Edit tour

Linux Analysis Report
zerarm5.elf

Overview

General Information

Sample name:	zerarm5.elf
Analysis ID:	1633215
MD5:	5a5c0e1c92b7937f2e88b11478bbf631
SHA1:	358706dc4eaa65c3da0702a8ad9bba4de6bfafaf
SHA256:	c767b3204bd8bfde69e411b3d0723f0eef5cf70a8091300cd00c50f4efe84891
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	52
Range:	0 - 100

Signatures

Multi AV Scanner detection for submitted file

Sends malformed DNS queries

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Executes the "rm" command used to delete files or directories

Sample has stripped symbol table

Sample listens on a socket

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1633215
Start date and time:	2025-03-10 03:04:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	zerarm5.elf
Detection:	MAL
Classification:	mal52.troj.linELF@0/0@47/0

Runtime Messages

Command:	/tmp/zerarm5.elf
PID:	6270
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	gosh that chinese family at the other table sure ate a lot
Standard Error:

Process Tree

system is lnxubuntu20

zerarm5.elf (PID: 6270, Parent: 6194, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/zerarm5.elf

zerarm5.elf New Fork (PID: 6272, Parent: 6270)

zerarm5.elf New Fork (PID: 6274, Parent: 6272)

dash New Fork (PID: 6284, Parent: 4341)

rm (PID: 6284, Parent: 4341, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.f3MA0Bao4i /tmp/tmp.xlsrnaWjFZ /tmp/tmp.GrUFZWE2c2

dash New Fork (PID: 6285, Parent: 4341)

rm (PID: 6285, Parent: 4341, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.f3MA0Bao4i /tmp/tmp.xlsrnaWjFZ /tmp/tmp.GrUFZWE2c2

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Networking
• System Summary
• Persistence and Installation Behavior
• Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: zerarm5.elf	Virustotal: Detection: 41%			Perma Link
Source: zerarm5.elf	ReversingLabs: Detection: 44%

Networking

Sends malformed DNS queries

Source: global traffic

DNS traffic detected: malformed DNS query: watchmepull.dyn. [malformed]

Source: global traffic	TCP traffic: 192.168.2.23:54374 -> 45.147.251.145:1440
Source: global traffic	TCP traffic: 192.168.2.23:46870 -> 159.89.101.70:1440

Source: /tmp/zerarm5.elf (PID: 6270)

Socket: 127.0.0.1:39148

Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72

Source: global traffic	DNS traffic detected: DNS query: ohlookthereismyboats.geek
Source: global traffic	DNS traffic detected: DNS query: watchmepull.dyn. [malformed]

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39260
Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 39260 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal52.troj.linELF@0/0@47/0

Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/1582/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/3088/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/230/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/110/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/231/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/111/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/232/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/1579/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/112/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/233/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/1699/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/113/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/234/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/1335/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/1698/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/114/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/235/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/1334/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/1576/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/2302/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/115/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/236/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/116/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/237/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/117/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/118/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/910/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/119/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/912/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/6228/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/10/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/2307/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/11/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/918/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/12/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/13/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/14/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/15/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/16/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/17/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/18/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/1594/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/120/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/121/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/1349/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/1/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/122/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/243/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/123/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/2/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/124/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/3/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/4/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/125/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/126/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/1344/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/1465/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/1586/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/127/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/6/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/248/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/128/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/249/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/1463/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/800/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/9/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/801/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/20/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/21/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/1900/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/22/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/23/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/24/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/6254/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/25/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/6253/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/26/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/27/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/28/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/29/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/491/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/250/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/130/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/251/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/252/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/132/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/253/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/254/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/255/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/256/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/1599/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/257/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/1477/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/379/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/258/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/1476/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/259/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/1475/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/936/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/30/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/2208/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/35/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/1809/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/1494/comm	Jump to behavior
Source: /tmp/zerarm5.elf (PID: 6270)	File opened: /proc/260/comm	Jump to behavior

Source: /usr/bin/dash (PID: 6284)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.f3MA0Bao4i /tmp/tmp.xlsrnaWjFZ /tmp/tmp.GrUFZWE2c2			Jump to behavior
Source: /usr/bin/dash (PID: 6285)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.f3MA0Bao4i /tmp/tmp.xlsrnaWjFZ /tmp/tmp.GrUFZWE2c2			Jump to behavior

Source: /tmp/zerarm5.elf (PID: 6270)

Queries kernel information via 'uname':

Jump to behavior

Source: zerarm5.elf, 6270.1.0000557cb741a000.0000557cb7569000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: zerarm5.elf, 6270.1.0000557cb741a000.0000557cb7569000.rw-.sdmp	Binary or memory string: \|U!/etc/qemu-binfmt/arm
Source: zerarm5.elf, 6270.1.00007ffd91679000.00007ffd9169a000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: zerarm5.elf, 6270.1.00007ffd91679000.00007ffd9169a000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/zerarm5.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/zerarm5.elf

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 File Deletion	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
zerarm5.elf	42%	Virustotal		Browse
zerarm5.elf	45%	ReversingLabs	Linux.Backdoor.Mirai

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ohlookthereismyboats.geek	64.227.79.152	true	false		high
watchmepull.dyn. [malformed]	unknown	unknown	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
159.89.101.70	unknown	United States	14061	DIGITALOCEAN-ASNUS	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
45.147.251.145	unknown	Germany	197518	RACKMARKTES	false
34.249.145.219	unknown	United States	16509	AMAZON-02US	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
34.249.145.219	zerm68k.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	m-i.p-s.Sakura.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	linux.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	i-5.8-6.opticus.elf	Get hash	malicious	Gafgyt	Browse
	aarch64.elf	Get hash	malicious	Mirai	Browse
	arm6.elf	Get hash	malicious	Unknown	Browse
	arm5.elf	Get hash	malicious	Unknown	Browse
	m68k.elf	Get hash	malicious	Mirai	Browse
159.89.101.70	zermips.elf	Get hash	malicious	Unknown	Browse
	zerx86.elf	Get hash	malicious	Unknown	Browse
	zerspc.elf	Get hash	malicious	Unknown	Browse
	zerppc.elf	Get hash	malicious	Unknown	Browse
	zermpsl.elf	Get hash	malicious	Unknown	Browse
	zerm68k.elf	Get hash	malicious	Unknown	Browse
	zersh4.elf	Get hash	malicious	Unknown	Browse
	zerarm7.elf	Get hash	malicious	Unknown	Browse
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
45.147.251.145	zerx86.elf	Get hash	malicious	Unknown	Browse
	zerspc.elf	Get hash	malicious	Unknown	Browse
	zerppc.elf	Get hash	malicious	Unknown	Browse
	zermpsl.elf	Get hash	malicious	Unknown	Browse
	zerm68k.elf	Get hash	malicious	Unknown	Browse
	zersh4.elf	Get hash	malicious	Unknown	Browse
	zerarm7.elf	Get hash	malicious	Unknown	Browse
	zerarm7.elf	Get hash	malicious	Unknown	Browse
	zerx86.elf	Get hash	malicious	Unknown	Browse
	zerarm.elf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ohlookthereismyboats.geek	nklspc.elf	Get hash	malicious	Unknown	Browse	64.227.79.152
	zermips.elf	Get hash	malicious	Unknown	Browse	159.89.101.70
	zerx86.elf	Get hash	malicious	Unknown	Browse	159.89.101.70
	nklmpsl.elf	Get hash	malicious	Unknown	Browse	185.220.204.227
	zerspc.elf	Get hash	malicious	Unknown	Browse	45.147.251.145
	zerppc.elf	Get hash	malicious	Unknown	Browse	64.227.79.152
	zermpsl.elf	Get hash	malicious	Unknown	Browse	159.89.101.70
	nklppc.elf	Get hash	malicious	Unknown	Browse	64.227.79.152
	zerm68k.elf	Get hash	malicious	Unknown	Browse	45.147.251.145
	nklsh4.elf	Get hash	malicious	Unknown	Browse	64.227.79.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RACKMARKTES	zerx86.elf	Get hash	malicious	Unknown	Browse	45.147.251.145
	zerspc.elf	Get hash	malicious	Unknown	Browse	45.147.251.145
	zerppc.elf	Get hash	malicious	Unknown	Browse	45.147.251.145
	zermpsl.elf	Get hash	malicious	Unknown	Browse	45.147.251.145
	zerm68k.elf	Get hash	malicious	Unknown	Browse	45.147.251.145
	zersh4.elf	Get hash	malicious	Unknown	Browse	45.147.251.145
	zerarm7.elf	Get hash	malicious	Unknown	Browse	45.147.251.145
	i686.elf	Get hash	malicious	Unknown	Browse	185.194.179.220
	zerarm7.elf	Get hash	malicious	Unknown	Browse	45.147.251.145
	zerx86.elf	Get hash	malicious	Unknown	Browse	45.147.251.145
INIT7CH	zerx86.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	zerppc.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	zerm68k.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	.i.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	splarm6.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	.i.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
DIGITALOCEAN-ASNUS	zermips.elf	Get hash	malicious	Unknown	Browse	159.89.101.70
	zerx86.elf	Get hash	malicious	Unknown	Browse	64.227.79.152
	zerspc.elf	Get hash	malicious	Unknown	Browse	159.89.101.70
	zerppc.elf	Get hash	malicious	Unknown	Browse	64.227.79.152
	zermpsl.elf	Get hash	malicious	Unknown	Browse	159.89.101.70
	zerm68k.elf	Get hash	malicious	Unknown	Browse	64.227.79.152
	zersh4.elf	Get hash	malicious	Unknown	Browse	159.89.101.70
	arm.elf	Get hash	malicious	Unknown	Browse	162.243.214.160
	nabsh4.elf	Get hash	malicious	Unknown	Browse	188.226.156.47
	splarm5.elf	Get hash	malicious	Unknown	Browse	178.128.131.24
AMAZON-02US	nklppc.elf	Get hash	malicious	Unknown	Browse	54.119.141.37
	na.elf	Get hash	malicious	Prometei	Browse	52.34.198.229
	zerm68k.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	nklm68k.elf	Get hash	malicious	Unknown	Browse	52.39.186.67
	jklx86.elf	Get hash	malicious	Unknown	Browse	54.250.212.91
	nabmpsl.elf	Get hash	malicious	Unknown	Browse	54.75.247.65
	jklm68k.elf	Get hash	malicious	Unknown	Browse	35.154.189.71
	nabm68k.elf	Get hash	malicious	Unknown	Browse	13.119.99.76
	splm68k.elf	Get hash	malicious	Unknown	Browse	34.247.50.77
	nabx86.elf	Get hash	malicious	Unknown	Browse	34.210.216.208

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy (8bit):	5.993355397995043
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	zerarm5.elf
File size:	51'776 bytes
MD5:	5a5c0e1c92b7937f2e88b11478bbf631
SHA1:	358706dc4eaa65c3da0702a8ad9bba4de6bfafaf
SHA256:	c767b3204bd8bfde69e411b3d0723f0eef5cf70a8091300cd00c50f4efe84891
SHA512:	2e0ea5f3db9bfdd04b33b7bf72b3eebb0fb06f8df6b0fca442856de6ccfd284536505d08b3b31167ea86ae1ca84456340a73bc87c4325cc598a4834aab3500a1
SSDEEP:	768:TsHcXPbBIKrfx/RaK/3cgWQI9YvTuDorPg8rpI/h4B36OGVzONszaotkMgk:+cl9D3cNj9YvSug8dI5GqO6vFH
TLSH:	0333F895B8C29A12C5D013BBFA2E429D372563F8E2DF7207CD211F51778A82F0DA7651
File Content Preview:	.ELF...a..........(.........4...........4. ...(.........................................................`...........Q.td..................................-...L."...^/..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	ARM - ABI
ABI Version:	0
Entry Point Address:	0x8190
Flags:	0x2
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	51336
Section Header Size:	40
Number of Section Headers:	11
Header String Table Index:	10

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8094	0x94	0x18	0x0	0x6	AX	4
.text	PROGBITS	0x80b0	0xb0	0xbdb0	0x0	0x6	AX	16
.fini	PROGBITS	0x13e60	0xbe60	0x14	0x0	0x6	AX	4
.rodata	PROGBITS	0x13e74	0xbe74	0x80c	0x0	0x2	A	4
.ctors	PROGBITS	0x1c684	0xc684	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x1c68c	0xc68c	0x8	0x0	0x3	WA	4
.jcr	PROGBITS	0x1c694	0xc694	0x4	0x0	0x3	WA	4
.data	PROGBITS	0x1c698	0xc698	0x1ac	0x0	0x3	WA	4
.bss	NOBITS	0x1c844	0xc844	0x2a0	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0xc844	0x43	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8000	0x8000	0xc680	0xc680	6.0234	0x5	R E	0x8000	.init .text .fini .rodata
LOAD	0xc684	0x1c684	0x1c684	0x1c0	0x460	2.2948	0x6	RW	0x8000	.ctors .dtors .jcr .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 112
• 1440 undefined
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 10, 2025 03:05:22.530024052 CET	43928	443	192.168.2.23	91.189.91.42
Mar 10, 2025 03:05:23.441581964 CET	54374	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:05:23.446764946 CET	1440	54374	45.147.251.145	192.168.2.23
Mar 10, 2025 03:05:23.446820974 CET	54374	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:05:23.448321104 CET	54374	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:05:23.453521013 CET	1440	54374	45.147.251.145	192.168.2.23
Mar 10, 2025 03:05:23.453566074 CET	54374	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:05:23.458661079 CET	1440	54374	45.147.251.145	192.168.2.23
Mar 10, 2025 03:05:28.161412954 CET	42836	443	192.168.2.23	91.189.91.43
Mar 10, 2025 03:05:33.457345963 CET	54374	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:05:33.462474108 CET	1440	54374	45.147.251.145	192.168.2.23
Mar 10, 2025 03:05:33.720145941 CET	1440	54374	45.147.251.145	192.168.2.23
Mar 10, 2025 03:05:33.720555067 CET	54374	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:05:33.720895052 CET	54374	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:05:33.725975990 CET	1440	54374	45.147.251.145	192.168.2.23
Mar 10, 2025 03:05:34.879033089 CET	54376	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:05:34.884118080 CET	1440	54376	45.147.251.145	192.168.2.23
Mar 10, 2025 03:05:34.884202957 CET	54376	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:05:34.885163069 CET	54376	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:05:34.890211105 CET	1440	54376	45.147.251.145	192.168.2.23
Mar 10, 2025 03:05:34.890280008 CET	54376	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:05:34.895406961 CET	1440	54376	45.147.251.145	192.168.2.23
Mar 10, 2025 03:05:39.264147997 CET	443	39260	34.249.145.219	192.168.2.23
Mar 10, 2025 03:05:39.264525890 CET	39260	443	192.168.2.23	34.249.145.219
Mar 10, 2025 03:05:39.269654989 CET	443	39260	34.249.145.219	192.168.2.23
Mar 10, 2025 03:05:43.263278008 CET	43928	443	192.168.2.23	91.189.91.42
Mar 10, 2025 03:05:43.263286114 CET	42516	80	192.168.2.23	109.202.202.202
Mar 10, 2025 03:05:45.824706078 CET	1440	54376	45.147.251.145	192.168.2.23
Mar 10, 2025 03:05:45.824861050 CET	1440	54376	45.147.251.145	192.168.2.23
Mar 10, 2025 03:05:45.824960947 CET	54376	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:05:45.824960947 CET	54376	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:05:45.835745096 CET	1440	54376	45.147.251.145	192.168.2.23
Mar 10, 2025 03:05:46.914275885 CET	54378	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:05:46.919424057 CET	1440	54378	45.147.251.145	192.168.2.23
Mar 10, 2025 03:05:46.919559956 CET	54378	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:05:46.920878887 CET	54378	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:05:46.925993919 CET	1440	54378	45.147.251.145	192.168.2.23
Mar 10, 2025 03:05:46.926073074 CET	54378	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:05:46.931143045 CET	1440	54378	45.147.251.145	192.168.2.23
Mar 10, 2025 03:05:55.549612045 CET	42836	443	192.168.2.23	91.189.91.43
Mar 10, 2025 03:05:57.546415091 CET	1440	54378	45.147.251.145	192.168.2.23
Mar 10, 2025 03:05:57.546999931 CET	54378	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:05:57.553199053 CET	1440	54378	45.147.251.145	192.168.2.23
Mar 10, 2025 03:05:58.666471958 CET	54380	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:05:58.671561003 CET	1440	54380	45.147.251.145	192.168.2.23
Mar 10, 2025 03:05:58.671669960 CET	54380	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:05:58.673103094 CET	54380	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:05:58.678205013 CET	1440	54380	45.147.251.145	192.168.2.23
Mar 10, 2025 03:05:58.678338051 CET	54380	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:05:58.683496952 CET	1440	54380	45.147.251.145	192.168.2.23
Mar 10, 2025 03:06:09.280558109 CET	1440	54380	45.147.251.145	192.168.2.23
Mar 10, 2025 03:06:09.281049967 CET	54380	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:06:09.286201000 CET	1440	54380	45.147.251.145	192.168.2.23
Mar 10, 2025 03:06:10.473207951 CET	54382	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:06:10.478255033 CET	1440	54382	45.147.251.145	192.168.2.23
Mar 10, 2025 03:06:10.478313923 CET	54382	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:06:10.479511023 CET	54382	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:06:10.484556913 CET	1440	54382	45.147.251.145	192.168.2.23
Mar 10, 2025 03:06:10.484642029 CET	54382	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:06:10.489705086 CET	1440	54382	45.147.251.145	192.168.2.23
Mar 10, 2025 03:06:21.100596905 CET	1440	54382	45.147.251.145	192.168.2.23
Mar 10, 2025 03:06:21.101037025 CET	54382	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:06:21.106225014 CET	1440	54382	45.147.251.145	192.168.2.23
Mar 10, 2025 03:06:22.190777063 CET	54384	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:06:22.195801020 CET	1440	54384	45.147.251.145	192.168.2.23
Mar 10, 2025 03:06:22.195899963 CET	54384	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:06:22.197191954 CET	54384	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:06:22.202227116 CET	1440	54384	45.147.251.145	192.168.2.23
Mar 10, 2025 03:06:22.202301025 CET	54384	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:06:22.207308054 CET	1440	54384	45.147.251.145	192.168.2.23
Mar 10, 2025 03:06:24.217408895 CET	43928	443	192.168.2.23	91.189.91.42
Mar 10, 2025 03:06:32.947699070 CET	1440	54384	45.147.251.145	192.168.2.23
Mar 10, 2025 03:06:32.947899103 CET	54384	1440	192.168.2.23	45.147.251.145
Mar 10, 2025 03:06:32.953280926 CET	1440	54384	45.147.251.145	192.168.2.23
Mar 10, 2025 03:06:34.045810938 CET	46870	1440	192.168.2.23	159.89.101.70
Mar 10, 2025 03:06:34.050797939 CET	1440	46870	159.89.101.70	192.168.2.23
Mar 10, 2025 03:06:34.050901890 CET	46870	1440	192.168.2.23	159.89.101.70
Mar 10, 2025 03:06:34.052510977 CET	46870	1440	192.168.2.23	159.89.101.70
Mar 10, 2025 03:06:34.057583094 CET	1440	46870	159.89.101.70	192.168.2.23
Mar 10, 2025 03:06:34.057660103 CET	46870	1440	192.168.2.23	159.89.101.70
Mar 10, 2025 03:06:34.062813044 CET	1440	46870	159.89.101.70	192.168.2.23
Mar 10, 2025 03:06:44.053989887 CET	46870	1440	192.168.2.23	159.89.101.70
Mar 10, 2025 03:06:44.059115887 CET	1440	46870	159.89.101.70	192.168.2.23
Mar 10, 2025 03:06:44.265939951 CET	1440	46870	159.89.101.70	192.168.2.23
Mar 10, 2025 03:06:44.266168118 CET	46870	1440	192.168.2.23	159.89.101.70
Mar 10, 2025 03:06:44.271281958 CET	1440	46870	159.89.101.70	192.168.2.23
Mar 10, 2025 03:06:45.355887890 CET	46872	1440	192.168.2.23	159.89.101.70
Mar 10, 2025 03:06:45.360991001 CET	1440	46872	159.89.101.70	192.168.2.23
Mar 10, 2025 03:06:45.361094952 CET	46872	1440	192.168.2.23	159.89.101.70
Mar 10, 2025 03:06:45.362293005 CET	46872	1440	192.168.2.23	159.89.101.70
Mar 10, 2025 03:06:45.367449999 CET	1440	46872	159.89.101.70	192.168.2.23
Mar 10, 2025 03:06:45.367527962 CET	46872	1440	192.168.2.23	159.89.101.70
Mar 10, 2025 03:06:45.372751951 CET	1440	46872	159.89.101.70	192.168.2.23
Mar 10, 2025 03:06:55.977659941 CET	1440	46872	159.89.101.70	192.168.2.23
Mar 10, 2025 03:06:55.978444099 CET	46872	1440	192.168.2.23	159.89.101.70
Mar 10, 2025 03:06:55.983546972 CET	1440	46872	159.89.101.70	192.168.2.23
Mar 10, 2025 03:06:57.068770885 CET	46874	1440	192.168.2.23	159.89.101.70
Mar 10, 2025 03:06:57.073869944 CET	1440	46874	159.89.101.70	192.168.2.23
Mar 10, 2025 03:06:57.073940992 CET	46874	1440	192.168.2.23	159.89.101.70
Mar 10, 2025 03:06:57.074953079 CET	46874	1440	192.168.2.23	159.89.101.70
Mar 10, 2025 03:06:57.080053091 CET	1440	46874	159.89.101.70	192.168.2.23
Mar 10, 2025 03:06:57.080120087 CET	46874	1440	192.168.2.23	159.89.101.70
Mar 10, 2025 03:06:57.085278034 CET	1440	46874	159.89.101.70	192.168.2.23
Mar 10, 2025 03:07:07.652254105 CET	1440	46874	159.89.101.70	192.168.2.23
Mar 10, 2025 03:07:07.652560949 CET	46874	1440	192.168.2.23	159.89.101.70
Mar 10, 2025 03:07:07.657510042 CET	1440	46874	159.89.101.70	192.168.2.23
Mar 10, 2025 03:07:08.754497051 CET	46876	1440	192.168.2.23	159.89.101.70
Mar 10, 2025 03:07:08.759512901 CET	1440	46876	159.89.101.70	192.168.2.23
Mar 10, 2025 03:07:08.759629011 CET	46876	1440	192.168.2.23	159.89.101.70
Mar 10, 2025 03:07:08.760931015 CET	46876	1440	192.168.2.23	159.89.101.70
Mar 10, 2025 03:07:08.765929937 CET	1440	46876	159.89.101.70	192.168.2.23
Mar 10, 2025 03:07:08.766016960 CET	46876	1440	192.168.2.23	159.89.101.70
Mar 10, 2025 03:07:08.771059036 CET	1440	46876	159.89.101.70	192.168.2.23
Mar 10, 2025 03:07:19.366712093 CET	1440	46876	159.89.101.70	192.168.2.23
Mar 10, 2025 03:07:19.367150068 CET	46876	1440	192.168.2.23	159.89.101.70
Mar 10, 2025 03:07:19.374521971 CET	1440	46876	159.89.101.70	192.168.2.23
Mar 10, 2025 03:07:20.844073057 CET	46878	1440	192.168.2.23	159.89.101.70
Mar 10, 2025 03:07:20.849211931 CET	1440	46878	159.89.101.70	192.168.2.23
Mar 10, 2025 03:07:20.849325895 CET	46878	1440	192.168.2.23	159.89.101.70
Mar 10, 2025 03:07:20.850867033 CET	46878	1440	192.168.2.23	159.89.101.70
Mar 10, 2025 03:07:20.855887890 CET	1440	46878	159.89.101.70	192.168.2.23
Mar 10, 2025 03:07:20.855948925 CET	46878	1440	192.168.2.23	159.89.101.70
Mar 10, 2025 03:07:20.860975027 CET	1440	46878	159.89.101.70	192.168.2.23

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 10, 2025 03:05:23.404006004 CET	50151	53	192.168.2.23	194.36.144.87
Mar 10, 2025 03:05:23.427222967 CET	53	50151	194.36.144.87	192.168.2.23
Mar 10, 2025 03:05:34.724134922 CET	57910	53	192.168.2.23	81.169.136.222
Mar 10, 2025 03:05:34.754107952 CET	53	57910	81.169.136.222	192.168.2.23
Mar 10, 2025 03:05:34.755640984 CET	51792	53	192.168.2.23	81.169.136.222
Mar 10, 2025 03:05:34.785526037 CET	53	51792	81.169.136.222	192.168.2.23
Mar 10, 2025 03:05:34.786437988 CET	53398	53	192.168.2.23	81.169.136.222
Mar 10, 2025 03:05:34.816220999 CET	53	53398	81.169.136.222	192.168.2.23
Mar 10, 2025 03:05:34.817568064 CET	51592	53	192.168.2.23	81.169.136.222
Mar 10, 2025 03:05:34.847467899 CET	53	51592	81.169.136.222	192.168.2.23
Mar 10, 2025 03:05:34.848581076 CET	54445	53	192.168.2.23	81.169.136.222
Mar 10, 2025 03:05:34.878218889 CET	53	54445	81.169.136.222	192.168.2.23
Mar 10, 2025 03:05:46.828130007 CET	45151	53	192.168.2.23	51.158.108.203
Mar 10, 2025 03:05:46.844189882 CET	53	45151	51.158.108.203	192.168.2.23
Mar 10, 2025 03:05:46.845794916 CET	34496	53	192.168.2.23	51.158.108.203
Mar 10, 2025 03:05:46.861486912 CET	53	34496	51.158.108.203	192.168.2.23
Mar 10, 2025 03:05:46.862889051 CET	59108	53	192.168.2.23	51.158.108.203
Mar 10, 2025 03:05:46.878632069 CET	53	59108	51.158.108.203	192.168.2.23
Mar 10, 2025 03:05:46.880076885 CET	38088	53	192.168.2.23	51.158.108.203
Mar 10, 2025 03:05:46.895837069 CET	53	38088	51.158.108.203	192.168.2.23
Mar 10, 2025 03:05:46.897329092 CET	58958	53	192.168.2.23	51.158.108.203
Mar 10, 2025 03:05:46.913038015 CET	53	58958	51.158.108.203	192.168.2.23
Mar 10, 2025 03:05:58.551387072 CET	50734	53	192.168.2.23	152.53.15.127
Mar 10, 2025 03:05:58.568727970 CET	53	50734	152.53.15.127	192.168.2.23
Mar 10, 2025 03:05:58.570693016 CET	37740	53	192.168.2.23	152.53.15.127
Mar 10, 2025 03:05:58.594536066 CET	53	37740	152.53.15.127	192.168.2.23
Mar 10, 2025 03:05:58.596560955 CET	37191	53	192.168.2.23	152.53.15.127
Mar 10, 2025 03:05:58.620429993 CET	53	37191	152.53.15.127	192.168.2.23
Mar 10, 2025 03:05:58.622488022 CET	53873	53	192.168.2.23	152.53.15.127
Mar 10, 2025 03:05:58.645730019 CET	53	53873	152.53.15.127	192.168.2.23
Mar 10, 2025 03:05:58.647720098 CET	36714	53	192.168.2.23	152.53.15.127
Mar 10, 2025 03:05:58.665267944 CET	53	36714	152.53.15.127	192.168.2.23
Mar 10, 2025 03:06:10.285250902 CET	52523	53	192.168.2.23	185.181.61.24
Mar 10, 2025 03:06:10.321300983 CET	53	52523	185.181.61.24	192.168.2.23
Mar 10, 2025 03:06:10.323479891 CET	38918	53	192.168.2.23	185.181.61.24
Mar 10, 2025 03:06:10.359421015 CET	53	38918	185.181.61.24	192.168.2.23
Mar 10, 2025 03:06:10.361077070 CET	33268	53	192.168.2.23	185.181.61.24
Mar 10, 2025 03:06:10.396996975 CET	53	33268	185.181.61.24	192.168.2.23
Mar 10, 2025 03:06:10.398685932 CET	41817	53	192.168.2.23	185.181.61.24
Mar 10, 2025 03:06:10.434613943 CET	53	41817	185.181.61.24	192.168.2.23
Mar 10, 2025 03:06:10.436166048 CET	51156	53	192.168.2.23	185.181.61.24
Mar 10, 2025 03:06:10.472290993 CET	53	51156	185.181.61.24	192.168.2.23
Mar 10, 2025 03:06:22.104476929 CET	33208	53	192.168.2.23	51.158.108.203
Mar 10, 2025 03:06:22.120361090 CET	53	33208	51.158.108.203	192.168.2.23
Mar 10, 2025 03:06:22.122051001 CET	51116	53	192.168.2.23	51.158.108.203
Mar 10, 2025 03:06:22.138003111 CET	53	51116	51.158.108.203	192.168.2.23
Mar 10, 2025 03:06:22.139472008 CET	53121	53	192.168.2.23	51.158.108.203
Mar 10, 2025 03:06:22.155283928 CET	53	53121	51.158.108.203	192.168.2.23
Mar 10, 2025 03:06:22.156663895 CET	59900	53	192.168.2.23	51.158.108.203
Mar 10, 2025 03:06:22.172374010 CET	53	59900	51.158.108.203	192.168.2.23
Mar 10, 2025 03:06:22.173815966 CET	58546	53	192.168.2.23	51.158.108.203
Mar 10, 2025 03:06:22.189939976 CET	53	58546	51.158.108.203	192.168.2.23
Mar 10, 2025 03:06:33.951857090 CET	56209	53	192.168.2.23	168.235.111.72
Mar 10, 2025 03:06:34.044383049 CET	53	56209	168.235.111.72	192.168.2.23
Mar 10, 2025 03:06:45.269947052 CET	33957	53	192.168.2.23	51.158.108.203
Mar 10, 2025 03:06:45.285980940 CET	53	33957	51.158.108.203	192.168.2.23
Mar 10, 2025 03:06:45.287447929 CET	45699	53	192.168.2.23	51.158.108.203
Mar 10, 2025 03:06:45.303220987 CET	53	45699	51.158.108.203	192.168.2.23
Mar 10, 2025 03:06:45.304686069 CET	55347	53	192.168.2.23	51.158.108.203
Mar 10, 2025 03:06:45.320569038 CET	53	55347	51.158.108.203	192.168.2.23
Mar 10, 2025 03:06:45.321964025 CET	37163	53	192.168.2.23	51.158.108.203
Mar 10, 2025 03:06:45.338012934 CET	53	37163	51.158.108.203	192.168.2.23
Mar 10, 2025 03:06:45.339426041 CET	36100	53	192.168.2.23	51.158.108.203
Mar 10, 2025 03:06:45.355195045 CET	53	36100	51.158.108.203	192.168.2.23
Mar 10, 2025 03:06:56.982285976 CET	42211	53	192.168.2.23	51.158.108.203
Mar 10, 2025 03:06:56.998085022 CET	53	42211	51.158.108.203	192.168.2.23
Mar 10, 2025 03:06:56.999608040 CET	39579	53	192.168.2.23	51.158.108.203
Mar 10, 2025 03:06:57.015527010 CET	53	39579	51.158.108.203	192.168.2.23
Mar 10, 2025 03:06:57.017016888 CET	36143	53	192.168.2.23	51.158.108.203
Mar 10, 2025 03:06:57.033226967 CET	53	36143	51.158.108.203	192.168.2.23
Mar 10, 2025 03:06:57.034720898 CET	59080	53	192.168.2.23	51.158.108.203
Mar 10, 2025 03:06:57.050724983 CET	53	59080	51.158.108.203	192.168.2.23
Mar 10, 2025 03:06:57.052176952 CET	39198	53	192.168.2.23	51.158.108.203
Mar 10, 2025 03:06:57.068227053 CET	53	39198	51.158.108.203	192.168.2.23
Mar 10, 2025 03:07:08.655921936 CET	49100	53	192.168.2.23	202.61.197.122
Mar 10, 2025 03:07:08.674354076 CET	53	49100	202.61.197.122	192.168.2.23
Mar 10, 2025 03:07:08.675477982 CET	57095	53	192.168.2.23	202.61.197.122
Mar 10, 2025 03:07:08.693898916 CET	53	57095	202.61.197.122	192.168.2.23
Mar 10, 2025 03:07:08.695167065 CET	45504	53	192.168.2.23	202.61.197.122
Mar 10, 2025 03:07:08.713797092 CET	53	45504	202.61.197.122	192.168.2.23
Mar 10, 2025 03:07:08.715147972 CET	38207	53	192.168.2.23	202.61.197.122
Mar 10, 2025 03:07:08.732871056 CET	53	38207	202.61.197.122	192.168.2.23
Mar 10, 2025 03:07:08.734364986 CET	56257	53	192.168.2.23	202.61.197.122
Mar 10, 2025 03:07:08.753833055 CET	53	56257	202.61.197.122	192.168.2.23
Mar 10, 2025 03:07:20.370743990 CET	37111	53	192.168.2.23	168.235.111.72
Mar 10, 2025 03:07:20.462680101 CET	53	37111	168.235.111.72	192.168.2.23
Mar 10, 2025 03:07:20.464548111 CET	52602	53	192.168.2.23	168.235.111.72
Mar 10, 2025 03:07:20.555713892 CET	53	52602	168.235.111.72	192.168.2.23
Mar 10, 2025 03:07:20.557491064 CET	53042	53	192.168.2.23	168.235.111.72
Mar 10, 2025 03:07:20.652234077 CET	53	53042	168.235.111.72	192.168.2.23
Mar 10, 2025 03:07:20.654015064 CET	60369	53	192.168.2.23	168.235.111.72
Mar 10, 2025 03:07:20.748303890 CET	53	60369	168.235.111.72	192.168.2.23
Mar 10, 2025 03:07:20.750689030 CET	33707	53	192.168.2.23	168.235.111.72
Mar 10, 2025 03:07:20.842730045 CET	53	33707	168.235.111.72	192.168.2.23

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 10, 2025 03:05:23.404006004 CET	192.168.2.23	194.36.144.87	0x63b0	Standard query (0)	ohlookthereismyboats.geek	A (IP address)	IN (0x0001)	false
Mar 10, 2025 03:05:34.724134922 CET	192.168.2.23	81.169.136.222	0xb181	Standard query (0)	watchmepull.dyn. [malformed]	256	494	false
Mar 10, 2025 03:05:34.755640984 CET	192.168.2.23	81.169.136.222	0xb181	Standard query (0)	watchmepull.dyn. [malformed]	256	494	false
Mar 10, 2025 03:05:34.786437988 CET	192.168.2.23	81.169.136.222	0xb181	Standard query (0)	watchmepull.dyn. [malformed]	256	494	false
Mar 10, 2025 03:05:34.817568064 CET	192.168.2.23	81.169.136.222	0xb181	Standard query (0)	watchmepull.dyn. [malformed]	256	494	false
Mar 10, 2025 03:05:34.848581076 CET	192.168.2.23	81.169.136.222	0xb181	Standard query (0)	watchmepull.dyn. [malformed]	256	494	false
Mar 10, 2025 03:05:46.828130007 CET	192.168.2.23	51.158.108.203	0x10d7	Standard query (0)	watchmepull.dyn. [malformed]	256	506	false
Mar 10, 2025 03:05:46.845794916 CET	192.168.2.23	51.158.108.203	0x10d7	Standard query (0)	watchmepull.dyn. [malformed]	256	506	false
Mar 10, 2025 03:05:46.862889051 CET	192.168.2.23	51.158.108.203	0x10d7	Standard query (0)	watchmepull.dyn. [malformed]	256	506	false
Mar 10, 2025 03:05:46.880076885 CET	192.168.2.23	51.158.108.203	0x10d7	Standard query (0)	watchmepull.dyn. [malformed]	256	506	false
Mar 10, 2025 03:05:46.897329092 CET	192.168.2.23	51.158.108.203	0x10d7	Standard query (0)	watchmepull.dyn. [malformed]	256	506	false
Mar 10, 2025 03:05:58.551387072 CET	192.168.2.23	152.53.15.127	0xbf20	Standard query (0)	watchmepull.dyn. [malformed]	256	262	false
Mar 10, 2025 03:05:58.570693016 CET	192.168.2.23	152.53.15.127	0xbf20	Standard query (0)	watchmepull.dyn. [malformed]	256	262	false
Mar 10, 2025 03:05:58.596560955 CET	192.168.2.23	152.53.15.127	0xbf20	Standard query (0)	watchmepull.dyn. [malformed]	256	262	false
Mar 10, 2025 03:05:58.622488022 CET	192.168.2.23	152.53.15.127	0xbf20	Standard query (0)	watchmepull.dyn. [malformed]	256	262	false
Mar 10, 2025 03:05:58.647720098 CET	192.168.2.23	152.53.15.127	0xbf20	Standard query (0)	watchmepull.dyn. [malformed]	256	262	false
Mar 10, 2025 03:06:10.285250902 CET	192.168.2.23	185.181.61.24	0xcaec	Standard query (0)	watchmepull.dyn. [malformed]	256	274	false
Mar 10, 2025 03:06:10.323479891 CET	192.168.2.23	185.181.61.24	0xcaec	Standard query (0)	watchmepull.dyn. [malformed]	256	274	false
Mar 10, 2025 03:06:10.361077070 CET	192.168.2.23	185.181.61.24	0xcaec	Standard query (0)	watchmepull.dyn. [malformed]	256	274	false
Mar 10, 2025 03:06:10.398685932 CET	192.168.2.23	185.181.61.24	0xcaec	Standard query (0)	watchmepull.dyn. [malformed]	256	274	false
Mar 10, 2025 03:06:10.436166048 CET	192.168.2.23	185.181.61.24	0xcaec	Standard query (0)	watchmepull.dyn. [malformed]	256	274	false
Mar 10, 2025 03:06:22.104476929 CET	192.168.2.23	51.158.108.203	0xb23	Standard query (0)	watchmepull.dyn. [malformed]	256	286	false
Mar 10, 2025 03:06:22.122051001 CET	192.168.2.23	51.158.108.203	0xb23	Standard query (0)	watchmepull.dyn. [malformed]	256	286	false
Mar 10, 2025 03:06:22.139472008 CET	192.168.2.23	51.158.108.203	0xb23	Standard query (0)	watchmepull.dyn. [malformed]	256	286	false
Mar 10, 2025 03:06:22.156663895 CET	192.168.2.23	51.158.108.203	0xb23	Standard query (0)	watchmepull.dyn. [malformed]	256	286	false
Mar 10, 2025 03:06:22.173815966 CET	192.168.2.23	51.158.108.203	0xb23	Standard query (0)	watchmepull.dyn. [malformed]	256	286	false
Mar 10, 2025 03:06:33.951857090 CET	192.168.2.23	168.235.111.72	0xe0d6	Standard query (0)	ohlookthereismyboats.geek	A (IP address)	IN (0x0001)	false
Mar 10, 2025 03:06:45.269947052 CET	192.168.2.23	51.158.108.203	0x7af0	Standard query (0)	watchmepull.dyn. [malformed]	256	309	false
Mar 10, 2025 03:06:45.287447929 CET	192.168.2.23	51.158.108.203	0x7af0	Standard query (0)	watchmepull.dyn. [malformed]	256	309	false
Mar 10, 2025 03:06:45.304686069 CET	192.168.2.23	51.158.108.203	0x7af0	Standard query (0)	watchmepull.dyn. [malformed]	256	309	false
Mar 10, 2025 03:06:45.321964025 CET	192.168.2.23	51.158.108.203	0x7af0	Standard query (0)	watchmepull.dyn. [malformed]	256	309	false
Mar 10, 2025 03:06:45.339426041 CET	192.168.2.23	51.158.108.203	0x7af0	Standard query (0)	watchmepull.dyn. [malformed]	256	309	false
Mar 10, 2025 03:06:56.982285976 CET	192.168.2.23	51.158.108.203	0xa253	Standard query (0)	watchmepull.dyn. [malformed]	256	320	false
Mar 10, 2025 03:06:56.999608040 CET	192.168.2.23	51.158.108.203	0xa253	Standard query (0)	watchmepull.dyn. [malformed]	256	321	false
Mar 10, 2025 03:06:57.017016888 CET	192.168.2.23	51.158.108.203	0xa253	Standard query (0)	watchmepull.dyn. [malformed]	256	321	false
Mar 10, 2025 03:06:57.034720898 CET	192.168.2.23	51.158.108.203	0xa253	Standard query (0)	watchmepull.dyn. [malformed]	256	321	false
Mar 10, 2025 03:06:57.052176952 CET	192.168.2.23	51.158.108.203	0xa253	Standard query (0)	watchmepull.dyn. [malformed]	256	321	false
Mar 10, 2025 03:07:08.655921936 CET	192.168.2.23	202.61.197.122	0x6326	Standard query (0)	watchmepull.dyn. [malformed]	256	332	false
Mar 10, 2025 03:07:08.675477982 CET	192.168.2.23	202.61.197.122	0x6326	Standard query (0)	watchmepull.dyn. [malformed]	256	332	false
Mar 10, 2025 03:07:08.695167065 CET	192.168.2.23	202.61.197.122	0x6326	Standard query (0)	watchmepull.dyn. [malformed]	256	332	false
Mar 10, 2025 03:07:08.715147972 CET	192.168.2.23	202.61.197.122	0x6326	Standard query (0)	watchmepull.dyn. [malformed]	256	332	false
Mar 10, 2025 03:07:08.734364986 CET	192.168.2.23	202.61.197.122	0x6326	Standard query (0)	watchmepull.dyn. [malformed]	256	332	false
Mar 10, 2025 03:07:20.370743990 CET	192.168.2.23	168.235.111.72	0x7935	Standard query (0)	watchmepull.dyn. [malformed]	256	344	false
Mar 10, 2025 03:07:20.464548111 CET	192.168.2.23	168.235.111.72	0x7935	Standard query (0)	watchmepull.dyn. [malformed]	256	344	false
Mar 10, 2025 03:07:20.557491064 CET	192.168.2.23	168.235.111.72	0x7935	Standard query (0)	watchmepull.dyn. [malformed]	256	344	false
Mar 10, 2025 03:07:20.654015064 CET	192.168.2.23	168.235.111.72	0x7935	Standard query (0)	watchmepull.dyn. [malformed]	256	344	false
Mar 10, 2025 03:07:20.750689030 CET	192.168.2.23	168.235.111.72	0x7935	Standard query (0)	watchmepull.dyn. [malformed]	256	344	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 10, 2025 03:05:23.427222967 CET	194.36.144.87	192.168.2.23	0x63b0	No error (0)	ohlookthereismyboats.geek		64.227.79.152	A (IP address)	IN (0x0001)	false
Mar 10, 2025 03:05:23.427222967 CET	194.36.144.87	192.168.2.23	0x63b0	No error (0)	ohlookthereismyboats.geek		45.147.251.145	A (IP address)	IN (0x0001)	false
Mar 10, 2025 03:05:23.427222967 CET	194.36.144.87	192.168.2.23	0x63b0	No error (0)	ohlookthereismyboats.geek		185.220.204.227	A (IP address)	IN (0x0001)	false
Mar 10, 2025 03:05:23.427222967 CET	194.36.144.87	192.168.2.23	0x63b0	No error (0)	ohlookthereismyboats.geek		159.89.101.70	A (IP address)	IN (0x0001)	false
Mar 10, 2025 03:05:46.844189882 CET	51.158.108.203	192.168.2.23	0x10d7	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	506	false
Mar 10, 2025 03:05:46.861486912 CET	51.158.108.203	192.168.2.23	0x10d7	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	506	false
Mar 10, 2025 03:05:46.878632069 CET	51.158.108.203	192.168.2.23	0x10d7	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	506	false
Mar 10, 2025 03:05:46.895837069 CET	51.158.108.203	192.168.2.23	0x10d7	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	506	false
Mar 10, 2025 03:05:46.913038015 CET	51.158.108.203	192.168.2.23	0x10d7	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	506	false
Mar 10, 2025 03:05:58.568727970 CET	152.53.15.127	192.168.2.23	0xbf20	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	262	false
Mar 10, 2025 03:05:58.594536066 CET	152.53.15.127	192.168.2.23	0xbf20	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	262	false
Mar 10, 2025 03:05:58.620429993 CET	152.53.15.127	192.168.2.23	0xbf20	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	262	false
Mar 10, 2025 03:05:58.645730019 CET	152.53.15.127	192.168.2.23	0xbf20	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	262	false
Mar 10, 2025 03:05:58.665267944 CET	152.53.15.127	192.168.2.23	0xbf20	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	262	false
Mar 10, 2025 03:06:22.120361090 CET	51.158.108.203	192.168.2.23	0xb23	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	286	false
Mar 10, 2025 03:06:22.138003111 CET	51.158.108.203	192.168.2.23	0xb23	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	286	false
Mar 10, 2025 03:06:22.155283928 CET	51.158.108.203	192.168.2.23	0xb23	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	286	false
Mar 10, 2025 03:06:22.172374010 CET	51.158.108.203	192.168.2.23	0xb23	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	286	false
Mar 10, 2025 03:06:22.189939976 CET	51.158.108.203	192.168.2.23	0xb23	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	286	false
Mar 10, 2025 03:06:34.044383049 CET	168.235.111.72	192.168.2.23	0xe0d6	No error (0)	ohlookthereismyboats.geek		159.89.101.70	A (IP address)	IN (0x0001)	false
Mar 10, 2025 03:06:34.044383049 CET	168.235.111.72	192.168.2.23	0xe0d6	No error (0)	ohlookthereismyboats.geek		45.147.251.145	A (IP address)	IN (0x0001)	false
Mar 10, 2025 03:06:34.044383049 CET	168.235.111.72	192.168.2.23	0xe0d6	No error (0)	ohlookthereismyboats.geek		64.227.79.152	A (IP address)	IN (0x0001)	false
Mar 10, 2025 03:06:34.044383049 CET	168.235.111.72	192.168.2.23	0xe0d6	No error (0)	ohlookthereismyboats.geek		185.220.204.227	A (IP address)	IN (0x0001)	false
Mar 10, 2025 03:06:45.285980940 CET	51.158.108.203	192.168.2.23	0x7af0	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	309	false
Mar 10, 2025 03:06:45.303220987 CET	51.158.108.203	192.168.2.23	0x7af0	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	309	false
Mar 10, 2025 03:06:45.320569038 CET	51.158.108.203	192.168.2.23	0x7af0	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	309	false
Mar 10, 2025 03:06:45.338012934 CET	51.158.108.203	192.168.2.23	0x7af0	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	309	false
Mar 10, 2025 03:06:45.355195045 CET	51.158.108.203	192.168.2.23	0x7af0	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	309	false
Mar 10, 2025 03:06:56.998085022 CET	51.158.108.203	192.168.2.23	0xa253	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	320	false
Mar 10, 2025 03:06:57.015527010 CET	51.158.108.203	192.168.2.23	0xa253	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	321	false
Mar 10, 2025 03:06:57.033226967 CET	51.158.108.203	192.168.2.23	0xa253	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	321	false
Mar 10, 2025 03:06:57.050724983 CET	51.158.108.203	192.168.2.23	0xa253	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	321	false
Mar 10, 2025 03:06:57.068227053 CET	51.158.108.203	192.168.2.23	0xa253	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	321	false

System Behavior

Analysis Process: zerarm5.elf PID: 6270, Parent PID: 6194

General

Start time (UTC):	02:05:22
Start date (UTC):	10/03/2025
Path:	/tmp/zerarm5.elf
Arguments:	/tmp/zerarm5.elf
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

File Activities

File Opened

File Read

File Moved

Directory Enumerated

Process Activities

Process Forked

Prctl Requested

Thread Sleep

System Activities

Query System Information (uname)

Network Activities

Socket Listening

Socket Connecting

Chronological Activities

Analysis Process: zerarm5.elf PID: 6272, Parent PID: 6270

General

Start time (UTC):	02:05:23
Start date (UTC):	10/03/2025
Path:	/tmp/zerarm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Process Activities

Process Forked

Thread Sleep

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: zerarm5.elf PID: 6274, Parent PID: 6272

General

Start time (UTC):	02:05:23
Start date (UTC):	10/03/2025
Path:	/tmp/zerarm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Process Activities

Thread Sleep

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: dash PID: 6284, Parent PID: 4341

General

Start time (UTC):	02:05:38
Start date (UTC):	10/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: rm PID: 6284, Parent PID: 4341

General

Start time (UTC):	02:05:38
Start date (UTC):	10/03/2025
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.f3MA0Bao4i /tmp/tmp.xlsrnaWjFZ /tmp/tmp.GrUFZWE2c2
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

File Activities

File Opened

File Deleted

File Read

Chronological Activities

Analysis Process: dash PID: 6285, Parent PID: 4341

General

Start time (UTC):	02:05:38
Start date (UTC):	10/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: rm PID: 6285, Parent PID: 4341

General

Start time (UTC):	02:05:38
Start date (UTC):	10/03/2025
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.f3MA0Bao4i /tmp/tmp.xlsrnaWjFZ /tmp/tmp.GrUFZWE2c2
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report zerarm5.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: zerarm5.elf PID: 6270, Parent PID: 6194

General

File Activities

File Opened

File Read

File Moved

Directory Enumerated

Process Activities

Process Forked

Prctl Requested

Thread Sleep

System Activities

Query System Information (uname)

Network Activities

Socket Listening

Socket Connecting

Chronological Activities

Analysis Process: zerarm5.elf PID: 6272, Parent PID: 6270

General

Process Activities

Process Forked

Thread Sleep

Linux Analysis Report
zerarm5.elf