknown	Browse
	zerarm7.elf	Get hash	malicious	Unknown	Browse
	zerarm7.elf	Get hash	malicious	Unknown	Browse
185.220.204.227	zerppc.elf	Get hash	malicious	Unknown	Browse
	zermpsl.elf	Get hash	malicious	Unknown	Browse
	zerm68k.elf	Get hash	malicious	Unknown	Browse
	zersh4.elf	Get hash	malicious	Unknown	Browse
	zerarm7.elf	Get hash	malicious	Unknown	Browse
159.89.101.70	zerspc.elf	Get hash	malicious	Unknown	Browse
	zerppc.elf	Get hash	malicious	Unknown	Browse
	zermpsl.elf	Get hash	malicious	Unknown	Browse
	zerm68k.elf	Get hash	malicious	Unknown	Browse
	zersh4.elf	Get hash	malicious	Unknown	Browse
	zerarm7.elf	Get hash	malicious	Unknown	Browse
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
45.147.251.145	zerspc.elf	Get hash	malicious	Unknown	Browse
	zerppc.elf	Get hash	malicious	Unknown	Browse
	zermpsl.elf	Get hash	malicious	Unknown	Browse
	zerm68k.elf	Get hash	malicious	Unknown	Browse
	zersh4.elf	Get hash	malicious	Unknown	Browse
	zerarm7.elf	Get hash	malicious	Unknown	Browse
	zerarm7.elf	Get hash	malicious	Unknown	Browse
	zerx86.elf	Get hash	malicious	Unknown	Browse
	zerarm.elf	Get hash	malicious	Unknown	Browse
	zermpsl.elf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ohlookthereismyboats.geek	nklmpsl.elf	Get hash	malicious	Unknown	Browse	185.220.204.227
	zerspc.elf	Get hash	malicious	Unknown	Browse	45.147.251.145
	zerppc.elf	Get hash	malicious	Unknown	Browse	64.227.79.152
	zermpsl.elf	Get hash	malicious	Unknown	Browse	159.89.101.70
	nklppc.elf	Get hash	malicious	Unknown	Browse	64.227.79.152
	zerm68k.elf	Get hash	malicious	Unknown	Browse	45.147.251.145
	nklsh4.elf	Get hash	malicious	Unknown	Browse	64.227.79.152
	nklarm5.elf	Get hash	malicious	Unknown	Browse	64.227.79.152
	nklm68k.elf	Get hash	malicious	Unknown	Browse	185.220.204.227
	zersh4.elf	Get hash	malicious	Unknown	Browse	159.89.101.70

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RACKMARKTES	zerspc.elf	Get hash	malicious	Unknown	Browse	45.147.251.145
	zerppc.elf	Get hash	malicious	Unknown	Browse	45.147.251.145
	zermpsl.elf	Get hash	malicious	Unknown	Browse	45.147.251.145
	zerm68k.elf	Get hash	malicious	Unknown	Browse	45.147.251.145
	zersh4.elf	Get hash	malicious	Unknown	Browse	45.147.251.145
	zerarm7.elf	Get hash	malicious	Unknown	Browse	45.147.251.145
	i686.elf	Get hash	malicious	Unknown	Browse	185.194.179.220
	zerarm7.elf	Get hash	malicious	Unknown	Browse	45.147.251.145
	zerx86.elf	Get hash	malicious	Unknown	Browse	45.147.251.145
	zerarm.elf	Get hash	malicious	Unknown	Browse	45.147.251.145
CLOUDWEBMANAGE-EUGB	zerppc.elf	Get hash	malicious	Unknown	Browse	185.220.204.227
	zermpsl.elf	Get hash	malicious	Unknown	Browse	185.220.204.227
	zerm68k.elf	Get hash	malicious	Unknown	Browse	185.220.204.227
	zersh4.elf	Get hash	malicious	Unknown	Browse	185.220.204.227
	zerarm7.elf	Get hash	malicious	Unknown	Browse	185.220.204.227
	https://basvur-acildenizv2denizkredi.site/	Get hash	malicious	HTMLPhisher	Browse	5.180.183.64
	https://basvur-acildenizv2denizkredi.xyz/	Get hash	malicious	HTMLPhisher	Browse	5.180.183.64
	4gMmUx86OA.elf	Get hash	malicious	Gafgyt, Mirai	Browse	5.180.183.1
	o5fQSrt5Ds.elf	Get hash	malicious	Gafgyt, Mirai	Browse	5.180.183.1
	pvuhl7xszp.elf	Get hash	malicious	Gafgyt, Mirai	Browse	5.180.183.1
INIT7CH	zerppc.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	zerm68k.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	.i.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	splarm6.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	.i.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	debug.dbg.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
DIGITALOCEAN-ASNUS	zerspc.elf	Get hash	malicious	Unknown	Browse	159.89.101.70
	zerppc.elf	Get hash	malicious	Unknown	Browse	64.227.79.152
	zermpsl.elf	Get hash	malicious	Unknown	Browse	159.89.101.70
	zerm68k.elf	Get hash	malicious	Unknown	Browse	64.227.79.152
	zersh4.elf	Get hash	malicious	Unknown	Browse	159.89.101.70
	arm.elf	Get hash	malicious	Unknown	Browse	162.243.214.160
	nabsh4.elf	Get hash	malicious	Unknown	Browse	188.226.156.47
	splarm5.elf	Get hash	malicious	Unknown	Browse	178.128.131.24
	splppc.elf	Get hash	malicious	Unknown	Browse	167.174.154.137
	zerarm7.elf	Get hash	malicious	Unknown	Browse	159.89.101.70
DIGITALOCEAN-ASNUS	zerspc.elf	Get hash	malicious	Unknown	Browse	159.89.101.70
	zerppc.elf	Get hash	malicious	Unknown	Browse	64.227.79.152
	zermpsl.elf	Get hash	malicious	Unknown	Browse	159.89.101.70
	zerm68k.elf	Get hash	malicious	Unknown	Browse	64.227.79.152
	zersh4.elf	Get hash	malicious	Unknown	Browse	159.89.101.70
	arm.elf	Get hash	malicious	Unknown	Browse	162.243.214.160
	nabsh4.elf	Get hash	malicious	Unknown	Browse	188.226.156.47
	splarm5.elf	Get hash	malicious	Unknown	Browse	178.128.131.24
	splppc.elf	Get hash	malicious	Unknown	Browse	167.174.154.137
	zerarm7.elf	Get hash	malicious	Unknown	Browse	159.89.101.70

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.3655900791559
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	zerx86.elf
File size:	46'172 bytes
MD5:	c17843bdb7476299eaf606d81b7388c8
SHA1:	85d0bc55f005963f79ff74cf1c165526f4c14f21
SHA256:	54b6884ce916a7fb61d580246410112f100e40fd4a799cafe7de0e1f26c293c6
SHA512:	2e3b6547cc07912aaec377b07e5dcd5bc60caeb11b5027c229cc80a295e7d163cb5ca261a5b6a9132d55196fbec104b457b2803c0270f6b515acd930579b6ce2
SSDEEP:	768:qK9Q8sbsAUkwsUnUZx0+xBrx0NrVk/0aW5Ag+yGQZz6PPjzrKw/YJt31Dxe0/F:L9Q8sbsAUkwsUnCx0+xBrx0Fy875Ag+W
TLSH:	9D232AC1A843DAF4D82505707477FB325A73E53F511DEA83E3999A33AC62601E60B2DE
File Content Preview:	.ELF....................d...4...........4. ...(.....................`...`...............d...dA..dA......<...........Q.td............................U..S............h....s...[]...$.............U......=`B...t..5.....A......A......u........t....h`1..........

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Intel 80386
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x8048164
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	45732
Section Header Size:	40
Number of Section Headers:	11
Header String Table Index:	10

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8048094	0x94	0x1c	0x0	0x6	AX	1
.text	PROGBITS	0x80480b0	0xb0	0xa696	0x0	0x6	AX	16
.fini	PROGBITS	0x8052746	0xa746	0x17	0x0	0x6	AX	1
.rodata	PROGBITS	0x8052760	0xa760	0xa00	0x0	0x2	A	32
.ctors	PROGBITS	0x8054164	0xb164	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x805416c	0xb16c	0x8	0x0	0x3	WA	4
.jcr	PROGBITS	0x8054174	0xb174	0x4	0x0	0x3	WA	4
.data	PROGBITS	0x80541a0	0xb1a0	0xc0	0x0	0x3	WA	32
.bss	NOBITS	0x8054260	0xb260	0x640	0x0	0x3	WA	32
.shstrtab	STRTAB	0x0	0xb260	0x43	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8048000	0x8048000	0xb160	0xb160	6.3926	0x5	R E	0x1000	.init .text .fini .rodata
LOAD	0xb164	0x8054164	0x8054164	0xfc	0x73c	3.5691	0x6	RW	0x1000	.ctors .dtors .jcr .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 98
• 1990 undefined
• 1945 undefined
• 1440 undefined
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 10, 2025 03:01:00.543106079 CET	41832	1945	192.168.2.23	185.220.204.227
Mar 10, 2025 03:01:00.548275948 CET	1945	41832	185.220.204.227	192.168.2.23
Mar 10, 2025 03:01:00.548329115 CET	41832	1945	192.168.2.23	185.220.204.227
Mar 10, 2025 03:01:00.548366070 CET	41832	1945	192.168.2.23	185.220.204.227
Mar 10, 2025 03:01:00.553361893 CET	1945	41832	185.220.204.227	192.168.2.23
Mar 10, 2025 03:01:00.553452969 CET	41832	1945	192.168.2.23	185.220.204.227
Mar 10, 2025 03:01:00.559314966 CET	1945	41832	185.220.204.227	192.168.2.23
Mar 10, 2025 03:01:00.715573072 CET	43928	443	192.168.2.23	91.189.91.42
Mar 10, 2025 03:01:06.090842962 CET	42836	443	192.168.2.23	91.189.91.43
Mar 10, 2025 03:01:10.557140112 CET	41832	1945	192.168.2.23	185.220.204.227
Mar 10, 2025 03:01:10.562242031 CET	1945	41832	185.220.204.227	192.168.2.23
Mar 10, 2025 03:01:10.751715899 CET	1945	41832	185.220.204.227	192.168.2.23
Mar 10, 2025 03:01:10.751939058 CET	41832	1945	192.168.2.23	185.220.204.227
Mar 10, 2025 03:01:10.756958961 CET	1945	41832	185.220.204.227	192.168.2.23
Mar 10, 2025 03:01:11.784071922 CET	54370	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:01:11.789197922 CET	1440	54370	45.147.251.145	192.168.2.23
Mar 10, 2025 03:01:11.789287090 CET	54370	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:01:11.789361954 CET	54370	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:01:11.794329882 CET	1440	54370	45.147.251.145	192.168.2.23
Mar 10, 2025 03:01:11.794393063 CET	54370	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:01:11.799418926 CET	1440	54370	45.147.251.145	192.168.2.23
Mar 10, 2025 03:01:21.704638004 CET	43928	443	192.168.2.23	91.189.91.42
Mar 10, 2025 03:01:22.412535906 CET	1440	54370	45.147.251.145	192.168.2.23
Mar 10, 2025 03:01:22.412777901 CET	54370	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:01:22.418365955 CET	1440	54370	45.147.251.145	192.168.2.23
Mar 10, 2025 03:01:23.752315998 CET	42516	80	192.168.2.23	109.202.202.202
Mar 10, 2025 03:01:23.878299952 CET	54372	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:01:23.884026051 CET	1440	54372	45.147.251.145	192.168.2.23
Mar 10, 2025 03:01:23.884104967 CET	54372	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:01:23.884192944 CET	54372	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:01:23.889451981 CET	1440	54372	45.147.251.145	192.168.2.23
Mar 10, 2025 03:01:23.889509916 CET	54372	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:01:23.894603968 CET	1440	54372	45.147.251.145	192.168.2.23
Mar 10, 2025 03:01:31.943223953 CET	42836	443	192.168.2.23	91.189.91.43
Mar 10, 2025 03:01:34.492078066 CET	1440	54372	45.147.251.145	192.168.2.23
Mar 10, 2025 03:01:34.492321968 CET	54372	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:01:34.497328997 CET	1440	54372	45.147.251.145	192.168.2.23
Mar 10, 2025 03:01:35.588968039 CET	36764	1990	192.168.2.23	159.89.101.70
Mar 10, 2025 03:01:35.594598055 CET	1990	36764	159.89.101.70	192.168.2.23
Mar 10, 2025 03:01:35.594712973 CET	36764	1990	192.168.2.23	159.89.101.70
Mar 10, 2025 03:01:35.594784021 CET	36764	1990	192.168.2.23	159.89.101.70
Mar 10, 2025 03:01:35.599818945 CET	1990	36764	159.89.101.70	192.168.2.23
Mar 10, 2025 03:01:35.600035906 CET	36764	1990	192.168.2.23	159.89.101.70
Mar 10, 2025 03:01:35.605135918 CET	1990	36764	159.89.101.70	192.168.2.23
Mar 10, 2025 03:01:46.181210995 CET	1990	36764	159.89.101.70	192.168.2.23
Mar 10, 2025 03:01:46.181682110 CET	36764	1990	192.168.2.23	159.89.101.70
Mar 10, 2025 03:01:46.186861038 CET	1990	36764	159.89.101.70	192.168.2.23
Mar 10, 2025 03:01:47.270962954 CET	36766	1990	192.168.2.23	159.89.101.70
Mar 10, 2025 03:01:47.275979996 CET	1990	36766	159.89.101.70	192.168.2.23
Mar 10, 2025 03:01:47.276201010 CET	36766	1990	192.168.2.23	159.89.101.70
Mar 10, 2025 03:01:47.276448965 CET	36766	1990	192.168.2.23	159.89.101.70
Mar 10, 2025 03:01:47.281471014 CET	1990	36766	159.89.101.70	192.168.2.23
Mar 10, 2025 03:01:47.281584024 CET	36766	1990	192.168.2.23	159.89.101.70
Mar 10, 2025 03:01:47.286647081 CET	1990	36766	159.89.101.70	192.168.2.23
Mar 10, 2025 03:01:57.880923033 CET	1990	36766	159.89.101.70	192.168.2.23
Mar 10, 2025 03:01:57.881544113 CET	36766	1990	192.168.2.23	159.89.101.70
Mar 10, 2025 03:01:57.886995077 CET	1990	36766	159.89.101.70	192.168.2.23
Mar 10, 2025 03:01:58.920831919 CET	53968	1945	192.168.2.23	64.227.79.152
Mar 10, 2025 03:01:58.925975084 CET	1945	53968	64.227.79.152	192.168.2.23
Mar 10, 2025 03:01:58.926054955 CET	53968	1945	192.168.2.23	64.227.79.152
Mar 10, 2025 03:01:58.926135063 CET	53968	1945	192.168.2.23	64.227.79.152
Mar 10, 2025 03:01:58.931142092 CET	1945	53968	64.227.79.152	192.168.2.23
Mar 10, 2025 03:01:58.931196928 CET	53968	1945	192.168.2.23	64.227.79.152
Mar 10, 2025 03:01:58.936270952 CET	1945	53968	64.227.79.152	192.168.2.23
Mar 10, 2025 03:02:02.658962965 CET	43928	443	192.168.2.23	91.189.91.42
Mar 10, 2025 03:02:09.498133898 CET	1945	53968	64.227.79.152	192.168.2.23
Mar 10, 2025 03:02:09.498563051 CET	53968	1945	192.168.2.23	64.227.79.152
Mar 10, 2025 03:02:09.503652096 CET	1945	53968	64.227.79.152	192.168.2.23
Mar 10, 2025 03:02:10.583589077 CET	53970	1945	192.168.2.23	64.227.79.152
Mar 10, 2025 03:02:10.588793993 CET	1945	53970	64.227.79.152	192.168.2.23
Mar 10, 2025 03:02:10.588922024 CET	53970	1945	192.168.2.23	64.227.79.152
Mar 10, 2025 03:02:10.589009047 CET	53970	1945	192.168.2.23	64.227.79.152
Mar 10, 2025 03:02:10.594093084 CET	1945	53970	64.227.79.152	192.168.2.23
Mar 10, 2025 03:02:10.594305038 CET	53970	1945	192.168.2.23	64.227.79.152
Mar 10, 2025 03:02:10.599356890 CET	1945	53970	64.227.79.152	192.168.2.23
Mar 10, 2025 03:02:20.597753048 CET	53970	1945	192.168.2.23	64.227.79.152
Mar 10, 2025 03:02:20.602899075 CET	1945	53970	64.227.79.152	192.168.2.23
Mar 10, 2025 03:02:20.808501959 CET	1945	53970	64.227.79.152	192.168.2.23
Mar 10, 2025 03:02:20.808816910 CET	53970	1945	192.168.2.23	64.227.79.152
Mar 10, 2025 03:02:20.813966036 CET	1945	53970	64.227.79.152	192.168.2.23
Mar 10, 2025 03:02:21.993627071 CET	53972	1945	192.168.2.23	64.227.79.152
Mar 10, 2025 03:02:21.998754978 CET	1945	53972	64.227.79.152	192.168.2.23
Mar 10, 2025 03:02:21.998888016 CET	53972	1945	192.168.2.23	64.227.79.152
Mar 10, 2025 03:02:21.998929977 CET	53972	1945	192.168.2.23	64.227.79.152
Mar 10, 2025 03:02:22.003954887 CET	1945	53972	64.227.79.152	192.168.2.23
Mar 10, 2025 03:02:22.004041910 CET	53972	1945	192.168.2.23	64.227.79.152
Mar 10, 2025 03:02:22.010025024 CET	1945	53972	64.227.79.152	192.168.2.23
Mar 10, 2025 03:02:23.136064053 CET	42836	443	192.168.2.23	91.189.91.43
Mar 10, 2025 03:02:32.577745914 CET	1945	53972	64.227.79.152	192.168.2.23
Mar 10, 2025 03:02:32.577960968 CET	53972	1945	192.168.2.23	64.227.79.152
Mar 10, 2025 03:02:32.583048105 CET	1945	53972	64.227.79.152	192.168.2.23
Mar 10, 2025 03:02:33.659432888 CET	53974	1945	192.168.2.23	64.227.79.152
Mar 10, 2025 03:02:33.664484978 CET	1945	53974	64.227.79.152	192.168.2.23
Mar 10, 2025 03:02:33.664556026 CET	53974	1945	192.168.2.23	64.227.79.152
Mar 10, 2025 03:02:33.664608002 CET	53974	1945	192.168.2.23	64.227.79.152
Mar 10, 2025 03:02:33.669648886 CET	1945	53974	64.227.79.152	192.168.2.23
Mar 10, 2025 03:02:33.669707060 CET	53974	1945	192.168.2.23	64.227.79.152
Mar 10, 2025 03:02:33.674726009 CET	1945	53974	64.227.79.152	192.168.2.23
Mar 10, 2025 03:02:44.230691910 CET	1945	53974	64.227.79.152	192.168.2.23
Mar 10, 2025 03:02:44.230882883 CET	53974	1945	192.168.2.23	64.227.79.152
Mar 10, 2025 03:02:44.239038944 CET	1945	53974	64.227.79.152	192.168.2.23
Mar 10, 2025 03:02:45.262077093 CET	54386	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:02:45.267198086 CET	1440	54386	45.147.251.145	192.168.2.23
Mar 10, 2025 03:02:45.267266989 CET	54386	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:02:45.267287970 CET	54386	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:02:45.272355080 CET	1440	54386	45.147.251.145	192.168.2.23
Mar 10, 2025 03:02:45.272406101 CET	54386	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:02:45.277506113 CET	1440	54386	45.147.251.145	192.168.2.23
Mar 10, 2025 03:02:55.875539064 CET	1440	54386	45.147.251.145	192.168.2.23
Mar 10, 2025 03:02:55.875802994 CET	54386	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:02:55.880985022 CET	1440	54386	45.147.251.145	192.168.2.23
Mar 10, 2025 03:02:56.979351997 CET	54388	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:02:56.986182928 CET	1440	54388	45.147.251.145	192.168.2.23
Mar 10, 2025 03:02:56.986335993 CET	54388	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:02:56.986411095 CET	54388	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:02:56.992894888 CET	1440	54388	45.147.251.145	192.168.2.23
Mar 10, 2025 03:02:56.992973089 CET	54388	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:02:56.999635935 CET	1440	54388	45.147.251.145	192.168.2.23

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 10, 2025 03:01:00.519440889 CET	40274	53	192.168.2.23	152.53.15.127
Mar 10, 2025 03:01:00.542906046 CET	53	40274	152.53.15.127	192.168.2.23
Mar 10, 2025 03:01:11.753518105 CET	55038	53	192.168.2.23	81.169.136.222
Mar 10, 2025 03:01:11.783737898 CET	53	55038	81.169.136.222	192.168.2.23
Mar 10, 2025 03:01:23.414428949 CET	57592	53	192.168.2.23	168.235.111.72
Mar 10, 2025 03:01:23.506261110 CET	53	57592	168.235.111.72	192.168.2.23
Mar 10, 2025 03:01:23.506486893 CET	47098	53	192.168.2.23	168.235.111.72
Mar 10, 2025 03:01:23.597347021 CET	53	47098	168.235.111.72	192.168.2.23
Mar 10, 2025 03:01:23.597462893 CET	44042	53	192.168.2.23	168.235.111.72
Mar 10, 2025 03:01:23.688644886 CET	53	44042	168.235.111.72	192.168.2.23
Mar 10, 2025 03:01:23.688761950 CET	52692	53	192.168.2.23	168.235.111.72
Mar 10, 2025 03:01:23.783483028 CET	53	52692	168.235.111.72	192.168.2.23
Mar 10, 2025 03:01:23.783756971 CET	48031	53	192.168.2.23	168.235.111.72
Mar 10, 2025 03:01:23.877942085 CET	53	48031	168.235.111.72	192.168.2.23
Mar 10, 2025 03:01:35.493983030 CET	48411	53	192.168.2.23	168.235.111.72
Mar 10, 2025 03:01:35.588515043 CET	53	48411	168.235.111.72	192.168.2.23
Mar 10, 2025 03:01:47.183588028 CET	37912	53	192.168.2.23	51.158.108.203
Mar 10, 2025 03:01:47.201478004 CET	53	37912	51.158.108.203	192.168.2.23
Mar 10, 2025 03:01:47.201626062 CET	46875	53	192.168.2.23	51.158.108.203
Mar 10, 2025 03:01:47.219643116 CET	53	46875	51.158.108.203	192.168.2.23
Mar 10, 2025 03:01:47.219851017 CET	53007	53	192.168.2.23	51.158.108.203
Mar 10, 2025 03:01:47.237082958 CET	53	53007	51.158.108.203	192.168.2.23
Mar 10, 2025 03:01:47.237464905 CET	42740	53	192.168.2.23	51.158.108.203
Mar 10, 2025 03:01:47.253566027 CET	53	42740	51.158.108.203	192.168.2.23
Mar 10, 2025 03:01:47.253896952 CET	57617	53	192.168.2.23	51.158.108.203
Mar 10, 2025 03:01:47.270793915 CET	53	57617	51.158.108.203	192.168.2.23
Mar 10, 2025 03:01:58.883987904 CET	52299	53	192.168.2.23	185.181.61.24
Mar 10, 2025 03:01:58.920444012 CET	53	52299	185.181.61.24	192.168.2.23
Mar 10, 2025 03:02:10.501543999 CET	49234	53	192.168.2.23	51.158.108.203
Mar 10, 2025 03:02:10.517529964 CET	53	49234	51.158.108.203	192.168.2.23
Mar 10, 2025 03:02:10.518007040 CET	36022	53	192.168.2.23	51.158.108.203
Mar 10, 2025 03:02:10.533895969 CET	53	36022	51.158.108.203	192.168.2.23
Mar 10, 2025 03:02:10.534275055 CET	40042	53	192.168.2.23	51.158.108.203
Mar 10, 2025 03:02:10.550081015 CET	53	40042	51.158.108.203	192.168.2.23
Mar 10, 2025 03:02:10.550546885 CET	43741	53	192.168.2.23	51.158.108.203
Mar 10, 2025 03:02:10.566720009 CET	53	43741	51.158.108.203	192.168.2.23
Mar 10, 2025 03:02:10.567023039 CET	36000	53	192.168.2.23	51.158.108.203
Mar 10, 2025 03:02:10.583264112 CET	53	36000	51.158.108.203	192.168.2.23
Mar 10, 2025 03:02:21.810693979 CET	39953	53	192.168.2.23	185.181.61.24
Mar 10, 2025 03:02:21.846838951 CET	53	39953	185.181.61.24	192.168.2.23
Mar 10, 2025 03:02:21.847105026 CET	54021	53	192.168.2.23	185.181.61.24
Mar 10, 2025 03:02:21.883975983 CET	53	54021	185.181.61.24	192.168.2.23
Mar 10, 2025 03:02:21.884205103 CET	40275	53	192.168.2.23	185.181.61.24
Mar 10, 2025 03:02:21.920780897 CET	53	40275	185.181.61.24	192.168.2.23
Mar 10, 2025 03:02:21.921017885 CET	42783	53	192.168.2.23	185.181.61.24
Mar 10, 2025 03:02:21.957089901 CET	53	42783	185.181.61.24	192.168.2.23
Mar 10, 2025 03:02:21.957305908 CET	49405	53	192.168.2.23	185.181.61.24
Mar 10, 2025 03:02:21.993315935 CET	53	49405	185.181.61.24	192.168.2.23
Mar 10, 2025 03:02:33.579741001 CET	41124	53	192.168.2.23	51.158.108.203
Mar 10, 2025 03:02:33.595669031 CET	53	41124	51.158.108.203	192.168.2.23
Mar 10, 2025 03:02:33.595822096 CET	33780	53	192.168.2.23	51.158.108.203
Mar 10, 2025 03:02:33.611466885 CET	53	33780	51.158.108.203	192.168.2.23
Mar 10, 2025 03:02:33.611586094 CET	55245	53	192.168.2.23	51.158.108.203
Mar 10, 2025 03:02:33.627372980 CET	53	55245	51.158.108.203	192.168.2.23
Mar 10, 2025 03:02:33.627482891 CET	45204	53	192.168.2.23	51.158.108.203
Mar 10, 2025 03:02:33.643354893 CET	53	45204	51.158.108.203	192.168.2.23
Mar 10, 2025 03:02:33.643451929 CET	44209	53	192.168.2.23	51.158.108.203
Mar 10, 2025 03:02:33.659312963 CET	53	44209	51.158.108.203	192.168.2.23
Mar 10, 2025 03:02:45.232012987 CET	46003	53	192.168.2.23	81.169.136.222
Mar 10, 2025 03:02:45.261977911 CET	53	46003	81.169.136.222	192.168.2.23
Mar 10, 2025 03:02:56.877315998 CET	33522	53	192.168.2.23	202.61.197.122
Mar 10, 2025 03:02:56.897525072 CET	53	33522	202.61.197.122	192.168.2.23
Mar 10, 2025 03:02:56.897670984 CET	57497	53	192.168.2.23	202.61.197.122
Mar 10, 2025 03:02:56.919440031 CET	53	57497	202.61.197.122	192.168.2.23
Mar 10, 2025 03:02:56.919559956 CET	48771	53	192.168.2.23	202.61.197.122
Mar 10, 2025 03:02:56.939389944 CET	53	48771	202.61.197.122	192.168.2.23
Mar 10, 2025 03:02:56.939527988 CET	40320	53	192.168.2.23	202.61.197.122
Mar 10, 2025 03:02:56.959321022 CET	53	40320	202.61.197.122	192.168.2.23
Mar 10, 2025 03:02:56.959462881 CET	50615	53	192.168.2.23	202.61.197.122
Mar 10, 2025 03:02:56.979185104 CET	53	50615	202.61.197.122	192.168.2.23

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 10, 2025 03:01:00.519440889 CET	192.168.2.23	152.53.15.127	0xf43a	Standard query (0)	ohlookthereismyboats.geek	A (IP address)	IN (0x0001)	false
Mar 10, 2025 03:01:11.753518105 CET	192.168.2.23	81.169.136.222	0xde7d	Standard query (0)	ohlookthereismyboats.geek	A (IP address)	IN (0x0001)	false
Mar 10, 2025 03:01:23.414428949 CET	192.168.2.23	168.235.111.72	0xf753	Standard query (0)	watchmepull.dyn. [malformed]	256	499	false
Mar 10, 2025 03:01:23.506486893 CET	192.168.2.23	168.235.111.72	0xf753	Standard query (0)	watchmepull.dyn. [malformed]	256	499	false
Mar 10, 2025 03:01:23.597462893 CET	192.168.2.23	168.235.111.72	0xf753	Standard query (0)	watchmepull.dyn. [malformed]	256	499	false
Mar 10, 2025 03:01:23.688761950 CET	192.168.2.23	168.235.111.72	0xf753	Standard query (0)	watchmepull.dyn. [malformed]	256	499	false
Mar 10, 2025 03:01:23.783756971 CET	192.168.2.23	168.235.111.72	0xf753	Standard query (0)	watchmepull.dyn. [malformed]	256	499	false
Mar 10, 2025 03:01:35.493983030 CET	192.168.2.23	168.235.111.72	0x4760	Standard query (0)	ohlookthereismyboats.geek	A (IP address)	IN (0x0001)	false
Mar 10, 2025 03:01:47.183588028 CET	192.168.2.23	51.158.108.203	0xc595	Standard query (0)	watchmepull.dyn. [malformed]	256	267	false
Mar 10, 2025 03:01:47.201626062 CET	192.168.2.23	51.158.108.203	0xc595	Standard query (0)	watchmepull.dyn. [malformed]	256	267	false
Mar 10, 2025 03:01:47.219851017 CET	192.168.2.23	51.158.108.203	0xc595	Standard query (0)	watchmepull.dyn. [malformed]	256	267	false
Mar 10, 2025 03:01:47.237464905 CET	192.168.2.23	51.158.108.203	0xc595	Standard query (0)	watchmepull.dyn. [malformed]	256	267	false
Mar 10, 2025 03:01:47.253896952 CET	192.168.2.23	51.158.108.203	0xc595	Standard query (0)	watchmepull.dyn. [malformed]	256	267	false
Mar 10, 2025 03:01:58.883987904 CET	192.168.2.23	185.181.61.24	0x27d9	Standard query (0)	ohlookthereismyboats.geek	A (IP address)	IN (0x0001)	false
Mar 10, 2025 03:02:10.501543999 CET	192.168.2.23	51.158.108.203	0x5d9a	Standard query (0)	watchmepull.dyn. [malformed]	256	290	false
Mar 10, 2025 03:02:10.518007040 CET	192.168.2.23	51.158.108.203	0x5d9a	Standard query (0)	watchmepull.dyn. [malformed]	256	290	false
Mar 10, 2025 03:02:10.534275055 CET	192.168.2.23	51.158.108.203	0x5d9a	Standard query (0)	watchmepull.dyn. [malformed]	256	290	false
Mar 10, 2025 03:02:10.550546885 CET	192.168.2.23	51.158.108.203	0x5d9a	Standard query (0)	watchmepull.dyn. [malformed]	256	290	false
Mar 10, 2025 03:02:10.567023039 CET	192.168.2.23	51.158.108.203	0x5d9a	Standard query (0)	watchmepull.dyn. [malformed]	256	290	false
Mar 10, 2025 03:02:21.810693979 CET	192.168.2.23	185.181.61.24	0x62d0	Standard query (0)	watchmepull.dyn. [malformed]	256	301	false
Mar 10, 2025 03:02:21.847105026 CET	192.168.2.23	185.181.61.24	0x62d0	Standard query (0)	watchmepull.dyn. [malformed]	256	301	false
Mar 10, 2025 03:02:21.884205103 CET	192.168.2.23	185.181.61.24	0x62d0	Standard query (0)	watchmepull.dyn. [malformed]	256	301	false
Mar 10, 2025 03:02:21.921017885 CET	192.168.2.23	185.181.61.24	0x62d0	Standard query (0)	watchmepull.dyn. [malformed]	256	301	false
Mar 10, 2025 03:02:21.957305908 CET	192.168.2.23	185.181.61.24	0x62d0	Standard query (0)	watchmepull.dyn. [malformed]	256	301	false
Mar 10, 2025 03:02:33.579741001 CET	192.168.2.23	51.158.108.203	0x5704	Standard query (0)	watchmepull.dyn. [malformed]	256	313	false
Mar 10, 2025 03:02:33.595822096 CET	192.168.2.23	51.158.108.203	0x5704	Standard query (0)	watchmepull.dyn. [malformed]	256	313	false
Mar 10, 2025 03:02:33.611586094 CET	192.168.2.23	51.158.108.203	0x5704	Standard query (0)	watchmepull.dyn. [malformed]	256	313	false
Mar 10, 2025 03:02:33.627482891 CET	192.168.2.23	51.158.108.203	0x5704	Standard query (0)	watchmepull.dyn. [malformed]	256	313	false
Mar 10, 2025 03:02:33.643451929 CET	192.168.2.23	51.158.108.203	0x5704	Standard query (0)	watchmepull.dyn. [malformed]	256	313	false
Mar 10, 2025 03:02:45.232012987 CET	192.168.2.23	81.169.136.222	0xee31	Standard query (0)	ohlookthereismyboats.geek	A (IP address)	IN (0x0001)	false
Mar 10, 2025 03:02:56.877315998 CET	192.168.2.23	202.61.197.122	0x3bc	Standard query (0)	watchmepull.dyn. [malformed]	256	336	false
Mar 10, 2025 03:02:56.897670984 CET	192.168.2.23	202.61.197.122	0x3bc	Standard query (0)	watchmepull.dyn. [malformed]	256	336	false
Mar 10, 2025 03:02:56.919559956 CET	192.168.2.23	202.61.197.122	0x3bc	Standard query (0)	watchmepull.dyn. [malformed]	256	336	false
Mar 10, 2025 03:02:56.939527988 CET	192.168.2.23	202.61.197.122	0x3bc	Standard query (0)	watchmepull.dyn. [malformed]	256	336	false
Mar 10, 2025 03:02:56.959462881 CET	192.168.2.23	202.61.197.122	0x3bc	Standard query (0)	watchmepull.dyn. [malformed]	256	336	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 10, 2025 03:01:00.542906046 CET	152.53.15.127	192.168.2.23	0xf43a	No error (0)	ohlookthereismyboats.geek		159.89.101.70	A (IP address)	IN (0x0001)	false
Mar 10, 2025 03:01:00.542906046 CET	152.53.15.127	192.168.2.23	0xf43a	No error (0)	ohlookthereismyboats.geek		64.227.79.152	A (IP address)	IN (0x0001)	false
Mar 10, 2025 03:01:00.542906046 CET	152.53.15.127	192.168.2.23	0xf43a	No error (0)	ohlookthereismyboats.geek		45.147.251.145	A (IP address)	IN (0x0001)	false
Mar 10, 2025 03:01:00.542906046 CET	152.53.15.127	192.168.2.23	0xf43a	No error (0)	ohlookthereismyboats.geek		185.220.204.227	A (IP address)	IN (0x0001)	false
Mar 10, 2025 03:01:11.783737898 CET	81.169.136.222	192.168.2.23	0xde7d	No error (0)	ohlookthereismyboats.geek		64.227.79.152	A (IP address)	IN (0x0001)	false
Mar 10, 2025 03:01:11.783737898 CET	81.169.136.222	192.168.2.23	0xde7d	No error (0)	ohlookthereismyboats.geek		45.147.251.145	A (IP address)	IN (0x0001)	false
Mar 10, 2025 03:01:11.783737898 CET	81.169.136.222	192.168.2.23	0xde7d	No error (0)	ohlookthereismyboats.geek		185.220.204.227	A (IP address)	IN (0x0001)	false
Mar 10, 2025 03:01:11.783737898 CET	81.169.136.222	192.168.2.23	0xde7d	No error (0)	ohlookthereismyboats.geek		159.89.101.70	A (IP address)	IN (0x0001)	false
Mar 10, 2025 03:01:35.588515043 CET	168.235.111.72	192.168.2.23	0x4760	No error (0)	ohlookthereismyboats.geek		45.147.251.145	A (IP address)	IN (0x0001)	false
Mar 10, 2025 03:01:35.588515043 CET	168.235.111.72	192.168.2.23	0x4760	No error (0)	ohlookthereismyboats.geek		159.89.101.70	A (IP address)	IN (0x0001)	false
Mar 10, 2025 03:01:35.588515043 CET	168.235.111.72	192.168.2.23	0x4760	No error (0)	ohlookthereismyboats.geek		64.227.79.152	A (IP address)	IN (0x0001)	false
Mar 10, 2025 03:01:35.588515043 CET	168.235.111.72	192.168.2.23	0x4760	No error (0)	ohlookthereismyboats.geek		185.220.204.227	A (IP address)	IN (0x0001)	false
Mar 10, 2025 03:01:47.201478004 CET	51.158.108.203	192.168.2.23	0xc595	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	267	false
Mar 10, 2025 03:01:47.219643116 CET	51.158.108.203	192.168.2.23	0xc595	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	267	false
Mar 10, 2025 03:01:47.237082958 CET	51.158.108.203	192.168.2.23	0xc595	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	267	false
Mar 10, 2025 03:01:47.253566027 CET	51.158.108.203	192.168.2.23	0xc595	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	267	false
Mar 10, 2025 03:01:47.270793915 CET	51.158.108.203	192.168.2.23	0xc595	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	267	false
Mar 10, 2025 03:01:58.920444012 CET	185.181.61.24	192.168.2.23	0x27d9	No error (0)	ohlookthereismyboats.geek		45.147.251.145	A (IP address)	IN (0x0001)	false
Mar 10, 2025 03:01:58.920444012 CET	185.181.61.24	192.168.2.23	0x27d9	No error (0)	ohlookthereismyboats.geek		185.220.204.227	A (IP address)	IN (0x0001)	false
Mar 10, 2025 03:01:58.920444012 CET	185.181.61.24	192.168.2.23	0x27d9	No error (0)	ohlookthereismyboats.geek		159.89.101.70	A (IP address)	IN (0x0001)	false
Mar 10, 2025 03:01:58.920444012 CET	185.181.61.24	192.168.2.23	0x27d9	No error (0)	ohlookthereismyboats.geek		64.227.79.152	A (IP address)	IN (0x0001)	false
Mar 10, 2025 03:02:10.517529964 CET	51.158.108.203	192.168.2.23	0x5d9a	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	290	false
Mar 10, 2025 03:02:10.533895969 CET	51.158.108.203	192.168.2.23	0x5d9a	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	290	false
Mar 10, 2025 03:02:10.550081015 CET	51.158.108.203	192.168.2.23	0x5d9a	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	290	false
Mar 10, 2025 03:02:10.566720009 CET	51.158.108.203	192.168.2.23	0x5d9a	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	290	false
Mar 10, 2025 03:02:10.583264112 CET	51.158.108.203	192.168.2.23	0x5d9a	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	290	false
Mar 10, 2025 03:02:33.595669031 CET	51.158.108.203	192.168.2.23	0x5704	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	313	false
Mar 10, 2025 03:02:33.611466885 CET	51.158.108.203	192.168.2.23	0x5704	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	313	false
Mar 10, 2025 03:02:33.627372980 CET	51.158.108.203	192.168.2.23	0x5704	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	313	false
Mar 10, 2025 03:02:33.643354893 CET	51.158.108.203	192.168.2.23	0x5704	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	313	false
Mar 10, 2025 03:02:33.659312963 CET	51.158.108.203	192.168.2.23	0x5704	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	313	false
Mar 10, 2025 03:02:45.261977911 CET	81.169.136.222	192.168.2.23	0xee31	No error (0)	ohlookthereismyboats.geek		64.227.79.152	A (IP address)	IN (0x0001)	false
Mar 10, 2025 03:02:45.261977911 CET	81.169.136.222	192.168.2.23	0xee31	No error (0)	ohlookthereismyboats.geek		159.89.101.70	A (IP address)	IN (0x0001)	false
Mar 10, 2025 03:02:45.261977911 CET	81.169.136.222	192.168.2.23	0xee31	No error (0)	ohlookthereismyboats.geek		185.220.204.227	A (IP address)	IN (0x0001)	false
Mar 10, 2025 03:02:45.261977911 CET	81.169.136.222	192.168.2.23	0xee31	No error (0)	ohlookthereismyboats.geek		45.147.251.145	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: zerx86.elf PID: 6265, Parent PID: 6193

General

Start time (UTC):	02:00:58
Start date (UTC):	10/03/2025
Path:	/tmp/zerx86.elf
Arguments:	/tmp/zerx86.elf
File size:	46172 bytes
MD5 hash:	c17843bdb7476299eaf606d81b7388c8

File Activities

File Opened

File Read

File Moved

Directory Enumerated

Process Activities

Process Forked

Prctl Requested

Chronological Activities

Analysis Process: zerx86.elf PID: 6267, Parent PID: 6265

General

Start time (UTC):	02:00:59
Start date (UTC):	10/03/2025
Path:	/tmp/zerx86.elf
Arguments:	-
File size:	46172 bytes
MD5 hash:	c17843bdb7476299eaf606d81b7388c8

Process Activities

Process Forked

Thread Sleep

Chronological Activities

Analysis Process: zerx86.elf PID: 6268, Parent PID: 6267

General

Start time (UTC):	02:00:59
Start date (UTC):	10/03/2025
Path:	/tmp/zerx86.elf
Arguments:	-
File size:	46172 bytes
MD5 hash:	c17843bdb7476299eaf606d81b7388c8

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report zerx86.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: zerx86.elf PID: 6265, Parent PID: 6193

General

File Activities

File Opened

File Read

File Moved

Directory Enumerated

Process Activities

Process Forked

Prctl Requested

Chronological Activities

Analysis Process: zerx86.elf PID: 6267, Parent PID: 6265

General

Process Activities

Process Forked

Thread Sleep

Chronological Activities

Analysis Process: zerx86.elf PID: 6268, Parent PID: 6267

General

Linux Analysis Report
zerx86.elf